HomeMatic AES Encryption

Over the last few days I have tried to find out how the AES handshake of HomeMatic devices is performed. Sadly, I'm nowhere near finding out.

First of all, a dump of the pairing process between the LAN configuration tool and an HM-LC-Sw1-FM:

Timestamp     Packet
1368178852904 1A0184001F454D0000001900044B45513030323236393510010100
1368178853236 1001A0011C69431F454D00050000000000
1368178853356 0A0180021F454D1C694300
1368178853639 1302A0011C69431F454D000802810A1C0B690C43
1368178853756 0A0280021F454D1C694300
1368178854032 0B03A0011C69431F454D0006
1368178854156 0A0380021F454D1C694300
1368178854453 1904A0041C69431F454D02C4887BDBA42B1400E9AD0C089DDF78
1368178854571 1104A0021F454D1C6943048C9E59C615FD00
1368178854708 1904A0031C69431F454D2C33B1A6DED3B7191ECB484904042979
1368178854824 0E0480021F454D1C6943006F876A4B
1368178855120 1905A0041C69431F454DBFD7BE2E30FCCD4DA28A16F8F0C43B92
1368178855238 1105A0021F454D1C6943042163637E9ED000
1368178855374 1905A0031C69431F454DF07EC9E3A6C76E7D7E5E08A998837F88
1368178855490 0E0580021F454D1C694300D3E531B3
1368178855769 1006A0011C69431F454D00040000000000
1368178855969 1006A0011C69431F454D00040000000000
1368178856099 1606A0101F454D1C6943030281000000000000001C6943
1368178856219 0A0680021C69431F454D00
1368178856346 0C07A0101F454D1C6943030000
1368178856468 0A0780021C69431F454D00
1368178856743 1010A0011C69431F454D01040000000001
1368178856865 0C10A0101F454D1C6943030800
1368178856991 0A1080021C69431F454D00
1368178857119 0C11A0101F454D1C6943030000
1368178857240 0A1180021C69431F454D00
1368178857510 0B1AA0011C69431F454D0103
1368178857642 121AA0101F454D1C6943011F454D0100000000
1368178857763 0A1A80021C69431F454D00
1368178858037 1023A0011C69431F454D01041F454D0103
1368178858168 1623A0101F454D1C694303020000326400FF00FF011463
1368178858285 0A2380021C69431F454D00
1368178858422 1624A0101F454D1C694303820000326400FF00FF211463
1368178858535 0A2480021C69431F454D00
1368178858661 0C25A0101F454D1C6943030000
1368178858783 0A2580021C69431F454D00

And a dump of two handshakes with the same message counter:

1368023994442 0E41A0111C69431F454D0201000000
1368023994570 1141A0021F454D1C6943044D56B7E2609702
1368023994707 1941A0031C69431F454D1F9954768C770D808D9E5CE0B95EC88E
1368023994826 124180021F454D1C6943010100004B1A0F2BE8
1368024726230 0E41A0111C69431F454D0201000000
1368024726358 1141A0021F454D1C694304009B027C618B02
1368024726494 1941A0031C69431F454D297271BA643C69E76DD05893E339DDAA
1368024726613 124180021F454D1C69430101000048612E66B6

I assumed the “A002” packet is the transmission of a challenge from the switch to the central, which the central then encrypts. So I faked a response looking like “11XXA0021F454D1C69430400000000000002” with the hypothesis that the “A003” packet might now always look the same, at least for the same message counter. But sadly no. Here are five packets with the same message counter sent in response to my constructed packet:

194FA0031C69431F454D A9526AE1310C1EE04AD4621290BDECE8
194FA0031C69431F454D 63BAE81879980E644C612079A23BFA09
194FA0031C69431F454D 98D259D33C6BB56A55FDF662DCA419B7
194FA0031C69431F454D AC53E17504BE22219A5FF00051DCF142
194FA0031C69431F454D 035C86768374B6944DE41963ECE15E3B

The central seems to create a second challenge, which is encrypted in the response, too. I tried a lot of other things to find out how the handshake is encrypted. None of them got me any further in understanding it. If you by chance are a cryptography expert and can help me with this, I would be very happy ;).
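As an added example (not code from the post), here is a small parser for the dump format above. It splits each frame into the usual BidCoS header fields (length, counter, flags, type, source, destination, payload; this layout is assumed from standard BidCoS framing and the length byte is verified against every line) and then groups the A003 replies by counter and A002 challenge, which makes the observation above checkable: the five replies to one fixed challenge are all different, so the reply cannot be a pure function of counter and challenge. The faked A002 frame (counter filled in as 4F to match its replies) and the zero timestamps in the embedded sample are constructed.

```python
from collections import defaultdict

# Constructed excerpt of the two same-counter handshakes from the post
# (timestamp, hex frame), plus the author's faked challenge (counter byte
# filled in as 4F to match the five replies) and those five A003 replies.
DUMP = """
1368023994570 1141A0021F454D1C6943044D56B7E2609702
1368023994707 1941A0031C69431F454D1F9954768C770D808D9E5CE0B95EC88E
1368024726358 1141A0021F454D1C694304009B027C618B02
1368024726494 1941A0031C69431F454D297271BA643C69E76DD05893E339DDAA
0 114FA0021F454D1C69430400000000000002
0 194FA0031C69431F454DA9526AE1310C1EE04AD4621290BDECE8
0 194FA0031C69431F454D63BAE81879980E644C612079A23BFA09
0 194FA0031C69431F454D98D259D33C6BB56A55FDF662DCA419B7
0 194FA0031C69431F454DAC53E17504BE22219A5FF00051DCF142
0 194FA0031C69431F454D035C86768374B6944DE41963ECE15E3B
"""

def parse_frame(hexstr):
    """Split one BidCoS frame into header fields and payload.  Layout assumed
    here: LEN CNT FLAGS TYPE SRC(3) DST(3) PAYLOAD, where LEN counts every
    byte after itself; the check below confirms that against the dump."""
    raw = bytes.fromhex(hexstr)
    if raw[0] != len(raw) - 1:
        raise ValueError(f"LEN {raw[0]:02X} != {len(raw) - 1} bytes in {hexstr}")
    return {"cnt": raw[1], "flags": raw[2], "type": raw[3],
            "src": raw[4:7].hex().upper(), "dst": raw[7:10].hex().upper(),
            "payload": raw[10:].hex().upper()}

def parse_dump(text):
    """Parse 'timestamp hexframe' lines into frame dicts (timestamp kept)."""
    return [dict(parse_frame(h), ts=int(ts))
            for ts, h in (line.split() for line in text.strip().splitlines())]

def handshake_responses(frames):
    """Group A003 payloads by (counter, A002 challenge payload).  Several
    distinct A003 values under one key mean the reply is not a pure function
    of counter and challenge: the central mixes in fresh material of its own."""
    seen = defaultdict(list)
    challenge = {}                      # counter -> latest A002 payload
    for f in frames:
        if (f["flags"], f["type"]) == (0xA0, 0x02):
            challenge[f["cnt"]] = f["payload"]
        elif (f["flags"], f["type"]) == (0xA0, 0x03) and f["cnt"] in challenge:
            seen[(f["cnt"], challenge[f["cnt"]])].append(f["payload"])
    return dict(seen)

def nondeterministic_keys(frames):
    """(counter, challenge) pairs that drew more than one distinct A003 reply."""
    return [k for k, v in handshake_responses(frames).items() if len(set(v)) > 1]
```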

2 thoughts on “HomeMatic AES Encryption”

  1. Why not make another attempt: setting a known security key and learning how this works – if you know, reset and try to guess the unknown key.

    • Hey Andre. Sorry for the late reply… I already tried that, but still couldn’t really decrypt the handshake. Maybe the new key is used in combination with the default key somehow? Or maybe I did something wrong. Any help would be appreciated ;-).
