Thanks to SDRplay, I was sent both their new RSPdx and older RSPduo SDRs at the end of January free of charge.
The main reason was to get them integrated into Procitec’s go2MONITOR and go2DECODE software, to increase the number of SDRs that the company’s products are compatible with.
This I’ve been successful in doing with the RSPdx – I’m still to unbox the RSPduo at this time of writing.
First of all though, I’ve been extremely pleased with the RSPdx in its own right. The SDRuno software works really well, is pretty easy to use – and it looks good too.
The fact that you can have up to 10 MHz of bandwidth is brilliant, and it isn’t too bad on the CPU usage either – running at around 25% with 10 MHz bandwidth on my ancient PC. Used with SDRConsole you can cover a good number of frequencies at once, and can record them if necessary. Of course, you can do this with SDRuno too, but at the moment only IQ – you can’t record individual frequencies.
Saying that, I’ve seen the SDRuno Roadmap for future releases and not only will recording of individual frequencies be possible, a more advanced scheduler is to be included. This is something I feel SDRConsole – amazing though it is – is lacking when it comes to single frequency recording. There is also the issue with SDRConsole that you are limited to recording only 6 hours worth of wav file per frequency.
Anyway, I digress. Back to the RSPdx and go2MONITOR.
To get the SDRs to work correctly with any of the go2 products means creating a configuration file and adding a ExtIO DLL file to the software. This is reasonably easy to do once you get use to it and it enables a GUI to become active so that you can control the SDR through go2MONITOR.
One interesting aspect with the RSPdx GUI is that regardless of what you enter as some of the parameters in the configuration file, the ExtIO file overrides these. Effectively, I just left some of the data as found in a basic configuration template and let the GUI do all the work for me.
So, below are some of the results with today’s first test.
First of all I went into the VHF/UHF side of things and targeted the local TETRA networks. These were found easily and after messing around with the GUI, I was able to get go2MONITOR set up to nicely find all the emissions within the 1.6 MHz bandwidth I’d chosen to use
From there, all I had to do was to select one of the found emissions and let the software do its thing.
Next I moved on to HF where there’s a plethora of data to choose from to test out the SDR. There was quite a large storm going through at the time and my Wellbrook loop and coax feed were getting a bit of a bashing with some considerable interference being produced with the really strong gusts, as can be seen below – the interference between the two HFDL bursts is one such gust.
I’ve frequently mentioned the Results Viewer that’s part of go2MONITOR and with things such as HFDL and TETRA, that process data quickly from lots of signals, this part of the software comes into its own.
The image below is two minutes of HFDL monitoring. All the red blocks is received data that scrolled through the Channel window too quickly to read live. In the viewer you can select any of the signals and you’ll be shown the message as sent. In this case, it is one sent by an Open Skies Treaty observation flight OSY11F.
By looking at the Lat/Long and comparing it to the flight history from FlightAware and its location at 1313z it ties in nicely. This flight was carried out by the German Air Force A319 1503 specially kitted out to make these flights.
go2MONITOR has a basic map function within the Result Viewer function so if there’s any Lat/Long position within any message it will plot it – as shown below for OSY11F at 1313z.
Within the General tab of Result Viewer you can get all the parameters of the signal.
One final test that I carried out was how well everything coped with a bigger bandwidth. In HF I can use up to 3 MHz of bandwidth with the licence I have – going up to 10 MHz once into VHF/UHF. In HF then, I selected 3 MHz in the GUI and then ran an emissions search.
My PC is nearing the end of its life but it coped easily with the amount of data found despite only having 4 GB of RAM with a 3.6 GHz AMD processor – a new PC is in the pipeline that is going to give me much better processing power.
Despite having 3 MHz available, not everything was identified. Most of this was at the fringes of the bandwidth, but some of the weaker signals also failed. That doesn’t mean you can’t then process them further, you can, it’s just the Emissions scan hasn’t quite been able to ID them. Saying that, the software managed to ID things within 2.2 MHz of the 3 MHz bandwidth.
I picked one of the weaker signals to see how both the RSPdx and software coped and they did very well, pretty much decoding all of the CIS-50-50 messages that were coming through on 8678 kHz.
So, overall, pretty pleased with how the RSPdx works with go2MONITOR.
Once I get a better PC I’ll be able to test at bigger bandwidths but even with 3 MHz here I was able to achieve the same, if not better, results than I have with the considerably more expensive WinRadio G31 Excalibur I have been using previously (running with the G33 hack software).
Not that I’m likely to really use go2MONITOR at big bandwidths – 1.6 MHz is probably fine for me – but for Pro’s there’s no doubt that having these “cheaper” SDRs would make absolutely no difference over using an expensive one such as those in the WinRadio range. In all honesty, I don’t think I’ll be holding on to the WinRadio for much longer – I’m more likely to get another RSPdx to cover this area of my monitoring.
On its own, as an SDR, the RSPdx is worth the money I’d say. I like it just as much as I do the AirSpy HF+ Discovery – the only real difference I can see between these two SDRs is the max bandwidth available.
In early November, whilst working on an article for Jane’s, I noticed a Link-11 SLEW signal on 4510 kHz (CF) that was slowly growing in reception strength. I’d been monitoring frequencies used by the Northern Fleet of the Russian navy around this one and had already spotted that Link-11 CLEW was being used on a nearby frequency, though this remained at a constant signal strength at my location. The fact that the Link-11 SLEW was getting stronger made me stop what I was doing and start concentrating on this instead.
Link-11 SLEW (Single-Tone Link-11 waveform) ,or STANAG 5511, is a NATO Standard for tactical data exchange used between multiple platforms, be it on Land, Sea or Air. Its main function is the exchange of radar information, and in HF this is particularly useful for platforms that are beyond line of sight of each other and therefore cannot use the UHF version of Link-11.
With propagation being the way it is, in theory radar data could be exchanged between platforms that are hundreds to thousands of miles apart, therefore providing a wider picture of operations to other mobile platforms and fixed land bases. This data can also be forwarded on using ground stations that receive the data and then re-transmit on another frequency and/or frequency band. However, the approximate range of an individual broadcast on HF is reported to be 300nm.
As well as radar information, electronic warfare (EW) and command data can also be transmitted, but despite the capability to transmit radar data, it is not used for ATC purposes. In the UK, Link-11 is used by both the RAF (in E-3 AWAC’s and Tactical Air Control Centres) and the Royal Navy. Primarily it is used for sharing of Maritime data. Maritime Patrol Aircraft (MPA’s) such as USN P-8’s and Canadian CP-140’s use Link-11 both as receivers and transmitters of data, so when the RAF start using their P-8’s operationally in 2020 expect this to be added to the UK list. Whilst it is a secure data system, certain parameters can be extracted for network analysis and it can be subjected to Electronic Countermeasures (ECM).
Link-11 data is correlated against any tracks already present on a receivers radar picture. If a track is there it is ignored, whilst any that are missing are added but with a different symbol to show it is not being tracked by their own equipment. As this shared data is normally beyond the range of a ships own radar systems, this can provide an early warning of possible offensive aircraft, missiles or ships that would not normally be available.
I started up go2MONITOR and linked it to my WinRadio G31 Excalibur. Using a centre frequency of 4510 kHz I ran an emission search and selected the Link-11 SLEW modulation that it found at this frequency.
It immediately started decoding as much as it could, and I noticed that three Address ID’s were in the network.
As the signal was strong, and it is normally maritime radar data that is being transmitted, I decided to have a quick look on AIS to see if there was anything showing nearby. Using AISLive I spotted that Norwegian navy Fridtjof Nansen class FFGHM Thor Heyerdahl was 18.5 nm SW of my location, just to the west of the island Ailsa Craig. Whilst it was using an incorrect name for AIS identification, its ITU callsign of LABH gave me the correct ID. This appeared to be the likely candidate for the strong Link-11 signal.
It wasn’t the best day and it was pretty murky out to sea with visibility being around 5nm – I certainly couldn’t see the Isle of Arran 11.5 nm away. I kept an eye on the AIS track for Thor Heyerdahl but it didn’t appear to be moving.
Whilst my own gear doesn’t allow me to carry out any Direction Finding (DF) I elected to utilise SDR.hu and KiwiSDR’s to see if I could get a good TDoA fix on a potential transmitter site – TDoA = Time Difference Of Arrival, also known as multilateration or MLAT. Whilst not 100% accurate, TDoA is surprisingly good and will sometimes get you to within a few kilometres of a transmission site with a strong signal.
One of my thoughts was that the signal was emanating from the UK Defence High Frequency Communications Service (DHFCS) site at either St. Eval in Cornwall or Inskip in Lancashire. With this in mind I picked relevant KiwiSDR’s that surrounded these two sites and my area and ran a TDoA.
As expected, the result showed the probable transmitter site as just over 58 kilometres from St. Eval, though the overall shape and “hot area” of the TDoA map also covered Inskip, running along the West coast of England, Wales and Scotland. It peaked exactly in line to where the Norwegian navy ship and I were located! With the fact that there were signals being received from three different sources it is highly likely this has averaged out to this plot.
Just after 10am the weather cleared allowing me to see a US Navy Arleigh Burke class DDGHM between myself and Arran. This added an extra ship to the equation, and also tied in with the TDoA hot spot. Things were getting even more interesting!
Thor Heyerdahl still hadn’t moved according to AISLive but the Arleigh Burke was clearly heading in to the Royal Navy base at Faslane. With my Bearcat UBC-800T scanning the maritime frequencies it wasn’t long before “Warship 101” called up for Clyde pilot information along with an estimate for Ashton Buoy of 1300z. Warship 101 tied up with Arleigh Burke USS Gridley.
As USS Gridley progressed towards Faslane, the signal started to get weaker. Ashton Buoy is where most ships inbound for Faslane meet the pilot and tugs, taking up to another 30 minutes to get from there to alongside at the base – a journey of about 8.5nm.
At 1328z the Link-11 SLEW signal ended which coincided with the time that USS Gridley approached alongside at Faslane. It would be at about this time that most of the radar systems used on the ship would have been powered down so data was no longer available for transmission, therefore the Link-11 network was not required any further and it was disconnected.
So, was this Link-11 SLEW connected to USS Gridley? And was the ship also the NCS of the network? I think the answer is yes to both, and I’ll explain a couple of things that leads me to this conclusion. But first…………….
Link-11 SLEW Technical details
Using Upper Side Band (USB) in HF, a single waveform is generated in a PSK-8 modulated, 1800 Hz tone. The symbol rate is 2400 Bd and the user data rate is 1800 bps. Link-11 SLEW is an improved version of the older Link-11 CLEW modulation and due to enhanced error detection and correction is a more robust method of sending data. This makes it more likely that transmissions are received correctly the first time. Moreover, an adaptive system is used to counter any multipath signals the receiving unit may experience due to HF propagation.
The waveform transmission consists of an acquisition preamble followed by two or more fields, each of which is followed by a reinsertion probe. The field after the preamble is a header field containing information that is used by the CDS (Combat Data System) and an encryptor. If a network Participating Unit (PU) has any data, for instance track data, this follows the reinsertion probe. Finally, an end-of-message (EOM) is sent followed by a reinsertion probe.
The header is made up of 33 data bits and 12 error detection bits (CRC – Cyclic Redundancy Check). The 45 bit sequence is encoded with a 1/2 rate error correction code therefore giving a 90 bit field. The header contains information on the transmission type used, Picket/Participating Unit (PU) address, KG-40 Message Indicator, the NCS/Picket designation and a spare field.
Broken down, each piece of information is made up as follows:
The transmission type indicates the format of the transmission – 0 for a NCS (Network Control) Interrogation Message (NCS IM); 1 for a NCS Interrogation with Message (NCS IWM) or a Picket reply.
The address contains either the address of the next Picket or that of the Picket that initiated the call.
The KG-40 Message Indicator (MI) contains a number sequence generated by a KG-40AR cryptographic device. Synchronization is achieved when the receiver acquires the correct MI. For a NCS IM this will be made up of zeros as no message or data is actually sent.
The NCS/Picketdesignation identifies whether the current transmission originates from the NCS or PU: 0 = NCS; 1 = PU
Following on from the header, the SLEW data field consists of 48 information data bits along with 12 error detection and correction bits, themselves encoded with 2/3 rate error correction. This creates a 90 bit data field.
The EOM indicates the end of the transmission and is also a 90 bit field. There are no error detection or correction bits. Depending on the unit that is transmitting, a different sequence is sent – NCS = 0’s; PU = 1’s
There is a specific order of transmissions which takes place for data to be exchanged.
Ordinarily the NCS sends data that creates the network, synchronizing things such as platform clocks etc. Each PU is called by the NCS and any data that a PU has is then sent, or the NCS sends data, or both. This is a very simple explanation of how data is exchanged but if you monitor a SLEW network you’ll see the exchanges take place rapidly. Except for the message itself which is encrypted, go2MONITOR will decode all the relevant information for you for analysis. This means that you don’t need to look at each raw data burst as sent to calculate whether it was a PU reply or NCS IWM, the decoder will do this for you.
At this point I need to say that Link-11 decoding is only available in the Mil version of go2MONITOR so doesn’t come as standard. Should you be interested in Link-11 decoding yourself then you would need to go for the full go2MONITOR package to enable this.
As previously mentioned, the data itself is encrypted but it is possible to try to calculate who is who within the network, and the analysis of the header information in particular will give you a good clue if you already know of potential PU’s that could be on the frequency.
In this case we already have four possible PU’s:
St. Eval transmitter site
Inskip transmitter site
It later transpired that Thor Heyerdahl had gone into Belfast Harbour for repairs so this practically cancelled out this ship as the NCS though it could still be a PU. Moreover, Thor Heyerdahl and USS Gridley were part of the same NATO squadron at that time which meant it was highly likely they were on the same network. This left us with three choices for the NCS, but still four for the network.
Here, I’d cancel out Inskip completely as both the NCS and a PU as the TDoA appeared to give a stronger indication to St. Eval – that left us with three in the network.
The pure fact that the strength of the major signal increased as USS Gridley got closer to my location, then slowly faded as she went further away added to my theory of her being the NCS. This was practically confirmed when the signal stopped on arrival to Faslane. Throughout the monitoring period he other signals on the frequency remained at the same strength.
Based on this, this meant that the strong signal was USS Gridley using ID Address 2_o.
Let’s take a look at one the previous screenshots, but this time with annotations explaining a number of points.
Firstly, we need to look for the NCS. The easiest way to do this is to look at the NCS/Picket Designation and find transmissions that are a zero, combined with a Message Type that indicates it is a NCS IWM. Here, there is just one transmission and that emanates from Address ID 2_o – the long one that includes a data message.
We next need to find NCS/Picket Designation transmissions that still have a zero – therefore coming from the NCS – but that have a Message Type that show it to be a NCS IM. These are calls from the NCS to any PU’s that are on the network looking to see if they have any “traffic” or messages.
Because of this there should be numerous messages of this type, and if you notice none have an ID address of 2_o. However, all of these messages are actually coming from 2_o as the ID address shown in a NCS IM is that of the PU being called rather than who it is from.
Any reply messages from PU’s will show as a NCS IWM/PU Reply transmission, but importantly the NCS/PU designation will be a one – showing it isn’t the NCS. Here there is one data reply from 71_o. You’ll notice that in the “reflection” there isn’t any transmission, unlike the ones from 2_o.
Moreover, though not shown here as the messages were off screen and not captured in the screen grab, you can see that one of the PU’s sent another reply message. As I was able to look at the complete message history I was able to see that this was also from 71_o – and 2_o either replied to this or sent further data.
There are two fainter transmissions which were not captured by go2MONITOR. These were from a PU, and must have been 30_o as there are no transmissions at all in the sequence that are from this ID address.
We now have a quandry. Who was 30_o and who was 71_o?
Data is definitely being sent by 71_o so to me this is more likely to be a ship rather than a transmitter site – but – a strong TDoA signal pointing at St. Eval makes it look like 71_o is this location instead.
Now though, we need to think outside the box a bit and realise that I’m looking at two different sources of radio reception. The TDoA receivers I selected were nowhere near my location as I’d selected KiwiSDR’s that surrounded St. Eval. This meant the signal that was weak with me could have been strong with these, therefore giving the result above.
If I base the fact that I think USS Gridley is 2_o due to strength, then I must presume the same with 71_o and call this as Thor Heyerdahl as this is the second strongest signal. I can also say that having gone through the four and a half hours of Link-11 SLEW transmissions available that 30_o never sent a single data transmission – or rather, not one that was received by me.
Here then is my conclusion:
USS Gridley = 2_o and the NCS
Thor Heyerdahl = 71_o
St. Eval transmitter site = 30_o
Of course, we’ll never really know, but I hope this shows some of the extra things you can do with go2MONITOR and that it isn’t just a decoder. It really can add further interest to your radio monitoring if you’re an amateur; and if you’re a professional with a full plethora of gear, direction finders, receiver networks etc. then you really can start getting some interesting results in SIGINT gathering with this software – and highly likely be able to pinpoint exactly who was who in this scenario.
Now, how do I get some Direction Finders set up near me….Hmmmmmm??
If you follow me on Twitter you’ll see that in the last month or so I’ve been sending out images of classification and decoder software go2MONITOR working with a number of my SDR’s.
go2MONITOR is part of the go2SIGNALS range of software solutions created by PROCITEC GmbH operating from Pforzheim in Germany, themselves part of the PLATH group. PLATH Group is the leading European-based solution provider for communication intelligence and electronic warfare (EW) with worldwide government customers. The group covers all aspects of signal interception and analysis split between a number of companies such as PROCITEC. EW, COMINT/SIGINT, Jamming and Decoding are just a small part of what the group specialises in.
go2MONITOR is advanced high-performance, automatic HF, VHF and UHF monitoring software capable of recording, SDR control, wideband and narrowband classification and multichannel signal decoding.
It isn’t for the faint hearted, but once you get used to using it, it really does make gathering information on networks extremely easy. And it decodes many modes other software can’t.
In a series of blogs I’m going to show you the capabilities of this amazing software, though I must stress now, it is aimed at Professional SIGINT gathering and it comes with a Professional price tag.
Saying that, it doesn’t mean it isn’t available to the non-professional. It is open to all and to cover this it comes in various versions starting with the Standard package progressing to a full Military package – which gives you the full range of HF, VHF and UHF classification and modem recognition decoders available, including PMR and SAT (Inmarsat AERO). The Standard version isn’t to be sniffed at, it still gives you an amazing range of decoders, though you could easily argue that many of these are available in other free – or near to free – decoding software like MultiPSK or Sorcerer. A full list of decoders available can be found here. Note, this list is broken down into the various packages and not all are available with the Standard option. Confirm what belongs to what if you’re thinking of purchasing.
So what’s the difference in what go2MONITOR can do with other software available? That’s the idea of these blogs, to answer just that question. It will take quite a few blogs – mainly because there isn’t just one answer.
Here then, is a brief overview of what can be done, what SDR’s it works with – in fact, not just SDR’s but all receivers that can produce a recording – and any other things I can think of.
As, I’ve said then, it can decode pretty much any data signal out there. Obviously, some signals are encrypted so it wouldn’t fully decode unless you had the key, but you can get the encrypted messages. It can also classify voice signals, not just data. So, if you wanted to hunt out various voice networks, go2MONITOR can assist you in doing this.
Here is where it excels. Classification – and doing it very quickly.
Imagine being on your SDR (SDR1) and you can see a whole load of data signals on the waterfall/spectrum and you quickly want to know what they all are. With go2MONITOR operating another SDR (SDR2) you can dial in the centre frequency of the bandwidth shown on SDR1 into the go2MONITOR/SDR2 combo, click one button – Find Emissions – and within seconds the whole bandwidth has been analysed and every signal classified.
I’ll go back a step though here. You don’t need two SDR’s. One will do. SDR1 – as long as it is a compatible SDR – can be controlled through a GUI by go2MONITOR. The software includes a waterfall/spectrum display. Like all SDR software, these displays are fully adaptable to how you like to see the signals.
Either way, you now have a list of every emission that go2MONITOR has received within that bandwidth. This list includes Modulation type, Frequency, Bandwidth, Symbol (Baud) rate and SNR. It also shows which SDR you have used for interception (useful if you’re using go2MONITOR with more than SDR at the same time, but also with other advanced features such as network control), and it also shows if the frequency is already stored within the frequency database – yes, you can create this too; or import ready made databases in a CSV format.
Already then, you have built up a picture of what these signals are. One thing to note. If the signal type is not one of those included within the package you have, it will be classed as unknown. Example – a STANAG 4285 will show as unknown in the Standard and PMR/SAT package, but will be classified correctly in the MIL package.
OK, those of us that are looking at SDR’s all the time can pretty much tell what the signals are just by looking at them, so there’s no great advantage here is there? Except, now go2MONITOR has logged these in its database which can be searched through at a later date – handy if you’re looking for potential schedules for example.
However, the next step is where things get interesting. By putting one of these emissions into a “Channel” you can carry out an advanced classification, recognition and decode. You have multiple choices here, but I generally start off with a Classification. Whilst the software has already decided what the emission type is, by doing this it double checks just this one channel and produces a choice of decoders that it is likely to be.
By using STANAG 4285 as an example, it will put this into the list of choices, but it may put other PSK signals there too. By clicking on another button, this puts the channel into Recognition mode and it reduces the hundreds of decoders down to just those in the classification list produced. The software then calculates which is the best decoder and starts to decode the signal.
If you think about STANAG 4285 in other software, you generally have to try all the various potential Baud rates – is it Long Interleaving? is it Short? etc etc. Well go2MONITOR does this automatically. It checks the alphabet and protocol and will decode it if known. More often than not it can’t calculate the alphabet, but every now and again it does and it will produce encrypted data – don’t forget, if it’s encrypted it won’t decrypt it without the correct key.
This further Recognition and Decoding is also stored in the database for later analysis, along with a recorded wav file for playback and deeper signal analysis.
Seriously, it is harder describing it in text than it is doing it so I’ve created a video that’s at the end of this blog.
I mentioned previously that the software works with receivers that aren’t SDR’s. That’s because, as long as you can create a wav file recording – Narrowband as it’s known in go2MONITOR – it can be analysed. There are things missing, the actual frequency for instance (though this can be typed into a text box so that you can then have the right information – this i’ll show in a later blog). Time stamps aren’t naturally there but again you can add these by telling the software to use the time the recording was started.
I’ve used recordings made on my Icom IC-R8500 as an example of this but it is literally the bandwidth of the mode used by the receiver that is shown on the go2MONITOR spectrogram.
You don’t actually need to own a receiver of your own. Use an online SDR such as a KiwiSDR, record the IQ as a wav file and play it back through go2MONITOR for analysis. I’m doing just that for a Jane’s Intelligence Review magazine article.
If you use SDRConsole, then you may have also tried the File Analyser function that I blogged about in August last year. The File Analyser in SDRC is excellent, there’s no doubt about it, but it has one drawback. Once you’ve carried out your recording you have to create a run through of the recording, making an XML file that effectively joins all the wav files up. If you’ve made a wide and long IQ recording this can take quite some time. With most of my overnight recordings – normally 7 hours long, with a 768 kHz bandwidth – this takes around 45 minutes to complete.
With go2MONITOR you can also record the bandwidth IQ data. With this you can do two things. Firstly you can run it through as a normal playback, classifying and decoding as you go. Secondly though, you can open the Results window which gives you a time based view of the whole recording allowing you to immediately see any transmissions. Unlike SDRC Analyser, the signals have already been classified, and more importantly, this is done straight away without any need to create an XML file first. The Results window will be covered in greater detail in a blog of its own.
However, there are no decodings here. With just an IQ recording you need to play it back and run an emission search etc. There are some basic automation tasks available, such as setting up an emissions search every 10 seconds.
But, if you have the Automated Monitoring and Tasking package, you can also have the software automatically record, recognise and decode a single emission type – or all emissions types within the bandwidth, a set frequency, between two frequencies or any other parameters you may wish to set up.
The list of SDR’s that can be used with go2MONITOR is pretty good, though due to the target audience, many of them are high end, “government/military” receivers. But, it does work with Perseus, SDRplay RSP1 & RSP2, RFSpace NetSDR and SDR-14, and of course AirSpy R2 – and now the AirSpy HF+ and AirSpy HF+ Discovery.
Supported receiver list:
Max. Rx bandwidth
Grintek GRX Lan
IZT R3xxx series
Up to 3 channels spectrum
IZT R4000 (SignalSuite)
1 channel only
Limited USB 3.0 compatibility
narda® NRA-3000 RX
narda® NRA-6000 RX
narda® IDA 2
VITA 49 support. Only 1 MHz and no receiver control at LINUX
PLATH SIR 2110
LINUX recommended. External receiver control only
PLATH SIR 2115
External receiver control only
PLATH SIR 5110
16×768 kHz subbands External receiver control only
PLATH SIR 5115
40×768 kHz subbands External receiver control only
No gain control available
R&S EM100 / PR100
External receiver control only
Experimental support. Continuous signal up to 2.4 MHz
SDRplay RSP1 & RSP2
Up to 2 channels + spectrum
Generic VITA 49 receiver support
Max. receiver bandwidth
Can be configured in a wide range for different receiver types
Other generic “Winrad ExtIO” supported receivers
Max. receiver bandwidth
As you can see, there is a huge difference in bandwidth capabilities for each receiver. I use my WinRadio G31DDC quite often with go2MONITOR, but the AirSpy HF+ Discovery (not listed as i’ve only just got it working) isn’t much worse with it’s full 610 kHz bandwidth.
When you think that the G31 has a much better operational bandwidth than 800 kHz when you use it on its own, it’s obvious which is better value if you were buying an SDR solely for using it with go2MONITOR. It is this kind of thing that many Government agencies are looking at when it comes to funding operations aimed at large scale monitoring.
That then is a very basic overview of go2MONITOR. The quick video and images have hopefully shown you a little of what is possible.
Outside of a Professional SIGINT operation, why would an amateur radio monitor need something like go2MONITOR? And would they pay the price?
I think they would. After all, most of us have spent a fair amount on radio monitoring over the years, so why not on software that would make their monitoring not only quicker and easier, but potentially open up new areas of monitoring.
Many of us specialise in certain monitoring areas – Russian military, particular the Navy and Strategic aviation for me for example. With go2MONITOR I have already used it to hunt out potential Russian Northern Fleet frequencies by running an automated 10 second CW emission scan overnight within a bandwidth block. By doing this, and then analysing data found in the results window, I was able to target certain frequencies to see what activity there was on subsequent nights.
Whilst there are other decoders available – some of which are plugins in software such as SDR#; some of which are free – it is the quickness and ease with which it can be done that makes go2MONITOR attractive. The big question is, would you pay for this?
Sunday the 6th of October 2019 sees the start of Exercise Joint Warrior 192.
Taking part primarily to the North West of Britain, mainly off the coast of Scotland, the exercise brings together a number of navies and ground forces for two weeks of training.
Despite media headlines such as “Joint Warrior 19(2) features 17 countries, 75 aircraft, 50 naval vessels and 12,000 troops” this isn’t the JW of old. It is one of the smallest, if not the smallest, in participant numbers since the exercises started and the headlines are completely incorrect – in fact most of the headlines use stock Royal Navy media notices that cover all JW exercises.
In reality, JW 192 has 16 ships, will not really go over 30 aircraft at any one time and feature nowhere near 12,000 troops. Rumours have it that the exercise would have been cancelled had not the French elements insisted on it taking place. Unfortunately, media outlets have misinterpreted some of the RN notices as ships from other countries – such as Japan – participating, when in fact the countries have sent a number of officers to observe or be trained in the handling of exercises.
This JW has coincided with other NATO exercises – Dynamic Mariner/Flotex-19 for example -which are taking place in far sunnier climes, so the draw of the rough seas and bad weather of Western Scotland was not so great on this occasion. And with NATO forces spread out on real world tasks, the number of ships, aircraft and personnel required to cover all of these exercises is low.
The weather has already taken its toll with some of the first few days activities cancelled due to high sea states. Whilst you could argue that surely they should be able to “fight” no matter what the weather, in reality in the real world, operations do get delayed because of this. For exercises though, safety must come first. However, MPA activity is taking place with at least three flights up at the time of writing on Monday 7th October.
One saving grace for the number of ships and personnel that are taking part is the fact that Exercise Griffin Strike is shoehorned into JW192. Griffin Strike is a training exercise for the Combined Joint Expeditionary Force (CJEF) involving the UK and France and which is due to become fully implemented in 2020. Griffin Strike will contain the Amphibious part of JW192.
There are no visiting fighter aircraft from other countries, but there are the usual Maritime Patrol Aircraft (MPA) consisting of 2 x US Navy P-8’s, 2 x Canadian CP-140’s and 2 x French Navy Atlantique ATL2’s. These are operating out of Prestwick again, likely doing the usual 4 hours “on-station” missions. This means that there will likely only ever be two or three airborne at any one time with a 1 hour or so transit each end of the flight. Callsigns so far have been OCTOPUS** and SUNFISH**(FNY), DINKUM** (RCAF), GROMMET** and DRAGON** (USN).
Also out of Prestwick will be mixed Royal Navy and Royal Air Force Hawks, along with Cobham Aviation Dassault Falcon 20’s acting as enemy aircraft. For information on how the Falcon 20’s operate read my previous blog on monitoring Joint Warrior.
There will be other aircraft movements of course, with RAF Typhoons playing their part. Also expected are E3’s of both the RAF and NATO fleets, RAF Sentinel and Rivet Joint aircraft providing ISTAR support and Air to Air refuelling from RAF Voyagers and C130’s. I would also expect F-35’s from 617 Sqn at Marham to be involved in some form, though I can’t confirm this for sure. These will all be operating from their home bases.
The aviation side of the exercise is capped off with plenty of helicopters operating from both land and sea, with Chinooks operating from Lossiemouth and most ships providing one or two various types. I was able to watch one Chinook, ONSLAUGHT01, practising a deck landing on RFA Lyme Bay (using callsign 4QW) to the front of my house in the Firth of Clyde. Lyme Bay later tweeted the event.
The most disappointing aspect of the exercise is the maritime part. The ships are sparse in numbers in comparison to previous exercises, with a light participation by the Royal Navy. The RN is providing Amphibious Assault Ship HMS Albion, possibly using her Landing Craft Utility (LCU) Mk.10 class vessels operated by the Royal Marines. Albion is the current RN flagship. Also taking part is Duke (Type 23) class FFGHM HMS Sutherland and a small number of Minesweepers and Minehunters.
**Edit: RFA Lyme Bay is now also confirmed as part of the exercise. RFA Argus and RFA Tidesurge are also now confirmed.
France has also sent a Amphibious Assault Ship in the form of FS Tonnerre, a Mistral class LHDM. Tonnerre can embark 450 fully kitted troops and 60 armoured vehicles or 13 main battle tanks, along with Landing craft and up to 16 helicopters. No helicopters were observed on deck as she arrived at the Greenock area on Friday 4th October 2019 – it is not known whether they, if any, were on the hanger deck. The same goes for APC’s/MBT’s on the lower decks.
Modified Georges Leygues class FFGHM FS La-Motte-Picquet arrived into Glasgow on the afternoon of 2nd October along with Éridan (Tripartite) class minehunter FS Cephee going into Faslane earlier in the morning.
The German Navy has sent a single ship – the Berlin (Type 702) class replenishment ship FGS Berlin – whilst the US Navy, who normally send a number of frigates and cruisers, have only sent Military Sealift Command Lewis and Clark class dry cargo/ammunition ship USNS William McLean.
Finally, Danish Navy Iver Huitfeldt class FFGHM HDMS Iver Huitfeldt is also participating, but due to other tasks is heading straight to the exercise area rather than going to Faslane for the pre-exercise briefings.
For submarine participants, Norwegian Type 210 (Ula) class SSK Utsira is one of the MPA targets. She arrived earlier in the week and departed on Sunday 6th October as the exercise began.
Also, an Astute class SSN of the Royal Navy departed Faslane on friday 4th. Though not confirmed, again it is highly likely to be taking part in some form or other.
As well as areas in and around Scotland, it is highly likely there will be the usual missions around the Spadeadam Electronic Warfare Tactics range and possibly areas out over the North Sea. GPS jamming also normally takes place as part of the exercise, normally out in danger areas situated to the NW, over the sea.
There should be Maritime Gunnery firing off the west coast of Scotland. Timings and areas are normally reported via the Royal Navy’s Gunfacts service either by a recorded telephone message and on NAVTEX at 0620 and 1820 UTC. Coastguards also broadcast the details at 0710, 0810, 1910 and 2010 UTC. If you happen to be in the area where gunnery is taking place then the duty broadcast ship sends out details at 0800 and 1400 local, or 1 hour before firing, by making a call on Maritime channel 16 and then the appropriate broadcast frequency for the area.
The navy also provides SUBFACTS warnings on submarine operations on the same telephone hotline and NAVTEX.
NOTAMs will also be available that provide warnings on most of the activities taking place. A good place to look for these is on the NATS AIS NOTAM page.
The amount of frequencies used for the exercise is huge, and near impossible to list. However, there is a list of VHF/UHF and HF frequencies on my Monitoring Joint Warrior Exercises blog from 2014. Despite being 5 years old, the HF freqs tend to be the same especially those used by the MPA’s when communicating with Northwood (Callsign MKL).
Noticeable so far has been the fact that the P8’s and CP140’s have both been out on their frequencies by 1.5 to 2.0 kHz when calling MKL on 6697 kHz (primary freq) and 4620 kHz.
The VHF/UHF frequencies won’t have changed that much either, but as most of the exercise is at sea, and generally out of range of most of us, it is hard to gather them all. Certainly the standard Swanwick Mil, A2A and TAD’s will be used, so if you have these you’re bound to get something.
Murmansk-BN has been operationally active from at least 2014 when the 475th Independent EW Centre of the Russian navy set up a complex in the Crimea south of Sevastopol. The system has a primary role of eliminating, or trying to eliminate, High Frequency (HF) broadcasts from NATO forces – in particular the HF Global Communications System of the United States (HFGCS).
HFGCS operates on well known HF frequencies with regular broadcasts of Emergency Action Messages (EAM’s) and other operational messages, phone patches etc. as required. To this date though, I am unaware of any reports that HFGCS has been interfered with by jamming. This in itself isn’t surprising. HF is a difficult thing to jam due to the very nature of using the ionosphere to carry the broadcasts. Throw in multiple frequencies in use at the same time, the same message being broadcast on numerous occasions, propagation and all other things related to HF reception means the message is likely to get through regardless of the attempts made to jam.
The Murmansk-BN complex is a fully mobile system and comprises of groups of up to four extendable antenna masts – two of which each on a dedicated Kamaz or Ural truck, which then tows a further antenna on a trailer. The masts extend to 32 metres in height. Each full Murmansk-BN complex normally has four of these antenna groups, making 16 antennas in total.
Further to that there are numerous support vehicles including a Kamaz 6350 Command vehicle and a Kamaz 6350 generator vehicle per four antenna group. Other vehicles include fuel bowsers and troop transport. Not always four antennas are used per group.
Murmansk-BN is in operation with units of both the Russian army and the navy – for the army with the 15th EW brigade in Tambov, 16th EW Brigade in Kursk, 18th EW Brigade in Yekaterinburg and 19th EW Brigade in Rassvet – for the navy with 186th Independent EW Centre of the Northern Fleet in Severomorsk, the 471st and 474th Independent EW Centres of the Pacific Fleet in Petropavlovsk-Kamchatsky and Shtykovo respectively, the previously mentioned 475th Independent EW Centre of the Black Sea Fleet in Sevastopol and the 841st Independent EW Centre of the Baltic Fleet in Yantarnyy.
It is highly likely that the 17th EW Brigade at Khabarovsk also has Murmansk-BN in operation but a this time I haven’t been able to locate any of the systems.
One aspect about the system is its use of analogue receivers rather than Software Defined Radio (SDR) technology – Icom IC-R8500 receivers have been noted in all the video footage available so far. This isn’t unusual for Russian EW systems – the AOR 5000 receiver is used in R330ZH Zhitel which is a mobile system primarily used in the jamming of satellite and cellular phone communication systems operated in the 100 to 2,000 MHz range. The AOR 5000 has multiple versions available, one of which has the cellular bands (824 to 849 MHz and 869 to 894 MHz) unblocked. Zhitel was used in the Crimean conflict with the high likelihood that the AOR 5000 was used to jam or intercept mobile phone communications. Recent reports have shown that Zhitel is still in use in the occupied Luhansk region.
I use an R8500 myself and it is an excellent receiver. I normally use it in conjunction with my SDR’s that provide me with a wider view of the HF bands so that I can search out signals. From the videos available online, the Russian military don’t do this but instead slow scan manually through the bands or scroll through frequencies saved to the receivers memory bank.
The receiver is linked to a PC using software that shows a visual spectrum taken from the audio output from the R8500, but this is limited to the mode in use. Video footage shows the likely use of AM mode to give as wide a visual spectrum as possible but this would be limited to the R8500’s 12 kHz maximum bandwidth. More on the software later.
The slow scan/memory scan method is not the best and would likely mean that any interception would be caught mid-way through a message. It is also time consuming. I am highly surprised there isn’t some sort of auto-scan software included. For instance I personally use df8ry’s CSVUserListBrowserto control not only my R8500 but most of my SDR’s. This can scan through stored frequencies on the Icom at a slow 1 second pace, but its better than sitting there turning a knob continuously for hours.
As the Icom is a receiver only, it needs to be linked to a transceiver using its CI-V remote jack point that then sends out the jamming signal – whether this then means another Icom transceiver is located within the command vehicle is unknown as, whilst confirmed from commentary and interviews with Russian personnel in the videos I found, there is no visual confirmation of what is used as the transmitter.
Each antenna group can operate individually or as multiples. Reports also state that the complexes can be integrated into the Russian EW command and control system.
The software in use cannot be identified. It appears to operate like an automatic signals classifier, such asgo2MONITOR by Procitec, but it is hard to assess whether it has this capability. It would be unusual not to have a classification capability, even if it meant manual selection of a signal.
There are a number of different screens, some tabulated, that control different functions, or provide different data.
One screen shows spectrum information split into four panels. The top panel shows the selected frequency, and what looks like audio taken from the Icom in AM-Wide mode – this differs from cuts to the Icom itself which shows it is in AM mode. If in AM-Wide it would mean the maximum audio spectrum available would be 12 kHz as this is all that the Icom can manage in this mode below 30 MHz, whilst AM would only produce a 5.5 kHz wide spectrum. However, using either of these modes would make it possible to visually obtain a signal from this.
What is interesting here though is that in the video, the top panel appears to show a bandwidth spread of 30 kHz with an area of 6 kHz in a lighter colour, possibly depicting the true area that a signal can be classified or monitored. 30 kHz is not a selectable bandwidth for the R8500 in any mode, with the maximum possible being 15 kHz above 30 MHz in WFM mode. Also of note is the noise floor indication which appears to be between -40dB and -50dB.
It could well be that this panel does not actually show a signal from the Icom, but could be the panel that shows the transmitter that produces the jamming signal.
The next two panels appear to show the signal with sensitivity information from the incoming audio. The final panel is unknown as it is not shown in any video close-up.
Another screen shows interface information to the bottom left. This has a number of tabs that control some the external elements that assist in the suppression of a signal. Connection status is shown by a green or red button.
Firstly, one tab shows the connection to a Protek KS-100M navigation device which is a GPS unit. This is connected to an antenna mounted to the top of the command vehicle and provides an accurate position for probable signal reception direction finding/triangulation purposes when connected to the other command vehicles KS-100M’s.
To the left of the KS-100 tab are two unknown connections marked as ГТ-11and ГТ-11.1 (GT-11 and GT-11.1). ГТ in the Russian military is normally an abbreviation for rehepatop which translate to generator. In another part of one of the videos it shows the ГТ-11.1 title again, this time with four green boxes, each with what appears to be a tick box. Two of these appear to be connected as there is a joining line between them.
The final tab is unknown but marked as ГТ-205-ОПМ (GT-205-OPM) which if using the standard abbreviation format would also be related to a generator. However, the generator shown in the video appears to be named as an AD-100-T400-1R. Alternatively, you could break down the OPM part into two which would give supply (OP)/ engine (M).
What doesn’t quite tie up is that each four antenna group only has one generator, so does this section actually have something to do with the four antennas themselves and whether they have power going to them?
Above the four tabs is a box that is titled Information about current IRI. Below this is information on the signal being suppressed: Frequency – 9 961 02 kHz Type of target – unclassified Bandwidth – 3.36 kHz Duration – 16 msec Strength – 16 dB Bearing – 179 7 (1) – 0
This box is likely associated with the KS-100M tab.
The large window to the right shows what I thought at first was historic signal information in the selected bandwidth. However, looking closer I wonder if this is the case as the “signals” are too regular – they are evenly spaced. In other shots there are up to 20 signals shown. My thoughts are that these are connected to the KS-100M and are signal strengths of GLONASS GPS satellites. But again, without clearer screenshots or a confirmed ID on the software in use, this can only be guessed at.
There are numerous other tabs and screens available, but these are unreadable in the videos found.
The various units I have listed above. The sites used so far, despite Murmansk-BN being fully mobile, have been very close to the units home base. Despite the area required for a full complex deployment being large, they can be difficult to spot, but once you know the locations used – or the area – then it makes checking on them relatively easy.
The 15th EW Brigade at Tambov has not been observed on Google Earth (GE) as deployed as yet but the vehicles can be seen at their HQ at 52.666385N 41.537552E
The 15th EW HQ is situated in a large area of military ranges with plenty of surrounding free land available. It is presumed that this area will be used when setting up the complex. There is also an area to the NW that previously contained numerous antennas, but is now disused.
The 16th EW Brigade at Kursk uses a military training group for its deployment site. Only two antenna groups have been observed since first deployment in April 2015.
The 18th EW Brigade at Yekaterinburg is a very active unit with just two Murmansk-BN antenna groups in use at any one time according to GE imagery. Moreover, it seems to be a unit that likes to train in setting up the complex as it is quite often observed in different states. The Murmansk-Bn is spread over two sites – a permanent one (site one below) and a secondary site located in a field about 1.6km away (site two). In some imagery of site two only one antenna is up in two “groups” and quite often the site is empty.
The continuous erecting and disassembling of the complex’s could hint at the unit being involved in training. As shown in the image below it also tends to use truck mounted antennas at site two. There are no trailer mounted antennas visible, whilst they are in use at site one. However, the fact that there are six truck mounted here points to the 18th EW having a full compliment of Murmansk-BN equipment, despite only using two groups at the same time.
The 18th EW was also used in one of the videos. Comparing the video to GE imagery I was able to identify various features that confirmed that site two was used for the filming.
The 19th EW Brigade at Rassvet, near Rostov-on-Don, has had Murmansk-BN since at least 19/6/2016 when equipment first appeared in GE imagery at the HQ. Since then it would appear that it has not been deployed as the vehicles have stayed in a parked up state in all imagery from that date. The number of vehicles indicates only two groups have been allocated to the Brigade so far.
On the Russian navy side of things, the 186th Independent EW centre is based near Taybola at 68.515306N 33.290056E on the old airfield for the town. Taybola used to be a Soviet R-14 (SS-5 ‘Skean’) intermediate-range ballistic missile (IRBM) base with at least two silo complexes, a rail head, and the airfield.
The latest imagery on GE has just two Murmansk-BN groups set up at the northern end of the runway and old dispersal, but older imagery has a further group half way down the runway to the south.
The 471st Independent EW centre at Petropavlovsk-Kamchatsky, has a full complement of four Murmansk-BN antenna groups though it has had differing numbers in use since the system first arrived from at least 15/8/15. The latest imagery on GE below, dated from 3/11/18, shows just about a full complex in use. The NW group has one antenna missing.
The 474th Independent EW Centre at Shtykovo, is also sited at a disused airfield. It has had three antenna groups in place at least once, but the latest GE imagery has just two in use.
The actual location of the 474th HQ is unknown and there no immediately close active military bases. There are numerous bases at a distance away, with a potential SIGINT site 12km to the SW. Analysis of these don’t provide any other Murmansk-BN vehicles.
The 475th Independent EW Centre is probably the most well known of the Murmansk-BN deployments. It is located to the south of Sevastopol in the Crimea at a coastal base and has been widely exposed on social media and articles since it became active. First shown in GE imagery dated 15/11/14 with one group, it has expanded to a full four group complex.
It was news about the deployment of Murmansk-BN to the 841st Independent EW Centre at Yantarnyy in the Kaliningrad Oblast that drew my attention to the system. It is known that the 841st has a full compliment of four antenna groups but it is unusual to see all deployed. The image below, dated 11/9/17 is one of those times that it is fully active.
The news I mention was reference the “new” deployment of Murmansk-BN to the Kaliningrad region, yet what is strange is that from GE analysis it is obvious the system has been in use there since at least 11/4/16 – so why this sudden hype? My only thought is that there was a major NATO exercise on in the region at the time which included USAF B-52’s carrying out Global Power missions from the US to Europe.
Was this news a counter to the US stating that Russian forces could interfere with their operations?
From all accounts, and from reported loggings of HFGCS messages since the Murmansk-BN system has been available for use, there has been zero suppression of any HFGCS frequencies that I’m aware of.
This then, with the fact that most units have not fully deployed their systems, makes me wonder whether Murmansk-BN is not quite so good as expected and claimed.
Here are the videos used for analysis:
This is the longer of the two videos and actually contains the second one.
The “Bear Net” of Russian Long Range Aviation has been relatively busy during the last few months, no doubt some of this due to the exercises playing out in Northern Europe by Western countries and NATO. They also tend to increase activity around the same time as USSTRATCOM have their Global Thunder exercises, one of which kicked off on the 29th October and lasted for just over one week.
Three Russian missions took place within the last two weeks, all of which travelled through the same airspace as the area covered by Exercise Trident Juncture 2019 (TRJE18) off the North coast of Norway. One flight was of a single Tu-142M, RF-34063//Red 56, that made a low pass near participating ships. I was unable to follow this flight so not received by me, the likely callsign on the CW frequencies for this was LNA1. This was intercepted being called by IWV4 on 8112 kHz at approximately the same time as the pass was being made. Images of the pass were caught by AFP correspondent P. Deshayes who was on one of the ships.
One of the other missions was of more interest than normal. The “Bear Net” is always an interesting thing to follow on HF, but when extras are produced it makes them even more fascinating. In this case it wasn’t so much what the Russian did, but what happened late on in the mission that wasn’t them.
Stepping back, we’ll go to the beginning of the day – 31st October 2018. The net was still on the autumn frequencies with ground station CW first being picked by myself sending “W” markers at 0920z on 8162 kHz. I quite often put one of the receivers on the current season ground station frequency to get any alert of possible flights heading out thanks to the markers sent every 20 minutes at H+00, H+20 and H+40. With this 0920z interception I started recording the frequency and I switched all radios to the other known frequencies – 9027 kHz for Air CW and 8033 kHz for Simplex USB voice comms – and got set up to start recording these should anything happen.
The 0940z W marker came, but interestingly when I went through the recordings later on I was able to hear a very faint G marker in the background. This had at least two operators carrying out the task as there were two distinct methods of sending. One would use the standard G every two seconds, whilst the other sent as double G’s and slightly quicker. The marker also started approximately 10 seconds earlier than the W and – guessing as it was stepped on by the W – looks to have lasted the two minutes too. You could hear it in the background between the odd W space.
At 0949z 8033 kHz became active and I started up recording on multiple SDR’s whilst using my Icom IC-R8500 as the live radio. By this time, I had also observed callsigns associated with QRA flights on my SBS so was pretty certain something was heading towards the UK.
With a few more USB calls following, but no CW traffic except for the markers I was certain the aircraft involved were Tu-160’s as they don’t use CW.
My Russian is still pretty basic (if that) so I totally rely on recordings to go through it all in slow time. I had been able to work out live that there was at least the usual STUPEN callsign along with TABLITSA; but I was also hearing another one that when going through the recordings I worked out to be KONUS – this one I hadn’t heard of before.
Going through the recordings, this mission certainly helped my knowledge of Russian numbers, or rather the methodology of how the messages are sent, as there were plenty of messages involved. The two aircraft callsigns were 16115 and 16116. These callsigns carry on in sequence to those that were used on a mission a few days earlier on the 28th with 16111, 16112 and 16114 being used by Tu-160’s and 50606 by an accompanying A-50.
In general 16115 was much harder to understand than 16116. 16116 said it all much slower and louder. STUPEN was very clear at the beginning, but faded towards the end, whilst TABLITSA may of well have been in my room, she was that loud.
Here then is the first part of my USB log:
8033 – Bear Net
0941z 16116 calls STUPEN
274 443 624
0949z 16116 calls STUPEN
458 842 156 816 443 896
0959z 16116 calls STUPEN [replies, 16116 faint]
KONUS calls 16116 and tells him to pass the message to him
1000z  303 847 023 534 734 619 822 332
[with wrong read back of group three, corrected by 16116]
Then comes the interesting part of this…… the arrival on frequency of the “Pirate”.
At 1427z an open mike became present on the frequency, in AM mode. This was fairly brief, and at 1429z the Pirate started.
Mike Delta Kilo Romeo, Mike Delta Kilo Romeo
Mike Delta Kilo Romeo, Mike Delta Kilo Romeo Standby
Mike Kilo Delta Romeo, Mike Kilo Delta Romeo, Mike Kilo Delta Romeo Standby
Note his own error or change with the callsign
Image of carrier wave and transmissions of MDKR//MKDR. The Pirate is using AM mode, but as the recording was in USB only that half was captured.
This was followed at 1431z Mike Kilo Delta Romeo
The audio for the above is here:
At 1439z he was back but very faint, almost like it was a recording or live transmission of a Numbers Station. Shortly after this 16116 tries to call STUPEN and KONUS, getting stepped on by the Pirate who sends yet another attempt at an EAM/Numbers Station.
C78AAA5ACBCEA77D76FF33EAFAE63CF5A7AAAAFAF555A85CDBEEBBA5D6DFCCA – or something like that! It was hard to work out some of the digits due to the lack of phonetics. Each time I listen to it I get a different result!
Fake EAM/Number station message
The audio is below.
At 1446z, 16116 calls STUPEN, KONUS and TABLITSA but gets no response back.
The Pirate then attempts to jam the frequency again. First of all with an extract from a selcall system used by the Russian Ministry of Foreign Affairs given the name “Mazielka”, designated X06 in the Enigma Control list. See the end of the blog for analysis on this.
This was followed by a continuous tone at 1090 Hz for approximately 35 seconds. These are the last transmissions by the Pirate.
Again at 1459z, 16116 tries the ground stations until TABLITSA finally acknowledges his presence and a message is sent. 16116 is barely readable with me by this time, though TABLITSA was ridiculously loud.
This was the end of all contacts on USB, with the last W marker coming it at 1520z (though these then did start up again at 1640z, though much weaker).
From various OSINT feeds, the approximate route of the Tu-160’s took them out over the Barents Sea having departed Olen’ya air base in the Murmansk Oblast and heading north before turning west once out over the sea. At some stage they were intercepted by Norwegian Air Force F-16’s and were escorted to abeam Bergen/NE of the Faroe Islands before turning for home. The Russian Air Force have stated that the flight lasted for ten hours which ties in with the seven hours or so of HF traffic, with the remaining 3 hours probably within range of Russian VHF communications.
Olen’ya is a common forward operating base for LRA missions, being one of the remaining Arctic Control Group (OGA) airfields available. The base itself hosts Tu-22M-3R Backfire-C of the Russian navy. These are Tu-22M3’s that have been converted for a navy reconnaissance role though it is unknown just how many are airworthy. The base has over 30 Tu-22’s in permanent storage.
Twitter feed for записки охотника (Hunter Notes) has a rough plan of the route flown, along with his intercept of the messages sent – he has few of the earlier ones, and there’s a couple of differences between his and mine.
So, who is this Pirate? It isn’t the first time he’s been around. He was also heard in September.
On this occasion he was a little bit more direct.
Russians we are watching you
Russians we know where you are
Russians, turn around and abort your mission
We will blow you out of the sky The Russians. We have you under observations [sic], stand down
Despite having what is clearly a South East England accent, he signed off using something along the lines of: This is the United States BC36
No doubt he is trying to gain some sort of attention, and in a way he is succeeding – me writing this blog is proof of that. But what else is he trying to achieve? Is he hoping the Russians respond? I doubt they will. Apart from anything, I expect the radio operators, having had to listen to all the noise on HF for every flight, have learnt to ignore any calls which aren’t specific to their mission.
My initial thoughts were that he isn’t a radio amateur and hasn’t worked in any other field that involves speaking on the radio. His use of poor phonetics made me wonder this. However, with access to a transceiver and associated antenna this may not be the case – and amateur radio operators tend to make up their own phonetics rather than standard ones, and he may just not know them.
That said, he must have some interest in military aviation and possibly a member of a military aviation forum. These tend to have thousands of members that have not been vetted in any way or form and quite often have threads that give notice of flights are on their way, be it with an alert of a QRA launch or actual comms received on Bear net frequencies.
Twitter, of course, is another example of information being out there for anyone to then take action on.
One thing is for sure, if caught he will find himself in trouble with UK authorities with the possibility of a two year prison sentence and a heavy fine. He will most definitely lose his radio licence should he actually have one, and have all equipment confiscated.
Lets see if he turns up again in another LRA mission.
Analysis of the Mazielka (X06) transmission
It was obvious straight away that this was a recording of X06 – in this case the sub-variant X06b.
However there was something odd about it.
X06 is a selcall system used by the the Russian Ministry of Foreign Affairs to alert outstations of an upcoming message, normally on another frequency.
The system sends out 6 tones, each lasting 333 milliseconds, making each call 2 seconds long. Each tone represents numbers 1 to 6 making a total of 720 different selcall combinations available for use.
The tones are sent on slightly different frequencies:
1 – 840 Hz
2 – 870 Hz
3 – 900 Hz
4 – 930 Hz
5 – 970 Hz
6 – 1015 Hz
The image below is taken from a X06 call I intercepted in November 2017 and decoded using go2Monitor. This shows a selcall of 116611. In this case the tones, which are still 333 ms long, sound longer but this is because the digits join on the same tone.
Whilst you can use a decoder, for X06 it is easy enough to decode using other means, such as Adobe Audition or Signals Analyzer. With these you can measure the tone frequencies and lengths.
In Adobe Audition the Pirate transmission is shown below
What is unusual is that the tones are off by 60 Hz. Whilst 1 should be at 840 Hz, here it is at approximately 900 Hz, and 6 is at 1075 Hz rather than 1015 Hz. Whether this is because the Pirate was transmitting in AM rather than USB I’m not sure. Maybe it is something to do with his original recordings. My recording is below
It is likely the long tone sent after the selcall here is the usual long tone that is sent before the standard ones. This is sent at 1090 Hz.
Looking at it using Signals Analyzer (SA) you can see that it is definitely X06. With SA you can measure more accurately the frequency and length of each tone.
Here you can see the two tones (actually 6). The total time for the selcall is 2.040 seconds with 1 marked at 896 Hz and 6 at 1074 Hz
Measuring the length of an individual tone (though actually 3 joined together) gives a length just over 1 second or 3 tones at 333 ms each
Finally, measuring the space between each call gives us 1.312 seconds which is the correct spacing for X06
The sub-variant of X06b is designated due to its format of six tones sounding like two. It is thought this is a test transmission.
Finally, just to confirm my theory, I ran a looped sound file through go2Monitor with the result confirming the selcall as 111666
The shack, finally operational after a few months off.
With the rebuild of my shack complete I’ve been able to start testing out all my radios, new connections etc.
The Mini-Circuits components all come well packaged in anti-static bags
A whole bundle of new cables from Mini-Circuits arrived last of all and have helped tidy up the back of the radio 19″ rack considerably. I’ve previously installed quite a few Mini-Circuits components, including 0.141″ diameter Hand-Flex interconnect cables, and so it was more of these that I opted for. The bonus with these cables is that they are hand formable meaning you can shape and bend them into pretty much any area that you want to. The 141 series (which I use) are capable of a 8mm bend radius, whilst the thinner 086 series can be bent to 6mm.
Being able to manipulate the cables certainly helps in tight spaces, and when you don’t want them to hang down
Previously I used hand-made cables with RG58U coax, but in order to have a 19″ rack that can slide out from under the desk, the cables needed to be longer than actually required. Because of this the cables would drop down into all the others attached to the PC and in some cases cause a little interference. With the Hand-Flex cables I’ve been able to use the same length of coax to allow me to move out the rack, but be able to bend them up and out of the way of the PC cables.
They’re also very good for the radios on the rack, being able to bend them and hold in place around the radios and other cables. They are near lossless too with a quoted insertion loss of 0.01 dB in the HF band to 0.55 dB at 18GHz. I normally run tests of the Mini-Circuit components when I receive them and find that the figures quoted are near spot on. I highly recommend these cables if you’re looking to upgrade your systems, and are available from the Mini-Circuits website, along with lots of other goodies that will tempt you.
Measurement of insertion loss of the Mini-Circuits ZF3RSC-542B-S+ Power Splitter/Combiner I also purchased as part of my plans for satellite communication monitoring. This is connected to the AirSpy SDR and takes feeds from two SatCom connections (currently deactivated) and a WinRadio AX-71C Discone Antenna. Mini-Circuits quote an insertion loss of around 19.5dB at 130 MHz which is confirmed here with a signal generated at -20dB being less than 1dB out at -40.48dB when passed through the combiner.
This image shows how the cables can be held in place without cable ties
The radio setup now includes two new SDR’s – an AirSpy HF+ and a standard AirSpy with the HF+ replacing the Enablia TitanPro. I’ve also reinstated my WinRadio G31DDC which had been in storage for a year or so. I really do like the TitanPro, and have put it into storage for the time being. The recording capabilities in particular are great with it being able to select 40 frequencies at once spread over numerous bandwidths, but I have had issues with the power supply – one being it caused interference. I attempted to make one of my own but it has a 6v(+/-1v)/2.5 Amp current requirement and no matter how many different methods of building my own supply using a 12v feed downgrading to 5, 6 or 7 volts, it just wouldn’t work in a stable manner. In the end it was easier to remove it and slot the G31DDC back in its place.
As it is, I’d forgotten how good the G31DDC is and I don’t really feel like I’m missing much thanks to the ability to use the other SDR’s with SDR Console V3 and it’s SDR Analyser.
The three 19″ racking units from Penn Elcom, along with all the shelves, have been very useful and certainly makes things easier when it comes to changing radios and connections over. I can just disconnect a few things and slide the whole unit out. I also obtained a 19″ Project box from them which I used as my main 12v switch unit. This is connected to two regulated desktop power supplies that act as master switches.
Although the SDR Console website page for the Analyser states it isn’t available yet, this is incorrect and it is downloaded with the latest version of the main programme.
If you’re a current user of V2 or have been in the past then you won’t notice much difference. You can have up to 24 parallel demodulators operating within the SDR’s bandwidth that you have chosen, all of which can run independent of each other in receive and record. You can also run each demodulator through a decoder such as MultiPSK independently and decode these in parallel with each other. This capability has taken that step towards those of the TitanPro, especially when being used with the Elad FDM-S2 that can provide a Maximum DDC bandwidth of 6144kHz’s.
Unfortunately, whilst you can schedule recordings of IQ data, you still can’t do this for individual channel recordings. This is a real shame as it would be a fantastic addition to the capabilities of SDR Console.
Getting back to the analyser though this does, in theory, cancel out the lack of channel recording scheduling.
When you record IQ data it is saved as WAV files, split into multiple ones depending on how long a recording you make . All of these files can be individually played back through the incorporated SDR Console player but even better is the use of the File Analyser.
With this you get a visual “image” of the complete recording, whereby after opening the analyser you get it to combine all the files into one XML file. For the image below I used the FDM-S2 with a selected bandwith of 768kHz centred on 4425kHz, hoping to catch calls to Russian Naval base Severomorsk in CW(RJD99) from ships operating in the region. I set the scheduler up to record from 0000z to 0700z which worked perfectly, giving me 78 files totalling 78GB – obviously, the bigger the bandwidth, the larger the total file size.
After clicking on New in the analyser and browsing to the relevant folder the WAV files are saved in, the analyser finds the first one and gives this as an option to open – it automatically adds the remaining WAV files and starts the process. This can take quite some time to extract, around 45 minutes for the example shown. But you only need to do this once because once it has finished you can save it as an XML file and open it at any time – in this case it was a 28MB XML file.
A note here – do not then delete the WAV files as the analyser still needs them.
As you can see, I was successful in locating calls to RJD99, and I have highlighted some of the others that I took a look at – this is just a screenshot of two hours out of the seven recorded.
All you then need to do is find any signal of interest, and after clicking on select and start in the top ribbon, click on the signal. This will then start playing the file from that location in the main SDR Console window. You don’t need to stay on that frequency, you can use the Console as if you were listening live and move around the frequency range you dictated in the bandwidth of the recording.
And, as it is basically a live screen you can do additional things such as record and use decoding software.
RJI92 calling RJD99 on 4416 kHz during playback of the Analyser
When using the Analyser I run this through a separate PC meaning SDR Console itself can carry on working on the main radio control PC. This is also handy if you’re away but have time to go through the IQ data using a laptop. Just copy over the original WAV files to a portable hard drive/memory stick and carry on as described above.
There are numerous other functions available for you to use with the main part of SDR Console, some I still haven’t had the chance to play with completely. I’m still exploring things such as the Signal History function which can store up to 48 hours of data. Here you can export data in CSV format to third-party programs such as QtiPlot. Signal history can also be used within the Analyser
This is useful as it can give you a quick overview into single frequency use, signal strengths, fading and such like. Definitely something I need to spend more time on.
It’s been a long time coming, but Version 3 of SDR Console has been well worth the wait.