19 August 2022

unid 2400Bd/1200 MSK signals

 

Unidentified transmissions heard on 14669.0 kHz and 14693.0 kHz (USB) around 0800-0900 UTC. At first glance the signals may appear to be PSK-4 modulated, as suggested by the fourth-degree harmonics and the 4-state constellation (figure 1-a,b), but they are actually MSK (Minimum-Shift Keying) transmissions (even if MSK could be considered a form of QPSK). Indeed:
 
- the frequency spacing (1200 Hz) is numerically equal to half the keying speed (2400 Bd)
- there are no zero-crossing transitions in the 4-state phase plane (figure 1-b)
- the signal stays on one frequency for long stretches: if it were PSK, the state would come back to the carrier and stay there until a new phase change (figure 1-c)

Fig. 1 - a: speed and harmonics, b: constellation, c: phase-detector

The signal can be easily demodulated in SA using the MFSK level 2 demodulator, although it could also be demodulated as a differential mode by sampling data only from the code positions of the phases 90 and -90 degrees: the resulting bitstreams are the same (figure 2).

Fig. 2 - demodulation methods: MFSK-2 and PSK-2s

The signal has a 100 ms ACF that corresponds to a 240-bit period of the demodulated bitstream (figure 3): each frame consists of the 47-bit sequence
11100000101010111110000010101011111000001010101
which is probably used for sync, followed by a 193-bit data block. The sync pattern does not seem to be generated by an LFSR.

Fig. 3 - ACF and frames
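The frame layout described above (47-bit sync plus 193-bit data block, repeating every 240 bits) can be checked on a demodulated bitstream with a small sync correlator. This is an added example, not code from the original post: the function names, the error tolerance, the polarity test and the constructed sample stream are all assumptions.

```python
SYNC = "11100000101010111110000010101011111000001010101"  # 47 bits, from the post
FRAME_LEN = 240                    # 100 ms ACF at 2400 Bd
DATA_LEN = FRAME_LEN - len(SYNC)   # 193-bit data block

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def invert(bits):
    return bits.translate(str.maketrans("01", "10"))

def find_frames(bits, max_errors=3):
    """Try both polarities and all 240 phases; keep the alignment with most sync hits."""
    best = (0, False, [], bits)
    for inv, stream in ((False, bits), (True, invert(bits))):
        for phase in range(FRAME_LEN):
            starts = range(phase, len(stream) - FRAME_LEN + 1, FRAME_LEN)
            hits = [s for s in starts
                    if hamming(stream[s:s + len(SYNC)], SYNC) <= max_errors]
            if len(hits) > len(best[2]):
                best = (phase, inv, hits, stream)
    phase, inv, hits, stream = best
    blocks = [stream[s + len(SYNC):s + FRAME_LEN] for s in hits]
    return phase, inv, blocks

def pseudo_bits(n, seed):
    """Constructed filler data (simple LCG); stands in for the unknown payload."""
    out, x = [], seed
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append(str((x >> 16) & 1))
    return "".join(out)

def demo_stream():
    """Constructed capture: 37 leading bits, four frames, one sync bit error in frame 3."""
    payloads = [pseudo_bits(DATA_LEN, seed) for seed in (1, 2, 3, 4)]
    frames = [SYNC + p for p in payloads]
    damaged = frames[2]
    frames[2] = damaged[:5] + invert(damaged[5]) + damaged[6:]
    return pseudo_bits(37, 99) + "".join(frames), payloads

if __name__ == "__main__":
    stream, payloads = demo_stream()
    phase, inv, blocks = find_frames(stream)
    print(phase, inv, len(blocks), blocks == payloads)
```

The polarity test covers the case where the FSK-2 demodulator assigns mark and space the other way round.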
 

The short duration of the transfers (<30 sec) did not allow me to attempt Direction Finding; however, it is possible to hypothesize a Chinese "source" given the remote KiwiSDR receivers which I used [1][2].

https://disk.yandex.com/d/m9vHldGREa0mxQ  (wav)
https://disk.yandex.com/d/jFVhT7cf-086kQ  (bin)

[1] https://khv.swl.su/  Khabarovsk, Russia
[2] https://nsk.swl.su/  Novosibirsk, Russia

3 August 2022

unid 150-300Bd/500 FSK

 (updated)

For some days my friend Cryptomaster and I have been discussing an FSK signal detected on 6511.50 kHz (CF). Transmissions start (and end) with long reversals sent at 150 baud, followed by (repeated) messages sent at 300 baud; despite some slight fluctuations, we decided to fix the shift at 500 Hz.

Fig. 1 - FSK main parameters

The bitstream shows a 24-bit length period, one of which is the phasing bit (the last column of "0s"); data are preceded by a 240-bit sequence generated by the polynomial x^12+x^10+x^9+x^3+1.

Fig. 2 - the resulting bitstream after demodulation

 
Again, the question arises of whether or not to use Differential FSK mode: in fact, as already cited in some previous posts [1][2], as a result of the differential decoding, we get a uniform parity check, except for the first combination of bits (figure 3). We think that the differential mode probably does not apply, and that's a kind of "trick".

Fig. 3 - parity checked stream obtained after differential decoding

Speaking with some of his friends, Cryptomaster was able to use their particular program capable of detecting the presence of any CRC sequences in bitstreams: as a result, after inverting the 9th column of the stream, a clear H(24,16) coding was found, i.e. 16-bit data followed by 8-bit CRC. We then found and verified the corresponding (8,24) check matrix:

1 0 1 1 0 0 1 0 1 1 1 1 1 0 0 0   1 0 0 0 0 0 0 0
0 1 0 1 1 0 0 1 0 1 1 1 1 1 0 0   0 1 0 0 0 0 0 0
0 0 1 0 1 1 0 0 1 0 1 1 1 1 1 0   0 0 1 0 0 0 0 0
0 0 0 1 0 1 1 0 0 1 0 1 1 1 1 1   0 0 0 1 0 0 0 0
0 0 1 1 1 0 0 1 1 1 0 1 0 1 1 1   0 0 0 0 1 0 0 0
1 0 1 0 1 1 1 0 0 0 0 1 0 0 1 1   0 0 0 0 0 1 0 0
0 1 1 0 0 1 0 1 1 1 1 1 0 0 0 1   0 0 0 0 0 0 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0   0 0 0 0 0 0 0 1

Fig. 4 - bitstream (left) and CRC (right) computed using the (16,8) check sub-matrix: the two CRC sections coincide

While checking the stream, the program that generated the matrix "fixed the error" in the 9th column of the bitstream: the correction consists of the reversal of the ninth column, which is perhaps done during signal formation. Something similar has been observed in some CIS signals and in Finnish NOKIA. We also found that the check matrix is generated with the polynomial x^7+x^3+x^2+x+1 (figure 5).

Fig. 5
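The relation between the polynomial and the check matrix can be reproduced in a few lines. This is an added example, not the program mentioned in the post: it assumes column j of the matrix holds x^(22-j) mod g(x) (the ordering that reproduces the printed matrix), and the function names and the test encoder are constructed for illustration.

```python
G_POLY = 0b10001111   # x^7 + x^3 + x^2 + x + 1
DEG = 7

# Check matrix copied from the post: 16 data columns, then 8 check columns.
PAGE_H = [
    "1011001011111000" "10000000",
    "0101100101111100" "01000000",
    "0010110010111110" "00100000",
    "0001011001011111" "00010000",
    "0011100111010111" "00001000",
    "1010111000010011" "00000100",
    "0110010111110001" "00000010",
    "0000000000000000" "00000001",
]

def x_pow_mod_g(power):
    """x^power mod g(x) over GF(2); bit i of the result is the x^i coefficient."""
    r = 1
    for _ in range(power):
        r <<= 1
        if r & (1 << DEG):
            r ^= G_POLY
    return r

def build_check_matrix():
    """Column j (0..22) holds x^(22-j) mod g(x); row 8 only tests the phasing bit."""
    rows = [[0] * 24 for _ in range(8)]
    for j in range(23):
        rem = x_pow_mod_g(22 - j)
        for i in range(DEG):
            rows[i][j] = (rem >> (DEG - 1 - i)) & 1
    rows[7][23] = 1
    return ["".join(map(str, r)) for r in rows]

def syndrome(word, fix_col9=True):
    """Syndrome of a 24-bit on-air word; column 9 is re-inverted first by default."""
    bits = [int(b) for b in word]
    if fix_col9:
        bits[8] ^= 1
    return [sum(int(h) & b for h, b in zip(row, bits)) % 2 for row in PAGE_H]

def encode(data16):
    """Constructed encoder: 16 data bits + 7 check bits + phasing 0, column 9 inverted."""
    d = [int(b) for b in data16]
    crc = [sum(int(PAGE_H[i][j]) & d[j] for j in range(16)) % 2 for i in range(7)]
    word = d + crc + [0]
    word[8] ^= 1
    return "".join(map(str, word))
```

A word checked without undoing the ninth-column reversal yields the syndrome of a single error in column 9, which is the "error" the program reported.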

The message data is therefore made up of 202 bytes, organized in a 16 x 101 bit matrix; statistical analysis does not seem to indicate the use of cryptography (figure 6)

Fig. 6

 

For the sake of completeness, I add that in the first instance we tried to de-interlace the stream, thinking that it had previously gone through a block interleaver: we then get a stream arranged as a (24,101) bit matrix. As a result, a (101,84) check matrix was obtained which really encodes the information. But we were puzzled by the fact that only 101-84 = 17 bits of information remain in each codeword (51 bytes of data transferred) with a Hamming distance of 48: quite unrealistic in our opinion.

Fig. 7

3rd August update

The signal reappeared, but with less amplitude, on the frequency of 8084.0 kHz (CF). Attempts at Direction Finding (TDoA algorithm) indicate the Kaliningrad oblast as a possible site of the Tx, see figure 8. Further confirmations are however necessary.

KiwiSDR receivers used for monitoring:
http://77.223.174.203:8073 (Smøla, Norway)
http://julussdalen.proxy.kiwisdr.com:8073 (Julussdalen, Elverum-Norway)

Fig. 8 - TDoA results (tentative)


https://disk.yandex.com/d/7JHDI9np2IXR3Q

[1] https://i56578-swl.blogspot.com/2021/12/chinese-psk2-2400bd-serial-waveform.html
[2] https://i56578-swl.blogspot.com/2022/06/akula-almost-always-holds-surprises.html