Educational Use Only - Evil-M5Project is designed exclusively for cybersecurity education, authorized penetration testing, and security research in controlled lab environments. All features exist to teach how real-world attacks work so that defenders, students, and security professionals can better understand and prevent them. Users must comply with all applicable laws and obtain proper authorization before any testing. The creator is not responsible for any misuse.
Evil-M5Project transforms the M5Stack Cardputer into the most comprehensive pocket-sized cybersecurity education toolkit ever built on an ESP32. With 87+ features packed into a single firmware, it covers security assessment, threat detection, network analysis, IoT research, and hands-on security training - all running on a device that fits in your pocket.
Born from years of passion for cybersecurity education and open-source hardware, Evil-M5Project makes professional-grade security concepts accessible to students and educators for a fraction of the cost of traditional lab equipment.
87+ menu features - 38,000+ lines of code (Cardputer firmware alone) - 2,300+ GitHub stars, 220+ forks - 74 wiki documentation pages - 60+ multilingual portal templates - 17 slave firmware variants for distributed operations - 10+ M5Stack devices supported
The Evil-M5 Family - Cardputer, Core2, CoreS3, AtomS3 (and more)
Why Evil-M5Project?
Cybersecurity education suffers from a fundamental problem: professional tools are expensive, complex, and intimidating. Evil-M5Project breaks every barrier:
- Affordable - Built on a $30 M5Stack Cardputer
- Portable - Fits in your pocket, runs on battery
- Self-contained - No laptop needed for most operations
- Educational - Each feature teaches a real-world security concept and how to defend against it
- Open-source - Fully transparent, community-driven
Whether you are a cybersecurity student learning the fundamentals, an educator building a hands-on lab, a penetration tester with proper authorization, or a security researcher, Evil-M5Project puts an entire security learning platform in your hands.
1. WiFi Security Assessment
Understanding WiFi vulnerabilities is the first step to defending against them. Evil-M5Project provides a complete WiFi security assessment suite used in controlled lab environments:
- WiFi Scanning - Discover nearby networks with SSID, BSSID, channel, RSSI, security type. Teaches students how much information WiFi networks expose passively.
- Karma Attack Suite - Demonstrates how devices automatically connect to rogue APs by responding to probe requests. Teaches why auto-connect should be disabled on personal devices.
- Evil Twin - Shows how a cloned network can redirect clients to a captive portal. Teaches the importance of verifying network authenticity and using VPNs.
- Deauthentication - Demonstrates the 802.11 deauth vulnerability. Teaches why WPA3 and 802.11w (Protected Management Frames) are critical upgrades.
- Beacon Spam - Shows how fake SSIDs can confuse wireless scanners. Teaches network enumeration validation.
- WiFi Channel Visualizer - Real-time spectrum analysis across all 14 channels for RF environment assessment.
- Raw Packet Sniffing - Promiscuous mode capture with standard PCAP export for protocol analysis and forensics training.
Watch: Probe Attack vs. Probe Sniffing - understanding probe request vulnerabilities
2. Network Security Testing
These features demonstrate common network-layer vulnerabilities found during professional penetration tests, teaching defenders how to identify and mitigate them:
- Network Hijacking - Automated demonstration of a DHCP starvation + Rogue DHCP + DNS spoofing chain. Teaches why DHCP snooping, Dynamic ARP Inspection, and network segmentation are essential defenses.
- Responder (LLMNR/NBNS) - Demonstrates how NTLMv2 hashes can leak via legacy name resolution protocols. Teaches defenders to disable LLMNR and NBNS in enterprise environments.
- WPAD Abuse - Shows the Web Proxy Auto-Discovery vulnerability. Teaches why WPAD should be disabled and auto-proxy settings locked down.
- On-device NTLMv2 Cracking - 5,000 H/s with custom MD4/HMAC-MD5 on ESP32. Demonstrates that even a $30 device can crack weak passwords, reinforcing the need for strong password policies.
- Rogue DHCP Server - Shows DHCP spoofing in STA and AP modes. Teaches DHCP security controls.
- DNS Hijacking - Demonstrates DNS redirection. Teaches the value of DNS-over-HTTPS and DNSSEC.
- SSH Shell - Direct SSH connections for remote administration.
- Reverse TCP Tunnel - Demonstrates NAT traversal techniques used in authorized remote assessments.
- Web Crawler - Recursive HTTP(S) spidering for web application reconnaissance in authorized testing.
Watch: Network Security Testing demonstration
Watch: Network Hijacking - understanding the results
Watch: WPAD + NTLMv2 vulnerability demonstration
3. WPA Handshake Analysis & Password Auditing
Understanding WPA/WPA2 weaknesses helps organizations enforce strong wireless security policies:
- Handshake Master - Multi-device EAPOL capture across all 14 channels simultaneously using master/slave architecture. Teaches how 4-way handshakes work and why WPA3-SAE eliminates this attack surface.
- Auto Deauther - Autonomous channel-hopping deauth with automatic PCAP logging for authorized WiFi audits.
- On-device WPA2 Cracking - Dual-core PBKDF2-SHA1 cracker running directly on the ESP32. Demonstrates why short or common passwords are insufficient even against low-cost hardware.
- Handshake Validation - Verify PCAP files contain valid 4-way handshakes before analysis.
- PCAP Export - Standard format, compatible with aircrack-ng and hashcat for professional auditing workflows.
These tools help identify and understand wireless threats in your environment:
- Wall of Flipper - Detect Flipper Zero devices nearby and identify ongoing BLE advertisement attacks (iOS popups, Samsung/Android BLE, Windows Swift Pair, LoveSpouse DoS). A purely defensive awareness tool.
- Wall of AirTags - Real-time Apple Find My scanner tracking up to 24 trackers with distance estimation. Helps detect unwanted tracking devices.
- FindMyEvil - Apple Find My research tool with automatic MAC rotation for understanding the Find My protocol.
- BLE Name Flood - BLE stress-testing for protocol robustness assessment (SLOW/NORMAL/TURBO modes).
- Skimmer Detector - Scan for suspicious Bluetooth modules (HC-03/05/06) commonly used in credit card skimmers. Purely defensive - protects users at ATMs and point-of-sale.
- Bluetooth Keyboard - BLE HID keyboard emulation for accessibility and testing.
- SkyJack - Educational demonstration of legacy drone WiFi vulnerabilities (Parrot AR.Drone).
Watch: Wall of Flipper - detecting BLE threats in real-time
5. IoT & Infrastructure Security Research
Tools for assessing the security posture of IoT devices and network infrastructure in authorized environments:
- CIW Zeroclick - SSID injection fuzzing framework with 157 payloads across 14 categories (command injection, buffer overflow, format string, XSS, path traversal, Log4Shell/JNDI, NoSQL injection) with real-time crash detection. Helps IoT manufacturers discover parsing vulnerabilities before deployment.
- CCTV Toolkit - IP camera security audit: discovery, fingerprinting (Hikvision, Dahua, Axis, CP Plus), CVE database, default credential testing, RTSP analysis, live MJPEG viewing, and passive Spycam WiFi detector. Helps organizations assess surveillance infrastructure security.
- SIP Toolkit - 5 VoIP security assessment modules: Scanner, Enumeration, Message Spoofing, Flooding, Ring All. For authorized VoIP infrastructure audits.
- SSDP Poisoning - UPnP device spoofing demonstrating why UPnP should be disabled on production networks.
- UPnP NAT Mapping - Enumerate and audit router NAT port mappings for unintended exposure.
- LDAPDump - Active Directory enumeration with full HTML reports (users, groups, computers, GPOs, trusts, password policies). For authorized AD security audits.
- IMSI Catcher - Passive EAP-SIM monitor demonstrating IMSI leak vulnerabilities in legacy WiFi-cellular auth.
- Printer Security - Discovery, status check, and print testing via port 9100. Demonstrates why printers need access controls.
- Autodiscover Abuse - Microsoft Autodiscover protocol vulnerability demonstration for enterprise security awareness.
- UART AutoShell - Serial console with auto-baudrate detection across 19 standard rates for hardware security research.
Watch: CCTV Toolkit - IP camera security assessment
6. TagTinker ESL - Electronic Shelf Label Research (NEW!)
The latest addition to Evil-M5Project: security research on Electronic Shelf Label (ESL) e-ink price tags deployed in retail stores worldwide. Millions of ESL tags communicate wirelessly with minimal authentication - this tool makes that research accessible.
- Image Sending - Push any image to ESL tags with advanced processing: 5 dithering algorithms (Floyd-Steinberg, Atkinson, Ordered 4x4/8x8, Threshold), contrast, brightness, gamma, sharpness, edge detection, rotation, flip, zoom with pan
- Text Push - Send custom text messages with presets
- LED Control - Full control over tag LEDs: speed, power, duration, blink patterns, alerts
- Broadcast - Mass commands to all nearby tags: LED blink, page flip, WiFi icon toggle
- Tag Management - Barcode scanning, NFC decoding, save and organize tags
- Raw Frames - Send custom protocol frames for deep protocol analysis
- Beautiful Web UI - Full-featured responsive dashboard with dark mode, accessible from any browser on the local network
This feature demonstrates why retail IoT infrastructure needs proper authentication and encryption - a critical lesson as ESL deployments scale globally.
7. Social Engineering Awareness
60+ multilingual portal templates for authorized security awareness training. These demonstrate how phishing attacks look in the real world, helping organizations train employees to recognize and avoid them:
- 6 Languages - English, French, German, Dutch, Spanish, Portuguese
- Brand Templates - Realistic portal clones showing what employees might encounter during a phishing campaign
- Advanced Portals - Cookie siphoning, browser fingerprinting, clipboard capture demonstrations
- Custom Upload - Drag-and-drop any HTML portal via Web UI for custom awareness scenarios
- Credential Dashboard - Track which simulated phishing attempts succeed during authorized training exercises
- 23+ Ready Payloads - Demonstrate USB HID injection risks: WiFi credential extraction, clipboard interaction, kiosk bypass testing
- 10 Keyboard Layouts - US, UK, FR, DE, ES, IT, PT, SE, DK, HU
- Web UI Script Manager - Upload and manage test scripts remotely
- Mouse Jiggler - Prevent screen lock via USB HID input simulation
- SD on USB - Use Cardputer as USB mass storage device
These tools teach organizations why USB port security policies, device whitelisting, and endpoint protection matter.
Watch: Mouse Jiggler demonstration
9. Distributed Multi-Device Architecture
What truly sets Evil-M5Project apart: a master/slave architecture for comprehensive security assessments at scale.
- Wardriving Master - Deploy up to 14 ESP32 slaves (such as the C6), each on a separate WiFi channel, and aggregate all data with GPS coordinates on the Cardputer master. Cover all channels simultaneously - no more missed networks due to channel hopping.
- Handshake Master - Distributed EAPOL capture across all channels at once for thorough WiFi audits
- ESP-NOW Protocol - Low-latency encrypted inter-device communication
- 5GHz Support - ESP32-C5 slaves add dual-band (2.4GHz + 5.8GHz) capability
- Cost-effective - Each slave costs ~$5 (M5Stack C6, ESP32-C3 WEMOS D1 Mini)
- 17 Slave Variants - Wardriving, deauth, sniffer, portal, mesh relay, FindMy tracker, NTLM sniffer, 2.4GHz deauther, 5GHz multi-mode
A single Cardputer coordinating 14 slaves provides assessment capabilities that even professional tools costing thousands struggle to match.
- EAPOL/Deauth Detection - Real-time WiFi attack monitoring - detect if someone is attacking your network
- Spycam Detector - Passive WiFi scanning for hidden cameras in your environment
- Skimmer Detector - Bluetooth card skimmer detection at ATMs and point-of-sale terminals
- Honeypot - High-interaction telnet honeypot simulating 30+ Linux commands with webhook alerts to Discord, Telegram, or SIEM - catch and study attackers
- Open WiFi Checker - Validate internet connectivity on open networks with safety indicators
- EvilChatMesh - Offline encrypted mesh chat over ESP-NOW. IRC-like messaging without any WiFi or internet infrastructure, with relay nodes for extended range
- WiFi Dead Drop - Anonymous file and message exchange via temporary portal
- PwnGrid Spam - Interact with nearby Pwnagotchi devices
Watch: Honeypot - catching and studying attackers
11. Web UI & Administration
- Admin Dashboard (/evil-menu) - Protected web interface with credentials viewer, SD file browser, portal setup, network scanner, real-time status monitor, BadUSB script manager
- Navigator - Live remote screen control via WebSocket with keyboard input injection
- File Manager - On-device SD card browser with text preview, delete, rename
- LLM Chat - Connect to a local Ollama LLM server for AI-powered analysis
- Custom Themes - Fully customizable UI colors and 60+ community startup images
- 50+ Sound Effects - Configurable audio notifications and startup sounds
Desktop tools for post-processing and extended analysis:
- Pygle - Offline wardriving visualization on interactive Folium maps with RSSI color coding
- FindMyMap - Apple Find My forensics with ECDH decryption, interactive Leaflet.js maps, heatmaps, timeline playback, GPX/JSON export
- pcap2hccapx - Convert captured PCAP files to hashcat-ready format
- WigleOpenFinder - Query WiGLE API for open WiFi networks by city
- ReverseTCPControlServer - Asyncio TCP relay for NAT traversal and remote control
- CCTV Stream Scripts - MJPEG streaming servers (webcam, screen capture, video playback)
- Wardriving Merger - Consolidate multiple CSV wardriving logs for bulk analysis
Evil-M5Project leverages virtually every capability of the M5Stack Cardputer hardware:
- Dual-core Xtensa LX7 - Used for parallel crypto operations (producer-consumer architecture on both cores)
- WiFi 802.11 b/g/n - Raw frame handling via patched driver for security assessment and monitoring
- Bluetooth 5.0 LE - BLE scanning, advertising, GATT for threat detection, tracker identification, keyboard emulation
- USB OTG - USB security testing, mouse jiggler, SD mass storage mode
- 1.14" TFT LCD - Full menu system, real-time visualizations, channel heatmaps, status dashboards
- Physical QWERTY Keyboard - Direct text input for SSIDs, passwords, SSH commands, chat
- MicroSD Slot - Portal templates, PCAP captures, configs, scripts, ESL images, themes
- Speaker + LED - 50+ audio notifications, NeoPixel status indicators
- GPS Unit - Wardriving with geolocation tagging
The master/slave architecture transforms any combination of M5Stack devices into a distributed security assessment platform. A single Cardputer coordinating 14+ AtomS3 or ESP32 slaves monitors all WiFi channels simultaneously - a capability that even professional tools costing thousands sometimes struggle to match. Evil-M5Project is not just a project using M5Stack hardware: it is a platform that showcases the entire M5Stack ecosystem.
Supported devices: Cardputer, Core2, CoreS3, CoreS3 SE, Fire, AtomS3, M5Stick v1.1/v2/v3, Tab5, CYD1USB/CYD2USB (beta).
Get Started
- Download the latest binary from GitHub (also available on M5Burner)
- Flash using M5Burner or esptool.py
- Copy the SD-Card-File folder contents to a FAT32 MicroSD card (8-16GB)
- Insert SD card, power on - ready to use
Full build guide: Wiki - Installation
GitHub: github.com/7h30th3r0n3/Evil-M5Project | Wiki: 74 pages of documentation | YouTube: @Evil-M5project | Discord: Join the community
Responsible Use Policy - Evil-M5Project is intended solely for educational purposes, authorized penetration testing engagements, and security research conducted in isolated lab environments. All features demonstrate known vulnerability classes documented in academic literature and industry standards (OWASP, NIST, MITRE ATT&CK). Users are responsible for ensuring all testing is performed only on networks and systems they own or have explicit written authorization to test.







