neo7530 / cuda_keeloq_brute

Cuda accelerated KeeLoQ Bruteforcer
MIT License

Questions - Manufacturer's code, "Secure Learning" #3

Open santomet opened 1 year ago

santomet commented 1 year ago

Hello, I have a few questions. In the first Issue you have mentioned two interesting things:

  1. That you might have some manufacturer's keys
  2. That you use this for cracking seed codes.

So my questions are:

  1. Do you have the manufacturer's key for the HCS200 with ID 00BD016?
  2. How exactly can seed codes help me if I utilize the Secure Learning function?

neo7530 commented 1 year ago

I might have some of them... 😉

There are usually 3 types of remotes. Some use the "normal learning" feature, where the device key depends only on the serial number of the HCS chip. They are easy to decrypt if you have the manufacturer key. Others use what we call simple learning: the manufacturer key is in every remote, so no extra key derivation is used. If you have that man-key, you can also decrypt all remotes. The secure learn feature used by some vendors uses the most "secure" feature set of these chips. You have to own the manufacturer key, the serial of the remote and a seed code. If you gain access to the man-key, you have to sniff at least 2 hopping codes. When you have them, you have to brute-force the seed code until the 2 decrypted hopping codes differ only by 1 in the counter.

Your last question... The manufacturer doesn't use fixed serial ranges, so idk if I have your specific man-key. I need the whole transmission to check.

I hope this helps...

santomet commented 1 year ago

Thanks for the answers! However, now I have even more questions if you don't mind :)

Now, more "help" would be helpful for the tool. I thought that you need to put three hops into the input and that the fourth parameter is probably a starting key. Then, in the output, it shows: [Possible key] [Decrypted HOP 1 from input] / [-||- HOP2] / [-||- HOP3] Counter: [?] So,

Then, I have one idea, maybe slightly naive: let's say that you have the binary of the firmware of the receiver. Does it make sense to write a tool that has a 64-bit window and moves it bit by bit through the binary, testing it as the man-key together with one full transmission?

Finally, the full transmission of the remote I got is as follows: raw bytes: CE68657E680BD004. As detected by rtl_433:

model     : Microchip-HCS200                       id        : 00BD016
Battery   : 0            Button    : 1             Learn mode: 0             Repeat    : 1             encrypted : 7EA61673

I also managed to get the seed by pressing all of the buttons, which is 63601FF4, if it helps in any way. Thanks
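Worked illustration of the two things discussed in this thread: the normal-learn and secure-learn key derivations with the two-hop "counters differ by 1" acceptance test that neo7530 describes, and santomet's idea of sliding a 64-bit window over a receiver firmware image and testing each window as a manufacturer key against one transmission. This is example code added here, not code from cuda_keeloq_brute or from either commenter. The KeeLoQ cipher, the HCS200 hop layout (4 button bits, 2 overflow bits, 10 discrimination bits, 16-bit counter) and the normal-learn derivation (Decrypt of 0x2|serial and 0x6|serial under the manufacturer key) are the public ones; the 32-bit-seed secure-learn derivation (low half = Decrypt(seed), high half = Decrypt(0x6|serial)) is an assumption taken from the HCS datasheet key-generation tables and must be confirmed for the actual part. The serial 00BD016, button 1 and seed 63601FF4 are the values reported in this issue; the manufacturer key 0x0123456789ABCDEF, the counters and the byte blob are made up for the demo, so nothing here derives the real remote's key.

```python
"""KeeLoQ learning schemes and candidate-key checks. Added illustration; not code from cuda_keeloq_brute."""

NLF = 0x3A5C742E          # public KeeLoQ non-linear function (32-entry truth table)
ROUNDS = 528
MASK32 = 0xFFFFFFFF
DISC_MASK = 0x3FF         # HCS200: 10 discrimination bits = low 10 bits of the serial

def _bit(x, n):
    return (x >> n) & 1

def keeloq_encrypt(block, key):
    """Standard KeeLoQ: 32-bit block, 64-bit key, 528 NLFSR rounds (what the remote does to a hop)."""
    x = block & MASK32
    for r in range(ROUNDS):
        sel = _bit(x, 1) | _bit(x, 9) << 1 | _bit(x, 20) << 2 | _bit(x, 26) << 3 | _bit(x, 31) << 4
        fb = _bit(NLF, sel) ^ _bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r & 63)
        x = (x >> 1) | (fb << 31)
    return x

def keeloq_decrypt(block, key):
    """Inverse of keeloq_encrypt; also the primitive the HCS key-generation tables call Decrypt()."""
    x = block & MASK32
    for r in range(ROUNDS):
        sel = _bit(x, 0) | _bit(x, 8) << 1 | _bit(x, 19) << 2 | _bit(x, 25) << 3 | _bit(x, 30) << 4
        fb = _bit(NLF, sel) ^ _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) & 63)
        x = ((x << 1) & MASK32) | fb
    return x

def hop_plain(button, counter, serial, ovr=0):
    """HCS200 hop plaintext: [4 button][2 OVR][10 DISC][16 sync counter]."""
    return (button & 0xF) << 28 | (ovr & 3) << 26 | (serial & DISC_MASK) << 16 | (counter & 0xFFFF)

def decode_hop(plain):
    return {"button": plain >> 28, "ovr": (plain >> 26) & 3,
            "disc": (plain >> 16) & DISC_MASK, "counter": plain & 0xFFFF}

def normal_learn_key(mkey, serial):
    """Microchip 'normal (decrypt) learn': both key halves come from the serial alone, which is
    why one leaked manufacturer key opens every remote of that family."""
    sn = serial & 0x0FFFFFFF
    return keeloq_decrypt(0x60000000 | sn, mkey) << 32 | keeloq_decrypt(0x20000000 | sn, mkey)

def secure_learn_key(mkey, serial, seed):
    """32-bit-seed secure learn. ASSUMPTION: low half = Decrypt(seed), high half = Decrypt(0x6|serial),
    per the 32-bit-seed row of the HCS datasheet tables; confirm for the actual part."""
    sn = serial & 0x0FFFFFFF
    return keeloq_decrypt(0x60000000 | sn, mkey) << 32 | keeloq_decrypt(seed & MASK32, mkey)

def key_fits_one_tx(key, hop, serial, button):
    """Single-transmission filter: DISC must equal the serial's low 10 bits and the button bits must
    match. Only 14 bits of evidence, so roughly 1 in 16k wrong keys still passes."""
    p = decode_hop(keeloq_decrypt(hop, key))
    return p["disc"] == (serial & DISC_MASK) and p["button"] == button

def two_hop_check(key, serial, hop1, hop2):
    """Acceptance test from the thread (two decrypted hops whose counters differ by exactly 1),
    with a DISC check added so a wrong key is rejected before the second decrypt."""
    p1 = decode_hop(keeloq_decrypt(hop1, key))
    if p1["disc"] != (serial & DISC_MASK):
        return False
    p2 = decode_hop(keeloq_decrypt(hop2, key))
    return p2["disc"] == p1["disc"] and (p2["counter"] - p1["counter"]) & 0xFFFF == 1

def brute_seed(mkey, serial, hop1, hop2, seeds):
    """Seed search for secure learn: derive a key per candidate seed, apply two_hop_check.
    The real space is 2^32 seeds (hence a GPU); `seeds` is any iterable so the demo stays small."""
    for seed in seeds:
        key = secure_learn_key(mkey, serial, seed)
        if two_hop_check(key, serial, hop1, hop2):
            return seed, key
    return None

def scan_blob_for_mkey(blob, serial, hop, button):
    """Bit-by-bit 64-bit window over a byte blob (the firmware idea above): each window, in both
    byte orders, is tried as a manufacturer key under normal learn against one transmission.
    Returns (bit_offset, candidate) hits; expect false positives, confirm with two_hop_check."""
    total = len(blob) * 8
    as_int = int.from_bytes(blob, "big")
    hits = []
    for off in range(total - 63):
        window = (as_int >> (total - 64 - off)) & 0xFFFFFFFFFFFFFFFF
        for cand in (window, int.from_bytes(window.to_bytes(8, "big"), "little")):
            if key_fits_one_tx(normal_learn_key(cand, serial), hop, serial, button):
                hits.append((off, cand))
    return hits

if __name__ == "__main__":
    # Constructed demo: serial, button and seed as reported in this issue; the manufacturer key,
    # counters and blob are made up, so the derived keys are not the real remote's.
    MKEY, SERIAL, SEED = 0x0123456789ABCDEF, 0x00BD016, 0x63601FF4
    key = secure_learn_key(MKEY, SERIAL, SEED)
    hop1 = keeloq_encrypt(hop_plain(1, 0x0100, SERIAL), key)
    hop2 = keeloq_encrypt(hop_plain(1, 0x0101, SERIAL), key)
    print("seed search:", brute_seed(MKEY, SERIAL, hop1, hop2, range(SEED - 4, SEED + 4)))
    blob = bytes(range(13)) + MKEY.to_bytes(8, "big") + bytes(range(11))
    hop_n = keeloq_encrypt(hop_plain(1, 7, SERIAL), normal_learn_key(MKEY, SERIAL))
    print("firmware scan:", scan_blob_for_mkey(blob, SERIAL, hop_n, 1))
```

Two practical points follow from the code. A single transmission only pins down 14 plaintext bits (button and DISC), so a firmware scan over a few megabytes of candidate windows will produce hundreds of keys that "fit" by chance; a second hop with a consecutive counter adds 16 more bits of confirmation and is what makes a hit credible, which is the reason neo7530 asks for at least two hopping codes. And the demo seed range is eight values where the real secure-learn search is 2^32 seeds, each costing two KeeLoQ decryptions for the derivation plus one or two for the hops; that is the workload the CUDA tool exists for.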