How can I clone a MIFARE Ultralight EV1 using proxmark3?

Good afternoon everyone.

I’m a super noob to all things RFID. Back in college I did some projects with duplicating and manipulating magnetic stripe cards, but that’s trivial compared to what I’m trying to do now.

I just got my proxmark3 today. My dorm room key is a MIFARE Ultralight EV1. I’m trying to get some practice in by copying this key. I’m not sure how to interpret the below dump, but based on what I know about where I live, I would assume it has low security.

My goal is to just successfully clone this card as a “Hello World!” type of test, just to verify that everything is working and gain a level of understanding with the proxmark3. I have no idea how to even start. I’ve been at it for a few hours now, reading reddit and here. So now I’m just going to ask.

Below is the dump. Where should I go from here? Is it password protected?

EDIT: block#'s 0/0x00, 1/0x01, and 2/0x02 are in red. Those entire lines appear red. For block# 3/0x03, the “1” under lck is red, it’s the only red thing on that line.

[usb] pm3 --> hf mfu dump
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] Reading tag memory...
[?] Hint: Try using a password

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 04 03 01 01 00 0B 03
[=] TBD 0....... 00 00
[=] TBD 1....... 00
[=] Signature... FD D2 A7 66 53 4F 13 0F 68 28 A2 89 61 32 BC B9
[=]              29 27 DD E2 55 35 E4 4A 14 C8 17 E8 45 E1 F7 47
[=] Counter 0... 00 00 00
[=] Tearing 0... BD
[=] Counter 1... 00 00 00
[=] Tearing 1... BD
[=] Counter 2... 00 00 00
[=] Tearing 2... BD
[=] Max data page... 15 ( 64 bytes )
[=] Header size..... 56 bytes

[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 2B CB 6C |   | .+.l
[=]   1/0x01 | E2 71 67 80 |   | .qg.
[=]   2/0x02 | 74 48 08 00 |   | tH..
[=]   3/0x03 | 2B 01 EB 1D | 1 | +...
[=]   4/0x04 | EA EF 18 D4 | 0 | ....
[=]   5/0x05 | 5A C2 D6 B2 | 0 | Z...
[=]   6/0x06 | 44 FC 4F DC | 0 | D.O.
[=]   7/0x07 | 8D 59 1A F4 | 0 | .Y..
[=]   8/0x08 | 2C 32 48 F7 | 0 | ,2H.
[=]   9/0x09 | A2 CB CD A5 | 0 | ....
[=]  10/0x0A | 00 00 00 00 | 0 | ....
[=]  11/0x0B | 00 00 00 00 | 0 | ....
[=]  12/0x0C | 00 00 00 00 | 0 | ....
[=]  13/0x0D | 00 00 00 00 | 0 | ....
[=]  14/0x0E | 00 00 00 00 | 0 | ....
[=]  15/0x0F | 00 00 00 00 | 0 | ....
[=] ---------------------------------

First question is… what are you going to clone it to? RFID transponders from legitimate companies like NXP are not writable in this way… you can’t just overwrite a legit ultralight ev1 chip with data from a different one.

If your goal is to have the proxmark pretend to be this tag, that is called emulation. If you really want to copy this tag to another transponder, you will need to find a magic chip made by gray market criminal Chinese factories violating intellectual property laws. Luckily, these products are fairly easy to find :slight_smile: You might want to check out the flexUG4 for starters… though the proxmark3 Lua script used to change the “mode” the flexUG4 chip is in seems kinda busted at the moment and doesn’t work well for setting up and cloning ultralight and ultralight ev1 chips.

The other thing you need to worry about is if the system uses any of the security aspects or features of the ev1 version of the ultralight chip. The original ultralight chip basically had no security whatsoever, just a serial number and writable memory. The ultralight c which came out later is more like today’s ntag216… it had an admin section of memory and basically an admin password in order to change permissions and do basic authentication. The ev1 version is an entirely new release that has the same memory structure as the original ultralight, but implements additional security features. If the system doesn’t care about those features and just looks at the serial number, then cloning should be easy. If not, then it gets harder. I’m not even sure flexUG4 chip can emulate the security features of the ultralight ev1… maybe it can just pretend without actually implementing those features.

2 Likes

Two different levels of knowledge.

  1. Card technology
  2. The System the card is being used with

For 1, you start with reading the official datasheet from NXP. You got the name of the card tech being used: MIFARE Ultralight EV1 48bytes (MF0UL1101).

For 2, you will need to identify which system it is from. I can tell yours is from a VINGCARD hospitality system.

3 Likes
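
Added example, not part of any post above: a Python sketch that reads the block table from the dump in the question and decodes pages 0 to 2 using the layout in the NXP MIFARE Ultralight datasheet (7-byte UID, the two BCC check bytes, and the lock bytes). The function names `parse_pages` and `decode_header` are illustrative; the rows are copied from the posted dump.

```python
import re

# Block table rows copied from the `hf mfu dump` output posted in this thread.
DUMP = """\
[=]   0/0x00 | 04 2B CB 6C |   | .+.l
[=]   1/0x01 | E2 71 67 80 |   | .qg.
[=]   2/0x02 | 74 48 08 00 |   | tH..
[=]   3/0x03 | 2B 01 EB 1D | 1 | +...
[=]   4/0x04 | EA EF 18 D4 | 0 | ....
[=]   5/0x05 | 5A C2 D6 B2 | 0 | Z...
[=]   6/0x06 | 44 FC 4F DC | 0 | D.O.
[=]   7/0x07 | 8D 59 1A F4 | 0 | .Y..
[=]   8/0x08 | 2C 32 48 F7 | 0 | ,2H.
[=]   9/0x09 | A2 CB CD A5 | 0 | ....
[=]  10/0x0A | 00 00 00 00 | 0 | ....
[=]  11/0x0B | 00 00 00 00 | 0 | ....
[=]  12/0x0C | 00 00 00 00 | 0 | ....
[=]  13/0x0D | 00 00 00 00 | 0 | ....
[=]  14/0x0E | 00 00 00 00 | 0 | ....
[=]  15/0x0F | 00 00 00 00 | 0 | ....
"""

# page number | four data bytes | optional lck flag
ROW = re.compile(r"^\[=\]\s+(\d+)/0x[0-9A-Fa-f]{2} \| ((?:[0-9A-Fa-f]{2} ?){4})\|\s*([01]?)\s*\|")

def parse_pages(text):
    # Returns {page: (4 data bytes, lck flag as int, or None when the column is blank)}
    pages = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lck = int(m.group(3)) if m.group(3) else None
            pages[int(m.group(1))] = (bytes.fromhex(m.group(2)), lck)
    return pages

def decode_header(pages):
    p0, p1, p2 = pages[0][0], pages[1][0], pages[2][0]
    lock = p2[2] | (p2[3] << 8)  # lock byte 0 is the low byte, lock byte 1 the high byte
    return {
        "uid": (p0[:3] + p1).hex(),  # first UID byte 0x04 is the NXP manufacturer code
        "bcc0_ok": (0x88 ^ p0[0] ^ p0[1] ^ p0[2]) == p0[3],  # 0x88 = cascade tag
        "bcc1_ok": (p1[0] ^ p1[1] ^ p1[2] ^ p1[3]) == p2[0],
        "block_locks": lock & 0b111,  # bits 0..2 freeze the lock bits themselves
        # bit n (3..15) set means page n is read-only; bit 3 covers page 3 (OTP)
        "locked": {page: bool(lock >> page & 1) for page in range(3, 16)},
    }

if __name__ == "__main__":
    print(decode_header(parse_pages(DUMP)))
```

For this dump both check bytes verify and the lock bytes `08 00` mark only page 3 as read-only, which is the single `1` in the `lck` column.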