ESP32 DIV 2.1

ESP32-S3 WiFi BLE sub-GHz 2.4GHz NRF24 CC1101 PlatformIO ESP32-S3 working
educational purposes only. wireless regulations vary by country. only test on hardware and networks you own or have explicit permission to test.

The ESP32 DIV v2.1 is an open-source multi-band wireless testing toolkit by CiferTech, built around the ESP32-S3. It supports WiFi, BLE, 2.4GHz and Sub-GHz frequencies — designed for wireless testing, signal analysis, jamming research and protocol exploration. The v2.1 is modular — a stable core board with a stackable shield via pogo-pin headers, keeping the device thin and expandable.

MCU: ESP32-S3 — fixes pin conflicts from v1, improved USB support
display: ILI9341 TFT 2.8" + XPT2046 touch controller
power: IP5306 — battery charging + boost converter
USB: CP2102 USB-to-Serial for flashing
storage: MicroSD card slot — logs, scripts, firmware
2.4GHz: 3× NRF24 modules via SPI
sub-GHz: CC1101 module via SPI
LEDs: 4× WS2812 NeoPixels
buttons: 5× tactile switches via PCF8574 I2C expander at 0x27
expansion: Pogo-pin headers — clean shield stacking
firmware: HaleHound-DIV custom port — PlatformIO, ESP32-S3, portrait 240×320

WiFi

Packet Monitor — real-time waterfall, channel hop 1–13
Beacon Spammer — 15 rotating fake SSIDs, randomised MAC
Deauther — broadcast deauth, target from scan list
Probe Sniffer — log probed SSIDs + RSSI per client MAC
WiFi Scanner — scan → deauth or clone to captive portal
Captive Portal — rogue AP + DNS, credential logging to SD
Station Scanner — promiscuous data frame client harvester
Auth Flood — random MAC auth storm, equaliser visualiser

Bluetooth (BLE)

BLE Jammer — flood all advertising channels
BLE Spoofer — scan + clone target advert payload
BLE Beacon — Apple AirDrop / FindMy beacon broadcast
BLE Sniffer — continuous scan, dedup by MAC, RSSI + count
AirTag Detect — FindMy manufacturer data scanner + distance estimate
WhisperPair — CVE-2025-36911 Fast Pair GATT probe
BLE Rubber Ducky — stub (requires BLEHIDDevice lib)
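
How a detector like the "AirTag Detect" entry above can recognise Find My advertisements, as an added example that is not HaleHound-DIV's own code: it walks the advertisement's AD structures, looks for Apple manufacturer data (company ID 0x004C) carrying the offline-finding type 0x12, and estimates range from RSSI. The function names, the sample bytes and the path-loss calibration (-59 dBm at 1 m, exponent 2.0) are assumptions made for illustration.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

struct FindMyHit {
    bool    found;    // an Apple offline-finding (Find My) entry was present
    uint8_t tlv_len;  // length byte of that entry
    uint8_t status;   // first payload byte (status), 0 if the entry is empty
};

// Walk the AD structures ([len][type][data...]) of a raw advertisement payload.
FindMyHit parse_findmy(const uint8_t* adv, size_t n) {
    FindMyHit hit{false, 0, 0};
    for (size_t i = 0; i < n;) {
        size_t len = adv[i];
        if (len == 0 || i + 1 + len > n) break;  // padding or truncated structure
        const uint8_t* ad = adv + i + 1;         // ad[0] = AD type, ad[1..len-1] = data
        // 0xFF = manufacturer data, Apple = 0x004C little-endian, then [type][len][payload] entries
        if (ad[0] == 0xFF && len >= 3 && ad[1] == 0x4C && ad[2] == 0x00) {
            for (size_t j = 3; j + 2 <= len;) {
                size_t l = ad[j + 1];
                if (j + 2 + l > len) break;      // entry overruns the AD structure
                if (ad[j] == 0x12) {             // 0x12 = offline finding
                    hit.found = true;
                    hit.tlv_len = static_cast<uint8_t>(l);
                    hit.status = l ? ad[j + 2] : 0;
                    return hit;
                }
                j += 2 + l;
            }
        }
        i += 1 + len;
    }
    return hit;
}

// Log-distance path-loss estimate in metres; both calibration values are assumed.
double estimate_distance_m(int rssi, int rssi_at_1m = -59, double exponent = 2.0) {
    return std::pow(10.0, (rssi_at_1m - rssi) / (10.0 * exponent));
}

// Constructed samples (key bytes zeroed): a Find My advert and an iBeacon-style advert.
const uint8_t SAMPLE_FINDMY[31]  = {0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19, 0x10};
const uint8_t SAMPLE_IBEACON[30] = {0x02, 0x01, 0x06, 0x1A, 0xFF, 0x4C, 0x00, 0x02, 0x15};

int main() {
    FindMyHit h = parse_findmy(SAMPLE_FINDMY, sizeof SAMPLE_FINDMY);
    std::printf("findmy=%d status=0x%02X ~%.1f m ibeacon=%d\n", h.found, h.status,
                estimate_distance_m(-79), parse_findmy(SAMPLE_IBEACON, sizeof SAMPLE_IBEACON).found);
}
```

The RSSI-to-distance figure is only as good as the calibration; indoors it is best treated as a coarse near/far indicator.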

2.4GHz (NRF24 ×3)

Scanner — 126-channel sweep, bar graph activity display
Spectrum Analyser — waterfall alias of scanner
WLAN Jammer — WiFi ch 1/6/11 + BLE advert + Zigbee
Proto Kill — target WiFi / BLE / Zigbee / broadband sweep

Sub-GHz (CC1101)

Replay Attack — GDO2 raw capture → retransmit via GDO0
Brute Force — 24-bit rolling code exhaustion, 315 / 433 MHz
Jammer — noise burst, freq sweep across 315 / 433 / 868 / 915
Spectrum Analyser — 300–930 MHz sweep, peak-hold display
Saved Profiles — SD card .bin replay library

EAPOL / WPA

EAPOL Capture — deauth-triggered 4-way handshake grab
Save to SD — captured handshakes stored to /eapol/
Browse Saves — on-device capture review
Karma Attack — probe sniffer → auto-spawn matching rogue AP

Firmware / Hardware

Custom PlatformIO port — HaleHound-DIV (ESP32-S3 target)
PCF8574 button driver — confirmed I2C addr 0x27 on M5Shark V2.0
SPI bus arbitration — display / NRF24 ×3 / CC1101 / SD
Splash screen — segfault.solutions logo, 240×320 portrait RGB565 PROGMEM, 10s display with NeoPixel cyan glow
Background image — splash renders as menu background, transparent item overlay
Radio test — boot-time verification of all radios + SD
SD logging — creds, EAPOL captures, SubGHz profiles

The custom firmware is ported from HaleHound-CYD to the ESP32-DIV v2.1 (ESP32-S3). Touch input is replaced with a PCF8574 GPIO expander at the confirmed I2C address 0x27 (specific to the M5Shark V2.0, not 0x20 as documented). The display runs in portrait 240×320 (rotation=2). The SPI bus is arbitrated across the display (HSPI dedicated), the 3× NRF24 modules, the CC1101 and the SD card. The boot splash displays for 10 seconds with a NeoPixel cyan glow, then serves as the menu background image with a transparent item overlay.

target: ESP32-S3, huge_app partition scheme, no PSRAM
build: pio run -e esp32s3-div --target upload
display: SCK=36 MOSI=35 MISO=37 CS=17 DC=16 BL=7 — portrait 240×320, HSPI dedicated
buttons: PCF8574 at 0x27 — SDA=8 SCL=9 — UP=P7 / DOWN=P5 / LEFT=P3(BACK) / RIGHT=P4 / CENTER=P6(SELECT)
NRF24 #1: CSN=4 CE=15
NRF24 #2: CSN=48 CE=47
NRF24 #3: CSN=21 CE=14
CC1101: CS=5 GDO0=6 GDO2=3 — spi symbol renamed in libdep to avoid TFT_eSPI collision
SD: CS=10 Detect=38
IR TX: GPIO14 — shared with NRF24 #3 CE, mutex required · raw replay via IRremoteESP8266
IR RX: GPIO21 — shared with NRF24 #3 CSN · raw capture · NRF24 #3 CSN held HIGH during capture
NeoPixel: GPIO1 — cyan glow on splash, status indicators
splash: segfault.solutions logo — 240×320 portrait RGB565 PROGMEM, also used as menu background
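
| peripheral | signal | gpio | notes |
|---|---|---|---|
| display | SCK | 36 | HSPI dedicated |
| display | MOSI | 35 | |
| display | MISO | 37 | |
| display | CS | 17 | |
| display | DC | 16 | |
| display | BL | 7 | |
| buttons | SDA | 8 | PCF8574 @ 0x27 |
| buttons | SCL | 9 | UP=P7 DOWN=P5 LEFT=P3 RIGHT=P4 CENTER=P6 |
| NRF24 #1 | CSN | 4 | |
| NRF24 #1 | CE | 15 | |
| NRF24 #2 | CSN | 48 | |
| NRF24 #2 | CE | 47 | |
| NRF24 #3 | CSN | 21 | ⚠ shared with IR RX — held HIGH during capture |
| NRF24 #3 | CE | 14 | ⚠ shared with IR TX — mutex required |
| CC1101 | CS | 5 | |
| CC1101 | GDO0 | 6 | |
| CC1101 | GDO2 | 3 | spi renamed to avoid TFT_eSPI collision |
| SD card | CS | 10 | |
| SD card | Detect | 38 | |
| IR | TX | 14 | ⚠ shared with NRF24 #3 CE |
| IR | RX | 21 | ⚠ shared with NRF24 #3 CSN |
| NeoPixel | DATA | 1 | cyan glow on splash, status indicators |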