To the untrained eye, the Flipper Zero looks like a toy. It’s a small, orange and white plastic device with a playful, Tamagotchi-like dolphin on its monochrome orange 1.4-inch display. Cute! But in reality, the Flipper Zero is a multi-tool that covers many of your hacking needs. Imagine a Leatherman or a Swiss Army knife but for talking to electronics, and you have a general sense of what the Flipper Zero can do. To nobody’s surprise, it’s open source and was successfully funded on Kickstarter to the tune of roughly $4.6 million.
The Flipper Zero is a Swiss Army knife of antennas
Don’t be fooled by its fun name and Tamagotchi-like interface—this do-everything gadget is trouble waiting to happen and a whole lot more.
What is Flipper Zero?
What really sets it apart from other tools, aside from the stylish Y2K design, is its flexibility. While some tools, like the Chameleon Mini, have a limited number of tools at their disposal, the Flipper has several. It can talk to sub-1GHz devices like old garage doors, both Low- and High-Frequency RFID, NFC cards, Infrared devices, and even Bluetooth. You may have seen viral videos of people using the flipper to mildly annoy Tesla owners by remotely opening up their charging ports — but the real power of the flipper is its versatility. Just about every wireless device is vulnerable to it in some way or another.
INFRARED TRANSCEIVER
Infrared is often used in remote controls for TVs, air conditioners, music systems or even shower toilets. The Flipper Zero comes with a large library of infrared sequences from the best-known television and air-conditioning manufacturers, covering the most common functions. This makes it possible to send all the on/off commands for television sets at the touch of a button, for example, to switch off the desired television. Because the Flipper Zero itself can also receive infrared signals, it is possible to record and play back new remote controls. So to speak the universal remote control in a dolphin costume.
SUB-1 GHZ TRANSCEIVER
The Flipper Zero has a Sub-1 GHz module, located to the left of the display, and can receive and transmit the following frequencies: 300-348 MHz, 387-464 MHz, and 779-928 MHz. It must be said here, however, that depending on the region, it is not possible to transmit on certain frequency bands in the official firmware due to legal requirements. In Switzerland, for example, it is not possible to transmit on 310 MHz, although it is possible to record such signals. The sub-1 GHz module can be used to switch radio-controlled sockets, operate garage doors and also open the flap of the charging port of Tesla vehicles. Many car keys also transmit in this range, but these often use a rolling code.
125KHZ RADIO-FREQUENZ-IDENTIFIKATION (RFID)
At the bottom of the Flipper Zero is a 125kHz antenna, which enables the reading and emulation of RFID cards and chips. More specifically, EM-4100 and HID proximity cards can be read, as these only contain an N-byte ID and do not have an authentication mechanism. An ID can also be added manually to the Flipper Zero.
Through an update of the firmware, the reading of microchips for pets such as dogs and cats is now also possible. At the time of this article, it is unclear whether all microchips used for pets in the world can be read.
NEAR-FIELD COMMUNICATION (NFC)
The Flipper Zero can also read and emulate various types of NFC cards and modules. NFC is a collection of communication protocols that works between two electronic devices at a distance of less than 4 centimetres and at a frequency of 13.56 MHz. NFC is used in many cards and applications in everyday life; contactless payment with debit/credit cards or Apple Pay works via NFC, the SwissPass has an NFC chip which is read during checks and existing tickets are loaded from the SBB servers but can also be used to store and use other tickets such as ski tickets. NFC enables easy pairing of speakers with a smartphone or fast connection in a WLAN network. NFC is also used in smart cards, other access cards and chips instead of 125kHz RFID. Unlike RFID, NFC can communicate both ways and, depending on the configuration, the data on the NFC chip can be overwritten. At the time of writing, Flipper Zero supports the following NFC Type A cards, which are compatible with ISO 14’443:
| Label | Readable | Storable | Emulatable |
|---|---|---|---|
| MIFARE Classic 1K & 4K | Yes | Yes | Whole card |
| MIFARE Ultralight and NTAG | Yes | Yes | Whole card |
| MIFARE DESFire | Non-encrypted data | Non-encrypted data | UID |
| Bank cards | UID, SAK und ATQA | No | No |
| Unknown / other cards | UID, SAK and ATQA | UID, SAK and ATQA | UID |
In addition to NFC type A cards, there are also type B, type F and type V cards, for which the Flipper Zero can read the UID but not store it.
At the beginning of the communication between the reader and the NFC module, the exact technology is communicated so that both use the same protocol. Depending on the type, a different encoding and amplitude modulation is used. Type F NFC is very popular in Japan, where it is used for cashless payments, ticketing, public transport access and personal identification. Type V provides a single communication mode that is compatible with existing ISO 15’693 memory tags.
BLUETOOTH
The Bluetooth Low Energy module in the Flipper Zero enables communication with apps on the smartphone. The Flipper Zero can be controlled via the Flipper app and, for example, sub-GHz commands can be sent. There is also an open source library that can be integrated and used in self-made apps.
GPIO PINS
The built-in GPIO pins on the top of the Flipper Zero allow the multi-tool to be expanded with, for example, a developer board that provides debugging functionality and 2.4GHz WLAN connectivity. Other chips and empty prototyping boards can also be easily connected and custom extensions created. With its USB port and GPIO pins, the Flipper Zero can also be used as a UART, SPI and I2C converter.
IBUTTON
Flipper Zero also has a 1-Wire connector, which enables it to read and save iButtons, write empty so-called keys and emulate the key itself. The necessary pins are located on the back of the Flipper Zero. The 1-Wire protocol has no authentication. iButton is used, for example, in cash register systems in restaurants; each waiter has his own iButton magnetic waiter key, which enables access to the cash register and ordering system in his context.
USB INTERFACE
On the one hand, the firmware can be updated via the USB interface using the qFlipper desktop application, the update is also possible via the Flipper smartphone app. On the other hand, the USB interface allows the Flipper Zero to be used as a BadUSB or as a Universal 2nd Factor (U2F) Security Token. However, it is recommended to use certified U2F security keys for security-sensitive websites/applications.
CONCLUSION
Flipper Zero combines a variety of frequencies and protocols in a form factor that fits easily into a trouser pocket. The existing GPIO pins, the USB interface and the open source software allow expansion in all directions. Further technical details and a good starting point can be found in the online documentation of Flipper Zero itself. We are curious to see where the journey with Flipper Zero will take us. Ah, and of course Doom also runs on the Flipper Zero.
Danial Zahoor
Professional Ethical Hacker and Cybersecurity Researcher with a proven track record in dismantling online threats. Successfully neutralized 4 scammer networks, thwarted 13 phishing schemes, and disrupted 4 kidnapper networks. Committed to ensuring online safety and security, I leverage my expertise to protect individuals and organizations from digital threats. Passionate about cybersecurity education and empowering others to stay safe online.
