Chinese 4x4 modem (probably PLA Navy)

i56578-swl.blogspot.com, 13 hours ago

The Chinese 4x4 waveform consists of 2 groups of 4 PSK channels modulated at a rate of 75 Bd; the 2 groups are spaced by 450 Hz and the channel separation is 300 Hz. The signal occupies about 2500 Hz of bandwidth (Figure 1). The modem is most likely used by the People's Liberation Army Navy, also known as the People's Navy, PLA Navy or simply Chinese Navy.

Fig. 1 - Chinese 4x4 modem

I isolated a single channel to identify the speed and the kind of PSK modulation used. The spectrum of the 3rd order harmonics (x^3) shows the typical central line (subcarrier frequency) of PSK8 modulation; indeed, the phase plane exhibits an 8-ary constellation, but there are no transition paths through the center (as in the case of PSK-8) and the comparative constellation (Diff-1) is simply a 90-degree rotated QPSK: this suggests the use of π/4 DQPSK (Differential Quadrature Phase Shift Keying) modulation.
The π/4 DQPSK modulation uses 2 QPSK constellations offset by 45 degrees (π/4 radians), and transitions happen from one constellation to the other, creating the illusion of a PSK-8 modulation; data bits are encoded by phase changes instead of the absolute value of the phase. By the way, the π/4 DQPSK modulation format is also used in TETRA.
Fig. 2 - π/4 DQPSK modulation @ 75 Baud (single data channel)
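
The identification argument above can be reproduced numerically. The following Python sketch is an added example, not code from the original post: it shows that a π/4 DQPSK signal occupies 8 absolute phase points, only 4 differential ones, and never crosses the center. The dibit-to-phase mapping is the TETRA-style Gray mapping and is an assumption (the mapping used by this modem is not known); `SAMPLE_BITS` is constructed test input.

```python
import cmath
import math

Q = math.pi / 4
# Dibit -> phase step in units of pi/4. TETRA-style Gray mapping, assumed here;
# the mapping used by the modem on this page is not known.
STEP = {(0, 0): 1, (0, 1): 3, (1, 1): -3, (1, 0): -1}
DIBIT = {v: k for k, v in STEP.items()}

# Constructed test input (22 bits = 11 dibits), not taken from the recording.
SAMPLE_BITS = [0, 0] * 8 + [0, 1, 1, 1, 1, 0]

def modulate(bits):
    """Return unit-magnitude symbols: a reference symbol, then one per dibit."""
    symbols, phase = [1 + 0j], 0
    for dibit in zip(bits[0::2], bits[1::2]):
        phase += STEP[dibit]
        symbols.append(cmath.exp(1j * Q * phase))
    return symbols

def phase_steps(symbols):
    """Diff-1 view: phase change between consecutive symbols, in units of pi/4."""
    return [round(cmath.phase(b * a.conjugate()) / Q)
            for a, b in zip(symbols, symbols[1:])]

def demodulate(symbols):
    """Differential detection: each phase step maps back to one dibit."""
    return [bit for step in phase_steps(symbols) for bit in DIBIT[step]]

def constellation_sizes(symbols):
    """Number of distinct points in the absolute and in the Diff-1 plane."""
    absolute = {round(cmath.phase(s) / Q) % 8 for s in symbols}
    return len(absolute), len(set(phase_steps(symbols)))

def min_transition_radius(symbols):
    """Closest approach to the origin on straight paths between symbols."""
    return min(abs(a + b) / 2 for a, b in zip(symbols, symbols[1:]))
```

The smallest transition radius is cos(3π/8) ≈ 0.38 because a phase step is never 180 degrees, whereas true PSK-8 allows steps of π that pass through the origin.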

The resulting bitstream after differential demodulation has a period of 22 bits (11 dibit symbols), as shown in Figure 3.

Fig. 3 - demodulated bitstream (single data channel)

The preamble preceding the data is also modulated in π/4 DQPSK mode at a speed of 75 Baud (Figure 4). The bitstream resulting from its demodulation (Figure 5) is formed by the repetition of a 22-bit pattern, likely for AGC, fine-tuning, and synchronization. Attempts to find the generating polynomial suggest x^23+x^22+x+1. In addition to the same period length (22 bits), the "similarities" between the 2 bitstreams (data vs. preamble) are to be noted.

Fig. 4 - π/4 DQPSK modulation @ 75 Baud (single preamble)
Fig. 5 - demodulated bitstream (single preamble)

Messages addressed to multiple recipients are queued in the same transmission and, as shown in Figure 6, messages may have 3 different "formats", which I here call mode-A, mode-B, and mode-C (please note that the "designations" used are only mine and are introduced just for convenient reference). Messages sent in different modes may coexist in the same transmission.
Fig. 6 - messages' formats

mode-A examples
3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02
3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02
3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02
JYJYJYJYJYJY HR MSG GA
41149 25 51 1001 1605
UXEE---Y9R
1213 0044 4433 7814 2404 2166 5873 4084 6463 2053
3462 8669 3268 6541 0511 3039 3930 2944 3388 6895
7921 4851 3871 2507 0062
MSG AGN
41149 25 51 1001 1605
UXEE---Y9R
1213 0044 4433 7814 2404 2166 5873 4084 6463 2053
3462 8669 3268 6541 0511 3039 3930 2944 3388 6895
7921 4851 3871 2507 0062

B81L B81L B81L DE JQ02 JQ02 JQ02
B81L B81L B81L DE JQ02 JQ02 JQ02
B81L B81L B81L DE JQ02 JQ02 JQ02
JYJYJYJYJY HR MSG GA
82230 23 51 1001 1025
UXEE---YXE
1243 0255 1667 1611 3469 2053 0063 5501 7301 1940
2587 7681 6966 7814 0584 6978 0091 2647 7217 7042
7179 5854 5844
MSG AGN
82230 23 51 1001 1025
UXEE---YXE
1243 0255 1667 1611 3469 2053 0063 5501 7301 1940
2587 7681 6966 7814 0584 6978 0091 2647 7217 7042
7179 5854 5844

3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02
3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02
3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02

3BLK called station address
DE from
JQ02 caller station address

JYJYJYJYJYJY HR MSG GA
JYJYJYJYJYJY ?
HR MSG GA are telegraphic abbreviations:
HR = here or hear
MSG = message
GA = good afternoon

It is common to read other abbreviations, such as the "message repetition":
MSG AGN
MSG = message
AGN = again

or even the "link termination"
AHR ZNN SK
AHR = ?
ZNN = All clear of traffic now
SK = End of contact

41149 25 51 1001 1605
41149 ?
25 number of the 4FGs groups that make up the message (seems to be always odd)
51 message group identifier?
1001 date (mmdd)
1605 local time (hhmm), possibly for drafting

UXEE---Y9R
Probably these are military addresses which are expressed as "source---destination"; at least in my recordings, the origin address seems to be composed of 4 digits. Cross-referencing the callsigns of the first calls gives this (small) table:

JQ02 = UXEE
82VP = YXY
3BLK = Y9R
B81L = YXE
IJDW = YXX
THGM = 21II
WMBZ = 227
F9ED = 201
LTPE = 811
FMRK = 818

The messages consist of 4-digit codewords (here referred to as 4FGs groups or simply "groups") which are sent 10 per row in numbered blocks, each block consisting of 100 groups. Given that the Chinese writing system is by nature nonalphabetic and thus noncipherable, Chinese cryptography was bound to the use of codebooks (Chinese Telegraph Code, Chinese Standard character table or another unknown military codebook) containing a maximum of 10000 characters (0000-9999).

1213 0044 4433 7814 2404 2166 5873 4084 6463 2053
3462 8669 3268 6541 0511 3039 3930 2944 3388 6895
7921 4851 3871 2507 0062

Interestingly, the 9th and 10th groups of the first line of each message block do not follow the rules seen in the case of similar 4FGs messages sent via M-39 modem (Chinese Air Force/Air Defense) [1]. Also note that the message sent to B81L contains the string 82230 23 51 1001 1025, i.e. the same date (1001, October 1st) but an earlier time (1025) than that reported in the same string of the message sent to 3BLK (1605). In this regard, it should be noted that the timestamp of the recording is 2024-10-01T14_40_13Z and the official time of China (CST, China Standard Time) is UTC+8, so at the time of transmission it was 2240 Chinese local time. Perhaps it is simply a selective repetition of some messages sent during the day; it could also be following specific requests (this also happens in NATO fleet broadcasts).
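
The mode-A layout described above can be checked mechanically. The parser below is an added example, not part of the original post: it splits a message into its two copies, verifies that the number of 4FGs groups matches the header, and compares the "MSG AGN" repetition with the first copy. The field names (`count`, `ident`, `date_mmdd`, `time_hhmm`) follow the author's tentative reading of the header, and `SAMPLE` is constructed from the first mode-A example with the call line given once.

```python
import re

# Constructed from the first mode-A example on this page (call line given once).
SAMPLE = """\
3BLK 3BLK 3BLK DE JQ02 JQ02 JQ02
JYJYJYJYJYJY HR MSG GA
41149 25 51 1001 1605
UXEE---Y9R
1213 0044 4433 7814 2404 2166 5873 4084 6463 2053
3462 8669 3268 6541 0511 3039 3930 2944 3388 6895
7921 4851 3871 2507 0062
MSG AGN
41149 25 51 1001 1605
UXEE---Y9R
1213 0044 4433 7814 2404 2166 5873 4084 6463 2053
3462 8669 3268 6541 0511 3039 3930 2944 3388 6895
7921 4851 3871 2507 0062
"""

CALL = re.compile(r"^(\w{4})(?: \1){2} DE (\w{4})(?: \2){2}$")
HEADER = re.compile(r"^(\d{5}) (\d+) (\d+) (\d{4}) (\d{4})$")

def parse_copy(lines):
    """Parse one copy: header line, address line, then rows of 4-digit groups."""
    h = HEADER.match(lines[0])
    if not h:
        raise ValueError("bad header: " + lines[0])
    src, dst = lines[1].split("---")
    groups = [g for row in lines[2:] for g in row.split()]
    if not all(re.fullmatch(r"\d{4}", g) for g in groups):
        raise ValueError("non-4FG group in body")
    return {"count": int(h[2]), "ident": h[3], "date_mmdd": h[4],
            "time_hhmm": h[5], "src": src, "dst": dst, "groups": groups}

def parse_mode_a(text):
    """Parse a mode-A message and cross-check its two copies and group count."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    calls = [CALL.match(l) for l in lines if " DE " in l]
    start = next(i for i, l in enumerate(lines) if l.endswith("HR MSG GA")) + 1
    again = lines.index("MSG AGN")
    first, repeat = parse_copy(lines[start:again]), parse_copy(lines[again + 1:])
    first["called"], first["caller"] = calls[0][1], calls[0][2]
    first["count_ok"] = len(first["groups"]) == first["count"]
    first["repeat_ok"] = repeat == {k: first[k] for k in repeat}
    return first
```

A `repeat_ok` of `False` flags a reception error in one of the two copies, which is useful when transcribing weak signals.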

mode-B examples
82VP 82VP 82VP DE JQ02 JQ02 JQ02
82VP 82VP 82VP DE JQ02 JQ02 JQ02
82VP 82VP 82VP DE JQ02 JQ02 JQ02
JYJYJYJYJY HR ++ GA
++
59628 1724
UXEE---YXY
6475/0/0/07/8877/08677/96277/767/74
MSG AGN
++
59628 1724
UXEE---YXY
6475/0/0/07/8877/08677/96277/767/74

IJDW IJDW IJDW DE JQ02 JQ02 JQ02
IJDW IJDW IJDW DE JQ02 JQ02 JQ02
IJDW IJDW IJDW DE JQ02 JQ02 JQ02
JYJYJYJYJY HR ++ GA
++
27016 1724
UXEE---YXX
2624/9/4/07/8587/95777/92087/977/75
MSG AGN
++
27016 1724
UXEE---YXX
2624/9/4/07/8587/95777/92087/977/75
These types of messages are much more cryptic and beyond the first "sentences" it is hard to guess the meaning of the digits separated by slashes.

mode-C examples
NR920 CK93 35 1011 1447 --
215 203 011 326 314 004 773 353 246 351
420 938 407 445 486 382 005 773 353 246
351 403 938 417 445 486 382 006 773 353
246 351 403 938 417 445 486 382 008 773
353 403 938 417 445 486 382 009 773 357
403 938 417 445 466 486 382 010 773 357
403 446 486 382 011 773 353 403 938 417
445 466 486 382 012 773 357 403 447 486
384 938 383 013 773 357 372 403 446 486
758 483 382
MSG AGN
NR920 CK93 35 1011 1447 --
215 203 011 326 314 004 773 353 246 351
420 938 407 445 486 382 005 773 353 246
351 403 938 417 445 486 382 006 773 353
246 351 403 938 417 445 486 382 008 773
353 403 938 417 445 486 382 009 773 357
403 938 417 445 466 486 382 010 773 357
403 446 486 382 011 773 353 403 938 417
445 466 486 382 012 773 357 403 447 486
384 938 383 013 773 357 372 403 446 486
758 483 382

AHR MSG GA

NR921 CK165 35 1011 1447 --
215 203 011 326 004 773 318 357 407 445
486 319 353 938 354 373 418 445 486 758
483 005 773 318 353 417 938 407 445 486
319 357 372 407 938 418 445 486 758 483
006 773 318 357 417 938 407 445 486 319
357 372 407 445 486 338 758 482 008 773
318 357 417 445 486 319 357 372 417 938
418 445 486 338 758 482 009 773 318 357
372 417 445 466 486 758 483 319 354 372
417 938 418 445 486 758 483 010 773 318-1
357 403 446 486 319 357 403 446 938 445
486 011 773 318 357 417 445 466 486 319
357 372 417 938 407 445 486 758 483 012
773 318 353 403 447 938 446 467 486 319
353 403 446 938 445 466 486 013 773 318
354 246 353 403 445 466 486 319 357 372
404 445 486 758 483
MSG AGN
...
...

This kind of message follows the same rules seen in mode-A, except that the numeric groups are made up of 3 digits (3FGs) instead of 4.
Monitoring was possible thanks to KiwiSDRs located in Osaka and Okayama (Japan) [2][3].
(to be continued)
https://disk.yandex.com/d/R5vz9TzK35r7CA

[1] http://i56578-swl.blogspot.com/2023/10/chinese-air-forceair-defense-plaaf.html
[2] http://nr601sdrnet.ddns.net:8073/?#
[3] http://22052.proxy.kiwisdr.com:8073/