communication protocol for siemens

[XenKo78]

hello
to finish my project, i need is the communication protocol to read the Idphone in the siemens xxxx and IMEI

How can i proceed to write a *.map file into this phone (communication protocol ) ??

any help will be apprecied
thank you in advance!

[Warlord711]

Its send with BFB Commands i guess !

There is a bfb95eg.dll, look at it !

[tuxhack]

BFB frames are
[ type ][ len ][ chk ][ payload ]

where chk is xor and types are

0x02 - single bytes used for connecting (and data reading?)
0x01 - crc'ed sequence to change interface (speed)
0x05 - unkown (send key-codes?)
0x06 - AT-Command
0x09 - unkown (return code from mobile?)
0x0E - unkown (return code from mobile?)
0x14 - EEPROM block manipulation
0x16 - crc'ed generic data (like OBEX)

payload is mostly
[ subtype ][ data... ][ chk ]

where chk is xor again.

Perhaps someone can fill in the gaps or point to some more info.

[TheSig]

Quote:

Originally posted by tuxhack
BFB frames are
[ type ][ len ][ chk ][ payload ]

where chk is xor and types are

0x02 - single bytes used for connecting (and data reading?)
0x01 - crc'ed sequence to change interface (speed)
0x05 - unkown (send key-codes?)
0x06 - AT-Command
0x09 - unkown (return code from mobile?)
0x0E - unkown (return code from mobile?)
0x14 - EEPROM block manipulation
0x16 - crc'ed generic data (like OBEX)

payload is mostly
[ subtype ][ data... ][ chk ]

where chk is xor again.

Perhaps someone can fill in the gaps or point to some more info.

If You detailed see bfb95eg.dll then see when:
0x05 - BFB command

I starting wrote disassembled bfb95eg.dll functions with my comments in Forum
But in russian language (but aniway asm listing in english) - if more peoples is intresting to help me in this not easy process - i try to wrote in both (russian and english) languages.

[tuxhack]

Hi TheSig,

Your work is great. I appreciate browsing your site.
Please try to write some key notes in english.

[Warlord711]

It is possible to access the phone memory directly with the bfb95eg.dll ?

I saw some commands like WPokeMemByte !

But i dont know how !

[TheSig]

Quote:

Originally posted by Warlord711
It is possible to access the phone memory directly with the bfb95eg.dll ?

I saw some commands like WPokeMemByte !

But i dont know how !

1. Need non original cable like this
2. Open port with bfb95eg.ddl function "WComOpen"
3. Configure library with function "WConfigLibrary(2)"
4. Go to service mode with fuction "WInitServiceMode" (mobile before this is switched off) when starting this function press power on button on mobile (library is send to mobile boot block)
5. Now You allow to start functions like "WPeekMemory" etc...
----------------
Any questions?

[Warlord711]

That doesnt work !

I want to access the flash mem with bfb95eg.dll !

Is that possible ?

I can do things like Read+Write to EEBlocks or delete+erase them, but i want to access flash memory !

[TheSig]

replace "WInitServiceMode" with"WInitBurnInMode" function in point 4

[Warlord711]

You ever tested Burn-In Mode ?

Phone makes noise, thats all !
I cant access memory !

[TheSig]

Try "WAWriteFlashBlock"

[Warlord711]

You ever managed to access Flash mem with bfb95eg.dll ?

[Warlord711]

I need to read flash mem, too !
Do you know how much parameters to give to Calls like WAWriteFlashBlock ?

[TheSig]

DELPHI syntax:
Function WAWriteFlashBlock(MHandle : TMHandle; Addr : Dword; DataLen : Dword; Data : PChar) : Dword;

Where:
TMHandle is Integer;
Addr is Addres to write
DataLen is a length of block which You want to write
Data is Data block

Note:
Max len of data block is 25 (0x19)

P.S. I not tested this function but i analyse dissasembled code for thois function and give a 99% of correct syntax

[Warlord711]

But i guess you need to put phone in a special "mode" not Service nor Burn-In Test mode !