An Intro to Paging Networks and POCSAG/FLEX interception
by Black Axe
as appeared in Phone Punx Magazine Issue Two
http://fly.to/ppn

Pagers are very, very common nowadays. Coverage is widespread and cheap, and the technology is accepted and understood by most. Ever wonder, though, what happens on these paging networks? Ever wonder what kind of traffic comes across those pager frequencies? Ever listen to your scanner on a pager frequency in frustration, hearing the data stream across that you just can't interpret? Want to tap your radio, get a decoding program, and see what you've been missing?

Before I begin, let's cover just exactly how those precious few digits make it from the caller's keypad to the display of the pager in question (or, perhaps, your monitor). Let's look at this from the perspective of a drug dealer with a pager (Joe), and a confused old lady paging him (Ethel).

First, Ethel picks up her phone, and dials Joe's pager number (555-1234). Ethel hears the message "type in your phone # and hit #", so she complies and enters 555-6969#, and then hangs up.

Here's where the fun starts. This is all dependent on the coverage area of the pager. The paging company receives the page from Ethel, and looks up the capcode of the pager it is to be sent to. A capcode is somewhat akin to an ESN on a cellphone; it identifies each specific pager on a given frequency. The paging company will then send the data up to a satellite (usually), where it is rebroadcast to all towers that serve that particular paging network. Remember last year, when everyone's pagers stopped working for a few days? It was the satellite that we are now discussing that went out of orbit. The paging towers then transmit the page in all locations that Joe's pager is serviceable in. In this case, let's say that Joe's pager has a coverage area that consists of a chunk of the East Coast, going from Boston down to Washington DC, and out to Philadelphia.
The page intended for Joe is transmitted all throughout that region. Since a pager is a one-way device, the network has no idea as to where the pager is, what it's doing, etc., so it just transmits each page all over the coverage area, every time. "So?", you may say, "what's that do for me?" Well, it means two different things: first, that pagers can be cloned with no fear of detection, because the network just sends out the pages, and any pager with that code on that frequency will beep and receive the data. Second, it means that one can monitor pagers that are not based in their area. Based on the example of Joe's pager, Joe might have bought his pager in New York City. He also could live there. However, because the data is transmitted all over the coverage area, monitoring systems in Boston, Washington DC, and Philadelphia could all intercept Joe's pages in real time.

Many paging customers are unaware of their paging coverage areas, and usually do not denote the NPA (area code) from which the page is being received. This can cause problems for the monitoring individual, who must always remember that 7-digit pages shown on the decoder display are not necessarily for their own NPA.

The Pager Decoding Setup

Paging networks aren't encrypted. They all transmit data in the clear, generally in one of two formats. The older format is POCSAG, which stands for Post Office Code Standards Advisory Group. POCSAG is easily identified by two separate tones, and then a burst of data. POCSAG is fairly easy to decode. FLEX, on the other hand, is a bit more difficult, but not impossible. FLEX signals have only a single tone preceding the data burst. Here's how to take those annoying signals out of your scanner and onto your monitor. You will need:

1. A scanner or other receiver with a discriminator output. Info on this mod is available on the net and it's fairly easy to perform.
This will enable you to get a clean audio signal out of the scanner, as opposed to the amplified crap out of the speaker or headphone jack.

2. A computer.

3. A Soundblaster-compatible soundcard. This will let you snag POCSAG traffic. Or, you can build a data slicer and decode FLEX traffic too. Or you can be lazy and buy one from Texas 2-Way for about $80 or so. The Soundblaster method will obviously tie up your computer decoding pages. Using the slicer will let you run decoders on an old DOS box and will let you use your better computer for more important stuff.

4. Antennas, cabling, etc. You will need an RCA cable (preferably shielded) to take the discriminator output either into the soundcard or into the slicer. If using a slicer, you will also need the cable to connect your slicer to your computer. As far as antennas go, pager signals are VERY strong, so you won't need much of an antenna. I generally use a rubber ducky with a right angle adapter, attached right to the back of the radio; it works fine. The signals are so damned strong that you might even be able to get away with a paper clip shoved into the antenna jack.

Hook all of this stuff together; it should be obvious as to how it is assembled. Tune yourself a nice, strong (they're all strong, really) paging signal. Where are they? Well, the vast majority of numeric pagers are crystalled between 929 and 932 MHz; try there. Or if you want to try decoding some alphanumeric pagers, try 158.1 MHz.

Now, what about software, you say? That is where things start to get kinda hairy. See, Motorola developed most of this stuff, and holds licenses to it. Any software that decodes POCSAG is some sort of copyright violation or something or other; hell, I don't know. So one day, the morons at Mot decided that they didn't want that software floating around. So they looked up everyone who had copies posted on the Web and told 'em that if they didn't knock it off, it was court time.
The threatened webmasters removed the offending copies, fearing a lawsuit from the well-heeled Motorola with their gangs of lawyers. Ouch.

After this, our good friends from the United States Secret Service arrested Bill Cheek and Keith Knipschild for messing around with decoding hardware and software - the SS appeared to want to make data slicers illegal. Of course, these arrests were ridiculous, but nobody wanted to get busted, so the vast majority of resources on American websites disappeared. Checking around English or German sites may yield some interesting results.

Now you're ready. Fire up the software. Get that receiver on a nice, hot frequency. Look at all of the pages streaming across the network. Give it a few hours. Getting bored yet?

Okay, now that you have a functional decoding setup, let's make use of it. Know someone's pager that you want to monitor? Here's how to snag 'em. First you need the frequency; it's usually inscribed on the back of the pager. Also, you can try to determine what paging company they use and then social engineer the freq out of the company. www.perconcorp.com also has a search function where you can locate all of the paging transmitters (and freqs) in your area, listed by who owns 'em. Not bad.

So you have the frequency, now what? Well, wait until you have to actually talk to this person. Get your setup cranking on the frequency that this person's pager is using. Now, page him. Pay close attention to the data coming across the network. See your phone number there? See the capcode that your phone number is addressed to? That's it.

Some better decoding programs have provisions to log every single page to a certain capcode to a logfile; this is a good thing. Get a data slicer, set everything up on a dedicated 486, and have fun gathering data.
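
The Pager Decoding Setup section says paging networks transmit in the clear. This added example (not from the original article or from any decoder it mentions) shows why, using the public POCSAG codeword layout: 21 data bits, 10 BCH check bits and one parity bit, with nothing that hides or authenticates the content. The capcode 1234567 and every codeword are constructed here, and rendering the spare digit code 0xA as '*' is an assumption.

```python
# Added example: POCSAG codeword layout. Sample codewords are constructed, not captured.
GEN = 0x769                          # BCH(31,21) generator x^10+x^9+x^8+x^6+x^5+x^3+1
SYNC, IDLE = 0x7CD215D8, 0x7A89C197  # standard sync and idle codewords
DIGITS = "0123456789*U -)("          # numeric set; '*' for spare code 0xA is an assumption

def bch_remainder(bits31):
    """Remainder of a 31-bit value divided by GEN; 0 means the check bits agree."""
    for pos in range(30, 9, -1):
        if bits31 >> pos & 1:
            bits31 ^= GEN << (pos - 10)
    return bits31

def seal(data21):
    """Append the 10 BCH check bits and the even-parity bit to 21 data bits."""
    cw31 = (data21 << 10) | bch_remainder(data21 << 10)
    return (cw31 << 1) | (bin(cw31).count("1") & 1)

def is_valid(cw):
    return bch_remainder(cw >> 1) == 0 and bin(cw).count("1") % 2 == 0

def rev4(n):
    return int(f"{n:04b}"[::-1], 2)  # each digit is sent least-significant bit first

def address_cw(capcode, function=0):
    # Flag bit 0, 18 address bits, 2 function bits; low 3 capcode bits select the frame.
    return seal((capcode >> 3) << 2 | function)

def numeric_cws(text):
    text += " " * (-len(text) % 5)   # five BCD digits per codeword, space padded
    out = []
    for i in range(0, len(text), 5):
        payload = 0
        for ch in text[i:i + 5]:
            payload = payload << 4 | rev4(DIGITS.index(ch))
        out.append(seal(1 << 20 | payload))  # flag bit 1 marks a message codeword
    return out

def read_slot(frame, cws):
    """Return (capcode, digits) for an address codeword and its message codewords."""
    capcode, digits = None, ""
    for cw in cws:
        if not is_valid(cw) or cw == IDLE:   # damaged or idle codewords are skipped
            continue
        if cw >> 31 == 0:
            capcode = (cw >> 13 & 0x3FFFF) << 3 | frame
        else:
            payload = cw >> 11 & 0xFFFFF
            digits += "".join(DIGITS[rev4(payload >> s & 0xF)] for s in (16, 12, 8, 4, 0))
    return capcode, digits.rstrip()
```

The BCH and parity bits only catch transmission errors, so confidentiality has to come from what the sender puts in the message, not from the air interface.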