Unveiling Key Recovery: Chameleon Ultra GUI Deep Dive

My proxmark arrives today, will be doing more deep diving on your videos so I can become familiar with it later today. Many thanks for such great videos about the proxmark, keep up the great work!

I was the one who msg u on twitter lol. Another interesting point which can catch ppl out is if you want to do a reader attack to capture the key from the reader u need to have a hf card loaded denoted by the green led. I had it working then removed a card and couldn't get reader key thought I bricked my ultra but it was all good just needed a loaded card

Too funny,
I missed an obvious thing :)
I forgot to actually select the MFC dictionary when doing the "check keys from dictionary"
🤦‍♂

Thanks for the tips on the dictionary. It's good to know we can just add the Proxmark dictionary. I didn't know. Hope some of these things make it into some documentation for the Chamelion Ultra. It would also be good to show contrast against the Flipper as my testing showed the following: Mifare Classic Mini EV1 says it doesn’t support key recovery, yet Flipper can use its db and unlock most of the card.
Interestingly, the Chameleon must have some built-in default keys as “check keys from the dictionary” works before adding a dictionary file, so those must be hardcoded defaults, perhaps. When I read a Mifare Ultralight 11, the Chameleon says tech “other,” yet Flipper can identify it, and I can unlock the card using nonce with the reader. Just wanted to share my findings as I know there is work to be done on the UI, and potentially, this may work via CLI. I still have to test that theory. I hope others will share their experiences so we can contribute to the knowledge base and help make the Chameleon Ultra even better.

Thank you, it worked great with that dictionary.

Great Video!
Why didn't you select a dictionary before recovering keys (from the drop down)?
Also, I have a MiFare Classic Card, where the gui does not offer to recover keys. When I dump the HF and write it to another card and read that card, i can suddenly recover the keys and dump the HF properly.
The first clone (without recovering keys) does not work, but the clone2 created from clone1 works well
Do you have a clue whats happening here? For the original card it shows me "Tech: Other", once its cloned without key recovery it shows "Tech: Mifare Classic 1K"

Hi fist off I love the work you put in I have a question I'm not that good with computers but I like the proxmark3 with the battery + bluetooth so I see the icopy-xs is easy to use is it a app available to control the proxmark3 the same way you control the chameleon ultra thanks for being here for us all

Great video. But how do you add the dictionary to the APK? Or is it pre installed? Is it te same file that you added in the Windows app (.dic)?
Thanks

First of all, thanks a lot for this clear tutorial. I tried to make the same exercise with some cards i have... and have detected that I don't get the same outcome as you showed us. If I try the info command, i only get some data (no uid, atqa & sak). Through another way I can detect its sak 20, atqa 0344, which gives me by looking up on the internet its a MIFARE DESFire). Is this the reason why i dont get the same results? Also the hf mf fchk results in a error. (seems the command is not known). Are you using an own firmware? FYI, I updated to the latest version. Many thanks

Thank you for your very informative videos! Questions: in the video you loaded a dictionary file. What does that do and you said it came from your proxmark repo so does that mean you had to custom make it?

Does it support 7 byte 1k and 4k?

I don’t have that because I don’t have a proxmark. How do I get that for my dictionary?

Will this work with the older Chameleon Tiny?

Is this card 125KHz 1326 1386 idhid access Proximity 26-bit Cards / Facility Code 130 rewritable