Emulating Mifare 4K Tags with the ChameleonMini RevE-2

August 10, 2015

The first batch of ChameleonMinis made at Rysc Corp use the ATXmega32a4u MCU. This chip is short on SRAM and doesn't seem to have enough to keep a 4K tag in memory.

It also looks as if the current firmware will need some tweaking to properly support 4K tags since the code relies on a constant value called MEMORY_SIZE_PER_SETTING when determining upload/download sizes. For example, if the DOWNLOAD command is issued, 1024 bytes of memory will be transferred even if the ChameleonMini is configured to be a 4K tag.

Details on the issue are available here. One possible workaround is to modify the firmware to store the tag in flash memory instead of SRAM. This has already been implemented in an older version of the firmware but has the drawback of relying on flash which is slower than SRAM. Certain readers are more sensitive to timing than others and the delay involved in fetching data from flash could cause some readers to fail.

For those looking to emulate Mifare 4K tags, the best course of action at present is to load the RevE-DirectFlashWriteThru firmware.

Follow the steps below to load the DirectFlashWriteThru firmware.

  1. Download the firmware -- Chameleon-Mini.hex
  2. Download the EEPROM file -- Chameleon-Mini.eep
  3. Hold the button on the ChameleonMini while connecting it to a PC running Linux
  4. Run the lsusb command and confirm that an "Atmel" device is in the list (ex. Bus 002 Device 059: ID 03eb:2fe4 Atmel Corp.)
  5. Install dfu-programmer (version 0.7.1 works well) 
  6. Get root privileges with su or sudo
  7. Run "dfu-programmer atxmega32a4u erase"
  8. Run "dfu-programmer atxmega32a4u flash Chameleon-Mini.hex"
  9. Run "dfu-programmer atxmega32a4u flash --eeprom Chameleon-Mini.eep"
  10. Disconnect and reconnect the ChameleonMini

In order to upload 4K tag contents, you will probably need a terminal emulator and hex editor. Card contents are transferred to the ChameleonMini over XModem. We recommend using TeraTerm and HxD on Windows. We've also managed to get socat and sx/rx (from the lrzsz package on Ubuntu) working on Linux but these tools do not seem to work reliably with the current XModem implementation in the ChameleonMini's firmware.

Next, install TeraTerm or some other terminal emulator with support for serial connections and XModem. 

Download the ChameleonMini LUFA CDC driver. Right click the file and click "Install". Follow the on-screen dialogs until installation is complete. Once installed, your ChameleonMini should show up as a COM port in Device Manager.

 Configure TeraTerm as shown below.

 

Output from the "VERSION?" command should resemble the following image.

Place the ChameleonMini in 4K mode by entering "CONFIG=MF_CLASSIC_4K".

Next, download the sample card.bin. These are the binary card contents we would like to upload to the ChameleonMini.

Issue the "UPLOAD" command and you should receive the response below.

Now quickly click "File" -> "Transfer" -> "XModem" and select card.bin. Once the card has been uploaded, fire up your favorite reader and you should see that the first and last sectors are those from our card.bin. Here is the first and last sector as shown in Cardpeek.

Related Blog Entries:






Also in Blog

MagSpoof V2 - Now Available for Pre-Order
MagSpoof V2 - Now Available for Pre-Order

February 13, 2017

We are pleased to announce that the MagSpoof V2 is now available for pre-order. Orders yours today.

View full article →

Identifying unknown tags using the ChameleonMini Rev.G
Identifying unknown tags using the ChameleonMini Rev.G

January 06, 2017

Follow these steps to identify an unknown HF tag (13.56 MHz) with the ChameleonMini Rev.G.

View full article →

Reading Tags with the ChameleonMini Rev.G
Reading Tags with the ChameleonMini Rev.G

January 06, 2017

Follow these steps to read a HF tag (13.56 MHz) with the ChameleonMini Rev.G.

View full article →