26 October 2023

NILE/Link-22, likely QAM traffic waveforms

Two close NILE/Link-22 channels were recorded this morning (26th October) on 14.656 KHz and 14.659 KHz using a remote AirSpy server located in Romania [1]; traffic in the two channels flowed in alternating mode.

Fig. 1 - NILE/Link-22 transmissions

Link-22 uses TDMA (Time Division Multiple Access) waveforms, as specified in STANAG-4539 Annex D: the modulation technique consists of phase shifting of a 00 Hz sub-carrier at a speed of 2400 baud. In TDMA mode each user is allowed to transmit only within specified time intervals called "Time Slots", so that different users transmit in different time slots (1). According to S-4539 Annex D, a TDMA slot is the high-level structure in which information is transmitted/received; it is composed of a Preamble, a certain number of Media Code Frames and a Guard Time.

 

A Media Code Frame is composed of 270 symbols, transmitted at the modulation rate of 2400 baud using different Traffic Waveforms and modulations. Each Traffic Waveform is composed of a sequence of Data blocks and Mini Probe (MP) blocks: a Data block contains coded information symbols, while an MP block contains known training symbols used by the equaliser. The Mini Probe symbols, prior to scrambling, are all symbol number 0. Since the Media Code Frame is always 270 symbols long, regardless of the Traffic Waveform used, its ACF has a value of 112.5 ms (270 symbols / 2400 baud).
Figures 2 & 3 show that the two Link-22 channels use two different Traffic Waveforms to arrange the 112.5-ms/270-symbol media code frame; notice also that they use the same time slot duration, since both send 15 media code frames per time slot.

Fig. 2 

Fig. 3

Given the poor SNR of the signals I was unable to obtain clear constellations and therefore to identify the type of Traffic Waveforms used; my attempts suggest the use of QAM modulations (Figure 4).

Fig. 4

Unfortunately I don't have the 2019 edition of STANAG-4539 but only the first edition, dated 2005, which specified only three waveforms (QPSK & PSK8): as you may see, the framings resulting in figures 2 and 3 do not correspond to them.


https://disk.yandex.com/d/xPhBz07F5Oh5tg

(1) separation among users is performed in the time domain https://en.wikipedia.org/wiki/Time-division_multiple_access

[1] sdr://79.118.167.161:5556 

24 October 2023

CIS VFT 12-FSK async channels system (P-327-12)

A very interesting and rather rare capture sent to me by my friend AngazU, of a CIS VFT (Voice-Frequency Telegraphy) waveform which uses twelve independent FSK channels multiplexed onto a single 3 KHz wide HF channel. The transmission was recorded on 4567 KHz USB, just while monitoring the nearby well-known "buzzer". Regardless of the nickname we would like to give to these signals, the name of the equipment is P-327-12, or in Russian П-327-12 (thanks to Cryptomaster for the info).
The P-327-12 equipment provides up to 12 channels of Voice-Frequency Telegraphy with a speed of up to 100 baud in one HF channel, or 6 channels in two standard HF channels. The occupied band of each VFT channel is 160 Hz. The characteristic (upper and lower) frequencies of a single channel are determined by the formulas:
f1 = 180 + 240n Hz
f2 = 300 + 240n Hz

where f1 and f2 are the lower and upper characteristic frequencies (i.e. the FSK shift) of the nth channel. If there is no traffic on the nth input channel, only the higher frequency (f2) is transmitted. The "pilot tone", as usual, is transmitted on 3300 Hz.
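The channel plan above can be turned into a small classifier that maps tones measured on a spectrum back onto P-327-12 channels and flags idle channels (upper tone only) versus keyed ones. This is an added example, not code from the post; the channel index range n = 1..12, the tolerance and the tone list are assumptions/constructed values.

```python
# Channel plan of the P-327-12 VFT system as given in the post:
#   f1 = 180 + 240n Hz (lower), f2 = 300 + 240n Hz (upper), 12 channels, pilot at 3300 Hz.
# Assumption (not stated in the post): n runs from 1 to 12, which places the
# channels between 420 Hz and 3180 Hz, just below the 3300 Hz pilot tone.
CHANNELS = range(1, 13)
PILOT_HZ = 3300
TOLERANCE_HZ = 20   # allowed offset of a measured tone from its nominal frequency (assumption)

def channel_tones(n):
    """Nominal (f1, f2) characteristic frequencies of channel n."""
    return 180 + 240 * n, 300 + 240 * n

def classify_tones(measured_hz):
    """Map measured tone frequencies onto the channel plan.  Per channel:
    'traffic' when both f1 and f2 were seen, 'idle' when only the upper tone f2
    is present (an idle input channel transmits only f2), 'absent' otherwise.
    Also reports whether the pilot was seen and which tones fit no channel."""
    seen = {n: set() for n in CHANNELS}
    unassigned, pilot = [], False
    for f in measured_hz:
        if abs(f - PILOT_HZ) <= TOLERANCE_HZ:
            pilot = True
            continue
        for n in CHANNELS:
            f1, f2 = channel_tones(n)
            if abs(f - f1) <= TOLERANCE_HZ:
                seen[n].add("f1"); break
            if abs(f - f2) <= TOLERANCE_HZ:
                seen[n].add("f2"); break
        else:
            unassigned.append(f)
    status = {}
    for n, tones in seen.items():
        status[n] = ("traffic" if tones == {"f1", "f2"}
                     else "idle" if tones == {"f2"} else "absent")
    return {"channels": status, "pilot": pilot, "unassigned": unassigned}

# Constructed tone list: channels 1, 3 and 6 keyed (both tones present, as in the
# post's sample), the other nine channels idle (f2 only), the pilot present, plus
# one stray 1100 Hz tone that fits no channel within the tolerance.
SAMPLE_TONES = [420, 540, 900, 1020, 1620, 1740, 3300, 1100] + \
               [channel_tones(n)[1] for n in CHANNELS if n not in (1, 3, 6)]

if __name__ == "__main__":
    for n, st in classify_tones(SAMPLE_TONES)["channels"].items():
        print("channel %2d  f1=%4d f2=%4d  %s" % (n, *channel_tones(n), st))
```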

Fig. 1 - CIS 12-FSK spectrum

It's worth noting that the P-327 system is asynchronous(!), i.e. the transmission speed of each channel can be any value in the range 0-100 or 200 Baud. For example, in this sample channels 1 and 3 have a speed of 50 Baud while channel 6 is keyed at the speed of 100 Baud (Figs. 2,3).

Fig. 2a

Fig. 2b
 
Be careful not to confuse the CIS-12 (AT-3400D equipment) and CIS VFT-12 (P-327-12 equipment) waveforms: although "at first sight" on the waterfall they look like the same signal, they sound different and have a slight difference in the occupied bandwidth; furthermore, while CIS-12 consists of 12 continuous PSK channels, the P-327-12 signal consists of twelve non-simultaneous FSK channels (Figure 3).
 
Fig. 3 - comparison of the spectra of VFT-12 and CIS-12 signals

At least in this sample, the data do not appear to be formatted according to the Russian CIS-11 and/or CIS-14 standards (Figure 4).
 
Fig. 4 - CIS-11 & CIS-14 test results
 
The P-327 system was adopted into service to replace the P-318M voice-frequency telegraphy equipment. Thanks to the use of modern digital components and new technical solutions, it was possible to improve the quality of telegraph communications, simplify the operation of the equipment, and reduce its weight and size.


Fig. 5 - P327-12 system: note the 12 "slots" of the modem (https://infopedia.su/18xc490.html?ysclid=lo41wlbhdo570983862)

https://disk.yandex.com/d/uD1tKwWOX3CN8A

references:
http://www.newreferat.com/ref-9052-15.html?ysclid=lo42dv39yj543186787 
https://www.myfreedom.ru/articles/tekhnika-svyaz/tekhnika-telegrafnoj-svyazi/apparatura-T-327-12.html
https://studfile.net/preview/7270398/page:28/ 

9 October 2023

Chinese Air Force/Air Defense (PLAAF) async M39

These transmissions were recorded in the 10 MHz band (10388.30, 10401.0, 10348, 10436.0, ... all KHz/USB), mostly after 1100 UTC, by means of the FlyDog SDR located in Oita, Japan [1]. Usually, op-chats and data transfers follow the link setup by MS 188-141 handshakes; some observed ALE IDs are:

111 164 166 184
212 219 220 222 223 231 236 254 257 273 283 290
320 347 383
428 438 455 476 485 490 498
513 526 552 583 595
603 609 612 620 653 658 696
738 747 758 775 778 781
839
910 966

According to a friend of mine, the op-chats are in Mandarin Chinese with a northern accent.

Fig. 1 - one of the recorded transmissions

The analysis of the traffic waveforms reveals the use of MIL-STD 188-110A Appendix B (also referred to as M39): an OFDM modulation technique using 39 orthogonal subcarriers spaced 56 Hz apart and an additional unmodulated Doppler reference tone at 393.75 Hz. The 39 tones are PSK4 modulated in such a way that, although data rates can vary from 75 bit/s to 2400 bit/s, a fixed symbol rate of 44.44 Bd results in any case (see Figs 2,3). In these transmissions the speeds of 150 and 300 bps are usually used.

Fig. 2 - OFDM analysis

Fig. 3 - analysis of a single tone

Given the operator's language, the ALE IDs and the mode used (188-110 App. B), I'm quite sure that the People's Liberation Army Air Force (PLAAF), also referred to as the Chinese Air Force/Air Defense, is the user of this net: given the signal strength, it could be the Southern Theater Command Air Force... but the latter is just my guess.

Analyzing the Chinese M39 waveform in detail, however, some differences emerge in the structure of the preamble compared to what is specified in the related MIL-STD, #B.5.4.1: "Prior to the transmission of data, a three part preamble shall be transmitted. Part one shall last for 14 signal element periods and consist of four equal amplitude unmodulated data tones of 787.5, 1462.5, 2137.5, and 2812.5 hertz (Hz). Part two shall last for 8 signal element periods and consist of three modulated data tones of 1125.0, 1800.0, and 2475.0 Hz. Part three shall last for one signal element period and consist of all 39 data tones plus the Doppler correction tone".

 
Indeed, as shown in Figure 4, since one signal element period corresponds to 22.5 ms, part one of the Chinese M39 preamble lasts for 11 signal element periods (247.5 ms) and is thus a bit shorter (I think we may accept an error of about 500 µs). Block sync may depend on the speed and interleaver length. Also notice the lower amplitude of the 1462.5 Hz tone, probably caused by a modem malfunction.
 
Fig. 4 - plain and Chinese M39 waveforms

Figure 5 shows the two preambles as a function of the 22.5 ms signal element period: the difference, however marginal, does not affect the demodulation of the signal.
 
Fig. 5

 
The demodulated bitstreams have an 8N1 asynchronous start/stop character format and exhibit quite clear repeated "patterns", as shown in Figure 6.

Fig. 6 - M39 demodulated bitstream

After the removal of the start/stop bits, the decoded messages consist of 4-digit codewords (here referred to as 4FGs groups or simply "groups") which are sent 10 per row in numbered blocks, each block consisting of 100 groups: it's the same format as the messages used by the so-called "VC03" (a Chinese Air Defense net). Below is a pretty long message consisting of 599 groups:

3415 3415 3415 XXXXJGJGXXX 11
290 130191209032184  fb0237.txt230902190040                                                                                 
016/JC   599   42   0902   1900
6497---1549---1114---1113---1355---1822---3177---
1482---1362---4499---1896---1836---1547---6497

3421 8994 2267 1703 1963 0520 8446 4305 0147 0033
8234 6413 4554 2374 5684 5250 4025 9563 9069 9119
6871 0179 4924 0782 9157 6996 9815 4064 4061 5312
2104 4338 7161 2751 5486 9607 6046 3198 7947 8450
6379 4171 4671 3204 5836 1693 1067 6773 0508 7636
1205 2881 8767 2810 4537 8465 9718 7606 8460 8964
0973 4238 4192 3252 9602 5332 8917 5801 0870 2025
3204 7083 8983 7851 0818 7935 4658 9254 7035 1034
3530 2940 3279 5623 8282 9146 5949 9671 3504 3884
0424 1297 4832 2723 6395 6248 8661 0136 7304 6189-1

4927 2716 4521 6114 3627 2713 7346 0872 0147 0036
7124 6002 1205 9793 6873 9063 2598 4553 7238 5230
2417 5731 4632 7882 0024 8903 5881 4908 3413 4782
1645 9492 2871 2046 4529 8945 1400 3960 1606 6069
4536 6500 6930 9438 7990 3048 2317 1048 2194 6794
9505 6481 6721 3068 3012 6485 8269 8910 8425 9872
3693 3945 6290 5309 3041 8664 5278 2561 5214 1182
5026 4037 5737 0198 7194 6875 7871 9574 5860 4351
8702 3783 0552 2174 8260 6816 1464 1338 7970 8534
5467 5858 3591 9312 3415 9096 6505 1319 6787 9392-2

4823 5741 3721 8794 3447 6443 5719 9243 0147 0039
9838 2061 1301 7473 4990 2042 7942 9815 2474 4963
8575 3541 3992 7510 2596 1213 6767 8287 7648 9442
2064 5691 3532 6702 3065 5821 7042 1278 4397 9264
8118 1230 0787 2839 0565 8536 7865 5103 0805 2943
9596 2852 7545 0681 2070 8275 1526 9851 1009 8505
9095 7276 5781 6954 1090 0929 8196 3638 3708 8791
0290 4030 5894 8998 0680 1568 2369 6030 7573 1938
7423 7581 6426 6841 3667 1462 3290 3034 0557 1661
7672 4160 3484 6334 7595 6481 5994 1763 8012 2163-3

4591 7885 2907 3230 5731 3794 3807 6064 0147 0042
4082 3194 1908 7554 8100 6734 9446 8777 5392 0143
8207 5150 2467 2563 8196 4095 5250 5803 2634 3185
4328 4183 5618 9824 5841 6432 2939 9793 2964 2793
1030 3797 8002 3491 3209 5180 5415 8661 1267 3201
3446 9114 5060 0797 7509 9781 8776 6254 2550 8280
7621 9429 1627 9467 8105 0280 9032 4173 1002 1590
6778 9809 1903 7640 8325 1672 5723 5850 8949 6487
9831 6883 3604 6232 6452 0429 2681 8417 4118 9840
5771 0509 8367 0194 5170 2763 9449 9796 0303 8130-4

5059 5293 9063 2156 9489 9177 7371 9543 0147 0045
7017 4024 1685 6761 0236 1671 3746 1446 0023 2320
4603 9204 2881 6004 4217 5904 7218 2583 1023 9095
8767 1881 8784 6978 7327 7858 4241 9911 7885 3927
9182 0598 5797 0941 4513 2231 0530 3698 3551 7237
3175 5438 9756 5798 3652 2297 3523 0089 6867 6347
8438 8634 9150 7040 7090 4302 2361 9513 3465 6623
6548 3582 9066 6074 1874 6228 6708 8918 4925 6506
6815 6041 4016 5489 6432 5229 7195 7546 1408 7515
3968 3150 5926 4840 0401 5423 8941 3897 6327 0219-5

5831 1584 2697 6824 1508 2155 2370 5037 0147 0048
0360 6101 8113 1384 1920 7382 9193 2805 8949 8607
7008 4942 1396 5484 0425 0336 9724 0384 5954 1456
8193 7607 9551 6942 1345 0965 4617 5614 5719 2626
3783 8968 1982 7037 9832 9302 0404 4350 3167 5601
4670 8131 8104 2693 8978 3425 5780 3908 1954 2061
6095 1336 2823 4076 0348 8515 7184 3558 9667 7132
2781 3632 9504 7075 1225 5310 5030 8578 9487 9269
3616 8278 4240 9210 9764 8274 5963 9837 6049 7041
3299 0594 6226 7475 1496 5379 7668 2512 7247

Although I don't have a large number of demodulated messages at my disposal, only a few dozen so far, it's nevertheless possible to make some comments and parse the message headers. As an example, Figure 7 is an overall view of three complete 201-group messages sent by the same station (ALE ident 620) within minutes and on the same frequency (10401.0 KHz/USB); I also added the related ALE calls in the upper part of the messages. In this regard, unlike other protocols such as S-5066, it must be noticed that the ALE addresses match those used in the message headers.

 
Fig. 7
 
As an example of the format, I took message #1 of Figure 7: you can check it against the other two messages.

MIL-STD 188-141A ALE:START TIS [620] TO [485]
the ALE call preceding op-chat and data transfer

1277 1277 1277 XXXXJGJGXXX 11
1277 1277 1277 type of message? some seed indicator? (always in the format "nnnn")
XXXXJGJGXXX this string is present in the headers of all the messages I've heard; I don't know its meaning/purpose. At a glance, it looks like the Russian flash "XXX XXX" messages... By the way, in the Chinese 4x4 messages it's possible to see a similar string "JYJYJYJYJYJY"
11 precedence indicator of the message? (happens to be the length of the preceding string 'XXXXJGJGXXX')

485 311291609032620 fb6183.txt230906192112
485 ALE ID (digits) of the called/destination node (as from the ALE call)
311291609032620 timestamp in reverse order (read from right to left: ssmmhhddmmyy), i.e. 23.09.06 19:21:13
311291609032620 the last three digits (620) are the ALE ID of the caller/source node (as from the ALE call)
fb6183.txt the file name being sent; "6183" seems to be a sequence number
230906192112 timestamp in the format yymmddhhmmss, i.e. 23.09.06 19:21:12, no time zone indicator. Indeed, the transmission was recorded on the same date at 11:21:45 UTC (a few seconds later), which makes sense since the user's time zone is UTC+8. In some messages this field is not present.
It's worth noting the difference of 1 second between the two times reported in the header; perhaps the earlier time is related to the file (its reception?) and the later one is the time of formation/sending of the message. Sometimes that interval is longer, for example 17:50:54 vs 17:53:22 (223571); probably one timestamp for the transmission and another for saving the .txt file.

150 201 72 0906 1900
150 likely the daily serial number of the message sent by the sender; in these samples, message #151 is missing. In certain cases it's reported using the "nnn/CCK" format (see below)
201 number of 4FGs groups that make up the message
72 message group identifier?
0906 date (mmdd)
1900 rough time (hhmm), maybe of drafting

0712---4771
0712 four-digit military address of the originating establishment/unit?
4771 four-digit military address(es) of the destination establishment(s)/unit(s)?
(It's interesting to notice that there is a one-to-one match between the military address of the originating unit and the ALE ID of the caller/sender node: in Figure 7, for example, 0712 refers to ALE ID 620, as well as 4771 to 485, 4321 to 476 and 4351 to 747.) Only the node with ALE ID 111 seems to use more than one military address (I noted 6497, 7234, 8759).
If I'm right about the meaning of these fields, then the nodes seem to act as forwarders; for example, in the header below there is more than one destination address. Note also the different format of the (supposed) daily serial number of the message:

3415 3415 3415 XXXXJGJGXXX 11
290 130191209032184  fb0237.txt230902190040                                                                                 
016/JC   599   42   0902   1900
6497---1549---1114---1113---1355---1822---3177---
1482---1362---4499---1896---1836---1547---6497

The same goes for the ALE global call issued by node 198 (Figure 8):
[2023-09-14 11:17:04] MIL-STD 188-141A ALE: TIS [198] TO [@?@]
indeed this call was then followed by the transmission of a message originating from node 111 (not 198!) and addressed to node 222 (all ALE IDs)
 
1274 1274 1274  XXXXJGJGXXX  11         
222 957191419032111 fb5042.txt230914191456                                                                                 
 
The same message was transmitted three consecutive times using three M39 segments and leaving the headers unchanged.
 
By the way, the 8660 ms duration of the global ALE call (i.e. a "scanning call") gives some indication of the number of available channels in the 10 MHz band: assuming full compatibility with MS-141, the scan list should consist of approximately 10 channels (1). As shown in Figure 8, in order to be sure of reaching all the stations, the global call is transmitted five times (the first four global calls are followed by a TWAS).

Fig. 8

The number of 4FGs groups in a message is always odd and message lengths seem to be standardized (199, 201, 499, 599 groups). Could this be due to the messages being standardized reports, or does it indicate fillers? Anyway, I do not know - and I don't care(!) - about the contents/purposes of these messages; however, out of curiosity I did some research on the web and found some interesting articles and documents, even if they are historical [2][3][4].
Given that the Chinese writing system is by nature nonalphabetic and thus not directly cipherable, Chinese cryptography was bound to the use of codebooks rather than ciphers [2]. Therefore the use of 4FGs groups indicates either the use of the Chinese Telegraph Code (CTC, Mainland ed. 1983) (2), the Chinese Standard character table (GB 2312-83) or another unknown military codebook containing a maximum of 10000 characters (0000-9999).

It's interesting to study the values of the 9th and 10th groups of the first row of each block of the messages: as you can see in Figure 7, the 9th has a constant value (0177) while the value of the 10th is incremented by 1, also passing from one transmission to the next (say a "transversal" increment). I noticed this feature in many messages:

message 1
4387 1271 8451 5086 9408 2928 9293 8639 0177 0029
9795 3224 4617 5389 5581 8337 9987 9763 0177 0030

message 2
9687 8557 2807 4801 5091 8197 5497 5683 0177 0031
8070 5341 9351 8807 3837 9663 0992 9425 0177 0032

message 3
5031 2635 3964 6880 5961 0957 0937 0613 0177 0033
8091 4724 1223 4879 8728 2646 4051 6061 0177 0034

In some messages, as in the 599-group one reported above, while the 9th group does not change (0147) the 10th is incremented by 3:

3421 8994 2267 1703 1963 0520 8446 4305 0147 0033
4927 2716 4521 6114 3627 2713 7346 0872 0147 0036
4823 5741 3721 8794 3447 6443 5719 9243 0147 0039
4591 7885 2907 3230 5731 3794 3807 6064 0147 0042
5059 5293 9063 2156 9489 9177 7371 9543 0147 0045
5831 1584 2697 6824 1508 2155 2370 5037 0147 0048

But this is not the only strangeness. Indeed, there are messages, such as the one shown below, where both the 9th and 10th groups always have the value 0000: in these cases the message serial number always has the "nnn/CCK" format.

1274 1274  1274  XXXXJGJGXXX  11  
111 100371509032222 fb1945.txt230905170941                                                                                 
052/CCK   199   96   0905   1700
1836---6497

9385 5023 9762 6394 3051 5012 4576 2836 0000 0000
4682 2013 5471 1602 0749 9482 6073 6938 3182 4198
9674 9465 4075 5974 5437 4689 2043 3586 1498 7951
3561 1763 8105 4706 5087 4025 4387 9784 6470 8036
8039 8067 9135 1573 2765 2764 5196 0781 9056 9037
7308 4862 3194 4728 2381 6901 1556 5814 5162 3021
8075 9104 9536 8937 2560 9261 7032 9371 4825 9712
9682 3104 4190 1492 2981 2069 7853 4273 9156 1583
4728 1584 8609 3528 7249 9236 3961 4672 5104 6379
2016 6104 8910 9601 2037 2754 8357 2958 4285 3490-1

6485 9832 5902 7802 4504 7591 4973 9182 0000 0000
8501 2063 3872 6187 1398 5784 6482 6348 2637 6293
5674 2403 4865 9760 9406 1806 2651 1261 5670 3245
6591 2546 6851 2075 9304 7284 3729 1289 9674 3664
8140 3176 7392 4508 6072 6927 8592 8705 6053 8159
0549 5037 2681 3106 6334 0437 8014 6175 2091 9827
1603 7451 9134 7156 6546 5982 1379 5198 0159 9530
5632 7402 2087 7849 7545 4057 2160 4912 3284 4917
1793 1386 3418 8591 9603 9018 9256 3689 2879 4316
6018 7453 2097 9310 6513 8542 3247 5321 4758

Likely the 9th and 10th groups of the first row of each block have some "special" meaning and are not coded. At a glance, the 9th seems related to the sender and the 10th seems something like a "block counter"... but we have just seen that the value of the 10th codeword may be incremented by 3 or be "0000".

Some messages end with strings consisting of typical telegraphic abbreviations, for example:
QSL ? = confirm?
HR NR 1271 TKS = here (I'm going to send) (message number) 1271 thanks
HR WK NR 1113 = here working/worked (message number) 1113
and a final sequence "(unprintable)b Kvj" (hex 0862 4b766a), which could be the break and End-of-Message indicator.

Short messages (199, 201 groups) have 1-5 repeating groups, while longer messages (499, 599 groups) have 20-30 groups which repeat two or three times within the same message (except the group "0000"); common and usual characters such as space and line break don't seem to emerge. It would be interesting to cross-check the messages in order to find the shared groups and their number, but to do this many other recordings are needed, and therefore the opportunity to have a parked SDR and IQ recordings of that portion of the 10 MHz band.

(to be continued)

https://disk.yandex.com/d/ZvK55ZQMdTR4xQ

(1) 188-141 A.5.5.3.1 "If the called station (JOE) is known to be listening on the chosen channel (not scanning), the calling station (SAM) shall transmit a single-channel call that contains only a leading call and a conclusion (see upper frame in figure A-29). Otherwise, it (SAM) shall send a longer calling cycle that precedes the leading call with a scanning call of sufficient length to capture the called station’s receiver as it scans (lower frame in figure A-29). The duration of this scanning call shall be 2 Trw (784ms) for each channel that the called station is scanning". 

 
(2) The CTC is organised as 100 (1-100) pages, each containing 10 (0-9) lines of 10 characters (0-9). The 4-digit words in the message text are thus indices into the CTC and are interpreted as follows: first two digits = page, third digit = line and fourth digit = character position on the line. The CTC contains simplified Chinese characters as well as Japanese kanji, cyrillic and latin characters and punctuation signs.
 

[1] http://flydog.web-sdr.net/?f=10388.30usnz11
[2] Ulug Kuzuoglu (2018): Chinese cryptography: The Chinese Nationalist Party and intelligence management, 1927–1949, Cryptologia https://disk.yandex.com/i/SbCtQ-Q02u8Slw
[3] http://cryptiana.web.fc2.com/code/chinesecrypto_e.htm
[4] https://en.m.wiktionary.org/wiki/Appendix:Chinese_telegraph_code/Mainland_1983 

3 October 2023

QPSK 2400Bd unid waveform (Chinese modem?)

QPSK 2400Bd waveform heard on 10221.0 KHz USB around 1400 UTC, probably a Chinese modem.

Fig. 1

Autocorrelation of the signal produces sharp 16.6 ms spikes, which make 80 bits or 40 dibit symbols (QPSK modulation) per period at the rate of 2400 symbols/sec. Indeed, after demodulation the resulting bitstream has a framing of 40 symbols length, consisting of 20 known symbols (probe)

33031002310112003303

followed by 20 unknown symbols (data): obviously, since QPSK, 1 symbol = 2 bits.

Fig. 2 - autocorrelation and bitstream

After the removal of the 20 known symbols, the initial & ending data blocks show 64-symbol/128-bit patterns, even if - actually - the ending blocks consist of a 32-symbol/64-bit pattern (as was already visible in Figure 2).
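The ACF-based frame period measurement used here (40-symbol frames with the 20-symbol probe, 16.6 ms at 2400 Bd) and in the Link-22 post above (270-symbol media code frames, 112.5 ms) can be reproduced in the symbol domain: repeating probes raise the autocorrelation at multiples of the frame length while random data do not. This is an added example, not code from the post; the Link-22 mini-probe positions and values are an assumption used only to build the test stream.

```python
import random

BAUD = 2400   # symbol rate of both the 2400 Bd QPSK signal and the Link-22 waveforms

# Known 20-symbol probe of the QPSK waveform, as read from the demodulated bitstream.
QPSK_PROBE = [int(c) for c in "33031002310112003303"]

# Constructed stand-in for a 270-symbol Link-22 media code frame with four 16-symbol
# mini-probe blocks.  Real MPs are all symbol 0 before scrambling, so after scrambling
# each block carries different, but frame-to-frame constant, symbols; fixed
# pseudo-random values model that.  Block positions are an assumption.
_mp_rng = random.Random(22)
LINK22_PROBES = {off: [_mp_rng.randrange(4) for _ in range(16)] for off in (0, 68, 136, 204)}

def make_stream(frame_len, probe_blocks, n_frames, seed=1):
    """Return n_frames frames of frame_len QPSK symbols (0-3).  probe_blocks maps a
    frame offset to the known symbols placed there in every frame; every other
    position is random data, so only the probes repeat with the frame period."""
    rng = random.Random(seed)
    template = [None] * frame_len
    for off, syms in probe_blocks.items():
        template[off:off + len(syms)] = syms
    stream = []
    for _ in range(n_frames):
        stream.extend(s if s is not None else rng.randrange(4) for s in template)
    return stream

def symbol_acf(stream, max_lag):
    """Symbol-domain autocorrelation: for each lag, the fraction of positions whose
    symbol equals the one `lag` symbols earlier.  Independent QPSK data match 1/4
    of the time; repeating probes raise the value at multiples of the frame length."""
    n = len(stream)
    return {lag: sum(stream[i] == stream[i - lag] for i in range(lag, n)) / (n - lag)
            for lag in range(1, max_lag + 1)}

def frame_period(stream, max_lag, baud=BAUD):
    """Locate the first ACF spike and return (frame_len_symbols, period_ms).
    The spike repeats at every multiple of the frame length, so the smallest lag
    that clears a threshold halfway between the noise floor and the peak is taken."""
    acf = symbol_acf(stream, max_lag)
    values = sorted(acf.values())
    floor, peak = values[len(values) // 2], values[-1]   # median ~ 1/4, max = spike
    threshold = floor + 0.5 * (peak - floor)
    frame_len = min(lag for lag, v in acf.items() if v >= threshold)
    return frame_len, 1000.0 * frame_len / baud

if __name__ == "__main__":
    qpsk = make_stream(40, {0: QPSK_PROBE}, n_frames=50)
    print("QPSK 2400Bd: %d symbols, %.2f ms" % frame_period(qpsk, max_lag=100))
    link22 = make_stream(270, LINK22_PROBES, n_frames=20)
    print("Link-22 frame: %d symbols, %.1f ms" % frame_period(link22, max_lag=300))
```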

Fig. 3

Fig. 4

As usual, comments are welcome.

[1] https://disk.yandex.com/d/5g-pEgBTLIxSmg