Radio is everywhere. It moves through walls, through car doors, through the gap under your garage. It doesn't announce itself. It doesn't ask permission. It just transmits, continuously, on frequencies that have been standardized for decades, carrying signals that most people never think about and most devices never bother to encrypt. The Sub-GHz layer is the loudest, most populated, and most overlooked wireless environment in everyday life, and the Flipper Zero gives you a front-row seat to all of it.
Part 4 of this series put the Flipper's infrared capabilities under the microscope: how IR works at a physical level, how the Flipper reads and stores remote codes, and how to build a tidy documentation archive of the IR devices in your environment. That was close-range, line-of-sight work. This part goes further, literally and figuratively. Sub-GHz signals travel through obstacles, across parking lots, through concrete walls. The devices broadcasting them number in the billions. And most of them are completely transparent to anyone with the right radio hardware and a little patience.
This is Part 5 of the Flipper's Electromagnetic Grimoire series. It covers the Sub-GHz layer from the ground up: the frequencies, the device ecosystem, the hardware inside the Flipper doing the work, the software tools you'll use, and a hands-on lab for capturing and documenting your own remotes. The goal here is observation and documentation. Understanding what's transmitting around you, and recording it carefully, is the foundation. Everything else builds on that.
Welcome to the Sub-GHz Layer: What This Part Covers
Where Part 5 Fits in the Grimoire Series
Parts 1 through 4 established the framework. You learned how the Flipper Zero is organized, how to think about wireless reconnaissance as a documentation discipline, how GPIO and hardware expansion work, and how infrared fits into the broader picture. Each part added a layer. Sub-GHz is the next layer, and it's a significant one.
Where IR required physical proximity and a clear line of sight, Sub-GHz operates at ranges that can stretch to hundreds of meters under good conditions. Where IR devices tend to be televisions and air conditioners, Sub-GHz devices include garage doors, alarm sensors, gate controllers, weather stations, tire pressure monitors, and agricultural switches. The scope is wider. The signal density in any populated area is remarkable. And the protocols in use range from trivially simple to genuinely complex.
Why Sub-GHz Deserves Its Own Deep Dive
The CC1101 transceiver chip at the heart of Flipper's Sub-GHz capability is a programmable radio. It doesn't just listen on one fixed frequency. It can be tuned across a wide swath of spectrum, configured for different modulation schemes, and set to capture raw signal timing or attempt structured protocol decoding. That flexibility is what makes this part of the Flipper so interesting for reconnaissance work, and also what makes it worth taking seriously from a legal and ethical standpoint.
Everything in this part operates within a clear ethical boundary: you capture signals from devices you own, in environments you control, for the purpose of understanding and documenting how those devices communicate. Replaying captured signals outside that boundary, even signals you captured yourself, moves into territory that varies by jurisdiction and can carry real legal consequences. The Flipper is a documentation tool. Treat it like one.
Legal Framing for This Entire Section
Capturing and analyzing signals from your own devices is legal in virtually every jurisdiction. Transmitting on licensed or restricted frequencies without authorization is not. Replaying signals to operate devices you don't own or control is not. Every exercise in this part assumes you are working with hardware you own, in a space you control. That framing isn't a disclaimer. It's the actual operating principle.
Understanding Sub-GHz Frequencies: The Three Bands and Regional Rules
Sub-GHz refers to radio frequencies below 1 gigahertz used for low-power, medium-to-long-range device communication. These frequencies propagate well through physical obstacles, require minimal transmit power, and have been allocated internationally for unlicensed industrial, scientific, and medical use. That combination makes them ideal for consumer devices that need to work reliably, cheaply, and without a cellular subscription. The result is a spectrum band so crowded with everyday hardware that a single apartment building can have dozens of active transmitters operating simultaneously.
The 300–348 MHz Band
This is the oldest populated corner of the Sub-GHz consumer space. Garage door openers manufactured in the 1990s and early 2000s frequently used fixed codes in this range, particularly around 300 and 310 MHz. Some North American gate controllers and early keyless entry systems also operated here. You're less likely to encounter active devices in this band than in the higher ranges, but legacy hardware persists longer than most people expect. A garage door opener from 2001 still works fine, and its owner has no reason to replace it.
The 387–464 MHz Band
The 433 MHz region dominates this band and, frankly, dominates the entire consumer Sub-GHz landscape. European ISM allocations center here, and the global standardization around 433.92 MHz means that a remote manufactured in China, sold in Germany, and used in Canada is almost certainly broadcasting on this frequency. Keyfobs, wireless alarm sensors, doorbell transmitters, weather station sensors, and smart outlet remotes are overwhelmingly concentrated at 433.92 MHz. If you only ever learn one frequency for Sub-GHz reconnaissance, that's the one.
The 779–928 MHz Band
This band carries the modern IoT and smart home device ecosystem. 868 MHz is the primary European allocation for low-power IoT devices and is heavily used by Z-Wave, wireless alarm systems, and smart metering infrastructure. 915 MHz is the US ISM band equivalent, used by LoRa, some smart home hubs, and agricultural telemetry hardware. 315 MHz appears in older North American automotive remotes, while 868 and 915 MHz increasingly appear in tire pressure monitoring systems depending on the vehicle's market region.
Regional Restrictions and Legal Compliance
Radio frequency use is regulated nationally, and those regulations have teeth. In the United States, FCC Part 15 governs unlicensed low-power devices and defines which frequencies can be used without a license, at what power levels, and under what conditions. In Europe, ETSI EN 300 220 covers the 433 and 868 MHz ISM bands. Japan's ARIB standards define a narrower set of permitted frequencies with strict duty cycle limits.
Flipper Zero enforces these regional rules through firmware region settings. Your device's region determines which frequencies the transmit function will actually activate. Receiving is unrestricted across the full supported range. Transmitting outside your authorized band is a different matter entirely.
Transmit Restrictions Are Not Optional
Transmitting on frequencies outside your regional authorization is illegal regardless of power level, intent, or duration. The Flipper's region lock exists for this reason. Custom firmware that removes region restrictions places the legal responsibility entirely on you. This series does not recommend bypassing regional frequency locks.
The Device Ecosystem: What Lives in Sub-GHz Space
The sheer variety of hardware broadcasting in Sub-GHz frequencies is one of the things that makes this layer so interesting to document. These aren't obscure industrial devices. They're the remotes clipped to sun visors, the sensors stuck to door frames, the weather stations mounted on back fences. They're ordinary. They're everywhere. And most of them are transmitting data in the clear.
Access Control: Garage Doors, Gates, and Entry Systems
Garage door remotes split cleanly into two generations. Fixed-code systems, common in hardware manufactured before the mid-1990s and still found in budget units today, transmit the same binary code every time the button is pressed. The receiver opens the door if the code matches. There's no session, no challenge, no randomization. Rolling-code systems, which became standard after the introduction of KeeLoq technology in the mid-1990s, generate a new code for every button press using a synchronized counter shared between the remote and the receiver. The Flipper can capture both, but only fixed-code signals are meaningfully decodable into a replayable representation.
Commercial gate controllers, the kind managing parking structures and gated communities, typically operate in the 300 to 433 MHz range depending on age and manufacturer. Many use proprietary protocols layered over standard OOK modulation. Documenting which frequency a gate controller uses, and whether its protocol matches any of Flipper's known decoders, is genuinely useful information for understanding the security posture of an access control installation.
Home Sensors: Doorbells, Alarms, and Weather Stations
Wireless doorbells are almost universally simple. The button unit transmits a short OOK burst at 433.92 MHz when pressed, the receiver plays a chime, and that's the entire protocol. There's typically no pairing handshake, no encryption, and no authentication. The "security" is just the fact that the specific timing pattern varies between manufacturers.
Alarm system perimeter sensors are more varied. Door and window contact sensors, passive infrared motion detectors, and glass-break sensors all transmit status updates to a central hub, usually at 433 or 868 MHz depending on the system's age and region. Many budget alarm systems transmit sensor status in plaintext, which means a Flipper Zero in Read mode can tell you whether a door sensor is reporting open or closed without any decoding effort beyond protocol identification.
Home weather stations deserve special mention. The outdoor sensor units broadcast temperature, humidity, wind speed, and barometric pressure continuously, typically every 30 to 60 seconds, at 433.92 MHz, with no encryption whatsoever. They're an excellent target for protocol analysis because the data is benign, the transmissions are regular, and the signal is easy to find.
Automotive and Industrial: TPMS, Smart Outlets, and Remote Switches
Tire Pressure Monitoring Systems are federally mandated in new vehicles sold in the United States since 2008 and similarly required in Europe since 2012. Each wheel sensor broadcasts its pressure and temperature reading, along with a unique sensor ID, at either 315 MHz (North American vehicles) or 433 MHz (European and Asian vehicles). These broadcasts are completely unencrypted. The sensor ID is static and tied to the physical sensor unit.
Smart outlets and plug-in remote switches using 433 MHz OOK modulation are among the simplest devices in the Sub-GHz ecosystem. The remote sends a fixed on or off code, the outlet responds. Agricultural and industrial remote switches, used for controlling irrigation valves, pump motors, and grain bin equipment in rural environments, operate on similar principles but sometimes at higher power levels and on less common frequencies. Most consumer devices in this entire space use unencrypted or only trivially encoded signals. That's not an accident. Simplicity and low cost drove the design decisions, and security was rarely a priority.
Inside the CC1101: Flipper Zero's Sub-GHz Radio Engine
The hardware doing all of this work is a single chip: the Texas Instruments CC1101. It's a programmable sub-GHz transceiver, which means it can both receive and transmit, and its operating parameters are software-configurable rather than fixed at the hardware level. The CC1101 is not exotic hardware. It's used in countless commercial products, development boards, and research tools. What makes it interesting in the Flipper is the software layer built around it and the interface that makes it accessible without requiring radio engineering expertise.
What the CC1101 Chip Actually Does
The CC1101 supports a configurable center frequency across its operating range, adjustable channel bandwidth, variable data rate, and selectable modulation type. In practical terms, this means you can point it at 433.92 MHz with a 200 kHz bandwidth and a 3.79 kbps data rate to match the characteristics of a typical OOK remote, or reconfigure it entirely to capture FSK telemetry from a weather station sensor. The chip doesn't know what it's listening for. The firmware tells it how to listen, and the signal processing layer interprets what comes back.
One important limitation: the CC1101 is not a spectrum analyzer. It tunes to one center frequency at a time. Flipper's Frequency Analyzer tool sweeps across a range by rapidly retuning, measuring signal strength at each step, and displaying the results as a simple RSSI readout. It gives you a useful map of where activity is concentrated, but it doesn't capture signals while sweeping. You need to stop on a frequency to actually receive anything.
Modulation Types Flipper Can Decode
The CC1101 supports several modulation schemes relevant to consumer Sub-GHz devices. OOK (On-Off Keying) and ASK (Amplitude Shift Keying) are functionally identical for most consumer remotes: the transmitter turns the carrier on and off to encode binary data. This is the dominant modulation type in cheap consumer hardware because it's simple to implement and easy to decode. FSK (Frequency Shift Keying) encodes data by shifting between two frequencies and appears in weather stations, some alarm sensors, and automotive TPMS units. GFSK (Gaussian FSK) applies a smoothing filter to reduce bandwidth and is common in Bluetooth and some proprietary protocols. MSK (Minimum Shift Keying) is a variant of FSK used in higher-data-rate applications.
For practical reconnaissance, OOK and FSK cover the vast majority of what you'll encounter. The Flipper's protocol library is built primarily around OOK-modulated fixed-code systems, which is where its structured decoding capability is strongest.
Internal vs. External Antenna: When It Matters
The Flipper Zero ships with an internal PCB antenna tuned for reasonable performance across its operating range. For most indoor reconnaissance work at typical room-to-room distances, the internal antenna is sufficient. You can capture a garage remote at 10 meters without any trouble.
For field work at longer ranges, or when trying to capture signals from devices at the edge of reception, an external antenna connected via the SMA port on the Flipper's top edge makes a meaningful difference. A simple whip antenna cut for 433 MHz adds several decibels of gain and can extend usable receive range noticeably. The improvement is real, but it's not magic. If a device is transmitting at very low power, no antenna upgrade will compensate for a fundamentally weak signal.
Flipper Sub-GHz Tools: A Practical Walkthrough of the Interface
The Sub-GHz application on the Flipper Zero is organized around a small set of tools that each serve a specific purpose. Understanding which tool to reach for, and why, is more important than memorizing menu paths. The menu paths change between firmware versions. The underlying logic doesn't.
From the main menu, navigate to Sub-GHz. The top-level options are Frequency Analyzer, Read, Read RAW, Saved Signals, and Add Manually. Each one represents a different relationship with the incoming signal.
Frequency Analyzer: Finding the Signal
Frequency Analyzer is your starting point when you don't
Decoding vs. Raw: Understanding What Flipper Is Actually Telling You
Part 4 introduced the Flipper Zero's Sub-GHz hardware and walked through your first signal captures. Now the question shifts from "did I capture something?" to "what did I actually capture?" That distinction matters more than most beginners expect.
What a Decoded Signal Reveals
When Flipper successfully decodes a signal, it's doing more than recording radio energy. It's extracting semantic meaning from that energy: the protocol family, the transmitted key value, and often a repeat count showing how many times the device sent the same frame. A decoded Princeton signal might display something like Protocol: Princeton, Key: 0xA3F2C1, Bits: 24, Repeat: 3. A Came or Nice signal follows a similar structure with its own bit width and key format. That output tells you the device's protocol lineage, the specific code it transmitted, and how the manufacturer structured the data frame.
This is useful. It's also limited. Decoding only works for protocols Flipper's firmware already understands.
What a RAW Capture Preserves
RAW mode skips the translation layer entirely. Instead of extracting a key, it records the physical signal itself: a sequence of pulse widths and gap durations measured in microseconds. A RAW file might read as alternating values like +320 -680 +320 -1200, where positive numbers represent signal-on periods and negative numbers represent silence. That's the waveform, not the meaning.
This matters enormously for protocols Flipper doesn't yet recognize. If you point Flipper at an obscure agricultural gate controller or a proprietary sensor network, decoded output gives you nothing. RAW gives you the raw timing structure, which is exactly what protocol researchers need to reverse-engineer new formats.
Rolling-code signals complicate both modes. Flipper may successfully decode a KeeLoq or AUT64 frame, displaying a valid key value. But that key is already expired. The receiver incremented its counter the moment you pressed the button, and replaying the captured code accomplishes nothing. RAW captures of rolling-code signals are still worth keeping: the timing structure, modulation depth, and frame cadence are all useful data for protocol research even when the payload itself is ephemeral.
Why the Difference Matters for Documentation
The .sub file format stores both types of captures with a structured header. Fields include Filetype, Version, Frequency, Preset (which encodes modulation settings like AM270 or AM650), and Protocol. RAW files then contain a RAW_Data block with the pulse-gap sequence. Decoded files store the protocol name and key fields instead.
Always capture both when studying a new device. The decoded file gives you the searchable, human-readable record. The RAW file gives you the evidence that survives protocol ambiguity, firmware updates, and future analysis tools that don't exist yet.
Field Reconnaissance: Reading the Wireless Environment Around You
A Flipper Zero in your pocket is a passive sensor. Before you transmit anything, before you replay anything, there's a tremendous amount you can learn just by listening.
Running a Passive Sub-GHz Survey
A passive Sub-GHz survey is straightforward in practice. Open Frequency Analyzer, walk the space slowly, and watch which frequencies show activity. You're not capturing signals yet. You're building a map of what's broadcasting and roughly where. Log every frequency that shows consistent activity, note the approximate signal strength, and record whether the modulation looks narrow or wide-band. Residential environments typically show activity around 433.92 MHz almost immediately: weather stations, tire pressure monitors, key fobs, and cheap remote-controlled outlets all cluster there. The 315 MHz range is common in older North American equipment. The 868 MHz band appears more frequently in European devices and some modern alarm sensors.
Commercial environments tell a different story. Access control remotes, gate operators, wireless alarm sensors, and loading dock systems all add traffic. Some of that traffic is intermittent and easy to miss on a quick walk-through. Patience matters here. A sensor that only transmits when tripped won't show up during a passive walk unless something triggers it.
What Unexpected Signals Tell You About a Space
Identifying a signal type doesn't require decoding its content. A signal at 433.92 MHz with AM modulation and a short, repeated burst pattern is almost certainly a remote control or a sensor reporting state. You don't need to read the key to know a wireless device is present and active. That's useful information on its own, particularly when you're assessing whether a space has more wireless infrastructure than its occupants realize.
Passive Observation vs. Active Capture
Running Frequency Analyzer without transmitting anything is a passive observation activity. You're not interacting with any device. In most jurisdictions, passive radio monitoring of unencrypted signals in unlicensed bands carries no legal restriction. Capturing signals intended for another party's device, even passively, enters murkier ethical territory. Know the difference before you start logging.
Documenting Field Captures Responsibly
Log every finding with at minimum: frequency, observed signal strength, modulation type, estimated device class, and the time of observation. Synchronize your written or digital notes with the SD card captures from that session. A field notebook entry that says "433.92 MHz, strong signal, AM, likely weather station, northwest corner of property" is infinitely more useful six months later than an unlabeled .sub file sitting in a folder called "misc."
Field documentation builds a skill that transfers directly into professional security assessment work. It also builds your own intuition about what a healthy versus anomalous wireless environment looks like.
Defensive Lessons: What Sub-GHz Vulnerabilities Teach Us About Wireless Security
The most valuable thing Sub-GHz reconnaissance teaches you isn't how to capture signals. It's how to recognize when a system is built on assumptions that were outdated before you were born.
Static Codes: The Weakest Link
Fixed-code or static-code systems transmit the same signal every single time you press the button. The receiver accepts any transmission that matches its stored code. There is no session, no handshake, no counter. Capture the code once and you can replay it indefinitely.
This isn't a theoretical vulnerability. Older garage door openers manufactured before the mid-1990s almost universally use static codes. A significant number of decorative gate controllers, cheap remote-controlled locks, and entry-level alarm remotes sold well into the 2010s still use them. Some continue to ship today in low-cost consumer hardware.
Rolling Codes: A Meaningful Improvement
Rolling-code systems, primarily KeeLoq and AUT64, advance the transmitted code with every button press using a synchronized counter between the remote and the receiver. Capturing a rolling-code signal and replaying it fails because the receiver has already moved past that counter value. This is a genuine security improvement.
It isn't perfect. Relay attacks bypass rolling codes entirely by extending the range between a key fob and a receiver in real time rather than replaying a captured signal. Desync attacks can, under specific conditions, force a receiver to accept an older code. These are not trivial attacks, but they exist and they work.
What Raw Captures Reveal About Protocol Maturity
When you capture a signal and Flipper can decode it cleanly into a named protocol, that tells you something important: the transmission is plaintext over air. There's no encryption layer between the button press and the receiver. The data is just modulated radio energy that any receiver tuned to the right frequency can read. The existence of a decoded signal is itself a security observation.
Unknown Captures Carry Unknown Risk
If you capture a RAW signal and can't identify what device it came from or what it controls, treat it with caution. You don't know what that signal does. Replaying an unknown capture is not a learning exercise. It's pressing a button you can't read in a room you can't see.
Practical Hardening Recommendations
Check your own garage opener first. If it was manufactured before 2000 and you've never replaced the receiver board, it almost certainly uses a static code. Replacing the opener or installing a rolling-code retrofit kit is a weekend project that meaningfully improves your security posture. For home alarm sensors, physically inspect the hardware. Check the brand, look up the model, and verify whether the wireless protocol uses rolling codes or static transmission. Wireless-only alarm systems with no wired backup sensor loop are vulnerable to jamming: a sustained transmission on 433.92 MHz can prevent sensors from reporting to the panel without triggering any alert. A hybrid system with wired zones for critical entry points is more resilient.
Sub-GHz reconnaissance isn't a toolkit for attacking systems. It's a diagnostic lens. Point it at your own environment first.
Ethics, Legality, and the Responsible Operator's Mindset
The Flipper Zero is a legal device. What you do with it determines whether your use is legal. That distinction is not a technicality. It's the entire framework.
The Receive vs. Transmit Legal Distinction
In most jurisdictions, passive reception of radio signals in unlicensed frequency bands is not regulated. You can listen. Frequency Analyzer, passive Read mode, and RAW capture of signals in the 315 MHz, 433 MHz, and 868 MHz bands generally fall into this category. Transmission is different. Transmitting in those bands is permitted under specific power and duty-cycle limits, but transmitting signals intended to interact with devices you don't own or control is a separate matter entirely, and in many places it's a separate offense.
Intercepting communications with intent to use them is illegal in many jurisdictions regardless of whether the interception itself was passive. Capturing a neighbor's garage code and using it is not a gray area. It's unauthorized access.
Consent and Scope in Sub-GHz Work
If you're conducting a Sub-GHz assessment for a client, get written permission before you start. Define the scope explicitly: which frequencies, which devices, which physical locations. "I was just curious" is not a defense in a federal computer crime proceeding, and neither is "I was learning."
The Permission Standard
Written permission, defined scope, documented methodology. If you can't check all three boxes before you start transmitting, you shouldn't be transmitting.
The One Rule That Covers Everything
This series has stated it before and will state it again.
"Own it, have explicit permission for it, or observe it passively only. Everything else is someone else's property."
That rule covers every scenario this series addresses. It covers Sub-GHz. It will cover everything that comes after Sub-GHz. If you apply it consistently, you'll stay on the right side of both the law and your own professional integrity.
Part 5 Lab Checklist: Your Sub-GHz Reconnaissance Workflow
What Comes Next: Previewing Part 6 and Continuing the Grimoire
Sub-GHz is the layer where the physical world talks to itself without expecting anyone to listen. You now know how to listen, how to document what you hear, and how to evaluate what it means for the security of your own environment. Frequency identification, signal capture, protocol comparison, and defensive analysis: those are real skills, and they compound.
Part 6 moves into a different kind of wireless territory. The signals get shorter, the devices get more personal, and the attack surface gets considerably more interesting. Keep your SD card organized and your documentation current. The grimoire builds on itself. Every capture you make now is a reference you'll return to later, and the parts ahead will assume you have them.
Finish the lab. Then come back.
