HITAG 2 DOCUMENTATION

This document is supplied only to my friends, no commercial value, do not distribute it

Army
Hitag 2 software is located under transponder tab

GENERAL VIEW OF THE SOFTWARE

1 File:This tab is used for saving whole content of transponder memory as a HTG file, or
loading previously saved .HTG file.

2 Factory configuration:
All the blank transponders are loaded with the default secret key value.
default secret key value is 4F 4E 4D 49 4B 52
Factory config button loads the default secret key value to the related boxes.
3 Used for choosing type of 46 transponder, when tansponder is read it automatically detects the type.
Only pcf7936 is like regular carbon transponder, it does not have remote memory pages,
all the others are IC type of transponders which have remote and transponder functions together.
4 Transponder mode describes the type of communication between transponder and the base station
(car, zed-bull, etc.)
Password mode: the communication between transponder and base station is plain, not encrypted
the secret key is default secret key.
Cipher mode: the communction between transponder and base station is encrypted, the secret key
is default secret key.
Locked mode: the communication between transponder and base station is encrypted like in cipher mode
Secret key is different than default secret key.
5 Frequency mode: this is the coding type of the signals sent or received.
If the base station sends commands or data in manchester coding, transponder mode should be adjusted
to manchester coding as well. same applies for bi phase mode.

6 These pages are the memory pages related with transponder only
7 these pages are the memory pages related with remote only

8 The buttons are used for reading and wrting to transponder and remote pages, R buttons are used for reading
W buttons are used for writing to the remote and transponder pages.
9 the boxes turns green when successfull reading or writing operation is done, or turns red when unsuccessfull
reading or wrting is done.
10 TMCF:Transponder memory configuration; it is the bitwise display of the most significant byte of page 3.

Each bit is used for different configuration for transponder.

SKL:secret key lock bit, if it is 1 secret key is locked against writing, if locked once, can not be unlocked
PGL3: page 3 lock bit, if it is 1, page 3 is locked against writing, if locked once, can not be unlocked
PWP1: page write protect 1, if it is set to 1, pages 4,5 are locked against writing, it can be unlocked by writing 0
PWP0:Page write protect 0, if it is set to 1, pages 5,6 are locked against writing, it can be unlocked by writing 0
ENC:Enable crypto mode, if it is set to 1, transponder mode is cipher mode, if it is 0 transponder mode is password
MS1 and MS0: if these bits are set to 1, certain pages of transponder can only be read. Not used in practice.
Datacoding select: If this bit is set to 1 transponder data coding is in bi phase, if it is 0 transponder data coding
is in manchester mode:

PRACTICAL INFORMATION

If Zed-BULL reads transponder as:

Cipher- manchester, password-manchester, password- bi phase or cipher- bi phase, the transponder has the default
secret key 4F 4E 4D 49 4B 52
If Zed-BULL reads transponder as locked
the secret key is different than the default secret key

Without knowing the secret key of the transponder it is not possible to read or write to any of the pages.
Knowing the secret key of the transponder means unlocking the transponder.
If the correct secret key of the transponder is written to factory configuration section, transponder will let user to edit all its
pages if and only if some of the pages are not locked irreversably.

ALways first read the transponder with zed-bull, according to the data displayed on zed-bull screen
choose appropriate modes and then read the pages of transponder. If let's say, transponder is in cipher mode
and password mode is chosen on the software, it won't read any of the pages.