
Lab401: HackRF on Windows YouTube Tutorials

Over on the Lab401 YouTube channel, 'RocketGod' has uploaded three tutorial videos covering the HackRF on Windows. The first video covers the basics, such as installing software, and shows how to decode pager signals with PDW.

The second video shows how to decode police transmissions and car key fobs, how to use rtl_433, and how to use Universal Radio Hacker to capture and analyze signals.

The third video is not yet released, but is due to premiere on YouTube in 10 hours from the time of this post. In that video RocketGod will show how to install and use DragonOS, and how to install and use SDR Trunk, which turns the HackRF into a police scanner. Finally, he will demonstrate SDR Angel decoding ADS-B signals from aircraft to show live flight tracking data.

Part 1 is embedded below, and Part 2 and Part 3 are linked here.

ROCKETGOD's HackRF One guide - part 1/3 Basics, Windows apps, setting up - LAB401

Frugal Radio: Decoding Fire, Ambulance MDT and Hospital Pagers with SDR++ and PDW

In this week's Frugal Radio YouTube video, Rob explores how to decode Fire, Ambulance and Hospital pager data using SDR++ and PDW. In the video Rob first explains what applications pagers are used for in 2021 and how they're typically received with pager or MDT hardware terminals mounted in fire and ambulance trucks.

He then goes on to show how we can receive and decode these pager messages using an RTL-SDR, SDR++, VB-Cable and the PDW pager decoder. The tutorial shows how to configure SDR++ for pager reception, how to install and set up PDW, and how to interface the two programs with VB-Cable. Finally, Rob explains how to interpret some of the messages that you might receive.

Decoding Fire & Ambulance MDT data & hospital pages with a $10 SDR Radio

Vancouver Broadcasts Hospital Patient Data Over Unencrypted Wireless Pagers

Canadian-based researchers from the "Open Privacy Research Society" recently rang the alarm on Vancouver-based hospitals that have been broadcasting patient data in the clear over wireless pagers for several years. These days almost all radio enthusiasts know that with a cheap RTL-SDR, or any other radio, it is possible to receive pager signals and decode them using a program called PDW. Pager signals are completely unencrypted, so anyone can read the messages being sent, and they often contain sensitive pager data.

Open Privacy staff disclosed their findings in 2018, but after no action was taken for over a year they took their findings to a journalist.

Encryption is available for pagers, but upgrading the network and pagers to support it can be costly. Pagers are also becoming less common in the age of mobile phones, but they are still commonly used in hospitals in some countries due to their higher reliability and range.

In the past we've seen several similar stories, such as this previous post where patient data was being exposed over the pager network in Kansas City, USA. There was also an art installation in New York called Holypager, that continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.

RTL-SDR Tutorial: POCSAG Pager Decoding

The RTL-SDR software defined radio combined with SDRSharp, and a POCSAG/Flex capable decoding application can be used to decode pager messages. With this setup you can receive pager messages from all pager users on the system. If you don't know what a pager is, since they are now uncommon, here is a brief explanation from Wikipedia:

A pager is a wireless telecommunications device that receives and displays numeric or text messages, or receives and announces voice messages.

Not many people use pagers these days with mobile phone text messaging being used more, but pagers are still popular with doctors, hospitals in general, some fire and ambulance agencies and various IT companies, as they tend to be more reliable and have greater coverage. 

A Pager

Privacy and Security

Many messages sent through pagers are plain text and contain personal data, especially messages from hospitals. This is a concern as it is a major breach of patient privacy.

Security concerns also stem from the fact that many IT companies set up systems that forward notices of emails being received with the subject line visible, and system messages that contain IP addresses, email addresses and names, database error messages, and URLs.
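As an added example (not from the original article), here is a filter an alerting system could apply to outbound text before handing it to a paging gateway, redacting the data types listed above. The rule set, the `sanitize_page` name, the `ref` ticket id and the sample messages are all assumptions constructed for illustration.

```python
import re

# Ordered rules (assumed, tune per environment): broader patterns run first
# so that a URL containing an IP address is redacted as one unit.
RULES = [
    ("subject", re.compile(r"\bsubject:.*", re.I)),           # forwarded mail subjects
    ("url", re.compile(r"\bhttps?://\S+", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("db_error", re.compile(r"\b(?:ORA-\d{5}|SQLSTATE\[\w+\]).*", re.I)),
]


def sanitize_page(text, ref=None):
    """Redact sensitive fields from a message bound for an unencrypted pager.

    Returns (redacted_text, findings) where findings maps rule label to the
    number of redactions. Only counts are kept, so the audit record does not
    itself store the sensitive values. If anything was redacted and a ticket
    reference is supplied, it is appended so the recipient can read the full
    details over an authenticated channel instead of over the air.
    """
    findings = {}
    for label, rx in RULES:
        text, count = rx.subn(f"[{label}]", text)
        if count:
            findings[label] = count
    if findings and ref:
        text = f"{text} ref={ref}"
    return text, findings


if __name__ == "__main__":
    # Constructed sample alerts, not captured traffic.
    samples = [
        "New mail from alice@example.com Subject: Patient transfer list attached",
        "db01 DOWN 10.20.30.40 see http://10.20.30.40:8080/status",
        "ORA-00942: table or view does not exist (PATIENTS)",
        "Disk alert on host web-3",
    ]
    for n, msg in enumerate(samples, 1):
        print(sanitize_page(msg, ref=f"INC-{n}"))
```
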

Previously an art installation in New York was set up with an SDR to try and highlight some of the privacy and security concerns that pager use brings.

We note that in most countries it is perfectly legal to receive pager messages, as they are plain text unencrypted, but it is illegal to share or act on the information received. In some countries it may be illegal to even set up a receiver. Please research and respect your local laws before attempting this project.

Examples

Here YouTube user nerdymark shows 18 minutes of pager decoding using SDRSharp, PDW and an RTL-SDR.

18 Minutes of Pager Traffic 2012 July 12 San Jose rtlsdr sdr# pdw flex

Tutorial

While directed at the RTL-SDR, this tutorial may also be useful for use with other software defined radios such as the Funcube dongle, Airspy and HackRF, or even traditional hardware radios with a discriminator tap.

Since pager signals are usually transmitted at very high power, almost any antenna will work to receive them, even the stock antenna that comes with the dongle. Pager frequencies differ among countries. Usually they will be anywhere from 137 - 160 MHz, around 450 MHz, or around 900 MHz. Check radioreference.com or Google for frequencies in your area, or just search for them manually, as they are usually quite easy to spot. Pagers normally use either the POCSAG or FLEX protocols, and on a waterfall the signals will look something like the one shown below. They also have a distinctive sound when played in NFM mode. A sound sample is also shown below.

POCSAG Waterfall Image

For this tutorial, you will need to have an RTL-SDR dongle set up and working with SDRSharp. We will assume you have this much done already. If you do not, visit the Buy RTL-SDR page, and then the Quickstart guide. You will also need to have an audio piping method installed and set up. Audio piping will allow the audio from SDRSharp to be passed to a decoding program. You can use Windows Stereo Mix, VB-Cable (free) or Virtual Audio Cable (paid with trial version).

Now, to decode the POCSAG or Flex signals, you need to download and install a free program called PDW, which can be downloaded from this page, then follow these steps.

  1. Open SDRSharp and set the audio piping method to the one you will use under the Audio Output drop down box and then press Play.
  2. Tune to a pager POCSAG/Flex signal. Set the receive mode to NFM, filter bandwidth to 12500 Hz, filter order to 10, turn squelch OFF and filter audio OFF. Adjust the RF gain settings under the configure menu until good reception is achieved.
  3. Open PDW. You may initially receive some errors upon first opening it, but they can be safely ignored. Go to Options -> Options and Click Enable Pocsag Decoding, and ensure the 512, 1200 and 2400 boxes are all checked. Also, ensure Enable Flex Decoding is enabled and that the 1600, 3200 and 6400 boxes are all checked. Press OK.

PDW Enable POCSAG

  4. Go to Interface -> Setup. Enable the Soundcard checkbox, set the Configuration to Custom, and choose your audio piping method in the Soundcard drop down box. If you only have one audio piping method enabled in the Windows recording properties, it will automatically choose that method. Press OK.

PDW Soundcard Interface Setup

  5. Go to Monitor, and ensure POCSAG/FLEX is ticked.
  6. Now, if everything is set up correctly, the pager audio from SDRSharp should be being sent to PDW. In the top right hand corner of PDW, there should be a volume gauge. You will need to adjust the volume settings in SDRSharp, and/or the Windows volume settings so that the volume meter goes up when a pager signal is sent. The percentage shown below the gauge shows the decode error rate. If you are receiving good signals the error rate should be very low and the percentage should be at or near 100%.

PDW Decoding

Other Decoding Software

MultimonNG is a Linux based decoder which is lightweight enough to run on a Raspberry Pi using rtl_fm.

PagerMon is an app that records and displays all messages from MultimonNG in a nice web page.

Some Tips

  • Pager signals are generally very strong, and so almost any antenna can pick them up - even the stock antenna included with many dongle packages. However, if you live far away from the transmitter a better antenna matched to the pager frequency you want to monitor may be required.
     
  • If reception is very poor, you may get some garbled messages in the PDW window.
     
  • Since pagers can be so strong, you may actually need to reduce the RF gain to clearly discern between a real pager and an image. Reducing the gain may also help decoding if it is so strong that it begins overloading in the RF spectrum.
     
  • Sometimes setting the volume too loud can cause the pager audio signal to become distorted. Make sure you do not have the audio set too loud.

 
