RfidResearchGroup / ChameleonMini

The ChameleonMini is a versatile contactless smartcard emulator compliant to NFC. The ChameleonMini was first developed by KAOS. This is NOT the official repo for KAOS's ChameleonMini. For further information see the Getting Started Page
http://chameleontiny.com/help/

Chameleon Tiny - UID not changeable #21

Open Bowski81 opened 4 years ago

Bowski81 commented 4 years ago

Hello Everybody.

I need some help.

I followed the first step guide on GitHub to setup my chameleon tiny.

It is working properly and I am able to read several tags and get the correct UID.

However, while trying to simulate an ISO14443 Tag and setting the UID it won't let me change the UID.

Here is a screenshot of the problem: B9412F50-6806-469B-9530-C6B2528D3A30

As you can see I'm trying to change the UID to 395A431D. As you can see the value does change to another one every time. In this case it changed to 399A733D. So I am not able to change it to the value I want.

I have a Proxmark 3 in use also which is working as expected. However the chameleon tiny does not.

Am I missing something?

Any advice would be helpful.

Akisame-AI commented 4 years ago

Could you test a UID of 00000000? I had a similar problem.

Phreak87 commented 3 years ago

Same problem here. Any news on that topic?

Akisame-AI commented 3 years ago

It depends. Are all sectors the same? Or if all sectors have some random numbers in some places instead of zeros, it means you have permanently flipped some of the bits of the MRAM (Magnetic Random Access Memory) with a magnetic field. This is irrecoverable.

Phreak87 commented 3 years ago

All slots are the same UID and they are not filled with zeros. I tried with a few different firmwares but it remains the same. What do you think goes wrong and how to fix it?

Akisame-AI commented 3 years ago

Could you upload a dump (.eml) from a slot? I want to confirm it is indeed the same issue. I had the same issue and I tried everything to fix it. I think you need some highly specialized equipment to actually fix it. I contacted the manufacturer and they sent me a new Chameleon Tiny. You can check https://github.com/RfidResearchGroup/ChameleonMini/issues/29 to see how I troubleshot this problem when I first encountered it.

Phreak87 commented 3 years ago

Sure, I got a slot #1 dump. I've tried a few times to update the firmware and clean the fmem. Today I contacted the manufacturer too and will try with them to figure out the problem. 1.zip

One idea from my side was to completely overwrite the FRAM with zeros, but I need some code snippets to compile a "cleaner firmware". I will check the link now - maybe it will help.

Thank you for your support!

Akisame-AI commented 3 years ago

The Tiny doesn't have FRAM. It has MRAM. Believe me, I tried it all, including writing 50 cycles of 1's and 0's, degaussing on professional equipment, etc. If you messed up your MRAM it is dead. Could you upload an .eml file? I can't easily check .bin.

Phreak87 commented 3 years ago

Oh, sorry - here you have it - my thinking was it's the same except the ending. 1 (2).zip

Phreak87 commented 3 years ago

For this dump I uploaded the mifare1k.mfd and downloaded the .eml in the GUI. I hope it's the right content you need. If not, please guide me to get what you need.

Akisame-AI commented 3 years ago

Yeah, this confirmed it for me. You have about 14 bits that are stuck in your MRAM. You have accidentally exposed your Tiny to a magnet. Most of the bits that are stuck are very significant bits (meaning you can still access quite a few UIDs so long as those bits are on). If you still have your warranty you should contact the manufacturer. They will ship you a replacement. Unless you have very specialized equipment this can't be fixed.

Phreak87 commented 3 years ago

Thank you very much! How do you figure out the corrupted bytes?

Akisame-AI commented 3 years ago

Convert the hex (which is supposed to be 0) to binary and check which bits are 1.

Phreak87 commented 3 years ago

🤔 Seems easy. My big question is: why do these 14 bits affect all of the slots and assign the same ID to all? My thinking was that the memory is separated into slots, each 4 kb.

Akisame-AI commented 3 years ago

Well, your active slot is loaded into the MRAM and thus gets affected by the stuck bits. It seems that they reuse a certain part of the MRAM repeatedly. I'm not too sure why. It seems the stuck bits repeat every 64 bits, so it might be stacked that way. You would have to ask DennisRRG or @Olaf-PROXGRIND-CTO on the Discord server.

Phreak87 commented 3 years ago

Hmmm, bad 🤔. The reseller will send me a new device. I'm thinking about a source code modification to use the old device with only 1 slot, as another way to not throw it in the trash.

Akisame-AI commented 3 years ago

Together with Project Walrus you can still use it as a low profile reader for copying UIDs.

SHMAUS-Carter commented 3 years ago

Why does the Tiny use MRAM? Is there a reason they chose to use it? It seems like the magnet weakness is a rather critical vulnerability.

Akisame-AI commented 3 years ago

We don't know. I imagine the MRAM is physically smaller; I know for sure it is a LOT faster (nearly twice as fast); or it might be because MRAM has unlimited endurance and infinite read/write cycles, while FRAM reads are destructive and eventually lead to wear-out.

SHMAUS-Carter commented 3 years ago

I thought only FRAM writes were destructive.