29 March 2018

FSK 500Bd/1000, CIS Navy Akula ("shark")

CIS Akula ("Shark") is an FSK 500Bd/1000 burst waveform used by the Russian/CIS Navy in ship-shore links, most likely by submarines. Akula is one of the most interesting signals you may meet on air: fast, unpredictable and infrequent; see below for a little story about this signal.
Back to the signal: the waveform consists of FSK bursts modulated at a speed of 500Bd with a 1000Hz shift (Figure 1). A distinctive sign is the last bits of the demodulated bitstream, a sort of EOM mark "1771/" (Figure 2).

Fig. 1
Fig. 2
I worked several good quality recordings and found that they can be successfully descrambled using the polynomial x^5+x^3+x+1; after the removal of the scrambler the resulting bitstream exhibits an interesting 6-bit period (Figure 3).

Fig. 3
The same 6-bit period (Figure 4) can be obtained by descrambling the bitstream after differential decoding: in this case the scrambling polynomial is x^4+x^3+1 (thanks to KarapuZ).

Fig. 4

Legacy Akula (Shark), or the so-called 49th channel, was originally a ship-shore superfast telegraph system used to transmit reports from submarines; the received transmissions were immediately relayed to HQ Navy on all available communication channels.
Transmissions consisted of ten groups of 5 digits and lasted 0.72 secs on air. The main equipment of Akula is the sensor P-758 and the receiver P-759 (Figs 5,6), with their ancillaries; it appeared in the fleet in the late 50's. In total, more than 4,500 sets were produced. [1]

Fig. 5 - P-758
Fig. 6 - P-759
"In parallel with the development of land-based communication systems of the Navy, technical means with high speed, security and automation were designed for surface ships and submarines. The experts of the Naval Research Institute of Communication designed a special HF very-high-speed (VHS) secured communication link, later named Akula (Shark). Then-existing systems could not detect VHS transmissions, not to mention take a bearing on them. In addition, thanks to the use of increased-power (up to 15 kW) radio transmitting equipment on submarines and a set of geographically distributed land-based receiving radio centers, high-fidelity reception was possible even at a range of 8-10 thousand kilometers. Navy commissioning of VHS communication means marked a new qualitative stage in the development of naval communication systems."

There is an interesting story about the so-called "Project Boresight" and “lost” Soviet submarines that confirms the Akula's undetectable feature (thanks to Dave for the link):

Akula, with minor variations ("Dolphin", to be precise), is still used for long-range operational and near operational-tactical communications of the Russian Navy, perhaps the P-758IS equipment is used (Figure 7).

Fig. 7 - P-758IS

Frequencies (all CFs):

3399 4414 4882 5338 5555 5784 6772 6836 6852 6864 6908 6920 7316 7620 
7690 7734 7674 7748 8300 8500 9155 9202 9264 9372 9955 9628 10116 10192
10208 10314 10478 10659 10664 10816 10860 10888 10928 11024 11155 12312
12368 12693 13146 14266 13404 13406 14206 14208 14266 14840 14860 16104
16248 16264
Thanks to Dave who collected the logs.


28 March 2018

unid 3-of-6 multitone system (tentative)


On August 16, 2017 I copied an interesting multitone signal on 14642.0 KHz and 16114.0 KHz on USB. The signal uses 6 tones, 400Hz spaced, starting from 650Hz, and it sounds just like a frog. Transmissions do not have a preamble, last for a few minutes (the longest I heard lasted 16 minutes) and consist of 820ms blocks: a 500ms data block followed by a 320ms interval (Fig. 1).

Fig. 1
Transmissions end with the sending of the 6 carriers in a special sequence (Fig. 2).

Fig. 2
Three of the six tones are used to form the code symbols, i.e. they are sent simultaneously (Fig. 3): since given six tones there are twenty combinations of three that can be drawn without repetitions, this system uses a 20-symbol alphabet. It's important to note in Fig. 3 that each data block always consists of the ordered sequence of all the possible symbols (!), which makes a speed of 40 symbols/sec that is, in some way, coherent with the shift used (40Bd/400Hz).

Fig. 3

Many "exotic" codings could be derived from this set (such as 123=A, 124=B,... or 123=0, 124=1,...) and a 6-bit representation could be one of these: e.g. using the lower tone as the LSB we get the sequences:

000111 001011 010011 100011 001101 010101 100101 011001 101001 110001 
001110 010110 100110 011010 101010 110010 011100 101100 110100 111000

(you may play around with it by inverting the order, changing polarity, differential decoding,...)
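As an added example (my own Python, not part of the original post), the 20-symbol 3-of-6 alphabet generated in the order listed above, with a decoder that maps three detected tone frequencies back to the symbol index and its 6-bit word; the 50 Hz tolerance and the two-tone "corrupted" symbol in the sample block are my assumptions.

```python
# Added example: the 3-of-6 tone alphabet of the "frog" signal. Tones are
# 400 Hz apart starting at 650 Hz; a symbol is a set of three tones sent
# together, and the 6-bit word uses the lowest tone as the LSB.
from itertools import combinations

TONE_SPACING_HZ = 400
TONES_HZ = [650 + TONE_SPACING_HZ * i for i in range(6)]   # 650 ... 2650 Hz

# All C(6,3) = 20 tone triples, in lexicographic order of tone indices.
ALPHABET = [set(c) for c in combinations(range(6), 3)]

def word(tone_idx):
    """6-bit word of a tone set, MSB first, bit i = tone i (lowest tone = LSB)."""
    value = sum(1 << i for i in tone_idx)
    return format(value, "06b")

WORDS = [word(t) for t in ALPHABET]   # WORDS[0] == "000111", WORDS[19] == "111000"

def decode(freqs_hz, tolerance_hz=50):
    """Map three detected tone frequencies to (symbol index, 6-bit word).
    Returns None when the set is not a valid 3-of-6 symbol: a constant-weight
    code detects any single tone dropped or added by noise."""
    idx = set()
    for f in freqs_hz:
        i = round((f - TONES_HZ[0]) / TONE_SPACING_HZ)
        if not 0 <= i < 6 or abs(TONES_HZ[i] - f) > tolerance_hz:
            return None
        idx.add(i)
    if len(idx) != 3:
        return None
    return ALPHABET.index(idx), word(idx)

def decode_block(block):
    """Decode one data block given as a list of tone triples (Hz); invalid
    symbols come back as None so the caller can see where the channel erred."""
    return [decode(triple) for triple in block]

if __name__ == "__main__":
    # Constructed block: the full ordered alphabet, as seen in the Fig. 3 test
    # transmissions (20 symbols in a 500 ms block = 40 symbols/s), plus one
    # corrupted symbol with only two tones.
    block = [[TONES_HZ[i] for i in sorted(t)] for t in ALPHABET] + [[650, 1050]]
    for sym, out in zip(block, decode_block(block)):
        print(sym, "->", out)
```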

I don't know who they are and where the signals come from; anyway, the fact of sending all the alphabet symbols leads one to think that it could be a test of a new system, maybe aimed at Intel/Diplo services... but it's only my supposition and, if that is the case, we should wait for further transmissions from the "production" frog-modem.

➤8 Feb / 7 Mar updates
The same system has been spotted on 10222.0 KHz/USB on February 8 (Fig. 5) and on 7674.0 KHz/USB on March 7 (Fig. 6): data blocks last respectively 250 msec and 200 msec.

Fig. 5 - 250 msec blocks
Fig. 6 - 200 msec blocks
In my opinion, looking at the three intercepts, it seems that these are still test transmissions in which different data formats are used.

➤28 Mar update
The MFSK-6 modem seems to have entered production mode: spotted today on 10222.0 KHz/USB with no repetitions of the same pattern, as noted in the previous intercepts. Note that the system uses 3-tone symbols and a symbol rate of 100 symbols/sec.

Will wait for further recordings to confirm my guess.


➤17 July update
Several TDoA multilaterations on both the 10222 and 14462 channels indicate Frankfurt as the source of the signal; below, a TDoA run on 10222/usb (July 14).


27 March 2018

scrambling and descrambling

(The polynomial theory that scramblers are based on is beyond the scope of this post; for those who want to go deeper, Google offers a lot of documentation about it. The aim is just to show their operation and the results obtained by manipulating an incoming stream of data with a scrambler, say a little introduction to this topic.)
In telecommunications a scrambler, also referred to as a randomizer, is a block that manipulates a data stream before transmission. The manipulations are reversed by a descrambler at the receiving side. A scrambler can be placed just before a FEC coder, or it can be placed after the FEC, just before the modulator, to give the transmitted data useful engineering properties such as reducing the length of runs of consecutive 0s or 1s [1] (long sequences of 0s or 1s can cause synchronization problems at the receive modem).
In brief, scramblers are often constructed using linear-feedback shift registers (LFSRs), which consist of clocked storage elements (say "registers") and a feedback network, and are likewise defined by a polynomial: the number N of registers gives the degree of the polynomial, and the "taps" in the feedback network are modulo-2 additions (equivalent to exclusive-OR, or XOR) which give the monomials used, with their respective degrees. The registers are initially pre-loaded to the 0 state. The schematic in Figure 1 shows the so-called multiplicative (or "self-synchronizing") scrambler.

Fig. 1 - scrambler/descrambler schematic
As an example, the schematic in Figure 2 shows an x^8+x^5+x+1 scrambler (for simplicity the connections between the registers are not indicated).

Fig. 2 - x^8 + x^5 +x + 1 scrambler

That said, removing the scrambler from a demodulated stream (if scrambled) offers some more chances to understand the original data format and allows a step forward in signal analysis. That's why I coded some functions in Lua to study the operation of scramblers; the examples I post here refer to the scrambler described by the polynomial x^10+x+1 and depicted in Figure 3.

Fig. 3 - x^10+x+1 scrambler

A good way to observe the "randomizer" effect of a scrambler is to use an input bitstream composed of all 1s; the operation of the x^10+x+1 scrambler on such a stream is illustrated in Figure 4. The function I wrote also prints out the scrambler and descrambler tables, which report at each step (clock) the values of the input and output bits and the internal state of the registers.

Fig. 4
The scrambled stream just appears as a random sequence of 1s and 0s: this means that what looks like a ciphertext could actually be a scrambled plain text. It's interesting to note the first ten bits of the scrambled stream: in this case the first "1" takes ten clock cycles to pass through the descrambler and reach the last register; during this time the last register output remains at zero, therefore the two XORs in the feedback path produce the sequence "1010101010".
The initial part of the descrambler table is shown in Figure 5.

Fig. 5

An example with an ASCII text stream is shown in Figures 6 and 7.

Figure 8 shows the first thirty steps of the scrambler and descrambler tables; note that the two sets of registers assume the same states.

Another example of the use of the x^10+x+1 descrambler can be observed in the radioscanner forum: here a GFSK transmission has preamble and data blocks which are scrambled using two different polynomials (x^10+x+1 and x^11+x^9+1).

Fig. 9
By removing the tap from the first register the scrambler x^10+1 is obtained: the feedback simply consists of the modulo-2 add between the input bit and the output bit. Notice how the first 10 bits of the scrambled stream follow those of the input stream: this happens because during the first 10 clocks the output of the last register remains at zero and is XORed with the input.

Fig. 10 - x^10+1 scrambler
Fig. 11
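As an added example (my own Python, not the Lua functions mentioned above), a multiplicative scrambler/descrambler parameterised by the polynomial taps: run with x^10+x+1 and x^10+1 it reproduces the behaviour described for Figures 4 and 11, and with taps [5, 3, 1] it is the x^5+x^3+x+1 descrambler used on the Akula bursts in the 29 March post. The register layout (newest feedback bit at position 1) is my convention, not taken from the figures.

```python
# Added example: a multiplicative, self-synchronizing scrambler/descrambler built
# on an LFSR. A polynomial is given as its non-zero degrees above 0, e.g.
# x^10+x+1 -> [10, 1], x^10+1 -> [10], and the Akula post's x^5+x^3+x+1 -> [5, 3, 1].
# The highest degree N is the register length; every listed degree is an XOR tap.

def _taps_xor(taps, reg):
    """Modulo-2 sum of the tapped registers; reg[d-1] holds the bit d clocks old."""
    return sum(reg[d - 1] for d in taps) & 1

def _shift(reg, bit):
    """Clock the register: the newest bit enters at reg[0], the oldest falls out."""
    reg.insert(0, bit)
    reg.pop()

def scramble(bits, taps, trace=None):
    """y = x XOR taps(reg); y is fed back into the register (all-zero start)."""
    reg, out = [0] * max(taps), []
    for x in bits:
        y = x ^ _taps_xor(taps, reg)
        if trace is not None:                      # (in, out, register state)
            trace.append((x, y, "".join(map(str, reg))))
        _shift(reg, y)
        out.append(y)
    return out

def descramble(bits, taps):
    """x = y XOR taps(reg), with the register fed by the received bits, so after
    N clocks it holds the same state as the scrambler whatever it started from."""
    reg, out = [0] * max(taps), []
    for y in bits:
        out.append(y ^ _taps_xor(taps, reg))
        _shift(reg, y)
    return out

def bitstr(bits):
    return "".join(map(str, bits))

if __name__ == "__main__":
    ones = [1] * 30                                # the all-1s test stream
    for name, taps in (("x^10+x+1", [10, 1]), ("x^10+1", [10])):
        s = scramble(ones, taps)
        print(f"{name:9s} in  : {bitstr(ones)}\n{'':9s} out : {bitstr(s)}")
        print(f"{'':9s} back: {bitstr(descramble(s, taps))}")
    trace = []                                     # scrambler table, first clocks
    scramble(ones[:12], [10, 1], trace)
    for clk, (x, y, reg) in enumerate(trace, 1):
        print(f"clock {clk:2d}  in={x}  out={y}  registers={reg}")
```

The self-synchronizing property is visible if the descrambler is started in the middle of the scrambled stream: after N clocks its output is correct again.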

Quoting Wikipedia, "a scrambler has nothing to do with encrypting as its intent is not to render the message unintelligible"; anyway, scramblers are also used in stream ciphers: in this case the initial states of the registers are actually the secret key.

[1] https://en.wikipedia.org/wiki/Scrambler 

24 March 2018

STANAG-4285 unid 1536-bit secondary protocol (UK MoD?)

In most cases, STANAG-4285 transmissions running at 1200bps/L or 2400bps/L carry a data protocol with a period of 1536 bits, most likely a multiplex system (TDM) capable of carrying data and sync channels.

I followed these STANAG-4285 transmissions on 14548.2/usb throughout the morning and the first part of the afternoon. Unlike similar S-4285 broadcasts, there is no continuous broadcast: the messages are transmitted as needed and always using the 1200bps Long interleaver sub-mode.
TDoA multilateration using 5 KiwiSDRs as sensors points to Cyprus Island as Tx site: maybe UK MoD DHFCS?

19 March 2018

WI2XER, Skycast Experimental Radio Station?

A few days ago, 16 March, I spotted on 7703.0 KHz/USB (cf 7704.8) a transmission consisting of 30 unmodulated tones, 100Hz spaced, lasting 20.7 secs and followed by the Morse ID “WI2XER”. I wonder if it’s related to the Experimental Radio Station (ERS) run by Skycast. Quoting SWLing, "Skycast (WI2XER) is a station in the Experimental Radio Service, licensed under Part 5 of the FCC Rules."
Skycast recently renewed the license, so probably they conduct tests in the 7 MHz band too:
I tried to email Skycast asking for confirmation of the intercept; so far no reply.


April, 6 Spotted on 12140 at 1342z

April, 4 Spotted on 113905.5 at 1304z

16 March 2018

unid 32-bit secondary protocol

The analysis is related to a 3G-HF STANAG-4538 transmission in which the traffic service is “Circuit Mode” and spotted on 7961 KHz/USB, 188-110A Serial is used as the traffic waveform. After demodulation of 188-110A, the stream obtained shows a series of data blocks, corresponding to the transmitted bursts, characterized by a 32-bit length period which is due to the headers of each block (Fig. 1). Comparing the headers gives a common structure of 120 bytes that differs by 32 bytes (Fig. 2).

Fig. 1
Fig. 2
A proposed byte-framing (LSB-> MSB) is presented below:

initial 176-bit length sequence of "0" followed by 2-byte sequence (SYN sequence?)
0x81 0x18 (10000001 00011000)

23-byte idle pattern 0x55 starting with 0x27

21-byte (preamble?):
0xD5 0x68 0xF1 0x90 0x70 0xEF 0x96 0x8E 0x70 0x11 0x0F 0x09 0xF7 0x6E 0xE9 0x68 0x17 0xF1 0x90 0x70 0xEF 

32-byte block, this block is different in each burst as shown in Figure 2 (message identifier?, addresses?)

3-byte sequence 0x68 0xF1 0x90 followed by 4-byte sequence repeated four times (encoder key?)
0xF0 0x68 0xF1 0x90 (00001111 00010110 10001111 00001001)

user-data follow

It is interesting to note that the sequence 0x68 0xF1 0x90 (00010110 10001111 00001001) is repeated several times (also starting from byte forty-nine).
This is a hand-made mapping since I do not own a protocol analyzer/dissector tool: comments are welcome.

13 March 2018

about LPC-10 frames (STANAG-4197/M39)

A few days ago KarapuZ and I were discussing a way to detect/isolate the LPC-10 digital voice encoded frames from a STANAG-4197 waveform and avoid false decoding. I took advantage of a heavy cold to stay at home and deepen the subject a little more.
Briefly, the 4197 modem generates two separate signal formats based on two tone libraries: the 16-tone library is used for the system preamble and the 39-tone library is used for digital voice data. The initial preamble (modem preamble) is used in the receive modem for the detection of signal present, the correction of Doppler, and the identification of the beginning of the system preamble. The system preamble tones are modulated at 75 Baud and the encoded voice (say LPC) segment at 44.44 Baud: both segments are formed using OFDM technology (Figure 1).

Fig. 1
As said above, the aim was to dig into the demodulated bitstreams and find the period of the LPC frames. In all the demodulated streams, from different recorded 4197 samples, we highlight a period of 252 bits that is due to the system preamble frames (Figure 2). Indeed, quoting STANAG-4197, "The system preamble consists of a 4-bit code word to indicate the mode of the transmitting terminal combined with a 108-bit COMSEC message indicator, plus a 16-bit all-zero word. These 128 bits are encoded by a Bose-Chaudhuri-Hocquenghen (BCH) error correction code (252,128) which provides a 252-bit which are transmitted as 126 dibits on the 16-tone library."
Fig. 2
To avoid their "interference", the system preambles were removed from all the streams, leaving only the LPC segments. From the reading of STANAG-4197 we expected an LPC period of 54 bits: "The Linear Predictive Code provides 54 bits per frame at 44.44 frames per second. [...] The modulator shall accept 78 bits per frame from the encoder. The data shall be assigned to 39 dibits (one dibit symbol per tone)", as depicted in Figure 3.
Fig. 3
Well, what we have seen are random-bit periods, never a 54-bit period, sometimes bursts with 78-bit periods (Figure 4). Perhaps the periods of 78 bits are just a coincidence, but given that the modulator works on frames of this length (Figure 3), in my opinion this result should not be underestimated.

Fig. 4
The most probable reason is the use of a ciphering device in the chain (Figure 5): the signal coming from a headset/handset or from on-board communication systems is digitized by the LPC vocoder, encrypted and then modulated in accordance with STANAG 4197.
Fig. 5
Although a period of 252 bits is a hallmark of 4197, it is not sufficient to identify LPC frames, at least as long as a ciphering device is used. The doubt remains on those 78-bit period frames, a length that corresponds exactly to the 39 dibits assigned to the LPC tones.
The tests were done on about two dozen samples, some of them coming from the same source, so it would be useful to repeat the measurements on other and different recordings, better if un-encrypted. 
Unfortunately, 4197 / LPC-10 are not very frequent, but 188-110 39-tone (also known as M-39) could be a way out: according to 188-110B, "the modem should be expandable to include the Advanced narrowband digital voice terminal (ANDVT) (thirty-nine tone) mode. If included, this mode shall be in accordance with MIL-C-28883 and STANAG 4197." This is possible since the 188-110B App. 8 waveform adopts the same 39-tone library as STANAG-4197.

Fig. 6
Looking at one of these demodulated streams we had more luck and found a period of 54 bits that could be(!) what we were looking for (Figure 7). Moreover, quoting STANAG-4197, "The 39 dibit/tone assignments shall be permuted to minimize the effect of the frequency selective fading and narrow-band interference [...]. The permutation pattern shall repeat after 39 frame periods.", we have also tried a 78 x 39 = 3042-bit period, getting a quite good result.

Fig. 7
Fig. 8
Further 4197/M39 recordings will help.
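As an added example (my own Python, not the tool used for the figures), the period measurement behind all these posts: the stream is compared with a copy of itself shifted by p bits, and a repeating frame structure (the 252-bit system preamble here, a 54- or 78-bit LPC frame, the 6-bit and 1536-bit periods of the earlier posts) shows up as a shift where agreement rises well above the 50% of random data. The stream below is constructed, with a fixed 64-bit header every 252 bits and pseudo-random bits elsewhere; the 0.58 threshold is my assumption.

```python
# Added example: find the period of a demodulated bitstream by measuring how
# often the stream agrees with itself shifted by p bits. Random data agrees
# about 50% of the time; a repeating frame structure produces a peak at its
# length (and at its multiples, so the smallest peak is the frame length).
import random

def agreement(bits, p):
    """Fraction of positions i where bits[i] == bits[i+p]."""
    n = len(bits) - p
    return sum(bits[i] == bits[i + p] for i in range(n)) / n

def period_profile(bits, max_p):
    """(p, agreement) for p = 1..max_p, strongest candidates first."""
    prof = [(p, agreement(bits, p)) for p in range(1, max_p + 1)]
    return sorted(prof, key=lambda t: t[1], reverse=True)

def best_period(bits, max_p, threshold=0.58):
    """Smallest shift whose agreement clears the threshold; None if no peak."""
    peaks = [p for p, a in period_profile(bits, max_p) if a >= threshold]
    return min(peaks) if peaks else None

def constructed_stream(frames=40, period=252, header_len=64, seed=1):
    """Constructed test stream: a fixed header repeating every `period` bits,
    the remaining bits of each frame pseudo-random (stands in for ciphered LPC)."""
    rng = random.Random(seed)
    header = [rng.randint(0, 1) for _ in range(header_len)]
    out = []
    for _ in range(frames):
        out += header + [rng.randint(0, 1) for _ in range(period - header_len)]
    return out

if __name__ == "__main__":
    s = constructed_stream()
    for p, a in period_profile(s, 300)[:5]:
        print(f"shift {p:3d}: agreement {a:.3f}")
    print("best period:", best_period(s, 300))
```

On the constructed stream the expected agreement at shift 252 is about (64 + 188/2)/252, roughly 0.63, against about 0.5 at any other shift below 300.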