Proxgrind's ChameleonTiny is based on the RevG Framework, but optimised for size and portability.
Backed by a strong community of active development, the ChameleonMini is a must have tool for anyone interested in RFID.
The ChameleonTiny is controllable on-the-fly via a fully-featured Android App.
There are several ChameleonMini devices available. The table below breaks down the differences in detail.
Frequently Asked Questions
Does the ChameleonTiny support Mifare "Magic" commands?
TL;DR: The ChameleonTiny supports both "Magic" mode and "Normal" modes. These modes are easily and quickly configured from cli, or the Android Application.
The Mifare "Magic" commands are a hex sequence, 0x40 0x43 used on generation 1a Mifare "Magic" cards. This command unlocked Block 0 for writing, allowing the UID to be modified.
Once these commands became known, they are also used as a means of detecting cloned Mifare Classic badges. Mifare Classic Readers check if the "0x40 0x43" command is accepted by the card - and if so - reject the tag as false.
The original ChameleonMini RevE and RevG devices set the "Magic" functionality as a compile-time flag in the firmware, which required reflashing the device depending on the use.
The new ChameleonTiny and Proxgrind ChameleonTiny RevG allow for real-time modification of this value via a dedicated command, which can be triggered via the Android Application, or via CLI command.
The command is UIDMODE=[0|1] - where 0 disables the Magic commands, 1 enables the Magic commands
Is the ChameleonTiny detectable as a "magic" card?
As per above, "Magic" functionality is a user-definable setting. When the setting is enabled, the ChameleonTiny is detectable as a magic card.
If the setting is disabled, the ChameleonTiny is not detected as a magic card.
The command is UIDMODE=[0|1] - where 0 disables the Magic commands, 1 enables the Magic commands.
Can the ChameleonTiny write cards?
No. Although the hardware is capable, the current firmware of the ChameleonTiny is designed to emulate cards, not act as a writing device.
We recommend the DL-533N to easily write 13.56MHz cards.
Can the ChameleonTiny update via the RFID Interface?
Not currently, although there are several feature requests for this on the Github repository, and the hardware is capable.
How do I charge the ChameleonTiny?
The ChameleonTiny has a USB-C port, allowing for charging and data transfer. The device will automatically charge when connected, and will stop charging when full. The White LED indicates battery level.
Charging from 0 to 100% takes 2 hours.
What is the battery life of the ChameleonTiny?
Based on a usage of three times per day, with an average use time of 5 seconds, the device can be used for up to one year on a single charge!
The battery has a capacity of 70mAh. Full power mode consumes 65mA; sleep mode consumes 4uA.
What chipsets can the Chameleon Tiny emulate?
Out of the box, the Chameleon Tiny can emulate MIFARE Classic® (1k & 4k, with 4 and 7 byte UIDs) and MIFARE Ultralight® (Standard, EV1 80 and 164 bytes), Vicinity, SL2S2002, TiTag Standard and EM4233.
It also has hardware support (but currently no final public firmware) for MIFARE DESFire®, NTAG, iClass®, ePass, Legic, etc.
It can also perform ISO15693 and ISO14443A sniffing.
How do I configure the Chameleon Tiny?
The Chameleon Tiny is cross platform (Windows / MacOS / Linux / Android) - and can be configured and operated entirely over serial connection / command-line interface.
There is also an excellent Windows-based Chameleon UI tool, which allows for rapid configuration, dump transfer, and several useful analysis tools.
Android users can also control the Chameleon Tiny via USB-C and the Official Chameleon Tiny Android application. Depending on your phone, this may require an OTG adaptor.
Apple / iOS Users can use the "CT Manager" Application, available on the Apple Store.
How do I flash the Chameleon Tiny?
The device can be flashed via any Windows / Linux or MacOS platforms.
For up to date information and step-by-step instructions to flash your Chameleon Tiny, please refer to the official documentation here.
Is the Chameleon Tiny Open Source?
Absolutely. The Proxgrind Chameleon Tiny RevG is based on the open-source NFC tool ChameleonMini. Full source for the Proxgrind Chameleon Mini RevG can be found on the official github repo.
Is the Chameleon Tiny Open Hardware?
Yes, the schematics can be found on the official github repo.
Does the Chameleon Tiny support wireless / Bluetooth ?
No. The ChameleonTiny has a USB-C interface. For a Chameleon Tiny with wireless / Bluetooth interface, please check out the ChameleonMini RevG.
How do I use the Android App with the Chameleon Tiny ?
Download the Chameleon App for Android from Google Play here.
Once installed, connect the Chameleon Tiny to your Android phone and launch the app.
Depending on your phone handset, you may require a USB-C adaptor cable, and / or an OTG adaptor.
Can I crack Mifare keys with a ChameleonTiny ?
The ChameleonTiny supports the MFKey32 attack, otherwise known as the 'Reader Attack'. This attack allows for keys sent by the reader to be decoded.
This decoded keys can then be used to decode a target tag.
This attack is particulally useful for latest generation Mifare tags that have a hardened PRNG system.
The MFKey32 Attack can be performed via the Windows Chameleon UI tool, or via the Chameleon Android App.
Via the Android Application
- Configure the Android Application to use "Detection_1k" or "Detection 4k", depending on your target card.
- Write the original card UID into the "Analog Card Number" column.
If you don't know this value, you can leave it blank.
- Clear the log, if required, by pressing the "Clear" button.
- Unplug the ChameleonTiny, and then place the ChameleonTiny on the target reader and swipe the original tag. Keys will be detected and saved.
- Reconnect the ChameleonTiny, and click on the "Decrypt" button. After a short delay, the sectors and keys will be revealed.
- If your Android handset has NFC/RFID functionality, you can place your phone on the original card, which will now be read using the newly cracked keys.
Please note: If you see multiple red LEDs while the device is on the reader - the memory is full. Please reconnect the device and "Clear" the memory.
Via Windows Application
- Load the application, connect the device, and click "Connect" (if the device is not automatically detected)
- Configure the first card slot to use "Detection_1k" or "Detection 4k", depending on your target card and click the "Apply" button.
- Unplug the ChameleonTiny, and then place the ChameleonTiny on the target reader and swipe the original tag. Keys will be detected and saved.
- Reconnect the ChameleonTiny, and click on the "MFKey32" button. After a short delay, the sectors and keys will be revealed.
Can I change the SAK with the ChameleonTiny ?
The SAK is a special one-byte value set in Sector 0, Block 0, Position 0x5. It is sometimes used to signal a compatibility mode, but more often used as a clone deterant. The Chameleon Tiny supports custom SAK modes.
By default, the SAK value is 0x08. Changing the SAK is easy:
Via the Android Application
- Click the "SAK Mode" button to toggle the SAK Mode.
Via the Windows Application or CLI
- Issue the command SAKMODE=1 to enable, or SAKMODE=0 to disable the SAK mode.
Once enabled, the device will transmit the SAK value according to the loaded dump.
Get familiar with the ChameleonTiny in our unboxing video.
It's called the tiny, but we are incredibly impressed by just how small it really is.
Along with the full set of accessories, you'll see the ChameleonTiny is not only the smallest RFID emulator that exists, but it's the only choice for professionals.
