Understanding Capacity Plus trunking, some more

[thewraith2008]

OK here is another thing I've recently noticed on a CAP+ network I found that seems to mainly send DATA.

I'm seeing unconfirmed rate 1/2 data blocks with a second proprietary header included where the CRC32 is not checking correctly after all blocks received. While I don't really expect to be able to decode this type of DATA (yet?), I'm wondering if this is using a RAS style of CRC check. (Voice that is rarely seen does not use RAS). At first, I though the CRC code I was using was not right but this seems OK with other networks I've seen with DATA been sent.

I've tested the DATA with the bad CRC in another CRC generator and it is giving the same bad CRC which make me thing the code is OK and something else is afoot.
Anyone else seen this?

 

[thewraith2008]

OK, here is a short 'over' (in TS:2) of the CAP+ private call from the sample provided.

• There is no voice activity is TS:1 in this shot
• Not showing other slot while current slot is voice active (optional)

This DSD of mine is designed to be highly verbose when needed showing all errors worts and all.

• Here we can see that the "F" frame (embedded RC) of the voice superframe is not NULL and that the vBPTC has failed. Most likely more non-standard Motorola stuff.
• Never mind the 'b' in "bSLOT2", this is just for debugging for another thing I was looking into.

 

[mrscanner2008]

[QUOTE="I've not come across RAS in-use for CAP+ systems locally for awhile now so it was hard to test.
Is RAS used only for CAP+ or does it get used on other Motorola systems? (like DMR BS, CON+, CapMax)
[/QUOTE]
I have system near me with RAS : CON+, CAP+, DMR, and Capmax. I could make audio samples if need.

 

[lwvmobile]

I'm seeing unconfirmed rate 1/2 data blocks with a second proprietary header included where the CRC32 is not checking correctly after all blocks received. While I don't really expect to be able to decode this type of DATA (yet?), I'm wondering if this is using a RAS style of CRC check. (Voice that is rarely seen does not use RAS). At first, I though the CRC code I was using was not right but this seems OK with other networks I've seen with DATA been sent.

This is one that just rolled in for me after setting up to check the RAS FIeld bits. The Data Header and the Prop Header both seem to have RAS enabled, but not the blocks that follow.

11:28:05 Sync: +DMR  [slot1]  slot2  | Color Code=01 | DATA RAS? 4 1 - 0 0 1
  Unconfirmed Data Header: DPF 2 - SAP 09 - Block Count 04 - Padding Octets 01
  Proprietary Packet Data - Source: [211] Destination: [1]
  Proprietary Packet Data Incoming   (FEC OK)RAS ENABLED
DMR PDU Payload [02][91][00][00][01][00][00][D3][84][00][55][3D]
11:28:05 Sync: +DMR   slot1  [slot2] | Color Code=01 | CSBK RAS? 0 0 - 0 0 0
Capacity Plus Channel Status - FL: 3 TS: 1 RS: 0 - Rest Channel 1
  Ch1: Rest Ch2: Idle Ch3: Idle Ch4: Idle
  Ch5: Idle Ch6: Idle Ch7: Idle Ch8: Idle
DMR PDU Payload [BE][10][E1][00][00][80][08][00][01][00][DA][37]
11:28:05 Sync: +DMR  [slot1]  slot2  | Color Code=01 | DATA RAS? 4 1 - 0 0 1
  Proprietary Data Header: SAP 4 - Format F - MFID 10  (FEC OK)RAS ENABLED
DMR PDU Payload [4F][10][11][01][00][00][75][84][4D][20][7B][F6]
11:28:05 Sync: +DMR   slot1  [slot2] | Color Code=01 | CSBK RAS? 0 0 - 0 0 0
Capacity Plus Channel Status - FL: 3 TS: 1 RS: 0 - Rest Channel 1
  Ch1: Rest Ch2: Idle Ch3: Idle Ch4: Idle
  Ch5: Idle Ch6: Idle Ch7: Idle Ch8: Idle
DMR PDU Payload [BE][10][E1][00][00][80][08][00][01][00][DA][37]
SLCO Capacity Plus Site: 1 - Rest Channel 1 - RS: 08
SLCO Completed Block [F1][00][10][85][D0]
11:28:05 Sync: +DMR  [slot1]  slot2  | Color Code=01 | R12D  RAS? 0 0 - 0 0 0
DMR PDU Payload [B9][DE][04][EF][3C][D4][4C][C5][B3][72][22][E2]
11:28:05 Sync: +DMR   slot1  [slot2] | Color Code=01 | CSBK RAS? 0 0 - 0 0 0
Capacity Plus Channel Status - FL: 3 TS: 1 RS: 0 - Rest Channel 1
  Ch1: Rest Ch2: Idle Ch3: Idle Ch4: Idle
  Ch5: Idle Ch6: Idle Ch7: Idle Ch8: Idle
DMR PDU Payload [BE][10][E1][00][00][80][08][00][01][00][DA][37]
11:28:05 Sync: +DMR  [slot1]  slot2  | Color Code=01 | R12D  RAS? 0 0 - 0 0 0
DMR PDU Payload [C3][F8][32][CB][EE][C5][E4][B1][C6][4D][C6][D9]
11:28:05 Sync: +DMR   slot1  [slot2] | Color Code=01 | CSBK RAS? 0 0 - 0 0 0
Capacity Plus Channel Status - FL: 3 TS: 1 RS: 0 - Rest Channel 1
  Ch1: Rest Ch2: Idle Ch3: Idle Ch4: Idle
  Ch5: Idle Ch6: Idle Ch7: Idle Ch8: Idle
DMR PDU Payload [BE][10][E1][00][00][80][08][00][01][00][DA][37]
SLCO Capacity Plus Site: 1 - Rest Channel 1 - RS: 08
SLCO Completed Block [F1][00][10][85][D0]
11:28:05 Sync: +DMR  [slot1]  slot2  | Color Code=01 | R12D  RAS? 0 0 - 0 0 0
Multi Block PDU Superframe - Slot [1]
  [4F][10][11][01][00][00][75][84][4D][20][7B][F6]
  [B9][DE][04][EF][3C][D4][4C][C5][B3][72][22][E2]
  [C3][F8][32][CB][EE][C5][E4][B1][C6][4D][C6][D9]
  [1C][27][EB][20][95][0B][22][00][C7][D8][F3][D0]

DMR PDU Payload [1C][27][EB][20][95][0B][22][00][C7][D8][F3][D0]

Here we can see that the "F" frame (embedded RC) of the voice superframe is not NULL and that the vBPTC has failed. Most likely more non-standard Motorola stuff.

Yeah, I had noticed that as well. It appears to be an embedded single burst or rc burst, the usual value I find on that on Cap+ is 0x313 (could be determined erroneously, but is always consistent), and on multiple Cap+ Systems. If the system is RC4 (probably DES and AES as well) encrypted, I tend to see 0x313 intermixed with the single burst for the key id/alg id in Voice Burst F. I have no idea what the first value mentioned indicates.

 

[thewraith2008]

I have system near me with RAS : CON+, CAP+, DMR, and Capmax. I could make audio samples if need.

This would be much appreciated if you could do this.

@lwvmobile
For the bad CRC-32 DATA, I don't get the RAS indication on either data header or any rate 1/2 block.
Everything passes up to the CRC-32 check.
Just not sure if a mask is used or a different variation of the CRC-32 or a RAS style of CRC check.

 

[hrh17]

I have a few RAS-Cap+ wav files saved from dsdplus of various systems, PM me thewraith2008 if you need anything

 

[thewraith2008]

I have a few RAS-Cap+ wav files saved from dsdplus of various systems, PM me thewraith2008 if you need anything

Thanks for the offer.
Good to know there are samples available when needed.
I just wish I had more spare time.

 

[lwvmobile]

Good to know there are samples available when needed.

hrh17 will keep you busy for a century with samples, trust me. Speaking of which...

More fun with opcodes @thewraith2008 . What's an embedded voice burst lc MFID 0x10 FLCO 0x10 on a Cap+ System? Its not just a bad decode, it happens consistently on this batch of wav files.

17:04:06 Sync: +DMR   slot1  [slot2] | Color Code=05 | VLC  
 SLOT 2 TGT=14 SRC=1400 FLCO=0x04 FID=0x10 SVC=0x00 Cap+ Group Call  Cap+ R-Ch 1  RAS 4 
 DMR PDU Payload [04][10][00][00][00][0E][01][05][78][91][C1][30]
 SLCO Capacity Plus Site: 1 - Rest Channel 1 - RS: 08
 SLCO Completed Block [F1][00][10][85][D0]
17:04:06 Sync: +DMR  [slot1]  slot2  | Color Code=05 | CSBK
 Capacity Plus Channel Status - FL: 3 TS: 0 RS: 0 - Rest Channel 1
  Ch1: Rest Ch2:  014 Ch3: Idle Ch4: Idle 
  Ch5: Idle Ch6: Idle Ch7: Idle Ch8: Idle 
 DMR PDU Payload [BE][10][C1][40][0E][00][00][00][00][00][68][32]
17:04:06 Sync: +DMR   slot1  [SLOT2] | Color Code=05 | VC1*
 AMBE F801A99F8CE000 err = [0] [0] 
 AMBE F801A99F8CE000 err = [0] [0] 
 AMBE F801A99F8CE000 err = [0] [0] 

17:04:06 Sync: +DMR  [slot1]  slot2  | Color Code=05 | CSBK
 Capacity Plus Channel Status - FL: 3 TS: 0 RS: 0 - Rest Channel 1
  Ch1: Rest Ch2:  014 Ch3: Idle Ch4: Idle 
  Ch5: Idle Ch6: Idle Ch7: Idle Ch8: Idle 
 DMR PDU Payload [BE][10][C1][40][0E][00][00][00][00][00][68][32]
17:04:06 Sync: +DMR   slot1  [SLOT2] | Color Code=05 | VC2 
 AMBE F801A99F8CE000 err = [0] [0] 
 AMBE F801A99F8CE000 err = [0] [0] 
 AMBE F801A99F8CE000 err = [0] [0] 

 SLCO Capacity Plus Site: 1 - Rest Channel 1 - RS: 08
 SLCO Completed Block [F1][00][10][85][D0]
17:04:06 Sync: +DMR  [slot1]  slot2  | Color Code=05 | CSBK
 Capacity Plus Channel Status - FL: 3 TS: 0 RS: 0 - Rest Channel 1
  Ch1: Rest Ch2:  014 Ch3: Idle Ch4: Idle 
  Ch5: Idle Ch6: Idle Ch7: Idle Ch8: Idle 
 DMR PDU Payload [BE][10][C1][40][0E][00][00][00][00][00][68][32]
17:04:06 Sync: +DMR   slot1  [SLOT2] | Color Code=05 | VC3 
 AMBE F801A99F8CE000 err = [0] [0] 
 AMBE F801A99F8CE000 err = [0] [0] 
 AMBE 9802B95FA4D300 err = [0] [0] 

17:04:06 Sync: +DMR  [slot1]  slot2  | Color Code=05 | CSBK
 Capacity Plus Channel Status - FL: 3 TS: 0 RS: 0 - Rest Channel 1
  Ch1: Rest Ch2:  014 Ch3: Idle Ch4: Idle 
  Ch5: Idle Ch6: Idle Ch7: Idle Ch8: Idle 
 DMR PDU Payload [BE][10][C1][40][0E][00][00][00][00][00][68][32]
17:04:06 Sync: +DMR   slot1  [SLOT2] | Color Code=05 | VC4 
 AMBE AC41F0930FF380 err = [0] [0] 
 AMBE E82B286CAFE280 err = [0] [0] 
 AMBE 8CF3FB89E12F80 err = [0] [0] 

 SLCO Capacity Plus Site: 1 - Rest Channel 1 - RS: 08
 SLCO Completed Block [F1][00][10][85][D0]
17:04:06 Sync: +DMR  [slot1]  slot2  | Color Code=05 | CSBK
 Capacity Plus Channel Status - FL: 3 TS: 0 RS: 0 - Rest Channel 1
  Ch1: Rest Ch2:  014 Ch3: Idle Ch4: Idle 
  Ch5: Idle Ch6: Idle Ch7: Idle Ch8: Idle 
 DMR PDU Payload [BE][10][C1][40][0E][00][00][00][00][00][68][32]
17:04:06 Sync: +DMR   slot1  [SLOT2] | Color Code=05 | VC5 
 AMBE 0F092041587980 err = [0] [0] 
 AMBE 982F50BE027F80 err = [0] [0] 
 AMBE B82D78236ADE80 err = [0] [0] 

17:04:06 Sync: +DMR  [slot1]  slot2  | Color Code=05 | CSBK
 Capacity Plus Channel Status - FL: 3 TS: 0 RS: 0 - Rest Channel 1
  Ch1: Rest Ch2:  014 Ch3: Idle Ch4: Idle 
  Ch5: Idle Ch6: Idle Ch7: Idle Ch8: Idle 
 DMR PDU Payload [BE][10][C1][40][0E][00][00][00][00][00][68][32]
17:04:06 Sync: +DMR   slot1  [SLOT2] | Color Code=05 | VC6 
 SLOT 2 TGT=14 SRC=1400 FLCO=0x10 FID=0x10 SVC=0x00 Group Call  
 DMR PDU Payload [10][10][00][00][00][0E][00][05][78]
  SB: 00000000000 - 000
 AMBE A828F150006A80 err = [0] [0] 
 AMBE 7823584E061800 err = [0] [0] 
 AMBE 6813543C6EE800 err = [0] [0] 

 SLCO Capacity Plus Site: 1 - Rest Channel 1 - RS: 08
 SLCO Completed Block [F1][00][10][85][D0]
....
17:04:58 Sync: +DMR   slot1  [slot2] | Color Code=05 | TLC  
 SLOT 2 TGT=14 SRC=1400 FLCO=0x00 FID=0x00 SVC=0x00 Group Call   RAS 4 
 DMR PDU Payload [00][00][00][00][00][0E][00][05][78][95][D6][98]
17:04:58 Sync: +DMR  [slot1]  slot2  | Color Code=05 | CSBK
 Capacity Plus Channel Status - FL: 3 TS: 0 RS: 0 - Rest Channel 1
  Ch1: Rest Ch2:  014 Ch3: Idle Ch4: Idle 
  Ch5: Idle Ch6: Idle Ch7: Idle Ch8: Idle 
 DMR PDU Payload [BE][10][C1][40][0E][00][00][00][00][00][68][32]
17:04:58 Sync: +DMR   slot1  [slot2] | Color Code=05 | TLC  
 SLOT 2 TGT=14 SRC=1400 FLCO=0x00 FID=0x00 SVC=0x00 Group Call   RAS 4 
 DMR PDU Payload [00][00][00][00][00][0E][00][05][78][95][D6][98]

 

[thewraith2008]

I have not seen a FLCO:16 (0x10) PDU before, I don't have any info on that one.

Sometimes context can help figure them out but other times, they just look like any other standard PDU with the same ole elements defined.

 

[mrscanner2008]

I have system near me with RAS : CON+, CAP+, DMR, and Capmax. I could make audio samples if need.

This would be much appreciated if you could do this.

Audio samples (2 CAP+, 1 CON+, 1 CAPMAX) RAS audio samples just let me know if you need more.

 

[lwvmobile]

Thanks for the CapMax sample, I needed to make a change to my code to allow CSBKs to pass when RAS was enabled (was previously requiring both good CRC and FEC, now also checking for RAS and good FEC)

 

[lwvmobile]

Audio samples (2 CAP+, 1 CON+, 1 CAPMAX)

Oh, just FYI, wasn't sure if you meant to include multiple samples in your link, but that link only has the capmax sample.

 

[mrscanner2008]

Oh, just FYI, wasn't sure if you meant to include multiple samples in your link, but that link only has the capmax sample.

oh ok I will recheck the link, because it include multiples samples.

edit: new link RAS audio samples

 

[thewraith2008]

oh ok I will recheck the link, because it include multiples samples.

edit: new link RAS audio samples

Downloading now , thanks again.

 

[mrscanner2008]

Downloading now , thanks again.

@lwvmobile @thewraith2008 just let me know if you need more audio samples.

 

[thewraith2008]

Some interesting stuff seen in those samples provided.

For the CapMax, RAS is used with more PDUs than just call maintenance PDUs (like ALOHA, BCAST).
RAS is used on FID:0 PDUs, not just FID:16 (0x10)
The FLCO:16 FID:16 (0x10) PDU seems to be same as FLCO:0. (GRP call maintenance)

• I wonder what the private call maintenance FLCO is? (do we have a sample of this by chance)
• I don't see FLCO:16 been used on non-RAS CapMax here, so that maybe a RAS thing?.

The CapMax sample generates a lot of "bad" CSBKO with non 0/16 FIDs.
This maybe the nature of the DSD+ recording as it switches in and out.
These "bad" PDUs can be filtered out by only allowing RAS PDUs with FIDs of 0 and 16

For CAP+, RAS is indicated for CSBKO:59 and 62 FID:16 (0x10) but the PDU CRC-16 check is OK.
The call maintenance PDUs are RAS as expected.

For CON+, RAS is indicated for CSBKO:1 and 3 FID:6 (0x06) and FLCO:0 FID:0 but the PDU CRC-16 check is OK.
RAS does not actually seem to be used here (for this sample/network at least).

Fun stuff

 

[thewraith2008]

Still with RAS (and at the risk of deviating a smidge OT)

Has anyone seen RAS been used with the MBC (header) or USBD dataTypes like seen with CSBK/VoiceLC[FLCO]/TermLC[FLCO]/Data Header/EMB[FLCO].

I've added code any to handle this but I just wanted to see if it occurs.

 

[mrscanner2008]

Some interesting stuff seen in those samples provided.

For the CapMax, RAS is used with more PDUs than just call maintenance PDUs (like ALOHA, BCAST).
RAS is used on FID:0 PDUs, not just FID:16 (0x10)
The FLCO:16 FID:16 (0x10) PDU seems to be same as FLCO:0. (GRP call maintenance)

• I wonder what the private call maintenance FLCO is? (do we have a sample of this by chance)
• I don't see FLCO:16 been used on non-RAS CapMax here, so that maybe a RAS thing?.

The CapMax sample generates a lot of "bad" CSBKO with non 0/16 FIDs.
This maybe the nature of the DSD+ recording as it switches in and out.
These "bad" PDUs can be filtered out by only allowing RAS PDUs with FIDs of 0 and 16

For CAP+, RAS is indicated for CSBKO:59 and 62 FID:16 (0x10) but the PDU CRC-16 check is OK.
The call maintenance PDUs are RAS as expected.

For CON+, RAS is indicated for CSBKO:1 and 3 FID:6 (0x06) and FLCO:0 FID:0 but the PDU CRC-16 check is OK.
RAS does not actually seem to be used here (for this sample/network at least).

Fun stuff

Let me know if you need recording with sdrsharp, if this could be better than DSD+FL.

 

[lwvmobile]

Has anyone seen RAS been used with the MBC (header) or USBD dataTypes like seen with CSBK/VoiceLC[FLCO]/TermLC[FLCO]/Data Header/EMB[FLCO].

The only system I've even seen that uses MBC Header and Continuation Blocks is a Hytera T3 system(So, no RAS), its the only sample I have that uses them. The sample may be of interest to you if you want to look at it. The MBC Header/Cont Blocks contain grants with absolute channel/frequency assignments, so that's nice, and some talkers have talker alias blocks in link control. The sample has some issues at times decoding very well, probably was a weak signal or noisy signal or something, throws a lot of tact/cach errors on me if I don't bypass the check on it.

Upload files for free - 1R-DSDPlus#5-Raw-Input_2022-08-12@141952.wav - ufile.io

Download 1R-DSDPlus#5-Raw-Input_2022-08-12@141952.wav for free from ufile.io instantly, no signup required and no popup ads

ufile.io

 

[hrh17]

I can actually make a new recording of that, one which will have 0 errors since the remote machine is closer to the site, I'll start recording and upload shortly