Proxgrind ChameleonTiny

  • €119.00

World's smallest portable RFID emulation multi-tool. 

Emulate multiple tags and tag types, sniff, crack and infiltrate with this keyring sized device.

Comes in two versions; the Pro version is fully wireless.


Introduction

The ChameleonMini is an RFID Emulation Device, capable of simulating multiple types of RFID Tag Formats in one device.

The ChameleonTiny is an impossibly small version of the Chamelon Mini RevG, designed as a keychain emulator for all your HF tags.

Emulating, storing and manipulating RFID tags is a vital part of any pentesting assignment. The ChameleonTiny is powerful and discrete, and its tiny physical size means it can be with you all the time.

The ChameleonTiny comes in two versions: Standard & Pro. The Pro Version includes Bluetooth / Wireless functionality.

Practical

Store all your badges on one tiny device.

Portable

Powerful RFID emulator device on your keychain.

Powerful

Highest performance ChameleonMini device available.

Durable

High-quality case & built-in battery with huge standby time.

Overview

The ChameleonMini is an RFID Emulation Device, capable of simulating multiple types of RFID Tag Formats in one device.

Proxgrind's ChameleonTiny is based on the RevG Framework, but optimised for size and portability.

  • Multiple Chipset Emulation
  • Read / Emulate Operations
  • MFKey32 Crack Support
  • UID Sniff
  • UID Fuzzing / Manipulation
    • Read / Write Lock
      • Advanced Sniffing & Logging
      • Open-Source

      Backed by a strong community of active development, the Chameleon Mini is a must have tool for anyone interested in RFID.

      Mobile Application Functionality

      The ChameleonTiny RevG is controllable on-the-fly via a fully-featured Android App.

      • Configure and control all aspects of the device via OTG cable
      • Save, restore, analyse and modify data dumps directly on your phone
      • Modify SAK/ATQA values in-app
      • Detect Sector Keys via reader
      • Manage keylists for MIFARE Classic® reading
      • Real-time device information

      Product Comparison

      There are several ChameleonMini devices available. The table below breaks down the differences in detail.

      If your are a penetration tester / researcher, or require wireless functionality, Lab401 recommends the ChameleonMini RevG by Proxgrind or the ChameleonTiny Pro.

      If you are looking to store all your tags in one device, or size is the most important factor for you, Lab401 recommends the ChameleonTiny.

      Feature RevG
      (Proxgrind)
      RevG
      (Original)
      RevG Tiny
      RevG Tiny Pro
      RevE Rebooted
      (Depreciated)
      Overview ⭐⭐⭐⭐⭐ ⭐⭐⭐ ⭐⭐⭐⭐ ⭐⭐⭐⭐⭐ ⭐⭐⭐
      Performance
      10/10 5/10
      8/10
      9/10
      6/10
      Compatibility 10/10 8/10 10/10 10/10 4/10
      Read Distance 10/10 3/10
      8/10 8/10
      6/10
      Bluetooth ✔️
      ✔️
      Technical Features
      MF32Key Crack ✔️ ✔️ ✔️ ✔️
      Low Power Sleep
      ✔️ ✔️ ✔️
      RF Field Wakeup ✔️ ✔️ ✔️ ✔️
      Button Wakeup
      ✔️ ✔️ ✔️ ✔️

      Auto-Power Off
      ✔️ ✔️ ✔️ ✔️
      Product Features
      Case ✔️ ✔️ ✔️ ✔️
      Li-ion Battery ✔️ ✔️ ✔️ ✔️
      Replaceable Antenna ✔️ ✔️
      8 LED Slots ✔️ ✔️ ✔️
      Battery Indicator ✔️ ✔️
      Android App ✔️ ✔️

      Tag Compatibility

      Emulation

      Card Codec Hardware Support Software Support Application Support
      Mifare Ultralight ISO 14443 A 106 kbit/s
      ✔️ ✔️ ✔️
      Mifare Ultralight EV1 ISO 14443 A 106 kbit/s ✔️ ✔️ ✔️
      Mifare Classic 1K/4K 4B/7B ISO 14443 A 106 kbit/s ✔️ ✔️ ✔️
      Mifare DESFire ISO 14443 A with higher data rates 🔵
      Lower Bitrates
      Possibly High Bitrate
      🔵
      Lower Bitrates

      Work in progress
      Mifare DESFire EV1 ISO 14443 A with higher data rates 🔵
      Lower Bitrates
      Possibly High Bitrate
      🔵
      Lower Bitrates
      Mifare DESFire EV2 ISO 14443 A with higher data rates 🔵
      Lower Bitrates
      Possibly High Bitrate
      🔵
      Lower Bitrates
      Mifare PLUS ISO 14443 A with higher data rates 🔵
      Lower Bitrates
      Possibly High Bitrate
      🔵
      Lower Bitrates
      NTAG (all types) ISO 14443 A 106 kbit/s ✔️ ✔️
      LEGIC prime LEGIC prime
      ISO 14443 A
      ISO 15693
      🔵 Possible
      ✔️
      ✔️

      🔵 Work in progress




      HID iCLASS 125 kHz
      ISO 15693
      ISO 14443 B

      ✔️
      ✔️

      🔵 Work in progress


      ePass ISO 14443 A
      ISO 14443 B
      ✔️
      ✔️
      🔵 Lower Bitrates


      ISO 15693 (All) ISO 15693 ✔️ 🔵 Work in progress

      Sniffing

      Non 13.36MHz Tags The ChameleonMini framework only supports 13.56MHz tags
      ISO 14443 A 106 kbit/s
      ✔️ PCD->PICC direction
      🔵 PICC > PCD Possible

      ✔️ PCD->PICC direction ✔️
      ISO 14443 A High bitrates
      🔵 Possible

      Reading

      Non 13.36MHz Tags The ChameleonMini framework only supports 13.56MHz tags
      Mifare Ultralight

      ✔️ ✔️ ✔️
      Mifare Classic 1K/4K 4B/7B
      ✔️ ✔️ ✔️
      Mifare DESFire
      ✔️ ✔️ 🔵 Work in progress

      What's included

      Shipping & Packaging

      • Each Chameleon is dispatched from Europe - no need to worry about slow shipping times, import duties or damaged goods.
      • Packed in a sturdy compact 85x130x45mm box.
      • We provide worldwide shipping with express options.

      Compatible Systems

      • Windows: XP, 7, 8, 10 (All Versions)
      • OS/X: 10.0 - 10.7 (All Versions)
      • Linux: Debian, Ubuntu, CentOS, etc (All Versions)
      • Android (via OTG): Specific Builds

      Chameleon Resources

      Technical Documents

      Frequently Asked Questions

      Does the ChameleonTiny support Mifare "Magic" commands?

      TL;DR: The ChameleonTiny supports both "Magic" mode and "Normal" modes. These modes are easily and quickly configured from cli, or the Android Application.

      The Mifare "Magic" commands are a hex sequence, 0x40 0x43 used on generation 1a Mifare "Magic" cards. This command unlocked Block 0 for writing, allowing the UID to be modified.

      Once these commands became known, they are also used as a means of detecting cloned Mifare Classic badges. Mifare Classic Readers check if the "0x40 0x43" command is accepted by the card - and if so - reject the tag as false.

      The original ChameleonMini RevE and RevG devices set the "Magic" functionality as a compile-time flag in the firmware, which required reflashing the device depending on the use.

      The new ChameleonTiny and Proxgrind ChameleonTiny RevG allow for real-time modification of this value via a dedicated command, which can be triggered via the Android Application, or via CLI command.

      The command is UIDMODE=[0|1] - where 0 disables the Magic commands, 1 enables the Magic commands

      Is the ChameleonTiny detectable as a "magic" card?

      As per above, "Magic" functionality is a user-definable setting. When the setting is enabled, the ChameleonTiny is detectable as a magic card.

      If the setting is disabled, the ChameleonTiny is not detected as a magic card.

      The command is UIDMODE=[0|1] - where 0 disables the Magic commands, 1 enables the Magic commands.

      Can the ChameleonTiny write cards?

      No. Although the hardware is capable, the current firmware of the ChameleonTiny is designed to emulate cards, not act as a writing device.

      We recommend the DL-533N to easily write 13.56MHz cards.

      Can the ChameleonTiny update via the RFID Interface?

      Not currently, although there are several feature requests for this on the Github repository, and the hardware is capable.

      How do I charge the ChameleonTiny?

      The ChameleonTiny has a USB-C port, allowing for charging and data transfer. The device will automatically charge when connected, and will stop charging when full. The White LED indicates battery level.

      Charging from 0 to 100% takes 2 hours.

      What is the battery life of the ChameleonTiny?

      Based on a usage of three times per day, with an average use time of 5 seconds, the device can be used for up to one year on a single charge!

      The battery has a capacity of 70mAh. Full power mode consumes 65mA; sleep mode consumes 4uA.

      What chipsets can the Chameleon Tiny emulate?

      Out of the box, the Chameleon Tiny can emulate MIFARE Classic® (1k & 4k, with 4 and 7 byte UIDs) and MIFARE Ultralight® (Standard, EV1 80 and 164 bytes), Vicinity, SL2S2002, TiTag Standard and EM4233.

      It also has hardware support (but currently no final public firmware) for MIFARE DESFire®, NTAG, iClass®, ePass, Legic, etc.

      It can also perform ISO15693 and ISO14443A sniffing.

      How do I configure the Chameleon Tiny?

      The Chameleon Tiny is cross platform (Windows / MacOS / Linux / Android) - and can be configured and operated entirely over serial connection / command-line interface.

      There is also an excellent Windows-based Chameleon UI tool, which allows for rapid configuration, dump transfer, and several useful analysis tools.

      Android users can also control the Chameleon Tiny via USB-C and the Official Chameleon Tiny Android application. Depending on your phone, this may require an OTG adaptor.

      How do I flash the Chameleon Tiny?

      The device can be flashed via any Windows / Linux or MacOS platforms.
      For up to date information and step-by-step instructions to flash your Chameleon Tiny, please refer to the official documentation here.

      Is the Chameleon Tiny Open Source?

      Absolutely. The Proxgrind Chameleon Tiny RevG is based on the open-source NFC tool ChameleonMini. Full source for the Proxgrind Chameleon Mini RevG can be found on the official github repo.

      Is the Chameleon Tiny Open Hardware?

      Yes, the schematics can be found on the official github repo.

      Does the Chameleon Tiny support wireless / Bluetooth ?

      No. The ChameleonTiny has a USB-C interface. For a Chameleon Tiny with wireless / Bluetooth interface, please check out the ChameleonMini RevG.

      How do I use the Android App with the Chameleon Tiny ?

      Download the Chameleon App for Android from Google Play here.
      Once installed, connect the Chameleon Tiny to your Android phone and launch the app.

      Depending on your phone handset, you may require a USB-C adaptor cable, and / or an OTG adaptor.

      Can I crack Mifare keys with a ChameleonTiny ?

      The ChameleonTiny supports the MFKey32 attack, otherwise known as the 'Reader Attack'. This attack allows for keys sent by the reader to be decoded.

      This decoded keys can then be used to decode a target tag.

      This attack is particulally useful for latest generation Mifare tags that have a hardened PRNG system.

      The MFKey32 Attack can be performed via the Windows Chameleon UI tool, or via the Chameleon Android App.

      Via the Android Application

      1. Configure the Android Application to use "Detection_1k" or "Detection 4k", depending on your target card.
      2. Write the original card UID into the "Analog Card Number" column.
        If you don't know this value, you can leave it blank.
      3. Clear the log, if required, by pressing the "Clear" button.

      4. Unplug the ChameleonTiny, and then place the ChameleonTiny on the target reader and swipe the original tag. Keys will be detected and saved.
      5. Reconnect the ChameleonTiny, and click on the "Decrypt" button. After a short delay, the sectors and keys will be revealed.
      6. If your Android handset has NFC/RFID functionality, you can place your phone on the original card, which will now be read using the newly cracked keys.

      Please note: If you see multiple red LEDs while the device is on the reader - the memory is full. Please reconnect the device and "Clear" the memory.

      Via Windows Application

      1. Load the application, connect the device, and click "Connect" (if the device is not automatically detected)
      2. Configure the first card slot to use "Detection_1k" or "Detection 4k", depending on your target card and click the "Apply" button.
      3. Unplug the ChameleonTiny, and then place the ChameleonTiny on the target reader and swipe the original tag. Keys will be detected and saved.

      4. Reconnect the ChameleonTiny, and click on the "MFKey32" button. After a short delay, the sectors and keys will be revealed.

      Can I change the SAK with the ChameleonTiny ?

      The SAK is a special one-byte value set in Sector 0, Block 0, Position 0x5. It is sometimes used to signal a compatibility mode, but more often used as a clone deterant. The Chameleon Tiny supports custom SAK modes.

      By default, the SAK value is 0x08. Changing the SAK is easy:

      Via the Android Application

      • Click the "SAK Mode" button to toggle the SAK Mode.

      Via the Windows Application or CLI

      • Issue the command SAKMODE=1 to enable, or SAKMODE=0 to disable the SAK mode.

      Once enabled, the device will transmit the SAK value according to the loaded dump.

      Unboxing the ChameleonTiny

      Get familiar with the ChameleonTiny in our unboxing video.
      It's called the tiny, but we are incredibly impressed by just how small it really is.

      Along with the full set of accessories, you'll see the ChameleonTiny is not only the smallest RFID emulator that exists, but it's the only choice for professionals.

      SHIPPING & PACKAGING

      • Products are dispatched from Europe - no need to worry about slow shipping times, import duties or damaged goods.
      • Packed in sturdy packaging to protect your product.
      • We provide world-wide shipping with express options.

      If you are an educational-facility, reseller or need several units, please contact us.