Wardrive Integration
Wardriving is the most common 3rd-party integration target: a long-running session that streams Wi-Fi access points, Bluetooth devices, and Flock surveillance hits to your client as the device moves. This page documents the command surface, the expected reply stream, and the data record formats so you can build a wardrive recorder, analyzer, or live dashboard.
One command does everything
CMD:wardriveall:
A single wardriveall command starts a combined 2.4 GHz Wi-Fi + 5 GHz Wi-Fi + Classic/BLE devices + Flock detection session, interleaved on a single notification stream. The command works identically on Biscuit Pro, Biscuit Ultra, and Biscuit DIY. The device handles the radio split internally, and the wire protocol you observe is the same on every variant.
Sample exchange:
-> CMD:wardriveall:
<- RSP:wardriveall:OK
<- STATUS:2:Scan started: wardriveall
<- DATA:AP:MyWiFi,AA:BB:CC:DD:EE:FF,6,-58,WPA2_PSK
<- DATA:BT:MyHeadphones,11:22:33:44:55:66,-72,BLE
<- DATA:FLOCK:B4:1E:52:11:22:33,Penguin-1234567890,-65,1234567890,OUI
...
RSP:wardriveall:OK lands within 100 ms; the DATA: lines arrive continuously until you stop the session.
Stopping
CMD:stopscan:
Reply sequence:
<- RSP:stopscan:OK
<- STATUS:1:Ready
RSP:stopscan:OK is the acknowledgment that the stop command was accepted. STATUS:1:Ready arrives a few hundred milliseconds later, once the scan task has actually halted. Treat STATUS:1 as the signal that no more DATA: records will arrive. Queued records may still flush in between the two messages.
Live data formats
Every DATA: line is comma-separated:
| Frame | Fields |
|---|---|
| DATA:AP | SSID,BSSID,Channel,RSSI[,Security] |
| DATA:BT | Name,MAC,RSSI,BLE[,Payload] |
| DATA:FLOCK | MAC,Name,RSSI,Serial,Method |
| DATA:STATS | Beacons,Probes,Deauths,Data,EAPOL,MinRSSI,MaxRSSI |
Parser notes:
- Commas in SSID and Name fields are sanitized to _ before transmission, so CSV parsers do not break on user-generated network names.
- RSSI is signed dBm (negative). The field is always present.
- Security on DATA:AP is omitted for open networks. Expect 4 or 5 fields.
- AirTag and other manufacturer-payload BLE devices append a fifth field with hex-encoded manufacturer data. Expect 4 or 5 fields on DATA:BT.
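A client-side parser for the records above, as an added example that is not the project's own code; the names `parse_data` and `collect`, the dict keys, and the sample session are assumptions constructed for illustration. It splits on the first two colons only, accepts the optional fifth field, and treats STATUS:1 rather than RSP:stopscan:OK as the end of the stream.

```python
FIELDS = {  # added example; key names are assumptions based on the frame table
    "AP": ("ssid", "bssid", "channel", "rssi", "security"),
    "BT": ("name", "mac", "rssi", "ble", "payload"),
    "FLOCK": ("mac", "name", "rssi", "serial", "method"),
    "STATS": ("beacons", "probes", "deauths", "data", "eapol", "min_rssi", "max_rssi"),
}
OPTIONAL_TAIL = {"AP": 1, "BT": 1}  # Security / Payload may be absent
INT_FIELDS = {"channel", "rssi"} | set(FIELDS["STATS"])

def parse_data(line):
    """Parse one DATA: line into a dict; raise ValueError if malformed."""
    parts = line.strip().split(":", 2)  # first two colons only: MACs contain colons
    if len(parts) != 3 or parts[0] != "DATA" or parts[1] not in FIELDS:
        raise ValueError(f"not a known DATA frame: {line!r}")
    kind, names = parts[1], FIELDS[parts[1]]
    values = parts[2].split(",")
    if not len(names) - OPTIONAL_TAIL.get(kind, 0) <= len(values) <= len(names):
        raise ValueError(f"{kind}: unexpected field count {len(values)}")
    rec = {"frame": kind}
    for name, value in zip(names, values):
        rec[name] = int(value) if name in INT_FIELDS else value
    if "payload" in rec:
        rec["payload"] = bytes.fromhex(rec["payload"])  # hex manufacturer data
    return rec

def collect(lines):
    """Return (records, clean_stop); only STATUS:1 ends the session."""
    records = []
    for line in lines:
        if line.startswith("STATUS:1:"):
            return records, True   # scan task halted, no more DATA expected
        if line.startswith("DATA:"):
            try:
                records.append(parse_data(line))
            except ValueError:
                continue           # drop the malformed record, keep the session
    return records, False          # stream ended without STATUS:1

SAMPLE = [  # constructed session modelled on the page's sample exchange
    "STATUS:2:Scan started: wardriveall",
    "DATA:AP:MyWiFi,AA:BB:CC:DD:EE:FF,6,-58,WPA2_PSK",
    "DATA:AP:Cafe_Guest,AA:BB:CC:00:11:22,36,-80",            # open: no Security
    "DATA:BT:Tag,11:22:33:44:55:66,-72,BLE,0102a0ff",         # constructed payload
    "DATA:AP:Broken,AA:BB:CC:00:11:44,six,-70",               # malformed channel
    "RSP:stopscan:OK",
    "DATA:FLOCK:11:22:33:44:55:66,FS Ext Battery,-71,,NAME",  # flushed after ack
    "STATUS:1:Ready",
]
```

SSID and Name values are chosen by whoever operates the nearby device, so treat them as untrusted input when rendering them in a dashboard or writing them to a spreadsheet.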
Single-radio variants
If you need to scope a session to a single radio, the following commands return only that subset:
| Command | Stream |
|---|---|
| CMD:wardrive: | 2.4 GHz Wi-Fi APs only |
| CMD:wardrive5g: | 5 GHz Wi-Fi APs only |
| CMD:btwardrive: | Classic and BLE devices, no Flock filtering |
| CMD:flockwardrive: | Flock devices only |
| CMD:btflockwardrive: | Bluetooth and Flock combined |
Use wardriveall unless you have a specific reason to narrow the stream. Packed notifications mean there is no bandwidth penalty for collecting everything at once.
Flock classification
wardriveall includes Flock automatically. Hits arrive as DATA:FLOCK: records on the same stream as Wi-Fi and Bluetooth. Each hit’s Method field indicates which signal the firmware matched on, in priority order:
| Method | What it matched | Confidence |
|---|---|---|
| MFR | Manufacturer ID 0x09C8 in advertisement | Very high |
| OUI | Flock IEEE-registered OUI B4:1E:52 | Very high |
| NAME | Pattern: Penguin-..., Flock-..., pigvision, or FS Ext Battery | High |
| WPROBE | 802.11 probe-request with wildcard SSID from a Flock OUI | High |
| SOUI | Suspected (un-published) Flock OUI | Medium |
| SNAME | 10-digit-serial-only BLE name with no other signal | Medium |
| WADDR2 | Wi-Fi management frame transmitter MAC matched a Flock OUI | Medium |
| WADDR1 | Wi-Fi frame receiver MAC matched a Flock OUI | Lower |
When multiple methods match the same device, the highest-confidence one is reported.
Example records:
DATA:FLOCK:B4:1E:52:AA:BB:CC,Penguin-9876543210,-58,9876543210,OUI
DATA:FLOCK:11:22:33:44:55:66,FS Ext Battery,-71,,NAME
Attribution
The combined dual-band wardrive design draws on justcallmekoko’s upstream work on the ESP32 Marauder project. Credit is due wherever this protocol surface is reused.