Kashmir54

Cibersecurity blog. CTFs, writeups, electronics and more!

Home Flipper Boards CTF Writeups YouTube View on GitHub

VoyagerRF

A WiFi Devboard based on ESP32 for Flipper Zero.




NOTE: A new version of the board was released. Featuring:

  • WiFi
  • Bluetooth
  • Supports Marauder/Ghost_ESP
  • GPS (new!)
  • NeoPixel LED (new!)
  • Front cover (new!)

Check out the VoyagerRFv2 post.




Page index




Intro

After working on the NRF24 board and checking the range improvement of the external CC1101 with the antenna, I wondered if I can also enhance the WiFi dev module in terms of range, size, and functionality. After hours of design, programming, and research, I produced the VoyagerRF, a multipurpose board with several interesting features such as:

I wanna give a big shoutout to justcallmekoko for the amazing community he is building and for the developement and maintenance of the marauder project. Make sure you check out his YouTube channel.

I have some units in stock. If you are interested in getting the board and other accessories, you can contact me. Check out the last section to see bundles and prices.

Here you have more photos (also in black matte!):




Bundles and Boards

If you are interested in getting the board and other accessories, you can contact me on my email kashmir_54@hotmail.com and I will get back to you!

VoyagerRF Complete Pack / 70€

Available in black or white. Antennas can be black or white, as you prefer.

Includes:


VoyagerRF / 45€

Available in black or white. The antenna can be black or white, as you prefer.

Includes:




Community posts

Thanks for sharing the VoyagerRF over the internet! This little project got some awesome backers posting on reddit about it, go check them out!




Renders, objs and 3D cases.

Many people asked me for the 3D model of the board to start creating some cases, I have uploaded the file and you can download the obj here.

Here are some of the cases created by the community:

Currently I don’t have a 3D case designed by myself, if you create a 3D case, bear in mind the cable for the back antenna and the antenna itself! Also I will be grateful if you could share the 3D model with me or upload it to any of the free platforms (thingiverse or similars), so others can enjoy it. I will place the link and author in this blog.




Tutorials

In this section you can find resource to explore further this little board.


Getting started

What can you do with the VoyagerRF and the rest of the modules in the kit?

Possibilities are limitless! But here I will go over some ideas that you might find interesting and useful in some red teaming tasks.

DISCLAIMER: These tutorials and information are solely for educational purposes and not an intended use of the device. They provide a hands-on experience in the field of cybersecurity and penetration testing. Any illegal use is strictly prohibited. Test on your own environment and with your own gear.


RogueAP / Evilportal

A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker. Wikipedia, Rogue Access Point.

In this case, we can use the VoyagerRF and Marauder firmware to create a RogueAP to log user credentials. Requirements:

Once you have all the requirements set you are good to go.

Steps:

Step 1. Set the configuration files.

You need two files to be placed on the MicroSD card: ap.config.txt and index.html. The first one holds the AP name (the WiFi name) and the second one stores the html code that will be displayed in the captive portal (the webpage that pops up when you connect to the WiFi).

For the ap.config.txt I will use this content:

Google Free Wifi

And for the index.html I have use a login form with Google’s look and feel. You can choose any html you want, in this Github repo you will find many html files created by roshanravan, download it and rename it to index.html .

<!DOCTYPE html>
<html>
<head>
    ...
    <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1">
</head>
<body>
    <div class="login-container">
        <form action="/get" id="email-form-step">
            ...
            <h1>Sign in</h1>
            <h2>Use your Google Account</h2>
            <input name="email" type="text" class="g-input" placeholder="Email" required>
            <input name="password" type="password" class="g-input" placeholder="Password" required>
            <button class="gbtn-primary" type="submit">Next</button>
        </form>
    </div>
</body>
</html>

Step 2. Load the files into the MicroSD card.

Just that, place the two files in the root folder or the MicroSD card

Step 3. Eject the MicroSD card and plug it into the VoyagerRF board.

Step 4. Launch WiFi Marauder app on the flipper with the MicroSD card already plugged in and launch the portal.

Step 5. Test it out on your mobile phone, it will display the captive portal once connected. Here are some examples:

Templates by roshanravan.

We connect to the Wifi Network and the captive portal shows up. Bare in mind that phones and PCs have defenses against these attacks, therefore, do not expect to work on all devices:

As easy as that! If you have any concerns, check out the YouTube video showing these steps!


NRF24 Sniffer: Wireless BadUSB

TBA


WiFi WPA Handshake: catch and crack

TBA


Flashing Marauder on VoyagerRF using web interface

I was curious about the Web Serial API and I also wanted to provide an easy way to update the VoyagerRF. That’s how I ended up creating the new VoyagerRF Flasher web application. Without further ado, let’s see how it works:

NOTE: Perform the update with the board disconnected from the Flipper. Optionally, remove the MicroSD card from the VoyagerRF.

Step 1. Open the website and connect the board holding the ESP32C3 BOOT button (the one on the top with the “B” letter):

Boot button (press, hold, and connect while holding the button, then, release):

Web interface:

Step 2. Select the version you want to flash and select the “USB JTAG/serial debug unit”. The COM number can be different, so don’t worry about that.

Step 3. Now, select “Install VoyagerRF Marauder vX.X.X”

Step 4. Hit next, doesn’t matter if you erase the device, MicroSD card data will remain.

Step 5. Hit “Install” to perform the update

Step 6. Wait for the process to finish. If successful, the following message will be displayed:

Now you can check the version in the reboot option in the ESP32 WiFi Marauder app in your Flipper!


Flashing Marauder on Xiao-ESP32-C3 (Outdated)

WARNING: You better use the Web Flasher I left this tutorial for anybody interested on building the environment.

Are you looking to explore further with the ESP32-C3? Then, let me share with you the flashing process and the different steps needed to shape the Arduino IDE environment.

WARNING: This tutorial is valid for Marauder v0.10.7 or before, version v0.11.0 requires tricky configurations that won't be explained in this page. If you are going to flash the VoyagerRF's ESP32 or connect its USBC to your computer or to a power source, make sure to unplug the VoyagerRF from your flipper in order to avoid malfunctions or data corruption on your Flipper's micro SD card.

Step 1. Install Arduino IDE.

Step 2. Download latests ESP32 Marauder source code and extract the ZIP content in a folder:

Step 3. Go to the folder you have extracted, over esp32_marauder and open esp32_marauder.ino with ArduinoIDE:

ESP32Marauder-0.10.x > esp32_marauder > esp32_marauder.ino

Step 4. Set up the libraries for Marauder:

We will install the firmware from the source code, therefore, we will need the libraries used in the Marauder. To do it, download the libraries as a zip as displayed in the following image:

You gotta do it over all the following requirements:

Then to add the libraries go to the following menu and select the downloaded ZIPs one by one.

Step 5. Install esp32 by Espressif Systems from the Boards Manager:

Currently, I found the ESP32 stable at version 2.0.9. Go to boards, search for esp32 and install version 2.0.9:

Step 6. Modifying platform.txt for ESP32-C3 support:

As stated in the ArduinoIDE setup instructions, you have to modify the platform.txt. To do that, find the esp32 platform.txt on your system. It should be somewhere near this path:

C:\Users\your_user\AppData\Local\Arduino15\packages\esp32\hardware\esp32\2.0.6\platform.txt

Now, add -w to build.extra_flags.esp32c3 option:

build.extra_flags.esp32c3=-w -DARDUINO_USB_MODE=1 -DARDUINO_USB_CDC_ON_BOOT={build.cdc_on_boot} ...

And add -zmuldefs to compiler.c.elf.libs.esp32c3 option:

compiler.c.elf.libs.esp32c3=-zmuldefs -lesp_ringbuf -lefuse -lesp_ipc -ldriver -lesp_pm ...

Save and restart Arduino IDE (if open).

Step 7. Change Micro SD Card pin

In the configs.h, change the MARAUDER_FLIPPER SD_CS definition to pin 4, since the VoyagerRF board is designed to work with CS pin in that GPIO:

// SD DEFINITIONS
#ifdef MARAUDER_V4
  #define SD_CS 12
#endif

#ifdef MARAUDER_V6
  #define SD_CS 12
#endif

#ifdef MARAUDER_KIT
  #define SD_CS 12
#endif

#ifdef MARAUDER_MINI
  #define SD_CS 4
#endif

#ifdef MARAUDER_FLIPPER
  #define SD_CS 4 // Change from 10 to 4 here
#endif

#ifdef ESP32_LDDB
  #define SD_CS 4
#endif

Step 8. Set the board (XIAO-ESP32-C3)

Connect your VoyagerRF board (remember to disconnect it from the Flipper). Go to the boards menu and select the proper model (XIAO-ESP32-C3):

Go over port and select the board that poped up when connected (don’t mind the fingerprint, it will be a little bit random):

The rest of the options are as follow:

Setting Value
USB CDC On Boot (important) Disabled
CPU Frequency 160MHz (WiFi)
Core Debug Level None
Erase All Flash… Disabled
Flash Frequency 80 MHz
Flash Mode QIO
Flash Size 4MB (32Mb)
Partition Scheme Minimal SPIFFS
Upload Speed 921600

Step 9. Hit Compile and Upload and all should run correctly. You should have this output if all went smoothly:

Troubleshooting

Check that the changes on platform.txt are correct and that you have restarted Arduino IDE.

Go to Tools > USB CDC On Boot and set “Disable” so the connection is set on the TX/RX ports instead of the USBC connector in the XIAO-ESP32-C3

Using a Samsung MicroSD card will cause Marauder not to boot, as stated on the official wiki.

Make sure to use 32GB or less MicroSD card, FAT32 file format and NOT to use SanDisk brand (awkward, but the brand counts).

Check the configs.h and make sure that only #define MARAUDER_FLIPPER is uncommented and that you have changed the #define SD_CS 4 as previously described.

Connect the SD card before entering the ESP32 WiFi Marauder app.