19 SUBGHZ
Sub-GHz refers to radio frequencies below 1 GHz—common bands including 315 MHz, 433 MHz, 868 MHz (EU) and 902–928 MHz (US). This mode works with the CC1101 sub‑GHz radio module.
| Command | Description |
|---|---|
scan |
Scan supported bands and report RSSI peaks to find and pick the most active frequency |
sweep |
Sweep over a band; estimates activity + confidence per frequency |
sniff |
Raw frame sniffer at the current selected frequency (GDO0 async data) |
trace |
On‑device real‑time logic trace of GDO0 (oscilloscope‑style view on the screen) |
decode |
Analyze captured frames and guess encoding (pulse‑length / Manchester / PWM), bitrate, and possible protocol |
replay |
Record up to 64 raw frames and play them back |
bruteforce |
Transmit bruteforce sequences for 12 bit keys protocols (Nice/Came/Ansonic/Holtek/Linear/Chamberlain) |
jam |
Transmit random bursts at band or specific frequency, prompts for frequence hold time and burst gap |
load |
Load and select .sub files from the LittleFS storage |
listen |
Convert real-time RSSI variations from the SubGHz radio into audible tones (choose frequency and threshold) |
setfrequency |
Set the operating frequency (choose a band list or enter a Custom MHz value) |
config |
Interactive setup of SPI pins and GDO0, then initializes CC1101 |
- Emitting RF energy may be regulated or illegal in your jurisdiction without a license or outside ISM limits.
- Jamming can interfere with legitimate devices (alarms, remotes, sensors). Use only in controlled lab environments and ensure compliance with local laws.
- Keep output power and duty cycle minimal when testing. You are responsible for how you use these features.
Configure the CC1101 pins/params:
- CS (CSN, Chip Select)
- SCK / MISO / MOSI
- GDO0 (data pin)
- VCC 3.3v
- CC1101 Pinout
The load command can play back Sub-GHz files from the Flipper Sub-GHz DB.
-
Upload the file(s)
In the Web UI, open Files → LittleFS and drop your.subfiles. -
Load from the device
In SubGHz mode, run:load
- Pick a
.subfrom the list. - You can send frames by selecting the index.
- Pick a
-
Transmit
Auto-configure the CC1101 from the file’s metadata (frequency, preset, protocol).
If multiple frames are present, you can iterate and replay as needed.
- TI CC1101 modules are inexpensive and widely available.
-
scanandsweephelp discover active carriers;sweepgives a more nuanced confidence estimation by combining peak level and activity ratio. - A few kHz offset can degrade reception; fine‑tune around the discovered peak.
- To discover a device’s frequency: run
scan, repeatedly press the remote or listen the signal for a few seconds, then stop and pick the highest peak frequency. -
bruteforceis an adapted version from the Bruce firmware (https://github.com/pr3y/Bruce). -
listenuses the I2S pins for audio output, which are configured by default if a speaker is present on the device. - For better reliability, prefer USB Serial logging over Wi‑Fi (lower latency).
config # Configure SPI pins and GDO0, initialize CC1101
setfrequency # Choose a band or enter a custom MHz value
scan # Scan band and print RSSI peaks (press ENTER to stop)
sweep # Slow sweep with activity/confidence per frequency
sniff # Raw pulse capture at current freq (press ENTER to stop)
trace # Live logic trace of GDO0 on device screen
decode # Guess encoding/bitrate/protocol from a captured frame
replay # Record frames then replay them
bruteforce # Try fixed-code space for selected protocol (lab only)
jam # Choose a frequency/band and start jamming (lab only)
load # Load .sub files from LittleFS
listen # RSSI variation to audio tone
