JesseCHale/HaleHound-CYD: release HaleHound-CYD v3.5.5


HaleHound v3.5.5

What's New

New Modules

Airoha RACE (CVE-2025-20700 / CVE-2025-20701 / CVE-2025-20702)
Unauthenticated BLE GATT exploit for Airoha-based Bluetooth audio devices. Targets Sony XM4/XM5/XM6, Marshall, JBL, Jabra, Beyerdynamic — anything running an Airoha chipset. Extracts link keys, BD_ADDR, firmware version, and flash memory without pairing. Two-phase scan: BLE discovery then GATT service probe. Attack report with SD card loot save.

Tesla Charge Port Opener
Opens the charge port on any Tesla. Static 43-byte OOK payload, zero authentication, zero rolling code. Region selector: US (315 MHz), EU (433.92 MHz), or both.

.Sub Read — Flipper .sub File Browser + Transmitter
Browse and transmit Flipper Zero .sub files from the SD card. Supports RAW, Princeton, CAME, Nice FLO across the full CC1101 frequency range (300-348, 387-464, 779-928 MHz). Nested folder navigation. No .sub files required — drop them in /subghz/ on the SD when you have them.

Battery Monitor
LiPo battery voltage and percentage monitoring for boards with TP4854 charge IC (E32R28T, E32R35T). ADC on GPIO 34.
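An added example (not HaleHound-CYD code) of the conversion such a monitor performs: a raw ADC count from the sense pin becomes battery millivolts, then a percentage from a piecewise-linear single-cell LiPo curve. The 12-bit ADC, 3300 mV full scale, 2:1 divider and the curve points are assumptions for illustration; they must be calibrated against the actual board, and the ESP32 ADC is not perfectly linear near its limits.

```cpp
// Added example, not HaleHound-CYD code. On the target board the raw value
// would come from analogRead on GPIO 34; here the conversion is kept pure so
// it can be tested without hardware.
#include <cstdint>

constexpr int kAdcMax = 4095;          // assumed 12-bit ADC
constexpr int kAdcFullScaleMv = 3300;  // assumed full-scale input voltage
constexpr int kDividerRatio = 2;       // assumed 2:1 resistor divider

// Raw ADC count -> battery millivolts, clamping out-of-range counts.
int adcToBatteryMillivolts(int raw) {
    if (raw < 0) raw = 0;
    if (raw > kAdcMax) raw = kAdcMax;
    return raw * kAdcFullScaleMv / kAdcMax * kDividerRatio;
}

// Generic single-cell LiPo open-circuit curve (assumed, not measured data).
struct VoltagePoint { int mv; int percent; };
constexpr VoltagePoint kCurve[] = {
    {4200, 100}, {4000, 80}, {3850, 60}, {3700, 40}, {3550, 20}, {3300, 0}};
constexpr int kCurveLen = sizeof(kCurve) / sizeof(kCurve[0]);

// Battery millivolts -> 0..100 percent. Returns -1 when the reading is not a
// plausible single-cell LiPo voltage (no battery fitted, or wrong divider
// assumption), so the UI can show "no battery" instead of a bogus figure.
int lipoPercent(int mv) {
    if (mv < 2500 || mv > 4400) return -1;
    if (mv >= kCurve[0].mv) return 100;
    if (mv <= kCurve[kCurveLen - 1].mv) return 0;
    for (int i = 0; i + 1 < kCurveLen; ++i) {
        const VoltagePoint& hi = kCurve[i];
        const VoltagePoint& lo = kCurve[i + 1];
        if (mv <= hi.mv && mv >= lo.mv) {
            // linear interpolation inside the segment
            return lo.percent + (mv - lo.mv) * (hi.percent - lo.percent) / (hi.mv - lo.mv);
        }
    }
    return 0;
}

// Convenience wrapper: raw count straight to percent.
int batteryPercentFromAdc(int raw) {
    return lipoPercent(adcToBatteryMillivolts(raw));
}
```

A reading of 3775 mV lands halfway between the 3700 mV and 3850 mV points and reports 50 %; a reading of 0 mV (sense pin floating low) reports -1 rather than 0 %.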

SubGHz Replay — Major Overhaul

  • Complete UI revamp: Nosifer glitch title, 6-icon bar, skull watermark, transparent capture panel
  • RSSI gating — noise floor frames rejected, real remotes only
  • Drain loop — RMT RX buffer no longer floods with garbage
  • Repeat validation — requires signal decoded twice before accepting
  • CLEAR button — tap to discard capture and resume listening
  • On-screen QWERTY keyboard for custom profile naming
  • Auto-scan ON by default

SubGHz Brute Force — De Bruijn Fix

De Bruijn sequence generator was wired up but never called. Now active — overlapping code windows exhaust N-bit keyspace efficiently.

Proto Kill — GFSK Noise Mode

New toggle: CW carrier (original narrowband spike) or GFSK modulated noise (random 32-byte packets at 2Mbps filling ~2MHz bandwidth per channel). Toggle with SELECT when not jamming.

Bug Fixes

  • EEPROM address collision — Three modules used different EEPROM sizes and overlapping addresses. Settings commit with begin(512) was nuking all SubGHz saved profiles. Unified to 5120 bytes, moved WiFi portal addresses above SubGHz range.
  • SPI bus leak — Added SPI.end() to all NRF24 init failure paths (BLE Jammer, WLAN Jammer, Proto Kill, MouseJack). Prevents SPI bus lock when radio init fails on Core 0.
  • SubGHz Replay RMT restart — resumeRmtRx() wasn't uninstalling RX driver before re-init, causing capture to silently stop after clearing a signal.
  • SPI speed optimizations — Flash SPI 40→80 MHz, display SPI 40→55 MHz, NRF24 raw SPI 8→10 MHz.
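The EEPROM collision above is the classic symptom of each module carrying its own `begin(size)` and its own magic offsets: a `begin(512)` followed by a commit writes back only a 512-byte image, so everything a larger-size module stored beyond that is lost. As an added example (not the firmware's own layout or code), the C++ below puts one size constant and one region map in a shared header and rejects overlapping or out-of-bounds regions at compile time; the region names, offsets and lengths are assumptions chosen for illustration, and the 5120-byte size is the one stated in the release note.

```cpp
// Added example, not HaleHound-CYD code: a single EEPROM map every module
// includes, so no module can pick its own begin() size or reuse another
// module's address range.
#include <cstddef>
#include <cstdint>

// The one size every module must pass to EEPROM.begin().
constexpr size_t kEepromSize = 5120;

struct Region {
    const char* name;
    size_t offset;   // first byte
    size_t length;   // bytes reserved
    constexpr size_t end() const { return offset + length; }
};

// Assumed layout: settings first, SubGHz profiles next, WiFi portal above them.
constexpr Region kSettings       {"settings",        0,    256};
constexpr Region kSubGhzProfiles {"subghz_profiles", 256,  4096};
constexpr Region kWifiPortal     {"wifi_portal",     4352, 512};

constexpr Region kLayout[] = {kSettings, kSubGhzProfiles, kWifiPortal};
constexpr size_t kLayoutCount = sizeof(kLayout) / sizeof(kLayout[0]);

// True when every region is non-empty, fits inside eepromSize, and no two
// regions share a byte.
constexpr bool layoutIsValid(const Region* r, size_t n, size_t eepromSize) {
    for (size_t i = 0; i < n; ++i) {
        if (r[i].length == 0 || r[i].end() > eepromSize) return false;
        for (size_t j = i + 1; j < n; ++j) {
            bool disjoint = r[i].end() <= r[j].offset || r[j].end() <= r[i].offset;
            if (!disjoint) return false;
        }
    }
    return true;
}

// Fail the build, not the device in the field, if someone edits the map badly.
static_assert(layoutIsValid(kLayout, kLayoutCount, kEepromSize),
              "EEPROM regions overlap or exceed kEepromSize");

// Region-relative index -> absolute EEPROM address. Returns -1 instead of
// letting a write spill into the neighbouring region.
long eepromAddress(const Region& r, size_t index) {
    if (index >= r.length) return -1;
    return static_cast<long>(r.offset + index);
}

// Reproduces the shape of the old bug for the test below: one module assuming
// a 512-byte EEPROM at offset 0 while SubGHz profiles start inside that range.
// The checker must reject this map (constructed, not the real old layout).
bool overlapIsDetected() {
    const Region clashing[] = {{"settings_512", 0, 512}, {"subghz", 256, 4096}};
    return !layoutIsValid(clashing, 2, kEepromSize);
}

// A region that runs past the unified size must be rejected too.
bool overflowIsDetected() {
    const Region tooBig[] = {{"settings", 0, 256}, {"subghz", 256, 5000}};
    return !layoutIsValid(tooBig, 2, kEepromSize);
}
```

With every module calling `EEPROM.begin(kEepromSize)` and addressing through `eepromAddress(region, i)`, a commit from the settings module can no longer truncate the image below the SubGHz profile area, and a mistaken edit to the map fails to compile instead of erasing saved profiles at runtime.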

Other

  • README complete rewrite — trimmed, all 40+ modules documented, community credits
  • Ebyte PA module independent 3.3V buck converter requirement documented
  • Supported boards consolidated to 4 targets
  • Version bump to v3.5.5

Firmware Downloads

File                          Board
HaleHound-CYD-FULL.bin        CYD 2.8" (ESP32-2432S028)
HaleHound-E32R35T-FULL.bin    QDtech E32R35T 3.5"
HaleHound-E32R28T-FULL.bin    QDtech E32R28T 2.8"
HaleHound-CYD-HAT-FULL.bin    NM-RF-Hat

Flash at address 0x0 with ESP Web Flasher or esptool.

Four-file method also available — download all assets below.
