Sep 16, 2013

The burger pager

A multinational burger chain has a restaurant nearby. One day I (exceptionally) went there and ordered a take-away burger that was not readily available. The clerk gave me a device that looked like a thick coaster, and told me I could fetch the burger from the counter when the coaster starts blinking its lights and make noises.

Of course, this device deserved a second look! (We can forget about the burger now) The device looked like a futuristic coaster with red LEDs all around it. I've blurred the text on top of it for dramatic effect.

Several people in the restaurant were waiting for orders with their similar devices, which suggested to me this could be a pager system of some sort. Turning the receiver over, we see stickers with interesting information, including a UHF carrier frequency.

For this kind of situations I often carry my RTL2832U-based television receiver dongle with me (the so-called rtl-sdr). Luckily this was one of those days! I couldn't help but tune in to 450.2500 MHz and see what's going on there.

And indeed, just before a pager went off somewhere, this burst could be heard on the frequency (FM demodulated audio):

Googling the device's model number, I found out it's using POCSAG, a common asynchronous pager protocol at 2400 bits per second. The modulation is binary FSK, which means we should be able to directly read the data from the above demodulated waveform, even by visual inspection if necessary. And here's the data.

There's no actual message being paged, just an 18-bit device address. It's preceded by a preamble of alternating 1's and 0's that the receiver can grab onto, and a fixed synchronization codeword that tells where the data begins. It's followed by numerous repetitions of the idle codeword.

The next question is inevitable. How much havoc would ensue if someone were to loop through all 262,144 possible addresses and send a message like this? I'll leave it as hypothetical.

26 comments:

  1. Didn't know they have those in Finland. ;-) I got one last year in Australia when buying coffee at a beach cafe.

    ReplyDelete
    Replies
    1. I recently visited Helsinki to visit my partner's parents, and we saw them there.

      Delete
  2. Do the math.

    At 2400 bps/18 bits you could do about 133.3 addresses per second, with no repeats and no synchs.

    At that rate it would take over 404.5 days --more than a year to cycle through every possible code.

    Years ago, I recall seeing plans for brute force automobile keyfob cracker. It could spew every combination in about 10 minutes. For some stupid reason, automobile manufacturers didn't think anyone would try something like that...

    ReplyDelete
    Replies
    1. Yes, surely a more feasible approach would be to record all the actual addresses used on the air first.

      Delete
    2. @Jake Brodsky I suspect that some young engineer at one of the car manufacturers has come up with a highly secure central locking system but was mysteriously re-assigned to designing mudflaps or cupholders for the rest of his career. Whenever a car gets stolen, the owner buys another car, often the same model that just got stolen. There is a strong disincentive to make good immobilisers.

      Delete
    3. I did the math though - it takes 32 bits to transmit one address codeword, and at 2400 bps you can send 75 addresses per second. Accounting for synchronization after every 16 addresses, that's 75 * (16/17) = 71. For 2^18 = 262,144 total addresses that means 262,144 / 71 = 3692 seconds = 1 hour 2 minutes to scan through all addresses.

      This is of course assuming that the 2-bit internal function code is the same for all devices (0b10 = 0x02). To scan all the functions as well, it would take four times that long.

      Delete
    4. If you were devious a more efficient approach would be to sit in a car outside the venue with a yagi pointed at the bistro and snarf out all the POCSAG codes in use.

      Delete
    5. Slightly more beneficial: figure out your own coaster's address and page it when you feel you've waited long enough for a table.

      Delete
    6. No. We've had these in Australia - they are only used to signify, usually in a pub bistro/cafe context when you meal is ready.

      The active state of the buzzer is physically unrelated to process of perparing your food, or even in your incorrect example, the physical occupation states of a table. Simply put, the buzzer doesn't empty tables or cook food, it's just a digital equivalent of somebody yelling from the counter "Order 17? Works burger with extra beetroot", if your buzzer is going off, the cook isn't just going to hand you a plate of half cooked food.

      Delete
  3. Cool! Here's the transmitting software and hardware we did earlier for ham use, we have the 200W transmitter set up in 144.975 MHz in Espoo currently. Only ran it at 512 bit/s, but it should certainly go faster.

    POCSAG encoder and modem

    Blog post about prototype

    POCSAG encoder module on CPAN

    ReplyDelete
  4. >For this kind of situations I often carry my RTL2832U-based television receiver dongle with me (the so-called rtl-sdr)

    Do you also carry a notebook with you or how do you use the rtl-sdr dongle? And which software and OS do you use?

    ReplyDelete
    Replies
    1. "For this kind of situations I often carry my RTL2832U-based television receiver dongle with me (the so-called rtl-sdr)"

      I got a good laugh from that too:) Anyway, keep up the great blog.

      Delete
    2. Often I would also have my notebook. But it also works on some Android devices - see SDR Touch.

      Delete
    3. Do you have any recommendations for any specific RTL2832U-based device? I would like to have one but there is a shitloads of those available on ebay..

      Delete
  5. posts like these are why I have this blog in my rss reader. awesome!

    ReplyDelete
  6. I've actually tried this once just to see if it can be done. The person at the cashier was confused why my beeper was beeping when my food clearly wasn't ready!

    ReplyDelete
  7. What did you use for an antenna?

    ReplyDelete
    Replies
    1. I used a VHF antenna off an old railway radio actually. But once you're inside the restaurant, the RTL's own DVB antenna should be fine too.

      Delete
  8. Just last Sunday I was thinking of ding the exact same thing, but I foolishly left my dongle at home.

    ReplyDelete
  9. What software was used to decode the POCSAG/ binary FSK?

    ReplyDelete
  10. There are only a few dozen pagers in a typical restaurant. Leave a laptop in your bag decoding the signals for the duration of your meal and you'd collect enough of them to cause some trouble. I never tried decoding, but I can pick up the pager signals from the burger shop down the street from the discone scanner antenna on my house.

    I expect the novelty of watching poor saps walk up the the counter to collect their food that isn't ready yet would wear off quickly but it would be fun to try.

    ReplyDelete
  11. what kind of books do you recommend to be able to decode radio signals? I have been playing around with rtl-sdr for a while listening on different signals. But i don't have the fundamental knowledge on how radio communication works and how i should be able to write my own code for this particular field. Thank you for a wonderful site and talks!

    ReplyDelete
    Replies
    1. I think I started by reading the technical specifications of the various protocols I wanted to decode. An important guide along the way was The Scientist and Engineer's Guide to Digital Signal Processing. Also, navigating Wikipedia articles about modulation methods and studying for a ham license helped.

      Delete
  12. Hi! Complete noob on radio. Your blog has some of the nicest reverse engineering i've seen on the radio-side, and you got me curious to get myself a RTL-SDR. HackRF seems to be released to the general public pretty soon and when it is i will for sure get one, but until then i want to get my hands dirty. Can you advice on what dongle to get? On the topic of antennas i see a lot of the dongles comes with telescope-antennas. How are these simple antennas able to read all these frequencies? I was under the impression that antennas are measured and cut according to divisions by 2, making the best antenna for 27mhz 4.5 meters, 2.25 meters and so on.., or does is this only important when sending a signal? Last question: Are you married?

    ReplyDelete

To prevent spam, comments will only appear after moderation.