P25 TDMA Control Channel decoding -- requesting help from experts

[btt]

Ok, was finally able to figure out the base frequency and offsets so I can help verify the site summaries. I still haven't figured out the CRC, so this summary has an X at the end of the line if it occurred multiple times in the file, or (not confident) if it wasn't consistent. I've also attached the updated burst sample file.

./tdma_test <Alice-41-1R-DSDPlus-Raw-Input_2021-07-21\@214551.wav |grep site|sort|uniq
site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8 X
site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8 X
site_44_freq: 854.762500, rfss: 44, sys_id: 0x1f8 X
site_49_freq: 855.287500, rfss: 49, sys_id: 0x1f8 X
site_51_freq: 857.412500, rfss: 51, sys_id: 0x1f8 X
site_52_freq: 854.087500, rfss: 52, sys_id: 0x1f8 X
site_57_freq: 855.062500, rfss: 57, sys_id: 0x1f8 X
site_59_freq: 856.137500, rfss: 59, sys_id: 0x1f8 X

./tdma_test <GW-1R-DSDPlus-Raw-Input_2021-07-21\@084542.wav |grep site|sort|uniq
site_8_freq: 859.787500, rfss: 8, sys_id: 0x1f8 X
site_14_freq: 855.312500, rfss: 14, sys_id: 0x1f8 X
site_41_freq: 854.912500, rfss: 41, sys_id: 0x1f8 X
site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8 X
site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8 X
site_45_freq: 854.912500, rfss: 41, sys_id: 0x1f8 (not confident)
site_52_freq: 854.087500, rfss: 52, sys_id: 0x1f8 X
site_53_freq: 854.212500, rfss: 53, sys_id: 0x1f8 X
site_57_freq: 855.062500, rfss: 57, sys_id: 0x1f8 X

./tdma_test <Corpus-14-1R-DSDPlus-Raw-Input_2021-07-21\@214937.wav |grep site|sort|uniq
site_8_freq: 857.312500, rfss: 8, sys_id: 0x1f8 (not confident)
site_13_freq: 854.787500, rfss: 13, sys_id: 0x1f8 X
site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8 X
site_42_freq: 855.212500, rfss: 42, sys_id: 0x1f8 (not confident)
site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8 X
site_44_freq: 854.762500, rfss: 44, sys_id: 0x1f8 X
site_114_freq: 855.262500, rfss: 114, sys_id: 0x1f8 X

/tdma_test <Freer-52-1R-DSDPlus-Raw-Input_2021-07-21\@215149.wav |grep site|sort|uniq
site_41_freq: 854.912500, rfss: 41, sys_id: 0x1f8 X
site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8 X
site_44_freq: 854.762500, rfss: 44, sys_id: 0x1f8 X
site_49_freq: 855.287500, rfss: 49, sys_id: 0x1f8 X
site_51_freq: 857.412500, rfss: 51, sys_id: 0x1f8 X
site_53_freq: 854.212500, rfss: 53, sys_id: 0x1f8 X
site_58_freq: 854.437500, rfss: 58, sys_id: 0x1f8 X
site_59_freq: 856.137500, rfss: 59, sys_id: 0x1f8 X

/tdma_test <Beeville-42-1R-DSDPlus-Raw-Input_2021-07-21\@214754.wav |grep site|uniq
site_114_freq: 855.262500, rfss: 114, sys_id: 0x1f8 X
site_13_freq: 854.787500, rfss: 13, sys_id: 0x1f8 X
site_14_freq: 855.312500, rfss: 14, sys_id: 0x1f8 X
site_41_freq: 854.912500, rfss: 41, sys_id: 0x1f8 (not confident)
site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8 X
site_44_freq: 854.762500, rfss: 44, sys_id: 0x1f8 X
site_52_freq: 854.087500, rfss: 52, sys_id: 0x1f8 X
site_57_freq: 855.062500, rfss: 57, sys_id: 0x1f8 X
site_8_freq: 857.312500, rfss: 8, sys_id: 0x1f8 X

 

[mtindor]

Ok, was finally able to figure out the base frequency and offsets so I can help verify the site summaries. I still haven't figured out the CRC, so this summary has an X at the end of the line if it occurred multiple times in the file, or (not confident) if it wasn't consistent. I've also attached the updated burst sample file.

./tdma_test <Alice-41-1R-DSDPlus-Raw-Input_2021-07-21\@214551.wav |grep site|sort|uniq
site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8 X
site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8 X
site_44_freq: 854.762500, rfss: 44, sys_id: 0x1f8 X
site_49_freq: 855.287500, rfss: 49, sys_id: 0x1f8 X
site_51_freq: 857.412500, rfss: 51, sys_id: 0x1f8 X
site_52_freq: 854.087500, rfss: 52, sys_id: 0x1f8 X
site_57_freq: 855.062500, rfss: 57, sys_id: 0x1f8 X
site_59_freq: 856.137500, rfss: 59, sys_id: 0x1f8 X

./tdma_test <GW-1R-DSDPlus-Raw-Input_2021-07-21\@084542.wav |grep site|sort|uniq
site_8_freq: 859.787500, rfss: 8, sys_id: 0x1f8 X
site_14_freq: 855.312500, rfss: 14, sys_id: 0x1f8 X
site_41_freq: 854.912500, rfss: 41, sys_id: 0x1f8 X
site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8 X
site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8 X
site_45_freq: 854.912500, rfss: 41, sys_id: 0x1f8 (not confident)
site_52_freq: 854.087500, rfss: 52, sys_id: 0x1f8 X
site_53_freq: 854.212500, rfss: 53, sys_id: 0x1f8 X
site_57_freq: 855.062500, rfss: 57, sys_id: 0x1f8 X

./tdma_test <Corpus-14-1R-DSDPlus-Raw-Input_2021-07-21\@214937.wav |grep site|sort|uniq
site_8_freq: 857.312500, rfss: 8, sys_id: 0x1f8 (not confident)
site_13_freq: 854.787500, rfss: 13, sys_id: 0x1f8 X
site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8 X
site_42_freq: 855.212500, rfss: 42, sys_id: 0x1f8 (not confident)
site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8 X
site_44_freq: 854.762500, rfss: 44, sys_id: 0x1f8 X
site_114_freq: 855.262500, rfss: 114, sys_id: 0x1f8 X

/tdma_test <Freer-52-1R-DSDPlus-Raw-Input_2021-07-21\@215149.wav |grep site|sort|uniq
site_41_freq: 854.912500, rfss: 41, sys_id: 0x1f8 X
site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8 X
site_44_freq: 854.762500, rfss: 44, sys_id: 0x1f8 X
site_49_freq: 855.287500, rfss: 49, sys_id: 0x1f8 X
site_51_freq: 857.412500, rfss: 51, sys_id: 0x1f8 X
site_53_freq: 854.212500, rfss: 53, sys_id: 0x1f8 X
site_58_freq: 854.437500, rfss: 58, sys_id: 0x1f8 X
site_59_freq: 856.137500, rfss: 59, sys_id: 0x1f8 X

/tdma_test <Beeville-42-1R-DSDPlus-Raw-Input_2021-07-21\@214754.wav |grep site|uniq
site_114_freq: 855.262500, rfss: 114, sys_id: 0x1f8 X
site_13_freq: 854.787500, rfss: 13, sys_id: 0x1f8 X
site_14_freq: 855.312500, rfss: 14, sys_id: 0x1f8 X
site_41_freq: 854.912500, rfss: 41, sys_id: 0x1f8 (not confident)
site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8 X
site_44_freq: 854.762500, rfss: 44, sys_id: 0x1f8 X
site_52_freq: 854.087500, rfss: 52, sys_id: 0x1f8 X
site_57_freq: 855.062500, rfss: 57, sys_id: 0x1f8 X
site_8_freq: 857.312500, rfss: 8, sys_id: 0x1f8 X

Thank you!

 

[slicerwizard]

Note that there could be some bit errors in there due to the CRC not being figured out yet (not by me anyway).

The 02C DCC values are followed by a 16 bit CRC. It should be identical to the 16 bit CRC used in P25p1 CC messages.

 

[btt]

The 02C DCC values are followed by a 16 bit CRC. It should be identical to the 16 bit CRC used in P25p1 CC messages.

Thanks. Been trying that, but no luck so far. Also, I did finally realize that the OSP messages are all documented already. Just needed to mask off the opcode bits with 0x3c. Need to figure out the crc and the rest should be pretty easy I think. Are you running the 16-bit crc over 21 bytes?

 

[slicerwizard]

Docs say the CRC16 covers the preceding 20.5 bytes (164 bits)

I haven't tried it. I'll give it a go on the data in the first post.

 

[btt]

Here is an example of a 22.5 byte type-13 (0x0d) adjacent-broadcast burst (including 12 bits of crc at the end) that occurs multiple times, so pretty confident it is correct. The last octets 0x8a,0x30 should be the 12-bit crc (0x8a3). The 12-bit crc of the first 21 bytes calculates as 0x751, so fails. I've tried a lot of variations including trying a standard 16-bit CRC, but no luck. Any hints?

0x1c,0x7c,0x04,0x31,0xf8,0x2b,0x2b,0x82,0x76,0x70,0x08,0x09,0x88,0x88,0x88,0x88,0x88,0x88,0x88,0x02,0xc3,0x8a,0x30,

Ignoring the CRC, this would decode as (with base freq of 851000000 known from another burst (TDMA IDEN)):

P25_PII: Adjacent Broadcast Abv: site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8 (from the first 0x02c file)

 

[wgbecks]

Is there anyone located within radio range of this system that can make an approximate 15-30 seconds IQ capture file using the record function
available from FMP24 or FMPA associated with their DSDPlus FL instllation?

Thanks!

Bill

 

[KA1RBI]

The 12-bit crc ..... fails. I've tried a lot of variations including trying a standard 16-bit CRC, but no luck. Any hints?
(snipped)

It's not a 12-bit CRC.

FWIW, the method used in OP25 is to compute the CRC16 over the entire 22.5 byte (180 bit) message. If the message has correct CRC, the result of the computation is zero... Also it should be noted that the "CRC16" defined in P25 is not to be confused with the standard CCITT CRC-16 algo.

 

[KA1RBI]

Is there anyone located within radio range of this system that can make an approximate 15-30 seconds IQ capture file using the record function available from FMP24 or FMPA associated with their DSDPlus FL instllation?

Hi Bill

It's possible that mtindor already has such a file - he posted a file with a ".iq" extension but later removed it. I looked at it but apparently missed a key step in decoding it.

In any case - with the WAV files that have been posted, they contain most everything one might want in terms of understanding the TDMA CC. We would like to see something that contains channel voice grants for example, as well as a lot of the other miscellany that fills up a typical CC.

At this time (could be wrong) but don't feel that an I/Q capture would show us anything that isn't already known. The modulation is the same as TDMA voice channels -- "CQPSK" (sic) at 6,000 symbol rate.

73

Max

 

[slicerwizard]

Need to figure out the crc and the rest should be pretty easy I think. Are you running the 16-bit crc over 21 bytes?

From the second entry in post #1 (I didn't use the first as it looks like a bad decode):

C 720690302444360C2983F2853608068888888802C 01F5 B74958FA2A9451A1503224DB46EB3F9E75


RX 20.5 payload bytes (164 bits): 720690302444360C2983F2853608068888888802C

RX CRC16: 01F5


16 bit CRC of 164 payload bits using feedback/xor of 0x1021: FE0A

FE0A xor FFFF: 01F5

CRC MATCH

 

[btt]

It's not a 12-bit CRC.

FWIW, the method used in OP25 is to compute the CRC16 over the entire 22.5 byte (180 bit) message. If the message has correct CRC, the result of the computation is zero... Also it should be noted that the "CRC16" defined in P25 is not to be confused with the standard CCITT CRC-16 algo.

Thank you sir! That worked.

Updated decode with the crc16 check in place.

./tdma_test < GW-1R-DSDPlus-Raw-Input_2021-07-21@084542.wav | grep site | sort | uniq
P25_PII: Adjacent Broadcast Abv: site_8_freq: 859.787500, rfss: 8, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_14_freq: 855.312500, rfss: 14, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_41_freq: 854.912500, rfss: 41, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_52_freq: 854.087500, rfss: 52, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_53_freq: 854.212500, rfss: 53, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_57_freq: 855.062500, rfss: 57, sys_id: 0x1f8

./tdma_test < Alice-41-1R-DSDPlus-Raw-Input_2021-07-21@214551.wav | grep site | sort | uniq
P25_PII: Adjacent Broadcast Abv: site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_44_freq: 854.762500, rfss: 44, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_49_freq: 855.287500, rfss: 49, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_51_freq: 857.412500, rfss: 51, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_52_freq: 854.087500, rfss: 52, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_57_freq: 855.062500, rfss: 57, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_59_freq: 856.137500, rfss: 59, sys_id: 0x1f8

./tdma_test < Beeville-42-1R-DSDPlus-Raw-Input_2021-07-21@214754.wav | grep site | sort | uniq
P25_PII: Adjacent Broadcast Abv: site_8_freq: 857.312500, rfss: 8, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_13_freq: 854.787500, rfss: 13, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_14_freq: 855.312500, rfss: 14, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_41_freq: 854.912500, rfss: 41, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_44_freq: 854.762500, rfss: 44, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_52_freq: 854.087500, rfss: 52, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_57_freq: 855.062500, rfss: 57, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_114_freq: 855.262500, rfss: 114, sys_id: 0x1f8

./tdma_test < Corpus-14-1R-DSDPlus-Raw-Input_2021-07-21@214937.wav | grep site | sort | uniq
P25_PII: Adjacent Broadcast Abv: site_8_freq: 857.312500, rfss: 8, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_13_freq: 854.787500, rfss: 13, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_43_freq: 854.937500, rfss: 43, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_114_freq: 855.262500, rfss: 114, sys_id: 0x1f8

./tdma_test < Freer-52-1R-DSDPlus-Raw-Input_2021-07-21@215149.wav | grep site | sort | uniq
P25_PII: Adjacent Broadcast Abv: site_41_freq: 854.912500, rfss: 41, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_42_freq: 854.812500, rfss: 42, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_44_freq: 854.762500, rfss: 44, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_49_freq: 855.287500, rfss: 49, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_51_freq: 857.412500, rfss: 51, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_53_freq: 854.212500, rfss: 53, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_58_freq: 854.437500, rfss: 58, sys_id: 0x1f8
P25_PII: Adjacent Broadcast Abv: site_59_freq: 856.137500, rfss: 59, sys_id: 0x1f8

 

[wgbecks]

Hi Bill

It's possible that mtindor already has such a file - he posted a file with a ".iq" extension but later removed it. I looked at it but apparently missed a key step in decoding it.

In any case - with the WAV files that have been posted, they contain most everything one might want in terms of understanding the TDMA CC. We would like to see something that contains channel voice grants for example, as well as a lot of the other miscellany that fills up a typical CC.

At this time (could be wrong) but don't feel that an I/Q capture would show us anything that isn't already known. The modulation is the same as TDMA voice channels -- "CQPSK" (sic) at 6,000 symbol rate.

73

Max

Max,

Do you still have the original .IQ file, and if so can I get a copy of it?

Thanks!

Bill

 

[mtindor]

Max,

Do you still have the original .IQ file, and if so can I get a copy of it?

Thanks!

Bill

Index of /p25tdmacc

 

[KA1RBI]

Hi Bill

FWIW, the "iq" file that I looked at (since deleted) appeared to be fixed point (short - S16LE), not floating point. Beyond that I'm not sure about the proper parameters (sample rate etc)...

 

[ralexander5]

Mike,

I created fresh IQ, FM and a Raw file for George West site from FMPP. Not sure by posts above if still needed. I did hear slight change in signal for about a second toward the end of FM/IQ recording so may have caught some traffic. The files are in the usual place if you want to retrieve.

Bob

 

[batdude]

just FYI, we think we have a TDMA control channel online here in central Florida associated with Duke Energy - 857.3875 (WRHY215)

I will try to get some IQ files recorded to confirm.


doug

 

[btt]

Here is a text file with a complete decoded log of all the wav files. (all crc validated)

 

[merlin]

For any software authors who have access to the TIA-102 suite of standards, the TDMA Control Channel specs are contained in the following document:

TIA-102.BBAD - Two-Slot TDMA Control Channel MAC Layer Specification - August 2017

Is there a free download for this document ? I have only found host sites wanting lots of $$$

 

[mtindor]

Two audio samples from suspected Florida TDMA CC sites (for any developers would like to test them, and post results):

https://www.ovscan.com/p25tdmacc/DUKE/Florida_Duke_Raw-Input_4khzBW_2021-07-24@161527.wav

https://www.ovscan.com/p25tdmacc/DUKE/Florida_Duke_Raw-Input_9.5khzBW_2021-07-24@155121.wav

And two .IQ files (the larger is 4k BW and the smaller is 9.5k BW)

https://www.ovscan.com/p25tdmacc/DUKE/2021-07-24-40k.iq.tar.gz

https://www.ovscan.com/p25tdmacc/DUKE/2021-07-24-95k.iq.tar.gz

Mike

 

[mtindor]

Some more raw audio for Duke Site 20 down in FL

https://www.ovscan.com/p25tdmacc/DUKE/Duke_FL_site%2020_2021-07-24@202753.wav