Home > 3rd-Party Integration > Wardrive Integration

Wardrive Integration

Wardriving is the most common 3rd-party integration target: a long-running session that streams Wi-Fi access points, Bluetooth devices, and Flock surveillance hits to your client as the device moves. This page documents the command surface, the expected reply stream, and the data record formats so you can build a wardrive recorder, analyzer, or live dashboard.


One command does everything

CMD:wardriveall:

A single wardriveall command starts a combined 2.4 GHz Wi-Fi + 5 GHz Wi-Fi + Classic/BLE devices + Flock detection session, interleaved on a single notification stream. The command works identically on Biscuit Pro, Biscuit Ultra, and Biscuit DIY. The device handles the radio split internally, and the wire protocol you observe is the same on every variant.

Sample exchange:

-> CMD:wardriveall:
<- RSP:wardriveall:OK
<- STATUS:2:Scan started: wardriveall
<- DATA:AP:MyWiFi,AA:BB:CC:DD:EE:FF,6,-58,WPA2_PSK
<- DATA:BT:MyHeadphones,11:22:33:44:55:66,-72,BLE
<- DATA:FLOCK:B4:1E:52:11:22:33,Penguin-1234567890,-65,1234567890,OUI
   ...

RSP:wardriveall:OK lands within 100 ms; the DATA: lines arrive continuously until you stop the session.


Stopping

CMD:stopscan:

Reply sequence:

<- RSP:stopscan:OK
<- STATUS:1:Ready

RSP:stopscan:OK is the acknowledgment that the stop command was accepted. STATUS:1:Ready arrives a few hundred milliseconds later, once the scan task has actually halted. Treat STATUS:1 as the signal that no more DATA: records will arrive. Queued records may still flush in between the two messages.


Live data formats

Every DATA: line is comma-separated:

Frame Fields
DATA:AP SSID,BSSID,Channel,RSSI[,Security]
DATA:BT Name,MAC,RSSI,BLE[,Payload]
DATA:FLOCK MAC,Name,RSSI,Serial,Method
DATA:STATS Beacons,Probes,Deauths,Data,EAPOL,MinRSSI,MaxRSSI

Parser notes:

  • Commas in SSID and Name fields are sanitized to _ before transmission, so CSV parsers do not break on user-generated network names.
  • RSSI is signed dBm (negative). The field is always present.
  • Security on DATA:AP is omitted for open networks. Expect 4 or 5 fields.
  • AirTag and other manufacturer-payload BLE devices append a fifth field with hex-encoded manufacturer data. Expect 4 or 5 fields on DATA:BT.

Single-radio variants

If you need to scope a session to a single radio, the following commands return only that subset:

Command Stream
CMD:wardrive: 2.4 GHz Wi-Fi APs only
CMD:wardrive5g: 5 GHz Wi-Fi APs only
CMD:btwardrive: Classic and BLE devices, no Flock filtering
CMD:flockwardrive: Flock devices only
CMD:btflockwardrive: Bluetooth and Flock combined

Use wardriveall unless you have a specific reason to narrow the stream. Packed notifications mean there is no bandwidth penalty for collecting everything at once.


Flock classification

wardriveall includes Flock automatically. Hits arrive as DATA:FLOCK: records on the same stream as Wi-Fi and Bluetooth. Each hit’s Method field indicates which signal the firmware matched on, in priority order:

Method What it matched Confidence
MFR Manufacturer ID 0x09C8 in advertisement Very high
OUI Flock IEEE-registered OUI B4:1E:52 Very high
NAME Pattern: Penguin-..., Flock-..., pigvision, or FS Ext Battery High
WPROBE 802.11 probe-request with wildcard SSID from a Flock OUI High
SOUI Suspected (un-published) Flock OUI Medium
SNAME 10-digit-serial-only BLE name with no other signal Medium
WADDR2 Wi-Fi management frame transmitter MAC matched a Flock OUI Medium
WADDR1 Wi-Fi frame receiver MAC matched a Flock OUI Lower

When multiple methods match the same device, the highest-confidence one is reported.

Example records:

DATA:FLOCK:B4:1E:52:AA:BB:CC,Penguin-9876543210,-58,9876543210,OUI
DATA:FLOCK:11:22:33:44:55:66,FS Ext Battery,-71,,NAME

Attribution

The combined dual-band wardrive design draws on justcallmekoko’s upstream work on the ESP32 Marauder project. Credit is due wherever this protocol surface is reused.