Scanning the Tasmanian EDACS System

By Doug Chivers, Jason Rielly & Ashley Geelan

Some years ago, the Tasmanian Government put forward a proposal to create a State owned and operated trunked radio network for it’s users. For whatever reason, this project did not get under way, but Ericsson embarked on an ambitious project to provide a privately operated network for the electricity authority, then called the ‘Hydro’ (now Aurora) and hoped that it could sell the network to other users as well. The project grew from there, with interest being shown by the Tasmania Police Service, as well as demand from other non-government users.

Eventually, back in 1996, the first steps were taken to install an EDACS (Enhanced Digital Access Communications System) Trunked radio network in Tasmania. EDACS is the trunked radio platform that was started by General Electric in the USA, and bought by Ericsson, and has spread into world wide use today. Recently, Ericsson sold it’s trunked radio business to Com-net Critical Communications.

Trunked radio is a new concept to many Tasmanians, causing much confusion and mis-information amongst scanner users, so let’s have a look at the basics of a trunked radio network.

In the past, each radio user had their own radio frequencies, their own radio network, and their own channels ie: the ambulance would have their own frequencies and base stations, the fire service has their own frequencies and base stations quite separate from the ambulance and so on. Trunked radio instead provides a common set of frequencies and base stations for all to use, all at once, but due to some ‘intelligence’ in the radios and the network, each agency does not hear other agencies, and is not aware that they are actually sharing a common set of frequencies or channels.

An analogy could be the difference between cars and busses. Let’s say that all the people in your street want to go from home to the supermarket. The old way of doing things was for each person to get into their own car and drive to the supermarket. The new way of doing things was for each person in the street to pool their resources to buy a bus, and they all use the bus to get to the supermarket. Using the ‘trunked radio’ bus is more efficient because each person does not have to individually own and maintain a car, makes more efficient use of the roads, and in the long run will end up being cheaper for each person to get to the supermarket.

In a similar way, trunked radio systems can deliver efficiencies for their users by each agency not having to own or maintain their own frequencies and base stations and radio network. Now, different agencies can ‘pool their resources’ and subscribe to a trunked radio network that uses a common set of frequencies and base stations in the one network, and share the frequencies but use them as if they were their own. Think of it as many ‘virtual’ networks and channels for each agency all within the one physical network.

When using your scanner to listen to a trunked radio network you will note that, for example, there might be 5 frequencies in use in total; one frequency will have a constant warbling data like noise, and the other 4 frequencies have the various agencies talking amongst themselves, seemingly with no pattern to the use of those frequencies ie: agency A might begin talking on frequency 2 and agency X might begin talking on frequency 5. Then a reply for agency A comes through on frequency 4 and a reply for agency X might come through on frequency 2, and so on. What is happening is that all radios used by all agencies in the area are listening to the one frequency that has the constant data on it - this is known as the control channel. If a person from agency X picks up their microphone and begins to speak, what happens in the blink of an eye is that radio ‘electronically’ talks to the control channel and requests a voice channel for the user to speak on. The control channel will pick a free frequency, and tell that user and all other radios belonging to agency X to ‘tune to frequency 3’ or whatever frequency that has been chosen. When the user has finished speaking, all radios return to listening to the control channel frequency to start the process all over again. If a second user wants to make a reply, then the same process happens, although most likely a different frequency is chosen this time. It is this constant rotation and reallocation of frequencies for each conversation that causes confusion to someone listening in with a scanner.

By now you will have guessed that trying to listen in to just one single user on a trunked radio network is going to be difficult due to the seemingly random frequency allocation of each conversation. Not only that, but there might be other users also using the frequencies as well, so picking out the conversation you want to hear is definitely more difficult than just listening to the one frequency. Add to this some other tricks that the EDACS system does, and scanning the trunked radio network in Tasmania can quickly become a frustrating experience. EDACS will add five beeps to the end of each conversation, which locks up a scanner on that frequency while a potential reply may come through on another frequency. Another feature that is sometimes used is the transmission of a rather annoying ‘buzz’ that lasts for 3 or so seconds on each of the frequencies in turn used for voice transmissions. Both these features serve no purpose other than to specifically annoy and therefore discourage scanner users from listening to the system. Add to this the fact that the Tasmania Police Service use digital scrambling for the majority of their transmissions, and there are other data transmissions also sent over the voice frequencies, you will quickly tire of listening in to all the hissing, buzzing, beeping and blipping just to be able to hear someone speak. There are ways around this, however, but more of this later.

Getting back to the installation of EDACS in Tasmania, the original specification was to provide handheld coverage to 90% of the State (95% for a mobile) with some exemptions for remote unpopulated areas. Given the use of 800 MHz frequencies and the difficult topography of the island State, this was not going to be an easy task. 800 MHz was chosen after system designers from the USA recommended this band due to the world-wide trend towards this band, the convenience of handhelds at this band, as well as the better transmission characteristics of high speed data at 800 MHz. Initially, 50 base stations were planned, however, this has grown to over 65 to meet the stringent coverage requirement. Even today, new base stations are being built three years on to improve the coverage. This is actually good news for scanner owners; most people in Tasmania would be within range of at least one base station, and probably wouldn’t need an external antenna for good reception.

Each of the base stations are linked back to a pair of central hubs, called IMCs (Integrated Multisite Controller), one in Launceston, one in Hobart, which performs a similar function to a telephone exchange. The links that are used for this function are generally microwave links in a variety of bands, and the loss of a microwave link does not mean the loss of service from connected base stations. In this scenario, local trunking is still possible, under a ‘failsoft’ mode of operation. The EDACS system is more fault tolerant than other competing trunk radio networks, a feature that is often appreciated in an island that sees extremes of weather conditions.

Some base stations use only one frequency, known as SCAT (Single Channel Autonomous Trunking) base stations. When monitoring this type of base station, you will hear the control channel being replaced by any voice, data or even digital voice calls, and return to being a control channel function at the completion of the call. This as far as I know is a unique feature to EDACS trunked radio systems. Other base stations occasionally transmit a morse ID on one of the voice channels every 15 minutes - a hang over from where EDACS was originally designed: the USA.

The network was named the TMRS (Tasmanian Mobile Radio System) and at present has five main users: Aurora, Tasmania Police, Ericsson, Stornoway Road Constructions and Spectran Transport. Both the Tasmania Ambulance Service and the Tasmania Fire Service have trialed the system, but as yet have not made any plans to use the system. The network is alive with activity 24 hours a day in all areas around the State.

Compared to a normal two way radio network, from a users point of view actually using the EDACS network is a little more involved, however this is outweighed by the additional features available. Each agency can have many ‘virtual channels’ programmed into their radios, called ‘groups’. In the case of Aurora, for example, one group is allocated to the linesmen looking after the customer distribution network in Hobart, another for Launceston, another group is allocated to the linesmen working on high voltage transmission lines and so on. Each group will not be heard by another group, but users have the ability to change groups on their radio, in a similar way that you would change a channel on a normal radio. Each group’s calls are retransmitted across all base stations that are authorised for that group to use. If the group is normally only used in, say, Hobart, then only the base stations around Hobart will broadcast those calls. On the other hand, if the group normally communicates statewide, then all base stations across the state will rebroadcast that particular group. It all depends on how the agency has their radios set up. This is known as the ‘wide area’ trunking concept.

Another feature is the ability of the radios to call one radio privately, so that no other radio in the system can hear it. This is called an ‘individual’ or ‘LID’ call. The radio will display the LID number (similar to a telephone number, if you like) of the other radio calling it. Telephone interconnect calls can also be made. Incidentally, if you do hear a telephone ringing sound, you should discontinue monitoring that call, since it is illegal to monitor a telephone call no matter how it is transmitted.

Other nifty features include the ability to transmit fax or data at 9600bps or low speed data at 150bps while already engaged on a voice call, an ‘emergency’ call feature that can override any call in progress, and allocate resources as a priority to that call, a ‘remote kill’ feature that can disable a radio should it be lost or stolen, simplex ‘talk-around’ channels, and in exceptional circumstances, groups from different agencies can be joined together so that they may communicate to one another if a combined response to a situation is required.

Of course, there is the digital voice transmission system that the Tasmania Police use. This system is called Aegis, an Ericsson propriety method of transmitting voice digitally, with or without encryption. Either way, there is no way that Aegis can be decoded, and all you will hear using a normal scanning receiver is a hissing, bleating noise. The Tasmania Police use Aegis in most areas for most calls that they make. Not all base stations are digital capable, however, so you will be able to hear some Police activity in the more remote regions. At first Aegis gained a bad reputation to it’s users due to it constantly locking up radios and the extra delay and poor voice quality that it offered, but these problems have generally been sorted out now.

Most users are equipped with LPE 200 portables or MDX mobile radio units, both supplied by Ericsson. Both units are capable of digital voice Aegis calls with an optional add-in module. A variety of accessories are available for the LPE 200, including a vehicle cradle charger and antenna adaptor, a speaker microphone with antenna (like you see on the television program ‘The Bill’) and a covert microphone & speaker system for surveillance use.

So much for the EDACS network itself, but exactly how can you use your scanner to listen in to the action? Generally speaking, there are three methods of doing this, which is discussed in detail below:

Method 1: Using a standard scanner.

The EDACS system in Tasmania uses frequencies located between 865.0125 and 869.9875 MHz, in 12.5 KHz steps. What you will need to do is to use table 1 below to determine the closest base station to you, program in all the frequencies for that base station, lock out the channel with the constant noise on it (the control channel), and scan away. You won’t need to scan more than one base station because normally, most conversations are rebroadcast across all base stations in an area. Don’t be fooled into thinking you’ve found a ‘new, secret’ set of frequencies only used by one agency, this just isn’t the case. If your scanner supports it, select no delay. You will find that you will need to manually resume scanning once you hear the five ‘end of transmission’ beeps or any Aegis or data calls, since the scanner will quite happily sit listening to these beeps, buzzes or whatever while another call is happening on another channel. This quickly becomes annoying, but alas, there is no other way.

Or is there? A device that can be bought from the USA called “G-Wiz” can be added in to your receiver to mute these beeps, buzzes etc. which will restore your listening pleasure but at a price, around $150 Australian. Look up www.scannermaster.com/prod05.htm if you are interested. If you are handy with electronics, you can design your own circuit that will do a similar job, as I have, and I can vouch that this idea works quite well.

Note that the control channel occasionally changes frequency every now and then, so what you will need to do when this happens is to lock out (or ‘pass’ or ‘skip’ in the case of some scanners) the ‘new’ control channel, and unlock the old channel, which would now have voice calls being placed on it.

Of course, if you are listening to a SCAT site, all you need to do is to listen to the one frequency, however, you will have to put up with the control channel noise until someone speaks, unless you own an AOR 8200 I, I, III or AOR5000, which, if you enable VSQ (Voice Squelch)which allows you to set a pre-detremined voice db level before the scanner will lock-up, so you get only good clear audio signals and use a TE8200, it will eliminate all the tones and only open up that frequency if it’s a an audible voice transmission.

Note: If you use on AOR 8200 then using the VSQ(Voice Squelch) and TE8200 options will automatically allow no-delay scanning as this tells AOR to stop only an audible voice transmissions (I.e. all the annoying beeps will be eliminated and you will never hear another data beep, or end of transmission lock-up signal again) I use this method to continually scan (conventionally) the Victorian SMR network and tested this theory when I visited my grandparents in Tasmania (Tests carried out at Prospect, Launceston, Blackstone Heights) and this method works fine with an AOR scanning the EDACS and I was able to eliminate all data bursts and I never have to miss a converstion or part therof, because of tail-end ‘roger-beeps’ etc which my scanner now ignores.

I prefer this method to the one above, as you do not have to pass (lock-out)any channels from the scan sequence which could later become voice active again, this way the scanner will just not stop on data channels. (Example: 865.1125 is currently a data channel, programmed into my scanner as Bank A, Ch 6, but as there is data only it won’t stop there, but later on 865.1125 becomes voice and the control channel moves

Method 2: Using a Uniden TrunkTracker 245XLT scanner.

The Uniden TrunkTracker II & III scanners now widely available were specifically designed to listen in to not only normal radio communications, but trunked radio systems, including EDACS. Be warned however, that the process for programming these scanners is quite a bit more involved than your average scanner, but the end result is something well worth it. You will be able to target your monitoring to just one user or group if you wish, or you can monitor several groups, or you can monitor EDACS and other conventional frequencies. You must buy the Australian version of the 245XLT, since other versions may not fully cover the Australian 800 MHz ‘trunking’ band.

Method 3: Using a computer and two scanners.

The most complex but by far the most flexible method of monitoring an EDACS network is available if you have access to a computer and two scanners both capable of tuning 800 MHz, with one scanner computer controllable from the following list:

Icom: R10, R7000, R7100, R8500

AOR: 8000, 8200, 2700, 3000, 3000A, 5000

Kenwood: RZ1 & others

Yaesu: FRG9600

Uniden: BC245, BC895

or any Optocom or OS456 or OS535 equipped radio

With this set up, you will be able to use one scanner to monitor the control channel, which the computer decodes with a freeware program called Etrunk.exe (available from the internet at www.lcblanton.com/digital.htm) and the computer then commands your computer controllable scanner to tune to the correct frequency for whatever group, user or individual radio you want.

The beauty of this method is that you can specify exactly what groups, agencies or even individual radios you wish to listen to, and in a given priority. If while listening to one call and another call becomes active that you have specified as a higher priority, your computer will instantly tune that higher priority call. These sets of priorities and groups can be changed at any time very easily. You can give a name to each group and each radio if you want, and have this displayed in a format that is easy to see exactly what is happening and who is talking to whom. This level and ease of flexibility isn’t available with the other methods. The big disadvantage with this is that it is not very portable, and ties up a computer and two receivers.

For those interested in this method, you will need to install a discriminator output in the scanner that will be used to monitor the control channel, and use this output to drive a modified version of a “ham comm” data slicer, which the computer then uses to interpret the control channel information. Full details are available on the web page noted above. Just a note: do not use the slicer circuit that uses a 741 op amp, this will not work with EDACS 9600 bps control channels. If you own an AOR8200 you will simply need to purchase CC8200 the computer interface lead which includes the discriminator output (it’s built in to all AOR’ s since 2001)

Please note that the above methods will not decode Aegis digital voice calls that the Police use. It will only allow you to listen in to the normal analogue voice calls that are used by Aurora, Stornoway, Spectran and Ericsson and the occasional Tasmania Police analogue voice call. Before you ask, no, there is no computer software or hardware that can decode Aegis, and as some criminals have already found out, stealing a Police radio is futile, since the radios can be remotely disabled and their approximate location determined.

Having said that, there is still plenty of interesting listening to be had, especially during or after a storm when Aurora get busy restoring mains power supplies.

Now that you have read the above and know how to scan the network, let’s get into some information specific to listening to the Tasmania Police. What? You’re still confused about scanning the EDACS network? It’s complex I know, but you will just have to learn.

The biggest hurdle to scanning the Tasmania Police is their use of Aegis digital voice transmissions. Believe me, there is NOTHING that can be done to decode Aegis. Firstly, Aegis is an Ericsson propriety system that because it is propriety, no details will be released for it. All that is known is that it operates at 9600bps, uses either LPE (early version of Aegis) or IMBE (later versions) of coding, and can come in unencrypted or encrypted. If encryption is used, it has a key of 320 bits, which as far as keys goes, is huge. There are 7 publicly available keys, meaning that anyone off the street can buy a EDACS radio that is Aegis capable, and select one of the seven public keys to use without having to justify ‘national security’ concerns to get a ‘custom’ key. You would have to have a very good reason indeed to buy one of the ‘custom’ keys. As if this wasn’t enough, a second layer of encryption can be used, using DES, DVP etc. Stealing a radio to listen in to Aegis won’t work, either. As soon as someone realises the radio is missing, it can be remotely disabled so that it won’t transmit, receive or even switch on, turning it into a rather expensive paperweight. Even temporarily ‘borrowing’ a radio to copy the contents of the memory in the hope of finding the key and programming your own radio (legally obtained, I would hope) wouldn’t work - the key is held in a matrix of random data much larger than the key itself, so hiding the key and not making it obvious. Even if you did have an EDACS radio of your own, the programming software needs the user to enter a ‘feature’ encryption key to enable the software to ‘turn on’ certain features in the radio, such as Aegis. Having said all that, I do know of one person who purchased himself a LPE200 EDACS handheld, bought the Aegis module for it, and asked the local technician to program the radio as a receive only unit. It turns out that in his area (somewhere in the USA) the public safety agencies use one of the public encryption keys. The technician happily programmed this in for him, and behold, he was listening to ‘public key’ encrypted Aegis calls.

Back to the Tasmania Police - I do not know if they use unencrypted or encrypted Aegis, or if they use a public or custom key.

However, not all base stations installed can handle Aegis. Only those base stations installed near the main cities and towns will handle Aegis, so some base stations you will hear only analogue voice calls from the Police. Monitoring one of these base stations would be preferable to listening to digital voice calls interrupting any analogue voice calls.

Also, LID or individual calls are always analogue voice. The one to one nature of LID calls and the sense of security that Aegis offers will often lull some Police officers into thinking that individual calls can’t be heard by anyone else - including those with scanners, so you occasionally get some pretty ‘interesting’ conversations overhead.

Yet another factor to consider is that Aegis gained a horrible reputation with the Police initially. The first area to change from the VHF police frequencies to EDACS using Aegis full time was the North East of the State. In this early stage, Aegis would continually lock up the radios, requiring them to be switched off and on again. The voice quality was also not impressive, and the extra delay in setting up an Aegis call and decoding it at the other end (up to 1 second delay) was seen to be a safety issue, and after several tries of using Aegis, the North-East region police gave up using it full time. These problems have since been overcome, and Aegis is in full time use every where else in the State, but the North-East region still continues on using analogue voice. Hence scanner users in the North-East are in a privileged position to be able to hear the majority, rather than the minority of Tasmania Police activity. News flash! As of the 30^th of May 2003, Tasmania Police in the North-East have resumed using Aegis digital calls full time, except for individual calls and when out of range of a digital capable base station, of course.

Some savvy police members do actually know that their radio transmissions can be heard by scanners when not on Aegis or during LID calls, not like back in the VHF channel days when just about every second call was “I will call you on your mobile phone…” This is a far cry from the early days when I accidentally overheard a training session for the police on how to use the new radio system. They were assured that on an individual call that nobody else could hear them, and that even on an analogue voice channel it would be almost impossible for a scanner to pick up their conversations. How things have changed!

Communications (when in analogue voice) for the Tasmania Police is fairly relaxed, with almost no use of codes or abbreviations. The base operators use the callsign VKT as per the old VHF channels, and the mobiles use the following callsigns followed by two digits (the lower the number, the higher the rank or function of that unit).