30 September 2017

Chinese PSK-2 ...and errors in its baud rate measurement

Some days ago I had a talk (...email exchange) with my friend KarapuZ about the way to get correct measurements of the baud rate in noisy signals or in uncommon waveforms. I always relied on the tools provided by the SA program, such as "Auto define param" and mostly the amplitude detectors, but KarapuZ warned me that sometimes they may fail, and notably the "Auto define param" tool fails in the case of strictly filtered or weak signals.
As a test, KarapuZ sent me a sample (the "x-Bd" wav file in Figure 1) without specifying its baud rate and asked me to measure it.

Fig. 1
I used the "Auto define" tool and the modified amplitude detector, searching for the lower, brighter line, and got a baud rate of 1000 symbols/sec in both their outputs (Fig. 2).
Fig. 2
KarapuZ replied: "The speed line of manipulation is 1500 baud unchanged in the preamble! This is a Chinese PSK-2 modem". 
Indeed, in my measurement I simply took into consideration the lower line - as usual - and did not pay attention to the discontinuity in the 1000 Hz (999.44) line between preamble and data segments (Figs. 3,4). Really a hasty measurement of mine (I already had this signal but I forgot).

Fig. 3
Fig. 4
KarapuZ also drew my attention to the "raster" of the signal, which clearly exhibits 15 bits within 10 msec, i.e. a speed of 1500 baud (Fig. 5).

Fig. 5
Apart from my error in the evaluation of the amplitude detector, why did the SA "Auto define param" fail so clumsily?
Quoting KarapuZ: "it can be assumed that in the transmitting equipment, filters are used at the output of the signal formation which in some circumstances may influence the determination of the speed of the manipulation of the SA program." So, in order to demonstrate the influence of the filtering in the Chinese PSK-2 signal, KarapuZ synthesized an absolute PSK-2 modulation at 1500 baud with the same 3-bit structure of the Chinese waveform and sent me that file (Fig. 6).

Fig. 6
Then I measured the manipulation speed of the synthesized signal just using the "Auto define param" and it worked like a charm.

Fig. 7
The influence of the filtering is thus quantifiable, not just visible.

Fig. 8
Things are even worse since the bitstream has a relative form and a three-bit structure, visible in the raster, which generates many harmonics in the power spectrum! This is China, they love such tricks :)

Fig. 9
Thanks to KarapuZ for the great lesson!

Nokia M/90 (Panasonic CF-U1): FSK 301-151Bd 780Hz shift

I reported Nokia M/90 / Panasonic CF-U1 301-401Bd/780Hz in this post; this time I copied the 301-151Bd waveform on 10737.7 KHz (cf) around 1235 UTC. In this sample the initial 301Bd burst seems to be used with a different functionality (fig. 1).
Sanomalaite M/90 (SANLA) (literally "Message device M/90") is a digital, portable and encrypted text-based communications device developed by Nokia and used by all branches of the Finnish Defence Forces. From 2013 onward, these devices are being replaced with the Panasonic CF-U1 Toughbook.
Fig. 1
Note that also in this case, the preamble is always modulated at 301Bd (fig. 2).
Fig. 2
As for the characteristics of the demodulated stream, refer to the mentioned post.



25 September 2017

5400 KHz (cf) 2380Bd mix-mode burst waveform
(by: i56578, ANgazu, KarapuZ, Rapidbit)

This is a very strange burst waveform modem that can be heard on 5398.2 KHz/USB (the central tone is exactly at 4000.0 Khz) at different times and SNRs. As KarapuZ says, it is probably Chinese equipment, but ANgazu guesses the transmitter is near Spain, perhaps in Algeria: it's worth noting that there are 3 Chinese-made ships in the Algerian Navy and they probably kept the factory radio equipment:
http://www.defenceweb.co.za...Sea&Itemid=106

The analysis of the bursts is not simple since the results exhibit four different modulations in each burst (GFSK, MFSK-4, PSK-4, PSK-2); anyway, all the transmissions have two fixed points (fig. 1):

-  constant manipulation rate of ~2380 symbols/sec 
-  all the bursts end with a PSK-2 segment

Fig. 1
Some good recordings can be downloaded from here:

1. i56578-23-September recording
A detailed analysis of the bursts reveals a mix of GFSK 2380Bd/1500 and PSK-2 in both groups A and B, as shown in Figures 2-4.

Fig. 2 - group A
Fig. 3 - group B
Fig. 4 - modulation used

2. i56578-10-October & Rapidbit-rec05 recordings
The analysis of these recordings reveals the use of QPSK and PSK-2 modulations in group A and MFSK-4 and PSK-2 modulations in group B (Figures 5-8).

Fig. 5 - group A
Fig. 6 - group B

Fig. 7 - QPSK and PSK-2 modulations used in group A

Fig. 8 - MFSK-4 and PSK-2 modulations used in  group B

3. observations & oddities
Tx windows are 4 min, alternating short and long runs: the short transmissions are about 86 sec and the long ones last about 172 sec (twice the short). ANgazu recorded about 6 hours of monitoring period and processed the files using the SA raster: as you can see, the time window is 4 m. There are 13 transmissions and a no-Tx period, building up groups of 14 frames starting with a long Tx (Fig. 9).

Fig. 9

Each transmission consists of two groups of bursts (here termed "A" and "B"); possibly group B is a repetition of A using a different modulation to improve the reliability of the system. Every group starts using a longer carrier and a wider burst (about 2 sec). Apart from some small variations, bursts have a duration of ~720 msec and are spaced by a 500 msec unmodulated 1800Hz tone. It seems that if QPSK is used in group A then group B will use MFSK; as seen, all the bursts end with BPSK segments.

In this signal, there are transients when changing modulation even if all modulations are BPSK, so no phase continuity is in use (Fig. 10)

Fig. 10

The phase vector rotates in one or the other sense, avoiding continuous rotation in one sense. In this sample it can rotate in both senses, mostly CCW or mostly CW (Fig. 11).

Fig. 11
In most systems, sync sequences are placed at the signal start. In this one, after demodulating some BPSK bursts, the sync seems to be 256 bits at the end (Fig. 12). Perhaps the burst should be reversed?

Fig. 12
(to be continued)

22 September 2017

TE-204 (Rockwell AN/USC-11) 75Bd in-band frequency and time diversity HF modem

TE-204 (AN/USC-11) is most commonly used by Allied Air Forces as an air-to-ground messaging system as well as in ground and naval applications. The transmission was heard on 11220.0 KHz/USB, HF-GCS frequency, at 2145 UTC.
The modem converts the incoming serial binary data stream into an FSK audio signal at baseband and appears on-air as MFSK-4 150Bd/440Hz (Figure 1), although the real transfer speed is 75 Baud: the reason is the "in-band frequency and time diversity" mode used by this modem.

Fig. 1 Over-the-air parameters
Four data subcarriers are used at 935 Hz through 2255 Hz with tones spaced every 440 Hz: TE-204 transmits a "mark" on 935 Hz for 6.67 msec period followed by another 6.67 msec period at 1815 Hz. Similarly, a "space" is transmitted at 1375 Hz for 6.67 msec period followed by another 6.67 msec period at 2255 Hz (Fig. 2).

Fig. 2 in-band frequency and time diversity mode
This "mode" provides an in-band frequency diversity function for each data bit while also transmitting the same data bit over two(!) separate 6.67 msec periods of time, thus achieving a frequency and time diversity function (thus the speed is half of the measured one). As above, from the perspective of the data transfer, the modem works as an FSK-2 75Bd/880Hz modem.
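The diversity scheme described above can be sketched as a tone-pair decoder. This is an added example, not code from the original post or from the modem's vendor: the tone plan is the one given in the text, while mark = 1 / space = 0, the function names, and the alignment search and erasure handling (which go beyond what the text describes) are assumptions.

```python
# Added example: tone plan taken from the text; mark=1 / space=0 is an assumption.
SLOT_MS = 6.67                      # one tone slot; two slots carry one data bit
FIRST = {935: 1, 1375: 0}           # tone in the first slot: mark / space
SECOND = {1815: 1, 2255: 0}         # tone in the second slot: mark / space

def encode(bits):
    """Return the on-air tone sequence (Hz), two slots per data bit."""
    first = {v: k for k, v in FIRST.items()}
    second = {v: k for k, v in SECOND.items()}
    tones = []
    for b in bits:
        tones += [first[b], second[b]]
    return tones

def _decode_at(tones, offset):
    """Pair slots starting at `offset`; return (bits, number of agreeing pairs)."""
    bits, agree = [], 0
    for i in range(offset, len(tones) - 1, 2):
        a, b = FIRST.get(tones[i]), SECOND.get(tones[i + 1])
        if a is not None and a == b:
            agree += 1
        if a is None:
            bits.append(b)          # first slot lost: rely on the second copy
        elif b is None or a == b:
            bits.append(a)          # second slot lost, or both copies agree
        else:
            bits.append(None)       # copies disagree: flag an erasure
    return bits, agree

def decode(tones):
    """Try both slot alignments and keep the one with the most agreeing pairs."""
    return max((_decode_at(tones, off) for off in (0, 1)), key=lambda r: r[1])[0]

def rates():
    """On-air symbol rate and data rate implied by the slot length."""
    on_air = round(1000 / SLOT_MS)  # 150 Bd as measured on air
    return on_air, on_air // 2      # 75 bit/s after diversity combining

if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed sample bits
    rx = [2255] + encode(msg)       # constructed capture that starts mid-bit
    rx[3] = None                    # one slot lost to a fade
    print(decode(rx), rates())
```
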
No special preamble or SOM/EOM codes are employed; by decoding the signal in the depicted mode it is possible to get the 128-bit KG-84 Message Indicators (Figs. 3,4).
By the way, the TE-204 modem is embedded in the Rockwell Collins MDM2001 Multimode HF Modem.

Fig. 3
Fig. 4

11 September 2017

MFSK 21/13 tones 31.5/63 Bd (125 and 250 Hz spaced)

Unid MFSK modem spotted on 12138.8 KHz/USB, according to the suppressed carrier during MFSK, and switching from 21-tones 31.5Bd (125Hz shift) to 13-tones 63Bd (250Hz shift). Note also the expansion of the spectrum, since the occupied bandwidth varies from 2600Hz (MFSK-21) to 3000 Hz (MFSK-13).

Fig. 1
Fig. 2
Apart from the two edge tones, the MFSK-13 uses the same ten odd tones of the MFSK-21 waveform:

Fig. 3
Transmissions may have different durations, maybe depending on the length of the messages to be sent: from a few seconds up to 6 minutes (the longest I copied). Sometimes the transmissions use only the MFSK-21 waveform and two adjacent channels for the peers (maybe ISB?):

Fig. 4

The MFSK-21/13 signal was also copied on 9280.0 KHz (frequency of the carrier) and reported in radioscanner here. They ascribe the transmissions to not well identified "domestic" (Russian?) telecomm operators.


8 September 2017

K4MT/NT9P Net, Russian Intel/Diplo (M42b)

K4MT/NT9P network, also known as Enigma designator M42b, is a quite common Russian Intel/Diplo network which uses both CW-Morse and FSK 50Bd/500.

Fig. 1
In this recording, FSK follows a CW call "NT9P NT9P NT9P DE K4MT K4MT K" and in turn it's followed by a "CFM QRU K" request: most likely the CW is used for setup or operators chat. The FSK is a Baudot 5FG coded stream using a preamble and 7-bit period (fig. 2):

Fig. 2
Note the markers at every group of 50 x 5FGs (Fig. 3):
Fig. 3

7 September 2017

BPSK 4800Bd 6KHz (Maritime Band)

Bursts copied on USB 16975.0 and 17157.0 KHz, in the 16-17 MHz Marine band segment. The waveform uses BPSK modulation at 4800 Baud and a bandwidth of 6 Khz; the copied bursts have a duration of ~386 and ~505 msecs.
Speed and bandwidth suggest MIL 188-110C App.C "WBHF", but this standard provides the BPSK/4800Bd waveform only for 9 KHz bandwidth.

Fig. 1

Fig. 2

1 September 2017

PWZ-33 Brazilian Navy and Pactor-FEC frame lengths

Some days ago my friend KarapuZ drew my attention to an FSK transmission running on 8582.0 KHz/USB that, at first glance, appeared a bit uncommon. Once analyzed and decoded, it was identified as PWZ-33 ERMRJ (Estação Rádio da Marinha no Rio de Janeiro), belonging to the Brazilian Navy and operating in Pactor-FEC at 100Bd/200: just another proof of "Occam's razor" (simpler theories are preferable to more complex ones).
Given the time we spent on signal analysis and the differences between Pactor-FEC modes, maybe it is worth publishing a short post about it.

Pactor-FEC is a synchronous simplex system based on Pactor and used for broadcast transmissions, i.e. it has no acknowledgement return channel and the receiving stations perform error correction. The Pactor-FEC modem uses an FSK 200Hz shift waveform and operates adaptively, so the baud rate can be either 100 or 200 Baud: during daylight time the speed of 200 Baud may be successfully used, while at night time, due to the propagation distortions, the speed may necessitate a reduction to 100 Baud.
The speed influences the period length of Pactor-FEC and, due to the positive/negative coding, the BEE software is a bit confused: it computes period lengths as double the real ones and shows seemingly equal period lengths in both cases (Figure 1):

200Bd speed: frame length 194 bits (period: 388 = 194+194)
100Bd speed: frame length 97 bits (period: 194 = 97+97) 

Fig. 1
Indeed, although Pactor-FEC frames consist of the same fields (header, data, status and 16-bit CRC calculated over the entire frame except the header), their lengths differ. As per above: at a speed of 100 Baud the data field is 64 bits (8 bytes), while at 200 Baud the data field increases to 160 bits (20 bytes), as shown in Figs. 2,3.

Fig. 2 - Pactor-FEC 100Bd/200 frames
Fig. 3 - Pactor-FEC 200Bd/200 frames
To increase reliability, data are transmitted twice (in positive/negative), as shown by the decoding of a short fragment in Fig. 4.

Fig. 4

In contrast to Pactor, all data blocks are in consecutive order with no or little space between them: indeed, Pactor 200Bd has 250-bit length frames (Fig. 5).

Fig. 5 - Pactor 200Bd Vs Pactor-FEC 200Bd