26 August 2023

CIS FSK scanning SelCall (ACS/C)

This is an example of a CIS ACS/C (Automatic Channel Selection/Control) scanning SelCall [1]; in this case a scan set of seven channels is used. The signal was recorded by my friend ANgazu on two occasions and presents some interesting aspects. As shown in Figure 1, the call consists of five scanning cycles: the three central ones, each consisting of all seven channels of the scan list (1-7), plus the first and the last ones, consisting respectively of the four upper channels (4-7) and the three lower ones (1-3). This way each channel of the scan list is "worked" four times. Given the scanning mode, the call (and probably the system) is asynchronous.

Fig. 1 - the five CIS ACS/C cycles

The main parameters are (Figure 2):

- the modulation used in the channels is FSK at 150 bps with a shift of 200 Hz;
- separation between channels is 4 KHz, for a total bandwidth of ~24 KHz *
- each FSK segment has a duration of 4000 ms (see below) or 600 bits, which makes a 28 s duration for a complete scanning cycle;
- the scanning call lasts 1m 50s;
- transition time between two consecutive channels is practically zero.

* the occupied bandwidth in Hz may be computed as ~[(N-1) × 4000 + 2×Br], in this sample N=7

Fig. 2 - main parameters

The FSK segments exhibit a 300 ms ACF and consist of a 45-bit repeated sequence (Figure 3); obviously, all the segments transmit the same data.

Fig. 3 - a demodulated bitstream

It's worth noting that a 15-bit encoding would make sense.
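The 300 ms ACF and the 45-bit period can be recovered from a demodulated bitstream as in the following added example (not part of the original analysis). The 45-bit frame and the three bit errors are constructed sample data, not the real selcall content; the function names are illustrative.

```python
BPS = 150  # modulation speed given in the post

def agreement(bits, lag):
    """Fraction of positions where the stream equals itself shifted by `lag`."""
    pairs = list(zip(bits, bits[lag:]))
    return sum(a == b for a, b in pairs) / len(pairs)

def repetition_period(bits, max_lag=120, threshold=0.98):
    """Smallest lag (in bits) at which the stream repeats, or None."""
    for lag in range(1, max_lag + 1):
        if agreement(bits, lag) >= threshold:
            return lag
    return None

def majority_frame(bits, period):
    """Fold the stream into rows of `period` bits and vote column by column,
    which removes isolated bit errors from the recovered frame."""
    frame = []
    for col in range(period):
        column = bits[col::period]
        frame.append("1" if 2 * column.count("1") > len(column) else "0")
    return "".join(frame)

def split_words(frame, width=15):
    """Cut the frame into fixed-width words (45 bits = 3 x 15 bits)."""
    return [frame[i:i + width] for i in range(0, len(frame), width)]

# Constructed 45-bit frame (three arbitrary 15-bit words), NOT the real data.
FRAME = "110100101100011" "001011100101101" "111000110100100"

def sample_segment():
    """One constructed 600-bit FSK segment: the frame repeated, 3 bit errors."""
    bits = list((FRAME * 14)[:600])
    for pos in (37, 201, 444):          # constructed reception errors
        bits[pos] = "0" if bits[pos] == "1" else "1"
    return "".join(bits)

if __name__ == "__main__":
    seg = sample_segment()
    period = repetition_period(seg)
    print(period, "bits =", 1000 * period / BPS, "ms ACF")
    print(split_words(majority_frame(seg, period)))
```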

As seen in Figure 1, the last FSK segment is shorter (~2240 ms instead of 4000 ms): the sequence before the trailing "1s" seems to be 1 bit off from the previous pattern; maybe it's a streaming failure (Figure 4).

Fig. 4 - last FSK segment

The second recording (Figure 5) shows the same scan set arrangement (4-7, 1-7, 1-7, 1-7, 1-3) except for a short FSK segment in the third scan cycle (Figure 6): it's not possible to know if it is intentional or is a malfunction or maybe - as assumed for the last segment - a streaming failure.

Fig. 5

Fig. 6

As for the length of the FSK segments, it's interesting to notice in Figure 7 that the very first segment, and only this one, lasts 4040 ms and consists of an initial preamble, a 460 ms sequence of "01"s, followed by ~3580 ms of selcall data: probably the preamble signals the start of the scanning cycles.

Fig. 7 - "01"s preamble in the first FSK segment

Even more interesting is that the preamble seems to be keyed at the speed of 160 bps and thus consists of 73 bits of reversals: Figures 8 and 9 clearly indicate the different speeds.

Fig. 8 - different modulation speeds detected with the "zero-crossing" method

Fig. 9 - 160 and 150 bps FSK demodulations
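The zero-crossing measurement behind Figure 8 can be sketched as follows. This is an added example, not the tool used for the figures; the 48 kHz sample rate and the data bits are assumptions, while the 73-bit reversal preamble at 160 bps and the 150 bps data speed come from the text.

```python
FS = 48000  # assumed sample rate: whole samples per bit at both speeds

def nrz(bits, bps, fs=FS):
    """Demodulated (baseband) signal: +1/-1 held for one bit period."""
    return [1 if b == "1" else -1 for b in bits for _ in range(fs // bps)]

def zero_crossings(samples):
    """Sample indexes where the signal changes sign."""
    return [i for i in range(1, len(samples)) if samples[i] != samples[i - 1]]

def unit_rate(gaps, fs=FS):
    """Keying speed from crossing gaps: the shortest gaps are single bits."""
    shortest = min(gaps)
    single = [g for g in gaps if g < 1.5 * shortest]
    return fs / (sum(single) / len(single))

def split_speeds(crossings, tol=0.02, fs=FS):
    """Return (preamble_bps, data_bps, n_reversal_gaps). The preamble is the
    leading run of equal gaps (pure reversals); the rest is treated as data."""
    gaps = [b - a for a, b in zip(crossings, crossings[1:])]
    n = 0
    while n < len(gaps) and abs(gaps[n] - gaps[0]) <= tol * gaps[0]:
        n += 1
    return unit_rate(gaps[:n], fs), unit_rate(gaps[n:], fs), n

def sample_first_segment():
    """Constructed signal: 73 reversal bits at 160 bps, then data at 150 bps."""
    preamble = ("01" * 37)[:73]
    data = "1101001011000110" * 3       # constructed bits, not real data
    return nrz(preamble, 160) + nrz(data, 150)

if __name__ == "__main__":
    pre, data, n = split_speeds(zero_crossings(sample_first_segment()))
    print(f"preamble {pre:.1f} bps over {n} reversal gaps, data {data:.1f} bps")
```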

The scanning system probably makes use of the CIS Selcall waveform [2] "Vishnya" (from the name of the R-016V "Вишня" radio equipment): indeed modulation, bps, shift and ACF match. It must be said, however, that although I referred to the transmission as a "call" it could also be an LQA or other type of message/signaling. Apparently - at least in this portion of the band - there is no reply from the called station.

By the way, this (quite rare and old) signal was also heard using a remote SDR located in Ukraine... unfortunately, many interesting signals are on-air in that unfortunate area.

https://disk.yandex.com/d/MuMLNeTCkb4npg

[1] http://signals.radioscanner.ru/base/signal251/
[2] http://signals.radioscanner.ru/base/signal106/

19 August 2023

yet another unidentified "embroidery"

updated

Unid signal noted on 7005 KHz/USB; "patterns" are sent every 1328 ms and have a duration of 672 ms (2000 ms cycle). Transmissions occur during the afternoon, not every day, and last 2 hours. As per Kiwis and some observations, this new waveform could be from Russia.

Fig. 1

Could be a kind of "image" formed by the array of multiple frequencies, just like the HAM calls sent in SSTV broadcasts, but it's only my guess and further recordings could clarify source and users. Comments are welcome.

https://disk.yandex.com/d/Kvog7RX83oppFA 

19th August update
I want to thank my dear friend cryptomaster who suggested that this signal could be an "evolution" or a modified version of the Turkish waveform shown here:
http://i56578-swl.blogspot.com/2023/05/a-strange-as-unid-signal-appeared-last.html

If he's right, as I think, this would be a good step forward.
 

14 August 2023

ECCM Frequency Hopping Spread-Spectrum (FHSS) example

Looking at the spectrum of the receivable signals around 7 MHz in the UKR skies, as well as numerous and very frequent STANAG-4538 and L3Harris WHARQ waveforms, it may happen that we observe transmissions in frequency hopping mode (FHSS, or Frequency Hopping Spread-Spectrum) as shown in Figure 1.
Frequency hopping (also known as ECCM, Electronic counter-countermeasures) is the most commonly used Transmission Security (TRANSEC) technique. The frequency hopping capability provides advanced anti jam protection for communications. In HOP radio mode, the transmitter frequency changes so rapidly that it is difficult to intercept or jam the signal. For additional security, hopping data and digital voice data can be encrypted. 

Fig.1 - FHSS transmission

My friend ANgazu from radiofrecuencias.es and I had the chance to analyze these signals and share the results. We observed transmissions which use 26 or 27 channels and occupy a bandwidth of 81 KHz, since each channel is 3 KHz wide (2700 + 300 Hz separation). Hopping rate is 8.88 sps with a hop time of ~112.5 ms (say 102 ms ON, 10.5 ms OFF).

Fig. 2 - FHSS single channel frequency occupation

Fig. 3 - FHSS timing

Like a single-channel serial tone waveform, the modulation used is 2400 Bd PSK8 for both voice and data (Fig. 4).

Fig. 4 - FHSS modulation

This waveform is fielded in AN/PRC-150(C) radios by L3Harris. Wideband hopping covers a frequency band that is bounded by a lower and upper frequency specified in multiples of 100 Hz; frequency exclusion bands may also be programmed. AN/PRC-150 narrow band hopping uses frequencies within a defined bandwidth of the center frequency (Fc) as in the Table below: notice the reported 81 KHz bandwidth in the case of 3.5 MHz <= Fc < 9.995 MHz.

Table 3.16 - L3Harris AN/PRC-150 operation manual

An important aspect of hopping is synchronization, i.e. all radios in a net shall use the same frequency at the same time interval: that alignment may be accomplished with the use of GPS, but in some cases (very very rare) it uses the manual 3x4 sync sequences as shown in Figure 5.

Fig. 5 - 3x4 sync sequences

If our guess is correct, we can assume a large employment of L3Harris equipment in that (war) theatre.

https://disk.yandex.com/d/YFFDFIUrTFQ2oA

4 August 2023

FSK 150Bd/500, prob. RusAF "Chayka" (telecode "Seagull")

Interesting catch of some short FSK signals on 6885.5 KHz (cf) with modulation speed of 150 bps and shift of 500 Hz. The FSK parameters and the receiver used, an AirSpy server in Ukraine, are good indications in favor of the Russian Air Force system called "Chayka" ("Чайка", Seagull): a command/signaling message system, encrypted, used for military aircraft-ground communications.

Fig. 1

The equipment used could be Р-095 or Р-099 (R-095 and R-099, if translated), that is "aviation on-board telecode communication equipment" [1][2]: by increasing the gain of the spectrum to 65 dB (Figure 2) it is also possible to detect the message sent by the corresponding station, so that we can see both the air & ground versions (...provided that I have really heard a Chayka signal).

Fig. 2

A "Chayka codegram" may consist of separated segments and/or insertions, as clearly visible in Figure 3 where the signal has been resampled to 3788 KHz.

Fig. 3

By the way, specialists of the Kaluga Research Institute developed the high-speed communication P-097M, which is the successor of P-099 Chaika: one of the key differences between the new system and its predecessors is the high automation [3].

source: (http://wiki.airforce.ru/ - List of airborne radio communications: Data communication equipment)

As a final note, Figure 4 shows that the phases of the two frequencies are not constant and change after every switch: probably two non-synchronized frequency generators are used (if a single oscillator, maybe a VCO, were used we would see no phase changes). Given that Figure 5 shows the durations of two periods, it's possible to work back to the frequencies of the two tones:

2 / 0.001286 = 1555.20 Hz
2 / 0.001896 = 1054.85 Hz

i.e. just a 500 Hz shift.

Fig. 4
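The difference between two free-running generators and a single steered oscillator can be checked on samples, as in this added example (not from the original analysis). The tones are rounded from the measured values, and the 48 kHz sample rate and the keyed bits are assumptions.

```python
import math

FS = 48000                  # assumed sample rate
BAUD = 150                  # modulation speed from the post
SPACE, MARK = 1055, 1555    # Hz, rounded from the measured 1054.85 / 1555.20

def two_oscillators(bits, fs=FS):
    """Two free-running generators; the keyer only selects one of them, so each
    tone keeps the phase it would have had if it had never been switched off."""
    spb = fs // BAUD
    return [math.sin(2 * math.pi * (MARK if b == "1" else SPACE) * (n * spb + k) / fs)
            for n, b in enumerate(bits) for k in range(spb)]

def single_vco(bits, fs=FS):
    """One oscillator whose frequency is steered: phase is accumulated, so a new
    tone starts exactly where the previous one stopped."""
    spb, phase, out = fs // BAUD, 0.0, []
    for b in bits:
        step = 2 * math.pi * (MARK if b == "1" else SPACE) / fs
        for _ in range(spb):
            out.append(math.sin(phase))
            phase += step
    return out

def phase_breaks(samples, fs=FS, f_max=MARK):
    """Indexes where the sample-to-sample step exceeds what a continuous
    sinusoid of at most f_max Hz can produce (|delta| <= 2*pi*f_max/fs)."""
    limit = 2 * math.pi * f_max / fs
    return [i for i in range(1, len(samples))
            if abs(samples[i] - samples[i - 1]) > limit]

BITS = "0110100"            # constructed keying sequence

if __name__ == "__main__":
    print("two oscillators:", phase_breaks(two_oscillators(BITS)))
    print("single VCO     :", phase_breaks(single_vco(BITS)))
```

A phase jump that happens to land on nearly the same amplitude stays below the limit, so the reported indexes are a lower bound on the number of switches.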

https://disk.yandex.com/d/toc0K7MpLq94ZQ

[1] http://wiki.airforce.ru/
[2] http://www.rwd-mb3.de/ntechnik/pages/ng_r.htm
[3] https://www.aviaport.ru/digest/2020/07/06/644509.html