Card cloning/emulating with the Chameleon Mini

The Chameleon mini is smartcard emulator working in the 13.56Mhz frequency which is HF and has 8 virtual card slots of 8KB per slot. In the HF space we often find hotel cards, Mifare cards, iClass etc etc.

DISCLAIMER: Obtaining access to areas that you are not authorised is illegal!

As it is a very small piece of hardware it is convenient to carry during traveling and to test out hotel key cards. I can’t see myself using this in a professional environment (i.e physical security assessments) but it appeals more to the hobby side of things.

I’ve had the Chameleon Mini for a couple of years now but never got down to actually putting it into good usage as it was almost always pushed to the side from my Proxmark.   On top of that the lack of detailed documentation made it a bit hard for me to follow.  Some areas as still grey for me but this blog post serves as a depiction of my understanding and also for the reader to correct me in the areas I am wrong. 

This post will not go through the entire setup process or through all the available commands and it will serve as a starting point to begin fiddling with the Chameleon mini.

In the following examples i make the assumption that the authorisation for the cards is based solely on the UID. If we have a Mifare card which uses only the UID for authorisation we can use the Chameleon mini to read the UID and then store it into one of the slots. That UID can be replayed back to the reader from the Chameleon without the need for the actual card.

The UID is most commonly 4-7 bytes long. The Chameleon supports both lengths with either MF_CLASSIC_1K, MF_CLASSIC_4K, MF_CLASSIC_1K_7B and MF_CLASSIC_4K_7B but no need to bother with these at this stage.

Assuming that the setup is completed and we have access to the Chameleon interface we begin by putting the Chameleon to the reader mode with:

CONFIG=? 

101:OK WITH TEXT
NONE,MF_ULTRALIGHT,MF_ULTRALIGHT_EV1_80B,MF_ULTRALIGHT_EV1_164B,MF_CLASSIC_1K,MF_CLASSIC_1K_7B,MF_CLASSIC_4K,MF_CLASSIC_4K_7B,ISO14443A_SNIFF,ISO14443A_READER

CONFIG=ISO14443A_READER

100:OK

The first command will show the available configurations for the Chameleon mini and the second will put it into the reader mode.

The next command checks if the reader field is enabled or not. If the response is 0 that means the field is inactive and therefore we won’t be able to read the card so we need to enable it.

FIELD?

101:OK WITH TEXT
0

FIELD=1

100:OK

The first command will show the current status of the field and the second will enable it. I noticed that every couple of reads the field goes back to 0 and i needed to reenable it. I am not sure about this behaviour but i always enable the field when i need to read a card. To make sure i always notice it when the field is not enabled i have changed the behaviour or the red led to turn on when the field is active.

LEDRED=FIELD_DETECTED

The next step would be to identify what kind of card we have.  

IDENTIFY

MIFARE Classic 1k
ATQA: 0400
UID: D3D0A25B
SAK: 08

And then get the UID from the card although we can see if from the above output as well

GETUID

D3D0A25B

Assuming that the authorisation from the reader is done based on the UID we can clone the UID from the card to one of the slots and emulate the card.

SETTING?

101:OK WITH TEXT
1

The above command will show which slot is active, in my case slot 1.

Then we need to change the mode from reading to emulating. Since the card is a MIFARE Classic 1k with 4 bytes of UID we change the configuration to:

CONFIG=MF_CLASSIC_1K

100:OK

Then assign the UID to the slot and verify that it is saved.

UID=D3D0A25B

UID?

101:OK WITH TEXT

D3D0A25B

So at this stage the UID D3D0A25B is stored to slot 1.

If we have a second card we want to emulate we follow the same process of putting the Chameleon to the reader mode and dump the UID. Then we change to slot #2 or any other slot number between 1-8 that we want to save the UID. In my case i chose slot 2.

SETTING=2

100:OK

Then change the mode back to the MIFARE_CLASSIC_1K and change the UID to the UID of the second card.

The Chameleon mini has 2 buttons that can be customised to our needs. In essence, there are 4 buttons as both buttons have a short and long press functionality. The configurations available are:

LBUTTON – Left button

RBUTTON – Right button

LBUTTON_LONG – Left button long press

RBUTTON_LONG – Right button long press

Each of the above can be configured to perform and of the following:

NONE,UID_RANDOM,UID_LEFT_INCREMENT,UID_RIGHT_INCREMENT,UID_LEFT_DECREMENT,UID_RIGHT_DECREMENT,CYCLE_SETTINGS,STORE_MEM,RECALL_MEM,TOGGLE_FIELD,STORE_LOG,CLONE

A few selected ones are:

UID_RANDOM – Set a random UID of the current slot

UID_LEFT_INCREMENT – Increment the UID of the current slot using little-endian format

UID_RIGHT_INCREMENT – Increment the UID of the current slot using big-endian format

UID_LEFT_DECREMENT – Decrement the UID of the current slot using little-endian format

UID_RIGHT_DECREMENT – Decrement the UID of the current slot using big-endian

CYCLE_SETTINGS – Cycle through the slots

STORE_MEM – Stores the current setting into the permanent flash memory

TOGGLE_FIELD – Activates the reader field if it was deactivated and vice versa

The output below is from setting the RBUTTON to randomise the UID with RBUTTON=UID_RANDOM and pressing the button a few times producing random UIDs.

UID?
101:OK WITH TEXT
D3D0A25B

UID?
101:OK WITH TEXT
0E13DCD4

UID?
101:OK WITH TEXT
EE4A7F63

UID?
101:OK WITH TEXT
DF94B584

UID?
101:OK WITH TEXT
44C67D75

Now assuming you want to dump the entire contents of a MIFARE Ultralight card the Chameleon is able to pull that off. Here i am dumping the contents of 2 cards from the same establishment

DUMP_MFU

101:OK WITH TEXT
04612EC3327A598495480800BE07310CA7DA32D06C010A6703D614D2DD2449FC8D96E2A2E42E2CD1000000000000000000000000000000000000000000000000

DUMP_MFU

101:OK WITH TEXT

045EA674627D5980C6480800860AFE111FEEF15C705D7C6D250C516B5EFFF0685216678B397D81EF000000000000000000000000000000000000000000000000

 

One thing i noticed is that the GETUID command will return 7 bytes  and the DUMP_MFU command returns 8 bytes for the UID. Here is the output of the commands for comparison.

Card 1

DUMP _MFU  04 5E A6 74 62 7D 59 80 …

GETUID         04 5E A6 62 7D 59 80

Card 2 

DUMP_MFU  04 61 2E C3 32 7A 59 84 …

GETUID        04 61 2E 32 7A 59 84

So it seems that GETUID skips the 0x74 byte for the first card and the 0xC3 for the second card. I am not quite sure what causes this behaviour other than for checksum but comparing the results with the NFC Tools app for Android it seems that the correct UIDs are 04 5E A6 62 7D 59 80  for the first card and 04 61 2E 32 7A 59 84  for the second card so the GETUID command output is correct.

Now let’s say you want to have the Chameleon ready to sniff a card at any time. This is easy due to the fact that the Chameleon is battery operated therefore there is not need  for a laptop or other device.

1) CONFIG=ISO14443A_SNIFF

2) LOGMODE=MEMORY

3) LOGCLEAR

4) RBUTTON=CYCLE_SETTINGS

5) LBUTTON=STORE_LOG

 

Line 1 will put the Chameleon into the sniffer mode. Line 2 tells the Chameleon to store the logs into the SRAM and Line 3 to clear the previous current logs. The RBUTTON will cycle through the slots if pressed in order to be able to store multiple cards into other slots if needed. Lastly Line 5 will move the current logs from the volatile SRAM to the permanent FRAM and clear the SRAM. 

The dumps will be saved on the device and can be downloaded with the LOGDOWNLOAD command. In the references below i link a very useful article to help you with the steps. 

Thats all, if you have any comments/questions that i might be able to answer let me know on Twitter -> @sec_groundzero

 

References and credits:

CONFidence 2018: A 2018 practical guide to hacking RFID/NFC slides

CONFidence 2018: A 2018 practical guide to hacking RFID/NFC  video

ebfwe.pw  for the macOS setup

Documentation – Github Repo