Flipper Zero - a tamagotchi-style multitool for pentesters

Flipper Zero - Multi-tool Device for Hackers



Flipper Zero is a project for a pocket multitool based on the Raspberry Pi Zero, for IoT pentesting and wireless access control systems. It is also a tamagotchi in which a cyber-dolphin lives.



He will be able to:





I am excited to present my most ambitious project, the idea of which I have been nurturing for many years. It is an attempt to combine all the tools frequently needed for a physical pentest into one device, while giving it a personality so that it is pleasant to handle.

At the moment the project is at the R&D and feature-approval stage, and I invite everyone to join the discussion of features or even take part in development. Below is a detailed description of the project.



Why is this needed?



I love to explore everything around me and constantly carry various tools for this. In my backpack I have: a Wi-Fi adapter, an NFC reader, an SDR, a Proxmark3, a HydraNFC, a Raspberry Pi Zero (which causes problems at the airport). All these devices are not so easy to use on the go, when you have a cup of coffee in one hand or you are riding a bicycle. You need to sit down, unpack, get out the computer, and this is not always convenient. I dreamed of a device that would implement typical attack scenarios, was always ready, and at the same time was not a pile of boards falling apart and wrapped in electrical tape.







Raspberry Pi Zero W with battery-shield UPS-Lite v1.0 as a stand-alone flooder for sending pictures to Apple devices via AirDrop



Recently, after the open implementation of the AirDrop protocol at owlink.org was published, along with research by the HexWay guys on the Apple-Bleee iOS vulnerabilities, I began having fun in a new way: meeting people on the subway, sending them pictures via AirDrop and collecting their phone numbers. Then I wanted to automate this and built an autonomous dick-pic machine out of a Raspberry Pi Zero W and batteries. That topic deserves a separate article, which I can't manage to finish writing. Everything would be fine, but this device was extremely inconvenient to carry: it could not be put in a pocket, because sharp blobs of solder tore the fabric of my trousers. I tried printing a case on a 3D printer, but did not like the result.



Special thanks to Ana koteeq Prosvetova, host of the Telegram channel @theyforcedme, who at my request wrote the Telegram bot @AirTrollBot, which generates pictures with text, a Telegram handle and the correct aspect ratio so that they are fully displayed in the preview when sent via AirDrop. You can quickly generate a picture that suits the situation; it looks something like this.









Pwnagotchi assembly with e-ink screen and battery shield

Then I saw the amazing pwnagotchi project. It is like a tamagotchi, except that it feeds on WPA handshakes and PMKIDs from Wi-Fi networks, which can then be brute-forced on GPU farms. I liked the project so much that for several days I walked the streets with my pwnagotchi and watched it enjoy new loot. But it had all the same problems: it cannot be put in a pocket properly, and it has no controls, so any user input is possible only from a phone or computer.

And then I finally understood how I see the perfect multitool, which I had been missing. I tweeted about it, and my friends, industrial designers who make serious electronic products, liked the idea. They proposed making a full-fledged device instead of a cobbled-together DIY craft, with real factory production and well-fitting parts. We started looking for a design concept.





The first sketches of the Flipper Zero design

The case and design took a lot of time, because I was tired of all hacker devices looking like a bunch of PCBs wrapped in electrical tape that are impossible to use normally. The task was to come up with the most convenient and compact body, a device that would be easy to use autonomously without a computer or phone, and this is what came of it. What follows describes the current, non-final concept of the device.



What is Flipper Zero?





In fact, Flipper Zero is a few shields and a battery around a Raspberry Pi Zero, packed into a case with a small screen and buttons. Kali Linux is used as the OS, since it already contains all the necessary patches and supports rpi0 out of the box. I looked at many different single-board computers: NanoPi Duo2, Banana Pi M2 Zero, Orange Pi Zero, Omega2, but they all lose to rpi0, and here's why:





Surely many will say that the Raspberry Pi is not the best choice for such a device and will find many arguments: high power consumption, no sleep mode, not open hardware, etc. But weighing all the pros and cons, I did not find anything better than rpi0. If you have anything to say about this, welcome to the forum at forum.flipperzero.one.







Flipper Zero is fully autonomous and can be controlled with a 5-way joystick without additional devices such as a computer or phone. Typical attack scenarios can be launched from the menu. Of course, not everything can be done with the joystick, so for more control you can connect via SSH over USB or over Wi-Fi / Bluetooth.



I decided to use an old-school monochrome LCD with a resolution of 126x64 px, like on old Siemens phones. Firstly, it is just cool: a monochrome screen with an orange backlight fills me with indescribable delight, a kind of retro-military cyberpunk. It is clearly visible in bright sun and has very low power consumption, about 400 uA with the backlight off. Therefore it can be kept in always-on mode and always display an image. The backlight turns on only when you press keys.







Examples of screens on Siemens phones



Such screens are still produced for all kinds of industrial devices and cash registers. Currently we have selected this screen.





Flipper Zero ports

On its edges, Flipper Zero has the standard Raspberry Pi ports, a power / backlight button, a strap hole and an additional service port through which you can access the UART console, charge the battery and flash new firmware.



433 MHz transmitter







Flipper has a built-in 433 MHz antenna and a CC1111 chip for operation in the sub-1 GHz band, the same as in the popular Yard Stick One device. It can intercept and analyze the signals of radio remote controls, key fobs, all sorts of smart sockets and locks. It supports the rfcat library and can decode, save and replay popular remote control codes, like a remote control analyzer. For cases where the Raspberry Pi does not have time to process the signal, the CC1111 can be driven by the built-in microcontroller. In tamagotchi mode, Flipper can communicate with other Flippers and display their names, as pwnagotchi does.



BadUSB





Flipper can emulate USB slave devices and pretend to be a keyboard for payload delivery, like the USB Rubber Ducky. It can also emulate an Ethernet adapter for DNS spoofing, a serial port, etc. There is a ready-made framework for the Raspberry Pi that implements various attacks of this kind: github.com/mame82/P4wnP1_aloa

The desired attack scenario can be selected from the menu with the joystick. Meanwhile, the screen can display debugging information about the state of the attack, or something harmless as a disguise.



Wi-Fi





The Wi-Fi adapter built into the Raspberry Pi does not support monitor mode or packet injection out of the box, but there are third-party patches that add this. For some types of attacks you need two independent Wi-Fi adapters. The difficulty is that almost all Wi-Fi chips connect via USB, and we cannot occupy the rpi0's only USB port, otherwise USB slave mode will break. Therefore a Wi-Fi adapter has to be connected over the SPI or SDIO interface. I am not aware of any such chip that supports monitor mode and packet injection out of the box but does NOT connect via USB. If you know of one, please tell me on the forum in the topic Wi-Fi chip with SPI / SDIO interface that supports monitoring and packet injection.



NFC



Flipper Zero - a module for reading NFC cards



The NFC module can read / write all ISO 14443 cards, including Mifare, PayPass / PayWave contactless bank cards, Apple Pay / Google Pay and more. It is supported by the libnfc library. At the bottom of the Flipper there is a 13.56 MHz antenna, and to work with a card it is enough to place the Flipper on top of it. At the moment the question of card emulation remains open. I would like a full-fledged emulator like the Chameleon Mini, but at the same time I want to be able to work with libnfc. I do not know of chip options other than the NXP PN532, but it cannot fully emulate cards. If you know a better option, write about it in the topic Looking for better NFC chip than PN532.



125kHz RFID



Flipper Zero 125 kHz RFID low-frequency card reader / writer / emulator








Old 125 kHz low-frequency cards are still widely used in intercoms, office passes, etc. A 125 kHz antenna is located on the side of the Flipper; it can read EM4100 and HID Prox cards, save them to memory and emulate previously saved cards. You can also send a card ID for emulation over the Internet or enter it manually. Thus Flipper owners can pass read cards to each other remotely. Neat.
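To make concrete what "reading an EM4100 card" and "saving its ID" actually involve, here is an added example (not Flipper Zero code, and not from the author) that lays out the 64-bit EM4100 frame and validates it the way a reader must: 9 header ones, ten rows of 4 data bits with even row parity, 4 even column parity bits, and a stop bit. The card ID used in the demo is a constructed sample, and the stream scanning in `find_frame` assumes an already demodulated bit stream rather than raw antenna samples.

```python
# Added example: EM4100 frame encoder/decoder with parity checks.
# Not Flipper Zero code; the card ID below is constructed for the demo.
from typing import List, Optional

HEADER = [1] * 9          # 9 leading ones mark the start of the 64-bit frame
FRAME_LEN = 64


def em4100_encode(card_id: int) -> List[int]:
    """Lay out a 40-bit ID as the 64-bit frame an EM4100 tag transmits.

    Layout: 9 header ones, ten rows of 4 data bits + even row parity,
    4 even column parity bits, and a final 0 stop bit.
    """
    if not 0 <= card_id < (1 << 40):
        raise ValueError("EM4100 IDs are 40 bits (8-bit version + 32-bit data)")
    nibbles = [(card_id >> (4 * (9 - i))) & 0xF for i in range(10)]
    bits = list(HEADER)
    for n in nibbles:
        row = [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]
        bits += row + [sum(row) % 2]                      # even parity per row
    for col in range(4):                                  # even parity per column
        bits.append(sum((n >> (3 - col)) & 1 for n in nibbles) % 2)
    bits.append(0)                                        # stop bit
    return bits


def em4100_decode(bits: List[int]) -> Optional[int]:
    """Return the 40-bit ID if header, row parity, column parity and stop bit
    all check out; otherwise None (a corrupted or mis-synchronised read)."""
    if len(bits) != FRAME_LEN or bits[:9] != HEADER or bits[63] != 0:
        return None
    nibbles = []
    for r in range(10):
        row = bits[9 + 5 * r: 14 + 5 * r]
        if sum(row[:4]) % 2 != row[4]:
            return None
        nibbles.append((row[0] << 3) | (row[1] << 2) | (row[2] << 1) | row[3])
    col_parity = bits[59:63]
    for col in range(4):
        if sum((n >> (3 - col)) & 1 for n in nibbles) % 2 != col_parity[col]:
            return None
    card_id = 0
    for n in nibbles:
        card_id = (card_id << 4) | n
    return card_id


def find_frame(stream: List[int]) -> Optional[int]:
    """The tag repeats its frame endlessly, so a demodulated bit stream
    starts at an arbitrary point. Slide a 64-bit window until one decodes."""
    for offset in range(len(stream) - FRAME_LEN + 1):
        card_id = em4100_decode(stream[offset:offset + FRAME_LEN])
        if card_id is not None:
            return card_id
    return None


if __name__ == "__main__":
    demo_id = 0x1234567890                     # constructed sample ID
    frame = em4100_encode(demo_id)
    print("frame:", "".join(map(str, frame)))
    print("decoded: 0x%010X" % em4100_decode(frame))
    # A flipped data bit plus its flipped row parity bit passes the row check
    # but still fails column parity, which is why the format has both.
    damaged = list(frame)
    damaged[10] ^= 1
    damaged[13] ^= 1
    print("damaged decodes to:", em4100_decode(damaged))
```

The two-level parity is what lets a reader (or a device saving IDs to memory) distinguish a clean read from a noisy one: a single flipped bit fails its row, and a flipped bit that happens to be masked by a flipped row parity bit is still caught by the column parity.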



iButton





iButton is an old type of contact key that is still popular in the CIS. They work over the 1-Wire protocol and have no means of authentication, so they can be read easily. The Flipper can read these keys, save the ID to memory, write the ID to blank keys, and emulate the key itself so that it can be applied to a reader as a key.



Reader Mode (1-wire master)



In this mode the device acts as a door reader. When a key is pressed against the contacts, the Flipper reads its ID and saves it to memory. In the same mode, you can write a saved ID to a blank key.



Key emulation mode (1-wire slave)



Saved keys can be emulated in 1-Wire slave mode: the Flipper acts as a key and can be applied to a reader. The main difficulty was coming up with a contact pad design that could be used both as a reader and as a key. We found such a form, but I'm sure it can be done even better, and if you know how, suggest your option on the forum in the topic iButton contact pad design.
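What a reader actually receives from an iButton, and what a key store has to check before saving or emulating an ID, is a 64-bit ROM: one family-code byte, a 48-bit serial and a CRC-8. The following is an added example (not Flipper Zero code, and not from the author) that implements the Dallas/Maxim CRC-8 over the ROM, rejects a read whose CRC does not match, and rebuilds the wire-order bytes from a stored family code and serial. The serial number is a constructed sample.

```python
# Added example: parsing and checking a Dallas/Maxim 1-Wire ROM ID as read
# from an iButton. Not Flipper Zero code; the serial number is constructed.
from typing import Optional


def crc8_maxim(data: bytes) -> int:
    """CRC-8 used by 1-Wire ROM IDs: polynomial x^8 + x^5 + x^4 + 1,
    processed LSB-first (reflected constant 0x8C), initial value 0."""
    crc = 0
    for byte in data:
        for _ in range(8):
            mix = (crc ^ byte) & 1
            crc >>= 1
            if mix:
                crc ^= 0x8C
            byte >>= 1
    return crc


def parse_rom(rom: bytes) -> Optional[dict]:
    """Split an 8-byte ROM ID into family code, 48-bit serial and CRC.

    The bytes are in wire order (family code first, CRC last). Returns None
    if the CRC does not match, i.e. a noisy read that must not be saved.
    """
    if len(rom) != 8:
        raise ValueError("1-Wire ROM IDs are 8 bytes")
    if crc8_maxim(rom[:7]) != rom[7]:
        return None
    return {
        "family": rom[0],
        "serial": rom[1:7][::-1].hex().upper(),  # MSB-first, as engraved on the key
        "crc": rom[7],
    }


def make_rom(family: int, serial_hex: str) -> bytes:
    """Rebuild the wire-order ROM (with a fresh CRC) from a stored
    family code and MSB-first serial, as a key store would when emulating."""
    serial = bytes.fromhex(serial_hex)
    if len(serial) != 6:
        raise ValueError("serial is 48 bits")
    body = bytes([family]) + serial[::-1]
    return body + bytes([crc8_maxim(body)])


if __name__ == "__main__":
    # 0x01 is the DS1990A family code; the serial is a constructed sample.
    rom = make_rom(0x01, "0000A1B2C3D4")
    print("wire bytes:", rom.hex(" "))
    print("parsed:", parse_rom(rom))
    bad = bytearray(rom)
    bad[3] ^= 0x10                       # simulate a bit error in the serial
    print("corrupted read:", parse_rom(bytes(bad)))
```

A useful self-check of this CRC is that running it over all 8 bytes, CRC included, yields 0; the same property is what a 1-Wire master uses to validate a ROM straight off the bus.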



Bluetooth





The built-in Raspberry Pi Bluetooth adapter. Of course, it cannot replace devices like the Ubertooth One, but it is fully supported by the BlueZ library; it can be used to control the Flipper from a smartphone, for various Bluetooth attacks like apple-bleee, which allows collecting SHA-256 hashes of the mobile numbers tied to Apple IDs, and for managing all sorts of IoT devices.



Low power microcontroller



Since the Flipper is too cool to turn off, we decided to put a separate low-power microcontroller into it that will work while the Raspberry Pi is off. It will run the tamagotchi, drive the screen during the Raspberry Pi boot process until the Pi is ready to take over, and manage power. It will also control the CC1111 chip to communicate with other Flippers.



Tamagotchi mode





Flipper is a cyber-dolphin hacker who commands all the digital elements. When the Raspberry Pi is turned off, it goes into tamagotchi mode, in which you can play with it and make friends over 433 MHz. In this mode, NFC functions will probably be partially available.









The prototype for the character was the dolphin from the movie Johnny Mnemonic, which helped unscramble Keanu Reeves' brain and zapped the bad guys with its radiation. Dolphins have a built-in frequency generator with which they explore everything around them, as well as an innate need for entertainment and natural curiosity. We need someone who can come up with the Flipper's personality and the whole game design, from emotions to mini-games. All your thoughts on this can be posted in the appropriate section of the forum.



About me



Pavel Zhovner



My name is Pavel Zhovner and I live in Moscow. At the moment I run the Moscow hackspace Neuron. Since childhood I have liked to explore everything around me in depth: nature, technology, people. My main focus is networks, hardware and security.



I try never to use the word "hacker," because thanks to the media it has been completely devalued. I prefer to call myself a "nerd," because it is more honest and reveals the essence without pathos. In life I appreciate passionate people who are deeply emotionally involved in what interests them, and who can also safely be called nerds.



Flipper Zero is my attempt to make something really cool and mass-produced, and at the same time beautiful. I believe in open source, so the project will be completely open. At the moment I have a small team, but we lack people competent in narrow areas, especially radio. With this post I hope to find people who want to join the project.



Join the project



I invite everyone who liked this project to participate in its development in any way possible. At this stage we need to approve the final list of functions in order to proceed with implementing the first version of the device. There are many technical issues that are not yet resolved.



For developers



We will discuss all our current R&D tasks on the forum at forum.flipperzero.one. If you are a hardware or software developer, or have any questions, advice, suggestions or criticism, feel free to write them on the forum. This is the main place where all stages of development, crowdfunding and production will be discussed. Communication on the forum is in English only; do not hesitate to write clumsily, the main thing is that the meaning is clear.



Vote for features





It is very important for us to know which functions should be in the Flipper; development priorities will depend on this. Perhaps I mistakenly believe that some functions are important, or the set is missing something. For example, I have doubts about iButton, because it is an outdated technology. So please take a short survey: docs.google.com/7VWhgJRBmtS9BQtR9



Send money



When the prototype is completed and the project is ready to go to a crowdfunding platform like Kickstarter, you will be able to pay for a pre-order. At the moment you can personally support me with small donations for food through Patreon. Regular donations of $1 are much better than a large amount at once, because they make it possible to plan ahead. Donation link: flipperzero.one/donate



Disclaimer



The project is at a very early stage; there may be errors on the site, crooked layout and other problems, so don't be too harsh. Please let me know about any errors and inaccuracies you find. This is the first public mention of the project, and with your help I hope to smooth out all the rough edges before publishing to the wider English-speaking Internet.



I publish all notes on the project in my Telegram channel @zhovner_hub.


