It's sort of a self imposed problem as well because the community produces a bunch of pull requests, but only the corporate staff members can approve and merge them into the official firmware. It begs the question why have an official firmware if it's not at least slightly maintained.
> why have an official firmware if it's not at least slightly maintained.
Because it's still useful to have a blessed child so that people getting into the space have somewhere to start. You could accept zero additional PRs and it would still be a useful thing to have.
The hardware is static so the rate of software rot is pretty low. It can effectively not be maintained as long as it's already in a stable state. Adding new features is cool and all but it also adds more bugs.
But the great thing is that there's a community, all using the same hardware, and people can fork. So people can still get those updates that they want. Maybe the only thing to do is create a community fork that is much more open but doesn't come with the same stability promises. But that can still be a lot of work, even if you get community maintainers
In my experience this doesn't work because people in large groups usually demand maintenance for free and donate explicitly for features they personally want.
You usually end up with insufficient donations to move anything, but now gained a bunch of users who think they own the devs and complain about every change which isn't that one thing they donated for...
Much easier fix:
They already open-sourced everything, the official branch is sufficiently stable and feature-rich. People are free to fork and create something new, decoupled from the Flipper team and maybe even financed by donations if they want to.
I would love to contribute towards getting Bluetooth keyboards working on freebsd. They have the drivers and most of the core working, even BT mice work, but keyboards aren't there yet.
yeah in the crypto space there is never consensus on what a developer costs, the donation pools and bounties are priced for a passionate developer in Malaysia as there are very few speculators from the few High Cost of Living places that the builders get opportunities from, in comparison to the rest of the of the world
developers all end up launching their own things and getting all the money up front in some way or another
What makes it a Russian company? The team is allegedly spread across the globe, the company (Flipper Devices Inc.) is registered in DE, USA and there's a London office.
They are registered all over the place yet somehow comply with neither UK nor EU warranty laws, and are unable to provide normal legal B2B documents in EU/UK (https://flipper.net/pages/b2b-and-tax-exemption-policy). Company is run by russians, for a long time they tried hard to hide the fact their servers were still in russia after they claimed to move out.
What's funny, or maybe sad, is that this used to be a solved problem back in the CD-distribution era of software. You buy the software once (or in this case the hardware that comes with a software license). You get bugfix patches and minor updates for a year. Next year the next version releases with major new features, and you either pay the price of an update or you stay on the version you are on. Good incentives for all sides. Development stays aligned with existing users, because otherwise they just stop buying updates. And in return the developer gets predictable revenue.
Then Minecraft pioneered the model of users paying once and getting free lifetime updates. And shortly thereafter various SaaS pioneered the model of the user paying monthly while the software barely changes.
And somehow we pretend like those two business models aren't both broken, and like the first one somehow doesn't work anymore
I don't remember minecraft being a driver of this - I do remember Patio11 on here being very influential in start ups doing subscription software instead of "finished" desktop applications.
That is not to blame him, but I remember his writing being very influential with start up founders.
Maybe popularized is the better word. It probably wasn't the first software ever to do this; free lifetime updates became viable with the internet sometime in the nineties and Minecraft only started doing it in 2009. But at the risk of being proven wrong I'm willing to claim Minecraft was the first software to do this and go mainstream, being recognizable outside its niche
I know Guild Wars had original idea in the era of "lets make new world of warcraft and get rich from subscriptions" to release mmorpg without any subscription, you only buy it once and you can play forever.
It was 2005.
You have your timeline slightly wrong because GW1 (if we take dev time into account) basically launched at the same time as WoW - and WoW wasn't the first subscription MMO. I suppose if this was a major reason, EverQuest would be the one to inspire it.
That's basically a variant of a subscription, but one where the end user churns aggressively.
It's worse in many ways too - it's a lot harder to gauge interest as the developer to understand how well any update will sell, and if the updates "stack", then a user only pays for the newest update to get all older features free. It's also worse from a cashflow perspective for the developer (but better for consumer) since they have to pre-build the update before any chance of getting paid for it.
The principal difference is that things keep working if I stop paying. All other aspects are secondary.
And generally speaking there is a lot of options that are excellent for developers but complete shit for the users. That's obvious, but it's also off the point in the context of fairness.
It's slightly funny that the post says firmly that they aren't doing any form of real time engagement with the community anymore, then ends by announcing an AMA date and time.
Yes, this is the way things should be, imho - let the company building the hardware have the say on the base OS, but then let there be forks/contributions from the wider community, which will keep the hardware alive long past the cutoff valve on the production line.
There are many good examples of this working out great for the community, one that I am playing with recently is the community firmware for the Synthstrom Deluge music production workstation, where the community is just taking it into the stratosphere in terms of capabilities beyond the original factory firmware.
There will always be folks who want to share their work.
Another good example is the pwnagotchi scene, where the project is kept alive by its users due to the open source nature of the original firmware images.
1. They open sourced the entire Software under GPL from the start, and always pushed all their changes to that public github.
2. They supported the first-party firmware for years, including huge rewrites of the interfaces used by applications, etc.
3. They actively involved the community on many topics around the product and were always responsive.
They did their job very well, financed ONLY by one-time sales of hardware. NO subscription or additional licensing fees were ever charged.
There is still alot of potential in the hardware itself (e.g. Bluetooth/BLE, NFC Tag writing,...), and the Community is working on alot of different topics.
--
Tl;DR: The Flipper team is free to go and invest resources elsewhere now. Thanks for your support, keep up the great work!
I wonder whether that future includes sending me the device I initially backed on the very first kickstarter. It's been >4 years of back-and-forth with support.
It is. As the article says, all development goals for FZ had been achieved and even overachieved - providing solid and feature-rich firmware, powerful SDK and developer tools. With that and development shift towards new products, updates to core firmare became infrequent - and we tried to address that.
Src: I'm one of the developers behind Flipper Zero.
Especially since, as that article describes, the "firmware" has a much more limited scope that it used to, now being mostly a loader for app rather that providing user functions.
Worrying about firmware development resources for a Flipper Zero seems a bit like concentrating on your bios instead of ongoing updates to Linux and the applications you use. Yeah, it's important, but it's probably exceedingly rare for the firmware here to need to change much.
> We need to normalize declaring software as finished. Not everything needs continuous updates to function. In fact, a minority of software needs this. Most software works as it is written. The code does not run out of date. I want more projects that are actually just finished, without the need to be continuously mutated and complexified ad infinitum.
To be fair, some software does rot. But when you have control of the hardware and the software, rot is pretty uncommon.
Honestly, I thought the whole point was to make a popular unified platform where the community could come together and expand on it. I really can't imagine a centralized player can predict nor create all features that users might want. But it seems like Flipper did the right thing: make the software flexible and easy to expand upon.
I'm curious if the agentic-based code flows will start to optimize higher-order programming goals in future evolutions.
1. Code works
2. Code works in all situations
3. Code uses defensive practices for unanticipated situations
4. Code is maintainable
5. Code is well architected
6. Code minimizes impact of rot
Right now, it feels like AI coding is ~2.5, if left to its own devices without human guidance.
I think you're over generalizing. Software rot happens for a multitude of reasons
- hardware changes
- firmware changes
- operating system changes
- dependencies change
- bits flip, thanks cosmic rays!
> Right now, it feels like AI coding is ~2.5
A lot of people would argue that it's not even 1. I'd argue it sits between 0.7 and 1.2 given the task.
I don't think it's close to 2. It's hyper fixated on task implementation. It's really bad at abstractions, even when requested. You have to be pretty precise over these instructions. I've only seen it develop well, even with explicit instructions, a handful of times. But hey, that's true about a lot of people too. Though people will not claim to have solved the proper generalization, people will just say "I just care that it works", which is kinda why AI is trained that way. It's not being programmed by your Knuths, it's being programmed by your Zuckerbergs.
That's because we haven't yet started to laugh people out of the room that get uneasy and complain when the rate of updates of something starts slowing down.
I heard a graybeard story about a manager who walked into a new ~90s sysadmin shop and was immediately horrified that everyone was calmly and slowly working.
At his old company, the sysadmins had been constantly putting out emergency fires!
... seeing how the "used to infinitely patched software" generation is unable to parse "done" is interesting.
Why would you need any support for things that are fully open source and flashable yourself?
Most everyone who has a flipper runs something like Unleashed firmware, and most of the functionality is in the apps that people built, not in the actual firmware.
Is... that possible? I thought the whole point is that those were a challenge-response specifically to avoid ever them disclosing over the air the material necessary to impersonate one.
You're thinking of NFC, not RFID, and with NFC the owner might not have changed the default keys.
It's a common mix-up (people barely differentiate between the terms anymore, though I'm surprised nobody in 2 hours mentioned it yet), basically RFID is (historically) an ID; a username. Like an ID field in a database. NFC is near-field communication: bidirectional. It does challenge-response and typically runs on hardened chips. But yeah people will call NFC chips RFID and RFID chips NFC all the time. Both are waterproof devices doing radio transmissions on wireless power and you can't tell them apart without using some equipment to try and read the chip type (even if most phones can do that nowadays), so I can understand the terminology generalisation
> and with NFC the owner might not have changed the default keys
Or the use case doesn't depend on any protected bits. A lot of NFC chips are being used as glorified ID tags even if the hardware could do more. And what actual security the hardware provides varies a lot - it's more like a gradient from dumb ID to full java card than a clean distinction.
Some cards don't have any form of security. For example Konami "e-amusement" cards are just an ID number, which is also written on the back of the card. It is a username so to speak, the password is the PIN you enter when you start the game.
Some cards use some kind of challenge-response but are weak and are easily crackable.
Some cards have an anti-copy protection based on rolling codes, be careful with these. The idea is that when you use it to, say, open a door, the card sends a code to the reader and if correct, that code is burned and the reader replies with the next code, which is stored in the card for the next time, making every other copy (possibly including the original) unusable. If the card emulator doesn't store the rolling code, you are completely locked out.
Some cards have a proper challenge-response mechanism that works and can't be easily copied.
Keyfobs absolutely should use a secure challenge-response protocol in order to prevent cloning. Unfortunately, it's extremely common for RFID devices to simply use the tag ID which is trivially cloneable. Many of the systems that make some attempt at security still fail by using a broken protocol or a flawed implementation.
Many RFID cards are literally just an ID number, and will happily allow you to copy that number to your own RFID card (look up "blue cloner guns", although they have their own downsides). Basically just security through obscurity. Cards that do fancy crypto stuff exist, but odds are your workplace badge, apartment fob, or hotel room key is the simple kind (because those are cheaper)
For a lot of applications someone being able to clone the card is also not that big of a problem. E.g. a hotel will invalidate the code on the card anyway when you check out so it doesn't matter for security whether a past guest has cloned the card.
In my old apartment I was able to copy my fob from my apartment office. In my new one I had to record the interaction with the door and was then able to open the door
I don’t know a whole lot about RFID, but some of the most basic cards can be copied very easily. When scanned, the reader always reads the same bits.
I believe there are some more secure cards, like Mifare DESFire EV3 that do provide some security. You’d be shocked how insecure most RFID readers for security cards are.
Oh yeah that’s how you’re supposed to do it. But it’s entirely possible to set up a system that uses RFID key fobs that uh, doesn’t.
In the case where it was most useful to make copies they did eventually replace the system with one where the keys weren’t copy able. Which was better!
Everything you can capture with Flipper has off-the-shelf cheap simple components you can find in your DIY electronics/maker store: IR leds, 433Mhz antennas. Seeed xiao is also small enough that you can stuff it and a relay into appliances and simulate button presses.
Is this something you do often? I could see a few use cases and also for copying garage keys. But I don't think I would use it enough to justify the investment
If you just want to clone a typical garage door remote, you're way better off buying a generic $5 fob. Almost all the 433MHz garage fobs I've seen are designed to easily clone each other. And if cloning doesn't work, it's probably because you need to access the door controller and hit a few buttons to pair the remote directly. Also trivial, and also often pretty physically insecure. In the smaller apartment buildings I've lived in, the boxes containing these control units have usually just been hidden behind by a couple of screws and a "danger electricity" sticker.
If your current remote has multiple unused buttons on it as they often do, you can already try this out.
> I don't think I would use it enough to justify the investment
This is not a rational purchase - most of the rule breaking done with the zero is for fun or convenience, rather than being truly illegal.
It used to be more fun before the hotels started handing out NFC unlocks with your phone.
Still, being able to send each other a key for a hotel room on Signal is a nice trick if you are traveling with a sufficiently tech savvy group of people.
What a great tool and community they have built. I find my flipper0 is like a computer Swiss Army knife. It’s so fun to carry around a tool of my own trade.
Logical NAND of a laptop featureset. Has things like IR, a subghz HDR, NFC+RFID, USB device support, iButton, and the like.
Some people get a lot of use out of it, but if you just saw that list of hardware and couldn't think of one area you'd apply it in, it's probably not going to be a useful device for you.
Anything you might want to do with a radio or IR device but don’t have specialized hardware for. It’s kind of a swiss knife/leatherman tool for short range communications standards.
I think of it as the browser dev tools of radio. Most people will have no use for it but it brings visibility and interactability in to an otherwise invisible world.
Given they’ve had several skirmishes with customs and law enforcement agencies around the world, this always struck me as similar to the “don’t talk about installing retail Switch games on the Switch modding Discord” type of deal - everyone knows you can do that, but allowing mentions in official channels opens us to liability and causes nothing but headaches for both us and for customers, so if you’re going to do that, you need to talk about it somewhere else. I freely admit that’s an assumption on my part, though, and I don’t know if there’s something uglier there…?
Its one thing to have a skid come in going "I wanna hack the RFID on the gubbmints's doors how can i do that?"
Versus "we forked the firmware to include a wide range of pentesting tools"
And then get banned for even saying the alternate firmware.
And seriously, this little thing is a wonderful hacker multitool. You can seriously fuck shit up with the hardware they included. For fucks sake, thats WHY they created it.
That's how you have to be on Discord, or else your guild gets banned from Discord. I wish we weren't using this crap. On IRC, sometimes you had to deal with cranky netops, but they mostly left you alone.
Absolutely nothing you said refutes anything in the comment you’re replying to. You are just reiterating “I’m angry and this is stupid”. Go write in your journal or something. It’s impossible to engage with someone who isn’t engaging themselves.
IRC is still alive and there is bunch of communities around that are a bit more lax, probably because they're half-dead compared to what they used to be. Today probabably Libera.chat would be the best introduction if you haven't touched IRC before.
Agreed 100% - they bricked the thing with official firmwares, and the "community" is the meanest most awful group of so-called hackers I've ever interacted with. It's more than just COA, they're actively aggressive and insular, not just on discord but reddit and less-known places too (which you can't know because you'll be banned for asking where you could find out).
I can understand why that happened at least remotely. If you do all those things they refused 'officially', it might be easier for stupid government idiots to paint it as a dangerous illegal tool.
Adding the necessary hardware while refusing to support arbitrarily iLLegAl things is the best of both worlds.
This. Many legit, but questionable features blown out of proportion already caused many issues with regulators who just don't want to get into details, but just delist from sales/ban the device.
And once you start talking about "jamming" and other 1337 h4x0r stuff - which is straight up illegal and can get you into trouble - on official platforms, don't get offended when that gets removed.
Sure. I get why you don't want the skids jamming. But hell, it is still in your github commit history. Your all historical work was that of a attacking hacker toolkit. Jamming proves that.
Now, that absolutely does NOT excuse Adkins on the discord from people asking how to get the PSK for garage door openers, and emulating the buttons. And especially since it was being asked by owners of said doors.
But you banned people with legitimate and legal uses too.
Good riddance to you all. I've stayed with 3rd party and steered others towards better actors than yourselves.
Tough spot with community that expects firmware updates while hardware sells only once
It's sort of a self imposed problem as well because the community produces a bunch of pull requests, but only the corporate staff members can approve and merge them into the official firmware. It begs the question why have an official firmware if it's not at least slightly maintained.
The hardware is static so the rate of software rot is pretty low. It can effectively not be maintained as long as it's already in a stable state. Adding new features is cool and all but it also adds more bugs.
But the great thing is that there's a community, all using the same hardware, and people can fork. So people can still get those updates that they want. Maybe the only thing to do is create a community fork that is much more open but doesn't come with the same stability promises. But that can still be a lot of work, even if you get community maintainers
Easy fix: Allow donations, merge updates once donation pool is enough to pay for the maintainers' time.
In my experience this doesn't work because people in large groups usually demand maintenance for free and donate explicitly for features they personally want.
You usually end up with insufficient donations to move anything, but now gained a bunch of users who think they own the devs and complain about every change which isn't that one thing they donated for...
Much easier fix: They already open-sourced everything, the official branch is sufficiently stable and feature-rich. People are free to fork and create something new, decoupled from the Flipper team and maybe even financed by donations if they want to.
has that ever worked, ever?
I've heard people talk about this "solution" for over a decade, especially with crypto trying to justify itself, but I've never seen it successful.
I would love to contribute towards getting Bluetooth keyboards working on freebsd. They have the drivers and most of the core working, even BT mice work, but keyboards aren't there yet.
yeah in the crypto space there is never consensus on what a developer costs, the donation pools and bounties are priced for a passionate developer in Malaysia as there are very few speculators from the few High Cost of Living places that the builders get opportunities from, in comparison to the rest of the of the world
developers all end up launching their own things and getting all the money up front in some way or another
more communities burned
This
Donating to a russian company with all the sanctions in place?
What makes it a Russian company? The team is allegedly spread across the globe, the company (Flipper Devices Inc.) is registered in DE, USA and there's a London office.
They are registered all over the place yet somehow comply with neither UK nor EU warranty laws, and are unable to provide normal legal B2B documents in EU/UK (https://flipper.net/pages/b2b-and-tax-exemption-policy). Company is run by russians, for a long time they tried hard to hide the fact their servers were still in russia after they claimed to move out.
Which is just another way of saying "this is why most developers prefer subscriptions over one-time sales"
What's funny, or maybe sad, is that this used to be a solved problem back in the CD-distribution era of software. You buy the software once (or in this case the hardware that comes with a software license). You get bugfix patches and minor updates for a year. Next year the next version releases with major new features, and you either pay the price of an update or you stay on the version you are on. Good incentives for all sides. Development stays aligned with existing users, because otherwise they just stop buying updates. And in return the developer gets predictable revenue.
Then Minecraft pioneered the model of users paying once and getting free lifetime updates. And shortly thereafter various SaaS pioneered the model of the user paying monthly while the software barely changes.
And somehow we pretend like those two business models aren't both broken, and like the first one somehow doesn't work anymore
I don't remember minecraft being a driver of this - I do remember Patio11 on here being very influential in start ups doing subscription software instead of "finished" desktop applications.
That is not to blame him, but I remember his writing being very influential with start up founders.
Total Commander is pay once, free updates forever. It's over 30 years old now.
RAR / WinRAR - same and it's even older.
Are you sure that minecraft pioneered that model?
It is certainly a very well-known instance of it, but pioneered?
Maybe popularized is the better word. It probably wasn't the first software ever to do this; free lifetime updates became viable with the internet sometime in the nineties and Minecraft only started doing it in 2009. But at the risk of being proven wrong I'm willing to claim Minecraft was the first software to do this and go mainstream, being recognizable outside its niche
I know Guild Wars had original idea in the era of "lets make new world of warcraft and get rich from subscriptions" to release mmorpg without any subscription, you only buy it once and you can play forever. It was 2005.
You have your timeline slightly wrong because GW1 (if we take dev time into account) basically launched at the same time as WoW - and WoW wasn't the first subscription MMO. I suppose if this was a major reason, EverQuest would be the one to inspire it.
Everquest was 1999. Ultima Online was 1997 and had a $10/month subscription price.
I pay for LittleSnitch major releases. I’m kind of forced to, in order to keep up with macOS major releases.
Maybe they can sell the hardware which includes 1 major upgrade release.
Maybe they can have a Kickstarter campaign to fund new releases.
Yeah, they do, but an actually fair to all sides model is that of one-time sales coupled with optional paid-for updates.
That's basically a variant of a subscription, but one where the end user churns aggressively.
It's worse in many ways too - it's a lot harder to gauge interest as the developer to understand how well any update will sell, and if the updates "stack", then a user only pays for the newest update to get all older features free. It's also worse from a cashflow perspective for the developer (but better for consumer) since they have to pre-build the update before any chance of getting paid for it.
I'd be surprised if the churn was as high as the subscription model.
If I buy a product and like it as-is then I don't necessarily want it to change over time.
Buy once is better, buy once with optional updates or periodic version releases is better still.
The principal difference is that things keep working if I stop paying. All other aspects are secondary.
And generally speaking there is a lot of options that are excellent for developers but complete shit for the users. That's obvious, but it's also off the point in the context of fairness.
Then just open source the firmware. We'll update it ourselves.
https://github.com/flipperdevices/flipperzero-firmware/blob/...
It's slightly funny that the post says firmly that they aren't doing any form of real time engagement with the community anymore, then ends by announcing an AMA date and time.
I read the post as implied they were talking about continuous realtime engagement.
Which TBF, answering every monkey with a typewriter on the internet is a huge time commitment from any team.
Everyone I know who owns a flipper almost immediately installs some 3rd party firmware like Momentum on it.
Yes, this is the way things should be, imho - let the company building the hardware have the say on the base OS, but then let there be forks/contributions from the wider community, which will keep the hardware alive long past the cutoff valve on the production line.
There are many good examples of this working out great for the community, one that I am playing with recently is the community firmware for the Synthstrom Deluge music production workstation, where the community is just taking it into the stratosphere in terms of capabilities beyond the original factory firmware.
There will always be folks who want to share their work.
Another good example is the pwnagotchi scene, where the project is kept alive by its users due to the open source nature of the original firmware images.
Might be an unpopular opinion, but:
1. They open sourced the entire Software under GPL from the start, and always pushed all their changes to that public github.
2. They supported the first-party firmware for years, including huge rewrites of the interfaces used by applications, etc.
3. They actively involved the community on many topics around the product and were always responsive.
They did their job very well, financed ONLY by one-time sales of hardware. NO subscription or additional licensing fees were ever charged.
There is still alot of potential in the hardware itself (e.g. Bluetooth/BLE, NFC Tag writing,...), and the Community is working on alot of different topics.
--
Tl;DR: The Flipper team is free to go and invest resources elsewhere now. Thanks for your support, keep up the great work!
I wonder whether that future includes sending me the device I initially backed on the very first kickstarter. It's been >4 years of back-and-forth with support.
Please send me your support ticket ID to pavel[at]flipper.net
Sent!
> TL;DR: We've allocated resources to maintain Flipper Zero firmware and support community contributions.
Is that the tldr? It sure sounds like it's still on minimal life support.
It is. As the article says, all development goals for FZ had been achieved and even overachieved - providing solid and feature-rich firmware, powerful SDK and developer tools. With that and development shift towards new products, updates to core firmare became infrequent - and we tried to address that.
Src: I'm one of the developers behind Flipper Zero.
You guys have done such a good job that I've thought about buying one even though I don't need one at all just to support the project.
You've surely launched a generation of perhaps-someday-responsible hackers into the world.
Why can't something be "done"?
Especially since, as that article describes, the "firmware" has a much more limited scope that it used to, now being mostly a loader for app rather that providing user functions.
Worrying about firmware development resources for a Flipper Zero seems a bit like concentrating on your bios instead of ongoing updates to Linux and the applications you use. Yeah, it's important, but it's probably exceedingly rare for the firmware here to need to change much.
Was just reading something along those lines:
https://infosec.exchange/@millie/115719943870742405
> We need to normalize declaring software as finished. Not everything needs continuous updates to function. In fact, a minority of software needs this. Most software works as it is written. The code does not run out of date. I want more projects that are actually just finished, without the need to be continuously mutated and complexified ad infinitum.
To be fair, some software does rot. But when you have control of the hardware and the software, rot is pretty uncommon.
Honestly, I thought the whole point was to make a popular unified platform where the community could come together and expand on it. I really can't imagine a centralized player can predict nor create all features that users might want. But it seems like Flipper did the right thing: make the software flexible and easy to expand upon.
Software rot is mostly about dependency size, ne?
I'm curious if the agentic-based code flows will start to optimize higher-order programming goals in future evolutions.
Right now, it feels like AI coding is ~2.5, if left to its own devices without human guidance.I think you're over generalizing. Software rot happens for a multitude of reasons
A lot of people would argue that it's not even 1. I'd argue it sits between 0.7 and 1.2 given the task.I don't think it's close to 2. It's hyper fixated on task implementation. It's really bad at abstractions, even when requested. You have to be pretty precise over these instructions. I've only seen it develop well, even with explicit instructions, a handful of times. But hey, that's true about a lot of people too. Though people will not claim to have solved the proper generalization, people will just say "I just care that it works", which is kinda why AI is trained that way. It's not being programmed by your Knuths, it's being programmed by your Zuckerbergs.
That's because we haven't yet started to laugh people out of the room that get uneasy and complain when the rate of updates of something starts slowing down.
I heard a graybeard story about a manager who walked into a new ~90s sysadmin shop and was immediately horrified that everyone was calmly and slowly working.
At his old company, the sysadmins had been constantly putting out emergency fires!
... seeing how the "used to infinitely patched software" generation is unable to parse "done" is interesting.
Eventually, competence means nothing to do.
why it should?
Why would you need any support for things that are fully open source and flashable yourself?
Most everyone who has a flipper runs something like Unleashed firmware, and most of the functionality is in the apps that people built, not in the actual firmware.
Flipper Zero is one of the handiest little pieces of tech I’ve ever owned. Being able to copy RFID keys is occasionally fantastically useful.
Is... that possible? I thought the whole point is that those were a challenge-response specifically to avoid ever them disclosing over the air the material necessary to impersonate one.
You're thinking of NFC, not RFID, and with NFC the owner might not have changed the default keys.
It's a common mix-up (people barely differentiate between the terms anymore, though I'm surprised nobody in 2 hours mentioned it yet), basically RFID is (historically) an ID; a username. Like an ID field in a database. NFC is near-field communication: bidirectional. It does challenge-response and typically runs on hardened chips. But yeah people will call NFC chips RFID and RFID chips NFC all the time. Both are waterproof devices doing radio transmissions on wireless power and you can't tell them apart without using some equipment to try and read the chip type (even if most phones can do that nowadays), so I can understand the terminology generalisation
> and with NFC the owner might not have changed the default keys
Or the use case doesn't depend on any protected bits. A lot of NFC chips are being used as glorified ID tags even if the hardware could do more. And what actual security the hardware provides varies a lot - it's more like a gradient from dumb ID to full java card than a clean distinction.
Some cards don't have any form of security. For example Konami "e-amusement" cards are just an ID number, which is also written on the back of the card. It is a username so to speak, the password is the PIN you enter when you start the game.
Some cards use some kind of challenge-response but are weak and are easily crackable.
Some cards have an anti-copy protection based on rolling codes, be careful with these. The idea is that when you use it to, say, open a door, the card sends a code to the reader and if correct, that code is burned and the reader replies with the next code, which is stored in the card for the next time, making every other copy (possibly including the original) unusable. If the card emulator doesn't store the rolling code, you are completely locked out.
Some cards have a proper challenge-response mechanism that works and can't be easily copied.
Oof, that burned-code scheme sounds like it has some painfully sharp UX edges if something goes awry in the new code resync portion.
But I'm guessing that's for serious security, where going to the guard shack is preferable to letting anyone unauthorized in?
Keyfobs absolutely should use a secure challenge-response protocol in order to prevent cloning. Unfortunately, it's extremely common for RFID devices to simply use the tag ID which is trivially cloneable. Many of the systems that make some attempt at security still fail by using a broken protocol or a flawed implementation.
As others have said, most are dumb, some just slightly less so. A few captured nonce values and a dictionary attack will crack most with ease.
Many RFID cards are literally just an ID number, and will happily allow you to copy that number to your own RFID card (look up "blue cloner guns", although they have their own downsides). Basically just security through obscurity. Cards that do fancy crypto stuff exist, but odds are your workplace badge, apartment fob, or hotel room key is the simple kind (because those are cheaper)
For a lot of applications someone being able to clone the card is also not that big of a problem. E.g. a hotel will invalidate the code on the card anyway when you check out so it doesn't matter for security whether a past guest has cloned the card.
In my old apartment I was able to copy my fob from my apartment office. In my new one I had to record the interaction with the door and was then able to open the door
I don’t know a whole lot about RFID, but some of the most basic cards can be copied very easily. When scanned, the reader always reads the same bits.
I believe there are some more secure cards, like Mifare DESFire EV3 that do provide some security. You’d be shocked how insecure most RFID readers for security cards are.
Oh yeah that’s how you’re supposed to do it. But it’s entirely possible to set up a system that uses RFID key fobs that uh, doesn’t.
In the case where it was most useful to make copies they did eventually replace the system with one where the keys weren’t copy able. Which was better!
Even that process can be flawed, see: Crypto1 and all the shenanigans that followed.
Recent UL-C/AES disclosure too IIRC
RFID keys vary from utterly dumb ID-based, to hackable challenge-response, to actual NFC smartcard (very rare).
Some of that can be trivially cloned.
Depends on where you are. Newer systems are resistant to attack, but not everywhere has upgraded to newer systems.
Most dont :)
I use it to clone remotes of "dumb" devices and emulate them with ESPHome to make them "smart" fully offline under my control.
Can you outline the process here? What transmitters do you use with esp32?
Everything you can capture with Flipper has off-the-shelf cheap simple components you can find in your DIY electronics/maker store: IR leds, 433Mhz antennas. Seeed xiao is also small enough that you can stuff it and a relay into appliances and simulate button presses.
Is this something you do often? I could see a few use cases and also for copying garage keys. But I don't think I would use it enough to justify the investment
If you just want to clone a typical garage door remote, you're way better off buying a generic $5 fob. Almost all the 433MHz garage fobs I've seen are designed to easily clone each other. And if cloning doesn't work, it's probably because you need to access the door controller and hit a few buttons to pair the remote directly. Also trivial, and also often pretty physically insecure. In the smaller apartment buildings I've lived in, the boxes containing these control units have usually just been hidden behind by a couple of screws and a "danger electricity" sticker.
If your current remote has multiple unused buttons on it as they often do, you can already try this out.
> I don't think I would use it enough to justify the investment
This is not a rational purchase - most of the rule breaking done with the zero is for fun or convenience, rather than being truly illegal.
It used to be more fun before the hotels started handing out NFC unlocks with your phone.
Still, being able to send each other a key for a hotel room on Signal is a nice trick if you are traveling with a sufficiently tech savvy group of people.
You can't even clone you garage door opener key anyway.
Flipper Zero and its clones have always been pseudohacker nonsense. Fun little party trick I suppose.
Sometimes you can clone them. My 20+ year-old condo uses non-rolling code "MegaCode". It's hit or miss.
IMO for garage much easier to just add garage door opener that works from your phone.
And then I need to pull my phone to open the garage door? No thanks
Nope! Only occasionally. But it’s handy on those occasions.
What a great tool and community they have built. I find my flipper0 is like a computer Swiss Army knife. It’s so fun to carry around a tool of my own trade.
I get ads for this all the time but still have no idea what I could do with it.
Logical NAND of a laptop featureset. Has things like IR, a subghz HDR, NFC+RFID, USB device support, iButton, and the like.
Some people get a lot of use out of it, but if you just saw that list of hardware and couldn't think of one area you'd apply it in, it's probably not going to be a useful device for you.
Anything you might want to do with a radio or IR device but don’t have specialized hardware for. It’s kind of a swiss knife/leatherman tool for short range communications standards.
I think of it as the browser dev tools of radio. Most people will have no use for it but it brings visibility and interactability in to an otherwise invisible world.
I use mine mostly as a universal IR remote.
i vibed a .ir to tasmota IRSend commands and it is so good.
Can you open source it?
https://github.com/nicman23/flipper_to_IRSend
[flagged]
Please don't fulminate on HN. The guidelines make it clear we're trying for something better here. https://news.ycombinator.com/newsguidelines.html
Given they’ve had several skirmishes with customs and law enforcement agencies around the world, this always struck me as similar to the “don’t talk about installing retail Switch games on the Switch modding Discord” type of deal - everyone knows you can do that, but allowing mentions in official channels opens us to liability and causes nothing but headaches for both us and for customers, so if you’re going to do that, you need to talk about it somewhere else. I freely admit that’s an assumption on my part, though, and I don’t know if there’s something uglier there…?
Its one thing to have a skid come in going "I wanna hack the RFID on the gubbmints's doors how can i do that?"
Versus "we forked the firmware to include a wide range of pentesting tools"
And then get banned for even saying the alternate firmware.
And seriously, this little thing is a wonderful hacker multitool. You can seriously fuck shit up with the hardware they included. For fucks sake, thats WHY they created it.
That's how you have to be on Discord, or else your guild gets banned from Discord. I wish we weren't using this crap. On IRC, sometimes you had to deal with cranky netops, but they mostly left you alone.
Absolutely nothing you said refutes anything in the comment you’re replying to. You are just reiterating “I’m angry and this is stupid”. Go write in your journal or something. It’s impossible to engage with someone who isn’t engaging themselves.
Any advice on good communities or sources of (reliable) information on alternative firmwares and pen testing type tools?
IRC is still alive and there is bunch of communities around that are a bit more lax, probably because they're half-dead compared to what they used to be. Today probabably Libera.chat would be the best introduction if you haven't touched IRC before.
“Furries Forking Flipper Firmware” sounds like a promising and/or true and/or Garden-Path headline
Agreed 100% - they bricked the thing with official firmwares, and the "community" is the meanest most awful group of so-called hackers I've ever interacted with. It's more than just COA, they're actively aggressive and insular, not just on discord but reddit and less-known places too (which you can't know because you'll be banned for asking where you could find out).
What is the current go-to unofficial firmware? Mine had extreme but I think that one’s dead?
I'm currently using https://momentum-fw.dev/
Works well, and compiling modules like the epaper hacker tool is easy.
https://github.com/i12bp8/TagTinker
Thanks for the suggestion!
I would be interested in the names and descriptions of these legit pentesting tools.
I can understand why that happened at least remotely. If you do all those things they refused 'officially', it might be easier for stupid government idiots to paint it as a dangerous illegal tool.
Adding the necessary hardware while refusing to support arbitrarily iLLegAl things is the best of both worlds.
This. Many legit, but questionable features blown out of proportion already caused many issues with regulators who just don't want to get into details, but just delist from sales/ban the device.
And once you start talking about "jamming" and other 1337 h4x0r stuff - which is straight up illegal and can get you into trouble - on official platforms, don't get offended when that gets removed.
Sure. I get why you don't want the skids jamming. But hell, it is still in your github commit history. Your all historical work was that of a attacking hacker toolkit. Jamming proves that.
Now, that absolutely does NOT excuse Adkins on the discord from people asking how to get the PSK for garage door openers, and emulating the buttons. And especially since it was being asked by owners of said doors.
But you banned people with legitimate and legal uses too.
Good riddance to you all. I've stayed with 3rd party and steered others towards better actors than yourselves.
are there any chinese knock offs of the hardware? i've yet to find something that integrates all the features this well
On aliexpress there are but I can't vouch for their quality
> mention ANY of the alternate firmwares on their discord, and you get banned
Does it surprise you that a Russian product team would use these tactics?
Nyet.
Why would they not consider open-sourcing the software side ? Its not like they make any money from the software.
> Why would they not consider open-sourcing the software side ?
What part of their GPL-licensed firmware that is hosted in a public GitHub, do you consider not to be open-source?