For more information, please visit the official website [link removed by eBay]. 3D printer users: please use external 5V DC power to avoid firmware corruption. More info. Emulator OverviewThis Emulator has been designed to emulate NFC Forum Type 2 tags (ISO 14443 type "A" modulation) with EEPROM memory up to 192 bytes long. The current firmware releases can emulate the following NFC tags:
In addition to replicating the wireless interface of tags, their memory architecture, and internal state machine, the Emulator offers features of programming a custom UID, manufacturer byte, internal data byte, as well as resetting OTP bits, lock and block-locking bits to their initial state of logic 0. All one-way counters of NTAG2x3 and EV1 can be programmed with any value at any time. NTAG213 and EV1 firmware also offers reading out the stored authentication password and ackowledge fields which are write-only on original tags, as well as instantly removing read and write protection imposed by PROT and AUTH0 fields. The new Password Sniffer Mode introduced in 2017 allows storing the password from AUTHENTICATE command argument. The 32-byte signature of NTAG213 and EV1 can be programmed by a series of 8 writes to 8 pages in a single NFC session. All this makes the Emulator ideal for software development, system testing, and application support, in cases where project development or system administration require many test-case scenarios involving memory areas with security restrictions. With a flip of a switch, the Emulator is turned from a functional clone into a fully writable memory array, and vice-versa. Hardware Features:
Software Features:
With switch set to Locked position:
With switch set to Unlocked position:
Functional DescriptionMIFARE Ultralight- compatible features:The Emulator has a switch that can be toggled between one of the two positions: Locked and Unlocked. In the Locked mode, the Emulator operates according to the datasheet of the tag emulated, with a few possible exceptions that can be programmed in the Unlocked mode:
In the Unlocked mode, all pages are fully writable, with the following exceptions:
These restrictions are always present, and are necessary to keep the Emulator readable. Lack of these restrictions could render the Emulator unreadable both in practice and according to ISO 14443-A part 3. Table 1: Reserved Byte Definitions
Firmware-specific features:Updating lock and block-locking bitsNew configuration of lock and block-locking bits has effect immediately in NTAG213. 24-bit NFC counterWriting 24-bit NFC counter with any value is performed in Unlocked mode by writing page 45. This page is write-only in Unlocked mode and is never
available for reading. Increment of this counter is automatic and depends on configuration settings described in NTAG213 datasheet, and read of this counter
is performed with the same command used to read counter 2 in tags that have 3 counters. Alternatively, this counter can be read with ASCII mirror
function. ASCII mirrorMirror function works exactly like in original tags in both Locked and Unlocked modes. Suppression of mirrored fields that do not fit into readable range is performed automatically depending on control bits in registers MIRROR_CONF, ACCESS, MIRROR_PAGE, AUTH0 value, and additionally on the position of the lock switch. Unlocked mode opens the entire 45-page memory of NTAG213 for read and write access, extending the possible mirror range up to page 40, independently of PROT bit and AUTH0 value. SignatureSetting signature (the 32-byte value read with command 0x3C 0x00, normally read-only) is performed by writing pages 46 - 53 in Unlocked mode in a single session, without interrupting the magnetic field from the reader, and without resetting the state machine to IDLE. Pages 46 - 53 can be written in any order, and other commands can be placed in between, as long as the state is not reset to IDLE. If a page within range 46 - 53 is written multiple times, the first value will be stored and all following values will be ignored (with ACK reply to prevent interruption of page loading process). If not all pages 46 - 53 are written in a single session, the signature will not be updated and will keep the previous value. Pages 46 - 53 are write-only, similarly to 24-bit counters. Signature contents are preserved even after removal of batteries, as the signature is stored in a page of Flash memory of the Emulator, unlike the conventional tag memory, which is stored in RAM. Writing signature to Flash takes 9 ms, which exceeds default response timeout for NFC standard. For that reason, the firmware implementation still gives ACK response after the minimal turn-around time, but halts the microcontroller after the ACK response. Therefore, it's not recommended to send any other commands in the same session after writing the signature, as the emulator will become unresponsive for about 9 ms after the response to the last of 8 WRITE or COMPATIBILITY_WRITE commands to pages 46 - 53. Since the real tag's signature is read-only anyway, this increased write timing does not present any emulation problems. Reading the signature takes the same response time as on a real tag and does not interfere with timing of other commands. Configuration lockIn Unlocked mode, CFGLCK bit 6 of byte 0 of page 42 has no effect, as all lock and block-locking bits. Response modulation indexSTRG_MOD_EN bit 2 of byte 0 of page containing AUTH0 byte has no effect in any mode, and simply retains the value written, like a user memory location. Response modulation index in real tags has effect on tag reading distance only. The Emulator has only one hardware setting for maximum distance. GET_VERSION commandResponse of GET_VERSION command is hard-coded with values "00 04 04 02 01 00 0F 03" for NTAG213, similarly to responses ATQA and SAK. Password Authentication and Sniffer Mode (*new!*)Password and AcknowledgePassword and password-acknowledge (PACK) pages read as all zeros in Locked mode, and reveal the stored information in Unlocked mode. AUTHENTICATE commandAuthentication with command 0x1B works according to the datasheet in Locked mode. In Unlocked mode, the ACTIVE state does not exist: the tag goes to AUTHENTICATED state immediately when it would normally enter the ACTIVE state, as if authentication with the correct password was performed before any user command after the anticollision procedure. The whole tag content becomes readable regardless of AUTH0 byte and PROT bit. However, if an explicit AUTHENTICATE command with wrong password is given in Unlocked mode, the Emulator would still reset the state to IDLE and require a new anticollision procedure before any next user command. If any of the bits 2 - 0 (AUTHLIM) of ACCESS byte is set (the failed authentication counter limit is enabled), the Emulator in Unlocked mode still counts authentication commands with wrong password, and would still respond with status 0x4 if the limit is exceeded. The failed attempt counter is however easily reset in Unlocked mode by writing page 45 (see Table 2 and Table 3).Failed password attempt counterSetting the number of failed password authentication attempts is performed by writing page 45 in Unlocked mode: refer to Table 2 and Table 3. Page 45 is write-only in Unlocked mode and is never available for reading. Sniffer modes (*new!*)The function of revealing the stored password and acknowledge values in Unlocked mode is useless if there is no physical way to replace an original NFC tag with the Emulator during the procedure of setting the password. For that reason, a new method of revealing the password has been introduced in firmware: the password can now be stored in its page not only by writing that page, but also from the argument of the AUTHENTICATE command! There are 2 password sniffing modes currently available:
Sharing a 24-bit counter, failed password attempt counter, and sniffer mode settings in the same pageFor backwards compatibility of firmware versions, the three completely independent functions have ended up in the same write-only page. Since reading any of the written values is not possible through the same page, modifying values for one function without affecting the others requires additional control. This control is represented by 2 mask bits to enable or disable writing the 24-bit counter and the failed password attempt counter, and by a combination of sniffer mode bits meaning "keep previous state". Table 2: Sharing counters and sniffer in Unlocked mode
Table 3: CNT_WR_CTRL byte in Unlocked mode
NWR_NFC_CNT : writing this bit with 1 will disable writing NFC Counter in the same write operation. Table 4: Sniffer mode bit settings
Memory organization in Unlocked mode:Table 5: NTAG213 memory organization in Unlocked mode
Initial memory state:Table 6: NTAG213 initial memory state
Power Supply RequirementsThe Emulator is powered from 3 batteries 1.5V each. Batteries are included when the device is shipped. The isolator paper with the "PULL" label needs to be removed before use. Compatible batteries are known under the following names: The correct battery orientation is with positive side upwards. The smaller (negative) battery terminal should touch the printed circuit board. The Emulator does not have a power switch, and it does not need any, since its automatic power saving feature reduces power consumption to almost zero when the electromagnetic field of a reader is not acting on the antenna. Batteries are needed to keep the memory state of the emulated NFC tag. If any of the three batteries is removed, the memory content of the emulated tag is reverted back to the initial state when the power is provided the next time, independent of the switch position. The electrical power parameters are provided in Table 7. Electrical CharacteristicsTable 7: Electrical Specifications
NFC Reader CompatibilityAny reader compatible with standard tag is also compatible with the Emulator, programmed with firmware for the same tag. List of Recommended Android SoftwareMIFARE++ Ultralight, NFC Shell, UltraManager Lite, UltraManager Pro, NFC Tag maker, RFID NFC Tool, NFC TagInfo, and others. WarrantyEvery Emulator is individually tested for electrical connections and for operation before shipping. The Emulator comes with NO WARRANTY, but technical support may be provided in future. NFC knowledge is recommended when using the Emulator. Listing TermsPlease be advised that this item is currently in stock and available for immediate shipping. In the event that this item will become unavailable for immediate shipping, the buyer will be made aware of the situation. You, the buyer, have the option of waiting for the item to become available or requesting a full refund. Package Contents
All items will be shipped in envelopes wrapped in air-bubble protective material. Shipping
Return Policy
DisclamerThe manufacturer can not be held responsible for any consequences that may arise while or after using the Emulator. The user or developer holds the ultimate responsibility in application design or use of the Emulator. All use is at customer's own risk. |