3 August 2022

unid 150-300Bd/509 FSK

(updated)

Since some days me and my friend Cryptomaster are discussing an FSK signal detected on 6511.50 Khz (CF). Transmissions starts (and ends) with a long reversals sending at 150 baud speed, messages are repeated and are sent at 300 baud; since the measurement of the shift varies slightly from 507 Hz in traffic mode to 513 Hz in idle (figure 1) we decided to fix it in 509 Hz.

 Fig. 1 - FSK main parameters

The bitstream shows a 24-bit lenght period, one of which is the phasing bit (the last column of "0s"); data are preceeded by a 240-bit sequence generated by the polynomial x^12+x^10+x^9+x^3+1.

 Fig. 2 - the resulting bitstream after demodulation

Again, the question arises of whether or not to use Differential FSK mode: infact, as already cited in some previous posts [1][2], as result of the differential decoding, we get a uniform parity check, except for the first combination of bits (figure 3). We think that the differential mode probably does not apply, and that's a kind of "trick".

 Fig. 3 - parity checked stream obtained after differential decoding

Speaking with some of his friends, Cryptomaster was able to use their particular program capable of detecting the presence of any CRC sequences in bitstreams: as a result, after inverting the 9th column of the stream, a clear H(24,16) coding was found, ie 16-bit data followed by 8-bit CRC. We then found and verified the relative (8,24) check matrix

1 0 1 1 0 0 1 0 1 1 1 1 1 0 0 0   1 0 0 0 0 0 0 0
0 1 0 1 1 0 0 1 0 1 1 1 1 1 0 0   0 1 0 0 0 0 0 0
0 0 1 0 1 1 0 0 1 0 1 1 1 1 1 0   0 0 1 0 0 0 0 0
0 0 0 1 0 1 1 0 0 1 0 1 1 1 1 1   0 0 0 1 0 0 0 0
0 0 1 1 1 0 0 1 1 1 0 1 0 1 1 1   0 0 0 0 1 0 0 0
1 0 1 0 1 1 1 0 0 0 0 1 0 0 1 1   0 0 0 0 0 1 0 0
0 1 1 0 0 1 0 1 1 1 1 1 0 0 0 1   0 0 0 0 0 0 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0   0 0 0 0 0 0 0 1

 Fig. 4 - bitstream (left) and CRC (right) computed using the (16,8) check sub-matrix: the two CRC sections coincide

The program that generated the matrix, during the flow check, "fixed the error" in the 9th column of the bitstream, the correction consists of the reversal of the ninth column, perhaps this is done during signal formation. Something similar has been observed in some CIS signals and in Finnish NOKIA. We also found that the check matrix is generated with the polynomial x^7+x^3+x^2+x+1 (figure 5).

 Fig. 5

The message data is therefore made up of 202 bytes, organized in a 16 x 101 bit matrix; statistical analysis does not seem to indicate the use of cryptography (figure 6)

 Fig. 6

For the sake of completeness, I add that in the first instance we tried to de-interlace the stream thinking that it was previously undergoing a block interleaver: then we get a stream arranged as a (24,101) bit matrix. As a result, a (101,84) check matrix was obtained which really encodes the information. But we were puzzled by the fact that only 101-84 = 17 bits of information remain in each codeword (51 bytes of data transferred) with a Hamming distance of 48: quite irrealistic in our opinion.

 Fig. 7

3rd August update

The signal reappeared, but with less amplitude, on the frequency of 8084.0 KHz (cf). Attempts at Direction Finding (TDoA algorithm) indicate the Kaliningrad oblast as a possible site of the Tx, see figure 8. Further confirmations are however necessary.