
Geoffrey C Grabow <gcg@pb.net> writes:
The key doesn't need to be found in real time! You can always record the call and decrypt it later. If the information deals with an event in the future, you could have plenty of time to crack it.
US 900 MHz digital cordless phones use MSK modulation on one of 40 channel pairs at 902.59-903.59 and 926.59-927.59 MHz. Privacy is achieved by XORing a PN sequence with the CODEC data. The sequence offset is determined by a 16-bit code derived from the base unit's serial number (the handset's codes are programmed when it is placed in the base unit). Simple scrambling, not any "encryption" worthy of the name.

A little experimentation with a cordless phone, a scanner with an MSK demodulator, a sound board, and some simple code to capture serial data on your computer's printer port would yield all of the frame information you need, and could then be used to capture real-world data for analysis. Post-processing of the captured data would yield the scrambling code in a matter of a day or so, and then you'd have the code for that target phone.

-- 
Roger Williams                  finger me for my PGP public key
Coelacanth Engineering          consulting & turnkey product development
Middleborough, MA               wireless * DSP-based instrumentation * ATE
tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/