We love pager hacks. One of our earliest head-slappers was completely reverse-engineering a restaurant pager’s protocol, only to find out that it was industry-standard POCSAG. Doh!
[Corn] apparently scratches the same itch, but in the Netherlands where the FLEX protocol is more common. In addition to walking us through all of the details of the FLEX system, he bought a FLEX pager, gutted it, and soldered on an ATMega328 board and an ESP8266. The former does the FLEX decoding, and the latter posts whatever it hears on his local network.
These days, we’re sure that you could do the same thing with a Raspberry Pi and SDR, but we love the old-school approach of buying a pager and tapping into its signals. And it makes a better stand-alone device with a much lower power budget. If you find yourself in possession of some old POCSAG pagers, you should check out [Corn]’s previous work: an OpenWRT router that sends pages.
One time at a garage sale there were endless pagers, a dollar each. I assumed they were low-end superregenerative pagers, from the price and quantity. So I only bought 2 or 3. A disappointment when I got home, they were superhet. I should have bought more, at a dollar, a steal of a price for a receiver in that frequency range. This was about 20 years ago, maybe a bit less.
Micheal
I love garage sales, I got 3 multimeters that retail for $70 each at one recently. I paid $10 for the lot ($3.3333 each). And now the idea of paying a repeating decimal price is messing with my head…
You could go bang on the guy’s door, long into the night, demanding your penny back. Or that he accepts two more pennies from you. If it’s causing you sleepless nights, why not him?
Actually you paid $3.33 for two of them. The third, with the slightly nicer display, was $3.34. Feel better now?
So if restaurant pagers are POCSAG “The next question is inevitable. How much havoc would ensue if someone were to loop through all 262,144 possible addresses and send a message like this? I’ll leave it as hypothetical.”
(From http://www.windytan.com/2013/09/the-burger-pager.html)
If you see people with SDR dongles in your coffee shop, don’t be surprised at what’s next…
Depending on the pager manufacturer, there may also be an all-call code which is normally used to help staff find stray pagers at the end of the night. Not-so hypothetically.
There exists POCSAG decoder software that takes an audio signal into your sound card, from any basic FM scanner. You could read the encoding key from the header, by firing up any wav file analysis tool. POC32, I think it was named, but I’m sure there will be lots more options these days. – Live stock quotes, galore!
I’m amazed POCSAG, and pagers at all, are still going. SMS surely superseded them 20-odd years ago. I suppose one advantage they have is only needing a little bit of the frequency spectrum, and they’d be a handy fallback in the dubious circumstance that an EMP bomb destroys all electronics from the mid-1990s onward.
I half remember hearing about paging being switched off years ago. I suppose this is only a short range license-free thing in a cafe, probably sold as such to the restaurant / queueing trade. Hence the design that’d be impractical for discreetly keeping in your pocket.
Not that many users left now though but they’re still popular with hospitals. The long battery life is where they win over SMS.
For me they win on tracking, it’s a pure receiver and there is not the constant tracking 86400/1440/24/7.
(it’s appropriate to go down to the second I think).
I used to work for a company that made very odd FLEX pagers well after you’d’ve thought they were gone. The big advantage for us was that many different devices could listen to the same address, and because it’s unidirectional that was just fine. They’re not really doing any more development, but they’re still paying USA Mobility for the privilege of sending pages.
It turns out that there’s probably going to still be FLEX transmitters on top of all the hospitals for the predictable future. Both battery life and the narrowband FSK signal means it’s a lot easier to penetrate buildings.
No kidding. There’s a hospital near me that transmits FLEX as its in-house communication. The scary part is that the local fire and police also use the same transmitter and frequency; all of them, hospital included, transmit everything in plain text.
Names, addresses, medical records, current treatments, phone numbers, email addresses, suspect descriptions, licence plate numbers. Hell, I’ve even seen social security numbers complete with birthdates and full names being transmitted.
Maybe they can’t encode the signals, but if so they need to either stop transmitting sensitive info or switch to a different system.
FLEX supports an encrypted channel. I’ve only very rarely seen it used, though.
FLEX supports 4-bit BCD, beacon, binary of any width from 1 to 16 bits, 7-bit alphanumeric, and 7-bit encrypted channels. Whether the carrier will let you send any given one of them was a point of contention.
There is such a thing as group-SMS though.
Over the company’s active lifetime, I think they’d sold roughly 2-3M devices listening to approximately 15 different pager addresses? Pretty certain bulk MMS doesn’t scale that well.
Because pagers are unidirectional, there’s no ability to keep track of devices, and costs are just proportionate to bandwidth of transmission. It’s incrementally free to have more listeners, which isn’t true with the cellular infrastructure.
Does anybody know any hack with ERMES pagers (failed European competition attempt to POCSAG)?
https://en.wikipedia.org/wiki/ERMES
Is there any possibility to contact the [Corn]/Jelmer Bruijn? I cannot find any Email address, Twitter handle etc. :(
Hello! Any idea on how to send flex messages using rpitx? or some other software?