Chamele-o-nization
Returning to the worlds of NFC
and RFID, I recently got my hands on the Chameleon Ultra, and naturally, here
we are to review it and compare it a bit with my old Chameleon Mini (RevE)
RDV2.0 Rebooted from Proxgrind. This article will discuss both devices,
touching on their origins, physical aspects, and technical specs. Let’s get
started!
A bit of history
The Chameleon is not a device
that was created overnight. Kasper Oswald was the person who started it all.
Back in 2006, he created a contraption, a coffee cup that emulated a tag in a
very rudimentary way, known as the «Coffee Cup Tag Emulator.» This
was the father, or rather the great-great-grandfather, of the Chameleon family.
In 2007, he created the
«Fake Tag.» We won’t go into details about each prototype, just
mention them to show the device’s evolution.
In 2010, the original Chameleon
was created, resembling a bit more what we have today.
In 2013, the first Chameleon Mini
was released. The RevD.
From there, the Chameleon Mini
RevE came out in 2014, followed by the RevE Rebooted, RevF, RevG (which had
Bluetooth), Chameleon Tiny, and Chameleon Lite, leading up to the Chameleon
Ultra and the Chameleon Ultra Dev Kit. As you can see, the chameleon is an
animal that adapts and evolves.
In this article, we will focus on
the Chameleon Mini RevE Rebooted and the Chameleon Ultra simply because those
are the ones I own.
Let’s look at some photos to get
familiar with them and differentiate them. It’s worth mentioning that the size
of the Chameleon Ultra has significantly reduced compared to the Chameleon
Mini; it barely measures 4 cm and is available in various colors (black, blue,
and white).
|
|
Hardware changes and technical specifications
The Chameleon Mini RevE connects via USB with a micro-USB cable, whereas
the Chameleon Ultra uses a USB-C connector and also supports Bluetooth BLE 5.0.
The Chameleon Mini only supports NFC (13.56Mhz), while the Chameleon
Ultra supports both NFC and 125Khz RFID.
The Chameleon Mini had 8 slots for NFC storage, while the Chameleon Ultra
has 8 dual-frequency slots, meaning you can store an NFC tag and an RFID tag in
each, effectively 16 memory slots (8hf and 8lf).
The Mini version is powered by a CR-2032 battery, while the Chameleon
Ultra features a 90mAh internal battery that, thanks to its low power
consumption, can last for months depending on usage. The RevE’s battery lasted
quite well, but it’s a problem when you discover it’s drained just when you
urgently need the device. So, having an internal battery is another big
advantage.
Another major change is the chips used. Originally, the Chameleon Mini
used the ATxmega128A4U chip, but it was later replaced with the ATxmega32A4U
chip (16MHz, 32kb flash, 1kb EEPROM), which is the one found in the Chameleon
Mini RevE. Meanwhile, the Ultra version uses the nRF52840 chip. Why the change?
Developers argue that it’s not only a cheaper chip but also supports Bluetooth
BLE 5.0, has 256kb RAM, 64MHz clock speed, consumes very little energy, and
offers much better emulation performance and faster response. Previously, they
were limited by the SPI protocol clock speed. In short, all advantages — and
apparently they discovered this chip almost accidentally. Very curious…
For reading and writing, the Chameleon Ultra uses the MFRC522 chip, which
supports a greater variety of tag types than its predecessor.
Summarizing the features of each device. Chameleon Mini RevE features
are:
- Firmware
support for ISO14443A codec (emulation and reading) - NFC
13.56 MHz emulation for Mifare Classic 1K/4K, Ultralight/C (4- and 7-byte UIDs) - 8-bit
AVR Processor (ATxmega32A4U @ 32MHz) - Flash
memory (32Kb) and 4Kb RAM - Hardware
support for ASK and BPSK load modulation using a subcarrier - 8
virtual card slots, up to 8Kb per card in non-volatile memory - Two
programmable buttons and LEDs - Open-source,
modular firmware for easy expansion - Weight:
31g, Dimensions: 8.6cm x 5.2cm x 0.6cm
Chameleon Ultra features are:
- Firmware
support for ISO14443A codec (emulation and reading) - NFC
13.56 MHz emulation for Mifare Classic 1K/2K/4K, Ultralight/C/EV1, NTAG
210-218, Desfire EV1/2, Mifare Plus - RFID
125KHz emulation for EM4xx, T5577, FDX-B, Paradox, Keri, Indala, HID Prox,
PAC/Stanley, AWD, ioProx, Presco, Viking, Noralsy, NexWatch, Jablotron,
Gallagher - Support
for Bluetooth LE (BLE) 5.0 - 32-bit
ARM Processor (nRF52840 @ 64MHz) - Flash
memory (1Mb) and 256Kb RAM - Hardware
support for ASK and BPSK load modulation - Reader mode
with fast UID detection support - 8
dual-frequency virtual card slots up to 64Kb per card - 90mAh
internal LiPo battery - Two
programmable buttons and dynamic RGB LEDs - Open-source,
modular firmware for easy expansion - Weight:
8g, Dimensions: 4cm x 2.4cm x 0.6cm
What really makes the Chameleon Ultra attractive compared to the Mini is
that it is no longer just a «dumb box that carries and emulates
tags.» Now, besides carrying and emulating tags, it can read tags, perform
attacks, use dictionaries, and clone. It’s getting closer to a Proxmark than to
its Chameleon predecessors. And not only can it read tags, but it can also
modify them by writing onto them. As you can see, it’s a huge step up from the
Chameleon Mini: much more powerful and versatile.
Maybe the meme exaggerates a bit, because the Proxmark is still far more
versatile and can do things the Chameleon cannot, but the Chameleon Ultra can
perform many tasks in a very simple way, thanks to its intuitive and
straightforward interface.
Of course, it can still be used simply as a «dumb box that carries
and emulates tags.»
However, let’s not forget that in this version, this «dumb box»
is capable of carrying many more types of tags and has more slots available. The
difference is that before, you needed to clone using a Proxmark, save a dump of
the tag, and then write it into the Chameleon using specific software, and now
with the Chameleon Ultra, you can directly read a tag, attack if necessary (in
case not all sectors are readable), and clone it on the fly. This saves many
steps and simplifies the process, ultimately saving a lot of time.
Supported attacks
Currently, the Chameleon Ultra supports different attacks when reading a
tag and not all its sectors can be read completely. Besides dictionary attacks,
it supports MFKEY32, Darkside, Nested, and StaticNested attacks. If you want
more information about these attacks, I refer you to another article I wrote
some time ago here on Hackplayers:
https://www.hackplayers.com/2021/11/hacking-nfc.html
What is not yet supported are the HardNested attack and the Relay attack.
owever, it’s just a matter of time, since the hardware is capable of supporting
them and the development team already has it on their to-do list.
It’s also anticipated that sniffing on high frequency (NFC) will not be
supported (unlike the Proxmark), although sniffing on low frequency is
supported, even though it’s not fully developed yet. As we can see, there’s
still some road ahead…
Software
There are several different software options. There is a command-line
interface (CLI) console for advanced users, but the graphical user interface
(GUI) software is more than enough for most mortals, myself included, so that’s
what we’ll talk about here. Later, we’ll also discuss the mobile apps.
The software is similar to the old Chameleon software but with a new
look, much nicer and more modern, and packed with more functionalities, however,
the slot management window still keeps the same basic philosophy. This was the
old GUI for the Chameleon Mini (Iceman version):
And this is the new software’s appearance:
As we mentioned earlier, we can directly read tags using the Chameleon
Ultra. You can choose to save just the UID (we know many poorly secured NFC systems
only check the UID), or save the complete tag. But to do this, you must fully
read it. If we encounter a tag that we can’t read entirely, we’ll see a screen
like this:
But on the fly, we can launch different attacks. In this case, we simply
select a dictionary, and this will be the result after applying it:
As you can see, it managed to read everything, so we could now clone the
tag. If there were still sectors left to read, the Chameleon Ultra would
automatically launch different attacks to retrieve the missing data, a real
marvel. Once successfully read, we save the tag:
It will then appear in the Saved Cards section along with others we have:
And we can write it into one of the memory slots if we want:
It also allows importing and exporting tags in .bin and .json file
formats (Proxmark3), .nfc (Flipper Zero), and .mfct (Mifare Classic Tool).
In the Device Settings section, among other options, we can program the
buttons just like with the Chameleon Mini, so that a short press does one
action, and a long press does a different one:
As we mentioned before, besides writing into the memory slots, we can
also write directly onto a tag (as long as the tag supports the kind of writing
we’re trying to do).
If we have doubts about what type of rewritable card we have, we can use
the «Auto-detect Magic Card Type» option to automatically detect it:
As you can see, all processes are very straightforward.
Thus, we have covered the main functionalities. However, I encourage you
to play with it, because it’s truly fun and seems like a great advance in the
evolution of the Chameleon family. If you have time and curiosity, there’s an
English-language video that meticulously explains all aspects and fields of the
software:
https://www.youtube.com/watch?v=9jtKNJ5-kVY
Mobile software
Another of the advantages of these gadgets is the availability of
software versions for mobile applications, which are very useful. They give us
mobility and, if we are on a “mission” (always official, ethical, with
permission and all that, you know), they also provide some discretion by
allowing us to operate the device simply by having a mobile phone in hand,
something that is socially accepted and discreet. It is well known that if you
pull out a laptop, some cables, and a «weird» device, people might look
at you suspiciously or wonder what you are doing. This makes mobile versions
very useful in this regard.
Chameleon Mini RevE never had an official app as such, but there were a
couple of apps developed by people from the community. I will highlight one
that offers functionality very similar to the desktop GUI software from Iceman.
It is this Android app from this GitHub repository:
https://github.com/kgamecarter/ChameleonMiniApp
However, the compiled APK is not available in the repository. It used to
be available on Google Play Store, but sadly it disappeared from there, so I
have prepared a link to the compiled APK (I know what you are thinking, and no,
it has no malware, I behaved):
https://mega.nz/file/wJJ0GCzJ#gZTYkAJBciT_AuofHat4QMqBsCPHxvuiLURfAd4dNBY
To use it, you will need to connect your Chameleon Mini RevE to your
mobile with an OTG (On-The-Go) cable to the micro-USB port of the Chameleon
Mini.
The app looks like this:
There is also a YouTube video of about 20 seconds made by the author of
the app, which gives you a good idea of it:
https://www.youtube.com/watch?v=WoU58GzxsAY
As for the Chameleon Ultra, luckily it does have an official app. It is
available in Google Play Store, where you can download it:
https://play.google.com/store/apps/details?id=io.chameleon.ultra
There is also an iOS version for Apple devices:
https://apps.apple.com/ve/app/chameleon-ultra-gui/id6462919364
The mobile app for the Chameleon Ultra offers the same functionality as
the desktop app, so in my opinion, it is an absolute wonder. This means that,
being such a small device and connecting via Bluetooth, we can operate it at
100% capacity anywhere, taking full advantage of it. Bluetooth pairing is
extremely easy, and the app allows us to choose the PIN we want for secure
connection.
It is also worth mentioning that although connecting via Bluetooth is the
usual method, it is possible to connect it with an OTG cable just like we did
with the Chameleon Mini, although this time it will have to be USB-C. The app
will work perfectly as well.
This is what the mobile app looks like:
Firmware update
Updating the firmware on the Chameleon Mini was a bit more complex. To
avoid repeating everything, I will simply reference an article I wrote some
time ago where, among other things, the process of updating the firmware of the
Chameleon Mini RevE is described:
https://www.hackplayers.com/2021/07/nfc-proxmark3-chameleon.html
On the Chameleon Ultra, updating the firmware could not be easier. There
are several methods, but without a doubt, the easiest one is simply to open the
GUI application and click on the magic button next to the firmware version.
This button will do all the work. It is that simple. It automatically puts the
device into DFU (Device Firmware Update) mode, downloads the latest version,
flashes it, and so on.
Where to buy it?
It can be purchased in different places like Lab401 store,
Hackerwarehouse, or even Amazon, but in my experience it is cheaper to buy it
on Aliexpress. That said, you have to distinguish between the original and the
imitations.
In this link, I found a comparison between the «Chameleon
Ultra» and the «Chamele0n Ultra» (note that the “o” in the
imitation is actually a zero “0”). They compare physical components and
differences. A very interesting article:
https://shop.mtoolstec.com/whatre-the-differences-between-chameleon-ultra-chamele0n-ultra.html
The truth is that, after reading the article, it seems the imitation does
not differ too much from the original, only in small details. But since I have
not personally tested the imitation, I recommend buying the original.
Nevertheless, it is quite likely that the imitation also works well, although I
cannot guarantee it at this moment. Here are a couple of Aliexpress links to
good-priced original Chameleons, the ones I personally own.
Original Chameleon Mini RevE:
https://s.click.aliexpress.com/e/_opkB6kH
Original Chameleon Ultra:
https://s.click.aliexpress.com/e/_oCTviIv
The current prices in 2025 are around 35€ for the Mini and 120€ for the
Ultra (original versions). However, these prices always fluctuate slightly
(that’s the market, my friend!). On pages like Lab401 or similar, it is
somewhat more expensive. The imitation, meanwhile, is around 20 or 25€. I’ll
leave a link here as well.
Chamele0n Ultra imitation:
Special thanks
Thanks to the usual suspects.
Hackplayers, who put in the effort, to the developers of the NFC/RFID world
including Iceman (@herrmann1001), Gator96100 (@Gator96100), kgamecarter, and so
many others. Thanks to L1k0rd3b3ll0t4 for the support and for going crazy
buying the gadget after a simple comment. To the Spanish pentesting crew for
keeping the J0n3C0n alive, and to my partner without whom I wouldn’t be able to
“waste” so much time in researchings, etc.
Useful links
- GitHub firmware/drivers Chameleon RevE: https://github.com/iceman1001/ChameleonMini-rebooted
- GitHub software Chameleon RevE: https://github.com/iceman1001/ChameleonMini-rebootedGUI
- GitHub firmware/drivers Chameleon Ultra: https://github.com/RfidResearchGroup/ChameleonUltra
- GitHub software Chameleon Ultra: https://github.com/GameTec-live/ChameleonUltraGUI
- Android Playstore app Chameleon Ultra: https://play.google.com/store/apps/details?id=io.chameleon.ultra
- iOS Appstore app Chameleon Ultra: https://apps.apple.com/app/chameleon-ultra-gui/id6462919364
- GitHub source of the Chameleon Mini RevE app: https://github.com/kgamecarter/ChameleonMiniApp
- Android Chameleon Mini RevE Compiled APK: https://mega.nz/file/wJJ0GCzJ#gZTYkAJBciT_AuofHat4QMqBsCPHxvuiLURfAd4dNBY
- Discord RFiD Hacking Iceman: https://discord.gg/QfPvGFRQxH
Author:
- Óscar Alfonso Díaz / OscarAkaElvis / v1s1t0r
- Twitter – X (https://x.com/OscarAkaElvis)
- Contributor at Hackplayers
- Main author of airgeddon: https://github.com/v1s1t0r1sh3r3/airgeddon
- Contributor to Evil-WinRM: https://github.com/Hackplayers/evil-winrm
- Contributor to the CWP Wi-Fi certification:
- Spanish – https://academy.wifichallenge.com/courses/certified-wifichallenge-professional-cwp-esp?ref=c02137
- English – https://academy.wifichallenge.com/courses/certified-wifichallenge-professional-cwp?ref=c02137
- Passionate about cyber-in-security in general
Spanish Edition
eh! no olvidamos que el blog de Hackplayers es un blog escrito principalmente en español castellano, si quieres ver el post en la lengua de Cervantes sigue este link:
Powered by WPeMatico
