I have already encountered the Rohde & Schwarz RSX.25 protocol in some transmissions of the German BPOL and Italian GdF, this time (just a few days ago) I spotted such transmissions from the Polish AirForce (Siły Powietrzne - Ministerstwo Obrony Narodowej, MON) on 6884 KHz/USB where they use R&S GM2100 proprietary waveforms as HF bearer and UUCP over RSX.25 to send PostMan II email messages (Figure 1). Transmission were recorded using a Polish KiwiSDR [1].
 |
| Fig. 1 |
Particularly, one of the transmissions being analyzed refers to the nodes with ALE address WARSZAWA2 and BYDGOSZCZ:
TO WARSZAWA2 TIS BYDGOSZCZ
TO BYDGOSZCZ TIS WARSZAWA2
TO WARSZAWA2 TIS BYDGOSZCZ User Unique Function 00 07 (CMD USER UNIQUE WORD)
The used 2G-ALE protocol is the well-known standard 188-141A: the first thing that catches the eye is the use of a User Unique Function (UUF) [2] with the value 00 07 (14-bit ASCII [nul][bel]) in the third frame of the ALE handshake. User Unique Functions enable the transmission of a manufacturer-specific Unique Index which may be used for controlling the subsequent data transmission protocol; in this case, the value 0007 is most likely the particular "index" that R&S uses to signal UUCP/RSX.25 protocol to the receive node.
Data are sent using the HF waveform "Signal Format", a so-called R&S proprietary advanced waveform provided by their GM2100/GM2200 HF modem. The used waveform is the quite common 2400Bd PSK8 occupying a 3 KHz bandwidth (Figure 2). With 8PSK the net data rate of the serial modem is 5400 bit/s, errors are at first corrected by FEC, which reduces net data rate to 2700 bit/s.
 |
| Fig. 2 |
The framing consists of a 192-symbol sequence preamble followed by one ore more data blocks each consisting of 64-symbols: 48 unknown symbols (coded data) + 16 known symbols ("test sequences"). The postamble terminates the data blocks and consists of a 64-symbol End Of Message sequence. Except for the presence of an initial TLC section(s), the total length is then a multiple of 64 symbols.
 |
| Fig. 3 |
Figure 4 shows the ACF/period of the GM2100 waveform: since the 2400 Baud, the ACF value of 133.33ms corresponds to a 320-symbol period, ie to five 64-symbol data blocks.
 |
| Fig. 4 |
The length of 320 symbols is due to the fact that the 16-symbol test sequences are actually "segments" of a longer 80-symbol sequence and so they are five times repeated, as visible in Figure 4 (unless demodulation errors), hence the length of (48+16)×5=320 symbols, or 960 bit since each PSK8 symbol is mapped to a tri-bit sequence (000...111).
 |
| Fig. 5 |
After the removal of the HF waveform overhead, the well-known 8-bit patterns of RSX.25 emerge (Figure 6). RSX.25 literally stands for R&S adaptation of wired X.25 protocol to the HF radio channel,ie a modified AX.25 packet radio protocol.
Quoting R&S papers: "RSX.25 organizes the data to be transmitted in packets, which are successively transferred to the data modem. The packets contain a variable number of frames, the number per packet depending on radio-link quality and being adapted at regular intervals. The data transmitted in a packet are distributed among the frames. The length of the frame data is variable and also depends on radio-link quality: in channels of very good quality, a frame contains up to 250 data bytes, in strongly disturbed channels 4 bytes. Errors escaping FEC are eliminated by the ARQ procedure of the RSX.25 protocol." [3]
 |
| Fig. 6 |
 |
| Fig. 7 |
 |
| Fig. 8 |
The messages can be parsed according to the UUCP protocol internals [5] so to get some other informations about users, SW/HW equipment... and so on.
S caller hostname = Bydgoszcz_HF
-pz -vgrade=z requests the called system to only transfer files of the specified grade or higher = z (grades in UUCP links means 'priorities')
-R caller UUCP understands how to restart failed file transmissions. Supported only by System V Release 4 UUCP, so this is a System V release.
-N07 - caller UUCP understands the Taylor UUCP size negotiation extension (only for UUPlus, so this is UUPlus)
ROKN07 – called station acknowledgement of ‘R’ options. The caller UUCP is acceptable, it specified `-N', and the called UUCP also understands the Taylor UUCP size limiting extensions
Pyie the called station supports the following UUCP protocols y, i, e
Uy the calling station selects which protocol to use out of the protocols offered by the called station, in this case the UUCP protocol 'y'
0666 mode of file, if UUPlus always = 0666 for outgoing files
dso22odn@bydgoszcz.airforce.pl file name
0x3d26 file size (15654 bytes)
rsmail -v2 -f dso22odn@bydgoszcz.airforce.pl dsocop@warszawa2.airforce.pl
dsocop@warszawa2.airforce.pl it's the called station (ALE address: WARSZAWA2) , "dso cop" is probably the Armed Forces Operational Command in Warzawa (it's a my guess)
Bzip2 4 bytes header, here starts the file to be sent (Bzip compressed)
BZ Signature (0x425A magic number)
h Bzip2 (h is for Huffman coding)
9 increments of 100 kB block-size uncompressed
[2] http://hflink.com/standards/MIL_STD_188-141C.pdf (A.5.6.9 User unique functions)
[3] https://cdn.rohde-schwarz.com/pws/dl_downloads/.../n155.pdf
[5] http://www.math.utah.edu/docs/info/uucp_5.html
Interesting... what does this look like from a security/confidentiality perspective?
ReplyDeleteMaybe I'm paranoid but even stupid email addresses in such communication should be hidden under cryptography imho
Correct! But it depends on where the crypto device sits along the Tx chain: if just before the modem (or embedded as L3Harris Citadel) then you will see nothing, only the framing of the HF waveform.
Delete