Pwnagotchi: Building an AI-Powered Hacker Gadget
Looking at the small device with a display showing a virtual pet making funny faces, it’s hard not to feel that Pwnagotchi is somewhat similar to the Flipper Zero. There’s a real connection between these projects: in an interview with “Hacker,” Flipper’s creator Pavel Zhovner mentioned that he was inspired by Pwnagotchi when designing his device. “Tamagotchi for hackers” (the name Pwnagotchi is a blend of the slang term “pwn” and the popular Bandai toy) actually appeared first: the initial version was announced in October 2019, while Flipper Zero hit Kickstarter in July 2020.
However, these devices are quite different. Flipper Zero is a “Swiss Army knife” for hackers and pentesters, offering a wide range of tools via additional modules and apps—except for Wi-Fi hacking. To get that, Flipper users need a separate module, while Pwnagotchi is designed specifically for one practical task: Wi-Fi hacking. Another difference: Flipper Zero uses two buttons for interaction, while Pwnagotchi has no controls at all. Just turn it on, and it works. But how exactly does it work?
How Does Pwnagotchi Work?
When your phone, laptop, or other device connects to a Wi-Fi access point using WPA2, they exchange four special data packets to establish a secure channel. This process is called a four-way handshake. During the handshake, EAPOL (Extensible Authentication Protocol over LAN) messages are exchanged. In the second packet (EAPOL M2), the client tells the access point it knows the PSK key. In response (EAPOL M3), the access point confirms the key is valid. If there’s no confirmation, the device likely tried to connect with the wrong password.
Pwnagotchi intercepts and saves data from confirmed M2 packets. Later, the user can recover the Wi-Fi password from the hash using dictionary attacks with tools like hashcat or online services like Onlinehashcrack.
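To make the handshake description above concrete, here is an added example (not code from the article or from the Pwnagotchi project) that parses raw EAPOL-Key frames, names each one M1 to M4 from its Key Information flags, and then applies the "confirmed M2" rule: an M2 counts as confirmed only when an M3 with the next replay counter answers it. All frames below are constructed with a small builder; the RSN IE bytes and replay counters are placeholders, not real captures.

```python
"""EAPOL-Key frame parser that classifies four-way handshake messages.

Added example; constructed sample frames, not a real capture.
"""
import struct
from dataclasses import dataclass

# Key Information bit masks from the IEEE 802.11 EAPOL-Key frame format.
KI_PAIRWISE = 0x0008  # key type: 1 = pairwise (PTK), 0 = group (GTK)
KI_ACK = 0x0080       # set by the access point in M1 and M3
KI_MIC = 0x0100       # set when the Key MIC field is valid (M2, M3, M4)
KI_SECURE = 0x0200    # set once the PTK is installed (M3, M4)

# Offsets inside the EAPOL-Key body (after the 4-byte 802.1X header).
_OFF_REPLAY, _OFF_NONCE, _OFF_MIC, _OFF_KDLEN, _BODY_FIXED = 5, 13, 77, 93, 95


@dataclass
class EapolKey:
    descriptor: int      # 2 = RSN (WPA2), 254 = legacy WPA
    key_info: int
    replay_counter: int
    nonce: bytes
    mic: bytes
    key_data: bytes

    @property
    def message(self) -> str:
        """Name the handshake message from the Ack/MIC/Secure flags."""
        ki = self.key_info
        if not ki & KI_PAIRWISE:
            return "group"
        ack, mic = bool(ki & KI_ACK), bool(ki & KI_MIC)
        if ack and not mic:
            return "M1"
        if ack and mic:
            return "M3"
        if mic:
            # M2 and M4 both have MIC set and Ack clear; M4 has Secure set
            # (RSN) and carries no key data, while M2 carries the client's RSN IE.
            return "M4" if (ki & KI_SECURE or not self.key_data) else "M2"
        return "unknown"


def parse_eapol_key(frame: bytes) -> EapolKey:
    """Parse an 802.1X EAPOL frame of type Key (3); raise on malformed input."""
    _version, ptype, length = struct.unpack_from("!BBH", frame, 0)
    if ptype != 3:
        raise ValueError(f"not an EAPOL-Key frame (type {ptype})")
    body = frame[4:4 + length]
    if len(body) < _BODY_FIXED or len(body) < length:
        raise ValueError("truncated EAPOL-Key body")
    descriptor, key_info, _key_len = struct.unpack_from("!BHH", body, 0)
    (replay,) = struct.unpack_from("!Q", body, _OFF_REPLAY)
    (kd_len,) = struct.unpack_from("!H", body, _OFF_KDLEN)
    key_data = body[_BODY_FIXED:_BODY_FIXED + kd_len]
    if len(key_data) != kd_len:
        raise ValueError("key data length exceeds frame")
    return EapolKey(descriptor, key_info, replay,
                    body[_OFF_NONCE:_OFF_NONCE + 32],
                    body[_OFF_MIC:_OFF_MIC + 16], key_data)


def confirmed_handshakes(frames):
    """Return (M2, M3) pairs where the M3 answers the M2 (replay counter + 1).

    An M2 with no matching M3 is what a wrong-password attempt looks like:
    the access point never confirmed the key.
    """
    pending = {}   # replay counter of an M2 -> that M2
    confirmed = []
    for f in frames:
        if f.message == "M2":
            pending[f.replay_counter] = f
        elif f.message == "M3" and f.replay_counter - 1 in pending:
            confirmed.append((pending.pop(f.replay_counter - 1), f))
    return confirmed


def build_eapol_key(key_info, replay, key_data=b"", nonce=b"\x00" * 32,
                    mic=b"\x00" * 16) -> bytes:
    """Build a constructed EAPOL-Key frame for demonstration only."""
    body = (struct.pack("!BHH", 2, key_info, 16) + struct.pack("!Q", replay)
            + nonce + b"\x00" * 32          # Key IV, Key RSC, Key ID (zeroed)
            + mic + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 2, 3, len(body)) + body


_RSN_IE = b"\x30\x02\x01\x00"  # constructed stand-in for the client's RSN IE
SAMPLE_FRAMES = [                             # constructed, not captured
    build_eapol_key(0x008a, 1),               # M1: Ack
    build_eapol_key(0x010a, 1, _RSN_IE),      # M2: MIC, client proves the key
    build_eapol_key(0x13ca, 2, b"\x00" * 8),  # M3: Ack+MIC+Secure, confirms M2
    build_eapol_key(0x030a, 2),               # M4: MIC+Secure, no key data
    build_eapol_key(0x008a, 7),               # M1 of a second attempt ...
    build_eapol_key(0x010a, 7, _RSN_IE),      # ... whose M2 is never answered
]


def summarize(raw_frames=SAMPLE_FRAMES):
    parsed = [parse_eapol_key(f) for f in raw_frames]
    return [p.message for p in parsed], len(confirmed_handshakes(parsed))


if __name__ == "__main__":
    print(summarize())  # (['M1', 'M2', 'M3', 'M4', 'M1', 'M2'], 1)
```

The replay counter is the link: M1 and M2 share one value, M3 and M4 share the next, so an M3 "confirms" exactly the M2 whose counter is one lower. The second attempt in the sample produces an M2 with no M3, which is the case the article describes as a likely wrong password.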
To collect hashes, Pwnagotchi uses the Bettercap utility, familiar to anyone who’s used Kali Linux. It’s a tool for intercepting wireless traffic and performing MITM attacks. Pwnagotchi scans the airwaves and captures handshakes when client devices connect to access points, saving the data as PCAP files on an SD card for later analysis. Handshakes happen regularly, for example, when devices that previously connected to a network come into range, or when wireless printers are turned on. Since this attack is completely passive, it’s very hard to detect—Pwnagotchi operates silently and invisibly.
The device can also “force” handshake collection using more aggressive methods. The first is deauthentication: Pwnagotchi sends special packets to all connected devices, disconnecting them from the network. When they reconnect, Pwnagotchi captures their password hashes. The second method is sending special EAPOL packets to the access point to provoke a PMKID leak. In this case, the handshake isn’t even needed: the PMKID is sent in the first handshake packet (M1), before password authentication. PMKID caching is enabled on some routers, mainly in corporate networks, but not all devices are vulnerable.
Pwnagotchi uses artificial intelligence, specifically a reinforcement-learning algorithm called Advantage Actor-Critic (A2C). The A2C algorithm evaluates the device’s current state and recommends the best next action to maximize results, creating logical “state-action-reward” chains. This way, Pwnagotchi “learns” to hack wireless networks on the fly: the more successful hash captures it makes, the faster and more efficiently it will act in the future, choosing the best tactics for each situation.
Pwnagotchi Hardware
The Pwnagotchi’s design is very simple: all components can be bought on AliExpress and are relatively inexpensive.
- Raspberry Pi Zero WH: This single-board computer is the core of the device. Make sure to get the WH version, as it has built-in Wi-Fi, Bluetooth, and a pre-soldered interface connector for the display.
- E-Ink Display Module: The official project page recommends Waveshare V2 screens, but these are now outdated. The author used a 2.13″ Waveshare display (V4 version), which required some extra setup but worked fine.
- Power Module: Any compact power bank with a Micro-USB cable will work, but a dedicated battery module for Raspberry Pi Zero (like those from Waveshare) is neater and more convenient.
- MicroSD Card: At least 32GB capacity is recommended. Any inexpensive card will do.
Assembly and Setup
Assembling the Pwnagotchi is easy enough for anyone. Connect the battery to the power module, attach the Raspberry Pi Zero WH on top using the included screws, and make sure the pins align. Insert the display module into the interface connector on the Raspberry Pi. That’s it—the hardware is ready. Some people 3D print custom cases, but that’s optional.
To boot, the Raspberry Pi Zero needs a MicroSD card with an operating system. Pwnagotchi uses a modified Raspbian distribution with additional modules like Bettercap and Python libraries for machine learning. The official instructions suggest downloading the firmware from GitHub, but if you have a Waveshare V4 display, you’ll need a modified firmware that supports it.
Write the firmware image to the SD card using balenaEtcher or the dd utility. The card will have two partitions: boot (with boot files and settings) and the OS partition.
Next, edit the device’s basic settings. Without removing the card from your computer, open the boot partition and create a config.toml text file with content like this:
```toml
main.name = "PwnagotchiName"
main.lang = "en"
main.whitelist = [ "MyWi-Fi_1", "MyWi-Fi_2" ]
main.plugins.grid.enabled = true
main.plugins.grid.report = true
main.plugins.grid.exclude = [ "MyWi-Fi_1", "MyWi-Fi_2" ]
ui.display.enabled = true
ui.display.type = "waveshare_3"
ui.display.color = "black"
```
Replace PwnagotchiName with any name you like. In main.whitelist and main.plugins.grid.exclude, list the SSIDs or MAC addresses of networks/devices Pwnagotchi should ignore (e.g., your home Wi-Fi).
Now insert the SD card into the Raspberry Pi Zero, but don’t power it on yet. The board has two Micro-USB ports: one for power only, the other for power and data. Connect Pwnagotchi to your computer using the data port. It will likely show up as a USB serial device (e.g., COM3) in Windows, meaning you need to install the Ethernet RNDIS driver. Once installed, a new USB Ethernet/RNDIS Gadget network adapter will appear. Set its IP address to 10.0.0.1, subnet mask 255.255.255.0, gateway 10.0.0.1, and DNS server 8.8.8.8. Now you can connect to Pwnagotchi via SSH using any suitable app, like PuTTY.
It Works!
Setup is complete—turn on the device and enjoy! Booting takes 15–20 seconds, after which your virtual pet’s name and face will appear on the screen.
Pwnagotchi can make different faces, each with its own meaning (see the project website for details). Besides faces, the device displays its current status, the number of captured packets, the SSID of the last captured network, and other info. If another Pwnagotchi is nearby, it will display a message about it.
In the creators’ terminology, Pwnagotchi “feeds” on wireless network packets. If your pet says it’s hungry, take it somewhere with lots of Wi-Fi networks to scan and hack. If it’s bored, the only way to entertain it is to “feed” it some EAPOL packets.
By default, Pwnagotchi works automatically and doesn’t need user intervention. However, you can customize the firmware: change the language, add new faces and statuses, or install plugins to expand its capabilities. Instructions are available on the developers’ website.
Of course, how effective Pwnagotchi is depends on the strength of the Wi-Fi password you capture. If the password follows good security practices, you’ll probably need a mining rig to crack it. But if it’s a simple dictionary word, brute-forcing it could take just a few hours.
How to Protect Yourself
Most readers know the risks of unauthorized access to a wireless network: attackers can reach shared resources and confidential files, intercept traffic, and use your internet connection. How can you protect yourself from attacks using this device, especially since Pwnagotchi is so stealthy? It’s hard to prevent passive packet capture, but you can take steps in case someone does recover your Wi-Fi key from a hash.
- Use a strong Wi-Fi password and monitor connected clients. If you see a suspicious new device, change your password.
- The best protection is to configure your router to only allow devices with pre-approved MAC addresses (a whitelist).
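The two things the list above says to watch for can be checked automatically from a monitor-mode capture of your own network. The following is an added example, not code from the article or the Pwnagotchi project: it parses raw 802.11 management frame headers and raises an alert when a burst of deauthentication frames hits your BSSID (the forced-reconnect pattern described earlier) or when a client MAC that is not on your approved list sends an association request. The BSSID, client MACs, threshold and timestamps are constructed for the demonstration.

```python
"""Wi-Fi monitor for deauthentication bursts and unapproved client MACs.

Added example with constructed sample frames; not a real capture.
"""
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_ASSOC_REQ = 0x0
SUBTYPE_DEAUTH = 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_mgmt_frame(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3) from an 802.11 MAC header.

    Frame Control is little-endian; type sits in bits 2-3, subtype in bits 4-7.
    For management frames addr1 = destination, addr2 = source, addr3 = BSSID.
    """
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    return ftype, subtype, _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])


class WifiMonitor:
    def __init__(self, my_bssid, known_clients, deauth_threshold=10, window_s=1.0):
        self.my_bssid = my_bssid.lower()
        self.known_clients = {m.lower() for m in known_clients}
        self.threshold, self.window = deauth_threshold, window_s
        self._deauth_times = defaultdict(deque)  # (source, dest) -> timestamps
        self.alerts = []

    def ingest(self, ts: float, frame: bytes):
        ftype, subtype, a1, a2, a3 = parse_mgmt_frame(frame)
        if ftype != TYPE_MGMT or a3 != self.my_bssid:
            return  # only management frames for our own network matter
        if subtype == SUBTYPE_DEAUTH:
            (reason,) = struct.unpack_from("<H", frame, 24)
            q = self._deauth_times[(a2, a1)]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()
            # A single deauth is normal housekeeping; a burst, especially to
            # the broadcast address, is what a forced reconnect looks like.
            if len(q) == self.threshold:
                self.alerts.append(("deauth_burst", a2, a1, reason, len(q)))
        elif subtype == SUBTYPE_ASSOC_REQ and a2 not in self.known_clients:
            self.alerts.append(("unknown_client", a2, a3))


def _build_mgmt(subtype, addr1, addr2, addr3, body=b"") -> bytes:
    """Constructed management frame: FC, duration, 3 addresses, seq ctrl, body."""
    fc = TYPE_MGMT << 2 | subtype << 4
    return (struct.pack("<HH", fc, 0) + _mac_bytes(addr1) + _mac_bytes(addr2)
            + _mac_bytes(addr3) + struct.pack("<H", 0) + body)


BSSID = "02:00:00:00:aa:01"                              # constructed
KNOWN = ["02:00:00:00:c1:01", "02:00:00:00:c1:02"]        # constructed


def sample_capture():
    """Constructed (timestamp, frame) list standing in for a live capture."""
    deauth = _build_mgmt(SUBTYPE_DEAUTH, BROADCAST, BSSID, BSSID, struct.pack("<H", 7))
    frames = [(0.05 * i, deauth) for i in range(12)]          # 12 deauths in 0.55 s
    frames.append((1.0, _build_mgmt(SUBTYPE_ASSOC_REQ, BSSID, KNOWN[0], BSSID)))
    frames.append((1.2, _build_mgmt(SUBTYPE_ASSOC_REQ, BSSID, "02:00:00:00:c1:99", BSSID)))
    other = "02:00:00:00:bb:01"                                # someone else's network
    frames.append((2.0, _build_mgmt(SUBTYPE_DEAUTH, BROADCAST, other, other, struct.pack("<H", 3))))
    return frames


def run(frames=None):
    mon = WifiMonitor(BSSID, KNOWN)
    for ts, f in (frames if frames is not None else sample_capture()):
        mon.ingest(ts, f)
    return mon.alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The monitor keys its sliding window on (source, destination) so that a single burst aimed at the broadcast address produces one alert rather than one per client, and it ignores frames for other BSSIDs, which matters in a dense office where neighbouring networks generate their own deauthentications. The association-request check is the "monitor connected clients" step from the list above expressed as code: any MAC outside the approved set is reported the moment it tries to join.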
Personally, I found Pwnagotchi to be a fun and interesting device for testing wireless network security—just by walking around the office. It can’t match Flipper Zero’s range of features, but for the price of one Flipper, you could build a whole zoo of Pwnagotchis—and still have money left over for snacks.