jordaeday/minutemesh

minutemesh

This project must be flashed to a development board compatible with MeshCore. You need at least one other node to receive the packets constructed by the firmware.

minutemesh was made to demonstrate a vulnerability in Meshtastic communications (pre-2.8) where a user could craft a packet from any arbitrary source MAC address, which would result in the message being received as if it were sent from the impersonated node.

This vulnerability exists because Meshtastic encrypts packets with AES in counter mode, using as nonce material the destination node ID (which, in the case of channels, is the broadcast ID), the source node ID (which is derived from a user's MAC address and can therefore be set arbitrarily), and a packet ID (whose only restriction is that it should not match one of the last 80 or so messages). Since all of these values can be set by a sender using MeshTNC, a user could impersonate any other user by sending a packet encrypted in exactly the manner Meshtastic encrypts packets.
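To make the point above concrete, here is a small model, added for this page and not code from minutemesh or Meshtastic, of why a receiver in a shared-key channel cannot tell an honest packet from one whose header fields were filled in by another key-holder, and what an origin check would have to add. SHA-256 stands in for the AES block function, the nonce layout, node IDs and keys are constructed for illustration, and the per-node HMAC key stands in for a per-node signing key that a receiver would pin.

```python
import hashlib
import hmac

BROADCAST = 0xFFFFFFFF
CHANNEL_KEY = bytes(range(16))              # constructed: channel key every member holds
ALICE, MALLORY = 0x0A11CE00, 0x0BAD0000    # constructed node IDs (MAC-derived in Meshtastic)

def keystream(key: bytes, dest: int, src: int, packet_id: int, n: int) -> bytes:
    """Counter-mode keystream whose nonce is assembled only from header fields.
    SHA-256 replaces the AES block function so this runs on the standard library;
    the point is that every nonce input is chosen by whoever sends the packet."""
    nonce = b"".join(v.to_bytes(4, "little") for v in (dest, src, packet_id))
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "little")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def ctr_xor(key: bytes, dest: int, src: int, packet_id: int, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, dest, src, packet_id, len(data))))

def receive_unauthenticated(pkt: dict) -> tuple:
    """Receiver that trusts the header: anyone holding CHANNEL_KEY can write any
    node ID into src, and the plaintext is then attributed to that ID."""
    text = ctr_xor(CHANNEL_KEY, pkt["dest"], pkt["src"], pkt["id"], pkt["ct"]).decode()
    return pkt["src"], text

# Mitigation model: each node also holds a key the receiver has pinned for it
# (standing in for a signing key); the tag binds header and ciphertext to that node.
NODE_KEYS = {ALICE: b"alice-secret"}        # the receiver's pinned keys; nothing for MALLORY

def tag(node_key: bytes, pkt: dict) -> bytes:
    hdr = b"".join(pkt[k].to_bytes(4, "little") for k in ("dest", "src", "id"))
    return hmac.new(node_key, hdr + pkt["ct"], hashlib.sha256).digest()

def build(sender_key: bytes, claimed_src: int, packet_id: int, text: str) -> dict:
    pkt = {"dest": BROADCAST, "src": claimed_src, "id": packet_id,
           "ct": ctr_xor(CHANNEL_KEY, BROADCAST, claimed_src, packet_id, text.encode())}
    pkt["tag"] = tag(sender_key, pkt)
    return pkt

def receive_authenticated(pkt: dict):
    """Accept only if the tag verifies under the key pinned for the claimed src."""
    pinned = NODE_KEYS.get(pkt["src"])
    if pinned is None or not hmac.compare_digest(tag(pinned, pkt), pkt["tag"]):
        return None                              # reject: origin cannot be proven
    return receive_unauthenticated(pkt)

if __name__ == "__main__":
    honest = build(NODE_KEYS[ALICE], ALICE, 1, "hi from alice")
    forged = build(b"mallory-secret", ALICE, 2, "still alice?")   # header claims src=ALICE
    print(receive_unauthenticated(forged))       # decrypts fine, attributed to ALICE
    print(receive_authenticated(honest), receive_authenticated(forged))  # (...) and None
```

Dropping the tag and using only `receive_unauthenticated` is the situation the README describes; the channel key proves membership, not origin.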

Background

In August 2025, an exploit named meshmarauder was used to 'poison' the contact lists of users by capturing and rebroadcasting another node's NodeInfo packet after modifying the field containing their public key. Because NodeInfo packets are Trust-on-First-Use, its authors noted that nodes receiving a forged packet would associate the sender's MAC address with the illegitimate public key. In addition, the packet included user "name" information, which was modified to read "[WARNING] Meshtastic is insecure".

Mesh networks are particularly useful in emergency communications, especially when existing infrastructure is unavailable. With this technology currently being pitched for military and first-responder use, keeping these networks secure is of massive importance.

This project highlights numerous issues with Meshtastic's form of authentication in public and private channels by allowing users to send a fake packet at the push of a button. By connecting to the serial port, users may send a packet with an arbitrary user ID and message.

Currently, no countermeasure for this is implemented in the Meshtastic protocol. Users may ignore other users, but doing so ignores the impersonated user, not the attacker.

Usage

Run the ./build.sh script with the argument build-firmware followed by the name of your device.

After flashing the firmware to the device, run the command craft_packet with your message to send the message to the minutemesh channel from the default radio, VimCard. To specify a different "sending" radio, add the MAC address of the radio as an argument before the message.

To specify a different channel, modify MINUTEMESH_KEY located in CraftPacket.h with the channel key and modify the channel hash in CommonCLI.cpp.
