The Empty Field That Wasn’t: GPS Broadcasts a Numbers Station
SUBFRAME 4
The Empty Field That Wasn’t: GPS, OTAD and Two Decades of Encrypted Broadcasts
What 12 million GPS special messages reveal about military rekeying on a public channel.
STEVEN J. MURDOCH, UNIVERSITY COLLEGE LONDON
Cold War shortwave numbers stations broadcast strings of digits to anonymous listeners, content that’s meaningless to anyone without a matching one-time pad. They still operate today. As it turns out, GPS broadcasts in much the same way. Buried in every L1 C/A navigation message is Subframe 4, Page 17—a 176-bit field that IS-GPS-200 reserves for “special messages with the specific contents at the discretion of the Operating Command.” Every satellite broadcasts it. Every receiver decodes the subframe that contains it. And for nearly two decades, no one has publicly explained what it contains.
We analyzed 12.16 million observations of this field from 2007 through early 2026. The content is not text. It is encrypted material consistent with the military’s Over-the-Air Distribution (OTAD) global rekeying network. For 19 years, every operational GPS satellite has been a numbers station—broadcasting ciphertext on a public channel, to billions of receivers, in plain sight. If you build receivers, write firmware, run signal monitoring, or care about the gap between civil and military signal transparency, this is your field too. You just have not been reading it.
176 Bits, Eight Words, One Forgotten Page
The L1 C/A signal carries 50 bits per second, so every bit must earn its place. The Legacy Navigation message organizes those bits into 1,500-bit frames, each frame into five 300-bit subframes, each subframe into ten 30-bit words. Subframes 1 to 3 carry the heavy work—clock corrections, ephemeris, the data your receiver needs every few seconds. Subframes 4 and 5 each cycle through 25 pages, one page per frame, so a receiver sees Page 17 of Subframe 4 once every 12.5 minutes. Across 32 satellites, that is roughly 3,700 special-message payloads per day, fleet-wide.
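To make that layout concrete, here is an added Python example (not code from the article, nor from the Julia pipeline it describes) that places a 22-character message into the data words of Subframe 4, Page 17, extracts it again, and computes the fleet-wide daily count from the frame timing above. It assumes the receiver has already checked parity and hands over the 24 data bits of each word, that SV ID 55 is the Page 17 identifier and 1 the legacy data ID, and the sample message is constructed.

```python
"""Pack and unpack the 176-bit special message of L1 C/A Subframe 4, Page 17.

Layout assumed here (legacy navigation message, IS-GPS-200):
  * ten 30-bit words per subframe; this example takes each word as its
    24 data bits (MSB first) with parity already checked and stripped,
    so the receiver's parity stage is out of scope;
  * words 1-2 are TLM and HOW and carry no message bits;
  * word 3 = 2-bit data ID, 6-bit SV ID (page identifier), 16 message bits;
  * words 4-9 = 24 message bits each;
  * word 10 = 16 message bits, 6 reserved bits, 2 non-information bits.
  16 + 6 * 24 + 16 = 176 bits = 22 eight-bit characters.
"""

PAGE17_SVID = 55            # SV ID that identifies Subframe 4, Page 17 (assumed)
LNAV_DATA_ID = 1            # data ID of the legacy NAV structure (assumed)
MSG_BITS = 176
MSG_CHARS = MSG_BITS // 8   # 22
WORD_MASK = (1 << 24) - 1

FRAME_SECONDS = 30          # 1,500 bits at 50 bit/s
PAGES_PER_SUBFRAME = 25     # subframes 4 and 5 rotate through 25 pages


def extract_special_message(words):
    """Return the 22-byte special message carried by words 3-10.

    `words` is a list of ten ints, each holding the 24 data bits of one word.
    Raises ValueError if the subframe is not a Page 17.
    """
    if len(words) != 10 or any(not 0 <= w <= WORD_MASK for w in words):
        raise ValueError("expected ten 24-bit data words")
    svid = (words[2] >> 16) & 0x3F                 # bits 3-8 of word 3
    if svid != PAGE17_SVID:
        raise ValueError(f"not Subframe 4 Page 17 (SV ID {svid})")
    bits = words[2] & 0xFFFF                       # last 16 bits of word 3
    for w in words[3:9]:                           # words 4-9, 24 bits each
        bits = (bits << 24) | w
    bits = (bits << 16) | (words[9] >> 8)          # first 16 bits of word 10
    return bits.to_bytes(MSG_CHARS, "big")


def build_page17(message, data_id=LNAV_DATA_ID):
    """Inverse of extract_special_message: place a 22-byte message into ten
    24-bit data words. TLM and HOW (words 1-2) are left as zero placeholders
    because they are not part of the message field."""
    if len(message) != MSG_CHARS:
        raise ValueError(f"message must be exactly {MSG_CHARS} bytes")
    bits = int.from_bytes(message, "big")
    word10 = (bits & 0xFFFF) << 8                  # message bits lead word 10
    bits >>= 16
    words_4_to_9 = [(bits >> (24 * i)) & WORD_MASK for i in reversed(range(6))]
    bits >>= 144
    word3 = (data_id << 22) | (PAGE17_SVID << 16) | (bits & 0xFFFF)
    return [0, 0, word3] + words_4_to_9 + [word10]


def page17_payloads_per_day(satellites=32):
    """Page 17 payloads the fleet broadcasts per day: each satellite repeats
    the page once per 25-frame cycle (750 s, i.e. 12.5 minutes)."""
    cycle_seconds = FRAME_SECONDS * PAGES_PER_SUBFRAME
    return satellites * 86400 / cycle_seconds      # 3686.4 for 32 satellites


if __name__ == "__main__":
    sample = b"CONSTRUCTED SAMPLE 22C"             # constructed, exactly 22 bytes
    words = build_page17(sample)
    print([f"{w:06X}" for w in words])
    print(extract_special_message(words))
    print(f"{page17_payloads_per_day():.1f} Page 17 payloads/day fleet-wide")
```

The round trip is the useful part: a receiver or log parser that gets the word boundaries wrong by even one bit will still produce 22 bytes, so checking `extract_special_message(build_page17(m)) == m` on a known message is the cheapest way to validate an extractor before pointing it at years of archived navbits.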
Mining 19 Years of Navbits
The corpus comes from the GFZ Potsdam open archive of GNSS recordings, collected from a wide network of ground stations and dating back to 2007. After extraction, the numbers settle: 12.16 million observations of Subframe 4, Page 17, drawn from every operational PRN, spanning 19 years, yielding 3,994 unique 176-bit messages. Initial Python implementations needed hours to process a single year. To make iterative analysis practical, we wrote a Julia pipeline: NetCDF source files are converted to Apache Arrow, and the bits are then extracted in parallel across threads into a DuckDB database. The full 19-year corpus extracts in seconds on a laptop.
It Is Not Text. It Never Was.
The first thing a researcher tries in an unknown field is the obvious one: maybe it is text in a different encoding. We computed the frequency of each of the 45 alphabet symbols defined by IS-GPS-200 across all 12.16 million observations. In English, frequencies have a fingerprint—E and T are common, J and Z are rare, spaces and full stops are more common than digits. In a random or encrypted stream, the distribution is flat. Our analysis confirmed the latter: the data is high-entropy, consistent with ciphertext.
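The frequency test described above, as an added Python example that is not the article's own analysis code. It runs the same two checks over sets of 22-byte messages: whether the bytes stay inside the allowed character table at all, and whether their distribution has the skew of natural language or the flatness of ciphertext. The 45-symbol alphabet is an assumed stand-in for the IS-GPS-200 table (same size, not the authoritative list), and both the English-like text and the random "ciphertext" are constructed inputs.

```python
"""Symbol-frequency test: does a set of 22-byte special messages look like
text in a restricted alphabet, or like a flat (high-entropy) stream?"""
import math
import random
from collections import Counter

MSG_CHARS = 22

# Assumed stand-in for the IS-GPS-200 special-message character table. The
# real table is not reproduced here; this set only matches the size the
# article quotes (45 symbols): letters, digits, space, eight punctuation marks.
ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 +-./:<=>")

# Constructed English-like sample text (uppercase, alphabet-restricted).
SAMPLE_TEXT = (
    "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG. THIS IS A CONSTRUCTED "
    "PLACEHOLDER MESSAGE USED ONLY TO SHOW WHAT A TEXT FREQUENCY PROFILE "
    "LOOKS LIKE: E AND T ARE COMMON AND J AND Z ARE RARE AND SPACES "
    "OUTNUMBER DIGITS SUCH AS 1 OR 2 OR 3 BY A WIDE MARGIN. "
).encode("ascii") * 20


def split_messages(payload):
    """Cut a byte string into complete 22-byte messages (tail dropped)."""
    return [payload[i:i + MSG_CHARS]
            for i in range(0, len(payload) - MSG_CHARS + 1, MSG_CHARS)]


def random_messages(count, seed=20260101):
    """Constructed ciphertext-like messages: uniformly random bytes from a
    fixed seed, standing in for what an encrypted stream looks like."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(MSG_CHARS))
            for _ in range(count)]


def symbol_frequencies(messages):
    """Count every byte value across all messages."""
    counts = Counter()
    for m in messages:
        counts.update(m)
    return counts


def entropy_bits(counts):
    """Shannon entropy per symbol; 8.0 is the ceiling for eight-bit symbols."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def in_alphabet_fraction(counts):
    """Share of symbols inside the allowed character table. Text stays at
    1.0; uniformly random bytes land near 45/256, roughly 0.18."""
    total = sum(counts.values())
    return sum(c for b, c in counts.items() if b in ALPHABET) / total


def classify(messages, max_text_entropy=5.5, min_alphabet_share=0.99):
    """'text-like' only if the stream respects the alphabet *and* has the
    skewed frequency profile of language; otherwise 'ciphertext-like'."""
    counts = symbol_frequencies(messages)
    if (in_alphabet_fraction(counts) >= min_alphabet_share
            and entropy_bits(counts) <= max_text_entropy):
        return "text-like"
    return "ciphertext-like"


TEXT_MESSAGES = split_messages(SAMPLE_TEXT)
CIPHER_MESSAGES = random_messages(500)


if __name__ == "__main__":
    for name, msgs in (("text", TEXT_MESSAGES), ("random", CIPHER_MESSAGES)):
        counts = symbol_frequencies(msgs)
        top = "".join(chr(b) if b in ALPHABET else "?"
                      for b, _ in counts.most_common(5))
        print(f"{name:6s} entropy={entropy_bits(counts):.2f} bits/symbol "
              f"in-alphabet={in_alphabet_fraction(counts):.3f} "
              f"top5={top!r} -> {classify(msgs)}")
```

The alphabet check is the stronger of the two on a field like this one: text in a 45-symbol table cannot produce the other 211 byte values, so a single out-of-table byte per message already rules out plain encoding. The entropy figure then separates "text in some unknown table" from a stream with no usable skew at all, which is the signature the article reports.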