Reverse engineering a pager – part I


It’s Friday night at Adafruit, and usually that means we take apart something… Here’s part I of reverse engineering a pager (m4v).

NOTE: Oops, I was tired. There’s a mistake in the video! The chip is a TA31149 4-FSK (not 31142 2-FSK), and I printed out the wrong datasheet. Still, it’s pretty much the same idea/chip; just follow the ‘31149 datasheet for the correct pinouts. There are -two- serial lines for 2 bits of serial data. Sorry about that!

Here is the manual for the pager (I couldn’t figure out how to turn the damn thing on), the datasheets for the TA31142 (2-FSK decoder used in other pagers; note the front page pinout is completely wrong) and TA31149 (4-FSK decoder used in the pager), a nifty little text file, and a thesis with details of the FLEX protocols.





17 Comments

  1. Bart Mancuso

    You do realize all you had to do was order the SERVICE MANUAL for
    that pager from Motorola. In it, are tons of information on the
    board layout, voltage levels, theory of operation, the RF alignment
    procedures, etc.

    I can’t believe you designed Wave Bubble, and yet seem a bit
    uncomfortable with a simple RF device like a pager (a very low
    end one at that).

    What would be a cool project is to try and construct a real time
    GSM encryption cracking receiver as an adjunct to Wave Bubble. A
    Yin & Yang so to speak. One to deny, One to encourage.

    I searched and short of commercial equipment (translation –
    for sale only to law enforcement), there are no homebrew hacks
    floating around that claim to crack the A5/1 (or whatever the
    current version is) encryption scheme on cellular commo.

    How about it? Your next project perhaps? I’d be happy to
    donate my time/equipment (RF signal generators, test equipment,
    etc).

    I stumbled across your website & book-marked it. You rock !!

  2. This is a 10-minute demonstration on how to do a quick “reverse engineer” of a product.
    Service manuals can be annoyingly expensive (if they’re even available, this is an ancient numeric pager), whereas it only takes a few minutes to pop it open and learn something. It’s not like there’d be anything in the service manual that isn’t also in the datasheets.

    And I -do- understand how pagers work (in general) but if I explained it I’d probably get something slightly wrong which means someone would just post something like “I can’t believe you didn’t understand how the filter works DUH”

    However, it sounds like you’re excited to build this GSM cracker, I wish you luck!

  3. Limor,
    thanks for taking the time to post this.
    I’m looking forward to the follow up to this. I’m working on a serial interface to a piece of equipment and I’d love to see how you figure out the communication. I could use some help.

    Many of your tutorials have inspired me to take a step further. Thanks!

  4. Nice vid! Like scienkoptic said, I’m looking forward to see how you reverse engineer the protocol once you capture some data.

    Bart Mancuso seemed to miss the point, the old adage “teach a person to fish…” comes to mind. What’s the point of learning how to reverse engineer something by ordering the service manual? When bunnie hacked the xbox, do you think he just called microsoft and asked them to send him a copy of the service manual?

    Anyhoo thanks ladyada, keep these late night hacks coming!

  5. thanks guys! you’ll probably dig the next video (coming soon)

  6. Neat stuff. I wonder if the serial communication is encrypted? wouldn’t it have to be for privacy reasons?

  7. Great vid! Inspires me to look for my old pager right now…

    I think this qualifies as a “Citizen Engineer” episode!

  8. I am curious to see if the data stream is encrypted in any way since I have that same pager or at least a very similar Motorola version. I remember seeing it a few weeks ago when I was going through my junk drawer of parts a few weeks ago. Funny how cell phones have totally killed the pager industry.

  9. Hello,

    Awesome video, thanks for sharing your knowledge 😉

    @Alan, yes, it could be a “Citizen Engineer”

    I’m waiting for part II

  10. it’s not encrypted…stay tuned for part 2!

  11. Nice vid ! There’s no better way to learn than getting one’s hands dirty so I think ladyada’s approach is completely justified.

    As for the continuous data stream, I think that’s the way all RF modems work. There is a constant background RF noise in the atmosphere that the modem will pick up as FSK modulation … It’s up to one of the chips on the other board to detect pulse trains that fit a particular encoding and make sense of it.

  12. You might be interested in this:

    http://www.gsm-antennes.nl/PDW/

    Flex decoder

    I believe if you google, you will find others.

  13. yup, we used PDW. i wish one of them was open source tho!

  14. Have done this myself after being inspired by a project called the Purple Pager back in the late 90s which did exactly the same thing. Here in the UK the common protocol seems to be POCSAG rather than flex and there is plenty of source code around, such as OpenPoc (which I just found.)

    I wanted to revisit this recently and use an Arduino to provide a self contained decoder with RS232 out but haven’t had time. The video has motivated me to try and find the time! I like the idea of Friday evening being a hacking evening, might have to try that!

    Thanks for doing these videos, always enjoy them a lot.

  15. thomas, sounds great! i did find an AVR POCSAG decoder out there, you could adapt it to the arduino without tons of difficulty. a lot of people don’t have raw serial ports anymore so it would be handy

  16. Hey I’m glad to see someone do this! I have been hoarding old pagers for a while with the same intentions. I have been using a data slicer connected to the FM discriminator tap on scanners and commercial radios to decode POCSAG, Motorola trunking data, and other stuff. I always wanted to have an all-in-one box with a pager and data slicer combined. If it was self-contained with an AVR and a decent sized screen then even better!

  17. inspired by this I tried to hack a pager I bought, I described my findings here,

    http://codinglab.blogspot.com/2009/05/hacking-pager-part-1.html

    I am trying to figure out what is the protocol of the signal I am receiving, any help?

    Thanks

    P.S.: I hope it is OK to post a link to my blog!
