Could someone explain me those modem commands?

[NTxC]

Hello,
I've been wondering about the exact function of the modem commands beginning with 02 04 D2 05.

For example, if I send 02 04 D2 05 00 23 F2 03 to my Sagem phone, it responds with 02 25 D2 05 01 <firmware version>

Could you please explain what are the 02 04 D2 05 commands for? I've seen more of those, some give unpredictable results. Is there any guide about them?

Cheers,
NT

[latigido]

@NTxC
02 04 D2 05 00 23 F2 03

02 - cmd begining
04 - cmd size
D2 05 - fixed
00 - request (01 - answer)
23 - cmd (behind smd could be found many parametes and data)
F2 - check sum
03 - cmd end.

The best site about these specific Sagem cmd`s and AT cmd`s used in Sagem phones (autor Hannes) was closed long ago.

[jahmann]

Hello, is there any way to have this commands listing ?
I'm trying to send the command correponding to "silent mode", like when you press "*" for 2 second.
Have you got an idea to do this in a other way ?
thanks.

I have found this commands for the moment (i'm using sgm_cmd.exe)
commande 23 = Get info. example : 02 04 D2 05 00 23 XX 03
commande 89 = Reset : ex : 02 04 D2 05 00 89 XX 03
commande 56 = Test ring : ex : 02 06 D2 05 00 56 01 02 XX 03 (ring n°1, volume 2)

[jahmann]

It cost me some € to get this file so let me share it with you for free
for my pb I think will look at 0x69 0x6a
__________________________________________________ ___________________________
Undocumented data-cable commands
for Sagem 9xx series mobile phones

Warning / Disclaimer:

Using the undocumented commands can result in permanent damage to your phone. If you decide to try the commands, you do so at your own risk. Sagem phones are known to be quite sensitive regarding hacking attempts, and will lock themselves very quickly. Sagem is a registered trademark of SAGEM SA.

Contents:

* Basic command structure
* Basic response structure
* Reading / Writing the eeprom
* Reading / Writing the flash
* Reading / Writing the ram
* Get phone information
* Enter service mode on phone
* Misc. Commands
* Credits


Basic Command Structure

All commands follow the same basic structure: (hex representation)

02 LL D2 05 00 CC [PP] CC 03

* 02 : Start code
* LL : Length of the whole command string - 4
* D2 : constant string
* 05 : constant string
* 00 : this is a command
* CC : Command code
* PP : Parameters for the command (if available)
* CC : Checksum of the whole command string
* 03 : End code

Each command must begin with the start code (02), followed by the total length of the command string - 4 and the two-byte constant (D2 05). The (00)-byte signals that this string is a command (Response strings have a (01) here). The command code (CC) determines which command is to be issued. Depending on which command is issued, parameters of variable length can be passed along with the command. The checksum (CC) is calculated by XOR-ing all bytes except the checksum byte and the end code (03).

Basic Response Structure

Responses from the phone have a structure similar to the command structure: (hex representation)

02 LL D2 05 01 RR [VV] CC 03

* 02 : Start code
* LL : Length of the whole response string - 4
* D2 : constant string
* 05 : constant string
* 01 : this is a response
* RR : Response code
* VV : Value of the return (if available)
* CC : Checksum of the whole command string
* 03 : End code

As with command codes, each response begins with the start code (02), followed by the total length of the response string - 4 and the two-byte constant (D2 05). The (01)-byte signals that this string is a response. The response code (RR) determines the type of the response, and is dependent on the command issued. Most response types also return a value (VV) of variable length, for example the requested prom field. The checksum (CC) is calculated by XOR-ing all bytes except the checksum byte and the end code (03).

Reading / writing the EEPROM

The eeproms contained in Sagem phones are divided into several logical fields. The internal structure of how fields are stored is quite complicated, and altough the fields are numbered, they are not stored sequentially. Fields 0 to 999 can be accessed with these commands.

Code 0x44: read prom

Command Syntax:

02 06 D2 05 00 44 [A1] [A2] [CC] 03

With

* A1 : High Byte of the prom field number to read.
* A2 : Low Byte of the prom field number to read.
* CC : The checksum calculated as mentioned above.

Response from phone:

02 [LL] D2 05 01 3B [DD] [MM] [CC] 03

With

* LL : the length of the response string calculated as mentioned above.
* DD : The data content of the field. Length varies depending on which field was read.
* MM : "Magic Byte", required to write the field.
* CC : Checksum, calculated as mentioned above.


Code 0x45: write prom

Command Syntax:

02 [LL] D2 05 00 45 [A1] [A2] [DD] [MM] [CC] 03

With

* LL : the length of the command calculated as mentioned above.
* A1 : High Byte of the prom field number to read.
* A2 : Low Byte of the prom field number to read.
* DD : The data to write in the field. The length must match the length of the field, i.e. you can't change the length of a field.
* MM : "Magic Byte", required to write the field. This byte must be taken from reading the field.
* CC : Checksum, calculated as mentioned above.

Response from phone:

02 [LL] D2 05 01 44 [A1] [A2] [DD] [MM] [CC] 03

With

* LL : the length of the response string calculated as mentioned above.
* A1 : High-byte of the written field's number.
* A2 : Low-byte of the written field's number.
* DD : The data content of the field. Length varies with the written field.
* MM : "Magic Byte".
* CC : Checksum, calculated as mentioned above.



Reading / writing the Flash

Field numbers in the range 1024 to 16383 are referred to as "flash" in the sagem menus.

Code 0x7C: read flash

Command Syntax:

02 06 D2 05 00 7C [A1] [A2] [CC] 03

With

* A1 : High Byte of the flash field number to read.
* A2 : Low Byte of the flash field number to read.
* CC : The checksum calculated as mentioned above.

Response from phone:

02 [LL] D2 05 01 76 [DD] [CC] 03

With

* LL : the length of the response string calculated as mentioned above.
* DD : The data content of the flash field. Length varies depending on which field was read.
* CC : Checksum, calculated as mentioned above.


Code 0x7D: write flash

Command Syntax:

02 [LL] D2 05 00 7D [A1] [A2] [NN] [DD] [CC] 03

With

* LL : Length of the command string calculated as mentioned above.
* A1 : High Byte of the flash field number to write.
* A2 : Low Byte of the flash field number to write.
* NN : Number of bytes to write. This allows you to replace existing fields with new fields of different length.
* DD : Data to write.
* CC : The checksum calculated as mentioned above.

Response from phone:

02 [LL] D2 05 01 77 [A1] [A2] [NN] [DD] [CC] 03

With

* LL : the length of the response string calculated as mentioned above.
* A1 : The high-byte of the flash field number that was written.
* A2 : The low-byte of the flash field number that was written.
* NN : The number of bytes that were written.
* DD : The data that was written. Length varies depending on which field was read.
* CC : Checksum, calculated as mentioned above.



Reading / writing the RAM

Code 0x15: read ram

Command Syntax:

02 09 D2 05 00 15 [A1] [A2] [A3] [A4] [NN] [CC] 03

With

* A1 .. A4 : address to read; 4 bytes, high byte first.
* NN : Number of bytes to read, max. 246.
* CC : The checksum calculated as mentioned above.

Response from phone:

02 [LL] D2 05 01 2E [DD] [CC] 03

With

* LL : the length of the response string calculated as mentioned above.
* DD : The data read from the ram. Length varies depending on how many bytes were requested.
* CC : Checksum, calculated as mentioned above.


Code 0x16: write ram

Command Syntax:

02 09 D2 05 00 16 [A1] [A2] [A3] [A4] [DD] [CC] 03

With

* A1 .. A4 : address to write; 4 bytes, high byte first.
* DD : Value to write at address. This is limited to 1 byte.
* CC : The checksum calculated as mentioned above.

Response from phone:

02 09 D2 05 01 40 [A1] [A2] [A3] [A4] [DD] [CC] 03

With

* A1 .. A4 : address to write; 4 bytes, high byte first.
* DD : The data written to the ram.
* CC : Checksum, calculated as mentioned above.



Get phone information

This command returns an ascii string containing information about the phone's firmware revision and the date of production.

Code 0x23: get phone information string

Command Syntax:

02 04 D2 05 00 23 F2 03


Response from phone:

02 [LL] D2 05 01 35 [DD] [CC] 03

With

* LL : the length of the response string calculated as mentioned above.
* DD : The ascii string containing the information.
* CC : Checksum, calculated as mentioned above.



Enter service mode on phone

This command will enable the service mode on the phone.

Code 0x52: enter service mode

Command Syntax:

02 04 D2 05 00 52 [CC] 03


Response from phone:

02 04 D2 05 01 4C 9C 03



Misc. Commands

The following list contains all possible command codes that do not return an error message when sent without parameters. They all are valid commands, but most of them have unknown effects on the phone, so please do not try them unless you are sure you know what you are doing. Even if an obvious effect is described here, there might be hidden side-effects that can damage your phone. You have been warned...

The output strings are responses I got from my phone. Your phone might produce different outputs.
Possible command codes without parameters:

* Code 0x4a: ??? (Output: 0F 1F / 0F 30)
* Code 0x4c: ??? (Something happens with the receiver level indicator)
* Code 0x4e: ??? (Output: 00)
* Code 0x4F: ???
* Code 0x50: ??? (No answer)
* Code 0x51: ???
* Code 0x53: ??? (Reset)
* Code 0x55: ???
* Code 0x57: ???
* Code 0x58: ???
* Code 0x59: ???
* Code 0x5B: ???
* Code 0x63: ??? (Output: 01 D6 / 01 FF)
* Code 0x66: ??? (Output: 01 D5 / 01 E1)
* Code 0x67: ??? (Attention: prom fields are changed, phone will be "simlocked" afterwards!)
* Code 0x68: ??? (Output: 00 01 / 01 02)
* Code 0x69: ??? (Vibra alarm is activated)
* Code 0x6A: ??? (Vibra alarm is turned off)
* Code 0x6D: ??? (Output: 1305012300; [No, this is not the simlock code :-])
* Code 0x73: ???
* Code 0x74: ???
* Code 0x75: ???
* Code 0x78: ??? (Output )
* Code 0x79: ??? (long output)
* Code 0x85: ??? (Output: 00)
* Code 0x88: ??? (Output: 01 69 C3 ...)
* Code 0x89: Reset phone



Credits

Thanks go out to the people in the Sagem MC939 Forum, especially Maddde and Team 939 (Anonymous Coward & OverFloh). They made valuable fun*****tal discoveries and found out how to read ram and prom. Good work!

Last updated: 04.07.2000 by Hannes