VANDAL Architecture

Event-driven firmware built on three structural pillars — one codebase for all SWAP boards

Three Architectural Pillars

01. Event-Driven Runtime

ESP event loop as the spine. Components emit — modules consume. No direct cross-component calls. FreeRTOS tasks run in parallel, supervised by process_manager.

02. Components vs Modules

components/ is Vandal-agnostic and project-portable. main/modules/ is VANDAL-specific orchestration. The boundary is enforced and dependencies flow one way only: modules may depend on components, components never depend on modules.

03. Centralized Action Handling

One handler per category, fed by a unified handler_context_t. MQTT, CLI, buttons, automation rules and MCP tools all reach the same code path.
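As an added illustration of pillars 01 and 03 (example code, not VANDAL's own): a portable C stand-in for the event-loop dispatch, with ESP-IDF's esp_event API replaced by a minimal register/post pair so it compiles without the SDK. The fields of handler_context_t and the action and source enums are assumptions.

```c
/* Added example: plain C stand-in for the event-driven dispatch pattern.
 * Enum values and handler_context_t fields are assumed, not VANDAL's. */
#include <stdio.h>
#include <stddef.h>

typedef enum { SRC_MQTT, SRC_CLI, SRC_BUTTON, SRC_AUTOMATION } action_source_t;
typedef enum { ACTION_SCAN, ACTION_STOP, ACTION_COUNT } action_id_t;

/* Unified context: every entry point fills the same struct, so a handler
 * never needs to know whether the request came over MQTT, CLI or a button. */
typedef struct {
    action_source_t source;
    action_id_t     action;
    const char     *arg;     /* optional argument, may be NULL */
} handler_context_t;

typedef void (*action_handler_t)(const handler_context_t *ctx);

/* One handler slot per action category (pillar 03). */
static action_handler_t handlers[ACTION_COUNT];

/* Bookkeeping so callers can verify all sources reach one code path. */
static int scan_calls;
static action_source_t last_source;

/* Module side: register the single handler for a category. */
int action_register(action_id_t id, action_handler_t h) {
    if (id >= ACTION_COUNT || h == NULL) return -1;
    handlers[id] = h;
    return 0;
}

/* Component side: post an event; the loop looks up the category handler.
 * No direct cross-component call is made. Returns -1 if nothing handles it. */
int event_post(action_source_t src, action_id_t id, const char *arg) {
    if (id >= ACTION_COUNT || handlers[id] == NULL) return -1;
    handler_context_t ctx = { .source = src, .action = id, .arg = arg };
    handlers[id](&ctx);
    return 0;
}

static void scan_handler(const handler_context_t *ctx) {
    scan_calls++;
    last_source = ctx->source;
}

int scan_handler_calls(void) { return scan_calls; }
int last_scan_source(void) { return (int)last_source; }

int main(void) {
    action_register(ACTION_SCAN, scan_handler);
    event_post(SRC_MQTT, ACTION_SCAN, "2.4ghz");
    event_post(SRC_CLI, ACTION_SCAN, NULL);
    printf("scan handler invoked %d times\n", scan_handler_calls());
    return 0;
}
```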

Module Tree

init/Bootstrap — hw_init, network_init, event_handlers, slot_init, mcp_tunnel_init
core/action_dispatcher · producer · velocity_producer · notify_publisher · automation_engine · presence · management · system_led
scanners/ap_scanner · bt_scanner · bt_probing · bt_discovery · host_scanner · ports_scanner · freq_scanner · service_enum · smb_prober
sniffers/wifi_sniffer · handshake_capture · pmkid_capture · eap_identity_sniffer · subghz_sniffer · iv_capture
attacks/deauth · beacon_spam · rogue_ap · captive_portal · replay_subghz · bad_usb · shell_session
physical/voltage_reader · ground_detector · pin_detector · oscilloscope
messaging/espnow_messaging · subghz_messaging · messaging_manager
components/wifi_controller · bt_controller · cc1101_controller · nrf24_controller · gps_controller · mqtt_controller · dns_controller · http_controller · process_manager · slot_manager · duckyscript_parser · frame_analyzer · pcap_serializer · hc22000_serializer

Capability Domains

WiFi

Complete 802.11 b/g/n offensive stack — scan, capture, inject, attack.

What ships (production)

  • AP scanner — BSSID, SSID, RSSI, auth label
  • Probe request sniffer + EAP identity capture
  • Deauth frames (targeted / broadcast, reason 1–45)
  • Beacon spam (dynamic SSID list, random BSSID)
  • Handshake capture → hc22000 direct export
  • PMKID capture (WPA2-PSK)
  • Rogue AP + Captive Portal with DNS hijacking
  • APSTA mode — AP + STA simultaneously

What is NOT claimed

  • No 5 GHz / 802.11ac/ax
  • No WPA3 SAE cracking pipeline
  • No real-time PCAP-over-MQTT (roadmap)

Technology Stack

Technology   Version     Usage
ESP-IDF      5.5.x       Core framework & drivers
FreeRTOS     10.5.x      Real-time OS & task management
RadioLib     7.x         CC1101 driver (C++ wrapped C ABI)
Bluedroid    ESP fork    BLE 5.0 + BR/EDR host stack
cJSON        1.7.18      JSON serialization
MQTT         3.1.1       Bidirectional command bus
libssh       0.11.x      Embedded SSH server (disabled by default)
LwIP         ESP fork    TCP/IP stack & raw socket layer

Open Source Firmware

Three pillars, one codebase, every SWAP board. Contributions welcome.
