A multinational burger chain has a restaurant nearby. One day I went there and ordered a take-away burger that was not readily available. (Exceptional circumstances; Ludum Dare was underway and I really needed fast food.) The clerk gave me a device that looked like a thick coaster, and told me I could fetch the burger from the counter when the coaster starts blinking its lights and make noises.
Of course, this device deserved a second look! (We can forget about the burger now) The device looked like a futuristic coaster with red LEDs all around it. I've blurred the text on top of it for dramatic effect.
![[Image: Photo of a saucer-shaped device sitting on the edge of a table, with red LEDs all around it. It has a label sticker with a logo that is redacted from the photo.]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-JHOtlv6HSzj1z5HA_fwgFBEEx0XQf5MREvwSGkISqXJ6Bhh1AULH47ZqEWhKFj3iyNnZA8GUeZ5kdo1F2HmwmEaGeli4l8HrpmIgTWmaonctxIE5n2RI5G1FLIQAq_0Q8byB4Wezm0fN/s1600/IMG_7613.JPG)
Several people in the restaurant were waiting for orders with their similar devices, which suggested to me this could be a pager system of some sort. Turning the receiver over, we see stickers with interesting information, including a UHF carrier frequency.
![[Image: Photo of a smaller sticker on the bottom of the device, reading 'BASE ID:070 FRQ:450.2500MHZ'.]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWDQ85x9aniHY1V9NZdfuA5Fdh9CoEBb_iBzLPrbfuVhjAYMyChxT30P43i2jGQ4xH4uIlg0NJ3glojOKq1q-ex36lYXgqqxSVUFJh8v2-hFCfY2okAatNLxE56IdvmEYZgxdw2Zinp7To/s1600/IMG_7611.JPG)
For this kind of situations I often carry my RTL2832U-based television receiver dongle with me (the so-called rtl-sdr). Luckily this was one of those days! I couldn't help but tune in to 450.2500 MHz and see what's going on there.
![[Image: Photo of a very small radio hotglued inside a Hello Kitty branded tin.]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN7plvn8aUJuzM0mFtcvg0bdkeNaolna8ZErsv1ZDNbvknRt7jB1WmNLrQEM-rUkvsa0WGb3XHqKIzmmMw1XaV6ocZ8ojyW0KDaE0PVnxI5pdDgjBy8tOkCpItg9LthnUHm4OaNYWPBIgn/s1600/kitty.jpg)
And indeed, just before a pager went off somewhere, this burst could be heard on the frequency (FM demodulated audio):
Googling the device's model number, I found out it's using POCSAG, a common asynchronous pager protocol at 2400 bits per second. The modulation is binary FSK, which means we should be able to directly read the data from the above demodulated waveform, even by visual inspection if necessary. And here's the data.
... 10101010101010101010101010101010 preamble for bit sync 10101010101010101010101010101010 10101010101010101010101010101010 01111100110100100001010111011000 sync codeword 00101010101110101011001001001000 pager address 01111010100010011100000110010111 idle 01111010100010011100000110010111 01111010100010011100000110010111 01111010100010011100000110010111 ...
There's no actual message being paged, just an 18-bit device address. It's preceded by a preamble of alternating 1's and 0's that the receiver can grab onto, and a fixed synchronization codeword that tells where the data begins. It's followed by numerous repetitions of the idle codeword.
The next question is inevitable. How much havoc would ensue if someone were to loop through all 262,144 possible addresses and send a message like this? I'll leave it as hypothetical.