Wednesday, 22 January 2014

Ericsson PTF-118 pager teardown

A recent eBay score was a job lot of 5 Ericsson pagers for the grand total of £10. The 'buy it now' temptation was too great, and before I'd had a chance to look into the feasibility of getting these 90s-era devices to do anything fun it was too late: I'd clicked the button.

Between committing to buy and the devices arriving, I'd managed to at least figure out that there are plenty of warning pages on eBay explaining that BT pagers will no longer work. Looking back, the seller had cunningly covered the blatant BT logo on the top right of the box with some convenient positioning:



This wasn't actually an issue since I wasn't buying them to use as intended anyway. The plan was to see if it was possible to siphon off all pager traffic, not just the pages intended for the device, similar to what Adafruit did a while ago.

So, working on the assumption that there won't be any pager traffic to pick up now anyway (that assumption could be wrong, of course), it was time to rip one of them apart and see how feasible it would be to reprogram or otherwise hack them.

The back side of the pager isn't very interesting.


The TSOP chip near the bottom of the image is a CY62256VLL-70ZI 256k RAM chip. The more interesting chip, however, is the 24LC16B, a 16K I2C serial EEPROM. The contents don't seem immediately interesting, apart from the ID that starts at offset 6, NA1100319G in this case. This is the pager's unique ID and would have been registered against the allocated phone number. Presumably changing this value would have allowed you to clone a pager, i.e. have multiple pagers receive the same message.

000: e7 17 02 03 db db 4e 41  31 31 30 30 33 31 39 47  |......NA1100319G|
010: 20 20 20 20 20 20 2e c0  c0 08 08 00 00 00 00 00  |      ..........|
020: 1a 1c 55 00 00 00 00 00  00 00 00 00 12 24 36 49  |..U..........$6I|
030: 5b 6d 7f 91 a3 b5 c8 da  ec fe ff b1 5a 0f 0c e3  |[m..........Z...|
040: 10 00 00 83 00 20 00 00  00 00 00 00 00 00 ff ff  |..... ..........|
050: c1 ff c1 c1 c1 c1 e1 c1  1c 32 01 00 01 01 ff 01  |.........2......|
060: ff ff 01 01 01 01 00 00  00 00 e0 80 7e fc c2 42  |............~..B|
070: 02 62 06 02 c0 80 20 60  a0 a0 20 e0 c0 00 20 e0  |.b.... `.. ... .|
080: 60 20 00 00 e0 f0 00 80  f0 00 00 00 fc 80 c6 7e  |` .............~|
090: c2 c2 3e 62 00 3e c0 00  30 e0 60 f0 80 00 60 c0  |..>b.>..0.`...`.|
0a0: e0 20 00 e0 00 00 e0 c0  10 20 00 60 e0 00 c6 fc  |. ....... .`....|
0b0: e0 e0 00 60 00 00 00 00  00 00 00 00 00 00 00 00  |...`............|
0c0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
0d0: 00 00 3f 3f 20 3f 20 20  20 20 20 20 0e 11 00 00  |..?? ?      ....|
0e0: 00 00 3f 00 3f 3f 00 00  00 00 00 00 0e 08 0f 0f  |..?.??..........|
0f0: 08 0b 09 08 0c 08 00 00  09 0f 06 08 0f 0f 00 0d  |................|
100: 0c 0c 0b 09 00 0f 10 20  0f 18 01 03 00 01 08 00  |....... ........|
110: 0b 0f 00 00 0f 07 0c 0c  00 00 0f 0f 09 08 00 04  |................|
120: 0f 0f 08 08 0f 0e 00 0c  07 00 08 0f 0c 08 08 00  |................|
130: 07 0f 08 01 0f 0f 00 04  00 00 00 00 00 00 00 00  |................|
140: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
150: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
160: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
170: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
180: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
190: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
1a0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
1b0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
1c0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
1d0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
1e0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
1f0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
200: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
210: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
220: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
230: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
240: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
250: 00 00 00 00 00 00 00 00  0c 14 0e 0f 00 00 1f c4  |................|
260: 2f c4 3b c4 2f c4 3b c4  43 c4 3b c8 2f c4 3b c4  |/.;./.;.C.;./.;.|
270: 43 d0 3b c8 2f c4 3b c4  3b c4 2f c4 33 c4 2f c4  |C.;./.;.;./.3./.|
280: 27 c8 1f c4 27 c4 2f c8  27 c8 1f c8 00 00 00 00  |'...'./.'.......|
290: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 5b c3  |..............[.|
2a0: 53 c3 5b c3 47 c3 37 c3  47 c3 2b c6 5b c3 53 c3  |S.[.G.7.G.+.[.S.|
2b0: 5b c3 47 c3 37 c3 47 c3  2b c6 5b c3 63 c3 67 c3  |[.G.7.G.+.[.c.g.|
2c0: 63 c3 67 c3 5b c3 63 c3  5b c3 63 c3 53 c3 5b c3  |c.g.[.c.[.c.S.[.|
2d0: 53 c3 5b c3 4b c3 5b c6  00 00 00 00 00 00 3b 88  |S.[.K.[.......;.|
2e0: 33 88 27 84 2f 84 33 88  27 84 2f 84 33 88 2f 84  |3.'./.3.'./.3./.|
2f0: 27 84 1f 88 3b 84 3b 84  33 84 33 84 27 84 2f 84  |'...;.;.3.3.'./.|
300: 33 88 27 84 2f 84 33 88  2f 84 27 84 1f 88 00 00  |3.'./.3./.'.....|
310: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 47 c4  |..............G.|
320: 43 c4 47 c4 43 c4 47 c4  33 c4 3f c4 37 c4 2b cc  |C.G.C.G.3.?.7.+.|
330: 07 c4 17 c4 2b c4 33 cc  17 c4 27 c4 33 c4 37 cc  |....+.3...'.3.7.|
340: 17 c4 47 c4 43 c4 47 c4  43 c4 47 c4 33 c4 3f c4  |..G.C.G.C.G.3.?.|
350: 37 c4 2b cc 07 c4 17 c4  2b c4 33 cc 00 00 37 c2  |7.+.....+.3...7.|
360: 3f c2 37 c2 3f c4 37 c2  3f c2 37 c2 3f c4 37 c2  |?.7.?.7.?.7.?.7.|
370: 3f c2 37 c2 3f c4 37 c2  3f c2 37 c2 3f c4 37 c2  |?.7.?.7.?.7.?.7.|
380: 3f c2 37 c2 3f c8 00 00  00 00 00 00 00 00 00 00  |?.7.?...........|
390: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 63 84  |..............c.|
3a0: 54 75 57 65 54 68 46 72  53 61 53 75 2a 55 55 55  |TuWeThFrSaSu*UUU|
3b0: 13 88 00 00 01 2c 01 2c  01 2c 00 00 00 00 00 00  |.....,.,.,......|
3c0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
3d0: 00 00 00 c8 81 12 34 56  78 9a bc de 12 00 99 88  |......4Vx.......|
3e0: 0a 00 05 3f 3f 3f 3f 3f  3f 3f 3f 3f 3f 3f 3f 3f  |...?????????????|
3f0: 3f 3f 3f 3f 81 24 40 5b  5c 5d 5e 5f 60 7b 7c 7d  |????.$@[\]^_`{|}|
400: 7e 7f 20 00 00 00 00 00  04 02 4d 89 00 00 00 16  |~. .......M.....|
410: 24 01 00 88 00 00 00 00  00 24 02 00 88 03 00 00  |$........$......|
420: 00 00 24 03 00 88 04 00  00 00 00 24 04 00 00 00  |..$........$....|
430: 00 00 00 00 24 05 00 00  00 00 00 00 00 24 06 00  |....$........$..|
440: 00 00 00 00 00 00 24 07  00 00 00 00 00 00 00 24  |......$........$|
450: 08 00 00 00 00 00 00 00  24 09 00 00 00 00 00 00  |........$.......|
460: 00 24 0a 00 00 00 00 00  00 00 24 0b 00 00 00 00  |.$........$.....|
470: 00 00 00 24 0c 00 00 00  00 00 00 00 24 0d 00 00  |...$........$...|
480: 00 00 00 00 00 24 0e 00  00 00 00 00 00 00 24 0f  |.....$........$.|
490: 00 00 00 00 00 00 00 24  10 80 14 9a 28 fa 20 8d  |.......$....(. .|
4a0: 00 00 0e 10 11 00 00 00  00 00 00 00 01 24 8f 18  |.............$..|
4b0: 15 62 00 00 56 ff ff 00  e5 32 03 59 1c 80 05 00  |.b..V....2.Y....|
4c0: 0b 54 01 14 ce 00 9f d8  04 4c 5b 36 27 13 00 50  |.T.......L[6'..P|
4d0: 65 72 73 6f 6e 61 6c 20  20 20 20 20 20 20 20 20  |ersonal         |
4e0: 4e 65 77 73 20 20 20 20  20 20 20 20 20 20 20 20  |News            |
4f0: 20 46 6f 6f 74 62 61 6c  6c 20 20 20 20 20 20 20  | Football       |
500: 20 20 4d 75 73 69 63 20  20 20 20 20 20 20 20 20  |  Music         |
510: 20 20 20 43 41 50 43 4f  44 45 2d 35 20 20 20 20  |   CAPCODE-5    |
520: 20 20 20 20 43 41 50 43  4f 44 45 2d 36 20 20 20  |    CAPCODE-6   |
530: 20 20 20 20 20 43 41 50  43 4f 44 45 2d 37 20 20  |     CAPCODE-7  |
540: 20 20 20 20 20 20 43 41  50 43 4f 44 45 2d 38 20  |      CAPCODE-8 |
550: 20 20 20 20 20 20 20 43  41 50 43 4f 44 45 2d 39  |       CAPCODE-9|
560: 20 20 20 20 20 20 20 20  43 41 50 43 4f 44 45 2d  |        CAPCODE-|
570: 31 30 20 20 20 20 20 20  20 43 41 50 43 4f 44 45  |10       CAPCODE|
580: 2d 31 31 20 20 20 20 20  20 20 43 41 50 43 4f 44  |-11       CAPCOD|
590: 45 2d 31 32 20 20 20 20  20 20 20 43 41 50 43 4f  |E-12       CAPCO|
5a0: 44 45 2d 31 33 20 20 20  20 20 20 20 43 41 50 43  |DE-13       CAPC|
5b0: 4f 44 45 2d 31 34 20 20  20 20 20 20 20 43 41 50  |ODE-14       CAP|
5c0: 43 4f 44 45 2d 31 35 20  20 20 20 20 20 20 43 41  |CODE-15       CA|
5d0: 50 43 4f 44 45 2d 31 36  20 20 20 20 20 20 20 53  |PCODE-16       S|
5e0: 79 73 74 65 6d 20 63 61  70 20 20 20 20 20 20 20  |ystem cap       |
5f0: 43 61 6e 6e 65 64 2d 31  20 20 20 20 20 20 20 20  |Canned-1        |
600: 20 20 20 20 20 20 43 61  6e 6e 65 64 2d 32 20 20  |      Canned-2  |
610: 20 20 20 20 20 20 20 20  20 20 20 20 43 61 6e 6e  |            Cann|
620: 65 64 2d 33 20 20 20 20  20 20 20 20 20 20 20 20  |ed-3            |
630: 20 20 43 61 6e 6e 65 64  2d 34 20 20 20 20 20 20  |  Canned-4      |
640: 20 20 20 20 20 20 20 20  43 61 6e 6e 65 64 2d 35  |        Canned-5|
650: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 43 61  |              Ca|
660: 6e 6e 65 64 2d 36 20 20  20 20 20 20 20 20 20 20  |nned-6          |
670: 20 20 20 20 43 61 6e 6e  65 64 2d 37 20 20 20 20  |    Canned-7    |
680: 20 20 20 20 20 20 20 20  20 20 43 61 6e 6e 65 64  |          Canned|
690: 2d 38 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |-8              |
6a0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
6b0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
6c0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
6d0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
6e0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
6f0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
700: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
710: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
720: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
730: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
740: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
750: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
760: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
770: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
780: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
790: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
7a0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
7b0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
7c0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
7d0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
7e0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
7f0: 20 20 20 20 20 20 20 20  20 20 20 20 20 20 00 00  |              ..|
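As an added example (not the author's code), a small Python parser for dumps in the format above: it rebuilds the raw bytes, cross-checks each line's ASCII column against its hex (a quick way to catch transcription or read errors before trusting a dump), and extracts the ID at offset 6. The two sample lines are copied from the dump; the uppercase alphanumeric alphabet assumed for the ID is my assumption.

```python
# Offsets 0x000 and 0x010 of the 24LC16B dump above (copied from the post).
SAMPLE_DUMP = """\
000: e7 17 02 03 db db 4e 41  31 31 30 30 33 31 39 47  |......NA1100319G|
010: 20 20 20 20 20 20 2e c0  c0 08 08 00 00 00 00 00  |      ..........|
"""

ID_OFFSET = 6                                        # per the post
ID_CHARS = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # assumed ID alphabet


def parse_hexdump(text):
    """Rebuild the raw image from hexdump text of the form
    'OFF: xx xx ... |ascii|'. Raises ValueError if offsets are not
    contiguous or a line's ASCII column disagrees with its hex bytes."""
    image = bytearray()
    for line in text.splitlines():
        left, bar, rest = line.partition("|")
        if not bar:
            continue                                 # not a dump line
        offset_str, _, hex_part = left.partition(":")
        offset = int(offset_str, 16)
        data = bytes.fromhex(hex_part)               # whitespace is ignored
        if offset != len(image):
            raise ValueError(f"non-contiguous offset {offset:#05x}")
        # The dump prints 0x20..0x7e as-is and everything else as '.'.
        rendered = "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in data)
        if rendered != rest.rstrip()[:-1]:           # drop the closing '|'
            raise ValueError(f"ASCII column mismatch at {offset:#05x}")
        image += data
    return bytes(image)


def dump_is_consistent(text):
    """True if the dump parses and every ASCII column matches its bytes."""
    try:
        parse_hexdump(text)
        return True
    except ValueError:
        return False


def pager_id(image):
    """Return the ASCII ID at ID_OFFSET, ending at the first non-ID byte."""
    end = ID_OFFSET
    while end < len(image) and image[end] in ID_CHARS:
        end += 1
    return image[ID_OFFSET:end].decode("ascii")


if __name__ == "__main__":
    img = parse_hexdump(SAMPLE_DUMP)
    print(f"{len(img)} bytes parsed, pager ID = {pager_id(img)}")
```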

The front side holds the more interesting parts:


The main chip in the center is branded "Alcatel 2840 9826 Ericsson HELLA V01 FLXA-NAB I815507 AK". Unfortunately I've not been able to find any information on this chip; it was probably a custom part made for Ericsson.

The TSOP32 chip at the top is an M27W201 2 Mbit EPROM, which handily is supported by the Minipro TL866CS. After desoldering it and dropping it in the reader, the sad reality began to set in: the instruction set seemed very alien, and the likelihood of being able to disassemble it was beginning to shrink.

From looking at the entropy it is clear where the instructions probably sit (around the 0.6 mark), but it is an instruction set architecture (ISA) I'm not familiar with.
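An added example (not from the post) of the entropy scan described above: windowed, normalised Shannon entropy over a constructed stand-in image, with windows at or above a 0.6 threshold merged into candidate code regions. The sample image (erased padding, random bytes standing in for code, a repetitive label table) is constructed, and the window size is an assumption.

```python
import math
import random

WINDOW = 256          # bytes per window (assumption)
CODE_THRESHOLD = 0.6  # the post places the instruction region around 0.6


def normalised_entropy(block):
    """Shannon entropy of a byte block scaled to 0..1 (1.0 = 8 bits/byte)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c) / 8.0


def entropy_profile(image, window=WINDOW):
    """Return [(offset, entropy)] for consecutive non-overlapping windows."""
    return [(off, normalised_entropy(image[off:off + window]))
            for off in range(0, len(image), window)]


def regions_above(profile, threshold=CODE_THRESHOLD, window=WINDOW):
    """Merge adjacent windows at or above the threshold into (start, end)."""
    regions = []
    for off, h in profile:
        if h < threshold:
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + window)
        else:
            regions.append((off, off + window))
    return regions


def sample_image():
    """Constructed stand-in for an EPROM image: erased 0xff padding, random
    bytes as the high-entropy stand-in for code (real machine code usually
    scores well below random data, hence a 0.6 rather than 0.9 threshold),
    then a repetitive table of 17-byte space-padded labels."""
    rng = random.Random(1)
    padding = b"\xff" * 4096
    code = bytes(rng.getrandbits(8) for _ in range(4096))
    table = b"CAPCODE-5".ljust(17) * 240
    return padding + code + table


if __name__ == "__main__":
    for start, end in regions_above(entropy_profile(sample_image())):
        print(f"candidate code region {start:#07x}-{end:#07x}")
```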


The only interesting string in the whole dump is "HELLA AN1 S/W 01 V0108 DATED 98/08/14.1756.Copyright (c) 1997-8 Ericsson Radio Systems B.V.". This, unsurprisingly, has no useful Google hits.

Assuming the ISA were known, the plan would be to find the code that must cross-check the incoming pager ID against the device's own ID and NOP it out. This would, in theory, allow the device to show all pages, not just the ones intended for it.

The radio side hasn't been investigated thoroughly yet; that might be covered in a later post.

11 comments:

  1. Hi, did you find any more info on these pagers? postmaster@datasilo.co.uk

    Thanks

    Replies
    1. Unfortunately not; the lack of documentation for the processor makes things tricky. Did you have anything in particular you wanted to find out?

  2. Do you still have a copy of the EPROM dump? I'd like to take a look at it as I have just acquired a bunch of PTF-128s, which seem to be identical to the PTF-118 on the inside.

    Replies
    1. I've uploaded the dump to expirebox: http://expirebox.com/download/50d2ab88c1a843ad85620863731ee3ef.html - the link will expire in a couple of days. Please post an update if you do a diff.

    2. So this is rather late as I shelved the project for a while, but I'm taking another look and finally got around to taking a ROM dump: http://expirebox.com/download/aff2304bbfd18a2c627a7080e1d4a1d8.html

      I noticed something a bit odd in your image when diffing against mine - the first ~0x27D0 bytes all have the 5th bit set, as if they've been OR'd with 0x20.

      Cheers,
      Mike
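Mike's observation above (a whole prefix of one dump reading as if OR'd with 0x20) is exactly the kind of defect worth checking for before trusting a ROM image. As an added example, not code from the thread, the following compares a suspect dump against a reference and reports runs where the two differ only by a single bit forced high; the two images are constructed, not the real dumps.

```python
def stuck_bit_runs(suspect, reference, min_run=64):
    """For every single-bit mask, find runs of offsets where
    suspect[i] == reference[i] | mask, i.e. the suspect image looks like the
    reference with that bit forced high. Runs shorter than min_run, or in
    which no byte actually differs, are dropped as coincidence.
    Returns [(mask, start, end, changed)] with end exclusive."""
    n = min(len(suspect), len(reference))
    runs = []
    for bit in range(8):
        mask = 1 << bit
        start, changed = None, 0
        for i in range(n + 1):                  # i == n acts as a sentinel
            ok = i < n and suspect[i] == (reference[i] | mask)
            if ok:
                if start is None:
                    start, changed = i, 0
                if suspect[i] != reference[i]:
                    changed += 1
            elif start is not None:
                if i - start >= min_run and changed:
                    runs.append((mask, start, i, changed))
                start = None
    return runs


def sample_images():
    """Constructed pair: a clean reference and a copy whose first 512 bytes
    have been OR'd with 0x20, mimicking one data bit stuck high on readout."""
    reference = bytes(range(256)) * 3
    suspect = bytes(b | 0x20 for b in reference[:512]) + reference[512:]
    return suspect, reference


if __name__ == "__main__":
    for mask, start, end, changed in stuck_bit_runs(*sample_images()):
        print(f"bit mask {mask:#04x} stuck high over {start:#06x}-{end:#06x} "
              f"({changed} bytes altered)")
```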
  3. Hi, I was wondering if the pager(s) came with a manual? If so... would you be so kind as to scan it or take some pictures please?

    Thanks,
    Simon

    Replies
    1. Here you go - you can download it from this link for the next couple of days: http://expirebox.com/download/0a6d0f53e19fbcd68cc49ff17ea7f735.html

    2. No worries, let us know if you do anything interesting with the pager.

    3. Hi again - sorry to be a pain, but I think pages 6 and 7 are missing from the scan; ironically the only two pages I needed for the on/off information!

      My aim is similar to yours, in that I'm trying to reverse engineer the radio portion of the device, but so that I can find a way to send FLEX messages to it. I'll be posting updates on my site (http://www.lazyengineer.com/) if you fancy checking it out - I'll be sure to link to this page when I post my findings!

    4. Oops - here you go. http://expirebox.com/download/f4c388a0c8a49086806d1e5f6a7453c2.html