return to table of content

Flipper Zero: Multi-Tool Device for Geeks

roughly
89 replies
18h44m

I’ve had one of these guys sitting around for a while - love the hardware, love the concept, but I haven’t really found a lot of use for it - what are y’all using them for?

gleenn
23 replies
18h39m

My friend found out the school he sysadmins for was using weak rfid card keys (despite the readers being smart enough to handle higher level encryption) and found he could clone his key and get in places. So basically he pen tested and then they decided to upgrade to the less or non-cloneable card keys. Security for the win.

Vegenoid
20 replies
18h30m

Before anyone tries this, doing this without first checking with security/facilities would likely be grounds for “disciplinary action, up to and including termination”

WantonQuantum
14 replies
18h11m

I don't know why you're getting downvoted for this. It's 100% correct advice. The person you're replying to is a sysadmin so they are probably okay in this situation but cloning access cards without permission would be a serious breach no matter how well intentioned or how easy.

spacebacon
11 replies
17h58m

I countered the statement and also getting down voted. The key is to train your brain to like down votes just as much as up votes. When the number is just a number not attached to dopamine then you are free.

faeriechangling
5 replies
17h41m

This just makes you disappointed if you don’t get negative or positive attention.

catchnear4321
3 replies
17h28m

there are people that read without voting.

you could be getting attention of all kinds and not even know it.

bookofjoe
1 replies
16h31m

I bet an equal number vote without reading.

spacebacon
0 replies
15h37m

That’s an interesting thought. 0 is a good number. Being satisfied with 0 can be conditioned as well.

spacebacon
0 replies
17h27m

Another good point.

spacebacon
0 replies
17h33m

I never thought about that. Good point.

mattlondon
4 replies
17h26m

The votes are not there for your benefit - they're there to make good/useful/valuable comments rise to the top, and bad/low-value/spam ones fall to the bottom.

oneshtein
1 replies
10h37m

... bad/low-value/spam/contradictory/unpopular opinion/dissidents/opposition/etc.

My comments got more than 200 downvotes and ban in discussion about physics about decade ago, but I nailed the problem. Also, I receive downvotes from Russian imperialists at constant rate just talking about history of Russia and Ukraine, because real history of Russian Federation/Russian Empire is well guarded secret in Russia.

spacebacon
0 replies
4h28m

Probably bots

If coercion was going to ever rule the world someone would have accomplished it fully already as many have tried. Yet here we are still free to say nearly whatever the fuck we want in the free world thankfully.

spacebacon
0 replies
16h52m

I agree with the second part of your statement. There is a real brain chemical benefit to the votes though.

a2800276
0 replies
10h46m

Nontheless the point about learning to accept downvotes is valid because "why was I downvoted?"-crybaby posts are annoying, useless and tend to also get downvoted.

Just as this meta-voting-post of mine should :)

omnimus
0 replies
7h57m

Hes getting downwoted because this site is called hacker news. Dont be such a corpo chicken. I am pretty sure people are aware of legality of similar actions and dont need this mentoring.

leoh
0 replies
16h11m

Because that’s, like, just your opinion man. Rules are made up.

spacebacon
2 replies
18h17m

Termination is a favor if security is that lax.

BizarreByte
1 replies
16h52m

Termination is a favor

Losing your job is never a favour. Would you prefer termination if any issue was found with your work place?

spacebacon
0 replies
16h12m

Losing your job may not seem like a favor at first, it depends on how high you bounce after the fact. Being self employed for 20 years after being laid off was the best favor anyone ever did for me. I would have never taken that initial risk without being pushed into it. Now risk is comfortable.

wmidwestranger
0 replies
17h58m

If only issuing clone-able key cards were the infraction instead...

heavyset_go
0 replies
16h57m

Unfortunately, it sounds potentially criminal, as well.

rekoil
0 replies
8h48m

Quite often the keycards have sequential IDs which means you can increase or decrease the number a few times and find a colleagues card with higher or lower privileges than you.

infinitedata
0 replies
9h26m

You can achieve this exact same use case with a $15 RFID reader/writer, supporting higher frequencies and encryption.

conradev
12 replies
18h30m

It's my backup key for my garage and my office door. I also use the universal remote to change TVs in public spaces occasionally. It's a chunker, so it's not a pocket carry, but I keep it in my backpack.

I recently discovered this, which I want to try: https://electroniccats.com/store/flipper-add-on-magspoof/

29athrowaway
11 replies
18h28m

What kind of garage opener do you have? I thought the Flipper zero won't provide that functionality unless you flash the firmware.

Eji1700
6 replies
16h21m

The part I don't get is even if you flash the firmware, does that mean you can make sure it doesn't make all other remotes fail? My understanding of the whole rolling code system was that you could get a few uses and then you were screwed.

If that's not the case I really need to do this because having it handle my tv's, ceiling fans, and garage door would be a nice trick.

ec109685
4 replies
16h1m

If you have control of the opener, couldn’t you use the door’s learning mode and make it into a real opener?

Eji1700
2 replies
13h16m

I thought so at first by my initial reading left me somewhat confused on if there's a private key that only certain remotes have or something like that?

abcd_f
1 replies
8h50m

It's less of a private key and more a random per-remote prng seed that gets set both on the remote and the door controller when they are paired. When you press the button, remote increments its sequence number and send this number, its ID and a hash of all that and the seed to the controller. Controller checks the hash, then checks that seq number is more than last seen for this remote and opens the door. This protects against replay attacks and fairly uncomplicated to implement.

tkems
0 replies
1h41m

This sounds a lot like the KeeLoq algorithm [0] (minus the hashing part). From my research into the rolling code space, I think most remotes don't quite have the CPU/featureset to support a real, secure crypto system with things like SHA, AES, and RSA/ECC. Would love to see one though!

[0] https://en.wikipedia.org/wiki/KeeLoq

tkems
0 replies
1h45m

For Chamberlain brands [0] there is some research that shows that their rolling code system (Security+ and Security+ 2.0) is quite easy to decode/decrypt [1]. This feature is supported in the flipper firmware, but is restricted (you can't create a custom remote, only clone is supported) without custom firmware. However, I'm sure you could decode a raw capture file if needed in a pinch.

[0] https://chamberlaingroup.com/our-brands

[1] https://github.com/argilo/secplus

lisnake
0 replies
11h23m

Many rolling door openers don’t use rolling code. Never heard of tvs or ceiling fans using rolling code either

HanClinto
2 replies
17h57m

Not terribly difficult to flash the firmware.

29athrowaway
1 replies
12h21m

But now you have to trust some random person from GitHub.

speedgoose
0 replies
11h41m

Almost all software supply chains rely on random persons at some point.

filoleg
0 replies
13h22m

Not the person you are replying to, but I use my flipper for the exact same purpose.

Not sure which specific garage opener my apartment building has. But the fob controller the leasing office gave out is way too weak, so i have to sometimes press it many many times and wiggle it in multiple ways until it triggers the garage door. With flipper, it works on the first try.

A funny anecdote: after using my flipper for about a year, I encountered another flipper user in my apartment elevator (the elevator requires a keyfob to go to any floor except the ground floor). I talked to him for a bit. Turns out, he manages a bunch of boat storage units here (in Seattle) that all use different keyfobs. So for him, it is just pure convenience to carry a single flipper device as opposed to always having a lot of different physical keyfobs on him, and then shuffling through them in his bag to get the right one.

willis936
7 replies
17h38m

Well I found that my apartment NFC key is hardened against dictionary attacks and I'm not able to copy it. It also helped me learn that my parents' garage door is pretty secure. I'm able to have the opener learn my flipper like any other remote, but not crack it. This is even with the unleashed firmware that doesn't mind violating FCC regulations (some of the frequencies it hops to are restricted).

I was able to copy my work NFC badge, but I'm not really interested in trying it out.

It's handy as a pocket spectrum sniffer, but I don't have much day-to-day use for it outside of that. I'm glad it was given to me because I learned a lot. Potential future use for me might be an amiibo emulator, but I've grown out of those sorts of things.

AndrewKemendo
5 replies
17h31m

All garage doors have rolling keys which are non trivial to deal with unless you have pro stuff.

tzs
1 replies
16h24m

Speaking of garage door rolling codes I've noticed there is some sort of slack in the synchronization, probably so that if you press the remote button a few times while out of range your remote still opens the door. My guess is that the receiver looks not only for next code after the last one used, but also for several codes after that.

Question: how many times would you have to press the button on the remote for it to get so far ahead of what the receiver looks for that the remote no longer works without reprogramming the receiver?

ec109685
0 replies
15h59m

There’s a great answer here that describes a rolling code attack and above it, an answer describing that they have slack regarding where they are in the code sequence.

https://crypto.stackexchange.com/a/47440

willis936
0 replies
17h14m

You can sync up on rolling codes with the flipper without too much effort. When there are a few private keys involved it gets more difficult.

epcoa
0 replies
17h3m

More like most garage doors sold in the last 20 years have a rolling code system, a few of which are non trivial to deal with.

This is already Western centric, but even here there are a ton of older static and fixed frequency systems still chugging along.

Of these rolling code systems most are not difficult to crack, especially those more than a decade old (and which are still sold today)

dawnerd
0 replies
17h27m

Besides easy to open garage doors with a metal shim to pop the emergency latch. Happened to me once before just zip tying the latch.

spike021
0 replies
17h16m

My apartment uses Latch deadlocks. From what I've read the model _should_ support an NFC key, which of course we don't get. I'd love to figure out if I could do it myself. Ideally I'd be able to use my iPhone that way automatically though (the app on iOS apparently can't due to Apple rules but I'm not an expert). When my hands are full with groceries or whatever it can be a chore to pull out my phone, dig for the app, and get it to unlock the door.

sneak
7 replies
17h39m

I use the IR universal remote function to turn off distracting TVs in bars and restaurants.

sureglymop
5 replies
15h2m

So you just take the liberty to turn off someone elses devices in someone elses establishment? That's... questionable.

sneak
4 replies
14h7m

So is forcing me to watch ads. TVs everywhere in public spaces in America is a cancer and I’ll happily turn them off or unplug them whenever and wherever I see them.

This isn’t a thing in other countries, it’s part of American culture.

sureglymop
1 replies
9h3m

I have a hard time telling whether you are being sarcastic here.

It's one thing to block ads when they have been loaded into your web browser that is in your room (completely morally and ethically fine). It's a completely different thing to go into someone elses space and start making decisions about what is or isn't running on a tv there.

I like ads as little as you so what I can do is just boycott that restaurant or bar entirely or ask the staff to turn it off. I think it's part of being a well adjusted adult to know what you want or don't want and go about it in a reasonable way (such as asking staff). It's immature though to just do that forcibly.

It is however not my duty to teach you that, so let's leave it at that.

sneak
0 replies
16m

Not being sarcastic (but am indeed questioning if you “like ads as little as [me]”).

Turning off a TV is also morally and ethically fine. I don’t see the big deal. Nothing is happening “forcibly”, I’m just sending out some IR. Nobody’s hurt or damaged.

stbtrax
0 replies
40m

Why would you go in to a restaurant that has TVs if you don't want that? This is borderline sociopathic behavior. You sound like the religious police of Iran imposing your view of what culture is. You should assimilate instead of trying to impose your draconian views on others

chrisdhal
0 replies
2h0m

Part of eating a bar (or similar) is to have a sporting event on TV so you can watch it while being out. I would be upset if someone was turning those off in that type of place. If you don't like it, don't go there.

bookofjoe
0 replies
16h21m

I had a TV-B-Gone [https://en.wikipedia.org/wiki/TV-B-Gone] back when they came out in 2004: good fun.

They cost $15 and were hugely controversial.

Digging Deeper::TV-B-Gone Device Shuts Public TVs Down

https://mediashift.org/2006/04/digging-deepertv-b-gone-devic...

arthurcolle
5 replies
18h29m

I cloned my apartment key-fob

The WeWork key-fob uses rolling codes so couldn't use it for that...

tpetr
3 replies
18h24m

Which WeWork do you belong to? Boston’s are all low-frequency rfid

arthurcolle
2 replies
18h19m

This is one in SF. I can clone the card, and it'll work, but then within a few days it won't work any longer.

ThePowerOfFuet
1 replies
16h25m

Does the original keep working?

arthurcolle
0 replies
16h7m

Yes

EricBetts
0 replies
13h46m

Do you recall any of the details? "Rolling code" is not a term often associated with RFID/NFC. The Portland Custom House WeWork used HID Prox.

DigiDigiorno
4 replies
18h32m

Spoofing amiibos on TOTK

guiambros
3 replies
18h28m

Same! Pretty handy to have all amiibos in a single place, and quickly iterate through them.

dawnerd
2 replies
17h25m

You can likely use your phone. There’s some apps designed for it specifically.

rjh29
1 replies
11h32m

IIRC phones need to be rooted to pretend to be an NFC card, although they can write to blank ones. I've done this before. The Flipper Zero is a lot more convenient though.

dawnerd
0 replies
11h7m

Ah yeah you’re right. What I’ve seen actually only lets you write to tags that can then be used.

xyst
3 replies
15h30m

Scanned a pet microchip lol. I had planned to build out my own kit but not enough time

peblos
2 replies
13h13m

Interesting! What kind of animal? Everything I had read suggested it wasn’t strong enough to read these and I couldn’t read my small dog’s chip

jjav
0 replies
12h33m

I've succesfully read a few pet microchips with it.

Of course, it wasn't useful to do, but hey it worked!

fullspectrumdev
0 replies
7h11m

I’ve had no problems reading chips from a few cats, but you do have to scan around a bit because often the chip has moved a bit from where you expect it to be

brobinson
2 replies
16h18m

Mine is just a cool-looking paperweight now.

ekianjo
1 replies
15h55m

how much paper can it hold down?

thot_experiment
0 replies
15h3m

I would 100% spend an unreasonable amount of time looking at a website that did wind tunnel testing on paperweights.

twosdai
0 replies
18h40m

Just a party gag so far with some friends. Like if I'm at a friend's house and they're using their phone I'll Bluetooth spam them to lock up their phone for a second to mess with them.

spookie
0 replies
16h40m

Cloning my NFC cards, being my garage opener (I wasn't given a key and couldn't be bothered getting one... and yes, it's my garage), testing equipment using the GPIO pins and what not. Last one is really handy tbh

Edit: oh! I used it today to snap pictures with my phone every second for photogrammetry work, that was neat! Wish I had gotten better point clouds out of Gaussian splatting though

sli
0 replies
16h59m

A bit different than the other replies, but I'm using mine like a very extensible input/output device for my own hardware projects and as a general STM board for fiddling with embedded on an STM chip (I usually stick to RP2040s and ESPs). I'm really interested in making expansion boards for the Flipper, especially ones built on the RP2040. Just sounds like a ton of fun.

sidmitra
0 replies
17h57m

My building charges USD 40+ to replace the white rfid cards if you lose it and something similar for the remote control for the parking gate. So i just cloned all my cards and remotes and keep them as backup, just in case.

selecsosi
0 replies
14h9m

A specific but satisfying use case, my apt building was being stingy* with handing out RFID tokens so I used it to copy and program a cheap RFID token for lending to a trusted visitor.

* Stingy => security protocols that I agree with in sentiment but unfortunately I need to let my pet sitter in and it's nice to allow them to keep the keys as I travel frequently and key exchanges are less than optimal for my spouse and I

rzazueta
0 replies
17h5m

I bought it in the hopes of causing mostly harmless mischief, but its capabilities in that realm are oversold.

That said, I knew very little about UART communication or SPI until I started playing with this and an ESP32 device. I also knew very little about bluetooth, RF, and RFID/NFR type stuff until I started exploring the world with this. It's been a fun journey that's rapidly advanced my understanding of quite a few things.

Others have said its overpriced or that you can build your own or whatever, but it's actually just the right price for a cool little educational tool that also works beyond the educational stage. It may even inspire me to build my own advanced version at some point.

If you're already a hardware hacker or EE, this is probably not much more than a toy for you. If you've always wanted to explore some of these topics but had no idea how to start, the Flipper is a good introduction. I immediately flashed it with custom firmware and it was easier than flashing my BIOS.

rubatuga
0 replies
18h40m

Some people are using them to break smart meters:

https://news.ycombinator.com/item?id=36253591

robbiet480
0 replies
18h29m

Just used it + the MCT app on Android to clone my apartment key fob (Schlage 9691T) to a Dangerous Things Magic Ring https://dangerousthings.com/product/magic-ring/

rjh29
0 replies
11h29m

I used it a lot at first and it taught me about NFC, IR, etc. I made a few remote controls on it, which is convenient to e.g. turn a fan on at night due to its backlight. I also clone Amiibos for Switch games. And make copies of hotel room keys and RFID tokens for backup purposes although some keys can't be cloned. You can monitor all kinds of wireless signals like garage doors getting fired off around you, which is fun. I know some people use the USB feature to somehow install Windows automatically when they have a bunch of laptops to set up.

peblos
0 replies
17h23m

Extra ceiling fan remote was my favourite use.

Couldn’t find a ceiling fan remote one time ( I have 3 with the exact same remote ) and used it to manage fan speeds

Still doesn’t justify the cost but I guess it’s like my leatherman. Hardly use it but handy when I do.

I actually bought it when seeing the pwnagotchi comparison and expected functionality from the wifi/marauder dev boards to be included. Meaning I got my flipper in the first batch for my country but couldn’t get a dev board even months later

margalabargala
0 replies
18h23m

I use it as an easy voltage tester for various hardware projects. I wrote an app that can do GPIO input (the built in only does output) so I can check which parts of a given circuit I'm building are high or low at a given time. Basically like a parallel multimeter.

la_fayette
0 replies
12h3m

You can emulate any tonie figurine for the toniebox.

gregshap
0 replies
18h12m

Nice try FBI agent

boopmaster
0 replies
18h34m

I’m also in this place. I have the wifi card as well and I’ve not taken to writing any hobbyist software for mine.

I had perhaps foolishly hoped to at least get a fun universal remote out of it, and it’s somewhat possible yet the software just isn’t there to bring a robust family of device RF and Bluetooth commands together. It’s no harmony remote.

Lwrless
0 replies
18h13m

Cloned a 125KHz RFID keycard on my Flipper as a backup, my Android phone is able to clone 13.56MHz MIFAREs, but not these 125KHz ones.

INTPenis
0 replies
12h9m

I gave two of them away at a hacker con last year. During the event it was used to open up the charging lid of a Tesla and to remote control a fog machine.

I'm not competent of interested enough to make full use of them but I get the impression that they still have a lot of use in a large part of the world where simple RF is used to open gates and garages.

And of course you can copy and store RFID but you still have to get your hands on the tags. And that's where it falls down in certain more developed countries because they've mostly moved to RFID.

Havoc
0 replies
17h46m

That’s what keeps me hesitant. Can’t figure out what I’d do with it once unboxed

AndrewKemendo
0 replies
18h40m

Yeah I’m in the same boat.

Had it a few years and the whole Tesla port trick gets old quickly.

geor9e
60 replies
17h53m

$169 is a bit steep for me, so I went on Temu and bought a $8 125KHz RFID programmer & a $5 USB-C IR Blaster. Combined with my Samsung phones native NFC writing, bluetooth, etc I feel like it scratched the itch of 90% of what people do with Flipper for 10% the cost.

ramraj07
18 replies
17h23m

“1200 seems too high for a phone, so I bought a raspberry Pi and attached a 4G module now I can make calls and browse the internet”…

geor9e
10 replies
17h12m

iPhones aren't sitting unused in a drawer forgotten like 99% of Flippers. There's nothing differentiating or polished about clicking one button versus clicking a different button to clone an RFID tag. I'd rather have cheapo version of 1 time use gizmos.

ramraj07
4 replies
14h4m

For me the appeal of Flipper Zero is the mythical rare day when it becomes useful in an emergency, and until then it can stay in my draw peacefully.

rvnx
3 replies
13h50m

There is another possibility: that the Flipper gets an update with the order of a government. For example, to reprogram or shutdown electrical systems in the house. And then it will be a day to remember :D

stavros
1 replies
12h27m

Or, an equally plausible scenario, it grows its own consciousness and decide to attack, hiding behind its delightful dolphin facade.

a2800276
0 replies
10h52m

Oh, come on, you're being ridiculous. It's much more plausible for the flipper to develop consciousness and steal all the tuna in your pantry.

Gabrys1
0 replies
11h13m

More likely your smart home app in your phone will do that

j0hnyl
3 replies
14h57m

Is this really the case? I would think there would be a mobile app interface for flipper?

filoleg
1 replies
13h30m

You are correct, there is a mobile app interface for it.

You can check firmware version and device status, update it, have access to file manager, can backup keys, read logs, reboot, speed/stress test, and probably do a lot of other things that I am not aware about.

elliottcarlson
0 replies
8h32m

Any app run on the Flipper Zero can be run and interfaced with from the mobile app. It works quite well.

cruffle_duffle
0 replies
2h11m

I would think there would be a mobile app interface for flipper?

If you want to interact with the software on flipper zero you have to use the "remote" app (or whatever) on the phone. It kinda sucks though because it literally acts just like the physical device. If you wanna type a filename out and think having a full keyboard like on your phone would make that task easier... it doesn't. You are stuck using the fake "buttons" to move the cursor around to each letter just like you would on the device itself.

camillomiller
0 replies
12h28m

Design is way more important than just what things look like. But it contributes to a product's success in ways that are sometimes hard to measure. That's why engineer-driven company don't understand it and engineers (as a sweeping generalization) usually hate it.

thelastparadise
4 replies
17h19m

“1200 seems too high for a phone, so I bought a raspberry Pi and attached a 4G module now I can make calls and browse the internet”…

That actually sounds really cool...

ThePowerOfFuet
3 replies
16h29m

Until you want to take it with you when you leave the house.

Grimblewald
1 replies
16h18m

Battery? A pi zero phone is a thing that works

throwaway2037
0 replies
11h26m

I had no idea. Google tells me there is a sub-Reddit for it!

r/ZeroPhone: ZeroPhone - a Raspberry Pi smartphone

Krustopolis
0 replies
10h57m

Leave the house?

jauntywundrkind
0 replies
16h7m

I would love love love this to become a vibe.

hattmall
0 replies
14h59m

Or just one of the hundreds of equally capable reasonably priced phones.

spookie
14 replies
16h48m

The point of the flipper zero is to have one good supported gadget that has a lot of people hacking away with it.

It's the same thing with the raspberry pi, sure you can get some cheap clone off less than ideal places, but you're gonna pay with your time. That's basically it.

Scoundreller
11 replies
16h40m

That's what I like about InstantPots: having a standardized cooking device makes recipes a lot easier to share.

nonethewiser
8 replies
16h2m

Well sure, for pressure and slow cooking. You could say the same thing about the microwave.

dartos
3 replies
15h5m

Could you?

Two different models microwaves cook pretty differently from each other. Especially if they have differing wattage.

8organicbits
2 replies
10h57m

Another is that a microwave doesn't operate at a set pressure, so even the same model will behave differently at different evelations.

TeMPOraL
1 replies
7h39m

That's true of pretty much all cooking (and baking) except when using a pressure cooker, so it's kind of a given - people learn to cook given their local pressure and humidity levels.

But then again, cooking is poor man's process engineering - what you do when you don't particularly care about quality and consistency, or at least don't have access to hardware and methods to ensure them.

dartos
0 replies
5h11m

Yeah so the instant pot is an exceptionally good kitchen tool for sharing recipes with others in a reproducible way.

thot_experiment
2 replies
15h5m

My partner's instant pot also does toasting/air frying/normal cooking, I've been very impressed with it.

phone8675309
1 replies
14h3m

For anyone with a compatible model you can add this with a lid accessory from Instant Pot: https://instantpot.com/portfolio-item/air-fryer-lid/

nathancahill
0 replies
7h9m

Bought this to see what the hype was about. Hardly use it any more, the Instant Pot is just too small to be useful for air frying. 90% of the things come out better in the oven in convection mode.

Biggest level up was just lightly dusting anything with a starch or flour (lentil flour is awesome) and then a few light sprays of olive oil.

tycho-newman
0 replies
15h12m

Chef Mike is the hardest working chef in the kitchen!

omnimus
1 replies
8h10m

Arent most things in a kitchen standardized cooking device? Like stainless pan is stainless pan…

internet101010
0 replies
3h0m

Kind of. But turning a stove up to medium-high and reducing to a simmer can lead to different outcomes depending on how the stove is calibrated and someone's interpretation of "simmer".

jefftk
1 replies
15h5m

> It's the same thing with the raspberry pi, sure you can get some cheap clone...

It's a little different: from when the rPI first came out the price was a big driver of it's popularity. It started with the Model B at $35 (with the Model A at $25 "later this year") and this was so much cheaper than other options at the time. Look over threads from the time [1][2] and you'll see things like: "I teach middle school programming/computer classes. I cannot wait to get my hands on one of these. Right now it's cheap enough that I can tell the parents to buy one for their kids without a problem, and out of pocket it for those few of my students whose parents won't be able to afford it." and "The pricepoint is simply revoultionary. I intend to make a few amateur home automation gadgets with this."

[1] https://news.ycombinator.com/item?id=2974292

[2] https://news.ycombinator.com/item?id=3448677

regularfry
0 replies
8h12m

Allowing for inflation they've stayed in roughly the same ballpark, price-wise. It's just that there are now also cheaper boards available, which used not to be the case.

michaelteter
6 replies
13h58m

I went on Temu and bought

Too bad. I was sincerely hoping nobody would buy anything from them so they would die.

camillomiller
4 replies
12h30m

I was thinking the same. It's a proven predatory and reckless company that can sell at these prices because of shady practices. But hey, savings!

kvdveer
3 replies
12h20m

I'm not ver familiar with Temu. Are these shady practices documented somewhere, and are they worse than industry peers (aliexpress, wish, overseas ebay, etc)?

fomine3
1 replies
10h7m
geor9e
0 replies
1h10m

I don't install apps when there is a website I can use from my desktop. So, I guess I have a green light to enjoy Temu.

SushiHippie
0 replies
10h14m
geor9e
0 replies
1h12m

Amazon costs twice as much, and Aliexpress takes twice as long to ship. I have an adblocker installed, so I haven't experienced the annoying ads people are mentioning. I don't install apps when a website is available, so it's not a a spyware concern. If Temu is more evil that the other main two options, I have yet to see an explanation.

moolcool
5 replies
17h30m

The M5Stack Cardputer seems like it would scratch the same itch as the Flipper Zero.

s17n
4 replies
17h11m

the whole point of the flipper is the sub-1ghz radio and nfc/rfid capabilities. It's not really intended to be used as a general purpose computer, it's more like a really extensible radio

lolinder
2 replies
16h49m

Yeah, but for me (and I imagine a lot of people on here) the itch that Flipper Zero teases is that of a hackable computer in a neat form factor, not the specific radio capabilities that it's actually meant for.

I didn't know about M5 before and now I'm hooked exploring M5's store, so I appreciate OP's pointing me there!

s17n
1 replies
15h59m

I think there are a lot of better options if that's what you want. From what I've seen the appeal of the Flipper is that you can do a bunch of fun stuff with a super easy to use interface (just select the thing you want to do and press go!) It's like the iPod of radio/rfid hacking.

lolinder
0 replies
15h56m

Yeah, for sure—I looked at the Flipper when it first came out and decided it was overkill for me.

grishka
0 replies
16h17m

Also the 1-wire/iButton capabilities. Systems that use this kind of keys are probably nonexistent in the US, but in some other countries, they're everywhere.

1oooqooq
4 replies
12h20m

no phone can act as a nfc card. your set up doesn't cover the main use case for the flipper on nfc space

baobun
2 replies
11h8m

Many (most recent) smartphone models can act as NFC cards very well, with the right software.

guitarlimeo
0 replies
10h10m

Phones unfortunately disallow setting the NFC UID on the hardware level (it's random each time), Flipper allows you to do anything.

1oooqooq
0 replies
8h3m

That is kinda misleading. They can act as a very limited version of a client of a very specific and largely unused spec.

geor9e
0 replies
9h0m

Sure but I have dozens of blank cards and stickers I bought for a few dollars.

tkems
3 replies
16h48m

If you want to go deeper with RFID and can spend a bit more (~$50), I am pretty happy with my knockoff Proxmark3 Easy [0] I got on ebay. (Do some research to find a good seller as I have heard some sellers ship bad units). It can do both 125khz and 13.25Mhz RFID/NFC and is easier to use then some of the Android apps for cracking Mifare keys.

For the price, it is great for more complex attacks and almost has all the features of a full Proxmark RDV4 (minus BLE and a battery).

[0] https://proxmark.com/proxmark-3-hardware/proxmark-3-easy

stavros
2 replies
12h29m

Do you have any resources for learning about RFID? I have some tokens for opening my garage door that I'd like to clone, and I'd like to know how they work.

tkems
1 replies
11h58m

I would check out the Proxmark3 Github repo [0]. They have a cheatsheet [1] with the basics on how to get started. I also did a talk about RFID security last year about the basics [2]

To get started, the basics are: low freq (LF) is usually around 125khz and is rarely encrypted (HID Prox is the most common in the US). The data is often encoded in Wiegand format for access control systems (something to keep in mind when reading the raw data).

High freq (HF) (aka NFC) is ~13Mhz and is readable by most Android phones with NFC. Not all tag data can be read however. HF cards support a lot of different options including data storage (normally in a block layout with permissions to read and write depending on keys) and encryption (iCLASS and SEOS being the HID offerings and very common). Some can be cloned (like hotel cards) while others (like SEOS) require a downgrade attack to work correctly (SEOS -> normal SEOS reader -> Weigand data -> older style card like HID Prox).

[0] https://github.com/RfidResearchGroup/proxmark3

[1] https://github.com/RfidResearchGroup/proxmark3/blob/master/d...

[2] https://www.youtube.com/watch?v=zKOAywZqisc

stavros
0 replies
11h57m

Thanks! I've just bought a Proxmark clone, so this will be very useful.

SV_BubbleTime
2 replies
14h46m

So instead of supporting the community and a project with a specific goal, your point is that you bought a Chinese knockoff of a different product?

mightyham
0 replies
14h3m

Yes, gp seems to be pointing out the flippers' largest use cases can be satisfied by significantly cheaper products. They also aren't necessarily "Chinese knockoffs". It just so happens that they bought them from a Chinese online retailer, and I don't see how they could even be called knockoffs because what gp described are fairly different products from flipper.

NavinF
0 replies
13h51m

RFID programmers and USB-C IR Blasters are commodities. How could they possibly be knockoffs?

tauntz
0 replies
10h3m

so I went on Temu and bought a $8 125KHz RFID programmer

OT but if you found it for $8 on Temu, then you can most likely find the exact same device on Aliexpress for $1 - $2. Don't feed Temu - their ads are clogging up my feeds :)

tkems
25 replies
16h53m

I got one not too long after the official launch and I've used it a decent amount (granted I am in cybersecurity and have a more real-world use cases then the average person). My favorite use case is the IR remote since phones no longer have IR blasters. It's saved me twice so far in having to buy/find a remote for something.

One thing people don't realize is that the custom firmware [0] that you can run allows you to receive and transmit on a wide range of frequencies under 1Ghz. Lots of things use that range (garage doors, gates, fan remotes, etc.) and are not very secure. I think that this will be a time looked back on where it's possible to interact with those devices without having to buy a custom PCB transmitter or somewhat expensive and complex SDR.

[0] https://github.com/DarkFlippers/unleashed-firmware

dheerajvs
8 replies
14h16m

phones no longer have IR blasters

Plently of phones still do [0]. I've configured mine to operate all my devices at home.

[0] https://www.gsmarena.com/results.php3?nYearMin=2023&chkInfra...

BossingAround
4 replies
9h47m

In other words, Chinese brands still have IR blasters. I don't know I would trust Chinese-brand of phones though.

sofixa
2 replies
9h29m

Why not? Most phones are manufactured in China anyways, and Xiaomi, OnePlus, Honor, Oppo are major and very widely popular and used brands all over the world (outside of the US which is allergic to Chinese brands unless it's for cheap crap or to outsource manufacturing to).

dangus
1 replies
5h39m

Outside of the US is a problem when it comes to availability and usability. I’m not going to buy a phone that doesn’t play nicely with my carrier or receive regionally relevant support.

OnePlus is the only brand on that list that makes sense buying in the US.

(Personally I can see why the IR blaster was removed as a feature in US phones. I can’t think of a time I wanted or needed it. How often are y’all losing remotes? My current remote doesn’t even really use IR for anything since the streaming box is controlled by Bluetooth and connected devices including the sound system are controlled by HDMI-CEC. My phone already controls the entire setup via a remote app that utilizes WiFi/Bluetooth).

Telemakhos
0 replies
4h17m

I don’t have a television, and I haven’t owned anything with an IR port since the 2012 MacBook. I have zero use cases for IR blasters.

chpatrick
0 replies
9h23m

In terms of functionality they're night and day compared to Western brands which seem to just enshittify their devices while raising prices. They're all made in China at the end of the day.

JKCalhoun
2 replies
5h13m

You just need a small Bluetooth-enabled box sitting on your coffee table near the TV that has an IR transmitter and a paired app on your phone that can send commands to the box.

Edit: I had only search and one did appear: https://www.amazon.com/PUCK-Smart-Universal-Remote-Model/dp/...

copperx
1 replies
4h13m

Universal remotes are still a thing, and much cheaper than that or a Flipper Zero.

dylan604
0 replies
1h48m

yeah, but you have to be line of sight for a universal remote to work. the app enabled IR box means you can be anywhere within range. that does have its advantages. also, being in the kitchen while the remote is near the couch when your streaming platform of choice asks "Are You Still There?" means you can answer from the kitchen.

bookmark99
5 replies
3h12m

A friend got this for me, but I'm struggling to put it into any useful purpose, any pointers with things I can experiment it.

Using it as a remote seems so cool, esp bc I lost my roku remote not so long ago so if you have any resources that could help I'd appreciate it.

The documentation I've seen so far seems far and scattered and it seems people are more scared of being implicit in illegal activities based on their resources.

tkems
1 replies
2h8m

For IR remotes, there are a few ways to go about it. If you have a remote you want to clone, you can just use the flipper to clone and map buttons to a custom remote. If you don't have the remote and have a common device (like TVs), I would check this repo on Github [0] and see if you can find a compatible IR file. Note, you need a micro SD card in order to move the files onto the flipper, but a small one works fine.

I've had good luck with the basic universal remote when I'm in a pinch. Also, you can create custom IR files, but it can be a pain with encoding. The flipper forums are a good resource too [1].

[0] https://github.com/Lucaslhm/Flipper-IRDB

[1] https://forum.flipper.net/

bookmark99
0 replies
1h28m

sweet. thank you

spacecadet
0 replies
2h54m

Great tool for learning Bluetooth Pen-testing. I run BTCTF-Infinity on an ESP32, powered through the flippers GPIO. It creates the BTCTF environment and I use the flipper to crack the examples. Kinda like a self-contained gaming handheld for BT practice.

sbdaman
0 replies
2h39m

You can buy a Roku remote for like $5.

Nexxxeh
0 replies
2h1m

Not answering your question, but the Roku app includes a better version of the remote.

CraigJPerry
4 replies
10h3m

> or somewhat expensive and complex SDR

I don’t think that’s as accurate today as it used to be.

On the hardware side there are tons of options very cheaply available - iirc the flipper uses the c1100 (or a number like that) it’s a popular cheap chip and it’s well documented and interfaces easily with arduino.

More accessibly, lime mini SDRs are cheap but there’s quite a few alternatives too.

On the software side GNU Radio is free with decent tutorials - we’re not talking anything like blender levels of difficulty to adopt even if it is a complex domain.

Although on the more accessible side, urh is incredibly powerful given how easy to use it is https://github.com/jopohl/urh

I used the latter to tap into a 2 channel wireless bbq thermometer via a $10 rtl sdr and that was a breeze, an absolute walk in the park compared to when I reverse engineered the flysky telemetry system.

ale42
1 replies
8h53m

GNU radio is free, but what about the hardware you need if you want to transmit an actual signal?

tiagod
0 replies
8h41m

An HackRF clone is quite a bit cheaper than a Flipper, and it's a full-blown SDR with TX capability

tkems
0 replies
1h57m

As someone with a HackRF PortaPack knockoff I got from ebay, I would agree that SDRs are better and cheaper than ever before. However, I think the average person will struggle with using a HackRF for more complex projects. I've used URH before, and while useful, it can be intimidating for beginners.

Also, while I like the RTL-SDR (and the price tag!), you can't transmit with it. While this isn't a deal breaker to everyone, if you'd like to clone a garage door remote, for example, you need to be able to transmit. While you could use something like a raspberry pi and rpix [0], but I think it is more work than it's worth for many. Also, multiple RTL-SDRs are required for higher bandwidth applications like ASTC TV or trunked radios.

With the flipper, I think the main draw for most is the point-click-done nature. Include the Android/iOS app and it makes it easy to configure on the go without a computer. The expandability is one of the main feature that will increase adoption over time compared to the HackRF+PortaPack which, from what I saw in the past, lacked longer-term support and regular updates and new features.

[0] https://github.com/F5OEO/rpitx

TeMPOraL
0 replies
8h0m

It's not the TX hardware part that will be expensive - but rather bespoke encoding and crypto. Not prohibitively expensive, just annoyingly expensive in money and/or time - enough to prevent anyone except criminals from tampering with those devices.

Or worse, vendors will use it as an excuse to make their products cloud-dependent, with strong cryptographic auth and actual processing done on the other side of the world.

(And with that enabling the rent seekers their recurring revenue, we arrive at the reality foretold by IIRC Philip K. Dick, where you have to subscribe to your own apartment doors.)

(EDIT: the more IoT embraces actual security, the more I feel that US gov had a point in classifying cryptography as munition. Perhaps there ought to be legal limits on using crypto against other people.)

MuffinFlavored
3 replies
1h49m

Lots of things use that range (garage doors, gates, fan remotes, etc.) and are not very secure.

https://en.wikipedia.org/wiki/Rolling_code I didn't know this wasn't secure enough. I thought this was the basis of most modern vehicle keyless entry too?

It is hard for me to not think of the Flipper Zero as a script-kiddie tool to do super illegal things like open your neighbor's garage illegally.

tkems
2 replies
1h33m

While rolling codes can be secure (KeeLoq [0] is a more secure example but has it's own issues), this [1] is an example of some of the weaknesses that can happen if a rolling code algorithm is broken. I have personally been able to capture, decode, encode, and transmit garage door codes using that python script and a HackRF (which can also be done with a flipper and custom firmware).

[0] https://en.wikipedia.org/wiki/KeeLoq

[1] https://github.com/argilo/secplus

MuffinFlavored
1 replies
1h21m

Can you help me understand why rolling code attacks aren't broken on most cars but are broken for garages?

Also, are attacks like this real/common/easy to pull off? https://youtu.be/1SUGf6OwRzw Where the signal is amplified from the key inside the house to the car. How does the car/keyfob not detect it's signal/noise ratio or time for roundtrip is all messed up distance wise?

tkems
0 replies
1h5m

From what I understand, cars are a bit more complex now then garages. KeeLoq, from my understanding, is not 'breakable' like garage doors. It does have weaknesses, but more related to the raw cryptography/math. Since KeeLoq is a cryptographic function, it can be broken by brute force or by gaining access to the manufacture key.

For the amplification attacks, my understanding of them is that the key fob and car may be able to detect this kind of attack, but require more logic/software to do so. Also, most of these attacks use high frequency 'backhaul' wireless networks (key fob at 3-400Mhz, backhaul at 2.4-5 Ghz Wifi with lower latency) to prevent such timing/signal-noise from being detected. If I had to guess, most key fobs/cars are more focused on making sure the key fob works at range or in hard-to-detect environments and not focused on preventing such relay/amplification attacks.

Also, some similar attacks to what you linked could also be done against Bluetooth (I think Tesla had this issue in the past few years) with a simple Bluetooth range extender/relay setup.

(Note: without one of those devices, most of this is just guesses/what I've seen is possible/theoretical in terms of attacks)

elliottcarlson
0 replies
8h41m

The batteries died in my bedroom TV remote a few nights ago, it wasn't until I went to replace them did I notice that one of the batteries had leaked and seems to have caused some corrosion on the contact, so until I clean it up I've switched to my Flipper Zero as the remote for it (just need power and audio control, rest is via a Roku stick). Never thought this would be my use case for it, but it worked out perfectly.

kristopolous
11 replies
18h27m

I really resent the marketing of this product. It's as if they invented the cheap RF chips they're using and are the exclusive distributors of it.

It's rubbed me as thoroughly dishonest and fraudulent.

I know this is currently a minority position, that's why I took the time to state it.

fortran77
5 replies
18h17m

Really? I like mine. Learned a lot about RFID and was able to successfully copy and clone some hotel prox card. Sure, they didn't "invent" the chips inside, but they put the hardware and software in a nice package, included software, and grew a nice community of hackers around it.

Because of the popularity of the device, there are third parties, some less reputable than others, trying to ride their coattails. Perhaps that's what you're reacting to?

brendoelfrendo
4 replies
18h3m

I was able to clone my apartment fob using a tool I got for $30 on Amazon, and it even came with extra blank fobs and cards to clone to. Flipper Zero can more than just clone RFID keys, but my point is that the tools exist to do all the things it does and do them cheaper, and they're just as easy to use.

If you really need a tool that can do them all, though, I can't really argue with the utility; but I do kind of agree with the GP comment that Flipper didn't exactly do anything that hasn't been done before.

wffurr
3 replies
17h22m

Other than create the marketing buzz and pull together a community of hackers to make the on ramp to this type of programming easier.

kristopolous
2 replies
16h27m

And that's really it. It's purely a marketing play. I guess my other frustration is when I see people who I thought were pretty clever not realize that

dinkleberg
1 replies
15h27m

No offense, but that is a pretty one-dimensional view of products and businesses. So many great products are just an exciting and/or user-friendly version of a simple concept and well marketed which opens up the doors to a much larger audience than the original concept otherwise would've received.

This approach isn't a cheap cop out, it is serving a genuine utility and bridging the technology to more people.

kristopolous
0 replies
15h9m

I get it at this sophisticated level as well. I'm surprised by how many don't

hobs
2 replies
15h49m

Flipper was inspired by the pwnagotchi project, but unlike other DIY boards, Flipper is designed with the convenience of everyday usage in mind

Front page, nothing about their copy or their website says what you think it says.

kristopolous
1 replies
9h48m

You know they've released a lot more than a landing page, right? They were initially a kickstarter: https://www.kickstarter.com/projects/flipper-devices/flipper...

They created a fast-food substitution product and have been trying to pass it off as the real thing. It's a hardware script kiddie device and that's exactly how their videos depict it.

I was always turned off by their approach since first seeing it in 2019. I've played with the device, get their facebook ads all the time, tried to change my mind about it but 5 years later I keep coming back to the same animosity towards it.

These are all easy to teach things and this thing shrouds that fact through product alienation intentionally distancing the user from any real hacker education and replacing it with animations and theatrics.

I'm cool being dismissed as a crank. They're obviously successful millionaires and I'm not.

tommit
0 replies
6h3m

It sounds more like gatekeeping to me rather than being cranky. Not saying you are actively doing so, but I'm not sure RFID and the likes are "easy to teach things". Quite the contrary, actually. So if this motivates some teens to go out possibly discover an affinity for hacking, it has done its job. That's my thought of this product anyway.

ok_dad
0 replies
18h20m

They made a product that’s really easy to use out of a bunch off of the shelf components. What’s fraudulent about that? I haven’t seen them claim any features that the device doesn’t have. They literally have the chip product numbers they use for each module on their home page! They’re not hiding it!

IshKebab
0 replies
5h17m

I think you're just feeling that you knew about something "before it was cool", and now anyone can do it so you aren't special anymore.

ChrisArchitect
9 replies
17h54m

Recent news discussions:

Flipper Zero can be used to crash iPhones running iOS 17

https://news.ycombinator.com/item?id=37919396

Apple Shuts Down Flipper Zero's Ability to Shut Down iPhones

https://news.ycombinator.com/item?id=38656607

Flipper Zero banned by Amazon for being a ‘card skimming device’

https://news.ycombinator.com/item?id=35481580

UK airport confiscates passenger's Flipper Zero

https://news.ycombinator.com/item?id=37707486

Alifatisk
6 replies
9h23m

Someone on Twitter mentioned how some kid managed to crash and shutdown their insulin pump using the flipper zero.

Mad_ad
5 replies
9h18m

source? sounds fishy to me, can't believe insulin pumps are so vulnerable.

Alifatisk
2 replies
7h38m
hnbad
0 replies
6h16m

Specifically they say there's an Android device for monitoring/controlling the pump that was taken out by this. That seems more plausible given that it likely isn't exactly running the newest version of everything.

core-utility
0 replies
4h12m

And the fix would be to remove yourself ~30ft from the source (though BLE might have even less range). The pump itself wasn't "disabled", the dude's Android phone (or dedicated Android device for this) was temporarily glitched while in range.

jandrese
0 replies
1h39m

Medical devices with shit firmware are hardly uncommon. I can totally believe someone crashed one with a device like this.

ablation
0 replies
8h59m

I don't have a source for OP's Flipper Zero story, but insulin pumps are surprisingly vulnerable: https://www.cisa.gov/news-events/ics-medical-advisories/icsm...

ulucs
1 replies
9h37m

The last one is hilarious, just endless speculation on how the guy could have handled it better, the guy coming in with the account of how he handled thing pretty nicely, and then just crickets.

pugworthy
0 replies
1h24m

Good read indeed - a lot of conclusions being jumped to there.

ChuckMcM
7 replies
17h58m

This is a super fun gizmo, it's discord channel is, uh, not great.

One cool thing is that you can talk to it serially. I pretty quickly had it organized with an IoT temperature sensor so that it could send commands to my ceiling fan given the temperature in my office.

I have also used it to capture the NFC code on a hotel card key so that I could still get into my room even after my key was inevitably "damaged" by nearness to other fields.

Some parts of it are silly, like the Tomagachi type game with the dolphin. Doesn't add value for me, but I can see how it might be something for someone.

There is also growing awareness with agencies about its flexibility, some apocryphal stories of them being confiscated by TSA checkpoints have come in.

Writing your own apps for them has a fairly high learning curve.

justsid
3 replies
14h35m

The Discord server is terrible. It’s both overrun with kids and yet also weirdly harshly moderated.

The device itself is fantastic though. Gives me some real Pebble vibes in all of the best ways. It’s very hackable and even though I don’t do crazy pentest things with it, it’s just an overall fun device.

MOARDONGZPLZ
2 replies
3h36m

The reddit is the same way. All the threads are new people asking how to use it to “have fun” by “hacking” vending machines and stuff, or for help convincing their parents to let them get one, or whether it’s worth their allowance to get.

I do have one, I think it’s a fun thing to have in my bag, but haven’t had any luck finding forums of responsible adults, or even just adults, discussing development or things to do with it. Even the “adults” who post about it inevitably do something like get fired because they take it to work and try to clone their own badges and the enter their work with the flipper.

Sorry for the rant.

evilduck
0 replies
1h57m

There's a ton of TikTok/Instagram nonsense showing it out in the world doing those things.

A large volume of the stuff you can do with it is just spoofing a USB keyboard and running console commands. You could do that for years with tons of existing microcontrollers the price of a hotdog, but suddenly script kiddies have taken notice and are willing to pay 100x for the ability.

cruffle_duffle
0 replies
2h22m

Was going to say the exact same thing about /r/flipperzero. It feels more like a fan subreddit full of kids, which.... ain't my scene at all. People on that subreddit make it seem like it is this amazing thing that will get you in jail or something for posessing.

... But after owning one? I dunno. It's a neat gadget but to be honest about the only practical thing I've got out of it is cloning our apartment keyfobs and duplicating hotel cardkeys. Otherwise it's kinda fun opening up tesla charge doors and messing with iphones using Bluetooth LE. Somebody somewhere was starting a project to add CANbus support, which would be a perfect fit for the device.

I feel like the ecosystem needs a better way to add "apps" to the device. I might be missing something but it doesn't really have any official app registry or anything. Something like you'd see for npm, pypi, or platformio.

tekeous
0 replies
9h43m

The dolphin game is to allow them to avoid some import/export restrictions by classifying it as a toy, which it is, and not a hacking tool. It’s not a professional device.

rdslw
0 replies
1h9m

Friend of mine has 3 yrs old. The "dolphin" is in constant use by the child. "What is he doing now?" " Let's check what dolphin is playing with today". "What does it say" "Does he miss me?" "Let's play with him".

It quickly became pal of the child.

Friend told that is one in top 5 toys of the child now :)

m0llusk
0 replies
16h12m

The dolphin annoyed me immediately, but it turns out that all of the graphic assets are simple to find in the firmware so it should be quite easy to change the look and feel of operation into something other than fun time with dolphin friend.

pnw
6 replies
5h18m

I would love to get one but articles like this about the Russian connection put me off.

https://simovits.com/flipper-zero-zero-trust/

Gormo
2 replies
3h10m

Interesting. Do you have any sources that substantiate the claims made on this blog post?

sev1
1 replies
2h28m

I wasn't aware of a Russia connection until this post. On flipperzero.com near the top it says:

Our team was originally formed in Neuron Hackspace by collaborating with industrial design and manufacturing experts Design Heroes.

A quick Google search for Neuron Hackspace and Design Heroes shows their location as Moscow. I'm inclined to believe the detailed report from that blog post and am glad I did not end up buying the device.

Gormo
0 replies
18m

I wasn't aware of a Russia connection until this post.

I'm still not aware of it after reading the post. Pointing out that some of the people on the project were members of a hackerspace in Moscow at some point in the past is not remotely sufficient to substantiate that there exists any current connection between the project and Putin's regime.

what-the-grump
0 replies
2h59m

As it should, and US consumer protection is failing to act, this is from the report. People do not understand the level of control the Russian authorities maintain over businesses in Russia and citizens.

1. Flipper Devices Inc. is registered in USA as their main office, but no development or business is done at that address. The address belongs to a ”mailbox” company. 2. A majority of registered staff on LinkedIn were until recently registered in the Moscow region, (but suddenly moved to Tbilisi, Georgia according to their LinkedIn profiles.) - No developers remain in Russia according to LinkedIn.

3. TZOR and Neuron Hackspace shared the same address during the period of 2012-2013. (Neuron Hackspace used the address before TZOR was founded.) The Company of the founder of Neuron Hackspace, Esage Lab/TZOR, is placed on US sanction lists due to the DNC hack 2016, under the claim that the company provided tools to the Russian intelligence GRU and FSB. The attributions were validated both 2017 and 2020.

4. The Company and founder of Neuron Hackspace, Esage Lab/TZOR, had contracts with at least two companies that delivered services for the Russian government, FSB and the Russian military.

5. The founder and CEO of Flipper Devices Inc., has been involved in activities, such as running the DDOS site putinvzrivaetdoma.org, that could have attracted the attention of Russian security services.

6. The founder and CEO of Flipper DevicesInc., has been involved in activities since he moved to Moscow that can be interpreted as actively supporting the authorities in Russia, like trying to sabotage Alexei Navalny’s blog in 2014 and building a tool, Zaborona_help, to circumvent Ukrainian blocking of the Russian websites

The assessment is that there is an even chance that Flipper Zero has links to Russian Intelligence Services. The founder and financier of Neuron Hackspace was placed under US-sanctions due to providing tools to FSB and GRU related to the DNC-hack. The validity of the investigations behind the US-sanctions has been confirmed in 2017 (Intelligence community assessment) and 2020 (Senate Intelligence Committee). Pavel Zhovner’s past activities and that he seems to have been an early member of Neuron Hackspace contribute to this assessment.

It is at the same time likely that Russian authorities are well aware of the distribution of Flipper Zero and monitors the situation for opportunities to gain other types of benefits, either in form of influence over the hacking community, recruitment of talented hackers for similar projects or even attacks of infrastructure or other targets in the future.

It is also likely that Russian authorities will remain to have a substantial influence or control over this hacker community and could benefit from the future possibility to recruit talents with some form of combined security and IT background or even to blackmail foreigners that have been connected to this community.

squarefoot
0 replies
4h56m

The device is nothing more than a quite powerful STM32 board with some interesting peripherals added and of course a very powerful firmware/software, which is what makes the difference. However, as everything is Open Source, it can be ported to a similarly designed, possibly different looking, device without the code that phones home, an it probably is what hackers should consider since the Flipper Zero has been banned in some places and being caught with it say in a airport could be enough for confiscation and/or interrogation. Also, it is overpriced for what it contains; they could sell it at half the price and still make a significant profit. And frankly, as someone who is 100% on Ukraine's side against the barbaric Putin invasion, I'd rather use my money to buy some electronics from Ukrainian surplus shops on Ebay.

python273
0 replies
1h41m

So, they found nothing suspicious with devices or apps.

Also made some far fetched connections of Flipper Devices to companies owning the hackspace Pavel Zhovner worked in, and attributed his trolling and making anti-censorship tools "as actively supporting the authorities in Russia". lol.

futhey
6 replies
14h38m

When people realized anyone with a sophisticated police scanner could listen in on cordless (and then early cellular) phone calls, it forced manufacturers to actually implement a bare-minimum level of security on those devices.

I hope this pushes more manufacturers to switch to rolling-code algorithms (like the key fob your car uses), in place of simpler, less secure codes that can be captured and replayed.

tivert
2 replies
3h17m

When people realized anyone with a sophisticated police scanner could listen in on cordless (and then early cellular) phone calls, it forced manufacturers to actually implement a bare-minimum level of security on those devices.

Did it?

IIRC, the biggest thing to fall out of that is the US government banned scanners that could pick up the frequencies commonly used by cordless phones.

cruffle_duffle
1 replies
2h21m

IIRC, the biggest thing to fall out of that is the US government banned scanners that could pick up the frequencies commonly used by cordless phones.

I recall that. I think the age of SDR's made such a ban (law?) almost impossible to enforce.

dylan604
0 replies
1h47m

When did the age of SDRs begin where these devices were still in vogue? What's the overlap?

porbelm
0 replies
1h44m

Well, DECT wasn't exactly very secure, and neither was GSM (2G) call encryption. And check out the recent TETRA-related CVE's for more fun ;)

https://www.midnightblue.nl/tetraburst

forinti
0 replies
4h58m

In the 1980s a friend of mine had a German radio which had a larger array of frequencies than that available in my country. It allowed us to listen to the police. Curious, but not interesting.

In the 90s my brother had a portable TV/Radio which we managed to tune into cellphone conversations.

Those were the days you could still telnet 25 to send emails with whatever sender you wanted. I used to send Christmas greetings from Santa to my colleagues at uni.

IshKebab
0 replies
5h22m

Sure though in some cases it isn't worth the cost or effort, e.g. kinetic light switches. In some cases it's appropriate to expect people to not be arseholes.

dymk
6 replies
17h49m

Bad actors are going to ruin this cool little device for everyone else. For every story I hear about a cool usecase for it, there's another about it being used to annoy or harm others.

sneak
4 replies
17h37m

Tools can be used for good and bad. This isn’t anything new and doesn’t “ruin” a device.

karaterobot
2 replies
17h7m

The person you're responding to probably means that bad actors will cause the device to become illegal to buy or use in certain areas as a result of being associated with illegal or harmful behavior.

mihaaly
0 replies
9h5m

It is true, tools will be misused, banning already happened to knifes and scissors in narrow or broader context for example. Will see how this one will be regulated, if will be at all. If they are smart - usually not, but at least less smart than paranoid - then it will not be a blanket rule, actually cannot be without unplugging all computation and wireless devices.

goshx
0 replies
16h56m

It’s already banned in Brazil, for instance

dymk
0 replies
15h51m

thanks sneak, very insightful

neilv
0 replies
16h32m

Flipper Zero is/was banned on eBay.

I tried repeatedly to sell mine there, because I'd see some auctions for them complete. Then they told me it was definitely banned, because it could be used for (IIRC) RFID hacking.

(Fair enough. I ended up having to sell mine locally, for a lot less money than what the occasional auction would complete for on eBay. And finding a buyer locally was harder, and with much higher rate of flaking. As someone with deep frugal influences, who likes to save money when buying things, and to sell things once not really needed, I really like eBay when it works OK.)

rabbitofdeath
2 replies
1h42m

I have found it pretty useful in a few situations: - USB/Mouse keyboard when the iMac you are working on has totally dead batteries for the mouse/keyboard- its not fun but works in a pinch.

- Cloning weird ceiling fans/lights. Apparently I've bought horrible remotes but this helped.

- Used this as a nightstand clock while traveling.

- Used the authenticator app as a backup Yubi key

- Mouse jiggler to keep a computer awake

- blasting tvs at restaurants is a ton of fun and my kids like that.

- And the IR functionality for Nerf Laser Ops Pro (IR laser tag) is an absolute blast - the actual Nerf guns have a delayed trigger, but with Flipper there is no delay or need to "reload" so you are an unstoppable beast.

tkems
0 replies
1h37m

Just a heads up about the Flippers U2F implementation [0] and the possible weaknesses compared to a Yubikey/other U2F key.

[0] https://modusmundi.com/posts/u2f-flipper/

bcks
0 replies
1h13m

I had a lot of fun playing with the Flipper's Bad USB DuckyScript to automate some repetitive and tedious CMS workflow for a client, filling in a lot of input fields on multiple browser windows with a single press of a button. It improved my productivity and happiness. I've since graduated to Playwright, but it was the Flipper that sparked the idea.

dzink
2 replies
15h51m

The initial marketing mentioned that flippers can exchange collected data as a social interaction. The reason I haven’t bought it is that I don’t want private stuff used and home being leaked to flippers nearby or to a central server. Any experience with that?

sharperguy
0 replies
8h11m

Everything is recorded on an SD card, so you could copy the files online somewhere and download others files. There is no automatic sharing.

DHowett
0 replies
12h56m

As of firmware version 0.97.1 (current at the time of this comment,) no such feature exists.

byb
2 replies
13h25m

I tried using a Flipper with some NFC stickers so I wouldn't have to carry around so many FOBs and cards. It turns out that the Flipper does not excel at this task. It complained that the NFC stickers I bought were non-writable. And it couldn't read all the sectors on some NFC tags. However, I was able to use the Android MCT app to write to the same stickers and read the tags the flipper couldn't read. Cloning required copying strings to the clipboard, which is something the Flipper's UI is not really designed for.

cruffle_duffle
0 replies
2h14m

It complained that the NFC stickers I bought were non-writable.

I'm not an expert at NFC but after playing around with Flipper I've learned that there are different types of NFC devices and they aren't at all interchangeable. They aren't just dumb devices but actual computers that power up and do shit (I think).

blep-arsh
0 replies
12h55m

Yeah, Flipper as a concept sounds cool but then I found out the current implementation is rather half-baked and comes with a lot of limitations. And the community is not that welcoming either.

shantnutiwari
1 replies
4h40m

I got one some time ago, and like my rpi, has been sitting in teh drawer since.

Another one of those "Sounds cool, but not really useful" tools

jpcfl
0 replies
4h32m

A lot of people buy tools and then never use them, just like people buy trucks and 4x4's, but never use them to haul cargo or go off-road. When you buy a tool, you generally want to have a job in mind, and then have the follow-through to do that job.

holografix
1 replies
16h25m

Anyone tried to crash Bluetooth speakers with this? I’d buy one immediately if I can mute loud tvs and harmlessly disable Bluetooth speakers from a distance.

My new rental only provided us with one garage door remote and it looks ancient. Fairly certain this could an overly expensive extra garage door remote.

beala
0 replies
14h33m

It doesn't operate at bluetooth's frequency. You could definitely mute TV's with the IR blaster.

LZ2DMV
1 replies
18h10m

Apart from access control systems, it hardly has any good uses in the real world as a pen-testing device. If it was a pocket carry, true SDR, capable of recording RF signals as I/Q, performing actions on them, replaying them, etc, it would have justified its cost. But, with a limited set of modulations supported by the used RF chips, it is more like a toy for hacker wanna-be teenagers than a serious tool.

An investment in something like HackRF+PortaPack clone is far better, IMHO.

tkems
0 replies
16h42m

Totally agree that this isn't a good full pentesting device, but I also think that such a device doesn't need to be in order to be popular. Just look at the IM-ME when Samy Kamkar showed it off [0] and it sold out.

Most people don't need a full SDR like a HackRF in order to explore their RF devices and a Flipper gives that too them without the headache of software and the bulk of a full PortaPack.

(I love my HackRF and PortaPack for the record. The Flipper can't complete with the features and low-level access when you need it)

[0] https://hackaday.com/2015/06/08/hacking-the-im-me-to-open-ga...

Duanemclemore
1 replies
18h19m

Oh man. If my friends and I had this in high school things probably would have gotten even more out of control.

mtreis86
0 replies
5h16m

Yeah we found a remote control cloning app for a palm pilot that had IR and caused enough trouble randomly turning tvs on with that.

yakshaving_jgt
0 replies
9h35m

My Flipper Zero has been useful for me while living in Ukraine.

For some reason, many apartment buildings require the use of a little electronic tag not only to open the outside gates, but also to operate the elevator to reach someone's apartment. This also includes trying to use the elevator to reach the ground floor, e.g., when you leave your friend's apartment and you are going home. So you can't leave the building with the elevator without your friend coming out and unlocking it for you. It's madness.

So, I clone my friends' tags (with their knowledge) and come and go as I please.

xyst
0 replies
15h35m

I got one. Only thing I used it for was scanning my dogs microchip

vivak6223
0 replies
9h37m

Mj

tehwebguy
0 replies
17h19m

I love this thing but I mostly just use it to avoid touching hotel TV remotes.

tamimio
0 replies
2h41m

I have one, loaded it with Xtreme firmware (better than unleashed etc.), and works great! some people are missing the point of this device and start comparing it to an advanced NFC tool or other SDR, that’s not its intended use, it is AIO swiss army tool style that you will (might) find it handy in situations that other advanced tools aren’t around, for example I have some advanced SDR like BladeRF and limeSDR, far better in terms of everything than the flipper, but in many situations it would be impossible to use one of these SDR, not just how suspicious it will look with all that gears, but simply you just don’t have it at that time. So I have my flipper loaded with all fobs keys, garage (yes it does work with rotating key if you pair it), all my home sub-ghz, IR, are all backed up as well, and as someone who works in robotics I find the quick access to GPIO is handy sometimes, among other usages, for example, I have a friend who lives inside a uni dorm, and if you happen to lock your keycard inside your apartment, the cost to just open that door is $50, not even replacing the card.. so after he paid it few times I took a backup of his card, and whenever he locks it, he will call me and I open it for him.

system2
0 replies
18h21m

Hard to justify the cost. I see the ads everywhere for this device. If you have this product please review it for everyone.

spacecadet
0 replies
2h48m

The flipper has great size/capabilities. I mainly use it for NFC/NF wireless pen-testing. Some clients use NF payments and this gives me a single click testing tooling.

As others have said, if you want real capabilities get into SDR. My real kit includes HackRF piped into wireshark.

Lastly, a community that has seen a bump recently, Pwnagotchi. Its worth checking out and to me has alot of potential.

some-natalie
0 replies
15h2m

It's good as a bluetooth presentation remote, sharing QR codes or NFC contact info at conferences, and jiggling your mouse so your VPN connection doesn't die when your laptop locks up. It was handy around the house over the holidays too (https://some-natalie.dev/blog/flipper-at-home/).

It's a decent multitool. :-)

smcleod
0 replies
15h27m

$310 AUD... that's insane!

rjcrystal
0 replies
3h39m

They're never in stock! They need to fix the logistical issues with supply.

philip1209
0 replies
17h27m

I've mainly use Flipper Zero to duplicate my digital apartment keys (iButton then later RFID fobs). It's so easy to duplicate a physical apartment key, but making backups of the digital equivalents is annoyingly tedious. Plus, apartment managers treat them as scarce commodities and refuse to give backups.

With Flipper Zero I now have backup keys in my backpack, on my dog's leash, in my running belt, and with close friends. It's great.

notatoad
0 replies
15h16m

this seems like a cool device that people actually like, but it's crazy that i've still never seen a blog post of "hey check out this cool thing i did" that just happens to use a flipper. it's always the other way around, the point is to have a flipper and find things to do with it, not to have a flipper because it does something you want.

i buy lots of nerdy toys, but can we all just admit that this is a toy, not a tool?

lawlessone
0 replies
3h15m

I have one, honestly too expensive in hindsight for what it is. I make impulsive buys.

iceflinger
0 replies
13h22m

Even beyond the wireless stuff it's focused on, it's super useful as a combined UART bridge, SPI Flash dumper, DAPLink debugger and other hardware tools.

hnthrowaway0328
0 replies
2h51m

I'm thinking about building gadgets that serve parallel functionalities:

1. Relatively small to carry around.

2. Specifically built for one topic of purposes.

3. Can be achieved by a single hacker with on market tools.

What kind of tools have you built for yourself? Here are some examples I have in mind:

Hardware debugging dongles, rom burning boards and of course Flipper zero itself.

hemanthb
0 replies
16h42m

“Outside” perspective after I was recently gifted one for my birthday: it’s a fun and easy tool to learn about hardware. I became a programmer through the “Applied Math” route (Causal Inference -> Probability -> UL -> DL -> CS). Never owned a Raspberry Pi/Arduino and too busy to get into hobbyist electronics. The Flipper is accessible and low friction, motivates learning eg about GPIO, and is the first time I’ve messed with firmware and signals.

dr_kiszonka
0 replies
16h19m

I'd love to have one to learn more about radios with my kids. Some of Flipper's apps look pretty interesting too.

Probably out of scope, but I hope FlipperOne has a few environmental sensors too. (In a perfect world, it would also have thermal imaging, but these sensors are way too expensive.)

dfc
0 replies
18h24m

I have seen a lot of hardware addon boards lately. They are rarely, if ever in stock. Are there any good ones?

dang
0 replies
18h9m

Related. Others?

Apple Shuts Down Flipper Zero's Ability to Shut Down iPhones - https://news.ycombinator.com/item?id=38656607 - Dec 2023 (26 comments)

Tiny device is sending updated iPhones into a never-ending DoS loop - https://news.ycombinator.com/item?id=38125426 - Nov 2023 (108 comments)

Probably Buy a Flipper Zero Before It's Too Late - https://news.ycombinator.com/item?id=38025786 - Oct 2023 (27 comments)

Flipper Zero can be used to crash iPhones running iOS 17 - https://news.ycombinator.com/item?id=37919396 - Oct 2023 (33 comments)

UK airport confiscates passenger's Flipper Zero - https://news.ycombinator.com/item?id=37707486 - Sept 2023 (44 comments)

Flipper-Xtreme-Firmware: Give your Flipper Zero the power it is craving - https://news.ycombinator.com/item?id=37519277 - Sept 2023 (4 comments)

Flipper Zero can spam nearby iPhones with Bluetooth pop-ups - https://news.ycombinator.com/item?id=37397481 - Sept 2023 (44 comments)

Flipper Zero Controlling Traffic Lights [video] - https://news.ycombinator.com/item?id=36756787 - July 2023 (3 comments)

Flipper Zero Self Destructs an Electricity Smart Meter - https://news.ycombinator.com/item?id=36253591 - June 2023 (210 comments)

FlipperZero: 1 Month Battery Life with Firmware Update - https://news.ycombinator.com/item?id=35735415 - April 2023 (82 comments)

Flipper Zero banned by Amazon for being a ‘card skimming device’ - https://news.ycombinator.com/item?id=35481580 - April 2023 (133 comments)

Brazil seizing Flipper Zero shipments to prevent use in crime - https://news.ycombinator.com/item?id=35109931 - March 2023 (67 comments)

Hacker Uncovers How to Turn Traffic Lights Green with Flipper Zero - https://news.ycombinator.com/item?id=34872104 - Feb 2023 (4 comments)

Trying Out Flipper Zero - https://news.ycombinator.com/item?id=34215390 - Jan 2023 (99 comments)

Hands on with Flipper Zero, the Hacker Tool Blowing Up on TikTok - https://news.ycombinator.com/item?id=34102109 - Dec 2022 (2 comments)

FlipperZero hardware hacker released for US sales - https://news.ycombinator.com/item?id=33720764 - Nov 2022 (7 comments)

Bad news: US Customs have seized a container with 15k Flippers Zero - https://news.ycombinator.com/item?id=33073141 - Oct 2022 (13 comments)

PayPal blocked Flipper Zero account with $1.3M - https://news.ycombinator.com/item?id=32739950 - Sept 2022 (105 comments)

Flipper Zero – Portable Multi-Tool Device for Geeks - https://news.ycombinator.com/item?id=32166058 - July 2022 (263 comments)

Quick Start Guide for Flipper Zero - https://news.ycombinator.com/item?id=31368209 - May 2022 (137 comments)

Flipper Zero: How it’s made and tested - https://news.ycombinator.com/item?id=27704883 - July 2021 (34 comments)

Flipper Zero: Bringing Cases to Perfection - https://news.ycombinator.com/item?id=27479684 - June 2021 (6 comments)

Case manufacturing behind the scenes - https://news.ycombinator.com/item?id=27155584 - May 2021 (1 comment)

Flipper Zero: Tamagochi for Hackers - https://news.ycombinator.com/item?id=26405919 - March 2021 (48 comments)

Flipper Zero Manufacturing and Shipping Plan - https://news.ycombinator.com/item?id=25870255 - Jan 2021 (14 comments)

Flipper Zero – Tamagochi for Hackers - https://news.ycombinator.com/item?id=23996733 - July 2020 (53 comments)

Show HN: Flipper Zero – Tamagotchi for Hackers - https://news.ycombinator.com/item?id=22941733 - April 2020 (10 comments)

Tamagotchi for Hackers - https://news.ycombinator.com/item?id=22859083 - April 2020 (1 comment)

Flipper Zero: Under Development Multi-Tool Device for Pen-Testers - https://news.ycombinator.com/item?id=21842830 - Dec 2019 (1 comment)

cactusplant7374
0 replies
7h53m

The problem with the Flipper is it's missing documentation. And new learners need documentation. The response from the Flipper team has been telling people to read the source code.

bastardoperator
0 replies
15m

I bring this when travelling so I can dupe remotes and door keys.

FrustratedMonky
0 replies
4h47m

I don't even do hardware and want one.

Is it as great as it seems?

Deprogrammer9
0 replies
2h32m

fun toy to get people into security.

AlbertCory
0 replies
1h53m

I saw this and thought "I need this toy!"

Their website wouldn't take my credit card. Needless to say, it's a good card and I used it on other sites that same day and after. I wrote to Support.

Three days later, they wrote back and suggested I try a different card. Sorry, Flipper, you lose. Nice idea, but a company is more than a piece of hardware.

127361
0 replies
17h25m

Flipper Zero was designed in Russia, the company moved since the start of the war.