Fritzbox 7270 Sniffer project

The AVM Fritzbox 7270 can be partially used as a sniffer for the DECT protocol.

Getting the PRNG output of a DECT phone

Every DECT phone needs to implement a PRNG algorithm for generating random numbers used in the DECT protocol. The AVM Fritzbox 7270 can be used to capture these numbers. When a phone is paired with the build in base station, the phone transmitts a random number, which can later be found in the debug messages of the kernel driver running on the Fritzbox 7270.
You only need to install the software freetz on the Fritzbox. Then it is possible to sniff the random numbers in the following way.

To capture these numbers, you need to do the following steps:

  1. Connect the Fritzbox with a computer.
  2. Install freetz on your Fritzbox:
  3. Install PuTTY on a computer:
  4. Open the web interface of the Fritzbox per typing in the address bar.
  5. Start PuTTY and open a new session using:
    • HostName:
    • Connection type: Telnet
  6. In the opening PuTTY window type:
    • user: root
    • password: depends on your freeze settings
  7. It is possible to save the debug messages on a usb flash drive connected to the Fritzbox. You need to change in the right directory: cd /var/media/ftp/uStor00
  8. Clean all debug messages to get only the messages during the pairing per cat /dev/debug
  9. Start pairing. The description here is based on the experience with Siemens phones. Choice the menu item 'MT anmelden'. The PIN you are offered to enter is standard 0000. Now you have to push the DECT button on the Fritzbox until the Info LED is blinking. Wait until the Info LED stops blinking.
  10. Per cat/dev/debug | tee log.txt you save the debug messages in the text file log. Naturally you can choice every other file name.
  11. Open the log.txt in the web interface.
  12. The random numbers sent by the DECT phone you find in the 'key allocation'-part.
Last modified 10 years ago Last modified on Dec 28, 2008, 8:00:58 PM