  #1 rellullapaasee (Member)

    Open Source Hitag Programmer

    There has been discussion that Renault Ecu Tool needs a separate tag programmer for AES in AKL. Those programmers tend to be expensive. What could be the correct price? How about free?

    RET users probably have a Renault card reader lying around, or some other PCF7991-based tag hardware. Also some Arduino board could be nice to have.

    I wrote a piece of software to interface Hitag2 tags using C# and Arduino. It is available at https://kivijakola.fi/projektit/2021...n-source-tool/ This is just a demonstration that interfacing with tags is possible. The next target would be to interface with AES tags. However, some help is now needed: it seems that there is no interface specification available for the communication, or at least I couldn't find one. It would be a very big help if someone could provide some information about handshaking, reading and writing memory, etc.


  #2 godfathertre (DK Veteran)

    Why do you not try to contact the developer of the tool and see if he can come out with a working AES reader/programmer? That would be great news.


  #3 DK Veteran

    Has everyone forgotten the Chinese, who copy and make money on it? Free equipment is not needed. Each author and owner must protect their development.

  #4 rellullapaasee (Member)

    I'm also the developer. And I know that the Chinese copy everything. That is why this is published as an open project. I don't want to spend years protecting all interfaces and making things really difficult. Basically there are only a few bits that must be transmitted and received. It is not worth massive protection. This project is just for investigating things for fun and giving some kick to companies that are asking thousands for that simplicity. And for the Chinese: try to steal something that is free.

    I'm also working with AES but there are some difficulties with it. There are no datasheets available about interfacing. I don't have any device that could read it either. I only have a CN900 that reads the card ID.

    CN900 also has a PCF7991 as RF interface. I captured data and noticed the following:
    CN900 sends command 11110 and PCF7945 replies FFAEDD25. That is displayed as the device ID. I don't know if that is a real one...

    Then CN900 sends 11101 and the tag responds FE882AAA (not a full 32 bits, the tail is crap)
    Now the tag is in some kind of read page mode and some data can be read out with command 01abc 10def, where abc is the page address and def is abc with the bits inverted. So, here are the commands and replies:
    01000 10111 repl:F0381555
    01001 10110 repl:F87815AA
    01010 10101 repl:F83811AA
    01011 10100 repl:F0381555
    01100 10011 repl:F0381540
    01101 10010 repl:F8388000
    01110 10001 repl:F8381C00
    01111 10000 repl:F8381000

    And open source serial port commands:
    o
    i05f0
    i05e8 (may need to resend for sync)
    i0a45c0
    i0a4d80
    i0a5540
    i0a5d00
    i0a64c0
    i0a6c80
    i0a7440
    i0a7c00

    Those replies are not full 32-bit words and I have no idea whether there is any sense in that data at all. CN900 is not displaying or using it anyhow. However, that is everything I have. I really hope that there is no need for AES authentication with an empty card. There are lots of algorithm implementations available but I'm pretty sure that the algorithm is obfuscated. The interface could be easy to reverse engineer if someone could send me that 1000eur existing device, or the tag source code, or a datasheet, or anything.
    Last edited by rellullapaasee; 30th January, 2021 at 08:46 AM.


  #5 rellullapaasee (Member)

    Project page updated with wiring details to Arduino!

    In addition to what there is for AES communication: as it is possible to send some commands and receive replies from the card, it is proof that communication is possible with cards/tags and that the physical layer/modulation is as in Hitag2. Everything just depends on SW.
    Last edited by rellullapaasee; 30th January, 2021 at 08:52 AM.


  #6 rellullapaasee (Member)

    Some testing... Megane AES card (right) is responding to commands (11110...) but the Clio card (left) is just silent. CN900 is not finding anything with the Megane card either. Some new approach is needed...
    (Attached images: the two cards)


  #7 fred77 (DK Veteran)

    Quote Originally Posted by godfathertre:
    Why do you not try to contact the developer of the tool and see if he can come out with a working AES reader/programmer? That would be great news.

    Come on, seriously - they'd laugh in your face. Commercial info is never shared, even if cloned.

    -------------------------

    Very interesting project though - and maybe expensive, as I see dev kits available from NXP for $1000 with the latest AES Keyless Go.

    Searched https://hackaday.com/
    But very little info.

    BTW I've just bought a handsfree kit off eBay for £40 - just to see (cheaper, cough x2) the technology used (hopefully chip labels not removed).

    But I expect my project idea is different to yours -

    If you need a HiTag programmer go buy one - or call an auto locksmith! Those programmers pay back in a couple of jobs!!!
    Know it's interesting but really the tools are a 'price' for a reason - even, say, the Chinese need to feed and clothe themselves
    Last edited by fred77; 30th January, 2021 at 09:20 PM.

  #8 rellullapaasee (Member)

    Dammit, some basic mistake with RF! That Clio card is using FSK modulation. I was thinking that FSK would be used only for the remote part but it comprises also the RFID part. So, a TMS3705 or similar is also needed on the reader side, as the PCF7991 can handle only ASK.


  #9 DK Veteran

    Hello
    R.E.T is waiting too much for me
    - For the Abrites anniversary, Protag + AVDI + RR012 was on sale for 799€, money back in one week! (including Fiat Pre-code, AES, 4C functions ...)
    - UCO has no need of TagKey for all Renault AES cards

    For these two reasons, I think R.E.T let development down

    & I let R.E.T down!

  #10 rellullapaasee (Member)

    Some playing with the AES tag and random commands. Here is the output (some cleaning) of the terminal:
    length bits: 5
    Received command:40,
    ++++++++++++++++++++++++
    RESP:03810000
    ++++++++++++++++++++++++
    length bits: 10
    Received command:C1, C0,
    ++++++++++++++++++++++++
    RESP:FAEDD251
    ++++++++++++++++++++++++
    length bits: 10
    Received command:C9, 80,
    ++++++++++++++++++++++++
    RESP:11112222
    ++++++++++++++++++++++++
    length bits: 10
    Received command:D1, 40,
    ++++++++++++++++++++++++
    RESP:33334444
    ++++++++++++++++++++++++
    length bits: 10
    Received command:D9, 0,
    ++++++++++++++++++++++++
    RESP:55556666
    ++++++++++++++++++++++++
    length bits: 10
    Received command:E0, C0,
    ++++++++++++++++++++++++
    RESP:77778888
    ++++++++++++++++++++++++
    length bits: 10
    Received command:E8, 80,
    ++++++++++++++++++++++++
    RESP:00000000
    ++++++++++++++++++++++++
    length bits: 10
    Received command:F0, 40,
    ++++++++++++++++++++++++
    RESP:22221111
    ++++++++++++++++++++++++
    length bits: 10
    Received command:F8, 0,
    ++++++++++++++++++++++++
    RESP:C0000091
    ++++++++++++++++++++++++

    Combining readings:
    FA ED D2 51 11 11 22 22 33 33 44 44 55 55 66 66
    77 77 88 88 00 00 00 00 22 22 11 11 C0 00 00 91

    Can you see something?! Seems that we have the first command set for Hitag AES!!!

    Enter XMA state: i0540
    READ_PAGE0: i0aC1C0
    READ_PAGE1: i0aC980
    READ_PAGE2: i0ad140
    READ_PAGE3: i0ad900
    READ_PAGE4: i0ae0c0
    READ_PAGE5: i0ae880
    READ_PAGE6: i0af040
    READ_PAGE7: i0af800

    Could that be some bad joke? Seems to be too easy! Where are all the Chinese cloners??? There wasn't even any need for encryption...

    Next I should find block pointer inc/dec, protection bits and writing.


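The terminal output above is worth reading mechanically rather than by eye: each 10-bit read command carries the page address in bits 3-5 and its bitwise inverse in bits 8-10, and the eight RESP words concatenate into the 32-byte dump shown under "Combining readings". The script below is an added example written for this thread, not the project's own sketch or tool code. It parses a constructed copy of the log (the "+++" separator lines dropped, the two commands the forum rendered as ":D" emoticons restored to D1/D9), checks that every command's inverse half matches its address half, and reassembles the dump. The MSB-first, padded-last-byte bit order is an assumption inferred from the post, not documented anywhere on the page.

```python
"""Parse the Arduino terminal log quoted in the post and reassemble the tag memory dump."""

# Constructed sample: the terminal output from the post above, separators removed and the
# two commands the forum ate as ":D" emoticons restored to "D1, 40," and "D9, 0,".
SAMPLE_LOG = """\
length bits: 5
Received command:40,
RESP:03810000
length bits: 10
Received command:C1, C0,
RESP:FAEDD251
length bits: 10
Received command:C9, 80,
RESP:11112222
length bits: 10
Received command:D1, 40,
RESP:33334444
length bits: 10
Received command:D9, 0,
RESP:55556666
length bits: 10
Received command:E0, C0,
RESP:77778888
length bits: 10
Received command:E8, 80,
RESP:00000000
length bits: 10
Received command:F0, 40,
RESP:22221111
length bits: 10
Received command:F8, 0,
RESP:C0000091
"""


def parse_log(text):
    """Return a list of (nbits, command_bytes, response_hex), one per exchange in the log."""
    exchanges = []
    nbits, cmd = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("length bits:"):
            nbits = int(line.split(":", 1)[1])
        elif line.startswith("Received command:"):
            fields = line.split(":", 1)[1].split(",")
            cmd = bytes(int(f, 16) for f in fields if f.strip())
        elif line.startswith("RESP:"):
            exchanges.append((nbits, cmd, line.split(":", 1)[1].strip()))
    return exchanges


def command_bits(cmd, nbits):
    """Assumption: bits go on air MSB-first and the last byte is padded; keep the first nbits."""
    return "".join(f"{b:08b}" for b in cmd)[:nbits]


def decode_read_page(bits):
    """Split a 10-bit read command into (opcode, page, complement_ok).

    Layout observed in the thread: 'xxabc yydef', where abc is the 3-bit page
    address, def is abc inverted, and yy is xx inverted. A response is only
    attributed to a page when both inverse halves agree with their originals.
    """
    if len(bits) != 10:
        return None
    op, addr, op_inv, addr_inv = bits[0:2], bits[2:5], bits[5:7], bits[7:10]
    page = int(addr, 2)
    ok = (int(addr_inv, 2) == (~page & 0b111)) and (int(op_inv, 2) == (~int(op, 2) & 0b11))
    return op, page, ok


def dump_memory(text):
    """Map page number -> 32-bit response word for every well-formed 10-bit read in the log."""
    pages = {}
    for nbits, cmd, resp in parse_log(text):
        decoded = decode_read_page(command_bits(cmd, nbits))
        if decoded is None:
            continue  # the 5-bit "enter XMA state" command is not a page read
        _op, page, ok = decoded
        if ok:
            pages[page] = resp
    return pages


def hexdump(pages):
    """Concatenate the pages in address order, as the post does under 'Combining readings'."""
    return "".join(pages[p] for p in sorted(pages))


if __name__ == "__main__":
    mem = dump_memory(SAMPLE_LOG)
    for p in sorted(mem):
        print(f"page {p}: {mem[p]}")
    print(hexdump(mem))
```

Running it reproduces the post's 32-byte line (without the spaces); a command whose inverse half does not match is silently dropped, which is the check a reader would want before trusting a response as page data.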

  #11 rellullapaasee (Member)

    Seems that writing is possible with simple commands that are well aligned with the Hitag2 command set:
    WRITE_PAGE0 i0a83c0
    WRITE_PAGE1 i0a8B80
    WRITE_PAGE2 i0a9340
    WRITE_PAGE3 i0a9b00
    WRITE_PAGE4 i0aa2c0
    WRITE_PAGE5 i0aaa80
    WRITE_PAGE6 i0ab240
    WRITE_PAGE7 i0aba00

    After a WRITE_PAGEX command the tag returns the given command, or nothing if the page is not writable. After that the actual data can be written with command i20XXXXXXXX. The tag does not respond anything to that. And the data is there!

    Still have to check lockings... Also needs some investigation whether this command set is supported by all AES tags, or whether this is just some Chinese tag addon...

    BTW: There are those cheap Chinese Iprog RFID adapters that have both TMS3705 and PCF7991 chips assembled. Just have to add an oscillator because that signal comes from the Iprog board itself. I will investigate that more when the board arrives. Price was ~12usd
    Attachment 783012


  #12 rellullapaasee (Member)

    XMA config pages are found. Seems that they can be read when giving command 11101 at wait state (this is the same as the wandering in the first phase). After that they can be read with commands 01000..01111. Return data is 16 bits. Writing can be triggered with commands 10000..10111 but I haven't found yet what the format of the actual write data is.

    So, command set for XMA config:
    Enter config state: i05e8
    READ_CONFIG0: i0a45c0
    READ_CONFIG1: i0a4d80
    READ_CONFIG2: i0a5540
    READ_CONFIG3: i0a5d00
    READ_CONFIG4: i0a64c0
    READ_CONFIG5: i0a6c80
    READ_CONFIG6: i0a7440
    READ_CONFIG7: i0a7c00

    replies:
    0381
    8781
    8381
    0381
    0381
    8388
    8381
    8381

    Where the hex digits mean:
    1: lock bit for mode
    2: mode 0=denied 3=plain 7=crypt
    3: lock bit for segment size
    4: segment size

    In XMA mode a segment can be selected using these commands:
    0: i0a07c0
    1: i0a0f80
    2: i0a1740
    3: i0a1f00
    4: i0a26c0
    5: i0a2e80
    6: i0a3640
    7: i0a3e00

    And a block within any segment can be selected with these:
    0: i0a07c0
    1: i0a0f80
    2: i0a1740
    3: i0a1f00
    4: i0a26c0
    5: i0a2e80
    6: i0a3640
    7: i0a3e00

    A segment consists of blocks, which consist of pages (32 bits).

    Only config page writing left. Then I need to implement some simple GUI.
    Last edited by rellullapaasee; 9th February, 2021 at 11:54 AM.

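The post above gives the config-state command strings and a digit-by-digit reading of the 16-bit replies (lock bit for mode, mode, lock bit for segment size, segment size). As an added example, not the project's own code, the script below decodes those serial strings into the 5-bit words that go on air and turns each reply into named fields, so the eight replies can be summarised as a table of which config pages are locked or in crypt mode. The serial format ("i", two hex digits of bit count, hex payload sent MSB-first with padding) is an inference from the i05e8 / i0a.... / i20XXXXXXXX strings in the thread, and the 0/8 values of the lock digits are taken from the replies listed; neither is documented on the page beyond that.

```python
"""Decode the post's 'i<bits><hex>' serial strings and the 16-bit XMA config replies."""

# Digit 2 of a config word, as identified in the post: 0=denied, 3=plain, 7=crypt.
MODES = {0: "denied", 3: "plain", 7: "crypt"}

# Constructed from the post: the eight READ_CONFIG replies in order, config page 0..7.
CONFIG_REPLIES = ["0381", "8781", "8381", "0381", "0381", "8388", "8381", "8381"]


def decode_serial(cmd):
    """Return the bit string a command like 'i0a45c0' puts on air.

    Assumed format (inferred from the thread, not documented by the project):
    'i' + two hex digits giving the bit count + hex payload, MSB-first, with the
    unused low bits of the last byte as padding.
    """
    if not cmd.startswith("i") or len(cmd) < 4:
        raise ValueError(f"not a send command: {cmd!r}")
    nbits = int(cmd[1:3], 16)
    payload_hex = cmd[3:]
    total = 4 * len(payload_hex)
    if nbits > total:
        raise ValueError(f"{cmd!r} declares {nbits} bits but carries only {total}")
    return f"{int(payload_hex, 16):0{total}b}"[:nbits]


def words(bits, width=5):
    """Split a bit string into the 5-bit command words the tag consumes."""
    return [bits[i:i + width] for i in range(0, len(bits), width)]


def decode_config(word):
    """Split a 16-bit config reply (4 hex digits) into the fields the post names."""
    if len(word) != 4:
        raise ValueError(f"config reply must be 4 hex digits: {word!r}")
    d = [int(c, 16) for c in word]
    return {
        "mode_lock": d[0] != 0,        # digit 1: lock bit for mode (seen as 0 or 8)
        "mode": MODES.get(d[1], f"unknown({d[1]:x})"),  # digit 2
        "size_lock": d[2] != 0,        # digit 3: lock bit for segment size
        "segment_size": d[3],          # digit 4
    }


def locked_pages(replies):
    """Config page indexes whose mode lock bit is set."""
    return [i for i, w in enumerate(replies) if decode_config(w)["mode_lock"]]


def crypt_pages(replies):
    """Config page indexes whose mode is 'crypt'."""
    return [i for i, w in enumerate(replies) if decode_config(w)["mode"] == "crypt"]


if __name__ == "__main__":
    for s in ("i05e8", "i0a45c0", "i0a7c00"):
        print(s, "->", " ".join(words(decode_serial(s))))
    for i, w in enumerate(CONFIG_REPLIES):
        print(f"config{i}: {w} -> {decode_config(w)}")
    print("mode-locked:", locked_pages(CONFIG_REPLIES))
    print("crypt:", crypt_pages(CONFIG_REPLIES))
```

On the listed replies this shows only config page 1 in crypt mode, pages 1, 2, 5, 6 and 7 with the mode lock set, and all eight with the segment-size lock set; that is the kind of summary that should be checked before attempting any config write, since the post has not yet established the write data format.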

  #13 TERMINATOR1000 (DK Veteran)

    What are you talking about???? No one understands anything, it's not an engineering forum!

    (Attached image: avdi promo 2.JPG)

    Only stupid guys have not got a hitag programmer for free now ( + Fiat transponder + RR012 + NO NEED AMS BECAUSE NO ONLINE OPTIONS )

    AND other tool UCO do it without hitag programmer
    Last edited by TERMINATOR1000; 9th February, 2021 at 12:06 PM.

  #14 rellullapaasee (Member)

    And still one piece of good news! The Clio AES (Chinese) key that I was using for testing previously had a bad coil assembled! Replaced the coil and it started working with the basic Renault card reader setup! So, there is still no need for any FSK. Everything seems to be just ASK!!!


  #15 rellullapaasee (Member)

    Quote Originally Posted by TERMINATOR1000:
    What are you talking about???? No one understands anything, it's not an engineering forum!

    Only stupid guys have not got a hitag programmer for free now ( + Fiat transponder + RR012 + NO NEED AMS BECAUSE NO ONLINE OPTIONS )

    AND other tool UCO do it without hitag programmer

    Is that tool set only capable of programming Hitag2? And it still costs 800€. Where is the free lunch? And how about AES eeprom (XMA) configuration?
