diff --git a/.gitignore b/.gitignore
index 6369c25..8b946c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -118,6 +118,7 @@ htmlcov/
 # Internal planning
 plan.md
 *.plan.md
+MODULE_IDEAS.md
 
 # Hardware-specific configs (optional)
 # Uncomment if you don't want to track these
diff --git a/MODULE_IDEAS.md b/MODULE_IDEAS.md
deleted file mode 100644
index 33660cf..0000000
--- a/MODULE_IDEAS.md
+++ /dev/null
@@ -1,796 +0,0 @@
-# Espilon Module Ideas
-
-Future module ideas for the Espilon agent framework, organized by category. Each entry includes hardware requirements, estimated cost, complexity (1-5), and key C2 commands.
-
-> **Legend**: Complexity 1 = simple wrapper, 5 = full protocol stack. Cost = additional hardware beyond ESP32.
-
----
-
-## Table of Contents
-
-- [Radio & Wireless](#radio--wireless)
-- [USB & HID](#usb--hid)
-- [Hardware Hacking](#hardware-hacking)
-- [Network & Protocols](#network--protocols)
-- [Industrial & SCADA](#industrial--scada)
-- [Exfiltration & Covert Channels](#exfiltration--covert-channels)
-- [Sensors & Environment](#sensors--environment)
-- [Crypto & WiFi Attacks](#crypto--wifi-attacks)
-- [Automotive](#automotive)
-- [Physical Security](#physical-security)
-
----
-
-## Radio & Wireless
-
-### mod_ble — Bluetooth Low Energy
-
-**Hardware**: ESP32 built-in | **Cost**: 0 EUR | **Complexity**: 3/5
-
-BLE scanning, GATT enumeration, beacon spoofing, and device tracking.
-
-**Commands**:
-- `ble_scan [duration]` — Discover BLE devices (name, RSSI, services)
-- `ble_enum <addr>` — Enumerate GATT services and characteristics
-- `ble_read <addr> <handle>` — Read characteristic value
-- `ble_write <addr> <handle> <hex>` — Write to characteristic
-- `ble_beacon <uuid> [major] [minor]` — Spoof iBeacon/Eddystone
-- `ble_track <addr> [duration]` — Track device RSSI over time
-- `ble_flood [count]` — Broadcast random BLE advertisements
-
-**Use cases**: IoT device recon, BLE lock testing, asset tracking, Bluetooth phishing.
-
----
-
-### mod_zigbee — IEEE 802.15.4 / Zigbee
-
-**Hardware**: CC2530/CC2531 module via UART | **Cost**: ~4 EUR | **Complexity**: 4/5
-
-Sniff, inject, and replay Zigbee/802.15.4 frames. Targets smart home (Philips Hue, SmartThings, Ikea).
-
-**Commands**:
-- `zigbee_scan [channel]` — Discover Zigbee networks and devices
-- `zigbee_sniff <channel> [duration]` — Capture 802.15.4 frames
-- `zigbee_inject <channel> <hex_frame>` — Inject raw frame
-- `zigbee_replay` — Replay captured frames
-- `zigbee_key_sniff [duration]` — Capture transport key exchange
-- `zigbee_jam <channel>` — Channel jamming
-
-**Use cases**: Smart home testing, IoT protocol analysis, Zigbee network penetration.
-
----
-
-### mod_nfc — RFID / NFC
-
-**Hardware**: RC522 (MIFARE) or PN532 (full NFC) via SPI | **Cost**: ~3 EUR | **Complexity**: 3/5
-
-Read, write, clone, and emulate RFID/NFC tags. Supports MIFARE Classic, NTAG, and ISO 14443.
-
-**Commands**:
-- `nfc_scan` — Detect tags in range (UID, type, ATQA, SAK)
-- `nfc_read <sector> [key]` — Read MIFARE sector
-- `nfc_write <sector> <hex> [key]` — Write to sector
-- `nfc_clone` — Read tag → store → emulate (UID-level clone)
-- `nfc_crack <sector>` — MIFARE Classic key recovery (nested/hardnested)
-- `nfc_dump` — Dump full tag contents
-- `nfc_emulate <uid>` — Emulate tag UID
-
-**Use cases**: Access card cloning, NFC payment research, badge system testing.
-
----
-
-### mod_subghz — Sub-GHz Radio (433/868/915 MHz)
-
-**Hardware**: CC1101 module via SPI | **Cost**: ~3 EUR | **Complexity**: 4/5
-
-Sniff, decode, record, and replay sub-GHz radio signals. Targets garage doors, remotes, weather stations, sensors.
-
-**Commands**:
-- `subghz_rx <freq_mhz> [modulation]` — Listen on frequency (ASK/FSK/GFSK)
-- `subghz_tx <freq_mhz> <hex_data> [repeat]` — Transmit raw data
-- `subghz_scan <start_mhz> <end_mhz>` — Frequency scanner (find active freqs)
-- `subghz_record <freq_mhz> [duration]` — Record raw signal
-- `subghz_replay [speed]` — Replay recorded signal
-- `subghz_decode <protocol>` — Decode known protocols (Oregon, LaCrosse, etc.)
-- `subghz_bruteforce <freq_mhz> <bits> [delay]` — Brute-force fixed codes
-
-**Use cases**: Garage door testing, remote control analysis, sensor spoofing, ISM band recon.
-
----
-
-### mod_lora — LoRa Long-Range Mesh
-
-**Hardware**: SX1276/SX1278 module via SPI | **Cost**: ~5 EUR | **Complexity**: 3/5
-
-LoRa-based backup C2 channel and mesh network for long-range, low-bandwidth communication.
-
-**Commands**:
-- `lora_start <freq_mhz> [sf] [bw]` — Init LoRa radio (spreading factor, bandwidth)
-- `lora_send <hex_data>` — Send raw LoRa packet
-- `lora_listen [duration]` — Receive packets
-- `lora_mesh_start` — Enable mesh relay mode (multi-hop)
-- `lora_c2_enable` — Use LoRa as backup C2 channel
-- `lora_range_test` — Ping-pong range measurement
-
-**Use cases**: Backup C2 (1-10 km range), field mesh network, exfiltration when WiFi unavailable.
-
----
-
-### mod_ir — Infrared TX/RX
-
-**Hardware**: IR LED + IR receiver (VS1838B) | **Cost**: ~1 EUR | **Complexity**: 2/5
-
-Capture, decode, and replay infrared remote signals. Universal remote functionality.
-
-**Commands**:
-- `ir_learn [timeout]` — Record IR signal from any remote
-- `ir_send <protocol> <code>` — Send known protocol (NEC, Sony, RC5, Samsung)
-- `ir_replay` — Replay last captured signal
-- `ir_scan` — Brute-force common power codes (TV-B-Gone style)
-- `ir_raw_send <timing_data>` — Send raw pulse/space timing
-
-**Use cases**: TV/AC control, IR protocol analysis, physical access (some locks use IR).
-
----
-
-### mod_espnow_swarm — Coordinated ESP-NOW Swarm
-
-**Hardware**: Additional ESP32 agents | **Cost**: 0 EUR per agent | **Complexity**: 4/5
-
-Coordinate multiple Espilon agents via ESP-NOW for distributed operations. Mesh-aware task distribution.
-
-**Commands**:
-- `swarm_discover` — Find nearby Espilon agents
-- `swarm_broadcast <command>` — Send command to all agents
-- `swarm_assign <agent_id> <command>` — Targeted task assignment
-- `swarm_sync` — Synchronize clocks for coordinated actions
-- `swarm_scan_distributed <target>` — Parallel network scanning from multiple positions
-- `swarm_relay <agent_id>` — Use agent as relay for out-of-range C2
-
-**Use cases**: Distributed WiFi scanning, coordinated deauth, coverage extension, multi-angle recon.
-
----
-
-### mod_tpms — Tire Pressure Monitoring
-
-**Hardware**: CC1101 (315 or 433 MHz) | **Cost**: ~3 EUR | **Complexity**: 3/5
-
-Sniff and spoof TPMS sensors at 315/433 MHz. Vehicle identification via unique sensor IDs.
-
-**Commands**:
-- `tpms_listen [duration]` — Capture TPMS broadcasts
-- `tpms_decode` — Show decoded sensor data (pressure, temp, ID)
-- `tpms_track <sensor_id>` — Track specific vehicle presence
-- `tpms_spoof <sensor_id> <pressure> <temp>` — Inject fake reading
-
-**Use cases**: Vehicle tracking via TPMS IDs, TPMS protocol research.
-
----
-
-## USB & HID
-
-### mod_badusb — USB HID Injection
-
-**Hardware**: ESP32-S2 or ESP32-S3 (native USB) | **Cost**: 0 EUR | **Complexity**: 3/5
-
-Keystroke injection attack via USB HID. Triggered remotely from C2.
-
-**Commands**:
-- `badusb_run <payload_name>` — Execute named payload
-- `badusb_type <text>` — Type arbitrary text
-- `badusb_key <combo>` — Send key combo (e.g., `WIN+R`, `CTRL+ALT+DEL`)
-- `badusb_delay <ms>` — Wait between keystrokes
-- `badusb_upload <script>` — Upload Ducky Script payload
-- `badusb_list` — List stored payloads
-- `badusb_os_detect` — Detect target OS via timing analysis
-
-**Use cases**: Physical access exploitation, credential harvesting, reverse shell deployment.
-
----
-
-### mod_rubber_ducky — Ducky Script Interpreter
-
-**Hardware**: ESP32-S2/S3 | **Cost**: 0 EUR | **Complexity**: 2/5
-
-Full Ducky Script interpreter for scripted USB HID payloads. Companion to mod_badusb.
-
-**Commands**:
-- `ducky_load <script>` — Load script from NVS or C2
-- `ducky_exec` — Execute loaded script
-- `ducky_store <name> <script>` — Save payload to NVS
-- `ducky_list` — List stored scripts
-
----
-
-### mod_usb_mitm — USB Man-in-the-Middle
-
-**Hardware**: ESP32-S3 (dual USB ports) | **Cost**: 0 EUR | **Complexity**: 5/5
-
-Transparent USB proxy: sniff, modify, or inject traffic between host and device.
-
-**Commands**:
-- `usb_mitm_start` — Start USB proxy
-- `usb_mitm_sniff [class]` — Log traffic (HID, mass storage, etc.)
-- `usb_mitm_inject <hex>` — Inject USB packets
-- `usb_mitm_filter <rule>` — Modify packets in transit
-
-**Use cases**: USB protocol analysis, keyboard sniffing, mass storage interception.
-
----
-
-## Hardware Hacking
-
-### mod_jtag — JTAG/SWD Debug Interface
-
-**Hardware**: GPIO wires (no extra module) | **Cost**: 0 EUR | **Complexity**: 4/5
-
-Bit-bang JTAG/SWD for firmware extraction, debug access, and boundary scan on target devices.
-
-**Commands**:
-- `jtag_scan` — Detect JTAG chain (IDCODE scan)
-- `jtag_read <addr> <size>` — Read memory via debug port
-- `jtag_write <addr> <hex>` — Write memory
-- `jtag_dump <addr> <size>` — Dump firmware to C2
-- `swd_scan` — Detect SWD target
-- `swd_read <addr> <size>` — Read via SWD
-- `swd_halt` / `swd_resume` — Halt/resume target CPU
-
-**Use cases**: Firmware extraction from IoT devices, bypassing read-out protection, live debugging.
-
----
-
-### mod_uart_bridge — UART Sniff/Inject
-
-**Hardware**: GPIO wires (no extra module) | **Cost**: 0 EUR | **Complexity**: 2/5
-
-UART bridge: sniff serial console traffic or inject commands. Auto-detect baud rate.
-
-**Commands**:
-- `uart_scan [gpio]` — Auto-detect baud rate on GPIO pin
-- `uart_listen <baud> <rx_gpio> [duration]` — Sniff UART traffic
-- `uart_send <baud> <tx_gpio> <data>` — Send data
-- `uart_bridge <baud> <rx> <tx>` — Bidirectional bridge (relay to C2)
-
-**Use cases**: Router console access, IoT device debug ports, embedded system exploitation.
-
----
-
-### mod_i2c_scan — I2C Bus Discovery
-
-**Hardware**: GPIO wires | **Cost**: 0 EUR | **Complexity**: 2/5
-
-Scan, read, and write I2C devices. EEPROM dumping and sensor spoofing.
-
-**Commands**:
-- `i2c_scan [sda] [scl]` — Discover devices on bus
-- `i2c_read <addr> <reg> <len>` — Read registers
-- `i2c_write <addr> <reg> <hex>` — Write registers
-- `i2c_dump_eeprom <addr> <size>` — Dump EEPROM contents
-
-**Use cases**: EEPROM credential extraction, sensor data manipulation, I2C device enumeration.
-
----
-
-### mod_spi_flash — SPI Flash Dumper
-
-**Hardware**: SOIC-8 clip + GPIO wires | **Cost**: ~5 EUR | **Complexity**: 3/5
-
-Read/write SPI NOR flash chips (25xx series). In-circuit or off-board.
-
-**Commands**:
-- `spi_flash_detect` — Read JEDEC ID, detect chip
-- `spi_flash_read <addr> <size>` — Read flash to C2
-- `spi_flash_write <addr> <hex>` — Write data
-- `spi_flash_erase <addr> <size>` — Erase sectors
-- `spi_flash_dump` — Full chip dump
-
-**Use cases**: Firmware extraction, credential recovery, flash image modification.
-
----
-
-### mod_glitch — Voltage/Clock Glitching
-
-**Hardware**: MOSFET + GPIO (voltage glitch) or clock inject circuit | **Cost**: ~5 EUR | **Complexity**: 5/5
-
-Fault injection: precise voltage or clock glitches to bypass secure boot, skip instructions, or corrupt crypto.
-
-**Commands**:
-- `glitch_config <width_ns> <offset_ns> <repeat>` — Set glitch parameters
-- `glitch_arm <trigger_gpio>` — Arm, fire on trigger edge
-- `glitch_fire` — Manual trigger
-- `glitch_sweep <start_ns> <end_ns> <step>` — Automated parameter sweep
-
-**Use cases**: Secure boot bypass, read-out protection defeat, crypto fault injection.
-
----
-
-## Network & Protocols
-
-### mod_dns — DNS Spoofing & Tunneling
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
-
-DNS server for spoofing + DNS tunnel for covert data exfiltration through firewalls.
-
-**Commands**:
-- `dns_spoof_start <domain> <ip>` — Spoof specific domain resolution
-- `dns_spoof_all <ip>` — Redirect all DNS queries to IP
-- `dns_spoof_stop` — Stop spoofing
-- `dns_tunnel_start <domain>` — Start DNS tunnel (data over TXT/CNAME)
-- `dns_tunnel_send <hex>` — Exfiltrate data via DNS
-
-**Use cases**: Pharming, captive portal bypass, firewall evasion, covert exfiltration.
-
----
-
-### mod_dhcp — DHCP Attacks
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
-
-DHCP starvation and rogue DHCP server for MitM via gateway redirection.
-
-**Commands**:
-- `dhcp_starve [count]` — Exhaust DHCP pool with fake MACs
-- `dhcp_rogue_start <gateway_ip> <dns_ip>` — Start rogue DHCP server
-- `dhcp_rogue_stop` — Stop rogue server
-- `dhcp_discover` — Passive DHCP monitoring
-
-**Use cases**: MitM setup, network disruption, rogue gateway for traffic interception.
-
----
-
-### mod_mdns — mDNS/Bonjour Discovery
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
-
-Discover and spoof local services via mDNS (Bonjour, Avahi).
-
-**Commands**:
-- `mdns_scan [duration]` — Discover all mDNS services
-- `mdns_query <service>` — Query specific service type (_http._tcp, _ssh._tcp, etc.)
-- `mdns_spoof <hostname> <ip>` — Spoof mDNS response
-- `mdns_register <service> <port>` — Advertise fake service
-
-**Use cases**: Local service enumeration, service spoofing, printer/AirPlay impersonation.
-
----
-
-### mod_mqtt — MQTT Broker/Client
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
-
-MQTT client for IoT device interaction + rogue broker for message interception.
-
-**Commands**:
-- `mqtt_connect <broker> [user] [pass]` — Connect to broker
-- `mqtt_sub <topic>` — Subscribe and stream messages to C2
-- `mqtt_pub <topic> <payload>` — Publish message
-- `mqtt_enum` — Enumerate all topics (wildcard subscribe)
-- `mqtt_broker_start [port]` — Start rogue MQTT broker
-- `mqtt_intercept <topic>` — MitM specific topic
-
-**Use cases**: IoT device control, smart home exploitation, message injection, credential sniffing.
-
----
-
-### mod_coap — CoAP Discovery & Exploitation
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
-
-CoAP client for constrained IoT device interaction (UDP-based REST).
-
-**Commands**:
-- `coap_discover <ip>` — Discover CoAP resources (.well-known/core)
-- `coap_get <uri>` — GET resource
-- `coap_put <uri> <payload>` — PUT resource
-- `coap_observe <uri>` — Subscribe to resource changes
-
-**Use cases**: IoT device enumeration, sensor data extraction, actuator control.
-
----
-
-### mod_upnp — UPnP/SSDP Discovery
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
-
-Discover and interact with UPnP devices on the network. Map router port forwards.
-
-**Commands**:
-- `upnp_scan` — Discover UPnP devices (SSDP M-SEARCH)
-- `upnp_describe <url>` — Get device description XML
-- `upnp_port_map <ext_port> <int_ip> <int_port>` — Add port mapping on router
-- `upnp_port_list` — List existing port mappings
-- `upnp_port_del <ext_port>` — Remove port mapping
-
-**Use cases**: Router exploitation, port mapping for persistence, device enumeration.
-
----
-
-### mod_socks — SOCKS5 Proxy
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
-
-Full SOCKS5 proxy running on the agent for network pivoting.
-
-**Commands**:
-- `socks_start [port] [auth]` — Start SOCKS5 server
-- `socks_stop` — Stop proxy
-- `socks_status` — Active connections, bandwidth stats
-- `socks_whitelist <ip>` — Allow only specific clients
-
-**Use cases**: Network pivoting, traffic routing through agent, accessing internal networks.
-
----
-
-### mod_wifi_rogue — Advanced Evil Twin
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 5/5
-
-WPA2-Enterprise Evil Twin with EAP credential interception (EAP-TTLS, PEAP, MSCHAPv2).
-
-**Commands**:
-- `rogue_start <ssid> [eap_type]` — Start evil twin with RADIUS
-- `rogue_stop` — Stop
-- `rogue_creds` — List captured credentials
-- `rogue_deauth <bssid> <station>` — Force client reconnection to rogue AP
-
-**Use cases**: Enterprise WiFi credential harvesting, WPA2-Enterprise testing.
-
----
-
-## Industrial & SCADA
-
-### mod_modbus — Modbus TCP/RTU
-
-**Hardware**: None (TCP) or MAX485 (~2 EUR for RTU) | **Cost**: 0-2 EUR | **Complexity**: 3/5
-
-Modbus protocol for SCADA/ICS reconnaissance and interaction.
-
-**Commands**:
-- `modbus_scan <ip_range>` — Discover Modbus TCP devices
-- `modbus_read <ip> <unit> <addr> <count> [type]` — Read holding/input registers
-- `modbus_write <ip> <unit> <addr> <value>` — Write register
-- `modbus_coils <ip> <unit> <addr> <count>` — Read/write coils
-- `modbus_enum <ip>` — Enumerate function codes and unit IDs
-- `modbus_rtu_scan <baud>` — Scan RTU bus (RS-485)
-
-**Use cases**: SCADA assessment, PLC interaction, industrial network mapping.
-
----
-
-### mod_bacnet — Building Automation
-
-**Hardware**: None (WiFi/Ethernet) | **Cost**: 0 EUR | **Complexity**: 4/5
-
-BACnet protocol for building automation system interaction (HVAC, lighting, access).
-
-**Commands**:
-- `bacnet_discover` — Who-Is broadcast, discover BACnet devices
-- `bacnet_read <device> <object> <property>` — Read property
-- `bacnet_write <device> <object> <property> <value>` — Write property
-- `bacnet_enum <device>` — Enumerate objects on device
-
-**Use cases**: Building automation testing, HVAC control, access system research.
-
----
-
-### mod_ethernet — Wired Ethernet (W5500)
-
-**Hardware**: W5500 or ENC28J60 SPI module | **Cost**: ~4 EUR | **Complexity**: 3/5
-
-Wired Ethernet connectivity — bypass WiFi isolation, direct LAN access.
-
-**Commands**:
-- `eth_start [dhcp|static <ip>]` — Init Ethernet interface
-- `eth_status` — Link state, IP config
-- `eth_scan` — ARP scan on wired LAN
-- `eth_bridge` — Bridge WiFi ↔ Ethernet traffic
-
-**Use cases**: Drop box on wired network, bypass wireless ACLs, physical pentesting.
-
----
-
-## Exfiltration & Covert Channels
-
-### mod_dns_tunnel — C2 over DNS
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
-
-Full C2 communication over DNS queries/responses. Bypasses most firewalls.
-
-**Commands**:
-- `dns_c2_start <domain> <resolver>` — Start DNS C2 channel
-- `dns_c2_stop` — Revert to TCP
-- `dns_c2_status` — Throughput, latency stats
-
-**Use cases**: Firewall bypass, restricted network C2, exfiltration through corporate DNS.
-
----
-
-### mod_icmp_tunnel — C2 over ICMP
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 3/5
-
-Backup C2 channel using ICMP echo request/reply payloads.
-
-**Commands**:
-- `icmp_c2_start <server_ip>` — Start ICMP tunnel
-- `icmp_c2_stop` — Revert to TCP
-- `icmp_exfil <hex_data>` — One-shot data exfiltration
-
-**Use cases**: C2 when TCP is blocked, ping-based covert channel.
-
----
-
-### mod_audio_exfil — Audio Capture
-
-**Hardware**: INMP441 I2S MEMS microphone | **Cost**: ~3 EUR | **Complexity**: 4/5
-
-Audio recording and optional ultrasonic covert channel for air-gapped data transfer.
-
-**Commands**:
-- `audio_record [duration] [quality]` — Record audio, stream to C2
-- `audio_level` — Ambient noise level (trigger-based recording)
-- `audio_vad_start` — Voice Activity Detection — record only when speaking
-- `audio_ultrasonic_tx <hex>` — Transmit data via ultrasound (18-22 kHz)
-
-**Use cases**: Environmental awareness, meeting capture, air-gap bridging.
-
----
-
-### mod_sdcard — SD Card Storage
-
-**Hardware**: MicroSD module via SPI | **Cost**: ~2 EUR | **Complexity**: 2/5
-
-Local offline storage for dead-drop operations, large data dumps, and logging.
-
-**Commands**:
-- `sd_init` — Mount SD card
-- `sd_write <filename> <data>` — Write file
-- `sd_read <filename>` — Read and stream to C2
-- `sd_list` — List files
-- `sd_log_start` — Log all C2 traffic to SD
-- `sd_space` — Free/total space
-
-**Use cases**: Offline data collection, dead-drop exfiltration, large firmware dumps.
-
----
-
-## Sensors & Environment
-
-### mod_gps — GPS/GNSS Tracking
-
-**Hardware**: NEO-6M/NEO-7M via UART | **Cost**: ~5 EUR | **Complexity**: 2/5
-
-GPS positioning, geofencing, and location-stamped events.
-
-**Commands**:
-- `gps_start` — Begin GPS acquisition
-- `gps_position` — Current lat/lon/alt/speed
-- `gps_track [interval]` — Stream position to C2
-- `gps_geofence <lat> <lon> <radius_m> <action>` — Trigger action on enter/exit
-- `gps_log_start` — Log positions to NVS
-
-**Use cases**: Asset tracking, geofenced triggers, location-aware operations.
-
----
-
-### mod_environment — Environmental Sensors
-
-**Hardware**: DHT22/BME280/PIR/LDR | **Cost**: ~3 EUR | **Complexity**: 1/5
-
-Read temperature, humidity, pressure, motion, and light sensors.
-
-**Commands**:
-- `env_read` — Read all connected sensors
-- `env_monitor [interval]` — Stream readings to C2
-- `env_motion_alert` — Alert C2 on PIR trigger
-- `env_trigger <sensor> <threshold> <action>` — Conditional triggers
-
-**Use cases**: Physical security awareness, environmental monitoring, trigger-based activation.
-
----
-
-### mod_power — Power Management
-
-**Hardware**: TP4056 + LiPo battery | **Cost**: ~5 EUR | **Complexity**: 3/5
-
-Battery management, intelligent deep sleep, and solar charging support.
-
-**Commands**:
-- `power_status` — Battery voltage, charging state, estimated runtime
-- `power_sleep <seconds>` — Enter deep sleep with wake timer
-- `power_sleep_until <gpio_trigger>` — Sleep until GPIO event
-- `power_profile <mode>` — Power profiles (aggressive, balanced, stealth)
-- `power_schedule <cron> <command>` — Scheduled wake + command execution
-
-**Use cases**: Long-duration deployment, battery-powered field operations, solar-powered persistent presence.
-
----
-
-### mod_display — OLED/TFT Display
-
-**Hardware**: SSD1306 OLED (0.96") or ST7735 TFT via SPI/I2C | **Cost**: ~3 EUR | **Complexity**: 2/5
-
-Local status display for field operations (no C2 needed to see agent state).
-
-**Commands**:
-- `display_text <text>` — Show text on screen
-- `display_status` — Show device info, connection state, active module
-- `display_qr <data>` — Generate QR code on display
-- `display_off` — Turn off (stealth)
-
-**Use cases**: Field status monitoring, debug output, one-way info display.
-
----
-
-## Crypto & WiFi Attacks
-
-### mod_deauth — 802.11 Deauthentication
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 2/5
-
-Targeted 802.11 deauth for forcing client reconnection (handshake capture setup).
-
-**Commands**:
-- `deauth <bssid> <station> [count]` — Targeted deauth
-- `deauth_all <bssid> [count]` — Broadcast deauth
-- `deauth_continuous <bssid> [interval]` — Persistent deauth
-
-**Use cases**: WPA handshake capture setup, client denial, forced AP migration.
-
----
-
-### mod_wpa_crack — WPA Handshake Capture
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
-
-Capture 4-way handshake and attempt dictionary attack with embedded wordlist.
-
-**Commands**:
-- `wpa_capture <bssid> [channel] [timeout]` — Wait for handshake (or deauth to force)
-- `wpa_crack <bssid> [wordlist]` — Dictionary attack on captured handshake
-- `wpa_export <bssid>` — Export handshake as pcap/hccapx to C2
-
-**Use cases**: WiFi security assessment, credential recovery.
-
----
-
-### mod_pmkid — PMKID Attack
-
-**Hardware**: None (WiFi) | **Cost**: 0 EUR | **Complexity**: 4/5
-
-Capture PMKID from AP without any connected client. Faster than handshake capture.
-
-**Commands**:
-- `pmkid_scan [duration]` — Scan APs and capture PMKIDs
-- `pmkid_target <bssid>` — Target specific AP
-- `pmkid_export` — Export PMKIDs for offline cracking
-
-**Use cases**: WiFi testing without connected clients, faster WPA cracking.
-
----
-
-### mod_rfcrack — Rolling Code Analysis
-
-**Hardware**: CC1101 via SPI | **Cost**: ~3 EUR | **Complexity**: 5/5
-
-Analyze and attack rolling code systems (garages, car key fobs, gates).
-
-**Commands**:
-- `rfcrack_listen <freq>` — Capture rolling code transmissions
-- `rfcrack_analyze` — Identify protocol (KeeLoq, etc.)
-- `rfcrack_rolljam <freq>` — RollJam attack (jam + capture + replay)
-- `rfcrack_desync <freq>` — De-synchronization attack
-
-**Use cases**: Physical security research, rolling code protocol analysis.
-
----
-
-## Automotive
-
-### mod_lin_bus — LIN Bus
-
-**Hardware**: MCP2004A LIN transceiver | **Cost**: ~3 EUR | **Complexity**: 3/5
-
-LIN bus (Local Interconnect Network) — sub-bus used for windows, seats, mirrors, lights.
-
-**Commands**:
-- `lin_start [baud]` — Init LIN transceiver (default 19200)
-- `lin_sniff [duration]` — Capture LIN frames
-- `lin_send <id> <data_hex>` — Send LIN frame
-- `lin_master_start` — Become LIN master (send schedule table)
-- `lin_enum` — Enumerate slave nodes
-
-**Use cases**: Automotive body control testing, seat/window/mirror manipulation.
-
----
-
-### mod_obd_tracker — OBD-II GPS Tracker
-
-**Hardware**: MCP2515 + NEO-6M GPS | **Cost**: ~8 EUR | **Complexity**: 3/5
-
-Autonomous vehicle tracker: logs GPS position + OBD-II data, reports to C2 when connectivity available.
-
-**Commands**:
-- `tracker_start [interval]` — Begin tracking (OBD + GPS)
-- `tracker_stop` — Stop and upload buffered data
-- `tracker_status` — Current position + vehicle stats
-- `tracker_geofence <lat> <lon> <radius>` — Alert on geofence breach
-- `tracker_trips` — Summarize recorded trips
-
-**Use cases**: Vehicle tracking, fleet monitoring, trip analysis.
-
----
-
-### mod_flexray — FlexRay Bus
-
-**Hardware**: FlexRay transceiver (TJA1080) | **Cost**: ~15 EUR | **Complexity**: 5/5
-
-FlexRay monitoring for premium vehicles (BMW, Mercedes, Audi). Deterministic, time-triggered protocol.
-
-**Commands**:
-- `flexray_listen <channel>` — Monitor FlexRay channel (A or B)
-- `flexray_decode` — Decode known frame IDs
-- `flexray_status` — Bus state, cycle time, slot info
-
-**Use cases**: Premium vehicle bus analysis, FlexRay protocol research.
-
----
-
-## Physical Security
-
-### mod_keylogger — PS/2 Keyboard Logger
-
-**Hardware**: PS/2 connector + GPIO wires | **Cost**: ~2 EUR | **Complexity**: 2/5
-
-Hardware keylogger for PS/2 keyboards. Inline transparent interception.
-
-**Commands**:
-- `keylog_start` — Begin capturing keystrokes
-- `keylog_stop` — Stop and send buffer to C2
-- `keylog_dump` — Send current buffer
-- `keylog_live` — Stream keystrokes in real-time to C2
-
-**Use cases**: Physical access keystroke capture.
-
----
-
-### mod_relay — Relay Control
-
-**Hardware**: Relay module (1/2/4 channel) | **Cost**: ~2 EUR | **Complexity**: 1/5
-
-GPIO relay control for physical actuators (doors, power, devices).
-
-**Commands**:
-- `relay_on <channel>` — Activate relay
-- `relay_off <channel>` — Deactivate relay
-- `relay_pulse <channel> <duration_ms>` — Momentary activation
-- `relay_schedule <channel> <cron>` — Scheduled activation
-
-**Use cases**: Physical access control, remote power switching, automated triggers.
-
----
-
-## Priority Matrix
-
-Modules ranked by impact/effort ratio for implementation priority:
-
-| Priority | Module | Why |
-|----------|--------|-----|
-| **High** | mod_ble | Built-in hardware, zero cost, huge IoT attack surface |
-| **High** | mod_deauth | Simple, essential for WiFi assessment workflows |
-| **High** | mod_badusb | ESP32-S2/S3 native USB, high impact physical access |
-| **High** | mod_uart_bridge | Zero cost, essential for hardware hacking |
-| **High** | mod_dns | WiFi only, enables MitM and exfiltration |
-| **Medium** | mod_nfc | Cheap hardware, wide applicability (access cards) |
-| **Medium** | mod_subghz | CC1101 is cheap, covers huge attack surface |
-| **Medium** | mod_mqtt | IoT everywhere, zero additional hardware |
-| **Medium** | mod_socks | Pivoting capability, WiFi only |
-| **Medium** | mod_gps | Cheap module, enables location-aware operations |
-| **Medium** | mod_modbus | SCADA is a growing target, dual TCP/RTU |
-| **Medium** | mod_sdcard | Simple, enables offline operations |
-| **Low** | mod_lora | Good range but low throughput |
-| **Low** | mod_glitch | High complexity, niche use case |
-| **Low** | mod_flexray | Expensive hardware, niche vehicles |
-| **Low** | mod_usb_mitm | Requires ESP32-S3 dual USB, very complex |