14 July 2017

short bit-analysis of a STANAG-4538 HDLn transfer (BW2 bursts)


Each HDLn transfer consists of n TX Frames (n = 24, 12, 6, or 3) each consisting of n data packets; each data packet consists of 233-byte data segment plus a 17-bit Sequence Number. Each TX Frame is sent using burst waveform BW2.
During the construction of BW2, a 32-bit Cyclic Redundancy Check (CRC) value is computed across the 1881 payload data bits of each data packet (233 bytes of user data, plus the 17-bit of Sequence Number) and is then appended to the data packet. Then, seven encoder flush bits with values of zero (Flush) are appended to produce an Extended Data packet of 1920 bit length,ie: 233 data bytes + 7 overhead bytes (17-bit sequence number + 32-bit CRC + 7-bit flush). See this post about the formation of a BW2 burst.

Fig. 1 - BW2 formation
That said, we can go back to the original datagram by inspecting the last 56 bits of the Extended Data packets in the two BW2 bursts (Fig. 2a).
The value of the Packet Number fields varies from 0 to 5, this means that it's a 2 x HDL6 transfer; looking carefully at CRC fields we note that the two HDL6 bursts carry exactly the same datagram: maybe the destination station requested a retransmission (the first BW1 ACK burst) or the datagram is sent twice so to improve the reliability of the transfer (Fig. 2a):

Fig. 2a
That said, we can focus on the Extended Data packets (below termed only "packets") of a single BW2 burst (Fig. 2b).
The values of the six Packet Number fields are: 0,1,2,3,0,1. If TxDatagram buffer is not completely emptied the remaining packet positions are filled with repetitions of packets already residing in other positions of TxFrame buffer. The HDL transmitter is at liberty to select packets from the current datagram to repeat as it pleases (the HDL receiver shall inspect the sequence number of each packet received without errors,and use this information to discard duplicate packets).
The original datagram, in this sample, is then composed of the packets #0 #1 #2 #3.

Fig. 2b
Looking at the Packet Byte Count fields in the first four packets (Fig. 2c) we see that the firts three packets carry 233 bytes of user data (as expected, since HDL) and the last packet carries 224 bytes of user data (the remaining 9 bytes are filled with "0" value bytes).
Thus, the length of the original datagram is (233 x 3 ) + 224 = 923 bytes. 

Fig. 2c
Back to the whole bitstream, once structured in a 1920-bit period (the Extended Data packet length), the original datagram can be extracted by isolating the firts 4 rows and removing the overhead bytes: the resulting is an HARRIS "Citadel" encrypted file of 923 bytes length (Fig. 3).

Fig. 3
The duplicated HDL6 burst (A,B), the retransmitted packets (C,D) and the "0" value bytes filling a single packet can be noted looking at the whole bitstream in Figure 4. 
Please note as the bitstream is misleading: at a superficial glance, one could think to four "Citadel" encrypted files!

Fig. 4

13 July 2017

a burst ARQ mixed system (MS110 & S4539)

transmission was spotted only once on 7906.0 KHz from 0603 UTC (tune time) until 0639 (signal off). It's a burst ARQ system in which one station uses STANAG-4539 and the other one uses MIL 188-110A, both running at fixed data rates (respectively4800 and 2400 bps) and carrying STANAG-5066 frames. 
Difficult to say who sends data and who send ACKs. Only the Stanag-4539 bursts have a relative good quality for their analysis (Figs. 1,2): these bursts in large part carry STANAG-5066 DTS control frames (D_PDU type 6) so the station that uses 188-110A could be the data sender, although their duration is very short. Most likely it's a test transmission.

Fig. 1 - frame structure of STANAG-4539 bursts
Fig. 2 - 287 symbols period of STANAG-4539 bursts
Since the different framings of MS110A and S4539, the two stations could use a "special" adhoc configuration or a sort of two-demodulation requirement so to discriminate the incoming signals.

It's worth noting that in many D_PDUs (S4539 bursts) the address of the destination node belongs to the block assigned to France (006.014.yyy.zzz) while the source address belongs to a reserved block (015.xxx.yyy.zzz).

Fig. 3

7 July 2017

STANAG-4538, optimized Asynchronous FLSU call ?

I copied these 3G-HF transmissions very often and, since the "extended" duration of the first burst, I always thinked to Asynchronous FLSU calls; but, apart from the un-expected ending BW5 burst, a careful examination of the first burst in some cases may reserve an interesting aspect as in the present sample.

Asynchronous FLSU calls consist of a sequence of Async_FLSU_Req PDUs sent consecutively on the channel: FLSU protocol use burst waveform 5 so an Async FLSU call can be easily detected in the ACF output screen just thanks to the BW5 spikes (Figs. 1,2).

Fig. 1 - BW5 timing
Fig. 2 - ACF output of an asynchronous FLSU request
Analyzing the recording in question, my analysis tool reveals only one initial BW5 burst, instead of the expected n-bursts (!), which is then followed by a block consisting of 2400Bd PSK-8 modulated symbols. I had a look at the on-air symbols and found that they have a 768-bit period length which corresponds to 256 PSK-8 symbols (Fig. 3).

Fig. 3
BW5 uses a Psuedo Noise spreading sequence that is generated using a table that just contains 256 values [S-4538 #13.9.6] thus the whole first burst match the BW5 waveform (also note the repeated patterns that characterize the bitstream).

Looking at the BW5 timing (Figure 1) and the ACF output screen of the signal (Fig. 4), it seems that the TLC (Transmit Level Control) section is sent only in the first BW5 burst while the following bursts are a bit shorter and consist only of the preamble and data sections, as shown in Figure 5.

Fig. 4
Fig. 5 - the Async FLSU request in question
This is in contrast with what I seen so far in Async FLSU requests in which the BW5 bursts are contiguously transmitted, each with its own TLC section (Figs. 2,6) 
Fig. 6 - ASsync FLSU request as depicted in STANAG-4538
Indeed, STANAG-4538 does not specify this point "The Asynchronous call begins with the LBT (for at least one dwell period), followed by the transmission of about 1.35N Async_FLSU_Request PDUs on the requested link frequency, where N is the number of channels in the scan list, and 1.35 is the duration of each dwell (in seconds)." [STANAG-4538 #5.1.3].

The initial TLC section is used for transmitter level control and receiver AGC settling [1], thus sending TLC sections in contiguous BWn bursts make a poor sense: it's my guess that probably the removal of the redundant TLCs is an optimized implementation adopted by this manufacturer.
By the way, my analysis tool fails because most likely uses a burst-duration approach in order to identify the waveform.

[1] Johnson, Koski, Furman, Jorgenson, "Third Generation and Wideband HF Radio Communications"
Existing HF radios were generally not designed with burst waveforms in mind. For example, MIL-STD- 188-141 military radios are allowed 25 ms to reach full transmit power after keying. While the transmitter radio frequency stages are ramping up, the input audio signal level is adjusted by a transmit level control (TLC) loop so that it fully modulates the transmit power. At the receiver, an automatic gain control (AGC) loop must also adjust to a new receive signal. To accommodate these characteristics of existing radios, the 3G burst waveforms begin with a TLC section of “throwaway” 8-ary PSK symbols that are passed through the system while the transmitter’s and receiver’s level control loops stabilize. 

5 July 2017

unid STANAG-5066 RCOP/UDOP client, Swedish Army (update-1)

[ previous post ]
A recent copy of S-5066 transmissions exhibits a change of paradigm in the so-termed "wrapper" protocol (depicted in the previous post), more precisely the content length of the header Timestamp is reduced from 10 to 9 bytes: 

Fig. 1
Most likely the change happened in coincidence with the reset of the timestamp, ie on 2 July 00:00:00 UTC as can be deduced from a simple calculation (time and date of reception has been taken as the starting date!) and the exposed timestamp (296595868):

Fig. 2
Other than a RCOP new transfer (the above copies regard UDOP protocol), we have also to wait for a capture of a multi-block transmissions to verify if the MTU too is changed.
Note that the copied transmission also offers the opportunity to see the new magic string "ZXPBG", so far never encountered.

For what concerns the source/destination IDs, I could find a possible clue about "HWK01".
Sweden Air Defense Regiment has two air defence battalions equipped with Robotsystem 70 (RBS 70) and Robotsystem 97 (RBS 97): 
Recently, defence and security company SAAB has signed a contract with the Swedish Defence Materiel Administration (FMV) for a service life extension of the RBS 97 air defence missile system, this order ensures the continuing effectiveness of a missile system that is the backbone of Sweden's two air defence battalions:
The RBS 97 is a surface-to-air missile system that is better known as "HAWK", then  it could be that HWK01 = HAWK 01 = Air Defence Battalion 1.

(to be continued)