L3Harris P25 Phase 2 Call - Source Address Anomaly

[DSheirer]

I'm updating sdrtrunk with TDMA control channel support and I'm testing against a recording I made in Tampa, FL for the Duke Energy system. I'm seeing weird behavior in the decoded messages where sometimes it's using different source address values depending on the messaging.

In the first call sequence (see below), the channel grant message on the control channel and the push-to-talk message on the traffic channel use a source address of zero and the channel user message on the traffic channel shows the (real) source address of 16,429,307.

The second call sequence is where I'm seeing the disconnect. The channel grant and push-to-talk messages show the source address as 9,962,143 and the voice channel user message has a source address of 16,421,848.

This is a clean recording and there are no decoding or CRC errors. Both call sequences (1 and 2) are subsequently repeated in the same recording, with the same results. I've triple checked the message parsing code and I'm confident that it's correct.

Does anyone know if L3Harris systems use some form of source address aliasing (obfuscation?), or some other system feature that might explain why I'm seeing these source address disconnects? The only thing I've found that possibly explains is the TIA-102.BAAC-D section on Source and Destination ID values shows:



Based on this table, in call sequence 2 the 9,962,143 address falls into the 'general use' range and the 16,421,848 address falls into the 'special purposes' range. However, I'd expect that the messaging would consistently use the same source address value throughout the call sequence and not toggle back and forth between two different source radio values for the same call.

Call Sequence 1:
Channel Grant & Push-To-Talk: source address = 0
Voice Channel User: source address = 16,429,307

TS1 LOCCH-U NAC:9/x009 SIGNAL GROUP VOICE CHANNEL GRANT IMPLICIT FM:0 TO:62801 CHAN:8-848 TS2 PRI4 ENCRYPTED CIRCUIT TS2 FACCH-S ACTIVE GROUP VOICE CHANNEL USER ABBREVIATED FM:16429307 TO:62801 PRI4 ENCRYPTED CIRCUIT TS2 FACCH-S ACTIVE L3HARRIS TALKER ALIAS: FL-DCC-0 TS2 FACCH-S PUSH-TO-TALK FM:0 TO:62801 ENCRYPTION:AES-256 KEY:1 MI:DC3DBB634A6981C000 ...(voice omitted) TS2 FACCH-U END PUSH-TO-TALK FM:16777215 TO:62801 NAC:9/x009

Call Sequence 2:
Channel Grant & Push-To-Talk: source address = 9,962,143
Voice Channel User: source address = 16,421,848

TS1 LOCCH-U NAC:9/x009 SIGNAL GROUP VOICE CHANNEL GRANT IMPLICIT FM:9962143 TO:62801 CHAN:8-848 TS2 PRI4 ENCRYPTED CIRCUIT TS2 FACCH-S ACTIVE L3HARRIS TALKER ALIAS: CLWT-23953-B TS2 FACCH-S ACTIVE GROUP VOICE CHANNEL USER ABBREVIATED FM:16421848 TO:62801 PRI4 ENCRYPTED CIRCUIT TS2 FACCH-S PUSH-TO-TALK FM:9962143 TO:62801 ENCRYPTION:AES-256 KEY:1 MI:09D2AD433340735900 TS2 SACCH-S ACTIVE GROUP VOICE CHANNEL USER ABBREVIATED FM:16421848 TO:62801 PRI4 ENCRYPTED CIRCUIT ...(voice omitted) TS2 FACCH-U END PUSH-TO-TALK FM:16777215 TO:62801 NAC:9/x009

Denny

 

[mtindor]

I can tell you this, on the AEP P25 system in Ohio (which is FDMA CC but obviously Phase II P25 voice), if you park on the control channel, the radio IDs are completely different than those same radio IDs when reported on from the voice channels. I don't have a screenshot or log to show you right now. But if memory serves me correctly, the radio IDs of typical radios on the systems start with 98xxxxx when shown while monitoring the CC, and then are 2xx3485 when seen on the voice channel. And on the voice channel, they actually end with the unit number of the vehicle or person (such as 3485), whereas they don't on the control channel.

I noticed this as soon as the AEP L3 Harris system came to town and it drove me crazy for quite a while. I finally came to grips with the fact that I couldn't do anything about it and moved on with life.

I also notice that talker aliases do not show up in the Events window. But I know the system up here uses them because DSDPlus displays them.

 

[lwvmobile]

In the first call sequence (see below), the channel grant message on the control channel and the push-to-talk message on the traffic channel use a source address of zero and the channel user message on the traffic channel shows the (real) source address of 16,429,307.

The second call sequence is where I'm seeing the disconnect. The channel grant and push-to-talk messages show the source address as 9,962,143 and the voice channel user message has a source address of 16,421,848.

Yep. Observed the same phenomena here as well, could never quite figure out the reason. My only thought was that is was regroup related and the SRC/SUID provided is a temporary one from a pool value. I think the SRC=0 value on PTT is due to it using an external site src and the channel update message providing a full SUID value, but I've also seen the other you describe as well, with mismatching SRC values in the PTT and the channel user update.

 

[lwvmobile]

Here is a mismatch of my own from some captures in December:

16:10:23        P25p2 LCCH   MAC_SIGNAL
 Encrypted Circuit Priority 4 Group Voice Channel Grant
  SVC [44] CHAN [82B9] Group [64808] Source [9962643]
  Frequency [855.362500] MHz
 P25 PDU Payload
  [1C][40][44][82][B9][FD][28][98][04][93][08][09]
  [88][88][88][88][88][88][88][01][AE][55][B0][00]
16:10:23        P25p2 LCH 1  MAC_ACTIVE
 MFID A4 (Harris); VCH 1; TG: 0; SRC: 0; Talker Alias: TREN-34343-SBK
 P25 PDU Payload
  [9C][A8][A4][11][54][52][45][4E][2D][33][34][33]
  [34][33][2D][53][42][4B][54][80][00][00][00][00]
16:10:23 Sync: +P25p2 SISCH  WACN [91F14] SYS [2D7] NAC [01A]
16:10:23        P25p2 LCCH   MAC_SIGNAL
 MFID A4 (Harris) Group Regroup Explicit Encryption Command
 Patch Active; SSN: 09; SG: 64809; KEY: 0001; ALG: 84;
  WGID: 62775; WGID: 62776;
 P25 PDU Payload
  [1C][B0][A4][0D][69][FD][29][00][01][84][F5][37]
  [F5][38][08][05][88][88][88][01][A1][D4][A0][00]
16:10:23        P25p2 LCH 1  MAC_ACTIVE
 VCH 1 - TG: 64808; SRC: 16422298;  Encrypted Circuit Priority 4 Group Voice - Abbreviated
 P25 PDU Payload
  [9C][01][44][FD][28][FA][95][9A][00][00][00][00]
  [00][00][00][00][00][00][DE][A0][00][00][00][00]
16:10:23        P25p2 LCCH   MAC_SIGNAL
 Network Status Broadcast - Abbreviated
  LRA [1A] WACN [91F14] SYSID [2D7] NAC [01A] CHAN-T [82B8]
  Frequency [855.362500] MHz
 P25 PDU Payload
  [1C][7B][1A][91][F1][42][D7][82][B8][70][00][1A]
  [08][07][88][88][88][88][88][01][A6][BF][A0][00]
16:10:23        P25p2 LCH 1  MAC_ACTIVE
 MFID A4 (Harris); VCH 1; TG: 64808; SRC: 16422298; Talker Alias: TREN-34343-SBK
 P25 PDU Payload
  [9C][A8][A4][11][54][52][45][4E][2D][33][34][33]
  [34][33][2D][53][42][4B][54][80][00][00][00][00]
16:10:23 Sync: +P25p2 SISCH  WACN [91F14] SYS [2D7] NAC [01A]
16:10:23        P25p2 LCCH   MAC_SIGNAL
 Secondary Control Channel Broadcast - Implicit
  RFSS[026] SITE ID [026] CHAN1 [8314] SSC [04] CHAN2 [848C] SSC [04]
  Frequency [855.937500] MHz
  Frequency [858.287500] MHz
 P25 PDU Payload
  [1C][79][1A][1A][83][14][04][84][8C][04][08][09]
  [88][88][88][88][88][88][88][01][A8][44][B0][00]
16:10:23        P25p2 LCH 1  MAC_ACTIVE
 VCH 1 - TG: 64808; SRC: 16422298;  Encrypted Circuit Priority 4 Group Voice - Abbreviated
 P25 PDU Payload
  [9C][01][44][FD][28][FA][95][9A][00][00][00][00]
  [00][00][00][00][00][00][DE][A0][00][00][00][00]
16:10:23        P25p2 LCCH   MAC_SIGNAL
 MFID A4 (Harris) Group Regroup Explicit Encryption Command
 Patch Active; SSN: 01; SG: 64201; KEY: 0001; ALG: 84;
  WGID: 62208; WGID: 62464; WGID: 62976; WGID: 62720;
 P25 PDU Payload
  [1C][B0][A4][11][61][FA][C9][00][01][84][F3][00]
  [F4][00][F6][00][F5][00][00][01][AB][D1][00][00]
16:10:23        P25p2 LCH 1  MAC_PTT 
 VCH 1 - TG 64808 SRC 9962643
         ALG ID 0x84 KEY ID 0x0001 MI 0x53E6D74749740AFD MPTT
 MAC_PTT_PAYLOAD_F OFFSET: 1 RES: 0
 [24][53][E6][D7][47][49][74][0A][FD][00][84][00]
 [01][98][04][93][FD][28][3F][A0][00][00][00][00]
16:10:23 Sync: +P25p2 SISCH  WACN [91F14] SYS [2D7] NAC [01A]
16:10:23        P25p2 SACCH  MAC_ACTIVE
16:10:23        P25p2 LCCH   MAC_SIGNAL
 Synchronization Broadcast

  Date: 2023.12.03 Time: 14:02:00 UTC
 US: 0; IST: 0; MM: 0; MC: 0; VL: 0; Sync Slots: 28;
 P25 PDU Payload
  [1C][70][09][00][00][2F][83][70][40][1C][08][09]
  [88][88][88][88][88][88][88][01][A2][BA][20][00]
16:10:23        P25p2 LCCH   MAC_SIGNAL
 Group Voice Channel Grant Update - Implicit
  Channel 1 [82B9] Group 1 [64808][FD28]
  Frequency [855.362500] MHz
 P25 PDU Payload
  [1C][42][82][B9][FD][28][82][B9][FD][28][08][09]
  [88][88][88][88][88][88][88][01][A6][78][B0][00]
16:10:23        P25p2 LCH 1  MAC_PTT 
 VCH 1 - TG 64808 SRC 9962643
         ALG ID 0x84 KEY ID 0x0001 MI 0x53E6D74749740AFD MPTT
 MAC_PTT_PAYLOAD_F OFFSET: 0 RES: 0
 [20][53][E6][D7][47][49][74][0A][FD][00][84][00]
 [01][98][04][93][FD][28][44][40][00][00][00][00]
16:10:23 Sync: +P25p2 SISCH  WACN [91F14] SYS [2D7] NAC [01A]
16:10:23        P25p2 LCCH   MAC_SIGNAL
 SNDCP Data Channel Announcement
  AA: 0; RA: 0; DSO: 00; DAC: FFFF; CHAN-T: 0000; CHAN-R: 0000;
 P25 PDU Payload
  [1C][D6][00][40][00][00][00][00][FF][FF][08][09]
  [88][88][88][88][88][88][88][01][A5][D5][C0][00]
16:10:23        P25p2 LCH 1  4V 1
 AMBE 0455644B48B380 err = [0] [0]
 AMBE 84D87993CB4100 err = [0] [0]
 AMBE 647B7F6936D380 err = [0] [0]
 AMBE F6114A97CD5080 err = [0] [0]

16:10:23        P25p2 LCCH   MAC_SIGNAL
 Group Voice Channel Grant Update - Implicit
  Channel 1 [82B9] Group 1 [64808][FD28]
  Frequency [855.362500] MHz
 P25 PDU Payload
  [1C][42][82][B9][FD][28][82][B9][FD][28][08][09]
  [88][88][88][88][88][88][88][01][A6][78][B0][00]
16:10:23        P25p2 LCH 1  4V 2
 AMBE C3C32ADE670580 err = [0] [0]
 AMBE 61FFEDF0F2D800 err = [0] [0]
 AMBE 436D3B58097480 err = [0] [0]
 AMBE 6550BFFADC4C80 err = [0] [0]

16:10:23 Sync: +P25p2 SISCH  WACN [91F14] SYS [2D7] NAC [01A]
16:10:23        P25p2 LCCH   MAC_SIGNAL
 MFID A4 (Harris) Group Regroup Explicit Encryption Command
 Patch Active; SSN: 08; SG: 64808; KEY: 0001; ALG: 84;
  WGID: 62773; WGID: 62774;
 P25 PDU Payload
  [1C][B0][A4][0D][68][FD][28][00][01][84][F5][35]
  [F5][36][08][05][88][88][88][01][A4][7A][80][00]
16:10:23        P25p2 LCH 1  4V 3
 AMBE BA93D101696300 err = [0] [0]
 AMBE 10E8905D6AE000 err = [0] [0]
 AMBE 12F29445DC6300 err = [0] [0]
 AMBE C86A0730D00880 err = [0] [0]

16:10:23        P25p2 LCCH   MAC_SIGNAL
 MFID A4 (Harris); Res: 0; Len: 18; Opcode: 01; 0F110DFFFFFFFFFFFFFFFFFFFFFFFF
 P25 PDU Payload
  [1C][81][A4][12][0F][11][0D][FF][FF][FF][FF][FF]
  [FF][FF][FF][FF][FF][FF][FF][01][A3][62][E0][00]
16:10:23        P25p2 LCH 1  4V 4
 AMBE 442AD7C4494400 err = [0] [0]
 AMBE 79974F5B5E9600 err = [0] [0]
 AMBE 38785F0D9F8B80 err = [0] [0]
 AMBE E6A630BB373E80 err = [0] [0]

16:10:23 Sync: +P25p2 SISCH  WACN [91F14] SYS [2D7] NAC [01A]
16:10:23        P25p2 SACCH  MAC_ACTIVE
 MFID A4 (Harris); VCH 1; TG: 64808; SRC: 9962643; Talker Alias: TREN-34343-SBK
 P25 PDU Payload
  [84][A8][A4][11][54][52][45][4E][2D][33][34][33]
  [34][33][2D][53][42][4B][00][00][00][C8][10][00]
16:10:23        P25p2 LCCH   MAC_SIGNAL
 Group Voice Channel Grant Update - Implicit
  Channel 1 [82B9] Group 1 [64808][FD28]
  Frequency [855.362500] MHz
 P25 PDU Payload
  [1C][42][82][B9][FD][28][82][B9][FD][28][08][09]
  [88][88][88][88][88][88][88][01][A6][78][B0][00]
16:10:23        P25p2 LCCH   MAC_SIGNAL
 MFID A4 (Harris); Res: 0; Len: 7; Opcode: 0F; 0A44800A
 P25 PDU Payload
  [1C][8F][A4][07][0A][44][80][0A][08][0B][88][88]
  [88][88][88][88][88][88][88][01][A8][37][50][00]
16:10:23        P25p2 LCH 1  2V
 AMBE 671B166DD1DF00 err = [0] [0]
 AMBE 803527D335D680 err = [0] [0]

 VCH 1 - ESS_B 840001673EEE7089F19BB800 ERR = 00
 VCH 1 - ALG ID 0x84 KEY ID 0x0001 MI 0x673EEE7089F19BB8 ESSB
16:10:23 Sync: +P25p2 SISCH  WACN [91F14] SYS [2D7] NAC [01A]
16:10:23        P25p2 LCCH   MAC_SIGNAL
 Group Voice Channel Grant Update - Implicit
  Channel 1 [82B9] Group 1 [64808][FD28]
  Frequency [855.362500] MHz
 P25 PDU Payload
  [1C][42][82][B9][FD][28][82][B9][FD][28][08][09]
  [88][88][88][88][88][88][88][01][A6][78][B0][00]
16:10:23        P25p2 LCH 1  4V 1
 AMBE 00D6AEDDCC9B00 err = [0] [0]
 AMBE 214CA37C3C6780 err = [0] [0]
 AMBE 2DE514082FD880 err = [0] [0]
 AMBE 04CD1E411E1080 err = [0] [0]

16:10:23        P25p2 LCCH   MAC_SIGNAL
 MFID A4 (Harris) Group Regroup Explicit Encryption Command
 Patch Active; SSN: 09; SG: 64809; KEY: 0001; ALG: 84;
  WGID: 62775; WGID: 62776;
 P25 PDU Payload
  [1C][B0][A4][0D][69][FD][29][00][01][84][F5][37]
  [F5][38][08][05][88][88][88][01][A1][D4][A0][00]
16:10:23        P25p2 LCH 1  4V 2
 AMBE 9165CADD2A9280 err = [0] [0]
 AMBE B37254DBD4D800 err = [0] [0]
 AMBE 47F206AC33D300 err = [0] [0]
 AMBE 45D6C654414C80 err = [0] [0]

16:10:23 Sync: +P25p2 SISCH  WACN [91F14] SYS [2D7] NAC [01A]
16:10:23        P25p2 LCCH   MAC_SIGNAL
 RFSS Status Broadcast - Implicit
  LRA [1A] SYSID [2D7] RFSS ID [026] SITE ID [026] CHAN [82B8] SSC [70]
  Frequency [855.362500] MHz
 P25 PDU Payload
  [1C][7A][1A][32][D7][1A][1A][82][B8][70][08][09]
  [88][88][88][88][88][88][88][01][A8][E9][B0][00]
16:10:23        P25p2 LCH 1  4V 3
 AMBE 15A647C6765500 err = [0] [0]
 AMBE A79946D0FE3B80 err = [0] [0]
 AMBE 1A1717F5AA6000 err = [0] [0]
 AMBE 5FA9E977057F00 err = [0] [0]

16:10:23        P25p2 LCCH   MAC_SIGNAL
 Group Voice Channel Grant Update - Implicit
  Channel 1 [82B9] Group 1 [64808][FD28]
  Frequency [855.362500] MHz
 P25 PDU Payload
  [1C][42][82][B9][FD][28][82][B9][FD][28][08][09]
  [88][88][88][88][88][88][88][01][A6][78][B0][00]
16:10:23        P25p2 LCH 1  4V 4
 AMBE 3B3B6C746A5900 err = [0] [0]
 AMBE B3C980F0BC6F00 err = [0] [0]
 AMBE 9C3972E48CC380 err = [0] [0]
 AMBE BC9CC6C2485280 err = [0] [0]

16:10:23 Sync: +P25p2 SISCH  WACN [91F14] SYS [2D7] NAC [01A]
16:10:23        P25p2 SACCH  MAC_ACTIVE
 VCH 1 - TG: 64808; SRC: 16422298;  Encrypted Circuit Priority 4 Group Voice - Abbreviated
 P25 PDU Payload
  [84][01][44][FD][28][FA][95][9A][00][00][00][00]
  [00][00][00][00][00][00][00][00][00][F1][A0][00]

MAC_PTT SRC value indicated is 9962643, Channel User SRC value indicated is 16422298.