Channel: diario SWL I-56578 Antonio

playing with MARS-ALE v3.00 and FS-1052 DLP messaging


MARS-ALE is a Personal Computer based 2G-ALE Modem and Controller that in conjunction with a supported computer controllable HF SSB transceiver allows for HF ALE communications. MARS-ALE also provides an implementation of FED-STD 1052 (FS-1052) Appendix B, DLP Data Link Protocol, running over the integral software defined MS188-110A modem on the PC Sound Device. The latest MARS-ALE v3.00 and MS-DMT (MIL-STD Data Modem Terminal) versions can be downloaded from here: 

When used in conjunction with other programs such as Audacity, Signals Analyzer, MS-DMT and BEE (a bitstream editor), MARS-ALE is a great tool for practicing with MS188-110 ST and FS-1052 DLP waveforms: digital signal enthusiasts can prepare clear and clean waveforms for study, analysis and comparisons with real-world signals. Below is a short FS-1052 DLP messaging example just to show and understand the educational possibilities offered by MARS-ALE.

Modem Type and Data Mode settings are configured as follows (pic. 1,2)

Pic. 1 - MS188-110 messaging settings
Pic. 2 - FS-1052 DLP messaging settings
As expected, because of the overhead added by FS-1052 DLP, this transmission lasts longer than an MS188-110 SYNC transmission sending the same message at the same data rate (pic. 3)

Pic. 3 - duration of the two transmissions
 
In pictures 4,5 I run two MARS-ALE sessions, acting as the transmitting and receiving modems, linked by a virtual cable: since FS-1052 DLP is a Data Terminal protocol, no portions of the message are printed until the entire message is received error free.

Pic. 4 - entering the message to be sent via MS188-110 + FS-1052 DLP
Pic. 5 - transmitting and receiving modems
For the same reason, it's very interesting to note that a plain MS188-110 receiving modem, for example the MS-DMT modem, does not print any message on its output screen except the HEX string "5C 5C 5C D3 00 00 00 00 00 00 00 00" (pic. 6), and that is just the frame sync pattern used to mark DLP processed traffic.

Pic. 6 - MS-DMT modem facing a FS-1052 DLP transmission
From FED-STD 1052 App.B "50.1.1.1 Frame sync pattern":  Each new transmission over the physical channel shall begin with a three byte (24-bit) frame synchronization pattern to identify the following traffic as DLP processed traffic. The frame synchronization sequence in hexadecimal format, shall be "5C5C5C". The sync pattern shall be transmitted such that the first eight bits in order of transmission are "00111010". Note: As shown here in transmission sequence, the left-most bits are the LSBs.


The FS-1052 DLP frame sync pattern can be easily seen by processing the ASCII-bits file obtained from the output of a common MS188-110 decoder, such as Sorcerer used in this example (pics 7,8): this way we get the bitstream after the MS188-110 overhead has been removed

Pic. 7 - bitstream after MS188-110 removal
Pic. 8 - FS-1052 DLP frame sync pattern
If a transmission contains more than one frame, a two-byte sync sequence shall be inserted between each pair of adjacent frames: this pattern (hexadecimal) is "5C5C" (pic. 9)

Pic. 9 - two-byte sync sequence between frames

The sync sequences, along with other control bits and CRC, are also visible looking at the output of the ASCII parser of the bitstream editor: note the lack of such bits in a plain MS188-110 transmission (pic. 10)

Pic. 10
From FED-STD 1052 App.B "50.1.1.5 CRC error control checksum": a 32-bit CRC following the Frame Headers and Data field shall conclude each protocol frame. After initially setting all 32 bits to one, the CRC shall be calculated using all bits of the frame starting with the Sync Mismatch bit and ending with the last bit of the Frame Headers and Data field. The generator polynomial for the CRC calculation shall be:

 x^32+x^26+x^23+x^22+x^16+x^12+x^11+x^10+x^8+x^7+x^5+x^4+x^2+x+1

After removing the sync patterns from the bitstream, I tried to find all the possible 32-bit polynomials which match the data length and CRC bits, but it's a long, time-consuming procedure and I stopped it just after the first results (pic. 11)

Pic. 11 - find the CRC polynomial
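The two quoted clauses (frame sync pattern and CRC) can be exercised directly on an ASCII-bits stream. The following is an added example, not code from MARS-ALE or from the original post. It assumes the CRC register is clocked in order of transmission and that the remainder is appended highest-order bit first with no final complement, details the quoted text does not state; the sample frame is constructed.

```python
# Added example: FS-1052 DLP frame sync search and CRC-32 check on an
# ASCII-bits stream ('0'/'1' characters). Sample data is constructed.

SYNC_BYTE = 0x5C
# Exponents of the generator polynomial quoted from 50.1.1.5 (x^32 is implicit).
POLY_EXPONENTS = [26, 23, 22, 16, 12, 11, 10, 8, 7, 5, 4, 2, 1, 0]
POLY = sum(1 << e for e in POLY_EXPONENTS)


def byte_to_bits_lsb_first(value):
    """Bits of one byte in order of transmission (LSB first)."""
    return "".join(str((value >> i) & 1) for i in range(8))


def bytes_to_bits(data):
    return "".join(byte_to_bits_lsb_first(b) for b in data)


def bits_to_bytes(bits):
    """Regroup bits into bytes, first received bit = LSB; a partial tail is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(sum(int(bits[i + k]) << k for k in range(8)))
    return bytes(out)


def find_frame_sync(bits):
    """Bit offset of the first 24-bit sync (5C5C5C), or -1.

    The search is done on bits, not bytes, because the output of an
    MS188-110 decoder is not guaranteed to be byte aligned.
    """
    return bits.find(byte_to_bits_lsb_first(SYNC_BYTE) * 3)


def crc32_bits(bits):
    """Bit-serial CRC: register preset to all ones, one shift per input bit."""
    reg = 0xFFFFFFFF
    for b in bits:
        top = (reg >> 31) & 1
        reg = (reg << 1) & 0xFFFFFFFF
        if top ^ int(b):
            reg ^= POLY
    return reg


def build_frame(body):
    """Sync + body + CRC as a bit string (CRC bit order is an assumption)."""
    body_bits = bytes_to_bits(body)
    crc_bits = format(crc32_bits(body_bits), "032b")
    return bytes_to_bits(bytes([SYNC_BYTE] * 3)) + body_bits + crc_bits


def check_frame(bits):
    """None if no sync is found, else True when the CRC over the rest is clean.

    Running the register over body + appended CRC leaves a zero remainder
    when nothing was corrupted. The stream must end with the frame.
    """
    start = find_frame_sync(bits)
    if start < 0:
        return None
    return crc32_bits(bits[start + 24:]) == 0


if __name__ == "__main__":
    # Constructed sample: 4 stray bits, then one frame.
    stream = "1101" + build_frame(bytes([0xD3, 0x00, 0x10, 0x20, 0x45]))
    offset = find_frame_sync(stream)
    print("sync at bit", offset)
    print("bytes:", bits_to_bytes(stream[offset:]).hex(" "))
    print("CRC ok:", check_frame(stream))
```

With a known polynomial, checking a candidate frame is a single pass over its bits, where the search for an unknown polynomial has to repeat such a pass for every candidate.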

Another interesting MARS-ALE tool is the TRACING dialogue (pic. 12). This feature provides seven check boxes to enable/disable the display of data related to Received (RX) Words, Transmitted (TX) Words, program States, program Events, program Commands, program Timers and FS-1052 parameters as shown in pic. 13.

Pic. 12 - the "tracing" dialogue
Pic. 13 - tracing FS-1052 DLP at work

FS-1052 DLP is typically implemented in computer software applications and not in the hardware modem, however some tactical radios do implement an embedded 1052 ARQ and Broadcast capability. 
Historically, MIL-STD-187-721C, “Interface and Performance Standard for Automated Control Applique for HF Radio,” provides Appendix A (USAISEC Technical Report “HFDLP HF DATA LINK PROTOCOL”), which specifies HFDLP for use with MS188-110A.


MS188-110: probe designation symbols D1-D2 and 200ms ACF

In a previous post I already talked about the way the MS188-110 scrambler length affects the value of the ACF at certain data rates. Now I want to verify the typical 200ms ACF of a 2400 bps data rate (short interleaver): as seen in the above post, this ACF value is also met at other data rates along with the 66ms value. Summarizing:
  • In case of low data rates (from 150 up to 1200 bps) four groups of the pairs probe+data count 160 symbols (4 x 40) and they are just in sync with the scrambler length (160 symbols), causing the strong 66.67ms ACF.
  • In case of the lowest speed (75 bps data rate) the channel probes are not sent, so the 66.67ms ACF is just due to the scrambler length (160 symbols).
  • In case of 2400 bps the pair probe+data counts 48 symbols (32 symbols for data + 16 symbols for probe) and this value is not correlated to the scrambler length, so the "visible" ACF in this waveform, and in 4800 uncoded, is the known 200 ms or 480 symbols.
pic. 1

(Since we are talking about MS188-110 Serial Tone, I refer to "symbols" as over-the-air PSK-8 symbols).
But, why the 480 symbols ACF rather than the expected 48?

pic. 2 - strong 200ms ACF spikes in a MS188-110 signal
The short interleaver matrix dimension consists of 40 rows and 72 columns (= 2880 bit room) and is loaded in 600 ms. Indeed, for the 2400 bps data rate the FEC encoder results in 4800 bps coded rate, and so (4800 x 600)/1000 = 2880 are the bits transferred into the interleaver matrix during the 600ms short interleave load. At 2400 bps data rate the bits fetched from the interleaver matrix are grouped together as three bit entities that will be referred to as channel symbols and processed by the Modified-Gray Decoder (MGD). Then, the Symbol Formation function maps the three bit channel symbols from the MGD output into tribit numbers compatible with transmission using an 8-ary modulation scheme.
This means that from the short interleaver matrix we get 960 symbols that in turn will be transmitted in 30 data-blocks (unknown-data) of 32 symbols each (pic. 1). According to the framing table (pic. 1), each data-block is followed by a sequence of 16 known symbols (probe). That said, the length of an interleaver block will be 1440 channel symbols or 30 x (32+16).

The period of this waveform (pic. 3) exhibits a 1440-bit length (not symbols!), that is 1/3 of the interleaver block length: just ten data+probe frames, which are well visible in the bitstream. Looking closely at the patterns of the last two probes (circled in yellow in the picture), a sort of discontinuity is visible that is not present in the patterns of the middle probes.

pic. 3 - 1440-bit (or 480 symbols) period
The reason is the way those two probe patterns are formed (pic. 4):
 
MIL-STD 188-110 - "5.3.2.3.7.1.2 Known data"
During the periods where known (channel probe) symbols are to be transmitted, the channel symbol formation output shall be set to 0 (000) except for the two known symbol patterns preceding the transmission of each new interleaved block. When the two known symbol patterns preceding the transmission of each new interleaver block are transmitted, the 16 tribit symbols of these two known symbol patterns shall be set to D1 and D2, respectively, as defined in table XV of 5.3.2.3.7.2.1 and table XVII of 5.3.2.3.7.2.2. The two known symbol patterns are repeated twice rather than four times as they are in table XVII to produce a pattern of 16 tribit numbers.
(The three bit values of D1 and D2 also designate the bit rate and interleave setting of the transmitting modem during the Sync preamble sequence)
 
pic. 4
This is clearer when looking at the probe patterns in the middle positions of each interleaver block (pic. 5)

pic.5 - middle probe patterns
and at the last two probe patterns P(n-1) and P(n) preceding the transmission of one interleaver block. In pic. 6 these two probe patterns are shown in isolation.

pic. 6 - the two last probe patterns
The three rows, each of 1440 bit, identify one interleaver  block of 1440 channel symbols: the last two probe patterns are clearly visible (pic.7).
In my opinion the patterns of the last two probes of each interleaver block - or better the Designation Symbols D1, D2 - cause the 1400-bit/200ms ACF and they act as a sort of autocorrelation sequence.
 
pic. 7
It's worth noting that the 66.67ms ACF visible at lower data rates, and due to the scrambler length, corresponds to 480 bits and this value is a submultiple, exactly 1/3, of the 1440 bit period (200ms) that is due to the Designation Symbols D1,D2 in the last two probe patterns of the interleaver blocks. These two factors together produce the two ACF spikes visible, for example, in the 150bps data rate waveform (pics. 8,9).

pic. 8
pic. 9
The Find Period function, running at the same level, prints out one unique 1440 bit value for the 2400bps waveform (pic. 10)

pic. 10

(CIS) OFDM 64-tone QAM-16, 40Bd


This is an interesting burst waveform composed of a two-part preamble phase and a data phase; bursts have a duration of 2800ms and are spaced 980ms apart.

Preamble phase (pic. 1)
Part one has a duration of 8 symbol element periods (~200ms) and consists of LFM pulse modulated data.
Part two has a duration of 24 symbol element periods (~600ms) and consists of four unmodulated data tones with frequencies of 350, 1350, 2350 and 3350 Hz. During this part, the transmitted level of the 1350 Hz tone is 7 dB higher than the level of the 350 Hz and 2350 Hz tones and the transmitted level of the 3350 Hz tone is 7 dB lower than the level of the 350 Hz and 2350 Hz tones (pic. 2). Given the lack of the typical 3350 Hz tone, it's possible that the 1350 Hz tone is used for Doppler correction.

pic. 1
pic. 2
Data phase (pic. 3)
The data phase has a duration of 2000 ms and consists of 64 QAM-16 data tones with a constant modulation rate of 40 Baud. The 64 tones are spaced 46.8 Hz apart and span a bandwidth of about 2955 Hz.

pic. 3
Detailed analysis in the OFDM module indicates that one special/service symbol is sent every five symbols (pic. 4) and, as logically expected, this is confirmed by the 125ms value of the ACF (pic. 5).

pic. 4
pic. 5
Most likely this is a Russian signal: my friend KarapuZ sent me a recording with the evidence of a serdolik MFSK-32 ALE just before the OFDM 64-tone (pic. 6). That same ALE, characterized by the LFM period, was met here (waveform s3):
http://i56578-swl.blogspot.it/2015/10/prob-new-serdolik-mfsk-burst-waveforms.html

pic. 6

Unid PSK-8 Serial and non-standard LFM 2G-ALE (prob. Iranian source)


This transmission is composed of messages sent using the standard MS188-110 Serial Tone waveform (the ones indicated as 3, 4, 9, ...) and messages (as 9, 11, ...) transmitted using an MS188-110-like waveform that most likely is a proprietary variant. The transmission ends with a short op-chat, that may provide some clues about the origin of the signals, and one interesting non-standard ALE message that closes the link and is characterized by the presence of an LFM pulse waveform preamble.
Since it is the best recording of the non-standard MS188-110 signals, I report below the analysis of message #11 only.

As for the carrier, its modulation and symbol rate, the signal shares the same parameters as the MS188-110 modem: PSK-8 on a single 1800 Hz carrier frequency and a constant 2400 symbols per second output waveform (pic. 1)

pic. 1
 The structure of the signal is indeed different: after a ~211ms sync preamble phase, the data phase consists of 51.25ms frames of alternating data and known symbols (pic. 2). After 57 data frames a symbol sequence (most likely a subset of the initial preamble) is reinserted possibly to facilitate late acquisition, Doppler shift removal, and sync adjustment as requested by MS188-110 standard (pic. 3).

pic.2 - sync preamble and data phases
pic. 3 - preamble re-insertions
The most peculiar aspect of this waveform is its data frame that counts 123 symbols or 369 bit (51.25ms, as indicated by the ACF function in pic 4). The data frame consists of 91 data symbols and a mini-probe of  32 symbols of known data (pic. 5).
The length of the mini-probe, 32 symbols, is quite common and is largely used in MS188-110 waveforms, including the appendix D and C. The oddity is the 91-symbol length of the data block. We will need additional recordings to investigate it.

pic. 4 - 51.25ms ACF
pic. 5 - frame structure
 
About the short op-chat in the final part of the transmission, a friend of mine suggests that the language may belong to the Iranian group (Dari, Pushto, Kurdish) and possibly the protocol itself is developed there: the recording is available for anyone who wants to investigate, simply email me.

The ALE sequence that closes the link is shown enlarged (1/16) in pic. 6.
 
pic. 6 - the ending 2G-ALE sequence
It consists of three messages, each consisting of a Linear Frequency Modulation (LFM) pulse preamble followed by the "common" MS188-141 2G-ALE waveform: MFSK-8 carriers, manipulation speed of 125 baud and 250Hz step between carriers (pics 7,8).
 
pic. 7
pic. 8 MFSK-8 grid

logs

05892.0 ---: Unid (prob. Austrian Mil) 1505 USB MIL 188-110 App.B 39-tone QPSK (11May16) (AAI)
05892.0 OP00: Austrian Mil, AUT 1516 USB MIL 188-141 2G-ALE calling OC00 (11May16) (AAI)
05892.0 OY00: Austrian Mil, AUT 1513 USB MIL 188-141 2G-ALE calling OC00 (11May16) (AAI)
06329.0 OSY: Sailmail Brugge, BEL 2150 (cf +1500 USB) PacTOR-III, working PF6269  Dutch "Pleasure Ship" REBEL "PF6269 de OSY" (11May16) (AAI)
07617.0 302013: Turkish Civil Defense, TUR 2102 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 311013: Turkish Civil Defense Bilecik, TUR 2116 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 315018: Turkish Civil Defense Burdur, TUR 2054 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 324013: Turkish Civil Defense Erzincan, TUR 2053 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 327018: Turkish Civil Defense Gaziantep, TUR 2119 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 332013: Turkish Civil Defense Isparta, TUR 2118 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 349013: Turkish Civil Defense Mus, TUR 2058 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 357013: Turkish Civil Defense Sinop, TUR 2054 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 360018: Turkish Civil Defense Tokat, TUR 2101 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 364013: Turkish Civil Defense Usak, TUR 2100 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 371013: Turkish Civil Defense Kirikkale,TUR 2059 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 376013: Turkish Civil Defense Igdir, TUR 2121 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 8181: Turkish Civil Defense Cankiri, TUR 2121 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07739.0 3404: Sonatrach, ALG 2135 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07739.0 4216: Sonatrach, ALG 2137 LSB USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07739.0 4216: Sonatrach, ALG 2137 USB USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07803.5 ---: Unid (prob. French AF) 2145 USB J3E male, loop recorded message “Execute TOABCD1910608K 2115z” (10May16) (AAI)
07898.0 049116: Deutsches Rotes Kreuz, D 2129 LSB MIL 188-141 2G-ALE sounding (11May16) (AAI)
08016.0 P34: NPRD Net Pozega, HRV 1534 USB MIL 188-141 2G-ALE sounding (25Apr16) (AAI)
08070.0 PY50: Algerian Mil, ALG 15:41 USB MIL 188-141 2G-ALE calling XS50 (25Apr16) (AAI)
08115.0 PY30: Algerian Mil, ALG 1537 USB MIL 188-141 2G-ALE calling RK31 (25Apr16) (AAI)
08182.0 XSS: UK DHFCS TASCOMM Forest Moor, G 1548 USB MIL 188-141 2G-ALE calling XBP (25Apr16) (AAI)
08190.0 RHN: Saudi AF Riyadh, ARS LSB MIL 188-141 2G-ALE calling AAN (11May16) (AAI)
10272.5 049119: German Red Cross, D 1521 LSB MIL 188-141 2G-ALE sounding (25Apr16) (AAI)
13233.0 ---: NATO French station 0836 USB (cf +2 Khz) NATO-FSK 75Bd/850 sending KG-84 encrypted traffic, opchat in French (30Apr16) (AAI)
17513.1 M42b: Russian Government & Intel, RUS 1504 (cf) FSK 50Bd/800 messages (10May16) (AAI)
18038.0 ---: Russian Mil, RUS 1034 USB CIS-45 OFDM HDR modem v1 33.33Bd BPSK (11May16) (AAI)
22499.7 ---: Unid 1356 BPSK 125Bd traffic, s/off 1400 (10May16) (AAI)

 

SkyOFDM 22-tone, 64Bd QPSK, 2KHz bandwidth


This modem can be frequently spotted after the 2G-ALE handshake between Finnish MFA stations, being used to transfer data. It was probably developed by the Sky Sweeper team, hence its name SkyOFDM.
From Sky Sweeper manual
"SkyOFDM is a state of art high speed modem based on the OFDM and turbo coding technologies. It offers several baud rates (300-9600 bps) and two different interleaving options (short and long). Also there are two bandwidth options: 2.0 and 2.6 kHz. The receiver should be set to the USB reception mode.
The VHF/FM variant is not included in the SkySweeper Professional product."

This version uses 22 tones with QPSK modulation at 64 Baud (pic. 2) and exhibits the same special char sent every 5 signal element periods, also visible after the ACF function (pic. 3)

pic. 2
pic. 3
This special symbol is also visible by highlighting a single tone and inspecting the bitstream after the demodulation (pics. 4,5)

pic. 4 - analysis of the bottom tone
pic. 5
More info in the radioscanner site: 

 

STANAG-5511 (Link-11) SLEW: scrambler length and ACF value


Single tone Link Eleven Waveform (SLEW) is one of the modes defined within the Link 11 NATO standard. For SLEW, a single analog waveform is generated for the upper side band; the PSK-8 modulation process is achieved by assigning the tri-bit numbers from the scrambler to 45-degree phase increments of a 1800 Hz carrier. The symbol rate is 2400 Bd while the user data rate is 1800 bps (pic. 1).

pic. 1
The SLEW waveform transmission format consists of an acquisition preamble followed by two or more fields. Each 45 symbols field is followed by a 19 symbols reinsertion probe. The first field  after the preamble is the header field and contains information that is used by the Combat Data System (CDS) and the encryption device. If there are data to transmit, successive data fields follow the reinsertion probe of the preceding fields (pic. 2,3).

pic. 2 SLEW waveform structure
pic. 3
Running the Cross Correlation or Auto Correlation functions, a frame of 64 symbols or 192 bits is expected, but in contrast the CCF output exhibits clear and strong 320-symbol spikes corresponding to a period of 960 bits. Note that five data and reinsertion-probe pairs are arranged inside the period window (pic. 4).

pic. 4 - SLEW waveform CCF result (133.33ms)
So, why the 133.33ms, or 320 symbols, period?
As in pic. 5, the 45 phase encoded pairs (values 0, 1, 2, 3) are mapped into tri-bit numbers (by multiplying by 2).  The tri-bit numbers (0, 2, 4, 6) are used for symbol generation and scrambled  to take on all 8 phase states. During the reinsertion probe, 19 tri-bits (set all to "000") are used for known symbol formation and scrambled.
 
pic. 5 - SLEW waveform formation (reinsertion probe and data field)
Since the scrambler could be an important factor in ACF generation, let's give it a close look: it's worth noting that the data sequence randomizing generator is the same 12-bit shift register used in MS188-110 serial tone!

"The tri-bit numbers supplied for the symbols (both data and probe) are modulo-8 added to a three-bit value supplied by the data sequence randomizing generator. At the start of the data phase, the shift register is loaded with the initial pattern 101110101101 (binary) or BAD (hex) and advanced 8 times. The resulting three bits are used to supply the scrambler with a number from 0 to 7 which is modulo-8 added to the data/probe symbol. The shift register is shifted eight times each time a new three-bit number is required (every transmit symbol period). After 160 transmit symbols, the shift register is reset to BAD (hex) prior to the eight shifts."

As seen in MS188-110 low data rates, this 12-bit randomizing generator is the cause of the Link-11 SLEW ACF.
In fact, since the scrambler length of 160 symbols coincides with 2.5 frames, we get that every five frames - or just two scrambler cycles(!) - the same probe value "000" is scrambled exactly after the same number of shifts and hence produces the same probe patterns (pic. 6). The repetition of these same patterns produces the 320-symbol (or 960-bit) spikes in the CCF and ACF functions.

pic. 6 (qualitative representation, not to scale)
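The argument above can be reproduced numerically. The following is an added example, not code from the original post: it builds a SLEW-like symbol stream (45 random data tri-bits from 0, 2, 4, 6 plus 19 zero probe tri-bits per frame), scrambles it with a 12-bit register preset to BAD (hex) and reset every 160 symbols, and measures the symbol match rate at each lag. The feedback taps and the choice of output bits are assumptions made for illustration, since the quoted text gives only the preset, the eight shifts per symbol and the 160-symbol reset; the data is random and constructed.

```python
# Added example: why a 64-symbol frame scrambled with a 160-symbol
# sequence shows its correlation peak at 320 symbols.
import random
from math import gcd

FRAME_DATA, FRAME_PROBE = 45, 19   # field + reinsertion probe (from the text)
FRAME_LEN = FRAME_DATA + FRAME_PROBE
SCRAMBLER_LEN = 160                # register reset every 160 transmit symbols
INIT = 0xBAD                       # 101110101101


def scrambler_sequence(length=SCRAMBLER_LEN):
    """One cycle of scrambler tri-bits: 8 shifts per symbol from the preset.

    Assumption: tap positions and the three output bits are illustrative.
    The period of the result depends only on the reset interval.
    """
    state, out = INIT, []
    for _ in range(length):
        for _ in range(8):
            fb = ((state >> 11) ^ (state >> 5) ^ (state >> 3) ^ state) & 1
            state = ((state << 1) | fb) & 0xFFF
        out.append(state & 7)
    return out


def slew_symbols(n_frames, seed=1):
    """Scrambled PSK-8 symbol numbers for n_frames frames of random data."""
    rng = random.Random(seed)
    scr = scrambler_sequence()
    symbols = []
    for _ in range(n_frames):
        tribits = [2 * rng.randrange(4) for _ in range(FRAME_DATA)]
        tribits += [0] * FRAME_PROBE            # probe tri-bits are all "000"
        for t in tribits:
            s = scr[len(symbols) % SCRAMBLER_LEN]
            symbols.append((t + s) % 8)         # modulo-8 addition
    return symbols


def match_fraction(symbols, lag):
    """Fraction of positions where the symbol equals the one `lag` later."""
    n = len(symbols) - lag
    return sum(symbols[i] == symbols[i + lag] for i in range(n)) / n


def strongest_lag(symbols, max_lag):
    """Lag in 1..max_lag with the highest match fraction."""
    return max(range(1, max_lag + 1),
               key=lambda lag: match_fraction(symbols, lag))


def expected_period(frame_len, scrambler_len):
    """Least common multiple of frame length and scrambler length."""
    return frame_len * scrambler_len // gcd(frame_len, scrambler_len)


if __name__ == "__main__":
    syms = slew_symbols(100)
    for lag in (64, 160, 320):
        print(lag, round(match_fraction(syms, lag), 3))
    print("strongest lag:", strongest_lag(syms, 400))
    print("lcm(64, 160):", expected_period(FRAME_LEN, SCRAMBLER_LEN))
```

At a lag of 64 symbols the probes line up but are scrambled with different values, so they do not match; at 320 symbols both the frame position and the scrambler position repeat, and every probe symbol matches.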

phase keyed signals, SA, and fake demodulations

Playing with a STANAG-4285 signal and SA (Signals Analyzer) I met some problems in understanding correctly the synchronization sequence pattern of this waveform: the solution is very simple indeed and must be sought in the way the SA phase-plane module demodulator works. Below the story.
 
SA phase-plane demodulating a STANAG-4285 signal
 "The synchronization phase of the STANAG-4285 waveform consists of 80 symbols and is transmitted recurrently every 106.6 ms. This sequence uses 2-bit phase shift keying (2-PSK) modulation and the modulation rate is equal to 2400 bauds. The sequence is identical to a pseudorandom sequence of length 31, which is repeated periodically within the 80-symbol window, i.e., the synchronization sequence consists of 2 periods of length 31 plus the first 18 symbols of another period. A generator for the synchronization sequence is described in pic. 1. The generator polynomial is: x^5 + x^2 +1.
At the beginning of every frame the generator is initially set to the following value: 11010. The first symbol of the synchronization sequence is identical to the least significant bit of this initial value. The remaining 79 symbols are obtained by applying the clock 79 times.
The scrambling operation is carried out on reference and data symbols only, not on the synchronization sequence."
pic. 1 - S-4285 sync sequence generator
Coding into 8-ary is achieved by mapping one-bit to one-symbol according to the following rule in pic. 2: "000" for bit "0" (symbol 0) and "100" for bit "1" (symbol 4)
pic. 2 - coding 04
Such sync sequence generator can be simulated running a simple Lua program: since the sync sequence is not subjected to the scrambling, the output file generated by the program is just the STANAG-4285 sync sequence that we want. The pattern of the sync sequence is visible using the BEE bitstream analyzer (pic. 3).

pic. 3 - sync sequence pattern (mapping 0-4)
Curiously, looking at a real world STANAG-4285 signal demodulated by SA phase-plane, its 80 symbols sync sequence has a different pattern than the one expected (pic. 4)

pic. 4 - sync sequence pattern of a S4285 real-world signal
Inspecting the same sync sequence of a STANAG-4285 modem, an original and clean signal, things seem even worse (pic. 5)
pic. 5 - sync sequence pattern of a S4285 modem
  
The interesting matter is that editing the mapBit() function of the Lua code as below:
  
local function mapBit(Ubit)
   local symbol_8ary  -- Lua identifiers cannot start with a digit
   if (Ubit == "0") then
      symbol_8ary = {"1","1","1"} -- symbol number 7
   else
      symbol_8ary = {"0","1","1"} -- symbol number 3
   end
   return symbol_8ary
end

we can get the same sync sequence pattern of the modem sample just by using the mapping 7-3 rather than 0-4, which is equivalent to adding a negative π/4 phase rotation to the original mapping 0-4 (pics 6,7)

pic. 6
 
pic. 7
Same conclusions for the over-the-air (real world) STANAG-4285 signal: in this case the used mapping is 4-0, equivalent to a π phase rotation or phase opposition (pics 8,9)

local function mapBit(Ubit)
   local symbol_8ary  -- Lua identifiers cannot start with a digit
   if (Ubit == "0") then
      symbol_8ary = {"1","0","0"} -- symbol number 4
   else
      symbol_8ary = {"0","0","0"} -- symbol number 0
   end
   return symbol_8ary
end
pic. 8
pic. 9
The reason for the above incongruences between the expected pattern and the obtained ones is very simple: SA is a signal analyzer and not a decoder (and I had forgotten!).
Being part of an analyzer, the SA phase-plane module uses a sort of "universal demodulator" that does not rely on any particular protocol to sync its demodulator exactly, as instead happens in decoders "suited" to STANAG-4285 (for example), such as Sorcerer, Sigmira and many others. In other words, the SA phase-plane demodulator is not synchronized with the waveform being analyzed and the resulting phase offset may cause different (fake) results for the same waveform. So, the more the phase values, the more the variants that the demodulator produces: for example, in case of a π/4 DQPSK modulation 24 different decodings are possible, and it surely isn't the worst case.
Working with phase keyed signals, the SA phase-plane demodulator produces correct interpretations and views under a "quantitative" profile (number of phases, angles, modulation speed, carrier frequency,...) but uncertain results under a qualitative (demod) one.
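The sync generator and the effect of an unsynchronized demodulator can be put side by side in a few lines. The following is an added example, not the Lua program used for the post: it generates the 80-symbol sync sequence from x^5 + x^2 + 1 with initial value 11010, applies the 0-4 mapping with an arbitrary phase offset in 45-degree steps, and shows how a receiver that knows the sync sequence can recover the offset by comparing against it. The shift direction and feedback wiring are assumptions (pic. 1 is not reproduced in the text), and `resolve_rotation` is a hypothetical helper, not a function of SA or of any decoder named here.

```python
# Added example: STANAG-4285 sync sequence, 8-ary mapping, and the effect
# of a constant phase offset in an unsynchronized demodulator.

SYNC_LEN = 80
INIT_STATE = 0b11010


def sync_bits(n=SYNC_LEN, state=INIT_STATE):
    """Sync bits from x^5 + x^2 + 1; the first output is the LSB of the preset.

    Assumption: the register shifts toward the LSB and the bit fed into the
    MSB is b0 XOR b2.
    """
    bits = []
    for _ in range(n):
        bits.append(state & 1)
        fb = (state ^ (state >> 2)) & 1
        state = (state >> 1) | (fb << 4)
    return bits


def map_bits(bits, rotation=0):
    """Bit 0 -> symbol 0, bit 1 -> symbol 4, then add `rotation` 45-degree steps.

    rotation=7 (minus pi/4) gives the 7-3 mapping, rotation=4 (pi) gives 4-0.
    """
    return [(4 * b + rotation) % 8 for b in bits]


def resolve_rotation(symbols, reference_bits):
    """Return (rotation, matches) that best aligns `symbols` with the reference.

    Each of the 8 candidate offsets is removed in turn and the result is
    compared with the expected 0-4 pattern. A rotation by pi swaps 0 and 4,
    turning the sequence into its complement, so only one candidate can
    agree with the reference.
    """
    ref = map_bits(reference_bits)

    def score(k):
        return sum((s - k) % 8 == r for s, r in zip(symbols, ref))

    best = max(range(8), key=score)
    return best, score(best)


if __name__ == "__main__":
    bits = sync_bits()
    print("bits    :", "".join(map(str, bits)))
    for rot, label in ((0, "0-4"), (7, "7-3"), (4, "4-0")):
        symbols = map_bits(bits, rot)
        print(label, ":", "".join(map(str, symbols[:31])),
              "-> offset", resolve_rotation(symbols, bits)[0])
```

The three printed symbol rows carry the same sync sequence; only the constant offset differs, which is what a protocol-aware decoder removes before interpreting the symbols.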


unid PSK-8 2400Bd burst waveform


This transmission was spotted on 6550.0 KHz/USB (16 May) at 2024 UTC and consists of a 3-burst train: each burst has a duration of ~1048ms and the interval between two consecutive bursts is ~385ms. The signal occupies a bandwidth of 2880 Hz (pic. 1).

 
pic. 1
The signal shares the common PSK-8 waveform features, 1800Hz single tone carrier and 2400Bd symbol rate, although the 8-ary constellation is a bit confused: four "clear" points and four "nuanced" points, as shown in pic. 2. Such a feature has been observed in some Chinese waveforms but in this case, given the strength of the signal, it's difficult to confirm this origin.

pic. 2
About the structure of the waveform, it's possible to detect the presence of a preamble sequence (CCF of pic. 3) which has a duration of 200ms and precedes the data transfer.

pic. 3
Data are structured in a 32-symbol frame, or 96 bits (pic. 4). The frame duration of 13.33ms (32 symbols @ 2400Bd) is the same as that of the STANAG-4538 BW-3 (LDL traffic data PDUs) but the burst duration does not match the BW3 characteristics (pic 4,5): for example, burst duration is computed to 1226.45ms in case of a packet of 64 frames while the burst of the signal being analyzed has a duration of 1048ms.
 
pic. 4

pic. 5
By the way, as seen in some previous posts, the measured period of a certain signal may not coincide with its frame structure: it has been shown that in particular circumstances the period length, and hence the ACF value too, is produced by the length of the scrambler or the interleaver combined with the real frame length.

Similar transmissions are often spotted on 14870.0 KHz/USB and "rumors" say it could be a modified 3G-ALE waveform. Comments are welcome, a short recording is available on e-mail request.

FSK 300Bd/850


This FSK signal has been heard on 6699.0 KHz (cf), manipulation speed is 300 symbols/sec (quite unusual) and the shift between tones is ~850 Hz (pics. 1,2)

pic. 1
pic. 2
The transfer is continuous and data are encrypted but since I tuned it after its initial phase, I did not find any particular sequence in the demodulated bitstream. However friends from radioscanner.ru that spotted a whole transmission say it contains KG-84 identifier in the initial part of the transmission: this signal is reported here
The signal has a characteristic "batman-like" spectrum that exhibits 955Hz bandwidth (pic. 3)

pic. 3

logs


06250.0 IABC: Italian Navy, I 1318 USB opchat with IDR, testing a faulty STANAG-4285 modem (17May16) (AAI)
06300.0 AVE: Unid Italian station 0920 J3E/USB op-chat with ROMA, QSY 5800.0  (20May16) (AAI)
06341.0 ---: Unid 1248 USB Thales Systeme3000 ALE (17May16) (AAI)
06417.0 XSL: Japanese Navy (aka Japanese Slot Machine) 2025 USB QPSK encrypted shore to ship (12May16) (AAI)
06790.0 4042: Sonatrach, ALG 0608  LSB MIL 188-141 2G-ALE sounding (21May16) (AAI)
06795.0 316013: Turkish Civil Defense, TUR 2202 USB MIL 188-141 2G-ALE global AllCall (16May16) (AAI)
06795.0 318018: Turkish Civil Defense, TUR 2153 USB MIL 188-141 2G-ALE global AllCall (16May16) (AAI)
06795.0 334018: Turkish Civil Defense, TUR 2201 USB MIL 188-141 2G-ALE global AllCall (16May16) (AAI)
06795.0 370018: Turkish Civil Defense, TUR 2156 USB MIL 188-141 2G-ALE global AllCall (16May16) (AAI)
06803.0 OC00: Austrian Mil, AUT 0754 USB MIL 188-141 2G-ALE handshake with OP00 then into MIL 188-110 App.B 39-tone (12May16) (AAI)
06815.0 JP20: Algerian Mil, ALG 0731  USB MIL 188-141 2G-ALE handshake with PY20 then into MIL 188-110 serial (12May16) (AAI)
06831.0 D20: National Protection and Rescue Directorate, HRV 0838 USB MIL 188-141 2G-ALE calling E5X (22May16) (AAI)
06831.0 E5X: National Protection and Rescue Directorate, HRV 0839 USB MIL 188-141 2G-ALE calling D20 [CMD AMD][RADIO TEST MESSAGE 22052016] (22May16) (AAI)
06831.0 R51: National Protection and Rescue Directorate, HRV 0839 USB MIL 188-141 2G-ALE sounding (20May16) (AAI)
06831.0 Z01: National Protection and Rescue Directorate, HRV 0825 USB MIL 188-141 2G-ALE sounding (22May16) (AAI)
06834.0 ---: Unid 1223 USB Thales Systeme3000 ALE (17May16) (AAI)
06867.0 (no call): Unid net 0736 USB MIL 188-141 2G-ALE calling ABK4 (12May16) (AAI)
06867.0 ABC7: Unid net 0729 USB MIL 188-141 2G-ALE calling ABD1 (12May16) (AAI)
06906.0 5001: Unid net 0607  USB MIL 188-141 2G-ALE sounding (21May16) (AAI)
06931.0 ---: Unid (prob. Croatian Mil/Gov) 0611 USB modified STANAG-4285 modem (21May16) (AAI)
06952.0 ---: Russian Intel, RUS 2044 (cf + 1600Hz USB) 5 x MFSK-16 10Bd 20Hz, BPSK 250Bd Hybrid modem (12May16) (AAI)
07739.0 4204: Sonatrach, ALG 0729 USB MIL 188-141 2G-ALE sounding (20May16) (AAI)
07814.3 C3: Royal Moroccan Army, MRC 0622 USB MIL 188-141 2G-ALE calling R3 (14May16) (AAI)
07890.0 CS001: Macedonian Mil, MKD 0635 USB MIL 188-110 ST sending FED-1052 App.B data to RS002 then terminate link (16May16) (AAI)
07950.0 FN01: Algerian Mil, ALG 0857 USB MIL 188-141 2G-ALE calling PY01 (20May16) (AAI)
08016.0 Z01: National Protection and Rescue Directorate, HRV 2001 USB MIL 188-141 2G-ALE sounding (12May16) (AAI)
08023.0 FQ55: Algerian Mil, ALG 0753 USB MIL 188-141 2G-ALE calling PY40, flwd by short (prob. Hagelin HC-256) scrambler and terminate link (20May16) (AAI)
08162.0 BX01: Algerian Mil, ALG 0737 USB MIL 188-141 2G-ALE calling BX02 (20May16) (AAI)
08162.0 MDN:  (prob. Algerian Ministry of Defence, ALG) 0745 USB MIL 188-141 2G-ALE sounding (20May16) (AAI)
08162.0 MV01: Algerian Mil, ALG 0738 USB MIL 188-141 2G-ALE calling PY01 (20May16) (AAI)
08162.0 PC02: Algerian Mil, ALG 0742 USB MIL 188-141 2G-ALE calling PY01 (20May16) (AAI)
13449.5 ---: Uk Mil/Gov, UK 1500 USB WINDRM modified waveform OFDM 51-tone (20May16) (AAI)
14710.0 RIA: Finnish Embassy Riyadh, ARS 1734 USB MIL 188-141 2G-ALE calling HKI2 Helsinki, flwd by SKY-OFDM 22-tone (12May16) (AAI)
17500.0 ---: Russian Intel/Diplo 0833 USB CIS-3000: PSK-8 serial tone, 2000Hz carrier, 3000Bd (17May16) (AAI)

DSSS (Direct-Sequence Spread-Spectrum) as a reason for the 'unid PSK-8 burst waveform' ?


This burst signal, spotted some days ago on 6550.0 KHz/USB, has already been studied in this post. In short, it consists of a transmission of 3 x 1048ms bursts; each burst consists of a preamble followed by data blocks structured in 32-symbol frames. The waveform used is the conventional PSK-8 modulation of an 1800Hz carrier at a symbol rate of 2400 Bd. The 3-burst transmission is repeated at regular intervals.
Talking about this unid waveform, my friend AngazU - intrigued by its weird 8-ary constellation - suggested a different analysis approach, based on the DSSS (Direct Sequence Spread Spectrum) technique.
Since this was an interesting as well as new point of view, I asked AngazU to produce a very basic introduction to DSSS and then we rethought the analysis of the burst waveform, bearing in mind the main features of some DSSS signals, such as GLONASS and PacTOR IV (shortly analyzed here): the results of this comparison are very interesting.
The story is below; keep in mind that we deal only with free/cheap software from the Internet, with no expensive hardware/software tools such as the ones available to official organizations. Should the reader have some quality wav recordings of potential DSSS or FHSS signals, we will do our best to analyze them.

Direct Sequence Spread Spectrum (DSSS)

DSSS (Direct Sequence Spread Spectrum) techniques are becoming quite popular. Some well known uses are Sats (GPS, Glonass, etc.), 3G mobile comms (CDMA), W-LAN, etc.
In DSSS the message signal is used to modulate a bit sequence known as the Pseudo-random Noise (PN) code; this PN code consists of pulses (chips) of a much shorter duration (and hence larger bandwidth) than the pulse duration of the message signal. The modulation therefore has the effect of chopping up the pulses of the message signal, resulting in a signal which has a bandwidth nearly as large as that of the PN sequence. The resulting signal resembles white noise, just like an audio recording of "static". However, this noise-like signal is used to exactly reconstruct the original data at the receiving end, by multiplying it by the same PN sequence (de-spreading), which is known by the receiver.
Key parameters are: PN sequence length, the chip-rate and the spread factor, that refers to the expansion of signal spectrum. The chip rate of a code is the number of pulses per second (chips per second) at which the code is transmitted (or received). The chip rate is larger than the symbol rate, meaning that one symbol is represented by multiple chips. The ratio is known as the spreading factor (SF) or processing gain:

PacTOR IV

We know that PacTOR IV uses M-ary modulation and DSSS techniques in some modes. We run the envelope detector in order to get the modulation speed (pic. 1): the recording in use for analysis is from our friend Karapuz.

pic. 1 - modulation speed in the AM envelope
The AM envelope shows a clear line at 1800 Hz, but in the three middle segments there are also other lines (eight) starting from 225 Hz and its multiples. This is an odd feature in normal PSK signals but is indeed a characteristic of DSSS. In this case the symbol-rate is 225 sps and the chip-rate is 1800 cps, which makes a spread factor (SF) = 8.
Another important feature can be seen by looking at the phase vector of the DSSS segments (pic. 2)
 
pic. 2
In this picture the phase evolution has a sawtooth structure: according to MIL-STD 188-181A (1), this means that the constellation keeps rotating point by point in only one sense.

Note that in PacTOR IV signals the 8-ary constellation is obtained using the value of the chip-rate (1800 symbols/sec) rather than the (lower) real symbol-rate. The reason is that we only see the over-the-air bitstream, which has to be de-spread before a valid demodulation can be obtained.




GLONASS

Glonass is the Russian GPS, and uses FDMA and DSSS for every carrier. Data is well known, so we use it to prove the concept. We know that the DSSS of Glonass sats uses a chip rate of 511 Kb/s. In this case, the chip rate is much bigger than the symbol rate. Picture 3 shows the speed measurement of a Glonass sat signal. It is the chip rate and we get a quite good value, since the nominal is 511000 MHz.

pic. 3
The PN sequence for GLONASS sats is made up of 511-bit codes. Since the chip rate is bigger than the original speed, there are redundant blocks that generate strong ACF spikes of 1 ms or 511 bits (pic. 4).

pic. 4
Using the carrier and the symbol-rate we get the PSK-2 constellation of the signal (pic. 5)

pic. 5

After demodulation you can get bits from GLONASS signals and use a bit editor to prove that chip code is 511 bits (pic. 6)

pic. 6
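The mechanism described in the DSSS introduction and checked on GLONASS above (a 511-chip code that produces ACF spikes every 511 bits, and de-spreading with the known PN code) can be reproduced on synthetic data. The following Python sketch is an added example, not code from the authors or from any tool used in this post; the LFSR taps, the 4 code periods per data bit, the message bits and the noise level are assumptions chosen for illustration.

```python
import random


def m_sequence(nbits=9, taps=(5, 9)):
    """One period of an LFSR m-sequence as +1/-1 chips.

    Stages 5 and 9 of a 9-stage register form a primitive trinomial, so
    the period is 2**9 - 1 = 511 chips. Constructed code for illustration;
    it is not claimed to be the code of any real system.
    """
    state = [1] * nbits
    chips = []
    for _ in range(2 ** nbits - 1):
        chips.append(1 - 2 * state[-1])        # bit 0 -> +1, bit 1 -> -1
        feedback = 0
        for t in taps:
            feedback ^= state[t - 1]
        state = [feedback] + state[:-1]
    return chips


def spread(bits, code, reps):
    """Multiply every data bit by `reps` repetitions of the PN code."""
    out = []
    for b in bits:
        sign = 1 - 2 * b
        out.extend(sign * c for c in code * reps)
    return out


def acf_peak(signal, max_lag):
    """Return (lag, value) of the strongest normalised ACF peak in 1..max_lag."""
    n = len(signal)
    best_lag, best_val = 0, 0.0
    for lag in range(1, max_lag + 1):
        val = sum(signal[i] * signal[i + lag] for i in range(n - lag)) / n
        if val > best_val:
            best_lag, best_val = lag, val
    return best_lag, best_val


def despread(rx, code, reps):
    """Correlate each symbol-long slice with the known code, then decide the bit."""
    ref = code * reps
    bits = []
    for start in range(0, len(rx) - len(ref) + 1, len(ref)):
        corr = sum(r * c for r, c in zip(rx[start:start + len(ref)], ref))
        bits.append(0 if corr > 0 else 1)
    return bits


def demo():
    code = m_sequence()
    data = [1, 0, 0, 1]                         # constructed message bits
    reps = 4                                    # assumption: code periods per data bit
    tx = spread(data, code, reps)
    rng = random.Random(1)                      # fixed seed: repeatable noise
    rx = [x + rng.gauss(0.0, 3.0) for x in tx]  # noise 3x the chip amplitude
    lag, val = acf_peak(tx, 600)
    return {
        "spread_factor": len(code) * reps,      # chips per data bit
        "acf_lag": lag,
        "acf_value": val,
        "recovered": despread(rx, code, reps),
        "sent": data,
    }


if __name__ == "__main__":
    print(demo())
```

The ACF peak falls at the code length even though the receiver-side noise is three times stronger than a single chip, and the correlation over a whole symbol still recovers the message bits.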

the 'unid PSK-8 burst waveform'

In light of what was seen about signals that use DSSS, mainly the presence of "harmonics" in the envelope detector and the shape of the phase vector, it's worth resuming some aspects of this signal.
As far as the modulation speed is concerned, we get a clear speed line at 2400 but also many lines starting from 150 Hz and going up in multiples (pic. 7), which are a clue to the DSSS technique: in this case using a spread factor SF = 16 (2400/150).
pic.7
Another important clue comes from the analysis of phase vector of the signal (pic. 8)
 
pic.8
The phase vector has mostly four states and segments of eight states, and probably this is the reason for the "nuanced points" in the constellation of picture 9. The interesting thing is its shape, which in some parts is like the sawtooth seen in the phase vector of PacTOR IV. As said, it means that the constellation rotates in only one sense and, according to MIL-STD 188-181A, this will produce an undesired carrier shift that could be a source of errors in conventional PSK demodulators.

pic.9
The differences against a conventional PSK-8 waveform (MS188-110 Serial Tone), mostly evident in the phase vector evolution, are shown in picture 10:

pic. 10 - AM envelope and phase vector for the MS188-110 ST waveform
Assuming the value of 2400 as the chip rate, the resulting 96 bit period should be the length of the PN sequence (pic. 11)

pic.11


That said, there is a chance that this PSK-8 burst signal uses a DSSS technique characterized by a base speed of 150 symbols/sec, a spread factor of 16 that makes a chip rate of 2400 cps and a PN sequence length of 96 bits.

by AngazU & Antonio
---
(1) from MIL-STD 188-181
B.4.3 Phase vector rotation. The Dapper/Hill paper recommends that the direction of the phase vector rotation during a phase transition be implemented so that transitions to the 180° state occur by alternately rotating the phase in the clockwise and counter-clockwise directions from the 0° position. Rotation back to 0° is in the opposite direction from that most recently taken. In other words, the direction of rotation reverses upon reaching the 180° state, resulting in a change of the direction of phase vector rotation every other phase transition (see Figure B-2).
According to the paper, there is an offset of the carrier frequency equal to one-fourth the data rate if the phase is rotated in the same direction for each data bit transition. This means there is a 600-Hz offset when the data rate is 2.4 kbps. The reason given is that a nonzero average value disturbs the phase-error measurement of conventional demodulation techniques, which are unable to separate transitional information from phase-error measurement.
Figure B-2



STANAG-4538 modified BW5


This signal employs 8-ary phase-shift keying (PSK-8) on a single 1800 Hz carrier; the modulation of this output carrier is a constant 2400 symbols/sec waveform: a quite common mode largely used in HF (pic. 1). I spotted this transmission on 15062.0 KHz on USB.

pic. 1
The period of the waveform has a duration of ~1013 ms that in turn makes 7296 bits or 2432 PSK-8 symbols @2400 Baud (pic. 2)

pic. 2
This (long) period length could be misleading, but looking at the STANAG-4538 table 13-1 (LSU Burst waveform characteristics, pic. 3) we see that it matches the length of the BW5 waveform:

pic. 3
Looking at the diagram of the ACF we see that the single BW5 burst has been transferred 14 times in a row in the third segment of the transmission, as confirmed in the bitstream (pics. 4,5). Since the manufacturer of the equipment may modify the standard if it does not impair its performance, perhaps we are dealing with a modification of the STANAG-4538 BW5.

pic. 4
pic. 5
To avoid confusion: MIL 188-141C Appendix C third-generation ALE is termed Link Set-Up (LSU) in STANAG 4538. Two non-interoperable protocols for link establishment are specified in STANAG 4538: Fast LSU (FLSU, smaller, lightly-loaded tactical networks) and Robust LSU (RLSU, large networks and heavy traffic). The specifications previously contained in the Appendix C have been replaced with a reference to the essentially identical NATO STANAG 4538.

unid MFSK-16 175Hz modem, varying speeds

This 16-tone signal occupies a bandwidth of about 2700 Hz, from 385Hz for the lowest tone to 3010Hz for the top tone (dF = 2625Hz), with 175Hz increment steps as shown in pics. 1,2:

pic. 1 - spectrum of the MFSK-16 signal
pic. 2 - the 16 tones grid
Since last January, this modem has been observed on several frequencies on USB and running at different speeds (32.8, 49.3, 65.8 and 131.6 symbols/sec) but all with the same constant frequency shift of 175Hz. Personally, I spotted the first two waveforms while the 49.3 and 65.8 Bd waveforms come from my friend Karapuz.
 
32.84Bd
49.32Bd
65.8Bd
131.59Bd
It could be that the symbol rate varies according to the transmission channel conditions, or most likely these are just transmission tests to evaluate the best waveform that allows acceptable performance in the presence of varying channel conditions. The source is suggested to be CIS Intelligence/Diplomatic services.

logs


06059.0 ---: Unid 2103 (cf) FSK 100Bd/1000, no traffic (02Jun16) (AAI)
06262.5 IDR: Italian Navy, I 0650 USB STANAG-4285 600L, sending encrypted data using KG-84 to IHMW (26May16) (AAI)
06801.0 D20: National Protection and Rescue Directorate, HRV 0624 USB MIL 188-141 2G-ALE sounding (04Jun16) (AAI)
06970.0 ---: Ukraine Mil, UKR 0620 USB MFSK-4 (double FSK) 96Bd 500Hz modem (tones at -750, -250, +250, +750 Hz) (01Jun16) (AAI)
07739.0 4204:  Sonatrach, ALG 2030 USB MIL 188-141 2G-ALE sounding (02Jun16) (AAI)
07814.3 C3: Moroccan Army, MRC 2025 USB MIL 188-141 2G-ALE calling R3 (02Jun16) (AAI)
08010.0 ---: Ukraine Mil, UKR 0614 USB MFSK-4 (double FSK) 96Bd 500Hz,(tones at -750, -250, +250 and + 750) (26May16) (AAI)
08190.0 RHI: Saudi Air Force, ARS 2135 DSB MIL 188-141 2G-ALE calling AA1 (29May16) (AAI)
08939.0 ---: Rostov Meteo, RUS 2125 female (29May16) (AAI)
08950.0 381013: Turkish civil defense, TUR 2223 USB  MIL 188-141 2G-ALE calling 378013 (31May16) (AAI)
09104.5 ---: Uk Mil/Gov, UK 2218 USB WINDRM modified waveform OFDM 51-tone (31May16) (AAI)
10153.0 ---: US Navy NAU Isabela, PR 2150 FSK 50Bd/850 (NATO 50) Encrypted messages (27May16) (AAI)
12143.0 ---: Russian Intel, RUS 0820 (cf) CIS FTM-4, MFSK-4 150Bd (effective 37.5Bd) 4000Hz modem (tones at: -6, -2, +2, +6 KHz) (02Jun16) (AAI)
13044.0 ---: Russian Mil, RUS 0645 USB AT-3004D 12-tone modem BPSK 120Bd (31May16) (AAI)
14109.0 9A4OS: Global ALE HF network, Zadar HRV 0628 USB MIL 188-141 2G-ALE sounding  (30May16) (AAI)
14401.5 OEY80: Austrian Mil, AUT 0608 USB MIL 188-141 2G-ALE calling OEY61  (30May16) (AAI)
14500.0 ---: Egyptian Navy, EGY 2008 USB opchat and STANAG 4197 digital voice (28May16) (AAI)
14631.0 CTA14: Portoguese Navy, POR 0740 LSB STANAG-4285/600L CARBS msgs "0740Z//CTA02I/CTA04I/CTA08I/CTA14I//" (24May16) (AAI)
14969.0 ---: Unid (prob. Russian Intel) 0828 USB MFSK-16 175Hz 49.32Bd modem (02Jun16) (AAI)
15662.0 ---: prob. Iranian Navy 2150 (cf) Iranian-QPSK 468.75Bd (31May16) (AAI)
15870.0 CNC: Algerian AF, ALG 0710 USB MIL 188-141 2G-ALE calling CM3 (01Jun16) (AAI)
15959.0 ---: US Navy NSS Davidsonville, MD 2200 (cf) FSK 75Bd/850 (31May16) (AAI)
16020.0 ---: Russian Mil/Gov, RUS 0635 USB CIS VFT 3x100 100Bd/1440 (31May16) (AAI)
16090.0 ---: Unid NATO TADIL 1256 ISB 2-ch Link-11 CLEW traffic (03Jun16) (AAI)
16103.0 ---: Russian Mil, RUS 1535 USB CIS-45 OFDM HDR modem BPSK 33.33Bd (31May16) (AAI)
16112.0 ---: Russian Mil (RAA Russian NDCC?), RUS 1308 T600/BEE36-50 Msg Start Sync 0x1414bebe64c (03Jun16) (AAI)
16123.0 ---: US Navy  NAU Isabela, PR 1410 FSK 50Bd/850 (NATO 50) Encrypted messages (27May16) (AAI)
16125.0 STA5: Tunisian MOI, TUN 1239 USB MIL 188-141 2G-ALE handshake with STAT154 (03Jun16)
16201.0 ---: Unid (prob. Russian Intel) 1220 USB MFSK-16 175Hz 32.84Bd modem (03Jun16) (AAI)
16207.0 RIT: Russian Navy Severomorsk, RUS 1320 T600/BEE36-50 Msg Start Sync 0x1eb41eb2952 (03Jun16) (AAI)
16222.0 ---: MFA Cairo, EGY 1328 USB (cf + 1700Hz) SiTOR-A 100Bd/170 selcall to unid embassy TVVY (03Jun16) (AAI)
16222.0 ---: Unid (prob. Russian Intel) 0720 USB (cf + 2000Hz) MFSK-16 175Hz 32.84Bd modem (01Jun16) (AAI)
16280.0 no call: 0715 USB MIL 188-141 2G-ALE calling BM10HFC (01Jun16) (AAI)
16340.0 CENTR4: MFA Bucharest, ROU 1155 USB MIL 188-141 2G-ALE several calls to ACG, no reply (03Jun16) (AAI)
16583.0 ---: Unid NATO TADIL 1334 USB Link-11 SLEW, PSK-8 2400Bd ACF 960 bits (133ms) (03Jun16) (AAI)
16626.0 ---: Unid 0831 USB Thales Systeme-3000 ALE (03Jun16) (AAI)
16634.5 ---: Unid (prob. German Mil) 1244 USB Arcotel MAHRS-2400 HF modem, ALE bursts (03Jun16) (AAI)
16779.0 ---: Unid ship 1247 USB (cf + 1500Hz) SiTOR-A 100Bd/170 sellcall to QVXV Shanghai Radio (03Jun16) (AAI)
16788.5 ---: Unid Coastal Station 0725 USB (cf +1500Hz) SiTOR-A 100Bd/170 "The quick brown fox..." (03Jun16) (AAI)
16856.0 RDL: Russian Mil, RUS 1408 T600/BEE36-50 Msg Start Sync 0x1414bebe64c (03Jun16) (AAI)
16872.0 ---: Russian Mil, Rus 1510 (cf) FSK 50Bd/125 (03Jun16) (AAI)
16912.0 ---: Russian Mil, RUS 1515 (cf) T600/BEE36-50 Msg Start Sync 0x1414bebe952 (03Jun16) (AAI)
18223.5 OEY61: Austrian Army, AUT 0718 USB MIL 188-141 2G-ALE handshake with OEY20 (03Jun16) (AAI)
18596.0 ---: Unid (prob. German Mil) 1031 USB Arcotel MAHRS-2400 HF modem, ALE bursts (02Jun16) (AAI)
18735.0 ---: Australian MHFCS net 0815 LSB (cf +1350Hz) FSK 600Bd/340 (27May16) (AAI)
18765.0 11121: Moroccan Civil Protection, MRC 0620 USB MIL 188-141 2G-ALE sounding  (30May16) (AAI)



CIS MFSK-16 175Hz (updated)

This 16-tone signal occupies a bandwidth of about 2700 Hz, from 385Hz for the lowest tone to 3010Hz for the top tone (dF = 2625Hz), with 175Hz increment steps as shown in pics. 1,2:

pic. 1 - spectrum of the MFSK-16 signal
pic. 2 - the 16 tones grid
Since last January, this modem has been observed on several frequencies on USB and running at multiple speeds, but all with the same constant frequency shift of 175Hz.
An interesting feature of this signal is its speed of manipulation: we have spotted 4 different waveforms with speed that increases at a '2x' rate, i.e.: 16.44, 33.33, 66.66 and 133.33 symbols/sec (pics 3,4,5,6)

pic. 3 - 14,66 Bd
pic. 4 - 33.33 Bd
pic. 5 - 66.66 Bd
pic. 6 - 133.33 Bd
Formerly the MFSK-16 phase was preceded by an MSK preamble with ~1866Bd and ~928Hz shift (pic. 7)
pic. 7 - MSK preamble before MFSK-16 transfer
Although the preamble may appear as a QPSK modulation, a more careful analysis indicates the MSK mode (pic. 8)

pic. 8 - preamble speed and mode
The reason for the lack of the preamble in the current waveforms is unknown; maybe the preamble could be used in the set-up phase of the signal, but it's only speculation.

Australian MHFCS net, a distinctive sign

Just a tip: in order to identify the MHFCS transmissions, in addition to the dial frequencies listed here (remember that they use a 1500Hz offset above the indicated carrier) and to the shift and speed parameters (typically 600Bd/340Hz), note that these MSK signals exhibit a quite unique sign when inspecting the harmonics using the SA 'involutions' tool. In this case, you will see the presence of several spectral lines in the 7th power.


Unid MSK 1200Bd 800Hz

Yesterday (10 June) morning I spotted this weird signal on 20877.0 KHz/USB at 0725 UTC; unfortunately some static due to a thunderstorm ruined the reception.
The signal has a 1200 Hz bandwidth and is characterized by a strong tone at ~1400 Hz (1394) and two symmetrical tones at +600 and -600 Hz which are transmitted at a lower level than the central one. A sort of "marks" are transmitted every 137.5 ms (pic. 1)

pic. 1

FSK bursts are inserted in a seemingly random way, they have a shift of about 800Hz and manipulation speed of 1200Bd: curiously it's the same value of the bandwidth (pic. 2)

pic. 2
The 137.5ms marks make the period of the signal = 165 bits.

pic. 3

Arcotel MAHRS-2400 serial (Telefunken Racoms)

[updated]

This signal has been heard several times, this one on 12282.5 KHz on USB at 1430z. An old WUN publication (http://www.udxf.nl/WUN-v10.pdf) and some other logs report the 12282.0 and 12282.4 frequencies as operated by German Military, so probably the 12282.5 frequency is also owned by that same network.
MAHRS-2400 is a STANAG4285-like 2400Bd PSK-8 serial waveform (pic. 1) with 2 x 8 pre-tones which are symmetrical with respect to the 1800Hz carrier

pic. 1
The signal exhibits an ACF of 106.66ms or 256 symbols due to its frame structure: an 80-symbol probe (known symbols) followed by 176 symbols of data (pic. 2)

pic. 2
The evidence of pronounced 2-ary states in the constellation suggests that the known-data probes are modulated using BPSK and then scrambled to appear as 8-ary on air. The BPSK probes are clearly visible in pic. 3 after increasing the FFT size.

pic. 3
The waveform is similar to the one used in the MAHRS ALE mode, a 500ms burst system briefly reported here.

This signal is linkable to the HRA 5100 radio communication system used in airborne platforms (hra-5100.html). As far as is recoverable on the web, "MAHRS" is the name of the HF radio-data standard used for data transmission while "Arcotel" was originally used to indicate the modem: recent Telefunken Racoms HF transceivers have an integrated radio processor and modem, and Arcotel is supposed to indicate just the radio processor. The company name "Telefunken Racoms" has been used since 2004 (http://www.army-guide.com/eng/firm3787.html).

MS188-110 poor man ASCII-bit stepper simulator (I)

The poor-man ASCII-bit stepper simulator implements a fixed-frequency serial (single-tone) waveform as specified in MIL-STD 188-110B 5.3; it supports only the 1200/2400 bps data rates and the short interleaver.

-why poor man
I'm just a hobbyist in signals analysis and do not have the resources to invest in sophisticated hw-devices or sw-tools suited to this specific activity (it's not my work).

- why ASCII-bit
The simulator does not treat the data in a bitwise mode but rather it uses their ASCII text representation, i.e. the data are written (and processed) as ASCII chars of zeroes and ones ("0" and "1"), and so it's not a real modem, since each ASCII character is a 7-bit code stored in a byte. This means, for example, that an initial ASCII string such as
"0010011110001111100001010101010011100100011100100111001100011100"
will end in a different baseband signal if processed by a real MS188-110 software modem as, for example, MS-DMT. 
Nevertheless, the ASCII-bit representation of data doesn't alter the way these are processed and appear at the input of the SSB modulator and, regardless of the data representation, it's always possible to get a valid baseband waveform once the scrambled data 000,001,010,... are mapped into PSK-8 complex symbols 1+j0, 1+j1, 0+j1,...
Note that the binary values for ASCII text '0' and '1' are 00110000 and 00110001 respectively.

- why stepper
The simulator is not a single piece of software running in concurrent mode but rather it is composed of a series of pipeline modules, each of which has as its input file the output file of the preceding module; the modules are therefore executed one at a time (by manually running each of them). This gives the chance to examine step by step the evolution and the contents of the bitflow along the functional blocks of the modem.

- why simulator
from the above, it can't replace the original for a real use and it could be seen as a (limited) model for analysis.

The simulator is coded using the Lua language, a fast and powerful interpreter (although the sources could be compiled), and is limited to 1200/2400bps and the short interleaver (I did not want to code a 188-110 compatible modem but just a way to look inside it). Please, at least for now, do not ask for the code: it needs to be further debugged, does not have a GUI, is roughly written and needs more lines to be user safe and 100% error-free.

unknown (user) data

In this example the input user data come from a random generator (https://www.random.org/bytes/): the randomized binary strings are printed on the screen and have to be cut and pasted into a simple editor (such as notepad) to create the input data file. This procedure will cause a weird (but predictable) result once the data are passed through the FEC encoder.

FEC Encoder block

In this example, the output data from the FEC encoder exhibit a fixed pattern characterized by a period of 130 bits. As said above, this (apparently) weird result is due to the way the Windows OS stores text files and to the length of the randomized binary strings printed out by the random generator.
Looking closely at the input file using a Linux terminal, we realize that it is composed of rows of 64 chars (the length of the random strings produced by the random generator), each row terminated by the DOS/Windows line-ending character ^M (or ctrl M, not visible using Windows notepad), which makes 65 chars per row.


Since at the 1200bps rate the convolutional coder performs an effective code rate of 1/2, coded row streams of 130 bits are generated for input data rows of 65 bits length.


remember that the simulator treats each single ASCII text '1' or '0' as one bit!

 

Interleaver block

The interleaver matrix accommodates a block storage of 600ms of receiving bits in case of short interleaver and 1200bps rate. Because the bits are loaded and fetched in different orders, two distinct interleave matrices are used: this allows one block of data to be loaded while the other is being fetched!
At the 1200bps rate the short interleaver matrix has a dimension of 40 rows x 36 cols, providing 1440 bits room: this value matches the number of output bits from the FEC encoder during the 600ms interleaver load period, i.e. 1200 * 2 * 0.6 (remember that FEC encodes at 1/2 rate).
The effect produced by the interleaver is most evident when forcing long sequences of zeroes and ones at its input:
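The FEC encoder and interleaver steps described above can be traced with a few lines of Python (an added example, not the author's Lua simulator). The generator polynomials and the interleaver load/fetch increments (9 rows on load, minus 17 columns on fetch) are taken from MIL-STD-188-110B rather than from this post, the tap orientation is an assumption, and the input row is constructed.

```python
ROWS, COLS = 40, 36            # short interleaver at 1200 bps: 1440 coded bits
# Assumption of this sketch: x^k is read as "the bit delayed by k".
T1_DELAYS = (0, 1, 3, 4, 6)    # T1(x) = x^6 + x^4 + x^3 + x + 1
T2_DELAYS = (0, 3, 4, 5, 6)    # T2(x) = x^6 + x^5 + x^4 + x^3 + 1


def clean_bits(text):
    """Turn an ASCII '0'/'1' file into ints, dropping CR/LF line endings."""
    bits = []
    for ch in text:
        if ch in "\r\n":
            continue               # the stray ^M must not become a "bit"
        if ch not in "01":
            raise ValueError("not an ASCII bit: %r" % ch)
        bits.append(int(ch))
    return bits


def conv_encode(bits):
    """Rate-1/2, constraint-length-7 encoder: two coded bits per input bit."""
    window = [0] * 7               # window[d] = input bit delayed by d
    out = []
    for b in bits:
        window = [b] + window[:6]
        out.append(sum(window[d] for d in T1_DELAYS) % 2)
        out.append(sum(window[d] for d in T2_DELAYS) % 2)
    return out


def fetch_order():
    """Index of the loaded bit that leaves the matrix at each fetch step."""
    cell = {}
    for n in range(ROWS * COLS):   # load: row += 9 (mod 40), next column every 40 bits
        cell[((9 * (n % ROWS)) % ROWS, n // ROWS)] = n
    order = []
    for k in range(ROWS * COLS):   # fetch: row += 1, column -= 17 (mod 36)
        row = k % ROWS
        col = (k // ROWS - 17 * row) % COLS
        order.append(cell[(row, col)])
    return order


def interleave(block):
    if len(block) != ROWS * COLS:
        raise ValueError("the short interleaver block is 1440 bits")
    return [block[i] for i in fetch_order()]


def deinterleave(block):
    out = [0] * len(block)
    for k, i in enumerate(fetch_order()):
        out[i] = block[k]
    return out


def longest_run(bits):
    """Length of the longest run of identical bits."""
    best = run = 1
    for a, b in zip(bits, bits[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def demo():
    row = "01" * 32 + "\r\n"                        # constructed 64-bit row, DOS line ending
    user_bits = clean_bits(row)
    coded_row = conv_encode(user_bits)
    stressed = interleave([0] * 720 + [1] * 720)    # long runs forced at the input
    return len(user_bits), len(coded_row), longest_run(stressed)


if __name__ == "__main__":
    print(demo())
```

With the line ending stripped, a 64-bit row gives 128 coded bits instead of the 130 seen when the ^M is counted as a bit, and the two 720-bit runs at the interleaver input leave it as runs of at most 3 bits.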



MGD and Symbol Formation blocks

At the 1200bps rate, the bits fetched from the interleaver matrix are grouped together as two-bit entities (dibit channel symbols) and applied to the Modified Gray Decoder (MGD) to guarantee that only one bit changes. Three-bit entities (tribit channel symbols) are used in the case of the 2400bps rate.
Following the above example of a long-sequences input file:


The function of Symbol Formation block is one of mapping the channel symbols from the MGD (or from the sync preamble sequence) into tribit numbers compatible with transmission using an 8-ary modulation scheme. For user data, at the 1200-bps rate the dibit channel symbol formation use tribit numbers 0, 2, 4, and 6. At the 2400-bps rates, all the tribit numbers (0-7) are used for symbol formation. A different mapping process is used for preamble transmissions.

Sync Preamble Sequence
The waveform for synchronization is essentially the same for all data rates. The synchronization pattern shall consist of either three or twenty-four 200ms segments (depending on whether either zero, short, or long interleave periods are used). Each 200-ms segment shall consist of a transmission of 15 three-bit channel symbols:
0, 1, 3, 0, 1, 3, 1, 2, 0, D1, D2, C1, C2, C3, 0
The three-bit values of D1 and D2 designate the bit rate and interleave setting of the transmitting modem. The three count symbols C1, C2, and C3 represent a count of the 200 ms segments starting at 2 for the zero and short interleave setting cases and 23 for the long interleave case.

Scrambler block

The Scrambler block modulo 8 adds the tribit number supplied from the Symbol Formation block for each 8-ary transmitted symbol to a three bit value supplied by either the data sequence randomizing generator or the sync sequence randomizing generator.
The bitstream at the 1200bps rate exhibits a 480 bit period corresponding to 160 symbols or 66.66ms: as seen in a previous post, this value is due to the scrambler length. The frame structure, at the 1200bps rate, is the expected 20 (unknown) + 20 (known) symbols as specified in the standard.


Modulator block
The modulator block will be discussed closely in a further post (...I'm still working at it). The output data from the Scrambler block, after being converted to the 0-7 numbers, will be mapped into the PSK-8 constellation complex symbols 1+j0, 1+j1, 0+j1,... to form the baseband waveform file: in a few words, a sequence of "samples" of the modulated signal (2400 samples/sec).


It's worth noting that the 0-7 numbers file is the same as the one obtained by the SA phase-demodulator (apart from the phase offset):




After the complex-symbols conversion, the baseband file must be up-sampled and filtered to spectrally constrain the waveform to within the specified bandwidth. A square root of raised cosine filter is recommended, with a roll-off factor (excess bandwidth) of 35%, as specified in the standard. Then, since the baseband signal has a center frequency of 0 Hz, it must be translated to the 1800 Hz center frequency and finally saved in the wave format to get the audio signal.
The modulator block will be implemented using the SciLab environment. For now, just for fun, it's possible to plot the numbers-baseband file to get the 8-ary constellation and transitions
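The chain just described (0-7 numbers to PSK-8 symbols, up-sampling, square-root raised-cosine filtering with 35% roll-off, translation to 1800 Hz, wave file) looks like this in plain Python. It is an added sketch, not the author's SciLab or Lua code; the 9600 Hz sample rate, the 8-symbol filter span, the unit-magnitude symbols (number k sent at k x 45 degrees), the output file name and the input symbol stream are assumptions.

```python
import cmath
import math
import struct
import wave

SYM_RATE = 2400        # symbols/s (from the post)
FS = 9600              # audio sample rate, assumption: 4 samples per symbol
CARRIER = 1800.0       # Hz (from the post)
ALPHA = 0.35           # roll-off factor (from the post)
SPS = FS // SYM_RATE


def rrc_taps(span=8):
    """Square-root raised-cosine taps covering +/- `span` symbols."""
    taps = []
    for n in range(-span * SPS, span * SPS + 1):
        t = n / SPS                                  # time in symbol periods
        if n == 0:
            h = 1.0 - ALPHA + 4.0 * ALPHA / math.pi
        elif abs(abs(4.0 * ALPHA * t) - 1.0) < 1e-9:  # removable singularity
            a = math.pi / (4.0 * ALPHA)
            h = ALPHA / math.sqrt(2.0) * ((1 + 2 / math.pi) * math.sin(a)
                                          + (1 - 2 / math.pi) * math.cos(a))
        else:
            num = (math.sin(math.pi * t * (1 - ALPHA))
                   + 4 * ALPHA * t * math.cos(math.pi * t * (1 + ALPHA)))
            h = num / (math.pi * t * (1 - (4 * ALPHA * t) ** 2))
        taps.append(h)
    scale = SPS / sum(taps)                          # unity gain for a steady symbol
    return [h * scale for h in taps]


def modulate(tribits):
    """Map 0-7 numbers to PSK-8, shape at baseband, shift to CARRIER."""
    taps = rrc_taps()
    shaped = [0j] * (len(tribits) * SPS + len(taps) - 1)
    for k, tri in enumerate(tribits):
        sym = cmath.exp(1j * math.pi / 4 * tri)      # number k -> phase k * 45 deg
        for j, h in enumerate(taps):                 # zero-stuffing + FIR in one pass
            shaped[k * SPS + j] += sym * h
    return [(z * cmath.exp(2j * math.pi * CARRIER * n / FS)).real
            for n, z in enumerate(shaped)]


def write_wav(path, samples):
    """Save samples as 16-bit mono PCM, peak-normalised to 80 % of full scale."""
    peak = max(abs(s) for s in samples) or 1.0
    frames = b"".join(struct.pack("<h", int(0.8 * 32767 * s / peak)) for s in samples)
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(FS)
        w.writeframes(frames)
    return len(samples)


def tone_level(samples, freq):
    """Magnitude of the correlation of `samples` with a complex tone at `freq`."""
    acc = sum(s * cmath.exp(-2j * math.pi * freq * n / FS)
              for n, s in enumerate(samples))
    return abs(acc) / len(samples)


if __name__ == "__main__":
    symbols = [(5 * k * k + 3 * k) % 8 for k in range(480)]   # constructed 0-7 stream
    audio = modulate(symbols)
    print(write_wav("psk8_1800hz_example.wav", audio), "samples written")
```

Feeding a constant symbol stream and checking `tone_level` at 1800 Hz is a quick way to confirm that the frequency translation landed on the intended carrier before opening the file in SA or Audacity.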



(to be continued)
