
Flipper Zero

Expert review • Updated May 2026

A pocket-sized portable multi-tool radio computer that has become the default teaching device for physical-layer attack surfaces — and the most aggressively misunderstood pentest gadget on the market.


Expert rating

4.5/5

  • Hardware breadth — 4.9
  • Firmware ecosystem — 4.8
  • RF depth — 3.8
  • Portability — 5.0

What the Flipper actually is

Stripped of marketing, the Flipper Zero is a battery-powered STM32WB55-based embedded computer with four discrete radio peripherals soldered to a single PCB and a friendly 1.4" monochrome display attached. It is not an SDR, it is not a Proxmark and it is not a Rubber Ducky — it is a deliberately curated collection of commodity radio front-ends, packaged in a way that lets a single device read, replay, emulate or fuzz the four physical-layer ecosystems an entry-level red-teamer most often encounters: sub-GHz remote controls, 125 kHz LF RFID, 13.56 MHz NFC and consumer infrared. Layered on top of that is a USB-C interface that exposes BadUSB / HID injection, plus an 18-pin GPIO header that turns the Flipper into a generic UART/SPI/I²C analyser at 3.3 V.

The device is opinionated. Where the Proxmark3 RDV4 demands a tethered laptop, a command-line and an understanding of demodulation, the Flipper hides all of that behind a thumb-stick UI and a SD-card-backed library of saved keys, sub-GHz captures, IR remotes and BadUSB payloads. That trade — depth for accessibility — is why the device dominates pentest-hardware mindshare and why purists still prefer the Proxmark for serious RFID work.

Hardware architecture, board level

At the centre sits an STMicroelectronics STM32WB55RG, a dual-core SoC pairing a 64 MHz Cortex-M4 application core with a Cortex-M0+ that runs the BLE 5.0 / 802.15.4 (Zigbee, Thread, OpenThread) radio stack in isolation. That dual-core split is more than a spec line: it means the user-facing firmware and the certified BLE stack run on physically separate processors, which is why BLE-stack bugs exposed through community firmware have not (yet) led to RCE on the main application core. RAM is 256 KB SRAM and internal flash is 1 MB, augmented by a hot-swappable microSD card for libraries and payloads.

```mermaid
flowchart TB
  USR[User input<br/>5-way stick + back]
  DISP[1.4 in 128x64<br/>monochrome LCD]
  MCU[STM32WB55<br/>Cortex-M4 + M0+]
  BLE[BLE 5.0 / 802.15.4<br/>internal antenna]
  SUB[CC1101<br/>300–928 MHz Tx/Rx]
  NFC[ST25R3916<br/>13.56 MHz NFC]
  LF[T5577 + custom AFE<br/>125 kHz LF RFID]
  IR[TSOP6238 + IR LED<br/>30–56 kHz]
  iB[iButton / 1-Wire<br/>DS1990A pads]
  USB[USB-C 2.0<br/>HID, CDC, MSC]
  GPIO[18-pin GPIO<br/>UART/SPI/I²C/3v3]
  SD[microSD<br/>libraries & payloads]
  BAT[Li-Po 2000 mAh<br/>BQ25896 PMIC]
  USR --> MCU
  MCU --> DISP
  MCU <--> BLE
  MCU <--> SUB
  MCU <--> NFC
  MCU <--> LF
  MCU <--> IR
  MCU <--> iB
  MCU <--> USB
  MCU <--> GPIO
  MCU <--> SD
  BAT --> MCU
```

The sub-GHz radio is a TI CC1101, a workhorse single-chip OOK/FSK/GFSK/MSK transceiver covering 300–348, 387–464 and 779–928 MHz. It is firmware-tuned, has a 64-byte FIFO and tops out near 600 kbps. The NFC front-end is the ST25R3916, a multi-mode reader that handles ISO 14443A/B, ISO 15693 and FeliCa and is the part of the Flipper that actually performs MIFARE Classic key recovery and DESFire enumeration. The 125 kHz LF stage uses a Texas Instruments-style analog front-end driving a T5577 chip for emulation — so the Flipper not only reads EM4100 / HID Prox cards, it writes them onto a re-usable card in its own slot.

Build quality is unexpectedly serious. The injection-moulded ABS shell survived a year in a daily-carry pocket of mine without case fatigue; the screen is recessed enough to avoid scratches; the microSD slot is in the battery compartment, which is annoying but prevents accidental ejection. Charging is USB-C PD-capable at 1 A and the device runs roughly 30 hours of mixed use or weeks of standby on the 2000 mAh cell.

Firmware ecosystem — pick your pain

The defining property of the Flipper is not the hardware — competitors exist for every individual radio — but the firmware. Flipper Devices publishes the official stock firmware as open source on GitHub, which has produced one of the healthiest community-fork scenes in modern embedded gear. The five firmwares below cover >95% of what you will see in real deployments.

| Firmware | Focus | Stability | Notes |
|---|---|---|---|
| Official | Stock — region-locked TX, no piracy assist | Highest | Best for newcomers and OTA updates via qFlipper |
| Unleashed | Region unlock, unrestricted sub-GHz TX | High | Closest to stock + region-unlock — minimal feature creep |
| RogueMaster | Animations, packs, NFC magic tools, BLE spam | Medium | Heavy "kitchen sink" build; great for tinkering, more crash-prone |
| Xtreme | Polished UI, integrated NFC Magic, BadUSB libs | High | The community favourite balance — daily-driver pick |
| Momentum | Modern UX, plugin manager, ESP32 / NRF24 helpers | High | Best companion firmware if you run external WiFi/BLE Devboards |

The split between forks is largely about regional TX limits and feature creep. Stock firmware refuses to transmit on bands that are not legal in your locale unless you flash a region file; Unleashed removes the geofence with surgical precision. Xtreme and Momentum add real engineering value — NFC Magic Gen1/Gen2 helpers, ESP32-Devboard integration, BLE spam (recently rate-limited in stock iOS), DuckyScript v3 BadUSB and a proper plugin manager. RogueMaster is the kitchen-sink fork — every feature, every animation, occasional instability.

Supported attack vectors

The Flipper's spread of physical-layer attack surfaces is its single biggest selling point. None of these are novel — every one has a dedicated, better tool — but no single dedicated tool covers all of them, and certainly not in a $169 battery-powered package.

  • Sub-GHz remote replay: capture and replay fixed-code remotes (garage doors, gates, cheap car fobs). Rolling-code systems (KeeLoq) are not vulnerable to naive replay; the Flipper reads them but cannot defeat them without prior key knowledge.
  • 125 kHz LF RFID cloning: HID Prox, EM4100, AWID and similar; clone to T5577 cards or to the on-board emulator. The dominant access-control attack in 2026 — still rampant in legacy buildings.
  • 13.56 MHz NFC research: MIFARE Classic 1K/4K nested attack (with dictionary), MIFARE Ultralight read, NTAG2xx URL injection, Amiibo cloning. DESFire EV1/EV2/EV3 reads UID only — no key recovery.
  • Infrared cloning & fuzzing: capture commercial remotes, run universal-remote brute-force "TV-B-Gone" payloads. Useful for AV-equipment audits and physical-security pranks; rarely engagement-relevant.
  • iButton: DS1990A read/emulate — still common in residential elevator and storeroom systems in parts of Europe and the former CIS.
  • BadUSB / HID injection: DuckyScript v3 over USB-C with Mac, Windows and Linux keymaps. Slower than the Rubber Ducky Mk2 but indistinguishable from a charger when stowed.
  • GPIO / hardware bus analysis: UART debug at 3.3 V on routers and IoT devices, SPI flash dumping (with patience), I²C sensor probing. Pairs cleanly with the WiFi Devboard for ESP32-driven wardriving.
  • BLE / 802.15.4: limited — Apple/Android BLE-advert spam, Zigbee sniffing via custom firmware, but no proper BLE attack suite. Use a dedicated NRF52840 dongle for serious BLE work.
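Why the first bullet's replay distinction holds is easiest to see from the receiver's side. The following is an added illustration, not code from the page or from any Flipper firmware: a toy fixed-code receiver beside a toy rolling-code receiver (counter plus keyed MAC, standing in for KeeLoq's encrypted counter), fed a genuine press and then a replay of the captured frame. The shared key, serial and window size are constructed values.

```python
import hashlib
import hmac

# Constructed demo key: in a real fob it lives in fob and receiver silicon.
SHARED_KEY = b"demo-key-not-a-real-fob-key"
WINDOW = 16  # how far past the last honoured counter a receiver will resync

def fixed_code_frame(serial: int) -> bytes:
    """Fixed-code remote: every press radiates the same bits."""
    return serial.to_bytes(4, "big")

def rolling_code_frame(serial: int, counter: int) -> bytes:
    """Rolling-code remote: serial + press counter + keyed MAC over both
    (KeeLoq encrypts the counter instead; the receiver logic is the same)."""
    body = serial.to_bytes(4, "big") + counter.to_bytes(2, "big")
    return body + hmac.new(SHARED_KEY, body, hashlib.sha256).digest()[:4]

class FixedCodeReceiver:
    def __init__(self, serial: int):
        self.serial = serial

    def accept(self, frame: bytes) -> bool:
        return frame == fixed_code_frame(self.serial)  # any capture opens it

class RollingCodeReceiver:
    def __init__(self, serial: int):
        self.serial, self.last = serial, 0  # last counter it has honoured

    def accept(self, frame: bytes) -> bool:
        body, tag = frame[:6], frame[6:]
        good = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(tag, good):
            return False  # forged or corrupted
        serial = int.from_bytes(body[:4], "big")
        counter = int.from_bytes(body[4:6], "big")
        if serial != self.serial or not (self.last < counter <= self.last + WINDOW):
            return False  # replayed, or too far ahead to resync
        self.last = counter
        return True

def replay_demo(serial: int = 0x1234ABCD) -> dict:
    # Owner presses once (frame captured), presses again, then the capture is replayed.
    fixed, rolling = FixedCodeReceiver(serial), RollingCodeReceiver(serial)
    cap_fixed, cap_rolling = fixed_code_frame(serial), rolling_code_frame(serial, 1)
    first = fixed.accept(cap_fixed) and rolling.accept(cap_rolling)  # genuine press
    second = rolling.accept(rolling_code_frame(serial, 2))  # owner's next press
    return {
        "genuine_presses_accepted": first and second,
        "fixed_replay_accepted": fixed.accept(cap_fixed),
        "rolling_replay_accepted": rolling.accept(cap_rolling),
    }
```

The rolling receiver also rejects a replay sent before the owner's next press, because the counter must strictly advance; the window only exists so presses made out of range do not desynchronise the pair.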

The honest framing is that the Flipper is a capable tool across all of these and a great tool in none. For a real engagement, you bring the Flipper plus a Proxmark plus a HackRF plus a laptop — the Flipper is what stays in your pocket between testing windows.

Community, modules & third-party add-ons

The 18-pin GPIO header is what keeps the Flipper relevant past the first six months of ownership. The official WiFi Devboard drops an ESP32-S2 on the header and unlocks wardriving, Marauder-style deauth labs and ESPHome flashing. The NRF24 Dev Board turns the Flipper into a 2.4 GHz wireless-keyboard sniffer (Mousejack-style). Third-party modules add LoRa, RTL-SDR slices, SubGHz amplifiers, and even external NFC antennas for long-range MIFARE work. Momentum and Xtreme expose first-class plugin managers that compile, sideload and update community plugins from the device's UI.

Legality, ethics & the confiscation reality

The Flipper is legal to own and operate in almost every jurisdiction; what is regulated is the activity. In the US, transmitting on non-Part-15 sub-GHz bands you are not licensed for is a clear FCC violation regardless of the radio used. Canada banned the import of the device in 2024 over claims it was being used in car-theft toolchains (the rolling-code reality is more nuanced). Brazil's Anatel seizes shipments at customs. Several US states have proposed bills that would treat the device as burglary tooling per se; none have passed as of 2026.

On a real engagement, treat the Flipper exactly the way you treat lockpicks: carry a signed scope letter with the testing windows and target addresses, carry an itemised list of hardware in your bag, and never let the device leave your sight in a client space. The orange-and-white form factor is recognisable to any security guard who has been on Twitter in the last three years — that is a feature for educational tinkering and a liability for covert physical auditing.

Deployment scenarios

Scenario 1 — Educational tinkering

Buy a Flipper, run Xtreme firmware, clone your own access card, capture your own garage remote, build a BadUSB payload that opens a terminal on your own laptop. You will learn more about RFID, sub-GHz and HID in a weekend than a year of YouTube content. This is the Flipper's strongest use case.

Scenario 2 — Covert physical audit

Capture a target's LF prox card during a tailgate brush-pass, clone to a T5577 the same evening, return next morning with a credential. Pair with a Proxmark for HF MIFARE work and an Alfa adapter for any WiFi follow-up. The Flipper is your low-profile front-line tool; everything else stays in the laptop bag.

Scenario 3 — IoT hardware fuzzing

Use the GPIO header at 3.3 V for UART discovery on cheap routers, SPI flash dumps off ESP32 boards, and I²C probing of sensors. The Flipper replaces a $200 Bus Pirate + JTAGulator setup for casual reconnaissance; for serious SPI work you still want a CH341 or a Glasgow Interface Explorer.

Scenario 4 — Awareness demos

Walk into a board meeting, clone your CISO's prox card in 10 seconds, demonstrate IR control of the conference-room TV, fire a BadUSB payload that draws an ASCII banner on a laptop. Nothing else delivers the same visceral "this is real" reaction at this price point.
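The defender-side counterpart to the BadUSB demo above, as an added example rather than anything from the page or the Flipper project: injected keystrokes arrive at a cadence no human sustains, so grouping key events per input device and looking at the median inter-key gap separates a scripted burst from a person typing. The event list, device names (including the hypothetical "Generic USB Keyboard") and thresholds are constructed for the example.

```python
from statistics import median

def constructed_events() -> list:
    """Constructed evdev-style key-press events: (timestamp_s, device_name, keycode).
    Not a real capture: ~20 human keys at 120-180 ms, then a hypothetical
    'Generic USB Keyboard' injecting 40 keys at 4 ms each."""
    events, t = [], 0.0
    for i in range(20):                      # human cadence, with jitter
        t += 0.12 if i % 2 else 0.18
        events.append((t, "AT Translated Set 2 keyboard", 30 + i % 26))
    t2 = 3.0                                 # injected burst starts later
    for i in range(40):
        t2 += 0.004
        events.append((t2, "Generic USB Keyboard", 30 + i % 26))
    return events

def inter_key_gaps(events: list) -> dict:
    """Per device: gaps in milliseconds between consecutive presses."""
    stamps = {}
    for ts, dev, _key in sorted(events):
        stamps.setdefault(dev, []).append(ts)
    return {dev: [(b - a) * 1000 for a, b in zip(ts, ts[1:])]
            for dev, ts in stamps.items()}

def flag_injection(events: list, max_median_ms: float = 25.0,
                   min_keys: int = 10) -> list:
    """Devices that typed at least min_keys presses with a median gap under
    max_median_ms. Human typing rarely sustains a median below ~60 ms, while
    a payload with no per-key delay runs at a few ms. A deliberately slowed
    payload passes this check, so pair cadence with device allow-listing
    (e.g. USBGuard) rather than relying on it alone; macro tools and KVMs
    are the usual false positives."""
    flagged = []
    for dev, gaps in inter_key_gaps(events).items():
        if len(gaps) + 1 >= min_keys and median(gaps) < max_median_ms:
            flagged.append(dev)
    return flagged
```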

How the Flipper compares

| Spec | Flipper Zero | Proxmark3 RDV4 | HackRF One |
|---|---|---|---|
| Primary SoC | STM32WB55 (Cortex-M4 + M0+ radio) | AT91SAM7S512 + Xilinx Spartan-II FPGA | LPC4320 (Cortex-M4) + MAX2837 RF |
| Sub-GHz transceiver | TI CC1101 (300–928 MHz tx/rx) | Not natively (LF/HF only) | 1 MHz – 6 GHz SDR (half-duplex) |
| 125 kHz LF RFID | Native (T5577 emulate + clone) | Best-in-class — HID iClass, EM4xxx | No |
| 13.56 MHz NFC | ST25R3916 — MIFARE Classic 1K/4K crack | Hardstate MIFARE DESFire support | No |
| Infrared TX/RX | TSOP6238 38 kHz receiver + LED | No | No |
| iButton / 1-Wire | Native DS1990A read/emulate | No | No |
| USB HID / BadUSB | Full BadUSB + DuckyScript v3 | No (CLI only) | No |
| GPIO expansion | 18-pin header (UART, SPI, I²C, 3v3) | JTAG/UART debug only | CLI/expansion limited |
| Battery / portability | 2000 mAh — multi-day standalone | Tethered to host (USB-C) | Tethered to host (USB-A) |
| Price (street) | $169 (when in stock) | $340–400 (RDV4) | $330 (One) — $590 (Portapack H2) |

The Proxmark wins on RFID depth — DESFire EV3 attacks, iClass SE, Mifare DUOX, advanced LF cloning — because its FPGA front-end does what the Flipper's fixed silicon cannot. The HackRF wins on RF generality (any waveform, 1 MHz–6 GHz). The Flipper wins on the only metric that matters in the field: it's in your pocket and it's already on.

Pros & cons

Buy the Flipper if…

  • You want a single device that teaches RF, RFID, NFC, IR and HID in one weekend.
  • You need a pocket-carry tool for badge-cloning during a physical engagement.
  • You appreciate a transparent open-source firmware ecosystem.
  • You are giving an awareness demo to non-technical executives.
  • You already own a Proxmark and a HackRF and want the spread tool that complements both.

Skip the Flipper if…

  • You need DESFire EV3 / iClass SE attacks — buy a Proxmark RDV4 instead.
  • You need wideband SDR — buy a HackRF One + Portapack H2.
  • You are in Canada or Brazil (active import bans / customs seizures).
  • You expected a "WiFi hacking device" — it does not natively do WiFi.
  • You cannot stomach the always-out-of-stock situation and the 8–16-week waits.

Verdict

The Flipper Zero is the best $169 you can spend on physical-security education, and a respectable but not authoritative field tool. Treat it as a teaching device with side-quest capability, not as a replacement for the Proxmark / HackRF / Bus Pirate trinity, and you will not be disappointed. Pair it with the WiFi Devboard, run Xtreme or Momentum firmware, keep a copy of your scope letter in your bag, and you have the friendliest on-ramp into hardware pentesting that exists in 2026.
