
Find your panel's ControllerKey

You need 32 hex characters. There are four places to look.

If you have any .pca file PC Access has saved for this panel, it’s in there:

uvx omni-pca decode-pca '/path/to/Your House.pca' --field controller_key

The CLI tries the two known XOR keys (KEY_PC01 and KEY_EXPORT), picks the one that produces the expected PCA03 magic header, and walks the file’s body to the Connection.ControllerKey field. See the file format reference for what’s in the bytes.

Open the account in PC Access, then:

Setup → Misc → Network

The “Encryption Key 1” field is the 32-hex ControllerKey. Note that PC Access displays it space-separated; strip the spaces.

If you only see “Encryption Key 1” greyed out, the panel’s network module isn’t enabled — see the next section.

If you don’t have PC Access but you do have physical access to the panel, you can read it directly from a wired console:

  1. Setup → Installer Code → enter the installer code.
  2. Misc → Network
  3. Select Encryption Key 1.

This is the only path that doesn’t require PC Access at any point in the chain. It’s also the path you’ll use to enable the network module if it’s currently off (set the IP, subnet, gateway, then turn the “Network Enabled” toggle on).

If the panel doesn’t yet have a key, or you want to rotate it, just generate one and program it back via PC Access or the keypad:

python -c "import secrets; print(secrets.token_hex(16))"

After programming the new key, restart the panel’s network module so it takes effect, then update any client using the old key.

Whichever path you used, smoke-test the key:

uvx omni-pca check-connection \
  --host 192.168.1.9 --port 4369 \
  --controller-key 6ba7b4e9b4656de3cd7edd4c650cdb09

Success looks like Connected: Omni Pro II firmware 2.12r1. A wrong key fails at the secure-session step with InvalidEncryptionKeyError.
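The helper below is an added example, not part of omni-pca: it turns a key copied from the space-separated "Encryption Key 1" display into the 32-hex form the CLI takes, rejects malformed input, flags obviously non-random keys before you program them, and generates a replacement for rotation. All function names are hypothetical, and the accepted separators and the byte-pair grouping of the display form are assumptions.

```python
import re
import secrets
import string

KEY_HEX_LEN = 32  # 32 hex characters = 16 bytes, as stated on this page


class ControllerKeyFormatError(ValueError):
    """Input cannot be a ControllerKey (hypothetical exception name)."""


def normalize_controller_key(raw: str) -> str:
    """Convert a typed or copied key ('6B A7 ...') to 32 lowercase hex chars."""
    # Assumption: separators are whitespace, ':' or '-'; anything else is an error.
    compact = re.sub(r"[\s:\-]", "", raw)
    if len(compact) != KEY_HEX_LEN:
        raise ControllerKeyFormatError(
            f"expected {KEY_HEX_LEN} hex characters, got {len(compact)}")
    if any(c not in string.hexdigits for c in compact):
        raise ControllerKeyFormatError("non-hex character in key")
    return compact.lower()


def looks_weak(key_hex: str) -> bool:
    """Heuristic only: flag keys that are clearly not random."""
    key = bytes.fromhex(normalize_controller_key(key_hex))
    if len(set(key)) <= 2:  # e.g. all zeros, or one alternating pair
        return True
    steps = {(b - a) % 256 for a, b in zip(key, key[1:])}
    return len(steps) == 1  # constant step: 00 01 02 ... or 10 20 30 ...


def new_controller_key() -> str:
    """Generate a fresh key from the OS CSPRNG, as the one-liner above does."""
    return secrets.token_hex(KEY_HEX_LEN // 2)


def as_display_form(key_hex: str) -> str:
    """Space-separated byte pairs for typing the key back in.
    Assumption: pairs and upper case; the page only says 'space-separated'."""
    k = normalize_controller_key(key_hex)
    return " ".join(k[i:i + 2] for i in range(0, KEY_HEX_LEN, 2)).upper()


if __name__ == "__main__":
    key = new_controller_key()
    print(key)                   # value for --controller-key
    print(as_display_form(key))  # value to enter on the panel side
```

Treat the printed key as a secret: keep it out of shell history and shared logs.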

Why “ControllerKey”, not just “encryption key”?


The 32-hex value isn’t actually used as the AES session key directly — the protocol does a non-trivial transformation involving a controller-supplied nonce. We call the persistent value “ControllerKey” to distinguish it from the per-session derived AES key. PC Access calls the same field “Encryption Key 1” in its UI, so they’re synonyms in practice.