30 January 2016

KG-84 evidences

I tried to look at some signals that use KG-84 encryption (based on the SAVILLE algorithm) in order to identify its footprint inside them and any differences between them, specifically: the two widely used NATO waveforms STANAG-4285 and STANAG-4481-FSK, one STANAG-4285 variant (possibly a Croatian version) and the FSK 600Bd/400Hz used by the Turkish military. Since only four waveforms are covered, this does not claim to be a complete view; it will be updated as soon as I get other such encrypted signals.
Given a signal, as previously seen, the presence of KG-84 encryption can be detected by its well-known 64-bit sync pattern, which is inserted at the beginning of each session/message and followed by the encryption initialization:
In order to highlight the sync pattern we need to work with bitstream files, also known as ASCII-bits files, containing only the binary symbols 0 and 1 and produced by decoders such as k500 or Sorcerer (shown in the pictures below). This is because, for example, the PSK-8 demodulated output of a signal analyzer such as SA gives the on-the-air symbols, which still contain the extra symbols added by the FEC: they would first have to be de-scrambled, de-interleaved, FEC-decoded and converted from HEX values to binary.
The bitstream analysis is performed using a bit flow processor and editor.

STANAG-4481P (STANAG-4285 300bps/L)

pic. 1 - NATO STANAG-4481P
In this case the sync is followed by a 512-bit group consisting of two 64-bit sequences, each repeated 4 times. The two 64-bit sequences form a 128-bit value that k500 labels "initialization vectors" (in KG-84 terms the message indicator that synchronizes the keystream: the traffic key itself is loaded into the device and is never transmitted) and prints clearly in its output as two strings of 32 HEX characters each. As far as I can see, both the sync and the IV block are inserted at the beginning of the session and are not re-inserted or repeated, so the message cannot be deciphered in case of late entry.

STANAG-4481F (FSK 75Bd/850)
pic. 2 - NATO STANAG-4481-FSK
Since it operates in the same environment (NATO), STANAG-4481-FSK adopts the same structure as 4285. It is worth noting in pic. 3 that the 64-bit sync pattern produces ~850 ms ACF spikes, visible in the initial part of the signal (64 bits at 75 Bd = 853 ms).

pic. 3 - ~850ms ACF spikes due to the sync and IV block insertion

STANAG-4285 variant

pic. 4 a STANAG-4285 variant
Although it is compatible with NATO S-4285, this waveform (the user is suggested to be Croatian) does not carry KG-84 encryption (I could not find the sync pattern) but rather a sort of linear encryption that is not detected by the standard S-4285 decoders such as k500 and Sorcerer.

Turkish FSK 600Bd/400Hz

pic. 5 - the Turkish FSK/600/400
As far as KG-84 encryption is concerned, this waveform exhibits an interesting peculiarity: the sync pattern is not followed by the 512-bit IV block seen in the NATO 4285 and 4481 implementations. I do not know whether the 128 bits immediately following the sync are indeed the IV or whether the IV is hidden from standard decoders.
As expected, since this transmission consists of 7 blocks, the sync is repeated 7 times, every 3954 bits exactly (6.59 s at 600 Bd). Given the apparent lack of the IV block, I do not know whether the transmission carries seven distinct messages or whether the repetition is an aid for late entry (so the messages are the same?).
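The scan that k500 and the bit-flow editor do by eye can be scripted. The Python below is an added example, not code from the page nor from k500, Sorcerer or BEE. SYNC_HEX is a placeholder 64-bit pattern, not the real KG-84 sync word (substitute the one you observe), and the two streams are constructed to mimic the two cases on this page: the NATO 4481P structure (sync followed by a 512-bit block made of two 64-bit sequences, four times each) and the Turkish FSK case (sync every 3954 bits with nothing recognisable after it). It also converts repeat intervals to time, which is where the ~850 ms ACF spikes of pic. 3 (64 bits at 75 Bd) and the 3954-bit interval here (6.59 s at 600 Bd) come from.

```python
"""Locate a 64-bit sync word in an ASCII-bits (0/1) file and inspect what
follows it.  Added example: not code from the page, nor from k500, Sorcerer
or BEE.  SYNC_HEX is a PLACEHOLDER, not the real KG-84 sync word; replace it
with the pattern you observe.  The sample streams are constructed below."""
import random
from collections import Counter

SYNC_HEX = "E1B2C3D4F5A69788"                   # placeholder (assumption)
SYNC = format(int(SYNC_HEX, 16), "064b")        # 64-character 0/1 string


def parse_bits(text):
    """Keep only the 0/1 symbols of a bitstream file (spaces, newlines dropped)."""
    return "".join(ch for ch in text if ch in "01")


def find_sync(bits, sync=SYNC):
    """Every offset at which the sync word occurs (overlaps allowed)."""
    hits, pos = [], bits.find(sync)
    while pos != -1:
        hits.append(pos)
        pos = bits.find(sync, pos + 1)
    return hits


def iv_block(bits, sync_pos, sync_len=64, block_len=512, seq_len=64):
    """If the 512 bits after the sync are two 64-bit sequences repeated four
    times each (AAAABBBB or ABABABAB), return them as hex in first-seen order;
    otherwise return None (no such block, or not enough bits left)."""
    start = sync_pos + sync_len
    block = bits[start:start + block_len]
    if len(block) < block_len:
        return None
    counts = Counter(block[i:i + seq_len] for i in range(0, block_len, seq_len))
    if len(counts) != 2 or set(counts.values()) != {4}:
        return None
    return tuple(format(int(seq, 2), "016X") for seq in counts)


def intervals(offsets):
    """Bit distances between consecutive sync occurrences."""
    return [b - a for a, b in zip(offsets, offsets[1:])]


def bits_to_seconds(nbits, bit_rate):
    """Duration of nbits at the decoded stream's bit rate (1 bit/symbol for FSK)."""
    return nbits / bit_rate


def analyse(bits, bit_rate):
    """Sync offsets, the block after each sync, and the repeat interval in bits/seconds."""
    hits = find_sync(bits)
    gaps = intervals(hits)
    return {"sync_offsets": hits,
            "iv_blocks": [iv_block(bits, h) for h in hits],
            "repeat_bits": gaps,
            "repeat_seconds": [round(bits_to_seconds(g, bit_rate), 3) for g in gaps]}


# --- constructed sample streams (not real captures) -----------------------
_rng = random.Random(2016)


def _noise(n):
    return "".join(_rng.choice("01") for _ in range(n))


IV_A = format(0x0123456789ABCDEF, "064b")       # constructed IV halves
IV_B = format(0xFEDCBA9876543210, "064b")

# NATO 4481P/4285 style: one sync, then the 512-bit block, then traffic
NATO_STREAM = _noise(1000) + SYNC + (IV_A + IV_B) * 4 + _noise(2000)

# Turkish FSK style: seven blocks, sync every 3954 bits, nothing recognisable after it
TURK_STREAM = "".join(SYNC + _noise(3954 - 64) for _ in range(7))

if __name__ == "__main__":
    print("NATO  :", analyse(NATO_STREAM, bit_rate=300))
    print("Turkey:", analyse(TURK_STREAM, bit_rate=600))
    print("64-bit sync at 75 Bd lasts %.0f ms" % (1000 * bits_to_seconds(64, 75)))
```

Feed it a real ASCII-bits file through parse_bits() and the bit rate of the decoded stream (the user data rate for 4285, the symbol rate for 2-level FSK); an empty iv_blocks entry next to a sync hit is exactly the Turkish situation described above.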

pic. 6 - the seven resolvers

There is no point wasting space and bandwidth listing here concepts and images about the KG-84 that are easily found on the web; just a few links:
Thanks to my friend KarapuZ for pointing me to this topic and for his encouragement to go deeper.

29 January 2016

BELL 103 compatible FSK modem 300Bd/200 (Algerian AF)

Heard on 11446.2 KHz (cf) at 0756 UTC. FSK bursts preceded by three unmodulated tones spaced 150 Hz apart; keying speed is 300 symbols/s and the shift is 200 Hz. A short 250 ms preamble is embedded in the three pre-tones (pic. 3); data are encrypted. Since the baud rate (300 Bd) is higher than the shift (200 Hz), the modulation could be a so-called semi-mode such as MSK or GMSK.
The waveform is compatible with the AT&T Bell 103 modem and is suggested to be used by the Algerian Air Force. A short recording is available here
pic. 1 baudrate 300Bd
pic. 2 shift 200 Hz
pic. 3 FSK preamble

26 January 2016

Iranian-QPSK 468.75, 937.5 Baud

Heard on 10724.0 KHz and 17382.2 KHz (cf) in USB at 2120z; this signal is known as "Iranian-QPSK" from its QPSK modulation. As far as is known, Iranian-QPSK occurs in several variants differing in speed: 1875, 937.5, 468.75 and 207 Baud; there seems to be a variant at 234 Baud as well. The 207 Baud waveform is reported on radioscanner.ru, while qrg.globaltuners.com identifies the signal as belonging to the Iranian Navy: I did not find such a match looking at the UDXF logs.


21 January 2016

Turkish Mil, FSK 600Bd/400Hz KG-84C

Although the signal is weak, its basic parameters are easily found, as shown in pictures 1 and 2. The signal was heard on 07932.5 KHz (cf) around 0744z and has also been analyzed here by the radioscanner.ru friends.
pic. 2
This signal uses the NATO KG-84 cipher; it can be identified by the 64-bit sequence at the start of each session (the KG-84 frame sync), highlighted in pic. 3.

The KG-84A and KG-84C are encryption devices developed by the U.S. National Security Agency (NSA) to secure the transmission of digital data. Both are General-Purpose Telegraph Encryption Equipment (GPTEE); the KG-84C is additionally a Dedicated Loop Encryption Device (DLED). The KG-84A is used primarily for point-to-point encrypted communications over landline, microwave and satellite systems, while the KG-84C grew out of the U.S. Navy high frequency (HF) communications program and is tailored to those needs. Both operate in simplex, half-duplex or full-duplex mode. The KG-84C contains all the KG-84 and KG-84A modes and adds a variable update counter, improved HF performance, out-of-sync detection in synchronous mode, asynchronous cipher text, plain text bypass and the European Telex protocol. When used with a suitable digital telephone unit, the KG-84 can also carry secure voice. In asynchronous mode it handles data at rates between 50 and 9600 baud; in synchronous mode it goes up to 32,000 baud, or 64,000 baud when combined with an external clock.

17 January 2016


from http://www.marsregionone.org/Temp/rfsm-8000.pdf
"The RFSM-8000 (Radio Frequency Software Modem) is a software by RFSM-IDE Group, it operates under standards MIL 188-110A / MIL 188-110B App. C, (also under a modified version) providing a maximum speed of 8000bps (standard mode), or 6670bps (non-standard "narrow" mode). Signal bandwidth: 0.3-3.3 kHz (standard mode) and 0.3-2.7 kHz (non-standard mode).
Some technical descriptions: 
- real-time signal spectroscope/waterfall view, and IQ-diagram;
- operates under standards MIL-STD 188-110A / MIL-STD 188-110B App. C, (also under a modified version);
- maximum speed: 8000 bps (standard mode), or 6670 bps (non-standard "narrow" mode);
- signal bandwidth: 0.3-3.3 kHz (standard mode) and 0.3-2.7 kHz (non-standard mode).
- uses adaptive correction;
- file transfers are accomplished utilizing ARQ;
- uses SSE2 optimization (if available on CPU);
- transmitter control over COM-port (DTR or RTS line, or CI-V interface);
- allow correction of sound card discretization error;
- allow simple remote control and file-based IPC (for automatic connecting and file transfer)"

I did some tests to check MS188-110 compatibility and the differences; the results are shown below
- RFSM-8000 modem settings: no DataMasking, standard mode, synchronous
- text sent: "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."
- decoder used: k500 in both MS188-110A and MS188-110B/App.C synchronous mode

75, 300 bps
2400Bd PSK-8 preamble, headers not MS188-110 compatible
- 75bps: special very robust mode (32-Walsh based), works under very poor conditions (-8 dB), data PSK-8, ACF ~13.6ms (32 symbols)
- 300bps: special robust mode (16-Walsh based), works under poor conditions (-3 dB), data PSK-8, ACF 13.6ms
Regarding the robust modes, the spectrogram shows a sort of inserts with an irregular repetition interval, probably due to the Walsh modulation, which produces the corresponding ACF spikes. The 32 tribit symbols, i.e. 96 bits, are clearly visible in the "period" highlighted by BEE (pic. 2b). Standard MS188-110 does not exhibit such an ACF for the 75bps waveform (pic. 2).
75bps and 300bps are apparently proprietary waveforms and need more investigation.

RFSM-modem -> k500
75 long  -> 4800 uncoded (not recognized)
300 long -> 2400 voice   (not recognized)

pic. 1
pic. 2
pic. 2b - 96 bits ACF in RFSM-8000 75bps as seen by BEE
600, 1200, 2400 bps
2400Bd PSK-8 preamble
- 600bps: data PSK-8,  ACF = MS188-110A (pic. 3)
- 1200bps: data PSK-8,  ACF = MS188-110A
- 2400bps: data PSK-8,  ACF = MS188-110A
source text is not returned cleanly (7-bit shift?)

RFSM-modem -> k500 
600 long -> 600 long
1200 long -> 1200 long
2400 long -> 2400 long 
pic. 3 - RFSM-8000 2400bps ACF
3200 bps
2400Bd PSK-8 preamble, headers not MS188-110A compatible
data PSK-8,  ACF = MS188-110A

RFSM-modem -> k500
3200 long -> 75 long (not recognized)

4800, 6400, 8000 bps (MS188-110B/App.C High-Speed WF)
(4800bps exists only uncoded in MS188-110A; it is coded in MS188-110B/App.C)
2400Bd PSK-8 preamble

- 4800bps: data PSK-8,  ACF ~119.5ms or 287 symbols frame (pic. 4)
- 6400bps: data QAM-16, ACF ~119.5ms (pic. 5)
- 8000bps: data QAM-32, ACF ~119.5ms (pic. 5)

RFSM-modem -> k500
4800 long -> 4800 long
6400 long -> 6400 long
8000 long -> 8000 long

pic. 4 - RFSM-8000 4800bps frame
pic. 5 - RFSM-8000 6400bps, 8000bps

As pointed out and tested by AngazU, RFSM most likely chops the data into 59-byte groups and adds 6 bytes of its own to build 65-byte chunks, i.e. a 520-bit frame. The example in pic. 6 is a null file sent by RFSM-8000 at 1200bps: he kindly gave me this file so I could replicate his investigation, and I got the same results:

pic. 6 - RFSM-8000 data framing (not to be confused with protocol framing)
As you can see in pic. 7, plain MS188-110A does not exhibit such behavior, since each "period" is just 8 bits long.
pic. 7 - 8-bit period of MS188-110A
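The period check that pic. 6 and pic. 7 show visually can be done numerically by autocorrelating the decoded bitstream: the lag at which the stream best agrees with a shifted copy of itself is the framing period. The script below is an added example, not code from the page, from BEE or from the RFSM-8000 modem. The 6-byte chunk header and its position in front of the 59 payload bytes are assumptions standing in for RFSM's real framing bytes, which the page does not give; the null payload reproduces the null-file test, and plain 7-bit ASCII in 8-bit characters gives the 8-bit period of pic. 7 because bit 7 of every character is zero.

```python
"""Bit-level autocorrelation of a decoded bitstream: the lag with the best
self-match is the framing period that a bit-flow editor shows as a 'period'.
Added example, not code from the page, BEE or the RFSM-8000 modem.
CHUNK_HEADER is an assumed stand-in for RFSM's 6 framing bytes."""


def ascii_to_bits(data):
    """Bytes -> string of 0/1 characters, MSB first, 8 bits per byte."""
    return "".join(format(b, "08b") for b in data)


def match_score(bits, lag):
    """Fraction of positions i where bits[i] == bits[i + lag]."""
    n = len(bits) - lag
    if n <= 0:
        raise ValueError("lag too large for this stream")
    return sum(a == b for a, b in zip(bits, bits[lag:])) / n


def acf(bits, max_lag):
    """Match score for every lag from 1 to max_lag."""
    return {lag: match_score(bits, lag) for lag in range(1, max_lag + 1)}


def top_lags(bits, max_lag, n=3):
    """Lags ordered by score; ties go to the shorter lag, so an exactly
    periodic stream reports its fundamental period before its multiples."""
    scores = acf(bits, max_lag)
    return sorted(scores, key=lambda lag: (-scores[lag], lag))[:n]


def dominant_period(bits, max_lag):
    return top_lags(bits, max_lag, 1)[0]


def fold(bits, width, rows=4):
    """Lay the stream out in rows of `width` bits, as a bit-flow editor does;
    at the right width every row lines up."""
    stop = min(len(bits), width * rows)
    return [bits[i:i + width] for i in range(0, stop, width)]


# --- constructed inputs (not real captures) --------------------------------
LOREM = (b"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do "
         b"eiusmod tempor incididunt ut labore et dolore magna aliqua. ")
PLAIN_STREAM = ascii_to_bits(LOREM * 8)          # 7-bit ASCII in 8-bit chars

CHUNK_HEADER = bytes([0x52, 0x46, 0x53, 0x4D, 0x00, 0x3B])   # 6 bytes, assumed
NULL_PAYLOAD = bytes(59)                                      # a "null file"
FRAMED_STREAM = ascii_to_bits((CHUNK_HEADER + NULL_PAYLOAD) * 8)  # 8 x 520 bits

if __name__ == "__main__":
    print("plain ASCII, best lags 1..15 :", top_lags(PLAIN_STREAM, 15))
    print("59+6 byte chunks, best lags  :", top_lags(FRAMED_STREAM, 600))
    for row in fold(FRAMED_STREAM, 520, 3):
        print(row[:64], "...")                     # identical rows at width 520
```

Multiples of the period (16, 24, ... or 1040) score almost as well as the period itself, so read the shortest of the top lags. On a real capture the score at the true period will be well below 1.0; what matters is its margin over the neighbouring lags, and folding at that width should make the fixed framing bytes line up as a column, as in pic. 6.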

12 January 2016

An RFSM network on 9050.0 KHz (almost surely Bulgarian Diplo)

I followed these signals on 9050.0 KHz USB, mainly in the morning during the last few days, from 0700 to 1100 UTC. Looking at the UDXF logs and talking with some friends of mine, the network using 9050.0 KHz is probably Bulgarian or Romanian Diplo (given some ALE calls such as RETEA, FARAONRETEA, SC1DSRETEA); the QRX is visible on 9055 kHz, but sometimes only one frequency is used. It is not certain whether a similar signal heard on 9040.0 KHz belongs to the same net. My friend Kristian from Germany suggested it is the Bulgarian Diplo net and kindly pointed me to a Monitoring Times issue (May 2011) discussing this mode and Bulgarian Diplo activity:

Transmissions on 9050.0 seem to be scheduled at 0830, 0900 and 0930 UTC Mon-Fri; almost all sessions start with a ~15 s tone at 9051.8 KHz (sent about two minutes before) and they last as long as needed to exchange/send the messages, usually a few minutes.
From previous recordings they used plain MIL-STD 188-110A; now they have switched to RFSM (Radio Frequency Software Modem) with the Data Masking (link protection) feature, an MS188-110 based software modem by "RFSM-IDE Group".
Carrier frequency (1800 Hz), symbol rate (2400 Bd) and modulation (PSK-8) are the same as in that standard (pic. 1), so the signal may be misunderstood and wrongly identified as MS188-110 4800bps/uncoded (actually the RFSM 75bps/L) and 2400bps/voice (the RFSM 300bps/L), as happens with both k500 and Sorcerer; the 13 ms ACF is a clue in favor of RFSM (pic. 2). The structure of the signal is quite complicated: the PSK-8 preamble is followed by the data transfer in PSK-8, QAM-16 or QAM-32 according to the needed data rate. As an aside, a sort of 2-ISB signal + carrier has been seen centered on 9050.0: the signal is very weak and it is difficult to say what it is.
The RFSM-2400/8000 is software by "RFSM-IDE Group"; it operates under the MIL 188-110A / MIL 188-110B App. C standards (also under a modified version), providing a maximum speed of 8000bps (standard mode) or 6670bps (non-standard "narrow" mode). Signal bandwidth: 0.3-3.3 kHz (standard mode) and 0.3-2.7 kHz (non-standard mode).

8 January 2016

Unid FSK 1200Bd 850Hz

10186.0 --- Unid 1340z (cf +1800Hz on USB), strong FSK-2 1200Bd/850, ~1500 Hz bandwidth, heard on 07Jan16: probably GMSK or CPFSK.

2 January 2016

HFDL Ground Stations (traffic to and from)

HFDL (High Frequency Data Link) is an HF data link protocol defined in ARINC spec 635-3. It may be described as a sort of HF ACARS. It is used to exchange data such as Aeronautical Operational Control (AOC) messages, Controller Pilot Data Link Communications (CPDLC) messages and Automatic Dependent Surveillance (ADS) messages between aircraft end-systems and the corresponding ground-based HFDL ground stations.
Transmissions on HF are in USB on a 1440 Hz subcarrier with a symbol rate of 1800 baud. Modulation is 2-PSK, 4-PSK or 8-PSK, with effective bit rates of 300, 600, 1200 or 1800 bits/sec.
The HFDL service is operated by ARINC as the GLOBALink service through a worldwide network of HF stations.

Ground station IDs and positions (latitude and longitude in degrees, minutes, seconds):

ID   Latitude        Longitude
 1   38 22 48 N      121 45 34 W
 2   21 10 47 N      157 10 46 W
 3   64 04 47 N       21 50 59 W
 4   40 52 47 N       72 38 22 W
 5   37 01 10 S      174 48 35 E
 6    6 56 23 N      100 23 24 E
 7   52 43 48 N        8 55 46 W
 8   26 07 46 S       28 12 35 E
 9   71 18 00 N      156 46 46 W
11    8 58 12 N       79 32 59 W
13   17 40 11 S       63 07 46 W
14   56 06 00 N       92 18 00 E
15   26 16 12 N       50 39 00 E
16   13 28 11 N      144 48 00 E
17   27 56 59 N       15 23 23 W