@herrfeder
Last active September 20, 2023 11:57
Notes for DECT hacking

Theoretical background on DECT

General Terms

  • Range: 1.88 - 1.9 GHz

  • Channel spacing: 1.728 MHz

  • Number of carriers: 10

  • Speech codec: ADPCM at a 32 kbit/s speech rate

  • DMAP: DECT Multimedia Access Profile

  • DPRS: DECT Packet Radio Service

  • (R)FP: Fixed Part (the base station)

  • GAP: Generic Access Profile

  • GSM: Global System for Mobile telecommunications

  • IMT-2000: International Mobile Telecommunications 2000

  • PP: Portable Part (the handset)

  • RES: Radio Equipment Systems

One DECT frame is 10 ms long and consists of 24 time slots: 12 slots for the downlink from the FP and 12 slots for the uplink to the FP.

One time slot = preamble (16 bits) + sync (16 bits) + A field (64 bits) + B field (320 bits) + X field (4 bits) + guard bits (60 bits), 480 bits in total

A field = header (8 bits) + data (40 bits) + CRC (16 bits)

B field = data (64 bits) + CRC (16 bits) + data + CRC + data + CRC + data + CRC, i.e. four data/CRC blocks
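As an added example (not code from the gist), a small Python parser that slices one captured 480-bit slot into the fields listed above and decomposes the A and B fields into their sub-blocks; the field widths are the ones from these notes, the bit order is assumed MSB-first, and the sample slot bytes are constructed, not a real capture:

```python
# Added example, not part of the gist: field widths as given in the notes.
SLOT_LAYOUT = [("preamble", 16), ("sync", 16), ("a_field", 64),
               ("b_field", 320), ("x_field", 4), ("guard", 60)]  # 480 bits
A_FIELD_LAYOUT = [("header", 8), ("data", 40), ("crc", 16)]       # 64 bits
B_BLOCK_LAYOUT = [("data", 64), ("crc", 16)]    # one of four blocks, 80 bits

SLOT_BITS = sum(w for _, w in SLOT_LAYOUT)      # 480
SLOTS_PER_FRAME = 24                            # 10 ms frame: 12 down + 12 up


def bytes_to_bits(raw: bytes) -> str:
    """MSB-first bit string of a captured slot (60 bytes = 480 bits)."""
    return "".join(f"{byte:08b}" for byte in raw)


def _split(bits: str, layout) -> dict:
    """Cut a '0'/'1' string into named fields; reject bad length or symbols."""
    expected = sum(w for _, w in layout)
    if len(bits) != expected or set(bits) - {"0", "1"}:
        raise ValueError(f"expected {expected} bits, got {len(bits)}")
    fields, pos = {}, 0
    for name, width in layout:
        fields[name] = bits[pos:pos + width]
        pos += width
    return fields


def parse_slot(bits: str) -> dict:
    """Parse one 480-bit slot; the A and B fields are decomposed further."""
    slot = _split(bits, SLOT_LAYOUT)
    slot["a_field"] = _split(slot["a_field"], A_FIELD_LAYOUT)
    b = slot["b_field"]
    slot["b_field"] = [_split(b[i:i + 80], B_BLOCK_LAYOUT)
                       for i in range(0, 320, 80)]
    return slot


def slot_direction(slot_index: int) -> str:
    """Slots 0-11 carry FP->PP (downlink), slots 12-23 PP->FP (uplink)."""
    if not 0 <= slot_index < SLOTS_PER_FRAME:
        raise ValueError(f"slot index {slot_index} outside 0..23")
    return "downlink" if slot_index < SLOTS_PER_FRAME // 2 else "uplink"


# Constructed sample (not a real capture): distinct byte per field so cuts show.
SAMPLE_SLOT = (b"\xaa\xaa" + b"\xe9\x8a"              # preamble, sync
               + b"\x01" + b"\x02" * 5 + b"\x03\x03"  # A: header, data, CRC
               + (b"\x04" * 8 + b"\x05\x05") * 4      # B: 4 x (data, CRC)
               + b"\xf0" + b"\x00" * 7)               # X nibble + 60 guard bits
```

Call parse_slot(bytes_to_bits(SAMPLE_SLOT)) to see the cut; a slot of the wrong length or with non-bit characters raises ValueError instead of silently misaligning the fields.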

Sniff DECT

The repository https://github.com/znuh/re-DECTed makes it possible to use any suitable SDR hardware to sniff DECT packets. After downloading it, we only have to:

  • make
  • create the dummy0 interface: modprobe dummy
  • start the dummy0 interface: ifconfig dummy0 up
  • run dectrcv as root: ./dectrcv
  • start the SDR part: ./dectrx.py
  • set the channel, gain and ppm values
  • enjoy the DECT packets in Wireshark

Extract Audio from DECT

To extract the audio stream from a DECT capture we can use pcapstein from dedected (https://github.com/LucaBongiorni/dedected):

./dedected/com-on-air_cs-linux/tools/pcapstein phillips_avent_sniff2.pcap.pcapng

This creates .ima files that contain the raw audio data. We can inspect them with Audacity by importing raw data, or decode them with a dedicated G.72x decoder, http://www.ps-auxw.de/g72x++.tar.bz2 .

The following command decodes the audio stream from an .ima file and writes it to a WAV file:

decode-g72x -4 -a phillips_avent_dect.pcap_fp.ima | sox -r 8000 -b 8 -c 1 -e a-law -t raw - -t wav fpcall.wav

The Philips Avent SCD525 probably uses DECT encryption, as the decoded audio files contain only noise.

http://www.rfwireless-world.com/Tutorials/DECT-tutorial.html

@lishinnlou

Hi, can anyone give me some advice on catching PP? I have followed re-DECTed and I can catch 80-90 FP packets per second, but for PP it randomly catches some but not all, even though there is no CRC error.
Any idea? Should I change anything in dectrcv.c, or do I need to change anything in dected_38.grc?
