Sniffing Pager Network Traffic - The Hardware

You remember pagers?  Those hip little devices clipped to people's belts in the 90s which were on the frontier of today's always-plugged-in culture.  Originally they were only smart enough to start beeping when you were needed on the job, but over time more sophisticated pager networks were built allowing for numerical pages, text pages, and eventually binary pages (just in time for email and cell phones to plunge the entire system into almost complete irrelevance).

I never had a pager of my own.  I was born just late enough (1989) that society still remembered how to plan social engagements ahead of time long enough to allow me to live without until cell phones became a viable option for teenagers back in the early-to-mid 2000s.  Meanwhile, I was born early enough that I was very much aware of the wonder of the pager network, was very much fascinated by it, and was endlessly appreciative of the decade head-start that pagers gave public school districts to slowly come to terms with the idea that teenagers possibly have other things to communicate about other than drug dealing.  The only person I knew with a pager was my father for work, and however unfortunate it usually was when his pager went off, it was usually followed the next day by fascinating stories about how one of his file servers blew up or he managed to fix some show-stopping problem on the other side of the world.

Pager systems are, at their core, a fairly simple network.  Telecoms install hugely powerful transmitters throughout "service regions," which blast out every page at blazing speeds like 1600 or 6400 baud.  Every now and then pagers would raise sticky questions about "reasonable expectation of privacy" with regard to listening to other people's pages, since the pager networks are based on the early 20th century optimism that everyone on an electronics network is an inherently nice person, so there is no form of encryption or privacy, other than pagers only displaying their own pages.

I like to think of myself as an inherently nice person, but the temptation of sniffing the pager network to get a tantalizing peek into the lives of people significantly more interesting than myself has always been appealing.  Pager data is usually transmitted using the fairly simple FSK (frequency shift keying) method, where the frequency of a signal is selectively changed either above or below a fixed center to indicate either a one or a zero (or a predefined set of ones and zeros, for more sophisticated systems).

In the ideal world, to protect the honor of my amateur radio license, I would home-brew my own 465MHz FSK receiver to sniff these signals, then it would simply be a matter of reading patents and graduate theses to down-convert the coded signals back into numeric or alphanumeric pages.  Alas, we live in something far from a perfect world, and I have been in a rocky long-term relationship with analog electronics fraught with anguish and despair, so this was a project I never considered too seriously until I could find some sort of reasonable solution to the RF front-end issue.
Imagine my pleasure when I was wandering around the Silicon Valley Electronics Flea Market this summer and stumbled upon Paul Rako with an entire card table full of pagers which he was selling for something trivial like $1 a piece.  He was marketing them as "the hippest timepieces on the block," which seemed to not be nearly as effective as the fact that they have vibrator motors in them, which everyone was actually interested in (he could have probably done a better job if he just sold the toothbrush to go with it).  In any case, I was likely the only person digging through the pile actually looking for a working pager, and with the deliberateness of pure ignorance I very carefully selected a Motorola Advisor II which still had its very hip belt clip and looked to be in reasonably good condition.  One T6H torx screwdriver later, and I had this minimalistic piece of communication technology open.
Initially my optimism was not particularly high; I was expecting the contemporary basic peripherals all leading into one mysterious epoxy blob, so I was pleasantly surprised when I discovered that the pager not only had a separate RF daughterboard, but was kind enough to use discrete components and make no effort to conceal their identities.  A little poking around between the circuit boards and Google and I found that this pager uses the Toshiba TA31142 FM detector specifically designed for pagers.  What luck that the datasheet was even kind enough to indicate which pin the finally demodulated FSK data was outputted on (the red emphasis in the figure above is my own).  This means that with some tricky soldering, I can take advantage of the fact that Motorola put all this effort into building a good FSK quadrature detector, and I can spend my time in the much more interesting and pleasant digital electronics land.
Tapping pin 15 on the detector gives us a 3V serial signal running at 6400 baud.  Ground is pin 19 on the IC, but I opted to tap the more convenient ground plane circled on the left.
White wire for the FSK data, black for ground.  I used 32 gauge wire-wrap wire, which I then fed out a hole I drilled in the case so I could button the whole affair back up.
For those who are curious, the signals aren't typical RS-232 style serial, but are synchronous with a single start bit.
A complete packet (with 10ms per horz div)
A closeup of the start bit at 1ms per div, showing the 4 ms and change between the start bit and the actual pager data.

The easiest way to decode this data stream which I now have access to is to feed it into a serial port and decode it with PDW.  Would you believe that I'm just fresh out of actual serial ports?  In the next article in this series, should I find more time to work on this project, I'll write some microcontroller code to capture this data stream and feed it into a computer via something a little more common such as USB.  It should be some interesting code to get it to synchronize to an unclocked stream such as this.
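
The synchronization problem mentioned above, sketched as an added example (not the author's code and not taken from PDW): a software bit-clock recovery loop that locks on the first edge and then nudges its phase by one sample on each later edge. The 8x oversampling rate, the already-sliced 0/1 input, the struct and function names, and the test pattern are all assumptions constructed for illustration; no paging protocol framing is decoded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OVERSAMPLE 8  /* assumed: 8 samples per bit, i.e. 51.2 kHz for 6400 baud */

typedef struct { uint8_t prev, phase, locked, resync; } bitsync_t;

/* Feed one sliced (0/1) sample. Returns the decided bit, or -1 if none yet.
 * phase 0 is where the receiver believes a bit boundary lies. */
int bitsync_step(bitsync_t *bs, uint8_t level)
{
    level = level ? 1 : 0;
    if (level != bs->prev) {                 /* an edge marks a true bit boundary */
        bs->prev = level;
        if (!bs->locked) {                   /* first edge: hard lock */
            bs->locked = 1;
            bs->phase = 0;
        } else if (bs->resync && bs->phase != 0) {
            if (bs->phase <= OVERSAMPLE / 2) bs->phase--;   /* our boundary was early */
            else bs->phase = (bs->phase + 1) % OVERSAMPLE;  /* our boundary was late */
        }
    }
    /* Decide the bit in the middle of the bit period, away from the edges. */
    int bit = (bs->locked && bs->phase == OVERSAMPLE / 2) ? level : -1;
    bs->phase = (bs->phase + 1) % OVERSAMPLE;
    return bit;
}

/* Constructed pattern (not captured traffic); the leading 1 stands in for the start bit. */
static const uint8_t PATTERN[24] = {1,0,1,1,0,0,1,0,1,1,1,0,0,0,1,0,1,0,0,1,1,0,1,0};

/* Simulate a transmitter about 3% slow (8.25 samples per bit) and count
 * wrong, extra or missing bits. Returns 0 when the pattern is recovered exactly. */
int demo_errors(int resync)
{
    bitsync_t bs = {0, 0, 0, (uint8_t)resync};
    size_t nbits = 0;
    int errors = 0;
    for (size_t k = 0; k * 100 / 825 < 24; k++) {
        int bit = bitsync_step(&bs, PATTERN[k * 100 / 825]);
        if (bit < 0) continue;
        if (nbits >= 24 || bit != PATTERN[nbits]) errors++;
        nbits++;
    }
    return errors + (nbits < 24 ? (int)(24 - nbits) : 0);
}

int main(void)
{
    printf("resync: %d errors, free-running: %d errors\n", demo_errors(1), demo_errors(0));
    return 0;
}
```

With resynchronization disabled the same loop free-runs at its nominal rate, so the clock mismatch accumulates and the decoded output no longer matches what was sent.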

Hopefully once I get that built, I'll be able to monitor pages going out in Northern California, which rumor has it still consists of some fairly interesting snippets of emergency response logistics and sports scores (because we can all tell I'm totally spending today watching some big-to-do sports game instead of writing a blog post...).



Aw shucks, while I've got this pager open, we may as well just do a full tear down, right?
This is the back of the RF board.  You can see the two crystals for the RF and IF oscillators, and the 14 pin socket at the bottom for connecting back to the main processor board.  The bar at the top is the loop antenna.
Front of the main processor board.  LCD, buttons, and a battery clip.
Back of the main processor board.  The two gold circles on the bottom right are actually an ICSP header, which you can access from outside the case with a pair of vampire taps to reprogram the pager with a new subscription ID.
I've spent much too much time working with this material at my last job.  This is gap filler, which in addition to giving devices a much more solid and balanced feel, acts as a non-conductive heat spreader in challenging thermal environments common for consumer electronics.

A couple useful links on sniffing pagers are the two videos AdaFruit put together on the subject ([1], [2]) and the thesis on the subject by McCulley.
