27 May 2020

unid 200Bd/800 FSK (2)

(see the previous post for background)
My friend cryptomaster suggested to me an interesting way to measure and analyze the two component frequencies of the 200Bd/800 FSK signal by using the VMW module of SA. Indeed, with that tool it is quite possible to obtain additional phase characteristics of the signals. For this it is necessary to look at the bitmap picture of the carrier signal, adjusting the scan so that one period of the carrier wave fits on one line of the raster: the two columns of red and blue on the screen of the VMW module then reflect the positive and negative half-cycles of the oscillation (Fig. 1).

Fig. 1 - oscillation period (thanks to cryptomaster)
Well, it turned out that during the formation of this FSK signal the phases of the two frequencies are preserved after each "shift" (Figs 2a, 2b): that suggests that it is formed by switching (mechanically or electronically) two independent F1, F2 frequency generators which bear some inter-relationship, or by using a VCO system.

Fig. 2a - F1 component phase (on a 2 periods view)
Fig. 2b - F2 component phase (on a 3 periods view)
Phase analysis was performed on a signal recorded in IQ mode exactly on its center frequency of 5094.7 kHz: in this case the two values of the frequency generators are:

F1 ~ 5602.6 Hz (2 periods in 0.000356972 s)
F2 ~ 6402.6 Hz (3 periods in 0.000468558 s)

as expected, an 800 Hz shift.
cryptomaster and I discussed these values, and he obtained an interesting result by recording the signal at a frequency of 5093.50 kHz/USB: in this case the carriers are F1 = 800 Hz and F2 = 1600 Hz (Fig. 3).
 
Fig. 3 - F1 F2 components (thanks to cryptomaster)
Probably the lower frequency is obtained using a divide-by-2 circuit. Anyway, examining the signal at different intervals one can notice a small discrepancy in the phases of these two frequencies (Fig. 4): thus it is once again proved that the signal is generated by two different generators.

Fig. 4 - discrepancy between F1 F2

22 May 2020

unid 200Bd/800 FSK

An odd and (to me) unid 200Bd/800 FSK spotted this morning on 5094.7 kHz (CF). The ACF shows a transmission period of 15 bits: 111101011100101
Apparently no relevant results after differential decoding or descrambling attempts.
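The ACF and folding steps behind the 15-bit period above, as an added example that is not the blog's SA tooling. The bitstream is constructed here: the 15-bit pattern from the post, repeated, with six bit errors inserted at constructed positions to stand in for demodulation noise; the majority vote over the folded rows removes them. The differential decoder is included to show that a periodic stream stays periodic after it, so the ACF period alone cannot tell whether differential decoding was needed.

```python
"""Bit-level ACF, period folding and majority vote on a demodulated bitstream."""

PATTERN = [int(c) for c in "111101011100101"]          # from the post
ERROR_POSITIONS = (101, 177, 250, 333, 421, 499)        # constructed bit errors
REPEATS = 40


def make_stream(pattern=PATTERN, repeats=REPEATS, errors=ERROR_POSITIONS):
    """Constructed input: `pattern` repeated, with the bits at `errors` flipped."""
    bits = list(pattern) * repeats
    for i in errors:
        bits[i] ^= 1
    return bits


def bit_acf(bits, max_lag):
    """Agreement fraction bits[i] == bits[i+lag] for lag = 1..max_lag (1.0 = exact repeat)."""
    n = len(bits)
    return {lag: sum(bits[i] == bits[i + lag] for i in range(n - lag)) / (n - lag)
            for lag in range(1, max_lag + 1)}


def period_from_acf(bits, max_lag=64):
    """Smallest lag reaching the maximum agreement: the first ACF peak."""
    acf = bit_acf(bits, max_lag)
    best = max(acf.values())
    return min(lag for lag, value in acf.items() if value == best)


def fold_majority(bits, period):
    """Fold into rows of `period` bits and majority-vote each column;
    the vote removes isolated demodulation errors."""
    cols = [bits[c::period] for c in range(period)]
    return [1 if 2 * sum(col) > len(col) else 0 for col in cols]


def differential_decode(bits):
    """d[n] = b[n] ^ b[n-1]; a periodic stream stays periodic with the same period."""
    return [bits[i] ^ bits[i - 1] for i in range(1, len(bits))]


def recover_pattern(bits, max_lag=64):
    """Period estimate and the majority-voted pattern in the stream's own alignment."""
    period = period_from_acf(bits, max_lag)
    return period, fold_majority(bits, period)
```

The period is taken as the smallest lag at the ACF maximum because every multiple of the true period is also a peak; the folded pattern comes out in whatever alignment the stream starts in, so compare it with the expected pattern up to rotation.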
Fig. 1
Fig. 2 - 15-bit pattern in the decoded bitstream
Note also in Fig. 3 the unwanted "spikes" at the keying instants, when the carrier frequency (and, in this case, the carrier phase too) changes:

Fig. 3
All my TDoA direction finding runs point to the district of Poznań, Poland.

Fig. 4 - TDoA results
https://yadi.sk/d/OIm7MzUJKRx9Sw
https://yadi.sk/d/dLieSh9imUYBfg

16 May 2020

yet another odd STANAG-4481F channel

(for background, read all the posts on this topic)
 
May 16th update
Interesting tip from my friend cryptomaster (thanks), who pointed me to the 13229 kHz (CF) frequency: also in this case it is a STANAG-4481F transmission with the characteristic 3-bit pattern (and obviously KW-46 encryption), but the source is NAU, the Naval Radio Transmitter facility in Isabela (Puerto Rico).

Therefore, contrary to what I had observed so far, such broadcasts do not come only from Niscemi (NSY) and Barford (AJE). Below is the updated list of the frequencies and sites where the pattern has been observed (all CF, kHz):

05120.5 NSY
06383.0 NSY
06732.0 AJE
07545.5 NSY
08145.0 NSY, AJE
08204.5 NSY
13229.0 NAU

May 9th
6732.0 kHz: another STANAG-4481F KW-46 secured channel that uses the odd 3-bit pattern discussed here. This one is most likely from AJE (Barford St John, UK) and parallel (//) to 8204.5 kHz from NSY (Niscemi, Italy).

Fig. 1
Fig. 2
Fig. 3

So far, it seems that only the transmissions from NSY and AJE exhibit the odd 3-bit pattern we are talking about. Below is the current list of the frequencies where I observed it (all CF, kHz):

5120.5 NSY
6383.0 NSY
6732.0 AJE (new update)
7545.5 NSY
8145.0 NSY, AJE
8204.5 NSY

In winter my friend cryptomaster observed two more frequencies: 4723.9 and 5118.6 kHz (the latter probably an NSY tuning frequency).

As noted, most of the time the NSY frequencies are logged as "NSY Sigonella": well, NAVCOMTELSTA (U.S. Naval Computer and Telecommunications Station) Sicily, located at Naval Air Station Sigonella, manages the Naval Radio Transmitter Facility Niscemi, which houses the LF/HF transmitters. The same goes for AJE Barford St John, which is probably sometimes reported as Croughton, nearby (6 miles away).

13 May 2020

(slow) 19.5Bd/97Hz FSK, likely a Russian-Mil network

19.5Bd/97Hz (slow) FSK waveform spotted on 5331.0 kHz, followed by opchat in Morse:
"RGJV de PZSF QSY 17542 K"


The source is probably some Russian-Mil network. The transmission consists of a repeated 126-bit sequence (Figs. 1, 2).

Fig. 1
Fig. 2
Interesting: a time shift of half a bit is added after each sequence, most likely for sync purposes (Fig. 3)

Fig. 3
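How a half-bit shift after every 126-bit sequence shows up in the ACF, and how to re-synchronise on it, as an added example on a constructed stream (not the recording in the post). Assumptions: the 126-bit sequence is pseudo-random (seeded here), the shift is a gap of exactly half a bit, and the line holds GAP_VALUE during the gap. The stream is built at twice the bit rate, so the half-bit gap is one sample.

```python
"""Half-bit slip after a repeated 126-bit sequence: ACF at bit rate vs half-bit rate."""
import random

SEQ_LEN = 126
GAP_VALUE = 0          # assumed line state during the half-bit gap


def make_sequence(seed=3, length=SEQ_LEN):
    """Constructed 126-bit sequence."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(length)]


def halfbit_stream(sequence, frames, gap_value=GAP_VALUE):
    """Line state sampled twice per bit: every bit gives two equal samples,
    then one extra sample for the half-bit gap that follows the sequence."""
    out = []
    for _ in range(frames):
        for b in sequence:
            out += [b, b]
        out.append(gap_value)
    return out


def bitrate_stream(halfbit):
    """What a demodulator clocked at the nominal bit rate (no resync) sees: every
    second half-bit sample, so its sampling point drifts half a bit per frame."""
    return halfbit[::2]


def agreement(samples, lag):
    """Fraction of samples equal to the sample `lag` positions later."""
    n = len(samples) - lag
    return sum(samples[i] == samples[i + lag] for i in range(n)) / n


def best_lag(samples, lo, hi):
    """Lag with the highest agreement in [lo, hi]: the ACF period estimate."""
    return max(range(lo, hi + 1), key=lambda lag: agreement(samples, lag))


def decode_frames(halfbit, period=2 * SEQ_LEN + 1, seq_len=SEQ_LEN):
    """Resync: frame k starts at k*period half-bit samples; one sample per bit from there."""
    frames = []
    for start in range(0, len(halfbit) - period + 1, period):
        frames.append([halfbit[start + 2 * i] for i in range(seq_len)])
    return frames


def periods(sequence, frames=6):
    """ACF period at the bit rate and at the half-bit rate, in samples of each."""
    hb = halfbit_stream(sequence, frames)
    return {"bit_rate": best_lag(bitrate_stream(hb), 100, 300),
            "half_bit_rate": best_lag(hb, 200, 300)}
```

At the bit rate the first exact repeat is at 253 bits (two sequences plus the two half-bit gaps, i.e. one whole bit), and the lag of 126 is only a weak peak; at twice the bit rate the stream is exactly periodic with 253 half-bit samples, i.e. 126.5 bits, which is the "126 bits + half a bit" reading of the post, and each frame can be decoded from that offset.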
A similar signal, apart from its 125 Hz shift, was also noted by my friend cryptomaster:


26 April 2020

STANAG-4285 async 1200bps test transmissions from Turkey

For about a week I monitored STANAG-4285 1200bps async transmissions heard on several frequencies in the 6 MHz band, listed in Table I; after April 23rd the transmissions stopped (at least in the 6 MHz band, and until today). As to the frequencies used, I have found no match either in the UDXF group logs database or in other resources on the web.

Table I
The transmissions take place with a cycle of about 2 minutes and 25 seconds and seem to use a kind of "call/reply" mode between two stations a, b (judging from the different signal strengths); I do not know who is the caller and who is the called, but I noticed different patterns depending on the day, as for example in Fig. 1

Fig. 1
The use of two frequencies was also observed (Fig. 2). These are obviously automated or software-controlled transmissions. The messages, net of 32 bits each for SOM & EOM, have the same length each day, e.g. 8832/5760 bits (caller/called); user data are encrypted and then transmitted using 8N1 framing (Fig. 2). Note that the Turkish S-4285 async transmissions I had met so far used 5N1.5 framing.

Fig. 2 - (the different durations of the signals on the left depend on the selected waterfall rate)

As Table I shows, the STANAG-4285 submode 1200bps/L was used from April 15th to April 19th, then the submode 1200bps/S.

The direction finding (TDoA) results indicate an area of southern Turkey as the possible transmitter site (Fig. 3); the results may be somewhat imprecise because of the short durations of the signals, but the fix is quite credible. Such a location, together with the transmission schedule and the encryption used, allows for some observations and comments.


Fig. 3
As seen, the contents of the messages are encrypted, but the ciphertext does not show the signatures of known devices such as KG-84/BID and KW-46/KIV-7, so the use of a "national algorithm" can be assumed. TÜBİTAK (Scientific and Technological Research Council of Turkey) National Electronic and Cryptology Research Institute (UEKAE) has developed secure communication solutions in terms of cryptographic algorithms, protocols and architecture, as well as data encryption devices such as the MİLON family (MİLON-4A was also approved by NATO) [1] [2]. It is reasonable to think that these transmissions, like other encrypted transmissions from the Turkish Armed Forces reported in this blog, use such encryption systems.

Fig. 4 - some encryption devices by TUBITAK
(https://bilgem.tubitak.gov.tr/.../corporate_presentation_v7-2019.04.09.pdf)
The way these transmissions are conducted suggests that they are tests. STANAG-4285 is by now a consolidated and widely used waveform, so the tests could concern the installation of a new HF system (maybe an MRL system?). There is also another, somewhat "suggestive", hypothesis: on-field tests of an SCA-based 4285 waveform on proprietary advanced SDR transceivers. Indeed, TÜBİTAK UEKAE ported two different waveforms to Spectrum's flexComm SDR-4000 for demonstration to the Turkish Ministry of Defense: an implementation of STANAG-4285 for high frequency (HF) radio links and APCO Project 25 (P25) for public safety links [3].
[1] https://www.hurriyet.com.tr/gundem/natonun-kripto-cihazlari-tubitaktan-9191151
[2] https://bilgem.tubitak.gov.tr/.../corporate_presentation_v7-2019.04.09.pdf
[3] https://pdfs.semanticscholar.org/

8 April 2020

MFSK-4 with mixed offsets mode (likely Ukr nets)

Some days ago my friend Mike (mco) sent me an interesting recording of an apparent MFSK-4 signal (Fig. 1) originating north of Rivne, Ukraine; such (duplex) transmissions are frequently heard on 13873.55, 15833.55, 15863.55, 16354.55, 17412.55, 17442.55 & 17469.55 kHz (Rivne TX).

Fig. 1
I think this sample is a combined mode in which the offsets and speeds used are: -1200 -400 +400 +1200 Hz at 400Bd, -750 -250 +250 +750 Hz at 250Bd, and -600 -200 +200 +600 Hz at 200Bd; note, however, the change of center frequency between the first and the second mode (Figs 2, 3).

Fig. 2
Fig. 3
"They use a wide range of frequencies and I've not noted all of them. This list seems ok but it certainly includes main stn freqs and also side B stations' ones, and some are missing. They are working full duplex with abroad stations according to multiple TDoAs. So far I've seen them using MFSK-4 with 50/100 80/160 100/200 125/250 160/320 200/400 250/500 400/800 500/1000 settings", my friend Linkz says.

Fig. 4 - TDoA Tx site (thanks to Mike)
https://yadi.sk/d/WQrHjOlxMkH48A
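An MFSK-4 modulator/demodulator for the three modes described in this post, as an added example that is not the decoder used by the authors. In every mode the tones sit at -1.5, -0.5, +0.5 and +1.5 times the tone spacing and the spacing is twice the symbol rate (400/800, 250/500, 200/400 Bd/Hz), which is also the shape of every "baud/spacing" pair in the list above; the example makes the spacing a parameter so it also shows, beyond the post, what a narrower spacing costs. Assumptions: a complex-baseband signal with the centre frequency already removed (the post notes that the centre moves between modes, so it must be re-estimated per mode before this step), and a sample rate FS chosen so that each mode has an integer number of samples per symbol.

```python
"""MFSK-4 with tones at (-3, -1, +1, +3) x spacing/2: modulate, detect, check orthogonality."""
import cmath
import math

FS = 12000                               # assumed sample rate
MODES = {400: 800, 250: 500, 200: 400}   # symbol rate (Bd) -> tone spacing (Hz), from the post


def tones(baud, spacing=None):
    """Tone offsets from the centre: (-1.5, -0.5, +0.5, +1.5) x spacing."""
    spacing = spacing if spacing is not None else MODES[baud]
    return tuple(k * spacing / 2 for k in (-3, -1, 1, 3))


def modulate(symbols, baud, spacing=None, fs=FS):
    """Phase-continuous complex baseband MFSK-4, one tone per symbol."""
    spb = fs // baud
    freqs = tones(baud, spacing)
    out, phase = [], 0.0
    for s in symbols:
        for _ in range(spb):
            out.append(cmath.exp(1j * phase))
            phase += 2 * math.pi * freqs[s] / fs
    return out


def demodulate(samples, baud, spacing=None, fs=FS):
    """Non-coherent detection: per symbol, pick the tone whose matched DFT bin
    has the most energy (independent of the phase the symbol starts with)."""
    spb = fs // baud
    freqs = tones(baud, spacing)
    symbols = []
    for start in range(0, len(samples) - spb + 1, spb):
        seg = samples[start:start + spb]
        energy = [abs(sum(x * cmath.exp(-2j * math.pi * f * n / fs) for n, x in enumerate(seg)))
                  for f in freqs]
        symbols.append(max(range(4), key=energy.__getitem__))
    return symbols


def leakage(baud, spacing=None, fs=FS):
    """Worst-case normalised cross-talk between two tones over one symbol.
    With spacing = 2 x baud every tone is an integer number of cycles per
    symbol and the bins are orthogonal (leakage 0); a narrower spacing is not."""
    spb = fs // baud
    freqs = tones(baud, spacing)
    worst = 0.0
    for fa in freqs:
        for fb in freqs:
            if fa != fb:
                acc = sum(cmath.exp(2j * math.pi * (fa - fb) * n / fs) for n in range(spb))
                worst = max(worst, abs(acc) / spb)
    return worst


def roundtrip(symbols, baud, spacing=None):
    """Modulate then demodulate; True if every symbol comes back."""
    return demodulate(modulate(symbols, baud, spacing), baud, spacing) == list(symbols)
```

Because each tone differs from its neighbours by a whole number of cycles per symbol, a single symbol-length DFT separates them without any filtering; with a spacing of 1.5 x baud the neighbouring bins leak about a fifth of the energy into each other, which is the margin a noisy HF channel eats first.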
[1] http://resources.rohde-schwarz-usa.com/c/manual-of-transmissi-2

15 March 2020

Again about the 3-bit format STANAG-4481F transmissions

(cryptomaster, I56578, KarapuZ)

STANAG-4481F on 18370 kHz from NPN US Navy, Guam
This is an update and some remarks to a previous post, which I reference for background. All frequencies are CF (USB tuning + 2 kHz).

1) the signal

Discussing the signal together, my friend cryptomaster suspected that a 50 bps data flow is transmitted using a device designed to transmit only at 75 bps: it could be correct. The ratio 75/50 is equal to 1.5, thus each "original" bit is repeated 1.5 times. The bit editors work with an integer number of bits (they cannot represent half a bit), thus the 1.5-bit view is possible only by aggregating two consecutive frames and then getting an integer number of 3 consecutive bits (i.e. 1.5 x 2): hence the 3-bit structure that we see (it is the same as the async 5N1.5 framing, which is represented as a 15-bit pattern, i.e. 7.5 x 2). Therefore the bits of the stream are allocated as follows:


A S-4481F transmission lasting 10 seconds produces 750 bits that can be arranged into a 3 x 250 bit pattern; by removing one column we get 2 x 250 = 500 bits, which just matches a 50 bps transmission of the same duration (10 seconds).
But what about the M-sequence generated by the polynomial x^31+x^3+1? Notice that the Wagner(13,12) coding, used for example in STANAG-5065, replaces every second Fibonacci bit with the parity bit: well, the new Fibonacci sequence bits (half of the original ones!) still belong to the same polynomial x^31+x^3+1, because decimating an M-sequence by 2 yields the same M-sequence again, only shifted (see this post).
Indeed, filtering out the replicated third bits from a 75 bps demodulated stream and reshaping the resulting stream into a 7-bit pattern, it turns out that we get the usual KW-46 encrypted 7-bit stream (Fig. 1).

Fig. 1
In the light of the above, I analyzed the signals again in order to verify what we hypothesized and found above. I compared a signal from NSY Niscemi recorded on 6383 kHz (3-bit pattern S-4481F) and another one from NAU Isabela on 12120 kHz (plain S-4481F) using the modified quadrature amplitude detector of the SA software: you can evaluate the different results (Fig. 2).

Fig. 2
Even more interesting: all the signals from Niscemi show the extra harmonics EXCEPT the signal on 6942 kHz, which is correctly modulated (Fig. 3) and, coincidentally, does not have the 3-bit pattern (Fig. 8).

Fig. 3
Then I selected the 50 Hz clock from the NSY signal and subsequently demodulated it using the synced FSK demodulator: the test was successful and replicated the same results that I had found using the theory and manipulating the bitstreams (Fig. 4). So, 50 bps seems to be the right working speed.

Fig.4
If our analysis is correct, it seems that they use the 75 bps STANAG-4481F waveform to send 50 bps streams (?!). We do not know the reason, but presumably it can be done. In synchronous transmissions the DTE usually provides the transmit clock to the modem, but perhaps they use a modem - e.g. like the Harris RF-5710A - which can recover the clock automatically from the incoming transmit data (transmit clock set to "DATA" or in "recovery mode").

As shown, decoding those signals using the standard modes, or changing the speed to 50 bps, unfortunately does not work: the only successful way is to sync the FSK demodulator to the 50 Hz clock of the signals. Since we are talking about shore-to-ship broadcasts, I wonder how the receiving ships manage these transmissions.


2) the source

(monitoring was carried out according to a list of frequencies from logs and in any case not 24/7)
a) Using remote KiwiSDRs, and with the help of my friend Mike "mco", I checked several S-4481F transmissions but, to date, only those from NSY and AJE exhibit the odd 3-bit pattern we are talking about. Below is the current list of the frequencies (kHz) where it was observed:

5120.5 NSY
6383.0 NSY
7545.5 NSY
8145.0 NSY, AJE
8204.5 NSY

It is to be noticed that most of the time the NSY frequencies are logged as "NSY Sigonella": well, NAVCOMTELSTA (U.S. Naval Computer and Telecommunications Station) Sicily, located at Naval Air Station Sigonella, manages the Naval Radio Transmitter Facility Niscemi, which houses the LF/HF transmitters [1][2]. The same goes for AJE Barford St John, which is probably sometimes reported as Croughton, nearby (6 miles away) [3][4].

b) Interestingly, 8145 kHz is shared by NSY and AJE; I have often been able to see simultaneous broadcasts with the same content (Figs 5, 6).

Fig.5
Fig.6
The modified AM detector shows the same results as those of Fig. 3:

Fig. 7

c) Judging from the Tx sites (NSY in Italy and AJE in the UK), this type of traffic is beamed only by some European stations.

d) As said above, I also spotted a S-4481F transmission on 6942 kHz that DF points to southern Sicily, thus it is again NSY. However, this signal does not have the expected 3-bit structure, although it is contemporaneous with another S-4481F transmission beamed from NSY on 6383 kHz (Figs 8, 9). So it seems that most of the 3-bit structured signals come from NSY, but not all those coming from NSY have that feature. I have still not heard S-4481F transmissions on the other NSY frequencies, 10974 and 15018 kHz.

Fig.8
Fig.9

https://yadi.sk/d/ZhGp8Ay7Jk4UEA


28 February 2020

Makhovik (T-230) secured CIS PSK2/1200Bd

This post is an update and a correction to a previous post, to which I refer. I want to thank an anonymous reader who, in his comment to that post, suggested using differential PSK2 decoding.
In that post I verified the use of the Makhovik crypto system (T-230 bundle ciphering device for teleprinter and data connections) in CIS-12 transmissions as well as in CIS PSK2/1200Bd (CIS-1200) transmissions. One of Makhovik's features that can be considered a signature, in addition to the characteristic 30-bit Message Indicators, is the use of 511-bit pseudo-random sequences generated by the primitive polynomial x^9+x^5+1. These sequences follow ITU-T Recommendation O.153 [1] and are primarily intended for error measurements at bit rates up to 14400 bps and for synchronization purposes (the MIL-STD-188-110B "39-tone parallel mode" uses that pattern too).
I searched just for these 511-bit sequences in three different CIS-1200 recordings (files psk2_a, psk2_b and psk2_c): the search was successful in all three files, but in the _a recording I did not find the right sequences, and hence the generator polynomial x^9+x^5+1 (Fig. 1).

Fig. 1
As said above, an anonymous reader suggested using differential decoding for the _a file: well, I took his advice and the results are interesting: as shown in Fig. 2, after differential decoding the bitstream has the right 511-bit sequences generated by the polynomial x^9+x^5+1!

Fig. 2 - psk2_a diff. decoded bitstream
This is a further indication in favor of the use of Makhovik encryption with the CIS-1200 waveform; in these cases the T-230-1A (a single-channel version of T-230) should have been used.
As usual, further recordings are needed.
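Why the x^9+x^5+1 check can fail on the absolute PSK2 bitstream and succeed after differential decoding, as an added example on constructed input (not the author's SA searches). The data is the 511-bit ITU-T O.153 PRBS-9, sent as differentially encoded PSK2: each transmitted symbol is the previous symbol XOR the data bit. The phase reference before the first symbol (`ref`) is the one thing a coherent demodulator cannot know, which is the usual 180-degree ambiguity of PSK2.

```python
"""PRBS-9 (ITU-T O.153) under differential PSK2 encoding: raw vs decoded polynomial check."""


def prbs9(n):
    """1 + D^5 + D^9 written as delays: b[n] = b[n-5] ^ b[n-9], period 511, seed all ones."""
    bits = [1] * 9
    while len(bits) < n:
        bits.append(bits[-5] ^ bits[-9])
    return bits[:n]


def fits_o153(bits):
    """True if every bit from the 10th on obeys b[n] = b[n-5] ^ b[n-9]."""
    return len(bits) > 9 and all(bits[n] == bits[n - 5] ^ bits[n - 9] for n in range(9, len(bits)))


def diff_encode(data, ref=0):
    """Transmitter side: t[n] = t[n-1] ^ d[n], starting from the reference symbol `ref`."""
    out, prev = [], ref
    for d in data:
        prev ^= d
        out.append(prev)
    return out


def diff_decode(symbols):
    """Receiver side: d[n] = t[n] ^ t[n-1]; the first symbol has no predecessor."""
    return [symbols[i] ^ symbols[i - 1] for i in range(1, len(symbols))]


def repeat_period(bits, lo=2, hi=2000):
    """Smallest lag at which the stream repeats itself exactly (None if it does not)."""
    for lag in range(lo, hi + 1):
        if bits[lag:] == bits[:-lag]:
            return lag
    return None


def analyse(symbols):
    """What the analyst sees. The 511-bit period is in the raw stream either way
    (a period of the PRBS holds an even number of ones, so the running XOR repeats
    too). The raw stream is a shift of the PRBS or its bitwise complement, depending
    on the phase reference, and the complement fails the 3-term recurrence at every
    bit; the differentially decoded stream passes regardless of the reference."""
    return {"period": repeat_period(symbols),
            "raw_fits": fits_o153(symbols),
            "inverted_raw_fits": fits_o153([1 - s for s in symbols]),
            "diff_fits": fits_o153(diff_decode(symbols))}
```

Exactly one of the raw stream and its inverse satisfies the polynomial, so whether a polynomial search on the absolute bitstream succeeds is a coin flip decided by the demodulator's phase reference; this is the kind of result the post describes for the _a file (511-bit repeats present, polynomial not found until the stream is differentially decoded).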


24 February 2020

3 x 7-bit KW-46 secured channels over STANAG-4481F, NRTF Niscemi

(cryptomaster, I56578, KarapuZ)

This post may be considered a continuation of an interesting analysis started by my friends cryptomaster and KarapuZ; see the radioscanner post for background. The signals analyzed by my friends and me consist of the STANAG-4481F waveform (also known as NATO-75, FSK 75Bd/850) and have been spotted on 8202.5 kHz/USB (tuning frequency, CF = +2000 Hz): in our opinion they seem to be (off-line) fleet broadcasts of 3 x 7-bit multiplexed encrypted channels.
I want to thank my friend AngazU and the owner of the KiwiSDR http://158.255.239.102:8073/ in Alicante (Spain), who allowed me to use his device without time limits in order to monitor these transmissions.

The interesting aspect is the 3-bit structure which is visible in the SA raster (Fig. 1) using, for example, a time window of 200 ms (= 15 bits @ 75 bps); notice that it does not show up in time windows that imply a number of bits which is not an integer multiple of 3.

Fig. 1 - 3-bit structure in a 200ms raster window
Following these results, the demodulated stream has been reshaped into a 3-bit framing (Fig. 2): it is easy to see that two columns have the same content.

Fig. 2 - 3-bit framing of the demodulated stream
Then each column in turn has been reshaped into a 7-bit pattern in order to obtain 3 separate files corresponding to the three channels. KarapuZ noted that the Fibonacci bit sequence (generated by the polynomial x^31 + x^3 + 1) is present in each channel (Fig. 3): this is the main indication that the source data was encrypted using the KW-46/KIV-7 cryptographic device, according to STANAG-5065.

Fig. 3 - the KW-46 M-sequences in the 3 channels conveyed by a single S-4481F transmission
The presence of three distinct channels suggests that a time division multiplexer (TDM) is used upstream of the S-4481F modem, but there is a problem with the speeds at stake. The TDM must have a 75 bps "aggregate" speed in order to meet the S-4481F waveform requirements, thus each (encrypted!) input channel should run at 25 bps... but crypto devices such as KW-46 or KIV-7 do not work at speeds lower than 50 bps! (Fig. 4).

Fig. 4
So it seems that a kind of "rate change" occurs between the TDM and the S-4481F modem, but such a store-and-forward device to lower the speed appears unrealistic in the case of long broadcasts.
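The raster check and 3-bit reshaping described in this post, together with the 1.5x repetition reading of the same structure given in the 15 March post above, as one added example (constructed input; not the SA workflow of the authors). Assumptions: the M-sequence (Fibonacci) bit sits at a fixed position of every 7-bit frame (MSEQ_COL), the other six bits of the frame stand in for ciphertext, and the 75 bps modem samples the 50 bps stream so that two source bits become three line bits (a, a, b). The last function goes beyond the posts to show why dropping every second Fibonacci bit keeps the polynomial: decimation by a power of two does, decimation by 3 does not.

```python
"""A 50 bps KW-46-style stream carried at 75 bps by 1.5x repetition, and its recovery."""
import random
from functools import reduce
from operator import xor

# Taps as delays of the feedback polynomial 1 + D^3 + D^31 (the x^31 + x^3 + 1 of
# the post, written ITU O.153 style): b[n] = b[n-3] ^ b[n-31]. The reciprocal
# polynomial generates the same sequence read backwards.
KW46_TAPS = (3, 31)
MSEQ_COL = 6          # assumption: Fibonacci bit position inside the 7-bit frame


def lfsr(taps, n, seed=None):
    """Fibonacci LFSR output of length n; seed = first max(taps) bits (non-zero)."""
    bits = list(seed) if seed else [1] * max(taps)
    while len(bits) < n:
        bits.append(reduce(xor, (bits[-t] for t in taps)))
    return bits[:n]


def fits_lfsr(bits, taps, min_checks=100):
    """True if every bit obeys b[n] = XOR of b[n-t] over the taps (and bits are not all 0)."""
    start = max(taps)
    if len(bits) < start + min_checks or not any(bits):
        return False
    return all(bits[n] == reduce(xor, (bits[n - t] for t in taps)) for n in range(start, len(bits)))


def kw46_stream(frames, seed=1):
    """Constructed 50 bps stream: six pseudo-random bits plus one M-sequence bit per 7-bit frame."""
    rng = random.Random(seed)
    mseq = lfsr(KW46_TAPS, frames)
    out = []
    for k in range(frames):
        frame = [rng.getrandbits(1) for _ in range(7)]
        frame[MSEQ_COL] = mseq[k]
        out += frame
    return out


def to_75bps(bits50):
    """Each 50 bps bit lasts 1.5 modem bits: two source bits -> three line bits (a, a, b)."""
    out = []
    for a, b in zip(bits50[0::2], bits50[1::2]):
        out += [a, a, b]
    return out


def columns(bits, width):
    """Columns of the stream folded into rows of `width` bits."""
    rows = len(bits) // width
    return [[bits[r * width + c] for r in range(rows)] for c in range(width)]


def duplicate_columns(bits, width):
    """Pairs of identical columns at this fold width: the raster check of the post
    (only widths that are multiples of 3 show them)."""
    cols = columns(bits, width)
    return [(i, j) for i in range(width) for j in range(i + 1, width) if cols[i] == cols[j]]


def to_50bps(bits75):
    """Undo the 1.5x repetition: drop one of the two identical columns of the 3-bit framing."""
    dup = duplicate_columns(bits75, 3)
    if len(dup) != 1:
        raise ValueError("no single duplicated column: not a 1.5x repeated stream")
    drop = dup[0][1]
    return [b for i, b in enumerate(bits75) if i % 3 != drop]


def mseq_column(bits, width=7, taps=KW46_TAPS):
    """Index of the column of the `width`-bit framing that is an M-sequence, or None."""
    for c, col in enumerate(columns(bits, width)):
        if fits_lfsr(col, taps):
            return c
    return None


def decimation_keeps_polynomial(step, taps=KW46_TAPS, n=6000):
    """Does every `step`-th bit of the M-sequence still satisfy the same polynomial?
    True for powers of two, which is why the Wagner-coded half still fits x^31+x^3+1."""
    return fits_lfsr(lfsr(taps, n)[::step], taps)
```

At 75 bps no column of the 7-bit fold is an M-sequence, which is why the standard KW-46 view fails on these signals; after one of the two identical columns of the 3-bit fold is dropped, the 7-bit fold shows the Fibonacci column again. A 15-bit fold (the 200 ms window of the post) shows five duplicated column pairs, a 14-bit fold shows none.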

During my monitoring I had the luck to catch the beginning of a transmission. Interestingly, the M-sequences generated by the polynomial x^31 + x^3 + 1 start from the very first bit of the 3 demodulated streams (100% indication in Fig. 5); there are no signatures or magic numbers attributable to transfer protocols or file formats, nor preambles or sync sequences.

Fig. 5
According to TDoA direction finding tries, the transmitter site is the Naval Radio Transmitter Facility (NRTF) in Niscemi, Italy (Fig. 6): an infrastructure of the NATO communication system that is linked with other US military bases [1]. It is to be noticed that similar transmissions (3-bit structure S-4481F) can be heard on 7545.5 and 6383 kHz (CF), also from NRTF Niscemi!

Fig. 6 - TDoA result
As I said, two channels have the same content, as indeed shown in the raster (Fig. 1): it is to be noticed that such repetitions of encrypted channels were also noted in some KW-46/KIV-7M secured fleet broadcasts of the Australian Navy, see the blog post. In that case we have an aggregate speed of 600 bps and 12 multiplexed channels, i.e. 50 bps per channel.

I checked several other S-4481F transmissions, but so far this odd 3-bit structure is present only in the ones coming from Niscemi: help and comments from readers are very much appreciated and welcome.

High Frequency dual mode antennas at NRTF Niscemi (source Wikipedia)
24 Feb update
As expected, parallel transmissions on 8204.5 kHz and 6383 kHz convey the same content (Fig. 7); the third frequency (7545.5 kHz) is not in use at this time.

Fig. 7 - same contents on parallel transmissions

  (to be continued)
[1] https://www.globalsecurity.org/military/facility/niscemi.htm

158.255.239.102_2020-02-18T21_13_33Z_8203.00_usb.wav 
transmission_start.wav
158.255.239.102_2020-02-18T21_13_33Z_8203.00_usb.txt.bin
start.txt.bin