The Flipper Zero ecosystem has grown to become a large community hardware hacking research toolkit. However, certain regions are unable to obtain the Flipper Zero directly, making it out-of-reach or very expensive through resellers and scalpers.
It is well known that no one can "clone" the Flipper Zero for the same price point due to the economies of scale. This is mentioned by the creator on Reddit: https://www.reddit.com/r/flipperzero/comments/vwtbm8/is_the_hardware_open_source/
In addition, while the schematic is open source, the exact Gerber manufacturing files are not. By the same reasoning, we also don't see exact clones of other products such as the Raspberry Pi, due to the barrier of replicating the design and the manufacturing economies of scale.
Although other hobbyists have attempted to clone the Flipper Zero, those attempts did not align with my goal because they require custom PCB assembly. It does not make sense to replicate it 1-for-1 using the same components, as that will definitely be more expensive at low quantities.
Other hobbyists base their projects on different platforms such as the ESP32 or Pi Pico. This obviously departs from the goal, since such a device is not compatible with the original firmware/ecosystem.
Therefore, I will introduce my "FCFZ" project. My goal is to make a Fully Compatible version of the Flipper Zero, using as few specialised processes and as many off-the-shelf hobby modules as possible. I will explain the drawbacks of off-the-shelf modules as well. Importantly though, the device must be compatible with the official firmware, including the OTA updater and the mobile app.
Lastly before we begin, the design files will not be published for legal reasons. Do support the creators by buying the original device.
The Flipper Zero is a powerful tool intended for educational and professional use. This project aims to understand the engineering efforts and design choices behind the electronics of the Flipper Zero. Readers are to abide by all applicable laws and ethical guidelines when utilizing such devices.
Main Components:
Let us first understand the main components. Thanks to the open-source nature of the project, the schematics are all open-sourced. However, take note that there are no Gerber files.
We first need to identify the main IC chips:
Wow, what a long list. There is no doubt that the Flipper Zero is professionally made. As I plan to use off-the-shelf components, let's go through the possible compromises.
Compromises:
Firstly, there are many power filtering components, ESD protection diodes and passive elements that keep the system stable. Unfortunately, for the sake of accessibility, all of these will have to go.
The LP5562 LED driver is pretty expensive, so we will remove the LED too. Goodbye rechargeable battery. Goodbye ESD protection. We are on a tight budget.
Also to save some trouble with the BLE Antenna circuit, we can use the STM32WB5MMG or the NUCLEO-WB55RG.
The Sub-1GHz Antenna Multiplexer is a clever design that switches the antenna matching circuit between 315MHz, 433MHz and 868MHz. Sadly, we will drop it as well, and I can live with my sub-1GHz range becoming sub-optimal.
There is also a logic gate/capacitor circuit that implements the Reset button combination. While not expensive, I will remove it too for ease of prototyping and use a physical Reset button instead.
The logic gate/capacitor circuit is what implements this function: "If your Flipper Zero freezes and fails to respond to button presses, reboot the device by pressing and holding the LEFT and BACK buttons for 5 seconds."
Breadboard Prototype:
Prior to the design, I needed a proof-of-concept that the firmware would be interoperable. I found a compatible LCD display module and did testing with several module kits.
I used the STM32WB5MM-DK Development Board and uploaded the official Flipper Zero firmware with the STM32CubeProgrammer. Here we realize that the proof-of-concept is promising: the firmware runs without any fuss!
After assessing the functionality of the circuit, we can come up with the minimal BOM.
For the LCD display, it is a ST7565-compatible display with 128x64 pixels. I bought a white-on-blue and a black-on-white display to check out the difference.
I used KiCad to form the schematic.
And also the PCB design.
The final product is expected to look like this 3D render.
The PCB is designed to be soldered manually as far as possible. The only real challenge is the STM32WB5MMG module, which has no larger alternative.
I decided to use SMT assembly for this. However, it is possible to solder it by hand if you have access to a hot air station, for example at a university lab.
This is what the PCB looks like for the SMT assembly. The rest of the through-hole (THT) components are unpopulated. I will solder them manually.
We will be flashing the firmware next, so I soldered the USB-C port and the buttons first, so that we can enter bootloader mode on the STM32.
For flashing, hold down the "OK" button, which is also wired to the PH3/BOOT0 pin, and plug in the USB to enter USB bootloader mode.
The completed soldering looks like this. We will connect the modules onto the header pins later on.
I first used the official qFlipper app to attempt to install the firmware. The app detected the device, however it failed to flash. After debugging from the command line, I saw the full error output as follows:
$ ./qFlipper-x86_64-1.3.3.AppImage cli -d 2
2 [CLI] Performing full firmware update...
2 [CLI] Waiting for devices...
137 [REG] Detected new device: VID_0x483:PID_0xdf11
151 [DBG] Device is not idle, resetting...
198 [DBG] Device reported transfer size: 1024
201 [DBG] Bytes uploaded: 32 100%
201 [DBG] Upload has finished.
202 [DBG] Illegal character in the device name
203 [REG] Device initialization failed: Failed to read device factory information
203 [CLI] An error has occurred: BackendError::InvalidDevice. Exiting.
The error corresponds to this line in the source code:
It appears that qFlipper checks for OTPData in the STM32WB Option Byte. In the source code, we see that the OTP address of 0x1FFF7000 is checked:
I borrowed a real Flipper Zero and dumped out the OTP Address 0x1FFF7000. We see that some information is burned in such as some region configurations and the character name of the device.
Warning: Flashing the OTP data (One-Time-Programmable) data is permanent and irreversible.
So for my own device, I have to generate the OTP data. The following script is found in the official firmware repo:
This is an example of how to generate the OTP data into a file:
$ cd flipperzero-firmware/scripts
$ ./otp.py generate --version $((0x0c)) --firmware $((0x07)) --body $((0x09)) --connect $((0x06)) --display "mgg" --color "transparent" --region "world" --name "Lopito" myotp
2024-08-02 11:37:13,181 [INFO] Generating OTP
2024-08-02 11:37:13,181 [INFO] Generated files: myotp_first.bin and myotp_second.bin
Next, you can flash it like so:
# PREPARE
$ cat myotp_first.bin myotp_second.bin > myotp.bin
# FLASH
$ STM32_Programmer_CLI -c port=USB1 reset=HWrst -d myotp.bin 0x1FFF7000
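To make the two halves of the procedure above concrete, here is an added example (my own illustration, not the official otp.py from the firmware repo and not qFlipper's code) that packs an OTP-style factory record, splits it into "first" and "second" 16-byte blocks like the script does, and then reads it back with the kind of validation that produced the "Illegal character in the device name" error on a blank chip. The field layout, magic value, enumerations and function names are all assumptions made for this example; the real format lives in the firmware repo.

```python
import string
import struct

# Hypothetical OTP layout chosen for this example only (NOT the official format).
OTP_MAGIC = 0xBABE          # assumed marker value
OTP_VERSION = 2             # assumed layout version
BLOCK_SIZE = 16             # the procedure flashes two halves: myotp_first.bin and myotp_second.bin
FIRST_FMT = "<HBBBBBB"      # magic, version, reserved, hw version, firmware, body, connect
SECOND_FMT = "<BBB8s"       # display, color, region, 8-byte device name
NAME_MAX = 8
NAME_ALPHABET = frozenset((string.ascii_letters + string.digits).encode())

# Assumed enumerations, matching the option names used on the command line above.
COLORS = {"unknown": 0, "black": 1, "white": 2, "transparent": 3}
REGIONS = {"unknown": 0, "eu_ru": 1, "us_ca_au": 2, "jp": 3, "world": 4}
DISPLAYS = {"unknown": 0, "erc": 1, "mgg": 2}


def valid_name(raw: bytes) -> bool:
    """A device name is 1..8 alphanumeric ASCII bytes; 0xFF (erased OTP) is never legal."""
    return 0 < len(raw) <= NAME_MAX and all(b in NAME_ALPHABET for b in raw)


def _pad(block: bytes) -> bytes:
    """Pad to a full block with 0xFF, the erased state of unprogrammed OTP bits."""
    return block + b"\xff" * (BLOCK_SIZE - len(block))


def generate_otp(version, firmware, body, connect, display, color, region, name):
    """Return (first, second), the two 16-byte blocks that would be concatenated and flashed."""
    raw = name.encode("ascii")
    if not valid_name(raw):
        raise ValueError("device name must be 1..8 alphanumeric ASCII characters")
    first = struct.pack(FIRST_FMT, OTP_MAGIC, OTP_VERSION, 0, version, firmware, body, connect)
    second = struct.pack(SECOND_FMT, DISPLAYS[display], COLORS[color], REGIONS[region], raw)
    return _pad(first), _pad(second)


def is_blank(blob: bytes) -> bool:
    """An OTP area nobody has programmed yet reads back as all 0xFF."""
    return all(b == 0xFF for b in blob)


def read_factory_info(blob: bytes) -> dict:
    """Parse a 32-byte OTP dump; raise ValueError with a qFlipper-style message on failure."""
    if len(blob) != 2 * BLOCK_SIZE:
        raise ValueError(f"expected {2 * BLOCK_SIZE} bytes, got {len(blob)}")
    first, second = blob[:BLOCK_SIZE], blob[BLOCK_SIZE:]
    magic, ver, _reserved, hw, fw, body, connect = struct.unpack_from(FIRST_FMT, first)
    display, color, region, raw_name = struct.unpack_from(SECOND_FMT, second)
    # The name check is what fails first on a fresh chip: the bytes are 0xFF, not ASCII.
    raw_name = raw_name.rstrip(b"\x00")
    if not valid_name(raw_name):
        raise ValueError("Illegal character in the device name")
    if magic != OTP_MAGIC or ver != OTP_VERSION:
        raise ValueError(f"Unexpected OTP header: magic=0x{magic:04x} version={ver}")
    by_code = lambda table, code: next((k for k, v in table.items() if v == code), "unknown")
    return {
        "version": hw, "firmware": fw, "body": body, "connect": connect,
        "display": by_code(DISPLAYS, display), "color": by_code(COLORS, color),
        "region": by_code(REGIONS, region), "name": raw_name.decode("ascii"),
    }


def describe(blob: bytes) -> str:
    """One-line verdict, the way a CLI would report it."""
    try:
        info = read_factory_info(blob)
    except ValueError as exc:
        return f"Failed to read device factory information: {exc}"
    return (f"ok name={info['name']} color={info['color']} "
            f"region={info['region']} display={info['display']}")


if __name__ == "__main__":
    first, second = generate_otp(0x0C, 0x07, 0x09, 0x06, "mgg", "transparent", "world", "Lopito")
    print(describe(first + second))       # programmed record round-trips
    print(describe(b"\xff" * 32))         # what a fresh STM32WB reads back as
```

Reading the blank case through `describe` reproduces the sequence in the qFlipper log above: the name bytes are rejected before any other field is trusted, and the caller reports that factory information could not be read.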
Flashing Main Firmware
Now try again with qFlipper, and we see it successfully detect the device and update it.
After the update process was successful, the device booted up and we can also see the character name we have chosen.
The details are shown on the qFlipper app, like so. Of course, since we have no battery controller installed, the boot up screen shows an error regarding the battery.
I installed the firmware on another board too, with the different colour screen.
This is a comparison of the white LCD and the blue LCD. The Flipper was designed for black text on a light background, so the blue LCD will appear to show negative-tone images.
Using the white screen, it may be possible to replicate the original Flipper display by DIY replacing the backlight (replace white LED to orange LED).
----------------------------------------------------------------------------------
We are now done with the manufacturing of the device. Let's do some real-life testing!
From the first impressions above, the miscellaneous items (push buttons, LCD display, buzzer, vibration sensor, SD card) are all proven to be working. In the following parts, we will go through the major features of the Flipper Zero.
[Infrared]
This video demos the cloning of an IR signal from a remote control.
Interestingly, as the sensor is not enclosed in a proper IR casing, it sometimes picks up some interference from my camera (my phone uses an infrared light for the camera auto-focus sensor).
The IR playback works quite well.
When I launched the NFC function, I was met with this error.
This was when I realized that I had bought the wrong NFC chip. I was supposed to buy the X-NUCLEO-NFC06A1, which uses the ST25R3916. However, that board is now obsolete and no longer produced (NRND).
I bought the recommended replacement, the X-NUCLEO-NFC08A1, which uses the ST25R3916B, without much thought as to whether there are any differences.
By enabling the Flipper CLI logging, it turned out that the chip identities differ, which causes this part of the code to fail.
Indeed following the datasheet, we see there is a different 5-bit identifier for ST25R3916 and ST25R3916B.
As a workaround, I made the following changes in the source code ./lib/drivers/st25r3916_reg.h
and recompiled it.
Thankfully, the different NFC chips have the same functionality for our purposes. After using the modified firmware, the NFC module works quite nicely on many targets too.
This software workaround was only because I bought the X-NUCLEO-NFC08A1 (ST25R3916B) instead of the X-NUCLEO-NFC06A1 (ST25R3916).
It appears that the correct replacement for the ST25R3916 is the ST25R3918, as the chip IDs are exactly the same too.
I will try sourcing the ST25R3918 in an update to the project.
[Sub-GHz]
It is also able to detect and replay a car key fob on 433 MHz.
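The identity mismatch above comes down to how the driver compares the chip's identity register. As an added example (my own code, not the Flipper firmware's st25r3916 driver), the block below decodes the register into its 5-bit IC type and 3-bit revision fields, shows the strict single-chip check that rejected the ST25R3916B board beside a relaxed check that accepts a table of known chips, and runs both against constructed register values. The type codes for the two chips are placeholders assumed for this example; take the real values from the ST25R3916 and ST25R3916B datasheets, as the text above does.

```python
from typing import Callable, Optional

# Register layout for this chip family: upper 5 bits = IC type, lower 3 bits = silicon revision.
IC_TYPE_SHIFT = 3
IC_TYPE_MASK = 0x1F << IC_TYPE_SHIFT    # 0xF8
IC_REV_MASK = 0x07

# ASSUMED placeholder type codes for this example; verify against the datasheets.
IC_TYPE_ST25R3916 = 0b00101
IC_TYPE_ST25R3916B = 0b00110

# Chips this firmware build is willing to drive (the "relaxed" policy).
KNOWN_IC_TYPES = {
    IC_TYPE_ST25R3916: "ST25R3916",
    IC_TYPE_ST25R3916B: "ST25R3916B",
}


def split_identity(reg: int) -> tuple:
    """Return (ic_type, ic_rev) from a raw IC_IDENTITY register byte."""
    return (reg & IC_TYPE_MASK) >> IC_TYPE_SHIFT, reg & IC_REV_MASK


def strict_check(reg: int) -> bool:
    """Original-style check: only the exact ST25R3916 type code passes."""
    return (reg & IC_TYPE_MASK) == (IC_TYPE_ST25R3916 << IC_TYPE_SHIFT)


def relaxed_check(reg: int) -> Optional[str]:
    """Workaround-style check: return the chip name if the type is in the known table."""
    ic_type, _ = split_identity(reg)
    return KNOWN_IC_TYPES.get(ic_type)


def identify(reg: int) -> str:
    """Human-readable description of whatever answered on the SPI bus."""
    ic_type, ic_rev = split_identity(reg)
    name = KNOWN_IC_TYPES.get(ic_type, f"unknown(type=0b{ic_type:05b})")
    return f"{name} rev {ic_rev}"


def init_nfc_chip(read_identity: Callable[[], int], strict: bool = True) -> dict:
    """Simulate driver bring-up: read the identity register and decide whether to proceed."""
    reg = read_identity()
    if strict:
        ok = strict_check(reg)
    else:
        ok = relaxed_check(reg) is not None
    return {"raw": reg, "chip": identify(reg), "ok": ok}


def make_reg(ic_type: int, ic_rev: int) -> int:
    """Build a register byte from its fields (used here to construct sample chips)."""
    return ((ic_type << IC_TYPE_SHIFT) & IC_TYPE_MASK) | (ic_rev & IC_REV_MASK)


# Constructed sample devices: the chip the firmware expects, the one that was bought,
# and a bus with nothing connected (reads back all ones).
SAMPLE_CHIPS = {
    "NFC06A1 (ST25R3916)": lambda: make_reg(IC_TYPE_ST25R3916, 0),
    "NFC08A1 (ST25R3916B)": lambda: make_reg(IC_TYPE_ST25R3916B, 2),
    "nothing on the bus": lambda: 0xFF,
}


if __name__ == "__main__":
    for label, reader in SAMPLE_CHIPS.items():
        before = init_nfc_chip(reader, strict=True)
        after = init_nfc_chip(reader, strict=False)
        print(f"{label:24s} reads 0x{before['raw']:02X} -> {before['chip']:22s} "
              f"strict={'ok' if before['ok'] else 'FAIL'} relaxed={'ok' if after['ok'] else 'FAIL'}")
```

The relaxed table still rejects an empty bus (0xFF decodes to an unlisted type), so the workaround widens the accepted set without turning off the sanity check entirely; that is the property to keep when editing a header like the one named above.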
Note that since the RF multiplexer was omitted, you must swap out separate CC1101 Sub-GHz modules if you want to use 315MHz, 433MHz or 868MHz respectively.
Bad USB functionality also worked properly without issues.
The official mobile app is fully compatible too. We are able to pair and do remote controls.
I was also able to download Flipper apps from store.
I also soldered the ESP8266 Deauther Module to the GPIO Expansion Port and was able to do WiFi tasks.
The FAP file can be downloaded from here:
The secure enclave keys are programmed at the Flipper Zero factory and are not known to the public. The keys are used for KeeLoq MF codes and the U2F (Universal 2nd Factor) token. Unfortunately, there is no workaround for this.
As of writing, the iButton and 125kHz-RFID board connections had some mistakes on my end, and I was unable to interface with them. I will address this in a future project update. However, I am glad the majority of the project went through smoothly.
Ending off, let's check the overall cost of production...
The PCB Assembly consists of all surface mount components. The majority of the cost is to the STM32WB5MMG module, along with some small passive components. With a minimum order quantity of 5 pieces, the final cost including delivery is $140.
This is a summary price breakdown (in US$) and is inclusive of shipping.
- PCB Assembly with STM32WB5MMG module: $140 / 5pcs = $28
- ST7567 LCD Module: $5
- CC1101 Wireless Transceiver: $4
- Vibration Motor Module: $1
- Push Buttons: $0.5
- Passive Buzzer: $0.5
- SD Card Module: $1
- IR Transmitter & Receiver Modules: $2
- 125kHz RFID Module: $3
- 13.56MHz RFID/NFC Module [X-NUCLEO-NFC08A1]: $45
Overall, each "FCFZ" device can be made within $90. This is a pretty reasonable price. Of course, take note that the circuit performance has limitations & compromises as discussed above. Another big downside is the reduced portability.
This is a summary of limitations so far:
- There is no built-in rechargeable battery
- It is 2-3 times larger than the original Flipper Zero
- Separate CC1101 Sub-GHz modules must be used to switch between 315MHz, 433MHz or 868MHz
- iButton and 125kHz-RFID functionality is not completed (yet)
- U2F security keys are unavailable
To conclude, this has been a great achievement in order to prove that such a compatible device can exist at a reasonable production price. Indeed, the Flipper Zero community has grown really big in terms of software support and I hope this "FCFZ" project will showcase its potential hardware modularity as well.