Cyberdolphin. The story of Flipper — hacker’s Swiss Army knife

Hacking and pentesting are normally associated with hours-long sitting at your computer, but this is not quite so: many devices and wireless networks can be accessed only personally. In such situations, you need a hacking multitool – portable and suitable for ‘field work’. While some people are only dreaming about such a miraculous device, others are going to launch its mass production soon. The forthcoming tool is called Flipper.

Some portable devices for Wi-Fi interception are already available to hackers, but interaction with hardware currently looks as follows: you take on a mission a laptop, a debugging board with firmware versions for all eventualities, several antennas, adapters, and expansion boards, and an external battery for autonomous work. Plus, you need a bunch of wires to connect all these components together, an organizer to store small stuff, and handmade cases to protect fragile components during the transportation. A familiar picture, huh?

Pavel Zhovner, who introduces himself as a geek, techno freak, and mantis, is well aware of the situation. While being in charge of the CTF contest at ZeroNights 2018 held in St. Petersburg, he developed from scratch a vending machine similitude with a point-of-sale terminal accepting RFID cards. To make the device more durable, he covered the textolite board with installed components with a thin layer of transparent epoxy. This was Pavel’s first experience in the creation of handmade gadgets.

Then another important event occurred: the AirDrop file exchange protocol developed by Apple has attracted the attention of security researchers. An open-source implementation called OpenDrop was created, and it became possible to send files to iPhones from any devices, not only from made-by-Apple ones. Using a Raspberry Pi, you can start sending pics to all bystanders whose iPhones are configured to receive files ‘from all’.

In an interview to Xakep.ru, Pavel told how he had fun exploiting this function.

Prior to the release of iOS 13, when you were sending a picture via AirDrop, its preview had appeared on the phone screen before the recipient could tap “accept” or “decline”. I created a device on the basis of a Raspberry Pi Zero W and a battery to send such pictures. My girlfriend wrote a bot for Telegram @AirTrollBot to generate pictures with suitable captions on the fly. Telephones are often called “Jen’s iPhone” or “Mary’s iPhone”, and I used this to address phone owners by their names.

I was sitting in the subway, seeing up to ten people at once, and bombed them with personalized pictures. Thanks to this device, I got acquainted with many girls and had express dates on my way from the subway to work. The bot can add your Telegram nickname to the picture, and many girls were smart enough to write me. I was also sending various pranks to guys. For instance, I saw an iPhone belonging to John and sent him a picture: “John is looser!” Then I had fun watching him surprisingly looking around.

However, Raspberry Pi has no display, and you cannot see what’s going on inside it. It is also uncomfortable to keep an uncoated fragile piece of textolite in your pocket, while cases made on a 3D printer are unhandy and not stylish. Every time you assemble something from ready-to-use modules and components, you get a lumpish ‘sandwich’ of boards that collapses of any touch.

The pwnagotchi project became another important milestone for Pavel. This virtual pet intercepts handshakes sent by wireless network controllers during the creation of new connections. In the active mode, pwnagotchi intercepts packets with hashes for WPA keys, deauthenticates users, and forces disconnections to expedite the process. The digital pet features neural networks based on short-term memory and deep learning methods. This enables the device to flexibly configure the traffic interception and analysis parameters.

Of course, Flipper is inspired not only by tamagotchi. Seasoned hackers remember Cybiko enabling its users to create dynamic wireless networks in the early 2000s. Various expansion modules granted more possibilities to this handheld computer, including playing MP3 files and reading SmartMedia cards. Thanks to a large (for that period) game and software library, the device quickly became very popular, and a community of dedicated users was formed around it.

Ultimately, the main features of the future device have been defined: (1) it should be a universal pocket hacking tool for wireless networks; (2) the project must be maximally open so that everybody can tweak the gadget for their personal needs; and (3) a cute tamagotchi should attach individuality to the device.

Exterior

The Flipper team spent plenty of time to develop a suitable case. First, it was important to produce an elegant design having an obvious advantage over other hacking tools (many of them are available only as uncoated printed boards with installed components). Second, the device had to be compact, durable, and handy – so that it can be used on the move.

Third, the case had to accommodate all internal antennas for wireless interfaces (see below) and a few sockets. This was a true challenge: the set of available peripherals had changed multiple times; the PCB size and form underwent several iterations as well; and it was necessary to take all these changes into account and adjust the case accordingly.

As you have already noticed, Flipper features an unusual design. A cyberdolphin is the project mascot and tamagotchi. It refers to the story “Johnny Mnemonic” by William Gibson, a pioneer of the cyberpunk genre, and hints about the natural curiosity of dolphins and their sonar using waves to explore the world around. In addition, the case visually resembles a flipper.

The top-notch design of Flipper must be credited to the DesignHeroes studio. Its team has extensive experience in producing cases for various electronic devices. They helped Pavel Zhovner greatly with sketches of the future product, its 3D models, and first printed prototypes.

Screen

Pavel considers screen a key component of the future device. The power consumption of the display backlight is critical for portable tools dependent on the battery: if it consumes too much power, the battery life significantly decreases.

The E Ink screen used in the above-mentioned pwnagotchi is the most power-efficient solution; too bad, its refreshment rate is very low (up to one second), and the navigation through menu tabs may take a while. The partial refreshment mode (without redrawing the entire frame) is not good, too, because a clearly visible image ghosting remains on the screen.

Therefore, it was decided to equip Flipper with a time-honored 1.4-inch liquid-crystal display with the resolution of 128 x 64 pixels. Its monochrome images are very contrast and visible in bright daylight, while the low power consumption (some 400 μA without backlight) allows to display actual information for a long time.

Of course, the best choice for a hacking device would be a sharp memory display refreshing the picture once in a few seconds in the standby mode, while the rest of the device is sleeping. Such displays are used in modern smart watches and fitness trackers. However, their cost is too high yet (some $20) which is inconsistent with the Flipper’s budget.

Processor selection

The main chip selection was of utmost importance because it determines many parameters of the future device.

Raspberry Pi

Initially, the Flipper project was based on cheap ($10) Raspberry Pi Zero W. Launched in 2017, this microcomputer is equipped with a single-core ARM CPU, 512MB RAM, GPIO and USB sockets, and Wi-Fi and Bluetooth wireless interfaces. A large enthusiastic community has been formed around the device. These advantages seemed to outweigh such defects as low processing power and overheating issues.

Then enthusiasts found out how to run the monitor mode with packet injection on a Wi-Fi adapter (nexmon patches), and Kali developers immediately announced the official support of Raspberry Pi in their Linux builds. As a result, a nearly perfect hacking and pentesting tool was created. The only missing components were battery power schemes, sleeping mode functions, and some peripherals.

According to the creators of Flipper, these functions had to be implemented by a separate low-power microcontroller used in combination with the RPi CPU. This microcontroller could be kept on power permanently to attack simple targets, while the CPU was supposed to be used only for challenging tasks.

However, later, the developers had to abandon the idea to use Raspberry Pi. It turned out that none of the suppliers could ship thousands of devices at once. Apparently, Raspberry Pi (or at least its budget version) is sold at a price close to its production cost and only pays for itself without generating any profit. The Raspberry Pi Foundation website recommends to use the Compute Module for industrial and mass production purposes. But it costs $40, which is not acceptable for the Flipper project.

i.MX6

So, the Flipper team decided to redesign the device nearly from scratch on the basis of another SoC (System on a Chip). The choice was pretty limited because not all manufacturers were willing to deal with a small company ordering just a few thousand microchips.

Finally, a new core has been chosen for Flipper: i.MX6 ULZ. This is a cost-efficient consumer version of the one-core Cortex-A7 processor lacking a video unit and some interfaces. i.MX6 is roughly on par with Raspberry Pi by performance but significantly exceeds it by power efficiency.

Unfortunately, the developers weren’t able to find an equally suitable Wi-Fi adapter yet. The potential candidates must meet high requirements, including the support of modern wireless standards and 2.4 and 5 GHz ranges, as well as the possibility to unblock the monitoring regime using third-party patches. In addition, the wholesale price of the adapter must not exceed $10. If you know a suitable model, please contact the developers on their forum.

STM32

While the hardware aspect of the project involving the ‘big’ components (i.e. CPU and Wi-Fi adapter) remains stalled, the rest of the scheme, including the wiring and microcontroller, has been implemented step-by-step. The key element is the STM32L412 microcontroller operating at a frequency of 80 MHz and featuring 128 KB of flash memory and 40 KB of SRAM. Compared with the well-known F4 series, this microprocessor has been released relatively recently – but quickly gained popularity for its low power consumption and extensive set of modern peripherals.

In Flipper, the microcontroller not only reacts to button presses and retransmits them to the CPU, but also communicates with the low-speed wireless interfaces and screen. The tamagotchi dolphin living in the device is serviced by the microcontroller, too, to promptly react to user’s requests. After implementing all these features in hardware and software, members of the Flipper team asked themselves a logical question: isn’t this a ready-to-go device?

This is how Flipper Zero was born.

Flipper Zero

The first device Pavel Zhovner and his team are going to introduce to the world is Flipper Zero, a microcontroller-based Flipper version. The version equipped with a fully featured computer and Wi-Fi module is called Flipper One, and so far, it exists only in projects and design schemes.

433 MHz

Several microchips in the device are responsible for wireless communication. One of them, CC1101, manufactured by Texas Instruments enables Flipper to operate at a frequency of 433 MHz with several modulation types: 2FSK, 4FSK, GFSK, and MSK. Normally, this frequency is used by most primitive devices: detectors, buzzers, lifting gates, etc.

Such devices use common information exchange protocols: KeeLoq, Came, or DoorHan. Using its built-in analyzer, Flipper will tell you what are you currently dealing with. Even if it’s impossible to identify the protocol precisely, the device will be able to replay the recorded response later.

Similarly with other tamagotchi toys, Flipper can communicate with its kin at this frequency, which means that you will be able to play and connect with other device owners hanging around.

RFID

The next wireless interface communicates with access cards equipped with NFC antennas, e.g. EM-4100. Their data storage format is pretty primitive, and Flipper enables you to read, copy, and emulate the existing cards. If necessary, the obtained card ID can be sent to another Flipper.

Infrared port

The majority of modern gadgets are not equipped with infrared transceivers; however, plenty of appliances still use this signal type, including TV sets, air conditioners, audio systems, etc. The Flipper’s memory stores basic commands enabling you to control the most common models. It is easy to teach the device how to communicate with your appliances: just take the original remote control, put it in front of your Flipper, and consequently press the required buttons. Flipper will remember the new combinations and replay them at your command.

GPIO pins

For hackers preferring low-level communication with the attacked/pentested hardware, the developers placed the microcontroller’s GPIO pins on one of the side panels. Aside from the power and basic digital signals, the following peripherals are available: ADC, SPI, UART, I2C, PWM, and many others. This allows to connect other components to Flipper in order to expand its capabilities. It’s still unclear though whether the expansion board concept would be implemented (similar to Arduino or Raspberry Pi) – after all, Flipper is advertised as a ready-to-go device.

USB-C

The initial Flipper version (the one based on RPi Zero) had plenty of sockets: several USB ports, MicroHDMI, and a memory card slot. The STM32-based version features only one USB port for powering and reprogramming (the respective bootloader is hardcoded in the microcontroller). In 2020, USB Type-C has finally become a de facto standard, and if you have a charger for Raspberry Pi 4, you can use it to charge Flipper as well.

The STMF412 microcontroller can operate as a USB Device, and with the respective firmware, Flipper can be connected to your PC as a HID device, a flash card, or a COM port (but, of course, not at once).

Crowdfunding

Today, Flipper exists only in prototypes. Up until mid-spring, new working versions had been manufactured in China and shipped to the Russia-based developers. However, the coronavirus has interfered, and the authors had to revise some deadlines. The Flipper team is planning to launch a crowdfunding campaign very soon. The first devices are expected to be shipped to customers early this winter. Check HackMag for reviews!