[14] Flipper Zero - decoding subghz raw data

  • Published 19 Jan 2025

COMMENTS • 41

  • @Ohwellwhynot
    @Ohwellwhynot 16 days ago

    Derek- I just want to thank you. I've spent 40+ hours trying to decode an rf remote signal and replicate it on an Arduino. I was frustrated beyond belief until I found your videos. Thanks to you, everything finally clicked. Glad to be a subscriber and looking forward to watching your other videos.

    • @MrDerekJamison
      @MrDerekJamison  7 days ago

      Very cool, thanks for sharing! Is your project on github somewhere to check out? I know some people are interested in replicating Flipper Zero signals for IR, SubGHz, etc. on lower cost hardware such as PI or Arduino!

  • @000maestro000
    @000maestro000 1 year ago +6

    Great series of videos, finally some in-depth and to-the-point subghz material. keep it up.

    • @MrDerekJamison
      @MrDerekJamison  1 year ago +3

      Glad you like them! I'm focused on GPIO at the moment, but I'll go back and try to do a few more on subghz in the next couple of weeks -- plus I need to finish my rock-paper-scissors subghz game.

  • @trentonstiles9540
    @trentonstiles9540 1 year ago +1

    definitely needed this! There isn't really good documentation or explanation on this stuff and I've had my flipper for over a year!

    • @MrDerekJamison
      @MrDerekJamison  1 year ago

      Thanks. I'm glad you liked it. There are so many videos & projects I'd like to make about the Flipper Zero. For a v0.8 product, I think it's fairly robust, it's just lacking documentation. I'll continue to try to release Flipper Zero tutorials on GitHub and videos on UA-cam -- I'm trying to balance quality vs. quantity. If you have ideas for future tutorials, please let me know.

  • @plotspapa
    @plotspapa 1 year ago

    This was so awesome, very concentrated content, dearly appreciate it - mostly found videos that are incomprehensible explanations if you are still exploring the capabilities without having technical, dev or engineering background.

    • @MrDerekJamison
      @MrDerekJamison  1 year ago

      Thanks for the feedback. Sometimes my videos are also too technical, or I forget to explain why the listener actually cares about the topic. My wife typically reviews the videos; but since she heard me talk non-stop about the content that week, her brain probably fills in a lot of the gaps. 🤣

  • @fj5430
    @fj5430 1 year ago +1

    Very interesting, those kind of data looks horrible when you don't know how to read them, but makes so much sense once I've seen your video.
    Thank you!

    • @MrDerekJamison
      @MrDerekJamison  1 year ago +1

      Thanks. I’ve been thinking about doing a video about BIN_RAW format, because it’s super helpful to be able to read as well. Eventually you start to see patterns in this stuff, then when you go on to IR files, you are like - hey, this is the same just without the minus signs. 🤓

  • @CHRISTIANLIMAT
    @CHRISTIANLIMAT 4 months ago

    Great video! thank you for your time doing it.

    • @MrDerekJamison
      @MrDerekJamison  3 months ago +1

      Thanks for watching! A similar technique is used for RAW IR signals (except they are all positive numbers, so you just have to keep track of even/odd.)

  • @johnwilson3918
    @johnwilson3918 4 months ago

    Hello! Thank you for sharing. I'm trying to write a simple RP Pico program to replay this raw FlipperZero data. (Byron DoorBell) - Using those cheap 433Mhz TX boards. Since this data in the RAW Sub file is 'On/Off Keying' . I just assumed the carrier wave would be HIGH for (if the tone data was > 500) for 'silence' duration and LOW if tone data < 500 for the paired 'silence' duration. I think I'm confused by your use of term 'silence'. Thank you. What is the number 650 for? Is this the length in time in uSec needed to be high for the value '1' ?

    • @MrDerekJamison
      @MrDerekJamison  4 months ago

      Since you are writing for Pico, there will be a GPIO pin connected to the CC1101 if you are transmitting in async mode; when the pin is HIGH it will transmit carrier and when pin is LOW it will not transmit. When looking at a Flipper Zero RAW file, the positive numbers are the number of uSec that a signal is transmitted (ON), where GDO0 is set. The negative numbers are the number of uSec that the signal is not transmitted (OFF), where GDO0 is cleared.
      I've never written an app for the Pico, but it sounds like a super interesting project that I'd enjoy working on. I have a Video Game Module for the Flipper Zero (which is RP Pico) and I think it exposes enough GPIO pins to do that project? If you need help, you can reach out to me on Discord, I'm @codeallnight.

    • @johnwilson3918
      @johnwilson3918 4 months ago +1

      @MrDerekJamison Thank you so much, Derek. Your last comment was enough to fix my Pico code! I've put it up on Github if people are interested.

    • @MrDerekJamison
      @MrDerekJamison  4 months ago

      @johnwilson3918 glad you got it working! you may want to create a new comment about github.com/johnnyw66/picoflipperzero, so more people see it.

  • @alzalame
    @alzalame 1 year ago +1

    Thank you very much , good explanation 👍

    • @MrDerekJamison
      @MrDerekJamison  1 year ago

      Glad you liked it. Let me know if there are other topics you want me to cover.

  • @tobiaskasser2700
    @tobiaskasser2700 1 year ago

    Sure it's not the other way round? First column should be length of the signal, second is the rssi which is negative, no?

    • @MrDerekJamison
      @MrDerekJamison  1 year ago

      The RSSI value is not stored in the .SUB file. For a signal with OOK modulation, positive values are length of signal detected (in microseconds). Negative numbers are the length of no-signal detected (in microseconds). In 2-FSK (Flipper calls it FM) I think the positive are for frequencies detected above the carrier frequency and the negative are for frequencies below the carrier frequency [or not detected].
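
Added example, not part of the original comments or of any code from the video's author: a Python sketch of the sign convention described in the two replies above (positive = microseconds ON, negative = microseconds OFF for OOK), applied to a RAW .sub file. The sample file contents are constructed, and the names `parse_sub`, `split_frames`, `pwm_bits`, the 5000 µs frame gap, the 700 µs threshold and the "long tone = 1" encoding are all assumptions for illustration.

```python
# Added example: read OOK timings from a Flipper Zero RAW .sub file.
SAMPLE_SUB = """\
Filetype: Flipper SubGhz RAW File
Version: 1
Frequency: 433920000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: RAW
RAW_Data: 350 -1050 1050 -350 350 -1050 1050 -350 350 -9500
RAW_Data: 350 -1050 1050 -350 350 -1050 1050 -350 350 -9500
"""  # constructed sample, not a real capture

def parse_sub(text):
    """Return (headers, pulses); pulses are (is_on, microseconds) tuples."""
    headers, pulses = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # skip blank or malformed lines
        if key.strip() == "RAW_Data":
            for tok in value.split():
                n = int(tok)
                if n == 0:
                    raise ValueError("zero-length duration in RAW_Data")
                pulses.append((n > 0, abs(n)))  # sign gives ON/OFF, magnitude gives µs
        else:
            headers[key.strip()] = value.strip()
    return headers, pulses

def split_frames(pulses, gap_us=5000):
    """Split on OFF periods >= gap_us (assumed inter-frame silence)."""
    frames, cur = [], []
    for is_on, us in pulses:
        if not is_on and us >= gap_us:
            if cur:
                frames.append(cur)
            cur = []
        else:
            cur.append((is_on, us))
    if cur:
        frames.append(cur)  # trailing frame with no closing silence
    return frames

def pwm_bits(frame, threshold_us=700):
    """Assumed encoding: ON pulse longer than threshold -> '1', else '0'."""
    return "".join("1" if us > threshold_us else "0" for is_on, us in frame if is_on)

if __name__ == "__main__":
    hdr, pulses = parse_sub(SAMPLE_SUB)
    for frame in split_frames(pulses):
        print(hdr["Frequency"], pwm_bits(frame))
```

If repeated frames do not produce the same bit string, the threshold or the assumed encoding does not match the remote, or the capture contains interference.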

  • @andreagle9391
    @andreagle9391 1 year ago

    Hey Derek I'm looking at the csv file for my garage clicker and I found a pattern of 69 millisecond silences every 51 lines, then 48 lines, then 51 lines, then 48, etc, and when I was trying to decode the bits in between, it really wasn't obvious which lines were 0s and which were 1s. None of the tones or silences are over 1000. Any ideas?

    • @MrDerekJamison
      @MrDerekJamison  1 year ago

      That doesn’t sound right. Maybe you are getting interference? Try changing the RSSI value? Also, if it is garage door, good chance of rolling code. You can reach out to me on Discord at codeallnight. You may also want ua-cam.com/video/VxMDdYuRITE/v-deo.html if the durations are short.

  • @000maestro000
    @000maestro000 1 year ago

    also a question, this method will work correctly only assuming my modulation is correct right ? if I capture with incorrect modulation I would just get garbage ? 10x

    • @MrDerekJamison
      @MrDerekJamison  1 year ago +1

      Yeah, that is a great callout. It seems everything I own is using OOK-650KHz!
      I should do a video on modulation (I just finished reading the CC1101 spec.)

    • @000maestro000
      @000maestro000 1 year ago

      @MrDerekJamison I'll be waiting for it 🙂

    • @MrDerekJamison
      @MrDerekJamison  1 year ago +1

      Hi Dan! Hopefully you find the following video helpful... ua-cam.com/video/tzLmMl9HlTY/v-deo.html Also, in the comments of that video is another channel that is doing good work and has a video on modulation that might be useful.

  • @nielsboone5053
    @nielsboone5053 1 year ago

    Great video! Do you believe there is a program available to convert this programmatically?

    • @MrDerekJamison
      @MrDerekJamison  1 year ago +1

      If it's a known protocol, you can use the CLI to take the RAW file and decode it...
      - lab.flipper.net/cli
      - subghz decode_raw /ext/subghz/demo1.sub
      Next week, I'll try to add a feature to be able to decode into BIN_RAW for unknown protocols, which makes it a little easier to work with. I'll update the wiki once it works... github.com/jamisonderek/flipper-zero-tutorials/wiki/Sub-GHz

    • @MrDerekJamison
      @MrDerekJamison  1 year ago +1

      Also, if you just want to convert to CSV, there are some python tools from people in my discord channel. They do graphing, convert to CSV, etc. Invite to discord is discord.com/invite/NsjCvqwPAd

  • @Nyano161
    @Nyano161 1 year ago

    Hello great tutorials, I was stuck on this step.
    So after turning the subfile into CSV file, I found the data you showed in Studio Visual Code (where the data looks like it is parallel, I understood the rest of it is the noise) and after that I found silence of 9.5ms every 90 lines. Is this normal? And between these silences, I can not find a tone that is higher than 1000. All of them are under 1000!
    What should I do? How can I attribute the binary code to the lines with the tones, if all of them are under 1000ms?

    • @MrDerekJamison
      @MrDerekJamison  1 year ago

      When you load the original RAW recorded file via Saved, choose Emulate, and then press Send, does the device respond? (I'm trying to confirm the original RAW file is good.) If it works, can you share a link to the file? If you want to message me on Discord, my handle is CodeAllNight#1337.

    • @Nyano161
      @Nyano161 1 year ago

      @MrDerekJamison I managed to decode a rolling code with the inbuilt decoder, but I was wondering if I could do it myself....or at least learn how to do it myself. And I'm stuck at the part after I find the long silences, and counting the bits. 🤦‍♀ So the RAW file wouldn't work because it is a rolling code.

    • @MrDerekJamison
      @MrDerekJamison  1 year ago

      @Nyano161 For rolling code you need to be careful not to have pressed remote so many times that the vehicle gets out of sync. For me, I typically capture the signal + send it to the vehicle (or I use a remote for a vehicle I no longer own & don't care if it gets out of sync.)
      Hopefully you can count the bits and then see some patterns. The rolling part you aren't likely going to figure out, but you might see the patterns in the non-rolling parts. Here are some captures from a Chevy HHR I no longer own... github.com/jamisonderek/flipper-zero-tutorials/tree/main/subghz/samples/chevy-hhr-2006

    • @Nyano161
      @Nyano161 1 year ago +1

      @MrDerekJamison Haha, well I can't do it on my Ford, the keyfob also hops frequencies. But I recorded one single "opening" signal from the access point barrier, and after that it auto decoded, so now I have a rolling code remote on my device. But so yeah, the barrier doesn't get out of sync, I was just wondering what happens behind the decoding.

  • @sgtfoose8842
    @sgtfoose8842 9 months ago

    Omg dude, so good :)

    • @MrDerekJamison
      @MrDerekJamison  9 months ago

      Thanks! 😁 The IR files are similar, but I think they get rid of the negative signs (you just have to keep track of on/off).

  • @ilprorosso1316
    @ilprorosso1316 1 year ago

    Just a question if I want to change the credit of an nfc card (example=coffee card/swimming pool card) how do I do that?

    • @MrDerekJamison
      @MrDerekJamison  1 year ago

      I haven't looked into NFC with Flipper Zero yet. 3 years ago, I made a video about reprogramming Mifare cards (using NFC device + Arduino): ua-cam.com/video/XxgqlmkxAFg/v-deo.html -- the short answer is it depends on the card, the keys and the data you need to write. Also, if it's running code, then it's likely not worth the effort to clone.
      If you search the internet for Mifare cards and Flipper, you will probably find lots of videos... ua-cam.com/video/wjbSBDCMuXs/v-deo.html looks like legit information.
      I'm focused on GPIO tutorials right now; but at some point, I'll try to make some videos on NFC for Flipper.

    • @ilprorosso1316
      @ilprorosso1316 1 year ago

      @MrDerekJamison thank you so much

    • @ilprorosso1316
      @ilprorosso1316 1 year ago

      @MrDerekJamison I’m gonna follow you

    • @MrDerekJamison
      @MrDerekJamison  1 year ago +1

      Thanks. I'd recommend you double-check that your latest pen test ROE (Rules of Engagement) document includes NFC cards as *in-scope*. Access control is typically not as bad as payment; but you never know how a client is going to react when you show them the attack you figured out. Make sure you understand what disclosure looks like too; it can be super exciting when you first bypass something using your Flipper Zero (it's similar to that feeling when you get your first set of lock picks & start unlocking all the things!)