Hi guys, I’m doing some background research on MIFARE Ultralight EV1 and Nano cards. My goal is to be able to scan the UID and ECC originality signature from an authentic EV1 and emulate these values on a CUID or Magic Card (Gen 4).
I’ll start off by asking, does anybody know if the Magic Card is currently able to emulate ECC signatures? I’ve read their website product page top to bottom, but it only seems to mention that they are capable of customizing the UID.
Ideally, I would like to be able to acquire a hex dump of an authentic Ultralight EV1 or a Nano, edit a few bits (values returned from the GET_VERSION command), and customize the UID & ECC signature.
If this was somehow possible, I believe the Magic Card could be virtually indistinguishable from an authentic MIFARE Ultralight EV1 (minus a few rare exceptions). But as it stands, if the Magic Card is not capable of emulating a custom ECC signature, most systems with fairly decent security mechanisms in place could detect it as illegitimate and flag the user.
One thing I noticed digging through the product data sheets from NXP is that, unlike the rest of the MIFARE Ultralight family, the Nano version comes with an in-built function to customize the originality signature (I have no idea why, this seems like a massive oversight on NXP’s part). But from what I can find, there doesn’t seem to be a card that supports Nano UID customization. While there are some differences in memory structure between the EV1 and the nano, so long as the NFC reader is not utilizing any password functionality, a modifiable Nano should theoretically be able to masquerade as an EV1.
Because these chips are proprietary, I’m having trouble finding out how to conduct memory analysis on them. If anybody has any advice I’d be highly appreciative.
Thanks
