Difference between revisions of "Apollo AL-A26 (Pager)"

From RECESSIM, A Reverse Engineering Community
(Created page with "The Apollo Pilot AL-A26 is an alphanumeric paging reciever that supports POCSAG messaging. It can easily be reprogrammed for use on amateur radio frequencies with or without s...")
 
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
The Apollo Pilot AL-A26 is an alphanumeric paging reciever that supports POCSAG messaging. It can easily be reprogrammed for use on amateur radio frequencies with or without software.
 
The Apollo Pilot AL-A26 is an alphanumeric paging reciever that supports POCSAG messaging. It can easily be reprogrammed for use on amateur radio frequencies with or without software.
  
[[File:Hacktheplanet_pager.jpg|thumb]]
+
[[File:Hacktheplanet_pager.jpg|thumb|Hack the world, hack the planet!]]
 
<br />
 
<br />
  
Line 7: Line 7:
 
The Apollo Pilot A26 (Model number AL-A26) is an alphanumeric POCSAG-enabled paging reciever manufactured by Apollo Digital Paging Company Inc. It can be found on second-hand auction sites such as eBay inexpensively.  
 
The Apollo Pilot A26 (Model number AL-A26) is an alphanumeric POCSAG-enabled paging reciever manufactured by Apollo Digital Paging Company Inc. It can be found on second-hand auction sites such as eBay inexpensively.  
  
It is worth noting however, that there is also a similar model (AF-A26) which is identical, except for supporting the FLEX paging protocol instead.  
+
It is worth noting however, that there is also a similar model (AF-A26) which is identical, but supporting the FLEX paging protocol instead.  
  
 
This wiki will focus on the POCSAG model as it's utility pertains to amateur radio and [https://hampager.de/dokuwiki/doku.php DAPNET] use.  
 
This wiki will focus on the POCSAG model as it's utility pertains to amateur radio and [https://hampager.de/dokuwiki/doku.php DAPNET] use.  
Line 17: Line 17:
  
 
===Physical===
 
===Physical===
 +
 
*'''Weight:''' 56.6g (without battery)
 
*'''Weight:''' 56.6g (without battery)
 
*'''Size (approximate, LxWxH):'''
 
*'''Size (approximate, LxWxH):'''
Line 22: Line 23:
 
**79 x 51 x 28 mm (bare pager itself, width measured to edge of battery compartment hump)
 
**79 x 51 x 28 mm (bare pager itself, width measured to edge of battery compartment hump)
 
**80 x 53 x 20 mm (bare pager according to manufacturer specifications)
 
**80 x 53 x 20 mm (bare pager according to manufacturer specifications)
 +
 
===Technical===
 
===Technical===
 +
 
*'''Power Supply:''' 1x AA Battery
 
*'''Power Supply:''' 1x AA Battery
 
*'''Operational Frequencies:'''
 
*'''Operational Frequencies:'''
Line 37: Line 40:
 
*'''Supported Bandwidth:''' 12.5 or 25 kHz
 
*'''Supported Bandwidth:''' 12.5 or 25 kHz
 
*'''Alert Loudness:''' 85dB @ 10cm
 
*'''Alert Loudness:''' 85dB @ 10cm
 +
 
===Paging Features===
 
===Paging Features===
 +
 
*'''CAPCODE/RIC addresses:''' 8 for POCSAG, 16 for FLEX
 
*'''CAPCODE/RIC addresses:''' 8 for POCSAG, 16 for FLEX
 
*'''Total Message Character Capacity:'''
 
*'''Total Message Character Capacity:'''
Line 59: Line 64:
 
==Photos==
 
==Photos==
 
<gallery>
 
<gallery>
File:Front_pager.jpg|thumb|Front of the AL-A26
+
File:Front pager.jpg|Front of the AL-A26
File:Back_pager.jpg|thumb|Back of the AL-A26
+
File:Back pager.jpg|Back of the AL-A26
File:RF_board_back.jpg|thumb|RF reciever board from the back. (UHF version)
+
File:RF board back pager.jpg|RF reciever board from the back. (UHF version)
File:RF_board_front.jpg|thumb|RF reciever board from the front. (UHF version)
+
File:RF board front pager.jpg|RF reciever board from the front. (UHF version)
File:Mainboard_back_pager.jpg|thumb|Main board from the back.
+
File:Mainboard back pager.jpg|Main board from the back.
File:Mainboard_front_pager.jpg|thumb|Main board from the front.
+
File:Mainboard front pager.jpg|Main board from the front.
 
</gallery>
 
</gallery>
  
Line 71: Line 76:
 
==Physical Hardware==
 
==Physical Hardware==
  
*'''CPU:''' GAPOLLO AL-A26-1 (Proprietary/Custom?)
+
*'''CPU:''' GAPOLLO ALA26-1 (Proprietary/Custom?)
 
*'''RAM:''' Utron UT62L2568 (256x8bit) Low Power CMOS SRAM<ref>https://www.semiee.com/file/EOL/UTRON%20-UT62L2568BS-55L.pdf</ref>
 
*'''RAM:''' Utron UT62L2568 (256x8bit) Low Power CMOS SRAM<ref>https://www.semiee.com/file/EOL/UTRON%20-UT62L2568BS-55L.pdf</ref>
 
*'''ROM:''' Catalyst 24WC16J (16kB, 2048x8bit) I2C EEPROM<ref>https://pdf1.alldatasheet.com/datasheet-pdf/view/57364/CATALYST/24WC16.html</ref>
 
*'''ROM:''' Catalyst 24WC16J (16kB, 2048x8bit) I2C EEPROM<ref>https://pdf1.alldatasheet.com/datasheet-pdf/view/57364/CATALYST/24WC16.html</ref>
 +
**Note: I have a second unit now and this one has a chip marked '''L16 5M52W'''. Reads out the same way apparently...
 
*'''FSK Decoder IC:''' NPC SM8212B POCSAG decoder for multiframe pagers<ref>https://www.semiee.com/file/EOL2/NPC-SM8212BM.pdf</ref>
 
*'''FSK Decoder IC:''' NPC SM8212B POCSAG decoder for multiframe pagers<ref>https://www.semiee.com/file/EOL2/NPC-SM8212BM.pdf</ref>
  
Line 80: Line 86:
 
==Disassembly==
 
==Disassembly==
  
# Remove battery cover.
+
#Remove battery cover.
# Unscrew 2x phillips screws, located in left side recess and near the top of the positive battery contact.
+
#Unscrew 2x phillips screws, located in left side recess and near the top of the positive battery contact.
# Using a spudger, insert the tip into the edge of the back case where the positive battery contact is located.
+
#Using a spudger, insert the tip into the edge of the back case where the positive battery contact is located.
# Pry upward with a bit of a clockwise twisting motion. The right half of the pager should begin to unsnap.
+
#Pry upward with a bit of a clockwise twisting motion. The right half of the pager should begin to unsnap.
# Work your way around the right side, making sure it is completely free.
+
#Work your way around the right side, making sure it is completely free.
# Move over to the left hand side and insert your spudger at the edge of the case seam near the negative battery terminal. Repeat the same prying action.
+
#Move over to the left hand side and insert your spudger at the edge of the case seam near the negative battery terminal. Repeat the same prying action.
# Work around the left hand side to ensure it is completely free.
+
#Work around the left hand side to ensure it is completely free.
# Now that the pager case is unsnapped, hinge the back half upward along the top and pull the back half off of the rest of the pager.
+
#Now that the pager case is unsnapped, hinge the back half upward along the top and pull the back half off of the rest of the pager.
 +
 
 +
 
 +
'''<u>Do note that the first time you disassemble your pager, you will have to use a concerning amount of force to separate the halves.</u>'''
 +
 
 +
'''This is due to sticky foam pads holding the receiver board to the back case. You may remove these when you fully open the unit and it will function fine, however you are probably opening yourself up to the RX board possibly becoming unplugged should you drop the pager at all. Use your own descretion here.'''
  
  
Line 94: Line 105:
  
 
<gallery>
 
<gallery>
File:Screw_locations_pager.jpg|thumb|Screw locations
+
File:Screw locations pager.jpg|Screw locations
File:Insert_spudger_right_side_pager.jpg|thumb|Spudger inbetween case halves
+
File:Insert spudger right side pager.jpg|Spudger inbetween case halves
File:Right_side_unsnapped_pager.jpg|thumb|Right side unsnapped
+
File:Right side unsnapped pager.jpg|Right side unsnapped
File:Left_side_spudger_insert_pager.jpg|thumb|Spudger under left side
+
File:Left side spudger insert pager.jpg|Spudger under left side
File:Completely_free_back_pager.jpg|thumb|Left side unsnapped and back half free. Hinge upward as shown.
+
File:Completely free back pager.jpg|Left side unsnapped and back half free. Hinge upward as shown.
File:Back_cover_laying_flat_pager.jpg|thumb|Rear cover laying flat
+
File:Sticky pads.jpg|The aforementioned sticky pads that hold the RX board in place.
 +
File:Back laid flat pager.jpg|Rear cover laying flat
 
</gallery>
 
</gallery>
 
<br />
 
<br />
  
 
==Reassembly==
 
==Reassembly==
* First thing's first, wipe down the LCD and inside of the clear window with a soft cloth to remove any fingerprints or debris before reassembly. Last thing you want to see is a speck of something on the inside of your screen after you just reassembled the whole thing!
 
  
 +
*First thing's first, wipe down the LCD and inside of the clear window with a soft cloth to remove any fingerprints or debris before reassembly. Last thing you want to see is a speck of something on the inside of your screen after you just reassembled the whole thing!
  
# Insert the top edge of the rear half of the pager into the front.
+
 
# Hinge the rear half downwards in the same way as disassembly.
+
#Insert the top edge of the rear half of the pager into the front.
# Make sure the halves are aligned and press down on each side until they snap back together. The side near the negative battery terminal and power button may take some more force to snap shut than the positive side. It helps to push inward towards the positive terminal.
+
#Hinge the rear half downwards in the same way as disassembly.
# Screw in the 2x phillips screws from the recess and near the positive battery terminal.
+
#Make sure the halves are aligned and press down on each side until they snap back together. The side near the negative battery terminal and power button may take some more force to snap shut than the positive side. It helps to push inward towards the positive terminal.
# Replace battery cover.
+
#Screw in the 2x phillips screws from the recess and near the positive battery terminal.
 +
#Replace battery cover.
  
  
 
<gallery>
 
<gallery>
File:Align_top_tabs_pager.jpg|thumb|Re-inserting the top half tabs
+
File:Align top tabs pager.jpg|Re-inserting the top half tabs
File:Top_edge_flush_reassembly_pager.jpg|thumb|Fully inserted tabs aligned and ready to hinge down
+
File:Top edge flush reassembly pager.jpg|Fully inserted tabs aligned and ready to hinge down
File:Not_fully_snapped_left_pager.jpg|thumb|Incorrect/not snapped in negative side
+
File:Not fully snapped left pager.jpg|Incorrect/not snapped in negative side
File:Correctly_snapped_left_pager.jpg|thumb|Correct/snapped in negative side
+
File:Correctly snapped left pager.jpg|Correct/snapped in negative side
 
</gallery>
 
</gallery>
 
<br />
 
<br />
  
 
==Software & Programming==
 
==Software & Programming==
The initial start-up password for the software is '''AC5678''' <ref>https://www.apollopagers.com/support/</ref>
+
The initial start-up password for the software is '''AC5678''' <ref>https://www.apollopagers.com/support/</ref>. Not necessarily related to programming per se, but holding down the triangular power/function button on startup will initiate a lamp/motor/RAM test mode. You can step through the various tests with the buttons, but the battery will need to be pulled to reset it.
 +
 
 +
===Hand Programming===
 +
 
 +
====Password Menu====
 +
 
 +
Hold down the center oval shaped button and insert the battery. Keep holding it until this screen appears. Should take approximately 6 seconds.
 +
 
 +
Hoping for the best, press the triangular power/function button. If the password is set to the default (0000) then you should see the frequency screen appear. If not, then your password is incorrect. Head on down to section 9, [https://wiki.recessim.com/view/Apollo_AL-A26_(Pager)#Bypassing_the_hand_programming_password Bypassing the hand programming password.]
 +
 
 +
====Frequency Menu====
 +
 
 +
Use the up/down/left/right buttons to enter your desired RX frequency here. Do keep in mind the common caveat of these being set to 25kHz channel spacing, so select your frequency accordingly. If an invalid frequency is entered (for example, the default DAPNET frequency of 439.9875) while the pager is in 25kHz spacing mode, it will not accept the frequency change and will beep once and reboot to the normal pager interface.
 +
 
 +
====RIC/CAPCODE Menus====
 +
 
 +
The next menu items after frequency are the RIC/CAPCODE settings. These can be enabled and disabled while retaining their values and function bits. More on the function bits below.
 +
 
 +
=====Function Bits=====
 +
 
 +
Still a WIP to make these fully understandable. More to come.
 +
 
 +
<pre>
 +
The AAAA 4 position means different Function bit Features,
 +
A = Alpha Numeric
 +
I = IDEO
 +
N = Standard Numeric
 +
P = PRC  Numeric
 +
- = Off
 +
T= Tone Only
 +
</pre>
 +
 
 +
====Baud====
 +
 
 +
Options are 512, 1200, and 2400 for the POCSAG version. Make sure it is set to 1200 for DAPNET use.
 +
 
 +
====Contrast====
 +
 
 +
Set the overall LCD contrast here. Seems to default to 4 and that should be good for most cases.
 +
 
 +
====Modify Password====
 +
 
 +
Here you can enter a new passcode for the pager which will take effect on next reboot. Be sure to remember this value if you change it from 0000 as it will be needed to access the programming interface again!
 +
 
 +
====Pass!====
 +
 
 +
Assuming everything you entered is valid and to the pager's liking, you should finish with this screen after hitting the triangular power/function button. The pager will now reboot to the main interface and your settings will be active.
 +
 
 +
 
 +
 
 +
 
 +
<gallery>
 +
File:Pass word prompt.jpg|Passcode prompt
 +
File:Frequency menu.jpg|Frequency setting
 +
File:Capcode menu.jpg|RIC/CAPCODE setting
 +
File:Baud menu.jpg|Baudrate setting
 +
File:Contrast menu.jpg|Contrast setting
 +
File:Modify password menu.jpg|Modify password setting
 +
File:Pass screen.jpg|Pass! screen
 +
</gallery>
 +
 
 +
==Physical Interfaces==
  
 
===Programming Interface - Pager===
 
===Programming Interface - Pager===
Peel back the lefthand sticker to reveal three holes that expose three gold pads on the RF reciever PCB. These pads directly connect to the EEPROM SCL and SDA lines as well as common ground in that order from left to right.  
+
Peel back the lefthand sticker to reveal three holes that expose three gold pads on the RF receiver PCB. These pads directly connect to the EEPROM SCL and SDA lines as well as common ground in that order from left to right.  
  
[[File:Programming_interface_pinout_pager.jog|thumb|Pinout of the back programming interface]]
+
[[File:Programming_interface_pinout_pager.png|thumb|Pinout of the back programming interface]]
  
 
===Programming Interface - Programmer===
 
===Programming Interface - Programmer===
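Review bot: In the added Password Menu paragraph, "Head on down to section 9" hard-codes a section number and links to the page's own full URL, so the pointer goes stale as soon as sections are added or reordered; an internal anchor link such as [[#Bypassing the hand programming password]] with no section number would keep working. The same paragraph says "until this screen appears" while the screenshots sit in a gallery at the end of the section, so naming the screen (the passcode prompt) would remove the guesswork.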
Line 144: Line 218:
 
According to the manual for the programming software made by the manufacturer, the passcode is only used to lock out hand programming of the pager. This in theory means that if one has access to a pager, interface, and the software, it may be freely reprogrammed without needing anything other than the software password.
 
According to the manual for the programming software made by the manufacturer, the passcode is only used to lock out hand programming of the pager. This in theory means that if one has access to a pager, interface, and the software, it may be freely reprogrammed without needing anything other than the software password.
  
===Direct EEPROM readout===
+
===Direct EEPROM readout?===
The main EEPROM, a CAT24WC16, which is located on the top right of the board contains configuration information as well as the hand programming passcode. This chip is a standard I2C EEPROM which can easily be read and written with several different tools. The passcode is not encrypted or obscured in any context. The passcode is 4 bytes long and begins at hex address '''0x37C.''' The bytes are directly written to memory, so for example if the passcode set is '''1234''', the bytes read in order will read as '''0x01, 0x02, 0x03, 0x04.'''
+
The main EEPROM, a CAT24WC16, which is located on the top right of the board contains configuration information. It may or may not contain the passcode, this is still unknown at this time. This chip is a standard I2C EEPROM which can easily be read and written with several different tools.
  
 
<br />
 
<br />
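Review bot: The replacement sentence under "Direct EEPROM readout?" ("It may or may not contain the passcode, this is still unknown at this time") withdraws the earlier 0x37C claim but does not say what was actually checked, and it is a comma splice. Suggest stating the observation directly, for example that the passcode has not been found in any EEPROM dump taken so far, which is what the Caveats bullet added later in this revision says, and splitting the sentence in two.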
Line 154: Line 228:
  
 
=====EEPROM Dumping=====
 
=====EEPROM Dumping=====
The 24WC16J EEPROM is a standard I2C memory device. As such, it's contents can easily be read out using any I2C capable debug device or microcontroller such as the Bus Pirate or Arduino respectively.
+
The 24WC16J EEPROM is a standard I2C memory device. As such, it's contents can easily be read out using any I2C capable debug device or microcontroller such as the Bus Pirate or Arduino respectively. A CH341A programmer has also been used successfully to dump the contents.
  
 
===Software===
 
===Software===
Line 166: Line 240:
 
*'''csins.dat:''' The same exact installer of the program (setup.exe) but renamed with a .dat file extension (For uninstallation purposes?). File hashes match.
 
*'''csins.dat:''' The same exact installer of the program (setup.exe) but renamed with a .dat file extension (For uninstallation purposes?). File hashes match.
 
*'''default.tbl:''' The default pager configuration settings which are loaded at startup
 
*'''default.tbl:''' The default pager configuration settings which are loaded at startup
 +
**<u>You can find the hand programming passcode in this file. The passcode is not encrypted or obscured in any context. The passcode is 4 bytes long and begins at hex address '''0x37C.''' The bytes are directly written to memory, so for example if the passcode set is '''1234''', the bytes read in order will read as '''0x01, 0x02, 0x03, 0x04.'''</u>
 
*'''inpout32.dll:''' Standard Windows driver for hardware access to serial ports
 
*'''inpout32.dll:''' Standard Windows driver for hardware access to serial ports
 
*'''pager.dat:''' Unknown purpose. Apparently contains the software password AC5678 somewhere within. When removed or renamed and attempting to enter the password to unlock the software, it reports "No password table!Program will be end!". Same file hash as the pager.dat included with setup.exe.
 
*'''pager.dat:''' Unknown purpose. Apparently contains the software password AC5678 somewhere within. When removed or renamed and attempting to enter the password to unlock the software, it reports "No password table!Program will be end!". Same file hash as the pager.dat included with setup.exe.
 
*'''PL2303_Prolific_DriverInstaller_10311.exe:''' Self explanitory. Appears to be a normal installer. Unknown if modified in any way, most likely not.
 
*'''PL2303_Prolific_DriverInstaller_10311.exe:''' Self explanitory. Appears to be a normal installer. Unknown if modified in any way, most likely not.
 
*'''Uninstall.exe:''' Also self explanitory. Seems to be a standard Windows uninstaller.
 
*'''Uninstall.exe:''' Also self explanitory. Seems to be a standard Windows uninstaller.
 +
 +
 +
====Software Startup====
 +
Upon startup and entry of the software password, the program looks for a PL2303 Prolific based serial device attached to the computer. If found, the COM port is set in a registry key located in '''HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM,''' though it seems to want it on COM1?
 +
 +
The software then outputs the following on the serial port (9600 8N1) before giving the "The Programmed Board not responding!" error:
 +
<pre>GoldApollo5R Š</pre>
 +
Which is the following in raw serial bytes
 +
<pre>47 6f 6c 64 41 70 6f 6c 6c 6f 35 52 03 00 00 00 00 8a</pre>
 +
 +
I have tried replaying the same byte sequence in response, as well as sending just "Apollo" with no luck. My assumption is there must be some reply word sent by the programmer itself, similar to the [http://n3ujj.com/TripMate_Self_Start_Modification.html DeLorme TripMate GPS which needs the word "ASTRAL" sent on it's RX pin to enable the GPS.]
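Review bot: The passcode note added under default.tbl reuses the wording removed from the EEPROM section ("begins at hex address 0x37C", "directly written to memory"), which is ambiguous now that it describes a file; "file offset 0x37C" and "stored as raw digit values" would say what is meant. It would also help to state whether the offset was checked only in default.tbl or also in .tbl files saved from the software, since the Caveats bullet refers to ".tbl files" in general.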
  
  
Line 180: Line 266:
  
 
==Caveats==
 
==Caveats==
*Channel spacing seems to commonly be set to 25 kHz, making the common DAPNET frequency of 439.9875 MHz<ref>https://hampager.de/dokuwiki/doku.php?id=dapnetfrq</ref> unable to be set without an error message. The pager can be set to use 12.5 kHz channel spacing, but requires the programming software to accomplish. The easiest solution without software access is to choose a different frequency while minding the amateur satellite band (435 - 438 MHz)<ref>https://www.iaru-r1.org/wiki/Amateur_satellites#:~:text=2%20meter%20band-,70%20cm%20band,maximum%20bandwidth%20is%20100%20kHz</ref>
+
 
 +
*Channel spacing seems to commonly be set to 25 kHz, making the common DAPNET frequency of 439.9875 MHz<ref>https://hampager.de/dokuwiki/doku.php?id=dapnetfrq</ref> unable to be set without an error message. The pager can be set to use 12.5 kHz channel spacing, but requires the programming software to accomplish. The easiest solution without software access is to choose a different frequency while minding the amateur satellite band (435 - 438 MHz)<ref>https://www.iaru-r1.org/wiki/UHF</ref>
 +
*Currently, we do not know how to reset the hand programming password without a programmer. The passcode is clearly visible in the .tbl files, but not in any EEPROM dumps done thus far.
 +
 
 
<br />
 
<br />
 
==References==
 
 
<references />
 
<references />

Latest revision as of 06:14, 9 March 2023

The Apollo Pilot AL-A26 is an alphanumeric paging receiver that supports POCSAG messaging. It can easily be reprogrammed for use on amateur radio frequencies with or without software.

Hack the world, hack the planet!


Overview

The Apollo Pilot A26 (Model number AL-A26) is an alphanumeric POCSAG-enabled paging receiver manufactured by Apollo Digital Paging Company Inc. It can be found inexpensively on second-hand auction sites such as eBay.

It is worth noting, however, that there is also a similar model (AF-A26) which is identical but supports the FLEX paging protocol instead.

This wiki will focus on the POCSAG model as its utility pertains to amateur radio and DAPNET use.

The A26 model line is hand-programmable and does not require any software to set up basic features (including CAPCODE/RIC, frequency, and baudrate), which makes it particularly appealing for amateur use. Do note, however, that a 4 digit code can be set to lock the end user out of hand-programming, which may be an issue if buying second hand. More information regarding bypassing or reading out this code is detailed below.

Specifications [1][2]

Physical

  • Weight: 56.6g (without battery)
  • Size (approximate, LxWxH):
    • 82 x 57 x 38 mm (with holster and clip depth included)
    • 79 x 51 x 28 mm (bare pager itself, width measured to edge of battery compartment hump)
    • 80 x 53 x 20 mm (bare pager according to manufacturer specifications)

Technical

  • Power Supply: 1x AA Battery
  • Operational Frequencies:
    • VHF: 138-174 MHz
    • UHF: 408-473 MHz
    • 900: 929-932 MHz
  • Receiver Sensitivity:
    • 512bps - 5µV/M
    • 1200bps - 7µV/M
    • 2400bps - 9µV/M
  • Supported Baudrates:
    • 512/1200/2400 (POCSAG)
    • 1600/3200/6400 (FLEX)
  • Supported Bandwidth: 12.5 or 25 kHz
  • Alert Loudness: 85dB @ 10cm

Paging Features

  • CAPCODE/RIC addresses: 8 for POCSAG, 16 for FLEX
  • Total Message Character Capacity:
    • 262,144 (POCSAG)
    • 32,000 (FLEX)
  • Mail Drop Character Capacity:
    • 239,616 (POCSAG)
    • 27,000 (FLEX)
  • Alerting:
    • 4 Beep alerts w/ LED flash
    • 10 Melodic alerts w/ LED flash
    • Vibration w/ LED flash
    • LED flash only
  • Unread message reminder alert
  • Notification of duplicate message, message received with errors, and full message box
  • Up to 10 saved (locked) messages
  • 4 line, 84 character backlit LCD display with optional 2 line zoom with larger characters


Photos


Physical Hardware

  • CPU: GAPOLLO ALA26-1 (Proprietary/Custom?)
  • RAM: Utron UT62L2568 (256x8bit) Low Power CMOS SRAM[3]
  • ROM: Catalyst 24WC16J (16kB, 2048x8bit) I2C EEPROM[4]
    • Note: I have a second unit now and this one has a chip marked L16 5M52W. Reads out the same way apparently...
  • FSK Decoder IC: NPC SM8212B POCSAG decoder for multiframe pagers[5]


Disassembly

  1. Remove battery cover.
  2. Unscrew 2x phillips screws, located in left side recess and near the top of the positive battery contact.
  3. Using a spudger, insert the tip into the edge of the back case where the positive battery contact is located.
  4. Pry upward with a bit of a clockwise twisting motion. The right half of the pager should begin to unsnap.
  5. Work your way around the right side, making sure it is completely free.
  6. Move over to the left hand side and insert your spudger at the edge of the case seam near the negative battery terminal. Repeat the same prying action.
  7. Work around the left hand side to ensure it is completely free.
  8. Now that the pager case is unsnapped, hinge the back half upward along the top and pull the back half off of the rest of the pager.


Do note that the first time you disassemble your pager, you will have to use a concerning amount of force to separate the halves.

This is due to sticky foam pads holding the receiver board to the back case. You may remove these when you fully open the unit and it will function fine, however you are probably opening yourself up to the RX board possibly becoming unplugged should you drop the pager at all. Use your own discretion here.


Warning! The vibration motor is attached to the back and hard-wired to the main board. Take care when removing the back half. You can lay it down flat against the side of the front half where the wires go to the board.



Reassembly

  • First things first: wipe down the LCD and the inside of the clear window with a soft cloth to remove any fingerprints or debris before reassembly. The last thing you want to see is a speck of something on the inside of your screen after you just reassembled the whole thing!


  1. Insert the top edge of the rear half of the pager into the front.
  2. Hinge the rear half downwards in the same way as disassembly.
  3. Make sure the halves are aligned and press down on each side until they snap back together. The side near the negative battery terminal and power button may take some more force to snap shut than the positive side. It helps to push inward towards the positive terminal.
  4. Screw in the 2x phillips screws from the recess and near the positive battery terminal.
  5. Replace battery cover.



Software & Programming

The initial start-up password for the software is AC5678 [6]. Not necessarily related to programming per se, but holding down the triangular power/function button on startup will initiate a lamp/motor/RAM test mode. You can step through the various tests with the buttons, but the battery will need to be pulled to reset it.

Hand Programming

Password Menu

Hold down the center oval shaped button and insert the battery. Keep holding it until this screen appears. Should take approximately 6 seconds.

Hoping for the best, press the triangular power/function button. If the password is set to the default (0000) then you should see the frequency screen appear. If not, then your password is incorrect. Head on down to section 9, Bypassing the hand programming password.

Frequency Menu

Use the up/down/left/right buttons to enter your desired RX frequency here. Do keep in mind the common caveat of these being set to 25kHz channel spacing, so select your frequency accordingly. If an invalid frequency is entered (for example, the default DAPNET frequency of 439.9875) while the pager is in 25kHz spacing mode, it will not accept the frequency change and will beep once and reboot to the normal pager interface.

RIC/CAPCODE Menus

The next menu items after frequency are the RIC/CAPCODE settings. These can be enabled and disabled while retaining their values and function bits. More on the function bits below.

Function Bits

Still a WIP to make these fully understandable. More to come.

The AAAA 4 position means different Function bit Features,
 A = Alpha Numeric
 I = IDEO
 N = Standard Numeric
 P = PRC  Numeric
 - = Off
 T= Tone Only

Baud

Options are 512, 1200, and 2400 for the POCSAG version. Make sure it is set to 1200 for DAPNET use.

Contrast

Set the overall LCD contrast here. Seems to default to 4 and that should be good for most cases.

Modify Password

Here you can enter a new passcode for the pager which will take effect on next reboot. Be sure to remember this value if you change it from 0000 as it will be needed to access the programming interface again!

Pass!

Assuming everything you entered is valid and to the pager's liking, you should finish with this screen after hitting the triangular power/function button. The pager will now reboot to the main interface and your settings will be active.



Physical Interfaces

Programming Interface - Pager

Peel back the lefthand sticker to reveal three holes that expose three gold pads on the RF receiver PCB. These pads directly connect to the EEPROM SCL and SDA lines as well as common ground in that order from left to right.

Pinout of the back programming interface

Programming Interface - Programmer

Unknown at the moment. I do not have access to a unit to peer inside it, though based upon the discovery that the EEPROM is directly connected to the programming pads this leads me to believe the programmer is essentially a USB to I2C adapter of some description. It uses the Prolific PL2303[7] in some form since the software installer automatically installs that driver and leaves its executable behind in the program folder.


Bypassing the hand programming password

The 4 digit password is by default set to 0000, so during normal hand programming you are able to just press the power button and the pager will let you continue with programming. If the pager has a different passcode set though, there are a few options.

Message the seller

If you bought from an online second-hand seller such as eBay, you may want to try contacting the seller to see if they know the passcode. If you bought from the same seller that I did though, their listing may say they do not know it and/or not to ask.

Connect to the software

According to the manual for the programming software made by the manufacturer, the passcode is only used to lock out hand programming of the pager. This in theory means that if one has access to a pager, interface, and the software, it may be freely reprogrammed without needing anything other than the software password.

Direct EEPROM readout?

The main EEPROM, a CAT24WC16, which is located on the top right of the board contains configuration information. It may or may not contain the passcode, this is still unknown at this time. This chip is a standard I2C EEPROM which can easily be read and written with several different tools.


Reverse Engineering

Hardware

EEPROM Dumping

The 24WC16J EEPROM is a standard I2C memory device. As such, its contents can easily be read out using any I2C capable debug device or microcontroller such as the Bus Pirate or Arduino respectively. A CH341A programmer has also been used successfully to dump the contents.

Software

At the moment, I have only installed and messed with the "ALA-26B 8-Capcode" version[8] of the software provided on the resources page of the manufacturer.

Upon running and completing the installation of the software, files by default are written to C:\Program Files (x86)\Gold Apollo. Within the ALA26B(USB) directory there are the following files:

  • ALA26B(USB).exe: The main program
  • csins.dat: The same exact installer of the program (setup.exe) but renamed with a .dat file extension (For uninstallation purposes?). File hashes match.
  • default.tbl: The default pager configuration settings which are loaded at startup
    • You can find the hand programming passcode in this file. The passcode is not encrypted or obscured in any context. The passcode is 4 bytes long and begins at hex address 0x37C. The bytes are directly written to memory, so for example if the passcode set is 1234, the bytes read in order will read as 0x01, 0x02, 0x03, 0x04.
  • inpout32.dll: Standard Windows driver for hardware access to serial ports
  • pager.dat: Unknown purpose. Apparently contains the software password AC5678 somewhere within. When removed or renamed and attempting to enter the password to unlock the software, it reports "No password table!Program will be end!". Same file hash as the pager.dat included with setup.exe.
  • PL2303_Prolific_DriverInstaller_10311.exe: Self explanatory. Appears to be a normal installer. Unknown if modified in any way, most likely not.
  • Uninstall.exe: Also self explanatory. Seems to be a standard Windows uninstaller.

When running the software and entering the default password, you are normally greeted with an error message saying "The Programmed Board not responding!" if there is no programmer attached. The software will continue to load once the error is acknowledged, and allow you to begin configuring pager settings and save/load .tbl configuration files.


Software Startup

Upon startup and entry of the software password, the program looks for a PL2303 Prolific based serial device attached to the computer. If found, the COM port is set in a registry key located in HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM, though it seems to want it on COM1?

The software then outputs the following on the serial port (9600 8N1) before giving the "The Programmed Board not responding!" error:

GoldApollo5R Š

Which is the following in raw serial bytes

47 6f 6c 64 41 70 6f 6c 6c 6f 35 52 03 00 00 00 00 8a

I have tried replaying the same byte sequence in response, as well as sending just "Apollo" with no luck. My assumption is there must be some reply word sent by the programmer itself, similar to the DeLorme TripMate GPS which needs the word "ASTRAL" sent on its RX pin to enable the GPS.
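The captured frame can be tested for an internal checksum before guessing at the reply. The following is an added example, not part of the original page or the vendor software: it tries four common 8-bit checksums over every possible span of the 18 bytes listed above. The split into preamble, payload and trailing byte, and the `build_frame` helper, are hypotheses drawn from this single capture.

```python
"""Added example: test checksum hypotheses against the captured hello frame."""

# The 18 bytes listed on this page, as sent by the software at 9600 8N1.
CAPTURED = bytes.fromhex("47 6f 6c 64 41 70 6f 6c 6c 6f 35 52 03 00 00 00 00 8a")


def sum8(data):
    """Additive checksum, low 8 bits."""
    return sum(data) & 0xFF


def xor8(data):
    """Longitudinal XOR of all bytes."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def neg_sum8(data):
    """Two's complement of the additive checksum."""
    return -sum(data) & 0xFF


def inv_sum8(data):
    """One's complement of the additive checksum."""
    return ~sum(data) & 0xFF


ALGORITHMS = {"sum8": sum8, "xor8": xor8, "neg_sum8": neg_sum8, "inv_sum8": inv_sum8}


def split_frame(frame):
    """Split a frame into (printable ASCII prefix, binary body, trailing byte)."""
    n = 0
    while n < len(frame) - 1 and 0x20 <= frame[n] < 0x7F:
        n += 1
    return frame[:n].decode("ascii"), frame[n:-1], frame[-1]


def checksum_candidates(frame):
    """Return (algorithm, start) pairs where algorithm(frame[start:-1])
    equals the trailing byte. One hit from one frame is a lead, not proof."""
    body, target = frame[:-1], frame[-1]
    return [
        (name, start)
        for start in range(len(body))
        for name, fn in ALGORITHMS.items()
        if fn(body[start:]) == target
    ]


def build_frame(payload, preamble=b"GoldApollo"):
    """Hypothetical framing inferred from the one capture:
    fixed preamble + payload + sum8(payload)."""
    return preamble + payload + bytes([sum8(payload)])


if __name__ == "__main__":
    text, body, trailer = split_frame(CAPTURED)
    print(f"text={text!r} body={body.hex(' ')} trailer=0x{trailer:02x}")
    for name, start in checksum_candidates(CAPTURED):
        span = CAPTURED[start:-1]
        print(f"{name} over bytes {start}..{len(CAPTURED) - 2}: {span.hex(' ')}")
    # Rebuilding the frame from its own payload checks the hypothesis end to end.
    print("rebuild matches capture:", build_frame(CAPTURED[10:17]) == CAPTURED)
```

The only match is the additive checksum over `35 52 03 00 00 00 00`, which suggests "GoldApollo" is a fixed preamble and "5R" belongs to the checksummed payload. Captures of other frames are needed to confirm it.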


default.tbl

This file seems to be very similar to the contents of the pager EEPROM when dumped from a working unit. A large portion is ASCII text for the menus which can be customized using the software.
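Since the .tbl layout is close to the EEPROM image and the passcode sits at 0x37C in the file, a known passcode set on your own unit can be used to compare the two. The following is an added example, not code from the page or the vendor: it reads the passcode from a .tbl image, searches a dump for it in several encodings, and lists where the images differ. The encodings tried and the sample images are assumptions constructed for the demo; they do not describe the real EEPROM layout.

```python
"""Added example: compare a .tbl image with an EEPROM dump (constructed data)."""

PASSCODE_OFFSET = 0x37C  # offset given on this page for default.tbl
PASSCODE_LEN = 4


def read_tbl_passcode(tbl):
    """Return the 4 digit passcode stored as raw digit values in a .tbl image."""
    end = PASSCODE_OFFSET + PASSCODE_LEN
    if len(tbl) < end:
        raise ValueError(f"image is {len(tbl)} bytes, need at least {end}")
    raw = tbl[PASSCODE_OFFSET:end]
    if any(b > 9 for b in raw):
        raise ValueError(f"bytes at 0x{PASSCODE_OFFSET:X} are not digits: {raw.hex(' ')}")
    return "".join(str(b) for b in raw)


def passcode_encodings(passcode):
    """Candidate storage encodings to look for (assumed, not confirmed)."""
    d = [int(c) for c in passcode]
    return {
        "raw digits": bytes(d),
        "ascii": passcode.encode("ascii"),
        "packed BCD": bytes([d[0] << 4 | d[1], d[2] << 4 | d[3]]),
        "packed BCD, nibbles swapped": bytes([d[1] << 4 | d[0], d[3] << 4 | d[2]]),
    }


def find_in_dump(dump, passcode):
    """Return (encoding, offset) for every occurrence of the passcode in dump."""
    if len(set(passcode)) == 1:
        # e.g. 0000 matches any run of identical bytes; set a distinctive code first
        raise ValueError("passcode is too repetitive to search for reliably")
    hits = []
    for name, pattern in passcode_encodings(passcode).items():
        pos = dump.find(pattern)
        while pos != -1:
            hits.append((name, pos))
            pos = dump.find(pattern, pos + 1)
    return hits


def differing_ranges(a, b):
    """Return (start, end_exclusive) ranges where the two images differ."""
    ranges, start = [], None
    limit = min(len(a), len(b))
    for i in range(limit):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, limit))
    return ranges


def make_sample_images():
    """Constructed images: sizes, text and the BCD location are invented."""
    tbl = bytearray(b"\xff" * 0x400)
    text = b"ALERT SETUP"
    tbl[0x100:0x100 + len(text)] = text
    tbl[PASSCODE_OFFSET:PASSCODE_OFFSET + PASSCODE_LEN] = bytes([4, 7, 1, 9])
    dump = bytearray(tbl)
    dump[PASSCODE_OFFSET:PASSCODE_OFFSET + PASSCODE_LEN] = b"\xff" * PASSCODE_LEN
    dump[0x3F0:0x3F2] = bytes([0x47, 0x19])  # invented location and encoding
    return bytes(tbl), bytes(dump)


if __name__ == "__main__":
    tbl, dump = make_sample_images()
    code = read_tbl_passcode(tbl)
    print("passcode in .tbl:", code)
    for name, off in find_in_dump(dump, code):
        print(f"dump match: {name} at 0x{off:03X}")
    for lo, hi in differing_ranges(tbl, dump):
        print(f"images differ at 0x{lo:03X}-0x{hi - 1:03X}")
```

On real files, replace `make_sample_images()` with the bytes of a saved .tbl and of a dump taken after programming that same .tbl.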



Caveats

  • Channel spacing seems to commonly be set to 25 kHz, making the common DAPNET frequency of 439.9875 MHz[9] unable to be set without an error message. The pager can be set to use 12.5 kHz channel spacing, but requires the programming software to accomplish. The easiest solution without software access is to choose a different frequency while minding the amateur satellite band (435 - 438 MHz)[10]
  • Currently, we do not know how to reset the hand programming password without a programmer. The passcode is clearly visible in the .tbl files, but not in any EEPROM dumps done thus far.
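The frequency rejection described in the Frequency Menu section and in the first caveat above can be checked before hand programming. The following is an added example, not the pager's firmware logic: it assumes a frequency is accepted when it lies in one of the listed bands and is a whole multiple of the channel spacing, and it treats 435 to 438 MHz as a segment to avoid.

```python
"""Added example: check an RX frequency against the channel raster."""
from decimal import Decimal

# Band limits from the specification list on this page (MHz).
BANDS_MHZ = {"VHF": (138, 174), "UHF": (408, 473), "900": (929, 932)}
# Amateur satellite segment named in the Caveats section (MHz).
SAT_SEGMENT_MHZ = (435, 438)


def to_hz(mhz):
    """Convert a decimal MHz string to integer Hz without float rounding."""
    return int(Decimal(mhz) * 1_000_000)


def band_of(hz):
    """Return the band name containing hz, or None."""
    for name, (lo, hi) in BANDS_MHZ.items():
        if lo * 1_000_000 <= hz <= hi * 1_000_000:
            return name
    return None


def in_sat_segment(hz):
    lo, hi = SAT_SEGMENT_MHZ
    return lo * 1_000_000 <= hz <= hi * 1_000_000


def check_frequency(mhz, spacing_khz="25"):
    """Assumed rule: in band and an integer multiple of the spacing."""
    hz = to_hz(mhz)
    step = int(Decimal(spacing_khz) * 1000)
    band = band_of(hz)
    on_raster = hz % step == 0
    return {
        "band": band,
        "on_raster": on_raster,
        "in_sat_segment": in_sat_segment(hz),
        "accepted": band is not None and on_raster,
    }


def nearest_channels(mhz, spacing_khz="25", count=2):
    """Nearest on-raster frequencies that are in band and outside the
    satellite segment, returned as MHz strings in ascending order."""
    hz = to_hz(mhz)
    step = int(Decimal(spacing_khz) * 1000)
    below = hz // step * step
    found, k = [], 0
    while len(found) < count and k < 10_000:
        for f in (below - k * step, below + (k + 1) * step):
            if band_of(f) is not None and not in_sat_segment(f):
                found.append(f)
        k += 1
    best = sorted(found, key=lambda f: (abs(f - hz), f))[:count]
    return [f"{f / 1e6:.4f}" for f in sorted(best)]


if __name__ == "__main__":
    for spacing in ("25", "12.5"):
        print(spacing, "kHz:", check_frequency("439.9875", spacing))
    print("alternatives at 25 kHz:", nearest_channels("439.9875"))
```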