YouTube Tutorial: Eavesdropping on DECT6.0 Cordless Phones with a HackRF and GR-DECT2

Back in December of last year, Corrosive from the YouTube channel SignalsEverywhere showed us a demo video of him receiving unencrypted DECT digital cordless phones with his HackRF.

DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.

In his latest video, Corrosive shows us how to install GR-DECT2 on Linux, the GNU Radio based software required to decode the DECT signal. He then goes on to show how the software can be used, and finally provides some optimization tips.

DECT 6.0 Cordless Phone Eavesdropping {Install GR-DECT2 and Decode with HackRF SDR} or E4000 RTL SDR


  1. lishinn lou

    Hi, there are some gnuradio blocks missing, do you have any updated version that we can download?

  2. Anonymous

    Is there a way to get this to work with the PlutoSDR (since it can technically tune up to the DECT frequencies and should have the bandwidth necessary for decoding)? I replaced the source block with the PlutoSDR source block, and managed to get to the part where after pressing the Play button in GNURadio, gr-dect shows the decoding window and the occupied channels, but my decoded sound is all hisses and pops.

    The DECT phones I am using for the test are the Philips CD440, in intercom mode. From what I know, these should not implement encryption so decoding should work.

  3. Mark

    Hi, do you know something more about encrypted DECT phones? The text above says DECT encryption is known to be weak, and can be broken with some effort. What does that mean actually, do you know practically how to do that? Thanks in advance.

  4. Not Sure

    Very interesting indeed.

    I went the other way, and bought a Com-on-air device (PCMCIA), so I had to buy an adapter to mount that in my PC. AND I had to run it under 32 bit image. Not cheap.

    However, the performance was lacking, so I opened it, and soldered a suitable external antenna connector to improve range.

    But WOW did it work well. And sorry to say its functionality looked somewhat more ‘refined’ than your demo. The downside being that it only dumped to a .wav file or something – long time since I’ve used it. But in the built-up place that is the UK – there were LOTS of unencrypted handsets to listen to, and the Com-on-air changed freq with the handsets too.

    I saw that someone paid a developer to pipe that output to audio in real time, and not just dump to a file. Almost considered that too, but you know how life gets in the way…

    I will try this with my ettus device, given that I saw a .grc file in your video for it.

    • Corrosive of SignalsEverywhere

      The com-on-air is some NICE hardware. I agree 100% and the scanning is superb but man is it expensive.

      You know you can listen in near-real time with that. I paid a developer to modify it years ago.

      Just re-compile the above into the folder over top of your existing installation.
      That’ll do live playback and it’ll start on the US band.

      It’s an older video but I do have a demo of the com-on-air card as well.

      Oh, I see you’ve already found the software XD Yeah that was me.

      I’m working to improve the dect2 software to auto-follow the handset freq. Hopefully that will go as planned.
