RFID Hacking With The Flipper Zero (Guide)
- Biohazard

- 3 days ago
- 5 min read

Flipper Zero: RFID Hacking
Here's a comprehensive guide to RFID hacking with the Flipper Zero, broken down by frequency and attack type.
Flipper Zero RFID Capabilities
The Flipper has three separate radios for RFID:
Radio | Frequency | Protocols | Range |
125 kHz (LF) | 125-134 kHz | EM4100, HID Prox, FDX-B, Indala, etc. | ~5 cm |
13.56 MHz (HF) | 13.56 MHz | ISO 14443 (MIFARE), ISO 15693, NFC, FeliCa | ~5 cm |
Internal NFC | 13.56 MHz | NFC-A/B/F/V, NTAG, MIFARE Ultralight | ~5 cm |
125kHz Low-Frequency Attacks
This is the easiest attack surface. Most older access control badges and implantable chips run at this frequency.
Read and Clone (EM4100 and Many HID Prox Cards)
Flipper Menu → 125 kHz RFID → Read
Hold the card flush against the back of the Flipper (the antenna is on the back, near the top). The Flipper reads the raw ID and identifies the protocol. EM4100 and unencrypted HID Prox cards can be cloned immediately:
Read → Save → Emulate (to replay)
If you want to write the ID to a physical blank tag (T5577):
125 kHz RFID → Saved → [select card] → Write
Hold a T5577 rewritable tag to the back and write. Now you have a physical clone.
HID Prox Card Analysis
HID Prox cards use a 26-bit (or 37-bit, etc.) Wiegand format. After reading, the Flipper shows:
FC (Facility Code) — Identifies the building or organization. Usually 0-255 for 26-bit.
CN (Card Number) — Individual card ID. Typically 0-65535 for 26-bit.
Bit length — 26, 34, 37, 40, etc.
Knowing the facility code lets you brute-force valid card numbers. If FC is 42 and cards are 26-bit, there are only 65,535 possible card numbers. The Flipper can't brute-force directly (it's slow at 125 kHz writes), but you can:
Use a Proxmark3 with lf hid bruteforce or write a script to iterate through T5577 emulations
Use the Flipper NRF24/RFID plugin or custom firmware (like Unleashed or RogueMaster) that adds brute-force scripting
Indala (PSK) Cards
Indala cards use phase-shift keying and are harder to clone to blank T5577 tags. The Flipper can read some Indala formats but can't always write them. For these, you'll want a Proxmark3.
13.56 MHz High-Frequency / NFC Attacks
MIFARE Classic (The Main Target)
MIFARE Classic (1K/4K/S50) is the most common HF access card. It uses a proprietary CRYPTO1 cipher that has been broken since 2008.
Step 1: Detect the card type
NFC → Read
The Flipper displays the SAK/ATQA values. If you see:
SAK: 08, ATQA: 00 04 → MIFARE Classic 1K
SAK: 18, ATQA: 00 02 → MIFARE Classic 4K
Step 2: Check for default keys and collect nonces
NFC → MIFARE Classic → Detect Reader
This tests the card against a dictionary of known keys. The Flipper's built-in dictionary has common keys like FFFFFFFFFFFF, A0A1A2A3A4A5, B0B1B2B3B4B5, and the standard MIFARE transport keys.
Step 3: Static nested attack (if partially readable)
If Detect Reader recovers at least one sector key, the Flipper can use the static nested attack (a.k.a. MIFARE Classic nested attack) to recover the remaining keys:
MIFARE Classic → [select card] → Run Nested Attack
This exploits a weakness in CRYPTO1 where knowing one key lets you derive others. You'll need to collect several hundred nonces — the Flipper tells you when it has enough.
Step 4: Read and save all sectors
Once all keys are recovered:
[card] → Detect Reader → Read All Sectors
Step 5: Write to a magic card (Gen1/Gen2)
To clone a MIFARE Classic, you need a magic card (also called a Chinese magic card or UID-changeable card):
Gen1 (Backdoor) — Responds to a special backdoor command sequence. The Flipper can write these natively.
Gen2 (Gen1a) — Uses a password-protected write sequence. The Flipper can write these too.
Saved → [card dump] → Write → [hold magic card to Flipper]
Make sure to write Block 0 (which contains the UID) — this is the whole point of a magic card. Genuine MIFARE Classic chips have a read-only Block 0.
MIFARE Ultralight
Ultralight cards (NTAG series) are used for disposable tickets, hotel keys, and some transit cards. They have no authentication.
NFC → Read → Save → Emulate
These can be cloned to magic Ultralight cards (UID-changeable NTAG 213/215/216). The Flipper supports writing to these directly.
MIFARE DESFire
DESFire (EV1/EV2/EV3) uses actual cryptographic authentication (3DES/AES). The Flipper cannot break DESFire. You'll need a Proxmark3 RDV4 with hf_mfdes and a proper attack toolchain, and even then it's a non-trivial cryptographic attack. Focus on relaying or targeting the reader side instead.
Sniffing and Relaying
Sniff Reader-Card Communication
125 kHz RFID → Extra Actions → Read ASK/PSK RAW
This captures the raw RF signal between a reader and a card. Useful for reverse-engineering unknown protocols.
NFC Sniffing
The Flipper's NFC sniffer captures ISO 14443-3 initialization and anti-collision but not full 14443-4 encrypted sessions. For full sniffer capability, use a Proxmark3.
Custom Firmware Upgrades
Stock Flipper firmware is limited. Flash Unleashed or RogueMaster for:
Extended key dictionaries (hundreds more MIFARE keys)
Brute-force scripts for HID Prox
Additional RFID/NFC plugins
MARAUDER-compatible WiFi/NRF24 attacks (if you have the WiFi devboard)
Flashing:
1. Download firmware from github.com/DarkFlippers/unleashed-firmware
2. Connect Flipper via USB
3. Run qFlipper → Install from file → select .dfu or .tgz
Field Operations - What Actually Works
When approaching a real pentest:
Tailgating / Door Access
Walk near the building and look for readers. HID, Indala, and AWID logos on the reader tell you the frequency.
If you can physically touch a reader, a Proxmark3 can often extract the site key by interacting with the reader directly (reader attacks, not card attacks).
If you can borrow or find a valid card for 30 seconds, clone it with the Flipper in LF mode — it takes under 5 seconds.
For HF/MIFARE, you'll need 1-5 minutes with the card depending on whether you need a nested attack. Plan accordingly.
Credential Harvesting
A Proxmark3 worn on your wrist in "standalone" mode can silently log every 125 kHz card you walk past. The Flipper can't do this — it requires a button press.
For NFC, use the Flipper's NFC Reader plugin (detect mode), but it's not fully passive. Cards must be within ~3 cm.
MIFARE Classic Sector Manipulation
If you recover keys for a card, you can do more than clone — you can modify values:
Value blocks (sector trailers with value format): Modify prepaid balances, vending credits, laundry tokens
Access control data: Change access bits to escalate privileges on a known facility code system
The Flipper's MIFARE Classic editor lets you modify individual blocks and sectors after reading:
NFC → MIFARE Classic → [saved dump] → Edit Dump
Limitations - When You Need A ProxMark3
The Flipper is an excellent entry tool but hits walls:
Task | Flipper Zero | Proxmark3 / Proxmark3 RDV4 |
Read/write 125 kHz | Yes | Yes, faster and more formats |
Bruteforce HID Prox | No (without mods) | Yes (lf hid bruteforce) |
Hardnested attack MIFARE Classic | No | Yes |
DESFire attack | No | Yes (with external tools) |
iCLASS / PicoPass | No | Yes |
Standalone sniffing | No | Yes, full sniff/harvest mode |
Reader attacks (extract key from reader) | No | Yes (hf mf hardnested on reader) |
If this is a serious engagement, bring both. Use the Flipper for quick clones and NFC interaction, and break out the Proxmark3 for the heavy lifting.




Comments