INTRODUCTION
The Ultimate Magic Card is a multi-protocol emulation card, capable of emulating all variants of the MIFARE Classic® (1K, 4K, Mini), MIFARE Ultralight®, MIFARE Ultralight® families, with 4-byte, 7-byte and 10-byte UIDs.
More importantly, everything can be configured: card characteristics (ATQA, SAK, ATS values) and even card functionality (Read-Only mode, Read/Write Mode, "Shadow Mode", etc.).
Essentially, it's a completely configurable emulation platform in card format.
For many years, magic cards have been progressively adding functionality: this card, the "Gen4" is the result of years of work: it is the ultimate magic card - and a must-have for pentesters, security professionals and enthusiasts.
Configurable Card Types
The Ultimate Magic Card contains presets of multiple card types:
- MIFARE Mini
- MIFARE 1k S50 4 byte UID
- MIFARE 1k S50 7 byte UID
- MIFARE 1k S50 10 byte UID
- MIFARE 4k S70 4 byte UID
- MIFARE 4k S70 7 byte UID
- MIFARE 4k S70 10 byte UID
- Ultralight
- Ultralight-C
- Ultralight Ev1
- NTAG
As below, all ATQA/SAK/ATS values are freely configurable, allowing for emulation of other or custom chipsets.
Configurable Parameters
The card supports configuration of the following parameters:
- Preset Card Type
- UID
- UID Length (4-byte / 7-byte / 10-byte)
- SAK (1 byte)
- ATQA (2 bytes)
- ATS (Custom length / Disable)
Configurable Functionality
The card has several modes of operation, depending on your requirements:
- Shadow Mode
  Shadow Mode, or "Write once then forget" mode, allows the card to be pre-configured with data. When next updated (ie, via a card reader / access control reader), modifications are temporarily maintained.
  The modified data can be read once, and then the card reverts to its pre-configured state.
  Shadow Mode is purpose built for in-the-field operations. Previously a card would have to be written, used, read and re-written manually; Shadow Mode takes care of this without any additional hardware.
- Recovery Mode
  If the card is poorly configured, it can be pushed back into Recovery Mode - preventing unintentional bricking.
- Auto-BCC Calculation
  The card automatically calculates BCC values, saving time and avoiding making the card undetectable.
- Password Protection / One-Time-Write Emulation
  Configuration commands can be protected with a customisable password; it will not respond to magic commands or direct writes to restricted values unless the correct password is given, allowing the card to function as a "One-Time-Write" card.
Programming Compatibility
The card can be programmed on multiple platforms:
- Proxmark / iCopy-XS (via the menu with LUA scripts)
- Android / iOS via MTools
- Flipper Zero
- LibNFC (via manual commands)
- Windows Platforms + LibNFC reader/writer (via GUI software)
| Feature | Information | Notes |
|---|---|---|
| Chipsets | MIFARE Mini, MIFARE 1k S50 4 byte UID, MIFARE 1k S50 7 byte UID, MIFARE 1k S50 10 byte UID, MIFARE 4k S70 4 byte UID, MIFARE 4k S70 7 byte UID, MIFARE 4k S70 10 byte UID, Ultralight, Ultralight-C, Ultralight Ev1, NTAG | |
| Memory Size | 144 bytes - 4K | |
| UID Size | 4-byte / 7-byte / 10-byte | |
| UID Modifiable | ✔️ | |
| ATQA / SAK Configurable | ✔️ | |
| ATS Configurable | ✔️ | Custom length / Disable |
| UID Modifiable | Unlock Required | DirectWrite / Block 0 | One Time Write | Notes |
|---|---|---|---|---|
| ✔️ | ✔️ | ✔️ | One Time Write is reversible |
| Compatibility | UID | R/W | Config | Notes |
|---|---|---|---|---|
| Flipper Zero | ✔️ | ✔️ | ✔️ | |
| Proxmark / iCopy-X | ✔️ | ✔️ | ✔️ | |
| Android & iOS | ✔️ | ✔️ | ✔️ | Configuration via MTools |
| LibNFC | ✔️ | ✔️ | ✔️ | Configuration via raw commands |
| ChameleonUltra | ✔️ | ✔️ | ✔️ | Configuration via MTools |
Hands on: See the card in action
Depending on your tools, there are multiple ways to program this card:
- MTools on Android / iOS: Simple UI with Full configuration options
- Proxmark / iCopy-X: Via raw commands or the LUA Script (not all features implemented)
- Flipper Zero: Simple configuration via the NFC Application
- LibNFC: via tamashell. Manual commands.
Proxmark / iCopy-X
There are two ways to program this card:
- Use the raw commands designated by the `hf 14a` examples.
- Use the `hf_mf_ultimatecard.lua` script commands. This script is not fully compatible with the new version of the UMC.
Special raw commands summary:
CF <passwd> 32 <00-04> // Configure GTU shadow mode
CF <passwd> 34 <1b length><0-16b ATS> // Configure ATS
CF <passwd> 35 <2b ATQA><1b SAK> // Configure ATQA/SAK (swap ATQA bytes)
CF <passwd> 68 <00-02> // Configure UID length
CF <passwd> 69 <00-01> // (De)Activate Ultralight mode
CF <passwd> 6A <00-03> // Select Ultralight mode
CF <passwd> 6B <1b> // Set Ultralight and M1 maximum read/write sectors
CF <passwd> C6 // Dump configuration
CF <passwd> CC // Version info, returns `00 00 00 [03 A0 (old) / 06 A0 (new) ]`
CF <passwd> CD <1b block number><16b block data> // Backdoor write 16b block
CF <passwd> CE <1b block number> // Backdoor read 16b block
CF <passwd> CF <1b param> // (De)Activate direct write to block 0
CF <passwd> F0 <30b configuration data> // Configure all params in one cmd
CF <passwd> F1 <30b configuration data> // Configure all params in one cmd and fuse the configuration permanently
CF <passwd> FE <4b new_password> // change password
Default <passwd>: 00000000
Characteristics
- UID: 4b, 7b and 10b versions
- ATQA/SAK: changeable
- BCC: computed
- ATS: changeable, can be disabled
- Card Type: changeable
- Shadow mode: GTU
- Backdoor password mode
Proxmark3 Commands
# view contents of tag memory:
hf mf gview
# Read a specific block via backdoor command:
hf mf ggetblk
# Write a specific block via backdoor command:
hf mf gsetblk
# Load dump to tag:
hf mf gload
# Save dump from tag:
hf mf gsave
Change ATQA / SAK
hf 14a raw -s -c -t 1000 CF<passwd>35<2b ATQA><1b SAK>
- ATQA bytes are swapped in the command
- ATQA bytes that result in `iso14443a card select failed` can be corrected with `hf 14a config --atqa force`
- When SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on, otherwise the card may not be recognized by some readers!
- Never set SAK bit 3 (e.g. SAK=04), it indicates an extra cascade level is required
Example: ATQA 0044 SAK 28, default pwd
hf 14a raw -s -c -t 1000 CF0000000035440028
Or (note that the script swaps the ATQA bytes for you):
script run hf_mf_ultimatecard -q 004428
Change ATS
hf 14a raw -s -c -t 1000 CF<passwd>34<1b length><0-16b ATS>
- `<length>`: ATS length byte, set to `00` to disable ATS
- When SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on
- ATS CRC will be added automatically, don't configure it
- Max ATS length: 16 bytes (+CRC)
Example: ATS to 0606757781028002F0, default pwd
hf 14a raw -s -c -t 1000 CF000000003406067577810280
Or
script run hf_mf_ultimatecard -z 06067577810280
Set UID Length (4, 7, 10)
hf 14a raw -s -c -t 1000 CF<passwd>68<1b param>
- `<param>`
  - `00`: 4 bytes
  - `01`: 7 bytes
  - `02`: 10 bytes
Example: set UID length to 7 bytes, default pwd
hf 14a raw -s -c -t 1000 CF000000006801
Set 14443A UID
UID is configured according to block0 with a backdoor write.
Example: preparing first two blocks:
hf 14a raw -s -c -t 1000 CF00000000CD00000102030405060708090A0B0C0D0E0F
hf 14a raw -s -c -t 1000 CF00000000CD01101112131415161718191A1B1C1D1E1F
hf 14a reader
MFC mode 4b UID
⇒ UID 00010203
script run hf_mf_ultimatecard -t 4 -u 00010203
MFC mode 7b UID
⇒ UID 00010203040506
script run hf_mf_ultimatecard -t 5 -u 00010203040506
MFC mode, 10b UID
⇒ UID 00010203040506070809
script run hf_mf_ultimatecard -t 6 -u 00010203040506070809
(De)Activate Ultralight Mode
hf 14a raw -s -c -t 1000 CF<passwd>69<1b param>
- `<param>`
  - `00`: MIFARE Classic mode
  - `01`: MIFARE Ultralight/NTAG mode
Example: activate Ultralight protocol, default pwd
hf 14a raw -s -c -t 1000 CF000000006901
Or
script run hf_mf_ultimatecard -n 01
In this mode, if SAK=00 and ATQA=0044, it acts as an Ultralight card
Select Ultralight Mode
hf 14a raw -s -c -t 1000 CF<passwd>6A<1b param>
- `<param>`
  - `00`: UL EV1
  - `01`: NTAG
  - `02`: UL-C
  - `03`: UL
- Ultralight mode must be activated first (cf cmd 69)
Example: set Ultralight mode to Ultralight-C, default pwd
hf 14a raw -s -c -t 1000 CF000000006A02
Or
script run hf_mf_ultimatecard -m 02
Now the card supports the 3DES UL-C authentication.
Set Shadow Mode (GTU)
hf 14a raw -s -c -t 1000 CF<passwd>32<1b param>
- `<param>`
  - `00`: pre-write, shadow data can be written
  - `01`: restore mode (WARNING: new UMC (06a0) cards return garbage data when using 01)
  - `02`: disabled
  - `03`: disabled, high speed R/W mode for Ultralight?
  - `04`: split mode, works with new UMC. With old UMC it is untested.
Direct Block Read and Write
Using the backdoor command, one can read and write any area without the MFC password, similarly to an MFC Gen1 card.
Backdoor read 16b block:
hf 14a raw -s -c -t 1000 CF<passwd>CE<1b block number>
Backdoor write 16b block:
hf 14a raw -s -c -t 1000 CF<passwd>CD<1b block number><16b block data>
Read/Write operations work on 16 bytes, no matter the Ultralight mode.
Example: read block0, default pwd
hf 14a raw -s -c -t 1000 CF00000000CE00
Example: write block0 with factory data, default pwd
hf 14a raw -s -c -t 1000 CF00000000CD00112233441C000011778185BA18000000
(De)Activate Direct Write to Block 0
This command enables/disables direct writes to block 0.
hf 14a raw -s -c -t 1000 CF<passwd>CF<1b param>
- `<param>`
  - `00`: Activate direct write to block 0 (Same behaviour as Gen2 cards. Some readers may identify the card as magic)
  - `01`: Deactivate direct write to block 0 (Same behaviour as vanilla cards)
  - `02`: Default value. (Same behaviour as `00` (?))
Change Backdoor Password
All backdoor operations are protected by a password. If password is forgotten, it can't be recovered. Default password is 00000000.
Change password:
hf 14a raw -s -c -t 1000 CF <passwd> FE <4b new_password>
Example: change password from 00000000 to AABBCCDD
hf 14a raw -s -c -t 1000 CF00000000FEAABBCCDD
Dump Configuration
hf 14a raw -s -c -t 1000 CF<passwd>C6
Default configuration:
00000000000002000978009102DABC191010111213141516040008006B024F6B
                                                            ^^^^ CRC, type unknown
                                                          ^^ cf cmd cf: block0 direct write setting
                                                        ^^ cf cmd 6b: maximum read/write sectors
                                                      ^^ cf cmd 6a: UL mode
                                                ^^^^^^ cf cmd 35: ATQA/SAK
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cf cmd 34: ATS length & content
            ^^ cf cmd 32: GTU mode
    ^^^^^^^^ cf cmd fe: password
  ^^ cf cmd 68: UID length
^^ cf cmd 69: Ultralight protocol
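The field layout annotated above can be checked mechanically before a configuration is relied on. The following Python is an added example, not code from the original page or from the Proxmark project: it decodes the 32-byte dump and flags the SAK/ATS conditions this page warns about. The field names and the `parse_config` / `soft_brick_warnings` helpers are assumptions made for illustration; byte offsets come from the annotated dump.

```python
# Added example: decode the 32-byte `CF <passwd> C6` reply and flag soft-brick risks.
# (name, byte offset, byte length); offsets follow the annotated dump on this page,
# the field names themselves are hypothetical.
FIELDS = [
    ("ul_protocol", 0, 1),           # cf cmd 69
    ("uid_length", 1, 1),            # cf cmd 68
    ("password", 2, 4),              # cf cmd fe
    ("gtu_mode", 6, 1),              # cf cmd 32
    ("ats", 7, 17),                  # cf cmd 34: 1 length byte + up to 16 ATS bytes
    ("atqa_sak", 24, 3),             # cf cmd 35: ATQA (bytes swapped) + SAK
    ("ul_mode", 27, 1),              # cf cmd 6a
    ("max_sectors", 28, 1),          # cf cmd 6b
    ("block0_direct_write", 29, 1),  # cf cmd cf
    ("crc", 30, 2),                  # CRC, type unknown
]
UID_LENGTHS = {0: 4, 1: 7, 2: 10}
UL_MODES = {0: "UL EV1", 1: "NTAG", 2: "UL-C", 3: "UL"}


def parse_config(hex_dump: str) -> dict:
    raw = bytes.fromhex(hex_dump)
    if len(raw) != 32:
        raise ValueError(f"expected 32 bytes, got {len(raw)}")
    f = {name: raw[off:off + n] for name, off, n in FIELDS}
    ats_len = f["ats"][0]
    if ats_len > 16:
        raise ValueError(f"ATS length {ats_len} exceeds the 16-byte maximum")
    return {
        "protocol": "Ultralight/NTAG" if f["ul_protocol"][0] == 1 else "MIFARE Classic",
        "uid_bytes": UID_LENGTHS.get(f["uid_length"][0]),
        "password": f["password"].hex().upper(),
        "gtu_mode": f["gtu_mode"][0],
        "ats": f["ats"][1:1 + ats_len].hex().upper(),  # empty string = ATS disabled
        "atqa": f["atqa_sak"][1::-1].hex().upper(),    # undo the byte swap
        "sak": f["atqa_sak"][2],
        "ul_mode": UL_MODES.get(f["ul_mode"][0]),
        "max_sectors": f["max_sectors"][0],
        "block0_direct_write": f["block0_direct_write"][0],
        "crc": f["crc"].hex().upper(),
    }


def soft_brick_warnings(cfg: dict) -> list:
    # "Bit 6" and "bit 3" use the page's numbering: SAK=20 has bit 6 set, SAK=04 bit 3.
    warnings = []
    if cfg["sak"] & 0x20 and not cfg["ats"]:
        warnings.append("SAK bit 6 set but ATS disabled")
    if cfg["sak"] & 0x04:
        warnings.append("SAK bit 3 set: reader expects another cascade level")
    if cfg["uid_bytes"] is None:
        warnings.append("unknown UID length parameter")
    return warnings


DEFAULT = "00000000000002000978009102DABC191010111213141516040008006B024F6B"  # from this page
print(parse_config(DEFAULT), soft_brick_warnings(parse_config(DEFAULT)))
```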
Fast Configuration
hf 14a raw -s -c -t 1000 CF<passwd>F0<30b configuration data>
See Dump configuration for configuration data description.
Example: Write factory configuration, using default password
hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC191010111213141516040008004F6B
F1 instead of F0 will set and fuse permanently the configuration. Backdoor R/W will still work.
Presets
Here are some presets available in the FuseTool (but with all ATS disabled)
MIFARE Mini S20 4-byte UID
hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000900
MIFARE Mini S20 7-byte UID
hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151644000900
MIFARE 1k S50 4-byte UID (this is the factory setting)
hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000800
MIFARE 1k S50 7-byte UID
hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151644000800
MIFARE 4k S70 4-byte UID
hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151602001800
MIFARE 4k S70 7 byte UID
hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151642001800
Ultralight
hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000003FB
Ultralight-C
hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000002FB
Ultralight EV1
hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000FB
NTAG21x
hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001FB
LibNFC / Tamashell Commands for Gen4 Cards
LibNFC and Tamashell provide an alternative method to interact with Ultimate Magic Cards (Gen4/GTU) using raw commands through PN53x-based readers like the DL533N.
Command Format
LibNFC/Tamashell commands require a specific preamble before each Gen4 command:
$ pn53x-tamashell
4a 01 00 # Initialize communication
42 <Gen4 command> # Execute Gen4 command
Starting Tamashell
pn53x-tamashell
This will open an interactive session with your PN53x-based NFC reader.
Dump Configuration
Read the current Gen4 card configuration (default password 00000000):
> 4a 01 00
> 42 CF 00 00 00 00 C6
Returns 32 bytes of configuration data.
Get Version Info
Check the Gen4 card version:
> 4a 01 00
> 42 CF 00 00 00 00 CC
Returns version information:
- Old UMC: `00 00 00 03 A0`
- New UMC: `00 00 00 06 A0`
Backdoor Read Block
Read a 16-byte block via backdoor (example: block 0):
> 4a 01 00
> 42 CF 00 00 00 00 CE 00
Replace 00 at the end with the desired block number.
Backdoor Write Block
Write a 16-byte block via backdoor (example: change UID to AA BB CC DD):
> 4a 01 00
> 42 CF 00 00 00 00 CD 00 AA BB CC DD 1C 00 00 11 77 81 85 BA 18 00 00 00
Format: CD <block> <16 bytes data>
Change ATQA/SAK
Set ATQA and SAK values (example: ATQA 0044, SAK 18 for 4K card):
> 4a 01 00
> 42 CF 00 00 00 00 35 44 00 18
- ATQA bytes are swapped in the command
- When SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on
- Never set SAK bit 3 (e.g. SAK=04)
Configure ATS
Set ATS (Answer To Select) data:
> 4a 01 00
> 42 CF 00 00 00 00 34 06 06 75 77 81 02 80
Format: 34 <length> <ATS data>
- Set length to `00` to disable ATS
- ATS CRC is added automatically
- Maximum ATS length: 16 bytes (+CRC)
Set UID Length
Configure UID length (4, 7, or 10 bytes):
4-byte UID:
> 4a 01 00
> 42 CF 00 00 00 00 68 00
7-byte UID:
> 4a 01 00
> 42 CF 00 00 00 00 68 01
10-byte UID:
> 4a 01 00
> 42 CF 00 00 00 00 68 02
Write 7-byte UID
After setting UID length to 7 bytes, write the UID to block 0:
> 4a 01 00
> 42 CF 00 00 00 00 CD 00 04 AA BB CC DD EE FF 08 44 00 18 00 00 00 00 00
The UID starts with 04 (cascade tag) followed by the 6 UID bytes.
Set GTU Shadow Mode
Configure shadow mode operation:
Pre-write mode:
> 4a 01 00
> 42 CF 00 00 00 00 32 00
Disabled:
> 4a 01 00
> 42 CF 00 00 00 00 32 02
Split mode (new UMC):
> 4a 01 00
> 42 CF 00 00 00 00 32 04
(De)Activate Direct Write to Block 0
Deactivate (vanilla card behaviour):
> 4a 01 00
> 42 CF 00 00 00 00 CF 01
Activate (Gen2-like behaviour):
> 4a 01 00
> 42 CF 00 00 00 00 CF 00
Switch to Ultralight Mode
Activate Ultralight protocol:
> 4a 01 00
> 42 CF 00 00 00 00 69 01
Switch back to MIFARE Classic:
> 4a 01 00
> 42 CF 00 00 00 00 69 00
Select Ultralight Mode
After activating Ultralight protocol, select specific mode:
Ultralight EV1:
> 4a 01 00
> 42 CF 00 00 00 00 6A 00
NTAG:
> 4a 01 00
> 42 CF 00 00 00 00 6A 01
Ultralight-C:
> 4a 01 00
> 42 CF 00 00 00 00 6A 02
Ultralight:
> 4a 01 00
> 42 CF 00 00 00 00 6A 03
Fast Configuration
Set all parameters at once (example: MIFARE 1K 4-byte UID factory default):
> 4a 01 00
> 42 CF 00 00 00 00 F0 00 00 00 00 00 00 02 00 09 78 00 91 02 DA BC 19 10 10 11 12 13 14 15 16 04 00 08 00
F1 instead of F0 will permanently fuse the configuration. Backdoor R/W will still work, but configuration cannot be changed.
Change Backdoor Password
Change the backdoor password from default (00000000) to a new value:
> 4a 01 00
> 42 CF 00 00 00 00 FE AA BB CC DD
- New UMC (06A0) may return error 6300 with this command
- For new UMC, use the F0 fast configuration command with the new password
- If password is lost, it cannot be recovered!
Using New Password
After changing password, use the new password in all commands:
> 4a 01 00
> 42 CF AA BB CC DD C6
Replace 00 00 00 00 with your new password AA BB CC DD in all commands.
Presets
Common card configurations using fast configuration command:
MIFARE Mini S20 4-byte UID:
> 4a 01 00
> 42 CF 00 00 00 00 F0 00 00 00 00 00 00 02 00 09 78 00 91 02 DA BC 19 10 10 11 12 13 14 15 16 04 00 09 00
MIFARE 1K S50 4-byte UID (factory default):
> 4a 01 00
> 42 CF 00 00 00 00 F0 00 00 00 00 00 00 02 00 09 78 00 91 02 DA BC 19 10 10 11 12 13 14 15 16 04 00 08 00
MIFARE 1K S50 7-byte UID:
> 4a 01 00
> 42 CF 00 00 00 00 F0 00 01 00 00 00 00 02 00 09 78 00 91 02 DA BC 19 10 10 11 12 13 14 15 16 44 00 08 00
MIFARE 4K S70 4-byte UID:
> 4a 01 00
> 42 CF 00 00 00 00 F0 00 00 00 00 00 00 02 00 09 78 00 91 02 DA BC 19 10 10 11 12 13 14 15 16 02 00 18 00
MIFARE 4K S70 7-byte UID:
> 4a 01 00
> 42 CF 00 00 00 00 F0 00 01 00 00 00 00 02 00 09 78 00 91 02 DA BC 19 10 10 11 12 13 14 15 16 42 00 18 00
Ultralight:
> 4a 01 00
> 42 CF 00 00 00 00 F0 01 01 00 00 00 00 03 00 09 78 00 91 02 DA BC 19 10 10 11 12 13 14 15 16 44 00 00 03 FB
Ultralight-C:
> 4a 01 00
> 42 CF 00 00 00 00 F0 01 01 00 00 00 00 03 00 09 78 00 91 02 DA BC 19 10 10 11 12 13 14 15 16 44 00 00 02 FB
Ultralight EV1:
> 4a 01 00
> 42 CF 00 00 00 00 F0 01 01 00 00 00 00 03 00 09 78 00 91 02 DA BC 19 10 10 11 12 13 14 15 16 44 00 00 00 FB
NTAG21x:
> 4a 01 00
> 42 CF 00 00 00 00 F0 01 01 00 00 00 00 03 00 09 78 00 91 02 DA BC 19 10 10 11 12 13 14 15 16 44 00 00 01 FB
Exit Tamashell
> exit
Notes
- All commands require the `4a 01 00` initialization before the `42` command
- Default password is `00 00 00 00`
- Commands are case-insensitive for hex values
- Spaces between hex bytes are required
- LibNFC/Tamashell works with PN53x-based readers (ACR122U, PN532, etc.)
Unbricking
"Soft-bricking" refers to when a magic card has been configured in a way that prevents it from being detected. Ways of soft-bricking tags include:
- Incorrect BCC
- Incorrect SAK
- Incorrect ATQA
- Incorrect ATS
- Incorrect ACL (Access Control) Values
With Proxmark / iCopy-X
hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000800
Via external reader/writer and MTOOLS
Select the "UID Changer" function in MTools, select "bricked" and run the task
Via LibNFC & tamashell
> 4a 01 00
> 42 CF 00 00 00 00 F0 00 00 00 00 00 00 02 00 09 78 00 91 02 DA BC 19 10 10 11 12 13 14 15 16 04 00 08 00
IMPORTANT:
Lab401 cannot provide refunds under any circumstances for cards that were 'bricked' due to incorrect configurations.