M5Stack M5StickS3 Volume 12 — Cheatsheet (the laminate-ready field card)

Contents

Section	Topic
1	About this volume
2	Hardware quick-facts panel
3	Pinout one-page reference
4	Firmware decision tree
5	Audio recipes quick-ref (the standout)
6	Battery-life realism table
7	Pentest quick-ref
8	Hat + Unit family compatibility one-page
9	Flashing-method picker
10	Regional Wi-Fi/BLE rules
11	Audio-bug legal quick-ref (the load-bearing section)
12	Common build / flash errors
13	Troubleshooting flow
14	Pre-engagement checklist (one-page)
15	Key references in one block

---

1. About this volume

Vol 12 is the laminate-ready field card — synthesis of every preceding volume’s most-referenced content. Print, laminate, carry. In the field, lookups are by section number.

Pages are sized for typical 8.5×11 or A4 print at readable type size. Some sections are dense — print at 100% scale, not “fit to page”.

---

2. Hardware quick-facts panel

┌──────────────────────────────────────────────────────────────┐
│ M5Stack M5StickS3 — K150                                     │
├──────────────────────────────────────────────────────────────┤
│ MCU       ESP32-S3-PICO-1-N8R8 (SIP) · LX7 dual @ 240 MHz    │
│           8 MB flash + 8 MB OPI PSRAM                        │
│           Wi-Fi 4 2.4 GHz · BLE 5.0 · Native USB-CDC         │
│ Display   1.14" 135×240 IPS · ST7789P3 · SPI                 │
│ Audio     ES8311 codec · MEMS mic 65dB · AW8737 amp · 1W spk │
│           ← THE STANDOUT FEATURE (Vol 5)                     │
│ IR        TX + RX (both — Cardputer ADV is TX only)          │
│ IMU       6-axis (BMI270 or MPU6886 — verify on hardware)    │
│ Buttons   Programmable A + B + power                         │
│ Storage   No on-board microSD (Hat2 add-on for SD)           │
│ Battery   250 mAh LiPo · USB-C charge                        │
│           ← THE LIMITING FACTOR (Vol 11 § 4)                 │
│ Expansion 1× Hat2 16-pin (top) + 1× HY2.0-4P Grove (side)    │
│ Form      48 × 24 × 15 mm · 20 g · MAGNETIC BACK             │
└──────────────────────────────────────────────────────────────┘

Most-common first-time mistake: wrong USB device path.
M5StickS3 uses /dev/ttyACM0 (native USB-CDC), NOT /dev/ttyUSB0.

Most-common build-flag mistake: missing OPI PSRAM flag.
Add: board_build.arduino.memory_type = qio_opi

---

3. Pinout one-page reference

Critical GPIOs (verify against M5Unified source on hardware):

GPIO	Function
0	BOOT button — hold during USB plug-in for download mode
1, 2	Grove TX/RX (UART) or secondary I²C SCL/SDA
8, 9	Primary I²C SDA/SCL (codec + IMU + Hat2 I²C)
10	Battery ADC
13, 19, 21	IR (TX + RX pins — verify)
14	SPI MOSI (shared display + Hat2)
18, 19	USB D-/D+ (native)
39	SPI MISO
40	SPI SCK
41-43, 46	I²S audio (ES8311)

Grove HY2.0-4P (side):

Pin 1  Black   GND
Pin 2  Red     +5V (USB or boost; ~250-500 mA budget)
Pin 3  White   G2 (UART RX or I²C SDA when re-tasked)
Pin 4  Yellow  G1 (UART TX or I²C SCL when re-tasked)

Hat2 16-pin (top) — pinout TBD pending vendor PDF; expected layout per Vol 3 § 4:

1   3V3      2   5V         3   GND       4   GND
5   RESET    6   INT        7   SDA       8   SCL
9   UART TX  10  MISO       11  SCK       12  MOSI
13  UART RX  14  CS         15  GPIO      16  GPIO

---

4. Firmware decision tree

What's the use case?
  ├─ Pentest             → Evil-M5Project (preferred — M5Stack-aware)
  │                         OR Bruce-for-stick (if S3-stick port good)
  │                         OR Marauder Cardputer port (PCAP best)
  ├─ Off-grid mesh       → N/A — no LoRa. Use Cardputer ADV + Cap LoRa-1262.
  ├─ Embedded dev        → Arduino + M5Unified or PlatformIO
  ├─ Block coding        → UiFlow 2 (M5Stack official)
  ├─ Home automation     → ESPHome
  ├─ Audio work          → Custom (Vol 10 § 5) + RHesus-RAdio + esp-now-talkie
  └─ Voice command       → esp-skainet integration

Recommended setup: M5Launcher on factory (if supports M5StickS3) + Evil-M5Project on ota_0 + audio firmware on ota_1.

---

5. Audio recipes quick-ref (the standout)

The M5StickS3’s differentiator. One-page summary of Vol 5 + Vol 9 § 4:

Recipe	Firmware	Time-to-effect	Battery cost
Voice memo recorder	Custom (Vol 5 § 4) or MicroHydra	Immediate	~95 mA → 2.5 hours
ESP-NOW walkie-talkie	esp-now-talkie	Two devices same channel	~250 mA → 1 hour
Internet radio	RHesus-RAdio	Wi-Fi + URL	~150 mA → 1.5 hours
Audio FFT visualization	m5Cardputer_audiospectrum (ported)	Real-time	~120 mA → 2 hours
Wake-word detection	esp-skainet Multinet5	<5% CPU continuous	~85 mA → 3 hours (near-free)
Audio attack patterns (DTMF, etc.)	Custom firmware	Per recipe	Varies

---

6. Battery-life realism table

Critical reference (from Vol 11 § 4):

Mode	Battery life (250 mAh)
Display only	~5 hours
Wi-Fi scan	~2 hours
Sustained TX-spam	~50-60 minutes
Audio playback (full vol)	~50 minutes
Audio recording	~2.5 hours
Walkie-talkie	~1 hour
Wake-word idle	~3 hours

Plan engagements <30 min for safety margin; <2 hr for scan-only.

For longer: USB-C tethered or external power bank.

---

7. Pentest quick-ref

Attack	Firmware	Menu path	M5StickS3-specific notes
Wi-Fi deauth	Evil-M5Project / Bruce	WiFi → Attack → Deauth	Same as Cardputer ADV; smaller battery limits duration
Beacon spam	Evil-M5Project / Bruce	WiFi → Attack → Beacon Spam	iOS UI denial works the same
Evil Portal	Evil-M5Project / Bruce	WiFi → Evil Portal	Smaller screen for status display
EAPOL capture	Marauder port (if S3-stick)	WiFi → Sniffer → EAPOL	Better on Cardputer ADV
Sour Apple BLE	Bruce (if S3-stick port)	BLE → BLE Spam → Sour Apple	Same Apple Continuity flood
Mifare crack	Bruce + Unit RFID2 Grove	RFID → Mifare	Need Unit RFID2; no on-board NFC
CC1101 sub-GHz	Bruce + CC1101 Grove Unit	SubGHz	Need CC1101 Grove
IR TV-B-Gone	Evil-M5Project	IR → TV-B-Gone	M5StickS3 has IR TX
IR remote learning	Evil-M5Project	IR → Learn	M5StickS3-unique (Cardputer ADV is TX-only)
BadUSB	BadCard / M5Launcher	Files → BadUSB → Run	Small form-factor advantage for covert plug-in

---

8. Hat + Unit family compatibility one-page

Memorize this table to avoid the most-common shopping mistake:

Connector	M5Stack family	Pin count	Physical
Hat2 16-pin	M5StickS3	16 pin	2.54 mm header (top)
HAT-original 8-pin	M5StickC family (classic ESP32)	8 pin	Pogo connector (top)
Cap 14-pin EXT	Cardputer ADV only	14 pin	2.54 mm header (underside)
Atom 8-pin	Atom / Atom S3 family	8 pin	Pogo (top)

Cap LoRa-1262 does NOT fit M5StickS3. M5StickC HAT does NOT fit M5StickS3. Verify the physical connector before buying any accessory.

---

9. Flashing-method picker

Method	Best for	URL / command
Web flasher (UiFlow)	First install / known-good	https://uiflow.m5stack.com/
Web flasher (Bruce)	Pentest install	https://bruce.computer/
Web flasher (Evil-M5)	Pentest install (alternative)	linked from https://github.com/7h30th3r0n3/Evil-M5Project
M5Burner desktop	Fleet flashing or when Web Serial unavailable	https://docs.m5stack.com/en/download
esptool.py CLI	Scripting, CI, recovery	pip install esptool
OTA in-firmware	Updates once on Wi-Fi	Per-firmware UI

Backup factory firmware FIRST:

esptool.py --chip esp32s3 -p /dev/ttyACM0 -b 1500000 \
    read_flash 0 0x800000 m5sticks3_backup.bin

---

10. Regional Wi-Fi/BLE rules

Region	Frequency	Max EIRP	Notes
US (FCC §15.247)	2400-2483 MHz	+30 dBm typical limit	Wi-Fi devices typically +14-+20 dBm
EU (ETSI EN 300 328)	2400-2483.5 MHz	+20 dBm	Strict
JP (ARIB STD-T66)	2400-2483.5 MHz	+20 dBm	Similar to EU

M5StickS3 at +20 dBm is universally legal in 2.4 GHz ISM. No EIRP-compliance gotcha like Cap LoRa-1262.

No LoRa on M5StickS3 — no LoRa region rules apply.

---

11. Audio-bug legal quick-ref (the load-bearing section)

Most-important reference for operators using audio recording features:

US states with two-party consent (recording without all parties’ consent = criminal felony):

CA, FL, IL, MD, MA, MT, NV, NH, PA, VT, WA

Other 39 US states: one-party consent (operator’s consent suffices).

EU + UK: GDPR / national laws — recording voice without lawful basis = violation with potential criminal exposure.

Operational rule: document authorization, time-box, sanitize. The M5StickS3 can record audio covertly; the operator must not, except under explicit authorization.

Bench / private spaces: legal everywhere. Engagement work: authorization required.

---

12. Common build / flash errors

Symptom	Fix
PSRAM not detected	Add board_build.arduino.memory_type = qio_opi to platformio.ini
Device not found at /dev/ttyUSB0	M5StickS3 uses /dev/ttyACM0 (USB-CDC native)
No chip detected in esptool	Hold Button A during USB plug-in for download mode
Display init fails	Use M5Unified; if raw driver, specify ST7789P3 (not V2)
Audio not working	Initialize via M5Unified M5.config() + M5.begin(cfg)
Flash succeeds, BLACK SCREEN	Wrong silicon target (used StickC Plus 2 binary) — reflash with M5StickS3-specific binary
Brownout reboot loop	Better USB cable; fresh battery; lower audio volume; relax brownout threshold
USB Serial output empty	Add -DARDUINO_USB_CDC_ON_BOOT=1 to build_flags

---

13. Troubleshooting flow

Device won't boot?
    │
    ├─ Black screen → Press Button A while plugging USB (force download mode)
    │                 → If still nothing: esptool erase_flash + factory restore
    │
    ├─ Display on, looping → Settings → About → reads version?
    │                        Yes → app issue, reflash known-good firmware
    │                        No  → bootloader issue, mask-ROM recovery
    │
    └─ Charges but won't power on → Long-press power button (>2 sec)
                                    Short-press to wake from sleep

No scan results?
    │
    ├─ Wi-Fi scan empty   → Region setting matches venue?
    │                       → Antenna OK (PCB trace inside Stamp-S3A)?
    │                       → Channel-hop mode on, not stuck on one ch?
    │
    └─ BLE scan empty     → BLE radio enabled?
                            → No interfering Wi-Fi traffic?

Audio not playing / recording?
    │
    ├─ Speaker silent     → Volume > 0? Check M5.Speaker.setVolume()
    │                       → ES8311 initialized? Need M5.begin(cfg)
    │
    └─ Mic captures silence → Mic gain set? esp_codec_dev_set_in_gain()
                              → Initialize ES8311 input path explicitly

Battery dies fast?
    │
    └─ Expected — 250 mAh is small. Plan for <2 hr active operation.
       For sustained: USB-C tether or power bank.

hashcat says "No hashes loaded"?
    │
    └─ Run hcxpcapngtool first to convert PCAP → .hc22000 format

---

14. Pre-engagement checklist (one-page)

Print this. Tape inside gear bag.

• Written authorization signed and dated
• RF coverage scope specified
• Attacks permitted listed
• Audio recording authorization documented separately if audio in scope
• Two-party-consent state check done if US recording
• Battery charged (≥ 90% if engagement > 30 min; ≥ 50% if shorter)
• SD-via-Hat2 if equipped + fresh storage
• Firmware version locked (tag, not master)
• Region setting matches venue
• Target BSSID(s) configured if surgical attacks planned
• MAC randomization enabled
• Capture destination plan
• Sanitization plan post-engagement
• Bystander mitigation (narrow targeting; no broadcast in public)
• Discovery response: stop, produce authorization, document
• Out-of-band channel prepared for security to reach me

If any item isn’t checked, abort.

---

15. Key references in one block

Upstream

• M5Stack M5StickS3 product page: https://shop.m5stack.com/products/m5sticks3-esp32s3-mini-iot-dev-kit
• M5Stack docs: https://docs.m5stack.com/
• M5Cardputer library (also for M5StickS3): https://github.com/m5stack/M5Cardputer
• M5Unified: https://github.com/m5stack/M5Unified
• M5GFX: https://github.com/m5stack/M5GFX
• M5Burner: https://docs.m5stack.com/en/download

Firmware

• Evil-M5Project: https://github.com/7h30th3r0n3/Evil-M5Project
• Bruce: https://github.com/BruceDevices/firmware · https://bruce.computer/
• ESP32 Marauder: https://github.com/justcallmekoko/ESP32Marauder
• MicroHydra: https://github.com/echo-lalia/MicroHydra
• ESPHome: https://esphome.io/
• UiFlow 2: https://flow.m5stack.com

Audio-specific

• esp-skainet (wake-word + AI): https://github.com/espressif/esp-skainet
• esp_codec_dev (audio framework): https://github.com/espressif/esp-adf
• esp-now-talkie (community): GitHub search
• RHesus-RAdio (community): GitHub search

Tools

• esptool: https://github.com/espressif/esptool
• hashcat: https://hashcat.net/hashcat/
• hcxtools: https://github.com/ZerBea/hcxtools
• PlatformIO: https://platformio.org/

Datasheets

• ESP32-S3: https://www.espressif.com/sites/default/files/documentation/esp32-s3_datasheet_en.pdf
• ST7789P3: Sitronix
• ES8311: https://www.everest-semi.com/
• AW8737: Awinic
• BMI270 IMU: https://www.bosch-sensortec.com/products/motion-sensors/imus/bmi270/

Regulatory

• US FCC §15.247: https://www.fcc.gov/general/title-47-code-federal-regulations
• US CFAA: https://www.law.cornell.edu/uscode/text/18/1030
• US Wiretap Act: https://www.law.cornell.edu/uscode/text/18/2510
• EU GDPR: https://gdpr.eu/
• UK Computer Misuse Act: https://www.legislation.gov.uk/ukpga/1990/18

Community

• Cardputer Wiki (much applies): https://cardputer.wiki
• r/m5stack (Reddit)
• M5Stack Discord (linked from m5stack.com)
• M5Stack community forum: https://community.m5stack.com/

Hack Tools cross-references

• ../../../_shared/comparison.md — cross-tool decision matrix
• ../../../_shared/capability_matrix.html — sortable matrix
• ../../../_shared/legal_ethics.md — Hack Tools shared posture
• ../../../M5Stack Cardputer ADV/03-outputs/Cardputer_ADV_Complete.html — sibling deep dive (most content carries forward)
• ../../../ESP32 Marauder Firmware/03-outputs/ESP32_Marauder_Firmware_Complete.html — platform-neutral Marauder

---

This is the final volume of the M5Stack M5StickS3 12-volume series.