16 December 2024

Dutch Navy CARBs, a curious 8 times expanded 5N1.5 framing

On the morning of December 13th I accidentally tuned a KiwiSDR receiver to the well-known frequency of 8437.0 kHz USB, i.e. the Dutch Navy CARB channel operating in S-4481 FSK (8439.0 CF). Suddenly, at about 1050 UTC, the usual FSK "melody" disappeared to make room for a transmission in S-4285 600bps/Long mode (Figure 1); intrigued, I recorded that transmission.

Fig. 1 - STANAG-4285 transmission

As shown in Figure 2, the decoded bitstream shows a repeating "message" characterized by a pattern with a period length of 61 bits.

Fig. 2 - 61-bit period bitstream

I then isolated a single "message" and, after the appropriate shifts, a 5N1.5 framing emerges where each bit is repeated eight times. The stop bits should be 12 (8x1.5) but, for some reason I don't know, 13 bits are reproduced (Figure 3).

Fig. 3 - 8 times expanded 5N1.5 framing

After the removal of the start/stop bits, the 5 source data bits can be obtained by removing the overhead (repeated) bits: this can easily be done by manually editing the demodulated bitstream, for example with BEE, or by "downsampling" the bitstream by a factor of 8 using a simple script coded, for example, in Octave. The result (5x10 decoded) is the well-known CARB string "02A   04B   06A   08B   12A   PBB" which is usually transmitted in S-4481 mode by the Dutch Navy (Figure 4).

Fig. 4 - the resulting CARB string "02A   04B   06A   08B   12A   PBB"
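The downsampling step described above, as an added Python example (not the author's script): it goes slightly beyond the manual procedure by searching all 61 shifts for the frame alignment and using a majority vote over each run of 8 bits, so isolated bit errors do not corrupt a character. Assumptions: start bit = 0 and stop bit = 1, first data bit sent is the LSB, a standard ITA2 figures table, and a constructed test stream (not the recorded signal).

```python
# ITA2 tables indexed by 5-bit code; first transmitted data bit = LSB (assumption).
LTRS = "\x00E\nA SIU\rDRJNFCKTZLWHYPQOBG\x0eMXV\x0f"
FIGS = "\x003\n- '87\r\x054\x07,!:(5+)2$6019?&\x0e./=\x0f"
SHIFT_FIGS, SHIFT_LTRS = 27, 31
REP, NDATA, STOP = 8, 5, 13        # 8x expansion, 5 data bits, 13 stop bits as observed
FRAME = REP * (1 + NDATA) + STOP   # 8 + 40 + 13 = 61, the period seen in the bitstream

def ita2_codes(text):
    """Text -> 5-bit codes with FIGS/LTRS shifts (only used to build the sample)."""
    codes, figs = [], False
    for ch in text:
        want_figs = figs if ch == " " else ch not in LTRS
        if want_figs != figs:
            codes.append(SHIFT_FIGS if want_figs else SHIFT_LTRS)
            figs = want_figs
        codes.append((FIGS if figs else LTRS).index(ch))
    return codes

def expand(codes):
    """Codes -> 8x expanded 5N1.5 bits; start = 0, stop = 1 (polarity is an assumption)."""
    bits = []
    for c in codes:
        data = [(c >> i) & 1 for i in range(NDATA)]
        bits += [b for b in [0] + data for _ in range(REP)] + [1] * STOP
    return bits

def find_offset(bits):
    """Frame alignment: the shift whose start/stop windows best match 0s and 1s."""
    def score(off):
        return sum(bits[f:f + REP].count(0) + bits[f + FRAME - STOP:f + FRAME].count(1)
                   for f in range(off, len(bits) - FRAME + 1, FRAME))
    return max(range(FRAME), key=score)

def decode(bits):
    """Align, majority-vote each run of 8 down to one bit, then map ITA2 to text."""
    out, table = [], LTRS
    for f in range(find_offset(bits), len(bits) - FRAME + 1, FRAME):
        data = bits[f + REP:f + REP * (1 + NDATA)]
        code = sum((sum(data[i * REP:(i + 1) * REP]) > REP // 2) << i for i in range(NDATA))
        if code in (SHIFT_FIGS, SHIFT_LTRS):
            table = FIGS if code == SHIFT_FIGS else LTRS
        else:
            out.append(table[code])
    return "".join(out)

def constructed_capture(text="02A   04B   06A   08B   12A   PBB", flips=(20, 700, 1500)):
    """Constructed sample: 5 leftover stop bits, the CARB frames, 3 flipped bits."""
    bits = [1] * 5 + expand(ita2_codes(text))
    return [b ^ (i in flips) for i, b in enumerate(bits)]
```

Calling `decode(constructed_capture())` returns the CARB string; on a real demodulated stream the polarity or bit order may need to be inverted first.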

Obviously I don't know the purpose of such a transmission except - obviously - for the CARB (Channel Availability and Receipt Broadcast) string. I had already encountered something similar some time ago, a particular transmission of UK DHFCS: in that case it was a 5N1 framing where each bit was repeated 16 times [1].

It is worth noting that the transmission in S-4285 was in 600bps mode and 600:8 gives 75! That is the same speed as CARB transmissions in S-4481.

https://disk.yandex.com/d/3A2Ouj9TBQERZw

[1] http://i56578-swl.blogspot.com/2022/01/an-odd-16-times-expanded-5n1-framing-uk.html

4 December 2024

256-bit IVs & 0xD1E221E1 sequence

Just a quick note to observe that bitstreams using (alleged) 256-bit Initialization Vectors (IV) encryption have the same 32-bit/4-byte sequence repeated three times. For example, in the bitstream in Figure 1 (MS-110A transmission) you can clearly see the 256-bit IV sequences, each repeated eight times. 

Fig. 1

But if you reshape the same bitstream into columns of 32 bits the same 32-bit sequence 0xD1E221E1 emerges (Figure 2).

Fig. 2

I have previously encountered bitstreams with 256-bit IVs [1] but at that time I had not investigated further, focusing only on those sequences. As a counter-proof, I went back and analyzed those signals and - surprise - they also all present the same sequence 0xD1E221E1 after the IVs (Figure 3).

Fig. 3

It should also be said that I have encountered the sequence 0xD1E221E1 three times previously [2] but, when I re-analyzed those transmissions, the 256-bit IVs were not found (Figure 4).
 
Fig. 4

Both for the position of the 4-byte string 0xD1E221E1 (after or WITHOUT the alleged IVs) and for its presence in different streams it is difficult to say whether it identifies a sync string for a cipher device or whether it identifies a particular datalink protocol. However, in all cases I could analyze, STANAG-4538 (3G-HF) "circuit mode service" is used along with MS-110A as the traffic waveform.
Comments and suggestions on this matter are welcome!
 

[1] https://i56578-swl.blogspot.com/2020/09/s-4538110a-transmissions-using-unid-256.html
[2] http://i56578-swl.blogspot.com/search/label/P%3D32