Open in app

Sign in

Write

Sign in

Investigation of the Exploding Pager Devices Incident in Lebanon: Hardware Analysis and Operational Review of the Motorola Advisor Pager / Teletrim / LX2

Alican Kiraz
13 min readSep 24, 2024

Firstly, based on the information I gathered following my initial research after hearing about the incident, I will present the following article, which I wrote within 12 hours, and translated into English as the first step.

Explosion and Combustion

Firstly, lithium-ion batteries used in today’s portable personal devices always attract people’s attention. Videos of sudden explosions or devices catching fire often lead to paranoia. Before diving into this topic, we should first understand the following: What is the difference between an explosion and combustion?

Source : https://www.nenvitech.com/news/the-fire-triangle-vs-the-explosion-pentagon/

An explosion is a sudden and rapid release of energy, which typically manifests as high pressure and temperature, and the resulting damage occurs in this manner.

Combustion, or catching fire, on the other hand, is the process where a substance reacts with oxygen, releasing heat and light. It generally provides a slower and more controlled energy release. While it produces heat and light, it does not cause a sudden increase in pressure or generate shockwaves.

Lithium-ion Batteries

Now, let’s refocus on lithium-ion batteries. Lithium-ion batteries are widely used due to their high energy density and long lifespan. However, under certain conditions, they carry the risk of combustion or, in very rare cases, explosion. This typically results from a process commonly known as thermal runaway.

Thermal runaway occurs when the internal temperature of the battery rises uncontrollably and enters a self-sustaining cycle. Initially, an internal or external factor increases the battery’s temperature. The high temperature triggers exothermic chemical reactions within the battery. The heat generated by these reactions further raises the temperature, leading to even more reactions. This cycle continues, potentially causing the battery to catch fire or explode.

Another issue arises during overcharging and discharging. Charging the battery beyond its nominal voltage can cause the electrolyte to degrade and produce gas. The gas creates pressure, leading to the battery swelling and potentially causing a minor explosion.

In the incident we are examining, however, there’s an interesting twist: These devices run on AA 1.5V or AAA batteries!

Motorola Advisor Pager & Motorola Teletrim & LX2

Motorola Teletrim is actually a numeric pager that was widely used in the 1990s. This device allowed users to receive short text or numeric messages. In a time when cell phones were not yet widespread, pagers were an essential communication tool. They are still used in some third-world countries today.

Source: Motorola Manual

Let’s take a look at the device’s features:

  • Dimensions: Approximately 7 cm x 5 cm x 1.5 cm.
  • Weight: Around 80 grams, including the battery.
  • Battery Type: Single AAA alkaline battery.
  • Display Type: LCD screen.
  • Character Capacity: Can display approximately 12 digits in a single line.
  • Backlight: Available in some models.
  • Vibration Alert: For use in quiet environments.
  • Audio Alert: Options for different tones and sound levels.
  • Versatile Models: Available in VHF or 900 MHz FLEX; VHF wideband and narrowband, UHF wideband or narrowband, and 900 MHz POCSAG models.

Now things are starting to become clearer in our minds; how does a device with no explosive components other than an AAA or 1.5V AA alkaline battery explode?

Plastic Explosives

Plastic explosives are moldable and flexible explosives obtained by mixing high explosives with plasticizers. Due to these properties, they can be used in various shapes and on different surfaces. They have even been used in many assassination attempts, sometimes hidden inside a radio or even a toy bear.

Plastic explosives have a dough-like structure to ensure easy transportation and high operational applicability. Additionally, they do not explode when exposed to fire!

As the primary explosive material, powerful explosives like RDX (Cyclotrimethylenetrinitramine) or PETN (Pentaerythritol tetranitrate) are typically used. Oils, waxes, or synthetic polymers are mixed to give the explosive powder a flexible and plastic form. These are known as plasticizers and binders. Under normal conditions, plastic explosives are quite stable. They are relatively insensitive to impact, friction, or fire. This makes them extremely safe for transportation and storage. A detonator or blasting cap is used to initiate the explosion. Let’s pause here!

Mobile phones, smart devices, smart watches, normal alarm clocks have always used disruptors as triggers. In this case, the most powerful part of the pager was used… The vibration and sound module!

The vibration modules found in pagers generally operate between 3.0–5.3V. Additionally, it is known that electric C4 detonators require 0.5A to function. A type of current regulator and electric blasting cap modification made in the devices could potentially trigger this explosion!

Getting to Know MOSSAD and Unit 8200

On the other hand, as we learned from the case of stolen certificates used in the Stuxnet incident, Unit 8200 often leverages Mossad’s capabilities in many situations.

We can recall the situation regarding the stolen digital certificates in Stuxnet from the following section of my previous article;

Given the secure nature of these environments, the likelihood of such a breach occurring is quite small. The second clue is that the two companies whose certificates were stolen, Realtek and JMicron, were located in the same building within the Hsinchu Science and Industrial Park. This coincidence suggests the possibility of a physical operation. Considering physical operations, Israel’s MOSSAD, known for its expertise in such missions, is a likely suspect behind this operation.

Therefore, in the current scenario, we can also conclude that the devices might have been modified along the supply chain and had explosives placed inside.

Evidence

As seen in the explosion videos, there are no flames. There’s only a significant gas release and a forceful impact. In the first video, the impact is so strong that the person falls to the ground, and the papers from their bag are propelled almost 1.5 meters forward.

Source: News

The second image gives us the main clue. In the first video above, we see that the explosion occurs inside the bag, as the other papers and items inside are scattered around. Therefore, we cannot tell if it exploded on its own. However, in the second video below, we see the person looking at the device. This indicates that the explosive material placed in the device detonates after receiving a call.

Simultaneous and collective explosions suggest that a common message triggers these explosions. Therefore, we currently have the following conclusions:

  • The devices cannot explode without external intervention, as they operate only with a single AA 1.5V or AAA battery. There are no other explosive or flammable substances inside without intervention. This means that explosive material was placed inside the devices, or if the batteries were supplied with the product, the explosive could have been embedded in the battery itself!
  • The device was modified to explode with a specific message. Most likely, the vibration or sound modules were tampered with, and an explosive material placed inside was detonated via an additional electronic trigger.

I hope this has cleared up any questions you may have had. It’s important to remember that we must not lose our interdisciplinary approach. Not everything in electronic devices is purely hardware, nor is it solely software. We should avoid falling into tunnel vision.

I have completed the preparations to examine the Motorola Advisor Pager model and am starting the analysis. I have also obtained secure versions of the Motorola LX2 and Motorola Teletrim, which I am confident have not been physically tampered with. Currently, the entire community is basing the assumption that all devices are the same on a single image of a back cover from a Gold Apollo device, which bears the manufacturer’s information. However, I still want to examine all four mentioned models. I will soon provide a detailed review of those as well.

As I mentioned in my previous post, I am almost certain that the devices exploded due to physical modification rather than a software issue under specific conditions. However, since there is no such thing as being 100% certain, I have taken comprehensive precautions. After conducting a physical inspection of these other devices, I have taken the following precautions to ensure safety during operational testing:

Possible Sub-GHz Heartbeat Signal Trigger

Source: https://www.linkedin.com/pulse/improvised-explosive-device-ied-endro?utm_source=share&utm_medium=member_ios&utm_campaign=share_via

The device we have operates in the VHF band, specifically within the 148–150 MHz range of Sub-GHz signals. Therefore, using a Yagi antenna and a modified Chinese-manufactured jammer, I will create a counter frequency to jam signals in the 100 MHz — 150 MHz range. To ensure the jammer is working properly, I will double-check by using a Flipper Zero with the MAYHEM module connected to the CC1020, monitoring the 27–300 MHz band.

Unexpected Hardware Conditions

For any potential temperature changes in the device, I will be conducting an examination using my highly professional thermal imaging equipment. This will allow me to detect even the slightest sudden heating or fluctuations. (For example, I captured an image of the MAYHEM module while it was operating.)

Source: https://www.tindie.com/products/eried/mayhem-v2-for-flipper-all-in-1-espcamsdnrfcc/

I must emphasize again that I believe these devices have been modified to include an explosive material and a triggering detonator mechanism. Therefore, the points that will draw my attention and that I will carefully focus on are:

  • Where the explosive has been added in the device; it is most likely placed between the motherboard and the screen, where it could create the greatest shrapnel effect during tests.
  • Where the triggering module could be connected; although detonators are analog, I suspect that an electronic circuit module with a microcontroller has been added to trigger the detonator at a specific call or time.
  • If any modifications were made to the device, how much effort this would require; I will examine how complex it is to open and close the device. Since thousands of devices are affected, I will check whether the device can be easily disassembled and reassembled.
Source: https://www.scribd.com/document/220414765/Mosfet-Short-1

Hardware Analysis and Operational Examination

First, I applied all the precautions mentioned above. Then, from the information on the back of the device, I saw that its frequency was 148.0375 MHz. I connected the CC1020 to the Flipper Zero and spent some time adjusting it to scan that frequency range. The CC1020 gave me some trouble, and it was a bit stressful to determine whether it was working or not. Even though I was fairly confident that it wouldn’t be a major issue, it still made me a bit anxious.

The battery compartment is designed to work with AAA batteries and leaves no gaps when the cover is closed. After that, I began to lift the side clips of the device, allowing me to separate the back section.

When the device came apart, the blue piece, which was upside down, startled me for a moment. However, when I flipped it over, I realized it was just a soft part meant to hold the screen in place. At that point, a few signals flashed in my mind!

Because there was actually a part in the device that, from an electronic standpoint, served no real purpose but took up quite a bit of space relative to the device. And it was positioned very close to making direct contact with the vibration motor of the device!

To give you a better sense of the size, I placed it next to a 1 TL coin for scale. Then, my attention went back to the vibration motor. I removed the vibration motor and examined it. I discovered that it was a Namiki brand motor and operated at 1.5V.

https://www.precisionmicrodrives.com/eccentric-rotating-mass-vibration-motors-erms

It immediately occurred to me that this motor has a design almost identical to the detonators used to ignite plastic explosives.

https://www.researchgate.net/figure/Schematic-of-a-hot-wire-detonator-with-typical-dimensions-and-materials-based-on-1_fig1_255995341
https://cat-uxo.com/explosive-hazards/ied/improvised-detonator-explosive

Although I was excited about this discovery, I decided to park the topic here for now. So, how much plastic explosive could actually fit inside the device? The interior of the device is surprisingly spacious! There is even room beneath the radio card and the motherboard!

When the curved structure on the back cover and the pressure cushion inside the device are removed, it becomes clear that about half a handful of explosive material could fit in. Still, I’m continuing the process and checking other parts. Upon investigation, I found that the radio card on top is a sensitive 4051 model radio card. I separated it from the motherboard for a more detailed examination.

My mind is still excitedly fixated on the vibration motor, and in my excitement, my hand trembled a bit, so I didn’t take a clear picture. But let me describe the details for you:

  • On the left side, there’s actually an antenna with a band around it. Inside, there’s a ferrite rod. Next to it are inductors and capacitors.
  • After some research, I discovered that the blue parts are IF crystals coated with a blue layer, used to ensure high-frequency signal performance.
  • I also learned that this IF crystal at the bottom operates at a frequency of 17.9 MHz.
  • The first crystal, however, is different, and I found that it adjusts the frequency by rotating variable inductor slugs.

Now, I’m starting to focus on the motherboard.

Seeing the traces of the vibration module on the motherboard got me excited again. The two golden contact slots on the chip in the lower-left corner can directly connect with the interaction springs on the outer back cover. This allows the device to be easily opened and closed without any soldering!

In other words, when these devices are taken from somewhere, there’s no need for a factory setup — just adding a trigger next to the vibration motor, or removing the motor and replacing it with a detonator, along with about 5 grams of plastic explosives inside, could easily be done even while standing!

On the motherboard, there is also a backlight inverter transformer, ceramic-packaged ICs, and an LCD controller.

And there’s another empty space at the front as well!
In fact, around 40% of the device’s interior is unused! This alone could make it a potential target for tampering after thorough research.

Lastly, during my motherboard inspection, I found a small backup battery located under a green rubber cover at the top of the board. This ensures that the clock and messages stored in RAM are preserved when the main battery runs out. They could have tampered with this as well, allowing the device to be detonated even without the main battery!

Now, let’s get back to the main point: the vibration motor…

The primer key detonates with 1.5V through direct contact with the internal circuit via a cable… Due to the dangerous nature of these steps, I’m censoring them… Since the primer key is not sold separately in Turkey and cannot be easily extracted from a bullet, I’ve provided these details. FYI.

I reassembled the device parts and then performed manual frequency transmission tests using the Flipper with PagerSOG. I discovered that the event was triggered by a sequence of consecutive messages sent in rapid succession.

Now, let’s look at how the event actually happened;”

First Output of My Analysis:

  • The device was opened, and an explosive material (most likely a plastic explosive resistant to impact, water, and harsh conditions) was added. Shrapnel fragments were then placed in the empty spaces next to the front keypad and between the circuit board gaps.
  • As a trigger, a pyrotechnic shock tube detonator, which doesn’t require electrical activation, was likely placed, utilizing the oscillating part in front of the vibration motor.
  • Subsequently, a large number of requests were sent to the broadcast frequency of the targeted pagers, effectively a form of brute force.
  • As a result, the moving part in front of the motor was made to oscillate excessively, causing the shock tube to interact and detonate the device.

Second Output of My Analysis:

  • The device was opened, and an explosive material (most likely a plastic explosive resistant to impact, water, and harsh conditions) was added. Shrapnel fragments were placed in the empty spaces next to the front keypad and between the circuit board gaps.
  • As a trigger, the vibration motor was removed and replaced with an electric shock tube, which was used to cause the explosion.

Closing:

First of all, I would like to thank you for your support, encouragement, and the messages requesting that I pay attention to certain details. I hope this will be helpful to those, like me, who are interested in electronics and cybersecurity. This analysis is entirely for academic purposes and does not directly or indirectly address any country, politics, or norms.

Kind regards…

Lebanon
Explosion
Pager
Forensics
Analysis

--

--

Alican Kiraz

Written by Alican Kiraz

848 Followers

Head of Cyber Defense Center | CSIE | CSAE | CCISO | CASP+ | OSCP | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+ and more...

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams