an enhanced design for Deep & Fast WALE preambles (RapidM RM12 HF modem?)

This post briefly summarizes the analysis of the Deep & Fast WALE waveforms seen so far, discussing in particular the acquisition preambles whose formation does not comply with the reference standard 188-141D (Appendix G, WALE or 4G-ALE). Some indications suggest that the monitored transmissions could be trials of a specific WALE implementation by Rapid Mobile adopted in their newest RM12 HF modem, but at present it's only a my guess.

1. Preamble
The preamble is used for rapid initial synchronization and provides time and frequency alignment. Both the Deep WALE and Fast WALE preambles use 4-ary orthogonal Walsh modulation by mapping each di-bit of the preamble sequence to "normal" or "exceptional" sets of 4-element Walsh repeated sequences.

 Walsh Sequences for WALE Preambles (MIL 188-141D, Table G-VIII)

Each 32-element is then scrambled by performing a modulo 8 addition between the PSK8 symbol sequence below and the corresponding Walsh element
{7,1,1,3,7,3,1,5,5,1,1,6,7,1,5,4,1,7,1,6,3,6,1,0,4,1,0,7,5,5,2,6}

2. Deep WALE
Deep WALE uses a 240 ms preamble consisting of 18 orthogonal Walsh modulated channel symbols. The first 14 fixed di-bits {0,1,2,1,0,0,2,3,1,3,3,1,2,0} are fixed, the final four di-bits are protocol-dependent and mapped using the "exceptional" 32-element Walsh sequences set. Each 32-element is then scrambled in accordance with 1. for a resulting sequence  of 576 PSK8 symbols.

Fig. 1 - Deep WALE preamble

I coded a C++ Deep WALE modulator in order to get a (synthesized) 188-141D compliant bitstream and then compare it to the bitstreams got by demodulating the (real) over-the-air Deep WALE calls extracted from a monitoring file. Since I was only interested on the preamble formation, to simplify the code I used a random generator in place of the 192 coded and interleaved PDU bits;  the "modulator" is limited to the PSK8 symbol mapping  (1).

Fig. 2

 

Sumarizing what seen in the previous posts, durations and symbols "into the game" are shown in Table I below:

Table I - comparison between real (on-air) and sythesized Deep WALE PDUs

As expected from the time-based analysis, the comparison of the bitstreams confirms that the real signals differ from the standard ones in the way their preamble is formed: specifically the real preambles have a longer duration (350 ms, 840 PSK8 symbols) and do not have sequence repeats (autocorrelation = 0). Conversely, the inevitable repetitions of the scrambling sequence during the formation of the synthesized preamble cause a 96-bit/32-symbols ACF (on the right of figure 3).

Fig. 3- on-air (left) and sythesized (right) DeepWALE bitstreams

The symbols of the real & synt preambles are shown below in figure 4:

Fig. 4

3. Fast WALE

As per 188-141D, Fast WALE uses a 120 ms preamble consisting of 9 orthogonal Walsh modulated channel symbols. The first 5 di-bits {3,3,1,2,0} are fixed, the final four di-bits are protocol-dependent and mapped using the exceptional set. Conversely to Deep modulation, the final two di-bits are unused and are set to 0. Each 32-element Walsh sequence of the preamble is scrambled in accordance with 1. for a resulting sequencetotal of 288 PSK8 symbols. By the way, the duration of the preamble is the same of the following coded and interleaved data frame and it's the half of the Deep WALE preamble.

Fig. 5 - Fast WALE preamble

A second C++ "sketch" was coded to produce a (synthesized) 188-141D compliant bitstream to be compared with the ones coming from the demodulation of the real signals. As in the previous code, a random generator is used in place of the coded and interleaved data bits.
From the analysis of the recordings I was able to detect at least four types(!) of Fast WALE framing which differ in the length of the preambles (figure 6) while keeping the duration - and therefore the symbols - of the data portion unchanged (120 ms, 288 PSK8 symbols) .

Fig. 6 - different Fast WALE framings

Table II - comparison between real (on-air) and sythesized Fast WALE PDUs

As in Deep modulation, the on-air preambles have no sequence repeats even when their duration matches the standard 240 ms; in the other cases, duration and therefore the number of symbols, are less than the ones specified in the standard. Figures 7,8 depict such differences, notice the 32 known symbols probes in both the bitstreams and the 96-bit/32-symbols ACF of the synthesized preamble.

Fig. 7 - on-air and sythesized Fast WALE bitstreams

Fig. 8

 

4. "RapidM RM12 modem" supposition
Unless there are other protocol "options" that I'm not aware of, the differences between the analyzed preambles and those described by 188-141D are due to a specific (proprietary?) implementation. In this regard, my friend ANgazu found an interesting document by Rapid Mobile - literally entitled "Considerations for Synchronization Enhancements for 4G/WALE" - where two proposed improvements to the WALE synchronization preambles are illustrated. Specifically, the second proposal presented by RapidM (slide 18, "WALE Enhanced Preamble") perfectly fits with durations and symbols of the on-air signals:

As said, according 188-141D every Walsh Symbol repeats the same scrambling sequence

{7,1,1,3,7,3,1,5,5,1,1,6,7,1,5,4,1,7,1,6,3,6,1,0,4,1,0,7,5,5,2,6} 

and such repetitions have detrimental effect on synchronization acquisition performance: avoiding such on-air repetitions during the preamble removes false peaks in acquisition correlations. RapidM "Enhanced Preamble" proposal just consists of the replacement of the scrambled sequences with CAZAC sequences (2) consisting of 168 PSK8 symbols for Fast WALE and 840 PSK8 symbols for Deep WALE (the other proposal concerns a 448-symbol extended scrambling sequence).
By the way, figure 9 shows the measured autocorrelations for on-air and synthesized preambles of both Deep & Fast WALE PDUs.

Fig. 9 - autocorrelations

The RapidM slides, which also announce the upcoming RM12 48kHz Wideband Modem, were presented at the HFIA meeting of March 2020: since the first WALE signals I could analyze date back January 2021, timings are consistent.

If my guesses are right, the analyzed transmissions could just be trials by RapidM, also because - at the time of writing - the RM12 modem is not yet in their catalog [1]. However, I haven't found any confirmation yet and furthermore there are some other aspects, such as the lack of the 1800 Hz carrier in the preamble sectors or the CAZAC sequences formation, which need further investigation. Probably the lack of the carrier during the preamble modulation (figure 10) is due to the "tone excision" feature, since the suppression of the 1800 Hz tone improves the waveform resilience and performance in the presence of channel interference [2]: that's another (RapidM?) enhancement to the WALE preamble.

Fig. 10 - the lack of the carrier in a Deep WALE PDU preamble

https://disk.yandex.com/d/CQum1JvCqMzEFQ

[1] https://www.rapidm.com/
[2] https://www.rapidm.com/standard/stanag-4539/ 

(1) C++ code for Deep WALE PDU formation (Arduino Mega-2560)

char buffer[60];
int preamble[18] = {0,1,2,1,0,0,2,3,1,3,3,1,2,0,0,0,0,0};
int pScramble[32] = {7,1,1,3,7,3,1,5,5,1,1,6,7,1,5,4,1,7,1,6,3,6,1,0,4,1,0,7,5,5,2,6};

int preambNorWalsh[4][32] = {
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
{0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4},
{0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4},
{0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0}
};

int preambExcWalsh[4][32] = {
{0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4},
{0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0},
{0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0},
{0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4}
};

int pduWalsh[16][64] = {
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
{0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4,0,4},
{0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4},
{0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0,0,4,4,0},
{0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4},
{0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0},
{0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4,0,0},
{0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4,0,4,4,0,4,0,0,4},
{0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4},
{0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0},
{0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0},
{0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4},
{0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0},
{0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4,0,4,0,4,4,0,4,0,4,0,4,0,0,4,0,4},
{0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4,0,0,4,4,4,4,0,0,4,4,0,0,0,0,4,4},
{0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0,0,4,4,0,4,0,0,4,4,0,0,4,0,4,4,0}
};

int shiftRegister[159] = {
0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1,
1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0,
1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0,
1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0,
1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1,
0, 1, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 1, 1,
1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1,
1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 0,
1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0,
1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1
};

void setup() {
  Serial.begin(9600);
}

void printBin(byte tribit) {
  for(int i=2; i>=0; i--){
    Serial.print(bitRead(tribit,i),BIN);
  }
  Serial.print(" ");
}

int getQuadbit(void) {
   return (random(16));   
}

int getTribit(void) {
  int bitout, bittap, bitin;
  int i,j;
  for(j=0; j<16; j++) {
    bitout = shiftRegister[158];
    bittap = shiftRegister[31];
      for(i=158;i>=1;i--){
        shiftRegister[i]=shiftRegister[i-1];
      }
    bitin = bitout^bittap;
    shiftRegister[0]=bitin;
  }
  return (shiftRegister[2]<<2)+(shiftRegister[1]<<1)+shiftRegister[0];
}

int doScramble (int a,int b) {
  if (a+b < 8) {
    return (a+b);
  }
  else {
    return (a+b-8);  
  }
}

void loop() {
  int scramblingSym;
  int tribit;
  int psk8;

  // preamble
  for (int i =0;i <14;i++){
    int y =preamble[i];
    for (scramblingSym=0;scramblingSym <32;scramblingSym++) {
      psk8 =doScramble(preambNorWalsh[y][scramblingSym],pScramble[scramblingSym]);
      Serial.println(psk8); //check        
    }
  }  
  for (int i =14;i <18;i++){
    int y =preamble[i];
    for (scramblingSym=0;scramblingSym <32;scramblingSym++) {
      psk8 =doScramble(preambExcWalsh[y][scramblingSym],pScramble[scramblingSym]);
      Serial.println(psk8); //check        
    }
  }  
    
  // PDU
  for (int quadBitSet =0;quadBitSet <48;quadBitSet++){
    int pduSymbol =getQuadbit();
    for (scramblingSym=0;scramblingSym <64;scramblingSym++) {
      tribit =getTribit();
      //printBin(getTribit()); //check    
      psk8 =doScramble(pduWalsh[pduSymbol][scramblingSym],tribit);
      Serial.println(psk8); //check    
      //sprintf(buffer, "Walsh modulated PDU symbol:%i  scrambling symbol:%i  PSK8:%i",pduWalsh[pduSymbol][scramblingSym],tribit,psk8);
      //Serial.println(buffer);        
    }
  }
  for( ; ; );
}


(2) Constant Amplitude Zero AutoCorrelation waveform (CAZAC) is a periodic complex-valued signal with modulus one and out-of-phase periodic (cyclic) autocorrelations equal to zero. CAZAC sequences find application in wireless communication systems for synchronization of mobile phones with base stations. Zadoff–Chu sequences are well-known CAZAC sequences with special properties. 
https://en.wikipedia.org/wiki/Constant_amplitude_zero_autocorrelation_waveform

WALE (4G-ALE) three-way traffic channel negotiation

This post can be considered a continuation of the previous one since it too is based on the observations and analyzes of the same monitoring file. Also in this case these are asynchronous calls but with the particularity of using three-way handshakes. 

Although the common protocol exchange for 4G-ALE link establishment is the two-way handshake, it may occurs a traffic channel negotiation which requires a three-way handshake. When sending a link setup request, the caller is able to measure occupancy in its assigned sub-channels, but will not generally know whether the Confirm PDU from the called station will be strong enough to overcome low-level local interference in some sub-channels. However, after measuring the SNR of the Confirm PDU, the caller may compute that there will be adequate SNR on sub-channel(s) that it initially reported as occupied. In such a case, the caller should send a Caller Confirm PDU with Rx sub-channel vector bits set to indicate the wider available traffic channel (figure 1),

Fig. 1 - example 3-Way Computation of Traffic Channel (188-141D Figure G-19)

However, as shown in figure 2, it's worh noting that in these samples no data traffic was recorded after the channel negotiations (the "responder" is here termed by me as "called").

Fig. 2 - contiguous 3-way handshakes

Aside from the 3-way handshakes, it must be noted that both "Deep" and "Fast" WALE waveforms are used throughout the same handshake (see figure 3) conversely to what specfied by 188-141D: " Either of the waveforms may be used in any transmission, but the same waveform shall be used throughout a transmission" (#G.5.1). The transmissions could also be Point-To-Multipoint (PTM) Async link setups and consequently the third burst could be actually the Confirm PDU from a "second" called node, however the (deprecated) mix of  waveforms still remains as well as the suspect that these are modified waveforms.

Fig. 3 - use of both Deep and Fast waveforms throughout the same handshakes

As said, this sample is not a "spot" one but it's extracted from a quite large monitoring file that has already been (partially) analyzed previously,  consequently it was logical to expect WALE PDUs with observed on-air durations different than the ones specified in the relevant 188-141D.

Fig. 4

As well as  the not-compliant durations of Deep and Fast PDUs (due to their preambles length), in my opinion  the lack of (expected) traffic after the 3-way channel negotiations and the "unusual" (if not deprecated) use of both Deep and Fast waveforms throughout a same transmission, are clues that reinforce the hypothesis of test transmissions aimed to verify the performance of modified 188-141D WALE waveforms and therefore of a "new" 4G HF modem... further analysis and investigations will follow in next posts.

https://disk.yandex.com/d/StTSEFMeLOXNkQ

Deep WALE (4G-ALE) Async call

Thanks to my friend and collegue ANgazu, I was able to analyze some WALE (4G-ALE, 188-141D App.G) asynchronous calls transmissions which reveal some aspects that are not entirely clear or even a bit discording with the relevant standard, at least according my analysis and the docs at my disposal. Perhaps it is some specific implementation or maybe tests, as a lot of 4G-ALE & wideband activity has been recently monitored in the 6.9 - 7 MHz portion. 

Fig. 1

As in the "Fast" WALE async call [1], the LSU Request PDU must be preceded by a scanning call (the so-called "capture probe") which is designed to capture asynchronously scanning receiver(s) so that they will stop scanning to receive the final LSU Request. The capture probe consists of repeated blocks of 96 known PSK8 symbols that permit rapid detection of the call, and therefore very short scanning dwell times. As in 2G and 3G ALE, the duration of the WALE scanning call dependes on the number of channels in the scan set and is as follows:
Tcapture ≥ Dmin(N+2)
where Dmin is the asynchronous-mode minimum dwell time (200 ms as default setting) and N is the number of channels. However, conversely of 2G and 3G ALE, the scanning call portion of the async WALE call is unaddressed: that is, the addresses of the stations are not sent during the capture probe (1).

Fig. 2 -  Deep WALE async call

In the sample being analyzed, after demodulation the 6000 ms capture probe consists of 150 blocks which corresponds to a scan set of 28 channels and confirms the use of the minimum dwell time (6000=200*30).

Fig. 3

As per 188-141D App.G, the capture probe is followed by a 240 ms acquisition preamble, followed in its turn by one (or more) coded and interleaved WALE Request PDU. The WALE LSU protocol use a fixed 96-bit length PDU for both Fast and Deep waveforms with a correction coding consists of a constraint length 9 (CL-9), half rate convolutional code producing a 192-bit coded block to be interleaved (ie, for each bit input to the encoder, two bits are taken from the encoder).
Using the Deep WALE waveform, the coded and interleaved PDU bits are sent four at a time. Each set of four bits (a “quad-bit”) is used to select one of the 16-element Walsh sequences, the selected 16-element Walsh sequence is then repeated 4 times to yield a 64-element Walsh sequence. Each 64-element channel symbol is scrambled using 64 8PSK symbols of a scrambling sequence generated using a 159-bit shift register with a single tap after bit 31 which run without re-initialization for all PDUs in a transmission (the shift register is initializated only at the beginning of a the Deep ALE transmission) (2).
Therefore a (coded and interleaved) 192-bit WALE PDU resolves in 48 "quad-bit" sets each consisting of 64-element Walsh sequence, for a total of 48 * 64 = 3072 PSK8 symbols, and has a duration of 1280 ms (Known Symbols segments are not sent in Deep WALE PDUs, so Walsh coded data symbols are sent continuously after the initial preamble).

 

The lack of mini-probe shapes in the PDU portion and its 1630 ms duration (figure 2) allow to Id a Deep WALE modulation. Unfortunately, the autocorrelation of the signal is not of much help. Given that the scrambling shift register x^159+x^31+1:

• is iterated 16 times between the generation of each scrambling symbol
• run without re-initialization(!) for all PDUs in a transmission
• has a max sequence length of 2^159 -1
• is used to scramble a small number of PDUs (if not only one)

it will be impossible to get repetitions in the portion of the WALE PDU but - obviously - only the strong 40 ms spikes due to the 96-symbol blocks of the capture probe (figure 4).

Fig. 4 - ACF values of the scanning call and WALE pdu portions

However, it should be noted that the 1630 ms duration of the Deep WALE PDU does not match the expected 1520 ms one (240 preamble + 1280 data): thus, there is somewhere an "extra" duration of 110 ms. In this regard, figure 6 shows a short segment "S" where, although the lack of the 1800 Hz carrier (or not detected/detectable by SA), the signal is still actually keyed at 2400 symbols/sec; also notice that in place of the carrier rather fairly solid "diagonal traces" show up. 

Fig. 6

Looking at the time durations in figure 7, the segment "S" lasts ~350 ms and "positionally" it coincides with the preamble preceding the Request PDU data: here it's the reason of the extra 110 ms duration, ie an "extended" 350 ms (240+110) preamble which consists of 840 PSK8 symbols that - anyway - does not resolve into an integer number of Walsh modulated symbols! (188-141D #G.5.1.7.1 specifies a 18 Walsh modulated symbols preamble).

Fig. 7

Such discrepancies between the actual on-air signals and the relevant standard have already been highlighted in the Fast WALE PDUs, at least in the ones that I had the chance to analyze [2]. It must be noted that the recent releases of 188-110D and 188-141D extend the max bandwidth to 48 KHz therefore 110C/141C compliant waveforms are in some way a bit "obsoleted" as well as HF modems such as Harris RF-5800 (WBALE & WHARQ waveforms), RapidM RM10 and others. What do I mean? My point is that probably we are dealing with a proprietary implementation/enhancement of the latest WBHF standards (ALE and traffic waveforms): given the quite long monitoring available (more than 30 GB of recordings to review), further analysis and investigations will follow in next posts.

https://disk.yandex.com/d/oBD93dy4dY3BeA 

(1) In 2G and 3G-ALE the address of the called station is contained in the scanning call, thus all stations that are not included in the call are free to resume scanning. The 4G-ALE scanning call consists of repeated blocks of known symbols so that a station must wait for the final Request PDU  to find out if it's the recipient of the call:

That choice of unaddressed scanning calls has interesting consequences:

• all scanning stations are captured and held until the WALE Request PDU (which contains the address) is received. This is a drawback, but the short dwell time (200 ms) results in short scanning calls, so this is mitigated;

• because it does not contain station addresses, the capture probe of the async call is not encrypted.

 

(2) the same (159,31) scrambling polynomial and Walsh sequences are used in MIL-STD 188-110C for the Waveform ID-0

[1] https://i56578-swl.blogspot.com/2021/02/4g-ale-async-two-way-point-to-point.html
[2] https://i56578-swl.blogspot.com/2021/01/4g-ale-fast-wale-188-141d-and-wbhf.html

Harris' 3G-ALE FLSU Async call (2)

Commenting the recent post about the Harris's implementation of the FLSU Async call [1], an anonymous reader sent me a good quality recording of that signal. Observing the spectrum/time FFT of figure 1 the call has a duration of about 9 seconds (9170 ms) and, according to the value of the ACF , it consists of 10 BW5 frames. By calculating the respective durations and taking into account the omission of the TLC sections exceeding the first, we get

1013.33 + (9 × 906.66) = 9173.27 ms

ie a value that matches the duration of the call and confirms the FLSU Async call implementation adopted by Harris (by the way, a 7-channel scan list in this sample).

Fig. 1

In addition to the time based approach, in order to verify the above results I tried a tribit symbols based analysis of the demodulated bitstream. Indeed, as per STANAG-4538 (and 188-141B too) the TLC section (256 pseudo-random tribit symbols) and BW5 preamble sequence (576 tribit symbols) are modulated directly without undergoing the PN spreading thus their patterns are easily identifiable within the bitstream. A good way to bring out the two desired sequences is to use synchronization of the bitstream:

a) synchronizing on the preamble sequence
10 rows come out, which therefore correspond to the preambles of the 10 BW5 PDUs (don't fall into the 4-bit HEX trap: since the PSK8 modulation, the symbols we are looking consist of tribit values, ie 4,4,7,3,... = 100, 100, 111, 011,...):

Fig. 2

b) synchronizing on the TLC sequence
as expected, the result consists of only 1 row which is just the one relating to the "entire" first BW5 PDU:

Fig. 3

As a further confirmation, I synchronized the stream on the "border" of the two sequences getting a single row result:

Fig. 4

So, in my opinion, both approaches demonstrate the composition of the FLSU Async call which is implemented by Harris: ie, the TLC section is sent only in the firts BW5 PDU (as per 188-141B #C.5.2.4.5.2):

 

Looking at the bitstream, it's also  evident that this network uses the Linking Protection (LP) procedure [2]. As per STANG-4538 #9.3.2 "Scanning call PDUs shall be scrambled using alternating word numbers 00000000 and 00000001. The word number used in scrambling the first scanning call PDU shall be selected so that the scanning call PDU sent immediately before the Call PDU is scrambled using word number = 00000001. The Call PDU that concludes an asynchronous-mode call shall be scrambled using word number = 00000010": that's the reason of the alternating patterns of figure 5.

 

Fig. 5

By the way, it's worth noting that LP does not address jamming or similar techniques, which are best countered by TRANSEC, nor is it intended to replace the COMSEC function of traffic protection: indeed, LP protects the linking function, including related addressing and control information.

 

A recent monitoring of 6.9 MHz band by my friend ANgazu (who I thanks for sending some recordings) shows the use of the same async call also in WBALE & WHARQ scenarios:

 

Fig. 6

 

https://disk.yandex.com/d/JCbCPlmTV_wl1g (Harris Async call)

https://disk.yandex.com/d/IQe71tmy0VIA3g  (WBALE & WHARQ)

[1] https://i56578-swl.blogspot.com/2022/10/harris-3g-ale-flsu-async-call.html
[2] https://i56578-swl.blogspot.com/2017/02/stanag-4538-3g-ale-flsu-calls-with.html

Harris' 3G-ALE FLSU Async call: a 141B/STANAG-4538 optimised implementation?

I recently had the chance to study some good quality recordings of (certified) Harris 3G-ALE Asynchronous calls and surprisingly I found some features of implementation derived from the now superseded 188-141B that are not defined - or even not supported - by the relevant standard STANAG-4538.

More than once I came across such type of "long duration" FLSU bursts and so far I have always identified them as FLSU Asynchronous calls (STANAG-4538) [1][2] ...but this time it is not like that. What doesn't fit is that while each burst 2-4-6 consists of a single FLSU BW5 PDU (Protocol Data Unit), as expected, also the bursts 1-3-5, although of longer duration, seem apparently formed of single FLSU BW5 PDUs (figure 1).

Fig. 1 - Harris 3G-ALE bursts

A short recap for background... 

As per STANAG-4538 #5.1.3, the Asynchronous call consists of a "sequence" of FLSU PDUs sent consecutively, more precisely:
"The Asynchronous call begins with the LBT [...] followed by the transmission of about 1.35N Async FLSU_Request PDUs on the requested link frequency, where N is the number of channels in the scan list, and 1.35 is the duration of each dwell (in seconds) [...] the sequences of the Async FLSU_Requests (Type-3 PDU) is then terminated by one normal FLSU_Request (Type-0 PDU)"(1):

Fig. 2 - Asynchronous FLSU call (1) (FIGURE 5.1.10-4 STANAG-4538)

Therefore, the Async FLSU call is easily reacognizable by the 1013ms "spikes" (ie the duration of the BW5 PDU) resulting from its Cross-Correlation Function. Obviously, the 7296-bit (or 2432-tribit symbols) period of the bitstream matches the PSK8 symbols of the BW5 waveform. Figure 3 shows the CCF and the bitstream of an Async call recording ( the .wav file is in the download list).

Fig. 3 - CCF and bitstream of the FLSU Async call

The 50-bit frames resulting from its demodulation (fortunately Linking Protection was not used) are consistent with the standard protocol. By the way, since the 10 Type-3 PDUs, the scan list consists of 8 channels.

 

That said, let's back to the Harris 3G-ALE recordings.

The Cross-Correlation Function of bursts 1-3-5 shows strong ~906ms spikes instead of the expected 1013ms ones, consequently the demodulated bitstreams have a 6528-bit period length which in turn makes 2176 PSK8 symbols: so, we have  

 

(2432 - 2176) = 256 missing symbols

Fig. 4 - CCF and bitstream of the Harris FLSU Async call

Looking at the BW5 timing, the initial TLC section consists of 256 PSK8 symbols: well, these are exactly the symbols that we are looking for! 

I mean that the TLC section is sent only in the first BW5 PDU thus the following ones are a bit shorter being composed of only the preamble and data sections: hence the (576 + 1600) = 2176 symbol length period and the ~906ms CCF spikes. This "formation" of the Async call also clarifies why my decoder recognizes only the "first" BW5 PDU (figure 1). By the way, the value 

1013.33 + (5 × 906.66) = 5546.63ms 

fits perfectly in Harris recordings.

Fig. 5 - formation of the Harris FLSU Async call

Such a call is exactly described in paragraph C.5.2.4.5.2 of  MIL 188-141B Appendix C:
"The LE_Scanning_Call PDU shall be sent repeatedly to capture scanning receivers [...] During a scanning call, only the first LE_Scanning_Call PDU shall include Ttlc (used for transmitter level control and receiver AGC settling). All succeeding LE_Scanning_Call PDUs and the LE_Call PDU shall omit Ttlc, and include only the BW0 preamble (Tpre) and data (Tdata) portions".(2)(3)

So, we face a STANAG-4538 FLSU Async call (since the use of BW5 waveform) which is 188-141B compliant for what regards its formation (since the omission of  the TLC sections): ie, a sort of  188-141B/STANAG-4538 mixed implementation. Below I have tried to find a satisfactory answer to this "particular" 3G-ALE call.

For simplicity and clarity of exposition, for now on I will refer to:
- "188-141B" as an FLSU Async call with omitted TLC sections (only the firts one is sent);
- "STANAG-4538" as an FLSU Async call w/out the omission of the TLC sections;
the FLSU protocol obviously implies the use of BW5 PDUs.

One could say that, given the nature of the TLC section (basically 256 throwaway symbols), sending it in a sequence of contiguous BW5 PDUs would makes a poor sense... but that's not entirely true. It is possible to verify that, starting from a certain number of channels onwards, the TLC sections act as a "buffer" and, ultimately, allow a successfully link establishment. Indeed, defining "scan time" the interval of time required for scan N-1 channels, linking is successful as long as the scan time does not exceed the duration of the Async call (figure 6).

Fig. 6 - "scan time" Vs Async call duration

Suppose we have a 21 channel network: the worst case that can happen is that a 141B async caller begins a call on the last channel of the scan list (after a successful Listen Before Transmit interval) while the called station has just begun to dwell on the first channel. Let's calculate how many PDUs must be sent in the call:

1.35 × 21 = 28.35 ≅ 28 Async FLSU_Request PDUs + 1 normal FLSU_Request PDU

for a total duration of (including the initial 1350 milliseconds LBT interval):

1350 + 106.66 + (906.66 × 29) = 27749.8 ms.

The called station will employ (20 x 1350) = 27000 ms to come upon channel 21, so it will receive only a portion of  (27750 - 27000) = 750 ms of the Async call: this means that a part of the acquisition preamble of the final FLSU_Request will be lost and presumably the linking attempt will fail or at least will be at risk. Such a problem will not happen in case of a STANAG-4538 async caller, since its call will last:

1350 + (1013.33 × 29) = 30736.57 ms

therefore the called station will receive a quite large portion of about (30736.57 - 27000) = 3736.57 ms of the Async call (ie more than 3 times the duration of a BW5 FLSU PDU).(4)

I plotted the durations of Async calls and scan times versus a scan list of 5 to 30 channels: the results are quite interesting (figure 7). In case of 141B, starting from channel 16 the distance between the duration of the call and the scan time is getting thinner, until it becomes null or even negative. STANAG-4538 implementation instead maintains a quite wide margin (figures 7a). Then I plotted the the difference (async call duration - scan time) referred to the "useful" duration of a BW5 PDU ( 906.66ms, ie preamble + data): say a sort of measure of the "linking useful margin" versus the number of channels. In case of 141B calls, as expected, the linking gets problematic starting from a 16-channel scan list (figure 7b); no problems in case of S4538 calls (figure 7c).

Fig. 7

Well, how many channels can be allocated to a scan list? Looking at the framing of BW5, the "Argument 1" field reserves 6 bit for the channel; excluding the default value ("111111"), 63 values (0...62) remain available. As it was already evident from figure 7, a 141B Async call does not capture the called station in case of such a large number of channels but - conversely - it's best performing then STANAG-4538 in a network with a smaller scan set (number of channels < 17) just because it has a shorter call duration and therefore a faster linking time (figure 8).

Fig. 8

Probably the Harris' choice of omitting the exceeding TLCs just lies in the fact of better performance in small scan lists (say an "optimised" implementation): perhaps a specific algorithm chooses whether or not to omit the TLCs exceeding the first, or perhaps it's a manual setting. That solution is anyway not compatible with the 188-141B implementation (BW5 is unknown to that standard) and probably also with a "strict" implementation of STANAG-4538: the unanswered calls in figure 1 could be a sign of interoperabilty problems (5), who knows. Judging by the behavior of my decoder, however, I verified that in case of a "late entry" the decoding is successfully only when the Async call contains multiple TLCs: but it's just a decoder, I don't know the algorithm it uses and doesn't matter. Unfortunately I don't have a military grade STANAG-4538 appliance to test its responses, so further analysis are needed to confirm my guess.

I want to thank my friend ANgazu who helped in the analysis and identification of the signal and sent me some recordings of these "mixed" Async calls that he heard just some days ago around 6950 KHz: sign that this solution is still in use today.

https://disk.yandex.com/d/xbGLZvU5y5A1Qg 188-141B FLSU Async call (single TLC)
https://disk.yandex.com/d/gXsMejYAvHFstA   S4538 FLSU Async call (multiple TLCs)
(regarding the Harris recordings, the author prefers that I keep this material confidential)

Some ending comments:

a) I played Lego ® bricks with the burst #1 of the Harris recordings. Using the great tool Audacity ® [3] First I isolated and removed the TLC section of the first BW5, then I did my best by cutting the burst into segments each of 906.66 ms duration. Then I assembled a new burst by inserting the TLC section before each segment and putting it all together. The result confirms the expectations, apart from two error PDUs due to the approximate way of the cut & paste. By the way, five scanning PDUs mean 4 channels in the scan list.

b) You've probably noticed the possibility of a 768-bit/256-symbol period in figure 4:

 

As per STANAG.4538 #13.9.6, the BW5 PDU data symbols are PN-spread using a spreading sequence which is repeated every 4 blocks of 64 tribit sequences, ie every (64×4) = 256 symbols: these repetitions cause the 106.66ms ACF and hence the 256-symbol periodicity:

 By the way, yet another 106.66ms ACF...

(1) Transmitting 1.35N Async FLSU_Request PDUs guarantees that all other scanning PUs (Partecipating Units, ie the other nodes in the HF network) will scan the calling channel during the Async call, even under the worst case time of day offset conditions. If the time of day offset can be estimated more accurately, fewer than 1.35N Async FLSU_Request PDUs may be sent to capture the desired PU. Since the address of the called PU(s) is contained in the Async FLSU_Req PDU, all PUs that are not included in the call are free to resume scanning. Called PU(s) that receive one of the Async FLSU PDU’s stop scanning and wait for the normal FLSU_Request.

(2) MIL 188-141B refers to BW0 as the waveform to convey "LE_Scanning_Call PDU" and "LE_Call PDU" (LE stands for Link Establishment): FLSU, and consequently the BW5 waveform, were not yet defined at that time. 

(3) 188-141B (released on March 1999!) was superseded by 188-141C (December 2011), in its turn superseded by 188-141D (December 2017): the last two standards no longer have the Appendix C but only some short paragraphs, among them the #C.6 says "The specifications previously contained in this appendix have been replaced with reference to the essentially identical NATO STANAG 4538".

(4) The Called station that receive one of the asynchronous FLSU PDUs stop scanning and wait for the normal FLSU_Request PDU, which is sent immediately after the final Async_FLSU_Request PDU. After receiving a valid FLSU_Request PDU, the addressed stations responds normally with the FLSU_Confirm PDU (STANAG-4538 #5.1.3)

(5) The BW5 bursts 2-4-6 of figure 1 may convey the FLSU_Terminate link PDU (type-2) which is sent by the caller station in case of link failure (STANAG-4538 #5.1.5). Unfortunately, Linking Protection is used so the decoding does not help to indentify the used BW5 types.

[1] https://i56578-swl.blogspot.com/2019/10/async-flsu-followed-by-stanag-4197-3g.html
[2] https://i56578-swl.blogspot.com/2021/04/a-long-and-protected-flsu-async.html
[3] https://www.audacityteam.org/download/

unid 150-300Bd/1000 FSK (150-300Bd/500 same system?)

 
This FSK signal has the same characteristic switch of the modulation speed (150Bd during reversals, 300Bd in traffic mode), but a different shift (~1000Hz instead of ~500Hz), compared to the one seen here (150-300Bd/500Hz FSK). The different speeds are well visible in the 93.33 ms raster in figure 2.  However it must be said that I rounded the value of the shift to the nearest thousand Hz, given that - in some parts and without filtering - the signal can vary from 997 to 1000Hz. By the way, the same rounding was also applied to the measure of the shift  of the similar 150-300Bd/500Hz signal.

Fig. 1

The similarities are not limited only to the FSK parameters but also to the bitstream' formation (figure 2):
* 24-bit length period with the presence of a "phasing" bit (the column of "0s");
* initial sequence generated by the polynomial x^12+x^10+x^9+x^3+1;
* even parity-check on the differential decoded stream. 

Fig. 2

Me and my friend cryptomaster also verified that the bitstream complies the same (8,24) check matrix generated with the polynomial x^7+x^3+x^2+x+1

1 0 1 1 0 0 1 0 1 1 1 1 1 0 0 0   1 0 0 0 0 0 0 0
0 1 0 1 1 0 0 1 0 1 1 1 1 1 0 0   0 1 0 0 0 0 0 0
0 0 1 0 1 1 0 0 1 0 1 1 1 1 1 0   0 0 1 0 0 0 0 0
0 0 0 1 0 1 1 0 0 1 0 1 1 1 1 1   0 0 0 1 0 0 0 0
0 0 1 1 1 0 0 1 1 1 0 1 0 1 1 1   0 0 0 0 1 0 0 0
1 0 1 0 1 1 1 0 0 0 0 1 0 0 1 1   0 0 0 0 0 1 0 0
0 1 1 0 0 1 0 1 1 1 1 1 0 0 0 1   0 0 0 0 0 0 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0   0 0 0 0 0 0 0 1

that detects and fixes the polarity reversal of the ninth column of the bitstream and performs a H(24,16) coding (figure3).

Fig. 3

That said, we think that these two FSK waveforms belong to the same system although user and purposes are still unidentified. Monitoring is quite difficult since - apparently - a scheduling does not seem used (short transmissions have been heard "by chance" on 4535, 6511, and 8084 KHz).

https://disk.yandex.com/d/hYquU1-3wlvKTQ