Showing posts with label VFT. Show all posts

17 July 2020

CIS-14 FSK 100Bd/2000 (CIS 3x100)

Interesting 100Bd/2000 FSK signal spotted on 16059.5 kHz (CF), most likely a Russian government transmission. This signal is not a separate one; it must actually be considered part of the CIS 3x100 "system" visible on the left in figure 1. Indeed, the main station operates a VFT 3x100Bd/1440 signal and simultaneously works three outstations, which in turn run the FSK 100Bd/2000 waveform (outstations are usually not far apart in frequency).

Fig. 1
Like the main station (VFT 3x100Bd/1140), the outstations use CIS-14/T-207 (as shown by the analysis of the demodulated stream in figure 2); all use the same checksum mode [0312].
Fig. 2
A clearer illustration of this "system" is visible in the spectrum of figure 3, the IQ recording of which was provided by my friend KarapuZ [1] who discussed the signal here.

Fig. 3

22 June 2018

redefining T207 (CIS-14) checksums

T-207 (T-207, T-207 2M "VIKTORIA" - Soviet teletype encryption device) is a multiplexed two-channel "system" that is used in several CIS waveforms. Given the lack of official documentation, it is difficult to say much more about the T207: the guys from radioscanner talk about "equipment", an in-line ciphering device, while ex-DDR STASI archives refer to T207 as an "encryption algorithm".
CIS-14 (also known as TORG 14) is the designation of a transmission mode: a full-duplex system using FSK at several speeds (42.1Bd, 47.5Bd, 48Bd, 50Bd, 70.5Bd, 72Bd, 83.3Bd, 84.21Bd, 94.11Bd, 96Bd, 100Bd, 144Bd, 192Bd, 200Bd, 288Bd, ...) and shifts. Data of two independent data channels can be processed; they are in the MTK-2 alphabet (Russian [Cyrillic] Third-shift ITA-2, sometimes also called "ITA-2 Cyrillic M2") and thus have 5 bits per character, but are transmitted in 14-bit frames, each containing two characters.
As shown in figure 1, the data code words (A in the figure) of the two channels are prefixed with two leading "channel state" bits and then either word-interleaved (case B) or bit-interleaved (case C). Two parity bits are calculated over the complete 12-bit frame thus generated and expand it to the final 14-bit frame. The two channel state bits indicate whether each channel currently contains traffic (bit = 0) or idle (bit = 1) sequences.
Fig. 1 - 14 bit frame (from R&S Manual of transmitting methods)
Additionally, a variant of CIS-14 has been observed using frames of 28 bits. As can be seen in figure 2, after the 14-bit frame(s) (B) have been built from the data words (A) as explained above, two of these frames are bit-interleaved (C) to form the new 28-bit frame.

Fig. 2 - 28 bit frame (from R&S Manual of transmitting methods)
Note that although T207 is "hardware" while CIS-14 is a transmission mode, I use T207 in this blog as an implicit reference to CIS-14.

software tools (download)
- The Octave script T207_detect.m  has been used for the check of T207/CIS-14 mode:
T207_detect.m
- The Octave script T207_detect_e.m also extracts the two word- and bit-interleaved channels:
https://yadi.sk/d/zsCD73C9DZpHPQ
(the two Octave scripts were coded by me and Christoph; you will need the GNU Octave package [1] to run them)
- The software CIS14-C.exe (coded by cryptomaster) can be used to extract the two 5-bit channels from a C-interleaved 10-bit stream:
https://yadi.sk/d/IfdhHvf3mMcZXQ

As said in a previous post, T207 detection had to be done manually by processing the demodulated bitstream and checking whether it matches the criteria described in this post in the radioscanner forum. The Octave scripts are now improved and detect the presence of T207 checksums in a given bit stream, for each permutation of the checksum bits. The T207_detect scripts are very useful since encrypted CIS-14 messages have ACF=0 and anonymous demodulated streams; clear-text messages, instead, may be recognized as CIS-14 by the "solid" columns of the channel state bits.

I ran the script against several waveforms and the results are very interesting. So far, I found two checksum modes, termed "3" or [3120] and "20" or [0312]:
  

T207/CIS-14 verified waveforms (so far)
(note that some waveforms can be coded with both checksums)

checksum mode 3 [3120]:
VFT 3x100Bd/1440, VFT 6x100Bd/120
FSK 50Bd/1000, FSK 100Bd/500 
F7B 100Bd/1000 (on one channel)

checksum mode 20 [0312]:
VFT 3x100Bd/1440, VFT 6x100Bd/120
FSK 50Bd/1000, FSK 96Bd/500, FSK 96Bd/1000
FSK 100Bd/500, FSK 100Bd/1000, FSK 100Bd/2000
F7B 96Bd/500 (on one channel), F7B 100Bd/1000 (on one channel) 



T-207 2M "VIKTORIA"

7 July 2016

"T207" recognition in CIS VFT systems

Some days ago I heard some CIS VFT systems, and one of them in particular, with six 100Bd/120Hz channels, caught my attention. I had already logged it, but I sent its main parameters (speed, modulation and shift) to my friend Karapuz, asking if he knew the real name of that signal or the name of the modem. He told me that last January he had had just the same receptions, and pointed me to an interesting discussion on radioscanner.ru about the encryption/coding used in such signals: T-207. Although radioscanner is entirely in Russian, reading the opinions of the expert analyzers on this forum was interesting and I could figure out how to detect the presence of T-207. In this post I describe the way I sought its "signature" in some CIS VFT signals such as:

a) 3 x 100Bd/1440Hz VFT system
b) 6 x 100Bd/120Hz VFT system


replicating the experiments seen on radioscanner.ru and getting the expected results.
By the way, these VFT systems are easy to receive (with good strength, at least here in JN52) on the 13-16 MHz USB bands, mainly during the morning and seldom during weekends.
 
T-207 detection has to be done manually by processing the demodulated bitstream and checking whether it matches the criteria described in the cited post. We first have to choose a 14-bit period for the bitstream, then focus on the first 12 positions and count the number of "1" symbols:
- if the count is 2, 6 or 10: the last two symbols (13th and 14th bits) must be 10
- if 3 or 7: 00
- if 4 or 8: 11
- if 5 or 9: 01
If the count is 0, 1, 11 or 12, it can be assumed that the last two symbols will be 11, 01, 00 and 11, respectively. These rules are shown in tab. 1.
Tab.1 - T-207 criteria
Since the above rules presumably act as a synchronization mechanism, the signal will be decoded and decrypted once columns 13 and 14 have been removed.

 a) 3 x 100Bd/1440Hz VFT
fig. 1 - 3 x 100Bd/1440Hz VFT
In this signal we have three channels modulated at 100Bd and a pilot tone at ~3300 Hz (a characteristic feature of Russian systems). Every channel has a 1440 Hz shift and 100 Baud speed; channels are separated by 480 Hz steps and interleaved as in figure 1.

In my test I used the lower channel (fig. 2).
 
fig. 2

The obtained bitstream must be processed using right/left shifts (one bit at a time) and sometimes the negative polarity: the criteria of Tab. 1 must be checked in all the rows at each shift step, and in case of failure we go on shifting. Apart from possible interference and demodulator errors, I confirmed the T-207 signature (fig. 3).
 
fig. 3
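The manual procedure above (14-bit rows, Tab. 1 check, one-bit shifts, optional negative polarity) can be automated. The following is an added Python example, not the author's T207_detect.m script; the function names and the sample stream are constructed for illustration.

```python
import random

# Tab. 1 of the post: number of "1" symbols in bits 1-12 -> expected bits 13-14.
# The listed values repeat with the count modulo 4.
EXPECTED = {0: "11", 1: "01", 2: "10", 3: "00", 4: "11", 5: "01", 6: "10",
            7: "00", 8: "11", 9: "01", 10: "10", 11: "00", 12: "11"}

def frame_ok(frame):
    """True if a 14-character '0'/'1' frame satisfies the Tab. 1 criteria."""
    return len(frame) == 14 and EXPECTED[frame[:12].count("1")] == frame[12:]

def invert(bits):
    """Flip the polarity of a '0'/'1' string."""
    return bits.translate(str.maketrans("01", "10"))

def scan(bits):
    """Try every 1-bit shift (0..13) and both polarities.
    Returns (ratio, shift, inverted) for the best-matching alignment."""
    best = (0.0, 0, False)
    for inverted in (False, True):
        stream = invert(bits) if inverted else bits
        for shift in range(14):
            frames = [stream[i:i + 14] for i in range(shift, len(stream) - 13, 14)]
            if not frames:
                continue
            ratio = sum(map(frame_ok, frames)) / len(frames)
            if ratio > best[0]:
                best = (ratio, shift, inverted)
    return best

def strip_checksum(bits, shift, inverted):
    """Drop columns 13 and 14, returning the 12-bit rows."""
    stream = invert(bits) if inverted else bits
    return [stream[i:i + 12] for i in range(shift, len(stream) - 13, 14)]

def make_stream(n_frames=40, junk="10110", seed=207):
    """Constructed test input: random 12-bit rows plus Tab. 1 bits, after junk bits."""
    rng = random.Random(seed)
    rows = [format(rng.getrandbits(12), "012b") for _ in range(n_frames)]
    return junk + "".join(r + EXPECTED[r.count("1")] for r in rows), rows

if __name__ == "__main__":
    stream, rows = make_stream()
    print(scan(stream))            # normal polarity
    print(scan(invert(stream)))    # negative polarity
```

On a real demodulated stream the ratio at the correct alignment stays below 1.0 because of interference and demodulator errors, while a wrong alignment on random data matches only about one row in four.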

https://yadi.sk/d/SlYz9x6JllZhDg

b) 6 x 100Bd/120Hz VFT

Fig.4
The 6 x 100Bd/120 system (a variant of the 3 x 100Bd/1140 system) allows six independent channels, each of which exhibits 440 Hz shift and 120 Baud speed; in this sample the one-of-six mode is used. The T-207 signature was found after processing the demodulated bitstream in the usual way (figs. 5, 6).

fig.5
fig.6

7 May 2016

CIS 3 x 100Bd/1440Hz VFT system


fig.1
The CIS 3x100 waveform consists of three FSK2 channels modulated at 100Bd and a pilot tone at ~3300 Hz (a characteristic feature of Russian systems). Every channel has a 1440 Hz shift and 100 Baud speed; channels are separated by 480 Hz steps (figs. 2, 3) and interleaved as in fig. 1.
fig. 2 - 1440 Hz shift
fig. 3 - channel separation
The 100 symbols/sec modulation rate is obtained by highlighting a single channel in the FFT and measuring its speed (fig. 4).

fig.4
update
In this post it has been verified that the system carries up to three T207/CIS-14 channels for a total of six independent 5-bit channels.

https://yadi.sk/d/SlYz9x6JllZhDg 

CIS 6 x 100Bd/120Hz VFT system

fig. 1
CIS 6x100 VFT is a variant of the CIS 3x100 waveform and consists of 6 x 100Bd channels with 120 Hz shift and 100 Baud speed; separation between channels is 480 Hz (figs. 2, 3). Channels are arranged as in fig. 1.
 
fig. 2

fig. 3
This system can serve up to six outstations; in this sample only the lower channel is used (one-of-six mode). According to the needs at that time (the number of outstations to serve), other modes are frequently observed:



update
In this post it has been verified that the system carries up to six T207/CIS-14 channels for a total of 12 independent 5-bit channels.

https://yadi.sk/d/wqahxt8RDXEBoA 

6 November 2014

Swiss 2 x 100Bd/170Hz VFT system

fig 1

VFT 2 x FSK 100Bd/170Hz system used by the Swiss Air Force; the modem is likely the "Telematik-Set TmS-430". Channels are simply arranged as in fig. 1.

fig. 2
fig. 3
fig. 4