24 December 2017

an MS-110A modem running in ASYNC mode

This is a sample of a MIL-STD 188-110A serial 75bps/L modem working in ASCII ASYNC mode and transporting a Citadel-encrypted file. The transmission was heard on 7413.0 kHz/USB following a 188-141A handshake between two Algerian Air Force nodes: CM2 (Algerian Air Force Base - Oran, 2nd Regional Command Centre) and COF (Algerian Air Force HQ - Cheraga).

In ASCII asynchronous mode the bitstream has an 8N1 structure: one start bit (0), 8 data bits and at least one stop bit (1). Each character is therefore transmitted using a total of 10 bits, and the 8 data bits are sent LSB first.
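The 8N1 framing described above, as an added example (not code from the post or from MS-DMT): a byte sequence is turned into the start/data/stop bit sequence with the data bits LSB first, and a deframer strips the start and stop bits back off a raw bit list. The deframer also shows the behaviour a practitioner wants when the demodulated stream is misaligned: a character is accepted only if its stop bit is a 1; otherwise it counts a framing error and slips one bit to search for the next start bit.

```python
"""8N1 asynchronous framing as used by the MS-110A ASYNC mode above.

Added example, not from the page or from MS-DMT. Idle line is mark (1);
each character is: start bit 0, eight data bits LSB first, stop bit 1.
"""

def frame_8n1(data: bytes, idle_bits: int = 0) -> list:
    """Return the 8N1 bit sequence for `data`, preceded by `idle_bits` marks."""
    bits = [1] * idle_bits
    for byte in data:
        bits.append(0)                                  # start bit
        bits.extend((byte >> i) & 1 for i in range(8))  # data, LSB first
        bits.append(1)                                  # stop bit
    return bits

def deframe_8n1(bits: list) -> tuple:
    """Recover bytes from a raw 8N1 bitstream.

    Returns (payload, framing_errors). A character is accepted only when a
    start bit (0) is followed by 8 data bits and a stop bit (1). If the stop
    bit is not 1 the decoder records a framing error and advances a single
    bit, which is how a UART re-synchronises on the next genuine start bit.
    """
    out = bytearray()
    errors = 0
    i = 0
    while i + 10 <= len(bits):
        if bits[i] == 1:            # idle mark, not a start bit
            i += 1
            continue
        if bits[i + 9] != 1:        # framing error: stop bit missing
            errors += 1
            i += 1
            continue
        value = 0
        for k in range(8):
            value |= bits[i + 1 + k] << k   # LSB was sent first
        out.append(value)
        i += 10
    return bytes(out), errors
```

Running `deframe_8n1(frame_8n1(b"Hi", idle_bits=5))` returns `(b"Hi", 0)`; corrupting a stop bit makes the same call report one framing error and drop the damaged character instead of emitting garbage.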

Fig. 1
Working on the ASYNC part, after removing both the start and the stop bits we get the clean 8-bit data, in which the characteristic pattern of the Harris "Citadel" encryption is easy to identify (Fig. 2).

Fig. 2
A similar example but related to Asynchronous STANAG-4285 can be read here:
http://i56578-swl.blogspot.it/search/label/Stanag-4285%20Async

You may use the MIL-STD Data Modem Terminal (MS-DMT) [1] to verify how the MS-110A works in ASYNC mode (Figs. 3, 4).

Fig. 3 - MS-DMT settings for ASYNC mode
Fig. 4
[1]
http://www.n2ckh.com/MARS_ALE_FORUM/MSDMT.html
The latest MS-DMT test build is available at:  
www.n2ckh.com/MARS_ALE_FORUM/MSDMT32v200B1000TB1002_FI.zip

Thanks to Steve Hajducek for the update; I suggest subscribing to his group at
https://www.facebook.com/groups/MARS.MIL.STD.TOOLS.LIB/
https://yadi.sk/d/1rw59Z0K3QuToC 
(MS-110 Async from Algerian AF)

2 December 2017

Baudot FSK 50Bd/100

This FSK transmission was copied on 6330.8 (cf) at 1128z: the shift is clearly 100 Hz, while some problems arise when measuring the speed. Indeed, an FFT-based speed measurement may fail when the frame holds a non-integer number of bits, as in the Baudot/ITA2 code where the stop bit lasts 1.5 bits: SA assumes an integer number of bits, so it prints out a value of 53.47 Baud (Fig. 1).

Fig. 1
In such cases the speed should be measured with the "raster" tool of SA (Fig. 2): the frame is 7.5 bits long (1 start bit, 5 data bits and 1.5 stop bits), and the timeline reads 299.4 msec for 15 bits, i.e. two frames, which gives a speed of 50 Baud.

Fig. 2

Baudot decoders work fine and print out the content of the message after the RYRY sequence, in this case: "ZHGD ZHGD ZHGD DE N4O4 N4O4 N4O4 QRK ? +?". The user is not identified, probably Russian military.
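The 7.5-bit Baudot frame and the raster-style speed measurement discussed above, as an added example (not code from the post or from SA). The line is modelled as a list of 0/1 samples at a constructed 1000 Hz sample rate so that the 1.5-bit stop element is representable exactly; the decoder syncs on each mark-to-space edge, samples the five data bits at their centres and resumes the edge search inside the stop element. The ITA2 tables are the standard ones; a few FIGS positions vary by region, and only the digits and "?" are relied on here.

```python
"""ITA2 (Baudot) with the 7.5-bit asynchronous frame: 1 start element,
5 data bits LSB first, 1.5 stop elements. Added example, not from the page.
"""

SAMPLE_RATE = 1000              # constructed: 20 samples per bit at 50 Bd
BAUD = 50
BIT = SAMPLE_RATE // BAUD       # samples per bit (20)
FRAME_BITS = 7.5                # 1 + 5 + 1.5

# Standard ITA2 tables indexed by the 5-bit code value. A few FIGS positions
# vary regionally (e.g. 5, 9, 11, 20, 30); only digits and '?' are used here.
LTRS = ["\0", "E", "\n", "A", " ", "S", "I", "U", "\r", "D", "R", "J",
        "N", "F", "C", "K", "T", "Z", "L", "W", "H", "Y", "P", "Q",
        "O", "B", "G", "FIGS", "M", "X", "V", "LTRS"]
FIGS = ["\0", "3", "\n", "-", " ", "'", "8", "7", "\r", "\x05", "4", "\a",
        ",", "!", ":", "(", "5", "+", ")", "2", "#", "6", "0", "1",
        "9", "?", "&", "FIGS", ".", "/", "=", "LTRS"]
FIGS_CODE, LTRS_CODE = 27, 31

def encode_ita2(text):
    """Text -> 5-bit code values, inserting FIGS/LTRS shift codes as needed."""
    codes, figs = [], False
    for ch in text:
        in_l, in_f = ch in LTRS, ch in FIGS
        if not (in_l or in_f):
            raise ValueError("not representable in ITA2: %r" % ch)
        if in_l and in_f:                 # space, CR, LF: valid in either shift
            table = FIGS if figs else LTRS
        elif in_l:
            if figs:
                codes.append(LTRS_CODE)
                figs = False
            table = LTRS
        else:
            if not figs:
                codes.append(FIGS_CODE)
                figs = True
            table = FIGS
        codes.append(table.index(ch))
    return codes

def decode_ita2(codes):
    """5-bit code values -> text, tracking the shift state."""
    text, figs = "", False
    for c in codes:
        if c == FIGS_CODE:
            figs = True
        elif c == LTRS_CODE:
            figs = False
        else:
            text += (FIGS if figs else LTRS)[c]
    return text

def to_line(codes, idle_bits=2):
    """Codes -> sampled line: idle mark, then per character one start element
    (space), 5 data bits LSB first and a 1.5-bit stop element (mark)."""
    line = [1] * (BIT * idle_bits)
    for c in codes:
        line += [0] * BIT
        for i in range(5):
            line += [(c >> i) & 1] * BIT
        line += [1] * (BIT * 3 // 2)      # 1.5-bit stop element
    return line

def from_line(line):
    """Sampled line -> codes. Sync on each mark->space edge, sample every
    data bit at its centre, then continue the edge search in the stop element."""
    codes, i, prev = [], 0, 1
    while i < len(line):
        if prev == 1 and line[i] == 0:
            if i + 5 * BIT + BIT // 2 >= len(line):
                break                     # truncated final character
            c = 0
            for k in range(5):
                c |= line[i + (k + 1) * BIT + BIT // 2] << k
            codes.append(c)
            i += 6 * BIT                  # start + 5 data elements
            prev = 1
            continue
        prev = line[i]
        i += 1
    return codes

def baud_from_raster(span_seconds, bits):
    """Rate from a raster measurement: bits counted over a known time span.
    Two 7.5-bit frames are 15 bits; the page reads 299.4 ms for them."""
    return bits / span_seconds
```

`encode_ita2("RYRY")` gives the alternating codes 10, 21, 10, 21 (01010/10101), which is why RYRY is the classic test pattern; `baud_from_raster(0.2994, 15)` returns about 50.1 Baud, the value the raster measurement yields where the FFT method gave 53.47.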

Fig. 4


update
My friend KarapuZ caught a similar transmission on 5565.0/USB; the callsigns are very similar to the ones I had: "ZBNV ZBNV DE 7X6R 7X6R 7X6R QRK ? +?".

So far, these are the heard callsigns:
ZBNV, ZHGD
N4O4, 7X6R


https://yadi.sk/d/K_eEO7cT3QFLLU

14 November 2017

SIGFOX, UNB IoT
by Angazu & Rapidbit

SIGFOX [1] is a signal for the Internet of Things (IoT) with features that promise it a great future. Its use of the spectrum, adapted to its purposes, does not waste resources as other systems do. Its advantages in terms of cost and efficiency have made it develop quickly, and its main usage is the Internet of Things.
Its data capacity is very low (100 bps), allowing up to 140 messages per day, but enough for its uses. It is cheap and has good coverage. The signal is robust and not easy to interfere with. In addition, battery consumption is minimal, so a battery may last several years. It also uses the free 868 MHz band and does not require any type of SIM. The standard is ETSI GS LTN 003 V1.1.1 (2014-09) [1].

The signal was received at home, probably from a nearby home alarm system carrying out installation tests.
 
The spectrogram (edited) in Fig. 1 shows three segments (three "telegrams") on different frequencies. Each segment lasts about 2.1 sec and is separated from the next by a dead time of about 42 msec. Each emission uses a different frequency within its allowed range. In what has been observed so far, it always transmits the message 3 times, using a different frequency in every Tx.

Fig.1 - spectrogram
The spectral occupation (Fig. 2) is about 200 Hz. In this case there are quite a few side lobes due to the proximity of transmitter and receiver. The measurement was made about 30 dB below the peak.

Fig. 2 - spectrum
The estimated modulation is Differential BPSK at a rate of about 100 bps; the overview of the 3 frames (Fig. 4) is aligned to 210 bits (the ID has been removed after demodulation).

Fig. 3
Fig. 4
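Differential BPSK, the modulation estimated above, as an added example (not code from the post or from the ETSI LTN specification). A 1 bit is sent as a 180-degree phase change relative to the previous symbol and a 0 bit as no change, so the receiver decides on the phase difference between consecutive symbols and needs no absolute carrier-phase reference: the constructed channel below rotates the whole burst by an unknown phase and adds noise, and the differential detector still recovers the bits while an absolute-phase decision does not.

```python
"""Differential BPSK: encode, pass through an unknown carrier phase, decode.
Added example, not from the page. The channel, phase and noise are constructed.
"""
import cmath
import random

def dbpsk_modulate(bits, ref=1 + 0j):
    """Differentially encode: each symbol is the previous one, flipped if the
    bit is 1. Returns len(bits) + 1 symbols; the first is the phase reference."""
    syms = [ref]
    for b in bits:
        syms.append(-syms[-1] if b else syms[-1])
    return syms

def channel(syms, phase_rad, noise_std=0.0, seed=1):
    """Constructed channel: rotate every symbol by an unknown carrier phase
    and add Gaussian noise to each quadrature component."""
    rng = random.Random(seed)
    rot = cmath.exp(1j * phase_rad)
    return [s * rot + complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std))
            for s in syms]

def dbpsk_demodulate(rx):
    """Bit n = 1 if the phase changed between symbol n-1 and symbol n.
    Re(s[n] * conj(s[n-1])) = |s|^2 * cos(delta phase): negative means a flip,
    and the common rotation of both symbols cancels in the product."""
    return [1 if (rx[n] * rx[n - 1].conjugate()).real < 0 else 0
            for n in range(1, len(rx))]

def coherent_bpsk_demodulate(rx):
    """Absolute-phase decision (Re < 0 -> 1) on the same symbols. Without the
    reference phase it yields the differentially encoded sequence, possibly
    inverted, rather than the data bits."""
    return [1 if s.real < 0 else 0 for s in rx[1:]]

def demo(bits, phase_rad=2.27, noise_std=0.1):
    """Return (differential result, absolute-phase result) after the channel;
    2.27 rad is an arbitrary ~130 degree carrier offset."""
    rx = channel(dbpsk_modulate(bits), phase_rad, noise_std)
    return dbpsk_demodulate(rx), coherent_bpsk_demodulate(rx)
```

`demo([1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0])` returns the original bits from the differential detector and a different sequence from the absolute-phase one, which is the property that lets a cheap IoT transmitter skip any carrier-phase training.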
Frame as per ETSI standard:

[1]

3 November 2017

CIS Selcall "Vishnya", FSK 150Bd/200

I spotted this short transmission on 7823.5 kHz/USB at 0827z; it's an FSK modulation with 200 Hz shift and a speed of 150 bps. I asked my friend KarapuZ about the name of this system and he told me that this signal is correlated with the CIS Selcall and is also known by the nickname "Vishnya" ("Cherry" in English) from the name of the radio equipment R-016V "Вишня".
The signal is discussed here in radioscanner:



2 November 2017

radiosonde Vaisala RS92-SGP
(by ANgazu, Rapidbit)

The RS92-SGP has been manufactured and marketed by the Finnish company Vaisala since 2003. It incorporates a Helix Antenna (QFHA=Quadrifilar Helix Antenna) for the reception of GPS satellites.

This type of radiosonde has a GPS receiver to determine its location, which allows indirect measurement of wind speed and direction at altitude. The RS92-SGP has a silicon pressure sensor, a heated dual humidity sensor and a small, fast temperature sensor.
The synthesizer-based transmitter is stable and uses narrow bandwidth. The RS92-SGP radio sensor complies with the European ETSI standard for digital radiosondes operating in the 400 MHz band.
The SONDE MONITOR software allows the data transmitted by the RS92-SGP to be decoded, in particular the exact position measured with the aid of the on-board GPS receiver, which makes it easier to locate the sonde in the field.
Measurements carried out with the aid of a radiosonde are relative to a specific place and time interval. In order for such data to be truly useful, soundings conducted around the world must be synchronised. These soundings are usually made at 00h and 12h GMT; some stations also carry out soundings at 06h and 18h regularly.
More than 850 soundings are conducted worldwide at least twice a day. The distribution of radiosonde stations over the planet's surface is not regulated, and the developed countries of the northern hemisphere (82%) are better covered than the deserts and oceans of the southern hemisphere (18%). 820 of these soundings are carried out by fixed stations and some 30 of them from ships, both merchant and regular lines.
Soundings are mainly carried out by meteorological services, but from time to time we may come across radiosondes launched by:
- Weapons test centres (missile, ammunition and radiosonde testing).
- Scientific missions and atmospheric monitoring services (ozone measurements, radioactivity).
- Special campaigns for the study of regional climatology and meteorology.
- Artillery units, before firing practice.
- Radiosonde training centres (meteorological, military, radiosonde manufacturers...).


Radiosondes are telemetry devices that measure various atmospheric parameters.
They are usually launched using a weather balloon and, while ascending and drifting with the wind, transmit their data in real time. They can reach a considerable height, so reception is possible far away from the launch point.
The signal for this entry, from a Vaisala RS92-SGP, was recorded near an airport somewhere in the south of Europe. The frequency was 403 MHz.
This signal is a very interesting one since it shows a considerable Doppler effect, due both to its ascent speed and to its lateral displacement by the wind (Fig. 1).

Fig. 1
The spectrum exhibits a phase-modulated signal framed by two unmodulated tones (Fig. 2). The tones are separated by 4800 Hz.

Fig. 2
Analysing the signal as a whole, the modulation speed is 4800 sps using GFSK modulation; but filtering out the outer tones to isolate the inner signal, the result is BPSK with a speed of 2400 sps (Fig. 3).

Fig. 3
If the signal is demodulated as GFSK, the result is a stream of Manchester-coded bits. Once Manchester-decoded, the bits are exactly the same as those obtained by demodulating the inner signal as BPSK. The frame ACF is 1 s. There is a second ACF of 4.16 ms for the character (Fig. 4), which at 2400 bps corresponds to 10 bits, i.e. one 8N1 character.

Fig. 4
Once decoded, frames are  2400 bits long (Fig. 5) using  8N1 characters.

Fig. 5
The combination of vertical and lateral velocity of the sonde produces a Doppler effect on the signal. The image shows the frequency variation of a tone over about 21 m (Fig. 6).

Fig. 6
The transmitted data can be demodulated using the SondeMonitor software by COAA (see links).

Fig. 7
Links:

29 October 2017

Maritime Interdiction Operations (MIOs) in Med'sea, a joint exercise?


The heard communications concern a Maritime Interdiction Operation (MIO) in the Mediterranean Sea and involve 2 vessels and one shore station which acts as the net-control station by coordinating all the activities. It is not clear whether the heard activity is part of a routine patrol or rather a naval joint exercise. The ALE IDs used in the communications (i.e. "CMOC", which could stand for Combined Maritime Operation Center), some terms in the messages (such as PUBEX, EVOLEX) and the "special" email domain name (not reported here for confidentiality) make me think of a MIO joint exercise. By the way, I did not find any related news on specialised websites or on press-agency sites.
The activity was heard on the 7 and 8 MHz bands, especially on 27 October. Communications make use of 188-141 2G ALE for link setup, while the messages are sent using a battle force email system based on the STANAG-5066 HBFTP protocol. STANAG-4539/MS-110A are used as bearer HF waveforms, mostly QAM-64 9600bps and PSK-8 1200bps modulations (Figs. 1, 2). The STANAG-5066 addresses of the network nodes belong to the dummy block 10.000.000.zzz, which is not assigned to any country.
The languages used for working out operational documents and for communications are English and French; this could be another hint in favour of a joint exercise.

Fig. 1 - STANAG-4539 transfer using QAM-64
Fig. 2 - STANAG-5066 stream
In addition to text or routine messages such as requests to compress photos ("compresser la photo svp"), link information ("liaison XXX to YYY par HF est nulle") or some exhortations ("veilles respecter le battle rythme et nous transmettre la situation RMP TN/DZ et vos position 12h00"), I saw some operational messages that are worth seeing. Although it could be a joint exercise, I avoid going into details, and some parts of these messages, as well as callsigns, are obscured or omitted for reasons of confidentiality of sensitive information.

The first two messages are related to the operation (tactical instructions?) and to the use of the MIO Board.

Fig. 3
Fig. 4
In Fig. 5 it looks like they send informal ACP-like messages using email: note the "from CMOC (Combined Maritime Operations Center?) to OTC (Operational Training Center?)" header.

Fig. 5
The operation was successful, judging from the report on the interception of a drug traffickers' boat (Fig. 6). The smugglers threw the material overboard, but it was recovered by the navy sailors. Note how such reports are rigidly formatted in sections (termed "alfa", "bravo", "charlie") and sub-sections.

Fig. 6
Note also that in some messages, likely the more important ones, they make use of return receipts, as indicated by the MDN (Message Disposition Notification) tags in the email shown in Fig. 7 (turnaround time of 31 secs). I saw MDNs in both English and French.

Fig. 7
Many joint exercises (Phoenix Express, Morjane, Osis, MEDEX, ...) take place every year in the southern Med'sea, so what I heard could be an ad-hoc scenario set up just for this exercise.

update: 31 October 2017

...as expected:
http://en.aps.dz/algeria/20899-naval-force... 


20 October 2017

BPSK 4800, 9600, 19200Bd 6, 12, 24 kHz (Marine Band)

Other wideband burst waveforms spotted in the HF Marine band: speeds of 4800, 9600 and 19200 Baud with bandwidths of 6, 12 and 24 kHz.

Fig. 1 - 16625.0 KHz/USB
Fig. 2 - 16657.0 KHz/USB
It is still uncertain whether these transmissions concern over-the-air tests of the KNL Networks CNHF (Cognitive Networked HF) system, as illustrated in their presentation slide of this system (Fig. 3), or perhaps a real-world testbed/implementation.

https://yadi.sk/i/7bcD0sWZHqF6sw
Some info about the CNHF system can be read on their website.



19 October 2017

Radio Teleswitch, an example of AM Signalling System (AMSS)
(by ANgazu)

BBC Radio 4 (LF 198 kHz) is a radio station that broadcasts a great variety of programmes. At first glance it looks like any other AM commercial transmitter, but there is a feature that makes it different: its carrier is PSK modulated, transmitting data to switch electricity meters and consumer appliances so as to take advantage of the best electricity tariffs [1].
This sample was recorded using the TWENTE SDR in USB mode so as to preserve the carrier; its spectrogram is like that of any standard AM broadcast (Fig. 1) and its occupation is about 12 kHz, as for most AM commercial stations.

Fig. 1
When zooming in on the carrier (Fig. 2), there is a signal using about 50 Hz of bandwidth on each side of the carrier, and once it is filtered the modulation speed is 50 symbols/sec (Fig. 3).

Fig. 2
Fig. 3
In this case the carrier is the AM carrier, so we can go to the signal constellation, which shows that the carrier phase is shifted ± 22.5º (Fig. 4). This small shift is sufficient for retrieving data and small enough to avoid interference with the intended AM signal.

Fig. 4
To demodulate this signal you have to filter out the carrier and proceed as with any BPSK signal. The ACF is about 2 seconds; this means that there are 30 frames within each second and each carries 100 bits. The signal is Manchester coded, so we have 50 bits of information per frame (Fig. 5). The signal is idling most of the time (01010101…).

Fig. 5
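Manchester coding, which both the RS92-SGP post (GFSK chips at 4800/s that decode to the same 2400 bit/s as the inner BPSK) and this Radio Teleswitch post (100 chips per frame giving 50 data bits, idle pattern 0101...) rely on, as an added example that is not code from either post. The convention assumed is the IEEE 802.3 style, bit 0 as chips (0, 1) and bit 1 as chips (1, 0); the G.E. Thomas convention is the inverse, and a real decoder must know which one the system uses. The decoder also recovers the chip-pair alignment from the illegal pairs that the wrong alignment produces, and documents the caveat that a constant idle stream gives it nothing to align on.

```python
"""Manchester encode/decode with alignment recovery. Added example, not code
from the page; the 802.3 chip convention is an assumption stated above.
"""

ENC = {0: (0, 1), 1: (1, 0)}
DEC = {(0, 1): 0, (1, 0): 1}

def manchester_encode(bits):
    """Each bit becomes two chips; the chip rate is twice the bit rate."""
    chips = []
    for b in bits:
        chips.extend(ENC[b])
    return chips

def manchester_decode(chips, offset=0):
    """Pair chips starting at `offset` (0 or 1). Pairs (0,0) and (1,1) are
    illegal in Manchester and are counted rather than decoded.
    Returns (bits, bad_pairs)."""
    bits, bad = [], 0
    for i in range(offset, len(chips) - 1, 2):
        pair = (chips[i], chips[i + 1])
        if pair in DEC:
            bits.append(DEC[pair])
        else:
            bad += 1
    return bits, bad

def manchester_sync_decode(chips):
    """Recover the pair alignment: the wrong alignment produces an illegal
    pair wherever two consecutive data bits differ, so choose the offset
    with fewer of them. Caveat: a constant stream such as the 0101... idle
    pattern has no such transitions, both alignments are legal, and the
    tie (resolved here to offset 0) stays ambiguous until data appears.
    Returns (bits, bad_pairs, offset)."""
    results = []
    for off in (0, 1):
        bits, bad = manchester_decode(chips, off)
        results.append((bad, off, bits))
    bad, off, bits = min(results)
    return bits, bad, off

def bits_per_frame(chip_rate, frame_seconds):
    """Data bits carried by one frame: 4800 chips/s over 1 s -> 2400 bits
    (RS92-SGP); 50 chips/s over 2 s -> 50 bits (Teleswitch)."""
    return int(chip_rate * frame_seconds) // 2
```

Feeding `manchester_sync_decode` a chip stream with one stray leading chip returns the original bits with offset 1 and no illegal pairs, whereas decoding the same stream at offset 0 reports illegal pairs at every data transition; that count is the practical sync indicator when a Manchester stream is demodulated blind.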

[1]

14 October 2017

BPSK & QPSK 2400Bd, QPSK 1500Bd, ARQ system (Maritime Band)


Robust SDR ARQ system heard on 6231.5 kHz/USB (Maritime Mobile band), 2800 Hz offset from the carrier, around 0630z on 12 October, in which the two channels are used as follows:

- on USB upper channel: user data transfer using adaptive 2400 Baud PSK-2 and QPSK burst waveform, according to the channel conditions and the feasible data-rate. Initial bursts use PSK-2 modulation at 2400 Baud;  
- on LSB lower channel: link and traffic management (ACKs and mode used for data transfer) using 1500 Baud PSK-2/QPSK waveform; 

It is not clear whether the change of the mode used for data transfer is signalled in the management channel by the caller or requested by the called station.

Fig. 1 - user data transfer waveform (upper channel)
Fig. 2 - link and traffic management waveform (lower channel)

At least in this sample, data bursts last 2088 msec for PSK-2 and 3144 msec for QPSK, the initial bursts have a duration of 520 msec, and link and traffic management bursts last 310 msec. PSK-2 and QPSK data bursts exhibit strong ACF spikes every 523 msec, which suggests a 1256-symbol frame structure (Fig. 3); the initial data bursts have ACF = 0, so probably Walsh modulation is used (Fig. 4).

Fig. 3
Fig. 4
Together with IK1YDE we studied the bitstreams after PSK-2 and QPSK demodulation and found a frame structure similar to those provided by the recent MS-110 Appendix C for the waveforms ID 5 and 6 (Fig. 5). Indeed both the PSK-2 and the QPSK frames consist of 288 symbols (Fig. 6): 32 known symbols (mini-probes) followed by 256 unknown (user data) symbols. It must be noted anyway that the data rate of the analysed waveform (in its USB channel) is 2400 Baud and doesn't match the one provided by waveforms 5 and 6 of MS-110 App. C.
Most likely the 1256-bit ACF is due to the length of the interleaver or of the scrambler sequence.

Fig. 5
Fig. 6 - data bits and symbol numbers
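How a frame length is read off the ACF of a symbol stream, as an added example for the 288-symbol frame (32 known mini-probe symbols followed by 256 user-data symbols) discussed above; this is not code from the post or from MS-110 App. C. The probe and data are constructed random BPSK symbols (+1/-1): the data decorrelate at every lag, while the probe repeats every 288 symbols and produces the ACF spike that identifies the frame length. A frame splitter then checks each mini-probe before handing the 256 data symbols on, and a helper converts a lag in symbols to milliseconds at 2400 Bd, which is how the 523 msec spike of Fig. 3 maps to 1256 symbols.

```python
"""ACF-based frame-length detection with periodic mini-probes.
Added example, not from the page; stream contents are constructed.
"""
import random

PROBE_LEN, DATA_LEN = 32, 256
FRAME = PROBE_LEN + DATA_LEN          # 288 symbols

def make_stream(n_frames, seed=7):
    """Constructed stream: the same probe in every frame, fresh random data."""
    rng = random.Random(seed)
    probe = [rng.choice((-1, 1)) for _ in range(PROBE_LEN)]
    stream = []
    for _ in range(n_frames):
        stream += probe + [rng.choice((-1, 1)) for _ in range(DATA_LEN)]
    return stream, probe

def acf(x, max_lag):
    """Normalised autocorrelation r[lag] for lag = 1..max_lag (r[0] unused)."""
    r = [0.0] * (max_lag + 1)
    for lag in range(1, max_lag + 1):
        n = len(x) - lag
        r[lag] = sum(x[i] * x[i + lag] for i in range(n)) / n
    return r

def frame_length_from_acf(x, max_lag=400):
    """Lag of the strongest ACF peak. With max_lag below 2*FRAME this is the
    frame length itself rather than one of its multiples."""
    r = acf(x, max_lag)
    return max(range(1, max_lag + 1), key=lambda lag: r[lag])

def split_frames(stream, probe):
    """Cut the stream into frames, verify each mini-probe and return the
    256-symbol user-data blocks; a probe mismatch means frame sync was lost."""
    blocks = []
    for start in range(0, len(stream) - FRAME + 1, FRAME):
        frame = stream[start:start + FRAME]
        if frame[:PROBE_LEN] != probe:
            raise ValueError("mini-probe mismatch at symbol %d" % start)
        blocks.append(frame[PROBE_LEN:])
    return blocks

def lag_ms(symbols, baud):
    """ACF lag in symbols -> milliseconds at the given symbol rate."""
    return symbols / baud * 1000.0
```

On a 16-frame constructed stream `frame_length_from_acf` returns 288, the probe-to-probe spike, and `lag_ms(1256, 2400)` is about 523 ms; with the 288-symbol frame itself the spike would sit at 120 ms, which is why the 523 ms period points at a longer structure such as the interleaver or scrambler rather than at the frame.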

A similar system was heard on 5 November 2016: in that case ACK bursts were sent after each BPSK data burst (Figs. 7, 8).

Fig. 7
Fig. 8

Talking with KarapuZ about this system, he suggested SDR equipment rather than an ISB mode (I edited the text of the post accordingly) and proposed having a look at the KNL Networks website, since they are testing a proprietary 3G HF hybrid system (termed CNHF) to support ship traffic in Arctic regions [1]. At those high latitudes satcom links can't be easily used, since geostationary satellites do not cover these areas; moreover, due to the long dark periods, the low portion of HF must be used (lack of F layers). Perhaps my catches are related to their tests... but it's only my guess (I emailed them to ask for confirmation and maybe shed some light on this system).