(updated)
[1][segnali.png]
Interesting transmissions spotted on 4381.0 kHz and 4833.5 kHz (all
USB), consisting of the MIL 188-110A Serial HF waveform (fixed
600bps/S) carrying 6-bit code clear text (6x28) and STANAG-5066 as
bearer for XMPP Multi-User Chat (MUC) messages.
XMPP, the Internet Standard eXtensible Messaging and Presence Protocol,
is the open standard for Instant Messaging (IM), Group Chat and
Presence services. XMPP is widely used for military deployments, where
operation over constrained and degraded networks is often essential,
particularly for tactical operation.
Multi-User Chat (MUC) is a central service for military communication.
If data is being provided, it makes sense to share it so that all
interested parties can see it. For example, it will enable external
strategists or lawyers to observe communication in real time, and
provide input as appropriate. It often makes sense to share information
in the field, for example a group of ships jointly working out who will
target what and how. MUC is an important operational capability.
In XMPP a client connects locally to its server, and then there are
direct server to server connections (S2S) to support communication with
clients on other servers. The mapping of XEP-0361 (Zero Handshake
Server to Server Protocol) onto STANAG-5066 is standardized in
"XEP-0365: Server to Server communication over STANAG-5066 ARQ".
XEP-0365 is mapped onto the S5066 SIS and transferred using the RCOP
protocol.
The 6-bit text and S5066 bitstream (Fig. 1) are obtained after
demodulating the 188-110A Serial waveform:
[2][11.png]
Fig. 1
S5066 peers have the addresses 010.050.066.001 and 010.050.066.003
(odd) on the 4381.0 kHz channel; the addresses 010.050.066.002 and
010.050.066.004 (even) are used on the 4833.5 kHz channel. These are
probably "exercise" addresses since the block 10.50 is allocated to
Uganda.
These transmissions have been monitored for about one day, so I could
collect hundreds of messages; only some of them are shown below as
examples: you can see groupchat messages, Instant Messaging (private
messages) and Presence/IQ messages. My friend and colleague Guido
[3]@decodesignals logged the same transmissions (and same addresses) on
4613.0 Hz; in his catches the S4539 4800bps is used as the HF waveform.
(a3d5bb51-70c3-4152-9a29-ab7cddbb47a3; 20181207T224101.034169)
Test Message H - Private Message From GROUND Latency Acct
UNCLASSIFIED
(29f06ec4-a4a9-4849-bd46-42c54efa42ea; 20181207T224452.309137)
Test Message T - MUC From GROUND Latency Acct
UNCLASSIFIED
A bit of intelligence gathering can be done by reading the messages
and from TDoA.
Direction finding is not easy since the transmissions originate from
two different sites, however the results obtained indicate UK as the
area of operations (Fig. 2): maybe UK MoD?
[4][tdoa-1.png]
Fig. 2 - TDoA result
The namespace attribute fmuc xmlns='http://isode.com/protocol/fmuc' can
be a clue to the use of the M-Link software developed by Isode for XMPP
[1]. By the way, reading some Isode documentation available on the web
you can see odd 10.x.y.w S5066 addresses like the ones used in the
heard transmissions (Fig. 3).
[5][66.png]
Fig. 3 - from XMPP5066EVAL.pdf by Isode
Server names and node names such as
mission-one@chat.ground.net/LATENCY_GROUND and
mission-one@chat.ground.net/LATENCY_AIR, as well as the Test Message
format, suggest a test phase aimed at measuring the latency of air and
ground links. Note also that the tests are performed using different HF
waveforms: MIL 188-110A Serial 600bps and STANAG-4539 4800bps.
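The triage described in this post (groupchat vs. private vs. presence/IQ, the embedded test header, and the Isode fmuc namespace as a software fingerprint), as an added Python example that is not from the original post. The stanza layout and the example.* JIDs in SAMPLES are constructed assumptions; only the message text, the chat.ground.net names and the namespace come from the post.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace quoted in the post; seeing it in a stanza hints at Isode M-Link.
ISODE_FMUC_NS = "http://isode.com/protocol/fmuc"
# "(uuid; YYYYMMDDTHHMMSS.ffffff)" header of the logged test messages.
HEADER_RE = re.compile(r"\(([0-9a-f-]{36});\s*(\d{8}T\d{6}\.\d{6})\)")

# Constructed samples: stanza layout and example.* JIDs are assumptions.
SAMPLES = [
    "<message xmlns='jabber:server' type='groupchat' to='user@air.example' "
    "from='mission-one@chat.ground.net/LATENCY_GROUND'><body>"
    "(29f06ec4-a4a9-4849-bd46-42c54efa42ea; 20181207T224452.309137) "
    "Test Message T - MUC From GROUND Latency Acct</body>"
    "<fmuc xmlns='http://isode.com/protocol/fmuc'/></message>",
    "<message xmlns='jabber:server' type='chat' to='user@air.example' "
    "from='user@ground.example/latency'><body>"
    "(a3d5bb51-70c3-4152-9a29-ab7cddbb47a3; 20181207T224101.034169) "
    "Test Message H - Private Message From GROUND Latency Acct</body></message>",
    "<presence xmlns='jabber:server' "
    "from='mission-one@chat.ground.net/LATENCY_AIR'/>",
]

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def classify(stanza_xml):
    """Classify one stanza and pull out the test header and vendor hint."""
    # XMPP forbids DTDs/entities (RFC 6120 11.1); refuse them before parsing.
    if "<!DOCTYPE" in stanza_xml or "<!ENTITY" in stanza_xml:
        raise ValueError("DTD/entity declaration not allowed in XMPP")
    root = ET.fromstring(stanza_xml)
    name = split_tag(root.tag)[1]
    if name == "message":
        kind = "groupchat" if root.get("type") == "groupchat" else "private"
    else:
        kind = name if name in ("presence", "iq") else "unknown"
    namespaces = {split_tag(el.tag)[0] for el in root.iter()}
    body = "".join(el.text or "" for el in root.iter()
                   if split_tag(el.tag)[1] == "body")
    m = HEADER_RE.search(body)
    sent = datetime.strptime(m.group(2), "%Y%m%dT%H%M%S.%f") if m else None
    return {"kind": kind, "from": root.get("from"), "sent": sent,
            "msg_id": m.group(1) if m else None,
            "isode_fmuc": ISODE_FMUC_NS in namespaces}

print([classify(s)["kind"] for s in SAMPLES])
```

The `sent` value is the sender-side timestamp carried in the message text; a latency figure would additionally need the receive time at the other end of the link, which the post does not give.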
That being said, probably these are UK MoD test transmissions concerning
(Isode) XMPP over HF radio but it's only my guess. Ropey
[6]@Topol_MSS27 suggests that "maybe P8 (chat.p8-one.net) is a clue and
references new ops for upcoming P-8A's due to join RAF from Nov next
year" [2].
12 December update
My friend [7]Martin G8JNJ, owner of the
[8]http://southwest.ddns.net:8073/ KiwiSDR, reports he heard synch'ed
transmissions on 4381.0 kHz and 5505.0 kHz too, all USB. His TDoA runs
point to Inskip (Former RNAS Inskip), a transmitting site of UK DHFCS
located in Lancashire, North England: it confirms my TDoA and is a
further clue in favor of RAF operations.
References
1. https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS-LISxA52ReNmvzBWDoANn9AwuuU1EyckfqEeBJP1bU-oZYdx5gyVFPJRf_e6l6iCxNsWY34gEQ3f39eU0ptfyt6VXUcV8-E1x3cR5wh7JFUN6HgjiKoa6fNjHETmV_69a-XPog07wWk/s1600/segnali.png
2. https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOzpJffgmozUy9dpYlQzmT6-UXui67tTiWTiZAZsrov3tCajFF-wwt-TIVQUbwfyGrM3wYVUzfANwS6r0BcpruON9aH-6jRhSReUxx8MbNW8YS306jSsqKSNJIYcMY-Hjv_Oof52uoQjg/s1600/11.png
3. https://twitter.com/decodesignals
4. https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLVujrXdcEVwG2l3fIdKO8u7yln1jsmhZdvB6OrVma_eq-WqAZ6CwLWGGEH4pyRJv_YbOMF0X3U6emcumoc9qWFHsWouWIbhJlDZze8Gc7x85-m4EtFntGD_Q45U8YMOH9XlAJI_Kl-CM/s1600/tdoa-1.png
5. https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhva-_fOJ8YfCWJQnkFqvRFVr3I5yS2S1cSf0ZwpThi3K5Bc97VNofUOU2qptHhHpIFzUDi0a4WzEXuKngZ20AuZEu7OOEBwtQpFbQGNfQyJsFjFYGvTdMM_aMGKbAOBJORtygJVQ3tukI/s1600/66.png
6. https://twitter.com/topol_mss27
7. https://www.g8jnj.net/
8. http://southwest.ddns.net:8073/