Open velzend opened 3 years ago
Dear Dennis,
thank you for your request and for the commendation.
Unfortunately, I did not have much time to investigate this further in the last weeks. However, I really would like to go into more details and further investigate this protocol.
I did not try a replay attack yet. Since they are using a rolling key algorithm, the remote must be out of range or in a Faraday cage to eavesdrop on the commands. This is already on my agenda :)
Feel free to investigate on your own. And if you find anything interesting, please let me know! Additionally, if you need help or have questions, feel free to contact me again.
Cheers!
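To make the rolling-key point above concrete, here is an added toy model of a rolling-code receiver (constructed for illustration, not the Somfy io-homecontrol implementation; its real frame format, key and counter handling are not described in this thread). It shows why a naively replayed frame is rejected, and why a captured frame also becomes useless once the remote has been used again.

```python
# Constructed model: a remote and receiver share a key; every press carries a
# monotonically increasing counter protected by a short MAC. The receiver only
# accepts counters strictly above the last accepted one, within a lookahead window.
import hmac
import hashlib

WINDOW = 16  # tolerance for presses the receiver never heard (out of range etc.)


def _tag(key: bytes, ctr: int, cmd: str) -> bytes:
    return hmac.new(key, f"{ctr}:{cmd}".encode(), hashlib.sha256).digest()[:4]


class Remote:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self, cmd: str) -> dict:
        self.counter += 1
        return {"ctr": self.counter, "cmd": cmd, "tag": _tag(self.key, self.counter, cmd)}


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def accept(self, frame: dict) -> bool:
        if not hmac.compare_digest(_tag(self.key, frame["ctr"], frame["cmd"]), frame["tag"]):
            return False  # wrong key or tampered frame
        if frame["ctr"] <= self.last or frame["ctr"] > self.last + WINDOW:
            return False  # replayed (stale counter) or implausibly far ahead
        self.last = frame["ctr"]  # counter is consumed; this frame can never be reused
        return True


def demo() -> tuple:
    key = b"constructed-demo-key"  # placeholder, not a real pairing key
    remote, blind = Remote(key), Receiver(key)
    f1 = remote.press("up")
    first = blind.accept(f1)   # True: fresh counter 1
    replay = blind.accept(f1)  # False: counter 1 already consumed
    f2 = remote.press("down")  # press made out of the blind's range: never delivered
    f3 = remote.press("up")
    fresh = blind.accept(f3)   # True: counter 3 is ahead but inside WINDOW
    stale = blind.accept(f2)   # False: counter 2 is now behind the receiver
    return first, replay, fresh, stale
```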
Hi,
Great work indeed, the blog post is awesome!
In about two weeks I will receive screens with the Somfy IO motor and I would like to make an attempt on capturing the packets when binding the remote and sending commands.
I do have an RTL-SDR (RTL2832U) dongle and installed GNU Radio. However, I'm struggling to get the project to work, e.g. GNU Radio complains about missing blocks. Could you give some steps to follow on how to get the project up and running?
Have a look at https://github.com/Velocet/iown-homecontrol. There are also Telegram and Discord channels, and some working POCs are available on other git repositories based on this work.
The code from the 2W example will soon be merged in a cleaner version into iown. For the moment you can link src, inc and include directories from the 2W repo into iown and go on from there.
If there are any questions feel free to leave a message in one of the chats or open a discussion. Happy to help 👍🏻
Thanks for sharing your reverse engineering article on the Somfy IO: https://www.google.com/amp/s/deralchemist.wordpress.com/2021/05/10/reverse-engineering-remote-controlled-somfy-blinds-part-1/amp/
I really enjoyed reading it... Did you already make some progress on the digital signal, as it is probably encrypted? Hopefully we can extract some more information, like the encryption method / standard shared key.
How does the payload look between the remote and device if you reset the remote and join the device again?
Did you achieve anything with a simple replay of the payload?