Quantcast
Channel: diario SWL I-56578 Antonio
Viewing all 623 articles
Browse latest View live

Iranian-QPSK 468.75, 937.5 Baud

$
0
0

Heard on 10724.0 KHz and 17382.2 (cF) on USB at 2120z, this signal is known as "Iranian-QPSK" since its QPSK modulation QPSK.For what is known, the Iranian-QPSK occurs in some variantsthat differ inspeed such as: 1875, 937.5, 468.75 and 207 Baud. It seemsthat there isalsoa variantwitha speed of 234baud. The 207 Baud waveform is reported in radioscanner.ru while qrg.globaltuners.com  identifiesthe signalas belongingto the Iranian Navy: I did not find such match looking at UDXF logs.



 

a STANAG-4285 variant

$
0
0

each single "transmission" begins with 4 unmodulated tones that are 700, 500 and 900 Hz spaced (from bottom) and lasting ~ 100ms. The existence of this special preamble could be misleading since STANAG-4285 doesn't plan such preamble but rather 80 BPSK synchronization symbols (cyclically repeated every 106.6ms). The STANAG-4285 waveform is indeed well defined by looking at ACF duration and frame structure of the signal (pic.1 ) as well as the evidence of the BPSK segments (pic. 2). 
This signal is frequently audible on 6931.0 KHz on USB, at my side logged  in the morning around 0850 UTC. Difficult to say the user: a post in radioscanner.ru forum suggests a Croatian source.

pic. 1
pic. 2

BELL 103 compatible FSK modem (Algerian AF)

$
0
0

heard on 11446.2 KHz (cf) at 0756 UTC. FSK bursts preceeded by three unmodulated tones 150 Hz spaced, manipulation speed is 300 symbols/s and shift is 200 Hz. A short 250ms preamble is embedded in the 3 pre-tones (pic.3) , data are encrypted. Since the baudrate (300Bd) is higher than the shift (200Hz), modulation could be a so-called semi-mode such as MSK or GMSK.
The waveform is compatible with AT&T Bell 103 modem and suggested to be used by Algerian Air Force. A short recording is available here
 
pic. 1 baudrate 300Bd
pic. 2 shift 200 Hz
pic. 3 FSK preamble

KG-84 evidences

$
0
0
I tried out to look at some signals that use KG-84 hardware crypto equipmentin order to identify its footprint inside them and differences (if any), specifically: the two NATO widely used waveforms STANAG-4285 and STANAG-4481-FSK, one of the STANAG-4285 variants (this one possibly a Croatian version) and the FSK 600Bd/400Hz by Turkish Military. Since only four waveforms, this does not claim to be a complete view, rather it will be updated as soon as I'll get other such encrypted signals.
 -
Given a signal, as previously seen, the existence of  KG-84 encryption can bedetected by a known 64 bits sequence (say the KG-84 resolver) inserted at the beginning of each session/message:
1111101111001110101100001011100011011010010001001100101010000001
followed by the encryption key insertion. 
In order to highlightthe 'resolver' we need to work with bitstream files, also known as ASCII-bits file, containingonly the binary symbols 0 and 1 and provided by decoders such as k500 or Sorcerer (in the picture belows). This because - for example - the PSK-8 demodulated output from signals analyzers such SA, provideon-the-air symbols that still contains extra-symbols due to FEC and they should de-scrambled, de-interleaved and converted from HEX values to binary. 
The bitstream analysis is performed using a bit flow processor and editor.


STANAG-4285

pic. 1 - NATO STANAG-4285
in this case the resolver is followed by a 512 bits group consisting of two 64 bits sequences repeated 4 times: the two 64 bits sequences form the 128 bits key, k500 call them as "inizialization vectors" and are clearly indicated in its output as two strings each of 32 HEX characters. As far as I can see, both the resolver and the key are inserted at the beginning of the session and are not re-inserted or repeated so that the message can not be deciphered in case of late entry.

STANAG-4481-FSK
pic. 2 - NATO STANAG-4481-FSK
since the same operating environment (NATO), STANAG-4481-FSK adopts the same structure as in 4285: after the reversals, 128 bits resolver followed by the 64 bits sequences of the key. It is worth noting in pic. 3 that the 64 bits sequences produce ~850ms ACF spikes visible in the initial part of the signal.

pic. 3 - 850ms ACF spikes due to key insertion

STANAG-4285 variant

pic. 4 a STANAG-4285 variant
although it's compatible with NATO S-4285, this waveform (the user is suggested to be Croatian) does not provide KG-84 encryption (coud not find the resolver) but rather a sort of linear encryption taht is not detected by the standard S-4285 decoders such as k500 and Sorcerer.

Turkish FSK 600Bd/400Hz

pic. 5 - the Turkish FSK/600/400
for what concerns KG-84 encryption, this waveform exhibits an interesting peculiarity: the resolver is not followed by the 512-bits key block as seen in NATO 4285 and 4481 implementations. I do not know if the  128 bits immediately following the resolver are indeed the key or else the key is just scrambled and then obscured to standard decoders. 
As expected, since this trasmission consists of 7 blocks, the resolver is repeated  7 times each 3954 bits exactly: since the apparently lack of the key I don't know if the transmission carries seven distinct messages or if the repetion is an help in case of late entry (so the messages are the same?).

pic. 6 - the seven resolvers

It's quiteuseless and waste ofspace and bandwidth to listhereconceptsandimagesthatareeasilyfound on the web about KG-84, below just few links:
Thanks to my friend KarapuZ for pointing me this argument and his stimolous to deepen.

HARRIS 'Citadel' cryptographic engine

$
0
0

This is an automatic link setup (ALE) and traffic forward performedthrough the use of MIL-STD standards 188-141A and 188-110A Serial Tone: the calls in the play belongs to Romanian Military,  the trasmission has been caught on 8000.5 KHz on USB.
Since the encryption is visible in the secondary protocol (or better, at data-link layer), as seen in the KG-84 detection we need a bitstream that is de-encapsulated from MS188-110 (the used physical-layer in this case) stuff.  I used Sorcer to decode the received signals (pic. 1): as you can see, they were sending data at 300bps with long interleaving. Some logs in the web report the pattern "]]]VVV" as a sort of footprint related to Citadel encryption: maybe this is true for 2400bps/voice transmissions since I could not find any particular "pattern" in the ASCII outputs.  The secondary protocol (pic. 2) is identified as Harris FED-1052 and it's not an error since MS188-110 has been removed by Sorcerer and so probably it's related to the data-link layer specified by this protocol. As you can see, the encryption is easily detected.
In pic.3 I drewasimpleand unpretentious diagram to illustrate how all the stuff works, if you understand TCP/IP then it will be easy for you.
 
"The Citadel cryptographic engine provides military-grade encryption for non-Type 1 applications for U.S. and international users. It is approved for export with configurable key lengths and multiple algorithm options, making it an ideal encryption solution for a broad range of modern communications products. Citadel has three algorithm options: a standard Citadel high-grade algorithm; a Harris-configured, customer-unique Citadel algorithm; and a customer-configurable unique Citadel algorithm. All Citadel cryptographic algorithms are based on a mixed-mode, arithmetic block cipher and support both communications security and transmission security functions."
pic. 1

pic. 2
pic. 3

THALES Skymaster, "skyhopper" mode

$
0
0
 
This is the Thales Skymaster ALE in Skyhopper mode, heard on 16360.0 KHz/USN at 0814. The signal use very short bursts, in this sample an initial GFSK (GMSK) is followed by MFSK-8 bursts each 200ms and 400ms. MFSK-8 bursts consist of eight 250 Hz spaced tones, 125 Baud speed: the parameters are the same of  MS188-141 2G-ALE but this is the only common thing.
Unless to get a good recording, the GFSK study is quite difficult since the short duration of the burst, friends of  radioscanner suggest OQPSK modulation at a rate of 2000 Baud. These burst are better clear in the upper part of the above image.




logs

$
0
0
ALE
06510.0 Z1V: Slovak Mil, SLV 0742 USB MIL 188-141 ALE calling P1O (22Jan16) (AAI)
06510.0 Z1V: Slovak Mil, SLV 0747 USB MIL 188-141 ALE calling K1U, handshake flwd by MIL 188-110A serial (22Jan16) (AAI)
06790.0 4212: Sonatrach, ALG 0725 USB MIL 188-141 ALE sounding (28Jan16) (AAI)
06905.0 TC01: Algerian Mil, ALG 0740 USB MIL 188-141 ALE calling AT01 (22Jan16) (AAI)
07102.0 9A0MIL: Global ALE HF Network Croatia 0812 USB MIL 188-141 ALE calling HB9MHB (27Jan16) (AAI)
07393.0 ---: Unid prob. German Mil, D 0736 USB Arcotel MAHRS-2400 ALE bursts (26Jan16) (AAI)
07575.0 KB21: Algerian il, ALG 0733 USB MIL 188-141 ALE calling PY10 (26Jan16) (AAI)
08000.5 HBLZDRD1 Roumanian Mil, ROU 0800 USB MIL 188-141 ALE calling HFJCDRD1 (22Jan16) (AAI)
08014.0 STAT151: Tunisian MOI Net, TUN 0815 USB MIL 188-141 ALE, handshake with STAT25 flwd by tfc in PacTOR-II (23Jan16) (AAI)
08020.0 CHARLY46: Italian AF 46th Aerial Brigade Pisa-San Giusto, I 1131 USB MIL 188-141 ALE calling 45 (03Feb16) (AAI)
08023.0 WG41: Algerian Mil, ALG 1125 USB MIL 188-141 ALE calling FQ53 (03Feb16) (AAI)
08025.0 RO2: Romanian Diplo, ROM 0814 USB MIL 188-141 ALE calling @?@ (26Jan16) (AAI)
08025.0 ZPO: Romanian Diplo, ROM 0812 USB MIL 188-141 ALE calling CENTR2, handshake + tfc in MS188-110 serial (26Jan16) (AAI)
08072.0 6CIN1D: Unid 0846 USB MIL 188-141 ALE calling 6CIN2D (03Feb16) (AAI)
08125.0 LIS: Unid network 0734 USB MIL 188-141 ALE calling WTF (27Jan16) (AAI)
08174.0 ND01: Unid (prob. Algerian or Tunisian net) 0845 USB MIL 188-141 ALE calling AC01, handshake + MS188-110 App.B 39-tone (03Feb16) (AAI)
08207.0 ABA: Maritime Services, Malta Armed Forces, MLT 0755 USB MIL 188-141 ALE calling AB1 (25Jan16) (AAI)
08449.5 ---: Unid prob. German Mil, D 0758 USB Arcotel MAHRS-2400 ALE bursts (27Jan16) (AAI)
08700.0 VNL: (prob. Slovenian Net,"Triglav-11") 0911 USB MIL 188-141 ALE calling POC (22Jan16) (AAI)
08990.0 TOLGAALE: prob. Algerian Police 0825 USB MIL 188-141 ALE sounding (27Jan16) (AAI)
09980.0 YDM: Unid 0907 USB MIL 188-141 ALE caling QZO (29Jan16) (AAI)
13499.0 2002: Unid network 0942 USB MIL 188-141 ALE calling 2407 (25Jan16) (AAI)


data
06228.0 ---: Unid 2258 Hagelin HC-256 voice scrambler (29Jan16) (AAI)
06813.0 HBM46: Swiss Military SUI 0735 VFT 2x 100Bd/170 (channels cf at -500, +500Hz) (25Jan16) (AAI)
08086.5 IGVE: Italian Coast Guard/SAR, I 1231 USB voice comms, fixing randezvous at 34°0'N 13°0'E (03Feb16) (AAI)
08125.0 ---: Unid prob. Czech MFA, CZE 0720 (cf +1500Hz USB) PacTOR-II 200Bd short transmission (27Jan16) (AAI)
08391.0 ---: Italian fishing boats 0840 J3E/USB simplex, chatting (25Jan16) (AAI)
09070.0 ---: Russian Mil, RUS 0904 USB CIS-45 HDR modem v2 40Bd 62.5Hz BPSK (25Jan16) (AAI)
11446.2 ---: Unid prob. Algerian AF 0756 Bell-103 compatible modem FSK 300Bd/200 (29Jan16) (AAI)
12173.0 ---: Russian Intel, RUS 0835 USB (cf) CIS FTM-4, MFSK-4 150Bd 4000Hz (tones at: -6, -2, +2, +6 KHz) (01Feb16) (AAI)
12226.0 ---: Unid (prob. Bulgarian Diplo Net) 0900 USB RFSM-8000 modem with data-masking // 9050.0 KHz (01Feb16) (AAI) (*)
12270.5 ---: Unid prob. German Mil 0925 USB R&S GM2100 HF modem 2400Bd serial PSK-8 (carrier 1500Hz) (29Jan16) (AAI)
13383.0 ---: Russian Intel, RUS 0922 USB (cf) CIS FTM-4, MFSK-4 150Bd 4000Hz (tones at: -6, -2, +2, +6 KHz) lasting 4mins (25Jan16) (AAI)
14556.5 REA4: Russian Air Force, RUS 0835 FSK 100Bd/2000, upper tone Morse keyed "REA4 REA4 = T 2T 8T 997EE E555 T 53842 7 2997 322E3 11E21245 82T22=REA4 K" (02Feb16) (AAI)
14898.0 ---: Russian Mil, RUS 0938 USB CIS-112 OFDM 22.22Bd BPSK (03Feb16) (AAI)
15623.0 ---: Russian Intel, RUS 0845 USB (cf) CIS FTM-4, MFSK-4 150Bd 4000Hz (tones at: -6, -2, +2, +6 KHz) lasting 4mins (22Jan16) (AAI)
15623.0 ---: Russian Intel, RUS 0850 USB (cf) CIS FTM-4, MFSK-4 150Bd 4000Hz (tones at: -6, -2, +2, +6 KHz) lasting 4mins (26Jan16) (AAI)
16810.0 ---: Russian Mil, RUS 0820 CIS-60 OFDM 35.55Bd p/8 DPSK-8 (02Feb16) (AAI)
16360.0 ---: Unid 0814 USB THALES Skymaster ALE Skyhopper mode (02Feb16) (AAI)
17382.2 ---: Iranian Net 1230 (cf) Iranian QPSK 468.75Bd and 937.5Bd (26Jan16) (AAI)
18553.0 ---: Russian Mil, RUS 1252 USB CIS-45 HDR modem v1 33.3Bd 62.5Hz BPSK bursts (25Jan16) (AAI)

CIS Makhovik (the "flywheel") vocoder

$
0
0

Makhovik is classified as "vocoder" butcan be used also for sending encryption of data,it is designed to operate in the UHF  but very often is found on the HF as a part of the AT-3004D modem. The manipulation speed is 1200 Baud and the modulation used is BPSK(pictures 1 and 2)and are easy obtained by SA in case of a good recording of the signal.

pic. 1 

pic. 2
For what concerns its structure, this is signal is quite difficult to study. A fairly complete analysis can be found here,as for me I willillustratewhat I havebeen able to find  and verify in regard to theaforementionedanalysis.
Looking at the sonogram we can see an initial long BPSK preamble that is re-inserted several times: reinsertions do not happen at regular time intervals and have different durations. The preamble has a period of 12.5ms and since the speed of the system (1200 Baud) and the used modulation (BPSK), 12.5ms makes a 15-bits string matrix:this idle sequence111101011001000the characteristic "sign" of Makhovik but can be transmitted with different polarity (pic. 4). 

pic. 3 - period of the preamble, 12.5 milliseconds

 pic. 4 - the characteristic 15 bit string can be sent in both the negative and positive polarity

The header following the preamble, and preceeding the data block, is composed of a 511 bits synchronization block followed by the insertion of the encryption key. The key is composed of eight strings of 30 bits (i.e.240 bits lenght) and each string is repeated 3 times so that the key weight is 720 bits(pic. 5). The x3 redundancy, as well as in KG-84 encryption, is probably used to improve the accuracy and realiability of the transmission.
pic. 5
Preambles and headers (sync blocks + keys) are easy recognizable inside the bit flow (pic. 6) as well in the sonogram of the signal (pic. 7).

pic. 6

pic. 7
As a concuding note I want to point out that the bitstream comes directly from SA demodulator and then we have to do with "on-the-air"symbols.
As said, an interisting and detailed analysis can be read in radioscanner  forum although it's in Russian language, anyway both the positive/negative idling sequence and the 720 bits key block are valid cluesfor its identification.
Thanks to KarapuZ for the precious help and tips.


CIS FSK 100Bd/2000, Russian AF (in this case)

$
0
0

this signal has been caught on 14555.0 KHz on USB at 0840 UTC and 1240 UTC (the latter from KarapuZ). It's an FSK modulation characterised by 2000 Hz shift and speed of 100 Baud. The user is proved to be Russian and the Morse mode seen in the upper tone, decoded using MultiPSK software (pic. 3), suggests the Russian Air Force since the call REA4 belongs to Russian AF HQ Moscow. By the way, before the upper tone keyed the signal were not transporting data. More likely the Air Force is not the only user of the waveform.

pic. 2
pic. 3

FSK 100Bd/620, Polish Intel

$
0
0

FSK-2 modulation with 620 Hz shift and 100 Baud speed, in use by Polish Intel service.

pic. 1 - baudrate and shift
The signal exhibits clean ACF spikes at 96 bits (~960ms lenght). Looking morecloselyone can distinguish six periods of16bits, most likelythey represent a five digits code and a separator between the groups as also shown in the bitstream (pic. 3).

pic. 2 - 96 bits ACF (6 x 16 bits digits)
.
pic. 3
Looking at the whole demodulated bitstream (pic. 4), although inclusive of the overhead bits, we canget an ideaof the signal structure. First of all, note that the ACF is due to the final part "D" and then does not characterizethe entiresignalbut onlya part. While the parts A and E can be assumed as the 'start' and 'end' of transmission, it's difficult to fix the roles of the other groups: message, destination address, coded-instructions and so on. Talking with my friend KarapuZ, he says we need much more recordings for statistic comparisons since a previous recording of 2014 just exhibits that same characteristics. And if he says so...

pic. 4

MS188-110 scrambler lenght and ACF (another test)

$
0
0
In a previous post I already talked aboutthe way MS188-110 scramblerlengthaffects the valueof theACF and onlyat certain data rate speeds, today I wanted to verify this matter but using a bitstream analyzer rather than SA. 
In order to do that, I neededto pick up transmission symbols from the output ofthe scrambler, just before the PSK-8 modulator: i.e. the "pure" symbols flow,  without any other addition such as mini-probes or preamble re-insertions. In other words, I needed a sort of reduced MS188-110 modem as shown in pic . 1

pic. 1 the reduced MS188-110 modem
Since this kind of reduced-modem simply doesn't exists, I decided for a software-implementation by writing a simple LUA [1] program, following the directions provided by the protocol [2] (see below): the program doesn't use bitwise operations but handle binary values as array of ASCII zeroes and ones  such as {101} for 0x101. Since the scope, FEC Encoder and Interleaver matrices have been omitted and replaced by a binary input file (formed of random binary data) and/or a constant binary data string. 
As said, known data sequences (mini-probes) and preamble re-insertions have also been omitted just to prevent ACF periods due to these patterns.

5.3.2.3.8 Scrambler.
The tribit number supplied from the symbol formation function for each 8-ary transmitted symbol shall be modulo 8 added to a three bit value supplied by either the data sequence randomizing generator or the sync sequence randomizing generator.

5.3.2.3.8.1 Data sequence randomizing generator.
The data sequence randomizing generator shall be a 12 bit shift register with the functional configuration shown on figure 6. At the start of the data phase, the shift register shall be loaded with the initial pattern shown in figure 6 (101110101101 (binary) or BAD (hexadecimal)) and advanced eight times. The resulting three bits, as shown, shall be used to supply the scrambler with a number from 0 to 7. The shift register shall be shifted eight times each time a new three bit number is required (every transmit symbol period). After 160 transmit symbols, the shift register shall be reset to BAD (hexadecimal) prior to the eight shifts.



As shown in pic. 1, the software output is a bitstream file called "scrambler-output.txt" that can be analyzed through a bit analyzer, and here we are: the result is shown in pic. 2., asit wasto be expected, and incidentally reported in MIL 188-110 standard, the scrambler just produces a periodic pattern 480 (160 transmit symbols) bits in length!

pic. 2 - 480 bits (160 PSK-8 symbols) period
So, summarizingwhat has already beenwritten in the cited post, this is why at low data-rate speeds (from 150 up to 1200 bps) the ACF analysis produces strong 66.67ms spikes (pic. 3): four contiguous groups of the pairs [mini-probe] + [unknown data] makes 160 symbols (pic. 4) and they are just in sync with the scrambler length! At lowest speed (75bps) there are no channel probe so the 66.6ms ACF is only due to the scrambler.

pic. 3 - MS188-110 ST 66.67ms ACF
pic. 4 - MS188-110 ST frame formation

logs

$
0
0
16553.5 --- Unid (prob. Japanese Mil) 0852 USB 30-tones 70Hz spaced + 1 pilot tone and 4 service tones (?) (16Feb16)
18003.0 201073  USAF U-2 80-1073 0838 USB MIL 188-141 ALE sounding (16Feb16)
18003.0 5RS 5th Reconaissance Squadron, Osan Air Base, South Korea 0836 USB MIL 188-141 ALE calling 201077 (16Feb16)
18003.0 5RS 5th Reconaissance Squadron, Osan Air Base, South Korea 0826 USB MIL 188-141 ALE calling 280329 (16Feb16)

16112.0 1011: Mauritanian Gendarmerie, MTN 1036 USB MIL 188-141 ALE calling 1001 (14Feb16) (AAI)
09240.0 335013: Turkish Civil Defense, TUR 0813 USB MIL 188-141 ALE calling 303013 (13Feb16) (AAI)
08819.0 ---: Tashkent volmet UZB 1450 J3E/USB female (12Feb16) (AAI)
08016.0 NPRDPZ: NPRD Net, HRV 1449  USB MIL 188-141 ALE sounding (12Feb16) (AAI)
10176.0 STAT152: Tunisian MOI, TUN 0942 (cf +1700Hz USB) PacTOR-II "DEFAULT@#HFARQ#STAT152" (12Feb16) (AAI)
10311.0 XV01: Unid (prob. Algerian or Tunisian net) 0902 USB MIL 188-141 ALE calling AC01, handshake + MS188-110 App.B 39-tone (08Feb16) (AAI) (AAI) (AAI)
10175.0 380: Unid net 0850 USB MIL 188-141 ALE calling all stations (@?@) (12Feb16) (AAI)
10241.0 ---: Russian Mil, RUS 0825 CIS-60 HDR modem 35.5Bd 44.4Hz DQPSK (12Feb16) (AAI)
13373.0 ---: Russian Mil, RUS 0807 CIS-45 HDR modem v2 40Bd 62.5Hz BPSK (12Feb16) (AAI)
12210.0 ---: Czech Diplo, CZE 0745 (cf +1500Hz USB) PacTOR-III "CN=ZPRAGA01/O=ZSMZV" (12Feb16) (AAI)
08453.0 FUG8: French Navy, La Regine F 0922 USB STANAG-4285 600L "FAAA FAAA FAAA DE DE DE FUG8 FUG8 FUG8" (11Feb16) (AAI)
08115.0 RK33: Algerian Mil, ALG 0919 USB MIL 188-141 ALE sounding (11Feb16) (AAI)
08984.0 BE01: Algerian Mil, ALG 0918 USB MIL 188-141 ALE sounding (11Feb16) (AAI)
08162.0 035: Hungarian Mil, HNG 0906 USB MIL 188-141 ALE calling 093 (11Feb16) (AAI)
11168.6 KWB48: RIMC, Frankfurt US DoS 0826 USB MIL 188-141 ALE sounding (11Feb16) (AAI)
10801.0 ---: Unid (prob Chinese Intel/Diplo net) 1125 (cf) DQPSK 62.5Bd (10Feb16) (AAI)
10192.0 ---: Russian Navy, RUS 0934 (cf) CIS-Akula FSK 500Bd/1000 bursts (10Feb16) (AAI)
10574.5 A08: Netherlands MIL, HOL 0827 USB MIL 188-141 ALE calling A02 (10Feb16) (AAI)
08345.0 IASC: Italian Navy, SCIROCCO frigate F573 0805 USB J3E radio check with IDR HQ (10Feb16) (AAI)
07775.0 DUM: Polish Mil, POL 0748 USB MIL 188-141 ALE calling HAG (10Feb16) (AAI)
08298.5 ---: Unid 0712 ISB Link-11 CLEW (09Feb16) (AAI)
08286.5 ---: Unid 0710 ISB Link-11 CLEW (09Feb16) (AAI)
08016.0 NPRD001:  NPRD Net, HRV 0709 USB MIL 188-141 ALE sounding (09Feb16) (AAI)
08875.0 C3: Moroccan Mil, MRC 0706 USB MIL 188-141 ALE sounding (09Feb16) (AAI)
10311.0 SZ01: Unid (prob. Algerian or Tunisian net) 0945 USB MIL 188-141 ALE calling AC01, handshake + MS188-110 App.B 39-tone (08Feb16) (AAI) (AAI)
10430.0 TOA: Algerian Gendarmerie, ALG 1000 USB MIL 188-141 ALE calling AML (07Feb16) (AAI)
10590.0 745: Algerian AF, ALG 0950 USB MIL 188-141 ALE calling CM1 (07Feb16) (AAI)
17382.2 ---: Iranian Net 0950 (cf) Iranian QPSK 468.75Bd (06Feb16) (AAI)
05895.0 LKB/LLE: Erdal, Bergen (Norway) 0855 USB music, speech and  CW ID (06Feb16) (AAI)
05762.0 035: Hungarian Mil, HNG 0812 Harris AVS vocoder + USB MIL 188-141 ALE closing link with 082 (06Feb16) (AAI)
10311.0 ---: (no call) 0908 USB MIL 188-141 ALE calling DX01 (04Feb16) (AAI)
09423.0 K36: Israeli Air Force, ISR 0840 USB MIL 188-141 ALE sounding (04Feb16) (AAI)
07584.0 OEY342: Austrian Army, AUT 0747 USB MIL 188-141 ALE calling OEY831 (04Feb16) (AAI)


5RS 5th Reconaissance Squadron, Osan Air Base, South Korea

5th_Reconnaissance_Squadron

Unid MFSK 30 parallel tones (plus pilot and services)

$
0
0
About the unid MFSK 30 parallel tones, reported in the previous post, since the frequency 16553.5 KHz/USB is operated by Japanese Military with their 4xFSK-2 system, it could be that this signal has that same source. 
The spectrum spreads a 2300 Hz bandwidth (pic. 1) and shows 30 tones ~70Hz spaced, in the lower part, after the strong pilot-tone, are visible four distinct tones transmitted at a lower power than the other 30: this could lead to think to a sort of "service" tones but it's a my guess (pic. 2). All the carriers are not modulated so the signal does not carry information. It's difficult to confirm the source (Japanese Mil.) as well as say if they are just testing a new system.

pic. 1
pic. 2

MS188-110C, Appendix C/D scrambler

$
0
0
Both the High Speed Waveforms (HSWF) and Wide Band HF Radio waveforms (WBHF), described in the Appendices "C" and "D"from the standard MS188-110C, use the same scrambler. Modems operating over multiple discrete channels (Appendix F) also use this same scrambler since they use the waveforms from Appendix C.The scrambling sequence generator polynomial is:
x^9 + x^4 + 1
and is initialized to 00000001 at the start of each data frame, i.e. each 256 transmitted symbols (data block lenght is the same in both the two waveforms families). The length of the scrambling sequence is 511 bitscomputedas the maximal number of its states excluding the all-zeroes state (2^9 -1). For a 256 symbol data block with 4 bits per symbol, this means that the scrambling sequence will be repeated about 2 times, while for 6 bits per symbol just slightly more than 3 times, although in terms of symbols there will be no repetition (pseudo-random generator). In other words, the scrambler is designed to not have auto-correlation property, contrary to what happens for the MS188-110A scrambler, as we saw here, where the scrambler produces a periodic pattern 160 transmit symbols (480 bits, since the PSK-8 modulation) in length that at certain data rate speeds affects the value of ACF. 
I do not want reinvent the wheel here but only practiceof analysis, soI just looked for a confirmation of this behavior(and described below) by analyzing the bitstream produced by a software-scrambler that I wrote in Lua language for both PSK-8 and QAM-16 modulations, in the latter case I also examined a real-world QAM-16 signal to verify the lack of possible signs/repetitions caused by the scrambler.

PSK-8 modulation
For PSK-8 data symbols (3200 bps and 4800 bps), the scrambling shall be carried out taking the modulo 8 sum of the numerical value of the binary triplet consisting of the last (rightmost) three bits in the shift register, and the symbol number.  A block diagram of the scrambling sequence generator is shown in pic. 1, in this illustration, three output bits are shown: this is the case for PSK waveforms.

Pic. 1
After each data symbol is scrambled, the generator shall be iterated (shifted) the required number of times to produce all new bits for use in scrambling the next symbol, so will be 3 iterations for PSK-8. Since the generator is iterated after the bits are use, the first data symbol of every data block (256 symbols) shall, therefore, be scrambled by the appropriate number of bits from the initialization value of 00000001.

pic. 2
The sw-scrambler writes the scrambled symbols, ready to be sent to the PSK modulator, to the "scrambler-output.txt" file. Examining this bitstream (pic. 2) a 768 bits period is revealed and this lenght is exactly the lenght of the 256 PSK-8 symbols data block: there is no evidence of 511 bits cycle due to the scrambler.

QAM-16 modulation
The data symbols for QAM modulations shall be scrambled by using an exclusive or (XOR) operation: sequentially, the data bits forming each symbol (4 for QAM-16, 5 for QAM-32, 6 for QAM-64 and 8 for QAM-256) shall be XORed with an equal number of bits from the scrambling sequence (pic. 3).

pic. 3 - scrambler for QAM-16 modulation
After each data symbol is scrambled, the generator shall be iterated 4 times to produce all new bits for use in scrambling the next symbol. As said, since the generator is iterated after the bits are use, the first data symbol of every data frame shall, therefore, be scrambled by the appropriate number of bits from the initialization value of 00000001. I used a constant data symbol value (0110) just to highlight the behavior of the scrambler.

pic. 4 - running the sw-scrambler for QAM-16 modulation
The sw-scrambler writes the scrambled symbols to the "QAM-16-scrambler-output.txt" file. Examining this 5000 symbols bitstream (pic. 5) a 1024 bits period is revealed. As in the case of PSK-8 scrambler, this lenght is exactly the lenght of the 256 QAM-16 symbols data block: also in this case there is no evidence of 511 bits cycle due to the scrambler.

pic. 5
real-world QAM-16 signal

pic. 6a - real-world MS188-110C App.D signal

pic. 6b - MS188-110C App.D, QAM-16 ACF
As expected, the ACF returns a 120ms period (pic. 6) that makes 288 symbols length frame at 2400 Baud. Since the data block for QAM-16 modulation is always 256 symbols, it follows that mini-probes are 32 symbols lenght (waveform n.8 from Appendix D TABLE D- XI):


After demodulating the QAM-16 signal with SA, it was then converted into an ASCII-bit file by using a simple HEX2BIN converter also written in Lua: the output file was then analyzed using a bit-flow processor tool. 
The analysis of the bitstream reveals a strong 1152 bits period that is exactly what is expected for the 4-bits symbols WBHF waveform (pic.7):

pic. 7
data-block: 256 symbols = 1024 bits
mini-probe: 32 symbols = 128 bits
frame (data-block + mini-probe): 288 symbols = 1152 bits
and in terms of symbols, there are no repetition caused by the scrambler (no auto-correlation property).

The same scrambling sequence generator polynomial x^9 + x^4 + 1is also used in STANAG-4285 waveform (see Annex-A to STANAG-4285) but with a different inizialization vector (see the picture below and pic. 1):
and the results are obviously the same,the bit flow processor only detects the expected 768 bits period:

 

Ital-HDLC/QUEDRE (High Level Data Link Control)

$
0
0
Looking at the Data Link layer, the many and seemingly boring STANAG-4285 transmissions start to get interesting: the followingis an example about the pair S-4285 and HDLC.
The HDLC (High Level Data Link Control) is a group of protocols for transmitting synchronous data packets between Point-to-Point nodes and operates at the data link layer of the OSI reference model. The protocol uses the services of a physical layer (for example STANAG-4285 or MS188-110 waveforms) , and provides either a best effort or reliable communications between the transmitter and receiver (i.e. with acknowledged data transfer as ARQ). The type of service provided depends upon the HDLC mode which is used.
Each piece of data is encapsulated in an HDLC frame (pic. 1) by adding a trailer and a header. The header contains an HDLC address and an HDLC control field. The trailer is found at the end of the frame, and contains a Cyclic Redundancy Check (CRC) which detects any errors which may occur during transmission. The frames are separated by HDLC flag sequences which are transmitted between each frame and whenever there is no data to be transmitted (idle phase).
There is much documentation about it in the web, some linksare givenat the bottom.
pic. 1 - HDLC Frame Structure showing flags, header 
(address and control), data and trailer (CRC-16)
Sample HDLC data signal follows, when not sending data, a hardware generated idle pattern is present on the data signal:

[... idle pattern ...][Flag][...Data...][CRC][Flag][... idle pattern...]

As said, HDLC can be met in STANAG-4285 and MS188-110 as "secondary" (transported) protocol: the following is anexample of itsdetection just in a STANAG-4285 transmission (pic. 2).

pic. 2 - a common STANAG-4285 transmission as seen by SA
Since I'm investigating the Data Link, I need a bitstream after having de-interleaved and removed the overhead bits added by the underlaying waveform; in other words, I need a STANAG-4285 decoded output. After identifyingthe correctsettingsfordata-rate and interleaver, 1200bps/short in this case, I ran a k500 session and got the bitstream coming from the upper layer (pic. 3) which I then saved in a ASCII-bits file.

pic. 3 - bistream of that same transmisssion after stanag-4285 removal
The HDLC flags areeasilyidentified looking for the "01111110" sequences (pic. 4) and the "presence" of this protocol has been confirmed (pic.5):

pic. 4
pic. 5
Thingswork in the same "logical" way TCP/IP stack does: as the data bits (the payload) flows down along a layer (transmitting-phase), they are encapsulated by (one of) the protocol running at that layer and this packet, data and protocol overhead, just forms the payload for the protocol that works at the next  layer. In this sample it's something like:
In the receiving-phase the packets go up the stack and are progressively de-encapsulated in order to return the starting payload, ie.e the original user-data.
That said, after removingStanag-4285 and then theHDLC stuff, I got the sent messages (pic. 6).

pic. 6 - HDLC messages
Frames are recognized as idle sequences (idle lin) and are characterized by the repetitions of the string "QUEDRE" closed by "XT". Other than the frame type, the bitstream analyzer correctly detects the HDLC blocks, sizes and computes CRC (pic. 7).

pic. 7
The word "QUEDRE" does not belong to the embedded commands of HDLC, rather it seems a sort of an agreed string used for the idle sequences (at least here). That string is anyway one of the distinctive signs, sincesome bit analyzers tools use indifferently both the terms Ital-QUEDRE and Ital-HDLC just to indicate this feature in respect of the standard HDLC protocol. Difficult to say what QUEDRE means, perhaps a sort of acronym or most likely an agreed term, as said above, but in lack of a safe source these are only speculations. Since there are no (encrypted) messages in the HDCL data fields, these are almost surely some test transmissions.

It is worth noting that the QUEDRE string is clearly visible also in the output of any STANAG-4285 decoders by enabling the synchronous mode with 8N1 framing: probably the decoder will be DataLinkaware so you will just see thoserepetitions and some other garbage due to the HDLC headers, addresses and CRC (pic. 8). Although the output text be consistent, this way isslightly misleadingbecauseyou lose the knowledge of theData Link.

pic. 8

http://www.interfacebus.com/HDLC_Protocol_Description.html 
http://www.synclink.com/html/hdlcmode.htm 
http://www.erg.abdn.ac.uk/users/gorry/eg3567/dl-pages/hdlc-framing.html 

A real example of e-mail over HF (via FTP) using STANAG-5066 and MS188-110A

$
0
0
in this recording two stations run STANAG-5066 with BFTP protocol client (a File Transfer Protocol) in order to exchange e-mails using the MS188-110A serial waveform. Note that the E-mail delivery does not happen here using STANAG-5066 HMTP client but rather by FTP_ingthe email file (containing all the SMTP headers and fields) ready to be processed by common e-mail clients such as Microsoft Outlook. 
It is worth mentioning thatBFTP (Basic File Transfer Protocol) client is defined by  STANAG-5066 Annex F.10.2.2, that same Annex also defines the Compressed File Transfer Protocol client (CFTP) that provides the most bandwidth-efficient exchange of data just using BFTP (MIL-STD-188-141B Notice 1 APP.E).
Talk about e-mail and file-transport protocols go beyond the purpose of the blogso I preferto have an HF approach, keeping in mind that STANAG-5066 is designed for running IP applications over HF and that the stuff (in this sample) is arranged as in pic. 1.


pic.1
As said above, the heard waveform is a standard MS-188-110A serial, as can be verified by SA (pic. 2) although a little shift of the sub-carrier from the nominal 1800 Hz. Since at this stage the signal is coming directly from the USB demodulator, we face Over The Air (OTA) symbols. The structure of the MS188-110 frame is recognizable from the bitstream returned by the SA phase-plane demodulator after its conversion (pic. 3).

pic.2
pic.3 - OTA bitstream after demodulation performed by SA
In order to dig the signal we need de-scramble and de-interleave it and then  remove the extra bits added by the FEC encoder: a basic decoder will do the job returning the bitstream after the MS188-110 removal. Once detected the presence of STANAG-5066 as "secondary" protocol, we need to remove also its encapsulation so to get  the email message that have been transferred by BFTP protocol at sender side. Note that the name of FTPprotocol is HBFTP, as it appearsin the output window of the analyzer(pic.4). 

pic.4 - the bits trasferred by HBFTP after removed STANAG-5066 and MS188-110A
The acronym HBFTP could stand for HF-BFTP and is suggested to be the Harris implementation of this protocol,available inmail-gateway as the HARRIS RF-6760W Wireless Message Terminalor RF-6750W Wireless Gateway.
The contents of 000_HBFTP--3  can be saved to a file and Windows assigns the .eml extesion sincethe file exhibits all the features as it was received from a conventional SMTP server via an Internet connection (pic.5).  The file can be  opened and processed by Microsoft Outlook w/out problems: Outlook simply does not care where and how this file has arrived (pic. 6). For reasons of confidentiality the email addresses have been deliberately blackened.

pic.5

pic.6

logs

$
0
0
19864.0 ---: Russian Mil, RUS 1400 USB CIS-45 OFDM HDR modem_v2 40Bd BPSK (29Feb16) (AAI)
10250.0 GHARB3: GMRA net, LYB  1333 USB MIL 188-141 ALE calling HQ2, cmd "IFBUIFSHSBIBN" flwd by CLOVER-2000 (29Feb16) (AAI)
10588.0 FC4FEM1: FEMA region 4 Thomasville GA, USA 0748 USB MIL 188-141 ALE sounding (29Feb16) (AAI)
10838.5 ---: Unid 0737 (cf +1500Hz on USB) R&S ALIS 228.65Bd/170 Called address: 69 (29Feb16) (AAI)
10442.0 ---: Unid 0735 (cf) FSK 100Bd/800 (29Feb16) (AAI)
16256.5 ---: Unid 0757 USB THALES Skymaster ALE (rptd at 16262.5) (27Feb16) (AAI)
14550.0 A2: Unid (prob. Moroccan Army?) 0912 USB MIL 188-141 ALE calling A5 (26Feb16) (AAI)
14550.0 A2: Unid (prob. Moroccan Army?) 0905 USB MIL 188-141 ALE calling A4 (26Feb16) (AAI)
12431.0 APRUZZI: GdF Patrol Boat, I 0847 USB MIL 188-141 ALE calling CINUS (26Feb16) (AAI)
15626.0 ---: Russian Intel, RUS 0840 (cf) CIS FTM-4, MFSK-4 150Bd 4000Hz (tones at: -6, -2, +2, +6 KHz) (26Feb16) (AAI)
06320.0 Z1V: Slovak Mil, SLV 0709 USB MIL 188-141 ALE calling S1S (26Feb16 (AAI)
12142.0 ---: Russian Intel 1505 USB CIS-3000 serial PSK-8 3000Bd (24Feb16) (AAI)
10313.5 AABMEBCMD2: US Marines Batalion 0812 USB MIL 188-141 ALE calling MTAMEBCMD2 (24Feb16) (AAI)
06228.0 ---: unid 2207 USB Hagelin HC-256 voice scrambler (24Feb16) (AAI)
07617.0 123456: Turkish civil Defence "test call", TUR 2145 USB MIL 188-141 ALE sounding (24Feb16) (AAI)
18038.0 ---: Russian Mil, RUS 1035 CIS-45 OFDM HDR modem_v1 33.33Bd BPSK (24Feb16) (AAI)
12062.0 SKUBNO62: Polish Mil, POL 0803 USB MIL 188-141 ALE handshake with VQ6 (24Feb16) (AAI)
12062.0 SKUBNO62: Polish Mil, POL 0741 USB MIL 188-141 ALE calling VQ1 (24Feb16) (AAI)
08124.0 ---: Russian Navy, RUS 0721 (cf) FSK 100Bd/250 (24Feb16) (AAI)
07334.0 ---: Unid 0742 USB THALES Systeme3000 MFSK-8 Robust Mode + Systeme3000 ALE (23Feb16) (AAI)
07637.0 VNL: (prob. Slovenian Net) 0732 USB MIL 188-141 ALE calling POC (23Feb16) (AAI)
07500.0 ---: Unid 0730 USB Arcotel MAHRS-2400 serial PSK-8 2400Bd (23Feb16) (AAI)
08875.0 J62: Moroccan Military MRC 0723 USB MIL 188-141 ALE sounding (23Feb16) (AAI)
08183.5 DE1: Polish Mil, POL 0720 USB MIL 188-141 ALE handshake with HA2 (23Feb16) (AAI)
08180.0 ---: Unid 0825 USB Thales Systeme3000 ALE (22Feb16) (AAI)
05292.8 S: Unid Beacon 2204 CW "S" also on 5293.6 (21Feb16) (AAI)
05581.0 BB3: Israeli Air Force, ISR 2150 USB MIL 188-141 ALE sounding (21Feb16) (AAI)
05581.0 BB1: Israeli Air Force, ISR 2147 USB MIL 188-141 ALE sounding (21Feb16) (AAI)
05581.0 DD2: Israeli Air Force, ISR 2132 USB MIL 188-141 ALE sounding (21Feb16) (AAI)
09174.0 ---: Unid 1818 USB Arcotel MAHRS-2400 ALE burst (21Feb16) (AAI)
13417.0 ---: Russian Mil, RUS 0917 USB CIS-112 modem 22.22Bd π/4 DQPSK burst (19Feb16) (AAI)
14455.0 BLD: Algerian AF, ALG 0908 USB MIL 188-141 ALE clg CM3 (19Feb16) (AAI)
16357.0 XGX: Unid DHFCS node, U 0852 USB MIL 188-141 ALE calling XSS (18Feb16) (AAI)
16357.0 XGX: Unid DHFCS node, U 0845 USB MIL 188-141 ALE sounding (18Feb16) (AAI)
16148.0 XGX: Unid DHFCS node, U 0805 USB MIL 188-141 ALE calling XSS (18Feb16) (AAI)
16683.5 ---: Unid 0808 USB THALES Skymaster ALE Skyhopper mode (18Feb16) (AAI)
08107.0 XAE: Unid DHFCS node, U 0748 USB MIL 188-141 ALE calling XSS (18Feb16) (AAI)
09151.0 ---: Unid (prob. Swiss Diplo) 1454 (cf +1500 Hz USB) PacTOR-II encrypted message (17Feb16) (AAI)
09107.0 ---: Russian Mil, RUS 1420 USB CIS-60 HDR modem OFDM 35.5Bd (17Feb16) (AAI)





examples of Automatic Link Setup & traffic forward

$
0
0
MS188-141A + MS188-110A serial
MS188-141A + MS188-110A App.B

CODAN
MS188-141A + R&S GM2100

MS188-141A + voice comm

R&S ALIS + R&S GM2100
THALES Skymaster ALE + THALES TRC 177x serial modem


Unid DQPSK-19200Bd signal: new waveforms tests from Inmarsat-GW ?

$
0
0
Thanks to my friend KarapuZ, I recently had the opportunity to play with some signals heard in HF maritime segments, fixed and mobile services, mainly recordered on 8400 and 12300 KHz/USB. Although there are no definitive conclusions or official informations, some observers suggest to be the GW-OFDM system replacement after the Globe Wireless acquisition by Inmarsat:
http://www.inmarsat.com/press-release/inmarsat-acquire-globe-wireless/
All these signals exhibit a PSK modulation with spread spectrum and, following the trend of the waveforms described in the recent MIL-STD standards (WBHF waveforms family), the most of these signals have wide-band and high-speed performances, however not compatible with such standards. 
One of these signals is the DQPSK 19200 Baud, ~21KHz bandwidth, (pic. 1) described below.

pic. 1
As in almost all these signals, a 1500Bd starting block seems used to announce or precede the session: as shown in pic. 2, this block has a BPSK preamble and trailer and DQPSK data while the follwing three segments have a symbol rate of 19200 Baud and DQPSK modulation (pic. 3).

pic. 2 - 1500Bd starting segment
pic. 3 - 19200Bd segments
By selectingand analyzingthe second 19200Bd segment, the longer one, we can get some clues about its frame structure. Looking at pic. 4 we can see frames of alternating data and miniprobe symbols. Each data frame consists of a data block followed by a mini-probe consisting of symbols of known data.  After 4 data blocks, the initial preamble (or an its symbol subset) is reinserted most likely to facilitate late acquisition of an ongoing transmission.

pic. 4 - frame structure
Frame structure and times are confirmed by running both CCF and ACF functions (pic. 5): note that 120ms frame makes 2304 QPSK symbols, ie 4608 bits, at 19200 Baud speed.
 
pic. 5 - CCF and ACF results
In order to find the data block and known data (miniprobe) lengths we need to investigate the 120ms frame by using a bitstream analyzer as shown in pic. 6.
 
pic. 6 - 19200Bd segments
As expected, the period legth is 4608 bits that matches the 120ms or 2304 QPSK symbols. Since the mini-probes consist of well known data, their pattern is easily recognizable into the bitstream and we can get a pretty acurate measurement of the length: 512 bits, ie 256 QPSK symbols (pic. 7)

pic. 7 - known data lenght
Unless my mistakes, each 2304 symbols frame consists of a data block consisting of 2048 data symbols followed by a mini-probe consisting of 256 symbols of known data. After 8192 data symbols, ie each four data blocks, a 512 known symbols set (preamble?) is reinserted (pic. 8)

pic. 8 - frame structure

Just about preamble (or an its subset) re-insertions, it's worth nothing that MIL-STD 188-110C W/ CHANGE NOTICE-1 (03-JAN-2012) removed the Paragraph D.5.4 sentence "The reinserted preamble facilitates acquisition (or re-acquisition) of an ongoing broadcast transmission." since it refers to a feature that is obsolete.

Little or nothing can be said about the secondary protocol: we can work on just the over-the-air symbols, unless to find the scrambler ploynomial, interelaver lenght and CRC algorithm... but that's another story.

Chinese-64: MFSK-64, 37.5Bd 37.5Hz

$
0
0

Since the weak signal, a tip from KarapuZ was decisive to indentify the name of the signal: he sent me his recording of the Chinese-64 modem and it's easy to verify that both the records show the same start sequence of symbols (pic. 1), unless the white-circled descending ramp which is visible in my recording. About that ramp, it's difficult to say if is a new-add to the original signal, maybe for delimiting message segments, or if it's unrelated to the signal: my opinion is that the latter is less probable since the ramp happens in between consecutive sessions without overlapping.

pic.1
The signal was heard on 16990.2 KHz (cf) around 0910 UTC, it consists of 64 tones, 37.5 Hz spaced, modulated at 37.5 Baud speed (pic. 2): these values sligthly differ form the ones reported in the analysis by radioscanner.ru friends.

pic.2
It's worth nothing an odd behavior of the signal, seen in both the two recordings: in some segments the tones seem to have a longer duration (~50ms) that in some way could affect the speed computation.

pic.3

Viewing all 623 articles
Browse latest View live


<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>