31 March 2016

unid BPSK 2400Bd burst system


This signal was heard at 1245 UTC on 12168.0 KHz/USB on March 30th.
The burst waveform use a PSK-2 (prob. DBPSK) serial tone modulation of an 1800 Hz carrier at 2400 symbols per second (pics 1 and 2). Each transmission consists of 12 x 4000ms bursts, ending with a single 1500ms burst. 

pic. 1
pic. 2 - PSK-2 modulation of a 1800Hz carrier at 2400 Baud

Each 4000ms burst consists of 8 x 500ms frames (pic.3), for a total of 9600 bits; ACF = 500ms/1200 bits (of course). 

pic. 3 - frame structure
Each 1200-bit frame is structured as a preamble followed by a 67/134 bits period sub-frames, as shown in pictures 4 and 5 (the underlying sub-frames structure is also visible above in pic. 3).

pic. 4 - possible frame periods
pic. 5 - 1200 bit frame seen as a 134 bits period

Using a test-string such as "0011011000010101111" and synchronizing the stream on a 67-bit period, it's clearly visible that the burts send repetitive blocks of data
 
pic. 6 - 67-bit synchronized period

27 March 2016

Unid FSK 100Bd/500, 40-bit/400ms ACF


16340.1 ---: Unid (prob. Russian) 1014 (cf) FSK-2 100Bd/500, strong ACF 400 ms (25Mar16) (AAI)



Probably an "old" RTTY transmitter sending the same pattern as a frequency marker.




26 March 2016

SVO SiTOR-B: a curious feature

SVO Olympia Radio (formerly SVA Athinai Radio) belongs to Hellenic Telecommunication Organization, S.A. (OTE) and is a telecommunications network that serves the needs of maritime security sector as well as the needs of commercial maritime communications  across the world.
At a first glance, its SiTOR-B broadcasts comply the standard 100Bd/170Hz that is common for such transmissions (pic.1) 

pic. 1
But looking closely at the signal there is a curious feature of the Sitor transmitter which is  evident in the oscillograms of the WF module (pic.2,3)

pic. 2
pic. 3
It is not clear what causes such behavior, if it's a requested feature or a transmitter "sign", anyway is present only in the Greek SVO SiTOR-B and in all their SiTOR-B bands (8, 12, 16 and 22 MHz/USB). 

update (from my Fb page):
Reed Gaede Ha! It's clearly a harmonic resonance in the exciter, modulator, or PA. Common flaw/issue in tank-tuned tube PAs, less so in broadband solid-state units. Their engineering department is slacking.
 

22 March 2016

Japanese Military, OFDM-30 +2 (mutichannel hybrid modem)


For several days, at a frequency of 12384.0 and 16553.0 kHz on USB (16553.0 is a constant for the Japanese MIL 8 freq signal), we heard unmodulated carriers only, and then finally they went to the data! 
At a first glance the signal looks like an OFDM 32 tones, ~70Hz spaced and BPSK modulation at 50 Baud (pic.1). A separated unmodulated tone, the lower in the spectrum, acts as a pilot-tone for Doppler correction and is transmitted at a higher level that the other tones.
 
pic.1 - OFDM analysis
studying more carefully the individual tones and especially the first two tones in the lower part of the spectrum, the signal is not properly constructed with OFDM technology but rather is a multichannel waveform with a DPSK or MSK modulation with 25 Hz shift and 50 Baud speed for what concerns the 30 upper channels.
Indeed, once isolated the higher tone, there is no evicence of carrier harmonics in the 2^ power and the phase detector shows a characteristic FSK-2 shape with 25Hz shift (pic.2).
pic.2 - absence of the carrier in the 2^ power harmonics
The 4-ary phase plane related to such channel reveals no diagonal transitions and two-state  transitions in Diff.1: signs of a DPSK or MSK modulation (pic.3)
pic. 3
The upper 30 tones are then MSK 50Bd 25Hz shift, spaced by 70 Hz.
The two lower tones just after the pilot tone (the lowest one) exhibit a BPSK modulation and a speed of 25 Baud for the first (pic. 4) and 50 Baud for the second (pic. 5). It is worth noting that:
- the sequence "0101010101" which is transmitted with these two channels is maybe used for sync purposes,
- these two tones are tranmitted at a lower level that the upper 30 tones. 
pic. 4 - the lower BPSK channel
pic. 5 - BPSK 50Bd in the second channel
Sumarizing the characteristics (pic. 6):
30 data-channels DPSK/MSK 50Bd/25Hz, 25Hz spaced (OFDM)
2 service-channels BPSK 25 and 50 Baud, transmitted at lower level than the 30 upper tones
1 pilot-tone, transmitted at higher level that the 30 upper tones
pic.6
Both 16553.5 kHz USB and 12384.5 kHz USB was previously channels for the old Japanese 8-tone mode, probably a litlle mis-tuning.

21 March 2016

CIS 5 x MFSK-16 + BPSK 250Bd (2)

Just to point out some interesting analogies with a similar MFSK-16 signal, heard in the latest days of the past September 2015.
That signal had the same MFSK parameters, 5 x 16 tones 10Bd 20Hz, but with FSK inserts each 10 seconds rather than the BPSK inserts seen in these days . SOM and EOM shows the same style. While the BPSK version has a fixed lenght of 21:05 minutes, the FSK version had a 33 seconds lenght and was repeated each 15 minutes.
One could say that the BPSK version seen in these days is a sort of evolution of the semptember FSK (test ?) version, but it's probably a speculation.

20 March 2016

STANAG-4285 running in ASYNC mode


Although a bitstream analyzer recognizes physical or data-link layer protocols by matching known patterns and sequences, it isn't source-coding aware then  in order to get something that makes sense is important to know if we face a synchronous or asynchronous mode. For example, my friend AngazU sent me a STANAG-4285 transmission which transports a Citadel encrypted file: 75bps speed and long interleave are the settings for its right decoding into an ASCII-bits file.
Looking at the graphic representation of the stream it's possible identify something like the characteristic pattern of Citadel... but  it isn't: there are some bits more. The reason is that that STANAG-4285 was in asynchronous mode (or better in asynchronous operation) with 8N1 framing: eight data bits, no parity bit, one start bit and one stop bit and then each character will be transmitted using a total of 10 bits. This framing could be guessed looking at the period back from the analyzer: just ten bits (pic. 1).

Pic. 1
After removed both the start and the stop bits we get the clean 8-bit data and the Citadel pattern. It is worth nothing that processing the new stream, the analyzer easily detect the encryption (pic. 3).

Pic. 2
Pic. 3
The same issue may occur analyzing a Baudot (ITA-2) coded stream: five data bits, no parity bit, one start bit and two stop bit. The example is related to a STANAG-4285 transmission in clear text (no encryption and no re-protocolled) from French Navy FUG8. The bit analyzer correctly returns an 8-bit period and after removed the extra bits added by ITA-2 (1 bit start + 2 bits stop) we get the well-known text "VOYEZ VOUS LE BRICK..."

Pic. 4

Pic. 5
Then a big help comes from the period returned back from the analyzer: not always a stream is encrypted or looks not identifiable, sometimes it's only processed as synchronous when it's coded in async mode.

18 March 2016

CIS 5 x MFSK-16 + BPSK 250Bd


this interesting signal (supposed to be used by "Russian Intelligence") has been heard on 13497.0 KHz and 15812.0 KHz USB on 30 October (from 1300z to 1330z) and on 15845.0 KHz USB on 18 March (from 1300z to 1320z).
The most interesting feature are the BPSK inserts, each 10 seconds, that modulate in turn 6 different 250 Hz spaced carriers at 250 symbols/sec. Apparently there isn't a certain order of choice of the six carriers or a sort of cycle so it's difficult to say something about the scope of these inserts. Since they do not carry informations, they could be sent for tuning filters and equalizing MFSK demodulator purposes, but it's only my guess.



About the MFSK part, it's possible to individuate five distinct MFSK-16 channels with tone separation of 20Hz and 10Bd speed


Most likely the signal is a sort of FTD waveform. All the heard transmissions end with the same ~860 ms sequence  2 frequencies, modulated in some frequency time shifted method.




17 March 2016

Turkish Mil, FSK 600Bd/400Hz & 1200Bd/800Hz KG-84C


weak signal heard on 10551.0 KHz/USB  0805z, variant of the more frequent 600Bd/400 reported here.


The low quality of my recordings does not allow its demodulation and then further investigations to check the presence of KG-84 encryption, anyway generally used in this kind of signals (FSK, both 600 and 1200 Baud speed). KarapuZ provided me a better quality recording so it was pretty easy to verify the KG-84 "flag"



13 March 2016

Sending files using MS188-110A and FED-STD 1052 App.B (H520) Data Link Protocol


FED-STD-1052 Appendix B (FS-1052B) specifies a first generation Data Link Protocol (DLP) layer with priority messaging and multiple pre-emptive resume queuing ARQ (it is basically the equivalent of MS188-110A Serial Tone as to the modems). The FS-1052B HF DLP as designed will work with other data modems and not just the FS-1052 and MS110A ST modems, as in this sample. However FS-1052 it is optimized for use with a data modem having those same data rates from 75-2400bps and also supporting auto-baud.
FS-1052B provides three modes of operation:
ARQ mode The primary mode of operation is the automatic repeat request (ARQ) mode, which provides for error-free point-to-point data transfer and
employ a control frame acknowledgment scheme.
Broadcast mode A secondary mode of operation is the Broadcast (non-ARQ) mode. The Broadcast mode allows unidirectional data transfer using fixed-length frames to multiple (as well as to single) receivers. No transmissions from the receiving terminal are desired or required.
Circuit mode The other secondary mode, the Circuit mode, allows a link to be established and maintained in the absence of traffic. The ARQ variable-length frame protocol is used along with a technique to maintain the data link connection in the absence of user data.  


In the samples below, signals come from the real-world, for example the above picture  is related to a link between the callsigns BS008CB and CS003A: after the link setup, performed by MS188-141 2-G, they go into MS 188-110 for data transfer. 
After removed MS188-110A headers and other stuff (scramber, interleave and FEC coding) the resulting bistream exhibits a clear 520 bits period that is characteristic of FED-1052 App.B or H520 protocol (pic 2)


pic. 1 - over-the-air bitstream, as demodulated by SA

In the case shown in pic.2, the transmission is performed through an exchange of protocol frames so here we face the primary ARQ mode.

pic.2 - FS-1052B in ARQ mode
If the data are corrupted (strong fading, interferences, too weak signal,...) the analyzer will print out the "CRC Error" message, moreover the sessions should be taken from the beginning to the end since any lack of bits affects the integrity of the data.

pic. 3 - FS-1052B in Broadcast mode
Each new transmission begins with a three byte (24 bits) frame synchronization pattern to identify the following traffic as DLP processed traffic. The frame synchronization sequence in hexadecimal format is "5C5C5C". The sync pattern is transmitted such that the first eight bits in order of transmission are "00111010". Note: As shown here in transmission sequence, the left-most bits are the LSBs (pic. 4). If a transmission contains more than one frame, a two-byte sync sequence shall be inserted between each pair of adjacent frames, this pattern (hexadecimal) is "5C5C".

pic.4 - frame synchronization pattern
The Frame Header fields (consisting of the Sync Mismatch Bit and the Frame Type bit) and then Control Frame Header fields (pic. 5) follow the 3-byte sync pattern: their possible values and meanings are illustrated in paragraph 50.1.2 of "FS-1052: Letter of Promulgation" (see the link at the end).
 
pic.5 - Frame Header and Control Frame Header fields

In Broadcast mode (the receiver does not send acknowledgments) the transmit peer sends 520 bits (or 65 bytes) fixed-length frames structured as (pic. 6):

a) 40-bits header
8-bits synchronization, depends on the communication line (observed patterns: "10010000", "10110000" 10001000");
8-bits descending counter indicating the frame number inside the block (pic. 7);
24-bits offset (in bytes) from the beginning of the message;
+
b) 448-bits information field;
+
c) 32-bits CRC field (computed over the preeceding 448-bits data).

pic.6 - 40 bits header
pic. 7 - the 8-bits descending counter
The information field can be obscured using cryptographic encoders such as KG-84A, KG-84C, KY-99, KY-57, KIV-7, KY-58 and  KY-68.

With this protocol, E-mail, files in MS-TNEF format, text messages, graphics extensions (TIF, GIF, JPG, BMP), Microsoft Word and Excel documents, Power Point presentations, PDF documents, HTML and other types of file can be transmitted: unfortunately, my analyzer does not have all handlers so, once removed FS-1052B protocol (pic. 8) the resulting stream/file may contain other protocols that will require further processing.
pic. 8 - after FS-1052B removal
FS-1052B is limited to a 2400bps maximum data rate by design, whereas the newer STANAG-5066 (second generation Data Link Protocol) has no such limitation.
An interesting  E-mail Performance comparison with 2nd and 3rd Generation Data Links protocols can be seen here (.pdf file).

About the user equipment, the popular Harris family of tactical HF radios includes models that implement a draft Proposed FS-1052B DLP (pFS-1052) they adopted and fielded years prior (!) to the published 1996 FS-1052 standard. So, more likely, the heard trasmissions just come from Harris tactical radios.

Links

8 March 2016

About CIS-3000, possibly a counterpart of NATO ALE ?


The so-called CIS-3000 is a single 8-ary PSK-modulated 2000 Hz carrier (pic. 1) and it's nick name is just due to its constant 3000 symbols/sec waveform. This single-tone signal provides a teoric limit of max 9000 bit/sec and neeeds about 3300 Hz bandwidth.

pic.1 - main characteristics of CIS-3000
CIS-3000 is allegedly almost 100% of Russian origin and possibly used by Intel/Diplo agencies. It can be seen either as a continuous stream and as bursts,  and very often used before MFSK-68 and OFDM-128 "Corvette" modem transmissions (pic. 2).


pic. 2
The burst waveform has been analyzed by radioscanner.ru friends and in this blog too; it is worth noting that in the analysis the radioscanner guys, mostly SergUA6, often use the terms "in this example only!" perhaps to draw attention to the existence of different CIS-3000 modes as, for example, the stream mode I heard and that is illustrated below in picture 3.
The first thing that strikes the eye is a sort of well-defined structure consisting of a preamble and data (say a superblock) that is repeated each ~3456 ms and indicated as "A" in pic. 3; in that same picture is also visible the repetition of the same structure "B" along the superblocks.

pic.3 - super-blocks and blocks repetitions

A more refined measurement of the length of the superblock "A" is obtained by the demodulation of the signal and analyzing the resulting bistream: the length is 31104 bits or 10368 PSK-8 symbols (exactly 3456 ms, as a confirm of the precision of SA), as shown below in pic.4 where the number of the lines just match the number of the superblocks (unless the initial sync and the final trailer).

pic.4 - the same signal seen by the bitstream analyzer
Processing the CIS-3000 bistream returns a characteristic period of 5760 bits length, or 1920 PSK-8 symbols. Besides the period,  another interesting characteristic are the sequences of repeated data: as shown in pics. 5-6, the same sequences are repeated either along "B" blocks and "A" superblocks. This means that the system transmits contiguous redundant informations (source and destination adresses?, commands?, controls?, ...), most likely to combat and reduce the effects of fading, interference, and noise.

pic.5
pic.6

Back to the burst mode, it's interesting to observe that this mode too has both the same 5760 bits length structure and redundancy feature (pic. 7),  although the repetitions in this sample seem to be limited to 3 times and then less "aggressive". So, the 5760 bits period length and the redundancy are certain characterstics of CIS-3000, regardless the stream or the burst mode.

pic.7 - structure and redundancy of a CIS-3000 burst
By the way, since the lengths of a single burst and a superblock are pretty the same (pic. 8), the stream waveform could be thinked as a sequel of burst sent side by side (preambles included), but it's only a my speculation.

pic.8
The substantial redundant format adopted by the system, like MS188-141 or CODAN PSK-8 selcall, and its use before MFSK-68 and OFDM-128 modems, leads to think that the CIS-3000 could be used  as a selcall or a sort of CIS counterpart of the NATO ALE.