Category: Pager

Recovering the Motorola Pager Password

I used a programmer written for Arduino to read the pager's EEPROM (thanks Dmitrii for the link). The dump is 256 bytes: the upper half holds the pager's Brazilian-Portuguese menu strings, and the password is not stored anywhere in it as plain ASCII:

      00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0000  C6 72 DE D1 64 4C 00 00 00 00 92 BC 83 3B 92 BC    .r..dL.......;..
0010  E7 0C 00 00 00 00 70 08 08 08 08 88 88 88 88 B6    ......p.........
0020  1C 6C 4D 82 6D E2 9C FF FF 00 00 90 09 0B 00 1D    .lM.m...........
0030  4C 00 80 24 40 89 8F 8B 5E 5F 60 7B 93 7D 7E 20    L..$@...^_`{.}~ 
0040  FE BE A8 AA FE BE A8 AA B4 B4 B4 B4 B4 B4 B4 B4    ................
0050  AA AA CC 00 00 00 00 00 00 00 00 00 04 00 00 00    ................
0060  00 00 00 80 00 29 26 29 4B 4C 41 36 49 54 38 4E    .....)&)KLA6IT8N
0070  31 4F 42 36 20 41 50 41 47 41 52 20 3F 20 20 44    1OB6 APAGAR ?  D
0080  45 53 41 54 49 56 41 44 4F 20 20 20 20 20 20 20    ESATIVADO       
0090  20 20 50 49 4C 48 41 20 47 41 53 54 41 20 4D 45      PILHA GASTA ME
00A0  4D 2E 20 43 48 45 49 41 20 20 44 55 50 4C 49 43    M. CHEIA  DUPLIC
00B0  41 44 4F 20 20 20 4C 49 47 41 2F 44 45 53 4C 49    ADO   LIGA/DESLI
00C0  47 41 20 53 4F 20 54 4F 4D 20 20 20 20 20 20 20    GA SO TOM       
00D0  47 52 55 50 4F 20 20 20 20 20 20 20 20 20 43 4F    GRUPO         CO
00E0  4E 45 43 54 45 4C 20 20 20 20 20 20 41 44 31 42    NECTEL      AD1B
00F0  57 48 33 52 50 33 41 44 31 42 57 48 33 52 50 33    WH3RP3AD1BWH3RP3

Pager Password:
MOUSE
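As an added example (not code from the page or from the Arduino programmer), here is a small Python parser for the hex-dump format above. It turns the dump back into the 256 EEPROM bytes, refusing gaps or overlaps in the offsets, pulls out the printable strings the way strings(1) would, and checks whether a given password is stored in the clear. Run over the dump above it shows the Portuguese menu strings starting at 0x65 and a 10-character block repeated twice at the end, and confirms that "MOUSE" is not present as plain ASCII, so the Arduino programmer must be decoding it from one of the non-printable fields.

```python
"""Parse the Advisor EEPROM hex dump shown above and pull out its printable
strings: added example, not code from the page or from the Arduino programmer."""
import re

# The 256-byte dump from the page, copied here as the example's input
# (offset and the 16 hex bytes only; a trailing ASCII column is tolerated).
ADVISOR_EEPROM_DUMP = """\
0000  C6 72 DE D1 64 4C 00 00 00 00 92 BC 83 3B 92 BC
0010  E7 0C 00 00 00 00 70 08 08 08 08 88 88 88 88 B6
0020  1C 6C 4D 82 6D E2 9C FF FF 00 00 90 09 0B 00 1D
0030  4C 00 80 24 40 89 8F 8B 5E 5F 60 7B 93 7D 7E 20
0040  FE BE A8 AA FE BE A8 AA B4 B4 B4 B4 B4 B4 B4 B4
0050  AA AA CC 00 00 00 00 00 00 00 00 00 04 00 00 00
0060  00 00 00 80 00 29 26 29 4B 4C 41 36 49 54 38 4E
0070  31 4F 42 36 20 41 50 41 47 41 52 20 3F 20 20 44
0080  45 53 41 54 49 56 41 44 4F 20 20 20 20 20 20 20
0090  20 20 50 49 4C 48 41 20 47 41 53 54 41 20 4D 45
00A0  4D 2E 20 43 48 45 49 41 20 20 44 55 50 4C 49 43
00B0  41 44 4F 20 20 20 4C 49 47 41 2F 44 45 53 4C 49
00C0  47 41 20 53 4F 20 54 4F 4D 20 20 20 20 20 20 20
00D0  47 52 55 50 4F 20 20 20 20 20 20 20 20 20 43 4F
00E0  4E 45 43 54 45 4C 20 20 20 20 20 20 41 44 31 42
00F0  57 48 33 52 50 33 41 44 31 42 57 48 33 52 50 33
"""

# 4-digit offset, then exactly 16 hex bytes; anything after that is ignored
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{2}\s+){15}[0-9A-Fa-f]{2})")


def parse_hexdump(text):
    """Return the bytes of a hex dump, refusing gaps or overlaps in the offsets."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue                      # header, blank or non-dump line
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#06x} does not follow {len(out):#06x}")
        out += bytes.fromhex(m.group(2))  # fromhex ignores the spaces between bytes
    return bytes(out)


def ascii_strings(data, min_len=4):
    """Like strings(1): (offset, text) for runs of printable ASCII >= min_len."""
    found, start = [], None
    for i, b in enumerate(data + b"\x00"):         # sentinel closes a trailing run
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    return found


def clear_text_offset(data, secret):
    """Offset of an ASCII secret if the EEPROM stores it in the clear, else -1."""
    return data.find(secret.encode("ascii"))


if __name__ == "__main__":
    eeprom = parse_hexdump(ADVISOR_EEPROM_DUMP)
    for off, s in ascii_strings(eeprom):
        print(f"{off:#06x}: {s!r}")
    print("password in clear:", clear_text_offset(eeprom, "MOUSE"))   # -1
```

The offset check matters when you paste dumps from a terminal: a dropped or duplicated line silently shifts every later address, which is exactly the kind of error that makes a later "write any data to the specified EEPROM address" step brick a device.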

Using AVRDUDE with USBASP to flash firmware on Arduino Atmega328P chip

This is the command I used to program the ATmega328P with the firmware that reads and edits the Motorola Advisor's EEPROM (the programmer mentioned above):

$ avrdude -C /etc/avrdude.conf -c usbasp -p atmega328p -U flash:w:"v3/ADVISOR_EEP_ARD328_v3.hex":i -v

avrdude: Version 6.3-20171130
         Copyright (c) 2000-2005 Brian Dean, http://www.bdmicro.com/
         Copyright (c) 2007-2014 Joerg Wunsch

         System wide configuration file is "/etc/avrdude.conf"
         User configuration file is "/home/alan/.avrduderc"
         User configuration file does not exist or is not a regular file, skipping

         Using Port                    : usb
         Using Programmer              : usbasp
         AVR Part                      : ATmega328P
         Chip Erase delay              : 9000 us
         PAGEL                         : PD7
         BS2                           : PC2
         RESET disposition             : dedicated
         RETRY pulse                   : SCK
         serial program mode           : yes
         parallel program mode         : yes
         Timeout                       : 200
         StabDelay                     : 100
         CmdexeDelay                   : 25
         SyncLoops                     : 32
         ByteDelay                     : 0
         PollIndex                     : 3
         PollValue                     : 0x53
         Memory Detail                 :

                                  Block Poll               Page                       Polled
           Memory Type Mode Delay Size  Indx Paged  Size   Size #Pages MinW  MaxW   ReadBack
           ----------- ---- ----- ----- ---- ------ ------ ---- ------ ----- ----- ---------
           eeprom        65    20     4    0 no       1024    4      0  3600  3600 0xff 0xff
           flash         65     6   128    0 yes     32768  128    256  4500  4500 0xff 0xff
           lfuse          0     0     0    0 no          1    0      0  4500  4500 0x00 0x00
           hfuse          0     0     0    0 no          1    0      0  4500  4500 0x00 0x00
           efuse          0     0     0    0 no          1    0      0  4500  4500 0x00 0x00
           lock           0     0     0    0 no          1    0      0  4500  4500 0x00 0x00
           calibration    0     0     0    0 no          1    0      0     0     0 0x00 0x00
           signature      0     0     0    0 no          3    0      0     0     0 0x00 0x00

         Programmer Type : usbasp
         Description     : USBasp, http://www.fischl.de/usbasp/

avrdude: auto set sck period (because given equals null)
avrdude: warning: cannot set sck period. please check for usbasp firmware update.
avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.00s

avrdude: Device signature = 0x1e950f (probably m328p)
avrdude: safemode: lfuse reads as FF
avrdude: safemode: hfuse reads as DA
avrdude: safemode: efuse reads as FD
avrdude: NOTE: "flash" memory has been specified, an erase cycle will be performed
         To disable this feature, specify the -D option.
avrdude: erasing chip
avrdude: auto set sck period (because given equals null)
avrdude: warning: cannot set sck period. please check for usbasp firmware update.
avrdude: reading input file "v3/ADVISOR_EEP_ARD328_v3.hex"
avrdude: writing flash (5732 bytes):

Writing | ################################################## | 100% 3.92s

avrdude: 5732 bytes of flash written
avrdude: verifying flash memory against v3/ADVISOR_EEP_ARD328_v3.hex:
avrdude: load data flash data from input file v3/ADVISOR_EEP_ARD328_v3.hex:
avrdude: input file v3/ADVISOR_EEP_ARD328_v3.hex contains 5732 bytes
avrdude: reading on-chip flash data:

Reading | ################################################## | 100% 2.93s

avrdude: verifying ...
avrdude: 5732 bytes of flash verified

avrdude: safemode: lfuse reads as FF
avrdude: safemode: hfuse reads as DA
avrdude: safemode: efuse reads as FD
avrdude: safemode: Fuses OK (E:FD, H:DA, L:FF)

avrdude done.  Thank you.

These are the instructions for wiring the Arduino board to the pager, quoted from the author of the EEPROM editor:

By request, I post the Motorola advisor EEPROM editor.
You need an arduino with AtMega328p or any other board with such a processor and 16 MHz quartz.
The program shows the password, and the password can be deactivated. You can reset the lock mode and the invalid-input attempt counter, you can override the serial number, and you can write any data to a specified EEPROM address.
The program has a minimum of checks and warnings; whether it will brick the pager if something is written to the wrong place, I don't know, it's not interesting.
The program is written in a different environment than the Arduino one. You need an SPI programmer or a utility that can load the HEX via the bootloader. The connection to the pager is 6 wires; it is desirable to run the signal lines through ~1K resistors.
You need to connect the ground and these lines:
Portc.1 (MISO, A1) -> pin 8 of U2
Portc.0 (MOSI, A0) -> pin 7 of U2
Portc.2 (SCK, A2) -> pin 6 of U2
Portc.3 (CS, A3) -> pin 9 of U2
Portc.4 (RST, A4) -> pin 41 of the CPU
Solder the wires to the U2 (CMOS Support) pins; RST is convenient to connect at the R11 resistor, on the processor side.
Terminal set to 57600 8N1.

Converting Russian text from IBM866 to UTF-8

To run the Motorola Advisor pager programmer I needed to follow its instruction file, but the file was in an 8-bit charset my terminal did not recognise, so it displayed as garbage:

1.<8e>âªà®©â¥ ¯¥©¤¦¥à ¨ á­¥¬¨â¥ ¯à¨¥¬­ãî ¯« âã
2.<90> á¯®ïâì ᮡ࠭­ë© ¢ ¬¨ è­ãà (¯® á奬¥) ®â ãáâனá⢠ ­  ¬¨ªà®á奬ã
98<95>05 ¨«¨  ­ «®£¨ç­ãî ¥©,(¯®å®¦  ­  ®â«¨âãî
¨§ ç¥à­®£® ¬ â¥à¨ «  ¯«îèªã)



        ßÚÄÄÁÄÁÄÁÄÁÄÁÄÁÄÄ¿ß 11
        ij               ³Ä
        ij               ³Ä> 9
        ij               ³Ä> 8
        ij     98X05     ³Ä> 7
        ij               ³Ä> 6
        ij       ®       ³Ä
        ÜÀÄÄÂÄÂÄÂÄÂÄÂÄÂÄÄÙÜ
                    2

3. <87> ¯ãáâ¨âì ä ©« digadv.exe
4. <8f>®á«¥ ¢ë¯®«­¥­¨ï ¨­áâàãªæ¨æ
㪠§ ­­ëå ¢ ä ¨«¥ digadv.exe
§ ¯ãáâ¨âì ä ©« dat2pvd.com        

After searching the Internet I discovered a nice program called "uchardet" that correctly guessed the charset:

$ uchardet INSTR.TXT
IBM866

Next step was to convert it to UTF8:

$ iconv -f IBM866 -t UTF-8//TRANSLIT INSTR.TXT -o INST.TXT

Way better now; at least Google Translate will help:

1.Откройте пейджер и снемите приемную плату
2.Распоять собранный вами шнур (по схеме) от устройства на микросхему
98Х05 или аналогичную ей,(похожа на отлитую
из черного материала плюшку)

    ▀┌──┴─┴─┴─┴─┴─┴──┐▀ 11
    ─│               │─
    ─│               │─> 9
    ─│               │─> 8
    ─│     98X05     │─> 7
    ─│               │─> 6
    ─│       о       │─
    ▄└──┬─┬─┬─┬─┬─┬──┘▄
                2
  1. Запустить файл digadv.exe
  2. После выполнения инструкциц
    указанных в фаиле digadv.exe
    запустить файл dat2pvd.com

Translated:

1. Open the pager and remove the receiver board
2. Solder the cable you assembled (per the diagram) from the device to the 98X05 chip or an equivalent one (it looks like a lump cast from black material)

    [the same 98X05 drawing: pins 6, 7, 8 and 9 on the right-hand side, pin 11 at the top right, pin 2 at the bottom]
  1. Run the file digadv.exe
  2. After carrying out the instructions given in the file digadv.exe, run the file dat2pvd.com
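The uchardet + iconv step above can be reproduced in a few lines of Python, which also shows why the text looked the way it did: the terminal was rendering cp866 (IBM866) bytes as Latin-1, so "Откройте" came out as "<8e>âªà®©â¥". This is an added example, not code from the page, uchardet or iconv; the charset guess is a small heuristic of my own (real Russian prose is mostly lowercase Cyrillic letters), not uchardet's statistical model, and the candidate list is limited to the four common single-byte Russian charsets.

```python
"""Guess the single-byte Cyrillic charset of a file and undo terminal mojibake:
added example, not code from the page, uchardet or iconv. The scoring is a
small heuristic (real Russian text is mostly lowercase letters), not uchardet's."""

CANDIDATES = ("cp866", "koi8-r", "cp1251", "iso8859-5")   # the usual Russian suspects


def russian_score(text):
    """Score a decoding: 2 per lowercase Russian letter, 1 per uppercase, 0 for
    anything else, normalised by the number of non-space characters."""
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0.0
    score = 0
    for c in chars:
        if "\u0430" <= c <= "\u044f" or c == "\u0451":      # а..я, ё
            score += 2
        elif "\u0410" <= c <= "\u042f" or c == "\u0401":    # А..Я, Ё
            score += 1
    return score / len(chars)


def guess_charset(raw):
    """Return the candidate charset whose decoding looks most like Russian prose."""
    best, best_score = None, -1.0
    for cs in CANDIDATES:
        try:
            score = russian_score(raw.decode(cs))
        except UnicodeDecodeError:          # e.g. cp1251 has no byte 0x98
            continue
        if score > best_score:
            best, best_score = cs, score
    return best


def to_utf8(raw):
    """What `iconv -f <guess> -t UTF-8` does: decode with the guessed charset."""
    return raw.decode(guess_charset(raw)).encode("utf-8")


def unmangle(shown, displayed_as="latin-1"):
    """The INSTR.TXT symptom: cp866 bytes rendered by a terminal as Latin-1.
    Re-encode the garbage with the charset it was displayed in to get the
    original bytes back, then decode them properly."""
    raw = shown.encode(displayed_as)
    return raw.decode(guess_charset(raw))


if __name__ == "__main__":
    # constructed sample: the first words of the page's garbled line 1,
    # with the <8e> control byte written as "\x8e"
    garbled = "\x8eâªà®©â¥ ¯¥©¤¦¥à"
    print(unmangle(garbled))                                   # Откройте пейджер
    print(guess_charset(unmangle(garbled).encode("koi8-r")))   # koi8-r
```

The trick in unmangle only works when the mojibake was produced by a single-byte charset; once the garbage has been through a UTF-8 round trip with replacement characters, the original bytes are gone and you need the source file, as the page's iconv run used.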


References:
https://stackoverflow.com/questions/805418/how-can-i-find-encoding-of-a-file-via-a-script-on-linux
https://www.tecmint.com/convert-files-to-utf-8-encoding-in-linux/

Sending Pager POCSAG message

I'm using an MMDVM hat/shield on a Raspberry Pi Zero W to send POCSAG messages to the pager.

The frequency is configured to 433.450 MHz (433450000 Hz) and, after starting MMDVMHost, I run:

$ sudo RemoteCommand 7642 page 1000001 "Teste"

On a computer with an RTL-SDR dongle I run gqrx, tune it to 433.450 MHz and enable the UDP button (it streams the demodulated audio to UDP port 7355):

In another terminal I run this command to decode POCSAG:

$ nc -l -u 7355 | sox -t raw -esigned-integer -b16 -r 48000 - -esigned-integer -b16 -r 22050 -t raw - | multimon-ng -t raw -a SCOPE -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha -

When the RemoteCommand above is executed on the Raspberry Pi, multimon-ng prints:

POCSAG1200: Address: 1000001 Function: 3 Alpha: Test<NUL>

Source: https://www.ronan.bzh/p/decoding-pocsag-on-ubuntu-with-a-rtl-sdr-dongle/
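To make the decoder output above concrete, here is an added example (not code from the page, MMDVMHost or multimon-ng) of what actually goes over the air for "page 1000001 Teste": a minimal POCSAG encoder that builds the preamble, the sync codeword and a batch with the address codeword in the frame selected by the RIC (1000001 & 7 = frame 1) followed by the alphanumeric message, plus the matching decoder, which verifies the BCH(31,21) check bits and the even parity bit on every codeword before trusting it. The constants (preamble 0xAAAAAAAA, sync 0x7CD215D8, idle 0x7A89C197, generator x^10+x^9+x^8+x^6+x^5+x^3+1) are from the POCSAG specification. Zero-padding of the last message codeword is a simplification; it is what shows up as the trailing <NUL> in the multimon-ng line above. The bit rate (512/1200/2400) is a modulation parameter and does not change the codewords.

```python
"""Minimal POCSAG (CCIR Rec. 584) encoder/decoder: added example, not code from
the page, MMDVMHost or multimon-ng. Bit rate (512/1200/2400 bps) is a modulation
parameter and does not change the codewords built here."""

PREAMBLE_WORD = 0xAAAAAAAA  # 18 of these = 576 alternating bits before the first batch
SYNC_WORD = 0x7CD215D8      # synchronisation codeword that opens every batch
IDLE_WORD = 0x7A89C197      # fills every slot that carries no address/message
BCH_GENERATOR = 0x769       # x^10+x^9+x^8+x^6+x^5+x^3+1, the BCH(31,21) generator
CODEWORDS_PER_BATCH = 16    # 8 frames x 2 codewords


def encode_codeword(msg21):
    """21 message bits (flag + 20 data) -> 32-bit codeword with 10 BCH check bits
    and one even-parity bit appended."""
    assert 0 <= msg21 < (1 << 21)
    reg = msg21 << 10
    for i in range(30, 9, -1):            # long division of msg*x^10 by the generator
        if reg & (1 << i):
            reg ^= BCH_GENERATOR << (i - 10)
    cw31 = (msg21 << 10) | (reg & 0x3FF)  # remainder = the 10 check bits
    parity = bin(cw31).count("1") & 1     # make the 32-bit word even parity
    return (cw31 << 1) | parity


def codeword_ok(cw):
    """Valid iff re-encoding the 21 message bits reproduces the whole word."""
    return encode_codeword(cw >> 11) == cw


def address_codeword(ric, function):
    """Address codeword: flag 0, 18 address bits (RIC >> 3), 2 function bits.
    The low 3 bits of the RIC are not transmitted: they select the frame (0-7)
    of the batch in which the codeword must be placed."""
    frame = ric & 7
    return frame, encode_codeword(((ric >> 3) << 2) | (function & 3))


def alpha_message_codewords(text):
    """7-bit ASCII, each character sent LSB first, packed 20 bits per codeword
    (flag 1). The last codeword is zero-padded, which decoders render as <NUL>."""
    bits = []
    for ch in text:
        bits.extend((ord(ch) >> i) & 1 for i in range(7))
    bits.extend([0] * (-len(bits) % 20))
    words = []
    for k in range(0, len(bits), 20):
        data = 0
        for b in bits[k:k + 20]:
            data = (data << 1) | b           # first bit ends up in the field's MSB
        words.append(encode_codeword((1 << 20) | data))
    return words


def build_transmission(ric, function, text):
    """Preamble, then batches: [SYNC] + 16 slots. The address codeword sits in the
    RIC's frame, the message codewords follow it, everything else is IDLE."""
    frame, addr = address_codeword(ric, function)
    slots = [IDLE_WORD] * (2 * frame) + [addr] + alpha_message_codewords(text)
    slots += [IDLE_WORD] * (-len(slots) % CODEWORDS_PER_BATCH)
    words = [PREAMBLE_WORD] * 18
    for k in range(0, len(slots), CODEWORDS_PER_BATCH):
        words.append(SYNC_WORD)
        words.extend(slots[k:k + CODEWORDS_PER_BATCH])
    return words


def decode_transmission(words):
    """Inverse of build_transmission for a single page: returns
    (ric, function, text) and raises on any codeword that fails BCH/parity."""
    i = 0
    while i < len(words) and words[i] == PREAMBLE_WORD:
        i += 1
    ric = function = None
    bits = []
    while i < len(words):
        if words[i] != SYNC_WORD:
            raise ValueError(f"expected SYNC at word {i}, got {words[i]:#010x}")
        batch = words[i + 1:i + 1 + CODEWORDS_PER_BATCH]
        i += 1 + CODEWORDS_PER_BATCH
        for slot, cw in enumerate(batch):
            if cw == IDLE_WORD:
                continue
            if not codeword_ok(cw):
                raise ValueError(f"corrupt codeword in slot {slot}: {cw:#010x}")
            if cw >> 31 == 0:                              # address codeword
                ric = ((cw >> 13) & 0x3FFFF) * 8 + slot // 2
                function = (cw >> 11) & 3
            else:                                          # message codeword
                data = (cw >> 11) & 0xFFFFF
                bits.extend((data >> (19 - b)) & 1 for b in range(20))
    chars = [chr(sum(bits[k + j] << j for j in range(7)))
             for k in range(0, len(bits) - 6, 7)]
    return ric, function, "".join(chars).rstrip("\x00")


if __name__ == "__main__":
    tx = build_transmission(1000001, 3, "Teste")    # what "page 1000001 Teste" sends
    print(" ".join(f"{w:08X}" for w in tx[18:24]))  # SYNC, 2 idle, address, 2 message
    print(decode_transmission(tx))                  # (1000001, 3, 'Teste')
```

Two things the code makes visible that the one-line decoder output hides: there is no authentication anywhere in POCSAG, so anyone with a transmitter on 433.450 MHz can page RIC 1000001 with any text (which is also why this works at all), and the only integrity protection is the BCH code, which corrects noise but says nothing about who sent the message.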

Useful links about pagers

These are nice references about Motorola pagers (mainly the Motorola Advisor) and the POCSAG protocol:


https://goughlui.com/2016/01/15/tech-flashback-motorola-advisor-pocsag-5121200bps-pager/

https://spectrum.ieee.org/the-consumer-electronics-hall-of-fame-motorola-advisor-pager#toggle-gdpr

https://web.archive.org/web/20091216202650/https://www.hackcanada.com/blackcrawl/cell/pager/pager.html

http://www.hackersrussia.ru/Pagers/pagers.php

http://s-lab.se/motorola.html

https://blog.thelifeofkenneth.com/2012/02/sniffing-pager-network-traffic-hardware.html?m=1

https://mysku.club/blog/diy/88396.html

https://github.com/unsynchronized/gr-mixalot

https://www.qsl.net/n9zia/wireless/pager/index.html

https://www.qsl.net/kb9mwr/projects/pager/plan.html

http://winpe.com/gascop/

http://fringe.davesource.com/Fringe/Hacking/Phreaking/Pagers/Protocols/protocol.html

http://web.archive.org/web/20000820185325/http://www.motorola.com/MIMS/MSPG/FLEX/overview/overview.html

http://karbofos-zone.narod.ru/pagers-m.html

http://allpager.narod.ru/programmators/

http://jelmerbruijn.nl/pocsag-encoder/

http://www.rfcandy.biz/communication/pocsag.html

http://jelmerbruijn.nl/motorola-flex-p2000-decoding/

Using MMDVM Hat board to send Pager message

While searching for ways to transmit Pager messages I found this nice post:

https://debugger.medium.com/howto-using-a-pager-in-the-21st-century-6a57454ecde8

There are many ways to transmit to a pager using the POCSAG protocol, but I decided to buy an MMDVM Raspberry Pi Hat board: https://aliexpress.com/item/32915442246.html

I bought the "MMDVM OLED CASE" model without the Raspberry Pi Zero W, because I already have one, so I spent around US$ 30.00 with free shipping; very good!

When it arrived I mounted it on my Raspberry Pi board running Raspbian 11.

Basically I cloned and compiled MMDVMHost and its dependencies, WiringPi and "ArduiPi OLED".

After compiling and installing I moved the file MMDVM.ini to /etc/ and edited it to enable POCSAG protocol and “Remote Control”.

Unfortunately, when running "RemoteCommand 7642 page 1000001 Ola Mundo" it returned this error message:

"Received a NAK to the SET_FREQ command from the modem"

It was fixed by changing RXFrequency, TXFrequency and the POCSAG Frequency in MMDVM.ini to 433450000.

Unfortunately many forum threads report this issue but nobody explains the root cause; some attribute it to an incompatible MMDVM_HS firmware version, to duplex being enabled for a board that doesn't support duplex, etc. The only place where I found the right root cause was here:

https://github.com/juribeparada/MMDVM_HS/issues/74

Because of that I spent time testing many configurations, updating firmware, etc. At least I'm now running a more recent firmware, updated from MMDVM_HS_Hat-v1.4.17 to MMDVM_HS_Hat-v1.5.2.