From HFUnderground

Revision as of 17:05, 25 April 2021 by R4002 (Talk | contribs)
Jump to: navigation, search

Digital enhanced cordless telecommunications (Digital European cordless telecommunications),

usually known by the acronym DECT, is a standard primarily used for creating cordless telephone systems. It originated in Europe, where it is the universal standard, replacing earlier cordless phone standards, such as 900 MHz CT1 and CT2.<ref name=rohde>Template:Cite web</ref>

Beyond Europe, it has been adopted by Australia and most countries in Asia and South America. North American adoption was delayed by United States radio-frequency regulations. This forced development of a variation of DECT called DECT 6.0, using a slightly different frequency range, which makes these units incompatible with systems intended for use in other areas, even from the same manufacturer. DECT has almost universally replaced other standards in most countries where it is used, with the exception of North America.

DECT was originally intended for fast roaming between networked base stations, and the first DECT product was Net3 wireless LAN. However, its most popular application is single-cell cordless phones connected to traditional analog telephone, primarily in home and small-office systems, though gateways with multi-cell DECT and/or DECT repeaters are also available in many private branch exchange (PBX) systems for medium and large businesses, produced by Panasonic, Mitel, Gigaset, Snom, BT Business, Spectralink, and RTX Telecom. DECT can also be used for purposes other than cordless phones, such as baby monitors and industrial sensors. The ULE Alliance's DECT ULE and its "HAN FUN" protocol<ref>HAN FUN, "Home Area Network FUNctional protocol".</ref> are variants tailored for home security, automation, and the internet of things (IoT).

The DECT standard includes the generic access profile (GAP), a common interoperability profile for simple telephone capabilities, which most manufacturers implement. GAP-conformance enables DECT handsets and bases from different manufacturers to interoperate at the most basic level of functionality, that of making and receiving calls. Japan uses its own DECT variant, J-DECT, which is supported by the DECT forum.<ref></ref>

The New Generation DECT (NG-DECT) standard, marketed as CAT-iq by the DECT Forum, provides a common set of advanced capabilities for handsets and base stations. CAT-iq allows interchangeability across IP-DECT base stations and handsets from different manufacturers, while maintaining backward compatibility with GAP equipment. It also requires mandatory support for wideband audio.


Technical features

The DECT standard specifies a means for a portable phone or "Portable Part" to access a fixed telephone network via radio. Base station or "Fixed Part" is used to terminate the radio link and provide access to a fixed line. A gateway is then used to connect calls to the fixed network, such as public switched telephone network (telephone jack), office PBX, ISDN, or VoIP over Ethernet connection.

Typical abilities of a domestic DECT Generic Access Profile (GAP) system include multiple handsets to one base station and one phone line socket. This allows several cordless telephones to be placed around the house, all operating from the same telephone jack. Additional handsets have a battery charger station that does not plug into the telephone system. Handsets can in many cases be used as intercoms, communicating between each other, and sometimes as walkie-talkies, intercommunicating without telephone line connection.

DECT operates in the 1880–1900 MHz band and defines ten frequency channels from 1881.792 MHz to 1897.344 MHz with a band gap of 1728 kHz.

DECT operates as a multicarrier frequency division multiple access (FDMA) and time division multiple access (TDMA) system. This means that the radio spectrum is divided into physical carriers in two dimensions: frequency and time. FDMA access provides up to 10 frequency channels, and TDMA access provides 24 time slots per every frame of 10Template:Nbspms. DECT uses time division duplex (TDD), which means that down- and uplink use the same frequency but different time slots. Thus a base station provides 12 duplex speech channels in each frame, with each time slot occupying any available channelTemplate:Snd thus 10 × 12 = 120 carriers are available, each carrying 32 kbit/s.

DECT also provides frequency-hopping spread spectrum over TDMA/TDD structure for ISM band applications. If frequency-hopping is avoided, each base station can provide up to 120 channels in the DECT spectrum before frequency reuse. Each timeslot can be assigned to a different channel in order to exploit advantages of frequency hopping and to avoid interference from other users in asynchronous fashion.<ref>Template:Cite book</ref>

DECT allows interference-free wireless operation to around Template:Convert outdoors. Indoor performance is reduced when interior spaces are constrained by walls.

DECT performs with fidelity in common congested domestic radio traffic situations. It is generally immune to interference from other DECT systems, Wi-Fi networks, video senders, Bluetooth technology, baby monitors and other wireless devices.

Technical properties

File:Pulse duration measurement of a DECT phone.jpg
DECT pulse duration measurement (100Template:NbspHz, 10Template:Nbspms) on channel 8

ETSI standards documentation ETSI EN 300 175 parts 1–8 (DECT), ETSI EN 300 444 (GAP) and ETSI TS 102 527 parts 1–5 (NG-DECT) prescribe the following technical properties:

Physical layer

The DECT physical layer uses FDMA/TDMA access with TDD.

Gaussian frequency-shift keying (GFSK) modulation is used: the binary one is coded with a frequency increase by 288 kHz, and the binary zero with frequency decrease of 288 kHz. With high quality connections, 2-, 4- or 8-level Differential PSK modulation (DBPSK, DQPSK or D8PSK), which is similar to QAM-2, QAM-4 and QAM-8, can be used to transmit 1, 2, or 3 bits per each symbol. QAM-16 and QAM-64 modulations with 4 and 8 bits per symbol can be used for user data (B-field) only, with resulting transmission speeds of up to 5,068Template:NbspMbit/s.

DECT provides dynamic channel selection and assignment; the choice of transmission frequency and time slot is always made by the mobile terminal. In case of interference in the selected frequency channel, the mobile terminal (possibly from suggestion by the base station) can initiate either intracell handover, selecting another channel/transmitter on the same base, or intercell handover, selecting a different base station altogether. For this purpose, DECT devices scan all idle channels at regular 30Template:Nbsps intervals to generate a received signal strength indication (RSSI) list. When a new channel is required, the mobile terminal (PP) or base station (FP) selects a channel with the minimum interference from the RSSI list.

The maximum allowed power for portable equipment as well as base stations is 250 mW. A portable device radiates an average of about 10 mW during a call as it is only using one of 24 time slots to transmit. In Europe, the power limit was expressed as effective radiated power (ERP), rather than the more commonly used equivalent isotropically radiated power (EIRP), permitting the use of high-gain directional antennas to produce much higher EIRP and hence long ranges.

Data link layer

The DECT media access control layer controls the physical layer and provides connection oriented, connectionless and broadcast services to the higher layers.

The DECT data link layer uses Link Access Protocol Control (LAPC), a specially designed variant of the ISDN data link protocol called LAPD. They are based on HDLC.

GFSK modulation uses a bit rate of 1152 kbit/s, with a frame of 10Template:Nbspms (11520Template:Nbspbits) which contains 24 time slots. Each slots contains 480 bits, some of which are reserved for physical packets and the rest is guard space. Slots 0–11 are always used for downlink (FP to PP) and slots 12–23 are used for uplink (PP to FP).

There are several combinations of slots and corresponding types of physical packets with GFSK modulation:

  • Basic packet (P32)Template:Snd 420 or 424 bits "full slot", used for normal speech transmission. User data (B-field) contains 320 bits.
  • Low-capacity packet (P00)Template:Snd 96 bits at the beginning of the time slot ("short slot"). This packet only contains 64-bit header (A-field) used as a dummy bearer to broadcast base station identification when idle.
  • Variable capacity packet (P00j)Template:Snd 100 + j or 104 + j bits, either two half-slots (0 ≤ j ≤ 136) or "long slot" (137 ≤ j ≤ 856). User data (B-field) contains j bits.
    • P64 (j = 640), P67 (j = 672)Template:Snd "long slot", used by NG-DECT/CAT-iq wideband voice and data.
  • High-capacity packet (P80)Template:Snd 900 or 904 bits, "double slot". This packet uses two time slots and always begins in an even time slot. The B-field is increased to 800 bits..

The 420/424 bits of a GFSK basic packet (P32) contain the following fields:

  • 32 bitsTemplate:Snd synchronization code (S-field): constant bit string AAAAE98AH for FP transmission, 55551675H for PP transmission
  • 388 bitsTemplate:Snd data (D-field), including
    • 64 bitsTemplate:Snd header (A-field): control traffic in logical channels C, M, N, P, and Q
    • 320 bitsTemplate:Snd user data (B-field): DECT payload, i.e. voice data
    • 4 bitsTemplate:Snd error-checking (X-field): CRC of the B-field
  • 4 bitsTemplate:Snd collision detection/channel quality (Z-field): optional, contains a copy of the X-field

The resulting full data rate is 32 kbit/s, available in both directions.

Network layer

The DECT network layer always contains the following protocol entities:

  • Call Control (CC)
  • Mobility Management (MM)

Optionally it may also contain others:

  • Call Independent Supplementary Services (CISS)
  • Connection Oriented Message Service (COMS)
  • Connectionless Message Service (CLMS)

All these communicate through a Link Control Entity (LCE).

The call control protocol is derived from ISDN DSS1, which is a Q.931-derived protocol. Many DECT-specific changes have been made.Template:Specify

The mobility management protocol includes the management of identities, authentication, location updating, on-air subscription and key allocation. It includes many elements similar to the GSM protocol, but also includes elements unique to DECT.

Unlike the GSM protocol, the DECT network specifications do not define cross-linkages between the operation of the entities (for example, Mobility Management and Call Control). The architecture presumes that such linkages will be designed into the interworking unit that connects the DECT access network to whatever mobility-enabled fixed network is involved. By keeping the entities separate, the handset is capable of responding to any combination of entity traffic, and this creates great flexibility in fixed network design without breaking full interoperability.

DECT GAP is an interoperability profile for DECT. The intent is that two different products from different manufacturers that both conform not only to the DECT standard, but also to the GAP profile defined within the DECT standard, are able to interoperate for basic calling. The DECT standard includes full testing suites for GAP, and GAP products on the market from different manufacturers are in practice interoperable for the basic functions.


The DECT media access control layer includes authentication of handsets to the base station using the DECT Standard Authentication Algorithm (DSAA). When registering the handset on the base, both record a shared 128-bit Unique Authentication Key (UAK). The base can request authentication by sending two random numbers to the handset, which calculates the response using the shared 128-bit key. The handset can also request authentication by sending a 64-bit random number to the base, which chooses a second random number, calculates the response using the shared key, and sends it back with the second random number.

The standard also provides encryption services with the DECT Standard Cipher (DSC). The encryption is fairly weak, using a 35-bit initialization vector and encrypting the voice stream with 64-bit encryption. While most of the DECT standard is publicly available, the part describing the DECT Standard Cipher was only available under a non-disclosure agreement to the phones' manufacturers from ETSI.

The properties of the DECT protocol make it hard to intercept a frame, modify it and send it later again, as DECT frames are based on time-division multiplexing and need to be transmitted at a specific point in time.<ref name=Tews-DECT-World-2016/> Unfortunately very few DECT devices on the market implemented authentication and encryption procedures<ref name=Tews-DECT-World-2016>Dr. DECT Secturity: Present, Past, Future. DECT World 2016 Presentations. Erik Tews, University of Birmingham. 31 May 2016.</ref><ref name="25c3"/>Template:Snd and even when encryption was used by the phone, it was possible to implement a man-in-the-middle attack impersonating a DECT base station and revert to unencrypted modeTemplate:Snd which allows calls to be listened to, recorded, and re-routed to a different destination.<ref name="25c3"/><ref name=RSA2009-DECT-Authentication>Lucks, Stefan; Schuler, Andreas; Tews, Erik; Weinmann, Ralf-Philipp; Wenzel, Matthias. Attacks on the DECT Authentication Mechanisms. Fischlin, Marc (Ed.): Topics in CryptologyTemplate:Snd CT-RSA 2009, The Cryptographers' Track at the RSA Conference 2009, San Francisco, CA, USA, April 20–24, 2009.</ref><ref name=Tews-DECT-Security>Erik Tews. DECT Security Analysis (Ph.D. Thesis). Technische Universität Darmstadt</ref>

After an unverified report of a successful attack in 2002,<ref>Template:Cite newsgroup</ref><ref>Template:Cite web</ref> members of the project actually did reverse engineer the DECT Standard Cipher in 2008,<ref name="25c3">Template:Cite news</ref> and as of 2010 there has been a viable attack on it that can recover the key.<ref name="DSC-analysis">Template:Cite web</ref>

In 2012, an improved authentication algorithm, the DECT Standard Authentication Algorithm 2 (DSAA2), and improved version of the encryption algorithm, the DECT Standard Cipher 2 (DSC2), both based on AES 128-bit encryption, were included as optional in the NG-DECT/CAT-iq suite.

DECT Forum also launched the DECT Security certification program which mandates the use of previously optional security features in the GAP profile, such as early encryption and base authentication.


Various access profiles have been defined in the DECT standard:

This site is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Some links may be affiliate links. We may get paid if you buy something or take an action after clicking one of these.