[Protocol Request] Hormann, fixed code, 868.35mhz


May i make the request for the following decoder to be added to the firmware:-

Hormann (Garage Doors / Gates etc.)

There is an existing decoder for this brand but it appears to be a newer specification.

This request is relating to the non rolling code 868.35mhz, for which there is a lot of support particularly in Europe.

Sufficient detail for the protocol can be found in this thread.

I will VOTE on this as well.

You can vote for a long time, but until there is a firmware dump, nothing can be done, you need an Aes 128 key from this system

@SkorP I think you are referring to Hormann BiSecur which uses AES encryption and the vulnerability documented here which is relevent for devices manufactured up to 2017?

Earlier Hormann units (Series 1) used an 868mhz fixed code arrangement which is what I am referring to in this request. They are older units but still commonly used.

The remotes use a 40 bit fixed code, i assume the first byte in the 5 byte code remains \x00 always.

Here is an excerpt from the Hormann manual referencing backward compatibility:

Screenshot from 2022-11-26 09-14-51

The procedure for generating a new code and then copying this to the motor’s reciever unit which can be found here is consistent with simply generating a new random code in the handset and then transferring this to the main receiver.

The steps below describe pressing a reset button inside the handset which generates a new fixed code:-

Screenshot from 2022-11-26 09-57-16

Screenshot from 2022-11-26 09-57-32

Following this, the code is learned by the main unit by pressing the program button, and then pressing the button on the remote. Nowhere here is there a learning or exchange of an encryption key as you see in the programming instructions for a BiSecur system.

Screenshot from 2022-11-26 10-01-51

Also most paperwork basically says the blue-button remotes are not BS remotes although I think newer HSE2 remotes can support both systems and the colour represents the frequency.

I did a few tests on an existing remote:

Button 1: XX XX XX 46 01 C0
Button 2: XX XX XX 46 08 C0

I redacted the first 3 bytes although they were the same for both buttons. Using the internal reset button on button 2 reset the code to:

Button 2: 00 DF 39 06 08 C0

In every test I have conducted the first byte remains \x00 and the last remains \xC0.

This is the .sub file for the reset button 2. (37.7 KB)

I derived the 5 bytes using the pulse plotter and manually selecting PWM, Short=512, Long=1024, Sync=12323, Gap=0.

@sedje provided this python script which comes to the same result.


My .sub files from hse4

Lipovaya Garage Right.sub (6.7 KB)
Lipovaya Garage Left.sub (6.3 KB)
Lipovaya Gate.sub (6.7 KB)

@NetHorror Thanks, they parse too and also have \x00 at the start and \xC0 at the end. Do you know the model of your door motor and how old it is?

made around 2004

This post refers to a code grabber which has out of the box support for this garage door controller.

Hopefully they can get all of those to flipper zero too.

I beg you to check. and I need 2+ more entries from these key fobs (DIFFERENT) I think they always transfer from 8 units, I need to check this and set it as a pattern

Here are the 3 different sub files I have from the fixed code remotes:

T2.sub (37.7 KB)

HORMANN.sub (63.3 KB)

garage.sub (15.5 KB)

I already checked them out. protocol added to DEV. you can check if it works or not

Decoded as shown using the latest dev branch. This is a different hex to the one I worked it out to be but the likelihood is I am wrong.

Will check if the code can be sent to the door controller later today and update.

Cool !!! Nice work !

Seems to be working as expected @SkorP, great work putting this feature in to the firmware. Thanks :ok_hand:t3:


