ReDECTed: Building an SDR-based DECT sniffer
May 27th, 2015, HITB HAXPO
Marc Newlin
What is a DECT sniffer?
- DECT is the ubiquitous wireless protocol used by cordless phones
- A DECT sniffer uses an SDR to decode packets from nearby DECT devices
Why build a DECT sniffer?
- DECT has a high adoption rate worldwide
- Writing SDR protocol decoders is fun!
- Hacking on a sniffer is a great way to learn a new protocol
- Existing DECT sniffers rely on hardware that is no longer produced
- SDRs are highly available
Dedicated DECT hardware
- COM-ON-AIR cards from DOSCH-AMAND
- PCMCIA DECT transceiver
- Can be used as a generic DECT device
- No longer produced; increasingly difficult to find
Prior DECT sniffer work
- dedected: released open source firmware/driver for COM-ON-AIR cards; reverse engineered the DECT Standard Authentication Algorithm
- Osmocom DECT: DECT stack for Linux; works with COM-ON-AIR cards to function as a DECT handset or basestation
Some Important Terms
Acronym   Meaning
RFP       Radio Fixed Part (basestation)
PP        Portable Part (handset)
RFPI      Radio Fixed Part Identifier (5-octet globally unique identifier)
C-plane   Control Plane
TDMA      Time Division Multiple Access
LSIG      Link Signature
PMID      Portable MAC Identifier
DECT Physical Layer
- 1.152 MHz sample rate per channel
- 1.728 MHz channel spacing
- 5 channels (8.64 MHz) in North America, and 10 channels everywhere else (17.28 MHz)
- DECT is called DECT 6.0 in North America, but purely for marketing reasons
- Typically between 1880 MHz and 1930 MHz, but also found at 900 MHz, 2 GHz, and 2.4 GHz
- GFSK modulation (required)
- DQPSK, D8PSK, QAM16, QAM64 modulation (optional)
- TDMA channel access
Project goals
- Build a DECT sniffer that works on both a Linux computer and an Android phone
- Keep complexity to a minimum: signal processing is computationally expensive, lower complexity means lower power consumption, and future self is not smart (keep code simple and well documented!!)
- Decode all 5 North American DECT channels simultaneously (requires a fancy SDR)
- Support single channel decoding with an inexpensive SDR
- Most importantly, learn something!
SDR hardware
                 USRP B210          RTL-SDR E4000
Price            $1100 USD          $50 USD
Bandwidth        56 MHz             3.2 MHz
Frequency range  70 MHz to 6 GHz    52 MHz to 2.2 GHz
Sample depth     12-bit samples     8-bit samples
Interface        USB 3.0            USB 2.0
What do we need to build?
- Channelizer: in the case of 5 DECT channels, this takes the 8.64 MHz input and splits it into 5 x 1.728 MHz streams
- FM Demodulator: turns the output of each channelized stream into bits
- Frame / slot / packet recovery: takes the demodulated bits and figures out what the DECT hardware is doing
Keep it simple
- SDR doesn't have to be complicated
[Chart: "Things requiring a Ph.D to understand": MS Word page formatting, Other things, Software Defined Radio]
Host Environment
Linux host:
- Intel C Compiler
- Intel Performance Primitives
- Intel Thread Building Blocks
- AVX2 and SSE4 SIMD intrinsics
- Any Intel Core processor
Android host:
- Android NDK
- Project Ne10
- ARM NEON SIMD intrinsics
- Quad-core ARMv7a processor
Talking to the SDR
What is required to get I/Q samples from the SDRs?
- USRP B210: UHD, Boost, libusb
- RTL-SDR E4000: librtlsdr, libusb
PFB Channelizer
1. Generate low pass filter coefficients for one channel. For N channels, the number of filter coefficients must be an integer multiple of N.
2. Low pass filter each channel. For N channels, every Nth sample belongs to the same channel, and each channel is filtered by every Nth coefficient. Given 5 channels, channel 2's samples are 2, 7, 12, etc., which are filtered by coefficients 2, 7, 12, etc.
3. Send the filtered samples through an N-bin FFT.
4. Deinterleave the output (at which point each output stream contains samples from one channel).
PFB Channelizer - Linux
PFB Channelizer - Android
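The four channelizer steps, worked through in plain Python as an added example (my code, not the talk's Intel IPP or Ne10 implementation): a Hamming-windowed sinc prototype filter, the polyphase branches, a 5-point DFT across them, and the deinterleave, run on a constructed input carrying one test tone per channel. The tap count, window and test tones are my choices; the check is that each output stream's level matches the amplitude of the tone placed in its channel.

```python
import cmath, math

N = 5                  # channels to split out (North American DECT, per the slides)
TAPS_PER_BRANCH = 16   # prototype filter has N*16 taps: an integer multiple of N, as step 1 requires

def prototype_lowpass(n_taps, cutoff):
    # step 1: Hamming-windowed sinc low-pass (cutoff in cycles/sample), scaled to unity DC gain
    mid = (n_taps - 1) / 2
    taps = []
    for n in range(n_taps):
        x = n - mid
        sinc = 2 * cutoff if x == 0 else math.sin(2 * math.pi * cutoff * x) / (math.pi * x)
        taps.append(sinc * (0.54 - 0.46 * math.cos(2 * math.pi * n / (n_taps - 1))))
    dc = sum(taps)
    return [t / dc for t in taps]

def channelize(x, taps, n_ch=N):
    # steps 2-3: branch m filters every Nth input sample with every Nth coefficient h[kN+m];
    # the branch order runs backwards (branch m holds the samples with index -m mod N), which
    # is what makes the sum a true filter-and-decimate; an N-point DFT across the branches
    # then yields one sample per channel, emitted interleaved (ch0, ch1, ..., ch4, ch0, ...)
    K = len(taps) // n_ch
    assert len(taps) == K * n_ch, "tap count must be a multiple of N"
    interleaved = []
    for t in range(K, len(x) // n_ch):          # decimated time index; t >= K keeps indices >= 0
        branches = [sum(taps[k * n_ch + m] * x[(t - k) * n_ch - m] for k in range(K))
                    for m in range(n_ch)]
        for c in range(n_ch):
            interleaved.append(sum(v * cmath.exp(2j * math.pi * c * m / n_ch)
                                   for m, v in enumerate(branches)))
    return interleaved

def deinterleave(interleaved, n_ch=N):
    # step 4: split the interleaved stream into one list per channel
    return [interleaved[c::n_ch] for c in range(n_ch)]

def channel_rms(streams):
    return [math.sqrt(sum(abs(v) ** 2 for v in s) / len(s)) for s in streams]

def example(n_samples=4000):
    # constructed input: one tone per channel, 0.02 cycles/sample above the channel centre c/N,
    # with amplitude c+1 so each output stream can be identified by its level
    x = [sum((c + 1) * cmath.exp(2j * math.pi * (c / N + 0.02) * s) for c in range(N))
         for s in range(n_samples)]
    taps = prototype_lowpass(N * TAPS_PER_BRANCH, cutoff=1 / (2 * N))
    return channel_rms(deinterleave(channelize(x, taps)))
```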
FM Demodulator
1. Multiply a sample by the complex conjugate of the previous sample.
2. Compute the phase angle of the result.
3. Positive phase angle means bit 1, negative phase angle means bit 0.
FM Demodulator - Linux
FM Demodulator - Android
Timing Recovery
The DECT device clock and SDR clock will typically be offset by a small amount. We need to correct this offset in order to produce accurate bits.
1. With no offset, the phase angle representing a 1 bit will equal the absolute value of the phase angle representing a 0 bit.
2. Use the offset (error value) to determine the clock difference between the DECT device and the SDR.
3. Interpolate the output value based on the error value.
Timing Recovery - Linux
Timing Recovery - Android
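An added example in plain Python (mine, not the talk's IPP or Ne10 code) of the three demodulator steps together with timing-recovery step 3. The constructed burst is 4x oversampled so the interpolation has something to work on (the talk's pipeline runs at one sample per symbol), the SDR clock is made 0.5% fast, and a grid search over clock ratio and start offset stands in for the slide's error-driven loop; those are my simplifications.

```python
import cmath, random
DEV, NOMINAL_SPS = 0.8, 4.0   # constructed: +-DEV rad phase advance per symbol; 4x oversampled (talk: 1 sps)

def fsk_modulate(bits, sps, t0=0.0, dev=DEV):
    # constructed CPFSK source: sample i sits at symbol time t0 + i/sps, so an off-nominal sps models an SDR clock running fast or slow
    cum = [0.0]                                     # phase at each symbol boundary
    for b in bits:
        cum.append(cum[-1] + (dev if b else -dev))
    out = []
    for i in range(int((len(bits) - t0) * sps)):
        t = t0 + i / sps
        k = int(t)
        out.append(cmath.rect(1.0, cum[k] + (t - k) * (cum[k + 1] - cum[k])))
    return out

def resample(samples, sps, start):
    # timing recovery step 3: one linearly interpolated output per symbol, stepping sps input
    # samples per symbol from fractional position start
    out, pos = [], start
    while pos + 1 < len(samples):
        i = int(pos)
        out.append(samples[i] * (1 - (pos - i)) + samples[i + 1] * (pos - i))
        pos += sps
    return out

def fm_demod(samples):
    # steps 1-2: the angle of sample * conj(previous) is the phase advance, so no unwrapping is needed
    return [cmath.phase(cur * prev.conjugate()) for prev, cur in zip(samples, samples[1:])]

def slice_bits(angles):
    return [1 if a > 0 else 0 for a in angles]     # step 3: positive angle -> 1, negative -> 0

def recover_timing(samples, nominal_sps=NOMINAL_SPS, span=0.03, steps=12):
    # my stand-in for the slide's error-driven loop (not the talk's code): grid-search clock ratio and
    # start offset for the largest mean |angle|; on symbol boundaries every angle is +-DEV, and a timing
    # error shrinks the angles on bit transitions (that shrinkage is the error value being driven out)
    best = (-1.0, nominal_sps, 0.0)
    for r in range(-steps, steps + 1):
        for q in range(16):
            sps, start = nominal_sps * (1 + span * r / steps), q * nominal_sps / 16
            angles = fm_demod(resample(samples, sps, start))
            score = sum(map(abs, angles)) / len(angles)
            if score > best[0]:
                best = (score, sps, start)
    return best[1], best[2]

def example():
    # constructed burst: 500 random bits, SDR clock 0.5% fast (sps 4.02), unknown start phase
    rng = random.Random(1)
    bits = [rng.randrange(2) for _ in range(500)]
    samples = fsk_modulate(bits, sps=4.02, t0=0.37)
    sps, start = recover_timing(samples)
    return bits, samples, slice_bits(fm_demod(resample(samples, sps, start)))
```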
DECT TDMA Frames and Slots
- 1 frame = 24 time slots (10 ms)
- 1 slot = 480 symbols (480 samples/bits with GFSK modulation)
- 12 downlink slots are followed by 12 uplink slots
- Slots are used in pairs: [0, 12], [1, 13], etc.
- Full and double slots start at slot symbol offset 0
- Half slots start at symbol offset 0 or 240
Fixed Capacity Packets
Packet Type   Length               Duration
P0            96 symbols           1 timeslot
P32           420 or 424 symbols   1 timeslot
P80           900 or 904 symbols   2 timeslots
Variable Capacity Packets
Packet Type   Length            Duration
P00j          Variable length   Half slot, full slot, or double slot
DECT TDMA Multiframe
- 1 multiframe = 16 frames
- RFPs transmit a multiframe marker in frame 8 of each multiframe
- Multiframes are used as a unit of duration
- Multiframes are numbered when encryption is enabled
DECT Packet Structure
Field     Description
S-field   Preamble and sync word
D-field   Payload
A-field   MAC header and tail, protected by a 16-bit CRC, unencrypted
B-field   Data (voice, control data, etc.), can be encrypted
X-field   32-bit CRC computed over the B-field
Z-field   Last 4 symbols from the D-field, used to detect interference from unsynchronized transmitters sliding into adjacent timeslots
S-field Detector
- RFP S-field: AA-AA-E9-8A
- PP S-field: 55-55-16-75
- The S-field begins with a preamble of alternating 1s and 0s, followed by a sync word
- The preamble can optionally be extended by an additional 16 bits
- The PP S-field is the inverse of the RFP S-field
- The packet detector maintains a ring buffer of incoming bits and bytes
- After each new bit, the ring buffer is checked against both the PP and RFP S-fields
- When a match is found, the potential packet is passed up to the MAC layer
S-field Detector
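The detector described above plus the slot bookkeeping from the TDMA slides, as an added example in plain Python (mine, not the talk's code): a 32-bit shift register plays the role of the ring buffer, each match is placed in its slot, and an RFP S-field landing in an uplink slot is flagged as inconsistent. The frame origin is assumed known here; in the sniffer it comes from the TDMA sync described on the later slides.

```python
import random

RFP_SFIELD = 0xAAAAE98A   # from the slide: preamble AA-AA, sync word E9-8A (bits sent MSB first)
PP_SFIELD = 0x55551675    # PP S-field, the bitwise inverse of the RFP S-field
S_BITS = 32
SLOT_SYMBOLS, SLOTS_PER_FRAME, HALF_SLOT = 480, 24, 240   # from the TDMA slides

class SFieldDetector:
    # the last 32 demodulated bits live in a shift register (the slide's ring buffer) and are
    # compared against both S-fields after every new bit
    def __init__(self):
        self.reg, self.nbits = 0, 0          # nbits doubles as the symbol clock

    def push(self, bit):
        self.reg = ((self.reg << 1) | (bit & 1)) & 0xFFFFFFFF
        self.nbits += 1
        if self.nbits >= S_BITS and self.reg in (RFP_SFIELD, PP_SFIELD):
            side = "RFP" if self.reg == RFP_SFIELD else "PP"
            return side, self.nbits - S_BITS   # symbol index of the first preamble bit
        return None

def locate(start, frame_origin=0):
    # slot index and symbol offset inside the slot, relative to a known frame start (in the
    # sniffer the frame start comes from the TDMA sync described on the later slides)
    slot, offset = divmod((start - frame_origin) % (SLOT_SYMBOLS * SLOTS_PER_FRAME), SLOT_SYMBOLS)
    kind = {0: "slot start", HALF_SLOT: "second half slot"}.get(offset, "misaligned")
    return slot, offset, kind

def scan(bits, frame_origin=0):
    # each hit: S-field direction, slot, offset, alignment, and whether the direction agrees
    # with the slot half (12 downlink slots are followed by 12 uplink slots)
    det, hits = SFieldDetector(), []
    for b in bits:
        hit = det.push(b)
        if hit:
            side, start = hit
            slot, offset, kind = locate(start, frame_origin)
            hits.append((side, slot, offset, kind, side == ("RFP" if slot < 12 else "PP")))
    return hits

def constructed_frame():
    # one 10 ms frame of random bits with four S-fields dropped in at known positions; the last
    # is an RFP S-field in an uplink slot, which scan() flags as inconsistent
    rng = random.Random(7)
    bits = [rng.randrange(2) for _ in range(SLOT_SYMBOLS * SLOTS_PER_FRAME)]
    for slot, offset, word in ((3, 0, RFP_SFIELD), (15, 0, PP_SFIELD), (17, 240, PP_SFIELD), (20, 0, RFP_SFIELD)):
        pos = slot * SLOT_SYMBOLS + offset
        bits[pos:pos + S_BITS] = [(word >> (31 - i)) & 1 for i in range(S_BITS)]
    return bits
```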
A-field Validator
- Detecting an S-field doesn't mean we have a valid packet
- The A-field validator calculates the 16-bit CRC, and continues only if it matches
- If we have a valid A-field, we proceed to determine the slot and frame indexes of this packet
A-field Validator
Recovering TDMA Timing
- Not all packets contain unique identifiers
- Must achieve TDMA sync to infer transceiver state
- Multiframe markers transmit system information once per multiframe
- There are 12 multiframe marker types, transmitted at periodic intervals
C-plane Frames
- Frames are fragmented and sent in multiple A-field tails
- Protected by a 16-bit CRC
- The CRC is XOR'd with the LSIG (lower 16 bits of the PMID)
- Common single-fragment C-plane messages allow us to reverse the LSIG
- Once we know the LSIG for a given connection (timeslot), we can CRC-validate and decode multi-fragment frames
Reversing the LSIG
Reassembling C-plane Frames
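An added example in plain Python (mine, not the talk's code) covering both the A-field validator and the LSIG reversal and reassembly check above. The polynomial 0x0589 (x^16 + x^10 + x^8 + x^7 + x^3 + 1) is the DECT R-CRC generator as I know it from EN 300 175-3, and the 64-bit A-field layout (48 bits of header and tail plus the 16-bit CRC) likewise comes from the standard rather than the slides; any final XOR the standard applies is omitted, one CRC routine serves both checks, and the message bytes and PMID are constructed placeholders.

```python
POLY = 0x0589   # x^16+x^10+x^8+x^7+x^3+1, the DECT R-CRC generator as I know it from EN 300 175-3;
                # the slides only say "16 bit CRC", and any final XOR the standard applies is omitted

def crc16(data, poly=POLY):
    # MSB-first 16-bit CRC, init 0; the CRC's XOR-with-LSIG scrambling is what the trick below relies on
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def build_a_field(body):
    # transmitter side, for the constructed test: 6 bytes of header + tail, then the CRC
    return body + crc16(body).to_bytes(2, "big")

def validate_a_field(a_field):
    # A-field validator: recompute the CRC over the 48 bits of header + tail and continue
    # only if it matches the 16 bits that follow (64-bit A-field, per the standard)
    if len(a_field) != 8:
        return None
    body = a_field[:6]
    return body if crc16(body) == int.from_bytes(a_field[6:], "big") else None

def recover_lsig(known_frame, received_crc):
    # reversing the LSIG: the transmitted CRC is crc16(frame) ^ LSIG, so a single-fragment
    # frame whose content we can predict gives LSIG back with one XOR
    return crc16(known_frame) ^ received_crc

def check_cplane(frame, received_crc, lsig):
    # with LSIG known for this connection, reassembled multi-fragment frames validate normally
    return (crc16(frame) ^ lsig) == received_crc

def example():
    # constructed values: PMID 0x12345 gives LSIG 0x2345 (its lower 16 bits); the byte
    # strings are placeholders, not real DECT message encodings
    lsig = 0x12345 & 0xFFFF
    known = bytes.fromhex("0102030405")        # stands in for a common single-fragment message
    recovered = recover_lsig(known, crc16(known) ^ lsig)   # right side is what the RFP would send
    frag1, frag2 = bytes.fromhex("aabbccddee"), bytes.fromhex("1122334455")  # two A-field tails
    tx_crc = crc16(frag1 + frag2) ^ lsig
    ok = check_cplane(frag1 + frag2, tx_crc, recovered)
    bad = check_cplane(frag1 + bytes.fromhex("1122334454"), tx_crc, recovered)  # one bit flipped
    a_good = build_a_field(bytes.fromhex("0c1122334455"))
    a_bad = bytes([a_good[0] ^ 0x80]) + a_good[1:]
    return recovered, ok, bad, validate_a_field(a_good) is not None, validate_a_field(a_bad) is None
```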
Cleartext A-Field Data
- Static System Information (RFP): TDMA timing details; supported frequencies; number of transceivers; supported and required encryption; voice codecs; lots of other fun stuff
- MAC Control (RFP, PP): connection establishment; MAC layer encryption setup
- Paging Tail (RFP): timeslot availability details; supported modulation types
- Identity Information (RFP): RFPI (globally unique identifier); type of basestation (residential, enterprise, etc.)
- Identity Information (PP): RFPI of the associated RFP
- C-plane (Control Plane) (RFP, PP): call control management; caller ID details
Conclusions
- SDRs are a viable platform for DECT research
- A low complexity DECT sniffer can decode 5 channels simultaneously with a modern Android phone or Linux computer
- Join me next time for more adventures with SDR and DECT!