Unid datalink protocols over PSK8 ST and STANAG-4539 (Thales? L3Harris?)

i56578-swl.blogspot.com, 5 months ago

A few days ago I came across some transmissions that caught my attention for at least 3 good reasons:
1. the frequency used, i.e. 7312.7 kHz/USB, within the 42 metre broadcast band;
2. the use of different traffic waveforms, i.e. PSK8 serial tone and STANAG-4539, in ARQ and non-ARQ modes. The ARQ mode is easily recognizable by the difference between the frequencies of the subcarriers (around 50Hz) of data and ACK segments (1);

Fig. 1 - different traffic waveforms

3. the use of a waveform composed of GMFSK-2000Bd + MFSK8 for the link setup procedure (Figure 2): as far as I know, this particular waveform is used by both Thales and Harris. Note that the MFSK8 part is 188-141A compatible (125Bd & 250Hz separation between the 8 tones) but uses a different tone library.

Fig. 2 - GMFSK + MSK8 link setup waveform

I had already met such transmissions, noting how the system was able to simultaneously demodulate 2/3 waveforms (or more if we consider the ALE exchanges) even during the same logical link. In these recordings a single waveform (PSK8 ST or S-4539) is mostly used and I took advantage of this to study the characteristics of the datalink protocol in use; a protocol which - in my opinion and according to my analysis - turns out to be proprietary and rather complex.
PSK8 Serial Tone
Figure 3 shows the 8-ary constellation (states and transitions) as well as the rasters of the 2 PSK8 modulated waveforms A and B. In the phase states, and especially looking at the transitions, one can easily notice the presence of a PSK2 modulation which is surely used for the synchronization sequences visible in the bitmaps below. As usual, the resulting PSK2 symbols are then mapped and scrambled to appear, on-air, as a PSK8 constellation. Both waveforms have an ACF of 106.6 ms, which makes a frame of 256 PSK8 symbols at the modulation rate of 2400Bd. However, although of the same length, 2 different framings are adopted; in particular the type B waveform uses a framing similar in composition to that of STANAG-4285.
Fig. 3 - constellation and bitmaps of the PSK8 Serial Tone waveform

It is crucial to note both in the bitmaps of Figure 3 and in the demodulated bitstream of Figure 4 (related to the type A waveform) the presence of "regular" and similar patterns, as well as the "invariance" of the symbols of the synchronization sequences. In my opinion such patterns and sequences could indicate the use of an uncoded mode and even no interleaving (or a 1-frame-length interleaver); furthermore the length of the scrambler should coincide with that of the frame (256 symbols) or at least it should be initialized at the beginning of each frame (2).

Fig. 4 - PSK8 ST type "A" waveform: demodulated bitstream

Examining the symbols of the synchronization sequences offers further food for thought. In the type A waveform, the use of PSK2 modulation is confirmed by the 2-state transitions in the sync sequence, the latter consisting of a pseudorandom sequence of 31 symbols that is repeated twice for a total of 62 symbols (Figure 5).
Fig. 5 - sync sequence symbols, PSK8 type "A" waveform

Two-state transitions are also visible in the sync sequence of the type B waveform (Figure 6). Given its similarity to the S-4285 framing, the synchronization sequence consists of 80 symbols and it too is simply a pseudorandom sequence of length 31, which is repeated periodically within the 80-symbol window (2 periods of length 31 plus the first 18 symbols of another period).

Fig. 6 - sync sequence symbols, PSK8 type "B" waveform

The most interesting thing, apart from the state values which may be due to both the scrambler and the possible phase-offset errors of the SA PSK demodulator (3), is that both types of waveform use the same 31-symbol sync sequence: indeed, as can be seen in Figure 7, the 2-state transitions are the same. Possibly the length of the sync sequence is used by the receiving modem to figure out which of the 2 waveforms is incoming, but it's just my guess.

Fig. 7 - sync sequence symbols, PSK8 type "B" and "A" waveforms

Since the type B waveform has the same framing as S-4285, an S-4285 decoder recognizes the type B waveform samples (100% confidence), but since the synchronization sequences are different (see the 2-state transitions in Figure 8) it does not successfully engage any sub-modes.
Fig. 8 - comparison between sync sequences of PSK8 type "B" and STANAG-4285

STANAG-4539
As per STANAG-4539, both the QAM16 and PSK8 waveforms have the same 287-symbol framing (119.6ms ACF, 2400Bd) although the user data rate is different: 6400bps and 3200bps respectively for QAM16 and PSK8.

Fig. 9 - constellations and bitmaps of STANAG-4539 QAM16 and PSK8 waveforms

If in the case of PSK8 ST it was only possible to analyse the symbols after demodulation, in the case of STANAG-4539 it is possible to decode the signals and then analyse the composition of the higher-layer datalink protocol(s).
Figure 10 shows a piece of a bitstream obtained after removing the S-4539 QAM16 overhead; it consists of 96-byte (768 bits) Protocol Data Units (PDUs), each PDU consisting of a 3-byte header followed by 93 bytes of data:
- 1st byte: an ID/value field, in this sample: 0x09 (LSB first)
- 2nd byte: down-counter field (LSB first)
- 3rd byte: up-counter field (LSB first)

As one can see looking at the values of the 2 counters in Figure 10, the sample consists of 55 PDUs, numbered from 0 (00000000) to 54 (00110110).

Fig. 10 - headers and part of bitstream after S-4539 QAM16 decoding

The same field structure can be found in the PDUs extracted from a sample of STANAG-4539 PSK8 (Figure 11). Given half the user data rate (3200bps vs 6400bps), each PDU consists of 48 bytes: 3 bytes for the header fields followed by 45 bytes of data. It's interesting to see that a change in the first field (from 01001000 (36) to 00001000 (8)) occurs when the down-counter field restarts its value after reaching 0: curiously, the up-counter does not "reset" but continues its counting.
It's worth noting that the patterns highlighted in the bitstream of Figure 4 (and the bitmaps of Figure 3) are most likely the 2 counter fields of Figure 11: if so, both the PSK8 ST and S-4539 traffic waveforms transport the same datalink PDUs.

Fig. 11 - headers and part of bitstream after S-4539 PSK8 decoding

Even more interesting. After removing the 3 bytes of the headers, I reshaped the stream into a 128-bit format (16 bytes), i.e. to the most probable value of its period, and I noticed the repetition of the string 0x3CF04F; so I synced the stream on this value (Figure 12), fixing a minimum length of 128 bits. The result highlights the presence of 45 PDUs of a "secondary" datalink protocol where each PDU has a header consisting of 4 bytes and a minimum length of 16 bytes (128 bits); the maximum is over 600 bytes (I was not able to establish it accurately):
- bytes 1-3: an ID/value field, [001111001111000001001111] 0x3CF04F (LSB first)
- 4th byte: up-counter field (LSB first)

Fig. 12 - the emerging "secondary" datalink protocol PDUs

This may be a hasty statement, but it seems that the "secondary" datalink protocol PDUs longer than 16 bytes are fragmented into small segments and then encapsulated into the 45/95 bytes payload of the "primary" datalink protocol PDUs. By the way, at least in these samples, the "secondary" PDUs have been found only in the primary PDUs which have the first byte of the header equal to 0x48, possibly just a coincidence (Figure 13,14).

Fig. 13
Fig. 14
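
The two steps described above (cutting the decoded stream into primary PDUs, then stripping the 3-byte headers and syncing on 0x3CF04F with a 128-bit minimum) can be reproduced as follows. This is an added sketch, not the author's tooling: it assumes the decoded bits are available as a '0'/'1' string and that each field's first bit in the stream is the LSB; the function names are hypothetical and the sample stream is constructed.

```python
SYNC_BITS = "001111001111000001001111"   # 0x3CF04F as the bits appear in the stream

def lsb_first(bits):
    """Decode one field whose first bit in the stream is the LSB (assumption)."""
    return int(bits[::-1], 2)

def split_primary(bits, pdu_bytes):
    """Cut the decoded stream into primary PDUs: 3 header bytes, then payload."""
    size = pdu_bytes * 8
    return [{"id": lsb_first(bits[o:o + 8]),
             "down": lsb_first(bits[o + 8:o + 16]),
             "up": lsb_first(bits[o + 16:o + 24]),
             "payload": bits[o + 24:o + size]}
            for o in range(0, len(bits) - size + 1, size)]

def find_secondary(pdus, min_bits=128):
    """Strip primary headers, then sync on SYNC_BITS at least min_bits apart."""
    stream = "".join(p["payload"] for p in pdus)
    starts, pos = [], stream.find(SYNC_BITS)
    while pos != -1:
        if not starts or pos - starts[-1] >= min_bits:
            starts.append(pos)
        pos = stream.find(SYNC_BITS, pos + 1)
    ends = starts[1:] + [len(stream)]
    return [{"offset": a, "up": lsb_first(stream[a + 24:a + 32]),
             "length_bytes": (b - a) // 8} for a, b in zip(starts, ends)]

def build_sample():
    """Constructed test stream, not data taken from the recordings."""
    enc = lambda v: format(v, "08b")[::-1]          # byte -> LSB-first bits
    # three secondary PDUs of 16, 100 and 64 bytes: sync + up-counter + filler
    sec = "".join(SYNC_BITS + enc(up) + "10101010" * (n - 4)
                  for up, n in enumerate((16, 100, 64)))
    # fragmented into four 48-byte primary PDUs (3-byte header + 45-byte payload)
    return "".join(enc(0x48) + enc(3 - i) + enc(10 + i) + sec[i * 360:(i + 1) * 360]
                   for i in range(4))

if __name__ == "__main__":
    pdus = split_primary(build_sample(), pdu_bytes=48)
    for p in pdus:
        print(hex(p["id"]), p["down"], p["up"])
    for s in find_secondary(pdus):
        print(s)
```

In the constructed sample the 100-byte secondary PDU spans three primary payloads, which is the fragmentation case the paragraph describes.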

Comments
Since the lack of clear-text callsigns makes it impossible to identify the user, we may only speculate about the manufacturer of the devices used:
- as far as I know both Thales and L3Harris make use of the GMSK-MFSK8 waveform to manage HF links: unfortunately the GMFSK signal portions are too short to allow the analysis of the bitmaps (L3Harris GMFSK has a well recognizable pattern [1]);

L3Harris typical pattern in GMFSK-MFSK8 signals

- the patterns highlighted in Figures 3,4 are very similar to the ones visible in the demodulated bitmaps of the PSK8 Voice Digital waveform (L3Harris VD mode) [2];

L3Harris VD mode bitstream
- from Harris RF-5800 datasheet "L3Harris VD mode also allows data to be sent...both data and voice are secured with Citadel encryption" [2]: well, I did not find the Citadel characteristic pattern within the decoded bitstream, even if they could be plain-text transmissions.
So: Thales? L3Harris? either of them? ...hints and comments are welcome.
https://disk.yandex.com/d/tMk8PwVw1gu8dg
(1) 50Hz difference between 1800Hz sub-carriers


(2) FEC encoding and interleaving should supply time separation between contiguous values.

(3) SA is simply a signal analyzer and not a decoder, so its phase-plane demodulator does not sync any particular protocol, as happens for example in STANAG-4285 "suited" decoders. Working with phase keyed signals, the SA phase-plane demodulator produces correct interpretations and views (number of phases, angles, modulation speed, carrier frequency,...) but it may return incorrect demodulated streams due to the possible phase-offset errors.
[1] http://i56578-swl.blogspot.com/2015/06/harris-selective-call-msk-2000bd1000.html
[2] http://i56578-swl.blogspot.com/2021/11/harris-rf-5800-digital-voice-psk8.html