28 October 2016


03806.5 OE3XEC: Amsstetten AUT, 0754 WinLink traffic (23Oct16) (AAI)
05115.0 ---: Turkish Mil, TUR 0549 (cf) FSK 300Bd/400, KG-84C encrypted (24Oct16) (AAI)
05140.0 ---: Russian Mil (prob. AF) 0602 J3E/USB female voice comms (24Oct16) (AAI)
05182.0 ---: Unid 0722 R&S ALIS 228.65Bd/200 calling address 2190 (25Oct16) (AAI)
05210.0 BU4: Roumenian Police Bucuresti, ROU 0602 USB MIL 188-141 2G-ALE handshake TUL flwd by MIL 188-110A (19Oct16) (AAI)
05211.5 6GW0: Italian Mil, I 0647 J3E/USB radio-check with FB4T, 0WPF, Q77V, 3X0N, Q67Z (25Oct16) (AAI)
05258.0 J62: Moroccan Mil, MRC USB MIL 188-141 2G-ALE sounding (19 Oct16) (AAI)
05316.0 K1U: Slovakian AF, SVK 0637 USB MIL 188-141 2G-ALE calling Z1V (25Oct16) (AAI)
05316.0 P1O: Slovakian AF Prezov, SVK 0637 USB MIL 188-141 2G-ALE calling Z1V (25Oct16) (AAI)
05316.0 S1L: Slovakian AF, SVK 0637 USB MIL 188-141 2G-ALE calling Z1V (25Oct16) (AAI)
05316.0 Z1V: Slovakian AF Zvolen, SVK 0637 USB MIL 188-141 2G-ALE calling S1S (25Oct16) (AAI)
05340.0 LY01: Algerian Mil, ALG 0549 USB MIL 188-141 2G-ALE calling PY01 (26Oct16) (AAI)
05352.5 HG7BHB: propagation beacon, HUN  0545 CW "VVV DE HG7BHB  QTH JN97LE 34SF PWR 50W" (24Oct16) (AAI)
05371.5 9A3WD1P: Global ALE HFnet 0630 USB MIL 188-141 2G-ALE sounding (22Oct16) (AAI)
05400.0 DG501D: French Navy, F 0737 USB 188-141 2G-ALE handshake DG401D flwd by STANAG-4285, KG-84C encrypted (20Oct16) (AAI)
05405.0 YK01: Algerian Mil, ALG 0551 USB MIL 188-141 2G-ALE calling PY01 (26Oct16) (AAI)
05410.0 3127: Sonatrach, ALG 0647 USB MIL 188-141 2G-ALE sounding (24Oct16) (AAI)
05415.5 ---: Russian Mil (prob. AF) 0710 J3E/USB female voice comms (24Oct16) (AAI)
05420.0 IU01: Algerian Mil, ALG 0634 USB MIL 188-141 2G-ALE calling JP01 (27Oct16) (AAI)
05424.0 5B: Bosnia Herzegovina Defense 5th Infantry Brigade Tuzla, BIH 0722 USB MIL 188-141 2G-ALE handshake 2PB flwd MIL 188-110A (24Oct16) (AAI)
05453.0 FP: prob.Italian Guardia Costiera, I 0645 J3E/USB stations: WW, EA, EB, EF, radio-checks, coded msgs as ADA,ASA,ASB,ATA,ANA,ATB using NATO phonetic, prob voice-net parallel to data-net (20Oct16) (AAI)
05455.0 RD21: Algerian Mil, ALG 0557 USB MIL 188-141 2G-ALE handshake PY20 flwd by 188-110A (25Oct16) (AAI)
05500.0 5555: Unid net 0610 USB MIL 188-141 2G-ALE calling 4444 [CMD AMD][/>A2001  ] (20Oct16) (AAI)
05792.0 2212: Unid net 0614 USB MIL 188-141 2G-ALE sounding (20Oct16) (AAI)
05813.5 DO7: Polish Mil, POL 0619 USB MIL 188-141 2G-ALE calling RA2 (26Oct16) (AAI)
05813.5 DO7: Polish Mil, POL 0621 USB MIL 188-141 2G-ALE calling PT1 (26Oct16) (AAI)
05813.5 WI5: Polish Mil, POL 0619 USB MIL 188-141 2G-ALE sounding (26Oct16) (AAI)
05850.0 BU4: Roumenian Police, ROU 0633 USB MIL 188-141 2G-ALE handshake TUL flwd by 188-110A transporting STANAG-5066 HBFTP msgs (24Oct16) (AAI)
05903.0 DO7: Polish Mil, POL 0621 USB MIL 188-141 2G-ALE handshake WI5 (26Oct16) (AAI)
05903.0 DO7: Polish Mil, POL 0627 USB MIL 188-141 2G-ALE calling TE6 (26Oct16) (AAI)
06450.0 ZOCCOLA: Guardia di Finanza, I 0720 USB MIL 188-141 2G-ALE handshake CAGLIARI, voice comms using callsigns ROSTRO549 (ALE ZOCCOLA) and SIRIO60 (ALE CAGLIARI): position, heading and speed of ROSTRO549 (27Oct16) (AAI)
06510.0 Z1V: Slovackian AF Zvolen, SVK 0633 USB 188-141 2G-ALE handshake P1O Prezov flwd by 188-110A transporting Stanag-5066 HBFTP msgs (20Oct16) (AAI)
06779.0 ---: Unid 0705 USB RFSM-8000 modem with data-masking (21Oct16) (AAI)
06806.0 ---: Unid 0845 USB MIL 188-141 2G-ALE using App.B Linking Protection (27Oct16) (AAI)
06905.0 BX02: Algerian Mil, ALG 0757 USB MIL 188-141 2G-ALE calling PY01 (22Oct16) (AAI)
06905.0 HN02: Unid (Algerian Military?) 0824 USB MIL 188-141 2G-ALE handshake BZ01, no traffic (27Oct16) (AAI)
06931.0 ---: Unid 0628 USB modified STANAG-4285 waveform (21Oct16) (AAI)
07316.0 ---: Russian Nvay, RUS 0615 (cf) CIS Navy "Akula" FSK 500Bd/1000 (25Oct16) (AAI)
07535.0 CP01: Algerian Mil, ALG 0541 USB MIL 188-141 2G-ALE calling PY01 (25Oct16) (AAI)
07656.0 ---: Russian Intel, RUS 0710 USB CIS FTM-4, MFSK-4 150Bd (effective 37.5Bd) 4000Hz modem (tones at: -6, -2, +2, +6 KHz) (26Oct16) (AAI)
07745.0 TBB: Turkish Navy Ankara, TUR 0520 USB STANAG-4285 600bps/L CARBs//TBB040I(0)/TBB041I(0)/TBB043I(0)/TBB045I(0)/TBB049I(0)/TBB050I(0)// (25Oct16) (AAI)
08950.0 83401: Turkish Emergency Net, TUR 2037 USB MIL 188-141 2G-ALE sounding (22Oct16) (AAI)
09095.0 ---: Unid (prob. Ukrainian net) 0522 USB 3 of 6x100Bd/120Hz VFT system (26Oct16) (AAI)
10168.0 ---: Unide 1229 USB Arcotel MAHRS-2400 ALE bursts (25Oct16) (AAI)
11155.0 RIT: Rus Navy HQ Severomorsk, RUS 0846 CW "RAL65 DE RIT QSA?" (23Oct16) (AAI)
11155.0 RIT: Rus Navy HQ Severomorsk, RUS 0857 CW "RKN64 DE RIT RIT QSA 2 QRV K" (23Oct16) (AAI)
11429.0 ---: Russian Intel, RUS 1045 (cf) MFSK-68 (34+34) + QPSK 2400Bd 10KHz wide-band inserts (25Oct16) (AAI)
11470.0 ---: Unid (prob. Russian Navy) 1315 FSK 50Bd/500, no traffic (25Oct16) (AAI)
13215.0 201067: USAF unid asset 1113 USB MIL 188-141 2G-ALE sounding (27Oct16) (AAI)
13220.0 ---: no call 1323 USB MIL 188-141 2G-ALE calling CHARLY46 Italian AF (46th Air Brigade) (27Oct16) (AAI)
13499.0 11021: Moroccan Civil Defence, MRC 1122 USB MIL 188-141 2G-ALE sounding (27Oct16) (AAI)
13499.0 2215: Moroccan Civil Defence, MRC 1108 USB MIL 188-141 2G-ALE sounding (27Oct16) (AAI)
13499.0 2415: Moroccan Civil Defence, MRC 1109 USB MIL 188-141 2G-ALE sounding (27Oct16) (AAI)
13505.0 ---: Unid 1120 USB STANAG-4538 LSU + LDL, Harris Citadel encryption (27Oct16) (AAI)
13538.0 ---: Russian Mil, RUS 1213 USB CIS-45 OFDM HDR modem v2 BPSK 40Bd 62.5Hz (23Oct16) (AAI)
13554.0 CENTR3: MAECT Bucarest Centrala3, ROU 1047 USB MIL 188-141 2G-ALE handshake BLJ Telaviv Embassy, flwd by 188-110A transporting STANAG-5066 messages (27Oct16) (AAI)
14493.0 RGG: Russian Mil, RUS 1134 CW "RGP RGP RGP DE RGG RGG QSY 14653 QSY 14653" (21Oct16) (AAI)
14581.5 ---: Russian Navy, RUS 1330 FSK 50Bd/40, 7-bit code 4/3 (four 1 + three 0) (23Oct16) (AAI)
14968.0 XSS: DHFCS Forest Moor, G 1337 USB MIL 188-141 2G-ALE calling XDV (22Oct16) (AAI)
16000.0 6207: Unid 1213 USB MIL 188-141 2G-ALE calling 6202 (26Oct16) (AAI)
16103.0 Russian Mil, RUS 1244 USB CIS-112 OFDM modem 22.22Bd BPSK (24Oct16) (AAI)

26 October 2016

Turkish Mil, FSK 300Bd/400Hz KG-84C

Weak signal heard on 5115.5 KHz, central frequency, at 0549 UTC. Analysis with SA reveals an FSK signal running at 300Bd and 400 Hz shift.
fig. 1
fig. 2
Once demodulated, the presence of the KG-84C 64-bit sync pattern (fig. 3)  leads to think about a NATO partner Nation: looking at precedent posts,  most likely the signal belongs to the Turkish  FSK waveforms.
fig. 3


24 October 2016

Unid BPSK 1500Bd (prob. Chinese modem)

Unid modem (prob. Chinese origin) using BPSK modulation at 1500 Baud and 1500 Hz sub-carrier. Since the alternation of frames with different strength, this may be a duplex channel.

fig. 1
fig. 2
fig. 3
Once demodulated, the analysis of the bitstream reaveals an interesting 3 bit structure (fig. 4): my friend Karapuz suggested to try a differential (relative) decoding of the signal.

fig. 4
Differential decoding can be obtained directly by running the proper tool of  the bit-editor or by demodulating the signal using the SA demodulator with option "Diff 1" as in fig. 5

fig. 5
Results are similar and in the output bistream, visually more logical, is visible the sync bit and the two data bits (fig. 6).

fig. 6

19 October 2016

cars, chameleons, networks, and other stories (part II)

In the first part of this post there were the cars, here are the chameleons: such name is not related to the ALE Addresses but rather to the configuration of the stations. A third part will follow in case of news or updates.
The two following networks, although they exhibit different behaviors, share some aspects which lead to think to the same source/organization or at least to the same Country. As said in the first part, the purpose is only hobbystic; sensitive and confidential messages contents, if any, are anyway not published. I'm interested on the way the "boxes" travel and NOT on their content.

AB net (5838.0 KHz, ...)
Stations and ALE addresses of this network are: ABD1, ABG6, ABF2, ABS5, ABK4, ABH3, and ABC7 that acts as net-control. Transmissions are scheduled on tuesday and thursday from about 0730 UTC and usually follow the schema link-send-terminate. Links are initiates by ABC7 and always in the same order, ie: ABD1 first then, ABG6, ABF2, ABS5, ABK4, and ABH3 as last. Other than 188-141A for ALE, STANAG-5066 is used for messaging and STANAG-4285 as HF waveform (fig. 1), settings are 1200bps and short interleaver. I monitored this net on 5838.0 KHz/USB, that seems to be the main channel, but other frequencies are also used.

fig. 1
In the firts loop, stations are contacted by ABC7 for a radio-check, then  in case the net-control has messages to send, the stations are again contacted and always in the same order. Sometimes the sending phase follows the radio-chek so that the stations are worked one time only, the sending is always preceeded by a voice-exchange of a pair of authentication keys according to the sequence diagram of fig. 2. A common phrasebook for telecommunications, in english, is strictly used.

fig. 2 - sequence diagram
The authentication keys consist of 4 numeric digits for the "my-auth-id" key and 2 numeric digits for the "auth-id" key , eg:

ABC7: alpha bravo x y this is alpha bravo charlie seven, authenticate 79
ABXY: alpha bravo charlie seven, this is alpha bravo x y, my authenticate 6843, authenticate 74
ABC7: this is alpha bravo charlie seven, my authenticate 2895
ABXY: ok send your message

A fter finishing sending the message, the net-control station asks the receiver peer to confirm the message-number then link is terminated and the next station in turn is contacted.

fig. 3 - 188-141A 3-way handshake and Auth keys exchange
The messaging system use the HBFTP protocol to deliver compressed e-mail files, COMSEC devices are not present (unclassified messages?) so, once removed STANAG-4285 and STANAG-5066 overheads, important clues and information can be drawn from an examination of the e-mail headers (fig. 4).

fig- 4
The sender and receiver stations belong to the e-mail domain 123 (point 1) and it's the common domain of all the stations of this network. The message has been received from, and by, the same host whose name is linux.site; "CROZ ESMTP/HMTP Gateway" most likely is the name of the STANAG-5066 application (point 2).  The IP address in the field "Received from" is or localhost (not wired to a LAN ?).
The hostname and the e-mail client fingerprint (point 4) clearly reveal that they use a Linux system, specifically: SUSE Linux 3.1.14. Indeed, the mention of chameleons I adopted  just derives from the official logo of SUSE.
The system language is the plain en-US without  language/keyboard customization.

The use of Linux is per se an interesting and peculiar element of this network, but it's not the only one.  The email includes one attached jpeg/image file whose name is "PRILOG 5 - PRILOG ZA SLANJE E-MAILA.jpg". This language suggest a Slavic origin (google-translator), as confirmed by the system timezone at point "3" (+0200), time-zone and especially the language restrict the candidate Countries to two: HIB and HRV. Anyway, the most surprising fact is that the e-mails I decoded have that same attached filename although it refers two images, in other words  they always use the same name for the attachments (fig. 5).

fig. 5 - two e-mails, different ricipients but same attached filename
On my side I can't rebuild the original images from the received S-5066 fragments but I can see at least the upper part of such images: they are always the same (fig. 6), although the image "B" is the most used in the attachments.

fig. 6
The reasons behind such way to comunicate are obscure: test? steganography?.., difficult to state unless speculations

In the above fig. 2 we have seen that the net-control stations asks a confirm of the received message-number: this a progressive number and matches the subject of the corresponding e-mail. The message-number is initialized to a new initial value at each day and assigned to the subject of the e-mail sent to the first station in the calling list (ie: ABD1, user1@asdf.123) and then is incremented by one at each step (fig. 7).

fig. 7
The choice of the initial value is apparently odd: fig. 8 is an example
06 Oct: initial value 600
11 Oct: initial value 603 
13 Oct: initial value 508
18 Oct: initial value 610  

fig. 8

5054 net (5054 KHz)
I spotted a QRG, 5054.0 KHz/USB, where stations of this network do not use 188-141A before messages sending and traffic is less frequent, not to say sporadic.  STANAG-5066 HMTP protocol is used instead of HBFTP (fig. 9) and, as for the AB-net, STANAG-4285 is the transporting HF waveform. The lack of the ALE phase is quite odd since the heard transmissions are not bcasts but rather PtP messages: or links are negotiated in other channels/way or receivers are always in listening state. For sure, no 188-141A means no ALE Addresses to collect from this network. 

fig. 9 - HMTP-66 protocol
By a quick examination of the e-mails headers (fig. 10) it's easy to see that this network belongs to the same organization/authority of the previous AB-net: same OS (Linux SUSE), same STANAG-5066 application (CROZ ESMTP/HMTP Gateway) and - above all - same attachment filename (PRILOG 5 - PRILOG ZA SLANJE E-MAILA.jpg) can't be a coincidence.

fig. 10

Addresses and origin/owner of the networks
I never heard e-mail exchanges between the two nets but only e-mails sent from linux-a5kz to the other stations of AB-net and e-mails sent from linux-2o6y.site to other stations of 5054-net: this leds to think that these are the main stations of their respective networks. It's interesting to pay a look at the e-mail addresses of the two newtorks:

ALE  e-mail address
ABC7 user1@asdf.123
ABD1 user1@sdfg.123
ABG6 user1@dfgh.123
ABF2 user1@fghj.123
ABS5 user1@ghjk.123
ABK4 user1@jklp.123
ABH3      ?

  -  user1@aysxd.111
  -  user1@lost62.111
  -  user1@dres32.111
  -  user1@fejk8.111

As expected, the networks belong to two different e-mail domains "123" and "111": behind such choice there is surely a certain logic but unfortunately do not offer any clue for identification.
AB-net seems to use non-sense (?) alphabetical addresses (asdf, sdfg,...) while 5054-net seems to use a sort of "structured" names (lost62, dres,32, fejk8,...).  It's worth noting that the AB-net addresses, if listed in the order of the calling list,  exhibit a left-shift of 3 letters. According to this schema, ABH3 could have the address user1@klpq.123 (m,n,o seem to be not used).

A big help in the identification of the source is given by the examination of the collected STANAG-5066 nodes addresses:

ALE  Stanag-5066 address e-mail address
ABC7     user1@asdf.123 (ncs)
ABD1     user1@sdfg.123
ABG6     user1@dfgh.123
ABF2     user1@fghj.123
ABS5     user1@ghjk.123
ABK4     user1@jklp.123
ABH3          ?

  -     user1@aysxd.111 (ncs)
  -     user1@lost62.111
  -     user1@dres32.111
  -     user1@fejk8.111

About the assignments of the STANAG-5066 addresses, the global-regional blocks are defined by the 4 most-significant bits of the full length address (i.e., the first element w of the dotted-decimal form w.x.y.z): from fig. 11, 6.x.y.z is assigned to Europe. 

fig. 11
Within the global-regional blocks, specific 5066 addresses are assigned to individual Nations using the second element “x” of the dotted-decimal address form w.x.y.z.
Now, what european nation matches 6.8.y.z ?
The answer is in Table N-6 "National Address Schema" STANAG-5066 Edition 3 Annex N: 5066 is a NATO unclassified document that may circulated freely and is available on:
Sadly, no part of S-5066 Edition 3 can be published but the mentioned Table N-6 matches the "proposed allocations" which are visible at page 14 (here reported in fig. 12) of  a very interesting pdf file freely downloadable from: http://www.hfindustry.com (note that NC3A, NATO C3 Agency, is now NCIA or NATO Communications and Information Agency).

fig. 12

It's worth noting that the stations dfgh.123 and aysxd.111 exhibit the same S-5066 address, i.e. the same node: as far as I know a certain S-5066 address should not be shared by two or more nodes (duplicate address) hence we face the same physical node. Looking at the "Received" headers of one e-mail sent by aysxd.111 (fig. 13) we see that the e-mail is originated (from) and received (by) the same host linux-2o6y.site: this means that the e-mail client and the S-5066 gateway application are running inside that same host. Moreover, the IP address (which refers the sender) is the address of the localhost: this means that the host  linux-2o6y.site, i.e. the S-5066 node, is not wired to a LAN.

fig. 13
Keeping in mind that a node is generally assumed to include the HF modem and radio (and cryptographic) equipment required for communications, a possible explanation could be the configuration in fig. 14, that also clarifies the lack of "cross-messaging" between AB-net and 5054-net: such traffic is handled "inside" the hosts. Unless they assigned the same S-5066 address to two distinct S-5066 nodes or use some other configuration that I do not know.
fig. 14

Rockwell-Collins HF Messenger allows a such configuration (fig. 15) in which two clients, belonging to different domains (i.e. two e-mail accounts), share the same S-5066 resource. Anyway, this is not our case since HFM only run on Windows-based pc and we face a Linux based nodes (SUSE Linux 3.1.14).

fig. 15

STANAG-5066 gateway application
The S-5066 application running in the Linux gateway nodes add the string "CROZ ESMTP/HMTP gateway" in the received-by header, most likely its "fingerprint":

It is an application that acts either as Extended SMTP server (on the LAN side) or as HMTP gateway (on the HF network side). They do not use a Stanag-5066 applications from the most "popular" manufacturers in the place:

IsodeIcon 5066**(development, not released)
Rohde & SchwarzR&S 5066*-(client part in Java)
Selex (Leonardo)MDH*-
Thales-*-(client part in Java)

but rather the MoD preferred to have a proprietary product, entrusting the development of the application to CROZ, an IT Company located in Zagreb and Belgrade http://croz.net/en/, as contractor partner in the project. The result of this collaboration is the NATO Stanag-5066 compatible application named CroS5066 (fig. 16).

fig. 16 - CroS5066 schema
The mean features of the product can be read in their pubblication "CRO FYI" of  September 2009, page 14: the publication is available for reading and download on their web site:
CroS5066 is fully interoperable with other S-5066 systems, positive tests were made during NATO exercises Combined Endeavor 2008 (Lager Aulenbachhere, Germany and Lora Naval Base in Split, Croatia).

(to be continued)

13 October 2016

CIS Navy 50Bd/200 FSK (T-600, BEE-36, CIS 36-50)

Sinchronous FSK 36-50Bd/200 system also known as CIS 36-50 and used by CIS Navy for their fleet broadcast. Transmissions start with an initial revs sequence transmitted at 36 Bd followed by traffic in 50 Bd mode. In case of more than one message, the initial 36 Bd reversals are not sent (Fig. 1).

Fig. 1
Frames (Fig. 3) are constructed from data blocks consisting of 7-bit elements: a packet of pay-load data of basically arbitrary length is surrounded by a start and an end sequence (EOM). Sometimes blocks of data already transmitted are observed to be repeated, verifying the contents by the recipient can be performed easily this way. Idle sequences of reversals, i.e. strictly alternating sequences of '0's and '1's, of 36 Bd and 50 Bd are used to introduce and to terminate a transmission or also (50 Bd only) to separate data blocks. A data block itself consists of the three sections start sequence, payload data and EOM sequence; all payload data consist of 5-bit characters coded into 7-bit sequence with a fixed ratio of '0's vs. '1's of 3 to 4 (or vice versa, depending on polarity of reception).  
The start sequence is transmitted after the last '0' bit of the idle sequence and consists of a 44 bit sequence (usually  "11100001010010111110000101001101011010101101") the ratio of three '0's to four '1's is not followed here to make the start sequence distinguishable from the actual data. The payload data is preceeded by a 70-bit Initialization Vector (ten 7-bit words) which is repeated twice. All subsequent data (arbitrary length) do not obey a special regularity anymore. The end sequence shows five equal 7-bit words "000100", again disregarding the bit ratio of the data section.

Fig. 3
Sometimes T600 is also used to forward flash messages in FSK/Morse mode as in Fig. 4 (transmitted by RDL HQ)

Fig. 4