Introduction
The ChameleonMini is an RFID Emulation Device, capable of simulating multiple types of RFID Tag Formats in one device.
The Chameleon Mini RevG by Proxgrind is newest and most powerful Chameleon Mini, providing enhanced performance, Bluetooth, and an expanded command toolset.
European Exclusive to Lab401 and the cheapest on the market. Now's the time to add this killer tool to your RFID toolkit.
Professional
Built for professionals: highest quality construction & performance.
Portable
Built in Bluetooth and bundled Android App for on-the-fly use.
Powerful
Highest performance ChameleonMini device available.
Durable
High-quality case & built-in battery with huge standby time.
Overview
The ChameleonMini is an RFID Emulation Device, capable of simulating multiple types of RFID Tag Formats in one device.
Proxgrind's ChameleonMini RevG is the most capable RFID emulation tool available, providing:
- Multiple Chipset Emulation
- Read / Emulate Operations
- MFKey32 Crack Support
- Bluetooth & Android App
- UID Sniff
- UID Fuzzing / Manipulation
- Read / Write Lock
- Advanced Sniffing & Logging
- Open-Source
Backed by a strong community of active development, the Chameleon Mini is a must have tool for anyone interested in RFID.
Wireless Functionality
The Proxgrind ChameleonMini RevG is the first and only version of the device to include wireless functionality via Bluetooth. This patented technology, in conjunction with the free companion application for Android allows for unprecedented functionality for pentesters and researchers alike.
- Configure and control all aspects of the device wirelessly
- Save, restore, analyse and modify data dumps directly on your phone
- Modify SAK/ATQA values in-app
- Detect Sector Keys via reader
- Manage keylists for MIFARE Classic® reading
- Real-time device information
Product Comparison
There are several ChameleonMini devices available. The table below breaks down the differences in detail.
If your are a penetration tester / researcher, or require wireless functionality, Lab401 recommends the ChameleonMini RevG by Proxgrind or the ChameleonTiny Pro.
If you are looking to store all your tags in one device, or size is the most important factor for you, Lab401 recommends the ChameleonTiny.
Feature | RevG (Proxgrind) | RevG (Original) | RevG Tiny | RevG Tiny Pro | RevE Rebooted (Depreciated) |
---|---|---|---|---|---|
Overview | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ |
Performance | 10/10 | 5/10 | 8/10 | 9/10 | 6/10 |
Compatibility | 10/10 | 8/10 | 10/10 | 10/10 | 4/10 |
Read Distance | 10/10 | 3/10 | 8/10 | 8/10 | 6/10 |
Bluetooth | ✔️ | ❌ | ❌ | ✔️ | ❌ |
Technical Features | |||||
MF32Key Crack | ✔️ | ❌ | ✔️ | ✔️ | ✔️ |
Low Power Sleep | ✔️ | ❌ | ✔️ | ✔️ | ❌ |
RF Field Wakeup | ✔️ | ❌ | ✔️ | ✔️ | ✔️ |
Button Wakeup | ✔️ | ❌ | ✔️ | ✔️ | ✔️ |
Auto-Power Off | ✔️ | ❌ | ✔️ | ✔️ | ✔️ |
Product Features | |||||
Case | ✔️ | ❌ | ✔️ | ✔️ | ✔️ |
Li-ion Battery | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Replaceable Antenna | ✔️ | ❌ | ❌ | ✔️ | ❌ |
8 LED Slots | ✔️ | ❌ | ✔️ | ❌ | ✔️ |
Battery Indicator | ✔️ | ❌ | ❌ | ✔️ | ❌ |
Android App | ✔️ | ❌ | ❌ | ✔️ | ❌ |
Tag Compatibility
Emulation
Card | Codec | Hardware Support | Software Support | Application Support |
---|---|---|---|---|
Mifare Ultralight | ISO 14443 A 106 kbit/s | ✔️ | ✔️ | ✔️ |
Mifare Ultralight EV1 | ISO 14443 A 106 kbit/s | ✔️ | ✔️ | ✔️ |
Mifare Classic 1K/4K 4B/7B | ISO 14443 A 106 kbit/s | ✔️ | ✔️ | ✔️ |
Mifare DESFire | ISO 14443 A with higher data rates | 🔵 Lower Bitrates Possibly High Bitrate | 🔵 Lower Bitrates | ❌ Work in progress |
Mifare DESFire EV1 | ISO 14443 A with higher data rates | 🔵 Lower Bitrates Possibly High Bitrate | 🔵 Lower Bitrates | ❌ |
Mifare DESFire EV2 | ISO 14443 A with higher data rates | 🔵 Lower Bitrates Possibly High Bitrate | 🔵 Lower Bitrates | ❌ |
Mifare PLUS | ISO 14443 A with higher data rates | 🔵 Lower Bitrates Possibly High Bitrate | 🔵 Lower Bitrates | ❌ |
NTAG (all types) | ISO 14443 A 106 kbit/s | ✔️ | ✔️ | ❌ |
LEGIC prime | LEGIC prime ISO 14443 A ISO 15693 | 🔵 Possible ✔️ ✔️ | ❌ 🔵 Work in progress ❌ | ❌ ❌ ❌ |
HID iCLASS | 125 kHz ISO 15693 ISO 14443 B | ❌ ✔️ ✔️ | ❌ 🔵 Work in progress ❌ | ❌ ❌ ❌ |
ePass | ISO 14443 A ISO 14443 B | ✔️ ✔️ | 🔵 Lower Bitrates ❌ | ❌ ❌ |
ISO 15693 (All) | ISO 15693 | ✔️ | 🔵 Work in progress | ❌ |
Sniffing
Non 13.36MHz Tags | The ChameleonMini framework only supports 13.56MHz tags | |||
ISO 14443 A 106 kbit/s | ✔️ PCD->PICC direction 🔵 PICC > PCD Possible | ✔️ PCD->PICC direction | ✔️ | |
ISO 14443 A High bitrates | 🔵 Possible | ❌ | ❌ |
Reading
Non 13.36MHz Tags | The ChameleonMini framework only supports 13.56MHz tags | |||
Mifare Ultralight | ✔️ | ✔️ | ✔️ | |
Mifare Classic 1K/4K 4B/7B | ✔️ | ✔️ | ✔️ | |
Mifare DESFire | ✔️ | ✔️ | 🔵 Work in progress |
What's included
- 1x Chameleon RevG by Proxmark
- 1x Case
- 1x Micro USB Cable
- 1x GUI control software
- 1x Android Application "Chameleon"
Shipping & Packaging
- Each Chameleon is dispatched from Europe - no need to worry about slow shipping times, import duties or damaged goods.
- Packed in a sturdy compact 85x130x45mm box.
- We provide worldwide shipping with express options.
Compatible Systems
- Windows: XP, 7, 8, 10 (All Versions)
- OS/X: 10.0 - 10.7 (All Versions)
- Linux: Debian, Ubuntu, CentOS, etc (All Versions)
- Android: Specific Builds
Chameleon Resources
Technical DocumentsIMPORTANT
The ChameleonMini RevG by Proxgrind implements patented technology from Info Wise Limited. Licence for use of the device for non-commercial purposes is included with device purchase.
All commercial use of the ChameleonMini RevG by Proxgrind is subject to licence from Info Wise Limited.
Frequently Asked Questions
Does the ChameleonMini RevG support Mifare "Magic" commands?
TL;DR: The Chameleon Mini RevG supports both "Magic" mode and "Normal" modes. These modes are easily and quickly configured from cli, or the Android Application.
The Mifare "Magic" commands are a hex sequence, 0x40 0x43 used on generation 1a Mifare "Magic" cards. This command unlocked Block 0 for writing, allowing the UID to be modified.
Once these commands became known, they are also used as a means of detecting cloned Mifare Classic badges. Mifare Classic Readers check if the "0x40 0x43" command is accepted by the card - and if so - reject the tag as false.
The original ChameleonMini RevE and RevG devices set the "Magic" functionality as a compile-time flag in the firmware, which required reflashing the device depending on the use.
The new ChameleonTiny and Proxgrind ChameleonMini RevG allow for real-time modification of this value via a dedicated command, which can be triggered via the Android Application, or via CLI command.
The command is UIDMODE=[0|1] - where 0 disables the Magic commands, 1 enables the Magic commands
Is the ChameleonMini RevG detectable as a "magic" card?
As per above, "Magic" functionality is a user-definable setting. When the setting is enabled, the ChameleonMini RevG is detectable as a magic card.
If the setting is disabled, the ChameleonMini RevG is not detected as a magic card.
The command is UIDMODE=[0|1] - where 0 disables the Magic commands, 1 enables the Magic commands.
Can the ChameleonMini RevG write cards?
No. Although the hardware is capable, the current firmware of the ChameleonMini RevG is designed to emulate cards, not act as a writing device.
We recommend the DL-533N to easily write 13.56MHz cards.
Can the ChameleonMini RevG update via the RFID Interface?
Not currently, although there are several feature requests for this on the Github repository, and the hardware is capable.
How do I charge the ChameleonMini RevG?
The ChameleonMini RevG has a MicroUSB port, allowing for charging and data transfer. The device will automatically charge when connected, and will stop charging when full. The White LED indicates battery level.
Charging from 0 to 100% takes 2 hours.
What is the battery life of the ChameleonMini RevG?
Based on a usage of three times per day, with an average use time of 5 seconds, the device can be used for up to one year on a single charge!
The battery has a capacity of 70mAh. Full power mode consumes 65mA; sleep mode consumes 4uA.
What chipsets can the Chameleon Mini RevG emulate?
Out of the box, the Chameleon Mini RevG can emulate MIFARE Classic® (1k & 4k, with 4 and 7 byte UIDs) and MIFARE Ultralight® (Standard, EV1 80 and 164 bytes), Vicinity, SL2S2002, TiTag Standard and EM4233.
It also has hardware support (but currently no final public firmware) for MIFARE DESFire®, NTAG, iClass®, ePass, Legic, etc.
It can also perform ISO15693 and ISO14443A sniffing.
How do I configure the Chameleon Mini RevG?
The Chameleon Mini RevG is cross platform (Windows / MacOS / Linux / Android) - and can be configured and operated entirely over serial connection / command-line interface.
There is also an excellent Windows-based Chameleon UI tool, which allows for rapid configuration, dump transfer, and several useful analysis tools.
Android users can also control the Chameleon Mini RevG via BLE or MicroUSB and the Official Chameleon Mini RevG Android application.
How do I flash the Chameleon Mini RevG?
The device can be flashed via any Windows / Linux or MacOS platforms.
For up to date information and step-by-step instructions to flash your Chameleon Mini RevG, please refer to the official documentation here.
Is the Chameleon Mini RevG Open Source?
Absolutely. The Proxgrind Chameleon Mini RevG is based on the open-source NFC tool ChameleonMini. Full source for the Proxgrind Chameleon Mini RevG can be found on the official github repo.
Is the Chameleon Mini RevG Open Hardware?
Yes, the schematics can be found on the official github repo.
Does the Chameleon Mini RevG support wireless / Bluetooth ?
Absolutely. The ChameleonMini RevG supports wired and wireless communication via BLE. All functionality supported via cable is supported via wireless.
How do I use the Android App with the Chameleon Mini RevG ?
Download the Chameleon App for Android from Google Play here.
Once installed, connect the Chameleon Mini RevG to your Android phone and launch the app.
Can I crack Mifare keys with a ChameleonMini RevG ?
The ChameleonMini RevG supports the MFKey32 attack, otherwise known as the 'Reader Attack'. This attack allows for keys sent by the reader to be decoded.
This decoded keys can then be used to decode a target tag.
This attack is particulally useful for latest generation Mifare tags that have a hardened PRNG system.
The MFKey32 Attack can be performed via the Windows Chameleon UI tool, or via the Chameleon Android App.
Via the Android Application
- Configure the Android Application to use "Detection_1k" or "Detection 4k", depending on your target card.
- Write the original card UID into the "Analog Card Number" column.
If you don't know this value, you can leave it blank.
- Clear the log, if required, by pressing the "Clear" button.
- Place the ChameleonMini RevG on the target reader and swipe the original tag. Keys will be detected and saved.
- Reconnect the ChameleonMini RevG, and click on the "Decrypt" button. After a short delay, the sectors and keys will be revealed.
- If your Android handset has NFC/RFID functionality, you can place your phone on the original card, which will now be read using the newly cracked keys.
Please note: If you see multiple red LEDs while the device is on the reader - the memory is full. Please reconnect the device and "Clear" the memory.
Via Windows Application
- Load the application, connect the device, and click "Connect" (if the device is not automatically detected)
- Configure the first card slot to use "Detection_1k" or "Detection 4k", depending on your target card and click the "Apply" button.
- Place the ChameleonMini RevG on the target reader and swipe the original tag. Keys will be detected and saved.
- Reconnect the ChameleonMini RevG, and click on the "MFKey32" button. After a short delay, the sectors and keys will be revealed.
Can I change the SAK with the ChameleonMini RevG ?
The SAK is a special one-byte value set in Sector 0, Block 0, Position 0x5. It is sometimes used to signal a compatibility mode, but more often used as a clone deterant. The Chameleon Mini RevG supports custom SAK modes.
By default, the SAK value is 0x08. Changing the SAK is easy:
Via the Android Application
- Click the "SAK Mode" button to toggle the SAK Mode.
Via the Windows Application or CLI
- Issue the command SAKMODE=1 to enable, or SAKMODE=0 to disable the SAK mode.
Once enabled, the device will transmit the SAK value according to the loaded dump.
Unboxing the ChameleonMini RevG
Get familiar with the ChameleonMini RevG in our unboxing video.
As with all other Proxgrind hardware - the device is incredibly professional from packaging. The device is compact and discreet with a very nice soft-touch finish on the case. Although this is a wireless RFID emulator, the MicroUSB port is used for charging, and can be also used for data transfer - so a cable is included.