31 March 2016

Unid 2400Bd PSK-2 burst waveform (prob. SAT Telemetry downlink)


This signal was heard at 1245 UTC on 12168.0 KHz/USB on March 30th.
The burst waveform uses PSK-2 (prob. DBPSK) serial-tone modulation of a 1800 Hz carrier at 2400 symbols per second (pics. 1 and 2). Each transmission consists of 12 x 4000ms bursts, ending with a single 1500ms burst.

pic. 1
pic. 2 - PSK-2 modulation of a 1800Hz carrier at 2400 Baud

Each 4000ms burst consists of 8 x 500ms frames (pic.3), for a total of 9600 bits; ACF = 500ms/1200 bits (of course). 

pic. 3 - frame structure
Each 1200-bit frame is structured as a preamble followed by sub-frames with a 67/134-bit period, as shown in pictures 4 and 5 (the underlying sub-frame structure is also visible above in pic. 3).

pic. 4 - possible frame periods
pic. 5 - 1200 bit frame seen as a 134 bits period

Using a test string such as "0011011000010101111" and synchronizing the stream on a 67-bit period, it's clearly visible that the bursts send repetitive blocks of data.
 
pic. 6 - 67-bit synchronized period
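As an added example (not part of the original post), here is a bit-level ACF and period-folding routine in Python that reproduces the kind of analysis shown in pics. 3 to 6 on a constructed burst: eight identical 1200-bit frames, each a 61-bit preamble (the preamble length is an assumption, the post does not give it) followed by seventeen copies of the same 67-bit block. The ACF peaks at 67, 134 and 1200 bits, a test string recurs every 67 bits, and folding the stream on the 67-bit period shows the repeated block.

```python
# Bit-level ACF and period folding for a burst bitstream (constructed data, not a real capture)
import random
from collections import Counter

PREAMBLE_BITS = 61          # assumption: the post does not give the preamble length
SUBFRAME_BITS = 67          # sub-frame period reported in the post
FRAME_BITS = 1200           # 500 ms at 2400 Bd
FRAMES_PER_BURST = 8        # one 4000 ms burst


def make_burst(seed=30):
    """Constructed 9600-bit burst: 8 identical frames, each a random preamble followed by
    17 repeats of the same random 67-bit block (61 + 17 * 67 = 1200). Returns (burst, block)."""
    rng = random.Random(seed)
    preamble = "".join(rng.choice("01") for _ in range(PREAMBLE_BITS))
    block = "".join(rng.choice("01") for _ in range(SUBFRAME_BITS))
    frame = preamble + block * ((FRAME_BITS - PREAMBLE_BITS) // SUBFRAME_BITS)
    assert len(frame) == FRAME_BITS
    return frame * FRAMES_PER_BURST, block


def bit_acf(bits, max_lag):
    """acf[lag] = fraction of positions i where bits[i] == bits[i + lag], for lag 1..max_lag.
    The stream is held in one big integer so the XOR/popcount per lag is fast in pure Python."""
    n, x = len(bits), int(bits, 2)
    acf = [1.0]
    for lag in range(1, max_lag + 1):
        overlap = n - lag
        mismatches = bin((x ^ (x >> lag)) & ((1 << overlap) - 1)).count("1")
        acf.append(1.0 - mismatches / overlap)
    return acf


def acf_peaks(acf, threshold=0.85):
    """Lags whose match fraction stands well above the ~0.5 floor of unrelated data."""
    return [lag for lag in range(1, len(acf)) if acf[lag] >= threshold]


def pattern_spacing(bits, pattern):
    """Distances between successive occurrences of a test string, most common first:
    the 'test-string' trick described in the post."""
    pos, hits = bits.find(pattern), []
    while pos >= 0:
        hits.append(pos)
        pos = bits.find(pattern, pos + 1)
    gaps = [b - a for a, b in zip(hits, hits[1:])]
    return Counter(gaps).most_common()


def fold(bits, period, start, rows):
    """Rows of the stream cut at the chosen period, as a bitstream analyzer draws them."""
    return [bits[start + r * period: start + (r + 1) * period] for r in range(rows)]


if __name__ == "__main__":
    burst, block = make_burst()
    acf = bit_acf(burst, 1300)
    print("ACF peaks:", acf_peaks(acf))
    print("test-string spacing:", pattern_spacing(burst, block[10:29]))
    for row in fold(burst, SUBFRAME_BITS, PREAMBLE_BITS, 4):
        print(row)
```

The ACF values at 134 and 201 bits are a little lower than at 67 because the preamble and the frame boundaries break the repetition; the 1200-bit frame period comes out as an exact 1.0 since the frames are identical.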

Such parameters (500 ms ACF, BPSK, 2400 Baud and repetitive blocks) are typical of SAT telemetry downlinks, my friend AngazU says. Searching the web I found that this mode is used by the DELFI-N3XT cube-nano-picosat and by the QB50 cubesats. Downlink frequencies are planned on VHF 145 MHz, so I don't know why 12168.0 KHz; maybe a relay for sporadic use... but who knows?

27 March 2016

Unid FSK 100Bd/500, 40-bit/400ms ACF


16340.1 ---: Unid (prob. Russian) 1014 (cf) FSK-2 100Bd/500, strong ACF 400 ms (25Mar16) (AAI)



Probably an "old" RTTY transmitter sending the same pattern as a frequency marker.




26 March 2016

SVO SiTOR-B: a curious feature

SVO Olympia Radio (formerly SVA Athinai Radio) belongs to the Hellenic Telecommunication Organization, S.A. (OTE) and is a telecommunications network that serves the needs of the maritime security sector as well as those of commercial maritime communications across the world.
At first glance, its SiTOR-B broadcasts comply with the standard 100Bd/170Hz that is common for such transmissions (pic. 1).

pic. 1
But looking closely at the signal there is a curious feature of the SiTOR transmitter which is evident in the oscillograms of the WF module (pics. 2, 3).

pic. 2
pic. 3
It is not clear what causes such behavior, whether it's a requested feature or a transmitter "sign"; anyway it is present only in the Greek SVO SiTOR-B, and on all their SiTOR-B bands (8, 12, 16 and 22 MHz/USB).

update (from my Fb page):
Reed Gaede Ha! It's clearly a harmonic resonance in the exciter, modulator, or PA. Common flaw/issue in tank-tuned tube PAs, less so in broadband solid-state units. Their engineering department is slacking.
 

24 March 2016

logs

02767.7 ---: Unid 2354 (cf) FSK 1200Bd/850 (19Mar16) (AAI)
08060.0 BS008CB: Macedonian Mil, MKD 0740 USB MIL 188-141 link setup with CS003A then into MIL 188-110A serial sending files via FED-1052 App.B ARQ mode (12Mar16) (AAI)
08174.0 AC01: Algerian Military, ALG 0857 USB MIL 188-141 ALE calling XV01 (14Mar16) (AAI)
08987.7 MKL: NATO MATELO, Northwood Bcasts 1015 NATO-75 75Bd/850 KG-84C encryption (20Mar16) (AAI)
09186.0 ---: 0921 USB STANAG-4538 BW3, BW4 waveforms (15Mar16) (AAI)
09300.0 ---: Unid (most likely Russian) 1432 USB MFSK-11 125Bd 250Hz, first tone +675Hz, ACF 792ms,  (23Mar16) (AAI)
09378.5 ---: Unid 0824 (cf +1500Hz on USB) R&S ALIS 228.65Bd/170 calling 220, rptd each ~3 mins (14Mar16) (AAI)
09906.0 ---: Unid NATO 0855 USB LINK-11 serial PSK-8 2400Bd (17Mar16) (AAI)
10156.5 OEY80: Austrian Mil. Villach, AUT 0948 USB MIL 188-141 ALE calling OEY61 (11Mar16) (AAI)
10165.0 ---: Unid 0805 USB RFSM serial modem with Data Masking, QRX 10170.0 (11Mar16)
10211.0 ---: Russian Intel, RUS 0725 (cf) CIS FTM-4, MFSK-4 150Bd (effective 37.5Bd) 4000Hz (tones at: -6, -2, +2, +6 KHz) (16Mar16) (AAI)
10300.0 OEB: Algerian AF Oum El Bouaghi, ALG 0759 USB MIL 188-141 ALE calling CM5 (15Mar16) (AAI)
10552.7 ---: Turkish Mil 0805 (cf) FSK-2 300Bd/400 & 1200Bd/800 (17Mar16) (AAI)
10958.0 ---: Unid 1503 USB STANAG-4538 BW3, BW4, BW5 waveforms, sending CITADEL encrypted file using LDL protocol (14Mar16) (AAI)
11056.0 P34: Unid (prob. Algerian AF) 0915 USB MIL 188-141 ALE sounding (11Mar16) (AAI)
11081.0 ---: Russian Mil, RUS 0748 CIS-45 OFDM HDR modem v1 33.33Bd BPSK, many sessions (14Mar16) (AAI)
11106.0 EK9: Greek Military, GRC 0708 USB MIL 188-141 ALE calling GEF (14Mar16) (AAI)
11464.5 ---: Unid NATO (Croughton? Akrotiri?) 1105 (cf) NATO-50 50Bd/850 (20Mar16) (AAI)
12155.0 ---: Russian Intel, RUS 0715 (cf) CIS FTM-4, MFSK-4 150Bd (effective 37.5Bd) 4000Hz (tones at: -6, -2, +2, +6 KHz) (16Mar16) (AAI)
12209.0 8451: TUR Turkish Civil Defense Manisa, TUR 0722 USB MIL 188-141 ALE sounding (16Mar16) (AAI)
13454.0 ---: Unid (most likely Russian) 0836 CIS MFSK-11 125Bd 250Hz, first tone +685Hz ACF 792ms lasting 47 secs (16Mar16) (AAI)
14550.0 J62: Moroccan Military, MRC 0925 USB MIL 188-141 ALE sounding (21Mar16) (AAI)
14907.0 ---: prob. Russian Gov. 1330 CW "UEB UEB UEB QSY 12221T" (15Mar16) (AAI)
14908.0 ---: Russian Intel, RUS 1320 (cf) CIS FTM-4, MFSK-4 150Bd (effective 37.5Bd) 4000Hz (tones at: -6, -2, +2, +6 KHz) (15Mar16) (AAI)
14936.0 ---: Russian Diplo 1310 (cf) prob. Serdolik selcall, MFSK-31 40Bd 40Hz sometimes seen preceding Serdolik MFSK-34 (CROWD-36) transmissions (16Mar16) (AAI)
15822.5 ---: Unid 1240 AM 10 stepped tones (1 kHz increments, 1 sec step) from +1 kHz to +10 kHz (10Mar16) (AAI)
15824.0 ---: Russian Intel, RUS 1340 (cf + 1600Hz USB) 5 x MFSK-16 10Bd 20Hz BPSK 250Bd Hybrid modem, WWCR on 15825.0 AM (23Mar16) (AAI)
15864.0 ---: Russian Diplo, RUS 0916 Serdolik OFDM 35-tone 40Bd 50Hz BPSK flwd by MFSK-34 (Crowd-36) (18Mar16) (AAI)
15956.5 ---: Australian MHFCS net 0900 (cf) GFSK 600Bd/340 (13Mar16) (AAI)
16227.0 ---: Russian Mil, RUS 1040 USB CIS-112 OFDM 22.22Bd DBPSK (18Mar16) (AAI)
16240.0 2002: Unid (prob. Algerian Mil, ALG) 1015 USB MIL 188-141 ALE calling 1305 (17Mar16) (AAI)
16716.0 ---: Unid 0735 USB STANAG-4538 LDL-BW3 carrying Harris "Citadel" encrypted traffic + ACK packets (BW4) (22Mar16) (AAI)
17440.1 ---: Russian Diplo, RUS 0830 (cf) Serdolik MFSK-34 40Bd 40Hz (aka CROWD-36) (14Mar16) (AAI)
17459.0 ---: Russian Intel, RUS 0930 (cf + 1600Hz USB) 5 x MFSK-16 10Bd 20Hz BPSK 250Bd Hybrid modem (21Mar16) (AAI)
17928.0 017: ARINC Telde Gran Canaria, CNR 1134 USB HFDL 300bps uplink to SU2406 (17Mar16) (AAI)
17967.0 015: ARINC Al Muharraq, BHR 1051 USB HFDL 300bps uplink to KC0881, RJ0821 (17Mar16) (AAI)
19356.0 ---: Unid 1305 USB THALES Skymaster ALE flwd by TRC-177x 2400Bd serial modem (15Mar16) (AAI)
19431.0 ---: Russian Intel, RUS 1230 (cf + 1600Hz USB) 5 x MFSK-16 10Bd 20Hz BPSK 250Bd Hybrid modem (21Mar16) (AAI)

 
USB MFSK-11 125Bd 250Hz, first tone +675Hz, ACF 792ms

22 March 2016

Japanese Military, MSK-30 +2 (multichannel hybrid modem)


For several days, on 12384.0 and 16553.0 kHz USB (16553.0 is a constant for the Japanese MIL 8-frequency signal), we heard unmodulated carriers only, and then finally they went to data!
At first glance the signal looks like a 32-tone OFDM, ~70 Hz spaced, with BPSK modulation at 50 Baud (pic. 1). A separate unmodulated tone, the lowest in the spectrum, acts as a pilot tone for Doppler correction and is transmitted at a higher level than the other tones.
 
pic.1 - OFDM analysis
Studying more carefully the individual tones, and especially the first two tones in the lower part of the spectrum, the signal is not really built with OFDM technology but is rather a multichannel waveform with a curious MSK modulation, 25 Hz shift and 50 Baud speed, as far as the 30 highest channels are concerned.
Indeed, once the highest tone is isolated, there is no evidence of a carrier line in the 2nd-power harmonics, and the phase detector shows the characteristic FSK-2 shape with 25 Hz shift (pic. 2).
pic. 2 - absence of the carrier in the 2nd-power harmonics
The 4-ary phase plane of such a channel reveals no diagonal transitions, and two-state transitions in Diff.1: signs of an MSK modulation (pic. 3).
pic. 3
The highest 30 tones are then MSK 50Bd with 25 Hz shift, spaced by 70 Hz.
The two lower tones after the pilot exhibit a BPSK modulation, as revealed by the presence of the carrier in the 2nd-power harmonics: speed is 25 Baud for the first channel (pic. 4) and 50 Baud for the second one (pic. 5). It is worth noting that:
- the sequence "0101010101" is transmitted on these two channels, maybe for sync purposes;
- the 2 lower tones are transmitted at a lower level than the upper 30 tones.
pic. 4 - the lower BPSK channel
pic. 5 - BPSK 50Bd in the second channel
Summarizing the characteristics (pic. 6):
30 data channels MSK 50Bd/25Hz, 25Hz spaced
2 service channels BPSK 25 and 50 Baud, transmitted at a lower level than the 30 upper tones
1 pilot tone, transmitted at a higher level than the 30 upper tones
pic.6
Both 16553.5 kHz USB and 12384.5 kHz USB were previously channels for the old Japanese 8-tone mode; probably a little mis-tuning.
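An added Python example (not from the original post) of the 2nd-power test used above: squaring a BPSK channel leaves a clean spectral line at 2fc, whereas squaring an MSK channel (continuous-phase FSK whose tone spacing equals half the symbol rate) leaves lines at 2fc ± shift and nothing at 2fc. The carrier (1000 Hz), sample rate and random data are constructed; the 50 Bd / 25 Hz figures are those reported for the 30 upper channels.

```python
# Squaring test: does the 2nd-power spectrum show a carrier line at 2*fc? (constructed signals)
import cmath
import math
import random

FS = 8000.0      # sample rate in Hz (constructed)
BAUD = 50.0      # symbol rate of the channels described in the post
SHIFT = 25.0     # MSK shift in Hz, equal to BAUD / 2 (the minimum-shift condition)


def bpsk_channel(fc, bits, fs=FS, baud=BAUD):
    """Phase-reversal keying of a carrier: 0 -> phase 0, 1 -> phase pi."""
    sps = int(fs / baud)
    return [math.cos(2 * math.pi * fc * n / fs + (math.pi if bits[n // sps] else 0.0))
            for n in range(sps * len(bits))]


def msk_channel(fc, bits, fs=FS, baud=BAUD, shift=SHIFT):
    """Continuous-phase FSK with tones at fc +/- shift/2; with shift == baud/2 this is MSK."""
    sps = int(fs / baud)
    phase, out = 0.0, []
    for n in range(sps * len(bits)):
        f = fc + (shift / 2 if bits[n // sps] else -shift / 2)
        out.append(math.cos(phase))
        phase += 2 * math.pi * f / fs
    return out


def tone_magnitude(x, f, fs=FS):
    """Normalised single-bin DFT magnitude at frequency f (Goertzel-style, no numpy needed)."""
    w = -2j * math.pi * f / fs
    return abs(sum(v * cmath.exp(w * n) for n, v in enumerate(x))) / len(x)


def squaring_test(x, fc, shift=SHIFT):
    """Square the samples and read the 2nd-power spectrum at 2fc and at 2fc +/- shift.
    Returns (line_at_2fc, mean_of_side_tones, ratio): a large ratio means a BPSK-like
    carrier line, a small one means the energy sits on the two FSK/MSK tones instead."""
    sq = [v * v for v in x]
    centre = tone_magnitude(sq, 2 * fc)
    sides = (tone_magnitude(sq, 2 * fc + shift) + tone_magnitude(sq, 2 * fc - shift)) / 2
    return centre, sides, centre / (sides + 1e-9)


def demo(seed=2016):
    """One second (50 symbols) of random data on a constructed 1000 Hz carrier, both ways."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(50)]
    fc = 1000.0
    return {"bpsk": squaring_test(bpsk_channel(fc, bits), fc),
            "msk": squaring_test(msk_channel(fc, bits), fc)}


if __name__ == "__main__":
    for name, (centre, sides, ratio) in demo().items():
        print(f"{name}: line at 2fc = {centre:.3f}, tones at 2fc +/- shift = {sides:.3f}, ratio = {ratio:.1f}")
```

In a real analysis the squared samples would go through an FFT, but the single-bin DFT is enough to show the point: for BPSK the squared signal is exactly 0.5 + 0.5 cos(2·2πfc·t), so the 2fc line reads 0.25 and the side bins are empty, while for MSK the line at 2fc vanishes and the energy appears at 2fc ± 25 Hz.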

21 March 2016

CIS 5 x MFSK-16 + BPSK 250Bd Hybrid modem (II)

Just to point out some interesting analogies with a similar MFSK-16 signal, heard in the last days of September 2015.
That signal had the same MFSK parameters, 5 x 16 tones 10Bd 20Hz, but with FSK inserts every 10 seconds rather than the BPSK inserts seen these days. SOM and EOM show the same style. While the BPSK version has a fixed length of 21:05 minutes, the FSK version had a 33-second length and was repeated every 15 minutes.
One could say that the BPSK version seen these days is a sort of evolution of the September FSK (test?) version, but that's probably just speculation.

20 March 2016

SYNC or ASYNC, that is the question

(Hamlet, famous ancient prince and analyst)
Although a bitstream analyzer recognizes physical or data-link layer protocols by matching known patterns and sequences, it isn't source-coding aware, so in order to get something that makes sense it is important to know whether we are facing a synchronous or an asynchronous mode. For example, my friend AngazU sent me a STANAG-4285 transmission carrying a Citadel encrypted file: 75 bps speed and long interleave are the settings for its correct decoding into an ASCII-bits file.
Looking at the graphic representation of the stream it's possible to identify something like the characteristic pattern of Citadel... but it isn't: there are some extra bits. The reason is that this STANAG-4285 was in asynchronous mode with 8N1 framing: eight data bits, no parity bit, one start bit and one stop bit, so each character is transmitted using a total of 10 bits. This framing can be guessed from the period returned by the analyzer: just ten bits (pic. 1).

Pic. 1
After removing both the start and the stop bits we get the clean 8-bit data and the Citadel pattern (pic. 2). It is worth noting that, processing the new stream, the analyzer easily detects the encryption (pic. 3).

Pic. 2
Pic. 3
The same issue may occur when analyzing a Baudot (ITA-2) coded stream: five data bits, no parity bit, one start bit and two stop bits. The example is related to a STANAG-4285 transmission in clear text (no encryption and not re-protocolled) from French Navy FUG8. The bit analyzer correctly returns an 8-bit period and, after removing the extra bits added to the ITA-2 characters (1 start bit + 2 stop bits), we get the well-known text "VOYEZ VOUS LE BRICK..."

Pic. 4

Pic. 5
So the period returned by the analyzer is a big help: a stream that looks encrypted or unidentifiable is not always so; sometimes it has simply been processed as synchronous when it is coded in async mode.
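Added Python example (not from the original post) of the procedure just described: it guesses the async frame length from the start/stop bit pattern, strips the framing, and decodes either 8N1 ASCII or 5N2 ITA-2 (with LTRS/FIGS shifts). The input streams are constructed inline, with a few idle mark bits before the first character so that the alignment is not trivial.

```python
# Recovering characters from an asynchronously framed bitstream (constructed streams, not captures)
from typing import List, Tuple

# ITA-2 (Baudot) alphabet indexed by the 5-bit value with bit 1 as the LSB; 27 = FIGS, 31 = LTRS.
ITA2_LETTERS = ['\0', 'E', '\n', 'A', ' ', 'S', 'I', 'U', '\r', 'D', 'R', 'J', 'N', 'F', 'C', 'K',
                'T', 'Z', 'L', 'W', 'H', 'Y', 'P', 'Q', 'O', 'B', 'G', None, 'M', 'X', 'V', None]
ITA2_FIGURES = ['\0', '3', '\n', '-', ' ', "'", '8', '7', '\r', '\x05', '4', '\x07', ',', '!', ':', '(',
                '5', '+', ')', '2', '\u00a3', '6', '0', '1', '9', '?', '&', None, '.', '/', '=', None]
FIGS, LTRS = 27, 31


def frame_async(values: List[int], data_bits: int, stop_bits: int) -> List[int]:
    """Start bit (0), data LSB first, stop bits (1): how a UART puts each character on the line."""
    bits: List[int] = []
    for v in values:
        bits.append(0)
        bits.extend((v >> i) & 1 for i in range(data_bits))
        bits.extend([1] * stop_bits)
    return bits


def find_async_period(bits: List[int], candidates=range(6, 13)) -> Tuple[int, int, float]:
    """Try each frame length and alignment; score = fraction of frames that begin with a
    space (0) and end with a mark (1). Returns (period, offset, score). Ties go to the
    shortest period, so 8N1 is reported as 10 bits and 5N2 as 8 bits."""
    best = (0, 0, -1.0)
    for n in candidates:
        for off in range(n):
            starts = range(off, len(bits) - n + 1, n)
            if len(starts) == 0:
                continue
            hits = sum(1 for s in starts if bits[s] == 0 and bits[s + n - 1] == 1)
            if hits / len(starts) > best[2]:
                best = (n, off, hits / len(starts))
    return best


def strip_framing(bits: List[int], period: int, offset: int, data_bits: int) -> List[int]:
    """Drop the start/stop bits of every frame and rebuild the character value (LSB first)."""
    return [sum(b << i for i, b in enumerate(bits[s + 1:s + 1 + data_bits]))
            for s in range(offset, len(bits) - period + 1, period)]


def encode_ita2(text: str) -> List[int]:
    """Text -> 5-bit values, inserting a FIGS/LTRS shift whenever the table changes."""
    table, out = ITA2_LETTERS, []
    for ch in text:
        if ch not in table:                      # raises ValueError below if ch is in neither table
            table = ITA2_FIGURES if table is ITA2_LETTERS else ITA2_LETTERS
            out.append(FIGS if table is ITA2_FIGURES else LTRS)
        out.append(table.index(ch))
    return out


def decode_ita2(values: List[int]) -> str:
    """5-bit values -> text, tracking the LTRS/FIGS shift state like a teleprinter."""
    table, out = ITA2_LETTERS, []
    for v in values:
        if v == FIGS:
            table = ITA2_FIGURES
        elif v == LTRS:
            table = ITA2_LETTERS
        else:
            out.append(table[v])
    return "".join(out)


def demo_ita2(text: str = "VOYEZ VOUS LE BRICK 1852") -> Tuple[int, str]:
    """Constructed 5N2 stream: seven idle mark bits, then the framed ITA-2 characters."""
    bits = [1] * 7 + frame_async(encode_ita2(text), 5, 2)
    period, offset, _ = find_async_period(bits)
    return period, decode_ita2(strip_framing(bits, period, offset, 5))


def demo_8n1(text: str = "ASYNC 8N1 FRAMING, 10 BITS PER CHARACTER") -> Tuple[int, str]:
    """Constructed 8N1 stream of ASCII, the framing met in the Citadel case above."""
    bits = [1] * 5 + frame_async(list(text.encode("ascii")), 8, 1)
    period, offset, _ = find_async_period(bits)
    return period, bytes(strip_framing(bits, period, offset, 8)).decode("ascii")


if __name__ == "__main__":
    print(demo_ita2())   # (8, 'VOYEZ VOUS LE BRICK 1852')
    print(demo_8n1())    # (10, 'ASYNC 8N1 FRAMING, 10 BITS PER CHARACTER')
```

The period search is the same reasoning as reading the analyzer's period: a 10-bit period with a constant space at one end and a constant mark at the other is 8N1, an 8-bit one with two trailing marks is 5N2; once the framing is stripped, the 8-bit stream is what the Citadel pattern search or the ITA-2 decoder expects.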

19 March 2016

HARRIS 'Citadel' cryptographic engine


This is a classic example of automatic link setup (ALE) and subsequent traffic forwarding performed through the well-known pair MS188-141A & MS188-110A Serial Tone: the callsigns involved belong to the Romanian Military, and the transmission was caught on 8000.5 KHz USB. The Sorcerer decoder prints out the bitstream as it appears after removing the MS188-110A "carrier" waveform (pic. 1).

pic. 1
The protocol used at the Data Link layer is FED-1052 Appendix B; the transferred files are encrypted with the HARRIS "Citadel" encryption system, as revealed by the bitstream analyzer in pic. 2.

pic. 2

Some logs on the web report the pattern "]]]VVV" as a sort of footprint of Citadel encryption: maybe this is right, but I did not find such a pattern, or any particular sequence, in the ASCII output of this signal. So, as for the KG-84 encryption, I processed some bitstreams that exhibit Citadel encryption in order to find its discriminating sequence, and I think I have identified it in the 128-bit-long pattern highlighted in pics. 3 and 4:

Pic. 3
Pic. 4
Curiously, in some cases the first 64 bits of the pattern are repeated twice, as visible in pic. 5:
 
Pic. 5
"The Citadel cryptographic engine provides military-grade encryption for non-Type 1 applications for U.S. and international users. It is approved for export with configurable key lengths and multiple algorithm options, making it an ideal encryption solution for a broad range of modern communications products. Citadel has three algorithm options: a standard Citadel high-grade algorithm; a Harris-configured, customer-unique Citadel algorithm; and a customer-configurable unique Citadel algorithm. All Citadel cryptographic algorithms are based on a mixed-mode, arithmetic block cipher and support both communications security and transmission security functions."

Links:

18 March 2016

CIS 5 x MFSK-16 + BPSK 250Bd Hybrid modem


This interesting signal (supposed to be used by "Russian Intelligence") has been heard on 13497.0 KHz and 15812.0 KHz USB on 30 October (from 1300z to 1330z) and on 15845.0 KHz USB on 18 March (from 1300z to 1320z).
The most interesting feature is the BPSK inserts, every 10 seconds, which modulate in turn 6 different 250 Hz spaced carriers at 250 symbols/sec. Apparently there is no fixed order of choice of the six carriers, nor a sort of cycle, so it's difficult to say anything about the purpose of these inserts. Since they do not carry information, they could be sent for tuning filters and equalizing the MFSK demodulator, but it's only my guess.



About the MFSK part, it's possible to identify five distinct MFSK-16 channels with 20Hz tone separation and 10Bd speed.


Most likely the signal is a sort of FTD waveform. All the heard transmissions end with the same ~860 ms sequence of 2 frequencies, modulated with some frequency/time-shifted method.




17 March 2016

Turkish Mil, FSK 600Bd/400Hz & 1200Bd/800Hz KG-84C


Weak signal heard on 10551.0 KHz/USB at 0805z, a variant of the more frequent 600Bd/400 reported here.


The low quality of my recordings does not allow demodulation and therefore further investigation of the presence of KG-84 encryption, which is generally used in this kind of signal (FSK, at both 600 and 1200 Baud). KarapuZ provided me with a better quality recording, so it was pretty easy to verify the KG-84 "flag".



13 March 2016

Sending files using MS188-110A and FED-STD 1052 App.B (H520) Data Link Protocol


FED-STD-1052 Appendix B (FS-1052B) specifies a first-generation Data Link Protocol (DLP) layer with priority messaging and multiple pre-emptive resume queuing ARQ (as a DLP, it is basically the counterpart of what MS188-110A Serial Tone is for modems). The FS-1052B HF DLP as designed will work with other data modems and not just the FS-1052 and MS110A ST modems, as in this sample. However, FS-1052B is optimized for use with a data modem having those same data rates from 75 to 2400 bps and also supporting auto-baud.
FS-1052B provides three modes of operation:
ARQ mode - The primary mode of operation is the automatic repeat request (ARQ) mode, which provides for error-free point-to-point data transfer and employs a control frame acknowledgment scheme.
Broadcast mode - A secondary mode of operation is the Broadcast (non-ARQ) mode. The Broadcast mode allows unidirectional data transfer using fixed-length frames to multiple (as well as to single) receivers. No transmissions from the receiving terminal are desired or required.
Circuit mode - The other secondary mode, the Circuit mode, allows a link to be established and maintained in the absence of traffic. The ARQ variable-length frame protocol is used along with a technique to maintain the data link connection in the absence of user data.


The samples below are real-world signals; for example the above picture is related to a link between the callsigns BS008CB and CS003A: after the link setup, performed by MS188-141 2G ALE, they go into MS188-110A for data transfer.
After removing the MS188-110A headers and the other modem layers (scrambler, interleaver and FEC coding), the resulting bitstream exhibits a clear 520-bit period, characteristic of the FED-1052 App.B or H520 protocol (pic. 2).


pic. 1 - over-the-air bitstream, as demodulated by SA

In the case shown in pic. 2, the transmission is performed through an exchange of protocol frames, so here we face the primary ARQ mode.

pic.2 - FS-1052B in ARQ mode
If the data are corrupted (strong fading, interference, too weak a signal, ...) the analyzer will print out the "CRC Error" message; moreover, sessions should be recorded from beginning to end, since any missing bits affect the integrity of the data.

pic. 3 - FS-1052B in Broadcast mode
Each new transmission begins with a three-byte (24-bit) frame synchronization pattern to identify the following traffic as DLP-processed traffic. The frame synchronization sequence in hexadecimal format is "5C5C5C". The sync pattern is transmitted such that the first eight bits in order of transmission are "00111010". Note: as shown here in transmission sequence, the left-most bits are the LSBs (pic. 4). If a transmission contains more than one frame, a two-byte sync sequence shall be inserted between each pair of adjacent frames; this pattern (hexadecimal) is "5C5C".

pic.4 - frame synchronization pattern
The Frame Header fields (consisting of the Sync Mismatch bit and the Frame Type bit) and then the Control Frame Header fields (pic. 5) follow the 3-byte sync pattern: their possible values and meanings are illustrated in paragraph 50.1.2 of "FS-1052: Letter of Promulgation" (see the link at the end).
 
pic.5 - Frame Header and Control Frame Header fields

In Broadcast mode (the receiver does not send acknowledgments) the transmitting peer sends 520-bit (65-byte) fixed-length frames structured as follows (pic. 6):

a) 40-bit header:
- 8-bit synchronization, depending on the communication line (observed patterns: "10010000", "10110000", "10001000");
- 8-bit descending counter indicating the frame number inside the block (pic. 7);
- 24-bit offset (in bytes) from the beginning of the message;
b) 448-bit information field;
c) 32-bit CRC field (computed over the preceding 448 data bits).

pic.6 - 40 bits header
pic. 7 - the 8-bits descending counter
The information field can be obscured using cryptographic encoders such as KG-84A, KG-84C, KY-99, KY-57, KIV-7, KY-58 and  KY-68.
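An added Python example (not from the original post or from the standard) that builds and parses Broadcast-mode frames with the layout above, including the "5C5C5C" sync sent LSB first and a CRC check that fails the way the analyzer's "CRC Error" does. Three things are assumptions: the bit order of the header fields is taken to be LSB-first like the sync pattern; since the text does not name the 32-bit CRC polynomial, CRC-32/IEEE (zlib.crc32) stands in for it; and the inter-frame "5C5C" sync is placed between the 520-bit frames. The sample message is constructed.

```python
# Building and parsing FS-1052B Broadcast-mode frames (constructed data, assumed bit order and CRC)
import zlib
from typing import Dict, List

SYNC_24 = bytes.fromhex("5C5C5C")   # transmission sync pattern given in the text
SYNC_16 = bytes.fromhex("5C5C")     # inter-frame sync pattern given in the text
INFO_BYTES = 56                      # 448-bit information field
FRAME_BITS = 520


def bits_lsb_first(data: bytes) -> str:
    """Serialise bytes in transmission order, each byte LSB first (0x5C -> '00111010')."""
    return "".join(format(b, "08b")[::-1] for b in data)


def bytes_from_bits(bits: str) -> bytes:
    """Inverse of bits_lsb_first; len(bits) must be a multiple of 8."""
    return bytes(int(bits[i:i + 8][::-1], 2) for i in range(0, len(bits), 8))


def field_bits(value: int, width: int) -> str:
    """Header fields, LSB first (assumed to follow the same bit order as the sync pattern)."""
    return "".join(str((value >> i) & 1) for i in range(width))


def field_value(bits: str) -> int:
    return sum(int(b) << i for i, b in enumerate(bits))


def crc_field(info: bytes) -> int:
    """Placeholder CRC: the text does not name the polynomial, so CRC-32/IEEE is assumed."""
    return zlib.crc32(info) & 0xFFFFFFFF


def build_frame(line_sync: str, counter: int, offset: int, info: bytes) -> str:
    """40-bit header (8-bit line sync + 8-bit descending counter + 24-bit byte offset),
    448-bit information field, 32-bit CRC computed over the information field."""
    assert len(line_sync) == 8 and len(info) == INFO_BYTES
    header = line_sync + field_bits(counter, 8) + field_bits(offset, 24)
    frame = header + bits_lsb_first(info) + field_bits(crc_field(info), 32)
    assert len(frame) == FRAME_BITS
    return frame


def build_transmission(frames: List[str]) -> str:
    """'5C5C5C' once at the start, '5C5C' between adjacent frames (assumed placement)."""
    return bits_lsb_first(SYNC_24) + bits_lsb_first(SYNC_16).join(frames)


def parse_transmission(stream: str) -> List[Dict]:
    """Locate the 24-bit sync, then walk the fixed-length frames and check each CRC."""
    sync, sep = bits_lsb_first(SYNC_24), bits_lsb_first(SYNC_16)
    pos = stream.find(sync)
    if pos < 0:
        return []
    pos += len(sync)
    frames = []
    while pos + FRAME_BITS <= len(stream):
        f = stream[pos:pos + FRAME_BITS]
        info = bytes_from_bits(f[40:488])
        frames.append({"line_sync": f[:8], "counter": field_value(f[8:16]),
                       "offset": field_value(f[16:40]), "info": info,
                       "crc_ok": field_value(f[488:520]) == crc_field(info)})
        pos += FRAME_BITS
        if stream[pos:pos + len(sep)] != sep:   # no inter-frame sync: end of transmission
            break
        pos += len(sep)
    return frames


def demo(corrupt_first_frame: bool = False) -> Dict:
    """Constructed 168-byte message split into three frames: counter 2, 1, 0 and byte offsets 0, 56, 112."""
    message = (b"CONSTRUCTED SAMPLE TEXT FOR THE FS-1052B FRAME DEMO, NOT REAL TRAFFIC. " * 4)[:3 * INFO_BYTES]
    chunks = [message[i:i + INFO_BYTES] for i in range(0, len(message), INFO_BYTES)]
    frames = [build_frame("10010000", len(chunks) - 1 - k, k * INFO_BYTES, c)
              for k, c in enumerate(chunks)]
    stream = "01101" + build_transmission(frames)          # a few junk bits before the sync
    if corrupt_first_frame:                                  # flip one bit inside the first info field
        i = 5 + 24 + 40 + 3
        stream = stream[:i] + ("1" if stream[i] == "0" else "0") + stream[i + 1:]
    return {"message": message, "frames": parse_transmission(stream)}


if __name__ == "__main__":
    for f in demo(corrupt_first_frame=True)["frames"]:
        print(f["line_sync"], f["counter"], f["offset"], "CRC OK" if f["crc_ok"] else "CRC Error")
```

The parser stops at the first frame that is not followed by the inter-frame sync, which is also why a recording that misses bits in the middle of a session breaks every frame after the gap: the fixed 520-bit walk loses its alignment and the CRC of each subsequent frame fails.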

With this protocol, E-mail, files in MS-TNEF format, text messages, graphics (TIF, GIF, JPG, BMP), Microsoft Word and Excel documents, PowerPoint presentations, PDF documents, HTML and other types of file can be transmitted: unfortunately, my analyzer does not have all the handlers, so once the FS-1052B protocol is removed (pic. 8) the resulting stream/file may contain other protocols that require further processing.
pic. 8 - after FS-1052B removal
FS-1052B is limited to a 2400bps maximum data rate by design, whereas the newer STANAG-5066 (second generation Data Link Protocol) has no such limitation.
An interesting  E-mail Performance comparison with 2nd and 3rd Generation Data Links protocols can be seen here (.pdf file).

About the user equipment, the popular Harris family of tactical HF radios includes models that implement a draft Proposed FS-1052B DLP (pFS-1052) they adopted and fielded years prior (!) to the published 1996 FS-1052 standard. So, more likely, the heard transmissions just come from Harris tactical radios.

Links