The Bear Net “Pirate”

The “Bear Net” of Russian Long Range Aviation has been relatively busy during the last few months, no doubt some of this due to the exercises playing out in Northern Europe by Western countries and NATO. They also tend to increase activity around the same time as USSTRATCOM have their Global Thunder exercises, one of which kicked off on the 29th October and lasted for just over one week.

Three Russian missions took place within the last two weeks, all of which travelled through the same airspace as the area covered by Exercise Trident Juncture 2019 (TRJE18) off the North coast of Norway. One flight was of a single Tu-142M, RF-34063//Red 56, that made a low pass near participating ships. I was unable to follow this flight so not received by me, the likely callsign on the CW frequencies for this was LNA1. This was intercepted being called by IWV4 on 8112 kHz at approximately the same time as the pass was being made. Images of the pass were caught by AFP correspondent P. Deshayes who was on one of the ships.

One of the other missions was of more interest than normal. The “Bear Net” is always an interesting thing to follow on HF, but when extras are produced it makes them even more fascinating. In this case it wasn’t so much what the Russian did, but what happened late on in the mission that wasn’t them.

Stepping back, we’ll go to the beginning of the day – 31st October 2018. The net was still on the autumn frequencies with ground station CW first being picked by myself sending “W” markers at 0920z on 8162 kHz. I quite often put one of the receivers on the current season ground station frequency to get any alert of possible flights heading out thanks to the markers sent every 20 minutes at H+00, H+20 and H+40. With this 0920z interception I started recording the frequency and I switched all radios to the other known frequencies – 9027 kHz for Air CW and 8033 kHz for Simplex USB voice comms – and got set up to start recording these should anything happen.

The 0940z W marker came, but interestingly when I went through the recordings later on I was able to hear a very faint G marker in the background. This had at least two operators carrying out the task as there were two distinct methods of sending. One would use the standard G every two seconds, whilst the other sent as double G’s and slightly quicker. The marker also started approximately 10 seconds earlier than the W and – guessing as it was stepped on by the W – looks to have lasted the two minutes too. You could hear it in the background between the odd W space.

At 0949z 8033 kHz became active and I started up recording on multiple SDR’s whilst using my Icom IC-R8500 as the live radio. By this time, I had also observed callsigns associated with QRA flights on my SBS so was pretty certain something was heading towards the UK.

With a few more USB calls following, but no CW traffic except for the markers I was certain the aircraft involved were Tu-160’s as they don’t use CW.

My Russian is still pretty basic (if that) so I totally rely on recordings to go through it all in slow time. I had been able to work out live that there was at least the usual STUPEN callsign along with TABLITSA; but I was also hearing another one that when going through the recordings I worked out to be KONUS – this one I hadn’t heard of before.

Going through the recordings, this mission certainly helped my knowledge of Russian numbers, or rather the methodology of how the messages are sent, as there were plenty of messages involved. The two aircraft callsigns were 16115 and 16116. These callsigns carry on in sequence to those that were used on a mission a few days earlier on the 28th with 16111, 16112 and 16114 being used by Tu-160’s and 50606 by an accompanying A-50.

In general 16115 was much harder to understand than 16116. 16116 said it all much slower and louder. STUPEN was very clear at the beginning, but faded towards the end, whilst TABLITSA may of well have been in my room, she was that loud.

Here then is the first part of my USB log:

8033 – Bear Net

0941z 16116 calls STUPEN
274 443 624

0949z 16116 calls STUPEN
458 842 156 816 443 896

0959z 16116 calls STUPEN [replies, 16116 faint]
KONUS calls 16116 and tells him to pass the message to him

1000z [16116] 303 847 023 534 734 619 822 332
[with wrong read back of group three, corrected by 16116]

1002z 16115 call KONUS
138 534 005 964 312 147 443 896

1010z 16115 call KONUS
741 534 724 619 822 180 443 594

1020z 16116 calls STUPEN
478 815 023 534 071 955 117 957 084 305

1028z 16115 calls TABLITSA, then straight away calls STUPEN
138 1?5 [error?] 138 534 540 115 ??? 251 660 033 084 316
[garbled with a possible error]

1036z 16116 calls STUPEN and TABLITSA, STUPEN replies
303 815 023 534 671 612 842 768 084 544

1039z 16115 calls TABLITSA and STUPEN, STUPEN replies
741 534 671 619 246 768 023 084 544

1048z 16115 calls STUPEN
138 534 491 236 896 443 084 635

1050z 16116 calls STUPEN
478 815 023 534 635 233 107 219 084 615

The recording below contains the 1048z and 1050z messages

1112z 16116 calls STUPEN
452 635 084 125
[repeats third number twice]

1129z STUPEN calls 16116 twice – no answer

1132z STUPEN calls 16116 twice – no answer

1133z STUPEN send message
BLIND 553 028 533 ??1

1141z 16115 calls STUPEN
741 534 360 810 719 980 447 023 038 914

1144z 16116 calls STUPEN
303 875 023 534 106 673 980 719 038 914

1148z 16115 calls STUPEN
138 537 023 534 674 400 388 521 038 496

1159z 16115 calls STUPEN
741 537 023 534 940 441 388 441 038 896

1201z 16116 calls STUPEN
478 816 023 534 717 355 637 321 038 496

1210z 16115 calls STUPEN
138 537 023 534 600 902 955 462 038 844

1213z 16116 calls STUPEN
303 815 023 534 186 117 388 117 038 896

1217z 16115 calls STUPEN
741 537 023 534 981 980 356 789 905 149

1306z 16115 calls STUPEN
138 537 023 534 540 288 810 236 905 206

1318z 16115 calls STUPEN
352 315 544 243 942

1320z 16115 calls STUPEN
[4 calls, no answer]

1322z 16115 calls STUPEN
741 537 023 534 724 284 312 816 315 555

1325z 16116 calls STUPEN
457 187 905 844

1351z 16116 calls STUPEN
457 187 315 715

Then comes the interesting part of this…… the arrival on frequency of the “Pirate”.

At 1427z an open mike became present on the frequency, in AM mode. This was fairly brief, and at 1429z the Pirate started.

Mike Delta Kilo Romeo, Mike Delta Kilo Romeo
Mike Delta Kilo Romeo, Mike Delta Kilo Romeo Standby
Mike Kilo Delta Romeo, Mike Kilo Delta Romeo, Mike Kilo Delta Romeo Standby

Note his own error or change with the callsign

MDKR//MKDR

Image of carrier wave and transmissions of MDKR//MKDR. The Pirate is using AM mode, but as the recording was in USB only that half was captured.

This was followed at 1431z
Mike Kilo Delta Romeo
56822166095499102

The audio for the above is here:

At 1439z he was back but very faint, almost like it was a recording or live transmission of a Numbers Station. Shortly after this 16116 tries to call STUPEN and KONUS, getting stepped on by the Pirate who sends yet another attempt at an EAM/Numbers Station.

C78AAA5ACBCEA77D76FF33EAFAE63CF5A7AAAAFAF555A85CDBEEBBA5D6DFCCA – or something like that! It was hard to work out some of the digits due to the lack of phonetics. Each time I listen to it I get a different result!

Fake EAM/Number station message

The audio is below.

At 1446z, 16116 calls STUPEN, KONUS and TABLITSA but gets no response back.

The Pirate then attempts to jam the frequency again. First of all with an extract from a selcall system used by the Russian Ministry of Foreign Affairs given the name “Mazielka”, designated X06 in the Enigma Control list. See the end of the blog for analysis on this.

This was followed by a continuous tone at 1090 Hz for approximately 35 seconds. These are the last transmissions by the Pirate.

Again at 1459z, 16116 tries the ground stations until TABLITSA finally acknowledges his presence and a message is sent. 16116 is barely readable with me by this time, though TABLITSA was ridiculously loud.

1459z 16116 calls STUPEN
calls TABLITSA
calls STUPEN
calls TABLITSA answers [very strong]
452 730 969 463

1506z 16115 calls TABLITSA
590 375 143 986 196 233

1531z 16116 [very faint] calls TABLITSA
452 859 143 168

This was the end of all contacts on USB, with the last W marker coming it at 1520z (though these then did start up again at 1640z, though much weaker).

From various OSINT feeds, the approximate route of the Tu-160’s took them out over the Barents Sea having departed Olen’ya air base in the Murmansk Oblast and heading north before turning west once out over the sea. At some stage they were intercepted by Norwegian Air Force F-16’s and were escorted to abeam Bergen/NE of the Faroe Islands before turning for home. The Russian Air Force have stated that the flight lasted for ten hours which ties in with the seven hours or so of HF traffic, with the remaining 3 hours probably within range of Russian VHF communications.

Olen’ya is a common forward operating base for LRA missions, being one of the remaining Arctic Control Group (OGA) airfields available. The base itself hosts Tu-22M-3R Backfire-C of the Russian navy. These are Tu-22M3’s that have been converted for a navy reconnaissance role though it is unknown just how many are airworthy. The base has over 30 Tu-22’s in permanent storage.

Twitter feed for записки охотника (Hunter Notes) has a rough plan of the route flown, along with his intercept of the messages sent – he has few of the earlier ones, and there’s a couple of differences between his and mine.

So, who is this Pirate? It isn’t the first time he’s been around. He was also heard in September.

On this occasion he was a little bit more direct.

Russians we are watching you
Russians we know where you are
Russians, turn around and abort your mission

And later

We will blow you out of the sky
The Russians. We have you under observations [sic], stand down

Despite having what is clearly a South East England accent, he signed off using something along the lines of:
This is the United States BC36

No doubt he is trying to gain some sort of attention, and in a way he is succeeding – me writing this blog is proof of that. But what else is he trying to achieve? Is he hoping the Russians respond? I doubt they will. Apart from anything, I expect the radio operators, having had to listen to all the noise on HF for every flight, have learnt to ignore any calls which aren’t specific to their mission.

My initial thoughts were that he isn’t a radio amateur and hasn’t worked in any other field that involves speaking on the radio. His use of poor phonetics made me wonder this. However, with access to a transceiver and associated antenna this may not be the case – and amateur radio operators tend to make up their own phonetics rather than standard ones, and he may just not know them.

That said, he must have some interest in military aviation and possibly a member of a military aviation forum. These tend to have thousands of members that have not been vetted in any way or form and quite often have threads that give notice of flights are on their way, be it with an alert of a QRA launch or actual comms received on Bear net frequencies.

Twitter, of course, is another example of information being out there for anyone to then take action on.

One thing is for sure, if caught he will find himself in trouble with UK authorities with the possibility of a two year prison sentence and a heavy fine. He will most definitely lose his radio licence should he actually have one, and have all equipment confiscated.

Lets see if he turns up again in another LRA mission.

Analysis of the Mazielka (X06) transmission

It was obvious straight away that this was a recording of X06 – in this case the sub-variant X06b.

However there was something odd about it.

X06 is a selcall system used by the the Russian Ministry of Foreign Affairs to alert outstations of an upcoming message, normally on another frequency.

The system sends out 6 tones, each lasting 333 milliseconds, making each call 2 seconds long. Each tone represents numbers 1 to 6 making a total of 720 different selcall combinations available for use.

The tones are sent on slightly different frequencies:
1 – 840 Hz
2 – 870 Hz
3 – 900 Hz
4 – 930 Hz
5 – 970 Hz
6 – 1015 Hz

The image below is taken from a X06 call I intercepted in November 2017 and decoded using go2Monitor. This shows a selcall of 116611. In this case the tones, which are still 333 ms long, sound longer but this is because the digits join on the same tone.

Whilst you can use a decoder, for X06 it is easy enough to decode using other means, such as Adobe Audition or Signals Analyzer. With these you can measure the tone frequencies and lengths.

In Adobe Audition the Pirate transmission is shown below

Pirate_003Pirate_003a

What is unusual is that the tones are off by 60 Hz. Whilst 1 should be at 840 Hz, here it is at approximately 900 Hz, and 6 is at 1075 Hz rather than 1015 Hz. Whether this is because the Pirate was transmitting in AM rather than USB I’m not sure. Maybe it is something to do with his original recordings. My recording is below

It is likely the long tone sent after the selcall here is the usual long tone that is sent before the standard ones. This is sent at 1090 Hz.

Pirate_004Pirate_004a

Looking at it using Signals Analyzer (SA) you can see that it is definitely X06. With SA you can measure more accurately the frequency and length of each tone.

X06_005

Here you can see the two tones (actually 6). The total time for the selcall is 2.040 seconds with 1 marked at 896 Hz and 6 at 1074 Hz

X06_006

Measuring the length of an individual tone (though actually 3 joined together) gives a length just over 1 second or 3 tones at 333 ms each

X06_007

Finally, measuring the space between each call gives us 1.312 seconds which is the correct spacing for X06

The sub-variant of X06b is designated due to its format of six tones sounding like two. It is thought this is a test transmission.

Finally, just to confirm my theory, I ran a looped sound file through go2Monitor with the result confirming the selcall as 111666

X06_004

Advertisements

SDR Console V3 analyser

The shack, finally operational after a few months off.

With the rebuild of my shack complete I’ve been able to start testing out all my radios, new connections etc.

The Mini-Circuits components all come well packaged in anti-static bags

A whole bundle of new cables from Mini-Circuits arrived last of all and have helped tidy up the back of the radio 19″ rack considerably. I’ve previously installed quite a few Mini-Circuits components, including 0.141″ diameter Hand-Flex interconnect cables, and so it was more of these that I opted for. The bonus with these cables is that they are hand formable meaning you can shape and bend them into pretty much any area that you want to. The 141 series (which I use) are capable of a 8mm bend radius, whilst the thinner 086 series can be bent to 6mm.

Being able to manipulate the cables certainly helps in tight spaces, and when you don’t want them to hang down

Previously I used hand-made cables with RG58U coax, but in order to have a 19″ rack that can slide out from under the desk, the cables needed to be longer than actually required. Because of this the cables would drop down into all the others attached to the PC and in some cases cause a little interference. With the Hand-Flex cables I’ve been able to use the same length of coax to allow me to move out the rack, but be able to bend them up and out of the way of the PC cables.

They’re also very good for the radios on the rack, being able to bend them and hold in place around the radios and other cables. They are near lossless too with a quoted insertion loss of 0.01 dB in the HF band to 0.55 dB at 18GHz. I normally run tests of the Mini-Circuit components when I receive them and find that the figures quoted are near spot on. I highly recommend these cables if you’re looking to upgrade your systems, and are available from the Mini-Circuits website, along with lots of other goodies that will tempt you.

Measurement of insertion loss of the Mini-Circuits ZF3RSC-542B-S+ Power Splitter/Combiner I also purchased as part of my plans for satellite communication monitoring. This is connected to the AirSpy SDR and takes feeds from two SatCom connections (currently deactivated) and a WinRadio AX-71C Discone Antenna. Mini-Circuits quote an insertion loss of around 19.5dB at 130 MHz which is confirmed here with a signal generated at -20dB being less than 1dB out at -40.48dB when passed through the combiner.

This image shows how the cables can be held in place without cable ties

The radio setup now includes two new SDR’s – an AirSpy HF+ and a standard AirSpy with the HF+ replacing the Enablia TitanPro. I’ve also reinstated my WinRadio G31DDC which had been in storage for a year or so. I really do like the TitanPro, and have put it into storage for the time being. The recording capabilities in particular are great with it being able to select 40 frequencies at once spread over numerous bandwidths, but I have had issues with the power supply – one being it caused interference. I attempted to make one of my own but it has a 6v(+/-1v)/2.5 Amp current requirement and no matter how many different methods of building my own supply using a 12v feed downgrading to 5, 6 or 7 volts, it just wouldn’t work in a stable manner. In the end it was easier to remove it and slot the G31DDC back in its place.

As it is, I’d forgotten how good the G31DDC is and I don’t really feel like I’m missing much thanks to the ability to use the other SDR’s with SDR Console V3 and it’s SDR Analyser.

The three 19″ racking units from Penn Elcom, along with all the shelves, have been very useful and certainly makes things easier when it comes to changing radios and connections over. I can just disconnect a few things and slide the whole unit out. I also obtained a 19″ Project box from them which I used as my main 12v switch unit. This is connected to two regulated desktop power supplies that act as master switches.

Although the SDR Console website page for the Analyser states it isn’t available yet, this is incorrect and it is downloaded with the latest version of the main programme.

If you’re a current user of V2 or have been in the past then you won’t notice much difference. You can have up to 24 parallel demodulators operating within the SDR’s bandwidth that you have chosen, all of which can run independent of each other in receive and record. You can also run each demodulator through a decoder such as MultiPSK independently and decode these in parallel with each other. This capability has taken that step towards those of the TitanPro, especially when being used with the Elad FDM-S2 that can provide a Maximum DDC bandwidth of 6144kHz’s.

Unfortunately, whilst you can schedule recordings of IQ data, you still can’t do this for individual channel recordings. This is a real shame as it would be a fantastic addition to the capabilities of SDR Console.

Getting back to the analyser though this does, in theory, cancel out the lack of channel recording scheduling.

When you record IQ data it is saved as WAV files, split into multiple ones depending on how long a recording you make . All of these files can be individually played back through the incorporated SDR Console player but even better is the use of the File Analyser.

With this you get a visual “image” of the complete recording, whereby after opening the analyser you get it to combine all the files into one XML file. For the image below I used the FDM-S2 with a selected bandwith of 768kHz centred on 4425kHz, hoping to catch calls to Russian Naval base Severomorsk in CW(RJD99) from ships operating in the region. I set the scheduler up to record from 0000z to 0700z which worked perfectly, giving me 78 files totalling 78GB – obviously, the bigger the bandwidth, the larger the total file size.

After clicking on New in the analyser and browsing to the relevant folder the WAV files are saved in, the analyser finds the first one and gives this as an option to open – it automatically adds the remaining WAV files and starts the process. This can take quite some time to extract, around 45 minutes for the example shown. But you only need to do this once because once it has finished you can save it as an XML file and open it at any time – in this case it was a 28MB XML file.

A note here – do not then delete the WAV files as the analyser still needs them.

As you can see, I was successful in locating calls to RJD99, and I have highlighted some of the others that I took a look at – this is just a screenshot of two hours out of the seven recorded.

All you then need to do is find any signal of interest, and after clicking on select and start in the top ribbon, click on the signal. This will then start playing the file from that location in the main SDR Console window. You don’t need to stay on that frequency, you can use the Console as if you were listening live and move around the frequency range you dictated in the bandwidth of the recording.

And, as it is basically a live screen you can do additional things such as record and use decoding software.

RJI92 calling RJD99 on 4416 kHz during playback of the Analyser

When using the Analyser I run this through a separate PC meaning SDR Console itself can carry on working on the main radio control PC. This is also handy if you’re away but have time to go through the IQ data using a laptop. Just copy over the original WAV files to a portable hard drive/memory stick and carry on as described above.

There are numerous other functions available for you to use with the main part of SDR Console, some I still haven’t had the chance to play with completely. I’m still exploring things such as the Signal History function which can store up to 48 hours of data. Here you can export data in CSV format to third-party programs such as QtiPlot. Signal history can also be used within the Analyser

This is useful as it can give you a quick overview into single frequency use, signal strengths, fading and such like. Definitely something I need to spend more time on.

It’s been a long time coming, but Version 3 of SDR Console has been well worth the wait. If you want to record and quickly analyse IQ data then I can’t think of anything else that does the job so well.

Coming up next…….

I’ve started using Harvester Signals Intelligence Software – Version 6 by SigintSystems and I’ll be running a series of blogs covering my progress with this excellent software as I learn how to use it to its full capabilities.

Roland Proesch Radio Monitoring books 2017

Roland Proesch has announced that his latest books on Radio monitoring are now available at his website

Whilst Signal Analysis for Radio Monitoring remains a 2015 edition, the other three – Technical Handbook for Radio Monitoring HF, Technical Handbook for Radio Monitoring VHF/UHF and Frequency Handbook for Radio Monitoring HF – have all been updated to 2017.

There is also a new title – Technical Handbook for Satellite Monitoring – which is over 400 pages long and is aimed at those that are interested in satellite communication. The book is the usual high standard with figures and tables on satellite systems and the waveforms they use.

Because of the new title, all satellite information (nearly 100 pages) has been removed from the VHF/UHF book, but these have been replaced by new modes such as Radar, C4FM, DVB-T etc.

At the moment, there are no PDF examples available, but going to my previous blog at the last release can provide that information for now. I’ll update when they do become available.

I highly recommend these books and they are very well priced at 49Euros each plus postage. There’s also the usual bundle price discount if you want more than one – further information on the website.

But, if you don’t want to pay the postage and are heading to the HAM RADIO 2017 exhibition in Friedrichshafen, Germany on the 14 – 16th July, then Roland will have a stand there (A1-213). I’m sure he’ll be pleased to see you there – I wish I could attend, but I’ll probably have to wait the 5 years or so until I move to Bavaria myself.

The opening times and price list for tickets to the exhibition can be found here

TitanSDR Pro demonstration

After receiving quite a few requests on information about the Enablia TitanSDR and it’s capabilities, I decided it would be good a good idea to create a demonstration video that would hopefully show just how good an SDR it is. The video is at the end of this blog.

I think that a lot of people can’t understand just why the two versions are the price they are, especially when it seems that a new dongle SDR is being evolved every day at a ridiculously cheap price. Yes, they are expensive but when you compare the price of these SDR’s to a top end desktop receiver, such as the Icom IC-R8500 for example, then it is fairly comparable.

But you must consider the fact that the Titan is really more than one receiver. The Pro version is 40 receivers, the standard is eight. You can’t record independently using the Icom, you need some additional software or a digital voice recorder plugged in to the receiver; and even then you can only record the one frequency – the Pro can record 40 frequencies, the standard can record eight.

The TitanSDR Pro can monitor up to 40 frequencies at the same time. Here, 10 frequencies are being monitored, mainly Oceanic ones.

The TitanSDR Pro can monitor up to 40 frequencies at the same time. Here, 10 frequencies are being monitored, mainly Oceanic ones.

Then, you can’t really record any bandwidth to play back using the Icom, but both versions of the Titan can record up to three separate bandwidths. These can then be played back, either through the SDR itself, or on another PC using the supplied USB dongle that carries a second version of the software – and if you did this you could be listening to, or recording, further frequencies or bandwidths. And all these separate bandwidth recordings can, of course, be played back multiple times, with multiple recordings being made within them; or data can be decoded; or signals analysed – what ever you require from an SDR.

This image shows the Titan monitoring 12 frequencies, 6 of which are decoding ALE using PC-ALE. This can take place in the background, while listening to the other frequencies on the SDR.

This image shows the Titan monitoring 12 frequencies, 6 of which are decoding ALE using PC-ALE. This can take place in the background, while listening to the other frequencies on the SDR.

But, of course, this is just standard for any SDR isn’t it?? But is it?? Can you think of another SDR that has the capability to monitor/record 40 frequencies at once? I can’t.

The nearest SDR I found to the Titan in quality of not only recording capabilities but in quality of filters etc. meant that I would need to buy around 13 SDR’s of this model and spend over €30,000. Yet, just one of this model costs pretty much the same price as the Titan. Now, with that knowledge, the price of the TitanSDR’s really doesn’t seem that bad after all.

Don’t forget, the TitanSDR is a Military spec. SDR, designed originally for agencies to monitor multiple frequencies for analysis and data collecting. It already has top specifications but Enablia are still willing to listen to the users and add requested features if they can. They have already done this with quite a few ideas that myself and other users have suggested.

You'd think that the Titan would be a CPU guzzler wouldn't you? Well it isn't. Here the SDR is running 31 frequencies, multiple decodings using MultiPSK, and PC-ALE. The CPU is running at only 27%, and that was it's max reading.

You’d think that the Titan would be a CPU guzzler wouldn’t you? Well it isn’t. Here the SDR is running 31 frequencies, whilst making multiple decodings using MultiPSK and PC-ALE. The CPU is running at only 27%, and that was it’s max reading.