It’s Friday night at Adafruit, which usually means we take something apart… Here’s part I of reverse engineering a pager (m4v).
NOTE: Oops, I was tired. There’s a mistake in the video! The chip is a TA31149 4-FSK (not 31142 2-FSK), and I printed out the wrong datasheet. Still, it’s pretty much the same idea/chip; just follow the ‘31149 datasheet for the correct pinouts. There are -two- serial lines for 2 bits of serial data. Sorry about that!
You do realize all you had to do was order the SERVICE MANUAL for that pager from Motorola. In it, are tons of information on the board layout, voltage levels, theory of operation, the RF alignment procedures, etc.
I can’t believe you designed Wave Bubble, and yet seem a bit uncomfortable with a simple RF device like a pager (a very low end one at that).
What would be a cool project is to try and construct a real time GSM encryption cracking receiver as an adjunct to Wave Bubble. A Yin & Yang so to speak. One to deny, One to encourage.
I searched and short of a commercial equipment (translation – for sale only to law enforcement), there are no homebrew hacks floating around that claim to crack the A5/1 (or whatever the current version is) encryption scheme on cellular commo.
How about it? Your next project perhaps? I’d be happy to donate my time/equipment (RF signal generators, test equipment, etc).
I stumbled across your website & book-marked it. You rock!!
This is a 10-minute demonstration on how to do a quick “reverse engineer” of a product.
Service manuals can be annoyingly expensive (if they’re even available; this is an ancient numeric pager), whereas it only takes a few minutes to pop it open and learn something. It’s not like there’d be anything in the service manual that isn’t also in the datasheets.
And I -do- understand how pagers work (in general) but if I explained it I’d probably get something slightly wrong which means someone would just post something like “I can’t believe you didn’t understand how the filter works DUH”
However, it sounds like you’re excited to build this GSM cracker, I wish you luck!
Limor,
thanks for taking the time to post this.
I’m looking forward to the follow up to this. I’m working on a serial interface to a piece of equipment and I’d love to see how you figure out the communication. I could use some help.
Many of your tutorials have inspired me to take a step further. Thanks!
Nice vid! Like scienkoptic said, I’m looking forward to seeing how you reverse engineer the protocol once you capture some data.
Bart Mancuso seemed to miss the point, the old adage “teach a person to fish…” comes to mind. What’s the point of learning how to reverse engineer something by ordering the service manual? When bunnie hacked the xbox, do you think he just called microsoft and asked them to send him a copy of the service manual?
Anyhoo thanks ladyada, keep these late night hacks coming!
thanks guys! you’ll probably dig the next video (coming soon)
Neat stuff. I wonder if the serial communication is encrypted? Wouldn’t it have to be for privacy reasons?
Great vid! Inspires me to look for my old pager right now…
I think this qualifies as a “Citizen Engineer” episode!
I am curious to see if the data stream is encrypted in anyway since I have that same pager or at least a very similar Motorola version. I remember seeing it a few weeks ago when I was going through my junk drawer of parts a few weeks ago. Funny how cell phones have totally killed the pager industry.
Hello,
Awesome video, thanks for sharing your knowledge 😉
@Alan, yes, it could be a “Citizen Engineer”
I’m waiting for part II
it’s not encrypted… stay tuned for part 2!
Nice vid! There’s no better way to learn than getting one’s hands dirty, so I think ladyada’s approach is completely justified.
As for the continuous data stream, I think that’s the way all RF modems work. There is a constant background RF noise in the atmosphere that the modem will pick up as FSK modulation … It’s up to one of the chips on the other board to detect pulse trains that fit a particular encoding and make sense of it.
You might be interested in this:
http://www.gsm-antennes.nl/PDW/
Flex decoder
I believe if you google, you will find others.
yup, we used PDW. i wish one of them was open source tho!
Have done this myself after being inspired by a project called the Purple Pager back in the late 90s which did exactly the same thing. Here in the UK the common protocol seems to be POCSAG rather than flex and there is plenty of source code around, such as OpenPoc (which I just found.)
I wanted to revisit this recently and use an Arduino to provide a self contained decoder with RS232 out but haven’t had time. The video has motivated me to try and find the time! I like the idea of Friday evening being a hacking evening, might have to try that!
Thanks for doing these videos, always enjoy them a lot.
thomas, sounds great! i did find an AVR POCSAG decoder out there, you could adapt it to the arduino without tons of difficulty. a lot of people don’t have raw serial ports anymore so it would be handy
Hey I’m glad to see someone do this! I have been hoarding old pagers for a while with the same intentions. I have been using a data slicer connected to the FM discriminator tap on scanners and commercial radios to decode POCSAG, Motorola trunking data, and other stuff. I always wanted to have an all-in-one box with a pager and data slicer combined. If it was self-contained with an AVR and a decent sized screen then even better!
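The point raised in the comments above, that a slicer or FSK demodulator hands the decoder a continuous, noisy bit stream and a downstream stage has to find the pulse trains that fit a known encoding, worked through for POCSAG (the protocol the UK comments mention) as an added example; this is not code from the post, from PDW or from OpenPoc. It assumes the standard POCSAG framing (32-bit codewords sent MSB first, sync word 0x7CD215D8, idle word 0x7A89C197, BCH(31,21) check bits with an even-parity bit), and the bit stream it parses is constructed inside the block.

```python
# Added example (not code from the Adafruit post, PDW or OpenPoc): sync search and
# BCH/parity checks for a POCSAG bit stream (32-bit codewords MSB first).
BCH_POLY = 0x769          # x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1
SYNC_WORD = 0x7CD215D8
IDLE_WORD = 0x7A89C197
def bch_remainder(cw31: int) -> int:
    """GF(2) long division of a 31-bit codeword (data<<10 | check) by g(x)."""
    for i in range(30, 9, -1):           # cancel each set leading bit with g(x)
        cw31 ^= (BCH_POLY << (i - 10)) * ((cw31 >> i) & 1)
    return cw31 & 0x3FF

def codeword_ok(word: int) -> bool:
    """Accept a 32-bit word only if the BCH remainder is 0 and parity is even."""
    return bch_remainder(word >> 1) == 0 and bin(word).count("1") % 2 == 0

def encode_codeword(data21: int) -> int:
    """Append 10 BCH check bits and the even-parity bit to 21 data bits."""
    cw31 = (data21 << 10) | bch_remainder(data21 << 10)
    return (cw31 << 1) | (bin(cw31).count("1") & 1)

def find_sync(bits: list, max_errors: int = 2) -> int:
    """Index where the sync word starts, or -1; a few flips from slicer noise are tolerated."""
    pattern = [(SYNC_WORD >> i) & 1 for i in range(31, -1, -1)]
    for pos in range(len(bits) - 31):
        if sum(a != b for a, b in zip(bits[pos:pos + 32], pattern)) <= max_errors:
            return pos
    return -1

def decode_batch(bits: list, sync_pos: int) -> list:
    """Classify the 16 codewords that follow a sync word."""
    out = []
    for n in range(16):
        chunk = bits[sync_pos + 32 * (n + 1):sync_pos + 32 * (n + 2)]
        word = int("".join(map(str, chunk)), 2) if len(chunk) == 32 else 1
        if not codeword_ok(word):          # 1 (odd parity) marks a short chunk
            out.append(("bad", word))
        elif word == IDLE_WORD:
            out.append(("idle", None))
        elif word >> 31 == 0:              # address: 18 address + 2 function bits
            ric = (((word >> 13) & 0x3FFFF) << 3) | (n // 2)   # frame number
            out.append(("address", (ric, (word >> 11) & 3)))
        else:                              # message: 20 payload bits
            out.append(("message", (word >> 11) & 0xFFFFF))
    return out

def build_sample_stream() -> list:
    """Constructed input: junk, short preamble (a real one is 576 bits), sync, page, idle."""
    words = [SYNC_WORD, encode_codeword((0x1234 << 2) | 2)] + [IDLE_WORD] * 15
    return ([(i * 7 + 3) % 5 & 1 for i in range(40)] + [1, 0] * 32
            + [(w >> i) & 1 for w in words for i in range(31, -1, -1)])
```

Background noise never survives the sync search plus the BCH and parity checks, which is why a pager can sit on a channel that is "always sending something" and still only wake up for its own address.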
inspired by this I tried to hack a pager I bought, I described my findings here:
http://codinglab.blogspot.com/2009/05/hacking-pager-part-1.html
I am trying to figure out what the protocol of the signal I am receiving is, any help?
Thanks
P.S.: I hope it’s OK to post a link to my blog!