Author Topic: Avionics teardown: reverse-engineering a (de-mil) voice crypto unit  (Read 221 times)


Posted by D Straney (topic starter)
Here's a "Digital-Analogue Converter" that came from a British Sea King helicopter, made by GEC Avionics.

Based on the ambiguous-sounding name I didn't know what to expect inside at first, but quickly realized that there's some encryption involved, from the "key erase" switch.

The top of the front panel contains a door that opens up to reveal a large slot extending half the length of the unit - this must be where the encryption module used to live.  Too bad I won't get to look at the internals of that, but that's to be expected from de-militarized equipment.


Let's open it up and take a look inside:

The connector for the missing crypto module breaks out each connection to discrete wires:


Rather than a uniform arrangement of vertical boards in a backplane, like in this navigation computer, the construction here is all heterogeneous modules, with a lot of "3D Tetris" going on.  Each module plugs into a complicated wiring harness via a D-sub connector on the back, and then locks in with 4 screws on the edges.

One reason for this might be the extra shielding added by the enclosures around each module; electromagnetic separation between the encrypted and unencrypted sides seems to be a common requirement for equipment like this - you can see a lot of examples at The Crypto Museum (with excellent internal photos).



The internal wiring is complicated to follow, but there's multiple sets of feed-through capacitors which likely separate the encrypted and unencrypted sides as well; besides conducted emissions, this probably filters the power too to prevent plaintext-dependent current draw leaking out from fast digital transitions (TEMPEST techniques, etc.).




There's lots of feed-through capacitors on the front panel too, for every external signal to/from the connectors, and some mystery relays which might handle audio routing:



The P.E.C. Control Boards seem to contain some basic glue logic for interfacing an external computer to this encryption unit:

I started tracing out the logic of one card, but it was fairly boring, didn't give any insight into the actual workings.  The "P.E.C." in the name probably stands for "Programmer Electronic Control", the GEC/Marconi term for their avionics computers, as well-documented by Erik Baigar.

The Power Supply is also pretty straightforward.


It's just a 400 Hz transformer, with a bunch of free-wired rectifier diodes to produce various DC voltages.

There's also a stack of aluminum capacitors in some unusual packages...

...and some metal-can voltage regulators:


The more interesting parts are in the final two modules, though, the Audio and Cyphertext modules.  My best guess is that the...
  • "Audio Module" processes the unencrypted audio, both incoming (from a microphone) and outgoing (to a speaker)
  • "Cyphertext Module" processes the encrypted digital waveforms, turning them to and from audio signals that go over the radio


Audio Module

There's mostly just a bunch of op-amps in here, plus a couple big audio transformers (the red cylinders; potted toroids) and an MD7021 dual transistor array.  The MD7021 is probably used as a power driver for outgoing audio through one of the transformers - we'll see a similar circuit used in the Cyphertext Module later.  Isolating the audio on its way in and out to external equipment reduces the potential grounding problems a lot, which otherwise would be a serious issue with small signals in an electrically-noisy aircraft environment.

Unless some of the LM741s are being used as comparators, the audio module is likely just a bunch of linear gain and filters; nothing particularly interesting, so I didn't bother tracing the circuitry yet.  The digital-to-analog conversion of decrypted audio, and the analog-to-digital conversion of encrypted audio, probably happen within the encryption module and not here.  It's possible that the encryption module feeds a sigma-delta-encoded bitstream to the audio module, which gets low-pass-filtered into the outgoing audio signal, but the more complicated stuff doesn't seem to happen here.

On the bottom are a couple free-form-wired regulators (a positive LM317 and negative LM117), probably to give it filtered local analog supply voltages.


Anyways, the Audio Module is in storage right now but I'm still going to see if I can do a quick trace of the circuitry next time I have access to it, just to make sure it's not doing a janky "op-amps-as-comparators" delta-sig encoding/decoding onboard...

The best circuitry though, of course, is in the Cyphertext Module.

This module is packed with parts, and actually has 3 boards: 2 stacked on the top side (#1 and #2)...


...and one on the bottom side (#3):


Before diving into the functionality, let's take a quick up-close tour of the circuitry...
The top board has a lot of 4000-series digital logic:

The middle board has a gold-capped ceramic chip that turns out to be an analog switch:

The red box mounted to the chassis is yet another audio transformer, used for input isolation:

The bottom board has some more potted inductors (red cylinders), plus the black boxes which are (film?) capacitors, forming a multi-stage LC filter:



Now, most importantly, what does it all do??
It was a pain to go through this entire module but curiosity wouldn't let me stop, so here's a full schematic: also attached at the end of the post as a PDF.


There are a couple of important external signals to discuss (both using names I gave them):
"Init" seems to be an initialization or reset pulse, coming from either the P.E.C. Control cards or maybe the crypto module.
"Mode" selects between two major modes of operation in the cyphertext module, for data flowing in both directions.  I found a photo of a control panel for this encryption unit:

(Photo by woods-group-devon on eBay)
The switch 2nd from the right, next to "Erase", selects between "FBB" and "Diphase" - I believe this selects the digital encoding method used to send the encrypted digital bitstream over the radio.
I don't know what "FBB" stands for, but "Diphase" seems to be an old name for Manchester Encoding (there may be some subtle differences, but if so I can't spot them?) which encodes 0 and 1 as rising edges or falling edges, together with the clock signal, so that the clock and data can be transmitted together over a single channel.
Mode = 0 for Diphase mode, and Mode = 1 for FBB mode.

There's a lot happening here, so let's walk through it block by block.  Simplest one is...
Encrypted Digital Output Path

This section takes the encrypted digital data from the crypto module, and converts it to an analog waveform suitable to send over the radio.
First, the incoming clock from the crypto module is divided by 4; the clock seems to run at 4x the bit rate, for timing purposes.  The incoming data is reclocked at this Clk/4 bit rate by IC16A.

In Diphase mode, the 4070 XOR gate generates the Manchester/Diphase encoding by simply XOR'ing the data with the clock.  The encoded digital data is then passed through a series of active filters, which seem to form a many-pole bandpass overall.  This now close-enough-to-audio signal, centered around 0V and with the sharp square-wave edges chopped off, passes through the 4053.
In FBB mode, the raw digital data is directly re-clocked (again for some reason?), AC-coupled and given some gain, and passed through the all-passive multi-pole LC filter on the bottom board (#3).  The filter seems to be mostly low-pass, with a couple notches formed by the parallel LCs (L4 & 8.1 nF, L5 & 4.7 nF).  I have no idea why active filters were fine for the Diphase-encoded signal, but the FBB one needs passive filters.  I also don't know what any of the actual filter corner frequencies are, because the capacitors (in the active filters) and the inductors (in the passive filters) weren't marked with values.

Finally, the filtered digital signal, now suitable for radio transmission, is amplified and sent out to the radio through an audio isolation transformer (L1).  For amplification, the LM741 at the right uses two discrete transistors (in the MD7021 dual-complementary metal can) to boost its output current capabilities.  The discrete output stage architecture used here is interesting; instead of having the op-amp output directly drive the transistor bases (with required biasing, etc.) it uses the op-amp's current draw from the power supply to drive the transistors.  I've seen similar schemes in Jim Williams app notes and elsewhere, but never exactly in this form - the weird overlap in voltages, and the operating point implied by the resistor values, both don't make sense to me but I double-checked the continuity & resistances, so apparently I'm just missing something...
When the 741 is driving the output positive, for example, its V+ current draw increases and its V- current draw decreases.  This increases the voltage drop across the VCC-side resistor, lowering the NPN's base voltage (and sinking less current from the output through the NPN).  This also decreases the voltage drop across the VEE-side resistor, lowering the PNP's base voltage (and sourcing more current to the output through the PNP).

I thought it was interesting, too, that rather than encoding audio tones over the radio channel either with FSK or PSK, the digital signals just get filtered and then sent on their way.  I guess this works as long as the frequencies are in the audio range, and at fixed rates (which makes it easier to filter out noise on the incoming side).

Encrypted Audio Input Path

Encrypted audio enters from the radio via the chassis-mounted transformer, and goes through an amplifier with trimmer-adjustable attenuation and gain adjustable by a cuttable wire link.
It then passes through a 2-pole low-pass filter, which has its corner frequency switched by that ceramic & gold IC on the middle board: 15 kHz in Diphase mode, and 30 kHz in FBB mode.  The two diodes that follow clamp the signal's negative excursions to ~0V (the diode connected to gnd compensates for the forward voltage of the clamping diode), and shift the voltage upwards by ~63 mV.  This positive-only signal then goes into a comparator with a fixed 1.1V threshold and some hysteresis, and surprisingly, that's it - it's now a digital bitstream to send to the crypto module.

In FBB mode, the story ends there: the 4053 switch passes the signal along as-is (from the "Audio_Dig" net).  In Diphase mode, though, there's a whole lot of extra circuitry involved in Manchester/Diphase decoding.  I'm not 100% sure on what everything is doing, but it's all centered around a 4046 PLL, which makes sense - syncing a PLL to the appropriate transitions is one of the ways of recovering the clock from a Manchester-encoded bitstream.  The US patent # 3982195 contains a description of a significantly different, but still informative, Manchester/Diphase decoder using a PLL (the comparator, LPF, and VCO form a PLL's feedback loop).  The PLL's oscillator output gets divided by 2 and delayed various amounts, and a set of XOR gates & NOR gate seems to filter out the "appropriate" bitstream transitions (ignoring the extra ones required with sequential 0s or 1s) to create pulses to sync the PLL.  In the end, the properly-phased PLL clock is used to latch the input bitstream at specific times, which also makes sense: for example, if a "1" is encoded as a rising edge, you'd want to sample the bitstream (and latch it on the output) after the rising edge, to make the output "1".

There's also a circuit to the left, which I think is to prevent garbage data from being passed on to the crypto module during startup/shutdown/invalid input.  There's a slightly confusing circuit involving the phase-detection pulses from the PLL, a little bit of logic, and an LM567 tone decoder (???) - this ensures the digital output is all 0s until it receives phase-detect pulses from the PLL, within a specific frequency range (which probably indicates that the PLL is locked and the decoder is working properly).

Initialization and Self-Test

There's another slightly confusing circuit with multiple analog switches (and a discrete-transistor inverter; not sure why they didn't just use the 4013's ~Q output), which seems to control what happens at reset, and some sort of self-test mode.  There's an unusual chip on the bottom board; the 4557 variable-length shift register - it has an internal shift register delay selectable from 1 to 64 bits, with external pins.  This is used here as a 34-clock-cycle delay, in what seems to be a "self-test loopback mode", where the crypto module's digital output data is sent back to its digital input.

What seems to happen here is that the "Init" pulse, while high, puts the Cyphertext module into the loopback self-test mode.  Then when the "Init" pulse goes low again, the digital data output to the crypto module is latched off (all 0s).  What enables the output, and allows the decoded digital data to be passed onwards to the crypto module, is a specific tone on the audio input from the radio (which probably indicates "start of transmission" or "encrypted transmission to follow").  The LM567 tone decoder detects this tone, and latches the output into its "active" state.

Anyways, hope this was interesting, let me know if you have any extra info about this equipment.
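As an added illustration (not part of the post above, and not taken from the unit's schematic), here is a bit-level Python model of the Diphase path as described: a clock at 4x the bit rate divided by 4, data reclocked at Clk/4 and XORed with it, and on the receive side the mid-bit edge phase recovered by ignoring the "extra" bit-boundary transitions, which is the job the 4046 PLL and its XOR/NOR sync logic do in hardware. Function names, the 8-samples-per-bit rate and the test data are my own assumptions.

```python
"""Constructed bit-level model of the Diphase (Manchester) path described in
the post.  Names and sample rates are assumptions, not from the schematic."""

CLK_PER_BIT = 4                    # crypto-module clock runs at 4x the bit rate
SAMPLES_PER_BIT = 2 * CLK_PER_BIT  # one level sample per half clock period


def clk_over_4(n_bits):
    """Divide-by-4 counter output: high for half a bit period, low for the other half."""
    half = SAMPLES_PER_BIT // 2
    return [1 if i % SAMPLES_PER_BIT < half else 0 for i in range(n_bits * SAMPLES_PER_BIT)]


def reclock(bits):
    """IC16A: data only changes on Clk/4 edges, so each bit holds for one bit period."""
    return [b for b in bits for _ in range(SAMPLES_PER_BIT)]


def diphase_encode(bits):
    """4070 XOR of reclocked data with Clk/4: 0 -> falling mid-bit edge, 1 -> rising."""
    return [d ^ c for d, c in zip(reclock(bits), clk_over_4(len(bits)))]


def recover_phase(samples):
    """Return the in-period offset where an edge occurs in *every* bit period.
    Mid-bit edges exist for every bit; bit-boundary edges only appear between
    two equal bits, so they are the 'extra' transitions the PLL sync logic ignores.
    A run of identical bits is ambiguous (both offsets qualify), so refuse to lock."""
    n_bits = len(samples) // SAMPLES_PER_BIT
    candidates = []
    for phase in range(SAMPLES_PER_BIT):
        idx = [k * SAMPLES_PER_BIT + phase for k in range(n_bits)]
        if all(samples[i - 1] != samples[i] for i in idx if i >= 1):
            candidates.append(phase)
    if len(candidates) != 1:
        raise ValueError("no unique mid-bit edge phase: PLL would not lock")
    return candidates[0]


def pll_locks(samples):
    """True if a unique mid-bit phase exists (models the 'PLL locked' gating)."""
    try:
        recover_phase(samples)
        return True
    except ValueError:
        return False


def diphase_decode(samples):
    """Latch the level just after each mid-bit edge: rising -> 1, falling -> 0."""
    phase = recover_phase(samples)
    n_bits = len(samples) // SAMPLES_PER_BIT
    return [samples[k * SAMPLES_PER_BIT + phase] for k in range(n_bits)]
```

Feeding `diphase_decode` a stream with its first few samples dropped models a receiver that starts listening mid-bit; it still recovers the phase and returns the complete bits it saw.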