coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GitBook: [#3708] No subject

Browse Source
This commit is contained in:
CPol 2022-12-24 23:50:44 +00:00 committed by gitbook-bot
parent 12940764ae
commit a67c8751d7
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
7 changed files with 158 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
SUMMARY.md
View File

@ -675,6 +675,7 @@
* [iButton](todo/radio-hacking/ibutton.md)
* [Flipper Zero](todo/radio-hacking/flipper-zero/README.md)
* [FZ - NFC](todo/radio-hacking/flipper-zero/fz-nfc.md)
* [FZ - Sub-Ghz](todo/radio-hacking/flipper-zero/fz-sub-ghz.md)
* [FZ - Infrared](todo/radio-hacking/flipper-zero/fz-infrared.md)
* [FZ - iButton](todo/radio-hacking/flipper-zero/fz-ibutton.md)
* [FZ - 125kHz RFID](todo/radio-hacking/flipper-zero/fz-125khz-rfid.md)

96
todo/radio-hacking/flipper-zero/README.md
View File

@ -12,94 +12,16 @@
</details>
## Sub-Ghz
### Frequency Analyser
{% hint style="info" %}
How to find which frequency is the remote using
{% endhint %}
When analysing, Flipper Zero is scanning signals strength (RSSI) at all the frequencies available in frequency configuration. Flipper Zero displays the frequency with the highest RSSI value, with signal strength higher than -90 [dBm](https://en.wikipedia.org/wiki/DBm).
To determine the remote's frequency, do the following:
1. Place the remote control very close to the left of Flipper Zero.
2. Go to **Main Menu** **→ Sub-GHz**.
3. Select **Frequency Analyzer**, then press and hold the button on the remote control you want to analyze.
4. Review the frequency value on the screen.
### Read
{% hint style="info" %}
Find info about the frequency used (also another way to find which frequency is used)
{% endhint %}
The **Read** option **listens on the configured frequency** on the indicated modulation: 433.92 AM by default. If **something is found** when reading, **info is given** in the screen. This info could be use to replicate the signal in the future.
While Read is in use, it's possible to press the **left button** and **configure it**.\
At this moment it has **4 modulations** (AM270, AM650, FM328 and FM476), and **several relevant frequencies** stored:
<figure><img src="../../../.gitbook/assets/image (28).png" alt=""><figcaption></figcaption></figure>
You can set **any that interests you**, however, if you are **not sure which frequency** could be the one used by the remote you have, **set Hopping to ON** (Off by default), and press the button several times until Flipper captures it and give you the info you need to set the frequency.
{% hint style="danger" %}
Switching between frequencies takes some time, therefore signals transmitted at the time of switching can be missed. For better signal reception, set a fixed frequency determined by Frequency Analyzer.
{% endhint %}
### **Read Raw**
{% hint style="info" %}
Steal (and replay) a signal in the configured frequency
{% endhint %}
The **Read Raw** option **records signals** send in the listening frequency. This can be used to **steal** a signal and **repeat** it.
By default **Read Raw is also in 433.92 in AM650**, but if with the Read option you found that the signal that interest you is in a **different frequency/modulation, you can also modify that** pressing left (while inside the Read Raw option).
### Add Manually
{% hint style="info" %}
Add signals from a configured list of protocols
{% endhint %}
#### List of [supported protocols](https://docs.flipperzero.one/sub-ghz/add-new-remote) <a href="#3iglu" id="3iglu"></a>
| Princeton\_433 (works with the majority of static code systems) | 433.92 | Static |
| ---------------------------------------------------------------- | ------ | ------- |
| Nice Flo 12bit\_433 | 433.92 | Static |
| Nice Flo 24bit\_433 | 433.92 | Static |
| CAME 12bit\_433 | 433.92 | Static |
| CAME 24bit\_433 | 433.92 | Static |
| Linear\_300 | 300.00 | Static |
| CAME TWEE | 433.92 | Static |
| Gate TX\_433 | 433.92 | Static |
| DoorHan\_315 | 315.00 | Dynamic |
| DoorHan\_433 | 433.92 | Dynamic |
| LiftMaster\_315 | 315.00 | Dynamic |
| LiftMaster\_390 | 390.00 | Dynamic |
| Security+2.0\_310 | 310.00 | Dynamic |
| Security+2.0\_315 | 315.00 | Dynamic |
| Security+2.0\_390 | 390.00 | Dynamic |
### Supported Sub-GHz vendors
Check the list in [https://docs.flipperzero.one/sub-ghz/supported-vendors](https://docs.flipperzero.one/sub-ghz/supported-vendors)
### Suppoerted Frequencies by region
Check the list in [https://docs.flipperzero.one/sub-ghz/frequencies](https://docs.flipperzero.one/sub-ghz/frequencies)
### Test
{% hint style="info" %}
Get dBms of the saved frequencies
{% endhint %}
## 125 kHz RFID
With [**Flipper Zero**](https://flipperzero.one/) you can:
* **Listen/Capture/Replay radio frequencies:** [**Sub-GHz**](fz-sub-ghz.md)****
* **Read/Capture/Emulate NFC cards:** [**NFC**](fz-nfc.md)****
* **Read/Capture/Emulate 125kHz tags:** [**125kHz RFID**](fz-125khz-rfid.md)****
* **Read/Capture/Send Infrared signals:** [**Infrared**](fz-infrared.md)****
* **Read/Capture/Emulate iButtons:** [**iButton**](../ibutton.md)****
* **Use is as Bad USB**
* **Use it as security key (U2F)**
* **Play Snake**
<details>

8
todo/radio-hacking/flipper-zero/fz-125khz-rfid.md
View File

@ -12,6 +12,14 @@
</details>
## Intro
For more info about how 125kHz tags work check:
{% content-ref url="../../../radio-hacking/pentesting-rfid.md" %}
[pentesting-rfid.md](../../../radio-hacking/pentesting-rfid.md)
{% endcontent-ref %}
## Actions
For more info about these types of tags [**read this intro**](../../../radio-hacking/pentesting-rfid.md#low-frequency-rfid-tags-125khz).

8
todo/radio-hacking/flipper-zero/fz-ibutton.md
View File

@ -12,6 +12,14 @@
</details>
## Intro
For more info about what is an iButton check:
{% content-ref url="../ibutton.md" %}
[ibutton.md](../ibutton.md)
{% endcontent-ref %}
## Design
The **blue** part of the following imageis how you would need to **put the real iButton** so the Flipper can **read it.** The **green** part is how you need to **touch the reader** with the Flipper zero to **correctly emulate an iButton**.

8
todo/radio-hacking/flipper-zero/fz-infrared.md
View File

@ -12,6 +12,14 @@
</details>
## Intro <a href="#ir-signal-receiver-in-flipper-zero" id="ir-signal-receiver-in-flipper-zero"></a>
For more info about how Infrared works check:
{% content-ref url="../infrared.md" %}
[infrared.md](../infrared.md)
{% endcontent-ref %}
## IR Signal Receiver in Flipper Zero <a href="#ir-signal-receiver-in-flipper-zero" id="ir-signal-receiver-in-flipper-zero"></a>
Flipper uses a digital IR signal receiver TSOP, which **allows intercepting signals from IR remotes**. There are some **smartphones** like Xiaomi, which also have an IR port, but keep in mind that **most of them can only transmit** signals and are **unable to receive** them.

8
todo/radio-hacking/flipper-zero/fz-nfc.md
View File

@ -12,6 +12,14 @@
</details>
## Intro <a href="#9wrzi" id="9wrzi"></a>
For info about RFID and NFC check the following page:
{% content-ref url="../../../radio-hacking/pentesting-rfid.md" %}
[pentesting-rfid.md](../../../radio-hacking/pentesting-rfid.md)
{% endcontent-ref %}
## Supported NFC cards <a href="#9wrzi" id="9wrzi"></a>
{% hint style="danger" %}

116
todo/radio-hacking/flipper-zero/fz-sub-ghz.md Normal file
View File

@ -0,0 +1,116 @@
# FZ - Sub-Ghz
<details>
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
##
## Actions
### Frequency Analyser
{% hint style="info" %}
How to find which frequency is the remote using
{% endhint %}
When analysing, Flipper Zero is scanning signals strength (RSSI) at all the frequencies available in frequency configuration. Flipper Zero displays the frequency with the highest RSSI value, with signal strength higher than -90 [dBm](https://en.wikipedia.org/wiki/DBm).
To determine the remote's frequency, do the following:
1. Place the remote control very close to the left of Flipper Zero.
2. Go to **Main Menu** **→ Sub-GHz**.
3. Select **Frequency Analyzer**, then press and hold the button on the remote control you want to analyze.
4. Review the frequency value on the screen.
### Read
{% hint style="info" %}
Find info about the frequency used (also another way to find which frequency is used)
{% endhint %}
The **Read** option **listens on the configured frequency** on the indicated modulation: 433.92 AM by default. If **something is found** when reading, **info is given** in the screen. This info could be use to replicate the signal in the future.
While Read is in use, it's possible to press the **left button** and **configure it**.\
At this moment it has **4 modulations** (AM270, AM650, FM328 and FM476), and **several relevant frequencies** stored:
<figure><img src="../../../.gitbook/assets/image (28).png" alt=""><figcaption></figcaption></figure>
You can set **any that interests you**, however, if you are **not sure which frequency** could be the one used by the remote you have, **set Hopping to ON** (Off by default), and press the button several times until Flipper captures it and give you the info you need to set the frequency.
{% hint style="danger" %}
Switching between frequencies takes some time, therefore signals transmitted at the time of switching can be missed. For better signal reception, set a fixed frequency determined by Frequency Analyzer.
{% endhint %}
### **Read Raw**
{% hint style="info" %}
Steal (and replay) a signal in the configured frequency
{% endhint %}
The **Read Raw** option **records signals** send in the listening frequency. This can be used to **steal** a signal and **repeat** it.
By default **Read Raw is also in 433.92 in AM650**, but if with the Read option you found that the signal that interest you is in a **different frequency/modulation, you can also modify that** pressing left (while inside the Read Raw option).
### Add Manually
{% hint style="info" %}
Add signals from a configured list of protocols
{% endhint %}
#### List of [supported protocols](https://docs.flipperzero.one/sub-ghz/add-new-remote) <a href="#3iglu" id="3iglu"></a>
| Princeton\_433 (works with the majority of static code systems) | 433.92 | Static |
| ---------------------------------------------------------------- | ------ | ------- |
| Nice Flo 12bit\_433 | 433.92 | Static |
| Nice Flo 24bit\_433 | 433.92 | Static |
| CAME 12bit\_433 | 433.92 | Static |
| CAME 24bit\_433 | 433.92 | Static |
| Linear\_300 | 300.00 | Static |
| CAME TWEE | 433.92 | Static |
| Gate TX\_433 | 433.92 | Static |
| DoorHan\_315 | 315.00 | Dynamic |
| DoorHan\_433 | 433.92 | Dynamic |
| LiftMaster\_315 | 315.00 | Dynamic |
| LiftMaster\_390 | 390.00 | Dynamic |
| Security+2.0\_310 | 310.00 | Dynamic |
| Security+2.0\_315 | 315.00 | Dynamic |
| Security+2.0\_390 | 390.00 | Dynamic |
### Supported Sub-GHz vendors
Check the list in [https://docs.flipperzero.one/sub-ghz/supported-vendors](https://docs.flipperzero.one/sub-ghz/supported-vendors)
### Suppoerted Frequencies by region
Check the list in [https://docs.flipperzero.one/sub-ghz/frequencies](https://docs.flipperzero.one/sub-ghz/frequencies)
### Test
{% hint style="info" %}
Get dBms of the saved frequencies
{% endhint %}
## 125 kHz RFID
<details>
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>