WHAT IS FLIPPER ZERO
Flipper Zero is a portable multi-tool for pentesters and hardware geeks in a toy-like body. It loves to explore the digital world around it: radio protocols, access control systems, hardware, and more. The main idea behind Flipper Zero is to combine all the research and penetration-testing hardware tools you could need on the go in a single case. Out of the box, Flipper is filled with features and skills, but it is also open-source and customizable, so you can extend its functionality in whatever way you like, together with the community.
Flipper is made by makers who got tired of rough PCBs and bulky external modules. We want to make a versatile and beautiful platform for prototyping, hardware research, and pentesting of any kind.
Flipper Zero is completely autonomous: it has a beefy battery, a handy 5-position directional pad, and a display. All the main functions and scripts are available from Flipper's menu; no computer or smartphone is required.
For more control, Flipper is equipped with a USB Type-C port for upgrading the firmware, exposing a virtual serial port, and emulating a USB HID input device. We also decided to build in a cool old-school LCD screen rather than a fancy TFT / IPS / OLED panel, because it is perfectly visible in sunlight and draws an ultra-low 400 nA with the backlight turned off. This lets Flipper Zero be always on and ready, with more than 7 days of battery life.
To communicate with real-world systems, Flipper Zero has a built-in radio module based on the TI CC1101 chip. It can both transmit and receive digital signals in the 300-928 MHz range (more precisely, in the CC1101's 300-348, 387-464, and 779-928 MHz bands; the chip does not cover the whole span continuously). This is the operating range for a wide class of devices and access control systems, such as garage door remotes, boom barriers, IoT sensors, and remote keyless entry systems.
Out of the box, Flipper Zero can emulate remotes for popular garage doors and barriers. You can keep hundreds of remotes in Flipper's memory, as well as create a blank remote for a new wireless gate: just select the right brand of system in the Flipper menu, register the new key in your garage or barrier receiver, and give it a unique name for easy navigation between your remotes.
Customizable radio platform
The CC1101 is a well-known universal transceiver designed for low-power wireless applications, and with a ready-to-use open-source library, developers can interact with the radio subsystem without limitations. You can write any wireless application, such as a custom protocol or decoder, as well as use it to talk to IoT devices and access systems.
Flipper Zero has an integrated decoder for popular remote control algorithms such as KeeLoq and others, so you can analyze an unknown radio system to figure out the protocol under the hood. Note that decoding a rolling-code frame such as KeeLoq reveals its structure, not the manufacturer key: a captured code does not give you the next valid one, which is what separates rolling-code systems from the fixed-code remotes described below.
Furthermore, Flipper can record samples of radio signals to analyze later with more sophisticated tools on a computer, as well as replay the saved samples. Many remotes and IoT devices, such as doorbells, sensors, and radio sockets, don't use any encryption or rolling codes at all; in that case Flipper can replay the signal even if the protocol wasn't recognized.
Low-frequency proximity cards are widely used in access control systems around the world. They are pretty dumb: each holds only a short ID of a few bytes and has no authentication mechanism, so it can be easily read, cloned, and emulated by anyone. A 125 kHz antenna is located on the bottom of Flipper's body; it can read EM-4100 and HID Prox cards, save them to memory, and emulate any of the saved cards by choosing one from the menu.
You can also emulate a card by entering its ID manually, so you can easily send it to a friend as text. Thus, Flipper owners can exchange card dumps remotely without ever touching the physical card.
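As an added example of what "interacting with the radio subsystem" means in practice (this is illustrative code written for this page, not Flipper's firmware or its radio library): the CC1101 sets its carrier from a 24-bit FREQ word split across the FREQ2/FREQ1/FREQ0 registers, f_carrier = f_xosc / 2^16 * FREQ, and only accepts carriers inside its three datasheet bands. The 26 MHz crystal value is the common module configuration and is assumed here.

```python
"""Added example: computing CC1101 FREQ2/FREQ1/FREQ0 register values for a
target carrier and checking the target lies in one of the chip's bands.
Written for illustration; not Flipper firmware or library code."""

XOSC_HZ = 26_000_000             # CC1101 reference crystal (assumed 26 MHz)
FREQ_STEP_HZ = XOSC_HZ / 2**16   # ~396.7 Hz per LSB of the 24-bit FREQ word

# Bands the CC1101 datasheet specifies (MHz); 300-928 is not one continuous range.
CC1101_BANDS_MHZ = ((300, 348), (387, 464), (779, 928))


def in_supported_band(freq_hz: float) -> bool:
    """True if the carrier falls inside one of the three CC1101 bands."""
    mhz = freq_hz / 1e6
    return any(lo <= mhz <= hi for lo, hi in CC1101_BANDS_MHZ)


def freq_to_registers(freq_hz: float) -> tuple[int, int, int]:
    """Return (FREQ2, FREQ1, FREQ0) for the programmable carrier closest to freq_hz.

    f_carrier = (f_xosc / 2^16) * FREQ[23:0], as given in the CC1101 datasheet.
    Rejects carriers the radio cannot synthesize instead of silently clamping.
    """
    if not in_supported_band(freq_hz):
        raise ValueError(f"{freq_hz / 1e6:.3f} MHz is outside the CC1101 bands")
    word = round(freq_hz / FREQ_STEP_HZ)
    if word > 0xFFFFFF:
        raise ValueError("FREQ word does not fit in 24 bits")
    return (word >> 16) & 0xFF, (word >> 8) & 0xFF, word & 0xFF


def registers_to_freq(freq2: int, freq1: int, freq0: int) -> float:
    """Inverse of freq_to_registers: the carrier a given register triple selects."""
    word = (freq2 << 16) | (freq1 << 8) | freq0
    return word * FREQ_STEP_HZ


if __name__ == "__main__":
    for target in (433.92e6, 868.3e6):
        regs = freq_to_registers(target)
        print(f"{target / 1e6:.3f} MHz ->", [f"0x{r:02X}" for r in regs],
              f"(actual {registers_to_freq(*regs) / 1e6:.6f} MHz)")
```

The rounding matters: the radio cannot hit an arbitrary frequency, only multiples of roughly 397 Hz, so a capture tool and a replay tool that compute the word differently can end up a step apart; the inverse function shows the carrier you actually get.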
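To make concrete what "only a short ID and no authentication" means, here is an added example (written for this page, not Flipper's firmware) of the 64-bit frame an EM-4100 tag transmits: a fixed header, the 5-byte ID as ten nibbles each followed by an even row-parity bit, four even column-parity bits, and a stop bit. The tag Manchester-encodes this bit stream over the 125 kHz carrier; that physical layer is not modelled here. Anyone who knows the ID can rebuild the frame, which is exactly why a card can be emulated from its ID typed in as text. The sample ID is constructed.

```python
"""Added example: building and parsing the 64-bit EM4100 (EM-4100) frame a
125 kHz tag emits. Written for illustration; not Flipper firmware code."""


def em4100_encode(card_id: bytes) -> list[int]:
    """Encode a 5-byte EM4100 ID into the 64-bit frame the tag transmits.

    Layout: 9 header ones, 10 x (4 data bits MSB first + even row parity),
    4 even column parity bits, 1 stop bit (0).  9 + 50 + 4 + 1 = 64 bits.
    """
    if len(card_id) != 5:
        raise ValueError("EM4100 IDs are exactly 5 bytes (10 nibbles)")
    nibbles = []
    for byte in card_id:
        nibbles.append(byte >> 4)
        nibbles.append(byte & 0x0F)
    bits = [1] * 9                              # header
    for nib in nibbles:
        row = [(nib >> 3) & 1, (nib >> 2) & 1, (nib >> 1) & 1, nib & 1]
        bits.extend(row)
        bits.append(sum(row) % 2)               # even row parity
    for col in range(4):
        col_bits = [(nib >> (3 - col)) & 1 for nib in nibbles]
        bits.append(sum(col_bits) % 2)          # even column parity
    bits.append(0)                              # stop bit
    return bits


def em4100_decode(bits: list[int]) -> bytes:
    """Parse a 64-bit frame back into the 5-byte ID, checking every parity bit.

    Raises ValueError on any parity failure so a corrupted read is not
    silently saved or emulated as if it were a valid card.
    """
    if len(bits) != 64 or bits[:9] != [1] * 9 or bits[63] != 0:
        raise ValueError("bad header or stop bit")
    nibbles = []
    for i in range(10):
        row = bits[9 + 5 * i: 9 + 5 * i + 5]
        if sum(row) % 2 != 0:
            raise ValueError(f"row parity error in nibble {i}")
        nibbles.append((row[0] << 3) | (row[1] << 2) | (row[2] << 1) | row[3])
    for col in range(4):
        expected = sum((nib >> (3 - col)) & 1 for nib in nibbles) % 2
        if bits[59 + col] != expected:
            raise ValueError(f"column parity error in column {col}")
    return bytes((nibbles[2 * i] << 4) | nibbles[2 * i + 1] for i in range(5))


if __name__ == "__main__":
    card_id = bytes.fromhex("1D5559A1B2")       # constructed sample ID
    frame = em4100_encode(card_id)
    print("".join(map(str, frame)))
    print("decoded:", em4100_decode(frame).hex().upper())
```

The parity bits are the tag's only integrity mechanism; they catch a flaky read, not a forged one. A reader that skips the parity check will happily accept a frame with a single flipped bit as a different card.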
iButton contact keys
Flipper Zero has a built-in 1-Wire pad to read iButton (DS1990A) keys, also known as TouchMemory or Dallas keys. This technology is quite old but still widely used around the world. It is based on the 1-Wire protocol and has no authentication: the key simply reports its 64-bit ROM (an 8-bit family code, a 48-bit serial number, and an 8-bit CRC), so Flipper can easily read these keys, save IDs into memory, write IDs to blank keys, and emulate the key itself.
Flipper Zero has a unique contact pad design on the case edge: its shape works as a reader and an emulator at the same time. The central pad of an iButton key is the data contact and the outer ring is ground, so you need to lay the key in the correct position. The same contact pad can be used to emulate keys from memory; just hold Flipper against the system's reader. This mode is also handy for silently sniffing the 1-Wire data line.
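The following added example (written for this page, not Flipper's firmware) shows what a reader actually receives from a DS1990A: the family code, the serial, and the Dallas CRC-8 that protects the whole ROM against a bad contact. It assembles the ROM you would write to a blank key and validates one that was read. The CRC test vector in the test is the worked example from Maxim's 1-Wire CRC application note; the DS1990A serial used in the demo is constructed.

```python
"""Added example: Dallas/Maxim 1-Wire CRC-8 and the 64-bit ROM layout of a
DS1990A iButton. Written for illustration; not Flipper firmware code."""

DS1990A_FAMILY = 0x01   # family code of the DS1990A serial-number iButton


def dallas_crc8(data: bytes) -> int:
    """Maxim 1-Wire CRC-8: polynomial x^8 + x^5 + x^4 + 1, bit-reflected (0x8C), init 0."""
    crc = 0
    for byte in data:
        for _ in range(8):
            mix = (crc ^ byte) & 1
            crc >>= 1
            if mix:
                crc ^= 0x8C
            byte >>= 1
    return crc


def build_rom(family: int, serial: bytes) -> bytes:
    """Assemble the 8 ROM bytes in wire order: family, 48-bit serial (LSB first), CRC.

    This is what a key transmits after a Read ROM command and what you would
    write into a blank (writable) key to clone it.
    """
    if len(serial) != 6:
        raise ValueError("serial number is 48 bits (6 bytes)")
    body = bytes([family]) + serial
    return body + bytes([dallas_crc8(body)])


def parse_rom(rom: bytes) -> dict:
    """Split a ROM read from the pad and verify its CRC.

    A reader should treat crc_ok=False as a noisy contact and re-read,
    rather than saving or comparing a corrupted ID.
    """
    if len(rom) != 8:
        raise ValueError("ROM is 64 bits (8 bytes)")
    return {
        "family": rom[0],
        "serial": rom[1:7],
        "crc_ok": dallas_crc8(rom[:7]) == rom[7],
        # Display order as engraved on the can: CRC first, family code last.
        "text": " ".join(f"{b:02X}" for b in reversed(rom)),
    }


if __name__ == "__main__":
    rom = build_rom(DS1990A_FAMILY, bytes.fromhex("3C07AB150000"))  # constructed serial
    print("wire order:", rom.hex().upper())
    print(parse_rom(rom))
```

Because the CRC is computed from public bytes, it offers no protection against cloning: anyone who has the 7 leading bytes can compute the 8th. It only tells the reader whether the bits arrived intact.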
Flipper Zero can act as a fully functional U2F key that works with any U2F-enabled service, such as Google, Twitter, Facebook, Dropbox, LastPass, AWS, and many others.
The Universal 2nd Factor (U2F) protocol is an open standard for hardware security tokens used for secure authentication. Developed by Google, Yubico, and NXP, U2F acts as a universal key designed to add another layer to traditional login-and-password authentication.
Even if your password is compromised, an attacker cannot log in to your account without the physical key. This method is much stronger than the usual SMS second factor: it involves no third party such as a cell phone operator, and because the token signs a challenge that is bound to the site's origin, a phishing page on a different domain cannot obtain a response that is valid for the real site.
The infrared transmitter can send any signal to control electronics such as TVs, air conditioners, stereo systems, and more.
Flipper contains a built-in library of common remote commands, such as switching on and off, changing the volume, or adjusting the temperature. This library is constantly updated by community users who upload new signals to Flipper's IR remote database.
Infrared learning feature
At the same time, the IR receiver can capture signals and save them to memory, so you can store any of your own remotes and transmit them later, as well as upload them to the public database to share with other Flipper users.
Flipper's infrared eye automatically detects the baud rate, carrier frequency, and modulation of the IR signals it captures, without any configuration. That lets you easily capture and store signals from all your remotes and other IR appliances.
Flipper's firmware is completely open-source. You will be able to find it on GitHub once the first units ship. This means anyone can extend Flipper Zero's functionality by modifying the code and writing their own plugins.
All built-in hardware can be used in your programs: the display to print text and draw images, the buttons to navigate, the radio module for Sub-1 GHz communication, RFID for proximity cards, IR for infrared applications, and GPIO for extending the functionality with your own modules. Thanks to handy, fully documented libraries, accessing all of these is fast and easy.
SDK packages for all platforms
Setting up a development environment for STM32 can be challenging. To simplify this, we will supply ready-to-use packages for the Arduino and PlatformIO+VSCode IDEs, available for all platforms with no drivers required. Just install the package and you are ready to go; uploading sketches is as easy as on a regular Arduino board.
Extend with your own plugins
Flipper Zero can run your code as a separate plugin without overwriting its own firmware, unlike basic Arduino boards. Thus you can run any specific code from the plugins menu without uploading it every time you need it. And don't be afraid to break something: you can always reboot to the original firmware if your code freezes.
Flipper Zero can be used as a versatile tool for hardware hacking. Its 12 built-in GPIO pins are 5 V tolerant and let you connect it to any piece of hardware while running your own code, controlling it with the buttons and printing debug messages to the LCD.
You can use it as a handy firmware flashing, debugging, and fuzzing device, as well as a USB-to-UART/SPI/I2C adapter connected to a PC.
Extend with hardware modules
Using the familiar header pins, Flipper allows third-party developers and makers to create their own compatible modules. Modules can add new hardware features, interfaces, sensors, interface converters, wireless modules, and even a cellular modem. We will share a mockup 3D model so anyone can easily develop a mechanical design for their modules.
As we all know, computers completely trust connected input devices like mice and keyboards. Flipper Zero can act as a USB device, so the computer recognizes it as a regular peripheral such as a HID keyboard or an Ethernet adapter, just like a USB Rubber Ducky. You can write your own keyboard payloads to type any key sequence, as well as fuzz the USB stack of a target device.
We realized long ago that 1 MB of STM32 flash is plenty for the firmware and all your plugins but may run out when it comes to additional data. There is a lot of bulky data Flipper has to store: remote codes, signal databases, dictionaries, image assets, logs and more. A MicroSD slot has always been the obvious solution, but we were not completely sure about the mechanics, so we didn't announce it before.
Today we can finally confirm: every Flipper Zero will have a MicroSD slot.
The slot will be push-push, so the card is reliably secured inside and does not protrude. Flipper Zero works without a MicroSD card, so one is not included. You can insert any FAT32-formatted card and store all the assets you need without worrying that memory will run out.
Since Flipper Zero is a very resource-intensive project, not only on the hardware side but also on the firmware side, we have identified some milestone features that we really want to implement but can only do so with enough funding. These features get unlocked once the total pledged amount exceeds the respective goal.
Flipper in a different case and display colors. Cool, huh?
A Bluetooth module will let you interact with Flipper from your smartphone, as well as bridge interfaces like UART and SPI to your computer wirelessly. $300k and we are on the job.
Well, this is a big one. In the current version, Flipper only does RFID at 125 kHz. The NFC standard (ISO/IEC 14443) operates at 13.56 MHz. Adding this feature will require significant hardware changes and fitting the two antennas on the same plane. If this gets unlocked, we are going to use the TI TRF7970A chip, the same chip used in the HydraNFC project.