00:00 - 00:06

The Chameleon Ultra is the world's smallest RFID emulation device featuring advanced capabilities

00:06 - 00:12

like low and high frequency emulation, cutting-edge cracking technology and wireless control,

00:12 - 00:17

all packed in a compact, keychain-sized, fully open-source device. Today's video

00:17 - 00:27

is how to Chameleon Ultra. [Music] Hi, my name is Sandy from LAB401.com. Today I am joined by

00:27 - 00:33

GameTec-Live, the talented team programmer behind the ChameleonUltraGUI, and we will go through all

00:33 - 00:39

the settings of the app on PC, Android and iPhone for you. To begin with, where to download the app:

00:39 - 00:47

for iOS devices like the iPhone, the iPad, the iPod touch and macOS 10.14 or later, you can

00:47 - 00:53

download the ChameleonUltraGUI from the Apple Store; the direct link is available here. Additionally, you

00:53 - 00:59

can join TestFlight to get earlier builds of the application. For Android users, the ChameleonUltraGUI

00:59 - 01:06

can be downloaded from the Google Play Store; the direct link of the app is here. There is also

01:06 - 01:12

an option to download a plain APK version if needed. The ChameleonUltraGUI is available for

01:12 - 01:17

Windows, Linux and macOS; you can download it for these platforms from the ChameleonUltraGUI

01:17 - 01:23

GitHub page. Additionally, for Windows you can use an Android emulator to download and install

01:23 - 01:28

the ChameleonUltraGUI on your computer or laptop. Now that the app is installed on your device, you

01:28 - 01:34

need to connect the Chameleon Ultra. For that you can use two methods: using a USB-C cable and plugging

01:34 - 01:40

the Chameleon Ultra into your device, or connecting through Bluetooth. Bluetooth allows a wireless

01:40 - 01:46

connection on mobile devices, iOS and Android, but it is way slower than a wired connection. A

01:46 - 01:51

wired connection, on the other hand, is faster and more reliable, especially when you are working in

01:51 - 01:57

an area with strong RF interference, but you're tethered to your device. Note that wired is the

01:57 - 02:03

only way to connect on desktop devices, as there is no Bluetooth library support for desktop. When

02:03 - 02:09

connected, open the app; an image of the connected device will appear. The app will control the

02:09 - 02:14

Chameleon Ultra, the Chameleon Ultra Lite and the Chameleon Ultra dev kit. Also note that an image of

02:14 - 02:19

the Chameleon Ultra will be displayed when you are using the Chameleon Ultra dev kit, as there

02:19 - 02:25

is no way to differentiate the dev kit from the Chameleon Ultra. To interact with a connected Chameleon,

02:25 - 02:31

just click or tap on the image. Note that if there are multiple Chameleons plugged in or in Bluetooth

02:31 - 02:36

range, they will all show up on that page. When connected, the app will let you know if you are

02:36 - 02:43

running a 1.0 version of the firmware and offer to update it; you can update or skip. The app

02:43 - 02:50

design is pretty intuitive: there is a navigation bar on the left side showing six pages. By default

02:50 - 02:55

you will be on the home page, of course. The right side of the screen will display the functions you can

02:55 - 03:02

control on each page. The six pages are: Home, so the home page; Slot Manager, the page to manage the

03:02 - 03:07

eight slots of the device (eight high frequency, eight low frequency), assign cards to the slots

03:07 - 03:14

and choose emulation modes, etc.; then you have Saved Cards, where you can find your saved cards, of course,

03:14 - 03:19

but it is also the location of the dictionaries; then you have Read Cards, where you can read cards,

03:19 - 03:25

of course, crack them, use dictionaries to get missing keys and save them; after that we have

03:25 - 03:31

Write Card, the menu to go to if you want to write on a blank card; and finally the Settings page. On

03:31 - 03:38

that page you can access the language, UI design and settings management (so import/export), the

03:38 - 03:44

about of the app, the build version and much more. We'll check all that in detail. The home page will

03:44 - 03:49

display crucial information about the Chameleon device. On the top right, the USB port number or

03:49 - 03:56

Bluetooth ID used to connect to the app; then you have the battery level and the voltage. You can

03:56 - 04:03

see the type of device connected, the used slots indicator (so 3/8 will mean three are used

04:03 - 04:09

from eight possible), the eight slots of the device with different colors for the ones that are used

04:09 - 04:15

and the ones that are free, with arrows on the left and right side to select a slot. You can see the

04:15 - 04:22

image of the device, the current firmware version and an icon to check for firmware updates. You can

04:22 - 04:28

also find a switch from reader mode to emulator mode. As you may already know, the Chameleon Ultra

04:28 - 04:39

has two chips: the nRF52840 that handles emulation and an MFRC522 handling the reading and writing. By

04:39 - 04:46

the way, the Chameleon Ultra Lite is missing the MFRC522. So switching between those modes switches

04:46 - 04:52

who is in charge of the antenna on the Chameleon Ultra board (you can actually hear the relay click)

04:52 - 04:58

and therefore also switches the possible actions. The ChameleonUltraGUI does its best to handle the

04:58 - 05:05

switching automatically, but in case it is required to switch manually, this button does it. Finally, you

05:05 - 05:10

can access the device settings using the settings wheel at the bottom right of the page. Let's take

05:10 - 05:15

a look at the device settings sub-page. Here you can access the firmware management: you

05:15 - 05:22

can enter DFU mode. As you may already know, DFU stands for Device Firmware Update. This button is

05:22 - 05:29

intended in case you want to manually switch to DFU and then perform DFU actions outside of the

05:29 - 05:36

app using nrfutil or similar; it's not limited to just doing firmware updates. The second function is

05:36 - 05:43

Flash firmware via DFU. In this mode the device will enter DFU mode and flash to the latest

05:43 - 05:48

firmware: it connects to the internet and downloads and installs the latest firmware from the official

05:48 - 05:55

GitHub. The first function is Flash .zip firmware via DFU: if you want to install a custom firmware,

05:55 - 06:00

you can choose this mode. Simply click, select the zip file with your custom firmware

06:00 - 06:07

and flash. Next we have the animation control: Full is the full animation mode, Minimal is a shorter

06:07 - 06:12

animation mode and None is no animation at all. The animation is played when the device

06:12 - 06:18

wakes up, so when you select no animation the device starts up instantly; that might be the

06:18 - 06:23

best option. Then we have the button config. There are two buttons on the Chameleon Ultra, button A

06:23 - 06:29

and button B. Two states of the button press are configurable: normal press and long press. Long

06:29 - 06:35

press is around 3 to 5 seconds. There are five statuses that you can assign to each state of

06:35 - 06:41

button A and button B: Disable will disable the function, so nothing will happen in that state;

06:41 - 06:48

Forward will switch the slot forward; Backward will switch the slot backward; Clone UID will clone the

06:48 - 06:54

UID of the card; or Battery charge will display the current battery charge using the eight slot

06:54 - 07:02

LEDs. Now you can simply assign a mode for each button, for normal press and long press. Next

07:02 - 07:08

we have the BLE functions. By default the BLE pairing is disabled; when enabled, the Bluetooth

07:08 - 07:14

pairing is enabled, allowing you to restrict who can connect to your device, so they need to know

07:14 - 07:20

the PIN. Of course you can clear the bonded devices and change the password. Finally, in

07:20 - 07:26

Other you can Reset settings, which will reset all the settings above, or Factory reset, which will reset the

07:26 - 07:32

device to its original factory state. Okay, let's change the page and go to Slot Manager. In this

07:32 - 07:39

page we can see the eight slots displayed with the basic information: the slot number, the tag name in

07:39 - 07:45

the high frequency spot and the low frequency spot, and the settings wheel per slot redirecting to the

07:45 - 07:50

slot settings. To assign a card to a slot, simply click on the slot that you want; then you will

07:50 - 07:56

see a list with the saved cards. Note that this icon means it's a low frequency dump and this one means

07:56 - 08:01

it's a high frequency one. Click on the card and the dump is automatically assigned to the LF

08:01 - 08:07

or HF spot of the slot. Let's take a look at the slot settings. On the top right you can find

08:07 - 08:12

Export slot data: you can choose the frequency slot to export, low frequency or high frequency. After

08:12 - 08:20

choosing the frequency to export, you can decide to Save to file to save locally; Export to new card

08:20 - 08:26

will create a copy that you can name, very useful after you made changes to the card with the Edit

08:26 - 08:33

slot data; you can also decide to Update the saved card. Back to the slot settings: it showcases the

08:33 - 08:39

HF and LF spot followed by the name of the card assigned and a switch to activate/deactivate the

08:39 - 08:47

spot; the pen will let you edit the slot data; the X will clear the slot. Let's take a look at the Edit

08:47 - 08:54

slot data sub-page. This sub-page display changes depending on the type of tag. For a low frequency tag, there

08:54 - 09:00

is the UID and the type of tag that will be displayed. For MIFARE 1K we will have way more

09:00 - 09:07

options showing up. After the name of the badge used in a slot, we can find the type of badge, then

09:07 - 09:14

the UID. If you are new to RFID pentesting, I'll explain a little more what is doing what. The UID

09:14 - 09:22

is a sequence of bytes that uniquely identifies an RFID tag or an NFC card; it's pretty much like

09:22 - 09:28

a serial number for the card. The length of a UID can vary; common lengths are 4 bytes, 7 bytes

09:28 - 09:35

and 10 bytes. When a reader first communicates with a card, it uses the UID to distinguish that card

09:35 - 09:42

from all the others. In environments where multiple cards are present, the UID is crucial for the

09:42 - 09:47

anti-collision process, ensuring that the reader can communicate with each card individually. The UID

09:47 - 09:54

is generally read during the initial stages of the communication process. Then we have the SAK.

09:54 - 10:00

SAK means Select Acknowledge. After the initial ATQA response (so bear with me, we will see what

10:00 - 10:06

an ATQA response is after), if the reader decides to communicate with the tag, it sends a select

10:06 - 10:14

command, to which the tag responds with the SAK. The SAK is a one-byte response that gives more

10:14 - 10:21

detailed information about the tag, such as its exact type and capabilities. For instance, it can

10:21 - 10:27

indicate whether the tag is a simple memory card, a more complex cryptographic card or a card with

10:27 - 10:34

other specific features. The SAK helps the reader to understand how it interacts with the card, what

10:34 - 10:42

protocols to use and functionalities to expect. Then we have the ATQA. ATQA stands for Answer To

10:42 - 10:49

Request A. This is a response from an NFC card or RFID tag when it is first activated by the reader's RF

10:49 - 10:56

field. The ATQA is a two-byte response that provides the reader with the initial information about the

10:56 - 11:02

type of card or tag. It includes details like the card's RF technology compatibility and

11:02 - 11:08

its data transmission rate. The ATQA is part of the card's anti-collision mechanism, helping

11:08 - 11:14

to ensure that the correct card is identified and  communicated with when multiple cards are present  

11:14 - 11:23

in the reader field. Then you can enter an ATS, Answer To Select. ATS is specific to ISO/IEC

11:23 - 11:29

14443 Type A cards. After the card has been selected by the reader using the SAK

11:29 - 11:37

(or Select Acknowledge), the card responds with the ATS if it's operating under ISO 14443

11:37 - 11:44

-4. The ATS contains information necessary for the initialization of the protocol parameters

11:44 - 11:50

for further communication. The ATS is important for establishing a more complex communication channel

11:50 - 11:56

between the reader and the card, especially for cards that perform higher-level functions like

11:56 - 12:02

secure transactions or data storage. After that we have the MIFARE Classic emulator settings: Gen

12:02 - 12:09

1a magic mode. Gen1a magic mode refers to a specialized type of RFID tag that allows for

12:09 - 12:15

greater flexibility and control over the tag's data, including the ability to rewrite the UID

12:15 - 12:22

and other normally read-only sections. While useful for research and testing, well, they must be used

12:22 - 12:28

with consideration for security and legal concerns. Then we have the Gen 2 magic mode. Gen 2 magic tags

12:28 - 12:33

are compatible with most systems supporting MIFARE Classic cards and offer improved performance;

12:33 - 12:40

they typically have better security features compared to the Gen1a tags. Use UID, SAK and

12:40 - 12:47

ATQA from block zero: it will use the UID, SAK and ATQA from block zero. This functionality is particularly important

12:47 - 12:53

for custom applications, security testing and scenarios where specific tag behaviors are

12:53 - 13:00

required. How does it differ from the other fields? Well, some cards report a different UID, SAK and

13:00 - 13:08

ATQA to the reader than they have in block zero. By default the UID, SAK and ATQA are set to the

13:08 - 13:15

values read by the Chameleon, but you may want to use the data from block zero for specific applications.

13:15 - 13:22

Collect nonces (MFKey32): the process of collecting nonces typically involves interacting with a

13:22 - 13:28

MIFARE Classic card multiple times to gather enough data, so nonces, for cryptographic analysis. Each

13:28 - 13:34

interaction involves a challenge and response communication where the card generates a nonce.

13:34 - 13:40

By collecting these nonces, an attacker can analyze them to find vulnerabilities in a card's

13:40 - 13:46

security protocol, particularly weaknesses in the random number generation or implementation flaws

13:46 - 13:52

in the encryption algorithm. To use this function, you enable MFKey in a slot's settings, then you

13:52 - 13:58

present the Chameleon Ultra to the reader. Note that it is also working offline, so when there is no app

13:58 - 14:03

connection. Then you return to the slot settings and there is a new button, Recover

14:03 - 14:10

keys. Another page opens; you can see the number of nonces the keys can be recovered from. Press it and

14:10 - 14:17

MFKey32 gets to work. The progress bar is a nice touch; it'll take a moment to recover all the

14:17 - 14:27

keys. When the keys are recovered, you can of course save them. You have three options: Save

14:27 - 14:32

recovered keys to file, Add recovered keys to existing dictionary and Create a new dictionary

14:32 - 14:38

with the recovered keys. Finally, don't forget to remove the MFKey32 option from the slot you were

14:38 - 14:43

collecting nonces from. Let's get back to the Edit slot data. The last section is the write

14:43 - 14:51

mode. Normal: the emulation acts like a normal card, accepts writes, saves them to permanent storage, etc.

14:51 - 14:58

Decline: tells the reader this is a read-only card and declines writing. Deceive: accepts writes from

14:58 - 15:04

the reader but doesn't save them; when the reader tries to read the data again it's gone, nothing

15:04 - 15:11

happened and it didn't actually write. Shadow: accepts writes and caches them; when the reader

15:11 - 15:17

tries to read it's still there, but as soon as the device goes to sleep it's back to default,

15:17 - 15:22

as if nothing happened. At the bottom right you can cancel or save the changes. The Saved Cards

15:22 - 15:28

page is composed of two sections: Cards, where the saved cards are displayed, and Dictionaries,

15:28 - 15:33

where you can manage the dictionaries. You can add a card using the plus button on top of the

15:33 - 15:40

section: simply press the button and browse to add a valid saved card from your computer or phone. Each

15:40 - 15:47

saved card shows an icon for LF or HF card, the tag name, the type of card and an edit, save and

15:47 - 15:53

delete button. When you press the edit button you are able to modify the UID and other available

15:53 - 15:58

fields of the specific card. When done you have the option to save or cancel the modification.

15:59 - 16:04

Save will offer you to save as a .bin or a .json, and the trash icon will let you delete

16:04 - 16:10

the saved tag. In the Dictionaries section you will see the saved dictionaries, the number of keys

16:10 - 16:17

in the dictionary and three buttons: edit, save and delete. Pressing the edit button will let you edit

16:17 - 16:23

the dictionary manually: you can add, delete, modify the keys. When you are done, click save or cancel at

16:23 - 16:28

the bottom of the page. The save button will let you save the dictionary on your computer as a .dic

16:28 - 16:34

and the trash icon will erase the dictionary. Adding a dictionary is fairly simple: press the

16:34 - 16:40

plus icon at the top of the section and select the file with the stored keys. Let's change page and go

16:40 - 16:47

to Read Cards. To read a card or a tag, simply put it very close to the Chameleon and press the read

16:47 - 16:54

button corresponding to the type of frequency used by this card. If you are not sure, well, just try HF

16:54 - 17:00

first and then LF. For an LF card, once read, you have the option to save the card; you just need to enter

17:00 - 17:07

a name for that card and press OK. Now the card will show up in the saved cards. For a MIFARE high

17:07 - 17:13

frequency card you can save only the UID, so no keys will be saved. If you want to dump with all

17:13 - 17:19

the keys of the card, you need to check the displayed keys: a red cross means the key is unknown, a green

17:19 - 17:24

check mark means that the key is found. Let's take a closer look at the Keys section. In order

17:24 - 17:29

to find the missing keys of a card you need to use a dictionary; if you select no dictionary then you

17:29 - 17:34

won't be able to find them. By default there is an internal dictionary in the Chameleon; you have the

17:34 - 17:40

option to skip it though, when you check the Skip default dictionary function. When you want to use a

17:40 - 17:46

custom dictionary, under Additional key dictionary select a previously saved dictionary. You can see

17:46 - 17:52

that by default it is empty; click and select the dictionary you want to use, then press Check keys

17:52 - 17:58

from dictionary and the Chameleon is recovering the missing keys. After that you can dump the card or

17:58 - 18:07

export the found keys. To save a card dump, press Dump card, Save, name the card, click OK. Now the

18:07 - 18:13

card will show up in the saved cards. You can also save the card as a .bin. When you want to save

18:13 - 18:20

the recovered keys you have three options. First one, Save recovered keys to file: you press Enter

18:20 - 18:26

and enter your name. Second option, Add recovered keys to existing dictionary: you have to press

18:26 - 18:31

and then select the existing dictionary that you want to add the keys to. Third option, Create

18:31 - 18:37

new dictionary with recovered keys: here you just have to enter the name of the new dictionary that

18:37 - 18:43

you want to create. Next page, Write Card. Writing a card is a simple three-step process and all the

18:43 - 18:48

instructions are on the screen. Step number one: select the card previously saved, then press Next.

18:48 - 18:54

Step number two: select magic card type. In this section pick the type of magic card you want to

18:54 - 19:00

use if you know it; if you're unsure you can also try the Autodetect magic type function. Press

19:00 - 19:06

Next. Step number three: write data. Simply press on Write data and voilà, the Chameleon is writing

19:06 - 19:13

on the card. And finally, last page: Settings. The first section is sidebar expansion: Expand shows

19:13 - 19:20

the icons and menu titles; Auto automatically expands or retracts the sidebar depending on the

19:20 - 19:25

window size; and Retract retracts the sidebar. Then we have the theme section with 3 options: System

19:25 - 19:31

will pick the system theme, Light the light theme and Dark the dark theme. Then we have color scheme:

19:31 - 19:37

you just pick the color you prefer; it works with light and dark theme. Then you have the language,

19:37 - 19:42

so you just pick the language that you are more comfortable with. Then you have Confirm deletions:

19:42 - 19:48

it toggles whether or not to display a confirmation dialog when deleting a card. Then we have Export

19:48 - 19:55

settings, multiple options there: Cancel if you want to go back to the previous page; QR code, press it

19:55 - 20:01

then you have access to two parameters, split size and error correction. Split size is the maximum

20:01 - 20:08

number of characters per QR code; by default it is set to the maximum size, 2048. The more

20:08 - 20:14

characters, the fewer QR codes need to be generated to export all the settings. Then you have a slider

20:14 - 20:20

for error correction; here as well, as the value increases, more QR codes will be needed to export

20:20 - 20:25

all settings. Under that you can find a test QR code. When you press OK you will see the total

20:25 - 20:31

number of QR codes needed to fully export the settings to your phone; here we have 28 QR

20:31 - 20:36

codes that we will need to scan on our phone to import all the settings from the desktop. JSON

20:36 - 20:42

file will create a file that you can later import in another ChameleonUltraGUI. JSON, or JavaScript Object Notation,

20:42 - 20:48

file is a standard text format that is used to store and transport data; as you may already know,

20:48 - 20:54

it's commonly used in web applications for sending data from a server to a client and vice versa. Next

20:54 - 21:00

section, Import settings, where you choose how you want to import the settings. Once again 3

21:00 - 21:06

options here: Cancel will let you go back to the previous page; QR code, press it and you will be asked

21:06 - 21:13

to start scanning, then scan the exported QR codes from your desktop; JSON, press and choose the .json

21:13 - 21:19

file with the settings that you want to import from your device. Then we have the About section:

21:19 - 21:24

it shows the build information of the GUI, the list of developers working on it, the license, a link to

21:24 - 21:29

the GitHub and a section to thank the supporters of the project. If you want to support this project

21:29 - 21:34

yourself, a link will be in the description below; and lastly the code contributors. And lastly, you

21:34 - 21:40

can activate the debug mode. When you press it... oh my God, oh my God, okay, we won't go there in this

21:40 - 21:46

video. Thank you for watching this video. If you found it useful or informative, please like, share

21:46 - 21:51

and comment, and don't forget to subscribe to this channel. We will make sure to keep you updated when

21:51 - 21:56

updates are released for the ChameleonUltraGUI and the Chameleon Ultra firmware, so stay

21:56 - 22:01

tuned. I want to thank again GameTec-Live and the other contributors for their hard work and

22:01 - 22:07

help to make this video possible. If you want a Chameleon Ultra, a Chameleon Ultra Lite or

22:07 - 22:14

a Chameleon dev kit with the best price and the best service, visit LAB401.com. Take care and see you next

22:14 - 22:27

time [Music]
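
The UID, ATQA, SAK and "use UID, SAK and ATQA from block 0" explanations in the video above, as an added worked example. This is not code from the video, from LAB401 or from the ChameleonUltraGUI or Chameleon Ultra firmware projects. It assumes ATQA is written in the two-byte display order the GUI and Proxmark use (e.g. 00 04 for MIFARE Classic 1K, where the second byte is the first one sent on the wire), handles block 0 only for the 4-byte-UID MIFARE Classic layout, and uses constructed card values rather than dumps of real cards.

```python
"""Added example (not from the video or the ChameleonUltraGUI project): decode and
cross-check the ISO/IEC 14443-3 Type A identity fields (UID, ATQA, SAK) shown on the
GUI's edit-slot-data page, and pull the same three values out of block 0 of a
MIFARE Classic dump, as the "use UID/SAK/ATQA from block 0" slot option does.
All card values here are constructed for the example."""

from dataclasses import dataclass
from typing import List

CASCADE_TAG = 0x88          # CT byte that replaces UID byte 0 of a non-final cascade level
SAK_ISO14443_4 = 0x20       # SAK bit set: card supports ISO 14443-4 (an ATS follows RATS)
SAK_UID_INCOMPLETE = 0x04   # SAK bit set: another cascade level is still to come
ATQA_UID_SIZE_MASK = 0xC0   # bits b8..b7 of the first ATQA byte sent on the wire

# Constructed block 0 of a MIFARE Classic 1K with a 4-byte UID (16 bytes):
# UID[4] | BCC | SAK | ATQA (stored in wire order, LSB first) | 8 manufacturer bytes
SAMPLE_BLOCK0 = bytes.fromhex("4e9d8c1a" "45" "08" "0400" "6263646566676869")


def bcc(level: bytes) -> int:
    """Block check character: XOR of the four bytes of one cascade level."""
    if len(level) != 4:
        raise ValueError("a cascade level is exactly 4 bytes")
    result = 0
    for b in level:
        result ^= b
    return result


@dataclass(frozen=True)
class TagIdentity:
    uid: bytes
    atqa: bytes   # two bytes in GUI/Proxmark display order, e.g. 00 04 (assumption)
    sak: int

    @property
    def declared_uid_size(self) -> int:
        """UID length announced by the ATQA: 00 single (4), 01 double (7), 10 triple (10)."""
        size_bits = (self.atqa[1] & ATQA_UID_SIZE_MASK) >> 6
        return {0: 4, 1: 7, 2: 10}.get(size_bits, -1)   # 11 is reserved

    @property
    def iso14443_4(self) -> bool:
        """True when the SAK says the card speaks ISO 14443-4, i.e. it will return an ATS."""
        return bool(self.sak & SAK_ISO14443_4)

    def cascade_levels(self) -> List[bytes]:
        """Anticollision frames (4 bytes + BCC) per cascade level; every level except
        the last carries the cascade tag 0x88 in byte 0 and only 3 UID bytes."""
        levels, rest = [], self.uid
        while len(rest) > 4:
            levels.append(bytes([CASCADE_TAG]) + rest[:3])
            rest = rest[3:]
        levels.append(rest)
        return [lvl + bytes([bcc(lvl)]) for lvl in levels]

    def problems(self) -> List[str]:
        """Consistency checks a reader's anticollision would trip over."""
        issues = []
        if len(self.uid) not in (4, 7, 10):
            issues.append(f"UID length {len(self.uid)} is not 4, 7 or 10 bytes")
        elif self.declared_uid_size != len(self.uid):
            issues.append(f"ATQA declares a {self.declared_uid_size}-byte UID "
                          f"but the UID is {len(self.uid)} bytes")
        if self.sak & SAK_UID_INCOMPLETE:
            issues.append("final SAK has the cascade bit (0x04) set")
        return issues


def identity_from_block0(block0: bytes) -> TagIdentity:
    """UID/BCC/SAK/ATQA from block 0 of a 4-byte-UID MIFARE Classic dump.
    7-byte-UID cards use a different block 0 layout and are not handled here."""
    if len(block0) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    uid, stored_bcc, sak = block0[:4], block0[4], block0[5]
    if bcc(uid) != stored_bcc:
        raise ValueError(f"BCC mismatch: stored {stored_bcc:02x}, computed {bcc(uid):02x}")
    atqa = bytes([block0[7], block0[6]])   # wire order -> display order
    return TagIdentity(uid=uid, atqa=atqa, sak=sak)


if __name__ == "__main__":
    ident = identity_from_block0(SAMPLE_BLOCK0)
    print("UID", ident.uid.hex(), "ATQA", ident.atqa.hex(), "SAK", f"{ident.sak:02x}")
    print("declared UID size:", ident.declared_uid_size, "ISO14443-4:", ident.iso14443_4)
    print("cascade frames:", [lvl.hex() for lvl in ident.cascade_levels()])
    print("problems:", ident.problems())
```

`problems()` is the check worth running before saving a hand-edited slot: a UID whose length disagrees with the ATQA size bits, or a final SAK that still has the cascade bit set, is exactly what makes a reader's anticollision fail against the emulation, and the BCC check in `identity_from_block0()` catches a block 0 that was edited by hand without recomputing byte 4.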

Unlocking the Mysteries of Chameleon Ultra: The Ultimate Guide

Chameleon Ultra – the world's smallest RFID emulation device with cutting-edge technology and wireless control. In this comprehensive guide, we delve into all aspects of Chameleon Ultra, from downloading the app to device settings, slot management, key recovery, card reading and writing, and even advanced features like magic mode and dictionary management. Let's embark on a journey to uncover the hidden capabilities of Chameleon Ultra and elevate your RFID experience to new heights.

Exploring the Chameleon Ultra Ecosystem

Have you ever wondered how to make the most of your Chameleon Ultra device? Today, we have the privilege of exploring the intricate details of the Chameleonultragui with the brilliant mind behind it – GameTec-Live. Get ready to unleash the full potential of your Chameleon Ultra on various platforms, from PC to Android and iPhone.

Installing the App

To kickstart your Chameleon Ultra experience, you need to download the app tailored for your device. Whether you are an iOS enthusiast or an Android aficionado, we've got you covered. Learn how to get the app from the Apple Store or Google Play Store, or even dive into the open-source world by visiting the Chameleonultragui GitHub page.

Connecting Your Chameleon Ultra

Discover the two methods to connect your Chameleon Ultra – via USB-C cable or Bluetooth. Unveil the pros and cons of each connection method, ensuring you choose the one that suits your needs best. Get hands-on tips on managing multiple Chameleons and updating firmware seamlessly.

Mastering Device Settings

Dive deep into the device settings, where the magic happens. From firmware management to animation control and button configurations, customize your Chameleon Ultra to match your preferences. Uncover the secrets of BLE functions and learn how to reset or restore your device to its factory settings effortlessly.

Slot Management and Card Operations

Gain insights into slot management, assigning cards, and choosing emulation modes effectively. Learn the art of reading cards, cracking keys, and saving valuable information for future use. Explore the nuances of writing cards, from selecting card types to writing data with precision.

Advanced Features Unveiled

Delve into the realm of magic mode, nonces collection, and key recovery processes. Understand the significance of Gen 1 and Gen 2 magic modes, and witness the power of dictionary management in enhancing your RFID testing and security analysis capabilities.

Conclusion: Unlock the Full Potential of Chameleon Ultra

Congratulations on mastering the intricacies of Chameleon Ultra through this detailed guide. Now equipped with in-depth knowledge, you are ready to harness the true power of RFID emulation and take your device usage to the next level. Stay tuned for future updates and innovations, and remember – the world of Chameleon Ultra is yours to explore and conquer!