A multinational burger chain has a restaurant nearby. One day I went there and ordered a take-away burger that was not readily available. (Exceptional circumstances; Ludum Dare was underway and I really needed fast food.) The clerk gave me a device that looked like a thick coaster, and told me I could fetch the burger from the counter when the coaster started blinking its lights and making noises.
Of course, this device deserved a second look! (We can forget about the burger now.) The device looked like a futuristic coaster with red LEDs all around it. I've blurred the text on top of it for dramatic effect.
Several people in the restaurant were waiting for orders with their similar devices, which suggested to me this could be a pager system of some sort. Turning the receiver over, we see stickers with interesting information, including a UHF carrier frequency.
For this kind of situation I often carry my RTL2832U-based television receiver dongle with me (the so-called rtl-sdr). Luckily this was one of those days! I couldn't help but tune in to 450.2500 MHz and see what was going on there.
And indeed, just before a pager went off somewhere, this burst could be heard on the frequency (FM demodulated audio):
Googling the device's model number, I found out it's using POCSAG, a common asynchronous pager protocol at 2400 bits per second. The modulation is binary FSK, which means we should be able to directly read the data from the above demodulated waveform, even by visual inspection if necessary. And here's the data.
...
10101010101010101010101010101010   preamble for bit sync
10101010101010101010101010101010
10101010101010101010101010101010
01111100110100100001010111011000   sync codeword
00101010101110101011001001001000   pager address
01111010100010011100000110010111   idle
01111010100010011100000110010111
01111010100010011100000110010111
01111010100010011100000110010111
...
There's no actual message being paged, just an 18-bit device address. It's preceded by a preamble of alternating 1's and 0's that the receiver can lock onto, and a fixed synchronization codeword that marks where the data begins. It's followed by numerous repetitions of the idle codeword.
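The structure described above can be checked mechanically. The following is an added example, not code from the original post: a small POCSAG codeword decoder run over the bit sequence captured above. The sync, address and idle codeword values are copied from the capture; the BCH(31,21) generator polynomial, the even-parity bit and the layout of an address codeword (one type bit, 18 address bits, 2 function bits, 10 BCH bits, 1 parity bit) come from the POCSAG specification, as does the fact that the frame position within the 16-codeword batch supplies the remaining 3 bits of the full receiver address. Function and variable names are my own.

```python
# Added example: decode the POCSAG codewords captured above and verify
# each one with the BCH(31,21) check and even-parity bit.

SYNC_CODEWORD = 0x7CD215D8      # 01111100110100100001010111011000 (from the capture)
IDLE_CODEWORD = 0x7A89C197      # 01111010100010011100000110010111 (from the capture)
BCH_POLY = 0x769                # x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1 (POCSAG spec)

# The bit string from the capture above: 3 preamble words, sync, one
# address codeword, 4 idle codewords.
CAPTURED_BITS = (
    "10101010101010101010101010101010" * 3
    + "01111100110100100001010111011000"       # sync codeword
    + "00101010101110101011001001001000"       # pager address
    + "01111010100010011100000110010111" * 4   # idle
)


def bch_remainder(codeword: int) -> int:
    """Remainder of codeword bits 0..30 (MSB first) divided by the
    generator polynomial over GF(2). Zero means the BCH check passes."""
    r = 0
    for i in range(31, 0, -1):          # int bits 31..1 == codeword bits 0..30
        r = (r << 1) | ((codeword >> i) & 1)
        if r & (1 << 10):
            r ^= BCH_POLY
    return r


def codeword_ok(codeword: int) -> bool:
    """BCH check plus the even-parity bit that occupies codeword bit 31."""
    even_parity = bin(codeword).count("1") % 2 == 0
    return bch_remainder(codeword) == 0 and even_parity


def decode_codeword(codeword: int, frame: int) -> dict:
    """Classify one 32-bit codeword. Codeword bit 0 (the MSB) is 0 for an
    address codeword and 1 for a message codeword. An address codeword
    carries 18 address bits (bits 1..18) and a 2-bit function code
    (bits 19..20); the full 21-bit RIC appends the 3-bit frame number."""
    if not codeword_ok(codeword):
        return {"type": "corrupt"}
    if codeword == IDLE_CODEWORD:
        return {"type": "idle"}
    if (codeword >> 31) == 0:
        addr18 = (codeword >> 13) & 0x3FFFF
        function = (codeword >> 11) & 0x3
        return {"type": "address", "address": addr18, "function": function,
                "ric": (addr18 << 3) | frame}
    return {"type": "message", "data": (codeword >> 11) & 0xFFFFF}


def decode_batch(bits: str) -> list:
    """Locate the first sync codeword in an MSB-first bit string and decode
    the codewords that follow it, up to one batch of 16 (8 frames x 2)."""
    sync = format(SYNC_CODEWORD, "032b")
    start = bits.find(sync)
    if start < 0:
        raise ValueError("no sync codeword found")
    decoded = []
    pos = start + 32
    for n in range(16):
        chunk = bits[pos:pos + 32]
        if len(chunk) < 32:             # capture ends mid-batch
            break
        decoded.append(decode_codeword(int(chunk, 2), frame=n // 2))
        pos += 32
    return decoded


if __name__ == "__main__":
    for entry in decode_batch(CAPTURED_BITS):
        print(entry)
```

Running it on the captured bits yields one address codeword (18-bit address 0x155D5, function code 2, in frame 0) followed by four idle codewords; flipping any single bit of a codeword makes `codeword_ok` return False, which is the check a receiver uses to discard noise before acting on an address.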
The next question is inevitable. How much havoc would ensue if someone were to loop through all 262,144 possible addresses and send a message like this? I'll leave it as hypothetical.
Next up: broadcast these everywhere 24/7.
Didn't know they have those in Finland. ;-) I got one last year in Australia when buying coffee at a beach cafe.
I recently visited Helsinki to visit my partner's parents, and we saw them there.
Do the math.
At 2400 bps / 18 bits you could do about 133.3 addresses per second, with no repeats and no syncs.
At that rate it would take over 404.5 days, more than a year, to cycle through every possible code.
Years ago, I recall seeing plans for a brute-force automobile key fob cracker. It could spew every combination in about 10 minutes. For some stupid reason, automobile manufacturers didn't think anyone would try something like that...
Yes, surely a more feasible approach would be to record all the actual addresses used on the air first.
@Jake Brodsky I suspect that some young engineer at one of the car manufacturers has come up with a highly secure central locking system but was mysteriously re-assigned to designing mudflaps or cupholders for the rest of his career. Whenever a car gets stolen, the owner buys another car, often the same model that just got stolen. There is a strong disincentive to make good immobilisers.
I did the math though - it takes 32 bits to transmit one address codeword, and at 2400 bps you can send 75 addresses per second. Accounting for synchronization after every 16 addresses, that's 75 * (16/17) = 71. For 2^18 = 262,144 total addresses that means 262,144 / 71 = 3692 seconds = 1 hour 2 minutes to scan through all addresses.
This is of course assuming that the 2-bit internal function code is the same for all devices (0b10 = 0x02). To scan all the functions as well, it would take four times that long.
If you were devious, a more efficient approach would be to sit in a car outside the venue with a yagi pointed at the bistro and snarf out all the POCSAG codes in use.
Slightly more beneficial: figure out your own coaster's address and page it when you feel you've waited long enough for a table.
No. We've had these in Australia - they are only used to signify, usually in a pub bistro/cafe context, when your meal is ready.
The active state of the buzzer is physically unrelated to the process of preparing your food, or even, in your incorrect example, the physical occupation states of a table. Simply put, the buzzer doesn't empty tables or cook food, it's just a digital equivalent of somebody yelling from the counter "Order 17? Works burger with extra beetroot". If your buzzer is going off, the cook isn't just going to hand you a plate of half-cooked food.
Cool! Here's the transmitting software and hardware we did earlier for ham use; we have the 200W transmitter set up on 144.975 MHz in Espoo currently. Only ran it at 512 bit/s, but it should certainly go faster.
POCSAG encoder and modem
Blog post about prototype
POCSAG encoder module on CPAN
> For this kind of situation I often carry my RTL2832U-based television receiver dongle with me (the so-called rtl-sdr)
Do you also carry a notebook with you, or how do you use the rtl-sdr dongle? And which software and OS do you use?
"For this kind of situation I often carry my RTL2832U-based television receiver dongle with me (the so-called rtl-sdr)"
I got a good laugh from that too :) Anyway, keep up the great blog.
Often I would also have my notebook. But it also works on some Android devices - see SDR Touch.
Do you have any recommendations for any specific RTL2832U-based device? I would like to have one but there are shitloads of those available on eBay..
It is 2021 now; a check on Google shows you can get them from Walmart via their mail service. About $16.00 American.
Posts like these are why I have this blog in my RSS reader. Awesome!
I've actually tried this once just to see if it can be done. The person at the cashier was confused why my beeper was beeping when my food clearly wasn't ready!
What did you use for an antenna?
I used a VHF antenna off an old railway radio actually. But once you're inside the restaurant, the RTL's own DVB antenna should be fine too.
What software was used to decode the POCSAG/binary FSK?
I wrote it myself.
Could you please post the code? Thanks!
There are only a few dozen pagers in a typical restaurant. Leave a laptop in your bag decoding the signals for the duration of your meal and you'd collect enough of them to cause some trouble. I never tried decoding, but I can pick up the pager signals from the burger shop down the street from the discone scanner antenna on my house.
I expect the novelty of watching poor saps walk up to the counter to collect their food that isn't ready yet would wear off quickly, but it would be fun to try.
What kind of books do you recommend to be able to decode radio signals? I have been playing around with rtl-sdr for a while listening to different signals. But I don't have the fundamental knowledge of how radio communication works and how I should be able to write my own code for this particular field. Thank you for a wonderful site and talks!
I think I started by reading the technical specifications of the various protocols I wanted to decode. An important guide along the way was The Scientist and Engineer's Guide to Digital Signal Processing. Also, navigating Wikipedia articles about modulation methods and studying for a ham license helped.
Hi! Complete noob on radio. Your blog has some of the nicest reverse engineering I've seen on the radio side, and you got me curious to get myself an RTL-SDR. HackRF seems to be released to the general public pretty soon and when it is I will for sure get one, but until then I want to get my hands dirty. Can you advise on what dongle to get? On the topic of antennas, I see a lot of the dongles come with telescopic antennas. How are these simple antennas able to read all these frequencies? I was under the impression that antennas are measured and cut according to divisions by 2, making the best antenna for 27 MHz 4.5 meters, 2.25 meters and so on.., or is this only important when sending a signal? Last question: Are you married?
Get one with RTL2832U.
As a general principle, a non-optimal-length antenna will still work, it'll just be less efficient. So less signal received / transmitted compared to an optimal one.
I dunno if Oona's married, but have you tried asking Jeri Ellsworth? You're behind me (and a million other geeks) in the queue.
> The next question is inevitable. How much havoc would ensue if someone were to loop through all 262,144 possible addresses and send a message like this? I'll leave it as hypothetical.
Hahaha! I like the way you think!
Hi Oona - if you (or anyone else) wants to *transmit* POCSAG signals over a short distance (however far 100mW will go at UHF) this can be done using an Arduino and RF22 shield... A ham in Belgium has already written most of the code; I have posted on my blog how to get 1200 and 2400 bps transmissions as well as 512 bps.
http://ratcotel.net/?p=376
It's even easier than this. Record all of the signals to a laptop, then simply play them back through the transmitter audio in. No POCSAG software required.