top of page

RFID Hacking With The Flipper Zero (Guide)

RFID Hacking With The Flipper Zero (Guide) | Black Hat HQ

Flipper Zero: RFID Hacking


Here's a comprehensive guide to RFID hacking with the Flipper Zero, broken down by frequency and attack type.


Flipper Zero RFID Capabilities


The Flipper has three separate radios for RFID:


Radio

Frequency

Protocols

Range

125 kHz (LF)

125-134 kHz

EM4100, HID Prox, FDX-B, Indala, etc.

~5 cm

13.56 MHz (HF)

13.56 MHz

ISO 14443 (MIFARE), ISO 15693, NFC, FeliCa

~5 cm

Internal NFC

13.56 MHz

NFC-A/B/F/V, NTAG, MIFARE Ultralight

~5 cm


125kHz Low-Frequency Attacks


This is the easiest attack surface. Most older access control badges and implantable chips run at this frequency.


Read and Clone (EM4100 and Many HID Prox Cards)


Flipper Menu → 125 kHz RFID → Read

Hold the card flush against the back of the Flipper (the antenna is on the back, near the top). The Flipper reads the raw ID and identifies the protocol. EM4100 and unencrypted HID Prox cards can be cloned immediately:


Read → Save → Emulate (to replay)

If you want to write the ID to a physical blank tag (T5577):


125 kHz RFID → Saved → [select card] → Write

Hold a T5577 rewritable tag to the back and write. Now you have a physical clone.


HID Prox Card Analysis


HID Prox cards use a 26-bit (or 37-bit, etc.) Wiegand format. After reading, the Flipper shows:


  • FC (Facility Code) — Identifies the building or organization. Usually 0-255 for 26-bit.

  • CN (Card Number) — Individual card ID. Typically 0-65535 for 26-bit.

  • Bit length — 26, 34, 37, 40, etc.


Knowing the facility code lets you brute-force valid card numbers. If FC is 42 and cards are 26-bit, there are only 65,535 possible card numbers. The Flipper can't brute-force directly (it's slow at 125 kHz writes), but you can:


  1. Use a Proxmark3 with lf hid bruteforce or write a script to iterate through T5577 emulations

  2. Use the Flipper NRF24/RFID plugin or custom firmware (like Unleashed or RogueMaster) that adds brute-force scripting


Indala (PSK) Cards


Indala cards use phase-shift keying and are harder to clone to blank T5577 tags. The Flipper can read some Indala formats but can't always write them. For these, you'll want a Proxmark3.


13.56 MHz High-Frequency / NFC Attacks


MIFARE Classic (The Main Target)


MIFARE Classic (1K/4K/S50) is the most common HF access card. It uses a proprietary CRYPTO1 cipher that has been broken since 2008.


Step 1: Detect the card type


NFC → Read

The Flipper displays the SAK/ATQA values. If you see:

  • SAK: 08, ATQA: 00 04 → MIFARE Classic 1K

  • SAK: 18, ATQA: 00 02 → MIFARE Classic 4K


Step 2: Check for default keys and collect nonces


NFC → MIFARE Classic → Detect Reader

This tests the card against a dictionary of known keys. The Flipper's built-in dictionary has common keys like FFFFFFFFFFFF, A0A1A2A3A4A5, B0B1B2B3B4B5, and the standard MIFARE transport keys.


Step 3: Static nested attack (if partially readable)


If Detect Reader recovers at least one sector key, the Flipper can use the static nested attack (a.k.a. MIFARE Classic nested attack) to recover the remaining keys:


MIFARE Classic → [select card] → Run Nested Attack

This exploits a weakness in CRYPTO1 where knowing one key lets you derive others. You'll need to collect several hundred nonces — the Flipper tells you when it has enough.

Step 4: Read and save all sectors


Once all keys are recovered:


[card] → Detect Reader → Read All Sectors

Step 5: Write to a magic card (Gen1/Gen2)


To clone a MIFARE Classic, you need a magic card (also called a Chinese magic card or UID-changeable card):


  • Gen1 (Backdoor) — Responds to a special backdoor command sequence. The Flipper can write these natively.

  • Gen2 (Gen1a) — Uses a password-protected write sequence. The Flipper can write these too.


Saved → [card dump] → Write → [hold magic card to Flipper]

Make sure to write Block 0 (which contains the UID) — this is the whole point of a magic card. Genuine MIFARE Classic chips have a read-only Block 0.


MIFARE Ultralight


Ultralight cards (NTAG series) are used for disposable tickets, hotel keys, and some transit cards. They have no authentication.


NFC → Read → Save → Emulate

These can be cloned to magic Ultralight cards (UID-changeable NTAG 213/215/216). The Flipper supports writing to these directly.


MIFARE DESFire


DESFire (EV1/EV2/EV3) uses actual cryptographic authentication (3DES/AES). The Flipper cannot break DESFire. You'll need a Proxmark3 RDV4 with hf_mfdes and a proper attack toolchain, and even then it's a non-trivial cryptographic attack. Focus on relaying or targeting the reader side instead.


Sniffing and Relaying


Sniff Reader-Card Communication


125 kHz RFID → Extra Actions → Read ASK/PSK RAW

This captures the raw RF signal between a reader and a card. Useful for reverse-engineering unknown protocols.


NFC Sniffing


The Flipper's NFC sniffer captures ISO 14443-3 initialization and anti-collision but not full 14443-4 encrypted sessions. For full sniffer capability, use a Proxmark3.


Custom Firmware Upgrades


Stock Flipper firmware is limited. Flash Unleashed or RogueMaster for:


  • Extended key dictionaries (hundreds more MIFARE keys)

  • Brute-force scripts for HID Prox

  • Additional RFID/NFC plugins

  • MARAUDER-compatible WiFi/NRF24 attacks (if you have the WiFi devboard)


Flashing:


1. Download firmware from github.com/DarkFlippers/unleashed-firmware
2. Connect Flipper via USB
3. Run qFlipper → Install from file → select .dfu or .tgz

Field Operations - What Actually Works


When approaching a real pentest:


Tailgating / Door Access


  1. Walk near the building and look for readers. HID, Indala, and AWID logos on the reader tell you the frequency.

  2. If you can physically touch a reader, a Proxmark3 can often extract the site key by interacting with the reader directly (reader attacks, not card attacks).

  3. If you can borrow or find a valid card for 30 seconds, clone it with the Flipper in LF mode — it takes under 5 seconds.

  4. For HF/MIFARE, you'll need 1-5 minutes with the card depending on whether you need a nested attack. Plan accordingly.


Credential Harvesting


  • A Proxmark3 worn on your wrist in "standalone" mode can silently log every 125 kHz card you walk past. The Flipper can't do this — it requires a button press.

  • For NFC, use the Flipper's NFC Reader plugin (detect mode), but it's not fully passive. Cards must be within ~3 cm.


MIFARE Classic Sector Manipulation


If you recover keys for a card, you can do more than clone — you can modify values:

  • Value blocks (sector trailers with value format): Modify prepaid balances, vending credits, laundry tokens

  • Access control data: Change access bits to escalate privileges on a known facility code system


The Flipper's MIFARE Classic editor lets you modify individual blocks and sectors after reading:


NFC → MIFARE Classic → [saved dump] → Edit Dump

Limitations - When You Need A ProxMark3


The Flipper is an excellent entry tool but hits walls:


Task

Flipper Zero

Proxmark3 / Proxmark3 RDV4

Read/write 125 kHz

Yes

Yes, faster and more formats

Bruteforce HID Prox

No (without mods)

Yes (lf hid bruteforce)

Hardnested attack MIFARE Classic

No

Yes

DESFire attack

No

Yes (with external tools)

iCLASS / PicoPass

No

Yes

Standalone sniffing

No

Yes, full sniff/harvest mode

Reader attacks (extract key from reader)

No

Yes (hf mf hardnested on reader)


If this is a serious engagement, bring both. Use the Flipper for quick clones and NFC interaction, and break out the Proxmark3 for the heavy lifting.


Enroll In Online Cybersecurity & Hacking Classes/Courses | Black Hat HQ

Comments


bottom of page