Part 2 walked through the Flipper Zero hardware itself: what the modules do, how signals move through the device, and why this particular tool earns its place in a serious wireless recon kit. That foundation matters. But knowing what a tool does and knowing how to stage it for reliable fieldwork are two different things.
This part is about the second one.
Before any capture session, before any GPIO experiment, before any Sub-GHz sweep, there's a setup sequence that separates clean data from noise and reproducible results from one-off luck. Momentum firmware is at the center of that sequence. So are SD card structure, physical board preparation, and a disciplined approach to the tools you install. None of it is glamorous. All of it matters.
If you've ever chased a phantom firmware bug for two hours only to discover the SD card was corrupted from the start, you already understand why this part exists.
Why Preparation Is the Actual First Skill
Sloppy Rigs Produce Sloppy Data
Most wireless recon failures don't happen because someone used the wrong technique. They happen earlier than that. A firmware version that doesn't match the installed apps. An SD card that silently drops writes under load. A GPIO header that makes intermittent contact because nobody checked the seating before heading into the field. The capture looks fine until it doesn't, and by then you're not sure whether the anomaly is real or an artifact of your own setup.
That's the core problem with skipping preparation. You can't trust your data if you can't trust your rig.
"The most common source of false positives in wireless captures isn't signal interference. It's investigator error introduced before the first packet is ever recorded."
Professional RF analysts treat rig setup as a repeatable procedure, not a pre-flight suggestion. Every session starts from a known state. Firmware version confirmed. SD card verified. Connections checked. Apps validated. That discipline is what makes results defensible.
What This Part Covers
This part moves through five areas in sequence. First, Momentum firmware: what it is, why it replaces stock, and how to install it cleanly. Second, SD card structure: how to verify health, set up the right folder layout, and establish naming conventions that make documentation fast instead of painful. Third, GPIO basics: what the pins do, how to read the pinout, and how to avoid the connections that will damage your board. Fourth, physical board setup: seating the NRF24 module and the ESP32 correctly before power is ever applied. Fifth, Momentum tool inventory: the external apps this series depends on and how to confirm they're installed and functional.
By the end of this part, you'll have a fully staged rig in a known good state. Every part that follows builds on that foundation.
Backing Up Your Flipper Before Anything Else
What Lives on Your Flipper That You Can Lose
The Flipper Zero isn't just a signal tool. Over time it becomes a personal archive. Sub-GHz captures from previous sessions. NFC dumps of cards you've analyzed. IR remote profiles you've built or collected. iButton key records. Custom app configurations. Saved frequency files. If you've been using your device for more than a few weeks, there's data on that SD card that doesn't exist anywhere else.
Firmware upgrades can restructure or wipe SD card folders, especially when you're switching firmware families entirely, which is exactly what moving from stock to Momentum involves. The upgrade process itself doesn't target your data, but folder reorganization on first boot can orphan files, and some app configs are stored in locations that change between firmware families.
Don't Skip This Step
A full backup takes under two minutes. Recovering lost NFC dumps or Sub-GHz captures without a backup can take hours, or be impossible entirely if the original source is no longer accessible.
How to Pull a Full Backup
Open qFlipper on your desktop and connect your Flipper via USB. Once the device is recognized, navigate to the device panel and select the backup option from the top menu. qFlipper will pull the entire SD card contents and the device configuration into a single archive file and save it to your host machine. On Windows, that file lands in your Documents folder under a qFlipper directory. On macOS, it goes to your home directory under the same folder name.
The backup file is a standard archive. You can open it and inspect the contents before you do anything else.
To restore from a backup, connect the device, open qFlipper, and select the restore option from the same menu. Point it at the archive file and let it run. The restore process rewrites the SD card structure and configuration to match the backup state exactly.
Do this before touching the firmware. Every time.
Updating Official Firmware First
Why You Start With Stock Before Going Custom
Momentum firmware is built on top of the official Flipper Zero codebase. That means it inherits the bootloader and low-level hardware drivers from whatever official firmware version was present at flash time. If those components are outdated, Momentum can behave unpredictably: apps that crash on launch, GPIO behavior that doesn't match documentation, Sub-GHz ranges that don't unlock correctly, or a device that boots into a recovery loop.
The fix is straightforward. Run the official firmware update first. That ensures the bootloader is current, the hardware drivers are patched, and the base layer Momentum builds on is solid.
Running the Official Update via qFlipper
Connect your Flipper to qFlipper and look at the firmware channel selector. You'll see three options: Release, Release Candidate, and Development. Release Candidate builds are functional but haven't completed the full validation cycle. Development builds are exactly what they sound like. For this step, select Release and install the latest version in that channel.
qFlipper downloads the firmware package, flashes the device, and reboots it automatically. The whole process takes about three minutes on a decent connection. When the device comes back up, navigate through the stock menus: Sub-GHz, NFC, Infrared, iButton, GPIO. Confirm everything is accessible and the interface responds normally.
If the device boots cleanly and all menus are reachable, the base layer is good. You're ready to install Momentum on top of it.
Skipping this step is a common source of hard-to-diagnose Momentum issues. The symptoms are inconsistent enough that people spend significant time troubleshooting the custom firmware when the actual problem is a stale bootloader underneath it.
Installing Momentum Firmware
What Momentum Adds Over Stock
Momentum firmware is a community-maintained fork of the official Flipper Zero firmware. The project focuses on three things the stock firmware doesn't prioritize: expanded external app support, deeper GPIO control, and extended Sub-GHz frequency ranges that cover bands the official firmware restricts by region. For wireless reconnaissance work, those additions aren't optional extras. They're the difference between a capable tool and a limited one.
Momentum also ships with a more active app ecosystem. The apps this series depends on, including NRF24 tools and the ESP32 Marauder companion, are built and maintained against Momentum releases. Running them on stock firmware is possible in some cases but produces version mismatch problems that waste time.
Installation Methods: Web Updater vs. Manual Flash
The recommended method is the web updater at momentum-fw.com. Connect your Flipper via USB, open the site in a Chromium-based browser (Chrome or Edge; Firefox doesn't support WebUSB), select your channel, and click flash. The updater handles everything: download, verification, and write. It's the fastest path to a clean install and the one least likely to introduce errors.
The manual method exists for users who want to inspect the package before flashing or who are working in environments without reliable internet access. Download the .dfu file from the Momentum GitHub releases page, open qFlipper, navigate to the advanced update option, point it at the .dfu file, and flash. The result is identical to the web updater method.
For channel selection, Momentum offers stable and edge. Edge gets new features faster but also gets new bugs faster. For reconnaissance work where data integrity matters, stable is the right choice. Edge is fine for experimentation on a secondary device.
Confirming a Successful Install
When the device reboots after flashing, navigate to Settings > Firmware. The version string should display Momentum branding alongside the build number. If you see the stock firmware version string, the flash didn't take and you need to repeat the process.
On first boot, Momentum may regenerate the SD card folder structure. Some folders will appear that weren't there before, and a few may be renamed. This is expected behavior. It's not deleting your files; it's creating the directory structure the firmware expects. Your backup from earlier covers you if anything looks wrong.
SD Card Health and Folder Structure
Checking SD Card Health Before Trusting It With Captures
Momentum inherits the SD card diagnostic tool from the stock firmware. Navigate to Settings > Storage > SD Card Info to pull basic health information, and run the benchmark from the same menu. A healthy card shows consistent read and write speeds with no reported errors. A card that fails the write test or returns inconsistent speeds is one you don't want in the field.
Card quality matters more than most people expect. The Flipper writes captures continuously during active sessions. A slow or failing card introduces write latency that can corrupt capture files or drop data silently. Neither failure mode announces itself clearly.
Card Recommendation
Use a Class 10 or UHS-I microSD card at 32GB or smaller. Larger cards introduce compatibility quirks with the Flipper's FAT32 implementation. Name brands from SanDisk or Samsung in the 16GB to 32GB range have the strongest track record with this hardware.
The Recommended Folder Layout for Wireless Recon
Momentum creates its own top-level folders on first boot: /subghz/, /nfc/, /infrared/, /ibutton/, /apps/, and a few others. Those are the firmware's working directories and you should leave them where they are.
The recon-specific structure sits alongside them. Create the following:
- /subghz/captures/ for raw Sub-GHz capture files
- /nrf/captures/ for NRF24 session logs
- /marauder/ for ESP32 Marauder output files
- /logs/ for any text-based session logs
- /evidence/ for organized, session-specific archives
The /evidence/ folder is where session discipline lives. Each engagement or test session gets its own dated subfolder inside /evidence/. Captures stay in their protocol-specific folders during a session and get copied into the evidence subfolder when the session closes. That separation means you never mix captures from different sessions and you always know exactly where a given file came from.
Naming Conventions That Save You Later
Every saved file should follow the same pattern: YYYYMMDD_location_protocol_description. A Sub-GHz capture from a parking lot access point becomes 20260510_parkinglot_subghz_garagedoor_433mhz. An NRF24 session log from a home lab test becomes 20260510_homelab_nrf24_mousejack_scan01.
That format looks verbose until you have forty captures from six sessions and need to find a specific one in three minutes. Consistent naming makes reporting faster, makes review faster, and makes it obvious when something is out of place.
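The session-close step and the naming check described above can be scripted on the host once the SD card is mounted. The following is an added example, not code from this series or from the Momentum project. It assumes the evidence subfolder is named YYYYMMDD_location, that name fields are lowercase letters and digits, and that a SHA256SUMS.txt manifest is wanted; those three choices are assumptions of the example.

```python
import hashlib
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Capture folders from the layout above, relative to the SD card root.
CAPTURE_DIRS = ["subghz/captures", "nrf/captures", "marauder", "logs"]
# YYYYMMDD_location_protocol_description; the description may contain underscores.
NAME_RE = re.compile(r"^(\d{8})_([a-z0-9]+)_([a-z0-9]+)_([a-z0-9_]+)$")

def parse_name(filename):
    """Return the convention's fields, or None if the name does not follow it."""
    m = NAME_RE.match(Path(filename).stem)
    if not m:
        return None
    try:
        datetime.strptime(m.group(1), "%Y%m%d")  # reject impossible dates
    except ValueError:
        return None
    return dict(zip(("date", "location", "protocol", "description"), m.groups()))

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def close_session(sd_root, date, location):
    """Copy one session's captures into /evidence/ and write a hash manifest."""
    # Returns (copied, misnamed): files archived, and files whose names break
    # the convention and need a rename before they can be filed.
    sd_root = Path(sd_root)
    dest = sd_root / "evidence" / f"{date}_{location}"  # assumed subfolder name
    copied, misnamed, manifest = [], [], []
    for rel_dir in CAPTURE_DIRS:
        folder = sd_root / rel_dir
        if not folder.is_dir():
            continue
        for src in sorted(p for p in folder.iterdir() if p.is_file()):
            rel = src.relative_to(sd_root).as_posix()
            fields = parse_name(src.name)
            if fields is None:
                misnamed.append(rel)
                continue
            if (fields["date"], fields["location"]) != (date, location):
                continue  # another session's file; sessions are never mixed
            target = dest / rel_dir / src.name
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, target)
            digest = sha256_of(target)
            if digest != sha256_of(src):  # catches a card that drops writes
                raise OSError(f"copy of {rel} does not match its source")
            manifest.append(f"{digest}  {rel}")
            copied.append(rel)
    if manifest:
        (dest / "SHA256SUMS.txt").write_text("\n".join(manifest) + "\n")
    return copied, misnamed

def demo():
    """Run close_session over a constructed SD card tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {  # constructed sample files, not real captures
            "subghz/captures/20260510_parkinglot_subghz_garagedoor_433mhz.sub": b"raw-a",
            "subghz/captures/20260422_homelab_subghz_doorbell_315mhz.sub": b"raw-b",
            "nrf/captures/20260510_parkinglot_nrf24_scan01.txt": b"log-c",
            "logs/session notes.txt": b"untitled",
        }
        for rel, data in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        copied, misnamed = close_session(root, "20260510", "parkinglot")
        manifest = (root / "evidence/20260510_parkinglot/SHA256SUMS.txt").read_text()
        return copied, misnamed, manifest

if __name__ == "__main__":
    print(demo())
```

Files reported as misnamed are left in place so they can be renamed and picked up on the next run.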
Installing and Updating External Apps
What External Apps Are and Why They Matter
Momentum supports a class of applications stored directly on the SD card as .fap files, compiled app packages that load at runtime without requiring a firmware reflash. This architecture means the app ecosystem can move faster than the firmware release cycle, and it means you can add, remove, or update individual tools without touching the base firmware at all.
For wireless recon work, that flexibility is significant. The tools this series depends on are external apps. They're maintained by separate contributors, updated on their own schedules, and installed independently of each other.
Installing Apps Through the Momentum App Loader
The primary installation path is the Momentum App Loader, accessible from the Apps menu on the device itself when connected to the internet via a companion setup, or through qFlipper's app catalog tab on the desktop. Browse by category, select the app, and install. The .fap file is written directly to the appropriate subfolder under /apps/ on the SD card.
Apps must match the firmware version they're installed against. A .fap compiled for a different Momentum build version will crash at launch, usually with a generic error that doesn't explain the actual cause. Always install apps through the catalog for your current firmware version, not from third-party sources unless you're certain the build target matches.
To update apps without reinstalling Momentum, re-run the app loader and let it check versions, or replace the .fap file manually on the SD card with the correct version for your current firmware build.
Which Apps to Prioritize for This Series
Install these five before moving to Part 4:
- NRF24 Sniffer: passive packet capture for NRF24-based devices
- NRF24 Scanner: active device detection and channel mapping
- ESP32 Marauder companion: the Flipper-side interface for Marauder sessions
- BLE spam detector: monitors for Bluetooth advertisement floods
- Sub-GHz playlist tools: queues and replays multiple Sub-GHz captures in sequence
After installing each one, launch it from the Apps menu and confirm it reaches its main screen without crashing. A clean launch confirms the version matches. A crash on launch means the .fap version is wrong and needs to be replaced before you rely on it in the field.
Part 4 moves into active territory. The NRF24 module gets wired to the GPIO header, the pinout gets explained in full, and you'll run your first live scan against a real target device. The physical connection work is straightforward once you understand what each pin is doing and why the order of operations matters. That's exactly where Part 4 starts.
GPIO Basics: Connecting Your Expansion Board Safely
The Flipper Zero's GPIO header is small, exposed, and unforgiving if you treat it carelessly. Seventeen pins of actual signal and power, plus one pin-1 marker, arranged in two rows along the top edge of the device. Get the connection right and you have a capable wireless platform. Get it wrong and you have a bent pin, a shorted rail, or a dead peripheral. The margin for error is narrow enough that it's worth slowing down.
Understanding the Flipper GPIO Header
The header runs 18 pins total, numbered from pin 1 in the upper left when the Flipper screen faces you. The key pins you'll use constantly are 3.3V (pin 9), 5V (pin 1), and GND at pins 8, 11, and 18. UART TX and RX sit at pins 13 and 14, useful for serial communication with modules that expose a UART interface. SPI is spread across pins 2, 3, 4, and 5 (SCK, MOSI, MISO, and CS respectively). The remaining pins are general-purpose I/O, some of which double as additional hardware functions depending on firmware configuration.
Momentum exposes all of these through its GPIO menu, which lets you read pin states in real time. That menu is your first diagnostic stop whenever a connected module isn't behaving.
Pin Numbering Reference
Pin 1 is marked with a small triangle or dot on the Flipper Zero's case near the header. Your expansion board will have a corresponding marker, usually a printed "1" or a silkscreen dot. These two marks must align before you seat the board.
Orientation, Alignment, and Pin Inspection
Power the Flipper off before touching the GPIO header. This is not optional. Even low-voltage shorts during hot-plugging can corrupt firmware state or damage GPIO circuitry.
Once the device is off, hold the expansion board above the header and locate the pin-1 markers on both sides. They should line up cleanly. Set the board down onto the header without pressing yet, and look at the pin alignment from the side. Every pin should drop straight into its corresponding socket with no lateral offset. Then press down evenly with two thumbs, applying pressure across the full width of the board rather than rocking it. A properly seated board clicks or stops with a firm, flat feel against the Flipper body.
After seating, inspect from both ends of the header. Any pin that's visibly angled, pushed sideways, or not fully inserted means you need to reseat. Don't power on with a misaligned pin.
The 5V Rail Rule
The 5V rail on pin 1 is disabled by default in Momentum. That's intentional. Most expansion boards and peripheral modules run on 3.3V logic, and connecting a 5V rail to a 3.3V-only device can destroy it immediately.
Enable 5V only when the module you're using explicitly requires it in its documentation. Navigate to GPIO in Momentum's main menu, select GPIO Pins, and toggle the 5V output from there. When your test is done, go back and disable it. Don't leave it on between sessions.
5V Rail Warning
Leaving the 5V rail enabled drains battery faster and creates a live hazard for any 3.3V-only peripheral you connect later without thinking. Disable it as a habit, every time, without exception.
The 3.3V rail on pin 9 is always active when the Flipper is on. Most modules draw from that rail and never need the 5V line at all. When in doubt, leave 5V off.
Physical Board Setup: Antennas, Heat, and Battery Discipline
An expansion board sitting on your desk looks like a single piece of hardware. In the field, it's actually three or four separate radio systems sharing a power rail and a physical chassis. Each of those radios needs its own antenna. Mixing them up, or forgetting to attach one, creates problems that range from degraded range to a burned power amplifier. Neither outcome is acceptable.
Attaching and Labeling Antennas
Most Wi-Fi expansion boards expose at least two U.FL or SMA connectors: one for the ESP32 Wi-Fi module, sometimes a second for an external CC1101 Sub-GHz module, and a third for an NRF24L01 2.4GHz module if the board includes one. The connectors are often unlabeled or labeled with tiny silkscreen text that's unreadable in low light.
Before any field session, label every antenna connector and its corresponding cable with small colored tape or a fine-tip marker. One color per radio. Do this once, on day one, and you'll never accidentally run the wrong antenna on the wrong connector again. It takes four minutes and saves genuine hardware damage later.
Never Run a Radio Module Without Its Antenna
This is physics, not preference. When a transmitting radio module has no antenna, the RF energy it generates has nowhere to go. It reflects back into the power amplifier stage of the module. That reflected power converts to heat inside the PA, and PA stages are not designed to absorb it. Run a module antenna-free for long enough and the PA burns out. The module stops transmitting. Sometimes it stops working entirely.
This applies to every active radio on the board. The ESP32 Wi-Fi module during Marauder scans. The CC1101 if you're transmitting Sub-GHz signals. The NRF24L01 if you're in any mode that involves active packet injection. Passive sniffing on NRF24 draws minimal power and carries lower risk, but the habit of always having antennas attached before powering on is worth building regardless.
Antenna Rule
No radio module transmits without its antenna attached. Check before you power on. Check again before you run any active tool. This rule doesn't have exceptions.
Managing Heat and Battery Drain During Testing
For your first sessions with an expansion board, keep initial runs to 10 to 15 minutes. That's enough time to confirm tools load, signals appear, and nothing misbehaves. It's also enough time to catch heat buildup before it becomes a problem.
After 10 minutes, flip the board over and touch the underside. It should be warm, not hot. A board that's hot enough to be uncomfortable is dissipating too much power, which usually means something is running that shouldn't be, or the 5V rail is enabled unnecessarily. Rapid battery percentage drops, more than about 15 percent in 10 minutes of light scanning, point to the same issue. Unexpected reboots are a harder sign: the Flipper's battery voltage is sagging under load.
Check battery level before every field session. Carry a USB power bank for anything longer than 30 minutes of active work. A dead Flipper mid-capture is an annoyance at a desk and a real problem in the field.
Momentum Tool Inventory: What You Have and What It Does
Before you use any tool seriously, you should know what every tool does at a basic level. Not how to operate it in depth, that comes in later parts, but what its purpose is, what kind of data it produces, and where it fits in a reconnaissance workflow. This section is orientation. The deep dives come later.
GPIO Control Menu
Navigate to GPIO from Momentum's main menu. This screen shows the current state of every pin on the header: high, low, or floating. It's your first stop when a connected module isn't responding. If a module that should be drawing 3.3V shows a floating pin where you expect a logic-high signal, the board isn't seated correctly or the module isn't initializing.
The 5V toggle lives here. Confirm it works, then turn it off.
Sub-GHz Tools: Frequency Analyzer, Read, and Read RAW
Sub-GHz in the main menu contains three tools you'll use constantly.
Frequency Analyzer is a passive scan. It doesn't transmit anything. It sweeps the Sub-GHz spectrum and displays signal energy as a visual graph, showing you where activity is happening before you commit to any specific frequency. Always start here. It's the least invasive tool in the Sub-GHz suite and gives you the lay of the RF environment before you do anything else.
Read locks to a specific frequency and protocol. Once locked, it attempts to decode incoming signals using Flipper's library of known formats: garage doors, key fobs, weather stations, and similar devices. When it recognizes a signal, it displays the decoded data. When it doesn't, it tells you something is there but can't identify it.
Read RAW doesn't try to decode anything. It records the raw waveform of whatever signal it receives at the tuned frequency. That raw recording can be replayed later, analyzed externally, or used to reverse-engineer an unknown protocol. For anything that Read doesn't recognize, Read RAW is the next step.
External CC1101 Note
Momentum allows you to route Sub-GHz operations through an external CC1101 module connected via GPIO instead of the Flipper's internal Sub-GHz radio. The external module can offer extended range and access to frequency bands outside the internal radio's range. This setting lives inside the Sub-GHz menu under the configuration options.
External CC1101 Configuration
When an external CC1101 module is connected and configured, Momentum routes Sub-GHz operations through it instead of the internal radio. This matters for range and for specific frequency bands that the internal module doesn't cover well. You'll configure this in Part 5 when the Sub-GHz deep-dive begins.
NRF24 Apps
The NRF24 Sniffer and NRF24 Scanner apps operate on the 2.4GHz band using an NRF24L01 module connected via GPIO. Both are passive tools. The scanner maps active 2.4GHz channels and shows traffic presence. The sniffer captures packet data from NRF24L01-based devices, which includes a surprising number of wireless keyboards, mice, and other consumer peripherals that use the NRF24 protocol stack without any encryption.
"The NRF24 sniffer doesn't care what the device thinks it's doing privately. It just reads what's in the air."
Wi-Fi Marauder App
Wi-Fi Marauder is the Flipper-side interface for the ESP32 Marauder firmware you installed in Part 2. The app sends commands from the Flipper to the ESP32 over a serial connection and displays the results on the Flipper screen. The ESP32 does the actual 802.11 work. The Flipper is the terminal. You'll spend significant time in this app starting in Part 6.
BLE Scanner Apps
Bluetooth Low Energy scanner apps enumerate BLE advertisement packets from nearby devices. Every BLE device broadcasts advertisements periodically, announcing its presence and sometimes its capabilities. The scanner collects those broadcasts, shows device addresses and signal strength, and lets you build a picture of what's operating in a given space. It's useful for device inventory and proximity mapping before any deeper analysis.
Your Part 3 Preparation Checklist
Complete These Before Moving to Part 4
Everything in Part 4 assumes this list is done. Not mostly done. Finished. A skipped step here creates a compounding problem two sessions from now, and diagnosing it will take longer than doing the prep correctly today.
What Comes Next: From Setup to Signal
You now have a Flipper Zero running Momentum firmware with a healthy SD card, a properly seated expansion board, labeled antennas, and a working mental map of every tool in the suite. That's not a trivial starting point. Most people who pick up a Flipper spend weeks in a state of partial setup, wondering why things don't work, because they skipped the foundation. You didn't skip it.
Part 4 is where the actual work begins. You'll open the Sub-GHz Frequency Analyzer for the first time in a real environment and start mapping the RF landscape around you: which frequencies are active, what kind of signal density you're dealing with, and how to identify bands worth investigating further. It's the first active reconnaissance session in this series, and everything you've set up in Parts 2 and 3 is what makes it possible.
Take your time with the checklist. Don't rush into captures. The preparation you've done here is the foundation every subsequent part builds on, and arriving at Part 4 with a clean, confirmed setup means you spend that session learning signals instead of debugging hardware.