[How to] Read BB5 pm

[fr3nsis]

example : we would to read field 308

Note: i'm using usb frame , for fbus you can add checksum bytes (2) to the end , change 1B -> 1E
For save times i will use same sequence bytes on all frames
Good explanation about building fbus frame is here

-> 1B 00 10 23 00 06 00 0D 03 0E 01 34

01 34 = hex(308)

<- 1B 10 00 23 00 0A 0D 29 03 0F 00 01 03 04 00 04

00 04 = now we know that 308 field has 0004h sub_fields

now can start us cycle (0 to 4h)

sub_ field 0

-> 1B 00 10 23 00 0A 00 0D 04 0C 01 34 00 00 00 00
<-1B 10 00 23 00 0E 0D 29 04 0D 00 01 06 08 00 00 00 00 00 01

00 01h = len of sub_field data

->1B 00 10 23 00 12 00 0D 05 04 01 34 00 00 00 00 00 00 00 00 00 00 00 01
<-1B 10 00 23 00 16 0D 29 05 05 00 01 00 00 00 00 00 00 00 10 00 00 00 01 01 00 00 00

00 01 h = len
01=data

so atm us pm is

[308]
0=01

sub_ field 1

-> 1B 00 10 23 00 0A 00 0D 04 0C 01 34 00 01 00 00
<-1B 10 00 23 00 0E 0D 29 04 0D 00 01 06 08 00 00 00 00 10 00

10 00h = len of sub_field data

because len is very big we can split reading process for example reading FF bytes to the time:

you can calculate how times are needed like this: 1000h / FF = 10h=16dec

we read firts ff bytes

->1B 00 10 23 00 12 00 0D 05 04 01 34 00 01 00 00 00 00 00 00 00 00 00 FF
<-1B 10 00 23 01 12 0D 29 05 05 00 01 00 00 00 00 00 00 01 0C 00 00 00 FF ...................

now we read ff + ff bytes
->1B 00 10 23 00 12 00 0D 05 04 01 34 00 01 00 00 00 00 00 FF 00 00 00 FF
<-1B 10 00 23 01 12 0D 29 05 05 00 01 00 00 00 00 00 00 01 0C 00 00 00 FF ...................

now we read ff + ff +ff bytes

->1B 00 10 23 00 12 00 0D 05 04 01 34 00 01 00 00 00 00 01 FE 00 00 00 FF
<-1B 10 00 23 01 12 0D 29 05 05 00 01 00 00 00 00 00 00 01 0C 00 00 00 FF ...................

after 16 times we have < FF bytes to reading

1000h mod FF = 10h
->1B 00 10 23 00 12 00 0D 05 04 01 34 00 01 00 00 00 00 0F F0 00 00 00 10
<-1B 10 00 23 00 22 0D 29 05 05 00 01 00 00 00 00 00 00 00 1C 00 00 00 10 .................

now us pm is:

[308]
0=01
1=...........................


sub_ field 2

->1B 00 10 23 00 0A 00 0D 04 0C 01 34 00 02 00 00
<-1B 10 00 23 00 06 0D 29 04 0D 11 00

11 00 = sub_field 2 don't exist

sub_ field 3

->1B 00 10 23 00 0A 00 0D 04 0C 01 34 00 03 00 00->1B 10 00 23 00 0E 0D 29 04 0D 00 01 06 08 00 00 00 00 00 01

->1B 00 10 23 00 12 00 0D 05 04 01 34 00 03 00 00 00 00 00 00 00 00 00 01
<-1B 10 00 23 00 16 0D 29 05 05 00 01 00 00 00 00 00 00 00 10 00 00 00 01 03 00 00 00

[308]
0=01
1=...........................
3=01

sub_ field 4

->1B 00 10 23 00 0A 00 0D 04 0C 01 34 00 04 00 00->1B 10 00 23 00 0E 0D 29 04 0D 00 01 06 08 00 00 00 00 00 01

->1B 00 10 23 00 12 00 0D 05 04 01 34 00 04 00 00 00 00 00 00 00 00 00 01
<-1B 10 00 23 00 16 0D 29 05 05 00 01 00 00 00 00 00 00 00 10 00 00 00 01 07 00 00 00
[308]
0=01
1=...........................
3=01
4=07

us field is now complete ( 4 sub_field readed)



can be same errors , i'm not a guru , i'm not a programmer ... but i like read and know

next step: write pm

please don't ask for source....you can meke it yourself

[mustipusti]

nice thank you

[dhiet]

hi,
Thanks, its good knowledge for the beginer like me

My question is if i want to read pm via ufs, what should i do:

I already do this step

1. make init ufs ------>already done
2. make boot ufs ------>already done
3. make fbus ufs ------>already done
4. make sincronize(55 55 55 55 55 55) ------>already done

what next step?

br,
dhiet

[fr3nsis]

there is an "error" but i cant edit post

here modified post

sub_ field 3

->1B 00 10 23 00 0A 00 0D 04 0C 01 34 00 03 00 00
<-1B 10 00 23 00 0E 0D 29 04 0D 00 01 06 08 00 00 00 00 00 01

->1B 00 10 23 00 12 00 0D 05 04 01 34 00 03 00 00 00 00 00 00 00 00 00 01
<-1B 10 00 23 00 16 0D 29 05 05 00 01 00 00 00 00 00 00 00 10 00 00 00 01 03 00 00 00

[308]
0=01
1=...........................
3=03

sub_ field 4

->1B 00 10 23 00 0A 00 0D 04 0C 01 34 00 04 00 00
<-1B 10 00 23 00 0E 0D 29 04 0D 00 01 06 08 00 00 00 00 00 01

->1B 00 10 23 00 12 00 0D 05 04 01 34 00 04 00 00 00 00 00 00 00 00 00 01
<-1B 10 00 23 00 16 0D 29 05 05 00 01 00 00 00 00 00 00 00 10 00 00 00 01 07 00 00 00

[308]
0=01
1=...........................
3=03
4=07

[fr3nsis]

Video test application (Read&Write PM)

http://www.mediafire.com/?ygznnyqznym

i have done ... now it's your time

[fasternaiger]

i want to know ,, how to read the pm by usb

[costel_mcb]

Quote:

Originally Posted by fr3nsis

Video test application (Read&Write PM)

http://www.mediafire.com/?ygznnyqznym

i have done ... now it's your time

can you tell us how to write?

[fr3nsis]

Quote:

Originally Posted by costel_mcb

can you tell us how to write?

is very simple ...just sniff 2-3 frame and you know how to work

[Arjun mishra]

thanks for share !!!!!!!!!!!!!!!!

[angel25dz]

thanks for helping us ............ read pm done in my soft

[angel25dz]

in comparing PM's readed via my soft (using this methode) and others readed by MX-Key i found a difference in some fields !!

here is the log for the same phone :

My soft

Code:

Field [1] Keys: 25
     Key: 0 :  114 Bytes
     Key: 1 :  4 Bytes
     Key: 2 :  98 Bytes
     Key: 4 :  110 Bytes
     Key: 5 :  4 Bytes
     Key: 6 :  98 Bytes
     Key: 8 :  110 Bytes
     Key: 13 :  98 Bytes
     Key: 15 :  4 Bytes
     Key: 16 :  98 Bytes
     Key: 18 :  98 Bytes
     Key: 20 :  98 Bytes
     Key: 22 :  16 Bytes
     Key: 23 :  4 Bytes
     Key: 24 :  84 Bytes

Field [2] Keys: 2
     Key: 0 :  440 Bytes

Field [4] Keys: 5
     Key: 3 :  10 Bytes
     Key: 4 :  8 Bytes

Field [8] Keys: 9
     Key: 0 :  12 Bytes
     Key: 1 :  12 Bytes
     Key: 2 :  128 Bytes
     Key: 3 :  128 Bytes
     Key: 6 :  4 Bytes
     Key: 7 :  8 Bytes
     Key: 8 :  8 Bytes

Mx-Key :

Code:

Section: 1 - got 24 key(s)
 - key: 0, readed 114 bytes
 - key: 1, readed 4 bytes
 - key: 2, readed 98 bytes
 - key: 4, readed 110 bytes
 - key: 5, readed 4 bytes
 - key: 6, readed 98 bytes
 - key: 8, readed 110 bytes
 - key: 13, readed 98 bytes
 - key: 15, readed 4 bytes
 - key: 16, readed 98 bytes
 - key: 18, readed 98 bytes
 - key: 20, readed 98 bytes
 - key: 22, readed 16 bytes
 - key: 23, readed 4 bytes
 - key: 24, readed 84 bytes
 - key: 25, readed 4 bytes
 - key: 26, readed 110 bytes
 - key: 27, readed 4 bytes
 - key: 28, readed 98 bytes
 - key: 29, readed 10 bytes
 - key: 31, readed 98 bytes
 - key: 33, readed 36 bytes
 - key: 34, readed 80 bytes
 - key: 44, readed 182 bytes
Section: 2 - got 1 key(s)
 - key: 0, readed 440 bytes
Section: 4 - got 4 key(s)
 - key: 3, readed 10 bytes
 - key: 4, readed 8 bytes
 - key: 5, readed 8 bytes
 - key: 9, readed 5 bytes
Section: 8 - got 8 key(s)
 - key: 0, readed 12 bytes
 - key: 1, readed 12 bytes
 - key: 2, readed 128 bytes
 - key: 3, readed 128 bytes
 - key: 6, readed 4 bytes
 - key: 7, readed 8 bytes
 - key: 8, readed 8 bytes
 - key: 9, readed 16 bytes

I take the field (section) 04 as example to explain the error :
my soft :
send: 1B 00 10 23 00 06 00 0D 03 0E 00 04
recieve :1B 10 00 23 00 0A 0D 2A 03 0F 00 01 03 04 00 04

MX-Key:
send: 1B 00 10 23 00 06 00 08 67 0E 00 04
recieve:1B 10 00 23 00 0A 08 2A 67 0F 00 01 03 04 00 04

04:using this methode I got 0,1,2,3,4 subfields with 03 empty (fake) subfields (0,1,2) But Mx-Key got 04 real subfields so I concluse: 04 is the number of the real keys (not empty data) and before to read them (0,1,2,3,4) we must use another command to get their real positions (3,4,5,9) !!
after a few sniff I got It

using my example : (section 04) here is the correct way to read subfields :

01/:
>>> 1B 00 10 23 00 06 00 0D 03 0E 00 04
<<< 1B 10 00 23 00 0A 0D 2A 03 0F 00 01 03 04 00 04

02/ get the real first position of subfields :
>>> 1B 00 10 23 00 0A 00 08 68 0A 00 04 FF FF 00 00

<<< 1B 10 00 23 00 0A 08 2A 68 0B 00 01 03 04 00 03
03 is the first subfield to read and 04 is field number (section)

03/ get the next real postion after 03
>>> 1B 00 10 23 00 0A 00 08 68 0A 00 04 00 03 00 00
<<< 1B 10 00 23 00 0A 08 2A 69 0B 00 01 03 04 00 04
04 is the seconde subfield

04/
>>> 1B 00 10 23 00 0A 00 08 68 0A 00 04 00 04 00 00
<<< 1B 10 00 23 00 0A 08 2A 6A 0B 00 01 03 04 00 05

05 is the third subfield

05/
>>> 1B 00 10 23 00 0A 00 08 68 0A 00 04 00 05 00 00
<<< 1B 10 00 23 00 0A 08 2A 6B 0B 00 01 03 04 00 09

09 is the last real subfield (4th)
now we have 4 subfields to read 3 4 5 9 and we can read them using fr3nsis method

./wbr

[fr3nsis]

yes but with my old codes you can read good subfield , see my first post:
after send first command you know that fields are 4
send command for read 0 subfield , len <> 0 -> ok 0 exist with data ....
send command for read 1 subfield , len <> 0 -> ok 1 exist with data ....
send command for read 2 subfield , len = 0 -> 2 dont exist jump it
send command for read 3 subfield , len <> 0 -> ok 3 exist with data ....

at the end you have
[308]
0=
1=
3=
4=

so 4 subfield ....

[angel25dz]

Quote:

Originally Posted by fr3nsis

yes but with my old codes you can read good subfield , see my first post:
after send first command you know that fields are 4
send command for read 0 subfield , len <> 0 -> ok 0 exist with data ....
send command for read 1 subfield , len <> 0 -> ok 1 exist with data ....
send command for read 2 subfield , len = 0 -> 2 dont exist jump it
send command for read 3 subfield , len <> 0 -> ok 3 exist with data ....

at the end you have
[308]
0=
1=
3=
4=

so 4 subfield ....

yes that work with this condition (i don't coded this jump for this reason i have the errors)

[sementes]

Code:

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click

        'When Tx button clicked
        'Clear buffer
        rxBuff = ""

        'If port is closed, then open it
        If SerialPort1.IsOpen = False Then SerialPort1.Open()

        ListBox1.Items.Clear()

        'Write this data to port
        'SerialPort1.Write(ComboBox1.Text & vbCr)
        SerialPort1.Write(Chr(&H1B) + Chr(&H0) + Chr(&H10) + Chr(&H23) + Chr(&H0) + Chr(&H6) + Chr(&H0) + Chr(&HD) + Chr(&H3) + Chr(&HE) + Chr(&H0) + Chr(&H4))


        'Pause for 800ms
        System.Threading.Thread.Sleep(800)

        'If the port is open, then close it
        If SerialPort1.IsOpen = True Then SerialPort1.Close()

        'If the buffer is still empty then no data. End sub
        If rxBuff = "" Then

            MessageBox.Show("NADA FOI RECEBIDO", "SEM DADOS", MessageBoxButtons.OK, MessageBoxIcon.Warning, MessageBoxDefaultButton.Button1)

        End If

        'Else display the recieved data in the RichTextBox
        ListBox1.Items.Add(rxBuff)

    End Sub

i nothing in the listbox where is the error ??
Im using vb.net and usb cable .
Thanks

[fr3nsis]

you cant use serial port ...you must open usb connection

ps:it's not necessary to read FF bytes to the time ...you can read more