Missing support for NMEA NavTex messages (alerts) #47

Open
mgrouch opened this issue Nov 11, 2022 · 2 comments

mgrouch commented Nov 11, 2022

Specs are here:

https://www.pentestpartners.com/security-blog/hacking-navtex-maritime-warning-messages/

Example:



Source messages look like this:

    $CRNRX,007,001,00,TD02,1,135600,27,06,2001,241,3,A,==========================*09
    $CRNRX,007,002,00,,,,,,,,,,========^0D^0AISSUED ON SATURDAY 06 JANUARY 2001.*29
    $CRNRX,007,003,00,,,,,,,,,,^0D^0AINSHORE WATERS FORECAST TO 12 MILES^0D^0AOFF*0D
    $CRNRX,007,004,00,,,,,,,,,,SHORE FROM 1700 UTC TO 0500 UTC.^0D^0A^0D^0ANORT*70
    $CRNRX,007,005,00,,,,,,,,,,H FORELAND TO SELSEY BILL.^0D^0A12 HOURS FOREC*16
    $CRNRX,007,006,00,,,,,,,,,,AST:^0D^0A^0ASHOWERY WINDS, STRONGEST IN NORTH.^0D*15
    $CRNRX,007,007,00,,,,,,,,,,^0A^0A*79

The syntax is as follows:

$CRNRX <number of lines in message>,<message identifier (B1B2B3B4)>,<line number>, <frequency>, <day of month>,<month>,<year>,<time in UTC>,<error rate> then a 2 byte XOR checksum

Preceded by ZCZC and terminated with NNNN

The Message Identifier is made up of

    B1: transmitter identity
    B2: subject indicator
    B3&B4: serial number of the subject indicator

Thanks

@mariokonrad
Owner

This doesn't look right. The NRX sentences do not fit the format. According to the format, the fields are

  1. number of messages
  2. message identifier
  3. line number
  4. etc.

Considering the first sentence: $CRNRX,007,001,00,TD02,1,...., it would suggest

  1. number of messages
  2. line number
  3. ?
  4. etc.

@mgrouch
Author

mgrouch commented Nov 12, 2022

Hmm,

From: https://usermanual.wiki/Morcom/AE1800/html



Received NAVTEX Sentence Format 
The first line of a NAVTEX message text will be output in the following format: 
$CRNRX,XXX,XXX,XX,aaXX,X,,,,,X.X,X.X,A,c-----c*hh<CR> <LF> 
 ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ 
 
① Number of sentences 001 – 999
② Sentence number 001 – 999
③ Sequential message number 00 – 99 (used to uniquely identify messages of same ID)
④ NAVTEX message ID characters (B1, B2, B3, B4)
⑤ Frequency index: 0 = not received over air, 1 = 490 kHz, 2 = 518 kHz, 3 = 4209.5 kHz
⑥ Null fields (UTC, day, month and year data characters not available. See NOTE 1.)
⑦ Total number of characters in this series of NRX sentences
⑧ Total number of bad characters
⑨ Status indication:
 ・ Status “A” = reception of NAVTEX message in correct format
 ・ Status “V” = reception of NAVTEX message in incorrect format
⑩ Message body (first line of message text characters). A forced carriage return () on screen will be replaced with an underscore ( _ ) (hex 5F) when it is output. See NOTE 2 for information on the output format for undefined ASCII characters (IEC 61162–1, paragraph 5.1.3)

The data characters in fields ④, ⑤, ⑥, ⑦, ⑧ and ⑨ are output in the first message line only; they are null fields in the subsequent message lines, as shown below.
 
$CRNRX,XXX,XXX,XX,,,,,,,,,,c-----c*hh <CR> <LF> 
 
NOTES:
1: The equipment does not have a built–in realtime clock (RTC) and does not interface with a GPS sensor. Therefore, the UTC, day, month and year data characters are output as null fields. To check message aging, an internal time reference derived from the CPU clock (24.00 MHz) by frequency division is used.
2: Undefined characters used in a displayed/stored NAVTEX message are communicated to the INS port in hexadecimal form using code delimiter (^, hex 5E) as follows:
 ・ Comma ( , ) *1: ^2C
 ・ Error character asterisk ( * ) *2: ^2A
 ・ Carriage return <CR> and line feed <LF>: ^0D ^0A
 *1: To discriminate from field delimiter
 *2: To discriminate from checksum field delimiter
 
An example INS output of a NAVTEX message is given below. 
 
(continued on next page)
AE–1800 Instruction Manual
Installation
7.4.1. Received NAVTEX Sentence Format (continued –2/2)
 
An example 518 kHz NAVTEX message text is given below. 
 
IB45 
260909 UTC MAR 07 
WWJP83 RJTD 260600 
VITAL WARNING FOR YOKOHAMA NAVTEX AREA 
260600UTC ISSUED AT 260900UTC 
COLD FRONT FROM 48N 157E TO 42N 156E 36N 
151E 30N 147E 25N 140E 
GALE WARNING WESTERN SEA OFF SANRIKU 
WITH MAX WINDS 35 KNOTS 
WARNING(NEAR GALE) EASTERN SEA OFF 
SANRIKU, NORTHERN SEA OFF KANTO, 
SOUTHERN SEA OFF KANTO, EASTERN SEA OFF 
TOKAI 
NEXT WARNING WILL BE ISSUED BEFORE 
261500UTC 
= 
 
NNNN 
 
 
The INS port output from the above message consists of 11 NRM sentences, numbered 001 through 011, (message ID = IB45, *1 total characters=426 with no corrupt characters) as follows:

$CRNRX,011,001,15,IB45,2,,,,,426,0,A,IB45^0D^0A260909 UTC  MAR  07^0D^0AWWJP83 *02
$CRNRX,011,002,15,,,,,,,,,,RJTD 260600^0D^0AVITAL WARNING FOR YOKOHAMA NAVTEX*03
$CRNRX,011,003,15,,,,,,,,,, AREA^0D^0A260600UTC  ISSUED  AT  260900UTC^0D^0ACOLD*69
$CRNRX,011,004,15,,,,,,,,,, FRONT  FROM 48N 157E T O  42N 156E  36N^0D^0A 151E  30*1F
$CRNRX,011,005,15,,,,,,,,,,N 147E 25N 140E^0D^0AGALE  WARNING WESTERN  SEA  OFF *70
$CRNRX,011,006,15,,,,,,,,,,SANRIKU ^0D^0AWITH  MAX  WINDS 35  KNOTS^0D^0AWARNING*0E
$CRNRX,011,007,15,,,,,,,,,,(NEAR GALE)  EASTERN  SEA  OFF ^0D^0ASANRIKU^2C  NORTH*0E
$CRNRX,011,008,15,,,,,,,,,,ERN  SEA  OFF  KANTO^2C^0D^0ASOUTHERN SEA OFF  KANTO*16
$CRNRX,011,009,15,,,,,,,,,,^2C  EASTERN  SEA  OFF ^0D^0ATOKAI^0D^0ANEXT  WARNING *10
$CRNRX,011,010,15,,,,,,,,,,WILL BE ISSUED  BEFORE ^0D^0A261500UTC^0D^0A =^0D^0A*07
$CRNRX,011,011,15,,,,,,,,,,^0D^0ANNNN^0D^0A *41

*1: Total characters include carriage return (CR) and line feed (LF) codes.

7.4.2.  Controlling Receiver Operation via INS (RS–422) Port 
 
To externally control receiver operation via the RS–422 port, the equipment supports 
the following command sentence (IEC 61162–1 format). Up to 10 commands will be 
stacked and executed sequentially. Using the transmitter mask and message mask, the 
user can select the station IDs and message types for message storage in the 
non–volatile memory, for message output to the RS–422 port (INS port) or to the 
RS–232C port (printer port). Message types A, B, D and L, however, cannot be rejected. 
Previous selection/rejection settings manually entered via the keypad will be changed 
accordingly. 
 
$--NRM,X,X,hhhhhhhh,hhhhhhhh*hh <CR> <LF> 
 ① ② ③ ④ ⑤ ⑥ 
 
① Device identifier (e.g. IN=INS device, AI=AIS)
② Function code: 0 to 9
  0 = request messages, 1 = set/report storage mask, 2 = set/report printer mask
  3 = set/report INS mask, 4 to 9 = reserved
③ Frequency index: 1 to 9
  1 = 490 kHz, 2 = 518 kHz, 3 = 4209.5 kHz, 4 to 9 = reserved
  CAUTION: If the index for the second receiver that is not currently selected is specified, the command will be ignored.
④ Transmitter ID mask in hex (32 bits in total)
  LSB = station A, bit 1 = station B, bit 25 = station Z, bits 26 to 32 = reserved
  To select a station, its corresponding bit should be set to “1.” To reject a station, its corresponding bit should be set to “0.”
  For example, to select only stations E, J, M and T for storage, or output to the INS or printer port, set the transmitter ID masks as follows:

    00081210 hex
    0    0    0    8    1    2    1    0     (hex)
    0000 0000 0000 1000 0001 0010 0001 0000  (binary)
           ZY XWVU TSRQ PONM LKJI HGFE DCBA  (station)

⑤ Message type mask in hex (32 bits in total):
  LSB = type A, bit 1 = type B, bit 25 = type Z, bits 26 to 32 = reserved
  To select message types only A, B, D, F and L for storage or output to the INS or printer port, set the message ID masks as follows:

    0000082B hex
    0    0    0    0    0    8    2    B     (hex)
    0000 0000 0000 0000 0000 1000 0010 1011  (binary)
           ZY XWVU TSRQ PONM LKJI HGFE DCBA  (type)

NOTE: Message types A, B, D and L must always be selected due to the relevant IMO resolution, and their corresponding bits cannot be set to “0.”
 
⑥  Checksum in hex 
  The checksum value must be calculated by the user. 
 
The current settings can be checked by a query command described in next paragraph. 
7.4.3.  Checking Current Settings via INS (RS–422) Port 
 
The equipment accepts the following query command sentence via the RS–422 port 
(INS port), and reports to the user the current B1B2 mask settings, indicating the 
status of message storage in the non–volatile memory, and message output to the INS 
port and the RS–232C port (printer port) for all frequencies. 
 
$--CRQ,NRM*hh<CR><LF>
 ① ② 
 
①  Device identifier (e.g. IN=INS device, AI=AIS) 
 
② Checksum in hex 
 
 
Example: Device identifier = IN (INS device), checksum= 3A hex 
 
$INCRQ,NRM*3A<CR><LF>
 
 
A total of nine output sentences will then be sent back to the INS device like the 
examples below. 
 
 
$CRNRM,1,1,03FFFFFF,02200EBF*32: Settings for 490 kHz, to non–volatile memory 
$CRNRM,2,1,03FFFFFF,02200EBF*31:  Settings for 490 kHz, to printer port 
$CRNRM,3,1,03FFFFFF,02200EBF*30:  Settings for 490 kHz, to INS port 
$CRNRM,1,2,03FFFFFF,02200EBF*31:  Settings for 518 kHz, to non–volatile memory 
$CRNRM,2,2,03FFFFFF,02200EBF*32:  Settings for 518 kHz, to printer port 
$CRNRM,3,2,03FFFFFF,02200EBF*33:  Settings for 518 kHz, to INS port 
$CRNRM,1,3,03FFFFFF,02200EBF*30:  Settings for 4209.5 kHz, to non–volatile memory 
$CRNRM,2,3,03FFFFFF,02200EBF*33:  Settings for 4209.5 kHz, to printer port 
$CRNRM,3,3,03FFFFFF,02200EBF*32:  Settings for 4209.5 kHz, to INS port 
 
NOTE: The above examples represent the default mask settings.

7.4.4.  Alarm Output Sentence Formats 
 
7.4.4.1.  Output Format for Alarm Being Activated 
 
An alarm output sentence like the example below will be output to the RS–422 (INS) 
port when the equipment receives an alarm NAVTEX message or if the equipment 
develops a failure or malfunction. The output will be repeatedly available at 30–second 
intervals until the alarm condition is acknowledged and reset manually by pressing 
twice*1 on the equipment or until the appropriate acknowledgement command 
(paragraph 7.4.5) is fed via the port from the INS terminal. 
 
$CRALR,,003,A,V,NAVTEX:Search and Rescue information*72<CR><LF> 
  ① ② ③ ④ ⑤ 
 
NOTE: The equipment does not use UTC as the time source, and therefore sends a null field 
in place of the time–of–alarm–condition–change field. 
 
① Local alarm number:
  001 = Navigational warning (type–A message)
  002 = Meteorological warning (type–B message)
  003 = SAR, piracy, armed robbery information (type–D message)
  004 = Receiver malfunction
  005 = Self–diagnostic test failure
  006 = General failure
② Alarm conditions:
  A = threshold exceeded (i.e. alarm condition exists)
  V = threshold not exceeded (i.e. alarm condition is non–existent)
③ Alarm acknowledgement status
  A = acknowledged
  V = unacknowledged
④ Alarm description text
⑤ Checksum
  03 = Navigational warning
  0F = Meteorological warning
  72 = SAR, piracy and armed robbery information
 
The other alarm output sentences are as follows: 
 
$CRALR,,001,A,V,NAVTEX:Navigational warning*03<CR><LF> 
$CRALR,,002,A,V,NAVTEX:Meteorological warning*0F<CR><LF> 
*1: Pressing the key once silences the audible indication alone, allowing the output sentence to continue every 30 seconds. A second keypress resets all the currently active alarms.
 
 
7.4.4.2.  Output Format for Alarm Being Acknowledged 
When active alarms are acknowledged, the following sentences will be output once: 
 
$CRALR,,001,V,A,NAVTEX:Navigational warning*03<CR><LF> 
$CRALR,,002,V,A,NAVTEX:Meteorological warning*0F<CR><LF> 
$CRALR,,003,V,A,NAVTEX:Search and Rescue information*72<CR><LF> 
 
7.4.4.3.  Output Format After Alarm Being Acknowledged 
Within one minute after the issuance of the above sentences or after the key is 
pressed twice, the following outputs will be repeated at one–minute intervals. This 
condition will continue until another alarm message is received. 
 
$CRALR,,001,V,V,NAVTEX:Navigational warning*14<CR><LF> 
$CRALR,,002,V,V,NAVTEX:Meteorological warning*18<CR><LF> 
$CRALR,,003,V,V,NAVTEX:Search and Rescue information*65<CR><LF> 
 
7.4.5. Alarm Acknowledgement 
The following command format is supported to acknowledge and reset the current 
alarm condition via the RS–422 (INS) port: 
$--ACK,003*hh<CR><LF>
 ① ② ③ 
 
①  Device identifier (e.g. IN=INS device, AI=AIS) 
② Local alarm number 
 001 = Navigational warning 
 002 = Meteorological warning 
  003 = Search and rescue (SAR) information 
③ Checksum: 
  If the device identifier is IN (INS device), for example, the above command format 
for each alarm is as follows: 
 $INACK,001*53<CR><LF> :    to acknowledge Navigational warning 
 $INACK,002*50<CR><LF> :    to acknowledge Meteorological warning 
 $INACK,003*51<CR><LF> :    to acknowledge SAR information 
 
7.4.6.  Proprietary Sentence (Switching 2nd Receiver Frequency) 
The following command (IEC 61162–1 proprietary format sentence) is used to externally switch the second receiver frequency between 490 kHz and 4209.5 kHz:

$PJMCR,0,1*hh<CR><LF>
  ① ② ③ 
① Receiver index: 
  0 = Second receiver 
  1 to 9 = Reserved 
②  Receive frequency index: 
  1 = 490 kHz 
  2 = Not assigned 
  3 = 4209.5 kHz 
③ Checksum: 
  See the examples below. 
 
Examples: 
To switch the frequency, an INS device should send the following command sentences to the equipment via the RS–422 port:
・ Switching to 490 kHz: $PJMCR,0,1*47<CR><LF>
・ Switching to 4209.5 kHz: $PJMCR,0,3*45<CR><LF>
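
The NRX layout quoted from the AE–1800 manual above (13 data fields, XOR checksum, `^HH` escapes), as an added example that is not part of the issue thread and is not marnav code: a strict C++ parser for one NRX sentence. `NrxLine` and `parse_nrx` are hypothetical names, and rejecting decoded bytes other than printable ASCII, CR and LF is this example's own policy, not a rule from the manual.

```cpp
// Added example, not marnav code. NrxLine and parse_nrx are hypothetical names.
#include <cctype>
#include <string>
#include <vector>

struct NrxLine {
    int total = 0;     // field 1: number of sentences, 001-999
    int number = 0;    // field 2: sentence number, 001-999
    std::string id;    // field 4: B1B2B3B4, null after the first sentence
    std::string body;  // field 13 with ^HH escapes decoded
};
static bool is_hex(char c) { return std::isxdigit(static_cast<unsigned char>(c)) != 0; }
// Field of exactly three decimal digits; -1 for anything else.
static int three_digits(const std::string& s) {
    if (s.size() != 3) return -1;
    for (char c : s) if (c < '0' || c > '9') return -1;
    return std::stoi(s);
}
// Input: one sentence with the trailing <CR><LF> already stripped.
// On a false return the contents of 'out' must be ignored.
bool parse_nrx(const std::string& s, NrxLine& out) {
    const std::size_t star = s.rfind('*');  // a '*' in the text arrives as ^2A
    if (s.empty() || s[0] != '$' || star == std::string::npos || star + 3 != s.size() ||
        !is_hex(s[star + 1]) || !is_hex(s[star + 2])) return false;
    unsigned long sum = 0;                  // XOR of every byte between '$' and '*'
    std::vector<std::string> f(1);
    for (std::size_t i = 1; i < star; ++i) {
        sum ^= static_cast<unsigned char>(s[i]);
        if (s[i] == ',') f.emplace_back(); else f.back() += s[i];
    }
    if (sum != std::stoul(s.substr(star + 1), nullptr, 16)) return false;
    // Address field plus the 13 data fields of the manual's layout.
    if (f.size() != 14 || f[0].size() != 5 || f[0].compare(2, 3, "NRX") != 0) return false;
    out = NrxLine();
    out.total = three_digits(f[1]);
    out.number = three_digits(f[2]);
    out.id = f[4];
    if (out.total < 1 || out.number < 1 || out.number > out.total) return false;
    const std::string& b = f[13];
    for (std::size_t i = 0; i < b.size(); ++i) {
        unsigned long v = static_cast<unsigned char>(b[i]);
        if (b[i] == '^') {                  // ^HH: exactly two hex digits must follow
            if (i + 2 >= b.size() || !is_hex(b[i + 1]) || !is_hex(b[i + 2])) return false;
            v = std::stoul(b.substr(i + 1, 2), nullptr, 16);
            i += 2;
        }
        // Policy of this example: only printable ASCII, CR and LF get through.
        if ((v < 0x20 || v > 0x7E) && v != 0x0D && v != 0x0A) return false;
        out.body += static_cast<char>(v);
    }
    return true;
}
```

Reassembly across sentences (matching `total`, consecutive `number`, and the character count from the first sentence) would sit on top of this per-sentence check.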

