This post may be considered as a continuation of an interesting analysis started by my friends cryptomaster and KarapuZ, see
the radioscanner post for background. The signals analyzed by my friends and me consist of STANAG-4481F waveform (also known as NATO-75, FSK 75Bd/850) and have been spotted on 8202.5 KHz/usb (tuning frequency, CF = +2000 Hz): in our opinion they seem to be (off line) fleet broadcasts of 3 x 7-bit multiplexed encrypted channels.
I want to thank my friend AngazU and the owner of the KiwiSDR
http://158.255.239.102:8073/ in Alicante (Spain) who allowed me to use his device w/out time limits in order to monitor these transmissions.
The interesting aspect is the 3-bit structure which is visible in SA raster (Fig. 1) by using, for example, a time window of 200ms (=15 bits @75bps); notice that it does not occur in time windows that implie a number of bits which is not an integer multiple of 3.
![]() |
| Fig. 1 - 3-bit structure in a 200ms raster window |
Following this results, the demodulated stream has been reshaped into a 3-bit framing (Fig. 2): it is easy to see that two columns have the same content.
![]() |
| Fig. 2 - 3-bit framing of the demodulated stream |
Then, each column in turn has been reshaped in a 7-bit pattern in order to obtain 3 separate files corresponding to the three channels. Karapuz noted that the Fibonacci's bit sequence (generated by the polynomial x^31 + x^3 + 1) is present in each channel: this is the main indication that the source data was encrypted using the KW-46/KIV-7 cryptographic device (STANAG -5065). It's not a mere coincidence because I checked the "signature" of KW-46 in several other 4481F transmissions on that same frequency (Fig. 3).
![]() |
| Fig. 3 - the KW-46 M-sequences in the 3 channels conveyed by a single S-4481F trasnmission |
The presence of three distinct channels suggests that a time division multiplexer (TDM) be used upstream of the S-4481F modem, but there is a problem with the speeds at stake. The used TDM must have a 75bps "aggregate" speed in order to meet the S-4481F waveform requirements, thus each (encrypted!) input channel should have a speed of 25bps... but crypto devices such as KG-46 or KIV-7 do not work at speeds lower than 50 bps! (Fig. 4).
![]() |
| Fig. 4 |
So, it seems that a kind of "rate change" occurs between TDM and S-4481F modem. Since a kind of
store-and-forward device to down the speed appears unrealistic in case of long broadcasts, it could be that "source - crypto - multiplex" block and "4481F modem - Tx" block do not sit in the same place.
According to TDoA direction finding tries, the transmitter site is the Naval Radio Transmitter Facility (NRTF) in Niscemi, Italy (Fig. 5): an infrastructure of the NATO communication system that is linked with other US military bases [1]. It's to notice that similar transmissions (3-bit structure S-4481F) can be heard on 7545.5 and 6383 KHz (CF), also them from NRTF Niscemi!
![]() |
| Fig. 5 - TDoA result |
In my opinion (!), the stream is "packaged" (i.e. encrypted, multiplexed, and stored) elsewhere and then routed to NRTF Niscemi for its following (off-line) transmission on HF. In other words, Niscemi only hosts modems and Tx and just receives a "ready-to-send" file via SATCOM or IP.
During my monitoring I had the luck to catch the beginning of a transmission. Interestingly, the M-sequences generated by the polynomial x^31 + x^3 + 1 just start from the very first bit of the 3 demodulated streams (100% indication in Fig. 6), there are no signatures or magic numbers attributable to transfer protocols or to file formats, neither preambles or synch sequences:
just as if it were a file that is read and transferred to the modem. ![]() |
| Fig. 6 - KW-46 M-sequences in the transmission start segment |
And how it works at receive ships? It's difficult to say, even here only hypotheses can be formulated. Maybe a dedicated software pre-processes the 3 demodulated streams... but it's only a speculation.
As I said, two channels have the same content, as indeed shown in the raster (Fig. 1). I can't explain why, maybe the "repetition" is used to add redundancy to the system or maybe it's used just to fill an empty space. Anyway, it's to notice that such repetitions of encrypted channels were also noted in some KW-46/KIV-7M secured fleet broadcast of the Australian Ny, see
the blog post. In that case we have an aggregate speed of 600bps and 12 multiplexed channels, i.e. 50bps speed per channel.
I checked sveral other S-4481F transmissions but so far these odd 3-bit structure is present only in the ones coming from Niscemi: help and comments from readers are very apreciated and welcome.
![]() |
| High Frequency dual mode antennas at NRTF Niscemi (source Wikipedia) |
24 Feb update
As expected, parallel transmissions on 8204.5 KHz and 6383 KHz convey the same content (Fig. 7); the third frequency (7545.5 KHz) is not used at this time.
![]() |
| Fig. 7 - same contents on parallel transmissions |
(to be continued)
