Female Speaker: So it's Friday night, and Friday nights at Adafruit Industries means it's time to hack and reverse engineer a random piece of consumer electronics that we find. Tonight, I am going to be taking apart and investigating the innards of this not-broken Motorola Talkabout Jazz. It's a little pager modem running at 9.9, sorry, 929.665 megahertz. So basically, these aren't really used anymore, but I want to see if there is still stuff being transmitted on that pager network. I don't have a scanner, so I thought maybe I can open up the pager modem and get data straight from the radio. So let's start by opening up the back, and let me use my trusty Xcelite Torx screwdriver. So I took out the other screw layer, and just remove the little battery case. You can use a nice screwdriver to gently pry it open. The big secret to taking apart electronics is to be really gentle. That stuff will come apart; you just have to go slow, okay.
So we can see here, there are the battery terminals; it runs on a single AAA battery. We're just going to remove the battery for now to see the pager modem. Here is a little piezo, and then I'll take this out. You can see there is the LCD. This runs on a little battery; its light is still on. I can't see where the battery is; there is a little battery, a backup battery. This here is the loop antenna; that's RF in. Then there are two boards here; I'll take these apart carefully as well. So I am being really careful here not to show any pins, just go slowly, there you go. This is the most boring part of reverse engineering; it's taking it apart without breaking it. Okay, come on. Okay, there you go.
Okay, so let's look at what we have here. So now you can see the pager motor, the loop antenna, and there is a whole bunch of analog parts here and passives, and you can see a little trim capacitor or a potentiometer. So this is the modem part; this is the RF receiver, and it also has the modem on it. You can see little IF crystals that drive the RF decoder chip. Then on this part, you can see there is a small chip crystal, another crystal, probably a timer. If you look really closely, you can see that's a 24C08; that's an, I think, 8 megabit I²C EEPROM, so that's probably storing the unique identifier for this pager. That's probably an LCD driver, pager driver; one of these drives the LCD; usually, there is a specialty chip just for that. The other is the brains behind it, and this is the piezo. Then there is a little voltage regulation going on here; maybe this is a little boost converter.
So the interesting stuff -- here are the buttons. I will just show the other side; you can see there is a connection, driven connection for the LCD, three buttons. Probably one of the worst interfaces I've ever seen; basically, you have to hold one button down for two minutes and then you hold another button. It's not clear how you can actually use this device from looking at the manual. So let's go back; the interesting thing here is the RF modem. So you can see that the RF comes in here, probably. Yeah, here you go, you can see it comes in here. There are probably some amplifiers and filtering before it gets to this chip. So right here, now it's front-wise, so you can see it says STA041, and then on the other line, it says 31149 AFN. So TA is probably the manufacturer, the logo from the manufacturer; 041 is the date code. Then we have 31149; that's probably the part number, and AFN is usually -- any digits at the end are package or temperature, or maybe another date code or an indication of where it was fabbed.
So of course I took this apart earlier and I googled TA31149 to get the data sheet. So here is the UTC TA31142 data sheet, and it looks about right. There you can see the part, so the right number of pins. This is an IF receiver IC, so that makes sense. You just want to make sure, because sometimes you may confuse part of the date code or other fab notations with the part number, so try a couple of different things, working up the part number in different ways, until you get a good hit. So let's look through here. Basically, the interesting stuff with these sorts of one-off chips -- these chips are basically designed for one thing; these are probably designed just to drive Motorola pagers -- is on the last page, where we can see how this works.
So you can see this has a couple of things going on here. There is a mixer, there is an oscillator, there is a little regulator; it seems to -- it runs on one volt, so you can put in a higher voltage, and it has a little op-amp that will do voltage regulation for you if you put a transistor on. There is an amplifier, charge/discharge. You know, basically here is the thing: I don't know if you know RF; I don't completely understand this, but what is really important here is I can see that data is coming in from the antenna and is coming out through FSK. Now FSK stands for frequency shift keying, and that's -- basically, that's how the data comes in over the antenna. So this is actually going to be the data out. You can see there is a comparator, so it's one bit; that means this will be one-bit data out. If you do a little bit of research about pager protocols, basically they clock over one-bit or two-bit serial. So in theory, we should be able to just read the serial data from this chip.
So I am going to put this back together, and then we turn the power on and probe at the chip and see if in fact there is data for us to read. So I've got that pager back together, and I've turned on my trusty Tektronix scope. According to the data sheet, I want to be probing pin 15, FSK out. So, looking at the screen while I do that, I connect my probe to that pin, and you can see a whole bunch of serial data coming out. Now, it's going pretty fast because I just have it on normal trigger, but what I can do is now turn it to Run/Stop and then turn it again. See, this is actually a little tough; you have to single-sequence. There you go, complete. So you can grab a little bit of data and I can check it out; looks like serial to me. So I have to figure out exactly what encoding this is, but it definitely looks like I got data out.
So basically, what's interesting about this pager is, even though it's not activated, it's cheaper and easier for them to have the RF module always on and looking for messages and then seeing if that message is for the pager, sort of like how Ethernet works, rather than having a filter at the RF level and somewhere having it not turn on the radio if it's not activated. So it's interesting that they wanted to make sure that they could -- to have a central control for what pagers were activated and how to send messages themselves; how they did it. So probably my next steps would be -- once you've got the baud rate, which I think is 3200, then hook it to a computer and just look at what the data is and compare it to maybe a white paper on the Flex protocol and see if I can sort of extract messages from this data stream. Then I put it into a Flex packet decoder; there are a couple of free ones online. So that's sort of the beginning of how to reverse engineer a pager modem.
Transcription by:
Scribe4you Transcription Services
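The step the video stops at, working out the symbol rate of the one-bit FSK-out line and slicing it into bits before handing it to a protocol decoder, is shown below as an added example. This is editor-supplied code, not code from the video or from Adafruit. It assumes the FSK-out pin has been captured by a logic analyser or a microcontroller GPIO at a known sample rate as a list of 0/1 samples; the capture used here is constructed in the block at 3200 baud, not recorded from the pager. The rate estimate relies on the stream containing single-symbol runs, which the alternating bit-sync preamble at the start of pager transmissions provides; on a noisy line, replace the minimum-run rule with a histogram peak.

```python
"""Estimate the symbol rate of a captured 1-bit NRZ line and slice it into bits.

Added example, not from the video.  Assumes the FSK-out pin was sampled at a
known rate into a list of 0/1 values.  CAPTURE below is constructed, not a
real recording from the pager.
"""
from collections import Counter


def run_lengths(samples):
    """Collapse a 0/1 sample list into a list of (level, length) runs."""
    runs = []
    for s in samples:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return [(level, n) for level, n in runs]


def estimate_baud(samples, sample_rate):
    """Estimate the symbol rate from the shortest run length seen more than once.

    NRZ data with an alternating preamble contains many single-symbol runs, so
    the shortest repeated run length is one symbol period.  The first and last
    runs are dropped because the capture may have cut them short.
    """
    runs = run_lengths(samples)[1:-1]
    counts = Counter(n for _, n in runs)
    candidates = [n for n, c in counts.items() if c >= 2]
    if not candidates:  # very short capture: fall back to the shortest run
        candidates = list(counts)
    samples_per_symbol = min(candidates)
    return sample_rate / samples_per_symbol


def slice_bits(samples, sample_rate, baud):
    """Recover the bit stream: each run contributes round(length / symbol) bits.

    Resynchronising on every edge, rather than sampling on a fixed grid, keeps
    a small error in the baud estimate from accumulating across the capture.
    """
    spb = sample_rate / baud
    bits = []
    for level, n in run_lengths(samples):
        bits.extend([level] * max(1, round(n / spb)))
    return bits


def make_capture(bits, sample_rate, baud):
    """Constructed capture: stretch each bit to sample_rate/baud samples,
    using cumulative rounding so the fractional period does not drift."""
    spb = sample_rate / baud
    out = []
    for i, b in enumerate(bits):
        start = round(i * spb)
        end = round((i + 1) * spb)
        out.extend([b] * (end - start))
    return out


SAMPLE_RATE = 100_000          # assumed logic-analyser sample rate
TRUE_BAUD = 3200               # the rate the video guesses; used to build CAPTURE
PREAMBLE = [1, 0] * 16         # alternating bit-sync, as pager protocols send
PAYLOAD = [1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1]
CAPTURE = make_capture(PREAMBLE + PAYLOAD, SAMPLE_RATE, TRUE_BAUD)

if __name__ == "__main__":
    baud = estimate_baud(CAPTURE, SAMPLE_RATE)
    print(f"estimated {baud:.0f} baud")
    print("".join(str(b) for b in slice_bits(CAPTURE, SAMPLE_RATE, baud)))
```

The estimate comes out a little above 3200 because 100 kHz does not divide evenly into 31.25 samples per symbol; that is why slicing resynchronises on each edge instead of counting samples from the start of the capture. The recovered bits are what would be fed to a FLEX or POCSAG decoder.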