Showing posts with label vocoders-scramblers. Show all posts

18 February 2025

T-219 "Yachta", analog voice scrambler

Thanks to my friend Mario, who recently sent me some recordings, I had the opportunity to study the Russian T-219 system, codenamed "Yachta" (Russian: ЯХТА). Yachta is a Russian analog voice scrambler featuring a Frequency Shift Keying (FSK) signal transmitted in the center of the spectrum, with the encrypted voice stream split above and below the FSK signal (Figure 1). Although dating back to the Cold War era, the system is still used for tactical communication in the field: the recordings are only a few days old and were heard in the lower VHF range (just above the upper HF limit). The stream consists of unequal time segments, within which the two voice subchannels are swapped and inverted.

Fig. 1 - T-219 "Yachta" signal

The FSK signal is used as a synchronization sequence and is transmitted at a rate of 100 bps with a 150 Hz shift (Figure 2).

Fig. 2 - T-219 FSK parameters

As shown in Figure 3, after FSK demodulation the resulting synchronization bitstream is an M-sequence based on the irreducible polynomial x^52+x^49+1.

Fig. 3 - the M-sequence based on the irreducible polynomial x^52+x^49+1

It turned out that during the formation of the FSK signal the phases of the two frequencies are preserved after each "shift" (Figure 4 shows two periods): that suggests that it's formed by switching (mechanically or electronically) between two independent F1/F2 frequency generators which bear some inter-relationship, or by using a VCO system.

Fig. 4 - two periods of the FSK frequencies

By the way, looking at the durations of two periods:
F1 = 2 / 0.001285470 s = 1555.851167277338 Hz
F2 = 2 / 0.001422470 s = 1406.005047558121 Hz
the shift is just about 150 Hz.
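As an added illustration (not part of the original post), the following Python script generates the M-sequence of the polynomial above with an LFSR, checks whether a demodulated bitstream obeys the same recurrence (in forward, reversed and bit-inverted form), and redoes the tone calculation from the measured period durations. The stream it analyses is generated locally from a constructed seed, not taken from a recording.

```python
"""Added example (not from the original post): generate the T-219 sync
M-sequence from x^52+x^49+1, test whether a demodulated bitstream obeys the
same recurrence, and redo the tone calculation from the period durations."""
import random

T219_POLY = {52, 49, 0}            # exponents of x^52 + x^49 + 1

def lfsr_sequence(poly, seed, nbits):
    """Fibonacci LFSR, poly given as exponents, L = max(poly).
    Recurrence: s[n] = XOR over taps j < L of s[n - L + j].
    seed holds s[0..L-1] and must not be all zero."""
    L = max(poly)
    taps = [j for j in poly if j < L]
    state = list(seed)              # state[k] = s[n + k]
    assert len(state) == L and any(state)
    out = []
    for _ in range(nbits):
        out.append(state[0])
        new = 0
        for j in taps:
            new ^= state[j]         # s[n + L]
        state = state[1:] + [new]
    return out

def recurrence_errors(bits, poly):
    """Positions n >= L where bits[n] != XOR_j bits[n - L + j]: 0 for a
    true M-sequence of poly, about half the positions for anything else."""
    L = max(poly)
    taps = [j for j in poly if j < L]
    errors = 0
    for n in range(L, len(bits)):
        pred = 0
        for j in taps:
            pred ^= bits[n - L + j]
        errors += pred != bits[n]
    return errors

def identify(bits, poly):
    """Which convention fits: poly itself, its reciprocal x^L*p(1/x) (the
    same sequence read backwards) and, for each, the bit-inverted stream
    (mark/space swapped at the FSK demodulator).  None if nothing fits."""
    recip = {max(poly) - j for j in poly}
    inv = [1 - b for b in bits]
    cases = (("forward", bits, poly), ("reversed", bits, recip),
             ("forward-inverted", inv, poly), ("reversed-inverted", inv, recip))
    for name, b, p in cases:
        if recurrence_errors(b, p) == 0:
            return name
    return None

def fsk_from_periods(t1, t2, cycles=2):
    """Tone frequencies in Hz from the duration (s) of `cycles` periods of
    each tone; the post measured two periods: 1.285470 ms and 1.422470 ms."""
    f1, f2 = cycles / t1, cycles / t2
    return f1, f2, abs(f1 - f2)

if __name__ == "__main__":
    rng = random.Random(7)
    seed = [1] + [rng.randint(0, 1) for _ in range(51)]   # constructed seed
    sync = lfsr_sequence(T219_POLY, seed, 400)          # 4 s at 100 bps
    print("captured stream:", identify(sync, T219_POLY))
    print("inverted capture:", identify([1 - b for b in sync], T219_POLY))
    print("F1, F2, shift:", fsk_from_periods(0.001285470, 0.001422470))
```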

https://disk.yandex.com/d/M60fqwh32SbNFQ 

12 May 2023

TADIRAN HF modem running in scrambler mode (2)

Fig. 1

Tadiran/Elbit HF modem, probably the HF-6000 model, running in COMSEC mode using FSK 125Bd/300Hz Digital Coded Squelch (DCS) and scrambled voice comms. The FSK segments (the DCS part) sent during the scrambled voice comms have a speed of 125Bd and a 300Hz shift, i.e. the same parameters as the initial F7B (apparently MFSK-4) waveform, and consist of a 160-bit period bitstream (Figure 2).

Fig. 2 - main DCS parameters

It's worth noting that the transmission was sent using LSB (Figure 3).

Fig. 3

https://disk.yandex.com/d/novPamUmQksXmg

25 November 2021

HARRIS PSK8 2400 Bd Digital Voice, an autobaud waveform?

Discussing with my friend ANgazu the HARRIS Digital Voice waveform (see this post), it seems likely that the waveform is designed to provide an autobaud feature, which is coded, in our opinion, in its initial header just before the normal frame structure. As shown in figure 1, the "presumed" autobaud header consists of 8 frames, each with a duration of 13.3 ms and a length of 32 bits (given the PSK2 modulation at 2400 Bd), for a total length of 256 bits. The synchronization functions would then be performed by the preamble sequences, which are transmitted every 106.6 ms. The autobaud function may be necessary since, according to the RF-5800 data sheet, the narrowband digital voice mode may use MELP and LPC-10 algorithms at 2400 and 600 bps.

Fig. 1 - the presumed autobaud header

Moreover, looking at the bitstream of an entire session (figure 2), it can be argued that the shorter segments are used for the management of the voice link (ARQ mode); selcall, link setup and link closure are performed by the HARRIS-specific waveform.

Fig. 2

19 November 2021

Harris RF-5800 Digital Voice PSK8 serial waveform (yet another 106.6 ms ACF)

A friend of mine sent me these signals consisting of a complete session utilizing the Harris 600/2400 bps Digital Voice (DV) mode:

1- selcall & link setup
2- 600/2400 bps vocoder PSK segments
3- link terminate

Fig. 1 - Harris Digital Voice mode session

Selcall is quite clear: it's an MSK/OQPSK modulation at 2000 Baud, followed by a short MFSK-8 125 Baud segment in non-standard MS-188-141A format; the ACF is 50 ms (100 bits) and the resulting bitstream is characterized by the presence of the usual pattern (figures 2a, 2b).

Fig. 2a - Harris selcall MSK/OQPSK part

Fig. 2b - Harris selcall MFSK segment part

The DV mode PSK8 serial waveform is used only when a voice link is selected, although it also allows data to be sent over the same link; both data and voice are secured with Citadel encryption. Its ACF is the quite common 106.6 ms, and that causes false-positive STANAG-4285 detections by decoders. As shown in figures 3a and 3b, each frame consists of 256 tribit symbols; according to the SA raster and the bitstream, each frame consists of 66 sync sequence symbols (instead of 80 as in other similar 106.6 ms ACF waveforms), followed by a data block of 190 symbols. The sync sequence is transmitted recurrently every 106.6 ms and uses PSK2 modulation.

Fig. 3a - Harris DV PSK8 serial

Fig. 3b - Harris DV framing

From Harris RF-5800 datasheet: "The digital voice mode utilizes the latest military MELP and LPC-10 algorithms for high-quality secure narrowband voice at 2400 bps. The Harris 600 bps vocoders extend the communication range beyond conventional 2400 bps systems." [1]

About the 106.6 ms ACF waveforms (figure 4), as said here, it seems that decoders such as Sorcerer, and therefore also K500, try to identify a signal by measuring its ACF and comparing it against an internal table: likely, the length of the ACF and the initial PSK2 sync sequence mislead the decoders, which consequently give a false-positive STANAG-4285 id.

Fig. 4 - some common 106.6 ms ACF waveforms


https://disk.yandex.com/d/jMGcjN4lD8RH9Q 

[1] https://disk.yandex.com/i/sFOl3aX98-d6SQ

 


16 September 2019

CIS Makhovik (T-230) in CIS-12 and PSK2/1200bps waveforms

Recently my friend KarapuZ gave me the chance to analyze a CIS-12 bitstream and I took the opportunity to work on the "format" of Makhovik and then compare the CIS-12 stream with other Makhovik streams coming from PSK2/1200bps modulations. The results are rather interesting, even if the lack of official documentation and the number of available samples do not allow any exact classification but only hypotheses.

Makhovik (the "flywheel") is a well-known Soviet military crypto system also used by the National People's Army of the former German Democratic Republic (NVA, Nationale Volksarmee). Although some classify Makhovik as a vocoder, it can be used for time-multiplexed encryption of both voice and data up to 9600 bps. Its official name is "T-230 bundle ciphering device for teleprinter and data connections"; it was designed to operate in UHF but is very often found in LF and HF.
T-230 main unit (Fig. 1) consists of four slots:
AT-3002M multi-channel modem for LF channels,
AT-3004D multi-channel modem for HF channels (CIS-12 waveform, also known as MS5 or "Fire"),
AT-3001M voice scrambler (five per unit system maximum),
AT-3025 signaling unit and pager (two per device system).
The T-230-1A is a single-channel version of the T-230. The device contains the cipher, modem and radio as well as the vocoder. The system is constructed with 3 modules/blocks and provides two 1200bps channels in its basic configuration. Several T-230-1A can be used in stationary operation with the modems of the multi-channel variant, AT-3002 and AT-3004D. 8 keys can be set for a maximum of 8 subscriber networks.

Fig.1 - a T-230 system
AT-3004D/AT-3104 (CIS-12)
CIS-12 is a pseudo-OFDM 12-tone (+ 1 pilot) waveform using PSK2 or PSK4 modulation at a speed of 120 Baud; the modem name is AT-3004D (or its newer counterpart AT-3104). Channels 1-10 are used for data, 11 and 12 are test/service channels, therefore the "aggregate" speed is 1200 Baud (just as the baud rate of the T-230-1A waveform).
The structure of the preamble (Fig. 2) in some way resembles the one described in MIL 188-220 Appendix D, "standards for COMSEC transmissions": I refer to that terminology just for the sake of clarity and to better illustrate my guess; as said, there is no confirmation of it.
Fig.2 - CIS-12 Makhovik

The two "frame sync" blocks consist of a 15/30-bit repeating pattern. The block between the two frame sync blocks is the most interesting (Fig. 3). It consists of 511-bit long pseudo-random sequences generated by the primitive polynomial x^9+x^5+1 [1], thus matching ITU Recommendation O.153 [2]. This pattern is primarily intended for error measurements at bit rates up to 14.4 kbit/s. Anyway, 511-bit sequences are also used for synchronization purposes, as in the 188-110B "39-tone parallel mode" (see Appendix B #5.4.3). Since the 511-bit block is not reinserted, I tend to think that it's used to sync the receive side (the modem or the crypto device). It's worth noting that although ITU O.153 reports that the longest sequence of ZEROs is 8 (non-inverted signal), I found some sequences with a greater length: maybe it depends on the OFDM demodulator or the quality of the signal, or maybe the sequences used are not fully ITU O.153 compliant.

Fig.3 - CIS-12 511-bit sequences
Finally, what I call here the "Message Indicator" is a 720-bit long block made of eight 30-bit strings, each repeated 3 times (Fig. 4). The x3 redundancy, as in other crypto devices such as the KG-84, is used to improve the accuracy and reliability of the reception. Encrypted data follow this block.

Fig.4 - CIS-12 720-bit MI
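As an added example (not from the original post), the script below generates the ITU-T O.153 511-bit sequence from x^9+x^5+1, checks the period, balance and longest-run properties mentioned above, tests whether a captured 511-bit block is a phase of that sequence, and majority-votes a 720-bit MI block. The consecutive layout s1 s1 s1 s2 s2 s2 ... of the triplicated strings and the MI sample are assumptions/constructed values.

```python
"""Added example (not from the original post): the ITU-T O.153 511-bit PRBS
(x^9+x^5+1) seen in the CIS-12 preamble, its run/balance properties, a
phase-independent test for a captured 511-bit block, and an encoder plus
majority-vote decoder for the 720-bit Message Indicator.  The MI layout
s1 s1 s1 s2 s2 s2 ... is an assumption (the post only says 'repeated 3 times')."""

def prbs9(nbits, seed=(1,) * 9):
    """O.153 2^9-1 sequence, non-inverted output: s[n] = s[n-9] XOR s[n-5]."""
    state = list(seed)          # state[0] = s[n-9] ... state[8] = s[n-1]
    out = []
    for _ in range(nbits):
        new = state[0] ^ state[4]
        out.append(new)
        state = state[1:] + [new]
    return out

def longest_run(bits, value):
    """Length of the longest run of `value` (O.153: 8 zeros, 9 ones)."""
    best = cur = 0
    for b in bits:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best

def is_o153_block(block):
    """True if a captured 511-bit block is a rotation of the O.153 sequence,
    i.e. was produced by x^9+x^5+1 with any seed/phase; any other 511-bit
    pattern returns False."""
    ref = "".join(map(str, prbs9(1022)))     # two periods cover every phase
    return len(block) == 511 and "".join(map(str, block)) in ref

def encode_mi(strings):
    """Eight 30-bit strings -> 720-bit block, each string sent three times."""
    assert len(strings) == 8 and all(len(s) == 30 for s in strings)
    return [b for s in strings for _ in range(3) for b in s]

def decode_mi(block):
    """Majority-vote the three copies of each 30-bit string.  Returns the
    eight recovered strings and the count of positions whose copies
    disagreed (i.e. single hits corrected by the x3 redundancy)."""
    assert len(block) == 720
    strings, disagreements = [], 0
    for i in range(8):
        copies = [block[(3 * i + k) * 30:(3 * i + k + 1) * 30] for k in range(3)]
        voted = []
        for a, b, c in zip(*copies):
            voted.append(1 if a + b + c >= 2 else 0)
            disagreements += not (a == b == c)
        strings.append(voted)
    return strings, disagreements

if __name__ == "__main__":
    seq = prbs9(1022)
    print("period 511:", seq[:511] == seq[511:], "ones per period:", sum(seq[:511]))
    print("longest zeros/ones:", longest_run(seq, 0), longest_run(seq, 1))
    mi = [[(i * 7 + j) % 2 for j in range(30)] for i in range(8)]  # constructed MI
    block = encode_mi(mi)
    block[5] ^= 1; block[40] ^= 1            # two hits in different copies of s1
    rec, n = decode_mi(block)
    print("MI recovered:", rec == mi, "positions corrected:", n)
```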
T-230-1A (PSK2 1200bps)
The same blocks (sync, 511, MI), with a different arrangement, can be observed in a full sample of a PSK2 1200bps transmission (file "_b" in the downloadable zip archive). In this case the 30-bit sync pattern is reinserted several times, as are the MI blocks (Fig. 5).

Fig.5 - T-230-1A Makhovik
In my archive I found other samples that are presumably attributable to the T-230-1A (files "_a" and "_c" in the downloadable zip archive): unfortunately I caught these transmissions late, therefore it was not possible to examine their preamble.
In these samples (Fig. 6) the 30-bit sync frame block is missing but, as I said, it could be inserted at the start of the transmission. A second interesting feature is the use of sequences 511 bits long which are not generated by the polynomial x^9+x^5+1! (fixed in this post)
 
Fig.6 - other PSK2 1200bps samples with Makhovik format

All three PSK2 samples anyway have the same 30-bit MI structure as the one seen in CIS-12 (Fig. 7).


Fig.7 - 30-bit MI blocks

I would like to point out that this post does not claim to provide a description of the Makhovik encryption protocol but is just limited to the presentation of results obtained from the analysis of some samples: further (many) recordings are needed as well as tips and help from friends.

https://yadi.sk/d/j9HShkWFQo5z9g


[1] https://en.wikipedia.org/wiki/Linear-feedback_shift_register
[2] https://www.itu.int/rec/T-REC-O.153/en

7 May 2018

Telsy/Q-MAC MPSK 30+1 48.8Bd 60Hz
i56578, DF3LZ, KarapuZ


Radio check between voice callsigns GAMMA 130 and ROSTRO 530 (respectively an It-GdF shore station and a patrol boat) followed by short MPSK blocks, most likely digital voice.
The MPSK signal occupies a bandwidth of ~2280Hz and has an FSK-2 600Hz shift preamble lasting 150ms (Fig. 1). Except for the 1st block, the FSK preambles of the following 3 blocks are similar. The 30 tones are 60Hz spaced: in the lower group of 20 tones π/4-DQPSK modulation at 48.8Bd is used; in the upper group of 10 tones a mix of modulations (MFSK, DBPSK and π/4-DQPSK) at the same 48.8Bd speed is used (Fig. 2).

Fig. 1
Fig. 2 - upper group of 10 tones (credits to KarapuZ)
The tone in between the two groups is modulated using DBPSK2 at 48.8Bd (same speed as above) and is used for sync purposes. The 3 blocks have the same sequences transmitted in the sync channel (Fig. 3).

Fig. 3


This signal is similar to the Q-MAC HF modem waveform reported by radioscanner, except for the presence of the FSK preamble (Fig. 4). Indeed, a DXer from UDXF suggested the Telsy TCH01c rather than the Q-MAC modem. Quoting from Telsy documentation [1]: "The TCH01c – Telsy Crypto Handset – is a unique and sophisticated encryption unit, combining an encryption module, a vocoder and a modem in a single handset." Well, in August 2009 Barrett Communications announced its acquisition of Q-MAC Electronics:
http://www.barrettcommunications.com.au/.../
and it's interesting to note that Barrett recommends the Telsy TCH01c crypto handset for some of their transceivers:
http://www.italponti.it/_files/download/allegati/2090.pdf
That said, perhaps Telsy embeds the modem in their handset under a Q-MAC/Barrett OEM license? I emailed Telsy but did not get any reply.
 
Fig. 4 - signal by radioscanner (upper) and the signal being analyzed

It's also interesting to note that the digital signal was preceded by the following comms:
GAMMA 160: let's have a try with a 'passage' in red, I'll take you
ROSTRO 530: yes go ahead, take me up
Usually "red" stands for non-encrypted transmissions, so it seems that they used a clear-text transmission for the modem check.


13 March 2018

about LPC-10 frames (STANAG-4197)

A few days ago KarapuZ and I were discussing a way to detect/isolate the LPC-10 digital voice encoded frames from a STANAG-4197 waveform and avoid false decoding. I took advantage of a heavy cold to stay at home and deepen the subject a little more.
Briefly, the 4197 modem generates two separate signal formats based on two tone libraries: the 16-tone library is used for the system preamble and the 39-tone library is used for digital voice data. The initial preamble (modem preamble) is used in the receive modem for the detection of signal presence, the correction of Doppler, and the identification of the beginning of the system preamble. The system preamble tones are modulated at 75 Baud and the encoded voice (say LPC) segment at 44.44 Baud: both segments are formed using OFDM technology (Figure 1).

Fig. 1
As said above, the aim was to dig into the demodulated bitstreams and find the period of the LPC frames. In all the demodulated streams, from different recorded 4197 samples, we found a period of 252 bits that is due to the system preamble frames (Figure 2). Indeed, quoting STANAG-4197: "The system preamble consists of a 4-bit code word to indicate the mode of the transmitting terminal combined with a 108-bit COMSEC message indicator, plus a 16-bit all-zero word. These 128 bits are encoded by a Bose-Chaudhuri-Hocquenghem (BCH) error correction code (252,128) which provides a 252-bit which are transmitted as 126 dibits on the 16-tone library."
 
Fig. 2
To avoid their "interference", the system preambles were removed from all the streams, leaving only the LPC segments. From reading STANAG-4197 we expected an LPC period of 54 bits: "The Linear Predictive Code provides 54 bits per frame at 44.44 frames per second. [...] The modulator shall accept 78 bits per frame from the encoder. The data shall be assigned to 39 dibits (one dibit symbol per tone)", as depicted in Figure 3.
 
Fig. 3
Well, what we have seen are random-bit periods, never a 54-bit period, sometimes bursts with 78-bit periods (Figure 4). Perhaps the periods of 78 bits are just a coincidence, but given that the modulator works on frames of this length (Figure 3), in my opinion this result should not be underestimated.

Fig. 4
The most probable reason is the use of a ciphering device in the chain (Figure 5): the signal coming from a headset/handset or from on-board communication systems is digitized by the LPC vocoder, encrypted and then modulated in accordance with STANAG 4197.
 
Fig. 5
Although a period of 252 bits is a hallmark of 4197, it is not sufficient to identify LPC frames, at least as long as a ciphering device is used. The doubt remains about those 78-bit period frames, a length that corresponds exactly to the 39 dibits assigned to the LPC tones.
The tests were done on about two dozen samples, some of them coming from the same source, so it would be useful to repeat the measurements on other, different recordings, better if unencrypted.
Unfortunately, 4197 / LPC-10 transmissions are not very frequent, but 188-110 39-tone (also known as M-39) could be a way out: according to 188-110B #5.3.1.3 "the modem should be expandable to include the Advanced narrowband digital voice terminal (ANDVT) (thirty-nine tone) mode. If included, this mode shall be in accordance with MIL-C-28883 and STANAG 4197." This is possible since the 188-110B App. B waveform adopts the same 39-tone library as STANAG-4197.

Fig. 6
Looking at one of these demodulated streams we had more luck and found a period of 54 bits that could be(!) what we were looking for (Figure 7). Moreover, quoting STANAG-4197 "The 39 dibit/tone assignments shall be permuted to minimize the effect of the frequency selective fading and narrow-band interference [...]. The permutation pattern shall repeat after 39 frame periods.", we also tried a 78 x 39 = 3042 bits period, getting a quite good result.


Fig. 7
Fig. 8
Further 4197/M39 recordings will help.
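The period search used in this post (252 bits from the system preamble, 54/78/3042 bits from the LPC frames) can be reproduced on a bitstream with a simple lag-agreement measure. The script below is an added example, not code from the post, and runs on a constructed stream: a few repeats of one random 252-bit preamble word followed by random bits standing in for encrypted LPC frames, so that the preamble part shows the 252-bit period and the "preamble removed" part shows none, as observed above.

```python
"""Added example (not part of the original post): the bit-level period search
used above, i.e. how strongly a stream agrees with itself at a given lag.
Runs on a constructed stream: a few repeats of one random 252-bit system
preamble word followed by random bits standing in for ciphered LPC frames."""
import random

def lag_agreement(bits, lag):
    """Fraction of positions n with bits[n] == bits[n+lag]: about 0.5 for
    random data, 1.0 when the stream repeats exactly with that period."""
    n = len(bits) - lag
    if n <= 0:
        return 0.0
    return sum(1 for i in range(n) if bits[i] == bits[i + lag]) / n

def period_candidates(bits, lags, threshold=0.9):
    """Lags from `lags` whose agreement exceeds threshold, strongest first."""
    scored = sorted(((lag_agreement(bits, lag), lag) for lag in lags), reverse=True)
    return [lag for score, lag in scored if score > threshold]

def build_stream(rng, preamble_repeats=4, voice_frames=200):
    """Constructed sample.  In the real signal the 252-bit word is the
    BCH(252,128) encoding of mode + 108-bit MI + 16 zeros; here it is just
    252 random bits repeated, followed by voice_frames * 78 random bits
    (an encrypted LPC stream shows no 54-bit structure).
    Returns (stream, length of the preamble part)."""
    preamble = [rng.randint(0, 1) for _ in range(252)]
    voice = [rng.randint(0, 1) for _ in range(voice_frames * 78)]
    return preamble * preamble_repeats + voice, 252 * preamble_repeats

def analyse(seed=1):
    """Search the preamble part and the 'preamble removed' part for the
    periods discussed in the post; returns the candidates found in each
    part and the raw agreement scores of the voice part."""
    rng = random.Random(seed)
    stream, plen = build_stream(rng)
    lags = [54, 78, 252, 3042]
    sys_part, lpc_part = stream[:plen], stream[plen:]
    return (period_candidates(sys_part, lags),
            period_candidates(lpc_part, lags),
            {lag: round(lag_agreement(lpc_part, lag), 2) for lag in lags})

if __name__ == "__main__":
    sys_periods, lpc_periods, scores = analyse()
    print("system preamble part:", sys_periods)   # [252]
    print("LPC part:", lpc_periods, scores)       # [] - nothing above 0.9
```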

14 October 2017

TADIRAN HF modem running in scrambler mode

Tadiran/Elbit HF modem, probably the HF-6000 model, running in COMSEC mode using FSK 125Bd/300Hz Digital Coded Squelch (DCS) and scrambled voice comms. Transmission heard on 5885.0 kHz/USB at 0755z with a very poor SNR. The sample marked as "A" is the "autocall" waveform: it precedes the MFSK/scrambler sessions, marked as "B", and terminates the link (Figure 1).
Fig. 1
The FSK segments (the DCS part) sent during the scrambled voice comms have a speed of 125Bd and a 300Hz shift, i.e. the same parameters as the F7B (apparently MFSK-4) waveform, and consist of 84-bit repeated strings:

Fig. 2

Fig. 3

5 October 2016

Thales Systeme-3000 analog voice scrambler


The scrambler was heard on 5320.0 kHz/USB around 0700 UTC. It is recognizable by the two 2000 Baud OQPSK bursts preceding and concluding the scrambled speech and by the characteristic 100Hz gap between about 1500 and 1600 Hz.




2 July 2016

HF CRY-2001 (Sailor-2001) analog voice scrambler

HF CRY-2001 (Sailor-2001) uses basic rolling-code inversion: the transmitted audio bandwidth is split, inverted and spaced separately at an audio frequency point which changes with each over. The short sync burst (100 Baud, 170 Hz shift FSK-2) at the beginning and end of each transmission is what lets the receiving unit know at which audio frequency the split has occurred and its spacing, so it can be reassembled. This transmission was heard on 6446.0 kHz on USB at 2058 UTC.


One would think that the split/spacing value is easily obtained by demodulating the FSK sync, but it's not so easy. Indeed, each CRY-2001 unit has a 6-digit key assigned to it; in normal operation a user will exchange keys with another approved operator and this key will be used to encrypt the FSK sync burst, so without it anyone listening (including other CRY-2001 units) can't get the split/spacing data to reassemble it.


This system is frequently used for communications between small fishing boats; images and docs are available on the web.



31 July 2015

Harris AVS (Analogue Voice Security)


Discussing an odd MS 188-110 App. B sample found on the web, KarapuZ sent me a recording with a "combination" of signals in which not only the 39-tone signal is visible but also some Harris vocoder (AVS) segments. The ending ALE segment, once decoded, reveals the Romanian Police network as the source: [TO ][1P ][TWS][SIB]

Harris AVS
I take this opportunity to speak briefly about it. The Harris AVS (Analogue Voice Security) is a non-synced scrambler that uses 24 subchannels and spreads over about a 2700 Hz band. A detailed analysis can be read in the radioscanner.ru forum http://signals.radioscanner.ru/base/signal111/
Harris offers both digital encryption and analog scrambler systems for COMSEC; below is their short introduction to the AVS system: "In voice communications systems that do not require extremely high security, you can protect against casual eavesdropping by scrambling. Scrambling, as an analog COMSEC technique, involves separating the voice signal into a number of audio sub-bands, shifting each sub-band to a different audio frequency range, and combining the resulting sub-bands into a composite audio output that modulates the transmitter."
 

5 May 2015

Hagelin HC-256

14397.5 ---: unid 1440 Hagelin HC-256 voice scrambler, short QSO (23Apr15) 



The Hagelin Cryptos HC-265 is an analog dynamic synchronized voice scrambler. The preamble is transmitted on two FSK-2 channels, with periodic synchronization every 400 milliseconds.