
Nyan Box Volume 4 — Wi-Fi and BLE Toolset

The ESP32-radio tools — Wi-Fi network analysis, client detection, beacon work, BLE scan/spoof, BT Classic scan

Contents

| Section | Topic |
|---|---|
| 1 | About this volume |
| 2 | Wi-Fi tools |
| 3 | BLE + BT Classic tools |
| 4 | The tool catalog at a glance |
| 5 | How these compare to ESP32 Marauder |
| 6 | Education-mode framing of these tools |
| 7 | Resources |

1. About this volume

Vol 4 covers the nyanBOX tools that run on the ESP32’s own radio — Wi-Fi 2.4 GHz and Bluetooth (BLE + Classic). These are the “conventional” half of the nyanBOX tool catalog; they overlap heavily with ESP32 Marauder, Bruce, and every other ESP32-pentest firmware. The NRF24-specific tools are Vol 5; the two unique features (RemoteID, camera detection) are Vols 6-7.

Cross-reference: the canonical engineer-grade reference for ESP32 Wi-Fi/BLE pentest mechanics is the ESP32 Marauder Firmware deep dive. The frame-level anatomy of deauth, the PMKID attack, the BLE channel structure, captive-portal mechanics — all live there in full. This volume covers what the nyanBOX specifically exposes and how its education-first wrapper presents it, citing the Marauder deep dive for the underlying mechanics rather than re-authoring.


2. Wi-Fi tools

A typical ESP32 development board — the same SoC family the nyanBOX's WROOM-32U module is built on. Every Wi-Fi and Bluetooth tool in this volume runs on the ESP32's own radio; the nyanBOX is, at the Wi-Fi/BLE level, an ESP32 with a purpose-built menu UI wrapped around it.

Figure 4.1 — ESP32 development board (representative). Photo: File:ESP32 Dev Board.jpg by Edwiyanto. License: CC BY-SA 4.0. Via Wikimedia Commons.

The ESP32-WROOM-32U does 2.4 GHz 802.11 b/g/n. In promiscuous mode it’s a monitor-mode capture device; in AP/STA modes it can inject. The nyanBOX’s Wi-Fi tool group:

2.1 Network analysis / scan

   nyanBOX Wi-Fi Scan — OLED view
   ════════════════════════════════
   ┌────────────────────────────────┐
   │ WiFi Scan        14 APs  87%   │
   ├────────────────────────────────┤
   │ > HOME-5A24    -41  ch6   WPA2 │
   │   xfinitywifi  -58  ch1   open │
   │   IoT_Cam_3F   -52  ch6   WPA2 │
   │   [hidden]     -67  ch11  WPA2 │
   │   guest-net    -71  ch1   WPA2 │
   ├────────────────────────────────┤
   │ [OK] detail [↓] more [←] back  │
   └────────────────────────────────┘

| Tool | What it does | Underlying mechanic |
|---|---|---|
| AP scan | Enumerate access points — SSID, BSSID, channel, RSSI, encryption | Passive beacon-frame capture |
| Client / station detection | Find devices associated to APs | Monitor-mode capture of data + probe frames |
| Probe-request capture | Log devices probing for known SSIDs | Monitor-mode; reveals device SSID history |
| Channel survey | Per-channel activity / congestion | Hop channels, count frames |
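
What the AP scan and probe-request capture rows reduce to at the frame level, as an added example (not nyanBOX firmware code): a Python parser for raw 802.11 beacon and probe-request frames that recovers the SSID, channel and encryption fields the OLED view lists. The sample frames are constructed, and the names parse_mgmt, tagged_params and sample_frame belong to this example only.

```python
import struct

HDR = 24                                  # management header: FC, duration, 3 addresses, seq
BEACON, PROBE_REQ = 0x80, 0x40            # first frame-control byte (mgmt subtypes 8 and 4)
WPA_IE = bytes.fromhex("0050f201")        # vendor element: Microsoft OUI + type 1 = WPA

def tagged_params(body):
    """Yield (tag, value) pairs; stop cleanly at a truncated element."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            return                        # never read past the end of a cut-off capture
        yield tag, body[i + 2:i + 2 + length]
        i += 2 + length

def parse_mgmt(raw):
    """Summarise a beacon or probe request; return None for anything else."""
    if len(raw) < HDR or raw[0] not in (BEACON, PROBE_REQ):
        return None
    beacon = raw[0] == BEACON
    if beacon and len(raw) < HDR + 12:    # fixed fields: timestamp(8) interval(2) capability(2)
        return None
    privacy = beacon and bool(struct.unpack_from("<H", raw, HDR + 10)[0] & 0x0010)
    body = raw[HDR + 12:] if beacon else raw[HDR:]
    rsn = wpa = False
    rec = {"kind": "beacon" if beacon else "probe-req",
           "src": raw[10:16].hex(":"), "ssid": None, "channel": None}
    for tag, val in tagged_params(body):
        if tag == 0 and any(val):         # empty or all-NUL SSID = hidden AP / wildcard probe
            rec["ssid"] = val.decode("utf-8", "replace")
        elif tag == 3 and len(val) == 1:  # DS Parameter Set: current channel
            rec["channel"] = val[0]
        elif tag == 48:                   # RSN element: WPA2 or WPA3
            rsn = True
        elif tag == 221 and val.startswith(WPA_IE):
            wpa = True
    if beacon:
        rec["security"] = "RSN" if rsn else "WPA" if wpa else "WEP" if privacy else "open"
    else:                                 # locally administered bit set = randomized MAC
        rec["randomized_mac"] = bool(raw[10] & 0x02)
    return rec

def sample_frame(fc, src, body):          # constructed sample frame, broadcast destination
    return bytes([fc, 0, 0, 0]) + b"\xff" * 6 + src + src + b"\x00\x00" + body

SAMPLE_BEACON = sample_frame(BEACON, bytes.fromhex("001122334455"), bytes(8) + b"\x64\x00\x11\x04"
                             + b"\x00\x09HOME-5A24" + b"\x03\x01\x06" + b"\x30\x02\x01\x00")
SAMPLE_PROBE = sample_frame(PROBE_REQ, bytes.fromhex("da0000000001"), b"\x00\x09guest-net")
```

RSSI is not carried in the frame; it comes from the radio's per-packet metadata, so it is absent here. A probe request that names an SSID from a non-randomized MAC is the exposure the probe-request tool makes visible.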

2.2 Beacon work

| Tool | What it does | Notes |
|---|---|---|
| Beacon spam | Broadcast many fake AP beacons | The “fill the Wi-Fi list with junk” demo; harmless-looking but disruptive |
| Beacon clone | Mimic a specific AP’s beacon | Foundation of evil-twin work |
| SSID flood | Mass-broadcast SSID names | A subset of beacon spam |

2.3 Active Wi-Fi tools

| Tool | What it does | Posture note |
|---|---|---|
| Deauth | Send deauthentication frames to disconnect clients | Disruptive. Vol 11 § 3 covers the legal line; likely XP-gated (Vol 8 § 4) |
| Evil portal / captive portal | SoftAP + captive-portal page to capture credentials | Disruptive + credential-capture — authorization required |
| Probe-response / Karma | Respond to probe requests to lure clients | Disruptive |

Posture callout: the active Wi-Fi tools (deauth, evil portal, Karma) are disruptive and in many jurisdictions illegal without authorization. The nyanBOX’s education-first design likely XP-gates these — a learner has to progress through passive tools first. For tjscientist, the gate is friction (Vol 8 § 4 covers bypass); the legal line is not — see Vol 11.
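
From the defender's side, the disruptive tools in 2.2 and 2.3 leave a visible trace in a monitor-mode capture. The added example below (not taken from the nyanBOX or Marauder code) flags deauthentication/disassociation bursts per BSSID and sudden floods of never-seen BSSIDs; the window, thresholds and sample frames are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 0xC0, 0xA0, 0x80   # first frame-control byte (mgmt subtypes 12, 10, 8)
WINDOW_S = 1.0          # sliding window in seconds (assumed)
DEAUTH_LIMIT = 10       # assumed threshold: deauth/disassoc frames per BSSID per window
NEW_BSSID_LIMIT = 20    # assumed threshold: never-seen-before BSSIDs per window

def detect(frames):
    """frames: time-ordered (timestamp_s, raw 802.11 frame) pairs.
    Returns [(timestamp_s, kind, bssid_or_None)], one alert per burst."""
    alerts, raised = [], set()
    kicks = defaultdict(deque)          # bssid -> timestamps of recent deauth/disassoc
    seen, fresh = set(), deque()        # known BSSIDs, timestamps of first sightings
    for ts, f in frames:
        if len(f) < 24:                 # shorter than a management header: skip
            continue
        bssid = f[16:22].hex(":")       # address 3 carries the BSSID in these frames
        if f[0] in (DEAUTH, DISASSOC):
            q, key, limit = kicks[bssid], ("deauth-flood", bssid), DEAUTH_LIMIT
        elif f[0] == BEACON and bssid not in seen:
            seen.add(bssid)
            q, key, limit = fresh, ("beacon-flood", None), NEW_BSSID_LIMIT
        else:
            continue
        q.append(ts)
        while ts - q[0] > WINDOW_S:     # drop events that fell out of the window
            q.popleft()
        if len(q) >= limit and key not in raised:
            raised.add(key)
            alerts.append((ts, *key))
        elif len(q) < limit:
            raised.discard(key)         # burst over: allow a future alert
    return alerts

def mgmt(fc, bssid):                    # constructed frame: header only, broadcast destination
    return bytes([fc, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"

AP = bytes.fromhex("001122334455")      # constructed BSSID
SAMPLE = [(i * 0.1, mgmt(BEACON, AP)) for i in range(20)]              # steady beaconing
SAMPLE += [(2.05, mgmt(DEAUTH, AP))]                                   # one isolated deauth
SAMPLE += [(3.0 + i * 0.01, mgmt(DEAUTH, AP)) for i in range(30)]      # burst: 30 in 0.3 s
SAMPLE += [(5.0 + i * 0.01, mgmt(BEACON, bytes([2, 0, 0, 0, 0, i]))) for i in range(40)]
```

On the constructed capture, `detect(SAMPLE)` raises one deauth-flood alert for the sample BSSID and one beacon-flood alert, while the isolated deauth stays below threshold. Where clients and APs support 802.11w Protected Management Frames, enabling it makes clients discard unauthenticated deauthentication frames, which addresses the deauth case at the source.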

2.4 What the nyanBOX Wi-Fi tools do NOT do

| Not available | Why | Where to look |
|---|---|---|
| 5 GHz Wi-Fi | ESP32-WROOM-32U is 2.4 GHz only | AWOK ESP32 C5, Banshee |
| WPA handshake → host crack | The nyanBOX captures; cracking is a host-PC job | Capture, pull over USB, hashcat on host (cross-ref [Marauder deep dive Vol 9](../../ESP32%20Marauder%20Firmware/03-outputs/ESP32_Marauder_Firmware_Complete.html#vol09)) |
| Deep packet inspection | 128×64 OLED + ESP32 RAM limits this | Capture + offline analysis |

3. BLE + BT Classic tools

The ESP32 (original, not S3/C3) has both BLE and Bluetooth Classic — a capability the newer ESP32-S3 lacks. The nyanBOX inherits this.

3.1 BLE tools

| Tool | What it does | Underlying mechanic |
|---|---|---|
| BLE scan | Enumerate BLE devices — address, name, RSSI, advertised services | Passive advertisement capture on ch37/38/39 |
| BLE spoof | Advertise as a chosen device — name, address, service UUIDs | Crafted advertisement injection |
| BLE spam | Mass BLE advertisements (the “Apple/Android popup spam” family) | Advertisement flooding |
| Device tracking | Follow a BLE device by address + RSSI over time | Repeated advertisement capture |
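
The name and service fields a BLE scan shows come from the AD structures inside each advertisement, and whether following a device by address works depends on the address type. This added example (not nyanBOX code) parses a constructed advertising payload and classifies the advertiser address; parse_ad, address_kind and stable_identifier are names made up for it.

```python
import struct

def parse_ad(payload):
    """Split an advertising payload into AD structures: [length][type][data]."""
    out, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break                          # zero padding or truncated structure
        ad_type, data = payload[i + 1], payload[i + 2:i + 1 + length]
        if ad_type == 0x01 and data:       # Flags
            out["flags"] = data[0]
        elif ad_type in (0x02, 0x03):      # incomplete / complete list of 16-bit UUIDs
            even = data[:len(data) // 2 * 2]
            out["uuids16"] = [f"{u:04x}" for (u,) in struct.iter_unpack("<H", even)]
        elif ad_type in (0x08, 0x09):      # shortened / complete local name
            out["name"] = data.decode("utf-8", "replace")
        elif ad_type == 0xFF and len(data) >= 2:   # manufacturer specific data
            out["company_id"] = struct.unpack_from("<H", data)[0]
            out["mfg_data"] = bytes(data[2:])
        i += 1 + length
    return out

def address_kind(addr, is_random):
    """addr: 6 bytes, most significant first; is_random: TxAdd bit of the PDU header."""
    if not is_random:
        return "public"
    return {0b11: "random static", 0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(addr[0] >> 6, "reserved")

def stable_identifier(kind):
    """True when the address alone can follow a device across captures."""
    return kind in ("public", "random static")

# Constructed payload: Flags, 16-bit UUID 0x180F, name "demo-tag", manufacturer data
SAMPLE_ADV = bytes.fromhex("020106" "03030f18" "090964656d6f2d746167" "05ffffff0102")
```

Devices that advertise with resolvable private addresses rotate them, so for those the address column in a scan is not a stable identifier on its own.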

3.2 BT Classic tools

| Tool | What it does | Notes |
|---|---|---|
| BT Classic scan | Discover Bluetooth Classic (BR/EDR) devices | The original ESP32 can do this — the S3 cannot |
| BT Classic device info | Class-of-device, name, services | Inquiry-based |

3.3 Why BT Classic matters

Most modern ESP32-pentest hardware is moving to the ESP32-S3 (faster, native USB, more RAM) — but the S3 dropped Bluetooth Classic. It’s BLE-only. The original ESP32 in the nyanBOX still has BT Classic. The practical consequence:

  • The nyanBOX can scan/discover legacy Bluetooth Classic devices (older headsets, car kits, industrial gear, classic-BT IoT) that an S3-based device simply can’t see
  • This is a small but genuine capability advantage over the ESP32-S3-based Game Over for BT Classic recon

3.4 The BLE-spam ethics note

BLE spam (the “device pairing popup flood” family — Sour Apple, Swift Pair spam, etc.) is in the catalog. It is disruptive and increasingly regulated — some jurisdictions treat it as harassment / interference. The nyanBOX likely XP-gates it. Vol 11 § 4 covers the posture. The [Marauder deep dive Vol 6](../../ESP32%20Marauder%20Firmware/03-outputs/ESP32_Marauder_Firmware_Complete.html#vol06) covers why mainline Marauder deliberately omits the worst BLE-spam variants — worth reading for the ethical context.


4. The tool catalog at a glance

The vendor advertises “40+ tools”. Here’s the structure of the catalog:

   nyanBOX tool catalog — structure
   ══════════════════════════════════

   ┌─ Wi-Fi ──────────────────┐  ┌─ BLE / BT ───────────────┐
   │ AP scan                  │  │ BLE scan                 │
   │ Client detection         │  │ BLE spoof                │
   │ Probe-request capture    │  │ BLE spam                 │
   │ Channel survey           │  │ Device tracking          │
   │ Beacon spam / clone      │  │ BT Classic scan          │
   │ Deauth                   │  │ BT Classic device info   │
   │ Evil portal              │  └──────────────────────────┘
   │ Karma / probe-response   │
   └──────────────────────────┘  ┌─ NRF24 / 2.4 GHz ────────┐
                                 │ Spectrum analysis        │
   ┌─ Detection (unique) ──────┐ │ Multi-channel sniff      │
   │ Drone RemoteID    → Vol 6 │ │ Jam                      │
   │ Hidden camera     → Vol 7 │ │ Replay                   │
   └──────────────────────────┘  │ Mousejack-class tools    │
                                 │ Transmit-and-confirm     │  → Vol 5
   ┌─ System / education ──────┐ └──────────────────────────┘
   │ XP progression view       │
   │ Device lock               │
   │ Settings                  │
   │ Firmware info             │
   └──────────────────────────┘

   "40+" comes from counting every distinct menu entry across
   all groups. The exact catalog depends on firmware version —
   verify against the vendor GitHub docs for the current list.

[FIGURE SLOT — Vol 4, § 4] Photo of the nyanBOX main menu showing the tool-group structure on the OLED. Source: vendor product page. Caption when filled: “Figure 4.2 — The nyanBOX main menu / tool-group navigation.”


5. How these compare to ESP32 Marauder

The nyanBOX’s Wi-Fi/BLE tools are functionally a subset of ESP32 Marauder’s, wrapped in a friendlier UI. The honest comparison:

| Dimension | nyanBOX stock firmware | ESP32 Marauder |
|---|---|---|
| Wi-Fi tool depth | Solid, education-framed | Deeper — more attack variants, more capture detail |
| BLE tool depth | Solid | Comparable |
| BT Classic | Yes (original ESP32) | Yes (on ESP32, not S3 builds) |
| UI | Menu-driven, XP-scaffolded, beginner-friendly | Flat menu, assumes knowledge |
| Capture storage | EEPROM (small) — limited | microSD on Marauder-capable hardware |
| Source | Closed (likely) | Open source |
| The two unique features | Yes (RemoteID, camera) | No |
| Customizability | Low (closed) | High (open, forkable) |

5.1 The implication

For the Wi-Fi/BLE tools specifically, ESP32 Marauder is the more capable firmware. If tjscientist wanted only Wi-Fi/BLE depth, running Marauder on the nyanBOX hardware (Vol 8 § 5) — or just using the AWOK Dual Touch V3, which already runs Marauder — beats the stock firmware.

The nyanBOX stock firmware earns its place not on Wi-Fi/BLE depth, but on: (a) the two unique detection features, (b) the triple-NRF24 tooling, (c) the education UX. The Wi-Fi/BLE tools are table stakes — present and competent, but not the reason to buy.


6. Education-mode framing of these tools

The nyanBOX’s distinctive presentation of the Wi-Fi/BLE tools:

6.1 The scaffolding

Each tool, in the stock firmware, comes with progression context — the XP system frames why you’d use a tool and what it teaches:

   Education framing — example
   ════════════════════════════

   Tool: "Probe Request Capture"

   Flat-firmware presentation (Marauder):
     > Probe Req Sniff   [start]

   nyanBOX education presentation:
     > Probe Request Capture
       Devices broadcast the names of WiFi networks
       they remember. This tool captures those — and
       shows you how much a phone reveals just by
       being on. [Tier 1: Passive]  XP: +5
       [start]  [learn more]

6.2 Is this valuable for tjscientist?

For a learner: yes, genuinely. The scaffolding turns a tool list into a curriculum.

For tjscientist (45+ years EE): the framing is friction — he knows what a probe request is. But it’s non-destructive friction; the tools still work, you just click past the context. And there’s a real use: the nyanBOX is the device to hand to someone else — a student, a new hire, a curious colleague. In that role, the education framing is the entire point.

6.3 The gate caveat

If the education framing also gates tools (you can’t use deauth until you’ve earned XP on passive tools), that’s friction tjscientist would want to bypass. Vol 8 § 4 covers whether the gate is real and whether it’s bypassable. For now: assume some gating exists; assume it’s bypassable (either via XP grinding, a settings option, or alternative firmware).


7. Resources

Canonical mechanics reference

ESP32 radio

Vendor

End of Vol 4. Next: Vol 5 covers the NRF24 / 2.4 GHz toolset — spectrum analysis, jam, sniff, replay, Mousejack-class tools, and the transmit-and-confirm workflow the triple-radio hardware enables.