v0.3.0 — Flagship overhaul (flash core, security, 18 firmwares)
Cyber Controller v0.3.0
Flagship overhaul — the convergence of Headless Marauder GUI, Universal Flasher, and Universal
Flasher & UI into one hardened controller. Flash. Control. Coordinate.
Highlights
- Hardware-validated flash core ported from the proven lineage: chip auto-detect, the
--flash_size detectanti-brick path, correct per-chip bootloader offsets (incl. ESP32-C5
0x2000), child-kill-on-error. - Fixed a silent flash bug — profiles previously produced an esptool call with zero binaries.
- Real backends wired — ADB (RayHunter/Orbic), SD-image (Pwnagotchi/RaspyJack/Kali), backup +
restore, batch flash; recovered Bruce/Flipper/HaleHound/Meshtastic protocol parsers + registry. - 18 firmware profiles (URL corrections + new RayHunter/Pwnagotchi/RaspyJack/Kali) and expanded
M5 / LilyGo / CYD / C5 boards. - New tabs — Settings, Cross-Comm (target pool + auto-routing), Targets.
- Security hardened (all critical/high audit findings, red-team-verified): authenticated
WebSockets + CSRF + CORS allowlist + rate-limit + localhost-default bind + no default creds;
SSRF allowlist + SHA-256 firmware pinning; AES-256-GCM fail-closed storage; injection/XSS fixes. - Docs:
SECURITY.md,docs/RED-TEAM.md(AI-codegen threat model),docs/WEBSITE-SECURITY.md.
Validation status — flash path hardware-validated ✅
The full flash path was validated on a real ESP32 (ESP32-D0WD-V3, 4MB): device detection + USB
autodetect, chip identification, a full-flash backup (read_flash), and a complete
download → write_flash -z --flash_size detect (bootloader/partitions/boot_app0/app at the correct
offsets) → every region hash-verified of ESP32 Marauder v1.12.1 — the board reboots into Marauder
and responds to serial commands. Still pending validation: the PyQt5 GUI runtime, other chip
families (S3 / C5 / C-series), and the ADB / SD-image / qFlipper backends. Run
pip install -e .[dev] && pytest to exercise the test suite.
MIT © 2026 LxveAce · https://lxveace.com · https://esp32marauder.com