Apollo AL-A26 (Pager)

From RECESSIM, A Reverse Engineering Community

The Apollo Pilot AL-A26 is an alphanumeric paging receiver that supports POCSAG messaging. It can easily be reprogrammed for use on amateur radio frequencies with or without software.

Hack the world, hack the planet!


Overview

The Apollo Pilot A26 (model number AL-A26) is an alphanumeric POCSAG-enabled paging receiver manufactured by Apollo Digital Paging Company Inc. It can be found inexpensively on second-hand auction sites such as eBay.

It is worth noting, however, that there is also a similar model (AF-A26) which is identical but supports the FLEX paging protocol instead.

This wiki will focus on the POCSAG model, as its utility pertains to amateur radio and DAPNET use.

The A26 model line is hand-programmable, not requiring any software to set up basic features (including CAPCODE/RIC, frequency, and baudrate), which makes it particularly appealing for amateur use. Do note, however, that a 4 digit code can be set to lock the end user out of hand programming, which may be an issue if buying second hand. More information regarding bypassing or reading out this code is detailed below.

Specifications [1][2]

Physical

  • Weight: 56.6g (without battery)
  • Size (approximate, LxWxH):
    • 82 x 57 x 38 mm (with holster and clip depth included)
    • 79 x 51 x 28 mm (bare pager itself, width measured to edge of battery compartment hump)
    • 80 x 53 x 20 mm (bare pager according to manufacturer specifications)

Technical

  • Power Supply: 1x AA Battery
  • Operational Frequencies:
    • VHF: 138-174 MHz
    • UHF: 408-473 MHz
    • 900: 929-932 MHz
  • Receiver Sensitivity:
    • 512bps - 5µV/M
    • 1200bps - 7µV/M
    • 2400bps - 9µV/M
  • Supported Baudrates:
    • 512/1200/2400 (POCSAG)
    • 1600/3200/6400 (FLEX)
  • Supported Bandwidth: 12.5 or 25 kHz
  • Alert Loudness: 85dB @ 10cm

Paging Features

  • CAPCODE/RIC addresses: 8 for POCSAG, 16 for FLEX
  • Total Message Character Capacity:
    • 262,144 (POCSAG)
    • 32,000 (FLEX)
  • Mail Drop Character Capacity:
    • 239,616 (POCSAG)
    • 27,000 (FLEX)
  • Alerting:
    • 4 Beep alerts w/ LED flash
    • 10 Melodic alerts w/ LED flash
    • Vibration w/ LED flash
    • LED flash only
  • Unread message reminder alert
  • Notification of duplicate message, message received with errors, and full message box
  • Up to 10 saved (locked) messages
  • 4 line, 84 character backlit LCD display with optional 2 line zoom with larger characters


Photos


Physical Hardware

  • CPU: GAPOLLO ALA26-1 (Proprietary/Custom?)
  • RAM: Utron UT62L2568 (256x8bit) Low Power CMOS SRAM[3]
  • ROM: Catalyst 24WC16J (16kB, 2048x8bit) I2C EEPROM[4]
    • Note: I have a second unit now and this one has a chip marked L16 5M52W. Reads out the same way apparently...
  • FSK Decoder IC: NPC SM8212B POCSAG decoder for multiframe pagers[5]


Disassembly

  1. Remove battery cover.
  2. Unscrew 2x Phillips screws, located in the left side recess and near the top of the positive battery contact.
  3. Using a spudger, insert the tip into the edge of the back case where the positive battery contact is located.
  4. Pry upward with a bit of a clockwise twisting motion. The right half of the pager should begin to unsnap.
  5. Work your way around the right side, making sure it is completely free.
  6. Move over to the left hand side and insert your spudger at the edge of the case seam near the negative battery terminal. Repeat the same prying action.
  7. Work around the left hand side to ensure it is completely free.
  8. Now that the pager case is unsnapped, hinge the back half upward along the top and pull the back half off of the rest of the pager.


Do note that the first time you disassemble your pager, you will have to use a concerning amount of force to separate the halves.

This is due to sticky foam pads holding the receiver board to the back case. You may remove these when you fully open the unit and it will function fine; however, you are probably opening yourself up to the RX board becoming unplugged should you drop the pager at all. Use your own discretion here.


Warning! The vibration motor is attached to the back and hard-wired to the main board. Take care when removing the back half. You can lay it down flat against the side of the front half where the wires go to the board.



Reassembly

  • First things first, wipe down the LCD and the inside of the clear window with a soft cloth to remove any fingerprints or debris before reassembly. The last thing you want to see is a speck of something on the inside of your screen after you just reassembled the whole thing!


  1. Insert the top edge of the rear half of the pager into the front.
  2. Hinge the rear half downwards in the same way as disassembly.
  3. Make sure the halves are aligned and press down on each side until they snap back together. The side near the negative battery terminal and power button may take some more force to snap shut than the positive side. It helps to push inward towards the positive terminal.
  4. Screw in the 2x Phillips screws from the recess and near the positive battery terminal.
  5. Replace battery cover.



Software & Programming

The initial start-up password for the software is AC5678 [6]. Not necessarily related to programming per se, but holding down the triangular power/function button on startup will initiate a lamp/motor/RAM test mode. You can step through the various tests with the buttons, but the battery will need to be pulled to reset it.

Hand Programming

Password Menu

Hold down the center oval-shaped button and insert the battery. Keep holding it until this screen appears. This should take approximately 6 seconds.

Hoping for the best, press the triangular power/function button. If the password is set to the default (0000) then you should see the frequency screen appear. If not, then your password is incorrect. Head on down to section 9, Bypassing the hand programming password.

Frequency Menu

Use the up/down/left/right buttons to enter your desired RX frequency here. Do keep in mind the common caveat of these being set to 25kHz channel spacing, so select your frequency accordingly. If an invalid frequency is entered (for example, the default DAPNET frequency of 439.9875) while the pager is in 25kHz spacing mode, it will not accept the frequency change and will beep once and reboot to the normal pager interface.

RIC/CAPCODE Menus

The next menu items after frequency are the RIC/CAPCODE settings. These can be enabled and disabled while retaining their values and function bits. More on the function bits below.

Function Bits

Still a WIP to make these fully understandable. More to come.

The 4 positions of AAAA correspond to different function bit features:

  • A = Alpha Numeric
  • I = IDEO
  • N = Standard Numeric
  • P = PRC Numeric
  • - = Off
  • T = Tone Only

Baud

Options are 512, 1200, and 2400 for the POCSAG version. Make sure it is set to 1200 for DAPNET use.

Contrast

Set the overall LCD contrast here. Seems to default to 4 and that should be good for most cases.

Modify Password

Here you can enter a new passcode for the pager which will take effect on next reboot. Be sure to remember this value if you change it from 0000 as it will be needed to access the programming interface again!

Pass!

Assuming everything you entered is valid and to the pager's liking, you should finish with this screen after hitting the triangular power/function button. The pager will now reboot to the main interface and your settings will be active.



Physical Interfaces

Programming Interface - Pager

Peel back the left-hand sticker to reveal three holes that expose three gold pads on the RF receiver PCB. These pads connect directly to the EEPROM SCL and SDA lines as well as common ground, in that order from left to right.

Pinout of the back programming interface

Programming Interface - Programmer

Unknown at the moment. I do not have access to a unit to peer inside it, though based upon the discovery that the EEPROM is directly connected to the programming pads this leads me to believe the programmer is essentially a USB to I2C adapter of some description. It uses the Prolific PL2303[7] in some form since the software installer automatically installs that driver and leaves its executable behind in the program folder.


Bypassing the hand programming password

The 4 digit password is by default set to 0000, so during normal hand programming you are able to just press the power button and the pager will let you continue with programming. If the pager has a different passcode set though, there are a few options.

Message the seller

If you bought from an online second-hand seller such as eBay, you may want to try contacting the seller to see if they know the passcode. If you bought from the same seller that I did though, their listing may say they do not know it and/or not to ask.

Connect to the software

According to the manual for the programming software made by the manufacturer, the passcode is only used to lock out hand programming of the pager. This in theory means that if one has access to a pager, interface, and the software, it may be freely reprogrammed without needing anything other than the software password.

Direct EEPROM readout?

The main EEPROM, a CAT24WC16, which is located on the top right of the board, contains configuration information. It may or may not contain the passcode; this is still unknown at this time. This chip is a standard I2C EEPROM which can easily be read and written with several different tools.


Reverse Engineering

Hardware

EEPROM Dumping

The 24WC16J EEPROM is a standard I2C memory device. As such, its contents can easily be read out using any I2C-capable debug device or microcontroller, such as the Bus Pirate or Arduino respectively. A CH341A programmer has also been used successfully to dump the contents.

Software

At the moment, I have only installed and messed with the "ALA-26B 8-Capcode" version[8] of the software provided on the resources page of the manufacturer.

Upon running and completing the installation of the software, files by default are written to C:\Program Files (x86)\Gold Apollo.

When running the software and entering the default password, you are normally greeted with an error message saying "The Programmed Board not responding!" if there is no programmer attached. The software will continue to load once the error is acknowledged, and allow you to begin configuring pager settings and save/load .tbl configuration files.

Within the ALA26B(USB) directory there are the following files:

  • ALA26B(USB).exe: The main program
  • csins.dat: The same exact installer of the program (setup.exe) but renamed with a .dat file extension (For uninstallation purposes?). File hashes match.
  • default.tbl: The default pager configuration settings which are loaded at startup
    • You can find the hand programming passcode in this file. The passcode is not encrypted or obscured in any way. The passcode is 4 bytes long and begins at hex address 0x37C. The bytes are written directly to memory, so for example if the passcode set is 1234, the bytes read in order will be 0x01, 0x02, 0x03, 0x04.
  • inpout32.dll: Standard Windows driver for hardware access to serial ports
  • pager.dat: Unknown purpose. Apparently contains the software password AC5678 somewhere within. When removed or renamed and attempting to enter the password to unlock the software, it reports "No password table!Program will be end!". Same file hash as the pager.dat included with setup.exe.
  • PL2303_Prolific_DriverInstaller_10311.exe: Self-explanatory. Appears to be a normal installer. Unknown if modified in any way, most likely not.
  • Uninstall.exe: Also self-explanatory. Seems to be a standard Windows uninstaller.
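
The passcode layout described for default.tbl, as an added example that is not part of the original wiki or the manufacturer's software: it reads the 4 raw digit bytes at 0x37C and then searches an EEPROM dump for the same digits. Only the offset and the raw-digit layout come from the page; the other encodings searched (ASCII, packed BCD, reversed) are hypothetical guesses, and the sample data is constructed.

```python
# Added example: recover the hand-programming passcode from a .tbl image and
# look for it in an EEPROM dump. Offset and byte layout are from the page;
# the alternative encodings searched in the dump are guesses.
PASSCODE_OFFSET = 0x37C   # per the page: 4 bytes starting here
PASSCODE_LEN = 4

def read_tbl_passcode(tbl: bytes) -> str:
    """Return the 4-digit passcode stored as one raw byte per digit."""
    field = tbl[PASSCODE_OFFSET:PASSCODE_OFFSET + PASSCODE_LEN]
    if len(field) != PASSCODE_LEN:
        raise ValueError("image too short to contain the passcode field")
    if any(b > 9 for b in field):
        raise ValueError(f"non-digit bytes at 0x37C: {field.hex(' ')}")
    return "".join(str(b) for b in field)

def candidate_encodings(passcode: str) -> dict:
    """Byte patterns a firmware might plausibly use for the same digits."""
    digits = [int(c) for c in passcode]
    return {
        "raw digits": bytes(digits),                      # layout used in .tbl
        "ASCII": passcode.encode("ascii"),                # hypothetical
        "packed BCD": bytes([digits[0] << 4 | digits[1],  # hypothetical
                             digits[2] << 4 | digits[3]]),
        "raw digits reversed": bytes(reversed(digits)),   # hypothetical
    }

def find_in_dump(dump: bytes, passcode: str) -> dict:
    """Map each encoding name to every offset where it occurs in the dump."""
    hits = {}
    for name, pattern in candidate_encodings(passcode).items():
        offsets, pos = [], dump.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = dump.find(pattern, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits

if __name__ == "__main__":
    # Constructed sample data, not a real default.tbl or EEPROM dump.
    tbl = bytearray(0x400)
    tbl[PASSCODE_OFFSET:PASSCODE_OFFSET + 4] = bytes([1, 2, 3, 4])
    dump = bytearray(b"\xff" * 2048)      # 2048 x 8 bit, as for the 24WC16
    dump[0x120:0x122] = b"\x12\x34"       # pretend the pager stores packed BCD
    code = read_tbl_passcode(bytes(tbl))
    print(code, find_in_dump(bytes(dump), code))
```

A passcode of 0000 in raw-digit form matches any run of four zero bytes, so a distinctive value set through the Modify Password menu before dumping gives a far less ambiguous search.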


Software Startup

Upon startup and entry of the software password, the program looks for a PL2303 Prolific based serial device attached to the computer. If found, the COM port is set in a registry key located in HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM, though it seems to want it on COM1?

The software then outputs the following on the serial port (9600 8N1) before giving the "The Programmed Board not responding!" error:

GoldApollo5R Š

Which is the following in raw serial bytes

47 6f 6c 64 41 70 6f 6c 6c 6f 35 52 03 00 00 00 00 8a

I have tried replaying the same byte sequence in response, as well as sending just "Apollo" with no luck. My assumption is there must be some reply word sent by the programmer itself, similar to the DeLorme TripMate GPS which needs the word "ASTRAL" sent on its RX pin to enable the GPS.
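
A way to analyse the captured frame above, as an added example that is not part of the original wiki or the manufacturer's software: it splits the 18 bytes into the ASCII tag, the binary middle and the final byte, then tests common one-byte checksum schemes. On this single capture the trailing 0x8a equals the inverted XOR of the preceding 17 bytes; treating it as a checksum is an assumption, and one sample can match by coincidence.

```python
# Added example: test common one-byte checksum schemes against the handshake
# frame quoted on the page. Treating the last byte as a checksum is an
# assumption; the programmer's real protocol is not documented on the page.
from functools import reduce

# Bytes exactly as captured on the page (9600 8N1).
FRAME = bytes.fromhex("47 6f 6c 64 41 70 6f 6c 6c 6f 35 52 03 00 00 00 00 8a")

def split_frame(frame: bytes):
    """Split into leading printable ASCII, binary middle, and final byte."""
    n = 0
    while n < len(frame) - 1 and 0x20 <= frame[n] < 0x7F:
        n += 1
    return frame[:n].decode("ascii"), frame[n:-1], frame[-1]

# Candidate schemes, each computed over every byte except the last.
CHECKSUMS = {
    "sum mod 256": lambda d: sum(d) & 0xFF,
    "two's complement of sum": lambda d: -sum(d) & 0xFF,
    "one's complement of sum": lambda d: ~sum(d) & 0xFF,
    "XOR": lambda d: reduce(lambda a, b: a ^ b, d, 0),
    "inverted XOR": lambda d: reduce(lambda a, b: a ^ b, d, 0) ^ 0xFF,
}

def matching_checksums(frame: bytes) -> list:
    """Names of schemes whose value over frame[:-1] equals the last byte."""
    body, last = frame[:-1], frame[-1]
    return [name for name, fn in CHECKSUMS.items() if fn(body) == last]

def build_frame(body: bytes, scheme: str) -> bytes:
    """Append the chosen checksum to a body, for bench experiments."""
    return body + bytes([CHECKSUMS[scheme](body)])

if __name__ == "__main__":
    tag, middle, last = split_frame(FRAME)
    print(tag, middle.hex(" "), hex(last), matching_checksums(FRAME))
```

If the scheme holds, a reply from the programmer would presumably need a correctly computed final byte as well, which a plain replay of a different string would not have.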


default.tbl

This file seems to be very similar to the contents of the pager EEPROM when dumped from a working unit. A large portion is ASCII text for the menus which can be customized using the software.



Caveats

  • Channel spacing seems to commonly be set to 25 kHz, so the common DAPNET frequency of 439.9875 MHz[9] cannot be set without an error message. The pager can be set to use 12.5 kHz channel spacing, but this requires the programming software. The easiest solution without software access is to choose a different frequency while minding the amateur satellite band (435 - 438 MHz).[10]
  • Currently, we do not know how to reset the hand programming password without a programmer. The passcode is clearly visible in the .tbl files, but not in any EEPROM dumps done thus far.