27 April 2019

9MR Royal Malaysian Navy, two FSK channels

"RY/SG" test tape continuously transmitted by 9MR Royal Malaysian Navy (RMN) [1], spotted thanks to the KiwiSDR owned by SWLOI33 in Jakarta, Indonesia. The interesting aspect is that the test seems transmitted simultaneously on two FSK channels, 2 KHz away: 50Bd/900 on 6483 KHz and 50Bd/1800 on 6485 KHz (Figs. 1,2), unless it's a bad defect in the FSK modulator.

Fig. 1
Fig. 2
The test message
JULL JULL 9MR 5/9/10 RMMJ MRB MRB RYRYRYRYRY 9MR 5/9/10 RMMJ MRB MRB SGSGSGSGSG AR
is transmitted in blocks of 718 bits using 5-bit ITA2 (Baudot) alphabet, decoded using a variable framing which results in alternation of stops with a length of 2 and 1 bit (say 5N1V i.e. a variable number of stop bits but at least one) as already specified in this post (Fig. 3)

16 April 2019

Harris wideband operations, WHARQ and WBALE waveforms (2)


Recently we had the chance to monitor and record the wideband transmissions on 7.9 MHz thanks to the use of four fairly close together KiwiSDRs [1] (we think transmitters use low power and NVIS) and this allowed us to have a better understanding of the whole scenario.
The data waveforms occupy a bandwidth from 3 to 24 KHz (grouped together under the title, courtesy of radiofrecuencias.es) and use an adaptive ARQ pattern with modulations from PSK-8 up to QAM-64. As said, most probably they are part of the Harris WHARQ development: a proprietary wideband HF waveforms family, already discussed here and
largely discussed by my friends ANgazu, Malak and Rapidbit in radiofrecuencias forum [2]. The burst waveforms are the WBALE PDUs, i.e. the Harris design choices for the implementation of 188-141D extensions for 3GWB mode [3]. 
 
Fig. 1 - spectrogram of a WHARQ waveform (credits to ANgazu)
WHARQ waveforms have a preamble/header followed by slots of miniprobe and data, 8 slots make a frame (or 8 frames grouped into a super-frame). Header modulation is always PSK-8 and it's followed by a "double" miniprobe. The duration of the header relies on the speed of the waveform (baud rate) and not depends on the used modulation. Frame is made up by 8 slots (data + miniprobe) consisting of 8 different miniprobes for each frame. ACF varies depending on modulation and baudrate. For further details on WHARQ I suggest to read the relevant posts and analysis in radiofrecuencias forum, here I focused on the WBALE bursts.

A quite clear WBALE/WHARQ scenario is visible in the IQ recording below in Figure 2:

Fig.2
The upper bursts are 3G STANAG-4538 BW5 and BW6: BW5 is used for Fast Link Setup (FLSU) and BW6 used as acknowledgemts PDUs. Lokking at these samples, in my guess it seems that BW6 ACK is used with 3 KHz WHARQ waveforms and a proper WHARQ ACK burst is used with wider waveforms. 
Harris approach for 3GWB is based on a simple enhancement to the Fast Link Setup protocol defined in STANAG 4538. The primary modification is the use of an additional 3 kHz bandwidth burst handshake (WBALE HS in Fig. 3) which exchanges profiles of the two linking radios' locally measured interference environments and negotiates a waveform bandwidth, offset from the specified channel frequency, and modulation and coding selection suitable for reliable high-performance communications.

Fig. 3 - Harris WBALE (not in scale!)

The WBALE handshakes are clearly visible in Fig. 4, it's worth noting the change of the traffic waveform after bandwidth negotiation:

Fig. 4 - WBALE handshakes

WBALE PDUs are very similar to BW5 FLSU PDUs so I analyzed them using a 3G demodulator: the following are therefore my hypothesis that need further confirmations.
 
Fig. 5 - WBALE waveform
The PDUs have a duration of 525ms and consist of 1216 PSK8 (2400Bd on-air) symbols: 256 PSK8 symbols (768 bits) for the preamble which is followed by 960 PSK8 symbols (2880 bits) for the ALE payload. I don't know, though it's likely, if the preamble is preceded by one or more short TLC blocks (they might be ignored by demodulator). Since Harris WBALE it's 3G based, i.e. network participiants are synched, I do not think to "variable" length PDUs to best fit the scanning lists: there is no need since the peers are already linked by the previous BW5 FLSU handshakes (this means that WBALE bursts are not "caller" PDUs!).

1216 symbols @ 2400Bd are well suited to the duration of 525 ms
After a raw PSK-8 demodulation the payloads show a 3-bit structure (Fig. 6) and are possibly modulated using a Walsh function: it's difficult to establish the actual length of the payload since FEC coding and Walsh format info missing (by the way, payloads could be descrambled using the polynomial x^4+x^3+x+1 to obtain a 12-bit stream... but it's just a speculation!).  

Fig. 6 - payload 3-bit structure after raw psk8 demodulation

WBALE/WHARQ transmissions was spotted on 4 and 7 MHz bands, the former on 4950 KHz i.e. in the 60mt broadcast band: the choice of these HF portions is probably linked to the concept of "primary and secondary users" [4]. This concept has been borrowed from the cognitive radio paradigm which divides users into primary users (licensed) and secondary users (unlicensed). Primary users “own” the bandwidth allocation while secondary users are only allowed to use this spectrum in a non-interfering basis. 
a) For WBALE primary user mode, stations that link for the purpose of transferring data will use a bandwidth and offset in each direction that is chosen to maximize the signal-to-noise ratio (SNR) with which transmissions in each direction are received. Stations will avoid
interference with other stations within the same network, but will make no effort to prevent interference with other stations outside the network, except as a byproduct of optimizing communications within the network.  This can have at least two significant implications:
1. the bandwidth and offset used in each direction of the link may be different;
2. the stations may cause harmful interference to communications in other networks while themselves not experiencing harmful interference. 

b) In secondary user mode, stations will not (as far as is practical) cause interference to other stations outside the network that are operating within the same channel allocations used by the network. In particular, whenever a link is established for a wideband data transfer, the bandwidth and offset used for the link will be chosen so as to avoid interference with any transmission detected by either side. Due to hidden-node considerations, this is likely to require that the same bandwidth and offset be used in both link directions.  
As a side note, remember that WBALE (or 3GWB) is not WALE (or 4G-ALE): they use different waveforms.
(to be continued)
 
spectrum sensing performed by a Rockwell Collins modem (2013)

[1] thanks to the owners of the KiwiSDRs
http://eemedia.mynetgear.com:8073/
http://n4ttn.ham-radio-op.net:8073/
http://rx.jimlill.com:8073/
http://38.86.67.206:8078/

[2] http://radiofrecuencias.es/viewtopic.php?f=11&t=1204&hilit=wharq 
[3] http://i56578-swl.blogspot.com/2018/04/3gwb-3g-ale-extensions-for-wideband.html 
[4] William N. Furman, John W. Nieto, Eric N. Koski: The 10th Nordic Conference on HF Communications, At Fårö, Sweden (2013)

5 April 2019

8-ary constellation bursts at 12800bps data rate (4)

Just another followup about the 8-ary constellation bursts. By the way, I also want to point out the interesting work that Christoph is pursuing in his blog.

Recently, Martin G8JNJ pointed out two new series of bursts on 2501.2 KHz and 2668.2 KHz USB. Bursts are STANAG-4539 12800bps compliant and use 8 points of the outer ring of the QAM-64 constellation, just like those covered here. The timing of the bursts is a further analogy and appears "connected" to the two previous and following clusters (Fig. 1): this way - if my guess is confirmed- we have now a total of seven clusters, or sets, of channels.

Fig. 1
It's worth noting in the tables below that the sequence 2082.2->7822.2 KHz now lasts about 40 seconds (A-G) while the same sequence had previously (i.e. before the two new bursts appear) a duration of 36 seconds (A-F). Therefore, since the introduction of the 2501.2 & 2668.2 KHz bursts have affected the duration of the 2082.2->7822.2 KHz sequence, I'm quite positive that all the bursts belong to the same sequence. But it's just a my guess.


 
Fig. 2 - the whole sequence A->G

downloads:
https://yadi.sk/d/RlxGYd3sYkWH-A
https://yadi.sk/d/ozXrjS54njfLGw

1 April 2019

CCIR-493 "Australian" selcall FSK 100Bd/170 (4-digit IDs, 1000ms preamble)


I preferred to change the title "CODAN selcall" with "Australian selcall" since this system is used by many manufacturers such as Codan, Barret, QMAC, ..., and its decoding is not unique (see the image at the bottom of this post). 

Several 3 KHz spaced channels which use the CCIR-493 "Australian" Selcall FSK 100Bd/170 (4-digit IDs) sometimes erroneously referred to as CODAN-8580, spotted on 8MHz using Hong Kong KiwiSDR:
 http://kb7gkh6.proxy.kiwisdr.com:8073.
The system is a synchronous system based on ITU Recommendation M.493 [1] [2], Digital selective-calling system for use in the maritime mobile service, and is very similar to GMDSS/DSC (Fig. 1).

Fig. 1- ITU M.493 FSK parameters
Each data byte consists of 7 data bits and 3 parity bits (10-bit error detecting code), thus the duration of each character is 100 ms. The first seven bits (1-7) of the code are information bits; bits 8, 9 and 10 indicate, in the form of a binary number, the number of B elements that occur in the seven information bits, a Y element being a binary number 1 and a B element a binary number 0. For example, a BYY sequence for bits 8, 9 and 10 indicates 3 B elements in the associated seven information bit sequence; and a YYB sequence indicates 6 B elements in the associated seven information bit sequence.

The bitstreams after demodulation, as the one reported in Figure 2, can be easily parsed according the Table A1-1 "Ten-bit error-detecting code" from ITU M.493-15: the table is published at the end of the post for your convenience. The seven information bits of the primary code express a symbol number from 00 to 127, as shown in Table A1-1, where:
– the symbols from 00 to 99 are used to code two decimal figures;
– the symbols from 100 to 127 are used to code service commands.


Fig. 2 - bitstream after demodulation of a CODAN Selcall
A preamble of dot reversals, to provide appropriate conditions for earlier bit synchronization and to allow for scanning methods, precedes the data block.
As I verified, in all these selcall messages the preamble consists of 50 changes between "0" and "1" i.e. 100 bits(!) and therefore it has duration of 1 second (as also shown in Fig.3). Note that the 100 bits length is not provided in ITU M.493-15 or in other similar documents; quoting a comment from my friend hf_linkz: "it all depends on how many freqs are in the scanning list of each radio of a net. It has to be long enough so radios can detect the preamble while scanning so then stopping on the channel for a decode. On my Codan 9360’s the value is 6 seconds and you can’t change it while on my Barrett 950 & Codan NGT-SR you can set manually the preamble length in seconds. I’m not sure but I guess the radios of this net are not scanning freqs at all, so 1 sec is prob the best value to optimize transfers/min ratio".

Fig. 3 - preamble duration
The preamble pattern is followed by a synchronization sequence called the "phasing sequence" in which the characters 125,109,125,108,125,107,125,106,125,105,125,104 are transmitted. The phasing sequence provides information to the receiver to permit correct bit phasing and unambiguous determination of the positions of the characters within a call sequence (remember that Y = 1 and B =0):

YBYYYYYBBY 125
YBYYBYYBYB 109
YBYYYYYBBY 125
BBYYBYYBYY 108
YBYYYYYBBY 125
YYBYBYYBYB 107
YBYYYYYBBY 125
BYBYBYYBYY 106
YBYYYYYBBY 125
YBBYBYYBYY 105
YBYYYYYBBY 125
BBBYBYYYBB 104

The phasing sequence is followed by the "call content" with addresses and command/control characters. The Specifier symbol establishes the general nature fo the call; these basic options are: allcall and selective call. The Address consists of a special symbol in the case of alcalls and the identification symbols for the required station for selective calls:

YYBYYYYBBY 123
YYBYYYYBBY 123
BYBYBBYYBB  74
called station: 7474
YYBYYYYBBY 123
BYBYBBYYBB  74
YYBYYYYBBY 123
BBYBBYYYBB 100
BYBYBBYYBB  74
YBYBYYBBYY  53
calling station: 5348
BYBYBBYYBB  74
BBBBYYBYBY  48

123 = Format: selective call to a particular individual station using the semi-automatic/automatic service
100 = Category: routine

Messages and "end of sequence” (EOS) follow.

downloads:
not-unique decoding of a same sample