When I first read about the Flipper Zero, I was intrigued to back the kickstarter campaign.
But all that description text, videos and graphics looked far too good to be true.
Two years later I found that the Flipper was not another kickstarter scam, but a real and even a pretty gorgeous device. I wanted to get hands on it.
As some may have noticed, I am working with Team RevvoX on Toniebox figurines, their emulation and custom tags etc. for a while now.
First I wanted Flipper Zero to read and write NXP SLIX-L tags, which use the ISO15693 protocol, adding some extensions.
Acquiring a Flipper Zero
But getting that Flipper Zero was not easy. It was sold out and some people “ebay kleinanzeigen” were running massive scam offers. Out of 20 offers, 19 were obvious scam, telling you that the seller “has currently no access to his bank account” and you should “send the money via paypal friends” into a foreign country.
The worst story of all was a guy who – allegedly – was from greece, selling the Flipper for his – allegedly – turkish friend. Of course the article was located in germany. But the money should go to an Paypal account with a cyrillic name. Can’t even remember all the details, but you get the point.
Of course, I did not fall for any scam.
After days of scaping the internet, I contacted the shop at https://lab401.com/, if they happen to have one available for me, explaining them what my plans were with that flipper. And what should I say – thanks to them, I got my hands on a Flipper Zero some other customer returned.
Thanks guys, I really appreciate your support!
Visit the Lab401 shop at https://lab401.com/
The real work
Having the Flipper in my hands for a few weeks now, playing around and getting confident, I started the real work now: implementing ISO15693 specific features.
The hardware itself is capable of the protocol, in particular reading is implemented in the ST25R3916 itself, which is the chip they used.
Unfortunately it only implements a protocol stack for reader mode, which means reading toniebox figurines is simple, but emulating them requires manual low level stuff, using the “transparent mode” and modulating RF using GPIO.
However the Toniebox puts the SLIX-L chips of the figurines in their “privacy mode”, so they never answer to any request of a reader. Also not those of the Flipper Zero. They answer only one command – the “GET RANDOM NUMBER”. When the reader issues this command, the SLIX-L responds with a random number that has to be used with the next command “SET PASSWORD”.
If you knew the correct password, the SLIX-L will reveal itself as a fully functional ISO15693 tag with 32 bytes of user memory.
Alternatively you could use the Toniebox to unlock the tag and prematurely pull it away from the box, so it will not get placed in privacy mode again. This is also known as the “knock method“.
Software can be complex
The Flipper Zero does not know about this speciality, and thus I started implementing the menus and the functionality behind.
Digging into their sources I must admit, I was a bit lost. Too many layers of abstraction (CAL – Crap Abstraction Layer?) to simply get started sending some basic ISO15693 frames.
After a day of digging in their sources, I was sure I was missing the QtDesigner generator step somewhere. It simply cannot be that this small device has 70 handcrafted C files just in the NFC menu, all being a GUI menu or sceen, with some kind of state machine.
After trying to get my code running, I started to understand why they are doing it. The user interface feels very well animated, features context menus and all that stuff you intuitively expect. There are even cross references between menus, e.g. loading a file after saving allows you to emulate a tag (if supported) the same way as if you just read it from another tag. Pretty solid.
However this is not my world. I am no GUI guy, I prefer the low level stuff. So it’s not that easy or attractive for me fiddling with 10 source files just to get one task done: unlock SLIX-L chips
The Results
In the end the first results are finally there – unlocking (a.k.a disable privacy mode) Tonie figurines using a Flipper Zero. The code is available on github and the flipper devs are aware of it. After their big API update, I will focus the code cleanup and create a pull request to make it part of the main firmware.
I absolutely love the device and am soo happy being able to use it. Also great respect for all you Flipper Zero developers, you made a really great device, that combines all that RF / BLE / USB / IR / NFC / LF-NFC / …. tinker projects one would do into a single device. Just amazing.
Just programming the GUI is – ooofh – a bit complex? Maybe there will be a simple API somewhen, where you just pass a struct of menu entries and all that condenses down to a single file :)
Update (17.01.23):
Meanwhile I implemented full emulation and the flipper can read all tonies using the “Unlock Slix-L” menu entry.
It saves UID and all content and stuff, ready for emulation. This can be used to take all your Tonies with you, when on a road trip.
A fork of the original firmware, RogueMaster, already merged my code and I am trying to get it merged into the original firmware as well.
Github: https://github.com/g3gg0/flipperzero-firmware/tree/ISO15693
Binary: See RogueMaster firmware releases
(place it in the SD card within the update folder and execute the “update” files using Flipper’s browser)
One Comment