🤔Inspect and find promo codes waiting to be discovered!🤔

Tech Security Tools

Magic Card Gen 4 Shadow Mode | Flipper Zero | Proxmark3

Understanding and activating Shadow Mode in the Gen 4 Magic Card.

Table of Contents

Video Demonstration

Understanding Shadow Mode

Shadow mode is a function in the Gen 4 card that restores the card to its initial state after being scanned by a reader. This mode is divided into four states: Off (Pre-Write), On (On Restore), Don’t Care, and High-Speed Read and Write.

To use Shadow mode, please follow these steps:

  1. Enter the Pre-Write mode.
  2. Write the full card data.
  3. After writing, set the mode to On.

In the On state, the first time you read the newly written data, subsequent reads will display the pre-written data. This operation is supported by all modes.

Please note that using any block to read and write in this mode may yield incorrect results.

How to activate Shadow Mode

So far, we are not aware of any method to activate Shadow mode with the Flipper Zero. This option may be added in the near future, and we will keep you updated. For now, we must use the Proxmark3.

To activate Shadow mode with the Proxmark3, we will first set our Gen 4 magic card to function as a Mifare Ultralight card, as we are using it with a Mifare Ultralight card in this example.

There are two ways to manipulate a Magic card Gen 4 with the Proxmark3:

  1. Use the hf 14a commands (hf stands for High Frequency and 14a refers to the ISO standard for contactless cards ISO 14443-type A)
  2. Use the lua scripts

In our case we will use the lua scripts since it is much simpler and works just fine. Here is the list of commands with the lua scripts:

This script enables easy programming of an Ultimate Mifare Magic card
script run hf_mf_ultimatecard -h -k -c -w -u -t -p -a -s -o -v -q -g -z -m -n

-h this help
-c read magic configuration
-u UID (8-20 hexsymbols), set UID on tag
-t tag type to impersonate:
1 = Mifare Mini S20 4-byte
2 = Mifare Mini S20 7-byte 15 = NTAG 210
3 = Mifare Mini S20 10-byte 16 = NTAG 212
4 = Mifare 1k S50 4-byte 17 = NTAG 213
5 = Mifare 1k S50 7-byte 18 = NTAG 215
6 = Mifare 1k S50 10-byte 19 = NTAG 216
7 = Mifare 4k S70 4-byte 20 = NTAG I2C 1K
8 = Mifare 4k S70 7-byte 21 = NTAG I2C 2K
9 = Mifare 4k S70 10-byte 22 = NTAG I2C 1K PLUS
*** 11 = UL-C – NOT WORKING FULLY 24 = NTAG 213F
12 = UL EV1 48b 25 = NTAG 216F
13 = UL EV1 128b
*** 14 = UL Plus – NOT WORKING YET

-p NTAG password (8 hexsymbols), set NTAG password on tag.
-a NTAG pack ( 4 hexsymbols), set NTAG pack on tag.
-s Signature data (64 hexsymbols), set signature data on tag.
-o OTP data (8 hexsymbols), set `One-Time Programmable` data on tag.
-v Version data (16 hexsymbols), set version data on tag.
-q ATQA/SAK (<2b ATQA><1b SAK> hexsymbols), set ATQA/SAK on tag.
-g GTU Mode (1 hexsymbol), set GTU shadow mode.
-z ATS (<1b length><0-16 ATS> hexsymbols), Configure ATS. Length set to 00 will disable ATS.
-w Wipe tag. 0 for Mifare or 1 for UL. Fills tag with zeros and put default values for type selected.
-m Ultralight mode (00 UL EV1, 01 NTAG, 02 UL-C, 03 UL) Set type of UL.
-n Ultralight protocol (00 MFC, 01 UL), switches between UL and MFC mode
-k Ultimate Magic Card Key (IF DIFFERENT THAN DEFAULT 00000000)

script run hf_mf_ultimatecard -t 12

By writing this command on our Proxmark3 to the Gen 4 it then becomes a Mifare Ultralight EVI 48-bit (you now which type of card you have when you read your original card watch the video at the end). With the flipper all you have to do is simply read the card, save it in the Flipper Zero’s memory and then write the data to the Gen 4.

Now we can run the command to set our Gen 4 into Shadow mode. This is the command to use:

script run hf_mf_ultimatecard -g 00

Great now we can use write the data of our card and it will be in shadow mode. After this we could write the data with the Flipper Zero which is much simpler.

Leave a Comment

Your email address will not be published. Required fields are marked *


Scroll to Top