Chameleon mini Rev G (MF Detection/Reader attack)

[nico0481]

Hello,

Is the Chameleon mini Rev G able to do reader attack (MF Detection). With which firmware? I can't find a way to do this.

Thank you

Best regards

Nico

[ghost]

Not with standard firmware. I had experimented with it a bit, hadn't tested it yet and hadn't finished it. Need to check my local repos ;)

[ghost]

I've attempted to bodge this feature into the current Rev G firmware and I'm clueless. I've asked the devs for the RevE Rebooted if they could assist with adding this feature to my fork of the Rev G firmware but they just tell me to go here. Would be nice if they could help out, and if not then we'll have to pray that someone gets this working on the rev g or pray we can afford to purchase a rev e rebooted.

https://github.com/lavanoid/ChameleonMini/commit/0ad00933b5aeca77cb0722e145d630c656dbe768 https://github.com/iceman1001/ChameleonMini-rebooted/issues/139

Currently the RevG just locks up with a red LED and I don't know why.

[ghost]

hi @lavanoid I tried the same time ago. found my local repo and pushed it now c8249d5 .

There I don't get problems with red LED. But I am not sure if its working.

Have no experience with detection function and are not sure what exactly is needed. Maybe it is working, but I need some more tests or hints how to test. Any Ideas?

I checked your code. Looks almost identical what I have done.

What have I done:

1. Set MF Classic & UID
2. Set Detection
3. Hold on reader
4. Use GUI and mfkey

[ghost]

I just built the firmware with your commits and it seems to be working, however I have no idea what GUI to use to run mfkey. The latest build of ChameleonMini-rebootedGUI hides the mfkey option when detecting the Rev G.

I thought maybe something would be stored in the Chameleon device logs but I don't seem to have anything in there.

This is the video I watched, to get an idea of how the MF_DETECT function works: https://www.youtube.com/watch?v=1VpXC3-eKhc

[ghost]

Try my GUI fort Rev G

https://gitlab.com/Gtpy/ChameleonMini-RevG_GUI It Support the mfkey.

Gesendet von ProtonMail mobile

-------- Original-Nachricht -------- An 25. Aug. 2019, 19:04, Lava Git schrieb:

I just built the firmware with your commits and it seems to be working, however I have no idea what GUI to use to run mfkey. The latest build of ChameleonMini-rebootedGUI hides the mfkey option when detecting the Rev G.

I thought maybe something would be stored in the Chameleon device logs but I don't seem to have anything in there.

This is the video I watched, to get an idea of how the MF_DETECT function works: https://www.youtube.com/watch?v=1VpXC3-eKhc

[ghost]

That seems to work! Requires a few retries and doesn't always find the keys (might just be because I'm using Mifare Classic Tool on Android and not an actual reader) but it does indeed work.

One bug with the GUI is that it doesn't let me change the UID of the tag, so I have to use another tool to do that.

[ghost]

UID changes worked. Enter UID --> Change UID. (doesn't work in detection mode - need to set for example mf_classic_1k) If it doesn't work, give a short info, then I fix it.

How you check it with MCT? I never tried this :)

[ghost]

(doesn't work in detection mode - need to set for example mf_classic_1k) If it doesn't work, give a short info, then I fix it. I'll give it a try when I'm booted into Windows again (only use Windows for games, so not signed into anything personal).

How you check it with MCT? I never tried this :) I have a few key files from previous tags I have dumped. In MCT, I do this:

1.) Select "Read Tag" 2.) Select the key file I have, from a previous tag 3.) Select "Start mapping and read tag"

MCT will then attempt to authenticate with the Chameleon with the keys I told it to use, just like what a reader would do :)

[ghost]

Ok thanks. Need to use MCT more :) Me too - only Linux user - Win only for games and some GUI stuff

[ghost]

Greetings, my fellow Linux user 🐱

• Windows for games & password cracking with hashcat (pain controlling GPU overclocks and fan speeds on any Linux distro)
• Manjaro Linux for everything else except Netflix (cuz DRM)
• macOS for Netflix (faster than Windows, 1080p Netflix support on special titles, unix)

[nico0481]

Hi Gtpy,

Thanks for the job!

I use your GUI Ver.: 1.1.0.4 and firmware update on chameleon is done. Here are infor from GUI. "ChameleonMini RevG 190321 using LUFA 151115 compiled with AVR-GCC 8.3.0. Based on the open-source NFC tool ChameleonMini. https://github.com/emsec/ChameleonMini commit 8a2755e"

MF_DETECTION is now in the pick list (new configuration), but I get "202:INVALID PARAMETER" in configuration field as soon as I try to select it. Any idea of this issue?

Thank you Best regards

Nico

[ghost]

Hi Nico,

I think you compiled the firmware from emsec/Chameleon-Mini: Master Branch , right? Because emsec not merged the detection feature yet, you’ll need to clone from my fork(gtpy:mfDetection) look at PR: #229

[nico0481]

Hi Gtpy,

Indeed I think it is my mistake. I 've used Chameleon-Mini.eep and https://github.com/emsec/ChameleonMini/commit/8ffa1aad959408bd07fe48f62b48597d5d23373c#diff-5c136db2684df0e3b594562be6cce930 Chameleon-Mini.hex https://github.com/emsec/ChameleonMini/commit/8ffa1aad959408bd07fe48f62b48597d5d23373c#diff-5c136db2684df0e3b594562be6cce930 from master branch. Unfortunately, I feel not very comfortable with compiling fork. I'm going to wait it will be merged, or if anyone could do the job, it will be appreciated...

Thanks

Regards

Le jeu. 12 sept. 2019 à 17:52, Gtpy notifications@github.com a écrit :

Hi Nico,

I think you compiled the firmware from emsec/Chameleon-Mini: Master Branch , right? Because emsec not merged the detection feature yet, you’ll need to clone from my fork(gtpy:mfDetection) look at: #229 https://github.com/emsec/ChameleonMini/pull/229

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/emsec/ChameleonMini/issues/226?email_source=notifications&email_token=AKYE7IAGUYJRVJZUVM5J23TQJJQS7A5CNFSM4ILRM2UKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6SLTGI#issuecomment-530889113, or mute the thread https://github.com/notifications/unsubscribe-auth/AKYE7IFQZRK3EYYX3QLKF6TQJJQS7ANCNFSM4ILRM2UA .

[ghost]

Check out my repo for MF Detection support on the Rev G. It has had some changes made to it, for readers that check the card capacity.

Here is a pre-compiled version with the latest commits in my repo: https://github.com/lavanoid/ChameleonMini/releases/tag/BETA-RevG

[ceres-c]

I think it might be time to close this issue @geo-rg @david-oswald

[Walter-Bishop]

I tried to use gtpy's code in #229 but it seems their GUI is not available any more 😢: https://gitlab.com/Gtpy/ChameleonMini-RevG_GUI

@nico0481 do you (or anyone else) still have a copy of it and could upload it here?

I changed the iceman firmware so that it allows to use the mfkey32 attack but it just returns a CRC checksum error. I assume there is some difference in how the data is being transmitted in the Rev. E rebooted firmware and in #229 but I couldn't find any specific difference yet.