Zigbee/Z-wave capacity?

Can the Flipper communicate with Zigbee or Z-Wave devices? It would be very useful if it could act as a button/switch to allow it to be used to open doors/locks that are in those ecosystems.

1 Like

As long as it is sub-GHz there is no chance of getting Zigbee or Z-Wave. Both are in the 2.4GHz band.

1 Like

No, they’re not (not just 2.4 GHz; they also have a sub-GHz range)… Z-Wave is 908.42 MHz, and Zigbee is 915 MHz in the US; other regions have similar frequencies.

2 Likes

Zigbee, in domotic applications, uses 2.4 GHz.

Since Flipper has Bluetooth, which operates at 2.4 GHz, can Zigbee be implemented using the same hardware?

3 Likes

I make Z-Wave devices. Z-Wave operates at 908.4 MHz in the US and should be detectable using the Flipper Zero.

Z-Wave specifically operates in the 800-900 MHz range and does not operate in any GHz bands.

How do I go about enabling this specific band on the device?

3 Likes

Thanks, IDK why people keep posting wrong info here when the correct info is available…

At a minimum, it looks like the Flipper can snoop and duplicate a signal, so it should be possible for it to clone an output from a Z-Wave button or something like that. I would be interested to learn more about the implementation of actual Z-Wave/Zigbee communication with it though, as it would make a pretty cool home automation remote.

1 Like

Yeah, I’m not sure either. It’s fairly easy to look up the operating frequencies for Z-Wave.

I have been trying to get the Flipper to properly detect any of the Z-Wave communication that is going on around me. It doesn’t. I cannot seem to detect 908.4 MHz no matter what I do. Placing the Flipper Zero near any Z-Wave device or controller shows nothing. (I may be doing something wrong though.)

  • I have used the frequency analyzer next to a Z-Wave device and it does not show anything.
  • Using the Read or Read Raw functions does not allow me to select 908 MHz. I can select 868.35 MHz, but that is the EU Z-Wave band and not the US band.

I want to be able to read raw packets coming from devices or detect devices broadcasting using Z-Wave (so that I can track down particularly noisy devices). I plan to build a GPIO module to expand on Z-Wave functionality, but I would really like to not have to hook in a Z-Wave co-processor to make this happen.

Thoughts?

Digging around the datasheet for the CC1101 it does say

The circuit is mainly intended for the ISM (Industrial, Scientific and Medical) and SRD (Short Range Device) frequency bands at 315, 433, 868, and 915 MHz, but can easily be programmed for operation at other frequencies in the 300-348 MHz, 387-464 MHz and 779-928 MHz bands.

This tells me that we can configure the Flipper Zero to work with 908.4 MHz, but it requires some changes to be made. I am not sure what these changes are yet. I will continue my research and let you know what I find.
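As an added example (not from this thread or from the Flipper firmware), here is how the CC1101 derives its carrier from the FREQ2/FREQ1/FREQ0 registers, with a check against the datasheet bands quoted above, so you can see that 908.42 MHz is inside the 779-928 MHz band while 2.4 GHz Zigbee is not; it assumes the 26 MHz reference crystal the datasheet formula is based on.

```python
# Added example: CC1101 carrier-frequency programming and band check.
# Assumes a 26 MHz reference crystal (the CC1101 datasheet default); the
# synthesizer formula is f_carrier = (f_xosc / 2**16) * FREQ[23:0].

XOSC_HZ = 26_000_000               # assumed crystal frequency
FREQ_STEP_HZ = XOSC_HZ / 2**16     # ~396.7 Hz per LSB of the 24-bit FREQ word

# Programmable bands from the datasheet excerpt quoted in the thread (MHz).
CC1101_BANDS_MHZ = ((300, 348), (387, 464), (779, 928))


def in_cc1101_band(freq_hz: float) -> bool:
    """True if the carrier lies inside one of the CC1101's programmable bands."""
    mhz = freq_hz / 1e6
    return any(lo <= mhz <= hi for lo, hi in CC1101_BANDS_MHZ)


def freq_to_regs(freq_hz: float) -> tuple[int, int, int]:
    """Split the nearest 24-bit FREQ word into (FREQ2, FREQ1, FREQ0) bytes."""
    if not in_cc1101_band(freq_hz):
        raise ValueError(f"{freq_hz / 1e6:.3f} MHz is outside the CC1101 bands")
    word = round(freq_hz / FREQ_STEP_HZ)
    if not 0 <= word < 2**24:
        raise ValueError("FREQ word does not fit in 24 bits")
    return (word >> 16) & 0xFF, (word >> 8) & 0xFF, word & 0xFF


def regs_to_freq(freq2: int, freq1: int, freq0: int) -> float:
    """Inverse: the carrier (Hz) the chip actually synthesises from the bytes."""
    word = (freq2 << 16) | (freq1 << 8) | freq0
    return word * FREQ_STEP_HZ


if __name__ == "__main__":
    targets = (("US Z-Wave", 908.42e6), ("EU Z-Wave", 868.42e6),
               ("Zigbee ch. 11", 2.405e9))
    for label, f in targets:
        if not in_cc1101_band(f):
            print(f"{label}: {f / 1e6:.2f} MHz is outside the CC1101 bands")
            continue
        regs = freq_to_regs(f)
        actual = regs_to_freq(*regs)
        print(f"{label}: FREQ2/1/0 = {regs[0]:#04x} {regs[1]:#04x} {regs[2]:#04x}"
              f" -> {actual / 1e6:.6f} MHz (error {actual - f:+.1f} Hz)")
```

The rounding error is at most half a step (about 198 Hz), far below the FSK deviation Z-Wave uses, so the frequency itself is not what blocks reception; the modulation and data rate still have to match.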

First of all, the STM32WB55 MCU that we use DOES support Zigbee.

However, you’ll need to change the radio stack to the Zigbee one, and it’ll probably not fit inside the 1 MB of flash the MCU has, so you’ll have to remove functionality.

This has NOTHING to do with the CC1101 chip!

1 Like

Damn, and I was going to start using my Flipper to investigate some Zigbee devices next, too.

So Zigbee is technically feasible, but not realistically so. Bleh - that sucks, but I guess we can’t get everything.

1 Like

Zigbee is not Z-Wave. They operate on very different frequencies. Can you read what I have written and provide me with some information on working with Z-Wave?

Thanks!

PS. I write firmware for Z-Wave devices. Getting this to work with US Z-Wave (908.4 MHz) frequencies would be hugely beneficial for my work. If you want me to move this discussion to a dedicated Z-Wave thread, I’m happy to.

1 Like

Maybe it’s possible to make something…
I have tested Z-Attack with an RfCat with a Texas Instruments CC1101, like the Flipper Zero, and I had the possibility to intercept and send commands between unsecured devices on a Z-Wave network.

Here is an application to check vulnerabilities: GitHub - CNK2100/VFuzz-public
Here is the project: GitHub - advens/Z-Attack: Z-Wave Packet Interception and Injection Tool
Here is more information about this: Z-Shave. Exploiting Z-Wave downgrade attacks | Pen Test Partners

2 Likes

I don’t know much about how Z-Wave works under the hood, but Zigbee I understand a little better. I would not really want to reprogram the “radio stack” on my Flipper to do Zigbee. It would not be easy to switch back and forth, if we could do that at all. I wouldn’t mind adding a Zigbee radio via GPIO if that is possible. There is at least one Zigbee chip that can also handle Matter©, so that module could be a 2fer.

1 Like

Any update? I have a few Z-Wave devices and a Flipper and would love to assist if you need any help.

1 Like

I tried Z-Wave+ (EU) devices (868.42 MHz): the Flipper can capture raw signals (there are really short spikes), but playing them does not work.

So I am also interested if someone had any luck with it.

I understand enough about Z-Wave and Zigbee to say a simple replay attack “should not work”.** Key sniffing seems more viable to me. Both use encryption to prevent replay attacks.

** There was at least one bad implementation of Zigbee out there that allowed replay. Encryption usually prevents a replay by including a little piece of encrypted information that changes. Researchers found an implementation of Zigbee that wasn’t correctly verifying the extra data. Replay might be a valid attack on some product due to negligence. A lot of cheap IoT devices may have cut corners, so this might be a valid attack.

Zigbee is mostly mesh; Z-Wave is not. Also, the frequency is mostly 2.4 GHz for Zigbee but mostly 8xx-9xx for Z-Wave devices. Early versions of both have some flaws, but recent devices should have some AES-128 encryption implemented and be somewhat safer. The pro for 2.4 GHz is bigger potential bandwidth, whereas Z-Wave at 9xx is sorta limited to 100 kbit/s ish?

Very old devices do have some issues where some vendors have devices that just ignore encryption keys, but that is device specific.

The pros for sub-GHz are potential wider range, so depending on what they need to do I guess they are equally good/bad in most situations, but they can have interference from other wireless communications: the sub-GHz could be nerfed by other loud microphones or constant variable data streams, whereas Zigbee overlaps with WiFi and BT.

But they are not the same thing, except both start with the letter Z.

Most of my Z-Wave devices are using S2 security, but I still like to test this and verify. I do have a few Zigbee devices but prefer Z-Wave as there is no interference. Happy to help test, and I have the WiFi dev board.

I was able to add 908.42 MHz for manual scanning, but the modulation is not currently supported on the Flipper Zero. See z-wave physical layer | zwave PHY layer basics. Modulation is either FSK or GFSK depending on data rate.

Now we are starting to see Thread devices in 2.4 GHz hit the market with Matter©.