Yealink IP phones and Sennheiser DW Pro wireless headsets – what’s the magic within the EHS36 box?

If you’ve ever come across wireless headsets for office phones, you might have noticed that “wireless” in this case actually results in a lot more wires on your desk than using a regular wired headset: At least the charging / base station will need an additional power supply, and maybe also an adapter cable to fit the particular phone’s headset jack, since those base stations are rarely sold in multiple variants, tailored to a specific phone model, unlike the most simple wired headsets.

Now there’s one more advantage to wireless than just reducing the chance of accidentally pulling on the cable with an arm (or office chair): You can even leave the desk during calls. Thus it would be great to pickup and hangup calls remotely with a button on the headset – but how should the base station then signal this to the phone?

In mobile phones, this kind of button was considered for wired headsets right from the beginning: The de-facto standard means simply shorting the MIC+ line to GND (directly or with a certain resistor value to distinguish between additional functions like track skipping or volume control).

However, this was never a requirement for desk phones, so the information about ringing, accepting a call or hanging up usually needs to be transmitted out-of-band: Back in the days of analog phones, the most common approach involved mechanical handset lifters that would actually physically move the handset upwards from the phone, so the hook switch would be released or closed when the user presses the button on the headset, thus accepting the call or hanging up.

While this “standard” used to be widely compatible (it just needed to fit the gap underneath the handset), it seemed reasonable for manufacturers of modern ISDN and IP phones to come up with some less hardware-intensive solution – the “Electronic Hook Switch” (EHS).

Obviously, there could not be a common global standard for EHS functionality, but you will probably deal with one of the following (mostly country- or vendor-specific) flavours:

  • DHSG (“Drahtlose Hör-/Sprech-Garnitur”, formal German term for “wireless headset”) – probably the most widely deployed standard worldwide by now
  • AEI (“Additional Equipment Interface”) – by Avaya
  • HHC (“Headset Hookswitch Control”) – for Cisco IP phones
  • MSH (“Microphone Short Hook”, as mentioned above for mobile phones, will short the MIC line to GND to signal pickup / hangup) – available in some Alcatel phones
  • RHL (“Remote Handset Lifter”, apparently standardized interface for mechanical lifters as mentioned above)

I recently had the chance to play with some Sennheiser DW Pro DECT Headsets at the office – they offer DHSG, MSH and a (proprietary?) Handset Lifter. Our phones are Yealink T46G that do not come with EHS functionality out of the box, but you are supposed to purchase the $40 “EHS36” adapter box by Yealink, which is meant to be compatible with several wireless headset manufacturers (it even comes with a bunch of cables), including Sennheiser (in DHSG mode).

While there seems to be nothing wrong with purchasing one of those adapters for each desk, users report they would crash every once in a while and need to be re-plugged. Also it just made me curious that there is absolutely no information about pinouts or even protocols out there yet, not even a picture of the PCB… So here it is:

Yealink EHS36 PCB
Yealink EHS36 PCB

The 6P6C (RJ-12) connector on the right goes into the EXT port of the phone through a 1:1 modular cable.
For Sennheiser, a Y-Cable is included that connects the 8P8C port on the base with the 8P8C (RJ-45) port on the EHS36 (left) and the 4P4C (RJ-9) analog headset connector on the phone. Basically, Pins 3-6 for analog audio go into the Yealink phone in reverse order, while Pins 1, 2, 7 and 8 (DHSG Control Pins) go into Pins 3-6 (in this order) of the EHS36 8P8C connector.

For the detailed DHSG pinout, please see the innovaphone wiki:
The specifications are also available for download from there:

There’s also some info (in German) about DHSG Y-Cables here, the one for Sennheiser should be similar to this one:

I soldered some 0.1″ pin headers to the modular jack pins on the back of the PCB to capture the signalling between phone and headset base while making some test calls.

The DHSG part looks quite straightforward and can also be found in the specifications above:

DHSG / EHS wireless headset serial bus protocol signalling / commands specification
DHSG / EHS wireless headset serial bus protocol signalling / commands specification

8P8C pinout at EHS36 (only 3-6 seem to be connected):

Pin 3: GND
Pin 4: DHSG RX (“Bus Send”: headset -> EHS36)
Pin 5: +3.3V
Pin 6: DHSG TX (“Bus Receive”: EHS36 -> headset)

Due to the pause after each bit, it will not work with standard 8 bit hardware UART though.

However I will focus on the interface between phone and EHS36 here:

Here we have SPI with CPOL = 1, CPHA = 0 (“Mode 2”) and a variable bit count, so you probably cannot use most of the hardware implementations available in microcontrollers for this part either, since most of them can only handle fixed 8 bit data chunks.
There’s also an LDO voltage regulator on board that generates 3.3V for the logic levels from the phone’s 5V supply.

6P6C Pinout at EHS36 (conntected to phone’s EXT port):

Pin 1: MISO
Pin 2: MOSI
Pin 3: SS
Pin 4: GND
Pin 5: Vin (+5V)
Pin 6: SCLK

Let’s start with the most frequent signal:
Exactly once per second, the phone will send a 15bit poll message to the EHS box:

15 bit poll:
MOSI: 101100001100000
MISO: 000000000000101

(it seems that somewhere between bit 9 and 11 the EHS36 eventually decides to reply with …101)

Periodic “poll” signal (1 Hz) between Yealink T46G phone and EHS36

The same “poll” also occurs in between the 1Hz interval, directly before any other command will be sent.

So let’s ask the EHS36 to signal an incoming call to the headset: On SPI we will have the above “poll” followed by another message (/SS released shortly in between!) that is 21bits in length:

21 bits ring:
MOSI: 101000001000000000010
MISO: 000000000000000000000

The EHS36 then signals DHSG Code 1 to the headset base, and you can hear the ringing indicator in the earpiece.

Now what if you press pickup on the headset?
Upon receiving DHSG Code 2, EHS36 will set MISO high, which makes the phone immediately pull /SS low and start generating the clock for a transfer:

At first we see the same “poll” command as above, however MISO is still high during the first 12 bits:

MOSI: 101100001100000
MISO: 111111111111101 (apparently, only the last 3 bits are considered as acknowledge from EHS36 to the polling?)

After that, /SS will be released shortly and a new 19bits transfer is started – the phone will read the command from EHS:

19 bits pickup:
MOSI: 0111111111111111111
MISO: 1110100000100011001

EHS36 now confirms with DHSG Code 2 and the call is being accepted by the phone; curiously this is followed by two more “poll” commands with sometimes very delayed SPI clock (phone seems to be busy handling the call). After several hundred milliseconds to establish the call, the phone notifies the headset about the successfull connection again with DHSG Code 2 (this will also happen when you press accept on the phone rather than headset, or after you have dialled a number and the remote party accepts):

Again, we see a “poll” command followed by a signal that is 21 bits in length:

21 bits call established:
MOSI: 101000001000000000000
MISO: 000000000000000000000
EHS36 logic signals when picking up a call by pressing the headset button
EHS36 logic signals when picking up a call by pressing the headset button

What’s missing? Hanging up by pressing the headset button!

If the headset base sends DHSG Code 1 during a call, exactly the same will happen on SPI side as for pickup:
A “poll” with first 12 bits MISO high, followed by 19 bits pickup command. This is followed by two “regular poll” commands.
The base then receives DHSG Code 3 as an indicator that the call has been terminated.

Where to go from here?

Using the information above, it should be theoretically possible to build your own EHS-adapter for Yealink <-> DHSG, though this would most probably not be cheaper than buying the original one in the small scale.

However, you could add some nice features like Busy Light Indication – think of a little LED sign on your desk that shows clearly whether you are available or not?

There seems to be no busy light on the market yet that natively uses the EXT port on Yealink phones – all that money can buy at the moment will use workarounds like monitoring the state of the microphone audio line between phone and headset – through another little black plastic box on your desk… *sigh*

For the kuando Busylight Combi, for example, there’s even a dual version that allows you to use *either* handset or external headset, by looping both microphone lines through the box…

So stay tuned for my future attempts of putting EHS, Sennheiser Y-Cable and Busy Light Ddetection all into one little box 🙂

DVB-T2 HD auf billiger China-Hardware?

Gerüchte um die Abschaltung von DVB-T zugunsten eines Nachfolgestandards gibt es schon seit Jahren, vor einiger Zeit wurde es dann konkreter: Multinationale Ballsportereignisse zeigten sich ja schon in der Vergangenheit als äußerst geeignet, um neue Generationen von Entertainment-Hardware unter das konsumfreudige Volk zu bringen.

Also mal spaßeshalber bei AliExpress den nächstbilligsten China-DVB-T2-Stick für $18 bestellt, nur so zum Spielen, ohne Garantie auf Empfangbarkeit der terrestrischen Ausstrahlungen in Deutschland. Seit dem 31.05.2016 gibt es nun auch den ersten Pilotmultiplex in den Ballungsräumen.

Es folgt die Essenz aus stundenlangem Wälzen von Bullshit-Bingo und mehr oder weniger hilfreichem technischen Wissen und Halbwissen, das man zu dem Thema finden kann:

DVB-T2 wurde als ETSI-Standard ursprünglich mit MPEG-4 (H.264) eingeführt
in Deutschland wird als Videocodec HEVC (H.265) genutzt,
außerdem eine Modulation nach aktuellerer Spezifikation mit Multi-PLP (Physical Layer Pipes)
geschützte Wort-/Bildmarke "DVB-T2 HD" der Landesmedienanstalten als Zertifizierung für Geräte
Übertragung in 1080p50, öffentlich-rechtlich meist hochskaliert, EM-Spiele jedoch nativ in 1080p und damit momentan besser als über Satellit / Kabel!
momentan billigster China-Gadget DVB-T2-Stick von Astrometa:
RTL2832P + R828D (diese Kombination klingt doch irgendwoher vertraut)
+ dazu noch ein externer Demodulator für DVB-T2, fertig ist der Stick für DVB-T2
Demodulator-IC von Panasonic: alte Version MN88472, unterstützt kein M-PLP
Stick aufmachen: neue Hardware-Revision mit MN88473 drin?
juhuu, dann fehlt jetzt nur noch die Software!
Klickibunti-Player TVR von Astrometa für Windows:
immerhin halbwegs zum Scannen geeignet, will bei mir aber auch nach Installation von LAV Filters kein H.265 decodieren

E drücken für Einstellungen
Strg + Alt + Shift + D für erweiterte Hardware-Informationen
VLC unterstützt H.265 (und/oder den Demodulator!?) erst ab Version 3, also aktuelle Nightlies runterladen!
Im VLC dann nicht drauf reinfallen und "DVB-T2" wählen, sondern DVB-T!

What’s the frequency, Kenneth?

Schon bei der Einführung von DVB-T hielt man es seitens der Sendeanstalten offenbar nicht für nötig, die Sendefrequenzen rauszurücken. Neben detaillierten Übersichten zu FM-Radiofrequenzen in den Regionen und den Parametern für den SAT-Empfang wurden DVB-T-Nutzer damals lediglich darum gebeten, auf ihrem Klickibunti-Gerät “einen Suchlauf” durchzuführen.

Geht mit VLC leider nicht, muss auch nicht (man könnte aber sicher einfach ein Batch-/Shell-Skript basteln).

Eine Übersicht der Frequenzen für den DVB-T2 HD Pilotmultiplex (sowie viele weitere Informationen – bisher die mit Abstand hilfreichste Seite) gibt es bei

Im VLC wird der Wert in kHz eingegeben, also z.B. 626000 für Hannover, 658000 für Hamburg etc.

Falls der Empfang in ländlicheren Regionen nur auf dem Dachboden wirklich brauchbar ist, kann man so im Gegensatz zur Klickibunti-Software immerhin auch mit wenigen Klicks einen Streaming-Server aufmachen und übers lokale Netz womöglich sogar direkt auf den Fernseher im Wohnzimmer streamen – falls man sowas besitzt.

Mir hat in den letzten Jahren jedenfalls ein DVB-T-Stick für sporadisches Fernsehen völlig ausgereicht.

Wenn die Privaten nun langfristig mit der DVB-T2-Plattform Freenet.TV planen, ihre Reichweite in den Ballungsräumen zu reduzieren und terrestrisch nur noch verschlüsselt zu senden, sollen sie das gerne tun.

Wenn man dann mittelfristig noch mit der analogen Kabel-Abschaltung rechnen kann, bliebe eigentlich nur die SD-Übertragung auf 19,2° Ost, die dem Deutschen Privatfernsehen überhaupt noch einen Rundfunk-Charakter geben würde – alles andere sind meiner Meinung nach längst Telemediendienste.

Möglicherweise ist das auch mittelfristig die Intention, die lästigen Bedingungen für eine Vollprogramm-Lizenz eines Tages endlich loswerden und über sämtliche Inhalte frei entscheiden zu können?

Vielleicht gibt es dann irgendwann wieder nur noch öffentlich-rechtliches Fernsehen in Deutschland, wie vor über 30 Jahren…

solar-powered LED keychain flashlights – real vs. fake

So you’ve probably come across those fancy keychain flashlights that will recharge from sunlight, using an integrated amorphous solar module.

multiple colors of solar led keychain flashlights

They usually contain a rechargeable LIR2032 battery (which is actually just the Lithium-Ion variant of the popular CR2032 single-use coin cell battery found in countless devices) with solder tabs, and a blocking diode that will simply prevent current from flowing back through (thus destroying) the solar module while there is no sunlight, causing the solar output voltage to drop below the battery voltage.
This certainly does not sound like the ideal way of effectively charging a Lithium-Ion battery these days, yet it is still working quite well as long as the battery is in good condition – and there will be intense direct sunlight at least once in a while!

So the major issue with this design is not really the charging regulation into the battery, but rather the regulation of current flowing from the solar module: when you short-circuit a solar module, nothing really happens – there will be a current flowing through the wire, but at almost no voltage, since the output voltage collapses immediately due to the short circuit, so the wires will hardly become warm after all, and the module will rather, simply speaking, just stop converting solar energy to electricity. This is actually what on-grid solar systems will do on power outages, when there is no grid frequency to synchronize with, besides they could not really supply enough power to serve the whole neighbourhood. In general, when feeding power into a public grid, it would almost behave like a short circuit to the solar system, which could not produce energy since the load of the grid (accepting way more power than the system could deliver) would immediately cause a voltage drop at the output of the solar modules – which is why those on-grid solar inverters have a component called the "Maximum Power Point Tracker", which constantly adapts the load that is "attached" to the modules, in order to get the highest possible output.

Long story short: once the battery in your solar flashlight is discharged below a point that is no longer healthy for lithium batteries (which happens quite easily – as soon as you realize the LED’s start fainting, it’s probably already too late), it will hardly recover nor fully recharge in the dim surrounding light.

After all, it had me looking for replacement LIR2032 cells to revive some of those flashlights, but curiously it turned out those are way more expensive than buying a few whole new flashlights, wtf!? However, since they really are ridiculously cheap (and also make good gifts for people who don’t have one yet), I ordered a pack of 10 for less than $15. They all had black plastic, that’s probably cheaper. Now just rip out the inside and stick it back into one of the old colourful plastic cases – so I thought. And the surprise was inside, they were all fakes!

I.e. they had real solar modules (voltage varies depending on sunlight), real bright LEDs, the same plastic cases… Just the batteries were two CR2016 cells stacked on top of each other, resulting in a 6V disposable battery rather than something rechargeable. However, they even kindly left out the diode that would connect the solar module to the battery at all, so at least it would not leak or explode when attempting to recharge it in bright sunshine, how graceful!

So if you got one of those, I’d definitely recommend checking what’s inside there. Some of them will pop open quite easily after pressing firmly on both sides, while others seem really tightly sealed and might not open up flawlessly. I figured the best way that causes the least visible damage is by using a small screwdriver to gently start prying between the LED’s and the top or bottom half of the plastic housing, then sliding some phone opening tool or similar soft plastic thing in between, slowly broadening the gap from all sides. Some of the joints might still crack though, so be careful and maybe use a drop of super glue to bond them back together in the end.

carefully opening the case with a small screwdriver and soft plastic prying tool
difference between circuits of real and fake LED solar keychain flashlights
Now the one on the left is what it’s supposed to look like, compared to those two examples of fakes i got from various sellers on both ebay and AliExpress…

two stacked CR2016 batteries in fake solar keychain flashlight

Which finally leads me back to the main intention of this post: What really bothers me about this is not that you had accidently received a damaged item and thus get a replacement or refund, but the fact that these fakes will actually do their job well for many weeks or even months – until the batteries are depleted, and probably the majority of users will never even know they had fake ones until there’s no more chance of getting money back or anything! (Maybe it could even be considered an exaggerated form of planned obsolescence, since people hardly seem to care about what’s wrong with a product these days, as they can simply get a new one for cheap…)

Even worse, it is the combined ignorance and incompetence exposed by the sellers, who probably just distribute the items and never even looked inside the cases themselves. Now how do you explain to a Chinese seller that they’re missing a rechargeable battery in their products, when you get replies (assumingly web-translated from Chinese to English) of the sort like “dear, it does not work with battery, it will recharged by the solar!” I suppose many of them don’t even intend to rip you off after all, but just have no idea what the inside of the things they are selling should look like in the first place…

Considering they are just about $ 1.20 – 1.50 per item, it is not even satisfying to get your money back after numerous attempts of explaining the issue to them (besides having waited three weeks for an item you would not use as a gift to anyone you still somewhat care about), but that’s exactly what happens – they click the refund button, hardly causing them any financial loss, the dispute will be automatically closed(!) since everything is fine now that you got your cash back, they just keep selling their crap to countless new suckers, and not a single fuck was given by the ebay customer service that day!

So let’s not have them get away with that anymore, and annoy the marketplaces’ support departments and the vendors until they realize it’s not worth selling crap anymore =)

As an addition to the images above, I also made a somewhat more, uhm… "internet-compatible" version, that might simplify helping others (or even vendors if you dare) to understand the issue…

detecting fake solar keychain flashlights

Meanwhile, I was even considering to make a complete redesign of the circuit, using one of those new-fangled bq25504 Energy Harvesting controllers from TI, which basically feature the above mentioned MPPT capability that would allow for charging the battery to the maximum – slowly but effectively – even in the dimmest light when the battery voltage is way above the solar module voltage already!

However, looking at the bill of materials (and thus PCB footprint) of the reference minimum design kept me from doing it at this time. There’s just too many additional SMD components required to make for some cool hardware hacking project for everyone yet, so I guess we’ll have to wait for a company to come up with some fully integrated one-chip harvesting solution, that could be painlessly hand-soldered, maybe even into the existing design rather than making a custom new PCB layout.