Chameleon Ultra · Volume 2

Chameleon Ultra — Hardware Tour

nRF52840 SoC, MFRC522 HF frontend, dual-band analog front end, button/LED/battery/antenna/USB-C; Ultra vs Lite

Stub — section skeleton authored 2026-06-27; prose to follow.

2.1 Overview and orientation

Orients the reader to the physical form factor (~2.4 × 4.0 × 0.8 cm), identifies major external features, and sets up the PCB-level tour that follows.

2.2 The nRF52840 SoC

Covers the Nordic nRF52840: ARM Cortex-M4 @ 64 MHz, 1 MB flash, 256 KB RAM, integrated BLE 5.0; explains why the nRF52840 was chosen over simpler MCUs and what the BLE integration enables for the ChameleonUltraGUI control path.

2.2.1 Core specs

Tabulates MCU parameters: core, clock, flash, RAM, BLE version.

2.2.2 Role in dual-band operation

Explains that the nRF52840 handles LF directly through its analog path and orchestrates the MFRC522 for HF; describes the division of labor.

2.2.3 Firmware execution model

Brief note on how the GPL-3.0 firmware runs on the nRF52840 and what that means for open-source extensibility; deferred to Vol 9 for depth.

2.3 The MFRC522 HF reader frontend

Describes the NXP MFRC522 chip: its role as the dedicated 13.56 MHz reader/writer IC, its SPI interface to the nRF52840, and why it enables active HF card reads and Crypto1 attacks — capabilities the Chameleon Lite (no MFRC522) cannot perform.

2.3.1 What the MFRC522 does

Explains the MFRC522’s function: ISO 14443A framing, modulation/demodulation at 13.56 MHz, anticollision, and how it hands card data up to the nRF52840.

2.3.2 Ultra vs Lite: the MFRC522 dividing line

Draws the architectural distinction — Lite has no reader chip, Ultra does — and summarizes the operational consequences (Lite = emulate-only; Ultra = read + attack + emulate).

2.4 The LF analog path

Describes how the nRF52840’s own analog front end handles 125 kHz LF operation; notes the absence of a dedicated LF reader IC and the implications for LF read range vs Proxmark3 RDV4 (see also §9 of Vol 5).

2.4.1 Signal generation and detection

Explains how 125 kHz carrier and modulation are generated and how card responses are detected on the nRF52840 LF path.

2.4.2 Supported LF protocol families

Lists the LF families handled by this path (EM4XX, T5577, HID Prox, Indala, FDX-B, Paradox, AWD, PAC/Stanley); points to Vol 5 for full operational detail.

2.5 Antennas — HF and LF coils

Describes the two antenna coils embedded in the device: the 13.56 MHz HF coil (matched to the MFRC522 frontend) and the 125 kHz LF coil (driven by the nRF52840 analog path); covers coupling geometry and practical read-range notes.

2.5.1 HF coil

Covers the 13.56 MHz coil geometry, matching network, and practical read range in emulation vs active-read mode. [VERIFY: antenna dimensions and matching network topology from community teardown data]

2.5.2 LF coil

Covers the 125 kHz coil and its limitations relative to a Proxmark3 RDV4’s dedicated LF antenna board. [VERIFY: LF coil dimensions]

2.6 Button, RGB LED, and status indicators

Describes the single physical button (slot cycling) and the RGB LED (state/slot indication); maps observed LED colors to device states. [VERIFY: current LED color scheme per firmware version]

2.6.1 Button behavior

Explains that the button cycles the active slot when no BLE session is active; notes behavior during BLE-connected operation.

2.6.2 RGB LED states

Maps LED colors to device states (idle, active-HF slot, active-LF slot, charging, BLE connected, firmware update mode). [VERIFY: exact color-to-state mapping against current firmware]

2.7 Battery and power management

Covers the 90 mAh LiPo cell: capacity, standby life (~6 months noted in Vol 1), charge-via-USB-C behavior, and any low-battery indication. [VERIFY: standby vs active current draw figures from firmware / community measurement]

2.7.1 LiPo cell specs

States confirmed capacity (90 mAh) and estimates standby vs active draw.

2.7.2 Charging behavior

Describes the USB-C charge path; notes any charge-status indication via the LED.

2.8 USB-C interface

Describes the USB-C port’s dual role: power/charging and the USB serial CLI interface; briefly introduces the CLI as an alternative to BLE (full CLI reference deferred to Vol 6 and Vol 7).

2.9 The Chameleon Lite — what changes

Summarizes the Chameleon Lite’s hardware delta vs the Ultra: no MFRC522 (emulation-only), button-cell battery (longer standby), smaller/lower-cost form factor; establishes the Lite as a valid tool when the task is purely credential presentation rather than read-attack-emulate.

2.9.1 Hardware comparison table

Side-by-side table: MCU, reader chip, battery type, HF slots, LF slots, attack capability, price tier.

2.9.2 When to choose the Lite

Brief decision guidance — Lite wins on standby life and price when active reading/attacking is never needed; Ultra wins when the full read→attack→emulate loop is required in the field.

2.10 Teardown notes

Summarizes available community teardown data — PCB photos, component callouts, stacking order — and flags any discrepancies between documented specs and physical inspection findings. [VERIFY: community teardown sources — Lab401 product photos, GitHub issues, r/hacking teardown posts]

2.10.1 Known teardown resources

Lists community photo sources for PCB-level inspection. [VERIFY]

2.10.2 Notable observations

Placeholder for anything notable from teardown data once verified — solder quality, antenna construction method, any undocumented testpoints. [VERIFY]