24 October 2024

Chinese 4x4 modem (probably PLA Navy)

The Chinese 4x4 waveform consists of two groups of four PSK channels, each modulated at a rate of 75 Bd; the two groups are spaced by 450 Hz and the channel separation is 300 Hz. The signal occupies about 2500 Hz of bandwidth (Figure 1). The modem is probably used by the People's Liberation Army Navy, also known as the People's Navy, PLA Navy or simply Chinese Navy.

Fig. 1 - Chinese 4x4 modem

I isolated a single channel to identify the speed and the kind of PSK modulation used. The spectrum of the third-order harmonics (x^3) shows the typical central line (subcarrier frequency) of PSK8 modulation; indeed, the phase plane exhibits an 8-ary constellation, but there are no transition paths through the center (as in the case of PSK-8) and the relative constellation (Diff-1) is a QPSK rotated by 90 degrees: this suggests the use of π/4 DQPSK (Differential Quadrature Phase Shift Keying) modulation.
The π/4 DQPSK modulation uses two QPSK constellations offset by 45 degrees (π/4 radians); transitions occur from one constellation to the other, creating the illusion of a PSK-8 modulation. Data bits are encoded by phase changes instead of by the absolute value of the phase. Incidentally, the π/4 DQPSK modulation format is also used in TETRA.

Fig. 2 - π/4 DQPSK modulation @ 75 Baud (single data channel)
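
The behaviour described above, as an added example (not code from the original analysis): a pure-Python π/4 DQPSK modulator and differential detector showing that the absolute phases fill an 8-point constellation while the phase differences (Diff-1) take only four values, none of them 0 or π. The dibit-to-phase-step mapping and the 22-bit test pattern are assumptions constructed for the illustration, not values recovered from the signal.

```python
import cmath
import math

# Assumed Gray mapping of dibits to phase steps, in units of pi/4.
# The page does not give the modem's real mapping.
STEP = {(0, 0): 1, (0, 1): 3, (1, 1): -3, (1, 0): -1}
DIBIT = {step % 8: dibit for dibit, step in STEP.items()}

# Constructed 22-bit pattern (11 dibits); not the recorded bitstream.
PATTERN = [0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0]


def modulate(bits):
    """Return the reference symbol followed by one unit symbol per dibit."""
    idx = 0  # current phase in units of pi/4
    symbols = [cmath.exp(0j)]
    for i in range(0, len(bits) - 1, 2):
        idx = (idx + STEP[(bits[i], bits[i + 1])]) % 8
        symbols.append(cmath.exp(1j * math.pi / 4 * idx))
    return symbols


def phase_index(z):
    """Quantise a complex sample to the nearest multiple of pi/4 (0..7)."""
    return round(cmath.phase(z) / (math.pi / 4)) % 8


def demodulate(symbols):
    """Differential detection: decode the phase change between neighbours."""
    bits = []
    for prev, cur in zip(symbols, symbols[1:]):
        bits.extend(DIBIT[phase_index(cur * prev.conjugate())])
    return bits


def constellations(symbols):
    """Return (absolute phase indices, differential phase indices) observed."""
    absolute = {phase_index(s) for s in symbols}
    diff = {phase_index(c * p.conjugate()) for p, c in zip(symbols, symbols[1:])}
    return absolute, diff


if __name__ == "__main__":
    tx = modulate(PATTERN * 3)
    print(constellations(tx), demodulate(tx) == PATTERN * 3)
```

Because every step is an odd multiple of π/4, consecutive symbols always belong to different QPSK sets and never sit opposite each other, which is why no trajectory crosses the center of the phase plane.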

The resulting bitstream after differential demodulation has a 22-bit (11 dibit symbols) length period, as shown in Figure 3.

Fig. 3 - demodulated bitstream (single data channel)

The preamble preceding the data is also modulated in π/4 DQPSK mode at a speed of 75 Baud (Figure 4). The bitstream resulting from its demodulation (Figure 5) is formed by the repetition of a 22-bit pattern, likely for AGC, fine-tuning, and synchronization. Attempts to find the generating polynomial suggest x^23+x^22+x+1. In addition to the same period length (22 bits), the "similarities" between the two bitstreams (data vs. preamble) are to be noted.

Fig. 4 - π/4 DQPSK modulation @ 75 Baud (single preamble)

Fig. 5 - demodulated bitstream (single preamble)

Messages addressed to multiple recipients are queued in the same transmission and, as shown in Figure 6, messages may have three different "formats", which I call here mode-A, mode-B, and mode-C (please notice that these "designations" are only mine and are introduced just for convenient reference). Messages sent in different modes may coexist in the same transmission.

Fig. 6 - message formats

mode-A examples
3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02
3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02
3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02
JYJYJYJYJYJY HR MSG GA
41149   25   51   1001   1605
UXEE---Y9R
1213 0044 4433 7814 2404 2166 5873 4084 6463 2053
3462 8669 3268 6541 0511 3039 3930 2944 3388 6895
7921 4851 3871 2507 0062
MSG AGN
41149   25   51   1001   1605
UXEE---Y9R
1213 0044 4433 7814 2404 2166 5873 4084 6463 2053
3462 8669 3268 6541 0511 3039 3930 2944 3388 6895
7921 4851 3871 2507 0062

B81L B81L B81L DE JQ02 JQ02 JQ02
B81L B81L B81L DE JQ02 JQ02 JQ02
B81L B81L B81L DE JQ02 JQ02 JQ02
JYJYJYJYJY HR MSG GA
82230   23   51   1001   1025
UXEE---YXE
1243 0255 1667 1611 3469 2053 0063 5501 7301 1940
2587 7681 6966 7814 0584 6978 0091 2647 7217 7042
7179 5854 5844
MSG AGN
82230   23   51   1001   1025
UXEE---YXE
1243 0255 1667 1611 3469 2053 0063 5501 7301 1940
2587 7681 6966 7814 0584 6978 0091 2647 7217 7042
7179 5854 5844

3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02
3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02
3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02

3BLK called station address
DE from
JQ02 caller station address

JYJYJYJYJYJY HR MSG GA
JYJYJYJYJYJY ?
HR MSG GA are telegraphic abbreviations:
HR = here or hear
MSG = message
GA = good afternoon

It is common to read other abbreviations, such as "message repetition":
MSG AGN  
MSG = message
AGN = again 

or even the "link termination":
AHR ZNN SK
AHR = ?
ZNN = All clear of traffic now
SK = End of contact

41149   25   51   1001   1605
41149 ?
25 number of the 4FGs groups that make up the message (seems to be always odd)
51 message group identifier?
1001 date (mmdd)
1605 local time (hhmm), maybe for drafting

UXEE---Y9R
Probably these are military addresses, expressed as "source---destination"; at least in my recordings, the source address seems to be composed of 4 digits. Cross-referencing the callsigns of the initial calls gives this (small) table:

JQ02 = UXEE
82VP = YXY
3BLK = Y9R
B81L = YXE
IJDW = YXX
THGM = 21II
WMBZ = 227
F9ED = 201
LTPE = 811
FMRK = 818

The messages consist of 4-digit codewords (here referred to as 4FGs groups or simply "groups"), which are sent 10 per row in numbered blocks, each block consisting of 100 groups. Given that the Chinese writing system is by nature nonalphabetic and thus noncipherable, Chinese cryptography was bound to the use of codebooks (Chinese Telegraph Code, Chinese Standard character table or another unknown military codebook) containing a maximum of 10000 characters (0000-9999).

1213 0044 4433 7814 2404 2166 5873 4084 6463 2053
3462 8669 3268 6541 0511 3039 3930 2944 3388 6895
7921 4851 3871 2507 0062

Interestingly, the 9th and 10th groups of the first line of each message block do not follow the rules seen in the case of similar 4FGs messages sent via the M-39 modem (Chinese Air Force/Air Defense) [1]. Also note that the message sent to B81L contains the string 82230 23 51 1001 1025, i.e. the same date (1001, October 1st) but an earlier time (1025) than that reported in the same string of the message sent to 3BLK (1605). In this regard, it should be noted that the timestamp of the recording is 2024-10-01T14_40_13Z and the official time of China (CST, China Standard Time) is UTC+8, so at the time of transmission it was 2240 Chinese local time. Perhaps it is a selective repetition of some messages sent during the day; it could also follow specific requests (this also happens in NATO fleet broadcasts).
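
The mode-A layout described above, as an added example (not part of the original analysis): a small parser that splits a message body into its header fields, address pair and 4FGs, then checks the declared group count and compares the "MSG AGN" repetition against the first copy to spot reception errors. The field names are hypothetical labels for the readings given on this page; the input is the first mode-A message reproduced above.

```python
import re

# Constructed input: the first mode-A message body from the page; the
# transmission sends it twice, separated by "MSG AGN".
COPY = """41149   25   51   1001   1605
UXEE---Y9R
1213 0044 4433 7814 2404 2166 5873 4084 6463 2053
3462 8669 3268 6541 0511 3039 3930 2944 3388 6895
7921 4851 3871 2507 0062
"""
SAMPLE = COPY + "MSG AGN\n" + COPY

HEADER = re.compile(r"(\d{5})\s+(\d+)\s+(\d+)\s+(\d{2})(\d{2})\s+(\d{2})(\d{2})")
ADDRESS = re.compile(r"(\w+)---(\w+)")


def parse_copy(lines):
    """Parse one copy: header line, address line, then rows of 4FGs."""
    head = HEADER.fullmatch(lines[0].strip())
    addr = ADDRESS.fullmatch(lines[1].strip())
    if not head or not addr:
        raise ValueError("not a mode-A header/address pair")
    groups = [g for row in lines[2:] for g in row.split()]
    if not all(re.fullmatch(r"\d{4}", g) for g in groups):
        raise ValueError("body contains a group that is not 4 digits")
    return {
        "first_field": head[1],               # meaning unknown on the page
        "declared_groups": int(head[2]),
        "group_id": head[3],                  # tentative reading on the page
        "month": int(head[4]), "day": int(head[5]),
        "hour": int(head[6]), "minute": int(head[7]),
        "source": addr[1], "destination": addr[2],
        "groups": groups,
    }


def parse_mode_a(text):
    """Parse every copy and flag count mismatches and differing repeats."""
    parts = re.split(r"^MSG AGN\s*$", text, flags=re.M)
    parsed = [parse_copy(p.strip().splitlines()) for p in parts if p.strip()]
    msg = parsed[0]
    msg["count_ok"] = len(msg["groups"]) == msg["declared_groups"]
    msg["repeat_ok"] = all(p["groups"] == msg["groups"] for p in parsed[1:])
    msg["copies"] = len(parsed)
    return msg
```

A copy that fails either check is most likely a demodulation error rather than a different message, so the two copies can be compared group by group to repair it.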

mode-B examples
82VP 82VP 82VP DE JQ02 JQ02 JQ02
82VP 82VP 82VP DE JQ02 JQ02 JQ02
82VP 82VP 82VP DE JQ02 JQ02 JQ02
JYJYJYJYJY HR ++ GA
++
59628   1724
UXEE---YXY
6475/0/0/07/8877/08677/96277/767/74
MSG AGN
++
59628   1724
UXEE---YXY
6475/0/0/07/8877/08677/96277/767/74

IJDW IJDW IJDW DE JQ02 JQ02 JQ02
IJDW IJDW IJDW DE JQ02 JQ02 JQ02
IJDW IJDW IJDW DE JQ02 JQ02 JQ02
JYJYJYJYJY HR ++ GA
++
27016   1724
UXEE---YXX
2624/9/4/07/8587/95777/92087/977/75
MSG AGN
++
27016   1724
UXEE---YXX
2624/9/4/07/8587/95777/92087/977/75
 
These types of messages are much more cryptic and, beyond the initial "sentences", it is difficult to guess the meaning of the digits separated by slashes.

mode-C examples
NR920 CK93 35 1011 1447 --
215 203 011 326 314 004 773 353 246 351
420 938 407 445 486 382 005 773 353 246
351 403 938 417 445 486 382 006 773 353
246 351 403 938 417 445 486 382 008 773
353 403 938 417 445 486 382 009 773 357
403 938 417 445 466 486 382 010 773 357
403 446 486 382 011 773 353 403 938 417
445 466 486 382 012 773 357 403 447 486
384 938 383 013 773 357 372 403 446 486
758 483 382
MSG AGN
NR920 CK93 35 1011 1447 --
215 203 011 326 314 004 773 353 246 351
420 938 407 445 486 382 005 773 353 246
351 403 938 417 445 486 382 006 773 353
246 351 403 938 417 445 486 382 008 773
353 403 938 417 445 486 382 009 773 357
403 938 417 445 466 486 382 010 773 357
403 446 486 382 011 773 353 403 938 417
445 466 486 382 012 773 357 403 447 486
384 938 383 013 773 357 372 403 446 486
758 483 382

AHR MSG GA

NR921 CK165 35 1011 1447 --
215 203 011 326 004 773 318 357 407 445
486 319 353 938 354 373 418 445 486 758
483 005 773 318 353 417 938 407 445 486
319 357 372 407 938 418 445 486 758 483
006 773 318 357 417 938 407 445 486 319
357 372 407 445 486 338 758 482 008 773
318 357 417 445 486 319 357 372 417 938
418 445 486 338 758 482 009 773 318 357
372 417 445 466 486 758 483 319 354 372
417 938 418 445 486 758 483 010 773 318-1
357 403 446 486 319 357 403 446 938 445
486 011 773 318 357 417 445 466 486 319
357 372 417 938 407 445 486 758 483 012
773 318 353 403 447 938 446 467 486 319
353 403 446 938 445 466 486 013 773 318
354 246 353 403 445 466 486 319 357 372
404 445 486 758 483
MSG AGN
...
...

This type of message follows the same rules seen in mode-A except that the numeric groups are made up of 3 digits (3FGs) instead of 4.
 
Monitoring was possible thanks to KiwiSDRs located in Osaka and Okayama (Japan) [2][3].
(to be continued)