Chameleon Ultra · Volume 3
Chameleon Ultra — RFID/NFC Primer
A condensed physics and protocol reference; cross-links the iCopy-X primer for full depth
Stub — section skeleton authored 2026-06-27; prose to follow.
3.1 Why a primer here
Note: this volume is a condensed orientation. The iCopy-X series has a complete 55 KB RFID/NFC primer at vol3.md — readers who need the physics and protocol depth should read that first. Cross-link: ../../iCopy-X/02-inputs/volume_sources/vol3.md.
Explains the role of this condensed primer: it exists to make vols 4 and 5 self-contained for readers arriving directly at the Chameleon Ultra series, without duplicating the full physics treatment from the iCopy-X primer. Readers who have already worked through the iCopy-X series or another RFID primer can skip to Vol 4.
3.2 LF physics — 125 kHz, inductive coupling, modulation schemes
Covers the 125 kHz band at the level needed to understand LF emulation in Vol 5: inductive (magnetic-field) coupling, the reader's continuous carrier, how a passive LF card modulates it, and the modulation schemes (ASK, FSK, PSK) and line codes (Manchester, Bi-phase) used by the families the Chameleon supports.
3.2.1 Inductive coupling at 125 kHz
Explains how energy and data transfer between reader and card through coupled coils tuned to the carrier; notes practical read-range implications for LF (~10 cm nominal vs HF's ~5 cm nominal; both are strongly dependent on antenna geometry, tuning and reader power). [VERIFY: Chameleon Ultra actual LF read range]
3.2.2 Modulation and encoding
Briefly separates modulation from line coding: ASK with Manchester (EM410x), FSK (HID Prox), PSK (Indala), and the T5577, which is configured to whichever of these its target format needs; the per-protocol breakdown is deferred to Vol 5.
3.3 HF physics — 13.56 MHz, near-field coupling, load modulation
Covers the 13.56 MHz band: near-field (magnetic) coupling as with LF, but the higher carrier frequency supports far higher data rates; load modulation as the card-to-reader back-channel; ISO 14443A's 106 kbps base data rate (carrier/128).
3.3.1 Near-field coupling at 13.56 MHz
Same inductive coupling principle as LF; explains why 13.56 MHz is used for ISO 14443A (MIFARE, NFC) while 125 kHz persists for legacy access-control LF.
3.3.2 Load modulation and subcarrier
Explains how an ISO 14443A card replies by switching a load across its coil (load modulation), which the reader sees as a change in its own antenna current; the card-to-reader signal is Manchester coded onto an 847.5 kHz (fc/16) subcarrier, while reader-to-card data uses modified Miller coding with 100 % ASK pauses.
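The two bit codings above plus the ISO 14443-3 standard frame (bytes LSB first, each followed by an odd parity bit), modelled at the symbol level. This is an added example for this primer, not Chameleon Ultra project code: reader-to-card is written with the X/Y/Z modified Miller sequences of ISO 14443-2, card-to-reader with the symbol names D (subcarrier in the first half-bit), E (subcarrier in the second half) and F (no subcarrier), which are this model's own names rather than anything from the standard or the firmware.

```python
"""ISO 14443A bit coding and frame format, modelled at the symbol level.

Added example for this primer, not Chameleon Ultra project code. Reader-to-card
uses the modified Miller sequences X/Y/Z of ISO 14443-2; card-to-reader is
Manchester on the fc/16 subcarrier, written here as D (subcarrier in the first
half-bit), E (second half) and F (no subcarrier), names chosen for this model.
Both directions carry bytes LSB first, each followed by an odd parity bit
(ISO 14443-3 standard frame); the 7-bit REQA/WUPA short frame has no parity."""


def frame_bits(data: bytes, short: bool = False) -> list:
    """Payload bits of a standard frame, or of a 7-bit short frame (REQA 0x26, WUPA 0x52)."""
    if short:
        return [(data[0] >> i) & 1 for i in range(7)]
    bits = []
    for b in data:
        byte_bits = [(b >> i) & 1 for i in range(8)]        # LSB first
        bits += byte_bits + [1 - (sum(byte_bits) & 1)]      # odd parity bit
    return bits


def unframe_bits(bits: list):
    """Inverse of frame_bits for a standard frame; None on a length or parity error."""
    if len(bits) % 9:
        return None
    out = bytearray()
    for i in range(0, len(bits), 9):
        group = bits[i:i + 9]
        if sum(group) & 1 != 1:                              # 8 data bits + parity must be odd
            return None
        out.append(sum(b << k for k, b in enumerate(group[:8])))
    return bytes(out)


def short_frame_value(bits: list) -> int:
    """Reassemble the 7 bits of a short frame, LSB first."""
    return sum(b << k for k, b in enumerate(bits))


def miller_encode(bits: list) -> str:
    """PCD->PICC: SOC is Z; 1 -> X; 0 -> Y after a 1, Z after a 0 or the SOC;
    EOC is a logic 0 followed by Y."""
    seq, prev = "Z", 0
    for b in bits + [0]:                                     # trailing 0 is the EOC's
        seq += "X" if b else ("Y" if prev else "Z")
        prev = b
    return seq + "Y"


def miller_decode(seq: str):
    """Find the EOC (a 0-symbol followed by Y, a pair that never occurs inside data)
    and map X -> 1, Y/Z -> 0; None if SOC or EOC is missing."""
    if not seq or seq[0] != "Z":
        return None
    for i in range(1, len(seq) - 1):
        if seq[i] in "YZ" and seq[i + 1] == "Y":
            return [1 if s == "X" else 0 for s in seq[1:i]]
    return None


def subcarrier_encode(bits: list) -> str:
    """PICC->PCD: SOC is D (a 1), then D/E per bit, EOC is F (subcarrier off)."""
    return "D" + "".join("D" if b else "E" for b in bits) + "F"


def subcarrier_decode(seq: str):
    """Strip SOC/EOC and map D -> 1, E -> 0; None if either marker is missing."""
    if not seq.startswith("D") or "F" not in seq:
        return None
    return [1 if s == "D" else 0 for s in seq[1:seq.index("F")]]
```

The decoder relies on a property of the Miller rules worth knowing when debugging an emulator: a Y is only ever generated directly after an X inside a frame, so the first Y-or-Z followed by Y is always the end of communication.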
3.4 ISO 14443A — the HF standard the Chameleon cares about most
Provides the condensed reference for ISO 14443A: the four-part standard (-1 physical characteristics, -2 RF power and signal interface, -3 initialisation and anticollision, -4 transmission protocol), the UID select-and-anticollision loop, the ISO 14443-4 block framing that carries APDUs, and the specific card families that live under it (MIFARE Classic, Ultralight, NTAG, DESFire, Plus). MIFARE Classic, Ultralight and NTAG stop at -3 and use proprietary commands; DESFire speaks -4.
3.4.1 Initialisation and anticollision
Describes the REQA (or WUPA) / ATQA / ANTICOLLISION / SELECT / SAK sequence, including the BCC and CRC_A checks, that the Chameleon must replay bit-exactly when emulating an ISO 14443A card.
3.4.2 UID types — 4-byte, 7-byte, 10-byte
Explains the three UID sizes in ISO 14443A (single, double and triple size, signalled in ATQA and resolved over one, two or three cascade levels using the 0x88 cascade tag); notes the Chameleon Ultra supports 4B and 7B UIDs for MIFARE Classic.
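The activation sequence of 3.4.1 and the cascade handling of 3.4.2, worked end to end with both sides of the exchange. This is an added example for this primer, not Chameleon Ultra project code: the `Picc` class is the card-side state machine an emulator must reproduce, `select_card` is the reader side, and the sample UIDs are constructed for the test. SAK values 0x08 / 0x18 / 0x00 / 0x20 are the usual ones for MIFARE Classic 1K / 4K / Ultralight / ISO 14443-4 cards; CRC_A is the ISO 14443-3 polynomial with its 0x6363 preset.

```python
"""ISO 14443A activation modelled end to end: REQA/ATQA, then the
ANTICOLLISION / SELECT / SAK loop over one to three cascade levels.

Added example for this primer, not Chameleon Ultra project code. The card side
(Picc) is what an emulator must reproduce; the reader side (select_card) is
what a PCD does. UIDs and SAKs used in tests are constructed values."""

CASCADE_TAG = 0x88                       # CT: "more UID bytes in the next level"
SEL = (0x93, 0x95, 0x97)                 # SELECT codes for cascade levels 1..3
REQA, WUPA = 0x26, 0x52                  # 7-bit short frames
NVB_ANTICOLL, NVB_SELECT = 0x20, 0x70    # number of valid bits: 2 bytes / 7 bytes


def crc_a(data: bytes) -> bytes:
    """CRC_A (ISO 14443-3): reflected poly 0x8408, init 0x6363, sent low byte first."""
    crc = 0x6363
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return bytes((crc & 0xFF, crc >> 8))


def cascade_levels(uid: bytes) -> list:
    """Split a 4/7/10-byte UID into the 4-byte bodies sent per cascade level."""
    ct = bytes([CASCADE_TAG])
    if len(uid) == 4:
        return [uid]
    if len(uid) == 7:
        return [ct + uid[:3], uid[3:]]
    if len(uid) == 10:
        return [ct + uid[:3], ct + uid[3:6], uid[6:]]
    raise ValueError("UID must be 4, 7 or 10 bytes")


def bcc(level: bytes) -> int:
    """Block check character: XOR of the four bytes of one cascade level."""
    return level[0] ^ level[1] ^ level[2] ^ level[3]


class Picc:
    """Minimal Type A card: IDLE -> READY (after REQA/WUPA) -> ACTIVE (after last SELECT)."""

    def __init__(self, uid: bytes, sak: int):
        self.levels = cascade_levels(uid)
        self.final_sak = sak
        # ATQA low byte, bits 7..6: 00 single, 01 double, 10 triple size UID;
        # 0x04 in the low nibble is the bit-frame anticollision flag MIFARE cards set.
        self.atqa = bytes(((len(self.levels) - 1) << 6 | 0x04, 0x00))
        self.state, self.level = "IDLE", 0

    def transceive(self, frame: bytes):
        """Return the response frame, or None where a real card stays silent."""
        if self.state == "IDLE":
            if frame in (bytes([REQA]), bytes([WUPA])):
                self.state, self.level = "READY", 0
                return self.atqa
            return None
        if self.state != "READY" or len(frame) < 2 or frame[0] != SEL[self.level]:
            return None
        body = self.levels[self.level]
        if frame[1] == NVB_ANTICOLL:                     # ANTICOLLISION: UID CLn + BCC
            return body + bytes([bcc(body)])
        if frame[1] == NVB_SELECT and len(frame) == 9:   # SELECT: SEL NVB UID(4) BCC CRC(2)
            if frame[2:6] != body or frame[6] != bcc(body) or crc_a(frame[:7]) != frame[7:]:
                return None
            last = self.level == len(self.levels) - 1
            sak = self.final_sak if last else 0x04       # SAK bit 0x04: UID not complete
            if last:
                self.state = "ACTIVE"
            else:
                self.level += 1
            return bytes([sak]) + crc_a(bytes([sak]))
        return None


def select_card(card: Picc):
    """Reader side: returns (atqa, uid, sak); raises on a protocol violation."""
    atqa = card.transceive(bytes([REQA]))
    if atqa is None:
        raise RuntimeError("no ATQA")
    uid = b""
    for sel in SEL:
        resp = card.transceive(bytes([sel, NVB_ANTICOLL]))
        if resp is None or len(resp) != 5 or bcc(resp[:4]) != resp[4]:
            raise RuntimeError("ANTICOLLISION: missing or BCC-corrupt reply")
        select = bytes([sel, NVB_SELECT]) + resp
        sak_frame = card.transceive(select + crc_a(select))
        if sak_frame is None or len(sak_frame) != 3 or crc_a(sak_frame[:1]) != sak_frame[1:]:
            raise RuntimeError("SELECT: missing or CRC-corrupt SAK")
        sak = sak_frame[0]
        if not sak & 0x04:                               # UID complete at this level
            return atqa, uid + resp[:4], sak
        uid += resp[1:4]                                 # drop the cascade tag, keep 3 bytes
    raise RuntimeError("cascade level 3 still claims an incomplete UID")
```

Note that the reader decides whether to strip a cascade tag from the SAK's cascade bit, not from the first byte being 0x88: at cascade level 3 a genuine UID byte may equal 0x88, and an emulator that answers with the wrong SAK bit will make the reader assemble the wrong UID.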
3.4.3 Card families under ISO 14443A
Brief index of each card family in the Chameleon's scope (MIFARE Classic 1K/2K/4K, Ultralight, the NTAG 21x family (210 through 216), DESFire EV1/EV2, MIFARE Plus), pointing forward to Vol 4 for operational detail.
3.5 MIFARE Classic — Crypto1, sector structure, why it cracks
Explains the MIFARE Classic security model in enough depth to understand the attack suite in Vol 4: 16 sectors / 64 blocks for 1K (40 sectors / 256 blocks for 4K: 32 sectors of 4 blocks plus 8 sectors of 16), Key A and Key B per sector, the Crypto1 stream cipher, and the nonce-generator and keystream-leak weaknesses that the DarkSide/Nested/HardNested/MFKEY32 suite exploits.
3.5.1 Sector and block layout
Tabulates 1K vs 4K sector/block counts and the block-to-sector mapping; explains the 16-byte sector trailer (Key A, three access-bit bytes plus a general-purpose byte, Key B) and the C1/C2/C3 access conditions it assigns to each block.
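The geometry and trailer decoding above as working code. This is an added example for this primer, not Chameleon Ultra project code; the two access-condition tables are transcribed from the MIFARE Classic 1K/4K datasheets, and the sample trailer is constructed for the test using the factory transport configuration FF 07 80 69. It also answers the question a practitioner asks of every dump: is Key B in this sector actually usable for authentication, or is it readable data that the card will refuse to authenticate with?

```python
"""MIFARE Classic memory geometry and sector-trailer access conditions.

Added worked example for this primer (not Chameleon Ultra project code). The
access-condition tables are transcribed from the MIFARE Classic datasheets
(MF1S50 1K, MF1S70 4K); "-" means never, "A"/"B"/"AB" name the key(s) allowed."""

# (C1,C2,C3) -> (read, write, increment, decrement/transfer/restore) for data blocks
DATA_ACL = {
    (0, 0, 0): ("AB", "AB", "AB", "AB"),   # transport configuration
    (0, 1, 0): ("AB", "-", "-", "-"),
    (1, 0, 0): ("AB", "B", "-", "-"),
    (1, 1, 0): ("AB", "B", "B", "AB"),     # value block
    (0, 0, 1): ("AB", "-", "-", "AB"),     # value block
    (0, 1, 1): ("B", "B", "-", "-"),
    (1, 0, 1): ("B", "-", "-", "-"),
    (1, 1, 1): ("-", "-", "-", "-"),
}
# (C1,C2,C3) -> (keyA read, keyA write, bits read, bits write, keyB read, keyB write)
TRAILER_ACL = {
    (0, 0, 0): ("-", "A", "A", "-", "A", "A"),
    (0, 1, 0): ("-", "-", "A", "-", "A", "-"),
    (1, 0, 0): ("-", "B", "AB", "-", "-", "B"),
    (1, 1, 0): ("-", "-", "AB", "-", "-", "-"),
    (0, 0, 1): ("-", "A", "A", "A", "A", "A"),   # transport configuration
    (0, 1, 1): ("-", "B", "AB", "B", "-", "B"),
    (1, 0, 1): ("-", "-", "AB", "B", "-", "-"),
    (1, 1, 1): ("-", "-", "AB", "-", "-", "-"),
}


def sector_of(block: int) -> int:
    """Absolute block -> sector. 1K: blocks 0..63 in 16 sectors of 4.
    4K: blocks 0..127 as 32 sectors of 4, then blocks 128..255 as 8 sectors of 16."""
    return block // 4 if block < 128 else 32 + (block - 128) // 16


def trailer_block(sector: int) -> int:
    """Absolute block number of the sector's trailer (its last block)."""
    return sector * 4 + 3 if sector < 32 else 128 + (sector - 32) * 16 + 15


def sector_blocks(sector: int) -> int:
    return 4 if sector < 32 else 16


def decode_access_bits(b6: int, b7: int, b8: int) -> list:
    """Trailer bytes 6..8 -> [(C1,C2,C3)] for access groups 0..3.
    Layout (high nibble | low nibble): b6 = ~C2 | ~C1, b7 = C1 | ~C3, b8 = C3 | C2.
    The inverted copies are an integrity check; a real card with a mismatch blocks
    the whole sector, so treat it as an error here as well."""
    c1, c3, c2 = b7 >> 4, b8 >> 4, b8 & 0xF
    if (~b6 & 0xF) != c1 or (~b6 >> 4 & 0xF) != c2 or (~b7 & 0xF) != c3:
        raise ValueError("access bits fail the inverted-nibble check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def access_bits_valid(b6: int, b7: int, b8: int) -> bool:
    try:
        decode_access_bits(b6, b7, b8)
        return True
    except ValueError:
        return False


def encode_access_bits(conds: list) -> bytes:
    """Inverse of decode_access_bits: produce bytes 6..8 of a trailer."""
    c1 = sum(c[0] << i for i, c in enumerate(conds))
    c2 = sum(c[1] << i for i, c in enumerate(conds))
    c3 = sum(c[2] << i for i, c in enumerate(conds))
    return bytes(((~c2 & 0xF) << 4 | (~c1 & 0xF), c1 << 4 | (~c3 & 0xF), c3 << 4 | c2))


def parse_trailer(trailer: bytes) -> dict:
    """Split a 16-byte trailer and flag whether Key B is a real secret."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    conds = decode_access_bits(trailer[6], trailer[7], trailer[8])
    # When the trailer ACL lets Key B be read, the card treats it as plain data
    # and will not authenticate with it: only an unreadable Key B is a key.
    return {"key_a": trailer[:6], "key_b": trailer[10:], "gpb": trailer[9],
            "conds": conds, "key_b_usable": TRAILER_ACL[conds[3]][4] == "-"}


def block_acl(sector: int, index: int, conds: list) -> tuple:
    """ACL of block `index` inside `sector`. In 16-block sectors access group 0
    covers blocks 0..4, group 1 blocks 5..9, group 2 blocks 10..14; group 3 is
    always the trailer."""
    n = sector_blocks(sector)
    if index == n - 1:
        return ("trailer",) + TRAILER_ACL[conds[3]]
    group = index if n == 4 else index // 5
    return ("data",) + DATA_ACL[conds[group]]
```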
3.5.2 Crypto1 — the broken cipher
Describes Crypto1 at the conceptual level: a proprietary 48-bit LFSR with a nonlinear filter function, the card's 16-bit nonce generator, and the class of weaknesses (only 65535 possible card nonces, each predictable from the last; keystream leaked through encrypted parity bits, the 4-bit NACK to a failed authentication, and the encrypted nonce of a nested authentication) that make it vulnerable to the attacks the Chameleon implements.
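The nonce generator is the weakness the Nested family builds on, and it is small enough to show whole. The block below is an added example for this primer, not Chameleon Ultra code and not crapto1: it models the card-side 16-bit LFSR with feedback polynomial x^16 + x^14 + x^13 + x^11 + 1 from which Crypto1 authentication draws its 32-bit nonces. The bit convention (the first bit the card would emit is bit 31 of the nonce) is this model's own choice, so values are not byte-for-byte comparable with crapto1's `prng_successor`, although the properties demonstrated are the same.

```python
"""Model of the MIFARE Classic card nonce generator: a 16-bit LFSR whose 32
successive output bits form the 32-bit nonce nT.

Added example for this primer; not Chameleon Ultra code, not crapto1. Bit
convention (first emitted bit = nonce bit 31) is this model's assumption."""


def lfsr_step(state: int) -> int:
    """Clock once: shift right, new bit 15 = s0 ^ s2 ^ s3 ^ s5 (the reciprocal form
    of x^16 + x^14 + x^13 + x^11 + 1); bit 0 is the emitted bit."""
    fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (fb << 15)


def nonce_from_state(state: int) -> int:
    """Emit 32 bits. A nonce is 32 clocks of a 16-bit register, so only its first
    16 bits are free; the last 16 are a function of them."""
    nonce = 0
    for _ in range(32):
        nonce = (nonce << 1) | (state & 1)
        state = lfsr_step(state)
    return nonce


def state_from_nonce(nonce: int) -> int:
    """Recover the register from the first 16 emitted bits (bit 31 first)."""
    state = 0
    for i in range(16):
        state |= ((nonce >> (31 - i)) & 1) << i
    return state


def is_valid_nonce(nonce: int) -> bool:
    """Only 65535 of the 2^32 values can come out of the generator. This is the
    test a Nested attack applies to recognise a correctly decrypted nonce."""
    return nonce_from_state(state_from_nonce(nonce)) == nonce


def prng_successor(nonce: int, n: int) -> int:
    """The nonce the card will produce n clocks after `nonce`; with the timing
    between two authentications known, the next nonce is known too."""
    state = state_from_nonce(nonce)
    for _ in range(n):
        state = lfsr_step(state)
    return nonce_from_state(state)


def nonce_distance(a: int, b: int) -> int:
    """Clocks from nonce a to nonce b, or -1 if b is not on the cycle."""
    s, target = state_from_nonce(a), state_from_nonce(b)
    for d in range(65535):
        if s == target:
            return d
        s = lfsr_step(s)
    return -1


def period(seed: int = 1) -> int:
    """Cycle length from a non-zero seed: 65535, i.e. every non-zero state."""
    s, n = lfsr_step(seed), 1
    while s != seed:
        s, n = lfsr_step(s), n + 1
    return n
```

Two consequences follow directly from the code: a 32-bit nonce carries 16 bits of entropy, and knowing one nonce plus the clock count to the next authentication gives the next nonce exactly, which is what lets Nested search a few candidate keystreams instead of 2^48 keys.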
3.5.3 Why the attack suite exists
Explains why five complementary attack paths are needed: DarkSide when no key is known; Nested to extend one known sector key to the rest of the card; HardNested for cards whose nonce generator has been fixed so that Nested's prediction no longer works; MFKEY32 v2 to recover a reader's keys from the authentication attempts it makes against the emulated card; StaticNested for cards that return a fixed nonce on every authentication, where the timing-based Nested approach does not apply.
3.6 LF protocols in scope — EM410x, HID Prox, T5577
Condensed reference for the LF protocol families the Chameleon Ultra handles, at the level needed to understand Vol 5.
3.6.1 EM410x
The simplest LF credential: a 40-bit ID carried in a 64-bit frame (9-bit header, row and column parity, stop bit), Manchester encoded over ASK at 125 kHz, read-only; the baseline for most $5 LF duplicator tests.
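The EM410x frame and its Manchester coding, built and parsed. This is an added example for this primer, not Chameleon Ultra project code. The frame layout is the EM4100 format (9 header ones, ten nibbles each followed by an even row-parity bit, four even column-parity bits, a 0 stop bit); the Manchester polarity used (1 is high then low, 0 is low then high) is this model's choice, and the decoder tries both phases as a reader has to. The sample ID is constructed.

```python
"""EM410x credential: 40-bit ID in a 64-bit frame, Manchester coded.

Added example for this primer, not Chameleon Ultra project code. Manchester
polarity is this model's assumption; the decoder tries both phases."""

HEADER = [1] * 9


def em410x_frame(id40: int) -> list:
    """Build the 64-bit frame for a 40-bit ID (most significant nibble first)."""
    if not 0 <= id40 < 1 << 40:
        raise ValueError("EM410x IDs are 40 bits")
    bits, cols = list(HEADER), [0, 0, 0, 0]
    for i in range(10):
        nib = (id40 >> (36 - 4 * i)) & 0xF
        row = [(nib >> 3) & 1, (nib >> 2) & 1, (nib >> 1) & 1, nib & 1]
        bits += row + [sum(row) & 1]               # even row parity
        cols = [c ^ r for c, r in zip(cols, row)]  # running even column parity
    return bits + cols + [0]                       # column parities, stop bit


def em410x_parse(frame: list):
    """Validate a 64-bit frame; return the ID, or None on any header/parity error."""
    if len(frame) != 64 or frame[:9] != HEADER or frame[63] != 0:
        return None
    id40, cols = 0, [0, 0, 0, 0]
    for i in range(10):
        row = frame[9 + 5 * i:13 + 5 * i]
        if sum(row) & 1 != frame[13 + 5 * i]:
            return None
        cols = [c ^ r for c, r in zip(cols, row)]
        id40 = id40 << 4 | row[0] << 3 | row[1] << 2 | row[2] << 1 | row[3]
    return id40 if cols == frame[59:63] else None


def manchester_encode(bits: list) -> list:
    """One bit -> two half-bit levels."""
    return [lvl for b in bits for lvl in ((1, 0) if b else (0, 1))]


def manchester_decode(levels: list, phase: int):
    """Pair levels starting at `phase`; an illegal pair (0,0 or 1,1) means the
    phase is wrong, so return None rather than garbage."""
    out = []
    for i in range(phase, len(levels) - 1, 2):
        pair = (levels[i], levels[i + 1])
        if pair == (1, 0):
            out.append(1)
        elif pair == (0, 1):
            out.append(0)
        else:
            return None
    return out


def em410x_from_stream(levels: list):
    """Recover the ID from a capture of unknown phase and alignment: the tag loops
    its frame continuously, so the reader must find the header itself."""
    for phase in (0, 1):
        bits = manchester_decode(levels, phase)
        if bits is None:
            continue
        for start in range(len(bits) - 63):
            id40 = em410x_parse(bits[start:start + 64])
            if id40 is not None:
                return id40
    return None
```

Because every bit of the frame is either fixed (header, stop) or derived from the ID (parities), an emulator only needs the 40-bit ID to reproduce the tag exactly, which is why EM410x cloning is a single read followed by a single write.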
3.6.2 HID Prox
The dominant US corporate access-control LF standard: H10301 26-bit Wiegand (8-bit facility code, 16-bit card number, two parity bits) plus longer proprietary formats; covers the FSK encoding and why replaying the card's ID bitstream is sufficient for door readers, which check nothing beyond it.
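The H10301 payload itself, encoded and checked, as an added example for this primer (not Chameleon Ultra project code). It shows what a reader actually validates: 24 bits of public data and two parity bits. The HID Prox card-level framing that wraps this payload (FSK, preamble) is left out here; the facility code and card number in the test are constructed values.

```python
"""HID H10301 (26-bit Wiegand) encoder/decoder.

Added example for this primer, not Chameleon Ultra project code. Layout,
MSB first: P1 | FC (8 bits) | CN (16 bits) | P2, where P1 is even parity over
the first 12 data bits and P2 is odd parity over the last 12. The card-level
HID Prox framing around this payload is out of scope for this block."""


def _popcount(x: int) -> int:
    return bin(x).count("1")


def h10301_encode(facility: int, card: int) -> int:
    """Facility code and card number -> 26-bit Wiegand word."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = facility << 16 | card                 # the 24 payload bits
    p1 = _popcount(data >> 12) & 1               # even parity over the high 12 bits
    p2 = 1 - (_popcount(data & 0xFFF) & 1)       # odd parity over the low 12 bits
    return p1 << 25 | data << 1 | p2


def h10301_decode(word: int):
    """26-bit word -> (facility, card), or None if a parity bit is wrong."""
    if word >> 26:
        return None
    data = (word >> 1) & 0xFFFFFF
    p1, p2 = word >> 25, word & 1
    if p1 != _popcount(data >> 12) & 1:
        return None
    if p2 != 1 - (_popcount(data & 0xFFF) & 1):
        return None
    return data >> 16, data & 0xFFFF


def wiegand_bits(word: int, nbits: int = 26) -> str:
    """The bit string as it would be clocked out on the reader's DATA0/DATA1 lines."""
    return format(word, f"0{nbits}b")
```

With nothing in the word that depends on a secret, any device that can replay the 26 bits is indistinguishable from the card to the reader; the parity bits only catch transmission errors, not forgeries.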
3.6.3 T5577
The multi-protocol LF blank chip: configurable to emulate EM410x, HID Prox, Indala, and others; the Chameleon’s T5577 emulation mode and the T5577 password brute-force capability are covered in depth in Vol 5.
3.6.4 Other families (Indala, FDX-B, Paradox, AWD, PAC/Stanley)
Brief paragraph on each remaining supported LF family; pointers to Vol 5 §6 and §7 for emulation scope per protocol. [VERIFY: exact support level per family against current firmware]
3.7 What the Chameleon Ultra can and cannot do at the protocol layer
Provides a clean protocol-capability summary table before the reader enters the operational detail of Vols 4 and 5; flags the known limits (DESFire EV1/EV2 emulation scope, iCLASS/SEOS out of scope, HF protocols outside ISO 14443A require Proxmark3).
3.7.1 In-scope capabilities table
Table: protocol family → emulate (Y/N) → read/write (Y/N) → attack capability → vol reference.
3.7.2 Out-of-scope protocols
Notes the protocols the Chameleon does not support: ISO 15693 (HF vicinity), iCLASS SE/SEOS, FeliCa, Legic, ISO 14443B; cross-links to Proxmark3 RDV4 and iCopy-X for coverage of those.