How to sniff Hitag2 communications with an RFIDler
If you want to understand and possibly decode the communications between a Hitag2 reader and a tag, the RFIDler is probably the best device to use. Below are instructions for sniffing a Hitag2 reader with the tag in password mode, but the code used was actually written by Kevin Sheldrake with sniffing in crypto mode in mind.
First off, you need to connect to your RFIDler and make sure it is in Hitag2 mode.
>set TAG hitag2
OK
Next, make sure your reader is powered on and the antenna coil is in a good position between the reader and the tag, but don't introduce the tag yet.
Now you can put your RFIDler into sniffing mode. The command to use here is SNIFF-PWM. You should start to see commands fly past in the terminal.
HITAG2> SNIFF-PWM
Waiting for PWM (hit any key to abort/report)...
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
11000, START_AUTH
The first thing you will hopefully see is a lot of 11000 START_AUTH requests. There may also be some invalid commands; these are probably related to other protocols. But no fear: each START_AUTH resets the whole process.
You can now introduce your tag to the reader and, if it is in password mode, see the rest of the communication.
11000, START_AUTH
10111101111101011111100011000110, PWD:BDF5E846
1110000011, READ_PAGE:4
1110100010, READ_PAGE:5
1111000001, READ_PAGE:6
1111100010, READ_PAGE:7
11000, START_AUTH
And there it is: the password BDF5E846, helpfully labeled PWD. You can also see the reader then ask the tag for the other pages of data, followed by another START_AUTH command.
I have only ever managed to see the commands sent from the reader to the tag, but luckily this is all you need.
If you want to see a live demo of the same code and method being used to sniff a Hitag2 tag in crypto mode, watch the code's author demo it here
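To make sense of a longer SNIFF-PWM capture than the one above, it helps to parse the output into authentication sessions and to cross-check every reader command against the redundancy the protocol gives you. The script below is an added example, not code from this post or from the RFIDler firmware. It assumes the Hitag2 command encoding as I read it from the HT2 datasheet: START_AUTH is the 5-bit code 11000, a page command is a 5-bit code (two opcode bits, three page bits) followed by the bitwise complement of that code, and in password mode the 32-bit password is sent as plain bits. Run over the capture above, it flags the page-7 command (its trailer 00010 is not the complement of 11111) and reports that a straight binary-to-hex reading of the printed password bits gives BDF5F8C6 rather than the BDF5E846 the RFIDler labelled it with; the RFIDler's own decoder may map the bits differently, and the point is simply that a value sniffed from the air should be cross-checked before you rely on it.

```python
#!/usr/bin/env python3
"""Parse RFIDler SNIFF-PWM output for Hitag2 and cross-check each reader
command against the Hitag2 command encoding.

Assumed encoding (my reading of the HT2 datasheet, not taken from the post):
  - START_AUTH is the 5-bit code 11000
  - a page command is 10 bits: a 5-bit code 'cc ppp' (cc = opcode,
    ppp = page number) followed by the bitwise complement of that code
  - in password mode the reader sends the 32-bit password as plain bits
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAGE_OPCODES = {"11": "READ_PAGE", "01": "READ_PAGE_INVERTED",
                "10": "WRITE_PAGE", "00": "HALT"}

# Capture copied from the SNIFF-PWM session in the post (reader-to-tag only).
CAPTURE = """
11000, START_AUTH
10111101111101011111100011000110, PWD:BDF5E846
1110000011, READ_PAGE:4
1110100010, READ_PAGE:5
1111000001, READ_PAGE:6
1111100010, READ_PAGE:7
11000, START_AUTH
"""


@dataclass
class Session:
    """Commands seen between two consecutive START_AUTH commands."""
    password: Optional[str] = None      # hex, as decoded here from the raw bits
    pages: List[int] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def decode_bits(bits: str) -> Tuple[str, Optional[str]]:
    """Decode one reader command; return (label, integrity warning or None)."""
    if bits == "11000":
        return "START_AUTH", None
    if len(bits) == 32:
        return "PWD:%08X" % int(bits, 2), None   # no redundancy to check here
    if len(bits) == 10:
        code, tail = bits[:5], bits[5:]
        label = "%s:%d" % (PAGE_OPCODES[code[:2]], int(code[2:], 2))
        expected = code.translate(str.maketrans("01", "10"))
        if tail != expected:
            return label, "%s: trailer %s is not the complement of %s" % (bits, tail, code)
        return label, None
    return "INVALID", "%s: unexpected length %d" % (bits, len(bits))


def parse_sniff(text: str) -> List[Session]:
    """Group the sniffed commands into authentication sessions."""
    sessions: List[Session] = []
    for line in text.splitlines():
        if "," not in line:
            continue                      # prompt / banner text
        bits, printed = (p.strip() for p in line.split(",", 1))
        if not bits or set(bits) - {"0", "1"}:
            continue                      # not a bit string
        label, warning = decode_bits(bits)
        if label == "START_AUTH":         # every START_AUTH resets the exchange
            sessions.append(Session())
            continue
        if not sessions:
            sessions.append(Session())    # commands seen before any START_AUTH
        session = sessions[-1]
        if warning:
            session.warnings.append(warning)
        if label != printed:              # our decode disagrees with the RFIDler's label
            session.warnings.append("%s: RFIDler printed %s, decoded %s" % (bits, printed, label))
        if label.startswith("PWD:"):
            session.password = label[4:]
        elif label.startswith("READ_PAGE:"):
            session.pages.append(int(label.split(":")[1]))
    return sessions


if __name__ == "__main__":
    for n, s in enumerate(parse_sniff(CAPTURE), 1):
        print("session %d: password=%s pages=%s" % (n, s.password, s.pages))
        for w in s.warnings:
            print("  warning:", w)
```

Paste a longer terminal capture into CAPTURE (or read it from a file) and each START_AUTH opens a new session, so a reader that retries several times before the tag answers shows up as a string of empty sessions followed by the one that carried the password and the page reads.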