###This is a user friendly documentation for the ChameleonMini (RevG 180125) from Kasper & Oswald GmbH.
###Feel free to add or adapt the documentation
Table of content
- VERSION
- CONFIG
- UID
- READONLY
- UPLOAD
- DOWNLOAD
- RESET
- UPGRADE
- MEMSIZE
- UIDSIZE
- RBUTTON
- RBUTTON_LONG
- LBUTTON
- LBUTTON_LONG
- LEDGREEN
- LEDRED
- LOGMODE
- LOGMEM
- LOGDOWNLOAD
- LOGSTORE
- LOGCLEAR
- SETTING
- CLEAR
- STORE
- RECALL
- CHARGING
- HELP
- RSSI
- SYSTICK
- SEND_RAW
- SEND
- GETUID
- DUMP_MFU
- IDENTIFY
- TIMEOUT
- THRESHOLD
- AUTOCALIBRATE
- FIELD
- CLONE
- Abbreviation
- MIFARE Classic command overview
- MIFARE Classic ACK and NAK
- ATQA and SAK responses
- How to customize the Firmware
^Top
Print the current version of ChameleonMini.
Syntax: version?
101:OK WITH TEXT
ChameleonMini RevG 180125 using LUFA 151115 compiled with AVR-GCC 5.4.0. Based on the open-source NFC tool ChameleonMini. https://github.com/emsec/ChameleonMini commit c6d2968
^Top
Get/Set the configuratopn of the current slot. The "slot" includes the behavior of the Card. The ChameleonMini can emulate differend Cards, and each slot contains one Card.
The slot 8 is configured as "READER" in the default configuration.
Note: The ChameleonMini has 8 possible slots (1-8)
Syntax: config=?
101:OK WITH TEXT
NONE,MF_ULTRALIGHT,MF_ULTRALIGHT|_EV1_80B,MF_ULTRALIGHT|_EV1_164B,MF_CLASSIC_1K,MF_CLASSIC_1K_7B,MF_CLASSIC_4K,MF_CLASSIC_4K_7B,ISO14443A_SNIFF,ISO14443A_READER
Set current slot as a MIFARE classic 4K emulation.
Syntax: config=MF_CLASSIC_4K
101:OK WITH TEXT
Get the value of the current slot
Syntax: config?
101:OK WITH TEXT
MF_CLASSIC_4K
^Top
Print the current uid of the emulated card(slot).
Syntax: uid?
101:OK WITH TEXT
9E63BC03A
Configures the read-only mode to the internal memory. Activates (1) or deactivates (0) the read-only mode (Any writing to the memory is silently ignored.)
Print the possible states.
Syntax: readonly=?
101:OK WITH TEXT
1,0
Print the current state of the accessrights
Syntax: readonly?
101:OK WITH TEXT
0
Activate the read-only mode
Syntax: readonly=1
100:OK
^Top
Waits for an XModem connection in order to upload a new virtualized card into the currently selected slot, with a size up to the current memory size.
Syntax: upload
<ENTER>
^Top
Waits for an XModem connection in order to download a virtualized card with the current memory size.
Syntax: download
<ENTER>
^Top
Reboots the Chameleon, i.e., power down and subsequent power-up. Note: A reset usually requires a new Terminal session.
Syntax: reset
<ENTER>
^Top
Sets the Chameleon into firmware upgrade mode (DFU). This command can be used instead of holding the RBUTTON while power-on to trigger the bootloader.
After run the upgrade
command, you can now start the upgrade process described on Getting Started
Syntax: upgrade
<ENTER>
^Top
Returns the memory size occupied by the current configuration in Byte.
Syntax: memsize?
101:OK WITH TEXT
4096
^Top
Print the size in bytes of the current uid on the emulated card.
Syntax: uidsize?
101:OK WITH TEXT
4
^Top
Returns if the battery is currently being charged (TRUE) or not (FALSE).
Syntax: charging?
120:FALSE
^Top
Returns a comma-separated list of all commands supported by the current firmware.
Syntax: help
101:OK WITH TEXT
VERSION,CONFIG,UID,READONLY,UPL....
^Top
Returns the voltage measured at the antenna of the Chameleon, e.g., to detect the presence of an RF field or compare the field strength of different RFID readers.
Syntax: help
<ENTER>
101:OK WITH TEXT
2648 mV
^Top
Print the value of the left system tick in ms since PowerOn.
Note: An overflow occurs every 65,536 ms.
Syntax: systick?
101:OK WITH TEXT
9C30
^Top
Set/Get the behavior of the green LED.
Possible values are:
Syntax: ledgreen=?
101:OK WITH TEXT
NONE,POWERED,TERMINAL_CONN,TERMINAL_RXTX,SETTING_CHANGE,MEMORY_STORED,MEMORY_CHANGED,CODEC_RX,CODEC_TX,FIELD_DETECTED,LOGMEM_FULL
Get current state:
Syntax: ledgreen?
101:OK WITH TEXT
POWERED
Set value for example:
Syntax: ledgreen=terminal_rxtx
<ENTER>
100:OK
^Top
Set/Get the behavior of the red LED.
Possible values are:
Syntax: ledred=?
101:OK WITH TEXT
NONE,POWERED,TERMINAL_CONN,TERMINAL_RXTX,SETTING_CHANGE,MEMORY_STORED,MEMORY_CHANGED,CODEC_RX,CODEC_TX,FIELD_DETECTED,LOGMEM_FULL
Get current state:
Syntax: ledred?
101:OK WITH TEXT
FIELD_DETECTED
Set value for example:
Syntax: ledred=powered
<ENTER>
100:OK
^Top
Set/Get the behavior of a right button with "short push".
Possible values are:
Syntax: rbutton=?
101:OK WITH TEXT
NONE,UID_RANDOM,UID_LEFT_INCREMENT,UID_RIGHT_INCREMENT,UID_LEFT_DECREMENT,UID_RIGHT_DECREMENT,CYCLE_SETTINGS,STORE_MEM,RECALL_MEM,TOGGLE_FIELD,STORE_LOG,CLONE
Get current value:
Syntax: rbutton?
101:OK WITH TEXT
CYCLE_SETTINGS
Set value for example:
Syntax: rbutton=ui_random
^Top
Set/Get the behavior of a right button with "long push".
Possible values are:
Syntax: rbutton_long=?
101:OK WITH TEXT
NONE,UID_RANDOM,UID_LEFT_INCREMENT,UID_RIGHT_INCREMENT,UID_LEFT_DECREMENT,UID_RIGHT_DECREMENT,CYCLE_SETTINGS,STORE_MEM,RECALL_MEM,TOGGLE_FIELD,STORE_LOG,CLONE
Get current value:
Syntax: rbuttton_long?
101:OK WITH TEXT
CYCLE_SETTINGS
Set value for example:
Syntax: rbutton_long=uid_random
100:OK
^Top
Set/Get the behavior of a left button with "short push".
Possible values are:
Syntax: lbutton_long=?
101:OK WITH TEXT
NONE,UID_RANDOM,UID_LEFT_INCREMENT,UID_RIGHT_INCREMENT,UID_LEFT_DECREMENT,UID_RIGHT_DECREMENT,CYCLE_SETTINGS,STORE_MEM,RECALL_MEM,TOGGLE_FIELD,STORE_LOG,CLONE
Get current value:
Syntax: lbutton?
101:OK WITH TEXT
CYCLE_SETTINGS
Set value for example:
Syntax: lbutton=uid_random
100:OK
^Top
Set/Get the behavior of a left button with "long push".
Possible values are:
Syntax: lbutton_long=?
101:OK WITH TEXT
NONE,UID_RANDOM,UID_LEFT_INCREMENT,UID_RIGHT_INCREMENT,UID_LEFT_DECREMENT,UID_RIGHT_DECREMENT,CYCLE_SETTINGS,STORE_MEM,RECALL_MEM,TOGGLE_FIELD,STORE_LOG,CLONE
Get current value:
Syntax: lbuttton_long?
101:OK WITH TEXT
CYCLE_SETTINGS
Set value for example:
Syntax: lbutton_long=ui_random?
100:OK
^Top
The 'logmode' command set the behavior of the datalogging.
Possible values are:
Syntax: logmode=?
101:OK WITH TEXT
OFF,MEMORY,LIVE
- off -> logging disabled
- LIVE -> log events are written directly to the terminal
- MEMORY -> log events are written to SRAM (uC RAM)
Get current value:
Syntax: logmode?
101:OK WITH TEXT
LIVE
Set logging mode:
Syntax: logmode=MEMORY
100:OK
####Log Entry Format#### The log entries use a TLV (Type Length Value)-like format:
- Entry type -> 1 byte, see possible types on GitHub
- Data length -> 1 byte, the length of the appended data
- Timestamp -> 2 bytes, current systick timestamp value (ms)
- Data -> Data length bytes, it's also possible that no data is appended, then the Data length field is zero
^Top
Returns the remaining free space for logging data to the SRAM (max. 2048 byte).
Syntax: logmem?
101:OK WITH TEXT
18430 (from which 16382 non-volatile)
^Top
Waits for an XModem connection and then downloads the binary log - including any log data in FRAM.
Syntax: logdownload
<ENTER>
^Top
Writes the current log from SRAM to FRAM and clears the SRAM log.
Syntax: logstore?
100:OK
Warning
If the FRAM is full, currently no error message is shown.
If calling LOGMEM?
after executing this command returns any other value than the maximum SRAM log size, there was not sufficient space in the FRAM and nothing has been done.
^Top
Clears the log memory (SRAM on ATMega and FRAM on external RAM IC5)
Syntax: logclear
<ENTER>
100:OK
^Top
Get/Set the current slot (slot 1-8) for the card/reader emulation.
Get the current slot number
Syntax: setting?
101:OK WITH TEXT
1
Switch to slot 2
Syntax: setting=2
100:OK
^Top
Clears the content of the current slot.
Syntax: clear
<ENTER>
100:OK
^Top
Stores the content of the current slot from the external FRAM into the Flash memory.
Syntax: store
<ENTER>
100:OK
^Top
Recalls/restores the content of the current slot from the Flash memory into the external FRAM.
Syntax: recall
<ENTER>
100:OK
^Top
Adds parity bits, sends the given byte string , and returns the cards answer.
Request type A
Syntax: send 26
<ENTER>
101:OK WITH TEXT
0400
0010
PARITY OK
Select card
Syntax: `send 9320'<enter>
101:OK WITH TEXT
BA46A1B2EF
0028
PARITY OK
^Top
Does NOT add parity bits, sends the given byte string and returns the cards answer.
Syntax: send 26
<ENTER>
101:OK WITH TEXT
0400
0010
PARITY OK
^Top
Obtains the UID of a card that is in the range of the antenna and returns it. This command is a Timeout command.
Valid only in 'ISO14443A_READER' mode
Syntax: getuid
<ENTER>
101:OK WITH TEXT
BA46A1B2
Reads the whole content of a Mifare Ultralight card that is in the range of the antenna and returns it. This command is a Timeout command.
Valid only in 'ISO14443A_READER' mode
Syntax: dump_mfu
<ENTER>
101:OK WITH TEXT
04A8DEFAE2B54C809B48000000000000
FFFFFFFF000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
^Top
Identifies the type of a card in the range of the antenna and returns it. This command is a Timeout command.
Valid only in 'ISO14443A_READER' mode (config=iso14443a_reader
)
Syntax: identify
<ENTER>
101:OK WITH TEXT
MIFARE Classic 1k
ATQA:.0400
UID:.BA46A1B2
SAK: 08
^Top
Get/Set the timeout for the current slot in multiples of 128 ms. If set to zero, there is no timeout. See also Timeout commands.
Get the possible range
Syntax: timeout=?
101:OK WITH TEXT
0 = no timeout
1-600 = 100 ms - 60000 ms timeout
Get the current value
Syntax: timeout?
101:OK WITH TEXT
5000 ms
^Top
Get/Set the possible number for the reader threshold.
Get the possible range
Syntax: threshold=?
101:OK WITH TEXT
Any integer from 0 to 4095. Reference voltage will be (VCC * THRESHOLD / 4095) mV
Set the reader threshold. The <NUMBER> influences the reader function and range. Setting a wrong value may result in malfunctioning of the reader. DEFAULT: 400
Syntax: threshold=300
<ENTER>
100:OK
^Top
Automatically finds a good threshold for communicating with the card that currently is on top of the Chameleon. This command is a Timeout command.
Valid only in 'ISO14443A_READER' mode
Syntax: autocalibrate
<ENTER>
101:OK WITH TEXT
128: -
136: -
144: -
.
.
.
1000: +
1008: +
1016: -
^Top
Get/Set the state of the reader field.
Get the possible values
Syntax: field=?
101:OK WITH TEXT
1,0
Switch the reader field on
Syntax: field=1
100:OK
^Top
Change config
and uid
to the identified card (mifare classic 1k/4k or ultralight).
To check the progress, you can set the mod of the LEDs to FIELD_DETECTED (ledred=field_detected
)
(In fact, it's not a really full clone of a card. It will be clone the Card-ID and switch the ChameleonMini in to the same cardtype as the "master". Nevertheless, this is enough to make penetration tests to low level systems, based only of Card-ID and/or Card-Type.)
Syntax: clone
<ENTER>
Hold then the card to be clone on the readers field.
See ISSUE #165
Description | |
---|---|
PICC | Proximity Integrated Circuit Card (MIFARE Card) |
PCD | Proximity Coupling Device (Cardreader) |
ACK | ACKnowledge |
NAK | Not AcKnowledge |
ATQA | Answer To reQuest, Type A |
NUID | Non-Unique IDentifier |
REQA | REQuest command, Type A |
SAK | Select AcKnowledge, type A |
UID | Unique IDentifier |
WUPA | Wake-Up Protocol type A |
Command | ISO/IEC 14443 | Command code (hexadecimal) |
---|---|---|
Request | REQA | 26h (7 bit) |
Wake-up | WUPA | 52h (7 bit) |
Anticollision CL1 | Anticollision CL1 | 93h 20h |
Select CL1 | Select CL1 | 93h 70h |
Anticollision CL2 | Anticollision CL2 | 95h 20h |
Select CL2 | Select CL2 | 95h 70h |
Halt | Halt | 50h 00h |
Authentication with Key A | - | 60h |
Authentication with Key B | - | 61h |
Personalize UID Usage | - | 40h |
SET_MOD_TYPE | - | 43h |
MIFARE Read | - | 30h |
MIFARE Write | - | A0h |
MIFARE Decrement | - | C0h |
MIFARE Increment | - | C1h |
MIFARE Restore | - | C2h |
MIFARE Transfer | - | B0h |
Code (4-bit) | Transfer Buffer Validity | Description |
---|---|---|
Ah | Acknowledge (ACK) | |
0h | valid | invalid operation |
1h | valid | parity or CRC error |
4h | invalid | invalid operation |
5h | invalid | parity or CRC error |
ATQA response of the MF1S70yyX/V1
Sales Type | Hex Value |
---|---|
MF1S00yX | 00 44h |
MF1S03yX | 00 04h |
MF1S700yX | 00 42h |
MF1S703yX | 00 02h |
SAK response of the MF1S70yyX/V1
Sales Type | Hex Value |
---|---|
MF1S70yyX/V1 | 18h |
The asiest way is to setup a toolchain with UBUNTU (Physical or as VM). This example use UBUNTU as a VirtualBox VM.
- Download the UBUNTU Desktop as ISO (i used the Ubuntu 16.04.3 LTS) and create a VM.
-
Install the The AVR GCC Toolchain:
Syntax:
sudo apt-get install gcc-avr binutils-avr gdb-avr avr-libc avrdude
<ENTER> -
Syntax:
apt-get update
<ENTER>
Syntax:apt-get install git-core
<ENTER> -
Clone the ChameleonMini repo to local machine.
- create a target directory like '~git' Syntax:
mkdir ~/git
<ENTER> - change into the new drectory: Syntax:
cd ~/git
<ENTER> - clone the original repository to the current directory:
Syntax:git clone https://github.com/emsec/ChameleonMini.git
<ENTER>
- create a target directory like '~git' Syntax:
-
For remote access to the VM install ssh
Syntax:
sudo apt-get install openssh-server
<ENTER> -
Edit the ChameleonMini source files:
After cloning the git repository, you will find the firmwarefiles under
~/git/ChameleonMini/Firmware/Chameleon-Mini
-
Compile the changes
Syntax:
make
<ENTER>
../LUFA/Build/lufa_build.mk:131: The XMEGA device support is currently EXPERIMENTAL (incomplete and/or non-functional), and is included for preview purposes only.
[INFO] : Begin compilation of project "Chameleon-Mini"...
avr-gcc (GCC) 4.9.2
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
[OBJCPY] : Extracting HEX file data from "Chameleon-Mini.elf"
br>avr-objcopy -O ihex -R .eeprom -R .fuse -R .lock -R .signature --set-section-flags=.flashdata="alloc,load" Chameleon-Mini.elf Chameleon-Mini.hex
[OBJCPY] : Extracting EEP file data from "Chameleon-Mini.elf"
mavr-objcopy -O ihex -j .eeprom --set-section-flags=.eeprom="alloc,load" --change-section-lma .eeprom=0 --no-change-warnings Chameleon-Mini.elf Chameleon-Mini.eep || exit 0
[SIZE] : Determining size of "Chameleon-Mini.elf"
avr-size --mcu=atxmega128a4u --format=avr Chameleon-Mini.elf
AVR Memory Usage
----------------
Device: atxmega128a4u
Program: 49218 bytes (35.3% Full)
(.text + .data + .bootloader)
Data: 5537 bytes (67.6% Full)
(.data + .bss + .noinit)
EEPROM: 100 bytes (4.9% Full)
(.eeprom)
[INFO] : Finished building project "Chameleon-Mini".
Now, you will get the needed two compiled files Chameleon-Mini.eep
and Chameleon-Mini.hex
.
-
Upgrade the Firmware
Start the upgrade process descripted on Getting Started with both compiled files
Chameleon-Mini.eep
andChameleon-Mini.hex
.
That's it. Now, you have your own code :-)