My friend ANgazu from radiofrecuencias.es and I have recently studied curious, and apparently unidentified, burst transmissions that occurred for about two consecutive days (7-8 Sept, ceasing on the morning of the 9th) on 12431 kHz USB. The idea for this post came during the analysis of that signal, on noting an interesting similarity between its preamble and that of Link-11 SLEW. The post then retraces those steps: from the analysis of the bitstreams (and recognition of the waveform) up to the in-depth examination of the preamble sequences and their coding.
The waveform used is the quite common and well-known PSK-8 at 2400 Bd, occupying a 3 kHz bandwidth. The bursts do not appear to be synchronized or to follow a definite timing pattern, even if the sequence highlighted in the FFT-spectrum/time of figure 1 seems to be used.
Fig. 1
The good quality of the recording (courtesy of ANgazu) allows its demodulation using the PSKn demodulator of SA. The resulting bitstreams have a 480/96 bit length period, corresponding to 160/32 tribit PSK8 symbols (figure 2). Since these are bursts, the initial part is likely to consist of one or more TLC sections used for transmitter level control and receiver AGC settling (1).
Fig. 2
The most interesting thing is that, after reshaping the bitstream to the 96-bit period, I found a 192-symbol sequence which is the same as the one used in the Link-11 SLEW acquisition preamble (figure 3). Indeed, quoting STANAG-5511 paragraph 10.1.1.1: "[the preamble] consists of a 192 tri-bit known sequence generated from a pseudo random code [...] these symbols are not scrambled and are applied directly to the 8 PSK modulator".
Fig. 3 - the evident match between the two 192-symbol sequences (*)
Judging from the preamble, it could be said that the bursts are Interrogation Messages of Link-11 SLEW... but actually their durations and the structures following the preamble are not the same: indeed, Link-11 bursts have a well-defined 45-symbol header [1] which is not reflected in the analyzed bursts:
Link-11 SLEW waveform structure (Figure B-9, STANAG-5511)
So, a question arises: what other waveform has a 192-symbol preamble?
Checking my blog I found a match to the preamble of the Rohde & Schwarz proprietary waveforms implemented in their GM2100/2200 HF modem [2] (although the term GM 2100 refers to the physical modem, from now on I will use it to refer to its characteristic waveform). The framing consists of a 192-symbol preamble sequence followed by one or more data blocks, each consisting of 64 symbols: 48 unknown symbols (coded data) + 16 known symbols (test sequences). The postamble terminates the data blocks and consists of a 64-symbol End Of Message sequence. Except for the presence of the initial TLC section(s), the total length is then a multiple of 64 symbols.
Fig. 4 - GM2100 "signal format" waveform structure
To thoroughly analyze the bitstream under consideration, it's useful to refer to figure 5, which shows the ACF/period of a GM2100 transmission heard some years ago: at 2400 Baud, the 133.45 ms value corresponds to a period of 320 symbols, or 5 data blocks:
Fig. 5 - GM2100 133.4 ms ACF
Back to our bitstream: after removing the initial TLC section(s) and the preamble, the remaining bits, once reshaped to a 64-symbol pattern, are consistent with the GM2100 framing of figure 4. Moreover, it's easy to see in figure 6 that the five 16-symbol test sequences are repeated and are "segments" of the longer 80-symbol sequence (*):
0 2 7 7 3 5 1 0 1 4 0 5 0 0 0 0
4 1 1 2 1 4 1 5 4 2 7 4 5 1 6 4
5 4 3 7 0 7 6 2 6 2 4 6 7 2 4 7
3 0 3 1 3 5 1 2 5 0 1 7 1 4 6 0
0 5 7 7 2 5 2 7 7 4 7 5 5 0 5 6
The repetition of the five test sequences causes the (48+16)×5=320 symbol length period shown in figure 5.
Fig. 6 - GM2100 burst, demodulated bitstream (*)
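A check of this framing on a demodulated symbol stream, as an added example (not code from the original post): it searches the block alignment, the starting test sequence and, as an assumption, a constant phase rotation that the demodulator adds modulo 8 to every symbol. The function names and the generated burst are constructed for illustration.

```python
import random

# The 80-symbol known sequence listed in the post: five 16-symbol test sequences.
PROBE80 = [int(c) for c in ("0277351014050000" "4112141542745164"
                            "5437076262467247" "3031351250171460"
                            "0577252774755056")]
BLOCK, DATA, KNOWN = 64, 48, 16   # 48 coded-data symbols, then 16 known symbols

def probe(seg):
    """Return test sequence number seg (0..4) of the 80-symbol cycle."""
    return PROBE80[seg * KNOWN:(seg + 1) * KNOWN]

def check_framing(symbols, max_skip=BLOCK):
    """Find the block alignment that best fits the 48+16 framing.

    Tries every skip (leading symbols to drop), starting test sequence and
    phase rotation (assumption: a demodulator phase offset adds a constant
    k modulo 8 to every symbol). Returns (skip, first_seg, rotation,
    matched, total), where matched/total counts agreeing known symbols.
    """
    best = None
    for skip in range(max_skip):
        nblocks = (len(symbols) - skip) // BLOCK
        if nblocks < 1:
            break
        for first_seg in range(5):
            for rot in range(8):
                matched = 0
                for b in range(nblocks):
                    start = skip + b * BLOCK + DATA
                    want = probe((first_seg + b) % 5)
                    got = symbols[start:start + KNOWN]
                    matched += sum((g - rot) % 8 == w for g, w in zip(got, want))
                if best is None or matched > best[3]:
                    best = (skip, first_seg, rot, matched, nblocks * KNOWN)
    return best

def constructed_burst(skip=5, first_seg=2, rot=3, nblocks=7, seed=1):
    """Constructed input (not a recording): junk symbols, then rotated framed blocks."""
    rng = random.Random(seed)
    out = [rng.randrange(8) for _ in range(skip)]
    for b in range(nblocks):
        block = [rng.randrange(8) for _ in range(DATA)] + probe((first_seg + b) % 5)
        out += [(s + rot) % 8 for s in block]
    return out
```

A stream that really carries this framing scores close to total; a wrong waveform or a wrong alignment stays near the chance level of one match in eight.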
Thanks to ANgazu, another important confirmation of GM2100 was a 188-141A 2G-ALE handshake (heard on that same frequency) which allowed us to identify the user as the Italian "Guardia di Finanza" (GdF): as is known, they make large use of R&S equipment in their onshore/offshore stations. Unfortunately, the handshake was not followed by any data traffic.
After identifying the waveform, we agreed that the evident correspondence between the 192-symbol preamble sequences of Link-11 SLEW and GM2100 should be further investigated anyway!
R&S documentation [2] reports the "autobaud" facility of the GM2100 waveforms: "A great advantage of the transmission method employed by GM2100 is automatic detection of the received signal data rate by means of a code received at the start of reception. This means that the receiving data modem need not be told the data rate of the transmitting modem".
A fairly likely conclusion, in my opinion, is that R&S, as is usual practice, uses Walsh Orthogonal Modulation sequences in the sync preambles both for syncing and for coding the data rate, FEC, interleaver, and modulation used in the following data blocks.
Walsh Orthogonal Modulation is accomplished by taking each three-bit (tribit) symbol and selecting a corresponding 4-fold repeated Walsh sequence, represented as octal characters (0 will be 0, and 1 will be 4); the selected four-element Walsh sequence is repeated 8 times to yield a 32-element Walsh sequence used for the sync symbols (Table I).
Table I - Channel symbol mapping for sync preamble.
The 32-element sequences of Table I are then added modulo 8 to the scrambling sequence 7 4 3 0 5 1 5 0 2 2 1 1 5 7 4 3 5 0 2 6 2 1 6 2 0 0 5 0 5 2 6 6 (Table II). The scrambling sequence, from what I could find, is chosen from the long pseudorandom sequence of (2^16 - 1) bits generated by the LFSR x^16+x^15+x^13+x^4+1 [3].
Table II
The receive node, knowing the beginning and duration of each sequence, first "removes" the randomizing sequence from the received signal; the resulting symbols are then determined by the maximum likelihood method.
So, the reason for the correspondences shown in figure 3 is that both L-11 SLEW and GM2100 code their preamble by using the same 32-element Walsh randomized sequences (2). Notice that a similar method is also used in the preamble pattern generation of MIL-STD-188-110/FED-STD-1052.
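The coding and the receive-side decision described above, as an added example (not code from the original post or from the R&S or STANAG documents). Table I is not reproduced on this page, so the Walsh mapping used here is an assumption: an eight-element row whose element j is 4·parity(tribit AND j), repeated four times, which reproduces all six rows of footnote (2). The function names are hypothetical.

```python
# Scrambling sequence quoted in the post (32 PSK-8 symbols).
SCRAMBLE = [int(c) for c in "74305150221157435026216200505266"]

# The six 32-symbol rows of footnote (2), which code the tribits 5,7,6,1,4,0.
PREAMBLE_192 = [int(c) for c in (
    "70341110261517035422612204541226"
    "70701154265117475466616604101262"
    "74741550225513435062656200141666"
    "70345554261553475422256604545662"
    "74301514221113075026652600501622"
    "74305150221157435026216200505266")]

def walsh32(tribit):
    """Assumed mapping: 8-element row, element j = 4*parity(tribit & j), sent 4 times."""
    row = [4 * (bin(tribit & j).count("1") & 1) for j in range(8)]
    return row * 4

def encode(tribits):
    """Map each tribit to its 32-element Walsh sequence and add the scrambler mod 8."""
    out = []
    for d in tribits:
        out += [(w + s) % 8 for w, s in zip(walsh32(d), SCRAMBLE)]
    return out

def decode(symbols):
    """Remove the scrambler from each 32-symbol segment, then pick the Walsh
    sequence that agrees in the most positions (hard-decision maximum likelihood).
    Returns a list of (tribit, agreeing_symbols) pairs."""
    result = []
    for i in range(0, len(symbols) - 31, 32):
        seg = [(r - s) % 8 for r, s in zip(symbols[i:i + 32], SCRAMBLE)]
        scores = [sum(a == b for a, b in zip(seg, walsh32(d))) for d in range(8)]
        best = max(range(8), key=scores.__getitem__)
        result.append((best, scores[best]))
    return result
```

Any two distinct Walsh sequences differ in 16 of the 32 positions, so the decision survives several symbol errors per segment; the same property means a preamble-only match identifies the coding scheme, not the waveform that follows.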
By the way, I processed the recording using two GM2100 decoders but the analysis of the resulting bitstreams did not reveal the presence of any known protocol, specifically the expected RSX.25 (the R&S implementation of X.25) which constitutes the main payload of these waveforms. The duration of the operations (~2 days), their modality and the lack of "consistent" traffic lead us to think about the execution of some test or training.
Ultimately, the practice of coding preambles using 32-element Walsh randomized sequences can lead to inaccurate conclusions or even false positive IDs, especially when analysis is limited to preambles only.
https://disk.yandex.com/d/Q-XCoIrJ2rbDdQ
(*) A comment about the bitstreams of figures 3 and 6
SA is an amazing signals analyzer but it's not a "waveform decoder": this means that its PSKn demodulator does not sync on known sequences. When used on phase-keyed signals, SA produces correct info and images (number of phases, angles, modulation speed, carrier frequency, ...) but for the same signal it returns different demodulated streams due to the inevitable phase-offset errors (figure 7). Hence, each output stream should be analyzed separately.
Fig. 7
(1) Existing HF radios were generally not designed with burst waveforms in mind. For example, MIL-STD-188-141 military radios are allowed 25 ms to reach full transmit power after keying. While the transmitter radio frequency stages are ramping up, the input audio signal level is adjusted by a transmit level control (TLC) loop so that it fully modulates the transmit power. At the receiver, an automatic gain control (AGC) loop must also adjust to a new receive signal. To accommodate these characteristics of existing radios, the 3G burst waveforms begin with a TLC section of “throwaway” 8-ary PSK symbols that are passed through the system while the transmitter’s and receiver’s level control loops stabilize. (Johnson, Koski, Furman, Jorgenson, "Third Generation and Wideband HF Radio Communications").
(2) According to Table II, the sequence of the Link-11 SLEW acquisition preamble consists of the symbols 5, 7, 6, 1, 4, 0. Each row below lists the 32-element sequence, followed in parentheses by the symbol it codes:
7 0 3 4 1 1 1 0 2 6 1 5 1 7 0 3 5 4 2 2 6 1 2 2 0 4 5 4 1 2 2 6 (5)
7 0 7 0 1 1 5 4 2 6 5 1 1 7 4 7 5 4 6 6 6 1 6 6 0 4 1 0 1 2 6 2 (7)
7 4 7 4 1 5 5 0 2 2 5 5 1 3 4 3 5 0 6 2 6 5 6 2 0 0 1 4 1 6 6 6 (6)
7 0 3 4 5 5 5 4 2 6 1 5 5 3 4 7 5 4 2 2 2 5 6 6 0 4 5 4 5 6 6 2 (1)
7 4 3 0 1 5 1 4 2 2 1 1 1 3 0 7 5 0 2 6 6 5 2 6 0 0 5 0 1 6 2 2 (4)
7 4 3 0 5 1 5 0 2 2 1 1 5 7 4 3 5 0 2 6 2 1 6 2 0 0 5 0 5 2 6 6 (0)
[1] https://i56578-swl.blogspot.com/2018/09/link-11-slew-transmission-format.html
[2] https://disk.yandex.com/i/mh2Ev4Bo15Az4Q
[3] https://disk.yandex.com/i/zOmzgHgthPXqMA
[4] https://disk.yandex.com/i/lb5zWmqYic7gBA