A Look at Project 25 (P25) Digital Radio
Aaron Rossetto
Principal Architect, NI
Agenda
• What is Project 25?
• A brief introduction to trunked radio
• The P25 protocol
• GNU Radio and P25 decoding experiments
About the presenter
• 21-year veteran of NI*
• August 2019: Joined SDR team to work on
UHD 4.0 and RFNoC
• Long-time SDR enthusiast
• 2003: Ten-Tec RX320D
• FunCube, AirSpy, RTL-SDR dongles
• Long-time interest in public safety
communications monitoring
• 1988: PRO-2013 (my first scanner!)
• 1997-present: Various Uniden scanners
* NOTE: Not speaking for my employer in this presentation
What is Project 25?
• In an emergency, communication is often the key to survival
• Many agencies must collaborate and coordinate in a disaster scenario
• First responders: Police, fire, EMS (city, county, state)
• Federal agencies (e.g. FEMA, military reserves, NTSB, ATF, etc.)
• Relief agencies, local government resources, etc.
• Challenge: Lack of interoperability between public safety comms
systems
• Technical: Spectrum used, system features
• Political: Isolated or absent planning, lack of coordination, funding disparities,
jurisdictional issues, etc.
What is Project 25?
• 1988: U.S. Congress directs the Federal Communications Commission
to study recommendations for improving existing public safety
communications systems
• 1989: APCO Project 25 coalition formed
• Association of Public Safety Communications Officials (APCO)
• National Association of State Telecommunications Directors (NASTD)
• National Telecommunications and Information Administration (NTIA)
• National Communications System (NCS)
• National Security Agency (NSA)
• Department of Defense (DoD)
What is Project 25?
• Set of standards for land mobile radio systems enabling public safety
responders to communicate with each other and, thus, achieve
enhanced coordination, timely response, and efficient and effective
use of communications equipment
• Codified in TIA-102 series of documents
• Defines open interfaces between components of LMR systems
What is Project 25?
• Common Air Interface (CAI)
• Specifies the type and content of signals transmitted by compliant radios
• Subscriber Data Peripheral Interface
• Fixed Stations Interface
• Console Subsystem Interface
• Network Management Interface
• Data Network Interface
• Telephone Interconnect Interface
• Inter-RF Subsystem Interface
A brief introduction to trunked radio
[Diagram sequence; sector labels: Alpha, Bravo, Charlie, Delta. Other labels, in slide order:]
• 146.940 MHz
• Input frequency: voice traffic; output frequency: voice traffic
• Input frequency: voice traffic + CTCSS tone; output frequency: voice traffic + CTCSS tone
• 01011101
• Delta dispatch, XYZ MHz; All Delta Units: Dispatch talking, Tune to XYZ MHz; 01011101
• MDT Data, Fireground 201, Delta dispatch; Delta dispatch → ch 1, Fireground 201 → ch 3, MDT data → ch 5; 01011101
• Engine 17: Emergency; 01011101
A brief introduction to trunked radio
• Greater Austin/Travis County Regional Radio System (GATRRS)
• Project 25 Phase I system
• 66 sites covering 40 counties
P25 Common Air Interface
• Standard specifying digital voice modulation and the digital signals
transmitted by compliant radios
• Access method, modulation, data rate and message format for P25 radios
• Codified in TIA-102-BAAA-A standard document
Physical layer
• Phase 1: Modulation is a form of π/4 differential QPSK
• 4800 symbols (‘dibits’)/sec * 2 bits/symbol = 9600 bits/sec
• C4FM: Continuous 4-level FM
• Constant amplitude carrier
• CQPSK: Compatible/Continuous QPSK
• Variable amplitude carrier
• a.k.a. LSM (Linear Simulcast Modulation)
Physical layer
• Phase 2: 2-slot TDMA in 12.5 kHz channel
• Provides two 6.25 kHz-equivalent channels
• 30 ms slots
• H-DQPSK modulation (Harmonized – Differential QPSK) outbound
• Essentially π/4 DQPSK with different filtering
• H-CPN (Harmonized – Continuous Phase Modulation) inbound
Physical layer
• 24-dibit frame synchronization
111113113311333313133333
• Dibits are interleaved in data blocks to spread
burst errors across the block
• Trellis encoding for error correction
• Rate ½ code: 48 dibits in, 98 dibits out
• Unconfirmed data blocks, including TSDUs
• Rate ¾ code: 48 tribits in, 98 dibits out
• Confirmed data blocks
Media access layer
• Voice and data messages are sent over the air as data units
• Voice-related data units
• HDU – Header Data Unit
• LDU1/LDU2 – Logical Link Data Unit
• TDU – Terminator Data Unit
• TDULC – Terminator Data Unit with Link Control
• Data-related data units
• PDU – Packet Data Unit (variable length data unit)
• TSDU (a.k.a. TSBK) – Trunked Signalling Data Unit (Block)
• Not part of CAI
• Heavy use of error correction and detection codes (Golay, Hamming,
Reed-Solomon, CRC)
Media access layer/Channel access
• Data units begin with frame sync and
network identification (NID)
• NAC: Uniquely describes the system
• DUID: Indicates the type of data unit to follow
• Status symbols
• Injected periodically within data units to
indicate status of channel
• Data packets include protection flag for
encrypted payloads
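Added example, not code from the presentation: locating the 24-dibit frame sync in a stream of sliced dibits (values 0 to 3) and reading the NAC and DUID that follow it. The 12-bit NAC and 4-bit DUID widths and every DUID value other than 7 are not on the slides and are supplied here from the TIA-102 air interface; the sample stream is constructed.

```python
# Added example (not from the talk): find P25 Phase 1 frame sync, read the NID.
FRAME_SYNC = [int(c) for c in "111113113311333313133333"]  # dibits from the slide

# Only DUID 7 (TSDU/TSBK) is stated on the slides; the other values are
# supplied here from the TIA-102 common air interface.
DUID_NAMES = {0x0: "HDU", 0x3: "TDU", 0x5: "LDU1", 0x7: "TSDU",
              0xA: "LDU2", 0xC: "PDU", 0xF: "TDULC"}

def find_frame_syncs(dibits, max_errors=2):
    """Offsets where the 24-dibit sync matches with at most max_errors bad dibits."""
    n = len(FRAME_SYNC)
    hits = []
    for off in range(len(dibits) - n + 1):
        errors = sum(a != b for a, b in zip(dibits[off:off + n], FRAME_SYNC))
        if errors <= max_errors:
            hits.append(off)
    return hits

def parse_nid(dibits, sync_off):
    """Read NAC (12 bits) and DUID (4 bits) from the 8 dibits after the sync.

    Assumption: fields are taken as received; a full decoder would first
    correct the 64-bit NID with its error-correcting code.
    """
    start = sync_off + len(FRAME_SYNC)
    field = dibits[start:start + 8]
    if len(field) < 8:
        return None  # stream ended inside the NID
    word = 0
    for d in field:
        word = (word << 2) | (d & 0x3)
    duid = word & 0xF
    return {"nac": word >> 4, "duid": duid, "type": DUID_NAMES.get(duid, "unknown")}

def scan(dibits, max_errors=2):
    """Pair every sync hit with the NID fields that follow it."""
    return [(off, parse_nid(dibits, off)) for off in find_frame_syncs(dibits, max_errors)]

def to_dibits(value, nbits):
    """Split an integer into dibits, most significant first."""
    return [(value >> s) & 0x3 for s in range(nbits - 2, -1, -2)]

# Constructed sample: noise, sync with one wrong dibit, NAC 0x293 + DUID 7, padding.
SAMPLE = ([0, 2, 1, 3, 0] + FRAME_SYNC[:10] + [0] + FRAME_SYNC[11:]
          + to_dibits(0x2937, 16) + [0] * 10)

if __name__ == "__main__":
    for off, nid in scan(SAMPLE):
        print(off, nid)
```

An exact-match search misses the constructed frame because of its single slicing error, which is why the search tolerates a small number of bad dibits.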
P25 voice traffic
• Voice traffic encoded as Improved Multi-Band Excitation (IMBE)
• IMBE frames encode 20 ms of speech into 88 bits of information
• Pitch, voicing, quantized gain for each audio band
• Continuous average of 4.4 kbps
P25 voice traffic
• Voice traffic begins with HDU, then alternating LDUs, then a
TDU/TDULC
• LDU1/2 pair comprises 360 ms of audio data
• Link control, encryption sync, and low speed data embedded within LDUs
P25 voice traffic
• IMBE frame contents
• Quantized pitch (8 bits)
• Voicing vector information (3-12 bits, one bit per band)
• Quantized average frame gain level (6 bits)
• Quantized gain vector and DCT coefficients (remainder)
• Sync (1 bit)
• TIA-102.BABA document describes the vocoder implementation
• NOTE: IMBE is a patented technology of Digital Voice Systems, Inc. (DVSI)
P25 voice traffic link control information
• Link control information embedded within voice messages or in
TDULC packet
• Identification information and control information for notifying listeners on a
voice call of system events and status
• Used in conventional and trunked systems
• Messages and formats described in TIA-102-AABF-A
[Figures: link control formats for Explicit MFID (SF==0) and Implicit MFID (SF==1)]
Link control information example
• Group Voice Channel User LC message
• Indicates user of this channel for group
voice traffic
• Group address defines whom the user
is addressing
• Source address is the user of the
channel
• Service options indicate type of
service being requested
(E==emergency)
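Added example, not code from the presentation: decoding the Group Voice Channel User message described above from an error-corrected 9-octet link control word. The octet positions and the service-option bits other than E are assumptions taken from TIA-102.AABF, since the slides show the layout only as a figure; the sample word is constructed.

```python
# Added example (not from the talk): decode a Group Voice Channel User LC word.
# Octet and bit positions below are assumed from TIA-102.AABF; the slides show
# the layout only as a figure and name just the E (emergency) bit.

def decode_service_options(octet):
    """Split the service options octet into its flags."""
    return {
        "emergency": bool(octet & 0x80),    # E
        "protected": bool(octet & 0x40),    # payload flagged as encrypted
        "duplex": bool(octet & 0x20),
        "packet_mode": bool(octet & 0x10),
        "priority": octet & 0x07,
    }

def decode_link_control(lc):
    """Decode a 9-octet LC word that has already been error-corrected."""
    if len(lc) != 9:
        raise ValueError("link control word must be 9 octets")
    info = {
        "sf": (lc[0] >> 6) & 1,             # 0 = explicit MFID, 1 = implicit
        "lco": lc[0] & 0x3F,                # link control opcode
    }
    if info["sf"] == 0:
        info["mfid"] = lc[1]
    # LCO 0 with the standard MFID (0x00) is Group Voice Channel User.
    if info["sf"] == 0 and info["lco"] == 0x00 and lc[1] == 0x00:
        info["message"] = "Group Voice Channel User"
        info["service_options"] = decode_service_options(lc[2])
        info["group_address"] = int.from_bytes(lc[4:6], "big")
        info["source_address"] = int.from_bytes(lc[6:9], "big")
    else:
        info["message"] = "not decoded"
    return info

# Constructed sample: emergency call, priority 4, group 0x1234, source 0x00ABCD.
SAMPLE_LC = bytes([0x00, 0x00, 0x84, 0x00, 0x12, 0x34, 0x00, 0xAB, 0xCD])

if __name__ == "__main__":
    print(decode_link_control(SAMPLE_LC))
```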
P25 data traffic
• PDU – Packet Data Unit
• Data is split into packets beginning with a header and then blocks of 12 or 16
bytes
• Packet data can be confirmed or unconfirmed
• Confirmed: Receiver can request retransmission of individual blocks
• Unconfirmed: Single CRC over entire payload; no retry
P25 data traffic
• PDU header is 12 bytes
• IO indicates inbound or outbound message
• Logical Link ID indicates subscriber unit source or destination
• Confirmed header has additional sequence number synchronization fields
[Figures: header formats for Confirmed (A==1) and Unconfirmed (A==0)]
S – Sequence # resync flag
N(S) – Sequence # of packet
FSNF – Fragment sequence #
P25 data traffic
• Confirmed packet blocks contain serial number and per-block CRC
• Last block has packet-wide CRC
• Unconfirmed packet blocks carry a message-wide CRC on the last block
[Figures: Confirmed data blocks (1..N-1, N); Unconfirmed data blocks]
P25 data traffic
• Confirmed data receiver sends an acknowledge response
• Class, type, and status specify the meaning of the response
• Selective retry encoded in following blocks
• 1 or 2 blocks can follow to selectively resend up to 127 blocks
P25 trunking control
• Defined in TIA-102.AABB – but not part of the P25 CAI
• Allows trunked radio control channels to be transmitted on
P25-compliant systems
• Two forms of trunk control channel message
• Single and multiple block packet
• System independent and manufacturer-specific messages supported
• TIA-102.AABC defines system independent common messages
• Micro-slots of 7.5 ms allow for consistent response time potential
P25 trunking control
• Single block packet format
• DUID of 7
• Single, double, and triple TSBKs supported
P25 trunking control
• Multiple block packet format
• Same DUID and format as PDU
P25 trunking control example
• Unit-to-unit call
[Diagram sequence; sector labels: Alpha, Bravo, Charlie, Delta. Other labels, in slide order:]
• Delta 205, Delta 201; 01011101
• Delta 205, Delta 201; ch 0x115; 01011101
• ch 0x115 output: P25 voice traffic; Delta 205, Delta 201; 01011101
P25 GNU Radio experiments
CAVEAT PROGRAMMATOR!
• There are likely FAR better ways to do all of this
• They’ve probably already been implemented
• My signal processing knowledge is very basic
• Code is >3 years old
P25 GNU Radio experiments
• “The Scanopticon”
• Record all voice traffic on a trunked radio system to disk
• Long-term: Web accessible audio with graphical per-talkgroup timelines
“What is the most UNIXy way in which I could go about this?”
Scanopticon architecture
[Diagram: towerserv process (GNU Radio flowgraph). Labels:]
• Sources: wavfile_source → float_to_complex → throttle; osmocom_airspy; usrp_source
• SDR I/Q buffer: 10 MHz centered around trunked system frequencies
• Per-channel blocks (channel 1 … channel N): shift spectrum to channel frequency; 32x decim FIR + freq translation; 5x decim FIR; FM demodulator; RRC FIR filter; 4FSK decoder; TCP server
• TCP port 40000: channel 1 dibits … TCP port 40000+N: channel N dibits
• Data types: complex f32, real f32, char [0,1,2,3]
[Diagram: dsd – Digital Signal Decoder (Open source software with modifications). Labels:]
• “Beefy” PC; “Less beefy” PC
• towerserv TCP → nc → UNIX pipe → dsd → audio_{talkgroup}_{timestamp}_ch1.wav … audio_{talkgroup}_{timestamp}_chN.wav
4FSK decoder
• Derived from gr-fsk4 OOT module
• https://github.com/JohandeGraaf/gr-fsk4 (not original author)
• Small modifications
• Removed message queue for fine frequency adjustments
• Output ‘3’, ‘2’, ‘0’, ‘1’ based on slicing decision
• Also a version that outputs packed bytes (4 dibits/byte) for a different
experiment
dsd
• Digital Speech Decoder
• https://github.com/szechyjs/dsd
• Major modifications
• Accept pre-sliced dibits as input from file
• Previously only accepted discriminator input from sound card/serial slicer
• Remove all live audio playback functionality (disable PortAudio)
• Write separate .wav files per transmission
• Previously one huge .wav file per dsd instance
• Uses link control information in LDU1/2 packets to determine channel user
• Fix various bugs in the code
• NOTE: There is a gr-dsd block!
cc_mon
• Control channel message monitor (very basic)
• Early research work for trunk scanner architecture
• Reads control channel dibits from socket
• Outputs group channel grant information
• Which users are on which channels
Demo
• Start up towerserv process
• Show TCP traffic on channel 16 (control channel)
• Run cc_mon utility
• Show nc/dsd pipe script
• Start nc/dsd pipe script
• Explain output
• Show and play audio files
Other OSS libraries
• libmbe: Open source decoder for IMBE/AMBE packets
• https://github.com/szechyjs/mbelib
• Required by dsd to convert LDU packet data to audio
• NOTE! Encumbered by DVSI patents
• “For educational purposes only”
• it++ (itpp): C++ library of math, signal processing, and
communications classes or functions
• http://itpp.sourceforge.net/4.3.1/
• Required by dsd for error detection and correction of P25 packet data
My dream
“DIY OSS Trunked Radio Scanner”
• RPi, SDR module, and audio
amp/speaker in an enclosure
• Headless (web-based mobile
friendly UI for interactive control)
[Figure label: Enclosure]
• Wi-Fi enabled for updating,
configuration, audio streaming,
and cloud audio backup
• GNU Radio support, of course :)
• Maybe even implemented in GR
Additional Resources
• https://archive.org/details/TIA-102_Series_Documents
• Subset of TIA-102 documents
• https://www.radioreference.com/
• Comprehensive radio systems database