De-scrambling Midian TVS-2 rolling code?

Status
Not open for further replies.

Fried

Member
Joined
Feb 18, 2005
Messages
2
Greetings all!

I work for a two-way radio company in Johannesburg, South Africa.
We have a big customer who uses the Midian TVS-2 Micro and Icom voice scrambling product in Icom F110's and Motorola GM350's.
See:
http://www.midians.com/html/products.asp?cat=Rolling+Code+Voice+Scramblers

We experience problems with units randomly muting, where switching the mobile off & on resets the muting.
These scramblers can be remotely stunned (OTA), and they claim that their units are being hacked/phreaked. Sometimes the entire fleet mutes simultaneously (although this is still to be witnessed by our staff).

I know they have a rather pissed-off ex-employee who may be doing something, and am wondering if anyone is aware of any de-scrambling/hacking/phreaking method/device for the Midian scramblers?

 

SAR923

Active Member
Joined
Dec 19, 2002
Messages
1,514
I would suggest that you contact Midian and ask them the question. If you can establish your business relationship and need to know with them, I'm sure they would be glad to help. Posting anything about defeating encryption methods is of questionable legality in the US and, even if it wasn't, it would only give more information to the person you think is causing your problem.
 

Fried

Member
Joined
Feb 18, 2005
Messages
2
even if it wasn't, it would only give more information to the person you think is causing your problem.

Good point....

I'll get onto Midian - in the meantime, if anyone does know of any leads in this arena, please PM me...

regards

Chris
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,952
Midian TVS-2

I hate to say this, but Midian TVS-2 scramblers are not too good. You would think with 6-12 hops per second (each hop being a few hundred cycles in length) that your comms would be secure from determined listeners? WRONG! I had purchased an Ericsson Monogram with the TVS-2 installed for test purposes about a year ago. I was able to crack it in real time. I then got in touch with the company (Midian) and their engineer, Barry Bine, sent me a TVS audio sample. The sample he sent me took me a little longer to crack. I was able to get 4 words by just running it through a fixed inversion hardware device. The rest was recovered by using signal analysis software. The file Midian sent me was the TVS-2 in advanced mode (13-25 hops per second). If this customer who bought these modules has the units programmed in standard mode, you will be pleased to know they are breakable in real time with the Ramsey SS-70. However, if they are programmed in advanced mode, you are generally SOL unless you spend a few hundred bucks on some software. The Ramsey SS-70 will also crack Transcrypt's 410 Medium security scrambler (hops once per second).
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,952
On a further note: I believe hopping scramblers spend too much time on one inversion frequency and they tend to hop around one point and stay there. For instance, the Ramsey unit inverts around 3000 Hz. To recover a signal that has been inverted, one need not have the exact frequency used to recover it. Close enough is good enough. The recovered voice may not sound like the speaker, but you can clearly hear what is being said. For example, if a scrambler hopped like this: 3000 Hz, 3300 Hz, 2900 Hz, 2800 Hz, 3300 Hz, 3600 Hz, a unit that inverts around 3000 Hz would be able to descramble that without ever changing the inversion frequency on the descrambler.
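
Added example, not part of the thread or any vendor's code: a pure-Python model of an ideal inversion stage that measures where a test tone lands when the receiver stays at 3000 Hz while the transmitter follows the hop sequence quoted in the post above, which is what a hop-plan review needs to know. The sample rate, filter length and 1 kHz test tone are assumptions chosen for the illustration.

```python
import math

FS = 16000   # sample rate in Hz (assumption)
TAPS = 129   # low-pass FIR length (assumption)
HOPS = [3000, 3300, 2900, 2800, 3300, 3600]  # hop sequence quoted in the post

def tone(freq, n=800):
    """Constructed test signal: a pure cosine at freq Hz."""
    return [math.cos(2 * math.pi * freq * i / FS) for i in range(n)]

def lowpass(x, cutoff):
    """Hamming-windowed sinc FIR; returns only fully overlapped samples."""
    m, fc = TAPS // 2, cutoff / FS
    h = []
    for k in range(-m, m + 1):
        ideal = 2 * fc if k == 0 else math.sin(2 * math.pi * fc * k) / (math.pi * k)
        h.append(ideal * (0.54 + 0.46 * math.cos(math.pi * k / m)))
    return [sum(h[j] * x[i + j] for j in range(TAPS))
            for i in range(len(x) - TAPS + 1)]

def invert(x, carrier):
    """Ideal inversion stage: mix with the carrier, keep the difference band."""
    mixed = [2 * s * math.cos(2 * math.pi * carrier * i / FS) for i, s in enumerate(x)]
    return lowpass(mixed, carrier)

def peak_hz(x, lo=100, hi=3500, step=10):
    """Frequency of the strongest component, found by a direct DTFT scan."""
    best, best_f = -1.0, lo
    for f in range(lo, hi + 1, step):
        w = 2 * math.pi * f / FS
        re = sum(s * math.cos(w * i) for i, s in enumerate(x))
        im = sum(s * math.sin(w * i) for i, s in enumerate(x))
        if re * re + im * im > best:
            best, best_f = re * re + im * im, f
    return best_f

def residual_shifts(hops, fixed_hz, test_hz=1000):
    """Per hop: recovered tone frequency minus the original, in Hz."""
    out = []
    for hop in hops:
        scrambled = invert(tone(test_hz), hop)    # transmitter on this hop
        recovered = invert(scrambled, fixed_hz)   # receiver never retunes
        out.append(peak_hz(recovered) - test_hz)
    return out

if __name__ == "__main__":
    for hop, shift in zip(HOPS, residual_shifts(HOPS, 3000)):
        print(f"hop {hop} Hz -> tone displaced by {shift:+d} Hz")
```

Each displacement equals the receiver frequency minus the hop frequency and applies equally to every spectral component, so a hop plan confined to a few hundred hertz bounds the distortion to the same few hundred hertz.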
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,952
Midian Downgrades TVS-2 Security

The TVS-2 is flawed. It is based on older technology. It may have been a good scrambler in the 80s, but today is much different. The TVS-2 in standard mode "hops" inversion freqs 6-12 times per second and can be decoded with a Ramsey SS-70 fixed inversion unit. The TVS-2 in advanced mode hops 13-25 times per second and you can still get a couple words with the SS-70. My guess is the hops are not great enough and centered around 3.3 kHz.

MIDIAN'S NEW TVS-2 (4 LEVELS OF SECURITY)
L4 DOUBLE HOP MODE: 13-25 hops per second (TRUE SECURITY: MEDIUM+/HIGH)
L3 DEFAULT MODE: 6-12 hops per second (TRUE SECURITY: MEDIUM)
L2: 1.2-2.4 hops per second (TRUE SECURITY: LOW)
L1: .6-1.2 hops per second (TRUE SECURITY: VERY LOW, might as well stick with fixed inversion scramblers, they are cheaper)

I can't think why they would do this, unless they want to start selling scramblers to Libya or North Korea. They needed to improve the TVS-2. Advanced double hop mode should be the standard if users want any security and even then I would be hesitant to transmit sensitive comms. Midian should make a digital AES unit. They are also developing an FFT scrambler which is similar to the Codan SAFE scrambler, aka "Sailor Cry". These seem to have fallen out of fashion so we'll see if they sell.
 

SCPD

QRT
Joined
Feb 24, 2001
Messages
0
Location
Virginia
Just wanted to say that many years ago I used a simple Don Nobles inversion descrambler to decode an audio sample of the TVS-2 from a cassette they sent me. Note that I said "many years ago". I called them and they said they would check it out but it sounds like the same old story just another year. Obviously a defective product. I would certainly recommend any product from Transcrypt International. They make everything from simple inversion to digital encryption. Quality stuff.
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,952
shaggy2dope said:
Just wanted to say that many years ago I used a simple Don Nobles inversion descrambler to decode an audio sample of the TVS-2 from a cassette they sent me. Note that I said "many years ago". I called them and they said they would check it out but it sounds like the same old story just another year. Obviously a defective product. I would certainly recommend any product from Transcrypt International. They make everything from simple inversion to digital encryption. Quality stuff.

TVS-2 is a joke, except in double hop mode. In double hop a fixed inversion decoder such as a Ramsey SS-70 can only pull a few words. The Transcrypt 410 is no more secure than voice inversion and the 430 is shaky against skilled fixed inversion attacks. I own 4 radios with 430's in them. Midian's (TVS-2 makers) engineers got pissed after they sent me a sample of their TVS-2 scrambled audio and I sent it back to them in the clear.
 