Chameleon Ultra · Volume 5

Chameleon Ultra — LF Emulation

125 kHz emulation (EM410x, HID Prox, T5577, Indala, FDX-B, and more); the 8 LF slots; T5577 password brute-force

Stub — section skeleton authored 2026-06-27; prose to follow.

5.1 The 8 LF slot model

Explains the 8-slot architecture for LF: each slot independently stores a card type and a credential value; LF slots and HF slots are managed in parallel but operate independently; switching between LF slots follows the same button/BLE mechanism as HF.

5.1.1 LF slot independence

Notes that each LF slot is independently configured with a protocol type (EM410x, HID Prox, T5577, etc.) and credential value; no cross-contamination between slots.

5.1.2 Persistence

States that LF slot data persists across power cycles in nRF52840 flash, same as HF slots.

5.2 LF emulation mechanics on the nRF52840

Describes how the nRF52840 generates the 125 kHz carrier and modulates it to emulate a target LF credential; notes the absence of a dedicated LF reader IC (unlike the HF path’s MFRC522) and the implications for emulation fidelity.

5.2.1 Carrier generation

Explains how the 125 kHz carrier is synthesized by the nRF52840’s hardware timers or PWM peripherals; notes that this is a software-driven analog front end rather than a dedicated chip. [VERIFY: nRF52840 LF carrier generation implementation detail from firmware source]

5.2.2 Modulation and encoding

Describes how the firmware applies AM/ASK modulation and the appropriate encoding (Manchester, Bi-phase, PSK) for each LF protocol family.

5.2.3 Reader-compatibility considerations

Notes any known readers that may not accept nRF52840-generated LF signals due to timing or amplitude differences from the original card. [VERIFY: known compatibility issues from firmware issue tracker]

5.3 EM410x — the simplest LF credential; emulation and capture

Covers EM410x (also EM4100/EM4102): 64-bit ID value, Manchester encoded, read-only, no authentication; the most widely deployed “dumb” LF credential; explains how to load a 10-digit hex ID into a slot and emulate it.

5.3.1 EM410x protocol summary

States the EM410x bit structure (version + facility code + card ID, 64 bits total) and Manchester encoding scheme; cross-references Vol 3 §6.1 for the physics context.
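The 64-bit frame and its parity checks, as an added example (not ChameleonUltra firmware or GUI code). It assumes the commonly documented EM4100 layout: nine header 1-bits, ten rows of 4 data bits each followed by an even row-parity bit, four even column-parity bits, and a 0 stop bit, so the 40 data bits are the 10-digit hex ID. The function names, the Manchester polarity and the sample ID are constructed for illustration.

```python
import string

HEADER = [1] * 9  # nine 1-bits mark the start of the frame

def even_parity(bits):
    return sum(bits) & 1

def em410x_encode(hex_id):
    """Build the 64-bit frame for a 10-hex-digit (40-bit) ID."""
    if len(hex_id) != 10 or any(c not in string.hexdigits for c in hex_id):
        raise ValueError("ID must be exactly 10 hex digits")
    value = int(hex_id, 16)
    data = [(value >> (39 - i)) & 1 for i in range(40)]   # MSB first
    rows = [data[i:i + 4] for i in range(0, 40, 4)]
    frame = list(HEADER)
    for row in rows:
        frame += row + [even_parity(row)]                 # 4 data bits + row parity
    frame += [even_parity(col) for col in zip(*rows)]     # 4 column parity bits
    return frame + [0]                                    # stop bit

def em410x_decode(frame):
    """Validate a 64-bit frame and return the 10-hex-digit ID."""
    if len(frame) != 64 or frame[:9] != HEADER or frame[63] != 0:
        raise ValueError("bad length, header or stop bit")
    rows = []
    for r in range(10):
        group = frame[9 + 5 * r: 14 + 5 * r]
        if even_parity(group[:4]) != group[4]:
            raise ValueError(f"row {r} parity error")
        rows.append(group[:4])
    if [even_parity(col) for col in zip(*rows)] != frame[59:63]:
        raise ValueError("column parity error")
    value = 0
    for bit in (b for row in rows for b in row):
        value = (value << 1) | bit
    return f"{value:010X}"

def manchester(frame):
    """Half-bit levels; 1 -> high,low and 0 -> low,high (polarity is an assumption)."""
    return [level for b in frame for level in ((1, 0) if b else (0, 1))]

SAMPLE_ID = "0A1B2C3D4E"          # constructed sample, not a real credential
FRAME = em410x_encode(SAMPLE_ID)
```

The parity bits only catch read errors; nothing in the frame authenticates the card, which is why the text calls EM410x a credential with no authentication.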

5.3.2 Capturing an EM410x credential

Describes reading an EM410x card using the Chameleon Ultra’s LF read path: card placement, ChameleonUltraGUI read operation, result format.

5.3.3 Loading and emulating an EM410x slot

Step-by-step: configure slot as EM410x, enter the 10-digit ID (or load from a capture), present to reader. [VERIFY: current ChameleonUltraGUI workflow]

5.4 HID Prox — H10301 26-bit and variants; emulation scope

Covers HID Prox: the dominant US corporate access-control LF credential; H10301 is the 26-bit standard format (8-bit facility code + 16-bit card number + parity), but dozens of proprietary HID formats exist; explains which formats the Chameleon Ultra supports and how to load and emulate a HID Prox credential.

5.4.1 H10301 26-bit format

Explains the 26-bit Wiegand bit structure and FSK encoding used by H10301; explains why the reader cares about facility code + card number, not the raw LF waveform.
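The 26-bit layout worked through in code, as an added example (not taken from the Chameleon Ultra firmware or ChameleonUltraGUI). It assumes the standard H10301 bit order: a leading even-parity bit covering the first 12 data bits, the 8-bit facility code, the 16-bit card number, and a trailing odd-parity bit covering the last 12 data bits. The function names and sample values are constructed.

```python
def h10301_encode(facility_code, card_number):
    """Pack FC and CN into the 26-bit value, computing both parity bits."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = (facility_code << 16) | card_number       # 24 data bits
    upper, lower = data >> 12, data & 0xFFF
    p_even = bin(upper).count("1") & 1               # makes first 13 bits even
    p_odd = (bin(lower).count("1") & 1) ^ 1          # makes last 13 bits odd
    return (p_even << 25) | (data << 1) | p_odd

def h10301_decode(raw):
    """Return (facility_code, card_number, parity_ok) for a 26-bit value."""
    if not 0 <= raw < (1 << 26):
        raise ValueError("value does not fit in 26 bits")
    bits = [(raw >> (25 - i)) & 1 for i in range(26)]  # MSB first
    even_ok = sum(bits[:13]) % 2 == 0    # leading parity + first 12 data bits
    odd_ok = sum(bits[13:]) % 2 == 1     # last 12 data bits + trailing parity
    facility_code = (raw >> 17) & 0xFF
    card_number = (raw >> 1) & 0xFFFF
    return facility_code, card_number, even_ok and odd_ok

# Constructed sample values, not a real credential.
SAMPLE_FC, SAMPLE_CN = 123, 45678
SAMPLE_RAW = h10301_encode(SAMPLE_FC, SAMPLE_CN)

# Parity is error detection only: one flipped bit is caught, but two flips
# inside the same 13-bit half cancel out and still pass the check.
ONE_FLIP = h10301_decode(SAMPLE_RAW ^ 0b10)
TWO_FLIPS = h10301_decode(SAMPLE_RAW ^ 0b110)
```

The decoded facility code and card number are the only fields the format carries, which matches the point above that the reader cares about those two numbers and not the raw waveform.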

5.4.2 Extended HID formats

Notes that HID uses many proprietary formats beyond H10301 (35-bit Corporate 1000, 37-bit, etc.); states which are in scope for the Chameleon Ultra. [VERIFY: HID format support list from current firmware]

5.4.3 Capturing and emulating HID Prox

Step-by-step for reading a HID Prox card and loading it into an LF slot. [VERIFY: current ChameleonUltraGUI workflow]

5.5 T5577 emulation and T5577 password brute-force attack

Covers the T5577: the multi-protocol LF writable chip that can be programmed to emulate EM410x, HID Prox, Indala, and others; explains how the Chameleon Ultra emulates T5577 behavior and its T5577 password brute-force capability for locked T5577 cards.

5.5.1 T5577 as a multi-protocol blank

Explains the T5577’s role in the LF ecosystem: it is the writable blank behind most commercial LF “cloner” workflows; the Chameleon Ultra emulates its behavior without requiring physical T5577 media.

5.5.2 T5577 password protection

Explains that T5577 cards can be password-locked to prevent unauthorized writes; notes that many deployed T5577 clones use default or predictable passwords.

5.5.3 T5577 password brute-force on the Chameleon Ultra

Describes the brute-force attack: iterates the 32-bit T5577 password space (or a dictionary of common passwords) against a locked T5577 card until the correct password is found and write access is granted. [VERIFY: attack implementation detail — dictionary vs full brute-force range, estimated time-to-completion from firmware docs or community reports]

5.5.4 Limitations and when to use Proxmark3 instead

Notes that the Proxmark3 RDV4 has a more mature T5577 toolchain for edge cases; cross-links to Vol 9 of the Proxmark3 series.

5.6 Indala

Covers Indala LF emulation: a proprietary format used by Motorola/HID in some access-control deployments; explains the encoding differences from EM410x and HID Prox and the Chameleon Ultra’s emulation scope. [VERIFY exact format support — Indala 26-bit (H10302) and Indala 29-bit, and whether both are supported in current firmware]

5.6.1 Indala encoding

Describes Indala’s PSK encoding and bit structure; notes differences from EM410x (Manchester) and HID Prox (FSK). [VERIFY]

5.6.2 Capturing and emulating Indala

Step-by-step. [VERIFY: current ChameleonUltraGUI workflow and confirmed format variants]

5.7 FDX-B, Paradox, AWD, PAC/Stanley

Brief operational coverage of the remaining supported LF protocol families: FDX-B (ISO 11784/11785, animal identification), Paradox (security panel credentials), AWD, and PAC/Stanley (UK access-control); explains what each is used for and the emulation scope for each. [VERIFY exact emulation scope per protocol against current firmware — some of these may be read-only capture rather than full emulation]

5.7.1 FDX-B (ISO 11784/11785)

Notes FDX-B as the pet/livestock microchip standard; practical use case in the pentest context is reading implanted credentials in authorized TSCM/audit scenarios. [VERIFY: emulation vs read-only in firmware]

5.7.2 Paradox

Brief note on Paradox security panel LF credentials and emulation scope. [VERIFY]

5.7.3 AWD and PAC/Stanley

Brief notes on AWD and PAC/Stanley (UK market access-control) and emulation scope. [VERIFY]

5.8 Reading LF cards — the nRF52840 LF read path vs MFRC522 (HF-only reader)

Clarifies an important architectural point: the MFRC522 is an HF-only chip; LF card reads are performed by the nRF52840’s own analog front end, not by any dedicated LF reader IC. Explains the practical consequences for read reliability, field position sensitivity, and troubleshooting.

5.8.1 The LF read path in detail

Describes signal flow during an LF card read: card placed on coil, carrier is driven by nRF52840, card response is demodulated by the nRF52840 ADC + firmware DSP. [VERIFY: implementation detail from firmware source]

5.8.2 Common LF read failures and fixes

Lists the most common read-failure scenarios: wrong card orientation, insufficient coupling distance, protocol not auto-detected; troubleshooting steps via ChameleonUltraGUI.

5.9 Limitations — LF read range vs Proxmark3 RDV4

Honestly assesses the Chameleon Ultra’s LF read performance limitations relative to the Proxmark3 RDV4: the Proxmark3 uses a purpose-built, swappable LF antenna board and a dedicated FPGA-based demodulator, giving it substantially better LF read range and signal quality. Explains when this matters operationally and when the Chameleon’s LF capability is sufficient.

5.9.1 Where the Chameleon Ultra LF is sufficient

Notes that for mainstream LF credential capture and emulation in close-proximity field use, the Chameleon Ultra’s LF capability covers the common case.

5.9.2 Where Proxmark3 wins

Identifies the cases that require Proxmark3 LF: exotic or degraded cards, long-range read attempts, LF signal analysis/debugging, custom LF protocol research.