Nokia 6110 Serial Protocol

Here are some of the details that I've observed while monitoring the protocol Nokia Cellular Data Suite uses to talk over a serial cable to the 6110. The information is fairly sketchy at the moment with lots of gaps, especially in the basic frame format. It is, however, a start.

Snooping was performed over a wired connection. It is assumed that if infra red is used that much the same data is sent, but it may be wrapped up in a low level IrDA format.

Serial Communication

Speed: 115.2 kbps
Bits: 8
Parity: None
Stopbits: 1
 
Unlike the 21xx series and Nokia Cellularware, data is sent over the FBUS which has both Rx and Tx lines.
 

Basic Packet Format

In a similar manner to the 21xx protocol. Packets sent from the 'phone must be acknowledged by the PC via a special packet and vice versa.

Most communication takes the form of:

  • PC sends some type of "request" or command packet
  • 6110 sends an acknowledgement
  • 6110 sends some response to the request packet
  • PC sends acknowledgment
Format of packets from PC:
+--+--+--+----+--+---+----------+-+--+--+----+----+
|1e|00|0c|type|00|len|...body...|n|sq|0?|   chk   |  
+--+--+--+----+--+---+----------+-+--+--+----+----+

type:  some indication of message type: 
       ( 1, 2, 4, 10, 11, 13, 14, 64 seen)
len:   length in bytes from following byte to sq inclusive
n:     if this packet is part of a group (i.e. long sms) indicates
       how many more messages, including this one, there are
sq:    packet sequence number,
       least significant nibble: incremented in range 0..7 for each 
                                 new packet
       most significant nibble: ? seems to be normally 4, but appears
                                to be 0 if this is not the first packet
                                in a group. 6 has also been seen 
0?:    0x00, only included if len is odd
chk:   16 bit xor of all preceding 16 bit words

Format of ack from PC:
+--+--+--+--+--+---+----+--+----+----+
|1e|00|0c|7f|00|len|type|sq|   chk   |  
+--+--+--+--+--+---+----+--+----+----+

type:  corresponds to original message type
len:   length in bytes, always 2
sq:    last 3 bits indicate sequence number of packet being
       acknowledged, most significant nibble is normally 0, 
       8 for sequence error?
chk:   16 bit xor of all preceding 16 bit words.



Format of packets from 6110:
+--+--+--+----+--+---+----------+-+--+--+----+----+
|1e|0c|00|type|00|len|...body...|n|sq|0?|   chk   |  
+--+--+--+----+--+---+----------+-+--+--+----+----+

type:  some indication of message type
       (1, 2, 4, 10, 11, 13, 14, 64 observed)
len:   length in bytes from following byte to id inclusive
n:     if this message is part of a group (i.e. long sms) indicates
       how many more messages, including this one, there are
sq:    packet sequence number,
       least significant nibble: incremented in range 0..7 for each 
                                 new packet
       most significant nibble: ? seems to be 4 normally, but appears
                                to be 0 if this is not the first packet
                                in a group. 6 has also been seen 
0?:    00, only included if len is odd
chk:   16 bit xor of all preceding 16 bit words.


Format of ack from 6110:
+--+--+--+--+--+---+----+--+----+----+
|1e|0c|00|7f|00|len|type|sq|   chk   |  
+--+--+--+--+--+---+----+--+----+----+

type:  corresponds to original message type
len:   length in bytes, always 02 
sq:    last 3 bits indicate sequence number of packet being
       acknowledged, most significant nibble is normally 0, 
       8 for sequence error?
chk:   16 bit xor of all preceding 16 bit words.


Format of SMS-SUBMIT from PC:

Referring to GSM 03.40 will make the following fields
clearer. It should be noted that the format of the data
in this packet is different to the SMS-SUBMIT TPDU. The fields
are, however, the same. GSM 03.38 shows how the message itself
is packed. This packet format is only valid as long as len < 0x41
if the message length would force the packet to be longer then the
message is split across multiple packets. I'll post that 
information shortly.
                                        
+--+--+--+--+--+---+--+--+--+--+--+--+--+--+-------+--+--+--+--+
|1e|00|0c|02|00|len|00|01|00|01|02|00|sl|st|..sca..|fo|00|pi|dc|
+--+--+--+--+--+---+--+--+--+--+--+--+--+--+-------+--+--+--+--+

+--+--+--+--------+------+---------+--+--+--+-------+
|ml|dl|dt|...da...|..vp..|...msg...|01|sq|0?|  chk  |
+--+--+--+--------+------+---------+--+--+--+-------+

len:  packet length from following byte to sq inclusive
sl:   SMSC number len in octets including st
st:   SMSC number type e.g. 0x81-unknown 0x91-international 0xa1-national
sca:  SMSC number. This is packed in BCD format ie. 2 digits per octet
      it is a 10 byte field whether the number is 20 digits or not.
fo:   first octet of TPDU, holds flas such as validity period format
pi:   pid, protocol id
dc:   dcs, data coding scheme
ml:   message length in 7 bit chars
dl:   destination address (da) length in used semi-octets,
dt:   da type eg. 81-unknown 91-international a1-national
da:   destination number packed as BCD ie. 2 digits per octet
      this is a 10 byte field. Unused octets can sometimes hold
      rubbish. 
vp:   validity period (1 integer byte or 7 octets - vpf) 7 byte field 
msg:  7 bit chars packed into bytes (see GSM 03.38)
sq:   packet sequence number,
      least significant nibble: incremented in range 0..7 for each 
                                 new packet
      most significant nibble: ? seems to be 4 normally, but appears
                               to be 0 if this is not the first packet
                               in a group. 6 has also been seen
0?:   pad bye, only present if len is odd
chk:  6 bit xor of all preceding 16 bit words.

Example:

SMS sent to 987654321 via SMSC 12345678. First octet of TPDU
(fo) = 0x11, Validity Period (vp) = 0xa7, 
Data Coding Scheme (dcs) = 0 and Protocol Identifier (pid) = 0.
Message reads "hello" - 0xe8 0x32 0x9b 0xfd 0x06 in packed format:

1e 00 0c 02 00 31 00 01 00 01 02 00 06 81 21 43 65 87 f9 63 a8 00 00
00 11 00 00 00 05 09 81 89 67 45 23 f1 b8 81 20 15 63 a7 00 00 00 00 
00 00 e8 32 9b fd 06 01 44 00

Phonebook Packet Format

In the following descriptions, ME = mobile equipment (i.e. the phone or it's memory) and SM = sim card.

PC reading phonebook entry:
+--+--+--+--+--+---+--+--+--+--+--+--+--+--+--+--+---+
|1e|00|0c|03|00|len|00|01|00|01|st|ix|00|01|sq|0?|chk| 
+--+--+--+--+--+---+--+--+--+--+--+--+--+--+--+--+---+

st:   storage type e.g. 02-ME 03-SM etc.
ix:   index

e.g. to read location with index 1 from the sim: 
1e 00 0c 03 00 09 00 01 00 01 03 01 00 01 46 00 57 0a 

6110 responding to a phonebook read:
+--+--+--+--+--+---+--+--+--+--+--+--+----+--+---+--+--+--+--+--+---+
|1e|0c|00|03|00|len|01|08|00|02|00|tl|text|nl|num|05|00|01|sq|0?|chk|
+--+--+--+--+--+---+--+--+--+--+--+--+----+--+---+--+--+--+--+--+---+

tl:   name text length
text: entry name text in ASCII
nl:	 number len (in digits)
num:  number in ASCII

e.g. response to reading sim location 1 containing 
    "Action Line", 0345888444:
1e 0c 00 03 00 20 01 08 00 02 00 0b 41 63 74 69 6f 6e 20 4c 69 6e 65
0a 30 33 34 35 38 38 38 34 34 34 05 00 01 44 5d 18 

Reading empty location 1 from the phone returns (as expected):
1e 0c 00 03 00 0b 01 08 00 02 00 00 00 05 00 01 47 00 58 0a 
i.e. text and number lengths are 0 and there are no actual text
     or number fields

PC writing a phonebook entry:
+--+--+--+--+--+---+--+--+--+--+--+--+--+----+--+---+--+--+--+--+---+
|1e|00|0c|03|00|len|00|01|00|04|st|ix|tl|text|nl|num|ff|01|sq|0?|chk| 
+--+--+--+--+--+---+--+--+--+--+--+--+--+----+--+---+--+--+--+--+---+

st:   storage type 02-ME 03-SM etc.
ix:   index
tl:   name text length
text: entry name text in ASCII
nl:	 number len (in digits)
num:  number in ASCII

e.g. writing an entry "Test", 1234 to location index 2 to the phone memory: 
1e 00 0c 03 00 13 00 01 00 04 02 02 04 54 65 73 74 04 31 32 33 34 ff 01 47 00 bf 33 


6110 responding to phonebook write:

Success:                   
1e 0c 00 03 00 06 01 08 00 05 01 46 1e 42 
                           ^^-indicates success?
 
Failure due to index being out of range:
1e 0c 00 03 00 07 01 08 00 06 74 01 43 00 28 07 
       indicates failure---^^ ^^--indicates reason?


PC requesting storage parameters:
+--+--+--+--+--+---+--+--+--+--+--+--+--+--+---+
|1e|00|0c|03|00|len|00|01|00|07|st|01|sq|0?|chk|
+--+--+--+--+--+---+--+--+--+--+--+--+--+--+---+

st:   storage type

e.g. requesting parameters for the sim card:
1e 00 0c 03 00 07 00 01 00 07 03 01 43 00 52 03 

6110 responding with storage parameters:
+--+--+--+--+--+---+--+--+--+--+--+--+--+--+--+--+---+
|1e|0c|00|03|00|len|01|08|00|08|st|fr|us|01|sq|0?|chk|
+--+--+--+--+--+---+--+--+--+--+--+--+--+--+--+--+---+

st:   storage type
fr:   number of free locations
us:   number of used locations

e.g. responding for the sim storage which has 90 locations
     59 of which are used:
1e 0c 00 03 00 09 01 08 00 08 03 1f 3b 01 43 00 64 18 


WAP-gateway IP: 79.186.132.242
Port: 9201

Русский
Powered by COMPPAG 0.50
2022-2024 © Compys S&N Systems