27 June 2025

IPSec (ESP) over HF using STANAG-5066

For a few days I have been monitoring the 20.5 MHz/USB frequency, thanks to the KiwiSDR owned by IZ6BYY [1], recording some transmissions such as the sample in Figure 1; by the way, such transmissions are not at all frequent. Data transfer is via the HF waveforms MS-110A and STANAG-4539 (MS-110B App.C); the links are managed by BW5 FLSU (Fast Link SetUp protocol) bursts and therefore everything happens according to the "circuit mode service" of STANAG-4538 (1).

Fig. 1 - the transmission being analyzed

HF layer
The symbol rate of both waveforms is 2400 Baud, but it was not immediately detectable: in Figure 2a the automatically detected baud rate is about 100 Bd (!), a value that is clearly inconsistent. I then used the "modified amplitude detector" function (Figure 2b), which shows a solid continuous line at 2400 Hz and therefore the correct value of 2400 Bd. But the function also reveals faint horizontal lines that "should" represent the baud rate and its harmonics and which, unfortunately, should not be there and therefore fool the automatic detection (in PSK modulation the amplitude of the carrier signal remains constant). As a further test I ran the automatic detection after the "hard-limited amplitude control" (Figure 2c) and in this case the result is the expected one.

Fig. 2 - Baud rate measurements

Apparently, there is a superimposed 100 Hz signal: according to my friend cryptomaster it could be the residual ripple from a full-wave rectifier operating on a 50 Hz AC mains supply, which is then imperfectly filtered by the smoothing capacitors.

Fig. 3 - residual ripple from a full-wave rectifier operating on a 50 Hz AC mains supply

The ACF values of the MS-110A and STANAG-4539 signals (in the current sample) are respectively ~66.6 ms and ~119.5 ms which, at the speed of 2400 Bd, correspond to 160-symbol frames for MS-110A and 287-symbol frames (256-symbol data block + 31-symbol mini-probe) for STANAG-4539. Actually the length of MS-110A frames is 40 symbols (20-symbol data block + 20-symbol mini-probe), but at slow data rates the length of the scrambler (160 symbols) matches 4 frames and originates the 66.6 ms ACF. Bitmaps and ACFs are shown in Figure 4 (note the four MS-110A frames within the 66.6 ms interval).

Fig. 4 - Bitmaps and ACFs

Figure 5 displays PSK8 constellations that appear "odd" or "twisted" compared to an ideal one. Instead of distinct, equally spaced points on a single circle, we see a slight amplitude variation and a twisted/spiral arrangement of the points. This odd appearance is most likely due to the superposition of the 100 Hz signal, as already highlighted during the baud rate measurement.

Fig. 5 - "twisted" PSK8 constellations

data-link layer
The demodulation of the signals inevitably "suffers" from the non-perfect PSK8 constellations; however it is still possible to analyze the resulting bitstreams and find a 1776-bit period that reveals the use of the STANAG-5066 suite at the data-link layer, a presence also confirmed by some detections of the 16-bit synchronisation sequence 0x90EB, typical of that Standard.

Fig. 6 - an MS-110A decoded bitstream
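As an added illustration (my own script, not part of the original post or of the dissector it uses), this is how a bit-level ACF exposes a frame period such as the 1776-bit one above, and how the 0x90EB sync word is located in a demodulated bitstream; the stream is constructed inside the script (random frame bodies with period 1776), not the author's demodulated data.

```python
import random

# 16-bit STANAG-5066 synchronisation sequence mentioned in the post.
SYNC_0x90EB = format(0x90EB, "016b")   # "1001000011101011"

def bit_acf(bits: str, max_lag: int) -> dict:
    """Bit-level autocorrelation: for each lag, the fraction of positions where
    bits[i] == bits[i + lag]. Random data gives ~0.5; a stream with period P gives
    values near 1.0 at lag P and its multiples. Done with big-int XOR for speed."""
    n = len(bits)
    value = int(bits, 2)
    acf = {}
    for lag in range(1, max_lag + 1):
        span = n - lag
        mask = (1 << span) - 1
        disagree = (value ^ (value >> lag)) & mask   # 1 wherever the two bits differ
        acf[lag] = 1.0 - bin(disagree).count("1") / span
    return acf

def find_period(bits: str, max_lag: int = 0, threshold: float = 0.9):
    """Smallest lag whose agreement exceeds the threshold (None if no periodicity),
    plus every lag that exceeds it (the period and its multiples)."""
    max_lag = max_lag or len(bits) // 2
    peaks = [lag for lag, v in bit_acf(bits, max_lag).items() if v >= threshold]
    return (peaks[0] if peaks else None), peaks

def find_sync(bits: str, word: str = SYNC_0x90EB) -> list:
    """All bit offsets at which the sync word occurs (overlapping search)."""
    return [i for i in range(len(bits) - len(word) + 1) if bits.startswith(word, i)]

def build_sample(period: int = 1776, frames: int = 4, seed: int = 1) -> str:
    """Constructed stream: `frames` copies of (sync word + random body) of `period`
    bits, re-drawn until the sync word occurs nowhere except at the frame starts."""
    rng = random.Random(seed)
    while True:
        body = "".join(rng.choice("01") for _ in range(period - len(SYNC_0x90EB)))
        frame = SYNC_0x90EB + body
        if find_sync(frame * 2) == [0, period]:
            return frame * frames

if __name__ == "__main__":
    stream = build_sample()
    period, peaks = find_period(stream)
    print("period:", period, "ACF peaks:", peaks)
    print("sync word at bit offsets:", find_sync(stream))
```

On a real demodulated stream the sync positions should be spaced by multiples of the detected period; offsets that are not are a hint of bit slips or a wrong polarity.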

The bitstreams have been analyzed using the "STANAG-5066 Dissector" tool [2]; below is the traffic-flow output from one of the demodulated bitstreams (S4539.txt), which clearly shows the use of the ARQ DATA-ONLY (simplex) transfer mode; traffic flows from node 001.001.001.101 to node 001.010.010.110 (STANAG-5066 addresses):


Further "technical" information can be extracted by examining the data transfer frames, for example the one shown in Figure 7 (frame #26 of 49):

Fig. 7 - a STANAG-5066 frame

As shown, the source and destination Service Access Point Identifiers (SAP ID, equivalent to the "ports" of the TCP protocol) have the value 9 (1001 binary) and, according to STANAG-5066, they refer to an IP based client/application; more precisely, the traffic consists of segmented IPSec (IP Security) packets sent by node 001.001.001.101 to node 001.010.010.110.

user-to-user data
For further analysis of the IP packet we need to extract and edit a "reassembled" C_PDU and then save it as a HEX dump file. Figures 8 and 9 show an example.

Fig. 8 - an extracted STANAG-5066 C_PDU

We have to remove the first 6 bytes, i.e. the headers of the C (Channel Access Sublayer) and S (Subnetwork Interface Sublayer) Protocol Data Units:
00 07 99 4B 5E 4F
where:
00 C_PDU type (0 = data)
07 S_PDU type (0 = data)
99 S_PDU source & destination SAP IDs (1001 & 1001)
4B 5E 4F S_PDU control and TDD fields
After removing these first 6 bytes you can copy and paste the hexadecimal data and save it to a .txt file, as for example "hex_dump_001.txt":

Fig. 9 - HEX dump file

The HEX dump file can be now analyzed by using the well-known "wireshark" tool [3]: first click "File" -> "Import from Hex Dump", select the file to be imported, set offsets to "none" and Encapsulation Type to "Raw IP" then click Import (Figure 10).

Fig. 10 - wireshark: import from hex dump file

Figure 11 displays the hexadecimal and ASCII representation of the imported IP packet. You can see the bytes that make up the IP header and the subsequent ESP (Encapsulating Security Payload) header and its (encrypted) payload. In summary, this image shows an IPSec (IP Security) ESP packet traveling from IP address 192.168.10.48 to 192.168.1.48. The ESP protocol provides confidentiality, data origin authentication, data integrity, and anti-replay services for IP packets. This type of packet is common in VPN connections or other secure network communications.

Fig. 11 - imported IP packet

The IP header can also be parsed by using the tool CyberChef [4], obviously getting the same results.

Fig. 12 - CyberChef IP parser
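As an added example (my own code, not from the post, Wireshark or CyberChef), the script below does in code what the post does by hand: it strips the six C_PDU/S_PDU header bytes quoted above, decodes the SAP nibbles, then parses the IPv4 header (verifying its checksum) and the clear part of the ESP header; it also shows why the tunnel/transport question discussed further down cannot be settled from these bytes. The packet is constructed in the script with the post's two addresses; the SPI, sequence number, identification, TTL and the "ciphertext" bytes are placeholders, and reading the C_PDU/S_PDU type fields as the upper nibble of their byte is my assumption.

```python
import struct
import ipaddress

# The six C_PDU/S_PDU header bytes quoted in the post.
S5066_HEADER = bytes.fromhex("00 07 99 4B 5E 4F")
IPPROTO_ESP = 50

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; returns 0 when run over a
    header whose checksum field is already valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_sample_packet() -> bytes:
    """Constructed IPv4 + ESP packet. Addresses are the ones in the post; SPI,
    sequence number, identification, TTL and the 16 'ciphertext' bytes are
    placeholders, not captured data."""
    esp = struct.pack("!II", 0x0000ABCD, 1) + bytes(range(16))   # SPI, seq, payload
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(esp), 0x1234, 0x4000, 64, IPPROTO_ESP, 0,
                         ipaddress.IPv4Address("192.168.10.48").packed,
                         ipaddress.IPv4Address("192.168.1.48").packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + esp

SAMPLE_HEX_DUMP = (S5066_HEADER + build_sample_packet()).hex()

def parse_s5066_header(pdu: bytes) -> dict:
    """Decode the 6 bytes the post strips before the Wireshark import
    (type fields taken from the upper nibble: an assumption of this script)."""
    return {
        "c_pdu_type": pdu[0] >> 4,      # 0x00 -> 0 = DATA
        "s_pdu_type": pdu[1] >> 4,      # 0x07 -> 0 = DATA, as the post reads it
        "src_sap": pdu[2] >> 4,         # 0x99 -> 9 and 9: IP client per STANAG-5066
        "dst_sap": pdu[2] & 0x0F,
        "control_tdd": pdu[3:6].hex(),  # left undecoded, as in the post
    }

def parse_ip_esp(raw: bytes) -> dict:
    """Parse the IPv4 header and, for protocol 50, the clear ESP fields."""
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not an IPv4 packet")
    if ipv4_checksum(raw[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch (edited dump?)")
    total_len = struct.unpack("!H", raw[2:4])[0]
    info = {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "protocol": raw[9],
        "total_len": total_len,
    }
    if raw[9] == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", raw[ihl:ihl + 8])
        info.update(spi=spi, seq=seq, encrypted_len=total_len - ihl - 8)
        # ESP's Next Header field lives in the encrypted trailer (RFC 4303), so
        # nothing in the clear says whether this header is the outer header of a
        # tunnel-mode packet or the only header of a transport-mode packet.
        info["mode"] = "undetermined (tunnel or transport)"
    return info

def analyse_hex_dump(hex_dump: str) -> dict:
    """Strip the 6-byte C_PDU/S_PDU header, then parse what follows as Raw IP."""
    data = bytes.fromhex(hex_dump)
    return {"s5066": parse_s5066_header(data[:6]), "ip": parse_ip_esp(data[6:])}

if __name__ == "__main__":
    print(analyse_hex_dump(SAMPLE_HEX_DUMP))
```

The checksum check is worth keeping: a dump that was edited by hand, or a C_PDU reassembled from a frame with residual bit errors, fails it before Wireshark ever sees the packet.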

Further analysis is not possible since the IP packet payloads are protected by encryption; however some comments can be added.

The first one concerns the HF waveforms. As seen in Figure 1, HF traffic is conducted in STANAG-4538 "circuit mode". The FLSU Request specifies the traffic waveform that will be used during the circuit mode service: for example, STANAG-4285 can be specified as the traffic waveform. Once circuit mode begins, any station can initiate transmissions using the specified traffic waveform. Indeed, quoting Annex C to STANAG-4538: "For circuit mode connections, the called station can issue a FLSU Confirm with a different modem parameter (data rate or interleaving), but it shall not change the waveform selection". Well, this is in contrast to what I saw, i.e. two different waveforms: MS-110A 600bps/S and STANAG-4539 (MS-110B App.C) 4800bps/S, and 9600bps/S also. Although MS-110B supersedes MS-110A, its Appendix C uses a completely different framing.

Unlike typical IP networks where addresses might be dynamically assigned via DHCP, STANAG-5066 addresses are generally statically configured and are part of the network's design and planning, i.e. each STANAG-5066 server or device is manually configured with its unique address (Figure 13).

Fig. 13 - manual assignment of a STANAG-5066 address

While STANAG-5066 has its own addressing, it can also provide IP and IPv6 address translation for its subnetwork addresses to allow IP-based applications to communicate over the HF link. In such cases, the mapping between STANAG 5066 addresses and IP addresses would also be part of the static configuration. For example, the sample being analyzed shows the matches:

[STANAG-5066]     [IP]
001.001.001.101  192.168.10.48 source
001.010.010.110  192.168.1.48  dest

Well, about seven years ago (respectively November and October 2018) I found these matches:
 
[STANAG-5066]     [IP]
001.001.001.101  192.168.2.48  source          
001.003.003.103  192.168.12.48 dest

001.001.001.101  192.168.1.48  source
001.005.005.105  192.168.14.48 dest

Assuming that it is the same HF network (!) and trusting the reliability of the decoders, you may see that the STANAG-5066 node 001.001.001.101 was always the sender and had 3 different IP mappings (192.168.10.48, 192.168.2.48, 192.168.1.48), and that the IP node 192.168.1.48 had two different STANAG-5066 mappings (001.010.010.110, 001.001.001.101). Obviously over time the servers/devices may have changed, as well as the related configurations; furthermore only three samples are not so significant.
However, it must be said that the ESP protocol may work in "tunnel" or "transport" mode. In tunnel mode, the entire original IP packet (including its original IP header) is encapsulated and becomes the payload of a new, outer IP packet. This means you will see two IP headers:
* an outer IP header that contains the source and destination IP addresses of the IPSec gateways or tunnel endpoints.
* an inner (original) IP header that contains the actual source and destination IP addresses of the end-hosts. This inner header is encrypted along with the original payload(!).
In transport mode, the original IP header is retained. There is only one IP header in the packet. This header contains the source and destination IP addresses of the actual end-hosts communicating.

I can't reliably determine whether these IPSec ESP headers are operating in transport or tunnel mode, thus the above IP addresses may belong to tunnel endpoints (tunnel mode) or directly correspond to the ultimate source and destination hosts (transport mode).
By the way, according to Annex N to STANAG-5066 (Guidance on Address Management in STANAG 5066 Networks) the address range 1.0.0.0-1.255.255.255 is managed by US DoD and includes US Armed Forces and Homeland Security as major S’5066 users.

(1) In the context of STANAG-4538, when we talk about "circuit mode service," we generally refer to establishing a dedicated, continuous connection between two points for the duration of the communication. This is in contrast to the packet mode service, where data is broken into discrete packets and sent independently via xDL protocols.

https://disk.yandex.com/d/LSGj4GzIpjBYOg 
https://disk.yandex.com/d/iZNNGFhziG5opA 

[1] https://iz6byy.k1fm.us/
[2] http://i56578-swl.blogspot.com/2021/02/a-stanag-5066-off-line-dissector.html
[3] https://www.wireshark.org/
[4] https://gchq.github.io/CyberChef/

28 May 2025

Norwegian Navy STANAG 4481-PSK Serial Tone Mode

STANAG 4481 defines the minimum technical standards for Naval shore-to-ship broadcast HF communication. The standard describes three data modem variants, namely the S4481-PSK Serial Tone Mode (STM), providing a BPSK modulated waveform with a data rate of 300 bps coded; the S4481-FSK Single-Channel Two-Tone FSK Mode, providing data rates from 50 bps to 600 bps; and the S4481-FSK Multi-Channel (up to 16) Two-Tone FSK Mode, providing data rates of 50 bps and 75 bps in a 3 kHz channel. The STANAG 4481-PSK waveform is a non-autobaud-capable STM (Serial Tone Mode) waveform providing the BPSK modulated 300 bps coded data modem in a 3 kHz channel. The STANAG 4481-PSK modem waveform is identical to the 300 bps long interleaver (10.240 seconds) waveform of STANAG 4285. An example of the S4481-PSK waveform is the fleet broadcast transmitted on 6243.7 KHz/USB by the Royal Norwegian Navy (Figure 1).

Fig. 1

While the ACF bitmap of Figure 1 clearly shows the classic S-4285 framing, Figure 2 shows the BPSK modulation: notice that some decoders such as Sorcerer and K500 show the constellation related to the type of data modulation (BPSK, QPSK, PSK8) and NOT the "on-air" constellation (usually PSK8).

Fig. 2 - BPSK modulation at 300 bps Long interleaver

User data, at least in this case, are encrypted using KW-46 (or an equivalent device), given the presence of the M-sequence generated by the polynomial x^31 + x^3 + 1 (the KW-46T uses that M-sequence to sync the KW-46R receive devices).

Fig. 3 - presence of x^31 + x^3 +1 M-sequence
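As an added check (my own script, not the author's decoder), here is how one verifies that a demodulated bitstream obeys the x^31 + x^3 + 1 recurrence: each bit of that M-sequence equals the XOR of the bits 28 and 31 positions earlier, so the fraction of positions satisfying the relation is ~1.0 for the sequence, ~0.0 for the same sequence received with inverted polarity, and ~0.5 for unrelated data. The reciprocal polynomial x^31 + x^28 + 1 is tried as well, because the same sequence read in the opposite bit order satisfies it; the test sequences are generated inside the script.

```python
from functools import reduce

# Exponents of the KW-46 sync polynomial named in the post, x^31 + x^3 + 1, and of
# its reciprocal (satisfied by the same sequence read in the opposite bit order).
POLYNOMIALS = {
    "x^31+x^3+1": (31, 3, 0),
    "x^31+x^28+1": (31, 28, 0),
}

def generate_msequence(length: int, exponents=(31, 3, 0), seed: int = 1) -> list:
    """Fibonacci LFSR: every output window satisfies XOR_e s[n-d+e] = 0 (d = degree),
    i.e. for x^31+x^3+1: s[n] = s[n-28] XOR s[n-31]. Constructed test data."""
    d = max(exponents)
    if seed <= 0 or seed >> d:
        raise ValueError("seed must be a non-zero state of d bits")
    s = [(seed >> i) & 1 for i in range(d)]
    for n in range(d, length):
        s.append(reduce(lambda acc, e: acc ^ s[n - d + e],
                        [e for e in exponents if e != d], 0))
    return s[:length]

def recurrence_fit(bits: list, exponents) -> float:
    """Fraction of positions n where XOR_e bits[n-d+e] == 0. ~1.0 for the matching
    M-sequence, ~0.0 for it with inverted polarity, ~0.5 for unrelated data
    (a single bit error only spoils the three windows that contain it)."""
    d = max(exponents)
    if len(bits) <= d:
        raise ValueError("need more than d bits")
    hits = sum(1 for n in range(d, len(bits))
               if reduce(lambda acc, e: acc ^ bits[n - d + e], exponents, 0) == 0)
    return hits / (len(bits) - d)

def identify_msequence(bits: list, threshold: float = 0.9) -> dict:
    """Try each candidate polynomial; report the best fit and whether the polarity
    looks inverted (fit close to 0 instead of close to 1)."""
    best = None
    for name, exps in POLYNOMIALS.items():
        fit = recurrence_fit(bits, exps)
        score, inverted = (fit, False) if fit >= 0.5 else (1.0 - fit, True)
        if best is None or score > best["score"]:
            best = {"polynomial": name, "score": score, "inverted": inverted}
    best["match"] = best["score"] >= threshold
    return best

if __name__ == "__main__":
    seq = generate_msequence(4000)
    print(identify_msequence(seq))                    # x^31+x^3+1, score 1.0
    print(identify_msequence([b ^ 1 for b in seq]))   # same, inverted polarity
    print(identify_msequence(seq[::-1]))              # reciprocal polynomial
```

With real demodulated bits a score in the 0.9 range rather than 1.0 is normal (bit errors); a score around 0.5 for both polynomials means either a different generator or a framing/polarity problem upstream.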

Direction Finding attempts (TDoA algorithm) seem to indicate the area of Stavanger as the probable site of the transmitter.

https://disk.yandex.com/d/lo9hwFmEV774Iw

24 April 2025

CIS-Navy & Akula transmission

My friend Mario often monitors the frequency of 9201.0 KHz/USB in search of "Akula" signals: he mainly uses a KiwiSDR receiver located in Japan (Azumino-city, Nagano) [1] and it seems that this frequency (certainly one of the many) is quite active for this kind of transmissions, as collected by my friend Dave too. Most of the time it is usually a pair of signals that repeat at irregular intervals.
A few days ago he kindly sent me an interesting and "curious" recording of a transmission in which both an FSK 50Bd/1000 signal and Akula (FSK 500Bd/1000) are used with a central frequency of 9202 KHz (Figs. 1, 2).

Fig. 1

Fig. 2

The first thing that catches the eye is the particular "shape" of the Akula signals in which the well-known initial synchronization and preamble groups are missing but the EOM + EOT groups (101111 100010 100010 101111 011110) are exactly in their place, as can be seen from the demodulated bitstream in Figure 3. Just one year ago I had already come across these (let's call them) "anomalies" [2]. "It could depend on a malfunction of the modem or on the receiver's attack time" my friend cryptomaster says.

Fig. 3 - Akula bitstream
 
The most interesting thing, however, is the presence of a 50Bd/1000 FSK modulation preceding an Akula burst: something I had never seen before (and not even that type of FSK modulation). After demodulating it and reshaping it to a 7-bit format, in addition to the initial inversions, I noticed a final sequence composed of five identical 7-bit words "000100" which, as far as I know, is the typical EOM sequence used in the CIS-Navy waveform (also known by the nicknames T-600, BEE-36, CIS 36-50). However, compared to the latter, it lacks the initial part consisting of a 2-bit sequence
(usually) "100001010010111110000101001101011010110101101"
followed by a 70-bit Initialization Vector (ten 7-bit words) that is repeated twice (Figure 4).

Fig. 4 - FSK 50Bd/1000 bitstream

As per previous analysis of the CIS-Navy waveform [3], its payload data consists of 5-bit characters coded into 7-bit sequence with a fixed ratio of '1's vs. '0's of 4 to 3 (or vice versa, depending on polarity of reception) so I decided to check the 4:3 ratio in this demodulated bitstream: the result (97.5%) indicates a very good probability of success.
 
Fig. 5 - 4:3 ratio in FSK 50Bd/1000 bitstream
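As an added example (my own script, not the author's tool), this is the 4:3 check turned into a framing test: for each of the seven possible 7-bit framing offsets it counts the words whose weight is 3 or 4 (so both polarities pass), picks the offset with the highest ratio, and then looks for the trailing run of five identical words. The bitstream is constructed in the script (a 3-bit misalignment, 200 random weight-4 words, a placeholder end word and three bit errors); the end word is not the real CIS-Navy EOM.

```python
import random

# All 7-bit words with four ones (the 4:3 ones-to-zeros coding described in the
# post; the 3:4 case is the same alphabet received with inverted polarity).
WEIGHT4_WORDS = [format(v, "07b") for v in range(128) if bin(v).count("1") == 4]

def split_words(bits: str, offset: int, width: int = 7) -> list:
    """Frame the stream into `width`-bit words starting at `offset`."""
    return [bits[i:i + width] for i in range(offset, len(bits) - width + 1, width)]

def word_weight_ratio(bits: str, offset: int, width: int = 7) -> float:
    """Fraction of words, framed from `offset`, with 3 or 4 ones (both polarities
    accepted). Close to 1.0 only when the framing offset is right."""
    words = split_words(bits, offset, width)
    if not words:
        return 0.0
    return sum(1 for w in words if w.count("1") in (3, 4)) / len(words)

def best_alignment(bits: str, width: int = 7):
    """Try every framing offset; return (best offset, its ratio, all ratios)."""
    scores = {off: word_weight_ratio(bits, off, width) for off in range(width)}
    best = max(scores, key=scores.get)
    return best, scores[best], scores

def trailing_repeat(words: list, min_run: int = 5):
    """(word, run length) if the stream ends with at least `min_run` identical
    words, like the five identical EOM words in the post; otherwise None."""
    if not words:
        return None
    run = 0
    for w in reversed(words):
        if w != words[-1]:
            break
        run += 1
    return (words[-1], run) if run >= min_run else None

def build_sample_stream(seed: int = 7) -> str:
    """Constructed stream: 3 leading bits (misalignment), 200 random weight-4
    words, five copies of a placeholder end word, then three flipped bits to
    mimic demodulation errors. "1100101" stands in for the real EOM word."""
    rng = random.Random(seed)
    words = [rng.choice(WEIGHT4_WORDS) for _ in range(200)] + ["1100101"] * 5
    bits = list("101" + "".join(words))
    for pos in (40, 200, 600):          # bit errors inside the first 100 words
        bits[pos] = "0" if bits[pos] == "1" else "1"
    return "".join(bits)

if __name__ == "__main__":
    stream = build_sample_stream()
    offset, ratio, scores = best_alignment(stream)
    print("best offset:", offset, "ratio: %.3f" % ratio, scores)
    print("trailing repeat:", trailing_repeat(split_words(stream, offset)))
```

A wrong offset still scores well above 0.5 (a misframed word mixes two weight-4 words), so the decision should rest on the margin between the best and the other offsets, not on a fixed threshold alone.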

CIS-Navy waveform has been logged with different Baud rates (36, 50, 75, 100 and 150) and shifts (85, 125, 250 and 500 Hz) so, likely, that's another variation.

https://disk.yandex.com/d/E29PupqpJg3UTQ

[1] http://jf0fumkiwi.ddns.net:8073/?f=9201.00usbz9
[2] http://i56578-swl.blogspot.com/2024/05/akula-always-reserves-surprises.html
[3] http://i56578-swl.blogspot.com/2016/10/cis-navy-50bd200-fsk-t600-bee-36-cis-36.html

18 April 2025

STANAG-4415, a NATO specific 188-110 75 bps waveform

The waveform of STANAG-4415 is the same as the 75 bps waveform of 188-110 (MS-110), but the requirements of receiver performance in STANAG-4415 are stricter than those of MS-110 (the mode is referred to as "NATO Robust 75 bps mode"). It was promulgated by NATO in 1999.

The idea for this post came from an interesting discussion with some friends on the UDXF group mailing list about an apparently unidentified signal recorded on 15091.0 KHz/USB on April 9th: "this recorded signal should be psk-8 modulated, modulation speed = 2400 Bd, ACF = 66.5 ms. What mode is it ? Not STANAG-4285, nor MIL-STD-188-110A serial, nor LINK-11 or 22 ...Any idea ?"

"Why not 188-110?" I replied. Maybe the exact ACF value is something like to 66.67 ms given that in case of MS-110 low data rates (from 150 up to 1200 bps) four groups of the pairs "data block + probe"  count 160 symbols (4 x 40) and they are just in sync with the scrambler length (160 symbols) causing 66.67 ms ACF spikes. Moreover, in case of the lowest speed (75 bps data rate) the channel probes are not sent(!) so the 66.67 mS ACF is just due to the scrambler length (MS-110B Table XIX).  

MS-110B - Table XIX

The recorded signal posted in the mailing list is quite clean but it lasts about twenty seconds and it is just a transmission segment without the (important) header/preamble part, the analysis of the ACF value is however equal to about 66.67 ms (Figure 1). Note that in the bitmap of Figure 1 there are no probes (known symbols) but rather a bit-arrangement that closely resembles Walsh Modulation.

Fig. 1 - ACF value and bitmap of a transmission (data) segment

The ACF value, the lack of known symbols and the format of the bitmap are clues in favor of the MS-110 75 bps waveform. Indeed, quoting MIL-STD 188-110B 5.3.2.3.7.1.1 "At 75 bps fixed-frequency operation, the channel symbols shall consist of two bits for 4-ary channel symbol mapping. Unlike the higher rates, no known symbols (channel probes) shall be transmitted and no repeat coding shall be used. Instead, the use of 32 tribit numbers shall be used to represent each of the 4-ary channel symbols".

A decisive step forward in identifying the signal came from my friend linkz who posted a recording of an identical transmission (same day and frequency) "extracted from the HF Time Machine" in the UDXF mailing list. The long data segment obviously has the same characteristics seen above (ACF, no known symbols, Walsh modulation) but in this recording it is possible to analyze the initial synchronization preamble preceding the long data segment (Figure 2).
The 200 ms ACF value is compliant with the sync pattern of MS-110. As per 5.3.2.3.7.2.1, "The synchronization pattern shall consist of either three or twenty four 200 millisecond (ms) segments (depending on whether either zero, short, or long interleave periods are used)". The 4.8 s length of the sync preamble indicates the long interleaver setting and 24 preamble "superframes" (4.8/0.2), each superframe consisting of the transmission of 15 orthogonally Walsh modulated frames.

Fig. 2 - initial synchronization part
 
A "coarse" demodulation of the signal sent by linkz produces an asynchronous bitstream with 5N1 framing, so I set my Harris RF-5710A modem accordingly to process the signal as an MS-110 (serial) waveform in 75 bps long interleaver mode and connected it to a serial terminal (Figure 3).
 
Fig. 3

The resulting bitstream in the right column in Figure 5 has the classic 8-bit format from which the three leading "0" columns must be removed to obtain a clean 5-bit stream that I have named "demod-MS-110A-5bit.txt". The decoding is in clear-text (Figure 4) and shows a continuous repetition of 5 sentences (the first one I have chosen is just for convenience):
 
A1B2C3D4E5F6G7H8I9J10K11L12M13N14O15P16Q17R18S19T20U1V2W3X4Y5Z6789-
1234567890().,/-:?
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ABCDEFGHIJKLMNOPQRSTUVWXYZ
-?:38().,9014572/6
 
Fig. 4 - decoded 5-bit stream

Just to do a second test, I processed the recording using a software decoder (Sorcerer) with the same settings, i.e. MS-110A 75 bps/L and 5N1 framing: the result is identical to that obtained with the RF-5710A modem (Figure 5).
 
Fig. 5 - Sorcerer at work

The final step in identifying the signal came from my friend Rolf: "It’s STANAG-4415!".

Quoting RapidM [1]: "STANAG-4415 is a NATO standard for robust, non-hopping digital data communication, used on severely degraded HF channels with poor signal-to-noise ratios, large Doppler and multipath spreads. The on-air waveform specified in STANAG-4415 is equivalent to the 75 bps variant of the MIL-STD-188-110 serial mode. However, STANAG-4415 modems are required to meet more challenging multipath delay and Doppler spread performance targets. STANAG-4415 75 bps modem waveform is typically used to send ACKs and NACKs in Automatic Repeat Request (ARQ) systems (e.g. STANAG 5066) because of its robustness".
 
Figure 6 shows a block diagram of the transmitter modem. The information data rate is fixed at 75 bps, while the transmission symbol rate is 2400 baud, as for the other waveforms. Hence a large number of redundant bits are used in transmitting an information stream of 75 bps. The coded bits are represented by orthogonal Walsh functions so that for each pair of coded bits, 32 BPSK channel symbols (one Walsh symbol) are transmitted. Initially a synchronisation sequence is transmitted, containing information about the data rate and interleaver setting, so that the waveform has an auto baud facility in conjunction with an ARQ data link protocol [2]. 

Fig. 6 - block diagram of the STANAG-4415 transmitter modem

For the sake of completeness, I used the same stuff as in Figure 3 but set the RF-5710A modem to STANAG-4415 75 bps Long mode and produced the file "demod-5bit.txt": the decoding result is obviously identical to that obtained in the case of MS-110 demodulation (Figure 7).
 
Fig.7

STANAG-4415 requirements are also applied to the 75 bps mode of STANAG-4539, which is the NATO version of MS-110B but with more stringent modem receiver decoding requirements. STANAG-4415 is mentioned in MS-110B #5.3.4 when it comes to 75 bps if robust operation is required, but it is not mandated. Some MS-110B modems provide STANAG-4415 performance at 75 bps: those who have MS-110B hardware modems need to read the docs to determine whether their modem's 75 bps meets the MIL-STD performance requirements or the STANAG requirements [2].
The differences between MS-110 75 bps and STANAG-4415 are that there are no known symbols (probes) except for an initial synchronization preamble, and that the code bits are modulated by orthogonal Walsh functions in STANAG-4415. A different set of Walsh functions is used for the last Walsh symbol in each interleaver block for synchronization purposes.
 
Although STANAG-4415 works well in much more severe channel conditions it has the disadvantage of a low data rate and no chance of decoding in case of late entry (as seen, probes are not sent).
 

[1] https://www.rapidm.com/standard/stanag-4415/
[2] https://scholar.google.it/scholar?q=FFI/...

4 April 2025

SkyOFDM, still on air

For some days I have been following transmissions on 14693.0 KHz/USB consisting of exchanges of messages between two nodes, as the different fading patterns in Figure 1 suggest.

Fig. 1

Messages are sent using OFDM modulation occupying a 2400 Hz bandwidth and consisting of 28 tones with a frequency spacing of ~86 Hz; each tone is modulated using PSK2 at the symbol rate of 62.6 Bd (Fig. 2). The same results are obtained/verified by analyzing a single channel, as shown in Fig. 3 (lowest tone).

Fig. 2 - OFDM parameters

Fig. 3 - single tone (the lowest) analysis

The parameters resulting from the analysis are very similar to those of the Skysweep Technologies proprietary "SkyOFDM" waveforms family (Table I). Quoting the SkySweeper Reference Manual #82.2 General Description: "SkyOFDM is a state of art high speed modem based on the OFDM and turbo coding technologies. It offers several baud rates (300 -9600 bps) and two different interleaving options (short and long). Also there are two bandwidth options: 2.0 (OFDM-22) and 2.4 kHz (OFDM-28)".

Table I

Note the different number, position and duration of the header tones compared to the values of the "original" waveform: this is probably an improved version of the previous SkyOFDM waveforms (Figure 4).

Fig. 4

The signal has an ACF value of approximately 957.8 ms which identifies a super-frame composed of 11 frames, the latter with an ACF value of approximately 79.8 ms (Figure 5).

Fig. 5 - ACF values

Direction Finding tests using the TDoA algorithm (Figure 6) indicate an area north of Helsinki as the site of the transmitter (or rather, the radiating antenna): this makes sense because, according to some DXers, SkyOFDM waveforms were/are used by the Finnish MFA, and SkySweep Technologies was a Finnish high-tech company. By the way, although there are still many references on the web to SkySweep, their official website has been offline since the SkySweeper software was discontinued on June 1st 2009.

Fig. 6 - Direction Finding

https://disk.yandex.com/d/A9UHdyMAXeOUlA

1 April 2025

CIS FTM-4 transitions

CIS FTM-4 (FTM stands for Frequency-Time Matrix) is an unknown Russian "domestic" system, also known as CIS 4FSK 150 Bd, using MFSK4 150Bd/4000Hz modulation.
The recorded transmission consists of two alternating FTM-4 sets (L = lower set, H = higher set) with a total bandwidth occupation slightly over 25 KHz, the separation between the two sets (i.e. H1-L4) is 1 KHz. It's worth noting that when the L set is transmitted, the signal on the H1 frequency (i.e. the lowest of the H set) is continuous; vice versa, when the H set is transmitted the signal on the L1 frequency (i.e. the lowest of the L set) is continuous (Figure 1). Also note that the two sets are transmitted simultaneously forming a sort of MFSK-8 "construct" for a period of about 3 seconds.

Fig. 1 - the two FTM-4 "sets"


As for FTM-4 specifications, both MFSK4 sets are modulated at the rate of 150 Baud with a spacing of 4000 Hz (Figure 2).

Fig. 2 - CIS FTM-4 main parameters

The L set has an ACF value of ~718 ms which corresponds to a repeated sequence of 216 bits (assuming that MFSK4 uses 2 binary digits (a dibit) per modulation symbol (0-3), the ACF value of 718 ms @150 symbols/sec corresponds to a period of 108 dibit symbols or 216 bits). I could not find a specific generator polynomial for those sequences.

Fig. 3

The study of the ACF value of the set H can be done on three different intervals: main, intermediate and unitary (Figs. 4, 4b). 

Fig. 4
 
Fig. 4b
 
The main ACF measures about 1920 ms which corresponds to a period of 288 symbols or 576 bits (Figure 5).
 
Fig. 5

The intermediate ACF measures about 480 ms which corresponds to a period of 72 symbols or 144 bits (Figure 6).
 
Fig. 6

The unitary ACF has a value of ~80 ms which corresponds to a period of 12 symbols or 24 bits (Figure 7).

Fig. 7

In this case (H set) it is possible to see that the demodulated bitstream consists of a repeated scheme formed of 4 patterns, as in Figure 8:

(MSB first)
P1: 0x21BE41
P2: 0xB1BE41
P3: 0xB8D727
P4: 0x28D727 

Fig. 8
 

N.B. all the "designations" I used here are only mine; the first pattern P1 is chosen just for convenient reference; choosing a different initial pattern, the "logic" does not change.

A possible interpretation (just a guess) is that the L set is transmitted as "idle" or alignment sequence for the receiving modem and the transition to the H set occurs when sending data, even if, as in this case, the data are repetitive sequences. In this regard, remaining in the realm of hypotheses, the P1-P4 patterns could be telemetry data or tele-commands.

The recording was made using a remote Airspy HF+ located in Haapavesi, Finland (belonging to the Airspy server network) [1].

https://disk.yandex.com/d/Flr5-Ops8dRBJQ

[1] sdr://178.55.138.222:5000

14 March 2025

unid PSK2/FSK2 combined bursts

This is a very interesting transmission heard on 14736.5 KHz/USB which consists of repetitive bursts lasting about 12.6 s and separated by an interval of 1300 ms. The most interesting aspect is that a "combined" waveform is used, that is, a first segment with PSK2 modulation followed by a second segment with FSK2 modulation: both the segments are modulated at the same rate of 31 bps (Figure 1).

Fig. 1 - PSK2/FSK2 "combined" waveform

An interesting feature that my friend cryptomaster pointed out is the PSK2 mode, where the bitstream is transmitted in single bits: this feature can be seen in Figure 2 using both the "oscilloscope" function and the AM demodulator of SA. The demodulation of this bit-keying mode is complicated, apparently due to the division of the carrier into separate bits.

Fig. 2 - PSK2 segment

The FSK2 segment modulation uses a shift of about 370 Hz (measured 373) and the resulting bitstream after demodulation has an 8N1 framing which appears to be transmitted in reverse polarity (Figure 3).

Fig. 3 - FSK2 segment

The interesting things about this curious transmission don't end here: going back to the previous posts I discovered that the FSK2 segment carries exactly the same content as the 50Bd/612 FSK2 bursts analyzed some months ago [1] and compared in Figure 4.

Fig. 4 

So, it's likely the same (unid) user, maybe experimenting with different waveforms... who knows.

The PSK2 segment too probably carries the same content as the FSK2 segment; unfortunately demodulation with SA was not successful due to the particular mode used here.

https://disk.yandex.com/d/HV3j9zdSSRqLww

[1] http://i56578-swl.blogspot.com/2024/11/unid-fsk-50bd612-bursts.html