v0.6.1 SHIPPED — 40 BAKED SUB-GHZ SIGNALS · ON-AIR TX INDICATOR · HYDRA HAT PREP
COMMANDER OF THE DEEP

POSEIDON

Keyboard-first pentesting firmware for the M5Stack Cardputer-Adv. 150+ features across six radio bands plus wired Ethernet. Sub-GHz. 2.4 GHz. LoRa. WiFi. BLE. Zigbee. RJ45. All from your pocket.

poseidon ▸ saltyjack --responder --wpad --crack-on-device
150+ Features · 6 RF + Wired · 6 Themes · 3190+ .sub Signals

Argus & the visual overhaul

The biggest single drop since 0.5.0. Triton finally has a real character — a 96x96 Argus mood sprite that watches every handshake and shifts mood live. Six full themes (POSEIDON / MATRIX / E-INK / SYNTHWAVE / PHANTOM / BLOOD). Seven idle screensavers keyed off the active theme. Carousel menu style with cyberpunk pictographs. Ambient procedural motion painted behind every menu draw. The whole device feels alive.

Argus — Triton's mood sprite

Twelve mood portraits (Watching, Pleased, Annoyed, Resigned, Calculating, Old Fury, Sleeping, Reflective…). Mood-mapped to hunt state — Argus sleeps when idle, gets pleased on catch, fully unhinged on Feral burst. Sprite is cached to internal SRAM to dodge MMU stalls during raw-TX.

v0.6 · CHARACTER

Six themes + carousel menu

POSEIDON, MATRIX, E-INK, SYNTHWAVE, PHANTOM, BLOOD. Magenta splashes across the dashboard chrome, matrix rain on a 4x speed-up, ambient procedural motion painted under every screen. Carousel menu style toggles in System — big-card single-focus with pictograph icons.

v0.6 · LOOK

Raw-IDF AP path

Bruce's pinned libnet80211.a crashes Arduino's WiFi.softAP() in ieee80211_hostap_attach +0x2c. New path bypasses Arduino entirely — esp_bt_controller_mem_release(BTDM) → raw netif → 4/16 buffer init → esp_wifi_set_config(WIFI_IF_AP) → post-start channel set. Portal, Beacon Spam, Evil Twin all back on-air.

v0.6 · WIFI

7 idle screensavers

Sonar sweep, port scan, hex cascade, terminal crack, neural arc, glitch BSOD, tide waves. Kicks in at 2 min idle, pulled from a pool keyed off the active theme. Pick your favorite at System → Screensaver.

v0.6 · IDLE

BLE cooperative tick

Sour Apple, Spam, Karma, Flood, FindMy refactored from xTaskCreate (silent rc=-1 because NimBLE eats 4 KB of heap) to cooperative ticks called from each feature's UI loop. Every nearby phone now sees the spam. Confirmed against iOS + Android.

v0.6 · BLE

C5 protocol v3 + terminator fix

TRIDENT C5 satellite jumps to wire protocol v3 — 9 new commands (clients hunt, beacon spam, probe sniff, deauth detect, karma, AP clone, spectrum, CIW). Critical fix: C5 now sends a zero-payload terminator when a scan finishes so POSEIDON stops spinning forever on empty results.

v0.6 · C5

Plus IR LED polarity finally fixed (active-HIGH, not active-LOW), Samsung remote codes verified against Flipper-IRDB, Evil Twin, AP Signal Test, BLE BlueDucky, SATCOM Tracker, Drone Remote ID, Surveillance Hunter, Defensive Monitor, and four nRF52 hat features. Full changelog on GitHub.

SaltyJack — the LAN arsenal

Press j from the root menu. Full wired/wireless LAN attack suite with a pirate UX — DHCP starvation, rogue DHCP (STA + AP), Responder (LLMNR/NBT-NS/SMB), WPAD PAC harvest, on-device NTLMv2 cracker. No PC tether. No Pi server. Pocket-sized.

★ BIG HOMAGE · SALTYJACK'S ORIGINAL ARCHITECT

@7h30th3r0n3

SaltyJack is a direct port, not inspiration. Every attack module — DHCP starve, rogue DHCP, Responder, WPAD, NTLMv2 cracker — is a reforge of the work 7h30th3r0n3 shipped first on the Pi (RaspyJack) and on Cardputer (Evil-M5Project / Evil-Cardputer). We reorganized the code into POSEIDON's style, added a pirate sprite pack, built a custom renderer. The attacks themselves — protocol framing, timing, pool-exhaustion detection, hashcat 5600 output path — that's all 7h30th3r0n3. Go star both repos. Seriously.

What's inside

Six modules behind one menu key. Phase 1 shipped in v0.3; phase 2 lands with v0.4.

DHCP Starvation

Floods the network's DHCP server with random-MAC Discover/Request cycles until the pool exhausts. Live counters. Auto-detects exhaustion on NAK ≥ 20.

PHASE 1

Rogue DHCP (STA + AP)

Races the real server with our own Offer/Ack (STA mode), or acts as the DHCP server for clients on our SoftAP (AP mode). Gateway + DNS poisoning for chained MitM.

PHASE 2

Responder

LLMNR + NBT-NS name-poisoning plus SMB1 NTLMv2 Type-2 builder. Captured hashes logged to SD in hashcat mode-5600 format. Feed directly to the on-device cracker.

PHASE 2

WPAD NTLM harvest

Serves PAC file on port 80 + HTTP 407 Proxy-Authenticate challenge. Windows clients auto-fetch WPAD, auto-auth with current domain creds.

PHASE 2

On-device NTLMv2 cracker

Pure-C HMAC-MD5 wordlist runner. Reads hashcat-5600 lines from SD, tries each password. No PC needed. Seeds a starter wordlist on first run.

PHASE 2

Custom UX

Own renderer — list / grid / carousel views, RaspyJack-faithful info pages, screensaver, 7-sprite pirate icon pack baked from PNG via tools/sprite_sheet_to_icons.py.

UX

Every file in src/features/saltyjack/ opens with an attribution header crediting @7h30th3r0n3. Authorized testing only — hunt your own LAN.

WhisperPair — CVE probe for hundreds of millions of devices

Press W in the BLE menu. Scans for Google Fast Pair accessories — Sony XM5, Pixel Buds Pro, Jabra, JBL, Marshall, Nothing, OnePlus, Soundcore, Logitech — and probes each one for CVE-2025-36911. Vulnerable firmware responds to a Key-Based Pairing write even when it's not in pairing mode, silently letting an attacker take over the device in about ten seconds.

★ CREDIT · COSIC @ KU LEUVEN

The researchers who disclosed it

CVE-2025-36911 was disclosed by Preneel, Singelée, Antonijević, Duttagupta, and Wyns at COSIC, KU Leuven in January 2026. $15K Google bounty. POSEIDON's probe is a demonstration + self-check tool built on top of their published findings — stand on giants' shoulders, always.

★ Disclosure writeup: whisperpair.eu →

What the probe does

Scan + classify

Active scan for Fast Pair service UUID 0xFE2C. Classifies each hit as pairable (spec-compliant) or in-use (shouldn't accept pairing — the vulnerable column). Model-ID lookup names the device on-screen.

STAGE 1

Real crypto probe

secp256r1 ephemeral keypair via mbedTLS (hardware accelerated on ESP32-S3). AES-128-ECB encrypts a valid Key-Based Pairing plaintext. 80-byte envelope lands on the target's KBP characteristic.

STAGE 2

Verdict + MAC lift

Response in 3 seconds = VULNERABLE. Silent drop = patched. When we have the accessory's anti-spoofing pubkey, we decrypt the response and extract the hidden BR/EDR MAC. Logged to /poseidon/whisperpair.csv.

STAGE 3

Probe-only. ESP32-S3 has no Classic Bluetooth radio so the full attack (bond + HFP mic capture + Find Hub registration) needs external hardware. Roadmap: nRF52 companion hat closes the loop. Authorized targets only — patches are rolling out unevenly, scan your own gear.

What's landing next

v0.6.0 shipped Argus mood sprite, six themes, ambient motion, the cooperative BLE refactor, the STA-mode raw-TX path, and the C5 protocol v3 with 5G scan terminator. v0.7 closes the BLE gap with a real nRF52840 companion dongle. Everything below is planned, not promised.

nRF52840 companion — real BLE 5.0

USB-CDC nRF52840 dongle for full BLE 5.0 sniffing, LE Secure Connection attacks, Coded PHY S=8 long-range, and direction finding. The S3 can scan and spam BLE but can't MITM a real pairing — nRF52 closes that gap. The four nRF52 features (scan, scout-strike, MITM relay, WiFi+BLE combo) shipped in v0.6.0 against a Feather hat; v0.7 hardens the path with a dedicated dongle.

v0.7 · HEADLINE

On-device WPA2 cracker

Dual-core PBKDF2-SHA1 runner that eats .22000 files straight from SD. Seeded wordlist, custom dictionary support, resume-from-last-line. No PC tether. Listed here because testers keep asking and we have the hashcat-format captures already.

v0.7 · CRACK

Sub-GHz on Hydra hat (arriving tomorrow)

Hydra RF hat lands on the bench tomorrow — any sub-GHz bugs surfaced during v0.6 testing get fixed the moment the hardware is here. CC1101 RF / nRF24 mousejack / sub-GHz replay / Pocket SDR all queued for the regression sweep.

v0.6.1 · SUB-GHZ

Thread / Matter enumeration (via TRIDENT)

TRIDENT's 802.15.4 radio already sniffs Zigbee. Next step: passive Thread discovery, node enumeration, commissioning-invite detection, Matter bridge fingerprinting. Output to SD as structured JSON.

v0.7 · 802.15.4

MIMIR drop-box (aspirational)

Design sketch, not code. Future companion drop-box on a Banana Pi BPI-M4 Zero running hcxdumptool + WPA2 cracker + Bjorn-style action DAG. POSEIDON would act as the USB-C control client. No ETA, no implementation today.

future · IDEA

Full timeline on the roadmap page. Want to shape priorities? File a GitHub issue.

00 // NAVIGATE

Explore POSEIDON

Six sections, each its own page. Pick what you care about — there's a lot here.

01 · ARSENAL

Every Radio. Every Attack.

150+ tools across WiFi, BLE, sub-GHz, 2.4 GHz, LoRa, IR, and network. The full feature grid with per-domain counts.

Browse arsenal →

02 · HARDWARE

Four Hats. Every Frequency.

Base Cardputer-Adv plus LoRa, Hydra RF, ESP32-C5, and the new W5500 SPI-to-Ethernet — RaspyJack parity over wired.

Inspect hats →

03 · ROADMAP

Where we've been. Where we're going.

v0.1 foundations → v0.4 SaltyJack + platform fork → v0.5 TRIDENT (C5 satellite) + LoRa → v0.6 Argus mood + visual overhaul + STA-mode raw-TX → v0.7 nRF52 BLE 5.0.

See the timeline →

04 · TESTERS

Help us harden v0.6.

v0.6.0 just shipped — regression sweep on Triton, Portal, BLE Spam, Argus sprite. Hydra hat sub-GHz fixes land when the hardware arrives tomorrow.

Join the field team →

05 · CREDITS

Shoulders of Giants.

The open-source pentest, radio, and firmware work POSEIDON is built on. Go star every one of them.

Read the wall →

06 · SOURCE

The code itself.

MIT-licensed, master-branch-releases, CHANGELOG + TESTERS.md kept current. Issues open for bugs, PRs welcome.

Open on GitHub ↗

★ · DEPLOY

Ready to Dive?

Flash with M5Burner, esptool, or build from source with PlatformIO. Full walkthrough on the install page.

⬇ Install Guide · GitHub Release ↗
ESP32-S3 • Cardputer-Adv • ~2.1 MB • Flash at 0x0
# M5Burner custom repo · one-click GUI flash
▸ https://generaldussduss.github.io/poseidon/m5burner.json

# or build + flash from source
▸ git clone https://github.com/GeneralDussDuss/poseidon
▸ cd poseidon && pio run -t upload