Returning to the worlds of NFC
and RFID, I recently got my hands on the Chameleon Ultra, and naturally, here
we are to review it and compare it a bit with my old Chameleon Mini (RevE)
RDV2.0 Rebooted from Proxgrind. This article will discuss both devices,
touching on their origins, physical aspects, and technical specs. Let’s get
started!
A bit of history
The Chameleon is not a device that was created overnight. Kasper Oswald was the person who started it all. Back in 2006, he created a contraption, a coffee cup that emulated a tag in a very rudimentary way, known as the "Coffee Cup Tag Emulator." This was the father, or rather the great-great-grandfather, of the Chameleon family.
In 2007, he created the "Fake Tag." We won't go into details about each prototype, just mention them to show the device's evolution.
In 2010, the original Chameleon was created, resembling a bit more what we have today.
In 2013, the first Chameleon Mini, the RevD, was released.
From there, the Chameleon Mini RevE came out in 2014, followed by the RevE Rebooted, RevF, RevG (which had Bluetooth), Chameleon Tiny, and Chameleon Lite, leading up to the Chameleon Ultra and the Chameleon Ultra Dev Kit. As you can see, the chameleon is an animal that adapts and evolves.
In this article, we will focus on
the Chameleon Mini RevE Rebooted and the Chameleon Ultra simply because those
are the ones I own.
Let's look at some photos to get
familiar with them and differentiate them. It's worth mentioning that the size
of the Chameleon Ultra has significantly reduced compared to the Chameleon
Mini; it barely measures 4 cm and is available in various colors (black, blue,
and white).
Hardware changes and technical specifications
The Chameleon Mini RevE connects via USB with a micro-USB cable, whereas
the Chameleon Ultra uses a USB-C connector and also supports Bluetooth BLE 5.0.
The Chameleon Mini only supports NFC (13.56 MHz), while the Chameleon
Ultra supports both NFC and 125 kHz RFID.
The Chameleon Mini had 8 slots for NFC storage, while the Chameleon Ultra
has 8 dual-frequency slots, meaning you can store an NFC tag and an RFID tag in
each, effectively 16 memory slots (8 HF and 8 LF).
The Mini version is powered by a CR-2032 battery, while the Chameleon Ultra features a 90mAh internal battery that, thanks to its low power consumption, can last for months depending on usage. The RevE’s battery lasted quite well, but it’s a problem when you discover it’s drained just when you urgently need the device. So, having an internal battery is another big advantage.
Another major change is the chips used. Originally, the Chameleon Mini
used the ATxmega128A4U chip, but it was later replaced with the ATxmega32A4U
chip (16MHz, 32kb flash, 1kb EEPROM), which is the one found in the Chameleon
Mini RevE. Meanwhile, the Ultra version uses the nRF52840 chip. Why the change?
Developers argue that it's not only a cheaper chip but also supports Bluetooth
BLE 5.0, has 256kb RAM, 64MHz clock speed, consumes very little energy, and
offers much better emulation performance and faster response. Previously, they
were limited by the SPI protocol clock speed. In short, all advantages — and
apparently they discovered this chip almost accidentally. Very curious...
For reading and writing, the Chameleon Ultra uses the MFRC522 chip, which
supports a greater variety of tag types than its predecessor.
To summarize the features of each device, the Chameleon Mini RevE offers:
- Firmware support for ISO14443A codec (emulation and reading)
- NFC 13.56 MHz emulation for Mifare Classic 1K/4K, Ultralight/C (4- and 7-byte UIDs)
- 8-bit AVR Processor (ATxmega32A4U @ 32MHz)
- Flash memory (32Kb) and 4Kb RAM
- Hardware support for ASK and BPSK load modulation using a subcarrier
- 8 virtual card slots, up to 8Kb per card in non-volatile memory
- Two programmable buttons and LEDs
- Open-source, modular firmware for easy expansion
- Weight: 31g, Dimensions: 8.6cm x 5.2cm x 0.6cm
Chameleon Ultra features are:
- Firmware support for ISO14443A codec (emulation and reading)
- NFC 13.56 MHz emulation for Mifare Classic 1K/2K/4K, Ultralight/C/EV1, NTAG 210-218, Desfire EV1/2, Mifare Plus
- RFID 125KHz emulation for EM4xx, T5577, FDX-B, Paradox, Keri, Indala, HID Prox, PAC/Stanley, AWD, ioProx, Presco, Viking, Noralsy, NexWatch, Jablotron, Gallagher
- Support for Bluetooth LE (BLE) 5.0
- 32-bit ARM Processor (nRF52840 @ 64MHz)
- Flash memory (1Mb) and 256Kb RAM
- Hardware support for ASK and BPSK load modulation
- Reader mode with fast UID detection support
- 8 dual-frequency virtual card slots up to 64Kb per card
- 90mAh internal LiPo battery
- Two programmable buttons and dynamic RGB LEDs
- Open-source, modular firmware for easy expansion
- Weight: 8g, Dimensions: 4cm x 2.4cm x 0.6cm
What really makes the Chameleon Ultra attractive compared to the Mini is that it is no longer just a "dumb box that carries and emulates tags." Now, besides carrying and emulating tags, it can read tags, perform attacks, use dictionaries, and clone. It’s getting closer to a Proxmark than to its Chameleon predecessors. And not only can it read tags, but it can also modify them by writing onto them. As you can see, it’s a huge step up from the Chameleon Mini: much more powerful and versatile.
Maybe the meme exaggerates a bit, because the Proxmark is still far more
versatile and can do things the Chameleon cannot, but the Chameleon Ultra can
perform many tasks in a very simple way, thanks to its intuitive and
straightforward interface.
Of course, it can still be used simply as a "dumb box that carries
and emulates tags."
However, let's not forget that in this version, this "dumb box"
is capable of carrying many more types of tags and has more slots available. The
difference is that before, you needed to clone using a Proxmark, save a dump of
the tag, and then write it into the Chameleon using specific software, and now
with the Chameleon Ultra, you can directly read a tag, attack if necessary (in
case not all sectors are readable), and clone it on the fly. This saves many
steps and simplifies the process, ultimately saving a lot of time.
Supported attacks
Currently, the Chameleon Ultra supports different attacks when reading a
tag and not all its sectors can be read completely. Besides dictionary attacks,
it supports MFKEY32, Darkside, Nested, and StaticNested attacks. If you want
more information about these attacks, I refer you to another article I wrote
some time ago here on Hackplayers:
https://www.hackplayers.com/2021/11/hacking-nfc.html
What is not yet supported are the HardNested attack and the Relay attack.
However, it’s just a matter of time, since the hardware is capable of supporting
them and the development team already has it on their to-do list.
It’s also anticipated that sniffing on high frequency (NFC) will not be
supported (unlike the Proxmark), although sniffing on low frequency is
supported, even though it’s not fully developed yet. As we can see, there’s
still some road ahead…
Software
There are several different software options. There is a command-line
interface (CLI) console for advanced users, but the graphical user interface
(GUI) software is more than enough for most mortals, myself included, so that's
what we’ll talk about here. Later, we'll also discuss the mobile apps.
The software is similar to the old Chameleon software but with a new look, much nicer and more modern, and packed with more functionality. However, the slot management window still keeps the same basic philosophy. This was the old GUI for the Chameleon Mini (Iceman version):
And this is the new software's appearance:
As we mentioned earlier, we can directly read tags using the Chameleon Ultra. You can choose to save just the UID (we know many poorly secured NFC systems only check the UID), or save the complete tag. But to do this, you must fully read it. If we encounter a tag that we can’t read entirely, we’ll see a screen like this:
But on the fly, we can launch different attacks. In this case, we simply select a dictionary, and this will be the result after applying it:
As you can see, it managed to read everything, so we could now clone the tag. If there were still sectors left to read, the Chameleon Ultra would automatically launch different attacks to retrieve the missing data, a real marvel. Once successfully read, we save the tag:
It will then appear in the Saved Cards section along with others we have:
And we can write it into one of the memory slots if we want:
It also allows importing and exporting tags in .bin and .json file
formats (Proxmark3), .nfc (Flipper Zero), and .mfct (Mifare Classic Tool).
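Once a tag you own has been exported as a raw .bin dump, it can be audited offline. The following Python code is an added example, not part of the original article or of the Chameleon software: it checks a MIFARE Classic 1K dump for sectors that still use well-known default keys and for inconsistent access bits. It assumes the common 1024-byte raw layout (16 sectors of 4 blocks, keys filled into each sector trailer); the function names and the sample dump are constructed for illustration.

```python
BLOCK = 16
BLOCKS_PER_SECTOR = 4
SECTORS = 16
# Widely published transport/default keys; a card in service should not use them.
DEFAULT_KEYS = {bytes.fromhex(k) for k in
                ("FFFFFFFFFFFF", "000000000000", "A0A1A2A3A4A5", "D3F7D3F7D3F7")}

def access_bits_valid(ac: bytes) -> bool:
    """Each access bit is stored once plain and once inverted; check they agree."""
    b6, b7, b8 = ac[0], ac[1], ac[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    return ((b6 & 0x0F) == (~c1 & 0x0F) and (b6 >> 4) == (~c2 & 0x0F)
            and (b7 & 0x0F) == (~c3 & 0x0F))

def audit_dump(dump: bytes) -> dict:
    """Return UID, BCC check result and the sectors with weak configuration."""
    if len(dump) != BLOCK * BLOCKS_PER_SECTOR * SECTORS:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    uid, bcc = dump[0:4], dump[4]
    report = {"uid": uid.hex().upper(),
              "bcc_ok": bcc == uid[0] ^ uid[1] ^ uid[2] ^ uid[3],
              "default_key_sectors": [], "bad_access_sectors": []}
    for sector in range(SECTORS):
        start = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK  # sector trailer block
        trailer = dump[start:start + BLOCK]
        key_a, access, key_b = trailer[0:6], trailer[6:10], trailer[10:16]
        if key_a in DEFAULT_KEYS or key_b in DEFAULT_KEYS:
            report["default_key_sectors"].append(sector)
        if not access_bits_valid(access):
            report["bad_access_sectors"].append(sector)
    return report

def build_sample_dump() -> bytes:
    """Constructed sample: factory-default card with only sector 1 re-keyed."""
    uid = bytes.fromhex("DEADBEEF")
    block0 = uid + bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3], 0x08, 0x04, 0x00]) + bytes(8)
    default_trailer = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    dump = bytearray()
    for sector in range(SECTORS):
        first = block0 if sector == 0 else bytes(BLOCK)
        dump += first + bytes(BLOCK) * 2 + default_trailer
    custom = bytes.fromhex("112233445566" "FF078069" "665544332211")  # constructed keys
    dump[7 * BLOCK:8 * BLOCK] = custom  # block 7 is the trailer of sector 1
    return bytes(dump)

if __name__ == "__main__":
    print(audit_dump(build_sample_dump()))
```

Any sector listed under `default_key_sectors` can be read by anyone holding a public key dictionary, so those are the sectors to re-key before a card goes into service.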
In the Device Settings section, among other options, we can program the buttons just like with the Chameleon Mini, so that a short press does one action, and a long press does a different one:
As we mentioned before, besides writing into the memory slots, we can also write directly onto a tag (as long as the tag supports the kind of writing we're trying to do).
If we have doubts about what type of rewritable card we have, we can use the "Auto-detect Magic Card Type" option to automatically detect it:
As you can see, all processes are very straightforward.
Thus, we have covered the main functionalities. However, I encourage you
to play with it, because it’s truly fun and seems like a great advance in the
evolution of the Chameleon family. If you have time and curiosity, there's an
English-language video that meticulously explains all aspects and fields of the
software:
https://www.youtube.com/watch?v=9jtKNJ5-kVY
Mobile software
Another of the advantages of these gadgets is the availability of software versions for mobile applications, which are very useful. They give us mobility and, if we are on a “mission” (always official, ethical, with permission and all that, you know), they also provide some discretion by allowing us to operate the device simply by having a mobile phone in hand, something that is socially accepted and discreet. It is well known that if you pull out a laptop, some cables, and a "weird" device, people might look at you suspiciously or wonder what you are doing. This makes mobile versions very useful in this regard.
Chameleon Mini RevE never had an official app as such, but there were a
couple of apps developed by people from the community. I will highlight one
that offers functionality very similar to the desktop GUI software from Iceman.
It is this Android app from this GitHub repository:
https://github.com/kgamecarter/ChameleonMiniApp
However, the compiled APK is not available in the repository. It used to
be available on Google Play Store, but sadly it disappeared from there, so I
have prepared a link to the compiled APK (I know what you are thinking, and no,
it has no malware, I behaved):
https://mega.nz/file/wJJ0GCzJ#gZTYkAJBciT_AuofHat4QMqBsCPHxvuiLURfAd4dNBY
To use it, you will need to connect your Chameleon Mini RevE to your
mobile with an OTG (On-The-Go) cable to the micro-USB port of the Chameleon
Mini.
The app looks like this:
There is also a YouTube video of about 20 seconds made by the author of
the app, which gives you a good idea of it:
https://www.youtube.com/watch?v=WoU58GzxsAY
As for the Chameleon Ultra, luckily it does have an official app. It is
available in Google Play Store, where you can download it:
https://play.google.com/store/apps/details?id=io.chameleon.ultra
There is also an iOS version for Apple devices:
https://apps.apple.com/ve/app/chameleon-ultra-gui/id6462919364
The mobile app for the Chameleon Ultra offers the same functionality as
the desktop app, so in my opinion, it is an absolute wonder. This means that,
being such a small device and connecting via Bluetooth, we can operate it at
100% capacity anywhere, taking full advantage of it. Bluetooth pairing is
extremely easy, and the app allows us to choose the PIN we want for secure
connection.
It is also worth mentioning that although connecting via Bluetooth is the
usual method, it is possible to connect it with an OTG cable just like we did
with the Chameleon Mini, although this time it will have to be USB-C. The app
will work perfectly as well.
This is what the mobile app looks like:
Firmware update
Updating the firmware on the Chameleon Mini was a bit more complex. To
avoid repeating everything, I will simply reference an article I wrote some
time ago where, among other things, the process of updating the firmware of the
Chameleon Mini RevE is described:
https://www.hackplayers.com/2021/07/nfc-proxmark3-chameleon.html
On the Chameleon Ultra, updating the firmware could not be easier. There are several methods, but without a doubt, the easiest one is simply to open the GUI application and click on the magic button next to the firmware version. This button will do all the work. It is that simple. It automatically puts the device into DFU (Device Firmware Update) mode, downloads the latest version, flashes it, and so on.
Where to buy it?
It can be purchased in different places like Lab401 store,
Hackerwarehouse, or even Amazon, but in my experience it is cheaper to buy it
on Aliexpress. That said, you have to distinguish between the original and the
imitations.
In this link, I found a comparison between the "Chameleon
Ultra" and the "Chamele0n Ultra" (note that the “o” in the
imitation is actually a zero “0”). They compare physical components and
differences. A very interesting article:
https://shop.mtoolstec.com/whatre-the-differences-between-chameleon-ultra-chamele0n-ultra.html
The truth is that, after reading the article, it seems the imitation does
not differ too much from the original, only in small details. But since I have
not personally tested the imitation, I recommend buying the original.
Nevertheless, it is quite likely that the imitation also works well, although I
cannot guarantee it at this moment. Here are a couple of Aliexpress links to
good-priced original Chameleons, the ones I personally own.
Original Chameleon Mini RevE:
https://s.click.aliexpress.com/e/_opkB6kH
Original Chameleon Ultra:
https://s.click.aliexpress.com/e/_oCTviIv
The current prices in 2025 are around 35€ for the Mini and 120€ for the
Ultra (original versions). However, these prices always fluctuate slightly
(that’s the market, my friend!). On pages like Lab401 or similar, it is
somewhat more expensive. The imitation, meanwhile, is around 20 or 25€. I’ll
leave a link here as well.
Chamele0n Ultra imitation:
Special thanks
Thanks to the usual suspects.
Hackplayers, who put in the effort, to the developers of the NFC/RFID world
including Iceman (@herrmann1001), Gator96100 (@Gator96100), kgamecarter, and so
many others. Thanks to L1k0rd3b3ll0t4 for the support and for going crazy
buying the gadget after a simple comment. To the Spanish pentesting crew for
keeping the J0n3C0n alive, and to my partner without whom I wouldn't be able to
“waste” so much time on research, etc.
Useful links
- GitHub firmware/drivers Chameleon RevE: https://github.com/iceman1001/ChameleonMini-rebooted
- GitHub software Chameleon RevE: https://github.com/iceman1001/ChameleonMini-rebootedGUI
- GitHub firmware/drivers Chameleon Ultra: https://github.com/RfidResearchGroup/ChameleonUltra
- GitHub software Chameleon Ultra: https://github.com/GameTec-live/ChameleonUltraGUI
- Android Playstore app Chameleon Ultra: https://play.google.com/store/apps/details?id=io.chameleon.ultra
- iOS Appstore app Chameleon Ultra: https://apps.apple.com/app/chameleon-ultra-gui/id6462919364
- GitHub source of the Chameleon Mini RevE app: https://github.com/kgamecarter/ChameleonMiniApp
- Android Chameleon Mini RevE Compiled APK: https://mega.nz/file/wJJ0GCzJ#gZTYkAJBciT_AuofHat4QMqBsCPHxvuiLURfAd4dNBY
- Discord RFiD Hacking Iceman: https://discord.gg/QfPvGFRQxH
Author:
- Óscar Alfonso Díaz / OscarAkaElvis / v1s1t0r
- Twitter - X (https://x.com/OscarAkaElvis)
- Contributor at Hackplayers
- Main author of airgeddon: https://github.com/v1s1t0r1sh3r3/airgeddon
- Contributor to Evil-WinRM: https://github.com/Hackplayers/evil-winrm
- Contributor to the CWP Wi-Fi certification:
- Spanish - https://academy.wifichallenge.com/courses/certified-wifichallenge-professional-cwp-esp?ref=c02137
- English - https://academy.wifichallenge.com/courses/certified-wifichallenge-professional-cwp?ref=c02137
- Passionate about cyber-in-security in general
Spanish Edition
Hey! We haven't forgotten that the Hackplayers blog is written mainly in Castilian Spanish; if you want to read the post in the language of Cervantes, follow this link: