Introduction
The ChameleonUltra is built on a highly capable framework, making it a powerful RFID development platform. While the ChameleonUltra has been optimised for size, the ChameleonUltra Devkit has been optimised for development.
Flashing and debug break-out points are easily accessible; the PCBA and silkscreen are arranged in logical groups for easy access and development.
The Chameleon Ultra is the ultimate RFID emulation device : Low and high-frequency emulation, full read & write capabilities, bleeding-edge cracking, wireless control : all wrapped up in a key-chain sized, fully open-sourced device.
The Chameleon Ultra is the result of exceptional engineering ingenuity : the development team discovered that little-known RFID function in a popular Bluetooth controller could be pushed to provide high-performance, multi-frequency RFID reading, writing and cracking - and emulation performance almost identical to that of a physical card.
Lab401 is the exclusive distributor for the Chameleon Ultra in Europe.
Low & High Frequency Emulation
"Frame Delay Time" is the most important metric in emulation: slower performance means that emulation doesn't meet protocol specifications, data can be lost, and ultimately, the emulation can fail.
The Chameleon Ultra has the world's most precise emulation: it's the most precise emulator in the world.
Optimised MIFARE Classic® Cracking
The Chameleon Ultra's powerful chip supports all known MIFARE Classic® cracking algorithms - at speeds faster than the Proxmark!
The device supports all classic and modern attacks, including MFKEY32 v2, Darkside, Nested, StaticNested and Hardnested attacks - for incredibly quick key recovery.
Low & High Frequency Reading / Writing
The Chameleon Ultra hardware supports high and low frequency reading and writing - allowing it to be used as a standalone or connected reader/writer device.
For High Frequency, the device supports ISO14443A chipsets: MIFARE Classic® (1K/2K/4K, 4-byte &, 7-byte UID), NTAG® (210 - 218), Ultralight® (Standard, C, EV1), DESFire® (EV1 & 2) and MIFARE® Plus.
For Low Frequency, the device supports ASK, FSK and PSK modulations - almost 99% of 125KHz chipsets: EM410x, T5577, HID Prox, Indala, FDX-B, Paradox, AWD, PAC/Stanley, etc.
Wireless, UI and CLI Control
The Chameleon Ultra can be controlled and updated in several ways.
Firmware can be flashed via USB-C or Over-the-Air; badge dumps can be uploaded and downloaded via wireless or wired connections.
Likewise, the device can be controlled via GUI Tool, mobile phone, or via CLI - depending on your workflow.
The CLI and UI tools are continuously updated by the community, with new functionality and stability being constantly added.
Incredible hardware
The ChameleonUltra's hardware has been pushed to its limits : despite its size, it boasts better emulation than the Flipper Zero and even Proxmark 3 - and can run for 6 months off a single battery charge!
The device itself is beautiful - a masterpiece of copper, epoxy, fiberglass and stainless steel.
100% Open Source
The Chameleon Ultra is fully open-source : all firmware, hardware, software and resources are available on the Chameleon Ultra Github page.
The frequent contributions from RFID superstars such as iceman and doegox ensure that the Chameleon Ultra is a well-supported, high-performance device.
Understand the ChameleonUltra
The Chameleon Ultra's primary use is for RFID Emulation. Instead of needing physical cards, you can emulate multiple different types of chips and different frequencies with one device.
The Chameleon Ultra also has several other powerful features : cracking, reading, writing.
When working with RFID tags, there are typically five required functions:
- Identification - identifying the badge : frequency, modulation, chipset, protocol, etc. Most tags can be easily identified. However, some tags need to be manually identified, requiring specialty hardware such as the Proxmark.
- Cracking - many common chipsets (MIFARE Classic®, etc) require keys to read or write the contents of the badge. If the keys are unknown, they need to be cracked. The ChameleonUltra cracking capabilities equal to Proxmark.
- Reading - Reading the data from a badge.
- Emulation - Emulation allows for simulating a badge digitally. Instead of needing multiple physical cards, they can be replaced with an emulator. Further, emulated data and chipsets can be customised completely - something impossible with physical cards.
- Writing - Writing data to an existing badge, or cloning data to a new badge.
The below table shows the coverage that the ChameleonUltra provides in each of these categories, and how it compares to other tools.
For users that don't require advanced identification or rapid cloning, the ChameleonUltra could be the perfect match for your needs.
ChameleonUltra Community and Ecosystem
The Chameleon Ultra is fully open-source : all firmware, hardware, software and resources are available on the Chameleon Ultra Github page.
The frequent contributions from RFID superstars such as iceman and doegox ensure that the Chameleon Ultra is a well-supported, high-performance device.
ChameleonUltra Product Presentation
ChameleonUltra Unboxing
What's included
- 1x ChameleonUltra DEvKit
- 1x USB-A - USB-C Cable
- 2-year guarantee
Device Specifications
- Processor + Memory:
- NRF52840
- ARM Cortex-M4 32-bit 64 MHz (Application Processor)
- 1MB Flash
- 256KB RAM
- Tactile Controls: 2x Physical Buttons
- Internal Battery: LiPo 90mAh (6 months without charge)
- Connectivity: USB 2.0, Type-C
- Dimensions: 40 x 24 x 8 mm
- Weight: 8g
Technical Resources
- ChameleonUltra UI Tools (Windows/MacOS/Linux/Android)
- Official Github
- Community Discord Server
RFID Specifications
- Reading, Emulation
- High Frequency / 13.56MHz
- ISO-14443A
- Mifare Classic® (1K / 2K / 4K - 4-byte & 7-byte UID)
- Ultralight® (Standard, C & EV1)
- NTAG® (210 - 218)
- Low Frequency / 125KHz
- Modulation: AM / PSK / FSK
- Supported Cards:
- EM4XX / T5577
- HID Prox / Indala / PAC/Stanley
- FDX-B / Paradox / Keri
- etc (full list below)
- Cracking
- MIFARE Classic®
- MFKey32v2 (Key Calculation from sniffed exchanges)
- DarkSide (Key derivation from no known keys)
- Nested (Key derivation from one known key)
- StaticNested (Key derivation from static PRNG)
- HardNested (Key derivation from hardened PRNG)
- Low Frequency / 125KHz
- T5577 Password Bruteforcing
- UID Bruteforcing
Chameleon Ultra Chipset Datasheets
Device Comparison
Summary of functionality across similar devices.
Device | Chameleon Ultra | Flipper Zero | Keysy | Proxmark |
---|---|---|---|---|
High-Frequency | ||||
ISO14443A Emulation | ✔️ | 🟡 | ❌ | 🟡 |
Full MIFARE® Emulation | ✔️ | 🟡 | ❌ | ✔️ |
ISO14443A Reading | ✔️ | 🟡 | ❌ | ✔️ |
Low-Frequency | ||||
LF Emulation | ✔️ | ✔️ | ✔️ | ✔️ |
LF Reading | ✔️ | ✔️ | ✔️ | ✔️ |
Cracking | ||||
Darkside | ✔️ | ❌ | ❌ | ✔️ |
Nested | ✔️ | ✔️ | ❌ | ✔️ |
StaticNested | ✔️ | ❌ | ❌ | ✔️ |
HardNested | ✔️ | ❌ | ❌ | ✔️ |
Relay attack | ✔️ | ❌ | ❌ | ✔️ |
High Frequency Cracking Support
Current support levels (hardware / firmware / application) support for High-Frequency Chipsets. Sniffing is not supported.
Attack | Chipset | Hardware Support | Firmware Support | Application Support |
---|---|---|---|---|
MFKEY32 V2 | MIFARE Classic® | ✔️ | ✔️ | ✔️ |
Darkside | MIFARE Classic® | ✔️ | 🟡 | ✔️ |
Nested | MIFARE Classic® | ✔️ | 🟡 | ✔️ |
StaticNested | MIFARE Classic® | ✔️ | ✔️ | 🟡 |
HardNested | MIFARE Classic® | ✔️ | ✔️ | 🟡 |
Relay attack | ISO14443A | ✔️ | ✔️ | 🟡 |
High Frequency Reading Support
Current support levels (hardware / firmware / application) support for High-Frequency Chipsets. Only ISO14443A chipsets are supported,
Chipset | Encoding | Hardware Support | Software Support | Application Support |
---|---|---|---|---|
NTAG® 21x (210-218) | ISO14443A/106 kbit/s | ✔️ | ✔️ | 🟡 |
Mifare® Ultralight | ISO14443A/106 kbit/s | ✔️ | ✔️ | 🟡 |
Mifare® Ultralight Ev1 | ISO14443A/106 kbit/s | ✔️ | ✔️ | 🟡 |
Mifare® Ultralight C | ISO14443A/106 kbit/s | ✔️ | ✔️ | 🟡 |
Mifare® Classic 1K/2K/4K : 4b/7b | ISO14443A/106 kbit/s | ✔️ | ✔️ | ✔️ |
Mifare® DESFire® | ISO14443A High Rate | Low bitrate only | Low bitrate only | 🟡 |
Mifare® DESFire® EV1 | ISO14443A High rate | Low bitrate only | Low bitrate only | 🟡 |
Mifare DESFire EV2 | ISO14443A High rate | Low bitrate only | Low bitrate only | 🟡 |
Mifare® PLUS | ISO14443A High rate | Low bitrate only | Low bitrate only | 🟡 |
Low Frequency Support
Current support levels (hardware / firmware / application) support for LowFrequency Chipsets. Only ASK/PSK/FSK modulation is supported.
Card Type | Chipset | Hardware Support | Firmware Support | Application Support |
---|---|---|---|---|
EM410x | ASK | ✔️ | ✔️ | ✔️ |
T5577 | ASK | ✔️ | ✔️ | 🟡 |
HID Prox | FSK | ✔️ | ✔️ | 🟡 |
Indala | PSK | ✔️ | ✔️ | 🟡 |
FDX-B | ASK | ✔️ | ✔️ | 🟡 |
Paradox | FSK | ✔️ | ✔️ | 🟡 |
Keri | PSK | ✔️ | ✔️ | 🟡 |
AWD | FSK | ✔️ | ✔️ | 🟡 |
ioProx | FSK | ✔️ | ✔️ | 🟡 |
securakey | ASK | ✔️ | ✔️ | 🟡 |
gallagher | ASK | ✔️ | ✔️ | 🟡 |
PAC/Stanley | ASK | ✔️ | ✔️ | 🟡 |
Presco | ASK | ✔️ | ✔️ | 🟡 |
Visa2000 | ASK | ✔️ | ✔️ | 🟡 |
Viking | ASK | ✔️ | ✔️ | 🟡 |
Noralsy | ASK | ✔️ | ✔️ | 🟡 |
NexWatch | PSK | ✔️ | ✔️ | 🟡 |
Jablotron | ASK | ✔️ | ✔️ | 🟡 |