Improvements to the AirSecurity feature

The Brandmeister DMR development team has made improvements to the Airsecurity feature! The repeater and area scopes are now available. For extra convenience, a Secure Local Pass option allows to bypass the AirSecurity authorization from your personal password-protected hotspots.

What is AirSecurity for?

As most of you already know, Brandmeister DMR only accepts transmissions from DMR IDs that are registered and active in the RadioID database.  However, there is a possibility that someone may inadvertently configure their radio with your personal DMR ID, causing their transmissions to appear as originating from you on the Brandmeister DMR network. This can be avoided by utilizing the AirSecurity feature.

How does it work?

Once AirSecurity is activated for your callsign, any over-the-air transmission from one of your DMR ID will need to be pre-authorized by sending a one-time code via private call. The authorization will be valid for a pre-determined time period, and can be restricted to a single repeater, to a group of repeaters, or to all repeaters connected to a particular master server. If a transmission is made over the air without authorization, the message “Access denied” will be played back by the Brandmeister network.

How to enable and configure AirSecurity?

Login to the Brandmeister dashboard, and open your selfcare page. Click on AirSecurity / TOTP.

A set of options will appear:

  • When AirSecurity/TOTP is set to ON, the feature is active for your callsign
  • When Secure Local Pass is set to ON, transmissions from your personal hotspot (for which the first 7-digits matches your DMR ID) will be allowed without authorization
  • Choose the scope of AirSecurity protection
    • Repeater : only the repeater from which you are sending the authorization code will accept transmissions from your DMR ID
    • Area : this option is currently under development. It will allow to authorize a group of repeaters.
    • Master: only repeaters connected to the master you select will accept transmissions from your DMD ID. Choosing this option will allow you to provide authorization from your web browser in Selfcare, in addition to the TOTP private call method.

Once you have made your scope choice, scan the QR code using any TOTP authenticator application, enter the current code in the “QR Code Verification” field, and click the Save button.

How to use AirSecurity?

When the AirSecurity feature is enabled on your Selfcare account:

  • Open your TOTP application and look at the current 6-digit code
  • Using a radio programmed with your DMR ID make a private call to 9 + followed by the 6 digits code. (for example, if the current TOTP code is 123123, then make a private call to the contact ID 9123123). A short PTT is enough.
  • From that point on, you can transmit with your ID, within the scope you have chosen (repeater or master)

If you have enabled both “AirSecurity” and “Secure Local Pass”, you can make calls with your DMR ID from your personal hotspot without having to enter the TOTP code. The first 7 digits of the hotspot ID must match your Radio ID.

If you selected a scope of Master, an additional method of authorization is available: by pressing the “Enable PTT Now” in your Selfcare. This method also comes with a choice of different time periods for the duration of the authorization:

Hotspots and Repeaters Passwords – Important change on October 1st 2021

Over the past few months, the default password “passw0rd” used for MMDVM, Homebrew, and Kairos connections has been progressively removed from BrandMeister DMR Master Servers. This process will be completed by October 1st 2021.

Below are the details of which devices will be affected with this change, and how to address it.

MMDVM, Homebrew Hotspot users (which includes OpenSpot, Pi-Star, BlueDV, ZumSpot, etc.)

If you have not yet specified a hotspot password in your BrandMeister Selfcare, please do so by following the steps in this article. You will also find explanations on configuring your personalized password for the Openspot, Pi-Star and BlueDV.

MMDVM, Homebrew Repeaters Owners

If you are running a repeater using a 6-digit DMR ID and connected to a BrandMeister Master, and you have not set a password yet, please login to your repeater page and scroll to the bottom of the screen where you will find the “Device Password” field:

Once saved, configure your repeater to use this password when connecting to any BrandMeister Master server.

Dual time-slot MMDVM devices

If you are running a dual-timeslot MMDVM with a 7-digit DMR ID, please follow the steps described in the hotspot section above.

How to select a BrandMeister Master Server?

One of the main distinguishing feature of BrandMeister DMR is that the network is accessible from any master. Therefore you have a choice of 40+ master servers to connect your repeater or hotspot. How to choose?

The best performance will not always be with the master server that is closest to you geographically. Rather, it depends on your internet service provider’s capacity/peerings and the one of the master server.

The key factors for best DMR performance are jitter, then latency. Below is the most simple method to find the best master for you, without any special software.

Step 1: Go to the Brandmeister DMR Master Servers list, and select which master(s) you want to consider. Click on the “Status” button and grab the IP address for the master in your browser’s address bar.

Step 2: From the same network as your repeater or hotspot, run a “ping” command for 1 to 2 minutes to each master you are considering. Perform this test during the time of the day where your typically have the most traffic.

Step 3: Check that the round-trip delay provided by each ping (called latency) stays consistent, without any major variations (called jitter). See the examples below:

Good (No Jitter):

~ ping -t 74.91.118.251

Pinging 74.91.118.251 with 32 bytes of data:
Reply from 74.91.118.251: bytes=32 time=71ms TTL=54
Reply from 74.91.118.251: bytes=32 time=73ms TTL=54
Reply from 74.91.118.251: bytes=32 time=69ms TTL=54
Reply from 74.91.118.251: bytes=32 time=68ms TTL=54
Reply from 74.91.118.251: bytes=32 time=71ms TTL=54
Reply from 74.91.118.251: bytes=32 time=74ms TTL=54
Reply from 74.91.118.251: bytes=32 time=70ms TTL=54
Reply from 74.91.118.251: bytes=32 time=69ms TTL=54
Reply from 74.91.118.251: bytes=32 time=69ms TTL=54
Reply from 74.91.118.251: bytes=32 time=68ms TTL=54
Reply from 74.91.118.251: bytes=32 time=69ms TTL=54
Reply from 74.91.118.251: bytes=32 time=69ms TTL=54
Reply from 74.91.118.251: bytes=32 time=70ms TTL=54
Reply from 74.91.118.251: bytes=32 time=72ms TTL=54
Reply from 74.91.118.251: bytes=32 time=70ms TTL=54

You can see that there are no major latency variations.

Bad (Jitter):

~ ping -t 74.91.118.251

Pinging 74.91.118.251 with 32 bytes of data:
Reply from 74.91.118.251: bytes=32 time=71ms TTL=54
Reply from 74.91.118.251: bytes=32 time=73ms TTL=54
Reply from 74.91.118.251: bytes=32 time=354ms TTL=54
Reply from 74.91.118.251: bytes=32 time=366ms TTL=54
Reply from 74.91.118.251: bytes=32 time=219ms TTL=54
Reply from 74.91.118.251: bytes=32 time=72ms TTL=54
Reply from 74.91.118.251: bytes=32 time=70ms TTL=54
Reply from 74.91.118.251: bytes=32 time=77ms TTL=54
Reply from 74.91.118.251: bytes=32 time=983ms TTL=54
Reply from 74.91.118.251: bytes=32 time=875ms TTL=54
Reply from 74.91.118.251: bytes=32 time=917ms TTL=54
Reply from 74.91.118.251: bytes=32 time=75ms TTL=54
Reply from 74.91.118.251: bytes=32 time=72ms TTL=54
Reply from 74.91.118.251: bytes=32 time=819ms TTL=54
Reply from 74.91.118.251: bytes=32 time=668ms TTL=54

You can observe here the big variances in latency, indicating jitter. Symptoms of jitter include choppy/garbled audio and delayed/dropped transmissions.

Step 4:

Once you have found some masters with no jitter, pick the one offering the lowest latency (smallest ping time).

For any further question, please refer to the BrandMeister Support Portal.

Using DMR IDs on BrandMeister

The support team noticed a lot of questions are being sent regarding the use of IDs in radios, hotspots and repeater. Here is how BrandMeister recommends to use DMR IDs based on the different use case.

Accessing BrandMeister DMR with your radio and a public repeater or hotspot

All you have to worry about is the codeplug of your radio. In the configuration, you will use the 7-digit DMR ID your call-sign has been assigned (for example: 2060945) and the proper TX/RX frequencies.

Accessing BrandMeister DMR using your radio and personal hotspot

In your radio’s codeplug, configure your 7-digit personal DMR ID as assigned by HamDigital or RadioID. (For example: 2060945).

In your hotspot configuration, use your 7-digit personal DMR ID followed by “01”, for a total of 9-digits. (For example: 206094501). If you have more than one hotspot, use the suffix 02, 03, etc. Always make sure that all your hotspots are using different frequencies.

Do not add only “1”, “2”, etc. for a total of 8 digits, as this won’t work.

You do not need to request a 6-digit repeater ID for a hotspot, even if more than one person is using it, and even if it is dual-timeslot. The 6-digit repeater IDs are designed for large-coverage repeaters.

Providing a BrandMeister DMR repeater for the general public

If you would like to setup a repeater to allow a larger audience to access the BrandMeister DMR network, you will have to apply for a repeater ID with HamDigital.org or RadioID.net depending on your geographical location. Use this ID as-is in your repeater codeplug configuration and you are done.

If you are planning to deploy more than one repeater you will need to request a new 6-digit repeater ID for each repeater. Do not add “01”, “02” suffixes in each repeater configuration.

BrandMeister DMR repeater sysops: how to create a “local talkgroup” on your repeater

BrandMeister Repeater Sysops : How to create a “local talkgroup” for your repeater ?

Repeater owners like to offer a talkgroup dedicated for hams within the coverage area of the repeater and refer to it as the “local talkgroup”. This can be achieved two ways, depending if you want a talkgroup:

1) that only local users within the repeater coverage can use

As you know, all valid talkgroups numbers are routed between BrandMeister master servers. There is however an exception for talkgroups 1 through 90. QSOs on these talkgroup numbers will never route past the repeater.

Considering that single-digit talkgroup numbers are usually used for clusters, using a talkgroup number between 10 and 90 for your local-only talkgroup(s) is a good choice.

One might think that Talkgroup 9 on Timeslot 2 is an option because traffic doesn’t seem to route. However it is not a good idea because TG9/TS2 is dedicated for reflector usage. As soon as someone connects a reflector on the repeater: all the traffic that users think is local on TG9/TS2 is now broadcasted on the matching talkgroup on the worldwide BrandMeister without them knowing! (unless the connected master is configured to disable reflectors, but better be safe than sorry!).

2) that is dedicated to the local community of the repeater users but also available outside of the coverage area if someone travels and want to use a different repeater or hotspot to talk to hams at home

What is recommended in this case is to simply use a talkgroup number that matches the 6-digit DMR ID of the repeater. This avoid any possible collision if choosing an arbitrary talkgroup number, since all repeaters have a unique ID on the BrandMeister network. 4-digit and 5-digit talkgroups are usually dedicated to regional talkgroups. There no need to make this talkgroup static since it is for the repeater’s local users.

Please configure a personalized security password for your hotspots !

What are hotspot passwords ?

As you may know, hotspots connecting to a BrandMeister master server using homebrew or MMDVM protocol require a password to connect. Currently most of you use the “master server password” which is typically published on the corresponding country’s BrandMeister wiki page. Some software packages include those default passwords, relieving the users from needing to research and input this password.

It is also possible, and now strongly recommended for each user to setup their own personalized password from within the BrandMeister Selfcare.

Why setting up a personalized hotspot password for your own callsign ?

If you did not setup a personalized password for your hotspot, anyone can configure their hotspot with your personal DMR ID and connect with the master’s publicly documented default password, and start using the hotspot with your callsign !

Unfortunately this is happening more and more, thus our recommendation for everyone to setup a personalized password. By creating your own password, you ensure that you are the only one able to use your DMR ID to setup a hotspot.

Also setting up your own password will prevent your hotspot connection to stop working when the password is changed on the master you are connecting to.

How to proceed ?

First, create a personalized password in your BrandMeister selfcare.

1. Login to your BrandMeister Selfcare

2. On the top right, click on your Callsign

Click on your callsign

3. Click on the “SelfCare” option

Select SelfCare

4. At the bottom of the page, check the box “Hotspot Security”

Select HotSpot Security

5. A password box will appear. Enter your personalized hotspot password and click “Save”.

Enter a hotspot security password

Setup the password on your hotspot

OpenSpot

1. Login to yourOpenSpot web interface , and click on the “Connectors” option

2. Make sure your Active Connector is “Homebrew/MMDVM”. (If not, select it from the “Edit connector” dropdown, and click ” Switch to selected”

3. Scroll down to the “DMR/Homebrew/MMDVM” section. The current “Server Password” is the generic one for the master you are currently connected to. Change this field to your customized password.

4. Click the “Save” button

pi-Star (Raspberry-based hotspots such as JumboSpot, Zumspot, etc.)

  1. Login to your pi-Star web interface, and click on the configuration page.

2. Scroll down to the “DMR Configuration” section, and input your hotspot password in the “Hotspot Security” field

3. Click on the “Apply Changes” button below the field.

Note that if the field Hotspot Security is empty, it will revert to using the default password from the DMR Host file provided with pi-Star updates.

Blue-DV

1. Click on the “Menu” option at the top, and then “Settings”

2. Enter your personal password in the “Brandmeister” section, in the “Master Password” field.

Questions / Issues ?

If you have any question or issue, contact us using the BrandMeister support platform.