(updated)
Interesting transmissions spotted on 4381.0 KHz and 4833.5 KHz (all usb) consisting of MIL 188-110A Serial HF waveform (fixed 600bps/S) and 6-bit code clear text (6x28) & STANAG-5066 as bearer for XMPP Multi-User Chat (MUC) messages.
XMPP, the Internet Standard eXtensible Messaging and Presence Protocol, is the open standard for Instant Messaging (IM), Group Chat and Presence services. XMPP is widely used for military deployments, where operation over constrained and degraded networks is often essential, particularly for tactical operation.
Multi-User Chat (MUC) is a central service for military communication. If data is being provided, it makes sense to share it so that all interested parties can see it. For example, it will enable external strategists or lawyers to observe communication in real time, and provide input as appropriate. It often makes sense to share information in the field, for example a group of ships jointly working out who will target what and how. MUC is an important operational capability.
In XMPP a client connects locally to its server, and then there are direct server to server connections (S2S) to support communication with clients on other servers. The mapping of XEP-0361 (Zero Handshake Server to Server Protocol) onto STANAG-5066 is standardized in "XEP-0365: Server to Server communication over STANAG-5066 ARQ”. XEP-0365 is mapped onto the S5066 SIS and transferred using RCOP protocol.
The 6-bit text and S5066 bitstream (Fig. 1) is obtained after demodulating the 188-110A Serial waveform:
 |
| Fig. 1 |
S5066 peers have the addresses 010.050.066.001 and 010.050.066.003 (odd) in 4381.0 KHz channel; the addresses 010.050.066.002 and 010.050.066.004 (even) are used in the 4833.5 KHz channel. These are probably "exercise" addresses since the block 10.50 is allocated to Uganda.
These transmissions have been monitored for about one day so I could collect hundreds of messages, only some of them are shown below as examples: you can see groupchat messages, Instant Messaging (private messages) and Presence/IQ messages. My
friend and colleague Guido @decodesignals logged same
transmissions (and same addresses) on 4613.0 Hz, in his catches the S4539 4800bps is used as the HF waveform.
<message
from='latency.ground@ground.net/2aad61419fb06287'
to='latency.p8-one@p8-one.net'>
<body>
(a3d5bb51-70c3-4152-9a29-ab7cddbb47a3; 20181207T224101.034169)
Test Message H - Private Message From GROUND Latency Acct
</body>
<securitylabel xmlns="urn:xmpp:sec-label:0">
<displaymarking bgcolor="green">UNCLASSIFIED</displaymarking>
<label/></securitylabel>
</message>
<message
from='mission-one@chat.ground.net/LATENCY_GROUND'
to='mission-one@chat.p8-one.net'
type='groupchat' id='fmucinte54838a0b2804718'>
<fmuc xmlns='http://isode.com/protocol/fmuc'
from='latency.ground@ground.net/8f9f7ba5ca23d374'
sync_stamp='2018-12-07T22:44:52Z'/>
<body>
(29f06ec4-a4a9-4849-bd46-42c54efa42ea; 20181207T224452.309137)
Test Message T - MUC From GROUND Latency Acct
</body>
<securitylabel xmlns="urn:xmpp:sec-label:0">
<displaymarking bgcolor="green">UNCLASSIFIED</displaymarking>
<label/>
</securitylabel>
</message>
<iq
from='mission-one@chat.ground.net/LATENCY_GROUND'
to='mission-one@chat.p8-one.net/Supervisor Air'
type='get' id='d98686c2-d66f-4bdc-9b4e-ceb9911c834e'>
<query node='http://swift.im#3ScHZH4hKmksks0e7RG8B4cjaT8='
xmlns='http://jabber.org/protocol/disco#info'/>
</iq>
<presence
from='mission-one@chat.ground.net/LATENCY_GROUND'
to='mission-one@chat.p8-one.net/LATENCY_GROUND'
id='fmucint0e52f98befac3522'>
<fmuc xmlns='http://isode.com/protocol/fmuc'
from='latency.ground@ground.net/8f9f7ba5ca23d374'/>
<x xmlns='http://jabber.org/protocol/muc'/>
</presence>
<presence
from='mission-one@chat.p8-one.net/LATENCY_AIR'
to='mission-one@chat.ground.net/LATENCY_AIR'
id='fmucint0572337e8aafbad5'>
<fmuc xmlns='http://isode.com/protocol/fmuc'
from='latency.p8-one@p8-one.net/f5ac7b83c2cc6951'/>
<x xmlns='http://jabber.org/protocol/muc'/>
</presence>
A bit of intelligence gathering can be done by the reading of the messages and from TDoA.
Direction finding is not easy since the transmissions originate from two different sites, however the results obtained indicate UK as the area of operations (Fig. 2): maybe UK MoD?
 |
| Fig. 2 - TDoA result |
The namespace attribute fmuc xmlns='http://isode.com/protocol/fmuc can be a clue of the use of the M-Link software developed by Isode for XMPP [1]. By the way, reading some Isode documentation available in the web you can see odd 10.x.y.w S5066 addresses like the ones used in the heard transmissions (Fig. 3)
 |
| Fig. 3 - from XMPP5066EVAL.pdf by Isode |
Servers names and nodes names as: mission-one@chat.ground.net/LATENCY_GROUND and mission-one@chat.ground.net/LATENCY_AIR, as well as the Test Message format suggest a test phase aimed to measure the latency of air and ground links. Note also that the tests are performed using different HF waveforms: MIL 188-110A Serial 600bps and STANAG-4539 4800bps.
That being said, probaby these are UK MoD test transmissions concerning (Isode) XMPP over HF radio but it's only my guess. Ropey @Topol_MSS27 suggests that "maybe P8 (chat.p8-one.net) is a clue and references new ops for upcoming P-8A's due to join RAF from Nov next year" [2].
12 December update
My friend Martin G8JNJ, owner of the http://southwest.ddns.net:8073/ KiwiSDR, reports he heard synch'ed transmissions on 4381.0 KHz and 5505.0 KHz too, all usb. His TDoA runs point to Inskip (Former RNAS Inskip), a transmitting site of UK DHFCS located in Lancashire, North England: it confirms my TDoA and is a further clue in favor of RAF operations.
(a lot of documentation is publicy available in the web about ISODE XMPP, google is your friend)
[2] https://www.raf.mod.uk/aircraft/p-8a/
[2] https://www.raf.mod.uk/aircraft/p-8a/
No comments:
Post a Comment