Instruction Manual
The PDF version of the Manual (MIFARE Ultralight version only) can be found here.
Hardware Features:
- Antenna on flat bottom side, allowing zero minimum separation from reader
- Shielded electronic section outside of antenna area, reducing interference
- Meets and exceeds ISO 14443-A requirements on wireless performance
- Emulates electromagnetic load on proximity coupling device antenna field
- Implements automatic power saving when antenna field is not present
Software Features:
- Supports anti-collision
- Supports parity generation and checking
- Supports CRC generation and checking
- Supports all tag commands and replicates its state diagram
- Replicates all tag timings with precision of 1 carrier cycle
With switch set to Locked position:
- Replicates security behaviour of OTP, lock, block-locking bits, and all other NTAG security functions
- Replicates ACK/NAK answers to all command combinations, and additional statuses 0x1 and 0x4 in NTAG and EV1
With switch set to Unlocked position:
- Allows writing UID, manufacturer, internal bytes, counters and signature
- Allows clearing and setting OTP, lock, block-locking bits
- Allows reading password and acknowledge values of NTAG213 and EV1 that are normally write-only
- Allows enabling one of the two available password sniffing modes, active regardless of the lock switch
Functional Description
Common functions of all firmwares (MIFARE Ultralight, MIFARE Ultralight EV1, NTAG203 and NTAG213):
The Emulator has a switch that can be toggled between two positions: Locked and Unlocked. In the Locked mode, the Emulator operates according to the datasheet of the emulated tag, with a few possible exceptions that can be programmed in the Unlocked mode:
- Manufacturer byte 0 of page 0 (UID0) can be different from 0x04, internal data byte 1 of page 2 can be different from 0x48, reserved byte 3 of page 40 in NTAG213 and page 36 in 41-page EV1 can be different from 0xBD, and other reserved bytes can be different from 0x00. They can be freely changed in Unlocked mode, and their values are stored with no change when the switch is moved from Unlocked to Locked mode.
WARNING!
Changing manufacturer or internal bytes might render the Emulator unreadable with some hardware or software applications designed to communicate with NFC tags. If such a situation occurs, the entire memory content can be restored back to initial state (see section "Initial Memory Contents") by removing at least one battery and inserting it back after more than 2 seconds.
In the Unlocked mode, all pages are fully writable, with the following exceptions:
- Byte 3 of page 0 (BCC0) always reads the value equal to UID0 ^ UID1 ^ UID2 ^ 0x88, and byte 0 of page 2 (BCC1) always reads the value equal to UID3 ^ UID4 ^ UID5 ^ UID6 (see Table 1), according to ISO 14443-A part 3. Writing arbitrary values to those bytes has no effect, and write operations to pages 0 and 2 always return a positive acknowledge ACK. This allows the user (software) to avoid calculating values of BCC0 and BCC1, which is convenient for manual UID entry.
- Byte 0 of page 1 (UID3) can not be written with value 0x88. If a WRITE (0xA2) command is issued, where byte 0 is 0x88, a NAK is immediately returned and the entire page remains unchanged in the memory array. If a COMPATIBILITY_WRITE command is issued to page 1, the response is always ACK for the first part of the command. For the second part, if byte 0 is 0x88, a NAK is immediately returned and the entire page remains unchanged in the memory array.
These restrictions are always present, and are necessary to keep the Emulator readable. Lack of these restrictions could render the Emulator unreadable both in practice and according to ISO 14443-A part 3.
Table 1: Reserved Byte Definitions
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 0 | UID0 | UID1 | UID2 | BCC0 |
Page 1 | UID3 | UID4 | UID5 | UID6 |
Page 2 | BCC1 | Internal |
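The check-byte rule above and the UID3 restriction can be verified by software on the reader side. The following is an added example, not code from this manual or from the Emulator firmware; the function names are its own, the sample pages are constructed from the initial memory state given later in this manual, and the constructed 7-byte UID is not a real tag's UID. It builds pages 0 - 2 for a UID with BCC0 and BCC1 filled in the same way the Emulator fills them, and checks pages read back from any tag against ISO 14443-A part 3.

```python
# Added example, not part of the Emulator manual or its firmware: computing and
# checking the ISO 14443-A check bytes BCC0 and BCC1 for a 7-byte UID laid out
# over pages 0 - 2 as in Table 1, together with the UID3 != 0x88 rule described
# above. Function names are this example's own; sample pages are constructed
# from the manual's initial memory state.

CASCADE_TAG = 0x88           # ISO 14443-A cascade tag; also folded into BCC0
NXP_MANUFACTURER_ID = 0x04   # expected UID0 (manufacturer byte)


def bcc0(uid0, uid1, uid2):
    """Cascade level 1 check byte: 0x88 ^ UID0 ^ UID1 ^ UID2."""
    return CASCADE_TAG ^ uid0 ^ uid1 ^ uid2


def bcc1(uid3, uid4, uid5, uid6):
    """Cascade level 2 check byte: UID3 ^ UID4 ^ UID5 ^ UID6."""
    return uid3 ^ uid4 ^ uid5 ^ uid6


def pages_for_uid(uid, internal=b"\x48\x00\x00"):
    """Build pages 0 - 2 for a 7-byte UID with BCC0/BCC1 filled in, the way the
    Emulator presents them on every read of pages 0 and 2.

    The three bytes after BCC1 in page 2 (internal byte and lock bytes) are
    taken from `internal`; the default is the manual's initial state 48 00 00.
    Raises ValueError for UID3 == 0x88, which the Emulator refuses with NAK.
    """
    if len(uid) != 7:
        raise ValueError("7-byte UID expected")
    if uid[3] == CASCADE_TAG:
        raise ValueError("UID3 may not be 0x88 (cascade tag)")
    if len(internal) != 3:
        raise ValueError("page 2 needs 3 bytes after BCC1")
    page0 = bytes([uid[0], uid[1], uid[2], bcc0(uid[0], uid[1], uid[2])])
    page1 = bytes(uid[3:7])
    page2 = bytes([bcc1(uid[3], uid[4], uid[5], uid[6])]) + bytes(internal)
    return [page0, page1, page2]


def check_pages(pages):
    """Validate pages 0 - 2 as read back from a tag or from the Emulator.

    Returns the 7-byte UID and one flag per check, so a reader-side tool can
    report a damaged or mis-programmed UID instead of silently accepting it.
    """
    p0, p1, p2 = pages[0], pages[1], pages[2]
    uid = bytes([p0[0], p0[1], p0[2], p1[0], p1[1], p1[2], p1[3]])
    return {
        "uid": uid.hex().upper(),
        "bcc0_ok": p0[3] == bcc0(p0[0], p0[1], p0[2]),
        "bcc1_ok": p2[0] == bcc1(p1[0], p1[1], p1[2], p1[3]),
        "nxp_manufacturer": p0[0] == NXP_MANUFACTURER_ID,
        "uid3_valid": p1[0] != CASCADE_TAG,
    }


if __name__ == "__main__":
    # Constructed input: pages 0 - 2 of the manual's initial memory state.
    initial = [bytes.fromhex("0400008C"), bytes.fromhex("00000000"),
               bytes.fromhex("00480000")]
    print(check_pages(initial))
    # Constructed 7-byte UID (not a real tag's UID).
    for page in pages_for_uid(bytes.fromhex("04A1B2C3D4E5F6")):
        print(page.hex().upper())
```

For the initial memory state, `check_pages` reports every flag as true, and 0x88 ^ 0x04 gives the BCC0 value 8C seen in the initial-state tables. A read-back whose `bcc0_ok` or `bcc1_ok` flag is false is a tag (or Emulator contents) that a reader is entitled to reject under ISO 14443-A part 3, which is exactly the situation the two restrictions above prevent.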
Specific functions of each emulated tag:
With newly created firmware versions, similarities in features of different tag types have become obvious. For that reason, features are no longer grouped by tag type in this Manual. Instead, a summary of features for each tag is listed in Table 2, and each feature may or may not be present in a tag, depending on tag type.
Table 2: Features of Emulated Tags
Feature \ Tag: | MIFARE Ultralight | NTAG203 | NTAG213 | 20-page EV1 | 41-page EV1 |
---|---|---|---|---|---|
Number of pages in Locked mode | 16 | 42 | 45 | 20 | 41 |
Dynamic Lock bits | - | Yes (page 40) | Yes (page 40) | - | Yes (page 36) |
Lock and Block-Locking bit effect | Next REQA / WUPA | Next REQA / WUPA | Immediate | Immediate | Immediate |
16-bit one-way counters | 0 | 1 (page 41) | 0 | 0 | 0 |
24-bit one-way counters including INCR_CNT command | 0 | 0 | 0 | 3 (pages 43-45) | 3 (pages 43-45) |
24-bit NFC counters | 0 | 0 | 1 (page 45) | 0 | 0 |
ASCII Mirror | - | - | Yes | - | - |
Signature (pages 46-53) | - | - | Yes | Yes | Yes |
Configuration Lock | - | - | Yes | Yes | Yes |
Response modulation index | - | - | Yes | Yes | Yes |
Password Auth + Sniffer (*new!*) | - | - | Yes | Yes | Yes |
FAST_READ command | - | - | Yes | Yes | Yes |
GET_VERSION command | - | - | Yes | Yes | Yes |
CHECK_TEARING_EVENT command | - | - | - | Yes | Yes |
VCSL command | - | - | - | Yes | Yes |
Tag feature descriptions:
16-bit one-way counter
The counter in bytes 0 and 1 of page 41 can be written with any value in Unlocked mode by directly writing that value to page 41.
24-bit one-way counters and INCR_CNT command
Writing 24-bit counters with any value is performed in Unlocked mode by writing pages 43, 44 and 45 for counters 0, 1 and 2 respectively. Those pages are write-only in Unlocked mode and are never available for reading. Increment and read of counters is performed with commands INCR_CNT and READ_CNT in both Locked and Unlocked modes.
NOTE: page 45 is shared with Password Authentication and Sniffer Mode.
24-bit NFC counter
Writing the 24-bit NFC counter with any value is performed in Unlocked mode by writing page 45. This page is write-only in Unlocked mode and is never available for reading. Increment of this counter is automatic and depends on configuration settings described in the NTAG213 datasheet, and read of this counter is performed with the same command used to read counter 2 in tags that have 3 counters. Alternatively, this counter can be read with the ASCII mirror function.
NOTE: page 45 is shared with Password Authentication and Sniffer Mode.
ASCII mirror
Mirror function works exactly like in original tags in both Locked and Unlocked modes. Suppression of mirrored fields that do not fit into readable range is performed automatically depending on control bits in registers MIRROR_CONF, ACCESS, MIRROR_PAGE, AUTH0 value, and additionally on the position of the lock switch. Unlocked mode opens the entire 45-page memory of NTAG213 for read and write access, extending the possible mirror range up to page 40, independently of PROT bit and AUTH0 value.
Signature
Setting signature (the 32-byte value read with command 0x3C 0x00, normally read-only) is performed by writing pages 46 - 53 in Unlocked mode in a single session, without interrupting the magnetic field from the reader, and without resetting the state machine to IDLE. Pages 46 - 53 can be written in any order, and other commands can be placed in between, as long as the state is not reset to IDLE. If a page within range 46 - 53 is written multiple times, the first value will be stored and all following values will be ignored (with ACK reply to prevent interruption of page loading process). If not all pages 46 - 53 are written in a single session, the signature will not be updated and will keep the previous value. Pages 46 - 53 are write-only, similarly to 24-bit counters. Signature contents are preserved even after removal of batteries, as the signature is stored in a page of Flash memory of the Emulator, unlike the conventional tag memory, which is stored in RAM. Writing signature to Flash takes 9 ms, which exceeds default response timeout for NFC standard. For that reason, the firmware implementation still gives ACK response after the minimal turn-around time, but halts the microcontroller after the ACK response. Therefore, it's not recommended to send any other commands in the same session after writing the signature, as the emulator will become unresponsive for about 9 ms after the response to the last of 8 WRITE or COMPATIBILITY_WRITE commands to pages 46 - 53. Since the real tag's signature is read-only anyway, this increased write timing does not present any emulation problems. Reading the signature takes the same response time as on a real tag and does not interfere with timing of other commands.
Configuration lock
In Unlocked mode, CFGLCK (bit 6 of byte 0 of page 42) has no effect, like all other lock and block-locking bits.
Response modulation index
STRG_MOD_EN (bit 2 of byte 0 of the page containing the AUTH0 byte) has no effect in any mode, and simply retains the value written, like a user memory location. In real tags the response modulation index affects tag reading distance only. The Emulator has only one hardware setting for maximum distance.
GET_VERSION command
The response to the GET_VERSION command is hard-coded for each tag (Table 3), like the ATQA and SAK responses.
Table 3: GET_VERSION responses of emulated tags
Tag Name | Tag Part Number | GET_VERSION response bytes |
---|---|---|
NTAG213 | NT2H1311 | 00 04 04 02 01 00 0F 03 |
20-page EV1 | MF0UL1101D | 00 04 03 01 01 00 0B 03 |
41-page EV1 | MF0UL2101D | 00 04 03 01 01 00 0E 03 |
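The three responses in Table 3 can be decoded field by field. The following is an added example, not code from this manual or from NXP. The field layout (fixed header, vendor ID, product type, product subtype, major and minor version, storage size, protocol type) is the one NXP documents for the GET_VERSION command of NTAG21x and MIFARE Ultralight EV1; the lookup tables only cover the values that appear in Table 3, and the function names are this example's own.

```python
# Added example, not code from the Emulator manual or from NXP: decoding the
# 8-byte GET_VERSION response listed in Table 3 of the manual. Lookup tables
# cover only the values that appear in the manual; function names are this
# example's own.

VENDOR_IDS = {0x04: "NXP Semiconductors"}
PRODUCT_TYPES = {0x03: "MIFARE Ultralight", 0x04: "NTAG"}
PROTOCOL_TYPES = {0x03: "ISO/IEC 14443-3 compliant"}

# Table 3 of the manual: hard-coded responses of the emulated tags.
KNOWN_RESPONSES = {
    bytes.fromhex("0004040201000F03"): "NTAG213 (NT2H1311)",
    bytes.fromhex("0004030101000B03"): "20-page EV1 (MF0UL1101D)",
    bytes.fromhex("0004030101000E03"): "41-page EV1 (MF0UL2101D)",
}


def storage_size_range(code):
    """Decode the storage-size byte. The upper 7 bits n give 2**n bytes; the
    least significant bit is 1 when the real size lies strictly between 2**n
    and 2**(n+1), and 0 when it is exactly 2**n. Returns (low, high)."""
    n = code >> 1
    return (2 ** n, 2 ** (n + 1)) if code & 1 else (2 ** n, 2 ** n)


def decode_get_version(resp):
    """Split a GET_VERSION response into named fields.

    Raises ValueError for a response that cannot be valid (wrong length or
    header byte), which is what a reader-side tool should check before
    trusting any other field.
    """
    if len(resp) != 8:
        raise ValueError("GET_VERSION response must be 8 bytes")
    if resp[0] != 0x00:
        raise ValueError("fixed header byte must be 0x00")
    low, high = storage_size_range(resp[6])
    return {
        "vendor": VENDOR_IDS.get(resp[1], "unknown (0x%02X)" % resp[1]),
        "product_type": PRODUCT_TYPES.get(resp[2], "unknown (0x%02X)" % resp[2]),
        "product_subtype": resp[3],
        "version": "%d.%d" % (resp[4], resp[5]),
        "storage_min_bytes": low,
        "storage_max_bytes": high,
        "protocol": PROTOCOL_TYPES.get(resp[7], "unknown (0x%02X)" % resp[7]),
        # Which emulated tag type answers with this exact response (Table 3).
        "emulated_tag": KNOWN_RESPONSES.get(bytes(resp)),
    }


if __name__ == "__main__":
    for resp, name in KNOWN_RESPONSES.items():
        print(name, decode_get_version(resp))
```

The storage-size bytes agree with the memory maps later in this manual: NTAG213 (0x0F) has 144 bytes of user memory in pages 4 - 39, which lies between 128 and 256; the 20-page EV1 (0x0B) has 48 bytes in pages 4 - 15, between 32 and 64; the 41-page EV1 (0x0E) has exactly 128 bytes in pages 4 - 35. Because the Emulator's responses are hard-coded to the genuine values, a GET_VERSION lookup identifies the emulated tag type but cannot by itself distinguish the Emulator from the tag it emulates.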
CHECK_TEARING_EVENT command
The response to the CHECK_TEARING_EVENT command is always 0xBD, regardless of reserved byte 3 in the dynamic lock bit page, as if tearing never occurred.
VCSL command
This command behaves exactly like described in tag datasheets in both Locked and Unlocked modes.
Password Authentication and Sniffer Mode (*new!*)
Password and Acknowledge
Password and password-acknowledge (PACK) pages read as all zeros in Locked mode, and reveal the stored information in Unlocked mode.
AUTHENTICATE command
Authentication with command 0x1B works according to the datasheet in Locked mode. In Unlocked mode, the ACTIVE state does not exist: the tag goes to the AUTHENTICATED state immediately when it would normally enter the ACTIVE state, as if authentication with the correct password had been performed before any user command after the anticollision procedure. The whole tag content becomes readable regardless of the AUTH0 byte and the PROT bit. However, if an explicit AUTHENTICATE command with a wrong password is given in Unlocked mode, the Emulator still resets the state to IDLE and requires a new anticollision procedure before any next user command. If any of the bits 2 - 0 (AUTHLIM) of the ACCESS byte is set (the failed authentication counter limit is enabled), the Emulator in Unlocked mode still counts authentication commands with a wrong password, and still responds with status 0x4 if the limit is exceeded. The failed attempt counter is, however, easily reset in Unlocked mode by writing page 45 (see Table 4 and Table 5).
Failed password attempt counter
Setting the number of failed password authentication attempts is performed by writing page 45 in Unlocked mode: refer to Table 4 and Table 5. Page 45 is write-only in Unlocked mode and is never available for reading.
Sniffer modes (*new!*)
The function of revealing the stored password and acknowledge values in Unlocked mode is useless if there is no physical way to replace an original NFC tag with the Emulator during the procedure of setting the password. For that reason, a new method of revealing the password has been introduced in firmware: the password can now be stored in its page not only by writing that page, but also from the argument of the AUTHENTICATE command! There are 2 password sniffing modes currently available:
- PACK mode, in which the password coming from the AUTHENTICATE command overwrites the password stored in the password page before the comparison is performed, thus replying with the internally stored PACK for any password. Note that in this mode a reader could find that the emulated tag is not genuine, because the correct PACK value might not be known at that stage, before the captured password has been read out by the user in Unlocked mode and used to authenticate with the real tag being cloned, which contains the correct PACK value.
- Timeout mode, in which the password coming from the AUTHENTICATE command also overwrites the password stored in the password page, but the comparison result is forced to be "not equal", thus creating a reply timeout, resetting state machine to IDLE state, and requiring the NFC reader to restart the anticollision procedure, as if the Emulator was removed from the reader right after the AUTHENTICATE command. In this mode the failed password attempt counter is not incremented, in order to prevent the Emulator from responding with status "Authentication counter limit exceeded" (0x4), which is different from the normal timeout response of a wrong password. Such a situation could occur if the NFC reader is repeatedly trying to run its application in which the AUTHENTICATE command is one of the steps, while the Emulator is physically interacting with the reader.
Sharing a 24-bit counter, failed password attempt counter, and sniffer mode settings in the same page
For backwards compatibility of firmware versions, the three completely independent functions have ended up in the same write-only page. Since reading any of the written values is not possible through the same page, modifying values for one function without affecting the others requires additional control. This control is represented by 2 mask bits to enable or disable writing the 24-bit counter and the failed password attempt counter, and by a combination of sniffer mode bits meaning "keep previous state".
Table 4: Sharing counters and sniffer in Unlocked mode
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 45: Write-only | 24-bit counter 2 or NFC counter (LSB 0 - MSB 2) | CNT_WR_CTRL | ||
Pages 46 - 53: Write-only | Signature |
Table 5: CNT_WR_CTRL byte of NTAG213 and EV1 in Unlocked mode
Byte | Bit 7 | Bit 6 | Bit 5 | Bit 4 | Bits 3 - 0 |
---|---|---|---|---|---|
CNT_WR_CTRL | NWR_NFC_CNT | NWR_AUTH_CNT | SNIFF_MODE_1 | SNIFF_MODE_0 | Failed Auth Counter |
NWR_NFC_CNT: writing this bit with 1 disables writing the 24-bit or NFC counter in the same write operation.
NWR_AUTH_CNT: writing this bit with 1 disables writing the failed authentication counter in the same write operation.
Table 6: Sniffer mode bit settings
SNIFF_MODE_1 | SNIFF_MODE_0 | Description |
---|---|---|
0 | 0 | Keep previous sniffing mode |
0 | 1 | Enable PACK sniffing mode |
1 | 0 | Enable Timeout sniffing mode |
1 | 1 | Disable sniffing modes (default) |
Memory organizations of emulated tags in Unlocked mode:
MIFARE Ultralight
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 0 | UID0 | UID1 | UID2 | BCC0 |
Page 1 | UID3 | UID4 | UID5 | UID6 |
Page 2 | BCC1 | Internal | Lock & Block-Locking | |
Page 3 | OTP | |||
Pages 4 - 15 | User Memory |
NTAG203
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 0 | UID0 | UID1 | UID2 | BCC0 |
Page 1 | UID3 | UID4 | UID5 | UID6 |
Page 2 | BCC1 | Internal | Lock & Block-Locking | |
Page 3 | OTP | |||
Pages 4 - 39 | User Memory | |||
Page 40 | Dynamic Lock & Block-Locking | RFU | ||
Page 41 | 16-bit Counter | RFU |
NTAG213
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 0 | UID0 | UID1 | UID2 | BCC0 |
Page 1 | UID3 | UID4 | UID5 | UID6 |
Page 2 | BCC1 | Internal | Lock & Block-Locking | |
Page 3 | OTP | |||
Pages 4 - 39 | User Memory | |||
Page 40 | Dynamic Lock & Block-Locking | RFU | ||
Page 41 | MIRROR | RFU | MIRROR_PAGE | AUTH0 |
Page 42 | ACCESS | RFU | ||
Page 43 | Password | |||
Page 44 | Password ACK | RFU | ||
Page 45: Write-only | NFC Counter (LSB 0 - MSB 2) | CNT_WR_CTRL | ||
Pages 46 - 53: Write-only | Signature |
20-page EV1
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 0 | UID0 | UID1 | UID2 | BCC0 |
Page 1 | UID3 | UID4 | UID5 | UID6 |
Page 2 | BCC1 | Internal | Lock & Block-Locking | |
Page 3 | OTP | |||
Pages 4 - 15 | User Memory | |||
Page 16 | MOD | RFU | AUTH0 | |
Page 17 | ACCESS | VCTID | RFU | |
Page 18 | Password | |||
Page 19 | Password ACK | RFU | ||
Pages 20 - 42 | Not Implemented | |||
Page 43: Write-only | 24-bit Counter 0 (LSB 0 - MSB 2) | RFU | ||
Page 44: Write-only | 24-bit Counter 1 (LSB 0 - MSB 2) | RFU | ||
Page 45: Write-only | 24-bit Counter 2 (LSB 0 - MSB 2) | CNT_WR_CTRL | ||
Pages 46 - 53: Write-only | Signature |
41-page EV1
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 0 | UID0 | UID1 | UID2 | BCC0 |
Page 1 | UID3 | UID4 | UID5 | UID6 |
Page 2 | BCC1 | Internal | Lock & Block-Locking | |
Page 3 | OTP | |||
Pages 4 - 35 | User Memory | |||
Page 36 | Dynamic Lock & Block-Locking | RFU | ||
Page 37 | MOD | RFU | AUTH0 | |
Page 38 | ACCESS | VCTID | RFU | |
Page 39 | Password | |||
Page 40 | Password ACK | RFU | ||
Pages 41 - 42 | Not Implemented | |||
Page 43: Write-only | 24-bit Counter 0 (LSB 0 - MSB 2) | RFU | ||
Page 44: Write-only | 24-bit Counter 1 (LSB 0 - MSB 2) | RFU | ||
Page 45: Write-only | 24-bit Counter 2 (LSB 0 - MSB 2) | CNT_WR_CTRL | ||
Pages 46 - 53: Write-only | Signature |
Initial memory state of each emulated tag:
MIFARE Ultralight
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 0 | 04 | 00 | 00 | 8C |
Page 1 | 00 | 00 | 00 | 00 |
Page 2 | 00 | 48 | 00 | 00 |
Page 3 | 00 | 00 | 00 | 00 |
Page 4 | FF | FF | FF | FF |
Pages 5 - 15 | 00 | 00 | 00 | 00 |
NTAG203
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 0 | 04 | 00 | 00 | 8C |
Page 1 | 00 | 00 | 00 | 00 |
Page 2 | 00 | 48 | 00 | 00 |
Page 3 | E1 | 10 | 12 | 00 |
Page 4 | 01 | 03 | A0 | 10 |
Page 5 | 44 | 03 | 00 | FE |
Pages 6 - 41 | 00 | 00 | 00 | 00 |
NTAG213
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 0 | 04 | 00 | 00 | 8C |
Page 1 | 00 | 00 | 00 | 00 |
Page 2 | 00 | 48 | 00 | 00 |
Page 3 | E1 | 10 | 12 | 00 |
Page 4 | 01 | 03 | A0 | 0C |
Page 5 | 34 | 03 | 00 | FE |
Pages 6 - 39 | 00 | 00 | 00 | 00 |
Page 40 | 00 | 00 | 00 | BD |
Page 41 | 04 | 00 | 00 | FF |
Page 42 | 00 | 05 | 00 | 00 |
Page 43 | FF | FF | FF | FF |
Page 44 | 00 | 00 | 00 | 00 |
Page 45 (NFC & Auth. Counters, Sniffer) | 00 | 00 | 00 | 30 |
Pages 46 - 53 (Signature) | FF | FF | FF | FF |
20-page EV1
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 0 | 04 | 00 | 00 | 8C |
Page 1 | 00 | 00 | 00 | 00 |
Page 2 | 00 | 48 | 00 | 00 |
Pages 3 - 15 | 00 | 00 | 00 | 00 |
Page 16 | 04 | 00 | 00 | FF |
Page 17 | 00 | 05 | 00 | 00 |
Page 18 | FF | FF | FF | FF |
Page 19 | 00 | 00 | 00 | 00 |
Pages 20 - 42 | Not Implemented | |||
Page 43 (Counter 0) | 00 | 00 | 00 | 00 |
Page 44 (Counter 1) | 00 | 00 | 00 | 00 |
Page 45 (Counter 2 & Auth., Sniffer) | 00 | 00 | 00 | 30 |
Pages 46 - 53 (Signature) | FF | FF | FF | FF |
41-page EV1
Page | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
---|---|---|---|---|
Page 0 | 04 | 00 | 00 | 8C |
Page 1 | 00 | 00 | 00 | 00 |
Page 2 | 00 | 48 | 00 | 00 |
Pages 3 - 35 | 00 | 00 | 00 | 00 |
Page 36 | 00 | 00 | 00 | BD |
Page 37 | 04 | 00 | 00 | FF |
Page 38 | 00 | 05 | 00 | 00 |
Page 39 | FF | FF | FF | FF |
Page 40 | 00 | 00 | 00 | 00 |
Pages 41 - 42 | Not Implemented | |||
Page 43 (Counter 0) | 00 | 00 | 00 | 00 |
Page 44 (Counter 1) | 00 | 00 | 00 | 00 |
Page 45 (Counter 2 & Auth., Sniffer) | 00 | 00 | 00 | 30 |
Pages 46 - 53 (Signature) | FF | FF | FF | FF |
Power Supply Requirements
The Emulator is powered from three 1.5 V batteries. Batteries are included when the device is shipped. The isolator paper with the "PULL" label needs to be removed before use.
Compatible batteries are known under the following names:
AG8, SG8, LR55, SR55, LR1120, SR1120, 191, 381, 391.
The correct battery orientation is with positive side upwards. The smaller (negative) battery terminal should touch the printed circuit board.
The Emulator does not have a power switch, and it does not need any, since its automatic power saving feature reduces power consumption to almost zero when the electromagnetic field of a reader is not acting on the antenna. Batteries are needed to keep the memory state of the emulated NFC tag. If any of the three batteries is removed, the memory content of the emulated tag is reverted back to the initial state when the power is provided the next time, independent of the switch position. The electrical power parameters are provided in Table 7.
Electrical Characteristics
Table 7: Electrical Specifications
Parameter | Min. | Typ. | Max. | Unit |
---|---|---|---|---|
Operating voltage | 3.3 | - | 5.5 | V |
Battery current consumption (reader field present) | - | 5.6 | 7.1 | mA |
Battery current consumption (no reader field) | - | 0.2 | 2.1 | µA |
Carrier signal frequency | - | 13.56 | - | MHz |
Emulator crystal frequency deviation | - | - | 20 | ppm |
Reader frequency deviation | - | - | 50 | ppm |
Antenna input capacitance | - | 18 | - | pF |
Operating temperature | 0 | - | +60 | °C |
Storage temperature (no batteries) | −40 | - | +85 | °C |
NFC Reader Compatibility
Any reader compatible with a standard tag is also compatible with the Emulator programmed with the firmware for that same tag.
List of Recommended Android Software
MIFARE++ Ultralight, NFC Shell, UltraManager Lite, UltraManager Pro, NFC Tag maker, RFID NFC Tool, NFC TagInfo, and others.
Trademarks
All referenced brands, product names, service names and trademarks are the property of their respective owners.
MIFARE is a trademark of NXP Semiconductors N.V.
MIFARE Ultralight is a trademark of NXP Semiconductors N.V.
Warranty
Every Emulator is individually tested for electrical connections and for operation before shipping. The Emulator comes with NO WARRANTY, but technical support may be provided in future. NFC knowledge is recommended when using the Emulator.
Disclaimer
The manufacturer can not be held responsible for any consequences that may arise while or after using the Emulator. The user or developer holds the ultimate responsibility in application design or use of the Emulator. All use is at customer's own risk.