Can you track a DTR or Nextel i355?

Status
Not open for further replies.

poltergeisty

Truth is a force of nature
Banned
Joined
May 7, 2004
Messages
4,012
Location
RLG, Fly heading 053, intercept 315 DVV
I was wondering. With the right plugin for AirSpy and SDR# you can scan a very high bandwidth. Would it be possible to track the one half second frequency hop of a DTR radio or a Nextel i355 that uses the same technique? If it can follow the hops what about the VSELP modulation? Can you decode that?

Thanks!
 

Darkstar350

Member
Joined
May 19, 2014
Messages
409
Location
Nassau County
DTR, I would say most likely no.
That's comparable to trying to break encryption.

i355, on the other hand, I suppose it's possible to see what frequencies are being used on an SDR or service monitor type thing.
I also heard some rumor that there's either a particular Motorola radio or a type of way you can set up an i355 where you would be able to monitor iDEN talkgroups, etc.
Again, it's a rumor, don't quote me on it, but I have seen iDEN systems in the database mapped out with talkgroups and all, so it could be somehow possible.


 

kayn1n32008

ØÆSØ
Joined
Sep 20, 2008
Messages
6,601
Location
Sector 001
You may be able to see the hops with an SDR that can span the whole 908-928 spectrum, but I don't think it will decode VSELP.
 

jonwienke

More Info Coming Soon!
Joined
Jul 18, 2014
Messages
13,416
Location
VA
Following the frequency hopping is possible if the hop pattern is known, i.e. follows a specific, static pattern. But if a secret key is used to generate the hop pattern, then you'd have to either know the key (maybe legal, depending on how you got it), or crack the encryption (possibly illegal, maybe impossible).

Any known modulation scheme can be demodulated in software, if the SDR can receive the frequency range and has enough bandwidth to receive the entire signal simultaneously. For example, an RTL SDR can decode broadcast stereo FM, which uses 100KHz of bandwidth between 88-108MHz. But it cannot decode Wi-Fi for 2 reasons:
1. Wi-Fi uses a higher frequency range than can be received by the RTL SDR (2.4GHz, vs 1.7GHz upper limit for the RTL SDR), and

2. Wi-Fi channels are 20-40MHz wide, and the RTL SDR can only receive 2-3MHz of bandwidth at a time.

You would need to know the details of the hop algorithm, including whether or not some kind of user-defined key is used to generate the hop sequence.

Your SDR would have to be able to retune fast enough to follow the hops. That might require 2 SDR receivers, alternating between retuning to the next hop frequency and listening to the signal.

Your SDR(s) need to be able to receive the entire signal modulation bandwidth, but do not need to receive all possible hop frequencies simultaneously.

Lastly, you need software that can take the digital data from the SDR(s) and decode it properly. This may or may not currently exist.
 

PACNWDude

Member
Joined
Oct 15, 2012
Messages
1,336
My YouTube channel has a troll who seems to expound on the ability to monitor DTR series radios with SDR, but of course no evidence is ever given. VSELP and frequency hopping are a pretty effective method of keeping your radio comms pretty secure from a realistic standpoint.

Your best bet for monitoring DTR radios is to have one yourself. Many owners/users do not put in a private channel and use the default "Private1" setting. I have used SDR to see that they are in use, but they can't monitor them.

What is easily monitored is the analog frequency hopping eXRS radios. I have used several mobile and handheld scanners to listen to these. They are not built as well and I would not recommend them.

Nextel i335, I have not tried. Although I did have some older mobile Nextel gear that was able to be used after their push to talk network was rebanded.
 

poltergeisty

Truth is a force of nature
Banned
Joined
May 7, 2004
Messages
4,012
Location
RLG, Fly heading 053, intercept 315 DVV
DTR, I would say most likely no.
That's comparable to trying to break encryption.

I'm referring to these. dtr radio | eBay

Both the Motorola DTR radio and the old Nextel i355 phones use the same scheme in that they use FHSS in the 900 MHz band and VSELP for modulation. The only difference would be the output wattage between the two and perhaps the hop rate. The DTR is 1 watt, while the Nextel is like 750 mW if I can remember. But I gotta tell you, I got pretty good range with those Nextels.

I just wonder how much of a bandwidth the radios use? If it's within the bandwidth that an SDR can auto tune to then all I would need to do is decode VSELP.

Which brings me to another question: Is VSELP just VSELP or are there different versions of VSELP in itself? I thought I read about an SDR decoding VSELP that was used for public safety. But I can't remember the system name they used.


Edit-

Here's an old thread. http://forums.radioreference.com/tavern-archives/43865-motorola-dtr-650-550-anyone.html

I also read the hop rate for the DTR is 90 ms. I wonder if they use the entire ISM band? That would definitely be out of the scope for a SDR.

Edit 2-

The manual for the DTR states that it's just using the ISM band which would be 26 MHz spread and 8 level FSK. The channel spacing is 50 KHz.
 

poltergeisty

Truth is a force of nature
Banned
Joined
May 7, 2004
Messages
4,012
Location
RLG, Fly heading 053, intercept 315 DVV
I read that a user was able to use SDR# and a plugin (of which I can't remember) I think it was a scanner-like plugin where you can filter out birdies and what have you and scan large swaths of spectrum. This would be useful and scan the entire 26 MHz ISM band.

Edit-

Here it is! http://www.rtl-sdr.com/sdr-frequency-scanner-plugin-updated/

That is awesome! The user on this forum that talked about this was able to scan the entire Mil-air band in like 2 seconds or less. :lol:
 

jonwienke

More Info Coming Soon!
Joined
Jul 18, 2014
Messages
13,416
Location
VA
With SDR# and a $20 RTL SDR stick, I can scan about 10MHz/second. SDR# comes with the scanner plugin now. You have to tweak the default scanning settings to get it to scan that fast, but it's better than anything else in the price range for scanning an entire band for active frequencies. It even logs activity to a MySQL database for further analysis.
 

jonwienke

More Info Coming Soon!
Joined
Jul 18, 2014
Messages
13,416
Location
VA
I also read the hop rate for the DTR is 90 ms. I wonder if they use the entire ISM band? That would definitely be out of the scope for a SDR.

Edit 2-

The manual for the DTR states that it's just using the ISM band which would be 26 MHz spread and 8 level FSK. The channel spacing is 50 KHz.

Monitoring the DTR with SDR is possible then, with the following caveats:

1. You'll have to figure out the FHSS hop scheme to retune the SDR for each hop. This may require "leapfrogging" 2 SDRs, so that one is receiving the current freq, while the other is retuning to the next freq. If there are any user-settable parameters that affects the hop pattern, you'll need to know those parameters.

2. You'll either need to find or write some code to decode the VSELP audio from the SDR data.
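
What the first caveat means in numbers, as an added example that is not part of the original post: a toy simulation comparing a receiver parked on one slice of the band with a narrowband receiver that retunes every hop using the right or the wrong sequence. The HMAC-based hop generator, the key values, the 2.4 MHz receiver span and the use of all 520 channel slots are assumptions made for illustration; this is not Motorola's hop algorithm.

```python
import hashlib
import hmac

# Figures quoted in the thread; the model itself is a constructed toy.
BAND_HZ = 26_000_000           # 902-928 MHz ISM band
SPACING_HZ = 50_000            # channel spacing from the DTR manual
NUM_CHANNELS = BAND_HZ // SPACING_HZ   # 520 slots (assumes the whole band is used)
RX_BANDWIDTH_HZ = 2_400_000    # assumed RTL SDR span, within the 2-3 MHz quoted


def hop_channel(key: bytes, slot: int) -> int:
    """Toy keyed hop generator: HMAC-SHA256(key, slot counter) mod channel count."""
    digest = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % NUM_CHANNELS


def fixed_tuned_fraction(tx_key: bytes, center: int, slots: int) -> float:
    """Share of dwells that land inside a receiver parked on one centre channel."""
    half_span = RX_BANDWIDTH_HZ // 2 // SPACING_HZ      # channels each side of centre
    hits = sum(abs(hop_channel(tx_key, s) - center) <= half_span for s in range(slots))
    return hits / slots


def following_fraction(tx_key: bytes, rx_key: bytes, slots: int) -> float:
    """Share of dwells caught by a narrowband receiver that retunes every hop
    using rx_key; it only lands on the signal when both sequences agree."""
    hits = sum(hop_channel(tx_key, s) == hop_channel(rx_key, s) for s in range(slots))
    return hits / slots


def summary(slots: int = 5000) -> dict:
    tx_key = b"constructed-demo-key"           # constructed sample value
    return {
        "fixed_tuned": fixed_tuned_fraction(tx_key, NUM_CHANNELS // 2, slots),
        "right_sequence": following_fraction(tx_key, tx_key, slots),
        "wrong_sequence": following_fraction(tx_key, b"some-other-key", slots),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>15}: {value:.3%}")
```

Under these assumptions the parked receiver sees roughly 49 of 520 channels, so it catches only scattered fragments of a transmission, while a receiver with the wrong sequence catches almost nothing.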
 

WPXS472

Member
Joined
Aug 3, 2013
Messages
226
Location
Heflin, AL
It has been a while since I fooled with either the DTR or Nextel phones. But, I do remember looking at one transmit on a spectrum analyzer. They don't use the entire 26 MHz, but I don't remember exactly how much they do use. I believe it is stated in some of the limited technical data available. Seems like there are different groups of frequencies and different hopping patterns. These are mixed together to form the "groups" and "channels" used by these devices to keep them from interfering or being heard by the wrong radio. Though they use similar technology, the two won't communicate with each other. I bought a couple of the DTRs off eBay and played around with them a little. I didn't care for them. Same goes for the retired Nextels. A pair of FRS radios suits my needs much better. It might be possible to intercept and listen to these things, but why bother? Sounds like a lot of trouble for very small returns on your investment of time and effort.
 

prc117f

Member
Joined
Jul 22, 2009
Messages
369
I was wondering. With the right plugin for AirSpy and SDR# you can scan a very high bandwidth. Would it be possible to track the one half second frequency hop of a DTR radio or a Nextel i355 that uses the same technique? If it can follow the hops what about the VSELP modulation? Can you decode that?

Thanks!

No. The problem is go and look at 902-928 it is full of frequency hopping emitters. How do you tell which is the DTR transmitting amongst the clutter of FH traffic in that band?

DTR/i3555 is hiding in plain sight.
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,925
I've noticed the only couple of places that I noticed using DTR radio were just using public group channels.

It's been years since I toyed with these, but I tested a near field receiver against a DTR550. After the 3 Nextel type beeps there is data sent to the other radios. Some of which likely just confirms another radio is in range, but I'd assume data containing hop set information and radio ID's/group #'s should be in there too.

It might be easier to try to decode the data burst then program the necessary info in a DTR radio instead of trying to decode a FH VSELP signal.
 

prc117f

Member
Joined
Jul 22, 2009
Messages
369
The trick is to check your near field receiver with users on DTRs 350 feet away.

When I was looking at the entire spectrum 902-928 you would not be able to discern the DTR traffic from all the other FH activity. It blends right in since that ISM band is full of transmitters.
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,925
Maybe buying a DTR radio for test purposes and trying to capture the pre voice frame signalling data and attempting to make sense of it would be the best way to go.

It is sent immediately after the tx beeps.

If you could somehow create a disc tap and by means unknown to me, try to read the data on a scope. Also, I believe they only use 50 non overlapping hop sets.

The hop dwell time is sufficient enough for a decent capture, but you need to be close in.

The defunct eXRS radios were much easier to eavesdrop on because they used analog NFM and a very slow hop rate of ~4 hops per second. But these radios didn't take off due to sync issues.
 

n1das

Member
Joined
Feb 17, 2003
Messages
1,601
Location
Nashua, NH
https://fccid.io/AZ489FT5852

I own 6 factory brand new DTR650 radios. Radios and batteries were manufactured in October, 2016. They are working excellently and have replaced my use of GMRS for local on-site simplex type use. I migrated my local simplex operations from GMRS/FRS to the DTRs. I set up a private talkgroup for them so they are unmonitorable by any other DTR or DLR that is not a member of the group. The DTRs and DLRs use an ID based system and each radio has its own unique 11 digit electronic serial number (ESN) as its radio ID. The ID cannot be changed by the end user or through programming with the CPS. So while not encrypted, DTRs and DLRs can be made very secure by using private 1 to 1 calling and private groups. Monitoring these would require capturing the hopping and decoding the VSELP digital. DTRs and DLRs might be able to be monitored by using old iDEN test equipment from Motorola.

I have monitored some DTR and DLR traffic on Public groups 1-6 on hopset #1. Public groups 1-6 on hopset #1 map to channels 1-6 in the DLRs with Profile 0000 (default). DTRs and DLRs will work with each other right out of the box with both at their factory default programming. Setting up private contacts and private groups requires using the Business Radio CPS, a free download from Motorola.
 

Attachments

  • DTR_freqs.jpg (96.1 KB)
  • FCCID.io-611180.pdf (188.5 KB)