Flipper Zero - pocket multi-tool-Tamagotchi for pentesters

Flipper Zero is a pocket multi-tool based on the Raspberry Pi Zero for IoT pentesting and wireless access control systems. It is also a Tamagotchi in which a cyber-dolphin lives. It will be able to:

  • Operate in the 433 MHz band - for studying radio remote controls, sensors, electronic locks and relays.
  • NFC - read/write and emulate ISO-14443 cards.
  • 125 kHz RFID - read/write and emulate low-frequency cards.
  • iButton keys - read/write and emulate contact keys operating on the 1-Wire protocol.
  • Wi-Fi - for checking the security of wireless networks. The adapter supports packet injection and monitor mode.
  • Bluetooth - supported by the bluez stack for Linux.
  • Bad USB mode - can be connected as a USB slave and emulate a keyboard, Ethernet adapter and other devices for code injection or network penetration testing.
  • Tamagotchi! The low-power microcontroller operates when the main system is turned off.

I am excited to present my most ambitious project, the idea of which I have been nurturing for many years. This is an attempt to combine all the tools often needed for physical penetration testing into one device, while adding personality to it so that it is cute as hell. The project is currently in the R&D and feature approval stage, and I invite everyone to take part in the discussion of the features or even to join the development. Below is a detailed description of the project.

Why do it?

I love to explore everything around me and constantly carry different tools with me for this. In my backpack: a Wi-Fi adapter, NFC reader, SDR, Proxmark3, HydraNFC, Raspberry Pi Zero (which causes problems at the airport). All these devices are not so easy to use on the run, when you have a cup of coffee in one hand or you are riding a bicycle. You need to sit down, unpack, get out a computer, and this is not always convenient. I dreamed of a device that would implement typical attack scenarios, be always at the ready and at the same time not be a bundle of circuit boards falling apart and wound with electrical tape.

[Photo: Raspberry Pi Zero W with UPS-Lite v1.0 battery shield as a standalone flooder for sending pictures to Apple devices via AirDrop]

Recently, after an open source implementation of the AirDrop protocol was published at www.owlink.org and the guys from HexWay released their study of iOS vulnerabilities, Apple Bleee, I began to entertain myself in a new way: meeting people on the subway, sending them pictures via AirDrop and collecting their phone numbers. Then I wanted to automate this process and made a standalone AirDrop picture-flooding machine from a Raspberry Pi Zero W and a battery. This topic deserves a separate article, which I just cannot finish. Everything would be fine, but this device was extremely inconvenient to carry with you: you couldn't put it in your pocket, because sharp drops of solder tore the fabric of your pants. I tried to 3D print a case, but I didn't like the result.

Special thanks to Anna koteeq Prosvetova, the host of the Telegram channel @theyforcedme, who, at my request, wrote the Telegram bot @AirTrollBot. It generates pictures with text, a Telegram username and the correct aspect ratio so that they are fully displayed in the preview when sent via AirDrop. You can quickly generate a picture suitable for the situation; it looks like this.

[Photo: Pwnagotchi complete with e-ink screen and battery shield]

Then I saw an amazing project, pwnagotchi. It's like a Tamagotchi, only its food is WPA handshakes and PMKIDs from Wi-Fi networks, which can then be brute-forced on GPU farms. I liked this project so much that I walked the streets with my pwnagotchi for several days and watched it enjoy its new prey. But it had all the same problems: you can't put it in your pocket normally, and there are no controls, so any user input is possible only from a phone or computer. And then I finally realized how I see the ideal multi-tool that I lacked. I wrote about it on Twitter and the idea was liked by my friends, industrial designers who make serious electronic things. They offered to make a full-fledged device instead of a DIY craft knocked together on the knee, with real factory production and well-fitting parts. We started looking for a design concept.

[Sketches: the first sketches of the Flipper Zero design (clickable)]

A lot of time was devoted to the case and design, because I was tired of all hacker devices looking like a bunch of PCBs wound with electrical tape that cannot be used normally. The task was to come up with the most convenient and compact body, a device that would be easy to use autonomously without a computer or phone, and this is what came of it. What follows describes the current, not final, device concept.

What is Flipper Zero

In fact, Flipper Zero is a few shields and a battery around the Raspberry Pi Zero, packed in a case with a screen and buttons. Kali Linux is used as the OS, since it already contains all the necessary patches and supports the rpi0 out of the box. I've looked at many different single-board computers: NanoPi Duo2, Banana Pi M2 Zero, Orange Pi Zero, Omega2, but they all lose to the rpi0, and here's why:

  • Built-in Wi-Fi adapter supporting monitor mode and packet injection (nexmon patches)
  • Built-in Bluetooth 4.0
  • A good enough 2.4 GHz antenna
  • Kali Linux is officially supported and there are many prebuilt images, such as P4wnP1 ALOA
  • Easy access to the SD card, so large amounts of data can be transferred quickly

Surely many will say that the Raspberry Pi is not the best choice for such a device and will find many arguments: high power consumption, no sleep mode, hardware that is not brought out, etc. But weighing all the pros and cons, I did not find anything better than the rpi0. If you have something to say about this, welcome to the developer forum, forum.flipperzero.one.

Flipper Zero is completely self-contained and can be controlled with a 5-way joystick without additional devices such as a computer or phone. Typical attack scenarios can be launched from the menu. Of course, not everything can be done with a joystick, so for more control you can connect via SSH over USB or over Wi-Fi / Bluetooth.

I decided to use an old-school monochrome LCD with a resolution of 126x64 px, like on old Siemens phones. Firstly, it's just cool: the monochrome screen with orange backlight delights me indescribably, a kind of retro-military-cyberpunk. It is perfectly visible in bright sunlight and has a very low power consumption, about 400 uA with the backlight off. Therefore, it can be kept in always-on mode and always display an image; the backlight will only turn on when you press the keys.

[Photo: Examples of screens on Siemens phones]

Such screens are still being produced for all sorts of industrial devices and cash registers. At the moment we have chosen this screen.

[Photo: Flipper Zero ports]

At the ends, Flipper Zero has the standard Raspberry Pi ports, a power / light button, a strap hole and an additional service port through which you can access the UART console, charge the battery and upload new firmware.

433 MHz transmitter

Flipper has a built-in 433 MHz antenna and a CC1111 chip for sub-1 GHz operation, the same as in the popular Yard Stick One device. It can intercept and analyze the signals of radio remote controls, key fobs, and all kinds of smart sockets and locks. It works with the rfcat library and is able to decode, save and replay popular remote control codes, like a remote control analyzer. For cases where the Raspberry Pi does not have time to process the signal, the CC1111 can be controlled by the built-in microcontroller. In Tamagotchi mode, Flipper can communicate with its own kind and display their names, similar to pwnagotchi.

Bad USB

Flipper can emulate USB slave devices and pretend to be a keyboard for payloads like the USB Rubber Ducky, and also emulate an Ethernet adapter for DNS spoofing, a serial port, etc. There is a ready-made framework for the Raspberry Pi that implements various attacks of this kind: github.com/mame82/P4wnP1_aloa

The desired attack scenario can be selected from the menu with the joystick. At the same time, debugging information about the state of the attack, or something harmless for disguise, can be displayed on the screen.

WiFi

The built-in Wi-Fi adapter in the Raspberry Pi does not natively support monitor mode or packet injection, but there are third-party patches that add this feature. Some types of attacks require two independent Wi-Fi adapters. The difficulty is that almost all Wi-Fi chips are connected via USB, and we cannot occupy the only USB port on the rpi0, otherwise USB slave mode will break. Therefore, the Wi-Fi adapter must be connected over the SPI or SDIO interface. I am not aware of any such chip that supports monitor mode and packet injection out of the box while connecting NOT via USB. If you know of one, please tell me on the forum in the topic "Wi-Fi chip with SPI/SDIO interface that supports monitoring and packet injection".

NFC

The NFC module can read/write all ISO-14443 cards, including Mifare, PayPass/PayWave contactless bank cards, Apple Pay/Google Pay, and more. It is supported by the libnfc library. There is a 13.56 MHz antenna at the bottom of the Flipper, and to work with a card it is enough to put the card on top of it. At the moment, the question of card emulation remains open. I would like a full-fledged emulator like the Chameleon Mini, but at the same time I want to be able to work with libnfc. I don't know any chip options other than the NXP PN532, but it can't fully emulate cards. If you know a better option, write about it in the topic "Looking for better NFC chip than PN532".

125kHz RFID

The old low-frequency 125 kHz cards are still widely used in intercoms, office passes, etc. A 125 kHz antenna is located on the side of the Flipper; it can read EM-4100 and HID Prox cards, save them to memory and emulate previously saved cards. You can also transfer a card ID for emulation over the Internet or enter it manually. Thus, Flipper owners can transfer read cards to each other remotely. Bliss.
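To make concrete what "reading an EM-4100 card" means for the reader side, here is an added example (not the author's code and not Flipper firmware) of the EM4100 frame format: the encoder builds a constructed sample frame, the decoder checks framing and both parity sets, and the stream helper handles the realistic case where a demodulated capture starts mid-frame. The card value 0x1D5A034F2C is invented for the example.

```python
# EM4100 frame: 9 header ones, ten nibbles each followed by an even row-parity
# bit, four even column-parity bits, then a stop bit 0 (64 bits total). The
# 40-bit payload is an 8-bit version/customer code and a 32-bit ID.
HEADER = "1" * 9

def em4100_encode(payload: int) -> str:
    """Return the 64-character bit string a tag would repeat for a 40-bit payload."""
    if not 0 <= payload < (1 << 40):
        raise ValueError("EM4100 payload is 40 bits")
    nibbles = [(payload >> (36 - 4 * i)) & 0xF for i in range(10)]
    bits = HEADER
    for n in nibbles:
        row = f"{n:04b}"
        bits += row + str(row.count("1") % 2)  # even parity per row
    for col in range(4):  # even parity per column
        bits += str(sum((n >> (3 - col)) & 1 for n in nibbles) % 2)
    return bits + "0"  # stop bit

def em4100_decode(bits: str):
    """Check framing and both parity sets; return the payload, or None if invalid."""
    if len(bits) != 64 or not bits.startswith(HEADER) or bits[63] != "0":
        return None
    nibbles = []
    for i in range(10):
        row = bits[9 + 5 * i:14 + 5 * i]
        if row[:4].count("1") % 2 != int(row[4]):
            return None  # row parity error
        nibbles.append(int(row[:4], 2))
    for col in range(4):
        if sum((n >> (3 - col)) & 1 for n in nibbles) % 2 != int(bits[59 + col]):
            return None  # column parity error
    return int("".join(f"{n:04b}" for n in nibbles), 2)

def em4100_from_stream(stream: str):
    """A demodulated capture usually starts mid-frame: try every rotation of one
    64-bit period. Parity bits cap runs of ones in the body at 8, and the stop-bit
    check rejects shifts that overlap the real header, so at most one validates."""
    if len(stream) != 64:
        return None
    for shift in range(64):
        payload = em4100_decode(stream[shift:] + stream[:shift])
        if payload is not None:
            return payload
    return None

if __name__ == "__main__":
    # Constructed sample, not a real card: version 0x1D, ID 0x5A034F2C.
    frame = em4100_encode(0x1D5A034F2C)
    print(frame, hex(em4100_from_stream(frame[20:] + frame[:20])))
```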

iButton

iButton is an old type of contact key that is still popular in the CIS. They work on the 1-Wire protocol and do not have any means of authentication, so they can be easily read. Flipper can read these keys, store IDs in memory, write IDs to blanks and emulate the key on its own so that it can be pressed against the reader as a key.

Reader mode (1-Wire master)

In this mode, the device works as a door reader. Pressing the key to the contacts, the Flipper reads its ID and saves it in memory. In the same mode, you can write a saved ID to a blank.

Key emulation mode (1-Wire slave)

Stored keys can be emulated in 1-Wire slave mode: the Flipper acts as a key and can be pressed against the reader. The main difficulty was to come up with a contact pad design that could be used both as a reader and as a key at the same time. We found such a shape, but I'm sure it can be made even better, and if you know how, suggest your own version on the forum in the topic "iButton contact pad design".
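An added example (not the author's code) showing why "no means of authentication" holds for these keys: the whole identity a DS1990A-style iButton hands a reader is an 8-byte ROM with a family code, a 48-bit serial and a CRC-8, so reading, storing and checking it is just parsing. Assumptions: family code 0x01 is the DS1990A, the text form follows the Linux w1 naming style, and the serial number is constructed.

```python
# 1-Wire ROM as read from the bus, LSB-first: byte 0 = family code (0x01 for a
# DS1990A key), bytes 1-6 = 48-bit serial, byte 7 = CRC-8 over the first 7 bytes.

def crc8_maxim(data: bytes) -> int:
    """Dallas/Maxim 1-Wire CRC-8: polynomial x^8 + x^5 + x^4 + 1, bit-reflected (0x8C)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8C if crc & 1 else crc >> 1
    return crc

def build_rom(family: int, serial: int) -> bytes:
    """Assemble the 8 ROM bytes in wire order (used here to construct sample input)."""
    if not 0 <= serial < (1 << 48):
        raise ValueError("serial must fit in 48 bits")
    body = bytes([family]) + serial.to_bytes(6, "little")
    return body + bytes([crc8_maxim(body)])

def parse_rom(rom: bytes) -> dict:
    """Split the ROM bytes and check the CRC.

    A CRC mismatch on a contact key typically means a flaky contact during the
    read, so a reader should retry rather than store the value.
    """
    if len(rom) != 8:
        raise ValueError("1-Wire ROM is exactly 8 bytes")
    return {
        "family": rom[0],
        "serial": int.from_bytes(rom[1:7], "little"),
        "valid": crc8_maxim(rom[:7]) == rom[7],
    }

def rom_name(rom: bytes) -> str:
    """Text form in the Linux w1 style: '<family>-<12 hex serial digits>'."""
    r = parse_rom(rom)
    return f"{r['family']:02x}-{r['serial']:012x}"

if __name__ == "__main__":
    # Constructed sample key, not a real one: family 0x01, serial 0x0000A1B2C3D4.
    sample = build_rom(0x01, 0x0000A1B2C3D4)
    print(sample.hex(" "), parse_rom(sample), rom_name(sample))
    damaged = sample[:-1] + bytes([sample[-1] ^ 0x01])
    print(parse_rom(damaged)["valid"])  # the CRC catches the corrupted byte
```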

Bluetooth

The Raspberry Pi's built-in Bluetooth adapter. Of course it cannot replace devices like the Ubertooth One, but it is fully supported by the bluez stack and can be used to control the Flipper from a smartphone or for various Bluetooth attacks like Apple Bleee, which allows collecting SHA-256 hashes of the mobile phone numbers associated with an Apple ID, as well as for managing all sorts of IoT devices.

Low power microcontroller

Since the Flipper is too cool to turn off, we decided to put a separate low-power microcontroller in it that will work when the Raspberry Pi is turned off. It will run the Tamagotchi, drive the screen while the Raspberry Pi boots until the Pi is ready to take it over, and manage the power. It will also control the CC1111 chip to communicate with other Flippers.

Tamagotchi mode

Flipper is a cyber-dolphin hacker to whom all the digital elements are subject. When the Raspberry Pi is turned off, it enters Tamagotchi mode, in which you can play with it and find friends on the 433 MHz frequency. In this mode, NFC functions are likely to be partially available.

The prototype for the character was the dolphin from the movie Johnny Mnemonic, who helped clear Keanu Reeves' head and smashed the bad guys with his radiation. Dolphins have a built-in frequency generator with which they explore everything around them, as well as an innate need for entertainment and natural curiosity. We need someone who can come up with the Flipper's personality and the whole game design in general, from emotes to mini-games. All your thoughts on this matter can be posted in the appropriate section of the forum.

About Me

My name is Pavel Zhovner, I live in Moscow. At the moment I am in charge of the Moscow hackspace Neuron. Since childhood, I have loved to deeply explore everything around me: nature, technology, people. My main specialties are networking, hardware and security. I try never to use the word "hacker" because, thanks to the media, it is completely devalued. I like to call myself a "nerd", because it reveals the essence more honestly and without pathos. In life, I appreciate passionate people who are deeply emotionally involved in what they are interested in, who can also safely be called nerds. Flipper Zero is my attempt to make something really cool and large-scale, and at the same time beautiful. I believe in open source, so the project will be completely open source. At the moment I have a small team, but we do not have enough people competent in narrow areas, especially in radio. With the help of this post, I hope to find people who want to join the project.

Join the project

I invite everyone who liked this project to participate in the development in any way possible. At this stage, we need to approve the final list of features in order to proceed with the implementation of the first version of the device. There are many technical issues that are currently unresolved.

For developers

We will discuss all our current R&D tasks on the forum forum.flipperzero.one. If you are a hardware or software developer, or you have any questions, advice, suggestions or criticism, feel free to write them on the forum. This is the main place where the discussion of all stages of development, crowdfunding and production will take place. Discussion on the forum is in English only; do not hesitate to write clumsily, the main thing is that the meaning is clear.

Vote for features

It is very important for us to know what functions should be in the Flipper. This will determine development priorities. Perhaps I mistakenly believe that some functions are important, or I am missing something. For example, I have doubts about iButton, because it is an outdated technology. So please take a short survey: docs.google.com/7VWhgJRBmtS9BQtR9

Send money

When the prototype is completed and the project is ready to enter a crowdfunding platform like Kickstarter, it will be possible to pay for a pre-order. For now, you can personally support me with a small donation for food through Patreon. Regular donations of $1 are much better than a large amount at a time, because they make it possible to plan ahead. Link for donations: flipperzero.one/donate

Disclaimer

The project is at a very early stage, the site may have errors, crooked layout and other problems, so don't be too harsh. Please let me know about any errors or inaccuracies you find. This is the first public mention of the project, and with your help I hope to eliminate all the rough edges before publishing to the big English-speaking Internet. I publish all project notes in my Telegram channel @zhovner_hub.

Source: habr.com
