24 December 2017

a MS-110A modem running in ASYNC mode

This is a sample of MIL-STD 188-110A Serial 75bps/L modem working in ASCII ASYNC mode and transporting a Citadel encrypted file. The transmission was heard on 7413.0 KHz/USB following a 188-141A handshake between two Algerian Air Force nodes: CM2 (Algerian Air Force Base - Oran, 2nd Regional Command Centre) and COF (Algerian Air Force HQ - Cheraga). 

In ASCII Asynchronous mode the bitstream consists of a 8N1 structure: one start-bit (0), 8 data-bits and at least one stop-bit (1). Each character is transmitted using a total of 10 bits and the 8 data bits are transmitted with the LSB first.

Fig. 1
Working in the ASYNC part, after removed both the start and the stop bits we get the clean 8-bit data where the characterstic pattern of the Harris "Citadel" encryption is easy to identify (Fig. 2).

Fig. 2
A similar example but related to Asynchronous STANAG-4285 can be read here:
http://i56578-swl.blogspot.it/search/label/Stanag-4285%20Async

You may use the MIL-STD Data Modem Terminal (MS-DMT) [1] to verify how the MS-110A works in ASYNC mode (Figs. 3,4)

Fig. 3 - MS-DMT settings for ASYNC mode
Fig. 4
[1]
http://www.n2ckh.com/MARS_ALE_FORUM/MSDMT.html
The latest MS-DMT test build is available at:  
www.n2ckh.com/MARS_ALE_FORUM/MSDMT32v200B1000TB1002_FI.zip

Thanks to  Steve Hajducek for the update, I suggest to subscribe his group at
https://www.facebook.com/groups/MARS.MIL.STD.TOOLS.LIB/




https://yadi.sk/d/1rw59Z0K3QuToC 
(MS-110 Async from Algerian AF)

2 December 2017

Baudot FSK 50Bd/100

.
This FSK transmission was copied on 6330.8 (cf) at 1128z: shift is clearly 100Hz while some problems arise when measuring the speed. Indeed, the measurement of the speed based on FFT may fail in case of non-integer number of bits as in Baudot/ITA2 code where the stop bit lasts 1.5 bit: in this case SA assumes an integer number of bits, so  it prints out a value of 53.47 Baud (Fig. 1)

Fig. 1
In such cases the speed shall be measured using the "raster" tool of SA (Fig. 2): the structure of the frame is 7.5 bit (1 bit start, 5 bit of data and 1.5 stop bit) and the time line is 299.4 msec for 15 bit that makes a speed of 50 Baud.

Fig. 2

Baudod decoders work fine and print out the content of the message after the RYRY sequence, in this case: "ZHGD ZHGD ZHGD DE N4O4 N4O4 N4O4 QRK ? +?". The user is not identified, probably Russian Military.

Fig. 4


update
my friend KarapuZ catch a similar transmission on 5565.0/USB,  callsigns are very similar to the once I had: "ZBNV ZBNV DE 7X6R 7X6R 7X6R QRK ? +?". 

So far, these are the heard callsigns:
ZBNV, ZHGD
N4O4, 7X6R


https://yadi.sk/d/K_eEO7cT3QFLLU

14 November 2017

SIGFOX, UNB IoT
by Angazu & Rapidbit

SIGFOX [1] is a signal for Internet of Things (IoT) with some features that predict a great future. The use of the spectrum, adapted to its purposes, does not waste resources as other systems do. Its advantages in terms of cost and efficiency have made its develop quickly and its main usage being the internet of things.
Its data capacity is very low (100 bps), allowing up to 140 messages per day, but enough for its uses. It is cheap and has good coverage. The signal is robust and not easy to interfere with. To this we must add that the battery consumption is minimal, and may last several years. It also uses the free band of 868 MHz  and does not require any type of SIM. The standard is the ETSI GS LTN 003 V1.1.1 (2014-09) [1]

The signal was received at home, probably from a near home alarm  system carrying out installation tests.
 
Spectrogram (edited) in Fig. 1 shows three segments (three "telegrams") in different frequencies. Each segment lasts about 2.1 sec and is separated by a dead time of about 42 msec. Each emission uses a different frequency within its allowed range. In what has been observed so far, it always transmits the  message 3 times using  a different frequency in every Tx.

Fig.1 - spectrogram
The spectral occupation (Fig. 2)  is about 200 Hz. In this case, there are quite a few lateral lobes  due to the proximity of the transmitter-receiver. The measurement was made about 30 dB below the peak.

Fig. 2 - spectrum
Estimated modulation speed is Differential BPSK at a rate of about 100bps, the overview of 3 frames (Fig. 4) is aligned  to 210 bits. (ID has been removed once demodulated).

Fig. 3
Fig. 4
Frame as per  etsi standard:



 [1]
 
 

7 November 2017

SkyOFDM 28-tone, 65.6Bd BPSK, 2.6KHz bandwidth


These transmissions have been spotted during the last weekend on 4155.0 KHz/USB by ANgazu using a remote KiwiSDR located in Norway.
The waveform has a bandwidth of 2600 Hz and uses OFDM technology for 28 channels, each with BPSK modulation at rate of 65.6 symbols/sec. Speed and modulation are confirmed by analyzing the whole signal and also a single channel.
Almost certainly it is a Skysweep Technologies proprietary waveform, probably test transmissions. The user is unknown.

Fig. 1 - analysis of the whole signal
Fig. 2 - analysis of the upper channel



https://yadi.sk/d/pb0xIcWX3PUpUq

 

3 November 2017

CIS Selcall "Vishnya", FSK 150Bd/200

I spotted this short transmission on 7823.5 KHz/USB at 0827z, it's an FSK modulation with 200Hz shift and speed of 150bps. I asked my friend KarapauZ about the name of this system and he told me that this signal is correlated with the CIS Selcall and it's also known with the nickname "Vishnya" ("Cherry" in English language) from the name of the radio equipment R-016V "Вишня".
The signal is discussed here in radioscanner:



2 November 2017

radiosonde Vaisala RS92-SGP
(by: ANgazu,Rapidbit)

The RS92-SGP has been manufactured and marketed by the Finnish company Vaisala since 2003. It incorporates a Helix Antenna (QFHA=Quadrifilar Helix Antenna) for the reception of GPS satellites.

This type of radiotracer has a GPS receiver to determine its location and allow indirect measurement of wind speed and direction at altitude... The RS92-SGP has a silicon pressure sensor, a heated dual humidity sensor and a small, fast temperature sensor.
The synthesizer-based transmitter is stable and uses narrow bandwidth. The RS92-SGP radio sensor complies with the European ETSI standard for digital radiosondes operating in the 400 MHz band.
The SONDE MONITOR software allows the data transmitted by the RS-92 SGP to be decrypted, in particular the exact position measured with the aid of the GPS receiver on board, which makes it easier to locate it in the field.
Measurements carried out with the aid of a radio-sounder are relative to a specific place and time interval. In order for such data to be truly useful, polls conducted around the world must be synchronised. These polls are usually conducted at 00h and 12h GMT. Some stations carry out polls at 06h and 18h regularly.
More than 850 surveys are conducted, at least twice a day worldwide. The distribution of the radiosonde centres is not regulated on the planet's surface and developed countries in the northern hemisphere (82%) are better covered than deserts and oceans in the southern hemisphere (18%). 820 of these surveys are carried out by fixed stations and some 30 of them are carried out from ships, both merchant and regular lines.
Surveys are mainly carried out by meteorological services, but from time to time we may find ourselves with radio probes launched by:
- Weapons test centres (missile, ammunition and radiosounder testing).
- Scientific missions, atmospheric monitoring services (ozone measurements, radioactivity)
- Special campaigns for the study of regional climatology and meteorology.
- Artillery units, before firing practice.
- Radio sounding training centres (meteorological, military, manufacturers of radio sounders...)


Radiosondes are telemetry devices that measure various atmospheric parameters.
They are usually launched using a weather balloon and, while ascending and moving in the wind, transmit the data in real time. They can reach a considerable height, so reception is possible far away  from the launching point.
The signal for this entry , from a Vaisala RS92-SGP, was recorded near an airport somewhere in the south of Europe. Frequency was 403 Mhz.
This signal is a very interesting one since it shows a considerable Doppler effect due to both its ascent speed and its lateral displacement due to the wind (Fig.1).

Fig. 1
The  spectrum exhibits a phase modulated signal framed by two unmodulated tones (Fig. 2). Tones are separated 4800 Hz.

Fig. 2
Analyzing the signal as a whole, modulation speed is 4800 sps using a GFSK modulation, but filtering out  the outer tones to isolate the internal signal, result is a BPSK with a speed of 2400 sps.(Fig.3)

Fig. 3
Should the signal be demodulated as GFSK, result is a stream of manchester coded bits. Once manchester decoded, the bits are exactly the same as if the inner signal was demodulated as BPSK. Frame ACF is 1 s. There is a second ACF for character  of 4,16 ms (Fig. 4)

Fig. 4
Once decoded, frames are  2400 bits long (Fig. 5) using  8N1 characters.

Fig. 5
The combination of vertical and lateral velocity of the probe produces a doppler effect on the signal. In the image, the frequency variation in a tone for about 21 m (Fig. 6)

Fig. 6
The data transmitted can be demodulated using the ionosonde monitor by COAA (see links)

Fig. 7
Links:

29 October 2017

Maritime Interdiction Operations (MIOs) in Med'sea, a joint exercise?


The heard communications concern a Maritime Interdiction Operation (MIO) in Mediterranean sea and involve 2 vessels and one ashore station which acts as the net-control station by coordinating all the activities. It is not clear if  the heard activity is part of a routine patrol or rather a naval joint exercise. The ALE IDs used in communications (ie "CMOC", that could stands for Combined Maritime Operation Center), some terms in the messages (such as PUBEX, EVOLEX) and the "special" email domain name (here not reported for confidentiality) make me think to a MIO joint exercise. By the way, I did not find any related news in some specialized websites neither in press-agency sites.
The activity was heard on 7 and 8 MHz bands, expecially on 27 October. Communications  make use of 188-141 2G ALE for link setup while the messages are sent using a battle force email system based on STANAG-5066 HBFTP protocol. STANAG-4539/MS-110A are used as bearer HF waveforms, mostly QAM-64 9600bps and PSK-8 1200bps modulations (Figs 1,2). The STANAG-5066 addresses of the network nodes belong to the dummy block 10.000.000.zzz  which is not assigned to a country.
The language used for working out operational documents and for communications is English and French, this could be another hint in favour of a joint exercise.

Fig. 1 - STANAG-4539 transfer using QAM-64
Fig. 2 - STANAG-5066 stream
In addition to text or routine messages such as request to compress photos ("compresser la photo svp"), link informations ("liaison XXX to YYY par HF est nulle") or some ehortations ("veilles respecter le battle rythme et nous transmettre la situation RMP TN/DZ et vos position 12h00"), I saw some operational messages that are worth seeing. Although it could be a joint exercise, I avoid to go into details and some parts of these messages, as well as callsigns, are obscured or omitted for reasons of confidentiality of sensitive information. 

The firts two messages are related to the operation (tactical instructions?) and to the use of the MIO Board.

Fig. 3
Fig. 4
In Fig.5,  looks like they send informal ACP-like messages using email: note the from CMOC (Combined Maritime Operations Center?) to OTC (Operational Training Center?) header

Fig. 5
The operation was successull since the report on the interception of a boat of narcotrafficants (Fig. 6). Drug smugglers have thrown the material off at sea but it has been recovered by the navy sailors. Note how such reports are rigidly formatted in sections (termed "alfa", "bravo", "charlie") and sub-sections.

Fig. 6
Note also that in some messages, likely the more important ones, they make use of return receipts, as indicated by the MDN (Message Disposition Notification) tags in the email shown in Fig. 7 (turnaround time of 31 secs.). I saw MDNs in both English and French language.

Fig. 7
Many joint exercises (Phoenix Express, Morjane, Osis, MEDEX,...) take place every year in Souther Med'sea, so what I heard could be an ad-hoc scenario just established for this exercise.

update: 31 October 2017

...as expected:
http://en.aps.dz/algeria/20899-naval-force... 


23 October 2017

Japanese Navy "Slot Machine" w/ traffic forwards


Japanese Maritime Self-Defense Force ashore transmission from Ichihara, also known as "Japanese Slot Machine" (Enigma Designation XSL), with traffic segments  heard on 8590 KHz. Modulation used is QPSK 1500Bd (Fig. 1). The data frame structure consists of 140 symbols (28K+112U) with a 700-symbol super-frame (Figs. 2,3).
Streaming from remote SDR HL5NTR in South Korea, kindly sent me by ANgazu.
 
Fig. 1 - used modulation and ACF value

Fig. 2 - 140 symbols (28K+112U) frame structure


Fig. 3 - 700 symbols super-frame (5 frames length)



https://yadi.sk/d/67HAXeAK3NzqJn




21 October 2017

strong 4+4 π/4 DQPSK 75Bd Chinese modem


Strong copy of the 4+4 DQPSK 75Bd Chinese modem on 17149.7 KHz/USB at 0915, 1128 and 1129 UTC.

Fig. 1
Fig. 2
Fig. 3
Note the different periods in preamble, 36-bit length, and data segments, 12-bit length: most likely a 6-bit structure signal with 1 stop bit (Fig. 6)

Fig. 4 - 36-bit period in the preamble segments
Fig. 5 - 12-bit period in the data segments
Fig. 6 - 6-bit signal

The same signal was also heard few hours later (around 1130z) at -91dB and no QSB: too good conditions for a signal coming from China:


By the way, the Algerian Navy recently acquired three C28A Corvettes built in China [1] by Hudong-Zhonghua Shipbuilding Group, a subsidiary of China State Shipbuilding Corporation, this could explain the strength of the signal.

[1]http://www.defenceweb.co.za/...Sea&Itemid=106