5Ghost WiFi Lab — Setup & User Guide

PINGEQUA · Dual-Band Wi-Fi Lab

5Ghost WiFi Lab — Setup & User Guide

For the PINGEQUA 5Ghost BW16 (RTL8720DN) dual-band Wi-Fi devboard for Flipper Zero. Covers all three variants — external antenna, black, and green — which share the same board, firmware, and app.

Module RTL8720DN (BW16) · 2.4 GHz + 5 GHz · 802.11 a/b/g/n
Host Flipper Zero · GPIO header · UART (TX/RX) + 5V/GND
Flipper app 5Ghost WiFi Lab .fap
Module firmware 5Ghost — preloaded at the factory
Source & releases github.com/pingequalab/5ghost-wifi-lab

Quick Start — three steps

The board is preloaded. There is nothing to flash for normal use.

1
Dock the board. Power off the Flipper Zero, then seat the 5Ghost module on the GPIO header (top pins). The 4-wire UART link is the only connection — no soldering, no jumper wires.
2
Copy the app. Download the latest .fap from GitHub Releases and place it on the Flipper SD card under /ext/apps/GPIO/ (using qFlipper or a card reader).
3
Open it. On the Flipper, go to Apps → GPIO → 5Ghost WiFi Lab. The header shows Official once the board is detected — you're live.
One universal .fap. A single build runs on Official, Momentum, and Unleashed firmware — it avoids the APIs the official firmware disables, so it loads cleanly on each. There is no separate version to pick.

What's inside the app

  • Dual-band Scan — lists 2.4 and 5 GHz APs with signal, encryption, precise PMF (capable / required), WPA3 detection, and same-SSID mesh markers.
  • Channel Map — congestion view across both bands, least-busy channel highlighted.
  • Capture Handshake — grabs the WPA/WPA2 4-way handshake on 5 GHz, written as standard PCAP to SD; drop into hashcat (mode 22000) or aircrack-ng.
  • Evil Portal — captive-portal pages: built-in, bundled demos, or your own .html from the SD card.
  • PMF-aware Deauth — on 2.4 + 5 GHz; tells you when a target is 802.11w / WPA3-protected instead of failing silently.
  • Create AP · Beacon — stand up a soft AP with captive portal, or send custom / random / Rickroll beacons.
  • Everything to SD — scans (CSV), credentials, and handshakes (PCAP) save to /ext/apps_data/5ghost/ with on-screen confirmation.

Compatibility

Host device Flipper Zero (GPIO / UART) — required, not included
Flipper firmware Official · Momentum · Unleashed
Module RTL8720DN (BW16), preloaded with 5Ghost firmware
Not supported Other BW16 boards (different firmware/pinout) · ESP32 boards (no 5 GHz radio) · standalone use without a Flipper

Firmware & browser recovery

You normally never flash the module — it ships preloaded. This is a safety net only. If the module firmware is interrupted mid-update, corrupted, or you want to restore factory state, re-flash it from a web browser — no Arduino, no toolchain, no command line.

1
Open the flasher. Go to flash.pingequa.com/devices/bw16-5ghost in Chrome or Edge on desktop (or Chrome on Android). Safari and Firefox lack the Web Serial API and cannot flash.
2
Connect the board. Plug it into your computer with a USB-C data cable, click Connect, and pick the port. Install the CH340 serial driver if your OS prompts for it.
3
Flash. Click Flash. It enters download mode automatically; if that fails, hold BOOT, tap RESET, release BOOT, and reconnect. A full image takes a few minutes at 115200 baud — let it finish.

Troubleshooting

  • App not visible on Flipper: confirm the .fap is in /ext/apps/GPIO/, then restart the Flipper.
  • Header doesn't show "Official" / board not detected: power off the Flipper, reseat the module firmly on the GPIO header, power back on.
  • "App too old" or API warning: download the latest .fap from GitHub Releases for your firmware.
  • No 5 GHz results: confirm 5 GHz networks are nearby. 5 GHz range is naturally shorter than 2.4 GHz.
  • Deauth has no effect on some APs: those are PMF (802.11w) / WPA3 protected and immune by design — 5Ghost flags them in the scan list.
  • Module unresponsive after a bad flash: use the browser recovery flasher above.

Honest limits

  • WPA3-SAE cannot be cracked offline — by any tool. A captured SAE handshake carries no offline-crackable hash. 5Ghost detects WPA3 and labels it out of reach rather than pretending otherwise.
  • PMF / WPA3 APs cannot be deauthed — that's 802.11w working as designed.
  • Handshake capture runs on 5 GHz — on 2.4 GHz this chip often can't hear the client uplink, so capture uses the 5 GHz path.
  • Cross-channel mesh roaming (802.11r) is hard to fully suppress on single-radio hardware.

FAQ

Do I have to flash or wire anything?

No. The board ships preloaded with 5Ghost firmware. You dock it on the GPIO header and copy one .fap to the SD card — that's the whole setup. Browser re-flash exists only as recovery.

Which Flipper firmwares are supported?

Official, Momentum, and Unleashed — one universal .fap build for all three.

Onboard antenna vs 8 dBi external — does the guide differ?

No. Same board, firmware, and app across all variants. Only the antenna and color differ; setup is identical.

Can it crack WPA3?

No tool can, offline. For WPA/WPA2 it captures the 4-way handshake to PCAP for hashcat/aircrack-ng on your own machine.

Does it work without a Flipper Zero?

No — it's a companion module. The Flipper is the host that runs the app and screen.

Responsible-use notice. For authorized security testing, network administration, and education only. Only test networks and devices you own or have explicit written permission to test. Unauthorized interception or disruption of networks is illegal in most jurisdictions. End users are solely responsible for compliance with local laws and radio regulations — FCC Part 15 (US), CE / RED (EU), and local equivalents. "Flipper Zero" is a trademark of Flipper Devices Inc.; this is an independent companion product, not affiliated with or endorsed by Flipper Devices.

Need help? Email support@pingequa.com with your order number, product variant, Flipper firmware version, and a photo of your setup.