
EDACS / EDACS ESK Frame layout map?

lwvmobile

Member
Joined
Apr 26, 2020
Messages
117
Location
Lafayette County, FL
I tried searching around, but I was wondering if anybody had any links or information on how EDACS and EDACS ESK control signal frames are laid out or mapped out. I found this in the wiki:


Which does a really good job at showing the command frame and its structure, but beyond that, I was hoping somewhere out there, somebody might have more advanced information. For example, when receiving a "patch" command, which parts of the frame, which bits do you look at to determine things like if it's an 'add', or a 'join' or a 'kick', and things like 'source' and 'target', etc. I was wondering if anybody had anything like that mapped out or a description of.

I was working on a bit of a programming project on the side, a lot of tinkering more than anything. In my searches for information though, I haven't really found much of anything useful outside of that one link, a really old text file that has similar information as in the link, and some open source code I found a while back that I've been gleaning from to mixed results.

Any info or leads or links would be greatly appreciated.

Thanks.
 

lwvmobile

Well, I've been doing some ESK frame dumping from a local control channel, using some source code I found and modified, and so far, these are my findings. There are some rough areas and this is just the beginning of a map, but I feel like I might as well show the work I've put together so far for anybody interested, and also for anybody who would like to contribute with ideas or thoughts. Some things I'm still trying to work out and figure out are things like Site ID. Site ID has just about eluded me. I can find where I THINK it is on one CC, but if I go to another CC, then it's not in the same location. I haven't had much luck working out things like which command may contain it, where in the bitstream to look, what rules or masks may apply to consistently get the correct SITE ID from other control channels, etc. Below are just pieces of the puzzle that I have been able to (mostly correctly I think) work out to correct and consistent values.
--------------------------------
Understanding EDACS 9600 ESK Frames

SR_0=[555557125555 5C07]
MASK=[000000000000 FFFF]

SR_1=[EEB239 A3F8114DC6]
MASK=[FFFFFF 0000000000]

SR_2=[5C07EEB239 C3CC1C]
MASK=[FFFFFFFFFF 000000]

SR_3=[12DC 3C33E3ED23 C3]
MASK=[0000 FFFFFFFFFF 00]

SR_4=[CC1C12DC 55555712]
MASK=[00000000 FFFFFFFF]

555557125555 - Frame Sync

Messages are sent in triples:

5C07EEB239 - First Time
A3F8114DC6 - Second Time is inverted from first
5C07EEB239 - Third Time

Two Messages per Frame:

C3CC1C12DC - First
3C33E3ED23 - Second (inverted)
C3CC1C12DC - Third

55555712 begins new frame sync (or is overflow from loading up the shift register)

New Human Readable Output for Pattern Finding/Debugging:

Time: 01:29:06 AFC=2150 IDLE Status=[0xF] Site ID=[ 0]
FR_1=[5C07EEB239]
FR_2=[A3F8114DC6] Inverse of 1 and 3
FR_3=[5C07EEB239]
FR_4=[C3CC1C12DC]
FR_5=[3C33E3ED23] Inverse of 4 and 6
FR_6=[C3CC1C12DC]

This strips away the sync portion on the beginning and end, and
organizes it into 40 bit (10 Hex) message groupings.

Could also use the inverse for implementing error checking
This readout removes the frame sync and groups messages
into 40bit (10 hex) groupings for easy reading.

Time: 07:24:51 AFC=2266 VOICE Status=[0xF] LCN=3
Sender=[ 68987i] <- 0x10D7B Hex value
Group=[ 1123g] <- 0x0463 Hex Value
FR_1=[B870463003]
FR_2=[478FB9CFFC]
FR_3=[B870463003]
FR_4=[BA10AD3BE4] ---
FR_5=[45EFB9E40D] |
FR_6=[FD10D7BDF6] --- FR_4 and FR_6 values are misaligned, error receiving this frame

Group:
MASK=[0007FFF000] <-Digits below 7FFF represent group value
FR_1=[B870463003]

Sender:
MASK=[00FFFFF000] <-Digits below FFFFF represent sender value
FR_6=[FD10D7BDF6]


Time: 07:39:26 AFC=2343 VOICE Status=[0xF] LCN=2
Sender=[ 264978i] <- 0x40B12
Group=[ 870g] <- 0x0366
FR_1=[B8403661CD]
FR_2=[47BFC99E32]
FR_3=[B8403661CD]
FR_4=[BA40B122CC]
FR_5=[45BF4EDD33]
FR_6=[BA40B122CC]

Command:
MASK=[FF 00000000]
FR_1=[B8 403661CD] <- B8 is voice command in ESK (0xB8 xor 0xA0 = 0x18)

Group:
MASK:[000 7FFF 000] Mask is either 7FFF or FFFF, not sure, using 7FFF
FR_1=[B84 0366 1CD]

Sender:
MASK=[00 FFFFF 000]
FR_4=[BA 40B12 2CC]

Peers:
command=F8
Status=0xF
MASK=[00000 FF 000]
FR_1=[58821 DB 73C] <-- if fr_1 == fr_4, then fr_1&FF000>>12 while result is not equal to zero
FR_4=[58821 DB 73C] |--most likely not the exact rule, but probably more to do with a status bit

LCN:
BITS= (0100 0)000 |--Take First 5 bits of this set, then shift right to make 0010 = LCN 2
MASK=[00 F8 000000] <- All 4 binary bits of first, First binary bit of second
FR_1=[B8 40 3661CD] |--Rule doesn't seem to hold up for ESK,

Status:
BITS= 0(000 0)011 <--4 binary bits in parenthesis are status 0000
MASK=[000 78 00000] <-- 0x40 & 0x78
FR_1=[B84 03 661CD] |--
BITS 0(000 1)110 |--


The 40 information bits in each data frame seem to have
the following functions:

Bits      Function
-------   ----------------------------------------
 0 -  7 : These eight bits are the command bits
 8 - 12 : Logical channel number
13      : Status bit
14      : Status bit
15      : Status bit
16      : Status bit; possible use:
          group call if set to zero, individual
          call if set to one (radio ID then is
          given by bits 17 - 27)
17 - 19 : Agency ID (3 bits) for group call
20 - 23 : Fleet ID (4 bits) for group call
24 - 27 : Subfleet ID (4 bits) for group call
28 - 39 : Error detection polynomial
 

EricCottrell

Member
Database Admin
Joined
Nov 8, 2002
Messages
2,374
Location
Boston, Ma
Hello,

Besides ESK, there are two versions of EDACS, original and Extended Addressing. SLERS uses both ESK and Extended Addressing. Extended Addressing increased various limits on sites, talkgroups, and radio ids. It had to do it while not causing problems with radios that might happen across the control channel.

ESK only affects the command word part of the message.

The major change is the two messages per frame. In Extended Addressing the two messages can be combined into one. Sometimes the second message in the frame is a repeat of the first message and sometimes only the upper bits are the same. Here is the patent that explains it.

With the site id they had to redefine bits so original EDACS radios can not lock on. It does it by setting a bit in the original site id portion of the site id message.

73 Eric
 

lwvmobile

Hey, thanks for the information! That's certainly more to go on than what I had before. That patent will give me some clues as to what to look for.

> Besides ESK, there are two versions of EDACS, original and Extended Addressing. SLERS uses both ESK and Extended Addressing. Extended Addressing increased various limits on sites, talkgroups, and radio ids. It had to do it while not causing problems with radios that might happen across the control channel.
>
> ESK only affects the command word part of the message.
>
> The major change is the two messages per frame. In Extended Addressing the two messages can be combined into one. Sometimes the second message in the frame is a repeat of the first message and sometimes only the upper bits are the same. Here is the patent that explains it.

Well, that certainly explains some of the findings I've come across so far, especially in regards to Site ID and also why some messages are duplicates while others aren't. Poring through text files full of hex dumps and binary dumps trying to find consistent patterns with known information about a site control channel can be mind numbing, especially when you're convinced you've nailed it, then test it on another control channel, and it just doesn't work the same, or the expected value only happens a fraction of the time. That's partially why I want to make a road map of this stuff, it feels like it's a big secret yet software like Unitrunker seems to parse it just fine. Trying to get my own little piddly software project off the ground with little tidbits of information has been both rewarding and frustrating at the same time.
 

EricCottrell

Hello,

Looking over my notes, A0 seems to be the only ESK value used when it is on.

    // Take care of ESK
    info1.rawBits ^= (((long)esk) << 20) & 0xff00000;
    info2.rawBits ^= (((long)esk) << 20) & 0xff00000;

The upper 5 bits on EA indicate the type of frame.

    switch(info1.rawBits & 0xF800000L)
    {
    case 0x0800000: // TDMA Group Voice Channel Assignment
    case 0x1000000: // Group Data Channel Assignment
    case 0x1800000: // Digital Group Voice Channel Assignment
    case 0x2000000: // Unknown
    case 0x2800000: // Unknown
    case 0x3000000: // Analog Group Voice Channel Assignment

These are usually processed by the same code as the rest of the message follows a similar format.

    case 0x8000000L: // I-Call
    case 0x8800000L: // I-Call

These are usually processed by the same code as the rest of the message follows a similar format.

    case 0xC800000L: // Affiliate

    case 0xF800000L: // Escape so see what MT2 has. Each message has its own processing block.
        switch(info1.rawBits & 0xFF80000L)
        {
        case 0xF880000L: // Adjacent site control channel
        case 0xFC00000L: // New Message with Control Channel LCN This possibly has other stuff as well.
            ofreq = (unsigned short)(info2.rawBits & 0x01f); // 5-bit frequency number for the control channel
        case 0xFD00000L: // Site ID Message
            osysid = (unsigned short)(info1.rawBits & 0x01f); // lower 5-bit sysid
            osysid |= (unsigned short)((info1.rawBits >> 7) & 0x3e0); // upper 5-bit sysid

73 Eric
 

lwvmobile

> case 0xFD00000L: // Site ID Message
>     osysid = (unsigned short)(info1.rawBits & 0x01f); // lower 5-bit sysid
>     osysid |= (unsigned short)((info1.rawBits >> 7) & 0x3e0); // upper 5-bit sysid

Well, no wonder I never found the Site ID, I would have had to have been a wizard to figure that particular piece out. Either that, or have a white paper that spelled it out. So far in my research, I have yet to come across anything where the values are a combination of two unconnected pairs of bits. I've got this rule written into my software now and have had extremely consistent accuracy with it. I would have never been able to figure this out without you, I've probably been banging my head into my desk for the past 4 or 5 days trying to find this one little thing.

Well, I wrote an addition to my 'understanding frames' text:

Site ID
command=[FD]
Status=[0x8] if 5D0 and not 5D8, then
FR_1=[5D07133193] <--((fr_1 & 0x1F000)>> 12) | ((fr_1 & 0x1F000000)>>19);
FR_2=[A2F8ECCE6C]
FR_3=[5D07133193]
FR_4=[5D07133193]
FR_5=[A2F8ECCE6C]
FR_6=[5D07133193]

Thanks a million for that bit.
 

lwvmobile

Okay, I thought I could edit this into my old post to update my frame mapping, but either I'm blind and can't find the edit link, or it doesn't exist. Either way, I'm just going to dump my updated text here for anybody else who would like to look at it or make corrections or suggestions.

Understanding EDACS 9600 ESK Extended Addressing Frames
(September 8, 2020)

SR_0=[555557125555 5C07]
MASK=[000000000000 FFFF]

SR_1=[EEB239 A3F8114DC6]
MASK=[FFFFFF 0000000000]

SR_2=[5C07EEB239 C3CC1C]
MASK=[FFFFFFFFFF 000000]

SR_3=[12DC 3C33E3ED23 C3]
MASK=[0000 FFFFFFFFFF 00]

SR_4=[CC1C12DC 55555712]
MASK=[00000000 FFFFFFFF]

555557125555 - Frame Sync

Messages are sent in triples:

5C07EEB239 - First Time
A3F8114DC6 - Second Time is inverted from first
5C07EEB239 - Third Time

Two Messages per Frame:

C3CC1C12DC - First
3C33E3ED23 - Second (inverted)
C3CC1C12DC - Third

55555712 begins new frame sync (or is overflow from loading up the shift register)

New Human Readable Output for Pattern Finding/Debugging:

Time: 01:29:06 AFC=2150 IDLE Site ID=[ 0]
FR_1=[5C07EEB239]
FR_2=[A3F8114DC6] Inverse of 1 and 3
FR_3=[5C07EEB239]
FR_4=[C3CC1C12DC]
FR_5=[3C33E3ED23] Inverse of 4 and 6
FR_6=[C3CC1C12DC]

This strips away the sync portion on the beginning and end, and
organizes it into 40 bit (10 Hex) message groupings.

This readout removes the frame sync and groups messages
into 40bit (10 hex) groupings for easy reading.

Time: 07:39:26 AFC=2343 VOICE LCN=2
Sender=[ 264978i] <- 0x40B12
Group=[ 870g] <- 0x0366
FR_1=[B8403661CD]
FR_2=[47BFC99E32]
FR_3=[B8403661CD]
FR_4=[BA40B122CC]
FR_5=[45BF4EDD33]
FR_6=[BA40B122CC]

Command:
MASK=[FF 00000000]
FR_1=[B8 403661CD] <- B8 is voice command in ESK (0xB8 xor 0xA0 = 0x18)

Group:
MASK:[000 FFFF 000] Mask is FFFF 16 bit group values
FR_1=[B84 0366 1CD]

Sender:
MASK=[00 FFFFF 000] FFFFF 20 bit sender values
FR_4=[BA 40B12 2CC]

MT-1 and MT-2

MT-1:
00001 - TDMA Group Voice Channel Assignment
00010 - Group Data Channel Assignment
00011 - Digital Group Voice Channel Assignment
11111 - Use MT-2

MT-2:
0000 - Initiate Test Call Command
1101 - Serial Number Request (would this be a join?)
1111 - Undefined
NEW MT-2 INFO (unverified)
1010 - Site ID Relay??
0001 - Peer/Neighbor Site Relay??
1011 -- Unknown? Kick?
1100 -- ADD

Time: 16:28:37 AFC=1751 ACTIVE MT-1=[0x 3] MT-2=[0x0] LCN=3
Sender=[ 197864i]
Group=[ 1123g]
Digital Group Voice Channel Assignment
MT-1 Binary = [0] [0] [0] [1] [1] <-- 00011 or 0x03; Digital Group Voice
FR_1=[B870463003] <-- MT-1 = (((fr_1 & 0xFF00000000) >> 32)^0xA0)>>3
MASK=[F800000000] |-- or simply take the command B8^A0 (xor for esk) and shift 3 right
FR_2=[478FB9CFFC] |-- 0xB8^A0 = 0x18 = (0001 1)000
FR_3=[B870463003] |-- 5 bits in parenthesis tells us MT-1, which is a Digital Group Call
FR_4=[BA304E8FD9]
FR_5=[45CFB17026]
FR_6=[BA304E8FD9]

Time: 16:29:06 AFC=1632 IDLE MT-1=[0x1F] MT-2=[0xA] Site ID=[243]
MT-1 Binary = [1] [1] [1] [1] [1] <--if MT-1 is 11111, use MT-2;
MT-2 Binary = [1] [0] [1] [0]
FR_1=[5D07133193] <--MT-2 = (fr_1&0x780000000)>>31;
MASK=[0780000000] |--0xD0 & 0x78 = 0x50 = 0(101 0)000
FR_2=[A2F8ECCE6C] |--Desired 4 bits are in parenthesis; 1010 could signify Site ID in message (unverified)
FR_3=[5D07133193]
FR_4=[5D07133193]
FR_5=[A2F8ECCE6C]
FR_6=[5D07133193]


Peers:
command=F8

MASK=[00000 FF 000]
FR_1=[58821 DB 73C] <-- if fr_1 == fr_4, then fr_1&FF000>>12 while result is not equal to zero
FR_4=[58821 DB 73C] |--most likely not the exact rule, but probably more to do with a status bit

command=[F8]
MT-1=[0x1F]
MT-1 Binary = [1] [1] [1] [1] [1]
MT-2=[0x1]
MT-2 Binary = [0] [0] [0] [1] <--MT-2 Status is 0001 for Peer/Neighbor Site??
FR_1=[58811DBE20]
FR_4=[58811DBE20]

Site ID
command=[FD]
MT-1=[0x1F]
MT-1 Binary = [1] [1] [1] [1] [1] <--if MT-1 is 11111, use MT-2;
MT-2=[0xA]
MT-2 Binary = [1] [0] [1] [0] <-- if MT-2 == 1010 or 0xA; (not sure if this status correlates to Site ID)
FR_1=[5D07133193] <--((fr_1 & 0x1F000)>>12) | ((fr_1 & 0x1F000000)>>19);
FR_4=[5D07133193] <-- Duplicate Message on this type


LCN:
BITS= 10(00 010)0 |--Take First 5 bits of this set, then shift right to make 00010 = LCN 2
MASK=[0 3E 0000000] <- All 2 binary bits of first, 3 binary bits of second
FR_1=[B 84 03661CD] |

Time: 04:15:26 AFC=2308 VOICE LCN=2
Sender=[ 333909i]
Group=[ 1123g]
FR_1=[B850463581] <--85 & 3E >> 1 = 00010 = LCN 2
MASK=[03E0000000]

Time: 04:15:30 AFC=2372 VOICE LCN=3
Sender=[ 333909i]
Group=[ 1123g]
FR_1=[B8604632C2] <--86 & 3E >> 1 = 00011 = LCN 3

Time: 04:15:37 AFC=2202 VOICE LCN=4
Sender=[ 197864i]
Group=[ 1123g]
FR_1=[B880463F75] <-- 88 & 3E >> 1 = 00100 = LCN 4

Time: 16:37:06 AFC=1740 ACTIVE MT-1=[0x 3] MT-2=[0x1] LCN=4
Sender=[ 197864i]
Group=[ 1123g]
Digital Group Voice Channel Assignment
MT-1 Binary = [0] [0] [0] [1] [1]
FR_1=[B890463DB4] <-- (fr_1&0x3E0000000)>>29; (5 bits for LCN channel, 0-31 Decimal)
MASK=[03E0000000] |--0x89 & 0x3E = 00(00 010)0 LCN bits in parenthesis, then shift right one

Patch (ADD):
command=[FE]
MT-1=[0x1F]
MT-1 Binary = [1] [1] [1] [1] [1]
MT-2=[0xC]
MT-2 Binary = [1] [1] [0] [0]
FR_1=[5E700B5D02] <--00B5 Source
MASK=[000FFFF000]
FR_4=[4000522911] <--0522 Target
MASK=[000FFFF000]

Error Detection Polynomial:
MASK=[0000000 FFF]
FR_1=[5C07EEB 239] <--Last 12 bits (3 hex) are error detection; not entirely useful for tracking.
FR_2=[A3F8114 DC6] --There may be a way to figure out proper calculation for polynomial
FR_3=[5C07EEB 239]
FR_4=[C3CC1C1 2DC]
FR_5=[3C33E3E D23]
FR_6=[C3CC1C1 2DC]

-----------------------------------------

There is always more information to find out/discover on these types of frames, but at this point, I'm not sure what all is completely useful in terms of tracking and tuning into channels to listen. The next step would probably be to re-write this mess into a more user readable and more user friendly format.

I've also made enough progress on my programming project that I'll take this opportunity to shamelessly self-plug it for anybody interested in using it or looking over the source code.
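
The masks and shifts worked out in this thread, put together as one decoder (an added example, not code from either poster or from the project mentioned above). The names `edacs_decode`, `edacs_info` and `triple_ok` are hypothetical, the field layout is only what the posts above report, and the three sample frames are copied from the dumps in the thread.

```c
#include <stdint.h>
#include <stdio.h>

#define MASK40 0xFFFFFFFFFFULL
#define ESK    0xA0u            /* ESK value reported in the thread */

typedef struct { unsigned mt1, mt2, lcn, group, sender, site_id; } edacs_info;

/* Each 40-bit word is sent as word, inverted word, word; accept it only
   when all three copies agree. */
static int triple_ok(uint64_t a, uint64_t inv, uint64_t c)
{
    return a == c && ((a ^ inv) & MASK40) == MASK40;
}

/* Decode one frame of six 40-bit words (FR_1..FR_6 in the thread's dumps).
   Returns 0 if either triple fails the redundancy check, 1 otherwise.
   Every field is extracted; which ones are meaningful depends on mt1/mt2. */
static int edacs_decode(const uint64_t fr[6], edacs_info *out)
{
    if (!triple_ok(fr[0], fr[1], fr[2]) || !triple_ok(fr[3], fr[4], fr[5]))
        return 0;
    uint64_t m1 = fr[0], m2 = fr[3];
    out->mt1 = (unsigned)((((m1 >> 32) & 0xFF) ^ ESK) >> 3); /* top 5 bits after un-ESK */
    out->mt2 = (unsigned)((m1 & 0x0780000000ULL) >> 31);     /* used when mt1 == 0x1F */
    out->lcn = (unsigned)((m1 & 0x03E0000000ULL) >> 29);
    out->group  = (unsigned)((m1 & 0x000FFFF000ULL) >> 12);  /* 16-bit group, first message */
    out->sender = (unsigned)((m2 & 0x00FFFFF000ULL) >> 12);  /* 20-bit sender, second message */
    /* Site ID: two separate 5-bit fields joined into one 10-bit value */
    out->site_id = (unsigned)(((m1 & 0x1F000ULL) >> 12) | ((m1 & 0x1F000000ULL) >> 19));
    return 1;
}

/* Frames copied from the dumps in the thread. */
static const uint64_t VOICE[6] = { 0xB8403661CDULL, 0x47BFC99E32ULL, 0xB8403661CDULL,
                                   0xBA40B122CCULL, 0x45BF4EDD33ULL, 0xBA40B122CCULL };
static const uint64_t SITE[6]  = { 0x5D07133193ULL, 0xA2F8ECCE6CULL, 0x5D07133193ULL,
                                   0x5D07133193ULL, 0xA2F8ECCE6CULL, 0x5D07133193ULL };
static const uint64_t BAD[6]   = { 0xB870463003ULL, 0x478FB9CFFCULL, 0xB870463003ULL,
                                   0xBA10AD3BE4ULL, 0x45EFB9E40DULL, 0xFD10D7BDF6ULL };

int main(void)
{
    edacs_info v = {0}, s = {0}, b = {0};
    if (edacs_decode(VOICE, &v))
        printf("voice: MT-1=0x%X LCN=%u group=%u sender=%u\n", v.mt1, v.lcn, v.group, v.sender);
    if (edacs_decode(SITE, &s) && s.mt1 == 0x1F)
        printf("site:  MT-2=0x%X site_id=%u\n", s.mt2, s.site_id);
    printf("bad frame accepted: %d\n", edacs_decode(BAD, &b));
    return 0;
}
```

The third frame is the one flagged in the first dump as misaligned; it is rejected because FR_4 and FR_6 differ.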

 