Secure Chicken edited this page Feb 23, 2020 · 14 revisions

Getting started (Windows beginners walkthrough)

Some directions for ChameleonMini RevE Rebooted beginners, so that they can quickly start using the device.

Do Windows first if your goal is to get the RevE working fast; it is the easiest route. On Linux and OSX the GUI might not work depending on the firmware version you have, flashing can be painful, and if you are tempted to build firmwares or play with a serial terminal you may burn a lot of time on the usual compilation and environment issues. This guide targets Windows 10, but should also work on 7 and 8. Working in a Windows VM is possible.

You can simply test and use the device (A and B), or learn the basics (1 to 5) by reading the whole page:

Plug & play start check with GUI

Just check that Windows can talk to your device. This should be plug & play. Plug the device into a USB port, and fire up a GUI tool:

The first one (rebootedGUI) is always the safest choice, as it is meant to work with this repo and its associated firmwares.

A red LED should light up on the RevE. The GUI's output console should say Success, found ChameleonMini device on 'COMX' with Firmware RevE rebooted installed, and the "Settings" tab of the GUI should show a green "CONNECTED" banner. If not, click "Connect", unplug and replug the device, change the USB cable, and apply the other basic USB trial & error kung fu.

Successful connection with ChameleonMini Rebooted GUI

From here you can learn how to flash a firmware in the next steps, or jump straight to usage.

Get or compile a firmware

Get an existing firmware, or build a new one from this repo's sources:

  • Existing one:
  • Build your own from this repo:
    • I do not advise compiling a firmware for a quick start. If you want to anyway, carefully read the associated Wiki pages
    • If you choose to compile anyway and succeed, just take the .hex and .eep files produced by the successful build and treat them as your firmware

Get ready to flash: "bootloader" mode

The RevE needs to be put into so-called "bootloader" mode so that its internal program (the firmware) can be written.

Put your RevE in bootloader mode directly from the GUI ("Settings" tab, then "Upgrade" button). Your RevE should reconnect as a new unknown USB device, and the LED should go off. Close the GUI.

If need be, you can also enter bootloader mode by unplugging USB, pressing the black button, and plugging USB back in while still holding the button (the "black button" way).

Set up the Atmel DFU driver for your RevE while it is plugged in bootloader mode, so that the device is correctly recognized and can be flashed. To do so in Windows:

  • get the "Drivers" files from this repo. The best choice is to get all files from this repo by choosing "Clone or Download", then "Download ZIP", on the main repo page
  • in Windows, open "Device Manager": open the Windows start menu and type "Device Manager", or right-click the computer icon on the desktop, select "Properties", then "Device Manager" in the left pane
  • right-click the unknown USB device in the "Device Manager" device tree and choose "Update driver". Then point the driver setup assistant to the "Drivers" directory you downloaded from this repo, and the DFU driver will be installed. You can also right-click the ".inf" file in Drivers / DFU Driver and select "Install", but the "Device Manager" graphical way gives you immediate, visual confirmation that the driver was installed
  • you should then see your previously unknown USB device listed as Atmel USB Devices / ATxmega32A4U in the "Device Manager" device tree

Successful Atmel USB driver setup

Flash your firmware

Set up the Visual C++ Redistributable for Visual Studio 2013 (VC 12.0). It is needed for the flasher utility to work on Windows. On a 64-bit Windows you ALSO have to install the x86 one (the flash utility does not start without the x86 VC 12.0 redistributable on a 64-bit system). Both (x64 and x86) can be downloaded from Microsoft here.

Flash your firmware with BOOT_LOADER_EXE.exe if you have 2 .bin files, or with flash.bat if you have 1 .hex and 1 .eep file (you need both):

  • you will find the required tools in this repo (Software / Flashing-Windows)
  • for a downloaded, prepared firmware: put the myfile.bin and myfilee.bin files (that you downloaded in the ZIP file during the previous step) in the same folder as BOOT_LOADER_EXE.exe, and double-click BOOT_LOADER_EXE.exe
  • for a compiled (or otherwise unprepared) firmware: put the .hex and .eep files you got from compiling in the previous step in the same folder, and fire up flash.bat
  • if BOOT_LOADER_EXE.exe or flash.bat does not start or work at all, remove (or rename) any libusb0.dll file in your BOOT_LOADER_EXE.exe directory

A successful firmware flash will show this:

old_driver_bootloader
Erasing flash...  Success
Checking memory from 0x0 to 0x6FFF...  Empty.
0%                            100%  Programming 0x20 bytes...
[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]  Success
0%                            100%  Reading 0x400 bytes...
0%                            100%  Programming 0x5B00 bytes...
[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]  Success
0%                            100%  Reading 0x7000 bytes...
load_success!

More detailed instructions on flashing, including the case where you compiled the firmware yourself, can be found in the "Flashing" section of this Wiki.

Close the GUI, disconnect the RevE from USB, connect it back, and fire up the GUI (the one you got in the first step) once again. You should now be all set.

ChameleonMini RevE Rebooted Usage 101

Function

For now, the RevE can only help in recovering a first authentication key from a dialogue with a reader, randomize/set UIDs to present to readers, and emulate various copied cards, on MIFARE setups only.

Stand-alone with button battery

The RevE can be used "stand-alone", while not plugged in, if you put a CR2032 button battery in it. You have to open the device (with the help of a plastic card or plectrum, but no metallic tool, to avoid damage).

Buttons

The RevE has 1 usage button (the black one), with a "short press" (referred to as BUTTON in commands and GUI), a "long press" (BUTTON_LONG), and a "long press while plugging in USB" usage (bootloader mode).

The red button powers the device on when it is used stand-alone on battery and is not powered by an RFID reader's field. You have to keep the red button pressed while using the black one when the RevE runs stand-alone on battery.

Dialogue with RevE

Once set up and plugged in, a RevE is seen as a USB modem (a virtual COM port), and can be talked to using a "serial" terminal with AT-style text commands, or with a GUI like the one you got in the first step.

Some GUIs also have a terminal function, in case you want to play with commands instead of clicking, or use commands not yet implemented in the GUI. Just note that for some original/old firmwares you must add the MY suffix at the end of each command (i.e. all command names end with "MY", so CONFIG becomes CONFIGMY). If you compiled the firmware yourself from this repo recently, you should not need the "MY" suffix.

Slots and configuration

The RevE has 8 card "slots" you can use to emulate cards/UIDs:

  • each slot can be set up with its own configuration (reader sniffing, card copy emulation, or UID player), called "Mode" in the GUI and "CONFIG" on the command line. In the GUI you have to select the slots you want to set by ticking the slot checkbox, tuning the settings, then clicking "Apply" first
  • you can emulate/upload 4K dumps on the 1st slot ONLY (slot n° 0 in the terminal), because of memory limitations for now
  • to emulate a card, you have to "Upload Dump" on the current "active" slot, which you choose with "Set Active" in the GUI
  • the RevE does not read or dump cards itself. You can dump cards with another reader, such as a Proxmark3, or the cheaper SCL3711 or ACR122 readers
  • slots are numbered from 1 to 8 in the GUI, but from 0 to 7 on the command line
  • the button function can be set for short ("Button" in GUI, "BUTTON" on the command line) and long press ("Btn Long" in GUI, "BUTTON_LONG" on the command line), and can be set to "SWITCHCARD" (go to next slot), "CLOSED" (no operation), "READONLY" (switch dump to read-only), or various UID change functions (increment, decrement, random)
  • in a command line terminal, you set the active slot with SETTING=X (where X is a slot number from 0 to 7). Then you can set "CONFIG" ("Mode" in GUI), "BUTTON", "BUTTON_LONG" and so on. Uploading a dump is done over XMODEM and will most probably be painful to achieve
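The slot-setup dialogue described above, scripted instead of clicked, as an added example (this is not code from the RevE Rebooted repo or its GUI). It assumes the upstream ChameleonMini line protocol: commands are ASCII lines ending in CR LF, "NAME=value" sets and "NAME?" reads, and the device answers with a status line such as "100:OK" or "101:OK WITH TEXT" (with the value on the following line) while 2xx codes are errors; treat those codes as an assumption and check them against your firmware. It handles the two traps from the list above: GUI slots are 1-8 but SETTING takes 0-7, and old firmwares want the "MY" suffix. The FakeRevE class is a constructed stand-in so the script runs offline; with a real device you would pass a pyserial `serial.Serial("COMx", 115200, timeout=2)` object as the port instead.

```python
"""Drive a RevE from a script instead of the GUI (added example, not repo code).

Assumed protocol (check against your firmware): ASCII command lines ending in
CR LF, "NAME=value" sets and "NAME?" reads; reply is a status line such as
"100:OK" or "101:OK WITH TEXT" (value on the next line); 2xx codes are errors.
Slots are 0-7 on the wire but 1-8 in the GUI; old firmwares need a "MY"
suffix on every command name (CONFIGMY=...).
"""
import re

STATUS_LINE = re.compile(r"^(\d{3}):(.*)$")


class ChameleonError(RuntimeError):
    pass


class Chameleon:
    """Minimal client. `port` needs write(bytes) and readline(), e.g. pyserial."""

    def __init__(self, port, my_suffix=False):
        self.port, self.my_suffix = port, my_suffix

    def _readline(self):
        raw = self.port.readline()
        return (raw.decode("ascii", "replace") if isinstance(raw, bytes) else raw).rstrip("\r\n")

    def command(self, name, value=None, query=False):
        """Send one command; return its text result, raise on a 2xx status."""
        cmd = name + ("MY" if self.my_suffix else "")
        cmd += "?" if query else ("" if value is None else f"={value}")
        self.port.write((cmd + "\r\n").encode("ascii"))
        reply = self._readline()
        m = STATUS_LINE.match(reply)
        if not m:
            raise ChameleonError(f"unparseable reply {reply!r} to {cmd!r}")
        code, text = int(m.group(1)), m.group(2)
        if code >= 200:
            raise ChameleonError(f"{cmd} failed: {code}:{text}")
        return self._readline() if code == 101 else text   # 101: payload follows

    def select_slot(self, gui_slot):
        """Select a slot by its GUI number (1-8); SETTING wants 0-7."""
        if not 1 <= gui_slot <= 8:
            raise ValueError("GUI slot must be 1..8")
        self.command("SETTING", gui_slot - 1)
        return gui_slot - 1

    def configure_slot(self, gui_slot, config, button=None, button_long=None):
        """Set CONFIG, BUTTON and BUTTON_LONG on a slot, then read CONFIG back."""
        self.select_slot(gui_slot)
        self.command("CONFIG", config)
        if button is not None:
            self.command("BUTTON", button)
        if button_long is not None:
            self.command("BUTTON_LONG", button_long)
        readback = self.command("CONFIG", query=True)
        if readback != config:
            raise ChameleonError(f"slot {gui_slot}: wanted {config}, device has {readback}")
        return readback


class FakeRevE:
    """Constructed stand-in for the device so the example runs offline.
    It knows only the commands used above and the status codes assumed above."""
    KNOWN = {"SETTING", "CONFIG", "BUTTON", "BUTTON_LONG"}

    def __init__(self, my_suffix=False):
        self.slots = [{"CONFIG": "NONE", "BUTTON": "CLOSED", "BUTTON_LONG": "CLOSED"} for _ in range(8)]
        self.active, self.my_suffix, self.out, self.log = 0, my_suffix, [], []

    def write(self, data):
        line = data.decode("ascii").rstrip("\r\n")
        self.log.append(line)                         # every line the host sent
        name, sep, arg = re.match(r"^([A-Z_]+)([=?]?)(.*)$", line).groups()
        if self.my_suffix and name.endswith("MY"):
            name = name[:-2]
        elif self.my_suffix or name.endswith("MY"):
            name = None                               # wrong suffix for this firmware
        if name not in self.KNOWN:
            self.out.append("200:UNKNOWN COMMAND")
        elif sep == "?":
            value = str(self.active) if name == "SETTING" else self.slots[self.active][name]
            self.out += ["101:OK WITH TEXT", value]
        elif name == "SETTING" and not (arg.isdigit() and int(arg) <= 7):
            self.out.append("202:INVALID PARAMETER")
        else:
            if name == "SETTING":
                self.active = int(arg)
            else:
                self.slots[self.active][name] = arg
            self.out.append("100:OK")

    def readline(self):
        return (self.out.pop(0) + "\r\n").encode("ascii")


def demo(my_suffix=False):
    """Put GUI slot 2 in MF_DETECTION; a long press switches to the next slot."""
    dev = FakeRevE(my_suffix=my_suffix)
    Chameleon(dev, my_suffix=my_suffix).configure_slot(
        2, "MF_DETECTION", button="CLOSED", button_long="SWITCHCARD")
    return dev.active, dev.slots[1], dev.log   # wire slot 1 == GUI slot 2
```

The read-back of CONFIG after setting it is the part worth keeping in any real script: a command that is silently ignored (wrong suffix, wrong slot) is exactly the kind of mistake that leaves you standing at a reader with a slot in the wrong mode.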

Slots configuration with GUI

The "MF_DETECTION" configuration ("Mode" in the GUI) implements the "reader attack": the RevE records the authentication data a reader sends to it, so that a MIFARE key can be inferred from it. Once this scenario has been played out stand-alone, go back to the GUI, select the slot set to "MF_DETECTION", and use the "mfkey32" button to try to recover a MIFARE key that would fit the associated MIFARE card. You can then proceed with other attacks on the card using this key. This is briefly explained in a video from Lab401.

Modding cards dumps

The "Dump Management" GUI tab is useful to open card dumps and change them if needed. Use a "Template" to highlight the card's keys and access conditions (ACL). Note that if you open a dump here, you won't be able to upload the same file to a slot while it is loaded: save your opened dump to another file, or close and reopen the GUI.
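What the "Template" highlighting shows, reproduced in code as an added example (this is not the GUI's own code): parse a MIFARE Classic 1K dump, pull the keys and access bits out of every sector trailer, and check the things a modded dump most often gets wrong. The layout facts it relies on are standard MIFARE Classic: 16 sectors of 4 blocks of 16 bytes; block 0 starts with the 4-byte UID followed by its BCC (the XOR of the UID bytes); the last block of each sector is the trailer with key A (6 bytes), 3 access bytes, 1 user byte and key B (6 bytes); the access bytes carry the per-block conditions C1/C2/C3 together with their bitwise complements, so an edited trailer whose complements no longer match is detectable before you upload it. The sample dump and the list of "well-known" keys are constructed for the example.

```python
"""Inspect a MIFARE Classic 1K dump (added example, not the GUI's code)."""
BLOCK, SECTORS, BLOCKS_PER_SECTOR = 16, 16, 4
# A few widely published default keys; extend with your own list.
DEFAULT_KEYS = {bytes.fromhex(k) for k in
                ("ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7", "000000000000")}


def access_conditions(acc):
    """Decode 3 access bytes into ((C1, C2, C3) for blocks 0..3, consistent?).

    Byte layout: acc[0] = ~C2 | ~C1, acc[1] = C1 | ~C3, acc[2] = C3 | C2
    (high nibble | low nibble); bit i of each nibble belongs to block i.
    """
    b6, b7, b8 = acc
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    consistent = ((b6 & 0xF) == (~c1 & 0xF) and (b6 >> 4) == (~c2 & 0xF)
                  and (b7 & 0xF) == (~c3 & 0xF))
    conds = tuple(((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4))
    return conds, consistent


def inspect_dump(dump):
    """Summarize UID/BCC and every sector trailer of a 1K dump."""
    dump = bytes(dump)
    if len(dump) != SECTORS * BLOCKS_PER_SECTOR * BLOCK:
        raise ValueError("not a 1K dump (expected 1024 bytes)")
    uid = dump[:4]
    report = {"uid": uid.hex(),
              "bcc_ok": dump[4] == uid[0] ^ uid[1] ^ uid[2] ^ uid[3],
              "sectors": []}
    for s in range(SECTORS):
        t = dump[(s * BLOCKS_PER_SECTOR + 3) * BLOCK:(s * BLOCKS_PER_SECTOR + 4) * BLOCK]
        key_a, acc, key_b = t[:6], t[6:9], t[10:16]
        conds, ok = access_conditions(acc)
        report["sectors"].append({
            "sector": s, "key_a": key_a.hex(), "key_b": key_b.hex(),
            "default_key_a": key_a in DEFAULT_KEYS, "default_key_b": key_b in DEFAULT_KEYS,
            "access": acc.hex(), "access_ok": ok, "conditions": conds})
    return report


def findings(report):
    """Human-readable list of what a template view would flag."""
    out = []
    if not report["bcc_ok"]:
        out.append("block 0: BCC does not match the UID")
    for s in report["sectors"]:
        if not s["access_ok"]:
            out.append(f"sector {s['sector']}: access bytes {s['access']} are inconsistent")
        for which in ("a", "b"):
            if not s[f"default_key_{which}"]:
                out.append(f"sector {s['sector']}: non-default key {which.upper()} {s[f'key_{which}']}")
    return out


def make_sample_dump():
    """Constructed 1K dump: transport-config trailers everywhere, except a
    custom key A in sector 1, corrupted access bytes in sector 2, and a
    'writes need key B' layout (78 77 88) with its own key B in sector 3."""
    dump = bytearray(SECTORS * BLOCKS_PER_SECTOR * BLOCK)
    uid = bytes.fromhex("deadbeef")
    dump[0:4], dump[4] = uid, uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    for s in range(SECTORS):
        start = (s * BLOCKS_PER_SECTOR + 3) * BLOCK
        dump[start:start + BLOCK] = bytes.fromhex("ffffffffffff" "ff0780" "69" "ffffffffffff")
    t1, t2, t3 = ((s * BLOCKS_PER_SECTOR + 3) * BLOCK for s in (1, 2, 3))
    dump[t1:t1 + 6] = bytes.fromhex("112233445566")
    dump[t2 + 6:t2 + 9] = bytes.fromhex("ff0781")      # complement of C2 broken
    dump[t3 + 6:t3 + 9] = bytes.fromhex("787788")
    dump[t3 + 10:t3 + 16] = bytes.fromhex("b0b1b2b3b4b5")
    return bytes(dump)


if __name__ == "__main__":
    for line in findings(inspect_dump(make_sample_dump())):
        print(line)
```

Run the script before uploading an edited dump: an inconsistent trailer is not just cosmetic, a real card would treat the whole sector as blocked, and an emulated one will behave differently from what you intended at the reader.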

Modding dumps in GUI

No more light: go back to stock

If you played too much with the firmware flashing tools and end up with a bricked, non-lighting RevE that is not even recognized as ATxmega32A4U in the Windows device tree in bootloader mode, and you get the following message while flashing as described in this guide:

old_driver_bootloader
dfu-old-driver: no device present.

Then you may have "soft-bricked" your device. Do not panic, and go back to stock as follows:

If you cannot fire up BOOT_LOADER_EXE.exe or flash.bat (errors on launch), make sure you have the required Visual C++ Redistributable, reinstall the DFU driver if need be, and remove any libusb0.dll file from your BOOT_LOADER_EXE.exe directory if there is one.

Now your RevE should be blinking again (but may not function normally yet). You can then flash it again with a known-good firmware as described earlier on this page.

If this still does not work, you may have killed it by not following this page at all... You will still be able to flash it using a dedicated programming adapter (an external programmer wired to the microcontroller's programming interface), then run these steps again.