M5Stack Cardputer ADV Volume 12 — Cheatsheet (the laminate-ready field card) — M5Stack Cardputer ADV · Hacking

Hardware quick-facts, pinout, firmware decision tree, attack quick-refs, hashcat commands, regional LoRa rules, troubleshooting flow

Section	Topic
1	About this volume
2	Hardware quick-facts panel
3	Pinout one-page reference
4	Firmware decision tree
5	Pentest attack quick-ref
6	Meshtastic preset table
7	Module ecosystem one-page reminder
8	Flashing-method picker
9	M5Launcher SD card layout reminder
10	Hashcat 22000 command reference
11	Regional LoRa rules
12	EIRP recalc after antenna upgrade
13	Common build / flash errors
14	Troubleshooting flow
15	Key references in one block

1. About this volume

Vol 12 is the laminate-ready field card — synthesis of every preceding volume’s most-referenced content into one-page-printable sections. Print, laminate, carry. In the field, lookups are by section number.

Pages are sized for typical 8.5×11 or A4 print at readable type size. Some sections are dense — print at 100% scale, not “fit to page”.

2. Hardware quick-facts panel

┌───────────────────────────────────────────────────────────────┐
│ M5Stack Cardputer ADV — K132-Adv                              │
├───────────────────────────────────────────────────────────────┤
│ MCU       ESP32-S3FN8 · LX7 dual @ 240 MHz · 8 MB flash       │
│           512 KB SRAM (no PSRAM) · Wi-Fi 4 2.4 GHz · BLE 5    │
│ Display   1.14" 240×135 IPS · ST7789V2 · SPI 40 MHz · 30 fps  │
│ Keyboard  56 keys · TCA8418RTWR scanner · 160 gf · I²C        │
│ Audio     ES8311 codec · NS4150B 1 W amp · MEMS mic · 3.5 mm  │
│ IMU       BMI270 6-axis (accel + gyro) · I²C                  │
│ IR        940 nm on GPIO44 · 3–5 m range                      │
│ Storage   microSD · ESP32 SD.h (FAT32 / exFAT)                │
│ Battery   1750 mAh LiPo · SY8089 buck · CHARGE NEEDS SW ON    │
│ Expansion 1× Grove HY2.0-4P (top edge)                        │
│           1× 14-pin EXT bus 2.54 mm (underside) ← Cap modules │
│           1× USB-C OTG (side)                                 │
│ Power     ~120 mA idle · ~155 mA BLE · 0.23 µA deep sleep     │
│ Size      84 × 54 × 19.6 mm · 81 g · LEGO-Technic mag base    │
└───────────────────────────────────────────────────────────────┘

Cap LoRa-1262 (M5Stack SKU U214):
┌───────────────────────────────────────────────────────────────┐
│ LoRa    SX1262 · 868–923 MHz · +22 dBm TX · −147 dBm RX       │
│         CSS + FSK/GFSK/MSK/GMSK/OOK · RP-SMA antenna          │
│ GNSS    AT6668 · 50-chan · GPS+GLONASS+Galileo+BeiDou         │
│         +QZSS+SBAS · CEP50 <1.5 m · TTFF 23s cold / 1s hot    │
│ Antenna RP-SMA female · 3 dBi rubber-duck included            │
│ Size    84 × 24 × 15.2 mm · 22.1 g · 14-pin EXT header        │
└───────────────────────────────────────────────────────────────┘

3. Pinout one-page reference

Critical GPIOs:

GPIO	Function
0	BOOT button — hold during USB plug-in for download mode
1, 2	Grove TX/RX (UART2 default) or secondary I²C SCL/SDA
3	EXT RESET (SX1262)
4	EXT INT (SX1262 DIO1)
5	EXT CS (SX1262 NSS)
6	EXT BUSY (SX1262)
8, 9	Primary I²C SDA / SCL (codec + keyboard + IMU + EXT + Grove-when-I²C)
10	Battery ADC
11	Keyboard INT (TCA8418)
12	microSD CS
13	EXT UART RX (from AT6668 TX)
14	SPI MOSI (shared display + microSD + EXT)
15	EXT UART TX (to AT6668 RX)
18, 19	USB D-/D+ (native)
33-38	LCD bus + RGB LED
39	SPI MISO
40	SPI SCK + microSD CLK
41-43, 46	I²S audio (codec)
44	IR TX LED

Grove HY2.0-4P (top edge) — default PortC UART:

Pin 1  Black   GND
Pin 2  Red     +5V (USB or boost; ~500 mA budget)
Pin 3  White   G2 (UART RX or I²C SDA when re-tasked)
Pin 4  Yellow  G1 (UART TX or I²C SCL when re-tasked)

14-pin EXT bus (underside) — Cap mating:

Pin 1   3V3              (~200 mA budget)
Pin 2   5V_IN            (~500 mA budget, shared with Grove)
Pin 3   EXT RESET (G3)
Pin 4   EXT INT (G4)
Pin 5   EXT CS (G5)
Pin 6   EXT BUSY (G6)
Pin 7   I²C SDA (G8)     [shared primary bus]
Pin 8   I²C SCL (G9)
Pin 9   EXT UART TX (G15)  [to GNSS RX]
Pin 10  MISO (G39)
Pin 11  SCK (G40)
Pin 12  MOSI (G14)
Pin 13  EXT UART RX (G13)  [from GNSS TX]
Pin 14  GND

4. Firmware decision tree

What's the use case?
        │
        ├─ Pentest → Bruce (most features, AGPLv3) OR
        │           NEMO (smaller, MIT, BadUSB Hunter) OR
        │           Marauder (best PCAP export) OR
        │           BadCard (BadUSB only, MIT) OR
        │           Evil-Portal-standalone (captive portal only)
        │
        ├─ Off-grid mesh → Meshtastic (with Cap LoRa-1262)
        │                  CardputerLoRaChat (simple P2P)
        │                  LoRa-APRS (licensed hams)
        │
        ├─ Embedded dev → Arduino IDE + M5Cardputer (quick sketches)
        │                 PlatformIO + M5Cardputer (serious projects)
        │                 MicroPython + mpremote (scripting)
        │                 UiFlow 2 (block coding)
        │                 ESP-IDF (low-level)
        │
        ├─ Home automation → ESPHome (Home Assistant satellite)
        │
        ├─ Retro gaming → cardputer-nofrendo (NES)
        │                Walnut-CGB (Game Boy / GBC)
        │                m5cardputer_doom (Doom)
        │
        └─ Audio / niche → RHesus-RAdio (internet radio)
                            m5Cardputer_audiospectrum (FFT)
                            esp-now-talkie (walkie-talkie)
                            PyDOS (DOS-shell)

ALWAYS install M5Launcher in app0 FIRST. Esc-on-boot = recovery.
Partitions (default scheme): nvs / app0=M5Launcher (subtype test) /
app1=ota_0 (the one OTA slot) / vfs=FAT / spiffs / coredump.
Device's CFG > List of Partitions shows: OTA, FAT, SPIFFS.
CFG > Change Partition Scheme switches Default/Doom/UiFlow/GameStation.
Save SPIFFS + Save FAT vfs BEFORE any scheme change (it wipes them).

5. Pentest attack quick-ref

Attack	Firmware	Menu path	SD output	Time-to-effect
Evil Portal	Bruce	WiFi → Evil Portal → Start	`/bruce/portals/captures.csv`	Captures arrive when users join + submit
EAPOL handshake capture	Marauder	WiFi → Sniffers → WiFi Pkt Capture	`/captures/wifi_NN.pcap`	Immediate (passive); deauth induces re-handshake
PMKID capture	Marauder	WiFi → Sniffers → WiFi Pkt Capture	`/captures/pmkid_NN.pcap`	Opportunistic — minutes-to-hours
Deauth	Bruce / Marauder	WiFi → Attacks → Deauth	none (capture separately)	Clients disconnect in 1-2 sec
Beacon spam	Bruce	WiFi → Attacks → Beacon Flood	none	iOS UI denial within ~10-15 sec
Sour Apple BLE	Bruce	BLE → BLE Spam → Sour Apple	none	iOS pairing prompts within seconds
Swiftpair BLE	Bruce	BLE → BLE Spam → Swiftpair	none	Windows toast queue within seconds
Mifare Classic crack	Bruce	RFID → Mifare → Default Key	`/rfid/dumps/uid_XXXX.dump`	~30 sec for default keys
CC1101 sub-GHz replay	Bruce	SubGHz → Read RAW + Replay	`/subghz/raw_NN.sub`	Per-button-press
IR TV-B-Gone	Bruce / NEMO	IR → TV-B-Gone	none	Loops through codes for ~30 sec
BadUSB DuckyScript	M5Launcher / BadCard	Files → BadUSB → Run	none	~3 sec injection

6. Meshtastic preset table

Preset	SF/BW/CR	ToA (50B)	Realistic range	Use case
VeryLongSlow	SF12/125/4/8	~3.5 s	15-25 km LoS	Long-range relays in remote terrain
LongSlow	SF12/250/4/5	~1.8 s	10-20 km LoS	Long-range moderate traffic
LongFast (default)	SF11/250/4/5	~510 ms	5-10 km mixed	General-purpose mesh chat
MediumSlow	SF10/250/4/5	~290 ms	2-5 km urban	Dense mesh
MediumFast	SF9/250/4/5	~155 ms	1-3 km	Urban high-density
ShortSlow	SF8/250/4/5	~95 ms	500 m - 1.5 km	High-traffic mesh
ShortFast	SF7/250/4/5	~50 ms	200-500 m	Very high traffic
ShortTurbo	SF7/500/4/5	~25 ms	200 m heavy traffic	Maximum capacity

Region preset is mandatory — Settings → Region → US (915 MHz) / EU868 / JP / CN / IN / RU.

Rule of thumb: +1 SF doubles range + ToA; +1 BW step halves both.

7. Module ecosystem one-page reminder

Cap modules (14-pin EXT, one at a time, daughter card):

Cap LoRa-1262 ($24-30) — SX1262 LoRa + AT6668 GNSS. The flagship.

Grove Units (HY2.0-4P top edge, one at a time without PaHub):

Unit RFID2 (NFC, $12)
CC1101 Sub-GHz ($10)
Unit C6L (ESP32-C6 + SX1262 standalone, $15)
Unit ENV IV (temp/humid/pressure, $10)
Unit GPS V2 (standalone GNSS, $12)
Unit IR (with RX, $5)
Unit OLED (status display, $5)
PaHub (I²C mux 6-channel, $5)
PbHub (digital I/O 6-channel, $8)
Unit Thermal MLX90640 (thermal cam, $50)

HAT modules DO NOT FIT Cardputer ADV. Use Grove Unit equivalents.

M5MonsterC5 (Grove, $25-35) — ESP32-C5 coprocessor for 5 GHz Wi-Fi capability.

USB-C OTG: USB keyboard, USB-to-Serial console, USB-MIDI, USB mass-storage thumb drives, BadUSB Hunter HID inspection. NOT supported: USB Wi-Fi, USB Ethernet, webcams.

8. Flashing-method picker

Method	Best for	URL / command
Web flasher (M5Launcher)	First install of M5Launcher	https://bmorcelli.github.io/Launcher/
Web flasher (Bruce)	Bruce-only install	https://bruce.computer/
Web flasher (Meshtastic)	Meshtastic install	https://flasher.meshtastic.org/
M5Burner desktop	Fleet flashing, when Web Serial unavailable	https://docs.m5stack.com/en/download
esptool.py CLI	Scripting, CI, recovery	`pip install esptool`
OTA (in-firmware)	Update once installed + on Wi-Fi	Per-firmware UI
M5Launcher OTA menu	Day-to-day path once M5Launcher is in app0	M5Launcher → OTA

Backup factory firmware FIRST:

esptool.py --chip esp32s3 -p /dev/ttyACM0 -b 1500000 \
    read_flash 0 0x800000 stock_backup.bin

9. M5Launcher SD card layout reminder

/                          ← microSD root (FAT32 mandatory)
├── apps/                  ← Small .bin apps + apps.json metadata
├── BadUSB/                ← DuckyScript .txt (case-sensitive!)
├── firmware/              ← Chain-loadable .bin
├── presets/               ← RF/IR captures
│   ├── subghz/
│   └── ir/
├── imgs/                  ← Boot splash 240×135 .jpg/.bmp
├── themes/                ← Theme JSON (RGB565 palettes)
├── update/                ← Self-update path (Launcher.bin)
└── nvs_backup.bin         ← Settings restore

Bruce additions:
├── bruce/portals/         ← Evil Portal HTML + captures.csv
├── captures/wifi_NN.pcap  ← Wi-Fi PCAPs
├── rfid/captures/         ← RFID dumps + nonces
└── wardriving/wifi_NN.csv ← WiGLE-format wardriving logs

Critical:
- FAT32 required (exFAT iffy)
- Class 10 / U1 minimum (slow cards = OTA timeout)
- Case-sensitive directory names (/BadUSB/ not /badusb/)

10. Hashcat 22000 command reference

# Convert Marauder PCAP to hashcat format
hcxpcapngtool -o handshakes.hc22000 /path/to/wifi_NN.pcap

# Crack with rockyou wordlist
hashcat -m 22000 handshakes.hc22000 /path/to/rockyou.txt

# With rules (best64 — strong general-purpose)
hashcat -m 22000 handshakes.hc22000 rockyou.txt \
    -r /path/to/best64.rule

# Mask attack (8 chars all printable)
hashcat -m 22000 -a 3 handshakes.hc22000 '?a?a?a?a?a?a?a?a'

# 8-digit phone-number-style password
hashcat -m 22000 -a 3 handshakes.hc22000 '?d?d?d?d?d?d?d?d'

# 8-hex-character router default
hashcat -m 22000 -a 3 handshakes.hc22000 '?h?h?h?h?h?h?h?h'

# Resume interrupted run
hashcat --restore

# View cracked
hashcat -m 22000 handshakes.hc22000 --show

# GPU-only with status
hashcat -m 22000 handshakes.hc22000 rockyou.txt \
    -D 2 --status --status-timer 60

Mask character classes:

GPU rental (RunPod / Vast.ai): RTX 4090 ~$0.40-0.80/hr. 5-min rockyou run ≈ $0.05.

11. Regional LoRa rules

Region	Frequency	Max EIRP	Duty cycle
EU g1	868.0-868.6 MHz	+14 dBm	1%
EU g3	869.4-869.65 MHz	+27 dBm	10%
US	902-928 MHz	+30 dBm	None
AU/NZ	915-928 MHz	+30 dBm	None
JP	920.6-928 MHz	+13 dBm	10%

Cap LoRa-1262 default (+22 dBm + 3 dBi = +25 dBm EIRP):

US: ✓ compliant
EU g3: ✓ compliant
EU g1: ✗ NON-COMPLIANT — must firmware-clamp TX to ≤+11 dBm or run g3-only
JP: ✗ NON-COMPLIANT — must firmware-clamp TX to ≤+10 dBm

12. EIRP recalc after antenna upgrade

TX power	Antenna	EIRP	US	EU g1	EU g3	JP
+22 dBm	3 dBi	+25 dBm	✓	✗	✓	✗
+22 dBm	6 dBi	+28 dBm	✓	✗	✗	✗
+22 dBm	14 dBi (Yagi)	+36 dBm	✗	✗	✗	✗
+11 dBm	3 dBi	+14 dBm	✓	✓	✓	✓
+11 dBm	6 dBi	+17 dBm	✓	✗	✓	✗
+8 dBm	6 dBi	+14 dBm	✓	✓	✓	✓
+5 dBm	14 dBi	+19 dBm	✓	✗	✓	✗

ALWAYS recalculate after any antenna change. Higher gain = lower allowed TX in EU/JP.

13. Common build / flash errors

Symptom	Cause	Fix
”Cardputer” vs “Cardputer-Adv” binary mismatch	Wrong board variant	Reflash with the ADV-specific binary
Device won’t enumerate	Charge-only USB cable	Use data-capable cable
Device won’t charge	Side switch OFF	Slide switch ON
”No chip detected” in esptool	Not in download mode	Hold G0 during USB plug-in
Web flasher won’t connect	Wrong browser	Use Chrome / Edge / Brave
Flash succeeds, BLACK SCREEN	Wrong TFT pin map (custom build)	Verify build flags per Vol 3 § 2
Reboot loop “Brownout triggered”	Inadequate USB power	Better cable / fresh battery
OTA times out	Slow SD card	Class 10 / U1+ required
`multiple definition of 'tft'`	Two .cpp instantiate display	Only one Display.cpp
`error: 'X' was not declared`	arduino-esp32 version drift	`pio platform update espressif32`

14. Troubleshooting flow

Device won't boot?
    │
    ├─ Black screen → SD card formatted FAT32?
    │                 → Esc-on-boot to M5Launcher
    │                 → If still nothing: G0+USB to mask-ROM, reflash
    │
    ├─ Display on, looping → Settings → About → reads version?
    │                        Yes → app issue, Esc-on-boot recovery
    │                        No  → bootloader issue, reflash via mask-ROM
    │
    └─ Charges but won't power on → side switch ON? USB switch ON?

No scan results?
    │
    ├─ Wi-Fi scan empty   → Region setting matches venue?
    │                       → Antenna OK (PCB trace) on Cardputer?
    │                       → Channel-hop mode on, not stuck on one ch?
    │
    └─ BLE scan empty     → BLE radio enabled?
                            → No interfering Wi-Fi traffic?

Evil Portal not capturing?
    │
    ├─ SSID set correctly?
    ├─ Open security (no password)?
    ├─ Form HTML has action="/get" or "/post"?
    ├─ Form inputs have name= attributes?
    ├─ File at /bruce/portals/<name>/index.html?
    └─ Captive-portal sheets pop on test device?

LoRa TX silent?
    │
    ├─ FM8625H switch enabled?
    │  (PI4IOE5V6408 addr 0x43, port P0 = HIGH)
    │
    ├─ Antenna physically attached?
    │  (Never TX without antenna — PA damage)
    │
    └─ Region setting matches operating environment?
       (Some firmwares refuse TX if region mismatch detected)

hashcat says "No hashes loaded"?
    │
    └─ Run hcxpcapngtool first to convert PCAP → .hc22000 format

15. Key references in one block

Upstream

M5Stack Cardputer ADV: https://shop.m5stack.com/products/cardputer-kit-w-m5stamps3
M5Stack docs: https://docs.m5stack.com/en/core/Cardputer
Cap LoRa-1262: https://shop.m5stack.com/products/cap-lora1262-with-m5stack-cardputer-adv-edition
M5Cardputer library: https://github.com/m5stack/M5Cardputer
M5Unified: https://github.com/m5stack/M5Unified
M5Burner: https://docs.m5stack.com/en/download

Firmware

M5Launcher: https://github.com/bmorcelli/Launcher · https://bmorcelli.github.io/Launcher/
Bruce: https://github.com/BruceDevices/firmware · https://bruce.computer/
NEMO: https://github.com/n0xa/m5stick-nemo
Marauder: https://github.com/justcallmekoko/ESP32Marauder
Meshtastic: https://meshtastic.org/ · firmware https://github.com/meshtastic/firmware
MicroHydra: https://github.com/echo-lalia/MicroHydra
BadCard: https://github.com/VoidNoi/BadCard
Evil-Portal: https://github.com/marivaaldo/evil-portal-m5stack
Evil-M5: https://github.com/7h30th3r0n3/Evil-M5
CardputerLoRaChat: https://github.com/nonik0/CardputerLoRaChat

Tools

esptool: https://github.com/espressif/esptool
hashcat: https://hashcat.net/hashcat/
hcxtools: https://github.com/ZerBea/hcxtools
PlatformIO: https://platformio.org/
RadioLib: https://github.com/jgromes/RadioLib
TinyGPSPlus: https://github.com/mikalhart/TinyGPSPlus

Datasheets

ESP32-S3: https://www.espressif.com/sites/default/files/documentation/esp32-s3_datasheet_en.pdf
SX1262: https://www.semtech.com/products/wireless-rf/lora-connect/sx1262
TCA8418: https://www.ti.com/product/TCA8418
ES8311: https://www.everest-semi.com/
BMI270: https://www.bosch-sensortec.com/products/motion-sensors/imus/bmi270/

Regulatory

US FCC §15.247: https://www.fcc.gov/general/title-47-code-federal-regulations
EU ETSI EN 300 220: https://www.etsi.org/
US CFAA: https://www.law.cornell.edu/uscode/text/18/1030
EU GDPR: https://gdpr.eu/

Community

Cardputer Wiki: https://cardputer.wiki
r/CardPuter (Reddit)
Cardputer Discord (linked from wiki)
M5Stack community forum: https://community.m5stack.com/
Awesome M5Stack Cardputer (terremoth): https://github.com/terremoth/awesome-m5stack-cardputer

Hack Tools cross-references

../../../_shared/comparison.md — cross-tool decision matrix
../../../_shared/capability_matrix.html — sortable matrix
../../../_shared/legal_ethics.md — Hack Tools shared posture
../../../ESP32 Marauder Firmware/03-outputs/ESP32_Marauder_Firmware_Complete.html — platform-neutral Marauder
../../../Flipper Zero/03-outputs/Flipper_Zero_Complete.html — Flipper Zero
../../../Bus Pirate 6/03-outputs/BusPirate6_Complete.html — wired-protocol bring-up

This is the final volume of the M5Stack Cardputer ADV 12-volume series. Print, laminate, carry.

M5Stack Cardputer ADV Volume 12 — Cheatsheet (the laminate-ready field card)

Contents