Embed Size (px)
Citation preview
Catch beeper messages @om the
airwuves with t h i ~ device and view
them oa your computer screen.
BY ALAN D, JONES
D ighl pagers, or beepers as they're commonly called, have become exceedingly
popular in the past decade. Pagers of ail Wnds are d l p p d to the belts of mtlllms of people Ma)c and Ws quite likely thaf me of those people is you.
A signal Intended for a digital pag- er consists, amow other ihlngs. of an individual pager address followed by the message to be dlspbyed on the pager. Note that the word "dlglkrl" here refefs to any pager that receiw binary data, Inciudlng both numeric [digits only) and alphanumerlc [full t q pagers, The mcjority of messages in a broadcast wlll be slrnple tele- phone numkrs or dlgR codes, but people w h alphanumerlc pagers are Increaslngb making use of de- tailed fed mesages. often of consid- erable length.
But how do you know If the mes- sages blng transmitted are belng re- ceived c o r m 7 Thsrek no backup message generated by paging ser- vices, ard you therefore hove no way of detennlnlw if you're getting the whole message. M needed Is a way of getting a =and look at o messuge.
The Alphanume& mr h x d w
descrlhd In fhls article, together with a scanner radio and a PC, wIII prmlt you to M e the messages that are transmitted to about 80 or 90 percent of beepers that are commercially avallable, and view them on your computer screen. Mu could, for ex- ample, keep a log on dlsk of all mes- saw iransmWd to your own pager and verlfy thcrt all were received by the beeper. Also, corporotlons could keep time-stamped logs of all mes- sages sent to therr in-house pagers.
Unlts llke the Decoder are quite effective, and for thls reason are even used by law-enforcement ogencla, Wlth such high-tech help the g W guys in blue can keep tabs on the deol tngs of known nefarious charac- ters.
How Pages are Transmitted. Paglng channels can be fwnd scat- tered around the VHF 1152 MHz) and UHF (454 MHz) bands. In most metro- politan areas, a large number of pap ing channels con be found wthh the dedicded paging band from 929 to 932 M U To discover the frequency UW by a speclflc paging servlce, just look at one of their pagers. There wlll almost a m be a stlcker indldng
the reception frequency. Pager signals of the type we are
interested In here are modulated by the " d i m FSK method. This means that Re R f caniw Is slnritched be- tween center frequency +4.5 kHz and center frequency - 4.5 kllr to represent binary "1" and 3," respec- Rvely Blt rates currently range from 300 to 2400 I d s per second.
The most commmty used data for- mat is P O C X .[Post OfRce Ccde Standard Adviswy Group). Thls codlng standard was cl&sed In a mrles of medings of industry r 9 - m hosted by British T e r n In 1978 and 1980. POCSAG is a 32-bbper-word synchronous error-correcting code using a 17-word frame. It Is &cudcast at 512,1200, a d 2400 bits per sec- 5 ond. On mosi paging channels you wlll hear the &ml mitcMng rupidb between d~ffwerd ba rates as various 8 pagers are ddrewd. To learn to rec- 2 ognlze POCSAG by its dlstlnctlve sound, just use fhe search mode on $ your scanner In Ifw -9- to 932-MHz # range.Abut90pemntofthe signals $ y o u h e a r w i l l b e ~ a t o n e o f t h e three standard bit rates (see the H "POCSP6S Messages" bw for more in- formation]. 39
-v
R747K
Riii0K 04
1114148D5
1N4148
-
R146SK
G747pF
H2
+5V
R4200K
+V
7
Ria4.7K
Ri3470K
RiS2ooK I2
~
Ji
~N~L£
I
R1S1OK
" '.'A ,)R19
I
e:I
;
.
1000I
Gi0 ..b.001
Hi R20i00K
...
J2AUXILIARY
R1? SPEAKER2.2K OUTPUT
~v~~8
Fig.i. Here is the schematic for the Alphanumeric Pager Decoder. Many sections ofthe circuit take their power from two pins of a PC serial port, through DB-25-connector SOl. Regulator IC3 also converts that power to a 5 -volt source for use byother parts of the circuit.
(/)
()
'1:etJQ.)ill~'SQ.0
a..h.'
~.<::t:?~
Using Your Scanner. A perfectty de-modulated paging signal should ap-pear on an oscilloscope as a series ofrectangular pulses of varying width(squarewaves), This signal exists atsome point within the circuitry of anyradio receiver. Unfortunately, mostlow- to moderate-cost scanners were
designed specifically to listen to voicetransmissions, As a result, that nice
clean squarewave passes throughseveral stages of !owpass and high-pass audio filtering to optimize thesound quality from the speaker. Theresult isthat the signal available at theexternal speaker or earphone jackbears little resemblance to the origi-nal source.
One of the functions of the De-coder is that of reconstructing theoriginal data waveform from the high-ly distorted waveform available at theaudio output of a typical scanner. Ex-40
amination of the outputs of severalpopular scanners reveals certaincommon characteristics, One ofthese Isthat all DC information islost; ifa long string of 1'sor O'sisencountered(no bit transitions), the output quicklysettles to a center zero point re-gardless of the polarity of the binarydata. Another is that any bit transitioncauses an initial spike of the properpolarity followed by a moderate-to-severe overshoot of the opposite po-larity, The second overshoot (back inthe original direction) is usually well-damped and of much lower ampli-tude, To make matters worse, the
"ringing" frequency is often roughlyequal to half the bit rate of a 1200-bpsdata stream, causing transition-in-duced spikes to sometimes super-pose themseives on the first overshootfrom a previous transition,
The Decoder attempts to recon-
+5V
SO1
I -v
ljO-lC4+ 1
D31N4148
+V"--
+ I 'C61
0611'14148
-:::-
+V +5V
1G81
-
strus:tthe original data by the use of aSchmitt trigger, There are"!wo oppor-tunities for trigger points on the audiowaveform: the Initial spike and the firstovershoot. Which one Isbest dependson whether or not the amplitude ofthe initial spike is significantly higherthan the first overshoot. The generallack of a major second overshoot isthe detail that allows us to get awaywith using the first overshoot Instead ofthe spike, For any particular scanner, .direct experimentation will determinethe best location for the trigger points,
Ifyour scanner has a "discriminator"or raw-data output then you shouidby all means use it with the Decoder.Most do not however, So, as we'll seelater, you will probably have to locatethis unaduiterated signal within the in-ternal circuitry of the scanner. A littlework with a soldering iron can bringout an extra pair of wires (or a jack)
providing the desired output. Be-cause of the audio fiitering,you cannormailydecode 1200-bpsand lowertransmissions,but its pretty hopelessto extract useful data at 2400 bpswithouta direct discriminatoroutput.
Just because you have an accu-rateiy reconstructed binary datastream doesn't mean that the prob-lem of interpreting pager signals issolved.We could try level-translatingthe signal to RS-232voltages andfeeding it Into a serial port, but thefoilowingmust be considered: (1)bitrates may change unexpectedly,and(2) POCSAGis a 32-blt synchronousformat that Is incompatible with thedata input mechanism of the type ofUARTthat is normaily used in PCs.
There is some temptation to solveboth of these difficulties by feedingthe signal to a "handshake" line of theserial port (instead of the normal dataline) and using highiy timing-intensivesoftware to measure individual bittransitions in order to determine thecurrent bit rate and extract the cor-rectly synchronized data words. Infact, there exist products on the mar-ket that do exactiy this, and the Inge-nuity that must have been required towrite such software issomething to beadmired. The disadvantage of thisapproach isthatthe software runningon the PC must perform timing tasks atthe sub-millisecond level ina way thatessentiaily prohibits operation undermultitasking operating systems suchas Microsoft Windows. Such programstend to run under MS-DOSoniy andmust "own" ail the CPUtime inorder tofunction correctly.
The Decoder overcomes this disad-vantage by adding one more pro-cessing step between the recon-structed data stream and the PCserial port. A Microchip PIC16C54 mi-croprocessor is used to reformat thedata into a form that isacceptable toa standard PC UART.In order to retainthe versatility and general ap-plicability of this device for future ap-plications In decoding other digitaldata stream formats, the embeddedsoftware for the PICCPUoperates sim-ply as a constant-rate sampler, con-tinuously taking samples of the stateof the data stream at approximately9600 samples per second. Each timea group of eight samples has beenaccumulated, the group is transmit-ted to the PC serial port as a conven-
tional asynchronous byte, includingstart and stop bits,at 19,200bps. Thisamounts to four sampies per bit at a2400-bps incoming data rate (morefor lowerrates),which isadequate forpurposes of software-based bit syn-chronization.
The workof determining the datarate and subsequentlyconvertingthedata to a usable one-bit-per-data-bitstored format isstillhandled bythe PCitself.Theadvantage of thismethod isthat since data isreceived bythe PCserial port In the standard way, theusual operating-system-supplied se-riaiport device driverscan be used toreceive and initiailybuffer the data.Thisbuffercan be occasionallyreadand analyzed by an application pro-gram that, because ofthe bufferinginthe device driver,can easiiy run in amultitaskingenvironment.
The writingof PC software to bit-
sync, word-sync, error-correct. de-code, and display the data streamfromthisdevice wouldbe a project ofgreater magnitude than the physicalconstruction itself.However, a pro-gram that performs these functionsunder either MicrosoftWindows3.1orMicrosoftWindows95 is available atno charge via the Internet at http://www.cylexinc.com/downioad.htmorfrom ftp.gernsback.com. This pro-gram decodes POCSAGat all threestandard rates; ifyou need to decodeanother coding format you willneedto write your own software for now.Note that any program acceptingdata fromthis device must be capa-ble of accommodating a never-end-ing stream of 19200-baud data andperforming a fair amount of com-putation on that data at real-timespeeds. It is necessary to use a rea-sonably fast PC to run such a pro-
is:I1Jii:::I
~,"'""1;0"0co~IT15$)
g1)(J)
41
gram; we recommend a 33 MHz 486as a minimum.
Circuit Descripti@n. The schematicfor the Decoder is shown in Fig. 1.Basically, the circuit consists of fourblocks: the power supply, input-signalprocessing, Schmitt trigger, and dig-ital sampier/UART.All necessary poweris drawn from the handshake lines of
the serial port itself. The request-to-send line (pin 4 of S01) providesnegative voltage and the data-termi-nal-ready line (pin 20 of S01) providespositive voltage (software must setthese outputs appropriately). Reg-ulator IC3 creates a 5-volt logic supplyfor microcontroller IC1. The RTSline
(negative supply) doubles as a resetcontrol for IC1 when It is set momen-
tarily posiJive, while the data-outputline from the PC serves as a separatenegative supply to produce the nec-essary voltage swing to drive the PC'sdata input at RS-232 levels.
ResistorR19 is a simulated speakerload for the scanner if needed. Com-
ponents R18and C10 form a lowpassfilter to remove the 455-kHz IFcompo-nents (and harmonics) that are oftenpresent at discrimi[1ator outputs. Both
I"
r1-3/8INCHES~
Fig. 2. This is the solder side of theDecolkr circuit board.
~Dj
5Sl.,.~i)
Fig. 3. Here's the component side of the2 board.
A properly assembled Decoder PC board will fit inside a DB-25 connector hood.
C9 and R20 eliminate any undesiredDC components that may exist in the
scanner signal. One section of anLF444CN, IC2-a, issimply a buffer andgain block with two jumper-seiecta-ble gain settings; IC2-c buffers the sig-na! to the auxiliary speaker output.
Section IC2-d and its associated
feedback components form aSchmitt trigger with thresholds of ap-proximately +0.1 and -0.1 voits. Ca-pacitor C5, section IC2-b, and theirassociated resistors are set up tocause LED1to flash on each negativetransition of the Schmitt trigger outputas an aid in setting the scanner out-put-level control. Transistor Q2 con-verts the rail-to-rail swing from IC2-dto !ogic leve!s for input to micro-controller ICt a PIC16C54.
The PiC contains on-chip PROMthat must be programmed with thesmali program whose source codeand compiled hex file can be down-loaded from the Cylex Internet sitementioned earlier, or the Gernsback
FTP.Pre-programmed chips are alsoavailable from a source mentioned in
the Parts List. This program is ciock-rate sensitive and will not work unless
a 4-MHz crystal is used.
Construction. Layout of the circuit isnon-critical. For that reason, any rea-sonable breadboard assembly tech-nique can be used to build theDecoder. The only precautions you'dhave to follow are: (1) Be sure thatcrysta! xrAL1 and its shunt capacitorsC1 and C2 are close to micro-
controller IC1 with short lead lengths.and (2) Keep C8 close to IC3, and C3close to iCi. However, when it comes
to size,building the circuit on a bread-
board is not desirable.
For the most compact assembly,you might want to build the circuit inthe fashion the prototype was as-sembled-on a double-sided
printed-circuit board. That way, theentire circuit will fit inside a plasticD8-25 connector shell. If you'd like toetch your own double-sided PCboard, you can use the solder- andcomponent-side foil patterns shownin Figs. 2 and 3, respectively. Or, youcan order a drilled and etched boardfrom the source mentioned in theParts List.
If you build the Decoder on the cir-cuit board, use the parts-placementdiagram shown in Fig,4 as a guide. Becareful about the sequence in whichyou install the parts. Note that some ofthe discrete components In Fig.4 areshown made up of dashed lines.Those mount on the solder side of the
board directly under ICs. Solder thoseparts in place and clip their leads be-fore you installlCs. Do not use socketsunder the ICs if you plan to enclosethe circuit in the plastic shell; there issimply not enough room.
It is also important to solder allTO-92 parts (Ql, Q2, Q3, and IC3) withtheir plastic cases aUthe way down tothe board, again because of theshortage of room. Jacks J1 and J2and S01 go against the edge of theboard and some of their pins solder toeach side. Besurethat S01 isperfectlystraight against the board edge orthe connector shell will not fit. The LED
should protrude through a hole in theconnector shell drilled or punched toaccommodate it.Also, make sure that
C9 is small enough to fit in the spaceallowed on the board.
Fig. 4. Use this parts-placement diagram as a guide when assembling the Decoder ona PC board. Note that the parts drawn with dashed lines are mounted on thecomponent side of the board.
Keeping all those assembly tips inmind, this is the recommended se-quence to optimize putting togetherthe circuitboard: Solder the two 3.5-mm phono jacksto the board, center-ing them against the edge. Theground lug on each willneed to be .bent about 45 degrees in order totouch the pads on the board. Nextmount the DB-25connectorto theboard using only pins 1 and 13.Tem-porarilyplace the board intoone sideof the plastic shell.Ifthingsdo not lineup properly, reheat the solder jointsand adjust the position of the con-nector.Thensolder the remainingpinsof the DB-25.
Using the plastic shell half con-taining the LEDhoie os a guide, installthe LEDon the solder side of theboard. Besure to get the polaritycor-rect. We stress this because the in-stallation of IC2 later will makedesoldering of the LEDdifficult.InstallCl, C2,C3,Xl,R9.R13,R14,and R16onthe solder side of the board as well.Leave about 1 11'111'1of extra leadlength on C1-C3 and bend theseparts down flat against the board inthe direction away from the crystal.
Installall remaining parts on thecomponent sideofthe board. Besurethat all parts, especially Q1--Q3,and
IC3. are flush against the board. Testthe circuit before installing the plasticshell; the shell isdifficultto take apart.
Checkout and Adjustment. Topower up and testthe circuit,Itisnec-essary to have either the AccuPageRadio Monitor program for the PC(mentioned earlier)or a test programthat sets the COM port as follows:RTS= 0, om = 0 for at least 0.1 sec, fol-lowed by RTS= 1, DTR= 0 indefinitely.Thisresets IC1,then configures thelines to provide power. Start with thedevice connected torhe COM portbut nothing connected to J1 or J2.Measure the voltage (relativeto cir-cuit ground) at IC1pin 14and IC2pin11;these should be + 5 voltsand -6to-11volts respectively.The LEDshouldnot be lit.
Next.tune yourscanner to an activepaging frequency. Usean appropri-ate cable to connect the output ofthe scannerto J1.lfyouare usingthespeaker/earphone output of thescanner, Installa connecting pin toheader H1;remove itifyouare usingadiscriminator output (more on thatlater).Leave the pinon heSJderH2off;it Isneeded onlyin a small percent-age of cases with discriminatorout-puts and almost never with speaker
outputs. If you are using a discrimi-nator output, then the foilowingpara-graph referencing voiume-controlsettingsdoes notapply; youshouldbeable to just plug and go, Ifthe LEDdoes not come on during transmis-sions,then installthe pin on H2.
Set the volume control to its mini-mum position. Connect a smallspeaker or earphone to J2. Be surethat the COMport isset correctlyandthat you check the "Enable" check-boxnear the top of the Accupage Ra-dio Monitor screen. Gradually in-crease the voiume setting until theLEDbegins to glow continuousiydur-ing transmissions;stop at thispoint.Donot change the volume betweentransmissions;you willjust be turningthe control with no reference. Duringa paging transmission,the apparentintensityof the LEDshould appear towaver insyncwiththe sound you hear.but it should not go out except be-tween transmissions.(Ifyou have anoscilloscope, connect one channelto pin 1of IC2and the other to pin9 ofiCi to see how the circuit Isinterpret-ing the analog waveform.)
It Isworth pausing here for a mo-ment to emphasize the importance'of clean reception on the scanner.Moveor re-orientthe antenna as nec-essary!Thesound you hear should beas free as possible from hissor crack-ling noises.The sensitivityand selec-tivityof a wideband receiver Isoftennot as good as that of a single-fre-quency pager receiver, and gettinggood reception issubsequently moredifficult.
Watch the "Signal"indicators nearthe top of the AccuPage RadioMonitorscreen. Thegreen to red ratiocorresponds to the correct to errorsratio. The left Indicator is the one towatch initially;the right indicator al-waysstarts at "100%bad" and repre-sentsa cumulativeweighted averageover the last several seconds of validdata. We are looking for the ieft in-dicator to show mostlygreen. Whiteindicates no valid data at 011.Iftheindicator remains white, and the LEDglows as described, try toggling the"Inverted Data" checkbox. Everyscanner is different and the outputpolarity of yours may be backwardsfromthe program's convention.
Ifyou just can't seem to get anyIndicationOilthe signal indicator,tryIncreasingthe voiume setting by tiny
<"!:<£rafscu
4:
incrementalamounts,beingsure totry both settings of "InvertedData" ateach position, Once the indicatorshowssome green, then keep adjust-ing the volume for best results(mini-mum red),ifyou are getting readingsbut are unabie to reduce the "bad"(red) percentage to a smallvalue,then approach fromthe othef direc-tion, Setthe Inverted Data checkboxto itsopposite setting (totriggeron theovershoot as described earlier)andincrease the volumeto a muchhighersetting,Thendecrease the volumein-crementally, searching for an op-timum setting based on the Signalindicators.
The AccuPage Radio Monitorpro-gram by default logs and displaysallmessages that it decodes. If youwould liketo see onlytext messages,or to filterthe messages so that onlythose for particular pagers are log-ged, select "File/SearchLisffromthemenu bar, A typical paging servicemight easily transmit 100,000pagesper day, and the message log filegenerated by logging allofthem willrapidlygrowto a sizeof manymega-bytes,
Troubleshooting. The followingaresome of the most likelyreasonswhythe device might not workproperiy:
[1)Connector problems at the scan-ner output.
(2) Wrong COM port set up In soft-ware.
(3)"InvertedData" setting isincorrect.(4)Computer istoo slow(usea 486/33
or faster),(5)Weak or noisyradio reception,(6)Wrong settings for pins in H1and
H2.(7) The received signal is not direct
FSK.
(8) Wrong scanner demodulationmode (shouldbe narrowFM),
(9)The received signal isnotPOCSAG(there are other paging formats),
(10)Solderingproblems, wiringerrors,damaged components, etc.
Obtaining Unfiltered ScannerAudio. Everyscanner isdifferentanditwould be difficultto providespecificinstructionsfor tapping Into the un-filtered demodulator output foreverytype of scanner on the market(though we willgive tips forone lateron), Here are some general sugges-tions: .
Firstof all, get a schematic of thescanner! Withoutthis, you stilimighthave success, but Irsgoing to take anoscilloscope and a lot of patience,
Lookfor the audio amplifiercircuit.Thiswillusuallyconsistof two or threestages of amplification,probably witha second-order lowpass filterand asecond-order highpass filter some-where In the chain, Tryto obtain atake-off point at the beginning of theamplifier chain. The signal here willprobably be only a few tenths of avolt, should look like square waves,and Islikelyto have a lot of 910 kHzsuperimposed on it (tV\licethe lowestIF),
Asan alternative (particularlyifyou
don't have a schematic), lookfor theFMdemodulator, In many scanners,this is the popular Motorola MC3361chip, Ifyou find one of these In yourscanner, then pin 9 is the unfiltereddemodulator output, Depending onthe external circuitry,it ispossible thatpin 11isalso a good place to get asignal. Usean oscilloscope ifpossibleto select the "squarest-looking"signal.
In addition to the signal take-offpoint you must of course also bringout th.e scanner's circuit ground.Warning: Insome handheld scannerswe have examined, the "case" side ofthe external speaker jack is notgrounded. Lookon the circuitboards
(Continued on page 60)
Fig. 5. Once the boardfrom the UnidenSC.150 is removed(see text), use thisphotoas a guide to locating the signal-connectionpoint for demodulator output.
