25 December 2016

CIS MFSK-64 (32+32) 45Bd


I recently had the chance to have a good copy of MFSK-n signal previously reported here as a MFSK 68-tone (34+34). Well, according to my new measurements, I tend to reconsider it as a parallel 64-tone (32+32) signal: this way the shift of 46.9 Hz among the tones is closer or almost the same of  the apparent speed of 47 symbols/sec. 
PSK-8 9000Bd bursts (2 symbol element periods length) are sent each 1 second, possibly acting as sync (Fig. 1):  since the embedded PSK inserts, the signal occupies a bandwidth up to ~10KHz.

Fig. 1
It's worth noting that in the first half of the transfer a 3-tone symbols alphabet is used, while a 5-tone symbols alphabet (the most frequent in this wavefrom) is used in the second half, from time t1 (Fig. 2). In both the cases the speed of 45 symbols/sec remains constant (Fig. 3)


Fig. 2

Fig. 3
The measured 47 symbols/sec from SA likely results from the add of the two symbols due to the PSK-8 inserts.
The 64-tone solution can be easily seen by counting the tones over the -40dB threshold in the upper and lower part of the signal plotted in the FFT spectrum /Fig. 4).

Fig. 4
The number of the used tones remains constant, as well as the speed, for both the two alphabets (Figs 5,6) although the count of the grid in the second half of the signal (5-tones symbols) is more difficult.

Fig. 5
Fig. 6
Often you can see the CIS-3000 PSK-8 3000Bd modem before MFSK-64 as in Fig. 7: it's interesting to note that CIS-3000 and PSK-8 inserts have the same sub-carrier value (~5300 Hz) and it just matches the center of the MFSK-64 FFT spectrum (Fig. 8)

Fig. 7
Fig. 8
MFSK-64 is likely a Russian Intel parallel tones system as well as other MFSK and CIS-3000 could be employed as a sort of selcall. 


https://yadi.sk/d/WMnwnpN034qLZV 

23 December 2016

ICAO METARs TAFs sent over MIL 188-141 2G-ALE


This MIL 188-141 2G-ALE session  has been copied today 23 Dec. on 09019.0 KHz/USB starting from 1010 UTC. The ALE addresses are:  XSS, RAF base in Forest Moor UK belonging to DHFCS-net (Defense High Frequency Communication Service) and UKE304, RAF E3D AWACS Aircraft: respectively TAZ and NATO35 callsigns. The Comms  are conveyed by AMD commands which are embedded in 188-141. After the handshake, this is the first message sent by the Awacs, requesting METARs and TAFs (weather informations) for some airports in Cyprus identified by LCRA LCLK, and  LCPH:

LCRA - AKROTIRI 
LCLK - LARNACA/LARNAX 
LCPH - PAPHOS/BAF

TAZ DE NATO35 HELLO WE R RQSTING METARS N TAFS FP LCRA LCLK LCPH TVM
followed by the reply from ground:

DE TAZ WAIT ONE
something like "wait a moment..." then the requested weather informations for LCRA, LCLK, and LCPH are sent by TAZ (XSS)

LCRA 230850Z 14003KT 9999 6000E -SHRA SCT022CB BKN045 13/10 Q1019 BECMG 9999 FEW022CB
TAF LCRA 230732Z 2309/2403 09005KT 9999 BKN050 PROB 303
TEMPO 2309/2403 5000 TSRA SCT022CB

LCLK 230930Z 08007KT 9999 FEW020TCU 15/11 Q1020 NOSIG
TAF LCLK 230530Z 2306/2406 04008KT 9999 SCT020 BKN040 PROB40
TEMPO 2306/2406 5000 SHRA PROB330
TEMPO 2306/2406 VRB20G30KT 2000 TSRA SCT020CB
BECMG 2309/2312 21010KT
BECMG 2316/2319 33007KT


LCPH 230930Z 07006KT 9999 FEW0bkX30TCU SCT050 15/09 Q1019
TAF LCPH 230530Z 2306/2406 07008KT 9999 SCT020 BKN040 PROB40
TEMPO 2306/22406 5000 SHRAPROB30
TEMPO 2306/2406 VRB20G30KT 2000 TSRA SCT020CB
BECMG 2308/2311 24010KT
BECMG 2316/2319 03007KT

Transmission is terminated by:
THATS THE WX COMPLETED K


METAR (METeorological Air Report) is a format for reporting weather information which is predominantly used by pilots in fulfillment of a part of a pre-flight weather briefing, and by meteorologists, who use aggregated METAR information to assist in weather forecasting. METAR is a common format and highly standardized through the International Civil Aviation Organization (ICAO) which allows it to be understood throughout most of the world.
A typical METAR contains data for the temperature, dew point, wind speed and direction, precipitation, cloud cover and heights, visibility, and barometric pressure. A METAR may also contain information on precipitation amounts, lightning, and other information that would be of interest to pilots or meteorologists such as a pilot report or PIREP, colour states and runway visual range (RVR). TAF (Terminal Aerodrome Forecast) complement and use similar encoding to METAR reports.
TAFs are produced by a human forecaster based on the ground. For this reason there are considerably fewer TAF locations than there are airports for which METARs are available. (quoted from Wikipedia)

19 December 2016

PSTN V-series modem over a radio link ?


This transmission has been copied on 6421.5 KHz/USB at 0808 UTC and consits of five parts:
1) initial FSK 300Bd call and link negotiation, between the calling and the answering modem;
2) PSK 1200Bd data transfer from the calling modem;
3) FSK 300Bd from the answering modem (a mode switch request ?);
4) PSK 600Bd data transfer from the calling modem;
5) FSK 300bd likely as ACK and link disconnect;
Each FSK/PSK frame is preceeded by a 1500Hz short tone (Fig. 1) and looking at the strength of the PSK frames they seem to be sent by the calling modem.

Fig. 1
The FSK signal initialing the link has a speed of 300Bd and shift of ~170Hz (Fig. 2). Once demodulated,  it exhibits a 10-bit length period and matches the 8N1 format: one start bit, one stop bit, no parity and 8 data bits (Fig. 3).
 
Fig. 2

Fig. 3

Speeds, carriers and PSK constellations related to the PSK frames are shown below in Figs 4,5 (note the amplitude failure in the initial 1200Bd PSK frame that impairs its study):

Fig. 4
Fig. 5

It's interesting to note that the waveforms of the PSK frames match some of the ITU-T V series recommendations for data communication modems over the Public Switched Telephone Network (PSTN):
1200 Baud, 1800 Hz carrier, PSK-4 (2400 bps gross) --> ITU-T V.26
 600 Baud,  1200 Hz carrier, PSK-4 (1200 bps gross) --> ITU-T V.22 (Bell 212A)
(ITU-T recommendations can be read here)

My friend KarapuZ, who pointed me to ITU modems, heard some other V-serie modem on HF: maybe some tests or arrangements as proof-of-practice about the feasibility of such unusual solution (PSTN modem over HF). It's worth noting what seems to be a sort of adaptive solution, the 1200-600 Baud switch, and that the military often use such modems but on VHF repeaters.
Comments are welcome.





15 December 2016

HARRIS proprietary Autolink-I (1G-ALE)


Very interesting ALE session consisting of HARRIS Autolink-I handshake (a proprietary waveform) followed by a data transfer using MIL 188-110 App.B 39-tone OFDM modem (M39) and link disconnect: since the used technology, 1G-ALE and 39-tone, the session is almost a sort of HF flashback. The transmission has been heard on 12567.0 KHz/USB at 1140 UTC 13 December, most likely from Moroccan Military.

The Harris Autolink-I system was one of the first adatptive and automated HF systems available and was implemented in the Harris RF-7110 controller, then it was upgraded to a RF-7210A Mil Spec Autolink-II. The basic difference between the first and second generation units is in the type of utilized addressing:  call signs in the 1G controllers are limited to numerical digits while 2G controllers can employ up to 15 alphanumerical identifiers.

Fig. 1
Autolink-I employs an FSK waveform modulated at 200 Baud and shift of 200 Hz (Fig. 2). Structure is very similar to Harris RF-3560 Selcall. Preamble is a sequence of reversals and its duration is proportional to the number of channels in use so receivers have a chance to lock on the signal while scanning. Then, info is about 800 ms. and consists of some control words and 4 digits numeric call sign (Fig. 3). In case of group call to test channel conditions, answers are slotted.

Fig. 2
Fig. 3
As said, the data transfer is achieved with MIL 188-110 App.B, a 39-tone OFDM waveform introduced with the first release of 188-110 Standard and not recommended for new systems by the 3rd release (188-110C, September 2011). The modulator output consists of 39 QDPSK data tones which have a constant modulation rate of 44.44 Bd for all standard input data signaling rates from 75 to 2400 bps, plus an unmodulated tone for Doppler correction (Fig. 4).

Fig. 4

14 December 2016

unid FSK 200Bd/400


Yet another unidentified, and unknown to me, FSK waveform copied on 12424.8 KHz (cf) at 0808 UTC. Key parameters are 200 Baud as manipulation speed and shift of 400 Hz (Fig. 1). These values match one of the possible ARQ-E3 settings but decoding does not produce outputs so the signal doesn't belong to such waveforms family.
This same signal is reported in radioscanner.ru forum, you may read the topic and get more info here.

Fig. 1
As a side notes, its spectum has a characteristic pattern (Fig. 2) and working on the period length it's possible to get the value of 896 bit which is likely the frame structure (Fig. 3). Unless erorrs, the frame consists of 52-bit  of known symbols (sync probe?) and 844-bit room allocated for unknwon symbols (data block?). 

Fig. 2

 
 Fig. 3

13 December 2016

unid FSK 50Bd/1000 (prob. CIS Navy occasional test)


Strong - and odd - signal copied on 12376.0 (cf) at 1423 UTC on 11 December. This is probably a totally occasional test since the used fequency and some other points as below. The signal exhibits a well defined 100Hz keying at transitions edge (Figure 1):

Fig. 1 - 10Hz FM: a) after phase detector, b) SA scan-raster method
although the raster shows 50 symbols/sec as the value of the modulation speed: maybe the 100Hz keying si due to a filtering failure. After filtering the signal to 50Bd value, it's possible to get a 1000Hz value for the frequency shift (Fig. 2).

Fig. 2

Some notes about the demodulated stream, thanks to  radioscanner friends Karapuz and Cryptomaster for their advices and comments.
It's worth noting the presence of 2 x 70 bit repeated sequences in the preamble (likely the Message Indicator), as in Fig. 3, which resembles the  CIS Navy T-600 modem (ACF = 70 bit in the preamble only) although the constant 50Bd speed and the shift of 1000 Hz is quite rare for such modem (typical shifts are: 200, 250 and 500 Hz). Also note as the End Of Transmission "000100" sequence contains at least 4 EOT characters and the 4:3 ratio alphabet code (Fig. 4). 

Fig.3
Fig.4
 


unid FSK 300Bd/500, 255/360 bit period

The signal was spotted on two frequencies 06775.0 and 12572.0 on different days and different formats as continue stream or tone-separated bursts. The FSK-2 modulation exhibits a constant 300 symbols/sec speed and shift of 500 Hz. 
The most interesting feature is the switch of the period lenght most likely in corrispondence of switching from idle/sync and traffic mode. In the fist case the ACF has the value of 850.55 msec that corresponds to a 255-bit period length, in the second case, traffic mode, the ACF exhibits the value of 200.13 msec that corresponds to a 360-bit period length or, better, to a 60-bit frame which is repeated six times.



The two 252 and 255 -bit patterns can be descrambled using the polynomial x^6+x^5+1.
The T=360 bit data block can be descrambled using the polynomial x^18+x^15+x^3+1: after removing the "0" columns a 6-bit structure is obtained where the 6th bit is the parity bit:


Same results for the 300Bd/500 waveform and 60-bit period:


https://yadi.sk/d/ltJvIvLHRi8FBA
https://yadi.sk/d/khAoWLFG6MPajQ

9 December 2016

unid FSK 150Bd/250 with KG-84 encryption


I copied this FSK modem on 06252.2 KHz (cf) on 7 December morning, carrying several messages with a very good signal strength here in JN52 (about 70 dB). The modem use a frequency shift of 250 Hertz and a modulation speed of  150 bps (Figs 1,2).

Fig. 1
Fig. 2
The most interesting thing is that the initial part of the messages contains the 64-bit sync pattern which is typical of KG-84 encryption
1111101111001110101100001011100011011010010001001100101010000001
followed by the 2 x 64 bit initialization vectors (each vector is repeated four times), as shown in Figs. 3,4:

Fig. 3
Fig. 4
The presence of KG-84 leads to think to a NATO country as source, surely - since the signal strength - the site of transmitter is very close to my antenna (center Italy), most likely in the Mediterranean area. 



5 December 2016

cars, chameleons, networks... (update 2)

OPL-OPn net (5424.0 KHz)
I have already talked here about this QRG, where the heard ALE addresses were 5B, AB, 1PB, 1PC, 2PB, and 3PB (the so-called PB net), but in these days, at least from 1st December, in that same frequency I heard addresses as OPL, OP1, OP2, OP3, and OP4 (so the name OPL-OPn net). Transmissions start from about 0800 UTC and OPL seems to act as the net-control station. The used technology is the same than PB net, i.e. 188-110A and FED-1052 App.B for the messaging system, and 2G-ALE for the link setup, aside just three 188-110 App.B/FED-1052 App.A frames (see below).
 
Fig. 1
Same QRG and same nodes configuration mean the same source, OS BiH, and the same stations: just a "rotation" of the tactical on-air ALE addresses. I do not know if it's a monthly update or if the update was due to some other reason, further monitorings will help in this direction.
As expected, once removed 188-110A and FED-1052 headers, I got files with ARX and TNEF extensions but this time I had more luck: since the informal nature of the messages (in the reported example, a simple list of sent/received telegrams) these were sent in clear-text. The reading of the extracted files in Figs 2,3 confirms the source and the rotation of the on-air addresses while the e-mail addresses of the network nodes remain unchanged (see Fig.5 of the Part I for what concerns 5PBR), so the old 5B, AB, 1PB, 1PC, 2PB, 3PB,... and the current OPL, OP1, OP2, OP3, OP4,... refer to the same nodes of a single radio-network belonging to OS BiH and running on 5424.0 KHz/USB.

Fig. 2
Fig. 3
Thre is an oddity in one of the recordered transmissions: the presence of three 188-110 App.B/FED-1052 App.A frames just before the link termination (Fig. 4).

Fig. 4
This is the first time, on my side, I see such modality during the e-mail exchanges monitored in this frequnecy: it's hard to say if it just belongs to this transmission or it appeared randomly from some other (unid) source. Anyway, it's worth noting that its time-position in the transmission flow is correct as well as its obsolescence is justified by the use of FED-1052.


https://yadi.sk/d/W19eZn8W32AwPg