29 December 2018

9MR - Malaysian Navy, uncommon FSK shift and ITA2 framing

(a joint analysis by me, ANgazu, Cryptomatser)



Shown here is the Id & "RY/SG" test tape transmitted by 9MR, Royal Malaysian Navy (RMN) [1], picked up using the VR3BG KiwiSDR located in Hong Kong and tuned to 8461.1 KHz and 6483.1 KHz (CF).
The signals exhibit two curious features, at least in the heard test transmissions: the first is the 50Bd async FSK waveform with its non-standard and quite uncommon 900Hz shift (Fig. 1).

Fig. 1 - 900Hz shift
The second feature is the framing used during the test operations: as you may see in Figs. 2 and 3, they use ITA2 code (5x28) with alternating 5N1/5N2 framing, i.e., a character sent with 1 stop bit followed by a character sent with 2 stop bits:

This odd scheme causes the 15-bit period visible both in the SA raster and in the bitstream (the latter reshaped to 30 bits in Figure 2). When a block ends, a special character or new-line is possibly used, which causes the one-bit shift to the left.

Fig. 2
Fig. 3
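The alternating 5N1/5N2 framing can be checked offline. The following is an added example (Python, not code from the post): it builds an ITA2 async stream from the RY test pattern with the 9MR-style stop-bit alternation and scores candidate framings by counting start/stop-bit violations; the 15-bit hypothesis is the only one that fits. The candidate set, scoring and the RY sample are my own construction.

```python
# Added example (not from the post): build an ITA2 async stream with the
# 9MR-style alternating 5N1 / 5N2 framing and recover its 15-bit period.
R, Y = 0b01010, 0b10101          # ITA2 'R' and 'Y', the classic RY test pattern

def ita2_frame(c, stop_bits):
    """One async character: start (0), 5 data bits LSB first, then stop bits (1)."""
    return [0] + [(c >> i) & 1 for i in range(5)] + [1] * stop_bits

def async_stream(chars, stops=(1, 2)):
    """Frames follow the stop-bit pattern cyclically: (1, 2) gives 5N1, 5N2,
    5N1, ... i.e. 7 + 8 = 15 bits per character pair, as seen on 9MR."""
    out = []
    for n, c in enumerate(chars):
        out += ita2_frame(c, stops[n % len(stops)])
    return out

def framing_errors(bits, frames, offset):
    """Count start!=0 / stop!=1 violations when the stream is cut, from
    'offset', into repeating groups of frames of the given bit lengths."""
    period, errors, pos = sum(frames), 0, offset
    while pos + period <= len(bits):
        for flen in frames:
            errors += bits[pos] != 0                                 # start element
            errors += sum(1 - b for b in bits[pos + 6:pos + flen])   # stop element(s)
            pos += flen
    return errors

CANDIDATES = {"5N1 (7-bit)": (7,), "5N2 (8-bit)": (8,),
              "5N1/5N2 alternating (15-bit)": (7, 8)}

def best_framing(bits):
    """Return (errors, name, offset) of the hypothesis with the fewest violations."""
    best = None
    for name, frames in CANDIDATES.items():
        for off in range(sum(frames)):
            e = framing_errors(bits, frames, off)
            if best is None or e < best[0]:
                best = (e, name, off)
    return best

if __name__ == "__main__":
    stream = [1, 1, 1] + async_stream([R, Y] * 30)  # three idle marks, then RYRY...
    print(best_framing(stream))                      # (0, '5N1/5N2 alternating (15-bit)', 3)
```

The reported offset is where the first 7-bit frame of a 15-bit row starts, which is the alignment one would use to reshape a captured bitstream as in Figure 2.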
According to my friend Cryptomaster, we are facing a 5N1.5 framing: the synchronous equipment compensates for this by alternating stop elements of 2 and 1 bits. As for the unusual spectrum, it is a drawback of the FSK shaper: when its polarity changes, the unfiltered classic transient is visible (Fig. 4).
It could be a good reason; anyway, after removing/cutting the upper and lower extra frequencies, the signal still exhibits a 900Hz wide spectrum (Fig. 5).

Fig. 5

By the way, our TDoA direction-finding runs (6483.1 KHz signal) point to Tanjung Gelang, site of the RMN Fleet HQ of Naval Region I.

As a final note, the analysis of the 6483.1 FSK transmission suggests that there may be some flaw somewhere.

https://yadi.sk/d/d15nXWys6iSuIg (6483.1 KHz)
https://yadi.sk/d/2gmoADztQTwT0w (8461.1 KHz)

22 December 2018

some recent (unid) catches in the 8 MHz band

STANAG-4285 async operations

Transmission heard on 8167.0 KHz/usb consisting of a S4285 600bps/L transfer. After demodulation, the bitstream reveals ITA2 5N1.5 async operation with encrypted data, and looks like the format seen here, which is possibly used by Turkish-Mil.


MIL 188-110A bursts

For several days I've been listening to 188-110A Serial Tone bursts on 8058.0 KHz/usb; 600bps short interleaving is the mode in use. Bursts last 1200ms and are spaced 500ms apart. The long (hours) sessions continuously send the same 240-bit pattern.

Fig. 1 - 240 bit pattern (reshaped to bytes)
TDoA runs point to Spain. 

Fig. 2


MFSK-4 100Bd/400

Short transmission heard on 8180.0 KHz/usb; unfortunately I got onto it very late and have not had the chance to listen to it again. My friend KarapuZ suggests a Russian source.


15 December 2018

STANAG-5030/MIL-188-140 VLF/LF multichannel broadcast to submarines (tentative)

The Navy ashore VLF/LF transmitter facilities transmit the submarine command and control broadcast, which is the backbone of the submarine broadcast system. The VLF/LF radio broadcast provides robustness, availability, global coverage, and has seawater-penetrating properties. The 200Hz assigned bandwidth for VLF/LF broadcast and the low efficiency (and narrow bandwidth) of the aerials are limiting factors, but the use of Minimum Shift Keying (MSK), a form of Quadrature Phase Shift Keying, can allow optimum use of this narrow bandwidth [1].
VLF/LF broadcasts to submarines are STANAG-5030 compliant, but unfortunately it's a restricted document so no information is publicly available. Moreover, the new STANAG-4724 is currently being ratified by NATO member states as its next evolution. However, googling the web it's possible to retrieve (a few) manufacturers' brochures of VLF/LF modulators/demodulators, such as the one shown in Fig. 1, and get some information. This equipment can provide TDM multi-channel broadcasts (up to four channels, all 50 baud) and mainly uses modulation techniques such as MSK (MSK2: 2x50 Baud channels, MSK4: 4x50 Baud channels), OQPSK and OOK "on-off keying" (the latter usually associated with Morse code).

Fig. 1
Reference MSK modulation indicates that zero-crossing transitions (e.g. +1/+1 to -1/-1 and vice versa, +1/-1 to -1/+1 and vice versa) cannot be allowed if phase discontinuities are to be avoided.

I analyzed some easily receivable VLF stations (DHO38, FTA, FUE, GQD, ICV, JXN, NSY, SXA, ...) and found that the phase-plane of some signals exhibits the expected transitions while other signals show odd transitions. The answer is to be found in the harmonics spectrum of the signals (Fig. 2): when the carrier is missing, the PLL algorithm locks onto one of the two spectral lines and causes the odd transitions shown in the phase-plane. The presence/absence of the carrier also makes me think of different solutions adopted by manufacturers, since MSK can be coherently detected like OQPSK (which implies acquiring the carrier!) or non-coherently detected like FSK.

Fig. 2 - carrier is missing in signals like FUE
My friend ANgazu pointed out the use of different filtering (Fig. 3). If a Gaussian filter with a BT of 0.8 or less is in use, as in FUE, the side lobes are attenuated and the modulation is GMSK. NSY has many side lobes so, most probably, no Gaussian filter is in use and the modulation is pure MSK. A special case is JXN, which uses a cosine filter.

Fig. 3 - differing filterings
That being said, some equalization/correction is needed to make the carrier emerge in the middle of the two tones, as shown in Figure 4:

Fig. 4 - FUE constellation after and before equalization
However, (G)MSK doesn't seem to be the only modulation used: using Diff=1 in the phase-plane, it turns out that OQPSK-like modulations are used too, as in the case of FTA and DHO38 (Fig. 5).

Fig. 5
Indeed, MSK is a special case of Continuous-Phase Frequency Shift Keying (CPFSK) which is a special case of a general class of modulation schemes known as Continuous-Phase Modulation (CPM). It is worth noting that CPFSK is a non-linear modulation and hence by extension MSK is a non-linear modulation as well. Nevertheless, it can also be cast as a linear modulation scheme, namely Offset Quadrature Phase Shift Keying (OQPSK), which is a special case of Phase Shift Keying (PSK)... identifying the used modulation may become a nightmare!

data format
Traffic is encrypted and each channel may convey four different types of broadcast, reference Figure 1:

VALLOR: a VLF/LF single-channel 50 Bd submarine broadcast operating as a backup to the VERDIN (1) system and using the KW-46 encryption system (VALLOR is the codename for the KW-46 system);
JASON: probably a feature specific to the product depicted (maybe the codename of an encryption system?);
CLEAR: most likely clear-text traffic (no encryption is used);
ECF (Empty Channel Filler): when no messages are available for a transmission channel, Empty Channel Filler data is generated automatically by the transmitter equipment.

Data are arranged in a stream incorporating, in a regular manner, a symbol dedicated to synchronization placed every r data symbols, i.e. the same format defined by STANAG-5065, in which frames are delimited by the pseudo-random sequence generated by the polynomial x^31+x^3+1 (aka "Fibonacci bits"). These formats may also be related to patent WO2009071589A2 [2]. Error detection and correction (EDAC) should be performed using Wagner coding.
Curiously, I found that GQD uses a 28-bit format and a pseudo-random sequence generated by the polynomial x^32+x^31+x^4+x^3+x+1 ...but I have to say that in this case I used an FSK demodulator.

Fig. 6

transmit system
Figures 7a and 7b show a simplified block diagram of the VERDIN (1) VLF/LF transmit system and real-world equipment used by the US Navy. The shore-to-sub broadcast is a continuous transmission sequence of prioritized messages which normally lasts two hours. It is generated by ISABPS (Integrated Submarine Automated Broadcast Processor System) and sent to the transmit terminal, which multiplexes, encrypts, encodes, and modulates up to four 50 bps submarine broadcast channels into VLF/LF radio frequency signals that are amplified and radiated by the VLF/LF transmitter and antenna. [3]

Fig. 7a - VERDIN system
Fig. 7b - a VERDIN receiver

(to be continued)

(1) VERDIN is a digital data, multichannel communications system operating in the VLF range from shore to deployed submarines. VERDIN permits transmission of up to four 50 Bd channels from an individual transmitter using time division multiplexing. The system is normally operated in a four-channel mode.

12 December 2018

XMPP over HF radio using STANAG-5066


Interesting transmissions spotted on 4381.0 KHz and 4833.5 KHz (both usb), consisting of the MIL 188-110A Serial HF waveform (fixed 600bps/S) carrying 6-bit code clear text (6x28) and STANAG-5066 as bearer for XMPP Multi-User Chat (MUC) messages.
XMPP, the Internet Standard eXtensible Messaging and Presence Protocol, is the open standard for Instant Messaging (IM), Group Chat and Presence services. XMPP is widely used for military deployments, where operation over constrained and degraded networks is often essential, particularly for tactical operation. 
Multi-User Chat (MUC) is a central service for military communication. If data is being provided, it makes sense to share it so that all interested parties can see it. For example, it will enable external strategists or lawyers to observe communication in real time, and provide input as appropriate. It often makes sense to share information in the field, for example a group of ships jointly working out who will target what and how. MUC is an important operational capability. 
In XMPP a client connects locally to its server, and direct server-to-server connections (S2S) support communication with clients on other servers. The mapping of XEP-0361 (Zero Handshake Server to Server Protocol) onto STANAG-5066 is standardized in "XEP-0365: Server to Server communication over STANAG-5066 ARQ". XEP-0365 is mapped onto the S5066 SIS and transferred using the RCOP protocol.
The 6-bit text and S5066 bitstream (Fig. 1) are obtained after demodulating the 188-110A Serial waveform:
Fig. 1
S5066 peers have the addresses and (odd) in 4381.0 KHz channel; the addresses and (even) are used in the 4833.5 KHz channel. These are probably "exercise" addresses since the block 10.50 is allocated to Uganda. 
These transmissions have been monitored for about one day, so I could collect hundreds of messages; only some of them are shown below as examples: you can see groupchat messages, Instant Messaging (private messages) and Presence/IQ messages. My friend and colleague Guido @decodesignals logged the same transmissions (and same addresses) on 4613.0 Hz; in his catches S4539 4800bps is used as the HF waveform.

    (a3d5bb51-70c3-4152-9a29-ab7cddbb47a3; 20181207T224101.034169)
    Test Message H - Private Message From GROUND Latency Acct
    <securitylabel xmlns="urn:xmpp:sec-label:0">
    <displaymarking bgcolor="green">UNCLASSIFIED</displaymarking>

    type='groupchat' id='fmucinte54838a0b2804718'>
    <fmuc xmlns='http://isode.com/protocol/fmuc'
    (29f06ec4-a4a9-4849-bd46-42c54efa42ea; 20181207T224452.309137)
    Test Message T - MUC From GROUND Latency Acct
    <securitylabel xmlns="urn:xmpp:sec-label:0">
    <displaymarking bgcolor="green">UNCLASSIFIED</displaymarking>

    to='mission-one@chat.p8-one.net/Supervisor Air'
    type='get' id='d98686c2-d66f-4bdc-9b4e-ceb9911c834e'>
    <query node='http://swift.im#3ScHZH4hKmksks0e7RG8B4cjaT8='

    <fmuc xmlns='http://isode.com/protocol/fmuc'
    <x xmlns='http://jabber.org/protocol/muc'/>

    <fmuc xmlns='http://isode.com/protocol/fmuc'
    <x xmlns='http://jabber.org/protocol/muc'/>

A bit of intelligence gathering can be done by reading the messages and from TDoA.
Direction finding is not easy since the transmissions originate from two different sites; however, the results obtained indicate the UK as the area of operations (Fig. 2): maybe UK MoD?
Fig. 2 - TDoA result
The namespace attribute fmuc xmlns='http://isode.com/protocol/fmuc' can be a clue to the use of the M-Link software developed by Isode for XMPP [1]. By the way, reading some Isode documentation available on the web you can see odd 10.x.y.w S5066 addresses like the ones used in the heard transmissions (Fig. 3).

Fig. 3 - from XMPP5066EVAL.pdf by Isode
Server names and node names such as mission-one@chat.ground.net/LATENCY_GROUND and mission-one@chat.ground.net/LATENCY_AIR, as well as the Test Message format, suggest a test phase aimed at measuring the latency of air and ground links. Note also that the tests are performed using different HF waveforms: MIL 188-110A Serial 600bps and STANAG-4539 4800bps.

That being said, these are probably UK MoD test transmissions concerning (Isode) XMPP over HF radio, but it's only my guess. Ropey @Topol_MSS27 suggests that "maybe P8 (chat.p8-one.net) is a clue and references new ops for upcoming P-8A's due to join RAF from Nov next year" [2].

12 December update
My friend Martin G8JNJ, owner of the http://southwest.ddns.net:8073/ KiwiSDR, reports he heard synced transmissions on 4381.0 KHz and 5505.0 KHz too, all usb. His TDoA runs point to Inskip (former RNAS Inskip), a transmitting site of the UK DHFCS located in Lancashire, North England: it confirms my TDoA and is a further clue in favour of RAF operations.

[1] (a lot of documentation is publicly available on the web about ISODE XMPP, google is your friend)
[2] https://www.raf.mod.uk/aircraft/p-8a/ 

CIS-79 "TANDEME" OFDM 79-tone

CIS-79 "tandem", OFDM 79-tone spotted on 10790.0 KHz/usb with a bad SNR. The signal is formed by 80 sub-carriers, but the highest one (#80) is zeroed and unmodulated. The waveform uses QAM-64 modulation at a symbol rate of 30.5 Baud with a 37.5 Hz channel step. No ACF value (=0) has been detected. Each symbol lasts 315 samples (256 + 59).
Note that a "control/service" symbol is sent every three tones using BPSK (Fig. 2): this feature was also commented on here, but in that case PSK-8 modulation is used. The signal was resampled at 9600Hz before being analyzed.

Fig. 1

1 December 2018

STANAG-5065 MSK300, LF shore-to-ship surface broadcast

Nice catch of a STANAG-5065 MSK300 signal picked up by a colleague using the Alicante KiwiSDR on 145.0 KHz. By the way, we wish to thank the owner of the Alicante KiwiSDR for his kindness in allowing the use of his SDR uninterruptedly for long periods.
The signal is transmitted from Guardamar de Segura in Spain (also known as "Torreta de Guardamar" [1]), currently operated by the Spanish Infantería de Marina to convey messages to submarines. The use of the S5065 Low Frequency MSK300 waveform (surface broadcast) and the "mission" of the Guardamar site suggest that these transmissions could be intended for surfaced submarines or submarines cruising at periscope depth.
Fig. 1- TDoA results (left), Tx location obscured by Google Earth (right)
While other broadcast stations for submarines such as DHO38 or NSY transmit continuously, Guardamar only transmits if there is traffic to send and, given the low bandwidth that characterizes the LF band, transmissions may last somewhat more than an hour. Most likely the Thales TRC 2556 VLF/LF digital multi-channel receiver is used aboard [2].

As said, the S5065 MSK 300Bd/150 is the waveform in use:

Fig. 2 - MSK 300Bd/150Hz waveform
Messages use the 7-bit START-STOP ITA2 (Baudot) code, which is then encrypted using the KW-46 crypto equipment (the KWT-46 transmitter and the KWR-46 receiver have the code name Vallor). Encryption results in bits 1 to 6 being encrypted and bit 7 (STOP) being replaced with a deterministic unencrypted Fibonacci bit defined by the polynomial x^31+x^3+1, which provides synchronization to the receiving KW-46 equipment.
In MSK300 mode the encrypted data from the KW-46 are coded with a (13,12) Wagner error coding scheme and then applied to the MSK modulator (as seen here, processing for STANAG-5065 FSK operations does not include Wagner encoding). As shown in Figure 3, the encoding consists of blocking the information into 2-character groups and substituting a parity bit for every second Fibonacci bit, so as to form a (13,12) Wagner odd parity code block (odd number of 1s) over 12 information bits (Fibonacci bit excluded).

Fig. 3 - (13,12) Wagner encoding of KW-46 encrypted stream
In MSK modulation the intelligence is carried by the phase shifts and not by the frequency shifts, thus the signal can't be demodulated using a generic FSK demodulator.

Fig. 4 - MSK300 phase-plane (before equalization)
After some unsuccessful demodulation attempts I asked my friend Christoph Mayer for help; he too checked the S5065 waveform and kindly sent me an MSK demodulator he wrote and re-coded for Octave. The result of the analysis of the demodulated stream, shown in Fig. 5 after a left shift, perfectly matches the schema of Figure 3.

Fig. 5 -  S5065 MSK300 stream after demodulation
It's very interesting to note that both the sequence obtained with n F-bits and the one obtained with n/2 (n/2 - 1) F-bits are attributable to the same polynomial x^31+x^3+1; my guess is that this feature perhaps helps the initial synchronization of the FEC process by detecting the position of the Wagner odd parity bits.
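The following is an added example (Python, not the blog's own code nor any KW-46 implementation) covering the framing of Figure 3 and the n versus n/2 F-bit observation above; the same x^31+x^3+1 "Fibonacci bit" framing is the one noted for the STANAG-5030 VLF/LF broadcasts earlier on this page. Assumptions: the tap convention s[k] = s[k-31] XOR s[k-3] for the polynomial, that the second F-bit of each character pair is the one replaced by parity, and a constructed LFSR seed; the KW-46 encryption of bits 1..6 is not public and is left out, so the characters pass through in clear.

```python
# Added example (not the blog's own code): KW-46-style ITA2 framing with
# x^31+x^3+1 "Fibonacci" sync bits and the (13,12) Wagner odd-parity block
# of STANAG-5065 MSK300. Encryption of bits 1..6 is left out (the KW-46
# keystream is not public); the framing, FEC and sync structure are shown.
SEED = [1] + [0] * 30    # constructed, non-zero 31-stage LFSR start state

def fibonacci_bits(seed, n):
    """n bits of the sequence with characteristic polynomial x^31 + x^3 + 1.
    Tap convention assumed here: s[k] = s[k-31] XOR s[k-3]."""
    s = list(seed)
    while len(s) < n:
        s.append(s[-31] ^ s[-3])
    return s[:n]

def fits_x31_x3_1(bits):
    """True if every bit after the first 31 obeys the recurrence (sync check)."""
    return len(bits) > 31 and all(
        bits[k] == bits[k - 31] ^ bits[k - 3] for k in range(31, len(bits)))

def ita2_start_stop(c):
    """7-bit START-STOP ITA2 character: start (0), 5 data bits LSB first, stop (1)."""
    return [0] + [(c >> i) & 1 for i in range(5)] + [1]

def wagner_encode(chars, fbits):
    """Bit 7 (STOP) of each character becomes the next Fibonacci bit; characters
    are paired and the pair's second Fibonacci bit is replaced by a parity bit
    giving an odd number of 1s over the 12 info bits + parity (13,12 block)."""
    assert len(chars) % 2 == 0 and len(fbits) >= len(chars)
    out = []
    for i in range(0, len(chars), 2):
        info1, info2 = ita2_start_stop(chars[i])[:6], ita2_start_stop(chars[i + 1])[:6]
        parity = (sum(info1) + sum(info2) + 1) % 2
        out += info1 + [fbits[i]] + info2 + [parity]   # 14 bits per character pair
    return out

def wagner_decode(stream):
    """Split a 14-bit-framed stream into (chars, odd-parity ok per block,
    sync ok); sync ok means the surviving F-bits (every other one of the
    generator's output) still obey x^31+x^3+1, the n/2 F-bit case."""
    chars, ok, fb = [], [], []
    for j in range(0, len(stream) - 13, 14):
        blk = stream[j:j + 14]
        ok.append((sum(blk[0:6]) + sum(blk[7:13]) + blk[13]) % 2 == 1)
        fb.append(blk[6])
        for info in (blk[0:6], blk[7:13]):
            chars.append(sum(b << k for k, b in enumerate(info[1:6])))
    return chars, ok, fits_x31_x3_1(fb)

if __name__ == "__main__":
    chars = [(7 * i + 3) % 32 for i in range(80)]       # constructed 5-bit characters
    stream = wagner_encode(chars, fibonacci_bits(SEED, 80))
    print(wagner_decode(stream)[1:] == ([True] * 40, True))   # True
```

The n/2 property holds because the recurrence polynomial squared, x^62+x^6+1, also annihilates the sequence, so every other F-bit still satisfies the x^31+x^3+1 relation; a receiver can thus verify sync on the surviving F-bits alone, while a single flipped data bit shows up as an even-parity block.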