|
|
|
|
EMU Burst Nokia Philips NSA SBT →
The device is housed in a ruggedized die-cast aluminium enclosure
that measures 297 x 222 x 72 mm and weights 3 kg. The user interface consists
of a 55 rubber keys and a 32-character red LED display that can be
covered with a lid.
The unit is powered by four 1.5V D-type cells or by an external 10 to 30V DC
source, such as the battery of a vehicle. It can be connected
directly to the voice circuit of a (military) radio,
but can also be used via an analogue (POTS) telephone line
by using an optional acoustic modem.
It can also be interfaced to a computer and a printer.
|
|
|
The UA-8295/00 was originally developed in 1983 by Nokia in Finland as the
DA-8520 message terminal. It was used by the
Finnish National Forces
under the name Sanomalaite m/90 (SANLA) 2
as part of an integrated messaging and command system.
Messages were encrypted with the
Data Encryption Standard (DES) – in OFB mode – which was considered strong at the time. In fact it was so strong, that the NSA didn't
want it to be available to the rest of the world. They asked
Philips Usfa to adopt the device and re-release it under the
Philips brand,
with an alternative NSA-developed algorithm, that appeared stronger,
but could in reality be broken by the NSA [4].
In 1984, Philips launched the device as the UA-8295/00, which was in fact
nothing more than a rebatched Nokia DA-8520 (SANLA)
with the original DES algorithm.
It is known that this version was supplied to France. 3
In 1985, the device was supplied to other customers under same
model number (UA-8295/00), but with the NSA-developed
SBT algorithm, which is a typical example of a
government-created backdoor.
Interestingly, the NSA firmware has the same version number
(E22444) and date (30 Oct 1984) as the original Nokia firmware,
and has exactly the same size.
UA-8295/00 was suitable for all Latin-based languages and was
also sold by MEL in the UK as the BA-1402, but it is unknown
whether it was the DES or the (weakened) SBT variant.
A special version for Saudi Arabia, with a dot-matrix display,
followed in 1986 as the UA-8295/06 [F].
➤ More about the weakened SBT algorithm
|
|
-
Also known as a Short-Burst Message Terminal, or Short-Burst Terminal
(SBT).
-
The Finnish word Sanomalaite means Messenger.
-
Most likely to the French Foreign Legion [1].
|
PLEASE HELP —
Crypto Museum are still looking for the original service
documentation and circuit diagrams of the Philips UA-8295,
the Nokia DA-8250 or the MEL BA-1402. Please help us expand this page.
➤ Contact us
The image below provides a quick overview of the controls and connections
of the device. For user interaction there is a 55-button rubber
keyboard and a red 32-character LED display. In the image below, the
display is covered by a protective metal panel. Behind the display is a
hinged metal lid – retained by two spring-loaded clips – that gives access
to the battery compartment. The unit can be switched ON and OFF by means
of the ON/OFF button in the upper right corner.
All connections are at the rear. There are two large spring-loaded
wire terminals that allow the device to be powered by an external
DC power source such as the battery of a car or a truck.
In addition, there are three NF7 sockets for connection of a
computer (RS422), a serial printer (RS232) and/or a (military)
radio with a regular U-229 handset connection,
such as the PRC-77.
When the device is in use, most of the power is consumed by the LED
display, which is why it enters sleep mode when no key has been pressed
for several seconds.
The display has three brightness levels
that can be cycled with the BRIGHT-button on the keyboard:
|
Low 50 mA Suitable for operation in absolute darkness Normal 140 mA Normal operation during the day (default) High 320 mA Operation in bright sunlight
|
The table above shows the battery current for each of the brightness settings.
In all cases, the hinged lid above the display should be tilted in such a
way that it blocks direct sunlight. It also prevents the display being visible
to the enemy, which might reveal the operator's position.
|
UA-8295/00 Standard version with DES and 32 character LED display UA-8295/00 Same version but with NSA-developed SBT Algorithm 1 UA-8295/06 Arabic version with 329 x 20 pixel dot-matrix display (LCD)
|
-
Note that this variant had the same model number. Furthermore,
the firmware of the weakened version had the same version number, date
and checksum as the original Nokia firmware.
|
- Burst transmission for ECCM
- RS-422 interface to computer for Command & Control applications
- RS-232 interface to printer
- Automatic encryption/decryption of the text
- Customisable encryption algorithm
- KEY-entry via keyboard
- Built-in real-time clock (RTC)
- Automatic acknowledgment of message (ACK)
- Built-in radio data modem (1100-2300 Hz)
- 128.78.7 BCH error correction
- Free-format and fixed-format messages
- Fully immersible
|
In 1984, the US National Security Agency (NSA)
approached Philips Usfa in The Netherlands, with the request to
add the Nokia DA-8520 to its product portfolio and supply
it worldwide under the Philips brand to NATO and non-NATO military users.
NATO customers would get the original version of the firmware from
Nokia,
which was based on the (strong) DES encryption algorithm.
Non-NATO customers however, would receive a version which appeared to be
identical — it had the same model number — but which contained an
alternative version of the firmware that had been developed by the NSA.
The SBT-algorithm used in this version, is a block cipher – like DES –
but has been manipulated in such a way that it can be broken with relative
ease by the NSA [4].
For the user it is almost impossible to determine
which version of the firmware is present in the device, as they
both show the same version number on startup and carry the same date code.
In addition, the NSA-developed replacement firmware has exactly
the same size as the original Nokia firmware. Even for an experienced
engineer it would be very difficult to tell the difference.
The device featured here came with the original (DES) firmware from
Nokia,
whilst the EPROMs with the NSA-developed drop-in replacement firmware
(SBT) were recently obtained from an anonymous source.
A full analysis of the NSA-developed SBT algorithm
is currently underway.
➤ Analysis of the NSA-developed SBT algorithm
|
The interior of the device can be accessed by removing 10 inbus bolts from
the bottom side of the case, after which the two case shells can be
separated. The upper case shell holds the battery compartment, the display
and the keyboard, whilst the PSU, the CPU and the radio modem reside in
the bottom half of the case.
Be careful, as the two halfs are interconnected by two flatcables.
|
The opened device is shown in the image above. The PSU is fitted in the
rear right corner of the bottom half.
It converts the battery voltage
(4.8-6V) and the external DC voltage (10-30V), to stable internal +5, +6
and -6 voltages for the logic, the analog parts and the serial interfaces.
At the heart of the device are the logic circuits, built around two
Intel 80C31 microcontrollers:
one for the user interface and one for the radio modem.
This part is shown in the image on the right. At the far right is the main
80C31 microcontroller and an
NSC810 Timer & I/O expander.
|
|
|
The latter forms the interface to the keyboard and the 32-character LED
display that reside in the upper case shell. At the centre is the main
memory, which consists of a TC5565 SRAM (8KB) and three 27C64 EPROMs of
8KB each. The EPROMs hold the firmware
and a short-form user guide.
|
The two EPROMs closest to the front edge of the case hold the actual firmware
(version E22444), which takes little over 12KB. The third EPROM holds the texts
for the on-display user guide.
To the left of the EPROMs is the second 80C31 microcontroller, which is
used solely for control of the built-in
Audio Frequency-Shift Keying (AFSK)
radio modem shown in the image on the right.
It is also known as the I/O Processor (IOP).
The firmware for this
microcontroller (version IOP 444) is stored in a separate 8KB
EPROM (IC3), located further towards the rear of the board.
|
|
|
The AFSK modem allows the device to send and receive messages at a speed
of 150 or 600 baud, 1 over narrowband (short-wave) radio channels, using
in-band audio tones in the 1100-2300 Hz range. As a result, it communicates
via regular voice channels and requires no modification of the radio
equipment. The UA-8295/00 can be used with virtually any existing
military radio set.
|
|
When we received our UA-8295/00 in January 2022, it was in good cosmetic
condition. Almost 40 years after the device was made, it was still in working
condition, but suffered from a few minor issues. In a previous life, the
rechargeable NiCd batteries had been leaking, which had caused
severe damage to the battery compartment.
Luckily, the previous owner had already removed
the leaking batteries, but the contact strips and the aluminium casing
were corroded.
The battery compartment was thoroughly cleaned
and the contact strips were
reworked, so that it is at least possible to power the unit by four D-cells
again in the future. In addition, the rubber strip
– on the inside of the battery lid – was replaced by a more durable one made
from neoprene.
One of the spring-loaded power terminals at the rear of the device was
blocked, but this was easily fixed with a little force and a drop of
penetrating oil. Next, the interior of the device was inspected. It is always
important to do this before powering the device after so many years of
shelf storage. No leaking or shorted capacitors were found inside the device,
but one of the leads to the battery compartment had a badly corroded
endpoint. After replacing the nut and the revet,
the unit was powered by applying 12V to
the power terminals at the rear. It worked first time.
Whilst the unit was open, we took the opportunity to make dumps of
the four EPROMs and store their contents for later reference.
Labels at the bottom of the EPROMs
confirmed that they contain version
E22 of the original Nokia DA-8520 firmware, released on 30 October 1984.
It is unlikely that the EPROMs were ever replaced during the device's
lifetime, as they were still bound to their sockets by means of the original
black nylon strings. All EPROMs are of the type 27C64 (8KB).
|
Battery compartment badly corroded One power terminal blocked by corrosion
|
- Exterior cleaned
- Battery compartment cleaned
- Rubber strip in battery lid replaced
- Power terminal repaired
- One battery wire connection replaced
- Dual-version EPROMs added
|
As there are two versions of the firmware with identical version numbers –
the original one from Nokia and the drop-in replacement of the NSA –
we wanted a means to toggle between them, so that the differences
in behaviour can be observed without continuously swapping the EPROMs.
In the original design, the firmware is held in two
2764 EPROMs of 8KB each.
By using double-size 27128 EPROMs of 16KB,
each one can hold both firmware images, each in its own 8KB bank,
as shown above. They have the same
28-pin enclosure and pin layout, with the only difference being the extra
address line (A13) at pin 26 of the 27128 [d].
On the 2764 this pin is unused [c].
|
By connecting a 4k7 pull-up resistor from this pin to the +5V rail and
a microswitch to ground, it can be used to toggle between the
two images.
The practical implementation of this solution is shown in the image on
the right. As we didn't want to make any modifications to the device that
could not be reversed, we inserted an extra IC socket in between the
existing IC socket that is already present on the board,
and the 27128. From this extra socket, pin 26 has been cut off
and a pull-up resistor was soldered between the remains of this pin and
the +5V rail at pin 28.
|
|
|
Next, a wire was soldered to pin 26 (of the intermediate sockets)
and guided to the
vacant space in the rear left corner
of the die-cast aluminium enclosure. In this
corner is a seemingly unused screw, that can be loosened to equalise the
air pressure inside the case with the world outside.
|
In the vacant corner, a small PCB was fitted, carrying a raised microswitch
that is mounted in such a way that its actuation arm an interacts with the
end of the pressure equalisation screw.
If the screw is turned all the way in – as it would normally be –
it closes the switch, causing the lower memory bank to be selected.
In our case, the lower bank holds the firmware image with the
NSA algorithm (SBT).
As soon as the screw is loosened a bit, the switch is opened and the upper
memory bank is selected, which in our case holds the original Nokia firmware
with DES.
|
|
|
When the case is closed, the pressure equalisation screw remains accessible
from the rear. It is normally covered by the
leftmost battery compartment lock, but
by releasing the lock, the screw becomes visible.
We are now able to demonstrate both versions of the firmware – or in fact
both encryption algorithms – with just the flick of a screw.
This modification is non-destructive.
|
The UA-8295 can be powered by four 1.5V D-size battery cells, or
by four 1.2V rechargeable NiCd cells. In addition it can be powered
by any 10 to 30V DC source, such as the battery of a car or truck.
In the latter case, the power source should be connected to the two
spring-loaded terminals at the rear. Note that the + and -
terminals may be swapped.
|
|
|
At the rear of the device, the rightmost socket is for connection of an
external radio set (transceiver), such as the PRC-77
or similar. In most cases, such radios are equipped with one or two
U-229 sockets for connection of a handset.
The UA-8295/xx can be connected to one of these sockets.
Below is the pinout when looking into the radio socket of the UA-8295.
It was measured at Crypto Museum from the
supplied U-229 cable. On this cable, pins
B, C and G are not wired.
|
GND Ground, common - ?
- ?
MIC Microphone PTT Push-to-Talk SPK Speaker - ?
|
|
Device Encrypted short-burst message terminal Purpose Secure battlefield message exchange Manufacturer Nokia Reseller Philips Usfa Model UA-8295/00 Year 1984 Users France, Saudi Arabia Encryption DES in OFB mode Display 32 characters LED Keyboard 55 buttons (silicone rubber) Memory TX: 2000 + 250 characters RX: 2000 characters, or 8 messages Firmware Version: E22 (28 Dec 1983 + 30 Oct 1984) Interfaces Radio - Voice grade (150 and 600 baud) Printer - RS232 (50-1200 baud) Computer - RS422 (110-1200 baud) Modem AFSK 1100-2300 Hz Power 10 - 30V DC Batteries 4 x 1.5V D-size cell (24h) 4 x 1.2V NiCd rechargeable cells Mains Adapter (option) Dimensions 297 x 222 x 72 mm Weight 3 kg
|
Same as UA-8295/00, but with the following differences:
|
Same as UA-8295/00, but with the following differences:
|
Model UA-8295/06 Year 1986 Encryption NSA-developed SBT algorithm Display 329 x 20 pixel dot-matrix display (LCD) 78 characters in Arabic 80 characters in Latin
|
- Canvas carrying bag
- Short-form instructions
- UA-8295 operating instructions
- Radio connection cable
- Computer connection cable
- Printer connection cable
- 4 x 1.2V rechargeable NiCd D-cell
|
- UA-8295 (Philips)
- Short Burst Message Terminal
- Short Burst Terminal (SBT)
- SBT
- DA-8520 (Nokia)
- BA-1402 (MEL)
|
- UA 8295 and UA 8296 Short Burst Terminals, Brochure
Philips Usfa BV. Document No. 20.0058/E/0984, 1984. 8 pages.
- Secure Communication, UA-8295 burst encoder, brochure
Philips Usfa BV. 1986. 6 pages.
- Short-Burst Message Terminal Type UA-8295/00, User's Manual
Philips Usfa, August 1984.
- Short-Burst Message Terminal Type UA-8295/00, System description
Philips Usfa, May 1984.
- Terminal de Transmission de Message de Patrouille, UA-8295/00
September 1984. System description (French).
- Short-Burst Message Terminal Type UA-8295/06, User's Manual
12 November 1985. 1
- UA-8295/00 instruction card
Plastic card 230 x 110 mm. Supplied with device.
|
-
We have not published this manual, as it contains hand-written notes
and names of living persons.
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Tuesday 04 January 2022. Last changed: Tuesday, 02 April 2024 - 12:55 CET.
|
|
|
|
|