Sunday, February 5, 2012
Sniffing Pager Network Traffic - The Hardware
I never had a pager of my own. I was born just late enough (1989) that society still remembered how to plan social engagements far enough ahead of time to allow me to live without one until cell phones became a viable option for teenagers back in the early-to-mid 2000s. Meanwhile, I was born early enough that I was very much aware of the wonder of the pager network, was very much fascinated by it, and was endlessly appreciative of the decade head start that pagers gave public school districts to slowly come to terms with the idea that teenagers might have things to communicate about other than drug dealing. The only person I knew with a pager was my father, for work, and however unfortunate it usually was when his pager went off, it was usually followed the next day by fascinating stories about how one of his file servers blew up or he managed to fix some show-stopping problem on the other side of the world.
Pager systems are, at the core, a fairly simple network. Telecoms install hugely powerful transmitters throughout "service regions," which blast out every page at blazing speeds like 1600 or 6400 baud. Every now and then pagers would raise sticky questions about the "reasonable expectation of privacy" with regard to listening to other people's pages, since the pager networks are based on the early 20th century optimism that everyone on an electronic network is an inherently nice person, so there is no form of encryption or privacy, other than pagers only displaying their own pages.
I like to think of myself as an inherently nice person, but the temptation of sniffing the pager network to get a tantalizing peek into the lives of people significantly more interesting than myself has always been appealing. Pager data is usually transmitted using the fairly simple FSK (frequency shift keying) method, where the frequency of a signal is selectively changed either above or below a fixed center to indicate either a one or a zero (or a predefined set of ones and zeros, for more sophisticated systems).
In the ideal world, to protect the honor of my amateur radio license, I would home-brew my own 465MHz FSK receiver to sniff these signals, then it would simply be a matter of reading patents and graduate theses to down-convert the coded signals back into numeric or alphanumeric pages. Alas, we live in something far from a perfect world, and I have been in a rocky long-term relationship with analog electronics fraught with anguish and despair, so this was a project I never considered too seriously until I could find some sort of reasonable solution to the RF front-end issue.
Silicon Valley Electronics Flea Market this summer and stumbled upon Paul Rako with an entire card table full of pagers which he was selling for something trivial like $1 apiece. He was marketing them as "the hippest timepieces on the block," which seemed to not be nearly as effective as the fact that they have vibrator motors in them, which everyone was actually interested in (he could have probably done a better job if he had just sold the toothbrush to go with it). In any case, I was likely the only person digging through the pile actually looking for a working pager, and with the deliberateness of pure ignorance I very carefully selected a Motorola Advisor II which still had its very hip belt clip and looked to be in reasonably good condition. One T6H Torx screwdriver later, and I had this minimalistic piece of communication technology open.
The easiest way to decode this data stream which I now have access to is to feed it into a serial port and decode it with PDW. Would you believe that I'm just fresh out of actual serial ports? In the next article in this series, should I find more time to work on this project, I'll write some microcontroller code to capture this data stream and feed it into a computer via something a little more common such as USB. It should be some interesting code to get it to synchronize to an unclocked stream such as this.
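The synchronization problem just mentioned, a data line with no separate clock to tell the receiver where one bit ends and the next begins, is usually solved with edge-resynchronized sampling. The following is an added example, not code from this post or from PDW: it recovers bits from an oversampled NRZ line and checks itself against a constructed, deliberately jittered signal. The 8x oversampling factor, the payload bytes and all function names are assumptions.

```c
#include <string.h>

#define OSR 8   /* assumed oversampling: e.g. 1600 baud sampled at 12800 Hz */

/* Recover bits from an unclocked NRZ line sampled OSR times per bit: latch the
 * level at mid-bit, re-align the bit counter on every level change (so drift is
 * corrected at each edge), and free-run through runs of identical bits. */
size_t recover_bits(const unsigned char *samples, size_t n,
                    unsigned char *out, size_t max_bits)
{
    size_t nbits = 0;
    int phase = 0;                     /* samples since the estimated bit edge */
    unsigned char prev = n ? samples[0] : 0;
    for (size_t i = 0; i < n && nbits < max_bits; i++) {
        if (samples[i] != prev) {      /* transition: a new bit starts here */
            phase = 0;
            prev = samples[i];
        }
        if (phase == OSR / 2)          /* mid-bit sample point */
            out[nbits++] = samples[i];
        if (++phase >= OSR)            /* whole bit with no edge: free-run */
            phase = 0;
    }
    return nbits;
}

/* Constructed test signal: every bit becomes OSR samples, every jitter_every-th
 * bit one sample longer (transmitter clock slightly slow; 0 disables). */
size_t make_signal(const unsigned char *bits, size_t nbits,
                   unsigned char *samples, size_t max_samples, int jitter_every)
{
    size_t n = 0;
    for (size_t b = 0; b < nbits; b++) {
        int width = OSR + (jitter_every > 0 && (b + 1) % jitter_every == 0);
        for (int k = 0; k < width && n < max_samples; k++)
            samples[n++] = bits[b];
    }
    return n;
}

/* Round trip of a constructed payload (alternating preamble + data bytes). */
int roundtrip_ok(int jitter_every)
{
    static const unsigned char payload[] = {0xAA, 0xAA, 0x5E, 0xC3, 0x91};
    unsigned char bits[40], got[64], samples[512];
    for (size_t i = 0; i < 40; i++)        /* unpack bits MSB first */
        bits[i] = (payload[i / 8] >> (7 - i % 8)) & 1;
    size_t n = make_signal(bits, 40, samples, sizeof samples, jitter_every);
    return recover_bits(samples, n, got, sizeof got) == 40 && memcmp(bits, got, 40) == 0;
}
```

The free-running counter only holds sync while the drift between the two clocks stays under half a bit between transitions; a long run of identical bits with a badly mismatched sample rate will gain or lose a bit, so the sample clock should be set from the measured baud rate.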
Hopefully once I get that built, I'll be able to monitor pages going out in Northern California, which rumor has it still consists of some fairly interesting snippets of emergency response logistics and sports scores (because we can all tell I'm totally spending today watching some big-to-do sports game instead of writing a blog post...).
Aw shucks, while I've got this pager open, we may as well just do a full tear down, right?
A couple of useful links on sniffing pagers are the two videos AdaFruit put together on the subject and the thesis on the subject by McCulley.
Posted by Kenneth Finnegan at 12:00 PM