28 August 2020

CIS Navy VLF 50Bd/75 FSK (T600 75Hz)

50Bd/75 FSK is the T600 waveform variant utilized by Russian Navy on 18.1 kHz, commonly for submarine communications.

Fig. 1 - 50Bd/75 waveform
As seen in CIS 36-50, frames are constructed from data blocks consisting of 7-bit words: a packet of payload data of basically arbitrary length is surrounded by a start and an end sequence (EOM). Sometimes blocks of data already transmitted are observed to be repeated, verifying the contents by the recipient can be performed easily this way. Idle sequences of reversals, i.e. strictly alternating sequences of "0"s and "1"s, of 36 Bd and 50 Bd are used to introduce and to terminate a transmission or also (50 Bd only) to separate data blocks.
A data block itself consists of three sections: start sequence, (encrypted) payload data, end of message (EOM) sequence; all payload data has a fixed ratio of '1's vs. '0's of 4 to 3 or vice versa, depending on polarity of reception (Figure 2). 

Fig. 2 - 4/3 ratio test on a five-message transmission (s1 and s2 data blocks are the same)
After a single "1" bit (following the last "01" reversal pair), the 28-bit (four-words) start sequence 1010111 1101011 0100000 1010000 is sent: the 4/3 ratio is not followed here to make the start sequence distinguishable from the actual data. Payload comes next; its first part are two equal words 0101101 0101101 followed by a repeated ten-word (7 bits each) group: likely the Message Indicator or the session key. All subsequent data (arbitrary length) do not obey a special regularity anymore. The end sequence shows five equal 7-bit words (5 x 0001000), again disregarding the 4/3 ratio of the data section (Figure 3).
Fig. 3 - structure of a data block

Multiple Russian military naval communication stations share this frequency (18.10 KHz) and the call sign "RDL".  The 24h transmission schedule has frequent flash-override messages in A1A Morse, FSK-Morse and T600 75 Hz, as shown in the lower image of Figure 1.

https://yadi.sk/d/0M7f_H_WOD9LTA (T600-75 bitstream)

22 August 2020

Swedish Navy submarine MSK multi-channel broadcast

(For background it might be helpful to read the relevant entries here)

Swedish Royal Navy (Swedish: Svenska marinen [1]) uses a broadcast function of STANAG-5030 (1) for communication with its subs in the Baltic Sea, the return channel is believed to be low-end HF. These LF broadcasts use the 200Bd/100 MSK waveform and can be heard on 40.4, 42.5, and 44.2 KHz (CF) by using  KiwiSDR receivers located in the island of Gotland which have a good SNR. [2].

All the three signals have the classic set of parameters for (G)MSK: a spectrum equal to 1.5*Br (300Hz), shift equal to Br/2 (100Hz), a characteristic bell-shaped appearance (Figure 1), and others such as 4-point constellation, transitions and real trajectories (Figure 2). Please note that the carrier in the fourth degree is very weakly expressed, sometimes it is practically invisible at all.

Fig. 1
Fig. 2
Using 200Bd MSK (a form of QPSK) it is possible to transmit two 100 Baud channels X and Y, each on a pair of phase, and each channel can consists of 2x50 Baud multiplexed channels. Thus, MSK can provide a TDM multi-channel broadcast of  up to 4x50 Baud X1 X2 Y1 Y2 channels within the 200Hz assigned band (MSK4).  Some aspects about the similarities bewteen QPSK and MSK are covered in radioscanner forum [3].

In conditions where no messages are available for transmission, the four channels are arranegd with two "empty channel filler" (ECF) patterns, probably generated automatically at the transmitter equipment:
- two channels share the same 15-bit pattern;
- a third channel uses a different 5-bit pattern;
- the fourth channel uses the same 5-bit pattern where one column is repalced by the bits of the pseuso-random sequence generated by the polynomial x^31+x^3+1.
An example of this "idle" mode is shown in Figure 4: here the m-sequence is sent in the Y2 channel (notice the same pattern sent in X1 X2 channels ).

Fig. 3
A more generalized scheme highlighting the position of the m-sequence channel in four different recordings is shown in Figure 4.

Fig. 4
 In case of messages, the four channels use a 5-bit format with different framings:  
- two channels share the same 5-bit framing, i.e 1-bit marker (pos/neg according the polarity) + 4-bit data:
- a third channel uses an unid (to me) framing;
- the fourth channel uses the same 5-bit framing of the first two channels but the marker column is replaced by the bits of the pseuso-random sequence generated by the polynomial x^31+x^3+1.
Figures 5a,5b show such arrangement.

Fig. 5a
Fig. 5b
Due to their strategic and tactical importance, subcomms require secure cryptographic protocols and this could explain the presence of the x^31+x^3+1 pseudo-ramdom sequence which is used to sync the receive KW-46/KIV-7 ciphers (other than to permit channel identification), although an encrypted 4-bit stream is rather unusual as well as the use of the 1+4 bits frames. 
In this regard, one might even think that the actual secured messages channel is Y before the TDM split (Figure 6), while the other channels X1 X2 transport not critical 4-bit coded data (WX forecast, sea conditions, ...). This way, messages could use 10-bit START-STOP code which is then encrypted using the KW-46/KIV-7 equipment. Encryption results in bits 2 to 10 being encrypted and bit 1 (START) being replaced with unencrypted bit defined by the polynomial x^31+x^3+1, or in reverse order - bits 1 to 9 encrypted and bit 10 (STOP) replaced (2). A second hypothesis - perhaps the most likely - is that each channel is encrypted with a specific cipher ...but these are just my speculations.

Fig. 6 (m-sequence columns are highlighted)

The results of TD0A geolocation indicate three probable transmitter sites that match fairly exactly with those indicated in a map presented by FMV (the Swedish Defence Materiel Administration) [4] at the March 2020 HFIA HF Industry Association [5] Meeting in San Diego, CA (Figure 7):
- 40.4 KHz: SAS/SRC Varberg
- 42.5 KHz: SAS2 Gudinge
- 44.2 KHz: SHR Ruda

Fig. 7

It must be taken into account that I can't record the (KiwiSDR) LF spectrum 24/7 so the results indicated above may be incomplete: further recordings are needed and possibly an update post will be published later. Hints and comments are welcome.

(1) STANAG-5030 is a restricted document so no information is publicy available. Moreover, the new STANAG-4724 "VLF/LF MSK Multi Channel Broadcast" is currently being ratified by NATO member states as next evolution:

(2) max success for x^31+x^3+1 in Y stream was found for a length frame of 10 bit; that same frame does not have parity bits (x^31+x^3+1 column excluded from the checksum)

4 August 2020

(yet another) 100Bd/500 FSK-2

4 August 2020 update
some frequency, same timing, and same 511-bit sequence but the speed has switched to 50Bd (shift remains unchanged, 500Hz):

It's to notice that the 511-bit sequence is obtained using the seed  s=[0 0 0 0 0 0 0 0 1]  and transmitting the output in opposite polarity (i.e., inverting the polarity of the demodulated sequence we get the exact sequence generated with seed s=[0 0 0 0 0 0 0 0 1]):

up: LFSR sequence when seed = [0 0 0 0 0 0 0 0 1], down: received sequence after reversing the polarity

2 August 2020
Just to log interesting 100Bd/500 FSK-2 transmissions found on 9130 KHz (CF). Data sent consist of a repeated 511-bit pseudo-random sequence which is generated by the polynomial x^9+x^5+1 (Fig. 1); likely that sequence is used when no data to transmit is available or to mantain sync between transmitting and receive modem (see also ITU Recommendation O.153 [1]). Since the 100Bd/500Hz waveform is used in several systems, it's difficult to state the source; anyway, it's to notice that x^9+x^5+1 sequences (PRBS9) are also used in CIS-12 and more generally in T-230 family devices.

Fig. 1 - the 511-bit pseudo-random sequence

Looking at the two FSK tones, it seems that they preserve their phase after each switch-over (Fig. 2). By the way: F1 = 753.87 Hz (1:0.001326479), F2 = 1253.68 Hz (2:0.001595299), dF = 499.81 Hz.

Fig. 2

I followed the transmissions for some days, they usually take place on weekdays at 0943 and stop at 1100 (UTC times). I ran several TDoA attempts and results point to the Moscow area, unfortunately they do not exactly agree.

Fig. 3 - start stop period

Fig. 4 - some of the TDoA results