- Have you ever wondered how contactless card systems, e.g., used for door openers and micro payments, work and whether they provide protection against digital fraud?
- Did you ever want to check the security level of an NFC / RFID access control system?
- Do you want to develop your own NFC tag or contactless card, including your own state machine and security algorithms, or even your own physical specification for an RFID system?
These and many more applications were the reason for the "birth" of ChameleonMini: a versatile NFC emulator, log tool, and (after this kickstarter project) a basic RFID reader.
As a result of this kickstarter project, we will develop and produce the new open-source hardware revision "Rev.G" of the ChameleonMini. A compatible firmware will be released in the existing github project once the new ChameleonMini has been designed and produced. We regard this project as non-profit and intend to make the device available worldwide at a low cost.
In case of quality problems with the intro video, or the other videos, we have uploaded the full HD version here.
The credit-card shaped ChameleonMini is a versatile tool for practical NFC and RFID security analysis, compliance and penetration tests, and various end-user applications. The freely programmable platform can create perfect clones of various existing commercial smartcards, including cryptographic functions and the Unique Identifier (UID). It can be employed to assess security aspects of RFID and NFC environments in different attack scenarios, such as replay or relay attacks, state restoration attacks, sniffing of NFC communication, or functional tests of RFID equipment. New firmware for the ChameleonMini can be comfortably uploaded via a USB bootloader. A convenient, human-readable command set allows configuring its behavior and updating the settings and content of up to eight internally stored, virtualized contactless cards. During battery-powered stand-alone operation, the integrated buttons and LEDs enable user interaction and feedback.
The new hardware to be developed supports Amplitude-Shift Keying (ASK) modulation (10% and 100%), can generate ASK or Binary Phase-Shift Keying (BPSK) load modulation with a subcarrier, and can decode the requests of an NFC reader. Thus, the ChameleonMini hardware is capable of emulating various ISO 14443, NFC, and ISO 15693 cards, as well as other types of RFID transponders operating at 13.56 MHz. Cards that the ChameleonMini can emulate in principle include: NXP Mifare Classic, Plus, Ultralight, Ultralight C, NTAG, ICODE, DESFire / DESFire EV1, TI Tag-it, HID iCLASS, LEGIC Prime and Advant, Infineon my-d, and many other NFC tags. Note that the open-source firmware will initially only support a subset of these tags (for details see Section "Firmware" below).
The ChameleonMini Rev.G hardware comprises a PCB antenna, which can be driven by power transistors on the board to generate a 13.56 MHz RFID field. This will allow the Rev.G to work as a basic active RFID reader. An on-board Li-Ion battery can be recharged via USB and allows for stand-alone operation for approximately one hour.
The core of the hardware is formed by an Atmel ATXMega128A4U microcontroller. It provides the RF encoding and decoding functions, the USB interface, and the state machine giving life to the Chameleon. The AES and DES hardware engines in the microcontroller enable very fast computation of these cryptographic algorithms: In our tests, the ChameleonMini performs 3DES in CBC mode (as used in Mifare DESFire cards) three times faster than the original card (219µs vs. 690µs) and AES-128 in “chained” CBC mode (as used in Mifare DESFire EV1 cards) five times faster than the original card (438µs vs. 2.2ms). Of course, emulating such cryptographic cards or transponders is only possible if the cryptographic keys are known: the hardware engines reproduce the card's cryptography, they do not break it.
The firmware of ChameleonMini can be uploaded and set up via USB to
- emulate a passive NFC device (e.g. a contactless card)
- act as an active NFC device (e.g. an RFID reader)
- sniff the communication (i.e. monitor the bits on the RF interface)
- log the communication (during emulation and sniffing)
The ChameleonMini can be interfaced with standard terminal software via the command line, or controlled by user-written scripts and applications. The modular firmware structure allows for easy extension to cards and standards that are not yet supported. Various functions and settings can be assigned to the buttons and LEDs. Card contents can be easily uploaded and downloaded via USB using X-MODEM.
The new firmware to be developed for this project will be released in the existing open source project on github and will fully support emulation of Mifare Classic 1k and 4k cards as well as Mifare Ultralight cards. Further card types are in the development pipeline (for example Mifare DESFire, Mifare Ultralight C, and ISO 15693 RFIDs), and we also hope for the open-source community to contribute other card types in the future. In addition, the firmware will provide basic ISO 14443 reader functionality. The rudimentary RFID reader is not intended as a full replacement for an NFC reader; for example, the operating range may be relatively short. However, the new feature may allow the Chameleon to clone certain cards autonomously. The firmware will provide a good starting point for future developments and improvements.
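Since the firmware will emulate Mifare Classic cards and card images are uploaded over USB, it is worth knowing what such an image looks like and what to check before uploading one. The following is an added example, not ChameleonMini project code: it builds a MIFARE Classic 1K image from a UID and validates it. The block layout and the access-bit encoding follow the public MIFARE Classic 1K datasheet; the sample UID, the keys and the block contents are constructed for this example, and function names are my own.

```python
# Added example, not ChameleonMini project code: build and sanity-check a
# MIFARE Classic 1K image of the kind a card emulator loads as a virtual card.
# The block layout and the access-bit encoding follow the public MIFARE
# Classic 1K datasheet; the UID, keys and block contents are constructed here.

BLOCK_SIZE = 16
SECTORS_1K = 16            # a 4K card has 32 four-block + 8 sixteen-block sectors
BLOCKS_PER_SECTOR = 4
TRANSPORT_KEY = bytes.fromhex("FFFFFFFFFFFF")    # factory default key A / key B
TRANSPORT_ACCESS = bytes.fromhex("FF078069")     # factory access bits + general purpose byte


def bcc(uid: bytes) -> int:
    """Block check character stored after a 4-byte UID: XOR of the UID bytes."""
    if len(uid) != 4:
        raise ValueError("MIFARE Classic 1K block 0 carries a 4-byte UID")
    result = 0
    for b in uid:
        result ^= b
    return result


def encode_access_bits(c1: int, c2: int, c3: int) -> bytes:
    """Pack the three access-condition nibbles (bit i = block i of the sector)
    into trailer bytes 6..8; each nibble is stored twice, once inverted."""
    for n in (c1, c2, c3):
        if not 0 <= n <= 0xF:
            raise ValueError("each access-condition nibble is 4 bits")
    inv_c1, inv_c2, inv_c3 = (~c1) & 0xF, (~c2) & 0xF, (~c3) & 0xF
    return bytes([(inv_c2 << 4) | inv_c1, (c1 << 4) | inv_c3, (c3 << 4) | c2])


def decode_access_bits(trailer: bytes) -> tuple:
    """Recover (c1, c2, c3) from a 16-byte sector trailer. If the stored
    nibbles and their inverted copies disagree, a real card treats the
    sector as irreversibly blocked, so refuse such a trailer outright."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if (b6 & 0xF, b6 >> 4, b7 & 0xF) != ((~c1) & 0xF, (~c2) & 0xF, (~c3) & 0xF):
        raise ValueError("inconsistent access bits in sector trailer")
    return c1, c2, c3


def build_1k_dump(uid: bytes, sak: int = 0x08, atqa: bytes = b"\x04\x00",
                  key_a: bytes = TRANSPORT_KEY, key_b: bytes = TRANSPORT_KEY) -> bytes:
    """Return a 1024-byte image: manufacturer block, zeroed data blocks and
    sector trailers in transport configuration."""
    trailer = key_a + TRANSPORT_ACCESS + key_b
    image = bytearray()
    for sector in range(SECTORS_1K):
        for block in range(BLOCKS_PER_SECTOR):
            if sector == 0 and block == 0:
                # UID(4) BCC SAK ATQA(2) manufacturer data(8)
                image += uid + bytes([bcc(uid), sak]) + atqa + bytes(8)
            elif block == BLOCKS_PER_SECTOR - 1:
                image += trailer
            else:
                image += bytes(BLOCK_SIZE)
    return bytes(image)


def check_1k_dump(image: bytes) -> dict:
    """Checks worth running before uploading an image: size, UID/BCC match,
    consistent access bits in every trailer, and which sectors still use the
    transport key (i.e. are readable by anyone who walks up to the card)."""
    if len(image) != SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK_SIZE:
        raise ValueError("a MIFARE Classic 1K image is exactly 1024 bytes")
    block0 = image[:BLOCK_SIZE]
    if block0[4] != bcc(block0[:4]):
        raise ValueError("block 0 BCC does not match the UID")
    report = {"uid": block0[:4].hex().upper(), "sak": block0[5],
              "access": [], "transport_key_sectors": []}
    for sector in range(SECTORS_1K):
        start = (sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1) * BLOCK_SIZE
        trailer = image[start:start + BLOCK_SIZE]
        report["access"].append(decode_access_bits(trailer))
        if TRANSPORT_KEY in (trailer[:6], trailer[10:]):
            report["transport_key_sectors"].append(sector)
    return report


if __name__ == "__main__":
    dump = build_1k_dump(bytes.fromhex("DEADBEEF"))     # constructed sample UID
    print(check_1k_dump(dump))
```

The two checks that matter in practice are the BCC (a reader rejects the anticollision answer if it is wrong) and the redundancy in the access bits, because on a real card a trailer whose inverted copies do not match locks the sector for good; an emulator is more forgiving, but an image that would brick a real card is usually a sign of a damaged dump. The list of sectors still protected by the transport key is the first thing to look at when judging how much a cloned card actually protects.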
On the PC software side, we aim to develop Python scripts for configuring the Chameleon and for comfortably using the log mode.
The ChameleonMini in card emulation mode can virtualize up to eight personal cards (maximum size of 8 kB per card) in one device. It can serve as the counterpart for an active NFC device, for example a smartphone in reader mode. For a first impression, we recommend watching the following 10-minute video, which demonstrates the capabilities of ChameleonMini as a card emulator using typical real-world examples: opening NFC-enabled doors, creating a spare key for hotel rooms, renting bicycles, operating parking lot barriers, and charging credit to virtualized payment cards.
Please note that these tests were only carried out with our own cards and devices; it is your responsibility to use the Chameleon in accordance with your local laws. Further, to avoid confusion: the ChameleonMini hardware will be delivered without the "Card Emulator" (CE) sticker that can be spotted in the videos.
In addition to the emulator function presented in the video, the Chameleon can appear completely passive in a sniff mode, log the RFID communication, and act as a basic RFID reader. Since all sources will be public, the ChameleonMini is highly suitable for educational purposes, e.g., for RFID / NFC lab courses teaching practical know-how from the physical layer (encoding of zeroes and ones) up to the logic layer (protocols, state machine, crypto algorithms, memory management) for both RFID readers and NFC cards. Researchers have already verified the suitability of ChameleonMini for implementing efficient, lightweight cryptography for RFID, experiments with physical layer security, cloning physically unclonable functions (PUFs), and long range NFC communication. We thus recommend universities and other academic institutions to support the project with the "Lab Pack" of 20 Rev.G.
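The "encoding of zeroes and ones" mentioned here, and the ASK modulation and subcarrier load modulation described in the hardware paragraph above, are concrete enough to write down. The following is an added example, not ChameleonMini firmware: it models the ISO/IEC 14443 Type A 106 kbit/s bit coding in both directions (Modified Miller sequences X/Y/Z from reader to card, Manchester sequences D/E/F on the subcarrier from card to reader), the parity bit after each byte of a standard frame, and the CRC_A. The sequence names and the CRC parameters are those of the standard; the REQA, ATQA, SEL and HLTA byte values used as sample traffic are the standard ones but are constructed input here, and all function names are my own.

```python
# Added example, not ChameleonMini firmware: the ISO/IEC 14443 Type A bit
# coding and framing at 106 kbit/s that a reader emulator has to produce and a
# card emulator has to decode. X/Y/Z (Modified Miller, reader to card) and
# D/E/F (Manchester on the fc/16 subcarrier, card to reader) are the sequence
# names of ISO/IEC 14443-2; the sample commands are constructed traffic.


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (preset 0x6363, polynomial 0x8408, LSB first),
    returned in transmission order, low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def odd_parity(byte: int) -> int:
    """Parity bit sent after each byte: makes the number of 1 bits odd."""
    return 0 if bin(byte).count("1") % 2 else 1


def standard_frame_bits(data: bytes) -> list:
    """Standard frame payload: each byte LSB first, followed by its parity bit.
    The CRC_A, where a command carries one, is part of `data`."""
    bits = []
    for byte in data:
        bits += [(byte >> i) & 1 for i in range(8)]
        bits.append(odd_parity(byte))
    return bits


def frame_bits_to_bytes(bits: list) -> bytes:
    """Inverse of standard_frame_bits. A parity error is what a card reports
    as a transmission error, so it is raised rather than silently repaired."""
    if len(bits) % 9:
        raise ValueError("a standard frame is a multiple of 9 bits")
    out = bytearray()
    for i in range(0, len(bits), 9):
        byte = sum(bit << k for k, bit in enumerate(bits[i:i + 8]))
        if bits[i + 8] != odd_parity(byte):
            raise ValueError("parity error in byte %d" % (i // 9))
        out.append(byte)
    return bytes(out)


def miller_encode(bits: list) -> str:
    """Reader to card (100% ASK): 'X' = pause in the second half of the bit,
    'Y' = no pause, 'Z' = pause at the start. Logic 1 is X; logic 0 is Y when
    it follows an X and Z otherwise (also directly after the start-of-
    communication Z). The end of communication is a logic 0 followed by Y."""
    seq = "Z"                                  # start of communication
    for bit in list(bits) + [0]:               # the trailing 0 belongs to the EOC
        seq += "X" if bit else ("Y" if seq[-1] == "X" else "Z")
    return seq + "Y"


def miller_decode(seq: str) -> list:
    """Card side: recover the bits from an X/Y/Z sequence, stopping at the end
    of communication, which is the first Y that does not follow an X."""
    if not seq.startswith("Z"):
        raise ValueError("missing start of communication")
    bits = []
    for prev, cur in zip(seq, seq[1:]):
        if cur == "X":
            bits.append(1)
        elif cur == "Z" or prev == "X":
            bits.append(0)
        else:
            return bits[:-1]                   # the bit before the final Y was the EOC's 0
    raise ValueError("missing end of communication")


def manchester_encode(bits: list) -> list:
    """Card to reader load modulation, as (first half, second half) subcarrier
    on/off pairs: 'D' = (1, 0) is logic 1 and also the start of communication,
    'E' = (0, 1) is logic 0, 'F' = (0, 0) is the end of communication."""
    return [(1, 0)] + [(1, 0) if b else (0, 1) for b in bits] + [(0, 0)]


def manchester_decode(halves: list) -> list:
    if not halves or halves[0] != (1, 0) or halves[-1] != (0, 0):
        raise ValueError("framing error")
    return [1 if h == (1, 0) else 0 for h in halves[1:-1]]


if __name__ == "__main__":
    reqa = [0, 1, 1, 0, 0, 1, 0]               # REQA 0x26: a 7-bit short frame, LSB first
    print("REQA on the air:", miller_encode(reqa))
    atqa = standard_frame_bits(b"\x04\x00")    # ATQA of a Mifare Classic 1K
    print("ATQA decoded:", frame_bits_to_bytes(manchester_decode(manchester_encode(atqa))).hex())
    print("HLTA with CRC_A:", (b"\x50\x00" + crc_a(b"\x50\x00")).hex())
```

Two details are worth noticing. A REQA is a short frame of only seven bits without parity, so a card-side decoder must stop on the end-of-communication sequence and not on a byte boundary. And the CRC_A check values in the standard's annex (for example A0 1E for two zero bytes, and BC A5 on the RATS command E0 50) are a quick way to confirm that an implementation has the preset and bit order right.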
A Bit of History ...
The following slides (pdf) give a short summary of the development of the Chameleon card emulator and its history, starting in 2006 with a coffee-cup tag, reviewing the home-cooked "primal Chameleon" as published in 2011, the first ChameleonMini Rev.D in 2013, and Rev.E in 2014. In the past year 2015, we have not been lazy and have already designed a first internal prototype towards the kickstarter project, termed Rev.F. The slides also cover this prototype and thus give a promising outlook on the outcome of this Kickstarter project.
Rev.G will be designed on the basis of Rev.E, as published in the ChameleonMini github project, taking into account all our experience with the previous ChameleonMini versions. We have successfully tested the processor upgrade and integration of FRAM memory with a modified Rev.E:
The path to integrate the new Rev.G features in this project involves:
- upgrade of the microcontroller to an ATXMega128, with 128 kB Flash, 8kB SRAM, 2kB EEPROM, AES/DES Crypto Engine, and integrated USB Transceiver
- completely revised, differential HF antenna design
- power transistors in H-bridge configuration driving the antenna coil to generate a 13.56 MHz RFID field
- improved, transistor-based load modulation generator and decoder
- two buttons for user-interaction
- external 128 kBit FRAM to store the current virtual card and logged/sniffed data
- on-board rechargeable Lithium-Ion battery and charging circuitry for charging via USB
- power switch (a battery-saving and privacy-preserving feature)
- free-to-use auxiliary pin to connect external equipment (door lock, or other Internet-of-Things objects)
The following video illustrates the improvements and new features of Rev.G:
Summary of ChameleonMini Rev.G
NFC Card Emulator, RFID Reader, Sniffer and Data Logger in one tool.
- Low Level Implementation: By avoiding the use of commercial chips for RFID systems, we make sure you are able to look at, understand, and modify every layer of RFID systems from the physical layer to the card logic.
- Open Source: We make sure that you can benefit from your financial effort by making design files and source code openly available to anyone under a permissive license. This way you will be able to learn from the existing code, make adjustments to your liking or completely develop new parts even with reusing existing functionality.
- Easy Configuration and Setup: The ChameleonMini uses a standard USB connection to enumerate as a Virtual Serial Port and accepts easy-to-use text commands on this interface. This way you can use simple terminal software like TeraTerm or HyperTerminal to fully control the Chameleon and even upload or download memory dumps using X-Modem. But this is not all! The text interface has been specifically designed to be easily used not only by humans, but also by your own scripts and desktop applications, using an ASCII protocol that is easy to interface.
- Mobile Use: Thanks to its rechargeable battery, the Chameleon is a fully portable device that can be used without connecting it to a desktop computer or laptop.
- Firmware upgrade: The integrated bootloader implements the USB DFU standard, so you can program upgrades or your own modified firmware versions to the ChameleonMini over the USB interface alone, without any additional hardware.
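To show what "scripts and desktop applications" talking to the text interface look like, here is an added example rather than one of the project's own scripts: a small client for a line-oriented ASCII command protocol over a virtual serial port, together with an in-memory stand-in for the device so that it runs without hardware. The command names (VERSION?, CONFIG, UID), the configuration names and the three-digit status codes follow the convention of the ChameleonMini command set as I know it, but the page does not list them, so treat them as assumptions and check the project's command reference; the serial device path in the comment is likewise an assumption.

```python
# Added example, not the project's own scripts: a client for a line-oriented
# ASCII command protocol spoken over a virtual serial port, plus an in-memory
# stand-in for the device. Command names, configuration names and status
# codes are assumptions of this example, not taken from the Kickstarter page.

import re

STATUS_LINE = re.compile(r"^(\d{3}):(.*)$")


class FakeChameleon:
    """Stand-in for the serial port object: anything with write() and
    readline(), such as a pyserial Serial, can take its place."""

    # Assumed configuration names and the UID length each one implies.
    UID_BYTES = {"MF_CLASSIC_1K": 4, "MF_CLASSIC_4K": 4, "MF_ULTRALIGHT": 7}

    def __init__(self):
        self.config, self.uid, self._pending = "NONE", b"", []

    def write(self, data: bytes) -> None:
        for line in data.decode("ascii").split("\r\n"):
            if line:
                self._pending += self._handle(line)

    def readline(self) -> bytes:
        return (self._pending.pop(0) + "\r\n").encode("ascii") if self._pending else b""

    def _handle(self, line: str) -> list:
        if line == "VERSION?":
            return ["101:OK WITH TEXT", "FakeChameleon (constructed)"]
        if line == "CONFIG?":
            return ["101:OK WITH TEXT", self.config]
        if line == "UID?":
            return ["101:OK WITH TEXT", self.uid.hex().upper()]
        if line.startswith("CONFIG="):
            name = line[len("CONFIG="):]
            if name not in self.UID_BYTES:
                return ["202:INVALID PARAMETER"]
            self.config, self.uid = name, bytes(self.UID_BYTES[name])
            return ["100:OK"]
        if line.startswith("UID="):
            try:
                uid = bytes.fromhex(line[len("UID="):])
            except ValueError:
                return ["202:INVALID PARAMETER"]
            # a UID whose length does not fit the emulated card type is refused
            if len(uid) != self.UID_BYTES.get(self.config):
                return ["202:INVALID PARAMETER"]
            self.uid = uid
            return ["100:OK"]
        return ["200:UNKNOWN COMMAND"]


class ChameleonClient:
    """Frames commands as CRLF-terminated lines and parses 'NNN:TEXT' replies."""

    def __init__(self, port):
        self.port = port

    def command(self, cmd: str) -> tuple:
        """Send one command; return (status code, status text, payload or None)."""
        self.port.write((cmd + "\r\n").encode("ascii"))
        reply = self.port.readline().decode("ascii").rstrip("\r\n")
        match = STATUS_LINE.match(reply)
        if not match:
            raise ValueError("malformed status line: %r" % reply)
        code, text = int(match.group(1)), match.group(2)
        payload = None
        if code == 101:                        # 'OK WITH TEXT': one more line follows
            payload = self.port.readline().decode("ascii").rstrip("\r\n")
        return code, text, payload

    def set_card(self, config: str, uid_hex: str) -> str:
        """Select a card type, program its UID and read the UID back."""
        for cmd in ("CONFIG=" + config, "UID=" + uid_hex):
            code, text, _ = self.command(cmd)
            if code != 100:
                raise RuntimeError("%s failed: %d %s" % (cmd, code, text))
        return self.command("UID?")[2]


if __name__ == "__main__":
    # For real hardware, pass e.g. serial.Serial("/dev/ttyACM0", timeout=1) instead (assumed path).
    client = ChameleonClient(FakeChameleon())
    print(client.command("VERSION?"))
    print("card now answers with UID", client.set_card("MF_CLASSIC_1K", "DEADBEEF"))
```

The point of parsing the numeric status rather than the text is that a script can branch on it reliably, the way mail clients branch on SMTP codes; the stand-in also shows why a device-side length check on UID= matters, since a 7-byte UID programmed into a 4-byte card configuration would be answered with a malformed anticollision response.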
The standard color of the Rev.G (and Rev.E Light, see below) PCB will be RED.
Available to everyone: the source code and hardware design files of the ChameleonMini Rev.G (and Rev.E Light, see below), which you can modify and re-use under a permissive license from our public github repo; PC-side drivers for Windows (not required for Linux); and getting-started instructions for the ChameleonMini.
Those supporting the project will further get the rewards as indicated in the pledges / "Belohnungen".
As a German company, for supporters in Germany unfortunately we have to raise 19% VAT (Mehrwertsteuer) according to the tax law. We solve this problem by including the VAT as "Shipping to Germany" in the pledges.
Command Set and In-Lab Demo
The following video presents an in-lab demo of our hand-soldered Rev.F prototype. Watching the video, you learn more about
- breaking off the breakable antenna extension of ChameleonMini
- the serial terminal / USB command set in detail
- typical configuration of ChameleonMini
Warning: The video has technical content and is about 8 minutes long. Thus, watching it is recommended only for those of you who really want to learn as many details as possible about our project before supporting it.
Rev.E Light: The Low-Cost ChameleonMini
Last but not least, for Rev.E fans and for hackers and makers on a low budget, we have decided to create a new "Rev.E Light" variant of the Chameleon with the same technical capabilities as the current Rev.E (see the github project for details). Some components of the Rev.E have become obsolete, e.g., the external data flash, so it has become difficult to produce the device.
Rev.E Light shall serve as a replacement for the discontinued Rev.E variant. The Rev.E Light can thus emulate cards, but lacks the reader function and the other (costly) major improvements of Rev.G. In contrast to Rev.E, the microcontroller of Rev.E Light will be upgraded to an ATXMega128A4U; however, in order to cut cost there will be neither an external data flash nor an external FRAM on the Rev.E Light board. The function of these external memories will be compensated in software (using the internal flash of the XMega). Further, there will be circuitry for charging a Lithium-Ion battery; however, the battery is not included on the PCB and has to be bought and soldered by yourself to the respective pads on the PCB.
We plan to release a firmware that corresponds to the current, stable state of Rev.E and freeze the Rev.E Light development at this point. Note that we plan no further developments and support for the Rev.E / Rev.E Light devices, but will in the future rather focus on improving Rev.G.
The development starts immediately after the project goal is reached. The first production run is scheduled for June 2016. The shipping of the freshly manufactured and tested Chameleons is planned end of Summer 2016.
KAOS thanks Florian Bache, Arne Benzing, Patrick Edwards, Susi Engels, Georg Land, Lena Meier, André Kasper, Simon Küppers, Ingo von Maurich, Jelena Ninic, Martin Novotný, Endres Puschner, Julius Schmalz, Alexander Simonov, Simon Yorkston, Marian Such, Michael Lev Svítek, Adéla Svítková, and many more anonymous supporters for their contributions to the previous Chameleon versions and help with this Kickstarter project.
KAOS further thanks everyone who has read this Kickstarter page to the very end and of course all supporters of the project.
Let's bring the Chameleon to life together!
Risks and challenges
The project can be considered low-risk. We have already done a prototype manufacturing run for an earlier revision and are in the 4th hardware iteration cycle. We have long-term experience with manufacturing embedded systems and the respective in-factory testing procedures. Thus far the main problems that have arisen in the past have been the temporary unavailability of certain key hardware components used on the Chameleon. For Rev.G we will take special care to choose components with long availability, and we always try to use parts for which a second-source supplier is available.