Receiving 900MHz Trisquare eXRS FHSS Radios On Your Scanner

Status
Not open for further replies.

RayAir

Member
Joined
Dec 31, 2005
Messages
1,930
A few years ago a couple of manufacturers introduced digital frequency hopping spread spectrum radios for the consumer market: the Motorola DTR and the Trisquare eXRS 900MHz frequency hopping radios. One claim is that they cannot be monitored by scanners. For the most part, that is not true (except for the DTR). Others have discovered the Trisquare can be monitored with an Optoelectronics R-10 linked to a scanner. This is true. (Note: The Trisquare does NOT use digital audio, it is analog frequency hopping.) I have discovered a poor man's method of monitoring these radios. I don't have an R-10 linked to a scanner so I just used my signal stalker and wrote down every frequency it stopped on while tx'ing. This yielded about 30 unique freq's. All the channels are 25 kHz spaced. I entered all the freq's into a scanner bank, turned off the delay and hit SCAN. What do ya know, I heard audio, albeit choppy, but mostly readable. I am still missing a few of the hopping freq's obviously. I just have to spend more time with the freq. counter. I am going to use my Scout instead of the signal stalker when I get some more time. With some refining this should work really well.

If you have a Trisquare eXRS radio and want to try this here is some additional info:

- The eXRS radios all have a maximum of 400 possible hopping frequencies, however for each TX the radio selects a set of 50 frequencies to perform hopping on. The 50 freq. set is determined by the channel number you select.

- The hop rate is 400 ms.

- This crack will not work for the Motorola DTR radios because they use digital audio (VSELP). So, even if you could track the DTR with a near field receiver you would still have to be able to demodulate VSELP. I believe the hop rate for the DTR is 90 ms.

This is just an information piece. Of course these radios were not made for true COMSEC, they do however provide much more privacy than virtually all consumer grade radios. However I have seen numerous web sites hawking these radios as "secure" and "unmonitorable". That is simply not the case. Anyone who wants to listen to this radio service just has to try.

I would like to get a complete list of all 400 possible frequencies. One initial problem I am noticing is the scanner stopping on a synchronization signal. Deleting these should solve that problem. They seem to be all in the 922MHz+ range. Most of the voice so far has been in the 906-919MHz range.
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,930

Correction:

There are 700 possible frequencies.
 

prc117f

Member
Joined
Jul 22, 2009
Messages
369
LOL good job. 400ms is a pretty poor dwell time. 90ms is much better + you get VSELP encoding.

I wonder what the frequency spacing is for the DTR. I heard the DTR model will use the entire span of the 900 MHz ISM band.
 

gmclam

Member
Premium Subscriber
Joined
Sep 15, 2006
Messages
6,341
Location
Fair Oaks, CA
... so I just used my signal stalker and wrote down every frequency it stopped on while tx'ing. This yielded about 30 unique freq's. All the channels are 25KHz spaced.
I think you can find the lowest frequency used and the highest frequency used and then enter in EVERY frequency in between with 25 kHz steps.
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,930
I think you can find the lowest frequency used and the highest frequency used and then enter in EVERY frequency in between with 25 kHz steps.

I read somewhere that the Trisquare doesn't use the frequencies near the beginning or end of the ISM band. I have to say I was disappointed the Trisquare could be tracked so easily and now I wonder why they say their radios are digital. The only thing digital on them is the channel display. Anyway, I am sticking with my DTR's. I like the fact they use VSELP so they can't be heard on a scanner, even if something like an Opto Xplorer could track the frequency hopping no audio could be decoded. The removable antenna option on the new DTR's is also nice. I put 6" Motorola 900MHz duckies on them. If I ever get the time I may fool around with this some more. I was thinking of using three scanners and breaking the ISM band in thirds. This would allow faster channel scanning.
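
Added example, not part of any post in this thread: a rough model of why hopping alone does not keep analog audio private, using the thread's figures (50-frequency hop set, 400 ms and 90 ms dwell). The receiver stepping rate, the function name and the sample channel counts are assumptions made for illustration.

```python
"""Exposure estimate: time a channel-stepping receiver spends on an FHSS signal.

From the thread: 50 frequencies per hop set, 400 ms dwell (eXRS), 90 ms (DTR).
Simplification: each hop starts at a random point in the receiver's cycle, and
the receiver holds on a signal until it drops (delay turned off).
"""

SCAN_RATE_CPS = 100.0  # assumption: channels checked per second by one receiver
HOP_SET_SIZE = 50      # from the thread: frequencies used per transmission


def on_channel_fraction(dwell_s, listed, known_in_set, receivers=1,
                        rate_cps=SCAN_RATE_CPS):
    """Expected fraction of air time spent tuned to the active frequency.

    dwell_s       time the transmitter stays on one frequency
    listed        channels programmed in total across all receivers
    known_in_set  how many of the active hop-set frequencies are among them
    receivers     receivers sharing the programmed list evenly
    """
    if not 0 <= known_in_set <= min(listed, HOP_SET_SIZE):
        raise ValueError("known_in_set must fit in both the list and the hop set")
    if listed == 0:
        return 0.0
    # Time for one receiver to step once through its share of the list.
    cycle_s = (listed / receivers) / rate_cps
    if cycle_s <= dwell_s:
        # The active channel is always reached during the hop; on average
        # half a cycle of the hop is lost before the receiver gets there.
        per_hop = 1.0 - cycle_s / (2.0 * dwell_s)
    else:
        # The channel is reached in time with probability dwell/cycle, and
        # on average only the second half of the hop is then covered.
        per_hop = dwell_s / (2.0 * cycle_s)
    # Hops onto frequencies missing from the list are lost entirely.
    return per_hop * known_in_set / HOP_SET_SIZE


if __name__ == "__main__":
    cases = [  # constructed scenarios: (label, dwell, listed, known, receivers)
        ("400 ms, 30 of 50 logged", 0.400, 30, 30, 1),
        ("400 ms, full set", 0.400, 50, 50, 1),
        ("400 ms, full set, 3 receivers", 0.400, 50, 50, 3),
        ("400 ms, 400-channel sweep", 0.400, 400, 50, 1),
        ("90 ms, full set", 0.090, 50, 50, 1),
    ]
    for label, dwell, listed, known, rx in cases:
        print(f"{label:32s} {on_channel_fraction(dwell, listed, known, rx):.3f}")
```

For an analog system the result approximates the share of speech exposed; for the DTR it is only time on channel, since the VSELP audio is still not demodulated. The protection in that case comes from the audio coding, not from the hopping.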
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,930
UPDATE:

I was able to purchase a nice used Opto R-10 Interceptor and can confirm it will track the TriSquare eXRS 900MHz FHSS radio and produce audio. The TriSquare hops frequencies 2.5 times per second. The R-10 follows it with ease.

I was also able to lock onto my Motorola DTR 900MHz FHSS radios. They hop a bit faster, every 90 ms or about 11 frequency changes per second. Although the R-10 will follow the hopping it cannot decode the digital (VSELP) audio. All you hear is some data being negotiated at the start of a transmission and then just popping.

I would like to try an R-10 against the old Transcrypt frequency hopping radios (Transcrypt SC-1000). I have read that the R-10 could detect the radio when in COMSEC (freq. hopping mode) and produce audio although it sounded "clipped".

Optoelectronics now offers a near field receiver called the Xplorer. A bit pricey, but it displays the actual frequency, LTR I.D, DTMF, DCS and CTCSS info. I believe it can do P25, but don't quote me on that.

Note that the receiving distance of a near field receiver such as the Xplorer or R-10 can be greatly enhanced with the use of high gain antennas such as a Yagi. This is just interesting information and it is surprising how well the R-10 performs. I didn't think it would track FHSS so well. I even tested our baby monitors to make sure they were digital. They use FHSS and the audio was digital which is what I wanted. I didn't want an "eavesdropping device" in my house.

I had fun with this experiment, now I am always looking for RF signals on my travels. I even found the water meter signal from my house which uses RF. Next, I want to start testing some 900MHz FHSS cordless phones.
 