Sunday, January 28, 2018

Whistler TRX-1 Digital Scanner Radio Handheld Review


Introduction

The Whistler TRX-1 Digital Scanner Radio Handheld is one of the latest on the market and one of the few if not only scanners available that does DMR (Digital Mobile Radio) and NXDN (Next Generation Digital Narrowband) modes, as well as Project 25 Phase 1 & 2.  Overall, I am pleased with this scanner and would buy it again knowing everything that I have learned so far after using it for a couple of weeks.  It has been a long time since I have owned a scanner, the last one being bought before digital transmissions were common, so I don’t' really have much to compare it to.  I would have to give at an 8.5 out of 10.


 While the Capitol Police are encrypted, I had no problem listening to the Metro Transit Police and DC Fire Department as I walked around the core of Washington DC.   By the way, encrypted transmissions give you a telephone like busy signal and a highlighted E on the display. 

Frequency Coverage

Covering almost all frequencies from 25 to 1300 megahertz picks up everything from the Citizens Band top of the 23 cm Amateur Radio band.  It skips cellular and broadcast radio and television, which is pretty standard for scanners.  In all, it is pretty standard for scanners in its price range.  I've yet to try it down in the HF band, or beyond the  800 MHz public safety bands, but from about 46 to 870 MHz it has exceeded my expectations both with receiving neighboring county systems, and its performance in the dense RF environment of downtown DC.  Coverage more common today than when I last purchased a scanner is military bands in the 300 MHz range.  Both aircraft and base trunked systems can be found there in the 216-420 MHz range that I had never scanned before. 

Analog and Digital Modes

This radio receives almost every mode you'll find in use in government and business, as well as many hams.  AM, FM, NFM, FM-MOT (Motorola), LTR (EF Johnson), CTCSS, DCS, NAC on P25, EDACS wide/narrow (GE/Ericsson/HARRIS), P25-Phase I, X2-TDMA, P25-Phase II, DMR, MotoTRBO Tier II, & NXDN.  DMR is a must have these days as many businesses have been moving to this technology.  NXDN still seems a little rare but it is out there, and growing.  If you are interested in railroad communications, NXDN is a must have for you.  While the rollout is slow, NXDN is the future standard on the railroad.

Other Features

I really like that, although it is a Mini-B connection, it can be powered and charged through USB.  The NiMh batteries to take a while (overnight) to fully charge through the radio.  It can also be powered by alkaline batteries, but swapping out batteries is a bit of an ordeal as you have to remove the belt clip, antenna, and the rubberized case and it can drain them rather quickly.  It has a 3.5 mm jack for audio out which I have used to connect to the AUX port in my car.  This 3.5mm jack can be converted to a discriminator tap for use with software decoders. 

Programming - Basic

The TRX-1 comes loaded with a fairly up to date database from radioreference.com which allows basic programming to be done with just a few button presses to select your location by county or zip code.  This easy programming has its advantages, quick, easy, requiring little knowledge of the frequencies and digital systems in the area.  Disadvantages are that when you use this method of programming, you are kind of stuck with what they give you.  It works, but in large suburban counties or cities, the scan list gets pretty long and it can take while to scan all the way through back to the beginning.

Programming – Intermediate

Using the software, it is easier to customize the scan lists with conventional frequencies and trunked system talk groups.  This is where you can set up the scanner for the way you want to use it.  I didn't find it completely intuitive, but it wasn't too hard to figure out, so, as software goes, it is about average.  I was able to set up my scan lists by county which suits my long commutes and frequent trips from Western Maryland to the Baltimore Area.


This is a screen grab of one of my scan lists that includes three trunked systems and a conventional frequency for Anne Arundel County Maryland.  It may be hard to see but I omitted the AAPD 11D Southern district police talk group as I don't really go to the south of the county, the same reason for eliminating AAFD 1C talk group.

I'm sure that there will be endless tweaking of my scan lists to try and find that sweet spot where I get to listen to what I find  interesting without wasting time scanning or listening to the more routine stuff.  I think my next project will be to create two scan lists for my home county, one for dispatch and major incidents, and the other for a lot of other types of traffic like, routine responses channels, highways, mall security, etc. 

Programming – Advanced

I haven't ventured into  this very much, but this scanner has the capability to program multiple virtual scanners that can be loaded from the supplied SD card.  When you load a different virtual scanner, it essentially wipes everything the memory and replaces it with something totally different, everything from settings, to conventional frequencies, to trunked systems.  I think this will be useful for experimenting with different settings and systems and for folks who travel.  I don't think it is for everyone, but it seems like a nice feature to have.

The Manual

The supplied manual was helpful, but it just didn't seem to be that great.  My understanding of the radio really improved when I found a manual online: http://new.marksscanners.com/1080_1095/1080_1088.shtml  the Easier to Read Whistler WS1080/1088 Handheld Digital Scanner and Programming Software Manual.  It was written for an older model, but it really helped me figure this thing out.

More Resources

There is really only one place where I've found a large enough community to ask questions where people will know  the answer.  The Radio Reference forum on Whistler scanners.


A more comprehensive write up about the TRX-1 can be found here:

Friday, January 26, 2018

Two Way Forest Trust from One Side Access Denied

Starting with my first in 1996, I've created countless Windows domain and forest trust relationships over the years.  The only thing that has ever caused a problem for me when creating trust relationships is network connection issues, firewall, routing, etc.  This week, what was planned to be a routine forest trust didn't work.

In this scenario, I was to create a trust in a forest where I am an Enterprise Administrator and a remote forest where I have no access but they had already created their side of the trust and shared the trust password with me.  Using Active Directory Domains and Trusts and using the same procedure I've always used, and had just used in my lab, verified with Microsoft's guidance from TechNet: Create a Two-Way, Forest Trust for One Side of the Trust I was prompted for a username and password at a point where I'd never been asked for a username and password before, after entering the name of the remote forest (step 4 in the linked procedure) and before being prompted to select the trust type (step 5 in the linked procedure).  This was a problem since I wasn't going to get an account or access in the remote forest.

Thinking that it could have just been some sort of GUI anomaly and that it may work in the command line or at least give me some more diagnostic information, I switched to PowerShell.


$targetforest = "contoso.com"
$trustpw = "password"
$Trustdir = "Bidirectional"
$localforest = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest()
$localForest.CreateLocalSideOfTrustRelationship($targetforest,$Trustdir,$trustpw)
Exception calling "CreateLocalSideOfTrustRelationship" with "3" argument(s): "Access is denied."
At line:1 char:1
+ $localforest.CreateLocalSideOfTrustRelationship($targetforest,$Trustdir ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : UnauthorizedAccessException 


It still didn't work, and essentially, I got the same error message.  After scouring the event logs on the local forest domain controller I found nothing to indicate what I was being denined access too.  I was still hesitant to blame the remote forest with what I had so far, but I started suspecting it.  Without access, it was hard to know for sure.

I used a combination of the Microsoft Message Analyzer and Process Monitor to get a better idea of what was going on.

Process monitor was really all I needed, here's the event:

High Resolution Date & Time: 1/26/2018 12:25:00.8212215 PM
Event Class: File System
Operation: CreateFile
Result: ACCESS DENIED
Path: \\devfardc01.contoso.com\PIPE\lsarpc
TID: 2152
Duration: 0.0005023
Desired Access: Generic Read/Write
Disposition: Open
Options: Non-Directory File
Attributes: n/a
ShareMode: Read, Write
AllocationSize: n/a
Impersonating: NT AUTHORITY\ANONYMOUS LOGON

Message Analyzer also had an access denied entry that was helpful


Source
Destination
Module
Summary
devdc01.tailspintoys.com
10.1.1.38
SMB2
Negotiate, Status: Success, ClientGuid: {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}, DialectRevision: SMB 3.0.2
devdc01.tailspintoys.com
10.1.1.38
SMB2
SessionSetup, Status: STATUS_MORE_PROCESSING_REQUIRED, NTLM, Flags: 0
devdc01.tailspintoys.com
10.1.1.38
SMB2
SessionSetup, Status: Success, NTLM v1 with extended session security, Flags: 0
devdc01.tailspintoys.com
10.1.1.38
SMB2
TreeConnect, Status: Success, Path: \\devfardc01.contoso.com\IPC$, TreeID: 0x00000001, Capabilities:
devdc01.tailspintoys.com
10.1.1.38
SMB2
Create, Status: STATUS_ACCESS_DENIED, FileName: lsarpc


These tools were more of a verification of what was happening with a little more detail to help find out why.  Process Monitor was telling me that the anonymous logon couldn't connect to lsarpc, but that is pretty standard.  Could it be that the remote forest EA has removed lsarpc from the anonymous access pipes?  I checked some standard security templates, which still had the lsarpc pipe accessible by the Anonymous Logon, but I thought it could still be a possibility so I tested it in my lab.

I removed lsarpc from their NullSessionPipes values under HKLM\system\currentcontrolset\services\lanmanserver\parameters on the domain controller representing the remote forest and rebooted.  This can also be done with group policy by removing lsarpc from the list in GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options Network access: Named Pipes that can be accessed anonymously. For the first time, I was able to reproduce the problem in my lab environment.

I tested two solutions to the problem, the first being returning the lsarpc entry to the NullSessionPipes values and the second was to use an enterprise admin account in the remote forest, and both allowed the trust to be created successfully.

This was kind of a strange issue and I wasn't able to find the answers with some in depth internet searching.  A lot of folks have trouble creating trusts in some way, but usually it is an easy problem like DNS, a firewall, or they aren't using an admin account, etc.