After seeing the Flipper Zero was finally shipping, I tried to get one. Unfortunately, in Australia, getting the Flipper Zero officially was impossible. There seems to be a lot of demand for this little gadget. Fortunately, there were a few on eBay.
The original Kickstarter campaign is here if you want to read about it. As you can see, it was behind schedule, missing its delivery deadline by about a year.
I ended up paying quite a premium as the Flipper Zero is a little hard to obtain, at least here in Australia. I am sure they’ll be easier to get in a few months and hopefully cheaper.
After getting my beloved Flipper Zero, I set out, like most people who get these types of gadgets, to see what I could do. For such a small device, it can do infrared, NFC, GPIO, iButton, 125 kHz RFID and, most importantly, transmit and receive on sub-GHz frequencies.
It’s important to temper your expectations. The Flipper Zero is not some magical Watch Dogs-inspired hacking device that will allow you to control traffic lights, security cameras or make ATMs give you money. It’s quite limited in what it can do and is very much a gadget for light pentesting and a gentle introduction to the world of software-defined radio.
The Flipper Zero most interested me for its ability to work with sub-GHz frequencies (frequencies below 1 GHz). This allows you to read key fobs like modern wireless car key fobs, garage door openers, ceiling fan remotes and many other devices that use sub-GHz frequencies.
Before buying the Flipper Zero, you should know that many modern sub-GHz devices, such as garage doors, use a security concept called rolling codes. Simply put, it means your remote and the device that receives the button presses are paired and, using a shared secret seed, produce a different code on each press, so a code captured once cannot simply be replayed.
My first attempt to clone my wireless car key fob and garage door failed. You’re presented with a lock icon in the Sub-GHz menu when you do a read if it’s using rolling codes. The stock firmware will not let you save these, but third-party firmware (I recommend one below) will.
The Flipper Zero will not allow you to bypass rolling code encryption. There is a third-party tool with a free option called Kaiju, which claims to be able to decrypt rolling codes, but I haven’t tried it, and I am not sure if it will ever be possible.
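To show why a captured rolling-code transmission is useless when replayed, here is a small added simulation of the concept described above. It is illustrative code written for this post, not any real product's protocol: the code derivation (a truncated HMAC over a press counter), the seed and the acceptance window size are all assumptions made for the example.

```python
import hmac
import hashlib

# Receiver tolerates counters this far ahead of the last one it saw,
# so a few presses out of range do not desynchronise the pair. (Assumed value.)
WINDOW = 16


def make_code(seed: bytes, counter: int) -> bytes:
    """Derive the over-the-air code for a given press counter.

    Illustrative only: a truncated HMAC-SHA256 stands in for the proprietary
    cipher a real rolling-code product would use.
    """
    return hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Remote:
    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def press(self) -> bytes:
        # Every press advances the counter, so every transmitted code is new.
        self.counter += 1
        return make_code(self.seed, self.counter)


class Receiver:
    def __init__(self, seed: bytes):
        self.seed = seed
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        # Try only counters strictly beyond the last accepted one; anything at or
        # below it (i.e. a replayed capture) is rejected without a match.
        for candidate in range(self.last_counter + 1, self.last_counter + WINDOW + 1):
            if hmac.compare_digest(make_code(self.seed, candidate), frame):
                self.last_counter = candidate
                return True
        return False


def demo() -> tuple:
    seed = b"constructed-demo-seed"  # constructed sample pairing secret
    remote, door = Remote(seed), Receiver(seed)
    captured = remote.press()
    opened = door.accept(captured)         # first use of the code: accepted
    replayed = door.accept(captured)       # same capture again: rejected
    for _ in range(5):
        remote.press()                     # presses the receiver never heard
    resynced = door.accept(remote.press())  # still inside the window: accepted
    for _ in range(WINDOW):
        remote.press()                     # too many missed presses
    desynced = door.accept(remote.press())  # outside the window: rejected
    return opened, replayed, resynced, desynced
```

The last case is the failure mode behind the "press it a few times near the receiver" resync dance many garage doors require.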
It brought back the fun I had as a child when I bought a universal remote and would mess with the TVs at school and the neighbour’s house. On the first day I received the Flipper Zero, I turned off some TVs. I then started reading things like my bank card, Amiibos and anything else with an NFC or RFID chip.
Because this is a gadget that transmits on radio frequencies, it falls under FCC regulation. Therefore some frequencies are restricted in the stock firmware to comply with regional rules on which frequencies you’re allowed to transmit or receive on. However, many third-party firmware builds remove this restriction and add new features and frequencies. My favourite is Roguemaster.
I will be honest; the one thing I did find disappointing is that many of the remotes I’ve attempted to capture use rolling codes. Some still use fixed codes, but most modern sub-GHz devices use rolling codes. Still, it’s a fun device. I recommend getting some Tesla captures that allow you to open the charging port on Tesla vehicles.
Another use case I have used a lot is the Amiibo support. This has allowed me to pretend to own numerous Amiibos without buying them for my Nintendo Switch. Amiibos can give you new characters and other features in certain Switch games.
Overall it’s a fun device and seems to be regularly updated. Seeing the community release unlocked firmware and features gives me hope that, in the future, this little device will be able to do so much more than it currently can.
The Flipper Zero has taken me down the software-defined radio (SDR) rabbit hole. I placed an order for a HackRF One and a Portapack a few days after getting my Flipper, so wish me luck as I go down what could be quite an addictive path of working with radio and frequencies.
Now, excuse me, I have some TVs to turn off at my local McDonald’s again.