7 July 2016

"T-207" recognition in CIS VFT systems

Some days ago I heard some CIS VFT systems, and one of them in particular, a six-channel 100Bd/120Hz system, caught my attention. I had already logged it, but I sent its main parameters (speed, modulation and shift) to my friend Karapuz, asking if he knew the real name of that signal or of the modem. He told me that last January he had the same receptions, and pointed me to an interesting discussion on radioscanner.ru about the encryption/coding used in such signals: T-207. Although radioscanner is entirely in Russian, reading the opinions of the expert analysts on that forum was interesting, and I could figure out how to detect the presence of T-207. In this post I describe how I looked for its "signature" in some CIS VFT signals, namely:

a) 3 x 100Bd/1440Hz VFT system
b) FSK 100Bd/2000Hz (but not in all FSK 100Bd/2000)
c) 6 x 100Bd/120Hz VFT system


replicating the experiments seen on radioscanner.ru and getting the expected results.
By the way, these VFT systems are easy to receive (with good strength, at least here in JN52) on 13-16 MHz USB bands, mainly during the morning and seldom during weekends.
 
Given the lack of official documentation, it is difficult to say much more about the (former Soviet) T-207. The people on radioscanner talk about "equipment", and it is regarded as an in-line ciphering device. T-207 is quite old and is used by CIS Mil as well as by Ukrainian Mil or other Ukrainian governmental users such as diplomatic and/or intelligence services, allegedly as a Soviet communication legacy.
Thanks to its features, T-207 can be connected to several modems, hence it can be found in several FSK waveforms; it has to be detected manually by processing the demodulated bitstream and checking whether it matches the criteria described in the cited post.
First we have to choose a 14-bit period for the bitstream, then focus on the first 12 positions and count the number of "1" symbols:
- if the count is 2, 6 or 10: the last two symbols (13th and 14th bits) must be 10
- if 3 or 7: 00
- if 4 or 8: 11
- if 5 or 9: 01
If the count is 0, 1, 11 or 12, it can be assumed that the last two symbols will be 11, 01, 00 and 11, respectively. These rules are shown in Tab. 1.
Tab.1 - T-207 criteria
Since the above rules presumably act as a synchronization mechanism, the signal will be decoded and decrypted once columns 13 and 14 have been removed.

 a) 3 x 100Bd/1440Hz VFT
fig. 1 - 3 x 100Bd/1440Hz VFT
In this signal we have three channels modulated at 100Bd and a pilot tone at ~3300 Hz (a characteristic feature of Russian systems). Every channel has a 1440 Hz shift and 100 Baud speed; the channels are separated by 480 Hz steps and interleaved as in figure 1.

In my test I used the lower channel (fig. 2).
 
fig. 2

The obtained bitstream must be processed using right/left shifts (one bit at a time) and sometimes negative polarity: the criteria of Tab. 1 must be checked in all the rows at each shift step, and if they fail we go on shifting. Apart from possible interference and demodulator errors, I confirmed the T-207 signature (fig. 3).
 
fig. 3
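
The shift-and-polarity search described above, written out as an added example (it is not code from this post or from radioscanner.ru). The bitstream is constructed, not a recording, and all function names are hypothetical; the check table is Tab. 1 reduced modulo 4, which reproduces every row of the table.

```python
import random

PERIOD = 14
# Check pair (bits 13-14) per count of ones in bits 1-12. Every row of Tab. 1,
# including the assumed cases 0, 1, 11 and 12, depends only on the count mod 4.
CHECK = {0: (1, 1), 1: (0, 1), 2: (1, 0), 3: (0, 0)}

def row_ok(row):
    """True if one 14-bit row satisfies the Tab. 1 criteria."""
    return tuple(row[12:]) == CHECK[sum(row[:12]) % 4]

def rows_at(bits, shift, invert):
    """Cut the stream into complete 14-bit rows at a given shift and polarity."""
    if invert:
        bits = [b ^ 1 for b in bits]
    return [bits[i:i + PERIOD] for i in range(shift, len(bits) - PERIOD + 1, PERIOD)]

def score(bits, shift, invert):
    """Fraction of rows passing; uniformly random bits pass about 1/4 by chance."""
    rows = rows_at(bits, shift, invert)
    return sum(map(row_ok, rows)) / len(rows) if rows else 0.0

def find_signature(bits):
    """Try all 14 shifts and both polarities; return (score, shift, invert)."""
    return max((score(bits, s, inv), s, inv)
               for s in range(PERIOD) for inv in (False, True))

def payload(bits, shift, invert):
    """Rows with columns 13 and 14 removed (the 12 remaining bits per row)."""
    return [row[:12] for row in rows_at(bits, shift, invert)]

def make_sample(n_rows, shift, invert, error_rate, seed):
    """Constructed stream: random 12-bit rows plus check bits, not a recording."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(shift)]  # leading bits before row 1
    for _ in range(n_rows):
        data = [rng.randint(0, 1) for _ in range(12)]
        bits += data + list(CHECK[sum(data) % 4])
    bits = [b ^ (rng.random() < error_rate) for b in bits]  # demodulator errors
    return [b ^ 1 for b in bits] if invert else bits

if __name__ == "__main__":
    stream = make_sample(n_rows=200, shift=5, invert=True, error_rate=0.01, seed=1)
    best, shift, invert = find_signature(stream)
    print(f"best match {best:.0%} of rows at shift {shift}, inverted={invert}")
```

Any single bit error inside a row makes that row fail the check, so on a real demodulated stream the best score will be high but usually below 100%, while wrong shifts stay near 25%.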

b) FSK 100Bd/2000Hz 
fig. 4
Not all the FSK 100Bd/2000Hz waveforms exhibit the T-207 signature: since the VFT systems are used by the main "home" station, we have to find the corresponding outstations that just work using the FSK 100Bd/2000Hz in duplex mode, as shown in figure 5. One could say that this waveform is in some way complementary to a VFT system.
The IQ recording of the FFT visible in fig. 5 was kindly given by Karapuz.

fig. 5
Once it was demodulated, I had to repeat the same procedure seen above. Results are shown in figure 7.

fig. 6
 
fig. 7

c) 6 x 100Bd/120Hz VFT

Fig. 8
The 6 x 100Bd/120 system (a variant of the 3 x 100Bd/1140 system) allows six independent channels, each of which exhibits 440 Hz shift and 120 Baud speed; in this sample the one-of-six mode is used. The T-207 signature was found after processing the demodulated bitstream in the usual way, as in the previous examples (figs. 9, 10).

fig. 9
fig. 10
According to these results, it seems that T-207 is a prerogative of (at least) these VFT systems.
