2600 Magazine_ The Hacker Quarterly - Digital Edition - Summer 2011 - 2600 Magazine [29]
Radio Frequency Scanner - A programmable radio is the key component to intercepting pager transmissions. The device can be any programmable radio that has the capability of monitoring the frequencies that are used for pager transmissions. Radio scanners, also known as police scanners, make an excellent choice as they cover most frequencies used by pager systems and often come with line-level out or signal discriminators that make accessing the raw signal stream transmission significantly easier. With that said, any radio with an earphone or line-out jack that covers the appropriate frequencies can be used in a pinch with a little dedication and patience.
Data Slicer - Data slicers act as the decoder and interpreter of pager transmissions and come in a dizzying array of capabilities and functions. The purpose of the data slicer is to take the received radio transmission, interpret the FSK modulation, and convert it to 0s and 1s so it can be converted back to plain text. Data slicers can be obtained in either hardware or software based formats. Hardware data slicers can be purchased or built for very low cost. Hardware data slicers typically come in one of two formats, either two level or four level modulation decoding. The difference between them will allow you to decode different protocols and at different speeds. A software data slicer can also be used. Software data slicers work in much the same way as hardware data slicers. Software data slicers utilize the line-in jack of a sound card to collect and decode the radio transmissions. While software data slicers have the same capabilities as hardware ones, they are often harder to configure and more prone to error and distortion than their hardware brethren. The majority of pager transmissions that are alphanumeric are typically transmitted at 9600 baud. A hardware four level data slicer is required to consistently decode transmissions at these speeds. Many free software data slicers exist including "Paging Decoder for Windows (PDW)," available at http://www.gsm-antennes.nl/PDW/pdw.php?lang=eng and "Multimon" for Linux, formerly available at http://nathan.chantrell.net/old-stuff/radio/radio-scanning/pocsag-pager-decoding . (Searching for “Multimon Linux” will uncover other sites.) Both applications allow you to use a hardware data slicer or a sound card as input devices.
Decoding Software - The decoding software receives the decoded radio transmission and converts it back into text. The primary difference between the decoding software applications is the number and complexity of paging protocols that they support. The two applications mentioned above are both excellent for decoding POCSAG and FLEX transmissions as well as numerous others protocols. Both the applications are capable of decoding and interpreting pager transmissions. There are numerous other good decoding software applications that only work with the hardware data slicers including "WinFlex" and "Pocflex" available at http://homepages.ihug.co.nz/~Sbarnes/pocsag . "Paging Decoder for Windows (PDW)" is by far the most current and supported pager transmission decoding application available and it's free!
The Test
As an example setup for this experiment, a Uniden BC898T programmable scanner was used along with a two level data slicer designed by L0pht Heavy Industries in the early 90s. These were used with Paging Decoder for Windows (PDW) version 3.1. The scanner has a 1/8" line-out jack on the front side as does the RS-232 connected data slicer. Application setup is extremely simple. Simply select the hardware interface and the type of pager protocol to decode. By default, the PDW 3.1 will default to using a hardware data slicer on com1 and will decode POCSAG and FLEX at the highest speed supported by the data slicer.
Pager transmissions have a very distinctive sound and are easily found by scanning up and down the various frequency ranges. For this experiment, the focus was on low