22 May 2016

logs


06250.0 IABC: Italian Navy, I 1318 USB opchat with IDR, testing a faulty STANAG-4285 modem (17May16) (AAI)
06300.0 AVE: Unid Italian station 0920 J3E/USB op-chat with ROMA, QSY 5800.0  (20May16) (AAI)
06341.0 ---: Unid 1248 USB Thales Systeme3000 ALE (17May16) (AAI)
06417.0 XSL: Japanese Navy (aka Japanese Slot Machine) 2025 USB QPSK encrypted shore to ship (12May16) (AAI)
06790.0 4042: Sonatrach, ALG 0608  LSB MIL 188-141 2G-ALE sounding (21May16) (AAI)
06795.0 316013: Turkish Civil Defense, TUR 2202 USB MIL 188-141 2G-ALE global AllCall (16May16) (AAI)
06795.0 318018: Turkish Civil Defense, TUR 2153 USB MIL 188-141 2G-ALE global AllCall (16May16) (AAI)
06795.0 334018: Turkish Civil Defense, TUR 2201 USB MIL 188-141 2G-ALE global AllCall (16May16) (AAI)
06795.0 370018: Turkish Civil Defense, TUR 2156 USB MIL 188-141 2G-ALE global AllCall (16May16) (AAI)
06803.0 OC00: Austrian Mil, AUT 0754 USB MIL 188-141 2G-ALE handshake with OP00 then into MIL 188-110 App.B 39-tone (12May16) (AAI)
06815.0 JP20: Algerian Mil, ALG 0731  USB MIL 188-141 2G-ALE handshake with PY20 then into MIL 188-110 serial (12May16) (AAI)
06831.0 D20: National Protection and Rescue Directorate, HRV 0838 USB MIL 188-141 2G-ALE calling E5X (22May16) (AAI)
06831.0 E5X: National Protection and Rescue Directorate, HRV 0839 USB MIL 188-141 2G-ALE calling D20 [CMD AMD][RADIO TEST MESSAGE 22052016] (22May16) (AAI)
06831.0 R51: National Protection and Rescue Directorate, HRV 0839 USB MIL 188-141 2G-ALE sounding (20May16) (AAI)
06831.0 Z01: National Protection and Rescue Directorate, HRV 0825 USB MIL 188-141 2G-ALE sounding (22May16) (AAI)
06834.0 ---: Unid 1223 USB Thales Systeme3000 ALE (17May16) (AAI)
06867.0 (no call): Unid net 0736 USB MIL 188-141 2G-ALE calling ABK4 (12May16) (AAI)
06867.0 ABC7: Unid net 0729 USB MIL 188-141 2G-ALE calling ABD1 (12May16) (AAI)
06906.0 5001: Unid net 0607  USB MIL 188-141 2G-ALE sounding (21May16) (AAI)
06931.0 ---: Unid (prob. Croatian Mil/Gov) 0611 USB modified STANAG-4285 modem (21May16) (AAI)
06952.0 ---: Russian Intel, RUS 2044 (cf + 1600Hz USB) 5 x MFSK-16 10Bd 20Hz, BPSK 250Bd Hybrid modem (12May16) (AAI)
07739.0 4204: Sonatrach, ALG 0729 USB MIL 188-141 2G-ALE sounding (20May16) (AAI)
07814.3 C3: Royal Moroccan Army, MRC 0622 USB MIL 188-141 2G-ALE calling R3 (14May16) (AAI)
07890.0 CS001: Macedonian Mil, MKD 0635 USB MIL 188-110 ST sending FED-1052 App.B data to RS002 then terminate link (16May16) (AAI)
07950.0 FN01: Algerian Mil, ALG 0857 USB MIL 188-141 2G-ALE calling PY01 (20May16) (AAI)
08016.0 Z01: National Protection and Rescue Directorate, HRV 2001 USB MIL 188-141 2G-ALE sounding (12May16) (AAI)
08023.0 FQ55: Algerian Mil, ALG 0753 USB MIL 188-141 2G-ALE calling PY40, flwd by short (prob. Hagelin HC-256) scrambler and terminate link (20May16) (AAI)
08162.0 BX01: Algerian Mil, ALG 0737 USB MIL 188-141 2G-ALE calling BX02 (20May16) (AAI)
08162.0 MDN:  (prob. Algerian Ministry of Defence, ALG) 0745 USB MIL 188-141 2G-ALE sounding (20May16) (AAI)
08162.0 MV01: Algerian Mil, ALG 0738 USB MIL 188-141 2G-ALE calling PY01 (20May16) (AAI)
08162.0 PC02: Algerian Mil, ALG 0742 USB MIL 188-141 2G-ALE calling PY01 (20May16) (AAI)
13449.5 ---: Uk Mil/Gov, UK 1500 USB WINDRM modified waveform OFDM 51-tone (20May16) (AAI)
14710.0 RIA: Finnish Embassy Riyadh, ARS 1734 USB MIL 188-141 2G-ALE calling HKI2 Helsinki, flwd by SKY-OFDM 22-tone (12May16) (AAI)
17500.0 ---: Russian Intel/Diplo 0833 USB CIS-3000: PSK-8 serial tone, 2000Hz carrier, 3000Bd (17May16) (AAI)

21 May 2016

Unid FSK 300Bd/850


This FSK signal has been heard on 6699.0 KHz (cf), manipulation speed is 300 symbols/sec (quite unusual) and the shift between tones is ~850 Hz (pics. 1,2)

pic. 1
pic. 2
The transfer is continuous and data are encrypted but since I tuned it after its initial phase, I did not found any particular sequence in the demodulated bistream. However friends from radioscanner.ru that spotted a whole transmission say it contains KG-84 identifier in the initial part of the trasmission: this signal is reported here
The signal has a characteristic "batman-like" spectrum that exhibits 955Hz bandwidth (pic. 3)

pic. 3

19 May 2016

Unid PSK-8 2400Bd burst waveform (prob. 3G-ALE)


this transmission was spotted on 6550.0 KHz/USB (16 May) at 2024 UTC and consists of a 3-bursts train: each burts has a duration of ~1048ms and the interval between two consecutive bursts is ~385ms. The signal spreads a bandwidth of 2880 Hz (pic. 1).

 
pic. 1
The signal shares the common PSK-8 waveform features, 1800Hz single tone carrier, and 2400Bd symbol-rate,  although the 8-ary constellation is a bit confused: four "clear" points and four "nuanced" points, as shown in pic. 2. Such feature has been observed in some Chinese waveforms but in this case, since the strength of the signal, it's difficult to confirm this origin.

pic. 2
About the structure of the waveform, it's possible to detect the presence of a preamble sequence (CCF of pic. 3) which has a duration of 200ms and preceedes the data transfer.

pic. 3
Data are structured in a 32 symbols frame, or 96 bits (pic. 4). The frame duration of 13.33 ms (32 symbols @ 2400Bd) is the same than the STANAG-4538 BW-3 (LDL traffic data PDUs)  but the burst duration does not match the BW3 characteristics (pic. 5): for example, burst duration is computed to 1226.45ms in case of a packet of 64 frames while the burst of the signal being analyzed has a duration of 1048ms.
pic. 4

pic. 5
By the way, as seen in some previous posts, the measurement of the period of a certain signal could not coincide with its frame structure: it has been shown that in particular circumstances the period lenght, and hence the ACF value too, is produced by the lenght of the scrambler or the interleaver combined with the real frame lenght.
 
Similar transmissions are often spotted on 14870.0 KHz/USB kHz and "rumors" say it could be a modified 3G-ALE waveform. Comments are welcome, short recording is available on e-mail request.

16 May 2016

phase keyed signals, SA, and fake demodulations

Playing with a STANAG-4285 signal and SA (Signals Analayzer) I met some problems in understanding correctly the synchronization sequence pattern of this waveform: the solution is very simple indeed and must be sought in the way the SA phase-plane module demodulator works. Below the story.
 
SA phase-plane demodulating a STANAG-4285 signal
 "The synchronization phase of the STANAG-4285 waveform consists of 80 symbols and is transmitted recurrently every 106.6 ms. This sequence uses 2-bit phase shift keying (2-PSK) modulation and the modulation rate is equal to 2400 bauds. The sequence is identical to a pseudorandom sequence of length 31, which is repeated periodically within the 80-symbol window, i.e., the synchronization sequence consists of 2 periods of length 31 plus the first 18 symbols of another period. A generator for the synchronization sequence is described in pic. 1. The generator polynomial is: x^5 + x^2 +1.
At the beginning of every frame the generator is initially set to the following value: 11010. The first symbol of the synchronization sequence is identical to the least significant bit of this initial value. The remaining 79 symbols are obtained by applying the clock 79 times.
The scrambling operation is carried out on reference and data symbols only, not on the synchronization sequence."
pic. 1 - S-4285 sync sequence generator
Coding into 8-ary is achieved by mapping one-bit to one-symbol according to the following rule in pic. 2: "000" for bit "0" (symbol 0) and "100" for bit "1" (symbol 4)
pic. 2 - coding 04
Such sync sequence generator can be simulated running a simple Lua program: since the sync sequence is not subjected to the scrambling, the output file generated by the program is just the STANAG-4285 sync sequence that we want. The pattern of the sync sequence is visible using the BEE bitstream analyzer (pic. 3).

pic. 3 - sync sequence pattern (mapping 0-4)
Curiously, looking at a real world STANAG-4285 signal demodulated by SA phase-plane, its 80 symbols sync sequence has a different pattern than the one expected (pic. 4)

pic. 4 - sync sequence pattern of a S4285 real-world signal
Inspecting the same sync sequence of a STANG-4285 modem, an orignal and clean signal, things seem even worse (pic. 5)
pic. 5 - sync sequence pattern of a S4285 modem
  
The interesting matter is that editing the mapBit() function of the Lua code as below:
  
local function mapBit(Ubit)
   if (Ubit == "0") then 
      8ary_symbol = {"1","1","1"} -- # symbol number 7
   else  
      8ary_symbol = {"0","1","1"} -- # symbol number 3
   end
    return 8ary_symbol
end

we can get the same sync sequence pattern of the modem sample just by using the mapping 7-3 rather than 0-4, which is equivalent to add a negative π/4 phase rotation to the original mapping 0-4 (pics 6,7)

pic. 6
 
pic. 7
Same conclusions for the over-the-air (real world) STANAG-4285 signal: in this case the used mapping is 4-0, equivalent to a π phase rotation or phase opposition (pics 8,9)

local function mapBit(Ubit)
   if (Ubit == "0") then 
      8ary_symbol = {"1","0","0"} -- # symbol number 4
   else  
      8ary_symbol = {"0","0","0"} -- # symbol number 0
   end
    return 8ary_symbol
end
pic. 8
pic. 9
The reason of the above incongruencese between the expected pattern and the obtained ones,  is very simple: SA is a signal analyzer and not a decoder (and I had forgotten!).
Being part of an analyzer, the SA phase-plane module uses a sort of "universal demodulator" that does not match  any particular protocol to exactly sync its demodulator, as it happens instead in STANAG-4285  (for example) "suited" decoders such as Sorcerer, Sigmira and many others. In other words, SA  phase-plane demodulator is not synchronized with the waveform being analyzed and the resulting phase-offset may cause different (fake) results for the same waveform. So, the more the phase values, the more the variants that the demodulator produces: for example, in case of a π/4 DQPSK modulation  24 different decodings are possible, and it isn't surely the worst case. 
Working phase keyed signals, the SA phane-plane demodulator produces correct interpretations and view under a "quantitative" profile (number of phases, angles, modulation speed, carrier frequency,...) but uncertain results under a qualitative (demod) one.

13 May 2016

STANAG-5511 (Link-11) SLEW: scrambler length and ACF value


Single tone Link Eleven Waveform (SLEW) is one of the modes defined within the Link 11 NATO standard. For SLEW, a single analog waveform is generated for the upper side band, the PSK-8 modulation process is achieved by assigning the tri-bit numbers from the scrambler to 45-degree phase increments of a 1800 Hz carrier. Symbols rate is 2400 Bd while the user data rate is 1800 bps (pic. 1).

pic. 1
The SLEW waveform transmission format consists of an acquisition preamble followed by two or more fields. Each 45 symbols field is followed by a 19 symbols reinsertion probe. The first field  after the preamble is the header field and contains information that is used by the Combat Data System (CDS) and the encryption device. If there are data to transmit, successive data fields follow the reinsertion probe of the preceding fields (pic. 2,3).

pic. 2 SLEW waveform structure
pic. 3
Running the Cross Correlation or Auto Correlaton functions, a 64 symbols or 192 bits frame are expected, but in contrast the CCF output exhibits clear and strong 320 symbols spikes corresponding to a period of 960 bits. Note that five data and reinsertion-probe pairs are arranged inside the period window (pic. 4).

pic. 4 - SLEW waveform CCF result (133.33ms)
So, why the 133.33ms, or 320 symbols, period?
As in pic. 5, the 45 phase encoded pairs (values 0, 1, 2, 3) are mapped into tri-bit numbers (by multiplying by 2).  The tri-bit numbers (0, 2, 4, 6) are used for symbol generation and scrambled  to take on all 8 phase states. During the reinsertion probe, 19 tri-bits (set all to "000") are used for known symbol formation and scrambled.
 
pic. 5 - SLEW wavefrom formation (reinsertion probe and data field)
Since the scrambler could be an important factor in ACF generation,
let's give it a close look: it's worth to noting that the data sequence randomizing generator is the same 12-bit shift register used in MS188-110 serial tone!

"The tri-bit numbers supplied for the symbols (both data and probe) are modulo-8 added to a three-bit value supplied by the data sequence randomizing generator. At the start of the data phase, the shift register is loaded with the initial pattern 101110101101 (binary) or BAD (hex) and advanced 8 times. The resulting three bits are used to supply the scrambler with a number from 0 to 7 which is modulo-8 added to the data/probe symbol. The shift register is shifted eight times each time a new three-bit number is required (every transmit symbol period). After 160 transmit symbols, the shift register is reset to BAD (hex) prior to the eight shifts."

As seen in MS188-110 low data rates, this 12-bit randomizing generator is the cause of the Link-11 SLEW ACF.
In fact, since the scramble length of 160 symbols coincides with 2.5 frames, we get that each five frames - or just two scramble cycles(!) - the same probe value "000" is scrambled exactly after the same number of shifts and hence produce the same probe patterns (pic. 6). These same patterns repetion produces the 320 symbols (or 960 bit) spikes in CCF and ACF function.

pic. 6 (qualitative rapresentation, not in scale)

12 May 2016

SkyOFDM 22-tone, 64Bd QPSK, 2KHz bandwidth


this modem can be frequently spotted after the 2G-ALE handshake between Finnish MFA stations, being used to transfer data. Probably its development is by Sky Sweeper team, hence its name SkyOFDM. 
From Sky Sweeper manual
"SkyOFDM is a state of art high speed modem based on the OFDM and turbo coding technologies. It offers several baud rates (300-9600 bps) and two different interleaving options (short and long). Also there are two bandwidth options: 2.0 and 2.6 kHz.The receiver should be set to the USB reception mode.
The VHF/FM variant is not included in the SkySweeper Professional product.
"
 
This version use 22 tones with QPSK modulation at 64 Baud (pic. 2) and exhibits the same special char sent each 5 signal element periods, also visible after the ACF function (pic. 3)

pic. 2
pic. 3
This special symbol is also visible by highlighting a single tone and inspecting the bistream after the demodulation (pics. 4,5)

pic. 4 - analysis of the bottom tone
pic. 5
More info in the radioscanner site: 

 

logs

05892.0 ---: Unid (prob. Austrian Mil) 1505 USB MIL 188-110 App.B 39-tone QPSK (11May16) (AAI)
05892.0 OP00: Austrian Mil, AUT 1516 USB MIL 188-141 2G-ALE calling OC00 (11May16) (AAI)
05892.0 OY00: Austrian Mil, AUT 1513 USB MIL 188-141 2G-ALE calling OC00 (11May16) (AAI)
06329.0 OSY: Sailmail Brugge, BEL 2150 (cf +1500 USB) PacTOR-III, working PF6269  Dutch "Pleasure Ship" REBEL "PF6269 de OSY" (11May16) (AAI)
07617.0 302013: Turkish Civil Defense, TUR 2102 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 311013: Turkish Civil Defense Bilecik, TUR 2116 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 315018: Turkish Civil Defense Burdur, TUR 2054 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 324013: Turkish Civil Defense Erzincan, TUR 2053 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 327018: Turkish Civil Defense Gaziantep, TUR 2119 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 332013: Turkish Civil Defense Isparta, TUR 2118 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 349013: Turkish Civil Defense Mus, TUR 2058 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 357013: Turkish Civil Defense Sinop, TUR 2054 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 360018: Turkish Civil Defense Tokat, TUR 2101 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 364013: Turkish Civil Defense Usak, TUR 2100 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 371013: Turkish Civil Defense Kirikkale,TUR 2059 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 376013: Turkish Civil Defense Igdir, TUR 2121 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07617.0 8181: Turkish Civil Defense Cankiri, TUR 2121 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07739.0 3404: Sonatrach, ALG 2135 USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07739.0 4216: Sonatrach, ALG 2137 LSB USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07739.0 4216: Sonatrach, ALG 2137 USB USB MIL 188-141 2G-ALE sounding (11May16) (AAI)
07803.5 ---: Unid (prob. French AF) 2145 USB J3E male, loop recordered message “Execute TOABCD1910608K 2115z” (10May16) (AAI)
07898.0 049116: Deutsches Rotes Kreuz, D 2129 LSB MIL 188-141 2G-ALE sounding (11May16) (AAI)
08016.0 P34: NPRD Net Pozega, HRV 1534 USB MIL 188-141 2G-ALE sounding (25Apr16) (AAI)
08070.0 PY50: Algerian Mil, ALG 15:41 USB MIL 188-141 2G-ALE calling XS50 (25Apr16) (AAI)
08115.0 PY30: Algerian Mil, ALG 1537 USB MIL 188-141 2G-ALE calling RK31 (25Apr16) (AAI)
08182.0 XSS: UK DHFCS TASCOMM Forest Moor, G 1548 USB MIL 188-141 2G-ALE calling XBP (25Apr16) (AAI)
08190.0 RHN: Saudi AF Riyadh, ARS LSB MIL 188-141 2G-ALE calling AAN (11May16) (AAI)
10272.5 049119: German Red Cross, D 1521 LSB MIL 188-141 2G-ALE sounding (25Apr16) (AAI)
13233.0 ---: NATO French station 0836 USB (cf +2 Khz) NATO-FSK 75Bd/850 sending KG-84 encrypted traffic, opchat in French (30Apr16) (AAI)
17513.1 M42b: Russian Government & Intel, RUS 1504 (cf) FSK 50Bd/800 messages (10May16) (AAI)
18038.0 ---: Russian Mil, RUS 1034 USB CIS-45 OFDM HDR modem v1 33.33Bd BPSK (11May16) (AAI)
22499.7 ---: Unid 1356 BPSK 125Bd traffic, s/off 1400 (10May16) (AAI)

 

9 May 2016

Unid PSK-8 Serial and non-standard LFM 2G-ALE (prob. Iranian source)


this transmission is composed of messages that are sent using standard MS188-110 Serial Tone waveform (the ones indicated as 3, 4 , 9, ...) and other messages (as 9, 11, ...) that are transmitted using a waveform that most likely is a proprietary variant of 188-110. The transmission ends with a short op-chat (providing some clues about the source) and one interesting not-standard ALE message the closes the link and characterized by the presence of an LFM pulse waveform preamble.
Below the analysis of the message #11 only since it's the better recording among the not-standard 188-110 signals.

For what concerns the carrier, modulation and symbols rate, the signal shares the same parameters of an MS188-110 modem: PSK-8 on a single 1800 Hz carrier frequency and a constant 2400 symbols/sec output waveform (pic. 1)

pic. 1
 The structure of the signal is indeed different: after a ~211ms sync preamble phase, the data phase consists of 51.25ms frames of alternating data and known symbols (pic. 2). After 57 data frames a symbol sequence (most likely a subset of the initial preamble) is reinserted possibly to facilitate late acquisition, doppler shift removal, and sync adjustment as requested by 188-110 standard (pic. 3).

pic.2 - sync preamble and data phases
pic. 3 - preamble re-insertions
The most peculiar aspect of this waveform is its data frame that counts 123 symbols or 369 bit (51.25ms, as indicated by the ACF function in pic 4). The data frame consists of 91 data symbols and a mini-probe of  32 symbols of known data (pic. 5).
The length of the mini-probe, 32 symbols, is quite common and is largely used in 188-110 waveforms, including the appendix D and C. The oddity is the 91 symbols length of the data block. 

We will need additional recordings to indagate it.

pic. 4 - 51.25ms ACF
pic. 5 - frame structure
 
About the short op-caht in the final part of the transmission, a friend of mine suggests that the language may belong to the  Iranian group (Dari, Pushto, Kurdish) and possibly the protocol itself is developed there. That recording is available for who wants to indagate, simply email me.

The ALE sequence the closes the link is shown in the zoomed FFT of pic. 6.
pic. 6 - the ending 2G-ALE sequence
It consists of three messages, each consisting of an Linear Frequency Modulation (LFM) pulse preamble followed by the "common" MS188-141 2G-ALE waveform (8 tones, manipulation speed of 125 baud and 250Hz step between carriers) as in pics. 7,8.
 
pic. 7
pic. 8 MFSK-8 grid
update: comment sent by ANgazu
I agree with your analysis. Just an error, probably a typo one: preamble reinsertion is in every 42 frames and lasts for about 2 frames, so the superframe should be 40 data frames + reinserted preamble ( 2.160 s) or preamble + 40 data frames.
The preamble is much longer than annex C (about 110  ms in this case) and probe is 32 symbols instead of 31, so I agree with you that this looks like a new variant.


That's correct ANgazu, thanks !

7 May 2016

CIS 3 x 100Bd/1440Hz VFT system


fig.1
In this signal we have three channels modulated at 100Bd and a pilot tone at ~3300 Hz (characteristic feature of Russian systems). Every channel has a 1440 Hz shift and 100 Baud speed, channels are separated by 480Hz steps (figs. 2,3) and interleaved as in fig.1
fig. 2 - 1440 Hz shift
fig. 3 - channel separation
The 100 symbols/sec modulation rate, is obtained by highlighting a single channel in the FFT and measuring its speed (fig. 4).

fig.4

CIS 6 x 100Bd/120Hz VFT system

fig. 1
in 6 x 100Bd VFT systems every channel has 120 Hz shift and 100 Baud speed, separation bewteen channels is 480 Hz (figs 2,3). Channels are arranged as in fig. 1.
 
fig. 2

fig. 3
This system can serve up to six outstations, in this sample only the lower channel is used (one-of-six mode) according to the needs at that time (number of the outstations to serve)  other modes are frequently observed: