Raw replay of dynamic code doesn't work (Hormann BiSecure)

Hi everyone,

I’m playing with FZ and Hoermann BiSecure garage opener.

BiSecure is a dynamic code, which uses a simple counter (that goes up with every key press) which is “AES encrypted” with per-fob key. Communication is one-way, fob-to-the-controller. The controller remembers each fob’s last-used counter value, thus preventing replay attacks. A fairly simple system.

A good description of the arch is here - 34C3 - Uncovering vulnerabilities in Hoermann BiSecur - YouTube

Given the above I still expected to be able to take the fob out of sight of the controller, record fob’s transmission and then play it back to the controller from FZ. In theory this should just work. In practice it doesn’t. The freq is 868.303, 2-FSK @ 472.

Any ideas in which direction to dig?

Thanks

My best guess would be wrong modulation - Flipper has two different FSKs and it’s possible neither of them is the right one. Can you see the signal when doing Read? Does RSSI in raw mode change during the button press?

Thanks for a quick reply.

it’s possible neither of them is the right one

That was my guess too, but

I don’t have an SDR, but if I look at the waterfall plot around 7:00 mark in that 34C3 video, the freq deviation seems to be between 4300 and 4900 Hz – I literally just measured the pixel distance between two bright peaks on bright horizontal lines and divided the pixel distance between 0.000 and 1.000 marks on the axis.

(edit) … though on a second thought I’m no longer sure my math is correct.

Can you see the signal when doing Read?

Read records nothing. If the Bin_RAW option is enabled, it would record between 1 and 3 blobs depending on the try, very inconsistently.

Does RSSI in raw mode change during the button press?

Yes, it does. The graph looks like this ___|__|__|___. The resulting .sub is about 7KB or around 2000 values.

If you are correct, then my guess is right too. Because

  • FM238 — frequency modulation with the bandwidth of 270 kHz and the deviation of 2.380371 kHz.
  • FM476 — frequency modulation with the bandwidth of 270 kHz and the deviation of 47.60742 kHz.

none of them are 4-5 kHz. But your Flipper detects the transmission…

Here is their whitepaper. Look there for the details, rather than guessing from the video.


Quick question - is there a tool to create CC1101 initialization sequences for custom profiles? Or do I have to do it the hard way and read the spec? :slight_smile:

That is, what do people commonly use to generate profiles like the one here?

Something interesting for that direction is linked from the CC1101 datasheet. There is certainly a tool to create the configuration registers from signal and board parameters.

Yeah, installed it already :slight_smile: Thanks!

An alternative and faster option is to just tweak either of the built-ins and go from there.


For HSE4-868-BS, the following work well for me:
Frequency: 868.276 MHz
Modulation: 2FSK with 25k bandwidth

If you have a firmware that supports custom frequencies/modulations, add the following to subghz/assets/settings_user:

Frequency: 868276000
Custom_preset_name: FM25k
Custom_preset_module: CC1101
Custom_preset_data: 02 0D 0B 06 08 32 07 04 14 00 13 02 12 04 11 83 10 67 15 40 18 18 19 16 1D 91 1C 00 1B 07 20 FB 22 10 21 56 00 00 C0 00 00 00 00 00 00 00

Then go to Read RAW, select the 868.276 frequency and the FM25k modulation. Make sure the garage door receiver does not hear the transmission (even if you have a wall switch with the option to disable remote control, the motor still hears the packet and the code is invalidated) by going far away or turning the motor's power off, and record a couple of presses. You can then come close to the motor (or plug it in), and use the codes in the order of recording.
If you want to see the decoded data, you can build a firmware that includes this code:

@user890104 - Good stuff. Back when I looked at this, I managed to narrow it down to 868.300 MHz, but then ran into some replay issues with Flipper - Raw recording playback is way off the mark. Have you seen these replay artifacts in your tests?

No, I haven’t. I tested the replayed signal with a GNU flow diagram, it decoded fine and then tested with the garage motor itself. Haven’t analyzed the signal from the flipper, as it seems to pass both tests.

Hey @user890104 I just checked it with the latest update of RM and there’s no FM25k there, but it decodes it successfully with FM95, is that expected? Using HSE4-868-BS.

For me the decoder works on FM236, FM15k, Honda1, Honda 2, and of course the custom FM25k. Although the decoder works, it may have issues sending the decoded packet, as the garage door receiver expects a different bandwidth. And raw replaying works only on FM25k.
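The FM25k preset posted above, and the last post's point that a preset whose decoder works on receive can still be the wrong one for transmit, both come down to what the CC1101 register pairs actually configure. The script below is an added example, not code from the thread or from the Flipper firmware: it splits a `Custom_preset_data` line into its (register, value) pairs and PA table and derives the modulation format, RX filter bandwidth, data rate and frequency deviation using the CC1101 datasheet formulas with the 26 MHz crystal the Flipper uses. The register addresses and bit layouts are my reading of the datasheet; the preset string is the one from the thread. Run against that preset it reports 2-FSK, a 270.8 kHz RX filter, about 4.8 kBaud and a 25.39 kHz deviation, so "FM25k" names the deviation, not the filter bandwidth, and a built-in preset that differs only in the DEVIATN register (0x04 and 0x47 are the values I assume for the 2.380371 kHz and 47.60742 kHz presets quoted earlier) receives fine but transmits with a deviation the motor's receiver is not expecting.

```python
"""Decode a Flipper Zero `Custom_preset_data` line into CC1101 radio parameters.

Added example (not the thread's or the Flipper project's code). Formulas are
the CC1101 datasheet ones with f_xosc = 26 MHz; register addresses and bit
fields are my reading of the datasheet.
"""

F_XOSC = 26_000_000  # CC1101 crystal frequency in Hz (Flipper Zero uses 26 MHz)

# CC1101 configuration register addresses used below (datasheet section "Configuration Registers")
IOCFG0, PKTCTRL0 = 0x02, 0x08
MDMCFG4, MDMCFG3, MDMCFG2, DEVIATN = 0x10, 0x11, 0x12, 0x15

# MDMCFG2.MOD_FORMAT (bits 6:4) -> modulation name
MOD_FORMAT_NAMES = {0: "2-FSK", 1: "GFSK", 3: "ASK/OOK", 4: "4-FSK", 7: "MSK"}

# The FM25k preset exactly as posted in the thread
FM25K_PRESET = (
    "02 0D 0B 06 08 32 07 04 14 00 13 02 12 04 11 83 10 67 15 40 18 18 19 16 "
    "1D 91 1C 00 1B 07 20 FB 22 10 21 56 00 00 C0 00 00 00 00 00 00 00"
)


def parse_preset(hex_string):
    """Split a preset into ({register: value}, pa_table).

    Flipper stores (address, value) pairs terminated by a 00 00 pair,
    followed by the 8-byte PA_TABLE.
    """
    data = bytes.fromhex(hex_string.replace(" ", ""))
    regs = {}
    i = 0
    terminated = False
    while i + 1 < len(data):
        addr, val = data[i], data[i + 1]
        i += 2
        if addr == 0 and val == 0:
            terminated = True
            break
        regs[addr] = val
    if not terminated:
        raise ValueError("preset has no 00 00 terminator")
    pa_table = data[i:i + 8]
    if len(pa_table) != 8:
        raise ValueError("PA table must be exactly 8 bytes")
    return regs, pa_table


def modulation_format(mdmcfg2):
    return MOD_FORMAT_NAMES.get((mdmcfg2 >> 4) & 0x7, "reserved")


def rx_bandwidth_hz(mdmcfg4):
    # BW = f_xosc / (8 * (4 + CHANBW_M) * 2^CHANBW_E); CHANBW_E = bits 7:6, CHANBW_M = bits 5:4
    chanbw_e = (mdmcfg4 >> 6) & 0x3
    chanbw_m = (mdmcfg4 >> 4) & 0x3
    return F_XOSC / (8 * (4 + chanbw_m) * 2 ** chanbw_e)


def data_rate_baud(mdmcfg4, mdmcfg3):
    # R = (256 + DRATE_M) * 2^DRATE_E * f_xosc / 2^28; DRATE_E = MDMCFG4 bits 3:0, DRATE_M = MDMCFG3
    drate_e = mdmcfg4 & 0xF
    return (256 + mdmcfg3) * 2 ** drate_e * F_XOSC / 2 ** 28


def deviation_hz(deviatn):
    # f_dev = f_xosc / 2^17 * (8 + DEVIATION_M) * 2^DEVIATION_E; E = bits 6:4, M = bits 2:0
    dev_e = (deviatn >> 4) & 0x7
    dev_m = deviatn & 0x7
    return F_XOSC / 2 ** 17 * (8 + dev_m) * 2 ** dev_e


def describe_preset(hex_string):
    """Summarise the radio parameters a preset configures."""
    regs, pa_table = parse_preset(hex_string)
    return {
        "modulation": modulation_format(regs[MDMCFG2]),
        "rx_bandwidth_hz": rx_bandwidth_hz(regs[MDMCFG4]),
        "data_rate_baud": data_rate_baud(regs[MDMCFG4], regs[MDMCFG3]),
        "deviation_hz": deviation_hz(regs[DEVIATN]),
        # Raw capture needs GD0 as serial data (IOCFG0 = 0x0D) and PKTCTRL0.PKT_FORMAT = 11 (async serial)
        "async_serial": regs.get(IOCFG0) == 0x0D and (regs.get(PKTCTRL0, 0) & 0x30) == 0x30,
        "pa_table": pa_table.hex(" "),
    }


if __name__ == "__main__":
    for name, value in describe_preset(FM25K_PRESET).items():
        print(f"{name:>16}: {value}")
```

The same functions give 2380.37 Hz for DEVIATN = 0x04 and 47607.42 Hz for 0x47, matching the FM238 and FM476 figures quoted in the thread, which is a quick way to sanity-check a hand-edited preset before recording with it.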