P25 Motorola 0x90 Link Control Opcode 0x15 & 0x17 - Radio Reprogram?

DSheirer

I'm seeing these unknown link control messages carried in a contiguous chunk of TDULC messaging on some Phase 1 traffic channels. In both examples, it was immediately following an AES-256 encrypted group call.

Within sdrtrunk I'm calling these RADIO REPROGRAM, but I'm not yet certain of the function.

Code:
NAC:449/x1C1 LDU1  VOICE LSD:C9C2 GROUP VOICE CHANNEL USER FM:80331 TO:4073 SERVICE OPTIONS:PRI4 ENCRYPTED CIRCUIT	1	1	0
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM HEADER TG:4073 RECORD COUNT:6 SEQUENCE:11 MSG:15900FE9060100B05A	1	1	0
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:1 OF SEQUENCE:11 MSG:179001BBEE001C7013
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:2 OF SEQUENCE:11 MSG:179002B9CB7D5F2D48
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:3 OF SEQUENCE:11 MSG:179003B23695F7ED49
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:4 OF SEQUENCE:11 MSG:179004B9EA998F8748
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:5 OF SEQUENCE:11 MSG:179005BE6DAB167FAC
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:6 OF SEQUENCE:11 MSG:179006B15EC2C6222E

LCO 0x15 seems to be a header and LCO 0x17 seems to be a variable length message fragment.

When I combine the fragments, they seem to start with addressing the fully qualified subscriber (wacn, system, address) that was talking in the preceding encrypted call. The two examples I have are:

Example 1:
Code:
BEE001C70139CB7D5F2D4823695F7ED499EA998F8748E6DAB167FAC15EC2C6222E

WACN:         BEE00 
SYSTEM:     1C7 
ADDRESS:  0139CB (corresponds to radio 80331 that just completed an AES256 encrypted call)
UNKNOWN: 7D5F2D4823695F7ED499EA998F8748E6DAB167FAC15EC2C6222E

Example 2:
Code:
BEE002AEE6785283ED1081E33C03E9B3E35647DE0C00C8A83E351E4079F592CF3794B30000000

WACN:         BEE00 
SYSTEM:     2AE 
ADDRESS:  E67852 (corresponds to radio 15104082 that just completed an AES256 encrypted call)
UNKNOWN: 83ED1081E33C03E9B3E35647DE0C00C8A83E351E4079F592CF3794B30000000

I wonder if this might be an OTA encryption update? Any ideas?

Denny
 

Unitrunker2

Code:
NAC:449/x1C1 LDU1  VOICE LSD:C9C2 GROUP VOICE CHANNEL USER FM:80331 TO:4073 SERVICE OPTIONS:PRI4 ENCRYPTED CIRCUIT    1    1    0
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM HEADER TG:4073 RECORD COUNT:6 SEQUENCE:11 MSG:15900FE9060100B05A    1    1    0
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:1 OF SEQUENCE:11 MSG:179001BBEE001C7013
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:2 OF SEQUENCE:11 MSG:179002B9CB7D5F2D48
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:3 OF SEQUENCE:11 MSG:179003B23695F7ED49
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:4 OF SEQUENCE:11 MSG:179004B9EA998F8748
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:5 OF SEQUENCE:11 MSG:179005BE6DAB167FAC
NAC:449/x1C1 TDULC MOTOROLA RADIO REPROGRAM RECORD:6 OF SEQUENCE:11 MSG:179006B15EC2C6222E
You can see what I call the sequence number and session in the third / fourth bytes.
 

Unitrunker2

Example:

Code:
23:01:36.663 137 F LC 17 90 01 5B EE 09 13 EA 15 Extended Function Motorola Op 0 Seq 1 Session 5 WACN BEE09 Sys 13E ok
23:01:36.699 137 F LC 17 90 02 55 33 7D 4F 67 B8 Extended Function Motorola Op 0 Seq 2 Session 5 I A15533 ok
23:01:36.733 137 F LC 17 90 03 5D E9 98 44 E7 99 Extended Function Motorola Op 0 Seq 3 Session 5 ok
23:01:36.797 137 F LC 17 90 04 56 B1 FB 62 15 7A Extended Function Motorola Op 0 Seq 4 Session 5 ok
23:01:36.832 137 F LC 17 90 05 53 3E 2D 94 3E A3 Extended Function Motorola Op 0 Seq 5 Session 5 ok
23:01:36.867 137 F LC 17 90 06 51 9F 49 B2 BC 5D Extended Function Motorola Op 0 Seq 6 Session 5 ok

High nibble of 3rd octet always zero (so far). Lower nibble of 3rd octet as sequence digit. Upper nibble of 4th octet as the "session". Messages with consecutive sequences seem to share the same session digit. Another example:

Code:
22:57:54.643 137 F LC 17 90 01 CB EE 09 13 EA 15 Extended Function Motorola Op 0 Seq 1 Session C WACN BEE09 Sys 13E ok
22:57:54.678 137 F LC 17 90 02 C4 E4 83 34 1D 06 Extended Function Motorola Op 0 Seq 2 Session C I A154E4 ok
22:57:54.713 137 F LC 17 90 03 C7 DA 9E C3 83 09 Extended Function Motorola Op 0 Seq 3 Session C ok
22:57:54.778 137 F LC 17 90 04 C2 33 9B F6 26 BA Extended Function Motorola Op 0 Seq 4 Session C ok
22:57:54.814 137 F LC 17 90 05 C9 1D E4 2C 1A 86 Extended Function Motorola Op 0 Seq 5 Session C ok
22:57:54.848 137 F LC 17 90 06 C4 AA 68 BD 4B D4 Extended Function Motorola Op 0 Seq 6 Session C ok
22:57:54.910 137 F LC 17 90 07 CC D7 C0 00 00 00 Extended Function Motorola Op 0 Seq 7 Session C ok
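
Added example (not code from sdrtrunk, Unitrunker, or any poster in this thread): Python that reassembles the LCO 0x17 fragments using the sequence and session nibbles described above, then splits the result into the WACN / system / address fields from the first post. The header offsets for talkgroup, record count and sequence nibble are assumptions inferred from the decoded log lines, and all function names are hypothetical.

```python
# Added example: field offsets are inferred from the captures quoted in this thread.
HEADER = "15900FE9060100B05A"   # LCO 0x15 header, copied from the first capture
RECORDS = [                     # LCO 0x17 fragments from the same capture
    "179001BBEE001C7013", "179002B9CB7D5F2D48", "179003B23695F7ED49",
    "179004B9EA998F8748", "179005BE6DAB167FAC", "179006B15EC2C6222E",
]

def parse_header(msg):
    b = bytes.fromhex(msg)
    if len(b) != 9 or b[0] != 0x15 or b[1] != 0x90:
        raise ValueError("not a Motorola (0x90) LCO 0x15 header")
    # Assumed layout: bytes 2-3 talkgroup, byte 4 record count,
    # high nibble of byte 7 = the value the fragments carry as "session".
    return {"talkgroup": int.from_bytes(b[2:4], "big"),
            "record_count": b[4],
            "session": b[7] >> 4}

def parse_record(msg):
    b = bytes.fromhex(msg)
    if len(b) != 9 or b[0] != 0x17 or b[1] != 0x90:
        raise ValueError("not a Motorola (0x90) LCO 0x17 fragment")
    # Low nibble of 3rd octet = sequence, high nibble of 4th octet = session;
    # the remaining 11 hex digits are the payload.
    return {"seq": b[2] & 0x0F, "session": b[3] >> 4, "payload": msg[7:].upper()}

def reassemble(header, records):
    hdr = parse_header(header)
    parts = {}
    for msg in records:
        rec = parse_record(msg)
        if rec["session"] != hdr["session"]:
            raise ValueError("fragment belongs to a different session")
        if rec["seq"] in parts:
            raise ValueError("duplicate fragment %d" % rec["seq"])
        parts[rec["seq"]] = rec["payload"]
    expected = list(range(1, hdr["record_count"] + 1))
    if sorted(parts) != expected:
        raise ValueError("missing or unexpected fragment")
    return "".join(parts[n] for n in expected)

def split_fields(payload):
    # 20-bit WACN, 12-bit system, 24-bit address, remainder undecoded.
    return {"wacn": payload[:5], "system": payload[5:8],
            "address": int(payload[8:14], 16), "unknown": payload[14:]}

if __name__ == "__main__":
    print(split_fields(reassemble(HEADER, RECORDS)))
```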
 

tadsmith

It was previously mentioned that they may be some sort of encoded OTA alias update?


I see quite a few of them and I can't seem to find any correlation to recent encrypted group calls. I'm also 99% sure the systems that I monitor have not implemented OTAR.

In many instances, it appears that the first 20-30 bits of the "content" of the packets is identical for messages being sent to the same TG.

MOTOROLA RADIO REPROGRAM HEADER TG:11560 RECORD COUNT:6 SEQUENCE:8 MSG:15902D280601008497
MOTOROLA RADIO REPROGRAM RECORD:1 OF SEQUENCE:8 MSG:1790018BEE0740F04E WACN:BEE07 SYSID:40F RID(1/2):04E
MOTOROLA RADIO REPROGRAM RECORD:2 OF SEQUENCE:8 MSG:17900280172D21681A RID(2/2):017 STRING:2D21681A
MOTOROLA RADIO REPROGRAM RECORD:3 OF SEQUENCE:8 MSG:17900381B52FFBFBFE STRING:1B52FFBFBFE
MOTOROLA RADIO REPROGRAM RECORD:4 OF SEQUENCE:8 MSG:1790048E53D2A5ADB9 STRING:E53D2A5ADB9
MOTOROLA RADIO REPROGRAM RECORD:5 OF SEQUENCE:8 MSG:1790058561CADF4D95 STRING:561CADF4D95
MOTOROLA RADIO REPROGRAM RECORD:6 OF SEQUENCE:8 MSG:17900685EBF1CB0000 STRING:5EBF1CB0000

MOTOROLA RADIO REPROGRAM HEADER TG:11560 RECORD COUNT:6 SEQUENCE:0 MSG:15902D2806010005DE
MOTOROLA RADIO REPROGRAM RECORD:1 OF SEQUENCE:0 MSG:1790010BEE0740F04E WACN:BEE07 SYSID:40F RID(1/2):04E
MOTOROLA RADIO REPROGRAM RECORD:2 OF SEQUENCE:0 MSG:17900200DD2D21681A RID(2/2):0DD STRING:2D21681A
MOTOROLA RADIO REPROGRAM RECORD:3 OF SEQUENCE:0 MSG:17900301B52FFBFBFE STRING:1B52FFBFBFE
MOTOROLA RADIO REPROGRAM RECORD:4 OF SEQUENCE:0 MSG:1790040E53FE86BEF7 STRING:E53FE86BEF7
MOTOROLA RADIO REPROGRAM RECORD:5 OF SEQUENCE:0 MSG:17900508FD5AB910B2 STRING:8FD5AB910B2
MOTOROLA RADIO REPROGRAM RECORD:6 OF SEQUENCE:0 MSG:1790060376F9D80000 STRING:376F9D80000
 

GTR8000

ASTRO 25 OTA Aliases. The subscriber aliases from Provisioning Manager (PM) are encoded over the traffic channels with each transmission, and can be decoded by the receiving APX subscribers that have the Group Services option, and are stored in the codeplug's UCL (Unified Call List). These apply to both FDMA and TDMA ASTRO 25 talkgroups, as long as the option is enabled within the core (not all systems are capable of the feature or have it enabled if capable).
 