24 February 2020

3 x 7-bit KW-46 secured channels over STANAG-4481F, NRTF Niscemi

(cryptomaster, I56578, KarapuZ)

This post may be considered a continuation of an interesting analysis started by my friends cryptomaster and KarapuZ; see the radioscanner post for background. The signals analyzed by my friends and me use the STANAG-4481F waveform (also known as NATO-75, FSK 75Bd/850) and were spotted on 8202.5 kHz/usb (tuning frequency, CF = +2000 Hz). In our opinion they seem to be (off-line) fleet broadcasts of 3 x 7-bit multiplexed encrypted channels.
I want to thank my friend AngazU and the owner of the KiwiSDR http://158.255.239.102:8073/ in Alicante (Spain), who allowed me to use his device without time limits in order to monitor these transmissions.

The interesting aspect is the 3-bit structure that is visible in the SA raster (Fig. 1) when using, for example, a time window of 200 ms (= 15 bits @ 75 bps); notice that it does not appear in time windows that imply a number of bits that is not an integer multiple of 3.

Fig. 1 - 3-bit structure in a 200ms raster window
Following these results, the demodulated stream was reshaped into a 3-bit framing (Fig. 2): it is easy to see that two columns have the same content.

Fig. 2 - 3-bit framing of the demodulated stream
Then each column in turn was reshaped into a 7-bit pattern in order to obtain 3 separate files corresponding to the three channels. KarapuZ noted that the Fibonacci bit sequence (generated by the polynomial x^31 + x^3 + 1) is present in each channel (Fig. 3): this is the main indication that the source data was encrypted using the KW-46/KIV-7 cryptographic device, according to STANAG-5065.

Fig. 3 - the KW-46 M-sequences in the 3 channels conveyed by a single S-4481F transmission
The presence of three distinct channels suggests that a time division multiplexer (TDM) is used upstream of the S-4481F modem, but there is a problem with the speeds involved. The TDM must have a 75 bps "aggregate" speed in order to meet the S-4481F waveform requirements, so each (encrypted!) input channel should have a speed of 25 bps... but crypto devices such as KG-46 or KIV-7 do not work at speeds lower than 50 bps! (Fig. 4).

Fig. 4
So it seems that some kind of "rate change" occurs between the TDM and the S-4481F modem, but such a store-and-forward device to lower the speed appears unrealistic in the case of long broadcasts.

During my monitoring I was lucky enough to catch the beginning of a transmission. Interestingly, the M-sequences generated by the polynomial x^31 + x^3 + 1 start from the very first bit of the 3 demodulated streams (100% indication in Fig. 5): there are no signatures or magic numbers attributable to transfer protocols or file formats, nor preambles or sync sequences.

Fig. 5
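
The column split and the x^31 + x^3 + 1 test described above (Fig. 2, Fig. 3 and the 100% match from the first bit in Fig. 5) can be reproduced with a few lines of Python. This is an added example, not the tooling used for this post; it assumes the M-sequence occupies one column of each channel's 7-bit frame, tests both tap directions because the bit order is not known in advance, and runs on a constructed stream rather than a recording.

```python
import random

DEGREE, TAPS = 31, (28, 3)  # x^31 + x^3 + 1 read forwards (28) or time-reversed (3)

def msequence(n, seed=1):
    """n bits of s[k] = s[k-28] ^ s[k-31], i.e. characteristic poly x^31 + x^3 + 1."""
    s = [(seed >> i) & 1 for i in range(DEGREE)]  # seed must be non-zero
    while len(s) < n:
        s.append(s[-28] ^ s[-31])
    return s[:n]

def deinterleave(bits, n):
    """Reshape into n-bit rows and return the n columns."""
    return [bits[i::n] for i in range(n)]

def recurrence_score(bits, tap):
    """Fraction of positions obeying s[k] = s[k-tap] ^ s[k-31] (about 0.5 for random bits)."""
    hits = [bits[k] == (bits[k - tap] ^ bits[k - DEGREE]) for k in range(DEGREE, len(bits))]
    return sum(hits) / len(hits) if hits else 0.0

def find_msequence(stream, channels=3, frame=7):
    """Per channel: (frame column, tap, score) of the column that best fits the LFSR."""
    found = []
    for chan in deinterleave(stream, channels):
        score, col, tap = max((recurrence_score(bits, tap), col, tap)
                              for col, bits in enumerate(deinterleave(chan, frame))
                              for tap in TAPS)
        found.append((col, tap, score))
    return found

def build_sample(frames=400, sync_col=6):
    """CONSTRUCTED stream, not a recording: 3 channels of 7-bit frames, with the
    M-sequence in one column (an assumption) and random filler standing in for
    ciphertext; channels 0 and 1 are identical, as observed on the page."""
    rng = random.Random(4481)
    def channel(seed):
        seq = msequence(frames, seed)
        return [seq[f] if c == sync_col else rng.getrandbits(1)
                for f in range(frames) for c in range(7)]
    a, b = channel(0x1234567), channel(0x7654321)
    return [ch[i] for i in range(len(a)) for ch in (a, a, b)]

if __name__ == "__main__":
    for n, (col, tap, score) in enumerate(find_msequence(build_sample())):
        print(f"channel {n}: column {col}, tap {tap}, match {score:.0%}")
```

On real data the winning column and tap depend on frame alignment and bit order, so the score is what matters: about 50% for unrelated bits, 100% where the sequence is present and error-free.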
According to TDoA direction-finding attempts, the transmitter site is the Naval Radio Transmitter Facility (NRTF) in Niscemi, Italy (Fig. 6): an infrastructure of the NATO communication system that is linked with other US military bases [1]. Note that similar transmissions (3-bit structure S-4481F) can be heard on 7545.5 and 6383 kHz (CF), these too from NRTF Niscemi!

Fig. 6 - TDoA result
As I said, two channels have the same content, as indeed shown in the raster (Fig. 1). Note that such repetitions of encrypted channels were also seen in some KW-46/KIV-7M secured fleet broadcasts of the Australian Navy, see the blog post. In that case we have an aggregate speed of 600 bps and 12 multiplexed channels, i.e. a speed of 50 bps per channel.

I checked several other S-4481F transmissions, but so far this odd 3-bit structure is present only in the ones coming from Niscemi: help and comments from readers are much appreciated and welcome.

High Frequency dual mode antennas at NRTF Niscemi (source Wikipedia)
24 Feb update
As expected, parallel transmissions on 8204.5 kHz and 6383 kHz convey the same content (Fig. 7); the third frequency (7545.5 kHz) is not used at this time.

Fig. 7 - same contents on parallel transmissions

  (to be continued)
[1] https://www.globalsecurity.org/military/facility/niscemi.htm

158.255.239.102_2020-02-18T21_13_33Z_8203.00_usb.wav 
transmission_start.wav
158.255.239.102_2020-02-18T21_13_33Z_8203.00_usb.txt.bin
start.txt.bin

3 comments:

  1. Ciao Antonio !
    Because of this interesting analysis I was searching for other Stanag-4481 transmissions with the same 3-bit pattern.
    First I was successful and could see that also USN Diego Garcia on 4726 kHz (cf) has this 3 bit structure.
    But then something strange happened:
    By mistake I was thinking that French Navy on 2065.8 kHz (cf) also uses S-4481. But here we have the typical French Navy 50bd FSK with the bit period of 21.
    But when I was using the S-4481 FSK decoder with 75bd then I could also see this 3-bit pattern ! Although the baud rate and mode should not match ! Now I'm confused...
    Can you please check if you're getting the same result ?
    Maybe this repetition is just an issue of the decoder ?

    BR,
    Guido

    1. Hi Guido,
      I did not use a decoder, I demodulated the 4481F signal just using Signals Analyzer demodulator and the right parameters (75Bd/850).
      In your tests, the ratio between 75 and 50 is 75/50=1.5 so using a 75bps speed on a 50 bps speed, each "original" bit is repeated 1.5 times. The bit editors work with an integer number of bits (they can't represent half a bit!) and the 1.5 bit view is possible by aggregating two consecutive frames and then getting an integer number of 3 consecutive bits (i.e. 1.5 x 2): thus the 3-bit structure you see (it's the same story as the async 5N1.5 framing which is represented as a 15-bit pattern, i.e. 7.5 x 2).
      The most important aspect is the presence of the Fibonacci's bits in all the 3 columns of the 3-bit demodulated 4481F signal! I don't think it happens in the case of the French-Ny FSK if you reshape the 21-bit stream into a 3-bit pattern, moreover French guys do not use S-5065 for their home traffic.
      Thanks for the tips about the 4726 KHz, as far as I know it's from Dixon CA.



    2. Oh, of course you're right ! It was a bad idea to use 1.5 times of the baud rate specifically when searching for repeated bits :)
      (and I also did not check for Fibonacci bits)
      Thanks for clarification !
