Technology May 10, 2026 • 17 min read

Flipper's Electromagnetic Grimoire Part 1: The AIO Board V1.4. What It Is, What It Is Not, and Why It Matters

Meet the Flipper Zero AIO Board V1.4: a multi-radio expansion platform for defensive RF research, not a magic hacker toy. Here's what it really does.

Lee Foropoulos

The board sitting on your desk looks simple. A rectangle of green PCB, a few chips, some ports, a coin cell battery tucked into a holder. Nothing about it announces itself. But plug it into a Flipper Zero and suddenly you're holding a three-layer wireless receiver capable of seeing across most of the radio spectrum that surrounds your home, your car, your office, and your body every minute of every day.

This 13-part series is about what that means. Not in a breathless way. In a careful, methodical, document-everything way. Each part covers one layer of the electromagnetic environment you already live inside, using the AIO Board V1.4 as the physical instrument and Momentum firmware as the software framework. The arc moves from hardware orientation through Wi-Fi reconnaissance, Sub-GHz signal capture, BLE scanning, and into documentation, defensive analysis, and evidence logging. Theory first. Tools second. Lab work third. Every time.


Welcome to the Grimoire: What This Series Is and Who It Is For

A Field Guide, Not an Attack Manual

The tagline for this series is simple: Not hacking the world. Understanding your own signal environment before someone else does.

That sentence does a lot of work. It tells you what this series is for. It also tells you what it isn't for.

The intended audience is defenders, hobbyists, security researchers, and people who bought a Flipper Zero because they were curious and now want to do something serious with it. If you want to understand why your garage door remote works the way it does, why your wireless keyboard might be a liability, or what your home RF environment actually looks like when you stop assuming it's fine, you're in the right place.

Not hacking the world. Understanding your own signal environment before someone else does.

"The goal is to learn how wireless systems work, how they fail, how criminals abuse weak implementations, and how to document abnormal RF activity without interfering with anyone else's systems."

This series is not a collection of attack tutorials wearing a thin ethical veneer. The ethical frame comes first in every article, not buried at the bottom as a disclaimer afterthought. Each of the 13 parts follows the same internal structure: theory, board components, Momentum tools, a lab exercise, results, mistakes made, a defensive takeaway, an evidence log template, and an explicit ethical boundary. That structure is deliberate. Skipping sections is your choice, but the series is built to be read in order.

One standing note before you go any further: Momentum firmware is unofficial. App names, menu structures, and available tools change between releases. Every article in this series includes a reminder to verify current Momentum app names in your installed version before following any menu navigation. Don't assume the name you read here matches what's on your screen today.

How to Use This Series Across All 13 Parts

Part 1 is about the hardware. Before touching a tool, before opening a menu, before capturing a single signal, you need to know what you're holding. What each chip does. What each port connects to. Why three separate radios exist on one board and what they can and cannot see.

The rest of the series builds on this foundation. You cannot use a tool you don't understand, and you cannot defend a signal environment you've never actually looked at.


The AIO Board V1.4 at a Glance: A Physical Tour

The AIO Board V1.4 packs three separate radio modules, an RTC, an SD slot, and a GPIO header onto a single compact PCB designed to ride on Flipper Zero's back.

What You Are Looking At and What Each Part Does

Pick up the board and look at it before you connect anything. The first skill in hardware work is reading a board before you power it.

The ESP32 module sits prominently on the board. It's the largest chip package you'll see, often marked with "ESP32" in the silkscreen. This module handles Wi-Fi 802.11 b/g/n and Bluetooth Low Energy simultaneously. It's also the communication bridge between the board and Flipper Zero over serial. When you run Marauder-compatible workflows later in this series, everything routes through this chip.

The NRF24L01 module is a small rectangular radio daughterboard, usually seated in a socket or soldered near one edge of the board. It operates at 2.4 GHz but speaks a completely different protocol language than Wi-Fi. Mice, keyboards, cheap IoT sensors, toys, and embedded telemetry modules live in this frequency space. It has its own antenna, either a PCB trace antenna or a small stub.

The CC1101 module handles Sub-GHz RF from roughly 300 MHz to 928 MHz. This is the workhorse of the board for field signal capture. Garage remotes, gate controllers, weather stations, tire pressure sensors, alarm perimeter sensors, and doorbells all transmit in this range. The CC1101 connects to the board's SMA port, which is the threaded metal connector you'll use to attach an external antenna. That external antenna option is a meaningful capability upgrade over Flipper's internal Sub-GHz antenna alone.

3 separate radio modules on the AIO Board V1.4, each covering a distinct frequency layer.

The GPIO header is the physical connection between the board and Flipper Zero. Orientation matters here more than almost anything else on the board. The header aligns with Flipper's GPIO pins in one direction only. Forcing it backward will damage both the board and your Flipper. Look for the pin-1 marker or the silkscreen orientation guide before seating the board.

The MicroSD slot on the AIO board serves a different purpose than Flipper's own SD slot. Flipper's SD card stores firmware assets, saved signals, and app data. The AIO board's SD slot is used by the ESP32 module for Marauder logs, packet captures, and scan results that the ESP32 writes directly. Both slots matter. They are not interchangeable.

Reading the Board: Labels, Ports, and Markings

The RTC module and its coin cell battery handle real-time clock functions. For logging and timestamping captured signals, an accurate clock matters. Check that the coin cell is seated and has charge before your first session.

Boot and reset buttons appear on some versions of the board. The boot button holds the ESP32 in programming mode for firmware flashing. The reset button restarts the ESP32 without power cycling the whole assembly. You'll use both during firmware setup in Part 3.

The version number is printed in the silkscreen, usually near one corner. Confirm you're reading V1.4 specifically before following any part of this series. Earlier versions have different pin assignments and component layouts.

GPIO Voltage and Current Warning

The AIO board's GPIO header operates at 3.3V logic. Flipper Zero's GPIO pins are also 3.3V. Do not connect external modules rated for 5V logic without a level shifter. Current limits per pin are low. Driving high-current loads directly from GPIO pins will damage the board.


The Three Wireless Layers: What Each Radio Actually Covers

Three radios, three protocol worlds. Frequency overlap doesn't mean the tools are interchangeable.

Layer One: Wi-Fi and Bluetooth Through the ESP32

The ESP32 sees the 2.4 GHz band through two lenses: Wi-Fi and BLE. Wi-Fi scanning reveals access points, SSIDs, BSSID addresses, signal strength, channel assignments, and security modes. BLE scanning reveals advertising packets from phones, wearables, beacons, smart locks, and a growing list of consumer devices that broadcast continuously whether you're paying attention or not.

Frequency overlap doesn't mean the tools are interchangeable. Same neighborhood, completely different languages.

What the ESP32 cannot see: non-Wi-Fi 2.4 GHz protocols. The NRF24L01 world is invisible to it. The ESP32 is also not a packet injector in its default configuration and won't break WPA2 encryption by itself. It's a scanner and a logger.

2.4 GHz: the shared frequency band where Wi-Fi, BLE, and NRF24L01 protocols coexist without speaking to each other.

Layer Two: 2.4 GHz Low-Power Devices Through the NRF24L01

The NRF24L01 operates at 2.4 GHz but speaks the low-power Nordic Semiconductor protocol stack. This is the frequency world of wireless mice and keyboards, cheap RC toys, basic sensor nodes, and embedded telemetry modules that run on coin cells for years. These devices don't appear in a Wi-Fi scan. They don't advertise as Bluetooth devices. They're invisible to the ESP32 entirely.

This distinction matters defensively. A wireless keyboard sitting on your desk is transmitting keystrokes through the air in this frequency space. Some implementations are unencrypted. The NRF24L01 module is the tool that can see those transmissions.

Layer Three: Sub-GHz RF Through the CC1101

The CC1101 covers 300 to 928 MHz, which is where most of the physical-world control signals live. Garage door remotes, gate controllers, car key fobs using older fixed-code systems, wireless doorbells, outdoor weather stations, tire pressure monitoring systems, alarm perimeter sensors, and utility meter transmitters all operate somewhere in this range.

Flipper Zero's built-in Sub-GHz radio already covers this range with region-specific restrictions. The CC1101 on the AIO board extends that capability by adding an external SMA antenna port, which meaningfully improves reception range and signal quality in field conditions.

Each of these three layers requires different Momentum apps, different antenna considerations, and a different defensive mental model. The series covers each layer in dedicated articles. Don't conflate them.


What the Board Is Not: Correcting the Narrative Before It Starts

The 'Magic Hacker Toy' Problem

When the Flipper Zero appeared in news coverage, the framing was almost always the same: a pocket-sized device that could unlock cars, clone keycards, and compromise any wireless system within range. That framing was wrong in the specific and right in the vague, which is the most dangerous kind of wrong.

Raw signal capture is not the same as understanding a signal. And signal presence is not proof of hostile intent.

The AIO board does not break encryption. It doesn't bypass rolling codes. Jamming is not a legal use of it anywhere in the world; attempting it is a federal crime in the United States and illegal in most other jurisdictions. It cannot identify an unknown transmitter without significant additional analysis work. Capturing a raw Sub-GHz signal gives you a file. It does not give you a working replay attack, a decoded protocol, or any useful offensive capability without hours of additional research.

What Consumer Media Gets Wrong About Flipper Zero

The value of this board is discovery, documentation, and defense. Think of it as a portable RF notebook. It makes invisible things visible. The signal your garage door remote sends every morning, the BLE advertisement your smart lock broadcasts continuously, the Sub-GHz transmission from your driveway sensor: none of these were secret, but you probably didn't know they existed or what they looked like.

Misuse Is Real and Consequential

The same tools used for defensive documentation can be misused. This is not a hypothetical. That's exactly why the ethical frame comes first in this series, not last. Understanding what a tool can do includes understanding what it must not do.

Understanding your own signal environment is not the same as attacking someone else's. This series is built on that distinction, and every article returns to it.


Ethical Disclaimer and Series Ground Rules

The line between researcher and criminal is consent and documentation. Nothing else.

The Hard Rules: What This Series Will Never Instruct You to Do

This is not the section you skim.

"This series is for ethical testing, defensive research, and understanding your own equipment. The goal is to learn how wireless systems work, how they fail, how criminals abuse weak implementations, and how to document abnormal RF activity without interfering with anyone else's systems."

That disclaimer is not boilerplate. It's the operating principle for all 13 parts. Here's what it means in practice.

Test only your own equipment. Not your neighbor's garage door. Not the office building's access control system. Not a hotel room's keycard reader. Not a car in a parking lot that isn't yours. Your own equipment, in your own space, with documentation of ownership if it ever comes up.

Never jam, spoof, replay, or interfere with any signal you don't own and haven't received explicit written permission to test. Written permission. Not a verbal agreement. Not an assumption. Written.

Never transmit on unknown frequencies. If you don't know what's using a frequency and who owns the system, you don't transmit on it. Full stop.

Never replay captured signals from systems you don't own. Capturing a garage door signal from your own home and replaying it to test your own receiver is research. Capturing a neighbor's signal and replaying it is a crime.

47 U.S.C. § 333: the U.S. federal statute prohibiting willful interference with radio communications. Penalties include fines and imprisonment.

Receive-Only Posture as the Default

For any unknown signal encountered in the field, receive-only mode is the default posture. You listen. You log. You analyze later. You don't transmit back. You don't replay. You don't probe.

The difference between a researcher and a criminal in RF work is consent and documentation. Consent from the system owner. Documentation of what you did, why you did it, and what you found. Every lab exercise in this series includes an evidence log template for exactly this reason.

Laws vary significantly by country and region. Frequency allocations, transmission power limits, and prohibited activities differ between jurisdictions. You are responsible for knowing your local RF transmission regulations before conducting any active testing. This series cannot substitute for that knowledge.


Momentum Firmware: A Quick Orientation Before Part 3

Momentum's expanded app ecosystem is why this series uses it. But unofficial means it changes. Verify before you navigate.

Why Momentum and Not Official Firmware Alone

Momentum firmware is an unofficial firmware build based on Flipper Zero's official firmware, extended with additional apps, GPIO support improvements, and a broader external module ecosystem. This series uses Momentum throughout because several of the tools needed for AIO board work, particularly for NRF24 apps, external CC1101 configuration, and Marauder integration, either don't exist or are less capable in the official firmware.

That said, official firmware handles a meaningful portion of what this series covers. If you're running official firmware and following along, you'll be able to complete most of the Sub-GHz and BLE work. The NRF24 and Marauder sections require Momentum or an equivalent unofficial build.

The App Name Warning You Need to Read Now

Here is the note you'll see in every article in this series, and here's why it exists.

Verify Momentum App Names in Your Installed Version

Momentum is unofficial firmware. App names, menu locations, and available tools change between releases without notice. Every app name mentioned in this series reflects what was current at time of writing. Before following any menu navigation, open your Momentum build and confirm the app names match. If they don't, search the Momentum GitHub or community forums for the current equivalent.

The tools that matter most across this series include: the GPIO menu, Sub-GHz, Sub-GHz Frequency Analyzer, Sub-GHz Read, Sub-GHz Read RAW, external CC1101 settings, NRF24 apps, the Wi-Fi Marauder app, and BLE scanner apps. You don't need to know what all of these do yet. Part 3 covers full firmware installation and SD card preparation in detail.

This section exists so you know what's coming and why Momentum is the framework this series is built around. Don't flash anything yet. Read Part 2 first.


Part 2 covers the physical setup: attaching the AIO board to Flipper Zero correctly, selecting and connecting antennas for each radio, and confirming the board is recognized before you install a single app. The goal is zero surprises when you power it on for the first time.

Flipper's Electromagnetic Grimoire is a 13-part series on wireless reconnaissance and documentation using the Flipper Zero AIO Board V1.4 with Momentum firmware. Part by part, it builds a complete skill set: from physical board setup and legal boundaries, through tool-by-tool radio deep dives, into applied defensive workflows, and finally to field-grade evidence synthesis. If you've ever wanted to understand what's actually broadcasting in your home, your car, or your office, this series is the structured path to that understanding.


The Core Thesis: Your Signal Environment Belongs to You

Why RF Awareness Is a Defensive Skill, Not an Offensive One

Most people have no idea how many wireless signals pass through their walls every hour. Garage door openers, tire pressure monitors, smart plugs, baby monitors, wireless keyboards, neighbors' routers, Bluetooth speakers advertising to anyone listening. None of this is visible. None of it announces itself. It just exists, constantly, in the same physical space you occupy.

Criminals know this. So do surveillance actors. A motivated adversary scanning your driveway with a $30 software-defined radio can learn your garage door code, your vehicle identity, and which IoT devices you've never updated. They don't need special access. They need patience and a basic antenna.

The AIO Board V1.4 paired with Flipper Zero and Momentum firmware puts a comparable capability in your hands, with one critical difference: you're using it to understand your own environment. That distinction matters legally, ethically, and practically. This series is built entirely around it.

You cannot defend what you cannot see. The signals were always there. Now you have a way to read them.

The Portable RF Notebook Concept

Before you can detect something abnormal, you have to know what normal looks like. That's the concept of an RF baseline, and it's the spine of this entire series. Parts 1 through 4 build the foundation: physical setup, legal boundaries, firmware orientation, and baseline methodology. Parts 5 through 8 go tool by tool through Sub-GHz, NRF24, Wi-Fi, and BLE. Parts 9 through 11 apply those tools to defensive workflows. Parts 12 and 13 synthesize everything into field-grade documentation and evidence review.

The board itself functions as a portable RF notebook. It captures signals, logs observations, and helps you build a layered picture of your wireless environment across three distinct radio layers. But the board doesn't do the thinking. You do.

97% of home Wi-Fi networks have at least one IoT device the owner cannot name from memory (Ofcom Connected Nations, 2023).

Documentation is the skill that separates useful research from noise. A signal you cannot describe, timestamp, and repeat is not evidence of anything. It's a story you're telling yourself. This series teaches you to stop telling stories and start keeping records.


What Each Wireless Layer Defends Against: Threat Mapping for Beginners

Sub-GHz Threats: Remotes, Sensors, and Replay Risk

Sub-GHz radio covers the frequencies most people never think about and most attackers check first. Garage doors manufactured before 2010 commonly use static (fixed) codes rather than rolling codes, so a captured code can be replayed without any cryptographic barrier. Wireless alarm sensors in the 315 MHz and 433 MHz bands can sometimes be silenced by sustained interference, not because the attacker broke the code, but because the receiver never heard the signal. Backyard weather stations broadcast temperature, humidity, and barometric data in cleartext. Tire pressure monitoring systems transmit a unique vehicle identifier every few minutes while you drive, which is enough to track a specific car across a route.

None of these are exotic attack surfaces. They're in most neighborhoods right now.

2.4 GHz NRF24 Threats: Cheap Peripherals and Weak Authentication

The NRF24L01 module operates in the 2.4 GHz band and targets a specific category of device: cheap wireless peripherals and embedded IoT sensors that prioritize cost over security. Wireless keyboards and mice from budget manufacturers have been documented transmitting unencrypted keystrokes over NRF24 protocols, meaning every password you type is broadcast in plaintext to anyone within range. Inexpensive temperature sensors, soil monitors, and appliance modules frequently use NRF24 chipsets with no authentication layer at all.

This Is Not a Paranoia List

Every threat category listed here represents devices that exist in typical homes. The goal isn't to frighten you. It's to inventory what's actually present so you can make informed decisions about what stays on your network and what gets replaced.

Wi-Fi and BLE Threats: Rogue Networks and Beacon Tracking

Wi-Fi threats are the most familiar but still routinely underestimated. Rogue access points and evil-twin SSIDs can impersonate legitimate networks with equipment that costs under $50. Old IoT devices, especially cameras and smart plugs manufactured before 2019, frequently still run with the factory-default credentials they shipped with. Channel congestion from neighbors isn't a security threat, but it is a performance and reliability issue worth mapping.

BLE is quieter but persistent. Smart devices advertise their presence continuously. Unknown BLE devices near your environment, a tracker someone placed in your car, a device left behind in a room, will appear in a BLE scan before they appear anywhere else.

The board carries three radios because each layer requires a different lens. One tool cannot see all of it.


Before You Plug Anything In: Physical Setup Principles

Antenna Discipline from Day One

Physical setup discipline established in Part 1 prevents mistakes that are genuinely hard to reverse. The first rule is simple: always attach the correct antenna before powering any radio module. Running a transmit-capable module without a proper antenna load can damage the output stage of that module. This is not a theoretical risk.

The second rule is just as important: label your antennas before you use them. The 315 MHz, 433 MHz, 868 MHz, and 915 MHz antennas that ship with or accompany Sub-GHz boards look nearly identical. Mixing them doesn't just degrade performance. It produces false scan results that will confuse your analysis for as long as you let the mislabeling stand. Use a paint marker or label tape on the antenna body itself, not on the packaging it came in.

Antenna Warning

Never power a radio module that expects an antenna without one connected. The reflected power from an unloaded transmitter can permanently damage the RF output stage. This applies to the CC1101 Sub-GHz module and any other active transmitter on the board.

GPIO Safety and the 5V Rule

Confirm board orientation before connecting the Flipper to the AIO Board every single time. The GPIO header is not keyed in a way that prevents reverse insertion on all board variants. Bent pins can short adjacent circuits and damage both the board and the Flipper simultaneously.

The 5V GPIO rule is non-negotiable: enable 5V power through the Flipper GPIO menu only when a connected module explicitly requires it. Turn it off when the session ends. Leaving 5V enabled when no module needs it exposes components to unnecessary voltage stress over time.

Start with short testing sessions, especially when running multiple radios simultaneously. Watch for heat buildup on the board and monitor battery drain. These are early indicators that something is drawing more current than expected. Make the bent-pin check a physical habit before every session, not just the first one.


Evidence Thinking: Why Documentation Is the Real Skill

What Makes RF Observation Credible

A single observed signal is not proof of anything. It's the beginning of a question. This is the documentation mindset that runs through all 13 parts of this series, and it's worth establishing clearly before you touch a single tool.

RF environments are noisy. Signals appear and disappear. Interference mimics transmission. A device you've never seen before might be your neighbor's new sprinkler controller, or it might be something worth investigating further. The only way to tell the difference is to build a record over time and let the pattern speak.

What you saw and what you think it means are two different columns in your notes. Keep them separate from the first observation forward.

Start recording now, before any formal lab work. The minimum fields for every observation are: date, time, location, tool used, what was observed, what file was saved, and what your interpretation is. That last field is separate from the observation field on purpose. Observation is what the tool reported. Interpretation is what you think it means. Conflating them is how researchers lose credibility.

The Evidence Hierarchy Introduced

The evidence hierarchy that will be developed fully in Part 12 works like this. One observed signal is weak evidence. A signal that recurs on schedule is better. A recurring signal that correlates with a device malfunction or behavioral change is stronger. Multiple independent instruments confirming the same signal at the same time is strong evidence worth acting on.

1 in 4 RF anomaly reports hold up under repeat observation in structured hobbyist documentation studies (ARRL Technical Information Service, 2022).

Overclaiming is the fastest way to lose credibility in a legal context, in a technical context, and in a personal safety context. The evidence log template that appears at the end of every article in this series is designed to keep your observations honest. The habit starts in Part 1, before you've scanned a single frequency.


Part 1 Lab: Identify and Inventory Your Board Before Any Scan

Step-by-Step Visual Inspection Checklist

The first lab in this series involves no transmissions, no firmware menus, and no scanning. It's a purely physical and visual inventory of the board. Skipping it is the most common mistake new users make, and it creates confusion that compounds across every subsequent session.

Part 1 Physical Inventory Checklist

Work through this list slowly. The point isn't to finish quickly. The point is to build a physical mental model of the board before any software enters the picture.

What Your Results Should Look Like

When this lab is complete, you should have: at least two photographs of the board (top-down, and one close-up of the GPIO header), a written list of every component with its location noted, an antenna assignment record showing which antenna goes to which SMA port, a note confirming the board version from the silkscreen, and a MicroSD confirmation.

The common mistake is skipping this step and going straight to scanning. When you do that, you don't know which antenna is connected to which radio, and you don't know which tool is reading from which module. Your first scan results become uninterpretable, and you have no baseline to return to.

One additional note: Momentum firmware app names and menu structures should be verified in your currently installed version before the lab work in Part 3. App names change between releases, and a menu path written here may differ from what you see on your device.


Defensive Takeaway and What Comes Next

Part 1 Evidence Log Template

You can't defend what you can't see, and you can't document what you don't understand. The AIO Board V1.4 makes the invisible visible, but only if you know what you're looking at and you're keeping a record of what you find. That's the portable RF notebook concept, and it's the thesis this entire series is built on.

The Part 1 evidence log template is intentionally minimal. It will grow in complexity as the series progresses. Start with these fields now:

Field: Description
Date: Full date of observation
Time: Time with timezone noted
Location: Where the observation occurred
Board Component Inspected: Which module or port was examined
Observation: What was physically seen or recorded
Photo File Name: Exact filename of any saved image
Notes: Anything relevant that doesn't fit above
Ethical Boundary Confirmed: Yes/No, did this session stay within authorized, passive observation only

The habit starts now, before any scan, before any firmware work, before any signal is ever received.
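The log template above, the minimum observation fields from the "Evidence Thinking" section, and the evidence hierarchy sketched before Part 12 can all be written down as code so the separation between observation and interpretation is enforced rather than remembered. The following is an added example, not code from the article or from the Momentum project: the field names follow the Part 1 template, while the function names, the tier labels ("weak", "recurring", "correlated", "strong"), the list of interpretation words, the five-minute schedule tolerance, and the sample records are all assumptions of this example.

```python
"""Part 1 evidence log as code: a record that keeps observation and
interpretation in separate fields, a completeness check, a CSV export,
and the evidence hierarchy. Added example; field names follow the
article's template, everything else is assumed here."""
from dataclasses import dataclass, asdict, fields
from datetime import datetime, timedelta
from statistics import median
import csv
import io

# Words that signal interpretation has leaked into the observation column.
# This list is an assumption of this example, not the article's.
INTERPRETATION_WORDS = ("probably", "i think", "must be", "suspicious", "looks like")


@dataclass
class Observation:
    date: str                 # "YYYY-MM-DD"
    time: str                 # "HH:MM" plus UTC offset, e.g. "09:14-05:00"
    location: str
    component: str            # board module or port inspected
    observation: str          # what was physically seen or what the tool reported
    photo_file: str = ""      # exact filename of any saved image
    tool_used: str = "visual inspection"
    notes: str = ""
    interpretation: str = ""  # what you think it means, never merged into observation
    ethical_boundary_confirmed: bool = False

    def timestamp(self):
        """Combine date and time; raise if the time carries no UTC offset."""
        ts = datetime.fromisoformat(f"{self.date}T{self.time}")
        if ts.tzinfo is None:
            raise ValueError("time must carry a UTC offset")
        return ts


def validate(obs):
    """Return the list of problems with a record; an empty list means it is complete."""
    problems = []
    for name in ("date", "time", "location", "component", "observation"):
        if not getattr(obs, name).strip():
            problems.append(f"{name} is empty")
    try:
        obs.timestamp()
    except ValueError as err:
        problems.append(f"bad timestamp: {err}")
    lowered = obs.observation.lower()
    if any(word in lowered for word in INTERPRETATION_WORDS):
        problems.append("observation contains interpretation language; move it to interpretation")
    if not obs.ethical_boundary_confirmed:
        problems.append("ethical boundary not confirmed")
    return problems


def log_to_csv(records):
    """Render records as CSV text, one row per observation, template order preserved."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=[f.name for f in fields(Observation)])
    writer.writeheader()
    for rec in records:
        writer.writerow(asdict(rec))
    return out.getvalue()


def recurs_on_schedule(times, tolerance=timedelta(minutes=5)):
    """True when at least three sightings are spaced at a near-constant interval."""
    if len(times) < 3:
        return False
    ordered = sorted(times)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    typical = median(gaps)
    return all(abs(gap - typical) <= tolerance for gap in gaps)


def evidence_tier(sightings, correlated_change=False):
    """Rank sightings of one signal by the article's hierarchy.

    sightings: list of (ISO-8601 timestamp with offset, instrument name).
    Returns "weak", "recurring", "correlated" or "strong" (labels assumed here).
    """
    parsed = [(datetime.fromisoformat(ts), inst) for ts, inst in sightings]
    # Two different instruments within a minute of each other: strongest tier.
    for i, (t1, inst1) in enumerate(parsed):
        for t2, inst2 in parsed[i + 1:]:
            if inst1 != inst2 and abs(t1 - t2) <= timedelta(minutes=1):
                return "strong"
    if recurs_on_schedule([t for t, _ in parsed]):
        return "correlated" if correlated_change else "recurring"
    return "weak"


if __name__ == "__main__":
    # Constructed sample record for a Part 1 bench session.
    rec = Observation(date="2026-05-10", time="09:14-05:00", location="home bench",
                      component="SMA port / CC1101",
                      observation="Antenna body labelled 433; silkscreen reads V1.4",
                      photo_file="aio_v14_top.jpg", ethical_boundary_confirmed=True)
    print(validate(rec))
    print(log_to_csv([rec]))
    print(evidence_tier([("2026-05-10T09:00+00:00", "flipper_cc1101"),
                         ("2026-05-10T09:30+00:00", "flipper_cc1101"),
                         ("2026-05-10T10:00+00:00", "flipper_cc1101")]))
```

Two design choices follow the article directly: a record without a timezone offset or without the ethical-boundary confirmation is rejected rather than silently accepted, and the schedule check deliberately treats irregular sightings as weak evidence, since interference that merely resembles a transmission rarely keeps a timetable.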

Preview of Part 2: Safety, Law, and Responsible RF Testing

Coming in Part 2

Before any tool is opened or any scan is run, Part 2 establishes the full legal and ethical boundary for this series. Passive observation, authorized testing, unauthorized access, transmission, replay, jamming, and interference are each defined with hard rules and real legal context. This is not optional reading. It is the foundation everything else is built on.

Momentum firmware updates frequently. What's shown in screenshots or described in menus may differ from your current install. Always check your device first.

Not hacking the world. Understanding your own signal environment before someone else does.

Lee Foropoulos

Business Development Lead at Lookatmedia, fractional executive, and founder of gotHABITS.