FAQ.md 6.7 KB
| Table of Contents | |||||||
|---|---|---|---|---|---|---|---|
Preamble
- This is a community FAQ. Please consider also reading the Official docs.
- This FAQ is still being worked on, and contributions are welcome.
- *If your question isn't answered here, SEARCH the Discord and check pinned messages before asking there.*
Meta
What is Awesome Flipper Zero?
It's an Awesome List that I (djsime1) created shortly after receiving Lurat, my lovely dolphin sidekick.
General
(TODO)
Sub-GHz
How do I hack my neighbors garage or unlock some random persons car?!?
Short answer: You don't. That's illegal, and NOT what Flipper was designed for.
What does "This frequency can only be used for RX in your region" mean?
Due to legal regulations, Flipper is not allowed to transmit on certain frequencies depending on your order location. For more information, read this: https://docs.flipperzero.one/sub-ghz/frequencies If you have no regard for laws, you can use custom firmwares such as Unleashed to bypass this restriction at your own risk.
How do I find the frequency of a device/transponder?
If it's a commonly used frequency, bring the device really close to the Flipper and use the Frequency analyzer. If that didn't work, check for the device's FCC ID. It's legally required to be somewhere on the device if it's sold in the US. Then, look up that ID on https://fccid.io.
I can't tune Flipper to capture a specific frequency.
(TODO)
I captured a garage/car/etc. signal, but it doesn't work when I replay it.
Unless the item of interest is extremely old, it probably uses rolling codes. Read more below.
What is a rolling code?
Think of it like this: Imagine your garage door was programmed to open whenever it received the code "1234" from a transponder. This would be a static code, where a replay attack (Read RAW) would be able to open the garage. Since replay attacks are so easy, most devices will shuffle the code after each use. So the first time you open your garage, the transponder sends "1234" and the second time it sends "5678." Rolling codes aren't that simple, but you get the gist.
I replayed a rolling code and now my original keyfob/transponder doesn't work.
You'll have to re-sync your old device manually, since it's now lagging behind on the rolling code.
What is a Debruin/Brute force code?
A brute force code tries every possible code for a specific bit length, however this is inefficient. Example: 0001, 0002, 0003, 0004 ... 9998, 9999. Debruin sequences are more efficient by merging multiple codes together. Example: 365, 136, and 650 can all be found in 13650 by looking at 3 digits individually.
NFC & RFID
Feature/Compatability table
| Card name/type | Read | Write | Save | Emulate | Notes |
|---|---|---|---|---|---|
| Mifare Classic | X | X | X | Emulation is hit/miss | |
| Mifare DESFire | X | ||||
| Mifare Ultralight | X | X | X | Non-password protected | |
| EMV Cards | X | Can read bank cards | |||
| NTAG-21X | X | X | X | ||
| iClass/PicoPass | X | X | |||
| EM4100/EM4102 | X | X | X | ||
| H10301 | X | X | X | ||
| Indala | X | X | X | ||
| T5577 | X | X | X | X |
How do I identify which type of card I have?
Run the "Read card" action in the NFC app. If you don't see "NFC-A", your card is unfortunately unsupported. Note that you've only read the card UID and type, not the actual data. For that you need to select the "Run compatible app" option.
Why can't I write an NFC tag?
Currently unsupported, but is being worked on.
Mifare Ultralight/NTAG was detected, but nothing happens when I'm trying to read the data.
This happens when the tag is password protected. There's no quick fix for this, but solutions are in the works.
Why does it take so long to read a Mifare Classic?
The data on Mifare Classic cards is split up into sections, and each section is protected by a key. Flipper attempts to read the card by preforming a dictionary attack on the card using a bunch of common keys. Some sectors will be unlocked, others won't be.
What does it mean when no sectors could be read on a Mifare Classic?
The data on Mifare Classic cards is split up into sections, and each section is protected by a key. The read has failed, meaning the card didn't use any common keys. Workarounds are being developed.
What does it mean when some but not all sectors could be read on a Mifare Classic?
The data on Mifare Classic cards is split up into sections, and each section is protected by a key. The read wasn't successful, but it didn't fail either. Some of the card's data was read and saved, but not all. Even if not all sectors were read, it's still worth trying to use the partial save.
Why isn't Mifare Classic emulation working?
There are a number of reasons, some of which can be fixed while others can't. Most prominently, the Flipper's NFC chip doesn't have hardware support for Mifare Classic, so it's been offloaded to the CPU. However, the CPU's clock cycle can't conform to the exact (and strict) timings that Mifare Classics communicate with. This means that some readers will respond to emulation, while others won't. This can not be fixed with firmware.
Why can't I save/emulate Mifare DESFire?
DESFire is a very complicated and much more secure protocol. There are no known attacks against it yet.
What are the .sha files in the NFC directory?
These are shadow files, and they're created whenever an emulated tag is written to. They store a copy of the original file with whatever was written. This way, the original file remains untouched.