priyom.org

Message Metadata

This page describes metadata elements that appear in, and are common to, various historical and current Russian intelligence or diplomatic digital, MFSK, RTTY and morse modes that encode messages based on 5-figure or 5-letter groups.

5-group header

The 5-group header is the first, outermost common metadata element. It is pervasive among the various modes and the most obvious and recognizable, with its 5 successive 5-figure groups carrying unencrypted, easily decodable information. It is usually sent as a preamble.

Message type Link ID Unknown Message date and serial number Group count
11166 60157 13579 08001 00049
111 66 Constant for a given schedule. Sometimes 00000 for unscheduled transmissions. Random-looking group, usually different for each message. Sometimes 00000 or known constant value. 08 001 0004 9
Always 111 Two identical digits, see values below Day of month Serial number, incrementing with each message within the schedule, from 001 Number of 5FG or 5LG in the following message, not including this header Usually 9, occasionally 1 or 3, purpose unknown
Known message type values
11100 Sometimes used, possibly related to irregular scheduling
11144 Appeared in the past
11166 Usual type with F06
11177 Usual type with F01 and some other modes
11199 Two-way link QSL

Based on the distribution of values and on header format variants, we believe that the 5-digit link ID might require further subdivision or interpretation.

Link ID
60157
6 0 157
Any 0-9 value.
0 might be more common.
Special meaning suspected, but unknown.
Almost always 0.
Special meaning possible.
3-digit, maybe "actual" link ID part,
seemingly numbered and assigned starting from 000,
and rarely above 250.

In a few instances it was observed that the first digit of a link ID changed: the second digit and last 3-digit part remained the same, and it is believed that the transmissions indeed happened on the same link between the same endpoints. This would support the above theory. For more information and reference, the comprehensive N&O profile on the topic contains an interesting database of link IDs gathered over the years.

The group count field can be greater by 1 than the number of groups in the payload, depending on how it is defined and counted. In formats that include an 00000 outro group, the group count simply matches the payload including that one outro group. However in operation modes that for example use operator chat for coordination, or a special encapsulation layer like F06a, and that don't include a 00000 outro group, the group count field is superior by 1 to the number of groups. One explanation for this would be that the group count always accounts for one possible outro group, whether it is actually present or not in that particular operation mode.

Serial-GC postamble

The serial-GC postamble is the second common metadata element. It is a small discrete group tucked at the end of messages, containing two unencrypted fields. It is normally followed by one 00000 outro group (or sometimes several for padding).

Postamble Outro
01047 00000
01 047  
Serial number Group count

The serial number follows the same behavior as in the 5-group header. The group count is the number of 5-figure groups inside the message preceding the postamble, and not including itself or the outro. The 5-group header, whether present or not, is not part of the message itself, so it is never included in the postamble group count. The serial-GC postamble uses only 3 digits for the group count, contrary to the 5-header group which uses 4 digits, and in rare messages containing more than 999 groups, it has been observed that the postamble group count wraps around, dropping the thousands digit.

The serial-GC postamble appears in messages sent by F01 and F06. It is also at least reminiscent, if not an analog, of the postamble of their E06, G06, S06 and M14 counterpart stations.

Triple timestamp

The triple timestamp is the third and deepest known common metadata element. It resides inside the encrypted data of the message. This part (at least) of the message is only encrypted with a key that gets reused message after message, producing visibly similar 5-figure groups across messages within schedules where this header appears. This allowed us to figure out its existence and contents.

This header comprises the first 12 5-figure groups of the message. It appears that the same cleartext 20 digits, containing the timestamp of the message, are simply repeated 3 times in succession.

  First copy Second copy Third copy
Encrypted 47749 49093 92903 40530 04816 33608 57196 63673 42964 90189 70902 82228
Cleartext 30261 00026 05174 00000 30261 00026 05174 00000 30261 00026 05174 00000
  15-digit timestamp,
see below
Almost always the same value,
assumed to be 00000.
Occasionally 12345 instead.
Timestamp 00000 or 12345 Timestamp 00000 or 12345

The message timestamp encodes on 15 digits the date and possibly the time of the writing of the message, following a XX-YY-HH-ZZ-dd-mm-yy-w format, where the meaning of XX, YY and ZZ fields are still uncertain: it could be SS:MM:HH ZZ dd-mm-yy w, or XX:YY HH:MM dd-mm-yy w.

15-digit message timestamp
30 26 10 00 26 05 17 4
00-59 value,
possibly seconds
00-59 value,
possibly minutes
Hours,
usually ranging between 09 and 16
Almost always the same value,
assumed to be 00.
Occasionally different, within a big range.
Alternate possibility for minutes.
Day of month Month Year Day of week

The triple timestamp has been seen in several F01 and F06 schedules, and even in the E06 ID 832 replacement of F06 ID 50046.

Layering

Each of the metadata elements described above may or may not be present in a transmission. It depends on the habits and characteristics of the mode used, and can even depend on the particular schedule. When several of these elements are present, they naturally layer on top of one another: from outermost to innermost, 5-group header, serial-GC postamble and triple timestamp. The message date and serial number are the same in the different metadata elements, however the group counts slightly differ.

The payload of a 5-group header is a message which may or may not feature a serial-GC postamble. When both are present, the payload of the serial-GC postamble is only the inner message. So the group count in the 5-group header is always greater than the one in the serial-GC postamble, by a couple groups, to account for the serial-GC postamble and outro groups.

Example

Example F06 message featuring all of 5-group header, serial-GC postamble and triple timestamp:

11166 70147 63294 26057 00509
52605 93102 97678 58128 38271 73989 80470 94306 44065 67310
85734 84902 91173 41859 43065 66564 60299 57864 93228 08612
85432 55311 16512 34995 23980 50211 42834 10893 26924 13369
24193 96424 67191 83939 98695 78643 06343 90805 71813 58085
17286 38424 35603 51866 49878 13945 98213 73551 57048 00000
Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×