31 May 2017

3G link + S5066: example of Circuit Mode (HF2000, Swedish Army)

Nice example of how to send STANAG-5066 data on a 3G link, using the Circuit Mode service provided by the 3G-HF STANAG-4538 profile.
The link is established with the 2-way FLSU procedure: the FLSU_Request PDU (BW5) sent by the caller station specifies the traffic waveforms that will be used during circuit mode, in this case MIL 188-110 (also termed MS110), and it is followed by an FLSU_Confirm PDU by the called station (not heard at my side). Once circuit mode begins, any station can initiate transmissions using the specified traffic waveform. A CSMA/CA process is used to avoid collisions. After the transfer is completed, an FLSU_Term PDU is sent by the caller and the link is terminated (Fig. 1).

Fig. 1
The most interesting aspect is the use of STANAG-5066, which has been detected thanks to the lack of the encryption before the MS110 modem: indeed, STANAG-5066 allows to indentify the Authority/Country by the addresses coded into the Data PDU (D_PDU), unless dummy addresses are used:

Once removed the overhead bits added by MS110, the D_PDUs can be isolated by syncing the resulting bitstream with the sequence 0xEB90 (regardless of type, all the D_PDUs begin with the same sync sequence): the result is displayed in Figure 2.

Fig. 2
The Size-of-Address Field specifies the number of bytes in which the source and destination address are encoded, the address field may be from 1 to 7 bytes in length (as in this case), with the source and destination address of equal length.The first half is the destination address and the second half is the source address:

In this case:
source address:
destination address:
both belonging to the block 6.46.x.y allocated to Sweden (Table N-6 European National Addressing Schema):

Fig. 3
Maybe it's the the HF2000 System ?

By the way, the transmission has been copied on 10590.5 KHz/USB and thanks to S5066 Addresses this is the firts time I identify a 3G-HF transmission.

  1. Antonio hello!
    Interesting material, I want to supplement it with statistics.
    A similar combination of 3G-HF and MIL-110A (where the secondary protocol is S-5066), I watch at a frequency of 6761 kHz USB. It is noteworthy that in the data, the same address is detected. Unfortunately, the recording of the communication session was not conducted, but there is a bitstream after the removal of the primary protocol MIL-110A.
    Here is the link: https://yadi.sk/d/oPKIOeyU3Jx2gB
    Sincerely, Daniel

    1. thanks for your file and hints Daniel. I saw your bitstream and confirm the addresses (note that in your and in my sample the source node is always the same Indeed, I'm studying this unid protocol which sits on top of S-5066. It's worth to note the structure of the header that is in the form {len,element}
      Most likely the first two elements indicate source and dest node.
      I have several recordings from different QRGs and hope to publish soon a "tentative" post about these transmissions.