Frequently Asked Questions
Deep-dive into VANDAL firmware and SWAP hardware — capabilities, architecture, legal aspects, and comparisons
Discover VANDAL / SWAP
VANDAL is the firmware — the software that provides all the capabilities: WiFi offensive, Bluetooth analysis, Sub-GHz replay, HID/BadUSB, network reconnaissance, and more. SWAP (Standalone Wireless Attack Platform) is the hardware family designed and produced by CIRCLE-Cyber specifically for VANDAL. Three variants exist: SWAP-0A (USB-A stick), SWAP-0C (USB-C stick), and SWAP-Pro (modular platform with M.2 expansion slots). All three run exactly the same VANDAL firmware; what changes is the peripheral footprint.
The SWAP-0x boards answer a specific operational need: a complete VANDAL agent cheap enough to be left behind. At 30€ per stick, if a device is discovered or physically inaccessible at the end of an engagement, the cost is acceptable. SWAP-0x boards have no SD, no GPS, no expansion slot — just the ESP32-S3 SoC with its WiFi, BLE, HID, and MQTT capabilities. The SWAP-Pro answers a different need: a long-lived modular field platform that can be reconfigured by swapping M.2 cards. One Pro board can run Sub-GHz analysis today and ADC-based physical pin analysis tomorrow without a reflash.
The SWAP-Pro has two M.2 slots that accept radio and peripheral cards. Currently available: CC1101 (Sub-GHz 300–928 MHz), SX1280 (LoRa 2.4GHz), nRF24L01+ (proprietary 2.4GHz protocols, alpha stage), and ADS1115 (16-bit ADC for physical analysis). Swapping a card on-site reconfigures the board's capability without any firmware change — the firmware detects the slot configuration at runtime and enables the corresponding code paths.
Technical Architecture
Three structural pillars define how the project evolves. First: an event-driven runtime where the ESP-IDF event loop is the spine — components emit typed events, modules consume them, no direct cross-component calls, FreeRTOS tasks run in parallel supervised by process_manager. Second: a strict components/ vs main/modules/ split — components/ is VANDAL-agnostic and portable to any ESP32 project; main/modules/ is VANDAL-specific orchestration. Third: centralized action handling — every interaction surface (MQTT, CLI, buttons, automation engine, MCP tools) reaches the same handler_context_t and the same business logic via action_dispatcher.
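The third pillar, sketched as a host-side C model (an added example, not code from the VANDAL repository): every surface calls one `dispatch()` with one shared context, so validation and auditing happen in a single place. The struct fields, action names, and the per-surface allow mask are assumptions made for illustration; the page does not say VANDAL implements such a mask.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Surfaces named in the text; every one of them enters through dispatch(). */
typedef enum { SRC_MQTT, SRC_CLI, SRC_BUTTON, SRC_AUTOMATION, SRC_MCP } action_source_t;

/* Hypothetical stand-in for handler_context_t: state shared by all handlers. */
typedef struct {
    int scans_started;
    int status_reads;
    int rejected;          /* unknown or disallowed requests */
    action_source_t last;  /* surface behind the last accepted action */
} handler_context_t;

typedef int (*action_fn)(handler_context_t *ctx, const char *arg);
static int do_status(handler_context_t *ctx, const char *arg) { (void)arg; return ++ctx->status_reads; }
static int do_scan(handler_context_t *ctx, const char *arg)   { (void)arg; return ++ctx->scans_started; }

#define BIT(s) (1u << (s))
#define ALL_SURFACES (BIT(SRC_MQTT) | BIT(SRC_CLI) | BIT(SRC_BUTTON) | BIT(SRC_AUTOMATION) | BIT(SRC_MCP))

/* One table to audit: action name, handler, surfaces allowed (constructed policy). */
typedef struct { const char *name; action_fn fn; unsigned allowed; } action_entry_t;
static const action_entry_t ACTIONS[] = {
    { "sys.status", do_status, ALL_SURFACES },
    { "wifi.scan",  do_scan,   BIT(SRC_MQTT) | BIT(SRC_CLI) },
};

/* Returns the handler's result, or -1 if the action is unknown or not allowed. */
int dispatch(handler_context_t *ctx, action_source_t src, const char *name, const char *arg)
{
    for (size_t i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++) {
        if (strcmp(ACTIONS[i].name, name) != 0) continue;
        if (!(ACTIONS[i].allowed & BIT(src))) break;  /* surface not permitted */
        ctx->last = src;
        return ACTIONS[i].fn(ctx, arg);
    }
    ctx->rejected++;
    return -1;
}

int main(void)
{
    handler_context_t ctx = {0};
    printf("mqtt scan   -> %d\n", dispatch(&ctx, SRC_MQTT, "wifi.scan", NULL));
    printf("button scan -> %d\n", dispatch(&ctx, SRC_BUTTON, "wifi.scan", NULL));
    return 0;
}
```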
Production-ready: AP scan, probe-request sniffer, EAP identity capture, deauthentication (targeted or broadcast, full reason code range), beacon spam, 4-way handshake capture with direct hc22000 export (compatible with hashcat -m 22000), PMKID capture for WPA2-PSK, rogue AP cloning, and a full captive portal pipeline with DNS hijacking, HTTP/HTTPS serving, and credential capture published over MQTT. Not claimed: 5GHz, WPA3 SAE cracking, real-time PCAP-over-MQTT.
All SWAP boards currently ship in BLE-only mode because the ESP32-S3 controller does not expose BR/EDR. However, the firmware is built on Bluedroid (not NimBLE), which supports both BLE and BR/EDR. This is a deliberate forward-looking choice: Espressif has announced the ESP32-S31 SoC with a dual-mode controller, and that part is the intended target for the next SWAP hardware revision. On current hardware: BLE 5.0 extended scan, 40+ device-type classification, streaming GATT enumeration, and SMP security probing with passkey dictionary attack.
The ESP32-S3 has a native USB OTG controller — no co-processor required. VANDAL exposes a HID keyboard, a vendor HID interface, and optionally MSC. DuckyScript scripts can be stored in flash, on the SD card (SWAP-Pro), or sent inline via MQTT. The HID-Shell feature drops a small payload on the target via BadUSB, which opens a bidirectional shell channel back over the vendor HID interface — giving the operator a real shell on the target machine over the USB cable. No automatic OS detection; the operator selects which script to run.
Hardware & Practical
Indicative pricing: SWAP-0A and SWAP-0C at 30€ each, or a pack of 5 for 100€. SWAP-Pro at 250€ including two M.2 expansion cards of your choice. Available M.2 cards: CC1101 Sub-GHz, SX1280 LoRa 2.4GHz, nRF24L01+ 2.4GHz, and ADS1115 16-bit ADC. These prices are not yet final and may adjust before the hardware campaign launch.
No. SWAP-0A and SWAP-0C are deliberately minimal — they contain only the ESP32-S3 SoC with its integrated WiFi and BLE radios. There is no M.2 slot and no external radio module. Sub-GHz (CC1101), 2.4GHz proprietary (nRF24), LoRa (SX1280), and physical analysis (ADS1115) require the SWAP-Pro with the corresponding M.2 card. The SWAP-0x firmware binary literally does not include the Sub-GHz code paths — they are excluded at build time.
Yes. OTA dual-slot is enabled on all SWAP boards. SWAP-0x has two 6 MB app partitions; SWAP-Pro has two 12 MB slots. Updates are triggered over MQTT and the board reboots into the new slot. The previous slot is preserved as a rollback target, so a bad update can be recovered without physical access.
Firmware updates via MQTT OTA — releases announced via the newsletter. The SWAP-Pro's SD card should be checked periodically. SWAP-0x boards are designed to be expendable: if one fails or is lost, you replace it. The SWAP-Pro is a long-lived instrument — treat it like any precision field tool.
Legal Aspects
Legal uses: passive scanning on your own networks, penetration testing with explicit written authorization from the infrastructure owner, academic research in a controlled lab environment, CTF competitions, and authorized red-team engagements. The HID/BadUSB capability and WiFi injection (deauth, beacon spam, rogue AP) are particularly sensitive — they require unambiguous written authorization from the asset owner before use.
Strictly prohibited: cracking or accessing third-party networks without explicit written authorization, intercepting private communications, causing denial of service or jamming of public infrastructure, and commercial exploitation of captured data. Sub-GHz emissions above regulatory limits require authorization in most jurisdictions. Consult ARCEP in France, FCC in the USA, ETSI in Europe. CIRCLE-Cyber and the VANDAL project accept no liability for unauthorized use.
VANDAL firmware is distributed under the MIT license — free to use, modify, and redistribute. No warranty is provided. SWAP hardware PCBs are proprietary designs produced by CIRCLE-Cyber; the schematics are not open-source. Users must comply with applicable RF regulations in their jurisdiction.
Comparisons
SWAP-0A or SWAP-0C at 30€ each (100€ for 5) vs FlipperZero at ~200€ (+ ~50€ for WiFi Dev Board). SWAP-0x delivers native WiFi 802.11 with full hc22000 handshake pipeline, BLE 5.0 with GATT enumeration and SMP probing, and a DuckyScript HID engine with a real bidirectional shell channel. FlipperZero excels at NFC/RFID, infrared, iButton, and has a built-in LCD for standalone use. They serve different missions: FlipperZero is a physical-access multi-tool; SWAP-0x is a deployable wireless agent.
SWAP-Pro at 250€ (with 2 M.2 cards) vs FlipperZero + WiFi Dev Board + Sub-GHz accessories at 300€+ without GPS. SWAP-Pro adds: GPS for tagged captures, SD card for offline logging, native USB HID with shell capability, Sub-GHz via CC1101 (spectrum + replay), and proprietary 2.4GHz research via nRF24. The M.2 ecosystem also adds SX1280 LoRa and ADS1115 ADC for physical analysis — capabilities that have no FlipperZero equivalent.
Marauder is a great WiFi-focused tool at ~60€. VANDAL on SWAP-Pro extends that: modular M.2 architecture, Sub-GHz via CC1101, GPS tagging, SD logging, native MQTT bidirectional control (no serial required), a HID/BadUSB engine with real shell channel, physical pin analysis via ADC, and a formally separated component/module codebase designed for extensibility. SWAP-0x at 30€ is price-competitive with Marauder while adding MQTT autonomy and HID.
Community
VANDAL is open-source (MIT). You can report bugs via GitHub Issues, propose fixes or new features via Pull Requests, write documentation, or port the firmware to a new board target. The firmware architecture (components/ vs main/modules/, centralized handlers, action_dispatcher) is designed specifically to make adding new capabilities straightforward. CIRCLE-Cyber coordinates the hardware roadmap; firmware contributions from the community are welcome.
Subscribe to the newsletter on this site to receive firmware and hardware availability updates. The source code is at github.com/circle-rd/vandal. CIRCLE-Cyber's broader work is at circle-cyber.com.