ProxGrind ChameleonTiny

World’s smallest portable RFID emulation multi-tool.

Emulate multiple tags and tag types, sniff, crack and infiltrate with this keyring sized device.

Comes in two versions; the Pro version is fully wireless.

£89.99


INTRODUCTION

The ChameleonMini is an RFID Emulation Device, capable of simulating multiple types of RFID Tag Formats in one device.

The ChameleonTiny is an impossibly small version of the ChameleonMini RevG, designed as a keychain emulator for all your HF tags.

Emulating, storing and manipulating RFID tags is a vital part of any pentesting assignment. The ChameleonTiny is powerful and discreet, and its tiny physical size means it can be with you all the time.

PRACTICAL

Store all your badges on one tiny device.

PORTABLE

Powerful RFID emulator device on your keychain.

POWERFUL

Highest performance ChameleonMini device available.

DURABLE

High-quality case & built-in battery with huge standby time.

OVERVIEW

Proxgrind’s ChameleonTiny is based on the RevG Framework, but optimised for size and portability.

  • Multiple Chipset Emulation
  • Read / Emulate Operations
  • MFKey32 Crack Support
  • UID Sniff
  • UID Fuzzing / Manipulation
  • Read / Write Lock
  • Advanced Sniffing & Logging
  • Open-Source

Backed by a strong community of active development, the Chameleon Mini is a must have tool for anyone interested in RFID.

MOBILE APPLICATION FUNCTIONALITY

The ChameleonTiny RevG is controllable on-the-fly via a fully-featured Android App.

  • Configure and control all aspects of the device via OTG cable
  • Save, restore, analyse and modify data dumps directly on your phone
  • Modify SAK/ATQA values in-app
  • Detect Sector Keys via reader
  • Manage keylists for MIFARE Classic® reading
  • Real-time device information

PRODUCT COMPARISON

There are several ChameleonMini devices available. The table below breaks down the differences in detail.

If you are a penetration tester / researcher, or require wireless functionality, Lab401 recommends the ChameleonMini RevG by Proxgrind.

If you are looking to store all your tags in one device, or size is the most important factor for you, Lab401 recommends the ChameleonTiny.

Feature | RevG (Proxgrind) | RevG (Original) | RevG Tiny | RevE Rebooted (Deprecated)
Overview ⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐
Performance | 10/10 | 5/10 | 8/10 | 6/10
Compatibility | 10/10 | 8/10 | 10/10 | 4/10
Read Distance | 10/10 | 3/10 | 8/10 | 6/10
Bluetooth✔️
Technical Features
MF32Key Crack✔️✔️✔️
Low Power Sleep✔️✔️
RF Field Wakeup✔️✔️✔️
Button Wakeup✔️✔️✔️
Auto-Power Off✔️✔️✔️
Product Features
Case✔️✔️✔️
Li-ion Battery✔️✔️✔️
Replaceable Antenna✔️
8 LED Slots✔️✔️✔️
Battery Indicator✔️
Android App✔️

TAG COMPATIBILITY

EMULATION

Card | Codec | Hardware Support | Software Support | Application Support
Mifare Ultralight | ISO 14443 A 106 kbit/s | ✔️ | ✔️ | ✔️
Mifare Ultralight EV1 | ISO 14443 A 106 kbit/s | ✔️ | ✔️ | ✔️
Mifare Classic 1K/4K 4B/7B | ISO 14443 A 106 kbit/s | ✔️ | ✔️ | ✔️
Mifare DESFireISO 14443 A with higher data rates🔵
Lower Bitrates
Possibly High Bitrate
🔵
Lower Bitrates

Work in progress
Mifare DESFire EV1ISO 14443 A with higher data rates🔵
Lower Bitrates
Possibly High Bitrate
🔵
Lower Bitrates
Mifare DESFire EV2ISO 14443 A with higher data rates🔵
Lower Bitrates
Possibly High Bitrate
🔵
Lower Bitrates
Mifare PLUSISO 14443 A with higher data rates🔵
Lower Bitrates
Possibly High Bitrate
🔵
Lower Bitrates
NTAG (all types)ISO 14443 A 106 kbit/s✔️✔️
LEGIC primeLEGIC prime
ISO 14443 A
ISO 15693
🔵 Possible
✔️
✔️

🔵 Work in progress


HID iCLASS125 kHz
ISO 15693
ISO 14443 B

✔️
✔️

🔵 Work in progress


ePassISO 14443 A
ISO 14443 B
✔️
✔️
🔵 Lower Bitrates

ISO 15693 (All)ISO 15693✔️🔵 Work in progress

SNIFFING

Non 13.56MHz Tags: The ChameleonMini framework only supports 13.56MHz tags
ISO 14443 A 106 kbit/s✔️ PCD->PICC direction
🔵 PICC > PCD Possible
✔️ PCD->PICC direction✔️
ISO 14443 A High bitrates🔵 Possible

READING

Non 13.56MHz Tags: The ChameleonMini framework only supports 13.56MHz tags
Mifare Ultralight | ✔️ | ✔️ | ✔️
Mifare Classic 1K/4K 4B/7B | ✔️ | ✔️ | ✔️
Mifare DESFire | ✔️ | ✔️ | 🔵 Work in progress

COMPATIBLE SYSTEMS

  • Windows: XP, 7, 8, 10 (All Versions)
  • OS/X: 10.0 – 10.7 (All Versions)
  • Linux: Debian, Ubuntu, CentOS, etc (All Versions)
  • Android (via OTG): Specific Builds

FREQUENTLY ASKED QUESTIONS

DOES THE CHAMELEONTINY SUPPORT MIFARE “MAGIC” COMMANDS?

The ChameleonTiny supports both “Magic” mode and “Normal” modes. These modes are easily and quickly configured from the CLI or the Android Application.

The Mifare “Magic” commands are a hex sequence, 0x40 0x43, used on generation 1a Mifare “Magic” cards. The sequence unlocks Block 0 for writing, allowing the UID to be modified.

Once these commands became known, they also came to be used as a means of detecting cloned Mifare Classic badges. Mifare Classic readers check whether the “0x40 0x43” command is accepted by the card and, if so, reject the tag as false.

The original ChameleonMini RevE and RevG devices set the “Magic” functionality as a compile-time flag in the firmware, which required reflashing the device depending on the use.

The new ChameleonTiny and Proxgrind ChameleonTiny RevG allow for real-time modification of this value via a dedicated command, which can be triggered via the Android Application, or via CLI command.

The command is UIDMODE=[0|1] – where 0 disables the Magic commands, 1 enables the Magic commands.

IS THE CHAMELEONTINY DETECTABLE AS A “MAGIC” CARD?

As per above, “Magic” functionality is a user-definable setting. When the setting is enabled, the ChameleonTiny is detectable as a magic card.

If the setting is disabled, the ChameleonTiny is not detected as a magic card.

The command is UIDMODE=[0|1] – where 0 disables the Magic commands, 1 enables the Magic commands.

CAN THE CHAMELEONTINY WRITE CARDS?

No. Although the hardware is capable, the current firmware of the ChameleonTiny is designed to emulate cards, not act as a writing device.

We recommend the DL-533N to easily write 13.56MHz cards.

CAN THE CHAMELEONTINY UPDATE VIA THE RFID INTERFACE?

Not currently, although there are several feature requests for this on the Github repository, and the hardware is capable.

HOW DO I CHARGE THE CHAMELEONTINY?

The ChameleonTiny has a USB-C port, allowing for charging and data transfer. The device will automatically charge when connected, and will stop charging when full. The White LED indicates battery level.

Charging from 0 to 100% takes 2 hours.

WHAT IS THE BATTERY LIFE OF THE CHAMELEONTINY?

Based on a usage of three times per day, with an average use time of 5 seconds, the device can be used for up to one year on a single charge!

The battery has a capacity of 70mAh. Full power mode consumes 65mA; sleep mode consumes 4uA.

WHAT CHIPSETS CAN THE CHAMELEON TINY EMULATE?

Out of the box, the Chameleon Tiny can emulate MIFARE Classic® (1k & 4k, with 4 and 7 byte UIDs) and MIFARE Ultralight® (Standard, EV1 80 and 164 bytes), Vicinity, SL2S2002, TiTag Standard and EM4233.

It also has hardware support (but currently no final public firmware) for MIFARE DESFire®, NTAG, iClass®, ePass, Legic, etc.

It can also perform ISO15693 and ISO14443A sniffing.

HOW DO I CONFIGURE THE CHAMELEON TINY?

The Chameleon Tiny is cross platform (Windows / MacOS / Linux / Android) – and can be configured and operated entirely over serial connection / command-line interface.

There is also an excellent Windows-based Chameleon UI tool, which allows for rapid configuration, dump transfer, and several useful analysis tools.

Android users can also control the Chameleon Tiny via USB-C and the Official Chameleon Tiny Android application. Depending on your phone, this may require an OTG adaptor.

HOW DO I FLASH THE CHAMELEON TINY?

The device can be flashed via any Windows / Linux or MacOS platforms.
For up to date information and step-by-step instructions to flash your Chameleon Tiny, please refer to the official documentation here.

IS THE CHAMELEON TINY OPEN SOURCE?

Absolutely. The Proxgrind Chameleon Tiny RevG is based on the open-source NFC tool ChameleonMini. Full source for the Proxgrind Chameleon Mini RevG can be found on the official github repo.

IS THE CHAMELEON TINY OPEN HARDWARE?

Yes, the schematics can be found on the official github repo.

DOES THE CHAMELEON TINY SUPPORT WIRELESS / BLUETOOTH ?

No. The ChameleonTiny has a USB-C interface. For a Chameleon Tiny with wireless / Bluetooth interface, please check out the ChameleonMini RevG.

HOW DO I USE THE ANDROID APP WITH THE CHAMELEON TINY ?

Download the Chameleon App for Android from Google Play here.
Once installed, connect the Chameleon Tiny to your Android phone and launch the app.

Depending on your phone handset, you may require a USB-C adaptor cable, and / or an OTG adaptor.

CAN I CRACK MIFARE KEYS WITH A CHAMELEONTINY ?

The ChameleonTiny supports the MFKey32 attack, otherwise known as the ‘Reader Attack’. This attack allows for keys sent by the reader to be decoded.

These decoded keys can then be used to decode a target tag.

This attack is particularly useful for latest generation Mifare tags that have a hardened PRNG system.

The MFKey32 Attack can be performed via the Windows Chameleon UI tool, or via the Chameleon Android App.

Via the Android Application

  1. Configure the Android Application to use “Detection_1k” or “Detection 4k”, depending on your target card.
  2. Write the original card UID into the “Analog Card Number” column.
    If you don’t know this value, you can leave it blank.
  3. Clear the log, if required, by pressing the “Clear” button.
  4. Unplug the ChameleonTiny, and then place the ChameleonTiny on the target reader and swipe the original tag. Keys will be detected and saved.
  5. Reconnect the ChameleonTiny, and click on the “Decrypt” button. After a short delay, the sectors and keys will be revealed.
  6. If your Android handset has NFC/RFID functionality, you can place your phone on the original card, which will now be read using the newly cracked keys.

Please note: If you see multiple red LEDs while the device is on the reader – the memory is full. Please reconnect the device and “Clear” the memory.

Via Windows Application

  1. Load the application, connect the device, and click “Connect” (if the device is not automatically detected)
  2. Configure the first card slot to use “Detection_1k” or “Detection 4k”, depending on your target card and click the “Apply” button.
  3. Unplug the ChameleonTiny, and then place the ChameleonTiny on the target reader and swipe the original tag. Keys will be detected and saved.
  4. Reconnect the ChameleonTiny, and click on the “MFKey32” button. After a short delay, the sectors and keys will be revealed.

CAN I CHANGE THE SAK WITH THE CHAMELEONTINY ?

The SAK is a special one-byte value set in Sector 0, Block 0, Position 0x5. It is sometimes used to signal a compatibility mode, but more often used as a clone deterrent. The Chameleon Tiny supports custom SAK modes.

By default, the SAK value is 0x08. Changing the SAK is easy:

Via the Android Application

  • Click the “SAK Mode” button to toggle the SAK Mode.

Via the Windows Application or CLI

  • Issue the command SAKMODE=1 to enable, or SAKMODE=0 to disable the SAK mode.

Once enabled, the device will transmit the SAK value according to the loaded dump.
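
As an added example (not code from Lab401 or the ChameleonMini project), the Python below reads the fields this answer refers to out of a 16-byte Block 0 from a MIFARE Classic dump with a 4-byte UID and lists the values an access-control auditor would want to review. Only the SAK offset 0x5 and the default value 0x08 come from this page; the UID, BCC and ATQA positions, the sample blocks and the finding names are assumptions made for the example.

```python
from dataclasses import dataclass
from functools import reduce

DEFAULT_SAK = 0x08  # default SAK value stated on this page

# Constructed sample blocks (not taken from any real card).
SAMPLE_OK = "01020304 04 08 0400 0000000000000000"
SAMPLE_ODD = "01020304 FF 88 0400 0000000000000000"


@dataclass
class Block0:
    uid: bytes   # bytes 0-3 (assumed 4-byte UID layout)
    bcc: int     # byte 4, XOR of the four UID bytes (assumed layout)
    sak: int     # byte 5, the position 0x5 named on this page
    atqa: bytes  # bytes 6-7 (assumed layout)

    @property
    def bcc_ok(self):
        # The check byte must equal the XOR of all UID bytes.
        return reduce(lambda a, b: a ^ b, self.uid) == self.bcc


def parse_block0(hex_block):
    """Split Sector 0, Block 0 of a dump into its leading fields."""
    raw = bytes.fromhex(hex_block)  # whitespace in the hex string is ignored
    if len(raw) != 16:
        raise ValueError("Block 0 must be exactly 16 bytes, got %d" % len(raw))
    return Block0(uid=raw[0:4], bcc=raw[4], sak=raw[5], atqa=raw[6:8])


def audit(hex_block, observed_sak=None):
    """Return findings for one dump; observed_sak is the SAK a reader logged."""
    block = parse_block0(hex_block)
    findings = []
    if not block.bcc_ok:
        findings.append("bcc-mismatch")
    if block.sak != DEFAULT_SAK:
        findings.append("non-default-sak")
    if observed_sak is not None and observed_sak != block.sak:
        findings.append("sak-differs-from-dump")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("odd", SAMPLE_ODD)):
        print(name, parse_block0(sample), audit(sample, observed_sak=0x08))
```

A finding is a prompt to look at the record, not proof of a clone.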
