#pentestips - Loading a Custom SAK with the ChameleonTiny

Posted by Lab401 Lee on

- SAK ("Select Acknowledge") values are manufacturer-defined values found in the header of ISO 14443 Type A cards, which include the Mifare family (Ultralight, Mifare 1K, DESFire, etc.).


- These values are hard-written during production, and cannot be changed on original badges.


- Non-standard SAK values are rejected by many readers, and most blank badges have fixed SAK values. Some access cards use custom SAK values to attempt to thwart card reading and cloning.


- The ChameleonTiny has a new SAK Mode, which makes using custom SAK values very easy.


- When "SAK Mode" is enabled, the ChameleonMini will take the SAK value from the Block0 configuration.

[Load Hex-editor with Mifare 1K dump] (StandardSAK.dmp / png)

- In this Mifare Classic 1K dump, we see that byte 0x5 has a value of "0x08" - the default value for a MIFARE Card.

- If we want to change the SAK value to "88", a code commonly used in Chinese access control products, we change this byte to "88".

- For the ChameleonTiny to respect this custom SAK value, we need to enable the special SAK Mode:

[Load APP]
[Connect Device]
[Select Badge Slot]
[Upload Dump File ModifiedSak.dmp]
[Click "SAK Mode"]

- The Chameleon is now emulating our custom SAK value.
- We can verify this by reading the ChameleonTiny with our phone while still in the Chameleon application.

[Place ChameleonTiny on the phone, badge will be read with the custom SAK value]
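
The byte 0x5 edit described above, done in Python instead of a hex editor. This is an added example, not Lab401's code. It assumes a 1024-byte raw dump of a 4-byte-UID card, where block 0 holds the UID, the BCC check byte, the SAK and the ATQA; the function names and the sample dump are constructed for illustration.

```python
"""Inspect and edit the SAK byte in block 0 of a MIFARE Classic 1K dump."""

DUMP_SIZE = 1024   # 64 blocks of 16 bytes
SAK_OFFSET = 0x05  # byte 0x5 of block 0, as shown in the post


def parse_block0(dump: bytes) -> dict:
    """Return the block 0 header fields of a 4-byte-UID dump."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE} bytes, got {len(dump)}")
    uid, bcc = dump[0:4], dump[4]
    # BCC is the XOR of the four UID bytes; a mismatch means a corrupt dump.
    calc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return {
        "uid": uid.hex(),
        "bcc_ok": bcc == calc,
        "sak": dump[SAK_OFFSET],
        "atqa_raw": dump[6:8].hex(),  # bytes as stored in the dump
    }


def with_sak(dump: bytes, sak: int) -> bytes:
    """Return a copy of the dump with only the SAK byte replaced."""
    parse_block0(dump)  # reuse the size check
    if not 0 <= sak <= 0xFF:
        raise ValueError("SAK must fit in one byte")
    out = bytearray(dump)
    out[SAK_OFFSET] = sak
    return bytes(out)


def make_sample_dump() -> bytes:
    """Constructed sample: UID 01020304, default SAK 0x08, all else zero."""
    uid = bytes.fromhex("01020304")
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)
    return block0 + bytes(DUMP_SIZE - len(block0))


if __name__ == "__main__":
    standard = make_sample_dump()
    modified = with_sak(standard, 0x88)
    print("standard:", parse_block0(standard))
    print("modified:", parse_block0(modified))
```
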
