Thread: Using a NX800 to monitor a type c system

  1. #1
    Join Date
    Feb 04, 2012
    Posts
    1,675
    Thanks
    79
    Thanked 372 Times in 193 Posts

    Default Using a NX800 to monitor a type c system

    I have all the software and cables (KPG111 v5.0). I can communicate with the radio with no issues. I have all the system info and TG information as well.

    I want to program the radio to either NAF the system or to scan separate channels looking for activity on a specific TG.

    EG
    SYS ID 164 Site 23 RAN23
    freqs
    451.1000 LCN 346
    451.5000 LCN 376
    451.9500 LCN 388
    TG 1226
    RID = all known for the user 11347-11401

    I am totally new to the NXDN stuff so this is a learning curve for me. I believe that a .skf would be needed to scan the system and there might be auto-affiliation issues. If that is the case then I would like info on programming up the freqs as conventional, setting them to decode NXDN traffic and preferably only decode the desired TG.


  2. The Following User Says Thank You to Notarola For This Useful Post:

    Viper1-6 (Jun 24, 2018)

  3. #2
    Join Date
    Nov 04, 2012
    Location
    True North Strong and Free
    Posts
    258
    Thanks
    1,261
    Thanked 369 Times in 164 Posts

    Default

    Quote Originally Posted by Notarola View Post
    I have all the software and cables (KPG111 v5.0). I can communicate with the radio with no issues. I have all the system info and TG information as well.

    I want to program the radio to either NAF the system or to scan separate channels looking for activity on a specific TG.

    EG
    SYS ID 164 Site 23 RAN23
    freqs
    451.1000 LCN 346
    451.5000 LCN 376
    451.9500 LCN 388
    TG 1226
    RID = all known for the user 11347-11401

    I am totally new to the NXDN stuff so this is a learning curve for me. I believe that a .skf would be needed to scan the system and there might be auto-affiliation issues. If that is the case then I would like info on programming up the freqs as conventional, setting them to decode NXDN traffic and preferably only decode the desired TG.
    AFAIK it is not possible to do what you want to do with a NX800.




    Sent from my iPhone using Tapatalk

  4. #3
    cyrus's Avatar
    cyrus is offline Trailer Park Superintendent
    Join Date
    Jan 05, 2012
    Location
    Moonbase Alpha
    Posts
    773
    Thanks
    132
    Thanked 273 Times in 125 Posts
    Country: Japan

    Default

    Pretty sure the radio will recognize the conventional channels you entered are actually trunked and will not let you monitor them.

    That only leaves getting the required skf file.
    Cyrus

    Bubbles: I'd like to see that Red Blue Green c***sucker put one of those together, duct-tapin' it.

  5. The Following User Says Thank You to cyrus For This Useful Post:

    Viper1-6 (Jun 25, 2018)

  6. #4
    Join Date
    Nov 04, 2012
    Location
    True North Strong and Free
    Posts
    258
    Thanks
    1,261
    Thanked 369 Times in 164 Posts

    Default

    Quote Originally Posted by cyrus View Post
    Pretty sure the radio will recognize the conventional channels you entered are actually trunked and will not let you monitor them.

    That only leaves getting the required skf file.
    From my understanding, there is no workaround with NX subscribers to passively monitor Type C systems, other than to be legitimately provisioned within the network, but that's not passively monitoring.

    Kenwood Type C is pretty locked down. It's almost like Kenwood looked at how easy it is to compromise Motorola Type 2, and eliminated those weaknesses from this format.



    Sent from my iPhone using Tapatalk

  7. The Following User Says Thank You to Viper1-6 For This Useful Post:

    MotFAN (Jun 25, 2018)

  8. #5
    Join Date
    Feb 04, 2012
    Posts
    1,675
    Thanks
    79
    Thanked 372 Times in 193 Posts

    Default

    Yeah, that's pretty much what I had found. I was hoping that I had missed something or there was a way to assign the RAN and TG to a scan.

  9. The Following User Says Thank You to Notarola For This Useful Post:

    Viper1-6 (Jun 25, 2018)

  10. #6
    Join Date
    Mar 25, 2015
    Posts
    235
    Thanks
    212
    Thanked 107 Times in 60 Posts
    Country: United States

    Default

    I honestly think that it's just the fact that no one has really invested the time into figuring this dilemma out. The field of Motorola experts far outweighs the Kenwood folks and Motorola trunking has been around much longer than Kenwood/Icom nxdn trunking.

    Someone with their own system and a lot of time on their hands could probably figure out some workaround. I mean there are hackers who break these insane encryption codes, but we can't figure out an RF trunking protocol?
    I'm here to learn!

  11. #7
    Join Date
    Feb 04, 2012
    Posts
    1,675
    Thanks
    79
    Thanked 372 Times in 193 Posts

    Default

    If someone has a codeplug for a Type C trunking system I really can use one as a reference. I can then make sure that all the fields I am entering in my codeplug are correct. PM me if you have one.

    From there I can look deeper into what's happening.

    Currently I am leaning towards in conventional there is a SID. The SID may possibly be 000. Either that or the SID block is not sent. I have a very good service monitor, a SDR and lots of tools to look at the data being sent both from the system and from the radio in conventional mode. I also have some of the ETSI info on NXDN so given time I may be able to identify the CC data structure and compare it to the conventional structure.

  12. The Following 2 Users Say Thank You to Notarola For This Useful Post:

    box (Jun 26, 2018),slapshot0017 (Jun 26, 2018)

  13. #8
    Join Date
    Nov 04, 2012
    Location
    True North Strong and Free
    Posts
    258
    Thanks
    1,261
    Thanked 369 Times in 164 Posts

    Default

    Quote Originally Posted by slapshot0017 View Post
    The field of Motorola experts far outweighs the Kenwood folks and Motorola trunking has been around much longer than Kenwood/Icom nxdn trunking.
    And yet Motorola never addressed, or fixed the weaknesses.

    In the hobby world maybe there are more 'Motorola experts' but Kenwood has the benefit of being able to see a suite of protocols and build off their strengths.

    Quote Originally Posted by slapshot0017 View Post
    Someone with their own system and a lot of time on their hands could probably figure out some workaround. I mean there are hackers who break these insane encryption codes, but we can't figure out an RF trunking protocol?
    Why would a system owner attempt to hack their system, and publish the methods? So whackers can hack and cause mayhem? Give your head a shake.


    Sent from my iPhone using Tapatalk

  14. The Following User Says Thank You to Viper1-6 For This Useful Post:

    triptolemus (Jun 26, 2018)

  15. #9
    Join Date
    Mar 25, 2015
    Posts
    235
    Thanks
    212
    Thanked 107 Times in 60 Posts
    Country: United States

    Default

    I'm not saying that a system owner is going to do this... That's like shooting yourself in the foot!

    I am saying it can probably be done given the technology we have access to and brain power of people who can reverse engineer things. Some of the methods and breakthroughs that come out of this site really wow me so it wouldn't surprise me if given time someone could come up with an NAS method.

    You could tell the OP to "Just use a scanner", but we all have half a brain to know a radio works tenfold better than any scanner... It's not uncommon for agencies that work next to each other to not be able to communicate or hear each other due to bureaucracy... Sometimes it's really astonishing that we have to go through steps like this, but it makes for a cheaper and less red-taped solution by harmlessly monitoring.

    I'm talking from a professional standpoint too not as a whacker, but if you think about it a vast majority of professionals got into this field because of scanning/monitoring.
    I'm here to learn!

  16. #10
    triptolemus's Avatar
    triptolemus is offline TĻ ∆S ō - Moderator
    CS Forums $upporter
    Join Date
    Dec 15, 2012
    Posts
    883
    Thanks
    621
    Thanked 1,427 Times in 512 Posts
    Country: United States

    Default

    I don't understand why you believe that no affiliate scan is some sort of breakthrough. Whoever happened to notice it was pretty clever, but it's hardly a hack or reverse engineered. The feature works as designed, which is evidenced by the fact that M has let it be after all these years. It would be trivial for M to stop a radio from unmuting unless affiliated, but this would likely break many use cases, I would imagine.

    Additionally, any of the type of work you describe will be done behind closed doors and not openly shared. The good old days are over. Too many leeches, lids, and risk.

  17. #11
    Join Date
    Feb 04, 2012
    Posts
    1,675
    Thanks
    79
    Thanked 372 Times in 193 Posts

    Default

    triptolemus has some very good points. My objective is not to crack, hack or break a system or format. I simply want to NAF a TG using higher quality hardware. There are several ways to do this already: scanner, SDR, plus one or two more I'm not up to speed on.

    Currently I am looking at trying something similar to using a TRBO radio to scan a TG. It is possible that setting up a conventional channel and then using the correct settings may allow the unit to decode a TG. It may only be possible to decode all traffic on a channel in conventional mode. It may not be possible to monitor anything. That's where we are in the discussion right now.

    I am hopeful that some member can either confirm or walk through the settings for conventional operation; from there I can expand on that and see what happens when I attempt changes. None of this is hacking, it is all something a person familiar with NXDN would know. The first step is to eliminate as many variables as possible, that's why I requested a sample codeplug.

    CS is not about hacking stuff, it is about understanding stuff and how it works. There is a great range of members here; sometimes it's just a matter of putting the pieces together.

  18. The Following 2 Users Say Thank You to Notarola For This Useful Post:

    bsdam (Jun 28, 2018),Viper1-6 (Jun 26, 2018)

  19. #12
    Join Date
    Mar 25, 2015
    Posts
    235
    Thanks
    212
    Thanked 107 Times in 60 Posts
    Country: United States

    Default

    Gents, I'm sorry if I have been unable to convey what I am trying to say by using the incorrect vernacular.

    All I am saying is that, like Motorola NAS, I bet that with a little time and tinkering someone could probably figure out a way to do it. That's all. I'm not saying it should be publicized, I'm not saying that someone should go and hack it. All I am saying is that what Notarola wants to do is probably possible.
    I'm here to learn!

  20. #13
    Join Date
    Feb 04, 2012
    Posts
    1,675
    Thanks
    79
    Thanked 372 Times in 193 Posts

    Default

    I'm willing to do the tinkering, that's why I started the thread. What I need is more info from those familiar with Kenwood and their software.

    To start I need a properly configured codeplug for any Type C trunking system. With that I can go through the pages and configure my radio to the same settings but with my local site info. Once that is done I can observe what the radio does. If trunking NAF is not possible then I will be trying individual conventional freqs and checking the settings etc.

    I am hoping someone who works on a system can advise me on what settings and mode types do what etc. This is a learning curve and I'm starting out raw.

  21. The Following 2 Users Say Thank You to Notarola For This Useful Post:

    bsdam (Jun 28, 2018),Viper1-6 (Jul 02, 2018)

  22. #14
    Join Date
    Sep 18, 2012
    Location
    EMEA
    Posts
    56
    Thanks
    7
    Thanked 25 Times in 14 Posts

    Default

    A Kenwood radio programmed in conventional mode will not un-mute on trunking channels, it's how application firmware is designed.

    There was a rumor of a possible hack but never confirmed or detailed.

  23. The Following 2 Users Say Thank You to bup For This Useful Post:

    triptolemus (Jun 29, 2018),Viper1-6 (Jun 29, 2018)

  24. #15
    Join Date
    Feb 04, 2012
    Posts
    1,675
    Thanks
    79
    Thanked 372 Times in 193 Posts

    Default

    I had kind of figured something like that may be the case. First I wanted to get myself familiar with the radio and the software. Then I can start scoping the main board and see if the no-unmute is controlled by software settings or hard-coded settings etc.

    One idea that I'm toying with is to have the unit sit on a known very active NXDN user and start scoping the board and chips. There is some Railroad activity that is NXDN and I believe that they can just be programmed up and monitored. With that info I may start forcing logic points to see what happens. This is still very early stages and I have not passed the "let's try all the codeplug settings" step.

  25. The Following 2 Users Say Thank You to Notarola For This Useful Post:

    slapshot0017 (Jul 01, 2018),Viper1-6 (Jun 29, 2018)

  26. #16
    Join Date
    Jul 11, 2012
    Location
    Stinkadeener
    Posts
    822
    Thanks
    538
    Thanked 978 Times in 439 Posts
    Country: United States

    Default

    Quote Originally Posted by Notarola View Post
    There is some Railroad activity that is NXDN and I believe that they can just be programmed up and monitored.
    Correct. Conventional only needs frequency and RAN, just like P25.
    "The Girl Scouts found several hungry REACT members at the finish line..."

  27. #17
    Join Date
    Feb 04, 2012
    Posts
    1,675
    Thanks
    79
    Thanked 372 Times in 193 Posts

    Default

    I have programmed up the rail freqs and NXDN works fine. The rail freqs all use RAN = 0. I then tried entering the same configuration in the UHF unit and selecting RAN = 23. No go; the unit displays activity but no unsquelch. I am looking into maybe a missing setting, but it looks like in conventional mode the units only look for a RAN; they have no setting for a TG. It looks like the conventional data packet is different from a trunking packet (no TG slot). Research continues.

  28. The Following User Says Thank You to Notarola For This Useful Post:

    Viper1-6 (Jul 03, 2018)

  29. #18
    Join Date
    Jan 05, 2018
    Location
    WTVLCA01DS0
    Posts
    9
    Thanks
    17
    Thanked 30 Times in 9 Posts
    Country: United States

    Default

    Quote Originally Posted by Notarola View Post
    I have programmed up the rail freqs and NXDN works fine. The rail freqs all use RAN = 0. I then tried entering the same configuration in the UHF unit and selecting RAN = 23. No go; the unit displays activity but no unsquelch. I am looking into maybe a missing setting, but it looks like in conventional mode the units only look for a RAN; they have no setting for a TG. It looks like the conventional data packet is different from a trunking packet (no TG slot). Research continues.
    Probably not new info, but I run a Kenwood Type C system...

    I don't have time to dig into it, but I've tried.
    My understanding is that the packets from a trunked system are tagged as such, and unless the radio is set up to work on the trunked system, it will not unmute, even with the RAN set to 0, or anything else (I tried with mine).

    I played with it for a few hours when I was turning up the system and hadn't put any users on it yet. Never did figure out a way to make it work.

    When I turned the system up, I had a pretty fresh memory of all the issues I'd had with the Motorola SmartNet system it was replacing.
    - At one point, the guy before me had let one of the local shops do some radio programming, so they had the system key, codeplug and a radio ID. When we did our rebanding, we discovered that there were a LOT of radios with that same ID in our bus fleet.

    When I set up the NexEdge system, I locked it down as hard as I could because of that.
    - I've got it locked down to require the radio UID and radio ESN to be entered into the system.
    - The UID (radio ID) and ESN must match. You can't use a random UID and expect it to work.
    - If the UID isn't in the system, the ESN isn't in the system, or the UID/ESN don't match, the radio will not unmute any traffic, it won't TX, will show "out of range".
    - No amount of "RAN=0" will bypass that.
    I also set read passwords and write passwords on all the radios. But someone at Kenwood (or one of the dealers) let the "engineering password" out that lets people bypass that.

    So, I've tried with my limited amount of time, never figured out a way to hack it. I'm sure it can be done, but I don't have the time to figure it out. So far, I don't see any indication of anyone hacking the system.

    I think that Kenwood did learn a lot from Motorola's mistakes.

  30. The Following 5 Users Say Thank You to mmckenna For This Useful Post:

    Alpha (Jul 10, 2018),box (Jul 11, 2018),MotFAN (Jul 10, 2018),motorola_otaku (Jul 10, 2018),Viper1-6 (Jul 10, 2018)

  31. #19
    Join Date
    Feb 04, 2012
    Posts
    1,675
    Thanks
    79
    Thanked 372 Times in 193 Posts

    Default

    I don't need or want to access the system. I am looking for a way to just passively monitor (NAF) traffic.

    I agree with all the steps you have taken to lock down the system. I knew from my research that the systems could be configured from just UID to UID and ESN with both compared to the database. I believe that even the TG can be checked so that a legit radio cannot just have TGs added. It is also my understanding that RID= 0 is not a universal decode RID. Unlike P25 there is no universal TG that can be used to decode any TGs active.

    As you know there are several modes for the radio to be programmed in (conventional, site trunking etc.). My plan is to go through each of these modes and match what I know about the TG I am interested in to see if anything useful happens. So far nothing has popped up but research is in the early stages.