28 February 2017

a possible variant of the CIS-48 OFDM modem


This signal was copied on 9905.0 KHz/USB at 0922 UTC 22 February, although the poor quality of the recording (it mostly depends on the signal weakness) some interesting characteristics can be obtained from its analysis.
Once the signal has been processed with a pass-band filter, the spectrum reveals the presence of 48 tones (Fig. 1) which are confirmed by the SA-OFDM module: in particular the 48 tones are 62.5 Hz spaced and are keyed at a symbol rate of 50 symbols/sec (Fig. 2); the "magic K" value is very good, ie 1/4, meaning a quite consistent result.

Fig. 1
Fig. 2
The poor quality of this sample does not allow to detect what kind of modulation is used in the channels (possibly 4-ary?) anyway it's possible to see that a special/service symbol, consisting of a certain combination of used/unused & modulated/unmodulated tones, is sent each 102 symbols (Fig. 3):

Fig. 3
The body of the signal is preceeded and followed by 6 tones, the initial ones are modulated with BPSK at 100 symbols/sec (Fig. 4)

Fig. 4
The CIS-48 OFDM modem is mentioned several times in radioscanner.ru forum and my friend KarapuZ, who helped in the identification, addressed me to one of his posts just related to CIS-48:
From these readings I may understand that some variants of this modem are on-air and most likely this is one of these: better and further recordings just of this signal, as well as your comments, would be needed.




 

25 February 2017

a new S4285-like waveform (most likely a new Iraqi waveform)


The signal appears on-air as a PSK-8 modulation of a 1800Hz single tone, symbols rate is the quite usual 2400 Baud (Fig. 1). ACF is 120 msec, that makes 288 PSK-8 symbols per frame or a 864-bit length period (Fig. 2).

Fig. 1
Fig. 2
The structure of the frame resembles the well-known Stanag-4285 waveform: the initial 63 symbols preamble is followed by four data blocks, each block consisting of 51 unknown symbols (user data) and 7 known symbols (mini-probe); the last block is transmitted w/out the miniprobe (Fig. 3). As said, each frame is transmitted each 120 mesc.
Looking at the constellation, the two pronounced points lead to think to a BPSK modulated preamble which is probably not scrambled (just as in Stanag-4285) and use Walsh modulation (Fig. 4).

Fig. 3
Fig. 4

The recording was sent me by KarapuZ and his friends, translators have identified the language as Iraqi (sometimes voice comms were copied in between the data exchanges) and are inclined to think  to marine coast stations. Transmissions were copied on several USB frequencies such as 7997.0, 8228.0, 8250.0, 8458.0, 8613.0, 17380.0,...



24 February 2017

chasing HAARP

photo from Chris Allen twitter account
On 19-22 February, scientists used the HAARP (High-frequency Active Auroral Research Program) research instrument to conduct multiple experiments, including the so-called "Luxembourg Broadcast" and creation of "Artificial  Aurora". Radio listeners  were able to tune HAARP radio transmissions in real time by following Chris Fallen, Assistant Research Professor in the Space Physics Group at UAF, on twitter during his experiments at HAARP.  
I too tried to  follow the HAARP transmissions on 21 and 22 February and other than a fake transmission I had also a copy, or better a "track", of the 22 February Artificial Aurora transmission: short report follows below.

21 February,  a fake transmission
The alarm clock rings at 0300 UTC (0400 CET), just a coffee and then in front of the radio hoping to catch the Luxembourg Broadcast scheduled for that session/time. Propagation is quite good and I tune alternately to 2.8 and 3.3 MHz (the advertised frequencies), although both the frequencies are under my eyes in the portion of the band displayed in the SDR waterfall. Since the exact frequencies of the transmissions are not known until shortly before the experiment begins, I follow the operational updates published in @ctfallen, a special twitter account.
Looking for the Luxembourg Broadcast on 2.8 and 3.3 MHz, at 0314 UTC I copy a short CW transmission on 2.8, repeated few seconds later on 3.3 MHz (Fig. 1). The Morse coded message is the bare "vvvvv de haarp" which exhibits a wrong keyd "p" (uh?). The too-simple message, the not uniform separation between tones, the wrong "p" and the HAM style of the keyer make me think of an European "joker" and thus of a fake transmission!
I send images and recordings to Chris Fallen and his team, warning about a possible fake transmission by some European joker: initially they tend to confirm the reception, but after further analysis they realize that the copied transmission was really a fake (as supposed).

Fig. 1 - the 21 Feb 0314UTC fake transmissions

22 February,  Artificial Aurora transmission
Too tired to wake up early in the morning, I choose for an off-line listening and program SDR-Console for a timed IQ recording starting at 0330 untill 0500 UTC 22 February. In the afternoon I analyze the file and, given the propagation conditions and the HAARP antennas beam, I decide to read the recordered band using the powerfull QRSS viewer by I2PHD ("Argo"). Since the need to know the exact frequencies, as said, I browse the 22 February operational updates in @ctfallen. Indeed, for Artificial Aurora experiments they have to match the frequency to the specific peak plasma density altitude by operating a low power scanning ionosonde and then pick the main transmitter frequency based on the ionosonde analysis.
At ~0400 UTC Chris Fallen says:
3.4 MHz (and 9.5 MHz probe) tune in! If in Aalaska maybe try to photograph the artificial auroral spot"
here we are: using the IQ file navigator I move on 3.4 MHz @ 0400 UTC to dig the signal ...and I find it: although weak, a track of the Artificial Aurora transmission is visible just in the place and time at which it was to be. Quoting Fallen,  "the broadcast only sounds like a silent carrier wave, as if a radio DJ fell asleep and neglected to change the record" (Fig. 2). Note that the 1025Hz track in the QRSS waterfall is due to the 1 KHz offset (I was tuned on 3999.0 KHz/USB) plus the 25 Hz calibration error of my receiver.

Fig. 2 - the 22 February 0400 UTC Artificial Aurora transmission


Operation of the HAARP research facility, including the world’s most capable high-power, high-frequency transmitter for study of the ionosphere, was transferred from the U.S. Air Force to UAF in August 2015. Research funding agencies include the National Science Foundation, Department of Energy’s Los Alamos National Lab and the Naval Research Laboratory.

For more details on the dates and times of Fallen’s experiments, as well as information, visit:
Information is also available at the HAARP website, the UAF:  
and the official UAF HAARP Facebook page:

Address from The SWLing Post page:

19 February 2017

a 3G Multicast Data Link w/ NAKs?


few days ago, 16 Feb, I copied a 3G-HF transmission on 10958.0 KHz/USB consisting of an initial FLSU PDU (BW5 burst) followed by 13 not-ACKed LDL PDUs (BW3 bursts) and ending with a single BW4 burst: since LDL is a stop-and-wait ARQ protocol, ACK burst were expected. This scenario recalls the 3G Multicast Data Link with NAKs (MDLN) protocol previously copied and reported here (Fig. 1).

Fig. 1
I could not find official NATO/Stanag documentations about the 3G Multicast but only some "proposed" papers; Multicast MDL Protocol is still cited as "still in development" in STANG-4538 Amendment 2 Draft 0.3, the one at my disposal, thus the following are my suppositions based on the clues which I can see, so, comments are welcome (after all, this blog is just a collection of notes and experiences of a digital signals enthusiast and amateur analyst and does not claim to be a scientific blog).

Multicast Data Link protocol (MDL/MDLN) shares many of the characteristics of the other 3G data link protocols but unlike the 3G ARQ protocols, MDL links employ the one-way link setup: each transmission begins with an TM,  FTM or FLSU PDU that indicates the MDL mode that will be used in the remainder of the transmission.
The MDL_Data PDUs use the BW2 and BW3 burst waveforms used in HDL and LDL: in this case the MDL-288, a stream of 288-byte bursts, is used (as known the BW3 data section can be any multiple of 32 bytes, from 32 up to 512 bytes).
Fig. 2 - BW3 frame
The transfer ends with a BW4 burst, Fig. 3, most likely acting as MDL_EOM PDU (any PDU sent using BW4 in the forward direction is an EOM PDU).

Fig. 3
Sending an FLSU_Terminate would impose a triple demodulation requirement [1] on the receiving stations (they do not expect BW5 bursts) thus, as it happens in LDL transfers, the calling station sends an MDL_EOM PDU (BW4 burst) to signal the receiving stations that the datagram has been transferred, and hence will send no more MDL_Data PDUs for the current datagram.  MDL_EOM PDU would use BW1 burst in case of MDL-5k (HDL BW2 used for MDL_Data)?

Once demodulated, the received datagram transports Harris Citadel off-line encrypted messages (Fig. 4) 

Fig. 4

[1] Dual Demodulation clarifying example:
PU1 issues a FLSU_Request to PU2, requesting LDL ARQ traffic. PU2 issues a FLSU_Confirm that is not received by PU1 due to poor propagation. Since PU2 must only look for at most two waveforms, it looks for the LDL Forward Packet waveform (BW3) and the LDL_EOM PDU (BW4). Thus, in order to terminate the link due to missing the FLSU_Confirm, PU1 must send a LDL_EOM followed by a FLSU_Terminate.





16 February 2017

STANAG-4538 "Circuit Mode" (a 3G-2G switching)


an interesting sample of a 3G-2G switching copied on 7780.0 KHz/USB: the handshake is performed with FLSU bursts (ie 3G-ALE) and user data are sent using MIL 188-110A serial (a 2G HF waveform), last FLSU bursts terminate the link (Fig. 1).

Fig. 1

In this scenario the traffic service is termed “Circuit Mode” in STANAG-4538 and  is used when an HF data continuous waveform (not a burst waveform) will be used to convey traffic after link establishment. The FLSU_Request specifies the traffic waveforms that will be used during circuit mode, for example MIL 188-110A (as in this recording), STANAG 4285, STANAG-4539 or other. Once circuit mode begins, any station can initiate transmissions using the specified traffic waveform. A CSMA/CA process is recommended to avoid collisions (Fig. 2)

Fig. 2

Same operational contest was copied on 11132.0 KHz/USB (Figs. 3a, 3b): these are more likely  test sessions that involves both the packet mode (the used datalink protocols are HDL+ and LDL over BW3-BW4 burst waveforms) and the circuit mode (the HF waveform is MIL 188-110A serial). These (test?) transmissions are probably from Algerian Military.

Fig. 3a
Fig. 3b


A STANAG-4538 circuit mode traffic was also copied by my friend Mike (ak mco) on 9003.0 KHz/USB (Fig. 4) who sent me his recording.  The sample consists of n-transmissions, each composed of a MIL 188-110A transfer running at 300bps, preceeded and terminated by BW5 bursts which control the link. More precisely, 188-110A frames transport Harris proprietary Citadel encrypted data, Fig. 5, so it's difficult to say what sits behind.

Fig. 4
Fig. 5

(9003.0 KHz)
https://yadi.sk/d/GCq28TAjzSYzU

8 February 2017

STANAG-4538: 3G-ALE FLSU Async call with Linking Protection

Another decoded sample of FLSU Async call is shown in Figure 1: the first 15 PDUs clearly exhibit alternating patterns that, in my opinion, make sense only in case of Linking Protection mode enabled.

Fig.1
But how Linking Protection works in 3G-ALE networks?
Linking Protection (LP) encrypts only the PDUs used for link setup, traffic setup, link maintenance, link termination, and data link acknowledgement. LP scrambles PDUs using a scrambling algorithm that depends on a key variable, the time of transmission of the PDU, and the frequency on which it is sent (the latter two dependencies enter via a so-called “seed” that is distinct from the key variable): this achieves the two purposes of authenticating each transmission, and combining the called-PU network number with the other bits in an LSU PDU. Indeed, the network number of the called station is used in the linking protection as shown in Figure 2:  the network number is replicated to match the length of the LP encryption key in use in the network, and then exclusive-ored with that key for use as the key in the LP algorithm. 

Fig.2
The seed format is shown in Figure 3, one may read the description of the fields in the paragraph "9.2 Seed Format" of STANAG-4538 profile: for the scope of this post I consider only the fields CVI and Word 

Fig.3
The CVI (Code Validity Interval) field specifies time-units within each day. Normally, this field contains a count of the number of CVIs that have completely elapsed since midnight network time; the Word field is used to count PDUs within a CVI.

For what concerns the formation of the seed and the scrambling procedure, it's important to note that  once a linking process is started using a specific CVI, the calling PU must not change the CVI even if a CVI boundary is crossed during the linking process.
That said, the scanning asynchronous-mode call PDUs are scrambled using alternating Word Numbers 00000000 and 00000001 and the call PDU that concludes an asynchronous-mode call is scrambled using Word Number = 00000010. This means that the same 50-bit PDU is scrambled 15 times (in this sample) using two alternating keys, that's the reason of the alternating patterns seen above (Fig. 4).

Fig.4
One could say that  the last PDU contains a valid 3-bit identifier in the protocol field  ("001") but I think it's a coincidence. Indeed, the scrambling procedure use the SoDark-6 algorithm (48-bit length) and then only the last rightmost 48 bits of each FLSU PDU are scrambled so the remaining bits, ie the first leftmost two bits, are sent without scrambling.
An example of "unprotected" asynchronous FLSU call can be read here

7 February 2017

a modified/proprietary MIL 188-110B/C Appendix C waveform

(updated)
It may happen that manufacturers sometimes modify one or more parameters of standard HF waveforms and then obtain proprietary waveforms (and modems) as in the case of these signals, copied today on 8207.0 KHz/USB around 0940 UTC (Fig. 1).

Fig. 1
The different fadings that affect the bursts lead to think to two stations operating in half-duplex mode. Each burst has a ~2520 msec duration and consists of a 1500Hz single tone modulated with PSK-8 modulation at a costant symbol rate of 1800Bd (Fig. 2): that's a bit odd since we are used to observe PSK-8 modulations coupled with 2400Bd speed and 1800Hz sub-carrier.

Fig. 2
Things get more interesting analyzing preamble and data blocks structure. The first part of the preamble consists of seven blocks of 184 PSK-8 symbols and the data blocks are structured in frames consisting of 287 PSK-8 symbols (ie 861-bit period), as shown in Figure 3.

Fig. 3a
Fig. 3b

This is clearly a MIL 188-110B/C Appendix C (or STANAG-4539) modem, but what about the symbol-rate (1800Bd) and the sub-carrier (1500Hz)?
As said above, modem manufacturers may change one or more parameters of the HF waveforms: in this case we face a sort of underclocked STANAG-4539 modem, ie the modulation speed is reduced from 2400 to 1800 Baud as well as the sub-carrier frequency from 1800 to 1500 Hz.
Let's see a trick (thanks to KarapuZ) that prove that it's a S4539 modem: correcting the baud-rate and shifting the signal (Fig. 4) we get the right S4539 3200bps/short interleaving waveform which can be easily processed and demodulated (Fig. 5).

Fig. 4
Fig. 5
By the way, the signals transport STANAG-5066 data.

Another clue to identify the modem/manufacturer is the 1250Hz "roger beep" sometimes heard during voice-comms before the data transmissions. Helps are welcome.

A good "candidate" could be the CODAN 3212 HF-modem, this modem use a modified STANAG-4539 (188-110B App.C) to fit 2400 Hz channels (thanks to Johannes for the hint):
https://www.codanradio.com/product/3212-7200-bps/ 







5 February 2017

CV-786 (TRC-75) FSK 75Bd/850Hz bursts


CV-786 is a synchronous wideband FSK mode compliant with STANAG-4481, shore-to-ship RATT FSK 75Bd/850 waveform: in this sample the bursts transport KG-84C on-line encrypted contents. I copied a long-run transmission (...hours) on 11464.0 KHz/USB with 2 KHz offset; given the strong signal, the tx site could be the US military base in Niscemi, Sicily Island Italy.

CV-786 mode is built in Rockwell-Collins MDM-2001 HF Modems and used in TRC-75 transceivers: