Retro engineering on a pager, Tatoo Hack

This hack, backward me in 1996/1998 during my college years, the pager system was at its peak, there was 3 commercial services and networks here, in France:

  • TamTam, the Cegetel/SFR paging services, stopped in 1999, using ERMES protocol.
  • KOBBY, from Bouygue Telecom, stopped during 2005, using ERMES/FLEX protocol.
  • TATOO, from FT/Orange, using POCSAG, the only still functioning, right now, since 2000, exploited by a Deutsch company, E-Message.

The Kobby and TamTam use VHF frequency band (Update 18/03/14 – 169,425-169,800 Mhz), and the TATOO receiver use UHF band (466.025 MHz – 466.05 MHz – 466.075 MHz – 466.175 MHz – 466.20625 MHz – 466.23125 MHz.). POCSAG protocol is basically easy to decode, with software like POC32 or PDW

« POCSAG is an asynchronous protocol used to transmit data to pagers. The name comes from Post Office Code Standardization Advisory Group, this being the British Post Office which used to run nearly all telecommunications in Britain before privatization. The modulation used is FSK with a ±4.5 kHz shift on the carrier. The high frequency represents a 0 and the low frequency a 1. Often single transmission channels contain blocks of data at more than one of the rates. »  wikipedia

Bellow is a dessication of a MOTOROLA MEMO Pager Receiver (Tatoo, commercial name).

_tatoodissoc2

The pager is composed of two circuits,  a board with a displaying circuit for the lcd, a vibrator, a piezzo buzzer, a backup batterie for the RTC, and a MC68HC68 microcontroler, he probably contain the program to decode/translate the signal and pager ARP address.

_displaypart2

The another board is dedicated to RF reception, you can see a antenna, simple loop of metal, probably a narrow rf input filter, and a strange unidentified IC « 99Z32″, maybe a RF IC Receiver …

_rfpart

Now the goal is to identified the pin’s function on the connector. I have already put my Rigol probe on the Pin 4,  and i can see a low/high signal (see bellow). I’ll will try to translate this signal for PDW or POC32 software soon. Any help is welcome.

POCSAG_signal

 Update 26/04

I started to listening the signal (blue) from my UBC 785 on 466.20625 Mhz, in parallel with the signal from the pager (yellow), it seem to be a inverted signal.

NewFile1outfromscan_outfrompager

After feed the signal through a Max232, but no good result with the decoder software! *sic*, maybe need a little amplification before …

reforeafte

 

4 commentaires

  1. LeFauve

    Very interesting article!
    Do you think you’ll be able to do something useful with the tatoo?
    This made me dig out my old tamtam :o)
    I think I’ll have a look inside, even if I’m far from being able to do anything useful with it (yet).
    Tell me if you’re interested in pictures from its inside.

  2. j3tstream

    thx for your comment LeFauve, i think the best way is to give « more power » to the signal, the TAMTAM use VHF 169,4-169,8125 MHz frequency, in ERMES protocol, seem to be more complex! any pics of your pager are welcome :)

  3. Vincent

    Bonsoir,

    Félicitations pour votre hack :)

    Se hack date en effet des années 90 (bien connu dans le milieu des amateurs radio..).

    Sur le mien, le démodulateur FSK est un CI Philips UAA2080T, le décodage des trames pocsag se faisant à partir de la pin 27 (testé avec Multimon-NG et deux autres logiciels de décodage positif).

    http://www.alldatasheet.fr/datasheet-pdf/pdf/19816/PHILIPS/UAA2080T.html

    Pour information en Allemagne, il existe un (petit) réseau pager radioamateur, fonctionnant sur la fréquence UHF : 439.9875 MHz FMN en FSK 1200 Bauds.

    Une vidéo d »un collègue radioamateur F4GMU :
    http://www.youtube.com/watch?v=vAHhysBQ3-Q
    Attention l »émission sur 466 MHz est strictement interdit (même pour un radioamateur).

Poster un commentaire

Vous devriez utiliser le HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>