Hardware: LilyGo T-Embed CC1101
- Introduction
- History
- Flashing the Firmware
- Installing Launcher
- Navigation Guide
- SD Card Setup
- Flipper Zero Compatibility
- Configuration (nautilus.json)
- Applications
- Tips and Tricks
- Troubleshooting
Nautilus is a custom firmware for the LilyGo T-Embed CC1101 that brings Flipper Zero-like functionality to your device. It supports:
- Sub-GHz radio transmission/reception (300-928 MHz)
- Infrared capture and playback
- NFC tag reading (13.56 MHz)
- WiFi scanning and analysis
- Portal captive portal for security testing
- File management with SD card support
- LED control (WS2812)
- Audio playback
Nautilus was originally conceived as an extension of the LilyGo T-Embed CC1101 Factory Test firmware. I had tried using several popular firmwares for this device, and was not satisfied with the user interfaces nor the technical capabilities. In contrast, I thought the Factory Test was modern and aesthetically pleasing. I wanted to learn the deep details of working with the CC1101 transceiver at a low level, and this device seemed like a great one to expand my ESP32 skills beyond the M5Stack devices I've spent most of my time working on. As I got more comfortable and confident, I tried to build firmware to turn this into a device I really wanted to carry with me. Where possible, I analyzed Momentum-Firmware for the Flipper Zero to ensure files are cross-compatible. The larger Flipper Zero community has also done some great analysis of RF signals, and of course I'm also familiar with older groundbreaking work from the SDR community, such as argilo/secplus. Inspired by those, I've created some thoughtful reimplementations of a few key SubGHz protocols that I encounter most often. Most of these required several hours of research and experimentation with tools like HackRF One + Universal Radio Hacker.
Like most of my projects, this started out as a personal challenge to myself just to see if I could do it. Perhaps you'll like it as much as I do.
-
Visit the web flasher:
- Navigate to: nautilus.h-i-r.net
- Or use: https://bmorcelli.github.io/Launcher/webflasher.html
-
Put device in bootloader mode (if flashing fails):
- Hold the BOOT button (center of encoder)
- While holding BOOT, press and release the RESET button (back of device)
- Release the BOOT button
- Device is now in bootloader mode
-
Connect and flash:
- Click "Connect Device" in the web browser
- Select your device's COM port
- Click "Flash Firmware"
- Wait for completion (2-5 minutes)
-
Reboot:
- After flashing completes, press the RESET button on the back of the device
If the device won't enter flash mode automatically:
- Symptom: Web flasher or PlatformIO can't detect device
- Solution: Manually enter bootloader mode:
- 1️⃣ Press and hold BOOT button (don't release)
- 2️⃣ Press and release RESET button
- 3️⃣ Release BOOT button
- Verify: Device should now be detected by flasher
The Launcher allows you to switch between multiple firmware images stored on your SD card without reflashing.
- Visit: https://bmorcelli.github.io/Launcher/webflasher.html
- Put device in bootloader mode (if needed - see above)
- Flash the Launcher firmware to your device
Download nautilus.bin from the link on the Nautilus Web Flasher page
- Insert SD card into computer
- (Optional) Create a folder for firmware files:
/firmware/(if it doesn't exist) - Copy
nautilus.binto the appropriate folder on your SD card - Eject SD card and insert into device
- Power on device with Launcher firmware
- Navigate to Apps menu
- Select nautilus.bin
- Device will boot into Nautilus firmware
| Control | Function |
|---|---|
| Rotary Encoder | Scroll through menus and options |
| Encoder Press | Select highlighted item |
| User Button (top side) | Back / Sleep device |
- Location: Top-left corner of most screens
- Function: Navigate back to previous screen
- Access: Scroll to it with encoder, then press
- Location: Physical button on top edge of device
- Functions:
- Single press: Go back one screen
- Long press: Sleep device
- Press during sleep: Wake device
Many items support long-press for additional options:
- Sub-GHz files: Long-press to Rename/Delete
- IR buttons: Long-press to Edit/Delete
- Remote files: Long-press for context menu
- Signal transmission: Long-press to continuously transmit
When entering text (e.g., naming files, setting frequencies):
- Encoder rotation: Move cursor between characters
- Encoder press: Select character
- Navigate to OK: Press encoder to confirm
- Navigate to Cancel: Press encoder to abort
Keyboard tips:
- Special characters available via character selection
- Use encoder to quickly navigate
- Look for "Shift" button to toggle uppercase
- Type: microSD card
- Size: Up to 32GB (FAT32 formatted)
- Recommended brand: SanDisk
- Note: Some cards may not work - use SanDisk for best compatibility
After first boot, Nautilus creates these folders:
/
├── nautilus.json # Main configuration file
├── ir/ # Infrared signal files (.ir)
├── rf/ # Sub-GHz signal files (.sub)
├── sgremotes/ # Sub-GHz remote definitions (.txt)
├── nfc/ # NFC tag dumps
├── remotes/ # IR remote definitions
├── portal/ # Captive portal files
│ ├── index.html # Custom portal page (optional)
│ ├── post.html # Post-login page (optional)
│ └── creds.txt # Captured credentials (auto-created)
├── music/ # Audio files for playback
Note: The SD card should always mounted during normal operation.
- Navigate to SD Card app from main menu
- Browse folders and files
- Supported actions:
- View
.txtfiles - Play
.mp3audio files - Navigate directories
- View
- Unmount the SD Card from the SD Card screen
- Remove SD card
- Remain in the SD Card screen while card is removed for best results
- Re-insert into device
- Mount SD card
SD Card may also be safely be removed and reinserted while in deep sleep mode (long-press user button)
Nautilus is designed for Flipper Zero file format compatibility.
Nautilus can create, read and transmit Flipper Zero .sub files.
Compatible protocols:
- Princeton
- CAME
- Security+ v1.0 (garage door openers)
- Security+ v2.0 (garage door openers)
- BinRAW (raw captures)
Example .sub file format:
Filetype: Flipper SubGhz Key File
Version: 1
Frequency: 315000000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: Princeton
Bit: 24
Key: 00 00 00 00 00 45 AB CD
Where to get files:
- Capture signals using Nautilus Record feature
- Download from Flipper Zero repositories
- Copy from your Flipper Zero's SD card (
/subghz/)
Nautilus supports Flipper Zero .ir file format.
Example .ir file format:
Filetype: IR signals file
Version: 1
#
name: Power
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 9357 4487 621 531 625 532 622...
#
name: Volume_Up
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 9298 4529 662 482 665 485...
Where to get files:
- Capture IR signals using Nautilus IR Capture
- Download from Flipper Zero IR database
- Copy from Flipper Zero SD card (
/infrared/)
From Flipper Zero to Nautilus:
- Remove SD card from Flipper Zero
- Copy
.subfiles from/subghz/to Nautilus/rf/ - Copy
.irfiles from/infrared/to Nautilus/ir/ - Insert SD card into Nautilus device
From Nautilus to Flipper Zero:
- Remove SD card from Nautilus
- Copy
.subfiles from/rf/to Flipper/subghz/ - Copy
.irfiles from/ir/to Flipper/infrared/ - Insert SD card into Flipper Zero
The nautilus.json file stores all device settings.
/nautilus.json (root of SD card)
{
"version": "1.0",
"ws2812": {
"color": 65280,
"brightness": 1,
"mode": 0
},
"wifi": {
"ssid": "",
"password": "",
"portal": {
"ssid": "Nautilus WiFi"
}
},
"subghz": {
"custom_frequencies": [],
"mod": "am650",
"raw": {
"last_frequency": 315
},
"scan": {
"thresh": -60,
"type": "custom",
"range": "300-928"
}
},
"display": {
"rotation": 3,
"theme": 0
},
"audio": {
"volume": 8
}
}"ws2812": {
"color": 65280, // RGB color (0-16777215)
"brightness": 1, // 0-255
"mode": 0 // Animation mode
}"wifi": {
"ssid": "MyNetwork", // WiFi network name
"password": "MyPassword", // WiFi password
"portal": {
"ssid": "Free WiFi" // Portal hotspot name
}
}"subghz": {
"custom_frequencies": [315000000, 433920000], // Custom freq list (Hz)
"mod": "am650", // Modulation: am650, am270, fm238, fm476
"raw": {
"last_frequency": 315 // Last used freq (MHz)
},
"scan": {
"thresh": -60, // RSSI threshold (dBm)
"type": "custom", // single, band, custom
"range": "300-928" // Frequency range
}
}Modulation options:
am650- AM (OOK) 650kHz bandwidtham270- AM (OOK) 270kHz bandwidthfm238- FM 238kHz deviationfm476- FM 476kHz deviation
"display": {
"rotation": 3, // Screen rotation (0-3)
"theme": 0 // 0=Dark, 1=Light
}"audio": {
"volume": 8 // 0-21 (higher = louder)
}- Remove SD card from device
- Insert into computer
- Edit
nautilus.jsonwith text editor - Validate JSON syntax (use jsonlint.com)
- Save and eject SD card
- Re-insert into device and reboot
Transmit and receive radio signals in the 300-928 MHz range.
- Navigate to Sub-G > Record Raw
- Select frequency (or use last frequency)
- Press encoder to start recording
- Trigger the remote you want to capture
- Press encoder to stop recording
- Signal saved automatically to
/rf/capture_N.sub
- Navigate to Sub-G > Scan/Record
- Configure scan settings:
- Modulation: AM270 / AM650 / FM238 / FM476 (press to cycle through them)
- Frequency Mode: Single / Range / Custom
- RSSI Threshold: -40 to -80 dBm (more negative = more sensitive; -80 captures weak signals, -40 requires stronger or closer transmissions)
- Press Start Scan
- Stop scanning and select "Save" to write the most recently identified signal to a .sub file
- if Auto is selected, all detected signals are automatically saved
Tip: For best results detecting unknown signals:
- Use Range mode (e.g., 300-348 MHz)
- Set threshold to -60 dBm
- Try scanning multiple times in the same frequency range
- Navigate to Sub-G > Playback
- Shows files and folders in
/rf/folder - Select a
.subfile - Single press encoder: Preview signal details
- Press and hold encoder: Transmit signal
- Keep holding: Continuous transmission (for protocols that need it)
Tips:
- Long-pressing is required for some garage door openers and gate systems.
- Supported rolling codes can be incremented and decremented for testing
Create custom remote controls with multiple buttons.
- Navigate to Sub-G > Remotes
- Select existing remote or create new
- Add buttons:
- Select "(New Button)"
- Browse to
.subfile - Enter button name
- Use remote:
- Select button
- Press encoder to transmit once
- Long-press to continuously transmit
Add your own frequencies for scanning/recording.
- Navigate to Sub-G > Custom Frequencies
- Select "(Add Frequency)"
- Enter frequency in MHz (e.g., 315.00)
- Frequency added to custom list
- Available in frequency selectors
Useful frequencies:
- 315 MHz - US garage doors, car remotes
- 433.92 MHz - EU remotes, sensors
- 868 MHz - EU alarm systems
- 915 MHz - US ISM band
Capture and replay infrared remote control signals.
Universal TV power-off transmitter.
- Navigate to Infrared > TV-B-Gone
- Select region: Americas or Europe/Middle East/Africa
- Press encoder to start transmission
- Aim at TV (within 5 meters)
- Cycles through all known TV power codes
- Press encoder to stop
Tip: IR transmitter is on opposite end of the screen from the encoder dial. Point directly at TV sensor for best results.
Create custom multi-button remotes.
- Navigate to Infrared > Remotes
- Create new remote or edit existing
- Add buttons:
- Capture new signal or select from file
- Name the button (e.g., "Power", "Vol+")
- Use remote:
- Select button from list
- Press to transmit
- Long-press for context menu (Edit/Delete/Test)
Read and interact with 13.56 MHz RFID/NFC tags. Very basic support only at this time.
Supported tag types:
- Mifare Classic (1K, 4K)
- NTAG (203, 213, 215, 216)
- Other ISO14443A tags
Not supported:
- 125kHz low-frequency cards
- CPU cards / EMV credit cards
- Encrypted cards (Mifare DESFire, etc.)
- Navigate to NFC > Read Tag
- Place tag on side of device (NFC antenna is next to the screen opposite the user/back button))
- Wait for detection
- Tag information displayed:
- UID
- Tag type
- Memory size
- NDEF data (if present)
Tip: UI will freeze until an NFC tag is detected or will time out in 15 seconds
- Read tag (see above)
- Select "Save" option
- Enter filename
- Tag data saved to
/nfc/folder
Note: NFC writing is not yet supported.
- Select a saved tag from the NFC (Beta) screen.
- Select the "Details" button to examine NDEF records.
Scan and analyze WiFi networks.
- Navigate to WiFi > Scanner
- Press encoder to start scan
- View detected networks:
- SSID
- Signal strength (RSSI)
- Channel
- Encryption type
- Select network: View details
Detect WiFi deauthentication attacks.
- Navigate to WiFi > Deauth Hunter
- Select threshold for # of packets to trigger the alarm and calibrate the RSSI meter. -20 dBm is usually good.
- Press start
- Deauth attacks are shown in real-time
- Press the pause button to lock the channel and stop the alarm
- Use the RSSI meter to help you find the source of the signal
Use case: Detect WiFi jamming attacks
Detect rogue access points (PineAP/WiFi Pineapple).
- Navigate to WiFi > PineAP Hunter
- Select threshold for # of SSIDs on a single access point (recommend 3 or 5), and calibrate the RSSI meter.
- Start scan. Green light shines while scanning. UI will be unresponsive while lit up.
- Multiple scans are required to make a positive pineapple identification. Alarm will sound.
- Suspicious BSSIDs highlighted
- Select a BSSID to stop the alarm, view SSIDs and RSSI meter.
- Use the RSSI meter to help you find the source of the signal.
WARNING: For authorized security testing only (pentests, CTFs, education).
Create a WiFi captive portal.
- Navigate to Portal from main menu
- Portal SSID shown (configured in
nautilus.json) - Press Start Portal
- Device creates WiFi hotspot
- Credentials saved to
/portal/creds.txt
- While portal running, navigate to View Data
- Credentials displayed on screen
- Also accessible at:
http://172.0.0.1/creds
- Create
/portal/index.htmland/portal/post.htmlon SD card - Design your own HTML form (login page, survey, announcements, etc)
- POST form data to
/postendpoint - All form variables will be stored in
/portal/post.json - Users will be redirected to
/portal/post.html
Example HTML:
<form method="POST" action="/post">
<input name="email" placeholder="Email">
<input name="password" type="password" placeholder="Password">
<button type="submit">Login</button>
</form>- Navigate back in Portal menu
- Select Stop Portal
- WiFi hotspot disabled
Option 1: Edit SSID Directly
- Select "Edit" button on the Nautilus Portal screen
- Use On-Screen Keyboard to change the SSID
Your new SSID will be saved to Nautilus.json
Option 2:
Edit nautilus.json:
"wifi": {
"portal": {
"ssid": "Coffee Shop Free WiFi"
}
}Authorization Required: Only use in:
- Authorized penetration tests
- CTF competitions
- Security education/research
- With explicit permission
Browse and manage files on SD card.
- Navigate to SD Card from main menu
- Browse folders
- File actions:
- Text files (.txt/.html/.json): View contents
- Audio files (.mp3): Play audio
- SubGHz files (.sub): Jump to SubGHz app with file pre-loaded
- Navigate folders: Select to enter
- Long-press for context menu
- Navigate to Battery from main menu
- View battery status:
- State of charge (%)
- Voltage
- Current
- Temperature
- Charging status
- Time remaining
- Navigate to WS2812 from main menu
- Adjust settings:
- Color wheel: Select RGB color
- Brightness: 0-255
- Mode: Animation patterns
Changes saved to nautilus.json.
- Navigate to Settings from main menu
- Configure:
- Screen rotation: 0-3 (90° increments)
- Theme: Dark / Light
- SD card info
Long-press to transmit:
- Most Sub-GHz remotes (garage doors, gates) require long-press
- Hold encoder while transmitting
- Release to stop transmission
Try receiving multiple times:
- If a signal shows as "RAW" protocol:
- Capture the same signal 2-3 times
- This helps protocol detection
- System learns pattern recognition
Frequency selection:
- US: 315 MHz, 390 MHz, 915 MHz
- EU: 433.92 MHz, 868 MHz
- General: Try 315 and 433.92 first
RSSI threshold:
- -40 dBm: Very strong signals only (close range)
- -60 dBm: Balanced (recommended)
- -80 dBm: Very sensitive (may pick up noise)
Capture distance:
- Hold remote 5-15 cm from device
- Point at top edge (IR receiver location)
- Avoid bright sunlight interference
Tag placement:
- Place card on side of device (antenna is next to SD card slot)
- Hold steady for 1-2 seconds
Reading problems:
- Remove phone case if using phone NFC
- Try different positions near NFC antenna
- Some metal cases block NFC
Save battery:
- Lower WS2812 LED brightness
- Long-press user button to sleep
SD card:
- Use SanDisk brand for reliability
- Format as FAT32
- Max size: 32GB
- Back up important files regularly
Encoder tips:
- Rotate slowly for precise control
- Quick rotation for fast scrolling
- Press firmly to select
Symptoms:
- "SD card not found" error
- Files not appearing
Solutions:
- Try a different SD card (SanDisk recommended)
- Reformat card as FAT32
- Use 32GB or smaller capacity
- Check card is fully inserted
- Reboot device after inserting card
Symptoms:
- Web flasher can't connect
- Upload timeout errors
Solutions:
- Enter bootloader mode manually (see Flashing section)
- Try different USB cable (use data cable, not charge-only)
- Try different USB port
- Close other serial programs (Arduino IDE, etc.)
- Restart computer
Symptoms:
- Device powers on but screen black
Solutions:
- Press RESET button on back of device
- Check battery is charged
- Connect USB power
- Try entering bootloader mode and reflashing
Symptoms:
- Files load but nothing transmits
Solutions:
- Check frequency matches your region
- Verify
.subfile format is correct - Try long-pressing encoder (required for some protocols)
- Check antenna connection
Symptoms:
- Tags not detected
Solutions:
- Place tag directly over antenna (next to SD card slot)
- Hold tag steady for 2+ seconds
- Verify tag type is supported (Mifare Classic, NTAG)
- Try different tag
- Check PN532 is initialized (main menu shows NFC option)
Symptoms:
- Signals captured but won't control devices
Solutions:
- Point directly at device IR sensor
- Try from closer distance (1-2 meters)
- Use long-press for volume/channel controls
- Verify frequency is 38kHz (most common)
- Some devices use uncommon protocols
Symptoms:
- Settings reset after reboot
Solutions:
- Verify
nautilus.jsonexists on SD card - Check JSON syntax (use jsonlint.com)
- Ensure SD card is not write-protected
- Format SD card and try again
Symptoms:
- Portal won't create hotspot
Solutions:
- Check
nautilus.jsonhas portal SSID configured - Verify
/portal/folder exists on SD card - Disconnect from any WiFi networks first
- Reboot device and try again
Sub-GHz and IR transmission:
- Ensure compliance with local RF regulations
- Do not interfere with emergency or licensed frequencies
- Use responsibly and legally
Portal feature:
- For authorized security testing only
- Requires explicit permission
- Educational and defensive use only
NFC:
- Do not clone access cards without authorization
- Respect privacy and security policies
Nautilus Firmware:
- Based on LilyGo T-Embed-CC1101 factory firmware
- Flipper Zero protocol implementations
- Community contributions and beta testers
Hardware:
- LilyGo T-Embed CC1101
- ESP32-S3 microcontroller
- CC1101 Sub-GHz transceiver
- PN532 NFC module
Document Version: 1.0 Last Updated: 2025-12-24