4 July 2020

STANAG-4481F from NSY, back to normal op

(for background, read all the posts of this topic)
After a period during which the signals showed a strange behaviour consisting of a 3-bit period (which in some way "simulated" a 50Bd speed), it seems that the transmissions from NSY Niscemi have gone back to normal 75Bd operation. So far I have checked almost all the channels except 8145.0 and 8204.5 kHz (and 13229.0 kHz, but that one is from NAU Isabela).

Fig. 1 - 6732 kHz from NSY Niscemi on different dates
There is however a noteworthy peculiarity: according to my logs and analysis, NSY is the only station that uses KW-46 encryption - instead of KG-84 - with the 4481F 75Bd waveform(!); the other stations that use that encryption all adopt the 50Bd waveform. This fact modifies the content of a previous post according to the following diagrams (still provisional).

Fig. 2 - 6732 kHz streams from NSY Niscemi on different dates
Fig. 3
https://yadi.sk/d/02FOSxK157CsYw

3 July 2020

50Bd/300 async 5N1.5 FSK (likely Serbian-Mil)

6374.8 kHz (cf), async 50Bd/300 FSK using 5N1.5 framing, after demodulation:
UFBV UFBV UFBV de FNCS FNCS FNCS
E9U9 E9U9 E9U9 de FNCS FNCS FNCS
Z64G Z64G Z64G de FNCS FNCS FNCS

Friends from the UDXF group suggest the Serbian Army as the user.



https://yadi.sk/d/SblPr4eOCLpR4Q

30 June 2020

CIS-75 FSK 75Bd/250 (3): 126-bit LFSR sequence

(for background, read all the posts of this topic)
Russ-Mil CIS-75 75Bd/250 FSK system spotted this morning on 15832.0 kHz (cf). After differential decoding, the bitstream shows a clear 385-bit period and a 126-bit pseudo-random sequence, generated by the polynomial x^7+x^6+1, which is inserted in the data stream probably to re-sync the receive modem between messages:

111110111110011110101110000110111010011000101011000001011110001
110110110010010100100001001110010110100010001100110101010000000

Fig. 1 - 126-bit pseudorandom sequences
Fig. 2 - the synced stream
It's interesting to note that in previous CIS-75 recordings we saw the use of a 128-bit (!) pseudo-random sequence transmitted in positive and negative polarity: those sequences are easily identifiable by inspecting the stream with a window that is, coincidentally, 385 bits wide.
By the way, the same polynomial x^7+x^6+1 is also used by the French-Ny in their 50Bd/850 FSK fleet broadcast as one of the two LFSR stream delimiters [1].
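The checks behind a statement like "generated by the polynomial x^7+x^6+1" can be done in a few lines. The following Python is an added example (not the blog's own tooling): it generates the sequence of a given feedback polynomial, measures its period, tests whether a captured stretch of bits obeys that recurrence, and runs Berlekamp-Massey to recover the shortest LFSR from a captured stretch when no candidate polynomial is known. The convention (an assumption of this example) is the connection-polynomial form: x^7+x^6+1 means s[n] = s[n-6] ^ s[n-7]. The same helpers apply to the other polynomials quoted on this page (x^8+x^6+x+1, x^7+x^5+x+1, x^5+x^4+x+1). Note that a maximal 7-stage LFSR such as x^7+x^6+1 repeats every 2^7-1 = 127 bits.

```python
"""LFSR helpers for vetting a feedback polynomial against a demodulated
bitstream (added example, not the blog's own tooling).

Convention (an assumption of this example): a polynomial such as x^7+x^6+1 is
the connection polynomial C(x) = 1 + c1*x + ... + cd*x^d of a Fibonacci LFSR,
i.e. s[n] = XOR of s[n-i] over every term x^i with i >= 1.  Polynomials are
stored as bit masks: bit i set <=> the term x^i is present (x^7+x^6+1 -> 0b11000001)."""
import re
from functools import reduce
from operator import xor
from typing import List, Tuple


def poly_from_string(text: str) -> int:
    """Parse 'x^7+x^6+1' (spaces and a capital X are tolerated) into a bit mask."""
    mask = 0
    for term in text.lower().replace(" ", "").split("+"):
        if term == "1":
            mask |= 1
        elif term == "x":
            mask |= 1 << 1
        else:
            m = re.fullmatch(r"x\^(\d+)", term)
            if m is None:
                raise ValueError(f"unrecognised term {term!r}")
            mask |= 1 << int(m.group(1))
    return mask


def _taps(poly: int) -> Tuple[int, List[int]]:
    """Degree d and the exponents i >= 1 whose term x^i is present."""
    if poly & 1 == 0:
        raise ValueError("the constant term must be present")
    d = poly.bit_length() - 1
    return d, [i for i in range(1, d + 1) if (poly >> i) & 1]


def lfsr_sequence(poly: int, seed: int, n: int) -> List[int]:
    """First n output bits; seed bit i (0 <= i < d) is s[i]; the seed must be non-zero."""
    d, taps = _taps(poly)
    bits = [(seed >> i) & 1 for i in range(d)]
    for k in range(d, n):
        bits.append(reduce(xor, (bits[k - i] for i in taps), 0))
    return bits[:n]


def lfsr_period(poly: int, seed: int = 1) -> int:
    """Cycle length reached from `seed` (2^d - 1 for a primitive polynomial)."""
    d, taps = _taps(poly)
    start = tuple((seed >> i) & 1 for i in range(d))   # state = last d bits, oldest first
    state, steps = start, 0
    while True:
        new = reduce(xor, (state[d - i] for i in taps), 0)
        state = state[1:] + (new,)
        steps += 1
        if state == start:
            return steps


def satisfies(bits: List[int], poly: int) -> bool:
    """True if every bit from position d onwards obeys the recurrence of `poly`."""
    d, taps = _taps(poly)
    return all(bits[n] == reduce(xor, (bits[n - i] for i in taps), 0)
               for n in range(d, len(bits)))


def berlekamp_massey(bits: List[int]) -> Tuple[int, int]:
    """Shortest LFSR generating `bits`: returns (length L, connection polynomial
    mask).  The answer is unique once at least 2L bits are available."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # polynomial saved at the last length change
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L, sum(c[j] << j for j in range(L + 1))


if __name__ == "__main__":
    p = poly_from_string("x^7+x^6+1")
    seq = lfsr_sequence(p, seed=1, n=64)
    print("period:", lfsr_period(p))                 # 127 for this polynomial
    print("captured bits obey x^7+x^6+1:", satisfies(seq, p))
    print("Berlekamp-Massey:", berlekamp_massey(seq))  # (7, 193) == (7, 0b11000001)
```

`satisfies` is the quick test to run on a demodulated sequence once a polynomial is suspected; `berlekamp_massey` is the one to run when nothing is known yet, and its result is trustworthy only if the captured stretch is at least twice as long as the returned length.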


29 June 2020

unid 40.4Bd/800 FSK & FSK/Morse

6800.0 kHz (cf): unusual 40.4Bd/800 FSK with long time reversals, then into FSK/Morse "UUG4 de UTN7 ZC GB 73 SK" and off-air. Most likely a CIS network.
 
 
Comments are welcome 😄

23 June 2020

CIS Navy 50Bd/500 FSK 136 bit (T600-136)

Yet another 50Bd/500 FSK transmission, this time recorded on Monday morning on 14704.0 kHz (cf) around 1340Z and almost surely sourced by the CIS Navy T600 system (typical shifts: 200, 250 and 500 Hz): given the 136-bit frames, this waveform is also known as "T600-136".

Fig. 1 - FSK parameters
Note that the full transmission period is 544 bits long, i.e. 4 x 136-bit frames. Indeed, from a quick examination of the demodulated bitstream (Fig. 2) it is easy to see that it is composed of blocks of four repeated frames, probably to add redundancy to the system.

Fig. 2 - CIS-Ny 50Bd/500 bitstream (136-bit frames)
The same 136-bit framing is also used in the CIS-Ny 50Bd/250 FSK, again from a T600 system (Fig. 3): these two waveforms seem to carry the same "type" of messages, unlike the CIS-Ny 50Bd/200 FSK, which shows a different frame structure (70-bit Message Indicator, 4:3 ratio, ...) and is mainly used for fleet broadcast.

Fig. 3 - CIS-Ny 50Bd/250 bitstream (136-bit frames)
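The two steps behind these findings, a bit-level autocorrelation to find the period and a fold of the stream into rows of that length to see the repeated frames, are shown in the following Python (an added example, not the blog's own analysis software). The sample streams are constructed with a fixed-seed PRNG: one mimics the structure described above, with every 136-bit frame transmitted four times in a row, the other mimics the 14 June update further down the page, where a 64-bit sequence is followed by its complement. A match fraction of 1.0 at some lag means an exact repeat, 0.0 an exact repeat in opposite polarity, and about 0.5 no relation.

```python
"""Bit-level autocorrelation and frame folding for demodulated streams (added
example, not the blog's own tooling).  Streams are lists of 0/1 ints; the
sample streams below are constructed with a fixed-seed PRNG."""
import random
from typing import List, Tuple


def match_fraction(bits: List[int], lag: int) -> float:
    """Share of positions i with bits[i] == bits[i+lag]: 1.0 = exact repeat,
    0.0 = exact repeat in opposite polarity, ~0.5 = unrelated."""
    n = len(bits) - lag
    if n <= 0:
        raise ValueError("lag must be shorter than the stream")
    return sum(bits[i] == bits[i + lag] for i in range(n)) / n


def acf(bits: List[int], max_lag: int) -> List[Tuple[int, float]]:
    """(lag, match fraction) for every lag 1..max_lag."""
    return [(lag, match_fraction(bits, lag)) for lag in range(1, max_lag + 1)]


def best_period(bits: List[int], max_lag: int) -> int:
    """Lag whose match fraction is farthest from 0.5, so inverted repeats count too."""
    return max(acf(bits, max_lag), key=lambda p: abs(p[1] - 0.5))[0]


def fold(bits: List[int], frame_len: int) -> List[List[int]]:
    """Cut the stream into frame_len-bit rows (the raster view of the figures)."""
    return [bits[i:i + frame_len]
            for i in range(0, len(bits) - frame_len + 1, frame_len)]


def repeat_runs(rows: List[List[int]]) -> List[int]:
    """Lengths of runs of identical consecutive rows: [4, 4, ...] means each frame is sent four times."""
    runs, count = [], 1
    for prev, cur in zip(rows, rows[1:]):
        if cur == prev:
            count += 1
        else:
            runs.append(count)
            count = 1
    runs.append(count)
    return runs


def build_repeated_frames(frame_len: int = 136, repeats: int = 4,
                          n_frames: int = 6, seed: int = 2020) -> List[int]:
    """Constructed stream: n_frames random frames, each transmitted `repeats` times in a row."""
    rng = random.Random(seed)
    stream: List[int] = []
    for _ in range(n_frames):
        frame = [rng.getrandbits(1) for _ in range(frame_len)]
        stream.extend(frame * repeats)
    return stream


def build_polarity_stream(seq_len: int = 64, cycles: int = 3, seed: int = 14) -> List[int]:
    """Constructed stream: a random sequence followed by its complement, repeated."""
    rng = random.Random(seed)
    seq = [rng.getrandbits(1) for _ in range(seq_len)]
    return (seq + [1 - b for b in seq]) * cycles


if __name__ == "__main__":
    rep = build_repeated_frames()
    period = best_period(rep, 300)
    print("frame length from ACF:", period)              # 136
    print("repeat runs:", repeat_runs(fold(rep, period)))  # [4, 4, 4, 4, 4, 4]
    pol = build_polarity_stream()
    print("lag 64:", match_fraction(pol, 64), "lag 128:", match_fraction(pol, 128))  # 0.0 and 1.0
```

On a real capture `best_period` should be read together with the full `acf` list: in the repeated-frames stream the lag of 136 stands out, while the lag of 272 shows a weaker peak because only half of the frame pairs two rows apart are identical.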

Although the shift is a multiple of the manipulation speed, the two tones do not preserve their phase (Fig. 4).

Fig. 4 - CIS-Ny 50Bd/500 tones

14 June 2020

50Bd/500 FSK (likely CIS Gov/Mil)

update

My friend cryptomaster (thanks) confirmed the user (CIS networks) and he also pointed out that the 128-bit sequence is actually a 64-bit sequence that is transmitted in opposite polarity:
1111101111001110101100001011100011011010010001001100101010000001
0000010000110001010011110100011100100101101110110011010101111110


The same holds for the central part of the message, which is the same 64-bit sequence (here shifted by 13 bits) but with one bit in error:
0010101000000111110111100111010110000101110001101101001000100110
1101010111111000001000011000101001111010001110010010110111011000



11 June 2020

Unid (likely CIS) 50Bd/500 FSK message recorded on 12221 kHz (cf) at 1035z using the KiwiSDR "nsk" located near Novosibirsk, Russia. Notice the LFSR sequences generated by the polynomials x^7 + x^5 + x + 1 (128 bits long) and x^5 + x^4 + x + 1 (Fig. 1).

Fig. 1 - the two LFSR sequences
Although the shift is an integer multiple of the speed, the two FSK tones do not preserve their phases (Fig. 2).

Fig. 2 - phases of the two FSK tones
https://yadi.sk/d/mZiO7oRcHtQ5-Q

5 June 2020

Saab Grintek MHF-50 "preamble" variant

6 June 2020 update


As noted by my friend KarapuZ, the 75Bd/170 FSK segment 
010100101001010010100101001010010100101001010010100101001010010100101
can be successfully descrambled using the polynomial x^8 + x^6 + x + 1; maybe it serves sync purposes for the MFSK decoder that follows. It's interesting to note that the same polynomial is used in the CIS-75 waveform.
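A "descrambling try" of this kind, and the brute-force search one runs when the polynomial is not known, look like the following Python (an added example, not KarapuZ's or the blog's tooling). The scrambler structure is an assumption of the example: a multiplicative, self-synchronising scrambler y[n] = x[n] ^ y[n-1] ^ y[n-6] ^ y[n-8] for x^8+x^6+x+1, whose descrambler recovers the input after 8 received bits whatever the transmitter's starting state was. The ranking uses the number of ones in the descrambled output, which works for sparse or idle-like traffic (a balanced plaintext would need a different statistic). The block also checks, by carry-less multiplication, that x^8+x^6+x+1 = (x+1)(x^7+x^6+1), which is why the CIS-75 polynomial x^7+x^6+1 reappears here.

```python
"""Multiplicative (self-synchronising) descrambling and a brute-force search for
the scrambler polynomial (added example, not the blog's own tooling).
Polynomials are bit masks (bit i set <=> term x^i).  The scrambler structure is
an assumption of this example: y[n] = x[n] ^ XOR of y[n-t] over every
non-constant term x^t; the descrambler computes x[n] = y[n] ^ XOR of y[n-t]."""
import random
from typing import List, Tuple

POLY = 0b101000011      # x^8+x^6+x+1, the polynomial quoted in the post


def taps(poly: int) -> List[int]:
    """Exponents of the non-constant terms, e.g. x^8+x^6+x+1 -> [1, 6, 8]."""
    if poly & 1 == 0:
        raise ValueError("polynomial must have a constant term")
    return [i for i in range(1, poly.bit_length()) if (poly >> i) & 1]


def scramble(bits: List[int], poly: int) -> List[int]:
    tp = taps(poly)
    out: List[int] = []
    for n, x in enumerate(bits):
        y = x
        for t in tp:
            if n >= t:
                y ^= out[n - t]       # feedback from the scrambler's own output
        out.append(y)
    return out


def descramble(bits: List[int], poly: int) -> List[int]:
    tp = taps(poly)
    out: List[int] = []
    for n, y in enumerate(bits):
        x = y
        for t in tp:
            if n >= t:
                x ^= bits[n - t]      # feed-forward from the received bits only
        out.append(x)
    return out


def poly_mul(a: int, b: int) -> int:
    """Carry-less (GF(2)) polynomial product."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_to_string(poly: int) -> str:
    names = {0: "1", 1: "x"}
    return "+".join(names.get(i, f"x^{i}")
                    for i in range(poly.bit_length() - 1, -1, -1) if (poly >> i) & 1)


def rank_polynomials(received: List[int], degree: int) -> List[Tuple[int, int]]:
    """Try every x^degree + ... + 1 and rank by the ones count of the descrambled
    output, lowest first: a wrong guess yields about 50 % ones."""
    ranked = []
    for middle in range(1 << (degree - 1)):
        poly = (1 << degree) | (middle << 1) | 1
        ranked.append((sum(descramble(received, poly)[degree:]), poly))
    ranked.sort()
    return ranked


def build_sample(n_bits: int = 512, seed: int = 1) -> List[int]:
    """Constructed sparse 'plaintext' (about 10 % ones), like an idle pattern with occasional marks."""
    rng = random.Random(seed)
    return [1 if rng.random() < 0.1 else 0 for _ in range(n_bits)]


if __name__ == "__main__":
    plain = build_sample()
    rx = scramble(plain, POLY)
    score, best = rank_polynomials(rx, 8)[0]
    print("best polynomial:", poly_to_string(best), "ones:", score)   # x^8+x^6+x+1
    print("round trip ok:", descramble(rx, POLY) == plain)            # True
    print("(x+1)(x^7+x^6+1) =", poly_to_string(poly_mul(0b11, 0b11000001)))
```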



It is supposed that some frequencies (4346, 6504, 8580, 12982, ...) are channel markers, propagation markers and/or FAB channels, and that others (4245, 6407, 6493, 8603, ...) are traffic channels; in any case, they seem to carry different patterns.



5 June 2020


Saab Grintek MHF-50 variant recorded on 8603.0 kHz/USB using the KiwiSDR located at TWR Kempton Park, South Africa: notice that 8603.0 kHz is believed to be one of the working channels used by the South African Navy.
The signal has a kind of "preamble" (Figs. 1,2) which is followed by the usual multimode waveform. This preamble consists of a short 75Bd/170 FSK
010100101001010010100101001010010100101001010010100101001010010100101
followed by a 120 s long 1622 Hz tone which exhibits interesting markers every 12 s and every 1 s, maybe for sync purposes.

Fig. 1
Fig. 2
As said, the preamble is followed by the well-known multimode waveform (Figs. 3,4) consisting of 54.4Bd/390 FSK and 54.4Bd/65 MFSK-33, with the characteristic 3 tones signalling the EOM.

3 June 2020

NATO 75Bd & 50Bd FSK: F1F2 phase

I decided to replicate the analysis of the phase of the two FSK tones shown in the previous post by taking a look at the NATO 75Bd & 50Bd FSK transmissions, because only in the latter is the shift (850 Hz) an integer multiple of the bit rate (850/50 = 17). The difference between manipulation with and without a phase break during switch-over is also visible in the SA program in Wave Form mode (Fig. 1): signal "a" is 75Bd/850 FSK, signal "b" is 50Bd/850 FSK; both are NATO transmissions.

Fig. 1
As expected, both tones of signal a (75Bd/850 FSK) do not preserve their phase after each switch-over (Fig. 2), while the tones of signal b (50Bd/850 FSK) preserve their phase (Fig. 3).

Fig. 2 - 75Bd/850 FSK
Fig. 3 - 50Bd/850 FSK
To be precise, the 75Bd FSK is from NAU Isabela on 16121 kHz and the 50Bd FSK is from NSY Niscemi on 8203 kHz: therefore it must be considered that, generally, the data are not generated in the same place where the FSK signal is formed. I don't know whether the same modem is used for both waveforms (...and at both TX sites); anyway, the two tones of the French-Ny 50Bd FSK have the same behaviour too, i.e. their phase is preserved (Fig. 4).

Fig. 4 - French-Ny 50Bd/850 FSK

2 June 2020

200Bd/1000 FSK Rus-Intel 288-bit (F06x)

200Bd/1000 FSK Rus-Intel 288-bit (aka Enigma F06x) transmissions with a slightly different pattern, although all are recognized by Rivet [1]. Each frame starts with the 32-bit (4-byte) sync sequence 0x7D12B0E6
10111110010010000000110101100111
followed by an 11-bit frame line counter (block index). The sync sequence could be generated by the polynomial x^5 + x^4 + x^3 + x + 1.
More accurate details here.
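Two of the statements above can be verified in code, and the frame structure lends itself to a small sync-word search; the following Python is an added example (not Rivet's code). It checks that 0x7D12B0E6 sent byte by byte LSB-first is exactly the bit string quoted, that the word read MSB-first obeys the recurrence s[n] = s[n-1] ^ s[n-3] ^ s[n-4] ^ s[n-5], i.e. x^5 + x^4 + x^3 + x + 1 taken as a connection polynomial (the convention is an assumption of the example; the same bits in LSB-first order do not obey it), and it locates frames in a stream by hunting for the sync word with a small Hamming-distance tolerance and reading the 11-bit counter after it. The counter bit order (MSB-first), the payload, the number of frames and the random lead-in are all constructed for the example.

```python
"""Frame-sync search for 288-bit frames led by the sync word 0x7D12B0E6 and an
11-bit counter (added example, not Rivet's code).  The counter bit order and
the sample stream are assumptions/constructions of this example."""
import random
from typing import List, Sequence, Tuple

SYNC_HEX = 0x7D12B0E6
FRAME_BITS = 288
COUNTER_BITS = 11


def lsb_first_bits(value: int, nbytes: int) -> str:
    """Serialise `value` big-endian byte by byte, each byte LSB first (on-air order)."""
    return "".join("".join(str((byte >> i) & 1) for i in range(8))
                   for byte in value.to_bytes(nbytes, "big"))


SYNC_BITS = lsb_first_bits(SYNC_HEX, 4)     # "10111110010010000000110101100111"


def obeys_lfsr(bits: Sequence[int], tap_offsets: Sequence[int]) -> bool:
    """True if bits[n] == XOR of bits[n-t] for every n >= max(tap_offsets)
    (connection-polynomial form: offsets (1, 3, 4, 5) mean x^5+x^4+x^3+x+1)."""
    d = max(tap_offsets)
    return all(bits[n] == sum(bits[n - t] for t in tap_offsets) % 2
               for n in range(d, len(bits)))


def hamming(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a, b))


def find_frames(stream: str, max_errors: int = 2) -> List[Tuple[int, int]]:
    """(offset, counter) for every sync word found within max_errors bit errors;
    after a hit the search jumps one frame ahead instead of sliding bit by bit."""
    hits: List[Tuple[int, int]] = []
    pos, n = 0, len(SYNC_BITS)
    while pos + n + COUNTER_BITS <= len(stream):
        if hamming(stream[pos:pos + n], SYNC_BITS) <= max_errors:
            counter = int(stream[pos + n:pos + n + COUNTER_BITS], 2)   # assumed MSB-first
            hits.append((pos, counter))
            pos += FRAME_BITS
        else:
            pos += 1
    return hits


def build_sample_stream(n_frames: int = 5, lead_in: int = 17, seed: int = 6) -> str:
    """Constructed stream: random lead-in, then frames numbered 0..n_frames-1 with
    random payload; one sync bit of frame 2 is flipped to exercise the error tolerance."""
    rng = random.Random(seed)

    def rand(k: int) -> str:
        return "".join(str(rng.getrandbits(1)) for _ in range(k))

    payload_len = FRAME_BITS - len(SYNC_BITS) - COUNTER_BITS
    stream = rand(lead_in)
    for k in range(n_frames):
        sync = SYNC_BITS
        if k == 2:
            sync = sync[:5] + ("0" if sync[5] == "1" else "1") + sync[6:]
        stream += sync + format(k, f"0{COUNTER_BITS}b") + rand(payload_len)
    return stream


if __name__ == "__main__":
    msb_first = [int(c) for c in format(SYNC_HEX, "032b")]
    print("sync on air:", SYNC_BITS)
    print("MSB-first word obeys x^5+x^4+x^3+x+1:", obeys_lfsr(msb_first, (1, 3, 4, 5)))  # True
    print("frames:", find_frames(build_sample_stream()))   # [(17, 0), (305, 1), (593, 2), (881, 3), (1169, 4)]
```

A 5-stage LFSR repeats after 31 bits, so a 32-bit word drawn from it ends with the bit it started with; the MSB-first form of 0x7D12B0E6 starts and ends with 0, consistent with that reading.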

27 May 2020

unid 200Bd/800 FSK (2)

(see the previous post for background)
My friend cryptomaster suggested to me an interesting way to measure and analyze the two component frequencies of the 200Bd/800 FSK signal by using the VMW module of SA. Indeed, with that tool it is quite possible to obtain additional phase characteristics of the signals. For this, it is necessary to look at the bitmap picture of the carrier signal, adjusting the scan so that one period of the carrier wave fits on one line of the raster. Two columns of red and blue on the screen of the VMW module then reflect the positive and negative half-cycles of the oscillation (Fig. 1).

Fig. 1 - oscillation period (thanks to cryptomaster)
Well, it turned out that during the formation of this FSK signal the phases of the two frequencies are preserved after each "shift" (Figs. 2a, 2b): that suggests that it's formed by switching (mechanically or electronically) between two independent F1, F2 frequency generators which bear some inter-relationship, or by using a VCO system.

Fig. 2a - F1 component phase (on a 2 periods view)
Fig. 2b - F2 component phase (on a 3 periods view)
Phase analysis was performed on a signal recorded in IQ mode exactly on its centre frequency of 5094.7 kHz: in this case the two values of the frequency generators are:

F1 ~ 5602.6 Hz (2 periods: 0.000356972 s)
F2 ~ 6402.6 Hz (3 periods: 0.000468558 s)

as expected, an 800 Hz shift.
cryptomaster and I discussed these values, and he obtained an interesting result by recording the signal at a frequency of 5093.50 kHz/USB. In this case the carriers are F1 = 800 Hz and F2 = 1600 Hz (Fig. 3).
 
Fig. 3 - F1 F2 components (thanks to cryptomaster)
Probably the lower frequency is obtained using a divide-by-2 circuit. Anyway, examining the signal at different intervals, one can notice a small discrepancy between the phases of these two frequencies (Fig. 4): thus it is once again proved that the signal is generated by two different generators.

Fig. 4 - discrepancy between F1 F2
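The phase check used in this post (the VMW raster of one carrier period) and in the 3 June and 23 June posts above (does each tone keep its phase across keying, and does it matter whether the shift is an integer multiple of the baud rate?) can be reproduced numerically. The following Python is an added example, not the blog's tooling: it synthesises FSK under two models, a single phase-continuous oscillator that is retuned (one VCO) and two free-running generators that are merely switched, and for every symbol carrying tone F1 it measures the tone's phase against a free-running reference cos(2*pi*F1*t), the same comparison the raster view makes. With the single-oscillator model the F1 phase advances by 360 * shift/baud degrees for every F2 symbol sent in between, so it is preserved only when shift/baud is an integer (850/50 = 17, 500/50 = 10) and drifts when it is not (850/75); with two free-running generators each tone keeps its own phase regardless. Sample rate, tone frequencies, generator phases and the bit pattern are constructed for the example.

```python
"""Do the two FSK tones keep their phase across keying?  Added example (pure
Python, not the blog's tooling).  Two signal models are synthesised and the
phase of tone F1 is measured in every F1 symbol against a free-running
reference; a constant result means 'phase preserved'."""
import cmath
import math
from typing import Dict, List

FS = 9600                   # sample rate: 1/50 s = 192 samples, 1/75 s = 128 samples
BITS = [1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0]   # constructed; 1 -> F1, 0 -> F2


def cpfsk(bits: List[int], baud: int, f1: float, f2: float, fs: int = FS) -> List[float]:
    """One oscillator whose frequency is switched: the phase is continuous."""
    n_sym = fs // baud
    phase, out = 0.0, []
    for b in bits:
        step = 2 * math.pi * (f1 if b else f2) / fs
        for _ in range(n_sym):
            out.append(math.cos(phase))
            phase += step
    return out


def switched_fsk(bits: List[int], baud: int, f1: float, f2: float, fs: int = FS,
                 phi1: float = 0.4, phi2: float = 1.9) -> List[float]:
    """Two free-running generators (fixed phases phi1, phi2) selected by the bit."""
    n_sym = fs // baud
    out = []
    for k, b in enumerate(bits):
        f, phi = (f1, phi1) if b else (f2, phi2)
        for i in range(k * n_sym, (k + 1) * n_sym):
            out.append(math.cos(2 * math.pi * f * i / fs + phi))
    return out


def tone_phases(signal: List[float], bits: List[int], baud: int, f_tone: float,
                want_bit: int, fs: int = FS) -> List[float]:
    """Phase (degrees) of f_tone in every symbol that carries it, measured by
    correlating the symbol against exp(-j*2*pi*f_tone*t) on the absolute time axis."""
    n_sym = fs // baud
    phases = []
    for k, b in enumerate(bits):
        if b != want_bit:
            continue
        acc = 0j
        for i in range(k * n_sym, (k + 1) * n_sym):
            acc += signal[i] * cmath.exp(-2j * math.pi * f_tone * i / fs)
        phases.append(math.degrees(cmath.phase(acc)))
    return phases


def phase_spread(phases: List[float]) -> float:
    """Largest deviation (degrees) from the first measured phase, wrapped to +/-180."""
    ref = phases[0]
    return max(abs((p - ref + 180) % 360 - 180) for p in phases)


def compare(baud: int, shift: int, f1: int = 1000) -> Dict[str, float]:
    """Largest F1 phase excursion for both models at the given baud rate and shift."""
    f2 = f1 + shift
    cp = cpfsk(BITS, baud, f1, f2)
    sw = switched_fsk(BITS, baud, f1, f2)
    return {
        "shift_over_baud": shift / baud,
        "cpfsk_f1_spread": phase_spread(tone_phases(cp, BITS, baud, f1, 1)),
        "switched_f1_spread": phase_spread(tone_phases(sw, BITS, baud, f1, 1)),
    }


if __name__ == "__main__":
    for baud, shift in ((50, 850), (75, 850), (50, 500)):
        r = compare(baud, shift)
        print(f"{baud}Bd/{shift}: shift/baud={r['shift_over_baud']:.2f} "
              f"single-VCO spread={r['cpfsk_f1_spread']:.1f} deg, "
              f"two-generator spread={r['switched_f1_spread']:.1f} deg")
```

Read against the posts: a signal whose shift is an integer multiple of the baud rate and whose tones still do not keep their phase cannot come from the single retuned oscillator of the first model, which is the argument made for the CIS 50Bd/500 FSK in the 23 June post.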

22 May 2020

unid 200Bd/800 FSK

Odd and unid (to me) 200Bd/800 FSK spotted this morning on 5094.7 kHz (cf). The ACF shows a transmission period of 15 bits: 111101011100101
Apparently, no relevant results after differential decoding or descrambling tries.
Fig. 1
Fig. 2 - 15-bit pattern in the decoded bitstream
Note also in Fig. 3 the unwanted "spikes" during the manipulation when the carrier (and, in this case, the carrier phase too) changes:

Fig. 3
All my TDoA Direction Finding runs point to the District of Poznan, Poland.

Fig. 3 - TDoA results
https://yadi.sk/d/OIm7MzUJKRx9Sw
https://yadi.sk/d/dLieSh9imUYBfg

16 May 2020

yet another odd STANAG-4481F channel

(for background, read all the posts of this topic)
 
May 16th update
Interesting tip from my friend cryptomaster (thanks), who pointed me to the 13229 kHz (cf) frequency: also in this case it's a STANAG-4481F transmission with the characteristic 3-bit pattern (and obviously KW-46 encryption), but the source is the NAU Naval Radio Transmitter in Isabela (PTR).



Therefore, contrary to what I had observed so far, such broadcasts do not come only from Niscemi (NSY) and Barford (AJE). Below is the updated list of the frequencies and sites on which I successfully observed them (all CF):

05120.5 NSY
06383.0 NSY
06732.0 AJE
07545.5 NSY
08145.0 NSY, AJE
08204.5 NSY
13229.0 NAU


May 9th
6732.0 kHz: another STANAG-4481F KW-46 secured channel that uses the odd 3-bit pattern discussed here. This one is most likely from AJE (Barford St. John, UK) and // with 8204.5 kHz from NSY (Niscemi, Italy).

Fig. 1
Fig. 2
Fig. 3


So far, it seems that only the transmissions from NSY and AJE exhibit the odd 3-bit pattern we are talking about. Below is the current list of the frequencies on which I successfully observed it (all CF):

5120.5 NSY
6383.0 NSY
6732.0 AJE (new update)
7545.5 NSY
8145.0 NSY, AJE
8204.5 NSY

In winter, my friend cryptomaster observed two more frequencies: 4723.9 and 5118.6 kHz (the latter probably NSY tuning freq.).

As said, it should be noted that most of the time the NSY frequencies are logged as "NSY Sigonella": well, NAVCOMTELSTA (U.S. NAVAL COMPUTER AND TELECOMMUNICATIONS STATION) Sicily, located at Naval Air Station Sigonella, manages the Naval Radio Transmitter Facility Niscemi, which houses the LF/HF transmitters. Same story for AJE Barford St. John, which is probably sometimes reported as Croughton, nearby (6 miles away).



13 May 2020

(slow) 19.5Bd/97Hz FSK, likely a Russian-Mil network

19.5Bd/97Hz (slow) FSK waveform spotted on 5331.0 kHz, followed by opchat in Morse:
"RGJV de PZSF QSY 17542 K"


Source is probably some Russian-Mil network. Transmission consists of a repeated 126-bit sequence (Figs. 1,2).

Fig. 1
Fig. 2
Interesting: a time shift of half a bit is added after each sequence, most likely for sync purposes (Fig. 3)

Fig. 3
A similar signal, except for the 125 Hz shift, was also noted by my friend Cryptomaster:


26 April 2020

STANAG-4285 async 1200bps test transmissions from Turkey

For about a week I monitored STANAG-4285 1200bps async transmissions heard on several frequencies in the 6 MHz band, according to Table I; after April 23rd the transmissions stopped (at least in the 6 MHz band and until today). As for the frequencies used, I have not found any match either in the UDXF group logs database or in other resources on the web.

Table I
The transmissions take place with a cycle of about 2 minutes and 25 seconds and seem to use a kind of "call/reply" mode between two stations a, b (judging by the different strengths of the signals); I don't know who's the caller and who's the called, but I noticed different patterns depending on the monitored day, as for example in Fig. 1

Fig. 1
The use of two frequencies was also observed (Fig. 2). Obviously these are automated or software-controlled transmissions. Messages, net of 32 bits each for SOM & EOM, have the same length each day, e.g. 8832/5760 bits (caller/called); user data are encrypted and then transmitted using 8N1 framing (Fig. 2). Note that the Turkish S-4285 async transmissions I have met so far used 5N1.5 framing.

Fig. 2 - (the different durations of the signals on the left depend on the waterfall rate that has been selected)
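Reading an async 8N1 stream of the kind mentioned above means hunting for a start bit, taking eight data bits LSB-first, and validating the stop bit; on a framing error the receiver slips one bit and hunts again, so a corrupted bit costs a character or two rather than the rest of the message. The following Python is an added example (not the blog's tooling) that frames and deframes 8N1; the sample bitstream is constructed from an ASCII string, whereas the real traffic is encrypted and its bytes would not be readable.

```python
"""Asynchronous 8N1 framer/deframer (added example, not the blog's tooling).
Each character is 1 start bit (0), 8 data bits LSB first, 1 stop bit (1);
the idle line is a run of 1s.  Sample data is constructed from ASCII text."""
from typing import List, Tuple


def frame_8n1(data: bytes, idle_bits: int = 4) -> List[int]:
    """Serialise bytes as 8N1 with idle 1s before and after."""
    bits = [1] * idle_bits
    for byte in data:
        bits.append(0)                                  # start bit
        bits.extend((byte >> i) & 1 for i in range(8))  # data, LSB first
        bits.append(1)                                  # stop bit
    return bits + [1] * idle_bits


def deframe_8n1(bits: List[int]) -> Tuple[bytes, int]:
    """Return (decoded bytes, framing-error count).  A bad stop bit is counted
    as a framing error and the receiver slips one bit to re-hunt for a start bit."""
    out = bytearray()
    errors = 0
    i = 0
    while i + 10 <= len(bits):
        if bits[i] == 1:            # idle / hunting for a start bit
            i += 1
            continue
        frame = bits[i:i + 10]
        if frame[9] != 1:           # stop bit missing: framing error, slip one bit
            errors += 1
            i += 1
            continue
        out.append(sum(frame[1 + k] << k for k in range(8)))
        i += 10
    return bytes(out), errors


def corrupt(bits: List[int], index: int) -> List[int]:
    """Constructed impairment: flip one bit of the stream."""
    damaged = bits[:]
    damaged[index] ^= 1
    return damaged


if __name__ == "__main__":
    clean = frame_8n1(b"TEST MSG")
    print(deframe_8n1(clean))                 # (b'TEST MSG', 0)
    # index 33 is the stop bit of the third character (4 idle + 2*10 + 9)
    print(deframe_8n1(corrupt(clean, 33)))    # resynchronises before ' MSG'
```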

As from Table I, the STANAG-4285 submode 1200bps/L was used from April 15th to April 19th, then the submode 1200bps/S was used.

The direction finding (TDoA) results indicate an area of southern Turkey as a possible transmitter site (Fig. 3); the results may be a bit off because of the short durations of the signals, but they are quite credible anyway. Such a location, along with the transmission schedule and the encryption algorithm, allows for some observations and comments.


Fig. 3
As seen, the contents of the messages are encrypted but the encryption algorithm does not correspond to the known ones such as KG-84/BID and KW-46/KIV-7 therefore the use of a "national algorithm" can be assumed. TÜBİTAK (Technological Research Council of Turkey) National Electronic and Cryptology Research Institute (UEKAE) developed secure communication solutions in terms of cryptographic algorithms, protocols, and architecture as well as data encryption devices such as the MİLON family (MİLON-4A was also approved by NATO) [1] [2]. It is reasonable to think that these transmissions, as well as other encrypted transmissions from Turkish Armed Forces which are reported in this blog, use such encryption systems.

Fig. 4 - some encryption devices by TUBITAK
(https://bilgem.tubitak.gov.tr/.../corporate_presentation_v7-2019.04.09.pdf)
The way these transmissions are conducted suggests that they are tests. STANAG-4285 is now a consolidated and widely used waveform and therefore the tests could concern the installation of a new HF system (maybe a MRL system?). There is also another somewhat "suggestive" hypothesis: on-field tests of a SCA-based 4285 waveform on proprietary advanced SDR transceivers. Indeed, TUBITAK UEKAE ported two different waveforms to the Spectrum's flexComm SDR-4000 for demonstration to the Turkish Ministry of Defense: an implementation of STANAG-4285 for high frequency (HF) radio links and APCO Project 25 (P25) for public safety links [3].
[1] https://www.hurriyet.com.tr/gundem/natonun-kripto-cihazlari-tubitaktan-9191151
[2] https://bilgem.tubitak.gov.tr/.../corporate_presentation_v7-2019.04.09.pdf
[3] https://pdfs.semanticscholar.org/