Proxgrind ChameleonTiny
World's smallest portable RFID emulation multi-tool.
Emulate multiple tags and tag types, sniff, crack and infiltrate with this keyring sized device.
Comes in two versions; the Pro version is fully wireless.
Due to the Global Chip Shortage the ChameleonTiny is temporarily replaced with the ChameleonMini RevG Pro, which has the same functionality in a different size.
If you have any questions, please contact contact customer support for more information.
Introduction
The ChameleonTiny is an RFID Emulation Device, capable of simulating multiple types of RFID Tag Formats in one device.
The ChameleonTiny is an impossibly small version of the ChamelonMini, designed as a keychain emulator for all your HF tags.
Emulating, storing and manipulating RFID tags is a vital part of any pentesting assignment. The ChameleonTiny is powerful and discrete, and its tiny physical size means it can be with you all the time.
The ChameleonTiny comes in two versions: Standard & Pro. The Pro Version includes Bluetooth / Wireless functionality.
Practical
Store all your badges on one tiny device.
Portable
Powerful RFID emulator device on your keychain.
Powerful
Highest performance ChameleonMini device available.
Durable
High-quality case & built-in battery with huge standby time.
Overview
The ChameleonTiny is an RFID Emulation Device, capable of simulating multiple types of RFID Tag Formats in one device.
Proxgrind's ChameleonTiny is based on the RevG Framework, but optimised for size and portability.
- Multiple Chipset Emulation
- Read / Emulate Operations
- MFKey32 Crack Support
- UID Sniff
- UID Fuzzing / Manipulation
- Read / Write Lock
- Advanced Sniffing & Logging
- Open-Source
Backed by a strong community of active development, the ChameleonMini is a must have tool for anyone interested in RFID.
Mobile Application Functionality
The ChameleonTiny is controllable on-the-fly via a fully-featured Android App.
- Configure and control all aspects of the device via OTG cable
- Save, restore, analyse and modify data dumps directly on your phone
- Modify SAK/ATQA values in-app
- Detect Sector Keys via reader
- Manage keylists for MIFARE Classic® reading
- Real-time device information
Product Comparison
There are several ChameleonMini devices available. The table below breaks down the differences in detail.
If your are a penetration tester / researcher, or require wireless functionality, Lab401 recommends the ChameleonTiny or the ChameleonTiny Pro.
If you are looking to store all your tags in one device, or size is the most important factor for you, Lab401 recommends the ChameleonTiny.
| Feature | ChameleonTiny (Suspended) | ChameleonTiny Pro (Suspended) | RevG |
RevE Rebooted (Depreciated) |
RevE (Depreciated) |
|---|---|---|---|---|---|
| Overview | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐ |
| Performance |
10/10 | 10/10 |
9/10 |
7/10 |
6/10 |
| Compatibility | 9/10 | 10/10 | 8/10 | 6/10 | 4/10 |
| Read Distance | 10/10 | 10/10 |
8/10 | 6/10 |
4/10 |
| Bluetooth | ❌ |
✔️ | ✔️ | ❌ | ❌ |
| Technical Features | |||||
| MF32Key Crack | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| Low Power Sleep |
✔️ | ✔️ | ✔️ | ❌ | ❌ |
| RF Field Wakeup | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| Auto-Power Off | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| Product Features | |||||
| Case | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| Device Size | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐ |
| Battery Indicator | ✔️ | ✔️ | ✔️ | ❌ | ❌ |
| Android App | ✔️ | ✔️ | ✔️ | ❌ | ❌ |
Tag Compatibility
Emulation
| Card | Codec | Hardware Support | Software Support | Application Support |
|---|---|---|---|---|
| Mifare Ultralight | ISO 14443 A 106 kbit/s |
✔️ | ✔️ | ✔️ |
| Mifare Ultralight EV1 | ISO 14443 A 106 kbit/s | ✔️ | ✔️ | ✔️ |
| Mifare Classic 1K/4K 4B/7B | ISO 14443 A 106 kbit/s | ✔️ | ✔️ | ✔️ |
| Mifare DESFire | ISO 14443 A with higher data rates | 🔵 Lower Bitrates Possibly High Bitrate |
🔵 Lower Bitrates |
❌ Work in progress |
| Mifare DESFire EV1 | ISO 14443 A with higher data rates | 🔵 Lower Bitrates Possibly High Bitrate |
🔵 Lower Bitrates |
❌ |
| Mifare DESFire EV2 | ISO 14443 A with higher data rates | 🔵 Lower Bitrates Possibly High Bitrate |
🔵 Lower Bitrates |
❌ |
| Mifare PLUS | ISO 14443 A with higher data rates | 🔵 Lower Bitrates Possibly High Bitrate |
🔵 Lower Bitrates |
❌ |
| NTAG (all types) | ISO 14443 A 106 kbit/s | ✔️ | ✔️ | ❌ |
| LEGIC prime | LEGIC prime ISO 14443 A ISO 15693 |
🔵 Possible ✔️ ✔️ |
❌ 🔵 Work in progress ❌ |
❌ ❌ ❌ |
| HID iCLASS | 125 kHz ISO 15693 ISO 14443 B |
❌ ✔️ ✔️ |
❌ 🔵 Work in progress ❌ |
❌ ❌ ❌ |
| ePass | ISO 14443 A ISO 14443 B |
✔️ ✔️ |
🔵 Lower Bitrates ❌ |
❌ ❌ |
| ISO 15693 (All) | ISO 15693 | ✔️ | 🔵 Work in progress | ❌ |
Sniffing
| Non 13.36MHz Tags | The ChameleonMini framework only supports 13.56MHz tags | |||
| ISO 14443 A 106 kbit/s | ✔️ PCD->PICC direction 🔵 PICC > PCD Possible |
✔️ PCD->PICC direction | ✔️ | |
| ISO 14443 A High bitrates | 🔵 Possible | ❌ | ❌ | |
Reading
| Non 13.36MHz Tags |
The ChameleonMini framework only supports 13.56MHz tags |
|||
| Mifare Ultralight |
✔️ | ✔️ | ✔️ | |
| Mifare Classic 1K/4K 4B/7B | ✔️ | ✔️ | ✔️ | |
| Mifare DESFire | ✔️ | ✔️ | 🔵 Work in progress | |
What's included
- 1x ChameleonTiny RevG by Proxgrind
- 1x Case
- 1x USB-C Cable
- 1x GUI control software
- 1x Android Application "Chameleon"
- 1x iOS Application: "CT Manager"
Shipping & Packaging
- Each Chameleon is dispatched from Europe - no need to worry about slow shipping times, import duties or damaged goods.
- Packed in a sturdy compact 85x130x45mm box.
- We provide worldwide shipping with express options.
Compatible Systems
- Windows: XP, 7, 8, 10 (All Versions)
- OS/X: 10.0 - 10.7 (All Versions)
- Linux: Debian, Ubuntu, CentOS, etc (All Versions)
- Android (via OTG): Specific Builds
Chameleon Resources
Technical DocumentsSoftware Resources
Frequently Asked Questions
Does the ChameleonTiny support Mifare "Magic" commands?
TL;DR: The ChameleonTiny supports both "Magic" mode and "Normal" modes. These modes are easily and quickly configured from cli, or the Android Application.
The Mifare "Magic" commands are a hex sequence, 0x40 0x43 used on generation 1a Mifare "Magic" cards. This command unlocked Block 0 for writing, allowing the UID to be modified.
Once these commands became known, they are also used as a means of detecting cloned Mifare Classic badges. Mifare Classic Readers check if the "0x40 0x43" command is accepted by the card - and if so - reject the tag as false.
The original ChameleonMini RevE and RevG devices set the "Magic" functionality as a compile-time flag in the firmware, which required reflashing the device depending on the use.
The new ChameleonTiny and Proxgrind ChameleonTiny RevG allow for real-time modification of this value via a dedicated command, which can be triggered via the Android Application, or via CLI command.
The command is UIDMODE=[0|1] - where 0 disables the Magic commands, 1 enables the Magic commands
Is the ChameleonTiny detectable as a "magic" card?
As per above, "Magic" functionality is a user-definable setting. When the setting is enabled, the ChameleonTiny is detectable as a magic card.
If the setting is disabled, the ChameleonTiny is not detected as a magic card.
The command is UIDMODE=[0|1] - where 0 disables the Magic commands, 1 enables the Magic commands.
Can the ChameleonTiny write cards?
No. Although the hardware is capable, the current firmware of the ChameleonTiny is designed to emulate cards, not act as a writing device.
We recommend the DL-533N to easily write 13.56MHz cards.
Can the ChameleonTiny update via the RFID Interface?
Not currently, although there are several feature requests for this on the Github repository, and the hardware is capable.
How do I charge the ChameleonTiny?
The ChameleonTiny has a USB-C port, allowing for charging and data transfer. The device will automatically charge when connected, and will stop charging when full. The White LED indicates battery level.
Charging from 0 to 100% takes 2 hours.
What is the battery life of the ChameleonTiny?
Based on a usage of three times per day, with an average use time of 5 seconds, the device can be used for up to one year on a single charge!
The battery has a capacity of 70mAh. Full power mode consumes 65mA; sleep mode consumes 4uA.
What chipsets can the Chameleon Tiny emulate?
Out of the box, the Chameleon Tiny can emulate MIFARE Classic® (1k & 4k, with 4 and 7 byte UIDs) and MIFARE Ultralight® (Standard, EV1 80 and 164 bytes), Vicinity, SL2S2002, TiTag Standard and EM4233.
It also has hardware support (but currently no final public firmware) for MIFARE DESFire®, NTAG, iClass®, ePass, Legic, etc.
It can also perform ISO15693 and ISO14443A sniffing.
How do I configure the Chameleon Tiny?
The Chameleon Tiny is cross platform (Windows / MacOS / Linux / Android) - and can be configured and operated entirely over serial connection / command-line interface.
There is also an excellent Windows-based Chameleon UI tool, which allows for rapid configuration, dump transfer, and several useful analysis tools.
Android users can also control the Chameleon Tiny via USB-C and the Official Chameleon Tiny Android application. Depending on your phone, this may require an OTG adaptor.
Apple / iOS Users can use the "CT Manager" Application, available on the Apple Store.
How do I flash the Chameleon Tiny?
The device can be flashed via any Windows / Linux or MacOS platforms.
For up to date information and step-by-step instructions to flash your Chameleon Tiny, please refer to the official documentation here.
Is the Chameleon Tiny Open Source?
Absolutely. The Proxgrind Chameleon Tiny RevG is based on the open-source NFC tool ChameleonMini. Full source for the Proxgrind Chameleon Mini RevG can be found on the official github repo.
Is the Chameleon Tiny Open Hardware?
Yes, the schematics can be found on the official github repo.
Does the Chameleon Tiny support wireless / Bluetooth ?
No. The ChameleonTiny has a USB-C interface. For a Chameleon Tiny with wireless / Bluetooth interface, please check out the ChameleonMini RevG.
How do I use the Android App with the Chameleon Tiny ?
Download the Chameleon App for Android from Google Play here.
Once installed, connect the Chameleon Tiny to your Android phone and launch the app.
Depending on your phone handset, you may require a USB-C adaptor cable, and / or an OTG adaptor.
Can I crack Mifare keys with a ChameleonTiny ?
The ChameleonTiny supports the MFKey32 attack, otherwise known as the 'Reader Attack'. This attack allows for keys sent by the reader to be decoded.
This decoded keys can then be used to decode a target tag.
This attack is particulally useful for latest generation Mifare tags that have a hardened PRNG system.
The MFKey32 Attack can be performed via the Windows Chameleon UI tool, or via the Chameleon Android App.
Via the Android Application
- Configure the Android Application to use "Detection_1k" or "Detection 4k", depending on your target card.
- Write the original card UID into the "Analog Card Number" column.
If you don't know this value, you can leave it blank.
- Clear the log, if required, by pressing the "Clear" button.
- Unplug the ChameleonTiny, and then place the ChameleonTiny on the target reader and swipe the original tag. Keys will be detected and saved.
- Reconnect the ChameleonTiny, and click on the "Decrypt" button. After a short delay, the sectors and keys will be revealed.
- If your Android handset has NFC/RFID functionality, you can place your phone on the original card, which will now be read using the newly cracked keys.
Please note: If you see multiple red LEDs while the device is on the reader - the memory is full. Please reconnect the device and "Clear" the memory.
Via Windows Application
- Load the application, connect the device, and click "Connect" (if the device is not automatically detected)
- Configure the first card slot to use "Detection_1k" or "Detection 4k", depending on your target card and click the "Apply" button.
- Unplug the ChameleonTiny, and then place the ChameleonTiny on the target reader and swipe the original tag. Keys will be detected and saved.
- Reconnect the ChameleonTiny, and click on the "MFKey32" button. After a short delay, the sectors and keys will be revealed.
Can I change the SAK with the ChameleonTiny ?
The SAK is a special one-byte value set in Sector 0, Block 0, Position 0x5. It is sometimes used to signal a compatibility mode, but more often used as a clone deterant. The Chameleon Tiny supports custom SAK modes.
By default, the SAK value is 0x08. Changing the SAK is easy:
Via the Android Application
- Click the "SAK Mode" button to toggle the SAK Mode.
Via the Windows Application or CLI
- Issue the command SAKMODE=1 to enable, or SAKMODE=0 to disable the SAK mode.
Once enabled, the device will transmit the SAK value according to the loaded dump.
Unboxing the ChameleonTiny
Get familiar with the ChameleonTiny in our unboxing video.
It's called the tiny, but we are incredibly impressed by just how small it really is.
Along with the full set of accessories, you'll see the ChameleonTiny is not only the smallest RFID emulator that exists, but it's the only choice for professionals.
SHIPPING & PACKAGING INFORMATION
Lab401's engagement is to get your orders to you as quickly as possible in a perfect condition. All packages are insured to 100% of the value, and Lab401 Delivery Protection can be used to ensure immediate re-shipment if a package is lost or damaged.
All orders are securely packaged. Premium and Express orders are further protected in an untearable polyurethane satchel, ensuring that your package is not tampered with during delivery.
To ensure privacy and reduce theft, all packages are anonymous - there is no mention of product contents or Lab401 branding on the outside of the packaging.
Shipping Options
Lab401 provides three types of shipping options:
- Eco Delivery
- Premium Delivery
- Urgent Express Delivery
Eco Delivery is for available light and slim orders, particulaly cards, keyfobs and accessories. It is dispatched by La Poste (French postal system) and tracked.
Premium Delivery is our default shipping option: fast and reliable delivery via courier. Depending on the destination, Premium Delivery use UPS, DHL, FedEx, Chronopost or Colissimo.
Urgent Express Delivery uses the fastest possible delivery method possible: UPS Express, FedEx Express, DHL Express or Chronopost Express.
Lab401 provides same day shipping for Urgent Express orders made before 12PM GST+1.
Do you provide free shipping?
Yes - orders over 650€ excluding taxes have free shipping.
Customers that qualify for free shipping can still select rapid shipping options.
When will I receive my order?
Average order times can be estimated below.
Average shipping estimates can be seen by selecting the destination country / region below.
While actual shipping times may vary - these estimations are built off our real delivery statistics. To receive an order as quickly as possible, we recommend:
- Use the Urgent Express shipping method
- Use same day shipment by placing the order before 12PM GMT+1
Do you ship internationally?
We ship world-wide, but due to logistical or legal restrictions, we are unable to ship to the following countries: Argentina, Belarus, Bolivia, Brazil, Cambodia, Chile, Ecuador, Georgia, India, Iraq, Kazakhstan, Kuwait, Liberia, Libya, Nepal, Oman, Panama, Peru, Russia, South Africa (8 of 9 provinces - only authorized Gauteng), Turkey, Ukraine, Vietnam
Due to the current situation, shipping to the Ukraine is currently not possible.
Where do you ship from?
All items are dispatched from France. You will receive a tracking number upon item dispatch. The address used on your purchase is printed as a label - please double check your address to avoid mistakes.
When will my order be dispatched?
Lab401 dispatches orders Monday - Friday.
All orders placed before 12PM GMT+1 will be dispatched the same day. All orders placed after this cutoff time will be dispatched the next business day.
For example:
- An order placed Friday, 9AM GMT+1 will be dispatched the same day.
- An order placed on Friday, 6PM GMT+1 will be dispatched Monday.
- An order placed on Saturday will be dispatched Monday
For any questions, please contact customer support.
How are import duties / customs handled?
For all European Union destinations, all shipments are DDP - Delivered Duty Paid. This means all applicable VAT/TVA, shipping costs and customs fees are pre-paid.
You will not be charged by the courier service / post office or customs.
For all destinations outside European Union, all shipments are DDU - Delivered Duty Unpaid. This means that your country's custom service impose a VAT/TVA/Import Duty on your shipment.
I am charged VAT ?
Lab401 (ETOILE 401 SAS) is an EU-Registered entity. VAT is applicable to purchases delivered within the EU, with exceptions for VAT Registered entities. VAT is calculated at checkout. For your convenience, you can browse Lab401 with prices Including VAT and Excluding VAT.
Sales are contractual
Please note - a purchase is an explicit agreement of our terms and conditions. Any products refused by clients will not be refunded.
Purchase Security Validation may be applied
To protect against credit card fraud, orders may be flagged for Purchase Security Validation. In this instance, we will reach out to the customer to perform a manual verification process.
Orders that are flagged for Purchase Security Validation are considered to be incomplete until validated. Our delivery deadline obligations begin only when an order is validated.
Delivery Protection
Is my delivery protected?
All Lab401 shipments are insured with the carrier.We also provide an advanced insurance, Lab401 Delivery Protection.
Lab401 Delivery Protection means we remain fully responsible for the package right up to delivery. If the package is lost or damaged, the package can be resent immediately (48 business hours) upon receipt of proof.
For orders without Delivery Protection, lost or damaged packages will pass through the carrier's protocols, which can take well over 30 days.
For orders that are time-sensitive, we recommend Lab401 Delivery Protection.
Delivery Protection can be purchased at checkout easily and cheaply.