Can I clone this transport card?

A rechargeable transport card has just been released in my neighbourhood and I’d like to know how likely it is that I could clone it. pm3 has this to say about it:

[usb] pm3 → hf mfu info

[=] — Tag Information --------------------------
[+] TYPE: MIFARE Ultralight EV1 128bytes (MF0UL2101)
[+] UID: 04 56 24 A2 43 15 91
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: FE ( ok )
[+] BCC1: 65 ( ok )
[+] Internal: 48 ( default )
[+] Lock: 00 00 - 0000000000000000
[+] OneTimePad: 00 00 00 00 - 00000000000000000000000000000000

[=] — Tag Counters
[=] [0]: FF FF 01
[+] - BD tearing ( ok )
[=] [1]: 00 00 00
[+] - BD tearing ( ok )
[=] [2]: 00 07 00
[+] - BD tearing ( ok )

[=] — Tag Silicon Information
[=] Wafer Counter: 19048564 ( 0x122A874 )
[=] Wafer Coordinates: x 342, y 36 (0x156, 0x24)
[=] Test Site: 2

[=] — Tag Version
[=] Raw bytes: 00 04 03 01 01 00 0E 03
[=] Vendor ID: 04, NXP Semiconductors Germany
[=] Product type: Ultralight
[=] Product subtype: 01, 17 pF
[=] Major version: 01
[=] Minor version: 00
[=] Size: 0E, (128 bytes)
[=] Protocol type: 03, ISO14443-3 Compliant

[=] — Tag Configuration
[=] cfg0 [37/0x25]: 00 00 00 FF
[=] - strong modulation mode disabled
[=] - pages don’t need authentication
[=] cfg1 [38/0x26]: 00 05 00 00
[=] - Unlimited password attempts
[=] - NFC counter disabled
[=] - NFC counter not protected
[=] - user configuration writeable
[=] - write access is protected with password
[=] - 05, Virtual Card Type Identifier is default
[=] PWD [39/0x27]: 00 00 00 00 - (cannot be read)
[=] PACK [40/0x28]: 00 00 - (cannot be read)
[=] RFU [40/0x28]: 00 00 - (cannot be read)

[+] — Known EV1/NTAG passwords
[+] Found default password FF FF FF FF pack 00 00
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory…
[=] ------------------------------------------------------------

[usb] pm3

2 Likes
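The `Tag Configuration` block in the output above can be decoded by hand. The following is an added example (not part of the original post and not Proxmark3 code) that reads the CFG0/CFG1 bytes shown there, using the field layout from the NXP MF0ULx1 data sheet, and lists what an issuer reviewing this card configuration would flag. The function name, the severity labels and the hardened sample are assumptions made for illustration.

```python
"""Audit MIFARE Ultralight EV1 config pages (added example, not Proxmark3 code).

Field layout per the NXP MF0ULx1 data sheet:
  CFG0 byte 3 = AUTH0 (first page that requires PWD_AUTH)
  CFG1 byte 0 = ACCESS: PROT = bit 7, CFGLCK = bit 6, AUTHLIM = bits 2..0
Severity labels are this example's own judgement, not NXP's.
"""
FACTORY_PWD = bytes.fromhex("FFFFFFFF")
MF0UL21_LAST_PAGE = 0x28  # MF0UL21 has 41 pages, 0x00..0x28


def audit_ev1_config(cfg0, cfg1, known_pwd=None, last_page=MF0UL21_LAST_PAGE):
    """Return (severity, message) findings for an issuer-side config review.

    known_pwd is a password already shown to authenticate, if any.
    """
    if len(cfg0) != 4 or len(cfg1) != 4:
        raise ValueError("CFG0 and CFG1 are 4-byte pages")
    auth0, access = cfg0[3], cfg1[0]
    prot = bool(access & 0x80)    # 1 = reads and writes need the password
    cfglck = bool(access & 0x40)  # 1 = user configuration permanently locked
    authlim = access & 0x07       # 0 = no limit on failed PWD_AUTH attempts
    findings = []
    if auth0 > last_page:
        findings.append(("HIGH", f"AUTH0=0x{auth0:02X} is past the last page "
                         f"0x{last_page:02X}: no page requires the password"))
    elif not prot:
        findings.append(("MEDIUM", f"PROT=0: pages from 0x{auth0:02X} are "
                         "write-protected only, reads stay open"))
    if authlim == 0:
        findings.append(("MEDIUM", "AUTHLIM=0: failed password attempts are unlimited"))
    if not cfglck:
        findings.append(("MEDIUM", "CFGLCK=0: user configuration is still writeable"))
    if known_pwd == FACTORY_PWD:
        findings.append(("HIGH", "PWD is the factory default FF FF FF FF"))
    return findings


if __name__ == "__main__":
    # cfg0/cfg1 bytes and the default password are copied from the pm3 output above.
    card = audit_ev1_config(bytes.fromhex("000000FF"), bytes.fromhex("00050000"),
                            known_pwd=FACTORY_PWD)
    for severity, message in card:
        print(f"{severity:6} {message}")
    # Constructed hardened sample: AUTH0=0x04, PROT=1, CFGLCK=1, AUTHLIM=3.
    print(audit_ev1_config(bytes.fromhex("00000004"), bytes.fromhex("C3050000")))
```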

The FlexMN has been discontinued :frowning:

Magic Ultralight tags do exist, but they are kind of pricy https://labs.ksec.co.uk/product/magic-ntag-21x-ntag-i2c-mifare-ultralight-ev1-compatible-tag/

2 Likes

The flexUG4 might work for this

4 Likes

Let’s find out!
I’ve gathered together the transport card, the PM3 and the Ultimate Magic Card (as a stand-in for the flexUG4).
What next?

2 Likes

definitely can

hf mfu dump -k ffffffff

e2a: as for configuring the UMC to act as an Ultralight EV1 with this dump uploaded, I’m gonna call in the cavalry: @MDT, he’s got this on lock.

The only issue I see with this working is the counter, which can’t yet be put on UMCs, but the only issue this would create is your original is going to stop working (maybe), which wouldn’t be much of an issue if you intend to get this done on an implant, as you’d not need the external card anymore anyway.

editedit2add: what transport system is this anyways?

4 Likes

@Equipter Hey Buddy!

@LabRat Hello!
Give this a try to configure your UMC, see if you’re able to get your dump onto it properly with this config.
hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC191010111213141516440000008000

If it’s too small, try this:
hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000FF00

5 Likes

Sorry, I should mention that after setting your UMC you’ll still need to change your UID (in the magic notes in the Iceman repo there are good instructions), and you’ll also need to load your dump to the card with hf mfu restore.

4 Likes

And after reading this again you’re going to also have to expand the size past what I posted earlier, sorry, distracted proxmarking.

Part of the journey is learning, right? Haha, sorry.

4 Likes

Whoops, I haven’t been paying attention lately that the flexUG4 exists.

3 Likes

@LabRat, hello, did you have any success cloning it?
@MDT, I have the same transport ticket. I tried to do a dump when it was loaded, then I used the ticket and tried to do a restore using the original loaded dump, but at this point the ticket no longer works. Can you help me understand why?!
N.B. the only difference was the counters; the rest was all the same.