Some 125 kHz RFID reader is needed to be able to communicate with Hitag key tags. In this project we use an old Renault car card reader that is fairly cheap and readily available in scrapyards; it uses the PCF7991 base station IC, for which a well documented datasheet is also available.
Now also tested to be compatible with Arduino Nano! Use for example the following pin settings:
const int SCK_pin = 6;
const int dout_pin = 7;
const int din_pin = 2;
No other changes are required. din_pin must be a pin with the external interrupt feature! Arduino Mega2560 is also compatible with din_pin = 2.
New Tag Reader HW version
I decided to order a cheap Chinese RFID adapter for IPROG (~12 USD) from Aliexpress: https://www.aliexpress.com/af/-RFID-adapter-for-IPROG.html Don't buy the full set! Only the adapter! This board has a direct interface to the PCF7991 via a connector. There is also a TMS3705 IC on board that may be used for programming tags using FSK modulation (the PCF7991 handles ASK modulation).
This adapter needs a little modification. There is no oscillator on the board. There is an oscillator input pin, but the Arduino has no way to feed it. So we need to add a 4 MHz one between PCF7991 pins 6 and 7, and also add 22 pF caps between those pins and GND. Also remove the marked resistor so that it does not interfere with the oscillator.
Then there is a simple task left: connect the adapter to the Arduino. Three data pins, GND and +5V.
Tip/further idea: someone could design an Arduino shield that has the oscillator and pin routing for interfacing the IPROG reader. Or even a full Arduino shield with oscillator(s), PCF7991, TMS3705, switching relay, antenna etc.!
Hitag2 Key Programmer
New Set ISK feature (sets the key easily back to factory state).
The AESHitager app now also supports Hitag2 functionality and development continues there. Please download it at the bottom of the page!
Enter XMA state: 00111
INC_BLOCK_POINTER: 00100 + inv
DEC_BLOCK_POINTER: 00101 + inv
READ_PAGE(0-7): 11XXX + inv
WRITE_PAGE(0-7): 10XXX + inv
Now included in the main release (scroll down)
Hitag AES Key Programmer (pre-coder)
Cars from 2015 onwards more commonly use AES enabled keys. These cards may also need some pre-coding before they can actually be coded to the car.
New cards can be accessed using XMA, which is an extension of Hitag2. AES cards have, however, a slightly modified command set compared to Hitag2 XMA. Interface information was not publicly available anywhere on the Internet. The command set was, however, quite easy to find out with a little trial and error. There wasn't even a need to capture commands from any existing programmer's communication: just send commands to the tag over the Arduino serial port and see what the card responds.
In this project we don't consider encrypted authentication of keys. There wouldn't even be much benefit from it, because even if it were possible to read a memory segment in encrypted mode, there are probably lock bits set that can't be cleared. And if not, the segment can be configured to plain and accessed without encryption.
If a used key is to be reused, there is always the possibility to clear the PCF79xx chip completely and reprogram it using a specific in-circuit programmer like VVDI PROG: https://www.xhorsetool.com/wholesale/vvdi-prog-programmer.html
Command set for Hitag AES
XMA Access State
Enter XMA state: i0540 (01000)
READ_PAGE bit format: 11XXX + inv
WRITE_PAGE bit format: 10XXX + inv
After the WRITE_PAGEX command the tag returns the given command, or nothing if the page is not writable. After that the actual data can be written with the command i20XXXXXXXX. The tag does not respond to that at all, but the data is there!
SELECT_SEGMENT bit format: 00XXX + inv
SELECT_BLOCK bit format: 01XXX + inv
XMA Config State
Enter XMA config state: i05e8 (11101)
READ_CONFIG bit format: 01XXX + inv
Replies are in the following format:
1: lock bit for mode
2: mode (0 = denied, 3 = plain, 7 = crypt)
3: lock bit for segment size
4: segment size (blocks)
WRITE_CONFIG_MSB bit format: 10XXX + inv
WRITE_CONFIG_LSB bit format: 11XXX + inv
After the WRITE_CONFIGX command the tag returns the given command, or nothing if the page is not writable. After that the mode data, MSB (lock bit and mode) or LSB (lock bit and size), can be written with the one-byte command i08XX. The tag does not respond to that at all.
Segment 0 stores all information relevant for authentication. The key ID is located in the first 32 bits (E0 23 95 63). After that comes the factory default 128-bit crypto key (11 11 22 22 33 33 44 44 55 66 66 77 77 88 88).
Example of AES key programming with the Renault ECU Tool programmer to precode cards: http://www.immo-tools.lt/site/files/failai/X98_AllCardsLost.pdf Yes! You can do the same with this open source project!
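The "5 bits + inv" framing shared by all the XMA commands listed above (Hitag2 XMA, the AES access state and the AES config state), as an added C example that is not part of the project's own Arduino code: it composes a 5-bit command word from prefix and argument, appends the inverted copy to get the 10-bit frame, checks that an echoed frame is well-formed before any data word is sent, and renders the i<bitcount><hex> serial line used in the examples on this page. The serial layout (two hex digits of bit count, then the bits left-aligned in whole bytes) is inferred from the i0540, i05e8, i20 and i08 examples and is an assumption, as are the function and macro names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XMA command words are 5 bits: a 2-bit prefix followed by a 3-bit
 * page/segment/block argument. These are the access-state prefixes listed
 * on the page; the config state (READ_CONFIG 01, WRITE_CONFIG_MSB 10,
 * WRITE_CONFIG_LSB 11) and Hitag2 XMA use the same framing. */
#define XMA_SELECT_SEGMENT 0x0   /* 00XXX */
#define XMA_SELECT_BLOCK   0x1   /* 01XXX */
#define XMA_WRITE_PAGE     0x2   /* 10XXX */
#define XMA_READ_PAGE      0x3   /* 11XXX */

/* Compose the 5-bit command word from a 2-bit prefix and 3-bit argument. */
uint8_t xma_cmd5(uint8_t prefix, uint8_t arg3)
{
    return (uint8_t)(((prefix & 0x3) << 3) | (arg3 & 0x7));
}

/* "+ inv": the 5-bit word is followed by its bitwise inverse, giving a
 * 10-bit frame. READ_PAGE(0) = 11000 00111 = 0x307. */
uint16_t xma_frame(uint8_t cmd5)
{
    cmd5 &= 0x1F;
    return (uint16_t)((cmd5 << 5) | (~cmd5 & 0x1F));
}

/* Verify that a received 10-bit frame is well-formed: the low 5 bits must be
 * the inverse of the high 5 bits. The page says the tag answers WRITE_PAGE
 * and WRITE_CONFIG by echoing the command (or stays silent when the page is
 * not writable), so checking the echo like this before sending the data word
 * avoids writing after a corrupted or missing reply. Returns 1 if ok. */
int xma_frame_valid(uint16_t frame)
{
    uint8_t hi = (frame >> 5) & 0x1F;
    uint8_t lo = frame & 0x1F;
    return (uint8_t)(~hi & 0x1F) == lo;
}

/* Format a serial line in the "i<bitcount><hexdata>" shape the page uses
 * (i0540 = 5 bits 01000, i05e8 = 5 bits 11101). Assumption inferred from
 * those examples: two hex digits of bit count, then the bits left-aligned
 * in whole bytes. Supports up to 16 bits, which covers every command frame
 * here. Returns the number of characters written, or -1 on error. */
int xma_serial_cmd(uint16_t bits, unsigned nbits, char *out, size_t outlen)
{
    if (nbits == 0 || nbits > 16 || out == NULL)
        return -1;
    uint16_t left = (uint16_t)(bits << (16 - nbits));   /* left-align */
    unsigned nbytes = (nbits + 7) / 8;
    int n = snprintf(out, outlen, "i%02x%02x", nbits, (left >> 8) & 0xFF);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (nbytes == 2) {
        int m = snprintf(out + n, outlen - (size_t)n, "%02x", left & 0xFF);
        if (m < 0 || (size_t)m >= outlen - (size_t)n)
            return -1;
        n += m;
    }
    return n;
}

int main(void)
{
    char line[16];
    uint8_t cmd = xma_cmd5(XMA_READ_PAGE, 0);      /* 11000 */
    uint16_t frame = xma_frame(cmd);               /* 1100000111 */
    xma_serial_cmd(frame, 10, line, sizeof line);
    printf("READ_PAGE(0): cmd=%02x frame=%03x serial=%s echo_valid=%d\n",
           cmd, frame, line, xma_frame_valid(frame));
    xma_serial_cmd(0x08, 5, line, sizeof line);    /* enter XMA access state */
    printf("enter XMA access state: %s\n", line);  /* i0540, as on the page */
    return 0;
}
```

The same helpers produce i05e8 for the config-state entry word (11101) and "i0a" plus two data bytes for any 10-bit command frame; the echo check is the one step worth keeping in any sketch that issues WRITE_PAGE or WRITE_CONFIG, since the page notes the tag is silent when a page is not writable.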