Cloning a Dorm Room Card

Moonman0922 · August 26, 2019, 6:49pm

Hi!
Moving into my new dorm on Sunday! I’m really excited! Mostly because they use NFC LOCKS! That means my XNT should work. I am having trouble with NFC tools copying the tag though. It scans just fine but it wont when I try to copy.
I installed another NFC copy app and it warns that it will be permanent. Is that just a warning for people who don’t know how to use another app or should I be fine? I attached the full scan from taginfo.

** TagInfo scan (version 4.24.4) 2019-08-26 13:09:57 **
Report Type: External

– IC INFO ------------------------------

IC manufacturer:

NXP Semiconductors

IC type:

MIFARE Ultralight EV1 (MF0UL11)

– NDEF ------------------------------

No NDEF data storage populated:

– EXTRA ------------------------------

Memory size:

48 bytes user memory

12 pages, with 4 bytes per page

IC detailed information:

Full product name: MF0UL1101DUx
Capacitance: 17 pF

Version information:

Vendor ID: NXP
Type: MIFARE Ultralight
Subtype: 17 pF
Major version: EV1
Minor version: V0
Storage size: 48 bytes
Protocol: ISO/IEC 14443-3

Configuration information:

AFC counter values:

Counter #0: 0
Counter #1: 0
Counter #2: 0

Originality check:

Signature verified with NXP public key

Virtual Card Type Identifier:

[not accessible]

– FULL SCAN ------------------------------

Technologies supported:

ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

Android technology information:

Tag description:

TAG: Tech [android.nfc.tech.NfcA, android.nfc.tech.MifareUltralight, android.nfc.tech.NdefFormatable]
Maximum transceive length: 253 bytes
Default maximum transceive time-out: 618 ms

Detailed protocol information:

ID: 04:D1:4E:EA:33:5B:80
ATQA: 0x4400
SAK: 0x00

Memory content:

[00] * 04:D1:4E 13 (UID0-UID2, BCC0)
[01] * EA:33:5B:80 (UID3-UID6)
[02] x 02 48 08 00 (BCC1, INT, LOCK0-LOCK1)
[03] x 5E:07:01:20 (OTP0-OTP3)
[04] . 06 0A 00 21 |…!|
[05] . 00 00 00 00 |…|
[06] . 00 00 5E CE |…^.|
[07] . 1F 8A A4 9D |…|
[08] . 54 98 C8 D3 |T…|
[09] . 5D 5E AE D0 |]^…|
[0A] . 7C C2 5E 5E ||.^^|
[0B] . A1 5E 5E 51 |.^^Q|
[0C] . 5E 5E 5E 5E |^^^^|
[0D] . 5E 5E 5E 5E |^^^^|
[0E] . 5E 5E 5E 00 |^^^.|
[0F] . A7 92 A7 B8 |…|
[0F] ?p XX XX XX XX (LOCK2-LOCK4, CHK)
[10] ?p XX – -- – (AUTH0)
[11] ?p XX XX – -- (ACCESS, VCTID)
[12] +P XX XX XX XX (PWD0-PWD3)
[13] +P XX XX – -- (PACK0-PACK1)

*:locked & blocked, x:locked,
+:blocked, .:un(b)locked, ?:unknown
r:readable (write-protected),
p:password protected, -:write-only
P:password protected write-only

bepiswriter · August 26, 2019, 9:19pm

So just to be clear, you can scan the tag on the reader and have it deny you access but when you clone to the tag the door will not read it at all?

My best guess here is the lock is using the UID of the tag and you’d need to program your ID into it or wait until we find some chip that can clone Ultralight C-style UIDs.

turbo2ltr · August 26, 2019, 9:49pm

The xNT is not clonable. Not sure what you are copying. The lock MAY use just the UID, or since it’s an EV1 may use the crypto features which the xNT has none of.

Sadly you will not get anywhere trying to do what you are doing. If you get buddy buddy with the people that provision the cards, you might be able to convince them to try enrolling your xNT. But that may not work even if you get them to try. You may need the flexDF (you would still need to get them to enroll it for you, it;s not clonable)

What you really need is the EV1 with the chinese back door, then I think you could clone the card. But that isn’t available anymore.

amal · August 27, 2019, 1:05am

See page 02 that has the data 02 48 08 00? Well the 3rd byte 08 dictates that some memory pages be locked read-only, which includes the capability container (page 03) which does not look like a standard NFC compliant capability container value, and since these are bit-flipped OTP bytes, you might not be able to update your CC to match this one… and any changes that are attempted would be permanent since these bits are OTP (one time programmable).

Actually you’ve been fooled by marketing. The “EV1” of the Ultralight chip does not use anything fancy. It is a simple password scheme like the xNT (NTAG216) … they use “EV1” for a ton of “new versions” of each type of tag they release, not all of which use good encryption or any encryption at all, like the Ultralight EV1.

The bottom line is that the “copy” function of NFC Tools is a pile of misleading crap. It can “copy” the user memory of a tag, but not the UID (serial number), meaning that basically 100% of systems that are trying to read the copied tag are going to try to check the UID against it’s records and it will fail. Many systems stop there, and never do anything with the user memory… but some systems typically only check or do anything with user memory once the serial number is validated… so basically because you can’t copy the UID to the xNT, you can’t make a complete and full copy of the source card. It’s kinda like you went to copy a key and it copied all the ridges from the source key to the new copy, but the copy has the wrong shape so it won’t even go into the lock… know what I mean?

aqua-dream · September 26, 2019, 2:26pm

UST student? I’m searching for information about this card. Have you successfully cloned it?