Understanding Capacity Plus trunking


Forts

Mentor
Database Admin
Joined
Dec 19, 2002
Messages
6,967
Location
Ontario, Canada
According to Motorola you can have up to 15 sites on Linked Capacity Plus. To go statewide with many many sites I'm sure they would want you to go Connect Plus.
 

dtscho

Member
Database Admin
Joined
Aug 7, 2001
Messages
1,835
Location
Fredericksburg, VA
I found a Capacity Plus system in use at the Washington Convention Center. I used DMRDecode to obtain the color codes, LCN, and groups for the system (and then used DSD to identify the users of the groups). I then tried to program the system into my XPR6550 TRBO radio, but none of the groups came through. I double-checked in the software to make sure I had everything programmed correctly.

I looked at the DMRDecode logs, and didn't see any long strings of unidentified numbers, which I assume is what I'd see if the system was using restricted access to system (RAS). And it's not using Privacy, of course, since it comes through fine on DMRDecode. I did notice in DMRDecode that the same group appeared to occupy both slots of the frequency a lot of the time. I'm not sure if this is just the way DMRDecode works (slow to refresh?), or if this could be part of my problem. I also saw that DMRDecode listed a Group 64 and a Group 128 in the scrolling log, but these groups never showed up at the bottom of the screen (where the two slots are listed). I'm not sure if this could indicate something strange is going on with the system.

I was using a NooElec USB SDR dongle, SDR#, DMRDecode Build 68, and DSD 1.6.

Here's the system in the database:

Walter E. Washington Convention Center Trunking System, Washington, District of Columbia - Scanner Frequencies

Thanks for any help.

Dave
 

Forts

Mentor
Database Admin
Joined
Dec 19, 2002
Messages
6,967
Location
Ontario, Canada
A couple of things to check. First, even if the system is using Privacy, DMRd will still decode it. During a voice transmission you would see Privacy Enabled in the Service Options entries. As for calls showing on both timeslots.. Not sure there...

Does your radio show Out Of Range at all? If not.. That's a good sign, usually means you have the LCNs correct. Also check your radio ID. Capacity Plus doesn't allow IDs over a certain range (I forget what it is off the top of my head).

What I would do is log the system to a file for a bit, then check the log to make sure your Group IDs are correct. They will be listed at the end of the file along with Radio IDs that were spotted. If I had to guess one thing to check first I would start with your Radio ID.
 

dtscho

Member
Database Admin
Joined
Aug 7, 2001
Messages
1,835
Location
Fredericksburg, VA
Thanks.

DMRDecode was definitely not showing Privacy Enabled on any of the groups.

No, never saw an Out of Range warning. I'm fairly certain I have the LCN correct.

I'm using Radio ID 99. (I used to use ID 1, but discovered on another Cap Plus system that this would not allow calls from Radio ID 1 on that system to come through on my radio, so I changed it.)

Yes, I should have made some logs, if for no other reason than to post them here. But I'm pretty sure the groups are correct, as I saw them many times in the two slots at the bottom of the screen in DMRDecode.

Dave
 

Forts

Mentor
Database Admin
Joined
Dec 19, 2002
Messages
6,967
Location
Ontario, Canada
Have you programmed a Capacity Plus system successfully before? Or is this your first attempt? If it's your first shot at it I can take a look at your codeplug if you like... See if anything jumps out at me.
 

dtscho

Member
Database Admin
Joined
Aug 7, 2001
Messages
1,835
Location
Fredericksburg, VA
Yes, I've programmed several before successfully. I'll send you the codeplug anyway. I believe I have your e-mail.

Dave
 

Forts

Mentor
Database Admin
Joined
Dec 19, 2002
Messages
6,967
Location
Ontario, Canada
Looking at your codeplug I don't see anything out of the ordinary... Were you able to confirm with a scanner or your dongle that there was indeed activity on the system while you were trying to monitor it with your XPR?

Oh.. and a thought about DMRd showing the same group on both timeslots... I have seen before where when a call is complete, it still shows in the activity window as being active until another transmission comes along. So it's possible you were seeing a valid call on one slot while a 'stale' one was still showing in the other. Only other thing I can suggest at the moment is to start with a fresh codeplug and only enter this system... keep it as simple as possible and maybe something will become apparent.
 

TampaTyron

Beep Boop, Beep Boop
Joined
Feb 1, 2010
Messages
1,135
Location
Phoenix, AZ
Where is a good place to discuss Linked Cap Plus?

Guys,
I am looking to discuss the monitoring of Linked Capacity Plus and maybe see if we could get DMRdecode to help with figuring out these systems. Where should I start? Thank you, TT.
 

EricCottrell

Member
Premium Subscriber
Joined
Nov 8, 2002
Messages
2,414
Location
Boston, Ma
Hello,

I have been looking at some of the local capacity plus systems and figured out a few things.

The known channel field points to the Rest Channel.

Of the 8 bits that follow the Rest Channel, the first 6 are used to indicate the active channels, one bit per channel. 100000 indicates Channel 1 active, 000001 indicates Channel 6 active, 010100 indicates Channels 2 and 4 active, etc.

The following known 8-bit talkgroup field indicates the talkgroup on the first active channel. The 5 groups of 8 bits following the known talkgroup field are for the second through the sixth active channels. So one message gives all the information needed to guide the radio to the right channel.

CSBK lb:1 pf:0 MtCap+ GoTo ?:3 Slot B ?:0 RCh: 5 ARp: 34 ?:0 TG:0D 0F
In the example above the Rest Channel is 5. The Active Channels are 3 and 4, with talkgroup 0x0D on Channel 3 and talkgroup 0x0F on Channel 4.

I noticed some systems will occasionally put out long bursts of messages on non-rest frequencies, likely for any stray units. These seem to occur when there is a change in the message.

73 Eric
 
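Eric's description above can be turned into a small decoder. The following is an added example, not code from DMRDecode or from Motorola; the byte layout it assumes (a rest-channel byte, then a byte whose first 6 bits flag channels 1 to 6 as active with the leftmost bit being channel 1, then six talkgroup bytes assigned to the active channels in ascending order) is taken from the post and is an assumption, since the post does not give the fields' exact offsets within the CSBK.

```python
"""Decode the Capacity Plus channel-guidance fields described in Eric's post.

Added example, not DMRDecode or Motorola code. The field layout is an
ASSUMPTION taken from the post: a rest-channel byte, then a byte whose first
6 bits (MSB first) flag channels 1..6 as active, then six talkgroup bytes,
one per active channel in ascending channel order.
"""
from dataclasses import dataclass


@dataclass
class CapPlusGuidance:
    rest_channel: int
    active_channels: list   # e.g. [3, 4]
    talkgroups: dict        # channel -> talkgroup, e.g. {3: 0x0D, 4: 0x0F}


def active_channels_from_bits(bits: str) -> list:
    """Map a 6-character bit string (leftmost bit = channel 1) to channel numbers.

    The post's examples: '100000' -> [1], '000001' -> [6], '010100' -> [2, 4].
    """
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("expected six '0'/'1' characters, got %r" % (bits,))
    return [i + 1 for i, b in enumerate(bits) if b == "1"]


def parse_guidance(payload: bytes) -> CapPlusGuidance:
    """Parse [rest][active bitmap][tg1..tg6] (8 bytes, assumed layout).

    Only the first 6 bits of the bitmap byte are described in the post; the
    remaining 2 bits are ignored here. Talkgroup bytes beyond the number of
    active channels carry no channel assignment and are left unmapped.
    """
    if len(payload) != 8:
        raise ValueError("expected 8 bytes, got %d" % len(payload))
    bitmap = format(payload[1], "08b")[:6]        # first 6 of the 8 bits
    active = active_channels_from_bits(bitmap)
    tgs = dict(zip(active, payload[2:2 + len(active)]))
    return CapPlusGuidance(payload[0], active, tgs)


def describe(g: CapPlusGuidance) -> str:
    """Render the decoded message the way the post reads it out."""
    parts = ["Rest channel %d" % g.rest_channel]
    if not g.active_channels:
        parts.append("no active channels")
    for ch in g.active_channels:
        parts.append("channel %d -> TG 0x%02X" % (ch, g.talkgroups[ch]))
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed payload matching the post's example: rest channel 5,
    # channels 3 and 4 active, TG 0x0D on channel 3 and 0x0F on channel 4.
    sample = bytes([5, 0b00110000, 0x0D, 0x0F, 0x00, 0x00, 0x00, 0x00])
    print(describe(parse_guidance(sample)))
```

Run against the constructed payload it reports "Rest channel 5; channel 3 -> TG 0x0D; channel 4 -> TG 0x0F", which is the reading Eric gives for his logged line. The bitmap-to-channel mapping is kept as its own function so the three bit patterns quoted in the post can be checked independently of the byte layout assumption.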

TampaTyron

Beep Boop, Beep Boop
Joined
Feb 1, 2010
Messages
1,135
Location
Phoenix, AZ
I setup the same equipment for another event previously, when I worked at this specific radio shop. I have acquired one of their portables and read it as well. No privacy, but has RAS enabled. RAS is a weird animal because DMR decode displays the proper system details, but the headers or packets must be different because half a dozen TRBO radios can't decode it. Can't wait until someone figures out how to figure it out ......TT
 

IanWraith

Member
Joined
Sep 29, 2010
Messages
269
Location
ianwraith@gmail.com
Hi All

Another board member who I believe wants to remain anonymous recently sent me some logs from a couple of RAS 'protected' systems. The common element in both of them was this PDU ..

11:28:17 DMR Data Frame
CACH : TACT Ch 1 First fragment of LC
Slot Type : Colour Code 3 Terminator with LC
Unknown Full Link Control LC : FLCO=36 + FID=16 00000000000000000000001110100101000000000000011100101011

My guess is that RAS is a simple system. The base sends a hashed (basically a type of encryption) value of the RAS password every so often. The Moto radios compare this with a hash they have created of the RAS password they have been given and if they are different they won't do anything. That will be programmed into the firmware of the Moto sets and unless you fancy rewriting the firmware (which will probably be stored in an encrypted form within the radio) there isn't much you can do I'm afraid. One reason I would keep away from expensive proprietary hardware and stick to open source software.

Regards

Ian
 

Forts

Mentor
Database Admin
Joined
Dec 19, 2002
Messages
6,967
Location
Ontario, Canada
I suppose if one could figure out the hash then you might be able to determine the RAS password from that. Which of course opens up another can of worms. Is RAS considered encryption, making it a no-no to mess with, or is it more along the lines of EDACS ESK which was used to 'encrypt' the control channel?

Eric: Great job on the Capacity Plus info. Hopefully that can be incorporated into DMRDecode at some point... although I'm not sure what the best way is to display that info.
 

RyanRox099

Member
Premium Subscriber
Joined
Dec 9, 2007
Messages
60
Location
Tampa, FL
IanWraith said:
Hi All

Another board member who I believe wants to remain anonymous recently sent me some logs from a couple of RAS 'protected' systems. The common element in both of them was this PDU ..

11:28:17 DMR Data Frame
CACH : TACT Ch 1 First fragment of LC
Slot Type : Colour Code 3 Terminator with LC
Unknown Full Link Control LC : FLCO=36 + FID=16 00000000000000000000001110100101000000000000011100101011

My guess is that RAS is a simple system. The base sends a hashed (basically a type of encryption) value of the RAS password every so often. The Moto radios compare this with a hash they have created of the RAS password they have been given and if they are different they won't do anything. That will be programmed into the firmware of the Moto sets and unless you fancy rewriting the firmware (which will probably be stored in an encrypted form within the radio) there isn't much you can do I'm afraid. One reason I would keep away from expensive proprietary hardware and stick to open source software.

Regards

Ian

If one wanted to look for this "hash" over the air, where would one start to look? I have extensively looked at an LCP system with RAS, in DMRDecode. Is there a way to show raw packets? Or is this kind of info even coming into DMRDecode?
 

kmoe

Member
Joined
Dec 19, 2002
Messages
16
Forts said:
I suppose if one could figure out the hash then you might be able to determine the RAS password from that. Which of course opens up another can of worms. Is RAS considered encryption, making it a no-no to mess with, or is it more along the lines of EDACS ESK which was used to 'encrypt' the control channel?

Eric: Great job on the Capacity Plus info. Hopefully that can be incorporated into DMRDecode at some point... although I'm not sure what the best way is to display that info.


RAS is akin to a system ID (like on Privacy Plus and Smartnet trunked systems) and is not related to encryption in any way. The TRBO "control channel" data can still be decoded with DMRDecode.
 

Forts

Mentor
Database Admin
Joined
Dec 19, 2002
Messages
6,967
Location
Ontario, Canada
I suppose it could be viewed like a system ID, but I agree it's not encryption. But.. it is obviously a method to keep unauthorized users out, so it is a security feature as well. If anyone has any hopes of determining how it works you would really need a log from a system with a known key.
 

TampaTyron

Beep Boop, Beep Boop
Joined
Feb 1, 2010
Messages
1,135
Location
Phoenix, AZ
On the LCP system that I am monitoring, I get the following:
CSBKO=59 + FID=16 1110011100011011000100100010001001000011000000000000000000000000
and
CSBKO=59 + FID=16 1100011100011011000100100010001001000011000000000000000000000000
as a pair every 15 seconds. Then both repeat individually every 10-15 seconds. TT

IanWraith said:
Hi All

Another board member who I believe wants to remain anonymous recently sent me some logs from a couple of RAS 'protected' systems. The common element in both of them was this PDU ..

11:28:17 DMR Data Frame
CACH : TACT Ch 1 First fragment of LC
Slot Type : Colour Code 3 Terminator with LC
Unknown Full Link Control LC : FLCO=36 + FID=16 00000000000000000000001110100101000000000000011100101011

My guess is that RAS is a simple system. The base sends a hashed (basically a type of encryption) value of the RAS password every so often. The Moto radios compare this with a hash they have created of the RAS password they have been given and if they are different they won't do anything. That will be programmed into the firmware of the Moto sets and unless you fancy rewriting the firmware (which will probably be stored in an encrypted form within the radio) there isn't much you can do I'm afraid. One reason I would keep away from expensive proprietary hardware and stick to open source software.

Regards

Ian
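The two CSBKO=59 strings TampaTyron logged differ in a single bit, and Ian's follow-up rests on what stays constant in that PDU versus what changes. The script below is an added example, not DMRDecode's own code: it parses log lines of the shape "CSBKO=59 + FID=16 <64 bits>" (the sample log is constructed from the two strings in the post, repeated as they were reported to recur), groups them by CSBKO/FID pair, and reports the distinct payloads and the bit positions that vary between observations. A DMR CSBK carries 64 data bits after the CSBKO and FID fields, which is why each logged string is 64 characters long; the script rejects anything else.

```python
"""Group DMRDecode CSBK log lines and report which payload bits vary.

Added example, not DMRDecode code. Separating the constant part of a PDU
from the part that changes between observations is the first step in
documenting what a system broadcasts in the clear, whether to extend a
decoder or to assess what an unauthenticated listener can learn.
"""
import re
from collections import defaultdict

# CSBKO and FID as printed by DMRDecode, followed by the 64 CSBK data bits.
CSBK_RE = re.compile(r"CSBKO=(\d+)\s*\+\s*FID=(\d+)\s+([01]{64})\b")

# Constructed sample log built from the two payloads quoted in the thread.
SAMPLE_LOG = """\
11:30:01 CSBKO=59 + FID=16 1110011100011011000100100010001001000011000000000000000000000000
11:30:01 CSBKO=59 + FID=16 1100011100011011000100100010001001000011000000000000000000000000
11:30:16 CSBKO=59 + FID=16 1110011100011011000100100010001001000011000000000000000000000000
11:30:28 CSBKO=59 + FID=16 1100011100011011000100100010001001000011000000000000000000000000
"""


def parse_csbk_lines(text):
    """Return {(csbko, fid): [bitstring, ...]} for every line that matches."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = CSBK_RE.search(line)
        if m:
            groups[(int(m.group(1)), int(m.group(2)))].append(m.group(3))
    return dict(groups)


def distinct_payloads(bitstrings):
    """Unique payloads in first-seen order."""
    seen = []
    for b in bitstrings:
        if b not in seen:
            seen.append(b)
    return seen


def varying_bits(bitstrings):
    """0-based positions (leftmost bit = 0) where the observations disagree."""
    if not bitstrings:
        return []
    first = bitstrings[0]
    return [i for i in range(len(first))
            if any(b[i] != first[i] for b in bitstrings[1:])]


def to_hex(bits):
    """Render a 64-bit string as 16 hex digits, for compact comparison."""
    return format(int(bits, 2), "016x")


def summarize(text):
    """Per (CSBKO, FID): observation count, distinct payloads, varying bits."""
    out = {}
    for key, bits in parse_csbk_lines(text).items():
        out[key] = {
            "count": len(bits),
            "distinct": [to_hex(b) for b in distinct_payloads(bits)],
            "varying_bits": varying_bits(bits),
        }
    return out


if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LOG).items():
        print("CSBKO=%d FID=%d: %d seen, %d distinct, varying bits %s"
              % (key[0], key[1], info["count"], len(info["distinct"]),
                 info["varying_bits"]))
        for h in info["distinct"]:
            print("  " + h)
```

On the posted pair the script reports two distinct payloads and exactly one varying bit, position 2, with the other 63 bits identical across all observations. Feeding it a longer capture with timestamps is the natural next step, since the thread's open question is whether that constant part is a per-system value.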
 

IanWraith

Member
Joined
Sep 29, 2010
Messages
269
Location
ianwraith@gmail.com
Hi All

My apologies for the rushed post earlier; I had meant to say that the CSBKO=59 PDUs as seen by TampaTyron possibly contain a hashed (or encrypted) version of the RAS key.

As I said before I think that mobiles on a RAS system listen out for this PDU. They compare a hashed version of the RAS key they have been sent to the contents of the CSBKO=59. If they match then they proceed as normal.

Regards

Ian
 

TampaTyron

Beep Boop, Beep Boop
Joined
Feb 1, 2010
Messages
1,135
Location
Phoenix, AZ
Per Mototrbo CPS, the RAS ID is 6-24 Unicode characters including 0-9, A-Z, a-z, hyphen, underscore, dollar, and pound sign. TT

IanWraith said:
Hi All

My apologies for the rushed post earlier I had meant to say that the CSBKO=59 PDUs as seen by TampaTyron possibly contain a hashed (or encrypted) version of the RAS key.

As I said before I think that mobiles on a RAS system listen out for this PDU. They compare a hashed version of the RAS key they have been sent to the contents of the CSBKO=59. If they match then they proceed as normal.

Regards

Ian
 