An Introduction to Radio Scanning

by Sam Morse  (sigint98@yahoo.com)

A common "police scanner" is one of the most potentially useful tools a technological enthusiast could have.

Scanners have come a long way from bulky, crystal-controlled affairs with a handful of channels.  Contemporary scanners fit in the palm of your hand, have a thousand keyboard-programmable channels, and have wide-band frequency coverage from 100 kHz to 2 GHz.  Certain models even have the ability to follow communications on trunked radio systems used by government and business.

For the uninitiated, a scanner is a VHF/UHF communications receiver that has the ability to step through multiple channels or "scan," stopping on a frequency it detects traffic on.  Scanners monitor frequencies used by government agencies, the military, public safety, emergency services, utility companies, businesses, and wireless telecommunications devices.  Some of the more deluxe units even cover the "HF" shortwave region.  While the use of digital communications systems and encryption is on the rise, there is still plenty of monitorable activity for the foreseeable future.

There's a lot of good equipment out there, and selection is pretty much a matter of personal preference and operational requirements.  For those living in areas whose public safety agencies use a Motorola or GE/Ericsson trunked system, my recommendation would be the Uniden (Bearcat) BC245XLT TrunkTracker.  This handheld is a refinement of the excellent BC235XLT, which only was capable of monitoring Motorola systems.  If you're looking for a really small wideband unit with great audio, examine the Icom IC-R2.  This unit has coverage from 500 kHz to 1300 MHz (minus cellular).  The Uniden BC3000XLT, Icom IC-R10, and Alinco DJ-X10 are also nice full-featured wideband handheld units.  There are also computer-controlled units such as the WiNRADiO, Icom IC-PCR1000, and Optoelectronics Optocom.  Hackers appear to be gravitating towards the Icom IC-PCR1000.  The nice thing about the PCR1000 is that it has a built-in discriminator tap for monitoring digital signals.

Due to federal law, there are no new scanners with cellular phone coverage available in the United States to ordinary civilians.  Those of you looking for a unit with unrestricted 800 MHz coverage will have to check out used equipment sources such as hamfests and pawn shops.  The two models that still reign supreme are the Realistic PRO-2006 base and PRO-43 handheld.  Good luck finding one.  These days, scanners sold by RadioShack are not only over-priced, but lacking in performance.  There are much better sources available.  The one thing, however, that I would get from RadioShack is a copy of the book, Police Call.  It is one of the best frequency directories you will find for any given area, along with the FCC's web site.

Finding Frequencies

Eventually the serious monitoring hobbyist gets the urge to go beyond listening to the standard widely available public safety and business frequencies.  They get the desire to look for the good stuff that you will not find listed in Police Call or any of the other scanner frequency directories.

The object of the hobbyist's listening might also be something mundane like the local mall security force, but a search through the directories fails to uncover their operating frequency.  In either of these situations, the hobbyist can resort to using the various techniques detailed in this article to acquire an elusive frequency.

There are two basic approaches to finding frequencies.  The first approach is to go on an electronic fishing expedition.  This is how hobbyists operate most of the time.  You simply take a small piece of the frequency spectrum that your radio is capable of receiving and listen to see what you can find.  The second approach is to pick a specific target to be the focus of your monitoring attention and attempt to find the frequencies they use.  While using this second approach you will find other users, which you might find interesting later.  I recommend that you use the first approach once in a while.

Knowing the usual activity around you will help determine how far you can listen and, especially important, when a transmission out of the ordinary appears.  I recommend you acquire frequency directories for your area.  Police Call is excellent for public safety listings, but only average when it comes to identifying businesses.  There are other excellent directories available for particular local areas.  Your local radio shop will be able to help you there.

The FCC also maintains a database at gullfoss2.fcc.gov.  A frequency directory will identify the normal users of an area.  This is useful in preventing you from wasting hours analyzing a common signal when you should be analyzing something else.

The tool that every monitoring hobbyist has is the "search" function on their scanner.  Most of them however, do not know how to use it.  You should know the frequency band that your target uses.  You should have an idea of where in that band they would be operating.  You should search probable areas in small sections.

Knowing what band a target operates on could be a matter of general knowledge.  If your local police's dispatch channel is on VHF-high band, then it is a good bet their unlisted tactical channel is also there.  It can also be determined by looking at the antennas on vehicles, unless the vehicle has a disguised antenna.  A VHF-low band antenna will be a 60- to 100-inch whip or a 35-inch whip with a 5-inch coil on the bottom.  A VHF-high band antenna will be either an 18-inch whip or a 40-inch whip with a 3-inch coil on the bottom.  UHF band antennas will be either a 6-inch whip or a 35-inch whip with a plastic band in the middle.  800 MHz antennas are either a 3-inch whip or a 13-inch whip with a "pigtail" coil in the middle.  A cellular phone antenna is a common example.  I suggest ordering the catalogs of various antenna manufacturers to get a visual idea of what antennas on each of the bands look like.  You can do the same thing with handie-talkie antennas.  A VHF-low band antenna will be about a foot long.  A VHF-high band antenna will be about 6 inches long and about as thick as your index or middle finger.  UHF antennas will be either 6 inches long and slender compared to the VHF-high band antenna, or 3 inches long.  800 MHz antennas are about 1-1/2 inches long.

Once you know the frequency band, you determine where in that band they might be operating.  In most non-federal cases this is as easy as looking at the Consolidated Frequency List in the back of Police Call.  The two types of users you might have problems with are police departments and the federal government.  Police departments can use any public safety frequency for "tactical" communications on a non-interference basis.  The FCC also licenses local government services for frequencies allocated to a different service if the frequency does not have a licensee already assigned to it.  For example, a fire department could be licensed to a frequency allocated for highway maintenance.

The Intergovernmental Radio Advisory Committee (IRAC) handles licenses for the federal government.  IRAC listings have been exempt from the Freedom of Information Act since 1983.  The mundane agencies have been using the same frequencies for the past 13 years, but some of the more interesting ones have changed frequencies.  The IRAC listings in the Consolidated Frequency List are still fairly accurate.  Remember that they are only fairly accurate.

You should search a range that the scanner, at its fastest speed, covers in three to five seconds; that seems to be the average duration of a radio transmission.  Let's say you are searching the VHF-High band with a scanner that does 50 steps a second.  Channel spacing for VHF-High band is 5 kHz.  You should therefore search your target areas in sweeps of 750 kHz to 1.25 MHz.  Search a range for one to two weeks at different times to catch everything in that range.  One little-known trick is to use one of those old tunable public safety band receivers that predate scanners.  An example would be the Realistic PRO-2.  It covered 30-50 MHz and 152-174 MHz.  You can pick one up at a flea market or hamfest for as little as $5.

RadioShack still sells a "multiband portable" (Part No. 12-649) that covers the aircraft and VHF-High bands, but at $100 I think it's overpriced.  While these units lack the sensitivity and selectivity of a scanner, they are excellent for doing high-speed searching.  Once you get a hit, you will have narrowed the possible frequency range down to roughly 500 kHz.  You then use your scanner's search function to find the exact frequency.  They are also good dedicated single channel receivers for things like NOAA weather radio and the local fire department's dispatch frequency.  If you ever find an old multiband portable that covers UHF-TV, remember that channels 70-83 are now the 800 MHz public safety, business, and cellular phone band.
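The sweep sizing above (step rate times channel spacing times a three-to-five-second dwell) and the 500 kHz narrowing from a tunable portable, worked as an added example that is not part of the original article; the band edges, step rate and spacing are parameters with the article's VHF-High figures as defaults.

```python
"""Search-range planner for a scanner's SEARCH function.

Added example, not from the article.  It sizes each search range so a
single pass takes about the length of an average transmission (the
article's three to five seconds), cuts a band into ranges to program
one at a time, and narrows a search around a hit from a tunable
multiband portable.  Defaults are the article's figures: 50 steps per
second and 5 kHz spacing on VHF-High.
"""


def sweep_width_khz(steps_per_sec, spacing_khz, dwell_sec):
    """Width in kHz that one pass covers in dwell_sec at the scanner's step rate."""
    return steps_per_sec * spacing_khz * dwell_sec


def plan_search_ranges(lo_mhz, hi_mhz, spacing_khz=5.0, steps_per_sec=50.0, dwell_sec=4.0):
    """Split lo..hi MHz into ranges, each swept in about dwell_sec.

    Each range is a whole number of channels so its limits land on the
    channel grid; the final range is whatever is left of the band.
    Returns a list of (start_mhz, end_mhz) tuples.
    """
    channels_per_range = int(sweep_width_khz(steps_per_sec, spacing_khz, dwell_sec) // spacing_khz)
    if channels_per_range < 1:
        raise ValueError("dwell too short to cover even one channel")
    range_mhz = channels_per_range * spacing_khz / 1000.0
    ranges = []
    start = round(lo_mhz, 4)
    hi_mhz = round(hi_mhz, 4)
    while start < hi_mhz:
        # Round each edge so float error does not creep in over many ranges.
        end = min(round(start + range_mhz, 4), hi_mhz)
        ranges.append((start, end))
        start = end
    return ranges


def ranges_around_hit(center_mhz, window_khz=500.0, **kwargs):
    """After a hit on a tunable portable the frequency is known to within
    roughly window_khz (the article's 500 kHz); plan the scanner search
    over just that window instead of the whole band."""
    half = window_khz / 2000.0
    return plan_search_ranges(round(center_mhz - half, 4), round(center_mhz + half, 4), **kwargs)


if __name__ == "__main__":
    # The whole VHF-High public safety/business segment, 4 s per range.
    for lo, hi in plan_search_ranges(150.8, 174.0):
        print(f"SEARCH {lo:.4f} - {hi:.4f} MHz")
    # Narrowed search after a portable heard something near 154.6 MHz.
    print(ranges_around_hit(154.6))
```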

If a signal is in your location's coverage area and your scanner is capable of receiving the frequency, you will eventually find it by searching.  This will take time if you do it properly.  If you are in a situation where you desire a faster approach, you can use a frequency counter.

A frequency counter is probably one of the most useful tools a monitoring hobbyist can own.  A frequency counter works by locking on the strongest radio signal in an area and displaying the frequency.  I strongly suggest that you bite the bullet and buy the Optoelectronics Scout if you are going to get into this facet of monitoring.  Other frequency counters cost less, but lack the features the Scout possesses.  These features make a world of difference between simply being a piece of test equipment and being a monitoring tool.  The Scout will automatically capture a frequency and store up to 400 of them in memory.  When the Scout captures a frequency, it will either beep or discreetly vibrate.  In each of these memories, the Scout stores up to 255 hits.  This lets you know how active a given frequency is.  The Scout has a CI-V interface.  The CI-V interface connects to a PC for automatic frequency logging, or to a receiver for reaction tuning.  With reaction tuning, the receiver automatically tunes to the frequency the Scout captures.  I used a RadioShack frequency counter for monitoring work before I bought a Scout.  It had adequate sensitivity, but required constant viewing and a quick writing hand in order to use effectively.  It was also very difficult to use while driving.

Frequency counters work in a radio transmission's near field.  This means that you will generally have to be within 1000 feet of the target transmitter in order to acquire the frequency.  The following table shows the average distances at which one will acquire a particular type of transmitter:

Transmitter                      Distance
1.2 GHz (3 Watt Radio)            25 feet
870 MHz (3 Watt Cellular Phone)  150 feet
UHF (1 Watt Radio)               200 feet
FM Wireless Microphone            10 feet
VHF-High Band (1 Watt Radio)      90 feet
46/49 MHz Cordless Phone          20 feet
27 MHz (5 Watt CB)                40 feet

There are a few things you can do to enhance a frequency counter's operation.  The first technique involves antenna usage.  The standard telescoping whip is good for many operations but you can do better.  With the standard whip antenna, the Scout will pick up a cellular phone at approximately 150 feet.  Hook it up to a 5/8-wave 800 MHz antenna and the range increases to approximately 300 feet.  A high-gain antenna designed for the band of interest will increase your range on desired frequencies and reduce interference from undesired ones.  If you use a directional antenna, such as a Yagi, you will be able to select a particular target location to investigate and eliminate interference from another location.

The second technique is using filters.  Using filters will block out undesired frequency ranges and find desired ones.  An FM broadcast notch filter is very useful.  Optoelectronics sells the N100, which I recommend.  FM broadcasters are a major source of undesirable interference, and having one nearby will cause your counter to lock up on the broadcast station's frequency.
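A capture log that models the counter behaviour described above (400 memories, 255 hits each, ranking by activity) and does in software what the FM notch filter does in hardware, as an added example that is neither the article's nor Optoelectronics' code; the 88-108 MHz broadcast band edges, the 5 kHz snap grid and the sample readings are assumptions.

```python
"""Capture log for a frequency counter (added example, not Optoelectronics code).

Keeps up to 400 captured frequencies with a saturating hit count of 255
each, as the article describes the Scout doing, and ranks them by
activity.  Also flags captures inside the FM broadcast band as probable
interference, the case the N100 notch filter exists for.
"""
from collections import OrderedDict

MAX_MEMORIES = 400                 # article: the Scout stores up to 400 frequencies
MAX_HITS = 255                     # article: up to 255 hits per memory
FM_BROADCAST_MHZ = (88.0, 108.0)   # assumed band edges for the interference check


def is_fm_broadcast(freq_mhz):
    """True if a capture falls in the FM broadcast band (likely a nearby station)."""
    lo, hi = FM_BROADCAST_MHZ
    return lo <= freq_mhz <= hi


class CaptureLog:
    def __init__(self, step_khz=5.0):
        self.step_khz = step_khz        # channel grid used to merge near-identical reads
        self.memories = OrderedDict()   # snapped frequency -> hit count
        self.rejected = []              # (raw reading, reason) for dropped captures

    def _snap(self, freq_mhz):
        """Snap a raw reading onto the channel grid; counters read a few kHz off."""
        step_mhz = self.step_khz / 1000.0
        return round(round(freq_mhz / step_mhz) * step_mhz, 4)

    def capture(self, freq_mhz):
        """Record one hit.  Returns True if it was stored in a memory."""
        if is_fm_broadcast(freq_mhz):
            self.rejected.append((freq_mhz, "fm-broadcast"))
            return False
        f = self._snap(freq_mhz)
        if f in self.memories:
            self.memories[f] = min(self.memories[f] + 1, MAX_HITS)   # saturating counter
            return True
        if len(self.memories) >= MAX_MEMORIES:
            self.rejected.append((freq_mhz, "memory-full"))
            return False
        self.memories[f] = 1
        return True

    def most_active(self, n=5):
        """Frequencies ranked by hit count, most active first."""
        return sorted(self.memories.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed raw readings, not real data: a few minutes near a mall help desk
# with an FM station bleeding through twice.
SAMPLE_READINGS = [154.6003, 154.5998, 98.7, 154.6001, 464.5502, 464.5499, 98.7,
                   154.6002, 464.5501, 151.9551]


def demo():
    """Feed the sample readings through a log and return it for inspection."""
    log = CaptureLog()
    for reading in SAMPLE_READINGS:
        log.capture(reading)
    return log


if __name__ == "__main__":
    log = demo()
    for freq, hits in log.most_active():
        print(f"{freq:8.4f} MHz  {hits:3d} hits")
    print("rejected:", log.rejected)
```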

By using these techniques you will find the frequencies you desire.  How quickly you find a frequency depends on your skill as a monitoring hobbyist and how much the target uses their radios.  You can acquire a target such as a mall security force in as little as thirty seconds.  This was how long I had to loiter near a help desk with a frequency counter before a security officer keyed up a radio.  Some of the less active federal agencies can take a week or two before you can tag them.  If you do not find the frequency, there are two possibilities.

The first is that your target either does not use radios or uses them very infrequently.  I will assume that your target does indeed use radio communications.  The only solution to tagging an infrequent radio user is persistence and patience.  Eventually they will key up and you will have their frequency.

The second possibility is that you found their frequency, but failed to identify it properly.  Learn who operates on what frequency ranges.  Listen to what you have found during previous monitoring attempts over a period of time to determine who it is you have found.  My monitoring experiences have taught me that sometimes the true nature of the parties using a frequency may take a while to become apparent.  Certain users use encrypted or spread spectrum (frequency-hopping) communications.  Receiving spread spectrum communications is at this time beyond the ability of the average hobbyist.  As I write this I can hear some of my phriends telling me, "Let's not go there."  A little birdie told me, however, that a certain radio hobbyist organization in Connecticut publishes an excellent introductory-level technical text.  Encrypted communications not only present a similar technical difficulty, but are also illegal to listen to under the Electronic Communications Privacy Act.  Encrypted communications system users will sometimes have equipment difficulties and operate in the clear.  A patient listener will wait for this opportunity.

Introduction to Signal Analysis

We will assume that you, in the course of your monitoring hobby, have come across a genuine unidentified ("UNID") user while searching the spectrum.  You've checked all the scanner frequency lists, e-mail lists, web sites, and USENET postings and have come up with nothing.  You wish to identify the UNID and determine the extent of its communications network.  To do this, you ask the following questions:

Frequency (or talkgroup/subfleet if monitoring a trunked system)?
PL/DPL tone, if any?
Single PL/DPL used, or multiple?
Scrambled or clear?
Type of scrambling: digital or analog?
How many stations do you hear?
How do they identify themselves?
Signal strength of stations communicating?
What are they talking about?

The first five characteristics are noted as soon as you discover the UNID.  You will have some initial information about the others, but as time goes on you will acquire more information.  What you should be doing now is noting what information you do have on the UNID.  Some people like using a computer database, others like 3x5 index cards.  The more info you have, the easier it'll be to identify the UNID.

The frequency in question can help tell you the approximate range, extent, and purpose of the UNID's communications net.  For example, the VHF low-band would likely be used for regional communications between base stations and maybe mobile units.  UHF on the other hand, would be for short-range tactical-type communications between several mobiles and portables.  UHF portables are limited to a few miles.  A VHF low-band base station can communicate a couple of hundred miles under the right circumstances.  What other identified users operate on nearby frequencies?

PL/DPL tones are another identifier.  Knowing the PL/DPL tone of an UNID enables you to cross-reference it to other frequencies.  If a police department uses a certain PL/DPL on their repeater, and an UNID with surveillance activity is noted on the same band with the same PL/DPL, then it's quite possibly an unlisted channel for that police department.  Knowing how many different PL/DPL tones are in use on a given frequency tells you approximately how many different nets, or distinct groups of communicators, are active on that freq.  On a low-power portable frequency such as 154.600 MHz, users will use a "unique" PL/DPL tone so they don't have to hear everyone else.  There are only a limited number of PL/DPL tones however, so duplication by different nets is inevitable.  Other users won't want to spend the extra money for radios with PL/DPL capability, run without it, and tolerate the other users on the channel breaking their squelch.  If you hear an UNID running DPL, then you can be 99 percent sure they are running real "commercial land mobile" equipment.  There are only a couple of ham rigs, such as the Yaesu FT-50, that have DPL.

Most radio communications businesses maintain "community repeaters."  The license for the system is in their name, and they rent airtime to various businesses and organizations.  The individual users will not be licensed, instead running under the radio shop's license.  Each subscriber will be assigned his or her own PL/DPL tone on the repeater.  The community repeater is being replaced with Specialized Mobile Radio (SMR) trunked systems, although they are still widespread.  Motorola sold all their commercial SMR systems to Nextel who is gradually taking them off the air and replacing them with iDEN (digital) systems.

This has prompted many radio users to seek out alternatives to Nextel.  Many radio shops are setting up 400 MHz LTR trunked systems, which will eventually replace their community repeaters.  LTR is an open protocol.  This not only means a wide availability of equipment for the business offering these services, but equipment for the monitoring enthusiast as well.  There are also a few commercial SMRs running the GE/Ericsson EDACS system on 800 MHz, as well as 800 MHz SmartNet systems that are not owned by Nextel.  Each system can have several dozen users on it, making them a nice challenge for the monitoring hobbyist who wishes to map them out.

If an UNID is scrambled, you will at least know whether or not the scrambling method is analog or digital.  If they are using a simple single-frequency inversion method, then it is possible, although illegal, to descramble their communications and proceed.  If they are using something advanced such as DVP, DES, or rolling-code then you will not be able to monitor the actual communications.  You will still at least be able to note how often the frequency sees activity and the signal strengths of the stations communicating.  Voice encryption is often subject to failure, and you might catch a station operating in the clear if you monitor long enough.

At this point, you have all the immediate characteristics of the UNID noted down.  The rest is just a matter of time.  The remaining questions you have in identifying the user are:

How many stations do you hear?
How do they identify themselves?
Signal strength of stations communicating?
What are they talking about?

All of these will eventually answer the main question, "Who am I listening to?"  The best thing to do at this point is take a receiver and dedicate it to the given frequency.  You can acquire basic 16-50 channel scanners for under $100 at flea markets, pawn shops, and hamfests for this purpose.  If you want 24-hour monitoring of the frequency, attach a VOX-operated tape recorder to the scanner.  Many scanners come equipped with a "tape out" jack for easy connection.  Otherwise, go to RadioShack and pick up one of the suction cup telephone microphones.  This is attached to a telephone receiver by the earphone to record phone calls.  Attach it near the speaker of the scanner.  Experiment to find the best place to attach it to the scanner.  For those of you who really want to get into things, Bill Cheek's Scanner Modification Handbooks contain a wealth of information on modifying your scanner to make monitoring easier.  You can add event counters to see how many times the frequency breaks squelch, time-stamping for monitored communications, and a whole host of other enhancements.

You will be able to initially discern IDs used on the frequency and the signal strength (even if approximate) of the stations on the net.  You will also know what they are saying if it's in a language you can understand, although you might get a little tripped up on any specialized jargon.  Log it all down.  Eventually you'll also be able to recognize the voices of the various people on the frequency and match them to IDs.  The signal strength of each user will tell you approximately how far away they are from your location, and whether they are base or mobile/portable stations.  Consistent signal strength will indicate a base station or repeater.  Mobile and portable stations will have varying signal strengths and often "mobile flutter" on their signal.
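The logging and analysis described in this section (one net per PL/DPL tone on a frequency, tone cross-referencing against known users on the same band, and base-versus-mobile classification from signal-strength spread), as an added example that is not part of the original article; the 0-9 strength scale, the known-user entries and the sample log are constructed.

```python
"""UNID log analysis (added example, not from the article).

Stores the observations the article says to log and answers three of
its questions: how many distinct nets share a frequency (roughly one
per PL/DPL tone), which known users on the same band share an UNID's
tone, and which stations look like base/repeater versus mobile/portable
from the spread of their signal-strength readings.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Observation:
    freq_mhz: float
    tone: str        # PL in Hz ("127.3") or DPL code ("D023"); "" for carrier squelch
    station: str     # ID as heard over the air
    strength: int    # S-meter reading on an assumed 0-9 scale


# Known users on the band, as a frequency directory would list them
# (constructed entries, not real licensees).
KNOWN_USERS = {
    (155.370, "127.3"): "Anytown PD repeater",
    (154.600, "D023"): "Anytown Mall security",
}


def nets_per_frequency(obs):
    """Map frequency -> sorted list of tones heard; each tone is roughly one net."""
    nets = defaultdict(set)
    for o in obs:
        nets[o.freq_mhz].add(o.tone)
    return {f: sorted(t) for f, t in nets.items()}


def classify_stations(obs, spread_threshold=1.0, min_readings=3):
    """Steady signal strength -> base/repeater; varying strength -> mobile/portable.

    Returns {(freq, tone, station): (kind, mean strength or reading count)}.
    """
    readings = defaultdict(list)
    for o in obs:
        readings[(o.freq_mhz, o.tone, o.station)].append(o.strength)
    result = {}
    for key, vals in readings.items():
        if len(vals) < min_readings:
            result[key] = ("unknown", len(vals))       # too few readings to judge
            continue
        kind = "base/repeater" if pstdev(vals) <= spread_threshold else "mobile/portable"
        result[key] = (kind, round(mean(vals), 1))
    return result


def cross_reference(obs, known=KNOWN_USERS, band_mhz=(150.8, 174.0)):
    """For each unlisted (freq, tone), list known users on the band with the same tone."""
    lo, hi = band_mhz
    hints = {}
    for o in obs:
        if not o.tone or (o.freq_mhz, o.tone) in known:
            continue
        matches = [name for (f, t), name in known.items() if t == o.tone and lo <= f <= hi]
        if matches:
            hints[(o.freq_mhz, o.tone)] = matches
    return hints


# Constructed sample log: an unlisted 155.475 net plus two nets sharing 154.600.
SAMPLE_LOG = [
    Observation(155.475, "127.3", "Base", 9), Observation(155.475, "127.3", "Base", 9),
    Observation(155.475, "127.3", "Base", 8), Observation(155.475, "127.3", "Unit 4", 3),
    Observation(155.475, "127.3", "Unit 4", 7), Observation(155.475, "127.3", "Unit 4", 2),
    Observation(154.600, "D023", "Security 1", 5), Observation(154.600, "141.3", "Maintenance", 4),
]
```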

When listening to an UNID with the intent of identifying it, two things you should listen for are locations and specialized trade jargon.  They can be cross-referenced to assist in identifying the user.  Street maps of your nearby locales are good reference to have.  I don't advocate "call chasing" (going to the site of an incident that you've heard on your scanner).  This can be dangerous and complicates matters for public safety personnel who are working the incident.  If, however, you've determined you are listening to an obviously civilian UNID on a trunked system or community repeater who was just sent on a service call to a location that's a few blocks away from you, it would be a different matter.  It would be worthwhile to take the dog for a quick walk to see who you are listening to.  On that note, information you discover on community repeaters or trunked systems is transitory in nature.  The talkgroup or PL/DPL may belong to a different business next month.

If you listen long enough and pay attention to the communications you are receiving, you will identify the user.  The amount of time will vary with the nature of the user, and how often they are on the air.  Once you identify the user, the rest is up to you.  You can become quite intimate with the operations of a business by monitoring their communications.  Monitoring local public safety communications will often give you a better handle on what's going on in your community than the local newspaper.  The possibilities are endless.  As an intellectual exercise, your monitoring endeavors will be delving into such diverse areas as electronics, geography, sociology, research skills, and current events.  At any rate, signal analysis is a far better pastime than sitting in front of the television (although having CNN running in the background while you're working on something is a good idea).  Chances are you'll have some questions regarding communications systems or activities in your locale that could be answered by using signal analysis.  Some questions that might come to mind are:

Who are the users of local community repeaters and SMR systems?
What are high crime areas in my community?
What are the most common crimes in my community?
What is the reliability of the local utility infrastructure (electrical, telephone, CATV, gas)?
"X" is obviously employing radio communications, but no license is listed for them.  What's their frequency?
What frequencies and/or radio systems are the local public safety agencies using other than their publicly listed ones?

This article just scratches the surface of an activity that could easily take up a several book series.  The best way a beginner can start is to just do it.  Pick something, like a local community repeater or SMR system, and see how much information you can acquire on it.  You might have some specific questions regarding a communications user or system you already have some information on which you can go investigate.  You might even be interested in something non-technical, such as crime statistics in your local community.  Whatever your specific interest, remember that patience and persistence are good things and will reap dividends far above and beyond your initial investment.
