Tagged: POCSAG

RPiTX v2 Released: Easily Record and Replay with RTL-SDR and a Raspberry Pi

RPiTX is software for the Raspberry Pi which can turn it into a 5 kHz to 1500 MHz transmitter which can transmit any arbitrary signal. In order to transmit the software does not require any additional hardware apart from a wire plugged into a GPIO pin on the expansion header. It works by modulating the GPIO pin with square waves in such a way that the desired signal is generated. However, although additional hardware isn't required, if RPiTX is to be used in any actual application a band-pass filter is highly recommended in order to remove any harmonics which could interfere and jam other radio systems.

Earlier this month RPiTX was upgraded to version 2. One of the changes is a new GUI for testing the various transmission modes. Currently it is possible to transmit a chirp, FM with RDS, USB, SSTV, Opera, Pocsag, SSTV, Freedv. There is also a spectrum painter which allows you to display an image on a SDR's waterfall.

The RPiTX V2 GUI
The RPiTX V2 GUI
Painting an Image on a SDR Waterfall Display with RPiTX v2
Painting an Image on a SDR Waterfall Display with RPiTX v2

The RPiTX v2 update also makes recording a signal with an RTL-SDR, and replaying that signal with RPiTX significantly easier. Previously it was necessary to go through a bunch of preprocessing steps (as described in our previous tutorial) in order to get a transmittable file, but now RPiTX is capable of transmitting a recorded IQ file directly. This makes copying things like 433 MHz ISM band remotes significantly easier. One application might be to use RPiTX as an internet connected home automation tool which could control all your wireless devices.

Finally, another application of the RPiTX and RTL-SDR combination is a live RF relay. The software is able to receive a signal at one frequency from the RTL-SDR, and then re-transmit it at another frequency in real time. Additionally, it is also capable of live transmodulation, where it receives an FM radio station, demodulates and then remodulates it as SSB to transmit on another frequency.

The RPiTX V2 RTL-SDR Menu
The RPiTX V2 RTL-SDR Menu
RPiTX v2 re-transmitting a broadcast FM signal live at 434 MHz.
RPiTX v2 re-transmitting a broadcast FM signal live at 434 MHz.

Forwarding Pager Messages Received with an RTL-SDR to Email

Over on YouTube Jack Riley has created a video that documents his system which uses an RTL-SDR to receive POCSAG pager messages and forward messages sent to specific pager addresses to an email address. He uses his RTL-SDR on a Raspberry Pi, together with rtl_fm and multimon-ng to receive and decode the pager messages.

Then using a custom program that is available on his website he filters messages for a particular 'capcode' which indicates the address of a particular pager. When a pager message to the specified capcode address is received, the program turns the message into an email which is instantly sent out.

This is a nice way to forward pager messages on to a more modern device such as a smart phone.

Creating a Pager using a Raspberry Pi and RTL-SDR to send alerts via Email.

Hacker Warehouse Demonstrates Pager Decoding with an RTL-SDR

Over on YouTube the web show Hacker Warehouse have created a video explaining wireless pagers and how RTL-SDRs can be used to sniff them. In the video host Troy Brown starts by explaining what pagers are and how they work, and then he shows how to decode them with SDR# and PDW. We have a tutorial on this project available here too.

Later in the video he shows some examples of pager messages that he's received. He shows censored messages such as hospital patient data being transmitted in plain text, sports scores, a memo from a .gov address claiming allegations of abuse from a client, office gossip about a hookup, a message about a drunk man with a knife, a message from a Windows server with IP address and URL, a message from a computer database, and messages from banks.

In the past we've also seen an art installation in New York which used SDR to highlight the blatant breach of privacy that these pager messages can contain.

Decoding Pager Data with RTLSDR - Tradecraft

Art Installation Eavesdrops on Hospital Pagers with a HackRF

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.
HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.

For a long time now it has been known that pager data is sent in the clear and in plain text over a strong and easily received RF signal. The signal can easily be intercepted with a standard scanner radio or more recently with an SDR such as the RTL-SDR. Software such as PDW can then be used to decode the signal into plain text. We have a tutorial on this available here.

In these more modern days of cell phones and secure text messaging very few people still use pagers. But one heavy user of pagers is the medical community who still prefer them as they are already widely implemented in hospitals and are very reliable. The lower frequencies and high transmission powers used by pager systems allows for better reception especially in areas prone to poor cellphone reception such as in big buildings like hospitals with many walls underground areas. They are also very reliable as they receive messages instantly, whereas text messages can be delayed in times of high network traffic which is obviously a problem when a doctor is needed urgently. Finally, another advantage is that most pagers only receive, so there are no local transmissions that could interfere with sensitive medical machines. A major downside however is that pager use means that a lot of very private patient data can be easily intercepted by anyone anywhere in the same city as the hospital.

Back in October artist and programmer Brannon Dorsey displayed an art installation at the Radical Networks conference in Brooklyn which he calls Holypager. The idea is to bring attention to the breach of privacy. The installation simply prints out the pager messages as they are sent in real time, accumulating patient data that any visitor can pick up and read. He doesn't mention it on his page, but in one of the photos we see a HackRF One, antenna and Raspberry Pi hiding underneath the installation which is how the pager messages are received. A simple RTL-SDR could also be used as the receiver. Brannon writes:

Holypager is an art installation that intercepts all POCSAG pager messages in the city it resides and forwards them to one (holy) pager. The installation anonymizes all messages and forwards them randomly to one of three pagers on display. Each message is also printed on a contiguous role of receipt paper amassing a large pile of captured pages for gallery goers to peruse.

Pagers use an outdated protocol that requires all messages to be broadcast unencrypted to each pager in the area. It is the role of the individual pager to filter and display only the messages intended for its specific address. The pagers below have been reprogrammed to ignore this filter and receive every message in the city in real time. Today, these devices are primarily used in hospitals to communicate highly sensitive information between doctors and hospital staff.

Given the severity of the HIPPA Privacy Act, one would assume that appropriate measures would be taken to prevent this information from being publicly accessible to the general public. This project serves as a reminder that as the complexity and proliferation of digital systems increase the cultural and technological literacy needed to understand the safe and appropriate use of these systems often do not.

Holypager

[Also seen on Hackaday and Motherboard]

PagerMon: A browser based app for displaying pager messages from multimon-ng

Thank you to Dave for submitting information about his new pager message display software called PagerMon. PagerMon is a web browser based tool for displaying POCSAG pager messages decoded by multimon-ng. It is based around nodejs and uses a sqlite database for storing the messages. Multimon-ng is an RTL-SDR compatible digital mode decoder which can decode multiple protocols including POCSAG pagers.

PagerMon and the features and future features are listed below:

PagerMon is an API driven client/server framework for parsing and displaying pager messages from multimon-ng.

It is built around POCSAG messages, but should easily support other message types as required.

The UI is built around a Node/Express/Angular/Bootstrap stack, while the client scripts are Node scripts that receive piped input.

Features

  • Capcode aliasing with colors and FontAwesome icons
  • API driven extensible architecture
  • Single user, multiple API keys
  • SQLite database backing
  • Configurable via UI
  • Pagination and searching
  • Filtering by capcode or agency
  • Duplicate message filtering
  • Keyword highlighting
  • WebSockets support – messages are delivered to clients in near realtime
  • Pretty HTML5
  • May or may not contain cute puppies

Planned Features

  • Multi-user support
  • Other database support (MongoDB and DynamoDB planned)
  • Horizontal scaling
  • Enhanced message filtering
  • Bootstrap 4 + Angular 2 support
  • Enhanced alias control
  • Graphing
  • Push notifications
  • Non-sucky documentation

The GitHub readme has a getting started section which shows how to set up the server and get it running on your local machine.

PagerMon displaying POCSAG messages
PagerMon displaying POCSAG messages

Listening in on Burger Pagers with the RTL-SDR

Oona has written on her blog www.windytan.com about how she used an RTL-SDR to listen in on those wireless devices that are given out at some restaurants and cafes to notify you when your food is ready.

While at a local burger chain she found a label on the back of the device given to her which specified the radio frequency used by the device. By tuning to that frequency with her RTL-SDR, she discovered that the device uses the POCSAG protocol, which is the same protocol that is used by pagers. She then decoded the data packet and found that it contains the device address, which is used to notify the correct device.

burgerPagerpocsagBurger

Decoding Pagers on the Raspberry Pi with RTL-SDR

Hackaday has brought to attention a tutorial written on the Raspberry Pi forums by Sonny_Jim showing how to decode pager transmissions on the Raspberry Pi. In the tutorial he also shows how to set up a web server to be able to view the decoded transmissions in a web browser.

He uses a RTL-SDR and Raspberry Pi and pipes the output of rtl_fm into the multimonNG software to decode the messages.

RTL-SDR Tutorial: POCSAG Pager Decoding

The RTL-SDR software defined radio combined with SDRSharp, and a POCSAG/Flex capable decoding application can be used to decode pager messages. With this setup you can receive pager messages from all pager users on the system. If you don't know what a pager is, since they are now uncommon, here is a brief explanation from Wikipedia:

A pager is a wireless telecommunications device that receives and displays numeric or text messages, or receives and announces voice messages.

Not many people use pagers these days with mobile phone text messaging being used more, but pagers are still popular with doctors, hospitals in general, some fire and ambulance agencies and various IT companies, as they tend to be more reliable and have greater coverage. 

A Pager
A Pager

Privacy and Security

Obviously a lot of messages sent through pagers are plain text and contain personal data. Especially messages from hospitals. This is a concern as it is a major breach of patient privacy.

Security concerns also stem from the fact that many IT companies set up systems that forward notices of emails being received with the subject line visible, and system messages that contain IP addresses, email addresses and names, database error messages, and URLs.

Previously an art installation in New York was set up with an SDR to try and highlight some of the privacy and security concerns that pager use brings.

We note that in most countries it is perfectly legal to receive pager messages, as they are plain text unencrypted, but it is illegal to share or act on the information received. In some countries it may be illegal to even set up a receiver. Please research and respect your local laws before attempting this project.

Examples

Here YouTube user nerdymark shows 18 minutes of pager decoding using SDRSharp, PDW and an RTL-SDR.

18 Minutes of Pager Traffic 2012 July 12 San Jose rtlsdr sdr# pdw flex

Tutorial

While directed at the RTL-SDR, this tutorial may also be useful for use with other software defined radios such as the Funcube dongle, Airspy and HackRF, or even traditional hardware radios with a discriminator tap.

Since pager signals are usually transmitted at a very strong power, usually almost any antenna will work to receive them, even the stock antenna that comes with the dongle. Pager frequencies differ among different countries. Usually they will be anywhere from 137 - 160 MHz, around ~450 MHz, or around 900 MHz. Check radioreference.com or Google for frequencies in your area, or just search for them manually - they are usually quite easy to spot. Pagers normally use either the POCSAG or FLEX protocols, and the signals will look on a waterfall something like the signal shown below. They also have a distinctive sound when played with NFM mode. A sound sample is also shown below.

POCSAG Waterfall Image
POCSAG Waterfall Image

For this tutorial, you will need to have an RTL-SDR dongle set up and working with SDRSharp. We will assume you have this much done already. If you do not, visit the Buy RTL-SDR page, and then the Quickstart guide. You will also need to have an audio piping method installed and set up. Audio piping will allow the audio from SDRSharp to be passed to a decoding program. You can use either windows stereo mixVB-cable (free) or Virtual Audio Cable (paid with trial version). 

Now, to decode the POCSAG or Flex signals, you need need to download and install a free program called PDW, which can be downloaded from this page, then follow these steps.

  1. Open SDRSharp and set the audio piping method to the one you will use under the Audio Output drop down box and then press Play.
  1. Tune to a pager POCSAG/Flex signal. Set the receive mode to NFM, filter bandwidth to 12500 Hz, filter order to 10, turn squelch OFF and filter audio OFF. Adjust the RF gain settings under the configure menu until good reception is achieved.
  1. Open PDW. You may initially receive some errors upon first opening it, but they can be safely ignored. Go to Options -> Options and Click Enable Pocsag Decoding, and ensure the 512, 1200 and 2400 boxes are all checked. Also, ensure Enable Flex Decoding is enabled and that the 1600, 3200 and 6400 boxes are all checked. Press OK.

PDW Enable POCSAG

  1. Go to Interface -> Setup. Enable the Soundcard checkbox, set the Configuration to Custom, and choose your audio piping method in the Soundcard drop down box. If you only have one audio piping method enabled in the Windows recording properties, it will automatically choose that method. Press OK.

PDW Soundcard Interface Setup

  1. Go to Monitor, and ensure POCSAG/FLEX is ticked.
  1. Now, if everything is set up correctly, the pager audio from SDRSharp should be being sent to PDW. In the top right hand corner of PDW, there should be a volume gauge. You will need to adjust the volume settings in SDRSharp, and/or the Windows volume settings so that the volume meter goes up when a pager signal is sent. The percentage shown below the gauge shows the decode error rate. If you are receiving good signals the error rate should be very low and the percentage should be at or near 100%.

PDW Decoding

Other Decoding Software

MultimonNG is a Linux based decoder which is lightweight enough to run on a Raspberry Pi using rtl_fm.

PagerMon is a app that records and displays all messages from MultimonNG in a nice web page.

Some Tips

  • Pager signals are generally very strong, and so almost any antenna can pick them up - even the stock antenna included with many dongle packages. However, if you live far away from the transmitter a better antenna matched to the pager frequency you want to monitor may be required.
     
  • If reception is very poor, you may get some garbled messages in the PDW window.
     
  • Since pagers can be so strong, you may actually need to reduce the RF gain to clearly discern between a real pager and an image. Reducing the gain may also help decoding if it is so strong that it begins overloading in the RF spectrum.
     
  • Sometimes setting the volume too loud can cause the pager audio signal to become distorted. Make sure you do not have the audio set too loud.

 

If you enjoyed this tutorial you may like our book available on Amazon. Available in eBook and physical formats.

The Hobbyist's Guide to the RTL-SDR: Really Cheap Software Defined radio.