I have already encountered the Rohde & Schwarz RSX.25 protocol in some transmissions of the German BPOL and Italian GdF, this time (just a few days ago) I spotted such transmissions from the Polish AirForce (Siły Powietrzne - Ministerstwo Obrony Narodowej, MON) on 6884 KHz/USB where they use R&S GM2100 proprietary waveforms as HF bearer and UUCP over RSX.25 to send PostMan II email messages (Figure 1). Transmission were recorded using a Polish KiwiSDR [1].
|
Fig. 1 |
Particularly, one of the transmissions being analyzed refers to the nodes with ALE address WARSZAWA2 and BYDGOSZCZ:
TO WARSZAWA2 TIS BYDGOSZCZ
TO BYDGOSZCZ TIS WARSZAWA2
TO WARSZAWA2 TIS BYDGOSZCZ User Unique Function 00 07 (CMD USER UNIQUE WORD)
The used 2G-ALE protocol is the well-known standard 188-141A: the first thing that catches the eye is the use of a User Unique Function (UUF) [2] with the value 00 07 (14-bit ASCII [nul][bel]) in the third frame of the ALE handshake. User Unique Functions enable the transmission of a manufacturer-specific Unique Index which may be used for controlling the subsequent data transmission protocol; in this case, the value 0007 is most likely the particular "index" that R&S uses to signal UUCP/RSX.25 protocol to the receive node.
Data are sent using the HF waveform "Signal Format", a so-called R&S proprietary advanced waveform provided by their GM2100/GM2200 HF modem. The used waveform is the quite common 2400Bd PSK8 occupying a 3 KHz bandwidth (Figure 2). With 8PSK the net data rate of the serial modem is 5400 bit/s, errors are at first corrected by FEC, which reduces net data rate to 2700 bit/s.
|
Fig. 2
|
The framing consists of a 192-symbol sequence preamble followed by one ore more data blocks each consisting of 64-symbols: 48 unknown symbols (coded data) + 16 known symbols ("test sequences"). The postamble terminates the data blocks and consists of a 64-symbol End Of Message sequence. Except for the presence of an initial TLC section(s), the total length is then a multiple of 64 symbols.
|
Fig. 3
|
Figure 4 shows the ACF/period of the GM2100 waveform: since the 2400 Baud, the ACF value of 133.33ms corresponds to a 320-symbol period, ie to five 64-symbol data blocks.
|
Fig. 4
|
The length of 320 symbols is due to the fact that the 16-symbol test sequences are actually "segments" of a longer 80-symbol sequence and so they are five times repeated, as visible in Figure 4 (unless demodulation errors), hence the length of (48+16)×5=320 symbols, or 960 bit since each PSK8 symbol is mapped to a tri-bit sequence (000...111).
|
Fig. 5
|
After the removal of the HF waveform overhead, the well-known 8-bit patterns of RSX.25 emerge (Figure 6). RSX.25 literally stands for R&S adaptation of wired X.25 protocol to the HF radio channel,ie a modified AX.25 packet radio protocol.
Quoting R&S papers: "RSX.25 organizes the data to be transmitted in packets, which are successively transferred to the data modem. The packets contain a variable number of frames, the number per packet depending on radio-link quality and being adapted at regular intervals. The data transmitted in a packet are distributed among the frames. The length of the frame data is variable and also depends on radio-link quality: in channels of very good quality, a frame contains up to 250 data bytes, in strongly disturbed channels 4 bytes. Errors escaping FEC are eliminated by the ARQ procedure of the RSX.25 protocol." [3]
|
Fig. 6
|
The transmitted data are obtained after the removal of RSX.25 encapsulation and packets' reassembly, the file (Hex codes and ASCII text) is edited using the XVI32 hex editor [4] and shown in figure 7. Some known "reserved words" and syntax say that's an email transport performed by the use of UUCP: all messages in the initial handshake begin with a `^P' (a byte with the
octal value \020, hex 0x10) and end with a null byte (octal \000, hex
0x00).
|
Fig. 7
|
UUCP (Unix-to-Unix copy) suite is a set of computer programs and protocols that allow for the remote execution of commands and the transfer of email and files between computers, in this scenario it is used over RSX.25. The human-readable version of the UUCP "conversation" (just the initial part) is shown in Figure 8.
|
Fig. 8
|
The messages can be parsed according to the UUCP protocol internals [5] so to get some other informations about users, SW/HW equipment... and so on.
login...Connected...OK
login section
S Bydgoszcz_HF -pz -vgrade=z -R -N07 ROKN07 Pyie Uy
UUCP handshake
S caller hostname = Bydgoszcz_HF
-pz -vgrade=z requests the called system to only transfer files of the specified grade or higher = z (grades in UUCP links means 'priorities')
-R caller UUCP understands how to restart failed file transmissions. Supported only by System V Release 4 UUCP, so this is a System V release.
-N07 - caller UUCP understands the Taylor UUCP size negotiation extension (only for UUPlus, so this is UUPlus)
ROKN07 – called station acknowledgement of ‘R’ options. The caller UUCP is acceptable, it specified `-N', and the called UUCP also understands the Taylor UUCP size limiting extensions
Pyie the called station supports the following UUCP protocols y, i, e
Uy the calling station selects which protocol to use out of the protocols offered by the called station, in this case the UUCP protocol 'y'
pm2mrs -CR D.0097 0666 dso22odn@bydgoszcz.airforce.pl 0x3d26
most likely R&S PostMan II messenger
D.0097 file to send
0666 mode of file, if UUPlus always = 0666 for outgoing files
dso22odn@bydgoszcz.airforce.pl file name
0x3d26 file size (15654 bytes)
rsmail -v2 -f dso22odn@bydgoszcz.airforce.pl dsocop@warszawa2.airforce.pl
Since PostMan offers e-mail, fax and file transfer, my guess is that the additional command rsmail (most likely R&S mail) following the pm2mrs invocation just specifies the email service
dso22odn@bydgoszcz.airforce.pl the caller station (ALE address: BYDGOSZCZ) is the "22 Ośrodek Dowodzenia i Naprowadzania" (22 Command and Guidance Center) [6] located st Bydgoszcz Airport: it's a civilian airport but shared with the Polish Air Force
dsocop@warszawa2.airforce.pl it's the called station (ALE address: WARSZAWA2) , "dso cop" is probably the Armed Forces Operational Command in Warzawa (it's a my guess)
It's interesting to note that in some other recordings the email address are user@warszawa2.airforce.pl and user@bydgoszcz.airforce.pl ("user@" is the common default username as in other message handling systems), although the ALE address remain the same, ie WARSZAWA2 and BYDGOSZCZ.
BZh9
Bzip2 4 bytes header, here starts the file to be sent (Bzip compressed)
BZ Signature (0x425A magic number)
h Bzip2 (h is for Huffman coding)
9 increments of 100 kB block-size uncompressed
It's really obvious that the two stations belong to the Polish Air Force (indeed "airforce.pl" is the email domain name) as well as the use of R&S hardware/software equipment (STANAG/MIL-STD waveforms cannot be used along with the RSX.25 protocol [7]).
A bit of OSINT demonstrates the R&S support to the Polish Armed Forces:
as well as the use of R&S XK2500L and XK2900L radios (along with Harris RF-5800) at the "Radio Center, Region 4 Air Force ICT Support":
Must be noted that PostMan II (now superseeded by PostMan III) is a combined R&S hardware & software product running on a Unix-like communication server: hence the use of such OS, at least in the mail server of the local nets.
Further catches could offer the chance to gather some more intelligence.