29 June 2016

Siemens CHX200 F1-modem (CHP-200): FSK 249 & 250 Bd /170 Hz waveform

The CHX200 F1-modem (also known as CHP200 or CHP-200, i.e. the name of the embedded communications processor) has been built in Germany by Siemens and under license in Indonesia (for domestic use). It is part of their CHX200 family of HF ECCOM frequency hopping equipment and it has been in production since 1981. Ops 1.3-30 MHz (all mode transceiver), 10 KHz-30 MHz (receive), in 100 Hz steps. Depending on the deployment, its RF power levels range from 100 to 1000 Watts (CHX250 1000 watt station, CHX240 400 watt station, CHX210 100 watt station). Known accessories and major items include PA-400 power amplifier, ATU-400 antenna tuning unit, PA/ATU-100 power amplifier/antenna tuner, CHP-200 receiver/exciter with communications processor.

This transmission consists of the selcall part followed by the non-hopping ARQ part and was heard on 10154.0 KHz, with a +1600Hz shift on USB, at 0815 UTC. The signals belong to the FSK family; the ARQ part is characterized by a constant 250 Bd manipulation speed and a shift of 170 Hz (figs. 1a, 1b).

fig. 1a - constant 250 Baud speed
fig. 1b - ISS bursts and IRS ACKs

The most interesting feature of this FSK signal consists in the different manipulation speeds used in the two 'segments' (here indicated as A and B) of the selcall procedure. Although the CHP200 logs (at least the ones that I found) report the 250 symbols/sec speed, a more accurate analysis of the signals shows two different speeds and this could suggest the use of the 2-way ARQ mechanism.
According to the speed measurements (and to the ARQ mechanism) it seems that the sender transmits data at 250 Baud while the acknowledgements are sent back by the receive peer at 249 Baud (fig. 2).

fig. 2
One could say that it's a question of tolerance since the two speeds differ by only one symbol, but the difference between the segments A and B is real and is clearly shown in figure 3 (obtained after the demodulation of the signal).
fig. 3
Other than the speeds, the two segments adopt different frame structures for their data transfer: 46 bits length (corresponding to a duration of 184ms) for the segment A and 36 bits length (144.5s) for the segment B, as shown in figs 4 and 5. Given these characteristics, I think that talking about two distinct waveforms - rather than two segments of the same waveform - would be more appropriate.

fig. 4 - the 46 bits frame structure of the waveform A
fig. 5 - the 36 bit frame structure of the waveform B

The patterns visible in the two bitstreams (fig 6) resemble data + ACKs and are another clue in favor of the ARQ.

fig. 6
Unfortunately I could not find official Siemens documentation about this modem and the selcall procedure: it would be interesting if someone could provide such info.
I want to thank my friend Karapuz for pointing me in the right direction.

27 June 2016

Russian Air Force "Chayka", FSK 150Bd/500

This transmission was heard this morning on 14781.1 KHz (cf) at 0720 UTC sending encrypted bursts of ~21 secs duration. "Chayka" is the nickname for this commands/signaling FSK messaging system used for (military) aircraft-ground communications.
The shift is a constant 500 Hz while the manipulation speed may be 75, 150, 300 and 1200 Baud: in this sample the measured speed is 150 Baud (fig. 1).

fig. 1 - manipulation speed and shift
Each "message" consists of a preamble phase and the data phase; during the preamble phase the lower tone frequency is transmitted followed by the alternation of the two tone frequencies. The data phase may consist of separated segments and/or insertions of the 2-tones alternation, as clearly visible in figure 2 where the signal has been resampled to 4 KHz.

fig. 2
At least according to this sample, the messages can be continuously transmitted as 2 in-a-row or 3 in-a-row without manipulation breaks (figure 3) and this affects the lengths of the preambles.

fig. 3

23 June 2016

MIL 188-110B App. C (STANAG-4539 Annex B)

This recording contains a MIL 188-141 2G-ALE link setup between ALE calls 5CIND2 and 5CIND1, and two short MIL 188-110B App. C 4800bps sessions for data transfer. Appendix C of MIL 188-110B describes the HF data modem waveforms for data rates above 2400 bps (3200, 4800, 6400, 8000, 9600, and optional uncoded 12800 bps) and is defined as High Data Rate Traffic Waveforms in STANAG-4539 Annex B (the counterpart NATO compatible standard).
This transmission was spotted on 10074.0 KHz/USB @ 0710 UTC, on June 22.

There are two clues that confirm this waveform:
1) the ACF value is 119.58ms and corresponds to a frame structure of 287-symbol data blocks, each consisting of 256 data symbols followed by a mini-probe of 31 symbols of known data (188-110C Appendix D has 120ms ACF and 256 + 32 = 288 symbols per data block)

fig. 1 - ACF and frame structure
2) the preamble exhibits a clear structure of 184-symbol blocks

fig. 2 - preamble
Both structures are also visible when looking at the bitstream obtained after the PSK-8 symbols demodulation: the preamble consists of 552 bits and each data frame consists of 861 bits (fig. 3).

fig. 3
Unfortunately it's a poor quality signal and the constellation is not so clear, although the 8-ary modulation is quite evident in figure 4. Since the 3200bps QPSK constellation is scrambled to appear on-air as a PSK-8 constellation, we can't be positive about the data rate. Compatible decoders say 4800bps Short interleaver.
fig. 4 - PSK-8 'over-the-air' constellation
According to the standard, preamble re-insertions occur each 72 data frames, thus the reinsertion period Tr is 8,61 secs (20664 symbols): since the duration of each session is <Tr (in this recording we count 36-37 data frames) we then do not see such reinsertions (they are not transmitted).

Using the PSK-8 symbol mapping, each mini-probe is based on the repeated Frank-Heimiller sequence. The sequence that is used, specified in terms of the 8PSK symbol numbers, is given by:
0, 0, 0, 0, 0, 2, 4, 6, 0, 4, 0, 4, 0, 6, 4, 2, 0, 0, 0, 0, 0, 2, 4, 6, 0, 4, 0, 4, 0, 6, 4
Mini-probes using this sequence are designated ‘+’. The phase inverted version of this is:
4, 4, 4, 4, 4, 6, 0, 2, 4, 0, 4, 0, 4, 2, 0, 6, 4, 4, 4, 4, 4, 6, 0, 2, 4, 0, 4, 0, 4, 2, 0
and mini-probes using this sequence are designated ‘-’ (as the phase of each symbol has been rotated 180 degrees from the ‘+’). The 72 mini-probes before the preamble reinsertion are grouped into four sets of 18 consecutive mini-probes (1 to 18, 19 to 36, 37 to 54, and 55 to 72). Pictorially, this length 18 sequence is:
- - - - - - - + S0 S1 S2 S3 S4 S5 S6 S7 S8 +
where the Si sign values are defined in Tables C-IX, C-X, and C-XI of MIL 188-110B. No scrambling is applied to the mini-probes symbols.
Due to the low quality of the recording and the characteristics of the SA universal PSK demodulator, we can just appreciate a "nuance" of the mini-probe pattern (fig. 5). Maybe further and better recordings will help.

fig. 5 - 188-110B App.C mini-probes
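
The mini-probe sequences listed above can be checked and used for sign detection in a few lines. This is an added example, not code from the post or from the standard: it verifies that ‘-’ is ‘+’ rotated by 180 degrees, that the 16-symbol base has zero periodic-autocorrelation sidelobes, and recovers the signs of an 18 mini-probe set through a constructed noisy channel. The S0..S8 values in `SAMPLE_SET`, the noise level and the phase error are constructed, not taken from Tables C-IX to C-XI.

```python
import cmath
import random

# '+' and '-' mini-probes exactly as listed in the post (8PSK symbol numbers)
PLUS = [0, 0, 0, 0, 0, 2, 4, 6, 0, 4, 0, 4, 0, 6, 4, 2,
        0, 0, 0, 0, 0, 2, 4, 6, 0, 4, 0, 4, 0, 6, 4]
MINUS = [4, 4, 4, 4, 4, 6, 0, 2, 4, 0, 4, 0, 4, 2, 0, 6,
         4, 4, 4, 4, 4, 6, 0, 2, 4, 0, 4, 0, 4, 2, 0]

def psk8(symbols):
    """Map 8PSK symbol numbers 0..7 to points on the unit circle."""
    return [cmath.exp(1j * cmath.pi * s / 4) for s in symbols]

def periodic_acf(symbols):
    """Magnitude of the periodic autocorrelation for every lag."""
    x = psk8(symbols)
    n = len(x)
    return [abs(sum(x[i] * x[(i + lag) % n].conjugate() for i in range(n)))
            for lag in range(n)]

def probe_sign(rx):
    """Classify 31 received symbols as '+' or '-' by correlating with PLUS."""
    corr = sum(r * p.conjugate() for r, p in zip(rx, psk8(PLUS)))
    return "+" if corr.real >= 0 else "-"

def noisy(symbols, rng, sigma=0.3, phase_err=0.2):
    """Constructed channel: fixed phase error (radians) plus Gaussian noise."""
    rot = cmath.exp(1j * phase_err)
    return [p * rot + complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
            for p in psk8(symbols)]

def decode_set(sign_pattern, seed=1):
    """Send one mini-probe per sign through noisy() and recover the signs."""
    rng = random.Random(seed)
    rx = [noisy(PLUS if s == "+" else MINUS, rng) for s in sign_pattern]
    return "".join(probe_sign(p) for p in rx)

# Length-18 set: seven '-', one '+', S0..S8 (constructed values), one '+'
SAMPLE_SET = "-------+" + "+-++-+--+" + "+"

if __name__ == "__main__":
    acf = periodic_acf(PLUS[:16])
    print("ACF of the 16-symbol base:", [round(v, 6) for v in acf])
    print("sent   :", SAMPLE_SET)
    print("decoded:", decode_set(SAMPLE_SET))
```

The sign decision assumes carrier phase has already been recovered; with an unknown 180 degree ambiguity only the relative signs between mini-probes are meaningful.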

18 June 2016

'Arcotel MAHRS 2400' and 'THALES TRC-1752': same PSK-8 2400Bd, same 468 bits ACF, but two different waveforms

Single tone PSK-8/2400Bd waveforms are very common and it's easy to make mistakes in their identification; sometimes their ACF values are also equal and so things get complicated (it could also happen that the same waveform exhibits different ACFs according to the input data signaling rate). In cases of uncertainty or ambiguity, a careful examination may settle the question.
Below is just an example about the THALES TRC-1752 and ARCOTEL MAHRS 2400 "signals": they not only have the same PSK-8 2400Bd single tone features but also the same ACF. Note that, although THALES TRC-1752 is a "modem" and MAHRS (Multiple Adaptive HF Radio System) is an "operating mode" developed by Telefunken-Racon (ARCOTEL is the radio processor), I generically refer to both as "signals".

Looking at their representation in the waterfall, they have a quite similar shape characterized by the same bandwidth, a non-fixed length duration and a short preamble: a first difference is visible just in this part. Looking with a little more attention, the Arcotel preamble is composed of 8+8 symmetrical tones while the Thales signal exhibits a different header (fig. 1).

fig. 1
The data transfer parts of the two signals share the same features: 8-ary phase-shift keying of a single 1800 Hz carrier and 2400 symbols/sec modulation rate (input data signaling rate is not detected here). It's interesting to note the pronounced BPSK states that, apart from their phase shift, appear in both the constellations of the two signals (fig. 2).

fig. 2
These footprints suggest the presence of BPSK segments in the structure of both signals. According to the literature, they consist of known-data symbols, in contrast with the unknown (user) data, and are scrambled to appear, on-air, as PSK-8 symbols.
The BPSK insertions, as well as the differences between the two preambles, are more evident when reducing the FFT size in the waterfall (fig. 3).

fig. 3
Looking at the two waterfalls, both with the same settings, we can also estimate that the two signals have the same pattern repetition rate (pic.3). Running the ACF and CCF functions for a better accuracy of the repetition rate, we get the same 106.665 ms result for both the signals: this value makes 468 bits, or 256 PSK-8 symbols periods since the manipulation speed is 2400Bd.
At this point, the real difference between these two signals, apart from the preamble, can only be found by examining their frame structures.

The frame structure for the Arcotel signal is shown in figure 4. The preamble is followed by 256 symbols blocks, each block consisting of 176 unknown data symbols and a mini-probe consisting of 80 symbols of known data.

fig. 4 - frame structure for Arcotel MAHRS serial
The frame structure for the Thales signal is shown in figure 5. As in the frame of the Arcotel signal, the frame consists of 256 symbols blocks, each block consisting of 80 symbols preamble followed by 176 symbols data block, each data block consisting of 4 x 32 unknown data symbols and 3 x 16 symbols mini-probes (S4285-like waveform).

fig. 5 - frame structure for THALES TRC-1752
It's worth noting that the two signals have the same length, 80 symbols, for the BPSK modulated segment.

So, although both occupy the same room, 256 symbols, they are framed in different ways and thus belong to two different waveform families: 110A-like (Arcotel MAHRS 2400 serial) and S4285-like (THALES TRC-1752), each with its specific features and performances.
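
The point made above, that an identical repetition period does not identify the waveform while the position of the known symbols inside the block does, can be reproduced on synthetic data. This is an added example, not the author's tooling: the symbol streams are constructed (random user data, fixed known symbols, frame-aligned, no scrambler), and the placement of the 3 x 16 mini-probes between the 4 x 32 data groups is an assumption.

```python
import random

FRAME = 256  # symbols per block in both signals
# True = known symbol. Layouts follow the description above; the ordering
# data/probe/data/probe/data/probe/data inside the Thales block is assumed.
ARCOTEL = [False] * 176 + [True] * 80
THALES = [True] * 80 + ([False] * 32 + [True] * 16) * 3 + [False] * 32

def make_stream(mask, frames, seed):
    """Constructed PSK-8 symbol stream: fixed known symbols, random data."""
    rng = random.Random(seed)
    known = [rng.randrange(8) for _ in range(FRAME)]
    return [known[i] if mask[i] else rng.randrange(8)
            for _ in range(frames) for i in range(FRAME)]

def repeat_score(stream, lag):
    """Fraction of symbols identical to the symbol `lag` positions later."""
    n = len(stream) - lag
    return sum(stream[i] == stream[i + lag] for i in range(n)) / n

def acf_period(stream, max_lag=400):
    """Lag (in symbols) with the strongest repetition, a crude ACF peak."""
    return max(range(1, max_lag + 1), key=lambda lag: repeat_score(stream, lag))

def known_mask(stream, period):
    """Positions whose symbol never changes from one block to the next."""
    frames = [stream[i:i + period] for i in range(0, len(stream), period)]
    return [len({f[i] for f in frames}) == 1 for i in range(period)]

def layout(mask):
    """Run-length summary of a mask, e.g. [('known', 80), ('data', 32), ...]."""
    runs = []
    for m in mask:
        name = "known" if m else "data"
        if runs and runs[-1][0] == name:
            runs[-1] = (name, runs[-1][1] + 1)
        else:
            runs.append((name, 1))
    return runs

if __name__ == "__main__":
    for name, mask, seed in (("Arcotel", ARCOTEL, 1), ("Thales", THALES, 2)):
        s = make_stream(mask, 24, seed)
        period = acf_period(s)
        print(name, "period:", period, "symbols =",
              round(period / 2400 * 1000, 3), "ms")
        print("  layout:", layout(known_mask(s, period)))
```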

13 June 2016

MS188-110 poor man ASCII-bit stepper simulator (I)

The poor-man ASCII-bit stepper simulator implements a fixed-frequency serial (single-tone) waveform as specified in MIL-STD 188-110B 5.3; it supports only the 1200/2400 bps data rates and the short interleaver.

- why poor man
I'm just a hobbyist in signals analysis and do not have resources to invest in sophisticated hw-devices or sw-tools suited to this specific activity (it's not my work).

- why ASCII-bit
the simulator does not treat the data in a bitwise mode but rather it uses their ASCII text representation, i.e. the data are written (and processed) as ASCII chars of zeroes and ones ("0" and "1") and so it's not a real modem since each ASCII character is a 7-bit code stored in a byte. This means, for example, that an initial ASCII string such
will end in a different baseband signal if processed by a real MS188-110 software modem as, for example, MS-DMT. 
Nevertheless, the ASCII-bit representation of data doesn't alter the way these are processed and appear at the input of the SSB modulator and, apart from the data representation, it's always possible to get a valid baseband waveform once the scrambled data 000,001,010,... are mapped into PSK-8 complex symbols 1+j0, 1+j1, 0+j1,...
Note that the binary values for ASCII text '0' and '1' are 00110000 and 00110001 respectively.

- why stepper
the simulator is not a single piece of software running in concurrent mode but rather it is composed of a series of pipeline modules, each of which has as its input-file the output-file of the preceding module, and therefore the modules are executed one at a time (by manually running each of them). This makes it possible to examine step-by-step the evolution and the contents of the bitflow along the functional blocks of the modem.

- why simulator
from the above, it can't replace the original for a real use and it could be seen as a (limited) model for analysis.

The simulator is coded using the Lua language, a fast and powerful interpreter (although the sources could be compiled) and is limited to 1200/2400bps and short interleaver (I did not want to code a 188-110 compatible modem but just a way to look inside it). Please, at least for now, do not ask for the code: it needs to be further debugged, does not have a GUI, it's roughly written and needs more lines to be user safe and 100% error-free.

unknown (user) data

In this example the input user data come from a random generator (https://www.random.org/bytes/): the randomized binary strings are printed on the screen and have to be cut and pasted into a simple editor (such as notepad) to create the input data file. This procedure will cause a weird (but predictable) result once the data are passed through the FEC encoder.

FEC Encoder block

In this example, the output data from the FEC encoder exhibit a fixed pattern characterized by a 130 bits length period. As said above, this (apparently) weird result is due to the way Windows OS stores text files and to the length of the randomized binary strings printed out by the random generator.
Looking closely at the input file using a Linux terminal, we realize that it is composed of 64 chars rows (the length of the random strings produced by the random generator), each row terminated by the DOS/Windows line-ending character ^M (or ctrl M, not visible using Windows notepad), which makes 65 chars per row.

Since at the 1200bps rate the convolutional coder performs an effective code rate of 1/2, coded row streams of 130 bits are generated for input data rows of 65 bits length.

remember that the simulator treats each single ASCII text '1' or '0' as one bit!


Interleaver block

The interleaver matrix accommodates a block storage of 600ms of receiving bits in case of short interleaver and 1200bps rate. Because the bits are loaded and fetched in different orders, two distinct interleave matrices are used: this allows one block of data to be loaded while the other is being fetched!
At the 1200bps rate the short interleaver matrix has a dimension of 40 rows x 36 cols, providing 1440 bits room: this value matches the number of output bits from the FEC encoder during the 600ms interleaver load period, i.e. 1200 * 2 * 0.6 (remember that FEC encodes at 1/2 rate).
The effect produced by the interleaver is most evident when forcing long sequences of zeroes and ones at its input:
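
An added example (Python, not the author's Lua simulator) of the 40 x 36 short interleaver at 1200 bps, fed with 720 ASCII '0' followed by 720 ASCII '1' in the simulator's ASCII-bit style. The load order (row + 9 modulo 40, column by column) and fetch order (row + 1, column - 17 modulo 36) are taken from the interleaver description in MIL-STD-188-110B, not from this post; the function names are hypothetical.

```python
ROWS, COLS = 40, 36          # short interleaver at 1200 bps
SIZE = ROWS * COLS           # 1440 coded bits = 600 ms at rate 1/2

def interleave(bits):
    """Load one block into the matrix, then fetch it in transmit order."""
    if len(bits) != SIZE:
        raise ValueError("one interleaver block is %d bits" % SIZE)
    matrix = [[None] * COLS for _ in range(ROWS)]
    # Load: rows 0, 9, 18, 27, ... (mod 40); next column after 40 bits
    for n, bit in enumerate(bits):
        matrix[(9 * n) % ROWS][n // ROWS] = bit
    # Fetch: start at (0, c0), then row + 1 and column - 17 (mod 36);
    # after row 39 restart at row 0 with the start column one larger
    out = []
    for c0 in range(COLS):
        for row in range(ROWS):
            out.append(matrix[row][(c0 - 17 * row) % COLS])
    return out

# PERM[k] = index of the input bit that is transmitted k-th
PERM = interleave(list(range(SIZE)))

def deinterleave(bits):
    """Receiver side: put every fetched bit back at its input position."""
    out = [None] * SIZE
    for k, src in enumerate(PERM):
        out[src] = bits[k]
    return out

def longest_run(bits):
    """Length of the longest run of identical values."""
    best = run = 1
    for a, b in zip(bits, bits[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best

def min_adjacent_gap():
    """Smallest input-side distance between two consecutively sent bits."""
    return min(abs(b - a) for a, b in zip(PERM, PERM[1:]))

if __name__ == "__main__":
    block = list("0" * 720 + "1" * 720)   # constructed ASCII-bit input
    tx = interleave(block)
    print("longest run in :", longest_run(block))
    print("longest run out:", longest_run(tx))
    print("first 40 sent  :", "".join(tx[:40]))
    print("min gap between adjacent sent bits:", min_adjacent_gap())
```

The last figure is what matters against burst errors: two channel bits hit one after the other land far apart at the input of the Viterbi decoder.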

MGD and Symbol Formation blocks

At the 1200bps rate, the bits fetched from the interleaver matrix are grouped together as two bit entities (dibit channel symbols) and applied to the Modified Gray Decoder (MGD) to guarantee that only one bit changes. Three bit entities (tribit channel symbols) are used in case of the 2400bps rate.
Following the above example of an input file made of long sequences:

The function of the Symbol Formation block is one of mapping the channel symbols from the MGD (or from the sync preamble sequence) into tribit numbers compatible with transmission using an 8-ary modulation scheme. For user data, at the 1200-bps rate the dibit channel symbol formation uses tribit numbers 0, 2, 4, and 6. At the 2400-bps rate, all the tribit numbers (0-7) are used for symbol formation. A different mapping process is used for preamble transmissions.

Sync Preamble Sequence
The waveform for synchronization is essentially the same for all data rates. The synchronization pattern shall consist of either three or twenty four 200ms segments (depending on whether either zero, short, or long interleave periods are used). Each 200-ms segment shall consist of a transmission of 15 three bit channel symbols:
0, 1, 3, 0, 1, 3, 1, 2, 0, D1, D2, C1, C2, C3, 0
The three bit values of D1 and D2 designate the bit rate and interleave setting of the transmitting modem. The three count symbols C1, C2, and C3 represent a count of the 200 ms segments starting at 2 for the zero and short interleave setting cases and 23 for the long interleave case.

Scrambler block

The Scrambler block modulo 8 adds the tribit number supplied from the Symbol Formation block for each 8-ary transmitted symbol to a three bit value supplied by either the data sequence randomizing generator or the sync sequence randomizing generator.
The bitstream at the 1200bps rate exhibits a 480 bit period corresponding to 160 symbols or 66.66ms: as seen in a previous post, this value is due to scrambler length. The frame structure, at the 1200bps rate, is the expected 20 (unknown) + 20 (known) symbols as specified in the standard.

Modulator block
The modulator block will be discussed closely in a further post (...I'm still working on it). The output data from the Scrambler block, after being converted to the 0-7 numbers, will be mapped into the PSK-8 constellation complex symbols 1+j0, 1+j1, 0+j1,... to form the baseband waveform file: in a few words, a sequence of "samples" of the modulated signal (2400 samples/sec).

It's worth noting that the 0-7 numbers file is the same as the one obtained by the SA phase-demodulator (apart from the phase offset):

After the complex-symbols conversion, the baseband file must be up-sampled and filtered to spectrally constrain the waveform to within the specified bandwidth. A square root of raised cosine filter is recommended with a roll off factor, excess bandwidth, of 35% (as specified in the standard); then, since the baseband signal has a center frequency of 0 Hz, it must be translated to the 1800 Hz center frequency and finally saved in the wave format to get the audio signal.
The modulator block will be implemented using the SciLab environment. For now, just for fun, it's possible to plot the numbers-baseband file to get the 8-ary constellation and transitions.

(to be continued)

10 June 2016

Unid MSK 1200Bd 800Hz

Yesterday (10 June) morning I spotted this weird signal on 20877.0 KHz/USB at 0725 UTC; unfortunately some static due to a thunderstorm ruined the reception.
The signal has a 1200 Hz bandwidth and is characterized by a strong tone at ~1400 Hz (1394) and two symmetrical tones at +600 and -600 Hz which are transmitted at a lower level than the central one. A sort of "marks" is transmitted every 137.5 ms (pic. 1).

pic. 1

FSK bursts are inserted in a seemingly random way, they have a shift of about 800Hz and manipulation speed of 1200Bd: curiously it's the same value of the bandwidth (pic. 2)

pic. 2
The 137.5ms marks make the period of the signal = 165 bits.

pic. 3

8 June 2016

CIS MFSK-16 175Hz (updated)

This 16-tone signal occupies a bandwidth of about 2700 Hz, from 385Hz of the lower tone to 3010Hz of the top tone (dF = 2625Hz), with 175Hz increment steps as shown in pics. 1,2:

pic. 1 - spectrum of the MFSK-16 signal
pic. 2 - the 16 tones grid
Since last January, this modem has been observed on several frequencies on USB and running at multiple speeds but all with the same constant frequency shift of 175Hz.
An interesting feature of this signal is its speed of manipulation: I spotted 4 different waveforms with speeds that increase at about a '2x' rate, i.e.: 16.4, 33, 66.6 and 132.4 symbols/sec (pics 3,4,5,6)

pic. 3 - 16,4 Bd
pic. 4 - 33 Bd
pic. 5 - 66.6 Bd
pic. 6 - 132.4 Bd
Formerly the MFSK-16 phase was preceded by an MSK preamble with ~1866Bd and ~928Hz shift (pic. 7)
pic. 7 - MSK preamble before MFSK-16 transfer
Although the preamble may appear as a QPSK modulation, a more careful analysis indicates the MSK mode (pic. 8)

pic. 8 - preamble speed and mode