Magic NTAG213 – UID Changeable (Gen3)

Magic NTAG213 – UID Changeable (Gen3) by KSec

Example cards shows response as NTAG213, however the UID can be changed.

[usb] pm3 --> hf 14a info
[+]  UID: 04 15 91 00 02 3E AD 
[+] ATQA: 00 44
[+]  SAK: 00 [2]
[+] MANUFACTURER: NXP Semiconductors Germany

You can change the UID of the magic NTAG213 via the following command. 

[usb] pm3 --> hf mfu setuid --uid 00159100023EAD

This command will verify it has changed

[usb] pm3 --> hf mfu info
[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: NTAG 213 504bytes (NT2H1511G0DU) 
[+]        UID: 04 15 91 00 02 3E AD 
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 08 ( ok )
[+]       BCC1: 91 ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: 00 00  - 0000000000000000
[+] OneTimePad: E1 10 3E 00  - 11100001000100000011111000000000
[=] --- NDEF Message
[+] Capability Container: E1 10 3E 00 
[+]   E1: NDEF Magic Number
[+]   10: version 0.1 supported by tag
[+]        : Read access granted without any security / Write access granted without any security
[+]   3E: Physical Memory Size: 496 bytes
[+]   3E: NDEF Memory Size: 496 bytes
[+]   00: Additional feature information
[+]   00000000
[+]   xxx..... - 00: RFU ( ok )
[+]   ...x.... - 00: don't support special frame
[+]   ....x... - 00: don't support lock block
[+]   .....xx. - 00: RFU ( ok )
[+]   .......x - 00: IC don't support multiple block reads
[=] --- Tag Counter
[=]        [02]: 00 00 00 
[+]             - 00 tearing ( fail )
[=] --- Tag Signature
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 47EB7A20B49EEFC22E8F0632AFDFD47E8FF7F666E051EC60227605AE726EF42E
[+]        Signature verification ( fail )
[=] --- Tag Silicon Information
[=]        Wafer Counter: 21479488 ( 0x147C040 )
[=]    Wafer Coordinates: x 277, y 913 (0x115, 0x391)
[=]            Test Site: 0
[=] --- Tag Version
[=]        Raw bytes: 00 04 04 02 01 00 11 03 
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: NTAG
[=]  Product subtype: 02, 50pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 11, (512 <-> 256 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant
[=] --- Tag Configuration
[=]   cfg0 [131/0x83]: 04 00 00 FF 
[=]                     - strong modulation mode disabled
[=]                     - pages don't need authentication
[=]   cfg1 [132/0x84]: 00 00 00 00 
[=]                     - Unlimited password attempts
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration writeable
[=]                     - write access is protected with password
[=]                     - 00, Virtual Card Type Identifier is not default
[=]   PWD  [133/0x85]: 00 00 00 00 - (cannot be read)
[=]   PACK [134/0x86]: 00 00       - (cannot be read)
[=]   RFU  [134/0x86]:       00 00 - (cannot be read)
[+] --- Known EV1/NTAG passwords
[+] Found default password FF FF FF FF  pack 00 00
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------

IMPORTANT The UID of NTAG 213 UID Changeable Tags is comprised of two parts: the UID itself, and the BCC. The BCC is a checksum value calculated from the UID. If the BCC is incorrect, tag will be rejected by the reader.

Most RFID tools, such as the Proxmark, LibNFC, MCT etc automatically calculate the BCC when the UID is modified. If you are modifying the UID by hand, it is vital that the BCC is correctly calculated.

No support or refunds under any circumstances will be provided for cards that were ‘bricked’ due to incorrect UID/BCC configuration.