3 Flipper Zero Hacks to Wow Your Friends (and How They Work)by@jamesbore
351,603 reads
351,603 reads

3 Flipper Zero Hacks to Wow Your Friends (and How They Work)

by James BoreOctober 21st, 2022
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

The Flipper Zero is a multitool for geeks. It provides multiple RFID frequency ranges, Bluetooth, sub-1GHz radio, USB, infrared port, and even a connector to intercept and impersonate iButton keys. With a little bit of prep work and some basic tricks you can easily convince your friends it’s bordering on magic. The tricks I describe in this article are intended for fun and entertainment purposes only.
featured image - 3 Flipper Zero Hacks to Wow Your Friends (and How They Work)
James Bore HackerNoon profile picture

The Flipper Zero, aside from having Snake built in by default and a friendly dolphin avatar, is an incredibly powerful little device. Accurately described as a multitool for geeks, it provides multiple RFID frequency ranges, Bluetooth, sub-1GHz radio, GPIO pins for debugging, USB to carry out BadUSB attacks, infrared port, and even a connector to intercept and impersonate iButton keys.

It’s not quite Watch Dogs level hacking, but it’s the closest I’ve found and with only a little bit of prep work and some very basic tricks you can easily convince your friends it’s bordering on magic.

Warning: It is theoretically possible to use the hacks and the Flipper Zero for nefarious purposes, including the tricks in this article. But you know…don’t do that. The tricks I describe in this article are intended for fun and entertainment purposes only, and are basic, beginner techniques intended to illustrate the underlying protocols and their weaknesses.

Flipper Zero Hacks:

  1. The Gone in 60 Seconds
  2. The Face the Music
  3. The Spare Key

1. The Gone in 60 Seconds

Warning: Do not steal cars. It is illegal, and generally a bad idea (though I have used this when a car key was locked in, getting my other half to capture one from her key 50 miles away, email it to me, and replaying it to get in).

This is a great starter (clever car pun there) to convince people you’ve gone full on sci-fi hacker, despite being really easy. Simply enough, you’re going to learn to unlock a car at the touch of a button without the key (does not work on cars without radio keys, and may not work on all radio keys).

  1. Get hold of the radio key, far enough away from the car that it won’t activate it (or grab yourself a Faraday bag)
  2. Take your Flipper Zero and choose Sub-GHz > Read RAW, then press the central button to start recording
  3. Hold down the unlock button on the radio key for a few seconds and make sure you’re picking up the code being transmitted (see Gif)

And that’s it. If you want to use it immediately, walk close enough to the car and hit the central button to Send the code and (hopefully) unlock it remotely, to the shock and awe of all around. If you’d prefer to be a bit more subtle then choose to Save the code instead, give it a useful name, and you can go back into Sub-GHz > Saved later on to transmit it, it should still work as the key should not be reusing the same code.

So how does it work?

It’s a form of replay attack, reusing a valid code to unlock the car. The trick is that modern cars generally use rolling or hopping codes to prevent people from being able to do exactly this - which is why when you recorded the code you wanted to be out of range of the car.

Normally the car will only accept each unlock code once, then mark it as used and refuse to accept it in the future. Because accidental keypresses happen, or signals might not work the first time, a range of codes are considered valid for unlocking.

What you’ve done is steal one of those valid codes, while preventing it from making its way to the car to be marked as invalid. Once you’ve used it, you’ll find it won’t work to unlock the car again, each one is one-use (though you could record multiple codes to get a few extra uses, and do the same with lock codes).

You may also find if you wait too long to use it, it’ll no longer work as too many keypresses have been used and so the range of valid codes has moved on.

The same technique has been used for years for car theft, using a jammer to prevent the car from receiving a code while capturing it using a receiver. Of course as cars get ‘smarter’, there are__plenty of other concerns__ than just having yours stolen.

2. The Face the Music - Hack TVs with the Flipper Zero

Warning: In the wrong bar, this may get you punched. As with all others listed there are risks, use responsibly.

Ever gone into a bar and found the TV is far, far too loud? Or it’s stuck on a channel you don’t want to watch and the remote is mysteriously missing?

This is where the Flipper Zero’s infrared port can come into play for a simple, old-fashioned hack.

If you’re lucky, the universal codes will be enough. Otherwise you might need to have it learn the remote codes from the actual remote, or grab them online and upload them to your Flipper Zero.

For the universal codes you just want to go to Infrared > Universal Remotes (Learn New Remote and Saved Remotes are pretty self-explanatory), then TVs (or air conditioning if you need to control that), and it’ll present you a nice interface to power on or off, change volume, or channel. Even if the channel and volume don’t work, the universal power codes work on most things.

So how does it work?

The vast majority of televisions, still, rely on infrared codes from remotes to control them (an old trick to check if batteries in a remote are working is to aim it at a mobile phone camera and push a button - mobile cameras are sensitive to infrared, so you’ll see the bulb flickering on the screen if it’s working). All you’re doing is using the standard codes, or recording the ones for a particular television, and again replaying them through the infrared port. Really, you can use this for anything with an infrared remote, you just need to capture the command, save it, and replay at will.

3. The Spare Key

Warning: I shouldn’t have to say this, but just in case, do not use this to break into people’s hotel rooms!

This won’t work for all electronic locks at hotels, but does work for many. That’s because most hotels don’t bother investing in highly secure locking mechanisms, just basic ones with a minimum of security. I’ll explain more about that later, just be aware that this will not work everywhere.

Ever been irritated that you only get one key at a hotel, or a holiday village? Well, no longer an issue with this simple Flipper Zero hack. The RFID reader can pick up most contactless key cards used by hotels, offices, and others. Easy to access through NFC > Read (or 125 kHz RFID for lower frequency cards), then scan the card, save it, and emulate as needed.

Even if the card has password protected pages available, often electronic lock systems won’t make use of the encryption and so you can simply emulate the card to unlock the door.

This one’s becoming less useful as places upgrade their lock system, but a combination of cost and legacy technology means it’ll work a lot of the time (and hotels aren’t known for having the greatest security). I won’t get into how to break the encryption in this article, but it is often possible with a few extra tools and time put in.

So how does it work?

RFID cards are powered by the reader and activated when they are read. Older cards had no encryption capabilities, and even in modern ones the encryption is often not used effectively.

When we’re talking about hotel rooms, the number of the room is encoded in the card. Depending on the system used there may be options to encode a whole floor, a set of rooms, or a master key to unlock everywhere (as used by housekeeping services).

There are a dozen or so different schemes which are commonly used, and with most of them each card writer has a key embedded in it to secure it to a particular hotel and prevent people from unlocking room 101 worldwide with the same key.

Keys are also encoded, usually, with a check-in and check-out time, so the only reason to save hotel keys is if you want more data to try and crack the encryption so that you could make your own master key (not recommended for legal reasons, but fun to do if you’re interested in these schemes), or of course to write them as spare keys rather than waving your Flipper Zero around everywhere.

There’s plenty more that you can do with some Flipper Zero hacks to impress friends and have fun (see video below), and while there are other tools out there I’ve got to say this is far and away the easiest to use and most multifunctional I’ve come across.

Comment below with your own favourite Flipper Zero hacks to impress your friends, or ones you’d like me to look into for future articles.