Flipper Zero External Modules: What They Can Do

Flipper Zero is often called a hacker’s multitool, and hackers are people who love to tinker with everything themselves. The developers knew this well and provided Flipper with full schematics, firmware source code, applications, and all the necessary tools. The community appreciated this and started creating not only software but also custom modules for Flipper Zero. Today, we’ll talk about these modules.

There are currently about 85 different modules for our cyber-dolphin available on Tindie alone, and the number keeps growing. Besides Tindie, many Russian-speaking creators sell in specialized chats via Telegram and Discord. In total, there are roughly a hundred available modules.

I bought several modules that seemed interesting to me—mainly from Rabbit Labs—and I’m sharing the results of my testing below.

Some of the Modules in This Review

Additionally, you can make some modules yourself. I’ll show three such DIY modules in this article.

Almost all the modules in today’s review only work if you have unofficial firmware installed on your Flipper Zero. I recommend Unleashed as the most refined and stable, but XFW and even RogueMaster (which is generally not recommended for any purpose) will also work. If a module works on official firmware, I’ll mention it specifically.

Warning: Before we begin, I want to warn against malicious activity and outright criminal behavior. While playing with TVs in a mall might not get you in trouble, intercepting other people’s data or spreading malware is definitely illegal in most countries. All information here is provided strictly for educational purposes for professional security researchers who use it for authorized penetration testing. Obey the law!

Death Star Module

Where to buy: Tindie ($28)

The portable “Death Star” may not let you destroy entire planets with your Flipper, but it’s quite effective at taking control of various IR-controlled equipment.

To use the module, you need to enable 5V on the GPIO header in the settings (GPIO → 5V on GPIO → ON) and enable debug mode (Settings → System → Debug → ON). In the latest Unleashed firmware, debug mode is no longer required.

Power Supply

Flipper Zero modules can work at different voltages. Most run on 3.3V, but to connect such a module, you’ll need to use the wide header (shown at the bottom in the picture), as only it has the appropriate output.

Modules that require 5V can be fully connected to the short header (shown at the top), making them more compact when using the built-in step-down regulator from 5V to 3.3V (if the module needs 3.3V). This also allows the module to be powered from a much less noisy source than the Flipper’s built-in +3.3V line. That’s why 5V modules are generally preferable, though you’ll usually need to enable the 5V output manually before each use.

After setup, the LED on the front will indicate readiness. You can open any remote and use it as usual. Note that the IR LEDs are on the back of the module, so you’ll need to point the Flipper’s back toward the receiver (TV, projector, air conditioner, etc.), which isn’t very convenient. The solution overall isn’t very user-friendly, as without a secure mount to the Flipper, it’s easy to bump and break the module.

Another issue with almost all external IR modules is that if you remove and reinsert the module, the 5V on the external header disappears, and you need to exit remote mode, enable 5V in settings, and go through the four-level remote selection again. Since this is a hardware issue, it’s nearly impossible to fix with software. The protection cuts the 5V supply to the module because the high capacitance of the capacitors in its power circuit causes a current spike while they charge, which makes Flipper think the device is faulty.

I tested the range in an open field with a projector. Stable control was possible at 35 meters (about 43 steps by my count).

I also got a version of the module in a case with a lens. The case is simple, 3D-printed, but holds up well. Inside, it’s the same module as before, even labeled “Death Star.”

However, the test results were disappointing. I hoped the lens would focus the beam and increase range, but it only reached 35 steps (about 28 meters), almost 20% less. However, aiming at the receiver was easier, so the lens is likely a diffuser, not a focusing lens. A new version with an adjustable lens is expected in September 2023 to improve range.

The cased module also leaves less room for a case, so if your Flipper is in a case, this module might not fit. That’s just my guess, as I don’t use a case.

Both versions claim reverse polarity protection. I tested this by inserting one backwards (the correct way is when the “death ray” points at your eye). Nothing burned out, and the module worked fine when reinserted correctly. However, there’s no indication of incorrect connection, so you might think it’s broken at first.

IR Blaster

Where to buy: Tindie ($43)

Info: Use promo code FAB7E18D for 10% off most items at the TehRabbitt store. Valid until October 15, one use per person, no order minimum.

This is another IR module from the same developer. It differs in shape, power, and the ability to turn off the indicator LED.

Because of the angled contacts, you can plug this module into the Flipper and use it facing forward, not backward. The indicator LED, which used to shine in your eyes, now points away, and you can turn it off with a switch.

It’s also much harder to accidentally break this module, as it sits firmly in the GPIO sockets and doesn’t stick out. It’s also easier and safer to hold during use.

As for range, it reached an impressive 52 steps, about 42 meters. That’s 33% more than the lens module, or 17% more than the non-lens version.

Interestingly, during indoor testing, I found that up to about 20 meters, it didn’t matter which way the LEDs were pointed—everything worked fine, even with your back to the projector. This might be due to the white walls in the room, but overall, I was very pleased with the module.

NRF24 Module

Where to buy: Tindie ($45), AliExpress (about $1 for a DIY version)

This is one of the few modules you can make yourself, and it works with official firmware.

This module is used to attack vulnerable wireless keyboards and mice that use NRF24 for data transmission. With some luck, you can run a BadUSB script over the air on the target machine, turning Flipper into a powerful weapon, though with many limitations.

To attack, find the channel where the vulnerable device operates using the Scanner app (all apps for this attack are in Apps → GPIO). Then, note the device address, open Mouse Jacker, select the BadUSB script you want to run, and launch the code. You can see a full demo of the attack on YouTube.

The attack is possible because vulnerable devices don’t encrypt or sign packets, and the receiver blindly emulates keyboard commands, even if it came with a mouse. The security of such systems relies on no one knowing the device address, but it’s easily found with a cheap sniffer module.
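
The gap between a receiver that trusts the address alone and one that authenticates every frame, as an added example that is not from the original article or any vendor's firmware. The frame layout, type codes, key and address are constructed for illustration and do not model a real NRF24 protocol.

```python
import hashlib, hmac, struct

MOUSE, KEYBOARD = 0x01, 0x02   # constructed type codes, not a real vendor protocol
def make_frame(addr: bytes, ftype: int, payload: bytes) -> bytes:
    """Unauthenticated frame: 5-byte address | type | payload."""
    return addr + bytes([ftype]) + payload

def sign_frame(key: bytes, counter: int, frame: bytes) -> bytes:
    """Append a 4-byte counter and an 8-byte truncated HMAC-SHA256 tag."""
    body = frame + struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class NaiveReceiver:
    """The behaviour described above: knowing the address is enough."""
    def __init__(self, addr: bytes):
        self.addr = addr
    def accept(self, frame: bytes) -> bool:
        return frame[:5] == self.addr          # any type, any sender

class HardenedReceiver:
    """Requires a pairing key, a fresh counter and the paired device type."""
    def __init__(self, addr: bytes, key: bytes, paired_type: int):
        self.addr, self.key, self.paired_type, self.last_counter = addr, key, paired_type, -1
    def accept(self, signed: bytes) -> bool:
        if len(signed) < 18 or signed[:5] != self.addr:
            return False                       # too short to carry counter + tag
        body, tag = signed[:-8], signed[-8:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, good):
            return False                       # sender does not hold the key
        if body[5] != self.paired_type:
            return False                       # keystrokes on a mouse pairing
        counter = struct.unpack(">I", body[-4:])[0]
        if counter <= self.last_counter:
            return False                       # replayed frame
        self.last_counter = counter
        return True

def demo() -> dict:
    addr, key = bytes.fromhex("a1b2c3d4e5"), b"constructed-pairing-key"
    injected = make_frame(addr, KEYBOARD, b"\x00\x04")   # address only, no key
    legit = sign_frame(key, 1, make_frame(addr, MOUSE, b"\x01\x05\xfb"))
    naive, hard = NaiveReceiver(addr), HardenedReceiver(addr, key, MOUSE)
    return {"naive_injected": naive.accept(injected),
            "hard_unsigned": hard.accept(injected),
            "hard_forged": hard.accept(sign_frame(b"guess", 2, injected)),
            "hard_legit": hard.accept(legit),
            "hard_replay": hard.accept(legit),
            "hard_wrong_type": hard.accept(sign_frame(key, 3, injected))}
```

Only the naive receiver accepts the injected keyboard frame; the hardened one accepts nothing but the first copy of the correctly keyed mouse frame.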

DIY Version

If you don’t want to buy a ready-made module, you can make a temporary setup from wires and a cheap Chinese module from AliExpress. It’ll work about the same but will take up more space and be powered from the noisier 3.3V line, while the store-bought version has its own regulator.

I ended up burning out my DIY module by reversing the power polarity. Learn from my mistake and be careful: bare modules have no reverse polarity protection. The store-bought one also lacks protection diodes, so I didn’t test it that way. I wanted at least one working module left!

Module Adapter

Where to buy: Tindie ($21)

This board itself doesn’t do anything useful. It’s almost a passive adapter for connecting other modules, allowing you to quickly swap them. It also provides extra 3.3V to the small header on the right and helps avoid damaging the built-in contacts inside Flipper Zero. I find this useful since I often connect different add-ons. Note: I don’t use a case for my Flipper, and this module is completely incompatible with cases.

Besides standard 5V modules, you can also connect Chinese modules like CC1101. And, of course, the NRF24 module works great with this adapter.

If you want to save money and have both CC1101 and NRF24, this is a great option. Together with the adapter, they’ll cost about $30, which is cheaper than the simplest standalone CC1101 module. But that’s not counting shipping, which may reduce the savings.

External Radio Module

Where to buy: Tindie ($40) / Direct order in Russia (2000 RUB)

Info: Use promo code XAKEP5 for 5% off module orders via Tindie. Valid until October 31, one use per person.

The external CC1101 radio module does the same as the chip inside Flipper Zero, but much better. Thanks to its external placement, external antenna, higher gain, and less noisy power, the signal reception range increased from 12m to about 65m with a stubby antenna, as shown in the photo.

This module is fully supported even by official firmware. However, you can do much more with it in Unleashed and its forks, where module authors implement support and new features appear faster and work better.

This module is also needed to connect external antennas (the Flipper Zero itself can’t do this). In one of my tests, with the stock antenna, the range didn’t even reach 70m, but with a dipole antenna from China, I received a signal from 350m! This was even without direct line of sight (cars were passing between transmitter and receiver) right in downtown Warsaw, full of interference.

To use, just connect the module to Flipper Zero, go to SubGHz → Radio Settings, and set Module to External. Now, with the external module connected, all apps will use it; if it’s not connected, they’ll use the internal one. No manual setup needed. Magic!

The module is optimized for 433 MHz and shouldn’t be used for much higher frequencies. Reportedly, with the stock antenna, it works well at 315 and 443 MHz, but at 868 MHz, it’s less effective than the Flipper’s internal module. For the record, I’ve only ever caught anything at 315 or 443 MHz.

There’s also a “budget” option: connect a Chinese module with wires and use the +3.3V line. Or plug it into the adapter module mentioned above.

900 MHz External Radio Module

Where to buy: Tindie ($22)

The main problem with the previous module is that it was designed for 443 MHz and similar frequencies (like 315 MHz). But what if you need to work in the upper part of the CC1101-supported range? Frequencies like 868 and 915 MHz, where many devices operate, are barely covered by Flipper, and this module aims to fix that. The chip’s circuitry and board design are optimized for high frequencies, reducing noise and increasing efficiency. The chip is even under a metal shield for protection from interference.

The module also has an SMA connector for a more powerful antenna if needed.

This module is pin-compatible with other CC1101 implementations, so you can use it with adapters from other manufacturers or just plug it into the module adapter, which is what I did. It even glows nicely in the dark!

Of course, I had to test it. With the same remote as before and a 433 MHz antenna (I don’t have a 900 MHz antenna or devices, but the module claims 443 MHz support), the range was about 57m, and with a dipole antenna, an impressive 170m. The difference compared to the 443 MHz module is likely due to non-optimal circuitry for this frequency range.

News from TehRabbitt

I managed to talk to TehRabbitt, the author of some modules in this review. Among other things, he announced an upgraded 443 MHz radio module, a new IR blaster, several Wi-Fi boards based on ESP32 (I’ll explain how to make your own below), an adapter for using Flipper Zero as an RS232 bridge, and a project for wireless emulation of various USB devices (how it will work is still a mystery to me). TehRabbitt also gave me the promo code above. If readers like this article, I’ll try to get more modules and release another part. Stay tuned!

ESP32 Marauder

This is a very cool module that lets you attack Wi-Fi networks. The catch is that it’s rarely available ready-to-use, and to get it working, you’ll need to flash it, configure it, and watch some tutorials.

You can buy a suitable board directly from the official Flipper Zero store for $29, but thrifty tinkerers can look for ESP32-WROOM boards (about $4) or similar and make their own. That’s what I did.

Info: ESP32 boards from China have a MicroUSB port, and finding the right cable took me a while. As silly as it sounds, just not having the cable delayed this article by several days.

Of course, both the official Wi-Fi module and store-bought or DIY modules need the right firmware. Previously, you had to compile it yourself, which discouraged many. Now there’s a script called FZEasyMarauderFlash that automatically downloads and flashes the right binary to your board. You’ll just need to tell it which board you have.

Suppose you have the same ESP32-WROOM module as me and you’re using Windows. You’ll need to download the CP210x driver (for USB-UART flashing), Git for Windows (for downloading firmware binaries), and Python with pip.

Now, download the repository, install dependencies (pip install -r requirements.txt), and get ready to run the script (python EasyInstall.py, but don’t run it yet).

Hold the BOOT button on the board, connect it to your computer, release the button, and run the script. If all goes well, it will download the binaries and show a menu like the one below.

Now select your board model (even the official Wi-Fi DevBoard is supported)—in my case, it’s option 5. If the driver is installed correctly, flashing will start right away.

At the end, you should see a message about successful flashing. If you see extra errors after that, you can ignore them—the board is already flashed and will work fine.

Now disconnect the board from your computer and connect it to Flipper as follows:

  • ESP32 RX0 → Flipper TX (pin 13)
  • ESP32 TX0 → Flipper RX (pin 14)
  • GND on both devices connected together
  • ESP32 3V3 → Flipper 3V3 (pin 9)

If everything is correct, the Flipper’s red indicator LED will light up.

Now you can launch the ESP32 Marauder app (in the GPIO folder in the latest Unleashed) and start experimenting. For example, you can enable the ghost network generator. SSIDs can be random or from a preset list.

You can capture handshakes for later password cracking (Sniff function), forcibly deauthenticate clients, or set up a phishing portal for fake authentication. Of course, only do this with your own devices or for authorized penetration testing. Otherwise, don’t!
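
On the monitoring side, the deauthentication and ghost-network activity mentioned above shows up as bursts of management frames. This added example (not part of the original article or the Marauder project) flags both patterns in already-parsed frame records; the record format, addresses, window and thresholds are assumptions, and the sample frames are constructed.

```python
from collections import defaultdict, deque

def sample_frames():
    """Constructed records: (seconds, kind, source address, SSID or None)."""
    ap = "aa:bb:cc:00:00:01"
    frames = [(t * 30.0, "beacon", ap, "office-wifi") for t in range(4)]
    frames.append((0.5, "deauth", "aa:bb:cc:00:00:02", None))   # one ordinary disconnect
    frames += [(40 + i * 0.1, "deauth", ap, None) for i in range(30)]
    frames += [(60 + i * 0.05, "beacon", f"02:00:00:00:00:{i:02x}", f"ghost-{i}")
               for i in range(25)]
    return frames

def deauth_bursts(frames, window=5.0, threshold=10):
    """Source addresses that sent >= threshold deauth frames within `window` seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, kind, src, _ in sorted(frames, key=lambda f: f[0]):
        if kind != "deauth":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged

def ssid_floods(frames, window=5.0, threshold=20):
    """Start times of windows in which >= threshold never-seen-before SSIDs appeared."""
    seen, fresh, alerts = set(), deque(), []
    for ts, kind, _, ssid in sorted(frames, key=lambda f: f[0]):
        if kind != "beacon" or ssid in seen:
            continue                   # known networks re-beaconing are normal
        seen.add(ssid)
        fresh.append(ts)
        while ts - fresh[0] > window:
            fresh.popleft()
        if len(fresh) >= threshold:
            alerts.append(fresh[0])
            fresh.clear()              # one alert per burst
    return alerts

if __name__ == "__main__":
    print("deauth burst from:", deauth_bursts(sample_frames()))
    print("SSID flood starting at:", ssid_floods(sample_frames()))
```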

If you’re a beginner pentester, this opens up huge possibilities. It’s a good and cheap alternative to some well-known wireless attack tools, though there aren’t many usage guides and the entry barrier is higher.

Conclusion

Flipper Zero, though sometimes seen by serious pentesters as a toy, already has many modules for all sorts of use cases. This review didn’t cover modules for magnetic stripe cards, cameras, or Frankenstein modules made from several parts, but all of these are widely available online.

I’d like to thank the awesome people JustCallMeKoKo, TehRabbitt, Dr.B0rk, quen0n, and AWOK for their huge contributions to the Flipper Zero community. Thanks to them, we have what we love about the Flipper.

The sad part is that TikTok “hackers” keep damaging the device’s reputation, leading to bans in more countries, making it harder for real security researchers (and geeks) to get one. Still, it’s possible for now, so let’s enjoy the freedom we have. Hack the Planet!
