PolAF, UUCP over RSX.25 to exchange HF email messages

i56578-swl.blogspot.com 9 miesięcy temu

I have already encountered the Rohde & Schwarz RSX.25 protocol in any transmissions of the German BPOL and Italian GdF, this time (just a fewer days ago) I spotted specified transmissions from the Polish AirForce (Siły Powietrzne - Ministerstwo Obrony Narodowej, MON) on 6884 KHz/USB where they usage R&S GM2100 proprietary waveforms as HF bearer and UUCP over RSX.25 to send PostMan II email messages (Figure 1). Transmission were recorded utilizing a Polish KiwiSDR [1].

Fig. 1

Particularly, 1 of the transmissions being analyzed refers to the nodes with ALE address WARSZAWA2 and BYDGOSZCZ:

TO WARSZAWA2 TIS BYDGOSZCZ
TO BYDGOSZCZ TIS WARSZAWA2
TO WARSZAWA2 TIS BYDGOSZCZ User Unique Function 00 07 (CMD USER UNIQUE WORD)

The utilized 2G-ALE protocol is the well-known standard 188-141A: the first thing that catches the eye is the usage of a User Unique Function (UUF) [2] with the value 00 07 (14-bit ASCII [nul][bel]) in the 3rd frame of the ALE handshake. User Unique Functions enable the transmission of a manufacturer-specific Unique Index which may be utilized for controlling the subsequent data transmission protocol; in this case, the value 0007 is most likely the peculiar "index" that R&S uses to signal UUCP/RSX.25 protocol to the receive node.

Data are sent utilizing the HF waveform "Signal Format", a alleged R&S proprietary advanced waveform provided by their GM2100/GM2200 HF modem. The utilized waveform is the rather common 2400Bd PSK8 occupying a 3 KHz bandwidth (Figure 2). With 8PSK the net data rate of the serial modem is 5400 bit/s, errors are at first corrected by FEC, which reduces net data rate to 2700 bit/s.

Fig. 2

The framing consists of a 192-symbol series preamble followed by 1 ore more data blocks each consisting of 64-symbols: 48 unknown symbols (coded data) + 16 known symbols ("test sequences"). The postamble terminates the data blocks and consists of a 64-symbol End Of Message sequence. but for the presence of an first TLC section(s), the full dimension is then a multiple of 64 symbols.

Fig. 3

Figure 4 shows the ACF/period of the GM2100 waveform: since the 2400 Baud, the ACF value of 133.33ms corresponds to a 320-symbol period, i.e. to 5 64-symbol data blocks.

Fig. 4

The dimension of 320 symbols is due to the fact that the 16-symbol test sequences are actually "segments" of a longer 80-symbol series and so they are 5 times repeated, as visible in Figure 4 (unless demodulation errors), hence the dimension of (48+16)×5=320 symbols, or 960 bit since each PSK8 symbol is mapped to a tri-bit series (000...111).

Fig. 5

After the removal of the HF waveform overhead, the well-known 8-bit patterns of RSX.25 appear (Figure 6). RSX.25 virtually stands for R&S adaptation of wired X.25 protocol to the HF radio channel,ie a modified AX.25 packet radio protocol.
Quoting R&S papers: "RSX.25 organizes the data to be transmitted in packets, which are successively transferred to the data modem. The packets contain a variable number of frames, the number per packet depending on radio-link quality and being adapted at regular intervals. The data transmitted in a packet are distributed among the frames. The dimension of the frame data is variable and besides depends on radio-link quality: in channels of very good quality, a frame contains up to 250 data bytes, in powerfully disturbed channels 4 bytes. Errors escaping FEC are eliminated by the ARQ procedure of the RSX.25 protocol." [3]

Fig. 6

The transmitted data are obtained after the removal of RSX.25 encapsulation and packets' reassembly, the file (Hex codes and ASCII text) is edited utilizing the XVI32 hex editor [4] and shown in figure 7. any known "reserved words" and syntax say that's an email transport performed by the usage of UUCP: all messages in the first handshake begin with a `^P' (a byte with the octal value \020, hex 0x10) and end with a null byte (octal \000, hex 0x00).

Fig. 7

UUCP (Unix-to-Unix copy) suite is simply a set of computer programs and protocols that let for the distant execution of commands and the transfer of email and files between computers, in this script it is utilized over RSX.25. The human-readable version of the UUCP "conversation" (just the first part) is shown in Figure 8.

Fig. 8

The messages can be parsed according to the UUCP protocol internals [5] so to get any another informations about users, SW/HW equipment... and so on.

login section

S Bydgoszcz_HF -pz -vgrade=z -R -N07 ROKN07 Pyie Uy

UUCP handshake
S caller hostname = Bydgoszcz_HF
-pz -vgrade=z requests the called strategy to only transfer files of the specified grade or higher = z (grades in UUCP links means 'priorities')
-R caller UUCP understands how to restart failed file transmissions. Supported only by strategy V Release 4 UUCP, so this is simply a strategy V release.
-N07 - caller UUCP understands the Taylor UUCP size negotiation extension (only for UUPlus, so this is UUPlus)
ROKN07 – called station acknowledgement of ‘R’ options. The caller UUCP is acceptable, it specified `-N', and the called UUCP besides understands the Taylor UUCP size limiting extensions
Pyie the called station supports the following UUCP protocols y, i, e
Uy the calling station selects which protocol to usage out of the protocols offered by the called station, in this case the UUCP protocol 'y'

pm2mrs -CR D.0097 0666 dso22odn@bydgoszcz.airforce.pl 0x3d26

most likely R&S PostMan II messenger

D.0097 file to send
0666 mode of file, if UUPlus always = 0666 for outgoing files
dso22odn@bydgoszcz.airforce.pl file name
0x3d26 file size (15654 bytes)

rsmail -v2 -f dso22odn@bydgoszcz.airforce.pl dsocop@warszawa2.airforce.pl

Since PostMan offers e-mail, fax and file transfer, my guess is that the additional command rsmail (most likely R&S mail) following the pm2mrs invocation just specifies the email service

dso22odn@bydgoszcz.airforce.pl the caller station (ALE address: BYDGOSZCZ) is the "22 Ośrodek Dowodzenia i Naprowadzania" (22 Command and Guidance Center) [6] located st Bydgoszcz Airport: it's a civilian airport but shared with the Polish Air Force
dsocop@warszawa2.airforce.pl it's the called station (ALE address: WARSZAWA2) , "dso cop" is most likely the Armed Forces Operational Command in Warzawa (it's a my guess)

It's interesting to note that in any another recordings the email address are user@warszawa2.airforce.pl and user@bydgoszcz.airforce.pl ("user@" is the common default username as in another message handling systems), although the ALE address stay the same, i.e. WARSZAWA2 and BYDGOSZCZ.

BZh9
Bzip2 4 bytes header, here starts the file to be sent (Bzip compressed)
BZ Signature (0x425A magic number)
h Bzip2 (h is for Huffman coding)
9 increments of 100 kB block-size uncompressed

It's truly apparent that the 2 stations belong to the Polish Air Force (indeed "airforce.pl" is the email domain name) as well as the usage of R&S hardware/software equipment (STANAG/MIL-STD waveforms cannot be utilized along with the RSX.25 protocol [7]).

A bit of OSINT demonstrates the R&S support to the Polish Armed Forces:

https://www.epicos.com/article/475115/rohde-schwarz-supports-polish-armed-forces

as well as the usage of R&S XK2500L and XK2900L radios (along with Harris RF-5800) at the "Radio Center, Region 4 Air Force ICT Support":

http://www.szpzl-zegrze.waw.pl/pdf/k/29/5.pdf

https://archiwum-4rwt.wp.mil.pl/pl/31.html

Must be noted that PostMan II (now superseeded by PostMan III) is simply a combined R&S hardware & software product moving on a Unix-like communication server: hence the usage of specified OS, at least in the message server of the local nets.