Przebiegi QPSK & "SPIDER HF" MFSK8 (ROK Military)

i56578-swl.blogspot.com 1 dzień temu

I monitored the 8235.0 KHz/USB frequency (maritime band) since any days utilizing any distant KiwiSDRs in Oita, Okayama (both Japan) and Daegu (South Korea) [1] recording respective and very interesting QPSK and MFSK8 signals that I had never met before.

1) I noticed that QPSK transmissions usually start from 0730 UTC while MFSK8 transmissions start from around 0900 UTC; most likely they have different contents and purposes. In this regard, it should be noted that I monitored only during the morning and early afternoon UTC and that Korean Standard Time (KST) is UTC+9. A second interestig aspect is that both types of transmission are not preceded by selcalls or ALE, possibly 8235.0 KHz is simply a "stand-by" frequency of that net?
As shown in Figure 1, another than QPSK & MFSK8 data transfers, transmissions consist of voice comms that have been very useful since the analysis of the audio files (speech & accent), and in part of the waveforms too, allowed me to trace it back to a South Korean user; besides note in Figure 1 the slight mistuned frequency between the operators.

Fig. 1 - QPSK and MFSK8 signals

2) QPSK transmissions consist of a series of "segments" that are sent consecutively, the longest I have seen is about 32 seconds; voice comms happen before and after a series has been transmitted.

Each section has a modulation rate of 750 Baud (1500 bps) and a 1600 Hz bandwidth. Each section is preceded by 2 unmodulated tones lasting about 5 seconds and end with a short speech transmitted at the sub-carrier frequency (Figs 2,3); the distance between the 2 first tones is 750 Hz.

Fig. 2 - QPSK signal parameters


Fig. 3 - QPSK modulation

As confirmed by my friend ANgazu, the 2 first tones make a BPSK signal whose modulation velocity has the same value as their shift, i.e. 750 Bd; the carrier is the center of both. They transmit reversals and are very useful to adjust the AGC, fine-tuning the signal and synchronizing the demodulator's PLL. In this case, if utilizing a QPSK demodulator, the first preambe is "0202020202" and it achieves the same functions (Figure 4).

Fig. 4 - QPSK demodulation of the 2 first tones

I couldn't find a characteristic period of the demodulated QPSK bitstreams (Figure 5): instead, since they are natural PSK demodulations and NOT the consequence of a decoding, we should see something akin to a "framing" of the utilized HF waveform, as we usually see in these cases, even if bits are encoded and interleaved.


fig. 5 - a bitstream after QPSK demodulation (BPSK preamble is omitted)

Statistical analysis of 1 of these bitstreams (Figure 6) shows a compressed or encrypted stream: most likely the encryption device is built into the modem or the encrypted streams are sent straight to a "simple" QPSK modulator.

Fig. 6 - statiscal analysis of a demodulated QPSK bitstream

3) MFSK8 transmissions, unlike QPSK, consist in a "single" transfer, voice comms happen before and after each individual transmission.

Transmissions are preceded by 2 unmodulated tones with a separation of 500 Hz and a duration of about 5 seconds (as in the QPSK waveform). The unmodulated ending tone, lasting about 1 second, coincides with the lowest data speech (the first 2 tones do not match any data tone). The 8 data tones are modulated at the velocity of 250 Baud (750 bps) and the space between the tones is 250 Hz giving an occupied bandwidth of 2250 Hz (Figs 7,8). Each speech (symbol) represents 3 bits of data as follows (least crucial bit (LSB) to the right):

tone grey bin
• 1000 Hz 000 000
• 1250 Hz 001 001
• 1500 Hz 011 010
• 1750 Hz 010 011
• 2000 Hz 110 100
• 2250 Hz 111 101
• 2500 Hz 101 110
• 2750 Hz 100 111

(the frequency of the tones was established based on the correct tuning of the operators' voice)
Note that aurally it cannot be confused with the Thales Robust MFSK8 or MS-141A waveforms as they have a 250 Hz lower tones allocation and a lower Baud rate (125 Bd). By the way, the SPIDER MFSK8 its usage is most likely akin to the Thales one, i.e. data transmission.

Fig. 7


Fig. 8

The analysis of ACF and bitmap rasters reveals the presence of structured blocks at the beginning and at the end of each transmission (Figure 9): these blocks have a duration of 1364 ms that makes 341 symbols (at modulation velocity of 250 Bd).

Fig. 9 - MFSK8 ACF and bitmaps

I besides tried a "plain" 8-tone demodulation utilizing the SA demodulator and according to the speech order shown in Figure 10; for completeness I utilized both binary and grey (MS-141 style) conversion. Again, Bit streams show 2 first and final blocks that have equal dimension of 1023 bits, i.e. 341 symbols (each speech represents a 3-bit symbol).

Fig. 10 - binary and grey coded MFSK8 bitstreams

4) Why am I reasoning of South Korean users?
My friend cryptomaster told me a large lead by reporting that the MFSK8 250Bd/250Hz is simply a "proprietary" waveform of the "SPIDER Tactical Communication System" by Huneed Technologies (Figure 11), a South Korea-based company engaged in the provision of tactical communication equipment to South Korea Army [2]; the strategy was deployed in the early 2000s. According to any Google searches, the transceiver utilized could be the SPIDER (CNR) HF PRC/VRC-950K, suited for either army and navy [3][4]. It's not known if, in addition to MFSK8, the QPSK waveform besides is provided by that same device.
Since the speech & accent, the voice comms language is definitely Korean, as Max (KJ4WNA) from UDXF emailed me "a tell tale sign is the endings -nida". As for the North/South Korea ambiguity due to the usage of the same language, AFAIK the North Korean military (Korean People's Army, KPA) uses communication equipments by Glocom Corp. and not South Korean ones. Unfortunately, further "geographic" confirmation was not possible due to the fact that radio direction uncovering results were not reliable due to the brevity and close unpredictability of the transmissions as well as the deficiency of receivers west of the Korean peninsula.

Fig. 11 - SPIDER (Combat Net Radio) HF transceiver by Huneed

As far as possible, I transcribed the Korean-language audio files into texts utilizing any online tools [5], then I translated the txt files into English utilizing Google/Yandex/DeepL translators obtaining alternatively interesting conversation' snippets (Figure 12). Although transcriptions and translations may results a bit "odd" and discordant, actually there are clues that point to South Korea.

Fig. 11 - example of a device transcription & translation

Speeches seem mention to a maritime scenario, as from the exchanged informations related to weather conditions, sailing, heading etc.: it must be said that the usage of the SPIDER HF waveform would indicate an usage in a military environment specified as the Navy and not in fishing boats. In addition to usual coordination and voice checks relating to the sending/receiving of data, operators mention names of any South Korean places specified as "I'm going to go to Namhae by the South Sea"(1),"There's nothing else in Busan "(2), or "Mapo is 7 Km away" (3).
As I said, the transmissions are not preceded by selcal/ALE and I did not hear - or possibly I did not figure out - any callsigns pronounced by the operators. Only in a fewer transmissions I came across sentences specified as "I've communicated with all the surrounding turns... I've communicated with both SP3 and SP4" but I haven't heard anything else or additional context that actually confirms that these are callsigns. Only erstwhile I heard a link termination: "This is Yanglak-Dong 146 / This is Maunoi" (or possibly "This is Yangrak-Dong 146 / This is Maunnoi").
Amogng another txt files, a September 23 0923 UTC (1623 KST) voice recording requesting the location of a boat carrying (North Korean) defectors must be noted (Figure 12). North Korean "defectors" are Koreans who have fled North Korea seeking asylum in South Korea or another nations. For the sake of completeness, I must say that the day after I looked at the Yonhap news agency website [6] but I did not find any mention to alleged defectors. possibly the news was not so applicable or there was no intervention by South Korean assets ...but here we enter the realm of suppositions.

Fig. 12

5) Given the the usage of a "informal language", the device transcriptions/translations might sometimes make military jargon terms and names that seem a bit unusual and out-of-context, as the the classical word "Christmas trees" utilized in board U.S. submarines and reffered to atomic missiles. For example, I have frequently noticed the usage of the word "seagull" which, judging by the speeches context, may not mention to the well-known bird. Also, it must be said that the operators talk Korean(!) and not more "easy" languages such as English, Spanish or even French, so I could not correct the errors as I should desire and confirm that the transcriptions were accurate, but I simply copied and pasted the automatically transcripted texts.

6) At present I do not have adequate evidence to confirm whether this is the South Korean Navy (ROKN, Republic of Korea Navy) or possibly another assets specified as the Coast defender (KCG, Korea Coast Guard), although the second is not under the Ministry of defence (the Coast defender is an independent and external branch of the Ministry of Maritime Affairs and Fisheries). so I can't not exclude that users may be another South Korean military/civilian organization: further recordings & analysis and blog readers besides will help.

(to be continued)

https://disk.yandex.com/d/_Ab_KPufsyPGPw (waveforms and a applicable op-chat)

(1) Namhae is the site of the South Regional HQ of Korean Coast defender and besides a Mine Sweeper huntsman of Korean Navy

(2) The Busan Naval Base is simply a group of ports and land facilities of Korean Navy (ROKN), located at Nam-Gu, Busan. The United States Naval Forces Korea office sit within this base

(3) "Mapo" could be a mistranscription of the word "Mopko" which is the 3rd Fleet Command HQ of ROKN and besides the West Sea Regional HQ of KCG. This way, the conviction "Mopko is 7 Km away" would make sense