DSD+ 1.101pt and XPT

Status
Not open for further replies.
RayAir

RayAir

Member
Joined
Dec 31, 2005
Messages
1,930
trbonaut said:
Hello,

A few Hytera XPT repeaters were fired up near my QTH recently and DSD+ goes completely haywire with them. As all audio is encrypted, I don't know if it would decode correctly nevertheless. If this is a bug and the devs are interested in fixing this, I'm happy to provide more samples.
Raw audio here https://mega.nz/#!8k5QDI4Q!RNJgfkrYFGdJpOgkBqPRp2ss125_qZiNFjDAtOwJJN4
Click to expand...


I've only encountered one XPT system and that was in NYC.
Unfortunately I didn't have my Hytera with me. XPT in CPS looks a lot like MotoTRBO Capacity Plus (set up wise). It also looks like XPT has an authentication option which I'm assuming does the same job as MotoTRBO RAS. This won't affect DSD+ though.

The Alg=BP means they're using the built in "Hytera Basic Encrypt" which can be a 40, 128, or 256 bit key depending on how they were programmed.

The other encryption options in the Hytera radios are:
40 bit Full Encrypt (RC4)
128 bit AES (HYT proprietary or DMRA)
256 bit AES (HYT proprietary or DMRA)
Both AES 128 and 256 require a paid upgrade per radio.

The "Basic Encrypt" is substantially weaker.


Do you happen to have a Hytera radio, like a PD782?
 
Last edited:
T

trbonaut

Member
Joined
Feb 29, 2016
Messages
6
RayAir said:
Do you happen to have a Hytera radio, like a PD782?
Click to expand...

No, I'm afraid not. I have a DP3400 VHF + Anytone AT-D858 UHF (XPT repeater is on UHF).

Please note however, that all those private calls shown in my screenshot are not really happening. Basically random (fake) private calls show up like every second while an XPT group call is ongoing. Looks like DSD+ is unable to decode these DMR messages correctly.
 
S

slicerwizard

Member
Joined
Sep 19, 2002
Messages
7,643
Location
Toronto, Ontario
There is no basic privacy being used. Every voice call header is followed by a PI header - that means enhanced encryption, probably AES.

Code: 
+DMR                slot2    BS DATA       DCC=11  Voice Header Enc GC TG=230 RID=64250
+DMR           slot1         BS VC2
+DMR                slot2    BS DATA       DCC=11  Voice Header Enc GC TG=230 RID=64250
+DMR           slot1         BS VC3
XPT 2000
+DMR                slot2    BS DATA       DCC=11  Voice Header Enc GC TG=230 RID=64250
+DMR           slot1         BS VC4
+DMR                slot2    BS DATA       DCC=11  Voice Header Enc GC TG=230 RID=64250
+DMR           slot1         BS VC5
XPT 2000
+DMR                slot2    BS DATA       DCC=11  PI █eader KID=10 MI=A6760270 Tgt=182
+DMR           slot1         BS VC6
Slot1: Enc GC TG=227 RID=14
+DMR                slot2    BS VOICE
The only calls that don't have a PI header are abandoned calls.

Code: 
+DMR                slot2    BS DATA       DCC=11  Voice Header Enc GC TG=230 RID=7777
+DMR           slot1         BS VC4
+DMR                slot2    BS DATA       DCC=11  Voice Header Enc GC TG=230 RID=7777
+DMR           slot1         BS VC5
XPT 2000
+DMR                slot2    BS DATA       DCC=11  Voice Header Enc GC TG=230 RID=7777
+DMR           slot1         BS VC6
Slot1: Enc GC TG=227 RID=14
+DMR                slot2    BS DATA       DCC=11  Voice Header Enc GC TG=230 RID=7777
+DMR           slot1         BS VOICE
XPT 2000
+DMR                slot2    BS DATA       DCC=11  Voice Header Enc GC TG=230 RID=7777
+DMR           slot1         BS VC2
+DMR                slot2    BS DATA       DCC=11  TLC XPT CommEnd Tgt=230 Src=7777
+DMR           slot1         BS VC3
XPT 2000
+DMR                slot2    BS DATA       DCC=11  TLC XPT CommEnd Tgt=230 Src=7777
+DMR           slot1         BS VC4
+DMR                slot2    BS DATA       DCC=11  TLC XPT CommEnd Tgt=230 Src=7777
+DMR           slot1         BS VC5
XPT 2000
+DMR                slot2    BS DATA       DCC=11  TLC XPT CommEnd Tgt=230 Src=7777
 
RayAir

RayAir

Member
Joined
Dec 31, 2005
Messages
1,930
trbonaut said:
No, I'm afraid not. I have a DP3400 VHF + Anytone AT-D858 UHF (XPT repeater is on UHF).

Please note however, that all those private calls shown in my screenshot are not really happening. Basically random (fake) private calls show up like every second while an XPT group call is ongoing. Looks like DSD+ is unable to decode these DMR messages correctly.
Click to expand...


I think you're getting the phantom calls due to the basic encrypt and that version of DSD+.

I recall testing my PD782's when DSD first featured XPT detection and when I transmitted in basic encrypt mode in simplex , DSD was displaying it as XPT and the group codes were wrong.

I would subscribe to the DSD+ Fast Lane and upgrade to the latest fast lane release (2.8).

I monitored an XPT rest channel in NYC with some groups running basic encrypt and it didn't look to be generating any falsities. It was DSD+2.5.
 
A

AM909

Radio/computer geek
Premium Subscriber
Joined
Dec 10, 2015
Messages
1,105
Location
SoCal
In SoCal, the SCE P25 system BEE00.5AA does something similar on the non-control channels when idle. I assumed these were some kind of test pattern being used to "burn in" the new system. For example, on 936.3750, which I believe to be a voice channel at site 1.98, about every 30 seconds, I get about 5 seconds like this:

2016.05.02 2:07:09 Sync:+P25p1 NAC:5A8 TDULC Neighbor: LRA=0 SysID=5AA RFSS=1 SID=106 Ch=16485 SSC=70
2016.05.02 2:07:09 Sync:+P25p1 NAC:5A8 TDULC Neighbor: LRA=0 SysID=5AA RFSS=1 SID=110 Ch=16506 SSC=70
... [more neighbor announcements interspersed]
2016.05.02 2:07:09 Sync:+P25p1 NAC:5A8 TDULC [E] Unit to Unit Channel Users: tgt=9252737 src=3117312
2016.05.02 2:07:09 Sync:+P25p1 NAC:5A8 TDULC [E] Unit to Unit Channel Users: tgt=15806223 src=3112192
2016.05.02 2:07:09 Sync:+P25p1 NAC:5A8 TDULC [E] Unit to Unit Channel Users: tgt=5714171 src=3209984
2016.05.02 2:07:09 Sync:+P25p1 NAC:5A8 TDULC [E] Unit to Unit Channel Users: tgt=5845329 src=3234048
2016.05.02 2:07:09 Sync:+P25p1 NAC:5A8 TDULC UNHANDLED IMPLICIT OPCODE: #35
2016.05.02 2:07:10 Sync:+P25p1 NAC:5A8 TDULC [E] Unit to Unit Channel Users: tgt=8729989 src=3507456
...
2016.05.02 2:07:13 Sync:+P25p1 NAC:5A8 TDULC [E] Unit to Unit Channel Users: tgt=6238059 src=3104512
2016.05.02 2:07:13 Sync:+P25p1 NAC:5A8 TDULC UNHANDLED IMPLICIT OPCODE: #35
2016.05.02 2:07:13 Sync:+P25p1 NAC:5A8 TDULC [E] Unit to Unit Channel Users: tgt=9252737 src=3117312
2016.05.02 2:07:14 Sync:+P25p1 NAC:5A8 TDULC [E] Unit to Unit Channel Users: tgt=15806223 src=3112192
2016.05.02 2:07:14 Sync:+P25p1 NAC:5A8 TDULC [E] Unit to Unit Channel Users: tgt=5714171 src=3209984
2016.05.02 2:07:14 Sync:+P25p1 NAC:5A8 TDULC [E] Unit to Unit Channel Users: tgt=5845329 src=3234048
2016.05.02 2:07:14 Sync:+P25p1 NAC:5A8 TDULC Channel release
2016.05.02 2:07:14 Sync:+P25p1 NAC:5A8 TDULC Channel release
... [8 more channel releases] ...
2016.05.02 2:07:15 Sync: no sync
2016.05.02 2:07:41 1572 radio records saved; 100 aliases
 
T

trbonaut

Member
Joined
Feb 29, 2016
Messages
6
In Fast Lane it looks like this. Maybe these are encryption key update messages masquerading as private calls? Please note while the repeater is idle (sending idle bursts), these phantom calls never occur.
 

Attachments

  • xptfastlane.png
    xptfastlane.png
    21.9 KB · Views: 1,380
H

hamtrektng

Member
Joined
Aug 9, 2015
Messages
75
Location
Plymouth, UK
XPT decoding incorrect system TG's?

I have come across an XPT system near me whereby upon obtaining details of TG's like 100, 102, 103 etc, I have found to be inaccurate or incorrect according to DSD+ event log. Whilst trying out with my MD380 Tytera rig with promiscuous mode switched on to monitor all TG's, it comes up on the same XPT system active TG's starting with 2097255 etc. DSD+ has also shown me a "TEXT; TG=3276906 Src=3211266 "ASSISTANCE REQUIRED". Assuming Src is TG. Is there a bug about?
 
H

hamtrektng

Member
Joined
Aug 9, 2015
Messages
75
Location
Plymouth, UK
Has anyone received a TEXT message going through this system (XPT)?

I am monitoring a local theatre at the moment that seems to use both voice and data calls.

Can anyone confirm to me if there is a TG starting 223xxxx or 321xxxx (decimal format) that is used for TEXT please?

e.g 2236517 would be converted to TG=101 for sending txt

I am looking for 101 to 108 in text talkgroup numbers

Any help is much much appreciated.

Many Thanks
 
Last edited:
S

slicerwizard

Member
Joined
Sep 19, 2002
Messages
7,643
Location
Toronto, Ontario
hamtrektng said:
Can anyone confirm to me if there is a TG starting 223xxxx or 321xxxx (decimal format) that is used for TEXT please?

e.g 2236517 would be converted to TG=101 for sending txt

I am looking for 101 to 108 in text talkgroup numbers
Click to expand...
Looks like you have to take the big number and divide it by 256. The remainder is the talkgroup you're looking for, i.e. the actual talkgroup number:

2236517 / 256 = 8736, remainder = 101
 
H

hamtrektng

Member
Joined
Aug 9, 2015
Messages
75
Location
Plymouth, UK
I am really looking for talkgroups that start 223xxxx and 321xxxx and are attached to TEXT messages on the system. Have you guys come across these?
 
C

cg

Member
Premium Subscriber
Joined
Dec 13, 2000
Messages
4,599
Location
Connecticut
Unfortunately, the Uniden 536 shows the incorrect seven digit TGIDs. I had to do a bunch of math when programming the systems I want to monitor after I discovered it.

chris
 
A

Andru

Member
Joined
May 11, 2016
Messages
30
Location
Iraq
I have The same problem with XPT system But no decode or there is a sound but its look like noise or nothink
Is there any one knowes if i got the fast lane release can decode or I got the same result ?
 
H

hamtrektng

Member
Joined
Aug 9, 2015
Messages
75
Location
Plymouth, UK
After a lengthy study of these uniden TG's, I have now found the answer whereby 7 digit numbers are subtracted (or added) by 1048576 giving the user the next or previous TG on the system list.

Try it yourself:

i.e subtract 3145829 using 1048576 gives you 2097253 (spooky!) which in hex is 101
 
Last edited:
Status
Not open for further replies.

Similar threads

J
  • Locked
UniTrunker and DSD+ Decoding Question
Replies
15
Views
4K
KC5KAW
KC5KAW
Top