Apollo AL-A26 (Pager)

From RECESSIM, A Reverse Engineering Community
Revision as of 00:45, 30 April 2022 by Trevor229 (talk | contribs) (Add discovery of software startup word)

The Apollo Pilot AL-A26 is an alphanumeric paging receiver that supports POCSAG messaging. It can easily be reprogrammed for use on amateur radio frequencies with or without software.



Overview

The Apollo Pilot A26 (Model number AL-A26) is an alphanumeric POCSAG-enabled paging receiver manufactured by Apollo Digital Paging Company Inc. It can be found inexpensively on second-hand auction sites such as eBay.

Note, however, that there is also a similar model (AF-A26), which is identical except that it supports the FLEX paging protocol instead.

This wiki will focus on the POCSAG model, as its utility pertains to amateur radio and DAPNET use.

The A26 model line is hand-programmable and does not require any software to set up basic features (including CAPCODE/RIC, frequency, and baudrate), which makes it particularly appealing for amateur use. Do note, however, that a 4 digit code can be set to lock the end user out of hand-programming, which may be an issue if buying second hand. More information regarding bypassing or reading out this code is detailed below.

Specifications [1][2]

Physical

  • Weight: 56.6g (without battery)
  • Size (approximate, LxWxH):
    • 82 x 57 x 38 mm (with holster and clip depth included)
    • 79 x 51 x 28 mm (bare pager itself, width measured to edge of battery compartment hump)
    • 80 x 53 x 20 mm (bare pager according to manufacturer specifications)

Technical

  • Power Supply: 1x AA Battery
  • Operational Frequencies:
    • VHF: 138-174 MHz
    • UHF: 408-473 MHz
    • 900: 929-932 MHz
  • Receiver Sensitivity:
    • 512bps - 5µV/M
    • 1200bps - 7µV/M
    • 2400bps - 9µV/M
  • Supported Baudrates:
    • 512/1200/2400 (POCSAG)
    • 1600/3200/6400 (FLEX)
  • Supported Bandwidth: 12.5 or 25 kHz
  • Alert Loudness: 85dB @ 10cm

Paging Features

  • CAPCODE/RIC addresses: 8 for POCSAG, 16 for FLEX
  • Total Message Character Capacity:
    • 262,144 (POCSAG)
    • 32,000 (FLEX)
  • Mail Drop Character Capacity:
    • 239,616 (POCSAG)
    • 27,000 (FLEX)
  • Alerting:
    • 4 Beep alerts w/ LED flash
    • 10 Melodic alerts w/ LED flash
    • Vibration w/ LED flash
    • LED flash only
  • Unread message reminder alert
  • Notification of duplicate message, message received with errors, and full message box
  • Up to 10 saved (locked) messages
  • 4 line, 84 character backlit LCD display with optional 2 line zoom with larger characters


Photos


Physical Hardware

  • CPU: GAPOLLO AL-A26-1 (Proprietary/Custom?)
  • RAM: Utron UT62L2568 (256x8bit) Low Power CMOS SRAM[3]
  • ROM: Catalyst 24WC16J (16kB, 2048x8bit) I2C EEPROM[4]
  • FSK Decoder IC: NPC SM8212B POCSAG decoder for multiframe pagers[5]


Disassembly

  1. Remove battery cover.
  2. Unscrew 2x Phillips screws, located in the left side recess and near the top of the positive battery contact.
  3. Using a spudger, insert the tip into the edge of the back case where the positive battery contact is located.
  4. Pry upward with a bit of a clockwise twisting motion. The right half of the pager should begin to unsnap.
  5. Work your way around the right side, making sure it is completely free.
  6. Move over to the left hand side and insert your spudger at the edge of the case seam near the negative battery terminal. Repeat the same prying action.
  7. Work around the left hand side to ensure it is completely free.
  8. Now that the pager case is unsnapped, hinge the back half upward along the top and pull the back half off of the rest of the pager.


Warning! The vibration motor is attached to the back and hard-wired to the main board. Take care when removing the back half. You can lay it down flat against the side of the front half where the wires go to the board.



Reassembly

  • First things first: wipe down the LCD and the inside of the clear window with a soft cloth to remove any fingerprints or debris before reassembly. The last thing you want to see is a speck of something on the inside of your screen after you just reassembled the whole thing!


  1. Insert the top edge of the rear half of the pager into the front.
  2. Hinge the rear half downwards in the same way as disassembly.
  3. Make sure the halves are aligned and press down on each side until they snap back together. The side near the negative battery terminal and power button may take some more force to snap shut than the positive side. It helps to push inward towards the positive terminal.
  4. Screw in the 2x Phillips screws from the recess and near the positive battery terminal.
  5. Replace battery cover.



Software & Programming

The initial start-up password for the software is AC5678 [6]

Programming Interface - Pager

Peel back the left-hand sticker to reveal three holes that expose three gold pads on the RF receiver PCB. From left to right, these pads connect directly to the EEPROM SCL line, the EEPROM SDA line, and common ground.

Pinout of the back programming interface

Programming Interface - Programmer

Unknown at the moment. I do not have access to a unit to peer inside it, though based upon the discovery that the EEPROM is directly connected to the programming pads this leads me to believe the programmer is essentially a USB to I2C adapter of some description. It uses the Prolific PL2303[7] in some form since the software installer automatically installs that driver and leaves its executable behind in the program folder.


Bypassing the hand programming password

The 4 digit password is by default set to 0000, so during normal hand programming you are able to just press the power button and the pager will let you continue with programming. If the pager has a different passcode set though, there are a few options.

Message the seller

If you bought from an online second-hand seller such as eBay, you may want to try contacting the seller to see if they know the passcode. If you bought from the same seller that I did though, their listing may say they do not know it and/or not to ask.

Connect to the software

According to the manual for the programming software made by the manufacturer, the passcode is only used to lock out hand programming of the pager. This in theory means that if one has access to a pager, interface, and the software, it may be freely reprogrammed without needing anything other than the software password.

Direct EEPROM readout

The main EEPROM, a CAT24WC16 located on the top right of the board, contains configuration information as well as the hand programming passcode. This chip is a standard I2C EEPROM which can easily be read and written with several different tools. The passcode is not encrypted or obscured in any way. It is 4 bytes long and begins at hex address 0x37C. The digits are written directly to memory as byte values, so for example if the passcode set is 1234, the bytes read in order will be 0x01, 0x02, 0x03, 0x04.


Reverse Engineering

Hardware

EEPROM Dumping

The 24WC16J EEPROM is a standard I2C memory device. As such, its contents can easily be read out using any I2C-capable debug device or microcontroller, such as the Bus Pirate or an Arduino respectively.
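The lookup described under "Direct EEPROM readout", applied to a dump taken as described here, as an added example that is not part of the original page. It assumes a full 2048-byte image; the function names and the constructed sample image are this example's own, and `i2c_location` reflects how 24x16-family parts carry the upper three address bits in the I2C device address.

```python
"""Locate the hand-programming passcode in a 24WC16 dump (added example)."""

EEPROM_SIZE = 2048        # 2048 x 8 bit, per the part description on this page
PASSCODE_OFFSET = 0x37C   # offset given on this page
PASSCODE_LEN = 4


def i2c_location(offset):
    """Map a linear EEPROM offset to (7-bit I2C address, word address).

    A 24x16-family part has only an 8-bit word address; the upper three
    bits of the 11-bit offset select one of eight 256-byte blocks and are
    carried in the low bits of the device address (0x50..0x57).
    """
    if not 0 <= offset < EEPROM_SIZE:
        raise ValueError(f"offset {offset:#x} outside the 2048-byte array")
    return 0x50 | (offset >> 8), offset & 0xFF


def read_passcode(dump):
    """Return the 4-digit passcode string stored in a full EEPROM dump."""
    if len(dump) != EEPROM_SIZE:
        raise ValueError(f"expected {EEPROM_SIZE} bytes, got {len(dump)}")
    raw = dump[PASSCODE_OFFSET:PASSCODE_OFFSET + PASSCODE_LEN]
    # Each digit is stored as its plain value (0x00..0x09), not as ASCII.
    if any(b > 9 for b in raw):
        raise ValueError(f"non-digit bytes at {PASSCODE_OFFSET:#x}: {raw.hex()}")
    return "".join(str(b) for b in raw)


def build_sample_dump(passcode="1234"):
    """Constructed test image: all 0xFF except the four passcode bytes."""
    image = bytearray(b"\xff" * EEPROM_SIZE)
    digits = bytes(int(c) for c in passcode)
    image[PASSCODE_OFFSET:PASSCODE_OFFSET + PASSCODE_LEN] = digits
    return bytes(image)


if __name__ == "__main__":
    addr, word = i2c_location(PASSCODE_OFFSET)
    print(f"passcode at I2C address {addr:#04x}, word address {word:#04x}")
    print("passcode:", read_passcode(build_sample_dump()))
```

A tool that addresses the chip one 256-byte block at a time will therefore find the passcode in the fourth block rather than at a single linear offset.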

Software

At the moment, I have only installed and messed with the "ALA-26B 8-Capcode" version[8] of the software provided on the resources page of the manufacturer.

Upon running and completing the installation of the software, files by default are written to C:\Program Files (x86)\Gold Apollo. Within the ALA26B(USB) directory there are the following files:

  • ALA26B(USB).exe: The main program
  • csins.dat: The same exact installer of the program (setup.exe) but renamed with a .dat file extension (For uninstallation purposes?). File hashes match.
  • default.tbl: The default pager configuration settings which are loaded at startup
  • inpout32.dll: Standard Windows driver for hardware access to serial ports
  • pager.dat: Unknown purpose. Apparently contains the software password AC5678 somewhere within. When removed or renamed and attempting to enter the password to unlock the software, it reports "No password table!Program will be end!". Same file hash as the pager.dat included with setup.exe.
  • PL2303_Prolific_DriverInstaller_10311.exe: Self-explanatory. Appears to be a normal installer. Unknown if modified in any way, most likely not.
  • Uninstall.exe: Also self-explanatory. Seems to be a standard Windows uninstaller.

When running the software and entering the default password, you are normally greeted with an error message saying "The Programmed Board not responding!" if there is no programmer attached. The software will continue to load once the error is acknowledged, and allow you to begin configuring pager settings and save/load .tbl configuration files.


Software Startup

Upon startup and entry of the software password, the program looks for a PL2303 Prolific-based serial device attached to the computer. If found, the COM port is set in a registry key located in HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM.

The software then outputs the following on the serial port before giving the "The Programmed Board not responding!" error:

GoldApollo5R Š

Which is the following in raw serial bytes:

47 6f 6c 64 41 70 6f 6c 6c 6f 35 52 03 00 00 00 00 8a

I have tried replaying the same byte sequence in response, as well as sending just "Apollo" with no luck. There is definitely some reply word sent by the programmer itself, similar to the DeLorme TripMate GPS which needs the word "ASTRAL" sent on its RX pin to enable the GPS.
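One way to study the captured frame above, as an added example that is not part of the original page: it separates the ASCII tag from the trailing bytes and tests a few common check-byte schemes against the last byte. The field split and the candidate list are assumptions of this example, and a match on a single capture is a hypothesis to test against further captures, not a confirmed protocol detail.

```python
"""Test simple check-byte hypotheses against the captured startup frame."""
from functools import reduce

# The 18 bytes captured from the serial port, copied from this page.
FRAME = bytes.fromhex("47 6f 6c 64 41 70 6f 6c 6c 6f 35 52 03 00 00 00 00 8a")


def split_frame(frame):
    """Split into (ASCII tag, middle bytes, last byte).

    The tag is the leading run of printable ASCII. What the middle bytes
    mean is unknown; the field names here are this example's own.
    """
    n = 0
    while n < len(frame) - 1 and 0x20 <= frame[n] < 0x7F:
        n += 1
    return frame[:n].decode("ascii"), frame[n:-1], frame[-1]


def xor_all(body):
    """XOR every byte of body together."""
    return reduce(lambda a, b: a ^ b, body, 0)


# Candidate check-byte algorithms, each computed over all bytes but the last.
CANDIDATES = {
    "sum mod 256": lambda body: sum(body) & 0xFF,
    "two's complement of sum": lambda body: -sum(body) & 0xFF,
    "xor": xor_all,
    "inverted xor": lambda body: xor_all(body) ^ 0xFF,
}


def matching_checks(frame):
    """Return the names of candidates that reproduce the frame's last byte."""
    body, last = frame[:-1], frame[-1]
    return [name for name, fn in CANDIDATES.items() if fn(body) == last]


if __name__ == "__main__":
    tag, middle, last = split_frame(FRAME)
    print(f"tag={tag!r} middle={middle.hex()} last={last:#04x}")
    print("matches:", matching_checks(FRAME))
```

On this capture only the inverted-XOR candidate reproduces the trailing 0x8a.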


default.tbl

This file seems to be very similar to the contents of the pager EEPROM when dumped from a working unit. A large portion is ASCII text for the menus which can be customized using the software.



Caveats

  • Channel spacing seems to commonly be set to 25 kHz, so the common DAPNET frequency of 439.9875 MHz[9] cannot be set without an error message. The pager can be set to use 12.5 kHz channel spacing, but doing so requires the programming software. The easiest solution without software access is to choose a different frequency while minding the amateur satellite band (435 - 438 MHz)[10].