Click for homepage
USA
TCC
Scrambler
  
DSP-9000
EDT voice scrambler

DSP-9000 is an Enhanced Domain Transform (EDT) voice scrambler, 1 developed around 1991 by Technical Communications Corporation (TCC) in Concord (MA, USA). It's improved minia­turised version of its predecessor – CSD-909 – built with DSP technology. As the device works within the 3 kHz audio passband, it is suitable for communication over HF, VHF and UHF radio networks.

The device is housed in a green rugged die-cast aluminium enclosure that measures 280 x 215 x 88 mm and weights 2.7 kg. All connections and controls are at the front panel, with a hinged keypad covering the Liquid Crystal Display (LCD).

The device is available in a number of variants, such as a base station, a handset and as an embeddable module, and could be modified for a wide variety of military HF transceivers. The device shown here is the base station variant, which in this case is suitable for connection to the Transworld RT-7000 HF transceiver.
  

DSP-9000 units were typically used in South-American countries, but also in (neutral) Austria. In 2007, 2009 and 2013 it was announced that Afganistan's military had placed large orders for DSP-9000 equipment for its radio networks. The order consisted of handsets and implant boards, that would be supplied through Datron World Communications Inc., which also supplied the radio equipment itself to the Afgan forces [1][2]. The DSP-9000 was still available for sale in 2024 [1].

  1. Although on its website, TCC promotes the DSP-9000 as a voice encryption device, it is in fact a voice scrambler, albeit a sophisticated one.

DSP-9000 with closed control panel
DSP-9000 with open control panel
Front view
Front panel
Collapsable keypad
Connections
Selectors
Model and serial number
A
×
A
1 / 8
DSP-9000 with closed control panel
A
2 / 8
DSP-9000 with open control panel
A
3 / 8
Front view
A
4 / 8
Front panel
A
5 / 8
Collapsable keypad
A
6 / 8
Connections
A
7 / 8
Selectors
A
8 / 8
Model and serial number

PLEASE HELP — We are still looking for user manuals and technical manuals of his device. If anyone has further information about this device, or has documentation that is not listed here, or wants to share stories about the use of the device, please contact us.
Models
Model P/N Description Price 1
DSP-9000 HD 401-24259 Base/mobile version, with radio connector at the front 11,287
DSP-9000 RC 401-24259-06 Same, but with radio connector at the rear 2 11,287
DSP-9000 HS ? Handset version 6,745
DSP-9000 IB ? Implant board (embeddable version) ?
  1. Prices in US$, taken from Datron GSA pricelist, March 2019.
  2. The serial number label identifies it as DSP-9000 HD, but it is in reality a DSP-9000 RC.

DSP-9000 HD
The image below provides an overview of the controls and connections at the front panel of the DSP-9000. At the top left is a regular US/NATO receptacle for connection of a handset, headset or other type of microphone/speaker combination. To its right is a 19-pin receptacle that carries the red and black interfaces plus the interface for an (optional) remote control unit. It should be connected to the external military transceiver, which in this case was a Transworld RF-7000.


At the right are two rotary MODE selectors. The upper one acts as the power switch. It has four positions and selects between PLAIN, Secure (CIPH) and Command (CMD) modes. The other one has three positions, one of which (SYNC) is momentary. It is used to synchronise the equipment at the beginning of a transmission. At the centre are the Liquid Crystal Display (LCD), which can be covered by a hinged 24-button keypad. To the left of the LCD is a 9-pin DE-9 socket for connection of a key loader. Above the socket is an LED indicator for the audio level.

DSP-9000 RC
The DSP-9000 RC model uses the same chassis as the DSP-9000 HD. The major difference is the lack of a RADIO connector at the front panel and the addition of a remote control head at the rear. It make the RC model 5 cm longer and provides the RADIO connector at the rear. Further­more, two LEDs have been added to the front panel: one for PLAIN and one for CIPHER mode.


The image above shows the DSP-9000 RC with its hinged keypad open and a regular H-250/U handset connected to the U-229 audio connector at the front. A SmartModule (SM) is installed in the 9-pin DE-9 socket to the left of the Liquid Crystal Display (LCD). The SM can be used to transfer up to 200 keys and other configuration parameters to and from other DSP-9000 units.


Algorithm
TCC is particularly vague about the exact technology it uses for securing speech. In the brochure it is claimed that the device features an Enhanced Domain Transform (EDT) algorithm, controlled by a highly non-linear digital key stream generator [A]. Each group of devices has a fixed internal System Key, which is different for each customer. In addition, TCC also offers tools for algorithm customisation, suggesting that the customer has some control over the algorithm. Unfortunately, the manufacturer does not explain what EDT is and gives no details about the key generator.

Although the device is digitally controlled — the key stream is generated digitally, and processing is done in the digital domain — the nature of the device is analogue. Voice data is digitised and then transformed using three different DSP-based techniques, after which it is converted back to the analogue domain (audio). The resulting signal has the same 3 kHz bandwidth as the orginal voice signal which means that it can be transmitted over existing narrow-band radio channels.

The 6 patent applications listed at the back of the device are not very helpful either. They all refer to older techniques of which it is doubtful that they are used in the DSP-9000. Furthermore, one of them (3,691,414) is clearly a misprint as it refers to an unrelated subject. The last one is from 1981 and describes a two-dimensional scrambler that operates in the frequency and time domain (F/T). This technology is also used by other manufacturers and is known to be vulnerable. As with any voice scrambler, the fact that the keystream is highly non-linear and that digital processing techniques are used in the scrambling/descrambling process, doesn't mean that it is secure.

How it works
Although the manufacturer does not explain how the scrambling algorithms works, some of its characteristics have meanwhile come to light. The algorithm of the DSP-9000 is virtually identical to that of the earlier CMOS based CSD-909. Although it operates solely in the analogue domain, it does have a unique property to complicate waveform analysis. The description below comes from a former expert [3] who worked with the DSP-9000 for many years and recalls the following:

Original signal shown in 3D (time, frequency, and amplitude). Each frequency band (I-VIII) is represented by a colour.

The audio frequency band is split into 8 sub-bands of 300 Hz each (I-VIII), with a guard band at either side (for simplicity not shown here). Each sub-band is then trans­posed to a 300 Hz baseband — as shown in the example below for sub-band III — after which it is sampled:

Example of how band III is transposed to the base band and then sampled.

The samples are then stored in a memory buffer in a pseudo random pattern that transposes their place in the sub-band order (i.e. the frequency domain), as well as their place in time (i.e. the time domain). In addition, some samples are stored in forward order, whilst others are reversed [3]. The pseudo random order changes continuously under control of an internal key generator (the algorithm) that is seeded with an initialization vector (IV) at the start of each transmission. The algorithm also determines how many samples are combined into a 'frame'.

Shuffling in the time domain occurs at sub-syllabic intervals to avoid recognition of (part of) words. Shuffling in the frequency domain occurs per frame in intervals of more than one second. When combining these two techniques, it becomes virtually impossible to recognise a cadance in the cipher stream, regardless of whether sentences are spoken slowly or at a higher rate.

Example of how the signal might be scrambled in the frequency and time domain (F/T). The numbers refer to the place in the frequency and time domain of the original signal.

The diagram above shows what the 2-dimensionally transposed signal may look like. Once the samples of a given interval are stored in memory, they are read out at 8× the speed in order to reconstruct the 3 kHz bandwidth of the original signal. The diagram below shows how the signal in band III — created from the samples in memory — has changed from its original shape.

Example of the new contents of band III are created from the samples in memory.


Initialization vector   IV
At the beginning of each transmission – i.e. when pressing the push-to talk (PTT) switch – an initialisation vector is sent to the DSP-9000 at the receiving end, so that both devices are synchronised and produce the same key stream. The descrambling process is just the reverse of the scrambling process described above.

Typical sound
When observing the output from a DSP-9000 device, it becomes clear that most of the energy of the signal is located in a 300 Hz segment just below 3 kHz. This is what produces the typical sound transmitted by a DSP-9000.


Block Diagram
The diagram below shows roughtly how the signal is sampled (ADC), after which the eight sub-bands are filtered, mixed (i.e. transposed), filtered again and stored in memory. The samples are then shuffled under control of a key generator (KG). Next, the samples are taken from memory, mixed (i.e. transposed to the destination sub-band), filtered, combined and converted back into and analogue signal (DAC), Note this is not built with discrete electronics as in the CSD-909 pre­decessor, but rather with firmware in a Motorola DSP56001 Digital Signal Processor (DSP).


The mixing stages — both in the input and in the output circuits — are each fed with a different fixed frequency f1 to f7, except for the baseband itself (I). In the input circuit this converts each of the sub-bands to the 300 Hz baseband. In the output circuit it transposes the individual audio channels back to the original sub-band. The mixer frequencies are assigned as follows (f):

f1 f2 f3 f4 f5 f6 f7
400 Hz 800 Hz 1200 Hz 1600 Hz 2000 Hz 2400 Hz 2800 Hz
Parts
DSP-9000 scrambler
Smart module
H-250/U Handset
Radio cable
Remote control head
Operating instructions
Scrambler   DSP-9000
The heart of the system is the actual DSP-9000 voice scrambler. The basic DSP-9000 HD model has all controls and #conn) at the front panel. It can be wired to a (military) radio set.

The DSP-9000 RC model shown in the image on the right, has the same controls, but has the RADIO connector at the rear. It allows the unit to be wired to a remote control unit, a (military) radio or an analog telephone system. It was supplied with a long break-out cable.

  

Smart module (key fill device)
The DSP-9000 comes with a so-called Smart­Module, which is housed in a 9-pin DE-9 plug. It is used for transporting and loading up to 200 Local Keys or other DSP-9000 configuration data. It is also known as a key transfer device.

The Smart­Module should be connected to the DE-9 socket at the front panel of the DSP-9000. Note that the keyboard must be opened before the module can be installed. It can be removed once the keys have been transferred.

  

Handset   H-250/U
The DSP-9000 HD and RC models can be used with virtually any regular handset with U-229 connector. Such handsets usually have a dynamic microphone.

It is also possible to use handsets with a carbon or an electret microphone, but this requires the microphone bias feature to be enabled first. This is done from the device's menu.

 Pinout of the handset connector

  

Radio cable
The DSP-9000 can be connected to most types of (military) radio by means of a suitable radio cable. Such cables are usually customised for a particular radio type. The cable shown in the image on the right is a universal one that can be made to work with virtually any type of radio or (analog) telephone set.

The cable should be connected to the RADIO connector at the front panel of the DSP-9000 HD or, in case of the DSP-9000 RC, at the rear.

 Pinout of the radio connector

  

Remote control head
In case the DSP-9000 is remote controlled, the device was usually supplied with a remote control head that is bolted-on at the rear. In that case the RADIO connector is missing from the front panel and is located on the add-on.

The image on the right shows the rear of a DSP-9000 RC, of which the remote control head has been separated.

 Pinout of the radio connector

  

Operating instructions
The device was supplied with a 71 page user manual in which the operation and the key loading procedure is fully explained. A quick reference guide was provided with the manual, along with installation instructions.

 User manual (English)
 User manual (French)
 Quick reference card
 Installation guide
  

Front panel
DSP-9000 RC with open keypad
Smart module
Key fill connection
Smart module installed
Smart module installed
H-250/U handset
DSP-9000/RC with H-250 handset
Handset connected toDSP-9000
Radio cable
Rear view
Radio connector at the rear of the DSP-9000/RC
Remote Control head at the rear end of the DSP-9000
Remote control head seen from the inside
User's manual
B
×
B
1 / 15
Front panel
B
2 / 15
DSP-9000 RC with open keypad
B
3 / 15
Smart module
B
4 / 15
Key fill connection
B
5 / 15
Smart module installed
B
6 / 15
Smart module installed
B
7 / 15
H-250/U handset
B
8 / 15
DSP-9000/RC with H-250 handset
B
9 / 15
Handset connected toDSP-9000
B
10 / 15
Radio cable
B
11 / 15
Rear view
B
12 / 15
Radio connector at the rear of the DSP-9000/RC
B
13 / 15
Remote Control head at the rear end of the DSP-9000
B
14 / 15
Remote control head seen from the inside
B
15 / 15
User's manual


Interior
The interior of the device can be accessed by loosening the four long bolts at the corners of the rear panel, after which the case shell can be removed. This reveals the interior, which consists of a front panel and one or two printed circuit boards (PCBs) that are plugged into the front panel. It is currently unknown whether the second board is missing or optional (e.g. for duplex operation).

The board is built around a Motorola DSP56001 digital signal processor (DSP) with 8KB of static RAM (SRAM) and firmware in three EPROMs. In addition there is a custom chip made by Actel, which is actually a one-time programmable (OTP) Field Programmable Gate Array (FPGA). The unit is controlled by a Z80 microprocessor with 32KB SRAM and firmware in a single EPROM. As timing is critical, a highly accurate 4 MHz temperature compensated crystal oscillator (TCXO) is present.

The cryptographic keys for the internal key generator, and several other parameters are kept in SRAM memory and are retained by a lithium battery that is located at one of the corners of the board (the part with the yellow label). Next to this backup battery is a so-called tamper switch, which ensures that the keys are purged as soon as the case is opened.

Restoration
At present we are unable to test this device as we have insufficient information about the connections at the front panel. Furthermore, we do not know whether or not a second PCB is required in the upper slot of the front panel PCB. Any further information would be appreciated.

Enclosure removed
DSP-9000 interior
Main board slotted into the front panel PCB
Min board and front panel
Main board
Motorola DSP 56001
Backup battery and tamper switch
Analogue interface
C
×
C
1 / 8
Enclosure removed
C
2 / 8
DSP-9000 interior
C
3 / 8
Main board slotted into the front panel PCB
C
4 / 8
Min board and front panel
C
5 / 8
Main board
C
6 / 8
Motorola DSP 56001
C
7 / 8
Backup battery and tamper switch
C
8 / 8
Analogue interface

Events
  • 1991
    First development of DSP-9000
  • 1993
    Introduction of DSP-9000 line
  • 2007
    Embedded in radio equipment for Afgan forces
  • 2009
    $10 million order for Afgan forces
  • 2013
    Order for DSP-9000 equipment for Afgan forces
Connections
Handset
The DSP-9000 has a standard 6-pin socket, located at the top left of the front panel, for connection of a handset or headset. It is wired to the American U-229 standard.

  1. GND
  2. Speaker
  3. PTT
  4. Microphone
  5. Unused
  6. ?
Radio connector/cable
At the left of the front panel (or at the centre of the rear)) is a 19-pin receptacle for connection of the radio equipment. It carries the wiring for the red interface (unencrypted) and for the black interface (encrypted), plus wiring for the connection of a remote control unit (RC). 1 The table below shows the pinout of this receptacle. Note that there are four pairs of twisted wires for the balanced in- and outputs. Each pair has a coloured wire (...H...) and a white wire (...L...). In case of a single-ended connection, the white wire of each pair (...L...) should be connected to ground. The shield of the interconnection cable (white/black wire) should also be connected to ground.

Pin Name Description Colour
A.
B.
SHI
SLI
Speaker H (in)
Speaker L (in)
green
white
C. C/P Select Cipher/Plain grey
D.
E.
MHI
MLI
Microphone H (in)
Microphone L (in)
red
white
F. SELCAL Selective call (out) violet
G.
H.
SHO
SLO
Speaker H (out)
Speaker L (out)
blue
white
J. DPI Data PTT (in) - option green
K.
L.
MHO
MLO
Microphone H (out)
Microphone L (out)
yellow
white
M. SYNC Remote sync init (in) yellow
N. PWR Power +9 to +32V (in) orange 2
P. PO PTT (out) red
R. GND Ground brown 2
S. spare unused blue
T. PI PTT (in) white
U. V/D Voice/Data brown
V. GND Ground black 2
  1. The DSP-9000-RC came with a pre-wired break-out cable of which the table shows the wire colours.
  2.  
    = Thicker wire

Smart module
To the left of the display, behind the hinged keyboard, is a 9-pin female DE-9S receptacle for connection of a proprietary smart module or a special purpose key loading device. The wiring of this connector is currently unknown.

  1. ?
  2. ?
  3. ?
  4. ?
  5. ?
  6. ?
  7. ?
  8. ?
  9. ?
Specifications
  • Device
    Voice scrambler
  • Purpose
    Voice privacy
  • Model
    DSP-9000
  • Years
    1991 - 2024+ 
  • Country
    USA
  • Manufacturer
    TCC
  • Users
    Argentina, Austria, Afganistan
  • Scrambling
    Enhanced Domain Transform (EDT)
  • Response
    200 - 2800 Hz (400 to 2500 Hz minimum)
  • Key types
    Local key, Network key, System key, Initialization Vector (IV)
  • Key space
    1.54 1099 (~ 329 bits)
  • Including IV
    1.01 10104 (~ 346 bits)
  • Key storage
    Two EEPROM banks of 400 keys each
  • FILL
    Smart Module 2K-W
  • Reference
    TCXO crystal oscillator
  • Data
    1200 baud
  • Sync
    In-band frequency shift keying (FSK) 74-bit sync burst
  • Power
    9 to 32V DC
  • Consumption
    1W (half-duplex), 2W (full-duplex)
  • Temperature
    -20°C to +60°C
  • Storage
    -40°C to +85°C
Smart module
  • Device
    Key storage/transfer device
  • Purpose
    Transfer keys to/from another DSP-9000
  • Name
    BAC Smart Module 2K-W
  • Designator
    401-24265-03 Rev. A
  • HSN code
    85437090000
Key types
  • Local keys
    EEPROM
  • Network key
    EEPROM
  • System key
    EPROM
  • IV
    Generated automatically at each PTT-press
Enhanced Domain Transform   EDT
  • Cryptographically controlled
  • Three distinct DSP-based audio manipulations
  • Retains 3 kHz bandwidth
Interoperability
  • HSE-6000
    Secure radio handset
  • CSD-3324
    Secure telephone
Known part numbers
  • 415-26533-01
    DSP-9000 RB 20 foot radio cable with power leg
  • 415-24420
    DSP-9000 RC interface cable
  • 411-26534
    DSP-9000 RB radio cable connector
  • 401-24259-06
    DSP-9000 RB/RC military voice encryptor
  • 401-25470
    DSP-9000 HS ruggedised handset encryptor
  • 401-26531
    DSP-9000 PWS AC/DC 12V/DC
  • 401-24422-02
    DSP-9000 dual rack mount RC assembly 17"
  • 401-24390-01
    DSP-9000 RC trunk mount
  • 401-26010-23
    HSE-6000 seal voice encryptor w/o mic bias
  • 401-26458-02
    Helmet interface caable set hi-gain EU, NATO
  • 415-26449-01
    HSE intercom (ICS) cable
  • 415-26052
    HSE to Smart Module cable
  • 411-26013
    HSE-6000 removable battery
  • 545-26227(-01)
    HSE-6000 vest mount pouch
  • 401-24265-03
    Smart Module 2K-W key fill device
  • 545-25486
    HSE-6000/9000 EPROM burner
  • 401-25593-04
    HSE-6000/9000 crypto management system
Related patents
  1. US Patent 3,610,828
    Privacy Communication System

    Alfred L. Girard for TCC. Filed 23 May 1967.

  2. US Patent 3,691,464
    Asynchronous swept frequency communication system 1

    David S. Dayton for TCC. Filed 25 November 1968.

  3. US Patent 3,723,878
    Voice Privacy Device

    Charles K. Miller for TCC. Filed 30 July 1970.

  4. US Patent 4,195,202
    Voice privacy system with amplitude masking

    Arnold M. McCalmont for TCC. Filed 3 January 1978.

  5. US Patent 4,276,652
    Secure communication system with improved frequency-hopping arrangement

    Arnold M. McCalmont for TCC. Filed 2 October 1978.

  6. US Patent 4,392,021
    Secure facsimile transmission system using time-delay modulation

    Matthew W. Slate for TCC. Filed 28 July 1980.

  7. US Patent 4,433,211
    Privacy communication system employing time/frequency transformation

    Arnold M. McCalmont for TCC. Filed 4 November 1981.
  1. On the rear of the device, this patent is listed as 3,691,414 but this is probably a misprint as it refers to a Siemens patent for a stepper motor.

Datasheets
  1. DSP56001 Digital Signa Processor
    Motorola, Inc., 1992. Rev. 3, 4 May 1998.

  2. Z80 Microprocessors - User Manual
    UM008011-0816. Zilog. Rev. 11, August 2016.

  3. TP3076 Programmable CODEC/Filter
    DS009758. National Semiconductor, April 1994.

  4. 75T204 Low-power DTMF Receiver
    TDK, April 2000.
Documentation
  1. DSP-9000 Brochure
    802-26203 Rev. C. TCC, 2013.

  2. DSP-9000 Technical specifications
    802-26204 Rev. C. TCC, 2013.

  3. DSP-9000 RC Installation instructions
    540-00876 Rev. A. TCC, 29 July 1991.

  4. DSP-9000 RC Operator's Card
    542-24412, Rev. A. TCC, August 1991.

  5. DSP-9000 RC, User's Manual (English)
    539-24412 Rev. A. TCC, August 1991.

  6. DSP-9000, Manuel D'Utilisation (French)
    539-24259-02 Rev. A. TCC, September 1993.
References
  1. TCC website, DSP 9000 Secure Radio Encryption
    Visited 4 August 2022, 5 May 2024.

  2. UPI, TCC radio encryption for Afganistan
    Defense News, 11 October 2013.

  3. Anonymous former expert of DSP-9000
    Personal correspondence, 5 May 2024.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Created: Thursday 04 August 2022. Last changed: Thursday, 30 May 2024 - 11:35 CET.
Click for homepage