🔌 Physical Power-Up Sequence
The GhostChip ESP32-S3 Security Toolkit is fully pre-flashed out of the box. You do not need to install local tools, command lines, or compilers to initialize the system hardware. Connect standard 5V USB power to boot the module instantly.
Verify SD Card Mounting
Ensure that a formatted MicroSD card (supports up to 32GB) is inserted fully into the physical slot. (See the MicroSD limits page for partitioning details).
Plug in USB-A Connector
Plug the module directly into a computer USB-A socket, a portable power bank, or standard 5V USB charging bricks. Avoid using quick charge ports that fluctuate voltages.
Verify Wireless AP Broadcast
Once powered, the internal ESP32-S3 boots up within 3 seconds. Scan for available wireless networks on your mobile phone or PC, select the network named Ghostchip, and enter the password GhostChip@14.
💾 MicroSD Card Formatting & Limits
The ESP32-S3 utilizes an SDIO hardware interfacing framework. This places rigid architectural specifications on partition structures and card sizes. GPT configurations or modern partition models are not supported.
- Maximum Storage Support: 32GB. Larger card volumes (64GB, 128GB, etc.) formatted using exFAT are not compatible.
- Recommended Stable Capacity: Top-tier 16GB or 32GB MicroSD card modules.
- Partition Map Type: MBR (Master Boot Record) partition style strictly.
- Filesystem Formatting: FAT32 cluster formatting.
- Optimal Cluster Allocation Size: 32KB (32,768 bytes). This parameter guarantees maximum stability during rapid, high-frequency exfiltration logging.
Formatting Quick Guide:
| Target Host OS | Formatting Utility Tool | Required Settings |
|---|---|---|
| Windows 10/11 | Standard Disk Management or Rufus | File System: FAT32 | Cluster Size: 32 Kilobytes | MBR Style |
| macOS (Apple Sil.) | Disk Utility Console (Terminal `diskutil`) | Format Scheme: MS-DOS (FAT) | Scheme: Master Boot Record |
| Linux (Ubuntu/Arch) | GParted or CLI `mkfs.vfat` | `mkfs.vfat -F 32 -s 64 /dev/sdX1` (64 sectors per cluster = 32KB) |
🔍 Hardware Specs & Architecture
The GhostChip unites high-performance RF computing with physical keyboard HID injection circuitry in a micro form-factor.
Dual-Core 240MHz MCU
ESP32-S3 core engine equipped with vector extension instructions for high-speed cryptography, neural prompt structures, and passive WiFi monitoring.
USB-OTG HID Controller
Direct native USB-HID bus interfaces. Simulates standard USB Boot Keyboard layout models, bypassing operating system driver warning dialogs completely.
WS2812B NeoPixel RGB
Programmable 24-bit color status indicator. Fully controllable via API commands to allow complete stealth modes or visual payload alerts.
SDIO SD Interface
Direct low-latency data lines running to the MicroSD slot, facilitating instant reads/writes of exfiltrated data blocks.
Technical Electrical Tolerances:
Operating voltage requirements: 5V DC via USB connector. Idle power draw ranges around 90mA, whereas active RF scanning or high-speed typing bursts pull up to 310mA peak current. Avoid routing through unpowered USB splitter units.
⚡ USB Firmware Flashing & Recovery Guide
Reload your GhostChip with the official core binaries, re-partition the flash layout, or recover a bricked/bootlooping device over physical USB Web Serial.
📥 Step-by-Step Flashing Procedure
Launch the Flasher Interface
Open the native Web Serial Flasher Utility inside a Chromium-based browser (Chrome, Edge, or Opera).
Connect USB Data Cable
Plug one end of a standard USB-C data cable into the GhostChip module and connect the other end directly to a computer's high-speed USB port.
Establish Serial Connection
Select your desired Baud Rate speed (Default 921600 is recommended for low-latency flashing). Click Connect Device and choose the appropriate serial port interface (e.g., ESP32-S3 USB Node or COM3) from the pop-up browser interface.
Load Firmware Segments
Choose your binary source type:
- Auto-Flash (Preset Firmware): Click Fetch Preset Firmware Files to automatically download the official factory binaries from the remote repository.
- Manual Files (Custom Upload): Upload custom-compiled binaries into their dedicated memory offsets:
0x0->GhostChip.ino.bootloader.bin(Boot Sequence)0x8000->GhostChip.ino.partitions.bin(Partition Layout)0x10000->GhostChip.ino-4.bin(Core Application code)
Trigger Flashing Process
Select Erase all flash partitions before writing if performing a clean install to wipe active settings. Click Start Flashing Firmware and watch the real-time progress indicators. Once complete, unplug and reconnect the USB port to power cycle and boot the new code!
⚠️ Hard Recovery Mode (ROM Bootloader)
If your device fails to sync, is bootlooping continuously, or is completely bricked, you can manually override the active program execution and force the ESP32-S3 processor to initialize its internal read-only ROM bootloader:
📶 Wi-Fi Access Point Credentials
By default, GhostChip initiates its own wireless network immediately upon boot. Connect to this network on any mobile phone, laptop, or tablet to access the controls.
| Connection Parameter | Assigned Value | Notes / Explanations |
|---|---|---|
| SSID (AP Name) | Ghostchip |
Broadcasted in the 2.4GHz Wi-Fi spectrum. |
| WPA2 Password | GhostChip@14 |
Secured using WPA2-PSK protocol encryption. |
| Local Gateway IP | 192.168.4.1 |
Hardcoded network gateway of the internal DHCP server. |
| mDNS Domain Address | http://ghostchip.local |
Multicast DNS routing enabled for convenient browser access. |
| DHCP Lease Pool | 192.168.4.2 to 192.168.4.10 |
Dynamic IP distribution leases for connected control hosts. |
⚡ Control Modes: Direct Web vs PWA App
GhostChip supports two distinct modes of execution to match your operational audit environment.
Direct Web Server Portal
Pulls web assets directly from the ESP32 SPIFFS partition blocks. Requires no internet or external server hosting.
- Connect to Ghostchip Wi-Fi AP.
- Launch your device's web browser.
- Navigate to:
http://ghostchip.local(or `http://192.168.4.1`).
Progressive Web App (PWA)
Installs on your mobile screen as a native application with offline service worker caching and fluid UI rendering.
- Bridge your phone and ESP32 to the same local internet router.
- Visit cloud portal: Hosted PWA App Link
- Click your browser drawer -> Add to Home Screen.
🤖 Local Wi-Fi Bridging Setup for Groq AI Features
The Groq AI Llama-3 compiler and AI voice assistant require active internet routing to communicate with cloud APIs. Since the GhostChip's isolated Access Point (`Ghostchip`) does not have an internet path, you must bridge the devices onto your own local Wi-Fi router.
Initial AP Connection
Connect your mobile phone to the default Ghostchip Wi-Fi AP and open the local dashboard at `http://ghostchip.local` in your browser.
Setup WiFi Station on GhostChip
Navigate to the Settings menu page. Find the WiFi Station Setup card, click Scan Networks, select your home/office internet Wi-Fi network SSID, input its security password, and click Connect.
Switch Phone to the Same Router
Disconnect your mobile phone from the isolated `Ghostchip` AP. Connect your phone to your own local home/office internet router (the exact same network you selected for the GhostChip in Step 2).
Access Bridge Dashboard
Open your mobile web browser and enter: http://ghostchip.local, or simply launch your installed Hosted PWA App. Since mDNS resolution broadcasts seamlessly across your local bridged router subnet, both devices talk locally with no IP configurations needed, while having full cloud access for Llama-3 operations!
⚡ DuckyScript Language Reference & Simulator
DuckyScript is the native programming language of the GhostChip HID injector. It converts human-readable key commands into raw USB keyboard descriptors. Below is an exhaustive language catalog and a step-by-step guide on how to build, test, and deploy custom scripts.
1. Complete Syntax Keyword Reference
GhostChip supports the entire classic DuckyScript keyword index along with custom timing configurations:
| Keyword Command | Functional Description | Code Syntax Example |
|---|---|---|
REM |
Remark/Comment block. Lines starting with REM are ignored by the parser. Used to document code steps. |
REM This is a comment |
DELAY |
Pauses execution for a specified duration in milliseconds (1000ms = 1s). Highly critical for synchronizing actions. | DELAY 1000 |
DEFAULTDELAY |
Applies a standard delay pause (in ms) after every line in the script, pacing inputs safely. | DEFAULTDELAY 150 |
STRING |
Simulates rapid serial typing of the text string following the keyword. Supports symbols, numbers, and capital letters. | STRING echo Hello World! |
ENTER |
Simulates pressing the Standard Enter/Return key. Often used to submit entered command strings. | ENTER |
ESCAPE / ESC |
Presses the Escape key. Useful for dismissing active system popups or exiting full-screen applications. | ESCAPE |
TAB |
Presses the Tab key. Critical for navigating field focus when command-line consoles are unavailable. | TAB |
SPACE |
Presses the Spacebar. | SPACE |
BACKSPACE |
Simulates hitting the Backspace key to delete a preceding character. | BACKSPACE |
DELETE |
Simulates hitting the Forward Delete key. | DELETE |
INSERT |
Toggles the standard Insert cursor mode. | INSERT |
PAGEUP / PAGEDOWN |
Scrolls page text blocks up or down. | PAGEUP |
HOME / END |
Jumps the editing cursor to the absolute start or end of the current line. | HOME |
2. Arrow & Directional Controls
Directional arrow keys are indispensable when navigating administrative menus, custom windows, or text lists:
| Keyword Option | Alternative Syntax | Operation details |
|---|---|---|
UPARROW |
UP |
Simulates pressing the Up Arrow. |
DOWNARROW |
DOWN |
Simulates pressing the Down Arrow. |
LEFTARROW |
LEFT |
Simulates pressing the Left Arrow. |
RIGHTARROW |
RIGHT |
Simulates pressing the Right Arrow. |
3. Keyboard Lock Toggles
These commands simulate toggling hardware lock configurations on host machines:
CAPSLOCK: Toggles Caps Lock (all subsequent alphabetic typed inputs will shift case states).NUMLOCK: Toggles the Numeric Keypad lock state.SCROLLLOCK: Toggles Scroll Lock.
4. System Modifiers & Complex Combos
Modifiers are keys held down in combination with other characters to trigger special operating system shortcuts. You can define modifiers on their own line with a trailing key:
| Modifier Key | Alternative Keywords | Common Combo Examples |
|---|---|---|
| GUI | WINDOWS, COMMAND |
GUI r (Opens Run menu on Windows) GUI SPACE (Opens Spotlight search on macOS) |
| ALT | ALT |
ALT F4 (Closes active application) ALT SPACE (Opens window configurations) |
| CTRL | CONTROL |
CTRL ESCAPE (Opens Windows Start Menu) CTRL c (Copy shortcut) |
| SHIFT | SHIFT |
SHIFT ENTER (Newline indicator) SHIFT INSERT (Paste combo on classic terminals) |
CTRL SHIFT ESCAPE (Launches Windows Task Manager directly)
GUI SHIFT ENTER (Launches administrative terminals on pre-configured layouts)
5. The Repeater Block Command
To avoid copy-pasting the same instruction multiple times, the REPEAT keyword duplicates the exact action from the immediately preceding line:
REPEAT 4 (Presses the Down Arrow 4 more times, leading to 5 total presses)
🏗️ How to Build & Deploy Your DuckyScript Payload
Designing an effective BadUSB payload requires a structured methodology to ensure reliable execution across different target host machines. Follow these structured operational steps:
Determine Target OS Shortcuts
Verify the operating system of the target computer (Windows, macOS, or Linux). Identify the correct shortcut sequence to open a command terminal. For example, use GUI r followed by cmd on Windows, or GUI SPACE followed by terminal on macOS.
Establish initial Driver Delay
Always start your payloads with an initial delay buffer (e.g. DELAY 3000). When the hardware is plugged in, the victim operating system requires exactly 2 to 3 seconds to scan, load, and configure standard USB keyboard HID drivers. Typing before this window finishes results in missed keystrokes.
Configure typing Pace (Pacing Delay)
Add a DEFAULTDELAY 150 statement directly below your initial setup delay. This instructs the injector core to pause for 150ms between every line, giving slower computers time to parse incoming USB key descriptors without losing keystroke data.
Compose Payloads: Code vs Visual vs AI
Choose your preferred authoring method:
- Manual Coding: Write clean, standard DuckyScript commands directly into the dynamic text editor panel.
- Visual Builder: Drag and drop modular blocks (DELAY, STRING, ENTER) using the Script Builder Tool in the utilities drawer.
- AI Compiler: Tell the Groq AI Assistant what you want in plain English (e.g., "Write a Windows script to query IP configurations") to let it compile standard DuckyScript code instantly.
Verify in the Sandbox Simulator
Before executing the script on a physical machine, toggle the SIM (Simulator) panel switch. This parses your commands line-by-line in a sandboxed browser terminal, displaying exactly what will be typed, key pause delays, and loop structures. This allows you to verify script logic safely.
Save to MicroSD & Run
Click Save in the File Manager tool to write the completed script directly into the `/payloads/` directory on the FAT32 MicroSD card. Finally, select the target payload in your file manager explorer and click the Run (Play) button to physically inject the keystrokes.
📡 RF Sniffer Stack (WiFi, BLE, & Deauth Warnings)
The ESP32-S3 is equipped with a passive radio monitor framework, allowing diagnostic site evaluations and wireless audits.
WiFi Diagnostic Scanner
Sweeps channels 1-14 to discover local access points. Gathers detailed infrastructure metadata:
- Network SSID name and hardware BSSID.
- Signal RSSI value (measured in dBm).
- Encryption protocols (WEP, WPA2, WPA3).
BLE Proximity Sniffer
Passively parses the 2.4GHz spectrum for Bluetooth Low Energy advertising packets. Monitors physical beacons:
- Broadcast beacon names and UUID indicators.
- GATT service profiles.
- RSSI distance tracking.
802.11 Deauthentication Monitor
Legacy wireless protocols transmit management frames (such as deauth or disassociation packets) without cryptographic signing. The sniffer scans targeted radio channels and logs deauth attacks instantly:
This serves as an excellent security alert indicator. When active Wi-Fi jamming or client disruption events occur, warning logs are generated inside the live log console pane and trigger high-visibility alerts on your browser web console instantly.
🤖 Groq Llama-3 AI Engine & Voice Controls
The GhostChip features real-time neural payload compilation, translating plain English prompts into standard executable DuckyScript payloads instantly.
Groq Llama-3 API Compilation
Input descriptive prompts (e.g. "Open command prompt on Windows, query IP details, and output results"). The neural compiler processes the prompt and builds formatted DuckyScript code blocks. Select targeted operating systems (Windows, macOS, Linux) to optimize modifier sequences automatically.
Voice Recognition Interface
Tap the Microphone icon to initiate active voice controls. The dashboard leverages the browser's Web Speech API to capture speech queries, translate your intent, and compile scripts hands-free.
EEPROM Credentials Isolation
Your custom Groq API key is written directly to physical EEPROM sectors on the ESP32-S3. Keys remain securely isolated on the device hardware and are transmitted strictly via HTTPS directly to Groq endpoints, completely safeguarding your developer credentials.
📁 Tool: File Manager
The File Manager tool provides a robust explorer interface to manage partitions, view exfiltrated data captures, and deploy custom script binaries on the MicroSD card filesystem.
Wireless File Uploads
Drag and drop or select `.txt` or `.bin` script files directly from your phone's browser cache. The ESP32 writes them to the MicroSD `/payloads/` directory in milliseconds.
Real-time Exfiltration Viewer
When payload scripts output keys or logs, they are written to `/exfil/` logs. You can browse, read raw text in-browser, or download log sheets directly to your device.
Run Payload Trigger
Click the "Run" (Play) icon next to any script. This loads it directly into the active keyboard emulator and starts injection operations instantly.
/payloads/ root folder and exfiltrated payloads under the /exfil/ folder for correct dashboard indexing.
🤖 Tool: AI Assistant
A conversational dialog system driven by the Groq Llama-3 compiler, translating verbal instructions into working payloads.
Voice Capture Module
Click the Microphone icon to initiate web speech recognition. Speak your target instructions clearly (e.g. "Open Notepad, type 'System Audited', and save it").
Automatic Payload Compiling
The system passes the voice transcript to the Llama-3 API, which generates properly formatted DuckyScript code blocks automatically.
Deploy to Active Editor
Click Load Script to paste the generated code directly into your active workspace for visual validation or timing adjustment edits.
🛠️ Tool: Script Builder
Construct payloads visually using block components, eliminating the need to write raw code manually.
Command Block Library
Select from blocks like DELAY, STRING, ENTER, GUI modifier, and REPEAT.
Visual Parameter Forms
Type your strings directly into visual fields and drag sliders to easily adjust delay timers.
Syntax compiler
Click Compile to merge all visual block components into standard, valid DuckyScript text blocks.
🛡️ Tool: Payload Templates
Quickly deploy pre-configured DuckyScript templates designed for common network diagnostics and security audits.
| Auditing Template | Payload Operation Details | Standard Target OS |
|---|---|---|
| Network Diagnostics | Gathers IP information, traceroutes DNS configs, and writes output details to local files. | Windows / macOS / Linux |
| Webhook Exfiltrator | Leverages `curl` to transmit environment parameters straight to custom HTTP endpoints. | macOS / Linux |
| Stealth Reverse Shell | Spawns background listener interfaces to deploy automated local shells. | Windows PowerShell |
🎹 Tool: Live Keyboard
Transform your mobile phone interface into a real-time remote keyboard controller that types directly onto the target computer.
Modifier Key Combinations
Visual toggle controls for keys like `CTRL`, `ALT`, `SHIFT`, and `GUI (Win/CMD)`. Tap them to simulate hold-key actions.
Real-time Keystrokes
Type text into the visual input form. Characters are immediately transmitted over native USB descriptors with zero delay.
System Quick Macros
Dedicated buttons to trigger shortcuts: open Windows Run dialog (`GUI+R`), open macOS Terminal, or close active application (`ALT+F4`).
💡 Tool: NeoPixel LED
Customize the onboard WS2812B RGB diagnostic LED to change light modes or enable stealth operation.
Stealth Mode Switch
Toggle the LED off entirely. This hides all diagnostic flashes and makes the hardware blend in during physical USB deployments.
Diagnostic Color Wheel
Set custom colors for active scanning, keyboard injection states, deauth alarms, and file write loops.
Brightness Sliders
Fine-tune brightness scales from 0% up to 100% to manage power draw and thermal limits during prolonged audits.
🌐 Tool: Device Info
Access real-time hardware status metrics, networking details, and operating parameters of the ESP32-S3 module.
| Diagnostic Parameter | Value / Specification | System Description |
|---|---|---|
| Chip Model | ESP32-S3 Dual-Core Xtensa | Core hardware processor model. |
| CPU Frequency | 240 MHz | Active processing clock speed. |
| Internal SPIFFS Storage | 4 Megabytes (MB) | Onboard flash memory for the Web UI layout. |
| MicroSD Status | Mounted (FAT32 filesystem) | Indicates MicroSD connection state. |
| Station IP Address | Dynamic mDNS (`ghostchip.local`) | Assigned IP inside the bridged local network. |
💾 Tool: Payload Simulator
Safely run and dry-test payloads inside an isolated browser-shell sandbox before physical execution.
Syntax Analyzer
Scans scripts for syntax errors and highlights typos in keywords like STRING or modifier keys.
Virtual Shell Terminal
Shows a simulated terminal screen displaying typing speeds, pauses, and keystroke repeats visually.
Step-by-Step Debugging
Step through lines one by one to verify delay timings and keyboard modifier combos safely.
💿 Tool: OTA Flash Updater
Easily upgrade the GhostChip firmware wirelessly with zero cables or programming interfaces required.
Drag and Drop Firmware Binary
Drag your updated firmware file (`ghostchip.bin`) directly into the OTA drag-and-drop zone.
Dynamic Progress Bar
Monitor transmission metrics. The dashboard shows real-time progress bars as the file writes to the OTA partition.
Automatic Soft Reboot
Once writing is complete, the chip automatically reboots to run the new firmware safely.
🔌 Direct USB Web Serial Flashing
If the wireless network is unavailable or if the active partition is corrupted, you can flash the core factory binaries directly over a standard USB cable using our native Web Serial Flasher tool:
Launch Web Serial Flasher💾 Troubleshooting: SD Card Mount Failures
Symptom: The File Manager or Preset libraries display empty files lists, or show mount failure toasts.
Diagnostic & Action Steps:
- Connect your card reader to a PC/macOS host. Open your Disk Utility or Disk Management dashboard.
- Confirm the capacity of the MicroSD card does not exceed 32GB. (16GB or 32GB cards are highly recommended).
- Re-partition the card, changing the partition scheme explicitly from GPT (GUID) to MBR (Master Boot Record).
- Format the volume as FAT32 with the Allocation Unit (Cluster) Size set to 32KB (32,768 bytes).
- Ensure the MicroSD card is completely seated inside the physical card slot before plugging in USB power. The card reader is mounted strictly during the early boot sequence.
📶 Troubleshooting: Invisible AP Gateway
Symptom: The local wireless AP `Ghostchip` SSID does not appear in your smartphone's Wi-Fi network sweep.
Diagnostic & Action Steps:
- Verify the ESP32 receives standard 5V USB power (minimum 500mA output threshold). Avoid powering the device via high-voltage fast chargers that lack standard legacy 5V fallbacks.
- Ensure the onboard status RGB LED flashes or illuminates during power-up, indicating the chip is booted.
- If the AP is still missing, trigger a system clear: Disconnect USB power. Hold down the physical BOOT button on the ESP32 chip module. Reconnect USB power while holding the button, then release it to clear loop state anomalies.
- Ensure the device is not sitting directly next to high-power RF sources (routers, microwaves) that can degrade the local AP signal.
🤖 Troubleshooting: Groq AI & Assistant Compile Errors
Symptom: The AI prompts page or assistant display API communication errors, or generation hangs indefinitely.
Diagnostic & Action Steps:
- Network Verification: Confirm that both your control mobile phone and the GhostChip are connected to your own local Wi-Fi router (access point) with active internet. If your phone is connected to your home router but the GhostChip is still connected only to its default `Ghostchip` local network, API calls will fail. (See the AI Network Setup page).
- Ensure you can load `http://ghostchip.local` on your browser while connected to the router network. If the name fails to resolve on legacy devices, use the router IP shown on the connections dashboard.
- Confirm your saved Groq API Key is active. Retrieve a free key (starts with `gsk_`) from the official Groq Console and re-save it inside Settings.
- Check if your Groq request limits have been exceeded.
⌨️ Troubleshooting: Missed Keystrokes & Timings
Symptom: The HID injector types too fast, misses opening target windows, or types incorrect characters.
Diagnostic & Action Steps:
- Insert a
DELAY 3000command at the very beginning of your DuckyScript payloads. This gives the host OS time to enumerate the USB keyboard driver before keystrokes are typed. - Insert a
DEFAULTDELAY 150statement as the second line in your script. This adds a short delay after each keystroke, helping slower target systems process the inputs correctly. - Ensure the target host's input language layout is set to US English. Different regional keyboard layouts (such as UK, AZERTY) map characters to different physical keys and will result in character mapping errors.