Norwegian Navy STANAG 4481-PSK Serial Tone Mode

STANAG 4481 defines the minimum technical standards for Naval shore-to-ship broadcast HF communication. The standard describes three data modem variants, namely the S4481-PSK Serial Tone Mode (STM) providing a BPSK modulated waveform offering data rate of 300 bps coded, the S4481-FSK Single-Channel Two-Tone FSK Mode providing data rates from 50 bps to 600 bps, and the S4481-FSK Multi-Channel (up to 16) Two-Tone FSK Mode providing date rates of 50 bps and 75 bps in a 3 kHz channel. The STANAG 4481-PSK waveform is a Non-Autobaud capable STM (Serial Tone Mode) waveform providing the BPSK modulated 300 bps coded data modem in a 3 kHz channel. The STANAG 4481-PSK modem waveform is identical to the 300 bps long interleaver (10.240 seconds) waveform of STANAG 4285. An example of the S4481-PSK waveform is the fleet brodcast transmitted on 6243.7 KHz/USB by the Royal Norwegian Navy (Figure 1). 

Fig. 1

While the ACF bitmap of Figure 1 clearly shows the classic S-4285 framing, Figure 2 shows the BPSK modulation: notice that some decoders such as Sorcerer and K500 show the constellation related to the type of data modulation (BPSK, QPSK, PSK8) and NOT the "on-air" constellation (usually PSK8).

Fig. 2 - BPSK modulation at 300 bps Long interleaver

User data, at least in this case, are encrypted using KW-46 (or equivalent device) given the presence of the M-sequence generated by the polinomyal x^31 + x^3 +1  (KW-46T uses that M-sequence to synch the KW-46R receive devices).

Fig. 3 - presence of x^31 + x^3 +1 M-sequence

Direction Finding tries (TDoA algorithm) seem to indicate the area of Stavanger as the probable site of the transmitter.

https://disk.yandex.com/d/lo9hwFmEV774Iw

CIS-Navy & Akula transmission

My friend Mario often monitors the frequency of 9201.0 KHz/USB in search of "Akula" signals: he mainly uses a KiwiSDR receiver located in Japan (Azumino-city, Nagano) [1] and it seems that this frequency (certainly one of the many) is quite active for this kind of transmissions, as collected by my friend Dave too. Most of the time it is usually a pair of signals that repeat at irregular intervals.
A few days ago he kindly sent me an interesting and "curious" recording of a transmission in which both an FSK 50Bd/1000 signal and Akula (FSK 500Bd/1000) are used with a central frequency of 9202 KHz (Figs. 1,2) 

Fig. 1

Fig. 2

The first thing that catches the eye is the particular "shape" of the Akula signals in which the well-known initial synchronization and preamble groups are missing but the EOM + EOT groups (101111 100010 100010 101111 011110) are exactly in their place, as can be seen from the demodulated bitstream in Figure 3. Just one year ago I had already come across these (let's call them) "anomalies" [2]. "It could depend on a malfunction of the modem or on the receiver's attack time" my friend cryptomaster says.

Fig. 3 - Akula bitstream

 

The most interesting thing however is the presence of a 50Bd/1000 FSK modulation preceding an Akula burst: something I had never seen before (and not even that type of FSK modulation). After demodulating it and reshaped to a 7-bit format, in addition to the initial inversions, I noticed a final sequence composed of five identical 7-bit words "000100" which - as far as I know - is the typical EOM sequence used in the CIS-Navy waveform (also known by the nicknames T-600, BEE-36, CIS 36-50). However, compared to the latter, it lacks the initial part consisting of a sequence of 2 bit sequence 

(usually) "100001010010111110000101001101011010110101101"

followed by 70-bit Initialization Vector (ten 7-bit words) that is repeated twice (Figure 4).

Fig. 4 - FSK 50Bd/1000 bitstream

As per previous analysis of the CIS-Navy waveform [3], its payload data consists of 5-bit characters coded into 7-bit sequence with a fixed ratio of '1's vs. '0's of 4 to 3 (or vice versa, depending on polarity of reception) so I decided to check the 4:3 ratio in this demodulated bitstream: the result (97.5%) indicates a very good probability of success.

 

Fig. 5 - 4:3 ratio in FSK 50Bd/1000 bitstream

CIS-Navy waveform has been logged with different Baud rates (36, 50, 75, 100 and 150) and shifts (85, 125, 250 and 500 Hz) so, likely, that's another variation.

https://disk.yandex.com/d/E29PupqpJg3UTQ

[1] http://jf0fumkiwi.ddns.net:8073/?f=9201.00usbz9
[2] http://i56578-swl.blogspot.com/2024/05/akula-always-reserves-surprises.html
[3] http://i56578-swl.blogspot.com/2016/10/cis-navy-50bd200-fsk-t600-bee-36-cis-36.html

STANAG-4415, a NATO specific 188-110 75 bps waveform

The waveform of STANAG-4415 is the same as the 75 bps waveform of 188-110 (MS-110), but the requirements of receiver performance in STANAG-4415 are stricter than those of MS-110 (the mode is referred to as "NATO Robust 75 bps mode"). It was promulgated by NATO in 1999.

The idea for this post came from an interesting discussion with some friends on the UDXF group mailing list about an apparently unidentified signal recorded on 15091.0 KHz/USB on April 9th: "this recorded signal should be psk-8 modulated, modulation speed = 2400 Bd, ACF = 66.5 ms. What mode is it ? Not STANAG-4285, nor MIL-STD-188-110A serial, nor LINK-11 or 22 ...Any idea ?"

"Why not 188-110?" I replied. Maybe the exact ACF value is something like to 66.67 ms given that in case of MS-110 low data rates (from 150 up to 1200 bps) four groups of the pairs "data block + probe"  count 160 symbols (4 x 40) and they are just in sync with the scrambler length (160 symbols) causing 66.67 ms ACF spikes. Moreover, in case of the lowest speed (75 bps data rate) the channel probes are not sent(!) so the 66.67 mS ACF is just due to the scrambler length (MS-110B Table XIX).  

MS-110B - Table XIX

The recorded signal posted in the mailing list is quite clean but it lasts about twenty seconds and it is just a transmission segment without the (important) header/preamble part, the analysis of the ACF value is however equal to about 66.67 ms (Figure 1). Note that in the bitmap of Figure 1 there are no probes (known symbols) but rather a bit-arrangement that closely resembles Walsh Modulation.

Fig. 1 - ACF value and bitmap of a transmission (data) segment

The ACF value, the lack of known symbols and the format of the bitmap are clues in favor of the MS-110 75 bps waveform. Indeed, quoting MIL-STD 188-110B 5.3.2.3.7.1.1 "At 75 bps fixed-frequency operation, the channel symbols shall consist of two bits for 4-ary channel symbol mapping. Unlike the higher rates, no known symbols (channel probes) shall be transmitted and no repeat coding shall be used. Instead, the use of 32 tribit numbers shall be used to represent each of the 4-ary channel symbols".

A decisive step forward in identifying the signal came from my friend linkz who posted a recording of an identical transmission (same day and frequency) "extracted from the HF Time Machine" in the UDXF mailing list. The long data segment obviously has the same characteristics seen above (ACF, no known symbols, Walsh modulation) but in this recording it is possible to analyze the initial synchronization preamble preceding the long data segment (Figure 2).
The 200 ms ACF value is compliant with the sync pattern of MS-110. As for 5.3.2.3.7.2.1 "The synchronization pattern shall consist of either three or twenty four 200 millisecond (ms) segments (depending on whether either zero, short, or long interleave periods are used)". The 4.8 s length of the sync preamble indicates the long interleaver setting and a 24 preamble "superframes" (4.8/0.2), each superframe consisting of the transmission of 15 ortogonally Walsh modulated frames.

Fig. 2 - initial synchronization part

 

A "coarse" demodulation of the signal sent by linkz produces an asynchronous bitstream with 5N1 framing, so I set my Harris RF-5710A modem accordingly to process the signal as a MS-110 (serial) waveform in 75 bps long interleaver mode and connected it to a serial terminal (Figure 3).

 

Fig. 3

The resulting bitstream in the right column in Figure 5 has the classic 8-bit format from which the three leading "0" columns must be removed to obtain a clean 5-bit stream that I have named "demod-MS-110A-5bit.txt". The decoding is in clear-text (Figure 4) and shows a continuous repetition of 5 sentences (the first one I have chosen is just for convenience):

 

A1B2C3D4E5F6G7H8I9J10K11L12M13N14O15P16Q17R18S19T20U1V2W3X4Y5Z6789-
1234567890().,/-:?
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ABCDEFGHIJKLMNOPQRSTUVWXYZ
-?:38().,9014572/6

 

Fig. 4 - decoded 5-bit stream

Just to do a second test, I processed the recording using a software decoder (Sorcerer) with the same settings, i.e. MS-110A 75 bps/L and 5N1 framing: the result is identical to that obtained with the RF-5710A modem (Figure 5).

 

Fig. 5 - Sorcerer at work

The final step in identifying the signal came from my friend Rolf: "It’s STANAG-4415!".

Quoting RapidM [1]: "STANAG-4415 is a NATO standard for robust, non-hopping digital data communication, used on severely degraded HF channels with poor signal-to-noise ratios, large Doppler and multipath spreads. The on-air waveform specified in STANAG-4415 is equivalent to the 75 bps variant of the MIL-STD-188-110 serial mode. However, STANAG-4415 modems are required to meet more challenging multipath delay and Doppler spread performance targets. STANAG-4415 75 bps modem waveform is typically used to send ACKs and NACKs in Automatic Repeat Request (ARQ) systems (e.g. STANAG 5066) because of its robustness".

 

Figure 6 shows a block diagram of the transmitter modem. The information data rate is fixed at 75 bps, while the transmission symbol rate is 2400 baud, as for the other waveforms. Hence a large number of redundant bits are used in transmitting an information stream of 75 bps. The coded bits are represented by orthogonal Walsh functions so that for each pair of coded bits, 32 BPSK channel symbols (one Walsh symbol) are transmitted. Initially a synchronisation sequence is transmitted, containing information about the data rate and interleaver setting, so that the waveform has an auto baud facility in conjunction with an ARQ data link protocol [2]. 

Fig. 6 - block diagram of the STANAG-4415 transmitter modem

For the sake of completeness, I used the same stuff as in Figure 3 but set the RF-5710A modem to STANAG-4415 75 bps Long mode and produced the file "demod-5bit.txt": the decoding result is obviously identical to that obtained in the case of MS-110 demodulation (Figure 7).

 

Fig.7

STANAG-4415 requirements are also applied to the 75 bps mode of STANAG-4539 which is the NATO version of MS-110B but having more stringent modem receiver decoding requirements. STANAG-4415 is mentioned in MS-110B #5.3.4 when it comes to 75bps if robust operation is required, but it is not mandated. Some MS-110B modems provide STANAG-4415 performance at 75 bps: those who have MS-110B hardware modems need to read the docs to determine if their modem's 75 bps is to the MIL-STD performance requirements or to the STANAG requirements [2].

The difference between MS-110 75 bps and STANAG-4415 are that there are no known symbols (probes) except for an initial synchronization preamble, and that the code bits are modulated by orthogonal Walsh functions in STANAG-4415. A different set of Walsh functions is used for the last Walsh symbol in each interleaver block for synchronization purposes.

 

Although STANAG-4415 works well in much more severe channel conditions it has the disadvantage of a low data rate and no chance of decoding in case of late entry (as seen, probes are not sent).

 

 https://disk.yandex.com/d/38E3SGt25By07w

[1] https://www.rapidm.com/standard/stanag-4415/
[2] https://scholar.google.it/scholar?q=FFI/...

SkyOFDM, still on air

Since some days I'm following transmissions on 14693.0 KHz/USB consisting of exchanges of messages between two nodes, as the different fading patterns in Figure 1 suggest.

Fig. 1

Messages are sent using OFDM modulation occupyng a 2400 Hz bandwidth and consisting of 28 tones with a frequency spacing of ~86 Hz, each tone is modulated using PSK2 at the symbol rate of 62.6 Bd (Fig. 2). The same results are obtained/verified by analyzing a single channel as shown in Fig. 3 (lowest tone).

Fig. 2 - OFDM parameters

Fig. 3 - single tone (yhe lowest) analysis

The parameters resulting from the analysis are very similar to those of the Skysweep Technologies proprietary "SkyOFDM" waveforms family (Table I). Quoting the SkySweeper Reference Manual #82.2 General Description: "SkyOFDM is a state of art high speed modem based on the OFDM and turbo coding technologies. It offers several baud rates (300 -9600 bps) and two different interleaving options (short and long). Also there are two bandwidth options: 2.0 (OFDM-22) and 2.4 kHz (OFDM-28)".

Table I

Note the different number, position and duration of the header tones compared to the values ​​of the "original" waveform: this is probably an improved version of the previous SkyOFDM waveforms (Figure 4). 

Fig. 4

The signal has an ACF value of approximately 957.8 ms which identifies a super-frame composed of 11 frames, the latter with an ACF value of approximately 79.8 ms (Figure 5).

Fig. 5 - ACF values

Direction Finding tests using TDoA algorithm (Figure 6) indicate an area north of Helsinki as the site of the transmitter (or rather, the radiating antenna): this makes sense because, acccording to some DXers, SkyOFDM waveforms were/are used by Finnish MFA and SkySweep Technologies was a Finnish high tech company. By the way, although there are still many references in the web to SkySweep, their official website is no longer online since SkySweeper software was discontinued on June 1st 2009.

Fig. 6 - Direction Finding

 https://disk.yandex.com/d/A9UHdyMAXeOUlA

CIS FTM-4 transitions

CIS FTM-4 (FTM stands for Frequency-Time Matrix) is an unknown Russian "domestic" system, also known as CIS 4FSK 150 Bd, using MFSK4 150Bd/4000Hz modulation.
The recorded transmission consists of two alternating FTM-4 sets (L = lower set, H = higher set) with a total bandwidth occupation slightly over 25 KHz, the separation between the two sets (i.e. H1-L4) is 1 KHz. It's worth noting that when the L set is transmitted, the signal on the H1 frequency (i.e. the lowest of the H set) is continuous; vice versa, when the H set is transmitted the signal on the L1 frequency (i.e. the lowest of the L set) is continuous (Figure 1). Also note that the two sets are transmitted simultaneously forming a sort of MFSK-8 "construct" for a period of about 3 seconds.

Fig. 1 - the two FTM-4 "sets"

As for FMT-4 specifications, both the MFSK4 sets are modulated at the rate of 150 Baud with a spacing of 4000 Hz (Figure 2).

Fig. 2 - CIS FTM-4 main parameters

The L set has an ACF value of ~718 ms which corresponds to a repeated sequence of 216 bits length (assuming that MFSK4 uses 2 binary digits (dibit) per modulation symbol (0-3), the ACF value of 718 ms @150 symbols/sec corresponds to a period of 108 dibit symbols or 216 bits). I could not find a specific generator polynomial for that sequences.

Fig. 3

The study of the ACF value of the set H can be done on three different intervals: main, intermediate and unitary (Figs. 4, 4b). 

Fig. 4

 

Fig. 4b

 

The main ACF measures about 1920 ms which corresponds to a period of 288 symbols or 576 bits (Figure 5).

 

Fig. 5

The intermediate ACF measures about 480 ms which corresponds to a period of 72 symbols or 144 bits (Figure 6).

 

Fig. 6

The unitary ACF has a value of ~80 ms which corresponds to a period of 12 symbols or 24 bits (Figure 7).

Fig. 7

In this case (H set) it is possible to see that the demodulated bitstream consists of a repeated scheme formed of 4 patterns, as in Figure 8:

(MSB first)
P1: 0x21BE41
P2: 0xB1BE41
P3: 0xB8D727
P4: 0x28D727 

Fig. 8

 

N.B. all the the "designations" I used here are only mine; the first pattern P1 is chosen just for convenient reference, choosing a different initial pattern the "logic" does not change.

A possible interpretation (just a guess) is that the L set is transmitted as "idle" or alignment sequence for the receiving modem and the transition to the H set occurs when sending data, even if, as in this case, the data are repetitive sequences. In this regard, remaining in the realm of hypotheses, the P1-P4 patterns could be telemetry data or tele-commands.

The recording was made using a remote Airspy HF+ Located in Haapavesi, Finland (belonging to the Airspy server network) [1].

https://disk.yandex.com/d/Flr5-Ops8dRBJQ

[1] sdr://178.55.138.222:5000

unid PSK2/FSK2 combined bursts

This is a very interesting transmission heard on 14736.5 KHz/USB which consists of repetitive bursts lasting about 12.6 s and separated by an interval of 1300 ms. The most interesting aspect is that a "combined" waveform is used, that is, a first segment with PSK2 modulation followed by a second segment with FSK2 modulation: both the segments are modulated at the same rate of 31 bps (Figure 1).

Fig. 1 - PSK2/FSK2 "combined" waveform

An interesting feature that my friend cryptomaster pointed out is the PSK2 mode, where the bitstream is transmitted in single bits: this feature can be seen in Figure 2 using both the "oscilloscope" function and the AM demodulator of SA. The demodulation of this bit-keying mode is complicated, apparently due to the division of the carrier into separate bits.

Fig. 2 - PSK2 segment

The FSK2 segment modulation uses a shift of about 370 Hz (measured 373) and the resulting bitstream after demodulation has an 8N1 framing which appears to be transmitted in reverse polarity (Figure 3).

Fig. 3 - FSK2 segment

The interesting things about this curious transmission don't end here: going back to the previous posts I discovered that the FSK2 segment carries exactly the same content as the 50Bd/612 FSK2 bursts analyzed some months ago [1] and compared in Figure 4.

Fig. 4 

So, it's likely the same (unid) user, maybe experimenting with different waveforms... who knows.

The PSK2 segment too probably carries the same content of the FSK2 segment, unfortunately demodulation with SA was not successful due to the particular mode which is here used.

https://disk.yandex.com/d/HV3j9zdSSRqLww

[1] http://i56578-swl.blogspot.com/2024/11/unid-fsk-50bd612-bursts.html

unid FSK 6Bd/50

No, it's not a typo: this FSK signal (kindly sent me by my friend cryptomaster) is really modulated at the speed of 6 Bd and 50Hz shift (Figs. 1,2).

Fig. 1 - modulation speed

Fig. 2 - 50Hz shift

The demodulated bitstream has a period of 696 bit (Figure 3): we do not know the source and the user.

Fig. 3 - 696 bit period

https://disk.yandex.com/d/d3Arg5sX2rXwhA

 

T-219 "Yachta", analog voice scrambler

Thanks to my friend Mario, who recently sent me some recordings, I had the opportunity to study the Russian T-219 system, codenamed "Yachta" (Russian: ЯХТА). Yachta is a Russian analog voice scrambler featuring a Frequency Shift Keying (FSK) signal transmitted in the center of the spectrum, with the encrypted voice stream split above and below the FSK signal (Figure 1). Although dating back to the Cold War era, the system is still used for tactical communication in the combat field as recordings are only a few days old and heard in the lower VHF range (just above the upper HF limit). The stream consists of unequal time segments, within which the two voice subchannels are swapped and inverted.

Fig. 1 - T-219 "Yachta" signal

The FSK signal is used as a synchronization sequence and is transmitted at a rate of 100 bps with a 150 Hz shift (Figure 2).

Fig. 2 - T-219 FSK parameters

As shown in Figure 3, after FSK demodulation the resulting synchronization bitstream is an M-sequence based on the irreducible polynomial x^52+x^49+1.

Fig. 3 - the M-sequence based on the irreducible polynomial x^52+x^49+1

It turned out that during the formation of the FSK signal the pahses of the two frequencies are preserved after each "shift" (Figure 4 shows two periods): that suggests that it's formed by switching (mechanically or electronically) two independent F1 F2 frequency generators which bear some inter-relationships or by using a VCO system.

Fig. 4 - two periods of the FSK frequencies

By the way, looking at the durations of two periods:
F1 = (2:0.001285470) = 1555,851167277338
F2 = (2:0,001422470) = 1406,005047558121
the shift is just about 150 Hz

https://disk.yandex.com/d/M60fqwh32SbNFQ 

Dutch Navy CARBs, a curious 8 times expanded 5N1.5 framing

On December 13th morning I accidentally tuned a KiwiSDR receiver on the well-known frequency of 8437.0 KHz USB, i.e. the Dutch Navy CARB channel operating in S-4481 FSK (8439.0 CF). Suddenly, about 1050 UTC, the usual FSK "melody" disappears to make room for a transmission in S-4285 600bps/Long mode (Figure 1): intrigued, I recorded that transmission. 

Fig. 1 - STANAG-4285 transmission

As in Figure 2, dhe decoded bitstream shows a repeating "message" characterized by a pattern with a period length of 61 bits.

Fig. 2 - 61-bit period bitstream

I then isolated a single "message" and after the appropriate shifts a 5N1.5 framing emerges where each bit is repeated eight times. The stop bits should be 12 (8x1.5) but for some reason I don't know 13 bits are reproduced (Figure 3).

Fig. 3 - 8 times expanded 5N1.5 framing

After the removal of the start/stop bits, the source 5 bits of data can be obtained after removing the overhead bits: this can be easily done by manually editing the demodulated bitstream, for example with BEE, or by "downsampling" the bitstream by a factor of 8 using a simple script coded - for example - in Octave. The result (5x10 decoded) is the well known CARB string "02A   04B   06A   08B   12A   PBB" which is usually transmitted in S-4481 mode by the Dutch Navy (Figure 4).

Fig. 4 - the resulting CARB string "02A   04B   06A   08B   12A   PBB"

Obviously I don't know the purpose of such a transmission except - obviously - for the CARB (Channel Availability and Receipt Broadcast) string. I had already encountered something similar some time ago, a particular transmission of UK DHFCS: in that case it was a 5N1 framing where each bit was repeated 16 times [1].

It is worth noting that transmission in S-4285 was in 600bps mode and 600:8 gives 75! That is the same speed as CARBs transmissions in S-4481.

https://disk.yandex.com/d/3A2Ouj9TBQERZw

[1] http://i56578-swl.blogspot.com/2022/01/an-odd-16-times-expanded-5n1-framing-uk.html

256-bit IVs & 0xD1E221E1 sequence

Just a quick note to observe that bitstreams using (alleged) 256-bit Initialization Vectors (IV) encryption have the same 32-bit/4-byte sequence repeated three times. For example, in the bitstream in Figure 1 (MS-110A transmission) you can clearly see the 256-bit IV sequences, each repeated eight times. 

Fig. 1

But if you reshape the same bitstream into columns of 32 bits the same 32-bit sequence 0xD1E221E1 emerges (Figure 2).

Fig. 2

I have previously encountered bitstreams with 256-bit IVs [1] but at that time I had not investigated further, focusing only on those sequences. As a counter-proof, I took back and analyzed those signals and - surprise - they also all present the same sequence 0xD1E221E1 after the IVs (Figure 3).

Fig. 3

It should also be said that I have also encountered the sequence 0xD1E221E1 three times previously [2] but, when I re-analyzed those transmissions, the 256-bit IVs were not found (Figure 4).

 

Fig. 4

Both for the position of the 4-byte string 0xD1E221E1 (after or WITHOUT the alleged IVs) and for its presence in different streams it is difficult to say whether it identifies a sync string for a cipher device or whether it identifies a particular datalink protocol. However, in all cases I could analyze, STANAG-4538 (3G-HF) "circuit mode service" is used along with MS-110A as the traffic waveform.

Comments and suggestions on this matter are welcome!

 

https://disk.yandex.com/d/DxsFHMYcLIw4cA 

[1] https://i56578-swl.blogspot.com/2020/09/s-4538110a-transmissions-using-unid-256.html
[2] http://i56578-swl.blogspot.com/search/label/P%3D32