28 July 2021

an interesting start of a CIS-75 transmission

Interesting CIS-75 75Bd/250 FSK heard on 6404.0 KHz (cf): the encrypted data are preceded by a sync sequence of reversals that, according to my measurements, is sent at the speed of 100Bd. My friend cryptomaster suggested that the 100Bd are actually the 50Hz taken from the AC mains. Given the instability, it can be assumed that the equipment is operated "in the field" and that the instability comes from the autonomous power supply.

Fig. 1

TDoA runs indicate the Kaliningrad Oblast (Kaliningradskaja oblast) as the possible location of the Tx (figure 2).

Fig. 2

https://disk.yandex.com/d/y3nMgqsSLmpTvw

26 July 2021

playing with Arduino and a 12-bit LFSR


The circuit is just a test of the operation of the 12-bit LFSR x^12+x^6+x^4+x+1 used in 188-110A serial tone modems, in view of its full implementation; its software simulation has already been seen in a previous post, to which I refer for further insights. The 12 flip-flops and the 3 XOR gates implement the "one-to-many" configuration, according to the 188-110A standard. Since the 74xx374 does not provide asynchronous preset/clear inputs, the LFSR is a "free runner", that is, it is not reset to a certain initial state (seed) after n cycles; therefore all the circuitry for loading the initial pattern (0xBAD) is missing.

Pinning and logic circuit (connections) are shown in figure 2: the electric connections (+/- 5V power) are omitted, while the connections to the pins of the Arduino board are indicated (notice that I used an ATmega2560 board, so connections and code have to be changed in case you use a different board).

Fig. 2 - logic connections and pinning

The 220 ohm resistor and the blue LED visible in the photo on the clock line are not shown in the circuit; they just make the clock pulses visible, obviously only in case of a very low clock speed.

The code of the sketch is quite simple: I just used a random number generator to simulate the symbols 0-7 coming from the Modified-Gray Decoder (MGD) and an 8x8 array to perform the scrambling. The tribit number supplied by the random number generator is added modulo 8 (mod8[LFSRsymbol][randSymb]) to the three-bit value supplied by the LFSR (pins 53, 51, 49). Results are written into a buffer which is then sent to the serial port (figure 3).

Fig. 3


The 74HC374 is an octal positive-edge triggered D-type flip-flop with 3-state outputs (the second 74HC374 is only half used, i.e. it provides only 4 flip-flops). The device features clock (CP) and output enable (OE) inputs. The flip-flops store the state of their individual D inputs that meet the setup time on the LOW-to-HIGH clock transition. A HIGH level on OE causes the outputs to assume a high-impedance OFF state (the OE input does not affect the state of the flip-flops). The 74HC86 is a quad 2-input EXCLUSIVE-OR gate, used to form the feedback chain.

https://disk.yandex.com/d/7gestYtENRF6VQ

22 July 2021

SCS/ALE: a 2G ALE Modem/Controller for DR-7400 and DR-7800 P4 modems


SCS/ALE controller (2G MIL 188-141 ALE) supports two modes: ALE/PACTOR, see the video below, and full stand-alone ALE. In ALE/PACTOR, existing PACTOR software needs to know nothing about ALE. The PACTOR Connect request is turned into an ALE Linking Call which, if it fails, results in the modem telling the PACTOR software that the PACTOR Connect failed. If the ALE Link is achieved, the PACTOR Connect process proceeds. After the PACTOR session is complete, the ALE Link is cleared and ALE Scanning resumes. Thus no modification of existing PACTOR software is required for ALE front-end operation. The Bluetooth option must be installed to have full ALE operational awareness when in ALE/PACTOR mode.



In stand-alone ALE one can use PACTOR or AMD messaging, or any external modem, as the DR-7800 series modems provide an external-modem sense PTT line to reset the ALE Link timeout. The MS110A hardware or MS-DMT software modems can be used. To use PACTOR the Bluetooth option is required.
In addition, many HF transceivers used in MARS and SHARES have been added by reusing source code from the MARS-ALE Radio Control Library: simple split VFO is applied where needed for ALE Quiet Scanning (dropping out of split for TX), and PA relay bypass commands are used where applicable. No other external ALE controller on the market takes these steps.

Thanks to my friend Steve Hajducek from "MIL-STD tools for MARS Multimedia Library" group:
https://www.facebook.com/groups/MARS.MIL.STD.TOOLS.LIB

19 July 2021

tools to generate 188-110A channel probes... and not only them

I recently re-checked the 188-110A transmissions referred to in this post, characterized by a secondary protocol not (yet) identified; the purpose was to verify whether in the meantime some novelties had appeared that could shed more light on the protocol itself. The attempt, however, was unsuccessful, though this time I paid more attention to the 188-110A channel probe patterns. After demodulating the signal, the channel probes do not show the regular (known) patterns that should instead appear, according to what is indicated in the documentation and as seen in a synthesized waveform (figure 1).

Fig. 1 - synthesized and real-world 188-110A 2400bps

During the periods where channel probe symbols are to be transmitted, the channel symbol formation output is set to 0 (000), except for the two known symbol patterns D1 and D2 preceding the transmission of each new interleaved block. The symbol formation output is then scrambled with the three bits supplied by the randomizing generator, a 12-bit shift register with the functional configuration shown in figure 2.
The shift register is pre-loaded with the initial pattern 101110101101 (0xBAD) and advanced eight times. Since the shift register is reset after 160 transmit symbols, every 480 transmit symbols the scrambler will produce the same ten patterns for the 16-symbol channel probes.

Fig. 2 - 188-110A randomizing generator

As you can see, the patterns vary so much that it looks like an artificial "variation", even if this "effect" is due to poor signal reception (mostly fading).
The bitstreams of figure 1 were obtained at the output of a generic PSK8 demodulator (SA), so I don't know exactly how a specific 188-110A demodulator reacts to such sequences of the channel probes; probably it does not lose synchronization... even if some doubts arise about the exact demodulation of the signal (thank goodness that FEC exists).

However, I have decided to spend some time examining the sequences generated by this circuit. As shown in figure 2, the randomizing generator is an x^12+x^6+x^4+x+1 LFSR converted into its "one-to-many" counterpart, i.e. the most-significant bit is fed back directly into the least-significant bit and is also individually XORed with the other bits 6, 4, 1. Notice that using this style means that there is never more than one level of combinational logic in the feedback path, irrespective of the number of taps that would be employed in the traditional "many-to-one" implementation (increasing the levels of logic in the combinational feedback path can negatively impact the maximum clocking frequency).
At first I used two excellent "software" simulators: the first for PC, LFSR Testbench (figure 3) [1], the second for a Samsung Android tablet, Logic Simulator Pro (figure 4) [2]. As soon as possible, or as soon as I recover the missing components, I will try a hardware simulation using my Arduino board.
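The randomizing generator described above, together with the mod-8 scrambling from the Arduino post of 26 July, as an added software model of my own (not the Arduino sketch, nor the LFSR Testbench or Logic Simulator Pro files): it checks the one-to-many feedback, the full 4095-state period, and that the scrambled 16-symbol probes repeat every 480 symbols. The register bit ordering and which three stages feed the mod-8 adder are my assumptions; the standard's figure is the authority on those.

```python
"""Model of the 188-110A randomizing generator and of the mod-8 scrambling
it drives (added example; not the Arduino sketch or the simulators above).
Polynomial, 0xBAD seed, eight advances per symbol, 160-symbol reset and the
32+16 frame are from the text; bit ordering and the three stages read are
my assumptions, chosen so that 0xBAD is the register read MSB first."""

POLY_TAPS = (6, 4, 1)        # x^6, x^4, x terms of x^12+x^6+x^4+x+1
SEED = 0xBAD                 # 101110101101, the standard's initial pattern
RESET_PERIOD = 160           # register reloaded every 160 transmit symbols
DATA_SYMBOLS, PROBE_SYMBOLS = 32, 16   # 2400 bps frame: 32 data + 16 probe

def step(state):
    """One clock of the one-to-many form: the MSB is fed straight back into
    the LSB and also XORed individually into the stages at taps 6, 4, 1."""
    msb = (state >> 11) & 1
    state = (state << 1) & 0xFFF
    if msb:
        state ^= 1
        for t in POLY_TAPS:
            state ^= 1 << t
    return state

def period(seed=SEED):
    """Clocks until the register returns to its seed: 4095 for a primitive
    degree-12 polynomial, i.e. every non-zero state is visited."""
    s, n = step(seed), 1
    while s != seed:
        s, n = step(s), n + 1
    return n

def tribit_stream(n_symbols):
    """Scrambler tribit per symbol: eight advances per symbol, reload with
    0xBAD every 160 symbols, read the three most-significant stages."""
    out, state = [], SEED
    for i in range(n_symbols):
        if i % RESET_PERIOD == 0:
            state = SEED
        for _ in range(8):
            state = step(state)
        out.append(state >> 9)
    return out

def scramble(symbols, tribits):
    """The Arduino sketch's mod8[LFSRsymbol][randSymb] table as arithmetic."""
    return [(s + t) % 8 for s, t in zip(symbols, tribits)]

def probe_patterns(n_frames):
    """On-air 16-symbol probe of each frame. With a 000 probe input (D1/D2
    frames ignored here) the probe is the scrambler output itself; the ten
    patterns repeat every 480 symbols = lcm(48-symbol frame, 160 reset)."""
    frame = DATA_SYMBOLS + PROBE_SYMBOLS
    seq = tribit_stream(n_frames * frame)
    return [tuple(seq[f * frame + DATA_SYMBOLS:(f + 1) * frame])
            for f in range(n_frames)]
```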

Fig. 3 - LFSR Testbench simulating the sequence randomizing generator

Fig. 4 - Logic Simulator PRO simulating the sequence randomizing generator

These two tools are very interesting and useful also for simulating LFSRs that are used for sync sequences or scramblers, give them a try.

[1] https://www.fpga4fun.com/files/LFSRTestbench.zip
[2] https://logic-circuit-simulator-pro.it.aptoide.com/app

7 July 2021

unid STANAG-4539 3200bps bursts

Interesting and unid STANAG-4539 bursts recorded on 5270.0 KHz/usb. The user data rate is 3200 bps, obtained using QPSK modulation with the short interleaver. Notice that the quadrature phase-shift keying constellation is scrambled to appear, on air, as a PSK8 constellation. The bursts have a duration of 1350 ms, each transports nine 256-symbol data blocks, and they do not seem to follow a particular timing.

Fig. 1 - S4539 3200bps waveform

The bitstreams after demodulation have a common preamble consisting of three components (Figure 2):

a) idle sequences of '0's and '1's (depending on the polarity of the receive modem)
b) initial 334-bit (frame sync?) sequence
c) 128-bit Initialization Vector, repeated three times (3x128 bits)

The encrypted data blocks follow.

Fig. 2 - COMSEC preambles

The most interesting component is the 334-bit sync sequence, which has a particular 24-bit period; as a mere attempt, I found that it could be generated by the polynomial x^21+x^10+1.

Fig. 3 - 334-bit sync sequence

By the way, MIL 188-220D describes the three components which compose the initial COMSEC preamble: the Bit Synchronization subfield, or Phasing subfield (it may consist of a string of alternating ones and zeros), the Frame Synchronization subfield, and the Initialization Vector subfield (Figure 4); it must be said, anyway, that the Bit Synchronization patterns do not match. Notice that Figure D3 illustrates the case where Robust Frame Synchronization is not used (see 188-220D #D.5.2.2).

Fig. 4

User, purpose of the transmissions and Tx location(s) are unidentified; the only thing I can add is that better reception is possible using receivers located in northern European countries: by the way, I used two KiwiSDRs located in Denmark [1] and Norway [2].

https://disk.yandex.com/d/KgUT7aaESDD6hA

[1] http://85.191.81.117:8073/
[2] http://kiwi.wlansupport.no:8073/

1 July 2021

8N1 async operations

8N1 async operations using STANAG-4285 and 110A serial modems (1200bps/S and 1200bps/L respectively) recorded in the 6.9 MHz band, the first likely from Turkey. After removal of the framing, the 8-bit streams are not in clear text and are therefore (off-line) encrypted.

Fig. 1 - STANAG-4285 user data
Fig. 2 - 110A ST user data

https://disk.yandex.com/d/oYXY9Rh4c9dm8Q

30 June 2021

unid FSK/MFSK SELCAL

6907.0 KHz (cf): unid SELCAL waveform. The waveform consists of a 40Bd/240 FSK idling part followed by MFSK-36 40Bd/40 (likely the Id of the called station).

Fig. 1
Fig. 2

https://disk.yandex.com/d/XlHhceBC9fLlvQ

26 June 2021

3G-HF "BW5 + 110A" combined waveform ...or just coincidence?


From 19 to 23 June I monitored interesting transmissions on 5091.5 KHz/USB that seem to use a kind of "combined" waveform consisting of the FLSU BW5 waveform followed by the 188-110A 300bps waveform. As for the timing, the transmissions occur every minute, last about 31 seconds and are arranged in a way that resembles the circuit mode service of STANAG-4538. Starting from Thursday 24, these broadcasts have not been repeated (at least until today).

Fig. 1 - ACFs  



As said, it seems that the data are sent using a transmission composed of two parts: a sequence of FLSU PDUs, which are transmitted using the BW5 burst waveform, and the payload data, transmitted using the 188-110A serial waveform. These two parts are transmitted contiguously with no dead time separating them (Figure 2).

Fig. 2 - framing

That kind of waveform (BW5 + 110A) is indeed very odd, unless I am mistaken and it is an overlap of two distinct transmissions... but it would still be odd that the overlap is so perfect and continuous for more than two days. Anyway, if it's a real "combined" waveform then it's definitely a synthesized waveform (SDR).
For clarity, however, it must be said that:
a) the BW5 waveform (and thus the FLSU protocol) has been detected by examining the signal's ACF and its payload;
b) the length (duration) of the initial BW5 sequence is explained in this post;
c) the BW5 waveform could also be used to transport other types of PDUs and not only the PDUs of the FLSU protocol.

data link protocol
The data link protocol used is also interesting: its initial structure consists of 32-bit (4-byte) patterns which are common to all the payloads (Fig. 3):

192-bit idle sequences of reversals (alternating sequences of '0's and '1's)
10001011010001111000010010000111 (0xD1E221E1) sequence #1
01111011101101001011100010000111 (0xDE2D1DE1) sequence #2
11 bytes length data block
10001011010001111000010010000111
10001011010001111000010010000111

10001011010001111000010010000111 (5 x sequence #1)
10001011010001111000010010000111
10001011010001111000010010000111

(data block follows)

Fig. 3 - data link protocol after 188-110A removal

The two 4-byte sequences are not generated by polynomials and are likely used as sync patterns, although the five repetitions of sequence #1 suggest an Initialization Vector; in my opinion, such a method could be risky in terms of security, since the same IV sequence is used for all the forwarded messages (unless they are test transmissions and/or pseudo-random traffic). Data blocks seem anyway encrypted.
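A parser for the data link structure listed above, as an added example of mine (not a tool from the post): it locates the idle reversals and the two sync sequences, splits off the 11-byte block, the five repetitions of sequence #1 and the payload, and flags the case where the candidate-IV field is identical across messages. The hex values the post quotes (0xD1E221E1, 0xDE2D1DE1) come out when each byte is read LSB first, which is how the helper packs them; the test messages are constructed, with random bytes in the block and payload.

```python
import random

# Patterns given in the post, bit order as demodulated. The post's hex values
# (0xD1E221E1, 0xDE2D1DE1) result from reading each byte LSB first.
SEQ1 = "10001011010001111000010010000111"
SEQ2 = "01111011101101001011100010000111"
IDLE_BITS, BLOCK_BITS, IV_REPEATS = 192, 88, 5   # 192 reversals, 11 bytes, 5 x #1

def bits_to_hex(bits):
    """Pack a bit string into hex, LSB first within each byte."""
    return "".join(f"{int(bits[i:i + 8][::-1], 2):02X}"
                   for i in range(0, len(bits) - 7, 8))

def parse_message(bits):
    """Split one demodulated message (after 188-110A removal) into the fields
    the post lists; returns None when the expected header is not found."""
    start = bits.find(SEQ1 + SEQ2)
    if start < IDLE_BITS:
        return None                          # no sync, or idle run too short
    idle = bits[start - IDLE_BITS:start]
    if any(idle[i] == idle[i + 1] for i in range(IDLE_BITS - 1)):
        return None                          # idle part is not pure reversals
    p = start + 2 * len(SEQ1)
    block, p = bits[p:p + BLOCK_BITS], p + BLOCK_BITS
    iv, p = bits[p:p + IV_REPEATS * len(SEQ1)], p + IV_REPEATS * len(SEQ1)
    if len(iv) != IV_REPEATS * len(SEQ1) or any(
            iv[i:i + len(SEQ1)] != SEQ1 for i in range(0, len(iv), len(SEQ1))):
        return None                          # the five repetitions are missing
    return {"sync1": bits_to_hex(SEQ1), "sync2": bits_to_hex(SEQ2),
            "block": bits_to_hex(block), "iv": bits_to_hex(iv),
            "payload": bits_to_hex(bits[p:])}

def iv_reused(messages):
    """True when every parsable message carries the same candidate-IV field,
    i.e. the one-IV-for-all-messages situation the post flags as risky."""
    ivs = {m["iv"] for m in map(parse_message, messages) if m}
    return len(ivs) == 1 and len(messages) > 1

def sample_messages(n=3):
    """Constructed test traffic: the post's header patterns around random
    11-byte blocks and 32-byte payloads (not recorded data)."""
    out = []
    for seed in range(n):
        rng = random.Random(seed)
        rand = lambda k: "".join(rng.choice("01") for _ in range(k))
        out.append("01" * (IDLE_BITS // 2) + SEQ1 + SEQ2 + rand(BLOCK_BITS)
                   + SEQ1 * IV_REPEATS + rand(32 * 8))
    return out
```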

Fig. 4 - details of the 32-bit structure of the data link protocol

The exact same structure and 32-bit sequences had already been detected in some recordings from 2018 (!): also in that case they were "plain" 188-110A transmissions forwarded in circuit mode service [4].

TDoA direction finding
The transmissions are fairly receivable only in the northern regions of Europe; more precisely, I used KiwiSDRs in Norway and Denmark [1][2]: that's a sign that a low-power transmitter is used or that they serve a local area. As for the site of the transmitter, all my direction findings point to a well-restricted area north of Oslo, Norway (Figure 5).

Fig. 5 - TDoA results

Norway has released an interactive map of all the military locations where it is forbidden to operate a drone [3]. All the markers indicate an area where it is illegal to take aerial photographs or video using a camera or any other type of sensor: in figure 6 I have cut out an area that more or less matches the area identified by the DF.

Fig. 6

remarks
Starting from June 22 the transmissions show a paradigm change, a bit more in line with the circuit service model of STANAG-4538; the structure of the data-link protocol used, anyway, remains unchanged.

These transmissions raise several questions, the first being whether or not it is an experimental combined waveform (and therefore whether they are test transmissions). It would also be interesting to identify the transmitter site with greater precision and, if anything, which data protocol is used.

https://disk.yandex.com/d/2I0bzM2nDShWGA
https://disk.yandex.com/d/kD-9y_TFkZoFqQ
https://disk.yandex.com/d/Bt2pIPxE-o6Udw

[1] LB3J SDR in Smøla, Norway http://77.223.174.203:8073/
[2] KiwiSDR by OZ1BFM in Vejby, DENMARK http://oz1bfm.proxy.kiwisdr.com:8073
[3] http://googlemapsmania.blogspot.com/2018/09/norways-secret-military-sites.html
[4] https://i56578-swl.blogspot.com/2018/03/unid-32-bit-secondary-protocol.html

17 June 2021

a STANAG-4481F temporary channel activation?

Heard 75Bd/850 FSK transmissions (broadcasts?) on 6372.0 KHz CF until Sunday 13th June, with no transmission in the following days (at least until today). Transmissions were KW-46 secured and most likely sourced from the Barford St. John USAF transmitter. A temporary activation on the occasion of the G7 summit just held in the UK... is that too imaginative?

Fig. 1

Fig. 2
https://disk.yandex.com/d/e1BfYmNeUhHa1A

10 June 2021

MAHRS-serial and STANAG-4285, ie don't blindly trust decoders

It happened by chance that I analyzed a complete session of data exchange in MAHRS mode (ALE + traffic) while I had a STANAG-4285 decoder active on the desktop: to my surprise the decoder started printing out a bitstream even though, as said, it was set for STANAG-4285 (Figure 1).

Fig. 1

Intrigued by that fact, I went to look at the points that S4285 and MAHRS-serial have in common, enough to confuse the decoder, other than the obvious features such as speed (2400Bd) and modulation (PSK8).

The first thing that stands out is the equality of the ACF values (Figure 2): 106.6 ms, or 256 symbols. Thus, in my opinion, it seems that the decoder in question (Sorcerer, and therefore also K500) tries to identify a signal by analyzing its ACF: probably those kinds of decoders have an internal table that allows this association.

Fig. 2 - ACF values for STANAG-4285 and MAHRS serial

The structure of the frames is anyway very different, except for the first 80-symbol preamble which is common to both waveforms (Figure 3): S-4285 framing consists of an initial 80-symbol preamble followed by 4x32-symbol data segments and 3x16-symbol probes; MAHRS-serial framing consists of the initial 80-symbol preamble followed by a data block of 176 data symbols.

Fig. 3 - framing structure for STANAG-4285 and MAHRS serial

As a third common feature, both 80-symbol preambles are modulated using BPSK: the pronounced BPSK states in the constellation plane of the MAHRS serial signal are quite eloquent (Figure 4).
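Why an ACF-keyed decoder cannot tell the two waveforms apart, as an added example of mine (not the Sorcerer/K500 logic, which is not public): both frame layouts from the text are built as PSK8 symbol streams with a fixed BPSK preamble repeated every frame, and the ACF peak lands at 256 symbols (106.6 ms at 2400 Bd) for either one. The preamble and probe symbols are constructed at random, not the real patterns.

```python
import cmath, math, random

PSK8 = [cmath.exp(2j * math.pi * k / 8) for k in range(8)]
SYMBOL_RATE = 2400                        # both waveforms run at 2400 Bd

# Frame layouts from the post (both sum to 256 symbols).
S4285 = [("preamble", 80)] + [("data", 32), ("probe", 16)] * 3 + [("data", 32)]
MAHRS = [("preamble", 80), ("data", 176)]

def frame_stream(layout, n_frames, seed=1):
    """Constructed PSK8 symbol stream: the preamble (and S4285 probes) are
    fixed BPSK patterns repeated in every frame, data symbols are random."""
    rng = random.Random(seed)
    fixed, out = {}, []
    for _ in range(n_frames):
        for idx, (kind, n) in enumerate(layout):
            if kind == "data":
                out += [PSK8[rng.randrange(8)] for _ in range(n)]
            else:
                if idx not in fixed:          # same known symbols each frame
                    fixed[idx] = [PSK8[rng.choice((0, 4))] for _ in range(n)]
                out += fixed[idx]
    return out

def acf(sym, max_lag):
    """|sum conj(x[n]) x[n+lag]| / N for lag = 1..max_lag."""
    n = len(sym)
    return [abs(sum(sym[i].conjugate() * sym[i + lag] for i in range(n - lag))) / n
            for lag in range(1, max_lag + 1)]

def frame_period(sym, max_lag=300):
    """Lag (in symbols) of the strongest ACF peak: the repeated preamble
    makes it the frame length, whatever the rest of the frame contains."""
    a = acf(sym, max_lag)
    return 1 + max(range(max_lag), key=a.__getitem__)

def acf_ms(period_symbols):
    """Frame period expressed in milliseconds at the common symbol rate."""
    return period_symbols / SYMBOL_RATE * 1000.0
```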

Fig. 4

STANAG-4285 is not an autobaud waveform, so decoding is based on the user settings; just for fun I played with some sub-modes, even if, obviously, the decoder can't find the expected known symbols (16-symbol probes). The best results, in terms of "confidence", were obtained by setting the bit rate to 2400 bps; obviously the corrections are equal to zero in the uncoded mode:

It must be said that MAHRS serial is not the only S4285-like waveform; another example is the 2400Bd PSK-8 serial waveform from the THALES TRC-1752 modem (Thales Système 3000 family), although the latter is more properly defined as a "variant".

Fig. 5 - THALES TRC-1752 STANAG-4285 variant

In the end, do not blindly trust decoders: they are not infallible and there is no magic wand; just open your wav files and analyze them.