Thanks to the help of some friends of mine - Guido, J.S4538 and Karapuz - I've been studying these transmissions for several months and some of their characteristics (mainly their occurences and format) lead to think that this traffic is
most likely the encrypted "8-bit text ACP-127 (SV-7)" from the Swedish Armed
Forces, as indicated in one slide of their presentation of the HF2000
system at HFIA Metting 2010 [1] and reported below in Fig. 1 (at present I
don't know what the term "SV-7" stands for).
All
the transmissions use the MIL 188-110A Serial waveform with a data-rate
of 1200bps and modem running in ASYNC 8N1 mode, they are not
preceded by 2G/3G ALE neither by voice calls and happen many times per
day w/out an apparent sked. The transmitted 8-bit (encrypted) text can
be obtained using a 188-110A decoder that shall be configured to work in
ASYNC mode and 8N1 framing, or you may get the source bitstream by
configuring the output of the decoder as ASCII Bits: in the latter way
you have to manually remove the start/stop bits in order to obtain the
8-bit text (I mostly used this method to study the "format" of the bitstreams).
As well as with our receivers, monitoring is performed thaks to the use of four remote KiwiSDRs located in Sweden and Finland (Fig. 2)
So far these are the spotted frequencies thanks to Guido, J-4538 and Karapuz (all freq. are USB):
3034, 4228, 4321, 4373, 4396, 4408, 4513, 4522, 5242
Although in a small percentage, synchronous 188-110A transmissions (still 1200bps/Long) can be received in these channels.
A parallel monitoring of 4396 KHz (using KP20 in Finland) and 4513 KHz (using SM0KOT in the northern part of Sweden) was performed during the morning-time on 20 December 2017 and got some interesting points about these two channels. Looking at the waterfall in Fig. 3, the strengths of the received signals point out different transmitters sites; since the waterfall is related to KP20 SDR, frequency 4396 KHz - on the left in the waterfall - perhaps could be operated by the close Karlskrona Naval Base. Moreover, transmissions on 4396 and 4513 KHz occurred almost simultaneously during all the monitored time (Dec 20th, 2017) but actually it's impossible to say if they carried the same messages.
However, such behavior was not observed during the first seven days of January 2017: indeed, those two frequencies seem not to be used, as well as 4321, and the trasmissions happen on 4373 KHz (Fig. 4) which was spotted by Karapuz on 2 January.
➤ ๐ข๐๐๐๐ก๐ On Jan 8th, 4.3 MHz transmissions take place only on the new 4372 KHz. I do not know the reasons for these changes.
๐ด๐๐ ๐๐จ๐ซ๐ฆ๐๐ญ๐ฌ
Looking at the bitstreams, it's esay to see that headers and data are arranged in different formats, although the same "8N1" framing is used (Fig. 5).
"A" format (headers and data are shifted and separated) is used in 4373, 4396, 4408, and 4522;
"B" format (headers and data are contiguous) is used in 4228, 4321, 4513, and 5242;
"C" format (as in "A" but data appears as "fragmented" in separated blocks) is used in 3034.
(for what concerns the 3034 KHz I could record only very few 8N1 transmissions during long-time periods, perhaps it is related to a less used service)
Probably the different formats (and the one used in STANAG-5066 [2]) and the different Tx sites are due to the different recipients, ie: Army, Navy, Air Force and Civil Defence ...but it's only my guess.
๐ญ๐ก๐ ๐-๐ฌ๐ญ๐ซ๐ข๐ง๐ ๐ฌ ๐ข๐ง ๐ด๐๐ ๐๐ง๐ ๐-๐๐๐๐ ๐ญ๐ซ๐๐ง๐ฌ๐ฆ๐ข๐ฌ๐ฌ๐ข๐จ๐ง๐ฌ
The most important aspect is the presence of the Z-strings in the messages' headers: these are the same as the strings already seen in the data-blocks of the S-5066 transmissions from the Swedish Armed Forces [2]. Note also that in both the transmissions the Z-strings are contained within the same sequences (I catched tens of transmissions, for simplicity I show in Fig. 7 only two of these but the matches are in all the recordings).
The 8-bit transmissions use only the Z-strings ZAPD<L> and ZXPD<L> and both are used every day with a prominence of the latter. So far, these are the heard strings:
ZAPD flwd by B,C,D,E,F (ie: ZAPDB, ZAPDC,...)
ZXPD flwd by B,C,D,E,F (ie: ZXPDB, ZXPDC,...)
I saw that the fifth letter of the Z-string does not change during the week, then in the following week it takes the next value in the alphabetical order: for example ZAPDD is used from Mon to Sun then in the following monday it changes into ZAPDE; the same happens for ZXPDD which changes into ZXPDE.
This alphabetical progression is verified by a long-time monitoring and it's not a simple "rotation" but rather a way to indicate the week of the year using the last two letters and the convention A=1, B=2, C=3,... so that for example DC = 43, DD = 44 and so on (Fig. 7).
It is very important to note that the same mechanism has been observed in the variations of the Z-strings in S-5066 transmissions (sporadic catches, not from a monitoring):
ZRTBC and ZXPBC on 6,7 June (BC = 23th week)
ZRTBD and ZXPBD on 15,16,17 June (BD = 24th week)
ZXPBE on 23 June (BE = 25th week)
ZAPCA on 1,2 August (CA = 31th week)
as you see, the dates belong to the number of the week indicated by the last two letters of the Z-strings. Nothing (unless the timestamp header in S-5066 transmissions) seems indicate the time & date of the message, maybe it is contained within the encrypted text.
The Z-strings suffix "DI" was expected during the week 4-10 December to indicate the week #49 but curiously they skipped the letter "I" and adopted "J" to code the number 9 (Fig. 8), maybe to avoid confusion between "I" and "1" ?
It's interesting to note the choice of the letter "K" to code the "0" during the fiftieth week (11-17 December): indeed the suffix "EK" (more precisely the string "ZXPEK") has been found in all the messages of the monitored frequencies (3034, 4396 and 4513) during the week #50.
As expected, the suffix "KA" (= 01) is used to code the first week of the year: the presence of the ZXPKA string has been confirmed also by the catches of my friends Guido and Karapuz (see the comments to this post). Figure 9 below shows the string ZXPKA in a message received in the firts week of 2018 (Jan 4th): note the use of MS-DMT software configured in Async 8N1 mode.
That said, the Z-strings shall be considered as 3-letters:
ZAP
ZNT (so fare seen only in S-5066 transmissions)
ZRT (so far seen only in S-5066 transmissions)
ZXP
followed by 2-letters (encoded) week of the year, according to:
A = 1, B = 2, C = 3, ..., H = 8, J = 9, K = 0
It's difficult to say what the initial 3-letters stand for, maybe they could indicate the precedence of the messages: ie, ZAP for higher priority (flash) and ZXP for routine, or maybe a kind of classification.
I tried the NATO military Z-signals defined in ACP 131 [3] but their meanings make poor sense in our context.
[1] http://www.hfindustry.com/meetings_presentations/...HF2000_HFIA_2010.pdf
[2] https://i56578-swl.blogspot.it/2017/06/unid-stanag-5066...client.html
[3] http://www.angelfire.com/va3/navy_mars/ACP131.pdf
https://youtu.be/lWNljuCQw_0
Fig. 1 |
๐ญ๐๐๐๐๐๐๐๐๐๐
As well as with our receivers, monitoring is performed thaks to the use of four remote KiwiSDRs located in Sweden and Finland (Fig. 2)
Fig. 2 - the used KiwiSDRs and map of main RT/x stations |
3034, 4228, 4321, 4373, 4396, 4408, 4513, 4522, 5242
Although in a small percentage, synchronous 188-110A transmissions (still 1200bps/Long) can be received in these channels.
A parallel monitoring of 4396 KHz (using KP20 in Finland) and 4513 KHz (using SM0KOT in the northern part of Sweden) was performed during the morning-time on 20 December 2017 and got some interesting points about these two channels. Looking at the waterfall in Fig. 3, the strengths of the received signals point out different transmitters sites; since the waterfall is related to KP20 SDR, frequency 4396 KHz - on the left in the waterfall - perhaps could be operated by the close Karlskrona Naval Base. Moreover, transmissions on 4396 and 4513 KHz occurred almost simultaneously during all the monitored time (Dec 20th, 2017) but actually it's impossible to say if they carried the same messages.
Fig. 3- KiwiSDR KP20 in Finland |
However, such behavior was not observed during the first seven days of January 2017: indeed, those two frequencies seem not to be used, as well as 4321, and the trasmissions happen on 4373 KHz (Fig. 4) which was spotted by Karapuz on 2 January.
Fig. 4 - KiwiSDR KP20 in Finland |
๐ด๐๐ ๐๐จ๐ซ๐ฆ๐๐ญ๐ฌ
Looking at the bitstreams, it's esay to see that headers and data are arranged in different formats, although the same "8N1" framing is used (Fig. 5).
Fig. 5 |
"A" format (headers and data are shifted and separated) is used in 4373, 4396, 4408, and 4522;
"B" format (headers and data are contiguous) is used in 4228, 4321, 4513, and 5242;
"C" format (as in "A" but data appears as "fragmented" in separated blocks) is used in 3034.
Probably the different formats (and the one used in STANAG-5066 [2]) and the different Tx sites are due to the different recipients, ie: Army, Navy, Air Force and Civil Defence ...but it's only my guess.
๐ญ๐ก๐ ๐-๐ฌ๐ญ๐ซ๐ข๐ง๐ ๐ฌ ๐ข๐ง ๐ด๐๐ ๐๐ง๐ ๐-๐๐๐๐ ๐ญ๐ซ๐๐ง๐ฌ๐ฆ๐ข๐ฌ๐ฌ๐ข๐จ๐ง๐ฌ
The most important aspect is the presence of the Z-strings in the messages' headers: these are the same as the strings already seen in the data-blocks of the S-5066 transmissions from the Swedish Armed Forces [2]. Note also that in both the transmissions the Z-strings are contained within the same sequences (I catched tens of transmissions, for simplicity I show in Fig. 7 only two of these but the matches are in all the recordings).
Fig. 6 (HEX view) |
ZAPD flwd by B,C,D,E,F (ie: ZAPDB, ZAPDC,...)
ZXPD flwd by B,C,D,E,F (ie: ZXPDB, ZXPDC,...)
I saw that the fifth letter of the Z-string does not change during the week, then in the following week it takes the next value in the alphabetical order: for example ZAPDD is used from Mon to Sun then in the following monday it changes into ZAPDE; the same happens for ZXPDD which changes into ZXPDE.
This alphabetical progression is verified by a long-time monitoring and it's not a simple "rotation" but rather a way to indicate the week of the year using the last two letters and the convention A=1, B=2, C=3,... so that for example DC = 43, DD = 44 and so on (Fig. 7).
Fig. 7 |
It is very important to note that the same mechanism has been observed in the variations of the Z-strings in S-5066 transmissions (sporadic catches, not from a monitoring):
ZRTBC and ZXPBC on 6,7 June (BC = 23th week)
ZRTBD and ZXPBD on 15,16,17 June (BD = 24th week)
ZXPBE on 23 June (BE = 25th week)
ZAPCA on 1,2 August (CA = 31th week)
as you see, the dates belong to the number of the week indicated by the last two letters of the Z-strings. Nothing (unless the timestamp header in S-5066 transmissions) seems indicate the time & date of the message, maybe it is contained within the encrypted text.
The Z-strings suffix "DI" was expected during the week 4-10 December to indicate the week #49 but curiously they skipped the letter "I" and adopted "J" to code the number 9 (Fig. 8), maybe to avoid confusion between "I" and "1" ?
Fig. 8 - "DJ" suffix to code week #49 (8x19 view) |
As expected, the suffix "KA" (= 01) is used to code the first week of the year: the presence of the ZXPKA string has been confirmed also by the catches of my friends Guido and Karapuz (see the comments to this post). Figure 9 below shows the string ZXPKA in a message received in the firts week of 2018 (Jan 4th): note the use of MS-DMT software configured in Async 8N1 mode.
Fig. 9 - "ZXPKA" string during the week #01(transmission decoded using MS-DMT) |
ZAP
ZNT (so fare seen only in S-5066 transmissions)
ZRT (so far seen only in S-5066 transmissions)
ZXP
followed by 2-letters (encoded) week of the year, according to:
A = 1, B = 2, C = 3, ..., H = 8, J = 9, K = 0
It's difficult to say what the initial 3-letters stand for, maybe they could indicate the precedence of the messages: ie, ZAP for higher priority (flash) and ZXP for routine, or maybe a kind of classification.
I tried the NATO military Z-signals defined in ACP 131 [3] but their meanings make poor sense in our context.
[1] http://www.hfindustry.com/meetings_presentations/...HF2000_HFIA_2010.pdf
[2] https://i56578-swl.blogspot.it/2017/06/unid-stanag-5066...client.html
[3] http://www.angelfire.com/va3/navy_mars/ACP131.pdf
https://youtu.be/lWNljuCQw_0
Antonio, hello!
ReplyDeleteI was imbued with your research on this topic and also decided to contribute my small contribution. Summing up the year, I chose the bitstreams in which the "Z" lines are inserted. These are post-processing flows after the removal of the primary protocol 188-110A 1200L. In the file name - frequency (kHz USB), month and day (year 2017):
4321 11-08.ZAPDE
4396 10-22.ZXPDC
4396 11-16.ZXPDF
4408 09-20.ZXPCH
4522 03-29.ZXPAC
4522 04-11.ZXPAE
4522 06-14._XPBD
5242 10-10.ZXPDA
As you can see, some frequencies can be added to your list. I hope this helps you in your research.
Binary streams are attached at https://yadi.sk/d/gPwZ5ZaN3Qod9Z
With best wishes and coming Christmas!
Daniel
thank you Daniel, much appreciated indeed!
ReplyDeleteHappy New Year!!!
ReplyDeleteAntonio, you were right!
The first week of the year in the "Z" line is coded as "KA". I took the 188-110a on the frequency 4373 (new!). The line looks like this:
ZXPKA
Packing and recording bitrate link
Daniel
https://yadi.sk/d/SML-wcDs3RAECZ
Outstanding job Antonio.
ReplyDeleteCongratulations.
ANgazu