Hi, I need to clone this:
```
[usb] pm3 → hf mfu info
[=] — Tag Information --------------------------
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] UID: 04 02 99 0A 46 22 91
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: 17 ( ok )
[+] BCC1: FF ( ok )
[+] Internal: 48 ( default )
[+] Lock: 00 00 - 0000000000000000
[+] OTP: 00 00 00 00 - 00000000000000000000000000000000
[=] — Tag Counters
[=] [0]: 00 00 00
[+] - BD tearing ( ok )
[=] [1]: 00 00 00
[+] - BD tearing ( ok )
[=] [2]: 00 00 00
[+] - BD tearing ( ok )
[=] — Tag Signature
[=] IC signature public key name: NXP Ultralight Ev1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A827564E11718E017292FAF23226A96614B8
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: C8252CDE6AAD9CC7F0794321C7F7C95B5E9E7FFA6E3E4DD9C03FCBEECFF497B6
[+] Signature verification ( successful )
[=] — Tag Silicon Information
[=] Wafer Counter: 19155137 ( 0x12448C1 )
[=] Wafer Coordinates: x 258, y 153 (0x102, 0x99)
[=] Test Site: 2
[=] — Tag Version
[=] Raw bytes: 0004030101000B03
[=] Vendor ID: 04, NXP Semiconductors Germany
[=] Product type: Ultralight
[=] Product subtype: 01, 17 pF
[=] Major version: 01
[=] Minor version: 00
[=] Size: 0B, (64 ↔ 32 bytes)
[=] Protocol type: 03, ISO14443-3 Compliant
[=] — Tag Configuration
[=] cfg0 [16/0x10]: 000000FF
[=] - strong modulation mode disabled
[=] - pages don’t need authentication
[=] cfg1 [17/0x11]: 00050000
[=] - Unlimited password attempts
[=] - NFC counter disabled
[=] - NFC counter not protected
[=] - user configuration writeable
[=] - write access is protected with password
[=] - 05, Virtual Card Type Identifier is default
[=] PWD [18/0x12]: 00000000 ( cannot be read )
[=] PACK [19/0x13]: 0000 ( cannot be read )
[=] RFU [19/0x13]: 0000 ( cannot be read )
[+] — Known EV1/NTAG passwords
[+] Password… FFFFFFFF pack… 0000
[=]
[=] — Fingerprint
[=] n/a
```
I have a gen4 GDM USCUID, can I emulate the source card? Do I need to pay attention to anything?
I just dumped this card with the command hf mfu dump.
Thank you @Aoxhwjfoavdlhsvfpzha @Equipter @Pilgrimsmaster
is it a UL USCUID?
run hf 14a info on it please.
2 Likes
yesinmorse:
straightforward
```
[usb] pm3 → hf 14a info
[=] ---------- ISO14443-A Information ----------
[+] UID: 96 BF 94 21 ( ONUID, re-used )
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[=]
[+] Magic capabilities… Gen 4 GDM / USCUID ( Magic Auth )
[+] Prng detection… weak
[?] Hint: use hf mf gdm* magic commands
[?] Hint: try hf mf commands
[usb] pm3 →
```
High-quality GDM 7 Byte 1K Mifare Classic S50 White Card, compatible with GEN4 GMD USCUID systems. Ideal for access control, time tracking, and secure identification applications.
Do you still have the Gen4 GTU?
1 Like
yes
@Aoxhwjfoavdlhsvfpzha after past experience I prefer to use the GDM directly
1 Like
```
[usb] pm3 → hf mf gdmsetcfg -d 7AFF00000000000000005A5A00000008
[+] Write ( ok )
[?] try hf mf gdmcfg to verify
[usb] pm3 → hf mf gdmcfg
[+] ------------------- GDM Gen4 Configuration -----------------------------------------
[+] 7AFF00000000000000005A5A00000008
[+] 7AFF… Magic wakeup enabled with GDM cfg block access
[+] …00… Magic wakeup style Gen1a 40(7)/43
[+] …000000… unknown
[+] …00… Key B use allowed when readable by ACL
[+] …00… CUID Disabled
[+] …00… n/a
[+] …00… MFC EV1 perso. 4B UID from Block 0
[+] …5A… Shadow mode enabled
[+] …5A… Magic auth enabled
[+] …00… Static encrypted nonce disabled
[+] …00… MFC EV1 signature disabled
[+] …00.. n/a
[+] …08 SAK
```
This is the actual configuration. I read here:
# Notes on Magic Cards, aka UID changeable
This document is based mostly on information posted on http://www.proxmark.org/forum/viewtopic.php?pid=35372#p35372
Useful docs:
* [AN10833 MIFARE Type Identification Procedure](https://www.nxp.com/docs/en/application-note/AN10833.pdf)
but I can’t find all the possible configurations to write (or more probably I’m stupid)
```
85000000000000000000000000000008
      ^^^^^^    ^^          ^^   >> ??? Mystery ???
^^^^                             >> Gen1a mode (works with bitflip)
    ^^                           >> Magic wakeup command (00 for 40-43; 85 for 20-23)
            ^^                   >> Block use of Key B if readable by ACL
              ^^                 >> CUID mode
                  ^^             >> MFC EV1 CL2 Perso config*
                    ^^           >> Shadow mode**
                      ^^         >> Magic Auth command
                        ^^       >> Static encrypted nonce mode
                          ^^     >> Signature sector
                              ^^ >> SAK***
```
To enable an option, set it to 5A.
* 5A - unfused F0. C3 - F0: CL2 UID; A5 - F1: CL2 UID with anticollision shortcut; 87 - F2: CL1 Random UID; 69 - F3: CL1 non-UID. Anything else is going to be ignored, and set as 4 bytes.
** Do not change the real ACL! Backdoor commands only acknowledge FF0780. To recover, disable this byte and issue regular write to sector trailer.
*** If perso byte is enabled, this SAK is ignored, and hidden SAK is used instead.
1 Like
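Added example, not part of the original posts and not Proxmark3 code: a decoder for the 16-byte GDM configuration block that follows the byte layout in the diagram and `hf mf gdmcfg` output quoted above, run on the two values from this thread. The function and field names are this example's own, and treating any listed perso value as "enabled" is this example's reading of the third footnote.

```python
# Added example: decode a GDM/USCUID config block using the byte layout quoted
# in this thread. Names below are this example's own, not Proxmark3 identifiers.
ON = 0x5A  # "To enable an option, set it to 5A."

# (byte offset, option name) for the single-byte on/off options in the diagram
FLAGS = [(6, "block_key_b"), (7, "cuid_mode"), (10, "shadow_mode"),
         (11, "magic_auth"), (12, "static_encrypted_nonce"),
         (13, "signature_sector")]
WAKEUP = {0x00: "40-43", 0x85: "20-23"}
# Perso byte values from the first footnote; anything else means a 4-byte UID.
PERSO = {0x5A: "unfused F0", 0xC3: "F0: CL2 UID",
         0xA5: "F1: CL2 UID with anticollision shortcut",
         0x87: "F2: CL1 Random UID", 0x69: "F3: CL1 non-UID"}


def decode_gdm_cfg(hex_cfg):
    """Return a dict describing one 16-byte config block given as hex."""
    raw = bytes.fromhex(hex_cfg)
    if len(raw) != 16:
        raise ValueError("GDM config block is 16 bytes, got %d" % len(raw))
    cfg = {
        "gen1a_mode": raw[0:2].hex().upper(),
        "magic_wakeup": WAKEUP.get(raw[2], "unlisted (%02X)" % raw[2]),
        "perso": PERSO.get(raw[9], "ignored, 4-byte UID"),
        "sak": "%02X" % raw[15],
        # bytes 3-5, 8 and 14: the "Mystery" / "unknown" / "n/a" positions
        "undocumented": (raw[3:6] + raw[8:9] + raw[14:15]).hex().upper(),
    }
    for offset, name in FLAGS:
        cfg[name] = raw[offset] == ON
    cfg["warnings"] = []
    if cfg["shadow_mode"]:  # second footnote
        cfg["warnings"].append(
            "shadow mode: backdoor commands only acknowledge ACL FF0780")
    if raw[9] in PERSO:  # third footnote; "enabled" read as any listed value
        cfg["warnings"].append("perso byte set: SAK byte is ignored")
    return cfg


if __name__ == "__main__":
    # The two config values that appear in this thread.
    for sample in ("7AFF00000000000000005A5A00000008",
                   "85" + "00" * 14 + "08"):
        print(sample)
        for key, value in decode_gdm_cfg(sample).items():
            print("  %-24s %s" % (key, value))
```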
The GDM doesn’t support multiple modes like the GTU does, it can’t do ultralight unfortunately
2 Likes
```
hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000FB
```
And then
```
script run hf_mf_ultimatecard -w 1 -t 12 -u 0402990A462291
```
I think this is probably a good place to start
2 Likes