30 June 2021

unid FSK/MFSK SELCAL

6907.0 KHz (cf): unid SELCAL waveform spotted on 6907.0 KHz (cf),. The waveform consists of 40Bd/240 FSK idling part  followed by MFSK-36 40Bd/40 (likely the Id of called station).

Fig. 1
 
Fig. 2

https://disk.yandex.com/d/XlHhceBC9fLlvQ

26 June 2021

3G-HF "BW5 + 110A" combined waveform ...or just coincidence?

 

From 19 to 23 June I monitored interesting transmissions on 5091.5 KHz/USB that seem to use a kind of "combined" waveform which consists of FLSU BW5 waveform followed by 188-110A 300bps waveform. For what concerns the timing, the sendings occur each minute, they last about 31 seconds and are arranged in a way that resembles the circuit mode service of STANAG-4538. Starting from thursday 24, these broadcasts have not been repeated (at least until today).

Fig. 1 - ACFs  



As said, it seems that the data are sent using a transmission composed of two parts: a sequence of FLSU PDUs, which are transmitted using the BW5 burst waveform, and the payload data, transmitted using the 188-110A serial waveform. These two parts are transmitted contiguously with no dead time separating them (Figure 2).

Fig. 2 - framing

That kind of waveform (BW5 + 110A) is indeed very odd, unless I have been mistaken and it is an overlapping of two distinct transmissions... but it would still odd that the overlapping be so perfect and continuous for more than two days.  Anyway, if it's a real "combined" waveform then it's definitely a synthesized waveform (SDR).
For clarity - however - it must be said that:
a) BW5 waveform (and thus the FLSU protocol) has been detected by the examination of the signal's ACF and its payload;
b) the length (duration) of the initial BW5 sequence finds a clarification in this post;
c) BW5 waveform could also be used to transport other types of PDUs and not only the PDUs of the FSLU protocol.

data link protocol
The used data link protocol is also interesting: its initial structure consists of 32-bit (4 bytes) patterns which are common to all the payloads (Fig. 3):

192-bit idle sequences of reversals (alternating sequences of '0's and '1's)
10001011010001111000010010000111 (0xD1E221E1) sequence #1
01111011101101001011100010000111 (0xDE2D1DE1) sequence #2
11 bytes length data block
10001011010001111000010010000111
10001011010001111000010010000111

10001011010001111000010010000111 (5 x sequence #1)
10001011010001111000010010000111
10001011010001111000010010000111

(data block follows)

Fig. 3 - data link protocol after 188-110A removal

The two 4-byte sequences are not originated by polynomials and are likely used as sync patterns, although the five repetitions of the sequence #1 lead to think to an Initialization Vector; in my opinion, a such method could be risky in terms of security since the same IV sequence is used for all the forwarded messages (unless they are test transmissions and/or pseudo random traffic). Data blocks seem anyway encrypted.

Fig. 4 - details of the 32-bit structure of the data link protocol

The exact same structure and 32-bit sequences have already been detected in some recordings of 2018 (!): also in this case they were "plain" 188-110A transmissions forwarded in circuit mode service [4].

TDoA direction finding
The transmissions are fairly receivable only in the northern regions of Europe, more precisely I used KiwiSDRs in Norway and Denmark [1][2]: that's a sign that a low power transmitter is used or that they serve a local area. Just about the site of the transmitter,  all my direction findings point to a well-restricted area north from Oslo, Norway (Figure 5).

Fig. 5 - TDoA results

Norway has released an interactive map of all the military locations where it is forbidden to operate a drone [3]. All the markers indicate an area where it is illegal to take aerial photographs or video using a camera or any other type of sensors: in figure 6 I have cut out an area that more or less follows the area identified by the DF.

Fig. 6

remarks
Starting from June 22 the transmissions show a paradigm change, a bit more in line with the circuit service model of STANAG-4538: the structure of the used data-link protocol, anyway, remains unchanged. 

These transmissions raise several questions, the first being whether or not it is an experimental combined waveform (and therefore if they are test transmissions). It would also be interesting to identify the transmitter site with greater precision and - if anything - which data protocol is used.

https://disk.yandex.com/d/2I0bzM2nDShWGA
https://disk.yandex.com/d/kD-9y_TFkZoFqQ
https://disk.yandex.com/d/Bt2pIPxE-o6Udw

[1] LB3J SDR in Smøla, Norway http://77.223.174.203:8073/
[2] KiwiSDR by OZ1BFM in Vejby, DENMARK http://oz1bfm.proxy.kiwisdr.com:8073
[3] http://googlemapsmania.blogspot.com/2018/09/norways-secret-military-sites.html
[4]  https://i56578-swl.blogspot.com/2018/03/unid-32-bit-secondary-protocol.html

17 June 2021

a STANAG-4481F temporary channel activation?

Heard 75Bd/850 FSK transmissions (broadcasts?) on 6372.0 KHz CF until sunday 13th June, no transmission in the following days (at least until today). Transmissions were KW-46 secured and sourced most likely from Barford St.John USAF transmitter. Think of a temporary activation on the occasion of the G7 summit just in UK... is that too imaginative?

Fig. 1

Fig. 2
https://disk.yandex.com/d/e1BfYmNeUhHa1A

10 June 2021

Echotel 1810 and STANAG-4285, ie don't blindly trust decoders

It happened by chance to analyze a complete session of data exchange in MAHRS mode (ALE + traffic) while I had a STANAG-4285 decoder in active state on the desktop: to my surprise the decoder started printing out a bitstream though - as said - it was set for STANAG-4285 (Figure 1)

Fig. 1

Intrigued by that fact, I went to see the points that S4285 and MAHRS Echotel HF modem have in common enough to confuse the decoder, other than the obvious features such as speed (2400Bd) and modulation (PSK8).  

The first thing that stands out is the equality of the ACF values, Figure 2: 106.6 ms, or 256 symbols. Thus - in my opinion - it seems that the decoder in question (Sorcerer and therefore also K500) tries to identify a signal by analyzing its ACF: probably those kind of decoders have an internal table that allows this association.  

Fig. 2 - ACF values for STANAG-4285 and Echotel serial

The structure of the frames is anyway very different, unless the first 80-symbol preamble which is common to both the waveforms (Figure 3): S-4285 framing consists of an initial 80 symbol preamble followed by 4x32-symbols data segments and 3x16-symbol probes; Echotel framing consists of the initial 80 symbol preamble that is followed by a data block consisting of 176 data symbols. 

Fig. 3 - framing structure for STANAG-4285 and Echotel

As third common feature, both the 80-symbol preambles are modulated using BPSK: the pronounced BPSK states in the constellation plane of the Echotel 1810 signal are quite eloquent (Figure 4)

Fig. 4

STANAG-4285 is not an autobaud waveform so the decoding is based on the user settings, just for fun I played with some sub-modes even if - as obvious - the decoder can't find the expected known symbols (16-symbol probes). The best results, in terms of "confidence", were obtained by setting the bit rate to 2400 bps, obviously the corrections are equal to zero in the uncoded mode:

It must be said that this Echotel 1810 waveform is not the only S4285-like waveform, another example is the 2400Bd PSK-8 serial waveform from the THALES TRC-1752 modem (Thales Système 3000 family), although the latter is more properly defined as "variant".

Fig. 5 - THALES TRC-1752 STANAG-4285 variant
 

At the end, do not blindly trust decoders: they are not infallible and there is no magic wand; just open your wav files and analyze them.

4 June 2021

Three new fleet broadcast channels

Three new fleet broadcast channels spotted in these days, all STANAG-4481F:  

4987.0 KHz (cf) 50Bd from NSS Davidsonville
7455,5 KHz (cf) 75Bd from NSY Niscemi
7457.0 KHz (cf) 50Bd from NAU Isabela

All the the broadcast are KW-46 secured(!), although 75Bd/850 usually run KIV-7/KG-84 devices.

These and other recent catches seem to confirm a change in some transmission frequencies, mostly of 2000 Hz or , even stranger, of 1300 Hz. "There is currently a Navy exercise in progress off the east coast, so the shift may perhaps be supporting that effort or maybe to avoid interference or harmonics on other services at the sites", my friend Mike mco say.

I have updated the page related to the BRASS STANAG-4481F page, it is even more evident that all the transmissions that use the waveform 50Bd / 850 are protected with KW-46.

https://disk.yandex.com/d/XJVGUnkI4D4etg 

 

1 June 2021

188-110A, ACF lengths and interleaved blocks boundaries

MIL 188-110A, unlike other waveforms such as STANAG-4539  or STANAG-4285, does not always show the same ACF value as the data rate changes: it is mainly due to the variations of the frame structure (Table XIX) and the way it interacts with the length of the scrambling sequence. The corresponding periods lengths of the bit streams then make it possible to identify the interleaved block boundaries which in turn depend on the bit rate and the interleave delay (Long or Short). 

Fig. 1 - 188-110A Serial Tone blocks

Table X lists the interleaver matrix dimensions (rows and columns) that shall be allocated for each required bit rate and interleave delay.

The bits obtained from the interleaver matrix are grouped together as one-, two-, or three-bit entities that will be referred to as "channel symbols" (or - more simply - "symbols"): the number of bits that must be fetched per symbol is a function of the bit rate. 
The scrambler is feed with a number from 0 to 7 supplied by the data sequence randomizing generator, a 12 bit shift register with the initial state 101110101101 (0xBAD, hexadecimal). After 160 transmit symbols, the shift register is reset to 0xBAD and this sequence produces a periodic pattern 160 symbols in length.  

The interleaved blocks boundaries can be identified by looking carefully at the probes in the demodulated bit streams. As per MIL-STD 188-110: during the periods where known (channel probe) symbols are to be transmitted, the channel symbol formation output shall be set to 0 (000) except for the two known symbol patterns preceding the transmission of each new interleaved block. When those two known symbol patterns are transmitted, the 16 tribit symbols are set to Dl and D2, respectively, as defined in table XV and table XVII. 

2400 bps
Each data frame has a length of 48 symbols and consists of a data block consisting of 32 data symbols, followed by a probe consisting of 16 symbols of known data. Although the expected ACF is 20 ms, the actual value is 200 ms ie corresponding to a block of 10 frames (Figure 2). Since 10 frames contain 10×16 = 160 probe symbols, the 200ms ACF spikes are likely due to a kind of "resonance"  between the 160 probe symbols and the 160 symbols of the scrambing sequence.

Fig. 2 - 200 ms ACF for 110A 2400 bps

The short interleaver matrix for 2400 bps consists of 40 rows and 72 columns, ie a length of 2880 bit: that means that 960 tribit symbols will be fetched and transmitted as 30 data blocks (960:32); thus, one interlever block needs 30 frames to be transmitted. As you may see in Figure 3,  each three rows the patterns of the last two probes exhibit a discontinuity that is not present in the other probes: that's what we were looking for. Indeed - as seen abvove - 3 period rows contain 3×10 = 30 frames that just identify a single short interleaved block for the 2400 bps speed. The interleaver matrix is fetched  in 600 ms, ie  200 ms  × 3.

Fig. 3 - 2400 bps Short interleaver

A similar calculation can be verified for the long interleaver. In this case the interleaver matrix consists of 40 rows and 576 columns, ie a length of 23040 bit or 7680 tribit channel symbols. Since the 32 symbols length frame, one long interleaved block will be sent into 7680:32 = 240 frames, thus 24 rows (Figure 4). The interleaver matrix is fetched  in 4.8 s, ie  200 ms  × 24.

Fig. 4 - 2400 bps Long interleaver

1200 bps
In case of low data rates (from 150 up to 1200 bps) the data frames are structured as a 40-symbol pattern: each frame consisting of a data block consisting of 20 data symbols, followed by a probe consisting of 20 symbols of known data. The expected ACF value is then 16.67 ms, but the actual one is 66.67 ms ie four times greather (Figure 5). The reason is that four groups of the pairs data + probe  count 160 symbols (4×40) and they are just "in sync" with the scrambler length (160 symbols) causing the strong 66.67 ms ACF spikes of Figure 5.

Fig. 5 - 66.67 ms ACF for 110A 1200 bps

The short interleaver matrix consists of 40 rows and 36 columns, ie a length of 1440 bit: that means that 720 dibit symbols will be fetched and transmitted as 36 data blocks (720:20); thus, one interlever block needs 36 frames to be transmitted.  Nine period rows are indeed the boundary of a single short interleaved block (Figure 6).

Fig. 6 - 1200 bps Short interleaver

The long interleaver matrix consists of 40 rows and 288 columns, ie a length of 5760 dibit symbols that will be fetched and transmitted as 288 data blocks (5760:20); thus, 288:4 = 72 period rows is the boundary of each long interleaved block (Figure 7).

Fig. 7 - 1200 bps Long interleaver

600-150 bps
The short interleaver matrix for 600-150 bps consists of 40 rows and 18 columns. Given that only one-bit per channel symbol is fetched, a single short interleaved block will be trasmitted as (40×18):20 = 36 frames. The boundaries of the short interleaved blocks are clearly visible each 9 rows in the usual 480-bit/4-frame period (Figure 8). 

Fig. 8 - 600-150 bps Short interleaver

The long interleaver matrix for 600-150 bps consists of 40 rows and 144 columns. Given that only one-bit per channel symbol is fetched, a single long interleaved block will be trasmitted as (40×144):20 = 288 frames. By grouping the bit stream in a 8-frame period, the boundaries of the long interleaved blocks are clearly visible each 36 rows (Figure 9).

Fig. 9 - 600-150 bps Long interleaver

As a last thought consider that since the bit streams come from demodulating the on-air signals, we see the "coded" data rate and not the actual "input" data rate... FEC coding is still there.