Ultimate Magic Card (Gen4)


INTRODUCTION

The Ultimate Magic Card is a multi-protocol emulation card, capable of emulating all variants of the MIFARE Classic® (1K, 4K, Mini) and MIFARE Ultralight® families, with 4-byte, 7-byte and 10-byte UIDs.

More importantly, everything can be configured: card characteristics (ATQA, SAK and ATS values) and even card functionality (Read-Only mode, Read/Write mode, "Shadow Mode", etc.).

Essentially, it's a completely configurable emulation platform in card format.

For many years, magic cards have been progressively adding functionality. This card, the "Gen4", is the result of years of work: it is the ultimate magic card, and a must-have for pentesters, security professionals and enthusiasts.

Configurable Card Types
The Ultimate Magic Card contains presets of multiple card types:

  • MIFARE Mini
  • MIFARE 1k S50 4 byte UID
  • MIFARE 1k S50 7 byte UID
  • MIFARE 1k S50 10 byte UID
  • MIFARE 4k S70 4 byte UID
  • MIFARE 4k S70 7 byte UID
  • MIFARE 4k S70 10 byte UID
  • Ultralight
  • Ultralight-C
  • Ultralight Ev1
  • NTAG

As described below, all ATQA/SAK/ATS values are freely configurable, allowing for emulation of other or custom chipsets.

Configurable Parameters
The card supports configuration of the following parameters:

  • Preset Card Type
  • UID
  • UID Length (4-byte / 7-byte / 10-byte)
  • SAK (1 byte)
  • ATQA (2 bytes)
  • ATS (Custom length / Disable)

Configurable Functionality
The card has several modes of operation, depending on your requirements:

  • Shadow Mode
    Shadow Mode, or "Write once then forget" mode, allows the card to be pre-configured with data. When next updated (i.e., via a card reader / access control reader), modifications are temporarily maintained.

    The modified data can be read once, and then the card reverts to its pre-configured state.

    Shadow Mode is purpose built for in-the-field operations. Previously a card would have to be written, used, read and re-written manually; Shadow Mode takes care of this without any additional hardware.
  • Recovery Mode
    If the card is poorly configured, it can be pushed back into Recovery Mode - preventing unintentional bricking.
  • Auto-BCC Calculation
    The card automatically calculates BCC values, which saves time and avoids an incorrect BCC making the card undetectable.
  • Password Protection / One-Time-Write Emulation
    Configuration commands can be protected with a customisable password; it will not respond to magic commands or direct writes to restricted values unless the correct password is given, allowing the card to function as a "One-Time-Write" card.

Programming Compatibility
The card can be programmed on multiple platforms:

  • Proxmark / iCopy-XS (via the menu with LUA scripts)
  • Android / iOS via MTools
  • Flipper Zero
  • LibNFC (via manual commands)
  • Windows Platforms + LibNFC reader/writer (via GUI software)

Technical Specifications

| Feature | Information | Notes |
|---|---|---|
| Chipsets | MIFARE Mini; MIFARE 1k S50 4 byte UID; MIFARE 1k S50 7 byte UID; MIFARE 1k S50 10 byte UID; MIFARE 4k S70 4 byte UID; MIFARE 4k S70 7 byte UID; MIFARE 4k S70 10 byte UID; Ultralight; Ultralight-C; Ultralight Ev1; NTAG | |
| Memory Size | 144 bytes - 4K | |
| UID Size | 4-byte / 7-byte / 10-byte | |
| UID Modifiable | ✔️ | |
| ATQA / SAK Configurable | ✔️ | |
| ATS Configurable | ✔️ | Custom length / Disable |

Write Capabilities
UID Modifiable Unlock Required DirectWrite / Block 0 One Time Write Notes
✔️ ✔️ ✔️ One Time Write is reversible

Device Compatibility

| Compatibility | UID | R/W | Config | Notes |
|---|---|---|---|---|
| Flipper Zero | ✔️ | ✔️ | ✔️ | |
| Proxmark / iCopy-X | ✔️ | ✔️ | ✔️ | |
| Android & iOS | ✔️ | ✔️ | ✔️ | Configuration via MTools |
| LibNFC | ✔️ | ✔️ | ✔️ | Configuration via raw commands |
| ChameleonUltra | ✔️ | ✔️ | ✔️ | Configuration via MTools |

Hands on: See the card in action

Depending on your tools, there are multiple ways to program this card:

  • MTools on Android / iOS: Simple UI with Full configuration options
  • Proxmark / iCopy-X: Via raw commands or the LUA Script (not all features implemented)
  • Flipper Zero: Simple configuration via the NFC Application
  • LibNFC: via tamashell. Manual commands.

Proxmark / iCopy-X

There are two ways to program this card:

  1. Use the raw commands designated by the examples.
  2. Use the hf_mf_ultimatecard.lua script commands. This script is not fully compatible with the new UMC version.

Special raw commands summary:

 

Default :

Characteristics

  • UID: 4b, 7b and 10b versions
  • ATQA/SAK: changeable
  • BCC: computed
  • ATS: changeable, can be disabled
  • Card Type: changeable
  • Shadow mode: GTU
  • Backdoor password mode

Proxmark3 Commands

 

Change ATQA / SAK

 
Warning:
  • ATQA bytes are swapped in the command
  • ATQA bytes that result in can be corrected with
  • When SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on, otherwise the card may not be recognized by some readers!
  • Never set SAK bit 3 (e.g. SAK=04), it indicates an extra cascade level is required

Example: ATQA 0044 SAK 28, default pwd

 

Or (note: the script will correct the ATQA)

 

Change ATS

 
  • : ATS length byte, set to to disable ATS
  • When SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on
  • ATS CRC will be added automatically, don't configure it
  • Max ATS length: 16 bytes (+CRC)

Example: ATS to 0606757781028002F0, default pwd

 

Or

 

Set UID Length (4, 7, 10)

 
    • : 4 bytes
    • : 7 bytes
    • : 10 bytes

Example: set UID length to 7 bytes, default pwd

 

Set 14443A UID

UID is configured according to block0 with a backdoor write.

Example: preparing first two blocks:

 

MFC mode 4b UID

⇒ UID

 

MFC mode 7b UID

⇒ UID

 

MFC mode, 10b UID

⇒ UID

 

(De)Activate Ultralight Mode

 
    • : MIFARE Classic mode
    • : MIFARE Ultralight/NTAG mode

Example: activate Ultralight protocol, default pwd

 

Or

 

In this mode, if SAK= and ATQA=, it acts as an Ultralight card

Warning: Only the first four bytes of each block will be mapped in the Ultralight memory map (so the Ultralight block numbers follow backdoor R/W block numbers).

Select Ultralight Mode

 
    • : UL EV1
    • : NTAG
    • : UL-C
    • : UL

Warning: This assumes Ultralight mode has been activated (cf. command )

Example: set Ultralight mode to Ultralight-C, default pwd

 

Or

 

Now the card supports the 3DES UL-C authentication.

Set Shadow Mode (GTU)

 
    • : pre-write, shadow data can be written
    • : restore mode (WARNING: new UMC (06a0) cards return garbage data when using 01)
    • : disabled
    • : disabled, high speed R/W mode for Ultralight?
    • : split mode, works with new UMC; untested with old UMC.

Direct Block Read and Write

Using the backdoor command, one can read and write any area without the MFC password, similarly to an MFC Gen1 card.

Backdoor read 16b block:

 

Backdoor write 16b block:

 

Read/Write operations work on 16 bytes, no matter the Ultralight mode.

Example: read block0, default pwd

 

Example: write block0 with factory data, default pwd

 

(De)Activate Direct Write to Block 0

This command enables/disables direct writes to block 0.

 
    • : Activate direct write to block 0 (Same behaviour of Gen2 cards. Some readers may identify the card as magic)
    • : Deactivate direct write to block 0 (Same behaviour of vanilla cards)
    • : Default value. (Same behaviour as (?))

Change Backdoor Password

All backdoor operations are protected by a password. If the password is forgotten, it can't be recovered. The default password is 00000000.

Warning: New UMC (06A0) returns 6300 when issued the password change command. Instead, write the password using F0, entering the full configuration but with the new password.

Change password:

 

Example: change password from 00000000 to AABBCCDD

 

Dump Configuration

 

Default configuration:

 

Fast Configuration

 

See Dump configuration for configuration data description.

Example: Write factory configuration, using default password

 
Warning: The variant with command instead of will permanently set and fuse the configuration. Backdoor R/W will still work.

Presets

Here are some presets available in the FuseTool (but with all ATS disabled)

MIFARE Mini S20 4-byte UID

 

MIFARE Mini S20 7-byte UID

 

MIFARE 1k S50 4-byte UID (this is the factory setting)

 

MIFARE 1k S50 7-byte UID

 

MIFARE 4k S70 4-byte UID

 

MIFARE 4k S70 7 byte UID

 

Ultralight

 

Ultralight-C

 

Ultralight EV1

 

NTAG21x

 

Live Demonstration - Proxmark Raw commands

Live Demonstration - Proxmark Built-in commands

LibNFC / Tamashell Commands for Gen4 Cards

LibNFC and Tamashell provide an alternative method to interact with Ultimate Magic Cards (Gen4/GTU) using raw commands through PN53x-based readers like the DL533N.

Command Format

LibNFC/Tamashell commands require a specific preamble before each Gen4 command:

 

Starting Tamashell

 

This will open an interactive session with your PN53x-based NFC reader.

Dump Configuration

Read the current Gen4 card configuration (default password 00000000):

 

Returns 32 bytes of configuration data.

Get Version Info

Check the Gen4 card version:

 

Returns version information:

  • Old UMC:
  • New UMC:

Backdoor Read Block

Read a 16-byte block via backdoor (example: block 0):

 

Replace at the end with the desired block number.

Backdoor Write Block

Write a 16-byte block via backdoor (example: change UID to AA BB CC DD):

 

Format:

Change ATQA/SAK

Set ATQA and SAK values (example: ATQA 0044, SAK 18 for 4K card):

 
Warning:
  • ATQA bytes are swapped in the command
  • When SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on
  • Never set SAK bit 3 (e.g. SAK=04)

Configure ATS

Set ATS (Answer To Select) data:

 

Format:

  • Set length to to disable ATS
  • ATS CRC is added automatically
  • Maximum ATS length: 16 bytes (+CRC)

Set UID Length

Configure UID length (4, 7, or 10 bytes):

4-byte UID:

 

7-byte UID:

 

10-byte UID:

 

Write 7-byte UID

After setting UID length to 7 bytes, write the UID to block 0:

 

The UID starts with (cascade tag) followed by the 6 UID bytes.

Set GTU Shadow Mode

Configure shadow mode operation:

Pre-write mode:

 

Disabled:

 

Split mode (new UMC):

 

(De)Activate Direct Write to Block 0

Deactivate (vanilla card behaviour):

 

Activate (Gen2-like behaviour):

 

Switch to Ultralight Mode

Activate Ultralight protocol:

 

Switch back to MIFARE Classic:

 

Select Ultralight Mode

After activating Ultralight protocol, select specific mode:

Ultralight EV1:

 

NTAG:

 

Ultralight-C:

 

Ultralight:

 

Fast Configuration

Set all parameters at once (example: MIFARE 1K 4-byte UID factory default):

 
Warning: Using command instead of will permanently fuse the configuration. Backdoor R/W will still work, but configuration cannot be changed.

Change Backdoor Password

Change the backdoor password from default (00000000) to a new value:

 
Warning:
  • New UMC (06A0) may return error 6300 with this command
  • For new UMC, use the F0 fast configuration command with the new password
  • If password is lost, it cannot be recovered!

Using New Password

After changing password, use the new password in all commands:

 

Replace with your new password in all commands.

Presets

Common card configurations using fast configuration command:

MIFARE Mini S20 4-byte UID:

 

MIFARE 1K S50 4-byte UID (factory default):

 

MIFARE 1K S50 7-byte UID:

 

MIFARE 4K S70 4-byte UID:

 

MIFARE 4K S70 7-byte UID:

 

Ultralight:

 

Ultralight-C:

 

Ultralight EV1:

 

NTAG21x:

 

Exit Tamashell

 

Notes

  • All commands require the initialization before the command
  • Default password is 00000000
  • Commands are case-insensitive for hex values
  • Spaces between hex bytes are required
  • LibNFC/Tamashell works with PN53x-based readers (ACR122U, PN532, etc.)

Live Demonstration - LibNFC / Tamashell commands

Unbricking

"Soft-bricking" refers to when a magic card has been configured in a way that prevents it from being detected. Ways of soft-bricking tags include:

  • Incorrect BCC
  • Incorrect SAK
  • Incorrect ATQA
  • Incorrect ATS
  • Incorrect ACL (Access Control) Values
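
A pre-flight check for the BCC, SAK, ATQA and ATS causes above, built from the SAK/ATS warnings on this page plus ISO/IEC 14443-3 rules for BCC and the ATQA UID-size bits (the ISO rules go beyond what the page states). This is an added example, not Lab401 or Proxmark code; all function names are hypothetical, the UID is constructed, and ATQA is passed as the conventional 16-bit value (0x0044), not in the swapped command order.

```python
# Added example (not Lab401 or Proxmark code); all names are hypothetical.
# [page] = rule from this page's warnings, [ISO] = ISO/IEC 14443-3 fact.
from functools import reduce
from typing import List, Optional

CASCADE_TAG = 0x88                     # [ISO] "UID continues in next level"
UID_SIZE_BITS = {4: 0, 7: 1, 10: 2}    # [ISO] ATQA bits 8..7 (1-based)

def cascade_levels(uid: bytes) -> List[bytes]:
    """Split a 4/7/10-byte UID into the 4-byte groups sent per cascade level."""
    if len(uid) not in UID_SIZE_BITS:
        raise ValueError("UID must be 4, 7 or 10 bytes")
    levels, rest = [], uid
    while len(rest) > 4:
        levels.append(bytes([CASCADE_TAG]) + rest[:3])
        rest = rest[3:]
    return levels + [rest]

def bcc(level: bytes) -> int:
    """[ISO] BCC is the XOR of the four bytes of one cascade level."""
    return reduce(lambda a, b: a ^ b, level)

def check_config(uid: bytes, atqa: int, sak: int,
                 ats: Optional[bytes]) -> List[str]:
    """Return the problems found; ats=None means ATS is disabled."""
    if len(uid) not in UID_SIZE_BITS:
        return ["UID must be 4, 7 or 10 bytes"]
    problems = []
    if sak & 0x04:                     # [page] SAK bit 3 (1-based)
        problems.append("SAK bit 3 set: an extra cascade level is expected")
    if sak & 0x20 and ats is None:     # [page] SAK bit 6 (1-based)
        problems.append("SAK bit 6 set but ATS is disabled")
    if ats is not None and len(ats) > 16:   # [page] max length, CRC excluded
        problems.append("ATS longer than 16 bytes")
    if (atqa >> 6) & 0x3 != UID_SIZE_BITS[len(uid)]:   # [ISO]
        problems.append("ATQA UID-size bits do not match the UID length")
    return problems

if __name__ == "__main__":
    uid = bytes.fromhex("04112233445566")            # constructed 7-byte UID
    for level in cascade_levels(uid):
        print(level.hex(), "BCC", f"{bcc(level):02x}")
    # ATQA 0044 / SAK 28 is the page's example; ATS left disabled on purpose.
    print(check_config(uid, atqa=0x0044, sak=0x28, ats=None))
```
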

Some "soft-brick" situations can be resolved with special commands. If your MIFARE Mini® Compatible 4-byte UID Modifiable is "soft-bricked", you can try recovering it with the following methods:

With Proxmark / iCopy-X

 

Via external reader/writer and MTOOLS

Select the "UID Changer" function in MTools, select "bricked" and run the task

Via LibNFC & tamashell

 

IMPORTANT:

Lab401 cannot provide refunds under any circumstances for cards that were 'bricked' due to incorrect configurations.
