Mifare Ultralight ev1 48 bytes (MF0UL1101)

Aliendennis · 2016-04-09 18:01:14

Hi All,

Pretty new here.

I am trying to clone a mifare ultralight ev1 48 bytes (MF0UL1101)

Manufacturer: NXP Semiconductors Germany.

UID: 04 64 f0 42 ea 40 81

Can any kind soul guide me through this ?

What card do I need for this ? Normal Mifare 1k ?

Thanks all in advance.

iceman · 2016-04-09 19:04:06

you will need a mifare ultralight ev1 tag to clone it upon.
or use a pm3 to simulate it.

Read up on the "hf mfu" commands on this forum, the wiki, github etc..

Aliendennis · 2016-04-10 02:27:44

yes i have a pm3. i dont have the tag yet. will probably order them soon.

iceman · 2016-04-10 07:55:28

then you can simulate with the pm3

tristanik · 2016-04-11 11:26:29

Mifare ultralight ev1 magic does not exist. Full clone is not possible

iceman · 2017-11-08 23:04:12

To rewive an old thread,

...well no, but almost, today there exists a magic ntag. All extended commands doesnt work but it does clone a lot of these kinds of tags.

tristanik · 2017-11-27 11:57:01

Iceman , where I can buy this tag?

iceman · 2017-11-27 13:28:22

three shops has it.
mine, lab401 and rfxsecure.

tristanik · 2017-11-27 13:56:43

But this clonable card have One-Way counters as ev1 original?

iceman · 2017-11-27 14:57:17

well, for NTAG213,215,216, yes. I don't think I ever tested it when configured for UL EV1...

tristanik · 2017-11-28 13:03:37

the instructions say this:

It can also perform limited1 emulation of:

NTAG 210
NTAG 212
NTAG I2C 1K
NTAG 12C 2K
NTAG I2C 1K Plus
NTAG 12C 2K Plus
Ultralight EV1 48k
Ultralight EV1 128k

1 Limited Emulation means that the tag will simulate (identify and respond) as the selected card, but counter and tearing emulation are not 1:1 with original chipsets.

bogito · 2017-12-01 18:24:58

Indeed. I tried the emulation of UL-EV1 and everything works great using iceman's script, except for the counters and the tearing.

I tried following the guide "Cloning password-protected NTAG213 and EV1 tags" in emutag's how-to page (which was the only reference I found regarding setting counters), where they suggest to "write previously recorded values to pages 43, 44, 45 for counters 0, 1, 2 respectively" for an EV1 card. But no such luck.

Afterwards, I noticed in iceman's script that he writes the signature in address F2+ so I was wondering if we can set the counters in some addresses like that. But then again, the tearing check will always fail.

iceman · 2017-12-02 09:04:52

I'm belive the counters/tearing is different between ULEv1 and NTAG, hence the magic NTAG doesn't support it.
I also belive its doable to get a new remake of the magic NTAG to support the missing parts for "genuine" UL Ev1 support. However like all Research & Development, there will not be any if the current magic ntag doesn't have any sales. If market is not interested in such a product, the product will be end-of-life very soon. If market finds it great, then the bigger production is possible and the price drops will happen. Just like a uid changeable mifare classic 1k/s50 (gen 1a), which sells for 3rmb (perfect ones) and less than 1rbm for the rest.

Having been one of the ppl who driven the research forward for new uid-changeable tags, I can say that the market is not really interested in it. It seems its just me who are excited about it. Thats a shame.

Proxmark3 community

Announcement

#1 2016-04-09 18:01:14

Mifare Ultralight ev1 48 bytes (MF0UL1101)

#2 2016-04-09 19:04:06

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

#3 2016-04-10 02:27:44

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

#4 2016-04-10 07:55:28

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

#5 2016-04-11 11:26:29

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

#6 2017-11-08 23:04:12

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

#7 2017-11-27 11:57:01

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

#8 2017-11-27 13:28:22

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

#9 2017-11-27 13:56:43

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

#10 2017-11-27 14:57:17

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

#11 2017-11-28 13:03:37

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

#12 2017-12-01 18:24:58

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

#13 2017-12-02 09:04:52

Re: Mifare Ultralight ev1 48 bytes (MF0UL1101)

Board footer