Flipper Zero Volume 4 — Sub-GHz Radio (CC1101)

Register-level CC1101 theory + the firmware protocol catalog + when the external amp earns its keep

Contents

Section   Topic
1         About this Volume
2         The Chip in One Page
3         The Register Set That Matters
4         Frequency, Channel BW, Data Rate — the relationships you need to know
5         The Flipper Sub-GHz App — what it actually does
  5.1     Read
  5.2     Read RAW
  5.3     Frequency Analyzer
  5.4     Add Manually
  5.5     Static / Rolling
6         The Protocol Catalog
7         RAW Captures and Decoding Workflow
8         The Regional Bypass Reality
9         The External CC1101 Module Story
  9.1     What it does
  9.2     How firmware picks between internal and external
  9.3     Pin mapping
  9.4     When the external amp is the wrong tool
10        The CC1101 vs HackRF Decision
11        Common Bench Recipes
  11.1    Garage door audit
  11.2    Weather station capture
  11.3    Range testing
12        What’s next

1. About this Volume

The CC1101 is the radio that does most of what people buy a Flipper for — garage doors, weather stations, IoT sensors, key fobs. This volume covers the chip at the register level, the firmware abstraction layered above it, the protocol catalog, the on-device workflow (Read / Read RAW / Frequency Analyzer / Add Manually), the regional-bypass story, and the “when-do-I-stop-using-Flipper-and-use-HackRF” decision.

2. The Chip in One Page

TI CC1101 — single-chip sub-1 GHz transceiver, integrated PA, SPI bus. The exhaustive answer is in the datasheet (literature ID SWRS061I [1]); what you actually need on the bench:

Spec             Value
Frequency bands  300–348 / 387–464 / 779–928 MHz
Modulation       OOK, 2-FSK, GFSK, MSK, 4-FSK
Data rate        0.6–600 kbps
RX sensitivity   −116 dBm @ 0.6 kBd 2-FSK
TX power         −30 dBm to +12 dBm
Bus              SPI (CS, SCK, MOSI, MISO) + 2 GDO IRQ pins
FIFO             64 bytes RX + 64 bytes TX
Channel BW       58 kHz–812 kHz programmable
State machine    19 states, mostly auto-managed

The Flipper’s onboard CC1101 is in a SAW-filtered, L-network-matched front-end biased toward 433 MHz. 868/915 MHz operation is functional but with worse return loss; this is the dominant reason an external CC1101 module + tuned antenna gives a 10–20× range improvement on those bands.

3. The Register Set That Matters

47 configuration registers (datasheet Tbl 5). About a dozen are touched per protocol; the rest are set once at init.

IOCFG2/1/0     What the GDO pins assert (sync-found, RX threshold, etc.)
FIFOTHR        FIFO threshold for IRQs
SYNC1/0        Sync-word value, 16 bits
PKTLEN         Packet length (fixed/variable/infinite)
PKTCTRL1/0     Address check, append-status, CRC, packet format
ADDR           Address for filtering
FSCTRL1/0      Frequency synthesizer IF + offset
FREQ2/1/0      Carrier frequency (24-bit divider value)
MDMCFG4/3/2/1/0  Modem config — modulation, data rate, channel BW
DEVIATN        FSK frequency deviation
MCSM2/1/0      Main state-machine config (auto-cal, RXOFF behavior)
FOCCFG         Frequency offset compensation
BSCFG          Bit synchronization
AGCCTRL2/1/0   AGC config
WOREVT1/0      Wake-on-radio event timer
WORCTRL        Wake-on-radio control
FREND1/0       Front-end RX/TX
FSCAL3/2/1/0   Frequency synthesizer calibration
RCCTRL1/0      RC oscillator config
TEST2/1/0      Test settings (factory)
PARTNUM/VERSION  Read-only chip ID
PATABLE        TX power table (8 entries × 8 bits)

Flipper firmware’s sub-GHz preset files are essentially dumps of these registers — typically generated from TI’s SmartRF Studio desktop app. Adding a new modulation profile is “set up the registers in SmartRF, dump to .ini, port to a Flipper protocol descriptor, write a parser” — Vol 7 walks through the parser side.

4. Frequency, Channel BW, Data Rate — the relationships you need to know

F_carrier = FREQ_REG[23:0] × f_xosc / 2^16            (f_xosc = XOSC = 26 MHz on Flipper)

R_data    = (256 + DRATE_M) × 2^DRATE_E × f_xosc / 2^28

CHANBW    = f_xosc / (8 × (4 + CHANBW_M) × 2^CHANBW_E)

f_dev     = (8 + DEVIATN_M) × 2^DEVIATN_E × f_xosc / 2^17

Useful corollaries:

  • For a known data rate (say, 1.2 kbaud OOK common in fobs), you can read these formulas backwards to derive MDMCFG3/4.
  • For weak signals, narrow the channel BW and slow the data rate; you trade Doppler tolerance for noise floor.
  • For CCA / collision avoidance, set MCSM1.CCA_MODE = 11b (RSSI below threshold AND not currently receiving a packet).
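The four relationships above carried through in code, as an added worked example (not Flipper firmware): it decodes FREQ2/1/0, MDMCFG4/3 and DEVIATN into carrier, data rate, channel BW and deviation, and also runs corollary 1 backwards, deriving MDMCFG4/3 from a target data rate. It assumes the Flipper's 26 MHz crystal and the datasheet field positions named in each docstring; the round-trip values used below (0x10B071 for 433.92 MHz, MDMCFG4/3 = 0xF5/0x83 for 1.2 kBaud) are the ones SmartRF Studio exports emit.

```python
# CC1101 register <-> RF parameter helpers for the four relationships above.
# Added worked example, not Flipper firmware code. Assumes the Flipper's
# 26 MHz crystal and the datasheet field positions noted in each docstring.
import math

F_XOSC = 26_000_000  # Hz, Flipper Zero crystal

def carrier_hz(freq2, freq1, freq0):
    """FREQ2/1/0 form one 24-bit value: f = FREQ * f_xosc / 2^16."""
    freq = (freq2 << 16) | (freq1 << 8) | freq0
    return freq * F_XOSC / 2**16

def carrier_regs(f_hz):
    """Inverse: nearest FREQ2/1/0 bytes for a target carrier."""
    freq = round(f_hz * 2**16 / F_XOSC)
    return (freq >> 16) & 0xFF, (freq >> 8) & 0xFF, freq & 0xFF

def data_rate_baud(mdmcfg4, mdmcfg3):
    """DRATE_E = MDMCFG4[3:0], DRATE_M = MDMCFG3[7:0]."""
    drate_e = mdmcfg4 & 0x0F
    return (256 + mdmcfg3) * 2**drate_e * F_XOSC / 2**28

def data_rate_regs(baud, mdmcfg4):
    """Inverse (corollary 1): keep MDMCFG4's CHANBW bits, fill DRATE_E/M.
    Datasheet procedure: E = floor(log2(R * 2^20 / f_xosc)), then M; a
    mantissa that rounds to 256 means bump E and restart M at 0."""
    drate_e = int(math.log2(baud * 2**20 / F_XOSC))
    drate_m = round(baud * 2**28 / (F_XOSC * 2**drate_e)) - 256
    if drate_m > 255:
        drate_e, drate_m = drate_e + 1, 0
    return (mdmcfg4 & 0xF0) | drate_e, drate_m

def channel_bw_hz(mdmcfg4):
    """CHANBW_E = MDMCFG4[7:6], CHANBW_M = MDMCFG4[5:4]."""
    chanbw_e, chanbw_m = (mdmcfg4 >> 6) & 0x3, (mdmcfg4 >> 4) & 0x3
    return F_XOSC / (8 * (4 + chanbw_m) * 2**chanbw_e)

def deviation_hz(deviatn):
    """DEVIATION_E = DEVIATN[6:4], DEVIATION_M = DEVIATN[2:0]."""
    dev_e, dev_m = (deviatn >> 4) & 0x7, deviatn & 0x7
    return (8 + dev_m) * 2**dev_e * F_XOSC / 2**17
```

Feed it a preset's MDMCFG4 and you get the 58 kHz / 812.5 kHz channel-BW extremes from the spec table; feed it a target baud rate and you get the register pair to paste into a preset.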

5. The Flipper Sub-GHz App — what it actually does

5.1 Read

“Sub-GHz → Read” runs the CC1101 through a list of preset configurations (Princeton, CAME, NICE, FAAC, Holtek, KeeLoq, Star Line, etc.), one at a time, listening on a frequency you select (default 433.92 MHz). When a packet is captured that matches the active preset’s framing, the parser fires, the result lands on screen and gets saved to /ext/subghz/<protocol>/<timestamp>.sub.

This is the easy path — works for any protocol Flipper firmware already recognizes.

5.2 Read RAW

Captures the demodulated bit stream as a raw timing series, no parser involved. Output is a long list of ON/OFF durations in .sub format with Protocol: RAW header. This is what you use when you don’t know the protocol yet — you replay the raw timings and see if the device responds.

Read RAW also feeds into reverse-engineering: pull the .sub off the SD, look at the timings, recognize the modulation by eye or with Universal Radio Hacker (URH), write a parser.

5.3 Frequency Analyzer

Scans the chip’s RSSI register across a frequency range (typically 300–928 MHz with regional gaps), reports the strongest signal. It does not show a spectrogram — it shows one number, RSSI in dB, and which frequency it came from. That’s why this is a frequency finder and not a frequency analyzer in the usual sense. To actually see what’s on the band, use an RTL-SDR or HackRF with GQRX.

5.4 Add Manually

UI for entering a captured value (button code, manufacturer code, etc.) that the parser then frames into a complete packet for replay. Useful when you have the raw value from a teardown or an OEM datasheet but not a captured .sub.

5.5 Static / Rolling

For static-code remotes (most cheap garage openers), Read → save → Send is all you need. For rolling-code systems (KeeLoq with manufacturer secret, AES-rolling, modern car fobs) the captured sequence is good for exactly one transmission and the receiver expects the next sequence — replay attacks fail. The Flipper firmware will parse and decode some rolling-code formats but TX’ing back is generally useless.

6. The Protocol Catalog

Stock firmware (OFW + Momentum) ships parsers for at least the following (non-exhaustive — both projects add new ones in updates):

Family                Examples
Generic OOK           Princeton, CAME, NICE FLO/SMILO/SMILO_24, FAAC, Came/Atomo, BinRAW
KeeLoq family         KeeLoq 64-bit, KeeLoq 96-bit, JCM, Honda
Doitrand-style        DoorHan, Beninca
Brand fobs            BFT, Pujol, Holtek, Star Line, Hörmann, Genie Intellicode
HCS family            HCS200, HCS300, HCS301 (KeeLoq variants)
Sensors               LaCrosse, Acurite, Oregon Scientific weather, RAVEN, Ambient
Gates / barriers      Linear MegaCode, Magellan
Tire-pressure (TPMS)  Several brands — receive only
Generic               RAW (always available; replay-only)

The list grows with firmware updates. A community-maintained matrix lives on awesome-flipperzero (djsime1’s catalog). A few protocols are firmware-specific — for example, SecurityPlus 2.0 (LiftMaster modern fobs) is supported on Unleashed but blocked on OFW.

7. RAW Captures and Decoding Workflow

Flipper:
  Sub-GHz → Frequency Analyzer → set the frequency you found
        → Read RAW → press the unknown remote → save .sub

Pull SD card to PC:
  Open the .sub in a text editor — it's plain text:
    Filetype: Flipper SubGhz RAW File
    Version: 1
    Frequency: 433920000
    Preset: FuriHalSubGhzPresetOok650Async
    Protocol: RAW
    RAW_Data: 416 -240 416 -240 832 ...

Universal Radio Hacker (URH) recipe:
  pip install urh
  urh
  → "Open file → import as IQ data" does not work directly: URH wants samples,
    and a .sub holds demodulated timings, not IQ.
  → Easier: feed the RAW timings into rtl_433 -A (manual analysis) or
  → Use the Flipper-Zero-Sub-GHz-RAW-Decoder web tool
    (community: github.com/Tobi-r9/Sub-GHz-RAW-Decoder)
  → Manually inspect the inter-pulse gap pattern; identify the modulation
    (OOK / 2-FSK), the bit rate, the framing; write a parser.
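A parser for the .sub layout shown above, as an added example (not Flipper firmware or URH code): it separates the header from the RAW_Data series, buckets ON and OFF durations with a jitter tolerance, and reports pulse widths, the frame gap and the frame count, which is the inter-pulse-gap inspection the last step describes. The capture embedded in it is constructed (a 2:1 PWM-style OOK burst, two frames), not a recording of any device.

```python
# Inspect a Flipper 'Protocol: RAW' .sub capture. Added worked example, not
# Flipper firmware or URH code. SAMPLE_SUB is constructed (2:1 PWM-style OOK).
from collections import Counter

SAMPLE_SUB = """\
Filetype: Flipper SubGhz RAW File
Version: 1
Frequency: 433920000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: RAW
RAW_Data: 416 -240 416 -240 832 -240 416 -240 832 -240 416 -12000
RAW_Data: 416 -240 416 -240 832 -240 416 -240 832 -240 416 -12000
"""

def parse_sub(text):
    """Split 'Key: value' header lines from the RAW_Data series. Positive
    durations (us) are carrier ON, negative OFF; RAW_Data lines concatenate."""
    header, timings = {}, []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "RAW_Data":
            timings.extend(int(t) for t in value.split())
        elif key:
            header[key.strip()] = value.strip()
    return header, timings

def bucket(durations, tolerance=0.25):
    """Cluster durations within +/-tolerance of a cluster's first value (absorbs jitter)."""
    centres = Counter()
    for d in durations:
        for c in centres:
            if abs(d - c) <= tolerance * c:
                centres[c] += 1
                break
        else:
            centres[d] += 1
    return centres

def summarise(timings):
    """The numbers to read off before picking a framing hypothesis."""
    on = bucket(t for t in timings if t > 0)
    off = bucket(-t for t in timings if t < 0)
    frame_gap = max(off)  # longest OFF gap separates frames
    return {
        "on_widths_us": dict(on), "off_widths_us": dict(off),
        "pulse_ratio": round(max(on) / min(on), 1),  # 2.0: long pulse = 2 x short
        "frame_gap_us": frame_gap, "frames": off[frame_gap],
        "symbols_per_frame": sum(on.values()) // off[frame_gap],
    }
```

A single ON width with two OFF widths points at PDM; two ON widths against one short OFF width, as here, points at PWM, and the shortest width is your candidate bit period for the parser.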

When the captured signal looks weird — wrong frequency offset, marginal sensitivity — that’s usually antenna or front-end matching, not protocol. A retune to 433.92 ± a few kHz on a fixed protocol can fix it; a Flipper in a coat pocket loses 3–6 dB vs in your hand.

8. The Regional Bypass Reality

Flipper’s CC1101 is physically capable of TX at any frequency in its band. OFW restricts TX based on the regional RegionData file (US: no 433.05–434.79; EU: 868.0–868.6 only at +14 dBm with duty-cycle limits). Custom firmwares lift the software check.

The radio regulators don’t care about software toggles. If you TX in a band you’re not licensed for, with power you’re not authorized for, that’s a regulatory violation regardless of which firmware permitted it. ETSI and FCC enforcement is rare for low-power devices in normal operation but real for sustained TX, jamming, and intentional transmission outside licensed bands. Lab use on owned equipment with appropriate dummy loads / Faraday cage is the right posture.

See _shared/legal_ethics.md.

9. The External CC1101 Module Story

9.1 What it does

An external CC1101 module is a second CC1101 chip on the GPIO header, typically with:

  • A purpose-built antenna (typically a 433 MHz quarter-wave or a tuned spring + matching network)
  • An optional LNA (low-noise amplifier on the RX path, ~12–15 dB improvement in sensitivity)
  • An optional PA (power amplifier on the TX path, +13 to +20 dBm output vs the internal CC1101’s +12 dBm max)

Together: 5–10 m onboard → 70–150 m external. The biggest wins are on the TX side for fobs/garage doors and on the RX side for weak signal hunting (weather stations, distant TPMS).

9.2 How firmware picks between internal and external

  • Stock OFW: the user toggles in Sub-GHz → Settings → Radio. Manual.
  • Momentum / Unleashed / RogueMaster: auto-detect on boot via the external CS line. If detected, “External” appears as default.
  • Only one CC1101 is active at a time: both sit on the same SPI bus segment, and the firmware selects between them by switching the chip select.

9.3 Pin mapping

External CC1101 modules typically use the standard “Sub-GHz module pinout”:

Flipper pin  Net          CC1101
9            3V3          VCC
8            GND          GND
4            PA4 (CS)     CSn
5            PB3 (SCK)    SCLK
2            PA7 (MOSI)   MOSI
3            PA6 (MISO)   MISO
17           PB14 / 1W    GDO0 (IRQ)
6            PB2          GDO2 (IRQ)

Vendors: rg4geek, Mayhem XLabs, JustCallMeKoko. ~$25–60. Verify the silk on the module before trusting the pinout — community modules occasionally swap GDO0/GDO2.

9.4 When the external amp is the wrong tool

For receive-only spectrum survey or wideband sniffing, the external amp is the wrong shape — it’s a packet radio, not an SDR. Use RTL-SDR ($30 receive-only) or HackRF One (transmit + receive) — see Vol 11 §3 for the companion-mode workflow.

10. The CC1101 vs HackRF Decision

Job                                                 Right tool                     Why
Capture and replay a known-protocol fob             Flipper CC1101                 On-device parser, walking protocol catalog
Wideband spectrum survey (any band, modulation)     HackRF One                     IQ streaming + GNU Radio
Modulation reverse-engineering (URH protocol RE)    HackRF or RTL-SDR              Need IQ samples, not bit stream
Long-range field replay 70–150 m                    Flipper + external CC1101 amp  Right form factor
TX above +20 dBm, custom waveforms                  HackRF                         Higher TX power, fully programmable
Multi-channel capture (sniff multiple cars / fobs)  HackRF + GR-Block              Flipper does one channel at a time
Subcarrier digital decode (DPMR, dPMR, TETRA)       HackRF + DSD                   Flipper has no decoder
Casual on-device test / show-and-tell               Flipper                        Pulls out of pocket

The pattern: Flipper for known-protocol field work, HackRF for unknown-protocol reverse-engineering. They’re complementary, not redundant.

11. Common Bench Recipes

11.1 Garage door audit

  1. Sub-GHz → Frequency Analyzer → standing 1 m from garage opener.
  2. Press fob — note frequency (typically 300–315 MHz US, 433.92 MHz EU).
  3. Sub-GHz → Read → press fob again. If a parser fires (Princeton, Holtek, Linear MegaCode, KeeLoq), you’ve got a static-code or known-rolling-code system.
  4. Read RAW for unknown protocols.
  5. Disclosure: static codes can be replayed; rolling codes generally can’t. Either way, do this on your own door.

11.2 Weather station capture

  1. Frequency Analyzer near the sensor head; typical frequency 433.92 MHz.
  2. Read with Acurite / LaCrosse / Oregon presets. The captured data should include sensor ID, temperature, humidity.
  3. To decode for logging, pull the captured .sub and run through rtl_433 -r if it has a matching decoder.

11.3 Range testing

Use the Test Mode in Sub-GHz settings to TX a continuous signal at a known frequency / power. Walk away with a second device (RTL-SDR + GQRX) and watch RSSI fall. The transition from “clean” to “intermittent” to “silence” tells you your usable range envelope.

12. What’s next

Vol 5 — RFID and NFC. The 125 kHz LF subsystem, the 13.56 MHz ST25R3916, MIFARE Classic mfkey32 + nested attacks, magic cards, the emulation-vs-cloning distinction, and where Proxmark3 takes over.

Footnotes

  1. TI, CC1101 Low-Power Sub-1 GHz RF Transceiver datasheet, SWRS061I, https://www.ti.com/lit/ds/symlink/cc1101.pdf.