Radio Redux
Mr. Icom (Ticom) (ticom.new.england@gmail.com)
As an old-school radio hacker from back in the day, I'm pleased to see a revival of interest in wireless topics among the 2600 community.
While RF hacking waxed and waned in popularity over the years, there's still a core group of us who pretty much only do radio, and who would like to see more hackers get into it. In this article, I'm going to discuss some basic info for those of you who would like to explore RF hacking, and talk about some of the latest news in the RF hacking scene.
Cheap Receivers
Back in the day, I started with a cheap Electra multi-band portable radio that covered the shortwave, and VHF-high public safety bands. It was a tag-sale find, and cost a lot less than a programmable police scanner. A good wideband receiver setup is essential for not only hearing what's out there, but also as one of your first pieces of test equipment to check the quality of signals you might be putting on the air.
If you look around, you could probably find a working CEI/WJ RS-125 setup for a couple hundred bucks at a hamfest, and that would be more receiver than you would know what to do with for a while, both in physical size and capability.
If you're really lucky, you might even come across an RS-111, better known as the receiver that made G. Gordon Liddy famous. RadioShack PRO-2004/2005/2006 scanners, the classic models that got most of us into radio hacking, are being offered at a fraction of their original cost. Most of them already have the appropriate mods done on them. For most beginners though, the most likely entry point would be one of the inexpensive USB stick type Software-Defined Radio (SDR) receivers.
All of this started with the introduction of the FUNcube Dongle (FCD). The FCD is a receiver with nominal 64-1700 MHz frequency coverage (closer to 51.5-2000 MHz, depending on the particular unit) that uses standard sound card drivers under Windows, Linux, or OSX. At ~$175 with shipping to the U.S. (depending on exchange rates), this was up until very recently one of the least expensive ways to buy a wideband receiver.
If $175 is still too much for you, how about $20? It was recently discovered that a USB DTV dongle with a RTL2832U chipset and an E4000 tuner can be used as a wideband SDR receiver with frequency coverage of 62-1700 MHz. At present, this is the least expensive route to get wideband VHF/UHF receiver coverage.
For more information, visit the following sites:
- funcubedongle.com - Info on the FUNcube Dongle
- RTL-SDR and GNU Radio - RTL2832U/E4000 SDR
- osmocom.org/projects/rtl-sdr/wiki/Rtl-sdr - RTL SDR
- World's Cheapest Software Defined Radio (SDR) - Even more RTL SDR info, including compiling software under Debian
The Next Step
Hacking RF usually means learning a bit about electronics.
Fortunately, the means to do so is available right on the Net. Do a Google search for "NEETS Navy Electricity Electronics Training Series" and you will find links to a 24 volume set of PDFs that you can download. This is a complete electronics course used by the U.S. Navy to teach their economic draftees, and it's very good.
The other item you should pick up is a copy of "The Handbook," by which I mean that bible of ham radio operators, The ARRL Handbook for Amateur Radio Operators, or more recently Handbook for Radio Communications. The material in the ARRL Handbook is a little more practical and how-to in nature, and complements the NEETS courses. A brand new current copy costs $50 from the ARRL or your local ham shop. You can find recent used copies at ham radio swap meets (a.k.a. hamfests) or on eBay for much less.
Any copy put out within the past ten years will suffice, although you might find yourself collecting old ARRL Handbooks as the DIY material is different from year to year, and, at less than $10 a copy, you can put together a pretty impressive collection of ARRL Handbooks for not a lot of money. The last two copies I bought, dated 1994 and 1979, cost me $1 and $5 respectively.
There has always been a big controversy between the RF hackers who have gotten their ham ticket versus those who remain unlicensed. I've been licensed for the past 28 years, and also hold a commercial license, since I used to do RF professionally. However, I have to respect the opinion of those who don't want to deal with the geriatric cranktards who often populate the airwaves.
I've been licensed since high school, and I'm still considered the "youngster." My attitude is "f*ck them." I hang out with all the cool ham radio people instead, and there are quite a few of us. With that said, many of the cool hams are senior citizens with a shitload of practical RF know-how and a willingness to share. They, unfortunately, don't have much longer on this planet, so you should find them and learn what you can while they are still around.
From an experimenter's standpoint, having your ham ticket gives you a shitload of spectrum to play with, ranging in frequency from just above the AM broadcast band to the upper-microwave region. Hopefully, soon there will even be a ham band below AM broadcast that promises all sorts of interesting opportunities. Getting the ticket is easy. The questions and correct answers to all of the tests are available, and most people just simply memorize enough to get a passing grade.
While passing the tests is cool, your true education doesn't really begin until you start plying the ether. For those of you who don't want to get the ticket for whatever reasons, there is still a good amount of license-free spectrum you can experiment with. You'll be dealing with Part 15 and Part 95 limitations, but some take it as a challenge. To each their own, I guess.
If you follow ham radio news in magazines like QST and CQ VHF, you'll find that there is always something neat and new going on. Digital modes using a computer's sound card have gotten to the point where the equipment hears better than you can, and can pull stuff right out of the noise floor. The microwave "weak signal" guys keep going higher and higher in frequency as the equipment for playing up there becomes cheaper and more available.
Narrowbanding
Narrowbanding is probably one of the best things to happen to the radio hobbyist scene when it comes to the availability of surplus equipment.
I expect over the next year or so for the used market to have a lot of neat stuff available for re-purposing. Narrowbanding is the implementation of an FCC mandate to reduce the amount of spectrum used by land/mobile licensees, and double the amount of channels available.
Previously, Land-Mobile Radio (LMR) systems ran FM with a maximum 5 kHz deviation. The new standard calls for 2.5 kHz. The channel spacing will then go from 15 kHz to 7.5 kHz. All LMR users in the VHF-high and UHF bands must switch their systems to a narrowband standard by 2013. All LMR radios made within the past ten years or so are narrowband compliant, but there is still quite a bit of older stuff in use out there. Commercial radios are built to last!
This means that millions of perfectly serviceable radios will become unusable for LMR use after 2013.
While most of them will find their way to developing countries or be scrapped/recycled, there will still be plenty around for hobbyist use. The two meter (144-148 MHz) and 70 cm (420-450 MHz) ham bands are directly adjacent to the VHF-high and UHF LMR bands respectively, and LMR gear can be moved over to the ham bands with little or no adjustment, 90 percent of the time.
The best equipment for the hobbyist would be the 50-100 watt mobile radios, and any radio that is Front-Panel Programmable (FPP).
An FPP radio is exactly as described, a radio that you can program frequencies in from the front-panel, without the need for a computer with the correct Radio Service Software (RSS), Radio Interface Box (RIB), and programming cable.
One of the biggest differences between ham gear and commercial gear is that ham gear is designed to be set by the user to any frequency within the edges of a given ham band, while commercial gear is set to specific channels in the LMR band, usually by a radio shop, that the user is licensed for. So where a ham can simply tune right to 146.52 MHz for example, a commercial LMR user goes to Channel N and the frequency is pretty irrelevant unless someone wants to listen in with a scanner (assuming the mode is analog FM or P25, and not something like TRBO or NEXEDGE).
Being that LMR users are restricted to specific channels, the equipment cannot be readily programmed to go off their licensed frequencies. Older radios had quartz oscillator crystals in them that determined the specific frequency. Some can be programmed directly from the front-panel by entering an unlock code on the panel's keypad, usually after moving a programming jumper on the radio's circuit board or attaching a programming dongle to the radio. Most radios are programmed with a computer, using the proper RSS, RIB, and programming cable for the specific make and model of radio. In these days of USB ports, the RIB is becoming a thing of the past, replaced by a USB programming cable that goes directly from the computer to the radio.
Of the three items, the RIB and cable are the easiest to get. The RSS may be a different story, however.
Some LMR companies are not too bad with software availability, and may have it available at a reasonable cost (or free) without hassle. Other companies are a different story. They may restrict software availability to "authorized service centers" and discontinue software availability for "obsolete" products. Some companies have been extremely aggressive in going after individuals who "pirate" their software. Motorola is notorious for this. Your mileage may vary.
There are also early synthesized radios that are programmed by burning a PROM or EPROM that is then plugged into the radio. The programmers and chips range in availability from unobtainium to pretty common. Generally speaking, the Motorola stuff using their proprietary modules and "suitcase programmer," such as the MX-350-S handhelds, should be avoided, as it's almost impossible to get the equipment needed to reprogram them. The old GE stuff used more common hardware that has since been reverse engineered by hobbyists, and is available in the ham community if you look and ask around.
The easiest and best option for the beginner RF hobbyist looking to get into "real radios" is a FPP model, as no external equipment is needed to get it up and running on the right frequencies. More likely than not, you'll be getting a portable (HT), as that'll be the unit you'll be changing frequencies on most often.
There are several types of FPP radios out there. My favorites are the Motorola JT1000, Icom IC-H16 and IC-U16, "ham flashed" GE M-PA, Kenwood TK-350, and Bendix King LPI (a.k.a., U.S. Military PRC-127). If you can find an old RadioShack Simplex Repeater box (Cat No. 190-0345), they work very well with the Icom radios. On the mobile side, a lot of hams like the Kenwood TK-705 (VHF) and TK-805 (UHF). Icom also made the IC-V100 (VHF) and IC-U400 (UHF) mobiles that are FPP.
Older crystal-controlled radios, in which each frequency is determined by an oscillator crystal inserted into the radio, are generally overlooked by hobbyist types. I've found them a useful source of RF parts, especially when acquired for free. Getting them recrystalled and retuned for ham band frequencies is not too difficult, and they are reliable performers for certain fixed applications where you won't be changing the frequency.
Many years ago, I came across a Drake TR-22, which is a vintage solid-state crystal-controlled two meter rig that was recrystalled by the previous owner for all of the AX.25 packet radio channels in the 145.01-145.09 MHz region. It also had the 146.52 MHz national simplex frequency in it, and a couple of other common simplex channels. The radio cost like $30, and it made a very handy packet rig.
More recently, I was given a donation of older vintage VHF-low band (30-50 MHz) equipment to help out with a project I'm working on. Included was a Motorola Mocom-70 that was recrystalled to operate on the six meter band (50-54 MHz), simplex frequency of 52.525 MHz. Just attach an adequate 12V power source to the radio, and it's all ready to go.
Stuff like this, despite its age, will continue to run like a tank for many years to come. When it does break, you can usually find a scanned copy of the service manual online and fix it with commonly available electronic components, if you can't find someone with a "parts unit" they'd like to offload.
If you come across any Motorola MT500 portables, you might want to give them a second look. There have been copious ham-related mods done to them, and one gentleman has done a great job converting them for APRS use on the two meter ham band.
That leaves the radios that require computer programming.
As mentioned previously, getting RSS can be problematic, depending on the make/model of your radio. Fortunately, there are plenty of hams who work in the LMR industry, and hams who like to work with surplus commercial gear.
Assuming you don't come across as a total jerk or basket-case, they will likely be able to get your radio up on the ham bands. Do not ask them for copies of current production RSS, and do not ask them to program non-ham frequencies into your radio. I can assure you that the answer will be no, and that future assistance may not be very forthcoming.
While hams who work in the LMR industry are, for the most part, very willing to help their fellow hobbyists get surplus commercial gear up and running on the ham bands, they're not going to do anything that will jeopardize their job, such as pirating software or putting someone on a frequency they're not authorized for.
With that said, some of the older stuff from companies that are no longer around in their original incarnation may be available online if you look around. Downloading and using such obsolete, orphaned software for non-commercial (ham) purposes will probably not cause you grief.
My first commercial portable was a Motorola MT1000. They come in a 99-channel variety and, if you find one, you would do well to get it. Those Genesis-series radios are true bricks. After that, I ran SABER and HT1000 portables, which are both excellent radios. Some of the early ASTRO SABER radios are also becoming available in the surplus market, which would be a good way to get a P25 handheld.
For mobile radios, the two Motorola models to look for are the MaxTrac and the SPECTRA. Both of those have an accessory jack on the back of the radio that, among other things, gives you unfiltered demodulated audio, like a discriminator tap on a police scanner, which can be used for monitoring various digital modes such as POCSAG.
These radios will also handle data transmission very well. There are plenty of older SPECTRAs and, to a lesser extent, MaxTracs still in active service. Come 2013, they can no longer be legally used on the LMR bands.
Some of the best radios to come out of the surplus LMR market are the 100 watt remote-mount mobile radios that also see use as base stations. The radio's control head has a nice small footprint that fits anywhere on a workbench, and the RF deck can be placed somewhere out of the way. Motorola Maratracs are nice, especially if you can get a 99-channel control head for it.
The primo unit in my opinion, however, is the VHF-low band Syntor X9000. Unlike other low-band radios that only cover a portion of the band, the Syntor has full 30-50 MHz coverage and will operate on both the ten meter and six meter ham bands with up to 128 channels. Syntors have been discontinued for some time now, and are starting to become unobtainium. If you find one, grab it and hold onto it!
The Internet is a great resource for ham operators who want to work with surplus LMR radios. The websites listed at the end of this article will get you started.
Pagers
After seeing my talk on pagers from the original HOPE re-released, it occurred to me that not only was it 18 years ago, but that it was time for an update.
I then saw the pager article from the Summer 2011 issue, and was heartened to discover that the topic still had maintained interest among the hacker community over the years. While pagers have been replaced by wireless devices with SMS and email among the general populace, they remain interesting and useful to the hacker hobbyist, especially those who concentrate on RF.
The first thing I need to say is that monitoring pagers in the United States is not necessarily illegal.
Pager protocols are not encrypted, and their technical specifics are public information. The law applies to common carrier services, that is, commercial paging services, and to radio systems whose users implement encryption. There exist in the land/mobile radio bands many paging systems that are licensed under the Business-Industrial Land Mobile Radio (LMR) service, and these are fair game for monitoring.
Amateur radio operators have also been known to use POCSAG for communications, and monitoring them is fine, too. What may apply from a federal law standpoint is the section of the Communications Act of 1934 that makes it illegal to disclose or take advantage of the contents of an electronic communication intercepted by a third-party. There has been some discussion as to whether that would only apply to common carrier services, or to radio communications in general, but legal discussion of the various communication laws is beyond the scope of this article.
As I've previously mentioned, pagers have mostly been supplanted by SMS and wireless device email.
This has had two consequences from the hobbyist standpoint. The first is that the common carrier pager frequencies, at least here in New England, have but a fraction of the traffic compared to the 1990s. The second, and most important as far as this article is concerned, is that there has been an influx of surplus equipment that can be re-purposed for hobbyist experimentation. This is in addition to the POCSAG-friendly amateur radio equipment that has been available for some time. This shows a heartening paradigm shift from simply monitoring systems to hacking and re-purposing cast-off technology to be used for the implementation of hobbyist-type systems, a time-honored tradition among amateur radio operators and other technological hobbyists.
I'll start with the actual pagers themselves.
I've seen dozens of these in the bottom of "make offer" bins at hamfests, and I'm reasonably sure that you can probably pick them up for no more than a dollar or two apiece. Usually, ten or twenty bucks will get you the entire contents of a "make offer" bin, and the seller will throw in the bin just so that he or she doesn't have to load it back in their vehicle.
The units you want to look for are the 1980s and early 1990s vintage POCSAG and tone pagers on VHF and UHF frequencies. The older tone and numeric pagers, such as the Bravo series, are useful in two ways. They can have their frequency changed to a nearby ham band and be used as actual pagers, or you can salvage the very nice receiver board out of them and use it in another project. From a frequency-changing standpoint, the pagers will be either crystal-controlled or computer-programmable. For those with access to the correct programming software and accessories, the latter are quicker and easier to reprogram. Otherwise, go with the rock-bound boards.
I previously mentioned the Motorola MaxTrac and SPECTRA.
These are readily available surplus, can be easily converted over to the ham bands, and work very well for transmitting POCSAG data. Using these radios is one of the quickest and easiest ways to get a "discriminator tap" for monitoring low-speed wireless data. You will also want to keep an eye out for ham rigs that are advertised as "9600 baud packet ready." This feature is very common in Yaesu and Alinco VHF/UHF ham rigs. Also, keep your eyes open for used Kantronics KPC-9612 TNCs, as they do POCSAG rather well.
For those of you without ham tickets, provided you stay within the necessary technical specifications and FCC regs, the MURS band can act as a substitute for two meters for your POCSAG system experimentation. All that surplus VHF-high band gear will move over to the MURS channels with no problems whatsoever. The older wideband stuff will need to be used on the wideband MURS frequencies (154.57 and 154.60 MHz), and you will need to crank the power down to two watts or less.
In a similar vein, I was experimenting with some older Motorola Bravo pagers (POCSAG) on the UHF business band (464 MHz) to see how well they would perform when the customer in question narrowbanded their business' radio system.
For the test, I used my trusty KPC-9612 into the external modulation (EXT MOD) input of a service monitor. Without any modifications, the pagers were able to successfully decode POCSAG at narrowband transmitter deviation (below 2.5 kHz).
In fact, I did not notice any problems with data decoding until the deviation dropped below 1 kHz. In practice, narrowband deviation is usually set at 60 percent of the maximum limit. That would be 1.5 kHz in this instance.
My recommendation, based on my experiments, would be to aim for a deviation around 2 kHz. That would give you plenty of swing for reliability, while still keeping you legal.
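Since the POCSAG format is public and unencrypted, the codewords a monitor pulls off a discriminator tap can be checked and decoded with a few dozen lines of code. The following is an added example, not code from the article or from any pager product: it builds one batch for a constructed numeric page (the RIC, function code, and text are made up) using the published codeword layout, and decodes it again. Only error detection is shown; real pagers also correct up to two bit errors per codeword.

```python
# Added example (not from the article): encode and decode one POCSAG batch.
# Codeword layout from the published POCSAG spec (ITU-R M.584): 1 flag bit,
# 20 payload bits, 10 BCH(31,21) check bits, 1 even-parity bit. An address
# codeword (flag 0) carries the upper 18 bits of the 21-bit RIC and a 2-bit
# function code; the RIC's low 3 bits pick which of the batch's 8 frames
# (2 codewords each) it is sent in. Message codewords (flag 1) follow it.

BCH_POLY = 0x769            # x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1
SYNC_CODEWORD = 0x7CD215D8  # marks the start of every batch
IDLE_CODEWORD = 0x7A89C197  # fills unused codeword slots
NUMERIC_ALPHABET = "0123456789*U -)("   # 4-bit numeric character codes 0..15

def bch_checkbits(data21):
    """10 systematic BCH(31,21) check bits for a 21-bit payload (shift-register division)."""
    reg = 0
    for i in range(20, -1, -1):
        feedback = ((reg >> 9) & 1) ^ ((data21 >> i) & 1)
        reg = (reg << 1) & 0x3FF
        if feedback:
            reg ^= BCH_POLY & 0x3FF
    return reg

def make_codeword(data21):
    """Append the check bits and an even-parity bit: 21 payload bits -> 32-bit codeword."""
    cw = (data21 << 11) | (bch_checkbits(data21) << 1)
    return cw | (bin(cw).count("1") & 1)

def codeword_is_valid(cw):
    """Check bits and parity must match the payload (detection only, no correction)."""
    return make_codeword(cw >> 11) == cw

def reverse4(nibble):
    """Numeric characters go out least-significant bit first, so mirror each nibble."""
    return int(f"{nibble:04b}"[::-1], 2)

def address_codeword(ric, function):
    return make_codeword((((ric >> 3) & 0x3FFFF) << 2) | (function & 3))

def numeric_codewords(text):
    """Pack numeric characters 5 per codeword (flag bit 1), padding with spaces."""
    codes = [NUMERIC_ALPHABET.index(c) for c in text]
    codes += [NUMERIC_ALPHABET.index(" ")] * (-len(codes) % 5)
    words = []
    for i in range(0, len(codes), 5):
        payload = 0
        for code in codes[i:i + 5]:
            payload = (payload << 4) | reverse4(code)
        words.append(make_codeword((1 << 20) | payload))
    return words

def build_batch(ric, function, text):
    """Sync word, idles up to the RIC's frame, the address, the message, then idle fill."""
    body = [IDLE_CODEWORD] * (2 * (ric & 7)) + [address_codeword(ric, function)]
    body += numeric_codewords(text)
    if len(body) > 16:
        raise ValueError("message does not fit in one batch; a real encoder continues in the next")
    return [SYNC_CODEWORD] + body + [IDLE_CODEWORD] * (16 - len(body))

def decode_batch(words):
    """Return [(ric, function, text), ...] for every page in a batch; nothing is encrypted."""
    if words[0] != SYNC_CODEWORD:
        raise ValueError("batch does not start with the sync codeword")
    pages = []
    for pos, cw in enumerate(words[1:]):
        if cw == IDLE_CODEWORD or not codeword_is_valid(cw):
            continue                                   # idle slot or corrupted codeword
        payload = cw >> 11
        if not (payload >> 20):                        # flag 0: address, frame = pos // 2
            ric = (((payload >> 2) & 0x3FFFF) << 3) | (pos // 2)
            pages.append([ric, payload & 3, ""])
        elif pages:                                    # flag 1: 5 nibbles of message text
            for shift in range(16, -1, -4):
                pages[-1][2] += NUMERIC_ALPHABET[reverse4((payload >> shift) & 0xF)]
    return [(r, f, t.rstrip()) for r, f, t in pages]
```

Both the sync and idle codewords pass `codeword_is_valid`, which is a quick sanity check that the generator polynomial and parity rule are right before trusting the decoder on real captures.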
Epilogue
For those of you who really want to get your hands dirty, I have been reading an excellent RF book published by the ARRL titled Experimental Methods in RF Design. This is for those of you who want to get seriously into rolling your own gear from scratch. Of particular interest to readers of this article is Chapter 7: Measurement Equipment.
Test equipment can be an expensive proposition for the RF experimenter, and this chapter shows you how to make a lot of what you'd need.
There are certainly a lot of cool and interesting things going on in the RF hacking scene, and I only touched on a few of them in this article. If you'd like to see more of this material in the pages of 2600, please contact me via email at the address above.
Links
- An Overview of the Motorola Radio Service Software
- Motorola RSS R05.00.00
- Motorola MCS2000 (CPS, RSS) RSS R04.00.00 [RVN4113E] / CPS R02.02.00 [RVN4175V] / CPS R02.03.00 [RVN4175W]
- Kenwood TK-705 Programming Software
- Programming the Motorola Radius-Series
- Motorola GP300 Codeplug Hex Edit Checksum Hack Overview
- Pager Programming, Monitoring, and Applications
- L0pht Radiophone Archive
- Pager Hardware Reprogramming & Paging Protocols
- Radio Scanner Modifications and Information
- Low-Cost POCSAG Paging Network How-To
- General RSS File List (this is what to search for)
- Motorola RSS File List (this is what to search for)