31 July 2024

unid FSK 300Bd/300 bursts

Interesting unidentified FSK 300Bd/300 bursts were heard on ~14490 KHz and sent to me by my friends ANgazu and cryptomaster (Figure 1).

Fig. 1 - FSK 300Bd/300 bursts

The signals recorded by the latter (6 bursts) have a better SNR and are therefore more suitable for analysis. As you can see in Figure 2, the demodulated bitstreams (d1-d6) can be divided into the 4 groups G1, G2, G3, and G4:

Fig. 2 - couples of demodulated bitstreams d1-d2, d3-d4, d5-d6
 

G1: (40 bits) probably a header/SOM sequence, this group is common to all the bitstreams;

G2: (40 bits) this group is different in every bitstream and maybe consists of something related to the message. In a 10-bit format it's possible to see repeated "fields"; when reshaped to a 20-bit format, the groups may consist of an 11-bit "field" followed by a common 9-bit pattern (Figure 3);

Fig. 3 - G2 groups

G3: (variable length) I think this group is the data part of the message; it is sent twice, in two different bursts (sometimes 3 times in 3 bursts). These groups have a period of 50 bits that appears to have some form of structure (Figure 4);

Fig. 4 - G3 groups

G4: (20 bits) probably the EOM sequence, this group is common to all the bitstreams.

During the formation of this FSK signal the phases of the two frequencies are preserved after each "shift" (Figure 5), i.e. the frequency shift is generated by a single generator whose clock frequency changes, so the manipulation is achieved without disrupting the phase of the signal. If two frequency generators were used, we should see changes of phase in both f1 and f2, unless the two generators are in some way phase synchronized.

f2 ~ 1976,98 Hz (2:0,001011640)
f1 ~ 1676,95 Hz (2:0,001192640)

As expected, 300 Hz shift (f2 - f1).

Fig. 5 - phases of the two frequencies

The prevailing opinion is that this is probably some type of selcall or ALE probing, in which case the G2 groups could be the addresses.

https://disk.yandex.com/d/3gK_L2RqFjHXXQ



19 July 2024

CIS-1200 SDPSK 1200Bd ("Makhovik", T-230-1A)

updated (23 July 2024)

This transmission, along with a probably spurious emission 600 Hz above, was recorded on 13002.5 KHz (cf) thanks to the remote KiwiSDR located in Azumino-city Nagano, Japan [1].

Fig. 1 - main signal and its spurious emission

The signal that I assume is the "actual" one, and that I analyzed, uses SDPSK (Symmetrical Differential PSK) modulation at a speed of 1200 Baud. SDPSK is equivalent to π/2 DBPSK, or PSK2 with phase rotation: as shown by the transitions in absolute mode, the phase is rotated by +π/2 for bit “0” and by -π/2 for bit “1”, so there is never a 180° turn (transitions do not pass through 0). The information transmitted is encoded in the transition and not in the state. The signal can be demodulated using the differential mode (diff=1).

Fig. 2 - SDPSK modulation
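The SDPSK rule described above, as an added example that is not part of the original post: a small modulator and differential demodulator showing that the bits survive an unknown carrier phase, that no transition is a 180° turn, and that in absolute mode the symbols alternate between two BPSK axes. Function names and the 0.7 rad offset are assumptions made for the illustration.

```python
import cmath
import math

# Test input: the 30-bit "common" sequence quoted later in this post.
SAMPLE_BITS = [int(c) for c in "110101100100011110101100100011"]

def sdpsk_modulate(bits, start_phase=0.0):
    """Rotate the carrier by +pi/2 for bit 0 and by -pi/2 for bit 1."""
    phase = start_phase
    symbols = [cmath.exp(1j * phase)]            # reference symbol
    for b in bits:
        phase += -math.pi / 2 if b else math.pi / 2
        symbols.append(cmath.exp(1j * phase))
    return symbols

def sdpsk_demodulate(symbols):
    """Differential detection (diff=1): the sign of the rotation between
    consecutive symbols carries the bit, the absolute phase does not."""
    bits = []
    for prev, cur in zip(symbols, symbols[1:]):
        rotation = cur * prev.conjugate()        # e^(j * phase step)
        bits.append(0 if rotation.imag > 0 else 1)
    return bits

def phase_steps_deg(symbols):
    """Phase step between consecutive symbols, in whole degrees."""
    return [round(math.degrees(cmath.phase(c * p.conjugate())))
            for p, c in zip(symbols, symbols[1:])]

def constellation_by_parity(symbols):
    """Absolute phases (degrees, mod 360) seen at even and odd symbol indices."""
    def seen(part):
        return sorted({round(math.degrees(cmath.phase(s))) % 360 for s in part})
    return seen(symbols[0::2]), seen(symbols[1::2])

if __name__ == "__main__":
    tx = sdpsk_modulate(SAMPLE_BITS, start_phase=0.7)   # unknown carrier phase
    print("recovered:", sdpsk_demodulate(tx) == SAMPLE_BITS)
    print("steps seen:", sorted(set(phase_steps_deg(tx))))
    print("even/odd axes:", constellation_by_parity(sdpsk_modulate(SAMPLE_BITS)))
```

The four absolute phases make the constellation look like QPSK, but each symbol only ever has two possible successors, which is why the stream demodulates as one bit per symbol.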

The transmission consists of some segments that differ by the presence or absence of an initial preamble (signals A and B in Figure 3). The preamble consists of a repeated 511-bit pseudo-random sequence generated by the polynomial x^9+x^5+1 (1), as in ITU Recommendation O.153 [2] (the 188-110B "39-tone parallel mode" uses that sequence too).

Fig. 3
 
Fig. 4 - 511 bits length sequence

The presence of such sequences is one of the features of the so-called Makhovik (aka the "flywheel"), a well-known Soviet-Mil crypto system. Although some classify Makhovik as a vocoder, it can be used for time-multiplexed encryption of both voice and data up to 9600 bps. Its official name is "T-230 bundle ciphering device for teleprinter and data connections"; it was designed to operate in UHF but is very often found in LF and in HF.

After the removal of the initial preamble, the following data block consists of a "common" sequence:

110101100100011110101100100011

followed by 240-bit Initialization Vectors that are sent in 8x30-bit groups, each group repeated three times (Figure 5): these 30-bit groups are another peculiar feature of the Makhovik system.

010000111011001110010100001110
011101100101000011001010000111
110010100001110010000111011001
001110110010100000111011001010
001110110010100011001010000111
111111111111111000011101100101
001110110010100111011001010000
101100101000011011101100101000

Fig. 5

Segments sent without the initial preamble (type B in Figure 3) show exactly the same structure. Note that the Initialization Vectors differ slightly (Figure 6): this feature should be studied further (it is probably somehow related to the presence/absence of the initial preamble), but several more recordings are needed.

010000111011001110010100001110
011101100101000011001010000111

110010100001110010000111011001
001110110010100000111011001010
001110110010100011001010000111
111111111111111000011101100101
001110110010100111011001010000
101100101000011011101100101000

010000111011001110010100001110
011101100101000011001010000111

011001010000111100001110110010
111011001010000110010100001110
010100001110110110110010100001
100101000011101001010000111011
111011001010000111111111111111
011101100101000100001110110010

Fig. 6

It's worth noting that in some previous Makhovik recordings I saw differentially encoded data & BPSK, while these consist of plain encoded data & SDPSK [3].

update (23 July 2024)
I willingly add a comment sent to me by my friend cryptomaster.
The common sequence in Figs. 5 and 6

110101100100011110101100100011

shall be right shifted to appear as

111101011001000111101011001000

which in turn is the repetition of the 15-bit M-sequence generated by the polynomial x^4+x+1 (Figure 7).

111101011001000

Fig. 7 - the repetition of the 15 bits M-sequence generated by the polynomial x^4+x+1
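A way to check both sequence claims in this post (the 511-bit preamble and the 15-bit M-sequence behind the common sequence), as an added example that is not part of the original post. It assumes the convention that x^k means "delay by k bits", so x^4+x+1 gives a[n] = a[n-1] XOR a[n-4] and x^9+x^5+1 gives a[n] = a[n-5] XOR a[n-9]; the function names are hypothetical.

```python
COMMON = "110101100100011110101100100011"    # common sequence quoted on the page

def lfsr_bits(taps, seed, nbits):
    """Bits of a[n] = XOR of a[n-t] for t in taps; seed = first max(taps) bits."""
    if len(seed) != max(taps) or "1" not in seed:
        raise ValueError("seed must be non-zero and max(taps) bits long")
    bits = [int(c) for c in seed]
    while len(bits) < nbits:
        nxt = 0
        for t in taps:
            nxt ^= bits[-t]
        bits.append(nxt)
    return "".join(map(str, bits[:nbits]))

def rotate_right(s, k):
    """Cyclic right shift of a bit string by k positions."""
    k %= len(s)
    return s[-k:] + s[:-k] if k else s

def fit(stream, taps):
    """Fraction of positions in a demodulated bitstream that obey the
    recurrence; 1.0 means the stream is a window of that LFSR's output."""
    d = max(taps)
    if len(stream) <= d:
        raise ValueError("stream too short for this polynomial")
    b = [int(c) for c in stream]
    hits = 0
    for n in range(d, len(b)):
        pred = 0
        for t in taps:
            pred ^= b[n - t]
        hits += pred == b[n]
    return hits / (len(b) - d)

def period(s):
    """Smallest shift p at which the bit string matches itself."""
    for p in range(1, len(s)):
        if s[p:] == s[:-p]:
            return p
    return len(s)

M15 = lfsr_bits((1, 4), "1111", 15)          # x^4+x+1
PN511 = lfsr_bits((5, 9), "1" * 9, 2 * 511)  # x^9+x^5+1, two periods

if __name__ == "__main__":
    print(M15, rotate_right(COMMON, 2) == M15 * 2)
    print(fit(COMMON, (1, 4)), fit(COMMON, (3, 4)))
    print(period(PN511), PN511[:511].count("1"))
```

Because `fit` does not depend on the phase of the sequence, it can be run directly on a demodulated segment without first finding the right shift.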

https://disk.yandex.com/d/Vg5XruORhd8_5A

(1) the use of the polynomial x^9+x^5+1 is quite common in CIS waveforms, see http://i56578-swl.blogspot.com/p/polynomials.html

[1] http://jf0fumkiwi.ddns.net:8073/
[2] https://www.itu.int/rec/T-REC-O.153/en
[3] https://i56578-swl.blogspot.com/search/label/Makhovik 

16 July 2024

MS-110D App.D (WBHF) transmissions, Collins Aerospace over-the-air testing? (2)

Yet another MS-110D sample [1] transmitted from the Oxford Junction (IA) site, recorded on 19825.7 KHz/USB and sent to me by my friend linkz: this signal too is PSK8 modulated at the symbol rate of 2400 Bd but occupies a 3 KHz bandwidth (Figure 1).

Fig. 1 - waveform main parameters
 
The ACF results in Figure 2 formally show the same characteristics, that is, a sort of "superframe" lasting 840 ms (corresponding to 2016 PSK8 symbols, or 6048 bits) comprising seven frames each lasting 120 ms (corresponding to 288 PSK8 symbols, or 864 bits).
 
Fig. 2 - results from the Auto Correlation Function
 
Bandwidth, modulation and framing match the Waveform Number 7 described in MIL-STD 110D Appendix D (WBHF, WideBandHF).
 

The demodulated bitstreams conform to the bitmaps in Figure 2: in particular, the sequences circled in Figs. 2 and 3 are special mini-probes used to mark the interleaver boundaries. In this case they are transmitted every 64 frames, corresponding to the use of the "long interleaver" mode.
 
Fig. 3 - 864 bits (266+32 PSK8 symbols) period demodulated bitstream

Just to verify compliance with the MS-110D standard, the mini-probes are made up of a repeated sequence of 16 symbols, while the mini-probes used to mark the boundaries of the interleaver block are shifted by 8 steps (Figure 4).
 
Fig. 4 - the generic mini-probe and the interleaver marker mini-probe

As expected, the 840 ms spikes resulting from the ACF are due to the cyclic nature of the transmitted data: that is, the same block of data consisting of 7 frames is sent repeatedly (Figure 5).
 
Fig. 5 - data blocks after the removal of mini-probes

As stated at the beginning, Direction Finding (TDoA algorithm) tests done by my friend linkz indicate Oxford-Junction as the site of the transmitting antenna (Figure 6); moreover, linkz writes: "It's interesting to note that this data seems to be sent always 22.5 kHz lower than the ALE slots. So far noticed on: 8000.7 USB (8023.2 - 22.5kHz), 18275.7 USB (18298.2 - 22.5kHz), 19825.7 USB (19848.2 - 22.5kHz)".
 
Fig. 6 - Direction Finding tests results (thanks to linkz)

https://disk.yandex.com/d/LcwmPMweeu6C0A