
May 9, 2009 AT 12:08 am

Reverse engineering a pager – part I


It’s Friday night at Adafruit, which usually means we take something apart… Here’s part I of reverse engineering a pager (m4v).

NOTE: Oops, I was tired. There’s a mistake in the video! The chip is a TA31149 4-FSK (not 31142 2-FSK), and I printed out the wrong datasheet. Still, it’s pretty much the same idea/chip; just follow the ‘31149 datasheet for the correct pinouts. There are -two- serial lines, for 2 bits of serial data per symbol. Sorry about that!

Here is the manual for the pager (I couldn’t figure out how to turn the damn thing on), the datasheet for the TA31142 (2-FSK decoder used in other pagers; note the front-page pinout is completely wrong) and the TA31149 (4-FSK decoder used in this pager), a nifty little text file, and a thesis with details of the FLEX protocols.





17 Comments

  1. Bart Mancuso

    You do realize all you had to do was order the SERVICE MANUAL for
    that pager from Motorola. In it, are tons of information on the
    board layout, voltage levels, theory of operation, the RF alignment
    procedures, etc.

    I can’t believe you designed Wave Bubble, and yet seem a bit
    uncomfortable with a simple RF device like a pager (a very low
    end one at that).

    What would be a cool project is to try and construct a real time
    GSM encryption cracking receiver as an adjunct to Wave Bubble. A
    Yin & Yang so to speak. One to deny, One to encourage.

    I searched and short of a commercial equipment (translation –
    for sale only to law enforcement), there are no homebrew hacks
    floating around that claim to crack the A5/1 (or whatever the
    current version is) encryption scheme on cellular commo.

    How about it? Your next project perhaps? I’d be happy to
    donate my time/equipment (RF signal generators, test equipment,
    etc).

    I stumbled across your website & book-marked it. You rock !!

  2. This is a 10-minute demonstration on how to do a quick “reverse engineer” of a product.
    Service manuals can be annoyingly expensive (if they’re even available; this is an ancient numeric pager), whereas it only takes a few minutes to pop it open and learn something. It’s not like there’d be anything in the service manual that isn’t also in the datasheets.

    And I -do- understand how pagers work (in general) but if I explained it I’d probably get something slightly wrong which means someone would just post something like “I can’t believe you didn’t understand how the filter works DUH”

    However, it sounds like you’re excited to build this GSM cracker, I wish you luck!

  3. Limor,
    thanks for taking the time to post this.
    I’m looking forward to the follow up to this. I’m working on a serial interface to a piece of equipment and I’d love to see how you figure out the communication. I could use some help.

    Many of your tutorials have inspired me to take a step further. Thanks!

  4. Nice vid! Like scienkoptic said, I’m looking forward to seeing how you reverse engineer the protocol once you capture some data.

    Bart Mancuso seemed to miss the point; the old adage “teach a person to fish…” comes to mind. What’s the point of learning how to reverse engineer something by ordering the service manual? When bunnie hacked the Xbox, do you think he just called Microsoft and asked them to send him a copy of the service manual?

    Anyhoo thanks ladyada, keep these late night hacks coming!

  5. thanks guys! you’ll probably dig the next video (coming soon)

  6. Neat stuff. I wonder if the serial communication is encrypted? wouldn’t it have to be for privacy reasons?

  7. Great vid! Inspires me to look for my old pager right now…

    I think this qualifies as a “Citizen Engineer” episode!

  8. I am curious to see if the data stream is encrypted in anyway since I have that same pager or at least a very similar Motorola version. I remember seeing it a few weeks ago when I was going through my junk drawer of parts a few weeks ago. Funny how cell phones have totally killed the pager industry.

  9. Hello,

    Awesome video, thanks for sharing your knowledge ;-)

    @Alan, yes, it could be a “Citizen Engineer”

    I’m waiting for part II

  10. It’s not encrypted… stay tuned for part 2!

  11. Nice vid! There’s no better way to learn than getting one’s hands dirty, so I think ladyada’s approach is completely justified.

    As for the continuous data stream, I think that’s the way all RF modems work. There is a constant background RF noise in the atmosphere that the modem will pick up as FSK modulation … It’s up to one of the chips on the other board to detect pulse trains that fit a particular encoding and make sense of it.

  12. You might be interested in this:

    http://www.gsm-antennes.nl/PDW/

    Flex decoder

    I believe if you google, you will find others.

  13. Yup, we used PDW. I wish one of them was open source tho!

  14. Have done this myself after being inspired by a project called the Purple Pager back in the late 90s which did exactly the same thing. Here in the UK the common protocol seems to be POCSAG rather than FLEX, and there is plenty of source code around, such as OpenPoc (which I just found).

    I wanted to revisit this recently and use an Arduino to provide a self contained decoder with RS232 out but haven’t had time. The video has motivated me to try and find the time! I like the idea of Friday evening being a hacking evening, might have to try that!

    Thanks for doing these videos, always enjoy them a lot.

  15. Thomas, sounds great! I did find an AVR POCSAG decoder out there; you could adapt it to the Arduino without tons of difficulty. A lot of people don’t have raw serial ports anymore, so it would be handy.

  16. Hey I’m glad to see someone do this! I have been hoarding old pagers for a while with the same intentions. I have been using a data slicer connected to the FM discriminator tap on scanners and commercial radios to decode POCSAG, Motorola trunking data, and other stuff. I always wanted to have an all-in-one box with a pager and data slicer combined. If it was self-contained with an AVR and a decent sized screen then even better!
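One concrete form of the "pulse trains that fit a particular encoding" idea from comment 11, applied to the POCSAG protocol that comments 14 to 16 discuss, as an added Python example (not code from the post, from PDW or from any decoder mentioned here): it slices a continuous bit stream into codewords at the POCSAG sync word and checks each one's BCH(31,21) check bits and parity bit, which is how a decoder separates real frames from the background bits the FSK front end delivers constantly. The sync, idle and generator constants are the standard POCSAG values; the bit stream and the 21-bit payload are constructed for the example.

```python
# Constructed example (not from the post): frame POCSAG codewords out of a
# continuous bit stream and check each one's BCH(31,21) + parity integrity.
POCSAG_GEN = 0x769        # generator x^10+x^9+x^8+x^6+x^5+x^3+1
SYNC_WORD = 0x7CD215D8    # POCSAG frame synchronisation codeword
IDLE_WORD = 0x7A89C197    # POCSAG idle codeword
BATCH_WORDS = 16          # 8 frames x 2 codewords follow every sync word

def bch_syndrome(word32):
    """Remainder of the top 31 bits divided by the generator; 0 = no error."""
    rem = word32 >> 1                      # drop the trailing even-parity bit
    for shift in range(20, -1, -1):        # walk from x^30 down to x^10
        if rem & (1 << (shift + 10)):
            rem ^= POCSAG_GEN << shift
    return rem

def codeword_ok(word32):
    """True when both the BCH check bits and the overall even parity agree."""
    return bin(word32).count("1") % 2 == 0 and bch_syndrome(word32) == 0

def encode_codeword(payload21):
    """21 payload bits -> 10 BCH check bits -> 1 even-parity bit (32 bits)."""
    word31 = (payload21 << 10) | bch_syndrome(payload21 << 11)
    return (word31 << 1) | (bin(word31).count("1") & 1)

def find_batches(bits):
    """Scan a '0'/'1' string; return [(offset, tags)], one tag per codeword:
    'idle', 'data' (passes the integrity check) or 'bad' (fails it)."""
    sync = format(SYNC_WORD, "032b")
    batches, pos = [], bits.find(sync)
    while pos != -1:
        tags = []
        for i in range(1, BATCH_WORDS + 1):
            chunk = bits[pos + 32 * i:pos + 32 * (i + 1)]
            if len(chunk) < 32:
                break                       # stream ended mid-batch
            word = int(chunk, 2)
            tags.append("idle" if word == IDLE_WORD
                        else "data" if codeword_ok(word) else "bad")
        batches.append((pos, tags))
        pos = bits.find(sync, pos + 32 * (BATCH_WORDS + 1))   # next batch
    return batches

def build_sample_stream():
    """Constructed input: stray bits, 576-bit preamble, sync, 16 codewords."""
    noise = "0110100010110011" * 3          # what the slicer emits before a page
    preamble = "10" * 288                   # POCSAG alternating preamble
    data = encode_codeword(0x1A2B3C)        # arbitrary 21-bit payload
    words = [SYNC_WORD, data, data ^ (1 << 5)] + [IDLE_WORD] * 14  # one bit flipped
    return noise + preamble + "".join(format(w, "032b") for w in words)
```

Running find_batches(build_sample_stream()) locates the single batch after the 48 stray bits and the preamble and tags its codewords as one good data word, one corrupted word and fourteen idles.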

  17. Inspired by this I tried to hack a pager I bought; I described my findings here,

    http://codinglab.blogspot.com/2009/05/hacking-pager-part-1.html

    I am trying to figure out what is the protocol of the signal I am receiving, any help?

    Thanks

    P.S.: I hope it’s OK to post a link to my blog!
