25 November 2021

HARRIS PSK8 2400 Bd Digital Voice, an autobaud waveform?

Discussing with my fiend ANgazu about the HARRIS Digital Voice waveform (see this post), it turns out that likely that waveform is designed to provide the autobaud feature which is coded - in our opinion - in its initial header just before the normal frames' structure. As shown in figure 1, the "presumed" autobaud header consists of 8 frames each with a duration of 13.3 ms and a length of 32 bit (given the PSK2 modulation at 2400 Bd) for a total length of 256 bit. The synchronization functions would then be performed by the preamble sequences which are transmitted every 106.6 ms.  The autobaud function it may be necessary  since, according to the RF-5800 data sheet, the narrowband digital voice mode may use MELP and LPC-10 algorithms at 2400 and 600 bps.

Fig. 1 - the presumed autobaud header

Moreover, looking at the bitstream of an entire session (figure 2) it can be argued that the shorter segments are used for the management of the voice-link (ARQ mode); selcall, link setup and link closure are performed by the HARRIS specific waveform.

Fig. 2

22 November 2021

THALES Robust MFSK-8, TRC-1752 STANAG-4285 FEC, STANAG-4539


Interesting sessions recorded some days ago on 9072.0 KHz (CF) consisting of an initial THALES Robust MFSK-8 session followed by THALES TRC-1752 STANAG-4285 + STANAG-4539 encrypeted traffic, the latter used in QAM-16 6400bps mode (figure 1).The MFSK-8 waveform uses the same tone library as 188-141A/B 2G ALE but callsigns are limited to a maximum length of 2 figures only and can also be used as a robust-data mode. Aurally and visually it is easily mistaken for a normal ALE since the 250 Hz spaced eight tones and 125Bd speed. 
 
Fig. 1

Direction Finding tests, TDoA method,  point to center of France as shown below in figure 2:
 
Fig. 2 - Direction Finding tests

It must be said that the TRC-1752 modem is a bit old and therefore has probably been replaced by the new TRC-177x multi-mode modems.


19 November 2021

Harris RF-5800 Digital Voice PSK8 serial waveform (yet another 106.6 ms ACF)

A friend of mine sent me these signals consisting of a complete session utilizing the Harris 600/2400 bps Digital Voice (DV) mode:

1- selcall & link setup
2- 600/2400 bps vocoder PSK segments
3- link terminate

Fig. 1 - Harris Digital Voice mode session

Selcall is quite clear:  it's an MSK/OQPSK modulation at 2000 Baud speed, followed by short MFSK-8 125 Baud in non-standard MS-188-141A fomat, ACF is 50 ms (100 bit) and the resulting bitstream is characterized by the presence of the usual pattern (figures 2a, 2b).

Fig. 2a - Harris selcall MSK/OQPSK part

Fig. 2b - Harris selcall MFSK segment part

The VD mode PSK8 serial waveform is used only when a voice link is selected, although it also allows data to be sent over the same link; both data and voice are secured with Citadel encryption. Its ACF is the quite common 106.6 ms and that causes false-positive STANAG-4285 detections by decoders. As shown in figures 3a 3b, each frame consists of 256 tribit symbols, according to SA raster and bitstream each frame consisting of 66 sync sequence symbols (instead of 80 as in other similar 106.6 ACF waveforms), followed by a data block consisting of 190 symbols. The sync sequence is transmitted recurrently every 106.6 ms and uses PSK2 modulation.

Fig. 3a - Harris VD PSK8 serial

Fig. 3b - Harris VD framing

From Harris RF-5800 datasheet: "The digital voice mode utilizes the latest military MELP and LPC-10 algorithms for high-quality secure narrowband voice at 2400 bps. The Harris 600 bps vocoders extend the communication range beyond conventional 2400 bps systems." [1]

About the 106.6 ms ACF waveforms (figure 4), as said here, it seems that decoders such as Sorcerer and therefore also K500 try to identify a signal by measuring its ACF and comparing it against an internal table that allows the identification: likely, the length of the ACF and the initial PSK2 sync sequence mislead the decoders which consequently give a false positive STANAG-4285 id.

Fig. 4 - some common 106.6 ms ACF waveforms


https://disk.yandex.com/d/jMGcjN4lD8RH9Q 

[1] https://disk.yandex.com/i/sFOl3aX98-d6SQ

 


16 November 2021

unid OFDM-121 system

Unid Russian OFDM-121 system recently heard on 11071.0 KHz (CF) until monday morning, frequency spacing between channels is 25 Hz, symbol rate in channels is 21 Baud, the used modulation seems to be a form of PSK4. As from figure 1, not all of the 121 available channels are used and it's possible to note a different arrangement of the channels in different days. The modulation used in the 2400Bd bursts preceeding the OFDM segments remains to understand, although there is a prevalence of PSK2 blocks.

Fig. 1

For what concerns the 2400Bd bursts which preceede the OFDM segments, I could not get a clean constellation; anyway looking at SA phase detector and 2nd order harmonics (figure 2), I think it is some kind of PSK2 modulation, or at least it's the prevalent one.
 
Fig. 2 - 2nd order harmonics, phase detector e constellation
 

4-ary constellation test

Moreover, the ACF has a 20ms value (figure 3) that makes 48 over-the-air symbols per frame, each frame consisting of 32 unknown data symbols followed by 16 known symbols. If the 20ms pattern in figure 3 represented bits then it would count a 32-bit length for the data block, therefore 1 symbol = 1 bit and thus we have a PSK2 modulation. As rightly suggested by my friend KarapuZ, in this case, the palette of the pattern consists of more than two or three colors: what does this mean? That we see more than just two or three levels of manipulation.
 
Fig. 3 - 2400Bd bursts framing

Apparently, this is one of the command and control systems and is associated with the recent military exercises in Belarus. Direction Finding indicate the Moscow area as Tx site location, as shown in figure 3.

Fig. 3

https://disk.yandex.com/d/qQrCn43mL0UO1Q


4339.8 KHz, an occasional French-Ny fleet broadcast FSK channel ?

On Sunday evening I came across an FSK 50Bd/850 transmission on 4339.8 KHz (CF): first time I have ever seen a S-4481 on this frequency, usually occupied by French Navy fleet broadcast in STANAG-4285 from FUG Saissac on 4338.0 KHz (// 4325.0 Khz). The dozens of DF tests carried out have all indicated the same FUG site as the location of the transmitter, while the analysis of the bitstream revealed the use of KW-46 encryption which is normally used in NATO 50Bd/850 FSK fleet-broadcast.
Actually I expected to find the classic 21-bit pattern, typical of domestic broadcast, even if 4339.8 is not among the FSK channels used by the French navy (see here).  I thought about a new FSK channel, but in subsequent monitoring the frequency has always resulted to be occupied by STANAG-4285 transmissions.
It's interesting to note that the same frequency/mode appears only once in the UDXF logs, precisely on March 21  of this year and only nighttime: coincidentally this too during the night between Sunday and Monday.  

Fig. 1 - STANAG-4285 & 50Bd/850 FSK both KW-46 secured from FUG

Fig. 2 - 4339.0 KHz FSK Direction Findings (TDoA algorithm)


https://disk.yandex.com/d/laasTSzeM0o7fQ

10 November 2021

unid PSK8 2400Bd burst waveform

Unid PSK8 2400 Baud burst waveform spotted on 10557.0 KHz (CF) by using OZ1AEF KiwiSDR (Skanderborg, Denmark). ACF value is 293.4 ms, which makes a period length of 704 tribit symbols or 2112-bit length frames (figs 1,2). The resulting bitstream after demodulation does not have a well defined structure formed by known/unknown data blocks,  it could be a Walsh modulation but it is only a guess.

Fig. 1
Fig. 2

As a test I tried to analyze the bursts using a STANAG-4538 demodulator and surprisingly the decoder reacts but only to the first 700ms of each burst by identifying a 256 symbols initial segment (!) and a subsequent block of data (960 symbols only), even if not identifying any of the xDL traffic waveforms that it knows (BW1-BW7) and thus reporting the phase positions only:

6231017000770100000702070000001700000107010107000701070000000000
0000001001000070000010000000000107000000000000000010000000000000
0000000000000000000000000000000000000000000000000000000000070000
2357710003120162744325456425622470623725424155361132757073500120
 
0014030174251457266112142317764402235571057447051475133602436767
2703175471117746713161441063517300743117565244064305766450657067
3543135630554510775272301561043433561260120020160261523037545324
2056267511155732621360060321622731415212020343736426773247451624
1334736342650470251144547564221770112446074633674036402257132565
6167206436000663560205033075240623327644201057731763021170310231
2243202452744340766416127045073236601451345335341351405636207065
7530151204440026515461331365415522030410171723262531566213715260
5435401652143142551606034474235200464762472263162671465355421572
7246675441411506774573373574776501311646273035007266555622770517
4374175707126456760404241210370111043001250537550271063761077252
5455361471666153216322237212306173775100324261130557670052346734
3347363427504702511445475642217771124460746336740364022571325656
1672064360006635602050330752406233276442010577317630211703102312
2432024527443407664161270450732366014513453353423514056362070657

The period of the data bitstream is however in contrast to the value measured by the ACF (figure 3) but it could due to the short segment which is recognized and demodulated (700ms) and by now I still prefer to rely on SA.

Fig. 3

The shorter burts like those in figure 4 are instead recognized as BW0 waveform, Robust Link Setup RLSU protocol (1), although the latter has a slightly shorter duration, and then decoded:

11010000100010001010111011
11010100010010010000001110
11010000100010001010111011

Fig. 4

Regarding the initial segment of 256 symbols, mentioned above, it's important noting that the bursts of the BW0, BW1, BW4, and BW5 waveforms begin with 256 “throwaway” symbols that are sent while the transmitter level control and receiver AGC are settling (the so-called TLC/AGC guard sequence); this is probably the reason of the STANAG-4538 false-positives detections.

Despite this, I think that the similarity with the burst waveforms of STANAG-4538 should be taken into consideration in view for further insights and analysis of these signals.

https://disk.yandex.com/d/s8BveGOqLx_s2g
https://disk.yandex.com/d/X4z5LZJK59_QxA 

(1) robust burst waveform 0 (BW0) is used by the robust link setup (RLSU) protocol and carries a payload of 26 protocol bits

6 November 2021

a note about CIS Navy FSK (T-600)

My friend Nicola, whom I thank for the collaboration, reported to me an inaccuracy in the post of April 16, 2021 "CIS Navy FSK 50Bd/250 (T-600)", more precisely regarding the 44-bit sequence which is sent after the reversals:

11100001010010111110000101001101011010101101  

The 44-bit sync sequence is in fact a 42-bit sequence (six 7-bit characters). The reason is that the transition from idle to traffic condition is signalled by a violation of the bit reversal structure so that a '1' is inserted instead of a '0' when the systems transits to traffic condition, ie the end is '...0101011' and not '01010' as given in my post (figure 1). That initial sync sequence of six 7-bit characters is also a violation of the 4:3 ratio. This ensures that sync is reliable. To use violation as signalling is quite common in many protocols, e.g. Ethernet LAN protocols.

Fig. 1

Generally speaking, one should notice that 'primitive' block protocols as the ones used by the Russian Navy will have this general structure:
- Call and acknowledgement provided by morse coded session
- Bit sync provided by bit reversals with or without a final violation
- Character sync provided by an initial Unique Word (or sync sequence, the designation is a matter of semantics)
- Possibly, but not necessarily a header (address, length, type of message etc.)
- Data, including possible initialization vectors or session keys
- End-of-Message
- End-of-Transmission, which could be provided by yet another morse session

3 November 2021

again about crypto devices with (5x) 128-bit Initialization Vectors

Recently in the list of the UDXF group a log of the UTE listener howardhawks (HH) appeared about transmissions of the Royal Navy of Oman (RNO) in 110A 1200bps/S mode on 8403.0 KHz/USB: nothing special except the use of encryption with 128-bit length initialization vectors, as indicated by KarapuZ in his comments to the message. This fact intrigued me and, since I have already met crypto systems that use initialization vectors of equal length and with the same format (ie five times repeated) [1], I decided to monitor those transmissions and collect some recordings to compare with other similar ones stored in my hard disks, ie:

- STANAG-4285 from Croatia (TDoA), recorded on January 2020 (*)
- 110A and STANAG-4539 attribute to the Swiss Emergency Network, recorded on October 2017 (*)

The bitstreams after demodulation of the above signals are shown all together in Figure 1:

Fig. 1 - COMSEC preambles using 5x128-bit length IVs

As you can see, the three COMSEC preambles - highlighted in figure 1 - have the same pattern, regardless of polarity:

  • 000110000100000111000101111001011011101101001001011111010101 60-bit length frame sync
  • 128-bit (16 bytes) sized Initialization Vector (5x)
  • 0101010101010101010101010101010101010101010101010101010101010101 64-bit length phasing/idling sequence

I don't know if it's an external COMSEC devices (ie standalone equipment such as KG-84) or communications equipment with built-in COMSEC, the fact is that the preambles are the same and this leads me to think that the above  transmissions - coming from three different countries/organizations - are secured by the same COMSEC device. In this respect, it would be important to know which providers of communication equipments the above users have in common.

By the way, signals gathering has been possible thanks to the KiwiSDRs operated by Kuwait Amateur Radio Society [2]. Transmissions on 8403.0 KHz, at least those listened to, mainly consist of voice calls/radio-checks and short exchanges of  messages using as mentioned 188-110A in 1200bps/S mode. Unlike other HF networks, neither 188-141A or some other ALE system is used for link setup so it is assumed that the nodes are simultaneously listening on the same frequency and responding when called by the net control station (callsign F4). Stations mentioned in traffic on this net so far include H5R, O5H, R7N, W6J, W3M, O3P and G9I, as well as vessels RNOV Al Mubshir S11, RNOV Al Seeb Z20, Shabab Oman II (thanks to the logging by howardhawks).

http://9k2ra-2k.proxy.kiwisdr.com:8073

(*) 188-110A and STANAG-4285 modems show a slightly modified waveform due to the addition of 4 unmodulated initial tones

[1] https://i56578-swl.blogspot.com/p/initialization-vectors.html
[2] http://9k2ra-2k.proxy.kiwisdr.com:8073