MicroPython on Flipper Zero
(lab.flipper.net)174 points by psvisualdesign 10 months ago
174 points by psvisualdesign 10 months ago
I was really excited to get mine! It is neat. I got it and it has been in my drawer almost exclusively. I have done exactly two things with mine:
* Opened my friend's Tesla battery charge hatch from a distance for fun (it closes again on its own after maybe 30 seconds)
* Recorded a lamp's IR remote on/off/up/down toggles and used the Flipper to turn on the lamp, rather than using the IR remote, to try to debug whether the remote was going bad or if there was a problem with the lamp (it was the lamp itself)
And I tried, unsuccessfully, to:
* Read my dog's microchip data
Otherwise, I haven't found any use for it. I really wanted to like it. I did a search to see if there was anything interesting to do with it that I was missing, and basically it's what I did (or failed to do) above. Some people also use it to change TV channels at restaurants as a prank it looks like.
1/4th of my cats have microchips. They were moderately annoyed as I scanned them.
The whole microchip registry thing is a mess, though. There's no authoritative database and I'm certain that the database entry for my cat is at some shelter where he was briefly held. I have no way of updating this data without paying a subscription fee, so that's out of the question.
Outside of IR remotes and popping tesla ports, I have used it to emulate RFID tags. I don't have enough free time to really utilize it appropriately.
Cat tax: https://i.imgur.com/8vAabRM.jpeg -- He is sleeping where he really should not be sleeping.
https://old.reddit.com/r/CatsOnPizza/
https://old.reddit.com/r/orangecats/
Here's a ML problem for someone to consider tackling ... given a cat picture, identify all of the relevant cat subs that it might get posted in. This could be applied to dogs too... but cats rule the internet ( https://en.wikipedia.org/wiki/Cats_and_the_Internet )
> The whole microchip registry thing is a mess, though.
That is, unfortunately, correct ^^^ I went through this with my dog. I was told to find out which services your local animal control and humane society use, and make sure your pet is added to those registries. Yes, some charge $$$, but the registries recommended to me were free.
If your pet ends up with animal control, and they can't find the chip registration, getting your pet back can be a nightmare.
There is no single authoritative database, but it works kinda like MAC addresses, in that the microchip prefix tells the system who made the chip, which tells them which database to look you up in. You should be able to get the shelter to update the database to match your contact information for you free of charge. At least our shelter was willing to do so. They already have to pay the fee, so why not?
> The whole microchip registry thing is a mess, though. There's no authoritative database and I'm certain that the database entry for my cat is at some shelter where he was briefly held.
Yeah it is a mess, but my vet told me they use this to search across the dozens of registries in the United States: https://www.aaha.org/for-veterinary-professionals/microchip-...
That form is able to find my cat's microchip information in both the registries I have her on, for example. But yes, I was surprised the pet microchip scene isn't more consolidated. Like bicycle registrations are, where the two major U.S. players are https://bikeindex.org and https://project529.com
EDIT: But I was unable to read my cat's microchip with my Flipper Zero, even though my vet confirmed it's still readable using their more appropriate tool for the job.
Can you emulate common TV IR blaster protocols without first recording them?
I used to have an LG G4 android phone with a TV remote app built in- with just the TV manufacturer information, I could change the channel / volume in all sorts of useful places (the gym, etc.). I miss this feature often.
Yep:
"Flipper Zero has a built-in library of signals for common TVs, ACs, projectors, and stereo systems brands. This library is regularly updated with new signals, thanks to the Flipper Zero community's active contributions to the IR Remote database."
(from the flipper zero homepage)
I've successfully used mine as a "TVbGone", switching off all the TVs in a bar...
Thank you, and sorry for being so blind. I think this is enough to sell me on one!
Do you know if I can emulate car keys with it? Say a relatively modern BMW? Or is there some safety mechanism.
(Not for nefarious purposes, but just in case I can’t find my keys.)
Not natively. There is other firmware out there, though, that allows such functionality. Depending on where you live, it may be illegal to even try, though, hence the native firmware locking out such use (you can record or visualize but not save/replay).
I'd love to have this, mainly so that I could have a single dongle on my keychain for both my and my wife's car. I know others have said that there are issues around rolling codes. But it's possible to get official duplicate / replacement keys; how does that work?
IIRC it's somewhat possible but for some cars if you do it wrong it makes the car and key go out of sync which causes a lot of issues
My current practical use case is that I read our cat's microchip, so when a new device comes, instead of coaxing the cat into the device (e.g. smart cat flap), I just use the Flipper in emulation mode to train the device.
As someone in cybersecurity, it is handy as a low frequency RFID reader as Android phones only support higher frequency. Having something compact and in a single unit (compared to a Proxmark) makes it easier to 'grab-n-go'. It is neat to show people how insecure common access control systems are.
I've also used it as a universal remote more than a few times on devices that didn't come with a remote. The App running on a phone makes it somewhat easy to transfer new remote templates to the Flipper over Bluetooth.
It also comes in handy as a serial adapter as it has GPIO pins you can connect to things (UART headers).
The RF transceiver is also cool to capture RF remotes (garage doors, overhead fans, etc.) and replay them.
Yeah, the Flipper Zero has a "sub 1GHz" transceiver, from memory its a CC1101?
It can receive and transmit from about 300MHz to 930MHz (with a few gaps in between).
I've used my Flipper to sniff the signals for my wireless controlled projector screen, projector, and home theatre amp. I then used the data I sniffed to program an ESP32 with a CC1101 module attached, so I can roll down the screen and turn on the project and amp via wifi (with Homebridge and iOS Home app).
I later sniffed my garage door opener, added that into the ESP32/CC1101 gadget. I needed to add a better antenna to make sure it reliably had range to get to the garage door, but it now works more reliably than the keychain fob, and I can use an "arrived home" automation to have the door open without me needing to stop the motorcycle and take off my gloves and get the key fob out of my pocket. I may replace this with an Arduino/CC1101 triggered by the hi beam switch.
The Flipper Zero is a super useful tool when having ideas like this, but like most tools, it really does sit in the drawer most of the time. But I'm glad it's there, I don't regret a cent of it's purchase price.
I use it as a store for all the amiibo data I might want, as well as a universal remote for my TVs and fan/light in the house. I also use it on the TVs and receivers at work when someone misplaces or loses the remotes, and keep a separate one in the car with a few garage codes for my parents and siblings houses.
The wifi board is fun to play with to learn about how some of the more common/basic SSID spoofing and broadcast spam attacks and similar things work. There are some fun HID device attacks you can check out too that are pretty cool. I also used it as a jumping off point to dabble with programming in C and using gdb and stuff like that.
I use it to automatically turn my older A/C off and on automatically while I’m not home. When I’m home, my wife and I use it as a universal remote around the house. Admittedly, it’s not what I originally bought it for (like others, I bought it as a toy), but now we depend on it for the former reason mentioned.
If you want to see my lousy code I wrote, you can see it here: https://github.com/Jestzer/Flipper.AC/blob/main/ac_app.c
For 99.99% of buyers, it's a toy. It will be played with briefly and discussed online for more. For a tiny portion there is a legitimate use, however I think its highly unlikely there isn't something that does that use for cheaper, and better.
The only "real" thing I did with it was use it as an IR blaster and debug tool to remote control my window fan. Once I figured out the IR protocol, I replaced it with a $10 gizmo from Aliexpress that has an ESP32 hooked up to an IR LED.
Otherwise, it's kinda fun for scanning credit cards, pet microchips, maybe the occasional NFC or RFID tag. It can clone most hotel keycards, at least to the level required to open your door, although the parking gates tend to use better security.
It can also emulate an AirTag, at least on the bluetooth beacon side, which is kinda funny.
But yes, mine mostly lives in a drawer.
Ok, I am intruiged ( and I think wife has an airtag ). Did it work as expected:D?
It’s sort of like having a leatherman. You almost never NEED it but it feels great when you do. I clone all the remotes in my house for when my kids inevitably lose them.
According to guys on reddit, turn on public TVs in malls so minimum wage workers have to spend a lot of time to find out who actually has the remote to turn it back on, they buy cases for them, new shells, and take photos of them.
That would be a variant on the old TV-B-Gone prank gadget, which can be easily built with a minimum uC and a few parts, plus firmware. https://en.wikipedia.org/wiki/TV-B-Gone
I got one so that I could make copies of my apartment keyfob; I live alone and having a spare keycard that goes inside my phone case has saved me from locking myself out of my building multiple times. For me it's already paid for itself by ensuring my peace of mind. I've also used it to copy my gym tag (NFC), my parents' apartment keyfob (also NFC surprisingly), and multiple office access cards.
I've had mine for a long time. I mostly use it to read and clone 125KHz RFID tags.
I have a few ideas to make it more useful, but every time I try to get into developing an app, I get frustrated and give up. It is probably the worst codebase I have ever seen. Just walls of strangely named function calls with no code comments and no documentation whatsoever.
I keep meaning to play with the NFC/RFID API, I got a little eink price tag I'd like to try changing the display of via the flipper zero.
I created a very simple attempt at an oscilloscope type program ( https://github.com/anfractuosity/flipperscope ).
Exactly what happened to mine, or it doubled as a second office badge
This is what happened to mine. I flashed Momentum, got Maurader and a wifi dev board, did the "all the pcaps!" thing for a bit, opened some garage doors, then used it to clock in at work for no reason.
Then I went to go sell it and found out you can't list them on eBay or FB Marketplace. Not sure how to go about selling or trading one beyond those types of places, either, so I basically have a pricey dust collector in a drawer.
My neighborhood has a vehicle gate that is opened by an RF clicker, and a pedestrian gate opened by an RFID tag. I copied both of mine to my flipper. A couple months ago the coin cell battery in my clicker died, but I had my flipper! I also use the cloned RFID tag fairly regularly. There are two RFID tags in the house and more than two people using them, so I use my flipper for that too.
Tried to read my dog chip but couldn't find it.
I use mine to get into my friend's apartment building (after cloning his key fob) so he doesn't need to come let me in.
I would have expected the Flipper to be pretty good at that, but it manages to crash while emulating the key fob like a third of the time.
I make keyfobs for my friends' buildings. And I can turn off TVs at restaurants if they're distracting.
you can execute a suite of BLE, wifi, and IR attacks. You can target NFC and RFID. You can add scripts and boards to boost signal and functionality. You know, fun stuff.
This makes me long for the days of RockBox on Sansa Clip devices.
https://download.rockbox.org/daily/manual/rockbox-sansaclipz...
You can get “broken” ones on EBay pretty cheap. Be careful prying them open though - there’s no aftermarket shells unfortunately.
I spent a weekend not long ago upgrading a broken Sansa Clip+ with a new battery, RockBox, and a USB-C port - first one with USB-C AFAIK. Oh and I replaced all the SMD buttons too while I was at it.
I’m very happy with how it turned out! I only wish I knew how to do something more advanced like adding Bluetooth audio capability that doesn’t just hook into the DAC output and sound terrible.
How was the usb c installation? Feels a bit beyond my soldering skills. I mainly use a zip but I put together a very slim mini to c cable for my Clip+ that does the job.
Don't suppose you could tell me the name of the part they use for the headphone jack? I can find loads that look almost right but never the exact model
It was pretty intense, but mostly because I’m clumsy and didn’t plan anything.
There’s not a lot of room on the board, so I soldered 0402 resistors directly to the pins on the port to allow it to work with modern PD chargers, and I had to expose a few traces so I could jump the pins since it didn’t align with the mini usb pads. Fortunately I was able to solder its feet to the main structural pads and it’s a good firm connection.
I bought an assorted usb-c port kit from Amazon with something like 10 varieties and chose the port that best fit onto the board. I needed to bend the legs a bit but it worked.
I used a digital microscope and fine solder tips. There’s no “easy” way to do this that I’m aware of, especially since I chose low melt solder to avoid melting the port’s plastic, which meant the jumper wire conducted enough heat to desolder the other connection if I didn’t work quickly!
This experience had me wondering if I could design a little thin adapter pcb to make the process less error prone, but I’ve never done anything like that before…
What’s wrong with your audio port? To find a replacement you might want to get some cheap calipers and measure a bunch of stuff to compare with components on digikey/mouser/aliexpress.
Or you may just be able to repair it instead of replacing it. Could be it just needs its pins reflowed to the board if you haven’t tried that yet. I hope you can fix it - good luck!
I've a few backups but I've only destroyed one of them (somehow fried the board soldering the headphone jack back down).
They're fairly durable other than the headphone jack and the clip from what I've seen
Has anyone tried to run Micropython on the Flipper Zero? I'm using Micropython on my ESPs, but not in the Flipper Zero. With the new Firmware 1.0 you can also use JavaScript. Now the question is: what's easier/better for own plugins/apps? Micropython, Javascript or the native Flipper language?
Isn't native C/C++?
I'd expect C to run the best due to it being compiled. JS is pretty quick, but we're talking a microcontroller, so any speed you can pickup by reducing computation cycles is a win.
Easiest/better is using what you already know as that'll provide the best speed to MVP. If it's too slow in Python/JS, but it seems like a useful thing, it's probably worth rolling up your sleeves and learning some C. At least enough to build a python library.
I spent a lot of time trying to get it to detect signals from my remote-controlled sunblind, only it turns out that it doesn't support the frequency at least out of the box.
Out of the box they are locked down to prevent transmission on certain frequencies for legal reasons. This is trivial to get around with a firmware flash.
I would check out the Unleashed firmware [1]. I've had pretty good luck with it so far.
Hah, talk about good timing. I just got my flipper:D
I have a weird related question and I am not looking for a full answer, but rather on what/where would be a good resource to find that information as what I have found so far was not super useful.
In short, for the newer employee badges, are there some secret handshake pieces that flipper can't copy? Stuff around the house worked flawlessly, but the moment I tried to play with employee card, I got, um, mixed results.
Step 1 of reverse engineering anything: Figure out the make and model of the thing. ;)
"Employee badges" can be implemented in a number of ways, from simple broadcasted rfids down to having secret challenge responses that aren't breakable without going down the jlsca route since the secret is on the device and never leaves it.
So, step 1: figure out what exactly the model your 'employee badge' is using and what protocol it uses. There's probably some marking on it that should give you the manufactuerer at least.
CEO of Lab401.com / Flipper Distributor / RFID geek.
One of the best resources is probably the Discord channels. There is the official channel, and the non-official (for non-official firmware). YMMV, but the non-official seems to be more active.
The Flipper is "somewhat underpowered" in terms of hardware for RFID, or specifically 13.56MHz, but makes up for it in a very active development community.
"Access badges" is a fairly vast blanket term. Anything that's not an exhaustive, lengthy breakdown will be inherently over-generalised, but here we go:
125KHz: Low Frequency: _usually_ cards with "just" an ID or very limited memory. _Usually_ much simpler technology. _Usually_ without security, and much easier to copy.
There are multiple encoding and modulation methods in this family, almost all of which are encompassed in a (fairly amazing) tag that can emulate them all - meaning they can be cloned easily : the T5577 chipset.
There's much more penetration of these chipsets in non-EU markets (US, Canada, etc). Key brands and tags: HID Prox, EM4XXX, Hitag, etc.
The FlipperZero handles most / if not all of these very well (read / save / emulate / write).
High-Frequency tags (13.56MHz) : encompasses multiple ISO Standards : 14443-A/B/C (lots of access cards), also ISO15693 (Slightly Longer read range, more industrial tags, ski-passes, etc), and EMV (Payment Cards) among others.
There are many sub-protocols and implementations of these higher level standards. But these can be generalised as : small memory units / computing units on a chip. As such : larger functionality, and various security.
The most well-known family is probably MIFARE (1K/4K Classic..). Chances are, if you've got one somewhere. Encryption is totally broken.
Ultralight / NTAG: Cheaper, no / not much security (password + signatures on some tags, and counters). Typically used for ticketing etc.
These are handled in Flipper.
Other implementations: DESFIRE: Uncracked. iCLASS (Commercial Access Control - iCLASS SE / ELITE / SEOS ..). Can be cloned, or suffer from downgrade attacks. Not handled by Flipper by default.
The Flipper has a fundamental 'flaw' with high-frequency tags: it can't handle emulation on chip, and its clock isn't evenly divisible by 13.56MHz, so emulation and some functions are always going to be limited. With that said, the 13.56MHz stack is always improving - the community has done amazing things.
Likewise, cracking (typically: MIFARE) is CPU / memory intensive. The Flipper can limp through some implementations, and can team up with a PC for others.
However, more specialised devices (Proxmark, iCopy-X) pick up where the Flipper leaves off.
In summary, it's a very useful tool for RFID (LF + HF) - can handle most LF operations, and quite a few HF operations - before you have to reach for much more expensive hardware (Proxmark : ~300 EU).
Some people to check out on YT: https://www.youtube.com/@TalkingSasquach https://www.youtube.com/watch?v=VF3xlAm_tdo
Feel free to reach out for more questions.
Is it possible to emulate EMV cards? I have not had any luck with that, and most people are unwilling to talk about it as the usual use cases are pretty black hat (carding etc). I just want to use my Flipper (or some other hardware) to make a payment with my own card. I'm not trying to do any fraud. I want something that does tap to pay using any of the CCs that I own, without having to have a modern locked Android or iPhone that cooperates with the bank.
Yeah I built one of these for myself around the time it was announced. Even then, EMV was on the way, and you needed to do a little dance where you put a disabled card into the reader three times to force it to fall back to magstripe, then you could run the spoofer. I did this successfully on some vending machines and the like, but never tried it in stores.
>The bad uses outstrip the good uses.
I understand this logic, but I reject it conceptually. This is true for a huge variety of products. At the end of the day, it should be up to the individual to decide this. We survived as a society with substantially higher trust in the past. For example, check fraud is technically trivial and quite common, but did not prevent checks from being an accepted method of payment. Perhaps there is a path back to this in the future, but certainly not if we allow the megacorps and governments to make all technical decisions for the greater good.
I can write more about this but this is not the place or time.
I got a Proxmark 3 clone from Ali for $35 or so, it's been fantastic. I'm not entirely sure how to crack Mifare tags with the Proxmark (how to efficiently brute-force the key), though. AFAIK the way to do it on the Flipper is to read the tag and then listen to what the reader sends (which I haven't gotten around to trying), does the Proxmark do things differently?
There are multiple ways to crack MIFARE - depending on the actual chipset version / manufacturer.
For Mifare Classic: - Nested (Uses one known key to crack others) - darkside (Derives a key with no others. Slower, results are typically handed off to the nested attack to calculate remaining keys..)
For newer versions of the Mifare Classic with better PRNGs - "Hardened" cards: HardNested. Needs one known key.
For cards that provide a static nonce (to try to evade cracking, ie FUDAN) - Static Nested.
For the latest generation FUDAN: Static Encrypted HardNested.
Note, for the nested attacks - if you don't have a known key, these can be sniffed from the access control reader, and then cracked (MFKey32/64).
Flipper supports the MFKey32 attacks, and limited nested. You may bump into limits of your Proxmark clone with hardnested cracking - it's memory intensive, and most of the Proxmark Easy clones have reduced RAM.
There's actually an auto_crack LUA script on proxmark ( Use this fork: https://github.com/RfidResearchGroup/proxmark3 ) which will take most of the hassle out of cracking.
Cracking requires very, very precise timing: In a nutshell, you're trying to predict nonces / PRNG values, by sending very precicesly timed requests, and then later cracking those results.
The Flipper has limited CPU power - its main "attack vector" against MIFARE is a very large keylist / dictionary of common MIFARE keys. It's slow and dumb, but it works for most cases. It can also do limited cracking, depending on the type required.
The Proxmark is built around an FPGA, and can crack much, much more efficiently.
What a great comment. If I could overpay my karma into it, I would do so ten times. Thanks for the helpful tips. Most fobs I've encountered are the basic 125 kHz ones but some, like my garage keycard, are not. And I'd like to be able to amplify that signal because it's hard to get the garage in my condo building to detect the card.
Thank you for going into that level of detail here:D That makes the search a lot easier for me and it is a reminder, why I a keep coming back here.
I am only starting my adventure with RFID and there is a lot to learn, but it has been a while since I was this weirdly excited.
Check out the RFID Hacking Community discord: https://discord.com/invite/QfPvGFRQxH
Almost everything in the community happens here.
I asked our IT manager and our employee badges have RFID plus some kind of timestamp check or something. The secret handshake is actually secret I guess. Lot of information out there but mostly guarded by radio nerds who talk like you should already have an EE degree.
Depends on the system your work uses. Lots of them just have unencrypted strings.
What are people doing with the Flipper? It seems neat, but I fear I would get one and then forever leave it in a drawer having never done anything real with the device.