A dumb newbie question about the MDT9100-10
Posted: Wed Aug 25, 2004 10:57 am
by AZScanner
Here it is: I have 2 MDT 9100-10's en route to me as I type this. I'm wondering if anyone has successfully hacked one of these to monitor a local MDT system. The one I'm mostly interested in uses these exact terminals on the RD/LAP 9600 BPS protocol.
Here's what I'm thinking... if I can trick this thing into thinking that it's one of the units already on this system, it should respond to the messages sent to its twin on the system. I can then just xmit inhibit the radio to keep it from talking back (perhaps) and voila - an MDT scanner of sorts.
The trick will be to change its hardware ID number to match that of a logged in MDT (and of course I have no way other than trial-and-error to guess at this). My questions are:
1. Can this be done on this unit or am I just dreaming the impossible dream?
2. How hard will it be? Is this something I can do myself or should I start offering bribes to the local comm shop guys?
3. Do I need any special software/hardware to do it or can I manipulate this thing via the keyboard?
If it's not possible that's OK too - the main purpose will be for a ground up restoration of an old PD cruiser I've got my eye on. It would just be totally kick-ass if the unit could actually receive real dispatches from a live CAD system.
As soon as I receive the units, I'll be able to give more details. Right now all I know is what I've posted. Thanks for any and all responses.
Regards,
-AZ
Posted: Wed Aug 25, 2004 11:34 am
by spareparts
Read this first:
http://batboard.batlabs.com/viewtopic.php?t=31471
I will be doing the same thing, but with FD dispatch messages for a Museum Display. The RF portion will be completely bypassed. The stored messages will be on a Linux based PC. Basically sent every few seconds from a batch of text files.
Unless you have written permission from the Agency in question, don't even think about affiliating your MDT with their network. (Especially by hacking the system ID or randomly entering ID's)
Here's another question: Does the RF portion of an MDT have an Inhibit command?
Martin
Posted: Wed Aug 25, 2004 2:46 pm
by AZScanner
spareparts wrote:Read this first:
http://batboard.batlabs.com/viewtopic.php?t=31471
I will be doing the same thing, but with FD dispatch messages for a Museum Display. The RF portion will be completely bypassed. The stored messages will be on a Linux based PC. Basically sent every few seconds from a batch of text files.
Unless you have written permission from the Agency in question, don't even think about affiliating your MDT with their network. (Especially by hacking the system ID or randomly entering ID's)
Here's another question: Does the RF portion of an MDT have an Inhibit command?
Martin
Martin,
Thanks for the quick response. The radio this thing operates with is a garden variety 800MHz spectra AFAIK, so inhibiting the TX portion should be easily done. As for getting written permission, ha ha, fat chance of that!

That's why I'll be making sure it can't transmit anything before I even attempt to configure it.
I guess I'm just looking for verification that my theory will work. For example: Let's say my MDT has a hardware ID of 038F hex, and the agency I want to monitor also has an MDT with a hardware ID of 038F. If MDT 038F is logged on and receiving CAD messages, shouldn't mine also receive those same messages? Using it in this manner, having a -10 might actually be to my advantage because it is just a dumb terminal - it won't know there's another 038F out there, and neither will the host system, since my MDT won't be talking back. The key to the whole puzzle is being able to set that hardware ID (which I'm sure can be done - again, the lack of an RS232 interface suggests that this is done via the keyboard on the unit). If that can be done, the rest should just fall into place. Unless they are encrypted, if so then that's the end of the story - no way I will even attempt to crack that; too many legal issues there.
Am I way off base here, or is this just crazy enough to work?
Thanks again everyone for your help! This board is awesome!
-AZ
Posted: Wed Aug 25, 2004 3:57 pm
by wavetar
We upkept MDT9100-10's for the police here for a couple years, but it was just swap & ship to Vancouver, so I'm no guru. I do seem to recall however that the system ID & some other parameters were blown into a large PROM, it wasn't a keyboard thing. You could manually set the frequencies & the 'home' or 'preferred' site ID (if more than one site) with the keyboard, but that was about it.
Otherwise, your theory sounds like it would work.
Todd
Posted: Wed Aug 25, 2004 4:05 pm
by AZScanner
wavetar wrote:We upkept MDT9100-10's for the police here for a couple years, but it was just swap & ship to Vancouver, so I'm no guru. I do seem to recall however that the system ID & some other parameters were blown into a large PROM, it wasn't a keyboard thing. You could manually set the frequencies & the 'home' or 'preferred' site ID (if more than one site) with the keyboard, but that was about it.
Otherwise, your theory sounds like it would work.
Todd
Wellsir, looks like I will need to give it a try when they arrive. Sounds like I will need some sort of RSS software to do this - I was hoping not but I guess I should have known better. But I will just tinker around when I get them and see what I can do from the keypad. Frequencies can be set huh? That's interesting...verrrrrrry interesting.....
I'll let everyone know if I get it to work.
-AZ
Posted: Wed Aug 25, 2004 4:40 pm
by spareparts
wavetar wrote:We upkept MDT9100-10's for the police here for a couple years, but it was just swap & ship to Vancouver, so I'm no guru. I do seem to recall however that the system ID & some other parameters were blown into a large PROM
Todd,
That's correct - if you flip the unit over with the keyboard in your lap, there's a snap in cover with 3 latches. That's where the prom lives ( it would be just to the right of the FCC ID plate). I'm pretty sure the 9100-11 are programmable without burning a prom as there's nothing socketed in that area on the -11 version.
Martin
Posted: Wed Aug 25, 2004 6:01 pm
by k4wtf
OK. Can someone tell me if the 9100-386 has a serial port? If so, it looks like it would make a cool programming computer.
John
Posted: Wed Aug 25, 2004 6:08 pm
by k4wtf
10-points for answering my own question!!!
The 9100-386 is equipped with a Extended Laptop PC compatible
keyboard with 4 dedicated cursor control keys. An auxiliary keyboard,
containing 12 DOS function keys plus two special function keys, is located
beside the display. Both keyboards are illuminated. The keys have
positive tactile response and are protected against dust penetration and
accidental liquids spills.
The standard set of I/O ports consist of 3 serial RS-232 ports (1 DB-25
male and 2 DB-9, female connectors) and one standard Centronix parallel
port.
The 9100-386 operates on external DC power of 9.5 to 16 Volts ( 13.8 V
nominal ). Internal battery is not provided.
John
Posted: Thu Aug 26, 2004 9:32 am
by AZScanner
spareparts wrote:
Todd,
That's correct - if you flip the unit over with the keyboard in your lap, there's a snap in cover with 3 latches. That's where the prom lives ( it would be just to the right of the FCC ID plate). I'm pretty sure the 9100-11 are programmable without burning a prom as there's nothing socketed in that area on the -11 version.
Martin
OK, here's my next dumb newbie question - is there a programmer I can buy to reload that PROM? Anyone know the model/part number so I can query almighty eBay and see if any are available?
Thanks all,
-AZ
Posted: Thu Aug 26, 2004 11:15 pm
by doi
there might be only one little problem if you want to reprogram a prom: PROM stands for Programmable Read Only Memory. so it's not erasable aka you can not REload it. hence you will most likely have to buy a new prom and program it for your terminal. and every time you want to change params you will need a NEW prom to do it.
I don't know the status of your prom but getting one might be hard since they are no longer used for some time.
it might be an idea to get an EPROM that fits the PROM's pinout so you can reprogram it. or maybe somehow emulate it.
my two bits
Posted: Fri Aug 27, 2004 1:15 pm
by AZScanner
doi wrote:there might be only one little problem if you want to reprogram a prom: PROM stands for Programmable Read Only Memory. so it's not erasable aka you can not REload it. hence you will most likely have to buy a new prom and program it for your terminal. and every time you want to change params you will need a NEW prom to do it.
I don't know the status of your prom but getting one might be hard since they are no longer used for some time.
it might be an idea to get an EPROM that fits the PROM's pinout so you can reprogram it. or maybe somehow emulate it.
my two bits
I'm beginning to wonder if these ARE in fact 9100-11's and the guy we bought them from doesn't know it, because my buddy who picked them up for me told me there's an EMPTY SOCKET where the prom should be, just like spareparts said in his post! Take a look at these pics - maybe someone here can tell me:
Thanks to all,
-AZ
Posted: Fri Aug 27, 2004 2:53 pm
by xmo
Your initial post says that you are restoring a PD cruiser. That suggests that the system you would be monitoring with this device is carrying law enforcement traffic such as license plate lookups, wants, and warrants.
Much of that information comes from NCIC and regardless of what you may believe the FCC rules say about monitoring of radio systems - there are VERY strict rules about distribution of NCIC information. If the agency you are monitoring ever found out about it - they would be REQUIRED to report the situation to FEDERAL authorities.
I can't recommend strongly enough that you drop the monitoring plan. 'spareparts' has the right idea here - put dummy traffic on the screen. You could probably even do that with a basic-stamp. You just need to find a port that lets you access the screen - or dissect the unit and find an internal point that accesses the screen.
Just think of all the fun messages you can display:
"ATTENTION ALL CARS! The HOT NOW sign is lit on west 48th Street"
"One Adam 12, One Adam 12, see the man...
Posted: Fri Aug 27, 2004 3:46 pm
by spareparts
AZScanner wrote:I'm beginning to wonder if these ARE in fact 9100-11's and the guy we bought them from doesn't know it, because my buddy who picked them up for me told me there's an EMPTY SOCKET where the prom should be, just like spareparts said in his post!
The model number is in the upper right corner of the keyboard. If the plate is missing the giveaway is a -10 does NOT have an rs-232 connector, the -11 does.
BTW, The -11 does not have a socket under the trapdoor, everything is soldered to the board.
Martin
Posted: Fri Aug 27, 2004 4:54 pm
by AZScanner
xmo wrote:Much of that information comes from NCIC and regardless of what you may believe the FCC rules say about monitoring of radio systems - there are VERY strict rules about distribution of NCIC information. If the agency you are monitoring ever found out about it - they would be REQUIRED to report the situation to FEDERAL authorities.
Sigh...
I figured this would come up sooner or later.
Let me ask you this: If I chose to monitor a system that does NOT disseminate NCIC information, what then? Are you still strongly recommending I not try and see if it works? I appreciate your concern but this is like warning me not to point a loaded gun at myself. I hope you don't think I'm THAT dumb.
Of course I won't be showing this off to just anyone if I can get it to work, and the details I choose to share will be purposely vague. If you'll notice, I've been very careful NOT to state what system(s) I intend to monitor.....
I don't think you have much to worry about anyway. I'll be really surprised if I get it to work at all considering all the unknowns I'll have to guess at just to get it to listen to the system itself, let alone what I'll need to do to get it to receive any data. We'll see.
-AZ
Posted: Fri Aug 27, 2004 4:57 pm
by AZScanner
spareparts wrote:
BTW, The -11 does not have a socket under the trapdoor, everything is soldered to the board.
Martin
He said there's an empty socket. I guess I'll have to see for myself tonight when I go over there, but it sounds like a -10 from what you said. Bummer.
Oh well. Time to start the weekend. Thanks everyone for your responses!
-AZ
Posted: Fri Aug 27, 2004 8:06 pm
by thebigphish
AZScanner wrote:
Let me ask you this: If I chose to monitor a system that does NOT disseminate NCIC information, what then? Are you still strongly recommending I not try and see if it works? I appreciate your concern but this is like warning me not to point a loaded gun at myself. I hope you don't think I'm THAT dumb.
ok, well, in our area "The Great Humid East Connecticut I Mean" the only MDT services around are law enforcement. (if i'm wrong in assuming that, i expect PJ or Mike or nmfire10 chime in) And hell, If it's not NCIC then you're not in hot water with the feds, but if it's something state, you're boned on the state level....i'd say go to f*in town if you have a different non police MDT service to monitor, but....
Posted: Fri Aug 27, 2004 9:31 pm
by giantcake
Just a few comments:
I believe the MDT you're referencing uses MDT-4800 protocol. Or possibly an earlier version.
Are these style MDT's still in use in your area? If you don't see them then the locals have probably gone to a packet, cellular data, or possibly Nextel data method of distribution. Especially if you see that they have laptops in the vehicles.
If you do a google on MDT monitoring you'll find a different method to do this utilizing a data slicer circuit, scanner with discriminator tap, and software (not found within the US though).
In addition, you'll find out why reverse engineering the MDT RD/LAP protocol to monitor is not a wise thing to do. Several people have been in court over it. (US Code Title 18, Sec 2512(1)(a) and 371) (also see Bill Cheek) and of course refer to our favorite, The Patriot Act.
But on the other hand, I believe it was an LA scanner hobbyist that produced some transcripts which allowed the Rodney King legal team to discover some interesting MDT traffic.
OK, Later, I'm -98 on this conversation...
Posted: Mon Aug 30, 2004 8:56 am
by AZScanner
An update -
Well, these are in fact -10's but here's the interesting thing: There are 2 25 pin connectors on the bottom. One is female and is labeled "Radio" and one is male and is labeled "I/O".
Now my question is, if the RF transceiver is connected to the unit, what is the RADIO port for? My guess is that is how you connect to it for programming the transceiver via RSS, but I have no idea. Then there's the I/O port - what is that used for? Also there is a little white plug on the bottom, that isn't labeled at all so I have no idea where that goes.
In addition the numbnuts who pulled these units out of service snipped the damn power leads flush with the case... but at least that's something I do know how to fix.
If someone knows where I can obtain an owner's manual or service manual for this unit that will probably answer 99% of my questions.
Also, I've decided to not attempt to monitor anything with the units - the systems I'm interested in are migrating over to a newer technology and these terminals will not work on the new system, so even if I do figure it all out, it will be too little too late. And there's the obvious legal problems I can face for trying (gotta love the "Land of the FREE"). So at this point, I'd just like to learn as much as I can about these units and see what other uses I might have for them beside neat looking doorstops.
Thanks everyone,
-AZ