{"id":211,"date":"2021-01-27T11:17:01","date_gmt":"2021-01-27T09:17:01","guid":{"rendered":"http:\/\/kivijakola.fi\/projektit\/?p=211"},"modified":"2026-03-14T10:32:24","modified_gmt":"2026-03-14T08:32:24","slug":"hitag-open-source-tool","status":"publish","type":"post","link":"https:\/\/kivijakola.fi\/projektit\/2021\/01\/27\/hitag-open-source-tool\/","title":{"rendered":"Hitag2 and AES Open Source Key Programmer"},"content":{"rendered":"\n

Hardware<\/strong><\/h2>\n\n\n\n

It is needed some 125kHz RFID reader to be able to communicate with Hitag key tags. In this project we use old Renault car card reader that is fairly well (cheap) available in scrapyards and uses PCF7991 base station IC that has also well documented datasheet available.<\/p>\n\n\n\n

\"\"
Renault card reader connection to Arduino Mega 2560

<\/figcaption><\/figure>\n\n\n\n
\"\"
IO pin connection to PCF7991. Arduino pins defined in source code. As default they are:
din_pin = 21;
dout_pin = 7;
SCK_pin = 6;<\/figcaption><\/figure>\n\n\n\n
\"\"
Power connected from Arduino board directly to card reader pins<\/figcaption><\/figure>\n\n\n\n
\"\"
Data pins are soldered directly to PCF7991 pins as connector pins has input and output multiplexed and using 12V levels. Maybe possible to use pins with some small hw modification. Not investigated yet.<\/figcaption><\/figure>\n\n\n\n
hitag.ino(Update 18.02.2021\/2 Phase compensation calculation fixed)<\/a>Lataa<\/a><\/div>\n\n\n\n
hitag.ino(Update 25.02.2021\/2)<\/a>Lataa<\/a><\/div>\n\n\n\n
hitag.ino(Update 03.03.2021)<\/a>Lataa<\/a><\/div>\n\n\n\n
Hihitag.ino(Update 10.03.2021)<\/a>Lataa<\/a><\/div>\n\n\n\n
hitag.ino (support for VVDI SuperChip 13.6.2021)<\/a>Lataa<\/a><\/div>\n\n\n\n

Source codes available at GitHub: https:\/\/github.com\/kivijakola\/hitager\/tree\/main\/Arduino<\/a><\/p>\n\n\n\n

Now also tested to be compatible with Arduino Nano!<\/strong> Use for example following pin settings:
const int SCK_pin = 6;
const int dout_pin = 7;
const int din_pin = 2;<\/em>
No other changes required. din_pin<\/em> must have external interrupt feature on it! Arduino Mega2560 is also compatible with din_pin = 2<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
PCF7991 Basestation IC datasheet<\/a>Lataa<\/a><\/div>\n\n\n\n
PCF7936AS_NXP Hitag2 tag datasheet<\/a>Lataa<\/a><\/div>\n\n\n\n

New Tag Reader HW version<\/strong><\/h2>\n\n\n\n

I decided to ordered cheap Chinese RFID adapter for IPROG (~12USD) from Aliexpress: https:\/\/www.aliexpress.com\/af\/-RFID-adapter-for-IPROG.html<\/a> Don’t buy full set! Only the adapter! This board has direct interface to PCF7991 via connector. There is also TMS3705 IC on board that may be used for programming tags using FSK modulation. (PCF7991 handles ASK modulation)<\/p>\n\n\n\n

This adapter needs little bit modification. There is no oscillator on the board. There is oscillator pin input but Arduino doesn’t have ability to feed it. So we need to add 4MHz one between PCF7991 pins 6 and 7. Also add 22pF caps between pins and GND. Also remove marked resistor that it is not causing interference to oscillator.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Then there is simpe task left to connect adapter to Arduino. Three data pins, GND and +5V<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Tip\/further idea:<\/strong> Someone to design Arduino shield that has oscillator and pin routings for interfacing IPROG reader. Or even full Arduino shield with oscillator(s), PCF7991, TMS3705, switching relay, antenna etc!<\/p>\n\n\n\n

Hitag2 Key Programmer<\/strong><\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

New Set ISK feature (set key easily to factory state). <\/p>\n\n\n\n

AESHitager app now supports also Hitag2 functionality and development is continued there. Please download at bottom of the page!<\/p>\n\n\n\n

Hitag2+EE<\/strong><\/h2>\n\n\n\n

Command set:
Enter XMA state: 00111<\/p>\n\n\n\n

INC_BLOCK_POINTER: 00100 + inv
DEC_BLOCK_POINTER: 00101 + inv
READ_PAGE(0-7): 11XXX + inv
WRITE_PAGE(0-7): 10XXX + inv<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Now included to main release (scroll down)<\/p>\n\n\n\n

Hitag AES Key Programmer<\/strong><\/strong> (pre-coder)<\/h2>\n\n\n\n

Cars after 2015 are more common using AES enabled keys. These cards may also need some pre-coding before they can be actually coded to car. <\/p>\n\n\n\n

New cards can be access using XMA that is extension for Hitag2. AES cards have however little bit modified command set compared to Hitag2 XMA. Interface information was not public availble anywhere on Internet. Command set was however quite easy to find out using little bit try and error. There wasn’t even need to capture commands from any existing programmer communication. Just give commands to tag using Arduino serial port and see what card respons.<\/p>\n\n\n\n

In this project we don’t consider encrypted authentication of keys. There wouldn’t even be much benefit of it because even if it could be possible to read memory segment encrypted there is propably lock bits set that can’t be cleared. And if not segment can be configured to plain and accessed without encryption.<\/p>\n\n\n\n

If used key is wanted to use again, there always possibility to clear PCF79xx chip completely and reprogram it using specific in-circuit programmer like VVDI PROG: https:\/\/www.xhorsetool.com\/wholesale\/vvdi-prog-programmer.html<\/a> <\/p>\n\n\n\n

\"\"
AES card state diagram<\/figcaption><\/figure>\n\n\n\n

<\/p>\n\n\n\n

Command set for hitag AES<\/p>\n\n\n\n

XMA Access State<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Enter XMA state: i0540 (01000)<\/p>\n\n\n\n

<\/p>\n\n\n\n

READ_PAGE bit format: 11XXX + inv
READ_PAGE0: i0aC1C0
READ_PAGE1: i0aC980
READ_PAGE2: i0ad140
READ_PAGE3: i0ad900
READ_PAGE4: i0ae0c0
READ_PAGE5: i0ae880
READ_PAGE6: i0af040
READ_PAGE7: i0af800<\/p>\n\n\n\n

WRITE_PAGE bit format: 10XXX + inv
WRITE_PAGE0 i0a83c0
WRITE_PAGE1 i0a8B80
WRITE_PAGE2 i0a9340
WRITE_PAGE3 i0a9b00
WRITE_PAGE4 i0aa2c0
WRITE_PAGE5 i0aaa80
WRITE_PAGE6 i0ab240
WRITE_PAGE7 i0aba00<\/p>\n\n\n\n

After WRITE_PAGEX command tag returs given command or nothing if page not writable. After that actual data can be written with command i20XXXXXXXX. Tag does not respond anything for that. And data is there!<\/p>\n\n\n\n

SELECT_SEGMENT bit format: 00XXX + inv
SELECT_SEGMENT0: i0a07c0
SELECT_SEGMENT1: i0a0f80
SELECT_SEGMENT2: i0a1740
SELECT_SEGMENT3: i0a1f00
SELECT_SEGMENT4: i0a26c0
SELECT_SEGMENT5: i0a2e80
SELECT_SEGMENT6: i0a3640
SELECT_SEGMENT7: i0a3e00<\/p>\n\n\n\n

SELECT_BLOCK bit format: 01XXX + inv
SELECT_BLOCK0: i0a45c0
SELECT_BLOCK1: i0a4d80
SELECT_BLOCK2: i0a5540
SELECT_BLOCK3: i0a5d00
SELECT_BLOCK4: i0a64c0
SELECT_BLOCK5: i0a6c80
SELECT_BLOCK6: i0a7440
SELECT_BLOCK7: i0a7c00<\/p>\n\n\n\n

XMA Config State<\/strong><\/p>\n\n\n\n

Enter XMA config state: i05e8 (11101)<\/p>\n\n\n\n

READ_CONFIG bit format: 01XXX + inv
READ_CONFIG0: i0a45c0
READ_CONFIG1: i0a4d80
READ_CONFIG2: i0a5540
READ_CONFIG3: i0a5d00
READ_CONFIG4: i0a64c0
READ_CONFIG5: i0a6c80
READ_CONFIG6: i0a7440
READ_CONFIG7: i0a7c00<\/p>\n\n\n\n

replies are in following format:
0381
8781
8381
0381
0381
8388
8381
8381<\/p>\n\n\n\n

Whrere digits:
1: lock bit for mode
2: mode 0=denied 3=plain 7=crypt
3: lock bit for segment size
4: segment size (blocks)<\/p>\n\n\n\n

WRITE_CONFIG_MSB bit format: 10XXX + inv
WRITE_CONFIG_MSB0 i0a83c0
WRITE_CONFIG_MSB1 i0a8B80
WRITE_CONFIG_MSB2 i0a9340
WRITE_CONFIG_MSB3 i0a9b00
WRITE_CONFIG_MSB4 i0aa2c0
WRITE_CONFIG_MSB5 i0aaa80
WRITE_CONFIG_MSB6 i0ab240
WRITE_CONFIG_MSB7 i0aba00<\/p>\n\n\n\n

WRITE_CONFIG_LSB bit format: 11XXX + inv
WRITE_CONFIG_LSB0: i0aC1C0
WRITE_CONFIG_LSB1: i0aC980
WRITE_CONFIG_LSB2: i0ad140
WRITE_CONFIG_LSB3: i0ad900
WRITE_CONFIG_LSB4: i0ae0c0
WRITE_CONFIG_LSB5: i0ae880
WRITE_CONFIG_LSB6: i0af040
WRITE_CONFIG_LSB7: i0af800<\/p>\n\n\n\n

After WRITE_CONFIGX command tag returs given command or nothing if page not writable. After that mode data MSB(lock bit and mode) or LSB(lock bit and size) can be written with command (one byte) i08XX. Tag does not respond anything for that.
<\/p>\n\n\n\n

Windows Application<\/strong><\/h2>\n\n\n\n

Segment 0 is storing all relevant information for authentication. Key ID is located at 32 first bits (E0 23 95 63). After that there is factory default 128 bit crypto key (11 11 22 22 33 33 44 44 55 66 66 77 77 88 88)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Hitag Pro<\/strong><\/h2>\n\n\n\n

Command set:

Read IDE: 0011

Plain authenticate XMA: 0000 0000 XXXX… Where XXXX is IDE read from the card(32bit)

Segment configuration: 1111 1111 XXXX… Where XXXX is IDE read from the card(32bit)

Select Segment\/block: 1101 1AAA BBBB Where AAA is segment and BBBB block

Read page: 0000 0AAA Where AAA is page address

Write page: 1000 0AAA XXXX… YY.. Where AAA is page address and XXXX data to be written (32bit), YY = CRC8(8bit)

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Hitag2 Extended<\/strong><\/h2>\n\n\n\n

Command set:
Very similar to AES but with minor differences:
Enter XMA state: 00000
READ_PAGE bit format: 11XXX + inv
WRITE_PAGE bit format: 10XXX + inv
SELECT_SEGMENT bit format: 00XXX + inv

Enter XMA config state: 10100
READ_CONFIG bit format: 01XXX + inv
WRITE_CONFIG_MSB bit format: 10XXX + inv
WRITE_CONFIG_LSB bit format: 11XXX + inv
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Hitag2 BMW EE<\/strong><\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

VVDI SuperChip, XT27A<\/strong><\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Hitag AES Encrypted Mode<\/strong><\/h2>\n\n\n\n

Got some crucial help from one friend for AES encrypted protocol. So, here it is implemented.<\/p>\n\n\n\n

Communication is established with secure handshaking. After that Hitag AES transponder goes directly to XMA mode. So, it is not possible to change segment configuration in that mode. Segment configuration is always done in plain mode.<\/p>\n\n\n\n

Ciphered mode offers possibility to check and modify segments that are encrypted and locked.<\/p>\n\n\n\n

Hitag AES encrypted protocol<\/strong><\/h3>\n\n\n\n

Handshaking is done by sending random data (challenge) to transponder. Random number with IDE is used as seed for crypt data. Both sides do the same AES calculation. Next step ABIC sends 16 bit of crypt data to transponder. If that match for transponder calculation, transponder replies next 48 bit of crypt data. ABIC side then verifies data and hadshaking done.<\/p>\n\n\n\n

Next steps are always based on crypting again full output of earlier step crypt data. New data is then used as mask and crypted message is formed with XOR operation with necessary amount of bits.<\/p>\n\n\n\n

Data is not ever decrypted with AES algorithm. XORing algorithm is always used both sides.<\/p>\n\n\n\n

You may test AES encryption with online tool like this: https:\/\/testprotect.com\/appendix\/AEScalc<\/a> <\/p>\n\n\n\n

Visual Studio has crypto class RijndaelManaged that can be used to encrypt messages with mode CipherMode.ECB<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Application<\/strong><\/h3>\n\n\n\n

User can select encrypted protocol by checking check box and giving AES crypto key. AES protocol is high energy consuming. Transponder needs to be carefully located on transmitter coil to tranfer all needed energy.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Hitager AES crypto mode application package (Windows binary only):<\/p>\n\n\n\n

https:\/\/kivijakola.fi\/share\/hitager\/hitager_aes_crypto.zip<\/a><\/p>\n\n\n\n

Source code<\/p>\n\n\n\n

https:\/\/kivijakola.fi\/share\/hitager\/sources_aes_crypt.zip<\/a><\/p>\n\n\n\n

Videos<\/strong><\/h2>\n\n\n\n
\n