Just got my chameleonmini from a batch order with friends and I was eager to do some NFC sniffing!
Let's start by flashing it with the latest firmware.
Install all dependencies:
brew install avra avrdude
brew tap osx-cross/avr
brew install avr-libc
git clone the project at https://github.com/emsec/ChameleonMini, go into the ./Firmware/Chameleon-Mini subfolder and run make. This should compile everything for you.
Next, you need to flash the firmware to the device by shamelessly copying this command from the guide provided by the ChameleonMini folks:
sudo avrdude -c flip2 -p ATXMega128A4U -B 60 -P usb -U application:w:Chameleon-Mini.hex:i -U eeprom:w:Chameleon-Mini.eep:i
Cool. Now, on Mac, I tried using screen, but local echo didn't work very well and I couldn't see what I was typing in the terminal, so I switched to minicom and it was all I needed.
So here is what I did to get everything to work, including downloading/uploading files using the xmodem protocol:
Install minicom and lrzsz
brew install minicom lrzsz
minicom: well-known tool to interface with a serial port (the ChameleonMini creates a virtual USB serial interface when you connect it to the Mac).
lrzsz: after having trouble downloading/uploading files with minicom, I realised that I had not installed the package that provides the xmodem file transfer programs minicom calls. Note that the executable names differ from what minicom expects by default, so you will need some extra config.
Create ~/.minirc.dfl with the following content:
pu pname3 YUNYNxmodem
pu pname6 YDNYNxmodem
pu pprog3 /usr/local/bin/lsx -vv
pu pprog6 /usr/local/bin/lrx -vv
pu lock /usr/local/Cellar/minicom/2.7/var
pu updir /tmp
pu downdir /tmp
pu escape-key Escape (Meta)
Otherwise, once you fire up minicom (jump to the command below for the arguments you need), you can modify it in the config by doing the following:
- Meta key (set to Esc for my iTerm2) + Z
- "O" to change the configuration
- select "File transfer protocols"
- C to select the xmodem send program; use Enter to switch to the next field and change the path to "/usr/local/bin/lsx" instead of "/usr/local/bin/sx"
- Do the same for option "F", the file receive command for xmodem, and change it to "/usr/local/bin/lrx" instead of "/usr/local/bin/rx"
Now your config should look like this:
Press Enter to return to the configuration screen, then change "Filenames and Paths" and set the download/upload folder to /tmp so we know where all the files are.
You are almost done setting up! Now for the command to run and start interacting with the ChameleonMini:
minicom -D /dev/tty.usbmodem1421 -C chameleon.log
To have local echo turned on so you can see what you are typing, do the following:
- Press Meta key + Z
- Press E (which sets local echo on/off)
You specify the usbmodem device (this may be different on your machine, but it should start with /dev/tty.usbmodem*) and capture all input/output to a log file. You don't need to care about the baud rate as it's just a virtual device.
You can read all the commands available here:
The Chameleon operates by switching the slot to a different application using the CONFIG command. The following command line tells the Chameleon to switch to sniffing mode and start logging into memory. It also clears the log memory in both FRAM and SRAM, tells the red LED to flash when data is being received, triggers the LOGSTORE function (copying SRAM to FRAM) via the RBUTTON on the board and, lastly, shows the current SRAM memory available. This should show 2048 bytes available.
CONFIG=ISO14443A_SNIFF LOGMODE=MEMORY LOGCLEAR LEDRED=CODEC_RX RBUTTON=STORE_LOG LOGMEM?
Now you can unplug the ChameleonMini and switch it on when you want to sniff the traffic.
To dump the traffic you will need to reconnect the ChameleonMini to your Mac (duh) and run the LOGDOWNLOAD command, followed by the following:
- Meta key + Z
- R key to receive a file
- Select xmodem
- Enter a filename
- The raw sniffed data will now be saved to /tmp/
Don't forget to run LOGCLEAR when you are done to clear FRAM and SRAM.
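The file LOGDOWNLOAD hands you is a raw byte blob, so here is an added example (my own, not code from the ChameleonMini project) that walks it entry by entry and checks CRC_A on each sniffed ISO14443A frame, so corrupted or truncated captures stand out before you start analysing. It assumes the log entry layout as I read it in the firmware's Log.h (type byte, length byte, big-endian 16-bit timestamp, then data, with 0x00 marking unused memory); the entry-type byte values and the sample dump are constructed placeholders, not real LogEntryEnum codes.

```python
"""Parse a raw ChameleonMini LOGDOWNLOAD dump and sanity-check sniffed ISO14443A frames."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed entry layout (verify against your firmware's Log.h): type (1 byte),
# data length (1 byte), timestamp (2 bytes, big endian), then `length` data bytes.
HEADER_LEN = 4
LOG_EMPTY = 0x00  # type byte of memory that was never written

@dataclass
class LogEntry:
    entry_type: int
    timestamp: int
    data: bytes
    crc_ok: Optional[bool]  # None when the payload is too short to carry CRC_A

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (poly 0x8408 reflected, init 0x6363), returned LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)
    return bytes([crc & 0xFF, crc >> 8])

def check_crc_a(frame: bytes) -> Optional[bool]:
    """True if the last two bytes are a valid CRC_A over the rest; None for short frames."""
    if len(frame) < 3:
        return None
    return crc_a(frame[:-2]) == frame[-2:]

def parse_log(blob: bytes) -> List[LogEntry]:
    """Walk the dump record by record; stop cleanly at padding or a truncated record."""
    entries, pos = [], 0
    while pos + HEADER_LEN <= len(blob):
        etype, length = blob[pos], blob[pos + 1]
        if etype == LOG_EMPTY:
            break  # rest of the log memory is unused
        ts = (blob[pos + 2] << 8) | blob[pos + 3]
        start, end = pos + HEADER_LEN, pos + HEADER_LEN + length
        if end > len(blob):
            break  # xmodem transfer cut short: do not trust a partial record
        data = blob[start:end]
        entries.append(LogEntry(etype, ts, data, check_crc_a(data)))
        pos = end
    return entries

# Constructed sample dump (type bytes 0x44/0x46 are placeholders): a MIFARE READ block 0
# with a good CRC_A, the same frame with a corrupted CRC, a 1-byte REQA without CRC, padding.
SAMPLE_DUMP = (
    bytes.fromhex("44040010") + bytes.fromhex("300002a8")
    + bytes.fromhex("46040012") + bytes.fromhex("300002a9")
    + bytes.fromhex("44010014") + bytes.fromhex("26")
    + bytes(8)
)

if __name__ == "__main__":
    for e in parse_log(SAMPLE_DUMP):
        print(f"t={e.timestamp:5d} type=0x{e.entry_type:02x} crc={e.crc_ok} data={e.data.hex()}")
```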
Note: FRAM is supposed to be non-volatile and has more space than SRAM (2kB), but there may be a bug in the current firmware where FRAM is cleared at boot. I will investigate this further.
That's it. Enjoy analysing your sniffed packets or cracking that Mifare Classic key by exploiting the vulnerability in Crypto-1 :)