ReDECTed: Building an SDR based DECT sniffer
May 27th, 2015 | HITB HAXPO | Marc Newlin

What is a DECT sniffer?
• DECT is the ubiquitous wireless protocol used by cordless phones
• A DECT sniffer uses an SDR to decode packets from nearby DECT devices

Why build a DECT sniffer?
• DECT has a high adoption rate worldwide
• Writing SDR protocol decoders is fun!
• Hacking on a sniffer is a great way to learn a new protocol
• Existing DECT sniffers rely on hardware that is no longer produced
• SDRs are highly available

Dedicated DECT hardware
• COM-ON-AIR cards from DOSCH-AMAND
• PCMCIA DECT transceiver
• Can be used as a generic DECT device
• No longer produced; increasingly difficult to find

Prior DECT sniffer work
• deDECTed
  ◦ Released open source firmware/driver for COM-ON-AIR cards
  ◦ Reverse engineered the DECT Standard Authentication Algorithm
• Osmocom DECT
  ◦ DECT stack for Linux
  ◦ Works with COM-ON-AIR cards to function as a DECT handset or basestation

Some Important Terms
Acronym   Meaning
RFP       Radio Fixed Part (basestation)
PP        Portable Part (handset)
RFPI      Radio Fixed Part Identifier (5-octet globally unique identifier)
C-plane   Control Plane
TDMA      Time Division Multiple Access
LSIG      Link Signature
PMID      Portable MAC Identifier

DECT Physical Layer
• 1.152 Msymbol/s per channel (GFSK carries one bit per symbol, so the sniffer runs at a 1.152 MHz sample rate per channel)
• 1.728 MHz channel spacing
• 5 channels (8.64 MHz) in North America, and 10 channels everywhere else (17.28 MHz)
• DECT is called "DECT 6.0" in North America, but strictly for marketing reasons
• Typically between 1880 MHz and 1930 MHz, but also found at 900 MHz, 2 GHz, and 2.4 GHz
• GFSK modulation (required)
• DQPSK, D8PSK, QAM16, QAM64 modulation (optional)
• TDMA channel access

Project goals
• Build a DECT sniffer that works on both a Linux computer and an Android phone
• Keep complexity to a minimum
  ◦ Signal processing is computationally expensive
  ◦ Lower complexity means lower power consumption
  ◦ Future self is not smart (keep code simple and well documented!!)
• Decode all 5 North American DECT channels simultaneously (requires a fancy SDR)
• Support single channel decoding with an inexpensive SDR
• Most importantly, learn something!

SDR hardware
                  USRP B210         RTL-SDR (E4000 tuner)
Price             $1100 USD         $50 USD
Bandwidth         56 MHz            3.2 MHz
Frequency range   70 MHz – 6 GHz    52 MHz – 2.2 GHz
Sample depth      12-bit            8-bit
Host interface    USB 3.0           USB 2.0

What do we need to build?
• Channelizer: in the case of 5 DECT channels, this takes the 8.64 MHz input and splits it into 5x 1.728 MHz streams
• FM Demodulator: turns the output of each channelized stream into bits
• Frame / slot / packet recovery: takes the demodulated bits and figures out what the DECT hardware is doing

Keep it simple
• SDR doesn't have to be complicated...
  Things requiring a Ph.D. to understand   Other things
  MS Word page formatting                  Software Defined Radio

Host Environment
• Linux Host
  ◦ Intel C Compiler
  ◦ Intel Performance Primitives
  ◦ Intel Thread Building Blocks
  ◦ AVX2 and SSE4 SIMD intrinsics
  ◦ Any Intel Core processor
• Android Host
  ◦ Android NDK
  ◦ Project Ne10
  ◦ ARM NEON SIMD intrinsics
  ◦ Quad core ARMv7a processor

Talking to the SDR
• What is required to get I/Q samples from the SDRs?
• USRP B210: UHD, Boost, libusb
• RTL-SDR E4000: librtlsdr, libusb

PFB Channelizer
1. Generate low pass filter coefficients for one channel
  • For N channels, the number of filter coefficients must be an integer multiple of N
2. Low pass filter each channel
  • For N channels, every Nth sample belongs to the same channel (polyphase branch)
  • Each channel is filtered by every Nth coefficient
  • Given 5 channels, channel 2's samples are 2, 7, 12, etc., which are filtered by coefficients 2, 7, 12, etc.
3. Send the filtered samples through an N-bin FFT
4. Deinterleave the output (at which point each output stream contains samples from one channel)

PFB Channelizer – Linux / PFB Channelizer – Android
[code slides; the listings were not captured in this text]

FM Demodulator
1. Multiply a sample by the complex conjugate of the previous sample.
2. Compute the phase angle of the result.
3. Positive phase angle means bit 1, negative phase angle means bit 0.

FM Demodulator – Linux / FM Demodulator – Android
[code slides; the listings were not captured in this text]

Timing Recovery
The DECT device clock and SDR clock will typically be offset by a small amount. We need to correct this offset in order to produce accurate bits.
1. With no offset, the phase angle representing a 1 bit has the same magnitude as the phase angle representing a 0 bit, with the opposite sign; any asymmetry between the two is the error value.
2. Use the error value to determine the clock difference between the DECT device and the SDR.
3. Interpolate the output value based on the error value.

Timing Recovery – Linux / Timing Recovery – Android
[code slides; the listings were not captured in this text]

DECT TDMA Frames and Slots
• 1 frame = 24 time slots (10 ms)
• 1 slot = 480 symbols (480 samples/bits with GFSK modulation)
  ◦ Check: 24 x 480 = 11,520 symbols, which is 10 ms at 1.152 Msymbol/s
• 12 downlink slots are followed by 12 uplink slots
• Slots are used in pairs: [0, 12], [1, 13], etc. (the RFP transmits in slot n, the PP answers in slot n + 12)
• Full and double slots start at slot symbol offset 0
• Half slots start at symbol offset 0 or 240

Fixed Capacity Packets
• Packet Type P0: 96 symbols, 1 timeslot
• Packet Type P32: 420 or 424 symbols, 1 timeslot
• Packet Type P80: 900 or 904 symbols, 2 timeslots
• The 4-symbol difference within a type is the optional Z field (P32: 32 S + 64 A + 320 B + 4 X = 420, plus 4 Z = 424)

Variable Capacity Packets
• Packet Type P00j: variable length; half slot, full slot, or double slot

DECT TDMA Multiframe
• 1 multiframe = 16 frames
• RFPs transmit a multiframe marker in frame 8 of each multiframe
• Multiframes are used as a unit of duration
• Multiframes are numbered when encryption is enabled

DECT Packet Structure
Field     Description
S field   preamble and sync word
D field   payload (A field, B field, X field)
A field   MAC header and tail, protected by a 16 bit CRC, unencrypted
B field   data (voice, control data, etc.), can be encrypted
X field   4 bit CRC computed over the B field
Z field   the last 4 symbols of the D field repeated, used to detect interference from unsynchronized transmitters sliding into adjacent timeslots

S-field Detector
• RFP S-field: AA-AA-E9-8A
• PP S-field: 55-55-16-75
• S-field begins with a preamble of alternating 1's and 0's, followed by a sync word
• Preamble can be optionally extended by an additional 16 bits
• The PP S-field is the inverse of the RFP S-field (0xAAAAE98A XOR 0xFFFFFFFF = 0x55551675)
• Packet detector maintains a ring buffer of incoming bits and bytes
• After each new bit, the ring buffer is checked against both the PP and RFP S-fields
• When a match is found, the potential packet is passed up to the MAC layer

S-field Detector
[code slide; the listing was not captured in this text]

A-field Validator
• Detecting an S-field doesn't mean we have a valid packet
• A-field validator calculates the 16 bit CRC, and continues only if it matches
• If we have a valid A-field, we proceed to determine the slot and frame indexes of this packet

A-field Validator
[code slide; the listing was not captured in this text]

Recovering TDMA Timing
• Not all packets contain unique identifiers
• Must achieve TDMA sync to infer transceiver state
• Multiframe markers transmit system information once per multiframe
• There are 12 multiframe marker types, transmitted at periodic intervals

C-plane Frames
• Frames are fragmented and sent in multiple A-field tails
• Protected by a 16-bit CRC
• CRC is XOR'd with the LSIG (lower 16 bits of the PMID)
• Common single-fragment C-plane messages allow us to reverse the LSIG
• Once we know the LSIG for a given connection (timeslot), we can CRC-validate and decode multi-fragment frames

Reversing the LSIG / Reassembling C-plane Frames
[code slides; the listings were not captured in this text]

Cleartext A-Field Data
• Static System Information (RFP)
  ◦ TDMA timing details
  ◦ Supported frequencies
  ◦ Number of transceivers
  ◦ Supported and required encryption
  ◦ Voice codecs
  ◦ Lots of other fun stuff
• MAC Control (RFP, PP)
  ◦ Connection establishment
  ◦ MAC layer encryption setup
• Paging Tail (RFP)
  ◦ Timeslot availability details
  ◦ Supported modulation types
• Identity Information (RFP)
  ◦ RFPI (globally unique identifier)
  ◦ Type of basestation (residential, enterprise, etc.)
• Identity Information (PP)
  ◦ RFPI of the associated RFP
• C-plane (Control Plane) (RFP, PP)
  ◦ Call control management
  ◦ Caller ID details

Conclusions
• SDRs are a viable platform for DECT research
• A low complexity DECT sniffer can decode 5 channels simultaneously with a modern Android phone or Linux computer

Join me next time for more adventures with SDR and DECT!
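The four PFB Channelizer steps from the deck, as an added example in pure Python (this is not the ReDECTed C/NDK code): a critically sampled polyphase filter-bank channelizer for N channels, checked with a constructed tone. The 5-channel North American layout is the deck's; the tap count, the Hamming window and the test tone are assumptions.

```python
import cmath
import math

# Added example, not the ReDECTed code: a critically sampled polyphase
# filter-bank (PFB) channelizer following the four steps on the slide.
# The 5-channel North American layout is from the deck; the tap count,
# the Hamming window and the constructed test tone are assumptions.

NA_CHANNELS = 5           # 5 x 1.728 MHz = 8.64 MHz of input bandwidth


def lowpass_taps(num_channels, taps_per_channel=12):
    """Step 1: prototype low-pass filter one channel wide.  Its length is
    num_channels * taps_per_channel, an integer multiple of N by construction."""
    length = num_channels * taps_per_channel
    cutoff = 0.5 / num_channels                  # half a channel, in cycles/sample
    centre = (length - 1) / 2
    taps = []
    for n in range(length):
        x = n - centre
        ideal = 2 * cutoff if x == 0 else math.sin(2 * math.pi * cutoff * x) / (math.pi * x)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * n / (length - 1))   # Hamming
        taps.append(ideal * window)
    gain = sum(taps)
    return [t / gain for t in taps]              # unity gain at DC


def channelize(samples, num_channels, taps):
    """Steps 2-4: polyphase filtering, an N-bin DFT across the branches, and one
    output sample per channel for every N input samples."""
    n = num_channels
    if len(taps) % n:
        raise ValueError("tap count must be an integer multiple of the channel count")
    # Step 2: branch p owns input samples p, p+N, p+2N, ... and taps p, p+N, p+2N, ...
    branches = [taps[p::n] for p in range(n)]
    history = [[0j] * len(branches[0]) for _ in range(n)]   # newest sample first
    outputs = [[] for _ in range(n)]
    for start in range(0, len(samples) - n + 1, n):
        filtered = []
        for p in range(n):
            history[p].insert(0, samples[start + p])
            history[p].pop()
            filtered.append(sum(c * s for c, s in zip(branches[p], history[p])))
        # Step 3: N-bin DFT.  Bin k is the channel centred at k * fs / N; bins above
        # N / 2 are the negative-frequency channels.  (N is small, so a direct DFT.)
        for k in range(n):
            outputs[k].append(sum(filtered[p] * cmath.exp(-2j * math.pi * p * k / n)
                                  for p in range(n)))
    return outputs   # Step 4: one list per channel, i.e. already de-interleaved


def channel_energies(outputs, skip):
    """Mean output power per channel, ignoring the first `skip` samples (filter warm-up)."""
    return [sum(abs(v) ** 2 for v in ch[skip:]) / max(1, len(ch) - skip) for ch in outputs]


def constructed_tone(channel, num_channels, num_samples):
    """Constructed input: a complex tone at `channel` * fs / N (a fractional value
    puts the tone part-way across a channel)."""
    return [cmath.exp(2j * math.pi * channel * i / num_channels) for i in range(num_samples)]


def dominant_channel(samples, num_channels, taps_per_channel=12):
    """Which channel a burst lands in, and how far its power is above the next channel."""
    taps = lowpass_taps(num_channels, taps_per_channel)
    energy = channel_energies(channelize(samples, num_channels, taps), skip=taps_per_channel)
    best = max(range(num_channels), key=energy.__getitem__)
    runner_up = max(e for i, e in enumerate(energy) if i != best)
    return best, energy[best] / max(runner_up, 1e-30)


if __name__ == "__main__":
    tone = constructed_tone(2.2, NA_CHANNELS, 1000)      # just above channel 2's centre
    best, ratio = dominant_channel(tone, NA_CHANNELS)
    print("tone lands in channel %d, %.0fx above the next channel" % (best, ratio))
```

Output bin k is centred at k x fs/N, so for the 5-channel band bins 3 and 4 are the two negative-frequency channels; in the sniffer each output list is then handed to its own FM demodulator.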
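The FM Demodulator steps and the first two Timing Recovery steps from the deck, as an added example in Python (not the ReDECTed code): conjugate multiply, phase angle and sign decision, with the clock offset measured as the asymmetry between the 1 and 0 angles over the alternating preamble and converted to Hz. The DECT symbol rate is the deck's; the 288 kHz deviation, the carrier offset and the payload bits are assumptions, and symbol-timing interpolation (step 3) is not modelled since the burst is generated at exactly one sample per symbol.

```python
import cmath
import math

# Added example, not the ReDECTed code: the FM demodulator from the slide
# (conjugate multiply, phase angle, sign) plus the first two timing-recovery
# steps, run against a constructed 2-FSK burst at one sample per symbol.
# The symbol rate is DECT's; the 288 kHz deviation, the carrier offset and
# the payload bits are assumptions.  Symbol-timing interpolation (step 3)
# is not modelled: the burst is generated exactly one sample per symbol.

SYMBOL_RATE = 1_152_000          # DECT symbol rate, one sample per symbol here
DEVIATION_HZ = 288_000           # assumed nominal GFSK deviation (symbol rate / 4)
PREAMBLE = [1, 0] * 8            # 0xAAAA, the alternating RFP S-field preamble
SAMPLE_PAYLOAD = [int(b) for b in format(0xE98A1234DEADBEEF, "064b")]   # constructed


def constructed_fsk(bits, carrier_offset_hz=0.0):
    """Constructed 2-FSK burst (no Gaussian shaping).  Element 0 is the reference
    sample before the first symbol, so sample i+1 carries bit i."""
    phase, samples = 0.0, [1 + 0j]
    for b in bits:
        f = (DEVIATION_HZ if b else -DEVIATION_HZ) + carrier_offset_hz
        phase += 2 * math.pi * f / SYMBOL_RATE
        samples.append(cmath.exp(1j * phase))
    return samples


def fm_demod(samples):
    """Steps 1-2: multiply each sample by the conjugate of the previous one and take
    the phase angle; the result is the frequency step for that symbol, in radians."""
    return [cmath.phase(cur * prev.conjugate()) for prev, cur in zip(samples, samples[1:])]


def slice_bits(angles, bias=0.0):
    """Step 3: positive angle -> 1, negative -> 0, after removing the measured bias."""
    return [1 if a - bias > 0 else 0 for a in angles]


def estimate_bias(angles):
    """Timing recovery step 1: with no clock offset the 1 and 0 angles are equal and
    opposite, so their mean over a balanced pattern (the preamble) is the error value."""
    return sum(angles) / len(angles)


def bias_to_hz(bias):
    """Step 2: the per-symbol phase error is the frequency difference between the
    DECT device's clock and the SDR's."""
    return bias * SYMBOL_RATE / (2 * math.pi)


def max_correctable_offset_hz():
    """The angle wraps at +/-pi, so offsets beyond this alias onto the wrong sign."""
    return SYMBOL_RATE / 2 - DEVIATION_HZ


def demodulate_burst(samples, preamble_len=len(PREAMBLE)):
    """Bits and estimated clock offset (Hz) for one burst that starts with the preamble."""
    angles = fm_demod(samples)
    bias = estimate_bias(angles[:preamble_len])
    return slice_bits(angles, bias), bias_to_hz(bias)


if __name__ == "__main__":
    burst = constructed_fsk(PREAMBLE + SAMPLE_PAYLOAD, carrier_offset_hz=250_000)
    bits, offset = demodulate_burst(burst)
    print("recovered %d bits, clock offset %.0f Hz" % (len(bits), offset))
```

The limit worth knowing: with a 288 kHz deviation at 1.152 Msymbol/s the nominal angles are +/-pi/2, so an offset of more than 288 kHz pushes one of them past pi and it wraps to the wrong sign before any bias correction can help.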
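The S-field Detector and the slot arithmetic from the DECT TDMA Frames and Slots slide, as an added example in Python (not the ReDECTed code): a 32-bit window is compared with both sync patterns after every bit, and each hit is mapped to a slot index, a symbol offset and its paired slot. The sync words, slot length and slot count are the deck's; the frame anchor, the packet positions and the LFSR filler bits are assumptions.

```python
# Added example, not the ReDECTed code: the S-field detector from the slide
# (a 32-bit window checked against both sync patterns after every bit) and the
# slot arithmetic from the TDMA slides, run on a constructed bit stream.  The
# sync words, slot length and slot count are the deck's; the frame anchor, the
# packet positions and the LFSR filler are assumptions.

RFP_SFIELD = 0xAAAAE98A        # AA-AA-E9-8A, first transmitted bit is the MSB
PP_SFIELD = 0x55551675         # 55-55-16-75
SFIELD_BITS = 32
SLOT_SYMBOLS = 480
SLOTS_PER_FRAME = 24
FRAME_SYMBOLS = SLOT_SYMBOLS * SLOTS_PER_FRAME   # 11,520 symbols = 10 ms
FRAME_START = 37               # constructed: symbol index where slot 0 begins


def sfields_are_inverse():
    """The PP S-field is the bitwise inverse of the RFP S-field."""
    return PP_SFIELD == RFP_SFIELD ^ 0xFFFFFFFF


class SFieldDetector:
    """Keeps the last 32 bits (the ring buffer on the slide, as a shift register)
    and compares them with both S-fields after each new bit."""

    def __init__(self):
        self.window = 0
        self.count = 0                       # bits consumed so far

    def push(self, bit):
        """Returns ("RFP" | "PP", packet start symbol) on a match, else None."""
        self.window = ((self.window << 1) | (bit & 1)) & 0xFFFFFFFF
        self.count += 1
        if self.count < SFIELD_BITS:
            return None
        start = self.count - SFIELD_BITS     # index of the first preamble bit
        if self.window == RFP_SFIELD:
            return "RFP", start
        if self.window == PP_SFIELD:
            return "PP", start
        return None


def find_sfields(bits):
    det = SFieldDetector()
    return [hit for hit in map(det.push, bits) if hit]


def slot_position(packet_start, frame_start):
    """(slot index, symbol offset within the slot) of a packet start.  Full and
    double slots start at offset 0, half slots at 0 or 240."""
    rel = (packet_start - frame_start) % FRAME_SYMBOLS
    return rel // SLOT_SYMBOLS, rel % SLOT_SYMBOLS


def paired_slot(slot):
    """Slots are used in pairs [n, n+12]: RFP in 0-11, the PP reply 12 slots later."""
    return (slot + 12) % SLOTS_PER_FRAME


def direction_matches(kind, slot):
    """Sanity check once TDMA sync is known: RFP bursts belong in the downlink half."""
    return (slot < 12) == (kind == "RFP")


def int_bits(value, width):
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def lfsr_bits(count, seed=0xACE1):
    """Constructed filler: 16-bit Galois LFSR (taps 0xB400) standing in for noise."""
    state, out = seed, []
    for _ in range(count):
        out.append(state & 1)
        state = (state >> 1) ^ (0xB400 if state & 1 else 0)
    return out


def constructed_stream():
    """Noise with an RFP packet at slot 1 and a PP packet at slot 13 (its pair)."""
    bits = lfsr_bits(FRAME_START + FRAME_SYMBOLS)
    for kind, slot in (("RFP", 1), ("PP", 13)):
        start = FRAME_START + slot * SLOT_SYMBOLS
        word = RFP_SFIELD if kind == "RFP" else PP_SFIELD
        bits[start:start + SFIELD_BITS] = int_bits(word, SFIELD_BITS)
    return bits


if __name__ == "__main__":
    for kind, start in find_sfields(constructed_stream()):
        slot, offset = slot_position(start, FRAME_START)
        print("%s S-field at symbol %d -> slot %d, offset %d, paired slot %d"
              % (kind, start, slot, offset, paired_slot(slot)))
```

A sync-word hit alone is only a candidate: the deck passes it up to the A-field validator, and the slot index is only meaningful once a frame anchor has been recovered from the multiframe markers.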
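The A-field Validator and the C-plane LSIG reversal from the deck, as one added example in Python (not the ReDECTed code): the 16-bit R-CRC over the 48 header and tail bits, validation with and without an LSIG, recovery of the LSIG from a fragment whose content is trusted, and a confirmation step that only accepts the recovered value once it validates further fragments on the same connection. The A-field layout and the R-CRC generator polynomial are DECT's; the CRC register conventions (zero initial value, MSB first, no final transformation), the sample fields and the LSIG value are assumptions, so check the CRC against the DECT specification before relying on it for real captures.

```python
# Added example, not the ReDECTed code: the A-field validator and the LSIG
# reversal from the C-plane slides.  The A-field layout (8-bit header, 40-bit
# tail, 16-bit CRC) and the R-CRC generator polynomial are DECT's; the CRC
# register conventions (zero initial value, MSB first, no final transformation),
# the sample fields and the LSIG value are assumptions.

RCRC_POLY = 0x0589          # x^16 + x^10 + x^8 + x^7 + x^3 + 1, the DECT R-CRC generator
PAYLOAD_BITS = 48           # header (8) + tail (40), the bits the R-CRC covers


def crc16(data, nbits, poly=RCRC_POLY):
    """Remainder of data(x) * x^16 divided by the generator, bit-serial, MSB first."""
    reg = 0
    for i in range(nbits - 1, -1, -1):
        top = reg >> 15
        reg = ((reg << 1) | ((data >> i) & 1)) & 0xFFFF
        if top:
            reg ^= poly
    for _ in range(16):                     # shift in the 16 augmenting zero bits
        top = reg >> 15
        reg = (reg << 1) & 0xFFFF
        if top:
            reg ^= poly
    return reg


def build_afield(header, tail, lsig=0):
    """64-bit A-field: header | tail | (R-CRC XOR LSIG).  lsig=0 for tails whose
    CRC is not scrambled."""
    if not 0 <= header < 1 << 8 or not 0 <= tail < 1 << 40 or not 0 <= lsig < 1 << 16:
        raise ValueError("field out of range")
    payload = (header << 40) | tail
    return (payload << 16) | (crc16(payload, PAYLOAD_BITS) ^ lsig)


def validate_afield(afield, lsig=0):
    """The A-field validator: recompute the 16-bit CRC (unscrambled with the LSIG
    where one is known) and compare it with the received CRC."""
    payload = afield >> 16
    return (crc16(payload, PAYLOAD_BITS) ^ lsig) == (afield & 0xFFFF)


def recover_lsig(afield):
    """Reversing the LSIG: for a fragment whose tail we trust (a common
    single-fragment C-plane message), received CRC XOR computed CRC is the LSIG."""
    return crc16(afield >> 16, PAYLOAD_BITS) ^ (afield & 0xFFFF)


def confirm_lsig(fragments):
    """Derive the LSIG from the first fragment and accept it only if it validates
    every other fragment seen on the same connection; otherwise return None."""
    candidate = recover_lsig(fragments[0])
    return candidate if all(validate_afield(f, candidate) for f in fragments[1:]) else None


def sample_fragments(lsig=0x2A7C):
    """Constructed Cs-channel fragments sharing one (assumed) LSIG."""
    return [build_afield(0x0D, 0x1122334455, lsig),
            build_afield(0x0D, 0x66778899AA, lsig),
            build_afield(0x0D, 0xBBCCDDEEFF, lsig)]


if __name__ == "__main__":
    frags = sample_fragments()
    print("plain validation of a scrambled fragment:", validate_afield(frags[0]))
    print("recovered LSIG: 0x%04X" % confirm_lsig(frags))
```

Why the confirmation step matters: `recover_lsig` returns some 16-bit value for any A-field, including one with bit errors, so a candidate is only trusted once it CRC-validates other fragments on the same timeslot; that is also what lets the sniffer reassemble multi-fragment C-plane frames, which it could not validate before knowing the LSIG.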