Flipper: A Portable Phreaking Platform That Fits in Your Pocket!

If you're reading this, there's a good chance that you are more than familiar with the typical "hacker" movie trope.

You know the one — a group of geeks are sitting a car next to a secure facility. Some nonsensical techno-babble is muttered, something that sounds like an ML/AI startup sales pitch, and with a few over exaggerated keystrokes, suddenly the security systems are down. We're in.

That's not how it goes down in the real world. We all know that. Popping a shell within the "BadCorp" network rarely happens from the back seat of a car. Because there are far more suitable ways to get the job done, using the right tools, for the specific task at hand.

Like 'Ma Bell' — I got the ill communication...

When it comes to "hacking" in the world of electronics, most of the activities involved could maybe be more aptly described as "phreaking." Phreaking sprang into existence back in the days when Ma Bell reigned supreme over the consumer telecom market.

With payphones on every street corner, rather than a phablet in every pocket, phreaking culture was born of a desire to spring a few sonic tricks, in order to circumvent the call charges, sparing you the need to drop another quarter in the slot.

With the oldest instances of the practice, phreaking would involve rapidly clicking handset switch hook in a specific pattern. If you can hear the image below, this might ahem, ring a bell.

The rapid pattern of clicks you hear, when you dial a number on these phones can be mimicked by toggling the handset hook switch. So, a payphone key switch could be circumvented with some clever clicking!

Changing their tone...

When the networks moved over to tone based signalling, we entered an era that gave rise to a lot of phreaking cult references. Tone based signaling systems, like DTMF (dual-tone, multi-frequency), can't be mimicked by clicking the switch hook, as now instead of shorting out the line, the various key presses of the numeric buttons are now represented by a series of tones, assigned as shown in the table below.

If you dial a '1,' the phone circuit generates both a both 697Hz tone, and a 1,209Hz tone simultaneously, and sends it down the wire. Punch in a pound sign ('#'), and it pipes out 941Hz and 1,477Hz.

Thing is though, as with the previous system, the exchange still only gets to see the waveform, sent down the copper wires — in this case, an analog waveform of the two tones superimposed on each other. On a scope, that would look like this. You can make out the two different frequencies in the image below, showing what the waveform for a '1' would look like.

If you were to play a recording of a phone number being dialed, into a off-the-hook receiver, the exchange would dutifully do as it's been told to do.

Viewed as a major goof by some, and a godsend by others, Ma Bell messed up, in publishing the "keys to the kingdom" in a 1954 technical publication, detailing the functional operation of the switching network, in response to the various control tones permitted. With a detailed guide of how to get the guts of the Ma Bell's national network of telephones to do anything desired — well, you can probably work out what happens next.

#2600

That number is instantly recognizable to a certain generation. More than a cult status hacking / phreaking quarterly publication, a tone at this specific frequency — 2,600 Hz — was found to effectively disconnect a call that was in progress, leaving the phone still connected to the exchange, but with the ability to be subsequently, manually routed through the network, by either dialing numbers conventionally on the keypad, or tuning in to some extra tone generation, as per the the instructions listed in that technical publication that we mentioned above.

Before long, hardware heads and electronics enthusiasts started exploring ways to get a more solid — and indeed, more subtle — foothold into the network. After all, standing in a phonebox, playing away on a pipe organ might invite some unwanted attention, right?

Some of the first "phreaking boxes" were born shortly thereafter. Below, is a picture of such a phreak box — the Blue box, was a numeric keypad tone generator, with some extra buttons, mapped to other line control tones, including one that was set to send that magic 2,600 Hz tone, in order to obtain a "free line." No really, now we're in.

Along with the Blue box, came a whole rainbow of other colorful boxes, with each color attributed to a certain function or feature set — able to do things like fool payphones into thinking you've just fed them a roll of quarters — Red box — or take your prank calls to the next level, by spoofing caller ID info with the Orange box.

It's a fascinating culture, but really, it's a very long segue that comes back around to my original point. When it comes to phreaking a system based on electronic hardware, the right tools can open up a whole world of back doors and exploits, that you can approach, verify — and, of course — responsibly disclose to the relevant manufacturers.

(Because these days, it's about the bug bounties.)

So what's my phreaking point with this history lesson in hacker culture - is there even one, or am I just being a weirdo?

Of course there is a point, and that's why we're here. We're going to take a look at the Flipper Zero, which aims to be the right tool — for every job!

Designed by Pavel Zhovner, Flipper wants to fulfill all your phreaking prerequisites. Presenting itself as a portable, practical pentesting platform pocket-tool (phew!), this slick looking little gadget contains goodies galore, and is able to operate in a number of tailored modes, giving you a range of application specific approaches to the walled gardens you are trying to gain access to.

The phreaking boxes of days gone by were able to cover a range of functions, with names bound to the visible spectrum. If we were to use the same scale of comparison, we'd have to expand out to the entire electromagnetic spectrum when considering the functionality offered by Flipper!

Let's dive in review the many features and functions found within Flipper!

Cutting straight to the core of the device, we start our teardown focusing on the chosen MCU, a STMicroelectronics STM32L412, a Cortex-M4 core, clocked at 80MHz, and featuring a whopping 1MB of flash and 128KB of RAM, Flipper is no slouch in the processor department.

That much memory will come in very handy for programming in all the functions offered by the numerous peripherals incorporated into the device, or storing samples, interrogated from a target I2C interface.

Flipper's front face sports a good old monochrome LCD panel, a display technology chosen not only for it's low power operation (with the backlight off) but also for it's proven readability under sunlight — something worth keeping in mind when designing a portable device that will be used in a range of lighting conditions!

With a decent resolution 128 x 64 pixels, the display is backed by a controller that looks likely to be a ST7565. A popular part, with great libraries — like this one from Adafruit - this proven panel setup has fantastic support when it comes to existing code examples and BMP conversion utilities — good news if perhaps you want to get down and dirty with your own display driver!

An array of tactile switches provides a solid way of navigating a menu-system HMI, displayed on the LCD. It's simple, it's robust, and it's effective — a solid way of approaching things here.

Along with the HMI function, this board is also home to a few interesting interfaces, including an Infrared transmitter — handy for spoofing some remote control signals, and a 125kHz RFID reader (which I'm pretty sure looks like it's going to be a NXP PN532), capable of reading a range of RFID cards, using that frequency.

If it is indeed using a PN532, then there's great library support — something that will be easy to integrate when writing your own applications or code, thanks to full support for the Flipper from within the Arduino and VSCode IDEs, on all platforms.

A self-installing package, providing all the support files needed, on any platform is a really nice touch to a product with as many options as this one!

A rad little radio chip...

A TI CC1101 RF Transceiver provides a Sub-1 GHz radio interface. That doesn't sound like much when you say it, but the number of devices that use this part of the RF spectrum for radio control is huge.

With the the CC1101 having the capability to tune into Sub-GHz bands, like 315, 433, 868 or 915 MHz — as a few commonly used examples — you have the potential to have complete on-air control. You can sniff, sample, and spoof captured radio packets with ease!

Infrared and sub-GHz radio communications cover the vast majority of home automation systems, so Flipper already has the potential to do things like allow you to find out how to fire up the AC and flick on the lights from the comfort of your own hardware.

It's important to note, that the Kickstarter lists the antenna as one tuned for 434 MHz. This is something for backers over in the EU to consider, with the equivalent spectrum allocation in these areas residing up at 868 MHz, that's where you'll want to look for devices being operated in these regions.

There will need to be some modification to the component set and CC1101 register configurations in order to look at frequencies other than the default 434 MHz — but modifying the hardware here will still be trivial, compared to a ground up effort of your own!

Other curiosities, like the 1-Wire / iButton interface — an example of which is shown above — along with their common application as access control tags, are left to the users imagination for now.

Aside from using the USB-C connection to flash new application code over the virtual serial connection, Flipper also has the option to be controlled remotely from a host PC, offering even more functionality to compliment your workbench arsenal.

With options for use including USB to the various usual serial protocols — UART, SPI and I2C are all supported — Flipper can give you some insight as to what signals are flying around your target hardware.

Flipper can even flash firmwares onto various SPI memories, and by that logic, should also be able to read them back, for storage. That could be a very handy tool for backing up board EEPROMS on the fly, without the need to bust out a dedicated programmer, only to find you've forgotten where the accompanying software utility has been filed away...

You can even — ahem — flip things around, and have Flipper function as an HID device, such as an HID keyboard, or further fool around with fuzzing the USB stack from a low-level perspective. If this sounds familiar, the functionality is very much that of a well-known pentesting tool, the USB Rubber Ducky, from Hak5.

Yes, Flipper really is filled with functionality, and although I feel we haven't yet touched on the ins and outs of the feature set with the level of detail i'd like to think you're used to me delivering in my articles, we'll revisit the design once the source is released — at the end of the Kickstarter campaign, where you can support the production efforts, and find out how to get hold of a your own Flipper — and all the phreaking phun that can be had with poking and prodding at proprietary protocols and the PCBs that are speaking them!

Until then, we can keep an eye on the HaD project page for Flipper, and make sure we keep an eye out on Zhovner's GitHub for the project — perhaps get keep him tagged for future update notifications!