Can a Flipper Zero Do 5 GHz Wi-Fi? 5Ghost vs the ESP32 Marauder

PINGEQUA Lab · Wi-Fi research · 7 min read

If you've used a Flipper Zero Wi-Fi add-on, it was almost certainly 2.4 GHz only — and that's not a software choice. It's the radio. Here's why the popular ESP32 Marauder stops at 2.4 GHz, what changes when the hardware can actually reach 5 GHz, and an honest look at when each tool is the right call.

Short version The ESP32 chip the Marauder runs on has no 5 GHz radio, so it can't see, scan, or test 5 GHz networks at all. The 5Ghost board uses a Realtek RTL8720DN (BW16), which is natively dual-band — so 5 GHz scanning, channel mapping, handshake capture and deauth all work on both bands. The Marauder is still the more mature, fully open-source ecosystem with Bluetooth tools; 5Ghost is the pick when you specifically need 5 GHz and protection-aware results on a native Flipper app.

Why most Flipper Wi-Fi tools stop at 2.4 GHz

The Flipper Zero has no Wi-Fi radio of its own, so every Wi-Fi capability comes from an add-on board. By far the most common one is built on an ESP32 — cheap, well-documented, and the platform the excellent ESP32 Marauder firmware targets.

The catch is physical: the original ESP32, the ESP32-S2 and S3, and even the newer Wi-Fi 6 ESP32-C3 and C6 are all 2.4 GHz only. There is no 5 GHz radio on the die, so no firmware — Marauder included — can scan or interact with a 5 GHz network on those chips. It simply can't hear them.

One honest caveat: in 2024 Espressif released the ESP32-C5, the first ESP32 with dual-band 2.4 + 5 GHz Wi-Fi 6. So "ESP32 can never do 5 GHz" is no longer strictly true at the chip level. But the C5 is a brand-new part — it is not the hardware the Marauder ecosystem and the common Flipper "Wi-Fi dev boards" are built on. In practice today, a Marauder setup is 2.4 GHz.

What the ESP32 Marauder gets right

Let's be fair — the Marauder is popular for good reason, and for a lot of people it's the right tool:

  • Mature and fully open-source. Years of development, a huge community, and firmware you can read and build yourself.
  • A broad 2.4 GHz toolkit. Beacon spam, deauth, probe and packet sniffing, packet capture to PCAP, and an Evil Portal — the staples are all there.
  • Bluetooth tools too. The Marauder also does Bluetooth/BLE scanning and spam, which a Wi-Fi-focused board doesn't.
  • Cheap and everywhere. ESP32 boards are inexpensive and easy to find.

If your work is 2.4 GHz, you want Bluetooth tooling in the same board, and you value a large open-source community, the Marauder is a great answer.

What changes when the radio is actually dual-band

Modern routers have been pushing traffic to 5 GHz for years — it's faster and far less crowded. A 2.4 GHz-only tool is blind to that half of the air. That's the gap the 5Ghost WiFi Lab was built to close.

5Ghost runs on the Realtek RTL8720DN (BW16), which has a genuine 5 GHz radio. With dual-band hardware in place, the interesting part is what the software does with it:

  • Real 5 GHz scanning alongside 2.4 GHz — you finally see the networks 2.4-only tools miss.
  • PMF / WPA3 awareness. By parsing each beacon's RSN information element, 5Ghost flags access points that use 802.11w (Protected Management Frames) or WPA3 — the ones that are immune to deauth — so you know up front instead of attacking something that ignores you.
  • A 5 GHz handshake path that lands. On 2.4 GHz this class of chip often can't hear the client's uplink frames; 5Ghost routes WPA/WPA2 handshake capture through 5 GHz, where it reliably completes, and writes a standard PCAP to the SD card.
  • A native Flipper app. Channel-congestion mapping, an AP detail view, Evil Portal with your own HTML — driven from one clean app on the Flipper screen, not a serial console.

5Ghost vs ESP32 Marauder — side by side

Capability ESP32 Marauder 5Ghost (RTL8720DN)
Radio chipset ESP32 (2.4 GHz) RTL8720DN / BW16
2.4 GHz scan & tools Yes Yes
5 GHz scan & tools No — no 5 GHz radio Yes (native)
Deauth (2.4 GHz) Yes Yes
Beacon / probe / sniff Yes Yes
Handshake → PCAP Yes (2.4 GHz) Yes (via 5 GHz)
PMF / WPA3 deauth-immunity flagged Not a headline feature* Yes
Evil Portal / captive portal Yes Yes (custom HTML)
Bluetooth / BLE tools Yes No (Wi-Fi focused)
Interface Marauder UI / serial Native Flipper app
Openness Fully open-source App open (MIT); firmware closed
Maturity / community Large, established Newer, focused

*Feature sets evolve — this reflects each project's typical focus as of mid-2026; check each project's current documentation. The hardware 5 GHz difference, however, is fixed by the chip.

So which should you pick?

This isn't a "one is bad" story — they're built for different jobs:

  • Choose the ESP32 Marauder if your targets are 2.4 GHz, you want Bluetooth tooling on the same board, you prefer fully open-source firmware, and you want the largest community and the lowest price.
  • Choose 5Ghost if you need to work on 5 GHz networks, you want protection-aware results (knowing which APs are WPA3 / PMF before you act), you want a reliable 5 GHz handshake path, and you prefer a single native Flipper app.

Plenty of people keep both. But if the limitation you keep hitting is "my tool can't see the 5 GHz network," no amount of firmware fixes an ESP32 — you need dual-band hardware.

Get dual-band 5 GHz on your Flipper Zero

The 5Ghost board ships preloaded — dock it on the GPIO header, copy one app to the SD card, and you're scanning both bands. Two versions: compact onboard antenna, or a high-gain 8 dBi for range.

Onboard antenna → 8 dBi long-range →
See the open-source app on GitHub →

The honest limits (works on any tool)

A comparison is only useful if it's straight about what nothing in this category can do:

  • WPA3-SAE can't be cracked offline — by any tool. SAE (Dragonfly) is designed so a captured handshake carries no offline-crackable hash. 5Ghost detects WPA3 and tells you it's out of reach rather than pretending otherwise.
  • PMF / WPA3 access points can't be deauthed. That's 802.11w working as designed, on the Marauder and on 5Ghost alike. The difference is whether the tool tells you before you try.
  • Mesh roaming is hard for any single-radio device — a client can roam to another node faster than one radio can keep up.

FAQ

Can the ESP32 Marauder do 5 GHz Wi-Fi?
No. The ESP32 chips the Marauder runs on (ESP32, S2, S3, C3, C6) are 2.4 GHz only — there's no 5 GHz radio, so no firmware can add it. Espressif's 2024 ESP32-C5 is the first dual-band ESP32, but it isn't the hardware the Marauder ecosystem uses today. For 5 GHz you need different hardware, such as the RTL8720DN-based 5Ghost board.
Does the Flipper Zero have built-in Wi-Fi?
No. The Flipper Zero has no Wi-Fi radio. Every Wi-Fi feature comes from an add-on board on the GPIO header — an ESP32 board for the Marauder, or the dual-band RTL8720DN board for 5Ghost.
Is 5Ghost just a Marauder clone?
No. It's a different stack on different hardware: a native Flipper app driving a dual-band RTL8720DN, with 5 GHz support and PMF/WPA3 detection that the 2.4 GHz ESP32 platform can't offer. The Marauder remains the broader, fully open-source 2.4 GHz toolkit with Bluetooth features.
Can either tool crack a Wi-Fi password?
For WPA/WPA2, both can capture a 4-way handshake that you then crack offline on your own computer (hashcat / aircrack-ng) — success depends entirely on the password's strength. Neither can crack WPA3-SAE offline; that's a protocol-level guarantee, not a tool limitation.
Do I need to flash anything to use 5Ghost?
No. The 5Ghost board ships preloaded. You dock it on the GPIO header and copy one app file to the Flipper SD card. If the module firmware is ever corrupted, it re-flashes from a desktop Chromium browser over USB-C.

Sources & further reading: ESP32-C5 dual-band Wi-Fi 6 — Espressif; ESP32 2.4 GHz-only Wi-Fi — espboards.dev; ESP32 Marauder firmware & tools — justcallmekoko/ESP32Marauder wiki. Hardware/chipset facts verified May 2026.

For authorized security testing and education only. Test only networks and devices you own or have explicit written permission to test. You are responsible for compliance with all applicable laws and radio regulations (e.g. FCC Part 15 in the US). "Flipper Zero" and "ESP32 Marauder" are referenced for compatibility and comparison; PINGEQUA is independent and not affiliated with or endorsed by their respective owners.

Retour au blog