Author: Jeff Wise

Two weeks ago, I wrote a couple of posts about the strange reboot of MH370’s satcom system that occurred shortly after the plane disappeared from primary radar, and asked if anyone could come up with a reasonable explanation. I drew attention in particular to the left AC bus, which the satcom equipment is connected to. This bus can be electrically isolated using controls located in the cockpit, and this appears to be the only way to recycle the satcom without leaving the flight deck. I suggested that there might be some other piece of equipment that the perpetrator wanted to turn off and on again by using the left AC bus, thereby causing the satcom to be recycled as an unintended side effect.

The readers rose to the occasion. Gysbreght pointed out that paragraph 1.11.2 of Factual Information states that “The SSCVR [Solid State Cockpit Voice Recorder] operates any time power is available on the Left AC transfer bus. This bus is not powered from batteries or the Ram Air Turbine (RAT).”

This is an incredibly interesting observation. Reader Oz fleshed out Gysbreght’s insight, writing to me via email:

We could isolate the Left Main AC by selecting the generator control switch to OFF and the Bus Tie switches to OFF; SATCOM is now dead.  What else happens……….the Backup generator kicks in automatically to supply the Left Transfer bus. Here’s what’s so spine chilling; if you now simply reach up and select the Backup Generator switch to OFF………..you now lose Left transfer as well.  The CVR is gone!  I couldn’t believe how easy the CVR was to isolate!
To recap;
Left Gen Control to OFF
Bus Ties to OFF (Isolate)
Left Backup Gen to OFF.
I now firmly believe your mystery reboot was Left AC power being switched back ON……….. after something that had occurred that the perp or perps didn’t want any possible evidence of on the CVR……whatever was being hidden was done by around 1822; AC back to normal.

Gysbreght notes that the Factual Information also identifies the location of the CVR as Electronic Equipment Rack, E7, in the aft cabin above the ceiling, and suggests: “Later [the perp] could have opened Electronic Equipment Rack E7, physically pulled the SSCVR power supply plug from its socket, and then gone back to the MEC to restore power to the Left AC bus.”

Oz has his own theory: “If you are thinking why the hell you would turn Left AC/Left transfer back on? Flight deck temperature control comes from these…”

There’s a precedent for a suicidal airline pilot depowering the black boxes before flying a plane into the ocean: the pilot of Silkair Flight 185 appears to have done just that before pointing the nose down and crashing in December, 1997. It’s easy to imagine Zaharie reading the accident reports and realizing he should also figure out a way to disable the CVR before implementing his suicide plan. When the moment came, near IGARI, one can imagine the veteran 777 pilot suddenly flipping various switches while the baffled newbie, Fariq, looked on.

It’s certainly an intriguing scenario, but it is not without its flaws. As Gysbreght notes, “I would expect the Captain to know that the CVR only retains the last two hours and overwrites older recordings.” So if Zaharie planned to commit suicide by flying the plane for hours into the remotest reaches of the southern ocean, he wouldn’t have needed to turn the CVR off: the portion between 17:07 and 18:25 would have been erased anyway. This is not in insurmountable problem, however. Maybe he orginally intended to crash right away, a la Silkair, but then lost his nerve.

I’m not quite ready to declare, as Gysbreght has, “Case closed,” but I have to admit that the CVR idea is fascinating. Great work, Gysbreght and Oz!

The discussion prompted by last week’s blog post raised some interesting issues that I think are worth discussing in further detail.

First, I wrote last week that “At 18:22, MH370 vanished from primary radar coverage over the Malacca Strait. Three minutes later—about the amount of time it takes the Satellite Data Unit (SDU) to reboot—the satcom system connected with Inmarsat satellite 3F-1 over the Indian Ocean and inititated a logon at 18:25:27.”

Commenter LouVilla earlier today laid out the issue with more clarity, writing:

MH370 flew out of radar range @18:22.12 UTC. All of a sudden @18:25.27 UTC, the AES sent an Login-Request to the satellite. This are 03:15 Minutes between this two events. When the AES is without power supply for a while and reboots after power is available again the AES needs approximately 02:40 Minutes to sent an Login Request (ATSB Report Page 33). 03:15 minus ~ 02:40 = ~ 35 seconds. So, the perpetrator must activated the left bus again at around 18:22.47 UTC, 35 seconds after MH370 flew out of radar range.

The close sequence of these events does, in my mind, raise the possiblity that they are connected. How would a perpetrator know that he has left radar coverage? Among the possibilites would be a) some kind of radar-energy detector (like that used by automobile speed-trap radar detectors) brought on board by the perpetrators, or b)  prior scouting by allied agents. This latter idea would be far fetched for a suicidal pilot but quite feasible for, say, Russia, which spends quite a lot of time probing the radar coverage of its NATO neighbors.

Of course the timing might just be a coincidence.

A second point I’d like to address is the idea that Zaharie or Fariq might have de-powered the satcom by isolating the left AC bus. One problem with this scenario, as I’ve previously mentioned, is that it would be difficult for a pilot to know just what else they would be taking off line in isolating the left AC bus. I later realized that I had underestimated the problem.

Continue reading The Mysterious Reboot, Part 2

In yesterday’s post I argued that the reboot of MH370’s satellite communications system at 18:25 is a key piece of evidence about what happened to the missing plane. In fact, I would go so far as to say that we should discount any scenario which cannot explain the reboot.

That being the case, I thought it would be a good idea to clarify what we do know about rebooting the satcom and discuss the implications. Right up front I’d like to emphasize that I am by no means an electronics expert and I welcome any corrections or clarifications.

First, some basic background for those who might be new to the discussion. Flight MH370 took off from Kuala Lumpur International airport at 16:42 UTC on 3/7/14 bound for Beijing. At 17:07:29, the plane sent an ACARS report via its satcom. At 17:20:36, five seconds after passing waypoint IGARI and a minute after the last radio transmission, the transponder shut off. For the next hour, MH370 was electronically dark. The next ACARS transmission, scheduled for 17:37, did not take place. At 18:03 Inmarsat attempted to forward an ACARS text message and received no response, suggesting that the satcom system was turned off or otherwise out of service. At 18:22, MH370 vanished from primary radar coverage over the Malacca Strait. Three minutes later—about the amount of time it takes the Satellite Data Unit (SDU) to reboot—the satcom system connected with Inmarsat satellite 3F-1 over the Indian Ocean and inititated a logon at 18:25:27.

The question is, by what mechanisms could MH370’s satcom have become inactive, then active again?

Continue reading The Mysterious Reboot

Until fairly recently, the default assumption about MH370 is that, based on the interpretation of satcom signals recorded by Inmarsat, the plane made a final turn to the left sometime after 18:25 UTC and flew south on autopilot before running out of fuel. This default scenario, sometimes referred to as the “ghost ship” scenario, was endorsed by both the ATSB and the Independent Group.

However, if the plane flew south in this manner and ran out of fuel, it would have been found by now, as Brock McEwen explained here recently. It was not found. Therefore the default scenario is incorrect: the plane did not make a final turn and fly straight to the south without human intervention.

At this point, only three possible scenarios still make sense for MH370:

1. As was first mooted in the June ATSB report, the plane lingered near Sumatra before flying straight or took a curving path to the south. In either case, the plane wound up intersecting the 7th arc somewhere north of Broken Ridge, beyond the current search area.
2. The plane flew straight south after a final major turn, then was hand-flown by a conscious pilot on a long glide that took it far from the 7th arc, beyond the current search area.
3. The plane did not go south at all. If this is the case, then the satellite communications system must have been compromised by hijackers who either flew the plane north to Kazakhstan or China (if only the BFO values were spoofed) or somewhere else within a huge circle encompassed by the 7th ping ring (if both BTO and BFO values were spoofed).

Each of these options has unpalatable aspects, but they’re all we’ve got.

I would argue that these unpleasant choices can be further subdivided into two categories: inside the cockpit, or outside the cockpit. By “inside the cockpit,” I mean that the airplane was controlled from the flight deck, presumably by either the captain or the first officer; by “outside the cockpit,” I mean that hijackers managed to seize control of the plane either by accessing the E/E bay or hacking in through the inflight entertainment system. The reason I feel we can make this assertion is that only one minute elapsed between the captain calmly saying “Good night Malaysia 370” and the diversion at IGARI. It’s scarcely imaginable that hijackers would have time to breach the fortified cockpit door, overcome the flight crew, and reprogram the flight management system in such a short time. So whoever took the plane had to be either on one side of the door or the other.

The first two of our three options would fall under the category of “inside the cockpit.” They present a number of difficulties: Continue reading Only Three Options Remain for MH370’s Fate

Here’s a video that niftily recapitulates 15 months of search activity into two minutes. It was produced by commenter @orion, aka Dustin Thomas.

 

by Sabine Lechtenfeld

Note: On the comment thread for “Northern Routes and Burst Frequency Offset for MH370” last week Sabine (posting under the handle @littlefoot) made a very cogent observation about the use of speculative scenarios in cases like the disappearance of MH370. She’s given me permission to reprint it here.  — JW

Note #2: Language of paragraph 3 modified per Sabine’s request –JW

Getting into a potential perp’s (or group of perps’) mind is a very worthwhile exercise. And that approach has been sorely lacking in the official search. One can argue that this is not their business; it’s the criminal investigation’s job. But even if we would have an ounce of trust in the handling of the case by the Malaysian authorities (I don’t), this argument is very flawed.

Most people agree by now that we’re looking at a crime rather than an accident or disaster (although some argue it might’ve been a combination of both: a hijack gone wrong which leads to a runaway plane).

If the evidence gathered in a preliminary investigation leads to a criminal investigation, a competent handling demands the construction of several possible scenarios featuring plausible perps who might’ve had a valid motive. The next question is how those perps could have tried to achieve their goals. Then you can revisit the available data (radar tracks, handshakes, performance limits, fuel supply, credible eyewitness accounts if there are any) and try to determine if there are any scenarios which fit the known data. If there are no plausible scenarios which fit the available data then you have to question the validity of those data. Fuel-and performance-limits are pretty unassailable. Radar tracks are already in a weaker category and need to be carefully looked at. And Victor and others have shown that the sat data most likely can be manipulated–which doesn’t mean of course that it actually happened. But such a scenario needs to be checked.

The current search has it mostly backwards. The available data were used to determine where it was physically possible for the plane to come down. That was combined with a few assumptions which are very debatable: the plane was flown solely by autopilot and came finally down because the fuel ran out. The question of who were the perps, what could’ve been their motives and how would they most likely have tried to achieve their goals was totally left out, thus leading to an impossibly large search area. And this area isn’t even especially compatible with any logical scenarios. Nor was it ever backed up by a scrap of physical evidence.

In this sense the investigation was indeed deeply flawed to begin with. I don’t blame the investigators that they had a preference for a Southern scenario–the sat data seemed to hint into that direction. But their “destination-SIO-with-autopilot-at-cruising-speed/height-terminated-by-fuel-exhaustion” scenario doesn’t make sense if we assume this was an accident. And it doesn’t make a lot of sense if we assume that we’re dealing with a crime.

The backward method–the place where the plane came down will eventually lead us to the wreckage which will then tell us what actually happened–is only practical if there is enough physical evidence to lead the investigators to a relatively narrow area of impact. As the sole approach it simply doesn’t work with MH370. There isn’t even enough evidence that the plane really crashed. Even the satellite data taken at face value only allow that conclusion if coupled with a set of unproven assumptions. So far the physical evidence doesn’t support these assumptions: no ELT signals, no wreckage and not a scrap of drifting debris after more than a year of searching in the designated areas.

by Victor Iannello

Note: Ever since the idea of spoofing was first discussed, one of the main issues has been how falsified BFO values might have been calculated. Most of assumed that the values were arbitrarily selected to suggest a flight in a generally southward direction. Here, Victor Iannello presents an ingenious suggestion: that hijackers might have altered a single parameter in the Satellite Data Unit frequency precompensation algorithm. — JW

Notice: The views expressed here are solely mine and do not representthe views of the Independent Group (IG), Jeff Wise, or any other group or individual. — VI

Summary

In previous work, paths were reconstructed for MH370 using the available radar and satellite data. Paths to the north of Malaysia were studied bymatching the measured Burst Timing Offset (BTO) data, but relaxing the constraint of matching theBurst Frequency Offset (BFO), which is appropriate if the BFOdata waseithercorrupted or misinterpreted. It was found that there are paths to the north that end at airports that could be reached with the fuel that was loaded onto MH370.In this work, the conventional interpretation of the BFO is challenged. In particular, the possibility that the operation of the SATCOM was deliberately modified so that a northern path would have the BFO signature of a southern path is studied. Some of the findings are:

• The Honeywell Thales MCS-6000 SATCOM used by MH370 hasafrequencycorrection algorithm withthe capability to correct for the Doppler shift caused by inclination of thesatellite. This is known to the official investigation team butis not generally known by independent researchers.
• The value of inclination for the Inmarsat I3F1 satellite that was broadcast by the Ground Earth Station (GES) at Perth, Australia, to be used by SATCOMs logged into the satellite, was zero. The true inclination of the satellite was around 1.65⁰. The two parameters that describe the satellite inclination, the inclination angle and the time of the ascending node, are stored in the System Table of the SATCOM in non-volatile memory, and are used by the frequency compensation algorithm.
• If an individual obtained unauthorized access to the non-volatile memory of the SATCOM, the value of the inclination used by the frequency correction algorithm could be changed from 0 to 3.3⁰, or about twice the true inclination of the satellite. With this change, the BFO signature of a northern path that satisfied the BTO data would resemble the BFO signature of a southern path that satisfied the BTO data.
• The apparent turn to the south between 18:28 and 18:40 UTC that is suggested by the measured BFO data might have been caused by a change to the inclination parameters stored in the SATCOM’s System Table during that time interval.
• The calculated values of BFO for northern paths with the inclination parameter changed to 3.3⁰match the measured BFO values with an RMS error less than 3.8 Hz. This is true for Mach numbers between 0.65 and 0.85 at FL350, with little variationin errorseen in this speed range.
• At each log-on, the inclination parameters would be reset to zero. Therefore, the BFO data associated with the log-ons at 18:25 and 00:19 UTC should be evaluated with inclination parameters set to zero. The BFO data at times between these log-ons should be evaluated with the possibility that a change was made.
• The BFO value at 00:19 matches an aircraft along the northern part of the 7tharc on the ground and stationary once the BFO is adjusted for the log-on offset seen at 16:00 UTC. This suggests that if MH370flew north, it might havesuccessfully landed.
• Researchers have identified security vulnerabilities in other SATCOMs, including backdoors and access to memory, although the MCS-6000 has not been specifically studied. The possibility of “spoofing” the BFO to disguise location has been considered before.

Read the whole report here.

Note: This paper was prepared by noteworthy independent MH370 investigator Brock McEwen, who set out to answer the timely question: has the soon-to-be-concluded search of 60,000 square kilometers of seabed in the southern Indian Ocean falsified the flight scenario proposed by the Australia Transport Safety Board and endorsed by unaffiliated researchers belonging to the Independent Group? Through extensive modeling, McEwen calculates that the search has covered more than 99 percent of the potential endpoints predicted by ATSB and IG flightpath scenarios. He concludes that “if both the Inmarsat signal data and its interpretation by search officials is valid, then the search should have turned up wreckage by now. This offers strong circumstantial evidence that either the Inmarsat data or its interpretation is invalid. Accordingly – unless search officials know something we don’t – the announced decision to spend another year searching around the improbable edges of a discredited theory (while this paper does not address surface debris, its absence likewise serves as strong Bayesian counter-evidence) is an extremely poor one.” — Jeff Wise

Executive Summary
This paper stochastically models MH370 end-of flight dynamics, and finds no evidence to support last month’s announced continuation of status quo search strategies. This finding is consistent with a documented pattern of decisions by MH370 search leaders which make no sense. A rigorous, independent audit of both the Inmarsat data’s entire chain of custody and MH370 search leadership is recommended.

Introduction
In a joint statement issued April 16, 2015, Malaysian Transport Minister Liow Tiong Lai, Australian Deputy Prime Minister Warren Truss and Chinese Transport Minister Yang Chuantang indicated the search for Malaysian Airlines Flight 370 (MH370) would continue to focus on the deep-sea search in the Southern Indian Ocean (SIO):

“Should the aircraft not be found within the current search area, ministers agreed to extend the search by an additional 60,000 square kilometres to bring the search area to 120,000 square kilometres and thereby cover the entire highest probability area identified by expert analysis,” they said in a joint statement. “Ministers recognise the additional search area may take up to a year to complete given the adverse weather conditions in the upcoming winter months.”

In committing to this extension – described graphically as a modest search zone expansion in all four directions – search leaders implicitly assume that

1. the Inmarsat data is sufficiently accurate and precise to permit interpretation by investigators AND
2. the conclusion they drew (flight to fuel exhaustion, followed by pilotless spiral to impact) is correct, YET
3. the wreckage this conclusion predicts remains outside the areas already searched by side-scan

This paper tests this hypothesis, via stochastic simulation of plausible post-fuel exhaustion flight paths.

You can read the full paper here.

 

by Victor Iannello

[Notice: The views expressed here are solely mine and do not represent the views of the Independent Group, Jeff Wise, or any other group or individual.]

Summary

Paths were reconstructed for MH370 using the available radar and satellite data. Paths to the north of Malaysia were studied by relaxing the constraint of matching the Burst Frequency Offset (BFO), which is appropriate if the BFO data was either corrupted or misinterpreted. The choice of paths was constrained by matching the Burst Timing Offset (BTO) data. Three airports were identified that are located near the 7th arc, as defined by the last BTO data point at 00:19 UTC: Kyzlorda, Almaty, and Kuqa Qiuci. The viability of each airport was determined based on fuel requirements. A fuel flow model was developed by reverse engineering performance data at Long Range Cruise (LRC) and Holding speeds, and then extrapolating the data to other speeds and temperatures.

The fuel flow model coupled with the path reconstruction model predicts that a flight ending at Kyzylorda is unlikely due to the high speeds and unfavorable headwinds. A flight ending at Almaty was deemed viable even when considering the uncertainty in the fuel consumption model. Alternatively, Boraldai Airport, which is close to Almaty Airport, is also viable. Finally, a flight ending at Kuqa Qiuci is considered possible, although the fuel margin is small. The paths to the airports are shown in Figure 1.

The possibility that the plane reached a runway at Yubileyniy was also considered. As Yubileyniy is 237 km (128 nm) beyond Kyzylorda, a landing there is predicted to be very unlikely.

Continue reading Guest Post: Northern Routes for MH370 Ending at Airports