THE JAIL

⚡ Pi Zero 2 W  ·  ESP32  ·  It owns the spectrum ⚡

An industrial-grade RF penetration platform built on a Raspberry Pi Zero 2 W with an ESP32 attack co-processor. Wi-Fi karma, deauth, evil twin, captive portal, Sub-GHz capture/replay, NFC, IR, all driven wirelessly from your phone — wherever you are in the world.

The Jail — render of the device, matte black case with orange THE JAIL wordmark and hippo head etched into the vented top, antenna on the right.
🔒 SOURCE SEALED · LAUNCHING ON KICKSTARTER · JUNE 26, 2026

/ THE HARDWARE

Two radios. One mind. Pi handles brains, ESP32 handles attacks.

RPI · ZERO 2 WH

// THE BRAIN
  • BLE GATT server — phone discovers it as TheJail-Pi0-2WH
  • Cloud relay client — stays online via overlapping WebSocket rollover (zero downtime)
  • Wi-Fi watchdog — auto-reconnects if station drops, kills brcmfmac powersave permanently
  • MongoDB-backed signal store — every captured frame, every Sub-GHz code, every probe
  • Live system vitals — CPU, temp, mem, uptime to your phone in real time

ESP32 · WROOM

// THE TEETH
  • USB serial co-processor — talks JSON over /dev/ttyUSB0 to the Pi
  • Real packet injection — 802.11 deauth, beacon flood, evil twin frames
  • Promiscuous probe sniffer — channel-hops 1→13 capturing every nearby device
  • Karma + Evil Twin AP — built-in captive portal grabs creds, ring buffer of 30
  • Pi keeps its own Wi-Fi — ESP32 does the dirty work so the relay never drops

⚠ Ethical Use Only

Wi-Fi attacks, captive portals, and Sub-GHz replay are illegal against systems you don't own or have explicit written permission to test. The Jail is built for security research, your own gear, and authorized engagements. Don't be a dick.

/ FEATURES

Live, in-flight, and on the roadmap.

📡

WI-FI ATTACK SUITE

LIVE
  • Real 802.11 deauth via ESP32 injection
  • Karma — fake AP that accepts any SSID
  • Evil Twin clone with optional WPA2
  • Captive portal credential capture (ring buffer 30)
  • Probe-request sniffer w/ channel hopping
  • Beacon flood (fake AP names)
  • Live AP scan with RSSI + BSSID
🦛

CLOUD RELAY

LIVE
  • Drive your Pi from anywhere on earth
  • Overlapping WebSocket rollover — zero gap
  • Auto-reconnect grace window on disconnect
  • No port forwarding, no DDNS, no NAT pain
  • "Recent device" cache — no false-offline alerts
🦷

BLE BRIDGE

LIVE
  • Direct BLE GATT (no internet needed)
  • Service UUID: 4d-41-4b-4f… "MAKO"
  • Custom write/notify protocol
  • Pi advertises as TheJail-Pi0-2WH
🛰️

SUB-GHZ

LIVE
  • CC1101 transceiver, 300–928 MHz
  • RSSI sweep across all common ISM bands
  • Raw OOK capture + bit-perfect replay
  • Preset library: garage doors, car fobs, TPMS, weather, LoRa ISM
  • Saved captures live in your cloud signal library
📱

NFC 13.56 MHz

LIVE
  • PN532 over I2C
  • Read any ISO14443A tag — full UID + type ID
  • Full MIFARE Classic 1K dump (13 default-key dictionary)
  • Block-level read/write/clone to Magic Card
  • NTAG21x / Ultralight support
📺

IR UNIVERSAL REMOTE

LIVE
  • KY-005 TX + KY-022 RX modules (plug-and-play)
  • Kernel-driver IR transmit (precise 38 kHz carrier)
  • LEARN mode — capture any remote in 2 seconds
  • NEC / Samsung / Sony / RC5/RC6 preset library
  • "TV-Off" brute-force power-off sweep
🎥

PI CAMERA

PLANNED
  • Live preview in app
  • Snapshot + record
  • Motion-trigger capture
  • Streaming via cloud relay
⌨️

BADUSB

LIVE
  • Pi-Zero-as-keyboard via USB HID gadget
  • DuckyScript-compatible — REM / STRING / DELAY / GUI / CTRL / ALT / SHIFT
  • 500-line script cap, named-key shortcuts
  • PIN-locked client-side before any injection
  • Pre-loaded examples: Notepad pwn, terminal pop, lock-screen prank
📶

BLE SCANNER

LIVE
  • Pi-side passive scan via BlueZ + bleak
  • Address, RSSI, advertised services, manufacturer ID decode
  • Apple / Microsoft / Samsung / Tile / Garmin / Bose recognized
  • Up to 200 devices per 20 s window
⚙️

GPIO PLAYGROUND

LIVE
  • Visual grid of every safe GPIO pin
  • Read with optional pull-up/down
  • Write HIGH/LOW, one-shot pulse
  • Software PWM (1 Hz – 10 kHz, 0–100% duty)
  • Hardware-reserved pins fenced off — can't brick your rig

/ SEE IT WORK

Real Wi-Fi scan output from a working rig (no simulator).

raspberry@raspberry: ~ — the-jail.service @959ab5512b944118

/ GET STARTED

Setup is sealed under embargo until launch.

🔒

LAUNCHING JUNE 26, 2026

Pi setup wizard, ESP32 web-flasher, install scripts, hardware blueprint, and the companion app are all sealed until our Kickstarter goes live. Backers get the full kit on launch day.

Want early access? DM us — a limited founders' tier is available before the Kickstarter goes live.

/ ROADMAP

What's done, what's next, what's dreaming.

✓ SHIPPED

  • BLE GATT + Cloud Relay
  • Wi-Fi attack suite (5 working ops)
  • ESP32 firmware v0.3.0
  • Captive credential capture
  • Pi Vitals dashboard
  • Wi-Fi watchdog + auto-recovery
  • IR universal remote (KY-005 + KY-022)
  • Sub-GHz transceiver (CC1101, 300–928 MHz)
  • NFC reader/writer (PN532, MIFARE Classic dump/clone)
  • BadUSB (HID gadget, PIN-locked DuckyScript)
  • BLE Scanner (manufacturer-ID decode)
  • GPIO Playground (toggle/pulse/PWM)
  • CSV / JSON signal export

→ IN FLIGHT — LANDS BEFORE KICKSTARTER CLOSES

  • Pi Camera live preview
  • Phishing template gallery
  • Encrypted signal library backups
  • AES-GCM end-to-end encrypted comms
  • Audit log + tamper-evident chain
  • Self-hosted backend (Docker drop-in)
  • ATECC608A hardware-anchored anti-clone
  • Keeloq rolling-code bruteforce

/ FAQ

Quick answers.

What is The Jail and how is it different from a Flipper Zero?

Flipper Zero is great for short-range RF / NFC / IR tinkering, but it's hardware-locked, has a tiny screen, and you can't drive it from across the planet. The Jail is a Pi Zero 2 W + ESP32 in a custom enclosure that runs your favorite Flipper-style attacks AND adds: real packet injection (deauth/beacon flood), captive portal credential capture, full Wi-Fi station, network reconnaissance, and remote control over a cloud relay or BLE — all from a phone app.

Why two radios (Pi + ESP32) instead of just the Pi?

The Pi Zero 2 W has one Wi-Fi radio, and that radio can only do ONE of these at a time: be a station (connected to your home Wi-Fi), be an AP (Karma/Evil Twin), or be in monitor mode (sniffing). Running attacks on the Pi's radio kicks the Pi off your Wi-Fi and breaks the relay. The ESP32 is a dedicated second radio that handles all attacks while the Pi stays online to manage the bridge.

What hardware do I need?

Required: Raspberry Pi Zero 2 W (with 40-pin headers), micro-SD card (8 GB+), 5 V/2.5 A power supply, Freenove ESP32-WROOM (or any ESP32 dev board), Micro-USB OTG adapter, USB cable. Optional: TSOP4838 IR receiver, 940 nm IR LED, CC1101 module (Sub-GHz), PN532 module (NFC), Pi Camera.

Is this legal?

Owning the device and running it against your own gear is legal everywhere I know of. Running deauth, evil twins, or captive portals against networks/devices you don't own is a serious crime in most jurisdictions (CFAA in the US, similar laws elsewhere). Use The Jail only on equipment you own or have explicit written authorization to test.

Where does the cloud relay run? Do I need to pay?

The cloud relay is a tiny FastAPI server with a WebSocket endpoint. You can self-host it on any $5/month VPS (Hetzner / DigitalOcean / OVH), or use the public preview backend during early development. The Pi-side and ESP32-side code is yours forever — once you self-host the backend, there's no ongoing cost.

Can the captive portal capture HTTPS sites?

No, and that's by design. The captive portal serves its own HTTP page (not a clone of an HTTPS site). Any modern browser will refuse to send credentials to an HTTP form pretending to be google.com. The portal works because phones auto-pop a "Sign in to Wi-Fi" sheet over HTTP when they detect a captive network — and victims voluntarily type into that sheet.
