Motorola Talkabout two-way pager - is it possible to run it?

[DVE]

Hi all,

I bought this thing on eBay - Motorola Talkabout T900:





And I became curious if is it possible to test it

According to the seller, it was working in the US Skytel network.

After a short search in Google, I got this:
- The pager is using the ReFLEX 2.6 protocol and is using two different frequencies, 896-909MHz to transmit and 929-942MHz to receive, but the exact frequencies are not known.
- ReFLEX protocol should be compatible with a standard FLEX, at least for downlink, so in theory, it should be possible at least to send a message to the pager. But the capcode and frequency are unknown. Can 021757751 be a capcode? It looks too long, but maybe FLEX capcodes can be longer than POCSAG capcodes?
- Uplink can be more tricky. I was not able to find a full ReFLEX protocol description, but what I see, is that FLEX is a protocol that relies on strict time synchronization, it looks the pager should get downlink frames first and be in sync. Using the menu it is possible to create a message and try to send it, but I getting the error "transmit failed", and according to my SDR, no signal is actually transmitting at all - the pager is waiting for something.

Questions:
- Is two-way paging active somewhere? If yes, it would be nice to have IQ recordings (but I think I'm a bit late
- Maybe somebody knows/remembers the US Skytel paging frequencies
- Any ideas about capcodes in FLEX/ReFLEX protocol? I was able to find this Wayback Machine but it's only a whitepaper for managers and sales guys, mostly no technical details inside.
- Open-source software. I was not able to find any ReFLEX encoders, but FLEX encoders are available for GNU Radio, so maybe it is possible to send a message to the pager, and after some incoming frames pager can be synced and even it will try to transmit as well, but the chance looks low.

Any other advice is appreciated.

 

[chill30240]

OMG!! SouthernBell used to market these back in 2002. My wife got 5 of them. Nifty little communication devices.

 

[DVE]

Yes, it's an old thing I was able to run the Motorola Advisor pager from 1993 and send messages to it using POCSAG protocol (a link if you are interested in technical details), but this two-way paging looks more complicated.

 

[kv5e]

ReFLEX protocol is considerably different from FLEX. The capcode is valid as embossed on the device unless it has been reprogrammed.

ReFLEX is more like trunking than paging. There is a scan list to find the forward channel and then the device has to find a matching SPID (Service Provider Identifier) being transmitted in the control BIW (Block Information Words). Once it has a matching SPID then it affiliates with the system by transmitting a registration request on the reverse channel to the network receivers. The system then transmits a registration grant if there is a home record for the device that permits operation.

ReFLEX at 4 FSK is +- 2400 and +- 800 on the deviation so it is half the deviation of FLEX.

940 MHz channels for the forward channel and 901 MHz for the reverse channel for a ReFLEX system in the US. I don't remember any operational ReFLEX carriers in Europe, although Advantra in Belgium made telemetry subscriber devices at one time.

 

[DVE]

Thanks. I was going to test the FLEX encoder chris007de/flex but it looks, they are not compatible at all.

 

[firebuff17]

Ahhhh the good old days. I remember those. That was my first piece of electronics. Then it was followed by the Motorola startac flip phone!!

 

[kv5e]

Type in SLAYER on the keyboard and see what happens

 

[footage]

posted in error, can't delete, apologies.

 

[DVE]

There is a scan list to find the forward channel and then the device has to find a matching SPID (Service Provider Identifier) being transmitted in the control BIW (Block Information Words). Once it has a matching SPID then it affiliates with the system by transmitting a registration request on the reverse channel to the network receivers.

Is it possible to find the protocol description? I will be curious to send packets using the USRP transmitter and to get a response.

Type in SLAYER on the keyboard and see what happens

It is interesting
I see the "Software version", and what the "Self Test Mode" means?

 

[rescue161]

I still have the pps and the programming cradle for these. I had no idea they were still a thing.

 

[RFI-EMI-GUY]

Theree may be some 3rd party encoder/decoder out there. You might check out Brad Dye's newsletter to see if any products advertised are compatible with ReFlex. Also post any inquiries there if you wish. It is an informal place.

Brad Dye's Paging Information Resource

 

[Firebuff880]

Talk with Spok, last I knew they still supported T900s on their system..

Frequently Asked Questions | Resources | Spok Look under "Two-Way Messaging Device User Guides".

 

[kv5e]

T900 that old probably has its internal TX battery deleted with no overcharge region. T900 has a 50 mAH NiCd internal TX battery that provided the current reservoir for the reverse channel transmissions. That battery would likely need replacing if it was put into service on a commercial network. Later subscriber devices had either a primary Li battery for the transmitter or larger NiMH/supercaps. I don't think that /\/\ has released the ReFLEX 25 protocol into the public domain yet.

It is a very complex protocol for the connection-less model of ReFLEX signalling. The distributed computational model of ReFLEX 25 that went into production utilizes WMTP for the Message Switch Output to Message Switch Home and this had Remote Operation Service Elements which later became RPC in more wider applications. Glenayre authored WMTP and I don't think it is in the public domain either.

 

[DVE]

Many protocols were decoded by enthusiasts, like Iridium or Inmarsat, ReFLEX does not have encryption so it should be doable. But if the operators stopped their service 20 years ago, it is hard to get the signals samples anyway

If the device has lost all settings because of the internal battery, it can also be a problem, true. It looks, running this pager again is too complicated for a hobby-level.

 

[kv5e]

No, settings are kept in flash, only the transmitter operation needs the small rechargeable custom battery. Air interface can be encrypted as the APDU may be encapsulated within any symmetric key cipher if a company desires. The T900 did not support this, but newer devices do. Encryption and OTAR are laid out in FLEXSuite. Encryption can utilize modern Suite B types, not just trivial RC4.

TC-2000A

This is a test device that will transmit/receive ReFLEX and FLEX. This is nearest you can come to sending/receiving messages with a T900 without a lot of custom coding/hardware that would take a lot of time.

For a hint, ReFLEX forward channel is transmitted in frames/cycles just like FLEX, but it can only be transmitted in 2n frames, 2,4,8,16, or 32 a minute. Address vectors and message vectors are present, but there are no multiple phases like FLEX in the higher symbol rates. BIWs have to present that advertise the system, collapse/cluster values for both forward and reverse channels, SPID, aloha boundary and randomization of the reverse cluster transmission scheduling, reverse channel frequency/symbol rate,and many more values. Everything is scheduled except for Aloha reverse channel transmissions. ReFLEX 2.7 provides for roaming and foreground/background scanning much like trunking systems. Devices have a fairly complex behavior for the registration state since this is a connection-less model.

 

[DVE]

My T900 model has a standard AA battery slot, it's not rechargeable. Or is there another lithium battery inside?

As I read from the old talkgroups, Skytel T900 was using the v2.6 ReFLEX50 mode, and was not compatible with other operators, people were complaining about that in 2001 Maybe it was configurable via the pps.

Freeware PDW can decode standard FLEX, and as I've read, can decode some ReFLEX frames, but I have no signals to test anyway. Buying a signal generator for 1100$ is too much to test the old pager (I bought it for 30$), but thanks for help.

 

[kv5e]

The small internal battery is for the transmitter, it gets charged by the AA. If you open it up you will see it.

Have fun...whatever you do! Craig

 

[RFI-EMI-GUY]

Maybe the keyboard and display comms could be hacked and an ISM chip 433 MHz added for short range comms?

 

[DVE]

Reddit user wrote me that this company is still making a two-way paging service: 2way pager, 2 way pager & two-way paging service

I am still thinking, it's just an old and abandoned link. Can somebody in the US check with SDR for a sort of these signals on 929-942MHz band: ReFLEX - Signal Identification Wiki

 

[Polymathic]

I have had both 1-way and 2-way service through MySecretary for years now. They're very helpful and their prices are better than some of the alternatives, in my opinion.

I have tried to talk to American Messaging, the apparent successor to SkyTel, with little success, about activations of some legacy gear. Their prices are also quite high compared to Spok, the successor to Arch Wireless/USA Mobility/<a bunch of other companies they acquired>.