Chameleon mini with MacOSX 101

Just got my chameleonmini from a batch order with friends and I was eager to do some NFC sniffing!

Let's start with flashing it with latest firmware.

Install all dependencies

brew install avra avrdude  
brew tap osx-cross/avr  
brew install avr-libc  

git clone the project from https://github.com/emsec/ChameleonMini, go into the ./Firmware/Chameleon-Mini subfolder and run make. This should compile everything for you and produce the Chameleon-Mini.hex and Chameleon-Mini.eep files that the flash command below expects.

Next, flash the firmware to the device. The flip2 programmer talks to Atmel's DFU bootloader, so the Chameleon has to be in bootloader mode first (a running firmware gets there with the UPGRADE terminal command; the project docs describe the alternatives). Then shamelessly copy this command from the guide provided by the ChameleonMini folks:

sudo avrdude -c flip2 -p ATXMega128A4U -B 60 -P usb -U application:w:Chameleon-Mini.hex:i -U eeprom:w:Chameleon-Mini.eep:i  

Cool, now for the Mac: I tried using screen, but local echo didn't work very well and I couldn't see what I was typing in the terminal, so I switched to minicom and it was all I needed.

So here is what I did to get everything working, including downloading/uploading files with the XMODEM protocol:

Install minicom and lrzsz

brew install minicom lrzsz  

minicom: a well-known tool for talking to a serial port (the ChameleonMini presents a virtual USB serial interface when you connect it to the Mac)
lrzsz: after having trouble downloading/uploading files from minicom, I realised that I had not installed the package that provides the XMODEM transfer programs minicom calls. Note that the Homebrew package names the executables lsx/lrx rather than the sx/rx minicom expects by default, so you will need some extra config.

Create the file ~/.minirc.dfl with the following content:

pu pname3           YUNYNxmodem  
pu pname6           YDNYNxmodem  
pu pprog3           /usr/local/bin/lsx -vv  
pu pprog6           /usr/local/bin/lrx -vv  
pu lock             /usr/local/Cellar/minicom/2.7/var  
pu updir            /tmp  
pu downdir          /tmp  
pu escape-key       Escape (Meta)  

Otherwise, once you fire up minicom (jump to the command below for the arguments you need), you can change the same settings interactively:

  • Meta key (set to Esc in my iTerm2) + Z
  • O to change the configuration
  • Select "File transfer protocols"
  • C to edit the xmodem send program; use Enter to move to the next field and change the path to "/usr/local/bin/lsx" instead of "/usr/local/bin/sx"
  • Do the same with option F, the xmodem receive program, and change it to "/usr/local/bin/lrx" instead of "/usr/local/bin/rx"

Now the file-transfer part of your config should match the ~/.minirc.dfl above.

Press Enter to return to the configuration screen, open "Filenames and Paths" and set the download/upload folders to /tmp so you know where all the files end up.

You are almost done setting up! Now for the command to run and start interacting with Chameleon mini:

minicom -D /dev/tty.usbmodem1421 -C chameleon.log  

To turn local echo on so you can see what you are typing:

  • Press Meta + Z
  • Press E (toggles local echo on/off)

The -D argument is the usbmodem device (the name may differ on your machine, but it starts with /dev/tty.usbmodem*); -C captures all input/output to a log file. You don't need to care about the baud rate, since it is a USB CDC virtual serial port rather than a real UART.

You can read all the commands available here:
https://rawgit.com/emsec/ChameleonMini/master/Doc/Doxygen/html/Page_CommandLine.html

The Chameleon switches the current slot between applications with the CONFIG command. The following commands tell it to switch to ISO14443A sniffing mode and log into memory, clear the log memory (both FRAM and SRAM), make the red LED flash when data is being received, bind the right button (RBUTTON) to the STORE_LOG action that copies the SRAM log to FRAM (the same thing the LOGSTORE command does), and finally show the free log memory in SRAM. This should report 2048 bytes available.

CONFIG=ISO14443A_SNIFF  
LOGMODE=MEMORY  
LOGCLEAR  
LEDRED=CODEC_RX  
RBUTTON=STORE_LOG  
LOGMEM?  

Now you can unplug the ChameleonMini and switch it on whenever you want to sniff traffic.

To dump the traffic, reconnect the ChameleonMini to your Mac (duh), run the LOGDOWNLOAD command, then:

  • Meta + Z
  • R to receive a file
  • Select xmodem
  • Enter a filename
  • The raw sniff data is now saved under /tmp/

Don't forget to run LOGCLEAR when you are done to clear FRAM and SRAM.
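What lands in /tmp is the Chameleon's binary log, not a pcap, so here is a small parser for it as an added example (my own code, not from the ChameleonMini project). It assumes the entry layout I read out of the firmware's Log.h (1-byte type, 1-byte payload length, 2-byte big-endian timestamp, payload), the entry-type values 0x44 for reader frames and 0x40 for card frames in sniff mode and 0xFF for boot, all of which you should verify against the firmware version you built. The ISO14443A / MIFARE Classic opcodes and the CRC_A routine are public. The sample log at the bottom is constructed, not a real capture; it also shows the two ways a downloaded file can end untidily: XMODEM padding after the last entry and a transfer that stopped mid-entry.

```python
# Added example, not ChameleonMini project code: parse a log pulled with LOGDOWNLOAD and
# name the ISO14443A commands in it. Entry layout is my reading of the firmware's Log.h
# (verify against your build): type(1) | length(1) | timestamp(2, big-endian, ticks) | payload
import struct
from collections import namedtuple
from typing import List, Tuple

# Entry types used here (values assumed from Log.h; others are reported by number).
LOG_EMPTY = 0x00                        # unused log memory
LOG_INFO_CODEC_RX_DATA = 0x40           # frame received by the codec (card side when sniffing)
LOG_INFO_CODEC_SNI_READER_DATA = 0x44   # reader-to-card frame seen while sniffing
LOG_INFO_SYSTEM_BOOT = 0xFF

LogEntry = namedtuple("LogEntry", "kind timestamp payload")

def parse_log(buf: bytes) -> List[LogEntry]:
    """Walk the blob entry by entry; stop at LOG_EMPTY, at a truncated tail (transfer
    aborted mid-entry) or at the 0x1A bytes XMODEM pads its last 128-byte block with."""
    entries: List[LogEntry] = []
    pos = 0
    while pos + 4 <= len(buf):
        if buf[pos:].strip(b"\x1a") == b"":
            break
        kind, length, ts = struct.unpack_from(">BBH", buf, pos)
        if kind == LOG_EMPTY or pos + 4 + length > len(buf):
            break
        entries.append(LogEntry(kind, ts, bytes(buf[pos + 4:pos + 4 + length])))
        pos += 4 + length
    return entries

def crc_a(data: bytes) -> bytes:
    """ISO14443-3 CRC_A (poly 0x8408 reflected, init 0x6363), low byte first on the wire."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def describe_reader_frame(p: bytes) -> str:
    """Name the ISO14443A / MIFARE Classic command in a reader frame (public opcodes)."""
    if len(p) == 1 and p[0] in (0x26, 0x52):
        return "REQA" if p[0] == 0x26 else "WUPA"
    if len(p) >= 2 and p[0] in (0x93, 0x95, 0x97):
        level = (p[0] - 0x93) // 2 + 1
        if p[1] == 0x20:
            return f"ANTICOLLISION CL{level}"
        if p[1] == 0x70 and len(p) >= 9:       # 2 + UID(4) + BCC + CRC_A(2)
            crc = "" if crc_a(p[:-2]) == p[-2:] else " (bad CRC)"
            return f"SELECT CL{level} uid={p[2:6].hex()}{crc}"
    if len(p) >= 2 and p[0] == 0x50 and p[1] == 0x00:
        return "HALT"
    if len(p) >= 2 and p[0] in (0x60, 0x61):
        return f"MIFARE AUTH key{'A' if p[0] == 0x60 else 'B'} block={p[1]}"
    return f"unknown {p.hex()}"

def summarize(buf: bytes) -> List[str]:
    """One line per entry: tick, side, decoded reader command or raw card bytes."""
    lines = []
    for e in parse_log(buf):
        if e.kind == LOG_INFO_CODEC_SNI_READER_DATA:
            lines.append(f"{e.timestamp:5d} reader> {describe_reader_frame(e.payload)}")
        elif e.kind == LOG_INFO_CODEC_RX_DATA:
            lines.append(f"{e.timestamp:5d} card  > {e.payload.hex()}")
        else:
            lines.append(f"{e.timestamp:5d} type 0x{e.kind:02x} {e.payload.hex()}")
    return lines

def auth_attempts(buf: bytes) -> List[Tuple[str, int]]:
    """(key, block) per MIFARE AUTH the reader sent: the Crypto-1 handshakes to feed a key-recovery tool."""
    return [("A" if e.payload[0] == 0x60 else "B", e.payload[1])
            for e in parse_log(buf)
            if e.kind == LOG_INFO_CODEC_SNI_READER_DATA
            and len(e.payload) >= 2 and e.payload[0] in (0x60, 0x61)]

def _entry(kind: int, ts: int, payload: bytes) -> bytes:
    return struct.pack(">BBH", kind, len(payload), ts) + payload

# Constructed sample log (not a real capture): a reader selects UID DEADBEEF on a
# MIFARE Classic 1K and authenticates to block 4 with key A; XMODEM padding follows.
UID = bytes.fromhex("deadbeef")
BCC = bytes([UID[0] ^ UID[1] ^ UID[2] ^ UID[3]])
SELECT = b"\x93\x70" + UID + BCC
SAMPLE_LOG = (
    _entry(LOG_INFO_SYSTEM_BOOT, 0, b"")
    + _entry(LOG_INFO_CODEC_SNI_READER_DATA, 10, b"\x26")                   # REQA
    + _entry(LOG_INFO_CODEC_RX_DATA, 11, b"\x04\x00")                       # ATQA
    + _entry(LOG_INFO_CODEC_SNI_READER_DATA, 12, b"\x93\x20")               # anticollision CL1
    + _entry(LOG_INFO_CODEC_RX_DATA, 13, UID + BCC)
    + _entry(LOG_INFO_CODEC_SNI_READER_DATA, 14, SELECT + crc_a(SELECT))
    + _entry(LOG_INFO_CODEC_RX_DATA, 15, b"\x08" + crc_a(b"\x08"))          # SAK
    + _entry(LOG_INFO_CODEC_SNI_READER_DATA, 16, b"\x60\x04" + crc_a(b"\x60\x04"))  # AUTH A, block 4
    + b"\x1a" * 5
)

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
    print("auth attempts:", auth_attempts(SAMPLE_LOG))
```

To run it against a real download, replace SAMPLE_LOG with open("/tmp/yourfile", "rb").read(). The CRC check on SELECT is worth keeping: a sniffed frame with a bad CRC_A usually means the Chameleon lost bits in a weak field, and feeding that frame to a Crypto-1 key-recovery tool just wastes time.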

Note: FRAM is supposed to be non-volatile and has more space than SRAM (2kB), but there may be a bug in the current firmware where the FRAM is cleared at boot. I will investigate this further.

That's it. Enjoy analysing your sniffed packets or cracking that Mifare Classic key by exploiting the weaknesses in Crypto-1 :)
