📡 Connection
The app communicates with the ChameleonUltra over Bluetooth Low Energy (BLE) or USB serial. Both methods are available from the main screen.
BLE (Bluetooth)
Tap Scan BLE. Nearby ChameleonUltra devices appear in the list with name, address and signal strength (RSSI).
Tap a device in the list. The app stops scanning and connects. The status indicator turns green when connected.
Tap Disconnect at any time. BLE pairing settings can be managed under Settings.
USB (CDC-ACM serial)
Connect the ChameleonUltra via USB. The device appears as /dev/ttyACM* or /dev/ttyUSB*.
Tap ↺ to refresh the port list, then pick the correct port from the dropdown.
Tap Connect USB. USB mode is required for firmware flashing.
Reader vs Emulator mode
The device operates in one of two modes. In Reader mode it actively polls for tags. In Emulator mode it presents itself as a tag to external readers. You can toggle this from the pull-down menu on most pages, or from Device Info.
🔍 HF Scan 13.56 MHz
Scan and interact with ISO14443-A cards including MIFARE Classic, MIFARE Ultralight, NTAG, and ISO14443-4 cards. The device must be in Reader mode.
Scan Tag
Tap Scan Tag to perform a full ISO14443-A anticollision and display the UID, ATQA, SAK, and ATS (if present). The SAK byte gives a first indication of the card family (for example whether the card supports ISO14443-4), but magic cards can report any SAK, so confirm with Detect Mifare before relying on it.
Detect Mifare
After a scan, tap Detect Mifare to confirm whether the card responds to MIFARE Classic authentication. This is needed before running attacks.
PRNG Type
Available once a MIFARE card is detected. Identifies whether the tag uses a weak (predictable) or hard PRNG. Weak PRNG tags are vulnerable to the Darkside attack (and to Nested once one key is known). Hard PRNG tags require Hardnested.
Mifare Block Read / Write
Enter a block number (0–255; blocks 64 and above exist only on 4K cards), select Key A or Key B, and enter the 12-hex-char key. Tap Read Block to fetch 16 bytes of block data. Fill in 32 hex chars and tap Write Block to write.
Raw ISO14443-A
Send arbitrary hex bytes as a raw ISO14443-A frame. Options:
| Option | Effect |
|---|---|
| Keep RF | RF field stays active after the command (chain multiple frames) |
| Add CRC | App appends ISO14443-A CRC automatically (enabled by default) |
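The CRC that Add CRC appends is the ISO/IEC 14443-3 CRC_A. The following is an added example (it is not the app's own code) that computes it, builds a frame the way the option does, and checks the trailing CRC of a frame captured with HF Sniff. The frame values are constructed for the example.

```python
# Added example (not the app's own code): the ISO/IEC 14443-3 CRC_A that the
# "Add CRC" option appends, plus a checker for frames captured by HF Sniff.


def crc_a(data: bytes) -> bytes:
    """CRC_A: preset 0x6363, polynomial 0x8408 (0x1021 reflected), no final
    XOR, returned in transmission order (low byte first)."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))


def add_crc(frame_hex: str) -> str:
    """What Add CRC does: payload followed by its CRC_A, as upper-case hex."""
    raw = bytes.fromhex(frame_hex)
    return (raw + crc_a(raw)).hex().upper()


def check_crc(frame_hex: str) -> bool:
    """True if the last two bytes of a captured frame are the CRC_A of the rest.
    Short frames (REQA 26, WUPA 52) and 4-bit ACK/NACK carry no CRC and fail here."""
    raw = bytes.fromhex(frame_hex)
    return len(raw) >= 3 and crc_a(raw[:-2]) == raw[-2:]


if __name__ == "__main__":
    # MIFARE Classic READ of block 0 as a reader sends it: 30 00 + CRC
    print(add_crc("3000"))                                # 300002A8
    # Well-known CRC_A test vectors: 00 00 -> A0 1E, 12 34 -> 26 CF
    print(add_crc("0000"), add_crc("1234"))               # 0000A01E 123426CF
    print(check_crc("300002A8"), check_crc("300002A9"))   # True False
```

Two things to keep in mind when using this on sniffed traffic: disable Add CRC when sending REQA or WUPA (short 7-bit frames), and expect check_crc to fail on every MIFARE Classic frame after a successful AUTH, because Crypto1 encrypts the CRC along with the payload; that is not a capture error.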
Copy to Slot
After a successful scan, a panel appears at the bottom allowing you to copy the tag's UID/ATQA/SAK/ATS directly into any of the 8 emulation slots.
⚔️ HF Key Attacks MIFARE
Tools for recovering MIFARE Classic keys using cryptographic attacks. All attacks require the device to be in Reader mode with a MIFARE Classic card in the field.
Found Keys
Keys recovered by any attack are collected here automatically. They are also added to the key dictionary used for subsequent Check Keys runs.
Known Key (shared input)
Most attacks need at least one known key to start. Enter the block number, key type (A or B), and a 12-hex-char key value (default FFFFFFFFFFFF).
NT Distance Detection
Measures how far the tag's PRNG advances between two consecutive authentications (the nonce distance). Required as a first step before running the Nested attack. Uses the known key entered above. The result is displayed and remembered for the session.
Nested Attack
Recovers an unknown key for a target block using a known key. Run NT Distance Detection first. Enter the target block and key type, then tap Nested. The recovered key appears in Found Keys.
Static Nested Attack
A variant of nested for tags where the PRNG does not advance between authentication attempts (static nonce). Tap Static Nested after entering known and target block details.
Darkside Attack
Works against tags with a weak PRNG (no known key required). Configure:
| Parameter | Description |
|---|---|
| Sync max | Maximum number of synchronisation attempts (default 30) |
| First recover | When enabled, stops after the first successful key candidate |
Tap Darkside Acquire. Data is collected on-device; the result appears in the status area.
Hardnested Attack
For tags with a hard PRNG. Requires a known key. Enable Slow mode for better reliability on difficult tags. Tap Hardnested Acquire. The collected nonces are processed on the device and the key is returned automatically.
mfkey32 — Crack from Detection Log
Uses the MF1 emulator's detection log to recover keys that a real reader used to authenticate against the ChameleonUltra emulator.
Go to MF1 Emulator and enable Detection mode. Present the ChameleonUltra to the real reader and let it authenticate.
Tap Crack on Device. The app downloads the log, groups authentication pairs, and runs mfkey32v2 on the device for each pair.
Recovered keys appear in Found Keys. The PC command list shows mfkey32v2 commands you can also run manually on a PC.
Check Keys on Block / All Sectors
Try a list of known keys against a single block, or against all 16/32/40 sectors (MIFARE Classic 1K/2K/4K) in one go.
| Dictionary action | Description |
|---|---|
| Load Default | Loads the built-in key dictionary bundled with the app |
| Save found keys | Saves all recovered keys to ~/chameleon-found.keys |
| Load found keys file | Merges ~/chameleon-found.keys into the active dictionary |
| Import .keys File | Load any custom .keys file by path |
| Extra keys | Type extra keys directly (one per line, 12 hex chars each) |
Found keys are always automatically included in the check even if not in the dictionary.
Manual mfkey32v2
Paste raw nonce data in the format uid nt0 nr0 ar0 nt1 nr1 ar1 (space-separated hex; both authentications must target the same block and key type) and tap Run mfkey32v2 to recover a key on the device.
💳 ISO14443-4 / T=CL HF
Tools for ISO14443-4 (T=CL) contactless cards including EMV payment cards, DESFire, and custom JavaCard applications.
Emulation Anti-Collision
Set the UID (4 or 7 bytes), ATQA (4 hex chars), SAK (2 hex chars), and optionally ATS that the device presents in emulator mode. Tap Set Anti-Collision. This controls how the device is seen during card discovery.
Static APDU Responses
Pre-program command → response pairs. When a reader sends a matching APDU, the device replies automatically without needing the phone. Useful for emulating simple card applications.
- Enter the APDU command pattern in hex (e.g. 00A4040007A0000000031010)
- Enter the response in hex (e.g. 6F...9000)
- Tap Add Response
- Tap Clear All to remove all pairs (requires confirmation)
Live APDU Exchange (Emulator mode)
Manually handle incoming APDUs in real time. Tap Wait for APDU (recv) — the app blocks until a reader sends an APDU. The received command is shown in hex. Enter a response and tap Send APDU Response.
Reader APDU (Reader mode)
Send an ISO14443-4 APDU directly to a real card in the field. Enter the command hex and tap Send Reader APDU. The card's response is displayed.
EMV / ISO14443-4 Scan
Performs card detection and returns the UID, ATQA, SAK, and ATS of any ISO14443-4 card in the field. Useful for identifying EMV cards before sending APDUs.
🃏 MF1 Emulator Config HF
Configure how the ChameleonUltra behaves when emulating a MIFARE Classic card. Pull down to refresh configuration from the device.
Mode Flags
- Gen1a magic: Responds to the UID backdoor command sequence. Enables tools that use the "magic" Gen1a unlock to write to block 0 directly. Enable if cloning a Gen1a magic card.
- Block 0 write: Allows direct writes to block 0 (manufacturer block) without authentication. Required for tools that write the UID this way.
- Block anti-collision: Suppresses the UID during the anticollision loop. The card is not seen until SELECT is sent. Useful for advanced emulation scenarios.
- Field-off do reset: Resets all emulator state when the RF field drops. Ensures the card always starts from a clean state when re-presented to a reader.
Write Mode
| Mode | Behaviour |
|---|---|
| Normal | Accepts writes and stores them persistently |
| Denied | NACKs all write commands — card appears read-only |
| Deceive | ACKs writes (reader thinks it succeeded) but discards data |
| Shadow | Stores writes in RAM only — changes are lost when field drops |
Detection Mode
When enabled, the device records every authentication attempt a reader makes against the emulated card: the UID, block and key type, the tag nonce (nt) and the reader's encrypted nonce and response (nr, ar). Tap Get Count to see how many events are stored. Tap Fetch Detection Log to download and display them. The log is used by the mfkey32 attack in HF Key Attacks to recover keys.
Anti-Collision Data
Get or set the UID, SAK, and ATQA the emulated card presents during anticollision. Enter a 4- or 7-byte UID in hex, SAK byte, and ATQA (4 hex chars), then tap Set Anti-Coll Data.
Emulator Block Data
Read or write raw block data in the emulator's flash storage. Enter start block and count, then tap Read Emu Blocks. To write, enter 32 hex chars (16 bytes) and tap Write Emu Block.
🏷️ MFU / NTAG Emulator HF
Configure emulation of MIFARE Ultralight and NTAG tags. Pull down to refresh config or page count.
Emulator Flags
- UID page write: Allows writing to pages 0 and 1 (UID pages) without authentication, so cloning tools can set the UID directly.
- Detection: Logs authentication attempts to flash. Use with the detection log functions to analyse reader interactions.
- Write mode: Same four modes as MF1: Normal, Denied, Deceive, Shadow. Controls how write commands are handled.
Page Data
Enter a start page and count, then tap Read Pages to view raw page data (4 bytes per page). To write, enter hex data (multiples of 8 hex chars = 4 bytes) and tap Write Pages.
Counters
MIFARE Ultralight EV1 exposes three 24-bit counters (indices 0, 1, 2); NTAG21x tags implement only the NFC counter at index 2. Select a counter and tap Read. To set a value, enter a number and optionally enable Reset tearing flag, then tap Write Counter. Tap Reset Auth Cnt to clear the authentication attempt counter.
Version & Signature
Read the 8-byte version data and 32-byte ECC signature stored in the emulator. You can also set custom version data (16 hex chars) or signature (64 hex chars) to match a specific physical tag.
📻 LF Scan 125 kHz
Scan and clone low-frequency access control credentials. Switch to Reader mode before scanning.
Supported Tag Formats
- EM410X: 5-byte ID. The most common 125 kHz proximity credential format.
- HIDProx: Wiegand-based access cards (26-bit H10301 and many others). Displays Facility Code and Card Number.
- Viking: 4-byte card ID used in Viking/Farpointe readers.
- PAC/Stanley: 8-byte ASCII card ID used in PAC and Stanley Security systems.
- ioProx: Kantech ioProx format with Version, Facility Code, and Card Number fields.
- EM4x05: Motorola/EM4x05 tag; supports optional password authentication.
For HIDProx, select the format (H10301, Indala, Tecom, etc.) from the dropdown before scanning, or leave on Auto-detect. Scanned FC and CN are pre-filled for writing.
Write to T55xx
Clone a scanned ID (or enter one manually) onto a T55xx blank card. Select the target protocol, fill in the ID, and tap Write to T55xx. For HIDProx, enter Facility Code and Card Number and choose the write format.
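The Facility Code and Card Number fields map onto a fixed bit layout. As an added example (not the app's code), here is the 26-bit H10301 format: bit 1 is even parity over bits 2 to 13, bits 2 to 9 carry the 8-bit facility code, bits 10 to 25 the 16-bit card number, and bit 26 is odd parity over bits 14 to 25. The encoder builds a frame from FC/CN and the decoder rejects frames whose parity does not check, which is what separates a real read from noise. The function names and test values are this example's own; the raw HIDProx payload format the LF Emulator page expects is not reproduced here.

```python
# Added example (not the app's own code): HID H10301 26-bit Wiegand encode/decode
# with parity checks. Frames are handled as integers, MSB = bit 1 of the card.


def _parity(value: int) -> int:
    """1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def h10301_encode(fc: int, cn: int) -> int:
    """Build the 26-bit frame for a facility code and card number."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= cn <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    body = (fc << 16) | cn              # the 24 data bits, FC above CN
    even = _parity(body >> 12)          # leading bit: upper 12 data bits even
    odd = 1 ^ _parity(body & 0xFFF)     # trailing bit: lower 12 data bits odd
    return (even << 25) | (body << 1) | odd


def h10301_decode(frame: int) -> tuple:
    """Return (fc, cn) from a 26-bit frame; raise ValueError on a parity error."""
    if frame >> 26:
        raise ValueError("frame is longer than 26 bits")
    even, body, odd = frame >> 25, (frame >> 1) & 0xFFFFFF, frame & 1
    if _parity(body >> 12) != even:
        raise ValueError("even parity mismatch")
    if _parity(body & 0xFFF) == odd:
        raise ValueError("odd parity mismatch")
    return body >> 16, body & 0xFFFF


def h10301_valid(frame: int) -> bool:
    """Convenience wrapper: does the frame pass both parity checks?"""
    try:
        h10301_decode(frame)
        return True
    except ValueError:
        return False


def h10301_bits(frame: int) -> str:
    """The frame as a 26-character bit string, bit 1 first."""
    return format(frame, "026b")


if __name__ == "__main__":
    frame = h10301_encode(123, 45678)            # constructed FC/CN, not a real card
    print(h10301_bits(frame), h10301_decode(frame))
    print(h10301_valid(frame), h10301_valid(frame ^ 1))   # True False
```

A scan that yields a frame failing h10301_valid is more likely a misaligned or noisy capture than a card with an odd credential; re-read before writing it to a T55xx.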
Generic T55xx Block Write
Write an arbitrary 4-byte value to any T55xx block (0–7). Optionally supply a password and enable Use password for password-protected tags. Block 0 is the configuration block: writing a wrong value there can leave the tag unreadable until the configuration is rewritten.
ioProx Decode / Compose
Decode raw ioProx hex bytes to extract Version, FC, and CN. Or compose an ioProx ID from numeric Version, FC, and CN fields — the result can then be written directly to a T55xx.
LF Sniff
Captures raw 125 kHz field data for a configurable timeout (default 2000 ms). After capture:
- The app automatically decodes EM4100 (ASK/Manchester) and HID Prox (FSK) from the waveform
- Tap Plot waveform to see the raw ADC signal with mean and threshold lines
- Use Zoom in / out and Pan left / right to inspect specific parts of the capture
- Tap Auto range to zoom to the region where the tag was modulating
- Tap Copy hex to clipboard to export raw data for external analysis
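What the automatic EM4100 decode has to recover from the demodulated bits is a 64-bit frame: a 9-bit header of ones, ten rows of four data bits each followed by an even row parity bit, four even column parity bits, and a stop bit of 0. The following is an added example (not the app's code) with an encoder for a 5-byte ID and a decoder that finds the frame at any offset of a circular bit stream, since a sniff rarely starts on the header, and rejects frames whose parities do not verify. The card ID is constructed for the example.

```python
# Added example (not the app's own code): EM410x 64-bit frame encode/decode.
# The decoder scans a rotated bit stream and checks row and column parities.
from typing import Optional

HEADER = "1" * 9


def em4100_encode(card_id: bytes) -> str:
    """5-byte ID -> 64-bit frame: 9-bit header, 10 rows of 4 data bits plus
    even row parity, 4 even column parities, stop bit 0."""
    if len(card_id) != 5:
        raise ValueError("EM410x IDs are 5 bytes")
    bits = [1] * 9
    cols = [0, 0, 0, 0]
    for byte in card_id:
        for nibble in (byte >> 4, byte & 0xF):
            row = [(nibble >> (3 - i)) & 1 for i in range(4)]
            bits += row + [sum(row) & 1]
            cols = [c ^ r for c, r in zip(cols, row)]
    bits += cols + [0]
    return "".join(map(str, bits))


def em4100_decode(stream: str) -> Optional[bytes]:
    """Find a frame anywhere in a (possibly rotated) bit stream whose row and
    column parities all verify; None if nothing does."""
    n = len(stream)
    if n < 64:
        return None
    doubled = stream + stream[:63]          # allow a frame that wraps around
    for off in range(n):
        frame = doubled[off:off + 64]
        # A real header is preceded by the stop bit 0; otherwise we are inside the run.
        if stream[(off - 1) % n] != "0" or not frame.startswith(HEADER) or frame[63] != "0":
            continue
        nibbles, cols = [], [0, 0, 0, 0]
        for i in range(10):
            row = [int(b) for b in frame[9 + 5 * i: 13 + 5 * i]]
            if (sum(row) & 1) != int(frame[13 + 5 * i]):
                break                        # row parity failed
            cols = [c ^ r for c, r in zip(cols, row)]
            nibbles.append(int("".join(map(str, row)), 2))
        else:
            if "".join(map(str, cols)) == frame[59:63]:
                return bytes(nibbles[2 * i] << 4 | nibbles[2 * i + 1] for i in range(5))
    return None


if __name__ == "__main__":
    card = bytes.fromhex("1D55559A41")       # constructed ID, not a real credential
    frame = em4100_encode(card)
    print(frame)
    print(em4100_decode(frame[20:] + frame[:20]).hex().upper())   # 1D55559A41
```

The parity structure guarantees that nine consecutive ones never occur outside the header, which is why the decoder can synchronise on that run; a waveform that decodes to nothing usually means the capture missed a full 64-bit period, so increase the sniff timeout rather than trusting a partial ID.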
ADC Voltage
Reads the analogue field voltage in millivolts. Useful for checking antenna coupling and field strength.
📳 LF Emulator IDs 125 kHz
Set the IDs emitted by the ChameleonUltra for each LF protocol. Each field shows the currently programmed value; tap Get to read from the device and Set to write.
| Protocol | ID format | Length |
|---|---|---|
| EM410X | Hex bytes | 10 hex chars (5 bytes) |
| HIDProx | Raw Wiegand payload | 26 hex chars |
| Viking | Hex uint32 | 8 hex chars (4 bytes) |
| PAC/Stanley | Hex ASCII | 16 hex chars (8 bytes) |
| ioProx | Raw ioProx payload | 32 hex chars |
📂 Slot Manager
The ChameleonUltra has 8 independent slots, each holding one HF and one LF tag profile simultaneously. Pull down to refresh, or to save slot configuration to flash.
Slot list
Each slot card shows the HF and LF nicknames, tag type, UID/ID, and whether the slot is currently active. Tap a slot to open Slot Detail.
Slot Detail
From the detail page you can:
- Nickname: Enter a human-readable label for the HF and LF profiles (e.g. "Office badge", "Parking fob"). Tap the enter key or the Set button to save.
- Activate: Makes this slot the active one. The device will immediately present this tag to readers.
- HF type: Select the MIFARE/NTAG/ISO14443-4 type. Tap Set HF Type to apply, or Reset HF Default to restore factory-default data for that type.
- LF type: Select the LF protocol for this slot and tap Set LF Type.
- Enable/disable: Disabled slots are skipped when cycling through slots with the hardware buttons.
⚙️ Settings
Pull down to save settings to flash or reset to factory defaults.
LED Animation
Choose how the LEDs behave: Full animation, Minimal, No animation, or Symmetric. Changes are saved to flash immediately when you select an option.
Button A & Button B
Each hardware button has a short-press and a long-press action. Options:
| Action | Effect |
|---|---|
| None | Button does nothing |
| Next slot | Cycles to the next enabled slot |
| Previous slot | Cycles to the previous enabled slot |
| Clone tag | Reads the tag in the field and copies it to the current slot |
| Show battery | Displays battery level on the LEDs |
| Toggle field gen | Enables/disables the RF field generator |
BLE Pairing
Enable Require pairing key to require a PIN before BLE connections are accepted. Tap Delete all BLE bonds to clear all paired devices (confirmation required).
🔬 Advanced EXPERT
Low-level tools for sniffing, raw configuration, and device diagnostics. Some actions here are irreversible.
HF Sniff 13.56 MHz
Passively captures all ISO14443-A traffic between a reader and a card for the configured timeout (default 5000 ms). After capture:
- Frames are decoded and displayed with direction arrows: >>> reader→card, <<< card→reader
- Common frames are labelled: [REQA], [WUPA], [ATQA], [SELECT CL1], [MFC AUTH_A], [APDU SELECT FILE], ISO7816 status words, etc.
- Tap Copy decoded to copy the annotated frame log to the clipboard
- Tap Copy raw hex to copy the unprocessed hex buffer
Sniff — Auth Nonces
If any MIFARE Classic authentication exchanges are captured, they are extracted and shown below the frame log. Each entry shows the block, key type, UID, nonce (nt), and encrypted reader values (nr, ar).
Depending on what was captured, the app shows the correct offline cracking command:
| Situation | Command shown |
|---|---|
| One auth captured and the tag responded (at present) | mfkey64 uid nt nr ar at |
| Two auths captured for the same block/key | mfkey32v2 uid nt0 nr0 ar0 nt1 nr1 ar1 |
| One auth, no tag response | No command (insufficient data) |
Tap the command text to copy it to the clipboard. Tap Crack on device to run the attack locally — the result appears in green (key found) or red (not found). Tap Copy next to the recovered key to copy just the key hex.
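The table above, the pairing step behind Crack on Device in HF Key Attacks, and the input format of Manual mfkey32v2 all follow one rule: a full exchange with a tag reply feeds mfkey64, two reader attempts against the same block and key type feed mfkey32v2, and a single attempt with no reply is not enough. The following is an added example (not the app's code) that applies that rule to a list of captured authentications and emits the command lines. The dataclass, function name and all nonce values are constructed for the example.

```python
# Added example (not the app's own code): group captured MIFARE Classic
# authentications and choose the offline cracking command for each group.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthCapture:
    """One authentication seen by HF Sniff or the MF1 detection log."""
    uid: str                  # 4-byte UID, hex
    block: int
    key_type: str             # "A" or "B"
    nt: str                   # tag nonce, hex
    nr: str                   # reader nonce (encrypted), hex
    ar: str                   # reader response (encrypted), hex
    at: Optional[str] = None  # tag response (encrypted); None if the tag never answered


GroupKey = Tuple[str, int, str]


def crack_commands(captures: List[AuthCapture]) -> Dict[GroupKey, List[str]]:
    """Return, per (uid, block, key type), the commands that can recover the key.
    An empty list means insufficient data (a single attempt with no tag reply)."""
    groups: Dict[GroupKey, List[AuthCapture]] = defaultdict(list)
    for c in captures:
        groups[(c.uid.upper(), c.block, c.key_type.upper())].append(c)
    out: Dict[GroupKey, List[str]] = {}
    for key, entries in groups.items():
        uid = key[0]
        cmds: List[str] = []
        # A complete exchange (the tag replied with at) is enough on its own.
        for e in entries:
            if e.at:
                cmds.append(f"mfkey64 {uid} {e.nt} {e.nr} {e.ar} {e.at}")
        # Two reader attempts on the same block/key type, even with no tag
        # reply, fix the key with mfkey32v2: this is the emulator (detection log) case.
        for a, b in zip(entries, entries[1:]):
            cmds.append(f"mfkey32v2 {uid} {a.nt} {a.nr} {a.ar} {b.nt} {b.nr} {b.ar}")
        out[key] = cmds
    return out


# Constructed sample, not a real capture.
SAMPLE = [
    AuthCapture("DEADBEEF", 4, "A", "01200145", "5AC5B9F0", "1C3D2E4F"),
    AuthCapture("DEADBEEF", 4, "A", "01200189", "9F0A1B2C", "3D4E5F60"),
    AuthCapture("DEADBEEF", 8, "B", "7B3A2C1D", "0102AABB", "CCDDEEFF", at="11223344"),
    AuthCapture("DEADBEEF", 12, "A", "ABCD0123", "45670000", "89AB0000"),
]

if __name__ == "__main__":
    for key, cmds in crack_commands(SAMPLE).items():
        print(key, cmds or "insufficient data")
```

The argument list after "mfkey32v2" is exactly what the Manual mfkey32v2 field on the HF Key Attacks page expects (uid nt0 nr0 ar0 nt1 nr1 ar1). Note that the grouping key includes the block and key type: two attempts against different sectors share nothing and must not be paired.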
HF14A Config
Read or write the raw HF14A configuration blob (advanced hardware register settings). Tap Get HF Config to read the current value, edit the hex, then tap Set HF Config.
MF1 Emulator Extras
Quick toggles for Block anti-collision mode and Field-off do reset (same as in MF1 Emulator page). Also shows the current detection event count inline.
Device Info
Fetch and display the raw capabilities blob, settings blob, and enabled slot list as hex data.
Danger Zone IRREVERSIBLE
- Wipe flash data: Erases all data in the device's flash data storage, including slots, keys, nicknames and settings. The device returns to a factory blank state.
- Enter DFU mode: Reboots the device into the DFU (Device Firmware Upgrade) bootloader. Required for manual firmware recovery. USB connection needed.
💾 Firmware Update
Flash new firmware to the ChameleonUltra over USB. A USB connection is required — BLE is not supported for flashing.
Plug in the cable and connect via USB from the main screen. Firmware flashing is only enabled in USB mode.
Use the built-in file browser to navigate to the DFU package (.zip). Tap a folder to enter it or tap the path label / Up button to go up. Tap a .zip file to select it (highlighted in blue).
Tap Flash Firmware via USB. A progress bar and log show upload status. Do not unplug the cable during flashing.
When complete, the log shows ✓ Done — device rebooting. The device restarts into the new firmware automatically.