BCD436HP/BCD536HP: help program DMR tier 3 systems

[lx2005]

Hello, everyone:
Recently I've been trying to receive the traffic police in my city. Unfortunately, since I'm not in North America, the RR database is of no use to me.

I already know some facts about the system. There are dozens of frequencies in 360MHz to 370MHz band, and I have written them down. And I decoded some of the frenquencies with DSD+ and the scanner(conventional mode) without problems, so they are not encrypted.

Here are the things I'm trying to do:
Figuring out the frequencies, and then program my UBCD3600XLT scanner in trunk mode.
My understandings are: 1.find all frequencies 2.distinguish different systems/sites 3.program frequencies 4.use LCN finder to figure out LCNs is that correct?

But now I have a few problems. First, both DSD+ and the scanner tell me that they are all Tier3 systems(it says 'DT3'), so how to identify the exact system type(i.e con+, cap+, etc)? And I cannot tell the difference between control channels and voice channels. Almost all the channels brocast continuously, and when I try to use DSD+ to decode some of them, it shows idle most of the time, sometimes I can get audio. So do I need to distinguish control/voice channels to program? Do I need to distinguish different systems/sites to program?

Also, hear is a screenshot shows the busy band.

Thank you for any help. And sorry for my English, since I am not a native speaker.

 

[AK9R]

Is there anything in this thread that might help: BCD436HP: - how to setup TIER 3 trunking ubcd3600

 

[lx2005]

Is there anything in this thread that might help: BCD436HP: - how to setup TIER 3 trunking ubcd3600

I will try it soon. Thanks.

 

[Red_Ice]

Hello lx2005, I don't know if I understood you correctly, but there are several things that you should take into account.

For localizations there are two different protocols (LOCn and LRRP), my advice is that if, as you say, you are capturing a TIII, set the verbosity to 4 (-v4) in your command line and look at those frames that bring hexadecimal packets .

2022.05.03 17:28:05 -DMR MS DATA DCC=1 Data Header DPF=[2:UcData] Tgt=71 Src=1 Conf=0 SAP=[4:IP Data] Blocks=4 Pad=3 Last=0 Seq=0
2022.05.03 17:28:05 -DMR MS DATA DCC=1 Rate 1/2 Data 45 00 00 29 09 ED 00 00 3F 11 58 90 E..)....?.X.
2022.05.03 17:28:05 -DMR MS DATA DCC=1 Rate 1/2 Data 0D 00 00 01 0C 00 00 47 0F A1 0F A1 .......G....
2022.05.03 17:28:05 -DMR MS DATA DCC=1 Rate 1/2 Data 00 15 F8 93 09 0B 22 04 00 00 00 04 ......".....
2022.05.03 17:28:05 -DMR MS DATA DCC=1 Rate 1/2 Data 51 62 34 31 1E Qb41. LRRP; Tgt=71 Src=1

In the image you can see all the combinations that I have managed to filter with GPS or IP data.



In relation to the system, the most common is the cap+ as seen in the code, in this case the RestCh=1 or rest channel is the one that acts as the control channel.

2022.02.23 11:03:03 -DMR slot1 BS DATA DCC=1 CSBK Cap+ RestCh=1
2022.02.23 11:03:03 [LB=1 CSBKO=62 (?) FID=16 v16=C100 id1=0 id2=0]
2022.02.23 11:03:03 3E 10 C100 000000 000000
2022.02.23 11:03:03 101111100001000011000001000000000000000000000000000000000000000000000000000000000011010101111101

 

[lx2005]

I gathered some dsd+ logs...
1. 363.0125MHz a voice call in progress

logs - Pastebin.com

Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.

pastebin.com

2.364.8000MHz another voice call and idle

logs - Pastebin.com

Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.

pastebin.com

I noted in event logs there were no CHs, so calculating LCNs are not possible.
ps.I guess there may be non-standard of modified systems , since in China it's very common...(only guess)

 

[Red_Ice]

I gathered some dsd+ logs...
1. 363.0125MHz a voice call in progress

logs - Pastebin.com

Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.

pastebin.com

2.364.8000MHz another voice call and idle

logs - Pastebin.com

Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.

pastebin.com

I noted in event logs there were no CHs, so calculating LCNs are not possible.
ps.I guess there may be non-standard of modified systems , since in China it's very common...(only guess)

Although the two samples you have put are from a ITII, they indicate different things.

The first one is reporting the data code data, now, we can give two interpretations, the first is the one that reports the DSD+ that I think is wrong, the data reported are:

- Huge network
- Network ID 1
- Area 20
- Site 8

On the other hand, the ETSI presents other different data, since the area is not transmitted:

- Huge network
- Network ID 1
- Site 160

In the other capture you have two different references, the first one is indicated that it is "Open Voice Channel Mode Service" and the second "Parity Check Bit", both are encrypted emergency calls. There is another interesting value that corresponds to the short link control operating code and indicates that it is a addressing of the embedded message data to individual calls.

I hope I helped you.

 

[lx2005]

Although the two samples you have put are from a ITII, they indicate different things.

The first one is reporting the data code data, now, we can give two interpretations, the first is the one that reports the DSD+ that I think is wrong, the data reported are:

- Huge network
- Network ID 1
- Area 20
- Site 8

On the other hand, the ETSI presents other different data, since the area is not transmitted:

- Huge network
- Network ID 1
- Site 160

In the other capture you have two different references, the first one is indicated that it is "Open Voice Channel Mode Service" and the second "Parity Check Bit", both are encrypted emergency calls. There is another interesting value that corresponds to the short link control operating code and indicates that it is a addressing of the embedded message data to individual calls.

I hope I helped you.

You definitely helped me a lot, I'm still a beginner in digital systems. So what's the best way to follow it? DMR OFT or mototrbo(possible?)

 

[Red_Ice]

Motorola Mototrbo is definitely the one with the patent although the DMRA are compatible as well as Hytera with slight variations, for example, in the basic encryption (BP) they are not compatible (Motorola and Hytera), against the other types of encryption (EP, AES ) if they are, another example is the "Capacity Plus" capacity (cap+) of Motorola, the similar in Hytera would be the capacity "extended pseudo trunking" (xpt), which even being different come to present the same solution.

In short, my advice is that you use the one that best suits your interest and program your CC.bat file by adding the -v4 command to report the maximum information, if you also include >log.txt will generate a txt file from the uptake and you can study it, provided you are interested in the information it generates, which is a lot and if you also like the analysis (I am an analyst), you will enjoy a lot.

 

[lx2005]

Now, I am able to program channels in conventional mode. But sometimes it just hang on one frequency, showing color and slot but no audio(data? guess so) Also I don't know how to identify different sites, so I can't program it in trunk. Is there any solutions?

 

[lx2005]

The fact is that all frequencies using the same color code belongs to one site. And I have figured out 2 sites. They all trunktrack flawlessly.
I'll put more details when I'm available later.
BTW: This variant of DT3 systems is so-called 'PDT' system, you can find several LCNS using the lcn finder, and calculate the rest using the calculator on the forum.