Open Source Hitag Programmer

[rellullapaasee]

Nope, I already tried all possible orientations of the key. I'm not able to read it anymore, don't know why.
Driving the device with Effi it's always working at first try.

Maybe you could also try debug version attached. It is printing pulses that Arduino receives.

For example good samples:
ISRcnt:3D
32, 33, 30, 33, 30, 33, 32, 33, 30, 33, 32, 65, 62, 65, 62, 65, 28, 37, 62, 65, 28,

Low and high times are same length. double pulses are double the time compared to single pulses.

Bad samples (incorrect offset):
ISRcnt:36
12, 49, 16, 75, 58, 35, 28, 35, 32, 29, 36, 63, 32, 33, 64, 31, 34, 29, 34, 29, 34, 31, 32,
Low times are much shorter than high times. Double pulses can't be separated.

Edit: Actually there could be permanent debug mode...
Debug mode can be enabled with command d01 and disabled d00.

[XProfig]

Are you using Zedbull interface now in your setup? Could you take a photo of setup? What is exact type of transponder? Some link?

I use Zed-Bull Mini v508 china clone https://www.aliexpress.com/i/32833866751.html

Below is a picture of my wiring. I know it looks a bit messy, but for first development it should work. At least communication Arduino <-> ABIC seems stable.

As PCF7945 I use a chinese pcb with chip type 26A0700 marked with NXP. It has also 868MHz remote.



I'll try to debug as you proposed in the evening when I'm back from work

[XProfig]

Thanks again for spending so much effort for this!

In the meanwhile I tried out the debug version. I was able to read out the chip 2 times correctly (with approx. 20 tries). But I had to use g02 setting. The interesting thing is that the successful tries were try 2 and try 4. After that it worked never again.

Here is the output of a failed readout with enabled debug output:

Sending: o
adapt target:13


adapt samplingT:A6


adapt readval:FF


RFON
Sending: i05C0
transfer
length bits: 5
Received command:C0,
ISRcnt:38


34, 31, 32, 33, 32, 33, 30, 33, 32, 63, 30, 33, 62, 67, 62, 65, 30, 33, 30, 35, 30, 35, 30, 33, 30, 37, 62, 65, 30, 35, 62, 67, 62, 65, 30, 35, 62, 33, 30, 33, 30, 67, 62, 65, 30, 33, 64, 65, 60, 33, 30, 33, 32, 235, 38, 15,
++++++++++++++++++++++++
RESP:94094E97
++++++++++++++++++++++++
EOF
1234567821AEF740
Sending: i401234567821AEF740
transfer
length bits: 64
Received command:12, 34, 56, 78, 21, AE, F7, 40,
ISRcnt:36


18, 95, 40, 49, 14, 77, 20, 47, 52, 39, 24, 71, 26, 37, 28, 35, 30, 33, 30, 37, 62, 65, 30, 35, 62, 33, 30, 33, 32, 65, 32, 33, 62, 67, 62, 65, 30, 33, 62, 65, 30, 35, 62, 33, 32, 157, 240, 9, 18, 15, 18, 47, 12, 235,
++++++++++++++++++++++++
RESP:NORESP


++++++++++++++++++++++++
EOF


CRYPT ERROR
Sending: f
RFOFF

Maybe it would be interesting to find out what is the difference between the ABIC communication with original Atmega2561 compared to ABIC communication with Hitager Arduino?
Seems that ABIC itself is always able to read PCF7945 key correctly (always working with Effi). So there must be an issue with Hitager Arduino communication with ABIC. Do you agree?
But I wonder why Hitager always reads IDE correctly, and everything afterwards is unstable.


Edit: I managed to get one successful reading with debug mode enabled. Have a look at the attachment. The last try in the .txt was the successful one. At this try I held the key ~3cm away from reader coil and gain was 0.

Edit2: Tried a bit more. I can reproduce it. When I hold the key ~ 1 - 2 cm away from reader coil, reading is successful nearly every time, with g0

I could take a I2C sniffer and capture the I2C communication between Atmega2561 and ABIC when used with Effi. Maybe we can learn how the original tool is configuring the ABIC. Or I will play around with the different configuration parameters of the ABIC and see if there is any improvement. For this I could use Hitager debug feature.

[rellullapaasee]

Thanks again for spending so much effort for this!

In the meanwhile I tried out the debug version. I was able to read out the chip 2 times correctly (with approx. 20 tries). But I had to use g02 setting. The interesting thing is that the successful tries were try 2 and try 4. After that it worked never again.

Here is the output of a failed readout with enabled debug output:



Maybe it would be interesting to find out what is the difference between the ABIC communication with original Atmega2561 compared to ABIC communication with Hitager Arduino?
Seems that ABIC itself is always able to read PCF7945 key correctly (always working with Effi). So there must be an issue with Hitager Arduino communication with ABIC. Do you agree?
But I wonder why Hitager always reads IDE correctly, and everything afterwards is unstable.


Edit: I managed to get one successful reading with debug mode enabled. Have a look at the attachment. The last try in the .txt was the successful one. At this try I held the key ~3cm away from reader coil and gain was 0.

Edit2: Tried a bit more. I can reproduce it. When I hold the key ~ 1 - 2 cm away from reader coil, reading is successful nearly every time, with g0

I could take a I2C sniffer and capture the I2C communication between Atmega2561 and ABIC when used with Effi. Maybe we can learn how the original tool is configuring the ABIC. Or I will play around with the different configuration parameters of the ABIC and see if there is any improvement. For this I could use Hitager debug feature.

This is quite interesting case! Definetely there is some crusial difference in communication. It just have to find out! And it is good to find these problems as I can't find all problems by myself.

Seems that read result of IDE is very good. Gain and offset settings should be best as default values. After that there is no response at all. Just random noise. So, problem is probably on transmitter side. There is not many settings on PCF7991 that have effect for transmitter.

Communication is started with 5 bit command and transponder replies IDE. After that 64 bit authentication message is sent. Maybe these transponders cope with 5 bit command but not any more 64 bit. That could be timing issue of transmitting '1' and '0' I had some problems with these at the begining but it has been working after that. But I haven't very wide collection of different transponders.

There is new version where timings can be adjusted on Tag Debugger tab. Please try one step increment/decrement at time and compare if there is some difference. Shouldn't need big changes as it is working occasionally already

[rellullapaasee]

Now also support for plain authentication for example with some PCF7936 and PCF7941.

[Catalizator]

Hello. the author of the project is a great inventor, I appreciate his work. but in my opinion, the program does not need extra buttons and commands, an ordinary user will get confused and will not understand the purpose of everything. the simpler the more convenient. In no case, this is not a comment, only an opinion. good luck!

[XProfig]

Hello. the author of the project is a great inventor, I appreciate his work. but in my opinion, the program does not need extra buttons and commands, an ordinary user will get confused and will not understand the purpose of everything. the simpler the more convenient. In no case, this is not a comment, only an opinion. good luck!

Basically I agree. But as project is in development phase yet, the additional buttons are necessary as they help debuggin.
Maybe they could easily be removed and then only showed when selecting an "advanced user" option? This makes sense when the project is in the end phase.


In the meanwhile, rellullapaasee provided an update again. With this, the reading in Zed-Bull v508 Clone got a lot more stable. I attached the log of some subsequent readings of my blank PCF7945.
Here my Observations:
- At the beginning it read all pages very often (~ 12 times out of 20 tries)
- Pg 4...7 seems to be read correctly
- Pg 3 content is wrong at most tries
- After waiting (e.g. after I wrote this post), reading nearly works never again. After resetting Arduino, it works again.

[XProfig]

Now I found out how the original communication from Zed-Bull clone with Effi is done. I attached two screens with oscilloscope.

Zed-Bull is using WRITE_TAG_N command 00011000, which means that the PCF7991 ABIC automatically sets the duration of the Zero-Phase of each pulse send to the transponder. The last bits 1000 specify that the duration of every zero will be 8*T0 which is 64us. See attached WRITE_TAG_N.jpg

After that command, 6 pulses are sent to the ABIC Din input (6_Pulses_to_Transponder.jpg). At every rising edge sent to ABIC, antenna is turned of for 64us (Zero-Phase), then it is automatically switched back on (One-Phase) until the next rising edge at ABIC Din input. The duration between two consecutive rising edges at Din input are defining if a logical 1 or 0 is transmitted to the transponder. The greater distance in my measurement is 228us, which indicates a 1.

Maybe this is exactly the problem in Arduino code of this project? It is using the WRITE_TAG_N command but instead of letting the ABIC form the LOW pulses, it does the complete pulse-forming itself?

[rellullapaasee]

Now I found out how the original communication from Zed-Bull clone with Effi is done. I attached two screens with oscilloscope.

Zed-Bull is using WRITE_TAG_N command 00011000, which means that the PCF7991 ABIC automatically sets the duration of the Zero-Phase of each pulse send to the transponder. The last bits 1000 specify that the duration of every zero will be 8*T0 which is 64us. See attached WRITE_TAG_N.jpg

After that command, 6 pulses are sent to the ABIC Din input (6_Pulses_to_Transponder.jpg). At every rising edge sent to ABIC, antenna is turned of for 64us (Zero-Phase), then it is automatically switched back on (One-Phase) until the next rising edge at ABIC Din input. The duration between two consecutive rising edges at Din input are defining if a logical 1 or 0 is transmitted to the transponder. The greater distance in my measurement is 228us, which indicates a 1.

Maybe this is exactly the problem in Arduino code of this project? It is using the WRITE_TAG_N command but instead of letting the ABIC form the LOW pulses, it does the complete pulse-forming itself?

Thanks for debugging! However, I think that this is not the problem. Arduino is using same approach for pulsing. There is command writePCF7991Reg(0x15,8); when starting to write data. There is one T0 difference but I think that it does not make big difference as it seems to work even with much more bigger or smaller values.

[rellullapaasee]

Decided to enable ABIC hysteresis function. This needed also some other fixes to be done but now reading should work much stable. Please test and comment! Also removed some debug features that didn't have much effect.

There is also some Hitag Pro functionality included as I got PCF7939FA tag but seems that at least this does not have very much to read in plain mode. So, mainly untested and writing does not work.

[rellullapaasee]

Noticed that there is some video showing some Range Rover Hitag Pro reading: https://cartools.lv/Robin/HITAG/htprrkey.mp4 Segment configuration is displayed there at 'C'. First 8 bytes are segment sizes and 8 next are access levels. Noticed also that 'F' is plain readable. WTF!? Used tag has crypto key plain readable! What a security hole! Should be also possible to test with Hitager now.

[XProfig]

Just tested the most recent changes. Full reading of my PCF7945 is now working in nearly every try (3 times crypt error @ 20 readings).
But content of Page 3 is still wrong in nearly every case. But Page 4...7 seems always correct.

Setting Hysteresis on seems to improve things. Just compared directly, with hysteresis 20% crypt error @ 10 readings, without hysteresis 90% crypt error @ 10 readings

[XProfig]

I played a little bit with different setting.
The following I changed:
writePCF7991Reg(0x15,8) --> writePCF7991Reg(0x19,8)
writePCF7991Reg(0x40 | (gain<<2) , 8) --> writePCF7991Reg(0x40 | (gain<<2) | 0x02, 8) ;

Now we have 100% successful readings @ 20 tries!!!
I think the second change (Filter_H = 1) made this. I changed it because I see Effi uses this setting, too.

Nevertheless, Page 3 always gets different readings. I'm not sure, but I think Page 3 is the first one read after the crypto init. So maybe we could try to read Pg3 again at the end, when readings have stabilized?
Somehow, if I send the crypto initialization command, e.g. i409A81BA2FB4AE6AF8 by "send Raw" function. The transponder does not respond.

Edit:
Just tried with Gain = 2.

========================
Now seems everything finally works!!!
========================

Made 20 readings, all 20 are good. Pg3 is always the same with data 08AA4854 --> correct!

I say big thanks again for this amazing project. Can't say it often enough ;-)

Edit2:
Two improvement proposals for the GUI:
- Description "Remote Data" should be added to Pg4...7 block on the right
- Pg4...7 should be diesplayed in the left block if BSEL=1 (currently it's on the right block)

[Catalizator]

with new arduino firmware, no pcf reading. this has been tested several times. loading from 25.02, everything is fine

[XProfig]

If you like you could test with code I changed.

You should also try Setting Gain to 2.