Proxgrind Chameleon Ultra

ultra-logo2000×252 33.1 KB

ultra-overview830×245 60.6 KB

INTRODUCTION

After some serious consideration do I need a chameleon ultra, I’ve decided to purchase one.
Ordered it last week, and after some drama with customs, as usual, it arrived at my door today.
What the Chameleon ultra is ? LF/HF emulator, in a tiny form factor.
The product comes in a small black box. Inside you will find the device itself, a silicon case(which is great and prevent the clear coating from scratching, usb-a to usb-c cable, a small screw driver with two spare screws in case you need to take the thing apart.
First impressions - it’s small and it looks beautiful.
Device has 8 slots which can be configured to run lf, hf or both per slot. On paper battery should give you 6 months of juice.

IMG_20230906_0248281920×1440 161 KB

IMG_20230906_0436301920×1440 107 KB

IMG_20230906_0256411920×1440 195 KB

TESTING INCLIDING READ RANGES

Initial testing of reading range with KBR1 ~ 4-5 cm on the HF
Testing agains flipper zero - hf 3-4 cm, lf ~2cm

First thing I did after taking the chameleon out of the bag it comes in was to put it in the silicon case so it does not get scratched. Second was to start playing with the python client. In the github repo you can find everything you would need(really). Under software scripts there is a requirements txt which you need to feed into pip, and then just run chameleon_cli_main.py with device connected. People who like cli will find this client pretty useful, otherwise there is a gui which can be found under the app stores of apple and google. Gui client has the option of flashing the firmware of the device from the latest master. Tried this from both my android phone and my mac, both successfully executed.

After the firmware was updated to latest I’ve decided to test how the thing is dealing with reading cards and implants. I was using both t5577 and Mifare gen1a s50 proxgrind cards I got with the pm3rdv4.
First I’ve tried reading em4100 emulated with flipper with id ffffffffff That went fine. Next I tried to write it to the t5577 test card, this went fine as well. Bare in mind that writing for now works only via the python cli client. Next I’ve tried to read my both implants(which are again t5577, operating as em4100) and both reads were successful. Following this I tried the same with mifare classic card. Reding it just fine. Bruteforcing the keys also worked and I was able to dump the content. Unfortunately the Chameleon had no success reading my xMagic hf side(which has the same chip as the test card) nor my NeXT which is with ntag216. I have no idea what is going on, maybe tomorrow I will try better coupling angle.
After playing a lil bit more with the cli, I’ve reset all the slots, then started populating them with dumps. Again this worked pretty well.
Something I really need to mention here - the project is under heavy development and some features are missing or not coded yet. For example long pressing buttons doesn’t clone the tag id to the slot(and it sucks for fast and dirty)
Few more things on the usability side of things. The Chameleon goes into sleep around 5 seconds after a button is pressed. It goes out of sleep when detect a field of a reader, which is really neat. If you like blink and rgb shit( there are some animations on the device behaviour on unlock when brought out of sleep, but for me this just put more cycles on the leds).

TEARDOWN
I did not took it apart because I think if I try to take it out of the silicone case it may damage the case.

PROs
• Very fast and responsive emulator with ability to exec attacks against mifare classic

• Small form factor (can be carried on a keychain or in a pocket easily)

• Beautiful design

• Long lasting battery life

CONs

• Not all functionalities are yet present ( heavy development ongoing )

• Form factor - it can be easily lost

PRICE
USD$ - no idea
BGP 109 from KSEC
EUR 155 from lab401

SUMMARY:

Chameleon Ultra does what it’s supposed to partially right now, but it’s pretty functional and fun toy.
Does it replace stuff like flipper zero or even a proxmark - hell no, but it gives you agility, where form factor is crucial.

LINKS AND RESOURCES

POLL

Rating by the community

PLEASE ONLY VOTE IF YOU HAVE ONE OR HAVE USED ONE

=

=

=

=

=

PRIDUCT NAME 1-5

• 1
• 2
• 3
• 4
• 5

0 voters

IMG_20230907_0036091920×2560 222 KB

IMG_20230907_0036011920×2560 151 KB

IMG_20230907_0037231920×2560 311 KB

Second day of usage. Decided to take off the silicon case to check the device internals. Well silicone case got busted. The antenna PCB edges are pretty sharp and they will cut the silicon. Next the resin on the back is soft as butter. As you can see it got already scratched. How it happened, I have no freaking idea. Device was in my pocket for two hours and it was sitting on my desk the rest of the time. What a shame.

Same resin as it’s precessor. But mine came with a little leather case that protects it pretty well

This resin design sucks so bad!
Another thing that really sucks is, there are no replacement silicone sleeves for the device which is insane. They would cost cents to manufacture and yet they are not available.
Btw, I got some wet sand paper grid 2500 today and sanded the resin. At least there are no scratches that annoys me like hell. I would try to get more fine sandpaper and sand a lil bit more.

Light heat might work better

Drama day - 4th in a row. Went to RFID Hacking by iceman Discord server(because this is the official place of “contact”) and started asking questions from where I can get a silicone sleeve/cover. Silence is disturbing. Seems like either noone cares or noone knows. Being a customer and paying those folks for their products, I would at least expect some communication in return. I can start bitching to the seller but most probably he would hit the same brick wall I did. I have very hard time understanding this kind of business model!
Other than that the software development is going strong.
Now I really appreciate and I am extremely grateful for the awesome communication channels Amal built.
Most probably this will be the last post of this review since I really cannot say much more.

They are generally pretty good, but it sounds like an unfortunate experience.

My first thought about a replacement cover for you was, itll be unlikely becausr its such a new product, but I thought I would check Sneak Technology.
Unfortunately they didn’t, but they do have the “leather” ones for the original and pro that might do you until the silicone ones are available.

Only $2.50 and you get a free T5577 Disc (around 15mm)

Yeah I know about the leather case, but I do not like the look of it. Totally destroys the aesthetics of the device in my opinion.
Btw. I succeeded to read my ntag216 and the uid of my apex, but I cannot read my xMagic mifare

I thought that was a known limitation based on software atm

I purely meant as temporary protection to prevent scratches and damage to the resin

Another day, this time a small success.
First I found this Leather Case for Chameleon - MTools Tec
from China, and ordered two, just in case. 2.5 bucks for a piece was 1/2 of the shipping cost lol
Not the best option but whatever.
Next, I never worked with epoxy resins before. After educating myself on the topic, it seems the way to go is to sand the scratches then polish till you reach mirror finish. Found a store that sells resins and consumables, then ordered wet sandpaper grid 3000 and 4000, also two polishing pastes for finishing the process.
Since I got already grid 2500 I’ve started sanding with it, then I went up to 3000 and then 4000.
Finished with the polishing paste on some special sponge they provided delivered amazing results.
Also I was able to sand a remains of a bursted bubble that was on the surface of the resin.
Hopefully someone finds this useful. Here is the finished result.

IMG_20230912_1419321920×2560 130 KB

On the other hand development of the firmware of this thing is going with really crazy speeds. It’s like bunch of peeps decided to make a startup and push sh** everyday. The chameleon gui clients build and upload the latest master branch, so it’s kinda fun to be on the bleeding edge. Now this thing thinks my ntag is mifare

I don’t know if the resin is similar enough, but for acrylic watch crystals, I’ve used polishing paste like Polywatch to great success on its own to remove surface scratches. It’s an abrasive polishing paste that also apparently softens the plastic, helping to fill in scratches.

Poly paste for the win. Before I used that I was using mother’s mag and aluminum polish with similar results

Full Disclosure, I have a ChameleonUltra and I think it’s a pretty good product so far.

I do think though that you’re being unrealistic expecting case replacements at this time. Not all US orders have been shipped/arrived. It’s not for sale in the US yet.

This would lead me (personally) to the conclusion to just hang out and give it a month or two before asking about replacement/new accessories.

An FYI in case people reading don’t know. Iceman (Chris Herrmann) has a full time day job, so this ( proxmark3/CU/questions) is a hobby for him.
Another FYI, the lovely 15 year old teenager that’s making the GUI is making really HUGE progress for a project in his spare time.

Yes, I’m frustrated with some bits of the ChameleonUltra, but for a product that’s functionally a MONTH or less old, and the focus on the hardware above all else before release, I’m grateful that they have made as much progress as they have, and expect a usable product sometime around February.