29 July 2016

STANAG-4538, HDL+ BW7 waveforms

Bearing in mind the results and considerations about STANAG-4538 HDL+ protocol, as reported in the previous post, one can easily face the analysis of 3G-HF burst signals like this (fig. 1)

fig. 1
Once checked the headers and the length of the data sections, and found to be 288 symbols, I used the "harmonics" tool in order to get the modulations: I also used the zoom tool to better clarify the differences in each forward burst. A partial result at 8^ power is shown in figure 2: the PSK-8 harmonics due to BW6 headers are well visible, while the data sections (BW7) use different modulations according to the table of figure 3.

Fig. 3
 Analyzing all the forward bursts, it's possible identify the presence of the QAM-16 and QAM-64 BW7 waveforms, other than the PSK-8 BW6 waveform. 

fig. 4 - 4800 bps PSK-8 BW7 waveform
fig. 5 - 6400 bps BW7 QAM-16 waveform

fig. 6 - 9600/12800 bps BW7 QAM-64 waveform
It is worth noting in figs. 5,6 that the used constellations for QAM modulations are in 'circular rings' and then they are modified with respect to the standard ones.


28 July 2016

HDL+ (a proposed enhanced protocol for STANAG-4538)

At a first glance this transmission resembles the STANAG-4538 forward+ACK structure, but the lengths of the bursts and their frame formats do not match the ones specified for the HDL and LDL protocols. Encouraged by my colleague KarapuZ, I tried the HDL+ approach in the analysis of these signals.

The HDL+ data link protocol combines high data rate waveforms similar to those of STANAG 4539 or MIL-STD-188-110C Appendix C with incremental redundancy (Type II Hybrid-ARQ) techniques similar to those of the STANAG 4538 LDL and HDL protocols.

fig. 1 - BW7 waveforms
As in STANAG-4538, the HDL+ transmisssion is composed of data forward bursts and ACK messages bursts. The forward transmission (datagram) in HDL+  consists of a header, which is transmitted using the Burst Waveform 6 (BW6) for robustness, and a data section sent with the Burst Waveform 7 (BW7) for higher speed: the BW6, which is also used for the ACK messages, is much more robust than BW7.

The structure of the HDL+ forward burst can be verified isolating a single burst and zooming the FFT as in figure 2, it's worth noting the presence of the 2 mini-probes initial sequence that follows the header and marks the beginning of the data section.

fig. 2 - BW7 header and data section
The constellation in figure 3, obtained from that same burst, reveals a PSK-8 modulation with constant symbol rate of 2400Bd: it's another clue in favor of HDL+ since it is based on STANAG-4539/188-110B waveforms.

fig. 3 - PSK-8 constellation for BW7 4800 bps
From documentation available in the web, the BW7 data section consists of an initial probe sequence of 64 symbols followed by a data sequence of 256 data symbols alternated with 32 symbols long mini-probes (fig. 4): so total frame symbols sums to 288, 256/32 unknown/known format (by the way, STANAG-4538 HDL provides PSK-8 32/16 unknown/known frame format for its forward transmissions).

fig. 4 - BW7 frame format
My results exactly match such frame format (fig. 5): the ACF value is 120ms, that makes 288 symbols @ 2400 Baud. Note that the two mini-probes initial sequence indicated in fig. 4 was seen above in the zoomed FFT in fig. 2.

fig. 5 - ACF and frame format or HDL+ BW7
As further confirmation, the analysis of the demodulated bitstream produces the same results: the frame period is 864 bit long and the mini-probes length is 96 bit (fig. 6).

fig. 6 - analysis of the demodulated BW7 bitstream
Since the results (header structure, signal constellation, and frame format) the signal can be identified as HDL+ BW7, in this case the 4800bps PSK-8 waveform.

One could confuse  "HDL+ BW7" with "188-110C App.D 3KHz WID7" and conversely since they just use the same 288 symbols 256/32 frame structure. In the absence of appropriate analysis tools, one  may discriminate between HDL+ and 188-110C by carefully analyzing, at physical layer, the preambles (the "synchronization preamble" in 188-110C and the  "header" in HDL+) and the data sections:

- "The 188-110C synchronization preamble consists of two main sections, a transmitter level control (TLC) settling time section, and a synchronization section containing a repeated preamble super-frame." [D.5.2.1 MS188-110C App.D]

- HDL+ does not have TLC, its header is shorter than 188-110C App. preamble and is  transmitted  in  386.67  ms

fig. 7 - 188-110C synchronization preamble
fig. 8 - HDL+ header
- the HDL+ data section begins with 2 mini probes
- the 188-110C data section begins with 1 mini-probe

fig. 9 - data sections

No initial synchronization preamble is required, since this role is filled by the BW6 burst waveform that is used to transmit the header immediately preceding each BW7 transmission (the payload section). Instead, an initial probe sequence containing two repetitions of a 32-symbol Frank-Heimiller sequence (a total of 64 known symbols) is transmitted.
The payload section is used to convey between one and fifteen (inclusive) packets of payload data, after their contents have been coded and interleaved. Each packet is conveyed by a sequence of unknown/known (“UK”) frames. Each UK frame contains a data block, a sequence of 256 unknown symbols modulated with payload data, followed by a 32-symbol mini-probe. The number of UK frames used to convey each payload data packet depends on the signal constellation, the code rate, and the packet payload size as shown in fig. 10 (quoted from STANAG 4538 Annex C Edition 1, Amendment 21, Draft 0.3).
fig. 10

For what concerns the Burst Waveform 6 (BW6), it is used to convey the BW7 header, ACK, and EOT (EOM) PDUs of the HDL+ data link protocol, and to convey PDUs of the FLSU and FTM protocols on a packet link established for delivery of data traffic using HDL+. BW6 burst has an on-air duration of 386.67 msec and 51 bits of payload that are Walsh modulated using a Walsh sequence and then PN-spread (Pseudo Noise) to produce 544 channel symbols.
The initial TLC/AGC guard sequence of 192 tribit symbols and the 544-length sequence of BW6 channel symbols is used to PSK-8 modulate an 1800 Hz carrier signal at 2400 channel symbols/sec. The 544 PSK-8 symbols, ie 1632 bit, are clearly visible once removed the TCL/AGC section (fig. 11 and 12).

fig. 11
fig. 12

The end of a HDL+ data transfer is reached when the sending PU has transmitted BW7 data PDUs containing all of the payload data in the delivered datagram, and the receiving PU has received these data without errors and has acknowledged their successful delivery. When the sending PU receives an ACK PDU indicating that the entire contents of the datagram have been delivered successfully, it sends one or more (up to four) EOT PDUs, starting at the time at which it would have otherwise transmitted the next BW7 data PDU, to indicate to the receiving PU that the data transfer will be terminated (quoted from STANAG 4538 Annex C Edition 1, Amendment 21, Draft 0.3)
This link termination scenario is depicted in figure 13 where the two PUs are distinguishable by the strengths of the signals:

fig. 13
The link is terminated by the FLSU_TERM PDU which is transmitted using the burst waveform 6, according to STANAG 4538 Annex C Edition 1, Amendment 2, Draft 03 (in HDL+ links FLSU and FTM PDU shall be use BW6 waveforms). It's interesting to see that the receive peer transmits the optional FLSU_TERM confirm PDU (fig. 14)

fig. 14

25 July 2016

STANAG-4538, LDL complete session

15945.0 ---: Unid 0918 UTC USB, STANAG-4538 Fast Link setup (FLSU) bursts followed by Low rate Data Link (LDL) forward transmissions and ACK bursts (BW3 and BW4 bursts). The transfer session end is signaled by the LDL EOM burst, similar to a normal BW4 acknowledgement but sent by the source ie in the data forward direction (Fig. 1).

Since the presence of the HARRIS Citadel encryption pattern in  the forward bursts (fig. 3), most likely the used equipment is the HARRIS Falcon II family RF-5800H.
fig.2 - LDL BW3 autocorrelation
fig. 3 - BW3 frame (32 symbols) and Citadel encryption pattern
The presence of the Fast Link Setup (FLSU) burst at the beginning of the transmission (fig. 4) say that this is not a MIL 188-141B/C waveform since FLSU is not defined in such standard but only Robust Link Setup (RLSU). RLSU is hence the only link setup mode providing interoperability between STANAG 4538 and 141B/C.
fig. 4 - FLSU burst

23 July 2016

PacTOR-II, modulation changes

In this examples (recordered on 16285.0 KHz/USB) the PacTOR-II modem exhibits the ability to adapt its modulation method (and data rate) dynamically based on channel conditions or on current needs (ie broadcast/PtP). Since PacTOR is not an auto-baud waveform, this routine (knows as 'PacTOR-II AUTO') is usually implemented in the controller/modem firmware.
Looking at this case, Tunisian Minister of Interior network, the used mode seems to be reported in the addresses of the email (HFARQ STAT11, HFARQ STAT151) sent after the 188-141 2G-ALE handshake (fig. 1): most likely, their adopted messaging system is implemented on ARQ just per deafult.

fig. 1 - 188-141 2G-ALE followed by PacTOR-II email
These records (figs 2,3) refer to two separate email transmissions: in the former (1137 local time) the modem use the DPSK-8 FEC mode while in the latter (1213) the modem switched to the more reassuring DBPSK ARQ. Modulation rates remain constant (100 symbol/sec).

fig. 2 - PacTOR-II FEC PSK-8 100Bd
fig. 3 - PacTOR-II ARQ PSK-2 100Bd
According to the two spectrograms, the channel conditions degrade since the strength of the received signal decreases and this could justify the change of modulation. However it is fair to say that the tx antenna may use different beamings.

22 July 2016

CIS Navy FSK 50Bd 40Hz

quite unusual FSK signal heard on 12592.5 KHz and by my friend KarapuZ on 14581.0 KHz on USB: such shift (40 Hz) is rare on these high frequencies. ACF not measurable (=0). Thanks to KarapuZ for sending me the record.

As suggested by cryptomaster, these transmissions have characteristic SOM and EOM; the transfer is performed using a code 4/3 four "1" and three "0".

16 July 2016

unid QPSK PSK-8 4800/2400Bd & OFDM 15-tones

This is an example of a "teamgroup" analysis: the signals were originally spotted by KarapuZ, then analyzed together by me, cryptomaster and IK1YDE: the discussion can be read here ("ansanto" is my nickname in radioscanner.ru forum)

The signal show up in FEC burst and ARQ modes with symbol rates of 4800 Baud (6000Hz bandwidth) and 2400 Baud (3000Hz bandwidth). 
The first weirdness we saw is just related to the baudrate lines of the signal in both the two speeds. As shown in figure 1, each burst consists of the preamble segment followed by the data segment: a strong 4800Bd line is visible only in the firts segments of the bursts, preambles, while just weak nuances are visible in the second segments.

fig. 1 - strong 4800Bd lines for preamble segments
In order to understand the used modulation we have isolated a single burst and then tried its harmonics: results are another weirdness. As shown in figure 2, the signal exhibits a clear PSK-8 modulation in preamble segment "A" (as expected, since its baudrate line) followed by short PSK-2 insert but no signs of modulation in the second segment "B" (altough the weak baudrate lines in fig.1).

fig. 2 - modulation harmonics in a single burst
Other than the 4800 Baud 8-ary constellation (shown in fig. 3) the segments A are characterized by a 53.33ms ACF that matches a 256 bits frame structure (fig. 4).

fig. 3 - PSK-8 single tone modulation at 4800 Baud in segments A
fig. 4 - 53.33ms ACF in segments A
For what concerns the segments B I suggested to isolate each of them from the ARQ signal and merge them together to form one unique file and then use the OFDM approach to study just that file. Cryptomaster spotted OFDM 15-tones structure and also isolated a single channel, detecting the presence of QPSK modulation: figures 5 and 6 show my tests that confirm his OFDM-15 238Bd QPSK observations.

fig. 5 - OFDM 15-tones in segments B
fig. 6 - inspecting a single OFDM channel
What remains still unclear, other than the source/user of the transmissions, is the reason of the baudrate line in the segments B since OFDM normally does not cause such pattern in the modulation harmonics.
To be thorough, figs 7,8 show the same behaviors in the 2400Bd waveform.

fig. 7 - strong 2400Bd lines in segments A
fig.8 - PSK-8 modulation only in 2400Bd waveform segments A

10 July 2016

"Serdolik" 40Bd mixed mode: OFDM 45 and 60 tones, MFSK-31, and a pich of FSK

One of the numerous variant of the nicknamed "Serdolik" system heard on 11469.0 KHz on USB. Such composite signals are not frequent in the air but sometimes, and for a short period of days, they spring up like magic. Who knows?  maybe the Russian Academy of Communication students take graduate work :).
Most of the transfer is performed with OFDM with short MFSK/FSK inserts at irregular cadences: it's interesting to note that all these modulations are characterized by the same 40 symbols/sec data rate. 

The used OFDM are the 60 (60 +1 pilot) and 45 (45 +1 pilot) tones waveforms, both with channel separation of 50Hz and - as said - 40 Baud speed (figs 1,2). The MFSK/FSK inserts occur in both the two modes. The 60+1 tones waveform was already meet here.

fig. 1 - OFDM 60-tones (+ 1 Pilot)
fig. 2 - OFDM 45-tones (+ 1 Pilot)
The switch bewteen the two modes just occured after an MFSK/FSK insert (fig-3)

fig. 3 - switch between the two OFDM waveforms
The parameters of the MFSK/FSK inserts are easy to measure: MFSK-31 40BD speed and 40Hz separation, FSK 40Bd 200Hz and 600 Hz shifts. I only show the MFSK detection in figure 4.

fig. 4 - MFSK parameters
Trasmission was closed by a series of MFSK/FSK bursts as shown in fig. 5

fig. 5
Apart from the affinity to the Serdolik "family" (clues are the MFSK-31 and the OFDM waveforms), it's improbable to say something more precise since the lack of official documentation.