Understanding Capacity Plus trunking, some more

[lwvmobile]

Does look to fit the pattern.
I guess 0 (0000) for site state means both slots available.
F (1111) means either both slots busy or repeater not available (no entries would indicate the latter)
C (1100) means slot0 busy
3 (0011) means slot1 busy

That's the same conclusion I came to, based on the patterns found in these samples.

Is that Free repeater: F (15) and 3 repeaters not available?

I have no idea on that one. Any private calls or data calls on that system?

Also, about CSBK:11 (0x0B) Can't say I've deciphered much out of that, other than maybe (very speculative) the repeater site number, assuming the wav files are labeled correctly, the only difference appears to be in byte 3 where we have 0x08 in site 1, and 0x10 in site 2. If you read the 5 MSB, then you get site 1 and site 2. Maybe its just coincidence though, I'm unsure. No idea what the rest of the values would indicate, they seem to be identical during the entire playback on all samples, other than the one byte mentioned, regardless of idle or call in progress.

Site 2:

10:17:51 Sync: +DMR   slot1  [slot2] | Color Code=01 | CSBK
 Hytera XPT 0x0B  Repeater Number: 2
 DMR PDU Payload [0B][68][10][20][18][10][20][10][28][20][EF][DA]

Site 1:

10:20:14 Sync: +DMR   slot1  [slot2] | Color Code=01 | CSBK
 Hytera XPT 0x0B  Repeater Number: 1
 DMR PDU Payload [0B][68][08][20][18][10][20][10][28][20][CC][B4]

 

[mrscanner2008]

I have no idea on that one. Any private calls or data calls on that system?

no data calls or private calls on those samples. And the wav files are labeled correctly with site number. Site 1 and 2 have the sames calls at the same time.

 

[thewraith2008]

The sample I have that indicates F (15) as free repeater, I have only seen group calls on it.

The value itself seems out of range as a valid repeater index starts at 1* and climbs to 8* depending on number repeaters used.
- The repeater index is probably sent as 0-7
* The DATA repeater index range starts at 16 and goes up to 30 (30 does not make sense as only 8 data repeaters allowed)
NOTE: Information taken from the application notes (posted earlier)

Maybe the F indicates that there is only one repeater on the single site or maybe it's just a XPT conventional repeater?
- I know there is a 2nd repeater at this site that only outputs CSBKO:10 and I'm yet to see an traffic (voice or data) on it.

I don't know why I'm even bothering with XPT as I only have one crap site.

 

[thewraith2008]

From mrscanner2008 samples.
The SLCO does not seem to send/show any SiteID that would indicate site:1 or site:2.
How are sites identified? Surely the radio needs to know this.
I thought maybe the DCC (color code) serves this purpose to act as SiteID but the supplied site:1/2 samples show both are DCC: 1.
The two XPT frequencies I see are DCC: 1 and DCC: 2.

If it is operating as a multi-site, surely having the same site id would note be permitted.
Too many questions. arrrh.

 

[lwvmobile]

How would it go about private call announcements since only 8 bits are allocated for TG/MS address in what he describes.

The only thing I can think of, assuming this works for Private Calls, is an 8-bit hashed address like SLC Activity Update uses. Or just truncated to 8 bits.

Maybe the F indicates that there is only one repeater on the single site or maybe it's just a XPT conventional repeater?

I was beginning to wonder if F meant it WAS the free repeater, and thought about the indexing of 0-7, which would fit with the placement, but I don't think it fits the pattern.

The good thing about publishing to Github is, if something is broken or doesn't work right, somebody will complain about it, and if they send samples, its more information to go on to solve the puzzle. Other times, it makes me wish I wouldn't have added something because there is no technical documents to go on, just a bunch of guesswork (LRRP).

How are sites identified? Surely the radio needs to know this.

My best guess was in CSBK:11, 5 MSB in the third octet. Or its just a coincidence.

Also, for what its worth, I found a patent that seems to pertain to Hytera Link Control.

US20190280760A1 - Data communication method, apparatus and system - Google Patents

A method of data a communication includes: determining, by a first terminal, an idle channel, and transmitting a data handshake request carrying interruption information on the idle channel, wherein the interruption information at least includes a call indication of an interrupted traffic...

patents.google.com

The 'Handshake Request' Opcodes don't seem to match any opcodes I've seen yet though. This could be a CSBK, but I think its link control. Could also be a UDT Header and Block (maybe?) Doesn't Hytera use UDT?

 

[thewraith2008]

I think the header part of the PDU shown (first 16 bits) is what the FLCO:9 is like.
You will notice that bit that would normally be 'PF' changes with the slot it's in.
Not sure if that means a grant could appear in TS:0 and call could actually be in TS:1 (if that bit is set) or it's just indicates the current TDMA channel.

The 'R' bit is always 1 which matches the group calls I see.
Not sure if the reserved bit[4] in what is assume to the service options also indicates the same thing or is some else all together.

 

[mrscanner2008]

From mrscanner2008 samples.
The SLCO does not seem to send/show any SiteID that would indicate site:1 or site:2.
How are sites identified? Surely the radio needs to know this.
I thought maybe the DCC (color code) serves this purpose to act as SiteID but the supplied site:1/2 samples show both are DCC: 1.
The two XPT frequencies I see are DCC: 1 and DCC: 2.

If it is operating as a multi-site, surely having the same site id would note be permitted.
Too many questions. arrrh.

here are the sites in question, no site number according to DSDPLUS, I added the numbers to try to differentiate and follow with dsd+. I had already sent audio extracts to the DSD team but no return.

 

[lwvmobile]

Here is a file I had, it was completely buried in the folders, long forgotten. Its an IQ file of a Hytera XPT system that seems quite busy with multiple channels. Looks like I'm going to have to rethink some of my earlier code and assumptions. Relevant frequencies that I found so far are 468.5875, 468.675 and 468.75. There may be others as well. I'll have to remember who sent me that again and see if they can sent some more if needed. Considering the filesize, I don't think this sample runs for very long. SDR++ doesn't tell me the run time on it.

Upload files for free - xpt_iq_wav_file.zip - ufile.io

Download xpt_iq_wav_file.zip for free from ufile.io instantly, no signup required and no popup ads

ufile.io

 

[thewraith2008]

A lot going on in that sample (considering how short it is - 23 sec).

v/d  468.7500
v/d  468.7250
  d  468.6875
v/d  468.6750
?    468.6375 - seems distorted but decodes very briefly at start
  d  468.5875

?    468.575 - weak
  d  468.525 - weak
  d  468.500 - weak
  d  468.475 - weak

The free repeater value is doing a lot of changing probably on the account of the DATA traffic that is occurring along with the voice traffic.

I did not add testing code for CSBKO:10 to show the repeater states, but it looks like it could be using multi-block to show more than three repeaters as I'm seeing the PF bit indicate. (sequence number). If it's also showing the DATA traffic then I'd imagine that would make it tricky to tell voice calls from DATA.

Based on what CSBKO:10 shows, you show be able to match TG/RID? on the frequencies to determine their repeater numbers.

 

[thewraith2008]

OK, stared at this some more and this is what I think is going on with a CSBKO:10 PDU.

The four bits for each repeater state: R1, R2, R3 (or higher R4, R5, R6, R7, R8 depending on sequence number) are broken down as follows:

• abcd used here to indicate bits
• 2 bits are used for each slot in the repeater state to indicate idle/busy and call type private/group on repeater
• a = TS0 idle=0 or busy=1
• b = TS0 private=0 or group=1
• c = TS1 idle=0 or busy=1
• d = TS1 private=0 or group=1
• Invalid combinations would be if only bits b and/or d are set

The annoying part of it seems that private calls (or individually address MS's) use an 8 bit hashed address that can't be reversed to get the real 16 bit MS address. Using a LUT (1-65535) is not going to help as there will multiple addresses with the same hashed address. You could probably create a seen RID list with calculated hash addresses but this also could see same hash addresses created so you wouldn't know for sure.

I only have one sample with group voice call showing that the group call TG appears not to be hashed.

• More sample of group calls with different TGs would validate this.
• This would make sense as TG values are only between 1-255 (8 bits).

 

[lwvmobile]

I wrote this earlier, just didn't post it because I wasn't sure if it sounded stupid, but seeing your last post, think we kind of came to some of the same conclusions.

---

The more I've analyzed that IQ sample, the more and more brain dead I become.

What I've done though, I've used the first two bits (lb and pf) as a switch just to indicate which bank of channels we are looking at, and that seems pretty consistent. I don't think its like a LCSS, because it always alternates 1 or 0 (not enough channels I guess for a 2 or 3). If it is LCSS, then it could be a constant first block last block repititon, but that system is so busy its hard to find spots where you get back to back CSBKs for that site status update, so I'm thinking the sequence is more like a bank switch, unlike Cap+. Could still be wrong though.

As far as the TG values in the Site Status CSBK, when its private data or private calls, it would seem to be an 8-bit hashed value to represent the longer private target value. I need to write a CRC8 that will do the correct hash of the target values for the SLCO Activity Update, I wonder if this is using the same hash values. When its a talkgroup in a group call though, like in the earlier samples, it does indeed show the 8-bit TG value from the link control.

As far as the status bits that preceed the 6 bytes that give us the 8bit TG or hash values, I am getting a lot of '10' bits in those. I am assuming those are for private calls, but I can't seem to find a distinction between when it is supposed to be private data call or private voice call. However, I am also not always getting a corresponding TG value in the designated byte for a '10' status, so I think that depending on whether or not its a data call or a voice call, it may either be 00, or an actual value there. There are Preamble CSBKs however, so that may serve for the data calls as opposed to the status update tg value. Also, because the private values are hashed, and I don't have a way to hash the TG value, I can't tell which is private voice and which is private data, or if I am way out in left field on this right now.

I have still yet to see the status value of '01' however, so I am wondering if that is group data call. '00' always seems to indicate idle, and '11' seems to indicate group voice, or if the TG value is null in the corresponding byte, then I think that means the repeater channel is not turned on.

The other main issue that the IQ sample is, is that I think that perhaps some of those frequencies belong to another XPT site, so it makes it difficult to find matching 'sites'.

 

[thewraith2008]

The more I've analyzed that IQ sample, the more and more brain dead I become.

I completely understand.

The sequence number (what would be normally LB, PF bits) usage is:

• 0 = R1, R2 and R3
• 1 = R4, R5 and R6
• 2 = R7, R8 and R9 - R9 is not used as XPT has a maximum of 8 repeaters
• 3 = Reserved

The 8 bit address hash is just the same CRC-8 you would be using with ShortLC.
Here are some of the RIDs with hash address seen in that sample:

• 930 = 88
• 9317 = 198
• 10002 = 187

I think it may be a bit tricky to trunk track XPT.
I guess you could monitor CSBKO:10 then switch to an active repeater to follow call.
For the XPT I've seen where CSBKO:10 does not indicate an call activity, this approach would not work.
Like CAP+ you would need to work out a channel plan as well.

 

[lwvmobile]

The 8 bit address hash is just the same CRC-8 you would be using with ShortLC.
Here are some of the RIDs with hash address seen in that sample:

You know what. I tried that earlier. Didn't work.
Looked at it again, realized I was sending the CRC8 the wrong bits.

I think it may be a bit tricky to trunk track XPT.
I guess you could monitor CSBKO:10 then switch to an active repeater to follow call.
For the XPT I've seen where CSBKO:10 does not indicate an call activity, this approach would not work.
Like CAP+ you would need to work out a channel plan as well.

Yeah, I haven't really thought of a good way to trunk track it either.
For a recap: On a completely idle system, first calls will start on repeater 1, or the home repeater.
Then, if needed, expand to 2, 3, and so on in order?
Is that the correct procedure, or is it just random on what channel a new call will go to.

The Free Repeater is kind of the exact opposite of a Capacity Plus Rest Channel in that way. Is that correct?
The best thing I can think of for possibly trunking is to 'go home' when no voice activity after x seconds.
While 'at home' monitor the CSBK:10 for any activity on other repeater channels and change if needed, but
if all activity originates on the 'home' repeater, then it'll probably just stay put almost all the time.
Probably just going to be one of those systems where you want a dedicated instance of dsd for each channel.

 

[thewraith2008]

A guess of whats going on:
468.6750 = Voice in slot 2 = Site? R3? (indicated as R3 by CSBKO:10)
468.7250 = Voice in slot 2 = Site? R2? (indicated as R2 by CSBKO:10)

468.6875 - Voice indicated on R2-2- This is Site? R?
468.7500 - Voice indicated on R2-2- This is Site? R?

468.5250 - Voice indicated on R3-2 - This is Site? R?
468.5875 - Voice indicated on R3-2- This is Site? R?

Activity on R2 and R3 are the same but are assumed to different sites?
Other XPT frequencies don't indicate the voice activity so are another site? that is not to two above?

He is a rough dump of all the CSBKO:10 activity: (R#_state#_slot1:addr_state#_slot2:addr)

The call is occurring in the R3 slot 2 position with the hashed addresses 88,198

 

[lwvmobile]

Yep, think that about lines up with what I was getting on that one

23:19:35 Sync: +DMR  [slot1]  slot2  | Color Code=10 | TLC
 SLOT 1 TGT=10001 SRC=9293 TGT HASH [B2][178] CH=3 FLCO=0x09 FID=0x68 Hytera XPT Private Call Grant F-Rpt 4
 DMR PDU Payload [09][68][31][40][27][11][00][24][4D][E4][2A][D6]
23:19:35 Sync: +DMR   slot1  [SLOT2] | Color Code=10 | VC6
 SLOT 2 TGT=9317 SRC=930 TGT HASH [C6][198] FLCO=0x03 FID=0x68 SVC=0x40 Encrypted Hytera XPT Private Call
 Key F5E4D3C2B1 <== if you really wanna know lol
 DMR PDU Payload [03][68][40][30][24][65][00][03][A2]
  SB: 00000000000 - 000
 AMBE F848602E445080 err = [0] [0]
 AMBE F833993E4CE880 err = [0] [0]
 AMBE F833992F8CC880 err = [0] [0]

23:19:35 Sync: +DMR  [slot1]  slot2  | Color Code=10 | CSBK
 Hytera XPT Site Status - Free RPT: 4 SN: 1
 Ch7: ST-2 188  Ch8: ST-0 Idle Ch9: ST-3 Null
 Ch10: ST-3 Null Ch11: ST-3 Null Ch12: ST-3 Null
 DMR PDU Payload [4A][68][48][FF][BC][00][00][00][00][00][D0][6F]
 SLCO Hytera XPT - Free RPT 4
 SLCO Completed Block [86][84][00][07][F0]
23:19:35 Sync: +DMR   slot1  [SLOT2] | Color Code=10 | VC1
 AMBE F830F95F84D800 err = [0] [0]
 AMBE F839C9CF84E800 err = [0] [0]
 AMBE F839C9CF84E800 err = [0] [0]

23:19:35 Sync: +DMR  [slot1]  slot2  | Color Code=10 | CSBK
 Hytera XPT CSBK 0x0B
 DMR PDU Payload [8B][68][10][10][18][20][00][00][00][00][81][8D]
23:19:35 Sync: +DMR   slot1  [SLOT2] | Color Code=10 | VC2
 AMBE F82569CF8CE980 err = [0] [0]
 AMBE F829C3CF8C6980 err = [0] [0]
 AMBE F82560CF8C5980 err = [0] [0]

23:19:35 Sync: +DMR  [slot1]  slot2  | Color Code=10 | CSBK
 Hytera XPT Site Status - Free RPT: 4 SN: 0
 Ch1: ST-2 187  Ch2: ST-0 Idle Ch3: ST-2 195
 Ch4: ST-2 178  Ch5: ST-0 Idle Ch6: ST-2 198
 DMR PDU Payload [0A][68][48][A2][BB][00][C3][B2][00][C6][6B][C4]
 SLCO Hytera XPT - Free RPT 4
 SLCO Completed Block [86][84][00][07][F0]
23:19:35 Sync: +DMR   slot1  [SLOT2] | Color Code=10 | VC3
 AMBE F82569CF8CE800 err = [0] [0]
 AMBE F825699F8CE100 err = [0] [0]
 AMBE F825699F8CE100 err = [0] [0]

23:19:35 Sync: +DMR  [slot1]  slot2  | Color Code=10 | CSBK
 Hytera XPT Site Status - Free RPT: 4 SN: 1
 Ch7: ST-2 188  Ch8: ST-0 Idle Ch9: ST-3 Null
 Ch10: ST-3 Null Ch11: ST-3 Null Ch12: ST-3 Null
 DMR PDU Payload [4A][68][48][FF][BC][00][00][00][00][00][D0][6F]
23:19:35 Sync: +DMR   slot1  [SLOT2] | Color Code=10 | VC4
 AMBE F820619F8C5000 err = [0] [0]
 AMBE F820694F8C9900 err = [0] [0]
 AMBE F820634F8C7900 err = [0] [0]

23:19:35 Sync: +DMR  [slot1]  slot2  | Color Code=10 | CSBK
 Hytera XPT CSBK 0x0B
 DMR PDU Payload [8B][68][10][10][18][20][00][00][00][00][81][8D]
 SLCO Hytera XPT - Free RPT 4
 SLCO Completed Block [86][84][00][07][F0]
23:19:35 Sync: +DMR   slot1  [SLOT2] | Color Code=10 | VC5
 AMBE F82563478C6900 err = [0] [0]
 AMBE F82561478C4900 err = [0] [0]
 AMBE F820F9978CB900 err = [0] [0]

23:19:36 Sync: +DMR  [slot1]  slot2  | Color Code=10 | CSBK
 Hytera XPT Site Status - Free RPT: 3 SN: 0
 Ch1: ST-2 187  Ch2: ST-2 181  Ch3: ST-2 195
 Ch4: ST-2 178  Ch5: ST-0 Idle Ch6: ST-2 198
 DMR PDU Payload [0A][68][3A][A2][BB][B5][C3][B2][00][C6][59][07]
23:19:36 Sync: +DMR   slot1  [SLOT2] | Color Code=10 | VC6
 SLOT 2 TGT=9317 SRC=930 TGT HASH [C6][198] FLCO=0x03 FID=0x68 SVC=0x40 Encrypted Hytera XPT Private Call

 

[thewraith2008]

For a recap: On a completely idle system, first calls will start on repeater 1, or the home repeater.
Then, if needed, expand to 2, 3, and so on in order?
Is that the correct procedure, or is it just random on what channel a new call will go to.

At least that is what I think it does based on the description of operation given in the video.
TGs are allocated a home repeater and only move to the free repeater when it's home repeater (both slots) are busy.
Unlike CAP+ rest CH, TGs expect a setup on home repeater unless it's moved to free repeater, then the setup is expected there.
When the system indicates the the home repeater of the TG is now free/idle. The TG sitting on the free repeater will move back to it's home repeater to wait for next setup.

No sure about the next free repeater logic and I would assume it's selection can be controlled some how but maybe random or just the next repeater.

Please, these are just assumptions I've made based on what I've read and observed.

The Free Repeater is kind of the exact opposite of a Capacity Plus Rest Channel in that way. Is that correct?
The best thing I can think of for possibly trunking is to 'go home' when no voice activity after x seconds.
While 'at home' monitor the CSBK:10 for any activity on other repeater channels and change if needed, but
if all activity originates on the 'home' repeater, then it'll probably just stay put almost all the time.
Probably just going to be one of those systems where you want a dedicated instance of dsd for each channel.

Yeah, still a bit of head scratching left to do there.
Maybe need to set a preferred TG to monitor and follow it.

 

[thewraith2008]

Yep, think that about lines up with what I was getting on that one

I see what you did there.

 

[lwvmobile]

I see what you did there.

Not that it helps much, I have no idea what they are saying anyways
If I recall correctly, they said it said something about some freight company about the delays.
Hytera seems to be all the rage in some European countries.

BTW, is your terminal ncurses based, or something else? Is that just a bunch of lines of spaces with inverted green colors? Or an actual bar?

 

[thewraith2008]

I only got as far as the BP code.
Other types I only ever see in samples so I never looked into it further.

No not using ncurses.
The screens(x9) I use are simple enough I've just manually created them.
The double lines framing are just standard characters from the default codepage (at least on Windows) and escape colors (e.g. x1b[0m ).

 

[thewraith2008]

OK, some more staring, now at what I think is going on with a CSBKO:11 PDU.

I believe this could be the current and adjacent/neighbor site PDU.

• It describes four sites with free repeater on that site (the first site been the current site)

Showing the site information: 2 sites - ( SiteID-FreeRepeater[unk3_unk4] )

16 bits for each site entry:

Site ID [5 bits]
Unknown_3 [3 bits]
Free Repeater on site [4 bits]
Unknown_4 [4 bits]

repeat x3 (for total of 4 sites)

Documentation suggests Site ID can be 1-30 hence the 5 bits for it.
I was hoping the 'Unknown_3' or 'Unknown_4' bits maybe used to indicate master and sub-master sites but they just seem to be 0 so far.
I don't think more than 3 adjacent/neighbor sites can be used for each site as I think the 'LB','PF' bits are use like normal (i.e. no sequence number).

Anyway, what do you think?
Looks like it could be right to me.