Flipper Zero · Volume 1
Flipper Zero Volume 1 — Series Overview & Decision Tree
An engineer's tour of the device, the modules, and the ecosystem — with depth indices into Volumes 2–12
1. About this Series
This is a twelve-volume engineer-grade reference for the Flipper Zero. It assumes a reader who has shipped firmware before, understands embedded peripherals from the silicon up, and wants schematic-grade theory of operation rather than a tutorial. Volume 12 is the field cheatsheet — print and laminate.
The series is structured as a graph, not a book. Vol 1 (this one) gives you the spine and the decision tree; Vol 2 is the hardware foundation; Vol 3 is the firmware ecosystem; Vols 4–7 are subsystems (sub-GHz, RFID/NFC, IR/iButton/BadUSB/U2F, GPIO/FAP/JS); Vols 8–10 are the module ecosystem (official, third-party, DIY); Vol 11 is end-to-end workflows; Vol 12 is the cheatsheet. Cross-references between volumes are dense; you don’t need to read in order after Vols 1 and 3.
2. What the Flipper Is — and Isn’t
2.1 The hardware sentence
The Flipper Zero is an STM32WB55-based pocket multitool with onboard sub-1 GHz radio (TI CC1101), 13.56 MHz HF reader (ST ST25R3916), 125 kHz LF RFID, 38 kHz IR transceiver, iButton/1-Wire contact, 18-pin GPIO header, microSD slot, 128×64 monochrome LCD, 2,000 mAh LiPo, USB-C, and a BLE radio core that runs ST’s certified stack. It boots from internal STM32WB55 flash; user files live on the SD.
2.2 The framing
It is best understood as a controller and protocol terminal, not an SDR. It captures, decodes, replays, emulates, and bridges over a fixed catalog of protocols implemented in firmware. For wideband signal analysis or modulation reverse-engineering, pair it with a HackRF One or RTL-SDR — see Vol 11 §3 for the recipe.
2.3 What it isn’t
- It isn’t an SDR. The CC1101 is a packet-radio narrowband transceiver, not an IQ-streaming front end. Frequency analyzer mode shows RSSI, not spectrum.
- It isn’t a Proxmark3. The ST25R3916 is fine for everyday cards (MIFARE Classic, NTAG, DESFire); for unusual LF protocols (HiTag2, EM4x70, LEGIC) the Proxmark wins. See ../_shared/comparison.md.
- It isn’t an oscilloscope or logic analyzer. The GPIO header can be driven as a SUMP-protocol logic analyzer over USB-CDC (see Vol 9 §19) but you’ll exceed its sample rate fast. Bus Pirate 5 is the right tool for embedded protocol bring-up.
- It isn’t an unrestricted RF transmitter. Stock firmware enforces regional TX restrictions; custom firmwares (Momentum, Unleashed, RogueMaster) remove those locks but the legal restrictions don’t go away. See ../_shared/legal_ethics.md.
3. The Capability Surface
| Domain | Stock capability | With which module |
|---|---|---|
| Sub-GHz capture/replay | 300–928 MHz, 5–10 m | External CC1101 amp → 70–150 m (Vol 8 §4) |
| Wi-Fi attacks | None onboard | Official WiFi Devboard + Marauder (Vol 8 §1); Game Over (Vol 9); AWOK V3 (Vol 9); Apex 5 (Vol 9) |
| 2.4 GHz keyboard injection | None | NRF24 module + Mousejack FAP (Vol 8 §3) |
| HDMI/DVI video out | None | Video Game Module (Vol 8 §2) — owned |
| Multi-radio wardriving | None | Game Over module (Vol 9) — owned; AWOK Dual Touch V3 (Vol 9) — owned |
| 13.56 MHz NFC | MIFARE Classic + nested, NTAG, DESFire, FeliCa | — |
| 125 kHz LF RFID | EM4100, HID Prox, Indala, AWID, T5577 clone | — |
| BadUSB | DuckyScript via USB-HID | — |
| BLE attacks | BLE Spam, beacon work | WiFi Devboard for higher-power (Vol 8 §1) |
| GPS / wardriving | None | NEO-6M / u-blox via UART (Vol 9 §15); AWOK V3 onboard |
| Embedded debug | SWD probe via two FAPs (Vol 9 §18) | Black Magic Probe via WiFi Devboard reflash (Vol 8 §1) |
| Logic analysis | 8-channel SUMP via FAP, slow | — |
This table is the framing for Vols 4–10. Each capability has a section in the volume that covers it; each module has a chapter in Vol 8 (official) or Vol 9 (third-party).
4. Decision Tree — When to reach for the Flipper
"I need to do RF / RFID / NFC / IR / BadUSB work, on the bench or in the
field, and I might need to write a custom application for it."
├── Sub-GHz, known protocol catalog, 433/868 MHz?
│ → Flipper. Start with Sub-GHz → Read or Read RAW.
│ For 70–150 m range, swap the antenna/amp (Vol 8 §4).
│ For wideband or arbitrary modulation: HackRF (Vol 4 §11).
│
├── 13.56 MHz NFC card you need to read/clone/emulate?
│ → Flipper. Mfkey32 + nested attack onboard. Magic cards (Vol 5 §6)
│ handle UID/sector-0 emulation. For HiTag2/EM4x70/LegIC: Proxmark3.
│
├── 125 kHz LF clone to T5577?
│ → Flipper. One keypress workflow.
│
├── IR remote, learn or universal?
│ → Flipper. TSOP75338 + 3-LED bank. For 30–100 ft range,
│ Rabbit-Labs IR Blaster (Vol 9 §14) — needs Unleashed/RogueMaster.
│
├── BadUSB DuckyScript payload delivery?
│ → Flipper, with caveat: device enumerates as Flipper unless
│ firmware spoofs descriptor. For stealth: Hak5 Rubber Ducky.
│
├── Wi-Fi attacks?
│ → Flipper + WiFi Devboard with Marauder (entry tier);
│ Flipper + Game Over or AWOK V3 (Vol 9) for multi-radio + standalone;
│ Flipper + Apex 5 (Vol 9) for 5 GHz Wi-Fi 6;
│ For sustained dual-radio engagements: WiFi Pineapple (not in lineup).
│
├── 2.4 GHz wireless mouse/keyboard injection (MouseJack)?
│ → Flipper + NRF24 module. The only MouseJack-capable tool in lineup.
│
├── Wideband RF analysis, modulation reverse-engineering, IQ recording?
│ → Not Flipper. HackRF One + GNU Radio is the right path.
│
├── Deep embedded protocol bring-up (UART/SPI/I²C/JTAG/SWD/PMBus on an
│ unknown board)?
│ → Bus Pirate 5 wins. Flipper handles single-protocol one-offs but
│ lacks the Bus Pirate's mode catalog and color VT100 UI.
│
└── On-the-floor pen-test running Kali / Metasploit / Wireshark?
→ Clockwork uConsole. Flipper rides as a peripheral via qFlipper +
mobile / desktop UI.
5. Series Topology — Where each volume lives
| Vol | Topic | Read for |
|---|---|---|
| 1 | Series overview, decision tree, capability matrix | First read |
| 2 | Hardware: STM32WB55, power tree, every subsystem schematic-grade | Anyone touching the device at the bench |
| 3 | Firmware ecosystem: Official, Momentum, Xtreme, Unleashed, RogueMaster — install, recovery, BLE re-pair, module-firmware pairing matrix | First-time install + every firmware swap |
| 4 | Sub-GHz CC1101: register-level, modulation modes, supported protocols, when external amp helps | Garage doors, key fobs, weather stations, IoT |
| 5 | RFID & NFC: 125 kHz LF + 13.56 MHz HF (ST25R3916), magic cards, mfkey32 + nested, where Proxmark wins | Access-card audit, NFC tag programming |
| 6 | IR, iButton/1-Wire, BadUSB, U2F | Universal remotes, DS1990A, DuckyScript |
| 7 | GPIO header, FAP development with ufbt, JS runtime on Momentum | Writing applications for the device |
| 8 | Official Modules — WiFi Devboard, Video Game Module (full chapter), NRF24, official CC1101 amp | tjscientist owns the VGM |
| 9 | Third-Party Modules — Ruckus Game Over (full chapter), AWOK Dual Touch V3 (full chapter), Mayhem, Apex 5, EvilCrow, GPS, sensors, ~25 others | tjscientist owns Game Over + AWOK V3 |
| 10 | DIY Modules: GPIO reference, KiCad templates, mechanical envelope, sample projects, PCB-from-scratch checklist for tjscientist’s lab | When the right module doesn’t exist yet |
| 11 | Workflows & recipes: garage-door analysis, RFID badge audit, BLE keyboard pentest, SDR companion mode | Field work |
| 12 | Cheatsheet — print/laminate one-pagers | Always carry |
6. Hardware Status at the time of writing
tjscientist owns:
- Multiple Flipper Zero units (production rev F7B9C6).
- Official WiFi Devboard (ESP32-S2 WROVER) — currently running Marauder.
- Official Video Game Module (RP2040 + ICM-42688-P + DVI). Full chapter in Vol 8 §2.
- NRF24 module (community-sourced, standard 5-pin SPI pinout).
- External CC1101 sub-GHz module / amplifier (extends 433 MHz range to ~150 m).
- Ruckus // section80 “Game Over” module (third-party multi-radio with OLED). Full chapter in Vol 9 §6.
- AWOK Dynamics Dual Touch V3 (third-party Wi-Fi/GPS wardriver). Full chapter in Vol 9 §7.
The decision tree above weights “owned” answers higher than “could be acquired” answers — when a job is doable with what’s on hand, that wins.
7. Lab-Discipline Posture
This series catalogs what the device can do, in detail. What you may legally do with it depends on jurisdiction, the ownership of the target, and the applicable RF / computer-misuse / access-card-fraud regimes.
The standing rule for everything in Hack Tools/:
Own the hardware, or have written authorization. Sub-GHz TX power and frequency restrictions vary by region; jamming is illegal nearly everywhere. NFC/RFID cloning of access systems requires authorization. BadUSB use is computer-attack territory — only against owned hardware.
See ../_shared/legal_ethics.md.
8. What’s next
Vol 2 — Hardware. STM32WB55, power tree, every subsystem from the schematic up. Read with the Main PCB schematic open in another window (02-inputs/schematics/Flipper_MAIN_PCB_F7B9C6.pdf, mirrored to 03-outputs/schematics/).
If you’re reading this on a Flipper-already-in-hand and just want to do something: jump to Vol 3 for firmware install + first-boot checklist, then to whichever Vol 4–11 topic matches your first project. Vol 12 is the field cheatsheet — print it now, read the details later.