This is NOT the official repository of ChameleonMini, a freely programmable portable tool for NFC security analysis that can emulate and clone contactless cards, read RFID tags, and sniff/log RF data. This repository brings support for the Chameleon Tiny.
Our Project is based on the open-source project ChameleonMini RevG by Kasper & Oswald. They also have their own Webshop.
- Information:
- Chameleon Tiny Site: Here
- Chameleon BLE API: Here
- Doxygen: Here
- Documentation (RfidResearchgroup):
- Source: Here
- Need to manually download and view
- Open Doc/Doxyfile and then in application
Show HTML Output
- Source: Here
- Documentation (emsec):
- Tools:
- Phone APP:
- Android: Chameleon
- The Android APP is currently NOT compatible with the official firmware
- IOS: ChameleonTiny Manager
- The IOS APP is currently NOT compatible with the official firmware
- Credit to bettse
- Password: e4g1
- Android: Chameleon
- Optional GUI (Winodws Only):
- Chameleon Firmware:
- Compile the latest firmware: Here
- Or use the precompiled: Here
- The Chameleon Mini REV.G version uses the same firmware for both the Mini with Bluetooth version and Tiny
- The hardware design of the RF part is exactly the same
- The hardware is also compatible with the official firmware of the KAOS brothers
- Compile the latest firmware: Here
- Terminal APP:
- Putty or similar APP
- DFU driver:
- The DFU driver comes from ATMEL's official LIBUSB driver library
- You can download it yourself or from the repo: Here
- DFU Programmer:
- Zip file from SourceForge: Here
- Phone APP:
- Resellers:
- Repository Structure:
- Doc: A folder for doxygen documentation
- Drivers: Chameleon drivers for Windows and Linux
- Dumps: Dumps of different smartcards
- Hardware: The layout and schematics of the PCB
- Firmware: The complete firmware including a modified Atmel DFU bootloader and LUFA
- Software: Contains a python tool for an easy configuration (and more) of the ChameleonMini
- WARNING: This is currently under construction
- RevE: Contains the entire contents of the discontinued RevE repository
- RevE-light: Contains our development files for the RevE-light
- WARNING: This is currently not supported / not functional
- Optional GUI (Windows Only)
- Terminal APP
- Firmware
- DFU Driver
- DFU Programmer
- Create a directory to work from
- Place the Chameleon firmware in the directory
- Unzip the DFU Programmer folder to the working directory
- If you are using the auto install on Windows, place ChameleonFirmwareUpgrade.bat in the working directory as well
Method 1: GUI (Windows Only)
-
Mini or Tiny:
- If it is a Chameleon Mini, ensure it is in the
OFF
position - Connect it via USB cable to your computer
- On the Mini, it may be a good idea to remove the battery before putting the device into
DFU
mode
- On the Mini, it may be a good idea to remove the battery before putting the device into
- Under the
Settings
tab, Send theUpgrade
command while the Chameleon is connected- This only puts the Chameleon in
DFU
mode - It does NOT start installing the firmware at all
- This only puts the Chameleon in
- Chameleon should now be in
DFU
mode
- If it is a Chameleon Mini, ensure it is in the
-
Further information:
Method 2: CLI
-
Mini:
- With the Chameleon in the
OFF
state, press and hold the black (Rev E) or yellow (Rev G) button near the USB while inserting it into the USB port- It may be a good idea to remove the battery before putting the device into
DFU
mode
- It may be a good idea to remove the battery before putting the device into
- Use your favorite terminal application to connect to it. Type
upgrade
and hitEnter
- This only puts the Chameleon in
DFU
mode - It does NOT start installing the firmware at all
- This only puts the Chameleon in
- Chameleon should now be in
DFU
mode
- With the Chameleon in the
-
Tiny:
- Press and hold the B button while inserting it into the USB port
- Use your favorite terminal application to connect to it. Type
upgrade
and hitEnter
- This only puts the Chameleon in
DFU
mode - It does NOT start installing the firmware at all
- This only puts the Chameleon in
- Chameleon should now be in
DFU
mode
Windows
- Mini or Tiny:
- Download the drivers from the repo
- Ensure you have connected your Chameleon and that it is in
DFU
mode - You should have an unknow USB device in device manager
- Update the device with the driver files from the repo
- You should now have an 'ATxmega*' device
Method 1: Automatic (Windows Only)
- Mini or Tiny:
- If you haven't already, place ChameleonFirmwareUpgrade.bat in your working directory with your firmware and other tools
- Ensure Chameleon is in
DFU
mode - Run the
ChameleonFirmwareUpgrade.bat
file AS ADMIN to automatically start the firmware upgrade - It usually takes 2 - 5 seconds
- After the progress bar is complete, the firmware upgrade is complete
Method 2: Manual
- Optional GUI
- Terminal APP
- Phone APP
- Firmware
- Press any button on the Mini and the white battery light should come
ON
- You can now connect via Bluetooth
- Open the APP again and click
Connect
to automatically connect the Chameleon
- In the
Device Information
column, pressBLE CMD Version
5 times - On the
OTA upgrade
page, clickAuto Upgrade
- The APP will immediately start to upgrade to the latest Bluetooth firmware that comes with it
- The APP will automatically exit after the upgrade is complete
-
Tools:
- Optional GUI
- Terminal APP
- Phone APP
-
Connect to the Chameleon Mini or Tiny using the APP
- Connect via USB or Bluetooth
- Note:
- Both the Chameleon Mini and Tiny support direct connection to the mobile phone USB port
- For the Mini, an additional OTG adapter needs to be purchased
- Tiny uses its own dual-headed TYPE-C data cable to connect directly to TYPE-C mobile phones
- Chameleon Mini has built-in Bluetooth BLE4.0. Press any button to wake up Bluetooth
- Turn Bluetooth
ON
on your phone and the APP will automatically connect
- Both the Chameleon Mini and Tiny support direct connection to the mobile phone USB port
- After connecting, click on a single card slot and select
MF_DETECTION_1K
orMF_DETECTION_4K
in theCard Slot
mode - This card slot will now have the
Detection
mode turnedON
- Write the original card number in the
UID Card Number
column- If you don't know the UID number, you can fill in it at will
- Then click the
Clear
button below to clear the last detection record
- Take the Chameleon to the access control reader and swipe it across
- The key and access traces are recorded by the Chameleon when you swipe
- Connect back to the mobile phone and press the
Crack
button - After a few seconds, the APP will automatically solve and list the results, as shown in the figure below:
- The list shows which blocks the read head just visited, and what password was used for each access
- Click the
History
button. The APP will automatically list the keys separately and save them for other software to use - If your mobile phone comes with an NFC function, you can put the original key directly on the mobile phone
- The APP will automatically use the key in the list to read the entire card, and after it is successful, it will automatically save the entire card data file on the mobile phone
- Note:
- Multiple red LEDs are on at the same time during detection, which means the memory is full, just clear the memory.
- Use QQ to send the card data file to the mobile phone QQ
- Or connect the mobile phone to the computer and transfer the file to any directory on the mobile phone
- Open the APP and click the
Dump
column - Click the
Scanner
in the plus sign in the upper right corner - Click the three horizontal line buttons in the upper left corner and select this phone
- Select the root directory of the QQ receiving file or the previously copied directory, and click
Allow Access
- All card data files will be automatically scanned into the
Dump
file interface, which can be uploaded or edited at will - Click the card data file in the
Dump
column below, and clickUpload
below to upload to the card slot corresponding to the Chameleon
- Click the button
UID Changeable (GEN1a)
in the APP or directly send the commandUIDMODE = 1
to turn itON
UIDMODE = 0
to turn itOFF
- After the UID mode is turned
ON
, the card simulated by Chameleon will become a GEN1a card- Commonly known as a UID card or Chinese magic card
- The current card slot takes effect
- Click the
SAK Mode
button in the APP or directly send the commandSAKMODE = 1
to turn itON
SAKMODE = 0
to turn itOFF
- After the
SAK Mode
is turnedON
, the card will feedback the real SAK value when it is found - The SAK value is determined by the 0 sector, 0 block, and the position is the position of the sixth byte immediately after the UID number
- If the
SAK Mode
is not turned on, the SAK is a fixed value of 08, and 0 blocks of data are ignored- This function is useful when special SAK values cannot be used normally after being copied
- This achieves better compatibility
- The current card slot takes effect
Option | Type | Length of UID | Memory Size |
---|---|---|---|
MF_classic_1K 4B/7B | M1 S50 | 4 Byte / 7 Byte | 1024 byte |
MF_classic_4K 4B/7B | M1 S70 | 4 Byte / 7 Byte | 4096 byte |
MF_classic_mini_4B | M1 mini S20 | 4 Byte / 7 Byte | 320 byte |
MF_ultralight_C | M0 ultralight | 7 Byte | 192 byte |
MF_ultralight_EV1_80B | M0 ultralight | 7 Byte | 80 byte |
MF_ultralight_EV1_164B | M0 ultralight | 7 Byte | 164 byte |
Vicinity | - | 8 Byte | 8192 byte |
SL2S2002 | - | 8 Byte | 8192 byte |
TITAGITSTANDARD | - | 8 Byte | 44 byte |
EM4233 | - | 8 Byte | 208 byte |
Option | Ability | Cracking Type | APP Supported |
---|---|---|---|
MF_DETECTION_1K | Detecting reader to obtain keys | MFKEY32V2 | List results directly |
MF_DETECTION_4K | Detecting reader to obtain keys | MFKEY32V2 | List results directly |
ISO14443A_READER | Reader Mode | - | Display UID |
ISO14443A_SNIFF | Sniffing | - | Not supported |
ISO15693_SNIFF | Sniffing | - | Supported |
Option names | Description |
---|---|
NONE | Set this button to have no function |
UID_RANDOM | Randomly generated UID number in the current card slot after pressing |
UID_LEFT_INCREMENT | After pressing, the highest byte of the UID number plus one (hexadecimal) |
UID_RIGHT_INCREMENT | After pressing the lowest byte of the UID number plus one (hexadecimal) |
UID_LEFT_DECREMENT | After pressing, the highest byte of the UID number is reduced by one (hexadecimal) |
UID_RIGHT_DECREMENT | After pressing, the lowest byte of the UID number is reduced by one (hexadecimal) |
CYCLE_SETTINGS | Card slot number sequence will increase after pressing |
CYCLE_SETTINGS_DEC | Card slot number sequence decreases after pressing |
STORE_MEM | Immediately after pressing, the current card data in the temporary buffer is overwritten into the memory |
RECALL_MEM | Immediately after pressing, the current card data in the memory is overwritten into the temporary buffer (Can be used to quickly restore card data) |
TOGGLE_FIELD | Click once to turn off the antenna and click again to turn on the antenna function |
STORE_LOG | Write the log data in the temporary cache to the memory, which can be saved even when power is off |
CLEAR_LOG | Clear log data immediately after pressing |
CLONE | Read the UID card number immediately after pressing, continue searching, and simulate immediately after reading the card |
CLONE_MFU | Clones a Mifare Ultralight card that is in the range of the antenna to the current slot, which is then accordingly configured to emulate it |
- Any time you connect USB, it will automatically start charging
- The Mini will have a white light while the Tiny will have a red light over the USB port to indicate if it is charging
- Charging method: Plug in the USB at any time and start charging immediately
- Battery type: LIR2032H replaceable lithium-ion rechargeable battery
- Charging time: 2 hours @ 0-100%
- Charging current: 40mA
- Start-up current: 38mA
- Card reading current: 65mA
- Sleep current: 5uA (9uA-MAX)
- Battery capacity: 70mAh
- Duration: Swipe the card 3 times a day for 5 seconds each time, and it can be used for one year on a single charge
- Sleeping time: Fully charged, it can be left for two years when it is turned off and sleeping
- Port type:
- Mini: MicroUSB
- Tiny: Type-C
- If the memory is full during dense flow detection, multiple red LEDs will be abnormally lit
- When the power is
OFF
, press any button once to turnON
the Bluetooth power, and at the same time, display the current power with a white LED - With the Bluetooth in the
ON
state, click any button to turnOFF
the Bluetooth power, the power LED goes out, and the system sleeps - Bluetooth will sleep automatically after no operation for 15 seconds
- Press any button once to shut down immediately
- With the Bluetooth in the
ON
state, double click any button- Or in the
OFF
state, triple click any button times to turnON
the Chameleon
- Or in the
- The red LED lights up to indicate the slot number
- Chameleon will automatically sleep and shut down after no operation for 5 seconds
- Section A1: Here
- Chameleon Mini: Here
- ChameleonMini RevG In Lab Demo / Technical Explanation of Command Line Interface
- Mifare Reader Attack: Sniffing, Cracking, Emulation, Open! LAB401 Academy - CHAMELEON MINI Tutorial
- How to use the new Proxgrind Chameleon Tiny and Mini with the APP
- With the Chameleon in the
OFF
state, press theA button
once to turnON
the Chameleon power - The red LED lights up to indicate the slot number
- Chameleon will automatically sleep and shut down after no operation for 5 seconds
- This can be adjusted in the APP
- Section A1: Here
Same as the Mini?
- How to use the new Proxgrind Chameleon Tiny and Mini with the APP
- ChameleonTiny 8 Prox in1 & Sniff - Crack RFID ~ NFC ~ UID
- Chameleontiny pro -Standalone clone of a MIFARE 1K UID
- | Rev.G Official by KAOS | Rev.E Old Rdv2.0 by ProxGrind | Rev.G by ProxGrind | Rev.G Tiny by ProxGrind |
---|---|---|---|---|
Simulation | Good performance, has blind area | Poor compatibility | Perfect performance | no blind area |
As a reader | 1-2cm for white tag | 0cm for keyfob | × | 5-6cm for white tag |
Read current | 170mA | × | 65mA | 60mA |
BLE nrf52832 | × | × | √ | × |
Li-ion battery | √ | × | √ | √ |
Battery indicator | × | × | √ | × |
Low power sleep | × | × | √ | √ |
RF field wakeup | × | √ | √ | √ |
Button wakeup | × | √ | √ | √ |
Auto power off | × | √ | √ | √ |
Official firmware compatible | √ | √ | √ | √ |
Replaceable Antenna | × | × | √ | × |
MFKEY32 crack | × | √ | √ | √ |
8 LED for slot | × | √ | √ | √ |
Android APP | × | × | √ | √ |
Firmware anti lost | × | × | √ | × |
Rev.G Official By KAOS | Rev.E old RDV2.0 By PROXGRIND | Rev.G new RDV2.0 By PROXGRIND | M1 white tag | |
---|---|---|---|---|
122U r/w full data | 1-2 sector only | Smooth | Smooth | Smooth |
122U Range | 61mm | 41mm | 73mm | 71mm |
PM3 r/w full data | 1-2 sector only | Smooth | Smooth | Smooth |
PM3 Range | 57mm | 74mm | 88mm | 89mm |
Phone NFC r/w full data | No | Smooth | Smooth | Smooth |
Phone NFC Range | 25mm | 18mm | 33mm | 32mm |
Magic back door | By default | No | Dual mode | No |
SAK ATQA Support | No | No | Modifiable | No |
Command | Effect Range | Description |
---|---|---|
UIDMODE? | All slot | Returns the configuration of the all slot |
UIDMODE=? | All slot | Returns a list of all supported configurations |
UIDMODE=[0;1] | All slot | Activates(1),deactivates(0),the magic card mode(It will has Chinese magic card back door) |
SAKMODE? | Current slot | Returns the configuration of the current slot |
SAKMODE=? | Current slot | Returns a list of all supported configurations |
SAKMODE=[0;1] | Current slot | Activates(1),deactivates(0),the real SAK ATQA mode (the SAK ATQA will be mapped from block 0) |
CONFIG=MF_DETECTION_1K | Current slot | Set current slot to detection 1K mode. |
CONFIG=MF_DETECTION_4K | Current slot | Set current slot to detection 4K mode. |
DETECTION=0 | Device | Clears the detection log memory |
DETECTION? | Device | Wait for an XModem connection and then downloads the binary detection log data. |
- Instruction Sheet: Here
- emsec: Here
- AndreasBujok/ChameleonMini
- emsec: Here
Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note |
---|---|---|---|---|---|
Non13.56MHz | No | No | No | ||
Mifare Ultralight | ISO14443A/106 kbit/s | Support | Support | Support | |
Mifare Ultralight Ev1 | ISO14443A/106 kbit/s | Support | Support | Support | |
MifareClassic1K/4K 4B/7B | ISO14443A/106 kbit/s | Support | Support | Support | |
Mifare DESFire | ISO14443A High Rate | Supports low rates, or possibly higher rates | Only supported Low rate | No | |
Mifare DESFire EV1 | ISO14443A High rate | Supports low rates, or possibly higher rates | Only supported Low rate | No | Backward compatible |
Mifare DESFire EV2 | ISO14443A High rate | Supports low rates, or possibly higher rates | Only supported | Low rate | No |
Mifare PLUS | ISO14443A High rate | Supports low rates, or possibly higher rates | Only supported Low rate | No | |
Sniff Mode NTAG | ISO14443A 106 kbit/s | Support | Support | No | |
LEGIC prime | LEGICprime/ ISO14443A/ ISO15693 | Possible but not supported | Possible but not supported | No | |
HID iCLASS | 125kHz/ISO15693/ISO14443B | Possible but not supported | Possible but not supported | No | |
Epass | ISO14443A/B | Supported / Supported | Low rate only / not supported | No | |
TiTagIT Standard | ISO15693 | Support | Support | Support | |
EM4233 | ISO15693 | Support | Support | Support |
Encoding type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note |
---|---|---|---|---|
Non-13.56MHz | Not Supported | Not Supported | Not Supported | |
ISO 14443 A 106 kbit/s | Reader -> card Direction sniffing | Maybe support the other direction | Currently only supported Reader -> card Direction sniffing | |
ISO 15693 | Support | Support | Support | Single subcarrier only |
Card type | Encoding type | Whether the hardware stand by | Whether the software stand by | Whether the application layer supports | Note |
---|---|---|---|---|---|
Non13.56MHz | Not Supported | Not Supported | Not Supported | ||
Mifare Ultralight | ISO14443A 106 kbit/s | Support | Support | SupportCommand: dump_mfu | |
MifareClassic1K/4K 4B/7B | ISO14443A 106 kbit/s | Support | Support | Not Supported | No card reading instruction, encryption function has been implemented |
- Iceman
- Philippe Teuwen
- Willok
- DXL
- ProxGrind aka Olaf