The legendary "hidden groups" SmartZone scanning m
Posted: Fri Mar 26, 2004 6:32 pm
by Elroy Jetson
No doubt some of you old timers will remember the "hidden talkgroups" method of scanning a Motorola trunked system.
To recap, you program your rotary knob as a talkgroup selector, and it only has 16 positions. You then program your scan list with MORE than 16 groups per list, (this is all applicable to Astro equipment only) and you hide your trunked groups (the ones you don't want anyone to have direct access to) in the groups ABOVE slot 16. You scan them by referencing that scan list via the mode slaved scan lists.
You must NOT enable the CHAN/GROUP menu key option in your radio if you truly want these hidden groups to STAY hidden, and therefore no transmission or (or even affiliation) is possible if nobody can directly access those groups.
In theory, this works on at least Astro Sabers and XTS3Ks, but honestly I haven't had the chance to try it, though nobody has ever said it didn't work.
I'd like to ask now, since it's been a few years since I developed this idea (with help), has anyone successfully used this approach?
Has anyone ever used it successfully with one of the newer radios? (XTS-anything but 3K)
Has it been tried with a SmartZone system?
What were the results in each case?
Elroy
Posted: Fri Mar 26, 2004 10:25 pm
by Pj
Though not entirely done this way, I have had no problem doing this in an Astro Spectra; however, I also program it as WAC AMSS, but I hear there could be issues with that too (SmartNet seems to work well for this). I have one zone that is used just for scanning, and the others with complete systems with different groups, since the couple of systems I listen to have close to 100 active talkgroups.
Good to see you still lurking!
Posted: Sat Mar 27, 2004 12:35 am
by Jay
Well the system I listen to (with Elroy's method) is a smartzone system. I have three systems setup, all with the same SysID but of course with different control channels. I have the coverage type set to disabled though. This probably explains why I can't get the radio to switch sites or more importantly, show me the RSSI indicator. Either that or the fact that the radio still thinks it is parked on a conventional channel, since it is.
It's important also to remember if you want your radio to be totally low key: program tx inhibit for trunking on the secure switch (on both sides of the switch) and also DO NOT ENABLE TALKBACK on your scan lists, set it to selected mode, which will be a conventional channel. Enable the password feature in case someone gets ahold of your portable.
Thanks Elroy, and to the other folks who cooked this up. PJ, I would be interested in seeing how your setup works. It sounds like you can safely monitor in one zone, yet talk in another. Correct me if I am wrong.
Jay
Posted: Sat Mar 27, 2004 5:26 am
by Elroy Jetson
Just to recap, particularly for the benefit of our newer users, the point of this devious scheme is to be able to safely monitor a Motorola trunked radio system, as there is no provision in Motorola's trunking software for a truly "receive only" option with any trunking radio. All radios programmed to receive a Motorola trunking system have the capability to transmit SOMETHING, even if it's only a brief data exchange with the control channel, and that alone is enough for legal trouble to occur in some instances.
This scheme we're discussing here is intended to allow truly safe monitoring of a trunked system. Not even YOU will have direct access to the trunked talkgroups in a properly programmed radio, but you can still SCAN them effectively. As your radio will never be set to any trunked group in question, it will never even try to affiliate.
In its preferred application, you fill all the user accessible channels in your radio with CONVENTIONAL channels. Each of these conventional channels is slaved to a trunked scan list that refers to the groups that are hidden past group no. 16 on the channel selector, which you can't physically access.
I'm glad to see that this scheme apparently does work.
Other news: Ericsson's ESK (system key scheme) has fallen to a dedicated hacker. It's really a very simple scheme that's easy to defeat. Info on this is available on the (former) trunkedradio.net board. (Go there and it will redirect you.)
Elroy
Posted: Sat Mar 27, 2004 9:24 am
by Josh
I've done something similar with my XTS2500 and it works
The difference is that I like having the rotary for zone select and have the first channel in each zone be conventional with the name of the system being scanned on it. When thrown into scan, it will trunk the system. I never see the Red LED light up for TX at all in any instance.
I've only been able to test 3.6k systems only
-Josh
Posted: Sun Mar 28, 2004 2:04 pm
by Elroy Jetson
Actually, it DOES offer a benefit.
You see, I don't know if you're aware of it, but in all of Motorola's various versions of trunking, NONE of them have a TRUE receive only option. If you are on a trunked talkgroup and hit the PTT, the radio WILL affiliate, even if it does nothing more than that. And you may not even be aware of it, because the TX burst is so fast that you won't even see the TX LED light up. In many cases, this is what you DON'T want to do. If your radio transmits on a frequency you're not licensed for, even if it's a few milliseconds and the controller denies the request, here in the US it's illegal and you can be fined up to 10,000 dollars PER TRANSMISSION.
The point of this approach is to absolutely ensure that the radio in question will never, ever transmit ANYTHING.
Using the method described, the operating group is NEVER a trunked group, and hence, the radio will not even attempt to affiliate. It will simply scan the groups in the attached scan list, and while scanning, it will not attempt to affiliate with any of those groups.
An additional safety feature is that if you MUST show your radio to The Law, and have turned scan off, he won't be able to find anything in the radio that alarms him. Just hope he doesn't know how to turn scan on!
I'm still not sure if this even works on a SmartZone system if the radio is programmed for full SmartZone operation, but you can treat your local SmartZone site as an AMSS system and it's reported to work. But in full SmartZone operation, any radio that's operating on the system HAS to affiliate on power-on and on any group change, otherwise the controller doesn't know to send your groups to the local site.
The basis of my experiments and research is to totally eliminate any and all unwanted transmissions of any type. Full stealth mode. I'm not above modifying the transceiver board to ensure that it won't transmit, by pulling the PA driver device usually.
Elroy
Posted: Sun Mar 28, 2004 3:36 pm
by RKG
If you create a scan list that has both conventional channels (from the viewable zone) and trunked talkgroups (from a non-viewable zone), you are engaging in "cross-system scanning," which is going to produce large audio holes.
If you program a trunked radio for AMSS, the radio will affiliate. If the system operator is on his toes, he will detect your affiliation and attempt to disable your radio.
Radios used for monitoring trunked systems on which the user is not authorized to send should always have "coverage" set to "none," and affiliation set to "none" or "on PTT" depending on the model. Then steps should be taken to avoid inadvertent keying.
Posted: Sun Mar 28, 2004 5:29 pm
by Pj
Does that include affiliate on PTT? That's how I have mine set up. I know if I stop hearing traffic, I need to hit the site scan to get it back. No visual indication of TX, but ya never know.
works for MTS2000
Posted: Sun Mar 28, 2004 5:46 pm
by firepoint76
Elroy,
I've programmed a few MTS2000s as SmartZone with your suggested setup and it has worked great. I used referenced scan lists to scan channels not accessible to the user.
I created 2 referenced lists, EMS and Law. Depending on how many TGs I'm scanning there can be a small delay, but it's the same as any high end scanner and better audio RX.
The only issue is the same as any scanner on a SmartZone system. It finds the first control channel and only monitors the one tower and the affiliated TGs. I've fixed this by strategically putting the freqs of the towers I want to hear at the top of my CC list, and as I lose the reception on my preferred towers it continues down the list.
Thanks for the idea.
Posted: Mon Mar 29, 2004 5:28 am
by Elroy Jetson
You may want to research that assertion a bit further. My experiences with the TX inhibit feature have shown different results. The radios would still affiliate on PTT. (MTX8000 and MTS2000)
Maybe that was due to a software oddity (a bug that hadn't been found in that version) or one in the radio firmware, and maybe not, but the radios definitely would try to affiliate with TX inhibit turned on under certain circumstances.
Elroy
Posted: Mon Mar 29, 2004 6:17 am
by ExKa|iBuR
Well, I can't speak for any other radio, but on an Astro Spectra, if you set "No Ignition" to "TX Inhibit" and don't put Ignition Sense into the radio, it won't transmit, regardless of what you do.
Other radios that have this option (MCS2000, LCS2000 (I think) and the XTL5000, and probably a few others) should work the same way...anyone with one care to try?
Edit: TX includes Affiliations, btw.
-Mike
Posted: Mon Mar 29, 2004 6:46 am
by alex
I believe the ONLY way to solve this debate:
Find someone with a TRS that has a legit radio on it - preferably a sys-admin since this would require monitoring their system.
Hook the radio up to the service monitor and watch to see if anything comes out of it.
That would solve this debate.
IIRC, Elroy's tests were based on a service monitor, but it's been a long time since this was discussed, and I don't recall.
Anyone care to help/report back to us on this?
-Alex
Posted: Mon Mar 29, 2004 10:24 am
by mike m
I tried it briefly on the Maricopa County AZ 3600 baud and the Phoenix 9.6K P25 system back when we were running a staging demo with Motorola about a year and a half ago and it worked great, no affiliation at all. However, I haven't tried the XTS5K yet.
Mike
Posted: Mon Mar 29, 2004 12:20 pm
by alex
mike m wrote: I tried it briefly on the Maricopa County AZ 3600 baud and the Phoenix 9.6K P25 system back when we were running a staging demo with Motorola about a year and a half ago and it worked great, no affiliation at all. However, I haven't tried the XTS5K yet.
Mike
Can you be more specific - which did you test - Hiding the channels in the scan list, or Affiliate on PTT?
-Alex
Posted: Mon Mar 29, 2004 6:57 pm
by BDB
I don't think that the XTS 5k will unsquelch audio on 9.6k system unless the radio does affiliate.
In an experiment with a Jedi portable on a system, it was found that when the radio is set for affiliate on PTT and coverage type is disabled, the radio does not affiliate with the system. This was tested using System Watch and monitoring affiliations.
Posted: Tue Mar 30, 2004 2:38 pm
by Microwave Mike
The way I take care of the transmission problem is to pull the cap on the output of the Tx VCO and pull the Vcc for the final output device. It works on MTS,XTS3K and XTS5K. It will also work on the AS3. All mods can be placed back in service as I leave the parts in the board.
mm
Re: The legendary "hidden groups" SmartZone scanni
Posted: Tue Mar 30, 2004 10:49 pm
by Jay
Elroy Jetson wrote:
You must NOT enable the CHAN/GROUP menu key option in your radio if you truly want these hidden groups to STAY hidden, and therefore no transmission or (or even affiliation) is possible if nobody can directly access those groups.
Am I mistaken in that a controller will do a sweep of radios on the system, to see if they are still affiliated, etc? Of course this radio is not affiliated, but could any issues come up? Do these radios respond as well? This just came to mind.
Jay
Posted: Wed Mar 31, 2004 4:45 am
by Elroy Jetson
If a radio is set to a conventional channel and scanning a trunked scan list, the radio will NOT affiliate no matter what the trunked system controller does.
As has been noted, scanning a SmartZone system is very problematic.
Elroy
Posted: Wed Mar 31, 2004 5:35 am
by Elroy Jetson
r0f wrote:
Elroy, I really don't want to argue with you about your theory -- no doubt it does work. I just don't see a benefit to using it, unless it's a requirement that you keep the modes hidden.
That's just it. There often IS such a need. Especially if there's any reasonable chance that some nosy cop wants to see your radio or something, not that he'd have any legal right to do so.
It's one additional level of safeguard. That's reason enough.
If I should ever program an M trunked radio to monitor a system that I'm not an authorized user of, I'll take every precaution I can against the possibility of an inadvertent transmission, and keep the profile as low as possible. You know as well as I do that the mere existence of a radio that's programmed on a system but not issued by the system administrator is suspicious in and of itself due to the fact that the system keys are restricted and rarely get out. A smart cop who knows this and knows the radio underground (that's us and our field) then would suspect either that you've used a system key generator or a copy of lab software, BOTH of which are probably if not definitely illegal to have as they're copyrighted and not ever for sale anyway.
I shouldn't even have to explain this, but I feel it's needed so as to clarify the situation.
Elroy
Posted: Wed Mar 31, 2004 1:46 pm
by BDB
The simple solution is to just use a scanner and not a system radio if you are not authorized to have a radio on the network. Chances are that if you do have any interaction with the authorities and you are in possession of a system radio without authorization you will have to answer a lot of questions. I honestly don't think the trouble is worth the benefit myself. Most system admins would have kittens over an unauthorized radio, and someone who is an authorized user and is modifying their template is likely to have to find another job. There is no doubt that a system radio is an awesome receiver, and the experimentation that takes place amongst the "radio underground" is actually beneficial in some regards. If one is really driven to use one as a receiver without authorization then use common sense and don't wave it around like some wannabe - leave it at home. The hardware TX inhibit mentioned is probably the safest way to monitor, but personally I hate to see a radio gelded.
Posted: Wed Mar 31, 2004 5:23 pm
by Elroy Jetson
The reality is, we know that scanners are available that will do the job, at least in a marginal fashion, but many of us desire much better equipment, and will obtain it and find a way to make it work for us.
And, well, while a cop may ASK a lot of questions, you do NOT "have to answer a lot of questions". You have the right to say nothing, or not answer specific questions, or babble your fool head off, your choice.
Not that it's come up very often, but when it comes to me and the police and radios, one or two have acted disturbed that I can listen in on them, and my response to that has been to remind them that it IS legal, ANYONE can buy a radio at Radio Shack that will monitor their system, and it's the people's right to keep tabs on what their EMPLOYEES are doing. The more alarmed a cop is that he's being monitored, the more likely it is that he SHOULD be monitored, IMHO.
The county I live in is saddled with an EDACS system. That's actually a good thing from a scanning perspective because their radio programming software has a TRUE receive only option in trunking groups, and there's nothing at all flaky or unpredictable about it, and it works on all radios newer than an MPD. Another nice thing about it is that if you get a newer type radio, your program can be transferred directly from the older radio to the programming software and then directly to the new radio, even if it's a totally different series and model. So long as the bandsplit matches, all the comnet/macom/whatever radios are totally interchangeable in software.
Elroy
Posted: Wed Mar 31, 2004 8:48 pm
by apco25
heh the beauty of EDACS....
A trunking system that was actually well designed!
Posted: Thu Apr 01, 2004 5:25 am
by Elroy Jetson
Hah. Well designed, my foot!
If it were a plane, you'd never set foot on it. All the subscriber radios drop calls (unmute but no modulation) often enough to be an issue.
Insufficient security, allowing "rogue" radios to monitor without anyone's knowledge!
System reliability: I'd want my money back!
The programming software is nice, and the higher model radios are pretty well made (it's tough to argue with an alloy-cased M-PA...makes a great "Instrument of Obedience"!!), but in general, if you bought an EDACS system, you made the wrong decision.
Elroy
Posted: Thu Apr 01, 2004 9:12 am
by RKG
Alex: I'll try your experiment when I get back, but you'll have to remind me.
However, I can tell you right now that if the radio is set for any form of wide area coverage, it will attempt to affiliate, by sending an ISW, as soon as it seeks to listen to a trunked system talkgroup, either via the inclusion of that talkgroup in a scan list or via its selection from a zone list.
Posted: Thu Apr 01, 2004 10:05 am
by apco25
Elroy,
I'd have to say your system wasn't installed correctly. I use an EDACS system frequently and I've found no audio holes, dropped calls or other weird behavior.
The one weakness of EDACS is that, being a simulcast system, it's very site dependent, with very tightly balanced sites and coverage areas. Lose a site and you are SOL.
The true RX only feature was put in there on purpose so you could legitimately monitor groups a user didn't need to TX on.
Besides, if you really want to annoy the rogue listener, use AEGIS.
Posted: Thu Apr 01, 2004 1:18 pm
by mike m
Alex,
I did the hide the channels method. I made up 16 conventional personalities and 15 trunking personalities. I made 1 zone with the first 16 being conventional and the last 15 the trunking.
I set the scan for auto and the system was set for SmartZone, and even though auto affiliation was set the radio never transmitted. I also tested this on an R2670 to ensure it wasn't affiliating. As I said, it was for a staging demo of one of our P25 avionics radios, and it was done over a year and a half ago, and since then I haven't played with any 800 trunking.
Mike
Posted: Thu Apr 01, 2004 3:37 pm
by Elroy Jetson
As for the edacs problems noted earlier, I've noted that the old MPD radios had their own specific flaw that caused them to unmute but not deliver any recovered audio. The user only hears a dead carrier. It happens about one in maybe 100 transmissions, and the issue is with the receiving MPD only. Other radios will probably decode the transmission correctly.
Elroy
Posted: Tue Apr 06, 2004 12:32 pm
by mike m
I am sitting here right now scanning and successfully monitoring a Smartzone system with a TEE connector on the antenna terminal of my XTS3000 800 radio.
One path from the TEE is connected to an 800 quarterwave whip antenna and the other to my R2670 analyzer, yes the R2670 is all set up as it should be and working as I tested it on a non scanning system to ensure that it affiliates correctly.
Testing either the 'radio init' or 'system init' feature on the R2670 the radio never affiliates when using the hidden channels method.
Mike
Posted: Wed Apr 07, 2004 7:32 am
by mike m
Yes,
It is a statewide Smartzone system.
Mike
Posted: Wed Apr 07, 2004 7:47 am
by alex
What shawn wants to know, is what is the programming set to.
Yes, the system is SmartZone, but HOW is the radio programmed that you're using to test?
-Alex
Posted: Wed Apr 07, 2004 7:48 am
by RKG
That isn't exactly the question. The question is:
IF you set a radio for wide area coverage (SmartZone or AMSS), and
IF you then try to invoke the "transmit inhibit" function, and
IF you then "select" a talkgroup on the system,
Which prevails: an attempted affiliation (dictated by the wide area coverage) or no attempted affiliation (dictated by the TxIn function)?
Note: Alex I was responding to Mike M; your response and mine crossed in the mail.
Posted: Wed Apr 07, 2004 8:36 am
by mike m
My radio is set for Smartzone but omnilink is not enabled, it's a full blown 9600K omnilink 800 radio. The flashcode is 100008-000480-9 BTW.
I have my trunking personalities set up in zone 3 and zone 3 contains 22 various personalities for instance.
14 of the first 16 personalities in zone 3 are conventional, the rest are trunking personalities including personalities 4 and 5 which are trunking but they are used for something entirely different and don't apply to this test.
Personalities 17 thru 22 are the interested trunking personalities, IE the hidden ones.
The 3rd conventional personality in zone 3 has autoscan enabled on scan group 1.
I just have it set up this way because it was a test radio and haven't erased anything but instead I just build other personalities on it as it's used for multiple testing, demos etc.
Scan group 1 is set for talkgroup trunking scan only and includes the Talkgroups/personalities from zone 3 channels 17 thru 22 which again are all on the same Smartzone system. I do not have omnilink enabled.
I do not attempt to enable affiliation by calling up an individual talkgroup with this setup, so I cannot reply to that question.
But remember, the original post from Elroy was specifically about affiliation using the hidden talkgroups method.
Mike
Posted: Mon Apr 12, 2004 12:04 pm
by wavetar
I have performed several tests on various portables with the TX INHIBIT function, for my own curiosity. Here are the results so far:
Radio Type - XTS3000 - Quantity 2
Model# H09UCF9PW7BN
Flashcode - 1000080004006
Radio 1 - HOST 07.06.01 - DSP - 07.03.19
Radio 2 - HOST 07.20.00 - DSP - 08.03.02
There were no differences observed between these two different HOST/DSP versions during the testing.
All tests were performed on both a live SmartZone/Omnilink system, as well as with an R-2670 System Analyzer with the Trunked package. All tests were performed using analog talkgroups. All tests were performed with the radio running off a metered power supply to confirm current drain upon any transmitting. All tests were performed multiple times with the concentric switch in both positions.
Scenario #1 - Programmed as SmartZone, with concentric switch set for TX INHIBIT in both positions.
Outcome #1 - Radio does not affiliate upon power up. Radio does not affiliate upon mode change between talkgroups. Radio does not affiliate upon mode change between a talkgroup & conventional channel, though it does take several seconds to change modes, as if it were going through its retries to affiliate. Radio does not affiliate/de-affiliate upon power down, though it does take approx 4 seconds to power off, again as if it were going through its affiliation retries.
Scenario #2 - Programmed as WAC AMSS, with affiliation set to 'automatic', and concentric switch set for TX INHIBIT in both positions.
Outcome #2 - Same as Outcome #1, with one added twist. The radio will not fully power off when switched off. The menu selections remained on screen indefinitely, and the radio would not re-awaken upon switching the power switch on. The battery had to be removed for the radio to be reset properly.
Scenario # 3 - Programmed as WAC AMSS, with affiliation set to 'ON PTT', and concentric switch set for TX INHIBIT in both positions.
Outcome # 3 - The power-down glitch goes away. There is no time delay when switching between trunked & conventional modes. Everything else is the same (no affiliations whatsoever).
Scenario # 4 - Programmed as coverage type 'disabled', with affiliation set to 'automatic', and concentric switch set for TX INHIBIT in both positions.
Outcome #4 - Identical to outcome #3.
Scenario #5 - Programmed as coverage type 'disabled', with affiliation set to 'ON PTT', and concentric switch set for TX INHIBIT in both positions.
Outcome #5 - Identical to outcome #3 & 4
Basically, I could not get the radios to transmit in any way, shape, or form with the concentric switch set to TX INHIBIT.
I will update the thread when I have the time to test some MTS2000 radios as well.
Todd
Posted: Mon Apr 12, 2004 1:08 pm
by Elroy Jetson
It seems to me that in order for that particular experiment to work properly, you'd need to know if the selected talkgroup is actually being relayed to the site the radio is listening to. It certainly won't be getting talkgroups that aren't being sent to that site, as it won't be permitted to request them, but would it get those groups if they're already on the site?
Elroy
Posted: Mon Apr 12, 2004 1:45 pm
by BDB
Shaun,
That is only on 9600 baud systems or, I'm assuming, on a radio that does P25 trunking. On 3600 baud Astro and analog the radio does not have to affiliate to monitor SmartZone. The radio will not SmartZone without affiliation, however.
Posted: Mon Apr 12, 2004 1:55 pm
by BDB
It seems to me that in order for that particular experiment to work properly, you'd need to know if the selected talkgroup is actually being relayed to the site the radio is listening to. It certainly won't be getting talkgroups that aren't being sent to that site, as it won't be permitted to request them, but would it get those groups if they're already on the site?
The radio does not have to affiliate to monitor traffic if the radio is set on the talkgroup of interest's home site. If you want the radio to SmartZone, the radio must affiliate. If you want to monitor a local talkgroup on a site across jurisdiction you will have to affiliate to monitor it, unless said talkgroup is multi-site simulcast to the site you have programmed. Even then, some talkgroups are not set up to SmartZone to sites outside of the home site. What works on one system may not work on another.
Posted: Mon Apr 12, 2004 2:17 pm
by BDB
Shaun,
Ok I did misunderstand what you were saying then. I've never tried to txinhibit a radio set for smartzone using smartzone as a coverage type.
Posted: Mon Apr 12, 2004 3:49 pm
by Elroy Jetson
That DOES make sense. In short, you can monitor a SmartZone system with TX inhibit enabled, but only if the radio is NOT programmed for SmartZone. Use WAC AMSS or some other option instead.
Quirky!
Elroy
Posted: Mon Apr 12, 2004 3:55 pm
by wavetar
r0f wrote:Todd,
In scenario #1, you state you programmed up the radios for SmartZone operation. Can you confirm that when TX Inhibit is enabled, the radio WILL NOT RECEIVE talkgroup activity because of its inability to affiliate with the tower, thus a non-stop cycle between the control channels attempting to affiliate, which it cannot do, thus not allowing reception?
What about in WAC AMSS? Same result? No receive when it cannot affiliate (Auto Affiliation, not On PTT)
S
I did try that, but the results were indeterminate. First off, I was using a talkgroup that nobody really uses to minimize annoyance, so I had to have two other radios which could affiliate to the site also on that talkgroup. I used two MTS2000 portables for that purpose. At first, the XTS radio heard nothing. I did verify it was cycling through the control channels, using the 'site search' feature. The funny thing is, once the radio happened to be on the proper site, audio was received, and the radio stopped scanning sites. I left it alone for several minutes & it remained on the site until I changed channels, when it again started its searching. The exact same results were seen with the radio in its WAC AMSS configuration.
It would seem to me that if the radio were on a 'busy' talkgroup with radios affiliated to many surrounding sites, you'd probably hear most of the conversations. I never did get the 'out of range' indications, although I never had the radio on for more than 5 minutes at any one time. More experimentation is required for definitive answers, I was mainly interested in the affiliation issue.
I'm interested to see what my results will be with a couple of different firmware versions of MTS2000, and maybe an MTX8000 as well.
Todd