28 July 2021

an interesting start of a CIS-75 transmission

Interesting CIS-75 75Bd/250 FSK heard on 6404.0 kHz (cf): the encrypted data are preceded by a sync sequence of reversals that - according to my measurements - is sent at the speed of 100Bd. My friend cryptomaster suggested that the 100Bd are actually the 50Hz taken from the AC mains. Given the instability, it can be assumed that the equipment is operated "in the field" and that this is associated with the instability of the autonomous power supply.

Fig. 1

TDoA runs indicate the Kaliningrad Oblast (Kaliningradskaja oblast) as a possible location of the Tx (figure 2).

Fig. 2


26 July 2021

playing with Arduino and a 12-bit LFSR


The circuit is just a test of the operation of the 12-bit LFSR x^12+x^6+x^4+x+1 used in 188-110A serial tone modems, in view of its full implementation; its software simulation has already been seen in a previous post, to which I refer for further insights. The 12 flip-flops and the 3 XOR gates implement the "one-to-many" configuration, according to the 188-110A standard. Since the 74xx374 does not provide asynchronous preset/clear inputs, the LFSR is a "free runner", that is, it is not reset to a certain initial state (seed) after n cycles; therefore all the circuits related to loading the initial pattern (0xBAD) are missing.

Pinning and logic circuit (connections) are shown in figure 2: the electrical connections (+/- 5V power) are omitted, and the connections to the pins of the Arduino board are indicated (note that I used an ATmega 2560 board, so you will have to change connections and code if you use a different board).

Fig. 2 - logic connections and pinning

The 220 ohm resistor and the blue LED on the clock line, visible in the photo, are not shown in the circuit diagram: they just show the clock pulses... obviously only at a very low clock speed.

The code of the sketch is quite simple: I just used a random number generator to simulate symbols 0-7 from the Modified-Gray Decoder (MGD) and an 8x8 array to perform the scrambling: the tribit number supplied by the random number generator is added modulo 8 (mod8[LFSRsymbol][randSymb]) to the three-bit value supplied by the LFSR (pins 53,51,49). Results are written into a buffer which is then sent to the serial port (figure 3).

Fig. 3

The 74HC374 is an octal positive-edge triggered D-type flip-flop with 3-state outputs (the second 74HC374 is half used, i.e. it provides only 4 flip-flops). The device features clock (CP) and output enable (OE) inputs. The flip-flops will store the state of their individual D-inputs that meet the setup and hold time requirements on the LOW-to-HIGH clock transition. A HIGH level on OE causes the outputs to assume a high-impedance OFF state (the OE input does not affect the state of the flip-flops). The 74HC86 is a quad 2-input EXCLUSIVE-OR gate used to form the feedback chain.


22 July 2021

SCS/ALE: a 2G ALE Modem/Controller for DR-7400 and DR-7800 P4 modems


The SCS/ALE controller (2G MIL 188-141 ALE) supports two modes: ALE/PACTOR (see the video below) and full stand-alone ALE. In ALE/PACTOR mode, existing PACTOR software needs to know nothing about ALE. The PACTOR Connect request is turned into an ALE Linking Call which, should it fail, results in the modem telling the PACTOR software that the PACTOR Connect failed. If the ALE Link is achieved, the PACTOR Connect process proceeds. After the PACTOR is complete, the ALE Link is cleared and ALE Scanning resumes. Thus no modification of existing PACTOR software is required for ALE front-end operation. The Bluetooth option must be installed to have full ALE operational awareness when in ALE/PACTOR mode.


In stand-alone ALE one can use PACTOR or AMD messaging, or any external modem, since the DR-7800 series modems provide an external modem sense PTT line to reset the ALE Link timeout. The MS110A hardware or MS-DMT software modems can be used. To use PACTOR the Bluetooth option is required.
In addition, many more HF transceivers used in MARS and SHARES have been added by reusing source code from the MARS-ALE Radio Control Library, where simple split VFO is applied where needed for ALE Quiet Scanning, dropping out of split for TX. PA relay bypass commands are used where applicable. No other external ALE controller on the market takes these steps.

Thanks to my friend Steve Hajducek from "MIL-STD tools for MARS Multimedia Library" group:

19 July 2021

tools to generate 188-110A channel probes... and not only them

I recently checked the 188-110A transmissions - referred to in this post - characterized by a secondary protocol not (yet) identified; the purpose was to verify whether in the meantime some novelties had intervened such as to shed more light on the protocol itself: the attempt, however, was unsuccessful... though I paid more attention to the 188-110A channel probe patterns. After demodulating the signal, the channel probes do not show regular (known) patterns as they should, according to what is indicated in the documentation and looking at a synthesized waveform (figure 1).

Fig. 1 - synthesized and real-world 188-110A 2400bps

During the periods where channel probe symbols are to be transmitted, the channel symbol formation output is set to 0 (000) except for the two known symbol patterns D1 and D2 preceding the transmission of each new interleaved block. The symbol formation output is then scrambled with the three bits supplied by the randomizing generator, a 12-bit shift register with the functional configuration shown in figure 2.
The shift register is pre-loaded with the initial pattern 101110101101 or 0xBAD and advanced eight times. Since the shift register is reset after 160 transmit symbols, every 480 transmit symbols the scrambler will produce the same ten patterns for the 16-symbol channel probes.

Fig. 2 - 188-110A randomizing generator

As you can see, the patterns are so alternating that it looks like an artificial "variation", even if this "effect" is due to poor signal reception (mostly fading). The bitstreams of figure 1 are obtained at the output of a generic PSK8 demodulator (SA), so I don't know exactly how a specific demodulator for 188-110A reacts to such sequences of the channel probes; probably it does not lose the synchronism ... even if some doubts arise about the exact demodulation of the signal (thank goodness that FEC exists).

However, I have decided to spend some time examining the sequences generated by this circuit. As shown in figure 2, the randomizing generator implementation is an x^12+x^6+x^4+x+1 LFSR converted into its "one-to-many" counterpart, i.e. the most significant bit is fed back directly into the least significant bit, and is also individually XORed with the other bits 6,4,1. Notice that using this style means that there is never more than one level of combinational logic in the feedback path, irrespective of the number of taps being employed in the traditional "many-to-one" implementation (increasing the levels of logic in the combinational feedback path can negatively impact the maximum clocking frequency).
At first I used two excellent "software" simulators: the first for PC - LFSR testbench, figure 3 [1] - the second for Samsung Android tablet - Logic Simulator pro, figure 4 [2]. As soon as possible - or as soon as I recover the missing components - I will try a hardware simulation using my Arduino board.

Fig. 3 - LFSR Testbench simulating the sequence randomizing generator

Fig. 4 - Logic Simulator PRO simulating the sequence randomizing generator

These two tools are very interesting and also useful for simulating LFSRs that are used for sync sequences or scramblers; give them a try.
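The randomizing generator described above, and wired up in the 26 July Arduino post, as an added example in C (not code from this blog or from the standard): it measures the period of the free-running one-to-many LFSR and checks that the scrambled channel probes cycle through ten patterns every 480 symbols. The 32-data/16-probe frame layout, eight clocks per symbol, the tribit being read from the three lowest stages, and ignoring the D1/D2 patterns are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SEED  0xBADu  /* initial pattern 101110101101 */
#define RESET 160     /* seed is reloaded every 160 transmit symbols */
#define DATA  32      /* assumed 2400 bps frame: 32 data symbols ... */
#define PROBE 16      /* ... followed by a 16-symbol channel probe */
#define FRAME (DATA + PROBE)
#define MAXFR 40      /* upper bound on frames examined */

/* One clock of the one-to-many LFSR for x^12+x^6+x^4+x+1: stage 11 feeds
   stage 0 and is XORed into the inputs of stages 6, 4 and 1 (mask 0x053). */
static uint16_t lfsr_step(uint16_t s) {
    uint16_t fb = (s & 0x800u) ? 0x053u : 0u;
    return (uint16_t)(((s << 1) & 0xFFFu) ^ fb);
}
/* Clocks until a free-running register comes back to the seed. */
int lfsr_period(void) {
    int n = 1;
    for (uint16_t s = lfsr_step(SEED); s != SEED; s = lfsr_step(s)) n++;
    return n;
}
/* Scrambler tribits for n symbols: 8 clocks per symbol, tribit read from
   the three lowest stages (assumed), seed reloaded every RESET symbols. */
void scrambler(uint8_t *out, int n) {
    uint16_t s = SEED;
    for (int i = 0; i < n; i++) {
        if (i % RESET == 0) s = SEED;
        for (int k = 0; k < 8; k++) s = lfsr_step(s);
        out[i] = (uint8_t)(s & 7u);
    }
}
/* Distinct on-air probes in `frames` frames; probe data 000 => on-air = scr. */
int distinct_probes(int frames) {
    static uint8_t scr[FRAME * MAXFR], seen[MAXFR][PROBE];
    int n = 0, j;
    if (frames > MAXFR) frames = MAXFR;
    scrambler(scr, frames * FRAME);
    for (int f = 0; f < frames; f++) {
        const uint8_t *p = scr + f * FRAME + DATA;
        for (j = 0; j < n && memcmp(seen[j], p, PROBE) != 0; j++) {}
        if (j == n) memcpy(seen[n++], p, PROBE);
    }
    return n;
}
int main(void) {
    printf("LFSR period: %d clocks\n", lfsr_period());
    printf("probes in 10/30 frames: %d/%d\n", distinct_probes(10), distinct_probes(30));
    return 0;
}
```

With these frame sizes the probe of frame k starts at scrambler offset (48k+32) mod 160, which visits every multiple of 16 from 0 to 144 once per ten frames, so the ten probe patterns are the ten 16-symbol slices of the 160-symbol scrambler sequence.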

[1] https://www.fpga4fun.com/files/LFSRTestbench.zip
[2] https://logic-circuit-simulator-pro.it.aptoide.com/app

7 July 2021

unid STANAG-4539 3200bps bursts

Interesting and unid STANAG-4539 bursts recorded on 5270.0 kHz/usb. The user data rate is 3200 bps and is obtained using QPSK modulation; the short interleaver is used. Notice that the quadrature phase-shift keying constellation is scrambled to appear, on-air, as a PSK8 constellation. The bursts have a duration of 1350 ms, each transports nine 256-symbol data blocks, and they do not seem to obey a particular timing.

Fig. 1 - S4539 3200bps waveform

The bitstreams after demodulation have a common preamble consisting of three components (Figure 2):

a) idle sequences of '0's and '1's (depending on the polarity of the receive modem)
b) initial 334-bit (frame sync?) sequence
c) 128-bit Initialization Vector, repeated three times (3x128-bit)

Encrypted data blocks follow.

Fig. 2 - COMSEC preambles

The most interesting component is the 334-bit sync sequence that has a particular 24-bit period and - as a mere attempt - I found that it could be generated by the polynomial x^21+x^10+1.

Fig. 3 - 334-bit sync sequence

By the way, MIL 188-220D describes the three components which compose the initial COMSEC preamble: the Bit Synchronization subfield or the Phasing subfield (it may consist of a string of alternating ones and zeros), the Frame Synchronization subfield, and the Initialization Vector subfield (Figure 4); it must be said, anyway, that the Bit Synchronization patterns do not match. Notice that Figure D3 illustrates the case where the Robust Frame Synchronization is not used (see 188-220D #D.5.2.2).

Fig. 4

User, purposes of the transmissions, and Tx location(s) are unidentified; the only thing I can add is that the best reception is possible using receivers located in northern European countries: by the way, I used two KiwiSDRs located in Denmark [1] and Norway [2].


[2] http://kiwi.wlansupport.no:8073/

1 July 2021

8N1 async operations

8N1 async operations using STANAG-4285 and 110A Serial modems (1200bps/S, 1200bps/L respectively) recorded on the 6.9 MHz band, the first likely from Turkey. After the removal of the framing, the 8-bit streams are not in clear text and are therefore (off-line) encrypted.

Fig. 1 - STANAG-4285 user data
Fig. 2 - 110A ST user data