
3D printer users: please use external 5V DC power to avoid firmware corruption.


Emulator Overview

This Emulator has been designed to emulate NFC Forum Type 2 tags (ISO 14443 type "A" modulation) with EEPROM memory up to 192 bytes long.

The current firmware releases can emulate the following NFC tags:

In addition to replicating the wireless interface of tags, their memory architecture, and internal state machine, the Emulator allows programming a custom UID, manufacturer byte, and internal data byte, as well as resetting OTP bits, lock bits and block-locking bits to their initial state of logic 0. All one-way counters of NTAG2x3 and EV1 can be programmed with any value at any time. NTAG213 and EV1 firmware also allows reading out the stored authentication password and acknowledge fields, which are write-only on original tags, as well as instantly removing the read and write protection imposed by the PROT and AUTH0 fields. The new Password Sniffer Mode introduced in 2017 allows storing the password from the AUTHENTICATE command argument. The 32-byte signature of NTAG213 and EV1 can be programmed by a series of 8 writes to 8 pages in a single NFC session. All this makes the Emulator ideal for software development, system testing, and application support, in cases where project development or system administration require many test-case scenarios involving memory areas with security restrictions. With a flip of a switch, the Emulator is turned from a functional clone into a fully writable memory array, and vice versa.


Hardware Features:

  • Antenna on flat bottom side, allowing zero minimum separation from reader
  • Shielded electronic section outside of antenna area, reducing interference
  • Meets and exceeds ISO 14443-A requirements on wireless performance
  • Emulates electromagnetic load on proximity coupling device antenna field
  • Implements automatic power saving when antenna field is not present


Software Features:

  • Supports anti-collision
  • Supports parity generation and checking
  • Supports CRC generation and checking
  • Supports all tag commands and replicates its state diagram
  • Replicates all tag timings with precision of 1 carrier cycle

With switch set to Locked position:

  • Replicates security behaviour of OTP, lock, block-locking bits, and all other NTAG security functions
  • Replicates ACK/NAK answers to all command combinations, and additional statuses 0x1 and 0x4

With switch set to Unlocked position:

  • Allows writing UID, manufacturer, internal bytes, counter and signature
  • Allows clearing and setting OTP, lock, block-locking bits independently
  • Allows reading password and acknowledge values of NTAG213 that are normally write-only
  • Allows enabling one of the two available password sniffing modes, active regardless of the lock switch


Functional Description

MIFARE Ultralight-compatible features:

The Emulator has a switch that can be toggled between one of the two positions: Locked and Unlocked. In the Locked mode, the Emulator operates according to the datasheet of the tag emulated, with a few possible exceptions that can be programmed in the Unlocked mode:

  • Manufacturer byte 0 of page 0 (UID0) can be different from 0x04, internal data byte 1 of page 2 can be different from 0x48, reserved byte 3 of page 40 can be different from 0xBD, and other reserved bytes can be different from 0x00. They can be freely changed in Unlocked mode, and their values are stored with no change when the switch is moved from Unlocked to Locked mode.
    WARNING!
    Changing manufacturer or internal bytes might render the Emulator unreadable with some hardware or software applications designed to communicate with NFC tags. If such a situation occurs, the entire memory content can be restored back to initial state (see section "Initial Memory Contents") by removing at least one battery and inserting it back after more than 2 seconds.

In the Unlocked mode, all pages are fully writable, with the following exceptions:

  • Byte 3 of page 0 (BCC0) always reads the value equal to UID0 ^ UID1 ^ UID2 ^ 0x88, and byte 0 of page 2 (BCC1) always reads the value equal to UID3 ^ UID4 ^ UID5 ^ UID6 (see Table 1), according to ISO 14443-A part 3. Writing arbitrary values to those bytes has no effect, and write operations to pages 0 and 2 always return a positive acknowledge ACK. This allows the user (software) to avoid calculating values of BCC0 and BCC1, which is convenient for manual UID entry.
  • Byte 0 of page 1 (UID3) can not be written with value 0x88. If a WRITE (0xA2) command is issued, where byte 0 is 0x88, a NAK is immediately returned and the entire page remains unchanged in the memory array. If a COMPATIBILITY_WRITE command is issued to page 1, the response is always ACK for the first part of the command. For the second part, if byte 0 is 0x88, a NAK is immediately returned and the entire page remains unchanged in the memory array.

These restrictions are always present, and are necessary to keep the Emulator readable. Lack of these restrictions could render the Emulator unreadable both in practice and according to ISO 14443-A part 3.

Table 1: Reserved Byte Definitions


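|        | Byte 0 | Byte 1   | Byte 2 | Byte 3 |
|--------|--------|----------|--------|--------|
| Page 0 | UID0   | UID1     | UID2   | BCC0   |
| Page 1 | UID3   | UID4     | UID5   | UID6   |
| Page 2 | BCC1   | Internal |        |        |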
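
The BCC rule and the UID3 restriction above, as an added Python example (not the vendor's code; the function names are hypothetical). It builds pages 0 - 2 from a 7-byte UID and checks a dump of those pages the way a reader-side validator would.

```python
# Added example, not vendor code. Function names are hypothetical.
CASCADE_TAG = 0x88  # ISO 14443-A part 3 cascade tag, also folded into BCC0


def build_uid_pages(uid, internal=0x48, lock=b"\x00\x00"):
    """Return pages 0, 1 and 2 (4 bytes each) for a 7-byte UID."""
    if len(uid) != 7:
        raise ValueError("expected a 7-byte UID")
    if uid[3] == CASCADE_TAG:
        # The Emulator answers NAK to this write: 0x88 in UID3 would
        # signal a further cascade level during anticollision.
        raise ValueError("UID3 must not be 0x88")
    bcc0 = CASCADE_TAG ^ uid[0] ^ uid[1] ^ uid[2]
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    return [
        bytes([uid[0], uid[1], uid[2], bcc0]),
        bytes(uid[3:7]),
        bytes([bcc1, internal]) + bytes(lock),
    ]


def check_uid_pages(pages):
    """Return a list of problems found in a dump of pages 0 - 2."""
    p0, p1, p2 = pages[0], pages[1], pages[2]
    problems = []
    if p0[3] != CASCADE_TAG ^ p0[0] ^ p0[1] ^ p0[2]:
        problems.append("BCC0 mismatch")
    if p2[0] != p1[0] ^ p1[1] ^ p1[2] ^ p1[3]:
        problems.append("BCC1 mismatch")
    if p1[0] == CASCADE_TAG:
        problems.append("UID3 is 0x88")
    if p0[0] != 0x04:
        # Allowed by the Emulator, but some reader software rejects it.
        problems.append("manufacturer byte is not 0x04")
    return problems


if __name__ == "__main__":
    default_uid = bytes.fromhex("04000000000000")  # UID of the initial memory state
    sample_uid = bytes.fromhex("04a1b2c3d4e5f6")   # constructed sample value
    for uid in (default_uid, sample_uid):
        pages = build_uid_pages(uid)
        print([p.hex() for p in pages], check_uid_pages(pages))
```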

Firmware-specific features:

Updating lock and block-locking bits

New configuration of lock and block-locking bits has effect immediately in NTAG213.

24-bit NFC counter

Writing 24-bit NFC counter with any value is performed in Unlocked mode by writing page 45. This page is write-only in Unlocked mode and is never available for reading. Increment of this counter is automatic and depends on configuration settings described in NTAG213 datasheet, and read of this counter is performed with the same command used to read counter 2 in tags that have 3 counters. Alternatively, this counter can be read with ASCII mirror function.
NOTE: page 45 is shared with Password Authentication and Sniffer Mode.

ASCII mirror

Mirror function works exactly like in original tags in both Locked and Unlocked modes. Suppression of mirrored fields that do not fit into readable range is performed automatically depending on control bits in registers MIRROR_CONF, ACCESS, MIRROR_PAGE, AUTH0 value, and additionally on the position of the lock switch. Unlocked mode opens the entire 45-page memory of NTAG213 for read and write access, extending the possible mirror range up to page 40, independently of PROT bit and AUTH0 value.

Signature

Setting signature (the 32-byte value read with command 0x3C 0x00, normally read-only) is performed by writing pages 46 - 53 in Unlocked mode in a single session, without interrupting the magnetic field from the reader, and without resetting the state machine to IDLE. Pages 46 - 53 can be written in any order, and other commands can be placed in between, as long as the state is not reset to IDLE. If a page within range 46 - 53 is written multiple times, the first value will be stored and all following values will be ignored (with ACK reply to prevent interruption of page loading process). If not all pages 46 - 53 are written in a single session, the signature will not be updated and will keep the previous value. Pages 46 - 53 are write-only, similarly to 24-bit counters. Signature contents are preserved even after removal of batteries, as the signature is stored in a page of Flash memory of the Emulator, unlike the conventional tag memory, which is stored in RAM. Writing signature to Flash takes 9 ms, which exceeds default response timeout for NFC standard. For that reason, the firmware implementation still gives ACK response after the minimal turn-around time, but halts the microcontroller after the ACK response. Therefore, it's not recommended to send any other commands in the same session after writing the signature, as the emulator will become unresponsive for about 9 ms after the response to the last of 8 WRITE or COMPATIBILITY_WRITE commands to pages 46 - 53. Since the real tag's signature is read-only anyway, this increased write timing does not present any emulation problems. Reading the signature takes the same response time as on a real tag and does not interfere with timing of other commands.

Configuration lock

In Unlocked mode, CFGLCK bit 6 of byte 0 of page 42 has no effect, like all lock and block-locking bits.

Response modulation index

STRG_MOD_EN bit 2 of byte 0 of page containing AUTH0 byte has no effect in any mode, and simply retains the value written, like a user memory location. Response modulation index in real tags has effect on tag reading distance only. The Emulator has only one hardware setting for maximum distance.

GET_VERSION command

Response of GET_VERSION command is hard-coded with values "00 04 04 02 01 00 0F 03" for NTAG213, similarly to responses ATQA and SAK.

Password Authentication and Sniffer Mode (*new!*)

Password and Acknowledge

Password and password-acknowledge (PACK) pages read as all zeros in Locked mode, and reveal the stored information in Unlocked mode.

AUTHENTICATE command

Authentication with command 0x1B works according to the datasheet in Locked mode. In Unlocked mode, the ACTIVE state does not exist: the tag goes to AUTHENTICATED state immediately when it would normally enter the ACTIVE state, as if authentication with the correct password was performed before any user command after the anticollision procedure. The whole tag content becomes readable regardless of AUTH0 byte and PROT bit. However, if an explicit AUTHENTICATE command with wrong password is given in Unlocked mode, the Emulator would still reset the state to IDLE and require a new anticollision procedure before any next user command. If any of the bits 2 - 0 (AUTHLIM) of ACCESS byte is set (the failed authentication counter limit is enabled), the Emulator in Unlocked mode still counts authentication commands with wrong password, and would still respond with status 0x4 if the limit is exceeded. The failed attempt counter is however easily reset in Unlocked mode by writing page 45 (see Table 2 and Table 3).

Failed password attempt counter

Setting the number of failed password authentication attempts is performed by writing page 45 in Unlocked mode: refer to Table 2 and Table 3. Page 45 is write-only in Unlocked mode and is never available for reading.

Sniffer modes (*new!*)

The function of revealing the stored password and acknowledge values in Unlocked mode is useless if there is no physical way to replace an original NFC tag with the Emulator during the procedure of setting the password. For that reason, a new method of revealing the password has been introduced in firmware: the password can now be stored in its page not only by writing that page, but also from the argument of the AUTHENTICATE command! There are 2 password sniffing modes currently available:

  1. PACK mode, in which the password coming from the AUTHENTICATE command overwrites the password stored in the password page before comparison is performed, thus replying internally stored PACK for any password. Note that in this mode a reader could find the emulated tag is not genuine because the correct PACK value might not be known at that stage, before the captured password has been read out by the user in Unlocked mode, and used to authenticate with a real tag being cloned and containing the correct PACK value.
  2. Timeout mode, in which the password coming from the AUTHENTICATE command also overwrites the password stored in the password page, but the comparison result is forced to be "not equal", thus creating a reply timeout, resetting state machine to IDLE state, and requiring the NFC reader to restart the anticollision procedure, as if the Emulator was removed from the reader right after the AUTHENTICATE command. In this mode the failed password attempt counter is not incremented, in order to prevent the Emulator from responding with status "Authentication counter limit exceeded" (0x4), which is different from the normal timeout response of a wrong password. Such a situation could occur if the NFC reader is repeatedly trying to run its application in which the AUTHENTICATE command is one of the steps, while the Emulator is physically interacting with the reader.
Sniffer modes perform their functions in both Locked and Unlocked modes of the Emulator. Please refer to Table 3 and Table 4 for sniffer mode bit settings.
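
A simplified Python model of the AUTHENTICATE handling described above in Locked mode, added here as an illustration (not the Emulator's firmware; all names are hypothetical). It shows what a reader that compares the returned PACK against the expected value observes in each sniffer mode; resetting the failed-attempt counter on success is an assumption taken from the tag datasheet.

```python
# Added example: simplified model, Locked mode only. Names are hypothetical.
SNIFF_OFF, SNIFF_PACK, SNIFF_TIMEOUT = "off", "pack", "timeout"
TIMEOUT = None        # no reply: the tag fell back to IDLE
LIMIT_EXCEEDED = 0x4  # status returned once AUTHLIM is exceeded


class TagModel:
    def __init__(self, pwd, pack, sniff=SNIFF_OFF, authlim=0):
        self.pwd, self.pack, self.sniff = pwd, pack, sniff
        self.authlim, self.failed = authlim, 0

    def authenticate(self, pwd):
        """Return PACK bytes, TIMEOUT, or LIMIT_EXCEEDED."""
        if self.sniff != SNIFF_OFF:
            self.pwd = pwd  # the argument overwrites the password page
            # PACK mode replies with the stored PACK for any password.
            # Timeout mode stays silent and does not count the attempt.
            return self.pack if self.sniff == SNIFF_PACK else TIMEOUT
        if self.authlim and self.failed >= self.authlim:
            return LIMIT_EXCEEDED
        if pwd == self.pwd:
            self.failed = 0  # assumption from the tag datasheet
            return self.pack
        self.failed += 1
        return TIMEOUT


def reader_login(tag, pwd, expected_pack):
    """Reader-side check: accept the tag only if the returned PACK matches."""
    reply = tag.authenticate(pwd)
    if reply is TIMEOUT:
        return "no-reply"
    if reply == LIMIT_EXCEEDED:
        return "limit-exceeded"
    return "ok" if reply == expected_pack else "pack-mismatch"


if __name__ == "__main__":
    pwd, pack = bytes.fromhex("11223344"), bytes.fromhex("aabb")  # constructed
    default_pwd, default_pack = bytes.fromhex("ffffffff"), bytes(2)  # initial memory state
    print(reader_login(TagModel(pwd, pack), pwd, pack))
    for mode in (SNIFF_PACK, SNIFF_TIMEOUT):
        emu = TagModel(default_pwd, default_pack, sniff=mode)
        print(mode, reader_login(emu, pwd, pack), emu.pwd.hex(), emu.failed)
```

In both sniffer modes the password argument has already been stored by the time the reader sees a PACK mismatch or a missing reply, so the PACK check only tells the reader that the tag is not genuine.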

Sharing a 24-bit counter, failed password attempt counter, and sniffer mode settings in the same page

For backwards compatibility of firmware versions, the three completely independent functions have ended up in the same write-only page. Since reading any of the written values is not possible through the same page, modifying values for one function without affecting the others requires additional control. This control is represented by 2 mask bits to enable or disable writing the 24-bit counter and the failed password attempt counter, and by a combination of sniffer mode bits meaning "keep previous state".

Table 2: Sharing counters and sniffer in Unlocked mode


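|               | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
|---------------|--------|--------|--------|--------|
| Page 45       | Write-only NFC counter (LSB 0 - MSB 2) | | | CNT_WR_CTRL |
| Pages 46 - 53 | Write-only Signature (bytes 0 - 3) | | | |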

Table 3: CNT_WR_CTRL byte in Unlocked mode


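|             | Bit 7       | Bit 6        | Bit 5        | Bit 4        | Bits 3 - 0          |
|-------------|-------------|--------------|--------------|--------------|---------------------|
| CNT_WR_CTRL | NWR_NFC_CNT | NWR_AUTH_CNT | SNIFF_MODE_1 | SNIFF_MODE_0 | Failed Auth Counter |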

NWR_NFC_CNT : writing this bit with 1 will disable writing NFC Counter in the same write operation.
NWR_AUTH_CNT : writing this bit with 1 will disable writing failed authentication counter in the same write operation.

Table 4: Sniffer mode bit settings

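| SNIFF_MODE_1 | SNIFF_MODE_0 | Description                      |
|--------------|--------------|----------------------------------|
| 0            | 0            | Keep previous sniffing mode      |
| 0            | 1            | Enable PACK sniffing mode        |
| 1            | 0            | Enable Timeout sniffing mode     |
| 1            | 1            | Disable sniffing modes (default) |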
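
How the two mask bits and the "keep previous state" combination interact on a write to page 45, as an added Python model (not the Emulator's firmware; the class and function names are hypothetical). It encodes a 4-byte page value from the fields in Tables 2 - 4 and applies it to a modelled state.

```python
# Added example: model of the shared write-only page 45. Names are hypothetical.
from dataclasses import dataclass

NWR_NFC_CNT = 0x80   # bit 7: 1 = leave the 24-bit NFC counter untouched
NWR_AUTH_CNT = 0x40  # bit 6: 1 = leave the failed-auth counter untouched
SNIFF_KEEP, SNIFF_PACK, SNIFF_TIMEOUT, SNIFF_OFF = 0b00, 0b01, 0b10, 0b11


@dataclass
class Page45State:
    nfc_counter: int = 0
    failed_auth: int = 0
    sniff_mode: int = SNIFF_OFF  # matches the initial value 00 00 00 30


def encode_page45(nfc_counter=None, failed_auth=None, sniff_mode=SNIFF_KEEP):
    """Build the 4 bytes to write; a field left as None is masked out."""
    ctrl = (sniff_mode & 0b11) << 4
    counter = 0
    if nfc_counter is None:
        ctrl |= NWR_NFC_CNT
    elif 0 <= nfc_counter <= 0xFFFFFF:
        counter = nfc_counter
    else:
        raise ValueError("NFC counter is 24 bits")
    if failed_auth is None:
        ctrl |= NWR_AUTH_CNT
    elif 0 <= failed_auth <= 0x0F:
        ctrl |= failed_auth
    else:
        raise ValueError("failed-auth counter is 4 bits")
    # Byte 0 is the counter LSB, byte 2 the MSB, byte 3 is CNT_WR_CTRL.
    return counter.to_bytes(3, "little") + bytes([ctrl])


def apply_write(state, page):
    """Update the modelled state the way the page 45 description implies."""
    ctrl = page[3]
    if not ctrl & NWR_NFC_CNT:
        state.nfc_counter = int.from_bytes(page[:3], "little")
    if not ctrl & NWR_AUTH_CNT:
        state.failed_auth = ctrl & 0x0F
    mode = (ctrl >> 4) & 0b11
    if mode != SNIFF_KEEP:
        state.sniff_mode = mode
    return state


if __name__ == "__main__":
    state = Page45State(nfc_counter=7, failed_auth=3)  # constructed sample state
    reset_auth = encode_page45(failed_auth=0)          # touches one field only
    print(reset_auth.hex(), apply_write(state, reset_auth))
```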

Memory organization in Unlocked mode:

Table 5: NTAG213 memory organization in Unlocked mode


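|               | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
|---------------|--------|--------|--------|--------|
| Page 0        | UID0 | UID1 | UID2 | BCC0 |
| Page 1        | UID3 | UID4 | UID5 | UID6 |
| Page 2        | BCC1 | Internal | Lock & Block-Locking (bytes 2 - 3) | |
| Page 3        | OTP (bytes 0 - 3) | | | |
| Pages 4 - 39  | User Memory (bytes 0 - 3) | | | |
| Page 40       | Dynamic Lock & Block-Locking (bytes 0 - 2) | | | RFU |
| Page 41       | MIRROR | RFU | MIRROR_PAGE | AUTH0 |
| Page 42       | ACCESS | RFU (bytes 1 - 3) | | |
| Page 43       | Password (bytes 0 - 3) | | | |
| Page 44       | Password ACK (bytes 0 - 1) | | RFU (bytes 2 - 3) | |
| Page 45       | Write-only NFC Counter (LSB 0 - MSB 2) | | | CNT_WR_CTRL |
| Pages 46 - 53 | Write-only Signature (bytes 0 - 3) | | | |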

Initial memory state:

Table 6: NTAG213 initial memory state


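|                                                | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
|------------------------------------------------|--------|--------|--------|--------|
| Page 0                                         | 04 | 00 | 00 | 8C |
| Page 1                                         | 00 | 00 | 00 | 00 |
| Page 2                                         | 00 | 48 | 00 | 00 |
| Page 3                                         | E1 | 10 | 12 | 00 |
| Page 4                                         | 01 | 03 | A0 | 0C |
| Page 5                                         | 34 | 03 | 00 | FE |
| Pages 6 - 39                                   | 00 | 00 | 00 | 00 |
| Page 40                                        | 00 | 00 | 00 | BD |
| Page 41                                        | 04 | 00 | 00 | FF |
| Page 42                                        | 00 | 05 | 00 | 00 |
| Page 43                                        | FF | FF | FF | FF |
| Page 44                                        | 00 | 00 | 00 | 00 |
| Page 45 (NFC & Auth. Counters, Sniffer)        | 00 | 00 | 00 | 30 |
| Pages 46 - 53 (Signature)                      | FF | FF | FF | FF |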

Power Supply Requirements

The Emulator is powered from 3 batteries 1.5V each. Batteries are included when the device is shipped. The isolator paper with the "PULL" label needs to be removed before use.

Compatible batteries are known under the following names:
AG8, SG8, LR55, SR55, LR1120, SR1120, 191, 381, 391.

The correct battery orientation is with positive side upwards. The smaller (negative) battery terminal should touch the printed circuit board.

The Emulator does not have a power switch, and it does not need any, since its automatic power saving feature reduces power consumption to almost zero when the electromagnetic field of a reader is not acting on the antenna. Batteries are needed to keep the memory state of the emulated NFC tag. If any of the three batteries is removed, the memory content of the emulated tag is reverted back to the initial state when the power is provided the next time, independent of the switch position. The electrical power parameters are provided in Table 7.


Electrical Characteristics

Table 7: Electrical Specifications

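| Parameter                                          | Min. | Typ.  | Max. | Unit |
|----------------------------------------------------|------|-------|------|------|
| Operating voltage                                  | 3.3  | -     | 5.5  | V    |
| Battery current consumption (reader field present) | -    | 5.6   | 7.1  | mA   |
| Battery current consumption (no reader field)      | -    | 0.2   | 2.1  | µA   |
| Carrier signal frequency                           | -    | 13.56 | -    | MHz  |
| Emulator crystal frequency deviation               | -    | -     | 20   | ppm  |
| Reader frequency deviation                         | -    | -     | 50   | ppm  |
| Antenna input capacitance                          | -    | 18    | -    | pF   |
| Operating temperature                              | 0    | -     | +60  | °C   |
| Storage temperature (no batteries)                 | −40  | -     | +85  | °C   |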

NFC Reader Compatibility

Any reader compatible with a standard tag is also compatible with the Emulator when it is programmed with firmware for the same tag.


List of Recommended Android Software

MIFARE++ Ultralight, NFC Shell, UltraManager Lite, UltraManager Pro, NFC Tag maker, RFID NFC Tool, NFC TagInfo, and others.


Warranty

Every Emulator is individually tested for electrical connections and for operation before shipping. The Emulator comes with NO WARRANTY, but technical support may be provided in future. NFC knowledge is recommended when using the Emulator.


Listing Terms

Please be advised that this item is currently in stock and available for immediate shipping. In the event that this item becomes unavailable for immediate shipping, the buyer will be made aware of the situation. You, the buyer, have the option of waiting for the item to become available or requesting a full refund.


Package Contents

  • 1 x Emulator
  • 3 x new AG8 batteries

All items will be shipped in envelopes wrapped in air-bubble protective material.


Shipping

  • Our standard shipping service is free, your order will be processed within 1-2 business days after your payment. Transit time varies from 2-10 business days.
  • For any express shipping request, please contact me through eBay for a quote. Additional fees will be required.
  • We ship worldwide, however some countries are excluded. We do not ship to Africa, Middle East, and China. We only ship to the confirmed Paypal address. We reserve the right to cancel any order for any reason at any time, you'll be advised in that case.
  • We are not responsible for undeliverable addresses. If you have any last minute request or address change, make sure to add them in the comment section in the Payout.
  • For multiple items shipping custom fees may apply.

Return Policy

  • Please contact us before making any request.
  • We offer a 14 day return policy from checkout winning date. Message us for return instructions only in the case of a defective item.
  • Items defective upon receipt must be packaged in their retail packaging as if new, and returned with a detailed description of the problem.
  • Return shipping fees are paid by the buyer and are not refundable.
  • We reserve the right to decline any returns if the above guidelines are not followed.

Disclaimer

The manufacturer can not be held responsible for any consequences that may arise while or after using the Emulator. The user or developer holds the ultimate responsibility in application design or use of the Emulator. All use is at customer's own risk.