27 December 2020

async 5N1.5 STANAG-4481F in cleartext

Yet another interesting STANAG-4481F signal, this time operated in async 5N1.5 mode and in cleartext(!): first time I see a not encrypted S-4481F transmission (obviously except FABs/CARBs). Signal spotted on 11123.55 KHz (CF) at 2220Z a few days ago (24th Dec) thanks to the AI6VN/KH6 KiwiSDR at Kahakuloa, Maui, HI.

Fig. 1

Curiously, since the poor quality of the signal, the bitstream sometimes appears as 5N1 and sometimes as 5N2 (Figure 2).

Fig. 2 - 5N1 and 5N2 bitstreams

The decoded text concerns the AOMSW exercise in the Arabian Gulf on December 21 [1] and since the title ("Navy News Stories of the day" ) and the text, I think it's probably a kind of "press review" for the fleet at sea. 

Fig. 3 - decoded text

Don't know which USN/NATO station operates on that frequency (11223.55 KHz, CF) and unfortunately I went late on that transmission so I didn't have time to DF the signal.

[1] https://www.centcom.mil/MEDIA/NEWS-ARTICLES/


22 December 2020

An odd STANAG-4481F link

Odd STANAG-4481F transmissions consisting of (apparently) continuous KG-84/KIV-7 64-bit sync sequence, spotted on 11222.0 Khz (CF): this is the first stime I hear S-4481F on that frequency. These transmissions have been going on h24 for days and always keeping the same modality.

Fig. 1 - note the oscillations during the mark-space switch

As pointed out by my friend cryptomaster, although k500 decoder recognizes the KG-84 64-bit sync sequence, actually the stream consists of the 63-bit m-sequence generated by the polynomial x^6+x^5+1, or its counterpart x^6+x+1 (Figure 2); this way, the KG-84 sync sequence is obtained by adding one "1" bit. Otherwise, the KG-84 sync sequence may be obtained assuming (as the decoder does) the last bit "1" of the sequence n as the first bit of the sequence n+1, i.e. as if that bit were "in common" bewteen two consecutive sequences (Figure 3). In a few words, decoders are tricked by that 63-bit sequence.
In my opinion, the choice to send that m-sequence is not a "casual" one - they could have used any other test pattern - but raher it's a deliberate choice since its closeness to the KG-84 sync sequence (just one bit) and the fact that KG-84 is largely used in S-4481F links. Interestingly, the stream resulting after the removal of the scrambler consists of  bits all set to "1"; as above, they could have used any other scrambler polynomial.
Fig. 2
Fig. 3
Fig. 4 - a STANAG-4481F decoder working the 11222.0 KHz transmission

It's difficult to say what it is exactly: maybe tests in view of the setup of a new link,  a frequency marker or maybe some trials. Every attempt to find the Tx site by using TDoA method is different, almost surely it's somewhere in the North-East of US, most likely NSS/AFA Davidsonville (Figure 5).
I will update the post as soon as something new comes out. 
Fig. 5a - according to these DF attempts, TX seems located north of Baltimore (likely Davidsonville)
Fig. 5b - other TDoA attempt obtained by selecting receivers from east to west (...still Davidsonville)

16 December 2020

Unid MFSK-13 system

Unid MFSK-13 system running at different speeds (31/62.5/125 Baud) and intervals (125/250 Hz) spotted on Twente WebSDR on ~10625, ~9091, ~7779 KHz/USB thanks to friend radiotehnikaT101

Fig. 1
Fig. 2

It's to be noticed the quick change of the waveform in the 10625 KHz recording (from 31Bd/250 to 125Bd/126): maybe the first part could be the "call" segment. I tried a rough demodulation by replacing the Hex characters (0...C) with their binary value (0000...1100) but I didn't find anything interesting in the bitstreams except some patterns in the 31Bd/250 segment (88/176 bit period).
Most likely  these are experimental transmissions in the network of the Ministry of Foreign Affairs of the Russian Federation. 

Fig. 3


11 December 2020

unid 216-bit Initialization Vectors


Interesting MIL 188-110A segments which transport encrypted data. The bitstreams corresponding to the eigth segments - after 110A removal - are shown in Fig. 2; unless segments e and f, each bitstream consists of an initial block followed by encrypted data.

Fig. 2 - demodulated bitstreams

The initial blocks consist of a 216-bit (27 bytes) sequence, most likely the initialization vector, which is 3 times repeated: obviously, the initialization vectors are different in each segment. It's to be notice thatsegment h (the last) is preceeded and followed by 3G-HF Fast Link Setup bursts (FLSU, BW5 waveform); most likely it's an incomplete recording of a 3G-HF Circuit Service mode using 110A.

Fig. 3 - 3x216-bit IV