diff --git a/armsrc/hitagS.c b/armsrc/hitagS.c
index 3e1d39720..ea38f395a 100644
--- a/armsrc/hitagS.c
+++ b/armsrc/hitagS.c
@@ -34,6 +34,7 @@
 #include "crc.h"
 #include "protocols.h"
 #include "hitag.h"
+#include "appmain.h" // tearoff_hook()
 #define CRC_PRESET 0xFF
 #define CRC_POLYNOM 0x1D
@@ -55,6 +56,7 @@ static struct hitagS_tag tag = {
 };
 static uint8_t page_to_be_written = 0;
 static int block_data_left = 0;
+static bool enable_page_tearoff = false;
 typedef enum modulation {
 AC2K = 0,
@@ -957,7 +959,7 @@ static void hts_receive_frame(uint8_t *rx, size_t sizeofrx, size_t *rxlen, uint3
 DBG Dbhexdump(ra_i, edges, false);
 }
-static void hts_send_receive(const uint8_t *tx, size_t txlen, uint8_t *rx, size_t sizeofrx, size_t *prxbits, int t_wait, bool ledcontrol, bool ac_seq) {
+static int hts_send_receive(const uint8_t *tx, size_t txlen, uint8_t *rx, size_t sizeofrx, size_t *prxbits, int t_wait, bool ledcontrol, bool ac_seq) {
 LogTraceBits(tx, txlen, HITAG_T_WAIT_SC, HITAG_T_WAIT_SC, true);
@@ -975,6 +977,10 @@ static void hts_send_receive(const uint8_t *tx, size_t txlen, uint8_t *rx, size_
 // Transmit the reader frame
 hitag_reader_send_frame(tx, txlen, ledcontrol);
+ if (enable_page_tearoff && tearoff_hook() == PM3_ETEAROFF) {
+ return PM3_ETEAROFF;
+ }
+
 // Enable and reset external trigger in timer for capturing future frames
 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
@@ -1046,6 +1052,8 @@ static void hts_send_receive(const uint8_t *tx, size_t txlen, uint8_t *rx, size_
 LogTraceBits(rx, k, resptime, resptime, false);
 }
 *prxbits = k;
+
+ return PM3_SUCCESS;
 }
 static int hts_select_tag(const lf_hitag_data_t *packet, uint8_t *tx, size_t sizeoftx, uint8_t *rx, size_t sizeofrx, int t_wait, bool ledcontrol) {
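Review bot: The early return added right after `hitag_reader_send_frame()` leaves `*prxbits` untouched, so on a tear-off the caller's `rxlen` keeps whatever value it held before the call; the only assignment to `*prxbits` is the `*prxbits = k;` at the end of the function in the following hunk. Writing `*prxbits = 0;` immediately before `return PM3_ETEAROFF;` gives every caller a defined length whether or not it inspects the new return code. The existing callers that still ignore the return value are only unaffected while `enable_page_tearoff` is false when they run, and this hunk does not show where that flag is cleared, so that should be confirmed together with the `hts_write_page` change. hts_send_receive's body starts and ends outside this hunk.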
@@ -1402,7 +1410,13 @@ void hts_write_page(const lf_hitag_data_t *payload, bool ledcontrol) {
 crc = CRC8Hitag1Bits(tx, txlen);
 txlen = concatbits(tx, txlen, &crc, 0, 8);
- hts_send_receive(tx, txlen, rx, ARRAYLEN(rx), &rxlen, HITAG_T_WAIT_SC, ledcontrol, false);
+ enable_page_tearoff = g_tearoff_enabled;
+
+ if (hts_send_receive(tx, txlen, rx, ARRAYLEN(rx), &rxlen, HITAG_T_WAIT_SC, ledcontrol, false) == PM3_ETEAROFF) {
+ res = PM3_ETEAROFF;
+ enable_page_tearoff = false;
+ goto write_end;
+ }
 if ((rxlen != 2) || (rx[0] >> (8 - 2) != 0x01)) {
 res = PM3_ESOFT; // write failed
diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md
index a22dde7c0..8f4f38593 100644
--- a/doc/magic_cards_notes.md
+++ b/doc/magic_cards_notes.md
@@ -205,6 +205,13 @@ This is an "improved" variant of ID82xx chips, bypassing some magic detection in
 * Chip is likely a cut down version of Hitag S2048 clone, Characteristics looks exacly same with [8268](#id-f8268) when set CON1 AUT bit
 * No password protection
+* tearoff time
+ * The OTP bits do not appear to be erased first. Write done time is less than 735µs
+ * nochange 0-735µs
+ * bit flip 735-740µs
+ * wiped 740-3250µs
+ * bit flip 3250-3350µs
+ * write done 3350µs+
 * page 1 default: `CA 24 00 00`
 * CON0 RES0 enable some extended TTFM
 * TTFM 01: page 4, page 5, page 6
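Review bot: `enable_page_tearoff` is cleared only inside the `== PM3_ETEAROFF` branch after the `hts_send_receive()` call, so when `g_tearoff_enabled` is set but the hook reports anything else the flag stays true for every later `hts_send_receive()` call in the file, including calls from sites that ignore the new return code. Resetting the flag unconditionally right after the call keeps the tear-off window scoped to this single write frame; the rewrite below captures the result first so the reset happens on both paths. `res` and the `write_end` label are declared outside the hunk, and hts_write_page's body continues past it.
```c
    enable_page_tearoff = g_tearoff_enabled;

    int send_res = hts_send_receive(tx, txlen, rx, ARRAYLEN(rx), &rxlen, HITAG_T_WAIT_SC, ledcontrol, false);

    // Arm tear-off for this one frame only, whatever the hook reported.
    enable_page_tearoff = false;

    if (send_res == PM3_ETEAROFF) {
        res = PM3_ETEAROFF;
        goto write_end;
    }

    // … unchanged: rxlen / ack check …
```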