First Impressions of the Flipper Zero
I got a lovely little gadget in the mail recently: the Flipper Zero, a charming handheld device for all sorts of hacking chaos. I’ve had some fun with its Bluetooth, infrared, LF RFID, NFC, and BadUSB functionalities already, and I’m still learning the ins and outs of this platform, so beware that by no means am I an expert.
By the way, I’m not sponsored or affiliated with the Flipper Zero in any way. I just think it’s really neat.
The Build and Hardware
To start, I think it’s very well-built and professionally made. It’s not flimsy or cheap in any way and has a very premium feel. The 5-button D-pad and return button have very satisfying clicky feedback and I really dig the orange and white look of the Flipper. The display has a resolution of 128x64 pixels, which I can assure you is adequate as long as you don’t have absurdly long file names. It’s backlit and I have no problems reading in direct sunlight, which I often do.
There’s an RGB LED next to the display as well as a vibration motor inside the device which gives satisfying feedback during use. For example, it rapidly blinks blue when you begin the NFC card reader and then turns green and vibrates upon a successful card read in addition to playing a charming sound through the speaker and communicating to you through the display. This all comes together for a satisfying and fulfilling experience.
There’s a neat wrist strap hole if you want to get a wrist strap for it (not included), but I usually just carry it around in my backpack or pocket. There are GPIO pins on the top of the Flipper for 3.3- and 5-volt logic for tinkerers, though I haven’t used them yet. There’s infrared so the Flipper can act as a remote, which is fun for causing chaos. The iButton (Dallas key) hardware intrigued me as I’ve never seen or even heard of iButton before, and assume it must be more common in other states, perhaps abroad.
There’s a microSD card slot (microSD not included) to store your files on and a USB C port (USB C-to-A cable included) for installing firmware updates, running BadUSB payloads, and charging. The battery lasts for a while and is not a problem at all. I’m not sure how long specifically, but it can last many, many days without a charge – and it charges fast! I’d estimate I could get around 7 days of battery life with frequent usage before it drains to 0% and needs a recharge.
One of my teammates suggested I use the Unleashed firmware, a fork of the Official firmware with regional sub-GHz transmission frequency restrictions removed, some more apps and plugins, and other additional features too numerous for me to enumerate here. Both the Unleashed and Official firmware are actively developed with major updates available every few days, so there’s always more to have fun with.
Flashing the firmware is easy with the qFlipper tool. It’s just a matter of running qFlipper on a computer, plugging your Flipper into your computer, and then upgrading the firmware. For non-official firmware, which is what I use, it’s also easy to update the firmware through qFlipper by flashing from a file. qFlipper also allows you to upload files directly to the SD card, which is a convenient way to get payloads on your Flipper.
I’m happy with the active community around the Flipper and am overall satisfied with the rate and quality of firmware development. This is not a community that programs bloat – this is a community that creates real, meaningful improvements to an already-great codebase, and truly pushes the limits of the available hardware.
At the heart of the Flipper is your pet dolphin, who will level up with more use and grow more or less happy depending on how frequently you use the device. This is purely aesthetic and to add character to the Flipper, and the features and usability of the features of the Flipper are not affected at all by your dolphin. That is to say, level 1 or level 3, happy or sad, the actual functionality of the Flipper is completely independent from your pet’s status.
Although I wasn’t initially a big fan of the dolphin, thinking of it as an unnecessary plaything, it admittedly grew on me and I now consider it to be a part of my essential Flipper experience.
The sub-GHz hardware and firmware allow you to read radio waves in the air on select frequencies from 300 to 928 MHz, with or without frequency hopping, and with AM270, AM650, FM238, or FM476 modulation. You can replay captured and saved signals to open car and garage doors, ring doorbells, and cause plenty of chaos. There’s also a frequency analyzer if you’re unsure which settings to use.
Hackers, beware that most modern systems implement rolling codes, making replay attacks much, much more difficult, but not impossible. Perhaps I’ll write a blog post at a later time about attacks on rolling codes.
125 kHz RFID
The 125 kHz RFID hardware and firmware allow you to easily read, analyze, and directly emulate RFID or write to blank RFID cards and fobs. This has been a lot of fun, and you might be surprised how many places still use insecure (but cheaper) RFID over the more secure (but shorter range) NFC. I was able to easily read my friend’s RFID fob (HID H10301) from work and we plan on writing it to an RFID ring so he can give doors the middle finger to gain access.
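As an added illustration (not from the original post) of why a 125 kHz fob like the HID H10301 mentioned above counts as "insecure": the fob transmits a fixed 26-bit frame with no secret in it, so whatever reads it holds everything needed to reproduce it. The facility code and card number used below are constructed values and the function names are mine.

```python
# Added example: encode/decode the 26-bit HID H10301 frame a 125 kHz reader sees.
# Layout (MSB first): [EP][FC: 8 bits][CN: 16 bits][OP]
#   EP = even parity over the first 12 data bits (frame bits 2-13)
#   OP = odd parity over the last 12 data bits (frame bits 14-25)
# There is no key or challenge anywhere in the frame: it is a static identifier.

def encode_h10301(facility_code: int, card_number: int) -> int:
    """Build a 26-bit H10301 frame from an 8-bit facility code and 16-bit card number."""
    if not 0 <= facility_code < 256:
        raise ValueError("facility code is 8 bits")
    if not 0 <= card_number < 65536:
        raise ValueError("card number is 16 bits")
    payload = (facility_code << 16) | card_number   # the 24 data bits
    high12 = payload >> 12                          # bits covered by even parity
    low12 = payload & 0xFFF                         # bits covered by odd parity
    ep = bin(high12).count("1") & 1                 # 1 if high12 has odd weight
    op = 1 - (bin(low12).count("1") & 1)            # 1 if low12 has even weight
    return (ep << 25) | (payload << 1) | op

def decode_h10301(frame: int) -> dict:
    """Split a 26-bit frame into its fields and validate both parity bits."""
    if frame >> 26:
        raise ValueError("H10301 frames are exactly 26 bits")
    ep = (frame >> 25) & 1
    payload = (frame >> 1) & 0xFFFFFF
    op = frame & 1
    high12 = payload >> 12
    low12 = payload & 0xFFF
    even_ok = (bin(high12).count("1") + ep) % 2 == 0
    odd_ok = (bin(low12).count("1") + op) % 2 == 1
    return {
        "facility_code": payload >> 16,
        "card_number": payload & 0xFFFF,
        "parity_ok": even_ok and odd_ok,
    }

if __name__ == "__main__":
    # Constructed sample values, not a real credential.
    frame = encode_h10301(42, 1337)
    print(f"frame = {frame:026b}")
    print(decode_h10301(frame))
```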
Unlike LF RFID (125 kHz RFID), which is only powerful enough for 1-way communication, 13.56 MHz NFC trades range for more power and 2-way communication. Plenty of access systems, including my school’s student ID card system, use NFC over RFID for added security via encryption.
I’ve been able to successfully use the Flipper to emulate NFC Amiibos on my partner’s Nintendo Switch to spawn characters in Animal Crossing, and have gained partial success in using the Flipper to crack the keys on my friend’s Mifare key fob she uses for her apartment via a dictionary attack. I have not had any success cracking my school’s student ID card system (HID iClass DY) yet, though, and continue to hammer away at that. There have been promising developments in the community centered around HID/PicoPass and it’s still actively being researched and developed.
The Flipper’s infrared has been a lot of fun. Turning off TVs, changing the channel or volume, etc. is a surefire way to cause harmless chaos, confusion, and fun. The Flipper can also learn new remotes by receiving and retransmitting infrared signals, and the Flipper community has been great about sharing captured remotes so that you can upload them to your microSD and use them on your Flipper. I’ve had a lot of fun so far and have taught my Flipper some Samsung, Roku, and Westinghouse remotes and used them with great success.
For the uninitiated, a BadUSB is a device that computers inherently trust because it presents itself as an HID (human interface device). When plugged in, the BadUSB can type in payloads extremely quickly; anything you can type, click, or do by hand in minutes, a BadUSB can do in seconds. It’s often said that an attacker only needs you to look away from your device for 5 seconds in order to hack it. The Flipper’s BadUSB functionality accepts the same BadUSB language as Hak5’s famous USB Rubber Ducky, which is already an extremely simple language you could learn in a few minutes of reading through documentation.
If you plan on using the Flipper as a BadUSB, beware that the included USB C-to-A cable is too new for most practical attacks. This means that it’ll fit snugly with USB ports and requires a bit of force to get in, as opposed to a cheaper, older, more beat up and broken in cable that slides in and out of a USB port with ease.
One complaint that I do have for the Flipper’s BadUSB functionality, which could very easily be fixed with a few lines of code and a firmware update, is that the Flipper waits for you to press the center button on the D-pad after plugging it into a computer before it executes a payload. BadUSBs in real deployments and attacks typically run payloads automatically upon being plugged in and recognized by the computer.
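Added example, not from the post: a defender-side heuristic that keys on exactly the property described above, a payload "typed" faster than any human. The timing thresholds and the sample key-press timestamps are constructed assumptions; on a real host the timestamps would come from an input-event source such as evdev, and this check belongs alongside USB device allow-listing rather than in place of it.

```python
# Added example: flag keystroke-injection bursts from key-press timestamps (ms).
# A run of many key presses with sub-human inter-key gaps is the signature of a
# BadUSB typing a payload. Thresholds below are assumptions, not measurements.

HUMAN_MIN_GAP_MS = 30   # assumption: sustained gaps under this are not human typing
BURST_MIN_KEYS = 12     # assumption: shorter fast runs are just a quick typist

def find_injection_bursts(timestamps_ms, min_gap=HUMAN_MIN_GAP_MS,
                          min_keys=BURST_MIN_KEYS):
    """Return (start_index, end_index, keys_per_second) for every run of at
    least `min_keys` presses whose inter-key gaps are all below `min_gap`."""
    bursts = []
    run_start = 0
    for i in range(1, len(timestamps_ms) + 1):
        # gap_ok is False at the end of the list so the final run is closed
        gap_ok = (i < len(timestamps_ms)
                  and timestamps_ms[i] - timestamps_ms[i - 1] < min_gap)
        if not gap_ok:
            n = i - run_start                     # run spans run_start .. i-1
            if n >= min_keys:
                span = timestamps_ms[i - 1] - timestamps_ms[run_start]
                rate = (n - 1) * 1000.0 / span if span else float("inf")
                bursts.append((run_start, i - 1, round(rate, 1)))
            run_start = i
    return bursts

def build_sample():
    """Constructed timeline: 10 human presses (~120 ms apart), a pause, a 24-key
    injected burst at 4 ms per key, another pause, then 3 human presses."""
    human_before = [i * 120 for i in range(10)]       # 0 .. 1080 ms
    burst = [2000 + i * 4 for i in range(24)]         # 2000 .. 2092 ms
    human_after = [3000 + i * 150 for i in range(3)]  # 3000 .. 3300 ms
    return human_before + burst + human_after

if __name__ == "__main__":
    for start, end, rate in find_injection_bursts(build_sample()):
        print(f"injection burst: keys {start}-{end} at {rate} keys/s")
```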
Overall, I think the Flipper Zero is a neat and well-built device that can be used for some real hacking. Personally, I would have traded the iButton for a magnetic stripe reader since the existing RF hardware – perhaps the LF RFID hardware – should be theoretically capable of magspoofing attacks. Maybe I’m wrong and iButton is actually really common, but I’ve personally never seen it before here in California.
The community is great and the developers are constantly pushing new updates that make real improvements to the firmware. This is a project that I actively keep an eye on and keep up-to-date with because I think, “Cool, new features!” instead of, “Ugh, more bloat.”
It’s pretty awesome.