Flipper Zero: A Hacker Multi-Tool for Geeks
Flipper Zero, a hacker “multi-tool” created by a team of Russian developers, has become quite famous. At the beginning of 2021 the project raised almost $5 million on Kickstarter; the community then followed all the ups and downs of production with interest, and now the difficulties have moved to distribution and delivery. I have already received my unit and will describe how I use it day to day, to help you decide whether you urgently need a Flipper of your own.
It has been more than a year since the first backers received their devices, but the hype around Flipper Zero keeps growing. Millions of views of script-kiddie videos on TikTok, reviews on well-known channels such as Linus Tech Tips, news about Flipper shipments being confiscated and destroyed, and even a sales ban on Amazon and eBay only fuel interest in the device. Advertisements for access control system (ACS) components already say “Flipper Zero will not work!”. Demand is so high that drops of new batches are announced in advance and sell out instantly. Meanwhile, scammers trying to cash in on the hype are not idle either.
At the same time, newly minted owners who bought into the hype ask over and over on the Flipper subreddit: “What do I do with it?” The most common answer: “Play Snake and open Tesla charge ports.”
Let’s go through the Flipper’s capabilities available in the factory firmware together and try to understand what potential applications it will find in the life of a geek.
After unpacking, the Flipper turned on quickly and was immediately ready to go. All it needed was a microSD card and a firmware update.
Sub-GHz
Let’s start with what I consider the most interesting function. Flipper can receive, record and replay radio signals in certain bands at frequencies up to 1 GHz, but with the stock firmware transmission is only allowed within the bands permitted for the selected region. For my country these bands are the same as for Russia: 433.05-434.79 MHz, 868.15-868.55 MHz, 915 MHz and 925 MHz.
Judging by my limited experience and a quick look at online marketplaces, most parking barriers in our region operate at 433.92 MHz and use a static code. This means the remote’s signal is easy to receive and store in the Flipper for later use.
Of course, this does not apply to paid underground parking, private houses and the like, which usually have more advanced access control systems. But barrier codes in the closed courtyards of apartment buildings, in small private lots and in office parking lots copy perfectly.
Barrier in the parking lot
My own building uses exactly such a barrier, with an inexpensive remote, to control entry to the grounds. Copying the signals of all three of its buttons took less than a minute in total, and the signal recorded on the Flipper works fine, no worse than the remote itself.
To record, select Read in the Sub-GHz menu and set the center frequency, which is usually printed on the remote. Press each button in turn; the Flipper detects and demodulates the signals, and all that remains is to save them under some name.
My next victim was the remote for the underground parking gate. I had little hope for it: unlike the barrier remote, it required a deposit equivalent to 3.5 thousand rubles, and the local radio market flatly refused to copy it, repeating “Rolling code, rolling code”.
Yet with the same settings the Flipper identified the signal source as Marantec, which matched the label on the remote itself. Both buttons were recorded successfully and work perfectly. Even the range is the same for the remote and the Flipper.
Bottom line: two fewer key fobs on my keyring, money saved, and a point in Flipper’s favor.
A word about reading range. In a small experiment I found that a signal from such wireless remotes can be recorded from about 20 m with a direct line of sight. The zone of reliable reception (where a short press of the button is enough to capture the signal) was somewhat smaller, about 15-18 m depending on the remote. This distance can be increased with an optional RF module and an external antenna.
The main conclusion: with simple, unprotected remotes there is always a chance that an attacker will intercept the signal.
Car
Encouraged by this success, I moved on to the car key fob. Here the code is of course not static but dynamic, that is, the same rolling code.
Rolling code (also called hopping or dynamic code) is a technique used in RF remote controls to protect against key cloning. The principle is simple: the transmitted code changes with every press, being derived from a press counter and a secret shared with the receiver, and the receiver treats every code it accepts (and every earlier one) as used, so each code can be accepted only once.
The technology is reliable, but even from this description its weakness is evident: only a code that the receiver has actually accepted counts as used.
That is, a modern car key fob cannot be fully cloned, but a signal captured once by the Flipper, which the car has not yet heard, will still work. Unlike the parking remote, the signal will not be fully demodulated, so we record it in RAW format by selecting the corresponding menu item.
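To make the replay window concrete, here is a small Python model of both receiver types, written for this article as an added example; it is not Flipper firmware and not any manufacturer’s protocol. The rolling-code side authenticates a press counter with an HMAC and tolerates a look-ahead window of 16 presses; real systems such as KeeLoq encrypt the counter instead, and the window size, the pairing key and the optional lockout behavior are assumptions chosen to illustrate the point. The scenarios show that a static code replays forever, that a rolling code replays only while the car has not yet consumed it, and that replaying a stale code is rejected and, on receivers that implement it, engages a lockout.

```python
"""Toy model of static-code vs rolling-code remotes and their receivers.

Constructed example for illustration only: not Flipper firmware and not any
vendor's protocol. The MAC-over-counter scheme, the 16-press look-ahead window,
the pairing key and the optional lockout are assumptions of this model.
"""
from __future__ import annotations

import hashlib
import hmac

WINDOW = 16  # assumption: presses the receiver tolerates ahead of the last accepted one


def _tag(key: bytes, counter: int) -> str:
    """Authentication tag for a press; stands in for the encrypted counter of real systems."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:16]


class StaticRemote:
    """Sends the same fixed code on every press (typical cheap barrier remote)."""
    def __init__(self, code: str) -> None:
        self.code = code

    def press(self) -> str:
        return self.code


class StaticReceiver:
    def __init__(self, code: str) -> None:
        self.code = code

    def receive(self, frame: str) -> bool:
        # Any frame equal to the stored code opens the barrier, no matter who sent it or when.
        return hmac.compare_digest(frame, self.code)


class RollingRemote:
    """Increments a counter on every press and authenticates it with the pairing key."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> tuple[int, str]:
        self.counter += 1
        return self.counter, _tag(self.key, self.counter)


class RollingReceiver:
    def __init__(self, key: bytes, lockout: bool = False) -> None:
        self.key = key
        self.last = 0           # highest counter accepted so far
        self.lockout = lockout  # assumption: some receivers lock after a stale code
        self.locked = False

    def receive(self, frame: tuple[int, str]) -> bool:
        if self.locked:
            return False
        counter, tag = frame
        if not hmac.compare_digest(tag, _tag(self.key, counter)):
            return False                      # forged or corrupted frame
        if counter <= self.last:
            # Already consumed, or older than one that was: this is a replay.
            if self.lockout:
                self.locked = True
            return False
        if counter - self.last > WINDOW:
            return False                      # too far ahead; would need resync
        self.last = counter                   # consume this code and all earlier ones
        return True

    def reset(self) -> None:
        """Models clearing the lockout, e.g. by disconnecting the battery."""
        self.locked = False


KEY = b"constructed-pairing-key"  # assumption: shared secret set at pairing time


def static_replay() -> bool:
    """A code captured from a static remote works on every replay."""
    remote, rx = StaticRemote("1011 0110 0011 0101"), StaticReceiver("1011 0110 0011 0101")
    captured = remote.press()             # Flipper records one press
    return rx.receive(captured) and rx.receive(captured)


def rolling_replay_after_car_heard_it() -> bool:
    """Replaying a code the car already accepted fails."""
    remote, rx = RollingRemote(KEY), RollingReceiver(KEY)
    frame = remote.press()
    assert rx.receive(frame)              # car was in range: code consumed
    return rx.receive(frame)              # replay is rejected


def rolling_replay_car_did_not_hear() -> bool:
    """A code recorded while the key was out of the car's range still opens it."""
    remote, rx = RollingRemote(KEY), RollingReceiver(KEY)
    frame = remote.press()                # owner presses far away; Flipper records it
    return rx.receive(frame)              # car never saw it, so it is still fresh


def forged_frame_rejected() -> bool:
    """A guessed counter without the pairing key is useless."""
    rx = RollingReceiver(KEY)
    return rx.receive((1, "0" * 16))      # plausible counter, wrong tag


def stale_replay_lockout() -> tuple[bool, bool, bool]:
    """Stale code after a newer one: rejected, receiver locks, reset clears it."""
    remote, rx = RollingRemote(KEY), RollingReceiver(KEY, lockout=True)
    old = remote.press()                  # captured, not heard by the car
    assert rx.receive(remote.press())     # owner then uses the key normally
    replay_ok = rx.receive(old)           # stale: rejected and lockout engaged
    key_works = rx.receive(remote.press())
    rx.reset()
    after_reset = rx.receive(remote.press())
    return replay_ok, key_works, after_reset


if __name__ == "__main__":
    print("static replay:", static_replay())
    print("rolling, car heard it:", rolling_replay_after_car_heard_it())
    print("rolling, car did not hear it:", rolling_replay_car_did_not_hear())
    print("forged frame:", forged_frame_rejected())
    print("stale replay, key after lockout, after reset:", stale_replay_lockout())
```

The design point is in `RollingReceiver.receive`: security comes entirely from what the receiver has already seen, so a capture it never heard is indistinguishable from a fresh press. That is exactly the gap a RAW recording exploits, and it is also why the key must be out of the car’s range while you record.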
Warning! If you replay a previous code after a newer one has been used, the receiver unit in the car goes into lockout mode. I managed to get it out of this mode only by disconnecting the battery terminal. Until then the car did not react to the key’s buttons at all, so it could be opened or closed only with the physical key. And in many cars the keyhole is hidden behind a cover on the door handle, which owners often do not even suspect. If you do not want to end up in this situation, it is better to refrain from experimenting on a car.
In the end I managed to open the central lock once by recording the unlock code in RAW mode and replaying it next to the car. Note: the key must be far from the car when recording, otherwise the car will receive the signal first.
Conclusion: never leave your key unattended, and do not keep valuables in the car. An attacker can discreetly record the unlock signal from the key and open the doors while you are away. A device as simple as the Flipper is enough for this, and more powerful specialized devices exist as well.
Hacking a Tesla
A popular pastime for Flipper owners in Europe and America is remotely opening the charge port door on Teslas. In Russia the chance of meeting a Tesla is not great, but where I live they are much more common. I solemnly opened the charge port of one of them (strictly for educational purposes), to the great surprise of the owner sitting inside. Of course, I did it in the very convenient stealth mode, Screen Streaming from the iPhone app, so as not to get into a misunderstanding with the owner.
To pull off this trick you need to download four files from GitHub, corresponding to two signal variants, for cars sold in the European and American markets. Since the Flipper’s frequencies are region-locked in the stock firmware, I could not transmit the signal for the American Tesla; when I tried, the Flipper displayed a stern warning screen. Apparently several other cars I came across that I could not open were simply American-market cars.
RFID
Perhaps the simplest and most useful application of the Flipper is storing intercom keys.