Hormann B460 FU Garage Gate

ddlencemc · July 25, 2022, 4:24pm

Hi guys,
I have an access to the Hormann B460 FU Garage Gate.
Key fob characteristics is 868MHz/FSK (DTM868Mhz), rolling code has 104 bit.
Playing RAW doesn’t affected to the garage gate.
Is it possible to implement catching signal via Read function and emulate?

Thanks
Hormann_B460FU_open_pressbt_10x.sub (917 Bytes)
Hormann_B460FU_open_pressbt_long.sub (3.8 KB)

Frisch12 · July 25, 2022, 6:44pm

Hey ddlencemc and Flipper Zero Team,

Some more information. I have the same “problem”. However the code is not a rolling code but a AES encrypted message in the Hormann own protocol BiSecur. There were a vulnerability, however this was fixed in 2017 (here is the 34C3 paper for that https://av.tib.eu/media/34843).
Maybe this information is helpful to create at least a clone app wich can be used to train the flipper zero to the Hormann gate.

Thanks

ddlencemc · July 25, 2022, 7:41pm

Thanks for additional information. I’ve checked of box from key fob, and here is mentioned that key fob has rolling code 104bit. I’m not sure if it using AES, but it might be, because my key fob made in Poland (dtm.pl) and they can apply what they want.

Thanks

anthrax · July 28, 2022, 10:09am

Hormann Garage Doors are interesting for me too. I had also no success with recording raw and replay. In a other thread someone mentioned to press the opener for long time to get the transfer signal between two new remotes.

mathewmeconry · July 28, 2022, 11:26am

Yep I managed to capture the transfer with the normal “Read” function but then the Flipper crashes when I try to send the signal.
I guess we need to write our own implementation to get it running

anthrax · July 28, 2022, 3:08pm

I think the caputured signal will not open the garagedoor, but it might help to get the key for your particular garage out of it.

ddlencemc · July 28, 2022, 4:13pm

It’s true. I can’t open garage door with the captured RAW signal.

Frisch12 · August 1, 2022, 8:57am

If we are able to get the key or implement a “new” remote, that can be trained to the opener, that would be nice. However the protocol that Hoermann ist using is proprietary and closed source. Furthermore it is (most likely) AES encrypted. Also the key transfer is some kind of encrypted as far as I understand from some research papers.
So maybe we need someone who has the ability to get into the microcontroller on the remote and dump the firmware to get some more knowledge about it.