M5Stack M5StickS3 Volume 11 — Operational Posture
250 mAh battery realities, thermal under 1 W speaker, audio-bug legal landscape, Espressif OUI, chain-of-custody
1. About this volume
Vol 11 is the operational-posture synthesis for M5StickS3. Most considerations parallel the Cardputer ADV (Vol 11 there) — Wi-Fi attack detection, Espressif OUI fingerprinting, RF safety, chain-of-custody.
The M5StickS3-specific concerns that dominate this volume:
- The 250 mAh battery — fundamentally reshapes every engagement plan vs the Cardputer ADV’s 1750 mAh.
- The audio-bug legal landscape — the M5StickS3’s voice-recording capability + wearable + magnetic-back form factor creates legal exposure the Cardputer ADV doesn’t have at this risk level.
- Thermal under sustained audio playback — 1 W speaker continuous = real thermal load on a small device.
The “own the airspace + own the hardware target + know your audio-recording jurisdiction” rule is the operational frame.
2. Detection signatures across attack modes
| Attack mode | Signature | Detection ease |
|---|---|---|
| Wi-Fi deauth (Bruce / Evil-M5Project) | Burst of deauth frames sourced from spoofed AP MAC | Trivial — every Wi-Fi IDS has deauth-flood rules |
| Wi-Fi beacon spam | Rapid unique-SSID beacons; non-allocated OUI MACs | Trivial |
| Evil Portal SoftAP | New open SSID; Espressif OUI MAC unless spoofed; HTTP Server: response header reveals firmware | Trivial |
| BLE-spam Sour Apple (via Evil-M5 fork or Bruce) | Rapid Apple-Continuity advertising; rotating BD_ADDRs but stable subtypes | Moderate — BLE-aware IDS detects |
| IR TV-B-Gone | Visible IR LED blink; remote-controlled devices reacting | Easy if anyone’s watching, otherwise silent |
| BadUSB HID injection | macOS “Keyboard Setup Assistant” pops; Windows more permissive | Moderate — UI-level detection on macOS |
| Audio playback (sustained at high volume) | Acoustically detectable by anyone in range | Trivial — any human in earshot hears it |
| Audio recording (passive) | None on the wire; legal-detectable if jurisdiction has audio surveillance laws | Wire-level: undetectable; legal-level: prosecutable in some jurisdictions |
| EAPOL handshake capture (pure passive) | None | Undetectable |
| PMKID capture (pure passive) | None | Undetectable |
M5StickS3-unique in this table:
- Audio playback is the loudest “attack” the M5StickS3 can do — and it’s not even an attack; it’s the device emitting sound. In covert scenarios, audio playback is the equivalent of a flashlight in stealth context.
- Audio recording has no on-the-wire signature — but has strict legal-detectability in jurisdictions with audio surveillance laws (Vol 11 § 7).
Espressif OUI fingerprinting: same as Cardputer ADV — Espressif’s MAC OUI prefixes (F4:12:FA, EC:DA:3B, 34:85:18, FC:F5:C4, etc.) are how rogue-AP scanners spot Espressif-class hardware. Bruce’s “Spoof MAC” feature randomizes the OUI to a non-Espressif range, breaking this fingerprint. M5StickS3 firmwares should expose the same setting.
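As an added detection-side example (not code from the page or from any firmware named above), the shell functions below classify constructed scan lines by the Espressif OUI prefixes listed in this section and, going one step beyond the text, also mark locally-administered MACs (U/L bit set), which is the shape a randomized "Spoof MAC" address usually takes. The sample scan lines and the SSIDs in them are constructed.

```shell
#!/bin/sh
# Added example: OUI-based flagging of scan results. The OUI list is the one
# quoted in this volume and is not exhaustive; a spoofed MAC defeats the check,
# which is why the locally-administered hint is reported as a separate class.

# Constructed sample scan output, one "BSSID SSID" pair per line.
SAMPLE_SCAN='F4:12:FA:11:22:33 FreeWifi
34:85:18:AA:BB:CC Lobby-Guest
00:1A:2B:3C:4D:5E CorpNet
ec:da:3b:01:02:03 Setup-Portal
02:9A:7C:55:66:77 FreeWifi'

# Espressif OUI prefixes named in this volume (partial list).
ESPRESSIF_OUIS='F4:12:FA EC:DA:3B 34:85:18 FC:F5:C4'

# classify_bssid MAC -> prints espressif-oui | locally-administered | other
classify_bssid() {
  mac=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  oui=${mac%:*:*:*}            # keep the first three octets
  for p in $ESPRESSIF_OUIS; do
    if [ "$oui" = "$p" ]; then printf 'espressif-oui\n'; return 0; fi
  done
  # The U/L bit is bit 1 of the first octet: set when the second hex digit
  # is 2, 3, 6, 7, A, B, E or F. Randomized MACs normally set it.
  case "$mac" in
    ?[2367ABEF]:*) printf 'locally-administered\n' ;;
    *)             printf 'other\n' ;;
  esac
}

# flag_scan SCAN_TEXT -> one "class BSSID SSID" line per non-empty input line.
flag_scan() {
  printf '%s\n' "$1" | while read -r bssid ssid; do
    [ -n "$bssid" ] || continue
    printf '%s %s %s\n' "$(classify_bssid "$bssid")" "$bssid" "$ssid"
  done
}

# Usage: flag_scan "$SAMPLE_SCAN"
```

Only the OUI class is a direct Espressif indicator; a locally-administered address on a new open SSID is a prompt to look closer, not proof of anything.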
3. Regional rules (LoRa-free Stick — Wi-Fi/BLE focused)
The M5StickS3 has no LoRa (no Cap LoRa-1262 equivalent — no EXT bus). The LoRa regional rules from Cardputer ADV Vol 11 § 3 don’t apply.
Wi-Fi 2.4 GHz regional rules apply identically to any 2.4 GHz device:
| Region | Frequency | Max EIRP | Notes |
|---|---|---|---|
| US (FCC §15.247) | 2400-2483 MHz | +30 dBm (1 W) for FHSS/DSSS; +20 dBm (100 mW) typical | Wi-Fi devices typically run +14-+20 dBm |
| EU (ETSI EN 300 328) | 2400-2483.5 MHz | +20 dBm EIRP | Strict |
| JP (ARIB STD-T66) | 2400-2483.5 MHz | +20 dBm EIRP | Similar to EU |
| Other regions | Similar variants | Generally +20 dBm cap |
The M5StickS3’s ESP32-S3 at +20 dBm (100 mW) is within all major-region limits. No EIRP-compliance gotcha like the Cap LoRa-1262’s EU g1 issue.
BLE 2.4 GHz rules: subset of Wi-Fi rules. BLE TX at +20 dBm is universally legal in ISM 2.4 GHz.
4. The 250 mAh battery posture
The constraint that defines M5StickS3 use cases.
Battery life math
| Mode | Current (mA) | Battery life (250 mAh full charge) |
|---|---|---|
| Deep sleep (display off, radios off) | ~0.5 µA | Weeks (theoretical) |
| Display backlight only (no Wi-Fi / radios) | ~50 mA | ~5 hours |
| Wi-Fi station idle connected | ~80 mA | ~3 hours |
| Wi-Fi scan continuous | ~120 mA | ~2 hours |
| Sustained Wi-Fi TX (deauth spam) | ~200-280 mA peak | ~50-60 minutes |
| Audio playback at low volume | ~150-200 mA | ~1.3-1.7 hours |
| Audio playback at full 1 W speaker output | ~280-320 mA peak | ~50 minutes |
| Audio recording (mic only, low display) | ~95 mA | ~2.5 hours |
| ESP-NOW walkie-talkie active | ~200-250 mA | ~1.0-1.2 hours |
| Wake-word detection idle | ~85 mA | ~3 hours |
Pattern: every “active” mode drops battery life below 3 hours. Multi-hour engagements not feasible without USB-C power or external power bank.
Brownout posture
ESP32-S3 brownout detector trips at ~2.7 V (configurable). Under sustained TX-spam or full-volume audio on a weak battery:
- Supply rail dips during current peaks
- If dip exceeds threshold + hysteresis, SoC resets
- Attack/audio “stops working” mid-session — actually the device rebooted
Mitigations:
- Fresh battery — 250 mAh degrades faster than larger cells; replace every 6-12 months for daily use.
- Known-good USB cable when on USB power.
- Lower audio volume if running audio simultaneously with Wi-Fi.
- Firmware-side rebuild with a relaxed brownout threshold: select CONFIG_ESP_BROWNOUT_DET_LVL_SEL_5 in sdkconfig (Vol 10).
Practical operational wisdom
| Use case | Duration | M5StickS3 viable? |
|---|---|---|
| Quick site survey (<30 min) | Short | ✓ Yes |
| Sustained passive scan (~2 hr) | Moderate | ✓ Manage thermal + battery |
| Sustained Wi-Fi TX-spam | Long | ✗ Battery limit; use Cardputer ADV |
| Multi-hour audio recording | Long | ✓ if mic-only (~2.5 hr); ✗ if playback |
| Continuous wake-word listening | Hours | ✓ (~3 hr battery, near-free CPU) |
| USB-C tethered operation | Unlimited | ✓ Removes battery limits |
| Wall-mount / desk-stand with USB power | Always-on | ✓ Practical for HA / ESPHome use |
Plan engagements <30 min for safety margin; <2 hr for scan-only.
5. Thermal under sustained audio + TX
M5StickS3’s small enclosure (48×24×15 mm) + sustained 1 W speaker + ESP32-S3 at 240 MHz = real thermal load.
After 15-20 minutes of continuous playback at full volume:
- Case palpably warm to touch
- ESP32-S3 die temperature ~80-90 °C (below 125 °C throttle but warm)
- Speaker driver gets warm; cone displacement may drift if continuous high SPL
- Battery may also warm (LiPos accept some heat but >40 °C accelerates aging)
Recommendations:
- Take breaks: 15 min playback / 5 min rest cycles
- Lower volume: 50% volume halves the power; thermal load drops proportionally
- Don’t fully enclose: pocket use is OK because pockets breathe; sealed enclosures trap heat
- Avoid direct sun: ambient temp + audio thermal load can exceed safe operating temp (>40 °C)
For continuous audio operation: lower volume + take breaks.
6. RF safety
+20 dBm (100 mW) max Wi-Fi/BLE — same as Cardputer ADV. Body-distance operation well within SAR safety limits.
Antenna: PCB-trace on the Stamp-S3A SIP package — cannot be disconnected accidentally. Open-load damage risk: minimal (PCB antenna can’t be unplugged like an SMA whip).
RF exposure: 100 mW is much lower than smartphone cellular (typically +33 dBm = 2 W peak) or microwave oven RF (kilowatts, far higher frequency). M5StickS3 RF emissions are negligible from a body-exposure perspective.
7. Audio-bug legal posture (the load-bearing volume section)
The most legally hazardous M5StickS3 use case.
US federal law
Federal Wiretap Act (Title III, 18 USC §§ 2510-2522): prohibits interception of “oral communications” — defined as private communications spoken with reasonable expectation of privacy.
Federal interpretation: “one-party consent” — if one party (the operator) consents to recording, it’s legal under federal law. Most federal investigations proceed under this.
Federal exceptions: recording where no party consents is always illegal under federal law, regardless of state law. Surveillance of others’ private conversations without participation = federal felony.
US state law (more restrictive than federal)
Two-party / all-party consent states: 11 US states (as of 2026-05-13) require all parties to consent before recording. Operating without all-party consent in these states is a criminal offense, typically a felony:
| State | Statute | Notes |
|---|---|---|
| California | CA Penal Code §§ 631, 632 | Strict; civil + criminal exposure |
| Florida | FL Stat. § 934.03 | Felony |
| Illinois | 720 ILCS 5/14-2 | “Eavesdropping” statute |
| Maryland | MD Cts. Jud. Proc. § 10-402 | Strict |
| Massachusetts | Mass. Gen. Laws ch. 272 § 99 | “Recording in secret” prohibited |
| Montana | Mont. Code Ann. § 45-8-213 | Strict |
| Nevada | NRS 200.620 | Strict |
| New Hampshire | NH Rev. Stat. § 570-A:2 | Strict |
| Pennsylvania | 18 Pa. Cons. Stat. § 5704 | Strict |
| Vermont | Vermont Supreme Court rulings | Common-law-derived |
| Washington | RCW 9.73.030 | “Privacy Act” |
The other 39 US states use one-party consent. Recording in those is legal as long as the operator is a party to the conversation.
EU + UK
GDPR (Regulation 2016/679): voice is personal data. Recording voice without lawful basis (consent / legitimate interest / legal obligation) is a regulatory violation. Penalties up to 4% of global annual revenue for organizations; criminal exposure under national laws for individuals.
UK Investigatory Powers Act 2016: regulates electronic interception. Strict criminal penalties for unauthorized interception.
National variations: each EU member state has slightly different rules.
- Germany (StGB § 201): “Spoken word” prohibition — strict.
- France: similar one-party consent + GDPR overlay.
- Italy: strict; criminal exposure.
- Netherlands: one-party consent.
Other jurisdictions
- Canada: Criminal Code § 184 — one-party consent.
- Australia: state-by-state. Generally restrictive (similar to two-party consent).
- Japan: Wiretap Act prohibits private-conversation recording without consent. Cultural norm: even one-party recording is socially censured.
- Singapore: similar to UK/Australia.
- Russia / China / restrictive regions: assume strict prohibitions + severe consequences (criminal + administrative).
Operational rule for M5StickS3 covert-audio use
The M5StickS3 can technically be deployed as a covert audio recorder. The operator must not, except under explicit authorization.
Practical operational discipline:
- Know your jurisdiction — US state of operation drives the rule. EU jurisdiction drives the rule. Travel jurisdictions matter.
- Document authorization — written, signed, scope-specified, before engagement starts.
- Time-box — shorter is safer.
- Don’t deploy in spaces where third parties might be present without all-party consent: schools, hospitals, courthouses, public accommodations have additional rules.
- Sanitize recordings post-engagement — chain-of-custody discipline (§ 11).
- For tjscientist’s own bench: recording yourself / your own equipment / your own private spaces = legal everywhere. This is the safe operating envelope.
For personal use (voice memos, audio note-taking, sound recording of your own activities): no legal exposure.
For engagement work: get authorization, document, time-box, sanitize.
For public-space deployment (magnetic-back stick on the side of a server rack with audio recording): only with explicit authorization from the venue + all parties present. Otherwise: don’t.
The form-factor + capability profile makes this device a temptation. Don’t yield to it without authorization.
8. BadUSB legal posture
HID injection works only against unlocked targets or systems that auto-accept new HID devices (most do: macOS raises a “new keyboard” Keyboard Setup Assistant prompt, and most users click through it).
Legal posture: HID injection of payloads on systems you don’t own is unauthorized computer access. Even harmless payloads (Rick-Roll, screen lock) constitute a violation:
- US: 18 USC § 1030 (CFAA) — unauthorized access; up to 10 years for some violations
- EU: national computer-misuse laws (UK Computer Misuse Act, German StGB § 202a/b/c)
- AU/NZ/CA/JP: equivalent statutes
Authorized engagement scope is the only safe operating envelope.
Even with authorization: log every BadUSB execution with timestamp + target machine identifier + payload hash. Defensible documentation is mandatory.
9. LiPo handling — small-cell-specific concerns
250 mAh small-cell concerns:
Aging: small cells age faster than large ones — internal resistance grows quicker, capacity drops faster. Expect ~200-300 charge cycles before significant capacity loss (vs ~500+ for the Cardputer ADV’s 1750 mAh).
Replacement frequency: every 6-12 months for daily use. Vendor part availability TBD.
Safety rules (apply universally to LiPos but more critical at small capacity):
- Never short-circuit the cell terminals.
- Never charge a damaged or punctured cell — small cells reach unsafe temperatures faster.
- Storage: ~50% charge for long shelf life. Full charge accelerates aging.
- Temperature: 0-40 °C operating; degrades faster >30 °C at full charge; avoid >50 °C entirely.
- If swelling observed: discontinue use immediately. Dispose properly (battery recycling, not regular trash).
- For battery replacement: source 251015 / 401015 form-factor LiPos from RC hobby suppliers. Verify JST-PH 2-pin polarity (red = +, black = −) before connecting.
10. Charging gotchas
USB-C charging at ~500 mA. Full charge from empty: ~30-45 minutes.
Side switch or button-based power:
Unlike the Cardputer ADV (slide switch), the M5StickS3 likely uses button-based power:
- Short-press power button → wake from sleep
- Long-press power button (>2 sec) → force shutdown
Charging while powered off: behavior depends on PMIC (TBD pending hardware inspection). AXP2101-class PMICs typically allow charging in any power state.
Charge-only cables: as with all USB-CDC devices, M5StickS3 requires a data-capable USB cable for flashing + serial console. Charge-only cables lack data lines, block enumeration.
Charging current: don’t charge from cables that supply more than 1 A — small batteries shouldn’t exceed 1C charge rate (so 250 mAh = 250 mA max charge current). M5StickS3’s internal charge controller limits charge current to safe levels, but external high-power chargers may stress the controller.
11. Chain-of-custody for captures
Audio captures + Wi-Fi captures from M5StickS3 are evidence-grade material:
- Hash at capture-time: sha256sum of every file. Document the hash + the device + the date.
- Encrypted archive only for transfer:
  ```sh
  tar -czf captures.tar.gz /mnt/m5sticks3/
  age -p captures.tar.gz > captures.tar.gz.age   # Password-encrypted
  # OR
  gpg -c captures.tar.gz                         # GPG symmetric encrypt
  ```
- Out-of-band hash verification — share hash via separate channel.
- Secure-erase source flash / SD post-engagement:
  ```sh
  # For Hat2 SD card: overwrite the whole device, then recreate the partition
  # table and filesystem (dd wipes the old table, so /dev/sdX1 no longer exists).
  sudo dd if=/dev/urandom of=/dev/sdX bs=4M status=progress
  sudo parted --script /dev/sdX mklabel msdos mkpart primary fat32 1MiB 100%
  sudo mkfs.vfat -F 32 /dev/sdX1
  # For internal flash: erase, then restore the stock image backed up earlier.
  esptool.py --chip esp32s3 -p /dev/ttyACM0 erase_flash
  esptool.py --chip esp32s3 -p /dev/ttyACM0 -b 1500000 write_flash 0x0 stock_backup.bin
  ```
- Audio captures specifically: more sensitive than Wi-Fi captures because they contain identifiable voice + ambient personal data. Treat with higher security discipline:
  - Hash + encrypt within minutes of recording end
  - Don’t keep originals on the M5StickS3 longer than necessary
  - Document chain of custody for legal defense
- Retention: only what scope authorizes. Purge bystander data with documentation.
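The capture-time hashing described in this section and the per-execution BadUSB log required in § 8 (timestamp + target identifier + payload hash) both come down to the same routine: a manifest that binds file hashes to device, operator and time, and a later check that nothing changed. The shell functions below are an added example, not code from the page; the manifest layout and the device/operator identifier strings are assumptions, and the files to be hashed are supplied by the caller.

```shell
#!/bin/sh
# Added example: capture-time hash manifest for chain of custody.
# Assumed layout: "# key: value" header lines, then "sha256  ./relative-path".

# Portable SHA-256 of one file: coreutils sha256sum, or BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# make_manifest DIR DEVICE_ID OPERATOR MANIFEST_PATH
# Writes who/what/when, then one hash line per file under DIR (sorted, so two
# runs over the same tree produce the same manifest). Run this before the
# captures leave the device so the hashes are fixed at capture time.
make_manifest() {
  dir=$1; device=$2; operator=$3; out=$4
  {
    printf '# device: %s\n' "$device"
    printf '# operator: %s\n' "$operator"
    printf '# created_utc: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    ( cd "$dir" && find . -type f ! -name "$(basename "$out")" | LC_ALL=C sort ) |
    while read -r f; do
      printf '%s  %s\n' "$(sha256_of "$dir/$f")" "$f"
    done
  } > "$out"
}

# verify_manifest DIR MANIFEST_PATH -> 0 if every listed file still matches,
# 1 if any file is missing or its hash differs (each mismatch is reported).
verify_manifest() {
  dir=$1; manifest=$2; bad=0
  while read -r hash f; do
    case "$hash" in '#'*|'') continue ;; esac
    if [ ! -f "$dir/$f" ] || [ "$(sha256_of "$dir/$f")" != "$hash" ]; then
      printf 'MISMATCH %s\n' "$f" >&2; bad=1
    fi
  done < "$manifest"
  return $bad
}

# Usage: make_manifest /mnt/m5sticks3 m5sticks3-lab-01 operator-example \
#          /mnt/m5sticks3/manifest.sha256
#        verify_manifest /mnt/m5sticks3 /mnt/m5sticks3/manifest.sha256
```

Share the manifest’s hashes over a separate channel, as the out-of-band step above requires; a manifest that travels inside the same encrypted archive only proves the archive is self-consistent.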
Cross-ref: Cardputer ADV Vol 11 § 11 + Marauder Firmware Vol 11 § 7 for the same discipline applied to platform-neutral captures. The Hack Tools shared posture in ../../../_shared/legal_ethics.md carries.
12. When NOT to use the M5StickS3
Scenarios where M5StickS3 is the wrong tool:
| Scenario | Why M5StickS3 is wrong | Better alternative |
|---|---|---|
| Multi-hour engagement (>2 hr) | 250 mAh battery limit | Cardputer ADV or USB-powered device |
| QWERTY-typing-heavy workflow | No keyboard | Cardputer ADV |
| 5 GHz Wi-Fi work | ESP32-S3 silicon 2.4-only | M5MonsterC5 via Grove or Linux laptop |
| LoRa / off-grid mesh | No LoRa hardware | Cardputer ADV + Cap LoRa-1262 |
| Sub-GHz CC1101 work | No on-board CC1101; Hat2 ecosystem thin | Cardputer ADV with CC1101 Grove or BadCard |
| Public-space deployment with audio recording | Legal landmine — strict two-party consent jurisdictions | Don’t (or only with extreme legal cover) |
| Bench-class debugging | M5StickS3 too small | BP6 / HackRF |
| Sustained playback / music | 250 mAh + 1 W speaker drains fast | Different audio platform |
| Hostile-jurisdiction travel | Customs ambiguity for “hacker gadget” — magnetic-back + audio recording particularly suspect | Don’t carry; ship from in-country vendor if needed |
| BT-classic device enumeration | ESP32-S3 has BLE 5.0 only | M5StickC Plus 2 (classic ESP32) |
| Heavy on-device computation | LX7 is fine but Cardputer ADV has same silicon with more battery for sustained work | Cardputer ADV |
| Camera applications | No camera | M5Stack Core S3 or Atom S3R |
13. Pre-engagement checklist
Before any non-trivial engagement, verify each item:
- Written authorization signed and dated, covering target scope (network / hardware / location / time window)
- RF coverage scope specified (target SSIDs / BSSIDs / geographic area)
- Attacks permitted listed (deauth? Evil Portal? BLE-spam? IR? BadUSB? Audio recording?)
- Audio recording authorization documented separately if audio is in scope — especially critical
- Two-party-consent state check done if recording in US — list of states in § 7
- Stop condition defined (time limit, signal-of-completion)
- Battery charged (250 mAh; engagement < 30 min battery; ≤2 hr scan-only)
- Firmware version locked (specific tag, not master HEAD)
- Region setting matches venue (US / EU / JP)
- Target BSSID(s) configured if surgical attacks planned
- MAC randomization enabled (Bruce Settings → Spoof MAC)
- Capture destination + extraction plan — where do logs/audio/PCAPs go after engagement?
- Sanitization plan — how / when SD content + flash erased
- Bystander mitigation — narrow targeting only; no broadcast attacks in public spaces
- Discovery response (if observed, stop, produce authorization, document)
- Out-of-band channel prepared for security team to reach me
If any item isn’t checked, abort.
14. Resources
Legal references
- US CFAA (18 USC § 1030): https://www.law.cornell.edu/uscode/text/18/1030
- US ECPA (18 USC §§ 2510-2522): https://www.law.cornell.edu/uscode/text/18/part-I/chapter-119
- US Federal Wiretap Act: https://www.law.cornell.edu/uscode/text/18/2510
- US FCC §15.247 (US ISM rules): https://www.fcc.gov/general/title-47-code-federal-regulations
- EU GDPR: https://gdpr.eu/
- UK Computer Misuse Act: https://www.legislation.gov.uk/ukpga/1990/18
- UK Investigatory Powers Act 2016: https://www.legislation.gov.uk/ukpga/2016/25
- US two-party-consent state laws: cited individually in § 7
Hack Tools shared posture
../../../_shared/legal_ethics.md — project-wide rules
Cross-references
- Audio chain detail (battery realism per mode): Vol 5 § 11
- Audio-bug legal landscape: Vol 5 § 10
- Wearable deployment patterns: Vol 9 § 7
- Cardputer ADV operational posture: ../../../M5Stack Cardputer ADV/03-outputs/Cardputer_ADV_Complete.html Vol 11
- Marauder Firmware operational posture: ../../../ESP32 Marauder Firmware/03-outputs/ESP32_Marauder_Firmware_Complete.html Vol 11
This is Volume 11 of a twelve-volume series. Next: Vol 12 is the laminate-ready cheatsheet — synthesis of every preceding volume’s most-referenced content.