ROADMAP · v0.6.1 current

Where we've been. Where we're going.

Six tagged releases, one landed companion (TRIDENT — the ESP32-C5 satellite over ESP-NOW). Below is everything shipped and what's queued next.

Timeline: shipped v0.1 → v0.6.1 · current v0.6.1 · next v0.7 (nRF52840 BLE 5.0 dongle) · after v0.8 (on-device WPA2 crack)
v0.1.0 2026-04-14 Shipped
First tagged release — the foundation
Every radio band brought online. Full menu shell with slide transitions. Hokusai splash. 90+ features across WiFi, BLE, sub-GHz, LoRa, nRF24, IR, net attacks, BadUSB, theme engine, Triton gotchi. Initial C5 satellite scaffolding (not yet end-to-end — that lands in v0.5).
v0.2.0 2026-04-17 Shipped
Deauth correctness + LoRa stability
Two back-to-back audits landed simultaneously — deauth wasn't kicking clients, LoRa was hard-rebooting the device. Both classes of bug found, fixed, reviewed, shipped.
  • Deauth: addr1 bug fixed across 4 sites + Triton, shared frame builder with correct 802.11-2016 Sequence Control encoding
  • Deauth + disassoc pair with per-frame seq increment, client sniffer feeding alternating broadcast/unicast rounds
  • PMF / WPA3 / WPA2-Enterprise warning + driver-level TX drop counter
  • LoRa bandwidth unit fixed (kHz directly, not divided by 1000)
  • PI4IOE antenna switch driven directly via M5.In_I2C, bypassing a broken M5 expander API that was LoadProhibited-panic'ing the device
  • Null-radio boot-loop eliminated — lora_radio() returns a dummy instead of esp_restart()
  • LoRa spectrum analyzer rewritten — no more 210-retune sweep per frame, real packet capture with RSSI/SNR/size overlay
v0.3.0 Shipped · Released
Meshtastic node + SFX engine
POSEIDON becomes a full Meshtastic participant — send, receive, page, show up on the mesh.
  • Hand-rolled minimal protobuf for MeshPacket / Data / User / Position
  • AES-CTR-128 with default LongFast PSK (nonce counter at bytes 12-15 — byte-exact vs fw v2.7.23)
  • Broadcast text + direct-to-node (paging) + position reporting
  • Live node roster with long/short names, SNR, hops, last-seen, GPS pin
  • Tron-style cyberpunk SFX engine with NVS-persisted volume (boot jingle, menu clicks, attack cues, warn/bad)
  • SaltyJack phase-1: DHCP Starvation shipped standalone
v0.6.0 2026-05-28 Shipped · Live
Argus mood sprite · six themes · ambient motion · raw-IDF AP path · BLE cooperative tick · C5 protocol v3
The biggest single drop since 0.5.0.
  • Triton finally has a real character — a 96x96 Argus mood sprite with twelve mood portraits (Watching, Pleased, Annoyed, Resigned, Calculating, Old Fury, Sleeping…) that maps live to hunt state.
  • Six themes ship (POSEIDON / MATRIX / E-INK / SYNTHWAVE / PHANTOM / BLOOD), seven idle screensavers keyed off the active theme, carousel menu style with cyberpunk pictographs, ambient procedural motion painted under every menu draw.
  • WiFi raw-TX moves to STA mode with a -Wl,-zmuldefs linker override of ieee80211_raw_frame_sanity_check (Bruce-libs-safe).
  • Portal gets a real raw-IDF AP recipe that actually broadcasts.
  • BLE features (Sour Apple, Spam, Karma, Flood, FindMy) move from broken xTaskCreate to a cooperative tick pattern that actually fires.
  • IR LED polarity finally corrected (active-HIGH, not active-LOW), full Samsung Smart Remote keymap (~40 buttons) verified against Flipper-IRDB.
  • New features: AP Signal Test, Evil Twin, BLE BlueDucky, SATCOM Tracker (SGP4 + baked TLEs), Drone Remote ID (ASTM F3411), Surveillance Hunter (Flock + Raven detection), Defensive Monitor, four nRF52 hat features.
  • C5: protocol v3 with 5G scan terminator fix.
  • Removed: OTA Update (M5Burner / web flasher cover the same ground without partition complexity).
v0.5.0 2026-04-21 Shipped
TRIDENT (C5 satellite) · 5 GHz deauth · LoRa end-to-end · flicker killed · M5 Launcher
  • The ESP32-C5 companion node (TRIDENT) lands as a proper peripheral over ESP-NOW — 5 GHz deauth targeted + broadcast (binary patch bypassing ieee80211_raw_frame_sanity_check in libnet80211.a), 802.15.4 Zigbee sniffer, 5 GHz PMKID capture, dual-band WiFi scan with auth column.
  • One-click WebSerial flasher on the install page (esp-web-tools@10.2.0).
  • LoRa SX1262 now works end-to-end on the CAP-LoRa1262 hat: BUSY pin wired into RadioLib, shared HSPI with SD, antenna switch order fixed, setCurrentLimit(140).
  • Every live screen (wifi_scan, ble_scan, wifi_clients, wifi_spectrum, the C5 dashboards) is flicker-free — state caching across the board.
  • bmorcelli Launcher integration ships as a second PIO env (cardputer-launcher) that links into ota_0 at 0x170000.
v0.4.3 2026-04-20 Shipped
Sub-GHz actually transmits · WhisperPair CVE probe · Jam Detect · HUNT bundle
Four consecutive drops across two days.
  • Record / replay / broadcast finally fire the radio (native rmt_tx.h / rmt_rx.h).
  • WhisperPair CVE-2025-36911 detector with real secp256r1 ECDH lands (credit COSIC @ KU Leuven).
  • Sub-GHz Jam Detect RSSI monitor ships as peer to the WiFi deauth detector.
  • Unified Tools → Hunt submenu.
  • TRIDENT protocol grows status + loot commands.
  • Meshtastic !poseidon command parser.
  • Scan CSV export everywhere.
  • Cross-feature state handoff (wardrive → Triton / PMKID).
  • In-feature ? help.
  • Theme persistence + WhisperPair scan fixes.
v0.4.0 2026-04-19 Shipped · Released
Deauth actually lands · SaltyJack · NimBLE 2.x · pioarduino IDF 5.5.4
The release where deauth frames finally TX on-air, a full RaspyJack LAN arsenal lands, and the whole BLE stack migrates to NimBLE 2.x.
  • Deauth on-air. The real blocker was ieee80211_raw_frame_sanity_check inside libnet80211.a — not the interface, not the mode, not the silent-AP pattern. Bypassed with a 5-line link-time symbol override + one linker flag. Credit to GANESH-ICMC for the original trick. Verified on-device: 800/800 frames TX'd, target kicks in seconds.
  • SaltyJack = RaspyJack port. Direct port of @7h30th3r0n3's RaspyJack + Evil-M5Project — DHCP Starve, Rogue DHCP (STA + AP), Responder (LLMNR/NBT-NS/SMB NTLMv2), WPAD PAC harvest, on-device NTLMv2 cracker. Custom pirate UX, 16×16 sprite pack, full-screen boot splash. Press j.
  • NimBLE 2.x migration. 1.4.1 crashed at BLE init on Core 3.3.8. Bumped to 2.3.9 and migrated 13 BLE feature files — callbacks take NimBLEConnInfo&, scan signatures changed, HID accessors renamed, etc.
  • Platform on pioarduino. platform-espressif32@55.03.38 (Arduino 3.3.8 / IDF 5.5.4) + bruce_esp32-arduino-libs-20260123 for stack parity with Bruce.
  • W5500 SPI Ethernet hat. Wired RJ45 for full RaspyJack parity — SaltyJack runs over lwIP's transport-agnostic netif, bypassing WiFi STA / PMF / 802.1X.
  • Build runs from WSL2 / native Linux (pioarduino's installer trips on Git Bash MSys markers).
v0.6.1 2026-05-29 Shipped · Live
Built-in sub-GHz library (40 baked signals) · ON-AIR TX indicator · Hydra hat pre-flight
  • Forty baked OOK signals ship with the firmware — no SD recordings required. Tesla Charge Port + Frunk, garage codes (Princeton / CAME / NICE / Linear / Holtek / Multicode / Stanley / Liftmaster pre-rolling), doorbells, restaurant pagers, keychain panic alarms, novelty bursts (cricket / TV-B-Gone / air horn), wireless outlet packs + master ALL ON/OFF, ceiling fan (low/med/high/off), smoke alarm test, window/PIR/glass-break sensor alerts. Baked signals merge into their natural category alongside any user recordings dropped into /poseidon/signals/<cat>/.
  • New ON-AIR TX indicator drops a big red badge + frequency + play counter over the broadcast screen during every CC1101 transmit, with a green border flash on completion so you can tell "frame stuck" from "TX actually fired."
  • Hydra RF hat pre-flight — six pre-arrival fixes audited against Bruce / bmorcelli's SmartRC fork / PINGEQUA pin reference: nRF24 driver moved off the FSPI display bus, CC1101 reclaims pin 13 from GPS UART, Init() return value checked, mousejack sniffer ports Bruce's 6-pipe noise-address table, RMT min-pulse 20 µs → 3 µs to catch fast Manchester edges. Hydra regression sweep happens the moment the hat lands.
v0.7.0 TBD Planned
nRF52840 BLE 5.0 dongle
Real BLE 5.0 via a dedicated nRF52840 dongle over USB-CDC (full advertisement decode, Coded PHY long-range, direction finding, LE Secure Connection MITM). The four nRF52 features that landed in v0.6.0 ride an Adafruit Feather hat as proof-of-concept; v0.7 hardens the path with a dedicated dongle that doesn't compete with the Feather's I/O.
  • nRF52840 dongle as USB-CDC BLE sniffer
  • BLE connection hijacking via nRF52 + NimBLE coordination
  • Coded PHY S=8 long-range attacks
  • Thread / Matter enumeration via TRIDENT C5
aspirational no ETA Idea
MIMIR drop-box — companion SBC
Unimplemented today. Future companion pentest drop-box on a Banana Pi BPI-M4 Zero running hcxdumptool, an on-device WPA2 cracker, and a Bjorn-style action DAG. POSEIDON would act as the USB-C control client — no wireless link, pure opsec. No code exists yet; listed here so the design intent is on record.
  • hcxdumptool wrapper for real scan events
  • On-device WPA2 cracker (dual-core PBKDF2-SHA1)
  • FENRIR RL policy head selecting exploit strategy
  • Armbian H618 one-flash image
  • Pull captured pcap / .22000 back to Cardputer SD over USB-CDC