FLEX Pager Protocol in Depth

We love pager hacks. One of our earliest head-slappers was completely reverse-engineering a restaurant pager’s protocol, only to find out that it was industry-standard POCSAG. Doh!

[Corn] apparently scratches the same itch, but in the Netherlands where the FLEX protocol is more common. In addition to walking us through all of the details of the FLEX system, he bought a FLEX pager, gutted it, and soldered on an ATMega328 board and an ESP8266. The former does the FLEX decoding, and the latter posts whatever it hears on his local network.

These days, we’re sure that you could do the same thing with a Raspberry Pi and SDR, but we love the old-school approach of buying a pager and tapping into its signals. And it makes a better stand-alone device with a lot lower power budget. If you find yourself in possession of some old POCSAG pagers, you should check out [Corn]’s previous work: an OpenWRT router that sends pages.

17 thoughts on “FLEX Pager Protocol in Depth

  1. One time at a garage sale there were endless pagers, a dollar each. I assumed they were low end superregenerative pagers, from the price and quantity. So I only bought 2 or 3. A disappointment when I got home, they were superhet. I should have bought more, at a dollar a steal of a price for receiver in that frequency range. This was about 20 years ago, maybe a bit less.

    Micheal

    1. I love garage sales, I got 3 multimeters that retail for $70 each at one recently. I paid $10 for the lot ($3.3333 each). And now the idea of paying a repeating decimal price is messing with my head…

      1. You could go bang on the guy’s door, long into the night, demanding your penny back. Or that he accepts two more pennies from you. If it’s causing you sleepless nights, why not him?

  2. There exists POCSAG decoder software that takes an audio signal into your sound card, from any basic FM scanner. You could read the encoding key from the header, by firing up any wav file analysis tool. POC32, I think it was named, but I’m sure there will be lots more options these days. – Live stock quotes, galore!

    1. I’m amazed POCSAG, and pagers at all, are still going. SMS surely superceded them 20-odd years ago. I suppose one advantage they have is only needing a little bit of the frequency spectrum, and they’d be a handy fallback in the dubious circumstance that an EMP bomb destroys all electronics from the mid-1990s onward.

      I half remember hearing about paging being switched off years ago. I suppose this is only a short range license-free thing in a cafe, probably sold as such to the restaurant / queueing trade. Hence the design that’d be impractical for discreetly keeping in your pocket.

      1. I used to work for a company that made very odd FLEX pagers well after you’d’ve thought they were gone. The big advantage for us was that many different devices could listen to the same address, and because it’s unidirectional that was just fine. They’re not really doing any more development, but they’re still paying USA Mobility for the privilege of sending pages.

        It turns out that there’s probably going to still be FLEX transmitters on top of all the hospitals for the predictable future. Both battery life and the narrowband FSK signal means it’s a lot easier to penetrate buildings.

        1. No kidding. There’s a hospital near me that transmits Flex as it’s in house communication. The scary part is that the local fire and police also use the same transmitter and frequency, all of them, hospital included, transmit everything in plain text.

          Names, addresses, medical records, current treatments, phone numbers, email addresses, suspect descriptions, licence plate numbers. He’ll I’ve even seen social security numbers complete with birthdates and full names being transmitted.

          Maybe they can’t encode the signals, but if so they need to either stop transmitting sensitive info or switch to a different system.

          1. FLEX supports an encrypted channel. I’ve only very rarely seen it used, though.

            FLEX supports 4-bit BCD, beacon, binary of any width from 1 to 16 bits, 7-bit alphanumeric, and 7-bit encrypted channels. Whether the carrier will let you send any given one of them was a point of contention.

          1. Over the company’s active lifetime, I think they’d sold roughly 2-3M devices listening to approximately 15 different pager addresses? Pretty certain bulk MMS doesn’t scale that well.

            Because pagers are unidirectional, there’s no ability to keep track of devices, and costs are just proportionate to bandwidth of transmission. It’s incrementally free to have more listeners, which isn’t true with the cellular infrastructure.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s