29 September 2018

HF Industry website (HFIA)

WARNING: some of the recent posts have links to the "meetings & presentations" section of the High Frequency Industry Association (HFIA) website that end up giving the 404 error "page not found". The "404" errors are not due to my errors in the links but to the fact that HFIA has recently changed the layout and the policy  of its website, and in particular the "meetings & presentations" section has been replaced by "resources" and is no longer browsable without an account.

the old layout of HFIA website


28 September 2018

unid FSK 1200Bd/1200 test transmissions

Unid long-run (crtical) FSK 1200Bd/1200 test transmission heard on 13720.0 (cf) around 1320z (26 Sep). The demodulated stream consists of 16-bit frames, each frame consisting of:
*) seven bits coded with ASCII-7  ([A-Z] letters, [0-9] numbers and special chars)
*) 4-bit coded numbers [0-9]
*) 5-bit coded numbers patterns
Notice the sharp filtering at the edge of FSK transitions.





https://yadi.sk/d/7hXxtCYFjmM3bA

26 September 2018

25 September 2018

8-ary constellation bursts at 12800bps data rate (likely UK-MoD)


These transmissions consist of spread band "cluster bursts" which are sent in sequential order on several frequencies, ie the clusters are not sent simultaneously (Figure 1). Each cluster lasts about 5200ms and is composed of three 1600ms bursts separated by 200ms and spaced by 6000Hz (b1-b2) and 9000Hz (b2-b3). My friend KarapuZ spotted other clusters on 3.3, 4.0, and 4.7 MHz and published a youtube clip that shows a complete cycle [1], therefore it seems that "five" is the number of the used clusters, for a total of 3x5 = 15 "burst channels".


Fig. 1 - 5.7 and 7.8 MHz clusters
Probably they use staring SDRs, and in my opinion it could be an implementation of STANAG-4539 Annex H "Technical specifications to ensure interoperability of application communication systems using multiple discrete HF channels serial waveform", also provided in 110C Appendix F.
 
The bursts use the STANAG-4539 2400Bd and a 8-ary like constellation with a data-rate of 12800bps uncoded (!?!), a similar waveform (S-4539 12800bps/U bursts) was heard on 14 June on 7807.2 KHz/usb [2], just the same frequency of burst b1 of the 7.8 MHz cluster!
12800bps, also detected by my Harris RF-5710A, is clearly unlikely since PSK-8 modulation at a symbol rate of 2400Bd makes a gross bit transfer of 2400x3 = 7200 bit/sec, which in turn allows max data rates of 3200bps and 4800bps (if uncoded). So, 12800bps or PSK-8 seems an inconsistent data rate.
Fig. 2 - incosistent data rates
The frame structure of the bursts matches the one specified in S4539 #4.3. An initial
preamble is followed by data frames of alternating data and known symbols. Each data frame consists of a data block (256 data symbols), followed by a mini-probe (31 symbols of known data).  It's worth noting that each burst (consisting of 12 data blocks) curiously ends up with a half (½) data block.
Since the waveforms match, I wonder if they use an alternative/reserved coding that somehow deceives the RF-5710A modem. The only way to shed light on the wrong data rate is look at the received preamble.
Data rate and interleaver settings are explicitly transmitted as a part of the waveform in the second 103 symbols of the initial preamble and are coded as described in S4539 #4.3.1.1 "Synchronisation preamble" page B-11

The tribit symbols D0, D1, and D2 take one of 30 possible sets of values to indicate the data rate and interleaver settings:


The Modulo operations are meant to signify that the data rate and interleaver coded values (D0,D1,D2) are used to shift the phase of the Barker code 0,4,0,4,0,0,4,4,0,0,0,0,0.
Now look at the phase diagram of the received preamble (Fig. 3): data rate setting consists of two equal sequences plus a third one, such a symbols pattern can be originated only by the values "0,0,4", "6,6,2", and "2,2,6" of the Table 4.3.1.1-1 above reported.

Fig. 3 - phase variations of the received preamble
I'm less than a novice GNU-Octave coder so I asked my friend Christoph to write a little script to extract the symbols from the received preambles, results are surprising: quoting his email "the first few symbols of the preamble are not transmitted but the rest fits perfectly D0,D1,D2 = 6,6,2", therefore the 12800bps setting seems to be coded into the received preambles. I edit his script to improve the display of the 39 symbols related to the setting and replicated the tests: results are shown in Figure 4.
Fig. 4 - a) 287 symbols preamble and its sync (red); b) the actual "6,6,2" setting read from the preamble; c) the theoretic "6,6,2" setting
Since the 12800bps settings is correct, the used 8-ary constellation can't be a PSK-8 modulation!

But oddities do not end there.
Assuming that - in some ways - the decoding is correct, what you get is that each single burst carries 1536 bits of data and by aggregating the bursts of a single channel you will end up to see a 1536-bit protocol which looks like the DHFCS multiplexed stream (Figure 5).

Fig. 5 - demodulated streams of the 7.8 MHz cluster
Notice that each burst carries different contents: maybe the source contents are spread on the five clusters (ie on the 15 burst channels)?
I just add that all TDoA runs point to Cornwall, maybe St.Eval? if so, I wonder if Babcock/DHFCS are testing/using a  S4539 burst system in addition to the S4285 based system.
Fig. 9 - result of TDoA

(to be continued)
 
[1] https://youtu.be/iZCq4DnlNxo
[2] http://i56578-swl.blogspot.com/2018/06/stanag-4539-unexpected-data-rate-of.html

https://yadi.sk/d/EhPc_M8G7jC-mg 

15 September 2018

"Winnie pooh" HF test transmissions


odd wideband signals spotted recently on 9110 KHz (center frequency) and likely related to Russian tests or exercises. Transmissions (Figure 1) consist of a 3xFSK 250bd/500 waveform which occurs as stand-alone transmission or as preceding a wideband PSK waveform, the latter also heard as stand-alone. The FSK signals are 1500 Hz spaced, carry encrypted streams and occupy a 4KHz bandwidth. PSK signals exhibit a clear component in the fourth power (Figure 2) that leads to think to a QAM waveform either 5000Bd/5KHz bandwidth and 10000Bd/10KHz bandwidth. Further analysis of the IQ samples, or just further recordings, are needed to shed some light on the modulation.

Fig. 1
Fig. 2
Besides the two (new?) waveforms, the most surprising thing was hearing a short track of the Russian version of "Winnie Pooh" cartoon transmitted in DSB mode in between FSK and PSK (Figure 3): strange but true, check by yourself
- Russian cartoon track https://t.co/il9bFkhOyQ  
(at first I had mistaken its waterfall pattern as a sort of vocoder, my friend KarapuZ immediately identified it as a Winnie Pooh cartoon track).

Fig. 3
A topic was opened by KarapuZ on radioscanner ("ansanto" is my nickname there):


13 September 2018

Unid FSK 100Bd/500, T-207 encryption

Yet another (unid) FSK 100Bd/500 signal spotted on 9075.0 CF around 0810z (11 Sep) with good SNR. User is likely from Kaliningrad Oblast, contents are encrypted with T-207 system.





https://yadi.sk/d/Y29ujJhDt-EG9g
https://yadi.sk/d/xYkIjgOZXOYErQ


10 September 2018

LINK-11 SLEW, properties of the acquisition preamble sequence

(thanks to Christoph for his Octave hints and collaboration) 

Since some weeks I'm studying the symbols sequence which is used to form the Link-11 SLEW acquisition preamble, the reason is that - quoting STANAG-5511 - "the acquisition preamble [...] consists of a 192 tri-bit known sequence generated from a pseudo random code": well, from waht I can see I don't think so. In my opinion the preamble sequence has been accurately studied and designed and in this post I try to argue the reasons.
The preamble sequence (used to define the start of a transmission, AGC, signal detection, synchronization, doppler requirements and equalization) is reported in S5515 as:

7 0 3 4 1 1 1 0 2 6 1 5 1 7 0 3 5 4 2 2 6 1 2 2 0 4 5 4 1 2 2 6
7 0 7 0 1 1 5 4 2 6 5 1 1 7 4 7 5 4 6 6 6 1 6 6 0 4 1 0 1 2 6 2
7 4 7 4 1 5 5 0 2 2 5 5 1 3 4 3 5 0 6 2 6 5 6 2 0 0 1 4 1 6 6 6
7 0 3 4 5 5 5 4 2 6 1 5 5 3 4 7 5 4 2 2 2 5 6 6 0 4 5 4 5 6 6 2
7 4 3 0 1 5 1 4 2 2 1 1 1 3 0 7 5 0 2 6 6 5 2 6 0 0 5 0 1 6 2 2
7 4 3 0 5 1 5 0 2 2 1 1 5 7 4 3 5 0 2 6 2 1 6 2 0 0 5 0 5 2 6 6

and according to #10.1.1.1 "these symbols are not scrambled and are applied directly to the 8 PSK modulator".


A first oddity - see Figure 1a - is that after the mapping of the complex symbols onto a PSK-8 constellation we don't get all the possible PSK-8 transitions as it happens for example by mapping the preamble sequence symbols of STANAG-4539 or a random sequence of PSK-8 symbols. A second puculiarity is that the preamble has a clear period of 96 bits (ie 32 tribit symbols) , which may be detected by BEE editor (see Figure 1b) and emphasized by plotting the matrix of complex symbols versus the columns (the two diagrams at the bottom of Figure 1a). 

Fig. 1a
Fig. 1-b

As a characteristic of PSK-n signals [1], the process of squaring a PSK-8 transforms the signal into a QPSK modulation (at twice the frequency); my friend Christoph pointed out to me that after the squaring of the preamble we get 6 repeating QPSK patterns, each 32 symbols long (1):

6 0 6 0 2 2 2 0 4 4 2 2 2 6 0 6 2 0 4 4 4 2 4 4 0 0 2 0 2 4 4 4
6 0 6 0 2 2 2 0 4 4 2 2 2 6 0 6 2 0 4 4 4 2 4 4 0 0 2 0 2 4 4 4
6 0 6 0 2 2 2 0 4 4 2 2 2 6 0 6 2 0 4 4 4 2 4 4 0 0 2 0 2 4 4 4
6 0 6 0 2 2 2 0 4 4 2 2 2 6 0 6 2 0 4 4 4 2 4 4 0 0 2 0 2 4 4 4
6 0 6 0 2 2 2 0 4 4 2 2 2 6 0 6 2 0 4 4 4 2 4 4 0 0 2 0 2 4 4 4
6 0 6 0 2 2 2 0 4 4 2 2 2 6 0 6 2 0 4 4 4 2 4 4 0 0 2 0 2 4 4 4


That's another oddity, or - better - another property of Link-11 SLEW preamble.

Christoph also noticed some other features of Link-11 preamble, but just the squared sequence is interesting for its "analogy" with the preamble used in STANAG-4285 (both consist of periodic sequences). 
Indeed, the periodic sequence of the squared preamble symbols can be assumed as a reference and - as it happens in S4285 - may be used to perform Doppler effetcs estimation by continuous correlation of the squared received sequence with the reference (S4285 adopts this method using the 31-symbol PSK-2 preamble sequence as reference for Doppler and sync acquisition [2]). Figure 2 shows the two reference sequences: notice the QPSK constellation of the squared L11 preamble. In my guess this is another point in favor of a designed preamble sequence.

Fig. 2
I wanted to look for evidences and confirmations from the analysis of a sample of a Link-11 SLEW signal [3], identifying and demodulating a preamble sequences (Figure 3).

Fig. 3

received preamble symbols:
5 6 0 6 3 4 2 7 1 6 3 1 5 1 7 0 4 0 3 2 6 1 2 2 0 4 5 4 1 2 2 6
7 0 7 0 1 1 5 4 2 6 5 1 1 7 4 7 5 4 6 6 6 1 6 6 0 4 1 0 1 2 6 2
7 4 7 4 1 6 5 0 2 2 6 5 1 3 5 3 5 1 6 2 6 5 6 2 0 0 1 4 1 6 6 6
7 0 3 4 5 5 6 4 2 6 1 5 5 3 4 7 5 4 2 2 2 5 6 6 0 4 5 4 5 6 6 2
7 4 3 0 1 5 1 4 2 2 1 1 1 3 0 7 5 0 2 6 6 5 2 5 0 0 5 0 1 6 2 2
7 4 3 0 5 1 5 0 2 2 1 1 5 7 4 3 5 0 2 6 2 1 6 2 0 0 5 0 5 2 6 6

after its squaring:

2 4 0 4 6 0 4 6 2 4 6 2 2 2 6 0 0 0 6 4 4 2 4 4 0 0 2 0 2 4 4 4
6 0 6 0 2 2 2 0 4 4 2 2 2 6 0 6 2 0 4 4 4 2 4 4 0 0 2 0 2 4 4 4
6 0 6 0 2 4 2 0 4 4 4 2 2 6 2 6 2 2 4 4 4 2 4 4 0 0 2 0 2 4 4 4
6 0 6 0 2 2 4 0 4 4 2 2 2 6 0 6 2 0 4 4 4 2 4 4 0 0 2 0 2 4 4 4
6 0 6 0 2 2 2 0 4 4 2 2 2 6 0 6 2 0 4 4 4 2 4 2 0 0 2 0 2 4 4 4
6 0 6 0 2 2 2 0 4 4 2 2 2 6 0 6 2 0 4 4 4 2 4 4 0 0 2 0 2 4 4 4


The difference between the reference and the received sequences are shown in Figure 4, notice that only the sequences #2 and #6 are received w/out errors.

Fig. 4
Figure 5 shows the results of the cross-correlations of the reference with the received sequences: the upper side concerns the tribit symbols while the lower side concerns PSK-8 symbols. I have to say that in this example the received PSK-8 symbols are not the actual ones since they are re-mapped at demodulation time; the tribit symbols instead are the actual ones.
Fig. 5
I am quite positive that the results would have been more complete and meaningful if I had extracted all the preamble sequences from the Link-11 transmission or if I had used only I/Q values. By the way, Christoph emailed me saying that he worked a link11 SLEW sample and the cross-correlations shows the expected results so that the doppler and frequency offset can be estimated: he's a skilled guy so hope to read soon such a post in his blog.

In conclusion, from what seen above, I do not think that Link-11 SLEW preamble is a sequence which is "generated from a pseudo random code" - by the way, so far I have not yet found a polynomial generator - but rather it seems a designed sequence or source algorithm (e.g. S4285 and S4539 do not talk of preamble sequences in such terms).


(1)
if "z" is a complex symbol and "s" is a tribit symbol, then:
z^2 corresponds to mod(2*s, 8)


3 September 2018

LINK-11 SLEW, transmission format


The SLEW waveform transmission format consists of an acquisition preamble followed by two or more fields, each field followed by a reinsertion probe. 
The first field immediately following the preamble is the header field and contains information that is used by the Combat Data System (CDS) and the encryption device. If a network PU (Partecipating Unit) has data to transmit, successive data fields follow the reinsertion probe of the preceding fields. These data fields consist of track data and other user data. The last field to be transmitted is the end-of-message (EOM) field. The transmission ends with a reinsertion probe.

Fig. 1

Data are accommodated using 3 different types of fields: header field, CDS data field and EOM field. The acquisition preamble, a very interesting topic, will be discussed in a next post.

The structure of the header field  consists of 33 data bits appended with 12 error detection bits (CRC). This 45 bit sequence is encoded with a 1/2 rate error correction code resulting in a 90 bit field. The header field contains information to define (Figure 2): 
the transmission type T (1 bit),
the Picket address ADDR (6 bits), 
the KG-40 Message Indicator MI (24 bits), 
the NCS/Picket designation N (1 bit),
a spare field SP (1 Bit).
Fig. 2 - Link-11 SLEW header field
The transmission type (T) indicates the format of the transmission to follow: is set to 0 to indicate an NCS Interrogation Message (IM) and is set to 1 to indicate a NCS Interrogation with Message (IWM) or a Picket reply transmission (the term picket indicates a PU on the network that is not the NCS).
The KG-40 Message Indicator subfield contains the sequence generated by the KG-40 crypto device. Cryptographic synchronization is achieved when the receiver acquires the correct MI. Since 24 bits is the length used by the Golay code, I tried to verify if the KG-40 MI was really coded using the extended Golay (24,12) ...but without success. For an NCS interrogation transmission (tramission type subfield = 0), this subfield will contain all zeros since no message is carried.
The address subfield  ADDR contains either the address of the next Picket to be interrogated or the address of the Picket that initiated the current transmission: note that only Pickets addresses are exposed.
The NCS/Picket designation (N)  identifies whether the current transmission originates from the NCS or from a Picket: 0 indicates an NCS transmission, 1 indicates a Picket transmission.

The structure of the CDC data field consists of 48 data bits (two standard 24 bit CDS frames seen in CLEW waveform) appended with 12 error detection bits that are encoded with 2/3 rate error correction code resulting in a 90 bit data field. 
The EOM field is used to indicate the end of the transmission and consists of a sequence of 90 bits. No error detection or correction bits are applied to this field. The sequence depends on the unit that is transmitting:
An EOM from the NCS is a 90 bit sequence of all “0”
An EOM from a Picket is a 90 bit sequence of all “1”
Below an example where all the SLEW fields are visible:

100101000110111110001110000011111 000001111100
100010100010001011000001101110010000101011110011 011001011010
111000010110000011110010111001001000000001110000 111100101001
011000001000110111001101100000001100011010110011 001111011101
111001010110100001101001111101011000101011010100 001110110011
111111111111111111111111111111111111111111111111

100101010001100001001000111101001 001101011111
111111010001010101000001001101001111111111101001 001110110000
000111000100111011000110010010001001111110011110 100010111111
001100111011011100100100010000110000001100101110 011101010010
111001100100110100111100010001100010100100011101 100100001111
000000000000000000000000000000000000000000000000

100101001110110010000010101000011 001111010111
100101110000001100001111011000110111011101110111 001111001101
110011011001010000111110011001100101100111110000 011111110010
000111101110101111010000101001011010010100010010 010100001110
100011010110110101111100001110111000011011111010 100010011011
111111111111111111111111111111111111111111111111 


It's interesting to analyze the headers related to the SLEW transmissions shown in Figure 3 

Fig. 3 - SLEW transmissions headers
In all the headers the transmission type subfields (T) are set to 1 to indicate that the following data sub-fields are NCS transmissions or Picket reply transmissions.
In the first header the NCS/Picket designation subfield (N) is et to 0 to indicate an NCS transmission: in this case the 6-bit subfield address identifies the address of the Picket to be interrogated (010100). In the second header the NCS/Picket designation is set to 1 to idicate the Picket reply transmission: in this case the 6-bit address identifies the address of the Picket which initiated the transmission (010100). You may check that
the other headers are interpretable in the same way. So, the headers indicate a series of IWMs and replies between the NCS and the Picket station addressed by 010100. 

2 September 2018

DHFCS 1536-bit TDM protocol (2)

In the previous post I associated the 1536-bit TDM protocol to the DHFCS network, and that's correct, but I wrongly ascribed this protocol to Rockwell Collins. Indeed, looking carefully at the two slides below you can see that they refer to the products GA-123 (HF modem) and GA-205 (TDM multiplexer), both are produced by DRS Technology, a Leonardo (formerly Finmeccanica) company.

Fig. 1
Reading the GA-205 datasheet [1] we can shed a bit of light on the 1536-bit protocol: GA-205 is a 12-channel Time Division Multiplexer (TDM) that provides full-duplex and half-duplex transmission and reception of data at selectable user port rates of 75 x 2n up to 9,600 bps. The system accommodates user data that do not share common timing sources and provides for isochronous, bit stuff, synchronous and asynchronous operation.

Fig. 2 - the GA-205 multiplexer

In Time Division Multiplexing (TDM) the communication resource is shared by assigning input channels the full spectral occupancy of the system for a fixed duration of time called time slots.
Synchronous TDM works by the muliplexer giving exactly the same time slot to each device connected to it even if one or more devices have nothing to transmit. The data rates of different input devices control the number of the slots: a device may have one slot, other may have two or three according to their data rate. 
Asynchronous TDM, or statistical TDM, is a more flexible method of TDM since slots are assigned dynamically as needed, ie slots are not assigned to devices that have nothing to transmit. Variable-Length Time Slots Asynchronous TDM can accommodate traffic of varying data rates by varying the length of the time slots. Stations transmitting at a faster data rate can be given a longer slot.

Since GA-205 multiplexer can handle up to 12 channels, the four ports you see in Figure 1 can be misleading: it is possible that the "preset" shown in the screenshot (identified as TDM1 in the upper right), refers to a particular configuration used to manage only 4 input channels of the 12 available. Maybe a default? who knows, the slide dates back to 2006. Notice that in the shown preset the input channels exhibit different baud rates: 600, 300, and 75. In that condition, bit stuffig or variable length slots can be used.
 

Given the above considerations:
1) at most, the DHFCS 1536-bit format carries up to 12 channels (by the way, 1536 bits = 1024+512, ie 1.5 Kb);
2) managing TDM requires that some control bits (sync, device tagging, ...) be appended to the beginning of each slot and this overhead is clearly part of the raw bitstream that we get after S4285 removal;
3) since we do not manage the control bits, when the the GA-205 is used in async mode we can't say the number of the channels currently transmitted; as well as we do not know the number of "traffic" channels when GA-205 is used in sync mode.

My guess is that the 1536-bit period could be the frame length (the slots gathered in a complete cycle), no matter if GA-205 works in sync or async mode. 
Channels are encrypted individually before being applied to the multiplexer, they probably use BID-950 or KIV-7 (KIV-7 may work as KW-46).

DHFCS STANAG-4285 stations logged and DF'ed so far:
05553.2 Cyprus Is.
07937.0 Crimond 
11015.0 Crimond 
14390.0 Ascension Is. 
14548.2 Cyprus Is. 
15812.1 Cyprus Is.
16106.3 St. Eval 
16287.0 Ascension Is. 
16398.2 Cyprus Is. 
17398.2 Cyprus Is. 







[1] http://www.drs-ds.com/media/1414/ga205.pdf