6 October 2016

cars, chameleons, networks, and other stories (I)

For some days I have been monitoring (and I'm still monitoring) some frequencies in the 5 MHz band, hearing curious MIL 188-141A "car" addresses such as OPELHFMREZA, VOLVOHFMREZA, ... (denoted here as the HFMREZA net), as well as FORDBRTP and FORD1BRTP (BRTP net), and some other ones in the format 1PB, 2PB, ... (PB net) and ABC7, ABD1, ... (AB net). This post is about the identification of the first three networks; a second post will cover the AB network and possible updates. Maybe I will be criticized for sharing this kind of "do-it-yourself COMINT", but its purpose is only hobbyist; sensitive and confidential message contents, if any, are in any case not published.

car-HFMREZA net (5120.0 kHz)
MIL 188-141A is used for the link setup and, after the 3-way handshake, data are sent using STANAG-5066 with MIL 188-110A as the HF waveform (fig. 1): a quite common 2G configuration. The prefixes used in the ALE addresses are popular automotive brands such as FIAT, FORD, OPEL, SKODA and VOLVO, while GAMA is maybe the less popular "Georgia Automotive Manufacturers Association" or the GAMA Automotive Center, but it could also be intended as the third letter of the Greek alphabet or as "collection". As a further option, in my opinion the most interesting, GAMA was a German maker of toys, usually cars and trucks.
Anyway, at least in my logs, GAMA always initiates the ALE sessions which precede the data transmissions, thus acting as the net-control station.

fig. 1
In some bitstreams, obtained after removing the S-5066 headers, I could find compressed files originated by the HBFTP protocol. As is known, BFTP (Basic File Transfer Protocol) is based on the ZMODEM protocol and is often used in conjunction with the CFTP protocol to transfer e-mail messages from one SMTP e-mail server to another, as specified in Annex F of the S-5066 profile. The file HBFTP--3.gz is shown in this example (fig. 2).

fig. 2 - BFTP zipped file

Since BFTP is used for informal interpersonal e-mail only, it may happen that such messages are transmitted in clear text, thereby facilitating the identification of the network through the contents and the headers added by the SMTP server that forwards the e-mail message. As expected, and with a bit of luck, the extracted file HBFTP--3.eml offers some useful tips and clues.

fig. 3
The points indicated as 1 and 4 give information about the configuration of the station(s). The e-mail addresses wmtuser@GAMA.ok and wmtuser@VOLVO.ok reveal that the messaging system, and most likely the connected radio, are provided by Harris: wmtuser, or WMT user, is just the default username used in the Harris RF-6750W Wireless Gateway (WG) and RF-6710W Wireless Messaging Terminal (WMT). The underlying PC runs a Microsoft OS, likely Windows 2000 Professional or Windows XP Professional; Office Outlook is the e-mail client running at GAMA, but Outlook Express is also used (e.g. at station VOLVO).

From the timestamp, point 3, we can get information about the geographic area, since it exposes the time zone of the system: in this case +0200, i.e. GMT+2. The time zone helps European people like me to parse the hostname osbihbutmir, visible in point 2, and the suffix HFMREZA. Indeed, the latter can be split into HF MREZA, where MREŽA is a Slavic word for "network" (Google Translate is your friend): the geographic area matches the time zone. About the hostname, since BiH is a well-known ISO country code for that area, osbihbutmir could be split into "os bih butmir". Well, now let Google do the work for you: simply enter that string, hit enter, browse a few result pages and you will get the HF network we're talking about.
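The header review described above can be automated. The following Python is an added example (not code from the post): it parses a constructed message and lists the identifying facts that a clear-text e-mail gives away through its headers, the kind of review an operator would run on outbound mail before letting it go over an unencrypted link. The e-mail addresses follow the post; the hostnames, date, Message-ID and X-Mailer value are invented for this example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message, not a captured one: the addresses follow the
# post (wmtuser@GAMA.ok, wmtuser@VOLVO.ok); hostnames, date, Message-ID and
# X-Mailer value are invented for this example.
SAMPLE_EML = """\
Received: from hq-gateway.ok (hq-gateway.ok [10.1.1.10])
\tby relay.ok with SMTP id 20161006A; Thu, 6 Oct 2016 10:15:02 +0200
From: wmtuser@GAMA.ok
To: wmtuser@VOLVO.ok
Subject: test
Date: Thu, 6 Oct 2016 10:14:55 +0200
Message-ID: <20161006101455.0001@hq-gateway.ok>
X-Mailer: Microsoft Office Outlook 11
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

test message
"""

# "from <host>" / "by <host>" tokens inside Received: headers
RECEIVED_HOST = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9][A-Za-z0-9.\-]*)")


def header_exposure(raw_message):
    """Collect what the headers of a clear-text message give away:
    relay hostnames, the sender's domain, the local time zone and the client."""
    msg = message_from_string(raw_message)
    hosts = []
    for received in msg.get_all("Received", []):
        for host in RECEIVED_HOST.findall(received):
            if host not in hosts:
                hosts.append(host)
    # The Message-ID domain is usually the originating host as well.
    message_id = (msg.get("Message-ID") or "").strip().strip("<>")
    if "@" in message_id:
        id_host = message_id.rsplit("@", 1)[1]
        if id_host not in hosts:
            hosts.append(id_host)
    # The Date header carries the numeric UTC offset of the sending system.
    tz_hours = None
    if msg.get("Date"):
        offset = parsedate_to_datetime(msg["Date"]).utcoffset()
        if offset is not None:
            tz_hours = offset.total_seconds() / 3600
    sender = msg.get("From") or ""
    sender_domain = sender.rsplit("@", 1)[1].strip("> ") if "@" in sender else None
    return {
        "hosts": hosts,
        "sender_domain": sender_domain,
        "tz_hours": tz_hours,
        "mailer": msg.get("X-Mailer"),
    }


def exposure_findings(raw_message):
    """Human-readable list of the identifying facts found, for an outbound-mail review."""
    info = header_exposure(raw_message)
    findings = []
    if info["hosts"]:
        findings.append("internal hostnames: " + ", ".join(info["hosts"]))
    if info["sender_domain"]:
        findings.append("sender domain: " + info["sender_domain"])
    if info["tz_hours"] is not None:
        findings.append("local time zone: GMT%+d" % info["tz_hours"])
    if info["mailer"]:
        findings.append("mail client: " + info["mailer"])
    return findings


if __name__ == "__main__":
    for line in exposure_findings(SAMPLE_EML):
        print(line)
```

Every item the function reports corresponds to one of the points numbered in fig. 3: the hostnames come from the Received and Message-ID headers, the time zone from the Date header, and the client from X-Mailer.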

The official site has an English version, so you can browse its pages and find much interesting information such as HQ locations, structure, sectors, multimedia and so on. Specifically, "Butmir" (indicated in the hostname of station GAMA) is the AF Operational Command HQ, and we have seen above that GAMA acts as the net-control node. About the other stations (VOLVO, FIAT, OPEL, ...), they belong to the "ok" e-mail domain, which almost 100% stands for Operativna Komanda, hence the HFMREZA net could be the main radio network. It is difficult to say their locations and their role in the "structure" diagram shown on the web site.
About the HF equipment, still from the web site we learn that Harris RF-5800 radios were already owned in September 2009, just seven years ago, during their participation in "NATO Combined Endeavor" as a PfP country.

I do not go further; anyone can obtain from the web all the (public!) information they want. Moreover, the e-mail contents, although interesting, are out of the scope of this blog.

PB net (5424.0 kHz)
The same origin and owner also emerge from the analysis of this network, even if the configuration of the nodes is a bit different: same ALE technology (188-141A) and HF waveform (188-110A), but messaging is achieved using FED-1052 rather than S-5066 (fig. 4). It's hard to say whether the choice of 1052 is due to specific requirements or whether the network is yet to be upgraded. The addresses logged during the monitoring are 5B, AB, 1PB, 1PC, 2PB and 3PB: 5B seems to play the net-control role.


fig. 4
Once the FED-1052 DLP protocol headers were removed, I got files with ARX and TNEF extensions.
Files with the .ARX extension are known as ARX Compressed Archive files; however, other file types may also use this extension. Regardless of the extension, a "path" inside the sender host is exposed in one of the received ARX files:


TNEF (Transport Neutral Encapsulation Format) is a proprietary e-mail attachment format used by Microsoft Outlook and Microsoft Exchange Server. TNEF attachments can contain security-sensitive information such as the user's login name and file paths, from which access controls could possibly be inferred. This format is probably used since TNEF files may contain information used only by Outlook to generate a richly formatted view of the message, such as embedded (OLE) documents or Outlook-specific features such as forms, voting buttons and meeting requests. Note also that native-mode Microsoft Exchange 2000 organizations will, in some circumstances, send entire messages as TNEF-encoded raw binary regardless of what is advertised by the receiving SMTP server. An interesting and complete description of TNEF can be read here.

One of the TNEF files obtained from the monitoring is shown in fig. 5.


fig. 5
Point 3 confirms the use of Harris equipment (although confirmation is hardly needed given the use of FED-1052), but the most relevant are points 1 and 2, which show the stations in play: specifically (from the cited web site) 3PB stands for 3 Pješadijski Bataljon (3rd Infantry Battalion), with headquarters in Bijeljina, and 5B stands for 5 Pješadijska Brigada (5th Infantry Brigade). By the way, all the addresses heard from this network can be easily "humanized" through the official web site (thanks to Patrick for his hint).

About the contents, the TNEF4 file consists of Outlook MAPI strings, whose meaning can be retrieved from the web. I just want to point out that, since:
PR_ORIGINAL_SENDER_EMAIL_ADDRESS contains the e-mail address of the sender of the first version of the message, that is, the message before it is forwarded or replied to;
PR_DISPLAY_NAME contains the message sender's display name;
most likely this message is a reply sent by 3PB to a previous message received from 5B.
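The TNEF exposure discussed above (the attachment title carrying a local path, and the MAPI strings inside the attachment) can be checked mechanically. The following Python is an added example, not code from the post: it builds a minimal TNEF stream from constructed contents, parses it back while validating the signature and the per-attribute checksums, and lists attachment titles that carry a local path rather than a bare file name. The attribute ids used (attTnefVersion, attSubject, attAttachTitle, attAttachData) and the stream layout (little-endian signature 0x223E9F78, 16-bit key, then level / id / length / data / 16-bit checksum records) are the standard TNEF definitions; the attMapiProps block that holds properties such as PR_ORIGINAL_SENDER_EMAIL_ADDRESS and PR_DISPLAY_NAME is not decoded here.

```python
import struct

# Standard TNEF constants (stream signature and attribute ids, type in the high word).
TNEF_SIGNATURE = 0x223E9F78
ATT_TNEF_VERSION = 0x00089006   # atpDword
ATT_SUBJECT = 0x00018004        # atpString, null-terminated
ATT_ATTACH_TITLE = 0x00018010   # atpString, null-terminated: the attachment's file name
ATT_ATTACH_DATA = 0x0006800F    # atpByte: the attachment body
LVL_MESSAGE, LVL_ATTACHMENT = 1, 2


def _attribute(level, att_id, data):
    """Encode one TNEF attribute record: level, id, length, data, 16-bit checksum."""
    checksum = sum(data) & 0xFFFF
    return struct.pack("<BII", level, att_id, len(data)) + data + struct.pack("<H", checksum)


def build_tnef(subject, attachments, key=0x1234):
    """Build a minimal TNEF stream from constructed contents (not a capture)."""
    out = struct.pack("<IH", TNEF_SIGNATURE, key)
    out += _attribute(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
    out += _attribute(LVL_MESSAGE, ATT_SUBJECT, subject.encode("ascii") + b"\0")
    for title, payload in attachments:
        out += _attribute(LVL_ATTACHMENT, ATT_ATTACH_TITLE, title.encode("ascii") + b"\0")
        out += _attribute(LVL_ATTACHMENT, ATT_ATTACH_DATA, payload)
    return out


def is_tnef(blob):
    """True when the first four bytes are the little-endian TNEF signature."""
    return len(blob) >= 4 and struct.unpack_from("<I", blob, 0)[0] == TNEF_SIGNATURE


def parse_tnef(blob):
    """Return a list of (level, att_id, data) records, validating signature and checksums."""
    if not is_tnef(blob):
        raise ValueError("not a TNEF stream")
    pos = 6                       # skip signature (4) and key (2)
    records = []
    while pos < len(blob):
        level, att_id, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        data = blob[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated attribute 0x%08x" % att_id)
        pos += length
        (checksum,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if checksum != sum(data) & 0xFFFF:
            raise ValueError("bad checksum on attribute 0x%08x" % att_id)
        records.append((level, att_id, data))
    return records


def attachment_titles(blob):
    """Attachment file names carried in attAttachTitle records."""
    return [data.rstrip(b"\0").decode("ascii", "replace")
            for _level, att_id, data in parse_tnef(blob) if att_id == ATT_ATTACH_TITLE]


def exposed_paths(blob):
    """Titles that reveal a local path (drive letter or directory separator) on the sender host."""
    return [t for t in attachment_titles(blob)
            if "\\" in t or "/" in t or (len(t) > 1 and t[1] == ":")]


if __name__ == "__main__":
    # Constructed sample: one attachment whose title is a full local path, one bare name.
    sample = build_tnef("status", [
        ("C:\\Documents and Settings\\wmtuser\\report.doc", b"report body"),
        ("notes.txt", b"notes body"),
    ])
    print("TNEF records:", len(parse_tnef(sample)))
    print("exposed paths:", exposed_paths(sample))
```

Running the block on the constructed sample reports the single attachment whose title is a full path; on a real capture the same parser would be pointed at the TNEF file, and a message gateway could apply the same check before releasing an attachment.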


BRTP net (5025.0 kHz)
As for the FORDBRTP and FORD1BRTP addresses, belonging to the third monitored network, they probably form a two-point circuit rather than a network: so far I have never logged other xxxxBRTP addresses, at least on that frequency.
These stations use the same configuration as the first net (i.e. S-5066 + MIL 188-110A) as well as the "automotive brand" suffix in their ALE addresses. The traffic in this "circuit" seems to be less frequent and unfortunately I could not yet hear good-quality transmissions. My friend Kristian suggested Brigada Taktičke Podrške (Tactical Support Brigade) for BRTP.

Summarizing
From what we have seen above:
  1. the three networks are operated by the same authority;
  2. the HFMREZA net and the BRTP net use STANAG-5066 and 188-110A;
  3. the PB net uses FED-1052 and 188-110A;
  4. all three networks use 188-141A 2G-ALE technology, Harris equipment and Microsoft Windows systems;
  5. stations, and hence the networks, belong to different e-mail domains.

About the different messaging systems, it's worth noting that the Harris RF-6750 Wireless Messaging Gateway (WMG) software provides mixed-network compatibility between stations using STANAG-5066 and stations using FED-1052 by running simultaneous 5066 and 1052 sessions.

Processing the STANAG-5066 headers (thus excluding the 1052 PB net), it is possible to derive the on-air 5066 addresses of the (heard) nodes:

GAMAHFMREZA   000.000.000.001
FIATHFMREZA   000.000.000.003

FORDHFMREZA   ? (prob. 000.000.000.005) *
OPELHFMREZA   000.000.000.007
SKODAHFMREZA  000.000.000.009
VOLVOHFMREZA  000.000.000.011

FORD1BRTP     000.000.000.012
FORDBRTP      000.000.000.013

Note that, when alphabetically sorted, they use odd numbers in the 4th byte of the 5066 address.
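As an added example (not code from the post), the following Python handles the 5066 address notation used in the table above. A STANAG 5066 on-air address is a 28-bit (3.5-byte) value, written in dotted form with the first group limited to 0..15; the helpers convert between the dotted text and the packed value, validate the ranges, and check the numbering observation on the nodes listed in the post (FORD's value is the post's probable one and is flagged as such in the code).

```python
# STANAG 5066 node addresses: 28 bits, dotted notation a.b.c.d with a in 0..15.
ADDRESS_BITS = 28

# Nodes and addresses as listed in the post. FORDHFMREZA was not decoded;
# the post's probable value is used here and marked as such.
HEARD_NODES = {
    "GAMAHFMREZA": "000.000.000.001",
    "FIATHFMREZA": "000.000.000.003",
    "FORDHFMREZA": "000.000.000.005",   # probable, per the post
    "OPELHFMREZA": "000.000.000.007",
    "SKODAHFMREZA": "000.000.000.009",
    "VOLVOHFMREZA": "000.000.000.011",
    "FORD1BRTP": "000.000.000.012",
    "FORDBRTP": "000.000.000.013",
}


def parse_5066_address(text):
    """Dotted 5066 address -> packed 28-bit integer, with range checks."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted groups: %r" % text)
    a, b, c, d = (int(p) for p in parts)
    if not 0 <= a <= 15:
        raise ValueError("first group must be 0..15 (only 4 bits): %r" % text)
    for group in (b, c, d):
        if not 0 <= group <= 255:
            raise ValueError("group out of range: %r" % text)
    return (a << 24) | (b << 16) | (c << 8) | d


def format_5066_address(value):
    """Packed 28-bit integer -> zero-padded dotted notation as used in the table."""
    if not 0 <= value < (1 << ADDRESS_BITS):
        raise ValueError("value does not fit in %d bits" % ADDRESS_BITS)
    return "%03d.%03d.%03d.%03d" % (
        (value >> 24) & 0x0F, (value >> 16) & 0xFF, (value >> 8) & 0xFF, value & 0xFF)


def is_valid_5066_address(text):
    """True when the dotted text is a well-formed 5066 address."""
    try:
        parse_5066_address(text)
        return True
    except ValueError:
        return False


def fourth_bytes(nodes, suffix):
    """(name, 4th byte) pairs for the nodes ending in `suffix`, alphabetically sorted."""
    names = sorted(n for n in nodes if n.endswith(suffix))
    return [(n, parse_5066_address(nodes[n]) & 0xFF) for n in names]


def all_odd(nodes, suffix):
    """The post's observation: every node of the net uses an odd 4th byte."""
    return all(b % 2 == 1 for _n, b in fourth_bytes(nodes, suffix))


if __name__ == "__main__":
    for name, addr in sorted(HEARD_NODES.items()):
        print("%-13s %s -> 0x%07x" % (name, addr, parse_5066_address(addr)))
    print("HFMREZA net all odd:", all_odd(HEARD_NODES, "HFMREZA"))
```

The range check on the first group is the practical point: a value above 15 cannot be carried in the 28-bit field, so a "4-byte" reading of a 5066 address that starts with a larger number signals a decoding error rather than a new node.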

According to Harris terminology, one radio (with its own name, ALE/1052 address(es) and 5066 address) belongs to one station (with its own station name and e-mail address), and one or more stations belong to one e-mail domain: so each station has one unique e-mail address even if the associated radio has two or more 188-141A/1052 addresses.


Now, since:
  • the 5066 addresses are contiguous passing from the HFMREZA net (ending with 011) to the BRTP net (beginning with 012);
  • so far I have never heard "cross" links among the three networks (e.g. xHFMREZA <--> xPB), hence the ALE networks are not overlapping;
  • so far I have never heard traffic between two "peripheral" nodes (e.g. VOLVO <--> FIAT);

they could use a "star" network topology, or rather a "tree" topology, where traffic between two peripheral nodes, or between two net-control nodes, is routed outside the HF network. Indeed, looking at the routing rows in the e-mail headers (fig. 6), the stations have a "radio1" asset, and this could indicate the existence of a second radio (say radio2), at the same site, that belongs to a different station which, in turn, belongs to a different network and e-mail domain... but this is another speculation. Anyway, figure 6 also shows that each node is at 1-hop distance (DP and NP values).

fig. 6
I tried to replicate (part of) the HFMREZA star network according to the above assumptions (i.e. 1-hop distance nodes and no cross links): the results are shown in fig. 7.

fig. 7
Each station has the other stations in its routing table, and the final and next values are identical. There are no alternate routes, so there is only a single direct path (1 hop), as seen in fig. 6. I also simulated the transmission of a test e-mail to wmtuser@fiat.ok using Microsoft Outlook Express as the e-mail client: the outgoing message is accepted and placed in the TX queue (fig. 8).

fig. 8
Unfortunately I do not own Harris modems (the "Asset" column is empty) to simulate the transmission and hence obtain baseband signals for further analysis and comparison.

(to be continued)
