P25 TDMA Control Channel decoding -- requesting help from experts

Status
Not open for further replies.

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
11,039
Location
Carroll Co OH / EN90LN
Hi Folks,

It has been reported that some suspect portions of the new AEP P25 multi-state system (a Harris P25 system) being built out, specifically some sites in Texas at this point, are using the P25 TDMA control channel format. I am not aware of any publicly available software that can decode this "new" type of control channel and thus am starting a thread here to encourage those who can (i.e. those who know what the hell they are doing) to attempt to try and pick apart the datastream and make sense of it. As new sources of raw audio are provided by people, I'll try to add those links to this thread if nobody else does.

To be clear, nobody can even confirm at this point that this is a P25 TDMA control channel, but all signs certainly are pointing to it and thus there is good reason to believe that it is a P25 TDMA control channel.

1. @ralexander5 original post: American Electric Power P25 WACN 92715

2. The raw audio posted by @ralexander5 is attached to this post and can also be fetched here: Index of /p25tdmacc

3. And what little is known (publicly, or at least by me) thus far about the datastream in that raw audio

The P25 audio sample received yesterday is from a Phase II signal that
is broadcasting D1 (hex) DUID values.

Raw 320 bit data units:

C774690346444760C2983B685718201A222222200A00696D92563E8AA51468540C882291BACFE689
C720690302444360C2983F2853608068888888802C01F5B74958FA2A9451A1503224DB46EB3F9E75
C7358010000000003FDFF08098888888888888802C0BC965FA432C5F617313EDB8587BAAAEAEB6A5
C71E4B0B20C28120FC90408098888888888888802C138492A212E905ABF24081189EAF1762A29F11
C71EC1249C547E2096970002C0807888888888802C1DDD3923DF195DBE75D1C3093D0155F4FA3481
C71E4B0B21268120C290408098888888888888802C28E090CA4C24C42EA0C2A59FD266EA79409EE9
C71E0103CB0D83CB0D90108098888888888888802C6C40C5F9EDB174109372EE3F116D2ED1F78531
C71E4B0B20FC81212690408098888888888888802C7A4A05D41E7953C809A0AB00056228581D15C1
C723E901C28980028210B88888888888888888802CAF0ACFD60E2B68558591CD866DCE13D13E2F05
C71E810C7E0B0B209697008098888888888888802CED5A399C5996B544C991A06AF7BD944B002DD5

The first half of each data block appears to be a payload, with the
second half containing forward error correction data.

Payloads with embedded DUID bits removed:

1DD1A40D19111D830A83B685718201A222222200A0
1C81A40C09110D830A83F2853608068888888802C0
1CD6004000000000FFFF08098888888888888802C0
1C792C2C830A0483F20408098888888888888802C1
1C7B04927151F8825A70002C0807888888888802C1
1C792C2C849A04830A0408098888888888888802C2
1C78040F2C360F2C360108098888888888888802C6
1C792C2C83F204849A0408098888888888888802C7
1C8FA4070A26000A080B88888888888888888802CA
1C7A0431F82C2C825A7008098888888888888802CE

Hopefully as time goes on we will get more raw audio submissions (enough for those developer guys who know how to pick apart datastreams to make use of), and hopefully some of the savvy coders of decoding apps (like OP25, DSD, DSDPlus, Unitrunker, etc) can/will attempt to participate in the thread and attempt to ultimately add support for this type of control channel to their product.
 

Attachments

  • 1R-DSDPlus-Raw-Input_2021-07-19@235920.zip
    807.8 KB · Views: 50
Last edited:

merlin

Active Member
Joined
Jul 3, 2003
Messages
3,127
Location
DN32su
If it is TDMA P25 then DSD plus should at least be logging the control channel.
Looks can be deceiving and never assume anything.
 

KA1RBI

Member
Joined
Aug 15, 2008
Messages
799
Location
Portage Escarpment
I'm not clear as to what is meant by a "raw audio" sample.

I'd like to see an I/Q capture of such TDMA CC covering, say, 1 minute. Not necessary to use a high sample rate as it's a single channel.

If "audio" means what I think it means (the results from attempting to demodulate the signal as if it were FM/FSK), the result will (likely) be unsatisfactory. Also, such a sample would not provide necessary information about modulation specifics. Perhaps this form of "TDMA" is the same as P2 voice channels from a modulation standpoint, but it would be good not to have to guess...
 

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
11,039
Location
Carroll Co OH / EN90LN
I'm not clear as to what is meant by a "raw audio" sample.

I'd like to see an I/Q capture of such TDMA CC covering, say, 1 minute. Not necessary to use a high sample rate as it's a single channel.

If "audio" means what I think it means (the results from attempting to demodulate the signal as if it were FM/FSK), the result will (likely) be unsatisfactory. Also, such a sample would not provide necessary information about modulation specifics. Perhaps this form of "TDMA" is the same as P2 voice channels from a modulation standpoint, but it would be good not to have to guess...

It's a wav as if it were taken from a discriminator tap basically; 'raw audio' is in DSDPlus parlance. You press "r" in dsdplus to record the raw audio, which can be fed back in to DSDPlus later. I imagine it's just like IQ data. But I think @ralexander5 provided me with a sample ending in .IQ, so I'll try to toss it in my p25tdmacc folder.

Mike
 

KA1RBI

Member
Joined
Aug 15, 2008
Messages
799
Location
Portage Escarpment
It's a wav as if it were taken from a discriminator tap basically; 'raw audio' is in DSDPlus parlance.

... and we all know how well that works on simulcast modulation types ...

I've yet to see a FSK4 TDMA channel; I don't think there is such a beast - even the specs for TDMA have dropped the farcical "Compatible" QPSK nonsense....
 

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
11,039
Location
Carroll Co OH / EN90LN
... and we all know how well that works on simulcast modulation types ...

I've yet to see a FSK4 TDMA channel; I don't think there is such a beast - even the specs for TDMA have dropped the farcical "Compatible" QPSK nonsense....

Ok I take that back. It is not a discriminator tap -- but it's raw audio taken from an SDR. Whether it ends in IQ, or .Tindor, or whatever, I know that it can be piped back into copy of DSDPlus and produce output whether the recording was from a C4FM, *PSK, etc. signal.

There are links in recent threads (past two days) discussing Harris P25 TDMA CC support (which was apparently first announced a couple of years ago, and now suspect to be in use down in Texas on some AEP P25 sites).

I uploaded an IQ file that I got from @ralexander5 , to my website. But I did that withOUT confirming from him that it was IQ data from a suspect P25 TDMA CC. If you care to look at it, cool. But, since I was unable to confirm yet from Bob if it is .IQ data from the suspected P25 TDMA CC, it might be useful.
 

scannerboy02

Member
Premium Subscriber
Joined
Nov 16, 2004
Messages
2,085
Just as a note, this suspected TDMA control channel signal is also being heard on several sites for the new Duke Energy P25 trunking system. The AEP system and the Duke system are being built by the same company.

I am going to try to go out and get an audio sample later this week that I will post here, I can not get a clean sample from my home.
 

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
11,039
Location
Carroll Co OH / EN90LN
Just as a note, this suspected TDMA control channel signal is also being heard on several sites for the new Duke Energy P25 trunking system. The AEP system and the Duke system are being built by the same company.

I am going to try to go out and get an audio sample later this week that I will post here, I can not get a clean sample from my home.

Ok, as long as you sure it isn't Hi Velocity channels you are seeing. Those are the 20+ khz ones, and aren't what we are looking for here.

Mike
 

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
11,039
Location
Carroll Co OH / EN90LN
Giving up on that file. Perhaps there is some secret Rosetta Stone that would provide the key, but it initially does not appear to be modulated RF.

Ok, sorry about hte IQ file. Like I said, I wasn't even sure what it was for. Seriously though, the .zip file with the WAV in it should be more than adequate. If it contains all of the information needed for DSDPlus to decode it (whether its a C4FM, PSK signal, whether it's P25, DMR, NXDN, Provoice or Fusion), then it has to contain what you are looking for -- and if it needs "converted" to I&Q format, there must be some easy enough way to do that.

I am going to remove the .IQ file if it's not useful, since I haven't been able to verify it contains audio from the same suspect site.
 

scannerboy02

Member
Premium Subscriber
Joined
Nov 16, 2004
Messages
2,085
Ok, as long as you sure it isn't Hi Velocity channels you are seeing. Those are the 20+ khz ones, and aren't what we are looking for here.

Mike
I will check for this when I get the sample but if it is HVD the frequency isn't licensed for it. I'm about 76% sure it isn't HVD as that should require a control channel AND a HVD signal being heard and I'm only getting one signal per site.
 
Last edited:

btt

Jew lover
Banned
Joined
Mar 11, 2020
Messages
2,585
Location
Wa State
To be clear, nobody can even confirm at this point that this is a P25 TDMA control channel, but all signs certainly are pointing to it and thus there is good reason to believe that it is a P25 TDMA control channel.

1. @ralexander5 original post: American Electric Power P25 WACN 92715
The wav file looks like it probably 4-FSK, 6ksps, with 96k sample rate to me. I'm willing to spend some time on this. If this is a full-time, standard TDMA control channel that doesn't require an associated FDMA CC, then you would need to know the WACN, SYS_ID, and NAC in order to initialize the scrambler matrix. I see the WACN referenced. Is there a known SYS ID and NAC associated with this wav file?
 

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
11,039
Location
Carroll Co OH / EN90LN
The wav file looks like it is probably 4-FSK, 6ksps, with 96k sample rate to me. I'm willing to spend some time on this. If this is a full-time, standard TDMA control channel that doesn't require an associated FDMA CC, then you would need to know the WACN, SYS_ID, and NAC in order to initialize the scrambler matrix. I see the WACN referenced. Is there a known SYS ID and NAC associated with this wav file?

There is all of that associated with it, but the info will have to wait until we get @nd5y or @ralexander5 to chime in. They are the ones in Texas who can copy these sites.

WACN: 92715

Network/System ID: likely 1F8 (like the other Texas AEP stuff)

Site ID: unknown, but nd5y and ralexander5 know of some neighbor sites (running FDMA CCs) that do indicate the peers' Site ID and associated control channel frequency (and they subsequently match that peer control channel audio linked above to one of those peers)

NAC: typically the NAC on every AEP P25 site thus far is the hex of its Site ID.

@ralexander5 have you determined which site that your recorded audio came from? And are you able / will you be able to review the peer/neighbor data from a neighboring (FDMA CC) site to confirm it?

@nd5y Tom might want to post those screenshots he had of the Unitrunker peers for an FDMA CC site he copied that listed some peers that appeared to be TDMA CC peers.

Mike
 
  • Like
Reactions: btt

btt

Jew lover
Banned
Joined
Mar 11, 2020
Messages
2,585
Location
Wa State
Looking at the code, I forgot that a system may not require scrambling, so should be able to figure out some things without that information. I'll work on this for a while and report back.
 

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
11,039
Location
Carroll Co OH / EN90LN
The wav file looks like it is probably 4-FSK, 6ksps, with 96k sample rate to me. I'm willing to spend some time on this. If this is a full-time, standard TDMA control channel that doesn't require an associated FDMA CC, then you would need to know the WACN, SYS_ID, and NAC in order to initialize the scrambler matrix. I see the WACN referenced. Is there a known SYS ID and NAC associated with this wav file?

If you look at @nd5y post here:


You'll see in his screenshot where it shows Munday TX (1F8-33) with a control channel that is 855.0625 (08-0650 channel number, suggesting TDMA control channel). That is what caught Tom's (nd5y) eye and made him question things. When he attempted to tune to the control channel of one of the peers that was listed with an 08-xxxx control channel, it was a 24/7 signal that was undecodable in DSDPlus or Unitrunker and sounded like the FM output audio that @ralexander5 had posted. Where @ralexander5 posted the FM output in the response thread, he also posted the original raw audio that I mentioned in my first post of this thread.

but, the site that @ralexander5 copied raw audio from is likely not Munday TX but one of the other AEP sites around him . So we will need to get him involved to figure out the likely SystemID-SiteID and NAC of the actual site he provided raw audio for.
 
Status
Not open for further replies.
Top