19 May 2021

UK MoD 12800bps bursts: other oddities

I was just monitoring some interesting sequences of 2400Bd PSK bursts occupying 3 out of 6 channels (each 3 kHz wide) according to alternate timings of 40 and 20 seconds: frequencies 5742.5, 5748.5, and 5757.5 (all USB). The 119.6 ms ACF value corresponds to a framing of 287 symbols @2400Bd, i.e. the STANAG-4539 waveform: more precisely, according to its self-identifying feature, a 32QAM modulation at 8000bps speed (Figure 1).

Fig. 1 - STANAG-4539 framing structure

Unfortunately, I was not able to get the expected 32QAM constellation but only a few states of the outer 32QAM ring (Figure 2).

Fig. 2

I was a bit puzzled until I realized I was seeing an already known signal, more precisely the UK MoD 12800 bps 64QAM bursts [1]: the signals were just badly tuned (300 Hz frequency offset).
A question arose almost immediately: why, despite the mistuning, are the signals recognized as a 32QAM/8000bps modulation with a sub-carrier error of only 0.2 Hz? I thought about a decoder error, but examining the 103 preamble symbols that carry information regarding the data rate and interleaver settings, I found that those are actually different in the two cases of 5757.20 and 5757.50 Hz (Figure 3).

Fig. 3 - data rate and interleaver settings

I repeated the measurements of modulation and speed using other tuning frequencies; results are in the table below. Notice the discrepancies between the tuning frequency and the error detected by the decoder, especially in the 5757.20 and 5757.50 cases where the signal seems to be exactly tuned:

According to STANAG-4539 #2.1, the accuracy of the sub-carrier frequency shall be 3×10^-5, i.e. a max tolerance of ±172 Hz @5,757 MHz is allowed: probably the autobaud feature fails because of that kind of "symbol distortion"?

Assuming 64QAM/12800bps as the actual mode (as already assumed at the time), I tried to demodulate the same single burst using two different decoders (say A and B, without naming them). The expected length of the bitstream will be:

13 frames × 256 = 3328 symbols × 6 = 19968 bit

Fig. 4

Results are a bit perplexing:

- decoder A, 1536-bit length of the resulting bitstream, seems to successfully demodulate only one frame (1 × 256 × 6)
- decoder B, 36864-bit length of the resulting bitstream, seems to demodulate 12-out-of-13 frames and, in some way, duplicate the results (12 × 256 × 6 × 2)

(the 5750.20 kHz signal was resampled to 8000 Hz before its demodulation).

Fig. 5

I don't know if the use of only 8 out of 20 points of the 64QAM outer ring confuses the decoders, however I think these bursts (and maybe the waveform?) are not fully clarified yet.

8 May 2021

yet another STANAG-4481F 50-75Bd broadcast

5716.0 kHz (cf): STANAG-4481F (apparently) 75Bd fleet broadcast from NAU Isabela (PTR), running with the "odd" and already observed 3-bit format (Figure 1).

Fig. 1

After removing the third column, which contains the replicated bits, and then reshaping the resulting bitstream to a 7-bit pattern, the actual 50Bd speed and the usual KW-46/KIV-7 encrypted stream emerge (Figure 2).

Fig. 2

As mentioned, this behavior has already been noted previously in STANAG-4481F transmissions from NSY Niscemi, AJE Barford and from NAU itself: for more information, the related posts are grouped under a specific tag.
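
The column removal described above, as an added example that is not part of the original post: it finds the group alignment, drops the replicated column (2 data bits per 3 sent, hence 75Bd carrying 50Bd) and reshapes to 7 bits. It assumes the third bit of each group repeats the second; the function names and the sample bits are constructed for illustration.

```python
# Added example. Assumption: each 3-bit group is (d0, d1, d1), i.e. the third
# bit repeats the second; the post only says the third column is replicated.

def phase_scores(bits):
    """For each start offset 0..2, fraction of 3-bit rows whose 3rd bit equals the 2nd."""
    scores = []
    for phase in range(3):
        rows = [bits[i:i + 3] for i in range(phase, len(bits) - 2, 3)]
        hits = sum(1 for r in rows if r[2] == r[1])
        scores.append(hits / len(rows) if rows else 0.0)
    return scores

def strip_replicas(bits):
    """Align on the best-scoring phase, drop the replicated column, return (phase, data)."""
    scores = phase_scores(bits)
    phase = scores.index(max(scores))
    data = []
    for i in range(phase, len(bits) - 2, 3):
        data.extend(bits[i:i + 2])
    return phase, data

def reshape(bits, width=7):
    """Rows of `width` bits, as a bit editor would show them; a short tail is dropped."""
    return [bits[i:i + width] for i in range(0, len(bits) - width + 1, width)]

def replicate(data):
    """Build the 3-bit format from a data stream (used only to make the sample input)."""
    out = []
    for i in range(0, len(data) - 1, 2):
        out += [data[i], data[i + 1], data[i + 1]]
    return out

# Constructed 50Bd payload (28 bits), sent as 42 bits at 75Bd, with one stray
# leading bit so that the capture does not start on a group boundary.
PAYLOAD = [int(c) for c in "1011001011101000110101110010"]
CAPTURE = [0] + replicate(PAYLOAD)

if __name__ == "__main__":
    phase, data = strip_replicas(CAPTURE)
    print("scores per phase:", phase_scores(CAPTURE), "-> phase", phase)
    for row in reshape(data):
        print("".join(map(str, row)))
```

A wrong phase scores around 0.5 on an encrypted (random-looking) stream, so a clear 1.0 on one phase is what confirms the replicated column.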


7 May 2021

Canada's East Coast Navy STANAG-4481P broadcasts

STANAG-4481 PSK (4481-P) waveform carrying the KW-46 secured fleet broadcast of Canada's East Coast Navy. STANAG-4481P is basically a STANAG-4285 sub-mode which adopts a fixed 300 bps data rate and long interleaving. Like 4285, 4481-P is mostly used in NATO naval broadcasts because its repeated preamble makes it easy to maintain sync during long transmissions.

Fig. 1
Fig. 2 - x^31+x^3+1 m-sequence used to sync the receive KW-46 unit

Transmitter site is most likely the Naval Radio Station (NRS) of Newport Corner (NS). Both the NRS Newport Corner transmitter and NRS Mill Cove receivers were automated and are currently operated by HMCS Trinity at CFB Halifax [1].

Fig. 3 - TDoA results


[1] https://military.wikia.org/wiki/CFB_Halifax

3 May 2021

unid, and somewhat peculiar, 1200Bd BPSK

Cleaning up one of my hard disks I came across an old recording (year 2014) that had no comment file associated with it, so I decided to take a look at it and see what exactly it was. The recording consists of bursts of different lengths, each burst modulated with PSK2 at a symbol rate of 1200Bd: nothing particularly interesting except for its ACF and, consequently, its period. Indeed, the ACF results in 373.74 ms (Figure 1), which gives a period length of 448.5 bit (PSK2 @1200Bd), but after the differential decoding the bitstream shows an 897 bit length period, i.e. exactly double the value obtained using the phase detector.

Fig. 1 - 373.74ms ACF corresponding to a 448.5 bit length period

As you know, such a situation is typical of asynchronous framings that have a stop bit of 1.5 or 2.5 in length: for example, in the case of a 5N1.5 framing the bit editor groups two 7.5 bit frames into a single 15 bit pattern because it can't represent a length of half a bit. That's just what may happen here: the bit editor reshapes the bitstream to an 897 bit length period and draws two frames (Figure 2) consisting of two 100 bit sync sequences, each followed by a data block.

Fig. 2 - 897 bit period

However, note in Figure 2 that the lengths of the two data blocks are different (348 and 349 bit) while the sync sequences have a constant length of 100 bit. Looking at Figure 3, the synchronization patterns are left and right inclined for periods of length 488 and 489 bits respectively: that behavior may confirm the 448.5 bit frame as measured above.

Fig. 3 - inclined 100 bit patterns in 448 and 449 bit framings

Talking about it with my friend cryptomaster, we agreed on two possible hypotheses:

1) the length of the frame is 897 bit: the framing consists of two 100 bit sync sequences that are interspersed with two data blocks of 348 and 349 bit; the variable length of the two data blocks and the two sync patterns are a proper feature of this waveform;

2) the length of the frame is 448.5 bit: the framing consists of 100.5 bit for the sync sequence (possible, even if unlikely) followed by 348 bit for the data block.

In order to verify the second assumption, I set the speed of the PSK demodulator to a double value (2400Bd) so that the missing half bit, if any, would emerge. The resulting bitstream is shown in Figure 4: the period has the expected length of 1794 bit (2 × 897) and it's possible to see sync sequence patterns of 201 bit in length, i.e. just the extra bit that was missing.

Fig. 4 - 201 bit sequences in the bitstream @2400Bd

Indeed, the 1794 bit period is arranged as: | 201 bit sync  | 696 bit data | 201 bit sync | 696 bit data |;  since the speed of demodulation is doubled, dividing by 2 we get a 448.5 bit frame consisting of 100.5 bit for the sync sequence followed by 348 bit for data:

However, keep in mind that the above bitstream was obtained by forcing the demodulation speed to 2400Bd (instead of the effective 1200Bd) and then applying the differential demodulation: more observations are needed to confirm the 100.5 bit length of the sync sequence.

By the way, the 100 bit sequence may be de-scrambled by the polynomial x^7+x^4+1. Looking for a scrambler polynomial in the 201-bit sequence does not make sense given the way it was obtained.

Fig. 5 - x^7+x^4+1 polynomial
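
One way to check whether a candidate polynomial de-scrambles a captured sequence, covering both the x^7+x^4+1 case above and the x^31+x^3+1 m-sequence mentioned in the STANAG-4481P post; this is an added example, not the tool used for the figures. The function names, the tap convention (stated in the comments; the reciprocal polynomial covers the other one) and the sample sequences are assumptions constructed for illustration.

```python
# Added example: polynomials are tuples of exponents, e.g. x^7+x^4+1 -> (7, 4, 0).
# Assumed convention: a fitting sequence satisfies s[k] = XOR of s[k-e], e != 0.

def generate(exponents, seed, n):
    """Extend `seed` (length == degree) to n bits with the polynomial's recurrence."""
    lags = [e for e in exponents if e != 0]
    if len(seed) != max(exponents):
        raise ValueError("seed length must equal the polynomial degree")
    s = list(seed)
    while len(s) < n:
        bit = 0
        for e in lags:
            bit ^= s[-e]
        s.append(bit)
    return s[:n]

def descramble(bits, exponents):
    """Self-synchronising descrambler: out[k] = XOR of bits[k-e] over all exponents."""
    degree = max(exponents)
    out = []
    for k in range(degree, len(bits)):
        b = 0
        for e in exponents:
            b ^= bits[k - e]
        out.append(b)
    return out

def residual(bits, exponents):
    """Number of ones left after descrambling; 0 means the polynomial fits."""
    return sum(descramble(bits, exponents))

def matching(bits, candidates):
    """Candidate polynomials that reduce `bits` to all zeros."""
    return [p for p in candidates if len(bits) > max(p) and residual(bits, p) == 0]

# Constructed test sequences (not taken from the recordings).
SYNC_100 = generate((7, 4, 0), [1, 0, 0, 1, 0, 1, 1], 100)
MSEQ_31 = generate((31, 3, 0), [1] + [0] * 30, 400)
CANDIDATES = [(7, 1, 0), (7, 3, 0), (7, 4, 0), (7, 6, 0), (31, 3, 0), (31, 28, 0)]

if __name__ == "__main__":
    print("100-bit sync :", matching(SYNC_100, CANDIDATES))
    print("m-sequence   :", matching(MSEQ_31, CANDIDATES))
    noisy = list(SYNC_100)
    noisy[50] ^= 1  # one demodulation error spreads to one output bit per tap
    print("residual with one bit error:", residual(noisy, (7, 4, 0)))
```

On real captures the residual is rarely exactly zero: a small count, about one per polynomial term for each bit error, still points to the right polynomial, while a wrong one leaves roughly half the output bits set.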

Back to the signal, it's interesting to note that some bursts have a ~230ms preamble consisting of 8 x PSK2 1200Bd "pulses" (Figure 6): I don't know the reasons and what it can depend on; signal strength and fading seem to indicate that it is not an exchange of messages between two nodes or an ARQ mode.

Fig. 6