23 August 2019

CIS-75 FSK 75Bd/250 (2): 128-bit LFSR sequence

This post is a follow-on of the previous one and shows some findings due to the collaboration between myself and my friend Valentin (cryptomaster).
In the analyzed CIS-75 recordings, we saw the use of a 128-bit length pseudo-random sequence which is inserted repeatedly in the data stream probably to re-sync the receive modem. As it turned out, the sequence is transmitted in positive and negative polarity according to an alternation  of patterns which are easily identifiable by inspecting the stream with a window of 385 bits width (Fig. 1)


Fig. 1 - sequences patterns
The sequence positions emerge after descrambling the stream using either the x^8+x^6+x+1 polynomial or the x^9+x^8+x^7+x^6+x^2+1 polynomial (Fig. 2): since they are not primitive polynomials the 128-bit sequence can't be considered as an m-sequence [1] but rather a scrambler sequence. Notice that the descrambled streams show opposite polarity.

Fig. 2 - descrambled stream
The sequences (the positive and negative one) have the interesting property of being both parts of the same 256-bit sequence generated by the polynomial 9,8,7,6,2 ...subject to some errors that apparently have been added to the sequence in order to complicate its analysis.


Interestingly, if the stream is decoded in differential mode the sequence changes its length to 127 bits and acquires only one polarity (Fig. 3): in this case both the descrambler polynomials 8,6,1 and 9,8,7,6,2 are suitable (Fig. 4).

Fig. 3 - sequences in the diff. decoded stream
Fig. 4
We also saw that syncing the diff. stream, the sequences appear in regular positions so that they could also be used to separate data blocks, but it's just our guess (Fig. 5).

Fig. 5 - sinched stream
During one of his monitorings, Valentin caugth an interesting transmission: after a stop the only "space" frequency was emitted for a long time and then followed by a short-term transmission (~ 3 sec). The signal contains the 128-bit sequence that we discovered and another 114-bit sequence repeating in the stream: the most interesting thing is that also that sequence is a consequence of the mentioned scramblers (Fig. 6 shows the descrambled stream).

Fig. 6

By the way... just another feature: when the modem works in idle mode the speed is set to 100 Bd (Fig. 7). Actually, in idle mode a "meander" is transmitted with a frequency of 50 Hz. The source of this frequency is a 50 Hz AC network. The meander is used to correctly configure the correspondent station, as well as to ensure that no one else occupies the HF frequency.
Notice that 50 Hz frequency originates a 100 bps stream: "1" value during the positive period (the first half cycle) and "0" value during the negative period (the second half of the cycle): if considered as speed, then it is 100 bps. 

Fig. 7


[1] http://www2.siit.tu.ac.th/...m-sequence.pdf

Signals for analysis was mostly gathered thanks to the KiwiSDRs:
http://sdr.ok2kyj.cz:8073/   (Pohorany near Olomouc, Czech Republic)
http://r3tio.proxy.kiwisdr.com:8073/  (Nizhny Novgorod, Russia)
http://kiwi-kuo.aprs.fi:8073/  (Kuopio, Finland)

1 comment:

  1. Nice job antonio!
    I can't understand how do you got that conclusions, but it's amazing.