Click for homepage
EMU
Burst
Nokia
Philips
NSA
  
SBT →
  
UA-8295
Short-Burst Message Terminal

UA-8295 was an Electronic Message Unit (EMU) 1 with built-in encryption, developed by Nokia in Finland and marketed from 1984 onwards by Philips Usfa in Eindhoven (Netherlands). It can be used with telephone and radio equipment, and is based on the Nokia DA-8520 message terminal; in the Finnish Army known as the Sanomalaite m/90 (SANLA). The intial version uses DES, but some versions use an encryption algorithm developed by the US National Security Agency (NSA).

The device is housed in a ruggedized die-cast aluminium enclosure that measures 297 x 222 x 72 mm and weights 3 kg. The user interface consists of a 55 rubber keys and a 32-character red LED display that can be covered with a lid.

The unit is powered by four 1.5V D-type cells or by an external 10 to 30V DC source, such as the battery of a vehicle. It can be connected directly to the voice circuit of a (military) radio, but can also be used via an analogue (POTS) telephone line by using an optional acoustic modem. It can also be interfaced to a computer and a printer.
  

The UA-8295/00 was originally developed in 1983 by Nokia in Finland as the DA-8520 message terminal. It was used by the Finnish National Forces under the name Sanomalaite m/90 (SANLA) 2 as part of an integrated messaging and command system. Messages were encrypted with the Data Encryption Standard (DES) – in OFB mode – which was considered strong at the time. In fact it was so strong, that the NSA didn't want it to be available to the rest of the world. They asked Philips Usfa to adopt the device and re-release it under the Philips brand, with an alternative NSA-developed algorithm, that appeared stronger, but could in reality be broken by the NSA [4].

In 1984, Philips launched the device as the UA-8295/00, which was in fact nothing more than a rebatched Nokia DA-8520 (SANLA) with the original DES algorithm. It is known that this version was supplied to France. 3 In 1985, the device was supplied to other customers under same model number (UA-8295/00), but with the NSA-developed SBT algorithm, which is a typical example of a government-created backdoor. Interestingly, the NSA firmware has the same version number (E22444) and date (30 Oct 1984) as the original Nokia firmware, and has exactly the same size.

UA-8295/00 was suitable for all Latin-based languages and was also sold by MEL in the UK as the BA-1402, but it is unknown whether it was the DES or the (weakened) SBT variant. A special version for Saudi Arabia, with a dot-matrix display, followed in 1986 as the UA-8295/06 [F].

 More about the weakened SBT algorithm

  1. Also known as a Short-Burst Message Terminal, or Short-Burst Terminal (SBT).
  2. The Finnish word Sanomalaite means Messenger.
  3. Most likely to the French Foreign Legion [1].

PLEASE HELP — Crypto Museum are still looking for the original service documentation and circuit diagrams of the Philips UA-8295, the Nokia DA-8250 or the MEL BA-1402. Please help us expand this page.  Contact us
UA-8295 in cavas bag
Canvas carrying case with Philips UA-8295
Philips UA-8295/00 in canvas carrying case
UA-8295/00 with open lid
Battery compartment
UA-8295/00 seen from the rear right
Radio cable
UA-8295 short-burst terminal with PRC-77 radio
A
×
A
1 / 8
UA-8295 in cavas bag
A
2 / 8
Canvas carrying case with Philips UA-8295
A
3 / 8
Philips UA-8295/00 in canvas carrying case
A
4 / 8
UA-8295/00 with open lid
A
5 / 8
Battery compartment
A
6 / 8
UA-8295/00 seen from the rear right
A
7 / 8
Radio cable
A
8 / 8
UA-8295 short-burst terminal with PRC-77 radio

Features
The image below provides a quick overview of the controls and connections of the device. For user interaction there is a 55-button rubber keyboard and a red 32-character LED display. In the image below, the display is covered by a protective metal panel. Behind the display is a hinged metal lid – retained by two spring-loaded clips – that gives access to the battery compartment. The unit can be switched ON and OFF by means of the ON/OFF button in the upper right corner.


All connections are at the rear. There are two large spring-loaded wire terminals that allow the device to be powered by an external DC power source such as the battery of a car or a truck. In addition, there are three NF7 sockets for connection of a computer (RS422), a serial printer (RS232) and/or a (military) radio with a regular U-229 handset connection, such as the PRC-77.

When the device is in use, most of the power is consumed by the LED display, which is why it enters sleep mode when no key has been pressed for several seconds. The display has three brightness levels that can be cycled with the BRIGHT-button on the keyboard:

  • Low
    50 mA
    Suitable for operation in absolute darkness
  • Normal
    140 mA
    Normal operation during the day (default)
  • High
    320 mA
    Operation in bright sunlight
The table above shows the battery current for each of the brightness settings. In all cases, the hinged lid above the display should be tilted in such a way that it blocks direct sunlight. It also prevents the display being visible to the enemy, which might reveal the operator's position.

Versions
  • UA-8295/00
    Standard version with DES and 32 character LED display
  • UA-8295/00
    Same version but with NSA-developed SBT Algorithm 1
  • UA-8295/06
    Arabic version with 329 x 20 pixel dot-matrix display (LCD)
  1. Note that this variant had the same model number. Furthermore, the firmware of the weakened version had the same version number, date and checksum as the original Nokia firmware.

Features
  • Burst transmission for ECCM
  • RS-422 interface to computer for Command & Control applications
  • RS-232 interface to printer
  • Automatic encryption/decryption of the text
  • Customisable encryption algorithm
  • KEY-entry via keyboard
  • Built-in real-time clock (RTC)
  • Automatic acknowledgment of message (ACK)
  • Built-in radio data modem (1100-2300 Hz)
  • 128.78.7 BCH error correction
  • Free-format and fixed-format messages
  • Fully immersible
Front view
Rear side with connections
UA-8295/00 seen from the rear right
Startup message
Hello world
Encrypted message
UA-8295 in canvas case, with radio cable and instruction manual
UA-8295 short-burst terminal with PRC-77 radio
B
×
B
1 / 8
Front view
B
2 / 8
Rear side with connections
B
3 / 8
UA-8295/00 seen from the rear right
B
4 / 8
Startup message
B
5 / 8
Hello world
B
6 / 8
Encrypted message
B
7 / 8
UA-8295 in canvas case, with radio cable and instruction manual
B
8 / 8
UA-8295 short-burst terminal with PRC-77 radio

NSA intervention
In 1984, the US National Security Agency (NSA) approached Philips Usfa in The Netherlands, with the request to add the Nokia DA-8520 to its product portfolio and supply it worldwide under the Philips brand to NATO and non-NATO military users. NATO customers would get the original version of the firmware from Nokia, which was based on the (strong) DES encryption algorithm.

Non-NATO customers however, would receive a version which appeared to be identical — it had the same model number — but which contained an alternative version of the firmware that had been developed by the NSA. The SBT-algorithm used in this version, is a block cipher – like DES – but has been manipulated in such a way that it can be broken with relative ease by the NSA [4].

For the user it is almost impossible to determine which version of the firmware is present in the device, as they both show the same version number on startup and carry the same date code. In addition, the NSA-developed replacement firmware has exactly the same size as the original Nokia firmware. Even for an experienced engineer it would be very difficult to tell the difference.

The device featured here came with the original (DES) firmware from Nokia, whilst the EPROMs with the NSA-developed drop-in replacement firmware (SBT) were recently obtained from an anonymous source. A full analysis of the NSA-developed SBT algorithm is currently underway.

 Analysis of the NSA-developed SBT algorithm




Interior
The interior of the device can be accessed by removing 10 inbus bolts from the bottom side of the case, after which the two case shells can be separated. The upper case shell holds the battery compartment, the display and the keyboard, whilst the PSU, the CPU and the radio modem reside in the bottom half of the case. Be careful, as the two halfs are interconnected by two flatcables.

The opened device is shown in the image above. The PSU is fitted in the rear right corner of the bottom half. It converts the battery voltage (4.8-6V) and the external DC voltage (10-30V), to stable internal +5, +6 and -6 voltages for the logic, the analog parts and the serial interfaces.

At the heart of the device are the logic circuits, built around two Intel 80C31 microcontrollers: one for the user interface and one for the radio modem. This part is shown in the image on the right. At the far right is the main 80C31 micro­controller and an NSC810 Timer & I/O expander.
  

The latter forms the interface to the keyboard and the 32-character LED display that reside in the upper case shell. At the centre is the main memory, which consists of a TC5565 SRAM (8KB) and three 27C64 EPROMs of 8KB each. The EPROMs hold the firmware and a short-form user guide.

The two EPROMs closest to the front edge of the case hold the actual firmware (version E22444), which takes little over 12KB. The third EPROM holds the texts for the on-display user guide.

To the left of the EPROMs is the second 80C31 micro­controller, which is used solely for control of the built-in Audio Frequency-Shift Keying (AFSK) radio modem shown in the image on the right. It is also known as the I/O Processor (IOP). The firmware for this micro­controller (version IOP 444) is stored in a separate 8KB EPROM (IC3), located further towards the rear of the board.
  

The AFSK modem allows the device to send and receive messages at a speed of 150 or 600 baud, 1 over narrowband (short-wave) radio channels, using in-band audio tones in the 1100-2300 Hz range. As a result, it communicates via regular voice channels and requires no modification of the radio equipment. The UA-8295/00 can be used with virtually any existing military radio set.

  1. Bits per second, or bps.

Interior
Interior Keyboard and display PCBs
Main board and PSU
Audio interface (modem)
PSU
CPU with PIOs, EPROMs and RAM
Battery compartment
C
×
C
1 / 7
Interior
C
2 / 7
Interior Keyboard and display PCBs
C
3 / 7
Main board and PSU
C
4 / 7
Audio interface (modem)
C
5 / 7
PSU
C
6 / 7
CPU with PIOs, EPROMs and RAM
C
7 / 7
Battery compartment

Restoration
When we received our UA-8295/00 in January 2022, it was in good cosmetic condition. Almost 40 years after the device was made, it was still in working condition, but suffered from a few minor issues. In a previous life, the rechargeable NiCd batteries had been leaking, which had caused severe damage to the battery compartment. Luckily, the previous owner had already removed the leaking batteries, but the contact strips and the aluminium casing were corroded.

The battery compartment was thoroughly cleaned and the contact strips were reworked, so that it is at least possible to power the unit by four D-cells again in the future. In addition, the rubber strip – on the inside of the battery lid – was replaced by a more durable one made from neoprene.

One of the spring-loaded power terminals at the rear of the device was blocked, but this was easily fixed with a little force and a drop of penetrating oil. Next, the interior of the device was inspected. It is always important to do this before powering the device after so many years of shelf storage. No leaking or shorted capacitors were found inside the device, but one of the leads to the battery compartment had a badly corroded endpoint. After replacing the nut and the revet, the unit was powered by applying 12V to the power terminals at the rear. It worked first time.

Whilst the unit was open, we took the opportunity to make dumps of the four EPROMs and store their contents for later reference. Labels at the bottom of the EPROMs confirmed that they contain version E22 of the original Nokia DA-8520 firmware, released on 30 October 1984. It is unlikely that the EPROMs were ever replaced during the device's lifetime, as they were still bound to their sockets by means of the original black nylon strings. All EPROMs are of the type 27C64 (8KB).

Problems
  • Battery compartment badly corroded
  • One power terminal blocked by corrosion
Fixed
  • Exterior cleaned
  • Battery compartment cleaned
  • Rubber strip in battery lid replaced
  • Power terminal repaired
  • One battery wire connection replaced
  • Dual-version EPROMs added
Modification
As there are two versions of the firmware with identical version numbers – the original one from Nokia and the drop-in replacement of the NSA – we wanted a means to toggle between them, so that the differences in behaviour can be observed without continuously swapping the EPROMs.


In the original design, the firmware is held in two 2764 EPROMs of 8KB each. By using double-size 27128 EPROMs of 16KB, each one can hold both firmware images, each in its own 8KB bank, as shown above. They have the same 28-pin enclosure and pin layout, with the only difference being the extra address line (A13) at pin 26 of the 27128 [d]. On the 2764 this pin is unused [c].

By connecting a 4k7 pull-up resistor from this pin to the +5V rail and a microswitch to ground, it can be used to toggle between the two images.

The practical implementation of this solution is shown in the image on the right. As we didn't want to make any modifications to the device that could not be reversed, we inserted an extra IC socket in between the existing IC socket that is already present on the board, and the 27128. From this extra socket, pin 26 has been cut off and a pull-up resistor was soldered between the remains of this pin and the +5V rail at pin 28.
  

Next, a wire was soldered to pin 26 (of the intermediate sockets) and guided to the vacant space in the rear left corner of the die-cast aluminium enclosure. In this corner is a seemingly unused screw, that can be loosened to equalise the air pressure inside the case with the world outside.

In the vacant corner, a small PCB was fitted, carrying a raised microswitch that is mounted in such a way that its actuation arm an interacts with the end of the pressure equalisation screw.

If the screw is turned all the way in – as it would normally be – it closes the switch, causing the lower memory bank to be selected. In our case, the lower bank holds the firmware image with the NSA algorithm (SBT). As soon as the screw is loosened a bit, the switch is opened and the upper memory bank is selected, which in our case holds the original Nokia firmware with DES.
  

When the case is closed, the pressure equalisation screw remains accessible from the rear. It is normally covered by the leftmost battery compartment lock, but by releasing the lock, the screw becomes visible. We are now able to demonstrate both versions of the firmware – or in fact both encryption algorithms – with just the flick of a screw. This modification is non-destructive.

Damaged battery compartment
Damage caused by leaking batteries
Battery compartment
EPROMs
Labels at the bottom of the EPROMs
Two replacements ROMs as supplied by the NSA
Two replacement ROMs
Two EPROMs with both firmware images in modified IC sockets, plus additional wiring.
Battery compartment lock in the rear left corner
Pressure equalising screw hidden behind the lock
Pressure equalising screw seen from the inside
Microswitch fitted behind the pressure equalising screw
D
×
D
1 / 12
Damaged battery compartment
D
2 / 12
Damage caused by leaking batteries
D
3 / 12
Battery compartment
D
4 / 12
EPROMs
D
5 / 12
Labels at the bottom of the EPROMs
D
6 / 12
Two replacements ROMs as supplied by the NSA
D
7 / 12
Two replacement ROMs
D
8 / 12
Two EPROMs with both firmware images in modified IC sockets, plus additional wiring.
D
9 / 12
Battery compartment lock in the rear left corner
D
10 / 12
Pressure equalising screw hidden behind the lock
D
11 / 12
Pressure equalising screw seen from the inside
D
12 / 12
Microswitch fitted behind the pressure equalising screw

Connections
Power
The UA-8295 can be powered by four 1.5V D-size battery cells, or by four 1.2V rechargeable NiCd cells. In addition it can be powered by any 10 to 30V DC source, such as the battery of a car or truck. In the latter case, the power source should be connected to the two spring-loaded terminals at the rear. Note that the + and - terminals may be swapped.   

Computer   RS422
  1. ?
  2. ?
  3. ?
  4. ?
  5. ?
  6. ?
  7. ?
Printer   RS232
  1. ?
  2. ?
  3. ?
  4. ?
  5. ?
  6. ?
  7. ?
Radio   AFSK
At the rear of the device, the rightmost socket is for connection of an external radio set (trans­ceiver), such as the PRC-77 or similar. In most cases, such radios are equipped with one or two U-229 sockets for connection of a handset. The UA-8295/xx can be connected to one of these sockets. Below is the pinout when looking into the radio socket of the UA-8295. It was measured at Crypto Museum from the supplied U-229 cable. On this cable, pins B, C and G are not wired.

  1. GND
    Ground, common
  2. ?
  3. ?
  4. MIC
    Microphone
  5. PTT
    Push-to-Talk
  6. SPK
    Speaker
  7. ?
Specifications
UA-8295/00   DES
  • Device
    Encrypted short-burst message terminal
  • Purpose
    Secure battlefield message exchange
  • Manufacturer
    Nokia
  • Reseller
    Philips Usfa
  • Model
    UA-8295/00
  • Year
    1984
  • Users
    France, Saudi Arabia
  • Encryption
    DES in OFB mode
  • Display
    32 characters LED
  • Keyboard
    55 buttons (silicone rubber)
  • Memory
    TX: 2000 + 250 characters
    RX: 2000 characters, or 8 messages
  • Firmware
    Version: E22 (28 Dec 1983 + 30 Oct 1984)
  • Interfaces
    Radio - Voice grade (150 and 600 baud)
    Printer - RS232 (50-1200 baud)
    Computer - RS422 (110-1200 baud)
  • Modem
    AFSK 1100-2300 Hz
  • Power
    10 - 30V DC
  • Batteries
    4 x 1.5V D-size cell (24h)
    4 x 1.2V NiCd rechargeable cells
  • Mains
    Adapter (option)
  • Dimensions
    297 x 222 x 72 mm
  • Weight
    3 kg
UA-8295/00   SBT
Same as UA-8295/00, but with the following differences:

UA-8295/06
Same as UA-8295/00, but with the following differences:

  • Model
    UA-8295/06
  • Year
    1986
  • Encryption
    NSA-developed SBT algorithm
  • Display
    329 x 20 pixel dot-matrix display (LCD)
    78 characters in Arabic
    80 characters in Latin
Accessories
  • Canvas carrying bag
  • Short-form instructions
  • UA-8295 operating instructions
  • Radio connection cable
  • Computer connection cable
  • Printer connection cable
  • 4 x 1.2V rechargeable NiCd D-cell
Nomenclature
  • UA-8295 (Philips)
  • Short Burst Message Terminal
  • Short Burst Terminal (SBT)
  • SBT
  • DA-8520 (Nokia)
  • BA-1402 (MEL)
Datasheets
  1. NSC810 RAM I/O Timer
    National Semiconductor. Undated.

  2. Intel 80C31 CMOS 8-bit microcontroller
    Intel Corporation. October 1995.

  3. 2764 EPROM
    ST Microelectronics, November 2000.

  4. 27128 EPROM
    ST Microelectronics, March 1995.

  5. TC5565 8KB static RAM (SRAM)
    Toshiba, undated.
Download
Documentation
  1. UA 8295 and UA 8296 Short Burst Terminals, Brochure
    Philips Usfa BV. Document No. 20.0058/E/0984, 1984. 8 pages.

  2. Secure Communication, UA-8295 burst encoder, brochure
    Philips Usfa BV. 1986. 6 pages.

  3. Short-Burst Message Terminal Type UA-8295/00, User's Manual
    Philips Usfa, August 1984.

  4. Short-Burst Message Terminal Type UA-8295/00, System description
    Philips Usfa, May 1984.

  5. Terminal de Transmission de Message de Patrouille, UA-8295/00
    September 1984. System description (French).

  6. Short-Burst Message Terminal Type UA-8295/06, User's Manual
    12 November 1985. 1

  7. UA-8295/00 instruction card
    Plastic card 230 x 110 mm. Supplied with device.
  1. We have not published this manual, as it contains hand-written notes and names of living persons.

References
  1. Reinhard Glogowski, Personal correspondence
    January 2022.

  2. Wikipedia, Sanomalaite M/90
    Retrieved July 2017.

  3. Wikipedia, Intel 8051
    Retrieved January 2022.

  4. Cees Jansen, The algorithm of the UA-8295 and UA-8296
    28 May 2021.

  5. Roland Proesch, Nokia Adaptive MSG Terminal M/90
    Technical Handbook for Radio Monitoring HF Volume II: Edition 2019. Page 103.

  6. Jane's Military Communications 1986, UA-8295 Short Burst Terminal
    ISBN 0-7106-0824-1. p. 445.

  7. Jane's Military Communications 1988, BA-1402 Burst Mesage Terminal
    ISBN 0-7106-0526-X. p. 433.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Tuesday 04 January 2022. Last changed: Tuesday, 02 April 2024 - 12:55 CET.
Click for homepage