Showing posts with label HARRIS WBALE/WHARQ. Show all posts

7 September 2022

Harris wideband operations (a bit "intruding" within the 7 MHz HAM band)

Wideband activity was heard at the end of August around 7 MHz (figure 1) using mainly Romanian and Greek KiwiSDR receivers. My friend KarapuZ sent me his recordings, which are of a much better quality than mine and therefore more suitable for analysis. According to my friend, this network was set up around March-April 2022 and is well audible in our area since the network is presumably deployed in the south-east of Europe.

Fig. 1 - wideband transfers

Waveforms, durations and signal sequences in my opinion point to Harris devices: they have in fact developed and implemented a wideband ALE (WBALE) adaptive system that selects the best channel, the available bandwidth and the frequency offset required for optimal wideband communications [1]. As I already mentioned in some blog posts, Harris WBALE relies on 3G-HF STANAG 4538 Fast Link Setup (FLSU) to establish a wideband link:

- the calling station first places a call using STANAG 4538 FLSU to exchange the profiles of the two linking radios and negotiate a traffic waveform
- the standard FLSU Request PDU has a traffic type parameter; Harris uses a new value of this parameter (reserved but not defined in STANAG 4538: see table 4.6.1-2 "second 6-bit argument field") to indicate that a wideband link is to be established
- the radios then use an additional handshake (not defined in STANAG 4538) to negotiate the bandwidth and offset (from the assigned frequency, see figure 1) to be used, based on the results of the preceding "spectrum sensing" (1).

Figure 2 shows the timing diagram of all the signalling required for the Harris WBALE protocol: the timing diagram follows the one described in 188-141D App.G, even if the used waveforms are different!

Fig. 2 - wideband session timing and real-world wideband transfer
 

Traffic is exchanged using the Harris proprietary WHARQ waveform family, easily recognizable by its "superframe" consisting of a STANAG-4538 BW6 preamble followed by 8 frames, each characterized by a different miniprobe pattern. An ACK PDU is transmitted by the receive station using a BW6 burst waveform. Figure 3 shows the main parameters of the WHARQ 2400 Bd 3 kHz bandwidth waveform.

Fig. 3 - WHARQ 2400 Bd 3-KHz bandwidth waveform

As I titled, the problem lies in the fact that one of the WB channels occupies about 12 kHz of the low part of the 7 MHz HAM band. It must be said that the 7 MHz band is primarily assigned to radio amateurs; however, shortwave broadcasters and land mobile users also have primary allocations in some countries, so amateur stations must share bandwidth with these users.

The choice of the 7 MHz band for such milcomms is probably related to the "primary and secondary users" concept [3], which divides the users into primary users (licensed) and secondary users (unlicensed): the former "own" the bandwidth allocation, while secondary users are only allowed to use this spectrum on a non-interfering basis:

a) for WBALE primary user mode, stations that link for the purpose of transferring data will use a bandwidth and offset in each direction that is chosen to maximize the signal-to-noise ratio (SNR) with which transmissions in each direction are received. Stations will avoid interference with other stations within the same network, but will make no effort to prevent interference with other stations outside the network, except as a byproduct of optimizing communications within the network.  This can have at least two significant implications:
1. the bandwidth and offset used in each direction of the link may be different;
2. the stations may cause harmful interference to communications in other networks while themselves not experiencing harmful interference. 

b) in secondary user mode, WBALE stations will not (as far as is practical) cause interference to other stations outside the network that are operating within the same channel allocations used by the network. In particular, whenever a link is established for a wideband data transfer, the bandwidth and offset used for the link will be chosen so as to avoid interference with any transmission detected by either side. This is likely to require that the same bandwidth and offset be used in both link directions.  

As you may see in figure 1, the bandwidth and offset used in each direction of each logical link are the same; therefore, in my opinion, it seems that they use this portion of the band (7 MHz) in secondary user mode.

Fig. 4 - a Rockwell Collins modem performing the spectrum sensing (2)

(1) To effectively utilize the allocated bandwidth, WBALE will need to listen to an entire wideband channel of up to 24 kHz, detect the presence of interfering signals on the channel that could render all or part of the channel unusable, and identify any portion of the channel that may still be usable even if the channel is partly blocked. This function is referred to as "spectrum sensing".

(2) Initial Wideband ALE development and testing was conducted together by Harris and Rockwell Collins.
 
 
[3] William N. Furman, John W. Nieto, Eric N. Koski: The 10th Nordic Conference on HF (2013)
 

16 April 2019

Harris wideband operations, WHARQ and WBALE waveforms (2)


Recently we had the chance to monitor and record the wideband transmissions on 7.9 MHz thanks to the use of four fairly close together KiwiSDRs [1] (we think the transmitters use low power and NVIS) and this allowed us to have a better understanding of the whole scenario.
The data waveforms occupy a bandwidth from 3 to 24 kHz (grouped together under the title, courtesy of radiofrecuencias.es) and use an adaptive ARQ pattern with modulations from PSK-8 up to QAM-64. As said, most probably they are part of the Harris WHARQ development: a proprietary wideband HF waveform family, already discussed here and largely discussed by my friends ANgazu, Malak and Rapidbit in the radiofrecuencias forum [2]. The burst waveforms are the WBALE PDUs, i.e. the Harris design choices for the implementation of 188-141D extensions for 3GWB mode [3].
 
Fig. 1 - spectrogram of a WHARQ waveform (credits to ANgazu)
WHARQ waveforms have a preamble/header followed by slots of miniprobe and data; 8 slots make a frame (or 8 frames grouped into a super-frame). Header modulation is always PSK-8 and it's followed by a "double" miniprobe. The duration of the header depends on the speed of the waveform (baud rate) and not on the modulation used. A frame is made up of 8 slots (data + miniprobe), with 8 different miniprobes in each frame. ACF varies depending on modulation and baud rate. For further details on WHARQ I suggest reading the relevant posts and analysis in the radiofrecuencias forum; here I focused on the WBALE bursts.

A quite clear WBALE/WHARQ scenario is visible in the IQ recording below in Figure 2:

Fig.2
The upper bursts are 3G STANAG-4538 BW5 and BW6: BW5 is used for Fast Link Setup (FLSU) and BW6 is used for acknowledgement PDUs. Looking at these samples, my guess is that the BW6 ACK is used with 3 kHz WHARQ waveforms and a proper WHARQ ACK burst is used with wider waveforms.
The Harris approach for 3GWB is based on a simple enhancement to the Fast Link Setup protocol defined in STANAG 4538. The primary modification is the use of an additional 3 kHz bandwidth burst handshake (WBALE HS in Fig. 3) which exchanges profiles of the two linking radios' locally measured interference environments and negotiates a waveform bandwidth, offset from the specified channel frequency, and modulation and coding selection suitable for reliable high-performance communications.

Fig. 3 - Harris WBALE (not in scale!)

The WBALE handshakes are clearly visible in Fig. 4; it's worth noting the change of the traffic waveform after bandwidth negotiation:

Fig. 4 - WBALE handshakes

WBALE PDUs are very similar to BW5 FLSU PDUs, so I analyzed them using a 3G demodulator: the following are therefore my hypotheses, which need further confirmation.
 
Fig. 5 - WBALE waveform
The PDUs have a duration of 525 ms and consist of 1216 PSK8 (2400 Bd on-air) symbols: 256 PSK8 symbols (768 bits) for the preamble, which is followed by 960 PSK8 symbols (2880 bits) for the ALE payload. I don't know, though it's likely, whether the preamble is preceded by one or more short TLC blocks (they might be ignored by the demodulator). Since Harris WBALE is 3G based, i.e. network participants are synchronized, I do not think "variable" length PDUs are used to best fit the scanning lists: there is no need since the peers are already linked by the previous BW5 FLSU handshakes (this means that WBALE bursts are not "caller" PDUs!).

1216 symbols @ 2400Bd are well suited to the duration of 525 ms
After a raw PSK-8 demodulation the payloads show a 3-bit structure (Fig. 6) and are possibly modulated using a Walsh function: it's difficult to establish the actual length of the payload since the FEC coding and Walsh format info are missing (by the way, payloads could be descrambled using the polynomial x^4+x^3+x+1 to obtain a 12-bit stream... but it's just a speculation!).

Fig. 6 - payload 3-bit structure after raw psk8 demodulation

15 March 2019

Harris WB operations and UK MoD XMPP over HF: interesting confirmations

Reading the Harris and Isode-Babcock presentations at the recent HFIA Meeting in San Diego, CA (February 14, 2019), I found interesting feedback which could confirm the guesses I made about:
1) new wideband HF waveforms tested by Harris (the analysis is posted here)
2) XMPP chat over HF by UK MoD (the analysis is posted here).



1) In the Harris presentation "Summary of Harris on-air testing of WBHF systems 2010-2018" you can read that since 2015 Harris began development of a WBHF Hybrid Automatic Repeat Request (ARQ) waveform for use on HF (WHARQ). It supports 3, 6, 9, 12, 15, 18, 21, 24 kHz. WHARQ is bundled in a new radio mode called 3G Wideband IP (3GWBIP) which has been tested extensively on the bench and over the air. On-air 3GWBIP testing took place in November-December 2018 using an NVIS link and 150 Watt power.


As posted here, some friends of mine and I saw 3-24 kHz bandwidth waveforms with modulations from PSK-8 to QAM-64 and data rates from 75 to 120,000 bps. Although the characteristics such as BWs, modulations and speeds are the same as those indicated in Appendix D of MIL-STD 188-110D (WBHF), these adaptive waveforms definitely do not belong to that standard.
Maybe we just heard those WHARQ/3GWBIP waveforms?


2) In the Isode-Babcock presentation "UK Mod XMPP over HF Pilot" you find that the UK MoD funded Babcock to run an XMPP over HF trial using Isode XMPP software. "Group Chat" provided by XMPP Multi-User Chat (MUC) is the core service. It is highly desirable to use real-time chat for naval and airborne communication when HF is the only available bearer. In the paper they presented the trials run to evaluate the viability of providing this service over STANAG 5066 ARQ.




 
Well, I'm happy to see that this paper matches the results posted here.

23 January 2019

wideband operations on 4950 KHz, new Harris wideband HF waveforms


For a few weeks my friend and colleague ANgazu and I have been studying an interesting wideband waveform family spotted on 4950 kHz (central frequency), just in the middle of the 60 m broadcast band; these transmissions have also been reported here by our friend KarapuZ from radioscanner. Monitoring was done thanks to the KiwiSDR owned by WA2ZKD, which can provide up to 20 kHz of IQ band: http://rx.jimlill.com:8073/.

As shown in Fig. 1, they use Harris WB-ALE paradigm for call and link negotiation:
- STANAG-4538 FLSU initial call for link setup
- spectrum sensing to measure interference within the selected wideband channel
- new burst handshake exchanges spectrum sense measurements
- data exchange
- STANAG-4538 FLSU for link term

Fig. 1
The Harris wideband ALE approach and the 3G extensions for wideband have been previously discussed in this post.  

As far as the data waveforms are concerned, we saw bandwidths from 3-24 kHz and modulations from PSK-8 to QAM-64 with a data rate from 75 to 120,000 bps.
Each transmission begins with a transmit level control (TLC) block to allow radio transmit gain control (TGC), transmitter automatic level control (ALC), and receiver automatic gain control (AGC) loops to settle before the actual preamble is sent/received. A variable length preamble for reliable synchronization and autobauding follows the TLC section, and it's followed by variable length frames of alternating data (unknown) and mini-probe (known) symbols: times vary depending on the combinations of speed and modulation.
Although the characteristics such as BWs, modulations and speeds are the same as those indicated in Appendix D of MIL-STD 188-110D (WBHF), these adaptive waveforms definitely do not belong to that standard. Indeed, as shown in the following figures (2-5), the waveforms exhibit a common structure consisting of a super frame formed of 8 frames, probably related to the 8 different allowable bandwidths: such a structure and the duration of the frames (i.e., the number of K and U symbols) are quite different from what is stated in Appendix D.

Fig. 2 - 4800Bd/6KHz waveform
Fig. 3 - 7200Bd/9KHz waveform
Fig. 4 - 9600Bd/12KHz waveform
Fig. 5 - 16800Bd/18KHz waveform

The frame structures have also been verified by analyzing some streams after the demodulation of the signals: figure 6 shows the result of the demodulation of a 9600Bd/12KHz chunk (in this case using PSK-8 modulation):

Fig. 6
When measuring the symbol rate using the quadrature detector, an interesting pattern shows up: a repetitive group of 8 blocks generated by the miniprobes. To date, we know the "frequency" in these blocks is different for every speed, starting at a lower frequency and going upwards. In some modes a mirror image can be seen, as in Fig. 7. This is an odd feature since it looks like miniprobes are not phase modulated as data are.

Fig. 7
The 8 different miniprobes repeat in a particular series and are complicated to study; their structure points to a sequence (maybe using Walsh modulation?) that repeats 4 times: this pattern seems to be the same in all waveforms, varying in frequency/duration.
Fig. 8
We have other examples of such miniprobes but we prefer to postpone them to a later post, if possible with more precise details. For this purpose, ANgazu and I would like to have some other, better recordings (i.e., with IQ band > 20 kHz) from friends in the US so that we can gather more information. Thanks!

https://yadi.sk/d/9Imj9tLkYZHGTQ
https://yadi.sk/d/cGzxKGCXHfUuFQ

13 April 2018

3GWB, 3G ALE extensions for wideband operations (Harris WB ALE)


I was investigating some wideband HF (WBHF) scenarios and spotted unexpected 3G-HF FLSU bursts in some recordings: it's an unexpected presence because for circuit mode connections WBHF is not included among the types of traffic that will be delivered on the link (the available types of traffic are listed in STANAG-4538 Table 4.6.1-2). Such transmissions can be observed by monitoring the band around 9.2 MHz.
Reading Appendix G to MIL 188-141D, I found an answer to my perplexities: most likely those intercepts are related to 3GWB, a set of "extensions" to 3G-HF linking for wideband. Indeed, quoting MIL 188-141D §G.5.5.7, "It is possible to set up a narrowband link using 3G-HF FLSU and then to negotiate a wideband channel for traffic via a second handshake that uses 3GWB extensions to the FLSU protocol, the link shall be terminated with FLSU_term. The extensions for this 3GWB mode are not standardized here". Figure 1 provides a timing diagram of all the signalling required.
 
Fig. 1 - 3G wideband point-to-point link setup example (timing not to scale)
Since Harris developed a similar system for wideband ALE termed "WB ALE" [1] [2], I am inclined to think that part of the heard WBHF transmissions are just examples of WB ALE/3GWB system tests. 

Figure 2 reports such a transmission recorded on 5365.0 kHz/USB. The link setup of standard 3G-HF is unaffected: link request and confirm control FLSU bursts remain unchanged. Harris say that the only modification to 3G linking is the addition of a new traffic type to support wideband data (as I supposed). After the link has been established, both radios simultaneously perform a spectrum sensing operation to determine the currently interference-free bandwidth at each end. Once spectrum sensing has determined the available bandwidth and offset, a second two-way handshake (WB handshake) is used to exchange the required information for the wideband transfer. Once the data transfer is complete, FLSU terminate bursts will tear down the link as is done in 3G-HF.

Fig. 2 - on-air 3G wideband point-to-point link
Fig. 3
By the way, the traffic waveform (Fig. 4) has a symbol rate of 14400Bd and uses the 18 KHz bandwidth.

Fig. 4

I do not have information about the format of the PDUs (Protocol Data Units) employed in the WBALE handshake (are they addressed?); unfortunately the quality of the recordings doesn't allow accurate investigations such as the ACF and the period framing. I can only state that WB ALE request and confirm bursts last about 530 ms and are modulated at 2400 symbols/sec using PSK-8 modulation. Quoting Harris [1]:

"The two-way WB handshake has been designed using burst waveforms very similar to BW5 of STANAG-4538 and allows the exchange of the following information:
- SNR values measured at each end
- Quantized representation of local interference environment
- Coordinated decision on available bandwidth (i.e. 3, 6, 9, 12, 15, 18, 21, 24 kHz)
- Coordinated decision on offset (i.e. frequency offset of available bandwidth in the up to 24 kHz allocation; offset value is quantized and is in the range of +/- 10500 Hz)
- Coordinated decision on initial data rates.
Bandwidth and offset decisions will be based on either a primary or secondary usage of channel. In primary user mode, bandwidth and offset decisions can be made independently for each direction of transmission. In secondary user mode, bandwidth and offset will be the same in both directions."
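
The two usage modes in the quote above (also discussed as primary/secondary user modes in the 7 September 2022 post) can be illustrated with a small model. This is an added example, not Harris code or part of the original posts: it assumes the "quantized representation of local interference" is one busy/clear flag per 3 kHz sub-band of the 24 kHz allocation and that the widest contiguous clear run is chosen; the function names and sensing results are constructed.

```python
# Added illustration (not Harris code): bandwidth/offset choice from sensing.
# Assumption: interference is quantized as one busy flag per 3 kHz sub-band.
SUBBAND_HZ = 3000
N_SUBBANDS = 8  # 8 x 3 kHz = 24 kHz allocation

# Constructed sensing results, lowest sub-band first (True = interference).
SENSE_A = [True, True, False, False, False, False, False, False]
SENSE_B = [False, False, False, False, False, False, True, False]


def widest_clear_run(busy):
    """Return (start, length) of the widest clear run; centre-most on ties."""
    best, best_dist = (None, 0), None
    i = 0
    while i < N_SUBBANDS:
        if busy[i]:
            i += 1
            continue
        j = i
        while j < N_SUBBANDS and not busy[j]:
            j += 1
        dist = abs((i + j) / 2 - N_SUBBANDS / 2)
        if j - i > best[1] or (j - i == best[1] and dist < best_dist):
            best, best_dist = (i, j - i), dist
        i = j
    return best


def to_bw_offset(start, length):
    """Map a sub-band run to (bandwidth_hz, offset_hz from assigned frequency)."""
    if length == 0:
        return (0, None)  # whole allocation blocked
    bandwidth = length * SUBBAND_HZ
    low_edge = start * SUBBAND_HZ - N_SUBBANDS * SUBBAND_HZ // 2
    return (bandwidth, low_edge + bandwidth // 2)


def negotiate(busy_a, busy_b, mode):
    """Return the (bandwidth, offset) chosen for each link direction."""
    if mode == "secondary":
        # Avoid anything detected by either side: same choice both ways.
        merged = [a or b for a, b in zip(busy_a, busy_b)]
        choice = to_bw_offset(*widest_clear_run(merged))
        return {"a_to_b": choice, "b_to_a": choice}
    if mode == "primary":
        # Each direction is chosen only from what its receiver senses.
        return {
            "a_to_b": to_bw_offset(*widest_clear_run(busy_b)),
            "b_to_a": to_bw_offset(*widest_clear_run(busy_a)),
        }
    raise ValueError("mode must be 'primary' or 'secondary'")


if __name__ == "__main__":
    for mode in ("primary", "secondary"):
        print(mode, negotiate(SENSE_A, SENSE_B, mode))
```

With the constructed sensing results, primary mode gives 18 kHz in each direction but at different offsets (-3000 Hz and +3000 Hz), while secondary mode gives 12 kHz at offset 0 in both directions. A single 3 kHz sub-band at either edge of the allocation maps to an offset of -10500 or +10500 Hz, which is the offset range given in the quote.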

Given the latest "D" release of MIL 188-110 (December 2017), it would be interesting to know if Harris has upgraded  WB ALE to support up to 48 KHz bandwidth waveforms introduced by the Appendix D. 

Thanks to KarapuZ who sent me some of his recordings.


The multiplicity of abbreviations and acronyms sometimes doesn't help; below are the ones I used:

WBHF, Wideband HF waveforms (MIL 188-110C/D App.D)
3G-HF, third generation HF protocol suite for 3G ALE and data-link (STANAG-4538), FLSU is the 3G-HF Fast Link Setup protocol
3GWB, third generation ALE with wideband extensions
WB ALE (or WBALE), Harris implementation of 3GWB

WALE (or 4G ALE), wideband ALE as for MIL 188-141D App.G, fourth generation ALE

note that WB ALE is not synonymous with WALE since the latter has its own PDUs and waveforms.