Radio is everywhere. Not metaphorically. Literally, physically everywhere, passing through your walls, your body, your coffee, your sleep. Every Bluetooth speaker, every garage door opener, every contactless payment terminal, every baby monitor on your block is adding its voice to a shared electromagnetic conversation that never stops. Most people live inside that conversation without ever knowing it exists.
This part of the Grimoire is about learning to hear it.
Parts 1 through 3 built the foundation. Part 1 introduced the Flipper Zero as a tool and established the philosophy of this series: curious, methodical, legal, and genuinely technical. Part 2 walked through the hardware itself, what each module does and why the architecture matters. Part 3 got hands-on with the sub-GHz interface, capturing and replaying simple signals for the first time. If you haven't read those, they're worth starting from. If you have, you're exactly where you need to be.
Part 4 is different. There's nothing to capture today. No replays, no saves, no button presses. This part is entirely conceptual, and that's intentional. Before you can use a tool intelligently, you need a mental model of what the tool is actually measuring. Skipping this step is how people end up pressing buttons without understanding what they're doing, which is a fast road to confusion and a slow road to competence.
The mental model this part builds has five components: where a signal lives on the spectrum (frequency), how it carries information (modulation), what language it speaks (protocol), how strong it is at your receiver (RSSI), and how often it appears (duty cycle and timing). Each concept builds on the last. By the end, you'll have a framework for thinking about any wireless signal you encounter, not just the ones the Flipper Zero already knows.
The Invisible Ocean You're Already Swimming In
Why Radio Literacy Matters Before You Touch Any Tool
There's a version of wireless hacking education that skips straight to the tool. Download the firmware, open the app, scan for signals, capture something, feel clever. That version exists, and it produces people who can repeat specific steps without understanding why those steps work. The moment something unexpected happens, they're stuck.
Radio literacy is different. It means understanding the medium itself, not just the menu options. When you know why a 433 MHz signal reaches farther than a 2.4 GHz one, you stop being surprised when your car key fob works from a concrete parking garage. When you understand modulation, you know why the Flipper Zero needs to be configured correctly before a capture attempt. The tool becomes transparent, and the physics becomes visible.
The electromagnetic spectrum is a shared public resource. Nobody owns it. Everybody uses it. Right now, without any effort on your part, dozens of signals are passing through the room you're sitting in. Some are regulated and licensed. Some operate in unlicensed bands that any device can use, provided it follows the power and duty cycle rules set by bodies like the FCC or Ofcom. Tools like the Flipper Zero operate inside this ocean as both receivers and transmitters. Understanding the ocean is step one.
How This Part Fits the Grimoire Series
The Grimoire series is structured so that conceptual parts earn their place. Part 4 sits here, after the first hands-on work in Part 3, because you now have enough practical context to make the theory stick. You've seen the sub-GHz interface. You've captured a signal. You have a sensory memory of what "receiving" feels like on the device. Now the concepts have something to attach to.
The five-part mental model introduced above runs through every remaining section of this article: frequency, modulation, protocol, RSSI, and timing. Each one answers a specific question about any wireless signal you encounter. Together, they give you a complete first-pass analysis framework. You won't need an engineering degree to use it. You'll need to read the next several sections carefully.
What Is the Spectrum?
The Electromagnetic Spectrum as a Highway System
The electromagnetic spectrum is the full range of frequencies at which energy can travel as waves. It runs from extremely low frequencies, measured in a few hertz, all the way up through radio, microwave, infrared, visible light, ultraviolet, X-ray, and gamma radiation. The physics is continuous. The categories are human-made, drawn for regulatory and engineering convenience.
Think of it as a highway system. Different frequency bands are different roads, each with different speed limits and different kinds of traffic. A rural two-lane road moves slower but handles heavy loads over long distances. A city expressway moves faster but gets congested and doesn't reach the countryside. Radio frequencies work the same way. Lower frequencies travel farther, penetrate obstacles more easily, and carry less data per second. Higher frequencies carry more data but lose energy quickly over distance.
Every country's government regulates this highway. In the United States, the FCC (Federal Communications Commission) assigns frequency bands to specific uses and licenses. In the UK, Ofcom does the same. Internationally, the ITU (International Telecommunication Union) coordinates spectrum allocation across borders. Within this regulated structure, certain bands are designated as unlicensed, meaning any device can use them without a license, provided it operates within defined power limits and follows interference rules. These unlicensed bands are where most consumer wireless technology lives.
Which Bands Actually Matter for Wireless Reconnaissance
For Flipper Zero work, three frequency regions dominate. The first is sub-1 GHz, specifically the 300 MHz to 900 MHz range. This is where garage door openers, car key fobs, weather sensors, alarm systems, and remote controls operate. The 433.92 MHz and 315 MHz frequencies are the most common. The second is 2.4 GHz, home to Wi-Fi (802.11b/g/n), Bluetooth, Zigbee, and a significant portion of IoT devices. The third is 5 GHz, used by newer Wi-Fi standards and some specialized wireless systems, though less relevant for basic Flipper reconnaissance.
NFC operates at 13.56 MHz, well below the 300 to 900 MHz region just described, and deserves its own mention because it's one of the most common targets in access control work.
Why Unlicensed Bands Exist
Unlicensed bands like 433 MHz and 2.4 GHz were deliberately set aside so that consumer devices could operate without requiring individual licenses. The trade-off is that these bands are crowded, uncoordinated, and subject to interference from any device that follows the power rules. This is why your Wi-Fi slows down when your neighbor runs their microwave.
What Is Frequency?
Cycles Per Second: The Simple Truth
Frequency is the number of times a wave completes a full cycle per second. The unit is the Hertz (Hz), named after Heinrich Hertz, who proved the existence of electromagnetic waves in the 1880s. One Hz means one cycle per second. One kilohertz (kHz) is a thousand cycles per second. One megahertz (MHz) is a million. One gigahertz (GHz) is a billion.
Frequency and wavelength are inversely related. Higher frequency means shorter wavelength. Lower frequency means longer wavelength. This isn't abstract. It has direct physical consequences for how signals behave in the real world.
Why Frequency Determines Range, Penetration, and Interference
Lower frequencies travel farther and pass through solid materials more easily. A 433 MHz garage door opener signal can punch through concrete walls, wooden doors, and metal-framed structures with relatively little degradation. That's why your car key fob works from inside a parking garage several levels underground. The signal is long-wavelength enough to find its way around and through obstacles.
Higher frequencies carry more data because they complete more cycles per second, giving more opportunities to encode information. But they lose energy faster over distance and get absorbed or reflected by walls, furniture, and even people. 2.4 GHz Wi-Fi has a typical indoor range of 30 to 50 meters under good conditions. 13.56 MHz NFC cards are deliberately limited to a few centimeters of range, which is a security feature, not a flaw.
The practical rule for reconnaissance is this: frequency tells you where the signal lives on the spectrum. Once you know the frequency, you know which band to monitor, which hardware settings to apply, and roughly what kind of device you're looking for.
Common frequencies you'll encounter with Flipper Zero work include 315 MHz (North American garage doors and key fobs), 433.92 MHz (European and global remotes), 868 MHz (European IoT and smart metering), 2.4 GHz (Wi-Fi, Bluetooth, Zigbee), and 13.56 MHz (NFC and RFID access cards). Each one behaves differently. Knowing the frequency is always the first question.
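To make the inverse relation between frequency and wavelength, and the range behaviour described above, concrete, here is a short added example in Python; it is not part of the Grimoire series. It uses the textbook free-space path loss formula (Friis), which models only distance and frequency, so the 433 MHz versus 2.4 GHz comparison it produces reflects free-space spreading alone; wall penetration and absorption add loss on top of that and are not modelled. The transmit power, distances and the `obstruction_db` allowance are constructed values.

```python
import math

C = 299_792_458.0  # speed of light, m/s

# Frequencies named in the text; the labels are descriptive, not a device database.
BANDS_HZ = {
    "13.56 MHz NFC": 13.56e6,
    "315 MHz key fob": 315e6,
    "433.92 MHz remote": 433.92e6,
    "868 MHz EU IoT": 868e6,
    "2.4 GHz Wi-Fi/BLE": 2.4e9,
}


def wavelength_m(freq_hz: float) -> float:
    """Wavelength in metres: lambda = c / f (longer wave at lower frequency)."""
    return C / freq_hz


def fspl_db(freq_hz: float, distance_m: float) -> float:
    """Free-space path loss in dB (Friis): 20 * log10(4 * pi * d * f / c).

    Every doubling of distance or of frequency adds about 6 dB of loss.
    """
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_hz / C)


def received_dbm(tx_dbm: float, freq_hz: float, distance_m: float,
                 obstruction_db: float = 0.0) -> float:
    """Expected RSSI in dBm: transmit power minus path loss minus any wall loss.

    obstruction_db is a constructed allowance for walls; it is not derived
    from the formula and in practice has to come from measurement.
    """
    return tx_dbm - fspl_db(freq_hz, distance_m) - obstruction_db


def band_comparison(distance_m: float, tx_dbm: float = 10.0) -> dict:
    """Expected free-space RSSI for each band at the same distance and power."""
    return {name: round(received_dbm(tx_dbm, f, distance_m), 1)
            for name, f in BANDS_HZ.items()}


if __name__ == "__main__":
    for name, f in BANDS_HZ.items():
        print(f"{name:20s} wavelength {wavelength_m(f):8.3f} m  "
              f"FSPL at 100 m {fspl_db(f, 100):6.1f} dB")
    # Constructed scenario: a 10 dBm transmitter 100 m away in free space.
    print(band_comparison(100.0))
```

Run it and the 2.4 GHz entry comes out about 15 dB weaker than the 433.92 MHz entry at the same distance and power, which is the whole reason the lower band reaches the parking garage: that gap is pure geometry, before any wall has been counted.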
What Is Modulation?
Amplitude, Frequency, and Phase: The Three Ways a Signal Speaks
A carrier wave on its own carries no information. It's just a steady oscillation at a fixed frequency. Modulation is the technique used to encode information onto that carrier wave by varying one of its properties in a controlled way.
There are three properties that can be varied. The first is amplitude, the height of the wave. AM (Amplitude Modulation) works like a volume knob. The carrier frequency stays constant, but the strength of the signal rises and falls to encode data. Old AM radio works this way. So do many simple remote control systems. The second is frequency. FM (Frequency Modulation) works like pitch-shifting. The amplitude stays roughly constant, but the frequency shifts slightly up or down to encode information. FM radio and many two-way radios use this approach. The third is phase, the timing offset of the wave relative to a reference. Phase modulation is less intuitive but forms the basis for many digital communication schemes.
For digital signals, the relevant modulation types are more specific. OOK (On-Off Keying) is the simplest: the carrier is either on or off, representing 1s and 0s. Most garage door openers and key fobs use OOK. ASK (Amplitude Shift Keying) is a generalization of OOK that uses multiple amplitude levels. FSK (Frequency Shift Keying) switches between two or more frequencies to encode bits. PSK (Phase Shift Keying) encodes data by shifting the phase of the carrier.
Why Modulation Is the Accent, Not the Language
Here's the postal analogy that makes this click. Frequency is the address on the envelope. It tells you which road the signal travels. Modulation is whether the letter inside is typed or handwritten. Both are valid ways of writing, but if your reading software only handles typed text, a handwritten letter is unreadable, even if it arrives at the right address.
"Setting the wrong modulation type is the single most common reason a Flipper Zero capture attempt produces nothing but noise."
The Flipper Zero and any SDR (Software Defined Radio) receiver must be configured to the correct modulation type before they can decode a signal. Receiving at the right frequency but with the wrong modulation setting produces garbage output. This is why modulation is the second question you ask, after frequency. It answers how the signal speaks, which is the physical delivery mechanism, not the meaning of what's being said.
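The claim that the wrong modulation setting produces only garbage can be shown directly. The following is an added Python example, not code from the Grimoire series or from the Flipper Zero firmware. It builds an OOK transmitter and the matching envelope-detector receiver in pure Python (a low audio-rate carrier stands in for an RF carrier so the sample counts stay small), then feeds that same OOK receiver a constant-amplitude FSK signal carrying identical bits. The sample rate, carrier tones, noise level and bit pattern are constructed values.

```python
import math
import random

SAMPLE_RATE = 48_000     # samples/s (constructed; stands in for an SDR sample rate)
SAMPLES_PER_BIT = 480    # 10 ms per bit, i.e. 100 bit/s
OOK_CARRIER_HZ = 2_000   # audio-rate stand-in for an RF carrier
FSK_MARK_HZ = 2_000      # FSK tone for a 1
FSK_SPACE_HZ = 1_000     # FSK tone for a 0


def ook_modulate(bits):
    """OOK: carrier on for a 1, carrier off for a 0. Information is in the amplitude."""
    samples = []
    phase = 0.0
    for bit in bits:
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase) if bit else 0.0)
            phase += 2 * math.pi * OOK_CARRIER_HZ / SAMPLE_RATE
    return samples


def fsk_modulate(bits):
    """FSK: amplitude stays constant, the frequency switches between two tones."""
    samples = []
    phase = 0.0
    for bit in bits:
        tone = FSK_MARK_HZ if bit else FSK_SPACE_HZ
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase += 2 * math.pi * tone / SAMPLE_RATE
    return samples


def add_noise(samples, sigma=0.1, seed=1):
    """Deterministic Gaussian noise so the demo is repeatable."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def ook_demodulate(samples, threshold=0.3):
    """Envelope detector: average |sample| per bit period, then threshold.

    A steady sine has a mean |x| of about 0.64, silence plus mild noise
    about 0.08, so 0.3 sits comfortably between them.
    """
    bits = []
    for start in range(0, len(samples), SAMPLES_PER_BIT):
        chunk = samples[start:start + SAMPLES_PER_BIT]
        envelope = sum(abs(s) for s in chunk) / len(chunk)
        bits.append(1 if envelope > threshold else 0)
    return bits


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed test pattern
    print("OOK through OOK receiver:", ook_demodulate(add_noise(ook_modulate(payload))))
    print("FSK through OOK receiver:", ook_demodulate(add_noise(fsk_modulate(payload))))
```

The second line of output is all ones: an FSK signal never drops its amplitude, so an envelope detector sees a carrier that is simply always on. The receiver was tuned to the right "address" and still read nothing, which is exactly the failure the quote above describes.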
What Is a Protocol?
The Language Layer Above the Physical Signal
Frequency tells you where. Modulation tells you how. Protocol tells you what it means.
A protocol is the agreed-upon set of rules that gives meaning to the bits being transmitted. Two devices can be operating on the same frequency, using the same modulation, and still be completely unintelligible to each other if they're speaking different protocols. This is the language layer. Modulation is the delivery mechanism. Protocol is the grammar, vocabulary, and sentence structure.
The distinction between the physical layer (frequency plus modulation) and the protocol layer (meaning of the data) is one of the most important concepts in wireless communications. The physical layer gets the bits from point A to point B. The protocol layer determines what those bits represent, how they're organized into packets, when each device is allowed to transmit, how errors are detected and corrected, and how two devices establish and maintain a connection.
Physical Layer vs. Protocol Layer
Think of the physical layer as the telephone line and the protocol layer as the language spoken over it. A phone call between someone speaking Mandarin and someone speaking Portuguese uses the same physical infrastructure. The conversation still fails. Wireless protocols work the same way.
Common Protocols You Will Encounter in the Field
The protocols relevant to Flipper Zero work span several categories. For short-range access control, EM4100 and HID Prox are the dominant RFID standards, operating at 125 kHz and used in the vast majority of older building access cards. NFC/ISO 14443 operates at 13.56 MHz and covers modern contactless payment cards, newer access badges, and transit cards. Wiegand is the data transmission protocol used between card readers and access control panels, and it's famously simple and famously insecure.
For longer-range wireless, Bluetooth (both Classic and BLE) covers audio devices, peripherals, and a massive range of IoT sensors. Zigbee and Z-Wave are mesh networking protocols used in smart home devices, operating at 2.4 GHz and 868/915 MHz respectively.
Proprietary protocols present the greatest challenge. Many industrial remote controls, specialized access systems, and consumer devices use undocumented, manufacturer-specific protocols. Decoding them without documentation requires reverse engineering at the bit level, which is a skill this series will address in later parts. For now, knowing that proprietary protocols exist and that they're deliberately opaque is enough.
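Because Wiegand is named above as famously simple, it makes a good illustration of what the protocol layer adds: the same 26 bits mean nothing until a ruleset says which bits are the facility code, which are the card number, and which are parity. Here is an added Python example, not from the Grimoire series, that builds and parses the common 26-bit Wiegand layout (even parity over the first half, 8-bit facility code, 16-bit card number, odd parity over the second half). The facility and card values are constructed.

```python
def wiegand26_encode(facility: int, card: int) -> list:
    """Build a 26-bit frame: [even parity][8-bit facility][16-bit card][odd parity]."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit in 8 bits and card in 16 bits")
    data = [int(b) for b in f"{facility:08b}{card:016b}"]   # the 24 data bits
    even_parity = sum(data[:12]) % 2            # makes the count of ones in bits 0..12 even
    odd_parity = 1 - (sum(data[12:]) % 2)       # makes the count of ones in bits 13..25 odd
    return [even_parity] + data + [odd_parity]


def wiegand26_parse(bits: list) -> dict:
    """Decode a 26-bit frame and verify both parity bits.

    parity_ok False means the frame was corrupted on the wire, or was never
    a 26-bit frame to begin with. Nothing here is encrypted or authenticated:
    the frame is just the two numbers plus two check bits.
    """
    if len(bits) != 26 or any(b not in (0, 1) for b in bits):
        raise ValueError("expected exactly 26 bits of 0/1")
    even_ok = sum(bits[0:13]) % 2 == 0
    odd_ok = sum(bits[13:26]) % 2 == 1
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return {"facility": facility, "card": card, "parity_ok": even_ok and odd_ok}


def bits_to_str(bits: list) -> str:
    return "".join(map(str, bits))


if __name__ == "__main__":
    frame = wiegand26_encode(facility=42, card=12345)   # constructed values
    print(bits_to_str(frame), wiegand26_parse(frame))
    damaged = frame[:]
    damaged[5] ^= 1        # flip one facility-code bit, as line noise might
    print(bits_to_str(damaged), wiegand26_parse(damaged))
```

The parity bits are the protocol's entire error-detection budget: a single flipped bit is caught, two flips in the same half are not, and nothing in the frame proves who sent it. That is what "famously simple" buys and what "famously insecure" costs.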
What Is RSSI?
Reading Signal Strength Without an Engineering Degree
RSSI stands for Received Signal Strength Indicator. It's a relative measure of how much power a receiver is detecting from a given signal at a given moment. The unit is dBm, which stands for decibel-milliwatts, a logarithmic scale that expresses power relative to one milliwatt.
The scale is counterintuitive until you see it once. RSSI values are almost always negative. A reading of -30 dBm represents a very strong signal, the kind you'd see with a device sitting centimeters from your receiver. A reading of -90 dBm is weak, borderline usable, the kind you'd see from a device at the edge of its range or behind significant obstructions. Zero dBm would mean the received signal has exactly one milliwatt of power, which almost never happens in practical wireless work. The more negative the number, the weaker the signal.
What Good and Bad RSSI Actually Look Like in Practice
For reconnaissance purposes, RSSI answers the question of how strong the signal is at your receiver, which tells you how close the transmitter is and whether you're
What Is the Noise Floor?
Every radio receiver on the planet is listening to two things at once: the signal you care about and everything else. That "everything else" has a name. It's called the noise floor, and understanding it changes how you think about wireless reconnaissance entirely.
The Background Hiss That Hides Your Signals
The noise floor is the aggregate level of background electromagnetic interference present at a given frequency in a given location. It's not silence. It's never silence. Power lines radiate. Switching power supplies radiate. Your neighbor's microwave radiates. Fluorescent lighting, poorly shielded HDMI cables, electric motors, the atmosphere itself. All of it bleeds into the spectrum and raises the baseline level of electromagnetic garbage your receiver has to sort through.
Think about a crowded restaurant. The ambient noise of a hundred conversations, clinking glasses, and background music is the noise floor. Someone trying to talk to you from across the room is the signal. If the restaurant is quiet, you can hear them fine from thirty feet away. If the restaurant is packed and loud, they have to be much closer, or much louder, before their voice rises above the din. That ratio between signal strength and background noise is called the Signal-to-Noise Ratio, or SNR. Higher SNR means cleaner, more detectable signals.
Urban environments are loud restaurants. Dense cities pack hundreds of transmitters into every city block. The noise floor in a downtown apartment is measurably higher than the noise floor in a rural field, and that has real consequences for reconnaissance range. A sensor beacon that broadcasts clearly from 200 meters in a quiet suburb might be undetectable from 40 meters in a noisy urban environment.
Why Urban Noise Floors Matter
If you're doing RF reconnaissance in a dense area and a signal seems weak or intermittent, the noise floor is often the culprit. Try moving away from large electrical equipment, HVAC units, and elevator shafts before concluding the signal is too faint to work with.
How to Distinguish a Real Signal from RF Garbage
SDR software like SDR# or GQRX displays a waterfall view: a scrolling visual where frequency runs left to right and time runs top to bottom. Signals appear as bright vertical lines or bands. The noise floor appears as a relatively uniform dim background. Real signals stand out because they have consistent shape, occupy a defined bandwidth, and often repeat at predictable intervals. Random noise doesn't do that. It's chaotic, spread across frequencies, and inconsistent over time.
Learning to read a waterfall is one of the most useful skills in this entire series. It trains your eye to separate structure from chaos, which is exactly what good reconnaissance requires.
What Is Bandwidth?
The word "bandwidth" gets abused constantly. Your internet provider uses it to mean download speed. In RF, it means something specific and different: the width of the frequency range that a signal occupies. Getting these two definitions mixed up will cause real confusion when you're configuring an SDR or reading a signal capture.
Channel Width, Data Rate, and Why They Are Linked
Bandwidth, in the RF sense, is the slice of spectrum a transmission uses. A narrow signal occupies a small slice. A wide signal occupies a large one. The tradeoff is direct: wider bandwidth allows more data to be transmitted per second, but it requires more spectrum real estate and demands cleaner conditions to maintain signal integrity.
The numbers make this concrete. A simple 433 MHz OOK sensor transmission, the kind that a wireless weather station or a cheap door sensor sends, might occupy as little as 10 kHz of bandwidth. It doesn't need to carry much data. A single button press or a temperature reading is a handful of bits. A 2.4 GHz Wi-Fi channel, by contrast, occupies 20 MHz in standard mode and 40 MHz in high-throughput mode. It needs that width because it's carrying video streams, file transfers, and dozens of simultaneous connections.
Bandwidth in Reconnaissance: How Wide Should You Listen?
When you're scanning for unknown signals, you start wide. SDR software lets you observe hundreds of MHz at once in the waterfall view, which is how you discover what's actually transmitting before you commit to a specific frequency. Once you spot something interesting, you narrow your bandwidth to match the signal's actual width. Too wide and you pull in adjacent noise. Too narrow and you clip the edges of the signal and lose data.
The Flipper Zero's Sub-GHz module has configurable bandwidth settings for exactly this reason. Matching your receive bandwidth to the signal you're targeting isn't optional polish. It's the difference between a clean capture and an unreadable mess. Scanning wide to discover, then narrowing to capture, is the standard workflow you'll use throughout the rest of this series.
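The dBm scale, the signal-to-noise ratio and the bandwidth trade-off all reduce to a few lines of arithmetic, so here is one added Python example covering the RSSI, noise floor and bandwidth sections together; it is not code from the Grimoire series. It converts dBm to milliwatts, derives the thermal noise floor for a given receive bandwidth from the standard -174 dBm/Hz figure, power-sums that with an assumed external (urban) noise level, and reports whether a signal at a given RSSI clears a detection margin. The receiver noise figure, the urban noise level and the 10 dB margin are constructed assumptions, not measurements.

```python
import math

THERMAL_NOISE_DBM_PER_HZ = -174.0   # kT at about 290 K, the usual reference figure


def dbm_to_mw(dbm: float) -> float:
    """dBm is 10*log10(P / 1 mW): 0 dBm is exactly 1 mW, -30 dBm is 1 microwatt."""
    return 10 ** (dbm / 10.0)


def mw_to_dbm(mw: float) -> float:
    return 10.0 * math.log10(mw)


def power_sum_dbm(*levels_dbm: float) -> float:
    """Noise sources add in watts, not in dB: two equal sources raise the floor 3 dB."""
    return mw_to_dbm(sum(dbm_to_mw(level) for level in levels_dbm))


def thermal_floor_dbm(bandwidth_hz: float, noise_figure_db: float = 0.0) -> float:
    """Thermal noise grows with bandwidth: every 10x wider adds 10 dB of noise."""
    return THERMAL_NOISE_DBM_PER_HZ + 10.0 * math.log10(bandwidth_hz) + noise_figure_db


def snr_db(rssi_dbm: float, noise_floor_dbm: float) -> float:
    return rssi_dbm - noise_floor_dbm


def detectable(rssi_dbm: float, noise_floor_dbm: float, margin_db: float = 10.0) -> bool:
    """Assumed rule: a signal is usable if it sits margin_db above the floor."""
    return snr_db(rssi_dbm, noise_floor_dbm) >= margin_db


def site_floor_dbm(bandwidth_hz: float, noise_figure_db: float = 6.0,
                   external_dbm=None) -> float:
    """Floor at a site: receiver thermal noise power-summed with ambient RF noise.

    external_dbm is a constructed stand-in for urban interference inside the
    receive bandwidth; pass None for a quiet site.
    """
    thermal = thermal_floor_dbm(bandwidth_hz, noise_figure_db)
    return thermal if external_dbm is None else power_sum_dbm(thermal, external_dbm)


if __name__ == "__main__":
    for bw in (10e3, 200e3, 20e6):
        print(f"{bw / 1e3:8.0f} kHz: thermal floor {thermal_floor_dbm(bw, 6.0):7.1f} dBm")
    quiet = site_floor_dbm(10e3)                       # rural, narrow-band listening
    urban = site_floor_dbm(10e3, external_dbm=-105.0)  # constructed urban noise level
    for rssi in (-70.0, -90.0, -110.0):
        print(f"RSSI {rssi:6.1f} dBm  quiet site: {detectable(rssi, quiet)}  "
              f"urban site: {detectable(rssi, urban)}")
```

Two things fall out of the numbers. Listening in a 10 kHz slice puts the thermal floor near -128 dBm, while a 20 MHz Wi-Fi-width window lifts it to about -95 dBm, which is why a -95 dBm reading is "the edge of detection" in one setting and comfortably readable in another. And a -110 dBm beacon that is perfectly usable at the quiet site disappears at the urban one without the transmitter moving an inch; the signal didn't get weaker, the floor came up to meet it.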
What Is Encryption?
Hearing a signal and understanding a signal are two completely different things. Encryption is the reason why.
Encryption is the mathematical transformation of data so that only parties holding the correct key can decode it. The signal travels through the air in its encrypted form. Anyone with a receiver can capture it. Almost no one can read it.
When You Can Hear the Signal But Cannot Read It
Here's what matters for reconnaissance: capturing an encrypted signal is still useful even when you can't decode its contents. You learn that a device exists. You learn its operating frequency, its modulation type, its approximate transmission timing, and often its protocol. That's a meaningful reconnaissance profile, and none of it requires breaking the encryption.
A Bluetooth LE device running AES-128 encryption broadcasts its presence constantly. The advertisement packets are visible to anyone scanning. You can see the device address, the signal strength, and the transmission interval without touching the encryption at all. The encrypted payload is opaque, but the metadata surrounding it is not.
A Line This Series Does Not Cross
Attempting to break encryption, whether through brute force, exploiting implementation flaws, or using tools designed for cryptographic attacks, crosses both legal and ethical lines that this series won't approach. The goal here is reconnaissance literacy, not unauthorized access. Know the distinction and respect it.
Encryption You Will Actually Encounter in Consumer Wireless
The landscape is uneven. Modern systems take encryption seriously. Bluetooth LE uses AES-128 for encrypted connections. Z-Wave S2, the current security layer for Z-Wave home automation, uses AES-128 in CCM mode with per-device keys. These are not trivially broken.
Older systems are a different story. Many 433 MHz and 315 MHz remotes use no encryption at all. The data payload is transmitted in plaintext OOK or FSK. You can capture it, decode it, and replay it with minimal effort. This is why legacy RF reconnaissance is so productive for learning. The signals are simple, unprotected, and abundant. Cheap temperature sensors, older garage door remotes, wireless doorbells, and basic alarm system sensors often fall into this category.
The pattern is consistent across consumer wireless: the older the system, the less likely it is to have meaningful encryption. That's not an invitation to exploit it. It's a reason to understand the full spectrum of what you'll encounter.
What Is a Rolling Code?
Not all unencrypted signals are replayable. Some systems protect themselves through a different mechanism entirely, one that doesn't scramble the data but makes the data itself expire the moment it's used.
Why Your Car Key Fob Cannot Simply Be Replayed
A rolling code, sometimes called a hopping code, is a security mechanism where the transmitted code changes with every single button press. Press your key fob once and it sends code 4821. Press it again and it sends code 7063. Press it a third time and it sends code 2918. The sequence is not random. It's generated by a cryptographic algorithm, and both the transmitter and the receiver share a synchronized counter so they always know which code comes next.
When you capture a rolling code transmission, you capture a code that has already been consumed. The receiver saw it, accepted it, and incremented its counter. If you replay that same code, the receiver compares it against its expected sequence and rejects it. The window has closed.
KeeLoq is the most widely deployed rolling code algorithm in automotive and garage door applications. It was introduced in the 1990s and became nearly ubiquitous. Researchers published significant cryptanalytic attacks against KeeLoq starting around 2007, demonstrating that with enough captured transmissions and significant computation, key recovery was possible. Real-world exploitation is not trivial, but the theoretical vulnerabilities are documented and known.
How Rolling Codes Work and Where They Break Down
The mechanism has one structural weakness: counter desynchronization. If you press your key fob many times while out of range of the receiver, the transmitter's counter advances but the receiver's counter doesn't. Most systems handle this by accepting codes within a resync window, typically a few hundred counts ahead of the last accepted value. If you're far enough outside that window, you have to perform a manual resync procedure.
Fixed codes, by contrast, never change. Older garage door remotes, basic RF light switches, and many IoT sensors transmit the same code every time. Capture it once and you can replay it indefinitely. The Flipper Zero can capture and log rolling code transmissions, and it will identify them correctly as rolling codes. What it won't do is trivially replay them. That's not a limitation of the hardware. That's the algorithm working as designed.
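To show why a captured rolling code is already dead by the time it is replayed, and where the resync window sits, here is an added Python example; it is not KeeLoq and not code from the Grimoire series. It uses a toy construction, an HMAC-SHA256 of a shared key and a press counter truncated to 32 bits, in place of a real rolling-code cipher, and a receiver that looks ahead a fixed number of counts for a match. The key, window size and press counts are constructed.

```python
import hashlib
import hmac

RESYNC_WINDOW = 256   # how far ahead of the last accepted counter the receiver looks (assumed)


def rolling_code(key: bytes, counter: int) -> int:
    """Toy code generator: 32-bit truncation of HMAC-SHA256(key, counter).

    A stand-in for the real cipher; only the shape matters here:
    secret key plus counter gives a code nobody can predict without the key.
    """
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Fob:
    """Transmitter: every press advances its counter and emits a fresh code."""
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> int:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class Receiver:
    """Receiver: accepts a code only if it matches a counter strictly ahead of the
    last one accepted and within the resync window, then moves the mark forward."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, code: int) -> bool:
        for candidate in range(self.last_counter + 1, self.last_counter + 1 + RESYNC_WINDOW):
            if rolling_code(self.key, candidate) == code:
                self.last_counter = candidate   # consumed: this and every earlier code are dead
                return True
        return False


def walkthrough() -> dict:
    """Reproduces the scenarios in the text; returns each outcome by name."""
    key = b"constructed-demo-key"            # shared between fob and door at pairing time
    fob, door = Fob(key), Receiver(key)
    outcomes = {}
    first = fob.press()
    outcomes["fresh press"] = door.accept(first)
    outcomes["replay of consumed code"] = door.accept(first)
    stale = None
    for _ in range(10):                      # pressed out of range: fob advances, door does not
        stale = fob.press()
    outcomes["next press after 10 missed"] = door.accept(fob.press())
    outcomes["older missed code after resync"] = door.accept(stale)
    for _ in range(RESYNC_WINDOW + 50):      # far beyond the window: desynchronised
        fob.press()
    outcomes["press after leaving window"] = door.accept(fob.press())
    return outcomes


if __name__ == "__main__":
    for name, ok in walkthrough().items():
        print(f"{name:34s} -> {'accepted' if ok else 'rejected'}")
```

Note the fourth outcome: a code that was never seen by the receiver is still rejected once any later code has been accepted, because the receiver only ever searches forward from its last mark. That is the property that makes a captured transmission expire, and the last outcome is the desynchronisation case that forces a manual resync.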
The Five-Part Mental Model: Putting It All Together
Ten concepts. Two articles. A lot of vocabulary. Now we use it.
The framework introduced at the start of this piece asked five questions about any unknown signal. Every concept covered since then feeds directly into one of those questions. This is where the model becomes a tool.
Where, How, What Language, How Strong, How Often
Frequency answers WHERE. Where does this signal live on the spectrum? 433 MHz puts it in the unlicensed ISM band alongside a hundred other consumer devices. 915 MHz narrows it to a different ISM slice. 2.4 GHz opens up Wi-Fi, Bluetooth, and Zigbee territory. Frequency alone tells you which category of device you're likely dealing with.
Modulation answers HOW. How is the signal physically encoded onto the carrier wave? OOK means simple on/off keying, common in cheap remotes and sensors. FSK means frequency shifting, common in more sophisticated short-range protocols. The modulation type tells you something about the device's complexity and age.
Protocol answers WHAT LANGUAGE. What ruleset gives the bits meaning? Two devices can share a frequency and a modulation type and still be completely incompatible because they speak different protocols. Z-Wave (868/915 MHz) and Zigbee (2.4 GHz, with sub-GHz variants in the same 868/915 MHz region) can sit in overlapping spectrum, and they still don't understand each other at all.
RSSI answers HOW STRONG. How strong does the signal appear at your receiver? A reading of -45 dBm means you're close or the transmitter is powerful. A reading of -95 dBm means you're at the edge of detection. RSSI shapes your physical positioning during a scan.
Repetition answers HOW OFTEN. Is this a one-shot command that fires and goes silent, or a constant beacon that announces itself every few seconds?
Applying the Model Before You Scan a Single Signal
Here's a worked example. You're scanning the 433 MHz band and you see a signal appearing in the waterfall every 30 seconds. The modulation looks like OOK. The RSSI is moderate, around -70 dBm. It transmits briefly and goes quiet.
Frequency: 433 MHz ISM band. Modulation: OOK. Repetition: every 30 seconds, brief burst. RSSI: moderate. That profile almost certainly describes a sensor beacon, not a command. Commands fire on demand. Sensors report on a schedule. You haven't decoded a single bit yet, and you already know what category of device you're looking at.
Noise floor, bandwidth, encryption, and rolling codes don't replace this model. They refine it. Knowing the noise floor tells you whether a weak signal is genuinely distant or just buried in interference. Knowing the bandwidth helps you capture cleanly. Knowing whether encryption is present tells you how far your analysis can realistically go. Knowing whether rolling codes are involved tells you whether a replay attack is worth considering or a dead end before it starts.
The model is the skeleton. Everything else is the detail that fills it in.
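The worked profile above can be turned into a small, reusable first-pass classifier. Here is an added Python example, not from the Grimoire series, that takes a list of burst timestamps and durations (constructed here, as if read off a waterfall) and derives the "how often" answer: mean interval, jitter, duty cycle, and whether the pattern is regular enough to look like a scheduled sensor beacon rather than an on-demand command. The 10 percent jitter rule and the category labels are assumptions, not a standard.

```python
from statistics import mean


def timing_profile(bursts):
    """bursts: list of (start_seconds, duration_seconds) for one observed signal.

    Returns mean interval, worst-case jitter, duty cycle and a periodic flag.
    """
    if len(bursts) < 2:
        raise ValueError("need at least two bursts to measure an interval")
    starts = [s for s, _ in bursts]
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    avg = mean(intervals)
    jitter = max(abs(i - avg) for i in intervals)
    span = (bursts[-1][0] + bursts[-1][1]) - bursts[0][0]
    duty = sum(d for _, d in bursts) / span
    return {
        "mean_interval_s": round(avg, 2),
        "jitter_s": round(jitter, 2),
        "duty_cycle": round(duty, 4),
        "periodic": jitter <= 0.1 * avg,   # assumed rule: every gap within 10% of the mean
    }


def first_pass_category(freq_mhz, modulation, rssi_dbm, bursts):
    """Five-question profile to a coarse guess, in the spirit of the worked example.

    Only the 300-900 MHz OOK case is classified; anything else is left open
    rather than guessed.
    """
    timing = timing_profile(bursts)
    if 300 <= freq_mhz <= 900 and modulation == "OOK":
        kind = ("sensor beacon (scheduled report)" if timing["periodic"]
                else "remote/command (fires on demand)")
    else:
        kind = "unclassified by this simple rule"
    return {"frequency_mhz": freq_mhz, "modulation": modulation,
            "rssi_dbm": rssi_dbm, **timing, "guess": kind}


if __name__ == "__main__":
    # Constructed observations: a beacon every ~30 s, and a remote pressed in two short clusters.
    sensor = [(0.0, 0.05), (30.1, 0.05), (59.9, 0.05), (90.0, 0.05), (120.2, 0.05)]
    remote = [(0.0, 0.3), (1.1, 0.3), (47.5, 0.3), (48.2, 0.3)]
    print(first_pass_category(433.92, "OOK", -70, sensor))
    print(first_pass_category(433.92, "OOK", -55, remote))
```

The sensor's gaps are all within a quarter of a second of 30 seconds, so it classifies as a scheduled beacon; the remote's gaps are 1.1 s, 46.4 s and 0.7 s, which no schedule explains. Neither verdict required decoding a bit, which is the point of the five-question model.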
Your RF Literacy Checklist Before Part 5
Part 5 moves from concepts to active hardware. The Flipper Zero's Sub-GHz module will be in your hands and scanning. Every term in the checklist below will appear again, in practical context, without re-explanation. If any of these feel shaky, re-read the relevant section now. It's much easier to do that here than to stop mid-scan to look something up.
Concepts to Confirm Before Moving to Active Scanning
If you can answer all seven of those without scrolling back up, you're ready. If two or three are fuzzy, that's fine. Reread those sections once. The vocabulary compounds quickly in Part 5 and a solid foundation now saves real frustration later.
Part 5 covers the Flipper Zero's Sub-GHz module in hands-on detail: how to configure it for a target frequency, how to read what it captures, and how to start building a picture of the RF environment around you from actual scan data rather than diagrams.
RF tools are powerful precisely because most people don't understand what they're doing with them. Understanding what you're doing, and staying within legal boundaries while you do it, is what separates a practitioner from someone who's going to cause problems for themselves and others. Keep that in mind as the work gets more hands-on.