==Phrack Magazine==

                  Volume Five, Issue Forty-Six, File 8 of 28

****************************************************************************


                     The Wonderful World of Pagers

                            by Erik Bloodaxe

Screaming through the electromagnet swamp we live in are hundreds of
thousands of messages of varying degrees of importance.  Doctors,
police, corporate executives, housewives and drug dealers all find
themselves constantly trapped at the mercy of a teeny little box:
the pager.

Everyone has seen a pager; almost everyone has one.  Over 20 million
pagers are on the streets in the US alone, sorting out their particular
chunk of the radio-spectrum.  Another fifty-thousand more are
put into service each day.

But what the hell are these things really doing?  What more can we
do with them than be reminded to call mom, or to "pick up dry-cleaning?"

Lots.


** PROTOCOLS **

Pagers today use a variety of signalling formats such as POCSAG, FLEX
and GOLAY.  The most common by far is POCSAG (Post Office Standardization
Advisory Group), a standard set by the British Post Office and adopted
world-wide for paging.

POCSAG is transmitted at three transmission rates--512, 1200 and 2400 bps.
Most commercial paging companies today use at least 1200, although many
companies who own their own paging terminals for in-house use transmit
at 512.  Nationwide carriers (SkyTel, PageNet, MobileComm, etc.) send
the majority of their traffic at 2400 to make the maximum use of
their bandwidth.  In other words, the faster they can deliver pages,
the smaller their queue of outgoing pages is.  Although these
carriers have upgraded their equipment in the field to broadcast at
2400 (or plan to do so in the near future), they still send out
some pages at 1200 and 512 to accommodate their customers with older
pagers.  Most 512 and 1200 traffic on the nationwide services is
numeric or tone-only pages.

POCSAG messages are broadcast in batches.  Each batch is comprised of 8
frames, and each frame contains two codewords separated by a
"synchronization" codeword.  A message can have as many codewords
as needed to deliver the page and can stretch through several batches
if needed.  The end of a complete message is indicated by a "next address"
codeword.  Both addressing and user data are sent in the codewords, the
distinction being the least significant bit of the codeword:
0 for address data, and 1 for user-data.

Standard alphanumeric data is sent in a seven-bit format, with each codeword
containing 2 6/7 characters.  A newer 8-bit alphanumeric format is
implemented by some carriers which allow users to send data such as
computer files, graphics in addition to regular alphanumeric messages.
The 8 bit format allows for 2.5 characters per codeword.

Numeric data is 4 bit, allowing up to 5 numbers to be transmitted per
codeword.  Tone and voice pages contain address information only.

(NOTE:  Pager data uses BCH 32,21 for encoding.  I don't imagine
 very many of you will be trying to decode pager data by building your
 own decoders, but for those of you who may, take my interpretation
 of POCSAG framing with a grain of salt, and try to dig up the
 actual POCSAG specs.)

** THE PAGING RECEIVER **

Paging receivers come in hundreds of shapes and sizes, although the vast
majority are manufactured by Motorola.  Numeric pagers comprise over
fifty percent all pagers in use.   Alphanumeric comprises about thirty
percent, with tone and voice pagers making up the remainder.

Pagers are uniquely addressed by a capcode.  The capcode is usually six
to eight digits in length, and will be printed somewhere on the pager
itself.  Many pager companies assign customers PIN numbers, which are
then cross-referenced to a given capcode in databases maintained by
the service provider.  PIN numbers have no other relationship
to the capcode.

Tone pagers are by far the most limited paging devices in use.
When a specified number has been called, an address only message
is broadcast, which causes the intended receiver to beep.  Wow.
Tone pagers usually have 4 capcodes, which can correspond to
different locations to call back.  Voice pagers are similar, except
they allow the calling party to leave a 15 to 30 second message.
The voice message is broadcast immediately after the capcode of the
receiver, which unsquelches the device's audio.

Numeric pagers, although seemingly limited by their lack of display
options have proven otherwise by enterprising users.  Most numeric
data sent is obviously related to phone numbers, but numerous users
have developed codes relating to various actions to be carried out
by the party being paged.  The most prolific users of this have
been the Chinese who have one of the most active paging networks
in the world.  I suppose the next biggest users of code-style numeric
paging would be drug dealers.  (2112 0830 187 -- get to the fucking
drop site by 8:30 or I'll bust a cap in your ass!)  :)

Alphanumeric pagers are most often contacted through a dedicated
service that will manually enter in the message to be sent onto the
paging terminal.  One such service, NDC, offers its phone-answering
and message typing services to various pager companies.  Next time
you are talking to a pager operator, ask him or her if they are at
NDC.  They probably are.

In addition to the capcode, pagers will have an FCC ID number, a serial
number, and most importantly, the frequency that the device has been
crystaled for imprinted on the back of the device.  Although technology
exists that would allow pagers to listen on a number of frequencies
by synthesizing the frequency rather than using a crystal, pager
manufacturers stick to using crystals to "keep the unit cost down."

Pagers may have multiple capcodes by which they can be addressed by.
Multiple capcodes are most often used when a person has subscribed to
various services offered by their provider, or when the subscriber is
part of a group of individuals who will all need to receive the same
page simultaneously (police, EMTs, etc.).

Most low-cost pagers have their capcode stored on the circuit board
in a PAL.  Most paging companies will completely exchange pagers
rather than remove and reprogram the PAL, so I don't think
it's worth it for any experimenter to attempt.  However, like most
Motorola devices, many of their paging products can be reprogrammed
with a special serial cable and software.  Reprogramming software
is usually limited to changing baud rates, and adding capcodes.

Additionally, some units can be reprogrammed over the air by the
service provider.  Using a POCSAG feature known as OTP (over the air
programming) the service provider can instruct the paging receiver to
add capcodes, remove capcodes, or even shut itself down in the case
of non-payment.

** SERVICES **

With the growing popularity of alphanumeric pagers, many service providers
have decided to branch out into the information business.  The most
common of these services is delivery of news headlines.  Other services
include stock quotes, airline flight information, voice mail and
fax reception notification, and email.  Of course, all of these services
are available for a small additional monthly premium.

Email is probably the single coolest thing to have sent to your
alpha pager.  (Unless you subscribe to about a zillion mailing lists)
Companies like SkyTel and Radiomail give the user an email address
that automatically forwards to your paging device.
IE: PIN-NUMBER@skymail.com.  Several packages exist for forwarding
email from a UNIX system by sending stripping down the email to
pertinent info such as FROM and SUBJECT lines, and executing a script
to send the incoming mail out via a pager terminal data port.
One such program is IXOBEEPER, which can be found with an archie
query.

Radiomail's founder, (and rather famous ex-hacker in his own right - go
look at ancient ComputerWorld headlines), Geoff Goodfellow had devised
such a method back in the late 70's.  His program watched for incoming
email, parsed the mail headers, and redirected the FROM and SUBJECT
lines to his alphanumeric pager.  Obviously, not many people had
alphanumeric pagers at all, much less email addresses on ARPANET
back in the 70's, so Geoff's email pager idea didn't see much
wide-spread use until much later.

Two RFC's have been issued recently regarding paging and the Internet.
RFC 1568, the Simple Network Paging Protocol, acts similarly to SMTP.
Upon connecting to the SNPP port the user issues commands such as:

        PAGE followed by pager telephone number
        MESS followed by the alpha or numeric message
        SEND
      & QUIT

RFC 1568 has met with some opposition in the IETF, who don't consider
it worthwhile to implement a new protocol to handle paging, since it
can be handled easily using other methods.

The other RFC, number 1569, suggests that paging be addressed in a rather
unique manner.  Using the domain TPC.INT, which would be reserved for
services that necessitate the direct connection to The Phone Company,
individual pagers would be addressed by their individual phone numbers.
Usernames would be limited to pager-alpha or pager-numeric to represent
the type of pager being addressed.  For example, an alpha-page being sent to
1-800-555-1212 would be sent as pager-alpha@2.1.2.1.5.5.5.0.0.8.1.tcp.int.

** PAGING TERMINAL DATA PORTS **

Many services offer modem connections to pager terminals so that
computer users can send pages from their desks using software packages
like WinBeep, Notify! or Messenger.  All of these services connect to
the pager terminal and speak to it using a protocol known as
IXO.

Upon connection, a pager terminal identifies itself with the following:

ID=

(I bet you always wondered what the hell those systems were)
Paging terminals default to 300 E71, although many larger companies
now have dialups supporting up to 2400.

Many such systems allow you to manually enter in the appropriate information
by typing a capital "M" and a return at the ID= prompt.  The system will then
prompt you for the PIN of the party you wish to page, followed by a prompt
for the message you wish to send, followed by a final prompt asking if you
wish to send more pages.  Not every pager terminal will support a manual
entry, but most do.

All terminals support the IXO protocol.  As there are far too many
site specific examples within the breadth of IXO, we will concentrate on
the most common type of pager services for our examples.

[  Sample IXO transaction of a program sending the message ABC to PIN 123
   gleened from the IXOBeeper Docs                                         ]

Pager Terminal                          YOU
--------------------------------------------------------------
                                        
ID=
                                        PG1
Processing - Please Wait
                                        

ACK 
[p 
                                        123
                                        ABC
                                        17;

ACK 
                                        
EOT 


The checksum data came from:

STX     000 0010
1       011 0001
2       011 0010
3       001 0011
    000 1101
A       100 0001
B       100 0010
C       100 0011
    000 1101
ETX     000 0011
----------------
     1 0111 1011
----------------
     1    7    ;  Get it?  Get an ASCII chart and it will all make sense.


Note:  Everything in the paging blocks, from STX to ETX inclusive are used
       to generate the checksum.  Also, this is binary data, guys...you can't
       just type at the ID= prompt and expect to have it recognized as IXO.
       It wants specific BITS.  Got it?  Just checking...


** PAGER FREQUENCIES - US **

[Frequencies transmitting pager information are extremely easy to
 identify while scanning.   They identify each batch transmission
 with a two-tone signal, followed by bursts of data.  People with
 scanners may tune into some of the following frequencies to
 familiarize themselves with this distinct audio.]

Voice Pager Ranges:      152.01   - 152.21
                         453.025  - 453.125
                         454.025  - 454.65
                         462.75   - 462.925

Other Paging Ranges:      35.02   -  35.68
                          43.20   -  43.68
                         152.51   - 152.84
                         157.77   - 158.07
                         158.49   - 158.64
                         459.025  - 459.625
                         929.0125 - 931.9875

** PAGER FREQUENCIES - WORLD **

Austria         162.050  - 162.075         T,N,A
Australia       148.100  - 166.540         T,N,A
                411.500  - 511.500         T,N,A
Canada          929.025  - 931-975         T,N,A
                138.025  - 173.975         T,N,A
                406.025  - 511.975         T,N,A
China           152.000  - 172.575           N,A
Denmark                    469.750           N,A
Finland                    450.225         T,N,A
                146.275  - 146.325         T,N,A
France          466.025  - 466.075         T,N,A
Germany         465.970  - 466.075         T,N,A
                           173.200         T,N,A
Hong Kong                  172.525           N,A
                           280.0875        T,N,A
Indonesia       151.175  - 153.050             A
Ireland         153.000  - 153.825         T,N,A
Italy                      466.075         T,N,A
                           161.175         T,N
Japan           278.1625 - 283.8875         T,N
Korea           146.320  - 173.320         T,N,A
Malaysia        152.175  - 172.525           N,A,V
                           931.9375          N,A
Netherlands     156.9865 - 164.350         T,N,A
New Zealand     157.925  - 158.050         T,N,A
Norway          148.050  - 169.850         T,N,A
Singapore                  161.450           N,A
                           931.9375          N,A
Sweden                     169.8           T,N,A
Switzerland                149.5           T,N,A
Taiwan                     166.775           N,A
                           280.9375          N,A
Thailand                   450.525           N,A
                172.525  - 173.475           N,A
UK              138.150  - 153.275         T,N,A
                454.675  - 466.075         T,N,A

T = Tone
N = Numeric
A = Alphanumeric
V = Voice


** INTERCEPTION AND THE LAW **

For many years the interception of pages was not considered an
invasion of privacy because of the limited information provided
by the tone-only pagers in use at the time.  In fact, when
Congress passed the Electronic Communications Privacy Act in 1986
tone-only pagers were exempt from its provisions.

According to the ECPA, monitoring of all other types of paging signals,
including voice, is illegal.  But, due to this same law, paging
transmissions are considered to have a reasonable expectation to
privacy, and Law Enforcement officials must obtain a proper court
order to intercept them, or have the consent of the subscriber.

To intercept pages, many LE-types will obtain beepers programmed with
the same capcode as their suspect.  To do this, they must contact
the paging company and obtain the capcode associated with the person
or phone number they are interested in.  However, even enlisting
the assistance of the paging companies often requires following
proper legal procedures (warrants, subpoenas, etc.).

More sophisticated pager-interception devices are sold by a variety
of companies.  SWS Security sells a device called the "Beeper Buster"
for about $4000.00.  This particular device is scheduled as
a Title III device, so any possession of it by someone outside
a law enforcement agency is a federal crime.  Greyson Electronics
sells a package called PageTracker that uses an ICOM R7100
in conjunction with a personal computer to track and decode pager
messages.  (Greyson also sells a similar package to decode
AMPS cellular messages from forward and reverse channels called
"CellScope.")

For the average hacker-type, the most realistic and affordable option
is the Universal M-400 decoder.  This box is about 400 bucks and
will decode POCSAG at 512 and 1200, as well as GOLAY (although I've never
seen a paging service using GOLAY.)  It also decodes CTCSS, DCS, DTMF,
Baudot, ASCII, SITOR A & B, FEC-A, SWED-ARQ, ACARS, and FAX.  It
takes audio input from any scanners external speaker jack, and
is probably the best decoder available to the Hacker/HAM for the price.

Output from the M400 shows the capcode followed by T, N or A (tone, numeric
or alpha) ending with the message sent.  Universal suggests hooking
the input to the decoder directly to the scanner before any de-emphasis
circuitry, to obtain the true signal.  (Many scanners alter the audio
before output for several reasons that aren't really relevant to this
article...they just do. :) )

Obviously, even by viewing the pager data as it streams by is of little
use to anyone without knowing to whom the pager belongs to.  Law Enforcement
can get a subpoena and obtain the information easily, but anyone else
is stuck trying to social engineer the paging company.  One other alternative
works quite well when you already know the individuals pager number,
and need to obtain the capcode (for whatever reason).

Pager companies will buy large blocks in an exchange for their customers.
It is extremely easy to discover the paging company from the phone number
that corresponds to the target pager either through the RBOC or by paging
someone and asking them who their provider is when they return your call.
Once the company is known, the frequencies allocated to that company
are registered with the FCC and are public information.  Many CD-ROMs
are available with the entire FCC Master Frequency Database.
(Percon sells one for 99 bucks that covers the whole country -
716-386-6015)  Libraries and the FCC itself will also have this information
available.

With the frequency set and a decoder running, send a page that will be
incredibly easy to discern from the tidal wave of pages spewing
forth on the frequency.  (6666666666, THIS IS YOUR TEST PAGE, etc...)
It will eventually scroll by, and presto!  How many important people
love to give you their pager number?

** THE FUTURE **

With the advent of new technologies pagers will become even more
present in both our businesses and private lives.  Notebook computers
and PDAs with PCMCIA slots can make use of the new PCMCIA pager cards.
Some of these cards have actual screens that allow for use without the
computer, but most require a program to pull message data out.  These
cards also have somewhat large storage capacity, so the length of
messages have the option of being fairly large, should the service
provider allow them to be.

With the advent of 8-bit alphanumeric services, users with PCMCIA pagers
can expect to receive usable computer data such as spreadsheet
entries, word processing documents, and of course, GIFs.  (Hey, porno
entrepreneurs:  beeper-porn!  Every day, you get a new gif sent to your
pagecard!  Woo Woo.  Sad thing is, it would probably sell.)

A branch of Motorola known as EMBARC (Electronic Mail Broadcast to A
Roaming Computer) was one of the first to allow for such broadcasts.
EMBARC makes use of a proprietary Motorola protocol, rather than
POCSAG, so subscribers must make use of either a Motorola NewsStream
pager (with nifty serial cable) or a newer PCMCIA pager.  Messages are
sent to (and received by) the user through the use of special client
software.

The software dials into the EMBARC message switch accessed through
AT&T's ACCUNET packet-switched network.  The device itself is used
for authentication (most likely its capcode or serial number)
and some oddball protocol is spoken to communicate with the switch.

Once connected, users have the option of sending a page out, or
retrieving pages either too large for the memory of the pager, or
from a list of all messages sent in the last 24 hours, in case the
subscriber had his pager turned off.

Additionally, the devices can be addressed directly via x.400
addresses.  (X.400: The CCITT standard that covers email address
far too long to be worth sending anyone mail to.)  So essentially,
any EMBARC customer can be contacted from the Internet.

MTEL, the parent company of the huge paging service SkyTel, is
implementing what may be the next generation of paging technologies.
This service, NWN, being administrated by MTEL subsidiary Destineer,
is most often called 2-way paging, but is more accurately Narrowband-PCS.

The network allows for the "pager" to be a transceiver.  When a page
arrives, the device receiving the page will automatically send back
an acknowledgment of its completed reception.  Devices may also
send back some kind of "canned response" the user programs.  An example
might be:  "Thanks, I got it!" or "Why on Earth are you eating up my
allocated pages for the month with this crap?"

MTEL's service was awarded a Pioneers Preference by the FCC, which gave them
access to the narrowband PCS spectrum before the auctions.  This is a big
deal, and did not go unnoticed by Microsoft.  They dumped cash into the
network, and said the devices will be supported by Chicago.  (Yeah,
along with every other device on the planet, right?  Plug and Pray!)

The network will be layed out almost identically to MTEL's existing paging
network, using dedicated lines to connect towers in an area to a central
satellite up/downlink.  One key difference will be the addition of
highly somewhat sensitive receivers on the network, to pick up the ACKs
and replies of the customer units, which will probably broadcast at
about 2 or 3 watts.  The most exciting difference will be the
speed at which the network transmits data:  24,000 Kbps.  Twenty-four
thousand.  (I couldn't believe it either.  Not only can you get your
GIFs sent to your pager, but you get them blinding FAST!)  The actual
units themselves will most likely look like existing alphanumeric pagers
with possibly a few more buttons, and of course, PCMCIA units will
be available to integrate with computer applications.

Beyond these advancements, other types of services plan on offering
paging like features.  CDPD, TDMA & CDMA Digital Cellular and ESMR
all plan on providing a "pager-like" option for their customers.
The mere fact that you can walk into a K-Mart and buy a pager
off a rack would indicate to me that pagers are far to ingrained into
our society, and represent a wireless technology that doesn't scare
or confuse the yokels.  Such a technology doesn't ever really go away.


** BIBLIOGRAPHY **

Kneitel, Tom, "The Secret Life of Beepers," _Popular Communications_,
         p. 8, July, 1994.

O'Brien, Michael, "Beep! Beep! Beep!," _Sun Expert_, p. 17, March, 1994.

O'Malley, Chris, "Pagers Grow Up," _Mobile Office_, p. 48, August, 1994.