I’ve had one of these guys sitting around for a while - love the hardware, love the concept, but I haven’t really found a lot of use for it - what are y’all using them for?
$169 is a bit steep for me, so I went on Temu and bought a $8 125KHz RFID programmer & a $5 USB-C IR Blaster. Combined with my Samsung phone's native NFC writing, Bluetooth, etc., I feel like it scratched the itch of 90% of what people do with Flipper for 10% the cost.
“1200 seems too high for a phone, so I bought a raspberry Pi and attached a 4G module now I can make calls and browse the internet”…
iPhones aren't sitting unused in a drawer forgotten like 99% of Flippers. There's nothing differentiating or polished about clicking one button versus clicking a different button to clone an RFID tag. I'd rather have a cheapo version of 1 time use gizmos.
For me the appeal of Flipper Zero is the mythical rare day when it becomes useful in an emergency, and until then it can stay in my drawer peacefully.
There is another possibility: that the Flipper gets an update with the order of a government. For example, to reprogram or shut down electrical systems in the house. And then it will be a day to remember :D
Or, an equally plausible scenario, it grows its own consciousness and decides to attack, hiding behind its delightful dolphin facade.
Oh, come on, you're being ridiculous. It's much more plausible for the flipper to develop consciousness and steal all the tuna in your pantry.
More likely your smart home app in your phone will do that
Is this really the case? I would think there would be a mobile app interface for flipper?
You are correct, there is a mobile app interface for it.
You can check firmware version and device status, update it, have access to file manager, can backup keys, read logs, reboot, speed/stress test, and probably do a lot of other things that I am not aware of.
Any app run on the Flipper Zero can be run and interfaced with from the mobile app. It works quite well.
> I would think there would be a mobile app interface for flipper?
If you want to interact with the software on flipper zero you have to use the "remote" app (or whatever) on the phone. It kinda sucks though because it literally acts just like the physical device. If you wanna type a filename out and think having a full keyboard like on your phone would make that task easier... it doesn't. You are stuck using the fake "buttons" to move the cursor around to each letter just like you would on the device itself.
Design is way more important than just what things look like. But it contributes to a product's success in ways that are sometimes hard to measure. That's why engineer-driven companies don't understand it and engineers (as a sweeping generalization) usually hate it.
> “1200 seems too high for a phone, so I bought a raspberry Pi and attached a 4G module now I can make calls and browse the internet”…
That actually sounds really cool...
Until you want to take it with you when you leave the house.
Battery? A pi zero phone is a thing that works
I had no idea. Google tells me there is a sub-Reddit for it!
r/ZeroPhone: ZeroPhone - a Raspberry Pi smartphone
Leave the house?
I would love love love this to become a vibe.
Or just one of the hundreds of equally capable reasonably priced phones.
The point of the flipper zero is to have one good supported gadget that has a lot of people hacking away with it.
It's the same thing with the raspberry pi, sure you can get some cheap clone off less than ideal places, but you're gonna pay with your time. That's basically it.
That's what I like about InstantPots: having a standardized cooking device makes recipes a lot easier to share.
Well sure, for pressure and slow cooking. You could say the same thing about the microwave.
Could you?
Two different models of microwave cook pretty differently from each other. Especially if they have differing wattage.
Another is that a microwave doesn't operate at a set pressure, so even the same model will behave differently at different elevations.
That's true of pretty much all cooking (and baking) except when using a pressure cooker, so it's kind of a given - people learn to cook given their local pressure and humidity levels.
But then again, cooking is poor man's process engineering - what you do when you don't particularly care about quality and consistency, or at least don't have access to hardware and methods to ensure them.
Yeah so the instant pot is an exceptionally good kitchen tool for sharing recipes with others in a reproducible way.
My partner's instant pot also does toasting/air frying/normal cooking, I've been very impressed with it.
For anyone with a compatible model you can add this with a lid accessory from Instant Pot: https://instantpot.com/portfolio-item/air-fryer-lid/
Bought this to see what the hype was about. Hardly use it any more, the Instant Pot is just too small to be useful for air frying. 90% of the things come out better in the oven in convection mode.
Biggest level up was just lightly dusting anything with a starch or flour (lentil flour is awesome) and then a few light sprays of olive oil.
Chef Mike is the hardest working chef in the kitchen!
Aren't most things in a kitchen standardized cooking devices? Like stainless pan is stainless pan…
Kind of. But turning a stove up to medium-high and reducing to a simmer can lead to different outcomes depending on how the stove is calibrated and someone's interpretation of "simmer".
> It's the same thing with the raspberry pi, sure you can get some cheap clone...
It's a little different: from when the rPI first came out the price was a big driver of its popularity. It started with the Model B at $35 (with the Model A at $25 "later this year") and this was so much cheaper than other options at the time. Look over threads from the time [1][2] and you'll see things like: "I teach middle school programming/computer classes. I cannot wait to get my hands on one of these. Right now it's cheap enough that I can tell the parents to buy one for their kids without a problem, and out of pocket it for those few of my students whose parents won't be able to afford it." and "The pricepoint is simply revolutionary. I intend to make a few amateur home automation gadgets with this."
Allowing for inflation they've stayed in roughly the same ballpark, price-wise. It's just that there are now also cheaper boards available, which used not to be the case.
> I went on Temu and bought
Too bad. I was sincerely hoping nobody would buy anything from them so they would die.
I was thinking the same. It's a proven predatory and reckless company that can sell at these prices because of shady practices. But hey, savings!
I'm not very familiar with Temu. Are these shady practices documented somewhere, and are they worse than industry peers (aliexpress, wish, overseas ebay, etc)?
I don't install apps when there is a website I can use from my desktop. So, I guess I have a green light to enjoy Temu.
Amazon costs twice as much, and Aliexpress takes twice as long to ship. I have an adblocker installed, so I haven't experienced the annoying ads people are mentioning. I don't install apps when a website is available, so it's not a spyware concern. If Temu is more evil than the other main two options, I have yet to see an explanation.
The M5Stack Cardputer seems like it would scratch the same itch as the Flipper Zero.
the whole point of the flipper is the sub-1ghz radio and nfc/rfid capabilities. It's not really intended to be used as a general purpose computer, it's more like a really extensible radio
Yeah, but for me (and I imagine a lot of people on here) the itch that Flipper Zero teases is that of a hackable computer in a neat form factor, not the specific radio capabilities that it's actually meant for.
I didn't know about M5 before and now I'm hooked exploring M5's store, so I appreciate OP's pointing me there!
I think there are a lot of better options if that's what you want. From what I've seen the appeal of the Flipper is that you can do a bunch of fun stuff with a super easy to use interface (just select the thing you want to do and press go!) It's like the iPod of radio/rfid hacking.
Yeah, for sure—I looked at the Flipper when it first came out and decided it was overkill for me.
Also the 1-wire/iButton capabilities. Systems that use this kind of keys are probably nonexistent in the US, but in some other countries, they're everywhere.
no phone can act as a nfc card. your set up doesn't cover the main use case for the flipper on nfc space
Many (most recent) smartphone models can act as NFC cards very well, with the right software.
Phones unfortunately disallow setting the NFC UID on the hardware level (it's random each time), Flipper allows you to do anything.
That is kinda misleading. They can act as a very limited version of a client of a very specific and largely unused spec.
Sure but I have dozens of blank cards and stickers I bought for a few dollars.
If you want to go deeper with RFID and can spend a bit more (~$50), I am pretty happy with my knockoff Proxmark3 Easy [0] I got on ebay. (Do some research to find a good seller as I have heard some sellers ship bad units). It can do both 125khz and 13.25Mhz RFID/NFC and is easier to use than some of the Android apps for cracking Mifare keys.
For the price, it is great for more complex attacks and almost has all the features of a full Proxmark RDV4 (minus BLE and a battery).
[0] https://proxmark.com/proxmark-3-hardware/proxmark-3-easy
Do you have any resources for learning about RFID? I have some tokens for opening my garage door that I'd like to clone, and I'd like to know how they work.
I would check out the Proxmark3 Github repo [0]. They have a cheatsheet [1] with the basics on how to get started. I also did a talk about RFID security last year about the basics [2]
To get started, the basics are: low freq (LF) is usually around 125khz and is rarely encrypted (HID Prox is the most common in the US). The data is often encoded in Wiegand format for access control systems (something to keep in mind when reading the raw data).
High freq (HF) (aka NFC) is ~13Mhz and is readable by most Android phones with NFC. Not all tag data can be read however. HF cards support a lot of different options including data storage (normally in a block layout with permissions to read and write depending on keys) and encryption (iCLASS and SEOS being the HID offerings and very common). Some can be cloned (like hotel cards) while others (like SEOS) require a downgrade attack to work correctly (SEOS -> normal SEOS reader -> Wiegand data -> older style card like HID Prox).
[0] https://github.com/RfidResearchGroup/proxmark3
[1] https://github.com/RfidResearchGroup/proxmark3/blob/master/d...
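Added example, not part of the comment above or of the Proxmark3 project: a decoder for the Wiegand framing that comment says to keep in mind when reading raw LF data. It assumes the common 26-bit layout (leading even-parity bit, 8-bit facility code, 16-bit card number, trailing odd-parity bit), which the thread itself does not specify; all function and class names are hypothetical.

```python
"""Decode and validate a raw 26-bit Wiegand frame.

Assumed layout (the common 26-bit format; not stated in the thread):
  bit 0       even parity over bits 1..12
  bits 1..8   facility code
  bits 9..24  card number
  bit 25      odd parity over bits 13..24
"""
from dataclasses import dataclass


class WiegandError(ValueError):
    """Raised when a frame is malformed or fails a parity check."""


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int
    card_number: int


def bits_from_int(value: int, width: int = 26) -> str:
    """Readers often report the raw frame as a number; turn it into a bit string."""
    if value < 0 or value >= 1 << width:
        raise WiegandError(f"value does not fit in {width} bits")
    return format(value, f"0{width}b")


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build a frame so the decoder can be exercised without hardware."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise WiegandError("facility code is 8 bits, card number is 16 bits")
    data = format(facility_code, "08b") + format(card_number, "016b")
    first, last = data[:12], data[12:]
    even_bit = "1" if first.count("1") % 2 else "0"  # makes the count of ones even
    odd_bit = "0" if last.count("1") % 2 else "1"    # makes the count of ones odd
    return even_bit + data + odd_bit


def decode_wiegand26(bits: str) -> Wiegand26:
    """Validate both parity halves, then split out the two fields."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise WiegandError("expected exactly 26 characters of 0/1")
    if bits[:13].count("1") % 2 != 0:
        raise WiegandError("leading (even) parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise WiegandError("trailing (odd) parity check failed")
    return Wiegand26(int(bits[1:9], 2), int(bits[9:25], 2))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real credential.
    frame = encode_wiegand26(123, 45678)
    print(frame, decode_wiegand26(frame))
    corrupted = frame[:10] + ("0" if frame[10] == "1" else "1") + frame[11:]
    try:
        decode_wiegand26(corrupted)
    except WiegandError as exc:
        print("rejected corrupted frame:", exc)
```

The parity bits only catch transmission errors; nothing in this framing authenticates the card, which is consistent with the comment's remark that LF credentials are rarely encrypted.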
Thanks! I've just bought a Proxmark clone, so this will be very useful.
So instead of supporting the community and a project with a specific goal, your point is that you bought a Chinese knockoff of a different product?
Yes, gp seems to be pointing out the Flipper's largest use cases can be satisfied by significantly cheaper products. They also aren't necessarily "Chinese knockoffs". It just so happens that they bought them from a Chinese online retailer, and I don't see how they could even be called knockoffs because what gp described are fairly different products from flipper.
RFID programmers and USB-C IR Blasters are commodities. How could they possibly be knockoffs?
> so I went on Temu and bought a $8 125KHz RFID programmer
OT but if you found it for $8 on Temu, then you can most likely find the exact same device on Aliexpress for $1 - $2. Don't feed Temu - their ads are clogging up my feeds :)
I got one not too long after the official launch and I've used it a decent amount (granted I am in cybersecurity and have more real-world use cases than the average person). My favorite use case is the IR remote since phones no longer have IR blasters. It's saved me twice so far in having to buy/find a remote for something.
One thing people don't realize is that the custom firmware [0] that you can run allows you to receive and transmit on a wide range of frequencies under 1Ghz. Lots of things use that range (garage doors, gates, fan remotes, etc.) and are not very secure. I think that this will be a time looked back on where it's possible to interact with those devices without having to buy a custom PCB transmitter or somewhat expensive and complex SDR.
> phones no longer have IR blasters

Plenty of phones still do [0]. I've configured mine to operate all my devices at home.
[0] https://www.gsmarena.com/results.php3?nYearMin=2023&chkInfra...
In other words, Chinese brands still have IR blasters. I don't know if I would trust Chinese-brand phones though.
Why not? Most phones are manufactured in China anyways, and Xiaomi, OnePlus, Honor, Oppo are major and very widely popular and used brands all over the world (outside of the US which is allergic to Chinese brands unless it's for cheap crap or to outsource manufacturing to).
Outside of the US is a problem when it comes to availability and usability. I’m not going to buy a phone that doesn’t play nicely with my carrier or receive regionally relevant support.
OnePlus is the only brand on that list that makes sense buying in the US.
(Personally I can see why the IR blaster was removed as a feature in US phones. I can’t think of a time I wanted or needed it. How often are y’all losing remotes? My current remote doesn’t even really use IR for anything since the streaming box is controlled by Bluetooth and connected devices including the sound system are controlled by HDMI-CEC. My phone already controls the entire setup via a remote app that utilizes WiFi/Bluetooth).
I don’t have a television, and I haven’t owned anything with an IR port since the 2012 MacBook. I have zero use cases for IR blasters.
In terms of functionality they're night and day compared to Western brands which seem to just enshittify their devices while raising prices. They're all made in China at the end of the day.
You just need a small Bluetooth-enabled box sitting on your coffee table near the TV that has an IR transmitter and a paired app on your phone that can send commands to the box.
Edit: I had only search and one did appear: https://www.amazon.com/PUCK-Smart-Universal-Remote-Model/dp/...
Universal remotes are still a thing, and much cheaper than that or a Flipper Zero.
yeah, but you have to be line of sight for a universal remote to work. the app enabled IR box means you can be anywhere within range. that does have its advantages. also, being in the kitchen while the remote is near the couch when your streaming platform of choice asks "Are You Still There?" means you can answer from the kitchen.
A friend got this for me, but I'm struggling to put it to any useful purpose. Any pointers on things I can experiment with?
Using it as a remote seems so cool, esp bc I lost my roku remote not so long ago so if you have any resources that could help I'd appreciate it.
The documentation I've seen so far seems far and scattered and it seems people are more scared of being implicit in illegal activities based on their resources.
For IR remotes, there are a few ways to go about it. If you have a remote you want to clone, you can just use the flipper to clone and map buttons to a custom remote. If you don't have the remote and have a common device (like TVs), I would check this repo on Github [0] and see if you can find a compatible IR file. Note, you need a micro SD card in order to move the files onto the flipper, but a small one works fine.
I've had good luck with the basic universal remote when I'm in a pinch. Also, you can create custom IR files, but it can be a pain with encoding. The flipper forums are a good resource too [1].
sweet. thank you
Great tool for learning Bluetooth pen-testing. I run BTCTF-Infinity on an ESP32, powered through the Flipper's GPIO. It creates the BTCTF environment and I use the flipper to crack the examples. Kinda like a self-contained gaming handheld for BT practice.
You can buy a Roku remote for like $5.
Not answering your question, but the Roku app includes a better version of the remote.
> or somewhat expensive and complex SDR
I don’t think that’s as accurate today as it used to be.
On the hardware side there are tons of options very cheaply available - iirc the flipper uses the c1100 (or a number like that) it’s a popular cheap chip and it’s well documented and interfaces easily with arduino.
More accessibly, lime mini SDRs are cheap but there’s quite a few alternatives too.
On the software side GNU Radio is free with decent tutorials - we’re not talking anything like blender levels of difficulty to adopt even if it is a complex domain.
Although on the more accessible side, urh is incredibly powerful given how easy to use it is https://github.com/jopohl/urh
I used the latter to tap into a 2 channel wireless bbq thermometer via a $10 rtl sdr and that was a breeze, an absolute walk in the park compared to when I reverse engineered the flysky telemetry system.
GNU radio is free, but what about the hardware you need if you want to transmit an actual signal?
A HackRF clone is quite a bit cheaper than a Flipper, and it's a full-blown SDR with TX capability.
As someone with a HackRF PortaPack knockoff I got from ebay, I would agree that SDRs are better and cheaper than ever before. However, I think the average person will struggle with using a HackRF for more complex projects. I've used URH before, and while useful, it can be intimidating for beginners.
Also, while I like the RTL-SDR (and the price tag!), you can't transmit with it. While this isn't a deal breaker to everyone, if you'd like to clone a garage door remote, for example, you need to be able to transmit. You could use something like a raspberry pi and rpitx [0], but I think it is more work than it's worth for many. Also, multiple RTL-SDRs are required for higher bandwidth applications like ATSC TV or trunked radios.
With the flipper, I think the main draw for most is the point-click-done nature. Include the Android/iOS app and it makes it easy to configure on the go without a computer. The expandability is one of the main features that will increase adoption over time compared to the HackRF+PortaPack which, from what I saw in the past, lacked longer-term support and regular updates and new features.
It's not the TX hardware part that will be expensive - but rather bespoke encoding and crypto. Not prohibitively expensive, just annoyingly expensive in money and/or time - enough to prevent anyone except criminals from tampering with those devices.
Or worse, vendors will use it as an excuse to make their products cloud-dependent, with strong cryptographic auth and actual processing done on the other side of the world.
(And with that enabling the rent seekers their recurring revenue, we arrive at the reality foretold by IIRC Philip K. Dick, where you have to subscribe to your own apartment doors.)
(EDIT: the more IoT embraces actual security, the more I feel that US gov had a point in classifying cryptography as munition. Perhaps there ought to be legal limits on using crypto against other people.)
> Lots of things use that range (garage doors, gates, fan remotes, etc.) and are not very secure.
https://en.wikipedia.org/wiki/Rolling_code I didn't know this wasn't secure enough. I thought this was the basis of most modern vehicle keyless entry too?
It is hard for me to not think of the Flipper Zero as a script-kiddie tool to do super illegal things like open your neighbor's garage illegally.
While rolling codes can be secure (KeeLoq [0] is a more secure example but has its own issues), this [1] is an example of some of the weaknesses that can happen if a rolling code algorithm is broken. I have personally been able to capture, decode, encode, and transmit garage door codes using that Python script and a HackRF (which can also be done with a flipper and custom firmware).
Can you help me understand why rolling code attacks aren't broken on most cars but are broken for garages?
Also, are attacks like this real/common/easy to pull off? https://youtu.be/1SUGf6OwRzw Where the signal is amplified from the key inside the house to the car. How does the car/keyfob not detect its signal/noise ratio or time for roundtrip is all messed up distance wise?
From what I understand, cars are a bit more complex now than garages. KeeLoq, from my understanding, is not 'breakable' like garage doors. It does have weaknesses, but more related to the raw cryptography/math. Since KeeLoq is a cryptographic function, it can be broken by brute force or by gaining access to the manufacturer key.
For the amplification attacks, my understanding of them is that the key fob and car may be able to detect this kind of attack, but require more logic/software to do so. Also, most of these attacks use high frequency 'backhaul' wireless networks (key fob at 3-400Mhz, backhaul at 2.4-5 Ghz Wifi with lower latency) to prevent such timing/signal-noise from being detected. If I had to guess, most key fobs/cars are more focused on making sure the key fob works at range or in hard-to-detect environments and not focused on preventing such relay/amplification attacks.
Also, some similar attacks to what you linked could also be done against Bluetooth (I think Tesla had this issue in the past few years) with a simple Bluetooth range extender/relay setup.
(Note: without one of those devices, most of this is just guesses/what I've seen is possible/theoretical in terms of attacks)
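Added example, not part of the comments above: a receiver-side model of the rolling-code idea discussed in this sub-thread, next to a fixed-code receiver for contrast. It is not KeeLoq; truncated HMAC-SHA256 stands in for the fob's cipher, and the key, serial number, window size and all names are assumptions made for illustration.

```python
"""Why a replayed frame opens a fixed-code receiver but not a rolling-code one.

Assumptions (none of this comes from the thread): HMAC-SHA256 truncated to
8 bytes stands in for the real fob cipher, the counter is sent in the clear,
and the receiver accepts counters up to WINDOW steps ahead of the last one.
"""
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead so presses made out of range do not desync the fob


def _tag(key: bytes, serial: int, counter: int) -> bytes:
    msg = struct.pack(">IQ", serial, counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self):
        """Each press advances the counter and authenticates it."""
        self.counter += 1
        return (self.serial, self.counter, _tag(self.key, self.serial, self.counter))


class FixedCodeReceiver:
    """Accepts one static code forever, so any captured frame stays valid."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


class RollingCodeReceiver:
    def __init__(self, key: bytes, serial: int, window: int = WINDOW):
        self.key, self.serial, self.window, self.last = key, serial, window, 0

    def accept(self, frame) -> str:
        serial, counter, tag = frame
        if serial != self.serial:
            return "unknown-fob"
        if not hmac.compare_digest(tag, _tag(self.key, serial, counter)):
            return "bad-tag"            # forged or corrupted frame
        if counter <= self.last:
            return "replay"             # already seen: a captured frame is useless
        if counter - self.last > self.window:
            return "out-of-window"      # too far ahead: fob must be re-paired
        self.last = counter             # only advance state on full success
        return "ok"


def demo() -> dict:
    key, serial = bytes(range(16)), 0x00C0FFEE  # constructed sample values
    fob, rx = Fob(key, serial), RollingCodeReceiver(key, serial)
    out = {}

    frame = fob.press()
    out["first"] = rx.accept(frame)
    out["replayed"] = rx.accept(frame)

    for _ in range(3):                  # presses the receiver never heard
        fob.press()
    out["after_3_missed"] = rx.accept(fob.press())

    out["forged"] = rx.accept((serial, rx.last + 1, b"\x00" * 8))

    for _ in range(20):                 # more missed presses than WINDOW allows
        fob.press()
    out["after_20_missed"] = rx.accept(fob.press())

    fixed = FixedCodeReceiver(b"\xa5" * 3)
    out["fixed_first"] = fixed.accept(b"\xa5" * 3)
    out["fixed_replayed"] = fixed.accept(b"\xa5" * 3)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The counter check only defeats replay of frames the receiver has already accepted; it does nothing about the relay case raised above, where a fresh frame is forwarded in real time.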
The batteries died in my bedroom TV remote a few nights ago, it wasn't until I went to replace them that I noticed that one of the batteries had leaked and seems to have caused some corrosion on the contact, so until I clean it up I've switched to my Flipper Zero as the remote for it (just need power and audio control, rest is via a Roku stick). Never thought this would be my use case for it, but it worked out perfectly.
I really resent the marketing of this product. It's as if they invented the cheap RF chips they're using and are the exclusive distributors of it.
It's rubbed me as thoroughly dishonest and fraudulent.
I know this is currently a minority position, that's why I took the time to state it.
Really? I like mine. Learned a lot about RFID and was able to successfully copy and clone some hotel prox card. Sure, they didn't "invent" the chips inside, but they put the hardware and software in a nice package, included software, and grew a nice community of hackers around it.
Because of the popularity of the device, there are third parties, some less reputable than others, trying to ride their coattails. Perhaps that's what you're reacting to?
I was able to clone my apartment fob using a tool I got for $30 on Amazon, and it even came with extra blank fobs and cards to clone to. Flipper Zero can do more than just clone RFID keys, but my point is that the tools exist to do all the things it does and do them cheaper, and they're just as easy to use.
If you really need a tool that can do them all, though, I can't really argue with the utility; but I do kind of agree with the GP comment that Flipper didn't exactly do anything that hasn't been done before.
Other than create the marketing buzz and pull together a community of hackers to make the on ramp to this type of programming easier.
And that's really it. It's purely a marketing play. I guess my other frustration is when I see people who I thought were pretty clever not realize that
No offense, but that is a pretty one-dimensional view of products and businesses. So many great products are just an exciting and/or user-friendly version of a simple concept and well marketed which opens up the doors to a much larger audience than the original concept otherwise would've received.
This approach isn't a cheap cop out, it is serving a genuine utility and bridging the technology to more people.
I get it at this sophisticated level as well. I'm surprised by how many don't
> Flipper was inspired by the pwnagotchi project, but unlike other DIY boards, Flipper is designed with the convenience of everyday usage in mind
Front page, nothing about their copy or their website says what you think it says.
You know they've released a lot more than a landing page, right? They were initially a kickstarter: https://www.kickstarter.com/projects/flipper-devices/flipper...
They created a fast-food substitution product and have been trying to pass it off as the real thing. It's a hardware script kiddie device and that's exactly how their videos depict it.
I was always turned off by their approach since first seeing it in 2019. I've played with the device, get their facebook ads all the time, tried to change my mind about it but 5 years later I keep coming back to the same animosity towards it.
These are all easy to teach things and this thing shrouds that fact through product alienation intentionally distancing the user from any real hacker education and replacing it with animations and theatrics.
I'm cool being dismissed as a crank. They're obviously successful millionaires and I'm not.
It sounds more like gatekeeping to me rather than being cranky. Not saying you are actively doing so, but I'm not sure RFID and the likes are "easy to teach things". Quite the contrary, actually. So if this motivates some teens to go out possibly discover an affinity for hacking, it has done its job. That's my thought of this product anyway.
They made a product that’s really easy to use out of a bunch of off-the-shelf components. What’s fraudulent about that? I haven’t seen them claim any features that the device doesn’t have. They literally have the chip product numbers they use for each module on their home page! They’re not hiding it!
I think you're just feeling that you knew about something "before it was cool", and now anyone can do it so you aren't special anymore.
Recent news discussions:
Flipper Zero can be used to crash iPhones running iOS 17
https://news.ycombinator.com/item?id=37919396
Apple Shuts Down Flipper Zero's Ability to Shut Down iPhones
https://news.ycombinator.com/item?id=38656607
Flipper Zero banned by Amazon for being a ‘card skimming device’
https://news.ycombinator.com/item?id=35481580
UK airport confiscates passenger's Flipper Zero
Someone on Twitter mentioned how some kid managed to crash and shutdown their insulin pump using the flipper zero.
source? sounds fishy to me, can't believe insulin pumps are so vulnerable.
https://twitter.com/morganiteproto/status/173065586102911433... https://twitter.com/hackerfantastic/status/17307842936416793...
But it's also from Twitter so take it with a grain of salt.
Specifically they say there's an Android device for monitoring/controlling the pump that was taken out by this. That seems more plausible given that it likely isn't exactly running the newest version of everything.
And the fix would be to remove yourself ~30ft from the source (though BLE might have even less range). The pump itself wasn't "disabled", the dude's Android phone (or dedicated Android device for this) was temporarily glitched while in range.
Medical devices with shit firmware are hardly uncommon. I can totally believe someone crashed one with a device like this.
I don't have a source for OP's Flipper Zero story, but insulin pumps are surprisingly vulnerable: https://www.cisa.gov/news-events/ics-medical-advisories/icsm...
The last one is hilarious, just endless speculation on how the guy could have handled it better, the guy coming in with the account of how he handled thing pretty nicely, and then just crickets.
Good read indeed - a lot of conclusions being jumped to there.
This is a super fun gizmo, its Discord channel is, uh, not great.
One cool thing is that you can talk to it serially. I pretty quickly had it organized with an IoT temperature sensor so that it could send commands to my ceiling fan given the temperature in my office.
I have also used it to capture the NFC code on a hotel card key so that I could still get into my room even after my key was inevitably "damaged" by nearness to other fields.
Some parts of it are silly, like the Tamagotchi type game with the dolphin. Doesn't add value for me, but I can see how it might be something for someone.
There is also growing awareness with agencies about its flexibility, some apocryphal stories of them being confiscated by TSA checkpoints have come in.
Writing your own apps for them has a fairly high learning curve.
The Discord server is terrible. It’s both overrun with kids and yet also weirdly harshly moderated.
The device itself is fantastic though. Gives me some real Pebble vibes in all of the best ways. It’s very hackable and even though I don’t do crazy pentest things with it, it’s just an overall fun device.
The reddit is the same way. All the threads are new people asking how to use it to “have fun” by “hacking” vending machines and stuff, or for help convincing their parents to let them get one, or whether it’s worth their allowance to get.
I do have one, I think it’s a fun thing to have in my bag, but haven’t had any luck finding forums of responsible adults, or even just adults, discussing development or things to do with it. Even the “adults” who post about it inevitably do something like get fired because they take it to work and try to clone their own badges and then enter their work with the flipper.
Sorry for the rant.
There's a ton of TikTok/Instagram nonsense showing it out in the world doing those things.
A large volume of the stuff you can do with it is just spoofing a USB keyboard and running console commands. You could do that for years with tons of existing microcontrollers the price of a hotdog, but suddenly script kiddies have taken notice and are willing to pay 100x for the ability.
Was going to say the exact same thing about /r/flipperzero. It feels more like a fan subreddit full of kids, which.... ain't my scene at all. People on that subreddit make it seem like it is this amazing thing that will get you in jail or something for possessing.
... But after owning one? I dunno. It's a neat gadget but to be honest about the only practical thing I've got out of it is cloning our apartment keyfobs and duplicating hotel cardkeys. Otherwise it's kinda fun opening up tesla charge doors and messing with iphones using Bluetooth LE. Somebody somewhere was starting a project to add CANbus support, which would be a perfect fit for the device.
I feel like the ecosystem needs a better way to add "apps" to the device. I might be missing something but it doesn't really have any official app registry or anything. Something like you'd see for npm, pypi, or platformio.
The dolphin game is to allow them to avoid some import/export restrictions by classifying it as a toy, which it is, and not a hacking tool. It’s not a professional device.
Friend of mine has a 3-year-old. The "dolphin" is in constant use by the child. "What is he doing now?" "Let's check what dolphin is playing with today". "What does it say" "Does he miss me?" "Let's play with him".
It quickly became a pal of the child.
Friend told me that it is one of the child's top 5 toys now :)
The dolphin annoyed me immediately, but it turns out that all of the graphic assets are simple to find in the firmware so it should be quite easy to change the look and feel of operation into something other than fun time with dolphin friend.
I would love to get one but articles like this about the Russian connection put me off.
Interesting. Do you have any sources that substantiate the claims made on this blog post?
I wasn't aware of a Russia connection until this post. On flipperzero.com near the top it says:
> Our team was originally formed in Neuron Hackspace by collaborating with industrial design and manufacturing experts Design Heroes.
A quick Google search for Neuron Hackspace and Design Heroes shows their location as Moscow. I'm inclined to believe the detailed report from that blog post and am glad I did not end up buying the device.
> I wasn't aware of a Russia connection until this post.
I'm still not aware of it after reading the post. Pointing out that some of the people on the project were members of a hackerspace in Moscow at some point in the past is not remotely sufficient to substantiate that there exists any current connection between the project and Putin's regime.
As it should, and US consumer protection is failing to act, this is from the report. People do not understand the level of control the Russian authorities maintain over businesses in Russia and citizens.
1. Flipper Devices Inc. is registered in USA as their main office, but no development or business is done at that address. The address belongs to a ”mailbox” company.
2. A majority of registered staff on LinkedIn were until recently registered in the Moscow region, (but suddenly moved to Tbilisi, Georgia according to their LinkedIn profiles.) - No developers remain in Russia according to LinkedIn.
3. TZOR and Neuron Hackspace shared the same address during the period of 2012-2013. (Neuron Hackspace used the address before TZOR was founded.) The Company of the founder of Neuron Hackspace, Esage Lab/TZOR, is placed on US sanction lists due to the DNC hack 2016, under the claim that the company provided tools to the Russian intelligence GRU and FSB. The attributions were validated both 2017 and 2020.
4. The Company and founder of Neuron Hackspace, Esage Lab/TZOR, had contracts with at least two companies that delivered services for the Russian government, FSB and the Russian military.
5. The founder and CEO of Flipper Devices Inc., has been involved in activities, such as running the DDOS site putinvzrivaetdoma.org, that could have attracted the attention of Russian security services.
6. The founder and CEO of Flipper Devices Inc., has been involved in activities since he moved to Moscow that can be interpreted as actively supporting the authorities in Russia, like trying to sabotage Alexei Navalny’s blog in 2014 and building a tool, Zaborona_help, to circumvent Ukrainian blocking of the Russian websites.
The assessment is that there is an even chance that Flipper Zero has links to Russian Intelligence Services. The founder and financier of Neuron Hackspace was placed under US-sanctions due to providing tools to FSB and GRU related to the DNC-hack. The validity of the investigations behind the US-sanctions has been confirmed in 2017 (Intelligence community assessment) and 2020 (Senate Intelligence Committee). Pavel Zhovner’s past activities and that he seems to have been an early member of Neuron Hackspace contribute to this assessment.
It is at the same time likely that Russian authorities are well aware of the distribution of Flipper Zero and monitors the situation for opportunities to gain other types of benefits, either in form of influence over the hacking community, recruitment of talented hackers for similar projects or even attacks of infrastructure or other targets in the future.
It is also likely that Russian authorities will remain to have a substantial influence or control over this hacker community and could benefit from the future possibility to recruit talents with some form of combined security and IT background or even to blackmail foreigners that have been connected to this community.
The device is nothing more than a quite powerful STM32 board with some interesting peripherals added and of course a very powerful firmware/software, which is what makes the difference. However, as everything is Open Source, it can be ported to a similarly designed, possibly different looking, device without the code that phones home, and it probably is what hackers should consider since the Flipper Zero has been banned in some places and being caught with it say in an airport could be enough for confiscation and/or interrogation. Also, it is overpriced for what it contains; they could sell it at half the price and still make a significant profit. And frankly, as someone who is 100% on Ukraine's side against the barbaric Putin invasion, I'd rather use my money to buy some electronics from Ukrainian surplus shops on eBay.
So, they found nothing suspicious with devices or apps.
Also made some far fetched connections of Flipper Devices to companies owning the hackspace Pavel Zhovner worked in, and attributed his trolling and making anti-censorship tools "as actively supporting the authorities in Russia". lol.
When people realized anyone with a sophisticated police scanner could listen in on cordless (and then early cellular) phone calls, it forced manufacturers to actually implement a bare-minimum level of security on those devices.
I hope this pushes more manufacturers to switch to rolling-code algorithms (like the key fob your car uses), in place of simpler, less secure codes that can be captured and replayed.
> When people realized anyone with a sophisticated police scanner could listen in on cordless (and then early cellular) phone calls, it forced manufacturers to actually implement a bare-minimum level of security on those devices.
Did it?
IIRC, the biggest thing to fall out of that is the US government banned scanners that could pick up the frequencies commonly used by cordless phones.
> IIRC, the biggest thing to fall out of that is the US government banned scanners that could pick up the frequencies commonly used by cordless phones.
I recall that. I think the age of SDR's made such a ban (law?) almost impossible to enforce.
When did the age of SDRs begin where these devices were still in vogue? What's the overlap?
Well, DECT wasn't exactly very secure, and neither was GSM (2G) call encryption. And check out the recent TETRA-related CVE's for more fun ;)
In the 1980s a friend of mine had a German radio which had a larger array of frequencies than that available in my country. It allowed us to listen to the police. Curious, but not interesting.
In the 90s my brother had a portable TV/Radio which we managed to tune into cellphone conversations.
Those were the days you could still telnet 25 to send emails with whatever sender you wanted. I used to send Christmas greetings from Santa to my colleagues at uni.
Sure though in some cases it isn't worth the cost or effort, e.g. kinetic light switches. In some cases it's appropriate to expect people to not be arseholes.
Bad actors are going to ruin this cool little device for everyone else. For every story I hear about a cool usecase for it, there's another about it being used to annoy or harm others.
Tools can be used for good and bad. This isn’t anything new and doesn’t “ruin” a device.
The person you're responding to probably means that bad actors will cause the device to become illegal to buy or use in certain areas as a result of being associated with illegal or harmful behavior.
It is true, tools will be misused, banning already happened to knives and scissors in narrow or broader context for example. Will see how this one will be regulated, if will be at all. If they are smart - usually not, but at least less smart than paranoid - then it will not be a blanket rule, actually cannot be without unplugging all computation and wireless devices.
It’s already banned in Brazil, for instance
thanks sneak, very insightful
Flipper Zero is/was banned on eBay.
I tried repeatedly to sell mine there, because I'd see some auctions for them complete. Then they told me it was definitely banned, because it could be used for (IIRC) RFID hacking.
(Fair enough. I ended up having to sell mine locally, for a lot less money than what the occasional auction would complete for on eBay. And finding a buyer locally was harder, and with much higher rate of flaking. As someone with deep frugal influences, who likes to save money when buying things, and to sell things once not really needed, I really like eBay when it works OK.)
I have found it pretty useful in a few situations:
- USB/Mouse keyboard when the iMac you are working on has totally dead batteries for the mouse/keyboard - it's not fun but works in a pinch.
- Cloning weird ceiling fans/lights. Apparently I've bought horrible remotes but this helped.
- Used this as a nightstand clock while traveling.
- Used the authenticator app as a backup Yubi key
- Mouse jiggler to keep a computer awake
- blasting tvs at restaurants is a ton of fun and my kids like that.
- And the IR functionality for Nerf Laser Ops Pro (IR laser tag) is an absolute blast - the actual Nerf guns have a delayed trigger, but with Flipper there is no delay or need to "reload" so you are an unstoppable beast.
Just a heads up about the Flipper's U2F implementation [0] and the possible weaknesses compared to a Yubikey/other U2F key.
I had a lot of fun playing with the Flipper's Bad USB DuckyScript to automate some repetitive and tedious CMS workflow for a client, filling in a lot of input fields on multiple browser windows with a single press of a button. It improved my productivity and happiness. I've since graduated to Playwright, but it was the Flipper that sparked the idea.
The initial marketing mentioned that flippers can exchange collected data as a social interaction. The reason I haven’t bought it is that I don’t want private stuff used and home being leaked to flippers nearby or to a central server. Any experience with that?
Everything is recorded on an SD card, so you could copy the files online somewhere and download others files. There is no automatic sharing.
As of firmware version 0.97.1 (current at the time of this comment,) no such feature exists.
I tried using a Flipper with some NFC stickers so I wouldn't have to carry around so many FOBs and cards. It turns out that the Flipper does not excel at this task. It complained that the NFC stickers I bought were non-writable. And it couldn't read all the sectors on some NFC tags. However, I was able to use the Android MCT app to write to the same stickers and read the tags the flipper couldn't read. Cloning required copying strings to the clipboard, which is something the Flipper's UI is not really designed for.
> It complained that the NFC stickers I bought were non-writable.
I'm not an expert at NFC but after playing around with Flipper I've learned that there are different types of NFC devices and they aren't at all interchangeable. They aren't just dumb devices but actual computers that power up and do shit (I think).
Yeah, Flipper as a concept sounds cool but then I found out the current implementation is rather half-baked and comes with a lot of limitations. And the community is not that welcoming either.
I got one some time ago, and like my rpi, has been sitting in the drawer since.
Another one of those "Sounds cool, but not really useful" tools
A lot of people buy tools and then never use them, just like people buy trucks and 4x4's, but never use them to haul cargo or go off-road. When you buy a tool, you generally want to have a job in mind, and then have the follow-through to do that job.
Anyone tried to crash Bluetooth speakers with this? I’d buy one immediately if I can mute loud tvs and harmlessly disable Bluetooth speakers from a distance.
My new rental only provided us with one garage door remote and it looks ancient. Fairly certain this could be an overly expensive extra garage door remote.
It doesn't operate at bluetooth's frequency. You could definitely mute TV's with the IR blaster.
Apart from access control systems, it hardly has any good uses in the real world as a pen-testing device. If it was a pocket carry, true SDR, capable of recording RF signals as I/Q, performing actions on them, replaying them, etc, it would have justified its cost. But, with a limited set of modulations supported by the used RF chips, it is more like a toy for hacker wanna-be teenagers than a serious tool.
An investment in something like HackRF+PortaPack clone is far better, IMHO.
Totally agree that this isn't a good full pentesting device, but I also think that such a device doesn't need to be in order to be popular. Just look at the IM-ME when Samy Kamkar showed it off [0] and it sold out.
Most people don't need a full SDR like a HackRF in order to explore their RF devices and a Flipper gives that to them without the headache of software and the bulk of a full PortaPack.
(I love my HackRF and PortaPack for the record. The Flipper can't compete with the features and low-level access when you need it)
[0] https://hackaday.com/2015/06/08/hacking-the-im-me-to-open-ga...
Oh man. If my friends and I had this in high school things probably would have gotten even more out of control.
Yeah we found a remote control cloning app for a palm pilot that had IR and caused enough trouble randomly turning tvs on with that.
My Flipper Zero has been useful for me while living in Ukraine.
For some reason, many apartment buildings require the use of a little electronic tag not only to open the outside gates, but also to operate the elevator to reach someone's apartment. This also includes trying to use the elevator to reach the ground floor, e.g., when you leave your friend's apartment and you are going home. So you can't leave the building with the elevator without your friend coming out and unlocking it for you. It's madness.
So, I clone my friends' tags (with their knowledge) and come and go as I please.
I got one. Only thing I used it for was scanning my dogs microchip
Mj
I love this thing but I mostly just use it to avoid touching hotel TV remotes.
I have one, loaded it with Xtreme firmware (better than unleashed etc.), and it works great! Some people are missing the point of this device and start comparing it to an advanced NFC tool or other SDR. That's not its intended use; it is an AIO Swiss-army-style tool that you will (might) find handy in situations where other advanced tools aren't around. For example, I have some advanced SDRs like BladeRF and LimeSDR, far better in terms of everything than the Flipper, but in many situations it would be impossible to use one of these SDRs, not just because of how suspicious it will look with all that gear, but simply because you just don't have it at that time. So I have my Flipper loaded with all fobs keys, garage (yes it does work with rotating key if you pair it), all my home sub-GHz, IR, are all backed up as well, and as someone who works in robotics I find the quick access to GPIO handy sometimes, among other usages. For example, I have a friend who lives inside a uni dorm, and if you happen to lock your keycard inside your apartment, the cost to just open that door is $50, not even replacing the card. So after he paid it a few times I took a backup of his card, and whenever he locks it, he will call me and I open it for him.
Hard to justify the cost. I see the ads everywhere for this device. If you have this product please review it for everyone.
The flipper has great size/capabilities. I mainly use it for NFC/NF wireless pen-testing. Some clients use NF payments and this gives me a single click testing tooling.
As others have said, if you want real capabilities get into SDR. My real kit includes HackRF piped into wireshark.
Lastly, a community that has seen a bump recently, Pwnagotchi. It's worth checking out and to me has a lot of potential.
It's good as a bluetooth presentation remote, sharing QR codes or NFC contact info at conferences, and jiggling your mouse so your VPN connection doesn't die when your laptop locks up. It was handy around the house over the holidays too (https://some-natalie.dev/blog/flipper-at-home/).
It's a decent multitool. :-)
$310 AUD... that's insane!
They're never in stock! They need to fix the logistical issues with supply.
I've mainly used Flipper Zero to duplicate my digital apartment keys (iButton then later RFID fobs). It's so easy to duplicate a physical apartment key, but making backups of the digital equivalents is annoyingly tedious. Plus, apartment managers treat them as scarce commodities and refuse to give backups.
With Flipper Zero I now have backup keys in my backpack, on my dog's leash, in my running belt, and with close friends. It's great.
this seems like a cool device that people actually like, but it's crazy that i've still never seen a blog post of "hey check out this cool thing i did" that just happens to use a flipper. it's always the other way around, the point is to have a flipper and find things to do with it, not to have a flipper because it does something you want.
i buy lots of nerdy toys, but can we all just admit that this is a toy, not a tool?
I have one, honestly too expensive in hindsight for what it is. I make impulsive buys.
Even beyond the wireless stuff it's focused on, it's super useful as a combined UART bridge, SPI Flash dumper, DAPLink debugger and other hardware tools.
I'm thinking about building gadgets that serve parallel functionalities:
1. Relatively small to carry around.
2. Specifically built for one topic of purposes.
3. Can be achieved by a single hacker with on market tools.
What kind of tools have you built for yourself? Here are some examples I have in mind:
Hardware debugging dongles, rom burning boards and of course Flipper zero itself.
“Outside” perspective after I was recently gifted one for my birthday: it’s a fun and easy tool to learn about hardware. I became a programmer through the “Applied Math” route (Causal Inference -> Probability -> UL -> DL -> CS). Never owned a Raspberry Pi/Arduino and too busy to get into hobbyist electronics. The Flipper is accessible and low friction, motivates learning eg about GPIO, and is the first time I’ve messed with firmware and signals.
I'd love to have one to learn more about radios with my kids. Some of Flipper's apps look pretty interesting too.
Probably out of scope, but I hope FlipperOne has a few environmental sensors too. (In a perfect world, it would also have thermal imaging, but these sensors are way too expensive.)
I have seen a lot of hardware addon boards lately. They are rarely, if ever in stock. Are there any good ones?
Related. Others?
Apple Shuts Down Flipper Zero's Ability to Shut Down iPhones - https://news.ycombinator.com/item?id=38656607 - Dec 2023 (26 comments)
Tiny device is sending updated iPhones into a never-ending DoS loop - https://news.ycombinator.com/item?id=38125426 - Nov 2023 (108 comments)
Probably Buy a Flipper Zero Before It's Too Late - https://news.ycombinator.com/item?id=38025786 - Oct 2023 (27 comments)
Flipper Zero can be used to crash iPhones running iOS 17 - https://news.ycombinator.com/item?id=37919396 - Oct 2023 (33 comments)
UK airport confiscates passenger's Flipper Zero - https://news.ycombinator.com/item?id=37707486 - Sept 2023 (44 comments)
Flipper-Xtreme-Firmware: Give your Flipper Zero the power it is craving - https://news.ycombinator.com/item?id=37519277 - Sept 2023 (4 comments)
Flipper Zero can spam nearby iPhones with Bluetooth pop-ups - https://news.ycombinator.com/item?id=37397481 - Sept 2023 (44 comments)
Flipper Zero Controlling Traffic Lights [video] - https://news.ycombinator.com/item?id=36756787 - July 2023 (3 comments)
Flipper Zero Self Destructs an Electricity Smart Meter - https://news.ycombinator.com/item?id=36253591 - June 2023 (210 comments)
FlipperZero: 1 Month Battery Life with Firmware Update - https://news.ycombinator.com/item?id=35735415 - April 2023 (82 comments)
Flipper Zero banned by Amazon for being a ‘card skimming device’ - https://news.ycombinator.com/item?id=35481580 - April 2023 (133 comments)
Brazil seizing Flipper Zero shipments to prevent use in crime - https://news.ycombinator.com/item?id=35109931 - March 2023 (67 comments)
Hacker Uncovers How to Turn Traffic Lights Green with Flipper Zero - https://news.ycombinator.com/item?id=34872104 - Feb 2023 (4 comments)
Trying Out Flipper Zero - https://news.ycombinator.com/item?id=34215390 - Jan 2023 (99 comments)
Hands on with Flipper Zero, the Hacker Tool Blowing Up on TikTok - https://news.ycombinator.com/item?id=34102109 - Dec 2022 (2 comments)
FlipperZero hardware hacker released for US sales - https://news.ycombinator.com/item?id=33720764 - Nov 2022 (7 comments)
Bad news: US Customs have seized a container with 15k Flippers Zero - https://news.ycombinator.com/item?id=33073141 - Oct 2022 (13 comments)
PayPal blocked Flipper Zero account with $1.3M - https://news.ycombinator.com/item?id=32739950 - Sept 2022 (105 comments)
Flipper Zero – Portable Multi-Tool Device for Geeks - https://news.ycombinator.com/item?id=32166058 - July 2022 (263 comments)
Quick Start Guide for Flipper Zero - https://news.ycombinator.com/item?id=31368209 - May 2022 (137 comments)
Flipper Zero: How it’s made and tested - https://news.ycombinator.com/item?id=27704883 - July 2021 (34 comments)
Flipper Zero: Bringing Cases to Perfection - https://news.ycombinator.com/item?id=27479684 - June 2021 (6 comments)
Case manufacturing behind the scenes - https://news.ycombinator.com/item?id=27155584 - May 2021 (1 comment)
Flipper Zero: Tamagochi for Hackers - https://news.ycombinator.com/item?id=26405919 - March 2021 (48 comments)
Flipper Zero Manufacturing and Shipping Plan - https://news.ycombinator.com/item?id=25870255 - Jan 2021 (14 comments)
Flipper Zero – Tamagochi for Hackers - https://news.ycombinator.com/item?id=23996733 - July 2020 (53 comments)
Show HN: Flipper Zero – Tamagotchi for Hackers - https://news.ycombinator.com/item?id=22941733 - April 2020 (10 comments)
Tamagotchi for Hackers - https://news.ycombinator.com/item?id=22859083 - April 2020 (1 comment)
Flipper Zero: Under Development Multi-Tool Device for Pen-Testers - https://news.ycombinator.com/item?id=21842830 - Dec 2019 (1 comment)
The problem with the Flipper is it's missing documentation. And new learners need documentation. The response from the Flipper team has been telling people to read the source code.
I bring this when travelling so I can dupe remotes and door keys.
I don't even do hardware and want one.
Is it as great as it seems?
fun toy to get people into security.
I saw this and thought "I need this toy!"
Their website wouldn't take my credit card. Needless to say, it's a good card and I used it on other sites that same day and after. I wrote to Support.
Three days later, they wrote back and suggested I try a different card. Sorry, Flipper, you lose. Nice idea, but a company is more than a piece of hardware.
Flipper Zero was designed in Russia, the company moved since the start of the war.
My friend found out the school he sysadmins for was using weak rfid card keys (despite the readers being smart enough to handle higher level encryption) and found he could clone his key and get in places. So basically he pen tested and then they decided to upgrade to the less or non-cloneable card keys. Security for the win.
Before anyone tries this, doing this without first checking with security/facilities would likely be grounds for “disciplinary action, up to and including termination”
I don't know why you're getting downvoted for this. It's 100% correct advice. The person you're replying to is a sysadmin so they are probably okay in this situation but cloning access cards without permission would be a serious breach no matter how well intentioned or how easy.
I countered the statement and also getting down voted. The key is to train your brain to like down votes just as much as up votes. When the number is just a number not attached to dopamine then you are free.
This just makes you disappointed if you don’t get negative or positive attention.
there are people that read without voting.
you could be getting attention of all kinds and not even know it.
I bet an equal number vote without reading.
That’s an interesting thought. 0 is a good number. Being satisfied with 0 can be conditioned as well.
Another good point.
I never thought about that. Good point.
The votes are not there for your benefit - they're there to make good/useful/valuable comments rise to the top, and bad/low-value/spam ones fall to the bottom.
... bad/low-value/spam/contradictory/unpopular opinion/dissidents/opposition/etc.
My comments got more than 200 downvotes and a ban in a discussion about physics about a decade ago, but I nailed the problem. Also, I receive downvotes from Russian imperialists at a constant rate just talking about the history of Russia and Ukraine, because the real history of the Russian Federation/Russian Empire is a well guarded secret in Russia.
Probably bots
If coercion was going to ever rule the world someone would have accomplished it fully already as many have tried. Yet here we are still free to say nearly whatever the fuck we want in the free world thankfully.
I agree with the second part of your statement. There is a real brain chemical benefit to the votes though.
Nonetheless the point about learning to accept downvotes is valid because "why was I downvoted?"-crybaby posts are annoying, useless and tend to also get downvoted.
Just as this meta-voting-post of mine should :)
He's getting downvoted because this site is called hacker news. Don't be such a corpo chicken. I am pretty sure people are aware of legality of similar actions and don't need this mentoring.
Because that’s, like, just your opinion man. Rules are made up.
Termination is a favor if security is that lax.
Losing your job is never a favour. Would you prefer termination if any issue was found with your work place?
Losing your job may not seem like a favor at first, it depends on how high you bounce after the fact. Being self employed for 20 years after being laid off was the best favor anyone ever did for me. I would have never taken that initial risk without being pushed into it. Now risk is comfortable.
If only issuing clone-able key cards were the infraction instead...
Unfortunately, it sounds potentially criminal, as well.
Quite often the keycards have sequential IDs which means you can increase or decrease the number a few times and find a colleagues card with higher or lower privileges than you.
You can achieve this exact same use case with a $15 RFID reader/writer, supporting higher frequencies and encryption.
It's my backup key for my garage and my office door. I also use the universal remote to change TVs in public spaces occasionally. It's a chunker, so it's not a pocket carry, but I keep it in my backpack.
I recently discovered this, which I want to try: https://electroniccats.com/store/flipper-add-on-magspoof/
What kind of garage opener do you have? I thought the Flipper zero won't provide that functionality unless you flash the firmware.
The part I don't get is even if you flash the firmware, does that mean you can make sure it doesn't make all other remotes fail? My understanding of the whole rolling code system was that you could get a few uses and then you were screwed.
If that's not the case I really need to do this because having it handle my tv's, ceiling fans, and garage door would be a nice trick.
If you have control of the opener, couldn’t you use the door’s learning mode and make it into a real opener?
I thought so at first but my initial reading left me somewhat confused on if there's a private key that only certain remotes have or something like that?
It's less of a private key and more a random per-remote prng seed that gets set both on the remote and the door controller when they are paired. When you press the button, the remote increments its sequence number and sends this number, its ID and a hash of all that and the seed to the controller. The controller checks the hash, then checks that the seq number is more than the last seen for this remote and opens the door. This protects against replay attacks and is fairly uncomplicated to implement.
This sounds a lot like the KeeLoq algorithm [0] (minus the hashing part). From my research into the rolling code space, I think most remotes don't quite have the CPU/featureset to support a real, secure crypto system with things like SHA, AES, and RSA/ECC. Would love to see one though!
[0] https://en.wikipedia.org/wiki/KeeLoq
For Chamberlain brands [0] there is some research that shows that their rolling code system (Security+ and Security+ 2.0) is quite easy to decode/decrypt [1]. This feature is supported in the flipper firmware, but is restricted (you can't create a custom remote, only clone is supported) without custom firmware. However, I'm sure you could decode a raw capture file if needed in a pinch.
[0] https://chamberlaingroup.com/our-brands
[1] https://github.com/argilo/secplus
Many rolling door openers don’t use rolling code. Never heard of tvs or ceiling fans using rolling code either
Not terribly difficult to flash the firmware.
But now you have to trust some random person from GitHub.
Almost all software supply chains rely on random persons at some point.
Not the person you are replying to, but I use my flipper for the exact same purpose.
Not sure which specific garage opener my apartment building has. But the fob controller the leasing office gave out is way too weak, so I have to sometimes press it many many times and wiggle it in multiple ways until it triggers the garage door. With flipper, it works on the first try.
A funny anecdote: after using my flipper for about a year, I encountered another flipper user in my apartment elevator (the elevator requires a keyfob to go to any floor except the ground floor). I talked to him for a bit. Turns out, he manages a bunch of boat storage units here (in Seattle) that all use different keyfobs. So for him, it is just pure convenience to carry a single flipper device as opposed to always having a lot of different physical keyfobs on him, and then shuffling through them in his bag to get the right one.
Well I found that my apartment NFC key is hardened against dictionary attacks and I'm not able to copy it. It also helped me learn that my parents' garage door is pretty secure. I'm able to have the opener learn my flipper like any other remote, but not crack it. This is even with the unleashed firmware that doesn't mind violating FCC regulations (some of the frequencies it hops to are restricted).
I was able to copy my work NFC badge, but I'm not really interested in trying it out.
It's handy as a pocket spectrum sniffer, but I don't have much day-to-day use for it outside of that. I'm glad it was given to me because I learned a lot. Potential future use for me might be an amiibo emulator, but I've grown out of those sorts of things.
All garage doors have rolling keys which are non trivial to deal with unless you have pro stuff.
Speaking of garage door rolling codes I've noticed there is some sort of slack in the synchronization, probably so that if you press the remote button a few times while out of range your remote still opens the door. My guess is that the receiver looks not only for next code after the last one used, but also for several codes after that.
Question: how many times would you have to press the button on the remote for it to get so far ahead of what the receiver looks for that the remote no longer works without reprogramming the receiver?
There’s a great answer here that describes a rolling code attack and above it, an answer describing that they have slack regarding where they are in the code sequence.
https://crypto.stackexchange.com/a/47440
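The scheme described in the comments above (a per-remote seed shared at pairing, a sequence number sent with the remote ID and a hash, plus some slack for button presses made out of range) can be modelled in a few lines. This is an added sketch, not part of the thread and not any vendor's algorithm: the HMAC-SHA256 tag, the 20-byte frame layout, the seed value and the look-ahead of 16 are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 16       # assumed look-ahead slack; real receivers pick their own value
HEADER = ">IQ"    # assumed frame header: 4-byte remote ID, 8-byte sequence number
TAG_LEN = 8       # assumed truncated tag length


def _tag(seed: bytes, header: bytes) -> bytes:
    """Keyed hash over ID + sequence number (HMAC is our stand-in for 'a hash')."""
    return hmac.new(seed, header, hashlib.sha256).digest()[:TAG_LEN]


class Remote:
    def __init__(self, remote_id: int, seed: bytes):
        self.remote_id, self.seed, self.seq = remote_id, seed, 0

    def press(self) -> bytes:
        """Each press increments the counter, whether or not anyone hears it."""
        self.seq += 1
        header = struct.pack(HEADER, self.remote_id, self.seq)
        return header + _tag(self.seed, header)


class Receiver:
    def __init__(self, window: int = WINDOW):
        self.window = window
        self.paired = {}  # remote_id -> [seed, last accepted seq]

    def pair(self, remote: Remote) -> None:
        self.paired[remote.remote_id] = [remote.seed, remote.seq]

    def verify(self, frame: bytes) -> str:
        hlen = struct.calcsize(HEADER)
        if len(frame) != hlen + TAG_LEN:
            return "malformed"
        remote_id, seq = struct.unpack(HEADER, frame[:hlen])
        entry = self.paired.get(remote_id)
        if entry is None:
            return "unknown-remote"
        seed, last = entry
        # Authenticate first, so a forged counter never moves receiver state.
        if not hmac.compare_digest(_tag(seed, frame[:hlen]), frame[hlen:]):
            return "bad-tag"
        if seq <= last:
            return "replay"          # captured frame sent again
        if seq > last + self.window:
            return "out-of-window"   # remote ran too far ahead: needs re-pairing
        entry[1] = seq               # accept and slide the window forward
        return "open"


def demo() -> list:
    remote = Remote(0x1234, seed=bytes(range(16)))  # constructed seed
    rx = Receiver()
    rx.pair(remote)
    results = []
    first = remote.press()
    results.append(rx.verify(first))            # fresh code
    results.append(rx.verify(first))            # same frame again
    for _ in range(5):                          # presses made out of range
        remote.press()
    results.append(rx.verify(remote.press()))   # still inside the slack
    for _ in range(WINDOW):                     # pocket-pressed too many times
        remote.press()
    results.append(rx.verify(remote.press()))   # now beyond the slack
    tampered = bytearray(remote.press())
    tampered[11] ^= 1                           # flip a bit in the counter field
    results.append(rx.verify(bytes(tampered)))
    return results


def unheard_presses_to_desync(window: int) -> int:
    """Smallest number of unheard presses after which the next press is refused."""
    k = 0
    while True:
        remote = Remote(1, b"constructed-seed")
        rx = Receiver(window)
        rx.pair(remote)
        for _ in range(k):
            remote.press()
        if rx.verify(remote.press()) != "open":
            return k
        k += 1


if __name__ == "__main__":
    print(demo())
    print(unheard_presses_to_desync(WINDOW))
```

In this model the answer to the "how many presses" question is simply the receiver's look-ahead value, so it depends entirely on what a given receiver implements.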
You can sync up on rolling codes with the flipper without too much effort. When there are a few private keys involved it gets more difficult.
More like most garage doors sold in the last 20 years have a rolling code system, a few of which are non trivial to deal with.
This is already Western centric, but even here there are a ton of older static and fixed frequency systems still chugging along.
Of these rolling code systems most are not difficult to crack, especially those more than a decade old (and which are still sold today)
Besides easy to open garage doors with a metal shim to pop the emergency latch. Happened to me once before just zip tying the latch.
My apartment uses Latch deadlocks. From what I've read the model _should_ support an NFC key, which of course we don't get. I'd love to figure out if I could do it myself. Ideally I'd be able to use my iPhone that way automatically though (the app on iOS apparently can't due to Apple rules but I'm not an expert). When my hands are full with groceries or whatever it can be a chore to pull out my phone, dig for the app, and get it to unlock the door.
I use the IR universal remote function to turn off distracting TVs in bars and restaurants.
So you just take the liberty to turn off someone else's devices in someone else's establishment? That's... questionable.
So is forcing me to watch ads. TVs everywhere in public spaces in America is a cancer and I’ll happily turn them off or unplug them whenever and wherever I see them.
This isn’t a thing in other countries, it’s part of American culture.
I have a hard time telling whether you are being sarcastic here.
It's one thing to block ads when they have been loaded into your web browser that is in your room (completely morally and ethically fine). It's a completely different thing to go into someone else's space and start making decisions about what is or isn't running on a TV there.
I like ads as little as you so what I can do is just boycott that restaurant or bar entirely or ask the staff to turn it off. I think it's part of being a well adjusted adult to know what you want or don't want and go about it in a reasonable way (such as asking staff). It's immature though to just do that forcibly.
It is however not my duty to teach you that, so let's leave it at that.
Not being sarcastic (but am indeed questioning if you “like ads as little as [me]”).
Turning off a TV is also morally and ethically fine. I don’t see the big deal. Nothing is happening “forcibly”, I’m just sending out some IR. Nobody’s hurt or damaged.
Why would you go in to a restaurant that has TVs if you don't want that? This is borderline sociopathic behavior. You sound like the religious police of Iran imposing your view of what culture is. You should assimilate instead of trying to impose your draconian views on others
Part of eating at a bar (or similar) is to have a sporting event on TV so you can watch it while being out. I would be upset if someone was turning those off in that type of place. If you don't like it, don't go there.
I had a TV-B-Gone [https://en.wikipedia.org/wiki/TV-B-Gone] back when they came out in 2004: good fun.
They cost $15 and were hugely controversial.
https://mediashift.org/2006/04/digging-deepertv-b-gone-devic...
I cloned my apartment key-fob
The WeWork key-fob uses rolling codes so couldn't use it for that...
Which WeWork do you belong to? Boston’s are all low-frequency rfid
This is one in SF. I can clone the card, and it'll work, but then within a few days it won't work any longer.
Does the original keep working?
Yes
Do you recall any of the details? "Rolling code" is not a term often associated with RFID/NFC. The Portland Custom House WeWork used HID Prox.
Spoofing amiibos on TOTK
Same! Pretty handy to have all amiibos in a single place, and quickly iterate through them.
You can likely use your phone. There’s some apps designed for it specifically.
IIRC phones need to be rooted to pretend to be an NFC card, although they can write to blank ones. I've done this before. The Flipper Zero is a lot more convenient though.
Ah yeah you’re right. What I’ve seen actually only lets you write to tags that can then be used.
Scanned a pet microchip lol. I had planned to build out my own kit but not enough time
Interesting! What kind of animal? Everything I had read suggested it wasn’t strong enough to read these and I couldn’t read my small dog’s chip
I've successfully read a few pet microchips with it.
Of course, it wasn't useful to do, but hey it worked!
I’ve had no problems reading chips from a few cats, but you do have to scan around a bit because often the chip has moved a bit from where you expect it to be
Mine is just a cool-looking paperweight now.
how much paper can it hold down?
I would 100% spend an unreasonable amount of time looking at a website that did wind tunnel testing on paperweights.
Just a party gag so far with some friends. Like if I'm at a friend's house and they're using their phone I'll Bluetooth spam them to lock up their phone for a second to mess with them.
Cloning my NFC cards, being my garage opener (I wasn't given a key and couldn't be bothered getting one... and yes, it's my garage), testing equipment using the GPIO pins and what not. Last one is really handy tbh
Edit: oh! I used it today to snap pictures with my phone every second for photogrammetry work, that was neat! Wish I had gotten better point clouds out of Gaussian splatting though
A bit different than the other replies, but I'm using mine like a very extensible input/output device for my own hardware projects and as a general STM board for fiddling with embedded on an STM chip (I usually stick to RP2040s and ESPs). I'm really interested in making expansion boards for the Flipper, especially ones built on the RP2040. Just sounds like a ton of fun.
My building charges USD 40+ to replace the white RFID cards if you lose it and something similar for the remote control for the parking gate. So I just cloned all my cards and remotes and keep them as backup, just in case.
A specific but satisfying use case, my apt building was being stingy* with handing out RFID tokens so I used it to copy and program a cheap RFID token for lending to a trusted visitor.
* Stingy => security protocols that I agree with in sentiment but unfortunately I need to let my pet sitter in and it's nice to allow them to keep the keys as I travel frequently and key exchanges are less than optimal for my spouse and I
I bought it in the hopes of causing mostly harmless mischief, but its capabilities in that realm are oversold.
That said, I knew very little about UART communication or SPI until I started playing with this and an ESP32 device. I also knew very little about Bluetooth, RF, and RFID/NFC type stuff until I started exploring the world with this. It's been a fun journey that's rapidly advanced my understanding of quite a few things.
Others have said it's overpriced or that you can build your own or whatever, but it's actually just the right price for a cool little educational tool that also works beyond the educational stage. It may even inspire me to build my own advanced version at some point.
If you're already a hardware hacker or EE, this is probably not much more than a toy for you. If you've always wanted to explore some of these topics but had no idea how to start, the Flipper is a good introduction. I immediately flashed it with custom firmware and it was easier than flashing my BIOS.
Some people are using them to break smart meters:
https://news.ycombinator.com/item?id=36253591
Just used it + the MCT app on Android to clone my apartment key fob (Schlage 9691T) to a Dangerous Things Magic Ring https://dangerousthings.com/product/magic-ring/
I used it a lot at first and it taught me about NFC, IR, etc. I made a few remote controls on it, which is convenient to e.g. turn a fan on at night due to its backlight. I also clone Amiibos for Switch games. And make copies of hotel room keys and RFID tokens for backup purposes although some keys can't be cloned. You can monitor all kinds of wireless signals like garage doors getting fired off around you, which is fun. I know some people use the USB feature to somehow install Windows automatically when they have a bunch of laptops to set up.
Extra ceiling fan remote was my favourite use.
Couldn’t find a ceiling fan remote one time (I have 3 with the exact same remote) and used it to manage fan speeds
Still doesn’t justify the cost but I guess it’s like my leatherman. Hardly use it but handy when I do.
I actually bought it when seeing the pwnagotchi comparison and expected functionality from the wifi/marauder dev boards to be included. Meaning I got my flipper in the first batch for my country but couldn’t get a dev board even months later
I use it as an easy voltage tester for various hardware projects. I wrote an app that can do GPIO input (the built in only does output) so I can check which parts of a given circuit I'm building are high or low at a given time. Basically like a parallel multimeter.
You can emulate any tonie figurine for the toniebox.
Nice try FBI agent
I’m also in this place. I have the wifi card as well and I’ve not taken to writing any hobbyist software for mine.
I had perhaps foolishly hoped to at least get a fun universal remote out of it, and it’s somewhat possible yet the software just isn’t there to bring a robust family of device RF and Bluetooth commands together. It’s no harmony remote.
Cloned a 125KHz RFID keycard on my Flipper as a backup, my Android phone is able to clone 13.56MHz MIFAREs, but not these 125KHz ones.
I gave two of them away at a hacker con last year. During the event it was used to open up the charging lid of a Tesla and to remote control a fog machine.
I'm not competent or interested enough to make full use of them but I get the impression that they still have a lot of use in a large part of the world where simple RF is used to open gates and garages.
And of course you can copy and store RFID but you still have to get your hands on the tags. And that's where it falls down in certain more developed countries because they've mostly moved to RFID.
That’s what keeps me hesitant. Can’t figure out what I’d do with it once unboxed
Yeah I’m in the same boat.
Had it a few years and the whole Tesla port trick gets old quickly.