unid 188-110A transmissions... and equally curious bitstreams

Some interesting transmissions were noticed last weekend on 5074.20 KHz/USB, transmissions consisting of continuous blocks of different durations and sent using the standard MS-110A modem with a fixed data rate of 1200 bps/S. Judging by the intensity of the signals and the fading patterns shown in the FFT-Spectrum, the transmissions were one-sided, ie PtP or PtMP (like a broadcast style).

Fig. 1

Analyzing the resulting bitstream after the demodulation of the signals, surprisingly, it can be noted that one bit is replaced by 16 bits during the reversals section (Figure 2).

Fig. 2 - 16-bit stream

However, looking more closely, it can be stated that the 1->8 replacement is adopted during the traffic period, i.e. each data bit is sent 8 times (Figure 3).

Fig. 3 - 1to8 bit replacement during traffic period

In order to get some more information, I reshaped the bitstreams to a 8-bit format and then removed the 7 extra bit columns: as you can see in Figure 4, not all the single transfer sessions have a same period, indeed it may vary from 91 to 111 bit. 

Fig. 4

Also, for some reason that I do not know, there are very few single bits of information, just pairs 11s or 00s; just for a try I arbitrarily replaced the pairs with  single bits of the same value: the resulting stream, after the removal of the reversals sections, shows 60-bit patterns. I also tried the differential decoding but I didn't get any other interesting results about the nature of the data and the used transport protocol. My friend cryptomaster, who too heard and analyzed that transmissions, got the same results.
The working frequency (5074.20 KHz/usb) is not among those known or at least it is not reported on the UDXF logs, and given that the transmissions have not been repeated and the strange characteristic of the bitstreams, it could also be test transmissions.
What is certain is the geographic area where the Tx site is located: all the direction finding tries (TDoA method) point to the state of Lower Saxony, Germany (Figures 5,6).

Fig. 5

Fig. 6

I just want to report that a similar stream has been noted in some STANAG-4285 transmissions [1]: maybe these "expansions" are used to add redundancy and then increase the reliability of the channel, although HF protocols use their own FEC encoding.

https://disk.yandex.com/d/QgDFohyS8dqeVg

[1] http://i56578-swl.blogspot.com/2022/01/an-odd-16-times-expanded-5n1-framing-uk.html?m=0

RapidM proprietary WB-LDL & WB-RDL waveforms (2)

Thanks to a nice catch by my friend ANgazu from radiofrecuencias.es, who I thanks, it's now possible to add two other waveforms (#9, #11) to the Table II of the previous post [1]. The waveforms belong to the "120 ms frames" family, respectively 30 KHz bandwidth 24000 Bd (WF #9, Figure 1) and 42 KHz bandwidth 33600 Bd (WF #11, Figure 2).

Fig. 1 - 30KHz/24000Bd waveform

Fig. 2 - 42KHz/33600Bd

https://disk.yandex.com/d/o8htpYuX7xSXuw

[1] https://i56578-swl.blogspot.com/2022/12/wale-wideband-traffic-probably-rapidm.html

 

 

unid "mixed-mode" transmission

 updated

 Very interesting "mixed-mode" transmission cathced and sent me by by friend Michel (F1GOC)

Fig. 1

Segment 1 consists of an FSK modulation keyed at 200 Baud and 1000 Hz shift (Figure 2). The demodulated bitstream has a well defined period of 288 bit consisting of a data segment preceded/followed by a sync/probe sequence (Figure 3).

Fig. 2

 

Fig. 3

Segment 2 consists of an MFSK-7 modulation keyed at 30 Baud and 400 Hz separation between the tones. The raw demodulation of the seven tones (0-6;000-110) shows a repeated sequence of 940 bit length (Figures 4,5).

Fig. 4

Fig. 5

Segment 3 is the most interesting one. This segment consists of 7 subcarriers which coincide with the tones of the previous MFSK segment (see Figure 1), the modulation used for each subcarrier - in my opinion - seems to be ASK2/OOK. The "aggregate" speed of modulation is 200 Baud, ie 28.5 Baud per channel (Figure 6). The autocorrelation function of the signal shows a period of 10 seconds, corresponding to 2000 bit frames (Figure 7).

Fig. 6

Fig. 7

As a simple curiosity, the central frequency of the FSK segment does not coincide with the value of the center band of the following two segments (see Figure 1). Difficult to state the user and the purpose of the transmission, many "experimental" signals are in the air especially during this period, comments are welcome.

------- update  --------------------------------------------------------

As my friend cryptomaster commented (and my friend Nicola too in pvt), the FSK segment is the well-known Russian Intel "F06" waveform. Indeed, after the change of the bit-order is possible to clearly see the typical F06 32-bit sync sequence 7D12B0E6 (Figure 8). The final part of the decoding, thanks to the rivet_b90 tool, is shown below (Figure 9). 

And... yes, I'm a bit out of shape since the 288-bit period should have suggested the solution 😁

Fig .8 - F06 sync sequence

 

Fig. 9 - F06 decoding

https://disk.yandex.com/d/2hsIqrswtSwzHw

unid ASK2/OOK transmissions

updated

Unid transmissions heard on 8120, 8130, 8140, and 8150 KHz (the latter moved to 8160 Khz) thanks to the KiwiSDR located at N4BUT Orlando, FL [1].

Fig. 1

At first sight the signal seemed a MPSK modulation, but working the signal along with my friend cryptomaster some other interesting features came out. Each transmission consists of four 100 Hz separated channels (a,b,c,d) each occupying a band of about 900 Hz, for a total bandwidth occupation of about 3900 Hz (Figure 2).

Fig. 2

In turn, each of the 4 channels consists of 4 sub-channels with a modulation rate of 49.6 Baud, the used modulation seems to be ASK2/OOK [2].

Fig. 3

Each of the four sub-channels shows strong ACF peaks of 1290 ms corresponding to a 64-bit length frame: the "aggregate" frame therefore has a length equal to exactly 1 Kb, ie 1024 bits or 128 bytes (64x4x4).

Fig. 4

Below in Figure 5 is a comparison of the four channels obtained from the analysis of my friend cryptomaster.

Fig. 5

Although I have kept an eye on that initial portion of the 8 MHz band (fixed/mobile band, shared with marine for simplex purposes), those transmissions have not appeared again (at least until today): difficult to define their purpose and user(s).

Below the interesting comment sent me by my friend Nicola, who I thanks for the collaboration:

"The interesting signal discussed in the blogpost “Unid ASK2/OOK transmissions” dated 1 February is probably a Frequency-Time Matrix (FTM) system, where a data symbol (bit string) is represented by FT-matrices, i.e. combinations of frequency and time domain positions. The 'secret' of this robust mode is that no frequency is repeated within each matrix. This characteristic is used to enhance the resilience against frequency domain broadband noise (or fading) affecting a broad range of frequencies and time domain narrowband noise (or fading)." 

https://disk.yandex.com/d/7u74pzY-bPntXg

[1] http://sdr.n4but.com:8173/?f=8120.00iqz10&pbw=10000
[2] https://en.wikipedia.org/wiki/Amplitude-shift_keying

4529.75 KHz (cf), yet another async 5N1 STANAG-4481F (to replace 4539.7 KHz?)

Some days ago my dear friend Karapuz noted the transmission of STANAG-4481F segments centered on 4529.75 KHz, data were transferred using 5N1 framing and apparently not in clear text. In the following days I monitored, albeit occasionally, the channel until the transmissions started to be continuous (Figure 1).

Fig. 1

Analyzing the bitstream after the start/stop bits have been removed, it turns out that the messages are sent in protected mode using KG-84/KIV-7 encryption... as it was expected since the used protocol (S-4481F, 75Bd/850). As already noted in other similar STANAG-4481F transmissions, the 128-bit Initialization Vector is splitted in two 64-bit groups and each group is repeated twice rather than four times (as instead it's used to do in STANAG-4285 transmissions).

Fig. 2 - notice the presence of the KG-84 64-bit sync sequence and the 128-bit Initialization Vector (after the removal of the start/stop bits)

As happened for the 4539.7 KHz channel, in the same way the 4529.7KHz channel started with test transmissions and then switched to the usual secured broadcast [1]. TDoA runs indicate the DHFCS site in Crimond UK.

 https://disk.yandex.com/d/6Q_7zvpMlBb8ow

[1] https://i56578-swl.blogspot.com/2021/09/async-5n1-stanag-4481f-likely-tests-or.html

a curious AT-3400D/AT-3104 (CIS-12) modem configuration

Interesting catch of an AT-3400D modem (also known as CIS-12 or MS-5) running on 14344.0 KHz/USB with the quite uncommon 9 channel configuration (3-out-of-12) as shown in Figure 1 below

Fig. 1

CIS-12, as you know, is a pseudo OFDM 12-tone (+ 1 pilot) waveform using PSK2 or PSK4 modulation at speed of 120 Baud while the modem name is AT-3004D (or its newer counterpart AT-3104). Channels 1-10 are used for data, 11 and 12 are test/service channels, therefore the "aggregate" speed is 1200 Baud. 

Fig. 2

https://disk.yandex.com/d/HWWIfdAR6aLKuA

WALE & wideband traffic, probably RapidM proprietary WB-LDL & WB-RDL waveforms

My friend ANgazu and I are almost done going through nearly 30GB of recordings of broadband transmissions that took place in the portfion of 6.9-7 MHz band during October and November, monitoring was also possible thanks to SM5TAH/Mats who made available its broadband SDR receiver (Airspy HF+, SDR-IQ). As already discussed in previous posts, we think they were trial transmissions aimed at fixing the performance of modified waveforms with respect to the relative reference standards (118-110D App.D and 188-141D App.G) especially with regard to the fourth-generation ALE. Some of these tests were most likely conducted by Harris, as they more specifically concerned the 3GWB ALE (WBALE) and WHARQ broadband waveforms, although we did not find news or information about.

We also found 188-141D 4G-ALE (WALE) waveforms that use a modified/improved initial preamble that are probably traceable to trials by RapidM [1]: also in this case no direct confirmation other than a presentation given at an HFIA Industries meeting on March 2020. The traffic waveforms following those WALE handshakes are totally "new" (or at least never meet before for me) and defintely not 188-110D App.G compliant. Obviously, since these waveforms are used in the WALE trials they are developed, along with the related modem, by the same manufacturer.

bandwidths. We could detect waveforms spreading from 3 Khz to 48 Khz, their allocation within a wideband channel is negotiated during the WALE link setup stage and follows the specifications required by 188-141D (1). The examples in Figures 1a,1b show the wideband channel allocations of some of the monitored waveforms.

Fig. 1a

Fig. 1b

paradigma. The first consideration to make is that the traffic segments look like a ARQ system, but after the last data transfers the responder' ACKs are missing (Figure 2), maybe they are forward/reverse traffic links or the latest ACK is not required/mandatory by the system. Also notice that, although the wideband channel has been negotiated, the called station uses a different channel for its sendings, this channel is anyway "within" the one of the caller. Probably the responder announces it's own 16-bit sub-channel vector in the WALE confirm PDU.

Fig. 2

modulation. All the waveforms utilize eight-ary phase-shift keying (PSK8) constellation, the symbol mapping is the same used in 188-110D (Figure 3). As usual, the modulation rate varies according to the bandwidth.

Fig. 3

waveforms. According the used framing (ACF of 25.4 and 120 ms), we identified 2 families of waveforms, each consisting of 9 waveforms differing in bandwidth (3-24 and 48 KHz) and modulation rate (2400-19200 and 38400 Baud): unfortunately, the waveforms of the intermediate badwidths 30,36,42,.. KHz have not been found and therefore (hopefully at the moment) are missing.

25.4 ms framing. The frame structure consists of a "Tx Frame" consisting of a synchronization preamble followed by N "data packets" of fixed duration of 25.41 ms (except the 7200 Bd waveform), where N depends on the chosen waveform. Each data packet consists of alternating data (Unknown) and probe (Known) symbols. The frame structure is shown in Figure 4.

Fig. 4

A transmission consists of 1 or 3 Tx Frames separated by a "dead time" or a "guard interval", only the the first Tx Frame is preceeded by a TLC sequence (Figure 5).

Fig. 5

Main features of this family waveforms (so far seen) are sumarized in Table I.

Table I

The 25.4 ms periodicity of the data packets and their number N within each Tx frame can be seen in Figures 6 and 7 respectively.

Fig. 6

Fig. 7

However, I'm facing an odd problem about the length of the (known symbols) probes; let's see for example the 2400 Bd data packet: as from Figure 8, the 9.996 ms probe makes a length of 24 PSK8 symbols but after its demodulation the bitstream shows 75-bit lenght patterns, ie 25 PSK8 symbols! 

Fig. 8

The discrepancy is probably due to the SA PSK demodulator. Indeed, it must be noticed that either the preamble sequences and the probes are characterized by the lack of the sub-carrier in their harmonic spectrum (Figure 9): this feature has already been found in the modified/enhanced WALE preambles discussed in the previous post.

Fig. 9

 

120 ms framing. The frame structure consists of a TLC & synchronization preamble followed by fixed length 120 ms data packets, each data packet consisting of alternating data (Unknown) and probe (Known) symbols. The most interesting aspect is that the initial TLC & preamble sections consist of the same Tx Frame of the correspondent 25.4 ms family waveforms (Figure 10): it could be said that both waveforms (25.4 ms and 120 ms) present the same "front-end" to the receiving modem.

Fig. 10

The complete frame structure is shown in Figure 11.

Fig. 11

Figure 12 shows the 120ms period of some waveforms, unfortunately not all the samples have a good quality.

Fig. 12

The main features of this family waveforms (so far seen) are sumarized in Table II. It's interesting to see what came up when comparing the values of Table II with the correspondent values of the Waveform Number 7 of 188-110D App.D: as you see, most of the framings (ie the number of the PSK8 symbols) match the ones of the correspondent 188-110D waveforms. 

Table II

Although in some cases the durations are the same, the mini-probes sequence is different so there is no compatibilty between the observed waveforms and 188-110D. Figure 13 shows two frames of the 12 KHz 9600 Bd waveforms.

Fig. 13

RapidM Since these traffic waveforms are used together with the modified WALE waveforms seen in the previous post, it is logical to assume that they too are developed by the same manufacturer, ie - in our opinion - by Rapid Mobile (RapidM) [1]. A positive feedback comes from reading the technical documentation of their RM10 modem [2] "In addition, the RapidM proprietary wideband HF packet data modems known as WB-RDL is offered in the RM10 as a software option.  The WB-RDL waveforms and protocols are integrated with the WALE/4G ALE controller for link setup and dynamic forward/reverse traffic channel bandwidth negotiation. The combination of WALE/4G ALE with the WB-RDL provide data communication in challenged channel (e.g., SNR < 0 dB, high-latitude, high interference) conditions". More precisely, the documentation talks about the future WB-LDL & WB-RDL packet waveforms used with WALE: the acronyms could mean WideBand Low latency DataLink and WideBand Robust DataLink, that is the two families we have singled out (25.4 & 120 ms waveforms).

Fig. 12

We have quite a lot of assumptions and conjectures about it but at the moment we prefer to wait for "news" from RapidM on their official website (new RM12 wideband modem?) and monitor the HF bands for (hopefully) such new trials.

https://disk.yandex.com/d/CrBy3GAUjyaLdA 

(1) the wideband channels are described in WALE PDUs using 16-bit “sub-channel” vectors, each bit element of a sub-channel vector refers to a sub-channel within an assigned wideband channel and describes 1.5 kHz sub-channels, range of 24 kHz, or 3 KHz sub-channels, range up to 48 KHz

[1] https://i56578-swl.blogspot.com/2022/11/an-enhanced-design-for-deep-fast-wale.html
[2] https://www.rapidm.com/product/rm10-wideband-software-defined-modem/

an enhanced design for Deep & Fast WALE preambles (RapidM RM12 HF modem?)

This post briefly summarizes the analysis of the Deep & Fast WALE waveforms seen so far, discussing in particular the acquisition preambles whose formation does not comply with the reference standard 188-141D (Appendix G, WALE or 4G-ALE). Some indications suggest that the monitored transmissions could be trials of a specific WALE implementation by Rapid Mobile adopted in their newest RM12 HF modem, but at present it's only a my guess.

1. Preamble
The preamble is used for rapid initial synchronization and provides time and frequency alignment. Both the Deep WALE and Fast WALE preambles use 4-ary orthogonal Walsh modulation by mapping each di-bit of the preamble sequence to "normal" or "exceptional" sets of 4-element Walsh repeated sequences.

 Walsh Sequences for WALE Preambles (MIL 188-141D, Table G-VIII)

Each 32-element is then scrambled by performing a modulo 8 addition between the PSK8 symbol sequence below and the corresponding Walsh element
{7,1,1,3,7,3,1,5,5,1,1,6,7,1,5,4,1,7,1,6,3,6,1,0,4,1,0,7,5,5,2,6}

2. Deep WALE
Deep WALE uses a 240 ms preamble consisting of 18 orthogonal Walsh modulated channel symbols. The first 14 fixed di-bits {0,1,2,1,0,0,2,3,1,3,3,1,2,0} are fixed, the final four di-bits are protocol-dependent and mapped using the "exceptional" 32-element Walsh sequences set. Each 32-element is then scrambled in accordance with 1. for a resulting sequence  of 576 PSK8 symbols.

Fig. 1 - Deep WALE preamble

I coded a C++ Deep WALE modulator in order to get a (synthesized) 188-141D compliant bitstream and then compare it to the bitstreams got by demodulating the (real) over-the-air Deep WALE calls extracted from a monitoring file. Since I was only interested on the preamble formation, to simplify the code I used a random generator in place of the 192 coded and interleaved PDU bits;  the "modulator" is limited to the PSK8 symbol mapping  (1).

Fig. 2

 

Sumarizing what seen in the previous posts, durations and symbols "into the game" are shown in Table I below:

Table I - comparison between real (on-air) and sythesized Deep WALE PDUs

As expected from the time-based analysis, the comparison of the bitstreams confirms that the real signals differ from the standard ones in the way their preamble is formed: specifically the real preambles have a longer duration (350 ms, 840 PSK8 symbols) and do not have sequence repeats (autocorrelation = 0). Conversely, the inevitable repetitions of the scrambling sequence during the formation of the synthesized preamble cause a 96-bit/32-symbols ACF (on the right of figure 3).

Fig. 3- on-air (left) and sythesized (right) DeepWALE bitstreams

The symbols of the real & synt preambles are shown below in figure 4:

Fig. 4

3. Fast WALE

As per 188-141D, Fast WALE uses a 120 ms preamble consisting of 9 orthogonal Walsh modulated channel symbols. The first 5 di-bits {3,3,1,2,0} are fixed, the final four di-bits are protocol-dependent and mapped using the exceptional set. Conversely to Deep modulation, the final two di-bits are unused and are set to 0. Each 32-element Walsh sequence of the preamble is scrambled in accordance with 1. for a resulting sequencetotal of 288 PSK8 symbols. By the way, the duration of the preamble is the same of the following coded and interleaved data frame and it's the half of the Deep WALE preamble.

Fig. 5 - Fast WALE preamble

A second C++ "sketch" was coded to produce a (synthesized) 188-141D compliant bitstream to be compared with the ones coming from the demodulation of the real signals. As in the previous code, a random generator is used in place of the coded and interleaved data bits.
From the analysis of the recordings I was able to detect at least four types(!) of Fast WALE framing which differ in the length of the preambles (figure 6) while keeping the duration - and therefore the symbols - of the data portion unchanged (120 ms, 288 PSK8 symbols) .

Fig. 6 - different Fast WALE framings

Table II - comparison between real (on-air) and sythesized Fast WALE PDUs

As in Deep modulation, the on-air preambles have no sequence repeats even when their duration matches the standard 240 ms; in the other cases, duration and therefore the number of symbols, are less than the ones specified in the standard. Figures 7,8 depict such differences, notice the 32 known symbols probes in both the bitstreams and the 96-bit/32-symbols ACF of the synthesized preamble.

Fig. 7 - on-air and sythesized Fast WALE bitstreams

Fig. 8

 

4. "RapidM RM12 modem" supposition
Unless there are other protocol "options" that I'm not aware of, the differences between the analyzed preambles and those described by 188-141D are due to a specific (proprietary?) implementation. In this regard, my friend ANgazu found an interesting document by Rapid Mobile - literally entitled "Considerations for Synchronization Enhancements for 4G/WALE" - where two proposed improvements to the WALE synchronization preambles are illustrated. Specifically, the second proposal presented by RapidM (slide 18, "WALE Enhanced Preamble") perfectly fits with durations and symbols of the on-air signals:

As said, according 188-141D every Walsh Symbol repeats the same scrambling sequence

{7,1,1,3,7,3,1,5,5,1,1,6,7,1,5,4,1,7,1,6,3,6,1,0,4,1,0,7,5,5,2,6} 

and such repetitions have detrimental effect on synchronization acquisition performance: avoiding such on-air repetitions during the preamble removes false peaks in acquisition correlations. RapidM "Enhanced Preamble" proposal just consists of the replacement of the scrambled sequences with CAZAC sequences (2) consisting of 168 PSK8 symbols for Fast WALE and 840 PSK8 symbols for Deep WALE (the other proposal concerns a 448-symbol extended scrambling sequence).
By the way, figure 9 shows the measured autocorrelations for on-air and synthesized preambles of both Deep & Fast WALE PDUs.

Fig. 9 - autocorrelations

The RapidM slides, which also announce the upcoming RM12 48kHz Wideband Modem, were presented at the HFIA meeting of March 2020: since the first WALE signals I could analyze date back January 2021, timings are consistent.

If my guesses are right, the analyzed transmissions could just be trials by RapidM, also because - at the time of writing - the RM12 modem is not yet in their catalog [1]. However, I haven't found any confirmation yet and furthermore there are some other aspects, such as the lack of the 1800 Hz carrier in the preamble sectors or the CAZAC sequences formation, which need further investigation. Probably the lack of the carrier during the preamble modulation (figure 10) is due to the "tone excision" feature, since the suppression of the 1800 Hz tone improves the waveform resilience and performance in the presence of channel interference [2]: that's another (RapidM?) enhancement to the WALE preamble.

Fig. 10 - the lack of the carrier in a Deep WALE PDU preamble

https://disk.yandex.com/d/CQum1JvCqMzEFQ

[1] https://www.rapidm.com/
[2] https://www.rapidm.com/standard/stanag-4539/ 

(1) C++ code for Deep WALE PDU formation (Arduino Mega-2560)

char buffer[60];
int preamble[18] = {0,1,2,1,0,0,2,3,1,3,3,1,2,0,0,0,0,0};
int pScramble[32] = {7,1,1,3,7,3,1,5,5,1,1,6,7,1,5,4,1,7,1,6,3,6,1,0,4,1,0,7,5,5,2,6};

int preambNorWalsh[4][32] = {
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
{0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4},
{0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4},
{0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0}
};

int preambExcWalsh[4][32] = {
{0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4},
{0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0},
{0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0},
{0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4}
};

int pduWalsh[16][64] = {
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
{0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4},
{0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4},
{0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0},
{0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4},
{0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0},
{0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0},
{0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4},
{0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4},
{0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0},
{0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0},
{0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4},
{0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0},
{0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4},
{0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4},
{0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0}
};

int shiftRegister[159] = {
0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1,
1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0,
1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0,
1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0,
1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1,
0, 1, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 1, 1,
1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1,
1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 0,
1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0,
1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1
};

void setup() {
  Serial.begin(9600);
}

void printBin(byte tribit) {
  for(int i=2; i>=0; i--){
    Serial.print(bitRead(tribit,i),BIN);
  }
  Serial.print(" ");
}

int getQuadbit(void) {
   return (random(16));   
}

int getTribit(void) {
  int bitout, bittap, bitin;
  int i,j;
  for(j=0; j<16; j++) {
    bitout = shiftRegister[158];
    bittap = shiftRegister[31];
      for(i=158;i>=1;i--){
        shiftRegister[i]=shiftRegister[i-1];
      }
    bitin = bitout^bittap;
    shiftRegister[0]=bitin;
  }
  return (shiftRegister[2]<<2)+(shiftRegister[1]<<1)+shiftRegister[0];
}

int doScramble (int a,int b) {
  if (a+b < 8) {
    return (a+b);
  }
  else {
    return (a+b-8);  
  }
}

void loop() {
  int scramblingSym;
  int tribit;
  int psk8;

  // preamble
  for (int i =0;i <14;i++){
    int y =preamble[i];
    for (scramblingSym=0;scramblingSym <32;scramblingSym++) {
      psk8 =doScramble(preambNorWalsh[y][scramblingSym],pScramble[scramblingSym]);
      Serial.println(psk8); //check        
    }
  }  
  for (int i =14;i <18;i++){
    int y =preamble[i];
    for (scramblingSym=0;scramblingSym <32;scramblingSym++) {
      psk8 =doScramble(preambExcWalsh[y][scramblingSym],pScramble[scramblingSym]);
      Serial.println(psk8); //check        
    }
  }  
    
  // PDU
  for (int quadBitSet =0;quadBitSet <48;quadBitSet++){
    int pduSymbol =getQuadbit();
    for (scramblingSym=0;scramblingSym <64;scramblingSym++) {
      tribit =getTribit();
      //printBin(getTribit()); //check    
      psk8 =doScramble(pduWalsh[pduSymbol][scramblingSym],tribit);
      Serial.println(psk8); //check    
      //sprintf(buffer, "Walsh modulated PDU symbol:%i  scrambling symbol:%i  PSK8:%i",pduWalsh[pduSymbol][scramblingSym],tribit,psk8);
      //Serial.println(buffer);        
    }
  }
  for( ; ; );
}


(2) Constant Amplitude Zero AutoCorrelation waveform (CAZAC) is a periodic complex-valued signal with modulus one and out-of-phase periodic (cyclic) autocorrelations equal to zero. CAZAC sequences find application in wireless communication systems for synchronization of mobile phones with base stations. Zadoff–Chu sequences are well-known CAZAC sequences with special properties. 
https://en.wikipedia.org/wiki/Constant_amplitude_zero_autocorrelation_waveform