First.. plaintext pager passwords can only contain A->Z, 0->9 and " "
(space) for characters. The plaintext passwords are always encoded as
10 characters even if there are less than 10 characters in the
plaintext password. Basically there is some sort of lookup table
contained in the PPS (pager programming software) which either encodes
or decodes the password. The lookup table is included further down in
this posting. Conveniently, when a pager's programming is read using
the PPS, all the passwords come out (assuming you know the pager's
download password if it has one) in the encoded form. You can either
sniff the passwords out of the programming read as it's happening or
you can save the freshly read pager configuration to a file and then
import it into a hex editor as a Motorola S19 file. A favorite
program of mine for hex editing, which will import Motorola S19 files,
is called "Hex Workshop". Finding the passwords is easy. If you are
using Hex Workshop, you simply "import" the saved file (codeplug) and
search for a string of letters and numbers. You will see them looking
something like this "NEJF1K54H5" or something like "OJ Y2VPSQV" (note
the space in the second example). The two encoded passwords listed
above decode to "ADVELITERF" and "N500OTAPAS". Passwords are located
in different places for different pager models but in the Advisor
Golds and Elites the OTA and Download passwords are stored near the
top of the file with the Secure password stored towards the lower
middle of the file. Beware of the first three characters in the
string because they are not related. The best thing to do is find the
end of the first string of A->Z and 0->9 characters and count
backwards by 20. Grab the next 10 characters forward and decode them..
this is the OTA password. Grab the next 10 characters and decode
them.. this is the Download password. Further down standing out like
a sore thumb is the Secure password. Decode it and you'll have it.
It'd be nice if you post what you find. Passwords have their place
but many people are legitimately trying to gain access to pagers which
they own and don't have the passwords. By the way, even if there is
no download password set, the last known download password is still
encoded. It's a matter of a bit set in the pager to tell it to use
the password or not. I'm sure there's a lot that I'm not explaining
properly, and I'm kind of in a hurry so feel free to email me with
questions at "jackr...@yahoo.com". I can also decode passwords for
you if you have the stored codeplug file and can send it to me.

Now for the decoding table.. How to use it is this.. there will be 11
columns. The first column is the decoded letter or number of the
particular encoded character you are trying to find. The next 10
columns are the encoded characters that you must search and match
depending on what position in the encoded password you are trying to
find. An example is included below for clarity.

D   0   1   2   3   4   5   6   7   8   9
A   N   1   O   B   6   C   P   2   Q   D
B   6   C   P   2   Q   D   7   E   R   3
C   P   2   Q   D   7   E   R   3   S   F
D   7   E   R   3   S   F   8   G   T   4
E   R   3   S   F   8   G   T   4   U   H
F   8   G   T   4   U   H   9   I   V   5
G   T   4   U   H   9   I   V   5   W   J
H   9   I   V   5   W   J   0   K   X   " "
I   V   5   W   J   0   K   X   " " Y   L
J   0   K   X   " " Y   L   Z   M   A   N
K   X   " " Y   L   Z   M   A   N   1   O
L   Z   M   A   N   1   O   B   6   C   P
M   A   N   1   O   B   6   C   P   2   Q
N   1   O   B   6   C   P   2   Q   D   7
O   B   6   C   P   2   Q   D   7   E   R
P   2   Q   D   7   E   R   3   S   F   8
Q   D   7   E   R   3   S   F   8   G   T
R   3   S   F   8   G   T   4   U   H   9
S   F   8   G   T   4   U   H   9   I   V
T   4   U   H   9   I   V   5   W   J   0
U   H   9   I   V   5   W   J   0   K   X
V   5   W   J   0   K   X   " " Y   L   Z
W   J   0   K   X   " " Y   L   Z   M   A
X   " " Y   L   Z   M   A   N   1   O   B
Y   L   Z   M   A   N   1   O   B   6   C
Z   M   A   N   1   O   B   6   C   P   2
0   K   X   " " Y   L   Z   M   A   N   1
1   O   B   6   C   P   2   Q   D   7   E
2   Q   D   7   E   R   3   S   F   8   G
3   S   F   8   G   T   4   U   H   9   I
4   U   H   9   I   V   5   W   J   0   K
5   W   J   0   K   X   " " Y   L   Z   M
6   C   P   2   Q   D   7   E   R   3   S
7   E   R   3   S   F   8   G   T   4   U
8   G   T   4   U   H   9   I   V   5   W
9   I   V   5   W   J   0   K   X   " " Y
" " Y   L   Z   M   A   N   1   O   B   6

Let's say for example we have "4IS28U5OB6". The first character in the
string is a "4", so search down the "0" column until you find "4"
and look at the D column for that row. It comes out to be a "T" so
your first decoded character is a "T". Next is "I".. search the "1"
column for "I" which decodes to a "H". Next is "S", search "2" column
to find "E". Search "3" column for "2" to find "B".. search "4"
column for "8" to find "E".. and so on and so on. The decoded string
comes out to "THEBEST " which is a very common PageNet password.
Any trailing spaces get dropped so the final password is "THEBEST".

It also turns out that the PPS software stores its service center
passwords the same way. It takes a bit of searching through the PPS
executable files which support service center but it's the exact same
thing. They usually stand out like a sore thumb.
I hope this helps some people figure out what the passwords are that
they need. Also be careful of "O" (Oh) and "0" (zero) as they look
very similar.
Enjoy!
Jack
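
The table lookup described in the post above, written out as a short Python script (an added example, not part of the original post or of the PPS). It assumes the blank cells in the posted table are the space character, and it relies on an observation checked against every row of that table: each row is ten consecutive characters of one fixed 37-character ring, so the stored form involves no key and is obfuscation rather than encryption. The names RING, COLUMN0, table_row, encode and decode belong to this example only.

```python
# Added example, not code from the post. RING and COLUMN0 are transcribed
# from the posted table; the blank cells there are taken to be spaces.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "
# Every row of the table is ten consecutive characters of this 37-char ring.
RING = "N1OB6CP2QD7ER3SF8GT4UH9IV5WJ0KX YLZMA"
# Column "0" of the table, one entry per ALPHABET character (row order).
COLUMN0 = "N6P7R8T9V0XZA1B2D3F4H5J LMKOQSUWCEGIY"
LENGTH = 10  # stored passwords are always 10 characters


def table_row(plain_char):
    """Rebuild the ten encoded cells of one table row."""
    start = RING.index(COLUMN0[ALPHABET.index(plain_char)])
    return "".join(RING[(start + pos) % len(RING)] for pos in range(LENGTH))


def encode(password):
    """Pad with spaces to 10 characters and apply the per-position lookup."""
    padded = password.upper().ljust(LENGTH)
    if len(padded) != LENGTH or any(c not in ALPHABET for c in padded):
        raise ValueError("password must be at most 10 of A-Z, 0-9, space")
    return "".join(table_row(c)[pos] for pos, c in enumerate(padded))


def decode(stored):
    """Invert the lookup: walk back `pos` steps on the ring to column 0."""
    if len(stored) != LENGTH or any(c not in RING for c in stored):
        raise ValueError("stored form must be 10 of A-Z, 0-9, space")
    plain = []
    for pos, c in enumerate(stored):
        col0 = RING[(RING.index(c) - pos) % len(RING)]
        plain.append(ALPHABET[COLUMN0.index(col0)])
    return "".join(plain).rstrip(" ")  # trailing pad spaces are dropped


if __name__ == "__main__":
    # The worked example from the post.
    print(decode("4IS28U5OB6"))
    print(encode("THEBEST"))
```
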

This system will only work if you know the pager password?
I tried a Motorola Express Xtra from our store stock, I already know the
password, just to try if I can find it in Hex Workshop.
Example One
1. I read the Pager
2. typed in pager password
3. saved the file
4. Hex Workshop I went to file, Import, the saved file
5. look at the right side of hex and found the password
Example Two without password:
1. I read the Pager
2. asked for password? I Cancel
3. saved the file
4. Hex Workshop I went to file, Import, the saved file
5. look at the right side of hex and could not find the password?
This will only work if you know the pager password? or am
I missing a step?
Thanks
How can I sniff the password out?

In example two, you didn't actually read the pager. The pager won't
allow a read till you enter the right password. That's where this
system falls short. Knowing how to decode the passwords only helps
if you can read the pager or have a codeplug of that pager stored to
disk.
Jack
P.S. sorry I haven't been around. Work got busy again.