The Ultimate USB Hacking Tool: How I Turned a LilyGo T-Dongle S3 into a Powerful Red Team Device



USB-based attacks are often overlooked, yet they remain one of the most effective methods for gaining access to a system. The USB Army Knife, running on the LilyGo T-Dongle S3, is a multi-functional tool that combines USB HID keystroke injection, mass storage emulation, network impersonation, and WiFi/Bluetooth exploitation into a single, compact device. Unlike traditional BadUSB devices, it offers a web-based control interface, allowing for remote payload execution, USB mode switching, and real-time monitoring, making it a powerful addition to any penetration tester’s toolkit.

This guide walks through setting up the USB Army Knife using the web flasher method, accessing the Web UI, and running basic attack scripts. Whether you’re a red team operator testing physical security controls, a pentester looking to exploit USB attack surfaces, or a compliance professional assessing USB security policies, this device provides an all-in-one solution for USB and network-based attack simulation. Let’s dive into how I got my LilyGo T-Dongle S3 up and running with the USB Army Knife!


Objectives

By the end of this guide, I will have:

  • Flashed the USB Army Knife firmware onto my LilyGo T-Dongle S3 using a web browser.
  • Set up and accessed the USB Army Knife Web UI.
  • Learned how to troubleshoot USB recognition issues.
  • Explored optional steps to increase USB compatibility using eFuse burning.

What is the USB Army Knife Firmware?

[Image: https://github.com/i-am-shodan/USBArmyKnife]

The USB Army Knife firmware is an open-source tool designed for penetration testers and security professionals. It transforms an ESP32-based device into a multifunctional USB attack tool, supporting:

  • DuckyScript payloads for keystroke injection.
  • USB Mass Storage emulation.
  • USB Network impersonation & sniffing.
  • ESP32 Marauder WiFi & Bluetooth exploits.
  • Remote control via a web-based interface.

This firmware is extremely useful for physical access attacks and security research, allowing for a high degree of automation and flexibility.

What is the LilyGo T-Dongle S3?

[Image: T-Dongle-S3 Specs]

The LilyGo T-Dongle S3 is an ESP32-S3-based development board shaped like a USB stick. It features:

  • A built-in color LCD screen.
  • A physical button for interaction.
  • A hidden microSD card slot inside the USB connector.
  • Support for USB host/device modes.
  • WiFi & Bluetooth capabilities.

This device is one of the best-supported options for running the USB Army Knife firmware due to its small size, built-in screen, and SD card support.


Step 1: Getting the USB Army Knife Firmware

To start, I needed to grab the latest USB Army Knife firmware for my LilyGo T-Dongle S3.

Go to the USB Army Knife GitHub repository: https://github.com/i-am-shodan/USBArmyKnife

Find the latest release under the Releases section.

Download these essential files:

  • bootloader.bin
  • partitions.bin
  • firmware.bin
  • boot_app0.bin (Make sure to click ‘Download raw file’ to avoid any formatting issues).

  • Extract the files if they are compressed.


Step 2: Flashing the Firmware (The Easy Way — Web Flasher)

Instead of messing around with VS Code & PlatformIO, I took the easy route and flashed the firmware directly from my web browser.


1. Putting the Device into Bootloader Mode

  • Held the boot button on my LilyGo T-Dongle S3.
  • Plugged it into my computer via USB.
  • Released the button after 2 seconds.

2. Flashing with ESP Web Flasher

  1. Opened the flashing tool: ESP Web Flasher
  2. Clicked ‘Connect’ and selected my ESP32-S3 device.
  3. Uploaded the firmware files, making sure each one was mapped to the right offset:

       • bootloader.bin → Offset: 0x1000
       • partitions.bin → Offset: 0x8000
       • firmware.bin → Offset: 0x10000
       • boot_app0.bin → Offset: 0xe000

  4. Checked that no extra files were listed, then clicked ‘Program’.
  5. Waited for the flashing process to complete — a bunch of text started scrolling, confirming progress.
  6. Unplugged and reinserted the device (without holding any buttons this time).


Step 3: Setting Up and Running the USB Army Knife

With the firmware installed, it was time to fire up the USB Army Knife Web UI.

1. Connecting to the Web Interface

  • Plugged in the device.
  • Connected to the WiFi Access Point:  SSID: iPhone14  Password: password
  • Opened a browser and visited 👉 http://4.3.2.1:8080

[Image: USB Army Knife Dashboard]

2. What I Could Do from Here

Once inside the Web UI, I had full control over my device. I could: 

  • Upload and execute DuckyScript payloads.
  • Run WiFi and Bluetooth attacks.
  • Monitor logs and live output.
  • Use it as a custom USB attack tool.


Step 4: Blowing eFuses for Better USB Compatibility

By default, when plugged in, the ESP32-S3 first appears as a USB Serial Adapter before switching to its configured USB mode. Some computers don’t like this behavior and may fail to detect the device properly. The solution? Burn an eFuse to permanently disable this bootloader behavior.

Warning: Blowing eFuses is permanent. This means I can never flash firmware via USB again.

1. Installing Required Packages

To modify the eFuse settings, I installed these dependencies in VS Code’s PlatformIO terminal:

pip install cryptography ecdsa bitstring reedsolo

2. Checking My eFuse State

Before making any changes, I checked the current eFuse settings with:

pio pkg exec --package "platformio/tool-esptoolpy" -- espefuse.py --port COM3 summary

(Replaced COM3 with my actual device’s COM port—found in Device Manager on Windows).

3. Burning the USB_PHY_SEL eFuse

To lock in permanent USB compatibility, I ran:

pio pkg exec --package "platformio/tool-esptoolpy" -- espefuse.py --port COM3 burn_efuse USB_PHY_SEL 1

After that, my device worked flawlessly as a USB HID on any system without connection issues. 


Exploring the Web Interface: Features & Running Commands

Once my USB Army Knife was successfully flashed and connected, I accessed its web-based control panel. The Web UI makes it easy to run USB, WiFi, Bluetooth, and HID attacks without needing to plug/unplug the device constantly.

Web Interface Features

The USB Army Knife Web UI provides full control over the device’s capabilities. Here’s what I found inside:

Home Dashboard

  • Shows device status, uptime, and WiFi details.
  • Quick access to payload execution and logs.

File Manager

  • Upload, view, and delete DuckyScript payloads or images for the device’s screen.
  • Manage USB storage files for mass storage emulation.

[Image: USB File Manager]

DuckyScript Execution

  • Write and run DuckyScript commands directly from the browser.
  • Choose from preloaded scripts or upload custom ones.

USB Mode Control

  • Toggle between USB HID (keyboard), mass storage, and network modes.
  • Emulate USB Ethernet adapters, CD-ROMs, and raw USB devices.

[Image: All Settings]

WiFi & Bluetooth Attack Panel

  • Start ESP32 Marauder’s WiFi attacks (deauth, PMKID sniffing, beacon spam).
  • Scan for Bluetooth devices and spoof connections.

Live Logs & Execution Status

  • View real-time logs of executed commands.
  • Debug scripts and see error messages if something fails.


Running a Basic DuckyScript from the Web UI

Now that my USB Army Knife was fully set up, I wanted to test running a basic DuckyScript payload. The Web UI makes this incredibly easy, allowing me to select and execute scripts directly from the dashboard.

Step 1: Accessing the Web UI

  • I opened the Web UI by connecting to WiFi SSID: iPhone14 and visiting: http://4.3.2.1:8080.
  • On the main dashboard, I found the ‘Select a Script’ dropdown menu.
  • I selected hello_world.ds from the list.

Step 2: Selecting a Script from the Dropdown

On the main dashboard, I found the dropdown menu. This menu listed all available scripts stored on the device’s microSD card.

For my test, I selected hello_world.ds, a basic script designed to simulate keyboard input by opening Notepad and typing out a simple message.

[Image: Dropdown Menu]

Step 3: Executing the Script

  • After selecting hello_world.ds, I clicked 'Execute'.
  • The Web UI displayed a confirmation message:

Running hello_world.ds...

  • Within seconds, my USB Army Knife acted like a keyboard, automatically opening Notepad and typing: Hello, World!
  • I watched the live logs to verify that the script executed correctly:

Executing hello_world.ds...
STRING Hello, World!
Execution Complete.

Red Teaming, Penetration Testing, and Compliance Implications

The USB Army Knife is a versatile tool that can be used for physical security assessments, penetration testing, and compliance verification. Below, I’ll break down how this device fits into three key security domains: Red Teaming, Penetration Testing, and Compliance Assessments.

Red Teaming: Simulating Real-World Attacks

  • For red team operations, the USB Army Knife allows for covert execution of payloads when physical access to a target machine is obtained. Unlike traditional USB attack devices like the Rubber Ducky, this tool can also masquerade as multiple USB devices, including HID keyboards, mass storage, and network adapters, making detection and prevention more difficult.
  • A typical red team use case could involve leaving the USB Army Knife in a target environment disguised as an innocent-looking USB drive. Once plugged in, it can execute keystroke injection attacks, deploy reverse shells, or interact with the system remotely through its web interface. Its ability to deploy payloads via WiFi and Bluetooth adds another layer of remote-controlled attack capability, making it a potent tool for adversarial simulation.

Penetration Testing

  • For penetration testers, the USB Army Knife provides a flexible way to test USB security defenses. Many organizations fail to enforce strict USB device policies, making them vulnerable to HID injection, rogue mass storage devices, and USB network impersonation attacks.
  • One practical test involves using the USB Army Knife in network adapter mode to capture initial DHCP requests, intercept credentials, or conduct local network poisoning attacks. In addition, the built-in ESP32 Marauder functionality allows pentesters to scan for nearby WiFi access points, perform deauthentication attacks, and capture WPA handshakes for offline cracking. These capabilities make it ideal for both USB and wireless attack simulations in a single deployment.

Compliance & Security Awareness: Strengthening Defenses

  • From a compliance and security awareness standpoint, organizations can use the USB Army Knife to evaluate and strengthen USB security policies. Many industry security frameworks, including NIST, ISO 27001, and CIS Controls, recommend implementing strict access controls, USB device whitelisting, and endpoint monitoring to mitigate USB-based threats.
  • By testing environments with the USB Army Knife, security teams can validate whether endpoint detection and response (EDR) solutions properly flag unauthorized USB devices. Compliance teams can also use it to train employees on the dangers of USB threats, demonstrating how an attacker could easily execute malicious scripts or gain access through an unattended system.
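
Added example (not from the article or the USB Army Knife project): a Python check a security team could run over endpoint kernel logs when validating USB detection. It flags a port whose device changes VID:PID within seconds, as in the serial-adapter-then-configured-mode startup described in Step 4. The log lines, host name and VID:PID values are constructed placeholders, and the Linux journal `short-iso` line format is an assumption about the endpoint.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (journalctl -o short-iso style). VID:PID values are
# placeholders, not identifiers taken from the device or the article.
SAMPLE_LOG = """\
2025-01-10T09:15:02+0000 ws12 kernel: usb 1-2: New USB device found, idVendor=aaaa, idProduct=0001, bcdDevice= 1.01
2025-01-10T09:15:02+0000 ws12 kernel: cdc_acm 1-2:1.0: ttyACM0: USB ACM device
2025-01-10T09:15:04+0000 ws12 kernel: usb 1-2: USB disconnect, device number 7
2025-01-10T09:15:05+0000 ws12 kernel: usb 1-2: New USB device found, idVendor=bbbb, idProduct=0002, bcdDevice= 1.00
2025-01-10T11:40:10+0000 ws12 kernel: usb 1-4: New USB device found, idVendor=cccc, idProduct=0003, bcdDevice= 2.00
2025-01-10T16:02:31+0000 ws12 kernel: usb 1-4: New USB device found, idVendor=dddd, idProduct=0004, bcdDevice= 1.00
"""

NEW_DEV = re.compile(r"^(\S+) \S+ kernel: usb (\d+-[\d.]+): New USB device found, "
                     r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
ACM = re.compile(r"^\S+ \S+ kernel: cdc_acm (\d+-[\d.]+):[\d.]+: ttyACM\d+")


def find_identity_switches(log_text, window=timedelta(seconds=10)):
    """Return ports where one physical port presented two different
    VID:PID identities within `window` (plug-in followed by re-enumeration)."""
    last = {}       # port -> (timestamp, "vid:pid") of the latest enumeration
    serial = set()  # ports whose current device bound the CDC ACM serial driver
    findings = []
    for line in log_text.splitlines():
        m = ACM.match(line)
        if m:
            serial.add(m.group(1))
            continue
        m = NEW_DEV.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S%z")
        port, ident = m.group(2), f"{m.group(3)}:{m.group(4)}"
        prev = last.get(port)
        if prev and prev[1] != ident and ts - prev[0] <= window:
            findings.append({"port": port, "first": prev[1], "second": ident,
                             "gap_s": (ts - prev[0]).total_seconds(),
                             "serial_first": port in serial})
        serial.discard(port)  # serial flag belongs to the previous device only
        last[port] = (ts, ident)
    return findings


if __name__ == "__main__":
    for finding in find_identity_switches(SAMPLE_LOG):
        print(finding)
```

A device with the Step 4 eFuse burned no longer shows the serial-first stage, so this heuristic covers only unmodified boards and belongs alongside USB device allow-listing rather than in place of it.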


Conclusion

Setting up and running the USB Army Knife on my LilyGo T-Dongle S3 was a straightforward and rewarding experience. In just a few steps, I transformed a simple ESP32-based USB device into a multi-functional penetration testing tool capable of USB attacks, network exploitation, and WiFi/Bluetooth hacking.

The Web UI proved to be an incredibly powerful interface, allowing me to execute scripts, control the device remotely, and monitor live logs — all without needing to manually interact with the USB dongle. The ability to run DuckyScript payloads on demand makes this device a versatile alternative to traditional BadUSB tools like the Rubber Ducky.

