Echotel-MAHRS 2400 serial

The so-colled Echotel MAHRS 2400 is a 2400Bd PSK-8 serial waveform with simmetical 2 x 8 pre-tones in respect of the 1800Hz carrier. The signal has strong 106.66ms ACF spikes (256 tribit symbols) due to its frame structure: an initial 80 symbol (240 bit) preamble that is followed by a data block consisting of 176 data symbols (528 bit). The pronouncec BPSK states in the constellation plane are due to the BPSK modulation of the preambles (Figure 2).

 

Fig. 1

Fig. 2

The waveform belongs to the Telefunken Racoms HF HRA 5100 radio communication, an ARQ-like system used in airborne platforms for air-to-air and air-to-ground comms. As far as is recoverable from the web, "MAHRS" (Multiple Adaptive HF Radio System) is the name of the HF radio-data standard originally developed by Telefunken, Arcotel is the radio processor and Echotel 1810 is the HF modem. The HRA 5100 system has been replaced by the more recent HRA 9100, both supplied by Elbit System (Figure 3).

Fig. 3

 

https://disk.yandex.com/d/x-bVsSFriyfJtg

unid secondary protocol

Recently I ran across on several transmissions in the 5 MHz band (also available on a secondary basis for amateur use) consisting of STANAG-4538 point-to-point circuit mode service with 188-110A and STANAG-4539 as traffic waveforms at several speeds. The transmissions are receivable in Northern Europe with a good SNR, especially using the KiwiSDR receiver at OZ1AEF (Skanderborg, Denmark): they are very frequent, of short duration, and occur on at least a half dozen different channels between 5300 and 5400 KHz USB. Given their unpredictability (time/channel) and their duration, a Direction Finding is very difficult, at least with the means at my disposal.  

The excellent SNR allows demodulations without many errors and therefore the possibility of examining and comparing the obtained bitstreams: to be honest, I expected to find a known data-link protocol or at least sequences attributable to some encryption technique (known or not )... but that's not what exactly happened.  Although the ACF doesn't produce results, comparing various demodulations it turns out that all the bitstreams exhibit the same initial 16-bit sequence 11110000100111010111 (0x90EB). 

 

Fig. 1

By syncing the bitstreams on the two sequences, interesting results are obtained: in particular,  patterns that have a fairly well-defined structure in the first 192 bit  (Figure 3).

Fig. 3 - bitstreams synched on 0000100111010111 sequence (first 192 bit)

 

 

One could argue that the 16-bit sequence (LSB)0000100111010111(MSB) is the binary equivalent for 0x90EB, ie the sync sequence of STANAG-5066 frames: unfortunately, the following bytes do not match the Data Transfer Sublayer headers, ie the (supposed) fields do not contain data that make sense (EOT, size of address,...).

https://disk.yandex.com/d/qPt2CXC2x76yfg (wav)

https://disk.yandex.com/d/8tn5OrrXlsuL4A (streams)

CIS Navy FSK 50Bd/250 (T-600)

50Bd/250 FSK is another waveform used by CIS Navy for their fleet broadcast. Unlike the same waveform but with 136-bit framing (T-600 136), this one shows all the characteristics of the (perhaps more) well known 50Bd /200 broadcast, ie:

* 44 initial 42 bit initial sequence (usually  "100001010010111110000101001101011010101101")
* 70-bit Initialization Vector (ten 7-bit words, repeated twice)
* payload arranged in the 4:3 ratio
* 7-bit words "000100" as EOM

 

https://disk.yandex.com/d/zr9Mj7M7jII2xQ

a long (and protected) FLSU async scanning call

STANAG-4538 async call of FLSU protocol consists of the transmission of 1.35N (nearest integer value) Request type 3 PDUs on the requested link frequency, where N is the number of channels in the scan list, and 1.35 is the duration of each dwell period in seconds; the "scanning call" ends with a single FLSU request PDU of type 0 (Fig. 1). Since up to 61 requests are used, 45 are the allocated channels for this network.

000 10 1000100000 1010100110 0 0 011 101100 011111 11011111
001 00 1101010101 0010000011 0 1 110 001100 010111 01011010
000 10 1000100000 1010100110 0 0 011 101100 011111 11011111
001 00 1101010101 0010000011 0 1 110 001100 010111 01011010
000 10 1000100000 1010100110 0 0 011 101100 011111 11011111
001 00 1101010101 0010000011 0 1 110 001100 010111 01011010
000 10 1000100000 1010100110 0 0 011 101100 011111 11011111
...
...
001 10 1000100101 0111010110 0 0 011 011111 000101 00110111
 

Fig. 1 - LFSU async call

One might be wondering why the 61 requests have different formats: the answer is that the calling station uses the Linking Protection (LP) procedure. 3G-ALE LP scrambles the 50-bit PDUs using a scrambling algorithm that depends on a key variable, the time of transmission of the PDU, and the frequency on which it is sent (the latter two dependencies enter via a seed that is distinct from the key variable). The 50-bit PDUs are scrambled using alternating the two "Word Numbers" (provided by the seed) 00000000 and 00000001 while the PDU of type 0 that concludes the asynchronous call is scrambled using the "Word Number" 00000010: thus that the same PDU is scrambled 61 times (in this sample) using two alternating keys, that's the reason of the alternating patterns seen above. The effect of this alternating scrambling is also reproduced in the ACF function of figure 2.

Fig. 2 - Auto Correlation Function of the async call

The scrambling  procedure use the SoDark-6 algorithm (48-bit length) and then only the last rightmost 48 bits of each FLSU PDU are scrambled so the first leftmost two bits are sent without scrambling. 

Note that LP does not address jamming or similar techniques, which are best countered by TRANSEC, nor is it intended to replace the COMSEC function of traffic protection. LP protects the linking function, including related addressing and control information.

https://disk.yandex.com/d/YM8rWZvP4heOoA (wav)
https://disk.yandex.com/d/wNR0-nLOl7i87g (bitstream)

3 x 250Bd/500 FSK, likely Ukr nets

3 x 250Bd/500 FSK channels, probably Ukrainian-Mil broadcast, already met here in october 2020. This sample shows a 334-bit period with interesting preambles consisting of a repeated pattern followed by a "counter/progressive" binary field.

 

 https://disk.yandex.com/d/3wTfrevGpVvJ9A

CIS-75 FSK 75Bd/200 (4)

During the last week I have been monitoring the 75Bd/200 FSK transmissions (T-208 equipment?) on 9044.0 Khz (CF): transmissions are on-air during daytime only, are encrypted (likely linear encryption) and appear look like  "fleet broadcast" in the way of T-600 50Bd/200 FSK or NATO S-4285 (ie continuous broadcast). 

Fig. 1

 All TDoA results point to Smolensk area, a Russian military communications center (Figure 2).

Fig. 2

T-208 equipment is announced as QYT9 in CW op-chats, for example:
RCB de RJF94 QYT9 QSX 8573 K.      
RJF94 de RCB OK QYT9 QWH 8573 K.
(RJF94 and RCB negotiate T-208 mode on 8573 Khz)

https://disk.yandex.com/d/667pA4SMJL6vWQ

A similar transmission (75Bd/200 FSK) was heard on 11 Jan 2018 on 4540.0 KHz. In that case, after differential decoding, the stream showed up a clear 365-bit period (Fig. 3) due to the sequence of the scrambler polynomial x^8+x^6+1. The descrambled stream is shown in Figure 4 (thanks to cryptomaster).

Fig.3

 

Fig.4

  

T-208 365-bit period heard on 4540 KHz