Scott Buckey mailed me the following on my little challenge to see what you could make out of two scrambled audio messages. Not a 100% score, but good enough if an unknown message went through the air. And I believe the attack can be optimized some more (giving better audio quality).
It’s a rolling code inversion scrambler that changes inversion point approximately every 3 seconds.
On the recording the first 3 second ‘frame’ is missing, sorry 🙁
[Start of first frame] Cryptomuseum test tape [End of first frame] – Decoded at 3.729 kHz
[Start of second frame] of the Icom Analog *broken; ‘Public?’* Scrambler [End of second frame] – Decoded at 4.441 kHz
[Start of third frame] by saying some random numbers related to *broken; the ?* radio [End of third frame] – Decoded at 3.940 kHz
[Start of fourth frame] *broken; Five? or Niner ?* Five Four Seven [End of fourth frame] – Decoded at 3.120 kHz
[Start of fifth frame] *broken; Five ? or One? * Six *eight A ? *[End of fifth frame] – Decoded at 2.000 kHz
[Start of sixth frame] one four six [End of sixth frame] – Decoded at 3.067 kHz
[Start of seventh frame] two seven *broken; nine? or five?*[End of seventh frame] – Decoded at 4.352 kHz
[Start of eighth frame] *broken; Something? or simply?* like this (bleeps) [End of eighth frame] – Decoded at 4.263 kHz
[Start of ninth frame] (Bleeps) *Broken; and? or TION?* [End of ninth frame] – Decoded at 4.263 kHz
[Start of tenth frame] (Bleeps) End of test [End of tenth frame] – Decoded at 3.023 kHz
He also mailed me the following audio sample. If you compare it to the original descrambled wav file there still is a big difference, but still I take my hat off to Scott.
Koos thought the first sample was recorded over a trunked network, but that is not the case. The ‘bursts’ in the sample are used for synchronization in the (slow) rolling code.
The reason you hear me count and whistle in the samples is because it is a quick and easy way of testing the effectiveness of analog scramblers. Listening to the whistles in the scrambled output will give you a pretty good idea of whether the scrambling is static or repetitive, and of the likely scrambling technique and change rate. And it is always interesting to see how many numbers you can identify ‘by ear’ on these kinds of systems.
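The whistle test described above, as an added example that is not part of the original post or of Scott's work: a steady test tone is passed through a simulated rolling inversion scrambler, and the inversion point is read back per analysis window to show whether and how often it changes. The sample rate, the 1 kHz whistle, the 0.1 s frames (shortened from the roughly 3 seconds mentioned above to keep the run fast) and all function names are assumptions; the three carriers are the first three decode frequencies from the list above.

```python
import math

FS = 16000            # sample rate in Hz (assumption)
WHISTLE_HZ = 1000.0   # known steady test tone (assumption)
FRAME_S = 0.1         # constructed: shortened from the ~3 s frames to keep the run fast
CARRIERS = [3729.0, 4441.0, 3940.0]  # first three inversion points listed above

def scramble_whistle(carriers, frame_s=FRAME_S):
    """Mix the whistle with a carrier that changes every frame (rolling inversion)."""
    n_frame = int(FS * frame_s)
    out = []
    for i, fc in enumerate(carriers):
        for n in range(i * n_frame, (i + 1) * n_frame):
            t = n / FS
            out.append(math.cos(2 * math.pi * WHISTLE_HZ * t) *
                       math.cos(2 * math.pi * fc * t))
    return out

def goertzel_power(block, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    c = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for v in block:
        s1, s2 = v + c * s1 - s2, s1
    return s1 * s1 + s2 * s2 - c * s1 * s2

def dominant_tone(block, lo=300, hi=3600, step=10):
    """Strongest tone inside the voice band; the fc + f mixer product lies above it."""
    return max(range(lo, hi + 1, step), key=lambda f: goertzel_power(block, f))

def inversion_points(signal, window_s=0.05):
    """Per analysis window: inversion point = whistle + scrambled whistle frequency."""
    n_win = int(FS * window_s)
    return [WHISTLE_HZ + dominant_tone(signal[i:i + n_win])
            for i in range(0, len(signal) - n_win + 1, n_win)]

def hop_indices(points, tol=30):
    """Window indices where the inversion point moves, i.e. the frame boundaries."""
    return [i for i in range(1, len(points)) if abs(points[i] - points[i - 1]) > tol]

if __name__ == "__main__":
    pts = inversion_points(scramble_whistle(CARRIERS))
    print(pts, hop_indices(pts))
```

A static inversion scrambler gives an empty `hop_indices` list, while a rolling one shows hops at a regular spacing that equals the change rate.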
The descrambled audio of the second file can be found here.