Flipper Zero - What Can the Little Hacking Tamagotchi Do

by Ralph Meier
on December 01, 2022
time to read: 9 minutes

Key points

What the Flipper Zero can do

  • Flipper Zero was funded on Kickstarter with more than 4.8 million US dollars
  • It supports a variety of wireless radio standards and protocols
  • Through the existing GPIO pins and the USB interface, many extensions are possible
  • Through the open hardware and software, various community projects have already emerged

The Flipper Zero is a multi-tool for penetration testers and hardware geeks that was launched as a Kickstarter project in July 2020. The campaign's funding goal was reached after only 8 minutes, and in total 4.8 million US dollars were raised. Because of the coronavirus pandemic and the resulting chip shortage, some components had to be replaced, which in turn required adjustments to hardware and software. At the beginning of 2022, the first Flipper Zeros left production and were shipped to their backers.

At the time of writing, the Flipper Zero is considered the Swiss army knife among small portable hacking tools. It comes with many modules for transmitting and receiving on various frequencies and protocols and can also be expanded via its GPIO pins. The firmware and the software around the Flipper Zero, as well as the electronic circuit diagrams, are open source under the GNU General Public License (GPL) v3.0.


Infrared Transceiver

Infrared is often used in remote controls for TVs, air conditioners, music systems or even shower toilets. The Flipper Zero ships with a large library of infrared sequences from the best-known television and air-conditioning manufacturers, covering the most common functions. This makes it possible, for example, to send the on/off commands of all television sets at the touch of a button in order to switch off the desired television. Because the Flipper Zero can also receive infrared signals, new remote controls can be recorded and played back. The universal remote control in a dolphin costume, so to speak.

Sub-1 GHz Transceiver

The Flipper Zero has a Sub-1 GHz module, located to the left of the display, which can receive and transmit on the following frequencies: 300-348 MHz, 387-464 MHz and 779-928 MHz. Note, however, that depending on the region, the official firmware does not allow transmitting on certain frequency bands because of legal requirements. In Switzerland, for example, transmitting on 310 MHz is not possible, although such signals can still be recorded. The Sub-1 GHz module can be used to switch radio-controlled sockets, operate garage doors and also open the charging-port flap of Tesla vehicles. Many car keys also transmit in this range, but they usually use a rolling code.

125 kHz Radio-Frequency Identification (RFID)

At the bottom of the Flipper Zero is a 125 kHz antenna, which enables the reading and emulation of RFID cards and chips. More specifically, EM-4100 and HID proximity cards can be read, as these only contain an N-byte ID and have no authentication mechanism. An ID can also be entered manually on the Flipper Zero.

Through a firmware update, reading the microchips implanted in pets such as dogs and cats is now also possible. At the time of writing, it is unclear whether all microchips used for pets worldwide can be read.
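To make the point about EM-4100 tags concrete: the whole content of such a tag is one repeating 64-bit frame, and every bit of it is derived from the ID. The following encoder/decoder is an added example, not code from the article or the Flipper project; it implements the publicly documented EM4100 frame layout (9 header bits of '1', ten rows of 4 data bits plus an even row-parity bit, four even column-parity bits, a '0' stop bit), and the sample ID is constructed.

```python
"""EM4100 frame encoder/decoder (added example, not Flipper firmware).

A 125 kHz EM4100 tag repeats one 64-bit frame: 9 header bits of '1',
ten rows of 4 data bits + 1 even row-parity bit (40 bits of ID in total),
4 even column-parity bits and a '0' stop bit. The tag carries nothing else:
there is no key, no challenge and no authentication, only the ID and
parity bits that merely detect read errors.
"""

HEADER = "1" * 9   # frame start marker
ID_BYTES = 5       # 40-bit ID: 2 nibbles customer/version + 8 nibbles data


def _even_parity(bits: str) -> str:
    """Parity bit that makes the number of '1's in bits + parity even."""
    return "1" if bits.count("1") % 2 else "0"


def em4100_encode(card_id: bytes) -> str:
    """Build the 64-bit frame (as a '0'/'1' string) for a 5-byte ID."""
    if len(card_id) != ID_BYTES:
        raise ValueError("EM4100 ID must be exactly 5 bytes")
    nibbles = []
    for byte in card_id:
        nibbles.append(f"{byte >> 4:04b}")      # high nibble first
        nibbles.append(f"{byte & 0x0F:04b}")
    rows = "".join(n + _even_parity(n) for n in nibbles)
    columns = "".join(
        _even_parity("".join(n[col] for n in nibbles)) for col in range(4)
    )
    frame = HEADER + rows + columns + "0"
    assert len(frame) == 64
    return frame


def em4100_decode(frame: str) -> bytes:
    """Recover the 5-byte ID from a frame; raise ValueError on any parity error."""
    if len(frame) != 64 or not frame.startswith(HEADER) or frame[-1] != "0":
        raise ValueError("not a well-formed EM4100 frame")
    nibbles = []
    for row in range(10):
        chunk = frame[9 + row * 5 : 9 + row * 5 + 5]
        if _even_parity(chunk[:4]) != chunk[4]:
            raise ValueError(f"row parity error in row {row}")
        nibbles.append(chunk[:4])
    for col in range(4):
        column_bits = "".join(n[col] for n in nibbles)
        if _even_parity(column_bits) != frame[59 + col]:
            raise ValueError(f"column parity error in column {col}")
    return int("".join(nibbles), 2).to_bytes(ID_BYTES, "big")


def is_valid_frame(frame: str) -> bool:
    """True if the frame is well-formed and all parity bits check out."""
    try:
        em4100_decode(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample_id = bytes.fromhex("1D0000A5B7")   # constructed sample, not a real card
    frame = em4100_encode(sample_id)
    print(frame)
    print(em4100_decode(frame).hex())
    # a single flipped data bit is caught by the row and column parity
    damaged = frame[:20] + ("0" if frame[20] == "1" else "1") + frame[21:]
    print(is_valid_frame(frame), is_valid_frame(damaged))
```

The parity only guards against read errors on the air interface; a frame that checks out says nothing about whether the tag that sent it is the original, which is exactly why the article can describe these cards as readable and emulatable.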

Near-Field Communication (NFC)

The Flipper Zero can also read and emulate various types of NFC cards and modules. NFC is a collection of communication protocols that work between two electronic devices at a distance of less than 4 centimetres and at a frequency of 13.56 MHz. NFC is used in many cards and applications in everyday life: contactless payment with debit/credit cards or Apple Pay works via NFC, and the SwissPass has an NFC chip which is read during ticket checks, with the holder's tickets being loaded from the SBB servers; the chip can also be used to store and use other tickets such as ski tickets. NFC enables easy pairing of speakers with a smartphone or a fast connection to a WLAN network. NFC is also used in smart cards and other access cards and chips instead of 125 kHz RFID. Unlike RFID, NFC can communicate in both directions and, depending on the configuration, the data on the NFC chip can be overwritten. At the time of writing, the Flipper Zero supports the following NFC Type A cards, which are compatible with ISO 14443:

Label                         Readable              Storable              Emulatable
MIFARE Classic 1K & 4K        Yes                   Yes                   Whole card
MIFARE Ultralight and NTAG    Yes                   Yes                   Whole card
MIFARE DESFire                Non-encrypted data    Non-encrypted data    UID
Bank cards                    UID, SAK and ATQA     No                    No
Unknown / other cards         UID, SAK and ATQA     UID, SAK and ATQA     UID

In addition to NFC Type A cards, there are also Type B, Type F and Type V cards, for which the Flipper Zero can read the UID but not store it.

At the beginning of the communication between the reader and the NFC module, the exact technology is negotiated so that both use the same protocol. Depending on the type, a different encoding and amplitude modulation is used. Type F NFC is very popular in Japan, where it is used for cashless payments, ticketing, public transport access and personal identification. Type V provides a single communication mode that is compatible with existing ISO 15693 memory tags.
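The "UID, SAK and ATQA" entries in the table above are the three values every ISO 14443 Type A card hands over during anticollision, before any application-level protocol starts, and they are enough to tell the card families apart in most cases. The following classifier is an added example, not Flipper firmware: the SAK/ATQA reference values are quoted from NXP's public application note AN10833 as I remember them (assumption), the meaning of ATQA bits 7-6 (UID size), SAK bit 3 (cascade) and SAK bit 6 (ISO 14443-4 support) comes from ISO/IEC 14443-3, the rule that UID0 = 0x08 marks a random UID is also from ISO/IEC 14443-3, and all sample UIDs are constructed.

```python
"""Decode ATQA / SAK from an ISO/IEC 14443 Type A card (added example).

Not Flipper firmware. During anticollision a Type A card answers with the
Answer To Request (ATQA, 2 bytes), its UID and a Select Acknowledge (SAK,
1 byte). The SAK/ATQA reference values below are taken from NXP application
note AN10833 (assumption: quoted from memory), so treat the mapping as a
heuristic: these values are set by the chip and a clone can present any of them.
"""
from dataclasses import dataclass

# SAK with the cascade bit (0x04) masked off -> card family
SAK_FAMILY = {
    0x00: "MIFARE Ultralight and NTAG",
    0x08: "MIFARE Classic 1K",
    0x09: "MIFARE Mini",
    0x18: "MIFARE Classic 4K",
    0x20: "ISO 14443-4 card",   # DESFire, bank/EMV cards and many others
}

# What the Flipper Zero does with each family, taken from the table above
# as (readable, storable, emulatable). Bank cards are a 14443-4 card whose
# EMV nature only shows in the ATS; the table gives them "no" / "no".
FLIPPER_SUPPORT = {
    "MIFARE Classic 1K": ("yes", "yes", "whole card"),
    "MIFARE Classic 4K": ("yes", "yes", "whole card"),
    "MIFARE Ultralight and NTAG": ("yes", "yes", "whole card"),
    "MIFARE DESFire": ("non-encrypted data", "non-encrypted data", "UID"),
}
OTHER_SUPPORT = ("UID, SAK and ATQA", "UID, SAK and ATQA", "UID")


@dataclass
class CardInfo:
    family: str
    uid_size: int        # 4, 7 or 10 bytes, announced in ATQA bits 7-6
    iso14443_4: bool     # SAK bit 6: card speaks ISO 14443-4 (APDUs)
    uid_complete: bool   # SAK bit 3 clear: no further cascade level pending
    random_uid: bool     # UID0 == 0x08 marks a random, per-activation UID
    flipper: tuple       # (readable, storable, emulatable) from the table


def classify(atqa: int, sak: int, uid: bytes) -> CardInfo:
    """Map the anticollision values of a Type A card to a family and its properties."""
    uid_size = {0: 4, 1: 7, 2: 10}.get((atqa >> 6) & 0x03, 0)
    iso4 = bool(sak & 0x20)
    cascade = bool(sak & 0x04)
    family = SAK_FAMILY.get(sak & ~0x04 & 0xFF, "Unknown / other")
    if family == "ISO 14443-4 card":
        # DESFire announces ATQA 0x0344 (7-byte UID); other 14443-4 cards,
        # bank cards among them, need the ATS to be told apart reliably
        if atqa == 0x0344:
            family = "MIFARE DESFire"
        else:
            family = "ISO 14443-4 card (bank/EMV or other)"
    # A random UID changes on every activation and must not be used as an identity
    random_uid = uid_size == 4 and len(uid) == 4 and uid[0] == 0x08
    return CardInfo(
        family=family,
        uid_size=uid_size,
        iso14443_4=iso4,
        uid_complete=not cascade,
        random_uid=random_uid,
        flipper=FLIPPER_SUPPORT.get(family, OTHER_SUPPORT),
    )


if __name__ == "__main__":
    # constructed samples, not real cards
    for atqa, sak, uid in [
        (0x0004, 0x08, bytes.fromhex("A1B2C3D4")),        # MIFARE Classic 1K
        (0x0344, 0x20, bytes.fromhex("04112233445566")),  # MIFARE DESFire
        (0x0004, 0x20, bytes.fromhex("08112233")),        # 14443-4 card, random UID
    ]:
        print(classify(atqa, sak, uid))
```

For access-control or ticketing systems the `random_uid` and `iso14443_4` flags are the interesting ones: a system that keys on the UID of a card whose UID is random or trivially emulatable (every row of the table with "UID" under emulatable) has no real authentication, regardless of what the card's application layer could offer.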

Bluetooth

The Bluetooth Low Energy module in the Flipper Zero enables communication with apps on a smartphone. The Flipper Zero can be controlled via the Flipper app, and sub-GHz commands, for example, can be sent from there. There is also an open source library that can be integrated into and used in self-made apps.

GPIO Pins

The built-in GPIO pins on the top of the Flipper Zero allow the multi-tool to be expanded, for example with a developer board that provides debugging functionality and 2.4 GHz WLAN connectivity. Other chips and blank prototyping boards can also be connected easily and custom extensions created. With its USB port and GPIO pins, the Flipper Zero can also be used as a UART, SPI and I2C converter.

iButton

The Flipper Zero also has a 1-Wire connector, which enables it to read and save iButtons, write blank keys and emulate a key itself. The necessary pins are located on the back of the Flipper Zero. The 1-Wire protocol has no authentication. iButtons are used, for example, in cash register systems in restaurants: each waiter has their own magnetic iButton waiter key, which gives access to the cash register and ordering system in their context.
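What "no authentication" means for an iButton key can be seen from what the key actually returns: a DS1990A-style key answers the READ ROM command with 64 bits consisting of a family code, a factory serial number and a CRC, and nothing else. The parser below is an added example, not Flipper code; it implements the Dallas/Maxim 1-Wire CRC-8 (polynomial x^8 + x^5 + x^4 + 1, processed LSB first), and the reference ROM is the example vector from Maxim's application note 27 as I remember it (assumption; its CRC does check out).

```python
"""Parse and verify a DS1990A-style iButton ROM (added example, not Flipper code).

A 1-Wire iButton key answers READ ROM with 64 bits and nothing more: an
8-bit family code, a 48-bit factory serial number and an 8-bit CRC. The CRC
only protects against read errors on the wire; there is no secret and no
challenge, so a reader cannot distinguish the original key from anything
else that returns the same 64 bits.
"""


def crc8_dallas(data: bytes) -> int:
    """Dallas/Maxim 1-Wire CRC-8 (x^8 + x^5 + x^4 + 1), LSB first, reflected 0x8C."""
    crc = 0
    for byte in data:
        for _ in range(8):
            mix = (crc ^ byte) & 0x01
            crc >>= 1
            if mix:
                crc ^= 0x8C
            byte >>= 1
    return crc


def parse_rom(rom: bytes) -> dict:
    """Split a 64-bit ROM given in 1-Wire order: family, serial LSB..MSB, CRC."""
    if len(rom) != 8:
        raise ValueError("1-Wire ROM is exactly 8 bytes")
    expected = crc8_dallas(rom[:7])
    if rom[7] != expected:
        raise ValueError(f"CRC mismatch: got {rom[7]:02X}, expected {expected:02X}")
    return {
        "family": rom[0],
        "serial": int.from_bytes(rom[1:7], "little"),
        "crc": rom[7],
    }


def is_valid_rom(rom: bytes) -> bool:
    """True if the ROM has the right length and its CRC matches."""
    try:
        parse_rom(rom)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Reference vector from Maxim application note 27 (assumption: from memory):
    # family 02, serial 00 00 00 01 B8 1C, CRC A2, bytes in wire order.
    rom = bytes.fromhex("021CB801000000A2")
    info = parse_rom(rom)
    print(f"family 0x{info['family']:02X} serial {info['serial']:012X} crc 0x{info['crc']:02X}")
    # a bit flip during the read is caught by the CRC; an exact copy is not
    print(is_valid_rom(rom), is_valid_rom(bytes([rom[0] ^ 0x01]) + rom[1:]))
```

A useful property for checking a capture: running the CRC over all 8 bytes, CRC included, yields 0 for a correctly read ROM, which is how 1-Wire masters commonly validate the response.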

USB Interface

On the one hand, the firmware can be updated via the USB interface using the qFlipper desktop application; the update is also possible via the Flipper smartphone app. On the other hand, the USB interface allows the Flipper Zero to be used as a BadUSB device or as a Universal 2nd Factor (U2F) security token. For security-sensitive websites and applications, however, certified U2F security keys are recommended.

Conclusion

Flipper Zero combines a variety of frequencies and protocols in a form factor that fits easily into a trouser pocket. The existing GPIO pins, the USB interface and the open source software allow expansion in all directions. Further technical details and a good starting point can be found in the online documentation of Flipper Zero itself. We are curious to see where the journey with Flipper Zero will take us. Ah, and of course Doom also runs on the Flipper Zero.

About the Author

Ralph Meier

Ralph Meier completed an apprenticeship as an application developer, with a focus on web development with Java, at a major Swiss bank and then completed a Bachelor of Science in Computer Science UAS Zurich at the ZHAW School of Engineering. His primary task is doing security-related analysis of web applications and services. (ORCID 0000-0002-3997-8482)
