How to use mfkey32 on ChameleonUltra devices

What’s mfkey32?

mfkey32 is a tool used for cracking MIFARE Classic chips. It uses a technique known as the “darkside” attack, which leverages certain information (such as the timing of password attempts) to infer potential keys. This method not only saves a lot of time in cracking attempts but also requires only a minimal number of password attempts.

Why use mfkey32?

On some Mifare Classic cards, the darkside attack has been fixed and you cannot attack the card with a PN532, ACR122U or Proxmark3. The card is also not vulnerable to the nested attack. In that case, mfkey32 can be a good replacement method to go further.

Here’s an example where the RFID Tools App with an ACR122U reader does not work on this card; mfkey32 can solve the issue.

Which Chameleon Ultra devices support mfkey32?

How to use mfkey32 with MTools BLE?

MTools BLE provides quick functions to simulate and enable mfkey32 functions.

1. Connect the ChameleonUltra over Bluetooth in MTools BLE.
The device must be searched for within the app, not in the system Bluetooth settings. If this is the first time you connect the Chameleon Ultra and a PIN is required, connect and enter the PIN as well.

2. Switch to an empty slot. The default UID of a new slot is DEADBEEF.
You can also long-press the slot to set the HF tag type to Mifare Classic 1K.

3. Click Read to enter reader mode and read the original tag. Then click Simulate to simulate a Mifare Classic 1K card with the same UID, all default sector data, and the default key FFFFFFFFFFFF on all 16 sectors.

4. Go to Settings and enable Detection Mode. This enables the mfkey32 detection log function on ChameleonUltra devices.

5. Present the Chameleon Ultra to the ordinary reader several times. The reader will show an error, of course, but that is not a problem. We only need the error log, also called the detection log, which contains the key information.

6. Reconnect and check mfkey32 results.

The result shows the mfkey32 log with the UID, block index and key information. It may include one or more blocks.

7. Check Mifare Keys History Keys

Now read the original tag with the known keys.

That’s how mfkey32 works and how it recovers the Mifare keys very easily.

2 thoughts on “How to use mfkey32 on ChameleonUltra devices”

  1. Andrey Valinov says:

    Good and very useful article for all Chameleon users. Congratulations for the idea. Reading the steps I come across missing ones. For example, there is a lack of clarity between steps 4/5 and 5/6. A short video that would show everything would be very convenient.
