Hormann HSP 4 BiSecur 868 MHz

Sub-GHz
#1

Hi all!
I’m trying to reply a signal from hand transmitter barrier gate opener.
Here are the Technical data (no FCC ID, I’m in Europe):

Opener is probably using a fixed code, because it doesn’t have any BiSecur gateway.
Flipper doesn’t decode the signal, so I’ve tried to read a raw signal. I’ve tried all modulation settings, but none of them works when I reply the signal (see attached recordings).
868_fm476.sub (27.4 KB)
868_fm238.sub (76.6 KB)
868_am650.sub (172 Bytes)
868_am270.sub (414 Bytes)

Any idea what to try next? How to find the correct modulation if none of predefined works?

#2

@Oldfox Did you manage to make progress?
I’m interested as well.

#3

Unfortunately not yet. I’ve purchased some other tools (HackRF), but I need to get an Ubuntu box for further analysis.

#4

BiSecur uses AES encryption without a key and an algorithm, nothing will work for you, you need firmware from the remote control and then you can try something

#5

Can you provide a longer capture for the AM modulations?

#6

Anything new about this? I’m trying to capture / send Hormann too but no results :-/

Remote what I’m trying to read is Hörmann Hand Transmitter HSE1 868-BS

#7

Sorry for the late reply, been busy.
Ok, I’ll provide longer am capture and recordings from Hackrf later

#8

Here are mine captured with Flipper. Hope it helps.
Am270.sub (438 Bytes)
Am650.sub (196 Bytes)

#9

have a look here: https://tib.flowcenter.de/mfc/medialink/3/deb1359464e0b867ef1d0e0c18700c3516f1174e5066a73086af5e8c9374b7a741/34c3-9029-uncovering_vulnerabilities_in_hoermann_bisecur.pdf

this is an aes-128 encrypted fsk transmission as @SkorP has accurately pointed.
SN (32 bit) is the main variable in the process so the the brute-forcing would be time consuming.

#10

Link is broken. Here’s the right one:
Uncovering Vulnerabilities in Hoermann BiSecur

#11

Even though the title of the paper reads “Uncovering Vulnerabilities…”, it is very unlikely that the Flipper will ever be able to replay/emulate/clone a Hörmann BiSecur remote. Although the paper shows that researchers were able to discover a weakness, it also says that the weakness has been mitigated by the manufacturer. Also, the researchers show that the BiSecur system is actually pretty elaborate in it’s principles.
I think that Hörmann BiSecur should be considered “dynamic” in the wording of the Flipper for now.

However, I would actually like to contribute what I can to make Hörmann BiSecur Remote Signals identify as such by the Flipper. I have access to a couple of Hörmann Garage Doors and Remotes and I’d be more than happy to provide a number or raw captures, I am confident about the frequency selection, but unsure about the modulation. Can anyone advise ?

P.S.: The non-BiSecur System of Hörmann gates and remotes on 868MHz is already implemented (flipperzero-firmware/hormann.h at dev · flipperdevices/flipperzero-firmware · GitHub) and named “Hörmann HSM”, which I am not so sure that this a correct/unique name (I am able to find Hörmann remotes with the name “HSM” that work in the other frequency ranges/systems, therefore I believe HSM is not the name of the system/protocol).
It’s a bit unusual, but Hörmann customers can actually identify their system by the color of the keys on the remote. In that schema, the above mentioned non-secure Hörmann system on 868MHz would be identified by the color blue, maybe hormann.h etc. need to be renamed to hormann_blue.h.
I was not able to find documentation in english language about the button color mapping (german manufacturer), but in german, I have two resources. Luckily, thanks to pictures, they should be understandable in any language: