Click for homepage
DSP-9000
EDT voice scrambler

DSP-9000 is an Enhanced Domain Transform (EDT) voice scrambler, 1 developed around 1993 by Technical Communications Corporation (TCC) in Concord (MA, USA). As the device works within the 3 kHz audio passband, it is suitable for communication over HF, VHF and UHF radio networks.

The device is housed in a green rugged die-cast aluminium enclosure that measures 280 x 215 x 88 mm and weights 2.7 kg. All connections and controls are at the front panel, with a hinged keypad covering the Liquid Crystal Display (LCD).

The device is available in a number of variants, such as a base station, a handset and as an embeddable module, and could be modified for a wide variety of military HF transceivers. The device shown here is the base station variant, which in this case is suitable for connection to the Transworld RT-7000 HF transceiver.
  
DSP-9000 with open control panel

DSP-9000 units were typically used in South-American countries, but also in (neutral) Austria. In 2007, 2009 and 2013 it was announced that Afganistan's military had placed large orders for DSP-9000 equipment for its radio networks. The order consisted of handsets and implant boards, that would be supplied through Datron World Communications Inc., which also supplied the radio equipment itself to the Afgan forces [1][2]. The DSP-9000 was still available for sale in 2022 [1].

  1. Although on its website, TCC promotes the DSP-9000 as a voice encryption device, it is in fact a voice scrambler, albeit a sophisticated one.

DSP-9000 with closed control panel
DSP-9000 with open control panel
Front view
Front panel
Collapsable keypad
Connections
Selectors
Model and serial number
A
×
A
1 / 8
DSP-9000 with closed control panel
A
2 / 8
DSP-9000 with open control panel
A
3 / 8
Front view
A
4 / 8
Front panel
A
5 / 8
Collapsable keypad
A
6 / 8
Connections
A
7 / 8
Selectors
A
8 / 8
Model and serial number

Features
The image below provides an overview of the controls and connections at the front panel of the DSP-9000. At the top left is a regular US/NATO receptacle for connection of a handset, headset or other type of microphone/speaker combination. To its right is a 19-pin receptacle that carries the red and black interfaces plus the interface for an (optional) remove control unit. It should be connected to the external military transceiver, which in this case was a Transworld RF-7000.

Click to see more

At the right are two rotary MODE selectors. The upper one acts as the power switch. It has four positions and selects between PLAIN, Secure (CIPH) and Command (CMD) modes. The other one has three positions, one of which (SYNC) is momentary. It is used to synchronise the equipment at the beginning of a transmission. At the centre are the Liquid Crystal Display (LCD), which can be covered by a hinged 24-button keypad. To the left of the LCD is a 9-pin D-sub socket for connection of a key loader. Above the socket is an LED indicator for the audio level.

Versions
  • DSP-9000 Base
    Base station (shown here)
  • DSP-9000 HS
    Handset
  • DSP-9000
    Implant board
Algorithm
TCC is particularly vague about the exact technology it uses for securing speech. In the brochure it is claimed that the device features an Enhanced Domain Transform (EDT) algorithm, controlled by a highly non-linear digital key stream generator [A]. Each group of devices has a fixed internal System Key, which is different for each customer. In addition, TCC also offers tools for algorithm customisation, suggesting that the customer has some control over the algorithm. Unfortunately, the manufacturer does not explain what EDT is and gives no details about the key generator.

Although the device is digitally controlled — the key stream is generated digitally, and processing is done in the digital domain — the nature of the device is analogue. Voice data is digitised and then transformed using three different DSP-based techniques, after which it is converted back to the analogue domain (audio). The resulting signal has the same 3 kHz bandwidth as the orginal voice signal which means that it can be transmitted over existing narrow-band radio channels.

The 6 patent applications listed at the back of the device are not very helpful either. They all refer to older techniques of which it is doubtful that they are used in the DSP-9000. Furthermore, one of them (3,691,414) is clearly a misprint as it refers to an unrelated subject. The last one is from 1981 and describes a two-dimensional scrambler that operates in the frequency and time domain (F/T). This technology is also used by other manufacturers and is known to be vulnerable.

As with any voice scrambler, the fact that the keystream is highly non-linear and that digital processing techniques are used in the scrambling process, doesn't mean that it is secure.

PLEASE HELP — If anyone has further information about the processing techniques and/or the key generator used in the DSP-9000, we would be delighted to hear from you. We would also like to know whether (and if so, how) this device has been broken.  Contact us

Interior
The interior of the device can be accessed by loosening the four long bolts at the corners of the rear panel, after which the case shell can be removed. This reveals the interior, which consists of a front panel and one or two printed circuit boards (PCBs) that are plugged into the front panel. It is currently unknown whether the second board is mission or optional (e.g. for duplex operation).

The board is built around a Motorola DSP56001 digital signal processor (DSP) with 8KB of static RAM (SRAM) and firmware in three EPROMs. In addition there is a custom chip made by Actel, which is actually a one-time programmable (OTP) Field Programmable Gate Array (FPGA). The unit is controlled by a Z80 microprocessor with 32KB SRAM and firmware in a single EPROM. As timing is critical, a highly accurate 4 MHz temperature compensated crystal oscillator (TCXO) is present.

The cryptographic keys for the internal key generator, and several other parameters are kept in SRAM memory and are retained by a lithium battery that is located at one of the corners of the board (the part with the yellow label). Next to this backup battery is a so-called tamper switch, which ensures that the keys are purged as soon as the case is opened.

Restoration
At present we are unable to test this device as we have insufficient information about the connections at the front panel. Furthermore, we do not know whether or not a second PCB is required in the upper slot of the front panel PCB. Any further information would be appreciated.

Enclosure removed
DSP-9000 interior
Main board slotted into the front panel PCB
Min board and front panel
Main board
Motorola DSP 56001
Backup battery and tamper switch
Analogue interface
B
×
B
1 / 8
Enclosure removed
B
2 / 8
DSP-9000 interior
B
3 / 8
Main board slotted into the front panel PCB
B
4 / 8
Min board and front panel
B
5 / 8
Main board
B
6 / 8
Motorola DSP 56001
B
7 / 8
Backup battery and tamper switch
B
8 / 8
Analogue interface

Events
  • 1992
    First development of DSP-9000
  • 1993
    Introduction of DSP-9000 line
  • 2007
    Embedded in radio equipment for Afgan forces
  • 2009
    $10 million order for Afgan forces
  • 2013
    Order for DSP-9000 equipment for Afgan forces
Connections
Handset
The DSP-9000 has a standard 6-pin socket, located at the top left of the front panel, for connection of a handset or headset. It is wired to the American U-229 standard.

  1. GND
  2. Speaker
  3. PTT
  4. Microphone
  5. Unused
  6. Unknown
Radio
Also at the left of the front panel is a 19-pin receptacle for connection of the radio equipment. It contains the wiring for the red interface (unencrypted) and the black interface (encrypted). This receptacle also allows the connection of a remote control unit. The wiring is currently unknown.

  1. ?
Key fill
To the left of the display, behind the hinged keyboard, is a 9-pin female DE-9S receptacle for connection of a proprietary key fill device. The wiring of this connector is currently unknown.

  1. ?
  2. ?
  3. ?
  4. ?
  5. ?
  6. ?
  7. ?
  8. ?
  9. ?
Specifications
  • Device
    Voice scrambler
  • Model
    DSP-9000
  • Manufacturer
    TCC
  • Years
    1992 - 2022+ 
  • Country
    USA
  • Users
    Argentina, Austria, Afganistan
  • Scrambling
    Enhanced Domain Transform (EDT)
  • Response
    200 - 2800 Hz (400 to 2500 Hz minimum)
  • Key types
    Local key, Network key, System key, Initialization Vector (IV)
  • Key space
    1.54 1099 (~ 329 bits)
  • Including IV
    1.01 10104 (~ 346 bits)
  • Key storage
    Two EEPROM banks of 400 keys each
  • Key fill
    SmartModule
  • Reference
    TCXO crystal oscillator
  • Data mode
    1200 baud
  • Sync
    In-band frequency shift keying (FSK) 74-bit sync burst
  • Temperature
    -20°C to +60°C
  • Storage
    -40°C to +85°C
Key types
  • Local keys
    EEPROM
  • Network key
    EEPROM
  • System key
    EPROM
  • IV
    Generated automatically at each PTT-press
Enhanced Domain Transform   EDT
  • Cryptographically controlled
  • Three distinct DSP-based audio manipulations
  • Retains 3 kHz bandwidth
Related patents
  1. US Patent 3,610,828, Privacy Communication System
    Alfred L. Girard for TCC. Filed 23 May 1967.

  2. US Patent 3,691,464, Asynchronous swept frequency communication system 1
    David S. Dayton for TCC. Filed 25 November 1968.

  3. US Patent 3,723,878, Voice Privacy Device
    Charles K. Miller for TCC. Filed 30 July 1970.

  4. US Patent 4,195,202, Voice privacy system with amplitude masking
    Arnold M. McCalmont for TCC. Filed 3 January 1978.

  5. US Patent 4,276,652, Secure communication system with improved frequency-hopping arrangement
    Arnold M. McCalmont for TCC. Filed 2 October 1978.

  6. US Patent 4,392,021, Secure facsimile transmission system using time-delay modulation
    Matthew W. Slate for TCC. Filed 28 July 1980.

  7. US Patent 4,433,211, Privacy communication system employing time/frequency transformation
    Arnold M. McCalmont for TCC. Filed 4 November 1981.
  1. On the rear of the device, this patent is listed as 3,691,414 but this is probably a misprint as it refers to a Siemens patent for a stepper motor.

Documentation
  1. DSP-9000 Brochure
    802-26203 Rev. C. TCC, 213.

  2. DSP-9000 Technical specifications
    802-26204 Rev. C. TCC, 2013.
References
  1. TCC website, DSP 9000 Secure Radio Encryption
    Visited 4 AUgust 2022.

  2. UPI, TCC radio encryption for Afganistan
    Defense News, 11 October 2013.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Thursday 04 August 2022. Last changed: Monday, 06 March 2023 - 09:01 CET.
Click for homepage