██╗ ██╗ █████╗ ██████╗ ██████╗ ██╗ ██╗██╗ ██╗███████╗███████╗
██║ ██║██╔══██╗██╔══██╗██╔═══██╗██║ ██║██║ ██╔╝██╔════╝██╔════╝
███████║███████║██║ ██║██║ ██║██║ ██║█████╔╝ █████╗ █████╗
██╔══██║██╔══██║██║ ██║██║ ██║██║ ██║██╔═██╗ ██╔══╝ ██╔══╝
██║ ██║██║ ██║██████╔╝╚██████╔╝╚██████╔╝██║ ██╗███████╗███████╗
╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚══════╝
A password manager that looks like a fighting game.
HADOUKEE is a stealth password manager for Flipper Zero disguised as a Street Fighter mini-game. Your passwords are protected by fighting game combos - input the right moves and Ryu types your password via USB HID.
┌─────────────────────────────────────────┐
│ │
│ To the untrained eye: a game │
│ To you: military-grade crypto │
│ │
│ ╭─────╮ │
│ │ RYU │ ← ↓ → Back Center │
│ ╰──┬──╯ │
│ │ │
│ ▼ │
│ 🔥 HADOUKEN! 🔥 │
│ Password typed to PC │
│ │
└─────────────────────────────────────────┘
| Feature | Description |
|---|---|
| Combo Authentication | 6-move sequences act as your password |
| AES-256-GCM Encryption | Industry-standard authenticated encryption |
| USB HID Typing | Passwords typed directly - no clipboard exposure |
| Hardware Key Binding | Encrypted to YOUR Flipper's unique key slot |
| Plausible Deniability | Looks like a silly game to anyone watching |
| Multiple Stores | Separate .json files for different vaults |
INPUT MOVE CHAR
───── ──── ────
↑ SHORYUKEN 'U' ╭───╮
(uppercut) │ ↗ │ Rising dragon punch
╰───╯
↓ LOW KICK 'D' ___
(sweep) / \ Leg sweep
← LEFT PUNCH 'L' ●◄───
(jab) Quick jab
→ RIGHT PUNCH 'R' ───►●
(straight) Power cross
OK JUMP KICK 'C' /
(center) ● Flying kick
\
BACK ROUNDHOUSE 'B' ╭─●
(spin kick) ──╯ Spinning back kick
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
COMBO HADOUKEN! ~~~●))) ───► ⌨️
MATCH! (fireball) Password sent via USB
A 6-move combo like ↓ → ↓ → CENTER BACK becomes the string "DRDRCB" internally.
┌──────────────┐
Your Combo ───► │ SHA-256 │ ───► 32-byte Key
"DRDOB" └──────────────┘
│
▼
┌──────────────┐
Master Key ◄─── │ Flipper's │
(hardware) │ Key Slot 11 │
└──────────────┘
│
┌──────────────┴──────────────┐
▼ ▼
┌─────────────┐ ┌─────────────┐
│ AES-256 │ │ GCM │
│ Encrypt │ │ Auth │
└─────────────┘ └─────────────┘
│ │
└──────────────┬──────────────┘
▼
┌─────────────────┐
│ Stored as hex │
│ in .json file │
└─────────────────┘
Your combo isn't used directly. Instead:
- Combo → SHA-256 Hash - The 6-character combo string is hashed
- Hardware Master Key - Flipper's secure key slot 11 provides the master key
- Key Combination - Both are fed into AES-GCM as key + AAD (Additional Authenticated Data)
| Attack | Protection |
|---|---|
| Stolen .json file | Useless without the exact Flipper device |
| Shoulder surfing | Combo looks like game inputs |
| Brute force | 6^6 = 46,656 combos × hardware key = infeasible |
| Tampering | GCM authentication detects any modification |
{
"keys": [
{
"name": "Super Kungfu Attack",
"iv": "a1b2c3d4e5f6...",
"data": "encrypted_hex...",
"tag": "gcm_auth_tag..."
}
]
} 1. Launch app → Ryu appears on beach
2. Press OK → Lock into combo entry mode
3. Enter 6 moves → Your secret combo
4. Hold OK (2 sec) → Generate random password
- OR -
Hold DOWN (2 sec) → Enter password manually
5. Done! → Encrypted & saved
1. Launch app → Ryu appears
2. Enter your combo → Must match exactly
3. Fireball! → Password typed via USB
Hold LEFT to browse files and select different password stores.
┌─────────────┐
│ WELCOME │
└──────┬──────┘
│
├── OK ──────────────────┬─────────────────────────────┐
│ │ │
│ [has entries] [empty store]
│ │ │
│ ▼ │
│ ┌─────────────┐ │
│ │ MAIN SCREEN │◄──────────────────────┤
│ └──────┬──────┘ │
│ │ │
│ ┌──────────────┼──────────────┐ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ [D-pad moves] [OK+Back hold] [Back hold 3s] │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────┐ ┌───────────┐ ┌──────────┐ │
│ │ COMBO │ │ NEW ENTRY │ │ QUITTING │ │
│ │ CHECK │ └─────┬─────┘ └──────────┘ │
│ └────┬────┘ │ │
│ │ ▼ │
│ ┌────┴────┐ ┌─────────────┐ │
│ │ │ │ MODE SELECT │◄─────────────────────┘
│ ▼ ▼ └──────┬──────┘
│ MATCH NO MATCH │
│ │ │ ▼
│ ▼ ▼ ┌───────────────┐
│ ┌─────┐ ┌──────┐ │REGISTER COMBO │
│ │SEND │ │DEFEAT│ └───────┬───────┘
│ └─────┘ └──────┘ │
│ ┌─────┴─────┐
│ │ │
│ ▼ ▼
│ [combo exists] [success]
│ │ │
│ ▼ ▼
│ ┌─────────┐ ┌─────────┐
│ │ ERROR │ │ SUCCESS │
│ └─────────┘ └────┬────┘
│ │
└── > ──► [Create new store] ───┘
What it shows: Title screen with animated flames and HADOUKEE logo.
| Input | Action |
|---|---|
| OK | Load default store (hadoukee.json) |
| > | Create new store (hadoukee2.json, etc.) |
What it shows: Ryu in idle stance on beach with palm tree. Six dots at top indicate combo progress.
| Input | Action |
|---|---|
| ↑ | Shoryuken (uppercut) - adds 'U' to combo |
| ↓ | Low kick (sweep) - adds 'D' to combo |
| ← | Left punch (jab) - adds 'L' to combo |
| → | Right punch (straight) - adds 'R' to combo |
| OK | Jump kick - adds 'C' to combo |
| Back | Roundhouse - adds 'B' to combo |
| OK + Back (hold 2s) | Enter new password registration |
| Back (hold 3s) | Quit application |
What it shows: Password generation mode selection before registering a new combo.
| Mode | Description |
|---|---|
| FULL (20 chars) | All printable ASCII characters |
| SAFE (30 chars) | Letters only (keyboard-compatible) |
| Input | Action |
|---|---|
| ↑ | Toggle between FULL/SAFE mode |
| OK | Confirm mode and start combo entry |
| Back | Cancel and return |
What it shows: Combo registration screen. User must enter the same 6-move combo 3 times.
| Element | Meaning |
|---|---|
| Attempt X of 3 | Current verification attempt |
| Dots/Letters | Combo progress (filled = entered) |
| [FULL]/[SAFE] | Selected password mode |
| Input | Action |
|---|---|
| D-pad/OK/Back | Enter combo moves |
What it shows: Error when trying to register a combo that's already in use.
Behavior: Displays for 2 seconds, then returns to combo entry (step 1).
What it shows: Confirmation that a new password was generated and saved.
| Element | Meaning |
|---|---|
| Key #N | Index of the new entry |
| Name | Auto-generated Street Fighter-themed name |
Behavior: Auto-transitions to main game screen after ~3 seconds.
What it shows: Overlay when holding OK+Back to create a new password entry.
Behavior: Progress dots animate while holding. Releases after 2 seconds to enter registration.
What it shows: Overlay when holding Back to quit the application.
Behavior: Progress dots animate. App exits after 3 seconds of holding.
What it shows: Ryu throwing a fireball after a successful combo match. Progress bar shows typing progress.
| Element | Meaning |
|---|---|
| Progress bar | Password typing progress (0-100%) |
| #N: Name | Which entry is being sent |
| Fireball | Animated projectile traveling right |
Behavior: Password is typed via USB HID. Ryu celebrates with victory pose during smoke animation.
What it shows: Ryu defeated on the ground after an invalid combo.
Behavior: Displays "NO MATCH" with large X. Returns to idle after animation completes.
/ext/apps_data/hadoukee/
├── hadoukee.json # Default store
├── hadoukee2.json # Additional store
└── ...
# Install ufbt
pip install ufbt
# Clone and build
git clone https://github.com/YOUR_USERNAME/hadoukee.git
cd hadoukee
ufbtOutput: dist/hadoukee.fap
Download hadoukee.fap from the Releases page and copy to your Flipper's SD card:
/ext/apps/Tools/hadoukee.fap
- Sometimes the app crashes when generating a new pass
- The app can prompt the Quitting screen while generating
- Ryu looks like shit
- Add first layer authentication, maybe even encrypt the whole JSON first
- Expiration ? 30 min inactivity quits the app
- Import passwords and secure delete source
- Also note that the combo is perfectly readable from the JSON file. It is pretty useless without the content of enclave 11, and can actually be a password recovery feature, but for now, without first layer auth and expiration, I consider it a security issue.
Built for Flipper Zero. Inspired by the timeless art of throwing fireballs.
.---.
/ \
| () () |
\ ^ / "SHORYUKEN!"
|||||
|||||
Fight for your passwords.