
rfidresearchgroup / chameleonultra


The new generation Chameleon, based on the nRF52840, makes card emulation more stable and gives the Chameleon the ability to read, write, and decrypt cards.

Home Page: https://chameleonultra.com

License: GNU General Public License v3.0

Makefile 0.13% C 96.65% Assembly 2.31% HTML 0.01% CSS 0.03% Batchfile 0.01% Shell 0.02% Python 0.70% CMake 0.01% Dockerfile 0.01% C++ 0.15%
125khz chameleon iso14443a mifare nfc ntag rfid simulate ultralight chameleonultra

chameleonultra's Introduction


ChameleonUltra Authorized Distributors

Europe: Lab401

United States: Hackerwarehouse

Anywhere else: Sneaktechnology / Aliexpress by RRG

What is it and how do I use it?

Read the available documentation.

Public roadmap: see the reference linked here.

Table for future functionality progress

| No. | Functionality to achieve | Date | In Progress / Achieved ? | Contributors | RRG will reward |
|-----|--------------------------|------|--------------------------|--------------|-----------------|
| 1 | Adding DESfire Support | 28/09/2023 | | | |
| 2 | Adding Indala Emulation | 28/09/2023 | | | |
| 3 | Adding HID Prox 26 bit Emulation | 28/09/2023 | | | |
| 4 | Adding custom keys for t5577 read | 28/09/2023 | | | |
| 5 to 14 | (not yet assigned) | | | | |

Compatible applications

Videos

Beware some of the instructions might have changed since recording, check the current documentation when in doubt!

Official channels

Where do you find the community?

chameleonultra's People

Contributors

aenigma-es, aramova, augustozanellato, bring42, ca1e, dergraph, digitalcardboard, doegox, domints, drego85, f9alejandro, foxushka, gametec-live, gentilkiwi, iceman1001, m-kozlowski, merlokk, mitmarcus, nemanjan00, p-l-, petepriority, sgnusov, shallax, shigemorihakura, spp2000, szymex73, taichunmin, uhei, usbninjarrg, xianglin1998


chameleonultra's Issues

BLE connection not possible

impossible for me to connect with my android 13 phone
no problem with my android 13 tablet
both are Oppo brand
I tried everything 🤷‍♂️

Enhanced function of copying UID offline by pressing the A/B button

First of all, thank you very much for your contribution. Now you can press the A/B button to copy UID offline. But I don’t know if it is possible to enter the 10/20/30 second waiting time after pressing the A/B button. During this waiting time, any card that enters the range can be copied. I think this feature is helpful in many scenarios. Thanks!

TimeoutError: CMD 1002 exec timeout - device timeout?

Hi, I used the code from the following video to run my ultra chameleon: https://www.youtube.com/watch?v=VGpAeitNXH0
It worked perfectly, however, after playing around with the MTools Lite with my chameleon ultra, I tried using the same commands as the video: hw mode get -h or set and I now get the following errors:
CLI exception: Traceback (most recent call last):
File "chameleon_cli_main.py", line 219, in startCLI
unit.on_exec(args_parse_result)
File "/Users/XXXX/ChameleonUltra/software/script/chameleon_cli_unit.py", line 236, in on_exec
print(f"- Device Mode ( Tag {'Reader' if self.cmd_standard.is_reader_device_mode() else 'Emulator'} )")
File "/Users/XXX/ChameleonUltra/software/script/chameleon_cmd.py", line 118, in is_reader_device_mode
resp = self.device.send_cmd_sync(DATA_CMD_GET_DEVICE_MODE, 0x00, None)
File "/Users/XXX/ChameleonUltra/software/script/chameleon_com.py", line 345, in send_cmd_sync
raise TimeoutError(f"CMD {cmd} exec timeout")
TimeoutError: CMD 1002 exec timeout

Has this happened to anyone else?

Thanks for your help.

Can't make flash or make flash_softdevice

When I run those commands, they raise an error:
ERROR: No debuggers were discovered.
I'm using a Mac mini with an M1 chip. I used the command JLinkExe -device nRF52 -if SWD to try to find the device, but that failed too. How should I solve this problem, or how should I update the bootloader and application?

Need Help About Mifare 1k Card Simulation

Hi, I just got my ChameleonUltra recently and am using it to simulate my access card. After loading the bin file dumped with a pm3 easy, it works just fine when I use the pm3 to validate the data.
However, it cannot pass the access control, so I used the pm3 to record the communications. Now I'm wondering whether the problem happens because of latency during the simulation. Here is the trace file I got.
2023-08-24.zip

TypeError: 'type' object is not subscriptable

I'm new to this project. So, maybe, I miss something...

On Debian Buster 10.13 amd64

After installing the code with the last commit (5c62739) and trying to run python3 chameleon_cli_main.py, I get this:
Traceback (most recent call last):
  File "chameleon_cli_main.py", line 8, in <module>
    import chameleon_cmd
  File "/home/jps/Downloads/ChameleonUltra/software/script/chameleon_cmd.py", line 6, in <module>
    from chameleon_utils import UnexpectedResponseError, expect_response
  File "/home/jps/Downloads/ChameleonUltra/software/script/chameleon_utils.py", line 45, in <module>
    def expect_response(accepted_responses: Union[int, list[int]]):
TypeError: 'type' object is not subscriptable

By looking around the history of chameleon_utils.py, I found a change at commit f6e2232 just near the reported error.

I checked out the previous commit (a349288), built it, and
python3 chameleon_cli_main.py
[Offline] chameleon --> hw connect
{ Chameleon connected }
[USB] chameleon -->

Any help welcome...

JP

compiling with VS 2022 Community - error on darkside

Well, with the latest commit f80e7fe, while I could compile mfkey and nested, I get an error when compiling darkside:

Severity	Code	Description	Project	File	Line	Suppression State
Error	LNK1120	1 unresolved externals	darkside	C:\Users\Hakan\source\repos\ChameleonUltra\software\bin\Release\darkside.exe	1	
Warning	C6011	Dereferencing NULL pointer 'last_keylist'. 	darkside	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\darkside.c	107	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32.c	27	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32.c	28	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32.c	29	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32.c	30	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32.c	31	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32.c	32	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32v2	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32v2.c	29	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32v2	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32v2.c	30	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32v2	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32v2.c	31	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32v2	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32v2.c	32	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32v2	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32v2.c	33	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32v2	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32v2.c	34	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey32v2	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey32v2.c	35	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey64	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey64.c	44	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey64	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey64.c	45	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey64	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey64.c	46	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey64	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey64.c	47	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey64	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey64.c	48	
Warning	C6031	Return value ignored: 'sscanf'.	mfkey64	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey64.c	53	
Warning	C26451	Arithmetic overflow: Using operator '*' on a 4 byte value and then casting the result to a 8 byte value. Cast the value to the wider type before calling operator '*' to avoid overflow (io.2).	mfkey64	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey64.c	53	
Warning	C6385	Reading invalid data from 'enclen'.	mfkey64	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\mfkey64.c	67	
Warning	C6001	Using uninitialized memory 'bucket.head'.	nested	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\crapto1.c	192	
Warning	C6262	Function uses '262288' bytes of stack.  Consider moving some data to heap.	nested	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\crapto1.c	225	
Warning	C6001	Using uninitialized memory 'table'.	nested	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\crapto1.c	250	
Warning	C6292	Ill-defined for-loop.	nested	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\crapto1.c	385	
Warning	C26451	Arithmetic overflow: Using operator '<<' on a 4 byte value and then casting the result to a 8 byte value. Cast the value to the wider type before calling operator '<<' to avoid overflow (io.2).	nested	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\crypto1.c	46	
Warning	C6297	Arithmetic overflow.  Results might not be an expected value.	nested	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\crypto1.c	46	
Warning	C26451	Arithmetic overflow: Using operator '<<' on a 4 byte value and then casting the result to a 8 byte value. Cast the value to the wider type before calling operator '<<' to avoid overflow (io.2).	nested	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\crypto1.c	47	
Warning	C6297	Arithmetic overflow.  Results might not be an expected value.	nested	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\crypto1.c	47	
Warning	C6001	Using uninitialized memory 'keys'.	nested	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\nested.c	201	
Error	LNK2019	unresolved external symbol compare_uint64 referenced in function main	darkside	C:\Users\Hakan\source\repos\ChameleonUltra\software\src\build\darkside.obj	1	

What am I doing wrong? The other executables are all fine.

Long-press key binding

It would be very useful to have long-press key binding so we can have more offline functions

Development/testing phase

Hi!
First of all, great and useful project, thanks a lot.
I wonder, can I join development/testing phase?

Failed FW upload, device stuck in DFU

I've just compiled and attempted an upload of the FW per the below:


simongeorge@MacBook-Pro-3 firmware % nrfutil device program --firmware objects/dfu-app.zip --traits nordicDfu
WARNING: JLinkARM DLL not found. SEGGER J-Link devices will not be recognized correctly, and J-Link operations will not be available. Install J-Link from https://www.segger.com/downloads/jlink/.

[00:00:00] ------ 0% [2/2 DABF4026FDE6] Failed, [sdfu]
Error: One or more program tasks failed

Device was in DFU mode, connected (Mac) via USB. Device now has two red lights flashing (same as DFU green lights). Lights return to green when reconnected to Mac via USB, but I can't get out of the DFU and reattempts to upload FW result in same.

[Theoretical Idea] CU auto detects reader

If it's not possible, just close it. If it doesn't make sense because the reader will first deny the connection and only then it works (i.e. it takes more time than just pushing a button), also close it.

In theory, could the CU detect the reader and change to the appropriate card in the slot?
Let's say you save the card and you approach the reader to save the reader as well with it.

So when the CU is near the reader it switches to the correct card based on the first few keys from the reader.

Checking firmware version?

It would be nice to have a feature where we can check the current firmware version number with the latest version of the firmware. This way those who are having trouble compiling the firmware can ensure they have the latest version installed.

Autocompletion glitch

Hi @szymex73
There is an issue with autocompletion apparently on all platforms (Linux, Windows, WSL):
hw connect --p<tab> results in hw connect ----port
(4 "-")
Could you have a look? Thanks!

How to open project!

I installed the SEGGER embedded Studio, but how do I open the firmware?

Thanks

Some suggestions for firmware compatibility.

  1. The part related to the communication protocol cannot be changed at will.
  2. Those involving communication command codes and communication return parameters cannot be changed at will.
  3. When adding any command, its function definition should be considered, and the functions related to HF should not be placed in the Device category.
  4. If you need to delete the command, you can only mark it for deletion, remember not to rearrange the communication command code.
  5. In any case, the client must be able to obtain the software version code for compatibility processing.
  6. The current firmware version lacks many commands, which will lead to the client's functions being too simple or too difficult to use. It is necessary to wait for the v1.1 version to be released when the firmware is relatively complete, and update iteratively and perform compatibility processing from the v1.1 version.
  7. After the v1.1 version of the firmware is released in the future, changes that affect compatibility should be more strictly reviewed to prevent the new firmware from being unable to run on the old client.
  8. Ideally, when a user uses a new client with an old device firmware, there should be no compatibility issues. In other words, users can still use the old functions, but only the functions provided by the new version of the firmware cannot be used. (For example, the device firmware v1.2 provides the function of StaticNested decryption, but the GUI/CLI recognizes that the device firmware version used by the user is v1.1, then the user should be prohibited from running this function, and the user should be guided to update the firmware)
  9. Starting from version v1.1, a compatibility adaptation document needs to be provided, and any client can perform compatibility adaptation according to the guidance of this document. For example, it is described in the document that the v1.2 version adds the collection command of StaticNested decryption parameters, and describes the specific meaning of the collected parameters, then any client can provide the StaticNested function when it detects that the firmware version is v1.2. (ideally)

Note: We are currently in the stage of ChameleonUltra's firmware function construction and community ecological construction, and we can temporarily ignore the strict restrictions on adding/modifying commands.
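The compatibility rules above (fixed command codes that are never reused, deleted commands only marked, the version query always available, and the client refusing features the connected firmware lacks) can be put into a small client-side dispatcher. The block below is an added example, not code from the ChameleonUltra project: the command registry, the version numbers and the FakeDevice transport are constructed for the demonstration; codes 1002 and 1025 are taken from the tracebacks on this page, code 1000 and the remaining codes are assumptions.

```python
"""Version-gated command dispatch for a ChameleonUltra-style client.

Added example, not ChameleonUltra project code. The command codes,
version numbers and SUPPORTED_SINCE data below are constructed
assumptions that mirror the compatibility rules: codes are never
reused, deleted commands are only marked, and the client checks the
firmware version before offering a feature.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int]

# Constructed registry: code -> (name, first firmware version that supports
# it, version at which it was marked deleted or None). A deleted command
# keeps its code forever (rule 4), so the code is never reused.
COMMAND_REGISTRY: Dict[int, Tuple[str, Version, Optional[Version]]] = {
    1000: ("GET_APP_VERSION", (1, 0), None),          # assumed; must always exist (rule 5)
    1002: ("GET_DEVICE_MODE", (1, 0), None),          # code seen in a traceback on this page
    1025: ("GET_BATTERY_INFO", (1, 1), None),         # code seen in a traceback on this page
    2010: ("MF1_STATIC_NESTED_ACQUIRE", (1, 2), None), # constructed, per the v1.2 example above
    2005: ("OLD_DEBUG_DUMP", (1, 0), (1, 1)),         # constructed: marked deleted in v1.1
}


class FirmwareTooOld(Exception):
    """Raised when the client refuses a command the connected firmware lacks."""


@dataclass
class FakeDevice:
    """Constructed stand-in for the serial transport."""
    version: Version

    def send_cmd_sync(self, cmd: int, status: int = 0, data: bytes = b"") -> bytes:
        if cmd == 1000:
            return bytes(self.version)
        name, since, deleted = COMMAND_REGISTRY[cmd]
        if self.version < since or (deleted is not None and self.version >= deleted):
            # Mirrors the real client's "Device unsupported cmd" failure mode.
            raise RuntimeError(f"Device unsupported cmd: {cmd}")
        return name.encode()


class CompatClient:
    def __init__(self, device: FakeDevice) -> None:
        self.device = device
        self.fw_version: Optional[Version] = None

    def connect(self) -> Version:
        # Rule 5: the version query is the one command assumed on every firmware.
        raw = self.device.send_cmd_sync(1000)
        self.fw_version = (raw[0], raw[1])
        return self.fw_version

    def supports(self, cmd: int) -> bool:
        if self.fw_version is None:
            raise RuntimeError("connect() first")
        _, since, deleted = COMMAND_REGISTRY[cmd]
        if self.fw_version < since:
            return False
        return deleted is None or self.fw_version < deleted

    def run(self, cmd: int) -> bytes:
        """Rule 8: refuse locally with guidance instead of letting the device fail."""
        if not self.supports(cmd):
            name, since, _ = COMMAND_REGISTRY[cmd]
            raise FirmwareTooOld(
                f"{name} needs firmware v{since[0]}.{since[1]}, device runs "
                f"v{self.fw_version[0]}.{self.fw_version[1]}; please update the firmware")
        return self.device.send_cmd_sync(cmd)

    def available_commands(self) -> List[str]:
        return sorted(name for code, (name, _, _) in COMMAND_REGISTRY.items()
                      if self.supports(code))


def demo(version: Version) -> List[str]:
    """Commands a client would expose for a device running `version`."""
    client = CompatClient(FakeDevice(version))
    client.connect()
    return client.available_commands()


def try_run(version: Version, cmd: int) -> str:
    """'ok' when the command runs, otherwise the guidance message shown to the user."""
    client = CompatClient(FakeDevice(version))
    client.connect()
    try:
        client.run(cmd)
        return "ok"
    except FirmwareTooOld as exc:
        return str(exc)


if __name__ == "__main__":
    for v in ((1, 0), (1, 1), (1, 2)):
        print(v, demo(v))
    print(try_run((1, 1), 2010))
```

The point of the registry is that the client decides from the version answer alone, before sending anything, so an old firmware never sees a command code it does not know and the user gets an update hint instead of a device timeout.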

Attack Information needed!

Where can I find any information about the attacks, like how do they work on an firmware level.

Thanks

CI must block breaking PRs

The current main branch (e7264bd) is broken because of the NTAG PR.
We should implement checks in the CI like for pm3, to avoid blindly merging code that does not even compile...

LF scan/read issues

I can't seem to scan my LF tag properly using the CLI and the GUI app. The GUI recognized the EM4100 tag, except when saving it it's exporting a 0kb file.

Am I doing something wrong or is this a bug?

Insecure BLE connection / pairing process (Big ish security issue) (Allowing unauthorized pairing)

The current implementation of BLE / BLE UART allows anyone to connect and pair to any Chameleon without authorization.
This potentially allows someone, without authorization, to wipe cards or "steal" cards containing sensitive data from the device.

Suggestion to solve this problem: Either password protect (eg not respond to commands until password is sent) or require the confirmation on hardware via a button press or similar to allow connecting / pairing.
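A gate that implements the suggestion above, as an added example that is not ChameleonUltra firmware code: commands touching stored card data are refused until the link has been authorized, either by a password (compared in constant time, with a lockout after repeated failures) or by a button press on the device, and authorization never outlives the connection. The command names, the example PIN and the salt are constructed for the demonstration.

```python
"""Authorization gate in front of a BLE command channel.

Added example, not ChameleonUltra firmware code. It sketches the
mitigation proposed in the issue: commands that read or modify stored
card data are refused until the link has been authorized, either by a
password or by a physical button press. Command names, the example PIN
and the salt are constructed.
"""
import hashlib
import hmac
from enum import Enum, auto
from typing import List


class Link(Enum):
    UNAUTHORIZED = auto()     # fresh connection: only harmless queries allowed
    AWAITING_BUTTON = auto()  # client asked for access, waiting for a button press
    AUTHORIZED = auto()       # password or button accepted for this connection


# Constructed command sets. Only PUBLIC_CMDS may run before authorization.
PUBLIC_CMDS = {"GET_APP_VERSION", "GET_DEVICE_MODE"}
SENSITIVE_CMDS = {"SLOT_DUMP", "SLOT_WIPE", "SLOT_LOAD"}
MAX_FAILURES = 5                    # lockout threshold for password attempts
SALT = b"example-device-salt"       # constructed; a real device would use a per-device value


def hash_password(password: str) -> bytes:
    """Slow salted hash so a stored digest is not trivially brute-forced."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 20_000)


class BleGate:
    def __init__(self, password_hash: bytes) -> None:
        self._password_hash = password_hash
        self.state = Link.UNAUTHORIZED
        self.failures = 0
        self.audit: List[str] = []  # what a defender would want logged

    def on_disconnect(self) -> None:
        """Authorization is per connection; it never survives a reconnect."""
        self.state = Link.UNAUTHORIZED

    def submit_password(self, password: str) -> bool:
        if self.failures >= MAX_FAILURES:
            self.audit.append("password attempt while locked out")
            return False
        ok = hmac.compare_digest(hash_password(password), self._password_hash)
        if ok:
            self.state = Link.AUTHORIZED
            self.failures = 0
            self.audit.append("password accepted")
        else:
            self.failures += 1
            self.audit.append(f"password rejected ({self.failures}/{MAX_FAILURES})")
        return ok

    def request_button_confirm(self) -> None:
        """Alternative path: the client asks, whoever holds the device must press a button."""
        if self.state is Link.UNAUTHORIZED:
            self.state = Link.AWAITING_BUTTON

    def on_button_press(self) -> None:
        if self.state is Link.AWAITING_BUTTON:
            self.state = Link.AUTHORIZED
            self.audit.append("button confirmation accepted")

    def handle(self, cmd: str) -> str:
        """Dispatch point: the gate runs before any command handler."""
        if cmd in PUBLIC_CMDS:
            return "ok"
        if cmd in SENSITIVE_CMDS and self.state is Link.AUTHORIZED:
            return "ok"
        self.audit.append(f"rejected {cmd} in state {self.state.name}")
        return "rejected: not authorized"


def password_flow() -> List[str]:
    """Results of a short session: query, dump refused, wrong PIN, right PIN, dump, reconnect."""
    gate = BleGate(hash_password("example-pin"))
    out = [gate.handle("GET_APP_VERSION"), gate.handle("SLOT_DUMP")]
    out.append(str(gate.submit_password("guess")))
    out.append(str(gate.submit_password("example-pin")))
    out.append(gate.handle("SLOT_DUMP"))
    gate.on_disconnect()
    out.append(gate.handle("SLOT_WIPE"))
    return out


def lockout_flow() -> bool:
    """True if the correct PIN is refused after MAX_FAILURES wrong attempts."""
    gate = BleGate(hash_password("example-pin"))
    for _ in range(MAX_FAILURES):
        gate.submit_password("guess")
    return gate.submit_password("example-pin") is False and gate.state is Link.UNAUTHORIZED


if __name__ == "__main__":
    print(password_flow())
    print("lockout works:", lockout_flow())
```

The button path needs no shared secret at all, which is why it is the simpler option on a device with a physical owner: a remote party can ask, but only someone holding the Chameleon can grant.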

Chameleon FW can't emulate 7B UID Mifare Classic cards

Hi, so I'm trying to emulate an EV1 tag (without signature), and I can get the UID/ATQA/SAK to emulate correctly, but then cannot read any data from the tag. I'm using a proxmark3 generic to verify. Any help would be appreciated.

I'm running the latest firmware and using the latest version of the client.

Edit: this now appears to occur with all 7B UID Mifare classic cards.

My steps:
hw mode set -m e
hw slot change -s 1
hw slot openall
hw slot init -t 3 -s 1
hf mf eload -t hex -f dump.eml
hf mf sim --sak 08 --atqa 4400 --uid 04**********80 (7 byte uid)

Reading on the proxmark:

Chameleon:

[usb] pm3 --> hf 14a info

[+]  UID: 04 ** ** ** ** ** 80
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[#] Auth error
[?] Hint: try `hf mf` commands

[usb] pm3 --> hf mf rdbl --blk 0 -k FFFFFFFFFFFF
[#] Auth error

Actual key:

[usb] pm3 --> hf 14a info

[+]  UID: 04 ** ** ** ** ** 80
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
(omitted)

[usb] pm3 --> hf mf rdbl --blk 0 -k FFFFFFFFFFFF

[=]   # | sector 00 / 0x00                                | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | 04 ** ** ** ** ** 80 88 44 00 C8 20 00 00 00 00 | ****

Mfc 1k Full emulation (not UID only) with OEM readers

There are several reports (also in other communities) of lack of communication between Ultra/Lite and various OEM readers (for Mifare Classic 1k Full Emulation), so they do not respond at all when an Ultra/Lite approaches.
At the same time, not a single case seems to be reported yet where Full Emulation works properly with OEM readers.
Conversely, there are no problems if the reading tests are performed with the various tools (Proxmark3 all versions, Chameleon Ultra as a reader, Flipper Zero and smartphones), which would seem to be much more tolerant.
But the real purpose of Chameleon is not to use with these devices!

The problem lies in the fact that, while the Anti-collision is completed, the Authentication to the Mifare blocks is not completed (therefore the ReadBlock is not reached).
For this reason the issue concerns the Full emulation: if the OEM application needs only the UID there are no problems, while if it requires the reading of a block it fails (no answer at all).

Various traces (Proxmark3 sniff) have been acquired with Ultra/Lite, from which it can be seen that with the current firmware the authentication phase to the Mifare blocks is not completed. To have a reference of how the communication should be, traces were also acquired with a passive tag and Mini Rev.G (which works fine).

The problem seems to be mainly related to the Frame Delay Time (fdt) after AUTH-B (61xx), which seems to be too short so the reader stops communicating.

As suggested by @doegox, mainly two types of tests were done:

  1. disabling Fast Emulation (NFC_MF1_FAST_SIM in nfc_mf1.h)
  2. leaving Fast Emulation active but adding a delay (bsp_delay_us(30); in nfc_mf1.c line 558 + #include bsp_delay.h)

Test results:

  1. you get an increase in fdt, communication has improved a bit, but the OEM readers still fail to complete authentication.
  2. As suggested, delays from 42 to 50 were tested, without success. The first complete reading was obtained with a delay of 30.

These tests were performed with the Chameleon Lite because with the Ultra it isn't possible to sniff: the field is too weak (small antenna?) to couple reader and Ultra with the Proxmark3 (Easy) in the middle (the white LED doesn't turn on).
Furthermore, loading this modified FW on the Ultra too, it doesn't work. I do not know why.

Not having all the necessary skills to go further, I submitted this issue to you.
I hope it helps as a starting point to get a definitive fix.
If you need, I can help by testing the fix (or trials) on 3 different OEM applications with both Ultra and Lite.

Attachments:

  • Doegox suggestion
  • Trace of Lite with actual FW: too fast/incomplete authentication
  • Trace of Lite with bsp_delay_us(30): quite ok with Lite, still KO with Ultra (idk)
  • Trace of Passive Tags: OK
  • Trace of Mini Rev.G: OK
  • Comparison of traces with different devices (see 1st column)

Doegox suggestion (image)

Lite with actual FW: too fast/incomplete authentication (trace image)

Lite with bsp_delay_us(30): quite OK with Lite (still KO with Ultra) (trace image)

Passive Tags: OK (trace image)

Mini Rev.G: OK (trace image)

Comparison of traces with different devices (see 1st column). Last 3 rows are derived from pictures in this repo. (fdt comparison image)

It's interesting (for me) that after AUTH-B(16) we have:

Lite w/ FAST_SIM & no delay: fdt 1444 is too fast
Lite w/ FAST_SIM & delay(30): fdt 1924 seems OK!
Lite w/ FAST_SIM & delay(42): fdt 2084 KO! ...slow?
Lite w/ FAST_SIM & delay(60): fdt 2340 KO! ...slow?

BUT

Passive tag: fdt 2036 is OK!
Mini Rev.G: fdt 9332 is OK!
See previous picture.

Thank you very much!

[Bug] Slot Nick name starts at 1 not 0

Issue:

using command hw slot nick get -s 1 -st 1 starts at 1 instead of expected 0.

Expected:

Returns slot 1 nickname

Actual:

Returns slot 2 nickname (if it exists)

This happens with all slots. When checking the GUI apps it shows slot 2 and above have been named instead of the intended slot 1. Changing the sent slot value from slot_num to int(slot_num-1) works as expected. Not an ideal solution though. If this could be done firmware side instead, this would make it easier and would prevent the need to modify the CLI code and add hardcoded values.

Before change: (two screenshots)

After change: (screenshot)

Consider adding a license

Consider adding a license to this project, in my opinion a GPL V3 or something similar would fit just fine.

(How do i come to GPL V3? a) I like the GPL V3 b) the Proxmark and some other repos are already licensed under GPL V3, so why not this one?)

Mifare 1k emulation problem

The keyfob I'm trying to copy is an "NXP MIFARE".

The reader is a Salto Modular XS - EU Wall Reader.

The card is successfully read and the keys are acquired; however, upon emulation the reader always denies the Chameleon. Running mfkey32 results in keys that are always "FFFFFFFFFFFF".

I have the binary dump, but can't upload it here. Am I missing something to emulate it?

BLE connection feedback request - quality of life

It would be handy to have a few changes to the BLE.

  • Documentation update to reflect the inability to pair while connected to the CLI
  • Documentation update to show the 123456 as the default pairing key
  • A basic how-to for BLE pairing / unpairing with Android app

Device unsupported cmd / CMDInvalidException

Hi everybody,

I just received my chameleon ultra in the mail and wanted to test it out. So I installed the cli from this repo on my MacBook. However, many of the commands don't seem to work for me at all.
For example, when I issue the command hw battery, I get the following trace:

[USB] chameleon --> hw battery
CLI exception: Traceback (most recent call last):
  File "/Users/c/ChameleonUltra/software/script/chameleon_cli_main.py", line 164, in startCLI
    unit.on_exec(args_parse_result)
  File "/Users/c/ChameleonUltra/software/script/chameleon_cli_unit.py", line 1296, in on_exec
    resp = self.cmd.battery_informartion()
  File "/Users/c/ChameleonUltra/software/script/chameleon_utils.py", line 56, in error_throwing_func
    ret = func(*args, **kwargs)
  File "/Users/c/ChameleonUltra/software/script/chameleon_cmd.py", line 755, in battery_informartion
    return self.device.send_cmd_sync(DATA_CMD_GET_BATTERY_INFO, 0x00)
  File "/Users/c/ChameleonUltra/software/script/chameleon_com.py", line 338, in send_cmd_sync
    raise CMDInvalidException(f"Device unsupported cmd: {cmd}")
chameleon_com.CMDInvalidException: Device unsupported cmd: 1025

Do I need to update the firmware?
Thank you so much!

Chameleonultra - Device fail to connect <HELP>

I am new to the ChameleonUltra; I downloaded the Windows application from Gametech-Live/ChameleonUltraGUI.

I tried to activate developer mode and use the function "DFU Flash ultra FW".
The device automatically reconnected and is no longer available in the GUI.

I checked the Windows Device Manager; the ChameleonUltra has become an unknown USB device (see the snapshot below).

Would you please help me to recover the device?

Many thanks for your assistance.

(two screenshots)

[Feature] Hold button keep awake

A new setting alongside copy-UID when you hold a button.
It's a bit annoying when the Chameleon goes to sleep while you try to pair/connect by Bluetooth.

Why not increase the sleep time instead? I like the battery conservation of it going sleep as soon as possible and also it's only in specific usecases you need to connect to bluetooth.

ProxSpace: cmake is giving errors due to wrong version of ninja

Hi Everyone,
I am trying to install this library, but I keep failing at the cmake command and I can't seem to understand what is going on.

cmake . -D CMAKE_C_COMPILER="C:\Users\moeya\Desktop\Chamelion\ProxSpace\msys2\mingw64\bin\gcc.exe" -D CMAKE_CXX_COMPILER="C:\Users\moeya\Desktop\Chamelion\ProxSpace\msys2\mingw64\bin\g++.exe"
-- The C compiler identification is GNU 10.3.0
CMake Error at CMakeFiles/3.21.1/CMakeCCompiler.cmake:1 (set):
  Syntax error in cmake code at

    C:/Users/moeya/Desktop/Chamelion/ProxSpace/pm3/ChameleonUltra/software/src/CMakeFiles/3.21.1/CMakeCCompiler.cmake:1

  when parsing string

    C:\Users\moeya\Desktop\Chamelion\ProxSpace\msys2\mingw64\bin\gcc.exe

  Invalid character escape '\U'.
Call Stack (most recent call first):
  CMakeLists.txt:3 (project)

Below are the contents of CMakeLists.txt

cmake_minimum_required (VERSION 3.1)

project (mifare C)

set(EXECUTABLE_OUTPUT_PATH ${CMAKE_CURRENT_SOURCE_DIR}/../bin)
set(SRC_DIR ./)

set(COMMON_FILES
    ${SRC_DIR}/crapto1.c
    ${SRC_DIR}/crypto1.c
    ${SRC_DIR}/bucketsort.c
    ${SRC_DIR}/mfkey.c
    ${SRC_DIR}/parity.c)

include_directories(
    ${SRC_DIR}/
    )


# tools
add_executable(nested ${COMMON_FILES} nested.c)
add_executable(darkside ${COMMON_FILES} darkside.c)
add_executable(mfkey32 ${COMMON_FILES} mfkey32.c)
add_executable(mfkey32v2 ${COMMON_FILES} mfkey32v2.c)
add_executable(mfkey64 ${COMMON_FILES} mfkey64.c)

Where am I going wrong exactly?

mfkey32 issues on lite and ultra no collection nonces (only 5-6 nonces collected)

Hello everyone, I have copied the UID of my protected Mifare 1k card using Chameleon Rev G by emulating DID and extracting the keys with MFKey32, it finds all the keys within a few seconds. However, with Chameleon Ultra and Lite, it only collects a few nonces (about 5-6) and then only finds FF keys, so it doesn't find the keys for my card. Is it possible to fix the problem? Thank you.

t55xx chip support

The Chameleon Ultra should support detecting and configuring t55xx chips...

unstable EM4100 emulation

I'm doing some tests with a Proxmark

Some IDs cannot be seen by the Proxmark while some can.
OK: lf em sim --id 0501020304
FAIL: lf em sim --id 0102030405

When digging, it appears the problem comes from the moment emulation stops and the LF field is checked before starting again. Maybe this takes too long and the next broadcast is desynchronized.

I found that it works fine by removing the following lines, I hope it is safe to do so...

             // 如果广播次数超过上限次数,则重新比较场状态,根据新的场状态选择是否继续模拟标签
             if (m_send_id_count >= LF_125KHZ_BORADCAST_MAX) {
                 m_send_id_count = 0;                                        // 广播次数达到上限,重新识别场状态并且重新统计广播次数
-                ANT_NO_MOD();                                               // 确保天线不短路而导致无法获得RSSI状态
-                nrfx_timer_disable(&m_timer_send_id);                       // 关闭广播场的定时器
-
-                // 我们不需要任何的事件,仅仅需要检测一下场的状态
-                NRF_LPCOMP->INTENCLR = LPCOMP_INTENCLR_CROSS_Msk | LPCOMP_INTENCLR_UP_Msk | LPCOMP_INTENCLR_DOWN_Msk | LPCOMP_INTENCLR_READY_Msk;
                 if (lf_is_field_exists()) {
                     nrf_drv_lpcomp_disable();
-                    nrfx_timer_enable(&m_timer_send_id);                    // 打开广播场的定时器,继续模拟
-                    m_is_send_reboardcast_last_edge = true;                 // 如果继续的话需要发送0的后一个沿
                 } else {
+                    nrfx_timer_disable(&m_timer_send_id);                       // 关闭广播场的定时器
                     // 开启事件中断,让下次场事件可以正常出入
                     g_is_tag_emulating = false;                             // 重设模拟中的标志位
                     m_is_lf_emulating = false;
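Review bot: the removed `ANT_NO_MOD();` and `NRF_LPCOMP->INTENCLR = ...` lines are, according to their own comments, what un-shorts the antenna so the RSSI/field state can be read and what suppresses LPCOMP events during the check, and the removed `nrfx_timer_disable(&m_timer_send_id);` stopped the broadcast timer before that check; after this change `lf_is_field_exists()` is called while the timer is still running and the antenna may still be modulated, so the field-present decision is taken under different electrical conditions than before. Please verify on hardware that field loss is still detected (emulation stops when the device is taken away from the reader), not only that `lf em sim --id 0102030405` now reads, and confirm that enabling the event interrupt in the `else` branch still pairs correctly with `nrf_drv_lpcomp_disable()` in the `if` branch now that the mask-clearing line is gone. Since `m_is_send_reboardcast_last_edge = true;` is deleted here, the code that consumes that flag should be removed in the same change rather than left permanently false.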

And all code related to m_is_send_reboardcast_last_edge can then be removed also.

Add Github Pages deployment for docs

As this repository already owns the chameleonultra.com domain it might be useful to enable a github pages deployment and point it to the docs folder.


This would automatically set up a Markdown web builder. One could then link this markdown web builder to a subdomain (like docs.chameleonultra.com) by creating a CNAME file and have a quick and short link to web docs.

Benefits:
No practical ones, but it's pretty, it's a short link, and it's "cleaner" without all of the GitHub interface. It might also load faster, but that doesn't really matter, does it? Plus it's literally free...

Notes about compiling and running under Linux

I'm sharing here personal notes, in the hope they can help other people willing to contribute to development from a Linux environment (I'm using Debian testing).
Things are still a bit foggy, so I prefer not to merge what is working for me into the official doc yet.
Thanks to the early hackers who shared useful findings not yet merged at the time of writing (https://github.com/RfidResearchGroup/ChameleonUltra/pull/15/files and https://github.com/RfidResearchGroup/ChameleonUltra/pull/14/files)

Tools

arm-none-eabi-gcc

I'm trying to use the latest version, 12.2.1, from Debian (apt install gcc-arm-none-eabi), but one can also use version 10.3 locally with gcc-arm-none-eabi-10.3-2021.10-x86_64-linux.tar.bz2 from https://developer.arm.com/downloads/-/gnu-rm

nrfutil

From https://www.nordicsemi.com/Products/Development-tools/nrf-util

mkdir tools
(
  cd tools
  wget https://developer.nordicsemi.com/.pc-tools/nrfutil/x64-linux/nrfutil
  chmod +x nrfutil   # the downloaded binary is not executable by default
  ./nrfutil install nrf5sdk-tools
  ./nrfutil install device
)

mergehex

From https://www.nordicsemi.com/Products/Development-tools/nrf-command-line-tools/download

wget https://nsscprodmedia.blob.core.windows.net/prod/software-and-other-downloads/desktop-software/nrf-command-line-tools/sw/versions-10-x-x/10-22-0/nrf-command-line-tools_10.22.0_amd64.deb
sudo dpkg -i nrf-command-line-tools_10.22.0_amd64.deb

Compiling FW

Using Debian gcc-arm-none-eabi 12.2.1, the compilation emits a few warnings from the nRF SDK.
As we're using the system ARM cross-compiler, we can configure firmware/Makefile.defs in a very generic manner:

GNU_INSTALL_ROOT ?= 
GNU_PREFIX ?= arm-none-eabi

This could become the default choice in the repo code...

One last thing: with ARM GCC 12.2.1 I got an error about the bootloader being 128b too large, so I changed the boundaries as follows.

firmware/application/application.ld:

-  FLASH (rx) : ORIGIN = 0x27000, LENGTH = 0xCC000
+  FLASH (rx) : ORIGIN = 0x27000, LENGTH = 0xCB000

firmware/bootloader/bootloader.ld:

-  FLASH (rx) : ORIGIN = 0xF3000, LENGTH = 0xB000
+  FLASH (rx) : ORIGIN = 0xF2000, LENGTH = 0xC000
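Review bot: the new bootloader origin 0xF2000 is consistent with the application.ld change above (0x27000 + 0xCB000 = 0xF2000, so the two regions stay contiguous), but moving the bootloader start address changes the flash map the MBR is configured with, so an image built with these scripts is not interchangeable with devices that carry the stock 0xF3000 layout and should be flashed whole over SWD, not mixed with a stock bootloader via DFU. Since the overflow is only 128 bytes, the safer fix is to shrink the bootloader (optimisation level, dropping unneeded SDK modules or logging) so the stock linker scripts remain usable; if the map change is kept, it needs to go into the repository for both targets rather than stay a local edit.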

Now we can compile the firmware:

(
  cd firmware
  rm -rf objects
)
(
  cd firmware/bootloader
  make
) || exit 1

(
  cd firmware/application
  make
) || exit 1

(
  cd firmware
  ../tools/nrfutil settings generate --family NRF52840 --application objects/application.hex --application-version 1 --bootloader-version 1 --bl-settings-version 2 objects/settings.hex
  mergehex --merge objects/bootloader.hex objects/settings.hex --output objects/bootloader_settings.hex
  mergehex --merge objects/bootloader_settings.hex objects/application.hex nrf52_sdk/components/softdevice/s140/hex/s140_nrf52_7.2.0_softdevice.hex --output objects/project.hex
)

The final image is firmware/objects/project.hex

Flashing FW

With stlink v2:

Connect

  • Ultra <> Stlink V2 (translucent green)
  • Vcc left disconnected
  • SWC <> 4:SWCLK
  • SWD <> 6:SWDIO
  • GND <> 7:GND
  • SWO left disconnected

Do not connect over USB at the same time; it will work on battery.

openocd -f interface/stlink.cfg -f target/nrf52.cfg -c "flash init; init; reset halt; flash erase_sector 0 1 last; exit"
openocd -f interface/stlink.cfg -f target/nrf52.cfg -c "program firmware/objects/project.hex verify reset ; shutdown"

With jlink:

Connect

  • Ultra <> Jlink
  • Vcc left disconnected
  • SWC <> 9:SWCLK
  • SWD <> 7:SWDIO
  • GND <> 8:GND
  • SWO left disconnected

openocd -f interface/jlink.cfg -c "transport select swd" -f target/nrf52.cfg -c "flash init; init; reset halt; flash erase_sector 0 1 last; exit"
openocd -f interface/jlink.cfg -c "transport select swd" -f target/nrf52.cfg -c "program firmware/objects/project.hex verify reset ; shutdown"

Compiling FW for DFU

Stealing @gentilkiwi's recipe...

(
  cd firmware
  rm -rf objects
)
(
  cd firmware/bootloader
  make
) || exit 1

(
  cd firmware/application
  make
) || exit 1

../tools/nrfutil nrf5sdk-tools pkg generate \
    --application firmware/objects/application.hex --application-version 1 \
    --bootloader firmware/objects/bootloader.hex --bootloader-version 1 \
    --hw-version 0 \
    --sd-req 0x100 --sd-id 0x100 \
    --softdevice firmware/nrf52_sdk/components/softdevice/s140/hex/s140_nrf52_7.2.0_softdevice.hex \
    --sd-boot-validation NO_VALIDATION \
    --app-boot-validation NO_VALIDATION \
    --key-file resource/dfu_key/chameleon.pem Ultra.DFU.zip

Flashing FW via DFU

echo "Wait for device to be off"
echo "Press B and plug"
echo "LEDS 4 & 5 should blink"
while :; do
  lsusb|grep -q 1915:521f && break
  sleep 1
done
../tools/nrfutil device program --firmware Ultra.DFU.zip --traits nordicDfu

Software

Setup

(
  cd software/src
  rm -rf tmp
  mkdir tmp
  cd tmp
  cmake ..
  make
  echo "DONE. bins in software/bin"
)

Python CLI

Setup

(
  cd software/script
  virtualenv venv
  source venv/bin/activate
  pip install -r requirements.txt
  deactivate
)

Usage

(
  cd software/script
  source venv/bin/activate
  python chameleon_cli_main.py
  deactivate
)

To connect once in the CLI:

hw connect -p /dev/ttyACM0

Building Firmware for Ultra and Lite

When building firmware I need to clean the "bootloader" and "application" folders every time I do the build,
and when I'm also flashing both I need to be sure that there is no build for the other.
My idea is to clean both folders and then build.
Add:

(
  cd bootloader
  make clean
)

(
  cd application
  make clean
)

around line 23, just after "set -xe".
