YouTube Tutorial: Eavesdropping on DECT6.0 Cordless Phones with a HackRF and GR-DECT2
Back in December of last year Corrosive from his YouTube channel SignalsEverywhere showed us a demo video of him receiving unecrypted DECT digital cordless phones with his HackRF.
DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.
In his latest video Corrosive shows us how to install GR-DECT2 on Linux, which is the GNU Radio based decoding software required to decode the DECT signal. He then goes on to show how the software can be used and finally provides some optimizations tips.
Hi there are some gnuradio blocks are missing, do yo have any update version that we can download?
just use the dragon os live install . it has this program and more.
Hi, do you have some time for a quick phone call regarding Dect 6 ?
Is there a way to get this to work with the PlutoSDR (since it can technically tune up to the DECT frequencies and should have the bandwidth necessary for decoding)? I replaced the source block with the PlutoSDR source block, and managed to get to the part where after pressing the Play button in GNURadio, gr-dect shows the decoding window and the occupied channels, but my decoded sound is all hisses and pops.
The DECT phones I am using for the test are the Philips CD440, in intercom mode. From what I know, these should not implement encryption so decoding should work.
the reason why hackrf works well for this is because the space of your sdr spectrum that it can pick up is wide enough. pluto sdr may not be wide enough ,
hi, and do you know something more about encrypted DECT phones ? In a text above write about DECT encryption is known to be weak, and can be broken with some effort. What that means actually, do you know practically how to do that ? Thanks in advance
Looking into that also.
Hi.
Are these the DECT PCMCIA you are talking about?
https://www.ebay.es/itm/Telefonica-DECT-PCMCIA-Karte-TYP-III-COM-ON-AIR-dedected-compatible/162090759805
For the listed price I’m tempted to give it a try 🙂
Refards,
EMM
Those work but are type 3 cards. Good luck finding a capable PC with a type 3 slot at a good price.
You want type 2
Very interesting indeed.
I went the other way, and bought a Com-on-air device (PCMCIA), so I had to buy an adapter to mount that in my PC. AND I had to run it under 32 bit image. Not cheap.
However, the performance was lacking, so I opened it, and soldered a suitable external antenna connector to improve range.
But WOW did it work well. And sorry to say its functionality looked somewhat more ‘refined’ than your demo. The downside being that it only dumped to a .wav file or something – long time since I’ve used it. But in the built-up place that is the UK – there were LOTS of unencrypted handsets to listen to, and the Com-on-air changed freq with the handsets too.
I saw that someone paid a developer to pipe that output to audio in real time, and not just dump to a file. Almost considered that too, but you know how life gets in the way…
I will try this with my ettus device, given that I saw a .grc file in your video for it.
The com-on-air is some NICE hardware. I agree 100% and the scanning is superb but man is it expensive.
You know you can listen in near-real time with that. I paid a developer to modify it years ago.
https://github.com/KR0SIV/dedected
Just re-compile the above into the folder over top of your existing installation.
That’ll do live playback and it’ll start on the US band.
It’s an older video but I do have a demo of the com-on-air card as well.
https://www.youtube.com/watch?v=MycM38SjHjg
…
oh, I see you’ve already found the software XD Yeah that was me.
I’m working to improve the dect2 software to auto-follow the handset freq. Hopefully that will go as planned.