Hormann HSP 4 BiSecur 868 MHz

Hi all!
I’m trying to replay a signal from a hand transmitter barrier gate opener.
Here is the technical data (no FCC ID, I’m in Europe):

The opener is probably using a fixed code, because it doesn’t have any BiSecur gateway.
Flipper doesn’t decode the signal, so I’ve tried to read a raw signal. I’ve tried all modulation settings, but none of them works when I replay the signal (see attached recordings).
868_fm476.sub (27.4 KB)
868_fm238.sub (76.6 KB)
868_am650.sub (172 Bytes)
868_am270.sub (414 Bytes)

Any idea what to try next? How to find the correct modulation if none of the predefined ones works?

@Oldfox Did you manage to make progress?
I’m interested as well.

Unfortunately not yet. I’ve purchased some other tools (HackRF), but I need to get an Ubuntu box for further analysis.

BiSecur uses AES encryption; without the key and the algorithm, nothing will work for you. You need the firmware from the remote control, and then you can try something.

Can you provide a longer capture for the AM modulations?

Anything new about this? I’m trying to capture / send Hörmann too, but no results :-/

The remote I’m trying to read is the Hörmann Hand Transmitter HSE1 868-BS.

Sorry for the late reply, been busy.
Ok, I’ll provide a longer AM capture and recordings from the HackRF later.

Here are mine captured with Flipper. Hope it helps.
Am270.sub (438 Bytes)
Am650.sub (196 Bytes)

Have a look here: https://tib.flowcenter.de/mfc/medialink/3/deb1359464e0b867ef1d0e0c18700c3516f1174e5066a73086af5e8c9374b7a741/34c3-9029-uncovering_vulnerabilities_in_hoermann_bisecur.pdf

This is an AES-128 encrypted FSK transmission, as @SkorP has accurately pointed out.
The SN (32 bit) is the main variable in the process, so brute-forcing would be time-consuming.

Link is broken. Here’s the right one:
Uncovering Vulnerabilities in Hoermann BiSecur

Even though the title of the paper reads “Uncovering Vulnerabilities…”, it is very unlikely that the Flipper will ever be able to replay/emulate/clone a Hörmann BiSecur remote. Although the paper shows that researchers were able to discover a weakness, it also says that the weakness has been mitigated by the manufacturer. Also, the researchers show that the BiSecur system is actually pretty elaborate in its principles.
I think that Hörmann BiSecur should be considered “dynamic” in the wording of the Flipper for now.

However, I would actually like to contribute what I can to make Hörmann BiSecur remote signals identify as such by the Flipper. I have access to a couple of Hörmann garage doors and remotes and I’d be more than happy to provide a number of raw captures. I am confident about the frequency selection, but unsure about the modulation. Can anyone advise?

P.S.: The non-BiSecur system of Hörmann gates and remotes on 868 MHz is already implemented (flipperzero-firmware/hormann.h at dev · flipperdevices/flipperzero-firmware · GitHub) and named “Hörmann HSM”, which I am not so sure is a correct/unique name (I am able to find Hörmann remotes with the name “HSM” that work in the other frequency ranges/systems, therefore I believe HSM is not the name of the system/protocol).
It’s a bit unusual, but Hörmann customers can actually identify their system by the color of the keys on the remote. In that schema, the above-mentioned non-secure Hörmann system on 868 MHz would be identified by the color blue, so maybe hormann.h etc. need to be renamed to hormann_blue.h.
I was not able to find documentation in English about the button color mapping (German manufacturer), but in German I have two resources. Luckily, thanks to pictures, they should be understandable in any language:

These remotes use FSK modulation with 25k bandwidth. See here for a detailed explanation: Raw replay of dynamic code doesn't work (Hormann BiSecure) - #9 by user890104