Restaurant Pager Replay

You've probably seen these devices. The pager is a small plastic box that the hostess hands to you when she takes your name. You are then free to roam about within the immediate vicinity of the restaurant. Eventually, the pager lights up or vibrates, signaling that your table is ready. You take the pager back to the hostess and are led to your table.

You can reverse engineer and activate any of these pager systems using a Nuand bladeRF SDR. This video will show you how.

Software Defined Radio
(Please email:  for any questions or comments)

If you are interested in exploring the world of RF communications, SDR is a very inexpensive way to experience it.

You will need:

  1. An SDR receiver: RTL-SDR
  2. Computer: Raspberry Pi

Set up:

  1. Purchase a Raspberry Pi
  2. Purchase an RTL-SDR
  3. Set up the Raspberry Pi
  4. Install RTL_SDR software
  5. Install SDR Gqrx software

Helpful Links:

  1. wiki
  2. rtl-sdr

Quick Summary:

  1. sudo apt-get update
  2. sudo apt-get upgrade -y
  3. sudo apt-get install xrdp
  4. Go to Preferences > Interfaces and enable ssl and vnc (and give name)
  5. Install RTL_SDR and Gqrx


Pager Decoding:

  1. Info on how to use your SDR to decode pager signals is available here
  2. I created a script to easily decode a pager signal given a specific POCSAG frequency
  3. Adding this line to your crontab (crontab -e) will start the script every hour
    1. 0 * * * * /home/pi/ 123.456 &

If you want to send the data to another machine using TCP (i.e. listening on port 10001):

  1. echo 'got it' > /dev/tcp/
  2. rtl_fm -f 123.45M -s 22050 -g 20 | multimon-ng -t raw -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -a FLEX /dev/stdin > /dev/tcp/

(you can set up NiFi to receive the TCP data using ListenTCP processor) 

(be sure port is set to 10001)

To open up port 10001 via the firewall on

  1. firewall-cmd --permanent --add-port=10001/tcp
  2. firewall-cmd --reload
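
As an alternative to the NiFi ListenTCP receiver, the following Python listener accepts the decoder stream on port 10001 and turns each POCSAG line into a structured record. It is an added example, not the author's script; the line layout it parses is an assumption based on multimon-ng's usual POCSAG output, the control-character tags are assumed, and the sample lines are constructed.

```python
import re
import socketserver

# Assumed multimon-ng POCSAG line layout (not taken from the page), e.g.
#   POCSAG1200: Address: 1234567  Function: 0  Alpha:   some text<NUL>
LINE_RE = re.compile(
    r"^POCSAG(?P<baud>512|1200|2400): Address:\s*(?P<address>\d+)\s+"
    r"Function:\s*(?P<function>[0-3])"
    r"(?:\s+(?P<kind>Alpha|Numeric|Skyper):\s*(?P<text>.*))?\s*$"
)
CTRL_TAG = re.compile(r"<(?:NUL|EOT|ETX|CR|LF)>")  # assumed control-char tags

# Constructed sample lines, not captured traffic.
SAMPLE = [
    "POCSAG1200: Address: 1234567  Function: 0  Alpha:   Table 12 ready<NUL>",
    "POCSAG512: Address:    4242  Function: 3  Numeric: 555-0100",
    "POCSAG2400: Address:  100200  Function: 2",
    "FLEX: constructed line in a format this parser skips",
]

def parse_line(line):
    """Return a dict for one POCSAG line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    text = CTRL_TAG.sub("", m.group("text") or "").strip()
    return {
        "baud": int(m.group("baud")),
        "address": int(m.group("address")),
        "function": int(m.group("function")),
        "kind": (m.group("kind") or "tone").lower(),  # no payload: tone-only page
        "text": text,
    }

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        # One decoder line per TCP line; non-ASCII bytes are replaced, not fatal.
        for raw in self.rfile:
            rec = parse_line(raw.decode("ascii", errors="replace"))
            if rec:
                print(rec)

if __name__ == "__main__":
    # Port 10001 is the one used above; the bind address is a choice made here.
    with socketserver.TCPServer(("0.0.0.0", 10001), Handler) as srv:
        srv.serve_forever()
```

Start it on the receiving machine before launching the rtl_fm pipeline on the Pi.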

To use GQRX:

  1. Open GQRX and tune to the POCSAG freq (narrow FM)
  2. Click the UDP button on GQRX GUI
  3. Copy and paste this on the command line:

nc -l -u 7355 | sox -r 48000 -t raw -b 16 -c 1 -e signed-integer /dev/stdin -r 22050 -t raw -b 16 -c 1 -e signed-integer - | multimon-ng -t raw -c -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -a FLEX -a SCOPE -f alpha /dev/stdin

Audacity audio tool

Installing Audacity (audio analyzer) on Pi:

  1. Info on how to install Audacity on your Raspberry Pi is available here
  2. You can analyze Wireless Remotes
  3. You can analyze FSK signals

Wireless Doorbell Replay Attack

You can reverse engineer and control any wireless doorbell using a Nuand bladeRF SDR.
