Project: Scanning the Orion DMR Network (Kurrajong Heights Base)

I was sitting in my room the other day and something seemed off. It was quiet. Too quiet. But why? As it turns out, I used to have a scanner radio active in idle times to listen to what was happening in the community around me. Listening to transit officers and RMS on the NSW GRN, and Sydney Buses would provide an interesting view of what was happening on the roads and tracks without leaving the comfort of my own room while I did some work.

With my recent overseas travel and change of scenery, things haven’t been quite set up in the same way as they have been in the past. As a result of ACMA’s rejig of the 400Mhz band, the radio landscape had changed to (almost all) digital trunked voice systems with new frequency allocations. All those memories in my scanners were now picking up nothing but the chugging of digital FSK signals. Even the NSW GRN doesn’t seem to have the same level of activity it once had – the transit officer talkgroups are nearly silent with an occasional radiocheck. It seems the “new” transit officers might rely on mobile phones instead, or there really isn’t any transit officers “connected” to my local GRN base so I’m not getting the transmissions.

But I wasn’t going to give up – in my new area, I really wanted to listen to the local bus operator (Busways) as I was convinced there was still some good listening to be had, so I spent some time to find them on the air.

The Quest for Busways

The first thing I always do is just to search the ACMA RRL. The first thing I tried was to find a client containing “Busways”. No dice. Knowing that Busways operates out of Glendenning, I tried to search for licenses in that postcode – but there was no clear indication of any such entity. It seems that I might have been too late to catch the trail and follow it … so I had to take a different approach.

I grabbed my IC-R20, still programmed with the old frequencies and found the Busways Blacktown frequency from it – 488.5500Mhz. Who might be using this frequency now? I downloaded the whole 400Mhz transition band table from the RRL (rather than the even larger full dump) to take a search.

There were two results – one for Gearhouse Broadcast Event Communications, the other for Mastercom. The first one has “Sub-Local” coverage, which is probably too small, especially from Mascot so I decided it was irrelevant. However, Mastercom proved to be more interesting …

Mastercom and the Orion Network

In the end, the fingers pointed towards Mastercom, a radio communications solutions provider in Granville (which I used to pass everyday by bus on my way home). They do a lot of work installing radios for many customers – trucks, utes, vans and buses. I figured that while most bus operators may have had their own licensed radio repeaters in the past, the transition to digital might have required external help and it seems that Mastercom may have taken the opportunity to change the way the service is provided.

A look at their site shows that they are a key part of the Orion Network, a DMR network based on Motorola’s MOTOTRBO Connect Plus technology covering most of the capitals in Australia. Mastercom is responsible for the deployment in the Sydney area. As a result, if we’re looking for potential Orion Network DMR network frequencies, we’ll have to be on the lookout for Mastercom’s licenses. From what I can tell based on ACMA’s site location map, there are quite a few sites, but not all of Mastercom’s licenses are DMR, so all that we can conclude is that at least some of these sites are running DMR.

Based on the information thus far, I suspect that Mastercom and Busways may have been involved in the past – maybe Mastercom was responsible for installation and maintenance of radios but the repeater license was owned by Busways. Upon the transition, I suspect the original frequency allocation was “returned” to Mastercom from Busways and a number of other companies so as to create a “pool” of frequencies which could be used to deploy a trunking system that better utilises the spectrum for the benefit of all. In return, Mastercom would be responsible for the licenses.

Because of the flexibility of the DMR trunking system, having frequencies all over the place with different input splits is no problem. This is probably why the frequencies aren’t “evenly spaced” as like in the NSW GRN network, or even in one “clump” as you might otherwise expect. This might create new propagation or performance difficulties, but additionally, it means that any receiver will need to tune across a wide frequency band to catch all the possible trunks. Good luck capturing everything with one SDR!

Receiving the DMR Connect+ Network

Knowing that the Orion DMR Network is probably my target, I tried to see what information is available. Sadly, the RadioReference database is so anemic that it’s almost useless in NSW – the bases have only the control frequencies listed and talkgroup listings are almost non-existent. As a result, I decided to start from scratch – something I haven’t done before.

Step 0: Get your SDR out and set up!

I’m going to assume you have an SDR and it’s set up and ready to go. Ideally, you will also have virtual audio cable software available to route SDR output into a decoder and an SDR package that can demodulate NFM without audio filtering. If you don’t have this, you could still manage this with a quality scanner with discriminator output into a sound card, but the setup is often a bit more finnicky to get good decodes. Personally, I prefer SDR# for initial scoping.

Step 1: Find a good DMR (or P25/NXDN/IDAS/etc) control channel

Rather than focus on the frequencies offered by the licenses, I took the reverse approach to look at what was on the air using my BladeRF SDR instead. There’s really no point trying to focus on existent systems if you can’t hear them! Trunking control channels are continuously broadcasting, making a constant “chugging” noise.

On a spectrogram, it looks like a peak with a periodic waterfall signature. Sometimes it’s not obvious which mode this might be, so having a decoder handy is the only way to make a positive identification and extract relevant metadata from the system. There’s a good chance you might have stumbled on a trunk frequency (in which case, the transmission ceases after a while) or a different mode (i.e. from another system, e.g. P25, NXDN, IDAS).

For reference – 492.5750Mhz is the main control channel for the Orion Network’s Kurrajong Heights base station. A recording of the control channel signal sounds like this.

Step 2: Firing up a decoder

To decode a majority of the digital voice systems, you can use DSDPlus. This software was an extension of an older software called DSD that only decoded digital voices. The new software also manages the trunking data and has been released openly with version 1.101 from 2015 being the currently offered version.

Because of the questionable legality of software that implements decoders for a number of digital voice modes, the software may be illegal to distribute in its binary form (or maybe even to use) depending on how this decoding is implemented and whether it infringes on patented methods. As the source code is unavailable and I am no expert on voice compression, it’s not something I can determine. Regardless, I’m no legal expert, so use the software at your own risk!

In my case, for educational/hobby/personal home use and evaluation of the systems on the air, I don’t see it being a major issue. It might even convince me to buy a scanner for it … although I suspect the prices are still going to be a sore point.

Apparently, there are newer versions of the software that have better features, known as DSD Fast Lane which requires payment – this only makes the legality issue even more murky and as a result, even though I might like some of those features, I don’t think it is right to pay for them as now profit can be considered to enter the equation. Despite this, it still seems to be under active development.

If you have a DMR control channel, you should see something similar to that above. If so, congratulations! As DMR carries two timeslots per frequency, we can see that slot 1 carries the system trunking data, whereas the second slot is idle. This site is named 1-10, and adjacent sites are listed as 1-2, 1-6, 1-7 and 1-8 (for radio roaming). You will notice that no frequencies show up and the trunked system “dimensions” are unknown –

Over time, the number of channels will become clear as calls “light up” each channel/slot in sequence, but the talkgroup IDs and radio IDs are still very much anonymous. There is still much to be done before you can have an enjoyable listen to the DMR system.

But before you go any further, I think it’s a good idea to scan around and note down all the active digital frequencies – things like system type, ID, neighbouring sites. This will allow you to better determine the strongest site and whether there are alternative base stations belonging to the same system and either use or ignore them.

In my case, I was able to detect a neighbouring base (1-6) on 496.625Mhz which belongs to the Orion Network’s Horsley Park base station. The signal was fairly good, but the Kurrajong one was slightly stronger, so I opted to stay.

I also found a DMR Tier 3 system on 504.0875Mhz named “H3-1.7” and one on 504.2875Mhz named “H3-2.3”. Both seem to belong to Mastercom as well, the first at Horsley Park and the other at Kurrajong Heights. This seems to imply there are separate DMR networks for individual users who might not want to share a trunked system with other users – possibly for quality of service concerns.

There was also an NXDN system named E200-7 (with neighbours of -6,-8,-9) on 486.575Mhz. This probably belongs to Vertical Telecommuncations and is part of the Vertel Team Talk NXDN system. Radioreference knows of the system, but there are no talkgroups listed.

There was also an IDAS system, although I misrecorded the frequency – I guess I’ll have to go for a scan for it later. This is aside from the regular clatter of the NSW GRN which has a bucketload of APCO P25 bases.

Step 3: Determining the per-trunk frequencies

The next difficulty is to understand which frequencies belong to each voice channel. To get started, it would be wise to look up the RRL to find which site the control channel belongs to – then find all the frequencies belonging to the licensee at the site. This gives you a list of potential candidates.

Then, it’s a game of waiting to see the channel light up on the DSDPlus decode display, while noting which frequency seems to have activity which matches – when DSDPlus says a transmission is on, there’s “burbling” and when DSDPlus says it’s inactive, the channel goes quiet soon after.

However, DMR has one additional trap (or help) – because of its slotted nature, pairs of channels share the same frequency. Channel 1 and 2 share the same physical frequency, as does 3 and 4, as does 5 and 6 and so on. This can reduce your need to monitor substantially. In the case of the Kurrajong base, the system has 14 voice trunks, corresponding to 7 frequencies. The control frequency is known, and is always the first slot on that frequency, so that narrows it down to 6 to determine.

The best time to do this particular exercise is when the system is busiest – weekdays during business hours are a sure bet. Then you need to key the data into DSDPlus by modifying the frequencies file. You only need to create an entry for each two channels – while it is possible to enter the repeater input frequencies, doing so does not affect the operation, so I just entered the same frequency as the repeater output.

Step 4: Begin Trunked Monitoring

Now begins the fun part – once the system is ready, then you can begin monitoring. However, there are a few problems with DSDPlus that can make life difficult. The first is that it supports only the RTL-SDR and Airspy as inputs – so the easiest way is to grab two RTL dongles and have them connected to decent antennas.

The second seems to be that the software has batch files to run the CC (control channel) and VC (voice channel) receiver instance, using FMP to receive the audio from an RTL over TCP. The inter-process communication between the CC and VC instances is via files on the disk – .traffic and .tuned files. Unfortunately, it seems that for some reason, this doesn’t work on Windows 10. If you try, you might get .traffic files generated and removed on each call, but the VC instance is blind to it. The only way around this was to run it on my older Windows 7 machine where this worked just fine.

The third, and arguably the most annoying, was discovering that the FMP tuning routines have a bug.

Once I had my frequencies configured, all calls were being received correctly except for one pair of channels – those that ran on 507.4125. When a tune is requested, we are “off frequency” every time.

I verified with my IC-R20 – the frequency I keyed is correct. If I nudge the tuning on FMP, I could never get the tuning to be right for the channel – it would jump from being severely below or above the DMR carrier and couldn’t sit right on it.

I thought this might end my monitoring enjoyment, until I dug into the literature, and discovered it was possible to swap the I/F location from low-side to high-side injection by pressing I on the keyboard into the instance of FMP. By running high-side, the frequency compute routine seems to be correct and all 14 channels are decoded correctly! Also of help is the C/c keys which allow you to tweak the RTL crystal ppm compensation to ensure your signals line up correctly.

If you’ve gotten this far and your audio is correctly configured, then you should be listening to some digital voice. The quality of the decode is highly dependent on the signal input, but seems to be a little below that of a legitimate radio, as expected. A lower audio quality is expected as digital vocoders are tuned for voice only, background noises causing intelligibility issues. That being said, occasionally you might get some “stuttery” audio, swimmy sounds, echoes and transmissions which seem to be decoded as “unvoiced”, resulting in a sound like someone who has lost their voice is talking into a radio. It’s not always the fault of the program, but it seems to be the expected result.

From here, you can make your listening more enjoyable by modifying your .groups and .radios file to reflect the users and changing the priority of each group (as you are only decoding one voice transmission at a time).

But remember – most trunking systems have “deliberate” features which can make things hard for you. One of them is the fact that the control channel alternates on a daily basis between the primary control (Ch1) and alternate control (Ch3) in this system. The change happens around 2am and DSDPlus isn’t smart enough to change on its own. You could use a conventional scanner radio with a power-based squelch to provide the control channel to automate this, or (the hard way) retune the control channel FMP instance every night before you sleep.

Talkgroup Mapping

So who uses the Orion Network around here? A lot of listening had to be done to try and find out. Luckily DSDPlus records per-call files, so I monitored from 3rd to 13th August 2018 for a period of 10 days. Only talkgroups with over 300 calls had their recordings reviewed for identification, as a talkgroup averaging 30 calls per day would be very “boring” to listen to on its own. Because very few companies would say their own names over their own channels over the air, I had to make some inferences from information provided – the talkgroup identification isn’t going to be 100% but should be decently close.

Talkgroups Identified:

  • 15011 – seems to be related to Vehicle Recovery.
  • 44990 – Football Tournament, but suspect it is a rental talkgroup along with 44991-44993.
  • 170004 – Transdev NSW (Kuringai) with associated 170000-170003. Radio ID 170838 belongs to Kuringai Base, the give-away was some route numbers which they operate. Radio IDs of 16xxxx where xxxx is the bus number.
  • 203998-203999 – Boral Concrete.
  • 217599 – container transport company.
  • 218496 – Bingo Industries St Marys.
  • 218497 – Bingo Industries Auburn.
  • 218498 – Bingo Industries Ingleburn.
  • 218499 – Bingo Industries Revesby.
  • 218990 – Metromix Concrete (?) – talk about decorative coloured concrete in Seven Hills making this the likely candidate.
  • 219299 – pallet truck deliveries.
  • 220320 – soil and clay, with Arabic language.
  • 220499 – BNP Securities as they mentioned securing Rosebank College for which they are the security provider.
  • 220599 – Cumberland Coachlines – talk of mini charter bus.
  • 223699 – security (maybe MSS? Wilson?) – likely whoever does UNSW as talk of Robert Webster Building.
  • 223801 – Busabout – Narellan depot.
  • 223990 – container delivery company.
  • 224090 – VISA Global Logistics (?) or other container delivery company, as one driver said “should I take it back to VISA?” but in that context is unclear whether that is just the source or the company’s own depot.
  • 226598 – St Marys based skip bin operator.
  • 249991 – Busways Blacktown – main channel, radio IDs of 24xxxx where xxxx is bus number.
  • 249992 – Busways Penrith
  • 249993 – Busways Mulgrave
  • 249994 – Busways Wyong – also likely related to 249996.
  • 260001 – Transit Systems Smithfield, with radio IDs of 25xxxx where xxxx is the bus bumber.
  • 260002 – Transit Systems Hoxton Park – also likely related to 260004.
  • 280001 – Hillsbus (Dural) – likely related to 280000, 280002, 280007, 280008, 280010, 280012, 280014, 280023 as well. Radio IDs of 27xxxx where xxxx is the bus number. All Hillsbus channels use Radio ID 280700 for either the base, or OCC (operations control centre).
  • 280004 – Hillsbus (Parramatta).
  • 280005 – Hillsbus (Northmead).
  • 280006 – Hillsbus (Special Event/Olympic Park).
  • 280010 – Hillsbus (Valley Heights).
  • 280013 – Hillsbus (Auburn).
  • 281498 – School Charter bus.
  • 281699 – clay and topsoil.
  • 281899 – vehicle transportation.

Surprisingly, the listed 228059 talkgroup on Radioreference didn’t light up even once in the ten day monitoring period. As a result, I suspect a lot of the data available is just out of date! However, this list in itself is pretty impressive, considering this is just a 14-channel trunked system.

The Orion Network in Action

Watching the trunk status and seeing them light up and fall away is quite hypnotic, almost like watching a telephone switchboard (not that these really exist anymore). What follows is a speeded-up screen capture over about an hour of operation.

The Orion Network does get fairly busy during certain periods – I’ve seen the control channel occasionally drop out as it gets used as the channel of last resort to carry a last voice trunk.

But an extra channel can be added to the system as long as they get the license for it and the radios are told about what frequency it is.

Conclusion

Getting yourself set-up on digital trunking isn’t exactly a walk in the park compared to the analog days when you could just punch in a frequency and begin listening right away. Now you have to contend with setting up software, configuring frequency maps and talk-group/radio ID data/priorities. That’s assuming everything works as expected in the first place – when you discover a bug along the way, then you’re banging your head against the wall. Audio quality seems to take a hit as well, but something to listen to is better than nothing even if it might be legally problematic. There really isn’t any viable alternative, especially not one that can give you access to the system metadata in the same way to actually discover what is there to listen to.

After spending a few hours intensively reviewing recordings, I was able to identify quite a few talkgroups. As I was interested mainly in Busways, it was a nice find to see several private bus operators in a similar region also on the Orion Network, so I can hear them as well.

In fact, I was listening to the bus drivers and their difficulties during the recent rail meltdown – sometimes hearing things behind the scenes shows just how much of a struggle it is to keep the system going under extraordinary circumstances. Other times, it’s just plain fun to hear drivers report kangaroos, emus, cows on the road as well as commuters trying to ride the bus with bikes and even bed frames!

About lui_gough

I'm a bit of a nut for electronics, computing, photography, radio, satellite and other technical hobbies. Click for more about me!
This entry was posted in Radio and tagged , , , , , , . Bookmark the permalink.

3 Responses to Project: Scanning the Orion DMR Network (Kurrajong Heights Base)

  1. Gavin says:

    Interesting post! Do you need a high end SDR to receive digital trunk systems? Or can I do it with a R820T? (I’m initially interested in the NSW GRN.)

    • lui_gough says:

      Generally speaking, no, but for good results with the RTL SDR you will need a decently strong signal with few competing sources of interference. You’ll probably want to have two (or more) dongles as well. The old method which is rather clunky but carries over from scanner + discriminator tap days is to use Unitrunker for handling the system data and using either a dedicated scanner or one instance of SDRSharp to feed it via a loopback audio. A second instance of SDRSharp with a plugin can be used as the “voice channel” tuner, with its audio routed through a second loopback into an instance of DSD/DSDPlus for decoding the audio.

      Another option I haven’t tried is the “newer” more integrated approach of using something like SDRTrunk, although it won’t decode audio without you building your own JMBE decoder. Sounds easier, but I haven’t tried this myself.

      – Gough

Error: Comment is Missing!