My proxmark arrives today, will be doing more deep diving on your videos so I can become familiar with it later today. Many thanks for such great videos about the proxmark, keep up the great work!
One of these days you fall into the rabbit hole.
Cannot wait, looking forward to it. Cheers! @iceman1001
Too funny,
I missed an obvious thing :)
I forgot to actually select the MFC dictionary when doing the "check keys from dictionary"
🤦♂
That was one of my findings. I was also doing that with no dictionary loaded and it was finding keys, so I was asking if they were defaults and somehow coded into the firmware. Also unable to add the dictionary file using the iOS app. I can select it from Files but it won't add it. #FunTimes
I was the one who messaged you on Twitter lol. Another interesting point which can catch people out: if you want to do a reader attack to capture the key from the reader, you need to have an HF card loaded, denoted by the green LED. I had it working, then removed a card and couldn't get the reader key. Thought I bricked my Ultra, but it was all good, it just needed a loaded card.
yeah, I need to look into the collect nonces function. A bunch of things are a bit strange at the moment.
Thank you, it worked great with that dictionary.
Excellent!
Thanks for the tips on the dictionary. It's good to know we can just add the Proxmark dictionary. I didn't know. Hope some of these things make it into some documentation for the Chameleon Ultra. It would also be good to show contrast against the Flipper, as my testing showed the following: Mifare Classic Mini EV1 says it doesn't support key recovery, yet Flipper can use its db and unlock most of the card.
Interestingly, the Chameleon must have some built-in default keys as “check keys from the dictionary” works before adding a dictionary file, so those must be hardcoded defaults, perhaps. When I read a Mifare Ultralight 11, the Chameleon says tech “other,” yet Flipper can identify it, and I can unlock the card using nonce with the reader. Just wanted to share my findings as I know there is work to be done on the UI, and potentially, this may work via CLI. I still have to test that theory. I hope others will share their experiences so we can contribute to the knowledge base and help make the Chameleon Ultra even better.
Since it's a new device and the repositories are being worked on, things change from day to day. It's rapid and hard to make videos about because of it.
The Flipper uses the Proxmark3 dictionary at the bottom and added tons of other keys, making it quite diluted in the process.
The Ultra has a set of hard-coded default keys inside. The external dictionary file is something that is easier to modify according to your own needs and wishes.
The basis for the traditional MIFARE Classic attacks is there in the Ultra environment, but it's not hooked up. So let's see what happens. There is a lot of rapid development going on.
Great Video!
Why didn't you select a dictionary before recovering keys (from the drop-down)?
Also, I have a MIFARE Classic card where the GUI does not offer to recover keys. When I dump the HF and write it to another card and read that card, I can suddenly recover the keys and dump the HF properly.
The first clone (without recovering keys) does not work, but clone2 created from clone1 works well.
Do you have a clue what's happening here? For the original card it shows me "Tech: Other"; once it's cloned without key recovery it shows "Tech: Mifare Classic 1K".
yeah,
the message in the dropdown made me believe it was a debug message. Work in progress..
So I didn't think of it until GameTeclive informed me that the dropdown actually works.
Leaves a bit to wish for in the GUI.
You can recover keys from the clone in different manners most likely, since it's a Gen1a.
Hi,
I have a problem with the Chameleon Ultra: when using the "Read Card" function to read a card, there is no "Check keys from dictionary" option as in the example, only "Read with key" and "Read without key" are displayed.
The card's Tech is an Ultralight EV1(41). The mfc_default_keys.dic file provided by you has been added to the “Dictionaries” section of “Saved Cards”. Thank you for your help!
Mifare ultralight is not Mifare Classic.
Two different card technologies.
@iceman1001 So is it because the technology doesn't support check keys from dictionary?
Ultralight doesn't have keys. It has a 4 byte password.
Now would be the time to read the datasheet in order to understand the differences between those two card technologies.
@iceman1001 Got that. Thank you for your reply.
Hey, I have all the keys except key B from sector 9 and 10... How do I acquire the B keys? Or is that not possible
If you have another device like a Flipper or a Proxmark, you can more easily recover all keys.
Hi, first off I love the work you put in. I have a question. I'm not that good with computers, but I like the Proxmark3 with the battery + Bluetooth, so I see the iCopy-XS is easy to use. Is there an app available to control the Proxmark3 the same way you control the Chameleon Ultra? Thanks for being here for us all.
There is termux on Android and an out of date app.
Flipper and CU have modern and up to date apps.
@iceman1001 thanks for responding. I'm gonna give both a try, the Proxmark3 with battery + Bluetooth and iCopy-XS 👍
Great video. But how do you add the dictionary to the APK? Or is it pre-installed? Is it the same file that you added in the Windows app (.dic)?
Thanks
Haven't tested it on a smart phone. It is not pre-installed and yes, the dictionary file is the same one.
Thank you for your very informative videos! Questions: in the video you loaded a dictionary file. What does that do and you said it came from your proxmark repo so does that mean you had to custom make it?
The dictionary file is a list of known default keys used with MIFARE Classic and has been collected over the years.
I use the dictionary file mfc_default_keys.dic from the proxmark3 repo. It's the best one out there.
Correct me if I'm wrong iceman, but it's also not a good idea to have a massive dictionary as it can slow things down a lot, and with the Classics nested or hardnested will probably be quicker for an unknown key.
@nu77byte49 yeah, there is a break point between key recovery time and checking for default keys. It's not as easy as people think or want to believe it is.
@iceman1001 thank you! I have been wondering where we get the .dic file or if we make our own. I'll check the repo.
You can use the Proxmark3 default dictionaries. Everyone else is,
github.com/RfidResearchGroup/proxmark3/tree/master/client/dictionaries
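As an added illustration of the dictionary file discussed above (this is example code, not part of the video or of the Chameleon Ultra or Proxmark3 projects): a small parser for the .dic layout, one 12-hex-digit MIFARE Classic key per line with `#` comment lines. Treating trailing `#` comments on a key line as allowed, and the built-in key list, are assumptions of this example; the sample file content is constructed.

```python
import re

# Constructed sample in the .dic layout: one 6-byte key as 12 hex digits per line,
# '#' comments, blank lines, mixed case, a duplicate and two malformed lines.
SAMPLE_DIC = """\
# MIFARE Classic default keys (constructed sample)
FFFFFFFFFFFF   # factory default
a0a1a2a3a4a5
D3F7D3F7D3F7

FFFFFFFFFFFF
000000000000
ZZ1234567890   # not hex, must be skipped
abcd           # wrong length, must be skipped
"""

# Hypothetical stand-in for keys a reader firmware tries on its own, mirroring
# the point that the Ultra has hard-coded defaults separate from the file.
BUILTIN_KEYS = [bytes.fromhex("FFFFFFFFFFFF"), bytes.fromhex("000000000000")]

KEY_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_dic(text):
    """Return the unique 6-byte keys in file order; comments and bad lines are skipped."""
    keys, seen = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line or not KEY_RE.match(line):
            continue                           # blank, wrong length or non-hex
        key = bytes.fromhex(line)
        if key not in seen:
            seen.add(key)
            keys.append(key)
    return keys


def merge_keys(builtin, external):
    """Built-in keys first, then external keys that are not already present."""
    merged, have = list(builtin), set(builtin)
    for key in external:
        if key not in have:
            have.add(key)
            merged.append(key)
    return merged


def auth_attempts(keys, sectors=16):
    """Worst-case authentications for a Classic 1K: every key, A and B, on every sector.
    This is the cost that grows with a bloated dictionary, as noted in the thread."""
    return len(keys) * sectors * 2
```

Running `parse_dic` on the real mfc_default_keys.dic shows how many distinct keys a "check keys from dictionary" pass actually tries, and `auth_attempts` puts a number on the size trade-off.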
First of all, thanks a lot for this clear tutorial. I tried to make the same exercise with some cards I have... and have detected that I don't get the same outcome as you showed us. If I try the info command, I only get some data (no UID, ATQA & SAK). Through another way I can detect its SAK 20, ATQA 0344, which by looking it up on the internet tells me it's a MIFARE DESFire. Is this the reason why I don't get the same results? Also the hf mf fchk results in an error (seems the command is not known). Are you using your own firmware? FYI, I updated to the latest version. Many thanks
I noticed a flaw in my walk through. You need to select the dictionary in the dropdown menu.
Maybe that helps.
MIFARE DESFire, it's not handled by the Ultra yet. It's a completely different technology from MIFARE Classic.
I do recommend the RFID Hacking Discord server.
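The "Tech: Other" versus Classic/Ultralight/DESFire confusion in this thread comes down to the ATQA and SAK values the info command prints. The following is an added example, not code from the video or from the Chameleon Ultra or Proxmark3 projects, that decodes those two values: the UID-size bits of ATQA are from ISO/IEC 14443-3 and the SAK coding follows NXP's published table; the exact text labels, and treating every SAK with bit 0x20 set as a non-Classic 14443-4 card, are assumptions of this example.

```python
# ATQA is taken as the 16-bit value as tools print it (e.g. 0x0344); the UID-size
# bits live in bits 7..6 of the low byte. SAK is the 8-bit Select Acknowledge.

def uid_size_from_atqa(atqa):
    """ATQA low-byte bits 7..6: 00 = 4-byte, 01 = 7-byte, 10 = 10-byte UID."""
    return {0: 4, 1: 7, 2: 10}.get((atqa & 0xC0) >> 6)


def tech_from_sak(sak):
    """Map a final SAK to the family a key-recovery tool cares about."""
    if sak & 0x20:
        # ISO/IEC 14443-4 capable: DESFire and similar; no Classic sector keys to check
        return "ISO/IEC 14443-4 card (e.g. MIFARE DESFire)"
    sak &= ~0x04  # cascade bit only means "UID not complete yet"; not a type marker
    return {
        0x00: "MIFARE Ultralight family (4-byte password, no Classic keys)",
        0x08: "MIFARE Classic 1K",
        0x09: "MIFARE Classic Mini",
        0x18: "MIFARE Classic 4K",
    }.get(sak, "Other (not classified)")


def classify(atqa, sak):
    """Return what a practitioner wants to know before picking a tool."""
    tech = tech_from_sak(sak)
    return {
        "uid_bytes": uid_size_from_atqa(atqa),
        "tech": tech,
        "classic_key_check_applies": tech.startswith("MIFARE Classic"),
    }
```

The values from the question above, ATQA 0344 and SAK 20, decode to a 7-byte-UID ISO/IEC 14443-4 card, which is why a Classic dictionary check has nothing to do there.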
Will this work with the older Chameleon Tiny?
Good question,
Sadly I don't think so, since the Chameleon Ultra and Chameleon Tiny use a completely different firmware and way to communicate.
@iceman1001 thanks for your reply. Looks like the Ultra will be the next device I'll save up for, it looks like a neat little device.. I love the Tiny, but the Ultra looks like it also has 125 kHz too..
Is it fully compatible with the CLI like the Proxmark? If so, that's incredible..
@linus607 Yeah it has LF and HF. Capable little device.
And it has its own CLI.
Happens to look like the PM3 CLI but it is not the same.
Does it support 7 byte 1k and 4k?
Should support 7 byte out of the box.
I don’t have that because I don’t have a proxmark. How do I get that for my dictionary?
Since its open source...
You look it up, top of google list.
github.com/RfidResearchGroup/proxmark3/tree/master/client/dictionaries
Is this card, 125 kHz 1326/1386 HID Proximity 26-bit cards / Facility Code 130, rewritable?
Depends what chipset it has. If original then you can use a pm3 to examine it more.
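The 26-bit format named in the question above is the HID H10301 layout: a leading even-parity bit, an 8-bit facility code, a 16-bit card number and a trailing odd-parity bit. This added example (not code from the video or any project named here) packs and checks that layout so a read can be validated before anyone trusts it; facility code 130 is from the question, the card number 1234 is a constructed sample.

```python
def _parity(bits):
    """Number of set bits modulo 2."""
    return bin(bits).count("1") & 1


def h10301_encode(facility, card):
    """Pack an 8-bit facility code and 16-bit card number into 26 bits with parity."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility must fit in 8 bits and card number in 16 bits")
    data = (facility << 16) | card            # 24 payload bits
    even = _parity(data >> 12)                # even parity over the first 12 payload bits
    odd = 1 - _parity(data & 0xFFF)           # odd parity over the last 12 payload bits
    return (even << 25) | (data << 1) | odd


def h10301_decode(value):
    """Unpack a 26-bit value into (facility, card); reject it if either parity is wrong."""
    if value >> 26:
        raise ValueError("more than 26 bits")
    data = (value >> 1) & 0xFFFFFF
    if (value >> 25) & 1 != _parity(data >> 12):
        raise ValueError("leading even-parity bit does not match")
    if value & 1 != 1 - _parity(data & 0xFFF):
        raise ValueError("trailing odd-parity bit does not match")
    return data >> 16, data & 0xFFFF


def is_valid_h10301(value):
    """True only when both parity bits agree with the payload."""
    try:
        h10301_decode(value)
        return True
    except ValueError:
        return False


# Constructed sample: facility code 130 (from the question), card number 1234.
SAMPLE_VALUE = h10301_encode(130, 1234)
```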