ChameleonUltra is a powerful tool for recovering the keys the reader uses to authenticate the tag. Before starting the recovery process, you must prepare the anti-collision and dump data.
Anti-collision data comprises UID, ATQA, SAK, and ATS. Some reader will use different keys based on specific anit-collision data. Therefore, it may not be possible to recover the matched keys without the correct anti-collision data.
If you have a tag, the preferred method is to use the keys to read the tag via ChameleonUltra. If you already have some keys of the tag, you can update them by clicking "Edit keys". Otherwise, you can leave the keys input empty to begin with the well-known keys. Subsequently, you can click "Read Tag".
If you don't have a tag, you can modify the anti-collision data and click "New dump" to create a new blank dump. Since the actual dump data is unknown, only a subset of the keys that the reader uses to authenticate the tag can be recovered.
To preserve your data, click "Export file" to save the data to a file. You may restore dump data later by clicking "Import file". Please ensure that you export the dump before closing the page to avoid data loss!
To recover the keys, emulate the dump through ChameleonUltra, let the genuine reader to read ChameleonUltra at least twice to gather failed authentication logs, and subsequently read the logs to recover the keys.
The more similarity between the dump data and the tag, the more keys can be recovered. You can repeat the workflow (read tag, emulate, recover) and try to recover more keys of previously unreadable blocks.
If you want to learn more about MFKey32, please refer to the Flipper documentation "Recovering MIFARE Classic keys" and MTools Tec documentation "How to use mfkey32 on ChameleonUltra devices".