MIFARE ULTRALIGHT AND NTAG2x3 EMULATOR

Instruction Manual

The PDF version of the Manual for MIFARE Ultralight version only can be found here.


Hardware Features:


Software Features:

With switch set to Locked position:

With switch set to Unlocked position:


Functional Description

Common functions of all firmware versions (MIFARE Ultralight, MIFARE Ultralight EV1, NTAG203 and NTAG213):

The Emulator has a switch that can be toggled between one of the two positions: Locked and Unlocked. In the Locked mode, the Emulator operates according to the datasheet of the tag emulated, with a few possible exceptions that can be programmed in the Unlocked mode:

In the Unlocked mode, all pages are fully writable, with the following exceptions:

These restrictions are always present, and are necessary to keep the Emulator readable. Lack of these restrictions could render the Emulator unreadable both in practice and according to ISO 14443-A part 3.

Table 1: Reserved Byte Definitions

Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 0 | UID0 | UID1 | UID2 | BCC0
Page 1 | UID3 | UID4 | UID5 | UID6
Page 2 | BCC1 | Internal

Specific functions of each emulated tag:

With newly created firmware versions, similarities in features of different tag types have become obvious. For that reason, features are no longer grouped by tag type in this Manual. Instead, a summary of features for each tag is listed in Table 2, and each feature may or may not be present in a tag, depending on tag type.

Table 2: Features of Emulated Tags

Feature \ Tag: | MIFARE Ultralight | NTAG203 | NTAG213 | 20-page EV1 | 41-page EV1
Number of pages in Locked mode | 16 | 42 | 45 | 20 | 41
Dynamic Lock bits | - | Yes (page 40) | Yes (page 40) | - | Yes (page 36)
Lock and Block-Locking bit effect | Next REQA / WUPA | Next REQA / WUPA | Immediate | Immediate | Immediate
16-bit one-way counters | 0 | 1 (page 41) | 0 | 0 | 0
24-bit one-way counters including INCR_CNT command | 0 | 0 | 0 | 3 (pages 43-45) | 3 (pages 43-45)
24-bit NFC counters | 0 | 0 | 1 (page 45) | 0 | 0
ASCII Mirror | - | - | Yes | - | -
Signature (pages 46-53) | - | - | Yes | Yes | Yes
Configuration Lock | - | - | Yes | Yes | Yes
Response modulation index | - | - | Yes | Yes | Yes
Password Auth + Sniffer (*new!*) | - | - | Yes | Yes | Yes
FAST_READ command | - | - | Yes | Yes | Yes
GET_VERSION command | - | - | Yes | Yes | Yes
CHECK_TEARING_EVENT command | - | - | - | Yes | Yes
VCSL command | - | - | - | Yes | Yes

Tag feature descriptions:

16-bit one-way counter

The counter in bytes 0 and 1 of page 41 can be written with any value in Unlocked mode by directly writing that value to page 41.

24-bit one-way counters and INCR_CNT command

Writing 24-bit counters with any value is performed in Unlocked mode by writing pages 43, 44 and 45 for counters 0, 1 and 2 respectively. Those pages are write-only in Unlocked mode and are never available for reading. Increment and read of counters is performed with commands INCR_CNT and READ_CNT in both Locked and Unlocked modes.
NOTE: page 45 is shared with Password Authentication and Sniffer Mode.

24-bit NFC counter

Writing the 24-bit NFC counter with any value is performed in Unlocked mode by writing page 45. This page is write-only in Unlocked mode and is never available for reading. The counter is incremented automatically, depending on the configuration settings described in the NTAG213 datasheet, and it is read with the same command used to read counter 2 in tags that have 3 counters. Alternatively, this counter can be read with the ASCII mirror function.
NOTE: page 45 is shared with Password Authentication and Sniffer Mode.

ASCII mirror

Mirror function works exactly like in original tags in both Locked and Unlocked modes. Suppression of mirrored fields that do not fit into readable range is performed automatically depending on control bits in registers MIRROR_CONF, ACCESS, MIRROR_PAGE, AUTH0 value, and additionally on the position of the lock switch. Unlocked mode opens the entire 45-page memory of NTAG213 for read and write access, extending the possible mirror range up to page 40, independently of PROT bit and AUTH0 value.

Signature

Setting signature (the 32-byte value read with command 0x3C 0x00, normally read-only) is performed by writing pages 46 - 53 in Unlocked mode in a single session, without interrupting the magnetic field from the reader, and without resetting the state machine to IDLE. Pages 46 - 53 can be written in any order, and other commands can be placed in between, as long as the state is not reset to IDLE. If a page within range 46 - 53 is written multiple times, the first value will be stored and all following values will be ignored (with ACK reply to prevent interruption of page loading process). If not all pages 46 - 53 are written in a single session, the signature will not be updated and will keep the previous value. Pages 46 - 53 are write-only, similarly to 24-bit counters. Signature contents are preserved even after removal of batteries, as the signature is stored in a page of Flash memory of the Emulator, unlike the conventional tag memory, which is stored in RAM. Writing signature to Flash takes 9 ms, which exceeds default response timeout for NFC standard. For that reason, the firmware implementation still gives ACK response after the minimal turn-around time, but halts the microcontroller after the ACK response. Therefore, it's not recommended to send any other commands in the same session after writing the signature, as the emulator will become unresponsive for about 9 ms after the response to the last of 8 WRITE or COMPATIBILITY_WRITE commands to pages 46 - 53. Since the real tag's signature is read-only anyway, this increased write timing does not present any emulation problems. Reading the signature takes the same response time as on a real tag and does not interfere with timing of other commands.
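The session rules above (first write to a page wins, nothing is stored until all eight pages have arrived, a reset to IDLE discards partial loads) can be modelled as follows. This is an added example, not firmware code from the manufacturer; the class and method names are hypothetical, and restarting the staging after a commit is an assumption, since the manual advises against further commands in that session.

```python
SIG_PAGES = range(46, 54)  # write-only signature pages 46 - 53


class SignatureStaging:
    """Hypothetical model of how the Emulator accepts a new 32-byte signature."""

    def __init__(self):
        self.stored = b"\xff" * 32  # initial signature value listed in the manual
        self._staged = {}           # pages received in the current session

    def write(self, page, data):
        """WRITE to a signature page in Unlocked mode; always answered with ACK."""
        if page not in SIG_PAGES or len(data) != 4:
            raise ValueError("signature writes are 4 bytes to pages 46 - 53")
        # A repeated write to the same page is ACKed but its value is ignored.
        self._staged.setdefault(page, bytes(data))
        if len(self._staged) == len(SIG_PAGES):
            # All eight pages arrived in one session: commit (the 9 ms Flash write).
            self.stored = b"".join(self._staged[p] for p in SIG_PAGES)
            self._staged = {}  # assumption: staging starts over after a commit
        return "ACK"

    def reset_to_idle(self):
        """Field loss or state reset: a partial load is thrown away."""
        self._staged = {}


def load_in_one_session(emulator, signature):
    """Write a constructed 32-byte value page by page, in reverse order."""
    for page in reversed(SIG_PAGES):
        offset = (page - SIG_PAGES.start) * 4
        emulator.write(page, signature[offset:offset + 4])
    return emulator.stored
```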

Configuration lock

In Unlocked mode, CFGLCK bit 6 of byte 0 of page 42 has no effect, like all lock and block-locking bits.

Response modulation index

STRG_MOD_EN bit 2 of byte 0 of page containing AUTH0 byte has no effect in any mode, and simply retains the value written, like a user memory location. Response modulation index in real tags has effect on tag reading distance only. The Emulator has only one hardware setting for maximum distance.

GET_VERSION command

Response of GET_VERSION command is hard-coded for each tag (Table 3), similarly to responses ATQA and SAK.

Table 3: GET_VERSION responses of emulated tags

Tag Name | Tag Part Number | GET_VERSION response bytes
NTAG213 | NT2H1311 | 00 04 04 02 01 00 0F 03
20-page EV1 | MF0UL1101D | 00 04 03 01 01 00 0B 03
41-page EV1 | MF0UL2101D | 00 04 03 01 01 00 0E 03

CHECK_TEARING_EVENT command

Response of CHECK_TEARING_EVENT command is always 0xBD, regardless of the reserved byte 3 in dynamic lock bit page, as if tearing never occurred.

VCSL command

This command behaves exactly as described in tag datasheets in both Locked and Unlocked modes.

Password Authentication and Sniffer Mode (*new!*)

Password and Acknowledge

Password and password-acknowledge (PACK) pages read as all zeros in Locked mode, and reveal the stored information in Unlocked mode.

AUTHENTICATE command

Authentication with command 0x1B works according to the datasheet in Locked mode. In Unlocked mode, the ACTIVE state does not exist: the tag goes to AUTHENTICATED state immediately when it would normally enter the ACTIVE state, as if authentication with the correct password was performed before any user command after the anticollision procedure. The whole tag content becomes readable regardless of AUTH0 byte and PROT bit. However, if an explicit AUTHENTICATE command with wrong password is given in Unlocked mode, the Emulator would still reset the state to IDLE and require a new anticollision procedure before any next user command. If any of the bits 2 - 0 (AUTHLIM) of ACCESS byte is set (the failed authentication counter limit is enabled), the Emulator in Unlocked mode still counts authentication commands with wrong password, and would still respond with status 0x4 if the limit is exceeded. The failed attempt counter is however easily reset in Unlocked mode by writing page 45 (see Table 4 and Table 5).

Failed password attempt counter

Setting the number of failed password authentication attempts is performed by writing page 45 in Unlocked mode: refer to Table 4 and Table 5. Page 45 is write-only in Unlocked mode and is never available for reading.

Sniffer modes (*new!*)

The function of revealing the stored password and acknowledge values in Unlocked mode is useless if there is no physical way to replace an original NFC tag with the Emulator during the procedure of setting the password. For that reason, a new method of revealing the password has been introduced in firmware: the password can now be stored in its page not only by writing that page, but also from the argument of the AUTHENTICATE command! There are 2 password sniffing modes currently available:

  1. PACK mode, in which the password coming from the AUTHENTICATE command overwrites the password stored in the password page before comparison is performed, thus replying internally stored PACK for any password. Note that in this mode a reader could find the emulated tag is not genuine because the correct PACK value might not be known at that stage, before the captured password has been read out by the user in Unlocked mode, and used to authenticate with a real tag being cloned and containing the correct PACK value.
  2. Timeout mode, in which the password coming from the AUTHENTICATE command also overwrites the password stored in the password page, but the comparison result is forced to be "not equal", thus creating a reply timeout, resetting state machine to IDLE state, and requiring the NFC reader to restart the anticollision procedure, as if the Emulator was removed from the reader right after the AUTHENTICATE command. In this mode the failed password attempt counter is not incremented, in order to prevent the Emulator from responding with status "Authentication counter limit exceeded" (0x4), which is different from the normal timeout response of a wrong password. Such a situation could occur if the NFC reader is repeatedly trying to run its application in which the AUTHENTICATE command is one of the steps, while the Emulator is physically interacting with the reader.
Sniffer modes perform their functions in both Locked and Unlocked modes of the Emulator. Please refer to Table 5 and Table 6 for sniffer mode bit settings.

Sharing a 24-bit counter, failed password attempt counter, and sniffer mode settings in the same page

For backwards compatibility of firmware versions, the three completely independent functions have ended up in the same write-only page. Since reading any of the written values is not possible through the same page, modifying values for one function without affecting the others requires additional control. This control is represented by 2 mask bits to enable or disable writing the 24-bit counter and the failed password attempt counter, and by a combination of sniffer mode bits meaning "keep previous state".

Table 4: Sharing counters and sniffer in Unlocked mode

Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 45: Write-only | 24-bit counter 2 or NFC counter (LSB 0 - MSB 2) | CNT_WR_CTRL
Pages 46 - 53: Write-only | Signature

Table 5: CNT_WR_CTRL byte of NTAG213 and EV1 in Unlocked mode

Byte | Bit 7 | Bit 6 | Bit 5 | Bit 4 | Bits 3 - 0
CNT_WR_CTRL | NWR_NFC_CNT | NWR_AUTH_CNT | SNIFF_MODE_1 | SNIFF_MODE_0 | Failed Auth Counter

NWR_NFC_CNT : writing this bit with 1 will disable writing 24-bit or NFC Counter in the same write operation.
NWR_AUTH_CNT : writing this bit with 1 will disable writing failed authentication counter in the same write operation.

Table 6: Sniffer mode bit settings

SNIFF_MODE_1 | SNIFF_MODE_0 | Description
0 | 0 | Keep previous sniffing mode
0 | 1 | Enable PACK sniffing mode
1 | 0 | Enable Timeout sniffing mode
1 | 1 | Disable sniffing modes (default)
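Because page 45 cannot be read back, it helps to see exactly which hidden values a given 4-byte write touches. The sketch below is an added example, not code from the manufacturer: it decodes and builds page 45 values from Tables 4 - 6 and applies them to a hypothetical state dictionary. The function names and the sample state are assumptions made for illustration.

```python
SNIFF_KEEP, SNIFF_PACK, SNIFF_TIMEOUT, SNIFF_OFF = 0b00, 0b01, 0b10, 0b11  # Table 6
NWR_NFC_CNT, NWR_AUTH_CNT = 0x80, 0x40  # Table 5, bits 7 and 6 of CNT_WR_CTRL


def decode_page45(page):
    """Split a 4-byte page 45 write into the fields of Tables 4 and 5."""
    if len(page) != 4:
        raise ValueError("a page is exactly 4 bytes")
    ctrl = page[3]  # CNT_WR_CTRL is byte 3
    return {
        "counter": int.from_bytes(page[:3], "little"),  # LSB in byte 0
        "write_counter": not ctrl & NWR_NFC_CNT,        # mask bit set = skip
        "write_failed_auth": not ctrl & NWR_AUTH_CNT,
        "sniff_mode": (ctrl >> 4) & 0b11,
        "failed_auth": ctrl & 0x0F,
    }


def encode_page45(counter=None, failed_auth=None, sniff_mode=SNIFF_KEEP):
    """Build a write that changes only the fields given; None means leave alone."""
    ctrl = (sniff_mode & 0b11) << 4
    if counter is None:
        ctrl, counter = ctrl | NWR_NFC_CNT, 0
    if failed_auth is None:
        ctrl, failed_auth = ctrl | NWR_AUTH_CNT, 0
    if not 0 <= counter < 1 << 24 or not 0 <= failed_auth <= 0x0F:
        raise ValueError("counter is 24 bits, failed-auth counter is 4 bits")
    return counter.to_bytes(3, "little") + bytes([ctrl | failed_auth])


def apply_write(state, page):
    """Return the hidden state after a page 45 write (state is a hypothetical dict)."""
    fields, new = decode_page45(page), dict(state)
    if fields["write_counter"]:
        new["counter"] = fields["counter"]
    if fields["write_failed_auth"]:
        new["failed_auth"] = fields["failed_auth"]
    if fields["sniff_mode"] != SNIFF_KEEP:
        new["sniff_mode"] = fields["sniff_mode"]
    return new


# Constructed sample state, not read from a device (page 45 cannot be read back).
state = {"counter": 0x000123, "failed_auth": 3, "sniff_mode": SNIFF_TIMEOUT}
state = apply_write(state, encode_page45(sniff_mode=SNIFF_OFF))  # sniffer off only
state = apply_write(state, encode_page45(failed_auth=0))         # clear attempts only
```

The initial page 45 value 00 00 00 30 listed later in this Manual decodes, under this layout, to counter 0, failed authentication counter 0 and sniffing disabled.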

Memory organizations of emulated tags in Unlocked mode:

MIFARE Ultralight

Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 0 | UID0 | UID1 | UID2 | BCC0
Page 1 | UID3 | UID4 | UID5 | UID6
Page 2 | BCC1 | Internal | Lock & Block-Locking
Page 3 | OTP
Pages 4 - 15 | User Memory

NTAG203

Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 0 | UID0 | UID1 | UID2 | BCC0
Page 1 | UID3 | UID4 | UID5 | UID6
Page 2 | BCC1 | Internal | Lock & Block-Locking
Page 3 | OTP
Pages 4 - 39 | User Memory
Page 40 | Dynamic Lock & Block-Locking | RFU
Page 41 | 16-bit Counter | RFU

NTAG213

Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 0 | UID0 | UID1 | UID2 | BCC0
Page 1 | UID3 | UID4 | UID5 | UID6
Page 2 | BCC1 | Internal | Lock & Block-Locking
Page 3 | OTP
Pages 4 - 39 | User Memory
Page 40 | Dynamic Lock & Block-Locking | RFU
Page 41 | MIRROR | RFU | MIRROR_PAGE | AUTH0
Page 42 | ACCESS | RFU
Page 43 | Password
Page 44 | Password ACK | RFU
Page 45: Write-only | NFC Counter (LSB 0 - MSB 2) | CNT_WR_CTRL
Pages 46 - 53: Write-only | Signature

20-page EV1

Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 0 | UID0 | UID1 | UID2 | BCC0
Page 1 | UID3 | UID4 | UID5 | UID6
Page 2 | BCC1 | Internal | Lock & Block-Locking
Page 3 | OTP
Pages 4 - 15 | User Memory
Page 16 | MOD | RFU | AUTH0
Page 17 | ACCESS | VCTID | RFU
Page 18 | Password
Page 19 | Password ACK | RFU
Pages 20 - 42 | Not Implemented
Page 43: Write-only | 24-bit Counter 0 (LSB 0 - MSB 2) | RFU
Page 44: Write-only | 24-bit Counter 1 (LSB 0 - MSB 2) | RFU
Page 45: Write-only | 24-bit Counter 2 (LSB 0 - MSB 2) | CNT_WR_CTRL
Pages 46 - 53: Write-only | Signature

41-page EV1

Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 0 | UID0 | UID1 | UID2 | BCC0
Page 1 | UID3 | UID4 | UID5 | UID6
Page 2 | BCC1 | Internal | Lock & Block-Locking
Page 3 | OTP
Pages 4 - 35 | User Memory
Page 36 | Dynamic Lock & Block-Locking | RFU
Page 37 | MOD | RFU | AUTH0
Page 38 | ACCESS | VCTID | RFU
Page 39 | Password
Page 40 | Password ACK | RFU
Pages 41 - 42 | Not Implemented
Page 43: Write-only | 24-bit Counter 0 (LSB 0 - MSB 2) | RFU
Page 44: Write-only | 24-bit Counter 1 (LSB 0 - MSB 2) | RFU
Page 45: Write-only | 24-bit Counter 2 (LSB 0 - MSB 2) | CNT_WR_CTRL
Pages 46 - 53: Write-only | Signature

Initial memory state of each emulated tag:

MIFARE Ultralight

Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 0 | 04 | 00 | 00 | 8C
Page 1 | 00 | 00 | 00 | 00
Page 2 | 00 | 48 | 00 | 00
Page 3 | 00 | 00 | 00 | 00
Page 4 | FF | FF | FF | FF
Pages 5 - 15 | 00 | 00 | 00 | 00

NTAG203

Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 0 | 04 | 00 | 00 | 8C
Page 1 | 00 | 00 | 00 | 00
Page 2 | 00 | 48 | 00 | 00
Page 3 | E1 | 10 | 12 | 00
Page 4 | 01 | 03 | A0 | 10
Page 5 | 44 | 03 | 00 | FE
Pages 6 - 41 | 00 | 00 | 00 | 00

NTAG213

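Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 0 | 04 | 00 | 00 | 8C
Page 1 | 00 | 00 | 00 | 00
Page 2 | 00 | 48 | 00 | 00
Page 3 | E1 | 10 | 12 | 00
Page 4 | 01 | 03 | A0 | 0C
Page 5 | 34 | 03 | 00 | FE
Pages 6 - 39 | 00 | 00 | 00 | 00
Page 40 | 00 | 00 | 00 | BD
Page 41 | 04 | 00 | 00 | FF
Page 42 | 00 | 05 | 00 | 00
Page 43 | FF | FF | FF | FF
Page 44 | 00 | 00 | 00 | 00
Page 45 (NFC & Auth. Counters, Sniffer) | 00 | 00 | 00 | 30
Pages 46 - 53 (Signature) | FF | FF | FF | FF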

20-page EV1

Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 0 | 04 | 00 | 00 | 8C
Page 1 | 00 | 00 | 00 | 00
Page 2 | 00 | 48 | 00 | 00
Pages 3 - 15 | 00 | 00 | 00 | 00
Page 16 | 04 | 00 | 00 | FF
Page 17 | 00 | 05 | 00 | 00
Page 18 | FF | FF | FF | FF
Page 19 | 00 | 00 | 00 | 00
Pages 20 - 42 | Not Implemented
Page 43 (Counter 0) | 00 | 00 | 00 | 00
Page 44 (Counter 1) | 00 | 00 | 00 | 00
Page 45 (Counter 2 & Auth., Sniffer) | 00 | 00 | 00 | 30
Pages 46 - 53 (Signature) | FF | FF | FF | FF

41-page EV1

Page | Byte 0 | Byte 1 | Byte 2 | Byte 3
Page 0 | 04 | 00 | 00 | 8C
Page 1 | 00 | 00 | 00 | 00
Page 2 | 00 | 48 | 00 | 00
Pages 3 - 35 | 00 | 00 | 00 | 00
Page 36 | 00 | 00 | 00 | BD
Page 37 | 04 | 00 | 00 | FF
Page 38 | 00 | 05 | 00 | 00
Page 39 | FF | FF | FF | FF
Page 40 | 00 | 00 | 00 | 00
Pages 41 - 42 | Not Implemented
Page 43 (Counter 0) | 00 | 00 | 00 | 00
Page 44 (Counter 1) | 00 | 00 | 00 | 00
Page 45 (Counter 2 & Auth., Sniffer) | 00 | 00 | 00 | 30
Pages 46 - 53 (Signature) | FF | FF | FF | FF

Power Supply Requirements

The Emulator is powered by three 1.5 V batteries. Batteries are included when the device is shipped. The isolator paper with the "PULL" label needs to be removed before use.

Compatible batteries are known under the following names:
AG8, SG8, LR55, SR55, LR1120, SR1120, 191, 381, 391.

The correct battery orientation is with positive side upwards. The smaller (negative) battery terminal should touch the printed circuit board.

The Emulator does not have a power switch, and it does not need any, since its automatic power saving feature reduces power consumption to almost zero when the electromagnetic field of a reader is not acting on the antenna. Batteries are needed to keep the memory state of the emulated NFC tag. If any of the three batteries is removed, the memory content of the emulated tag is reverted back to the initial state when the power is provided the next time, independent of the switch position. The electrical power parameters are provided in Table 7.


Electrical Characteristics

Table 7: Electrical Specifications

Parameter | Min. | Typ. | Max. | Unit
Operating voltage | 3.3 | - | 5.5 | V
Battery current consumption (reader field present) | - | 5.6 | 7.1 | mA
Battery current consumption (no reader field) | - | 0.2 | 2.1 | µA
Carrier signal frequency | - | 13.56 | - | MHz
Emulator crystal frequency deviation | - | - | 20 | ppm
Reader frequency deviation | - | - | 50 | ppm
Antenna input capacitance | - | 18 | - | pF
Operating temperature | 0 | - | +60 | °C
Storage temperature (no batteries) | −40 | - | +85 | °C

NFC Reader Compatibility

Any reader compatible with a standard tag is also compatible with the Emulator programmed with firmware for the same tag.


List of Recommended Android Software

MIFARE++ Ultralight, NFC Shell, UltraManager Lite, UltraManager Pro, NFC Tag maker, RFID NFC Tool, NFC TagInfo, and others.


Trademarks

All referenced brands, product names, service names and trademarks are the property of their respective owners.

MIFARE is a trademark of NXP Semiconductors N.V.

MIFARE Ultralight is a trademark of NXP Semiconductors N.V.


Warranty

Every Emulator is individually tested for electrical connections and for operation before shipping. The Emulator comes with NO WARRANTY, but technical support may be provided in future. NFC knowledge is recommended when using the Emulator.


Disclaimer

The manufacturer cannot be held responsible for any consequences that may arise while or after using the Emulator. The user or developer holds the ultimate responsibility in application design or use of the Emulator. All use is at customer's own risk.