Reference

All Arguments

Every flag WiFuX accepts — organized by category. Search or filter to find what you need.

⌕

Required1 flag

-i, --interface

<wlan0>

WiFi interface name. Always required. Usually wlan0 on Android.

Target2 flags

-b, --bssid

<MAC>

Target router MAC address. If omitted, WiFuX scans and lets you pick.

-p, --pin

<PIN>

Try a specific WPS PIN manually instead of automated attack.

Attack6 flags

-K, --pixie-dust

—

Pixie Dust. Fast offline PIN extraction from WPS handshake. Try this first.

-F, --pixie-force

—

Pixie Dust full range. Tries broader nonce range for partially patched routers.

-B, --bruteforce

—

Smart Bruteforce. Tries all WPS PINs with session saving. Works on any WPS router.

--pbc

—

Push Button Connect mode. Authenticates when WPS button on router is pressed.

--auto

—

One-Pass Area Scanner. Tries every visible network once, skips attacked BSSIDs.

-X, --show-pixie-cmd

—

Print the exact pixiewps command being executed.

Timing8 flags

-d, --delay

<sec>

Delay in seconds between each WPS attempt. Reduces lockout risk.

-t, --timeout

<sec>

WPS response timeout. Default: 10s. Increase for slow or distant routers.

-T, --m57-timeout

<sec>

M5/M7 message timeout. Default: 0.40s. Increase for slow APs.

--lock-delay

<sec>

Wait time after router WPS lock. Default: 60s.

--fail-wait

<sec>

Pause duration after 10 consecutive failures.

--recurring-delay

<X:Y>

Pause Y seconds every X attempts. Format: 10:5 = pause 5s every 10 tries.

--auto-timeout

<sec>

Pixie Dust timeout per network in --auto mode. Default: 30s.

--auto-pin-timeout

<sec>

PIN attempt timeout per network in --auto mode. Default: 15s.

Bruteforce3 flags

-g, --max-attempts

<n>

Maximum PIN attempts. 0 = unlimited.

-L, --ignore-locks

—

Ignore router WPS lock and keep attacking.

-M, --mac-changer

—

Rotate MAC address on every attempt.

Session3 flags

--resume-session

<BSSID>

Resume a saved bruteforce session from its last PIN mask.

--list-sessions

—

Show all saved sessions with BSSID and progress.

--auto-reset

—

Clear --auto mode attack history.

Output7 flags

--html-report

—

Generate HTML report after the session.

--report-format

<fmt>

Report format: html, txt, csv, or json.

--detailed-report

—

Include signal, channel and source in the report.

--json-output

<file>

Append cracked result to a JSON file.

--csv-output

<file>

Append cracked result to a CSV file.

--log-file

<file>

Write all activity to a log file.

--write-legacy

—

Also save in legacy stored.txt / stored.csv format.

Recon8 flags

--signal-analysis

—

Run 5 scans for avg/min/max signal per AP before attacking.

--detect-weak-algo

—

Highlight routers with weak WPS chipsets (Realtek, Broadcom, Atheros, MediaTek).

--check-vuln

—

Show full vulnerability report for target before attacking.

--auto-vuln-list

—

Automatically add cracked BSSIDs to the vulnerability list.

-r, --reverse-scan

—

Show scanned network list in reverse order.

--pixie-list

—

Print all router models in the Pixie Dust vulnerability database.

--list-all-models

—

Print all vendor and model entries in the router database.

--pin-algo

<algo>

Use a specific WPS PIN generation algorithm.

Android4 flags

--dts

—

Don't touch Android WiFi settings. Manage interface directly.

--handle-rfkill

—

Auto-unblock WiFi if rfkill is blocking the interface.

--mtk-wifi

—

Enable MediaTek wmtWifi driver for MTK-based Android devices.

--iface-down

—

Bring interface down after the session ends.

Other4 flags

-v, --verbose

—

Show detailed debug output — every packet and handshake step.

-l, --loop

—

Loop mode — restart network scan automatically after finishing.

--no-colors

—

Disable ANSI colors — for piping to a log file.

-h, --help

—

Show help message and exit.