General Hacking & Observation Security Tool
Standalone WPA/WPA2 handshake capture firmware for the Adafruit ESP32-S3 Reverse TFT Feather: built-in 240×135 TFT and three buttons — no companion phone app or browser required for normal use. Captures are saved as .pcap on LittleFS; Captures → Download AP exposes a small WiFi network so you can list and download files to another device.
FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY. Use only on networks you own or have explicit permission to test.
On an authorized target, the firmware can send deauthentication frames, capture the WPA 4-way handshake as clients reconnect, and store the result on flash. The UI is entirely on the TFT; the download web UI runs only when you start Download AP from Captures.
- Standalone UI — menus on the TFT; Up / Select / Down (plus board reset as needed)
- Scan — browse networks; per-network Attack, +WL, +BL, or back
- Hunt Whitelisted — walk the whitelist in order
- Hunt All — every visible network except blacklisted (skips open networks where applicable)
- Whitelist & Blacklist — persistent lists
- Captures — list `.pcap` files, clear storage, or start Download AP
- Basic Antifingerprint — optional STA MAC randomization (boot and/or each attack, plus manual renew), ±20–30% jitter on deauth spacing, randomized deauth reason codes (1/2/3/4/8 vs fixed), and a per-device Download AP SSID/password stored in Preferences (editable or re-randomized in Settings)
- Settings — timing and hunt limits (above), plus all antifingerprint toggles and AP credentials; changes autosave to flash (short debounce; flush when leaving Settings)
- NeoPixel status on the Feather
| Part | Adafruit | Price (approx.) |
|---|---|---|
| Adafruit ESP32-S3 Reverse TFT with w.FL Antenna | Product 6303 | See store |
| RP-SMA to w.FL / MHF3 / IPEX3 Adapter | Product 5444 | $2.95 |
| 2.4GHz Dipole Swivel Antenna with RP-SMA — 2dBi | Product 944 | $7.95 |
The w.FL board uses an external 2.4 GHz path: w.FL / IPEX3 (not u.FL) → RP-SMA pigtail → dipole (Feather guide).
You need a USB-C cable for power and flashing.
Power (no battery required): You can run the board from USB-C (charger, laptop, or phone with a suitable cable/OTG). A LiPoly on the JST is optional; this build often omits it after the board mod below.
Remove two through-hole connectors on the component side for enclosure clearance / routing: the JST-PH battery connector (near USB-C) and the STEMMA QT / JST-SH I²C connector (mid-board). Desolder carefully.
No extra wiring; defaults are in config_s3.h.
- arduino.cc — 2.x is fine.
- File → Preferences → Additional Boards Manager URLs: `https://raw.githubusercontent.com/espressif/arduino-esp32/gh-pages/package_esp32_index.json`
- Tools → Board → Boards Manager → install esp32 by Espressif (3.x, ESP32-S3 capable).
- Adafruit ESP32-S3 Reverse TFT Feather (name may vary slightly by core version)
- Correct Port; enable USB CDC On Boot if uploads fail (per Adafruit)
The ESP32 WiFi stack blocks raw deauth frames unless the firmware can override ieee80211_raw_frame_sanity_check (implemented in GHOST_TFT.ino). The linker must allow that symbol to override the SDK copy — add -zmuldefs to compiler.c.elf.libs in your installed platform.txt (same change used in many ESP32 “raw frame” sketches):
Find platform.txt:
- Windows: `C:\Users\<USERNAME>\AppData\Local\Arduino15\packages\esp32\hardware\esp32\<VERSION>\platform.txt`
- Mac: `~/Library/Arduino15/packages/esp32/hardware/esp32/<VERSION>/platform.txt`
- Linux: `~/.arduino15/packages/esp32/hardware/esp32/<VERSION>/platform.txt`

Change:

```
compiler.c.elf.libs="@{compiler.sdk.path}/flags/ld_libs"
```

to:

```
compiler.c.elf.libs="@{compiler.sdk.path}/flags/ld_libs" -zmuldefs
```
Save and restart Arduino IDE.
- Open `GHOST_TFT.ino` (keep all `.h` files in the same folder).
- Upload. Use BOOT / reset if the ROM bootloader is needed.
The sketch folder name must match the .ino filename (this repo: GHOST_TFT / GHOST_TFT.ino).
- Scan Networks — pick Attack, +WL, +BL, or back
- Hunt Whitelisted / Hunt All
- Captures — Download AP starts a WiFi AP using the SSID and password from Settings (randomized on first boot, then stored in Preferences)
- Lists — edit whitelist / blacklist entries
- Settings — attack timing, antifingerprint options, Download AP SSID/password (changes autosave after a short delay, or when you leave Settings). SSID/password edit: highlighted cursor on the current character; tap Select (release) for next position; hold Select (~1s, configurable as `SELECT_LONG_PRESS_MS` in `config_s3.h`) to finish
From Captures, start Download AP, join that SSID on another device (password shown on the TFT and in Settings), open the IP shown (often http://192.168.4.1), download .pcap files, then stop the AP with Select.
```
GHOST_TFT/
├── assets/
│   └── logo.svg
├── docs/images/
├── GHOST_TFT.ino
├── config_s3.h
├── types.h
├── display.h
├── input.h
├── storage.h
├── attack.h
├── download_server.h
└── logo.h
```
- 2.4 GHz only — 5 GHz clients may reconnect out of band.
- PMF / WPA3 — deauth may be ignored where management frames are protected.
- One radio — download AP runs only when you start it from Captures.
- Flash — LittleFS size caps how many large captures you can keep.
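
For defenders: the deauth behaviour described above (jittered spacing, varied reason codes) still shows up on a monitoring sensor as a burst of unprotected deauthentication frames against one BSSID. The detector below is an added example, not part of the GHOST firmware; the window, threshold, function names and sample frames are assumptions constructed for illustration, and input frames are assumed to start at the 802.11 header (radiotap already stripped).

```python
import struct
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0   # frame control byte 0: management type, subtype 12 (deauth)
PROTECTED = 0x40    # frame control byte 1: Protected Frame bit (set under PMF)

def parse_deauth(frame: bytes):
    """Return (bssid, reason, protected) for a deauth frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)   # first 2 body bytes
    return frame[16:22].hex(":"), reason, bool(frame[1] & PROTECTED)

def detect_floods(events, window_s=5.0, threshold=10):
    """events: time-ordered (timestamp, raw 802.11 frame) pairs.
    Alert once per BSSID when `threshold` unprotected deauths fall inside
    `window_s`. Counting in a window is robust to jittered spacing, and the
    reason code is reported but never used as the match key."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, frame in events:
        parsed = parse_deauth(frame)
        if parsed is None or parsed[2]:
            continue   # not a deauth, or protected: body is encrypted
        bssid, reason, _ = parsed
        q = recent[bssid]
        q.append((ts, reason))
        while ts - q[0][0] > window_s:
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "first_seen": q[0][0],
                           "count": len(q),
                           "reasons": sorted({r for _, r in q})})
    return alerts

def sample_events():
    """Constructed capture: one burst against a lab BSSID, two normal deauths."""
    def frame(bssid_hex, reason, fc1=0x00):
        hdr = bytes.fromhex("0000" + "ff" * 6 + bssid_hex * 2 + "0000")
        return bytes([DEAUTH_FC0, fc1]) + hdr + struct.pack("<H", reason)
    times = [0.00, 0.27, 0.49, 0.81, 1.03, 1.36, 1.58, 1.85, 2.14, 2.39, 2.71, 2.95]
    burst = [(t, frame("020000000001", (1, 2, 3, 4, 8)[i % 5]))
             for i, t in enumerate(times)]
    normal = [(1.20, frame("020000000002", 3)),
              (1.50, frame("020000000003", 7, PROTECTED))]
    return sorted(burst + normal, key=lambda e: e[0])

if __name__ == "__main__":
    for alert in detect_floods(sample_events()):
        print(alert)
```

Where PMF is enabled on both the AP and its clients, unprotected deauth frames are ignored, so this detector matters most on networks that have not yet turned it on.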
unsupport frame type / deauth not working — add -zmuldefs and restart the IDE; confirm the line in platform.txt.
Upload failures on ESP32-S3 — data-capable USB cable; BOOT/reset per Adafruit.
Incomplete or missing handshake in the capture — signal, PMF, 5 GHz clients, or timeout; tune Settings and retest on a lab network you control.
Educational and authorized security testing only. Sending deauthentication traffic or capturing handshakes on networks you are not allowed to test is illegal in many jurisdictions.
Built with the Arduino-ESP32 core. Raw WiFi frame techniques owe a debt to community work such as Jeija / esp32-80211-tx.
GHOST is free and open source. If it's been useful, a tip is always appreciated but never expected.



