110A 2400bps modem carrying 1536-bit protocol

Signal recorded on 14600.0 KHz/USB tranks to the KiwiSDR http://collie2.ddns.net:8073/ located in Western Australia. 

The used HF waveform is 188-110A Serial in 2400 bps mode, note the 48 symbols length frames (32+16 UK). ACF value is 200ms that makes 1440-bits/480-symbols: the length of the ACF is due to the short interleaver matrix dimensions for 2400 bps speed (40 rows x 70 columns) as discussed here.

Fig. 1

Once demodulated, we get a stream that has the well-known period of 1536 bits length that can be attributable to the GA-205 multiplexer: don't know if they were using 4 of 12 channels only. Also found the sync characters 9C16 and 9D16 ... but it might be a mere coincidence.  Most likely it's a naval broadcast by the Australian Navy RAN.

Fig. 2

Fig. 3

https://yadi.sk/d/yNUqhxj7Qca6TA

KW-46 secured fleet broadcast using the GA-205 multiplex (Australian RAN)

This is a very interesting STANAG-4285 signal spotted on May 24 on 6378.0 KHz USB thanks to the KiwiSDR owned by VK6QS in Collie, Western Australia. About the 6378 KHz, some old WUN logs report the callsign VZD800, at that time attribuited to the Royal Australian Navy (RAN). On my side, on that same frequency I spotted the Australian MHFCS net operating in ISB/FSK: so, as also confirmed by the direction finding, the source is definitely in Australia. 
In my opinion, I believe this is a KW-46 (or KIV-7M) secured multichannel fleet broadcast originated by the GA-205 TDM [1]: a 12-channel time division multiplexer that was just deployed at RAN by DRS Technologies (Fig. 1).

Fig. 1

Now, the way I came up to this conclusion.

The HF waveform is STANAG-4285, here used in the usual "600bps/Long" sub-mode (Fig. 1): waveform that is easily recognizable and then demodulable by almost all software decoders. Given the evidence of regular patterns, I reshaped the demodulated stream to a 12-bit format, just as the number of the input ports of the GA-205 TDM. After reshaping, you can clearly see that the 12 input channels transport exactly the same data (Fig. 2).

Fig.2

Then I exctracted a single payload (i.e. a column of the stream), reshaped it to a 7-bit frames format and tested it for LFSR delimitation: as expected, the KW-46 "sign" was detected (Fig. 3). Indeed, as from STANAG-5065, the "Fibonacci bits" originated by the polynomial x^31+x^3+1 are used by KW-46 cryptographic equipment to provide  synchronization.  

Fig.3

In synchronous mode the TDM works by the muliplexer giving exactly the same time slot to each device connected to it even if one or more devices have nothing to transmit. The data rates of different input devices control the number of the slots: a device may have one slot, other may have two or three according to their data rate. In this case, all the input channels have the same data rate of 600:12=50 Baud, therefore share the same number of slots.  Managing a TDM requires that some control bits (sync, device tagging, ...) be appended to the beginning of each slot, but I did not find such bits in the streams I demodulated: a recording of the initial part of a similar transmission could help.
From what above, in my opinion the heard S4285 transmission is a fleet broadcast consisting of 12 "flat multiplexed" [2] channels that transport the same KW-46/KIV-7M secured payload (real traffic or pseudo-random chars).

Monitoring the 6378.0 KHz frequency, on May 25 I saw that they switched to the ISB mode (Fig. 4), more precisely: LSB for a single channel fleet broadcast and USB for a multi channel (GA-205 TDM) fleet broadcast; both the broadcasts are KW-46 secured and use the same STANAG-4285 600bps/L waveform. Don't know if they carry the same payloads. 
The same STANAG-4285 configuration and broadcast paradigm were also spotted on 7462, 8460.2, 9140, 10368, 10407, and 10847.2 KHz (logged on May, 28): surely there are many other operating frequencies that I do not currently know.

For what concerns the source of the signal, TDoA direction findings indicate the "Naval Communication Station Harold E. Holt" (NCS HEH) which is located 6km north of Exmouth (Fig. 5). COMMSTA HEH is jointly manned by Royal Australian Navy and US Navy Personnel. The High Frequency Transmitter (HFT) site building houses a number of transmitters, many of which are dedicated to point to point communication circuits. These circuits are established with shore facilities and navy surface ships operating within the station's area of communications responsibility.
My friend Eddy Waters (member of Utility DXers Forum) from Australia emailed me: "there seem to be transmitter site changes happen at different times of the day. Sometimes these signals come from Exmouth Western Australia, sometimes from Lyndoch, New South Wales, sometimes from Humpty Doo, Northern Territory. There are more and more frequencies changing over to the ISB STANAG setup that you describe".
 

Fig. 5

As far as I know, RAN fleet broadcasts come in using the GA-205 in a 6-channels configuration, it's not clear to me the use of 12-channels that - moreover- transport the same payload. I tried to reshape the stream to a 6-bit frames format (and 6-bit multiples)... but the KW-46 synch missed. By the way,  it's interesting to mention the KW-46 secured transmissions (probably also them from RAN) reported here: https://i56578-swl.blogspot.com/.../kw-46-secured-traffic-over-188-110a.html
 

[1]  https://www.yumpu.com/.../ga-205-time-division-multiplexer
[2] I used the term "flat multiplexed" to mean the fact that no classified multiplexing algorithm seems to be used.

https://yadi.sk/d/xAuyLscfTDVCAQ (USB signal)
https://yadi.sk/d/icaUluG2MVpcNw (LSB signal)
https://yadi.sk/d/ppWjnYGFfsPw4A (USB stream)
https://yadi.sk/d/Fj3qaB5_Mndc3g (LSB stream)

DHFCS 1536-bit TDM protocol (2)

In the previous post I associated the 1536-bit TDM protocol to the DHFCS network, and that's correct, but I wrongly ascribed this protocol to Rockwell Collins. Indeed, looking carefully at the two slides below you can see that they refer to the products GA-123 (HF modem) and GA-205 (TDM multiplexer), both are produced by DRS Technology, a Leonardo (formerly Finmeccanica) company.

Fig. 1

Reading the GA-205 datasheet [1] we can shed a bit of light on the 1536-bit protocol: GA-205 is a 12-channel Time Division Multiplexer (TDM) that provides full-duplex and half-duplex transmission and reception of data at selectable user port rates of 75 x 2n up to 9,600 bps. The system accommodates user data that do not share common timing sources and provides for isochronous, bit stuff, synchronous and asynchronous operation.

Fig. 2 - the GA-205 multiplexer

In Time Division Multiplexing (TDM) the communication resource is shared by assigning input channels the full spectral occupancy of the system for a fixed duration of time called time slots.

Synchronous TDM works by the muliplexer giving exactly the same time slot to each device connected to it even if one or more devices have nothing to transmit. The data rates of different input devices control the number of the slots: a device may have one slot, other may have two or three according to their data rate. 
Asynchronous TDM, or statistical TDM, is a more flexible method of TDM since slots are assigned dynamically as needed, ie slots are not assigned to devices that have nothing to transmit. Variable-Length Time Slots Asynchronous TDM can accommodate traffic of varying data rates by varying the length of the time slots. Stations transmitting at a faster data rate can be given a longer slot.

Since GA-205 multiplexer can handle up to 12 channels, the four ports you see in Figure 1 can be misleading: it is possible that the "preset" shown in the screenshot (identified as TDM1 in the upper right), refers to a particular configuration used to manage only 4 input channels of the 12 available. Maybe a default? who knows, the slide dates back to 2006. Notice that in the shown preset the input channels exhibit different baud rates: 600, 300, and 75. In that condition, bit stuffig or variable length slots can be used.
 
Given the above considerations:
1) at most, the DHFCS 1536-bit format carries up to 12 channels (by the way, 1536 bits = 1024+512, ie 1.5 Kb);
2) managing TDM requires that some control bits (sync, device tagging, ...) be appended to the beginning of each slot and this overhead is clearly part of the raw bitstream that we get after S4285 removal;
3) since we do not manage the control bits, when the the GA-205 is used in async mode we can't say the number of the channels currently transmitted; as well as we do not know the number of "traffic" channels when GA-205 is used in sync mode.

My guess is that the 1536-bit period could be the frame length (the slots gathered in a complete cycle), no matter if GA-205 works in sync or async mode. 
Channels are encrypted individually before being applied to the multiplexer, they probably use BID-950 or KIV-7 (KIV-7 may work as KW-46).

DHFCS STANAG-4285 stations logged and DF'ed so far:
05553.2 Cyprus Is.

07937.0 Crimond 

11015.0 Crimond 

14390.0 Ascension Is. 

14548.2 Cyprus Is. 
15812.1 Cyprus Is.

16106.3 St. Eval 

16287.0 Ascension Is. 
16398.2 Cyprus Is. 
17398.2 Cyprus Is. 

[1] http://www.drs-ds.com/media/1414/ga205.pdf

DHFCS 1536-bit TDM protocol (1)

This afternoon I spotted a STANAG-4285 1200bps/L transmission on 7937.0 KHz/usb carrying the 1536-bit TDM data protocol already seen in some previous recordings discussed here. The most important thing is that the signal, with very a good reliability, comes from the RNAS (Royal Naval Air Station) near Crimond, Aberdeenshire (UK) and I remembered that a transmission that had the same characteristics (STANAG-4285 1200bps/L, 1536-bit protocol) was identified as coming from Cyprus Island (Figure 1).

Fig. 1

Well, both the stations belong to the Defence High Frequency Communications Service (DHFCS),  a British military beyond line-of-sight communication system operated by the Ministry of Defence (MOD) and used predominately by the Royal Air Force, Royal Navy and British Army, as well as other authorised users (Fig. 2).

Fig. 2 

This being said, it's likely to assume that the 1536-bit TDMA format is a proprietary protocol of used by DHFCS, maybe developed by Rockwell Collins who deployed the system? Some interesting information about DHFCS can be read from some presentations held in HFIA meetings. In particular, in the slides of Rockwell Collins - albeit a little dated - some screenshots related to the modem preset are shown where it is possible to see the setup of the waveform 4285 at 1200 bps/Long interleaver in async mode as well as the the GA-205 TDM multiplexer preset (Figs. 3,4). 

Fig. 3

Fig. 4

It is noteworthy that these slides date back to 2006.

27 August 2018 update
as expected, 14390.0 and 16287.0 transmissions (S4285 1200bps/L & 1536-bit TDM protocol) are from Ascension Island, overseas DHFCS stations:

Fig.5

Fig.6

STANAG-4285 unid 1536-bit secondary protocol (UK MoD?)

In most cases, STANAG-4285 transmissions running at 1200bps/L or 2400bps/L carry a data protocol with a period of 1536 bits, most likely a multiplex system (TDM) capable of carrying data and sync channels.

I followed these STANAG-4285 transmissions on 14548.2/usb throughout the morning and the first part of the afternoon. Unlike similar S-4285 broadcasts, there is not a continuous broadcast and the messages are transmitted to the need and always using the 1200bps Long interleaver sub-mode.
TDoA multilateration using 5 KiwiSDRs as sensors points to Cyprus Island as Tx site: maybe UK MoD DHFCS?

https://yadi.sk/d/Lpdff9ZZ3Y2NFi

https://yadi.sk/d/KH9n8Geo3Y2NRf

https://yadi.sk/d/TYCBcVds3Thyjx (1200bps)
https://yadi.sk/d/nwEpmsxO3ThyoN (2400bps)