26 April 2020

STANAG-4285 async 1200bps test transmissions from Turkey

For about a week I monitored STANAG-4285 1200bps async transmissions heard on several frequencies in the 6 MHz band, as listed in Table I; after April 23rd the transmissions stopped (at least in the 6 MHz band, and until today). As for the frequencies used, I have not found any match either in the UDXF group logs database or in other resources on the web.

Table I
The transmissions take place with a cycle of about 2 minutes and 25 seconds and seem to use a kind of "call/reply" mode between two stations a, b (judging by the different strength of the signals); I don't know who is the caller and who is the called, but I noticed different patterns depending on the monitored day, as for example in Fig. 1.

Fig. 1
The use of two frequencies was also observed (Fig. 2). Obviously these are automated or software-controlled transmissions. Messages, net of 32 bits each for SOM & EOM, have the same length each day, e.g. 8832/5760 bits (caller/called); user data are encrypted and then transmitted using 8N1 framing (Fig. 2). Note that the Turkish S-4285 async transmissions I have met so far used 5N1.5 framing.

Fig. 2 - (the different durations of the signals on the left depend on the waterfall rate that has been selected)
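
How 8N1 framing can be recognised in a demodulated bitstream even though the payload is encrypted: only the start and stop slots stay constant from character to character. This is an added example, not code from the original post; the function names and the sample bitstream are constructed here, and only whole stop bits are tried, so a framing such as 5N1.5 is outside what it tests.

```python
import random

def make_8n1(payload, idle=3):
    """Serialize bytes as 8N1: start bit 0, 8 data bits LSB first, stop bit 1."""
    bits = [1] * idle                       # idle line before the first start bit
    for byte in payload:
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]
    return bits

def framing_score(bits, frame_len, offset):
    """Fraction of frames with a 0 in the start slot and a 1 in the stop slot."""
    starts = range(offset, len(bits) - frame_len + 1, frame_len)
    good = sum(bits[i] == 0 and bits[i + frame_len - 1] == 1 for i in starts)
    return good / len(starts) if len(starts) else 0.0

def find_framing(bits, data_bits=(5, 7, 8)):
    """Try each character length and bit offset; return (data_bits, offset, score)."""
    best = (None, None, 0.0)
    for n in data_bits:
        frame_len = n + 2                   # start + n data + one stop bit
        for off in range(frame_len):
            score = framing_score(bits, frame_len, off)
            if score > best[2]:
                best = (n, off, score)
    return best

def strip_8n1(bits, offset):
    """Drop start/stop bits and return the payload bytes."""
    out = bytearray()
    for i in range(offset, len(bits) - 9, 10):
        frame = bits[i:i + 10]
        if frame[0] != 0 or frame[9] != 1:
            raise ValueError(f"framing error at bit {i}")
        out.append(sum(b << k for k, b in enumerate(frame[1:9])))
    return bytes(out)

if __name__ == "__main__":
    rng = random.Random(4285)               # constructed stand-in for ciphertext
    payload = bytes(rng.getrandbits(8) for _ in range(64))
    bits = make_8n1(payload)
    n, off, score = find_framing(bits)
    print(f"best fit: {n}N1 at offset {off}, score {score:.2f}")
    print("payload recovered:", strip_8n1(bits, off) == payload)
```

With random-looking payload bits, a wrong character length or offset scores near 0.25, while the true alignment scores 1.0.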

As shown in Table I, the STANAG-4285 submode 1200bps/L was used from April 15th to April 19th, then the submode 1200bps/S was used.

The direction finding (TDoA) results indicate an area of southern Turkey as a possible transmitter site (Fig. 3); the results may be somewhat inaccurate because of the short duration of the signals, but they are quite credible. Such a location, along with the transmission schedule and the encryption algorithm, allows for some observations and comments.


Fig. 3
As seen, the contents of the messages are encrypted, but the encryption algorithm does not correspond to the known ones such as KG-84/BID and KW-46/KIV-7, so the use of a "national algorithm" can be assumed. The TÜBİTAK (Technological Research Council of Turkey) National Electronic and Cryptology Research Institute (UEKAE) has developed secure communication solutions in terms of cryptographic algorithms, protocols, and architecture, as well as data encryption devices such as the MİLON family (MİLON-4A was also approved by NATO) [1] [2]. It is reasonable to think that these transmissions, as well as other encrypted transmissions from the Turkish Armed Forces reported in this blog, use such encryption systems.

Fig. 4 - some encryption devices by TUBITAK
(https://bilgem.tubitak.gov.tr/.../corporate_presentation_v7-2019.04.09.pdf)
The way these transmissions are conducted suggests that they are tests. STANAG-4285 is now a consolidated and widely used waveform, and therefore the tests could concern the installation of a new HF system (maybe an MRL system?). There is also another, somewhat "suggestive" hypothesis: field tests of an SCA-based 4285 waveform on proprietary advanced SDR transceivers. Indeed, TUBITAK UEKAE ported two different waveforms to Spectrum's flexComm SDR-4000 for demonstration to the Turkish Ministry of Defense: an implementation of STANAG-4285 for high frequency (HF) radio links and APCO Project 25 (P25) for public safety links [3].
[1] https://www.hurriyet.com.tr/gundem/natonun-kripto-cihazlari-tubitaktan-9191151
[2] https://bilgem.tubitak.gov.tr/.../corporate_presentation_v7-2019.04.09.pdf
[3] https://pdfs.semanticscholar.org/

8 April 2020

F7B with mixed offsets mode (likely Ukr nets)

Some days ago my friend Mike (mco) sent me an interesting recording of what seemed to be an MFSK-4 signal (Fig. 1) originating north of Rivne, Ukraine; such (duplex) transmissions are frequently heard on 13873.55, 15833.55, 15863.55, 16354.55, 17412.55, 17442.55 & 17469.55 kHz (Rivne TX).

Fig. 1
Actually, it is an F7B mode [1], which is actively used by Ukrainian nets. The SA program parses these transmissions as classic MFSK-4, so the bitstream after MFSK demodulation does not make sense. F7B is an FSK modulation technique with four modulation frequencies. The two transmission channels, termed V1 and V2, usually carry T-207 ciphered data and are obtained through six possible combinations of the four frequencies, which leads to six different modes, F7B-1 to F7B-6.
Hoka Code300 demodulates such transmissions using the mode "Baudot F7B" and the right offsets; since the output will always look like garbage (the contents are encrypted), it is quite difficult to detect the correct mode.
This sample, I think, is a combination of "free modes" in which the offsets and speeds used are: -1200 -400 +400 +1200 400Bd, -750 -250 +250 +750 250Bd, and -600 -200 +200 +600 200Bd; note also the change of the center frequency between the first and the second mode (Figs. 2, 3).
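
The difference between reading four tones as MFSK-4 and as F7B, as an added example that is not part of the original post: one tone sequence is turned into a single serial dibit stream in the first case and into two parallel channels V1/V2 in the second. The tone map, bit streams and function names are assumptions made for illustration; the count of six polarity-free assignments it computes is not claimed to match the numbering F7B-1 to F7B-6 in [1].

```python
from itertools import permutations

PAIRS = [(0, 0), (0, 1), (1, 0), (1, 1)]      # possible (V1, V2) bit pairs

def all_maps():
    """All 24 ways to assign the four (V1, V2) pairs to tones 0..3."""
    return [dict(enumerate(p)) for p in permutations(PAIRS)]

def canonical(m):
    """Remove channel polarity: flip V1/V2 so that tone 0 carries (0, 0)."""
    a, b = m[0]
    return tuple((m[t][0] ^ a, m[t][1] ^ b) for t in range(4))

def modulate(v1, v2, m):
    """One tone per symbol period, chosen by the current (V1, V2) pair."""
    tone_of = {pair: tone for tone, pair in m.items()}
    return [tone_of[pair] for pair in zip(v1, v2)]

def demux(tones, m):
    """Split a tone sequence back into the two parallel channels."""
    return [m[t][0] for t in tones], [m[t][1] for t in tones]

def as_mfsk4(tones):
    """MFSK-4 reading: each tone is a dibit of ONE serial stream."""
    return [bit for t in tones for bit in (t >> 1, t & 1)]

def same_up_to_polarity(x, y):
    return x == y or x == [b ^ 1 for b in y]

def consistent_maps(tones, v1, v2):
    """Maps that recover both channels when polarity is ignored."""
    hits = []
    for m in all_maps():
        d1, d2 = demux(tones, m)
        if same_up_to_polarity(d1, v1) and same_up_to_polarity(d2, v2):
            hits.append(m)
    return hits

# Constructed sample: two unrelated bit streams and an assumed tone map.
V1 = [0, 0, 1, 1, 0, 1, 1, 0]
V2 = [0, 1, 0, 1, 1, 1, 0, 0]
TX_MAP = {0: (0, 0), 1: (0, 1), 2: (1, 1), 3: (1, 0)}   # assumption
TONES = modulate(V1, V2, TX_MAP)

if __name__ == "__main__":
    print("polarity-free maps:", len({canonical(m) for m in all_maps()}))
    print("tones    :", TONES)
    print("as MFSK-4:", as_mfsk4(TONES))
    print("as F7B   :", demux(TONES, TX_MAP))
```

`consistent_maps` needs the true V1/V2 for comparison, which a listener does not have when the channels are ciphered; every one of the 24 maps yields two plausible-looking streams.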

Fig. 2
Fig. 3
"They use a wide range of frequencies and I've not noted all of them. This list seems ok but it certainly includes Main stn freqs and also side B stations ones and some are missing. They are working full duplex with abroad stations according to multiple TDoAs. So far I've seen them using MFSK-4 with 50/100 80/160 100/200 125/250 160/320 200/400 250/500 400/800 500/1000 settings," my friend Linkz says.

Fig. 4 - TDoA Tx site (thanks to Mike)
https://yadi.sk/d/WQrHjOlxMkH48A
[1] http://resources.rohde-schwarz-usa.com/c/manual-of-transmissi-2