An Intro to Paging Networks and POCSAG/FLEX Interception

by Black Axe

Pagers are very, very common nowadays.  Coverage is widespread and cheap, and the technology is accepted by most.  Ever wonder, though, what happens on these paging networks?  Ever wonder what kind of traffic comes across those pager frequencies?  Ever listen to your scanner on a pager frequency in frustration, hearing the data stream across that you just can't interpret?  Want to tap your radio, get a decoding program, and see what you've been missing?

Before I begin, let's cover just exactly how those precious few digits make it from the caller's keypad to the display of the pager in question.  Or perhaps your monitor...

Let's entertain a hypothetical situation in which I would like to speak with my friend, Dave.  First, I pick up my phone and dial Dave's pager number (555-1234).  I hear the message "Type in your phone number and hit the pound sign."  So I comply, enter 555-4321# and then hang up.  Here's where the fun starts.

This is all dependent on the coverage area of the pager.  The paging company receives the page when I enter it, and looks up the Channel Access Protocol (CAP) code of the pager it is to be sent to.  A CAP code is somewhat akin to an ESN on a cellphone; it identifies each specific pager on a given frequency.  The paging company will then send the data up to a satellite (usually), where it is rebroadcast to all towers that serve that particular paging network.  (Remember last year, when everyone's pagers stopped working for a few days?   It was just such a satellite that went out of orbit.)

The paging towers then transmit the page in all locations that Dave's pager is serviceable in.  In this case, let's say that Dave's pager has a coverage area that consists of a chunk of the East Coast, going from Boston down to Washington D.C., and out to Philadelphia.  The page intended for him is transmitted all throughout that region.  Since a pager is a one-way device, the network has no idea where the pager is, what it's doing, etc., so it just transmits each page all over the coverage area, every time.

"So?" you may say, "What's that do for me?"  Well, it means two different things.  First, pagers can be cloned with no fear of detection because the network just sends out the pages, and any pager with that CAP code on that frequency will beep and receive the data.

Second, it means that one can monitor pagers that are not based in their area.  Based on the example of Dave's pager, he might have bought it in New York City.  He also could live there.  However, because the data is transmitted all over the coverage area, monitoring systems in Boston, Washington D.C., and Philadelphia could all intercept his pages in real time.

Many paging customers are unaware of their paging coverage areas and usually do not denote the NPA (area code) from which the page is being received.  This can cause problems for the monitoring individual, who must always remember that 7-digit pages shown on the decoder display are not necessarily for their own NPA.

The Pager Decoding Setup

Maybe you knew this, maybe you didn't.... Paging networks aren't encrypted.

They all transmit data in the clear, generally in one of two formats.  The older format is POCSAG, which stands for Post Office Code Standards Advisory Group.  POCSAG is easily identified by two separate tones and then a burst of data.  POCSAG is fairly easy to decode.  FLEX, on the other hand, is a bit more difficult, but not impossible.  FLEX signals have only a single tone preceding the data burst.
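To make "in the clear" concrete, the sketch below (an added example, not part of the original article or of any decoding program it mentions) packs the article's sample callback number into POCSAG numeric message codewords and unpacks it again.  The codeword layout, generator polynomial and idle codeword are taken from the public POCSAG specification rather than from this page, and the function names are made up for the illustration.  The only thing wrapped around the digits is error detection against radio noise; there is no key anywhere, which is why nothing sensitive belongs in a page.

```python
# Added illustration of the POCSAG message codeword layout (not a radio decoder).
GEN = 0x769                # BCH(31,21) generator: x^10+x^9+x^8+x^6+x^5+x^3+1
IDLE = 0x7A89C197          # standard POCSAG idle codeword, used as a self-check
BCD = "0123456789*U -]["   # numeric character set by 4-bit value ('*' = reserved)

def bch_check_bits(data21):
    """Return the 10 BCH check bits for a 21-bit data field."""
    reg = data21 << 10
    for bit in range(30, 9, -1):
        if reg & (1 << bit):
            reg ^= GEN << (bit - 10)
    return reg & 0x3FF

def build_codeword(data21):
    """21 data bits + 10 check bits + 1 even-parity bit = one 32-bit codeword."""
    word31 = (data21 << 10) | bch_check_bits(data21)
    return (word31 << 1) | (bin(word31).count("1") & 1)

def codeword_ok(cw):
    """True when both the BCH check bits and the parity bit match the data."""
    return build_codeword(cw >> 11) == cw

def rev4(n):
    """Reverse a 4-bit value; numeric digits are sent least significant bit first."""
    return int(f"{n:04b}"[::-1], 2)

def encode_numeric(text):
    """Pack a numeric page into message codewords, five digits per codeword."""
    text += " " * (-len(text) % 5)          # pad the last codeword with spaces
    words = []
    for i in range(0, len(text), 5):
        field = 0
        for ch in text[i:i + 5]:
            field = (field << 4) | rev4(BCD.index(ch))
        words.append(build_codeword((1 << 20) | field))   # flag bit 1 = message
    return words

def decode_numeric(words):
    """Recover the digits from message codewords; no key is involved."""
    out = []
    for cw in words:
        if not codeword_ok(cw) or not cw >> 31:
            raise ValueError(f"bad or non-message codeword {cw:#010x}")
        field = (cw >> 11) & 0xFFFFF
        out += [BCD[rev4((field >> s) & 0xF)] for s in (16, 12, 8, 4, 0)]
    return "".join(out).rstrip()

if __name__ == "__main__":
    page = encode_numeric("555-4321")       # constructed sample from the article
    print([f"{w:#010x}" for w in page], decode_numeric(page))
```

A flipped bit makes `codeword_ok` fail, which is protection against noise only; it says nothing about who is listening.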

Here's how to take those annoying signals out of your scanner and onto your monitor.  You will need:

1.)  A scanner or other receiver with a discriminator output.  A discriminator output is a direct connection to the output of the discriminator chip on your scanner.  This is accomplished by soldering a single wire from the output pin of the NFM discriminator chip to the inner conductor of a jack installed on the scanner.  RCA jacks are commonly used for convenience.  A list of scanners and their discriminator chips can be found at www.comtronics.net/scandata.txt.  For obvious reasons, the larger and more spacious a scanner is internally, the easier the modification is to perform.

2.)  A computer is required to actually interpret and display the pages.  Most pager decoding software runs under Windows 95.  This includes all software which uses the sound card to decode signals.  If you have a data slicer, there are a few programs which will run under DOS.

3.)  You will need a Sound Blaster compatible sound card.  This will let you snag POCSAG traffic.  Or you can build a data slicer and decode FLEX traffic too.  Or you can be lazy and buy one from Texas 2-Way for about $80 or so.  The Sound Blaster method will obviously tie up your computer while decoding pages.  Using the slicer will let you run decoders on an old DOS box and will let you use your better computer for more important stuff.

4.)  Antennas, cabling, etc...  You will need an RCA cable (preferably shielded) to take the discriminator output either into the sound card or into the slicer.  If using a slicer, you will also need the cable to connect your slicer to your computer.  As far as antennas go, pager signals are very strong, so you won't need much of an antenna.  A rubber ducky with a right-angle adapter, attached right to the back of the radio, will be more than enough.  The signals are so damned strong that you might even be able to get away with a paper clip shoved into the antenna jack.  Think of what kind of an antenna your pager has; this should give you a good idea of what the requirements are in the antenna department.

Connect your scanner's discriminator output to either your data slicer or your sound card.  If using a sound card, be sure to use the line in connection.  If using a data slicer, connect that to the correct port on your computer.  Tune yourself a nice, strong (they're all strong, really) paging signal.

Where are they?  Well, the vast majority of numeric pagers are crystalled between 929 and 932 MHz.  Try there.  Or if you want to try decoding some alphanumeric pagers, try the VHF range around 158 MHz.  There is also some activity in the 460-470 MHz range.

Now what about software, you say?

That is where things start to get somewhat difficult.  Motorola developed most paging protocols in use and holds licenses to them.  Any software that decodes POCSAG or FLEX is a violation of Motorola's intellectual property rights.  So one day, the people at Motorola decided that they didn't want that software floating around.  They proceeded to look up everyone who had copies posted on the Web and told them that if they didn't take those specific programs off of the Web, it was court time.

The threatened webmasters removed the offending copies, fearing a lawsuit from Motorola.  After this, our good friends from the United States Secret Service arrested Bill Cheek and Keith Knipschild for messing around with decoding hardware and software - the SS appeared to want to make data slicers illegal.  Of course, these arrests were ridiculous, but nobody wanted to get busted.... so the vast majority of resources on American websites disappeared.  Checking around English or German sites may yield some interesting results.

Now you're ready.  Fire up the software.  Get that receiver on a nice, hot frequency.  Look at all of the pages streaming across the network.  Give it a few hours... getting bored yet?  Yes?  Okay... now that you have a functional decoding setup, let's make use of it.

Know someone's pager that you want to monitor?  Here's how to snag them...

First you need the frequency; it's usually inscribed on the back of the pager.  Also, you can try to determine what paging company they use, and then social engineer the freq out of the company.

www.perconcorp.com also has a search function where you can locate all of the paging transmitters (and freqs) in your area, listed by who owns 'em.  Not bad.  So you have the frequency... now what?

Well, wait until you have to actually talk to this person.  Get your setup cranking on the frequency that this person's pager is using.  Now, page him.  Pay close attention to the data coming across the network... see your phone number there?  See the CAP code that your phone number is addressed to?  That's it.

Some better decoding programs have provisions to log every single page to a certain CAP code to a logfile... this is a good thing.  Get a data slicer, set everything up on a dedicated 486, and have fun gathering data.

For updates to this article visit the Phone Punx Network.  Mail can be sent to the Phone Punx address and it will find its way to me.
