Enhanced firmware for the Monstatek M1 multi-tool device, forked from the original firmware with major feature additions, Flipper Zero file compatibility, a modern scene-based UI architecture, and stability improvements.

This is a community project and is not affiliated with or endorsed by Monstatek.

Hapax uses a GitHub-centered workflow for development, releases, and documentation. GitHub is the primary home for source code, builds, releases, project discussion, and related project resources:

• Automated CI/CD — pushes/merges to main trigger a GitHub Actions build and publish a versioned GitHub Release with firmware artifacts, except for changes excluded by the workflow's paths-ignore rules (for example, docs/database/IDE/workflow-only updates). No manual compilation, no "here's a .bin I built on my laptop."
• Web Updater — a GitHub Pages-hosted browser-based flashing tool. Plug in via USB, pick a release, and flash — no desktop software required. Hapax original: the updater also automatically installs SD card assets (IR/SubGHz signal databases, 1,700+ files) directly to the device over USB — skip, overwrite, or cherry-pick what gets installed. No ZIP extraction, no SD card reader needed.
• API Documentation — Doxygen-generated source documentation, auto-deployed on every push to main that touches firmware source files.
• OTA from the device — the M1 itself can browse GitHub Releases over WiFi, download firmware, and install it — all without a PC.
• Automated testing — host-side unit tests run automatically via GitHub Actions on pull requests and pushes to main for relevant changes; Doxygen docs are deployed on source/docs updates, and static analysis is available as a manual, on-demand workflow.
• Transparent development — all code, issues, pull requests, security advisories, and discussions live on GitHub. Nothing is hidden behind invite-only servers or private channels.

🔧 Flash your M1 right now — open the Web Updater

No software to install for updates or reflashing if Hapax is already installed. Plug in via USB-C, open Chrome/Edge, and flash the latest firmware in seconds. For a first install from stock firmware, use the DFU/qMonstatek method below.

• Import and use Flipper Zero .sub, .rfid, .nfc, and .ir files directly
• Drop Flipper files onto the SD card and use them on the M1
• Flipper Music Format (.fmf) playback via the Music Player
• Furi compatibility layer for near-direct protocol porting from Flipper/Momentum

• 100 protocol decoders — Princeton, CAME, Nice Flo, Keeloq, Security+ 1.0/2.0, Linear, Holtek, Hormann, Marantec, Somfy, Ansonic, BETT, Clemsa, Doitrand, FireFly, CAME Twee/Atomo, Nice Flor S, Alutech AT-4N, Centurion, Kinggates Stylo, Megacode, Mastercode, Chamberlain 7/8/9-bit, Liftmaster 10-bit, Dooya, Honeywell, Intertechno, Elro, Acurite (incl. 592TXR/986), Bresser, Oregon v1/v2/v3, LaCrosse, Scher-Khan, Toyota, Auriol AHFL, GT-WT-02, Kedsum-TH, ThermoPro TX-4, LaCrosse TX141THBv2, Wendox W6726, DITEC GOL4, Honeywell WDB, X10, FireCracker/CM17A, TX-8300, POCSAG pager decode, and more
• Spectrum Analyzer — visual RF spectrum display with zoom, pan, and peak detection
• RSSI Meter — real-time signal strength with bar graph and peak tracking
• Frequency Scanner — sweep and find active frequencies above threshold
• Weather Station — decode Oregon v2, Acurite 606TX/609TXC/592TXR/986, LaCrosse TX141THBv2, Auriol, GT-WT-02, Kedsum-TH, ThermoPro TX-4, Solight TE44, Vauno EN8822C, Emos E601x sensors
• Brute Force — brute-force RF code transmitter (Princeton, CAME, Nice FLO, Linear, Holtek)
• Playlist Player — load .txt playlist files from SubGHz/playlist/ and transmit each .sub file sequentially; supports repeat count, progress display, and Flipper path remapping
• Add Manually — select a protocol, enter a hex key, and transmit a single-burst RF signal
• Radio Settings — adjustable TX power, custom frequency entry (300–928 MHz)

• Tag Info — manufacturer lookup, SAK decode, technology identification
• T2T Page Dump — read and display Type 2 Tag memory pages
• Clone & Emulate — copy and replay NFC tags
• PicoPass/iCLASS — read, authenticate, and emulate HID iCLASS cards (DES key diversification)
• NFC Fuzzer — protocol testing tool
• MIFARE Classic Crypto1 support

• 26 protocol decoders — EM4100 (+ 32/16-bit variants), H10301, HID Generic, HID ExGeneric, Indala26, Indala224, AWID, Pyramid, Paradox, IOProx, FDX-A, FDX-B, Viking, Electra, Gallagher, Jablotron, PAC/Stanley, Securakey, GProx II, Noralsy, Idteck, Keri, Nexwatch, InstaFob
• Clone Card — write to T5577 tags
• Erase Tag — reset T5577 to factory
• T5577 Info — read tag configuration
• RFID Fuzzer — protocol testing tool
• Manchester decoder with carrier auto-detection (ASK/PSK)

• Universal Remote Database — pre-built remotes for Samsung, LG, Sony, Vizio, Bose, Denon, and more (see ir_database/)
• Learn & Save — record IR signals and save to SD card
• Import Flipper Zero .ir files

• DuckyScript interpreter — run keystroke injection scripts from SD card
• Supports STRING, DELAY, GUI, CTRL, ALT, SHIFT, key combos, and REPEAT
• Place .txt scripts in BadUSB/ on the SD card

• CAN Commander — sniff, send, and analyse CAN bus traffic via the J7 (X10) header
• Sniffer — real-time CAN frame display with baud rate cycling (125 k / 250 k / 500 k / 1 Mbps)
• Send Frame — build and transmit arbitrary CAN frames
• Supports standard 11-bit CAN IDs (Classic CAN)
• Requires external CAN transceiver — recommended: Waveshare SN65HVD230 CAN Board (3.3 V, ESD protected)

Note: The M1 does not include an on-board CAN transceiver. See HARDWARE.md for wiring instructions.

• ELF app loader — load and run third-party apps from SD card
• Browse and launch .m1app files from the Apps menu
• Download ready-to-use apps and the App SDK at m1-sdk

• Snake, Tetris, T-Rex Runner, Pong, Dice — built-in games accessible from the menu
• Music Player — plays Flipper Music Format (.fmf) files from SD:/Music/

Requires SiN360 ESP32 firmware — see ESP32 note above.

Sniffers:

• Packet sniffers: All, Beacon, Probe, Deauth, EAPOL, SAE/WPA3, Pwnagotchi
• Signal Monitor, Station Scan, MAC Tracker, Wardrive, Station Wardrive

Attacks:

• Deauth, Beacon Spam, AP Clone, Rickroll, Evil Portal, Probe Flood, Karma, Karma+Portal

Network Scanners:

• Ping, ARP, SSH, Telnet, Port Scan

General:

• Scan nearby access points, Status, Saved Networks (AES-256 encrypted on SD card)
• Firmware Download — browse and download Hapax releases directly to SD card
• Set SSID/MAC/channel, Evil Portal HTML config, save/load/clear AP lists

• Detect external 13.56 MHz NFC reader fields and ~125 kHz RFID reader fields
• Useful for identifying hidden readers
• Accessible from the NFC → Field Detect menu entry

• Continuous square-wave output via the buzzer pin (GPIO/speaker)
• 18 frequency presets from 200 Hz to 8 kHz; UP/DOWN to change, OK to toggle on/off
• Accessible from the GPIO → Signal Gen menu entry

Requires SiN360 ESP32 firmware — see ESP32 note above.

BLE Sniffers: Analyzer, Generic, Flipper, AirTag Sniff/Monitor, Flock

BLE Wardrive: Regular, Continuous, Flock

BLE Spam: Sour Apple, SwiftPair, Samsung, Flipper, All, AirTag Spoof

BLE Detectors: Skimmers, Flock, Meta

BLE Config: Advertise, BLE settings

Bad-BT (Bluetooth HID):

• Wireless DuckyScript — same scripting as BadUSB but over Bluetooth HID
• Pairs with target device wirelessly, no cable needed

Note: Bad-BT (HID) is under active development. Bluetooth pairing and keystroke delivery depend on the target device's BLE HID support.

• Two firmware banks with safe boot validation
• Swap between banks from the menu or via the companion app
• CRC verification before boot — falls back to working bank on corruption

• AES-256-CBC encryption — device-derived keys (from STM32H5 UID) or user-provided custom keys
• WiFi credentials encrypted at rest on SD card
• Crypto API available to external apps via m1_crypto.h

• Scene-based UI — all modules use a stack-based scene manager with push/pop navigation
• RPC protocol for qMonstatek companion app communication
• Settings persistence — LCD brightness, southpaw mode, ISM band region, preferences saved to SD card
• Southpaw mode — swap left/right button functions
• Safe NMI handler — proper ECC fault recovery instead of hard fault
• Watchdog improvements — task-level suspend/resume for long operations
• CI/CD pipeline — automated build, test, and release on every merge to main via GitHub Actions. Hapax is the only M1 fork with automated builds and releases.

qMonstatek — community-maintained Windows desktop app (developed by bedge117; not part of Hapax). Connect your M1 via USB to mirror the device screen, manage SD card files, configure WiFi, update the ESP32 coprocessor firmware, and flash firmware over USB — including DFU mode for first-time installation from stock firmware.

For firmware updates on a device already running Hapax, the browser-based Web Updater requires no software at all. qMonstatek is the recommended path for first-time installation from stock or for users who prefer a desktop UI.

Download from the qMonstatek releases page.

The ir_database/ directory contains 1,412 infrared remote files for popular devices.

Categories: TV (413), AC (238), Audio — receivers, soundbars & speakers (292), Fan (155), Projector (122), LED lighting (167), Streaming devices (25).

Top-level files per category are M1-curated "universal" remotes (tested on hardware). Brand subdirectories contain model-specific files imported from the Flipper-IRDB community database (CC0 license). See ir_database/SOURCES.md for full attribution.

The subghz_database/ directory contains 313 curated Sub-GHz .sub signal files.

Categories: Outlet switches (179), Doorbells (81), Weather stations (39), Smart home remotes (10), Fans (4).

Imported from the UberGuidoZ/Flipper community repository (GPLv3). See subghz_database/SOURCES.md for full attribution.

The subghz_playlist/ directory contains ready-to-use Sub-GHz playlist files.

Categories: Tesla charge port openers, Doorbells, Fans.

Imported from UberGuidoZ/Flipper (GPLv3). See subghz_playlist/SOURCES.md for attribution.

Copy the directories manually: ir_database/ contents → IR/, subghz_database/ contents → SubGHz/, subghz_playlist/ contents → SubGHz/playlist/.

• MCU: STM32H573VIT6 (Cortex-M33, 250 MHz, 2 MB dual-bank flash, 640 KB RAM)
• Display: 128×64 monochrome (ST7586s)
• WiFi/BT: ESP32-C6 coprocessor (binary SPI protocol — see ESP32 firmware note below)
• RF: Si4463 sub-GHz transceiver (300–928 MHz)
• NFC: ST25R3916 (13.56 MHz)
• RFID: 125 kHz ASK/PSK reader with T5577 write support
• IR: TSOP38238 receiver + IR LED transmitter
• CAN: FDCAN1 on J7 header (requires external transceiver)
• USB: USB-C (CDC + MSC composite)
• Storage: microSD card
• Hardware revision: 2.x

ESP32 firmware required: As of v0.9.1, Hapax uses the sincere360/M1_SiN360_ESP32 binary SPI firmware for the ESP32-C6 coprocessor. This firmware must be installed for WiFi, Bluetooth, and BLE features to work. Flash it via Settings → ESP32 Update (OTA over SPI) or via esptool — no hardware changes required. The stock Espressif AT firmware and older SPI-AT builds are not compatible with v0.9.1+.

Download the latest factory_ESP32C6-SPI-XIAO.bin from the SiN360 ESP32 releases page.

• ARM GCC 14.2+ with CMake and Ninja, or
• STM32CubeIDE 1.17+ (tested with 1.17.0 and 2.1.0)
• Python 3 (for post-build CRC injection)

# Configure
cmake -B build -G Ninja -DCMAKE_BUILD_TYPE=Release

# Build (post-build CRC injection runs automatically)
cmake --build build

The CMake POST_BUILD step automatically runs tools/append_crc32.py to inject CRC and Hapax metadata into the binary. For non-CMake builds (STM32CubeIDE), run manually:

python tools/append_crc32.py build/M1_Hapax_v<VERSION>.bin \
    --output build/M1_Hapax_v<VERSION>_wCRC.bin \
    --hapax-revision 1 --verbose

Replace <VERSION> with the version from m1_fw_update_bl.h (e.g. 0.9.0.1).

Open the project directory in STM32CubeIDE and build.

make

Output: ./artifacts/

See DEVELOPMENT.md for detailed build environment setup and documentation/mbt.md for SRecord/CRC tooling.

Host-side unit tests run on x86 with Address Sanitizer and Undefined Behavior Sanitizer:

cmake -B build-tests -S tests -DCMAKE_BUILD_TYPE=Debug
cmake --build build-tests
ctest --test-dir build-tests --output-on-failure

Hapax is the only M1 firmware fork with automated quality checks. All of these run as GitHub Actions workflows:

All firmware releases are published automatically to GitHub Releases by the CI/CD pipeline. You never need to compile firmware yourself — just pick a method below.

The fastest way to reflash — no software to install. The Web Updater is hosted on GitHub Pages and fetches firmware directly from GitHub Releases. Requires Hapax firmware already running on the M1 (the Web Updater connects over USB Serial, which needs the Hapax RPC interface). For a first install from stock firmware, use Via DFU Mode below.

1. Open the M1 Web Updater in Chrome or Edge
2. Power on the M1 normally so it boots to the regular UI
3. Connect via USB-C
4. Click Connect, select the M1 serial device, pick a firmware release, and flash

Requires a browser with Web Serial support (Chrome 89+ or Edge 89+). Do not use DFU mode for the Web Updater. If the screen stays dark, the device is in DFU mode and will usually not appear as a serial port; use the Via DFU Mode (recovery / first install) section below instead.

Connect to WiFi, then go to Settings → FW Update → Download to browse and install firmware images from GitHub Releases directly to SD card.

1. Power off the M1 (Settings → Power → Power Off → Right Button)
2. Hold Up + OK for 5 seconds to enter DFU mode (screen stays dark)
3. Connect via USB-C
4. Use the DFU Flash page in qMonstatek

To exit DFU mode without flashing, hold Right + Back to reboot.

Connect to the GPIO header (pins 1-18):

1. Connect ST-Link to GPIO pins
2. Connect USB for power and serial console
3. Open serial terminal (PuTTY/Tera Term) at 9600 baud - keep open for logs
4. Build firmware:

   ./build

5. Flash with STM32CubeProgrammer:
   • Click "Connect"
   • Click "Open File" → Select distribution/M1_v*.hex
   • Click "Program"
6. Reset via ST-Link:
   • Click "Reset" button in STM32CubeProgrammer
   • OR use CLI command reboot in serial terminal

Pro tip: Keep the serial terminal open during testing to see debug messages in real-time.

If the device does not boot after programming:

• Use Under Reset + Hardware reset connect mode in STM32CubeProgrammer.
• If PC reads near 0xFFFFFFFE, the mapped boot vector is invalid (often from flashing an image that does not match post-build CRC metadata). Rebuild with ./build clean and reflash distribution/M1_v*.hex.

If you need to flash the firmware directly via USB using STM32CubeProgrammer (without an ST-Link), you must boot the device into DFU Mode using the hardware strap. The software menu option has been removed for reliability.

1. Unplug the USB cable from the M1.
2. Press and hold the UP button on the D-pad.
3. While holding UP, plug the USB cable back in.
4. You will hear a loud "tick" from the speaker. This confirms the hardware strap was detected and the device is now in DFU mode.
5. In STM32CubeProgrammer, select USB from the dropdown menu and click Connect.

To exit DFU mode: Simply unplug the USB cable and plug it back in without holding any buttons to boot into normal firmware.

0:/
├── BadUSB/          DuckyScript .txt files
├── Firmware/        Downloaded firmware images (created by Download feature)
├── IR/              Infrared remote .ir files (see ir_database/)
│   └── Learned/     IR signals recorded by the M1
├── Music/           Flipper Music Format .fmf files
├── NFC/             NFC tag .nfc files
├── RFID/            RFID tag .rfid files
├── SubGHz/          Sub-GHz signal .sub files (see subghz_database/)
│   └── playlist/    Playlist .txt files (see subghz_playlist/)
├── System/          System configuration files
│   └── fw_sources.txt  Firmware download sources (auto-generated, user-editable)
├── apps/            External .m1app applications
├── settings.ini     M1 settings (auto-generated)
└── wifi_cred.ini    Saved WiFi credentials (AES-256 encrypted, auto-generated)

⚠ If you saved Sub-GHz signals using any Hapax firmware build earlier than v0.9.0.124, those files must be deleted and recaptured.

Any .sub or .sgh file that was saved by the Hapax firmware before v0.9.0.124 contains a zeroed key (Key: 0x0) and a blank frequency field due to two bugs that were fixed together in v0.9.0.124:

1. Zero key bug — the legacy save code path did not copy the decoded key value into the signal struct before writing to disk. Every file it produced has Key: 00 00 00 00 00 00 00 00, which causes emulation to transmit all-zero pulses — the gate or remote will not respond.
2. Blank frequency bug — snprintf("%.2f MHz", ...) is a no-op under --specs=nano.specs (newlib-nano) without -u _printf_float, so the Freq: field in the Signal Info screen was empty and the saved value was not useful for diagnosis.

Files NOT affected by this:

How to check a file: Open Sub-GHz → Saved, select the file, press OK → Info. If "Key: 0x0" appears, the file is corrupted by this bug and must be recaptured.

Contributions are welcome. Please see .github/CONTRIBUTING.md for guidelines.

If you're building a companion app or tool that communicates with the M1, the RPC protocol is implemented in m1_csrc/m1_rpc.c and Core/Src/cli_app.c.

This project is licensed under the GNU General Public License v3.0 — see COPYING.txt for details.

Sub-GHz and LF-RFID protocol decoders are derived from the Flipper Zero firmware (GPLv3). Database files are sourced from Flipper-IRDB (CC0) and UberGuidoZ/Flipper (GPLv3). See README_License.md for full component attribution.