Chamele-o-nization

Another major change is the chips used. Originally, the Chameleon Mini used the ATxmega128A4U chip, but it was later replaced with the ATxmega32A4U chip (16MHz, 32kb flash, 1kb EEPROM), which is the one found in the Chameleon Mini RevE. Meanwhile, the Ultra version uses the nRF52840 chip. Why the change? Developers argue that it's not only a cheaper chip but also supports Bluetooth BLE 5.0, has 256kb RAM, 64MHz clock speed, consumes very little energy, and offers much better emulation performance and faster response. Previously, they were limited by the SPI protocol clock speed. In short, all advantages — and apparently they discovered this chip almost accidentally. Very curious...

For reading and writing, the Chameleon Ultra uses the MFRC522 chip, which supports a greater variety of tag types than its predecessor.

Summarizing the features of each device. Chameleon Mini RevE features are:

• Firmware support for ISO14443A codec (emulation and reading)
• NFC 13.56 MHz emulation for Mifare Classic 1K/4K, Ultralight/C (4- and 7-byte UIDs)
• 8-bit AVR Processor (ATxmega32A4U @ 32MHz)
• Flash memory (32Kb) and 4Kb RAM
• Hardware support for ASK and BPSK load modulation using a subcarrier
• 8 virtual card slots, up to 8Kb per card in non-volatile memory
• Two programmable buttons and LEDs
• Open-source, modular firmware for easy expansion
• Weight: 31g, Dimensions: 8.6cm x 5.2cm x 0.6cm

Chameleon Ultra features are:

• Firmware support for ISO14443A codec (emulation and reading)
• NFC 13.56 MHz emulation for Mifare Classic 1K/2K/4K, Ultralight/C/EV1, NTAG 210-218, Desfire EV1/2, Mifare Plus
• RFID 125KHz emulation for EM4xx, T5577, FDX-B, Paradox, Keri, Indala, HID Prox, PAC/Stanley, AWD, ioProx, Presco, Viking, Noralsy, NexWatch, Jablotron, Gallagher
• Support for Bluetooth LE (BLE) 5.0
• 32-bit ARM Processor (nRF52840 @ 64MHz)
• Flash memory (1Mb) and 256Kb RAM
• Hardware support for ASK and BPSK load modulation
• Reader mode with fast UID detection support
• 8 dual-frequency virtual card slots up to 64Kb per card
• 90mAh internal LiPo battery
• Two programmable buttons and dynamic RGB LEDs
• Open-source, modular firmware for easy expansion
• Weight: 8g, Dimensions: 4cm x 2.4cm x 0.6cm

What really makes the Chameleon Ultra attractive compared to the Mini is that it is no longer just a "dumb box that carries and emulates tags." Now, besides carrying and emulating tags, it can read tags, perform attacks, use dictionaries, and clone. It’s getting closer to a Proxmark than to its Chameleon predecessors. And not only can it read tags, but it can also modify them by writing onto them. As you can see, it’s a huge step up from the Chameleon Mini: much more powerful and versatile.

And this is the new software's appearance:

But on the fly, we can launch different attacks. In this case, we simply select a dictionary, and this will be the result after applying it:

It will then appear in the Saved Cards section along with others we have:

And we can write it into one of the memory slots if we want:

It also allows importing and exporting tags in .bin and .json file formats (Proxmark3), .nfc (Flipper Zero), and .mfct (Mifare Classic Tool).

In the Device Settings section, among other options, we can program the buttons just like with the Chameleon Mini, so that a short press does one action, and a long press does a different one:

If we have doubts about what type of rewritable card we have, we can use the "Auto-detect Magic Card Type" option to automatically detect it:

Chameleon Mini RevE never had an official app as such, but there were a couple of apps developed by people from the community. I will highlight one that offers functionality very similar to the desktop GUI software from Iceman. It is this Android app from this GitHub repository:

https://github.com/kgamecarter/ChameleonMiniApp

However, the compiled APK is not available in the repository. It used to be available on Google Play Store, but sadly it disappeared from there, so I have prepared a link to the compiled APK (I know what you are thinking, and no, it has no malware, I behaved):

https://mega.nz/file/wJJ0GCzJ#gZTYkAJBciT_AuofHat4QMqBsCPHxvuiLURfAd4dNBY

To use it, you will need to connect your Chameleon Mini RevE to your mobile with an OTG (On-The-Go) cable to the micro-USB port of the Chameleon Mini.

The app looks like this:

There is also a YouTube video of about 20 seconds made by the author of the app, which gives you a good idea of it:

https://www.youtube.com/watch?v=WoU58GzxsAY

As for the Chameleon Ultra, luckily it does have an official app. It is available in Google Play Store, where you can download it:

https://play.google.com/store/apps/details?id=io.chameleon.ultra

There is also an iOS version for Apple devices:

https://apps.apple.com/ve/app/chameleon-ultra-gui/id6462919364

The mobile app for the Chameleon Ultra offers the same functionality as the desktop app, so in my opinion, it is an absolute wonder. This means that, being such a small device and connecting via Bluetooth, we can operate it at 100% capacity anywhere, taking full advantage of it. Bluetooth pairing is extremely easy, and the app allows us to choose the PIN we want for secure connection.

It is also worth mentioning that although connecting via Bluetooth is the usual method, it is possible to connect it with an OTG cable just like we did with the Chameleon Mini, although this time it will have to be USB-C. The app will work perfectly as well.

This is what the mobile app looks like:

Firmware update

Updating the firmware on the Chameleon Mini was a bit more complex. To avoid repeating everything, I will simply reference an article I wrote some time ago where, among other things, the process of updating the firmware of the Chameleon Mini RevE is described:

https://www.hackplayers.com/2021/07/nfc-proxmark3-chameleon.html

On the Chameleon Ultra, updating the firmware could not be easier. There are several methods, but without a doubt, the easiest one is simply to open the GUI application and click on the magic button next to the firmware version. This button will do all the work. It is that simple. It automatically puts the device into DFU (Device Firmware Update) mode, downloads the latest version, flashes it, and so on.

Where to buy it?

It can be purchased in different places like Lab401 store, Hackerwarehouse, or even Amazon, but in my experience it is cheaper to buy it on Aliexpress. That said, you have to distinguish between the original and the imitations.

In this link, I found a comparison between the "Chameleon Ultra" and the "Chamele0n Ultra" (note that the “o” in the imitation is actually a zero “0”). They compare physical components and differences. A very interesting article:

https://shop.mtoolstec.com/whatre-the-differences-between-chameleon-ultra-chamele0n-ultra.html

The truth is that, after reading the article, it seems the imitation does not differ too much from the original, only in small details. But since I have not personally tested the imitation, I recommend buying the original. Nevertheless, it is quite likely that the imitation also works well, although I cannot guarantee it at this moment. Here are a couple of Aliexpress links to good-priced original Chameleons, the ones I personally own.

Original  Chameleon Mini RevE:

https://s.click.aliexpress.com/e/_opkB6kH

Original Chameleon Ultra:

https://s.click.aliexpress.com/e/_oCTviIv

The current prices in 2025 are around 35€ for the Mini and 120€ for the Ultra (original versions). However, these prices always fluctuate slightly (that’s the market, my friend!). On pages like Lab401 or similar, it is somewhat more expensive. The imitation, meanwhile, is around 20 or 25€. I’ll leave a link here as well.

Chamele0n Ultra imitation:

https://s.click.aliexpress.com/e/_ooCcTAl