RFID Cloning with the ChameleonMini and PowerShell

ChameleonMini RevG

During Citrix Synergy 2017 Remko Weijnen and Geert Braakhekke presented session SYN712: Analysis of a Hack: How to Defend and Protect with Citrix. Although it could be argued that this session was more about hacking and security than protecting Citrix implementations specifically, the information provided was extremely entertaining and informative.

One demo shown during the presentation that intrigued me the most was cloning RFID cards utilizing the ChameleonMini RevG from Kasper Oswald. Remko showed a demonstration utilizing the ChameleonMini to clone hotel key cards, public transportation passes, and even the Citrix Synergy attendee badge.  I knew I had to give it a try.

The ChameleonMini provides the functionality to read RFID cards, as well as store 8 card configurations for later use. There are plenty of other websites dealing with the cloning of RFID and MiFare cards, as well as the ChameleonMini specifically. This post is focused on the PowerShell GUI utility used to interface with the ChameleonMini.

I ordered my own ChameleonMini RevG directly from Kasper Oswald in Germany and patiently waited for it to arrive. I had done my research and read the documentation posted by Kasper Oswald on their GitHub repository. It quickly became apparent that the GUI interface that was shown during the demo at Citrix Synergy had been developed by someone other than Kasper Oswald, since configuration was only available via a terminal session as described in the documentation.

Although configuring the Chameleon from a terminal session would not be a problem, it did not seem like the most convenient or efficient way to make regular changes to the cards that were stored on the device or modify other configuration options.  There were several shortcomings to the command line interface in my mind.

  • The returned status code overwrote the output from the previous command
  • The information from a read card had to be copied out and could not be recalled from the command line to easily store the configuration in a card slot
  • Card information had to be configured individually rather than being able to configure an entire card slot at one time
  • No easy way to see which “Card Slot” was currently being configured without issuing the “Setting?” command
  • No easy way to backup the configuration without using XModem

There had to be another way. I do not know what language was utilized to create the GUI interface that Remko Weijnen had utilized during his presentation, but I decided to utilize Microsoft PowerShell for the creation of my own GUI utility.

PowerShell GUI Utility

Smart Card Clone Utility written in Microsoft PowerShell

Connection is made to the Chameleon via a micro USB connection, and the device is detected in Microsoft Windows as a USB Serial device. The .NET System.IO.Ports.SerialPort class allows PowerShell to connect to, read from, and write to the connected device via its COM port.

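$PortNum = 'COM3'   # placeholder: the COM port Windows assigned to the ChameleonMini
$Port = New-Object System.IO.Ports.SerialPort $PortNum, 9600, None, 8, One   # 9600 baud, no parity, 8 data bits, 1 stop bit
$Port.Open()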

Once the COM port has been opened, commands can be sent to the ChameleonMini and responses read back with the SerialPort object's WriteLine(), ReadLine(), and ReadExisting() methods.

  • $Port.WriteLine() – Sends a command to the serial port
  • $Port.ReadLine() – Reads the last line output by the serial port
  • $Port.ReadExisting() – Reads the entire buffer of output generated since last command was issued
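
$Port.WriteLine("Config?")   # send the Config? command
$Port.ReadLine()             # read one line of the reply
$Port.ReadExisting()         # read whatever else is waiting in the input buffer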

The only real caveat with sending the serial commands is the requirement to send a carriage return after each command. This was accomplished by issuing the following command, where `r is the PowerShell special character for a carriage return:

$Port.WriteLine("`r")
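
The pieces above combined into one helper, as an added example that is not the utility's own code: it appends the carriage return to each command, keeps every reply with the command that produced it, and always closes the port. The function name Invoke-ChameleonCommand, the 'COM3' port name and the 200 ms settle time are assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not part of the original utility.
function Invoke-ChameleonCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $PortName,   # e.g. 'COM3' (placeholder)
        [Parameter(Mandatory)] [string[]] $Command,    # e.g. 'Config?', 'Setting?'
        [int] $SettleMs = 200                          # assumed wait for the reply
    )

    # Same port settings as the snippet above: 9600 baud, no parity, 8 data bits, 1 stop bit.
    $port = New-Object System.IO.Ports.SerialPort $PortName, 9600, None, 8, One
    $port.WriteTimeout = 1000   # fail instead of hanging if the device stops accepting data

    try {
        $port.Open()
        foreach ($cmd in $Command) {
            # Drop stale bytes so this reply is not mixed with an earlier one.
            $port.DiscardInBuffer()

            # Write() adds no terminator of its own, so append the carriage return here.
            $port.Write("$cmd`r")

            # Give the device time to answer, then take everything in the buffer.
            Start-Sleep -Milliseconds $SettleMs
            $raw   = $port.ReadExisting()
            $lines = @($raw -split '[\r\n]+' | Where-Object { $_ })

            # One object per command, so a later reply never overwrites an earlier one.
            [pscustomobject]@{
                Command  = $cmd
                Response = $lines
            }
        }
    }
    finally {
        # Release the COM port even when Open() or Write() throws.
        if ($port.IsOpen) { $port.Close() }
        $port.Dispose()
    }
}

# Requires a connected ChameleonMini; replace COM3 with the port shown in Device Manager.
Invoke-ChameleonCommand -PortName 'COM3' -Command 'Config?', 'Setting?' | Format-List
```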

Being able to interface with the ChameleonMini from within PowerShell is great but doesn’t gain you many advantages over a standard terminal client such as PuTTY. Enter the PowerShell form created utilizing SAPIEN PowerShell Studio. Not only does the form allow you to leverage some of the automation of PowerShell, but it also provides a graphical user interface and a standalone .exe that can be run from any Windows workstation. This allows users not familiar with the command structure of the ChameleonMini or PowerShell to still interact with and configure the ChameleonMini.

PowerShell Automation

Utilizing PowerShell allows for some automation and functionality that you don’t easily get from the standard ChameleonMini command structure.

  • Easy configuration backup without the need for Xmodem
  • Easy configuration restore without the need for Xmodem
  • Ability to quickly wipe all configuration from the ChameleonMini
  • Easily view configuration of any configuration slot
  • See the Decimal value of a card as it is seen by an RFID reader
  • Write the entire configuration of a read card to an available slot at one time without having to enter separate commands for each piece of the configuration.
  • Configuration via point and click interface when keyboard commands are not convenient
  • No requirement to remember less frequently used ChameleonMini commands

I have made the PowerShell code as well as the .EXE available at the links below. I hope you find it useful, and please reach out with any questions or comments. You can contact me here at ForensicExpedition.com or on Twitter @4n6Expedition.


Downloads

PowerShell Code
Compiled EXE

Note: You will need to install the ChameleonMini driver prior to utilizing the PowerShell Form to configure your ChameleonMini RevG.