28 May 2019

KW-46/KIV-7M secured fleet broadcast using the GA-205 multiplex (Australian RAN)


This is a very interesting STANAG-4285 signal spotted on May 24 on 6378.0 KHz USB thanks to the KiwiSDR owned by VK6QS in Collie, Western Australia. About the 6378 KHz, some old WUN logs report the callsign VZD800, at that time attribuited to the Royal Australian Navy (RAN). On my side, on that same frequency I spotted the Australian MHFCS net operating in ISB/FSK: so, as also confirmed by the direction finding, the source is definitely in Australia. 
In my opinion, I believe this is a KW-46 (or KIV-7M) secured multichannel fleet broadcast originated by the GA-205 TDM [1]: a 12-channel time division multiplexer that was just deployed at RAN by DRS Technologies (Fig. 1).

Fig. 1

Now, the way I came up to this conclusion.
The HF waveform is STANAG-4285, here used in the usual "600bps/Long" sub-mode (Fig. 1): waveform that is easily recognizable and then demodulable by almost all software decoders. Given the evidence of regular patterns, I reshaped the demodulated stream to a 12-bit format, just as the number of the input ports of the GA-205 TDM. After reshaping, you can clearly see that the 12 input channels transport exactly the same data (Fig. 2).

Fig.2
Then I exctracted a single payload (i.e. a column of the stream), reshaped it to a 7-bit frames format and tested it for LFSR delimitation: as expected, the KW-46 "sign" was detected (Fig. 3). Indeed, as from STANAG-5065, the "Fibonacci bits" originated by the polynomial x^31+x^3+1 are used by KW-46 cryptographic equipment to provide  synchronization.  

Fig.3
In synchronous mode the TDM works by the muliplexer giving exactly the same time slot to each device connected to it even if one or more devices have nothing to transmit. The data rates of different input devices control the number of the slots: a device may have one slot, other may have two or three according to their data rate. In this case, all the input channels have the same data rate of 600:12=50 Baud, therefore share the same number of slots.  Managing a TDM requires that some control bits (sync, device tagging, ...) be appended to the beginning of each slot, but I did not find such bits in the streams I demodulated: a recording of the initial part of a similar transmission could help.
From what above, in my opinion the heard S4285 transmission is a fleet broadcast consisting of 12 "flat multiplexed" [2] channels that transport the same KW-46/KIV-7M secured payload (real traffic or pseudo-random chars).

Monitoring the 6378.0 KHz frequency, on May 25 I saw that they switched to the ISB mode (Fig. 4), more precisely: LSB for a single channel fleet broadcast and USB for a multi channel (GA-205 TDM) fleet broadcast; both the broadcasts are KW-46 secured and use the same STANAG-4285 600bps/L waveform. Don't know if they carry the same payloads. 
The same STANAG-4285 configuration and broadcast paradigm were also spotted on 7462, 8460.2, 9140, 10368, 10407, and 10847.2 KHz (logged on May, 28): surely there are many other operating frequencies that I do not currently know.


For what concerns the source of the signal, TDoA direction findings indicate the "Naval Communication Station Harold E. Holt" (NCS HEH) which is located 6km north of Exmouth (Fig. 5). COMMSTA HEH is jointly manned by Royal Australian Navy and US Navy Personnel. The High Frequency Transmitter (HFT) site building houses a number of transmitters, many of which are dedicated to point to point communication circuits. These circuits are established with shore facilities and navy surface ships operating within the station's area of communications responsibility.
My friend Eddy Waters (member of Utility DXers Forum) from Australia emailed me: "there seem to be transmitter site changes happen at different times of the day. Sometimes these signals come from Exmouth Western Australia, sometimes from Lyndoch, New South Wales, sometimes from Humpty Doo, Northern Territory. There are more and more frequencies changing over to the ISB STANAG setup that you describe".
 
Fig. 5

As far as I know, RAN fleet broadcasts come in using the GA-205 in a 6-channels configuration, it's not clear to me the use of 12-channels that - moreover- transport the same payload. I tried to reshape the stream to a 6-bit frames format (and 6-bit multiples)... but the KW-46 synch missed. By the way,  it's interesting to mention the KW-46 secured transmissions (probably also them from RAN) reported here: https://i56578-swl.blogspot.com/.../kw-46-secured-traffic-over-188-110a.html
 
[1]  https://www.yumpu.com/.../ga-205-time-division-multiplexer
[2] I used the term "flat multiplexed" to mean the fact that no classified multiplexing algorithm seems to be used.

24 May 2019

KG-84, KW-46, ...

In this blog I often use terms like "KG-84", "KW-46", "BID",..., as well as the names of other cryptographic devices, but this does not necessarily mean that those devices are physically used ashore or on aboard of ships! Rather than to the equipments, those names must be understood as referring to the used "algorithms", since - unless few exceptions - many of those devices are now obsolete and no longer used. Actually, the algorithms are emulated by interoperable and more compact devices such as - for example - the KIV-7M Programmable Multi-Channel Encryptor that can be used for communicating with a KIV-7 family device or the older KG-84/BID family of devices.
In general:
KG means Key Generator which could be used with any digital input device;
KI is for data transmission;
KW is the prefix for a Teletype encryption device;
KY stands for a voice encryption device. 

Also note that these products are only used by the US Government, their contractors, and federally sponsored non-US Government activities, in accordance with the International Traffic in Arms Regulations (ITAR), as well as by NATO and by the administrations of some NATO countries.

22 May 2019

THALES HFXL, "wide band link" phase? (tentative)
AngazU, i56578


In our recent THALES HFXL monitorings we noted an initial "leader" burst which is exchanged in each frequency of the channel between the peers, the exchanges occurs after the 2G-ALE phase and just before the traffic starts: in our guess it appears to be the "wide band link", i.e. the third step of the HFXL link establishment procedure.
The used waveform is the same of HFXL-S4539: you may note the presence of the Thales "extented" preamble in Fig. 1

Fig. 1 . the presence of the THALES extened preamble following the S4539 normal preamble
It's interesting to note that after removing the mini-probes, the data blocks symbols show a regular structure of 768 bits (!), i.e. the 256 tribit data symbols of the S4539 framing appear as composed of repeated sequences/data; indeed, such a perfect 768-bit period does not occur in cases where user data such as chat, HTML, FTP, emails,... are sent. The presence of such repetitions is also clearly visible at a glance in the bistream (Fig. 2).

Fig. 2
Another clue in favor of repeated sequences in the data blocks is the ease with which the autocorrelation of 27648 bits is detected (Fig. 3): that's the length of the inteleaver block and just thanks to repeated data that it's possible to mark it. Also, the strong result of the autocorrelation leads to think of the use of Walsh Orthogonal Modulation, although it's not provided in S4539. Indeed, the detection of the interleaver length is facilitated because the last di-bit in any interleaver block is identified by the use of alternate set of Walsh sequences.

Fig. 3 - result from the autocorrelation
AngazU edited a header to eliminate the miniprobes (roughly)  and the resulting ACF is 26.6 ms considering both polarities and 13.3 ms considering only one. This indicates that it could be a walsh code of 32 symbols that is repeated inverted (Fig.4): 64 (32+32) symbols lasting ~26.6ms makes a data rate of 2400 Baud.
But be careful, it's just a speculation! We'll need a good quality recording to demodulate it and to verify it at  bit level.

Fig. 4

From the above, we think that the initial bursts use Walsh modulation and are used as a negotiation phase before the traffic starts: possibly we are facing with the "wide band link" (Fig. 4) that makes use of the "Cognitive Engine" software during the link establishment procedure, taking into account information on MUF, requested SNR, noise level, propagation modes, antenna performances.
As said, the above are only our hypotheses, we do not yet have any confirmation of them. Comments are welcome.

Fig. 4 - HFXL link establishment procedure

18 May 2019

KW-46 secured traffic over 188-110A, prob. US/Australian NCS HEH


These signals were recorded and monitored on 14462.0 KHz/USB thanks the KiwiSDRs at OI33 and OI33SA in Jakarta, Indonesia:

behavior and waveform Transmissions take place mainly during the morning time UTC, probably scheduled from Thursday to Saturday, and consist of very long traffic sessions (
although not continuous, as S4285 broadcasts are) alternated with equally long idling sequences. Several times I went late on the signal and given the lack of preamble re-insertions in the 110A waveform, the acquisition of sync, and the consequent decoding, were impossible. After days of long monitoring I had the chance to record the start of a transmission and then identify the mode, i.e.: 600bps/Long.
Since the absence of any "ALE phase" in the time interval immediately preceding the start of the transmission (Fig. 1), it's difficult say if we're dealing with PtP or broadcast transmissions to staring receivers in standby.

Fig. 1
The analysis of the frame structure (Fig. 2) confirms 110A operations at low datarates: each frame is composed of 40 tribit symbols, or 120 bits, (20 symbols for miniprobe + 20 symbols for data). In low datarate modes, from 150 to 1200 bps, the 480-bit length of the 110A scrambler exactly matches four frames (i.e.: 4 x 120 bits) and so it produces the strong 66.67ms spikes which are visible in the auto-correlation function.

Fig. 2
bitstream analysis The most certainly interesting aspect is the use of KW-46 encryption to secure data transfers (Fig. 3). Usually, the KW-46 crypto device is used in USN/NATO fleet broadcast paired with FSK 50Bd/850 or S4285 modems: it's the first time I see KW-46 secured traffic carried on air by 188-110A.

Fig. 3 - Fibonacci's bits in the demodulated bitstream
source and user As for the signal source, although the TDoA algorithm may be inaccurate due to the few KiwiSDRs in that region, considering the use of KW-46 crypto devices a plausible hypothesis can be the Royal Australian Navy (RAN) Naval Communication Station "Harold E. Holt" at Exmouth (NCS HEH) [1]. Royal Australian Navy is the naval branch of the Australian Defence Force (ADF).

Fig. 4 TDoA result and HEH site

NCS HEH is a joint US/Australian radio relay station comprising three separate main areas: Area A (Register no. 103552), located at Cape Murat, the VLF facility comprises the Very Low Frequency Transmitter, a deep-water pier, the primary Power Plant and a POL Tank Farm; Area B (Register no. 102767) includes Administration and HF Transmission; and Area C (Register no.103554) HF Reception. Areas "B" and "C" facilities are dedicated to point to point communication circuits. These circuits are established with shore facilities and navy surface ships operating within the station's area of communications responsibility. 


https://yadi.sk/d/xOD5_rlCK2I5NA

15 May 2019

why use of scrambling

Some days ago a friend of mine drop me an email asking about a signal recorded at 428 MHz. It's clearly an FSK modulation (probably GFSK) at the rate of 318124 bps as shown in Fig. 1, but the most interesting aspect was pointed out to me by my friend KarapuZ: he suggested me to investigate the signal in order to detect the presence of a scrambler. Indeed, after demodulation of the signal I found that a scrambler described by the polynomial x^9+x^4+1 was used.
 
Fig. 1
In normal usage, scrambling is used for two reasons:

1) it is used to remove the possibility of a long sequence of 1's and 0's in the bit sequence. The long sequence of 1's and 0's make timing synchronisation and clock synchronisation tougher at the receiver as regular transitions help in working of adaptive circuits like AGC and phase locked loop;
2) it eliminates the dependence of signal's power spectrum on  the transmitted information sequence thereby keeping it below the maximum power spectral density requirement. If scrambling is not done, power might be concentrated in a narrow frequency band thereby causing intermodulation and crossmodulation distortion to adjacent channels.

As a proof, KarapuZ kindly sent me two synthesized FSK signals: with and w/out the use of a scrambler. The used source bitstream and modulation are just the same of the real 428MHz signal. As you can easily see, the bitstream structure, if not scrambled, introduces an imbalance in the formation of the spectrum by a modulator (Fig. 2a) and the pseudo-random sequence originated by the scrambler "aligns" the spectrum (Fig. 2b): that's useful to us in order to understand the formation of signals. 
For the sake of completeness, the spectrum of the 428MHz signal is shown in Fig 2c: note also that in the synthesized signals the Gauss filter was not used.

Fig. 2a - unscrambled signal, unbalanced spectrum in its low part
Fig. 2b - same signal when scrambling is used
Fig. 2c - 428MHz signal
The same motivations seen above also apply to more complex signals which use PSK-n modulation.

Just to complete the analysis of the 428MHz signal, the source bitstream got after descrambling shows a 3420/6840 bits period that can be reduced to 18/39 bits patterns (Figs. 3,4).

Fig. 3
Fig. 4
 

1 May 2019

OFDM-30 (+1 pilot, +2) DPSK 50Bd

updated

The signal was recorded at 8403.5 KHz (CF) thanks to the use of some KiwiSDRs [1], it occupies a bandwidth of 2500 Hz  and seemigly consists of 35 tones (Fig. 1a). The lower tone (in case of USB) most likely is the "pilot" one, used for Doppler correction, and its level is 7 dB higher than the normal level of any one of the the remaining 34 tones (Fig. 1b). The pilot seems followed by four tones: actually two PSK2 channels modulated at 25 and 50 Bd.
The remainig 30 tones are used for data transfer, they are ~71 Hz spaced and are formed using the OFDM technology. Curiously, the transition from idle/data phases does not happen simultaneously for all the channels, the delay is approximately 3500ms starting from the lowest channel (Fig. 1c). The same signal was already meet here (thanks pir3 for his comment in twitter).

Fig. 1a
Fig. 1b
Fig. 1c

The two lower 25Bd and 50Bd PSK2 channels after the pilot tone send a continuous sequence of zeros and ones which is most likely used for sync purposes.

Fig. 2a
Fig. 2b

The analysis of the 30 data tones shows a 4-ary constellation in absolute mode and a 2-ary constellation in relative mode (Fig. 3), in my opinion these tones are keyed using DPSK ,or MSK, modulation with symbol-rate of 50 Baud and 25Hz shift (note that MSK is a particolar form of QPSK); the analysis of a single tone confirms my guess (Fig. 4). No particular patterns were detected during the data phase.

Fig.3
Fig.4

A raw demodulation (!) results in a 100-bit period stream (Fig. 5). As you see, 100-bit period makes a 2000ms interval that matches the intervals in Fig. 1c.


Fig.5
Signal localization is rather difficult, indeed several TDoA runs result in the middle of nowhere in Pacific Ocean (Fig. 6).

Fig.5

4 April update (replying to my friend Daniel's comment)
I simply used DPSK but I should have specified if it is a CDPSK or a SDPSK.
Indeed, "the difference between PSK and DPSK (Differential PSK) is in their encoding of the input data sequence. PSK encodes the input data sequences in-pahes (states), while DPSK encodes it in the phase difference (transitions) between successive bits or symbols.
This means that there would be a phase change in the modulation signal if the two successive bits in the input data sequence are different (0 to 1 or 1 to 0), and no phase changes if the successive bits are the same. DPSK is called conventional DPSK (or CDPSK) if the phase differences is in the set of [0,π] and symmetrical DPSK (SDPSK, also called π/2-DPSK) if the phase difference is in the set of [π/2,-π/2]". As you see in Figs. 3 and 4 the transitions are in the set
of [π/2,-π/2] so most likely it's a SDPSK (π/2-DPSK). 
As a further proof, I synthesized a OFDM-30 SDPSK 50Bd using the OCG tool: the results are shown in Figs 6 and 7 below.

Fig. 6
Fig. 7
The "delay" in the transitions from idle to data and from data to idle (Fig. 1c) are clearly visible in the demodulated bitstream in Fig. 8 that my friend Daniel linked in his comments.
 
Fig. 8


https://yadi.sk/d/2Qs8X9e1sr1Pgg  (OCG synthesized OFDM-30 SDPSK 50Bd)
https://yadi.sk/d/cn6iqtWQhn-Sig 
https://yadi.sk/d/CUxayO9wyIeeAw

[1] the recordings were possible mainly thanks to the owner of KiwiSDRs at:
AI6VN/KH6 - Kahakuloa, Maui, Hawaii 

other useful KiwiSDRs used in monitoring: 
Marahau, Tasman District, New Zealand 
Northeast Asian Broadcasting Institute - Seoul, Republic of Korea
ZMH292 - Bay of Islands, New Zealand
Yokohama, Japan