[Protocol Request] Hormann, fixed code, 868.35mhz

Hi,

May i make the request for the following decoder to be added to the firmware:-

Hormann (Garage Doors / Gates etc.)

There is an existing decoder for this brand but it appears to be a newer specification.

This request is relating to the non rolling code 868.35mhz, for which there is a lot of support particularly in Europe.

Sufficient detail for the protocol can be found in this thread.

All the best,

cab.

I will VOTE on this as well.

1 Like

You can vote for a long time, but until there is a firmware dump, nothing can be done, you need an Aes 128 key from this system

@SkorP I think you are referring to Hormann BiSecur which uses AES encryption and the vulnerability documented here which is relevent for devices manufactured up to 2017?

Earlier Hormann units (Series 1) used an 868mhz fixed code arrangement which is what I am referring to in this request. They are older units but still commonly used.

The remotes use a 40 bit fixed code, i assume the first byte in the 5 byte code remains \x00 always.

Here is an excerpt from the Hormann manual referencing backward compatibility:

Screenshot from 2022-11-26 09-14-51

The procedure for generating a new code and then copying this to the motor’s reciever unit which can be found here is consistent with simply generating a new random code in the handset and then transferring this to the main receiver.

The steps below describe pressing a reset button inside the handset which generates a new fixed code:-

Screenshot from 2022-11-26 09-57-16

Screenshot from 2022-11-26 09-57-32

Following this, the code is learned by the main unit by pressing the program button, and then pressing the button on the remote. Nowhere here is there a learning or exchange of an encryption key as you see in the programming instructions for a BiSecur system.

Screenshot from 2022-11-26 10-01-51

Also most paperwork basically says the blue-button remotes are not BS remotes although I think newer HSE2 remotes can support both systems and the colour represents the frequency.

I did a few tests on an existing remote:

Button 1: XX XX XX 46 01 C0
Button 2: XX XX XX 46 08 C0

I redacted the first 3 bytes although they were the same for both buttons. Using the internal reset button on button 2 reset the code to:

Button 2: 00 DF 39 06 08 C0

In every test I have conducted the first byte remains \x00 and the last remains \xC0.

This is the .sub file for the reset button 2. (37.7 KB)

I derived the 5 bytes using the pulse plotter and manually selecting PWM, Short=512, Long=1024, Sync=12323, Gap=0.

@sedje provided this python script which comes to the same result.

cab.

1 Like

My .sub files from hse4

Lipovaya Garage Right.sub (6.7 KB)
Lipovaya Garage Left.sub (6.3 KB)
Lipovaya Gate.sub (6.7 KB)

@NetHorror Thanks, they parse too and also have \x00 at the start and \xC0 at the end. Do you know the model of your door motor and how old it is?

made around 2004






This post refers to a code grabber which has out of the box support for this garage door controller.

Hopefully they can get all of those to flipper zero too.

I beg you to check. and I need 2+ more entries from these key fobs (DIFFERENT) I think they always transfer from 8 units, I need to check this and set it as a pattern

Here are the 3 different sub files I have from the fixed code remotes:

T2.sub (37.7 KB)

HORMANN.sub (63.3 KB)

garage.sub (15.5 KB)

I already checked them out. protocol added to DEV. you can check if it works or not

1 Like

Decoded as shown using the latest dev branch. This is a different hex to the one I worked it out to be but the likelihood is I am wrong.

Will check if the code can be sent to the door controller later today and update.

Cool !!! Nice work !

Seems to be working as expected @SkorP, great work putting this feature in to the firmware. Thanks :ok_hand:t3:

Hi

I got a ProMatic4 Hormann garagedoor. I tried the .sub files here but nothing worked.

I got the flipper for a week now and dont know exactly how this all works. The story is i lost my garage key a year ago, when i want to open the garage for my car i need to step inside and open it. Is there a way i can do it with the flipper this would be awesome.

Hola, yo tambien tengo el flipper desde hace dos dias, e subido los ficheros y tampoco funciona pero, tengo los mandos para poder abrir y cerrar, lo que yo me pregunto en tu caso es, como quieres escanear tu llave si al parecer no tienes ninguna?, por que aunque encuentres aqui los archivos, como en mi caso, dudo que puedan abrir la puerta si no escaneas y consigues clonar la llave no?

Hi,

The best solution is to buy a new remote from the internet they are cheap. Then use the instruction manual which is also on the internet to teach your garage door motor the new code this is not difficult.

As you have access to the garage there isn’t any need to try and hack the code. I think the sub files you will find ion this forum are for specific individual doors and will not match the code for your door there are hundreds of thousands of variations.

Good luck.

Gracias, lo bueno es que nadie a parte de yo podra abrirme la puerta :smile: