Emulating Mifare 4K Tags with the ChameleonMini RevE-2

August 10, 2015

The first batch of ChameleonMinis made at Rysc Corp use the ATXmega32a4u MCU. This chip is short on SRAM and doesn't seem to have enough to keep a 4K tag in memory.

It also looks as if the current firmware will need some tweaking to properly support 4K tags since the code relies on a constant value called MEMORY_SIZE_PER_SETTING when determining upload/download sizes. For example, if the DOWNLOAD command is issued, 1024 bytes of memory will be transferred even if the ChameleonMini is configured to be a 4K tag.

Details on the issue are available here. One possible workaround is to modify the firmware to store the tag in flash memory instead of SRAM. This has already been implemented in an older version of the firmware but has the drawback of relying on flash which is slower than SRAM. Certain readers are more sensitive to timing than others and the delay involved in fetching data from flash could cause some readers to fail.

For those looking to emulate Mifare 4K tags, the best course of action at present is to load the RevE-DirectFlashWriteThru firmware.

Follow the steps below to load the DirectFlashWriteThru firmware.

  1. Download the firmware -- Chameleon-Mini.hex
  2. Download the EEPROM file -- Chameleon-Mini.eep
  3. Hold the button on the ChameleonMini while connecting it to a PC running Linux
  4. Run the lsusb command and confirm that an "Atmel" device is in the list (ex. Bus 002 Device 059: ID 03eb:2fe4 Atmel Corp.)
  5. Install dfu-programmer (version 0.7.1 works well) 
  6. Get root privileges with su or sudo
  7. Run "dfu-programmer atxmega32a4u erase"
  8. Run "dfu-programmer atxmega32a4u flash Chameleon-Mini.hex"
  9. Run "dfu-programmer atxmega32a4u flash --eeprom Chameleon-Mini.eep"
  10. Disconnect and reconnect the ChameleonMini

In order to upload 4K tag contents, you will probably need a terminal emulator and hex editor. Card contents are transferred to the ChameleonMini over XModem. We recommend using TeraTerm and HxD on Windows. We've also managed to get socat and sx/rx (from the lrzsz package on Ubuntu) working on Linux but these tools do not seem to work reliably with the current XModem implementation in the ChameleonMini's firmware.

Next, install TeraTerm or some other terminal emulator with support for serial connections and XModem. 

Download the ChameleonMini LUFA CDC driver. Right click the file and click "Install". Follow the on-screen dialogs until installation is complete. Once installed, your ChameleonMini should show up as a COM port in Device Manager.

Configure TeraTerm as shown below.

Output from the "VERSION?" command should resemble the following image.

Place the ChameleonMini in 4K mode by entering "CONFIG=MF_CLASSIC_4K".

Next, download the sample card.bin. These are the binary card contents we would like to upload to the ChameleonMini.

Issue the "UPLOAD" command and you should receive the response below.

Now quickly click "File" -> "Transfer" -> "XModem" and select card.bin. Once the card has been uploaded, fire up your favorite reader and you should see that the first and last sectors are those from our card.bin. Here are the first and last sectors as shown in Cardpeek.
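To check the round trip more thoroughly than eyeballing two sectors in Cardpeek, the following added helper (not part of the original post or the ChameleonMini firmware) compares a 4K card.bin against a dump read back from the emulated tag sector by sector, using the Mifare Classic 4K layout (32 sectors of 4 blocks followed by 8 sectors of 16 blocks, 16 bytes per block). It also flags the case described earlier, where a firmware build that still uses the 1K MEMORY_SIZE_PER_SETTING returns only 1024 bytes on DOWNLOAD; the sample dump is constructed inline and is not real card data.

```python
BLOCK_SIZE = 16
SECTORS = 40
MF_CLASSIC_4K_SIZE = 4096      # 32 * 4 blocks + 8 * 16 blocks, 16 bytes each
STOCK_DOWNLOAD_SIZE = 1024     # what a 1K-sized DOWNLOAD hands back

def sector_range(sector):
    """Return the (start, end) byte offsets of a Mifare Classic 4K sector."""
    if not 0 <= sector < SECTORS:
        raise ValueError("Mifare Classic 4K has sectors 0..39")
    if sector < 32:                      # small sectors: 4 blocks each
        start = sector * 4 * BLOCK_SIZE
        return start, start + 4 * BLOCK_SIZE
    start = 32 * 4 * BLOCK_SIZE + (sector - 32) * 16 * BLOCK_SIZE
    return start, start + 16 * BLOCK_SIZE  # large sectors: 16 blocks each

def sectors_present(length):
    """Number of complete sectors contained in a dump of `length` bytes."""
    return sum(1 for s in range(SECTORS) if sector_range(s)[1] <= length)

def compare_dumps(original, readback):
    """Map each sector to 'ok', 'mismatch' or 'missing' (readback too short)."""
    if len(original) != MF_CLASSIC_4K_SIZE:
        raise ValueError(f"expected a {MF_CLASSIC_4K_SIZE}-byte 4K image, got {len(original)}")
    result = {}
    for s in range(SECTORS):
        a, b = sector_range(s)
        if b > len(readback):
            result[s] = "missing"
        elif original[a:b] == readback[a:b]:
            result[s] = "ok"
        else:
            result[s] = "mismatch"
    return result

def make_sample_dump():
    """Constructed 4K image for testing: every byte of sector s holds the value s."""
    data = bytearray(MF_CLASSIC_4K_SIZE)
    for s in range(SECTORS):
        a, b = sector_range(s)
        data[a:b] = bytes([s]) * (b - a)
    return bytes(data)

if __name__ == "__main__":
    # Simulate a 4K upload read back through a 1K-sized DOWNLOAD.
    original = make_sample_dump()
    report = compare_dumps(original, original[:STOCK_DOWNLOAD_SIZE])
    missing = [s for s, state in report.items() if state == "missing"]
    print(f"{sectors_present(STOCK_DOWNLOAD_SIZE)} sectors returned; missing: {missing}")
```

In practice replace the constructed image with the bytes of card.bin and the dump saved from your reader, and treat any "mismatch" in sector 0 or sector 39 as a failed upload rather than a reader quirk.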
