Non-affiliation scanning of analog and P25 digital trunked radio systems using commercial radios

What is non-affiliation scanning?

Non-affiliation scanning refers to using a commercial, two-way radio to listen to trunked public safety and business systems without actually connecting to those systems. Normally, when you attempt to use a commercial radio on most systems, those radios will connect or “affiliate” with that system in order to be able to transmit and receive audio. By law, if you want to connect to those systems, you need to be authorized to be on them. Of course, most system admins won’t let just anyone with a radio on their systems, even if you just want to listen, which is why most hobbyists use receive-only radios, or scanners, to listen to these systems. Scanners are readily available, relatively cheap (compared to a commercial radio) and never require you to be authenticated on the system you want to monitor. So why would you choose to use a two-way radio instead of a scanner? There are a few reasons people prefer to use a commercial radio, such as better audio and better reception, but the biggest reason is because of the difficulty created by simulcast systems. Listening to these systems using the scanners available today is problematic for some and downright impossible for others.

What is a simulcast system?

A simulcast system is one where a single transmission is broadcast from multiple towers in different locations at the same time. The advantage of this type of system is that a subscriber on a particular network is able to travel from one area (tower A) to another area (tower D) without losing contact with the system. This also means that a radio may be within range of more than one tower at any given time, causing it to receive more than one copy of the same signal simultaneously; since it is usually closer to one tower than another, those copies arrive at slightly different times. This is called simulcast distortion. For most commercial radios this is not a problem, as the hardware and software were designed to handle simulcast systems. Scanners, however, are a different story.

Scanning a simulcast system.

Of all the scanners available today, none are able to deal with the problem of simulcast distortion. When a scanner receives a transmission multiple times at different intervals, no matter how small the difference, it has difficulty putting the original transmission back together, which usually results in dropped calls, garbled audio or no reception at all. For whatever reason, the scanner manufacturers have not seen fit to correct the problem, either in software or hardware, leaving the average listener frustrated when it comes to monitoring simulcast systems. This has forced scanner users to begin looking for alternative solutions, the most popular being to use a “real” radio as a scanner.

Should I use a commercial radio as a scanner?

Since commercial radios work well on simulcast systems many people have started to use them in place of scanners. Although this may sound like a good solution to the problem there are a few disadvantages to using commercial radios along with the risk of accidentally transmitting on a system that you’re not authorized to be on in the first place. Does this mean it shouldn’t be done? Not at all. It just means that the listener should weigh the advantages and disadvantages before deciding to use a transmitting device as a scanner. As for the risk, when configured properly, there’s no chance of transmitting a signal when scanning.

Is it legal to use a transmitting radio as a scanner?

The short answer is, absolutely! In the US, it is not against the law for an average citizen to own a commercial radio (assuming it is not stolen or restricted to a specific type of entity), nor is it illegal to intercept and listen to a radio signal that is being broadcast in the clear. Any radio that is not restricted to government use or specific groups can be used to receive a transmission. Even if that transmission is encrypted, as long as the receiver doesn’t try to hack or decrypt that signal, it can be monitored. Of course, there’s really no reason to monitor encrypted signals, as they would sound like noise, but it is legal to do so.

What are the disadvantages of using a commercial radio as a scanner?

Cost: The biggest disadvantage is usually the cost. The price range for a commercial radio is usually in the $1,000’s. Keep in mind, when we refer to a commercial radio we’re not talking about the family and small-business radios such as those that operate on the FRS and GMRS frequencies. Those can be had for less than $100 but are not capable of being used to scan trunked systems. A typical trunking radio (new) with the features required to be able to monitor a simulcast system can run anywhere from $2000 to $6000 per unit. Once you have the radios you then have to acquire the software needed to program them which can add another $300-$600 to the cost. Most non-professional users prefer to hit the used market for this equipment. Trunking radios from sites like eBay can be found for as little as $300.

Complexity: Another disadvantage is the learning curve required to configure the radio. Commercial radios are not programmed the same way scanners are. They require a lot more planning and an understanding of how certain aspects of each system you want to use work. That’s not to say it can’t be done, and once you’ve configured one radio it’s fairly easy to clone the settings to another. It just means that you have to pay careful attention to the details or you may end up in a lot of hot water.

Access: To configure a trunked system into a radio (in most cases) you need a system key for that system. There are two types of keys: software keys and Advanced System Keys, or ASK. A software system key is a tiny file (typically a few bytes) that, when loaded into the programming software, unlocks the fields needed to program a particular system into the radio. Without this key you cannot configure the system. An ASK key requires a hardware device to load the key and can only be done by the system administrator.

Functionality: Most commercial radios were not designed to be scanners and don’t do it as well as a real scanner. For one, the frequency range is hardware limited compared to a full-blown scanner: most radios only operate in a subset of the VHF, UHF, 700/800 MHz or 900 MHz spectrum, and not all at the same time. The ones that do support multiple ranges are ridiculously expensive. Also, because they are radios first and scanners second, they usually have limits on how many entries you can have in a scan list, some as few as 10 entries. This makes it harder to listen to what you want.

I need a software system key for xxx system. Where can I get it?

You can’t. It’s impossible. They don’t exist to the public. It’s illegal.

If you ask someone in a public forum or site where/how you can get a system key for a trunked radio system, you can expect answers like those above. It has been mentioned that system keys are the intellectual property of the system manufacturer and that only the system administrator is allowed to possess them, and this may be true. This is one of those gray areas where no real precedent has been set. I personally don’t know the legality of having one in your possession. That said, it is very possible to obtain or create a system key. There have been a lot of posts in various radio forums on that topic. Remember, Google is your friend.

Is there any way to scan a trunked system without a system key?

Yes. Use a scanner!

Seriously, there are a couple of devices that you can use as a scanner without having to find a system key. Some Relm/BK radios will allow you to program a trunked system in receive-only mode without a system key. This is probably the safest way to scan a trunked system with a commercial radio. The second device is a P25 voice pager made by Unication. A P25 pager is not capable of transmitting and is not plagued by the simulcast distortion issue. They’re more expensive than your average digital scanner but cheaper than a commercial radio. One of the biggest disadvantages of the Unication pagers is that they can only scan one trunked system at a time, whereas a commercial radio can have multiple systems within a single scan list.


HP Cloud Services AP. Just another paperweight…or is it?

Convert an HP Cloud Services AP to an Aruba Instant AP

In 2014 Hewlett-Packard (HP) acquired Aruba Networks and decided to create a cloud-only spin-off of the virtual controller called “HP Cloud Network Manager” while keeping the original Aruba product line intact. HP Cloud Network Manager was created with the idea that the access points would require no on-premise controller whatsoever, either physical or virtual, but it never really took off. During the brief period in which HP had this service available, they took a select few of the Aruba IAP models, re-branded them as HP access points and loaded the cloud firmware onto these devices. In July of 2016 HP discontinued their cloud service altogether, leaving a slew of HP-branded access points with useless firmware on them and no way to manage them. For a while HP had a trade-in program where licensed users could replace their HP-branded cloud services access points with Aruba-branded IAPs, but that program has long since been abolished.

The good news is that there is a way to convert these bricks into something useful, that is to say a fully functional Aruba IAP. Anyone who has an active Aruba contract and access to the IAP firmware can easily perform the conversion. All that is required is a TFTP server and a console cable.

Note: Do this at your own risk! I don’t know if this works on all HP-branded access points. I have done this a few times using HP 365 models purchased on eBay. I have not tried this on other HP models. The 365 and 355 have a standard RJ45 console port whereas the 350 has a funky 4-pin console connection. I assume this would work on that model if one had the right console cable.

The HP/Aruba model match-up is as follows:

  • HP 365 – Aruba IAP-225
  • HP 355 – Aruba IAP-115
  • HP 350 – Aruba IAP-103

The steps to perform the conversion are as follows:

  • Download and install a TFTP server
  • Download the IAP firmware from HP (Aruba) that matches the model of the access point you have. The models that I am aware of are the HP 365 (IAP-225), the HP 355 (IAP-115) and the HP 350 (IAP-103)
  • Copy the firmware to your TFTP root folder
  • Boot the AP with the console cable connected. When you see “Hit Enter to stop autoboot:” press the enter key before the countdown elapses. If you miss it just reboot the AP.
  • When you see the “apboot>” prompt type “osinfo” and it should show both partitions as containing the HP Cloud OS
  • Next type “setenv serverip server_ip” where server_ip is the IP address of your TFTP server
  • Type “upgrade os 0 image_name” where image_name is the entire name of the IAP firmware file. This upgrades the primary partition which normally boots the AP
  • When the upload is done type “osinfo” and you should see that partition 0 now contains the Aruba Instant OS rather than the HP OS
  • Type “upgrade os 1 image_name” where image_name is the entire name of the IAP firmware file. This upgrades the recovery partition in the event that you do a paper-clip reset on the AP. If you skip this step and do a factory reset you will boot back to the HP Cloud firmware
  • When the second upload is done type “osinfo” and you should see that both partitions now contain the Aruba Instant OS
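The console session above, scripted end to end as an added example (this is not code from the post or from HP/Aruba): it checks the downloaded image's SHA-256 against the digest you recorded before anything is flashed, walks the setenv/upgrade steps, and refuses to finish unless osinfo reports the Instant OS on both partitions, so a skipped partition 1 is caught. The "Partition N: <name>" osinfo layout, the vendor-published digest and the pyserial wrapper are assumptions; `FakeConsole` is a constructed stand-in so the flow runs offline.

```python
import hashlib
import re

PROMPT = "apboot>"
# Constructed stand-ins for the real image and the vendor-published digest (assumed).
SAMPLE_IMAGE = b"constructed placeholder, not a real IAP image"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()

def partitions_running_instant(osinfo_text):
    """Partition numbers whose osinfo line names the Instant OS. The
    'Partition N: <name>' layout is assumed; match it to your real output."""
    found = set()
    for m in re.finditer(r"(?im)^\s*Partition\s*([01])\s*:\s*(.*)$", osinfo_text):
        if "instant" in m.group(2).lower():
            found.add(int(m.group(1)))
    return found

def convert(console, server_ip, image_name, image_bytes, expected_sha256):
    """The post's steps: stop autoboot, setenv serverip, upgrade os 0 and 1,
    then confirm with osinfo. Refuses to start on a firmware hash mismatch."""
    if hashlib.sha256(image_bytes).hexdigest() != expected_sha256.lower():
        raise ValueError("firmware image hash mismatch; not flashing")
    console.expect("Hit Enter to stop autoboot:")
    console.send("\r")
    console.expect(PROMPT)
    for cmd in (f"setenv serverip {server_ip}",
                f"upgrade os 0 {image_name}",
                f"upgrade os 1 {image_name}"):
        console.send(cmd + "\r")
        console.expect(PROMPT)
    console.send("osinfo\r")
    parts = partitions_running_instant(console.expect(PROMPT))
    if parts != {0, 1}:   # partition 1 left on HP OS means a factory reset reverts
        raise RuntimeError(f"only partitions {sorted(parts)} run Instant OS")
    return parts

class FakeConsole:
    """Constructed serial-console stand-in so the flow runs offline; a real
    session would wrap the serial port (pyserial, an assumption) the same way."""
    def __init__(self):
        self.sent, self.os = [], ["HP Cloud OS", "HP Cloud OS"]
    def send(self, text):
        self.sent.append(text.strip())
        m = re.match(r"upgrade os ([01]) ", text)
        if m:
            self.os[int(m.group(1))] = "ArubaInstant OS"
    def expect(self, pattern):
        if self.sent and self.sent[-1] == "osinfo":
            return "\n".join(f"Partition {i}: {o}" for i, o in enumerate(self.os))
        return pattern
```

Against a real AP, swap `FakeConsole` for an object whose `expect` reads the serial port until the pattern appears and whose `send` writes to it; the rest of the flow is unchanged.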

That’s it. Now when you boot the AP it will come up with Aruba’s Instant software and you can follow the same steps you would for any Aruba Instant AP and either configure it as an IAP or convert it to a Campus/Remote AP just as you normally would.