Flipper as Hitag 2 Transponder programmer?

I made a HUGE confusion on the thread about car keys … One thing is the radio portion to open and close the car and another is the little chip inside the key that is used for the immobilizer, etc … The little transponder looks like an RFID BUT WITH ENCRYPTION …

But there is stuff like this:

It would be great if Flipper could READ and even write or emulate transponders … Did someone check this out?

Hitag are encrypted asf with a challenge-response system that no one so far has cracked. Currently you'll not be reading, saving or emulating them, but you could use the Flipper to function as an encoder for brand new Hitags.

This would be great because even if you can’t clone an existing HITAG2 you would be able to create a new one for a car brand, for example, and you could then use the car to program your new emulated HITAG on the Flipper to work with the car. Meaning all people would be happy, as there would be no legal problem, as well as you would be required to use the car to allow the new emulated transponder to work. So yes, if possible, please do investigate that for implementation.

Also, half of the HITAG 2 chip should be writable, and even when using a new HITAG 2 on a car some level of programming is still required, so maybe it’s still needed to write something on the new chip (writable part) for it to be able to be accepted by the car?! Don’t know if it’s possible to get that data from the old transponder/HITAG, but apparently half of its capacity is writable…

The problem here is that Flipper’s LFRFID system can’t work with challenge-response cards; only one-sided communication is supported. This was a sacrifice to support Indala cards (which work on 62.5 kHz, actually), so Hitag chips are probably out of the question.

Thanks for the reply. What about just reading what can be read from the old HITAG to write on the writable portion of the new HITAG, to program, for example, a replacement for a car key? Meaning not emulating (that requires the full communication) but just writing to a new blank HITAG the necessary info needed for it to be accepted to be programmed on the car?

Ok … I did check further and it would be pointless for cars …

This is …

Hitag2 have a unique serial number that can’t be replaced/cloned, and the car itself has info that needs to be placed on the Hitag chip, so the procedure is:

  • Read car stored info with car programmer (available on eBay for $100 or less).
  • Pre-code the Hitag2
  • Use car programmer to set serial number of Hitag on car…

Flipper wouldn’t be able to link/talk to the car, so it would be pointless, as one would still ALWAYS require a programmer to code the unique serial number of the transponder on the car …

BUT it’s another talk regarding the remote for doors lock/unlock … This should be perfectly possible for Flipper.

Hi mate,

Have you tried copying fob keys? Cuz I’m trying to copy my Paxton fob, using Hitag2.

I am really confused as I do not have enough knowledge about this stuff.


Car key fobs have 3 components by norm (older ones): the key itself (cut metal) that turns the cylinder, the “transponder” in the sense of Hitag2 (can be another transponder) that mainly deactivates the immobilizer and allows the car to start, and then the radio transponder to send the radio signal to open/close the car doors, etc … Radio has to be addressed with sub-GHz and HiTag as an RFID (but most likely Flipper will never be able to read/write on those).

I’ve been thinking about this for a while now. There is a project where someone uses a wire on a GPIO pin of a Raspberry Pi to transmit at 125 kHz (many other frequencies too). I don’t currently know if that is possible with the Flipper. I have used a Flipper to read the signals coming from a car trying to communicate with the remote during the keyless entry process, but that is as far as I’ve got so far. I haven’t been able to decode them. I’m moving towards an SDR with upconverter instead of the Flipper to get a better understanding of the signal. The car in question sends a signal to the remote when you touch the handle. For the test I kept the remote out of range because I’m only trying to examine the initial signal that wakes the remote.