Know your magic cards

Navigating the world of "Magic" RFID Cards can be difficult. Different suppliers have different badges with different abilities, and each version may have multiple generations.

This comprehensive guide covers the history, technical details, and characteristics of magic cards across multiple frequency ranges and protocols.

External sources include: the Proxmark Repository, RFID Hacking Discord.

History of Magic Cards

In the beginning there was the MIFARE CLASSIC® 1K card.
Compared to the 125 kHz tags of the time, which simply burped out a string of data, the MIFARE CLASSIC® 1K was an advanced card.

Each card had its own Unique ID (UID). Blocks of UIDs were managed between manufacturers to ensure that no two cards ever had the same UID.

The MIFARE CLASSIC® 1K also featured a number of data sectors, access control lists and keys.

As the MIFARE CLASSIC® 1K became more popular, many companies and access control solutions started using the UID as a security feature - relying on the UID to authenticate cards, users, purchases and more.

The MIFARE CLASSIC® 1K's cipher, combined with a poor pseudo-random number generator (PRNG), was cracked - meaning cards could now be cracked and dumped.

At a similar time, Chinese companies, most notably FUDAN, started creating 'compatible' chipsets - and some of these chipsets evolved special, even... magical... abilities - including forging the sacred UID.

The original generations of MIFARE CLASSIC® compatible / magic chips required a special sequence to 'unlock' the badge. Once unlocked, the entire card, including the UID and ACL sections, could be read and written.

The unlock code, 0x43 / 0x40, became so well known that many card reader systems would send it to every badge presented. If a tag responded, it was deemed a clone card and refused.

In response, "Magic" cards evolved other abilities - some allowed "Direct Writing" anywhere on the card without unlock codes, and others allowed the UID to be changed only one time.

With each iteration the chipsets also became more and more stable, and could emulate more and more badge types.

Today the most modern "Magic" cards can withstand a fair bit of user abuse (writing incorrect values, corrupting the manufacturer sectors, etc.) but should in general be treated with care, so as not to 'brick' them.

Recently, the "Ultimate Magic Card" was released. Also known as a "Gen 4", this card is a highly configurable 13.56 MHz card emulator.

It can natively emulate NTAG / MIFARE / Ultralight tags (and all their variations), supports complete control over ATQA/SAK/ATS values, UID and UID length (4, 7 and 10 byte) and has advanced functionality including Recovery Mode, Shadow Mode and automatic BCC calculation.

Common Magic Card Cheat Sheet

Although hundreds of types of magic cards can now be found in the wild, for the purposes of cloning cards the following are the most commonly available, best supported and most compatible cards/chipsets.

MIFARE Classic Magic Cards

MIFARE CLASSIC® 1K, Generation 1a
  Features: Original "Magic Mifare" tag; requires "unlocking" for 'magic' features
    • Unlockable with code 0x43 0x40
    • Entire card can be written / read once unlocked
    • ⚠️ Typically detectable as a "magic" card
    • Easily bricked by writing incorrect BCC values
  Compatibility: ✅ Proxmark / iCopy-X, ❌ Flipper Zero, ✅ LibNFC, ❌ Android (MTools)

MIFARE CLASSIC® 1K, Generation 1b
  Features: Generation 1a tag with custom unlock code
    • Entire card can be written / read once unlocked
    • Easily bricked by writing incorrect BCC values
    • ⚠️ Typically detectable as a "magic" card
    • Requires custom commands
  Compatibility: ✅ Proxmark / iCopy-X, ❌ Flipper Zero, ✅ LibNFC, ❌ Android (MTools)

MIFARE CLASSIC® 1K, Generation 2
  Features: No unlocking required; comes in 4-byte UID and 7-byte UID flavours
    • ⚠️ Typically detectable as a "magic" card
  Compatibility: ✅ Proxmark / iCopy-X, ✅ Flipper Zero, ✅ LibNFC, ✅ Android (MTools)

MIFARE CLASSIC® 1K, Generation 2a (OTW)
  Features: One-Time Write UID; no unlocking required; comes in 4-byte UID only
    • Once written, UID cannot be changed
    • ✅ Typically not detectable as a "magic" card
  Compatibility: ✅ Proxmark / iCopy-X, ✅ Flipper Zero, ✅ LibNFC, ✅ Android (MTools)

MIFARE CLASSIC® 4K, Generation 1a
  Features: Original "Magic Mifare" tag; comes in 4-byte UID and 7-byte UID flavours
    • Unlockable with code 0x43 0x40
    • Entire card can be written / read once unlocked
    • ⚠️ Typically detectable as a "magic" card
    • Easily bricked by writing incorrect BCC values
  Compatibility: ✅ Proxmark / iCopy-X, ❌ Flipper Zero, ✅ LibNFC, ❌ Android (MTools)

MIFARE CLASSIC® 4K, Generation 2
  Features: No unlocking required
    • ⚠️ Typically detectable as a "magic" card
  Compatibility: ✅ Proxmark / iCopy-X, ✅ Flipper Zero, ✅ LibNFC, ✅ Android (MTools)

MIFARE ULTRALIGHT®, Generation 1a
  Features: Original "Magic Ultralight" tag
    • Bricked if 0x43 0x40 code is used
    • ⚠️ Typically detectable as a "magic" card
  Compatibility: ✅ Proxmark / iCopy-X, ✅ Flipper Zero, ✅ LibNFC, ✅ Android (MTools)

MIFARE ULTRALIGHT®, Generation 1b
  Features: Variation of the "Magic Ultralight" tag
    • Requires unlock code 0x43 0x40 to be used
    • ⚠️ Typically detectable as a "magic" card
  Compatibility: ✅ Proxmark / iCopy-X, ❌ Flipper Zero, ✅ LibNFC, ❌ Android (MTools)

MIFARE ULTRALIGHT® C, Generation 1
  Features: No unlocking required
    • ⚠️ Typically detectable as a "magic" card
  Compatibility: ✅ Proxmark / iCopy-X, ✅ Flipper Zero, ✅ LibNFC, ✅ Android (MTools)

Advanced Magic Cards

Ultimate Magic Card, Generation 4 (GTU)
  Features: "Gen 4" card
  Customise:
    • UID + length
    • SAK
    • ATQA
    • ATS
  Built-in functionality:
    • Shadow Mode
    • Auto BCC calculation
    • Password protection
    • Recovery Mode
  Natively emulates:
    • MIFARE Mini
    • MIFARE 1k S50 with 4, 7 or 10 byte UID
    • MIFARE 4k S70 with 4, 7 or 10 byte UID
    • Ultralight
    • Ultralight-C
    • Ultralight EV1
    • NTAG
  Compatibility: ✅ Proxmark / iCopy-X, ✅ Flipper Zero, ✅ LibNFC, ✅ Mobile (MTools)

NTAG® 213 Compatible
  Features: Allows UID to be set
  Compatibility: ✅ Proxmark / iCopy-X, ✅ Flipper Zero, ✅ LibNFC, ❌ Android (MTools)

NTAG® 2xx / Ultralight Emulator
  Features: Supported by Proxmark natively; requires special commands to be used with LibNFC
  Natively emulates:
    • NTAG® 213
    • NTAG® 215
    • NTAG® 216
  Partially emulates:
    • NTAG® 210
    • NTAG® 212
    • NTAG® I2C 1K
    • NTAG® I2C 2K
    • NTAG® I2C 1K Plus
    • NTAG® I2C 2K Plus
    • MIFARE Ultralight® EV1 48k
    • MIFARE Ultralight® EV1 128k
  Compatibility: ✅ Proxmark / iCopy-X, ✅ Flipper Zero, ✅ LibNFC, ❌ Android (MTools)

MIFARE DESFire® EV1 UID Emulator
  Features: Supported by Proxmark natively
    • Emulates the ATQA/SAK of a DESFire card
    • Emulates the UID of a DESFire card
    • EV1: 4-byte UID and 7-byte UID
    • EV2: 7-byte UID
  Compatibility: ✅ Proxmark / iCopy-X, ✅ Flipper Zero, ✅ LibNFC, ✅ Android (MTools)

MIFARE DESFire® UID / ATQA / SAK / ATS / APDU Emulator
  Features:
    • Customisable UID / ATQA / SAK / ATS
    • Commands are APDU commands (LibNFC compatible)
  Compatibility: ✅ Proxmark / iCopy-X, ❌ Flipper Zero, ✅ LibNFC, ✅ Android (MTools)

ICODE SLI / SLIX, Gen 1
  Features: Supported by Proxmark natively
    • Fixed memory size
    • Allows UID to be set
  Compatibility: ✅ Proxmark / iCopy-X, ✅ Flipper Zero, ✅ LibNFC, ✅ Mobile (MTools)

ICODE SLI / SLIX, Gen 2
  Features: Supported by Proxmark natively; requires special commands to be used with LibNFC
    • UID modification
    • Card size can be reconfigured: 16, 32 or 64 blocks
  Compatibility: ✅ Proxmark / iCopy-X, ❌ Flipper Zero, ✅ LibNFC, ✅ Mobile (MTools)

Low Frequency Cards

T55xx

The Temic T55xx / Atmel ATA5577 is the most commonly used chip for cloning LF RFID tags.

Characteristics

  • 28/24 bytes of user memory (without/with password)
  • Universal output settings (data rate, modulation, etc)
  • Password protection (4 bytes), usually "19920427"
  • Lock bits per page
  • Analog frontend setup
  • Other names:
    • 5577
    • 5200 (CN) - Cut down version of T55xx chip
    • H2 (RU) - Seems to be renamed 5200 chip
    • RW125T5 (RU)

Detect

[usb] pm3 --> lf search
...
[+] Chipset detection: T55xx

Note: this will not work if you have a downlink mode other than fixed bit length!

EM4x05

The EM4305 and EM4205 (and 4469/4569) chips are the second most commonly used chips for cloning LF RFID tags. A custom variant is also used by HID Global for HID Prox credentials.

Characteristics

  • 36 bytes of user memory
  • Output settings are limited (ASK only, FSK added on HID variant)
  • Password protection (4 bytes), usually "84AC15E2"
  • Lock page used
  • Other names:
    • H3 (RU)
    • RW125EM (RU)

Detect

[usb] pm3 --> lf search
...
[+] Chipset detection: EM4x05 / EM4x69

ID82xx Series

These are custom Chinese chips mainly used to clone EM IDs. Often, these are redesigned clones of Hitag chips.

ID8265

This is the cheapest and most common ID82xx chip available. It is usually sold as T55xx on AliExpress, with excuses to use cloners.

Characteristics:

  • Chip is likely a cut down version of Hitag µ (micro) clone
  • UID 00 00 00 00 00 00
  • Password protection (4b), usually "00000000"(default) or "9AC4999C"(FURUI)
  • Config block 0xFF
  • Currently unimplemented in proxmark3 client
  • Other names: ID8210 (CN), H-125 (CN), H5 (RU)

ID8211

This is an "improved" variant of ID82xx chips, bypassing some magic detection in China.

Characteristics:

  • Chip is likely a cut down version of Hitag S2048 clone
  • No password protection
  • Page 1 fully changeable, default: CA 24 00 00
  • Pages 41-43 contain unknown readonly data
  • Pages 44-63 readonly to 00 00 00 00

ID-F8268

This is an "improved" variant of ID82xx chips, bypassing some magic detection in China.

Characteristics:

  • Chip is likely a cut down version of Hitag S2048 clone
  • Password protection (4b), usually "BBDD3399"(default) or "AAAAAAAA"
  • Page 1 fully changeable, default: DA A4 00 00
  • Other names: F8278 (CN), F8310 (CN), K8678 manufactured by Hyctec

H Series

These are chips sold in Russia, manufactured by iKey LLC. Often these are custom designs.

H1

Simplest EM ID cloning chip available. Officially discontinued.

Characteristics:

  • Currently almost all structure is unknown
  • No locking or password protection
  • "OTP" chip is same chip, but with EM ID of zeroes. Locked after first write
  • Other names: RW64bit, RW125FL

H5.5 / H7

First "advanced" custom chip with H naming.

Characteristics:

  • Currently all structure is unknown
  • No password protection
  • Only supported by Russian "TMD"/"RFD" cloners
  • H7 is advertised to work with "Stroymaster" access control
  • Setting ID to "3F0096F87E" will make the chip show up like T55xx

ISO14443A Cards

Identifying Broken ISO14443A Magic Cards

When a magic card's configuration is really messed up and the card is not labelled, it may be hard to find out which type of card it is.

Here are some tips if the card doesn't react, or gives an error, to a simple hf 14a reader:

Let's force a 4b UID anticollision and see what happens:

hf 14a config --atqa force --bcc ignore --cl2 skip --rats skip
hf 14a reader

If it responds, we know it's a TypeA card. But maybe it's a 7b UID, so let's force a 7b UID anticollision:

hf 14a config --atqa force --bcc ignore --cl2 force --cl3 skip --rats skip
hf 14a reader

At this stage, you know if it's a TypeA 4b or 7b card and you can check further on this page how to reconfigure different types of cards.

To restore anticollision config of the Proxmark3:

hf 14a config --std

MIFARE Classic

Referred as M1, S50 (1k), S70 (4k)

MIFARE Classic Block 0

UID 4b: (actually NUID as there are no more "unique" IDs on 4b)

11223344440804006263646566676869
^^^^^^^^                         UID
        ^^                       BCC
          ^^                     SAK(*)
            ^^^^                 ATQA
                ^^^^^^^^^^^^^^^^ Manufacturer data

(*) some cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98)

Computing BCC on UID 11223344: analyse lrc -d 11223344 = 44 (XOR of the four UID bytes, matching the BCC byte in the block 0 above)

UID 7b:

04112233445566884400c82000000000
^^                               Manufacturer byte
^^^^^^^^^^^^^^                   UID
              ^^                 SAK(*)
                ^^^^             ATQA
                    ^^^^^^^^^^^^ Manufacturer data

(*) all? cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98)
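The two block 0 layouts above, turned into a parser and a builder. This is an added example, not code from the page or the Proxmark3 project; the field offsets follow the diagrams in this section, and the names (parse_block0, build_block0_4b, lrc) are this example's own. The builder computes the BCC itself, because a hand-typed BCC is the usual way a Gen1a tag gets bricked; the parser flags a BCC that does not match the UID and recovers the anticollision SAK from the +0x80 value many cards store in block 0.

```python
from __future__ import annotations

# Added example (not from the page or the Proxmark3 project): parse and build a
# MIFARE Classic block 0 following the 4-byte and 7-byte UID layouts above.


def lrc(data: bytes) -> int:
    """XOR of all bytes: what `analyse lrc` computes and what the BCC byte holds."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def parse_block0(block0_hex: str, uid_len: int) -> dict:
    """Split a 16-byte block 0 into its fields.

    uid_len (4 or 7) comes from the anticollision, not from block 0 itself:
    a 7-byte UID needs cascade level 2, a 4-byte one does not.
    """
    blk = bytes.fromhex(block0_hex)
    if len(blk) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    if uid_len == 4:
        uid, bcc, sak = blk[0:4], blk[4], blk[5]
        atqa, mfr = blk[6:8], blk[8:16]
        bcc_ok = bcc == lrc(uid)
    elif uid_len == 7:
        # byte 0 is the manufacturer byte and also the first UID byte (04 = NXP)
        uid, bcc, sak = blk[0:7], None, blk[7]
        atqa, mfr = blk[8:10], blk[10:16]
        bcc_ok = None  # the 7-byte layout carries no BCC in block 0
    else:
        raise ValueError("uid_len must be 4 or 7")
    return {
        "uid": uid.hex(),
        "bcc": bcc,
        "bcc_ok": bcc_ok,
        "sak_block0": sak,
        # many cards store SAK + 0x80 in block 0 (08 -> 88, 18 -> 98);
        # the SAK seen in anticollision is the value with the MSB cleared
        "sak_anticol": sak & 0x7F,
        "atqa_stored": atqa.hex(),  # byte order as stored in block 0, e.g. "0400"
        "manufacturer_data": mfr.hex(),
    }


def build_block0_4b(uid_hex: str, sak: int, atqa_stored_hex: str,
                    manufacturer_hex: str = "6263646566676869") -> str:
    """Assemble a 4-byte-UID block 0 with the BCC computed rather than typed.

    Feed the result to `hf mf csetblk`; a wrong BCC is the classic way to
    soft-brick a Gen1a tag.
    """
    uid = bytes.fromhex(uid_hex)
    atqa = bytes.fromhex(atqa_stored_hex)
    mfr = bytes.fromhex(manufacturer_hex)
    if len(uid) != 4 or len(atqa) != 2 or len(mfr) != 8:
        raise ValueError("need 4-byte UID, 2-byte ATQA and 8 manufacturer bytes")
    if not 0 <= sak <= 0xFF:
        raise ValueError("SAK is one byte")
    return (uid + bytes([lrc(uid), sak]) + atqa + mfr).hex()


if __name__ == "__main__":
    # the two worked layouts from this section
    print(parse_block0("11223344440804006263646566676869", 4))
    print(parse_block0("04112233445566884400c82000000000", 7))
    print(build_block0_4b("11223344", 0x08, "0400"))
```

Note that the ATQA is returned in the byte order block 0 stores it ("0400" for the card that `hf mf cwipe -a 0004` refers to), so swap it before comparing with the `-a` argument of the Proxmark3 commands further down.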

MIFARE Classic Gen1A (aka UID)

Other names: ZERO (RU)

Identify

hf mf info
...
[+] Magic capabilities... Gen 1a

Magic Commands

  • Wipe: 40(7), 41 (use 2000ms timeout)
  • Read: 40(7), 43, 30xx+crc
  • Write: 40(7), 43, A0xx+crc, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx+crc

Characteristics

  • UID: Only 4b versions
  • ATQA: all cards play blindly the block0 ATQA bytes, beware!
  • SAK: behavior varies by flavour
  • BCC: all cards play blindly the block0 BCC byte, beware!
  • ATS: no card with ATS

Flavours

Flavour  SAK                                PRNG             Wipe
1        Plays blindly the block0 SAK       static 01200145  filled with 0xFF
2        Plays blindly the block0 SAK       static 01200145  filled with 0x00
3        08                                 static 01200145  filled with 0xFF
4        08                                 weak             timeout, no wipe
5        08                                 weak             reply ok but no wipe
6        08, or 88 if block0 SAK MSB set    weak             timeout, no wipe
7        08, or 88 if block0 SAK MSB set    weak             filled with 0x00

Proxmark3 Commands

hf mf csetuid
hf mf cwipe
hf mf csetblk
hf mf cgetblk
hf mf cgetsc
hf mf cload
hf mf csave
hf mf cview

When "soft-bricked" (by writing invalid data in block0), these ones may help:

# MFC Gen1A 1k:
hf mf cwipe -u 11223344 -a 0004 -s 08
# MFC Gen1A 4k:
hf mf cwipe -u 11223344 -a 0044 -s 18

or just fixing block0:

# MFC Gen1A 1k:
hf mf csetuid -u 11223344 -a 0004 -s 08
# MFC Gen1A 4k:
hf mf csetuid -u 11223344 -a 0044 -s 18

MIFARE Classic Gen1B

Similar to Gen1A, but supports direct read/write after command 40 (no 43 needed).

Identify

hf mf info
...
[+] Magic capabilities... Gen 1b

Magic Commands

  • Read: 40(7), 30xx
  • Write: 40(7), A0xx+crc, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx+crc

MIFARE Classic DirectWrite (Gen2 / CUID)

Also referred to as MCT compatible by some sellers.

Other names: MF-8 (RU), MF-3 (RU), MF-3.2 (RU)

Identify

hf mf info
...
[+] Magic capabilities... Gen 2 / CUID

Magic Commands

Android (MTools) compatible - issue regular write to block0

Characteristics

  • UID: 4b and 7b versions
  • ATQA: some cards play blindly the block0 ATQA bytes, some use fixed ATQA
  • SAK: some cards play blindly the block0 SAK byte, some use fixed SAK
  • BCC: some cards play blindly the block0 BCC byte, some compute proper BCC
  • ATS: some cards don't reply to RATS, some reply with an ATS

Proxmark3 Commands

hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344440804006263646566676869 --force

hf mf wipe --gen2

When "soft-bricked", use hf 14a config to force ATQA/BCC settings.

MIFARE Classic Gen3 (APDU)

Identify

hf mf info
...
[+] Magic capabilities... Gen 3 / APDU ( possibly )

Magic Commands

Android (MTools) compatible - issue special APDUs

cla  ins p1  p2  len
 90  F0  CC  CC  10 <block0>  - write block 0
 90  FB  CC  CC  07 <uid>     - change uid (independently of block0 data)
 90  FD  11  11  00           - lock permanently

Characteristics

  • UID: 4b and 7b versions
  • ATQA/SAK: fixed
  • BCC: auto
  • ATS: none

Proxmark3 Commands

# change just UID:
hf mf gen3uid
# write block0:
hf mf gen3blk
# lock (uid/block0?) forever:
hf mf gen3freeze

MIFARE Classic QL88

Tags designed for use with the "CopyKey X5" cloning device. These cards implement custom features as a form of rudimentary DRM (Digital Rights Management) to prevent the CopyKey from working with other blank tags. Manufactured by QinLin neighbor technology, these cards are named after their distinctive SAK value of 88 in Block 0.

Identify

hf mf info
...
[=] --- PRNG Information
[+] Prng................. hard

Characteristics

  • UID: 4b versions
  • ATQA/SAK: SAK value of 88 stored in Block 0 (not used during anticollision)
  • BCC: computed
  • ATS: none
  • PRNG: hard
  • Signature: Contains signature data in Sector 17
  • Custom Keys: Sector 17 uses custom Key A (0x2612C6DE84CA) and Key B (0x707B11FC1481)
  • Manufacturer Data: Block 0 always contains 88980020 000000F8
  • Sector 16: Fully user-writable
Note: The SAK value of 88 is only present in Block 0 and is not used during the anticollision sequence. This is a key identifying characteristic of QL88 cards.

Proxmark3 Commands

# Read Sector 17 with custom keys:
hf mf rdsc --sec 17 -a 2612C6DE84CA -b 707B11FC1481

# Verify manufacturer data in Block 0:
hf mf rdbl --blk 0 -k FFFFFFFFFFFF

MIFARE Classic HUID

A variation of the QL88 tag that appears to use a custom Key Derivation Function (KDF) for key generation. Despite the custom keying mechanism, the underlying structure and behavior remain similar to QL88 cards. Analysis suggests these are essentially CUID tags with custom keys applied.

Characteristics

  • UID: 4b versions
  • Key Generation: Uses custom KDF (Key Derivation Function)
  • Base Type: Appears to be CUID tag with custom keys
  • Compatibility: Same key structure as QL88
Note: The exact Key Derivation Function used by HUID cards is not fully documented. However, the resulting key structure matches that of QL88 cards, suggesting a common origin or design philosophy.

MIFARE Classic USCUID

These magic cards have a 16 byte long configuration page, which usually starts with 0x85. All of the known tags using this configuration are listed here.

Warning: You cannot turn a Classic tag into an Ultralight and vice-versa!

Characteristics

  • UID: 4/7 bytes
  • ATQA: always read from block 0
  • SAK: read from backdoor or configuration
  • BCC: read from memory, beware!
  • ATS: no/unknown

Identify

hf mf info
...
[+] Magic capabilities... Gen 4 GDM / USCUID ( Magic Auth/Gen1 Magic Wakeup/Alt Magic Wakeup )

Magic Commands

  • Magic authentication: select, 8000+crc, [Crypto1 Auth: 000000000000]
  • Magic wakeup (A: 00): 40(7), 43
  • Magic wakeup (B: 85): 20(7), 23
  • Backdoor read: 38xx+crc
  • Backdoor write: A8xx+crc, [16 bytes data]+crc
  • Read configuration: E000+crc
  • Write configuration: E100+crc, [16 bytes data]+crc

USCUID Configuration Guide

Configuration format:

85000000000000000000000000000008
      ^^^^^^    ^^          ^^   >> ??? Mystery ???
^^^^                             >> Gen1a mode (works with bitflip)
    ^^                           >> Magic wakeup command (00 for 40-43; 85 for 20-23)
            ^^                   >> Block use of Key B if readable by ACL
              ^^                 >> CUID mode
                  ^^             >> MFC EV1 CL2 Perso config
                    ^^           >> Shadow mode
                      ^^         >> Magic Auth command
                        ^^       >> Static encrypted nonce mode
                          ^^     >> Signature sector
                              ^^ >> SAK

To enable an option, set it to 5A.

Proxmark3 Commands

# Read config block from card
hf mf gdmcfg

# Write config block to card
hf mf gdmsetcfg

# Parse a config block
hf mf gdmparsecfg

# Write block to card
hf mf gdmsetblk

Known Variations

Factory Configuration              Name
850000000000000000005A5A00000008   GDM
850000000000005A00FF005A00000008   GDCUID
850000000000005A0000005A5A5A0008   UCUID
8500000000005A00005A005A005A0008   "7 byte hard"
7AFF850102015A00005A005A005A0008   M1-7B
7AFF85000000000000FF000000000008   FUID
7AFF000000000000BAFA358500000008*  PFUID
7AFF000000000000BAFA000000000008   UFUID
7AFF0000000000000000000000000008   ZUID

*Not all tags are the same! UFUID, ZUID and PFUID are not full implementations of USCUID.
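A decoder for the configuration page laid out in the USCUID Configuration Guide above, checked against the Known Variations table. This is an added example, not code from the page or the Proxmark3 project (it does offline what `hf mf gdmparsecfg` does against a card); the option names, parse_uscuid_config, set_option and identify are this example's own. Bytes the page marks as "Mystery" are reported raw and never modified, and only an exact 5A counts as "enabled", so the FF and BA/FA/35/85 values of GDCUID and PFUID show up in the raw view rather than being misread as options.

```python
from __future__ import annotations

# Added example (not from the page or the Proxmark3 project): decode and edit
# the 16-byte USCUID configuration page using the byte layout from the guide.

ENABLED = 0x5A   # "To enable an option, set it to 5A"

# byte offset in the configuration page -> option name (one byte per option)
OPTION_AT = {
    6: "key_b_use",         # block use of Key B if readable by ACL
    7: "cuid_mode",
    9: "ev1_cl2_perso",     # MFC EV1 CL2 Perso config
    10: "shadow_mode",
    11: "magic_auth",
    12: "static_enc_nonce",
    13: "signature_sector",
}
OFFSET_OF = {name: off for off, name in OPTION_AT.items()}
MYSTERY_AT = (3, 4, 5, 8, 14)               # "??? Mystery ???" bytes
WAKEUP = {0x00: "40/43", 0x85: "20/23"}     # byte 2: magic wakeup command pair


def _to_bytes(cfg_hex: str) -> bytes:
    # accept the table's spelling: optional spaces and a trailing footnote '*'
    cfg = bytes.fromhex(cfg_hex.replace(" ", "").rstrip("*"))
    if len(cfg) != 16:
        raise ValueError("USCUID configuration page is 16 bytes")
    return cfg


def parse_uscuid_config(cfg_hex: str) -> dict:
    cfg = _to_bytes(cfg_hex)
    raw = {name: cfg[off] for off, name in OPTION_AT.items()}
    return {
        "gen1a_mode_field": cfg[0:2].hex().upper(),   # 2-byte field, kept raw
        "magic_wakeup": WAKEUP.get(cfg[2], f"unknown {cfg[2]:02X}"),
        "mystery": bytes(cfg[i] for i in MYSTERY_AT).hex().upper(),
        "sak": cfg[15],
        "raw": raw,
        # only an exact 5A counts as enabled; anything else is visible in "raw"
        "enabled": {name for name, val in raw.items() if val == ENABLED},
    }


def set_option(cfg_hex: str, name: str, enable: bool = True) -> str:
    """New page with one option set to 5A (or cleared to 00), for `hf mf gdmsetcfg`."""
    cfg = bytearray(_to_bytes(cfg_hex))
    cfg[OFFSET_OF[name]] = ENABLED if enable else 0x00
    return cfg.hex().upper()


def set_sak(cfg_hex: str, sak: int) -> str:
    """New page with the SAK byte (offset 15) replaced."""
    cfg = bytearray(_to_bytes(cfg_hex))
    cfg[15] = sak
    return cfg.hex().upper()


KNOWN_VARIATIONS = {   # factory configurations from the table above
    "GDM": "850000000000000000005A5A00000008",
    "GDCUID": "850000000000005A00FF005A00000008",
    "UCUID": "850000000000005A0000005A5A5A0008",
    "7 byte hard": "8500000000005A00005A005A005A0008",
    "M1-7B": "7AFF850102015A00005A005A005A0008",
    "FUID": "7AFF85000000000000FF000000000008",
    "PFUID": "7AFF000000000000BAFA358500000008*",
    "UFUID": "7AFF000000000000BAFA000000000008",
    "ZUID": "7AFF0000000000000000000000000008",
}


def identify(cfg_hex: str) -> str | None:
    """Name of the factory configuration matching this page exactly, if any."""
    want = _to_bytes(cfg_hex)
    for name, hx in KNOWN_VARIATIONS.items():
        if _to_bytes(hx) == want:
            return name
    return None


if __name__ == "__main__":
    for name, hx in KNOWN_VARIATIONS.items():
        p = parse_uscuid_config(hx)
        print(f"{name:12} wakeup {p['magic_wakeup']:5} SAK {p['sak']:02X} "
              f"enabled {sorted(p['enabled'])} mystery {p['mystery']}")
```

Run against a page read back with `hf mf gdmcfg`, identify() tells you whether the tag is still in a known factory state; set_option() and set_sak() produce the value to pass to `hf mf gdmsetcfg` without touching the bytes whose meaning is unknown.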

MIFARE Classic Super

It behaves like regular Mifare Classic but records reader auth attempts.

MIFARE Classic Super Gen1

Old type of cards, hard to obtain. They are DirectWrite, UID can be changed via 0 block or backdoor commands.

  • UID: 4b version
  • ATQA/SAK: fixed
  • BCC: auto
  • ATS: fixed, 0978009102DABC1910F005

ATQA/SAK matches 1k card, but works as 4k card.

MIFARE Classic Super Gen2

New generation of cards, based on limited Gen4 chip. Emulates Gen1 backdoor protocol, but can store up to 7 different traces.

The card always answers ff ff ff ff as at (the tag's authentication answer), so reading/writing it via the MIFARE protocol is impossible.

  • UID: 4b and 7b versions
  • ATQA/SAK: fixed
  • BCC: auto
  • ATS: changeable, default as Gen1

Identify

hf mf info
...
[+] Magic capabilities... Super card ( Gen ? )

Proxmark3 Commands

hf mf supercard

MIFARE Ultralight

MIFARE Ultralight Blocks 0..2

SN0  SN1  SN2  BCC0
SN3  SN4  SN5  SN6
BCC1 Int  LCK0 LCK1

UID is made of SN0..SN6 bytes

Computing BCC0 on UID 04112233445566: analyse lrc -d 88041122 = bf

Computing BCC1 on UID 04112233445566: analyse lrc -d 33445566 = 44

Int is internal, typically 0x48

Anticol shortcut (CL1/3000) is supported for UL, ULC, NTAG except NTAG I2C

MIFARE Ultralight Gen1A

Proxmark3 Commands

script run hf_mfu_setuid -h

When "soft-bricked" (by writing invalid data in block0), these ones may help:

hf 14a config -h
script run hf_mf_magicrevive -u

MIFARE Ultralight DirectWrite

Identify

hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID

It seems so far that all MFUL DW have an ATS response in factory configuration.

Magic Commands

Issue three regular MFU write commands in a row to write first three blocks.

Characteristics

  • UID: Only 7b versions
  • ATQA: all cards play a fixed ATQA
  • SAK: all cards play a fixed SAK
  • BCC: some cards play blindly the block0 BCC0 and block2 BCC1 bytes, some compute proper BCC
  • ATS: all cards reply with an ATS

Proxmark3 Commands

hf mfu setuid -h

Equivalent raw commands: don't use hf mfu wrbl, as the three blocks must be written in a row; instead, with proper BCC0/BCC1:

hf 14a raw -s -c -k a2 00 041122bf
hf 14a raw    -c -k a2 01 33445566
hf 14a raw    -c    a2 02 44480000
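The three raw writes above generated from a 7-byte UID, with BCC0 and BCC1 computed as in the MIFARE Ultralight Blocks 0..2 layout (BCC0 over the cascade tag 0x88 and SN0..SN2, BCC1 over SN3..SN6). This is an added example, not code from the page or the Proxmark3 project; ul_blocks, check_ul_bcc and pm3_raw_writes are this example's own names. check_ul_bcc is the defensive half: run over a dumped tag it tells you whether the BCC bytes match the UID, which is how a "plays blindly" card with a corrupted block 0 or 2 is spotted before a reader rejects it.

```python
from __future__ import annotations

# Added example (not from the page or the Proxmark3 project): build MIFARE
# Ultralight blocks 0..2 for a 7-byte UID and emit the three A2 writes.

CASCADE_TAG = 0x88       # CT byte sent before SN0..SN2 in cascade level 1
INTERNAL_DEFAULT = 0x48  # "Int" byte, typically 0x48


def lrc(data: bytes) -> int:
    """XOR of all bytes (`analyse lrc`)."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def ul_blocks(uid_hex: str, internal: int = INTERNAL_DEFAULT,
              lock: bytes = b"\x00\x00") -> list:
    """Return blocks 0, 1 and 2 (4 bytes each) for a 7-byte UID."""
    uid = bytes.fromhex(uid_hex)
    if len(uid) != 7:
        raise ValueError("Ultralight UIDs are 7 bytes")
    if len(lock) != 2:
        raise ValueError("lock bytes LCK0 LCK1 are 2 bytes")
    bcc0 = lrc(bytes([CASCADE_TAG]) + uid[0:3])   # CT ^ SN0 ^ SN1 ^ SN2
    bcc1 = lrc(uid[3:7])                          # SN3 ^ SN4 ^ SN5 ^ SN6
    block0 = uid[0:3] + bytes([bcc0])             # SN0 SN1 SN2 BCC0
    block1 = uid[3:7]                             # SN3 SN4 SN5 SN6
    block2 = bytes([bcc1, internal]) + lock       # BCC1 Int LCK0 LCK1
    return [block0, block1, block2]


def check_ul_bcc(block0: bytes, block1: bytes, block2: bytes) -> dict:
    """Verify the BCC bytes of a dumped tag.

    A mismatch means the tag plays back whatever was written (no BCC
    computation on the card) and readers will fail anticollision on it.
    """
    if len(block0) != 4 or len(block1) != 4 or len(block2) != 4:
        raise ValueError("Ultralight blocks are 4 bytes")
    uid = block0[0:3] + block1
    return {
        "uid": uid.hex(),
        "bcc0_ok": block0[3] == lrc(bytes([CASCADE_TAG]) + uid[0:3]),
        "bcc1_ok": block2[0] == lrc(uid[3:7]),
    }


def pm3_raw_writes(uid_hex: str) -> list:
    """The three consecutive A2 (WRITE) frames: select and keep the field on
    for the first, keep the field on for the second, release after the last."""
    flags = ["-s -c -k", "-c -k", "-c"]
    return [f"hf 14a raw {f} a2 {i:02x} {blk.hex()}"
            for i, (f, blk) in enumerate(zip(flags, ul_blocks(uid_hex)))]


if __name__ == "__main__":
    for line in pm3_raw_writes("04112233445566"):   # the page's worked UID
        print(line)
```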

libnfc Commands

nfc-mfultralight -h

See --uid and --full

Android (MTools)

MIFARE++ Ultralight

MIFARE Ultralight EV1 DirectWrite

Similar to MFUL DirectWrite

Identify

hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID

Characteristics

  • UID: Only 7b versions
  • ATQA: all cards play a fixed ATQA
  • SAK: all cards play a fixed SAK
  • BCC: cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
  • ATS: all cards reply with an ATS

MIFARE Ultralight C Gen1A

Similar to MFUL Gen1A

MIFARE Ultralight C DirectWrite

Similar to MFUL DirectWrite

Identify

hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID

Characteristics

  • UID: Only 7b versions
  • ATQA: all cards play a fixed ATQA
  • SAK: all cards play a fixed SAK
  • BCC: cards compute proper BCC0 and BCC1 in anticollision
  • ATS: all cards reply with an ATS

MIFARE Ultralight USCUID-UL

These magic cards, like the MFC USCUIDs have a 16 byte long configuration page, comprised of 4 blocks of 4 bytes each. This usually starts with 0x85.

Warning: You cannot turn a Classic tag into an Ultralight and vice-versa!

Characteristics

  • UID: 7 bytes
  • ATQA: always read from hidden block F6
  • SAK: always read from hidden block F6
  • BCC: read from blocks 0-1 per Ultralight specification
  • ATS: These respond to an ATS request with the config page in factory mode

Identify

In factory config state:

hf 14a info
...
[=] -------------------------- ATS --------------------------
[!] ATS may be corrupted. Length of ATS (18 bytes incl. 2 Bytes CRC) doesn't match TL
[+] ATS: 85 00 85 A0 00 00 0A A5 00 04 04 02 01 00 0F 03 [ 07 00 ]

Magic Commands

  • Magic wakeup (A: 00): 40(7), 43
  • Magic wakeup (B: 85): 20(7), 23
  • Backdoor read main and hidden block: 30xx+crc
  • Backdoor write main and hidden block: A2xx[4 bytes data]+crc
  • Read configuration: E050+crc
  • Write configuration: E2[offset*4, 1b][data, 4b]+crc

Known Variations

Factory Configuration                  Name
850000A0 00000AC3 00040301 01000B03    UL-11
850000A0 00000A3C 00040301 01000E03    UL-21
850000A0 0A000A00 00000000 00000000    UL-C
850085A0 00000AA5 00040402 01000F03    NTAG213
850000A0 00000A5A 00040402 01001103    NTAG215
850000A0 00000AAA 00040402 01001303    NTAG216

NTAG

NTAG213 DirectWrite

Similar to MFUL DirectWrite

Identify

hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID

Characteristics

  • UID: Only 7b versions
  • ATQA: all cards play a fixed ATQA
  • SAK: all cards play a fixed SAK
  • BCC: cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
  • ATS: all cards reply with an ATS

NTAG21x

Identify

hf 14a info
...
[+] Magic capabilities : NTAG21x

Characteristics

Emulates fully NTAG213, 213F, 215, 216, 216F

Emulates partially UL EV1 48k/128k, NTAG210, NTAG212, NTAGI2C 1K/2K, NTAGI2C 1K/2K PLUS

Anticol shortcut (CL1/3000): fails

Proxmark3 Commands

script run hf_mfu_magicwrite -h

Version and Signature

Don't forget to configure the maximum read/write blocks:

hf 14a raw -s -c -t 1000 CF000000006BFB

Note: 0xFB = 251

Ultralight EV1 and NTAG Version info and Signature are stored respectively in blocks 250-251 and 242-249.

DESFire

"DESFire" APDU, 7b UID

Magic Commands

Android (MTools) compatible - issue special APDUs

Characteristics

  • ATQA: 0344
  • SAK: 20
  • ATS: 0675338102005110 or 06757781028002F0

Only mimics DESFire anticollision (but wrong ATS), no further DESFire support

Proxmark3 Commands

UID 04112233445566

hf 14a raw -s -c 0200ab00000704112233445566

or equivalently

hf 14a apdu -s 00ab00000704112233445566

"DESFire" APDU, 4b UID

Magic Commands

Android (MTools) compatible - issue special APDUs

Characteristics

  • ATQA: 0008 (This is FM1208-9, NOT DESFire!)
  • SAK: 20
  • ATS: 0675338102005110 or 06757781028002F0

Only mimics DESFire anticollision (but wrong ATS), no further DESFire support

Proxmark3 Commands

UID 11223344

hf 14a raw -s -c 0200ab00000411223344

or equivalently

hf 14a apdu -s 00ab00000411223344

ISO14443B

Tiananxin TCOS CPU Card

This is a card sold on Taobao for testing readers. ISO14443-4 compliant.

Identify

hf 14a apdu -s 90B2900000 // Get Card OS version
>>> 90 B2 90 00 00
<<< 54 43 4F 53 20 56 31 2E 34 2E 30 90 00 | TCOS V1.4.0..

Magic Commands

All commands in APDU.

CL IN P1 P2 Lc Data
90 F4 CC CC 01 [..1 ] // Change protocol used              (1: ISO14443 [AA - type A, BB - type B])
90 F6 CC CC 01 [TA1 ] // Change TA1 value (transfer speed)
90 F8 CC CC 01 [..1 ] // Use random UID/PUPI value         (1: FF: static, AB: random)
90 F8 DD DD 01 [..1 ] // Set UID length                    (1: bytes in UID (04, 07, 0A for 4, 7, 10 bytes accordingly))
90 F8 EE EE 0B [... ] // Set UID/PUPI value                (FF+enter UID value here). To clear, use Lc=01; data=00.
90 FA CC CC 01 [FSCI] // Set FSCI                          (1: value 0-8)
90 FC CC CC 01 [SFGI] // Set SFGI (DO NOT SET TOO HIGH!)   (1: value 0-E)
90 FE CC CC 01 [FWI ] // Set FWI (DO NOT SET BELOW 4!!!)       (1: value 0-E)

ISO15693

ISO15693 Magic

Proxmark3 Commands

Always set a UID starting with E0.

hf 15 csetuid E011223344556677

or (ignore errors):

script run hf_15_magic -u E004013344556677

Multi-Protocol Cards

Ultimate Magic Card (UMC)

Also known as the Ultimate Magic Card; its most prominent features are shadow mode (GTU) and optional password-protected backdoor commands.

Can emulate MIFARE Classic, Ultralight/NTAG families, 14b UID & App Data.

Identify

Note: if the password is not the default, the tag is not identified correctly by the latest Proxmark3 client (it may get mislabelled as MFC Gen2/CUID, Gen3/APDU or NTAG21x Modifiable, depending on the configured UID/ATQA/SAK/ATS).

hf 14a info
[+] Magic capabilities : Gen 4 GTU

The card will be identified only if the password is the default one. One can identify manually such card if the password is still the default one, with the command to get the current configuration:

hf 14a raw -s -c -t 1000 CF00000000C6

If the card is an Ultimate Magic Card, it returns 30 or 32 bytes.

Magic Commands

There are two ways to program this card:

  1. Use the raw commands designated by the hf 14a examples.
  2. Use the hf_mf_ultimatecard.lua script commands. This script is not fully compatible with new version UMC.

Special raw commands summary:

CF <passwd> 32 <00-04>                           // Configure GTU shadow mode
CF <passwd> 34 <1b length><0-16b ATS>            // Configure ATS
CF <passwd> 35 <2b ATQA><1b SAK>                 // Configure ATQA/SAK (swap ATQA bytes)
CF <passwd> 68 <00-02>                           // Configure UID length
CF <passwd> 69 <00-01>                           // (De)Activate Ultralight mode
CF <passwd> 6A <00-03>                           // Select Ultralight mode
CF <passwd> 6B <1b>                              // Set Ultralight and M1 maximum read/write sectors
CF <passwd> C6                                   // Dump configuration
CF <passwd> CC                                   // Version info, returns `00 00 00 [03 A0 (old) / 06 A0 (new) ]`
CF <passwd> CD <1b block number><16b block data> // Backdoor write 16b block
CF <passwd> CE <1b block number>                 // Backdoor read 16b block
CF <passwd> CF <1b param>                        // (De)Activate direct write to block 0
CF <passwd> F0 <30b configuration data>          // Configure all params in one cmd
CF <passwd> F1 <30b configuration data>          // Configure all params in one cmd and fuse the configuration permanently
CF <passwd> FE <4b new_password>                 // change password

Default <passwd>: 00000000
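A builder for the raw frames summarised above, applying the checks the Change ATQA / SAK and Change ATS subsections below warn about: ATQA bytes swapped, SAK bit 3 never set, ATS at most 16 bytes with no CRC, and an ATS required whenever SAK bit 6 is set. This is an added example, not code from the page, the Proxmark3 project or the hf_mf_ultimatecard.lua script; the function names are this example's own, and the hex strings quoted in the docstrings are the page's own worked commands.

```python
from __future__ import annotations

# Added example (not from the page or the Proxmark3 project): build the raw
# `CF <passwd> <cmd> ...` frames for the Ultimate Magic Card.

DEFAULT_PWD = bytes.fromhex("00000000")
PM3_PREFIX = "hf 14a raw -s -c -t 1000 "   # how the page sends these frames


def _frame(cmd: int, body: bytes = b"", pwd: bytes = DEFAULT_PWD) -> str:
    """CF <4-byte password> <command> <body>, as uppercase hex."""
    if len(pwd) != 4:
        raise ValueError("UMC password is 4 bytes")
    return (bytes([0xCF]) + pwd + bytes([cmd]) + body).hex().upper()


def is_valid_sak(sak: int) -> bool:
    """Bit 3 (0x04) announces an extra cascade level and must never be set."""
    return 0 <= sak <= 0xFF and not sak & 0x04


def needs_ats(sak: int) -> bool:
    """Bit 6 (0x20, e.g. SAK 20 or 28) means ISO14443-4: an ATS must be on."""
    return bool(sak & 0x20)


def cmd_atqa_sak(atqa: bytes, sak: int, pwd: bytes = DEFAULT_PWD) -> str:
    """35: ATQA 0044, SAK 28 -> CF0000000035440028 (ATQA bytes are swapped)."""
    if len(atqa) != 2:
        raise ValueError("ATQA is 2 bytes")
    if not is_valid_sak(sak):
        raise ValueError("invalid SAK (bit 3 set or out of range)")
    return _frame(0x35, atqa[::-1] + bytes([sak]), pwd)


def cmd_ats(ats: bytes, pwd: bytes = DEFAULT_PWD) -> str:
    """34: ATS 067577810280 -> CF000000003406067577810280.
    The CRC is added by the card, so it is never part of `ats`; an empty
    ATS (length byte 00) disables the ATS."""
    if len(ats) > 16:
        raise ValueError("max ATS length is 16 bytes, CRC excluded")
    return _frame(0x34, bytes([len(ats)]) + ats, pwd)


def cmd_uid_length(nbytes: int, pwd: bytes = DEFAULT_PWD) -> str:
    """68: 4 / 7 / 10 byte UID -> param 00 / 01 / 02."""
    return _frame(0x68, bytes([{4: 0x00, 7: 0x01, 10: 0x02}[nbytes]]), pwd)


def cmd_ultralight_mode(on: bool, pwd: bytes = DEFAULT_PWD) -> str:
    """69: 00 = MIFARE Classic mode, 01 = Ultralight/NTAG mode."""
    return _frame(0x69, bytes([0x01 if on else 0x00]), pwd)


def cmd_ultralight_type(kind: int, pwd: bytes = DEFAULT_PWD) -> str:
    """6A: 00 UL EV1, 01 NTAG, 02 UL-C, 03 UL (Ultralight mode must be on)."""
    if kind not in (0, 1, 2, 3):
        raise ValueError("Ultralight type is 00..03")
    return _frame(0x6A, bytes([kind]), pwd)


def cmd_max_block(last_block: int, pwd: bytes = DEFAULT_PWD) -> str:
    """6B: maximum read/write block, e.g. 251 -> CF000000006BFB."""
    return _frame(0x6B, bytes([last_block]), pwd)


def cmd_shadow_mode(mode: int, pwd: bytes = DEFAULT_PWD) -> str:
    """32: GTU shadow mode, param 00..04."""
    if mode not in range(5):
        raise ValueError("shadow mode is 00..04")
    return _frame(0x32, bytes([mode]), pwd)


def cmd_backdoor_write(block: int, data: bytes, pwd: bytes = DEFAULT_PWD) -> str:
    """CD: write a 16-byte block through the backdoor."""
    if len(data) != 16:
        raise ValueError("block data is 16 bytes")
    return _frame(0xCD, bytes([block]) + data, pwd)


def cmd_backdoor_read(block: int, pwd: bytes = DEFAULT_PWD) -> str:
    """CE: read a 16-byte block through the backdoor."""
    return _frame(0xCE, bytes([block]), pwd)


def cmd_dump_config(pwd: bytes = DEFAULT_PWD) -> str:
    """C6: dump configuration (a UMC answers with 30 or 32 bytes)."""
    return _frame(0xC6, b"", pwd)


def cmd_change_password(new_pwd: bytes, pwd: bytes = DEFAULT_PWD) -> str:
    """FE: change the 4-byte backdoor password."""
    if len(new_pwd) != 4:
        raise ValueError("new password is 4 bytes")
    return _frame(0xFE, new_pwd, pwd)


def plan_type_a_identity(atqa: bytes, sak: int, ats: bytes,
                         pwd: bytes = DEFAULT_PWD) -> list:
    """Full pm3 lines to set ATQA/SAK and ATS together; refuses a SAK that
    requires an ATS when none is given, so the card stays readable."""
    if needs_ats(sak) and not ats:
        raise ValueError("SAK bit 6 set: ATS must be turned on")
    return [PM3_PREFIX + cmd_atqa_sak(atqa, sak, pwd),
            PM3_PREFIX + cmd_ats(ats, pwd)]


if __name__ == "__main__":
    # the page's worked example: ATQA 0044, SAK 28, ATS 06 75 77 81 02 80
    for line in plan_type_a_identity(bytes.fromhex("0044"), 0x28,
                                     bytes.fromhex("067577810280")):
        print(line)
```

The pm3 lines it prints are exactly the ones shown in the Change ATQA / SAK and Change ATS examples further down; plan_type_a_identity() is the piece worth keeping, since it stops you setting SAK 20/28 with the ATS still disabled, the combination the page warns some readers will not recognise.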

Characteristics

  • UID: 4b, 7b and 10b versions
  • ATQA/SAK: changeable
  • BCC: computed
  • ATS: changeable, can be disabled
  • Card Type: changeable
  • Shadow mode: GTU
  • Backdoor password mode

Proxmark3 Commands

# view contents of tag memory:
hf mf gview
# Read a specific block via backdoor command:
hf mf ggetblk
# Write a specific block via backdoor command:
hf mf gsetblk
# Load dump to tag:
hf mf gload
# Save dump from tag:
hf mf gsave

Change ATQA / SAK

hf 14a raw -s -c -t 1000 CF<passwd>35<2b ATQA><1b SAK>
Warning:
  • ATQA bytes are swapped in the command
  • ATQA bytes that result in iso14443a card select failed can be corrected with hf 14a config --atqa force
  • When SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on, otherwise the card may not be recognized by some readers!
  • Never set SAK bit 3 (e.g. SAK=04), it indicates an extra cascade level is required

Example: ATQA 0044 SAK 28, default pwd

hf 14a raw -s -c -t 1000 CF0000000035440028

Or (note: the script takes care of the ATQA byte order itself):

script run hf_mf_ultimatecard -q 004428

Change ATS

hf 14a raw -s -c -t 1000 CF<passwd>34<1b length><0-16b ATS>
  • <length>: ATS length byte, set to 00 to disable ATS
  • When SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on
  • ATS CRC will be added automatically, don't configure it
  • Max ATS length: 16 bytes (+CRC)

Example: ATS to 0606757781028002F0, default pwd

hf 14a raw -s -c -t 1000 CF000000003406067577810280

Or

script run hf_mf_ultimatecard -z 06067577810280

Set UID Length (4, 7, 10)

hf 14a raw -s -c -t 1000 CF<passwd>68<1b param>
  • <param>
    • 00: 4 bytes
    • 01: 7 bytes
    • 02: 10 bytes

Example: set UID length to 7 bytes, default pwd

hf 14a raw -s -c -t 1000 CF000000006801

Set 14443A UID

UID is configured according to block0 with a backdoor write.

Example: preparing first two blocks:

hf 14a raw -s -c -t 1000 CF00000000CD00000102030405060708090A0B0C0D0E0F
hf 14a raw -s -c -t 1000 CF00000000CD01101112131415161718191A1B1C1D1E1F
hf 14a reader

MFC mode 4b UID

⇒ UID 00010203

script run hf_mf_ultimatecard -t 4 -u 00010203

MFC mode 7b UID

⇒ UID 00010203040506

script run hf_mf_ultimatecard -t 5 -u 00010203040506

MFC mode, 10b UID

⇒ UID 00010203040506070809

script run hf_mf_ultimatecard -t 6 -u 00010203040506070809

(De)Activate Ultralight Mode

hf 14a raw -s -c -t 1000 CF<passwd>69<1b param>
  • <param>
    • 00: MIFARE Classic mode
    • 01: MIFARE Ultralight/NTAG mode

Example: activate Ultralight protocol, default pwd

hf 14a raw -s -c -t 1000 CF000000006901

Or

script run hf_mf_ultimatecard -n 01

In this mode, if SAK=00 and ATQA=0044, it acts as an Ultralight card

Warning: Only the first four bytes of each 16-byte block are mapped into the Ultralight memory map, so the Ultralight block numbers follow the backdoor R/W block numbers.

Select Ultralight Mode

hf 14a raw -s -c -t 1000 CF<passwd>6A<1b param>
  • <param>
    • 00: UL EV1
    • 01: NTAG
    • 02: UL-C
    • 03: UL
Warning: This assumes Ultralight mode has already been activated (see command 69).

Example: set Ultralight mode to Ultralight-C, default pwd

hf 14a raw -s -c -t 1000 CF000000006A02

Or

script run hf_mf_ultimatecard -m 02

Now the card supports the 3DES UL-C authentication.

Set Shadow Mode (GTU)

hf 14a raw -s -c -t 1000 CF<passwd>32<1b param>
  • <param>
    • 00: pre-write, shadow data can be written
    • 01: restore mode (WARNING: new UMC (06a0) cards return garbage data when using 01)
    • 02: disabled
    • 03: disabled, high speed R/W mode for Ultralight?
    • 04: split mode, works with new UMC; untested with old UMC.

Direct Block Read and Write

Using the backdoor commands, any area of the card can be read and written without knowing the MFC sector keys, similar to an MFC Gen1 card.

Backdoor read 16b block:

hf 14a raw -s -c -t 1000 CF<passwd>CE<1b block number>

Backdoor write 16b block:

hf 14a raw -s -c -t 1000 CF<passwd>CD<1b block number><16b block data>

Read/Write operations work on 16 bytes, no matter the Ultralight mode.

Example: read block0, default pwd

hf 14a raw -s -c -t 1000 CF00000000CE00

Example: write block0 with factory data, default pwd

hf 14a raw -s -c -t 1000 CF00000000CD00112233441C000011778185BA18000000

(De)Activate Direct Write to Block 0

This command enables/disables direct writes to block 0.

hf 14a raw -s -c -t 1000 CF<passwd>CF<1b param>
  • <param>
    • 00: Activate direct write to block 0 (same behaviour as Gen2 cards; some readers may identify the card as magic)
    • 01: Deactivate direct write to block 0 (same behaviour as vanilla cards)
    • 02: Default value. (Same behaviour as 00 (?))

Change Backdoor Password

All backdoor operations are protected by a password. If password is forgotten, it can't be recovered. Default password is 00000000.

Warning: New UMC (06A0) cards return 6300 when issued the password change command. On those cards, set the password with F0 instead: write the full configuration with the new password in the password field.

Change password:

hf 14a raw -s -c -t 1000 CF <passwd> FE <4b new_password>

Example: change password from 00000000 to AABBCCDD

hf 14a raw -s -c -t 1000 CF00000000FEAABBCCDD

Dump Configuration

hf 14a raw -s -c -t 1000 CF<passwd>C6

Default configuration:

00000000000002000978009102DABC191010111213141516040008006B024F6B
                                                            ^^^^ CRC, type unknown
                                                          ^^ cf cmd cf: block0 direct write setting
                                                        ^^ cf cmd 6b: maximum read/write sectors
                                                      ^^ cf cmd 6a: UL mode
                                                ^^^^^^ cf cmd 35: ATQA/SAK
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cf cmd 34: ATS length & content
            ^^ cf cmd 32: GTU mode
    ^^^^^^^^ cf cmd fe: password
  ^^ cf cmd 68: UID length
^^ cf cmd 69: Ultralight protocol
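To make the byte layout above and the SAK warnings from the "Change ATQA / SAK" section concrete, here is an added example (not code from the page or the Proxmark3 project) that decodes a C6 configuration dump into named fields and applies those two SAK checks. The sample input is the default configuration listed above; the field names are my own.

```python
# Added example (not from the original page): decode a UMC configuration dump
# using the "Dump Configuration" offsets and apply the "Change ATQA / SAK" checks.

# Constructed input: the page's documented default configuration (C6 reply).
DEFAULT_CONFIG = bytes.fromhex(
    "00000000000002000978009102DABC191010111213141516040008006B024F6B"
)
UID_LENGTHS = {0x00: 4, 0x01: 7, 0x02: 10}                            # cmd 68
UL_MODES = {0x00: "UL EV1", 0x01: "NTAG", 0x02: "UL-C", 0x03: "UL"}   # cmd 6A
GTU_MODES = {0x00: "pre-write", 0x01: "restore", 0x02: "disabled",
             0x03: "disabled, high speed UL R/W", 0x04: "split"}      # cmd 32

def parse_umc_config(cfg: bytes) -> dict:
    """Split a 32-byte dump (30 config bytes + 2-byte CRC) into named fields."""
    if len(cfg) != 32:
        raise ValueError("expected a 32-byte configuration dump")
    ats_len = cfg[7]
    if ats_len > 16:
        raise ValueError("ATS length byte exceeds the 16-byte maximum")
    return {
        "ultralight_protocol": cfg[0] == 0x01,                        # cmd 69
        "uid_length": UID_LENGTHS.get(cfg[1]),                        # cmd 68
        "password": cfg[2:6].hex().upper(),                           # cmd FE
        "gtu_mode": GTU_MODES.get(cfg[6], "unknown"),                 # cmd 32
        "ats": cfg[8:8 + ats_len].hex().upper() if ats_len else None, # cmd 34
        # cmd 35 stores ATQA byte-swapped (ATQA 0004 is kept as 04 00): undo it
        "atqa": bytes([cfg[25], cfg[24]]).hex().upper(),
        "sak": cfg[26],
        "ul_mode": UL_MODES.get(cfg[27], "unknown"),                  # cmd 6A
        "max_rw_sectors": cfg[28],                                    # cmd 6B
        "block0_direct_write": cfg[29],                               # cmd CF
        "crc": cfg[30:32].hex().upper(),                              # type unknown
    }

def sak_warnings(sak: int, ats_enabled: bool) -> list:
    """Apply the two SAK rules from the page (bits numbered from 1, as in ISO 14443-3)."""
    found = []
    if sak & 0x04:   # bit 3, e.g. SAK=04
        found.append("SAK bit 3 set: signals an extra cascade level")
    if sak & 0x20 and not ats_enabled:   # bit 6, e.g. SAK=20 or 28
        found.append("SAK bit 6 set but ATS disabled: some readers will not recognise the card")
    return found

def check_config(cfg: bytes) -> list:
    """Decode a dump and return the warnings that apply to its ATQA/SAK/ATS settings."""
    fields = parse_umc_config(cfg)
    return sak_warnings(fields["sak"], fields["ats"] is not None)
```

Feed it the hex returned by CF<passwd>C6 (minus any Proxmark3 framing) and the decoded ATQA comes out in the natural byte order, matching what hf 14a reader prints.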

Fast Configuration

hf 14a raw -s -c -t 1000 CF<passwd>F0<30b configuration data>

See Dump configuration for configuration data description.

Example: Write factory configuration, using default password

hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC191010111213141516040008004F6B
Warning: The F1 variant of this command sets the configuration and fuses it permanently. Backdoor R/W will still work afterwards.

Presets

Here are some presets available in the FuseTool (all with ATS disabled):

MIFARE Mini S20 4-byte UID

hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000900

MIFARE Mini S20 7-byte UID

hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151644000900

MIFARE 1k S50 4-byte UID (this is the factory setting)

hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000800

MIFARE 1k S50 7-byte UID

hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151644000800

MIFARE 4k S70 4-byte UID

hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151602001800

MIFARE 4k S70 7 byte UID

hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151642001800

Ultralight

hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000003FB

Ultralight-C

hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000002FB

Ultralight EV1

hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000FB

NTAG21x

hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001FB
