Hello NFC community,
MIFARE® Ultralight-based tickets offer an ideal solution for low-cost, high-volume applications such as public transport, loyalty cards and event ticketing. They serve as a perfect contactless replacement for magnetic stripe, barcode, or QR-code systems. The introduction of the contactless MIFARE Ultralight® ICs for limited-use applications can lead to reduced system installation and maintenance costs. As you may know the MIFARE family has the Ultralight C tag which is a contactless IC supporting 3DES cryptography is mostly used in limited use applications such smart ticketing, this tag complies with ISO 14443-3 type A and it is defined as type 2 tag, in this document I want to show you the procedure to change the default key to a custom key also to protect certain areas in the tag so the authentication is needed to perform a read or write operation.

---------------------------------------------------------------------------------------------------

For this document I used :

• MFEV710: PEGODA Contactless Smart Card Reader
  • 
• RFIDDiscover Software
  • Lite version 
  • Full Version Available in Docstore
• Mifare Ultralight c
  
  • 

---------------------------------------------------------------------------------------------------

Information

• Old Key : 49454D4B41455242214E4143554F5946
• New Key : 88776655443322117766554433221199
• Data sheet

----------------------------------------------------------------------------------------------------

• First we start with the procedure to activate the tag and the anticollision procedure explained in the ISO/IEC 14443-3.

Command Direction

•    ">" this direction is command send from PCD (Reader) to PICC(Ultralight c)
•    "<" this direction is command send from PICC (Ultralight c) to PCD (Reader)
•    "=" Prepare this command before sending

UID = 045983E1ED2580

 ** the following procedure is explained in section 7.5.5 from the datasheet**

[AUTHENTICATED]

Then according to  section 7.5.7 of the datasheet the sections  where the 3DES key are saved are the 2C (Page 44) to the 2F (Page 47).

We proceed to  write our new key using the A2 (WRITE command)

[RESET FIELD]
[Authenticate with new key]

[AUTENTICATED WITH NEW KEY]

we proceed to define from which sector the authentication is needed in order to read or write, to do this we use a write command to the AUTH0 (AUTH0 defines the page address from which the authentication is required. Valid address values for byte AUTH0 are from 03h to 30h.)

the AUTH0 is located on the section 2A please check table 5 from #datasheet.

**for this example we will define that from page 6 (06) we will need authentication to perform a read or write operation**

Now the Read capabilities from page 06  require an Authentication in order to be read or written.

Hope you find this document useful to get a better understanding of the behavior of the Ultralight C and how its security features can help you in your applications.

Have a great day!

BR

Jonathan