M5Stick S3 · Volume 9

M5Stack M5StickS3 Volume 9 — Use Cases and Recipes

Wearable pentest, IR universal remote with learning, audio recipes, gesture-triggered actions, walkie-talkie, internet radio

Contents

  1. About this volume
  2. Wearable pentest sessions
  3. IR recipes — universal remote with on-device learning
  4. Audio recipes
    • 4.1 ESP-NOW walkie-talkie
    • 4.2 Internet radio receiver
    • 4.3 Voice memo recorder (authorized use)
    • 4.4 Real-time audio FFT visualization
    • 4.5 Wake-word activated features
  5. Gesture-triggered actions via IMU
  6. BadUSB recon-and-bail (when authorized)
  7. Magnetic-back deployment patterns
  8. Wardriving with Grove GPS
  9. The “covert audio recorder” use case — legal posture
  10. Resources

1. About this volume

Vol 9 collects end-to-end recipes for M5StickS3. Each recipe names the firmware, the menu path or code skeleton, the time-budget expectation, and the post-engagement hand-off.

Cross-reference: many recipes from Cardputer ADV Vol 9 carry forward with M5StickS3-specific adaptations (smaller battery, smaller screen, button-only input). This volume documents the adaptations and the M5StickS3-unique recipes (IR learning, audio bug, wearable deployment).

Legal posture reminder: every pentest recipe assumes written authorization for the target network/device. Full posture in Vol 11 § 7. Audio-recording recipes also have legal constraints (Vol 5 § 10 + Vol 11 § 7).


2. Wearable pentest sessions

Goal: leave the M5StickS3 running passive Wi-Fi capture, pocketed or magnetically mounted, during a target visit.

Hardware: M5StickS3 + Evil-M5Project firmware (or Bruce / Marauder port).

Workflow:

  1. Pre-charge battery to 100% (~30-45 min via USB-C).
  2. Configure firmware for passive capture:
    • Wi-Fi → Sniffer → Probe Request (or Beacon, depending on scope)
    • Channel mode: hopping (1-11 US, 1-13 EU)
    • Capture format: csv to internal flash (or pcap to Hat2 SD if equipped)
    • MAC randomization: ON
  3. Mount or pocket the device:
    • Magnetic back: stick to metal surface in target area (locker, file cabinet, drone frame)
    • Pocket: clip lanyard inside jacket pocket
  4. Start capture — press Button A.
  5. Walk away / continue normally. M5StickS3 captures continuously.
  6. Time-box: pull the device or stop the capture after 30-60 minutes (battery limit). Practical sweet spot: ~30 minutes.
  7. Extract: pull device, connect via USB-CDC, dump capture files. Or pull Hat2 SD card if equipped.
  8. Sanitize: per chain-of-custody discipline (Vol 11 § 11).

Battery-life sanity check: 250 mAh @ 120 mA continuous scan = ~2 hours theoretical. With brownout margin: plan for 30-60 minutes practical. Multi-hour wearable engagements are not feasible without USB-C power.

Capture yield expectations:

  • ~30-50 unique probe-request MACs in a city walk
  • ~100-200 unique beacons in a residential neighborhood
  • Variability is large depending on environment

For sustained engagement: use Cardputer ADV (1750 mAh) or laptop instead. M5StickS3 is for short-burst wearable deployments.


3. IR recipes — universal remote with on-device learning

The M5StickS3’s IR RX (absent on Cardputer ADV) enables on-device code learning — a unique capability in tjscientist’s lineup.

Recipe: Build a per-room universal remote

Goal: walk through a target room, capture every IR remote’s codes via M5StickS3’s IR RX, save to a database. Use later for TV-B-Gone, custom replay, social-engineering demos.

Workflow:

  1. Boot Evil-M5Project (or custom IR-learning firmware).
  2. Menu: IR → Learn → New Profile.
  3. Hold remote toward M5StickS3 (~10-30 cm). Press capture button.
  4. Press button on remote — M5StickS3 captures the modulation pattern (carrier frequency 38 kHz typical for consumer IR; on/off timing).
  5. Save with named entry: “Living-Room-TV-Off”, “Receiver-Volume-Up”, etc.
  6. Repeat for every button on every remote in the room.
  7. Result: a database of IR codes on flash, replayable via on-board IR TX.

Replay:

  1. Menu: IR → Replay → pick saved profile.
  2. Aim M5StickS3 at target device (range ~3-5 m).
  3. Press Button A to fire the saved code.

Use cases:

  • Crowd disruption (TV-B-Gone style): bulk-replay TV-off codes in restaurants/bars. Authorized scope only.
  • Demo support: capture target device IR; replay during a security demo to show the attack surface.
  • Universal remote: keep a personal IR remote on a wrist (literally — the M5StickS3 fits a magnetic-wristband).

Recipe: AC-B-Gone

Capture HVAC remote codes from a target environment. Replay all of them in rapid sequence — most ACs turn off, change temperature, or cycle modes. Effective for crowd-discomfort.

Authorized scope only. Disabling AC in a hot building has health-and-safety implications.


4. Audio recipes

4.1 ESP-NOW walkie-talkie

Goal: push-to-talk text + voice between two M5StickS3s without Wi-Fi infrastructure.

Hardware: 2× M5StickS3 + same firmware (esp-now-talkie community port).

Workflow:

  1. Flash both devices with esp-now-talkie firmware via web flasher or PlatformIO.
  2. Set both to same channel + same broadcast MAC (typically the firmware’s default).
  3. On both devices: hold Button A (or designated push-to-talk button).
  4. Speak: device 1 captures audio at 8 kHz mono, μ-law encodes, broadcasts via ESP-NOW.
  5. Receive: device 2 receives the audio frames, decodes, plays via speaker.
  6. Release Button A: device 1 stops transmitting; both listen.

Range: ~50 m indoor / ~150 m LoS outdoor (Wi-Fi range). Audio quality: 8 kHz / 16-bit μ-law mono — voice intelligible, 1990s walkie-talkie quality.

Cross-compatibility: M5StickS3 ↔ Cardputer ADV walkie-talkie pairs work (same ES8311 codec).

Vol 5 § 7 has the full protocol description.
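
Steps 4 and 5 of the workflow in code, as an added example rather than esp-now-talkie's own source: G.711 μ-law encode/decode plus a receiver that bounds-checks each frame before decoding, since ESP-NOW broadcast frames arrive from any sender in range. The [seq][n][payload] layout, the 20 ms frame size and all names are assumptions, not the wire format described in Vol 5 § 7; 250 bytes is the ESP-NOW v1 payload limit.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr int kBias = 0x84, kClip = 32635;   // G.711 mu-law constants
constexpr size_t kEspNowMax = 250;           // ESP-NOW v1 payload limit per packet
constexpr size_t kFrameSamples = 160;        // assumed: 20 ms of audio at 8 kHz

// 16-bit PCM -> 8-bit code: sign bit, 3-bit segment, 4-bit mantissa, all inverted.
uint8_t ulaw_encode(int16_t pcm) {
    int s = pcm, sign = 0;
    if (s < 0) { s = -s; sign = 0x80; }
    if (s > kClip) s = kClip;
    s += kBias;
    int seg = 7;
    for (int mask = 0x4000; seg > 0 && !(s & mask); mask >>= 1) --seg;
    return static_cast<uint8_t>(~(sign | (seg << 4) | ((s >> (seg + 3)) & 0x0F)));
}

// 8-bit code -> midpoint of the PCM interval it represents.
int16_t ulaw_decode(uint8_t code) {
    code = static_cast<uint8_t>(~code);
    int seg = (code >> 4) & 0x07, mant = code & 0x0F;
    int s = (((mant << 3) + kBias) << seg) - kBias;
    return static_cast<int16_t>((code & 0x80) ? -s : s);
}

// Sender: hypothetical frame = [seq][n][n mu-law bytes], one byte per sample.
std::vector<uint8_t> pack_frame(uint8_t seq, const std::vector<int16_t>& pcm) {
    size_t n = pcm.size() < kFrameSamples ? pcm.size() : kFrameSamples;
    std::vector<uint8_t> pkt{seq, static_cast<uint8_t>(n)};
    for (size_t i = 0; i < n; ++i) pkt.push_back(ulaw_encode(pcm[i]));
    return pkt;
}

// Receiver: reject short packets and length bytes that disagree with the
// received size before touching the payload.
bool unpack_frame(const uint8_t* pkt, size_t len, uint8_t& seq, std::vector<int16_t>& pcm) {
    if (pkt == nullptr || len < 2 || len > kEspNowMax) return false;
    size_t n = pkt[1];
    if (n != len - 2 || n > kFrameSamples) return false;
    seq = pkt[0];
    pcm.clear();
    for (size_t i = 0; i < n; ++i) pcm.push_back(ulaw_decode(pkt[2 + i]));
    return true;
}
```

At one byte per sample, 8 kHz audio is 64 kbit/s, and a 160-sample frame plus the 2-byte header fits in one ESP-NOW packet.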

4.2 Internet radio receiver

Goal: M5StickS3 plays internet radio streams.

Hardware: M5StickS3 + RHesus-RAdio firmware (community port to M5StickS3 may be required).

Workflow:

  1. Flash RHesus-RAdio firmware.
  2. Connect to Wi-Fi via the firmware’s setup wizard.
  3. Browse stations:
    • Shoutcast directory
    • Icecast directory
    • Direct URL entry (paste any HTTP MP3 / AAC URL)
  4. Select station → audio plays via on-board speaker.
  5. Volume control via Button A (up) / Button B (down) or M5Unified-style menu.

Battery life: ~1-2 hours playback at moderate volume on the 250 mAh battery. For sustained use, plug in USB-C.

Audio quality: 128 kbps MP3 stream → 8 Ω 1 W speaker is acceptable for casual listening in quiet rooms. Better via Bluetooth speaker (M5StickS3 streams via BLE Audio profile).

4.3 Voice memo recorder (authorized use)

Goal: M5StickS3 records voice memos to flash or SD-via-Hat2.

Hardware: M5StickS3 + custom firmware (Vol 5 § 4 code skeleton, Vol 10 § 5 worked example).

Workflow:

  1. Boot voice-memo firmware.
  2. Press Button A to start recording.
  3. Speak: M5StickS3 captures at 16 kHz mono via ES8311 + MEMS mic, buffers in PSRAM.
  4. Press Button A again to stop. Buffer written to flash as voice_memo_<timestamp>.wav (~32 KB/sec).
  5. Playback: navigate menu → Files → pick memo → play via Speaker.
  6. Export: connect via USB-CDC → mount as USB mass-storage → copy WAV files to host.

Capacity:

  • Flash: ~3 minutes (~5 MB usable after partitions)
  • PSRAM: ~3.5 minutes (~7 MB usable buffer)
  • Hat2 SD (if equipped): essentially unlimited

Legal posture: see Vol 5 § 10 and Vol 11 § 7. Voice recording legal landscape varies by jurisdiction. Authorized use only outside personal-bench work.

4.4 Real-time audio FFT visualization

Goal: M5StickS3 displays real-time audio spectrum.

Hardware: M5StickS3 + a port of m5Cardputer_audiospectrum (or custom FFT sketch — Vol 5 § 5 code skeleton).

Workflow:

  1. Flash FFT firmware (or write custom sketch).
  2. Boot device: display shows 16-band bar graph.
  3. Make sound near M5StickS3: bars react in real-time at ~20 fps.
  4. Tune sensitivity: adjust gain in firmware settings.

Use cases:

  • Educational tool (understand audio frequency content)
  • Party trick / demo
  • Frequency analysis for specific tones (e.g., identifying device-emitted sounds)

4.5 Wake-word activated features

Goal: voice-activate menu navigation or specific actions.

Hardware: M5StickS3 + custom firmware integrating esp-skainet (Vol 5 § 6).

Workflow:

  1. Flash firmware with wake-word detection enabled. Multinet5 model loaded into PSRAM at boot.
  2. Say wake word: “Hey Jarvis” (or whichever is configured).
  3. Speak command: e.g., “scan Wi-Fi”, “record audio”, “stop”, “time”.
  4. Firmware reacts: triggers the matched action.

Power: wake-word detection runs at <5% CPU — can run continuously without materially shortening battery life. ~3 hours battery on continuous wake-word mode.

Use cases:

  • Hands-free menu navigation (during presentations, while wearing gloves, etc.)
  • Voice-triggered attack scenarios (authorized demos)
  • Smart-home voice control (combine with ESPHome)

5. Gesture-triggered actions via IMU

Goal: M5StickS3 reacts to physical gestures (shake, tilt, flick) via BMI270 / MPU6886 IMU.

Hardware: M5StickS3 + custom firmware leveraging M5.Imu.* API.

Gestures + actions:

| Gesture | Detection method | Example action |
| --- | --- | --- |
| Shake (rapid acceleration on multiple axes) | Threshold on accel magnitude over short window | Trigger Wi-Fi scan, wake from sleep |
| Tilt (sustained orientation change) | Z-axis acceleration sign for >500 ms | Toggle menu page |
| Flick (rapid wrist motion in one direction) | Single-axis acceleration peak | Advance menu |
| Tap detection (BMI270 only) | On-chip tap interrupt | Augment buttons; “double-tap to confirm” |
| Step counting (BMI270 on-chip) | Pedometer algorithm | Fitness logging, deployment-distance tracking |

Code skeleton:

#include <M5Unified.h>
#include <math.h>

void setup() {
    auto cfg = M5.config();
    M5.begin(cfg);
}

void loop() {
    M5.update();

    // Read acceleration in g; skip this pass if the IMU returned no data
    float ax, ay, az;
    if (!M5.Imu.getAccel(&ax, &ay, &az)) {
        delay(10);
        return;
    }
    float mag = sqrtf(ax * ax + ay * ay + az * az);

    // At rest mag is ~1 g (gravity); a jump from near rest to >2.5 g is a shake
    static float prev_mag = 1.0f;
    if (mag > 2.5f && prev_mag < 1.5f) {
        // Sharp acceleration spike = shake
        M5.Speaker.tone(880, 100);
        M5.Display.println("Shake detected");
    }
    prev_mag = mag;

    delay(10);  // ~100 Hz polling
}
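
The tilt and flick rows of the table, alongside the shake check from the skeleton, as an added example (not code from the original page or from M5Unified): a detector that runs on a host over a constructed 100 Hz recording, so thresholds can be tuned before flashing. The 1.5 g per-axis level, the 0.5 g dead band and all names are assumptions.

```cpp
#include <cmath>
#include <cstdint>
#include <vector>

enum class Gesture { None, Shake, Flick, Tilt };
struct Sample { uint32_t ms; float x, y, z; };   // timestamp, acceleration in g

class GestureDetector {
    static constexpr float kSpikeG = 2.5f;     // spike threshold from the skeleton
    static constexpr float kAxisG = 1.5f;      // assumed: level at which an axis counts as active
    static constexpr float kDeadG = 0.5f;      // assumed: z this close to 0 has no clear sign
    static constexpr uint32_t kTiltMs = 500;   // table: new z sign must hold for >500 ms
    bool in_spike_ = false;
    int face_ = +1, pending_ = 0;              // confirmed / candidate z sign (+1 = screen up)
    uint32_t pending_since_ = 0;
public:
    Gesture feed(const Sample& s) {
        Gesture out = Gesture::None;
        bool spike = std::sqrt(s.x * s.x + s.y * s.y + s.z * s.z) > kSpikeG;
        if (spike && !in_spike_) {             // rising edge: one event per motion
            int axes = (std::fabs(s.x) > kAxisG) + (std::fabs(s.y) > kAxisG) + (std::fabs(s.z) > kAxisG);
            out = (axes == 1) ? Gesture::Flick : Gesture::Shake;   // single axis vs spread
        }
        in_spike_ = spike;
        int sign = (s.z > kDeadG) ? +1 : (s.z < -kDeadG) ? -1 : 0;
        if (spike || sign == 0 || sign == face_) {
            pending_ = 0;                      // motion or no flip: restart the tilt timer
        } else if (pending_ != sign) {
            pending_ = sign; pending_since_ = s.ms;
        } else if (s.ms - pending_since_ > kTiltMs) {
            face_ = sign; pending_ = 0; out = Gesture::Tilt;
        }
        return out;
    }
};

// Constructed recording, 10 ms per sample: rest, x-axis flick, rest, x+y shake, rest, face-down.
std::vector<Gesture> detect_constructed() {
    GestureDetector d; std::vector<Gesture> seen; uint32_t t = 0;
    auto run = [&](int n, float x, float y, float z) {
        for (; n-- > 0; t += 10) {
            Gesture g = d.feed({t, x, y, z});
            if (g != Gesture::None) seen.push_back(g);
        }
    };
    run(20, 0, 0, 1); run(2, 3.0f, 0.1f, 1); run(20, 0, 0, 1);
    run(2, 2, 2, 1); run(20, 0, 0, 1); run(60, 0, 0, -1);
    return seen;
}
```

On the device, call feed() from loop() with millis() and the three values read from the IMU.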

Use case combinations:

  • POV LED art: wave M5StickS3 in air; RGB LED modulated by IMU position estimate; long-exposure phone camera captures the message
  • Shake-to-attack: shake the M5StickS3 to fire an Evil Portal or Sour Apple swarm (authorized demos)
  • Tilt-to-navigate: cycle through menus by tilting; eyes-free menu use

6. BadUSB recon-and-bail (when authorized)

Same pattern as Cardputer ADV Vol 9 § 2.6 — M5StickS3 + USB-C-to-A adapter + DuckyScript payload + receive target machine. The M5StickS3’s smaller form factor makes it less conspicuous than a Cardputer ADV plugged into a laptop USB port.

Authorized engagements only. HID injection on systems without authorization = CFAA violation in US, equivalent in other jurisdictions.

Workflow (briefly):

  1. Authorization confirmed (written, signed).
  2. Load DuckyScript payload on M5StickS3 (via BadCard-class firmware or M5Launcher’s BadUSB module if M5StickS3 supports it).
  3. Connect M5StickS3 to target machine via USB-C-to-A adapter.
  4. Navigate to BadUSB menu, run payload.
  5. ~3 seconds: payload executes (PowerShell on Windows, AppleScript on macOS).
  6. Disconnect, withdraw, document.

The M5StickS3’s 20 g weight + small form factor + magnetic back makes it deployable as a “look like a USB-A adapter” on a desk — operationally distinct from the larger Cardputer ADV.


7. Magnetic-back deployment patterns

The M5StickS3’s magnetic back enables deployment scenarios that no other device in tjscientist’s lineup supports:

| Deployment | Surface | Use case |
| --- | --- | --- |
| Fridge / locker | Vertical metal surface | Ambient Wi-Fi monitoring; audio recording (authorized) |
| Server-rack side | Vertical metal panel | Wi-Fi monitoring of data center / SCIF perimeter |
| Inside metal drawer | Internal metal surface | Hidden capture; magnetic-back keeps device in place when drawer slides |
| Drone frame | Aluminum drone airframe | Aerial Wi-Fi capture / live telemetry display |
| Vehicle interior (with consent) | Dashboard / metal panel | Tracking + Wi-Fi capture during transit |
| Wrist (with magnetic band) | Third-party magnetic strap | Wearable use, hands-free menu nav via IMU |
| Clip on clothing | Magnetic disc on lanyard | Conference / event wear; hidden capture |

Operational discipline:

  • Own the airspace / hardware target (Vol 11 first rule)
  • Time-box all deployments (battery limit)
  • Document chain of custody (Vol 11 § 11)
  • Sanitize post-engagement

Power posture: 250 mAh limits most deployments to <2 hours active operation. For sustained deployments: tether to USB-C power or use a USB-C battery pack (the small form factor of the M5StickS3 means even a 10000 mAh power bank dwarfs the device — but enables 24+ hour deployment).


8. Wardriving with Grove GPS

Goal: walk a route, log Wi-Fi APs + GPS coordinates, upload to WiGLE.

Hardware: M5StickS3 + Unit GPS V2 Grove Unit (~$12) — M5StickS3 has no on-board GNSS, unlike Cardputer ADV + Cap LoRa-1262.

Workflow:

  1. Plug Unit GPS V2 into Grove port. Wait ~30 sec for GPS fix.
  2. Flash Evil-M5Project / Bruce with wardriving support + Grove GPS integration.
  3. Configure firmware to use Grove UART for GPS NMEA input.
  4. Walk the route at normal pace. M5StickS3 logs SSID/BSSID/RSSI/channel/encryption + GPS lat/lon to flash or Hat2 SD in WiGLE-compatible CSV format.
  5. Stop wardriving. Pull logs.
  6. Upload to https://wigle.net/upload. Appears on global heatmap within ~24h.

Battery life on wardriving: ~2-3 hours with Wi-Fi + GPS active. Plan walks accordingly.

Cross-reference: same WiGLE-export logic as Cardputer ADV Vol 9 § 3.2; storage path is the on-board flash or Hat2 SD (instead of Cardputer ADV’s larger internal SD).


9. The “covert audio recorder” use case — legal posture

(Detailed in Vol 5 § 10. Brief recap here.)

The M5StickS3’s combination of wearable form + magnetic back + 20 g weight + voice-quality recording + 1 W audio playback = a covert audio recorder.

Legal landscape:

  • US one-party-consent states (39 states): operator (one party) consents — recording yourself in conversation = legal.
  • US two-party-consent states (11 states: CA, FL, IL, MD, MA, MT, NV, NH, PA, VT, WA): all parties must consent — recording without all consent = criminal felony.
  • EU: GDPR + national laws — recording voice without lawful basis = regulatory violation with criminal exposure.
  • UK: Investigatory Powers Act + Data Protection Act 2018 — strict.

Operational rule: the M5StickS3 can technically be deployed as a covert audio recorder. The operator must not, except under explicit authorization.

For tjscientist’s own bench / private spaces: legal everywhere.

For engagement work in two-party-consent jurisdictions: not legal without all parties’ consent. Don’t.

Cross-ref: Vol 5 § 10 (full legal landscape) + Vol 11 § 7 (operational posture).


10. Resources

Tools

Maps + uploads

Firmware specifics

Community

  • r/m5stack, M5Stack Discord, M5Stack community forum
  • Cardputer Wiki (much applies to M5StickS3): https://cardputer.wiki/

Cross-references

  • Audio deep dive (recipes detailed): Vol 5
  • Operational posture / legal: Vol 11
  • Cardputer ADV recipes (analogs): ../../../M5Stack Cardputer ADV/03-outputs/Cardputer_ADV_Complete.html Vol 9
  • Marauder Firmware (platform-neutral): ../../../ESP32 Marauder Firmware/03-outputs/ESP32_Marauder_Firmware_Complete.html

This is Volume 9 of a twelve-volume series. Next: Vol 10 covers custom firmware development — worked wearable-scanner example, Evil-M5Project fork patterns, MicroHydra apps, stick-form-factor UI considerations.