Friday, May 22, 2009

POCSAG and FLEX pager reception and decoding

Browsing the 900Mhz band last week, I came across the distinct sound of pager protocols on a handful of frequencies. Years ago I began listening to pagers on the 138Mhz band as my scanner at the time only reached the 500Mhz band as it’s highest frequency. With my ICOM-R7000, I am able to easily browse through the entire 900Mhz band where I have found most of the pager frequencies are located.

The two main protocols used by pagers are POCSAG and FLEX. Both protocols support tone only, numeric and alphanumeric pages at various bit rates. POCSAG uses FSK modulation with a +- 4.5Khz change of the carrier frequency. A +4.5Khz tone is a 0 and a -4.5Khz is a 1. Bit rates of 512 ,1200, and 2400 bits per second are supported. FLEX is another protocol which is newer and also uses FSK modulation. Bit rates are available at 1600, 3200, and 6400 bits per second. A key note to make about both of these protocols is the fact that their data is transmitted in clear text.

The only requirements to decode pager transmissions is a scanner / receiver capable of receiving FM on pager frequencies, ( the low 900Mhz band seems to be the most active) and software that is capable of decoding pager transmissions. The software I use is called PDW, and is freely available. It is capable of receiving both POCSAG and FLEX transmissions in all bit rates including a handful of other protocols.

For an antenna I’m using an outdoor wide-band antenna that has coverage in the 900Mhz band. I’m also utilizing a mini-circuits ZRL-2400LN wide band low noise preamp to help pull in any distant signals, even though it really isn’t necessary as these pager transmissions are fairly strong.

There are several interface methods available; the first is connecting your scanners audio output directly to the input of your sound card. The second involves taking he discriminator output of your scanner and connecting it directly to your soundcards input. The last method involves making an FSK to rs232 level decoder that takes the scanners audio output or discriminator output and converting it to serial data. I have actually had really good results with using the discriminator output of the R7000 and tying it to my sound card.


The ICOM-R7000 does not have a discriminator output, but it is an easy modification to add. The R7000 actually has a ‘spare’ rca connector on the back that can be used for any additional mods you wish to add, and tapping into the discriminator is an easy operation to do. There are instructions all over the place to do this so I won’t describe it here. The discriminator output is key since it provides access to the FSK pager audio before it is passed through filters on the scanner that usually destroy the signal.

I am passing this discriminator output directly to my soundcard line input and have had excellent results. Many people mention that this won’t work for the higher bit rates, but I am successfully decoding FLEX pages even at 6400 bps using this method. I used to use the audio output form my old scanner to my sound cards input with poor results. At best I was able to decode POCSAG at 512 bps. I would still like to make a 2 level or 4 level FSK converter, but I really find it isn’t necessary.

Finding the pager frequencies is fairly easy. There are many lists available around that I found from some searches, although I found many of them to be old and out of date. I had my best results by simply searching around and hearing them. This is better to perform during the day as I found pager transmissions are much more active than at night. I usually start right at 900Mhz and begin tuning up 5Khz at a time. Pagers are easy to find as the tone has a very distinctive sound. Several passes over the band may be required as some of the frequencies will be idle when no transmissions are present. I found the following frequencies to be very active by me:

940.870, 929.295, 929.620, 929.720, 931.340, 929.670, 929.545, 929.845, 931.345, and 929.495.

This may be different in your area, but most of these I believe are nationwide pager networks. Here are some of my results:

( I removed actual names and modified phone numbers as I have no interest in displaying real personal information. )

0389996 00:08:13 20-05-09 FLEX-A ALPHA 6400 MSN 019 hello Message from NOC PCB. 1510016
1424219 00:09:31 20-05-09 FLEX-A ALPHA 6400 THIS IS A TEST PERIODIC PAGE SEQUENTIAL NUMBER 7829
0769357 00:09:33 20-05-09 FLEX-C ALPHA 6400 0769357 00:09:46 20-05-09 FLEX-C ALPHA 6401 es 40 pts, 6 rebs, 4 ast vs. Carmelo Anthony's 39 pts, 6 reb, 4 ast...010243590 00:09:48 20-05-09 FLEX-A ALPHA 6400 801221234545020519203005192245005
010243590 00:10:03 20-05-09 FLEX-A ALPHA 6400 902051234545990519203005192245015
0186743 00:10:03 20-05-09 FLEX-C ALPHA 6400 MONTGOMERY, NJ (SOMERSET) *2ND ALARM* 16 HAMPTON CT. 2ND ALARM REQ ON ARRIVAL FOR THE F/I DWG W/POSS ENTRAP. NJ2
011156517 00:10:22 20-05-09 FLEX-A StNUM 6400 281 555-9405
011319993 00:10:22 20-05-09 FLEX-A StNUM 6400 213 555-4758
0000001 00:10:22 20-05-09 FLEX-A ALPHA 6400 MSN 030 hello Message from NOC PCB. 1111111111
010239056 00:11:39 20-05-09 FLEX-C ALPHA 6400 38767:Host:png,pBg_fcsw_4.png.com Event:nodedown [nvasp] [58]
010248578 00:14:13 20-05-09 FLEX-C ALPHA 6400 Feeder 07Q85 opened 05/20/09-00:03. 3 of the 24 feeders are out of service at FLUSHING NETWORK . [57]
0186742 00:41:01 20-05-09 FLEX-A ALPHA 3201 DV. BULK OF FIRE K/D. CO'S GOING INT FOR SEARCH & O/H. NJ2
0186743
002816630 00:41:37 20-05-09 FLEX-A SH/TONE 3200 520
003951995 00:44:05 20-05-09 FLEX-A ALPHA 3201 MSGW02MOM" CPU is running at 5.50 percent This event was generated by the script: "Exchange ... [88]
003435545 00:48:11 20-05-09 FLEX-A ALPHA 3200 HARD WATER IN CONDENSATE. CALL THE POWERHOUSE 3-7038. PAMS_24.Unack HARD WATER IN CONDENSATE *ALM* High [78]
003951995 00:43:11 20-05-09 FLEX-A ALPHA 3200 Store timed out at the 30 seconds threshold Exchange Server:"MOBMSPF05" MDB:"SG1 (MOBMSPF05)\SG1_Priv1_(MOBMSPF05)" Mailbo
003951995 00:43:22 20-05-09 FLEX-A ALPHA 3201 x:"MOBMSPF05MOM" CPU is running at 2.97 percent This event was generated by the script: ... [82]
002116131 00:07:43 20-05-09 FLEX-C ALPHA 6400 PATIENT - EMERGENCY
SAME
HER EYE WAS OPERATED ON LAST MONTH AND SHE HAS
EXTREME PAIN NOW


The message displayed in PDW consists of the pagers cap code (unique address), time, date, protocol, page type, bit rate, and finally the message. The cap code is the unique id set to each pager. All pagers on a certain frequency receive all pages on that frequency, but they only display pages where its cap code matches the code in the messages. I am seeing pages from a local hospital, sports scores, news, tower information transmissions, business nagios server alerts, other miscellaneous data, and of course pager numbers. It’s quite interesting to see how much information is easily received and decoded.

8 comments:

  1. Fantastic work. I had always assumed that such transmissions were cleartext based on the simplicity of the transmission and receive systems. I wonder how much of the system bandwidth is consumed by system messages rather than "payload" messages.

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete
  3. very cool! i am interested in trying this out but am unsure of exactly what sort of scanner i need. can you point me in the right direction by recommending a cheap scanner that will get the job done? i searched ebay but quickly discovered that searches for "scanner" are pretty useless, and without knowing a whole lot about this i am unable to further narrow the search. thanks

    ReplyDelete
  4. Hi, your description is great, especially for the newcomer.
    Here is a POCSAG decoder, built into the backshell of a DB9 socket.
    This may be useful to someone wanting to get into pager decoding.
    www.scannerantennasplitter.com/fsk_page01.htm

    ReplyDelete
  5. software radio is your buddy

    ReplyDelete
  6. The FM demodulated output of an FSK signal should be a rectangular waveform. The "9600baud packet" output of an Icom PCR1000 scanner is theoretically the raw discriminator output of the scanner. I plug this into my laptop soundcard's microphone-in port (as my laptop doesn't have a line-in port) via a Radioshack 1:1 audio isolation transformer (to block the DC voltage output from the mic-in port that usually powers a microphone, but could probably screw up the electronics in the radio if connected to the radio's discriminator). Unfortunately I'm getting a series of exponentially decaying pulses (each one I assume corresponding to an edge of the FSK's rectangular waveform). At first I assumed this was the effect of either the audio isolation transformer, or the mic-in port's DC blocking stage. But since this waveform is 6400baud (decoding highest speed FLEX mode) it should be switching fast enough that there should NOT be any exponentially decaying pulses, but rather an almost perfect rectangular wave. I'm beginning to think that the "9600baud packet" output of the Icom radio is NOT in fact the discriminator's output, but rather the derivative of the discriminator's output (converting rectangular waves into pulses). Either something is wrong with my Icom radio, or it is a cheaply made device that the engineers didn't properly design, and ended up producing a device who's supposed discriminator output is in fact the DERIVATIVE of the discriminator output. I hope that's not the case, and that it's my exact setup that's causing the problem, but I don't have an oscilloscope with DC-coupling to test it with (a soundcard is basically an oscilloscope with only AC-coupling available).

    ReplyDelete
  7. i just ordered a pcr1000 to decode flex. i also thought the (9600 packet out ) was a discriminator out. what have you found out? ptim15@hotmail.com

    ReplyDelete
    Replies
    1. I'm thinking that it's probably a problem with an impedance mismatch between the 9600 baud output and the audio isolation transformer. Though the transformer has an impedance of 500ohms, which is quite high, it's possible that the 9600baud output has a much higher impedance, maybe a few thousand ohms. If so, then the results I'm seeing could be the result of this mismatch. If you look at the hookup diagram for the radio, the 9600baud output is supposed to go to the "data input" port of an external modem or TNC (a type of hardware decoder for 9600baud packet). As such, if the data input port on the modem or TNC was many megaohms, (if it was a TTL device that was voltage sensitive, not current sensitive, and therefore didn't require current to drive it as audio equipment does) then it would work fine with that TNC or modem hardware. If this is the problem, then an impediance matching circuit may be required between the 9600baud discriminator output from the PCR1000 radio and the soundcard input (or between the radio and the isolation transformer that connects to the soundcard input as in my setup).

      Delete