├── .gitignore
├── README.md
├── babel.config.js
├── blog
├── 2024-11-28-capibarazero-0-5-1-out.md
└── authors.yml
├── docs
├── esp32_s3
│ ├── _category_.json
│ ├── appsjs
│ │ ├── API.md
│ │ ├── _category_.json
│ │ ├── display_color.md
│ │ ├── load_script.md
│ │ └── widget_type.md
│ ├── badusb
│ │ ├── _category_.json
│ │ ├── getting_started.md
│ │ └── run_payload.md
│ ├── bluetooth
│ │ ├── _category_.json
│ │ ├── ble_sniffer.md
│ │ ├── ble_spam
│ │ │ ├── _category_.json
│ │ │ ├── apple_juice.md
│ │ │ ├── fastpair_ble_spam.md
│ │ │ ├── samsung_ble_spam.md
│ │ │ └── swiftpair_ble_spam.md
│ │ └── hid_attack.WIP
│ ├── boards
│ │ ├── ArduinoNanoESP32.md
│ │ ├── ESP32S3.md
│ │ ├── LilyGo_T_Embed_CC1101.md
│ │ ├── _category_.json
│ │ ├── box
│ │ │ ├── Box.md
│ │ │ └── _category_.json
│ │ └── getting_started.md
│ ├── development
│ │ ├── _category_.json
│ │ ├── code_structure.md
│ │ └── new_porting.md
│ ├── installation
│ │ ├── _category_.json
│ │ ├── from_release.md
│ │ ├── from_source.md
│ │ └── web_flasher.md
│ ├── ir
│ │ ├── _category_.json
│ │ ├── emulate_signal.md
│ │ ├── rc_emulator.md
│ │ └── record_signal.md
│ ├── network_attacks
│ │ ├── _category_.json
│ │ ├── arp_poisoner.mdx
│ │ ├── dhcp_starvation.md
│ │ └── evilportal.md
│ ├── nfc
│ │ ├── _category_.json
│ │ ├── clone_tag.WIP
│ │ ├── create_key.md
│ │ ├── dump_tag_sd.md
│ │ ├── emv_read.md
│ │ ├── getting_started.md
│ │ └── write_nfc.md
│ ├── sdcard_structure.md
│ ├── subghz
│ │ ├── _category_.json
│ │ ├── frequency_analyzer.md
│ │ ├── raw_record.md
│ │ └── sender.md
│ └── wifi
│ │ ├── _category_.json
│ │ ├── scan_wifi.md
│ │ └── wifi_sniffer.md
├── intro.md
└── sbc_linux
│ ├── _category_.json
│ ├── bluetooth
│ ├── _category_.json
│ ├── ble_scan.md
│ ├── ble_sniffer.WIP
│ ├── ble_spam
│ │ ├── _category_.json
│ │ ├── apple_juice.md
│ │ ├── fastpair_ble_spam.md
│ │ ├── samsung_ble_spam.WIP
│ │ └── swiftpair_ble_spam.md
│ └── hid_attack.WIP
│ ├── installation
│ ├── _category_.json
│ └── installation.md
│ ├── intro.md
│ ├── ir
│ ├── _category_.json
│ ├── emulate_signal.md
│ └── record_signal.md
│ ├── network_attacks
│ ├── _category_.json
│ ├── arp_scanner.md
│ └── dhcp_starvation.md
│ ├── nfc
│ ├── _category_.json
│ ├── clone_tag.WIP
│ └── getting_started.md
│ └── wifi
│ ├── _category_.json
│ ├── beacon_spam.md
│ ├── evilportal.md
│ ├── monitor_mode.md
│ ├── scan_wifi.md
│ └── wifi_sniffer.md
├── docusaurus.config.ts
├── package-lock.json
├── package.json
├── scheme
├── GMT020-02 TFT Display.fzpz
├── board.fzz
├── capibara_arduino_nano_esp32.fzz
└── esp32_s3_fritzing_part
│ └── Untitled Sketch 3_bb.svg
├── sidebars.ts
├── src
├── components
│ └── mac_to_json.jsx
├── css
│ └── custom.css
└── pages
│ └── index.md
├── static
├── .nojekyll
├── .well-known
│ └── matrix
│ │ └── server
├── example_config
│ ├── arp_poisoner
│ │ └── example.json
│ └── dhcp_glutton
│ │ └── config.json
└── img
│ ├── boards
│ ├── arduino_nano_esp32.png
│ ├── arduino_nano_esp32_breadboard.png
│ ├── board_bb.png
│ ├── esp32_s3_devkitc.png
│ └── lilygo_t_embed_cc1101.png
│ ├── favicon.ico
│ ├── logo.png
│ ├── screens
│ ├── badusb
│ │ └── badusb_file_explorer.png
│ ├── network_attacks
│ │ ├── dhcp_glutton.png
│ │ └── evilportal.png
│ ├── nfc
│ │ ├── bruteforce_tag.png
│ │ └── dump_tag.png
│ ├── wifi
│ │ ├── wifi_details.png
│ │ ├── wifi_network_save.png
│ │ └── wifi_sniff.png
│ └── wifi_scanning.png
│ ├── undraw_docusaurus_mountain.svg
│ ├── undraw_docusaurus_react.svg
│ └── undraw_docusaurus_tree.svg
└── tsconfig.json
/.gitignore:
--------------------------------------------------------------------------------
1 | # Dependencies
2 | /node_modules
3 |
4 | # Production
5 | /build
6 |
7 | # Generated files
8 | .docusaurus
9 | .cache-loader
10 |
11 | # Misc
12 | .DS_Store
13 | .env.local
14 | .env.development.local
15 | .env.test.local
16 | .env.production.local
17 |
18 | npm-debug.log*
19 | yarn-debug.log*
20 | yarn-error.log*
21 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CapibaraZero docs
2 |
3 | This is the repository for the capibaraZero documentation. It's built with Docusaurus and hosted on GitHub Pages.
--------------------------------------------------------------------------------
/babel.config.js:
--------------------------------------------------------------------------------
1 | module.exports = {
2 | presets: [require.resolve('@docusaurus/core/lib/babel/preset')],
3 | };
4 |
--------------------------------------------------------------------------------
/blog/2024-11-28-capibarazero-0-5-1-out.md:
--------------------------------------------------------------------------------
1 | ---
2 | slug: capibarazero-0-5-1-out
3 | title: CapibaraZero 0.5.1 is out!
4 | authors: andreock
5 | tags: [new_version, firmware, lilygo_t_embed_cc1101]
6 | ---
7 |
8 | The latest release brings new features and new board support!
9 |
10 | Download it and flash it now!
11 |
12 |
13 |
14 | After almost 2 months of development CapibaraZero 0.5.1 is finally out!
15 |
16 | Here is a list of new features:
17 |
18 | - BadUSB: Add support for ATTACKMODE (HID or MSC)
19 | - NFC: Add write and format feature for MIFARE tags
20 | - GUI: Use hardware SPI (makes it faster)
21 | - File browser: Make page scrollable
22 | - Support LilyGo T-Embed CC1101
23 | - Fix various crashes
24 |
25 | ## NFC changes
26 |
27 | You can use a dump from FlipperZero to write your favorite MIFARE tag, or use capibaraZero's file format if you want to customise the key for a specific tag.
28 |
29 | ## GUI changes
30 |
31 | GUI transitions will be smoother, with faster response times.
32 |
33 | ## File browser changes
34 |
35 | CapibaraZero isn't limited to 4-5 files for IR emulator or BadUSB anymore! You can upload as many files as you want without any limit!
36 |
37 | ## LilyGo T-Embed CC1101
38 |
39 | CapibaraZero supports LilyGo T-Embed CC1101! It's a great board with a really nice case and good battery life. Perfect for making a portable capibaraZero without building a PCB or printing a case!
40 |
41 | Join the discussion at:
42 |
43 | - [Matrix](https://matrix.to/#/#capibarazero:capibarazero.com)
44 | - [Discord](https://discord.gg/77f3BHvnhf)
45 |
--------------------------------------------------------------------------------
/blog/authors.yml:
--------------------------------------------------------------------------------
1 | andreock:
2 | name: Andrea Canale
3 | title: Maintainer of CapibaraZero
4 | url: https://github.com/andreock
5 | image_url: https://github.com/andreock.png
--------------------------------------------------------------------------------
/docs/esp32_s3/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "ESP32-S3",
3 | "position": 2,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "capibaraZero docs for ESP32-S3 platform"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/docs/esp32_s3/appsjs/API.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 2
3 | title: API
4 | ---
5 |
6 | # JS API for the scripts section
7 |
8 | ## WiFi
9 |
10 | ---
11 | - ``` wifi_scan() ```
12 |
13 | **Description: Start a scan and return result**
14 |
15 | **Return: JSON string with scan result**
16 |
17 | ---
18 |
19 | - ``` wifi_sniff(delay, path) ```
20 |
21 | **Description: Start a sniff and save pcap to path**
22 |
23 | **Params:**
24 | - Delay: Time between switching channels
25 | - Path: Path where the PCAP is saved
26 |
27 | **Return: null**
28 |
29 | ---
30 |
31 | - ``` wifi_sniffer_stop() ```
32 |
33 | **Description: Stop the sniffer**
34 |
35 | **Return: null**
36 |
37 | ## BadUSB
38 |
39 | - ```init_badusb() ```
40 |
41 | **Description: Initialize ESP USB as HID**
42 |
43 | **Return: null**
44 |
45 | ---
46 |
47 | - ```init_msc(vendor_id, product_id, product_rev) ```
48 |
49 | **Description: Initialize ESP USB as MSC**
50 |
51 | **Params (optional):**
52 | - Vendor ID: Vendor ID for HID interface
53 | - Product ID: Product ID for HID interface
54 | - Product revision: Product revision for HID interface
55 |
56 | **Return: null**
57 |
58 | ---
59 |
60 | - ```print_string(str) ```
61 |
62 | **Description: Send string to connected device**
63 |
64 | **Params:**
65 | - str: String that will be written on the connected device
66 |
67 | **Return: null**
68 |
69 | ---
70 |
71 | - ```mouse_press() ```
72 |
73 | **Description: Send click to PC**
74 |
75 | **Return: null**
76 |
77 | ---
78 |
79 | - ```mouse_set_coordinate(x, y) ```
80 |
81 | **Description: Set the mouse position**
82 |
83 | **Params:**
84 | - x: X position
85 | - y: Y position
86 |
87 | **Return: null**
88 |
89 | ---
90 |
91 | - ```release(key) ```
92 |
93 | **Description: Release a key**
94 |
95 | **Params:**
96 | - key: Key code of key to release
97 |
98 | **Return: null**
99 |
100 | ---
101 |
102 | - ```release_all() ```
103 |
104 | **Description: Release all keys**
105 |
106 | **Return: null**
107 |
108 | ---
109 |
110 | - ```press(key) ```
111 |
112 | **Description: Press a key**
113 |
114 | **Params:**
115 | - Key: Char code of the key to press
116 |
117 | **Return: null**
118 |
119 | ---
120 |
121 | - ```press_raw(key) ```
122 |
123 | **Description: Press a raw key**
124 |
125 | **Params:**
126 | - Key: Key code to press
127 |
128 | **Return: null**
129 |
130 | ## BLE
131 |
132 |
133 | - ``` init_ble_js() ```
134 |
135 | **Description: Initialize BLE stack**
136 |
137 | **Return: null**
138 |
139 | ---
140 |
141 | - ``` start_applejuice() ```
142 |
143 | **Description: Start AppleJuice attack**
144 |
145 | **Return: null**
146 |
147 | ---
148 |
149 | - ``` start_fastpair() ```
150 |
151 | **Description: Start FastPair attack**
152 |
153 | **Return: null**
154 |
155 | ---
156 | - ``` start_swift_pair() ```
157 |
158 | **Description: Start SwiftPair attack**
159 |
160 | **Return: null**
161 |
162 | ---
163 | - ``` sniff_ble() ```
164 |
165 | **Description: Start a BLE Sniffer**
166 |
167 | **Return: null**
168 |
169 | ---
170 | - ``` randomize_mac_addr() ```
171 |
172 | **Description: Randomize BLE MAC Address**
173 |
174 | **Return: null**
175 |
176 | ## GUI
177 |
178 | Some GUI primitives to create interactive application.
179 |
180 | - ```create_text_widget(text_color, str, size, text_wrap, x_pos, y_pos, display) ```
181 |
182 | **Description: Create and show a Text widget**
183 |
184 | **Params:**
185 | - Text color: Color of the text. Please follow this [table](/docs/esp32_s3/appsjs/display_color) to put the correct value.
186 | - String: Text to be printed on the display
187 | - Size(integer): Text size.
188 | - Text wrap(boolean): If the string doesn't fit in the width of the display, the text will be wrapped.
189 | - X position(integer): Coordinate on the X axis where the text is placed
190 | - Y position(integer): Coordinate on the Y axis where the text is placed
191 | - Display(boolean): Whether to display the text or not
192 |
193 | **Return: A Text object**
194 |
195 | ---
196 |
197 | - ```set_text(text_ptr, str) ```
198 |
199 | **Description: Set text of a Text widget**
200 |
201 | **Params:**
202 | - Text ptr: Pointer to the Text widget. Can be found in `text.ptr` assuming `text` is the variable where you store the text widget.
203 | - String: Text to be written in the widget
204 |
205 | **Return: null**
206 |
207 | ---
208 |
209 | - ```text_set_position(text_ptr, x, y) ```
210 |
211 | **Description: Set position of a Text widget**
212 |
213 | **Params:**
214 | - Text ptr: Pointer to the Text widget. Can be found in `text.ptr` assuming `text` is the variable where you store the text widget.
215 | - X pos: X position where the widget will be moved
216 | - Y pos: Y position where the widget will be moved
217 |
218 | **Return: null**
219 |
220 | ---
221 |
222 | - ```create_grid_widget(rows, cols) ```
223 |
224 | **Description: Create and show a Grid widget**
225 |
226 | **Params:**
227 | - Rows: Rows in the grid container
228 | - Cols: Cols in the grid container
229 |
230 | **Return: A Grid object**
231 |
232 | ---
233 |
234 | - ```grid_add_widget(widget_ptr) ```
235 |
236 | **Description: Add a generic widget to the grid**
237 |
238 | **Params:**
239 | - Widget pointer: A pointer reference to the widget (can be found under the ptr property of a widget object)
240 |
241 | **Return: null**
242 |
243 | ---
244 |
245 | - ```grid_set_selected(pos, status) ```
246 |
247 | **Description: Move the selection to specified position**
248 |
249 | **Params:**
250 | - Position(number): Index of the widget to be selected
251 | - Status(boolean): Whether to select or deselect the widget
252 |
253 | **Return: null**
254 |
255 | ---
256 |
257 | - ```grid_set_y_spacing(y_spacing) ```
258 |
259 | **Description: Set grid vertical spacing**
260 |
261 | **Params:**
262 | - Y spacing(integer): Y(vertical) spacing
263 |
264 | **Return: null**
265 |
266 | ---
267 |
268 | - ```grid_set_space_betweem(space_between) ```
269 |
270 | **Description: Set grid horizontal spacing**
271 |
272 | **Params:**
273 | - space_between(integer): Horizontal spacing
274 |
275 | **Return: null**
276 |
277 | ---
278 |
279 | - ```grid_display() ```
280 |
281 | **Description: Display the grid**
282 |
283 | **Return: null**
284 |
285 | ---
286 |
287 | - ```create_list_widget(text, font_size, font_color, height, rect_color, uid) ```
288 |
289 | **Description: Create a List(button) widget**
290 |
291 | **Params:**
292 | - Text(string): Text that will be shown inside the button
293 | - Font size(number): Font size for the text
294 | - Font color(Color): [ST7789 color](/docs/esp32_s3/appsjs/display_color.md) for the Text
295 | - Height(number): Height of the widget
296 | - Rect color(Color): Color of the widget
297 | - Unique ID: ID for your widget. MUST BE UNIQUE. It will be used to call the callback.
298 |
299 | **Return: null**
300 |
301 | You can create the callback using this snippet:
302 |
303 | ```js
304 | global.LIST_UID_on_click = function () { // Replace with your real UID
305 | // Your JS code
306 | }
307 | ```
308 |
309 | When the list widget is clicked, this function will be called.
310 |
311 | ---
312 |
313 | - ```goto_main_gui() ```
314 |
315 | **Description: Close current app and return to main page**
316 |
317 | **Return: null**
318 |
319 | ## IO
320 |
321 | - ```pinMode(pin, mode) ```
322 |
323 | **Description: JS port of arduino-esp32 pinMode**
324 |
325 | **Return: null**
326 |
327 | ---
328 |
329 | - ```digitalWrite(pin, value) ```
330 |
331 | **Description: JS port of arduino-esp32 digitalWrite**
332 |
333 | **Return: null**
334 |
335 | ---
336 |
337 | - ```digitalRead(pin) ```
338 |
339 | **Description: JS port of arduino-esp32 digitalRead**
340 |
341 | **Return: uint16**
342 |
343 | ---
344 |
345 | - ```print(str) ```
346 |
347 | **Description: JS wrapper for Serial.println()**
348 |
349 | **Return: null**
350 |
351 | ---
352 |
353 | - ```now() ```
354 |
355 | **Description: Return milliseconds from MCU startup**
356 |
357 | **Return: uint32**
358 |
359 | ---
360 |
361 | - ```delay(time) ```
362 |
363 | **Description: JS wrapper for delay()**
364 |
365 | **Return: null**
366 |
367 | ## IR
368 |
369 | ---
370 | - ``` init_ir() ```
371 |
372 | **Description: Initialize IR stack**
373 |
374 | **Return: null**
375 |
376 | ---
377 | - ``` read_ir() ```
378 |
379 | **Description: Read IR signal**
380 |
381 | **Return: null**
382 |
383 | ---
384 | - ``` ir_signal_to_str() ```
385 |
386 | **Description: Return a JSON string of recorded signal**
387 |
388 | **Return: JSON string of recorded signal**
389 |
390 | ---
391 | - ``` send_ir_protocol(protocol, addr, cmd) ```
392 |
393 | **Description: Send an IR signal**
394 |
395 | **Params:**
396 | - Protocol: Protocol number following [this format](http://localhost:3000/docs/ir/emulate_signal#protocol-number)
397 | - Addr: Address
398 | - Cmd: Command
399 |
400 | **Return: null**
401 |
402 |
413 |
414 | ## NFC
415 |
416 | - ```nfc_read_uid_iso14443a() ```
417 |
418 | **Description: Read UID of ISO14443A card**
419 |
420 | **Return: An array representing the UID(4-7 bytes)**
421 |
422 | ## Storage
423 |
424 | - ```write_to_sd(path, str) ```
425 |
426 | **Description: Write a string to a file on the SD card**
427 |
428 | **Params:**
429 | - Path: Path where the file is saved. Must start with "/sd/"
430 | - Str: String to write on file
431 |
432 | **Return: null**
433 |
434 | ---
435 |
436 | - ```read_from_sd(path) ```
437 |
438 | **Description: Read a string from a file on the SD card**
439 |
440 | **Params:**
441 | - Path: Path of the file to read. Must start with "/sd/"
443 |
444 | **Return: String with the content of the file. If the file is missing, an empty string is returned**
445 |
--------------------------------------------------------------------------------
/docs/esp32_s3/appsjs/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "AppsJS",
3 | "position": 8,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "Extend your capibaraZero functionality with AppsJS!"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/docs/esp32_s3/appsjs/display_color.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 3
3 | title: Display colors
4 | ---
5 |
6 | Here is a table with the colors supported by the ST7789 display:
7 |
8 | | Color | Hex | Int value |
9 | |:-------:|:------:| :----: |
10 | | Black | 0x0000 | 0 |
11 | | White | 0xFFFF | 65535 |
12 | | Red | 0xF800 | 63488 |
13 | | Green | 0x07E0 | 2016 |
14 | | Blue | 0x001F | 31 |
15 | | Cyan | 0x07FF | 2047 |
16 | | Magenta | 0xF81F | 63519 |
17 | | Yellow | 0xFFE0 | 65504 |
18 | | Orange | 0xFC00 | 64512 |
19 |
20 | **The int value is the value that JS API needs since JS doesn't support hex.**
--------------------------------------------------------------------------------
/docs/esp32_s3/appsjs/load_script.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 1
3 | title: Load a script
4 | ---
5 |
6 | capibaraZero, from version 0.5.2, supports loading scripts from SD, called AppsJS. They act as applications that bring new features to capibaraZero.
7 |
8 | For those who want to write JS scripts for capibaraZero, AppsJS implements this [API](/docs/esp32_s3/appsjs/API) that works as a layer between capibaraZero's native code and the JS runtime.
9 |
10 | ## Load a script from SD
11 |
12 | To load a script from the SD card you must follow these steps:
13 |
14 | - Create a folder named scripts/ in the root of your SD card
15 | - Place inside that folder the scripts that you want to execute
16 | - Go to the JS section of capibaraZero
17 | - Click on the script that you want to run
--------------------------------------------------------------------------------
/docs/esp32_s3/appsjs/widget_type.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 4
3 | title: Widgets type
4 | ---
5 |
6 | CapibaraZero has some widgets that make it easier to create a GUI. Here is a brief overview of the supported widgets:
7 |
8 | ## Text
9 |
10 | The text widget is the default text widget used in many sections of capibaraZero like WiFi scan, BLE Scan, etc...
11 |
12 | ## Grid
13 |
14 | The grid widget works like a grid container; it's really useful for building a clean UI easily. It requires rows and cols, and you can add widgets dynamically.
15 |
16 | ## List
17 |
18 | The list widget can be seen as a button. It's the default button widget used in every capibaraZero's section.
19 |
20 | In JavaScript you can create the callback using this snippet:
21 |
22 | ```js
23 | global.LIST_UID_on_click = function () { // Replace with your real UID
24 | // Your JS code
25 | }
26 | ```
--------------------------------------------------------------------------------
/docs/esp32_s3/badusb/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "BadUSB",
3 | "position": 5,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "The BadUSB module of capibaraZero"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/docs/esp32_s3/badusb/getting_started.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 1
3 | title: Getting started
4 | ---
5 |
6 | capibaraZero can act as an HID device and supports BadUSB attacks using Rubber Ducky payloads.
7 |
8 | ## Requirements
9 |
10 | - ESP32-S3
11 | - SD Card
12 |
13 | ### Supported keywords
14 |
15 | capibaraZero fully supports DuckyScript™ 1.0 and partially supports 3.0.
16 |
17 | It supports all the keystroke injection commands.
18 |
19 | The following keywords can be used:
20 |
21 | | Keyword | Supported |
22 | | ---------------------- | ------------------ |
23 | | STRING/STRINGLN | :white_check_mark: |
24 | | DELAY | :white_check_mark: |
25 | | DEFAULT_DELAY | :white_check_mark: |
26 | | Cursor keys | :white_check_mark: |
27 | | Modifier keys | :white_check_mark: |
28 | | Lock keys | :white_check_mark: |
29 | | System keys | :white_check_mark: |
30 | | Key modifier combo | :white_check_mark: |
31 | | REM | :white_check_mark: |
32 | | REM_BLOCK | :white_check_mark: |
33 | | WAIT_FOR_BUTTON_PRESS | :warning: |
34 | | BUTTON_DEF | :x: |
35 | | DISABLE_BUTTON | :white_check_mark: |
36 | | ENABLE_BUTTON | :white_check_mark: |
37 | | LED_G/LED_R/LED_OFF | :white_check_mark: |
38 | | Attackmode | :white_check_mark: |
39 | | DEFINE | :white_check_mark: |
40 | | VAR | :white_check_mark: |
41 | | Operators | :x: |
42 | | Conditional statements | :x: |
43 | | Loops | :x: |
44 | | Functions | :x: |
45 | | Randomization | :white_check_mark: |
46 | | Jitter | :white_check_mark: |
47 | | Wait for lock keys | :warning: |
48 |
49 | - Attackmode composite mode (HID + STORAGE) is not available yet
50 | - Wait for lock keys can be parsed but the implementation is not available yet.
51 | - Wait for button press can be parsed but the implementation is not available yet.
52 | - The other keywords (including those not in the table) will be available in the future
53 |
54 | ## Setting keyboard layout
55 |
56 | You can set the keyboard layout by placing the LAYOUT keyword at the beginning of a payload.
57 |
58 | Example
59 |
60 | ```txt
61 | LAYOUT it_IT
62 | PRINTLN Hello, World!
63 | ```
64 |
65 | Supported layouts:
66 |
67 | - de_DE
68 | - es_ES
69 | - fr_FR
70 | - it_IT
71 | - pt_PT
72 | - pt_BR
73 | - sv_SE
74 | - da_DK
75 | - hu_HU
--------------------------------------------------------------------------------
/docs/esp32_s3/badusb/run_payload.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 2
3 | title: Run payload
4 | ---
5 |
6 | To run a payload, first upload the DuckyScript to the SD card under /ducky/. Then go to BadUSB in the CapibaraZero GUI; a file browser opens where you can select the desired payload.
7 |
8 | Once you click the OK button on the selected payload it will be executed, and the GUI will be blocked until it finishes (we will add a stop feature soon).
9 |
10 |
11 |
--------------------------------------------------------------------------------
/docs/esp32_s3/bluetooth/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "The Bluetooth module",
3 | "position": 4,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "The bluetooth module of capibaraZero"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/docs/esp32_s3/bluetooth/ble_sniffer.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 3
3 | title: BLE Sniffer
4 | ---
5 |
6 | The BLE Sniffer of CapibaraZero can sniff BLE advertising packets, retrieve some information from them and save the captured data in a PCAP file readable with Wireshark.
7 |
8 | ## Start the sniffing
9 |
10 | - Go to the Bluetooth attack section of CapibaraZero
11 | - Select BLE sniffer bluetooth
12 | - Choose whether to save the PCAP to the SD card (under /bluetooth) and wait until scanning finishes (60 seconds)
13 |
--------------------------------------------------------------------------------
/docs/esp32_s3/bluetooth/ble_spam/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "BLE spam",
3 | "position": 2,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "Various Bluetooth spam exploit supported by CapibaraZero"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/docs/esp32_s3/bluetooth/ble_spam/apple_juice.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 1
3 | title: AppleJuice
4 | ---
5 |
6 |
7 | AppleJuice is an exploit found by [ECTO-1A](https://github.com/ECTO-1A/AppleJuice) that generates tons of fake Apple device advertising packets. These packets are recognized by real Apple devices like iPhone or iPad and make them crash due to the huge flow of packets that the device must process.
8 | The ESP32 port was made by [RapierXbox](https://github.com/RapierXbox/ESP32-Sour-Apple) and is adapted for CapibaraZero.
9 |
10 | ## Vulnerable iOS versions
11 |
12 | | iOS version | Compatible |
13 | | -------- | ------- |
14 | | iOS 16.x | :x: |
15 | | iOS 17.0 | :white_check_mark: |
16 | | iOS 17.1 | :white_check_mark: |
17 | | iOS 17.2* | :x: |
18 |
19 | *Until iOS 17.2 beta 3 the exploit wasn't fixed
20 |
21 | On newer versions of iOS, some connection popups spawn but the phone doesn't crash anymore.
22 |
23 |
24 | ## Start the attack
25 |
26 | - Go to the Bluetooth attack section of CapibaraZero
27 | - Select BLE spam bluetooth
28 | - Select AppleJuice and start the exploit
29 | - Wait 30 seconds and your iPhone will start to lag and will reboot
30 |
--------------------------------------------------------------------------------
/docs/esp32_s3/bluetooth/ble_spam/fastpair_ble_spam.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 4
3 | title: FastPair BLE spam
4 | ---
5 |
6 | Fast Pair is a fast pairing technology used by Google in Android 6.0 and above and, like other fast pairing systems, it's vulnerable to BLE spam attacks. CapibaraZero's implementation spams only fake Arduino 101 advertisements because it works on every Android version.
7 |
8 | ## Start the attack
9 |
10 | - Go to the Bluetooth attack section of CapibaraZero
11 | - Select BLE spam bluetooth
12 | - Select FastPair BLE spam and start the exploit
13 | - Your Android phone will start to spawn pairing request popups
14 |
--------------------------------------------------------------------------------
/docs/esp32_s3/bluetooth/ble_spam/samsung_ble_spam.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 2
3 | title: Samsung BLE spam
4 | ---
5 |
6 | The Samsung BLE spam attack was discovered by [Spooks4576](https://github.com/Spooks4576/ESP32Marauder) and acts like AppleJuice: it spams tons of fake Galaxy Watch advertisement packets and makes the phone lag a lot. It is adapted for CapibaraZero from [ESP32Marauder](https://github.com/justcallmekoko/ESP32Marauder).
7 |
8 | ## Start the attack
9 |
10 | - Go to the Bluetooth attack section of CapibaraZero
11 | - Select BLE spam bluetooth
12 | - Select Samsung BLE spam and start the exploit
13 | - Your Samsung phone will start to spawn pairing request popups
14 |
--------------------------------------------------------------------------------
/docs/esp32_s3/bluetooth/ble_spam/swiftpair_ble_spam.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 3
3 | title: SwiftPair BLE spam
4 | ---
5 |
6 | Swift Pair is a fast pairing technology used by Microsoft from Windows 10 1803 and, like other fast pairing systems, it's vulnerable to BLE spam attacks. Like AppleJuice and Samsung BLE spam, the attack, discovered by [Spooks4576](https://github.com/Spooks4576/ESP32Marauder), makes your Windows PC spawn pairing requests from fake devices.
7 |
8 | ## Start the attack
9 |
10 | - Go to the Bluetooth attack section of CapibaraZero
11 | - Select BLE spam bluetooth
12 | - Select Samsung BLE spam and start the exploit
13 | - Your Windows PC will start to spawn pairing request popups
14 |
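A detection-side view of the four BLE spam pages above, added here as an example and not part of the CapibaraZero code: all four attacks show up to a passive scanner as many never-seen advertiser addresses of one vendor family appearing within seconds, typically at near-identical signal strength because one radio sends them all. The record shape (`t`, `addr`, `rssi`, `companyId`, `serviceUuid`), the thresholds and the sample capture are assumptions constructed for this example; the company identifiers and the Fast Pair service UUID are Bluetooth SIG assigned numbers.

```javascript
// Added example (not project code): flag BLE advertisement floods.
// Input records are assumed to come from any passive scanner, shaped as
// { t: ms, addr: "aa:bb:..", rssi: dBm, companyId?: number, serviceUuid?: number }.

// Vendor families named on the spam pages, keyed by Bluetooth SIG assigned numbers.
const FAMILIES = [
  { name: "apple", match: (ad) => ad.companyId === 0x004c },
  { name: "microsoft", match: (ad) => ad.companyId === 0x0006 }, // Swift Pair
  { name: "samsung", match: (ad) => ad.companyId === 0x0075 },
  { name: "fastpair", match: (ad) => ad.serviceUuid === 0xfe2c }, // Google Fast Pair
];

function familyOf(ad) {
  const fam = FAMILIES.find((f) => f.match(ad));
  return fam ? fam.name : null;
}

// Upper median; good enough for a clustering check.
function median(values) {
  const s = [...values].sort((a, b) => a - b);
  return s[Math.floor(s.length / 2)];
}

// Returns one alert per family: the first moment at which `minAddrs` distinct
// advertiser addresses were seen inside a sliding window of `windowMs`.
// A genuine device keeps its (private) address for minutes, so it contributes
// one address per window no matter how often it advertises.
function detectAdvFlood(ads, opts = {}) {
  const { windowMs = 10000, minAddrs = 20, rssiBandDb = 5, clusterShare = 0.8 } = opts;
  const windows = new Map(); // family -> advertisements currently in the window
  const alerts = new Map(); // family -> first alert raised
  const sorted = [...ads].sort((a, b) => a.t - b.t);

  for (const ad of sorted) {
    const fam = familyOf(ad);
    if (!fam || alerts.has(fam)) continue;

    const win = windows.get(fam) || [];
    win.push(ad);
    while (win.length && win[0].t < ad.t - windowMs) win.shift();
    windows.set(fam, win);

    // One RSSI sample per address (latest wins) so chatty devices do not dominate.
    const byAddr = new Map();
    for (const a of win) byAddr.set(a.addr, a.rssi);
    if (byAddr.size < minAddrs) continue;

    // Spoofed addresses sent by one radio cluster tightly around one RSSI value;
    // a crowded room of real devices does not.
    const rssis = [...byAddr.values()];
    const mid = median(rssis);
    const share = rssis.filter((r) => Math.abs(r - mid) <= rssiBandDb).length / rssis.length;

    alerts.set(fam, {
      family: fam,
      at: ad.t,
      distinctAddrs: byAddr.size,
      clusteredShare: share,
      likelySingleTransmitter: share >= clusterShare,
    });
  }
  return [...alerts.values()];
}

// Constructed capture: three stable devices advertising once per second for
// 20 s, plus a burst of 40 one-shot "Apple" addresses starting at t = 5 s.
function constructedCapture() {
  const ads = [];
  const stable = [
    { addr: "c0:00:00:00:00:01", companyId: 0x004c, rssi: -71 },
    { addr: "c0:00:00:00:00:02", companyId: 0x0075, rssi: -80 },
    { addr: "c0:00:00:00:00:03", companyId: 0x0006, rssi: -63 },
  ];
  for (let s = 0; s < 20; s++) {
    for (const d of stable) ads.push({ t: s * 1000, ...d });
  }
  for (let i = 0; i < 40; i++) {
    const addr = "4a:00:00:00:00:" + i.toString(16).padStart(2, "0");
    ads.push({ t: 5000 + i * 100, addr, companyId: 0x004c, rssi: -48 + (i % 3) });
  }
  return ads;
}

console.log(JSON.stringify(detectAdvFlood(constructedCapture()), null, 2));
```

The `likelySingleTransmitter` flag is what separates a flood from a busy venue: tune `minAddrs` and `rssiBandDb` against a baseline capture from the environment being monitored.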
--------------------------------------------------------------------------------
/docs/esp32_s3/bluetooth/hid_attack.WIP:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 4
3 | title: HID Attack
4 | ---
5 |
6 | Usually you perform an HID attack using a USB interface, but capibaraZero also supports BLE HID.
7 |
8 | In this way a device can connect to capibaraZero and it will act like an HID interface.
9 |
10 | capibaraZero HID doesn't have any type of Bluetooth PIN, so as soon as a device connects, capibaraZero will start to execute the ducky script.
11 |
12 | ## Configuration
13 |
14 | In the capibaraZero JSON configuration you can set BLE device name, HID manufacturer and battery level.
15 |
16 | By default the following are used:
17 |
18 | - Device name: capibaraZero HID
19 | - HID manufacturer: capibaraZero
20 | - Battery level: 100
21 |
22 | ### Run attack
23 |
24 | - Go in the bluetooth attack section
25 | - Select HID attack
26 | - Connect to capibaraZero and see the ducky script running
27 |
--------------------------------------------------------------------------------
/docs/esp32_s3/boards/ArduinoNanoESP32.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 2
3 | title: Arduino Nano ESP32
4 | ---
5 |
6 |
7 |
8 | | Feature | Specs |
9 | |:-------:|:----------------------------------------------------------------:|
10 | | Module | NORA-W106(ESP32-S3) |
11 | | Flash | 16MB |
12 | | PSRAM | 8MB |
13 | | Screen** | 240x320 |
14 | | SubGHZ | SX1276 |
15 | | Navigation | Navigation button |
16 | | WiFi | :white_check_mark:|
17 | | BLE | :white_check_mark:|
18 | | USB OTG | :white_check_mark:|
19 | | NFC | PN532 |
20 | | Battery chip | TP4057 |
21 |
22 | Here is the breadboard build of CapibaraZero on Arduino Nano ESP32 (photo is outdated):
23 |
24 |
25 |
26 | And here the electrical diagram:
27 |
28 |
29 |
30 | You can also download the original project [here](https://github.com/CapibaraZero/resources/tree/main/electrical_diagram/Arduino_Nano_ESP32)
31 |
32 | ## Arduino Nano ESP32 pinout
33 |
34 | With an Arduino Nano ESP32 board you must use the following pins if you don't want to modify the source code:
35 |
36 | ### SD card
37 |
38 | For the SD card we must use the SPI bus.
39 |
40 | - CS: pin D10
41 | - MOSI: pin D11
42 | - MISO: pin D12
43 | - SCK: pin D13
44 |
45 | ### SX1276
46 |
47 | For the SX1276 we must use the SPI bus. We use the same pins as the SD card, but make sure to change the CS pin since it is the one that identifies the devices on the SPI bus.
48 |
49 | We also need the DIO 1 and DIO 2 pins to receive data from the module in OOK/FSK mode. LoRa™ mode uses SPI to get data.
50 |
51 | - DIO1: pin D0
52 | - NSS: pin D7
53 | - DIO2: pin D1
54 | - MOSI: pin D11
55 | - MISO: pin D9
56 | - SCK: pin D13
57 |
58 | ### PN532
59 |
60 | Make sure to put the PN532 in I2C mode, since that is how we use it. You can also use UART or SPI mode, but you need to change the source code.
61 |
62 | - SCL: pin A6
63 | - SDA: pin A7
64 |
65 | ### Display
66 |
67 | - SCL(SCLK): D4
68 | - RST: Not connected
69 | - SDA(MOSI): D2
70 | - CS: pin D6
71 | - DC: pin D5
72 | - BLK: 3v3
73 |
74 | ### IR
75 |
76 | - Emitter: D3
77 | - Receiver: D8
78 |
79 | ### TP4057
80 |
81 | - BAT+: A0
82 |
83 | ### Buttons
84 |
85 | - Right: pin A1
86 | - Down: pin A2
87 | - OK: pin A3
88 | - Left: pin A4
89 | - Up: pin A5
90 |
--------------------------------------------------------------------------------
/docs/esp32_s3/boards/ESP32S3.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 3
3 | title: ESP32-S3
4 | ---
5 |
6 |
7 |
8 | | Feature | Specs |
9 | |:-------:|:----------------------------------------------------------------:|
10 | | Module | ESP32-S3-WROOM-1U |
11 | | Flash | 16MB |
12 | | PSRAM | :x: |
13 | | Screen** | 240x320 |
14 | | SubGHZ | SX1276 |
15 | | Navigation | Navigation button |
16 | | WiFi | :white_check_mark:|
17 | | BLE | :white_check_mark:|
18 | | USB OTG | :white_check_mark:|
19 | | NFC | PN532 |
20 | | Battery chip | TP4057 |
21 |
22 | ** You can change the screen dimensions in the project config
23 |
24 | Here is the breadboard layout of CapibaraZero on ESP32 S3 DevkitC (photo is outdated):
25 |
26 |
27 |
28 | And here the electrical diagram:
29 |
30 |
31 |
32 | You can also download the original project [here](https://github.com/CapibaraZero/resources/tree/main/electrical_diagram/ESP32-S3-DEVKITC-1)
33 |
34 | ## ESP32-S3 pinout
35 |
36 | With an ESP32-S3 board you must use the following pins if you don't want to modify the source code:
37 |
38 | ### SD card
39 |
40 | For the SD card we must use the SPI bus.
41 |
42 | - CS: pin 13
43 | - MOSI: pin 35
44 | - MISO: pin 37
45 | - SCK: pin 36
46 |
47 | ### SX1276
48 |
49 | For the SX1276 we must use the SPI bus. We use the same pins as the SD card, but make sure to change the CS pin, since it is the one that identifies each device on the SPI bus.
50 |
51 | We also need the DIO1 and DIO2 pins to receive data from the module in OOK/FSK mode. LoRa™ mode uses SPI to get data.
52 |
53 | - NSS: pin 1
54 | - DIO2: pin 15
55 | - DIO1: pin 16
56 | - MOSI: pin 35
57 | - MISO: pin 7
58 | - SCK: pin 37
59 |
60 | ### PN532
61 |
62 | Make sure to put the PN532 in I2C mode, since that is how the firmware uses it. You can also use UART or SPI mode, but you need to change the source code.
63 |
64 | - SDA: pin 8
65 | - SCL: pin 9
66 |
67 | ### Display
68 |
69 | - RST: 4
70 | - DC: pin 5
71 | - CS: pin 10
72 | - SDA(MOSI): pin 11
73 | - SCL(SCLK): pin 12
74 |
75 | ### IR
76 |
77 | - Emitter: 14
78 | - Receiver: 6
79 |
80 | ### TP4057
81 |
82 | - BAT+: 2
83 |
84 | ### Buttons
85 |
86 | - Left: pin 39
87 | - OK: pin 40
88 | - Down: pin 41
89 | - Right: pin 42
90 | - Up: pin 47
91 |
92 |
100 |
107 |
--------------------------------------------------------------------------------
/docs/esp32_s3/boards/LilyGo_T_Embed_CC1101.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 4
3 | title: LilyGo T-Embed CC1101
4 | ---
5 |
6 |
7 |
8 | | Feature | Specs |
9 | |:-------:|:----------------------------------------------------------------:|
10 | | Module | ESP32-S3-WROOM-1U |
11 | | Flash | 16MB |
12 | | PSRAM | 8MB |
13 | | Screen | 320x170 |
14 | | SubGHZ | CC1101 |
15 | | Navigation | Rotary encoder |
16 | | NFC | PN532 |
17 | | Battery chip | BQ27220 |
18 |
19 | CapibaraZero natively supports the LilyGo T-Embed CC1101 from firmware 0.5.1.
20 |
21 | You can download the latest firmware from [here](https://github.com/CapibaraZero/fw/releases)
22 |
23 |
--------------------------------------------------------------------------------
/docs/esp32_s3/boards/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "Boards",
3 | "position": 8,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "Check this section to build your CapibaraZero"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/docs/esp32_s3/boards/box/Box.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: -1
3 | title: Box
4 | ---
5 |
6 | # Official Box enclosure of capibaraZero
7 |
8 | #### Credits
9 |
10 | Thanks to [XyDrive](https://github.com/XyDrive) for his work!
--------------------------------------------------------------------------------
/docs/esp32_s3/boards/box/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "Box",
3 | "position": 1,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "Check this section to build your CapibaraZero"
7 | },
8 | "className": "hidden"
9 | }
10 |
--------------------------------------------------------------------------------
/docs/esp32_s3/boards/getting_started.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 1
3 | title: Getting Started
4 | ---
5 |
6 | Here you can check how to build your capibaraZero. The project currently needs an ESP32-S3 (to enjoy all the features), an SD card socket, 5 push buttons and some external modules that are listed below. Alternatively, you can buy a ready-made board like the [LilyGo T-Embed CC1101](/docs/esp32_s3/boards/LilyGo_T_Embed_CC1101)
7 |
8 |
9 |
22 |
23 | ## External module
24 |
25 | Some features need an external module in order to work:
26 |
27 | - ST7789 display
28 | - NFC(PN532)
29 | - SubGHZ(SX1276)
30 | - IR(IR emitter + receiver)
31 |
32 | After building the capibaraZero board, you must flash the firmware. You can download the latest release from [here](https://github.com/CapibaraZero/fw/releases/)
33 |
--------------------------------------------------------------------------------
/docs/esp32_s3/development/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "Development",
3 | "position": 8,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "More information about CapibaraZero development"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/docs/esp32_s3/development/code_structure.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 1
3 | title: Code structure
4 | ---
5 |
6 | # CapibaraZero's code structure
7 |
8 | ## Feature framework
9 |
10 | Most complex features have a framework that works as a layer between the UI code that launches the attack and the attack code. This makes it easier to fix or improve a single attack.
11 |
12 | This separation also makes the attack code easier to find and to understand. Framework code is typically designed to work without capibaraZero's code, so the framework can be used as a standalone library in any project.
13 |
14 | You can find frameworks used in capibaraZero here:
15 |
16 | - [NFCFramework](https://github.com/CapibaraZero/NFCFramework)
17 | - [IrFramework](https://github.com/CapibaraZero/IrFramework)
18 | - [HID](https://github.com/CapibaraZero/HID)
19 |
20 | Other features only have a library included in the main repository. For example:
21 |
22 | - [Network attacks](https://github.com/CapibaraZero/fw/blob/main/lib/network_attacks/network_attacks.cpp)
23 |
24 | If you are unsure where to add your code, feel free to open an issue on GitHub or write on the Matrix/Discord server.
25 |
26 | ## Attack code
27 |
28 | Every section has corresponding section_attacks.cpp/.hpp files, which are used to start an attack from the framework. The attack code usually also includes tasks, which are needed either to avoid blocking the UI or because they run until they are stopped by the user or by a condition. These tasks, except in rare cases, also control the UI if the content is dynamic (e.g. WiFi scan progress).
29 |
30 | ## UI navigation
31 |
32 | The (Feature)Navigation.cpp/.hpp files declare functions that are called from the UI. They are usually wrappers for the attack code, since a UI page requires a void function without parameters.
33 |
34 | ## UI pages
35 |
36 | A UI page is controlled by the Page class, which defines primitives for UI movement (up, down, etc.). All the primitives can be overloaded if the page requires it (for example, we overload the primitives in MainPage).
37 |
38 | Basically, every page is composed of a grid that includes all the widgets that you see on the page. A button calls the callback passed to its constructor, which is usually a void function without parameters from FeatureNavigation.cpp/.hpp
39 |
40 | ## Pins.h
41 |
42 | The file include/pins.h defines all the pins used by CapibaraZero's firmware. If you are planning to port a new board to the firmware, define all its pins in that file, following the names used for the other boards' pins, behind the correct #ifdef macro for your board. If your board doesn't specify a specific flag like the [ESP32-S3 DevkitC](https://github.com/platformio/platform-espressif32/blob/f6ec3926f9f660ee9abada8540ffe1e205da4bbf/boards/esp32-s3-devkitc-1.json), you can define a build_flag in platformio.ini
43 |
44 | To find out whether your board exposes a build_flag, you can check the build_flags for your board [here](https://github.com/platformio/platform-espressif32/tree/develop/boards)
--------------------------------------------------------------------------------
/docs/esp32_s3/development/new_porting.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 2
3 | title: Add a new board support
4 | ---
5 |
6 | # Create a new porting
7 |
8 | capibaraZero was born for the ESP32-S3-DevKitC-1, and that is the only way to use all the features, but you can also port it to other platforms. Here is a short guide that explains the general steps to port capibaraZero to a new platform.
9 |
10 | ## Add a new env to platformio
11 |
12 | In order to add a new platform, you need to create a new environment in platformio.ini for the ESP that you want to port. For an ESP32, for example, you need to create an environment based on your board.
13 |
14 | For example:
15 |
16 | ```ini
17 | [env:lilygo_t_embed_cc1101]
18 | platform = espressif32
19 | framework = arduino ; Must not be changed
20 | board = lilygo-t-display-s3
21 | build_type = debug ; Give better stacktrace for debugging
22 | monitor_filters = esp32_exception_decoder ; Give better stacktrace for debugging
23 | lib_deps =
24 | ${common.lib_deps_builtin} ; FW libraries
25 | ${common.lib_deps_external} ; FW libraries
26 | mathertel/RotaryEncoder@^1.5.3 ; Device specific library
27 | build_flags =
28 | ${common.build_flags} ; FW build flags
29 | -DARDUINO_USB_MODE=1 ; Device flags
30 | -DARDUINO_USB_MSC_ON_BOOT=0 ; Device flags
31 | -DLILYGO_T_EMBED_CC1101=1 ; Describe board. This flag will identify your board in fw code
32 | -DENCODER_NAVIGATION=1 ; Specify navigation(button or encoder)
33 | -DCC1101_SUBGHZ=1 ; Specify SubGHZ chip
34 | ```
35 |
36 | Let's break down this section of platformio.ini:
37 |
38 | - `[env:lilygo_t_embed_cc1101]` is the name of the environment. Please use the name of the board with underscores instead of spaces
39 | - `platform = espressif32` must not be changed if you want to add support for an ESP32 board. If you want to try adding another MCU family, you must change the platform but not the framework
40 | - `board = lilygo-t-display-s3` is the configuration of the board. You can find all supported boards [here](https://registry.platformio.org/platforms/platformio/espressif32/boards)
41 | - `lib_deps` describes the libraries needed for the board. It includes all the libraries needed by the firmware, and you can also add device-specific libraries
42 | - `build_flags` contains all the flags needed by the board. It can be used for safeguards if needed
43 |
44 | Now you may want to try a build. If you are lucky, the build will succeed; otherwise you need to fix the errors to adapt the code ([you may need safeguards](#add-safeguard) to avoid linker errors).
45 |
46 | Generally, if you are building for an ESP32-based platform there shouldn't be any errors, but for ESP8266-based boards you will probably need to change some code.
47 |
48 | ## Add Peripherals code
49 |
50 | Since some boards need specific code for proper initialization, we decided to separate every board into a different C++ class. These classes can be found [here](https://github.com/CapibaraZero/fw/tree/main/lib/Peripherals)
51 |
52 | Each Peripherals class has three methods:
53 |
54 | - `init_i2c_bus()`: Initialize the I2C bus. It may be needed if you have multiple devices on the same bus.
55 | - `init_sd()`: Initialize SD card.
56 | - `init_navigation()`: Initialize navigation buttons/encoder.
57 |
58 | In order to add a board you need to follow these steps:
59 |
60 | - Create a new pinout header under `include/boards/BOARD_NAME/pins.h`. BOARD_NAME must match the board environment name from platformio.ini
61 | - Add the pinout to `include/pins.h`. Remember to use the right build_flag for your board
62 | - Create a folder under `lib/Peripherals` named after the board environment name from platformio.ini
63 | - Create a new class in the folder you created, named with this convention: `Peripherals_BOARD_NAME`. You can copy the template class from ESP32-S3-DevKitC. Remember to change all the #ifdef header safeguards to use your build_flag
--------------------------------------------------------------------------------
/docs/esp32_s3/installation/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "Installation",
3 | "position": 2,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "Flashing CapibaraZero to your device, both manually and using the web flasher"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/docs/esp32_s3/installation/from_release.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 2
3 | title: From Release
4 | ---
5 |
6 | ## Requirements:
7 |
8 | - Python3
9 | - esptool
10 |
11 | esptool is a Python module which is installed through `pip3 install esptool`.
12 |
13 | ## Obtain From Release
14 |
15 | 1. Navigate to the firmware releases tab on GitHub: [releases](https://github.com/CapibaraZero/fw/releases/) and select the version you want to install.
16 | 2. Download the release zip for the device you have.
17 | 3. Unzip the downloaded file, and open a terminal in the newly created folder.
18 |
19 | ## Install
20 |
21 | ```bash
22 | python3 -m esptool --chip esp32s3 --port UPLOAD_PORT --baud 460800 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 80m --flash_size detect 0x0000 bootloader.bin 0x8000 partitions.bin 0xe000 boot_app0.bin 0x10000 firmware.bin
23 | ```
24 |
--------------------------------------------------------------------------------
/docs/esp32_s3/installation/from_source.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 3
3 | title: From Source
4 | ---
5 |
6 | ## Requirements:
7 |
8 | :::warning
9 |
10 | It is strongly advised to use baremetal **Linux**, or **WSL**, for installing from source.
11 |
12 | :::
13 |
14 | - Python3
15 | - [Platformio](https://platformio.org/)
16 | - GNU Bison
17 | - Flex
18 |
19 | Platformio can also be installed as a python package, requiring python 3 to be available:
20 | `python3 -m pip install -U platformio`
21 |
22 | GNU Bison and Flex can be installed with your Linux package manager of choice (apt/pacman)
23 |
24 | ## Source Code:
25 |
26 | Source code can be found in the official Capibara Zero firmware repository on GitHub. [Source](https://github.com/CapibaraZero/fw)
27 |
28 | To obtain the source code for a particular release, it can be downloaded from the [releases page](https://github.com/CapibaraZero/fw/releases/).
29 |
30 | ## Install:
31 |
32 | :::info
33 |
34 | If you installed platformio from Python pip, you may need to run `python3 -m platformio run` instead of `pio run`.
35 |
36 | :::
37 |
38 | ```bash
39 | # Init NFC libs
40 | bash init_libs.sh
41 |
42 | pio run
43 | # OR python3 -m platformio run
44 |
45 | # To upload firmware
46 | pio run -t upload
47 | ```
48 |
--------------------------------------------------------------------------------
/docs/esp32_s3/installation/web_flasher.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 1
3 | title: Web Flasher
4 | ---
5 |
6 | CapibaraZero has a convenient web flasher found at [flash.capibarazero.com](https://flash.capibarazero.com).
7 |
8 | You must select the device you are using, as well as the version of the firmware you wish to install. Follow through the steps as prompted.
9 |
10 | :::warning
11 |
12 | Web flasher works **only** with Chromium-based browsers such as Google Chrome and Microsoft Edge.
13 |
14 | :::
15 |
16 |
17 | ## Known Issues
18 |
19 | `failed to execute 'open' on 'serialport': failed to open serial port`
20 |
21 | This is known to affect Linux users. The solution is to run the following command, which gives the user read/write access to the USB device:
22 | ```bash
23 | sudo setfacl -m u:$USER:rw /dev/ttyACM0
24 | ```
25 |
--------------------------------------------------------------------------------
/docs/esp32_s3/ir/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "IR",
3 | "position": 5,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "The IR section of CapibaraZero"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/docs/esp32_s3/ir/emulate_signal.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 2
3 | title: Emulate Signal
4 | ---
5 |
6 | # Emulate Signal
7 |
8 | CapibaraZero is able to emulate many protocols, as well as RAW signals that cannot be decoded by the capibaraZero.
9 |
10 | Upload the signals that you want to emulate to your SD card under /IR/signals
11 |
12 | # Requirements
13 |
14 | - ESP32-S3
15 | - IR transmitter
16 | - SD card
17 |
18 | ## Signal file format
19 |
20 | ```json
21 | {
22 | "protocol": 8,
23 | "address": 32989,
24 | "command": 151,
25 | "number_of_bits": 32,
26 | "extra": 0,
27 | "decoded_raw_data": 1754759389,
28 | "raw_len": 3,
29 | "raw_data": [
30 | 181,
31 | 44,
32 | 11
33 | ]
34 | }
35 | ```
36 |
37 | ### Protocol number:
38 |
39 | | Keyword | Protocol Number |
40 | | -------------------- | ------------------------ |
41 | | NEC | 8 |
42 | | NEC2 | 9 |
43 | | Onkyo | 10 |
44 | | Apple | :x: |
45 | | Denon | 4 |
46 | | Sharp | 22 |
47 | | Panasonic | 11 |
48 | | Kaseikyo | 12 |
49 | | Kaseikyo Denon | 13 |
50 | | Kaseikyo JVC | 15 |
51 | | Kaseikyo Mitsubishi | 16 |
52 | | Kaseikyo Sharp | 14 |
54 | | JVC | 5 |
55 | | LG | 6 |
56 | | LG2 | 7 |
57 | | RC5 | 17 |
58 | | RC6 | 18 |
59 | | Samsung | 19 |
60 | | Samsung48 | 21 |
61 | | SamsungLG | 20 |
62 | | Sony | 23 |
63 | | Pulse Distance | 2 |
64 | | Pulse Width | 1 |
65 | | BoseWave | 25 |
66 | | Bang & Olufsen | 24 |
67 | | Lego | 26 |
68 | | FAST | 29 |
69 | | Whynter | 30 |
70 | | MagiQuest | :x: |
71 |
72 | ### Address and Command
73 |
74 | Address and command are required for the following protocols: NEC, NEC2, Onkyo, Denon, Kaseikyo (all vendors), LG, LG2, Panasonic, RC5, Samsung (all), Sharp and Sony
75 |
76 | ### Number of bits
77 |
78 | Number of bits is required for the following protocols: Bang & Olufsen, JVC, Lego, RC6 and Whynter
79 |
80 | ### Extra
81 |
82 | Extra is required only for Kaseikyo
83 |
84 | ### Decoded Raw Data
85 |
86 | Decoded raw data is required for the following protocols: Bang & Olufsen, JVC, Lego, RC6 and Whynter
87 |
88 | ### Raw length
89 |
90 | Raw length is required by Pulse Width, Pulse Distance and RAW signals.
91 |
92 | ### Raw data
93 |
94 | Raw data is required by Pulse Width, Pulse Distance and RAW signals.
95 |
96 | ### Signals list
97 |
98 | ```json
99 | [
100 | {
101 | "protocol": 8,
102 | "address": 32989,
103 | "command": 151,
104 | "number_of_bits": 32,
105 | "extra": 0,
106 | "decoded_raw_data": 1754759389,
107 | "raw_len": 3,
108 | "raw_data": [
109 | 181,
110 | 44,
111 | 11
112 | ]
113 | },
114 | {
115 | "protocol": 9,
116 | "address": 32989,
117 | "command": 159,
118 | "number_of_bits": 32,
119 | "extra": 0,
120 | "decoded_raw_data": 1754759312,
121 | "raw_len": 3,
122 | "raw_data": [
123 | 181,
124 | 44,
125 | 15
126 | ]
127 | }
128 | ]
129 | ```
130 |
131 | CapibaraZero's signal emulator also supports an array of signals like the one above. It will send all the signals in the array consecutively.
132 |
133 | ### Notes
134 |
135 | IR signals captured by the capibaraZero have all of these properties even when they are not used.
136 |
137 | For protocols that don't support one or more properties, such as RAW or Pulse Width/Distance, the unused properties are set to 0.
138 |
139 | If you are creating a signal, it's better not to include unused properties.
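The per-protocol requirements listed above can be checked before a file is copied to the SD card. The following checker is an added example, not part of the CapibaraZero firmware: the function names, the decision to apply `extra` to every Kaseikyo vendor, and the `raw_len` versus `raw_data` length check are assumptions, and the sample files are constructed.

```python
import json

# Protocol numbers are copied from the "Protocol number" table on this page.
ADDRESS_COMMAND = {4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 22, 23}
BITS_AND_DECODED = {5, 18, 24, 26, 30}  # JVC, RC6, Bang & Olufsen, Lego, Whynter
KASEIKYO = {12, 13, 14, 15, 16}         # assumption: "extra" applies to every Kaseikyo vendor
RAW_TIMING = {1, 2}                     # Pulse Width, Pulse Distance; RAW has no number in the table
KNOWN = ADDRESS_COMMAND | BITS_AND_DECODED | RAW_TIMING | {25, 29}  # plus BoseWave and FAST
INTEGER_FIELDS = ("address", "command", "number_of_bits", "extra",
                  "decoded_raw_data", "raw_len")


def required_fields(protocol):
    """Return the properties the page lists as required for a protocol number."""
    fields = []
    if protocol in ADDRESS_COMMAND:
        fields += ["address", "command"]
    if protocol in BITS_AND_DECODED:
        fields += ["number_of_bits", "decoded_raw_data"]
    if protocol in KASEIKYO:
        fields.append("extra")
    if protocol in RAW_TIMING:
        fields += ["raw_len", "raw_data"]
    return fields


def is_uint(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return type(value) is int and value >= 0


def check_signal(signal, index):
    """Return a list of problems found in one signal object."""
    where = f"signal {index}"
    if not isinstance(signal, dict):
        return [f"{where}: not a JSON object"]
    protocol = signal.get("protocol")
    if not is_uint(protocol) or protocol not in KNOWN:
        return [f"{where}: unknown protocol {protocol!r}"]
    problems = [f"{where}: missing {field}"
                for field in required_fields(protocol) if field not in signal]
    for field in INTEGER_FIELDS:
        if field in signal and not is_uint(signal[field]):
            problems.append(f"{where}: {field} is not a non-negative integer")
    if protocol in RAW_TIMING and "raw_data" in signal:
        raw = signal["raw_data"]
        if not isinstance(raw, list) or not all(is_uint(v) for v in raw):
            problems.append(f"{where}: raw_data is not a list of non-negative integers")
        elif "raw_len" in signal and signal["raw_len"] != len(raw):
            # Assumption: raw_len is the number of entries in raw_data.
            problems.append(f"{where}: raw_len does not match raw_data length")
    return problems


def check_file(text):
    """Validate a signal file holding one signal object or an array of them."""
    try:
        document = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"invalid JSON at line {err.lineno}: {err.msg}"]
    signals = document if isinstance(document, list) else [document]
    problems = []
    for index, signal in enumerate(signals):
        problems += check_signal(signal, index)
    return problems


# Constructed sample files.
SINGLE_OK = '{"protocol": 8, "address": 32989, "command": 151}'
MISSING_COMMA = '{\n  "protocol": 8,\n  "extra": 0\n  "decoded_raw_data": 1754759389\n}'
SIGNAL_LIST = json.dumps([
    {"protocol": 5, "address": 1, "command": 2},              # JVC without bits/decoded data
    {"protocol": 2, "raw_len": 4, "raw_data": [181, 44, 11]},  # length mismatch
    {"protocol": 99},                                          # not in the table
])

if __name__ == "__main__":
    for name, text in (("single", SINGLE_OK), ("comma", MISSING_COMMA), ("list", SIGNAL_LIST)):
        print(name, check_file(text) or "ok")
```

A missing comma between two properties is reported as a JSON error with its line number instead of the file failing silently on the device.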
140 |
141 | ### IRDB
142 |
143 | You can find capibaraZero's IRDB at the following [link](https://github.com/CapibaraZero/resources/tree/main/IRDB)
144 |
145 | Contributions are welcome! If you capture a signal that is not available in capibaraZero's IRDB, you can add it to the IRDB GitHub repository: fork the repo, upload the IR file under the right category and open a pull request.
146 |
147 | ## How to emulate an IR signal?
148 |
149 | - Go to the IR section
150 | - Select Emulate Signal
151 | - Select file that you want to emulate
152 | - The capibaraZero will transmit the signal through the IR emitter
153 |
154 | If you have a list of signals, the operation can take some time
--------------------------------------------------------------------------------
/docs/esp32_s3/ir/rc_emulator.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 3
3 | title: RC Emulator
4 | ---
5 |
6 | # RC Emulator
7 |
8 | CapibaraZero can also emulate an entire (or partial) remote controller.
9 |
10 | Upload the RC that you want to emulate to your SD card under /IR/signal_rc
11 |
12 | # Requirements
13 |
14 | - ESP32-S3
15 | - IR transmitter
16 | - SD card
17 |
18 | ## Signal file format
19 |
20 | ```json
21 | [
22 | {
23 | "name": "Off",
24 | "protocol": 7,
25 | "address": 136,
26 | "command": 49157
27 | },
28 | {
29 | "name": "On",
30 | "protocol": 7,
31 | "address": 136,
32 | "command": 49158
33 | }
34 | ]
35 | ```
36 |
37 | ### Name
38 |
39 | The name property gives a name to the command. It's better not to exceed 6 characters for the name, to avoid UI glitches due to the small display size.
40 |
41 | ### Other properties
42 |
43 | For the other properties check here: [IR protocol format](/esp32_s3/ir/emulate_signal.md#signal-file-format)
44 |
45 | ### Notes
46 |
47 | IR signals captured by the capibaraZero have all of these properties even when they are not used.
48 |
49 | For protocols that don't support one or more properties, such as RAW or Pulse Width/Distance, the unused properties are set to 0.
50 |
51 | If you are creating a signal, it's better not to include unused properties.
52 |
53 | The current limit is 8 buttons per file.
54 |
55 | ## How to emulate an RC remote?
56 |
57 | - Go to the IR section
58 | - Select Emulate RC
59 | - Select file that you want to emulate
60 | - The capibaraZero will transmit the signal through the IR emitter when you select a button
--------------------------------------------------------------------------------
/docs/esp32_s3/ir/record_signal.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 1
3 | title: Record Signal
4 | ---
5 |
6 | # Record Signal
7 |
8 | CapibaraZero is able to capture and decode many IR protocols, and it can also work with the RAW protocol.
9 |
10 | A recorded signal can be used for protocol analysis or can be sent by an IR emitter.
11 |
12 | # Requirements
13 |
14 | - ESP32-S3
15 | - IR receiver
16 | - SD card
17 |
18 | ## How to record an IR signal?
19 |
20 | - Go to the IR section
21 | - Select Record Signal
22 | - Put the remote controller near the capibaraZero's IR receiver
23 | - Press the button that you want to record
24 | - Press save when the signal has been received by the capibaraZero
25 |
26 | The recorded signal will be saved under /IR/signals. Make sure that directory exists on the SD card, otherwise saving will fail.
27 |
28 | ### Supported Protocols:
29 |
30 |
31 | | Keyword | Supported |
32 | | -------------------- | ------------------ |
33 | | NEC | :white_check_mark: |
34 | | NEC2 | :white_check_mark: |
35 | | Onkyo | :white_check_mark: |
36 | | Apple | :white_check_mark: |
37 | | Denon | :white_check_mark: |
38 | | Sharp | :white_check_mark: |
39 | | Panasonic | :white_check_mark: |
40 | | Kaseikyo | :white_check_mark: |
41 | | JVC | :white_check_mark: |
42 | | LG | :white_check_mark: |
43 | | LG2 | :white_check_mark: |
44 | | RC5 | :white_check_mark: |
45 | | RC6 | :white_check_mark: |
46 | | Samsung | :white_check_mark: |
47 | | Sony | :white_check_mark: |
48 | | Pulse Distance | :white_check_mark: |
49 | | Pulse Width | :white_check_mark: |
50 | | Pulse Distance Width | :white_check_mark: |
51 | | Hash | :white_check_mark: |
52 | | Pronto | :white_check_mark: |
53 | | BoseWave | :white_check_mark: |
54 | | Bang & Olufsen | :white_check_mark: |
55 | | Lego | :white_check_mark: |
56 | | FAST | :white_check_mark: |
57 | | Whynter | :white_check_mark: |
58 | | MagiQuest | :white_check_mark: |
--------------------------------------------------------------------------------
/docs/esp32_s3/network_attacks/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "The network attacks",
3 | "position": 7,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "The network attacks of CapibaraZero"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/docs/esp32_s3/network_attacks/arp_poisoner.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 3
3 | title: ARP poisoner
4 | ---
5 | import MacToJson from '@site/src/components/mac_to_json';
6 |
7 |
8 | CapibaraZero's ARP poisoner is an implementation of ARP poisoning DoS through the WiFi interface.
9 |
10 | It sends ARP replies in which it announces its own MAC address as the default gateway of the network.
11 |
12 | This attack requires knowing the victim's MAC address and IP address. In addition, the ARP replies will likely update the ARP tables of all hosts in the network.
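On the monitoring side, the behaviour described above appears as ARP replies that bind the gateway IP to a MAC address other than the real gateway's. The following detector is an added example, not part of CapibaraZero: it assumes the operator knows the legitimate gateway IP and MAC, reads tcpdump-style ARP lines, and uses constructed addresses and function names.

```python
import re
from collections import defaultdict

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump-style ARP line,
# keeping the leading timestamp.
ARP_REPLY = re.compile(
    r"^(\S+) .*\bReply (\d{1,3}(?:\.\d{1,3}){3}) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_replies(lines):
    """Yield (timestamp, ip, mac) for every ARP reply; other lines are skipped."""
    for line in lines:
        match = ARP_REPLY.search(line.strip())
        if match:
            yield match.group(1), match.group(2), match.group(3).lower()


def detect_poisoning(lines, gateway_ip, gateway_mac):
    """Return alerts as (timestamp, kind, ip, claimed_mac) tuples.

    gateway-spoof  -- a reply binds the gateway IP to a MAC that is not the trusted one
    binding-change -- any other IP is announced with a MAC different from the first seen
    """
    first_seen = {gateway_ip: gateway_mac.lower()}  # trusted baseline for the gateway
    alerts = []
    for timestamp, ip, mac in parse_replies(lines):
        known = first_seen.setdefault(ip, mac)
        if mac != known:
            kind = "gateway-spoof" if ip == gateway_ip else "binding-change"
            alerts.append((timestamp, kind, ip, mac))
    return alerts


def summarize(alerts):
    """Group alerts by the MAC making the claims, to point at the offending station."""
    grouped = defaultdict(lambda: {"count": 0, "ips": set()})
    for _timestamp, _kind, ip, mac in alerts:
        grouped[mac]["count"] += 1
        grouped[mac]["ips"].add(ip)
    return {mac: {"count": g["count"], "ips": sorted(g["ips"])}
            for mac, g in grouped.items()}


# Constructed capture: the real gateway is 192.168.1.1 at 02:00:00:00:00:01.
SAMPLE_CAPTURE = [
    "10:00:00.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.23, length 28",
    "10:00:00.101000 ARP, Reply 192.168.1.1 is-at 02:00:00:00:00:01, length 28",
    "10:00:05.000000 ARP, Reply 192.168.1.1 is-at 02:00:00:aa:bb:cc, length 28",
    "10:00:05.500000 ARP, Reply 192.168.1.1 is-at 02:00:00:aa:bb:cc, length 28",
    "10:00:06.000000 ARP, Reply 192.168.1.23 is-at 02:00:00:00:00:23, length 28",
    "10:00:06.500000 ARP, Reply 192.168.1.1 is-at 02:00:00:aa:bb:cc, length 28",
    "10:00:07.000000 ARP, Reply 192.168.1.23 is-at 02:00:00:aa:bb:cc, length 28",
]

if __name__ == "__main__":
    found = detect_poisoning(SAMPLE_CAPTURE, "192.168.1.1", "02:00:00:00:00:01")
    for alert in found:
        print(*alert)
    print(summarize(found))
```

Static ARP entries for the gateway on critical hosts, or dynamic ARP inspection on managed switches, prevent the binding from being overwritten in the first place.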
13 |
14 | ## How to make attack
15 |
16 | - Create config.json under the /arp_poisoner path like [this](/example_config/arp_poisoner/example.json), with the SSID and password of the AP to connect to, then the target IP as an array and the target MAC address as an array (convert HEX to decimal as in the example config, since JSON doesn't support HEX).
17 | - Go to NetAt.(Network attacks)
18 | - Select ARPoisoner
19 | - The attack starts to run. You can stop it whenever you want
20 |
21 |
22 | ### Convert MAC to JSON array
23 |
24 | In order to configure ARPoisoner, you need to convert a MAC address in hexadecimal format to a decimal JSON array. Here is a converter that can do the work for you. Enter the MAC in aa:bb:cc:dd:ee:ff or AA:BB:CC:DD:EE:FF form and submit the form.
25 |
26 |
34 |
--------------------------------------------------------------------------------
/docs/esp32_s3/network_attacks/evilportal.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 2
3 | title: EvilPortal
4 | ---
5 |
6 | EvilPortal is an attack that creates an AP with a captive portal and captures all the POST requests made by the login form.
7 |
8 | It can be used to capture the body of POST requests to /login. You must create a webpage like [this](https://github.com/CapibaraZero/EvilPortal/blob/main/example.html) with a form that submits to the /login URL.
9 |
10 | You must upload all the pages to the SD card under the /captive_portal path.
11 |
12 | The CapibaraZero captive portal acts like a web server, so you can upload CSS, JS or other assets.
13 |
14 | ## How to make the attack
15 |
16 | - Upload web pages and resources (CSS, JS) to the SD card under the /captive_portal path
17 | - (Optional) Create config.json under the /captive_portal path like [this](/example_config/dhcp_glutton/config.json) with the SSID and password of the capibaraZero AP
18 | - If you do not provide config.json, capibaraZero will create an AP with the capibaraZero SSID and no password. You can change default_ssid at [this line](https://github.com/CapibaraZero/fw/blob/main/lib/network_attacks/network_attacks.cpp#L31) and recompile the firmware
19 | - Go to NetAt.(Network attacks)
20 | - Select EvilPortal
21 | - Connect to the ESP and log in to the captive portal
22 | - Check the captured packets in the GUI. You can stop whenever you want. Received requests will be printed on the serial port and saved to the SD card under the /captive_portal path
23 |
24 | ## Custom Handler
25 |
26 | If you want to perform a custom action when receiving credentials, you can create a custom handler [here](https://github.com/CapibaraZero/fw/tree/main/lib/captive_portal_callback) and then recompile the firmware.
27 |
28 | ## Custom page
29 |
30 | A custom HTML page must make POST requests to the /login path. capibaraZero will get all the fields in the form.
31 |
32 | ### GUI
33 |
34 |
35 |
--------------------------------------------------------------------------------
/docs/esp32_s3/nfc/_category_.json:
--------------------------------------------------------------------------------
1 | {
2 | "label": "The NFC module",
3 | "position": 6,
4 | "link": {
5 | "type": "generated-index",
6 | "description": "The NFC module of CapibaraZero powered by a PN532"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/docs/esp32_s3/nfc/clone_tag.WIP:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 5
3 | title: Clone tag
4 | ---
5 |
6 |
7 | ### Getting started
8 |
9 | Make sure the PN532 is correctly connected to the ESP board and check that it can be found by the firmware.
10 | Now make sure that you have the right key for both cards if you want to read/write all the sectors, otherwise you will get an authentication error. Save the original card key under /NFC/original.key and the cloned card key under /NFC/cloned.key
11 |
12 | ### Supported cards
13 |
14 | - ISO14443A tag (UID reading only; the UID can then be written to a supported clonable card)
15 | - Mifare Classic and Ultralight
16 | - NTAG2xx
17 | - Felica support is WIP
18 |
19 | ### How to use?
20 |
21 | - Under the NFC menu select clone tag
22 | - Enter the paths of the original and the cloned card keys (e.g. /NFC/original.key) in the prompt
23 | - Put the tag near the PN532 and wait until the tag has been read
24 | - Put the target tag near the PN532, confirm from the CLI that you want to finish the clone and wait until all the sectors have been written.
25 |
26 |
--------------------------------------------------------------------------------
/docs/esp32_s3/nfc/create_key.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 2
3 | title: Create key list to read tag
4 | ---
5 |
6 | # Why do you need a key?
7 |
8 | The key is used to read or write the tag sectors, and it's needed for the read and dump features. Each sector has a Key A and a Key B; more details [here](https://github.com/XaviTorello/mifare-classic-toolkit/blob/master/README.md#Keys). In this section we will see how to save a list of authentication keys on the SD card.
9 |
10 | ## Key format
11 |
12 | The key is composed of 6 bytes written in hexadecimal and allows the NFC reader to read the sectors.
13 |
14 | The key format followed by CapibaraZero(and Mifare app) is the following: FFFFFFFFFFFF
15 |
16 | ### Save key in SD card
17 |
18 | To save keys on the SD card you need to create a file called keys.txt under the path /NFC/. The full path will be: /NFC/keys.txt
19 |
20 | An example can be:
21 |
22 | ```txt
23 | FFFFFFFFFFFF
24 | B4C132439EEF
25 | 7BBEB0C8FB49
26 | 1BC1F6FF32CC
27 | D9D923DAE083
28 | 990AEB52D8AC
29 | 90DEAB425EA5
30 | 40A061DABC43
31 | 43D65DC2363C
32 | 5AFE558BC710
33 | ```
34 |
35 | You can also add comments using the # character.
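
A host-side check for a `/NFC/keys.txt` file before it is copied to the SD card, as an added example that is not part of the CapibaraZero code. It assumes `#` starts a comment that runs to the end of the line and that keys are case-insensitive; `lint_key_list` and the sample input are hypothetical.

```python
import string

HEX_DIGITS = set(string.hexdigits)
KEY_HEX_LEN = 12  # 6 bytes written as 12 hex characters
LOOKALIKES = {"O": "0", "o": "0", "I": "1", "l": "1"}  # common typing/OCR slips

def lint_key_list(text):
    """Return (keys, problems): accepted keys in file order, and (line, message) pairs."""
    keys, problems, seen = [], [], {}
    text = text.lstrip("\ufeff")  # a UTF-8 BOM would otherwise corrupt the first entry
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Assumption: '#' starts a comment that runs to the end of the line.
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue  # blank or comment-only line
        bad = sorted({c for c in entry if c not in HEX_DIGITS})
        if bad:
            msg = "non-hex character(s): " + ", ".join(repr(c) for c in bad)
            hints = [f"{c!r} may be {LOOKALIKES[c]!r}" for c in bad if c in LOOKALIKES]
            if hints:
                msg += " (" + "; ".join(hints) + ")"
            problems.append((lineno, msg))
        elif len(entry) != KEY_HEX_LEN:
            problems.append((lineno, f"expected {KEY_HEX_LEN} hex characters, got {len(entry)}"))
        elif entry.upper() in seen:
            problems.append((lineno, f"duplicate of line {seen[entry.upper()]}"))
        else:
            seen[entry.upper()] = lineno
            keys.append(entry.upper())
    return keys, problems

# Constructed sample input (not a real key list); the first line carries a BOM.
SAMPLE = (
    "\ufeff# default key\n"
    "FFFFFFFFFFFF\n"
    "0a1b2c3d4e5f   # lower case is normalised to upper case\n"
    "0A1B2C3D4E5F\n"
    "0123456789\r\n"
    "ABCDEFO12345\n"
)

if __name__ == "__main__":
    keys, problems = lint_key_list(SAMPLE)
    print("accepted:", keys)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```

Lines reported as problems are left out of the returned key list, so a mistyped entry is caught on the host instead of silently never matching on the device.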
36 |
37 | ### Keys collection
38 |
39 | Here is a list of some NFC key collections:
40 |
41 | [FlipperZero Mifare keys collection](https://github.com/UberGuidoZ/Flipper/tree/main/NFC/mf_classic_dict)
42 |
43 | [MifareClassicTool keys](https://github.com/ikarus23/MifareClassicTool/blob/master/Mifare%20Classic%20Tool/app/src/main/assets/key-files/extended-std.keys)
44 |
--------------------------------------------------------------------------------
/docs/esp32_s3/nfc/dump_tag_sd.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 3
3 | title: Dump a card in the SD
4 | ---
5 |
6 | ### Getting started
7 |
8 | Make sure the PN532 is correctly connected to the ESP board and check that the firmware can find it.
9 |
10 | ## Supported cards
11 |
12 | - Mifare Classic, Ultralight and NTAG2xx
13 | - FeliCa cards
14 |
15 | ## How to read a tag
16 |
17 | - Go to the NFC section
18 | - Select Polling ISO14443A tag for the Mifare or NTAG2xx family; otherwise select Polling ISO18092 for FeliCa cards
19 | - Put the tag near the PN532 reader
20 | - Wait until the PN532 reads the tag details (UID or IDm, PMm and System code)
21 | - Now you can dump the tag. CapibaraZero will try each key you put in the list until it finds the right one for each sector. It will find both Key A and Key B
22 |
23 | The dump will be saved under /NFC/dumps in binary format (useful for analyzing tag data) and JSON format (useful for cloning).
24 |
25 |
--------------------------------------------------------------------------------
/docs/esp32_s3/nfc/emv_read.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 5
3 | title: Read EMV Credit Card
4 | ---
5 |
6 |
7 | :::danger[Warning]
8 | This section is for experimental purposes only and is not meant for any illegal activity/purposes.
9 | We are not responsible for illegal activity carried out with this tool.
10 | :::
11 |
12 | ### Getting started
13 |
14 | Make sure the PN532 is correctly connected to the ESP board and check that the firmware can find it. **The EMV read feature is only supported by the Elechouse PN532; other modules won't work due to a hardware issue.**
15 |
16 | ## Tested EMV Cards
17 |
18 | - MasterCard (tested)
19 |
20 | Other cards may work; please contribute by updating this section if you test a card that is not listed here.
21 |
22 | ## How to read an EMV card
23 |
24 | - Go to the NFC section
25 | - Select Read EMV
26 | - Put your EMV card near the PN532 reader
27 | - Wait until your CapibaraZero has parsed the EMV data
28 |
29 |
--------------------------------------------------------------------------------
/docs/esp32_s3/nfc/getting_started.md:
--------------------------------------------------------------------------------
1 | ---
2 | sidebar_position: 1
3 | title: Getting Started
4 | ---
5 |
6 | # Getting started with NFC
7 |
8 | ## Features
9 |
10 | - Read UID ISO14443A tag
11 | - Read IDm, PMm and System code of FeliCa™ card
12 | - Read block of FeliCa™ card
13 | - MIFARE classic© support
14 | - Bruteforce MIFARE© card
15 | - MIFARE© Ultralight© support
16 | - Read/Write NTAG2xx©
17 | - Dump card to SDCard
18 |
19 |
20 | | Tag type | Read sector* | Write sector | Authentication** |
21 | | ----------------- | ------------------ | ------------------ | ------------------ |
22 | | Mifare classic | :white_check_mark: | :x: | :white_check_mark: |
23 | | Mifare Ultralight | :white_check_mark: | :x: | :x: |
24 | | Felica | :white_check_mark: | :x: | :x: |
25 | | NTAG2xx | :white_check_mark: | :x: | :x: |
26 |
27 | *If reading sectors is supported, dumping to the SD card is possible
28 |
29 | ** If authentication is supported, bruteforce is possible
30 |
31 | Reading the UID is always supported for all ISO14443A tags
32 |
33 | ## Requirements
34 |
35 | - PN532 module
36 | - SDCard
37 |
38 | The NFC module of CapibaraZero can read almost any ISO14443A card (Mifare Classic, Ultralight, etc.) and ISO18092 (FeliCa) cards, but there are some limitations:
39 |
40 | - Writing tags is not implemented yet (both MIFARE and FeliCa)
41 | - Tags with a key different from the default (FFFFFFFFFFFF) will give an authentication error (we will add support for different keys soon)
42 |
43 |