P25 TDMA Control Channel decoding -- requesting help from experts

[btt]

Yes, that data dump was extracted from a demod/decode of

1R-DSDPlus-Raw-Input_2021-07-19@235920.zip

Interesting. Here is a decode showing the MCO. It is always 0. Only had one crc error in that file. I would think I might have changed something, but the same code decodes voice and broadcasts from other files I have. Not sure what I'm missing. Thanks for the reply.

 

[nd5y]

If it really is a Harris, the system will likely cycle between all available CCs - several times per day is not out of the question...

Most of the AEP sites I have seen don't rotate control channels very often if at all.

 

[ScannerDude244]

Here's the (provisional) list of secondary Control Channel frequencies from this system

secondary control channel(s): 855.862500,857.312500,858.362500

If it really is a Harris, the system will likely cycle between all available CCs - several times per day is not out of the question...

My local harris system p1 normally cycles CC's every few days or some times it will go multiple times in one day.

 

[maus92]

Here's the (provisional) list of secondary Control Channel frequencies from this system

secondary control channel(s): 855.862500,857.312500,858.362500

If it really is a Harris, the system will likely cycle between all available CCs - several times per day is not out of the question...

The WACN certainly screams Harris.

 

[ralexander5]

testing a lightly hacked version of OP25... The secondary CC logic is not yet done, nor is the non-TDMA identifier update logic, but here is a summary of the CC (if someone with knowledge of the system could confirm any/all of this, that would be helpful).

I can confirm several of sites identified are local to me in Corpus Christi area and can be received. I have placed wav files for 4 of the sites on cloud drive and will ask Mike to pull and put in accessible location.

 

[mtindor]

I can confirm several of sites identified are local to me in Corpus Christi area and can be received. I have placed wav files for 4 of the sites on cloud drive and will ask Mike to pull and put in accessible location.

I will do that as soon as I get the details from you (I don't think I see them in the last folder). Thanks, Bob, for the signal captures!

Mike

 

[mtindor]

Most of the AEP sites I have seen don't rotate control channels very often if at all.

The "standard" sites up here seem to rotate, but I haven't pinned down an exact timeframe of when they do. At least every couple weeks they do.

 

[mtindor]

Hi Folks,

It has been reported that some suspect portions of the new AEP P25 multi-state system (a Harris P25 system) being built out, specifically some sites in Texas at this point, are using the P25 TDMA control channel format. I am not aware of any publicly available software that can decode this "new" type of control channel and thus am starting a thread here to encourage those who can (i.e. those who know what the hell they are doing) to attempt to try and pick apart the datastream and make sense of it. As new sources of raw audio are provided by people, I'll try to add those links to this thread if nobody else does.

To be clear, nobody can even confirm at this point that this is a P25 TDMA control channel, but all signs certainly are pointing to it and thus there is good reason to believe that it is a P25 TDMA control channel.

1. @ralexander5 original post: American Electric Power P25 WACN 92715

2. The raw audio posted by @ralexander5 is attached to this post and can also be fetched here: Index of /p25tdmacc

3. And what little is known (publicly, or at least by me) thus far about the datastream in that raw audio

The P25 audio sample received yesterday is from a Phase II signal that
is broadcasting D1 (hex) DUID values.

Raw 320 bit data units:

C774690346444760C2983B685718201A222222200A00696D92563E8AA51468540C882291BACFE689
C720690302444360C2983F2853608068888888802C01F5B74958FA2A9451A1503224DB46EB3F9E75
C7358010000000003FDFF08098888888888888802C0BC965FA432C5F617313EDB8587BAAAEAEB6A5
C71E4B0B20C28120FC90408098888888888888802C138492A212E905ABF24081189EAF1762A29F11
C71EC1249C547E2096970002C0807888888888802C1DDD3923DF195DBE75D1C3093D0155F4FA3481
C71E4B0B21268120C290408098888888888888802C28E090CA4C24C42EA0C2A59FD266EA79409EE9
C71E0103CB0D83CB0D90108098888888888888802C6C40C5F9EDB174109372EE3F116D2ED1F78531
C71E4B0B20FC81212690408098888888888888802C7A4A05D41E7953C809A0AB00056228581D15C1
C723E901C28980028210B88888888888888888802CAF0ACFD60E2B68558591CD866DCE13D13E2F05
C71E810C7E0B0B209697008098888888888888802CED5A399C5996B544C991A06AF7BD944B002DD5

The first half of each data block appears to be a payload, with the
second half containing forward error correction data.

Payloads with embedded DUID bits removed:

1DD1A40D19111D830A83B685718201A222222200A0
1C81A40C09110D830A83F2853608068888888802C0
1CD6004000000000FFFF08098888888888888802C0
1C792C2C830A0483F20408098888888888888802C1
1C7B04927151F8825A70002C0807888888888802C1
1C792C2C849A04830A0408098888888888888802C2
1C78040F2C360F2C360108098888888888888802C6
1C792C2C83F204849A0408098888888888888802C7
1C8FA4070A26000A080B88888888888888888802CA
1C7A0431F82C2C825A7008098888888888888802CE

Hopefully as time goes on we will get more raw audio submissions (enough for those developer guys who know how to pick apart datastreams to make use of), and hopefully some of the savvy coders of decoding apps (like OP25, DSD, DSDPlus, Unitrunker, etc) can/will attempt to participate in the thread and attempt to ultimately add support for this type of control channel to their product.

I would be remiss if i did not mention that it was the DSDPlus team that actually provided this original info above and sent it to me. So basically, @nd5y figured out what was going on first (when I was in denial and scoffed it off), @ralexander5 provided captures, and the DSDPlus folks provided us all with some starting data to provide everyone the confidence moving forward that this was indeed a P25 TDMA CC.

I can't believe how quickly the community of developers have jumped on this though. You guys all rock. My hobby would suck without all you software developers pushing the envelope!

Mike

 

[mtindor]

Here are some new site captures for you developers:

Index of /p25tdmacc

Beeville-42-1R-DSDPlus-Raw-Input_2021-07-21\@214754.zip
Alice-41-1R-DSDPlus-Raw-Input_2021-07-21\@214551.zip
Corpus-14-1R-DSDPlus-Raw-Input_2021-07-21\@214937.zip
Freer-52-1R-DSDPlus-Raw-Input_2021-07-21\@215149.zip

 

[btt]

Here are some new site captures for you developers:

Index of /p25tdmacc

Beeville-42-1R-DSDPlus-Raw-Input_2021-07-21\@214754.zip
Alice-41-1R-DSDPlus-Raw-Input_2021-07-21\@214551.zip
Corpus-14-1R-DSDPlus-Raw-Input_2021-07-21\@214937.zip
Freer-52-1R-DSDPlus-Raw-Input_2021-07-21\@215149.zip

They all decode ok here. All idle channels with no voice. The only opcodes are MAC IDLE for all 4 files.

 

[mtindor]

They all decode ok here. All idle channels with no voice. The only opcodes are MAC IDLE for all 4 files.

I sorta didn't expect them to have any "additional" info that the others had, given the system the captures came from and the time of day and lack of inclement weather. But its good to have a few samples out there. Besides, I'm thinking that as you guys all progress, some more decodes of CC / VC / NAC / Site ID / peers might be posted (as Max did with the last one). That at least helps us (RR) to verify some new sites and get them added to the DB, even if nobody (except you developers) can currently copy them lol.

Mike

 

[btt]

I sorta didn't expect them to have any "additional" info that the others had, given the system the captures came from and the time of day and lack of inclement weather. But its good to have a few samples out there. Besides, I'm thinking that as you guys all progress, some more decodes of CC / VC / NAC / Site ID / peers might be posted (as Max did with the last one). That at least helps us (RR) to verify some new sites and get them added to the DB, even if nobody (except you developers) can currently copy them lol.

Mike

I can verify that those NAC values (decimal) are correct. I'm still trying to figure out how to get the peers out of there...

 

[mtindor]

I can verify that those NAC values (decimal) are correct. I'm still trying to figure out how to get the peers out of there... It must be something different than the standard broadcast messages.

I'm sure you will figure it out. Based upon previous output you had posted much earlier in the thread, I'm betting you'll have some 'ahah' moment and suddenly you'll have full decodes. Thanks for being one of those developers who is willing to work on it!

 

[mtindor]

I did? I mentioned him, but never said I was contacting him. I guess he'll get pinged now from this thread.

I misunderstood. You know that happens a lot.

 

[GTR8000]

Yeah, well...🤐

I'm sure he'll stumble upon this thread at some point, and/or someone will give him a heads up if he doesn't.

 

[boatbod]

If someone who has receive capability for one of these tdma control channels can also run op25 using the changes I committed this morning, I would be very interested to see if it logs any activity (-v 11) if parked on the control channel. The LCCH(OECI) should follow the same basic format as an S-ACCH(OEMI) so there is a good chance something positive might happen.

 

[mtindor]

If someone who has receive capability for one of these tdma control channels can also run op25 using the changes I committed this morning, I would be very interested to see if it logs any activity (-v 11) if parked on the control channel. The LCCH(OECI) should follow the same basic format as an S-ACCH(OEMI) so there is a good chance something positive might happen.

For anyone in Texas wanting to help @boatbod, you will probably have the best luck if you are within earshot of the following sites (with their last known CCs). And remember, he is asking for you to use his particular modified OP25 version, which means you may have ask him how to go about getting it.

08.08 859.7875 (Fannin or El Campo)
14.14 855.3125 (Kenedy or Rio Grande City)
41.41 854.9125 (Alice)
42.42 854.8125 (Beeville)
43.43 854.9375 (Refugio)
44.44 854.7625 (George West)
52.52 854.0875 (Freer)

 

[nd5y]

If someone who has receive capability for one of these tdma control channels can also run op25 using the changes I committed this morning, I would be very interested to see if it logs any activity (-v 11) if parked on the control channel. The LCCH(OECI) should follow the same basic format as an S-ACCH(OEMI) so there is a good chance something positive might happen.

I'll try it again if somebody can point me to a source of recent instructions.
All the info I could find was how to run it on a Raspberry Pi and SDR dongle. I need to know what magic command line switches to use to get it to use discriminator audio from the default sound device on a PC, if that's even possible.

 

[mtindor]

I'll try it again if somebody can point me to a source of recent instructions.
All the info I could find was how to run it on a Raspberry Pi with and SDR dongle. I need to know what magic command line switches to use to get it to use discriminator audio from the default sound device on a PC, if that's even possible.

You'll have to compile a special version, and then run it. And the details for doing that should probably occur in another thread. ( @boatbod -- if you are going to entertain helping people to get set up for OP25 and to compile your version, please consider opening another thread for that). I can't stop you from doing it here, but it sure could turn into a cluttered mess if there are a lot of OP25-compile-n-run posts inside this thread.

Thanks

 

[KQA726]

Any verdict yet? So is this taking a P25 signal and then doing a DMR-type slice on top of that where you cut that into two 'channels' of data? How much more overly complex and 'digital sounding' can one make it?
I'm almost ready to give-up the hobby now as my ears barely work okay on analog audio signals, but my hearing is compromised on P25 simulcast audio to where scanning isn't any fun anymore if you have to "squint" to hear what is being said.