How to find out network ID of APCO25 users?
- radio-link
- Posts: 245
- Joined: Sun Mar 16, 2003 8:49 am
Hi!
Is there any way besides an APCO25 test set to tell the network ID # from APCO25 transmissions? I only have access to some APCO25 radios, at the moment XTS5k, and they only seem to be able to show the talkgroup.
Would a scanner like a pro-96 or bc250d do this job?
regards - Ralph, dk5ras
--
Ralph A. Schmid http://www.bclog.de [email protected]
Tel./SMS +49-171-3631223
If you are trying to monitor a trunked system, the scanner is the best place to go for that. If you are an authorized user of the network, take your radio to the admin and have him assign you an ID.
JAYMZ
"Mom and dad say I should make my life an example of the principles I believe in. But every time I do, they tell me to stop it."
Calvin
- radio-link
- Posts: 245
- Joined: Sun Mar 16, 2003 8:49 am
RESCUE161 wrote: I think he is referring to conventional digital IDs and if there is a way to find out if someone is using something other than ID 293. Just a guess though.
Yes, that is exactly the point. I have to do with a network of plain simplex APCO25 without any additional signalling, where some radios had been reprogrammed unauthorized, they sometimes use unassigned frequencies, sometimes another talkgroup, and another network ID - for their private chat; at the moment we are trying to track the whole thing down, but for now it is absolutely not clear who the users of those radios are, and up to now we were not able to get our hands on one of those radios - difficult with 1000+ handheld radios.
Knowing this ID just would be one little piece in the whole thing - maybe they accidentally use the illegal network ID for a regular call, and knowing the ID would make it easier to program a radio just to pick up the illegitimate usage.
All this APCO25 stuff is somehow new for me, but I am learning fast; I am being forced to do so *g*
regards - Ralph, dk5ras
--
Ralph A. Schmid http://www.bclog.de [email protected]
Tel./SMS +49-171-3631223
JAYMZ wrote: If you are trying to monitor a trunked system, the scanner is the best place to go for that. If you are an authorized user of the network, take your radio to the admin and have him assign you an ID.
Calm down - don't bite the poor guy's head off. He's trying to figure out how to decipher the network access code, which is nothing sneaky.
Now, for answers:
The AOR P25-decoder box has a serial port which outputs data regarding the current transmission. Unfortunately, the last time I looked into it, it sent XXX where the NAC should go. I believe it's supposed to decode the talkgroup, but am not sure.
On a Moto radio, you'll know that you have the right NAC when you start seeing IDs decoding (assuming, of course, that you have digital ID display in your flashcode). If you're monitoring DCSQ and don't see IDs, they're not using 293, etc.
The scanners ignore the NAC and conventional talkgroup data entirely. What a surprise.
I'm not positive, but I bet an IFR/Aeroflex 2975 will do what you want. That might be a tad more than you want to spend, but it sounds like you've got quite a few radios, so maybe not. Perhaps Wowbagger can comment on this?
Now, you can *monitor* their transmissions (assuming they're not encrypted) by disabling conventional talkgroups (so your radio ignores them) and setting the receive type to DCSQ. You should then hear all unencrypted P25 traffic (and encrypted, if you have the hardware and key) present on the channel.
- radio-link
- Posts: 245
- Joined: Sun Mar 16, 2003 8:49 am
tvsjr wrote: Now, you can *monitor* their transmissions (assuming they're not encrypted) by disabling conventional talkgroups (so your radio ignores them) and setting the receive type to DCSQ. You should then hear all unencrypted P25 traffic (and encrypted, if you have the hardware and key) present on the channel.
Yes, of course I can hear "them" loud and clear (sometimes they transmit encrypted, but with the normal common key, looks like they have no KVL), but I can not yet recognize them as the bad guys directly from listening to them. And no ID display available, all the radios really got the lowest budget flashcode. So my idea was to decode their NAC and set up a scan over "their" channels with "their" NACs, to be able to record and identify them.
Regarding monitoring equipment, it is just a customer, and they are not willing to pay anything more than my time and maybe some below-1k$ stuff like a scanner, if this would be helpful.
regards - Ralph, dk5ras
--
Ralph A. Schmid http://www.bclog.de [email protected]
Tel./SMS +49-171-3631223
tvsjr wrote: Now, you can *monitor* their transmissions (assuming they're not encrypted) by disabling conventional talkgroups (so your radio ignores them) and setting the receive type to DCSQ. You should then hear all unencrypted P25 traffic (and encrypted, if you have the hardware and key) present on the channel.
radio-link wrote: Yes, of course I can hear "them" loud and clear (sometimes they transmit encrypted, but with the normal common key, looks like they have no KVL), but I can not yet recognize them as the bad guys directly from listening to them. And no ID display available, all the radios really got the lowest budget flashcode. So my idea was to decode their NAC and set up a scan over "their" channels with "their" NACs, to be able to record and identify them. Regarding monitoring equipment, it is just a customer, and they are not willing to pay anything more than my time and maybe some below-1k$ stuff like a scanner, if this would be helpful.
Nope, scanners won't help you, unfortunately.
Did you program the radios they're using? I wonder if the radio disable features are still active. If nothing else, you might consider picking up a used Astro Saber or XTS3000 from here or eBay that has the flashcode you need for ID display.
- radio-link
- Posts: 245
- Joined: Sun Mar 16, 2003 8:49 am
tvsjr wrote: Nope, scanners won't help you, unfortunately. Did you program the radios they're using? I wonder if the radio disable features are still active. If nothing else, you might consider picking up a used Astro Saber or XTS3000 from here or eBay that has the flashcode you need for ID display.
No, I did not program them, and there is no ID transmission feature active - or do they send some kind of ESN anyway?
I already have suggested the way to publish to all radio users that the units are being reprogrammed, and that any discovered modifications will lead to serious trouble. But if the problems do not disappear after this it will be necessary to do as promised, and this will become difficult, time consuming and expensive. A big number of radios, spread over several facilities...
regards - Ralph, dk5ras
--
Ralph A. Schmid http://www.bclog.de [email protected]
Tel./SMS +49-171-3631223
...
while reprogramming may be a pain, it may be your only way out.
if it were me in your shoes, I would take in all the radios on the lowest production day (Sunday?) - reprogram ... and as you state, look for changed dates in the programming fields.
set up new templates, then CHANGE THE NAC ON THE QUANTAR from its default 293 to something only you know.
after you have the 10-20 radios flagged that had their default template modified....issue letters to those employees that tampering with the radio programming is ........blah blah blah
doug
BRAVO MIKE JULIET ALPHA
"You can do whatever you want, there are just consequences..."
IF SOMEONE PM'S YOU - HAVE THE COURTESY TO REPLY.
-
- Posts: 107
- Joined: Wed Nov 06, 2002 5:09 pm
- radio-link
- Posts: 245
- Joined: Sun Mar 16, 2003 8:49 am
@carbineone: I will have a look at it, this really could help me with this problem!!
@rescue161: Although I never had looked at the CPS for password protection, I guess this would be possible - but we really would like to avoid having to reprogram all those radios. In case this must be done, for sure I will do something like that!
regards - Ralph, dk5ras
--
Ralph A. Schmid http://www.bclog.de [email protected]
Tel./SMS +49-171-3631223
- RESCUE161
- Batboard $upporter
- Posts: 2062
- Joined: Wed Jan 16, 2002 4:00 pm
- What radios do you own?: Too many!
The password feature can be used to stop a read or a write to the radio. What version of CPS are you using? R05.02.00 is out now, so once you re-do the radios, the pirates shouldn't be able to mess with them any longer.
Password protection is under Tools > Password. Pretty easy stuff, just a pain in the ass to keep idiots from messing up your system.
How many people have access to the CPS? That may be a problem in itself.
Scott
KE4FHH
Religion: Kills folks dead!
- radio-link
- Posts: 245
- Joined: Sun Mar 16, 2003 8:49 am
RESCUE161 wrote: The password feature can be used to stop a read or a write to the radio. What version of CPS are you using? R05.02.00 is out now, so once you re-do the radios, the pirates shouldn't be able to mess with them any longer. Password protection is under Tools > Password. Pretty easy stuff, just a pain in the ass to keep idiots from messing up your system. How many people have access to the CPS? That may be a problem in itself.
I am using R05.00.00, the German MOL seems to be slower in presenting the latest versions. We had still 04.something when 05 had been out in the US for weeks or even months :(
Access to the RSS has nobody, it is all done externally (just KVLs are present, but locked away with hard access restrictions), but ebay offers the programming cables, and the software also is not too hard to get for an enthusiast.
regards - Ralph, dk5ras
--
Ralph A. Schmid http://www.bclog.de [email protected]
Tel./SMS +49-171-3631223
- radio-link
- Posts: 245
- Joined: Sun Mar 16, 2003 8:49 am
RESCUE161 wrote: I just looked again and R05.02.00 says that it's for dealers only. Sorry for the bad info, but you still have the password option even though it sucks to reprogram that many radios.
Well, I _am_ dealer :) Just takes some time in Germany until it shows up in MOL, this is the problem...
regards - Ralph, dk5ras
--
Ralph A. Schmid http://www.bclog.de [email protected]
Tel./SMS +49-171-3631223
tvsjr wrote: I'm not positive, but I bet an IFR/Aeroflex 2975 will do what you want. That might be a tad more than you want to spend, but it sounds like you've got quite a few radios, so maybe not. Perhaps Wowbagger can comment on this?
Oh, yes, it will tell you what the radio is sending, both on the voice channel and the control channel (for APCO trunking).
We threw a scare into some of the three letter agencies when we showed them our control channel logger - they were concerned about their security. They finally realized that The Bad Guys could find other ways to decode the information if they had the resources to buy a 2975.
You can even run the logger on the voice channel, record the data to disk, and later analyze the file to see what is showing up - that was one of the use-cases for the logger when we designed it.
This is my opinion, not Aeroflex's.
I WILL NOT give you proprietary information. I make too much money to jeopardize my job.
I AM NOT the Service department: You want official info, manuals, service info, parts, calibration, etc., contact Aeroflex directly, please.
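As an added illustration of the offline analysis mentioned in the post above (not Aeroflex's logger or its file format, and not code from anyone in this thread): a Python audit of logged P25 network identifier (NID) words that reports every frequency/NAC pair outside the authorised set. The log layout, the sample frequencies and the NAC $4A1 are constructed; the code assumes a decoder has already error-corrected each NID, whose top 12 bits are the NAC and next 4 bits the data unit ID.

```python
from collections import defaultdict

# 0x293 is the default NAC mentioned in the thread; list the NACs your system really uses.
AUTHORISED_NACS = {0x293}
DUID_NAMES = {0x0: "HDU", 0x3: "TDU", 0x5: "LDU1", 0x7: "TSBK",
              0xA: "LDU2", 0xC: "PDU", 0xF: "TDU+LC"}

# Constructed sample, assumed layout "<time> <freq MHz> <64-bit NID in hex>".
# Parity bits are zeroed here; a real NID carries BCH parity after NAC and DUID.
SAMPLE_LOG = """\
2006-06-12T08:01:10 168.5250 2930000000000000
2006-06-12T08:01:10 168.5250 2935000000000000
2006-06-12T08:01:11 168.5250 293A000000000000
2006-06-12T09:14:02 168.7750 4A10000000000000
2006-06-12T09:14:02 168.7750 4A15000000000000
2006-06-12T09:14:05 168.7750 4A1F000000000000
2006-06-12T09:20:00 168.5250 garbage
"""

def split_nid(nid):
    """NID word -> (NAC, DUID): NAC is the top 12 bits, DUID the next 4."""
    return (nid >> 52) & 0xFFF, (nid >> 48) & 0xF

def audit(log_text, authorised=AUTHORISED_NACS):
    """Return (unexpected, skipped): per-(freq, NAC) records outside the
    authorised set, and the number of lines that could not be parsed."""
    seen = defaultdict(lambda: {"frames": 0, "first": None, "last": None, "duids": set()})
    skipped = 0
    for line in log_text.splitlines():
        try:
            ts, freq, nid_hex = line.split()
            if len(nid_hex) != 16:
                raise ValueError("NID must be 16 hex digits")
            nac, duid = split_nid(int(nid_hex, 16))
        except ValueError:
            skipped += 1          # keep a count so decoder noise is visible
            continue
        rec = seen[(freq, nac)]
        rec["frames"] += 1
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        rec["duids"].add(DUID_NAMES.get(duid, hex(duid)))
    unexpected = [
        {"freq": f, "nac": n, **r, "duids": sorted(r["duids"])}
        for (f, n), r in sorted(seen.items()) if n not in authorised
    ]
    return unexpected, skipped

if __name__ == "__main__":
    hits, bad = audit(SAMPLE_LOG)
    for h in hits:
        print(f'{h["freq"]} MHz NAC ${h["nac"]:03X}: {h["frames"]} frames, '
              f'{h["first"]} to {h["last"]}, data units: {", ".join(h["duids"])}')
    print(f"{bad} unparsable line(s) skipped")
```

The first-seen and last-seen times per frequency/NAC pair are what you would line up against shift or site records when narrowing down which radios were reprogrammed.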
JAYMZ wrote: If you are trying to monitor a trunked system, the scanner is the best place to go for that. If you are an authorized user of the network, take your radio to the admin and have him assign you an ID.
tvsjr wrote: Calm down - don't bite the poor guy's head off. He's trying to figure out how to decipher the network access code, which is nothing sneaky.
Not biting the guy's head off. I was making a statement on what I thought he was looking for. As it turns out he is looking for something different. Which is fine, and you'll notice the topic has continued. A little bit of discretion has to be taken these days in regards to trunking and public safety networks. Just trying to help keep the board or any of its members from getting jammed up over it.
If you want to talk further send me a PM so we don't continue to hijack the thread.
JAYMZ
"Mom and dad say I should make my life an example of the principles I believe in. But every time I do, they tell me to stop it."
Calvin
- radio-link
- Posts: 245
- Joined: Sun Mar 16, 2003 8:49 am
Wowbagger wrote: We threw a scare into some of the three letter agencies when we showed them our control channel logger - they were concerned about their security. They finally realized that The Bad Guys could find other ways to decode the information if they had the resources to buy a 2975.
Wow, a really cool device, and a must-have when dealing regularly with P25-stuff. I could not find prices at first look, but I assume way beyond the limits I got from my customer :)
regards - Ralph, dk5ras
--
Ralph A. Schmid http://www.bclog.de [email protected]
Tel./SMS +49-171-3631223
radio-link wrote: Wow, a really cool device, and a must-have when dealing regularly with P25-stuff. I could not find prices at first look, but I assume way beyond the limits I got from my customer
Base is US$25,000 or so, plus what options you order. Fully tricked out you can hit US$70,000.
But then again, fully tricked out you replace:
An RF signal gen.
An audio signal gen.
A measuring receiver.
An RF spectrum analyzer
An audio spectrum analyzer.
An audio signal analyzer (SINAD)
An oscilloscope.
An RF wattmeter.
A DVM.
Plus the protocol analysis and simulation.
This is my opinion, not Aeroflex's.
I WILL NOT give you proprietary information. I make too much money to jeopardize my job.
I AM NOT the Service department: You want official info, manuals, service info, parts, calibration, etc., contact Aeroflex directly, please.
- 2wayfreq
- Batboard $upporter
- Posts: 356
- Joined: Sun Dec 09, 2001 4:00 pm
- What radios do you own?: XTS5000 VHF, M-RK II UHF
Hmm,
They use ASTRO in Deutschland? Cool. Are the Polizei still on Mid-Band 80-86 MHz--I think? Or did they go Tetra/APCO? I used to listen to them in the 80s when I was stationed there. I had an AOR-1000 scanner. Even the MPs were on 83MHz.
Radio Tech Troubleshooting Golden Rule #1: Check your connections
- radio-link
- Posts: 245
- Joined: Sun Mar 16, 2003 8:49 am
2wayfreq wrote: Hmm, They use ASTRO in Deutschland? Cool. Are the Polizei still on Mid-Band 80-86 MHz--I think? Or did they go Tetra/APCO? I used to listen to them in the 80s when I was stationed there. I had an AOR-1000 scanner. Even the MPs were on 83MHz.
APCO is still not widely known in Germany, only some users have moved to this technology; police still is on mid band and VHF 170 MHz, but it looks that they will go to Tetra25. MP now uses 139 MHz bands.
regards - Ralph, dk5ras
--
Ralph A. Schmid http://www.bclog.de [email protected]
Tel./SMS +49-171-3631223
radio-link wrote: Wow, a really cool device, and a must-have when dealing regularly with P25-stuff. I could not find prices at first look, but I assume way beyond the limits I got from my customer
Wowbagger wrote: Base is US$25,000 or so, plus what options you order. Fully tricked out you can hit US$70,000.
But then again, fully tricked out you replace:
An RF signal gen.
An audio signal gen.
A measuring receiver.
An RF spectrum analyzer
An audio spectrum analyzer.
An audio signal analyzer (SINAD)
An oscilloscope.
An RF wattmeter.
A DVM.
Plus the protocol analysis and simulation.
Hey, Wowbagger. Is there some kind of tour you guys give down there? I wouldn't mind stopping in to drool over all the crazy hi tech stuff some day.
mancow
mancow wrote: Hey, Wowbagger. Is there some kind of tour you guys give down there? I wouldn't mind stopping in to drool over all the crazy hi tech stuff some day. mancow
Well, I don't know of an official tour - you might talk to Marketing/Communications (Jim DeBroeck)
As for an unofficial tour - that might be possible, the only thing would be that a tour of engineering would involve some Jedi Mind Tricks - "You didn't see that - that's not the equipment you are looking for" to abide by various non-disclosure agreements.
This is my opinion, not Aeroflex's.
I WILL NOT give you proprietary information. I make too much money to jeopardize my job.
I AM NOT the Service department: You want official info, manuals, service info, parts, calibration, etc., contact Aeroflex directly, please.
In case anyone hasn't seen it yet...
New software just released. Take discriminator audio out of your choice of radio, plug into soundcard. Run Program.
http://radioreference.com/forums/attach ... 1150068292
mam1081