25 November 2021

HARRIS PSK8 2400 Bd Digital Voice, an autobaud waveform?

Discussing with my fiend ANgazu about the HARRIS Digital Voice waveform (see this post), it turns out that likely that waveform is designed to provide the autobaud feature which is coded - in our opinion - in its initial header just before the normal frames' structure. As shown in figure 1, the "presumed" autobaud header consists of 8 frames each with a duration of 13.3 ms and a length of 32 bit (given the PSK2 modulation at 2400 Bd) for a total length of 256 bit. The synchronization functions would then be performed by the preamble sequences which are transmitted every 106.6 ms.  The autobaud function it may be necessary  since, according to the RF-5800 data sheet, the narrowband digital voice mode may use MELP and LPC-10 algorithms at 2400 and 600 bps.

Fig. 1 - the presumed autobaud header

Moreover, looking at the bitstream of an entire session (figure 2) it can be argued that the shorter segments are used for the management of the voice-link (ARQ mode); selcall, link setup and link closure are performed by the HARRIS specific waveform.

Fig. 2

19 November 2021

Harris RF-5800 Digital Voice PSK8 serial waveform (yet another 106.6 ms ACF)

A friend of mine sent me these signals consisting of a complete session utilizing the Harris 600/2400 bps Digital Voice (DV) mode:

1- selcall & link setup
2- 600/2400 bps vocoder PSK segments
3- link terminate

Fig. 1 - Harris Digital Voice mode session

Selcall is quite clear:  it's an MSK/OQPSK modulation at 2000 Baud speed, followed by short MFSK-8 125 Baud in non-standard MS-188-141A fomat, ACF is 50 ms (100 bit) and the resulting bitstream is characterized by the presence of the usual pattern (figures 2a, 2b).

Fig. 2a - Harris selcall MSK/OQPSK part

Fig. 2b - Harris selcall MFSK segment part

The VD mode PSK8 serial waveform is used only when a voice link is selected, although it also allows data to be sent over the same link; both data and voice are secured with Citadel encryption. Its ACF is the quite common 106.6 ms and that causes false-positive STANAG-4285 detections by decoders. As shown in figures 3a 3b, each frame consists of 256 tribit symbols, according to SA raster and bitstream each frame consisting of 66 sync sequence symbols (instead of 80 as in other similar 106.6 ACF waveforms), followed by a data block consisting of 190 symbols. The sync sequence is transmitted recurrently every 106.6 ms and uses PSK2 modulation.

Fig. 3a - Harris VD PSK8 serial

Fig. 3b - Harris VD framing

From Harris RF-5800 datasheet: "The digital voice mode utilizes the latest military MELP and LPC-10 algorithms for high-quality secure narrowband voice at 2400 bps. The Harris 600 bps vocoders extend the communication range beyond conventional 2400 bps systems." [1]

About the 106.6 ms ACF waveforms (figure 4), as said here, it seems that decoders such as Sorcerer and therefore also K500 try to identify a signal by measuring its ACF and comparing it against an internal table that allows the identification: likely, the length of the ACF and the initial PSK2 sync sequence mislead the decoders which consequently give a false positive STANAG-4285 id.

Fig. 4 - some common 106.6 ms ACF waveforms


[1] https://disk.yandex.com/i/sFOl3aX98-d6SQ


16 November 2021

CIS OFDM-121 system


Unid Russian OFDM-121 system recently heard on 11071.0 KHz (CF) until monday morning, frequency spacing between channels is 25 Hz, symbol rate in channels is 21 Baud, the used modulation seems to be a form of PSK4. As from figure 1, not all of the 121 available channels are used and it's possible to note a different arrangement of the channels in different days. The modulation used in the 2400Bd bursts preceeding the OFDM segments remains to understand, although there is a prevalence of PSK2 blocks.

Fig. 1

For what concerns the 2400Bd bursts which preceede the OFDM segments, I could not get a clean constellation; anyway looking at SA phase detector and 2nd order harmonics (figure 2), I think it is some kind of PSK4 modulation.
Fig. 2 - 2nd order harmonics, phase detector e constellation
The ACF has a 20ms value (figure 3) that makes 48 over-the-air symbols per frame, each frame apparently consisting of 32 unknown data symbols followed by 16 known symbols.
Fig. 3 - 2400Bd bursts framing

Apparently, this is one of the command and control systems and is associated with the recent military exercises in Belarus. Direction Finding indicate the Moscow area as Tx site location, as shown in figure 3.

Fig. 3


4339.8 KHz, an occasional French-Ny fleet broadcast FSK channel ?

On Sunday evening I came across an FSK 50Bd/850 transmission on 4339.8 KHz (CF): first time I have ever seen a S-4481 on this frequency, usually occupied by French Navy fleet broadcast in STANAG-4285 from FUG Saissac on 4338.0 KHz (// 4325.0 Khz). The dozens of DF tests carried out have all indicated the same FUG site as the location of the transmitter, while the analysis of the bitstream revealed the use of KW-46 encryption which is normally used in NATO 50Bd/850 FSK fleet-broadcast.
Actually I expected to find the classic 21-bit pattern, typical of domestic broadcast, even if 4339.8 is not among the FSK channels used by the French navy (see here).  I thought about a new FSK channel, but in subsequent monitoring the frequency has always resulted to be occupied by STANAG-4285 transmissions.
It's interesting to note that the same frequency/mode appears only once in the UDXF logs, precisely on March 21  of this year and only nighttime: coincidentally this too during the night between Sunday and Monday.  

Fig. 1 - STANAG-4285 & 50Bd/850 FSK both KW-46 secured from FUG

Fig. 2 - 4339.0 KHz FSK Direction Findings (TDoA algorithm)


10 November 2021

unid PSK8 2400Bd burst waveform

Unid PSK8 2400 Baud burst waveform spotted on 10557.0 KHz (CF) by using OZ1AEF KiwiSDR (Skanderborg, Denmark). ACF value is 293.4 ms, which makes a period length of 704 tribit symbols or 2112-bit length frames (figs 1,2). The resulting bitstream after demodulation does not have a well defined structure formed by known/unknown data blocks,  it could be a Walsh modulation but it is only a guess.

Fig. 1
Fig. 2

As a test I tried to analyze the bursts using a STANAG-4538 demodulator and surprisingly the decoder reacts but only to the first 700ms of each burst by identifying a 256 symbols initial segment (!) and a subsequent block of data (960 symbols only), even if not identifying any of the xDL traffic waveforms that it knows (BW1-BW7) and thus reporting the phase positions only:


The period of the data bitstream is however in contrast to the value measured by the ACF (figure 3) but it could due to the short segment which is recognized and demodulated (700ms) and by now I still prefer to rely on SA.

Fig. 3

The shorter burts like those in figure 4 are instead recognized as BW0 waveform, Robust Link Setup RLSU protocol (1), although the latter has a slightly shorter duration, and then decoded:


Fig. 4

Regarding the initial segment of 256 symbols, mentioned above, it's important noting that the bursts of the BW0, BW1, BW4, and BW5 waveforms begin with 256 “throwaway” symbols that are sent while the transmitter level control and receiver AGC are settling (the so-called TLC/AGC guard sequence); this is probably the reason of the STANAG-4538 false-positives detections.

Despite this, I think that the similarity with the burst waveforms of STANAG-4538 should be taken into consideration in view for further insights and analysis of these signals.


(1) robust burst waveform 0 (BW0) is used by the robust link setup (RLSU) protocol and carries a payload of 26 protocol bits

6 November 2021

a note about CIS Navy FSK (T-600)

My friend Nicola, whom I thank for the collaboration, reported to me an inaccuracy in the post of April 16, 2021 "CIS Navy FSK 50Bd/250 (T-600)", more precisely regarding the 44-bit sequence which is sent after the reversals:


The 44-bit sync sequence is in fact a 42-bit sequence (six 7-bit characters). The reason is that the transition from idle to traffic condition is signalled by a violation of the bit reversal structure so that a '1' is inserted instead of a '0' when the systems transits to traffic condition, ie the end is '...0101011' and not '01010' as given in my post (figure 1). That initial sync sequence of six 7-bit characters is also a violation of the 4:3 ratio. This ensures that sync is reliable. To use violation as signalling is quite common in many protocols, e.g. Ethernet LAN protocols.

Fig. 1

Generally speaking, one should notice that 'primitive' block protocols as the ones used by the Russian Navy will have this general structure:
- Call and acknowledgement provided by morse coded session
- Bit sync provided by bit reversals with or without a final violation
- Character sync provided by an initial Unique Word (or sync sequence, the designation is a matter of semantics)
- Possibly, but not necessarily a header (address, length, type of message etc.)
- Data, including possible initialization vectors or session keys
- End-of-Message
- End-of-Transmission, which could be provided by yet another morse session

3 November 2021

again about crypto devices with (5x) 128-bit Initialization Vectors

Recently in the list of the UDXF group a log of the UTE listener howardhawks (HH) appeared about transmissions of the Royal Navy of Oman (RNO) in 110A 1200bps/S mode on 8403.0 KHz/USB: nothing special except the use of encryption with 128-bit length initialization vectors, as indicated by KarapuZ in his comments to the message. This fact intrigued me and, since I have already met crypto systems that use initialization vectors of equal length and with the same format (ie five times repeated) [1], I decided to monitor those transmissions and collect some recordings to compare with other similar ones stored in my hard disks, ie:

- STANAG-4285 from Croatia (TDoA), recorded on January 2020 (*)
- 110A and STANAG-4539 attribute to the Swiss Emergency Network, recorded on October 2017 (*)

The bitstreams after demodulation of the above signals are shown all together in Figure 1:

Fig. 1 - COMSEC preambles using 5x128-bit length IVs

As you can see, the three COMSEC preambles - highlighted in figure 1 - have the same pattern, regardless of polarity:

  • 000110000100000111000101111001011011101101001001011111010101 60-bit length frame sync
  • 128-bit (16 bytes) sized Initialization Vector (5x)
  • 0101010101010101010101010101010101010101010101010101010101010101 64-bit length phasing/idling sequence

I don't know if it's an external COMSEC devices (ie standalone equipment such as KG-84) or communications equipment with built-in COMSEC, the fact is that the preambles are the same and this leads me to think that the above  transmissions - coming from three different countries/organizations - are secured by the same COMSEC device. In this respect, it would be important to know which providers of communication equipments the above users have in common.

By the way, signals gathering has been possible thanks to the KiwiSDRs operated by Kuwait Amateur Radio Society [2]. Transmissions on 8403.0 KHz, at least those listened to, mainly consist of voice calls/radio-checks and short exchanges of  messages using as mentioned 188-110A in 1200bps/S mode. Unlike other HF networks, neither 188-141A or some other ALE system is used for link setup so it is assumed that the nodes are simultaneously listening on the same frequency and responding when called by the net control station (callsign F4). Stations mentioned in traffic on this net so far include H5R, O5H, R7N, W6J, W3M, O3P and G9I, as well as vessels RNOV Al Mubshir S11, RNOV Al Seeb Z20, Shabab Oman II (thanks to the logging by howardhawks).


(*) 188-110A and STANAG-4285 modems show a slightly modified waveform due to the addition of 4 unmodulated initial tones

[1] https://i56578-swl.blogspot.com/p/initialization-vectors.html
[2] http://9k2ra-2k.proxy.kiwisdr.com:8073