(cryptomaster, I56578, KarapuZ)
This post may be considered as a continuation of an interesting analysis started by my friends cryptomaster and KarapuZ, see
the radioscanner post for background. The signals analyzed by my friends and me consist of STANAG-4481F waveform (also known as NATO-75, FSK 75Bd/850) and have been spotted on 8202.5 KHz/usb (tuning frequency, CF = +2000 Hz): in our opinion they seem to be (off line) fleet broadcasts of 3 x 7-bit multiplexed encrypted channels.
I want to thank my friend AngazU and the owner of the KiwiSDR in Alicante (Spain) who allowed me to use his device w/out time limits in order to monitor these transmissions.
The interesting aspect is the 3-bit structure which is visible in SA raster (Fig. 1) by using, for example, a time window of 200ms (=15 bits @75bps); notice that it does not occur in time windows that implie a number of bits which is not an integer multiple of 3.
Fig. 1 - 3-bit structure in a 200ms raster window |
Following this results, the demodulated stream has been reshaped into a 3-bit framing (Fig. 2): it is easy to see that two columns have the same content.
Fig. 2 - 3-bit framing of the demodulated stream |
Then, each column in turn has been reshaped in a 7-bit pattern in order to obtain 3 separate files corresponding to the three channels. Karapuz noted that the Fibonacci's bit sequence (generated by the polynomial x^31 + x^3 + 1) is present in each channel (Fig. 3): this is the main indication that the source data was encrypted using the KW-46/KIV-7 cryptographic device, according to STANAG -5065.
Fig. 3 - the KW-46 M-sequences in the 3 channels conveyed by a single S-4481F trasnmission |
The presence of three distinct channels suggests that a time division multiplexer (TDM) be used upstream of the S-4481F modem, but there is a problem with the speeds at stake. The used TDM must have a 75bps "aggregate" speed in order to meet the S-4481F waveform requirements, thus each (encrypted!) input channel should have a speed of 25bps... but crypto devices such as KG-46 or KIV-7 do not work at speeds lower than 50 bps! (Fig. 4).
Fig. 4 |
So, it seems that a kind of "rate change" occurs between TDM and S-4481F modem but a such kind of
store-and-forward device to down the speed appears unrealistic in case of long broadcasts.
During my monitoring I had the luck to catch the beginning of a transmission. Interestingly, the M-sequences generated by the polynomial x^31 + x^3 + 1 just start from the very first bit of the 3 demodulated streams (100% indication in Fig. 5), there are no signatures or magic numbers attributable to transfer protocols or to file formats, neither preambles or synch sequences
Fig. 5 |
According to TDoA direction finding tries, the transmitter site is the Naval Radio Transmitter Facility (NRTF) in Niscemi, Italy (Fig. 6): an infrastructure of the NATO communication system that is linked with other US military bases [1]. It's to notice that similar transmissions (3-bit structure S-4481F) can be heard on 7545.5 and 6383 KHz (CF), also them from NRTF Niscemi!
Fig. 6 - TDoA result |
As I said, two channels have the same content, as indeed shown in the raster (Fig. 1): it's to notice that such repetitions of encrypted channels were also noted in some KW-46/KIV-7M secured fleet broadcast of the Australian Ny, see
the blog post. In that case we have an aggregate speed of 600bps and 12 multiplexed channels, i.e. 50bps speed per channel.
I checked sveral other S-4481F transmissions but so far these odd 3-bit structure is present only in the ones coming from Niscemi: help and comments from readers are very apreciated and welcome.
High Frequency dual mode antennas at NRTF Niscemi (source Wikipedia) |
24 Feb update
As expected, parallel transmissions on 8204.5 KHz and 6383 KHz convey the same content (Fig. 7); the third frequency (7545.5 KHz) is not used at this time.
Fig. 7 - same contents on parallel transmissions |
(to be continued)
[1] https://www.globalsecurity.org/military/facility/niscemi.htm