27 September 2024

QPSK & "SPIDER HF" MFSK8 waveforms (ROK Military)

I monitored the 8235.0 KHz/USB frequency (maritime band) since some days using some remote KiwiSDRs in Oita, Okayama (both Japan) and Daegu (South Korea) [1] recording several and very interesting QPSK and MFSK8 signals that I had never met before.

1) I noticed that QPSK transmissions usually start from 0730 UTC while MFSK8 transmissions start from around 0900 UTC; probably they have different contents and purposes. In this regard, it should be noted that I monitored only during the morning and early afternoon UTC and that Korean Standard Time (KST) is UTC+9. A second interestig aspect is that both types of transmission are not preceded by selcalls or ALE, perhaps 8235.0 KHz is a "stand-by" frequency of that net? 
As shown in Figure 1, other than QPSK & MFSK8 data transfers, transmissions consist of voice comms that have been very useful since the analysis of the audio files (speech & accent), and in part of the waveforms too, allowed me to trace it back to a South Korean user; also note in Figure 1 the slight mistuned frequency between the operators.

Fig. 1 - QPSK and MFSK8 signals

2) QPSK transmissions consist of a series of "segments" that are sent consecutively, the longest I have seen is about 32 seconds; voice comms occur before and after a series has been transmitted. 
 
Each segment has a modulation rate of 750 Baud (1500 bps) and a 1600 Hz bandwidth. Each segment is preceded by two unmodulated tones lasting approximately 5 seconds and end with a short tone transmitted at the sub-carrier frequency (Figs 2,3); the distance between the two initial tones is 750 Hz.
 
Fig. 2 - QPSK signal parameters

Fig. 3 - QPSK modulation
 
As confirmed by my friend ANgazu, the two initial tones make a BPSK signal whose modulation speed has the same value as their shift, ie 750 Bd; the carrier is the center of both. They transmit reversals and are very useful to adjust the AGC, fine-tuning the signal and synchronizing the demodulator's PLL. In this case, if using a QPSK demodulator, the initial preambe is "0202020202" and it achieves the same functions (Figure 4).
 
Fig. 4 - QPSK demodulation of the two initial tones

I couldn't find a characteristic period of the demodulated QPSK bitstreams (Figure 5): instead, since they are raw PSK demodulations and NOT the result of a decoding, we should see something similar to a "framing" of the used HF waveform, as we usually see in these cases, even if bits are encoded and interleaved.
 
fig. 5 - a bitstream after QPSK demodulation (BPSK preamble is omitted)

 
Statistical analysis of one of these bitstreams (Figure 6) shows a compressed or encrypted stream: probably the encryption device is built into the modem or the encrypted streams are sent directly to a "simple" QPSK modulator.
 
Fig. 6 - statiscal analysis of a demodulated QPSK bitstream

3) MFSK8 transmissions,
unlike QPSK, consist in a "single" transfer, voice comms occur before and after each individual transmission. 
Transmissions are preceded by two unmodulated tones with a separation of 500 Hz and a duration of about 5 seconds (as in the QPSK waveform). The unmodulated ending tone, lasting about 1 second, coincides with the lowest data tone (the initial two tones do not match any data tone). The eight data tones are modulated at the speed of 250 Baud (750 bps) and the space between the tones is 250 Hz giving an occupied bandwidth of 2250 Hz (Figs 7,8). Each tone (symbol) represents three bits of data as follows (least significant bit (LSB) to the right):
 
   tone       Gray   bin
• 1000 Hz  000    000
• 1250 Hz  001    001
• 1500 Hz  011    010
• 1750 Hz  010    011
• 2000 Hz  110    100
• 2250 Hz  111    101
• 2500 Hz  101    110
• 2750 Hz  100    111
 
(the frequency of the tones was established based on the correct tuning of the operators' voice)
Note that aurally it cannot be confused with the Thales Robust MFSK8 or MS-141A waveforms as they have a 250 Hz lower tones allocation and a lower Baud rate (125 Bd). By the way, the SPIDER MFSK8 its usage is probably similar to the Thales one, i.e. data transmission.
 
Fig. 7

Fig. 8

The analysis of ACF and bitmap rasters reveals the presence of structured blocks at the beginning and at the end of each transmission (Figure 9): these blocks have a duration of 1364 ms that makes 341 symbols (at modulation speed of 250 Bd).

Fig. 9 - MFSK8 ACF and bitmaps

I also tried a "plain" 8-tone demodulation using the SA demodulator and according to the tone order shown in Figure 10; for completeness I used both binary and Gray (MS-141 style) conversion. Again, Bit streams show two initial and final blocks that have equal length of 1023 bits, ie 341 symbols (each tone represents a 3-bit symbol).
 
Fig. 10 - binary and Gray coded MFSK8 bitstreams

 
4) Why am I thinking of South Korean users?
My friend cryptomaster told me a great lead by reporting that the MFSK8 250Bd/250Hz is a "proprietary" waveform of the "SPIDER Tactical Communication System" by Huneed Technologies (Figure 11), a South Korea-based company engaged in the provision of tactical communication equipment to South Korea Army [2]; the system was deployed in the early 2000s. According to some Google searches, the transceiver used could be the SPIDER (CNR) HF PRC/VRC-950K, suited for either army and navy [3][4]. It's not known if, in addition to MFSK8, the QPSK waveform too is provided by that same device.  
Since the speech & accent, the voice comms language is definitely Korean, as Max (KJ4WNA) from UDXF emailed me "a tell tale sign is the endings -nida". As for the North/South Korea ambiguity due to the use of the same language, AFAIK the North Korean military (Korean People's Army, KPA) uses communication equipments by Glocom Corp. and not South Korean ones. Unfortunately, further "geographic" confirmation was not possible because radio direction finding results were not reliable due to the brevity and near unpredictability of the transmissions as well as the lack of receivers west of the Korean peninsula.
 
Fig. 11 - SPIDER (Combat Net Radio) HF transceiver by Huneed

As far as possible, I transcribed the Korean-language audio files into texts using some online tools [5], then I translated the txt files into English using Google/Yandex/DeepL translators obtaining rather interesting conversation' snippets (Figure 12). Although transcriptions and translations may results a bit "odd" and discordant, actually there are clues that point to South Korea.
 
Fig. 11 - example of a machine transcription & translation

Speeches seem refer to a maritime scenario, as from the exchanged informations related to weather conditions, sailing, heading etc.: it must be said that the use of the SPIDER HF waveform would indicate an usage in a military environment such as the Navy and not in fishing boats. In addition to usual coordination and voice checks relating to the sending/receiving of data,  operators cite names of some South Korean places such as "I'm going to go to Namhae by the South Sea"(1),"There's nothing else in Busan "(2), or "Mapo is 7 Km away" (3).
As I said, the transmissions are not preceded by selcal/ALE and I did not hear - or perhaps I did not figure out - any callsigns pronounced by the operators. Only in a few transmissions I came across sentences such as "I've communicated with all the surrounding turns... I've communicated with both SP3 and SP4" but I haven't heard anything else or additional context that actually confirms that these are callsigns. Only once I heard a link termination:  "This is Yanglak-Dong 146 / This is Maunoi" (or perhaps "This is Yangrak-Dong 146 / This is Maunnoi").
Amogng other txt files, a September 23 0923 UTC (1623 KST) voice recording requesting the location of a boat carrying (North Korean) defectors must be noted (Figure 12). North Korean "defectors" are Koreans who have fled North Korea seeking asylum in South Korea or other nations. For the sake of completeness, I must say that the day after I looked at the Yonhap news agency website [6] but I did not find any reference to alleged defectors. Perhaps the news was not so relevant or there was no intervention by South Korean assets ...but here we enter the realm of suppositions.
 
Fig. 12

5)
Given the the use of a "informal language", the machine transcriptions/translations might sometimes generate military jargon terms and names that seem a bit odd and out-of-context, as the the classic term "Christmas trees" used in board U.S. submarines and reffered to nuclear missiles. For example, I have often noticed the use of the term "seagull" which, judging by the speeches context, may not refer to the well-known bird. Also, it must be said that the operators speak Korean(!) and not more "easy" languages ​​such as English, Spanish or even French, so I could not correct the errors as I should desire and confirm that the transcriptions were accurate, but I simply copied and pasted the automatically transcripted texts.

6) At present I do not have sufficient evidence to confirm whether this is the South Korean Navy (ROKN, Republic of Korea Navy) or possibly other assets such as the Coast Guard (KCG, Korea Coast Guard), although the latter is not under the Ministry of Defense (the Coast Guard is an independent and external branch of the Ministry of Maritime Affairs and Fisheries). Therefore I can't not exclude that users may be other South Korean military/civilian organization: further recordings & analysis and blog readers too will help.
(to be continued)
 
https://disk.yandex.com/d/_Ab_KPufsyPGPw (waveforms and a relevant op-chat)

(1) Namhae is the site of the South Regional HQ of Korean Coast Guard and also a Mine Sweeper Hunter of Korean Navy

(2) The Busan Naval Base is a group of ports and land facilities of Korean Navy (ROKN), located at Nam-Gu, Busan. The United States Naval Forces Korea headquarters sit within this base

(3) "Mapo" could be a mistranscription of the word "Mopko" which is the Third Fleet Command HQ of ROKN and also the West Sea Regional HQ of KCG. This way, the sentence "Mopko is 7 Km away" would make sense

30 August 2024

Citadel II encryption in sync/async MS-110A transmissions (Algerian AF)

Altought it was introduced in 2004 [1], so far I had always seen the Citadel II encryption algorithm occur in 3G-ALE/STANAG-4538 contexts which use the circuit mode service [2][3]; conversely, in 3G-ALE/S-4538 packet mode service (xDL protocols), and just few times in async S-4285 and MS-110A transmissions, I met the Citadel I algorithm. Of course this doesn't mean that Citadel II is only used in S-4538 circuit mode: it's just a commentary on my experiences. Finally, after almost one year since the last "Citadel detection", some interesting recordings show the use of Citadel II also in a 2G-ALE/MS-110A context (1).
Transmissions were recorded a few days ago on 11480.0 KHz/USB thanks to the EA5JGN KiwiSDR located in Hondon Valley (Spain) [4]: that frequency - as is known - is largely used by the Algerian Air Defence/Territorial Air Defence (say Algerian AF), as confirmed by the decoding of the 2G-ALE 188-141A exchanged messages (2).

Fig. 1

Figures 2,3 show the decoded bitstreams of the first two MS-110A segments of Figure 1 (T08_02_07Z recording) before and after the removal of the well-known sync sequence

0x [1E 56 1E 56 1E 56 1E 00 1A 5D 1A 5D 1A 5D 1A 5D]

In both the cases, 12-byte/96-bit length Initialization Vectors (3 times repeated) are used.

Fig. 2

Fig. 3

The 3d MS-110A segment in Figure 1 is the most interesting one since - curiously - its decoded bitstream shows an async 8N1 framing: perhaps the related file comes from a different workstation of the network, also connected to the same messaging server. Figure 4 shows the 12-byte Initialization Vector after start/stop bits and sync sequence were removed.

Fig. 4

As I mentioned before, Algerian AF network (in this example nodes CNC and CM3) usually uses this frequency as well as MS-110A asynchronous transmissions; for this reason I went to search for similar transmissions in my files and found - right in the blog - a post dated December 2017 [5]. The analysis of the bitstream shows that Citadel II encryption was already used since then in that network. At that time I was a bit less experienced and probably I focused on the particular 8-bit pattern, neglecting to search for other possible sequences.

Fig. 5

https://disk.yandex.com/d/BwSBToYfOJp5TA

(1) please note that although Citadel I and II  are referred to as algorithms, they are actually ASIC chips (Application-Specific Integrated Circuit), ie algorithms rendered in hardware, which are embedded - for example - in L3Harris Falcon II, Falcon III family radios.  

(2) collected ALE Address
BLD: [Air Defense] Blida
TDF: [Air Defense] Tinduf
COF: [Air Defense] Cheraga
ANB: [Air Defense] Annaba
CM5: Commandement de la 5e Région Militaire, Constantine
CM3: Commandement de la 3e Région Militaire, Bechar
CNC: Commandement des Forces Aériennes d'Alger, Cherage 

[1] https://www.cryptomuseum.com/crypto/harris/citadel2/
[2] http://i56578-swl.blogspot.com/2023/05/harris-citadel-ii-secured-traffic.html
[3] http://i56578-swl.blogspot.com/2023/06/harris-citadel-ii-secured-transmissions.html
[4] http://ei2hh.proxy.kiwisdr.com:8073/
[5] http://i56578-swl.blogspot.com/2017/12/a-ms-110a-modem-running-in-async-mode.html
 

26 August 2024

about the unid 32-bit protocol used in S-4538 + MS-110A transfers

This is the third time I have encountered these transmissions [1] and, given the good number of recordings made over a few days on the frequency 6964.5 KHz/USB, it is now possible to draw a more definitive "picture".

Transmissions normally occur each 5 minutes and last 1.5 - 2 minutes average. STANAG-4538 (3G-HF) "circuit mode service" is used, where MS-110A (usually in 75bps/Long Interleaver mode) is the used traffic waveform; sometimes a transmission may consist of two or more distinct data transfer sessions (Figure 1).

Links are established using the FLSU (Fast Link SetUp) Asynchronous scanning call, using BW5 and an "optimized" waveform which provides no repetition of the initial TLC section (used for transmitter level control and receiver AGC settling). Such a scanning call is exactly described in paragraph C.5.2.4.5.2 of  MIL 188-141B Appendix C: "The LE_Scanning_Call PDU shall be sent repeatedly to capture scanning receivers [...] During a scanning call, only the first LE_Scanning_Call PDU shall include TLC. All succeeding LE_Scanning_Call PDUs and the LE_Call PDU shall omit TLC, and include only the BW0 preamble and data portions" (1)(2). So, we look at a STANAG-4538 FLSU Async call (since the use of BW5 waveform) which is 188-141B compliant for what regards its formation (since the omission of  the TLC sections): ie, a sort of  188-141B/STANAG-4538 mixed implementation most likely implemented by L3Harris [2][3]. That "formation" of the Async call clarifies why decoders recognize only the "first" BW5 PDU. 

Fig. 1

Looking at the asynchronous scan calls, at first glance it seems that Linking Protection (LP) is not used: in fact, as you can see, the decoded strings are identical. This should not happen since when operating in encrypt mode, the LP algorithm takes as inputs the PDU to be scrambled, a key variable, and a “seed” that contains Time of Day (TOD) and the frequency that carries the protected transmission.

2024-08-21T09_54_32Z BW-5 00111001010000100011011001001010011110001000011010
2024-08-21T09_56_17Z BW-5 00111001010000100011011001001010011110001000011010
2024-08-21T10_01_54Z BW-5 00111001010000100011011001001010011110001000011010

2024-08-22T07_46_52Z BW-5 00010110100000110011111110111010101110111100000110
2024-08-22T07_51_52Z BW-5 00010110100000110011111110111010101110111100000110

Anyway, it's to note that when the protection against spoofing offered by LP is not required, LP may be used without a key variable or seed to provide only scrambling based on the network number as described in STANAG-4538 4.1.2 (in this regard, note that the scanning calls of 2024-08-22, for example, do not have the expected value "001" in the first three bits). 

The analysis of the MS-110A decoded bitstreams show initial 100 bytes length headers which have some parts common to all the bitstreams, the header "format" is more evident after the removal of the initial "10"s sequence (Figures 2,3).

Fig. 2

Fig. 3

In my opinion, headers are made up of the following structure (Figure 4):

1) common initial sequence

1100000100011100101001 (maybe 001100000100011100101001, 0x0CE294)

2) common 193 bits length "01"s sequence, (phasing?). Boundaries are marked by two consecutive logical "1"

3) common 160 bits / 20 bytes length sequence (sync sequence for the receive crypto device?)

10001011010001111000010010000111
01111011101101001011100010000111
01000100011110000100100001110111
10111011010010111000101101110100
01000111100001001000011101111011

4) 256 bits / 32 bytes length sequence which is different in every bitstream (Initialization Vector?)

5) common 5×32 bits / 4 bytes repeated sequence (frame sync?). Note that the sequence can't be an Initialization Vector since it's always the same in every bitstream.

10001011010001111000010010000111
10001011010001111000010010000111
10001011010001111000010010000111
10001011010001111000010010000111
10001011010001111000010010000111


Also note that the 4 bytes repeated sequence is used in the first 4 bytes of the 160 bits sequence.

Fig. 4 - the common blocks in the headers of the bitstreams

According to the results of the "Shannon Entropy" and "Statistical" tests, the ansferred data are most probably encrypted (Figure 5).
The measure of the Shannon Entropy can be used, in a broad sense, to detect whether data is likely to be structured or unstructured. 8 is the maximum, representing highly unstructured, 'random' data. Properly encrypted or compressed data should have an entropy of over 7.5 The statistical test below determines the randomness, the number of single bits in the stream is counted, then the double bits, then the triple bits and so on to the end. The result is a graph: if the information is not systematic, the adjacent columns should be half the size of the previous ones. Both the test shows good encryption quality.

Fig. 5 - Shannon Entropy and Statistical tests on the data portions

The transmissions are fairly receivable only in the northern regions of Europe, likely a low power transmitter is used or a local/domestic area shall be served. Just about the site of the transmitter,  all my direction finding attempts point to a quite large area in Norway (Figure 6): maybe a Royal Norwegian Navy Tx? Anyway, it's to notice that the DF results "suffer" from the lack of detection points west of Norway.

Fig. 6 - Direction finding attempts (TDoA algorithm)

Monitoring & recordings thanks to the remote KiwiSDRs SM0KOT (Sweden) and OZ1AEF (Denmark) [4][5]. 

https://disk.yandex.com/d/AcwncUTKxXlQ_A (decoded bitstreams)

(1) MIL 188-141B refers to BW0 as the waveform to convey "LE_Scanning_Call PDU" and "LE_Call PDU" (LE stands for Link Establishment): FLSU, and consequently the BW5 waveform, were not yet defined at that time.

(2) 188-141B (released on March 1999!) was superseded by 188-141C (December 2011), in its turn superseded by 188-141D (December 2017): the last two standards no longer have the Appendix C but only some short paragraphs, among them the #C.6 says "The specifications previously contained in this appendix have been replaced with reference to the essentially identical NATO STANAG 4538".

[1] http://i56578-swl.blogspot.com/search/label/P%3D32
[2] http://i56578-swl.blogspot.com/2022/10/harris-3g-ale-flsu-async-call.html
[3] http://i56578-swl.blogspot.com/2022/10/harris-3g-ale-flsu-async-call-2.html
[4] http://aspliden.kostet.se:8074/
[5] http://85.191.35.22:8073/

 

31 July 2024

unid FSK 300Bd/300 bursts

Interesting and unidentified FSK 300Bd/300 bursts heard on ~14490 KHz and sent to me by my friends ANgazu and cryptomaster (Figure 1).

Fig. 1 - FSK 300Bd/300 bursts

The signals recorded by the latter (6 bursts) have a better SNR and therefore more suitable to be analyzed. As you can see in Figure 2, the demodulated bitstreams (d1-d6) can be divided into the 4 groups G1, G2, G3, and G4:

Fig. 2 - couples of demodulated bitstreams d1-d2, d3-d4, d5-d6
 

G1: (40 bits) probably a header/SOM sequence, this group is common to all the bitstreams;

G2: (40 bits) this group is different in every bitstream and maybe consists of something related to the message. In a 10-bit format it's possible to see repeated "fields", when reshaped to a 20-bit format the groups may consist of a 11-bit "field" followed by a common 9-bit pattern (Figure 3);

Fig. 3 - G2 groups

G3: (variable length)  I think this group is the data part of the message, this is sent twice into two different bursts (sometimes 3 times in 3 bursts). These groups have a period of 50 bits in length that appears to have some form of structure (Figure 4);

Fig. 4 - G3 groups

G4: (20 bits) probably the EOM sequence, this group is common to all the bitstreams.

During the formation of this FSK signal the phases of the two frequencies are preserved after each "shift" (Figure 5), ie the frequency shift is generated by a single generator and its clock frequency changes, so the manipulation is achieved without disrupting the phase of the signal. If two frequency generators are used then we should see changes of phase in both f1 and f2, unless the two generators are in some way phase synchronized.

f2 ~ 1976,98 HZ (2:0,001011640)
f1 ~ 1676,95 Hz (2:0,001192640)

as expecetd, 300 Hz shift (f2 - f1).

Fig. 5 - phases of the two frequencies

The prevailing opinion is that this is probably some type of selcall or ALE probing, in which case the G2 groups could be the addresses.

https://disk.yandex.com/d/3gK_L2RqFjHXXQ



19 July 2024

CIS-1200 SDPSK 1200Bd ("Makhovik", T-230-1A)

updated (23 July 2024)

This transmission, along with a probably spurius emission 600 Hz above, was recorded on 13002.5 KHz (cf) thanks to the remote KiwiSDR located in Azumino-city Nagano, Japan [1].

Fig. 1 - main signal and its spurius

The signal that I assume is the "actual" one and that I analyzed is characterized by a SDPSK (Simmetrical Differential PSK) modulation at a speed of 1200 Baud. Indeed SDPSK is equivalent to π/2 DBPSK or PSK2 with phase rotation: ie, as shown by the transitions in absolute mode, SDPSK assumes that the phase is rotated by +π/2 for bit “0” and by -π/2 for bit “1” thus there is not a 180° turn (transitions do not pass through 0). The information transmitted is encoded in the transition and not in the state. The signal can be demodulated using the differential mode (diff=1).

Fig. 2 - SDPSK modulation

The transmission consists of some segments that differ by the presence or absence of an initial preamble (signals A and B in Figure 3) which consists of a repeated 511-bit length pseudo-random sequence generated by the polynomial x^9+x^5+1 (1) as for the ITU Recommendation O.153 [2] (188-110B "39-tone parallel mode" too uses that sequences).

Fig. 3
 
Fig. 4 - 511 bits length sequence

The presence of such sequences is one of the features of the so-called Makhovik (aka the "flywheel"), a well known Soviet-Mil crypto system. Although someone classifies Makhovik as vocoder, it can can be used for time-multiplexed encryption of both voice and data up to 9600 bps. It's official name is "T-230 bundle ciphering device for teleprinter and  data connections" and was designed to operate in UHF but very often is found in LF and in HF.
After the removal of the initial preamble, the following data block consists of a "common" sequence:

110101100100011110101100100011

followed by 240-bit Initialization Vectors that are sent in 8x30-bit groups, each group repeted three times (Figure 5): these 30-bit groups are another peculiar feature of  the Makhovik system.

010000111011001110010100001110
011101100101000011001010000111
110010100001110010000111011001
001110110010100000111011001010
001110110010100011001010000111
111111111111111000011101100101
001110110010100111011001010000
101100101000011011101100101000

Fig. 5

Segments sent w/out the initial preamble (type B in Figure 3) show exactly the same structure: note as the Initialization Vectors slightly differ (Figure 6): this feature should be further studied (it is probably somehow related to the presence/absence of the initial preamble) but it is necessary to obtain several more recordings.

010000111011001110010100001110
011101100101000011001010000111

110010100001110010000111011001
001110110010100000111011001010
001110110010100011001010000111
111111111111111000011101100101
001110110010100111011001010000
101100101000011011101100101000

010000111011001110010100001110
011101100101000011001010000111

011001010000111100001110110010
111011001010000110010100001110
010100001110110110110010100001
100101000011101001010000111011
111011001010000111111111111111
011101100101000100001110110010

Fig. 6

It's worth noting that in some previous Makhovik recordings I saw differential encoded data & BPSK, while this ones consist of  plain encoded data & SDPSK [3].

update (23 July 2024)
I willingly add a comment sent me by my friend cryptomaster.
The common sequence in Figs 5,6

110101100100011110101100100011

shall be right shifted to appear as

111101011001000111101011001000

which in turn is the repetition of the 15 bits length M-sequence generated by the polynomial x^4+x+1 (Figure 7).

111101011001000

Fig. 7 - the repetition of the 15 bits M-sequence generated by the polynomial x^4+x+1

https://disk.yandex.com/d/Vg5XruORhd8_5A

(1) the use of the polynomial x^9+x^5+1 is quite common in CIS waveforms,see http://i56578-swl.blogspot.com/p/polynomials.html

[1] http://jf0fumkiwi.ddns.net:8073/
[2] https://www.itu.int/rec/T-REC-O.153/en
[3] https://i56578-swl.blogspot.com/search/label/Makhovik 

16 July 2024

MS-110D App.D (WBHF) transmissions, Collins Aerospace over-the-air testing? (2)

Yet another MS-110D sample [1] transmitted from Oxford Junction (IA) site, recorded on 19825.7 KHz/USB and sent me by my friend linkz: this signal too is PSK8 modulated at the symbol rate of 2400 Bd but occupies a 3 KHz bandwidth (Figure 1).

Fig. 1 - waveform main parameters
 
The ACF results  shown in Figure 2 formally show the same characteristics, that is, a sort of "superframe" lasting 840 ms (corresponding to 2016 PSK8 symbols, or 6048 bits) comprising seven frames each lasting 120 ms (corresponding to 288 PSK8 symbols, or 864 bits).
 
Fig. 2 - results from the Auto Correlation Function
 
Bandwidth, modulation and framing match the Waveform Number 7 described in MIL-STD 110D Appendix D (WBHF, WideBandHF)
 

The demodulated bitstreams conform to the bitmaps in Figure 2: in particular, the sequences circled in in Figs. 2, 3 are special mini-probes used to mark the interleaver boundaries. In this case they are transmitted every 64 frames, corresponding to the use of the "long interleaver" mode.
 
Fig. 3 - 864 bits (266+32 PSK8 symbols) period demodulated bitstream

Just to verify compliance with the MS-110D standard, the mini-probes are made up of a repeated sequence of 16 symbols while the miniprobes used to mark the boundaries of the interleaver block are shifted by 8 steps (Figure 4).
 
Fig. 4 - the generic mini-probe and the interleaver marker mini-probe

As expected, the 840 ms spikes resulting from  ACF are due to the cyclic nature of the transmitted data: that is, the same block of data consisting of 7 frames (Figure 5).
 
Fig. 5 - data blocks after the removal of mini-probes

As stated at the beginning, Direction Finding (TDoA algorithm) tests done by my friend linkz indicate Oxford-Junction as the site of the transmitting antenna (Figure 6); more over "It's interesting to note that this data seems to be sent always 22.5 kHz lower than the ALE slots. So far noticed on: 8000.7 USB (8023.2 - 22.5kHz), 18275.7 USB (18298.2 - 22.5kHz), 19825.7 USB (19848.2 - 22.5kHz)" linkz write.
 
Fig. 6 - Direction Finding tests results (thanks to linkz)

https://disk.yandex.com/d/LcwmPMweeu6C0A
 

25 June 2024

MS-110D App.D (WBHF) transmissions, Collins Aerospace over-the-air testing?

Wideband transmission heard a few days ago on 19829.0 KHz (cf) around 1713Z, the recording was kindly sent to me by my friend linkz who also performed - successfully - the Direction Finding attempts (see below).
As from Figure 1, the signal occupies a 6 KHz bandwidth and is modulated using PSK8 at the symbol rate of 4800 Baud. Given that the subcarrier is about 6000 Hz, and it shall be 3300 Hz (300 + 1/2 BW, as usual), the signal should be -2700 Hz shifted (the tuning frequency should be around 19826.0 KHz/USB). 

Fig. 1 - signal parameters

The ACF value and its framing are quite interesting: as can be seen in Figure 2, the autocorrelation plot shows pronounced spykes at 892.4 ms (4284 symbols/12852 bits) due to the existence of a sort of "superframe" consisting of seven frames marked by less evident spikes. The latter have a value of 127.5 ms (612 symbols/1836 bits) consisting of 544 symbols of unknown data followed by 68 (known) channel mini-probe symbols.

Fig. 2 - 127.5 ms & 849.4 ms ACFs

From the above results (bandwidth, modulation and framing) the signal belongs to MIL-STD 110D Appendix D (WBHF, WideBandHF), more precisely the Waveform Number 7: this appendix is a non-mandatory part of MIL-STD-188-110C; however, when data is to be communicated in single contiguous HF radio bandwidths greater than 3 kHz, up to 48 kHz, the waveforms employed shall be in accordance with this appendix. The PSK8 demodulated bitstream is shown in Figure 3.

Fig. 3 - bitstream after PSK8 demodulation

It is worth noting (and verify) some features of this waveform.
As per Table D-XXI the mini-probes consists of a 36 symbol "base sequence" cyclically extended to the required length: in our case, 68 symbols. W/out going into the merits of the mini-probes formation, some resulting mini-probes are shown in Figure 4.


Fig. 4 - 68 symbols mini-probes

In the zoomed bitstream in Figure 5, a characteristic pattern of the mini-probes is seen at intervals of 64 frames: this is because the mini-probes are also utilized to identify the long interleaver block boundary. Indeed, in our case the block length is just 64 frames. The boundary marker is accomplished by tansmitting a cyclically rotated version of the mini-probe (#D.5.2.2).

Fig. 5 - interleaver block boundary

Figure 6 shows the mini-probe marking the long interleaver block boundary: in accordance with Table D-XXI, the mini-probe is formed of the 36 symbols base sequence after 18 cyclic rotations.

Fig. 6
 
As shown in Figure 7, the data block is formed of groups of seven 544 symbol frames (7×544 data symbols) each group consisting of the same data, regardless of the scrambler since the scrambling sequence generator polynomial (x^9 +x^4 +1) is initialized to 00000001 at the start of each data frame (the 511 bits length scrambling sequence is repeated just slightly more than 3 times). The repetitions of these seven groups cause what I designed as "superframe" (see Figure 2) which indeed has a 892.49 ms ACF, corresponding to 7 frames (7×127.5 ms).  Based on the above, it can be said that 127.5 ms is the ACF value of frames and 892.4 is the ACF value of data symbols.
Investigating the nature of these bits does not make much sense since they are actually demodulated "symbols", i.e. data bits after having passed through the modulation chain (FEC encoder, interleaver, Gray decoder, scrambler). The repetitions could suggest a test transmission, but that's just my guess.
 
Fig. 7 - the 7-frame groups that form the data block and that cause the 892.4 ms ACF

As said above, my friend linkz did a great Direction Finding job and pinpointed Oxford Junction (IA) as Tx site location (see Figure 8 below).

Fig. 8 - DF runs (TDoA algorithm), thanks to linkz

The Oxford Junction transmitter site was operated by Rockwell Collins (now part of Collins Aerospace): a paper that they presented at HFIA Meeting in San Diego (February 4, 2010) just confirms the assumption and also shows an aerial photo of the HF station (Figure 9), notice that both EarthExplorer and Google Earth obscured that site.

Fig. 9

Since the Tx location, probably the heard transmissions are WBHF over-the-air test by Collins Aerospace... but that's another guess.

https://disk.yandex.com/d/oj5V4VHl6zb9Gg 

https://www.dropbox.com/scl/fi/4hc6eszz6xvo689b2ah5o/...