After seeing the Flipper Zero was finally shipping, I tried to get one. Unfortunately, in Australia, getting the Flipper Zero officially was impossible. There seems to be a lot of demand for this little gadget. Fortunately, there were a few on eBay.
The original Kickstarter campaign is here if you want to read about it. As you can see, it was behind schedule, missing its delivery deadline by about a year. But, to the credit of the team, they delivered on every single promise (which is rare).
I ended up paying quite a premium as the Flipper Zero is a little hard to obtain, at least here in Australia. I am sure they’ll be easier to get in a few months and hopefully cheaper.
After getting my beloved Flipper Zero, I set out, like most people who get these gadgets, to see what I could do. For such a small device, it covers a lot: infrared, NFC, GPIO, iButton, 125 kHz RFID and, most importantly, the ability to transmit and receive on sub-GHz frequencies.
Perhaps the most surprising thing when I started playing with my Flipper Zero was how far it could transmit. The antennas in this thing would not be that big, but the distance is quite admirable for such a tiny device.
My first use of this device was trolling my father. I cloned his TV remote and started messing with his TV. Because the device was so small, he had no idea. This was a hilarious first use of the Flipper Zero, which can be an exceptional troll gadget.
It’s important to temper your expectations
The Flipper Zero is not some magical Watch Dogs-inspired hacking device that will let you control traffic lights, take over security cameras or make ATMs dispense cash. It is quite limited in what it can do and is very much a gadget for light pentesting and a gentle introduction to the world of sub-GHz radio.
The Flipper Zero most interested me for its ability to work with sub-GHz frequencies (frequencies below 1 GHz). This lets you capture, and in some cases replay, the signals from devices such as modern wireless car key fobs, garage door openers, ceiling fan remotes and many other devices that use sub-GHz radio.
Before buying the Flipper Zero, you should know that many modern sub-GHz devices, such as garage doors, use a security concept called rolling codes. Simply put, the remote and the receiver share a secret key and a synchronised counter; every button press increments the counter and transmits a fresh code derived from the key and the counter, and the receiver rejects any code it has already accepted. A captured transmission is therefore useless the moment the receiver has consumed it.
My first attempt to clone my wireless car key fob and garage door failed. When you do a read in the Sub-GHz menu, you’re presented with a lock icon if the signal uses rolling codes. The stock firmware will not let you save these, but third-party firmware (I recommend one below) will.
The Flipper Zero will not let you bypass rolling codes: replaying a captured code does nothing, because the receiver has already moved past that counter value. There is a third-party tool with a free option called Kaiju, which claims to be able to decrypt rolling codes, but I haven’t tried it, and I am not sure if it will ever be possible.
This is perhaps the first disappointment you encounter while using the Flipper Zero. And, I want to point out it’s through no fault of the Flipper itself. Manufacturers implementing rolling code security prevent people like you and me from opening their garage doors and unlocking their vehicles. Fair call, I’d say.
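To make the rolling-code behaviour concrete, here is a small simulation I've added (it is not code from the original post, the Flipper firmware or any real remote). It models a remote and receiver that share a secret key and a press counter, derives each code with an HMAC instead of a real scheme such as KeeLoq, and shows why a captured packet is accepted once and then rejected on replay, why a small resync window tolerates a few presses made out of range, and why a fixed-code receiver happily accepts the same capture forever. The key, serial number and window size are made up for the example.

```python
import hmac
import hashlib

# Constructed shared secret for the example. In a real system it is burned into
# the remote at manufacture and known only to the paired receiver.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def hop_code(key: bytes, serial: int, counter: int) -> str:
    """Derive the transmitted code from the secret key and the press counter.
    Simplified model: HMAC-SHA256 truncated to 32 bits. Real remotes use
    schemes such as KeeLoq, but the property that matters is the same:
    without the key you cannot compute the next code from the ones you saw."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class RollingRemote:
    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self) -> tuple[int, str]:
        """Each press increments the counter and emits a fresh code."""
        self.counter += 1
        return (self.serial, hop_code(self.key, self.serial, self.counter))


class RollingReceiver:
    def __init__(self, key: bytes, serial: int, window: int = 16):
        self.key, self.serial, self.window = key, serial, window
        self.last_counter = 0

    def receive(self, packet: tuple[int, str]) -> bool:
        serial, code = packet
        if serial != self.serial:
            return False
        # Try the next `window` counter values so a few presses made out of
        # range do not desync the pair. Anything at or below last_counter,
        # i.e. a replayed capture, is never tried and so never accepted.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(code, hop_code(self.key, serial, c)):
                self.last_counter = c
                return True
        return False


class FixedCodeReceiver:
    """The older design: one static code, so a capture replays indefinitely."""

    def __init__(self, code: str):
        self.code = code

    def receive(self, packet: tuple[int, str]) -> bool:
        return hmac.compare_digest(packet[1], self.code)


def demo() -> dict:
    remote = RollingRemote(SHARED_KEY, serial=0x00C0FFEE)
    receiver = RollingReceiver(SHARED_KEY, serial=0x00C0FFEE)
    results = {}

    captured = remote.press()  # the packet a Flipper would record over the air
    results["live_press"] = receiver.receive(captured)  # accepted once
    results["replay"] = receiver.receive(captured)      # rejected: counter already used

    for _ in range(5):
        remote.press()  # a few presses out of range of the receiver
    results["after_gap"] = receiver.receive(remote.press())  # still inside the window

    for _ in range(50):
        remote.press()  # far more presses than the window allows
    results["beyond_window"] = receiver.receive(remote.press())  # needs a resync

    fixed = FixedCodeReceiver("a5b4c3d2")
    packet = (0, "a5b4c3d2")
    results["fixed_replay"] = fixed.receive(packet) and fixed.receive(packet)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'accepted' if ok else 'rejected'}")
```

The "beyond_window" case is the reason a remote pressed many times away from the garage sometimes needs re-pairing, and it is also why the Flipper cannot simply fast-forward a captured code: without the key there is no way to compute the counter values the receiver is now expecting.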
Some remotes and fobs still use fixed codes, but most modern sub-GHz devices use rolling codes. Still, it’s a fun device. I recommend getting some Tesla captures that allow you to open the charging port on Tesla vehicles. You haven’t lost your Flipper Zero virginity until you’ve popped a Tesla charging port.
Reliving my fun as a child, when I bought a universal remote and would mess with the TVs at school and at the neighbour’s house: on the first day I received the Flipper Zero, I turned off some TVs. I then started reading things like my bank card, Amiibos and anything else with an NFC or RFID chip.
If you want to experience the next level of fun, go into an electronics store (I went into Costco) and become God by turning off all TVs, turning up the volume and trolling the entire store.
Because this gadget is a radio transmitter sold as a consumer product, it has to be certified (by the FCC in the US, for example), which is a legal requirement. Some frequencies are therefore restricted in the stock firmware to comply with regional rules on what you’re allowed to transmit or receive on. Many third-party firmwares remove this restriction and add new features and frequencies; bear in mind that a firmware lifting the lock does not make transmitting on those frequencies legal where you live. My favourite is Roguemaster.
Another use case I have used a lot is the Amiibo support. Amiibos can give you new characters and other features in certain Switch games. This has allowed me to pretend to own numerous Amiibo without buying them for my Nintendo Switch.
Overall it’s a fun device and seems to be regularly updated. Seeing the community release unlocked firmware and features gives me hope in the future, this little device will be able to do so much more than it currently can.
The Flipper Zero has taken me down the software-defined radio (SDR) rabbit hole. I placed an order for a HackRF One and a Portapack a few days after getting my Flipper, so wish me luck as I go down what could be quite an addictive path of working with radio and frequencies.
Excuse me. I have some TVs to turn off at my local McDonald’s again.
If you are like me and you’ve become addicted to the world of frequencies, I highly recommend going deeper and considering other complementary devices. Shortly after buying the Flipper Zero, I bought a HackRF One. This device allows you to do similar things to the Flipper, but it is a full software-defined radio covering roughly 1 MHz to 6 GHz rather than just the sub-GHz bands, and it takes much larger external antennas.
You can buy third-party HackRF One clones for a fraction of the cost of the official one; quality may vary. Make sure you get yourself a PortaPack to make your HackRF One portable, and you have a powerful handheld radio device that can even do GPS.
There is also a similar device to the Flipper called PandwaRF, which claims to be able to use Kaiju (mentioned above) to break rolling codes.