Home
The Chameleon Project was started by the Chair for Embedded Security at the Ruhr University in Bochum, Germany. More than 1700 backers on Kickstarter made it possible for KAOS to develop the improved Revision G of the ChameleonMini. The whole project is published under an open-source license to let everyone benefit from the work that has been done so far.
For ordering a ChameleonMini directly from its creators, please use our webshop.
Introducing the new ChameleonMini Revision G:
- Have you ever wondered how contactless card systems, e.g., used for door openers and micro payments, work and whether they provide protection against digital fraud?
- Did you ever want to check the security level of an NFC / RFID access control system?
- Do you want to develop your own NFC tag or contactless card, including your own state machine and security algorithms, or even your own physical specification for an RFID system?
These and many more applications were the reason for the "birth" of ChameleonMini: a versatile NFC emulator, log tool, and a basic RFID reader.
The credit-card-shaped ChameleonMini is a versatile tool for practical NFC and RFID security analysis, compliance and penetration tests, and various end-user applications. The freely programmable platform can create perfect clones of various existing commercial smartcards, including cryptographic functions and the Unique Identifier (UID). It can be employed to assess security aspects in RFID and NFC environments in different attack scenarios, such as replay or relay attacks, state restoration attacks, sniffing of NFC communication, or functional tests of RFID equipment. New firmware for the ChameleonMini can be comfortably uploaded via a USB bootloader. A convenient, human-readable command set lets you configure its behavior and update the settings and content of up to eight internally stored, virtualized contactless cards. During battery-powered stand-alone operation, the integrated buttons and LEDs enable user interaction and feedback.
Hardware
The new hardware supports Amplitude-Shift Keying (ASK) modulation (10% and 100%), can generate ASK or Binary Phase-Shift Keying (BPSK) load modulation with a subcarrier, and can decode the requests of an NFC reader. Thus, the ChameleonMini hardware is capable of emulating various ISO 14443, NFC, and ISO 15693 cards, as well as other types of RFID transponders operating at 13.56 MHz. Cards that the ChameleonMini can emulate in principle include: NXP Mifare Classic, Plus, Ultralight, Ultralight C, ntag, ICODE, DESfire / DESfire EV1, TI Tag-it, HID iCLASS, LEGIC Prime and Advant, Infineon my-d, and many other NFC tags. Note that the initial firmware only supports a subset of these tags.
The ChameleonMini Rev.G hardware comprises a PCB antenna, which can be driven by power transistors on the board to generate a 13.56 MHz RFID field. This will allow the Rev.G to work as a basic active RFID reader. An on-board Li-Ion battery can be recharged via USB.
We always welcome contributions and are happy to hear from you. If you find RFID systems worldwide where ChameleonMini is useful, please let us know: feel free to send us pics and videos, and we will then summarize all practical use cases here on GitHub. You can contact us by writing to [email protected].
- Firmware support for ISO14443A Codec (emulation and reader)
- Firmware support for Mifare Classic 1K and 4K emulation (4 and 7-byte UID)
- Firmware support for Mifare Ultralight emulation
- Hardware support for ASK modulation (both 10% and 100%) to cover almost any card standard available
- Hardware support for ASK and BPSK load modulation using a subcarrier
- Modular firmware structure allows for easy expandability of other cards and standards
- Support for quick and reliable firmware update via Atmel DFU bootloader, thus programming hardware is required only once
- Can be controlled using a fully documented AT-like command set via CDC using the LUFA USB stack
- Up to eight virtualized cards with a size of up to 8 kB per card can be stored in the non-volatile memory of ChameleonMini
- Card contents can be easily uploaded and downloaded by means of the command line and X-MODEM
- UID of ISO14443A cards can be obtained easily in reader mode
- Identifying the type (Mifare Ultralight, Mifare Classic 1K etc.) of ISO14443A cards is also possible in reader mode
- Transparent/manual ISO14443A reader: send custom bit strings and obtain the card's answer
- The command set thus allows the ChameleonMini to be interfaced with standard terminal software as well as user-written scripts and applications
- Collection of new (2016) KAOS Videos about the latest ChameleonMini Revision G
- Talk of Timo on ACM CCS with ChameleonMini RevG, starting after minute 33
- Authenticating at e-mobility stations in Germany
- 34C3 talk about German e-mobility stations
- 36C3 talk about hacking an NFC toy
- Attacking commercial PUF-based RFID tags with ChameleonMini slides, paper
- Paper describing the "Chameleon" (previous version)
- Security Analysis Of Pervasive Wireless Devices
- An Embedded System for Practical Security Analysis of Contactless Smartcards