An Intro to Paging Networks and POCSAG/FLEX interception
by Black Axe
as appeared in Phone Punx Magazine Issue Two
http://fly.to/ppn

    Pagers are very, very common nowadays. Coverage is widespread and cheap, and the 
technology is accepted and understood by most. Ever wonder, though, what happens on these 
paging networks? Ever wonder what kind of traffic comes across those pager frequencies? 
Ever listen to your scanner on a pager frequency in frustration, hearing the data stream 
across that you just can't interpret?  Want to tap your radio, get a decoding program, and 
see what you've been missing?

    Before I begin, let's cover just exactly how those precious few digits make it from 
the caller's keypad to the display of the pager in question (or, perhaps, your monitor). 
Let's look at this from the perspective of a drug dealer with a pager (Joe), and a confused 
old lady paging him (Ethel).

    First, Ethel picks up her phone, and dials Joe's pager number (555-1234).
    Ethel hears the message "type in your phone # and hit #", so she complies and enters
    555-6969#, and then hangs up.

    Here's where the fun starts. This is all dependent on the coverage area of the 
    pager. The paging company receives the page from Ethel, and looks up the capcode of 
    the pager it is to be sent to. A capcode is somewhat akin to an ESN on a cellphone;
    it identifies each specific pager on a given frequency. The paging company will then 
    send the data up to a satellite (usually), where it is rebroadcast to all towers 
    that serve that particular paging network. Remember last year, when everyone's pagers 
    stopped working for a few days? It was the satellite that we are now discussing that 
    went out of orbit. The paging towers then transmit the page in all locations that 
    Joe's pager is serviceable in. In this case, let's say that Joe's pager has a coverage 
    area that consists of a chunk of the East Coast, going from Boston down to Washington 
    DC, and out to Philadelphia. The page intended for Joe is transmitted all throughout 
    that region. Since a pager is a one-way device, the network has no idea as to where the 
    pager is, what it's doing, etc., so it just transmits each page all over the coverage 
    area, every time. "So?", you may say, "what's that do for me?" Well, it means two 
    different things: first, that pagers can be cloned with no fear of detection, because 
    the network just sends out the pages, and any pager with that code on that frequency 
    will beep and receive the data. Second, it means that one can monitor pagers that are not
    based in their area. Based on the example of Joe's pager, Joe might have bought his 
    pager in New York City. He also could live there. However, because the data is 
    transmitted all over the coverage area, monitoring systems in Boston, Washington DC, and
    Philadelphia could all intercept Joe's pages in real time. Many paging customers are 
    unaware of their paging coverage areas, and callers usually do not include the NPA (area 
    code) in the number they enter. This can cause problems for the monitoring 
    individual, who must always remember that 7-digit pages shown on the decoder display 
    are not necessarily for their own NPA.
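    To make the capcode addressing concrete, here is an added example (not from the original article) that builds and validates a POCSAG address codeword. The word carries only the capcode, two function bits and BCH error-correction bits; there is no sender identity and nothing a receiver could authenticate, which is why a cloned pager is indistinguishable from the real one. The sample capcode 1234567 is constructed; the generator polynomial and the idle codeword are the standard values.

```python
# POCSAG address codeword (32 bits, MSB first): 1 type bit (0 = address),
# 18 address bits, 2 function bits, 10 BCH(31,21) check bits, 1 even-parity bit.
# Added example, not code from the original article.

BCH_GEN = 0x769  # x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1


def bch_syndrome(word31: int) -> int:
    """Remainder of the 31-bit word divided by the generator over GF(2).
    Zero means the check bits agree with the 21 data bits."""
    reg = word31
    for bit in range(30, 9, -1):
        if reg & (1 << bit):
            reg ^= BCH_GEN << (bit - 10)
    return reg & 0x3FF


def make_address_codeword(capcode: int, function: int) -> int:
    """Build the 32-bit address codeword for a capcode.  The low three capcode
    bits select the batch frame (0-7) and are never transmitted."""
    data21 = (((capcode >> 3) & 0x3FFFF) << 2) | (function & 3)
    word31 = (data21 << 10) | bch_syndrome(data21 << 10)
    parity = bin(word31).count("1") & 1      # make the 32-bit word even parity
    return (word31 << 1) | parity


def decode_address(codeword: int, frame: int):
    """Return (capcode, function) for a valid address codeword received in
    batch frame `frame`, or None if parity/BCH fail or it is a message word."""
    if bin(codeword).count("1") & 1:
        return None                          # odd parity: bit error
    if bch_syndrome(codeword >> 1):
        return None                          # check bits disagree with data
    if codeword & (1 << 31):
        return None                          # bit 31 set: message word
    addr18 = (codeword >> 13) & 0x3FFFF
    function = (codeword >> 11) & 3
    return (addr18 << 3) | (frame & 7), function


IDLE_CODEWORD = 0x7A89C197  # standard POCSAG idle word, capcode 2007664

if __name__ == "__main__":
    cw = make_address_codeword(1234567, 2)   # constructed sample capcode
    print(hex(cw), decode_address(cw, 1234567 & 7))
    print(decode_address(IDLE_CODEWORD, 0))
```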

The Pager Decoding Setup

    Paging networks aren't encrypted. They all transmit data in the clear, generally in one 
of two formats. The older format is POCSAG, which stands for Post Office Code Standards 
Advisory Group. POCSAG is easily identified by two separate tones, and then a burst of data.
POCSAG is fairly easy to decode. FLEX, on the other hand, is a bit more difficult, but not
impossible. FLEX signals have only a single tone preceding the data burst. Here's how to 
take those annoying signals out of your scanner and onto your monitor. You will need:

   1. A scanner or other receiver with a discriminator output. Info on this mod is available 
      on the net and it's fairly easy to perform. This will enable you to get a clean audio
      signal out of the scanner, as opposed to the amplified crap out of the speaker or 
      headphone jack.
 
   2. A computer. 

   3. You will need a Soundblaster compatible soundcard. This will let you snag POCSAG 
      traffic. Or, you can build a data slicer and decode FLEX traffic too. Or you can be 
      lazy and buy one from Texas 2-Way for about $80 or so. The Soundblaster method will
      obviously tie up your computer decoding pages. Using the slicer will let you run 
      decoders on an old DOS box and will let you use your better computer for more 
      important stuff.

   4. Antennas, cabling, etc. You will need an RCA cable (preferably shielded) to take the
      discriminator output either into the soundcard or into the slicer. If using a slicer, 
      you will also need the cable to connect your slicer to your computer. As far as antennas
      go, pager signals are VERY strong, so you won't need much of an antenna. I generally 
      use a rubber ducky with a right angle adapter, attached right to the back of the radio,
      and it works fine. The signals are so damned strong that you might even be able to get 
      away with a paper clip shoved into the antenna jack.

    Hook all of this stuff together; it should be obvious how it is assembled. Tune
yourself a nice, strong (they're all strong, really) paging signal. Where are they? Well, the
vast majority of numeric pagers are crystalled between 929 and 932 MHz; try there. Or if you 
want to try decoding some alphanumeric pagers, try 158.1 MHz. Now, what about software, you 
say?  That is where things start to get kinda hairy. See, Motorola developed most of this 
stuff, and holds licenses to it. Any software that decodes POCSAG is some sort of copyright 
violation or something or other, hell, I don't know. So one day, the morons at Mot decided 
that they didn't want that software floating around. So they looked up everyone who had copies
posted on the Web and told em that if they didn't knock it off, it was court time. The 
threatened webmasters removed the offending copies, fearing a lawsuit from the well-heeled
Motorola with their gangs of lawyers. Ouch. After this, our good friends from the United 
States Secret Service arrested Bill Cheek and Keith Knipschild for messing around with 
decoding hardware and software - the SS appeared to want to make data slicers illegal. Of 
course, these arrests were ridiculous, but nobody wanted to get busted, so the vast majority 
of resources on American websites disappeared. Checking around English or German sites may
yield some interesting results.

    Now you're ready. Fire up the software. Get that receiver on a nice, hot frequency. Look 
at all of the pages streaming across the network. Give it a few hours. Getting bored yet? 
Okay, now that you have a functional decoding setup, let's make use of it. Know someone's 
pager that you want to monitor? Here's how to snag em. First you need the frequency; it's
usually inscribed on the back of the pager. Also, you can try to determine what paging company
they use and then social engineer the freq out of the company. www.perconcorp.com also has a
search function where you can locate all of the paging transmitters (and freqs) in your area,
listed by who owns em. Not bad. So you have the frequency, now what? Well, wait until you 
have to actually talk to this person. Get your setup cranking on the frequency that this
person's pager is using. Now, page him. Pay close attention to the data coming across the
network. See your phone number there? See the capcode that your phone number is addressed to?
That's it. Some better decoding programs have provisions to log every single page to a certain
capcode to a logfile; this is a good thing. Get a data slicer, set everything up on a 
dedicated 486, and have fun gathering data.