MiFare Ultralight EV1

Hey all,

I posted a year ago about trying to clone my MiFare Ultralight EV1 room key to my implanted NeXT and was told that it wouldn’t be possible because “It is not possible to copy any Ultralight or even another NTAG216 to the NTAG216 chip inside the NExT because the NTAG216 chip does not allow for UID changes.” I was wondering if there were any other implants in the store right now that would be able to achieve this goal or if I’m just gonna have to suck it up and use a dreaded keycard. Any responses would be appreciated!

I’ve included pictures of the TagInfo output.

EDIT: Is this a DESFire EV1?! I assume so in this comment, but I have no idea haha.

The cards can not be cloned, they are secure.
At least they should be, but idk.
Why is there an EV2 version if EV1 was secure? If you had a DESFire EV1 that you can overwrite the ID of and EV1’s are really broken, you might have a chance to convert it… nah, unlikely.

If it’s just the UID it checks, maybe you could try a flexM1 and set the beginning of your ID as ID?
MAYBE they just check the first 4 bytes of any NFC tag to be compatible with most card types?

You could get a flexDF(2) and see if you can enroll it with the help of whoever controls your room keys…

This should help you with trying to enroll your implant!

1 Like

It’s actually a different protocol in general. Reading NXP’s site, the Ultralight Type-C cards use DES encryption, but the Ultralight EV1’s use an OTP password feature instead.

If it was Type-C, I’d be inclined to say that cloning it is completely out of the question, but the EV1, I’m not so sure. I’m not familiar enough with the chipsets to say what is possible or not, but the closest I think you could get to cloning it would be copying its UID to an xM1, but I’m not sure if that would do anything. :woman_shrugging:

1 Like

I’m looking through the products and I see quite a few options for DESFire and I’m not quite sure what the difference between all of them is. I understand that I would definitely need to overwrite the UID of the chip, but aside from that, I’m trying to understand the benefits of the other chips:

xM1 “magic” 1k vs. flexM1 “Magic” 1k, but the regular xM1 does not offer a choice between the gen 1a and 2 writes. I imagine the x-series defaults to gen 1a?
or
flexDF2 DESFire EV2 vs xDF2 DESFire EV2, in which case the benefit seems to be some higher level features on the flex, but if I’m seeking the writable UID, then is it worth it to grab the flex?

and then of course there’s the regular flexDF NFC Chip, but I imagine it would be overshadowed by the DF2. Apologies for the intro questions!

So that there limits your choices to LF chips: xEM, flexEM, flexNExT, flexMT
Or HF chips:
xM1, flexM1, flexMT

I don’t think I’ve missed any, the DF chips have a UID that is unchangeable.

Correct, xM1 is gen1

1 Like

Your understanding here is correct. The xM1 are only offered in the gen 1a, while you can select between the generations for the flexM1.

The main benefit of getting the flex over the x-series is going to be the antenna size/shape. The actual chips are identical.

The DF/DF2 don’t have writable UIDs at all. The encryption that the DESFire standard is using hasn’t been broken, so there’s no way to clone DESFire cards.

As far as I can tell, yes. The DESFire EV2 are pretty much an overall improvement over the EV1s, so take that as you will.

You don’t have to apologize - this is why we’re here! Trying to figure things out and help each other all out.

To reiterate though, I don’t think your chip is a DESFire. The Ultralight is a different standard from “Classic” (M1 Series) and “DESFire” (DF/DF2), so I don’t think any of the chips that DT offers would be able to fully clone the room key. But, if the readers are able to read the Classic standard, and if they are only checking the UID, you might be able to clone the key’s UID to a Classic chip and use that. But that’s a lot of if’s, and I’m not sure if any of these things are possible in the long run (I’m not familiar with Ultralight). Your best bet would probably be to order a Classic test card and see if you can make it work before committing to the implant.

2 Likes

Thank you so much! I’ve managed to clone the UID to a little blue puck with this product. As it stands, the hotel door reader doesn’t recognize my NExT when placed against it, however, after cloning the UID to the puck, the door flashes red, so it read it, but was incorrect. I suspect this means it looks at more than the UID sadly. If this is the case, does this mean I need to go to my systems administrator to register my NExT, or will I need to get a new implant with a compatible chipset for the door reader since it appeared to not even register my NExT?

As @Ottomagne said, “You don’t have to apologize”. Mate, you have clearly done your research, and that absolutely helps us out when it comes to helping you out.

I would suggest you have a read of this…

https://forum.dangerousthings.com/t/cloning-white-cloner-how-to-dont-do-it-but-incase-you-already-have/5139/3
.
.
.

Hey @Appellus, remember about a year ago (which is why this thread was sounding very familiar to me)

You will need to ask Amal if this :arrow_heading_down: is still an option, but as of 5 months ago, this was his comment

So this MIGHT be a solution for you.

Please let us know if you go with this option, I think you may be the first :interrobang:

1 Like

I’ve done some further testing with the reader on my door and lo and behold, when I remove the plastic shield, I am actually able to have the door reader register my NExT. I guess this means I don’t have to worry about a second implant, but if to get a reading I need to remove the shielding every time, I may invest in just grabbing a flexNExT for the increased range (and cause it just looks awesome).

Thank you @Pilgrimsmaster for bringing to my attention that the white cloner is dangerous (I suspected as much, but at $60 CAD the deal was too sweet). I’ll stop using it immediately to ensure I don’t brick the chip. I’ve never had issues reading my HID 125KHz student ID or Ultralight room key, but I’d rather not take any chances as I don’t have a Proxmark here or nearby. I’ll just grab the blue cloner from the DT store to be safe and stick to my phone for the HF side.

As for the door, I can either just bite the bullet and try to talk to my Systems Administrator again about it (granted they complained that by using the chip in a public space I could be advertising the security issues, like I don’t see how that’s my fault), or a new idea I’ve had: I do some modding on the door lock with an xEM AC to bypass the issue of using HF altogether. Granted, this modding would have to be some non-invasive stuff for when my lease ends, and I’m concerned that I’d have to do some electrical work to get the door lock/reader to power the board, but it may be possible.

That’s awesome, though not particularly convenient.

Good solution, but as you already have a NExT, personally I would recommend a flexMT for you.

Haha, so yeah, if you do get a Blue cloner, definitely get it from DT, as it is the most up to date and the only one with the added AWID functionality.

Just as a heads up:

  • The Blue Cloner will write the source ID to your T5577 based product, then set a password after writing. This protects the target T5577 chip from other malicious writers, but it also means your target chip requires a password to write data to it again. This does not affect the Blue Cloner – it will continue to function properly – but if you wish to write to your T5577 chip using any other writer, you will need to ensure the writer can authenticate first using the password 51243648.

if you wish to write to your T5577 chip using any other writer
e.g. Proxmark

I guess this is more of a fundamental question but what does the Magic 1k do that the NTAG216 wouldn’t be able to (provided a little bit of tag writing)?

They’re different chips so cannot be equal. In basic terms the MIFARE (magic) has a feature that lets you change sector 0, which contains the 4-byte NUID.

It also has around 800 bytes of user memory that, providing it is not used by your lock, can be used for NDEF records (information).

The NTAG216 has a fixed 7-byte UID and contains 888 bytes of user memory.

1 Like
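The thread keeps circling the same two facts: which chip family a TagInfo readout actually points at (Ultralight vs Classic vs DESFire), and whether a 7-byte UID can fit a 4-byte-NUID Classic chip at all. The following is an added example written for this page, not code from the thread or from Dangerous Things; the chip-family table follows the public NXP AN10833 identification rules, and every UID and dump in it is constructed.

```python
# Added example (not from the thread): classify an ISO/IEC 14443-A tag from the
# ATQA / SAK / UID that an app such as NXP TagInfo reports, using the public
# NXP AN10833 identification rules, and sanity-check a Classic 1K block 0 dump.
# All sample UIDs and dumps below are constructed for illustration.

# (ATQA, SAK) -> chip family. Only the common values are listed; TagInfo
# needs extra commands (e.g. GET_VERSION) to tell Ultralight EV1 from NTAG21x.
FAMILIES = {
    (0x0044, 0x00): "MIFARE Ultralight / Ultralight C / Ultralight EV1 / NTAG21x",
    (0x0004, 0x08): "MIFARE Classic 1K (or MIFARE Plus 2K in security level 1)",
    (0x0002, 0x18): "MIFARE Classic 4K (or MIFARE Plus 4K in security level 1)",
    (0x0344, 0x20): "MIFARE DESFire (EV1/EV2/EV3)",
}

def classify(atqa: int, sak: int, uid: bytes) -> dict:
    """Return the likely chip family plus the facts that matter for the
    'can this UID go onto an xM1/flexM1' question raised in the thread."""
    return {
        "family": FAMILIES.get((atqa, sak), "unknown (look up ATQA/SAK in AN10833)"),
        "uid_len": len(uid),
        # SAK bit 6 set => ISO/IEC 14443-4 card (DESFire, Plus SL3), not Classic/Ultralight
        "iso14443_4": bool(sak & 0x20),
        # a 7-byte UID cannot be written byte-for-byte into a 4-byte-NUID Classic chip
        "fits_4byte_nuid": len(uid) == 4,
    }

def parse_classic_block0(block: bytes) -> dict:
    """Decode block 0 of a MIFARE Classic 1K dump: UID[4] BCC SAK ATQA[2] and
    8 manufacturer bytes. BCC must equal UID0^UID1^UID2^UID3, otherwise the
    anticollision frame is inconsistent and many readers reject the card."""
    if len(block) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    uid = block[0:4]
    bcc = 0
    for b in uid:
        bcc ^= b
    return {
        "uid": uid,
        "bcc_ok": block[4] == bcc,
        "sak": block[5],
        "atqa": int.from_bytes(block[6:8], "little"),
        "manufacturer": block[8:16],
    }

if __name__ == "__main__":
    # constructed values: a 7-byte Ultralight-family UID and a 4-byte Classic dump
    print(classify(0x0044, 0x00, bytes.fromhex("04aabbccddeeff")))
    print(parse_classic_block0(bytes.fromhex("deadbeef22080400" + "00" * 8)))
```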