
@herrfeder
Last active September 20, 2023 11:57
Notes for DECT hacking

DECT theory

General Terms

  • Range: 1.88 - 1.9 GHz (1880-1900 MHz, the European band; North American DECT 6.0 uses 1920-1930 MHz, so tune the SDR accordingly)
  • Channel Spacing: 1.728 MHz
  • Number of Carriers: 10
  • Speech codec: ADPCM (G.726) at 32 kbit/s
  • DMAP: DECT Multimedia Access Profile
  • DPRS: DECT Packet Radio Service
  • (R)FP: (Radio) Fixed Part - the base station
  • GAP: Generic Access Profile
  • GSM: Global System for Mobile communications
  • IMT-2000: International Mobile Telecommunications 2000
  • PP: Portable Part - the handset
  • RES: Radio Equipment and Systems (the ETSI technical committee that wrote the original DECT standard)

One DECT frame is 10 ms long and consists of 24 timeslots: 12 slots for the downlink from the FP to the handsets, followed by 12 slots for the uplink to the FP.

One time slot = preamble (16 bits) + sync (16 bits) + A-field (64 bits) + B-field (320 bits) + X-field (4 bits) + guard bits (60 bits) = 480 bits.

A-field = header (8 bits) + data (40 bits) + CRC (16 bits). B-field in protected format = 4 x (data (64 bits) + CRC (16 bits)) = 320 bits; in the unprotected (speech) format the whole 320 bits are raw ADPCM payload, which is exactly what the 32 kbit/s codec produces in one 10 ms frame (80 samples of 4 bits).
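As an added example (my own code, not part of the gist or of re-DECTed/dedected) the following splits one 480-bit slot into the fields listed above and decodes the A-field header; the carrier_hz helper gives the frequency for the "set channel" step of the sniffing procedure. Assumptions beyond the notes above: the A-field header bit assignment (TA a0-a2, Q1 a3, BA a4-a6, Q2 a7) and the S-field sync words 0xE98A (FP) / 0x1675 (PP) are taken from ETSI EN 300 175-3, and the sample slot is constructed, with a made-up CRC that is not validated.

```python
"""Split one 480-bit DECT physical-layer slot into its fields, decode the
A-field header and compute the carrier frequency to tune an SDR to.
Added example; not code from the gist, re-DECTed or dedected."""

# (name, length in bits) as listed in the notes above; the lengths sum to 480.
SLOT_LAYOUT = [
    ("preamble", 16),
    ("sync", 16),
    ("a_field", 64),
    ("b_field", 320),
    ("x_field", 4),
    ("guard", 60),
]
SLOT_BITS = sum(n for _, n in SLOT_LAYOUT)

# S-field sync words (ETSI EN 300 175-3): the FP sends preamble 0xAAAA + sync
# 0xE98A, the PP sends 0x5555 + 0x1675. Used here only to label the direction.
SYNC_FP = 0xE98A
SYNC_PP = 0x1675


def carrier_hz(channel: int) -> int:
    """Centre frequency of DECT carrier 0..9: 1897.344 MHz minus channel * 1.728 MHz
    (European band; DECT 6.0 in North America sits at 1920-1930 MHz instead)."""
    if not 0 <= channel <= 9:
        raise ValueError("DECT has carriers 0..9")
    return 1_897_344_000 - channel * 1_728_000


def parse_slot(bits: str) -> dict:
    """bits: 480 characters '0'/'1' in transmission order (first bit first)."""
    if len(bits) != SLOT_BITS or set(bits) - {"0", "1"}:
        raise ValueError(f"expected {SLOT_BITS} bits of '0'/'1'")
    fields, pos = {}, 0
    for name, n in SLOT_LAYOUT:
        fields[name] = bits[pos:pos + n]
        pos += n

    sync = int(fields["sync"], 2)
    direction = {SYNC_FP: "FP->PP", SYNC_PP: "PP->FP"}.get(sync, "unknown")

    # A-field header (a0..a7): TA a0-a2, Q1 a3, BA a4-a6, Q2 a7 (EN 300 175-3).
    a = fields["a_field"]
    a_field = {
        "ta": int(a[0:3], 2),       # tail identification (Ct/Nt/Qt/Mt/Pt ...)
        "q1": int(a[3]),
        "ba": int(a[4:7], 2),       # B-field identification
        "q2": int(a[7]),
        "tail": int(a[8:48], 2),    # 40 tail data bits
        "r_crc": int(a[48:64], 2),  # 16-bit R-CRC, carried through, not verified here
    }

    b = fields["b_field"]
    # Protected format: four subfields of 64 data bits + 16-bit CRC each.
    b_protected = [(int(b[i:i + 64], 2), int(b[i + 64:i + 80], 2)) for i in range(0, 320, 80)]
    # Unprotected speech: 320 raw bits = 80 four-bit ADPCM samples per 10 ms (8 kHz).
    b_samples = [int(b[i:i + 4], 2) for i in range(0, 320, 4)]

    return {
        "direction": direction,
        "sync": sync,
        "a_field": a_field,
        "b_protected": b_protected,
        "b_samples": b_samples,
        "x_field": int(fields["x_field"], 2),
        "guard": fields["guard"],
    }


def _bits(value: int, width: int) -> str:
    return format(value, f"0{width}b")


# Constructed sample slot (not a real capture): FP preamble/sync, header 0x5A
# (TA=2, Q1=1, BA=5, Q2=0), a made-up tail and CRC, four protected B-subfields.
EXAMPLE_SLOT = (
    _bits(0xAAAA, 16) + _bits(SYNC_FP, 16)
    + "01011010" + _bits(0x1122334455, 40) + _bits(0xBEEF, 16)
    + "".join(_bits(0x0102030405060708 + i, 64) + _bits(0x1000 + i, 16) for i in range(4))
    + "1001" + "0" * 60
)

if __name__ == "__main__":
    slot = parse_slot(EXAMPLE_SLOT)
    print("direction:", slot["direction"], "A-field header:", slot["a_field"])
    print("carrier 0 at", carrier_hz(0), "Hz; carrier 9 at", carrier_hz(9), "Hz")
```

The bit string would come from the demodulator (re-DECTed's GNU Radio flow graph delivers exactly such slots); the parser does not check the R-CRC or the X-CRC, so a real capture tool still has to drop slots whose CRCs fail before anything in the A-field is trusted.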

Sniff DECT

The repository https://github.com/znuh/re-DECTed makes it possible to use any suitable SDR hardware to sniff DECT packets. After cloning it we only have to:

  • build it: `make`
  • create the dummy0 interface the decoded packets are written to: `modprobe dummy`, then bring it up: `ifconfig dummy0 up` (or `ip link set dummy0 up`)
  • run the packet receiver as root: `./dectrcv`
  • start the SDR part: `./dectrx.py`
  • set the channel (carrier 0-9), the gain and the ppm frequency correction of the SDR
  • enjoy the DECT packets in Wireshark, captured on dummy0

Extract Audio from DECT

To extract the audio stream from a DECT capture we can use pcapstein from dedected (https://github.com/LucaBongiorni/dedected):

```sh
./dedected/com-on-air_cs-linux/tools/pcapstein phillips_avent_sniff2.pcap.pcapng
```

This creates .ima files (one per direction, e.g. `..._fp.ima` for the base-station side) that contain the raw ADPCM audio payload of the B-field. We can look at it in Audacity by importing it as raw data, or decode it with the g72x++ decoder from http://www.ps-auxw.de/g72x++.tar.bz2.

The following decodes the 4-bit (32 kbit/s) ADPCM (`-4`) to A-law (`-a`) and lets sox wrap it as an 8 kHz, 8-bit, mono WAV:

```sh
decode-g72x -4 -a phillips_avent_dect.pcap_fp.ima | sox -r 8000 -b 8 -c 1 -e a-law -t raw - -t wav fpcall.wav
```

The Philips Avent SCD525 probably uses DECT encryption, as the extracted audio contains only noise. Whether ciphering is really active can be checked in the capture itself rather than guessed from the audio: the MAC layer switches the cipher on with explicit encryption-control messages (start/stop cipher request, confirm and grant) carried in the A-field Mt tail, which Wireshark decodes. Noise without such messages in the capture points at a codec or framing problem (wrong bit rate, wrong companding, protected instead of unprotected B-field) rather than at encryption.
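A quick plausibility test for the "only noise" observation, as an added example that is my own code and not part of the gist, dedected or g72x++: ADPCM speech has a strongly skewed distribution of its 4-bit codes (small step codes dominate), whereas a ciphered B-field is indistinguishable from random bits and has close to the maximum 8 bits of entropy per byte. The two payloads below are constructed, not real captures; the sign-plus-magnitude model of the 4-bit code and the 7.9 bits/byte threshold are assumptions of the heuristic.

```python
"""Entropy check for an extracted .ima payload: structured ADPCM speech vs.
noise-like (possibly ciphered) data. Added example; not code from the gist,
dedected or g72x++."""
import math
import random
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (maximum 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def nibble_histogram(data: bytes) -> list:
    """Counts of the 16 possible 4-bit ADPCM codes (DECT speech is 32 kbit/s at
    8 kHz = 4 bits per sample, so two samples per .ima byte)."""
    hist = [0] * 16
    for byte in data:
        hist[byte >> 4] += 1
        hist[byte & 0x0F] += 1
    return hist


def looks_encrypted(data: bytes, threshold: float = 7.9) -> bool:
    """Heuristic: near-maximal byte entropy is consistent with DECT ciphering
    (or any other bit-level scrambling); it is evidence, not proof. The
    threshold is an assumption chosen for payloads of a few KiB and more."""
    return shannon_entropy(data) > threshold


# Constructed inputs (not real captures), seeded so the numbers are reproducible.
_rng = random.Random(1234)
RANDOM_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(8192))
# Speech-like: small-magnitude codes are far more common than large ones. The
# 4-bit code is modelled as sign bit + 3-bit magnitude (assumption of the model;
# the exact G.726 code assignment does not matter for the heuristic).
_weights = [8, 6, 4, 3, 2, 1, 1, 1] * 2
_codes = _rng.choices(range(16), weights=_weights, k=16384)
SPEECHLIKE_PAYLOAD = bytes((_codes[i] << 4) | _codes[i + 1] for i in range(0, len(_codes), 2))


def classify(data: bytes) -> str:
    if looks_encrypted(data):
        return "noise-like (possibly ciphered)"
    return "structured (plausibly ADPCM speech)"


if __name__ == "__main__":
    samples = {"random": RANDOM_PAYLOAD, "speech-like": SPEECHLIKE_PAYLOAD}
    for path in sys.argv[1:]:  # e.g. phillips_avent_dect.pcap_fp.ima
        with open(path, "rb") as f:
            samples[path] = f.read()
    for name, data in samples.items():
        print(f"{name}: {shannon_entropy(data):.3f} bits/byte -> {classify(data)}")
```

Run it with the .ima files pcapstein produced as arguments; a file that scores like the random payload is consistent with an encrypted link, while a file that scores like the speech-like payload but still decodes to noise means the decode-g72x or sox parameters are wrong.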

http://www.rfwireless-world.com/Tutorials/DECT-tutorial.html

@mluis

mluis commented Jan 14, 2020

I'm having the same issue with Sagemcom D22T. Have you confirmed the issue was encryption?

@herrfeder (Author)

Hi, I had a discussion with a colleague about this topic after my findings. He suggested encryption, too, as the reason for this, but I never confirmed it. I experienced similar noise for other audio-based encrypted radio transmissions.
Thank you for asking.

@lishinnlou

Hi

I can successfully get packets in Wireshark with an E4000-chip RTL-SDR dongle. I see DEC RTP and PP in the protocol column, but I am not sure whether I can see more details about the packets, i.e. whether there is any decryption step that needs to be done in Wireshark. Also, in dectrx_38.grc there is a file output in .cf32 format; with what program can I read its contents?

Final thing: how come my dummy0 interface is dumping packets to the eth port, so that the packets show RSSI = 0? Is that right? I see znuh's snapshot showing an RSSI value.

@lishinnlou

Hi, can anyone give me some advice on PP capture? I have followed re-DECTed and I can capture 80-90 FP packets per second, but for PP it randomly catches some but not all, even though there are no CRC errors.
Any idea? Should I change anything in dectrcv.c, or do I need to change anything in dected_38.grc?
