92
edits
Changes
Jump to navigation
Jump to search
m
* First thing's first, wipe down the LCD and inside of the clear window with a soft cloth to remove any fingerprints or debris before reassembly. Last thing you want to see is a speck of something on the inside of your screen after you just reassembled the whole thing!
==References==
→Software Startup
The Apollo Pilot AL-A26 is an alphanumeric paging reciever that supports POCSAG messaging. It can easily be reprogrammed for use on amateur radio frequencies with or without software.
[[File:Hacktheplanet_pager.jpg|thumb|Hack the world, hack the planet!]]
<br />
The Apollo Pilot A26 (Model number AL-A26) is an alphanumeric POCSAG-enabled paging reciever manufactured by Apollo Digital Paging Company Inc. It can be found on second-hand auction sites such as eBay inexpensively.
It is worth noting however, that there is also a similar model (AF-A26) which is identical, except for but supporting the FLEX paging protocol instead.
This wiki will focus on the POCSAG model as it's utility pertains to amateur radio and [https://hampager.de/dokuwiki/doku.php DAPNET] use.
===Physical===
*'''Weight:''' 56.6g (without battery)
*'''Size (approximate, LxWxH):'''
**79 x 51 x 28 mm (bare pager itself, width measured to edge of battery compartment hump)
**80 x 53 x 20 mm (bare pager according to manufacturer specifications)
===Technical===
*'''Power Supply:''' 1x AA Battery
*'''Operational Frequencies:'''
*'''Supported Bandwidth:''' 12.5 or 25 kHz
*'''Alert Loudness:''' 85dB @ 10cm
===Paging Features===
*'''CAPCODE/RIC addresses:''' 8 for POCSAG, 16 for FLEX
*'''Total Message Character Capacity:'''
==Photos==
<gallery>
File:Front_pagerFront pager.jpg|thumb|Front of the AL-A26File:Back_pagerBack pager.jpg|thumb|Back of the AL-A26File:RF_board_backRF board back pager.jpg|thumb|RF reciever board from the back. (UHF version)File:RF_board_frontRF board front pager.jpg|thumb|RF reciever board from the front. (UHF version)File:Mainboard_back_pagerMainboard back pager.jpg|thumb|Main board from the back.File:Mainboard_front_pagerMainboard front pager.jpg|thumb|Main board from the front.
</gallery>
==Physical Hardware==
*'''CPU:''' GAPOLLO AL-A26ALA26-1 (Proprietary/Custom?)
*'''RAM:''' Utron UT62L2568 (256x8bit) Low Power CMOS SRAM<ref>https://www.semiee.com/file/EOL/UTRON%20-UT62L2568BS-55L.pdf</ref>
*'''ROM:''' Catalyst 24WC16J (16kB, 2048x8bit) I2C EEPROM<ref>https://pdf1.alldatasheet.com/datasheet-pdf/view/57364/CATALYST/24WC16.html</ref>
**Note: I have a second unit now and this one has a chip marked '''L16 5M52W'''. Reads out the same way apparently...
*'''FSK Decoder IC:''' NPC SM8212B POCSAG decoder for multiframe pagers<ref>https://www.semiee.com/file/EOL2/NPC-SM8212BM.pdf</ref>
==Disassembly==
# Remove battery cover.# Unscrew 2x phillips screws, located in left side recess and near the top of the positive battery contact.# Using a spudger, insert the tip into the edge of the back case where the positive battery contact is located.# Pry upward with a bit of a clockwise twisting motion. The right half of the pager should begin to unsnap.# Work your way around the right side, making sure it is completely free.# Move over to the left hand side and insert your spudger at the edge of the case seam near the negative battery terminal. Repeat the same prying action.# Work around the left hand side to ensure it is completely free.# Now that the pager case is unsnapped, hinge the back half upward along the top and pull the back half off of the rest of the pager. '''<u>Do note that the first time you disassemble your pager, you will have to use a concerning amount of force to separate the halves.</u>''' '''This is due to sticky foam pads holding the receiver board to the back case. You may remove these when you fully open the unit and it will function fine, however you are probably opening yourself up to the RX board possibly becoming unplugged should you drop the pager at all. Use your own descretion here.'''
<gallery>
File:Screw_locations_pagerScrew locations pager.jpg|thumb|Screw locationsFile:Insert_spudger_right_side_pagerInsert spudger right side pager.jpg|thumb|Spudger inbetween case halvesFile:Right_side_unsnapped_pagerRight side unsnapped pager.jpg|thumb|Right side unsnappedFile:Left_side_spudger_insert_pagerLeft side spudger insert pager.jpg|thumb|Spudger under left sideFile:Completely_free_back_pagerCompletely free back pager.jpg|thumb|Left side unsnapped and back half free. Hinge upward as shown.File:Back_cover_laying_flat_pagerSticky pads.jpg|thumbThe aforementioned sticky pads that hold the RX board in place.File:Back laid flat pager.jpg|Rear cover laying flat
</gallery>
<br />
==Reassembly==
*First thing's first, wipe down the LCD and inside of the clear window with a soft cloth to remove any fingerprints or debris before reassembly. Last thing you want to see is a speck of something on the inside of your screen after you just reassembled the whole thing!
# Insert the top edge of the rear half of the pager into the front.# Hinge the rear half downwards in the same way as disassembly.# Make sure the halves are aligned and press down on each side until they snap back together. The side near the negative battery terminal and power button may take some more force to snap shut than the positive side. It helps to push inward towards the positive terminal.# Screw in the 2x phillips screws from the recess and near the positive battery terminal.# Replace battery cover.
<gallery>
File:Align_top_tabs_pagerAlign top tabs pager.jpg|thumb|Re-inserting the top half tabsFile:Top_edge_flush_reassembly_pagerTop edge flush reassembly pager.jpg|thumb|Fully inserted tabs aligned and ready to hinge downFile:Not_fully_snapped_left_pagerNot fully snapped left pager.jpg|thumb|Incorrect/not snapped in negative sideFile:Correctly_snapped_left_pagerCorrectly snapped left pager.jpg|thumb|Correct/snapped in negative side
</gallery>
<br />
==Software & Programming==
The initial start-up password for the software is '''AC5678''' <ref>https://www.apollopagers.com/support/</ref>. Not necessarily related to programming per se, but holding down the triangular power/function button on startup will initiate a lamp/motor/RAM test mode. You can step through the various tests with the buttons, but the battery will need to be pulled to reset it. ===Hand Programming=== ====Password Menu==== Hold down the center oval shaped button and insert the battery. Keep holding it until this screen appears. Should take approximately 6 seconds. Hoping for the best, press the triangular power/function button. If the password is set to the default (0000) then you should see the frequency screen appear. If not, then your password is incorrect. Head on down to section 9, [https://wiki.recessim.com/view/Apollo_AL-A26_(Pager)#Bypassing_the_hand_programming_password Bypassing the hand programming password.] ====Frequency Menu==== Use the up/down/left/right buttons to enter your desired RX frequency here. Do keep in mind the common caveat of these being set to 25kHz channel spacing, so select your frequency accordingly. If an invalid frequency is entered (for example, the default DAPNET frequency of 439.9875) while the pager is in 25kHz spacing mode, it will not accept the frequency change and will beep once and reboot to the normal pager interface. ====RIC/CAPCODE Menus==== The next menu items after frequency are the RIC/CAPCODE settings. These can be enabled and disabled while retaining their values and function bits. More on the function bits below. =====Function Bits===== Still a WIP to make these fully understandable. More to come. <pre>The AAAA 4 position means different Function bit Features, A = Alpha Numeric I = IDEO N = Standard Numeric P = PRC Numeric - = Off T= Tone Only</pre> ====Baud==== Options are 512, 1200, and 2400 for the POCSAG version. Make sure it is set to 1200 for DAPNET use. ====Contrast==== Set the overall LCD contrast here. Seems to default to 4 and that should be good for most cases. ====Modify Password==== Here you can enter a new passcode for the pager which will take effect on next reboot. Be sure to remember this value if you change it from 0000 as it will be needed to access the programming interface again! ====Pass!==== Assuming everything you entered is valid and to the pager's liking, you should finish with this screen after hitting the triangular power/function button. The pager will now reboot to the main interface and your settings will be active. <gallery>File:Pass word prompt.jpg|Passcode promptFile:Frequency menu.jpg|Frequency settingFile:Capcode menu.jpg|RIC/CAPCODE settingFile:Baud menu.jpg|Baudrate settingFile:Contrast menu.jpg|Contrast settingFile:Modify password menu.jpg|Modify password settingFile:Pass screen.jpg|Pass! screen</gallery> ==Physical Interfaces==
===Programming Interface - Pager===
Peel back the lefthand sticker to reveal three holes that expose three gold pads on the RF reciever receiver PCB. These pads directly connect to the EEPROM SCL and SDA lines as well as common ground in that order from left to right.
[[File:Programming_interface_pinout_pager.jogpng|thumb|Pinout of the back programming interface]]
===Programming Interface - Programmer===
According to the manual for the programming software made by the manufacturer, the passcode is only used to lock out hand programming of the pager. This in theory means that if one has access to a pager, interface, and the software, it may be freely reprogrammed without needing anything other than the software password.
===Direct EEPROM readout?===The main EEPROM, a CAT24WC16, which is located on the top right of the board contains configuration information as well as . It may or may not contain the hand programming passcode, this is still unknown at this time. This chip is a standard I2C EEPROM which can easily be read and written with several different tools. The passcode is not encrypted or obscured in any context. The passcode is 4 bytes long and begins at hex address '''0x37C.''' The bytes are directly written to memory, so for example if the passcode set is '''1234''', the bytes read in order will read as '''0x01, 0x02, 0x03, 0x04.'''
<br />
=====EEPROM Dumping=====
The 24WC16J EEPROM is a standard I2C memory device. As such, it's contents can easily be read out using any I2C capable debug device or microcontroller such as the Bus Pirate or Arduino respectively. A CH341A programmer has also been used successfully to dump the contents.
===Software===
*'''csins.dat:''' The same exact installer of the program (setup.exe) but renamed with a .dat file extension (For uninstallation purposes?). File hashes match.
*'''default.tbl:''' The default pager configuration settings which are loaded at startup
**<u>You can find the hand programming passcode in this file. The passcode is not encrypted or obscured in any context. The passcode is 4 bytes long and begins at hex address '''0x37C.''' The bytes are directly written to memory, so for example if the passcode set is '''1234''', the bytes read in order will read as '''0x01, 0x02, 0x03, 0x04.'''</u>
*'''inpout32.dll:''' Standard Windows driver for hardware access to serial ports
*'''pager.dat:''' Unknown purpose. Apparently contains the software password AC5678 somewhere within. When removed or renamed and attempting to enter the password to unlock the software, it reports "No password table!Program will be end!". Same file hash as the pager.dat included with setup.exe.
*'''PL2303_Prolific_DriverInstaller_10311.exe:''' Self explanitory. Appears to be a normal installer. Unknown if modified in any way, most likely not.
*'''Uninstall.exe:''' Also self explanitory. Seems to be a standard Windows uninstaller.
====Software Startup====
Upon startup and entry of the software password, the program looks for a PL2303 Prolific based serial device attached to the computer. If found, the COM port is set in a registry key located in '''HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM,''' though it seems to want it on COM1?
The software then outputs the following on the serial port (9600 8N1) before giving the "The Programmed Board not responding!" error:
<pre>GoldApollo5R </pre>
Which is the following in raw serial bytes
<pre>47 6f 6c 64 41 70 6f 6c 6c 6f 35 52 03 00 00 00 00 8a</pre>
I have tried replaying the same byte sequence in response, as well as sending just "Apollo" with no luck. My assumption is there must be some reply word sent by the programmer itself, similar to the [http://n3ujj.com/TripMate_Self_Start_Modification.html DeLorme TripMate GPS which needs the word "ASTRAL" sent on it's RX pin to enable the GPS.]
==Caveats==
*Channel spacing seems to commonly be set to 25 kHz, making the common DAPNET frequency of 439.9875 MHz<ref>https://hampager.de/dokuwiki/doku.php?id=dapnetfrq</ref> unable to be set without an error message. The pager can be set to use 12.5 kHz channel spacing, but requires the programming software to accomplish. The easiest solution without software access is to choose a different frequency while minding the amateur satellite band (435 - 438 MHz)<ref>https://www.iaru-r1.org/wiki/Amateur_satellites#:~:text=2%20meter%20band-,70%20cm%20band,maximum%20bandwidth%20is%20100%20kHzUHF</ref>*Currently, we do not know how to reset the hand programming password without a programmer. The passcode is clearly visible in the .tbl files, but not in any EEPROM dumps done thus far.
<br />
<references />
