31 March 2021

CIS-1200 BPSK 1200Bd ("Makhovik", T-230-1A)

Good quality CIS-1200 (T-230-1A, BPSK 1200Bd) transmission spotted on 9073.80 KHz (cf) thanks to the ArcticSDR. The transmission consists of a series of encrypted messages; the 240-bit Initialization Vectors are sent in 8x30-bit groups, each group repeated three times (Figure 2).

Fig. 1
Fig. 2

The transmission ends with a long "idling" part consisting of the 511-bit m-sequence generated by the polynomial x^9+x^5+1 (Figure 3). Everything is consistent with previous CIS-1200 recordings [1].
Fig. 3

 

https://disk.yandex.com/d/599vbjcIfpRzrA

 
[1]  https://i56578-swl.blogspot.com/search/label/Makhovik

 

24 March 2021

async STANAG-4481F with KG-84/KIV-7 encryption (DHFCS)

updates: spotted on 6245.20, 8127.0, and 10272.0 KHz (all Cf)

We are used to seeing (and recognizing) KG-84/KIV-7 encryption in synchronous STANAG-4481F, but this time I ran across such encryption in async S-4481F (75Bd/850) transmissions heard on 8127.0 KHz (cf). The demodulated bitstream has the classic 5N1 framing (Baudot), from which you don't get much, at least until you have the chance to record the beginning of a new message, as shown in Figure 1 (monitoring gets on files).

Fig. 1 - 5N1 bitstream after demodulation

One way to get an idea of what you heard is obviously to remove the start/stop bits and then examine the resulting Baudot code; then experience helps. In fact, if you happen to see the words:
VMGTCNJ <line feed>
BH
you are facing a message secured by KG-84/KIV-7 devices. Notice that, because of the added framing bits, your decoders (such as K500 or Sorcerer) won't detect the typical KG-84 sync pattern. The classic approach is to examine the message headers after removing the start/stop bits and reshaping to a 64-bit period (Figure 2).

Fig. 2 - analysis of the message headers
 
The first two lines are a short idle state (RYRYRYRY...)
0101010101010101010101010101010101010101010101010101010101010101
0101010101010101010101010101010101010101010101010101010101010101
 
The third line is the well-known 64-bit sync pattern used by KG-84/KIV-7 devices
1111101111001110101100001011100011011010010001001100101010000001
(just the Baudot chars VMGTCNJ <line feed> BH)
 
The following 128-bit Initialization Vector is split into two 64-bit groups, 0x118A4DBCD0FA80BE and 0x01AC4C5F065D8517, each repeated twice (lines 4,5 and 6,7). That's another interesting feature of these transmissions: indeed, the two 64-bit groups forming the initialization vector are usually repeated four times (the same behavior was noted in 2815.0 KHz transmissions, 75Bd/850 from UK MoD).
1000100001010001101100100011110100001011010111110000000101111101
1000100001010001101100100011110100001011010111110000000101111101
1000000000110101001100101111101001100000101110101010000111101000
1000000000110101001100101111101001100000101110101010000111101000

Direction finding tests indicate northern UK as the probable transmitter location; more precisely, I think it's the DHFCS (UK MoD) Tx station located in Crimond (Aberdeenshire, Scotland), whose operations are remotely managed by the Forest Moor net center. As a further clue, note that the DHFCS ALE callsign "XSS" has been heard many times on 8125.0 KHz/USB, i.e. on the tuning frequency of the S-4481F transmissions (cf - 2000Hz).

Fig. 3 - TDoA runs point to DHFCS site of Crimond

From what I have been able to see these days, the transmissions take place only in the morning (never heard after 1300Z); I don't know if they are training transmissions or scheduled broadcasts.

 

Fig. 4 - DHFCS Crimond, former RNAS Rattray (HMS Merganser) (1)

(1) photo on the left by flickr  https://www.flickr.com/photos/53277566@N06/36701528042/

22nd March update
same on 10272.0 KHz (cf)

23 March 2021

Unid 100Bd/1500 FSK

Unid and unusual 100Bd/1500 FSK spotted on 4010.0 KHz (cf) on 10th March thanks to the KiwiSDR in Skerjafjörður, Reykjavik; despite numerous attempts in the following days, unfortunately I no longer had the opportunity to tune it. The analysis was done a little blindly, not having the initial sequences but only traffic; also, I got onto the signal late, so DF was not possible. Below are the two different approaches adopted by me (1) and my friend cryptomaster (2).

Fig. 1 - 100Bd/1500 FSK

1) The search for a scrambler results in the polynomial x^6+x^5+x^4+x^3+x^2+x+1. The bitstream after scrambler removal has a 7-bit frame consisting of (presumably) six bits of data + 1 bit set to "0". The 6-bit "code" doesn't seem meaningful.

Fig. 2 - 7-bit framing

2) I noticed that the seven-column raster resembles an RTTY code (start + 5 bits + stop), folded into some kind of sequence. In addition, blocks with small displacements are visible on the raster (Fig. 3).

Fig. 3

If we discard the conditional start/stop bits and search for a scrambler in the remaining 5-bit code, we get the polynomial x^35 + x^25 + x^10 + 1. The result after removing the scrambler is shown in Figure 4. The search for patterns in the received 5-bit code found nothing.

Fig. 4 - 10-bit framing
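As an added example behind both approaches 1) and 2) above (not the tools used in the post): a self-synchronising scrambler and its descrambler for the two polynomials found, the 7-bit raster, and the start/stop-bit stripping. The multiplicative (self-synchronising) scrambler type is an assumption, since the post does not state it; the input bits are constructed.

```python
# Added example: a multiplicative (self-synchronising) scrambler/descrambler for the two
# polynomials found in the post, plus the 7-bit raster and start/stop stripping used to
# look for framing. The multiplicative type is an assumption; all bits are constructed.
POLY_A = [6, 5, 4, 3, 2, 1]   # x^6+x^5+x^4+x^3+x^2+x+1 (tap degrees; the +1 term is the input)
POLY_B = [35, 25, 10]         # x^35+x^25+x^10+1

def scramble(bits, taps):
    """out[n] = in[n] XOR out[n-t] for each tap t: self-synchronising scrambler."""
    out = []
    for n, b in enumerate(bits):
        for t in taps:
            if n >= t:
                b ^= out[n - t]
        out.append(b)
    return out

def descramble(bits, taps):
    """Inverse: in[n] = out[n] XOR out[n-t]. Only received bits feed the taps, so a
    stream caught mid-way (as in the post) is clean after the first max(taps) bits."""
    return [b ^ (sum(bits[n - t] for t in taps if n >= t) & 1) for n, b in enumerate(bits)]

def reshape(bits, width):
    """Raster the stream into rows of `width` bits (incomplete tail dropped)."""
    return [bits[i:i + width] for i in range(0, len(bits) - width + 1, width)]

def stop_bit_score(bits, width=7):
    """Fraction of rows ending in 0: close to 1.0 hints at the '6 data + 0' framing of 1)."""
    rows = reshape(bits, width)
    return sum(row[-1] == 0 for row in rows) / len(rows)

def strip_start_stop(rows):
    """Approach 2): read each 7-bit row as start + 5 bits + stop and keep the 5 bits."""
    return [b for row in rows for b in row[1:6]]

def demo_frames(count=300):
    """Constructed plaintext: a 6-bit counter followed by a 0 bit, `count` frames."""
    return [b for i in range(count) for b in [(i >> k) & 1 for k in range(5, -1, -1)] + [0]]

if __name__ == "__main__":
    plain = demo_frames()
    tx = scramble(plain, POLY_A)
    late = descramble(tx[98:], POLY_A)[7:]      # tuned in 14 frames late; drop the unsettled bits
    print(stop_bit_score(tx), stop_bit_score(descramble(tx, POLY_A)), late == plain[105:])
```

With the scrambler applied, the stop-bit column is only about half zeros; after descrambling, every row of the raster ends in 0 again, even when the recording started mid-stream.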

 https://disk.yandex.com/d/AfRS6tsZ-9jmbg

15 March 2021

dwell on STANAG-4481F is always interesting

Sometimes we overlook the usual STANAG-4481F or similar FSK signals, but they are precisely the ones that turn out to be the most interesting: just in these days I heard two STANAG-4481F transmissions that, one way or another, are both notable.
The first one is the Dutch Navy, which operates at 6358.5 KHz (cf). That channel is normally used by PBB for its well-known Frequency Availability Broadcast (FAB, also known as CARB), but I was lucky enough to listen to them in "traffic" mode, more precisely using the 50Bd/850 waveform in secured mode (KW-46 device). Likely it was a Maritime Rear Link to communicate with a specific ship.

https://disk.yandex.com/d/fRp605mzIwB_aQ
 

Fig. 1

Fig. 2
 

The second one was heard on 8994.0 KHz (cf) using the 75Bd/850 waveform, also secured with KW-46 encryption; the Tx site is AJE Barford St. John (UK). Well, apart from the use of KW-46 with the 75Bd waveform, the transmission is interesting since the tuning frequency (8992.0 KHz/USB) is one of the primary channels of the HFGCS network. One could object that 8992.0 KHz is CRO - Croughton; actually both sites (Croughton and Barford St. John) belong to the same communications complex, being just a few miles apart: one site is the receiving station, the other the transmitting station.

Fig. 3

Fig. 4
 
It may happen (Figure 5) that the FSK transmission is momentarily suspended to make way for an EAM message which - as you know - has a higher priority ("Ubi maior minor cessat").
 
Fig. 5 - higher priority EAM breaks a STANAG-4481F broadcast

https://disk.yandex.com/d/iEx8-puTY0KwZQ

12 March 2021

Rus PSK4 1200Bd: solved

The question related to the "nature" of the 1022-bit period of the QPSK 1200Bd signal (see the previous post) has been solved thanks to the help of my friend cryptomaster: I was waiting for traffic ("I tuned it waiting for traffic, but luckless until it went off") but actually it was already there!
He had the great intuition to reshape the bitstream into di-bit symbols, i.e. 2 bits per row given the 4-ary modulation; then we went on to analyze the two columns separately and found the m-sequence x^9+x^5+1 (or the equivalent x^9+x^4+1) in the second column. Therefore each bit of data is followed by one bit of the m-sequence, i.e. the 1022-bit period consists of 511 bits of data interleaved with the 511 bits of the sequence generated by the LFSR x^9+x^5+1 (Figure 1).

Fig. 1 - x^9+x^5+1 sequence in the 2nd column
 
The next step was to see if the same polynomial is to some extent involved in the bits of the first column. Based on the ninth degree of the polynomial x^9+x^5+1, a 9x511 parity check matrix was constructed, assuming that an H(511,502) code based on that same polynomial is used in the formation of the bits of column #1. Notice that an H(m,k) code is a Hamming code that encodes k bits of data into m bits (the codeword), adding m-k parity bits (CRC).
Our parity matrix consists of a 9x502 check sub-matrix and a 9x9 identity sub-matrix (Figure 2):
 
Fig. 2 - Hamming parity check (511,502) matrix

As you know, the CRC formation is carried out by comparing, column by column, the k bits of each data row in turn with all the (m-k) rows of the check sub-matrix and counting the "vertical" correspondences of the "1"s of the data row and the r-th row of the check sub-matrix: if the count is odd then CRC bit #r is set to "1", otherwise it is set to "0". That way, the (m-k) bits of the CRC are appended to the k bits of the data row just examined, and the computation goes ahead with the next data row.
That said, the bitstream of column #1 (the file demod-bit1.txt) has been reshaped to form a 511-column matrix of codewords. Manually checking the roughly two hundred 511-bit codewords would have been a nightmare, so I wrote a short Octave script to do the job for me and calculate the 9-bit CRC of each row, along with a simulation of the final PSK4 modulation; the result is in Figure 3.
 

Fig. 3 - 9 bit CRC rows (left); PSK4 modulation of data +CRC (right)

By comparing the calculated CRC bits (Figure 3, left) with the bitstream of column #1 (Figure 4), it is clear that each row of the bitstream is nothing more than a "codeword" consisting of 502 bits of data plus 9 bits of Hamming CRC, i.e. the 511-bit period that we saw.

Fig. 4 - the bitstream of column #1
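As an added worked example (not the Octave script mentioned in the post), the following Python generates the x^9+x^5+1 m-sequence, builds the systematic (511,502) parity-check matrix from the successive LFSR states, computes the 9-bit CRC of a 502-bit data row by the row-by-row odd/even count described above, cross-checks it against polynomial division, and de-interleaves a 1022-bit period into the two columns. The 502-bit data row is constructed, not taken from the recording.

```python
# Added example (not the post's Octave script): the x^9+x^5+1 LFSR, the systematic
# (511,502) parity-check matrix built from its states, and the 9-bit CRC as described.
G = 0b1000100001   # x^9 + x^5 + 1 as a bit vector (bit 9 .. bit 0)
N, K = 511, 502    # codeword and data lengths of the Hamming code

def m_sequence(length=1022, seed=(1, 0, 0, 0, 0, 0, 0, 0, 0)):
    """Fibonacci LFSR for x^9+x^5+1: s[n] = s[n-9] XOR s[n-4]; period 511."""
    s = list(seed)
    while len(s) < length:
        s.append(s[-9] ^ s[-4])
    return s

def residues():
    """x^i mod G for i = 0..510: each non-zero 9-bit LFSR state exactly once."""
    out, r = [], 1
    for _ in range(N):
        out.append(r)
        r = (r << 1) ^ (G if r & 0x100 else 0)
    return out

def parity_check_matrix():
    """H = [A | I9]: column j holds x^(510-j) mod G, row r its x^(8-r) coefficient."""
    res = residues()
    return [[(res[510 - j] >> (8 - r)) & 1 for j in range(N)] for r in range(9)]

def crc_by_matrix(data, H):
    """CRC bit r = 1 iff an odd number of columns have both data bit and check-row r set."""
    return [sum(d & h for d, h in zip(data, H[r][:K])) & 1 for r in range(9)]

def crc_by_division(data):
    """Cross-check: the same 9 bits as the remainder of d(x) * x^9 divided by G."""
    r = 0
    for bit in data + [0] * 9:               # data MSB first, then the x^9 shift
        r = (r << 1) | bit
        r ^= G if r & 0x200 else 0
    return [(r >> (8 - i)) & 1 for i in range(9)]

def syndrome(codeword, H):
    """All zeros for a valid 511-bit codeword; a single bit error yields that bit's H column."""
    return [sum(c & h for c, h in zip(codeword, H[r])) & 1 for r in range(9)]

def deinterleave(frame):
    """Split one 1022-bit period: column #1 = data + CRC, column #2 = m-sequence."""
    return frame[0::2], frame[1::2]

if __name__ == "__main__":
    H = parity_check_matrix()
    data = [(i * i) % 3 & 1 for i in range(K)]      # constructed 502-bit data row
    word = data + crc_by_matrix(data, H)            # 511-bit codeword = data + CRC
    print(crc_by_matrix(data, H) == crc_by_division(data), syndrome(word, H))
```

Because the H columns are the LFSR states, a recorded 511-bit row whose syndrome is all zeros confirms the (511,502) structure, and a non-zero syndrome points at the column of a single flipped bit.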

My friend cryptomaster also tested a 2016 recording and found it matches the above conclusions (Figure 5). As for the nature of the 502-bit data strings, they are probably telecontrols; further recordings are needed. A possible (!) functional block diagram of the modulator is shown in Figure 6.
 
Fig. 5
 

5 March 2021

Rus PSK4 1200Bd

Transmission heard on 8741.5 KHz/USB, thanks to the KiwiSDR owned by YO3IBZ (Bucharest, Romania), on March 3rd. Although I tuned it on 8741.5 KHz, I think the real tuning frequency is 8742.0 KHz (usual 1800 Hz subcarrier). As shown in Figure 1, the waveform employs QPSK modulation at a rate of 1200Bd; the ACF result is 425 ms, i.e. 511 dibit symbols at 1200Bd.

Fig. 1

As expected from the ACF (511 symbols), the demodulated bitstream consists of a continuous repetition of the same 1022-bit pattern (Figure 2), thus from time to time I tuned it waiting for traffic, but luckless until it went off. All I can tell is that the signal was on air for the whole "monitoring" period (i.e. 12 hours, from 0700 to 1900 UTC), but in the following days and until today (March 5th) the transmissions seem to have ceased, at least on the reported frequency.

Fig. 2
TDoA attempts clearly indicate an area south-east of Moscow as the most probable site of the Tx (Figure 3).

Fig. 3

https://disk.yandex.com/d/O6yCdhU29f0Y3w