Issues with UG4 emulating Mifare UL EV1

Hi all. I’ve run into a problem when using my UG4 implant (and the test card which I’m actually doing the main amount of testing on) to try and emulate hotel room keys, specifically 48 byte Ultralight EV1s. This has happened in two different hotels now which are both using the same MF0UL1101 cards, and for some reason even after copying as much info as I can get my hands on onto the UG4 and test card, the readers simply refuse to even read the cards. Specifically, the information I have put on the magic card is UID, OTP, and signature - using the hf_mf_ultimatecard script - and then I have used dumps of the room keys to compare individual blocks and copy individual blocks over, testing each time I copy a new block, to see if it would work. I am not too familiar with the memory architecture of EV1 cards, so I was cautious to try and check before I copy each block because I didn’t want to brick something, but I ended up with identical dumps anyway and the UG4 card and implant both will not be registered by the reader.

I have attached comparisons of the “hf mfu info” results for the (1) original room key and then the (2) gen4 card I got with my UG4 implant.

[=] --- Tag Information --------------------------
[+]       TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+]        UID: 04 EB 67 FA 28 16 90
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 00 ( ok )
[+]       BCC1: 54 ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: 08 00  - 0000100000000000
[+]        OTP: 87 07 EB 25  - 10000111000001111110101100100101

[=] --- Tag Silicon Information
[=]        Wafer Counter: 19055903 ( 0x122C51F )
[=]    Wafer Coordinates: x 235, y 103 (0xEB, 0x67)
[=]            Test Site: 2

[=] --- Tag Counters
[=]        [0]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [1]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [2]: 00 00 00
[+]             - BD tearing ( ok )

[=]  IC signature public key name: NXP Ultralight EV1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A8
[=]                              : 27564E11718E017292FAF23226A96614
[=]                              : B8
[=]     Elliptic curve parameters: secp128r1
[=]              TAG IC Signature: EADECC3AD8BCD778B97AD96CFF52F07C
[=]                              : C39A7CC1BC85BDBB93C22882B6CC3DA4
[+]        Signature verification: successful

[=] --- Tag Version
[=]        Raw bytes: 0004030101000B03
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0B, (64 - 32 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant
[=]
[=] --- Fingerprint
[=] n/a

And for the test card:

[=] --- Tag Information --------------------------
[+]       TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101) ( NTAG21x )
[+]        UID: 04 EB 67 FA 28 16 90
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 00 ( ok )
[+]       BCC1: 54 ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: 00 00  - 0000000000000000
[+]        OTP: 87 07 EB 25  - 10000111000001111110101100100101

[=] --- Tag Counters
[=]        [0]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [1]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [2]: 00 00 00
[+]             - BD tearing ( ok )

[=]  IC signature public key name: NXP Ultralight EV1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A8
[=]                              : 27564E11718E017292FAF23226A96614
[=]                              : B8
[=]     Elliptic curve parameters: secp128r1
[=]              TAG IC Signature: EADECC3AD8BCD778B97AD96CFF52F07C
[=]                              : C39A7CC1BC85BDBB93C22882B6CC3DA4
[+]        Signature verification: successful

[=] --- Tag Version
[=]        Raw bytes: 0004030101000B03
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0B, (64 - 32 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

[=] --- Tag Configuration
[=]   cfg0 [16/0x10]: 00000000
[=]                     - strong modulation mode disabled
[=]                     - page 0 and above need authentication
[=]   cfg1 [17/0x11]: 00000000
[=]                     - Unlimited password attempts
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration writeable
[=]                     - write access is protected with password
[=]                     - 00, Virtual Card Type Identifier is not default
[=]   PWD  [18/0x12]: 00000000 ( cannot be read )
[=]   PACK [19/0x13]: 0000     ( cannot be read )
[=]   RFU  [19/0x13]:     0000 ( cannot be read )

[+] --- Known EV1/NTAG passwords
[+] Password... FFFFFFFF  pack... 0000
[=]
[=] --- Fingerprint
[=] n/a

And the output from programming the gen4 card using the script (ignoring the dumps because it really doesn't change anything, the card simply is not registered by the reader no matter what blocks of memory I update):

[usb] pm3 --> script run hf_mf_ultimatecard -w 1 -t 12 -m 00 -u 04EB67FA281690 -o 8707EB25 -s EADECC3AD8BCD778B97AD96CFF52F07CC39A7CC1BC85BDBB93C22882B6CC3DA4
[+] executing lua C:\{PATH}\prox\ProxSpace-master\pm3\proxmark3\client\luascripts/hf_mf_ultimatecard.lua
[+] args '-w 1 -t 12 -m 00 -u 04EB67FA281690 -o 8707EB25 -s EADECC3AD8BCD778B97AD96CFF52F07CC39A7CC1BC85BDBB93C22882B6CC3DA4'

Starting Ultralight Wipe
Wiping tag
.........................................................................................................................................................................................................................................................


Setting: Ultimate Magic card to NTAG 213
Writing new UID         04E10CDA993C80
Writing new version     0004040201000F03
Writing new UID         04E10CDA993C80
Writing new NTAG PWD    FFFFFFFF
Writing new PACK        0000
Writing new MFUL signature      8B76052EE42F5567BEB53238B3E3F9950707C0DCC956B5C5EFCFDB709B2D82B3
Setting: Ultimate Magic card to UL-EV1 48
Writing new UID         04112233445566
Writing new OTP         00000000
Writing new version     0004030101000b03
Changing card UL mode to Ultralight EV1
Writing new UID         04EB67FA281690
Writing new OTP         8707EB25
Writing new MFUL signature      EADECC3AD8BCD778B97AD96CFF52F07CC39A7CC1BC85BDBB93C22882B6CC3DA4

[+] finished hf_mf_ultimatecard

Some immediate discrepancies jump out at me, which I don’t exactly know how to approach. The gen4 card’s type comes up as NTAG21X as well, despite using ‘-m 00’ when programming. The lock bits are different, and there is tag information available in cfg0 and cfg1 that's not there on the room key. I haven’t looked into changing the lock bits, because again, being unfamiliar with EV1’s architecture I’m not entirely certain that it’s going to be something that I can easily undo.

I’ve considered changing the password of the UG4 card (and implant) and also changing the setting ‘-b’ in the ultimatecard script for ‘maximum read/write blocks’. I’m not super comfortable changing the default key, but am considering that the reader runs a check for a key of FFFFFFFF and so changing that may mitigate that issue. I also am uncertain what a maximum read/write block length should be.

The reason I have not made any of those changes is because of the nature of the unsuccessful read by the doors. In both EV1 cases I have tried to clone, the door reader will actually scan and flash red for seemingly any 14443A tag (tested with a mifare classic 1k and 4k config of UG4, and some random desfire tag from the cards I have with me). But as soon as I modify the UG4 into an EV1 tag with the UID, it just does not even read the tag. No light, no flashing, no click, nothing. Proxmark and my phone still scan the tag just fine. It leads me to think it's some other config issue rather than just a default key check or a read/write block length check, but I’m sort of stuck as to what it is. I’m testing with the DT UG4 test card.

Any help would be appreciated. Cheers.

1 Like

Assuming you have an android phone, what does NXP’s TagInfo have to say about the actual key card–not the clone attempts? Also, have you tried sniffing the exchange with the reader? Some things, such as the PACK feature in NTAG21x transponders, do not work properly–at least during my last tests.

2 Likes

Will need a hf 14a sniff -r -c of a transaction between the reader and card to determine exactly what is up, but the GTU in the UG4 has some features it's not able to accurately replicate on mifare ultralight tags, i.e. if the reader is polling the OTP it will respond with 00s

4 Likes

Well, I got it working. I decided to take the chance to educate myself a bit more on 14443A reader and tag communication and ended up sorting it out. Luckily, as you mentioned @Equipter, the reader was not polling for OTP. The NXP dump was something I did first and pretty much told me the same things as the pm3 did. I ended up doing this sniff:

[usb] pm3 --> hf 14a list
[+] Recorded activity ( 278 bytes )
[=] start = start of start frame. end = end of frame. src = source of transfer.
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52(7)                                                                    |     | WUPA
       2228 |       4596 | Tag |44  00                                                                   |     |
      24912 |      27376 | Rdr |93  20                                                                   |     | ANTICOLL
      28548 |      34372 | Tag |88  04  07  3F  B4                                                       |     |
      54544 |      65072 | Rdr |93  70  88  04  07  3F  B4  C5  31                                       |  ok | SELECT_UID
      66244 |      69764 | Tag |04  DA  17                                                               |  ok |
      90000 |      92464 | Rdr |95  20                                                                   |     | ANTICOLL-2
      93636 |      99460 | Tag |FA  28  16  91  55                                                       |     |
     119648 |     130176 | Rdr |95  70  FA  28  16  91  55  35  6E                                       |  ok | SELECT_UID-2
     131348 |     134932 | Tag |00  FE  51                                                               |  ok |
     169984 |     173600 | Rdr |60  F8  32                                                               |  ok | EV1 VERSION
     174772 |     186420 | Tag |00  04  03  01  01  00  0B  03  FD  F7                                   |  ok |
     208144 |     216368 | Rdr |1B  06  C4  ED  E4  50  29                                               |  ok | PWD-AUTH: 0x06C4EDE4
     217540 |     222276 | Tag |69  3D  8B  46                                                           |  ok |
     324240 |     328944 | Rdr |30  04  26  EE                                                           |  ok | READBLOCK(4)
     330180 |     350980 | Tag |64  EC  BC  6B  B4  5B  9E  48  2C  92  27  50  CC  CD  94  E6  D3  F3   |  ok |
     374480 |     379184 | Rdr |30  08  4A  24                                                           |  ok | READBLOCK(8)
     380420 |     401220 | Tag |7E  08  43  07  38  A2  6E  66  00  00  00  00  00  00  00  00  0C  F6   |  ok |

I wasn’t able to get a sniff on the UG4 card for some reason, it would just kick back with a trace len of 0 or crash my pm3. Decoding that whole process showed me that the UG4 card was not able to set the password fully in EV1 mode, and it ended up having to be recorded in memory manually as well as with the script. Using the hf_mf_ultimatecard script with -p 06C4EDE4 -a 693D to set the password and pack was a bit misleading. I’m not sure the specifics of how those arguments work, but setting the password in this way actually did change the EV1 password on the UG4 (i.e. I then needed the newly set pwd to dump the tag fully instead of it just working with a default pwd) but did not update the config page memory in blocks 18/19 where the spec sheet claims these should be found.

Looking between the reader and tag, after rdr 1B 06 C4 ED E4 50 29 the tag is supposed to respond with its pack + CRC but, despite being set in the script, it was again not in memory, so was returning 00 00 instead of 69 3D. Dumping the UG4 with the newly set pwd showed:

[=] 18/0x12 | 00 00 00 00 | ? | …
[=] 19/0x13 | 00 00 00 00 | ? | …

Instead of on the real card using its pwd (the same as I was setting on the UG4):
[=] 18/0x12 | 06 C4 ED E4 | ? | …
[=] 19/0x13 | 69 3D 00 00 | ? | i=..

Simply setting the password and pack using the script or setting the password and pack in memory was not enough. To get the card working, I had to manually hf mfu wrbl using the key after setting it with the script for both the password and the pack before it would finally respond correctly to my raw commands. In my previous attempts at writing memory the pwd auth step (1B …) would always end up failing, so I guess what was needed was both the password/pack being set with the script and the password/pack being set manually in memory (after changing the password).
That might address your problem @tac0s. I could also not get the pack working until doing the script set and memory write.

Thanks for your suggestions :slight_smile:

4 Likes
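To check what that sniff actually shows, here is an added example (not from the thread or from the Proxmark project) that parses the `hf 14a list` lines above, rebuilds the 7-byte UID from the two cascade levels, verifies the BCC and CRC_A on every frame, and pulls out the PWD_AUTH password and the PACK the tag answered with. The trace lines are copied from the post; a tag answering PACK 00 00, the UG4 failure described above, simply shows up as `pack == "0000"`.

```python
# Frames copied from the post's "hf 14a list" trace (WUPA/ATQA left out: they carry no CRC).
TRACE = """\
 24912 |  27376 | Rdr |93  20                             |     | ANTICOLL
 28548 |  34372 | Tag |88  04  07  3F  B4                 |     |
 54544 |  65072 | Rdr |93  70  88  04  07  3F  B4  C5  31 |  ok | SELECT_UID
 66244 |  69764 | Tag |04  DA  17                         |  ok |
 90000 |  92464 | Rdr |95  20                             |     | ANTICOLL-2
 93636 |  99460 | Tag |FA  28  16  91  55                 |     |
119648 | 130176 | Rdr |95  70  FA  28  16  91  55  35  6E |  ok | SELECT_UID-2
131348 | 134932 | Tag |00  FE  51                         |  ok |
208144 | 216368 | Rdr |1B  06  C4  ED  E4  50  29         |  ok | PWD-AUTH: 0x06C4EDE4
217540 | 222276 | Tag |69  3D  8B  46                     |  ok |
"""
ANTICOLL = (b"\x93\x20", b"\x95\x20")   # cascade level 1 / level 2 anticollision requests

def crc_a(data: bytes) -> bytes:
    """ISO14443-3 CRC_A (poly 0x8408, init 0x6363), returned LSB first as sent on air."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def parse_trace(text: str) -> list:
    """Return [(src, payload bytes)] from the Start | End | Src | Data | CRC | Annotation columns."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) >= 4 and cols[2] in ("Rdr", "Tag"):
            frames.append((cols[2], bytes.fromhex(cols[3])))   # fromhex ignores the spaces
    return frames

def decode(frames: list) -> dict:
    """Rebuild the 7-byte UID, verify BCC and CRC_A, and pull out the PWD_AUTH password and PACK."""
    out, last = {"uid": "", "bcc_errors": 0, "crc_errors": 0, "pwd": None, "pack": None}, b""
    for src, f in frames:
        if src == "Rdr":
            last = f[:2]
        if last in ANTICOLL:                                  # anticollision pair: no CRC either way
            if src == "Tag":                                  # reply: 4 bytes + BCC (XOR of the 4)
                out["bcc_errors"] += f[4] != f[0] ^ f[1] ^ f[2] ^ f[3]
                out["uid"] += (f[1:4] if f[0] == 0x88 else f[:4]).hex().upper()   # 0x88 = cascade tag
        elif crc_a(f[:-2]) != f[-2:]:                         # every other frame ends in CRC_A
            out["crc_errors"] += 1
        elif src == "Rdr" and f[0] == 0x1B:                   # PWD_AUTH: 0x1B + 4-byte password
            out["pwd"] = f[1:5].hex().upper()
        elif src == "Tag" and last[:1] == b"\x1B":            # its answer: 2-byte PACK + CRC_A
            out["pack"] = f[:2].hex().upper()
    return out
```

Running `decode(parse_trace(TRACE))` on the copied frames gives the UID 04073FFA281691 with no BCC or CRC errors, password 06C4EDE4 and PACK 693D, which is exactly what the real key card answered and what the UG4 had to be made to answer.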

And the implant now works as well following the same procedure :grinning_face_with_smiling_eyes:

4 Likes

Thanks for that detailed write up of your fix! This forum is such a trove of documentation that is hard to find elsewhere or non-existent.

4 Likes