26 June 2021

3G-HF "BW5 + 110A" combined waveform ...or just coincidence?


From 19 to 23 June I monitored interesting transmissions on 5091.5 kHz/USB that seem to use a kind of "combined" waveform consisting of the FLSU BW5 waveform followed by the 188-110A 300bps waveform. As for the timing, the transmissions occur each minute, last about 31 seconds and are arranged in a way that resembles the circuit mode service of STANAG-4538. Starting from Thursday 24, these broadcasts have not been repeated (at least until today).

Fig. 1 - ACFs

As said, it seems that the data are sent using a transmission composed of two parts: a sequence of FLSU PDUs, which are transmitted using the BW5 burst waveform, and the payload data, transmitted using the 188-110A serial waveform. These two parts are transmitted contiguously with no dead time separating them (Figure 2).

Fig. 2 - framing

That kind of waveform (BW5 + 110A) is indeed very odd, unless I have been mistaken and it is an overlap of two distinct transmissions... but it would still be odd that the overlap is so perfect and continuous for more than two days. Anyway, if it is a real "combined" waveform then it is definitely a synthesized waveform (SDR).
For clarity, however, it must be said that:
a) the BW5 waveform (and thus the FLSU protocol) has been detected by examination of the signal's ACF and its payload;
b) the length (duration) of the initial BW5 sequence is explained in this post;
c) the BW5 waveform could also be used to transport other types of PDUs and not only the PDUs of the FLSU protocol.

data link protocol
The data link protocol used is also interesting: its initial structure consists of 32-bit (4-byte) patterns that are common to all the payloads (Fig. 3):

- 192-bit idle sequence of reversals (alternating '0's and '1's)
- 10001011010001111000010010000111 (0xD1E221E1), sequence #1
- 01111011101101001011100010000111 (0xDE2D1DE1), sequence #2
- 11-byte data block
- 10001011010001111000010010000111, repeated five times (5 x sequence #1)
- (data block follows)

Fig. 3 - data link protocol after 188-110A removal

The two 4-byte sequences are not generated by polynomials and are likely used as sync patterns, although the five repetitions of sequence #1 suggest an Initialization Vector; in my opinion, such a method could be risky in terms of security since the same IV sequence is used for all the forwarded messages (unless they are test transmissions and/or pseudo-random traffic). The data blocks seem encrypted anyway.

Fig. 4 - details of the 32-bit structure of the data link protocol
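As an added illustration (not code from the original post), the following parser splits a demodulated bit string into the Fig. 3 structure and checks that the two sync sequences are read with the bit ordering that gives the hex values quoted above (each byte LSB first). The sample burst is constructed, not captured data, and the 11-byte block and payload bytes in it are placeholders.

```python
from dataclasses import dataclass

SEQ1 = "10001011010001111000010010000111"  # sequence #1 of Fig. 3
SEQ2 = "01111011101101001011100010000111"  # sequence #2 of Fig. 3

def bits_to_bytes(bits: str) -> bytes:
    """Pack bits into bytes, reading each 8-bit group LSB first: this is the
    ordering under which the two sequences read 0xD1E221E1 and 0xDE2D1DE1."""
    if len(bits) % 8:
        raise ValueError("bit string is not byte aligned")
    return bytes(int(bits[i:i + 8][::-1], 2) for i in range(0, len(bits), 8))

def bytes_to_bits(data: bytes) -> str:
    """Inverse of bits_to_bytes; used here only to build the constructed sample."""
    return "".join(format(b, "08b")[::-1] for b in data)

def to_hex(bits: str) -> str:
    return "0x" + bits_to_bytes(bits).hex().upper()

@dataclass
class Frame:
    idle_bits: int   # length of the leading reversal (0101...) run
    block: bytes     # the 11-byte block between sequence #2 and the 5 x sequence #1
    payload: bytes   # whatever follows the five repetitions (whole bytes only)

def parse_frame(bits: str) -> Frame:
    """Split one demodulated (post-110A) bit string into the Fig. 3 structure,
    rejecting anything that deviates from the fixed preamble."""
    start = bits.find(SEQ1)
    if start < 0:
        raise ValueError("sequence #1 not found")
    idle = bits[:start]
    if any(idle[i] == idle[i + 1] for i in range(len(idle) - 1)):
        raise ValueError("leading section is not a pure reversal sequence")
    pos = start + 32
    if bits[pos:pos + 32] != SEQ2:
        raise ValueError("sequence #2 does not follow sequence #1")
    pos += 32
    block, pos = bits[pos:pos + 88], pos + 88          # 11 bytes = 88 bits
    if bits[pos:pos + 160] != SEQ1 * 5:
        raise ValueError("five repetitions of sequence #1 missing")
    pos += 160
    payload = bits[pos:len(bits) - (len(bits) - pos) % 8]  # drop a trailing partial byte
    return Frame(len(idle), bits_to_bytes(block), bits_to_bytes(payload))

# Constructed sample burst (not captured data): 192 reversals, the two sync
# sequences, a placeholder 11-byte block, 5 x sequence #1, then 8 payload bytes.
SAMPLE = ("01" * 96 + SEQ1 + SEQ2 + bytes_to_bits(bytes(range(1, 12)))
          + SEQ1 * 5 + bytes_to_bits(bytes(range(0xA0, 0xA8))))
```

Running `parse_frame(SAMPLE)` returns the 192-bit idle length, the 11 placeholder block bytes and the 8 payload bytes; any burst whose fixed preamble differs is rejected, which is a cheap way to confirm that every captured message really carries the same constant header.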

The exact same structure and 32-bit sequences had already been detected in some recordings from 2018 (!): in that case too they were "plain" 188-110A transmissions forwarded in circuit mode service [4].

TDoA direction finding
The transmissions are only reasonably receivable in the northern regions of Europe; more precisely, I used KiwiSDRs in Norway and Denmark [1][2]: that is a sign that a low-power transmitter is used or that they serve a local area. As for the site of the transmitter, all my direction findings point to a well-restricted area north of Oslo, Norway (Figure 5).

Fig. 5 - TDoA results

Norway has released an interactive map of all the military locations where it is forbidden to operate a drone [3]. All the markers indicate an area where it is illegal to take aerial photographs or video using a camera or any other type of sensor: in Figure 6 I have cut out an area that more or less follows the area identified by the DF.

Fig. 6

remarks
Starting from June 22 the transmissions show a paradigm change, a bit more in line with the circuit service model of STANAG-4538; the structure of the data-link protocol used, however, remains unchanged.

These transmissions raise several questions, the first being whether or not it is an experimental combined waveform (and therefore whether they are test transmissions). It would also be interesting to identify the transmitter site with greater precision and, if possible, which data protocol is used.

https://disk.yandex.com/d/2I0bzM2nDShWGA
https://disk.yandex.com/d/kD-9y_TFkZoFqQ
https://disk.yandex.com/d/Bt2pIPxE-o6Udw

[1] LB3J SDR in Smøla, Norway http://77.223.174.203:8073/
[2] KiwiSDR by OZ1BFM in Vejby, DENMARK http://oz1bfm.proxy.kiwisdr.com:8073
[3] http://googlemapsmania.blogspot.com/2018/09/norways-secret-military-sites.html
[4] https://i56578-swl.blogspot.com/2018/03/unid-32-bit-secondary-protocol.html
