What Can a Flipper Zero Actually Do?

The Flipper Zero is a $199 multi-tool that combines sub-GHz radio, NFC, 125 kHz RFID, infrared, BadUSB, and GPIO into a pocket-sized device. This guide covers what it genuinely does well, what the TikTok hype gets wrong, and whether it is worth buying for learning and hardware tinkering.

Beginner · 15 minutes · 5 sections

What You Need

Flipper Zero: primary device covered in this guide
LilyGo T-Deck (optional): ESP32-S3 alternative for LoRa and keyboard-driven projects

Sub-GHz Radio: Garage Doors, Weather Stations, and Remote Controls

The Flipper Zero's CC1101 transceiver operates across 300-928 MHz, covering the ISM bands used by garage door openers, weather stations, car key fobs, tire pressure sensors, and simple remote controls. It supports digital modulations including 2-FSK, 4-FSK, GFSK, MSK, OOK, and flexible ASK shaping, with a range of up to 50 meters through the integrated multi-band antenna.

In practice, the sub-GHz radio reads and replays fixed-code signals reliably. Older garage door openers that use fixed codes can be captured and replayed in seconds. Weather station sensors broadcasting on 433 MHz show up as readable data. Simple remote-controlled outlets and fans using OOK modulation work without any configuration.

The important limitation is rolling codes. Modern garage doors, car key fobs, and security systems use rolling code protocols where each transmission is unique. The Flipper Zero cannot bypass rolling codes — it can capture the signal, but replaying it does nothing because the code has already been consumed. This is the single biggest gap between TikTok demonstrations and reality. Videos showing people opening garage doors typically feature decades-old fixed-code systems, not anything manufactured after 2000.

Unlike a software-defined radio, the CC1101 cannot capture raw wideband signals. You must pre-configure the modulation parameters before receiving, which means you need to know what protocol a device uses before you can interact with it. For unknown protocols, a HackRF or RTL-SDR is the better tool.

NFC and RFID: Access Cards, Amiibo, and Transit Passes

The Flipper Zero combines two contactless technologies: an ST25R3916 NFC chip operating at 13.56 MHz and a software-implemented 125 kHz RFID reader. This dual-frequency setup covers both legacy low-frequency access cards and modern high-frequency NFC tags.

The 125 kHz RFID module reads and emulates common access card formats including EM4100, HID Prox, and Indala. Many older office buildings, gyms, and parking garages still use these formats. The Flipper can read, store, and emulate these cards — useful for backing up your own credentials or testing physical security during authorized penetration tests.

At 13.56 MHz, the NFC module reads MIFARE Classic, MIFARE Ultralight, NTAG21x, and NFC-A/B/F/V tags. MIFARE Classic cards are particularly interesting because their Crypto-1 encryption was cracked by researchers in 2008, allowing the Flipper to extract keys and clone cards using dictionary attacks. It can also read and write NFC tags for Amiibo emulation — a popular use case among Nintendo Switch owners who want access to all Amiibo figures without buying physical ones.

Modern secure credentials are a hard wall. DESFire EV2/EV3, HID iCLASS SE, HID SEOS, and EMV bank cards cannot be cloned or cracked. The Flipper can identify these card types and read their unprotected metadata, but extracting keys or emulating them is not possible. If your office uses DESFire cards, the Flipper will tell you the card type and UID but nothing more.

Infrared, BadUSB, and GPIO: The Utility Belt

The infrared transceiver (TSOP-75338 receiver, three IR LEDs for transmitting) turns the Flipper Zero into a universal remote control. It ships with a built-in database of IR codes for TVs, air conditioners, projectors, and audio equipment. Point it at a TV, select the brand, and it cycles through codes until it finds the right one. You can also learn new remotes by pointing them at the Flipper's receiver — useful for consolidating remotes or backing up IR codes for devices with proprietary remotes.

BadUSB is where the Flipper crosses into security testing territory. When plugged into a computer via USB-C, it can emulate an HID keyboard and type pre-scripted payloads at machine speed. This is functionally identical to a USB Rubber Ducky — it types commands faster than any human could, executing scripts that can open terminals, download files, or modify settings. The Flipper uses DuckyScript-compatible syntax, so existing Rubber Ducky payloads work with minimal modification. This is a legitimate penetration testing tool for authorized security assessments, and a reminder of why USB ports on public computers should never be trusted.
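Because injected keystrokes arrive at machine speed, inter-key timing is one signal a defender can check. The following is an added example, not part of the original guide: the event format, device names, thresholds and sample timings are all constructed assumptions, not values from any product.

```python
from statistics import median

def inter_key_gaps(events):
    """events: time-ordered (device_id, key_down_timestamp_seconds) pairs."""
    by_dev = {}
    for dev, ts in events:
        by_dev.setdefault(dev, []).append(ts)
    return {dev: [b - a for a, b in zip(t, t[1:])] for dev, t in by_dev.items()}

def flag_injection(events, min_keys=20, max_median_gap=0.015, max_spread=0.005):
    """Flag keyboards that type both faster and more uniformly than a person.

    Thresholds are assumed starting points and need tuning on real data.
    """
    flagged = []
    for dev, gaps in inter_key_gaps(events).items():
        if len(gaps) + 1 < min_keys:
            continue  # too few keys to judge; avoids flagging short bursts
        med = median(gaps)
        spread = median(abs(g - med) for g in gaps)  # median absolute deviation
        if med <= max_median_gap and spread <= max_spread:
            flagged.append(dev)
    return sorted(flagged)

def _stream(dev, start, gaps):
    """Build constructed key-down events from a start time and gap list."""
    ts, out = start, [(dev, start)]
    for g in gaps:
        ts += g
        out.append((dev, ts))
    return out

def sample_events():
    """Constructed sample: a person typing, a held key, a scripted keyboard."""
    human = _stream("kbd-builtin", 0.0,
                    [0.12, 0.21, 0.09, 0.18, 0.25, 0.11, 0.16, 0.30, 0.14, 0.10] * 3)
    held_key = _stream("kbd-external", 10.0, [0.033] * 40)  # auto-repeat: uniform but slower
    scripted = _stream("usb-kbd-new", 20.0, [0.005] * 60)   # 5 ms between keys
    return sorted(human + held_key + scripted, key=lambda e: e[1])

if __name__ == "__main__":
    print(flag_injection(sample_events()))
```

Timing alone is a heuristic; it is most useful alongside controls such as restricting which USB input devices a host will accept.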

The GPIO header exposes 18 pins with 3.3 V logic levels (5 V tolerant on input). This turns the Flipper into a basic hardware debugging tool — it can speak UART, SPI, and I2C to communicate with microcontrollers, sensors, and other embedded devices. Optional expansion modules add WiFi diagnostics (via an ESP32-based dev board), a video game module, and prototype boards. The GPIO ecosystem is where the Flipper overlaps with dedicated development boards like the LilyGo T-Deck, though the T-Deck's ESP32-S3, full keyboard, and LoRa radio make it better suited to sustained embedded projects than to quick hardware probing.

Custom Firmware: Momentum, RogueMaster, and Unleashed

The stock Flipper Zero firmware is deliberately conservative — it excludes certain sub-GHz frequencies restricted in some jurisdictions, limits transmission power, and ships with a curated app selection. Custom firmware options unlock the device's full hardware potential at the cost of regulatory compliance and stability.

Momentum Firmware is the most actively maintained custom option as of early 2026. It is a continuation of the now-discontinued Xtreme firmware, built by the same developers. Momentum adds eight main menu UI styles, a control center with quick toggles, BLE spam tools for Bluetooth security testing, GPS integration for sub-GHz signal logging, and the largest JavaScript module set (USBDisk, Storage, GUI, BLE, SubGHz) for scripting workflows without writing C.

RogueMaster takes a kitchen-sink approach, merging features from Unleashed and Xtreme into a single build with over 80 bundled applications. It includes enhanced BadUSB payloads, custom animations, a simplified interface mode, and frequent syncs with the official firmware. Unleashed focuses on stability and sub-GHz protocol coverage, adding region-unlocked frequencies while keeping the interface close to stock.

The honest assessment: custom firmware does not magically bypass security protocols. It will not crack rolling codes, clone DESFire cards, or hack WiFi networks. What it does is unlock restricted frequency bands, add community-built applications, and provide UI customization. For learning and authorized security research, Momentum or Unleashed are worthwhile upgrades. For casual users, the stock firmware covers 90% of practical use cases.

What the Flipper Zero Cannot Do

The gap between social media perception and reality is wider for the Flipper Zero than almost any other consumer electronics device. Understanding what it cannot do is more important than cataloging its features.

It cannot hack WiFi. The Flipper Zero has no native WiFi radio. The optional WiFi Dev Board (ESP32-based) adds WiFi scanning and packet monitoring, but it cannot crack WPA2 passwords, perform deauthentication attacks with meaningful range, or intercept encrypted traffic. For WiFi security testing, a laptop with an Alfa adapter and Aircrack-ng is the standard tool.

It cannot unlock modern cars. Modern vehicles use rolling code key fobs with AES-128 or stronger encryption. The Flipper can capture a key fob transmission, but replaying it does nothing — the code is single-use. Videos showing cars being unlocked rely on staged demonstrations, cars with aftermarket remotes using fixed codes, or relay attacks that require additional hardware the Flipper does not have.

It cannot clone bank cards. EMV chip cards use dynamic authentication with unique cryptographic keys per transaction. The Flipper can read the publicly broadcast data on a contactless card (card number, expiration date), but this data alone cannot authorize a transaction. Modern payment terminals require the cryptographic challenge-response that only the original card's secure element can produce.

It cannot replace a software-defined radio. The CC1101's narrowband architecture requires knowing the modulation scheme before receiving. A HackRF ($340) or even an RTL-SDR ($30) captures raw wideband signals across a much wider frequency range, making them better tools for reverse-engineering unknown protocols.

It is not a one-click hacking device. Every useful function requires understanding the underlying protocol. Reading an NFC card means nothing if you do not understand MIFARE key sectors. Capturing a sub-GHz signal is pointless without knowing whether it uses fixed or rolling codes. The Flipper Zero is a learning tool that rewards curiosity and punishes the expectation of push-button hacking.

Frequently Asked Questions

Is the Flipper Zero legal to own and use?

In most countries, owning a Flipper Zero is legal. It is a radio transceiver and hardware tool, not unlike a software-defined radio or a USB Rubber Ducky. What matters is how you use it. Using it to access systems you do not own or have authorization to test is illegal under computer fraud laws in the US (CFAA), UK, EU, and most other jurisdictions. Canada briefly banned imports in 2024 but reversed the decision. Always limit testing to your own devices or systems you have written authorization to assess.

Can a Flipper Zero hack WiFi networks?

No. The Flipper Zero has no built-in WiFi radio. The optional WiFi Dev Board adds basic scanning and packet monitoring via an ESP32, but it cannot crack WPA2/WPA3 passwords, perform effective deauthentication attacks, or intercept encrypted traffic. WiFi penetration testing requires a laptop with a dedicated WiFi adapter (like an Alfa AWUS036ACH) and tools like Aircrack-ng or Hashcat.

Is the Flipper Zero worth $199?

It depends on your goals. For learning about radio protocols, NFC, RFID, infrared, and hardware interfaces, the Flipper Zero consolidates tools that would cost $400-600 individually (SDR dongle, Proxmark, USB Rubber Ducky, IR blaster, logic analyzer) into a single $199 device with a polished interface. If you want a push-button hacking tool or expect TikTok-level capabilities, you will be disappointed. The value scales directly with your willingness to learn the underlying protocols.

Should I install custom firmware like Momentum or Unleashed?

If you are new to the Flipper Zero, start with stock firmware for at least a month. It covers the core functionality and receives official updates. Once you understand the basics, Momentum Firmware adds the most polished experience with UI customization, expanded app library, and JavaScript scripting. Unleashed is better if you want stability with unlocked sub-GHz frequency bands. Custom firmware does not add fundamentally new capabilities — it unlocks restricted frequencies and adds community apps.

Can the Flipper Zero clone my office access card?

It depends on the card technology. Older 125 kHz cards (EM4100, HID Prox, Indala) can typically be read and emulated. 13.56 MHz MIFARE Classic cards can often be cloned using dictionary attacks against their broken Crypto-1 encryption. However, modern secure cards — DESFire EV2/EV3, HID iCLASS SE, and HID SEOS — cannot be cloned. The Flipper will identify the card type but cannot extract the keys needed for emulation.

How does the Flipper Zero compare to the LilyGo T-Deck?

They serve different purposes. The Flipper Zero is a protocol analysis and emulation tool with sub-GHz, NFC, RFID, IR, and BadUSB. The LilyGo T-Deck is an ESP32-S3 development board with a keyboard, trackball, display, and optional LoRa module. The T-Deck is better for building custom applications, LoRa mesh networking, and sustained embedded projects. The Flipper is better for quick hardware probing, signal capture, and security assessment. They complement each other rather than compete.

Can the Flipper Zero open garage doors?

Only if the garage door uses fixed codes, which most systems manufactured after 2000 do not. Modern garage door openers use rolling code protocols where each remote press generates a unique, single-use code. The Flipper can capture a rolling code transmission, but replaying it will not open the door because the code has already been consumed by the receiver. Fixed-code systems on 300-433 MHz can be captured and replayed, but these are increasingly rare.