ChameleonUltra is a powerful tool for recovering the keys the reader uses to authenticate the tag. Before starting the recovery process, you must prepare the anti-collision and dump data.

# Button functionality

• Edit keys: Edit the known keys, which will be used to read the tag, in hex format one key per line. If no keys are provided, the well-known keys will be used.
• Read Tag: Read the anti-collision data and blocks of tag via ChameleonUltra. Unreadable blocks will be filled with pre-defined data.
• New dump: Generate a new dump corresponding to current anti-collision data.
• Edit dump: Edit the dump data in hex format, one block per line. If anti-collision data exists within the block 0, it will be overwritten.
• Import file: Import dump from file and extract the associated keys. If anti-collision data exists within the file or block 0, it will be overwritten. Supported file ext.: bin, json, eml, mct.
• Export file: Export dump to a file. Supported file ext.: bin, json, eml, mct.

# Anti-collision data and its necessity

Anti-collision data comprises UID, ATQA, SAK, and ATS. Some reader will use different keys based on specific anit-collision data. Therefore, it may not be possible to recover the matched keys without the correct anti-collision data.

# Read data from tag

If you have a tag, the preferred method is to use the keys to read the tag via ChameleonUltra. If you already have some keys of the tag, you can update them by clicking "Edit keys". Otherwise, you can leave the keys input empty to begin with the well-known keys. Subsequently, you can click "Read Tag".

# Generate new blank dump

If you don't have a tag, you can modify the anti-collision data and click "New dump" to create a new blank dump. Since the actual dump data is unknown, only a subset of the keys that the reader uses to authenticate the tag can be recovered.

# Export dump before closing

To preserve your data, click "Export file" to save the data to a file. You may restore dump data later by clicking "Import file". Please ensure that you export the dump before closing the page to avoid data loss!

To recover the keys, emulate the dump through ChameleonUltra, let the genuine reader to read ChameleonUltra at least twice to gather failed authentication logs, and subsequently read the logs to recover the keys.

# Button functionality

• Emulate: Write the dump data to a selected ChameleonUltra slot and start emulation with detection mode enabled. Note that this action will overwrite any existing data in the selected slot.
• Recover: Read logs from ChameleonUltra to recover the keys. This process may take a long time. Successfully recovered keys will be automatically appended to the known keys list.

# Repeat to recover more keys

The more similarity between the dump data and the tag, the more keys can be recovered. You can repeat the workflow (read tag, emulate, recover) and try to recover more keys of previously unreadable blocks.

# Learn more about MFKey32

If you want to learn more about MFKey32, please refer to the Flipper documentation "Recovering MIFARE Classic keys" and MTools Tec documentation "How to use mfkey32 on ChameleonUltra devices".