31 July 2015

Using SA to measure and fix sound card digitizer errors

(by Angazu)
All sound cards and A/D converters have some clock error. This is especially true if converters are commercial and cheap ones, like PC sound cards and similar. Professional and expensive converters exhibit a much better clock stability and jitter. To correct this error, one must know nominal parameters of the signal under test. If these parameters are known, it is quite easy to correct digitizing clock error using SA.
 
Information for this doc was obtained from:
Unfortunately, Baudline has no Windows version, but the web contents can be useful for the reader.

The SA method of “Correction of BR” is quite good for this job, but perhaps using the resampler as data input is a better procedure.
The correction factor will have to be measured for every digitizing speed and mode. Bear in mind that for cheap cards the speed can vary due to various factors, so if high-precision measurements are required, a new calculation should be carried out. For a good measurement, a fairly strong signal is needed.
This method is useful for PSK, FSK, MFSK and other modulations. To use it with OFDM, some more operations should be carried out using SA. Ideally, an external signal like GPS 1000 Hz or a signal from a high-end signal generator will provide the best results. A radio timing signal should also be good enough.
The best way to understand the subject is through examples.

A well-known signal, Stanag-4285 (sampled at 8000 sps), will be used to show the method.
We know 4285 has a nominal speed of 2400 sps. Since a frame is 256 symbols, the frame time must be 106.666666 ms. This is the value that should be obtained using the VMW feature of SA when the signal structure is perfectly vertical. As we can see, the measured value is 106.69241.


Correction factor = measured value/nominal value = 106.69241/106.66666= 1.000241
Error PPM = (correction factor-1)* 1000000 = (1.000241-1)*1000000=  241 PPM.
Real Digitizing speed = 8000*1.000241 =  8001.931
Real modulation speed (Br) = 2400/1.000241 =  2399.421739
Measured SA Br = 2399.41
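
The calculation above as an added Python example (not part of the original post): `clock_correction` applies the page's formulas, and the same factor is then recovered from a constructed 1000 Hz reference tone, the kind of external signal suggested earlier. The function names, the zero-crossing period estimate and the simulated card rate are assumptions of this example.

```python
import math

def capture_tone(freq_hz, true_rate, n_samples, phase=0.3):
    """Constructed input: a tone digitized by a card whose real clock is true_rate."""
    return [math.sin(2 * math.pi * freq_hz * n / true_rate + phase)
            for n in range(n_samples)]

def measured_period(samples, assumed_rate):
    """Mean tone period in seconds, from interpolated rising zero crossings,
    as software sees it when it trusts the nominal sample rate."""
    crossings = []
    for n in range(1, len(samples)):
        a, b = samples[n - 1], samples[n]
        if a < 0.0 <= b:
            crossings.append(n - 1 + a / (a - b))  # linear interpolation
    if len(crossings) < 2:
        raise ValueError("need at least two rising zero crossings")
    cycles = len(crossings) - 1
    return (crossings[-1] - crossings[0]) / cycles / assumed_rate

def clock_correction(measured, nominal, nominal_rate, nominal_br=None):
    """Page formulas: correction factor, error in PPM, real rate, real Br.
    measured and nominal are the same quantity (a period) in the same unit."""
    factor = measured / nominal
    result = {"factor": factor, "ppm": (factor - 1) * 1e6,
              "real_rate": nominal_rate * factor}
    if nominal_br is not None:
        result["real_br"] = nominal_br / factor
    return result

if __name__ == "__main__":
    # Stanag-4285 frame times from the page, in ms
    print(clock_correction(106.69241, 106.66666, 8000, 2400))
    # Constructed case: 1000 Hz reference captured by a card running at 8001.931 sps
    tone = capture_tone(1000.0, 8001.931, 16000)
    print(clock_correction(measured_period(tone, 8000), 1 / 1000.0, 8000))
```

The longer the capture, the smaller the effect of the interpolation error at the first and last crossing on the PPM figure.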

Now let's correct the signal using the calculated Br in SA.


The signal parameters are almost perfect, so we can save the corrected signal, and after this procedure we can be quite sure the new signal will be demodulated by any commercial demodulator.
We also now know the correction factor for the card used at that speed.
In this sample the error is quite small and no problem for demodulators, but bear in mind that the error can be very big. I measured errors of more than 100 samples in an 8000 nominal sample rate. That means that demodulators will fail to demodulate the signal and even analysis will be quite complicated and erroneous.

The MIL-STD 188-110 App.B is a well-known OFDM waveform: baudrate 44.44, channel separation 56.25 Hz, 39 tones + 1 pilot, correlation triangle (k) = 17/64 and "pi/4 DQPSK" modulation in all channels. The analysed sample, although it exhibits the expected 39 + 1 tones, is not protocol compliant as regards baudrate, separation and K (and the OFDM parameters too).


The measured clock is 44.48 Hz and, according to this article, the signal has a native sample rate that is a multiple of 3600 Hz.
As described above, we go on to fix the baudrate and resample to the correct frequency (7200 Hz in this case).



Although the absolute constellation is not stable, all the mentioned parameters are now correct and the fixed sample can be saved and published.

Calculating the pi/4 DQPSK and (D)QPSK constellations

The OFDM SA module calculates the arity (n-Ary) in automatic mode: to detect whether the modulation in the channels is pi/4 DQPSK or QPSK/DQPSK we have to get a stable absolute constellation (with the help of shift) and look at its arity. The carriers have pi/4 DQPSK modulation if the absolute constellation exhibits an arity of 8 (Figure A).

Figure A

Modulation is QPSK if the arity of the absolute constellation is 4 (Figure B)

Figure B

When working with phase modulation, the arity must be calculated manually. In the phase module the Diff 0 button corresponds to absolute and Diff 1 to relative. In order to calculate the arity, it is necessary to consider the harmonics at different degrees.

For example (Figure 1), the QPSK carrier and side harmonics appear at degree 4. Accordingly, it should be viewed in the phase module with n-Ary = 4 (Figure 2).

Figure 1
Figure 2
Now PSK-8: the carrier and the side harmonics can be seen at the eighth degree (Figure 3). Next, in the phase module with n-Ary = 8, pay attention to the trajectories of the constellation, which pass through the center! (Figure 4).

Figure 3
Figure 4

Finally, pi/4 DQPSK: the carrier and the harmonics are at degree 8 (the fourth degree exhibits only 2 harmonics, unlike the 3 harmonics shown by QPSK!) (Figure 5).
And now attention: look in the phase module with n-Ary = 8 (Figure 6). Notice that there are no transition paths through the center of the constellation (unlike real PSK-8, which has them), and the relative constellation looks like QPSK, but rotated 90 degrees!

Figure 5
Figure 6


Below, another example of pi/4 DQPSK measurement:




Harris AVS (Analogue Voice Security)


While discussing an odd MS 188-110 App.B sample found on the web, KarapuZ sent me a "combined" recording of signals in which not only the 39-tone signal but also some Harris vocoder (AVS) segments are visible. The ending ALE segment, once decoded, reveals the Romanian Police network as the source: [TO ][1P ][TWS][SIB]

Harris AVS
I take this opportunity to speak briefly about it. The Harris AVS (Analogue Voice Security) is a non-synchronized scrambler that uses 24 subchannels and spreads over a band of about 2700 Hz. A detailed analysis can be read in the radioscanner.ru forum: http://signals.radioscanner.ru/base/signal111/
Harris offers both digital encrypted and analog scrambler systems for COMSEC; below is their short introduction to the AVS system: "In voice communications systems that do not require extremely high security, you can protect against casual eavesdropping by scrambling. Scrambling, as an analog COMSEC technique, involves separating the voice signal into a number of audio sub-bands, shifting each sub-band to a different audio frequency range, and combining the resulting sub-bands into a composite audio output that modulates the transmitter."
 

SA: symbol-by-symbol and the "Each" function in the OFDM module

An OFDM signal can be explored with the symbol-by-symbol technique, i.e. by displaying the whole set of channels while moving forward/backward one symbol at a time, clicking in the space to the left and right of the cursor.

This is useful to see whether the channel structure (number, amplitude, ...) changes and, if it does, after how many symbols. Let's look at how we obtained the situation shown in the figure above.

Below you can see that a certain channel structure changes every 5 symbols:


Note how the same channel structure repeats every 5 transmitted symbols (LS6 - LS11). To see in detail what happens every 5 symbols, we select a symbol in which the structure under investigation appears and from there set the "Each" function to 5 (the repetition cycle), then look at what shape the constellations take. This investigation can also be repeated channel by channel, exploring the various modulation types within a single symbol (as in the case of the HVDVL modem).


It is clearly visible that every 5 symbols an unmodulated symbol is transmitted, which can be called a "service" symbol. The modulation used in the channels is visible by setting the "Each" function to its default value (1).


By increasing resolution and precision, i.e. increasing the number of symbols used for the analysis, the presence of this service symbol can be noticed.
For this kind of investigation, however, you need a good signal, well centered in frequency and sampled at its native frequency. Something can always be corrected with the "Shift Frequency" function (a virtual shift, the signal stays where it is) or by shifting the signal, again virtually, one or more channels up or down with the function next to "Mode A" (only for this mode).

SA: resampling an OFDM signal

http://www.radioscanner.ru/info/article450/
An OFDM signal needs to be resampled at its native sampling frequency. If this is not known but the OFDM signal's formation values are, you can use the formula:

resampling freq. = LS * baudrate
 where LS = LU + LG.

For example, for the signal below we know the value of K and the baudrate; the correct values of LU and LG can be recovered with the OCG program.


We know that the coefficient k for this signal is equal to 0.34375 (11/32). For this factor OCG displays the following LU and LG pairs:


We can choose any LU-LG pair, but it is best to leave the signal as close as possible to how it is, i.e. without "heavy" resampling. To do this we use a pair as close as possible to the pair we found from the OFDM module, so we take the second set of LU and LG parameters.
So:
LU = 96, LG = 33, LS = LU + LG = 129 and the correct sampling frequency for analysis / demodulation is (129 * 64.099364) = 8268.817956 Hz, rounded to 8269 Hz.
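
An added Python example (not from the original post, and not OCG's code or output) that enumerates the integer LU/LG pairs for a given k and applies the formula above. Picking the pair whose rate is nearest to the recording's 8 kHz rate is an assumed stand-in for choosing the pair closest to the OFDM module's values; all function names are hypothetical.

```python
from fractions import Fraction
from math import log

def lu_lg_pairs(k, max_lu=512):
    """All integer (LU, LG) with LG / LU == k and LU <= max_lu, smallest first."""
    k = Fraction(k)
    return [(n * k.denominator, n * k.numerator)
            for n in range(1, max_lu // k.denominator + 1)]

def resample_rate(lu, lg, baud):
    """Page formula: resampling freq. = LS * baudrate, with LS = LU + LG."""
    return (lu + lg) * baud

def channel_spacing(baud, k):
    """Sh = rate / LU = baud * (1 + k), which follows from the formula above."""
    return baud * (1 + Fraction(k))

def lightest_pair(k, baud, recorded_rate, max_lu=512):
    """Pair whose rate is closest, as a ratio, to the recording's sample rate
    (assumed selection rule, so the resampling stays as light as possible)."""
    best = min(lu_lg_pairs(k, max_lu),
               key=lambda p: abs(log(resample_rate(*p, baud) / recorded_rate)))
    return best, resample_rate(*best, baud)

if __name__ == "__main__":
    K, BAUD = Fraction(11, 32), 64.099364      # values from the page
    for lu, lg in lu_lg_pairs(K, 160):
        print(lu, lg, lu + lg, round(resample_rate(lu, lg, BAUD), 3))
    print(lightest_pair(K, BAUD, 8000))        # 8 kHz recording
    # Cross-check with the MIL-STD 188-110 App.B figures quoted on the page
    print(round(channel_spacing(44.44, Fraction(17, 64)), 2))
```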

When the fundamental values of an OFDM signal are not known, a trick for obtaining one or more "effective" sampling frequencies is to multiply the measured shift value by an integer.

resampling freq. = Sh * integer

SA: "virtual" shift (by channel and by frequency) in the OFDM module

http://www.radioscanner.ru/info/article450/

After resampling the signal we have a stable situation in the relative constellation, but the absolute constellation is still confused (b1). The modulation may be PSK or pi/4 DQPSK. First of all we look for special symbols, examining the signal symbol-by-symbol.

b1
From the symbol-by-symbol investigation we see that every 5 symbols a special symbol is transmitted, perhaps for synchronization (b2).

b2
We "virtually" shift the signal along the channel grid (up or down) until we find a position where the constellations are as stable as possible; the investigation is of course done with Each=1. The best value found is -7 (b3). To obtain the same result we would have to physically shift the signal down by 7 * Sh, and it is not certain that after the physical shift the signal would still fit without distortion in the displayed band (4 kHz, given the 8 kHz sampling). This virtual shift moves the signal in steps of one channel; we could call it a channel shift.

b3
Once the best channel shift has been found, we refine it with the virtual frequency shift (variable step, very precise) and obtain what we were looking for: stable constellations that reveal the modulation type, in this case PSK-4 (b4).

b4
The same holds for the special character transmitted every 5 symbols: in this case too a stable absolute constellation is obtained (b5).
As can be seen, the virtual frequency shift acts on the absolute constellation of the signal.

b5

29 July 2015

Logs

29/07/15 10595.0 RKD48 Russian Mil, RUS 0725 F1B 100Bd/500
27/07/15 14977.5 OEY80 Austrian Army, AUT 1027 USB MIL 188-141A clg OEY61
27/07/15 10139.2 --- Unid prob. Russian Mil 1510 MFSK-68 (34+34) (11510.2 12163.2 13392.2)
27/07/15 16297.0 --- Unid 1035 USB MIL 188-110A 2400bps/voice
27/07/15 14390.0 --- Russian Mil, RUS 0648 USB OFDM 112-tone Br=22.2 Sh=25.6 PSK-2
26/07/15 10311.0 KF Algerian Mil, ALG 2044 USB MIL 188-110 App.B to ND (french lang. call)
24/07/15 14827.0 --- Russian Mil, RUS 1228 USB CIS-45 HDR modem v2, OFDM 45-tone Br=40 Sh=62.5 BPSK
24/07/15 17495.0 --- Russian Mil, RUS 0648 USB CIS-112 modem, OFDM 112-tone Br=22.2 Sh=25.6 BPSK


23 July 2015

Logs

23/07/15 04553.5 ZLST Bundes Zoll, D 2229 USB clg ZSHO + handshake then into R&S GM2100 ARQ [1]
23/07/15 05785.0 ZANOTTI Guardia Di Finanza patrol boat, I 2209 USB MIL 188-141A clg VIBOVALENTIA
23/07/15 0943.0 --- Chinese Mil, CHN  2142 USB MFSK-8 (125Bd/250) + QPSK 2400Bd [2]
23/07/15 09343.0 D54 Chinese Mil, VHN 2141 USB MIL 188-141A clg A99

23/07/15 13425.2 --- Russian Mil, RUS 1423 USB CIS-3000 PSK-8 serial tone 3000Bd
22/07/15 13406.0 --- Russian Navy, RUS 1417 CIS Navy "Akula" BPSK 500Bd + FSK 500Bd/1000
22/07/15 14646.0 NMPL Russian Mil 0648 CW "TKOT TKOT DE NMPL NMPL NMPL K"
21/07/15 20698.0 --- Unid 1445 USB RACAL/THALES Panther-H serial PSK-4 2400Bd bursts

21/07/15 15786.0 --- Unid 0655 USB MIL 188-141A (undecoded) then MIL 188-110A 
21/07/15 19168.0 --- Russian Mil 0645 USB AT-3004D/3104 modem 120Bd BPSK (CIS-12)

[1] http://i56578-swl.blogspot.it/search/label/R%26S%20GM2100
[2] http://i56578-swl.blogspot.it/search/label/Chinese%20mixed-mode

CIS-3000 PSK-8 serial tone 3000Bd

CIS-NAVY "AKULA"

22 July 2015

RACAL/THALES PANTHER-H: Intelligent Frequency Hopper

Pic. 1: the 8-bursts train
I heard this signal several times, and today too on 20698.0 KHz on USB at 1445z. The waveform: 760 mSec spaced bursts (always eight), ~2500 Hz bandwidth, serial tone with sub-carrier at 1800Hz and PSK-4 2400 Bd manipulation, as shown in picture 2. Always a "train" of 8 bursts (pic. 1) during the SOC (Start Of Conversation) sync procedure; after synchronization the next hops are within 2 MHz. The signal belongs to the RACAL/THALES HF transceiver Panther-H, running in the Intelligent Frequency Hopper mode, and it is reported in radioscanner.ru at this address:
http://www.radioscanner.ru/forum/topic39959-65.html#msg1068885
Thanks to my great friend KarapuZ (radioscanner.ru) for pointing me to the right signal name.

Pic. 2: manipulation speed and serial tone sub-carrier
PANTHER-H is an intelligent frequency hopping transceiver and is the result of many years research to find a tactical HF radio system which provides a Low Probability of Intercept (LPI) and anti-jamming protection whilst delivering reliable, good quality communications on all types of HF link: http://www.railce.com/cw/casc/racal/panther-h.htm
Racal was purchased by Thomson-CSF (now Thales Group) in 2000.
RACAL/THALES-PANTHER-H.wav

Several times I noticed spread spectrum transmissions (hopping frequency spectrum transmissions, HFSS) a few seconds after the end of the SOC sync: possibly it is the traffic just following that sync. Below is an example of these HFSS.

 

21 July 2015

Logs

20/07/15 14590.0 --- Unid 1157 USB Arcotel MAHRS 2400bd PSK burst ALE
17/07/15 12165.0 --- Unid NATO 1235 USB LINK-11 clew
17/07/15 19565.0 CENTR4 MFA Bucarest, ROU 1202 USB MIL 188-141A/B clg KNY25
16/07/15 16230.0 --- Russian Mil, RUS 1412 USB OFDM 45-tone HDR Modem v1, 33.33Bd 62.5Hz DBPSK bursts
16/07/15 16230.0 --- Russian Mil, RUS 1410 USB OFDM 45-tone HDR Modem v2, 40Bd 62.5Hz pi/4 DQPSK then BPSK stream
16/07/15 16223.0 --- Russian Mil, RUS 1306 A1A flash message to VN6B "XXX XXX VN6B VN6B 359 24 WZOSLANIE 8213 652..."

16/07/15 16070.0 ACN01D possibly French Navy ship 0724 USB MIL 188-141A clg DXD05D
16/07/15 16065.0 --- Unid 0705 USB THALES Systeme-3000 MFSK-8 Robust + prop. PSK-8 serial waveform
16/07/15 16019.5 --- Russian Gov, RUS Unid 0655 RUS-ARQ 100Bd/2000 (prob. outstation to home)
16/07/15 14569.5 --- Russian Gov, RUS Unid 0620 RUS-ARQ 100Bd/2000 (prob. outstation to home)
15/07/15 16066.0 MFA Cairo, EGY 2115 USB SITOR-ARQ message to Washington Embassy
15/07/15 04553.5 ZLST Customs Control Post Cuxhaven, D 2040 USB MIL 188-141A/B clg ZBOR

18 July 2015

Unid MFSK-7 200Bd 400Hz


This waveform is an MFSK-7 running at 200 baud; the seven tones are 400 Hz spaced. The ACF is 350 mSec, i.e. 70 bits long. Looking at its frame (pic. 3,4,5) it seems that 7 bits transport something like data while the other 63 bits have a constant sequence (Sync?).
It looks like a "selective call" and the only thing that I could find on the web is a reference to the "AirCal": an MFSK 7 tone system by the old Racal (!?): http://www.scancat.com/rvw-faqc.html
Well, Racal was taken over by Thomson-CSF and now it's Thales. Although Thales has continued part of the former Racal product line, most products have gradually disappeared along with the name 'Racal' itself. 
The signal was caught by KarapuZ on 10150.0 KHz on USB, around 1540z on 15 July (present year): it's available on request for your further analysis: just email me.

pic.1 - speed

pic.2 grid
pic.3 ACF

pic.4 frame structure

pic.5 FSK demod

16 July 2015

CIS-45 v2 HDR modem: modulation switching

16230.0 --- Russian Mil, RUS:
   1412 USB OFDM 45-tone HDR Modem v1, 33.33Bd 62.5Hz DBPSK bursts
   1410 USB OFDM 45-tone HDR Modem v2, 40Bd 62.5Hz pi/4 DQPSK then BPSK stream

Today I heard the CIS-45 OFDM HDR modem running on 16230.0 KHz on USB around 1410z. More precisely, the heard signals were the two well known CIS-45 waveforms: the 33.33 Baud version (v1) in burst mode and the 40 Baud version (v2) in bitstream. The v2 modem came with a discrete signal so I decided to record it for later analysis. The signal clearly exhibits the CIS-45 v2 features: baudrate = 40, Sh = 62.5 and BPSK modulation in the channels as in:


I was surprised when analyzing another segment of that signal: the modulation in the channels is no longer the expected BPSK but pi/4 DQPSK, still running at 40 Baud. So, it seems that the system has the capability to change the modulation mode (from pi/4 DQPSK to BPSK) on-the-fly, maintaining the same baudrate:


I do not know the reasons for such behavior, possibly an adaptive feature? I searched the web to get some other information and found that KarapuZ too recently noticed this behavior: http://www.radioscanner.ru/forum/topic36750-153.html#msg1183165

As the others, this signal is available on request: just email me.