26 August 2019

6 KHz wideband OFDM-160 PSK2/QAM-16

6 KHz wideband OFDM-160 30.469 Bd/37.5 Hz PSK2 & QAM-16 spotted on 10342 KHz (CF), probably it's connectd to the OFDM-80 seen a few days ago. Some packages of this  transmission have PSK2 modulation, other QAM-16. ACF of the transfers is equal to zero. As suggested by my friend KarapuZ, for a correct analysis it is necessary to load only the central body of a package excluding preamble and trailer.
Friends from radioscanner.ru have noticed versions of this OFDM with QPSK, PSK8, and QAM-32 modulations in the channels.



Transfers begin and end with short MFSK sessions although they are shifted upwards with respect to the central frequency of the OFDM. Don't know if the MFSK waveforms are used for link establishment or for other communication-oriented signaling.


23 August 2019

CIS-75 FSK 75Bd/250 (2): 128-bit LFSR sequence

This post is a follow-on of the previous one and shows some findings due to the collaboration between myself and my friend Valentin (cryptomaster).
In the analyzed CIS-75 recordings, we saw the use of a 128-bit length pseudo-random sequence which is inserted repeatedly in the data stream probably to re-sync the receive modem. As it turned out, the sequence is transmitted in positive and negative polarity according to an alternation  of patterns which are easily identifiable by inspecting the stream with a window of 385 bits width (Fig. 1)

10101011010100010100110100000100101100010000110010000001101011110100100100011100111000001110100011011000011110111011001100000000

Fig. 1 - sequences patterns
The sequence positions emerge after descrambling the stream using either the x^8+x^6+x+1 polynomial or the x^9+x^8+x^7+x^6+x^2+1 polynomial (Fig. 2): since they are not primitive polynomials the 128-bit sequence can't be considered as an m-sequence [1] but rather a scrambler sequence. Notice that the descrambled streams show opposite polarity.

Fig. 2 - descrambled stream
The sequences (the positive and negative one) have the interesting property of being both parts of the same 256-bit sequence generated by the polynomial 9,8,7,6,2 ...subject to some errors that apparently have been added to the sequence in order to complicate its analysis.

1110010011110000100010011001111111101010110101000101001101000001
0010110001000011001000000110101111010010010001110011100000111010
0011011000011110111011001100000000101010010101110101100101111101
1010011101111001101111110010100001011011011100011000111110001000


Interestingly, if the stream is decoded in differential mode the sequence changes its length to 127 bits and acquires only one polarity (Fig. 3): in this case both the descrambler polynomials 8,6,1 and 9,8,7,6,2 are suitable (Fig. 4).

Fig. 3 - sequences in the diff. decoded stream
Fig. 4
We also saw that syncing the diff. stream, the sequences appear in regular positions so that they could also be used to separate data blocks, but it's just our guess (Fig. 5).

Fig. 5 - sinched stream
During one of his monitorings, Valentin caugth an interesting transmission: after a stop the only "space" frequency was emitted for a long time and then followed by a short-term transmission (~ 3 sec). The signal contains the 128-bit sequence that we discovered and another 114-bit sequence repeating in the stream: the most interesting thing is that also that sequence is a consequence of the mentioned scramblers (Fig. 6 shows the descrambled stream).

Fig. 6


By the way... just another feature: when the modem works in idle mode the speed is set to 100 Bd (Fig. 7). Actually, in idle mode a "meander" is transmitted with a frequency of 50 Hz. The source of this frequency is a 50 Hz AC network. The meander is used to correctly configure the correspondent station, as well as to ensure that no one else occupies the HF frequency.
Notice that 50 Hz frequency originates a 100 bps stream: "1" value during the positive period (the first half cycle) and "0" value during the negative period (the second half of the cycle): if considered as speed, then it is 100 bps. 


Fig. 7

CIS-75_stream.bin
CIS-75_diff_stream.bin
Short_75-250.wav
izh.swl.su_2019-08-15T09_38_31Z_9187.00_usb_idling.wav

[1] http://www2.siit.tu.ac.th/...m-sequence.pdf

Signals for analysis was mostly gathered thanks to the KiwiSDRs:
http://sdr.ok2kyj.cz:8073/   (Pohorany near Olomouc, Czech Republic)
http://r3tio.proxy.kiwisdr.com:8073/  (Nizhny Novgorod, Russia)
http://kiwi-kuo.aprs.fi:8073/  (Kuopio, Finland)

20 August 2019

OFDM-80 30Bd/37.5Hz

Unid (to me) OFDM 80-tones 30Bd/37.5Hz K=1/4, spotted with good SNR on 9400 KHz (cf) and resampled to 9600 Hz.

Fig. 1
Some channels show a clear PSK2 modulation while in other channels I could not successfully detect the used modulation (looks like a differential PSK but I could be wrong).

Fig. 2 - observed modulations
Data seem to be sent in blocks while the ACF of the transfer is 133.4 ms with a bit of instability which is probably due to the observed modulations in the channels (see Fig. 2). Since the aggregate speed of 2400 symbols/sec (30x80), the ACF value reveals a 320-symbols length frames. 

Fig. 3
The signal was recorded using the KiwiSDR http://sdr.ok2kyj.cz:8073/ (Pohorany near Olomouc, Czech Republic).

14 August 2019

CIS-75 FSK 75Bd/250

CIS-75-75/250  is a Russian/CIS system supposed in use by Military in HF. As its name, this system use F1B modulation with 250 Hz shift and 75 bps speed, most likely a broadcast with linear encryption (ACF=0). The transmission was heard today on 9188 KHz (cf), operating continuously from the first morning. It's worth noting that during the days back, while I was monitoring the Swiss-MIL on 9187 KHz/USB, this FSK signal was not present: maybe 9188 KHz is not a primary channel, but it's a my guess.


According to several TDoA localizations, the site of Tx is in the area of Moscow.


kiwi-kuo.aprs.fi_2019-08-14T13_08_37Z_9188.00_iq.wav