communication protocol for siemens
hello
To finish my project, what I need is the communication protocol to read the Idphone in the Siemens xxxx and the IMEI.
How can I proceed to write a *.map file into this phone (communication protocol)?
Any help will be appreciated.
thank you in advance!
Warlord711
07-24-2002, 22:07
It's sent with BFB commands, I guess!
There is a bfb95eg.dll, look at it!
BFB frames are
[ type ][ len ][ chk ][ payload ]
where chk is xor and types are
0x02 - single bytes used for connecting (and data reading?)
0x01 - crc'ed sequence to change interface (speed)
0x05 - unknown (send key-codes?)
0x06 - AT-Command
0x09 - unknown (return code from mobile?)
0x0E - unknown (return code from mobile?)
0x14 - EEPROM block manipulation
0x16 - crc'ed generic data (like OBEX)
payload is mostly
[ subtype ][ data... ][ chk ]
where chk is xor again.
Perhaps someone can fill in the gaps or point to some more info.
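An encoder and a validating decoder for the frame layout sketched in the post above, written as an added example (not code from the thread or from bfb95eg.dll). The thread does not say which bytes each xor covers, so this assumes the outer chk is type XOR len and the inner chk is the XOR of subtype and data; both are labelled assumptions in the code.

```python
# Added example, not from the original thread or from bfb95eg.dll.
# Frame layout as described in the post:
#   outer frame: [type][len][chk][payload]
#   payload:     [subtype][data...][chk]
# ASSUMPTIONS (the thread does not state what each xor covers):
#   - outer chk = type XOR len
#   - inner chk = XOR of subtype and all data bytes
#   - len counts the whole payload, including subtype and inner chk

BFB_TYPES = {  # types listed in the thread; descriptions are the poster's guesses
    0x01: "crc'ed sequence to change interface (speed)",
    0x02: "single bytes used for connecting",
    0x05: "unknown (send key-codes?)",
    0x06: "AT-Command",
    0x09: "unknown (return code from mobile?)",
    0x0E: "unknown (return code from mobile?)",
    0x14: "EEPROM block manipulation",
    0x16: "crc'ed generic data (like OBEX)",
}

def xor_check(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c

def build_frame(ftype: int, subtype: int, data: bytes) -> bytes:
    inner = bytes([subtype]) + data
    payload = inner + bytes([xor_check(inner)])
    if len(payload) > 0xFF:
        raise ValueError("payload does not fit in the one-byte len field")
    header = bytes([ftype, len(payload)])
    return header + bytes([xor_check(header)]) + payload

class BadFrame(ValueError):
    pass

def parse_frame(buf: bytes) -> dict:
    """Validate length and both xor checks before trusting any field."""
    if len(buf) < 5:  # type, len, chk, subtype, inner chk at minimum
        raise BadFrame("short frame")
    ftype, flen, chk = buf[0], buf[1], buf[2]
    if chk != xor_check(buf[:2]):
        raise BadFrame("header check mismatch")
    if len(buf) != 3 + flen:
        raise BadFrame(f"len field {flen} does not match {len(buf) - 3} payload bytes")
    payload = buf[3:]
    if payload[-1] != xor_check(payload[:-1]):
        raise BadFrame("payload check mismatch")
    return {"type": ftype, "name": BFB_TYPES.get(ftype, "unknown"),
            "subtype": payload[0], "data": payload[1:-1]}
```

A frame that fails either check or whose len field disagrees with the bytes actually received is rejected before any field is used, which is the property a sniffer-side decoder wants.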
Originally posted by tuxhack
BFB frames are
[ type ][ len ][ chk ][ payload ]
where chk is xor and types are
0x02 - single bytes used for connecting (and data reading?)
0x01 - crc'ed sequence to change interface (speed)
0x05 - unknown (send key-codes?)
0x06 - AT-Command
0x09 - unknown (return code from mobile?)
0x0E - unknown (return code from mobile?)
0x14 - EEPROM block manipulation
0x16 - crc'ed generic data (like OBEX)
payload is mostly
[ subtype ][ data... ][ chk ]
where chk is xor again.
Perhaps someone can fill in the gaps or point to some more info.
If you look at bfb95eg.dll in detail, then you see that:
0x05 - BFB command
I have started writing up the disassembled bfb95eg.dll functions with my comments in the forum (http://thesig.spils.lv/forum/viewforum.php?f=25)
But in Russian (anyway the asm listing is in English). If more people are interested in helping me with this not easy process, I will try to write in both languages (Russian and English).
Hi TheSig,
Your work is great. I appreciate browsing your site.
Please try to write some key notes in english.
Warlord711
07-30-2002, 05:58
Is it possible to access the phone memory directly with the bfb95eg.dll?
I saw some commands like WPokeMemByte!
But I don't know how!
Originally posted by Warlord711
Is it possible to access the phone memory directly with the bfb95eg.dll?
I saw some commands like WPokeMemByte!
But I don't know how!
1. You need a non-original cable like this (http://thesig.spils.lv/forum/viewtopic.php?t=32)
2. Open the port with the bfb95eg.dll function "WComOpen"
3. Configure the library with the function "WConfigLibrary(2)"
4. Go to service mode with the function "WInitServiceMode" (the mobile is switched off before this); when starting this function, press the power-on button on the mobile (the library sends the boot block to the mobile)
5. Now you are allowed to start functions like "WPeekMemory" etc...
----------------
Any questions?
Warlord711
07-30-2002, 16:19
That doesn't work!
I want to access the flash mem with bfb95eg.dll!
Is that possible?
I can do things like read+write EEBlocks or delete+erase them, but I want to access flash memory!
Replace the "WInitServiceMode" function with "WInitBurnInMode" in point 4.
Warlord711
07-30-2002, 18:08
Have you ever tested Burn-In Mode?
The phone makes noise, that's all!
I can't access memory!
Warlord711
07-30-2002, 21:28
Have you ever managed to access flash mem with bfb95eg.dll?
Warlord711
07-30-2002, 21:35
I need to read flash mem, too!
Do you know how many parameters to give to calls like WAWriteFlashBlock?
DELPHI syntax:
Function WAWriteFlashBlock(MHandle : TMHandle; Addr : Dword; DataLen : Dword; Data : PChar) : Dword;
Where:
TMHandle is Integer;
Addr is the address to write
DataLen is a length of block which You want to write
Data is Data block
Note:
Max len of data block is 25 (0x19)
P.S. I have not tested this function, but I analysed the disassembled code for this function and give the syntax a 99% chance of being correct :)
Warlord711
07-30-2002, 21:59
But I guess you need to put the phone in a special "mode", not Service nor Burn-In Test mode!
At this moment I have disassembled and analysed approx 50% of the DLL and I see 4 different boot blocks.
I mean you need to switch to Service mode with the function WInitServiceMode(MHandle, 2,5)
Where
2 means Do Not Boot DSP
Warlord711
07-30-2002, 22:23
What options are good for WConfigLibrary?
Warlord711
07-30-2002, 22:24
Please contact me on ICQ: 39447424!
There will be more questions and not all fit this forum! ;-)
Originally posted by Warlord711
Please contact me on ICQ: 39447424!
There will be more questions and not all fit this forum! ;-)
OK. But after 20:00 (my local time - EET +2).
At least the S/ME45 needs to be initialized into a special mode.
You don't need an extra cable though. The update software on Siemens' website uses the data cable, and you don't need to switch the mobile off either.
Warlord711, maybe that's a starting point for you: use a sniffer and update your mobile with the Siemens software. Please post the serial sniffer log; I'll be glad to help decode it.
Originally posted by tuxhack
At least the S/ME45 needs to be initialized into a special mode.
You don't need an extra cable though. The update software on Siemens' website uses the data cable, and you don't need to switch the mobile off either.
Non-firmware software (which uses bfb95eg.dll; and if you look at the questions, they are about bfb95eg.dll) tells you "Switch off phone"! And after that it tells you "Press power on button for a short time". It simulates an ignition signal (power to mobile connector pin 3) IMHO.