Thread: TETRA

  1. #1

    Didn't really know where to post this. Forgetting all the crap from BL and RR - does anyone know the straight answer if TETRA can be passively monitored? There's a local agency that is ramping up to a TETRA system sometime within a year and I'd like to be able to monitor if possible.


  2. #2

    DSD maybe?

  3. #3

    I thought TETRA was encrypted? I know very little about it, but I was under the impression encryption was part of the architecture?

  4. #4

    Mars, it's the same as P25.

    We have lots of 800MHz TETRA here in Sydney and it's all business users and unencrypted. The ETSI specs have 4 proprietary (read closed source) algorithms called TEA 1, 2, 3 and 4. These are all used for various levels of security. Much like the closed source A5/1, these algos would probably be quite interesting to look at.

    Motorola have also used DVI-XL on their Dimetra gear as well, and it's available to business users here in Sydney as an option.

    Cheers,
    Matt

  5. #5

    Originally Posted by Durchschnitt:
    > Didn't really know where to post this. Forgetting all the crap from BL and RR - does anyone know the straight answer if TETRA can be passively monitored? There's a local agency that is ramping up to a TETRA system sometime within a year and I'd like to be able to monitor if possible.

    There is a function called "background scan" which allows scanning of talkgroups that you normally can't access with the channel/menu selections, and is meant for receive only. I haven't seen the programming, or played on a system, so I can't say if the radio needs to be affiliated with the system for this function to work or not, but I'll try & find out.

    I don't go to RR, but did you ask this on BL? I don't recall seeing a thread on it...mind you there's no TETRA forum, so did it get locked?

  6. #6

    No, but based on the attitudes over at BL, I would simply be told no and deal with it.

    Matt, so you're saying it is in theory possible to pick up a TETRA radio and program it to receive? That is, there IS such a thing as unencrypted TETRA?

    The agency going to it up here isn't Public Safety and has been in the clear on conventional for decades, so I don't see them encrypting.

  7. #7
    cyrus

    Tango Tango Charlie?
    Cyrus

    Bubbles: I'd like to see that Red Blue Green c***sucker put one of those together, duct-tapin' it.

  8. #8

    Originally Posted by Durchschnitt:
    > Matt, so you're saying it is in theory possible to pick up a TETRA radio and program it to receive? That is, there IS such a thing as unencrypted TETRA?

    Yep, and it's been done (not by me).

  9. #9
    mtp850 No Longer Registered

    It can 100% be done both in conventional or trunked configuration. You can scan up to 20 talkgroups at a time while the radio is sitting on another talkgroup, so in effect you're scanning 21 at a time.

    To start, FOR TMO (TRUNKED MODE OPERATION) the radio needs to be affiliated on the network with a legitimate TEI (ESN) and ISSI (radio ID) or you will boot the user off the network (in the same way as a P25 trunked network). Next you will also need to know the talkgroup ID, GCK (Group Cipher Key), country code and network code. If you have all that, you're in business. There are a couple of different requirements and configs involved, which includes region-specific CPS (or you will need TETRAlab). There are also different firmware revisions that this method will not work on. (I know version 10.000.6227 (portable) and v10.000.4018 (mobile) both work fine.) My tip is to set them to RX only, as it is very easy to TX the radio when you pick it up; the PTT buttons are pretty sensitive.

    Don't try and copy a codeplug and then write it on to another radio, you will screw your radio bigtime (note, the display will go blank and look like it's not turned on; the only way to recover this is to write back the codeplug that was originally in the radio or use "other tools" to recover the radio).

    FOR DMO (DIRECT MODE OPERATION/CONVENTIONAL) you will need the 3 digit Network MCC (Mobile Country Code) and also the Network MNC (Mobile Network Code). In DMO (conventional), if the talkgroup is using encryption you will need to identify the security type (1, 2 or 3) and also the matching key group or you won't hear a thing, unlike trunked where the radio can auto select from a list depending on what current key is being used. I.e. you can have multiple radios running different keys on the same talkgroup; only radios with that specific key programmed in will hear the transmission (and of course you would need to have the key loaded to your radio).

    The other thing that is a pain in the arse is that you cannot drag and drop in the CPS. You can paste the talkgroup tags but everything else is radio specific. I have nearly 500 talkgroups programmed in each of my radios along with about 30 scan groups and it took a very long time to do each radio (I've got 9 radios).

    Yes, DVI-XL is used by some, however there are ways around that...

    There is software around that works similar to Unitrunker which shows RID, talkgroup etc. For that to work, the radio needs to be forced to lock on to a frequency; once it is locked on you can see what is affiliating on that freq only. E.g. if your local tower has 6 TETRA frequencies, you will need 6 radios locked on to each of the freqs so you have complete coverage. It's a PITA but the only way it can be done.

    Oh, a final tip: do not use a portable that has GPS or remote programming enabled. If you have GPS, they will find you in a second, and if remote programming is on they will re-program your radio and remove those talkgroups that you should not have in there. All of my portables I have turned off GPS, disabled the GPS engine inside the radio and turned off remote programming and a couple of other things (these features can only be turned off with either lab or other tools).

  11. #10
    syntrx No Longer Registered

    Originally Posted by MattSR:
    > Mars, it's the same as P25.
    >
    > We have lots of 800MHz TETRA here in Sydney and it's all business users and unencrypted. The ETSI specs have 4 proprietary (read closed source) algorithms called TEA 1, 2, 3 and 4. These are all used for various levels of security. Much like the closed source A5/1, these algos would probably be quite interesting to look at.
    >
    > Motorola have also used DVI-XL on their Dimetra gear as well, and it's available to business users here in Sydney as an option.
    >
    > Cheers,
    > Matt

    Not all radios support TEA. Most non-public safety gear out there has clear traffic only firmware because the bare fact of being TETRA provides Good Enough(tm) security for most users.

    Motorola's current gear also has support for AES-256 on a UCM, if you're inclined to fork out that sort of cash.

    TETRA has some phenomenal security features such as SIM cards and BCCH (read: control timeslot) encryption that make monitoring and piracy very difficult if the system owner cares enough to enable and manage them. Lucky for those who wish to monitor, hardly anyone bothers.

  12. #11

    Yep, that's correct - just like not all P25 radios have encryption in them also.

    TETRA being "good enough" is roughly where we were with P25 going back 15 years ago.


    [Edit by Mars: I moved unrelated system security discussion to a new thread in the lounge.]

  13. #12

    Well, this agency (yes, the TTC) currently runs an MPT1327 system which is being replaced by this TETRA system. Eventually their 8 conventional channels will be added as well. I don't think they'd necessarily opt for high end encryption. They currently use a simplex channel that the users are told is "secure". It's un-encrypted P25.

    Sounds to me to be more hassle than it's worth, but something to play with anyway.

    I take it that like P25, a TETRA radio from any manufacturer works on any other TETRA system?

  14. #13
    syntrx No Longer Registered

    Originally Posted by Durchschnitt:
    > Well, this agency (yes, the TTC) currently runs an MPT1327 system which is being replaced by this TETRA system. Eventually their 8 conventional channels will be added as well. I don't think they'd necessarily opt for high end encryption. They currently use a simplex channel that the users are told is "secure". It's un-encrypted P25.
    >
    > Sounds to me to be more hassle than it's worth, but something to play with anyway.
    >
    > I take it that like P25, a TETRA radio from any manufacturer works on any other TETRA system?

    Yep. The standards are actually a bit better defined for TETRA than they are for P25 too, so you're less likely to find strange vendor specific quirks than you are on a P25 system.

  15. #14
    dxon2m No Longer Registered

    Not to hijack the thread but has anyone successfully decoded TETRA on DSD?

  16. #15

    Given that DSD doesn't support TETRA, the answer is no.

    Osmocom have done a GNU Radio project that decodes TETRA though.

  17. #16
    dxon2m No Longer Registered

    My mistake, should've read the page more clearly!

  18. #17

    All good mate, check out the Osmocom site; Harald, Sylvain and the usual suspects have done a good job of decoding the protocol.

    I will mention that their focus is purely security research, and not voice recovery though.

  19. #18

    Hi guys!
    Our local airport is using TETRA; they have MTH800 radios.
    I've managed to obtain a sample codeplug from a legit radio. So I know all the key parameters: MNC, MCC, talkgroup numbers, Unit ID, list of frequencies (are they really important in TETRA?). In the case of P25 trunking I would have programmed everything to my radio the same way and monitored the system. But I heard that one who wants to access a TETRA system must have an ESN which is enabled in the system in question. Is it true for all TETRA systems or is it an option? How can I change the ESN for Motorola or Sepura radios? Is there a hack for it?
    And one more question. In P25 systems it is possible to listen to the conversations by programming the voice-traffic channels and setting the auto-scan. Is it true for TETRA?
    Thanks in advance!

  20. #19
    tetranet No Longer Registered

    Hey... OK, if you have the right ISSI and TEI, you said that a network with TEA encryption (TEA1) passes the unit through registration... but you forgot the authentication, this step when the TETRA unit passes the registration... If the network doesn't use encryption and works at class 1, then maybe the unit passes the registration and joins the group (if you have the right GSSI, group ID)... Do you have experience with a clear network? Or have you tested this process on an encrypted network that uses class 2 or 3? (Authentication is optional on class 1.)

  21. #20
    sanjurjo No Longer Registered

    On Motorola radios, the standard CPS can't write the TEI. BTW, some networks use a shared crypto auth key (AUC). So a network can be in the clear but can't be monitored with a radio because it can't register.

  22. #21
    tetranet No Longer Registered

    I have LAB CPS, so changing the TEI isn't a problem; the problem is authentication. This step doesn't pass if you don't have the right auth K. Without auth K, auth doesn't pass. Authentication is a process between the MS and BS, calculated with some algorithms using auth K. I doubt that someone can connect to a network that is encrypted with TEA (class 2 or 3), because in this case authentication is required.

  23. #22
    oz1jua No Longer Registered

    > There is software around that works similar to Unitrunker which shows RID, talkgroup etc. For that to work, the radio needs to be forced to lock on to a frequency; once it is locked on you can see what is affiliating on that freq only. E.g. if your local tower has 6 TETRA frequencies, you will need 6 radios locked on to each of the freqs so you have complete coverage. It's a PITA but the only way it can be done.

    I know this stuff was posted a long time ago, but I'd like more information on how this is done.
    What is the software that can show RID, talkgroup, etc.?