ChameleonMini Rev.G

This is user-friendly documentation for the ChameleonMini (RevG 180125) from Kasper & Oswald GmbH.
Feel free to add to or adapt the documentation.

Table of content

Annex


VERSION

Print the current version of ChameleonMini.

Syntax: version?
101:OK WITH TEXT
ChameleonMini RevG 180125 using LUFA 151115 compiled with AVR-GCC 5.4.0. Based on the open-source NFC tool ChameleonMini. https://github.com/emsec/ChameleonMini commit c6d2968

CONFIG

Get/Set the configuration of the current slot. A "slot" holds the behavior of one emulated card: the ChameleonMini can emulate different card types, and each slot contains one card. In the default configuration, slot 8 is configured as "READER".
Note: The ChameleonMini has 8 slots (1-8).

Syntax: config=?
101:OK WITH TEXT
NONE,MF_ULTRALIGHT,MF_ULTRALIGHT_EV1_80B,MF_ULTRALIGHT_EV1_164B,MF_CLASSIC_1K,MF_CLASSIC_1K_7B,MF_CLASSIC_4K,MF_CLASSIC_4K_7B,ISO14443A_SNIFF,ISO14443A_READER

Set the current slot to MIFARE Classic 4K emulation.
Syntax: config=MF_CLASSIC_4K
101:OK WITH TEXT

Get the configuration of the current slot.
Syntax: config?
101:OK WITH TEXT
MF_CLASSIC_4K

UID

Print the current UID of the emulated card in the selected slot.
Syntax: uid?
101:OK WITH TEXT
9E63BC03A

READONLY

Configures the read-only mode of the internal memory: 1 activates it, 0 deactivates it. While read-only mode is active, any write to the memory is silently ignored.

Print the possible states.
Syntax: readonly=?
101:OK WITH TEXT
1,0

Print the current state of the access rights.
Syntax: readonly?
101:OK WITH TEXT
0

Activate the read-only mode
Syntax: readonly=1
100:OK

UPLOAD

Waits for an XModem connection in order to upload a new virtualized card into the currently selected slot, with a size up to the current memory size.

Syntax: upload<ENTER>

DOWNLOAD

Waits for an XModem connection in order to download a virtualized card with the current memory size.

Syntax: download<ENTER>

RESET

Reboots the Chameleon (power down followed by power-up). Note: A reset usually requires a new terminal session.

Syntax: reset<ENTER>

UPGRADE

Sets the Chameleon into firmware upgrade mode (DFU). This command can be used instead of holding the RBUTTON while powering on to trigger the bootloader.

After running the upgrade command, start the upgrade process described in Getting Started.

Syntax: upgrade<ENTER>

MEMSIZE

Returns the memory size occupied by the current configuration in bytes.

Syntax: memsize?
101:OK WITH TEXT
4096

UIDSIZE

Print the size in bytes of the current UID of the emulated card.

Syntax: uidsize?
101:OK WITH TEXT
4

CHARGING

Returns if the battery is currently being charged (TRUE) or not (FALSE).

Syntax: charging?
120:FALSE

HELP

Returns a comma-separated list of all commands supported by the current firmware.

Syntax: help
101:OK WITH TEXT
VERSION,CONFIG,UID,READONLY,UPL....

RSSI

Returns the voltage measured at the antenna of the Chameleon, e.g., to detect the presence of an RF field or to compare the field strength of different RFID readers.

Syntax: rssi?
101:OK WITH TEXT
2648 mV

SYSTICK

Print the current system tick value in ms since power-on.
Note: The counter overflows every 65,536 ms.

Syntax: systick?
101:OK WITH TEXT
9C30

LEDGREEN

Set/Get the behavior of the green LED.

Possible values are:
Syntax: ledgreen=?
101:OK WITH TEXT
NONE,POWERED,TERMINAL_CONN,TERMINAL_RXTX,SETTING_CHANGE,MEMORY_STORED,MEMORY_CHANGED,CODEC_RX,CODEC_TX,FIELD_DETECTED,LOGMEM_FULL

Get current state:
Syntax: ledgreen?
101:OK WITH TEXT
POWERED

Set value for example:
Syntax: ledgreen=terminal_rxtx<ENTER>
100:OK

LEDRED

Set/Get the behavior of the red LED.

Possible values are:
Syntax: ledred=?
101:OK WITH TEXT
NONE,POWERED,TERMINAL_CONN,TERMINAL_RXTX,SETTING_CHANGE,MEMORY_STORED,MEMORY_CHANGED,CODEC_RX,CODEC_TX,FIELD_DETECTED,LOGMEM_FULL

Get current state:
Syntax: ledred?
101:OK WITH TEXT
FIELD_DETECTED

Set value for example:
Syntax: ledred=powered<ENTER>
100:OK

RBUTTON

Set/Get the behavior of the right button on a "short push".

Possible values are:
Syntax: rbutton=?
101:OK WITH TEXT
NONE,UID_RANDOM,UID_LEFT_INCREMENT,UID_RIGHT_INCREMENT,UID_LEFT_DECREMENT,UID_RIGHT_DECREMENT,CYCLE_SETTINGS,STORE_MEM,RECALL_MEM,TOGGLE_FIELD,STORE_LOG,CLONE

Get current value:
Syntax: rbutton?
101:OK WITH TEXT
CYCLE_SETTINGS

Set value for example:
Syntax: rbutton=uid_random

RBUTTON_LONG

Set/Get the behavior of the right button on a "long push".

Possible values are:
Syntax: rbutton_long=?
101:OK WITH TEXT
NONE,UID_RANDOM,UID_LEFT_INCREMENT,UID_RIGHT_INCREMENT,UID_LEFT_DECREMENT,UID_RIGHT_DECREMENT,CYCLE_SETTINGS,STORE_MEM,RECALL_MEM,TOGGLE_FIELD,STORE_LOG,CLONE

Get current value:
Syntax: rbutton_long?
101:OK WITH TEXT
CYCLE_SETTINGS

Set value for example:
Syntax: rbutton_long=uid_random
100:OK

LBUTTON

Set/Get the behavior of the left button on a "short push".

Possible values are:

Syntax: lbutton=?
101:OK WITH TEXT
NONE,UID_RANDOM,UID_LEFT_INCREMENT,UID_RIGHT_INCREMENT,UID_LEFT_DECREMENT,UID_RIGHT_DECREMENT,CYCLE_SETTINGS,STORE_MEM,RECALL_MEM,TOGGLE_FIELD,STORE_LOG,CLONE

Get current value:
Syntax: lbutton?
101:OK WITH TEXT
CYCLE_SETTINGS

Set value for example:
Syntax: lbutton=uid_random
100:OK

LBUTTON_LONG

Set/Get the behavior of the left button on a "long push".

Possible values are:
Syntax: lbutton_long=?
101:OK WITH TEXT
NONE,UID_RANDOM,UID_LEFT_INCREMENT,UID_RIGHT_INCREMENT,UID_LEFT_DECREMENT,UID_RIGHT_DECREMENT,CYCLE_SETTINGS,STORE_MEM,RECALL_MEM,TOGGLE_FIELD,STORE_LOG,CLONE

Get current value:
Syntax: lbutton_long?
101:OK WITH TEXT
CYCLE_SETTINGS

Set value for example:
Syntax: lbutton_long=uid_random
100:OK

LOGMODE

The 'logmode' command sets the behavior of data logging.

Possible values are:
Syntax: logmode=?
101:OK WITH TEXT
OFF,MEMORY,LIVE

  • OFF -> logging disabled
  • LIVE -> log events are written directly to the terminal
  • MEMORY -> log events are written to SRAM (uC RAM)

Get current value:
Syntax: logmode?
101:OK WITH TEXT
LIVE

Set logging mode:
Syntax: logmode=MEMORY
100:OK

Log Entry Format

The log entries use a TLV (Type Length Value)-like format:

  • Entry type -> 1 byte, see the possible types on GitHub
  • Data length -> 1 byte, the length of the appended data
  • Timestamp -> 2 bytes, current systick timestamp value (ms)
  • Data -> 'Data length' bytes; it is also possible that no data is appended, in which case the Data length field is zero
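The layout above can be decoded with the following parser, added here as an example and not part of the ChameleonMini project. It assumes the 2-byte timestamp is stored most-significant byte first; the entry type values in the constructed sample are arbitrary, not the firmware's real type codes.

```python
# Added example (not ChameleonMini project code): decode a LOGDOWNLOAD image
# using the TLV-like entry layout described above.
# Assumption: the 2-byte systick timestamp is stored MSB first.
from typing import List, NamedTuple

SYSTICK_WRAP_MS = 65_536  # the tick counter overflows every 65,536 ms


class LogEntry(NamedTuple):
    entry_type: int   # 1 byte, see the firmware's type list
    timestamp: int    # 2 bytes, systick value in ms
    data: bytes       # 'Data length' bytes, possibly empty


def parse_log(blob: bytes) -> List[LogEntry]:
    """Walk the buffer header by header; stop cleanly on a truncated tail."""
    entries = []
    pos = 0
    while pos + 4 <= len(blob):                      # need a full 4-byte header
        etype, length = blob[pos], blob[pos + 1]
        ts = (blob[pos + 2] << 8) | blob[pos + 3]    # MSB-first timestamp (assumption)
        start, end = pos + 4, pos + 4 + length
        if end > len(blob):
            # Declared length runs past the buffer: a truncated download or
            # garbage after the last real entry. Never read past the end.
            break
        entries.append(LogEntry(etype, ts, blob[start:end]))
        pos = end
    return entries


def elapsed_ms(earlier: LogEntry, later: LogEntry) -> int:
    """Delta between two consecutive entries, correcting a single 16-bit wrap."""
    return (later.timestamp - earlier.timestamp) % SYSTICK_WRAP_MS


# Constructed sample image (not a real device dump): three entries, the last
# one recorded after the tick counter wrapped, plus a truncated fourth entry.
SAMPLE_LOG = bytes([
    0x10, 0x00, 0x9C, 0x30,                # type 0x10, no data, ts 0x9C30
    0x40, 0x02, 0xFF, 0xF0, 0x26, 0x00,    # type 0x40, 2 data bytes, ts 0xFFF0
    0x41, 0x02, 0x00, 0x20, 0x04, 0x00,    # type 0x41, 2 data bytes, ts 0x0020
    0x42, 0x05, 0x00, 0x30, 0xAA,          # declares 5 data bytes, only 1 present
])
```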

LOGMEM

Returns the remaining free space for logging data in the SRAM (max. 2048 bytes).

Syntax: logmem?
101:OK WITH TEXT
18430 (from which 16382 non-volatile)

LOGDOWNLOAD

Waits for an XModem connection and then downloads the binary log - including any log data in FRAM.

Syntax: logdownload<ENTER>

LOGSTORE

Writes the current log from SRAM to FRAM and clears the SRAM log.

Syntax: logstore<ENTER>
100:OK

Warning
If the FRAM is full, no error message is currently shown.
If calling LOGMEM? after executing this command returns any value other than the maximum SRAM log size, there was not sufficient space in the FRAM and nothing has been done.

LOGCLEAR

Clears the log memory (SRAM on the ATMega and FRAM on the external RAM IC5).

Syntax: logclear<ENTER>
100:OK

SETTING

Get/Set the current slot (slot 1-8) for the card/reader emulation.

Get the current slot number
Syntax: setting?
101:OK WITH TEXT
1

Switch to slot 2
Syntax: setting=2
100:OK

CLEAR

Clears the content of the current slot.

Syntax: clear<ENTER>
100:OK

STORE

Stores the content of the current slot from the external FRAM into the Flash memory.

Syntax: store<ENTER>
100:OK

RECALL

Recalls/restores the content of the current slot from the Flash memory into the external FRAM.

Syntax: recall<ENTER>
100:OK

SEND_RAW

Adds parity bits, sends the given byte string, and returns the card's answer.

Request type A
Syntax: send 26<ENTER>
101:OK WITH TEXT
0400
0010
PARITY OK

Select card
Syntax: send 9320<ENTER>
101:OK WITH TEXT
BA46A1B2EF
0028
PARITY OK
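The terminal replies used throughout this page (a CODE:STATUS line, followed by text lines when the code is 101) and the anticollision answer shown above can be checked with a small parser. This is an added example, not code from the ChameleonMini project; it assumes the reply is captured as one string, and that the BCC in the 5-byte CL1 answer is the XOR of the four UID bytes (ISO/IEC 14443-3).

```python
# Added example (not ChameleonMini project code): parse terminal replies and
# sanity-check the CL1 anticollision answer returned by "send 9320".
from dataclasses import dataclass, field
from typing import List


@dataclass
class Response:
    code: int                                      # numeric status, e.g. 100, 101, 120
    status: str                                    # textual status, e.g. "OK WITH TEXT"
    text: List[str] = field(default_factory=list)  # payload lines (present for 101)

    @property
    def accepted(self) -> bool:
        # 1xx codes mean the command was understood and executed
        return 100 <= self.code < 200


def parse_response(raw: str) -> Response:
    """Split a captured terminal reply into its status line and payload lines."""
    lines = [ln.strip() for ln in raw.replace("\r", "").split("\n")]
    lines = [ln for ln in lines if ln]             # drop empty lines / trailing CRLF
    if not lines or ":" not in lines[0]:
        raise ValueError("missing status line")
    code_str, status = lines[0].split(":", 1)
    if not code_str.isdigit():
        raise ValueError("non-numeric status code: %r" % code_str)
    return Response(int(code_str), status.strip(), lines[1:])


def check_anticollision(answer_hex: str) -> dict:
    """Validate a 5-byte CL1 anticollision answer (UID0..UID3 + BCC).

    Assumption from ISO/IEC 14443-3: BCC is the XOR of the four UID bytes."""
    data = bytes.fromhex(answer_hex)
    if len(data) != 5:
        raise ValueError("expected 5 bytes (4 UID + BCC), got %d" % len(data))
    uid, bcc = data[:4], data[4]
    expected = 0
    for b in uid:
        expected ^= b
    return {"uid": uid.hex().upper(), "bcc": "%02X" % bcc,
            "bcc_ok": bcc == expected,
            "cascade": uid[0] == 0x88}             # 0x88 = cascade tag: UID longer than 4 bytes


# Constructed sample: the reply shown above for "send 9320", as captured from the terminal.
SAMPLE_SELECT_REPLY = "101:OK WITH TEXT\r\nBA46A1B2EF\r\n0028\r\nPARITY OK\r\n"
```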

SEND

Does NOT add parity bits, sends the given byte string, and returns the card's answer.

Syntax: send 26<ENTER>
101:OK WITH TEXT
0400
0010
PARITY OK

GETUID

Obtains the UID of a card that is in the range of the antenna and returns it. This command is a Timeout command.

Valid only in 'ISO14443A_READER' mode

Syntax: getuid<ENTER>
101:OK WITH TEXT
BA46A1B2

DUMP_MFU

Reads the whole content of a Mifare Ultralight card that is in the range of the antenna and returns it. This command is a Timeout command.

Valid only in 'ISO14443A_READER' mode

Syntax: dump_mfu<ENTER>
101:OK WITH TEXT
04A8DEFAE2B54C809B48000000000000
FFFFFFFF000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000

IDENTIFY

Identifies the type of a card in the range of the antenna and returns it. This command is a Timeout command.

Valid only in 'ISO14443A_READER' mode (config=iso14443a_reader)

Syntax: identify<ENTER>
101:OK WITH TEXT
MIFARE Classic 1k
ATQA: 0400
UID: BA46A1B2
SAK: 08

TIMEOUT

Get/Set the timeout for the current slot in multiples of 128 ms. If set to zero, there is no timeout. See also Timeout commands.

Get the possible range
Syntax: timeout=?
101:OK WITH TEXT
0 = no timeout
1-600 = 100 ms - 60000 ms timeout

Get the current value
Syntax: timeout?
101:OK WITH TEXT
5000 ms

THRESHOLD

Get/Set the reader threshold.

Get the possible range
Syntax: threshold=?
101:OK WITH TEXT
Any integer from 0 to 4095. Reference voltage will be (VCC * THRESHOLD / 4095) mV

Set the reader threshold. The value influences the reader function and range; setting a wrong value may result in the reader malfunctioning. DEFAULT: 400

Syntax: threshold=300<ENTER>
100:OK

AUTOCALIBRATE

Automatically finds a good threshold for communicating with the card that currently is on top of the Chameleon. This command is a Timeout command.

Valid only in 'ISO14443A_READER' mode

Syntax: autocalibrate<ENTER>
101:OK WITH TEXT
128: -
136: -
144: -
.
.
.
1000: +
1008: +
1016: -

FIELD

Get/Set the state of the reader field.

Get the possible values
Syntax: field=?
101:OK WITH TEXT
1,0

Switch the reader field on
Syntax: field=1
100:OK

CLONE

Change the config and UID to those of the identified card (MIFARE Classic 1k/4k or Ultralight). To check the progress, you can set the mode of the LEDs to FIELD_DETECTED (ledred=field_detected).

(In fact, it is not a really full clone of a card. It clones the card ID and switches the ChameleonMini to the same card type as the "master". Nevertheless, this is enough to make penetration tests of low-level systems that rely only on the card ID and/or card type.)

Syntax: clone<ENTER>
Then hold the card to be cloned in the reader's field.

See ISSUE #165

Annex

| Abbreviation | Description |
|---|---|
| PICC | Proximity Integrated Circuit Card (MIFARE Card) |
| PCD | Proximity Coupling Device (Card reader) |
| ACK | ACKnowledge |
| NAK | Not AcKnowledge |
| ATQA | Answer To reQuest, Type A |
| NUID | Non-Unique IDentifier |
| REQA | REQuest command, Type A |
| SAK | Select AcKnowledge, Type A |
| UID | Unique IDentifier |
| WUPA | Wake-Up Protocol, Type A |

MIFARE Classic command overview

NXP Datasheet 4K

| Command | ISO/IEC 14443 | Command code (hexadecimal) |
|---|---|---|
| Request | REQA | 26h (7 bit) |
| Wake-up | WUPA | 52h (7 bit) |
| Anticollision CL1 | Anticollision CL1 | 93h 20h |
| Select CL1 | Select CL1 | 93h 70h |
| Anticollision CL2 | Anticollision CL2 | 95h 20h |
| Select CL2 | Select CL2 | 95h 70h |
| Halt | Halt | 50h 00h |
| Authentication with Key A | - | 60h |
| Authentication with Key B | - | 61h |
| Personalize UID Usage | - | 40h |
| SET_MOD_TYPE | - | 43h |
| MIFARE Read | - | 30h |
| MIFARE Write | - | A0h |
| MIFARE Decrement | - | C0h |
| MIFARE Increment | - | C1h |
| MIFARE Restore | - | C2h |
| MIFARE Transfer | - | B0h |

MIFARE Classic ACK and NAK

| Code (4-bit) | Transfer buffer validity | Description |
|---|---|---|
| Ah | | Acknowledge (ACK) |
| 0h | valid | invalid operation |
| 1h | valid | parity or CRC error |
| 4h | invalid | invalid operation |
| 5h | invalid | parity or CRC error |

ATQA and SAK responses

ATQA response of the MF1S70yyX/V1

| Sales type | Hex value |
|---|---|
| MF1S00yX | 00 44h |
| MF1S03yX | 00 04h |
| MF1S700yX | 00 42h |
| MF1S703yX | 00 02h |

SAK response of the MF1S70yyX/V1

| Sales type | Hex value |
|---|---|
| MF1S70yyX/V1 | 18h |

How to customize the Firmware

The easiest way is to set up a toolchain on UBUNTU (physical or as a VM). This example uses UBUNTU as a VirtualBox VM.

  1. Download the UBUNTU Desktop as ISO (I used Ubuntu 16.04.3 LTS) and create a VM.

  2. Install the AVR GCC Toolchain:

    Syntax: sudo apt-get install gcc-avr binutils-avr gdb-avr avr-libc avrdude<ENTER>

  3. Install git (HowTo):

    Syntax: apt-get update<ENTER>
    Syntax: apt-get install git-core<ENTER>

  4. Clone the ChameleonMini repo to the local machine.

    • create a target directory like ~/git: Syntax: mkdir ~/git<ENTER>
    • change into the new directory: Syntax: cd ~/git<ENTER>
    • clone the original repository into the current directory:
      Syntax: git clone https://github.com/emsec/ChameleonMini.git<ENTER>
  5. For remote access to the VM, install ssh:

    Syntax: sudo apt-get install openssh-server<ENTER>

  6. Edit the ChameleonMini source files:

    After cloning the git repository, you will find the firmware files under ~/git/ChameleonMini/Firmware/Chameleon-Mini

  7. Compile the changes:

    Syntax: make<ENTER>
    ../LUFA/Build/lufa_build.mk:131: The XMEGA device support is currently EXPERIMENTAL (incomplete and/or non-functional), and is included for preview purposes only.
    [INFO] : Begin compilation of project "Chameleon-Mini"...

    avr-gcc (GCC) 4.9.2
    Copyright (C) 2014 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    [OBJCPY] : Extracting HEX file data from "Chameleon-Mini.elf"
    avr-objcopy -O ihex -R .eeprom -R .fuse -R .lock -R .signature --set-section-flags=.flashdata="alloc,load" Chameleon-Mini.elf Chameleon-Mini.hex
    [OBJCPY] : Extracting EEP file data from "Chameleon-Mini.elf"
    avr-objcopy -O ihex -j .eeprom --set-section-flags=.eeprom="alloc,load" --change-section-lma .eeprom=0 --no-change-warnings Chameleon-Mini.elf Chameleon-Mini.eep || exit 0
    [SIZE] : Determining size of "Chameleon-Mini.elf"

    avr-size --mcu=atxmega128a4u --format=avr Chameleon-Mini.elf
    AVR Memory Usage
    ----------------
    Device: atxmega128a4u

    Program: 49218 bytes (35.3% Full)
    (.text + .data + .bootloader)

    Data: 5537 bytes (67.6% Full)
    (.data + .bss + .noinit)

    EEPROM: 100 bytes (4.9% Full)
    (.eeprom)


    [INFO] : Finished building project "Chameleon-Mini".

Now you have the two compiled files you need, Chameleon-Mini.eep and Chameleon-Mini.hex.

  8. Upgrade the Firmware

    Start the upgrade process described in Getting Started with both compiled files, Chameleon-Mini.eep and Chameleon-Mini.hex.

That's it. Now, you have your own code :-)