Flipper Zero Chat App - RF Signal Analysis via SDR

Glad you enjoyed the training and you are continuing hacking around RF! ❤😊

You should get Jeff Geerling's dad on here to explain all this crazy RF stuff

Hope you'll make some more videos on SDR as you explore further, this was excellent as always!

Nice video! I wish there were more videos where people have problems (and asked for viewers' help).

I'm not 100% sure what chip is used in flipper zero (CC1101 I think?), but it's very possible that it has built-in hardware CRC check and it maybe that URH doesn't send that checksum. I did have similar problem back in 2018 when I started playing with CC1101 and URH but I ended giving up on it back then.

Excellent video!! Hadn't heard of URH prior to this video and now i have a new tool to pair with the HackRF. Thanks and looking forward to more SDR experiments+lessons!

Love the videos, Matt!

I played around with esp32 microcontrollers and 433 mhz rx and TX modules and was able to detect and replay the doorbell at the office. Good for some pranks. I'm going to have to look up those tools you are using.

Thanks for your channel. There's really no one else doing hardware hacking tutorials at this level that I can find. I'm always learning from you. Keep it up and if you ever do a patreon or something, let me know. BTW I can't seem to get into your discord server. W

Thanks for the video, love the range of content!

The Generated Signal looks very overpowerd maybe reduce the Gain and then it works ?

awesome video man!

Interesting stuff.
I've personally never actually seen the Flipper chat actually work. I've picked up transmissions from it for other things, at least as far as verifying frequency.

If I know you by watching all your videos so far you will resolve the myth by extracting the flipper zeros firmware and modify in the way that URH can transmit as is and there we go :)
Joke a side, I always verify my regenenrated signal with another very cheap receive only SDR such as good old RTL-SDR dongle.
It feels like when you de-noise the signal clicking the button couple of times you may be loosing some part of the preamble of the signal.
Keep up the good work!

This was really interesting!

Awesome video 👏🏻😊

i dont know about rf modulation, but can there be any crc in the data being transmitted? incorrect crc will lead to false data but there should be something received on the other side. weird

awesome video!

Keep up the good work. Thanks for another interesting video. I used Arduino w/ an ESP8266 to be able to remotely control a projector w/ IR as well as a remote controlled (315MHz) outlet. It would be interesting to dissect some remotes and get the actual data.

For the problem at the end of the video, first thing comes up in my mind is check the datalink layer integrity protections, like polarity, CRC, there might be some of these checks that make the flipperzero abandoned your message. Just my guess.

In the generator set your carrier to 433Mhz, the information is encoded in shifting frequency an amount from the carrier. The shift amount is visible in your spectrum analyzer graph. Hope that helps.

great video. i love sdr hacking and reverse engineering. maybe combine them to reverse a car key or something? would be cool

Another shot in the dark about your problem, if the carrier frequency is too similar to the signal you are trying to copy, then maybe you could mess with carrier frequency settings or dynamic range. Also, if the preamble is off by 1 bit, it won't work. Just throwing a couple ideas out, don't really know what I'm talking about very well.😂😂

Make sure that you didnt throw anything away like the "1" at the start of the synchronization, 101010..., it could represent a start bit or stop bit.
However, I believe there's a checksum to be placed somewhere at the tailend of the data. Need to figure out how the checksum is calculated and where it should be placed. I believe URH can help with that.

Please do More video on radio stuff ......................

Hi Matt, thank you for your videos. Have you thought about making videos about firmware repacking? Thank you for your motivations!

@13:39, Y axis for amplitude, X axis for Frequency, since you are checking the FFT plot.

it looks like you really need a second sdr device, probably a cheap one, just to check what your main one is sending out

We Ham Radio Operaters use these Software Defined Radios, I have Both SDR play RSP Duo and Dx Models, and a Aldam Pluto, for DATV Reception,

Great Video. You have tried to send some message like aaaaaa,bbbbb,cccc and look if you can find a checksum/CRC.
Or maybe the message is prefixed with a length oder something like that. just Throwing out some ideas that have right know. But sadly i cannot test them because i dont have a sdr

What I would do is write out the generated signal to a file and do the same process as your original capture and see if you get the same thing out (or you can even look at the waveform and see if they seem to match).

Have you tried to change the name of the spoofed flipper? Could your flipper be ignoring the transmission because it thinks it is from itself. Just throwing that out there. I use meshtastic devices for some private communications and it is a mesh network that retransmits messages as a broadcast but the sending device doesn't see the message it originally sent out. Just a hunch but you might enjoy ham radio.

The first bit should probably be deleted and not modulated along with the proper message. When you simply played back the transmission originally and the flipper received it ok, the bad noise bit wasn't modulated. Just a guess.

it looks like it does just transmit and receive plain ascii just modulated. definitely don't repeat it infinitely, the demodulator will think it is junk. The first bit could be a missinterpretation, you never know.
I have studied modulations, but only from electrical stand point, so I have no idea

Is your problem possibly because you're repeating the signal infinitely with no buffer at the beginning and end of the message? How does the device distinguish the trailing bits from the beginning of the next signal without any delay or padding? Have you tried re-capturing the radio you're transmitting and analysing how that may be getting interpreted? Might need a second SDR to test that.

Have you got your udev rules setup? Linux does not know what to do with SDR hardware by default.
Also the 1/4 at the end is probably actually a checksum

Not trying to be a smarty pants but what is this exercise good for aside from a thought experiment? Is there any practical application?

That looks more like PSK than pure FM and as others said, look for the CRC.

WHAT BUTTON DID U CLICK AT 15:42 A COUPLE OF TIMES TO CLEAR SOME NOISE?

Verify your baud rate on both ends.

If you manage to fix it, you could even chat with gps data lolol

Intentional or coincidence that your volume is set to 69% 🤔...

Creepy device, that Flipper zero...no wonder that it get banned more and more...
Stay on it, seems that it will bring out some interesting things, even to me, where my raw knowledge of RF ends on 27Mhz CB radio things some 25yrs ago, that was quite interesting!
😮👍👍

Your waffling all over the place!

First

lots of good stuff, but I frankly have to cringe a lot watching your videos. You need someone to ping these things realtime against. The playback is slow, you can see progress of it - hence why the it replays every so often. Nothing to do with the antennae polarity !