29 June 2026

CIS 20Bd/7000 Wide FSK

In the world of HF, spectral efficiency is usually the gold standard. Modern digital modes strive to pack as much data as possible into narrow bandwidths. However, when monitoring tactical networks originating from the CIS (Commonwealth of Independent States) region, we may encounter a signal that flips this paradigm entirely: the 20Bd/7000 Wide FSK waveform. Operating at a "glacial" 20 Baud but utilizing a massive 7000 Hz frequency shift, this waveform intentionally sacrifices spectral real estate.
On a standard SDR waterfall display, the CIS 20Bd/7000 is highly distinctive yet easily misidentified by automated classification algorithms. Instead of a single coherent data stream, it appears as two completely detached Continuous Wave (CW) carriers separated by a 7 kHz void (Figure 1).
I recently heard this waveform on 25th June at about 2235 UTC on 6945.0 kHz (CF) using the remote AirSpy SDR receiver managed by EA1FAQ in Spain, whom I wish to thank. 

Fig. 1: CIS 20Bd/7000 Wide FSK

Technical Specifications & RF Fingerprint (Figure 2):
Modulation: Frequency Shift Keying (FSK / F1B), Lower tone: 6941.5 kHz, Upper tone: 6948.5 kHz, Center freq: 6945.0 kHz
Symbol Rate: 20 Baud (Symbol duration: 50 ms)
Shift (Δf): 7000 Hz (±3500 Hz from center)
Modulation Index β = Δf/fm = 7000/20 = 350
Primary Users: Russian / CIS Military and Diplomatic Networks

Fig. 2: main FSK technical parameters (shift & speed)

Apart from the center frequency noted here (6945.0 kHz), this same transmission can be observed on various other frequencies around 7 MHz, acting as an intruder and causing interference within the corresponding amateur radio band, as regularly documented by the IARU Monitoring System (IARUMS). Specifically, I observed a "twin" transmission at 9966.5 kHz. While it is difficult to establish whether both originate from the same transmitter site, their signal strengths on the waterfall display are nearly identical, suggesting they might be emitted from antennas with different take-off angles.

An intriguing aspect captured in Figure 3 is the simultaneous ±1500 Hz offset from the center frequency of both transmissions, with the signals returning to their baseline values within a few minutes.

Fig. 3: simultaneous ±1500 Hz offset from the center frequencies

Such a deterministic and simultaneous shift points to two likely scenarios. The first is that this offset is pre-programmed by design, requiring the receiving modem to have prior knowledge of the transition to maintain carrier lock and ensure uninterrupted demodulation. Alternatively, if no prior agreement exists, the receiving system must employ an aggressive Automatic Frequency Control (AFC) or a wide DSP tracking loop capable of instantly detecting the energy shift and re-synchronizing within milliseconds.

By appropriately filtering the signal, it can be easily demodulated using the Signals Analyzer (SA) FSK demodulator. The resulting bitstream—at least in this sample—features a continuously repeating 255-bit pattern (typical of an 8-bit LFSR, 2^8 −1), as shown in Figure 4. However, the pattern does not appear to be generated by a polynomial.

Fig. 4: 255-bit period demodulated bitstream

To confirm this finding, I retrieved two additional recordings of this signal from separate YouTube channels. In both samples, the demodulated bitstreams exhibited the exact same characteristic (a 255-bit pattern length). However, analyzing further recordings could help to better characterize the payload.

Fig. 5: comparison of 3 demodulated bitstreams
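One way to test the 255-bit pattern against the 8-bit LFSR hypothesis is the Berlekamp-Massey algorithm, which returns the shortest linear recurrence that reproduces a bitstream. The sketch below is an added example, not part of the original analysis; both test patterns are constructed (an m-sequence from the primitive polynomial x^8+x^4+x^3+x^2+1 and the same sequence with one bit inverted), not taken from the recordings.

```python
"""Linear-complexity test for a repeating 255-bit pattern (added example)."""


def berlekamp_massey(bits):
    """Return (L, c): shortest LFSR length and its connection polynomial over GF(2)."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # copy saved at the last length change
    length, last = 0, -1
    for i in range(n):
        # Discrepancy between the predicted bit and the observed bit.
        d = bits[i]
        for j in range(1, length + 1):
            d ^= c[j] & bits[i - j]
        if d:
            saved = c[:]
            shift = i - last
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * length <= i:
                length, last, b = i + 1 - length, i, saved
    return length, c[:length + 1]


def lfsr_stream(taps, seed, n):
    """Emit n bits of s[i] = XOR of s[i-t] for t in taps, starting from seed."""
    s = list(seed)
    while len(s) < n:
        bit = 0
        for t in taps:
            bit ^= s[-t]
        s.append(bit)
    return s[:n]


def analyse_period(period):
    """Feed two repetitions of one period to Berlekamp-Massey.

    Two periods are enough to pin down any recurrence up to the period length.
    Returns (linear complexity, list of feedback lags).
    """
    length, c = berlekamp_massey(list(period) * 2)
    return length, [j for j in range(1, length + 1) if c[j]]


# Constructed patterns, not the demodulated signal.
M_SEQ = lfsr_stream([4, 5, 6, 8], [1, 0, 0, 0, 0, 0, 0, 0], 255)
PATCHED = list(M_SEQ)
PATCHED[100] ^= 1              # one inverted bit per 255-bit period

if __name__ == "__main__":
    for name, pattern in (("m-sequence", M_SEQ), ("patched", PATCHED)):
        length, lags = analyse_period(pattern)
        verdict = "8-stage LFSR" if length == 8 else "no 8-stage LFSR"
        print(f"{name}: linear complexity {length} -> {verdict}")
```

Every periodic sequence satisfies some linear recurrence, so the useful figure is the complexity itself: 8 means a true 8-stage m-sequence, while a value close to 255 means the 255-bit length only resembles one.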

Why Spend 7 kHz on 20 Baud?
This signal is engineered for high-availability survivability in contested environments. Using a massive 7000 Hz shift in HF FSK modulation deliberately trades away channel space to achieve near-indestructible reliability. Here is the breakdown of why it is used:

- Beating Ionospheric Fading. The ionosphere often creates narrow "dead zones" in the spectrum. By separating the two signaling tones by 7 kHz, it is statistically impossible for a single ionospheric drop-out to wipe out both frequencies at the same time. If one tone dies, the other gets through.

- Crushing Electronic Jamming. Spreading a slow data rate across such a massive frequency gap creates a huge modulation index. To block the signal, an adversary has to dilute their jamming power across a wide 7 kHz swath, making the jamming highly ineffective.

- Immunity to Doppler Drift. In unstable conditions (like polar regions or solar storms), frequencies can drift by tens of Hertz. For narrow shifts, this blends the tones together; for a 7,000 Hz shift, a 50 Hz drift is completely negligible.

- Signal Obfuscation (Stealth). Because it spans a bandwidth wider than a normal 3 kHz HF intercept receiver's window, an operator or automated classifier looking at a standard waterfall display will simply see isolated, alternating CW (Continuous Wave) pulses separated by a massive gap. It effectively hides its identity as a unified, synchronized FSK data stream, making it harder to automatically classify, intercept, or parse unless the intercepting party knows exactly what to look for.

The CIS 20Bd/7000 is a textbook example of Soviet-legacy military engineering surviving into the modern era. It prioritizes absolute link reliability and Electronic Counter-Countermeasures (ECCM) over spectral efficiency, providing a robust, jam-resistant command link that remains a frequent sight on the HF bands for modern SIGINT monitors.

https://disk.yandex.com/d/iwfwZCwjPiNq9Q

24 June 2026

DTE-DCE Handshaking and Transmission Management

Following my previous post, a colleague reached out asking for clarification on the real-world, non-simulated operations of Data Terminal Equipment (DTE, typically a host PC) and Data Circuit-terminating Equipment (DCE, the HF modem). This inspired this post, which consolidates and structures the technical information scattered across the web. To ground these concepts in a practical scenario, this analysis focuses on an SDTE — more formally specified in NATO documentation as the SIS-DTE (Subnetwork Interface Service Data Terminal Equipment) — executing the STANAG 5066 stack. For clarity and consistency, this component will be referred to simply as the DTE throughout the remainder of this post.

Operating high-speed data networks over the High Frequency (HF) ionospheric channel presents an exceptional engineering challenge. The channel is inherently non-stationary, susceptible to severe multipath fading, atmospheric noise, and Doppler shifts. To maintain physical-layer synchronization under these hostile conditions, tactical waveforms such as MIL-STD-188-110A and NATO STANAG 4285 decouple the physical modulation speed from the actual user throughput.
Regardless of the data rate selected by upper-layer protocols, the physical over-the-air modulation speed remains strictly locked at 2400 baud (symbols per second). Scaling the data rate down from 2400 bps to a ruggedized 75 bps is achieved not by slowing down the radio's RF emission engine, but by dynamically increasing the density of Forward Error Correction (FEC) codes, interleaver settings, and bit-repetition factors. Managing this asymmetry requires an explicit structural division between session logic and physical timing. This post outlines the interface architecture, the real-world transactional flow, the critical impact of interleaver latency, and the modern IP-based evolution of systems operating between a STANAG 5066 DTE server and a DCE tactical radio modem.

1. Deconstructing the Interface: Baud, Bits, and Protocol Overhead
A frequent point of confusion in tactical data link design is the relationship between the over-the-air symbol rate (baud) and the baseband clock frequency driven across the physical DTE/DCE interface.

1.1. The 8-PSK Modulation Reality
In a standard MIL-STD-188-110A single-tone waveform, the modem operates at 2400 baud using 8-Phase Shift Keying (8-PSK). Because each symbol represents one of eight distinct phase states, it encodes exactly 3 bits of raw information (2^3 = 8). This establishes a constant over-the-air aggregate physical line rate of: 2400 baud × 3 bits/symbol = 7200 bps

1.2. Waveform Geometry vs. Coding Overhead
By subtracting the useful user payload from this 7200 bps aggregate line rate, we can isolate the exact volume of protocol overhead. However, this overhead is not strictly composed of Forward Error Correction (FEC). In military standard waveforms, a significant portion of this bandwidth is consumed by waveform geometry—specifically, channel-probing blocks.
The waveform structure alternates strictly between blocks of unknown data symbols and blocks of known pseudo-random training patterns (e.g., 20 data symbols followed by 16 probe symbols). The receiving Digital Signal Processor (DSP) uses these known probes to continuously map and counteract ionospheric fading and multipath distortion.

- At the maximum user rate (2400 bps):
7200 bps (Total Rate) − 2400 bps (User Payload) = 4800 bps (Overhead)
In this high-clearance scenario, the modem dedicates exactly 66.67% of its total over-the-air bandwidth to the combination of FEC data packing and synchronization probes to stabilize the link.
- At a highly ruggedized sub-rate (150 bps):
7200 bps (Total Rate) − 150 bps (User Payload) = 7050 bps (Overhead)
When channel conditions deteriorate, the protocol overhead consumes 97.92% of the total bandwidth. This mathematically demonstrates how aggressively the physical layer wraps each individual user bit in an extensive repetition and convolutional coding matrix to survive extreme signal degradation.

1.3. The Shift in Timing Leadership
To prevent buffer underrun or overflow during these speed adjustments, the system splits leadership between two distinct control domains:
- The DTE (STANAG 5066 Server) rules Session Configuration: It evaluates link performance via Automated Repeat Request (ARQ) frame error rates and dictates what data rate and interleaver depth must be utilized via its Dynamic Rate Adaptation (DRA) algorithms.
- The DCE (Modem) rules Physical Timing: Once a rate is selected, the modem operates as the master metronome. 

In a legacy synchronous interface—such as RS-530 or MIL-STD-188-114—the modem physically scales its baseband clock output (TX_CLK) to match the active user bit rate. If STANAG 5066 commands a 150 bps rate, the modem's internal oscillators drop the physical hardware line clock on the data cable to exactly 150 Hz. The DTE functions as a slave to this clock, forcing its internal serial shift registers to march precisely to the physical rhythm driven by the DCE.

2. Legacy Chassis Topology: Separating the Data and Control Planes
Using a legacy, rack-mounted standalone tactical modem—such as the Harris RF-5710A—as an architectural reference, the physical implementation mandates two completely independent cabling pathways to separate synchronous data delivery from runtime reconfiguration.


2.1. The J3 Remote Control Port (The Control Plane)
The J3 interface is an asynchronous serial port (typically configured as standard RS-232). It handles no user payload data. Instead, the STANAG 5066 subnetwork layer uses this link exclusively to transmit out-of-band management commands directly to the modem's central processor. These commands are formatted using either proprietary command architectures or standardized STANAG 5066 Annex E modem control strings.

2.2. The J2 Data Port (The Data Plane)
The J2 interface is a high-speed synchronous serial interface configured for RS-530 or MIL-STD-188-114 balanced signaling. It contains the physical baseband data lines (TX_DATA, RX_DATA), the master hardware clocks driven by the modem (TX_CLK, RX_CLK), and the discrete hardware flow control lines: Request to Send (RTS) and Clear to Send (CTS).

3. The Real-World End-to-End Transaction Flow
When an application connected to a STANAG 5066 server attempts to transmit a data block across an adaptive HF link, the interaction across the J3 control plane and the J2 data plane executes a precise sequence.
 
Step 1: Link Adaptation Assessment
The STANAG 5066 subnetwork layer processes incoming link-quality statistics from the distant receiving station. Noting a drop in the Signal-to-Noise Ratio (SNR), the DTE's Dynamic Rate Adaptation algorithm calculates that the link must drop from 2400 bps to 150 bps with a Long Interleaver setting to penetrate local atmospheric noise.

Step 2: Out-of-Band Reconfiguration (J3 Interface)
Before asserting any data lines, the STANAG 5066 server constructs a management frame enclosing Annex E configuration strings, e.g.:
[DTE -> J3 Async Input]: Command -> Set Waveform: 110A_SINGLE_TONE; Rate: 150; Interleaver: LONG;

 
The internal controller of the Harris RF-5710A parses the asynchronous packet, reconfigures its internal DSP algorithms, and prepares the physical layer to alter its baseband clock distribution.

Step 3: Interface Clock Realignment (J2 Interface)
The modem immediately scales its physical hardware clock synthesizer engine down. The physical TX_CLK line output on the J2 serial connector drops from a 2400 Hz square wave down to a steady 150 Hz pulse train. The hardware interface is now locked into the correct physical sub-rate window.

Step 4: The Physical Transmission Handshake
With the interface speed stabilized at 150 bps, the synchronous data transfer proceeds:
- DTE Asserts RTS: The STANAG 5066 server drives the physical RTS line on the J2 connector LOW (Active State). This serves as a direct hardware interrupt instructing the modem to key the attached HF radio transmitter.
- The Transmitter Keying and Preamble Phase: The modem keys the radio transmitter. It keeps the physical TX_CLK signal silent and the CTS line de-asserted. During this turnaround window, the modem generates and broadcasts a physical-layer over-the-air synchronization preamble. This known tone pattern allows the distant station’s receiver to achieve phase lock and evaluate interleaver synchronization.
- Modem Asserts CTS: Once the over-the-air preamble transmission concludes, the DCE drops the physical CTS line on the J2 connector LOW. Simultaneously, it activates the 150 Hz synchronous TX_CLK line.
- Synchronous Bit Burst: The STANAG 5066 DTE detects the active CTS boundary. On every rising edge of the incoming 150 Hz clock pulse provided by the modem, the DTE shifts one bit of data onto the TX_DATA wire. The modem samples this data precisely on the subsequent falling edge, funneling it directly into the DSP's FEC packing matrix.

4. The Interleaver Latency Penalty: The Hidden Operational Constraint
A critical operational factor that engineers must account for when deploying STANAG 5066 protocols over sub-rates is interleaver latency.
To protect data from long, continuous bursts of noise (fade duration), the modem utilizes a block or convolutional interleaver matrix. The transmitter rearranges the chronological order of bits over a specific time window before sending them over the air. The worse the channel conditions, the larger the interleaver matrix required.
When dropping to a sub-rate like 150 bps with a Long Interleaver, this matrix introduces severe physical delivery delays:
- The Buffering Constraint: The transmitter's DSP must wait until enough bits have accumulated to completely fill the structural interleaver matrix before it can shuffle them and begin actual over-the-air transmission.
- The Latency Cost: At 150 bps, filling a Long Interleaver matrix introduces a processing latency of 4.8 seconds or more at the transmitter, and another 4.8 seconds for de-interleaving at the receiver.
Consequently, the first bit of the user payload does not emerge from the receiving station's modem until nearly 10 seconds after the DTE begins shifting data. This structural delay dictates that the STANAG 5066 layer must scale its internal Automated Repeat Request (ARQ) frame timers aggressively. If the software's acknowledgment timeout timers are set too short, the DTE will prematurely assume a packet was dropped and retransmit it, clogging the narrow 150 Hz pipeline with duplicate traffic.
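The transaction in Steps 1-4 and the timer constraint described in this section can be put into a small timing model. This is an added example, not code from any STANAG 5066 implementation: the control string is the illustrative one from Step 2, the 4.8 s interleaver delay is the figure quoted above, and the preamble length, frame sizes and the stop-and-wait sender are assumptions chosen to keep the model small.

```python
"""Timing model of one J3/J2 transaction and the ARQ timer it implies (added example)."""

INTERLEAVE_S = 4.8   # page figure: long interleaver at 150 bps, applied at each end
PREAMBLE_S = 4.8     # assumption: over-the-air preamble sent before CTS is asserted


def parse_j3(command):
    """Parse the post's illustrative 'Key: value;' control string (not Annex E syntax)."""
    pairs = (item.split(":", 1) for item in command.split(";") if ":" in item)
    return {key.strip(): value.strip() for key, value in pairs}


def j2_timeline(bits, rate_bps):
    """Return (seconds, event) tuples for one RTS/CTS burst clocked by the DCE."""
    period = 1.0 / rate_bps
    events = [(0.0, "DTE asserts RTS; DCE keys the transmitter, TX_CLK silent"),
              (PREAMBLE_S, "preamble sent; DCE asserts CTS and starts TX_CLK")]
    for k, bit in enumerate(bits):
        rising = PREAMBLE_S + k * period
        events.append((rising, f"rising edge: DTE shifts bit {bit} onto TX_DATA"))
        events.append((rising + period / 2, f"falling edge: DCE samples bit {bit}"))
    return events


def one_way_s(n_bits, rate_bps):
    """Seconds from RTS until the far modem has released the last of n_bits."""
    return PREAMBLE_S + n_bits / rate_bps + 2 * INTERLEAVE_S


def ack_arrival_s(frame_bits, ack_bits, rate_bps):
    """Seconds from the sender's RTS until the complete ACK is back at the sender."""
    return one_way_s(frame_bits, rate_bps) + one_way_s(ack_bits, rate_bps)


def min_arq_timeout_s(frame_bits, ack_bits, rate_bps):
    """Shortest timer (started when the burst ends) that cannot fire before the ACK."""
    burst = PREAMBLE_S + frame_bits / rate_bps
    return ack_arrival_s(frame_bits, ack_bits, rate_bps) - burst


def premature_retransmissions(timeout_s, frame_bits, ack_bits, rate_bps):
    """Duplicates a stop-and-wait sender emits before the first ACK can arrive."""
    burst = PREAMBLE_S + frame_bits / rate_bps
    deadline = ack_arrival_s(frame_bits, ack_bits, rate_bps)
    t, duplicates = burst, 0
    while t + timeout_s < deadline:
        t += timeout_s + burst       # timer expires and the frame is sent again
        duplicates += 1
    return duplicates


if __name__ == "__main__":
    cfg = parse_j3("Set Waveform: 110A_SINGLE_TONE; Rate: 150; Interleaver: LONG;")
    rate = int(cfg["Rate"])
    for when, what in j2_timeline([1, 0, 1], rate):
        print(f"{when:8.4f} s  {what}")
    # Assumed sizes: a 1200-bit data frame answered by a 150-bit acknowledgement.
    print("minimum ARQ timeout:", round(min_arq_timeout_s(1200, 150, rate), 1), "s")
    for timeout in (5, 10, 30):
        dup = premature_retransmissions(timeout, 1200, 150, rate)
        print(f"timeout {timeout:2d} s -> {dup} duplicate frame(s)")
```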

5. The Modern Evolution: Transitioning to IP-Based Software Defined Radios
The legacy Harris RF-5710A represents a 'High-Data-Rate, IP-Ready, and Annex-E Compliant' evolution capable of driving the HF channel up to 9600/12800 bps via adaptive QAM, enabling the efficient utilization of modern STANAG 5066 servers featuring Dynamic Rate Adaptation (DRA). It serves as the ultimate historical bridge between old-world balanced cabled engineering and modern consolidated networking architectures.
In contemporary Software Defined Radios (SDRs)—such as the Harris Falcon III series—the separate physical modem and transceiver chassis collapse into a single integrated unit. Physical J2 and J3 serial connectors are completely replaced by a single Ethernet interface running standard IP stacks. This shifts the implementation from hardware-level pinning to software-defined protocol boundaries:
- The Control Plane is virtualized. Instead of serial strings sent over a dedicated RS-232 line, the STANAG 5066 node establishes a TCP/IP or UDP socket connection to a designated management port on the radio, sending configuration packets using modernized subnetwork control protocols (such as the HF Radio Control Protocol / HRCP).
- The Data Plane eliminates physical clock lines (TX_CLK). Baseband streaming bits are packaged into standardized encapsulation networks, such as STANAG 4538 or virtual synchronous serial profiles over IP. The radio's internal software clocks handle the synchronization between incoming IP packets and the underlying DSP modulator frame boundaries.

Despite this transition to IP-routed pipelines, the core architectural logic remains completely unchanged. The STANAG 5066 software node remains the logical king of data rate selection based on link performance, while the radio's internal DSP remains the absolute metronome of physical over-the-air ionospheric synchronization.


12 June 2026

Simulating ADF ISB Transmissions: 12-Bit Repetition Coding on the USB Channel

The idea for this post stems from an interesting RAN (Royal Australian Navy) fleet broadcast originating from the MHFCS (Modernised High Frequency Communications System) utilized by the ADF (Australian Defence Force). The captured transmission employs STANAG-4285 at 600 bps/L in ISB (Independent SideBand) mode on 14874.0 kHz (Figure 1), and was successfully recorded thanks to the remote KiwiSDR VK6QS2 located in Augusta, Western Australia.

Data redundancy is a mission-critical asset in military HF communications. To ensure reliable delivery over thousands of miles, this transmission architecture departs from standard handling, utilizing the ISB spectrum to securely distribute the payload. 

Fig. 1: ADF MHFCS in ISB mode

As mentioned, the transmission relies on an asymmetric Independent Sideband (ISB) framework: the Upper Sideband (USB) delivers a redundant 600 bps stream wherein each individual bit is replicated 12 times, while the Lower Sideband (LSB) simultaneously transmits a "standard" signal at an identical 600 bps clock rate. This dual-path configuration mitigates severe ionospheric fading, allowing the receiver to cross-correlate the sidebands and reconstruct the payload without data loss. 

Technical analysis confirms that the LSB stream represents a broadcast encrypted by a KW-46 (or compatible) crypto-device, identified by the m-sequence of the generator polynomial x^31+x^3+1. This sequence is natively employed by the KW-46T transmitter for remote receiver synchronization (KW-46R). In contrast, the USB data structure exhibits 12-bit blocks of uniform logical states, most likely originated by a GA-205 12-channel Time-Division Multiplexer. This sideband similarly secures its payload using KW-46 protocols: as illustrated in Figure 2, by isolating a single multiplexed channel, stripping the remaining 11, and reshaping the data into a 7-bit architecture, the presence of the identical x^31+x^3+1 m-sequence was conclusively verified.

Fig. 2: LSB and USB demodulated bitstreams

In this sample, both STANAG-4285 modems have the exact same clock speed and line rate of 600 bps on the physical serial line (the DTE/DCE interface) (1). However, the amount of unique, useful information (the actual payload) is highly asymmetric: the USB channel carries a 50 bps information rate (Strategic Command & Control?) protected by the 12x repetition code, while the LSB channel carries a native 600 bps information rate (Routine Data Traffic & Logistics?).

The ultimate operational purpose of ISB in this scenario is spectrum optimization. Instead of requesting two distinct HF frequency allocations from military spectrum management, which would tie up vital radio assets and increase the station's electronic footprint, the user allocates a single suppressed carrier frequency. By utilizing ISB, the transmitter concurrently radiates two separate, parallel operational environments on a single RF assignment.
A similar ISB paradigm is utilized, for example, by specific Portuguese Navy transmissions operating in STANAG-4285 600 bps/L mode, notably on the 12704.5 kHz Center Frequency (CF), using the HF callsign CTA12 (Figure 3). The bandwidth allocation is split as follows:
- LSB Channel: Transmits the plain text Channel Availability and Receipt Broadcast (CARB), also frequently designated as the FAB (Frequency Availability Broadcast).
- USB Channel: Carries a secure, encrypted fleet broadcast utilizing a legacy KW-46 cryptographic device.

Fig. 3: Portuguese Navy CT12 working in ISB mode

Concerning the source of the transmission, TDoA geolocation points to the 'Naval Communication Station Harold E. Holt' (NCS HEH), situated 6 km north of Exmouth (Figure 4). COMMSTA HEH is jointly operated by Royal Australian Navy and US Navy personnel. The High Frequency Transmitter (HFT) site houses an array of hardware, much of which is dedicated to point-to-point communication circuits linked to shore facilities and surface vessels operating within the station's operational footprint.


Fig. 4: Direction Finding (TDoA) results


The remainder of this post aims to simulate the generation of the baseband data stream for the USB (Upper Sideband) channel, alongside DTE-DCE timing management, using hardwired digital logic managed by Arduino microcontrollers. Naturally, this is a standalone proof of concept and does not reflect the actual hardware infrastructure utilized by the MHFCS.
To evaluate the generation of the cloned 12-bit redundant stream, the simulation leverages a CD4067 multiplexer (MUX) to closely mirror the hardware-level TDM implementation of the GA-205 12-channel multiplexer used by the Australian Defence Force. I followed the logical block diagram illustrated in Figure 5, implemented using breadboards, TTL and CMOS chips, and two Arduino microcontrollers. Figure 6 shows the components prior to wiring.

Fig. 5: USB channel formation

Fig. 6

A: extender buffer 
Implementing a 1-to-12 output bit extender (also known in electronics as a fan-out replicator or distribution buffer) using TTL logic is a classic and very straightforward project. The crucial factor is the current: a single output pin of a standard chip does not have the electrical strength to drive the 12 inputs of the following multiplexer (MUX) simultaneously while maintaining the correct voltage levels. For this reason, buffers are required. I used the 74LS04 chip, which contains 6 inverters (NOT gates). By routing the signal through two inverters in cascade, the bit is inverted twice, returning to its original state but with all the necessary driving power. Using the common 74LS04 chips we need to employ a 'cascade' logic: one gate acts as a pilot (inverting the signal the first time), and the other gates act as splitters (inverting it a second time, thus restoring the original signal). Given that each chip contains 6 gates, using 3 chips gives us a total of 18 gates: one will serve as the pilot, and 12 will provide the desired outputs.

B: multiplexer
The CD4067B module, a CMOS single-ended 16-channel pre-mounted board, is utilized as a synchronous time-division multiplexer (TDM), serving as the critical link that generates the redundant serial stream. Driven by the binary addressing logic of Arduino #1, the CD4067B sequentially samples each input channel. By allocating an identical, deterministic time slot to every channel, the chip enforces the strict synchronous timing required to mimic real-world TDM hardware like the GA-205. The multiplexer acts as the true functional centerpiece of the system that replicates the structural signature observed in the original MHFCS transmission.

C: Arduino #1
The first microcontroller serves as the data source and hardware controller, driven by the Arduino #2 clock. It is responsible for generating or forwarding the low-speed baseband bitstream (e.g., 50 bps) and generating the necessary addressing logic to drive the multiplexer. It ensures that the correct channel is actively routed into the system pipeline with precise timing.

D: Arduino #2 
The second microcontroller functions strictly as a downstream monitor and simulates the digital front-end of a STANAG-4285 modulator: it processes the incoming bitstream exactly as the STANAG-4285 hardware would see it, capturing the raw, synchronous 12-bit sequences directly from the multiplexer's output. The line tapped by the Arduino RX carries the exact, fully formed digital data that is ready to be applied to the physical input of the modem. This allows for comprehensive loopback testing, signal verification, and diagnostic analysis of the transmission line without needing to connect a physical modem unit.

This architecture functions as a redundant 12-bit serializer achieving high noise immunity and fault tolerance. On top of this hardware-level redundancy, the STANAG-4285 modem will introduce an extra layer of protection against fading and burst noise, thanks to its robust FEC (Forward Error Correction) and configurable interleaver mechanisms.

The fully wired circuit is depicted in Figure 7.


Fig. 7

Figure 8 displays the serial monitors of the two Arduino microcontrollers: the data source (top) and the receiver (bottom). Two "COM4" ports are displayed because the Arduino boards are driven by two separate PCs. Note that a very low clock rate was chosen in the firmware implementation to allow easy reading of the serial monitors.

Fig. 8: serial monitors output of the two microcontrollers

A note about Bitrate Expansion vs. Datarate Preservation
The integration of the buffer-extender and the hardware multiplexer within this data pipeline serves a dual purpose: expanding the transmission bitrate while strictly preserving the baseline datarate (the actual information payload). 
Bitrate Expansion (50 bps→600 bps): The system ingests a baseline digital signal at 50 bps and up-rates the transmission frequency by a factor of 12, delivering a 600 bps synchronous stream at the final output. This high-speed clocking is structurally required to match the ingestion constraints of the STANAG-4285 modem. 
Datarate Preservation: While the physical signaling speed increases, the net information throughput remains exactly identical to the 50 bps input. The system does not inject new data or alter the original message content. Instead of increasing information capacity, the remaining bandwidth created by the 12x clock multiplier is entirely dedicated to data redundancy. Each original bit is algorithmically mapped across the 12-bit output frame.
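The 50 bps to 600 bps expansion described here, and the receive-side check described earlier (isolate one of the twelve slots, then look for the x^31+x^3+1 sequence), can be reproduced in software. The sketch below is an added example and is not the Arduino firmware or any MHFCS code; the capture is constructed, the tap orientation chosen for x^31+x^3+1 is an assumption, and the majority vote goes one step beyond the single-slot isolation used in the analysis.

```python
"""12x repetition stream: framing, decoding and m-sequence check (added example)."""

REP = 12  # slots per frame: one 50 bps source bit fills twelve 600 bps line bits


def msequence(n, lag=3, deg=31):
    """n bits of s[i] = s[i-lag] ^ s[i-deg]; this tap orientation is an assumption."""
    s = [1] + [0] * (deg - 1)            # any non-zero start state works
    while len(s) < n:
        s.append(s[-lag] ^ s[-deg])
    return s[:n]


def repeat12(bits):
    """Transmit side: hold every source bit for REP line-clock periods."""
    return [b for b in bits for _ in range(REP)]


def find_alignment(stream):
    """Frame offset (0..11) at which the 12-bit blocks are most uniform."""
    def uniformity(off):
        total = 0
        for i in range(off, len(stream) - REP + 1, REP):
            ones = sum(stream[i:i + REP])
            total += max(ones, REP - ones)
        return total
    return max(range(REP), key=uniformity)


def single_channel(stream, off, ch):
    """Keep one of the twelve slots and drop the other eleven."""
    return stream[off + ch::REP]


def majority_decode(stream, off):
    """Collapse each 12-bit block to one bit by majority vote (ties read as 0)."""
    return [int(sum(stream[i:i + REP]) * 2 > REP)
            for i in range(off, len(stream) - REP + 1, REP)]


def recurrence_fit(bits, lag=3, deg=31):
    """Fraction of positions obeying bits[i] == bits[i-lag] ^ bits[i-deg]."""
    ok = sum(bits[i] == (bits[i - lag] ^ bits[i - deg]) for i in range(deg, len(bits)))
    return ok / (len(bits) - deg)


# Constructed capture: 400 source bits, recording starts 7 line bits into a frame,
# and every 193rd line bit is inverted to stand in for channel errors.
SOURCE = msequence(400)
CAPTURE = repeat12(SOURCE)[7:]
for _i in range(50, len(CAPTURE), 193):
    CAPTURE[_i] ^= 1

if __name__ == "__main__":
    off = find_alignment(CAPTURE)
    print("frame offset:", off)
    tapped = single_channel(CAPTURE, off, 9)
    voted = majority_decode(CAPTURE, off)
    print("slot 9 only   :", round(recurrence_fit(tapped), 3))
    print("majority vote :", round(recurrence_fit(voted), 3))
```

A fit of 1.0 means every decoded bit obeys the recurrence; the single-slot tap falls below 1.0 because three of the injected errors land in slot 9, while the vote removes all of them.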

https://disk.yandex.com/d/-9xhLnBZ-7RPKw  Royal Australian Navy, 14874.0 kHz CF
https://disk.yandex.com/d/MyzyM20VOnYTvg Portuguese Navy, 12704.5 kHz CF


(1) In professional HF communications (such as STANAG 4285 or MIL-STD-188-110A), the DCE (Data Circuit-terminating Equipment / Modem) acts as the master of the communications link, while the DTE (Data Terminal Equipment / Data Source) acts as a slave regarding timing and throughput.