30 September 2021

analyzing the HF network traffic on 5120 KHz (OS BiH)

 

First of all I want to thank IZ6BYY Alain from Martinsicuro (Italy), who allowed me to use his KiwiSDR receiver without time limits: I very much appreciated it.
I monitored this Bosnian HF network (I first logged it in 2016) for more than two weeks: transmissions occur almost exclusively in the morning, not on weekends, and start at around 0730 UTC, likely following a certain schedule. The traffic consists of standards-based email exchange:

– 141A 2G ALE for link establishment
– Up to 2400 bps modem (Serial 110A, 39-tone 110A App.B)
– STANAG 5066 & CFTP client used for reliable over-the-air data delivery
– Standard SMTP email protocols into the wired network

All stations are members of the same ALE network and use the 3-way handshake for link management. In a few cases, a link closure similar to that used in STANAG-4538 is adopted, i.e. the link is terminated by the called station and not by the calling one.
The analysis of the 5066 PDUs after removal of the 110A overhead (figure 1) shows the use of HBFTP compressed files (Harris Basic File Transfer Protocol) which, as per 5066 Annex F, are used along with CFTP for transfers from one SMTP server to another.

Fig. 1 - STANAG-5066 PDUs showing the use of CFTP and HBFTP protocols

After HBFTPn.gz files have been extracted and unzipped, the email headers finally emerge and allow a bit of "intelligence" (figure 2):

Fig. 2 - email headers
 
wmtuser@OMEGA.ok, wmtuser@CIKLON.ok
The email addresses reveal that the messaging system software, and most likely the connected radios, are provided by Harris Corporation: indeed "wmtuser" is the default email address name prompted by the Harris RF-67x0W Wireless Gateway. The ".ok" e-mail domain name stands for Operativna Komanda or Operational Command.
 
received: from osbihbutmir, received from kstbrvspvo
The server name "osbihbutmir" must be split as OS BiH Butmir, where OS BiH (Oružane Snage Bosne i Hercegovine) stands for Armed Forces of Bosnia and Herzegovina, and Butmir is a neighborhood in the Ilidža municipality and site of the AF Operational Command HQ. Similarly, the name "kstbrvspvo" could be formed by the acronyms KSTBR and VSPVO, where KSTBR may stand for Communications Systems and Technologies Brigade (Komunikacioni Systems i Tehnologije BRigada).
I also noted the server name "jovana", which may have been chosen to honour the memory of Jovana Divjak, a Bosnian army general who died on April 8th, 2021: but that's just my guess.

X-Mailer
The underlying PCs run a Microsoft OS, likely Windows 2000 Professional or Windows XP Professional; Outlook 11 is used to draft and send the emails by OMEGA, while the other nodes seem to use Outlook Express.

X-HSMTP
(likely Harris SMTP, Simple Mail Transfer Protocol). The routing rows show that the recipient node is at 1-hop distance (DP and NP values).

By processing the bitstreams it is then possible to derive the 5066 addresses of the nodes and associate them with the related station names and 141A ALE addresses (in brackets):
 
000.000.000.001 OMEGA (OMA)
000.000.000.006 ASTRA (ASA)
000.000.000.007 CIKLON (CIN)
000.000.000.011 GRANIT (GRT)
000.000.000.016 LI(?)A (LIA)
000.000.000.017 LI(?)1 (LI1)
000.000.000.029 ORKAN (ORN)
 
It must be noted that:
1) the 5066 address range 0.0.0.0 — 0.255.255.255 does not have a Regional Assignee; rather, the actual block allocation for Bosnia-Herzegovina is 6.6.y.z (STANAG-5066 Annex N);
2) during the monitoring period I did not hear any station or ALE address other than those listed.
 
We might also compare the current station names with the old ones in use in 2016, assuming that the 5066 addresses of the stations have not changed; notice that at that time the 141A ALE addresses were assigned using some popular automotive brands (HFMREZA is the Bosnian translation of HF Network):

000.000.000.001 GAMAHFMREZA (GAMA)
000.000.000.003 FIATHFMREZA (FIAT)
000.000.000.005 FORDHFMREZA (FORD)
000.000.000.007 OPELHFMREZA (OPEL)        
000.000.000.009 SKODAHFMREZA (SKODA)   
000.000.000.011 VOLVOHFMREZA (VOLVO)        

Searching the UDXF logs, this network appears for the first time in 2014: even then the ALE addresses were formed by the union of the first two and the last letter of the station names (TAO = TAngO), the latter consisting of the letters of the Greek alphabet: ALA (=ALFA), BRO (=BRAVO), DEA (=DELTA), GOF (=GOLF), EKO (=ECHO), OMA (=OMEGA), OSR (=OSCAR), TAO (=TANGO), ZUU (=ZULU).

The particular 5066 address (.001), the site (the AF Operational Command HQ), the traffic (OMEGA almost always initiates the ALE sessions) and the software too (Outlook 11 rather than Outlook Express) lead one to think of OMEGA (OMA) as the net-control station, as GAMA was. In addition to the change of station names and addresses, the most relevant change compared to 2016 is the paradigm used for emails: PEM - Privacy Enhanced Mail is now used to secure that traffic (figure 3).

Fig. 3
 
In some cases the contents of the emails are in clear text, as for example the list of telegrams received/sent by the DK brigade (DK brTP) along with the greetings (*** Greetings from the team DK brTP OS BiH **** ) and the name of the operator of the "Workstation DK 6.pbr"; for privacy, I have masked his surname:
 
Fig. 4

As said above, in some links the messages are also exchanged using the 39-tone waveform (110A App.B/FED-1052B): this evidence proves the use of (at least) two radio networks where all or a subset of the nodes are members of both nets; in this regard, it should be noted that the Harris RF-6750 WG does not allow the use of multiple waveforms/protocols in the same radio network. Likely, the HF email domain ".OK" coincides with only one radio network.
(yep I know, it's not good and it's definitely not discreet! anyway - to better illustrate my hypothesis - I had recourse to an old copy of the 6750 WG to simulate the software setup that I imagine and which in my opinion comes closest to the configuration they use)

Fig. 5 - two distinct radio-networks with different waveforms/protocols

Another interesting point is that some bitstreams carried by the 39-tone and 188-110 modems have similar initial 41-bit patterns (figure 6) that - in my opinion - reveal the use of encryption; therefore in those cases the 5066 PDUs are not readable. I tried some analysis of the patterns and maybe they could be "partial" strings of the sequence generated by the polynomial x^42+x^41+x+1.
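To make the polynomial test concrete, here is an added Python example (mine, not code from the post) that generates the sequence of x^42+x^41+x+1 and checks whether a captured bit string obeys its linear recurrence. The captured bits are constructed; note the caveat that any window of 42 bits or fewer fits trivially, so a lone 41-bit pattern cannot confirm (or rule out) the polynomial on its own.

```python
from functools import reduce
from operator import xor

# Polynomial from the post, x^42 + x^41 + x + 1, written as its exponents
POLY_42 = (42, 41, 1, 0)


def recurrence_lags(poly):
    """Lags of the linear recurrence implied by the polynomial.

    For x^42 + x^41 + x + 1 the recurrence over GF(2) is
    s[n] = s[n-1] ^ s[n-41] ^ s[n-42], so the lags are (1, 41, 42).
    """
    deg = max(poly)
    return tuple(sorted(deg - e for e in poly if e != deg))


def lfsr_sequence(poly, seed, length):
    """Generate `length` bits of the sequence; `seed` is s[0] .. s[deg-1]."""
    deg = max(poly)
    if len(seed) != deg:
        raise ValueError(f"seed must be {deg} bits long")
    lags = recurrence_lags(poly)
    bits = list(seed)
    while len(bits) < length:
        # bits[-lag] is s[n-lag] when the list currently holds n bits
        bits.append(reduce(xor, (bits[-lag] for lag in lags)))
    return bits[:length]


def first_violation(bits, poly):
    """Index of the first bit that breaks the recurrence, or -1 if all fit.

    Only bits from position deg onwards can be checked: any window of at
    most deg bits is consistent with *some* seed, so a short pattern
    always "fits" and proves nothing by itself.
    """
    deg = max(poly)
    lags = recurrence_lags(poly)
    for n in range(deg, len(bits)):
        if bits[n] != reduce(xor, (bits[n - lag] for lag in lags)):
            return n
    return -1


def parse_bits(text):
    """Turn a '0'/'1' string (spaces allowed) into a list of ints."""
    return [int(c) for c in text if c in "01"]


if __name__ == "__main__":
    # Constructed capture: 200 bits from a known seed, then one bit
    # corrupted to show where the recurrence first fails.
    seed = [1] + [0] * 41
    clean = lfsr_sequence(POLY_42, seed, 200)
    damaged = list(clean)
    damaged[120] ^= 1
    print("clean   ->", first_violation(clean, POLY_42))        # -1
    print("damaged ->", first_violation(damaged, POLY_42))      # 120
    print("41 bits ->", first_violation(clean[:41], POLY_42))   # -1, trivially
    print("zeros+1 ->", first_violation(parse_bits("0" * 42 + "1"), POLY_42))  # 42
```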

Fig. 6 - 41-bit patterns in Serial 110A and 39-tone bitstreams

As far as the encryption device is concerned, my guess is that some links use Datotek encryption, which is used in Harris RF-5022 and RF-5800 based radio stations. In that regard, I did some research on the web and found that as early as 2009 they were already using Harris RF-5022 transceivers during their participation as a PfP country in the "NATO Combined Endeavor" 2009 exercise (1). If my guess is correct, the 41-bit sequences could be a kind of "distinctive sign" of the Datotek encryption.

Fig. 7 - Datotek encryption may be used in RF-5022 based radio stations

https://disk.yandex.com/d/B0wHSW1Tfhz2Eg

(1) Bosnia and Herzegovina joined the Partnership for Peace (PfP) programme in 2006. At the beginning of 2021, Bosnia and Herzegovina established the Commission for Cooperation with NATO in order to facilitate the development of their Reform Programme for 2021-2022 and other matters on their path to accession.
http://mod.gov.ba/Zdruzeni_napor/?id=21449 

 


29 September 2021

a strange (if not wrong) use of STANAG-5066

29 September 2021, update

I was WRONG!
Starting from the RF-6710W Wireless Messaging Terminal (WMT) v5.0, Harris added adaptive data rate support for existing HF modem waveforms so that customers can leverage their hardware investments with their new radio purchases. These waveforms include the widely used parallel-tone (39-tone) and STANAG 4285 coded waveforms. Looking at the 39-tone demodulated stream, it could be that a crypto device is in the path, i.e. between a PC running STANAG-5066 and the modem; thus the STANAG-5066 PDUs are not in clear text and are no longer visible.

24 September 2021
These days I am monitoring some signals on 5120 KHz (from Serbian-Mil) that will be the subject of a next post, and I noticed a strangeness in the use of STANAG-5066 in relation to the "way" the data are sent. The waveforms are shown in the waterfall of figure 1.

Fig. 1 - the waveforms into play

As known from the "operation" of STANAG-5066, before the Data Transfer Sublayer (DTS) forwards the data, the Channel Access Sublayer (CAS) provides the functions necessary to access the physical channel (figure 2), i.e. the radio spectrum, assuming that the selection of the frequency (physical link setup) is handled by an external process such as ALE, in this case 188-141A. Then a soft-link session (1) is started immediately when there is data available for transmission to a remote STANAG-5066 node (2).

Fig. 2 - Physical Link Request PDUs related to the S5066 of figure 1

The strangeness is that, in that sample, data are not sent by STANAG-5066 DTS & 188-110 but rather using M-39 (188-110 App.B), i.e. outside STANAG-5066 (remember that STANAG-5066 is a data-link protocol, NOT a waveform).

 (1) To explain the difference between a physical channel and a session: when a client wishes to send an email to a remote client a physical link is established by the CAS; then a soft-link session is set up over this physical link. The soft-link session is between the local and remote client while the physical link is between the local and remote node. 
 
(2) A correct sequence of operations is shown in figures 3 and 4 (physical link request/accept, data forward, ACKs, physical link break): all managed by the STANAG-5066 sublayers and carried by the same underlying HF waveform. Notice the switch of the node address.
 
Fig. 3

 
Fig. 4

Frames captured thanks to my STANAG-5066 off-line dissector.

22 September 2021

19.5Bd/100 FSK: Rus R-397 “IRTYSH” (“ИРТЫШ”)

About one year ago (May 2020) I came across a short 19.5Bd/100 FSK [1] which, at that time, I chalked up to some Russian-Mil network. Well, an anonymous reader of the blog, whom I thank, left a link about it [2], without further comments or suggestions: the link refers to an interesting topic posted on the airbase.ru forum about the HF R-397LK receiver "Lapis" (Р-397ЛК "Ляпис") used by the Navy Special Forces and - likely - not only by the Navy or by Russian forces.
The translation from Russian is shown below. 

The R-397 LK radio receiver is intended for tuningless and search-free communication with discrete frequency setting in the short-wave range and provides reception and registration of call commands with visual and sound indication in the memory device, as well as auditory reception of messages by Morse code in the RT and AT modes. The radio receiver provides the following modes:
- Auditory reception of telegraph signals with amplitude modulation (AT)
- Auditory reception of telegraph signals with frequency modulation (FM)
- Continuous reception of commands by signals of RF at a rate of 19.53 baud (CALL CONTINUOUS.)
- Reception of commands by signals of RF at a rate of 19.53 baud with periodic switching on and off of the radio receiver power (CALL CYCLE) 

Fig. 1 - 19.5Bd/100 FSK (R-397 OK)

The “IRTYSH” (“ИРТЫШ”) equipment is designed to provide round-the-clock, noise-resistant short-wave special radio communication for the purpose of transmitting short messages of up to 50 digital groups and calls, and providing auditory telegraph communication.

RADIO LINE COMPOSITION [3]
R-397 OK - special radio transmitter "OKOLYSH"
R-397 LK - special radio receiver "LYAPIS"
R-397 KC - a set of center equipment "KEDON" as part of the R-160P radio receiver, R-397 OTs demodulator and BPA
R-397 OTs - special demodulator "DEER" included in the set of center equipment "KEDON"
R-397 LC - the generator of calling commands "LUMEN"
BPA - start-stop telegraph apparatus operating with the MTK-2 code

Conventionally, the radio line "IRTYSH" can be divided into two functionally independent directions:
radio link "OKOLYSH" - "KEDON"
radio link "LYUMEN" - "LYAPIS"
Radio direction "OKOLYSH" - "KEDON" works only for the transmission of information with a special broadband low-energy signal from the correspondent to the Center. The radio direction "LYUMEN" - "LYAPIS" provides an urgent call for communication with a source of intelligence or special intelligence at any time and the transfer of information by auditory telegraph from the Center. Thus it seems I heard just a short transmission in the Lyumen-Lyapis mode; maybe the R-397 OK2 was the device used.

[1] https://yadi.sk/d/z-4ImVGLytR0rQ
[2] http://forums.airbase.ru/2008/10/t62176_10--spetsnaz-vmf.html
[3] https://sdamzavas.net/4-35296.html 
https://studfile.net/preview/7104174/page:25 
http://www.vrazvedka.ru/main/learning/last-confl/afgan-03_07.shtml

20 September 2021

unid 1200Bd/850 (G)FSK bursts recorded in Japan

This is an update of the January 9, 2019 post (see below)

Nicely, on the same day two friends of mine, linkz (from France) and Eddy (from South Australia), alerted me to the presence of these 1200Bd FSK bursts on 19102.0 KHz (cf). Linkz also DF'ed the signal with good success, identifying the probable Tx site location in the city area of Busan, South Korea, "still transmitting the same data over & over":
So, at present, these (still unid) transmissions have been heard on (KHz): 4584, 4626, 4756, 7531, and 19102 (all cf).


9 January 2019
 
This 1200Bd/850 FSK signal was recorded at different periods using some of the KiwiSDRs located in Japan (http://103.2.34.7:8073 http://222.7.151.84:8073 http://kiwisdr-jp7fso.ddns.net:8073); it was observed on at least three frequencies: 4765, 4626 and 4584 KHz. During night-time good results are also obtained with the KiwiSDR at Irkutsk (Russia), so the origin of the signal seems to be Japan or its surroundings.
My Spanish friends ANgazu and Rapidbit (from the radiofrecuencias group) did a brief analysis, measuring the speed (1200Bd) and the shift between tones (825-890 KHz) and suggesting the GFSK mode. For my part, I verified their measurements and found that the bursts are spaced 26 secs apart and carry the same (encrypted?) text sent in async 8N1 mode (Fig. 21), although there are some differences between old recordings and new ones. The stream obtained after removal of the start/stop bits does not offer useful information (encryption? non-standard 8-bit alphabet?); same results after descrambling the stream using the polynomial x^3+x^2+x+1.


Fig.1
 

17 September 2021

SDPSK 40Bd 50Hz OFDM-60 (60-out-of-61 + pilot tone)

OFDM signal heard on 5767.0 KHz (cf) and consisting of 61 channels plus a pilot tone located at the lowest frequency (thus 62 channels in all). The modulator actually uses 60 of the 61 available channels (60-out-of-61) since the position #34 is empty (figure 1).

Fig. 1

As for the OFDM formation, the channels have a 50 Hz spacing and are modulated using SDPSK - also called π/2-DPSK (1) - at the rate of 40 symbols/sec (2400Bd as "aggregate" speed).
 
Fig. 2

Fig. 3

The pilot tone at its lowest position, rather than at the usual highest frequency of 3300 Hz, leads one to think of a Russian "Serdolik" waveform; indeed it's similar to the Serdolik OFDM-60 [1]: same speed (40Bd) and spacing (50 Hz) but PSK4 modulation. Some friends of mine (Karaputz, linkz, ...) confirmed the idea, likely an enhanced waveform.
Reception and recording thanks to the "Tambov" KiwiSDR [2].
 
(1) In SA Phase-Plane, using n-Ary = 4 and absolute mode (diff=0), the transitions between states are similar to QPSK but without diagonal paths (no "zero" crossings); in differential mode (diff=1) we see transitions between two states (Fig. 3), thus it's a Differential-PSK or DPSK. DPSK is called Conventional DPSK (or CDPSK) if the phase difference is in the set [0,π] and Symmetrical DPSK (SDPSK, also called π/2-DPSK) if the phase difference is in the set [π/2,-π/2]. As you see in Figure 3, the transitions in differential mode (diff=1) are in the set [π/2,-π/2].
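As an added illustration of the footnote (example code, not from the post), this Python snippet models SDPSK as phase steps of ±π/2, recovers the bits by differential detection and checks that, unlike conventional DPSK, no step of π (a diagonal, zero-crossing path in the phase plane) ever occurs; the bit pattern is constructed.

```python
import cmath
import math

HALF_PI = math.pi / 2


def sdpsk_modulate(bits, phase0=0.0):
    """SDPSK (pi/2-DPSK): each bit steps the carrier phase by +pi/2 or -pi/2.

    Returns unit-magnitude complex symbols. The absolute phase carries no
    information; only the step between consecutive symbols does.
    """
    phase = phase0
    symbols = []
    for b in bits:
        phase += HALF_PI if b else -HALF_PI
        symbols.append(cmath.exp(1j * phase))
    return symbols


def cdpsk_modulate(bits, phase0=0.0):
    """Conventional DPSK for contrast: steps of 0 (bit 0) or pi (bit 1)."""
    phase = phase0
    symbols = []
    for b in bits:
        phase += math.pi if b else 0.0
        symbols.append(cmath.exp(1j * phase))
    return symbols


def phase_steps(symbols, ref=1 + 0j):
    """Phase difference of each symbol to its predecessor, in (-pi, pi]."""
    steps = []
    prev = ref
    for s in symbols:
        steps.append(cmath.phase(s * prev.conjugate()))
        prev = s
    return steps


def sdpsk_demodulate(symbols, ref=1 + 0j):
    """Differential detection: the sign of the phase step is the bit."""
    return [1 if d > 0 else 0 for d in phase_steps(symbols, ref)]


def has_diagonal_transitions(symbols, tol=1e-6):
    """True if any step is ~pi, i.e. the path crosses the origin.

    SDPSK never produces such a step (its steps are +-pi/2); CDPSK does.
    """
    return any(abs(abs(d) - math.pi) < tol for d in phase_steps(symbols))


if __name__ == "__main__":
    bits = [1, 0, 0, 1, 1, 1, 0, 1]  # constructed sample bit pattern
    sym = sdpsk_modulate(bits)
    print("recovered:", sdpsk_demodulate(sym) == bits)                      # True
    print("SDPSK diagonal:", has_diagonal_transitions(sym))                  # False
    print("CDPSK diagonal:", has_diagonal_transitions(cdpsk_modulate(bits)))  # True
```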
 
 

14 September 2021

2000Bd/3250 FSK on 26.9 MHz

Interesting FSK signal spotted on 26.9 MHz by my friend killer258 from radioscanner.ru: the modulation speed is 2000 bps with a 3250 Hz shift (figure 1).

Fig. 1

ACF results show a kind of "interleaved" values of about 161.7 ms that make up a 322-bit period; indeed, looking carefully at the pattern, the stream is actually formed of a 161-bit sequence which is sent alternately in positive and negative polarity (figures 2,3).
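An added Python example (not from the post) of the bit-level ACF reasoning above: it scores each lag by "inverted at L, identical at 2L" to recover the 161/322-bit structure from a constructed stream, and converts the lag to milliseconds at the 2000 Bd rate given in the post.

```python
import random

BAUD = 2000  # modulation speed from the post, used only to convert lags to ms


def agreement(bits, lag):
    """Fraction of positions where bits[i] == bits[i+lag] (a bit-level ACF).

    1.0 means the stream repeats exactly at this lag, 0.0 means it repeats
    with every bit inverted, ~0.5 means no relation.
    """
    n = len(bits) - lag
    if n <= 0:
        raise ValueError("lag too large for this stream")
    return sum(bits[i] == bits[i + lag] for i in range(n)) / n


def acf_profile(bits, max_lag):
    """Agreement for every lag 1..max_lag."""
    return {lag: agreement(bits, lag) for lag in range(1, max_lag + 1)}


def find_alternating_period(bits, max_lag):
    """Find a pattern sent alternately in normal and inverted polarity.

    Scores each lag L by (inverted at L) + (identical at 2L) and returns
    (half_period, full_period, score); a perfect match scores 2.0.
    """
    prof = acf_profile(bits, max_lag)
    best = (0.0, 0, 0)
    for lag in range(1, max_lag // 2 + 1):
        score = (1.0 - prof[lag]) + prof[2 * lag]
        if score > best[0]:
            best = (score, lag, 2 * lag)
    return best[1], best[2], best[0]


def lag_ms(lag, baud=BAUD):
    """Convert a lag in bits to milliseconds at the given symbol rate."""
    return lag * 1000.0 / baud


def build_alternating_stream(pattern, repeats):
    """Constructed stream: pattern, then its inverse, repeated `repeats` times."""
    inverted = [1 - b for b in pattern]
    return (pattern + inverted) * repeats


if __name__ == "__main__":
    rng = random.Random(161)  # fixed seed: constructed, repeatable data
    pattern = [rng.getrandbits(1) for _ in range(161)]
    stream = build_alternating_stream(pattern, 6)
    half, full, score = find_alternating_period(stream, 400)
    print(f"half period {half} bits, full period {full} bits "
          f"({lag_ms(full):.1f} ms), score {score:.2f}")
```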

Fig. 2
 
Fig. 3 - 322/161 bit period
 

Also interesting are the oscillations during modulation in the first part of the transmission, visible in figure 4. Tones do not preserve their phase (figure 5).

Fig. 4

Fig. 5

Thanks to killer258 who kindly allowed me to use his recordings.

https://disk.yandex.com/d/br7vJ2uGOTFr9w

6 September 2021

75(50)Bd 4481F: yet another channel

Yet another 75Bd/50Bd 4481F channel spotted on 9338.0 KHz (cf), most likely from NPM Lualualei, HI (thanks to my friend Mike "mco"). After filtering out the column of replicated bits from the demodulated stream, the actual speed turns out to be 50Bd; then, resizing the new stream into a 7-bit pattern, the KW-46 sync sequence emerges.
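An added Python example (not the author's tooling) of the replicated-column step: it lays the received 75Bd bits out three per row, finds the column that duplicates another, drops it to obtain the 50Bd stream, and reshapes the result into 7-bit rows. The 50Bd payload is constructed and the KW-46 sync pattern itself is not included.

```python
def as_rows(bits, width, offset=0):
    """Cut the stream into rows of `width` bits starting at `offset`."""
    return [bits[i:i + width]
            for i in range(offset, len(bits) - width + 1, width)]


def find_replicated_column(bits, width=3):
    """Locate the pair of columns that always carry the same bit.

    Tries every row alignment (offset) and every column pair; returns
    (offset, col_a, col_b, agreement), agreement being the fraction of
    rows in which the two columns are equal (1.0 = replicated).
    """
    best = (0, 0, 1, -1.0)
    for offset in range(width):
        rows = as_rows(bits, width, offset)
        if not rows:
            continue
        for a in range(width):
            for b in range(a + 1, width):
                agree = sum(r[a] == r[b] for r in rows) / len(rows)
                if agree > best[3]:
                    best = (offset, a, b, agree)
    return best


def drop_replicated_column(bits, width=3, min_agreement=0.98):
    """Remove the duplicated column so the stream returns to its true rate.

    For a 75Bd channel carrying 50Bd data every row of three received bits
    holds one repeated bit; dropping it leaves two real bits per row.
    Raises if no column pair is replicated closely enough (wrong width,
    or the stream is not oversampled at all).
    """
    offset, a, b, agree = find_replicated_column(bits, width)
    if agree < min_agreement:
        raise ValueError(f"no replicated column found (best agreement {agree:.2f})")
    rows = as_rows(bits, width, offset)
    return [bit for row in rows for k, bit in enumerate(row) if k != b]


def oversample_75_from_50(data):
    """Constructed 'transmitter': each pair of 50Bd bits becomes [d0, d0, d1]."""
    out = []
    for i in range(0, len(data) - 1, 2):
        out += [data[i], data[i], data[i + 1]]
    return out


if __name__ == "__main__":
    # Constructed 50Bd payload, sent as a 75Bd stream with one replicated column
    payload = [(i * 37 // 5) & 1 for i in range(140)]
    received = oversample_75_from_50(payload)
    recovered = drop_replicated_column(received, 3)
    print("round trip ok:", recovered == payload)  # True
    print("\n".join("".join(map(str, r)) for r in as_rows(recovered, 7)[:5]))
```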

https://disk.yandex.com/d/eGbxz_R34wLOdw

3 September 2021

async 5N1 STANAG-4481F, likely tests or training transmissions

5 September 2021 Update

Transmissions are now continuous and after the removal of the start/stop bits the text appears KG-84/KIV-7 secured. It's worth noting that the 128-bit Initialization Vector is split into two 64-bit groups and each group is repeated twice rather than four times (as is usually done). That feature has already been observed in other STANAG-4481F transmissions from UK MoD [1] (spotted on 6245.20, 8056.7, 8127.0, and 10272.0 KHz, all cf).

Fig. 1

TDoA results now indicate definitively Crimond (figure 2).

Fig. 2
https://disk.yandex.com/d/Huw79u7T8CKAGQ
[1] https://i56578-swl.blogspot.com/2021/03/async-stanag-4481f-with-kg-84kiv-7.html

3 September 2021

Async (and episodic?) 5N1 STANAG-4481F "segments" spotted on 4539.7 KHz (cf): as a distinguishing feature, notice the presence of a pilot tone at CF-700Hz (4539.0 Hz) preceding each segment and the slight variation in the durations of both the segments and the pilot tone.

Fig. 1
 
I came casually upon the signal at about 2150 (Sept. 1st) when it was already active, and it lasted almost all night until about 0800 the following morning (Sept. 2nd) when it ceased (all times UTC): after that I haven't heard it again, apart from a sporadic carrier just on 4539.0 KHz. The effective duration of the transmission can be verified by looking at the 24-hour waterfalls as received by the WebSDR receiver in Twente (figure 2).
 
Fig. 2 - Twente WebSDR waterfalls of 1 and 2 September
 
The 5-bit text after removal of the start/stop bits seems to be encrypted, definitely not KG-84/KIV-7 or any other encryption that I'm aware of, or consists of pseudo-random chars. I tend to think of training or test transmissions - that makes more sense - on an unusual frequency: indeed I did not find mentions of S4481 transmissions received on 4539.7 KHz in the large collection of logs of the UDXF group, only a few S4285 logs from Italian-Ny.

Fig. 3

All the direction finding tests (figure 4) point to an area located in northern UK, therefore the Tx site could likely be Crimond (Aberdeenshire, Scotland), belonging to UK MoD DHFCS [1]: it must be noted - however - that the results could suffer from the non-continuity of the signal. By the way, some async STANAG-4481F transmissions were already observed last March, and just from Crimond [2]: in that case, transmissions were secured using KG-84/KIV-7 encryption.

Fig. 4 - some TDoA results

https://disk.yandex.com/d/CmkxVf5NwOBJ6A
[1] https://www.scottish-places.info/features/featurefirst94146.html
[2] https://i56578-swl.blogspot.com/2021/03/async-stanag-4481f-with-kg-84kiv-7.html