@rdhrobotics // cybersecurity

RF-Hunter

Wireless Penetration Research Platform

A compact, self-contained ESP8266 + nRF24L01 device with OLED display and hardware keypad. Three independent tools — RF jammer, Wi-Fi deauther, and captive portal harvester — unified under a single launcher UI. Built for hands-on wireless security research.

⚡ Standalone — No Laptop 🔓 Open Firmware 📱 Pocket-Sized 🖥️ Web + OLED Dual UI 👻 Evil Twin AP Clone 🚫 Deauth Attack Engine 🎣 Captive Portal Phish 📡 BLE + Zigbee + Wi-Fi Jam
  • MCU: ESP8266 (80/160 MHz, 2.4 GHz Wi-Fi, WIFI_AP_STA mode)
  • RF Module: nRF24L01+ (2.4 GHz, 125 channels, 2 Mbps, PA+LNA variant)
  • Display: SH1106 (128×64 OLED, I²C, 0.96")
  • Input: ADC Keypad (6-button voltage-divider: UP DOWN LEFT RIGHT ENTER BACK)
  • Storage: EEPROM (persistent PW vault, survives power cycle)
  • Pins (nRF): CE 16 / CSN 15; OLED SDA 4 / SCL 5
  • MODE 01, RF-Hunter: nRF24 constant carrier jammer. BLE + all 2.4 GHz or Wi-Fi channels only.
  • MODE 02, Deauther Suite: spacehuhn esp8266_deauther engine. Scan, select, deauth, beacon flood, probe attack.
  • MODE 03, WiPhi: Deauth + EvilTwin + captive portal credential harvester with EEPROM vault.

Hold BACK 5 seconds from any mode → returns to launcher main menu. Each tool initialises and tears down its own WiFi stack independently.

📡
RF-Hunter — 2.4 GHz Jammer
Uses nRF24L01 constant carrier mode to saturate the 2.4 GHz band.
  • Full sweep: all 125 channels (BLE, Zigbee, Wi-Fi, proprietary)
  • Targeted sweep: Wi-Fi channels 1–11 only (2412–2462 MHz)
  • RF24_PA_MAX + RF24_2MBPS for maximum interference power
  • CRC disabled, AutoAck off — pure carrier output
  • Plug-in mode table: add new attack modes with 3 lines of code
Deauther Suite
Full spacehuhn deauther engine integrated as a launcher mode.
  • Scan nearby APs and stations
  • Targeted deauthentication (802.11 type C0/A0 frames)
  • Beacon flood and probe attack
  • Web UI at 192.168.4.1 for remote control
  • CLI over Serial for scripting
  • LittleFS config persistence, autosave
  • OLED display driven by DisplayUI module
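
Seen from the monitoring side, the C0/A0 frames listed above are easy to recognise. The following is an added example, not code from the RF-Hunter firmware or the spacehuhn project: it classifies raw 802.11 frames by frame-control byte and flags a BSSID that receives a burst of them. It assumes the radiotap header has already been stripped; the function names, table size, window and threshold are illustrative choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BSSID 8
typedef struct { uint8_t bssid[6]; uint32_t start_ms; unsigned count; } bssid_stat;
static bssid_stat table[MAX_BSSID];
static int used;

/* Frame control byte 0: 0xC0 = deauthentication, 0xA0 = disassociation.
   Needs the 24-byte management header plus the 2-byte reason code. */
int is_deauth_or_disassoc(const uint8_t *f, size_t len) {
    return len >= 26 && (f[0] == 0xC0 || f[0] == 0xA0);
}

/* Reason code is little-endian, right after the header. */
unsigned reason_code(const uint8_t *f) { return f[24] | (unsigned)f[25] << 8; }

/* Feed one frame. Returns 1 once a BSSID has `limit` or more such frames
   inside the current window of `window_ms` milliseconds. */
int observe(const uint8_t *f, size_t len, uint32_t now_ms,
            uint32_t window_ms, unsigned limit) {
    bssid_stat *s = NULL;
    if (!is_deauth_or_disassoc(f, len)) return 0;
    for (int i = 0; i < used; i++)
        if (memcmp(table[i].bssid, f + 16, 6) == 0) s = &table[i];  /* addr3 */
    if (!s) {
        if (used == MAX_BSSID) return 0;      /* table full: skip new BSSIDs */
        s = &table[used++];
        memcpy(s->bssid, f + 16, 6);
        s->start_ms = now_ms;
        s->count = 0;
    }
    if (now_ms - s->start_ms > window_ms) {   /* window expired: restart it */
        s->start_ms = now_ms;
        s->count = 0;
    }
    return ++s->count >= limit;
}

int main(void) {
    /* Constructed sample: broadcast deauth, reason 7, made-up BSSID. */
    uint8_t f[26] = { 0xC0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
                      2, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 1, 0, 0, 7, 0 };
    for (uint32_t t = 0; t < 100; t += 10)
        if (observe(f, sizeof f, t, 1000, 5))
            printf("t=%u ms: deauth burst, reason %u\n", (unsigned)t, reason_code(f));
    return 0;
}
```

Networks that negotiate 802.11w Protected Management Frames have clients discard unauthenticated deauthentication and disassociation frames, so a burst like this is worth alerting on even when it has no effect.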
🎣
WiPhi — Captive Portal Harvester
The EvilTwin AP clones the target SSID and serves a convincing firmware-update phishing page to connected victims.
  • Scans and lists up to 16 nearby APs with channel + RSSI
  • One-click AP select → deauth target → victim reconnects to clone
  • Captive portal hijacks all HTTP traffic via DNSServer wildcard
  • Password verification: attempts real WPA2 auth to confirm
  • OLED shows live client count + packet count
  • Auto-jumps to Captured screen on success
💾
EEPROM Password Vault
Captured credentials persist across power cycles.
  • 5 slots — SSID (32 bytes) + password (64 bytes) each
  • Magic byte detects first boot, auto-formats on corruption
  • WiPhi vault offset at 2000+ to avoid deauther EEPROM collision
  • OLED browse: scroll list of saved entries
  • Per-slot delete: BACK button on detail screen
  • Web admin panel also displays captured password
🖥️
OLED UI — Unified Design
All three tools share the same UI language: inverted title bar, arrow-only cursor, no fill on selected items.
  • 128×64 px, ArialMT_Plain_10 font
  • Title bar: filled rect, white-on-black centred label
  • Menu cursor: ">" prefix only — no invert, no fill
  • Scrollable lists with ^ / v indicators
  • Live status: deauth packet counter, client count
  • Animated scan progress bar during WiFi scan
🌐
Web Admin UI
Parallel web interface — works simultaneously with OLED. Connect to WiPhi_34732 (pass: d347h320) then open 192.168.4.1/admin.
  • AP scan table with Select button per entry
  • Start/Stop Deauth and EvilTwin buttons
  • Live captured password display
  • Victim-facing: convincing router firmware-update page
  • Wrong PW: 4-second redirect, try again loop
  • Correct PW: 15-second verification progress bar
💬
nRF24 Mesh Chat
Standalone sketch. Point-to-point or group text chat over raw nRF24 radio. No Wi-Fi, no internet.
  • 5-digit Room ID → shared nRF24 pipe address
  • 3-char username selection on-device
  • Split OLED: left = message log, right = on-screen keyboard
  • 2-page keyboard: letters / numbers + emoji (:) :( ;) :D)
  • Join/leave packets broadcast to all devices on same room ID
  • Up to N devices per room — no pairing, no handshake
📻
RF Chat — Technical
32-byte packet format over nRF24, channel 90 (outside common Wi-Fi interference).
  • Packet: [type 1B] [name 3B] [text 28B]
  • Types: M=message, J=join, L=leave
  • Pipe address derived from Room ID: 'R' + first 4 digits
  • RF24_1MBPS, CRC_8, PA_MAX
  • Keyboard: 7 cols × 4 rows + action row [MNU][SND][DEL]
  • BACK button = instant delete, no keyboard navigation
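
The packet layout and address derivation above, as an added example that is not taken from the chat sketch itself: a strict parser for the 32-byte format and the Room ID to pipe-address mapping. Function names are illustrative, and NUL padding of short fields is an assumption the page does not state. Two points follow directly from the format: the packet carries no sender authentication (the name is self-asserted), and because only the first 4 digits feed the address, Room IDs that differ only in the last digit share one pipe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_LEN 32   /* [type 1B][name 3B][text 28B] */
typedef struct { char type; char name[4]; char text[29]; } chat_msg;

/* Copy a fixed-width field; assumes NUL padding (not stated on the page). */
static int copy_field(char *dst, const uint8_t *src, size_t n) {
    size_t i = 0;
    for (; i < n && src[i] != 0; i++) {
        if (src[i] < 0x20 || src[i] > 0x7e) return -1;  /* printable ASCII only */
        dst[i] = (char)src[i];
    }
    dst[i] = '\0';
    return 0;
}

/* Returns 0 on success, -1 for wrong length, unknown type or bad bytes. */
int chat_parse(const uint8_t *buf, size_t len, chat_msg *out) {
    if (len != PKT_LEN) return -1;
    if (buf[0] != 'M' && buf[0] != 'J' && buf[0] != 'L') return -1;
    out->type = (char)buf[0];
    if (copy_field(out->name, buf + 1, 3) != 0) return -1;
    return copy_field(out->text, buf + 4, 28);
}

/* Pipe address as the page describes it: 'R' + first 4 digits of the Room ID. */
int room_address(const char *room_id, uint8_t addr[5]) {
    if (strlen(room_id) != 5) return -1;
    for (int i = 0; i < 5; i++)
        if (room_id[i] < '0' || room_id[i] > '9') return -1;
    addr[0] = 'R';
    memcpy(addr + 1, room_id, 4);
    return 0;
}

int main(void) {
    uint8_t pkt[PKT_LEN] = { 'M', 'b', 'o', 'b', 'h', 'i' };  /* constructed sample */
    chat_msg m;
    uint8_t a[5], b[5];
    if (chat_parse(pkt, sizeof pkt, &m) == 0)
        printf("%c <%s> %s\n", m.type, m.name, m.text);
    room_address("12345", a);
    room_address("12349", b);
    printf("same pipe: %s\n", memcmp(a, b, 5) == 0 ? "yes" : "no");
    return 0;
}
```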
Buyers
  • Ready-to-use hardware, no soldering required
  • Three tools in one device — RF jammer, deauther, harvester
  • Standalone — no laptop, no phone needed
  • Pocket-sized, battery-friendly
  • Web interface for remote operation
  • EEPROM stores results after power-off
  • Open firmware — fully hackable
Researchers
  • Full source — every layer visible and modifiable
  • Plugin table for RF modes: add in 3 steps
  • Launcher AppMode enum: drop in new tools cleanly
  • Promiscuous / scan mode handled correctly (no conflict)
  • EEPROM layout documented, WiPhi offset avoids deauther region
  • Dual-stack: OLED + Web run simultaneously
  • spacehuhn deauther engine intact and unmodified
Testers
  • Animated scan progress — see it working in real time
  • Live deauth packet counter on OLED
  • Live client count on EvilTwin AP
  • Auto-jump to Captured screen on credential harvest
  • Hold BACK 5s = safe exit from any mode
  • Wrong PW loop with redirect — test portal flow
  • Serial output on all critical events
Legal Notice // Authorized Use Only
This device is designed for authorized security research, penetration testing, and educational use only. Using deauthentication attacks, RF jamming, or credential harvesting against networks or devices you do not own or have explicit written permission to test is illegal in most jurisdictions and may result in criminal prosecution. The author assumes no liability for misuse. Always operate within the law and with the informed consent of all affected parties.