What is this talk going to be about?
What’s so special about Sony Ericsson?
DB2010/J300 and DB3150/W595 back in the day
DB3150/W595 again in 2019-2021
TEMS Investigation works
Usability
DP (Data Provider) - a subsystem/component/process on the target
CA (Client Application) - an application on the host side
F3607gw, F5521gw, EC400, MD400[g])
DPs and CAs to communicate with each other
DebugMuxClient connection
The following software is known to "speak" DebugMux protocol:
Those are all proprietary, black-box binaries for MS Windows.
First steps understanding the protocol (collecting samples)
DebugMuxLogger and DebugMuxServer (thanks to gsmforum.ru)
Free Device Monitoring Studio (Windows app)
Pass -serial unix:/tmp/qemu.sock,server=on,wait=off to qemu
socat -x -v $PORT,raw,echo=0,ignoreeof=0,nonblock=1 "unix-connect:/tmp/qemu.sock" 2>&1
< 2024/04/26 02:15:11.000903764 length=2 from=16 to=17
42 42 BB
--
< 2024/04/26 02:15:11.000904430 length=7 from=18 to=24
05 00 01 00 65 69 3e ....ei>
--
> 2024/04/26 02:15:11.000906043 length=218 from=63 to=280
42 42 20 00 00 02 66 e7 b0 7e 16 16 46 33 36 30 BB ...f..~..F360
37 67 77 33 35 36 33 39 37 30 33 33 33 38 34 38 7gw3563970333848
35 30 77 b7 42 42 22 00 01 02 69 94 e4 1a 41 43 50w.BB"...i...AC
43 20 2d 20 50 72 69 6e 74 20 53 65 72 76 65 72 C - Print Server
20 43 68 61 6e 6e 65 6c 21 1f 42 42 1f 00 02 02 Channel!.BB....
69 95 e4 17 41 43 43 20 2d 20 49 6e 74 65 72 61 i...ACC - Intera
63 74 69 76 65 20 44 65 62 75 67 97 2d 42 42 0b ctive Debug.-BB.
00 03 02 69 96 e4 03 54 76 70 34 c3 42 42 22 00 ...i...Tvp4.BB".
04 02 69 97 e4 1a 41 50 50 20 2d 20 50 72 69 6e ..i...APP - Prin
74 20 53 65 72 76 65 72 20 43 68 61 6e 6e 65 6c t Server Channel
7c 84 42 42 1f 00 05 02 69 98 e4 17 41 50 50 20 |.BB....i...APP
2d 20 49 6e 74 65 72 61 63 74 69 76 65 20 44 65 - Interactive De
62 75 67 2c 69 42 42 11 00 06 02 69 99 e4 09 53 bug,iBB....i...S
44 4b 53 45 52 56 45 52 fb f3 DKSERVER..
First steps understanding the protocol (Twitter power)
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Marker (\x42\x42)       |          Length (LE)          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    TxCount    |    RxCount    |    MsgType    |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               +
|                            MsgData                            |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |              FCS              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Marker (0x4242)
Thanks to @Sec for finding the CRC function parameters!
Value | Direction | Name | Description |
---|---|---|---|
0x65 | → | Enquiry | Enquire the target info and available DPs |
0x66 | ← | Ident | Target info (model, IMEI) |
 | → | Ping | Used for connection testing |
 | ← | Pong | Used for connection testing |
0x69 | ← | DPAnnounce | Announces an available DP (DPRef and name) |
 | ? | ? | |
0x6b | → | ConnEstablish | Connection establishment command |
0x6c | ← | ConnEstablished | Connection establishment result |
 | → | ConnTerminate | Connection termination command |
 | ← | ConnTerminated | Connection termination result |
 | ←/→ | ConnData | Connection data |
0x70 | ← | FlowControl | Connection flow control |
0x71 | ←/→ | Ack | Acknowledge |
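As an added example (not code from the sedbgmux project), the frame layout and the FCS can be checked against the socat capture shown earlier: the script below parses a `socat -x -v` transcript, reassembles each direction's byte stream (the host's Enquiry is split across two socat records, and the target's 218-byte burst carries seven frames), cuts it into frames on the Marker/Length fields and verifies each FCS. The CRC parameters are an assumption of this example, not stated on the slides: CRC-16/X-25 computed over Marker through MsgData reproduces every FCS in the capture, including 0x3e69 for the Enquiry frame. The `MSG_TYPES` values are those visible in the dumps and dissector output on these slides; the sample transcript is embedded from the slide.

```python
import re
from collections import namedtuple

# Message type values visible in the dumps/dissector output on the slides (others unknown).
MSG_TYPES = {0x65: "Enquiry", 0x66: "Ident", 0x69: "DPAnnounce", 0x6b: "ConnEstablish",
             0x6c: "ConnEstablished", 0x70: "FlowControl", 0x71: "Ack"}
Frame = namedtuple("Frame", "ns nr msg_type data fcs fcs_ok")  # TxCount, RxCount, ...

# Constructed sample: the socat -x -v transcript from the slide above (host Enquiry split
# across two records, then the 218-byte burst with Ident and six DPAnnounce frames).
SOCAT_DUMP = """\
< 2024/04/26 02:15:11.000903764 length=2 from=16 to=17
42 42 BB
--
< 2024/04/26 02:15:11.000904430 length=7 from=18 to=24
05 00 01 00 65 69 3e ....ei>
--
> 2024/04/26 02:15:11.000906043 length=218 from=63 to=280
42 42 20 00 00 02 66 e7 b0 7e 16 16 46 33 36 30 BB ...f..~..F360
37 67 77 33 35 36 33 39 37 30 33 33 33 38 34 38 7gw3563970333848
35 30 77 b7 42 42 22 00 01 02 69 94 e4 1a 41 43 50w.BB"...i...AC
43 20 2d 20 50 72 69 6e 74 20 53 65 72 76 65 72 C - Print Server
20 43 68 61 6e 6e 65 6c 21 1f 42 42 1f 00 02 02 Channel!.BB....
69 95 e4 17 41 43 43 20 2d 20 49 6e 74 65 72 61 i...ACC - Intera
63 74 69 76 65 20 44 65 62 75 67 97 2d 42 42 0b ctive Debug.-BB.
00 03 02 69 96 e4 03 54 76 70 34 c3 42 42 22 00 ...i...Tvp4.BB".
04 02 69 97 e4 1a 41 50 50 20 2d 20 50 72 69 6e ..i...APP - Prin
74 20 53 65 72 76 65 72 20 43 68 61 6e 6e 65 6c t Server Channel
7c 84 42 42 1f 00 05 02 69 98 e4 17 41 50 50 20 |.BB....i...APP
2d 20 49 6e 74 65 72 61 63 74 69 76 65 20 44 65 - Interactive De
62 75 67 2c 69 42 42 11 00 06 02 69 99 e4 09 53 bug,iBB....i...S
44 4b 53 45 52 56 45 52 fb f3 DKSERVER..
"""

def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25 (poly 0x1021 reflected, init/xorout 0xffff): assumed to be the FCS
    algorithm, because it reproduces the FCS of every frame in the sample above."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

HEADER_RE = re.compile(r"^([<>]) \S+ \S+ length=(\d+)")
HEX_BYTE_RE = re.compile(r"^[0-9a-fA-F]{2}$")

def parse_socat_dump(text: str):
    """Yield (direction, bytes) for each record of a 'socat -x -v' transcript."""
    direction, need, buf = None, 0, bytearray()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if direction is not None:
                yield direction, bytes(buf)
            direction, need, buf = m.group(1), int(m.group(2)), bytearray()
        elif direction is not None and not line.startswith("--"):
            # At most 16 bytes per line, followed by an ASCII column that can itself look
            # like hex ("BB"): stop at 16 tokens, a non-hex token, or the announced length.
            for tok in line.split()[:16]:
                if len(buf) >= need or not HEX_BYTE_RE.match(tok):
                    break
                buf.append(int(tok, 16))
    if direction is not None:
        yield direction, bytes(buf)

def split_frames(stream: bytes) -> list:
    """Cut a direction's byte stream into frames; the FCS covers Marker..MsgData."""
    frames, off = [], 0
    while off + 4 <= len(stream):
        if stream[off:off + 2] != b"\x42\x42":
            raise ValueError(f"no frame marker at offset {off}")
        length = int.from_bytes(stream[off + 2:off + 4], "little")
        if length < 5:  # TxCount + RxCount + MsgType + FCS is the minimum
            raise ValueError(f"bogus frame length {length} at offset {off}")
        end = off + 4 + length
        if end > len(stream):
            break  # trailing partial frame: it completes in the next chunk
        fcs = int.from_bytes(stream[end - 2:end], "little")
        frames.append(Frame(stream[off + 4], stream[off + 5], stream[off + 6],
                            stream[off + 7:end - 2], fcs,
                            crc16_x25(stream[off:end - 2]) == fcs))
        off = end
    return frames

def pascal_string(data: bytes, off: int = 0) -> str:
    """Length-prefixed string, as used in the Ident and DPAnnounce payloads."""
    return data[off + 1:off + 1 + data[off]].decode("ascii", errors="replace")

def decode_dump(text: str) -> dict:
    """Reassemble each direction's stream before framing: frames span socat records."""
    streams = {"<": bytearray(), ">": bytearray()}
    for direction, chunk in parse_socat_dump(text):
        streams[direction] += chunk
    return {d: split_frames(bytes(s)) for d, s in streams.items()}

def announced_dps(frames: list) -> list:
    """(DPRef, name) per DPAnnounce: 16-bit little-endian DPRef, then a PascalString."""
    return [(int.from_bytes(f.data[:2], "little"), pascal_string(f.data, 2))
            for f in frames if MSG_TYPES.get(f.msg_type) == "DPAnnounce"]
```

`decode_dump(SOCAT_DUMP)` yields one valid Enquiry frame in the host direction and seven valid target frames (Ident plus six DPAnnounce). Note the two checks a parser needs here: the per-record length from the socat header (otherwise the ASCII column "BB" would be swallowed as data), and reassembly per direction before framing, because the Marker and the rest of the Enquiry arrive in separate records.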
Message flow (part 1)
AT*EDEBUGMUX command
DCD (Data Carrier Detect) line
AT*EDEBUGMUX on other modem ports gives NO CARRIER
+++ / break yields nothing
DebugMuxServer ;)
Message flow (part 2)
DebugMuxClient → DebugMuxServer)
Payload is an arbitrary ASCII string to be echoed back
Ping with malformed Payload length ;)
Payload is basically a PascalString (length-prefixed string like \x04TEST)
With \xff we can retrieve 255 - 3 bytes
Message flow (part 3)
DPRef
DPRef values are not fixed and change every power cycle
ConnRef
DPAnnounce with a different DPRef, old DPRef becomes invalid
Message flow (part 4)
DebugMuxServer → DebugMuxClient) flow control mechanism
DebugMuxServer, to avoid overloading the target (limited CPU/RAM)
ConnData blocks the DebugMuxClient can send
DebugMuxClient decrements its DataBlockCount when sending a ConnData block
DataBlockCount gives quota to DebugMuxClient as soon as it can handle more blocks
FlowControl messages shall not be AC­Knowledged
Message flow (part 5)
Ns/Nr (Tx/Rx) counters
Ns before or after sending a frame?
Ack is special: does not increment the Ns of the sender
Ack is special: does not increment the Nr of the receiver
Ack is special: always has Ns=0xf1 (241)
Ack shall not be ACKnowledged (unlike RLC/MAC in GPRS!)
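The flow-control and counter rules from parts 4 and 5, as an added example that is not part of the sedbgmux code base: a minimal host-side peer that tracks Ns/Nr, refuses to send ConnData once the DataBlockCount quota for a ConnRef is exhausted, and treats Ack and FlowControl the way the slides describe (Ack does not touch either counter and is never acknowledged; FlowControl refills the quota and is never acknowledged). The exact increment point of Ns and the Nr handling for FlowControl are assumptions stated in the docstring; the replayed exchange uses ConnRef 0x9400 and DataBlockLimit 2 from the K800 Wireshark trace later in the deck, with constructed AT payloads.

```python
from dataclasses import dataclass, field

ACK_NS = 0xF1  # every Ack carries Ns=0xf1 (241); Acks are counted by neither side

class FlowControlBlocked(Exception):
    """The target's DataBlockCount for this connection is exhausted."""

@dataclass
class DebugMuxClient:
    """Host-side view of the Ns/Nr counters and the per-connection quota.

    Assumptions (the slides leave them open): Ns is stamped before incrementing, so
    the first non-Ack frame goes out with Ns=0, and every non-Ack frame received
    advances Nr by one (FlowControl included, since only Ack is exempt).
    """
    ns: int = 0
    nr: int = 0
    quota: dict = field(default_factory=dict)  # ConnRef -> remaining DataBlockCount
    sent: list = field(default_factory=list)

    def _emit(self, msg_type: str, **fields) -> dict:
        frame = {"type": msg_type, "ns": self.ns, "nr": self.nr, **fields}
        self.ns = (self.ns + 1) & 0xFF
        self.sent.append(frame)
        return frame

    def ack(self) -> dict:
        """An Ack acknowledges everything up to our Nr and leaves Ns untouched."""
        frame = {"type": "Ack", "ns": ACK_NS, "nr": self.nr}
        self.sent.append(frame)
        return frame

    def send_conn_data(self, conn_ref: int, payload: bytes) -> dict:
        """Spend one DataBlockCount unit; refuse to flood the target when it is at 0."""
        if self.quota.get(conn_ref, 0) <= 0:
            raise FlowControlBlocked(f"ConnRef=0x{conn_ref:04x}: wait for FlowControl")
        self.quota[conn_ref] -= 1
        return self._emit("ConnData", conn_ref=conn_ref, payload=payload)

    def receive(self, frame: dict) -> bool:
        """Account for a frame from the target; True means an Ack is now due."""
        if frame["type"] == "Ack":
            return False  # does not advance Nr and must not be ACKnowledged
        self.nr = (self.nr + 1) & 0xFF
        if frame["type"] == "FlowControl":
            self.quota[frame["conn_ref"]] = frame["data_block_limit"]
            return False  # counted, but FlowControl shall not be ACKnowledged
        return True

def run_exchange() -> list:
    """Replay the ConnEstablished / FlowControl / ConnData sequence from the K800 trace
    (ConnRef 0x9400, DataBlockLimit 2) and record what the client does."""
    client, log = DebugMuxClient(), []
    for frame in ({"type": "ConnEstablished", "conn_ref": 0x9400, "dp_ref": 0xB0E7},
                  {"type": "FlowControl", "conn_ref": 0x9400, "data_block_limit": 2}):
        if client.receive(frame):
            log.append(f"ack due (Nr={client.nr})")
    client.ack()
    for payload in (b"AT+CFUN?\r", b"AT+CGMI\r", b"AT\r"):  # constructed AT traffic
        try:
            f = client.send_conn_data(0x9400, payload)
            log.append(f"ConnData Ns={f['ns']} quota_left={client.quota[0x9400]}")
        except FlowControlBlocked:
            log.append("blocked: quota exhausted")
    client.receive({"type": "Ack", "ns": 0xFC, "nr": 4})  # target's Ack: Nr unchanged
    client.receive({"type": "FlowControl", "conn_ref": 0x9400, "data_block_limit": 2})
    log.append(f"quota={client.quota[0x9400]} Ns={client.ns} Nr={client.nr}")
    return log

if __name__ == "__main__":
    print("\n".join(run_exchange()))
```

The third ConnData is refused rather than queued, which is the point of the mechanism: the client must wait for the target's next FlowControl instead of pushing blocks at a peer with little CPU and RAM.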
_____ ______ _____ _ __ __
/ ____| ____| __ \| | | \/ |
| (___ | |__ | | | | |__ __ _| \ / |_ ___ __
\___ \| __| | | | | '_ \ / _` | |\/| | | | \ \/ /
____) | |____| |__| | |_) | (_| | | | | |_| |> <
|_____/|______|_____/|_.__/ \__, |_| |_|\__,_/_/\_\
__/ |
|___/
GPL-3.0-or-later
construct (https://github.com/construct/construct)
pyserial (https://github.com/pyserial/pyserial)
crcmod (https://crcmod.sourceforge.net/)
cmd2 (https://github.com/python-cmd2/cmd2)
pyshark (https://github.com/KimiNewt/pyshark)
Available utilities
sedbgmux-shell.py - interactive shell (pySim-shell ;))
sedbgmux-dump.py - dump management utility (native, socat, btpcap)
Installation from source
Easy, huh?
$ pip install --user git+https://gitea.osmocom.org/fixeria/sedbgmux.git
Installation from source
On modern distributions you’ll likely get this:
$ pip install --user git+https://gitea.osmocom.org/fixeria/sedbgmux.git
error: externally-managed-environment

× This environment is externally managed
╰─> To install Python packages system-wide, try 'pacman -S
    python-xyz', where xyz is the package you are trying to
    install.

    If you wish to install a non-Arch-packaged Python package,
    create a virtual environment using 'python -m venv path/to/venv'.
    Then use path/to/venv/bin/python and path/to/venv/bin/pip.

    If you wish to install a non-Arch packaged Python application,
    it may be easiest to use 'pipx install xyz', which will manage a
    virtual environment for you. Make sure you have python-pipx
    installed via pacman.
Installation from source
The recommended way:
$ virtualenv --system-site-packages myenv
$ source myenv/bin/activate
(myenv) $ pip install git+https://gitea.osmocom.org/fixeria/sedbgmux.git
Packages
$ sedbgmux-shell.py -p /dev/ttyACM0 # <1>
Welcome to DebugMux client for [Sony] Ericsson phones and modems!
DebugMux ('/dev/ttyACM0')> connect # <2>
DebugMux ('/dev/ttyACM0')> enquiry # <3>
[INFO] client.py:185 Identified target: 'Sony Ericsson C510', IMEI=354008032409208
[INFO] client.py:191 Data Provider available (DPRef=0xe494): 'OSEGW! 100 1'
[INFO] client.py:191 Data Provider available (DPRef=0xe495): 'Tvp'
[INFO] client.py:191 Data Provider available (DPRef=0xe496): 'ACC - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe497): 'APP - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe498): 'SDKSERVER'
<1> -p specifies the modem port (/dev/ttyACM0 by default, 115200 8N1)
<2> DebugMux mode activation (sending the AT*EDEBUGMUX command)
<3> Send the Enquiry message
$ sedbgmux-shell.py -p /dev/ttyACM0
Welcome to DebugMux client for [Sony] Ericsson phones and modems!
DebugMux ('/dev/ttyACM0')> connect
DebugMux ('/dev/ttyACM0')> enquiry
[INFO] client.py:185 Identified target: 'Sony Ericsson C510', IMEI=354008032409208
[INFO] client.py:191 Data Provider available (DPRef=0xe494): 'OSEGW! 100 1'
[INFO] client.py:191 Data Provider available (DPRef=0xe495): 'Tvp'
[INFO] client.py:191 Data Provider available (DPRef=0xe496): 'ACC - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe497): 'APP - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe498): 'SDKSERVER'
DebugMux ('/dev/ttyACM0')> establish 0xe496 terminal
[INFO] base.py:78 Establishing connection with DPRef=0xe496
[INFO] client.py:199 Rx ConnEstablished: ConnRef=0x3d00, DPRef=0xe496
[INFO] base.py:94 Connection established: DPRef=0xe496, ConnRef=0x3d00, DataBlockLimit=256
... Hit Ctrl + C to escape and terminate connection
[INFO] base.py:87 Terminating connection ConnRef=0x3d00 with DPRef=0xe496
[INFO] client.py:220 Rx ConnTerminated: ConnRef=0x3d00, DPRef=0xe496
[INFO] base.py:104 Connection terminated: DPRef=0xe496, ConnRef=0x3d00
[INFO] client.py:191 Data Provider available (DPRef=0xe499): 'ACC - Print Server Channel'
$ sedbgmux-dump.py
usage: sedbgmux-dump [-h] [-v] [-dm MODULE] command ...
sedbgmux-dump: error: the following arguments are required: command
$ sedbgmux-dump.py list-formats
auto    Automatic dump format detection (by filename)
native  Native binary dump format for this package
socat   ASCII hexdump generated by socat (-x option)
btpcap  PCAP file with Bluetooth RFCOMM packets # <1>
<1> Requires the pyshark dependency
$ sedbgmux-dump.py parse -dp samples/K850_R1FA035_enquiry.dump
[INFO] dump_native.py:46 Opening dump file samples/K850_R1FA035_enquiry.dump (readonly mode)
Record #0000 @ 1712684215.269243 Tx 42420500010065693e
  DebugMux Tx frame (Ns=001, Nr=000, fcs=0x3e69) Enquiry
Record #0001 @ 1712684215.270970 Rx 42422b00000266e7b07e1621536f6e79204572696373736f6e204b383530333538383734303130333330373234ace4
  DebugMux Rx frame (Ns=000, Nr=002, fcs=0xe4ac) Ident e7b07e1621536f6e79204572696373736f6e204b383530333538383734303130333330373234
  Container:
    Magic = b'\xe7\xb0~\x16' (total 4)
    Ident = u'Sony Ericsson K85035887401033072'... (truncated, total 33)
Record #0002 @ 1712684215.271605 Rx 4242150001026994e40d5475726e696e6720546f72736fd19d
  DebugMux Rx frame (Ns=001, Nr=002, fcs=0x9dd1) DPAnnounce 94e40d5475726e696e6720546f72736f
  Container:
    DPRef = 0xE494
    Name = u'Turning Torso' (total 13)
Record #0003 @ 1712684215.271931 Rx 42420b0002026995e403547670b482
  DebugMux Rx frame (Ns=002, Nr=002, fcs=0x82b4) DPAnnounce 95e403547670
  Container:
    DPRef = 0xE495
    Name = u'Tvp' (total 3)
Record #0004 @ 1712684215.272249 Rx 4242220003026996e41a414343202d205072696e7420536572766572204368616e6e656c960b
  DebugMux Rx frame (Ns=003, Nr=002, fcs=0x0b96) DPAnnounce 96e41a414343202d205072696e7420536572766572204368616e6e656c
  Container:
    DPRef = 0xE496
    Name = u'ACC - Print Server Channel' (total 26)
Record #0005 @ 1712684215.272543 Rx 4242220004026997e41a415050202d205072696e7420536572766572204368616e6e656c7c84
  DebugMux Rx frame (Ns=004, Nr=002, fcs=0x847c) DPAnnounce 97e41a415050202d205072696e7420536572766572204368616e6e656c
  Container:
    DPRef = 0xE497
    Name = u'APP - Print Server Channel' (total 26)
Record #0006 @ 1712684215.272810 Rx 4242290005026998e421486f737420496e7465726661636520546573742046696c65205472616e73666572d95e
  DebugMux Rx frame (Ns=005, Nr=002, fcs=0x5ed9) DPAnnounce 98e421486f737420496e7465726661636520546573742046696c65205472616e73666572
  Container:
    DPRef = 0xE498
    Name = u'Host Interface Test File Transfe'... (truncated, total 33)
Record #0007 @ 1712684215.273053 Rx 4242110006026999e40953444b534552564552fbf3
  DebugMux Rx frame (Ns=006, Nr=002, fcs=0xf3fb) DPAnnounce 99e40953444b534552564552
  Container:
    DPRef = 0xE499
    Name = u'SDKSERVER' (total 9)
Record #0008 @ 1712684215.273232 Tx 42420500f1017120fd
  DebugMux Tx frame (Ns=241, Nr=001, fcs=0xfd20) Ack
Record #0009 @ 1712684215.273587 Tx 42420500f10771f0a9
  DebugMux Tx frame (Ns=241, Nr=007, fcs=0xa9f0) Ack
Wireshark dissector
simtrace.lua
$ cd sedbgmux/
$ cp contrib/sedbgmux.lua ~/.local/lib/wireshark/plugins/
$ tshark -r samples/k800_tems.pcapng.gz -Y btrfcomm -d "btrfcomm.dlci==4,sedbgmux" | less
661 380.123302 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 51 (Ns=002, Nr=003) ConnEstablish
665 380.170103 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 67 (Ns=003, Nr=003) ConnEstablished, FlowControl
667 380.170103 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 52 (Ns=005, Nr=003) FlowControl
669 380.185703 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 49 (Ns=241, Nr=006) Ack
673 380.185703 localhost () → Sony_2c:45:df (TEMS K800i) SPP 49 Sent "AT+CFUN?\r"
677 380.201303 Sony_2c:45:df (TEMS K800i) → localhost () SPP 49 Rcvd "AT+CFUN?\r"
679 380.216903 Sony_2c:45:df (TEMS K800i) → localhost () SPP 52 Rcvd "\r\n+CFUN: 1\r\n"
681 380.216903 Sony_2c:45:df (TEMS K800i) → localhost () SPP 46 Rcvd "\r\nOK\r\n"
683 382.026506 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 64 (Ns=003, Nr=006) ConnData
687 382.042106 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 49 (Ns=252, Nr=004) Ack
689 382.042106 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 52 (Ns=006, Nr=004) FlowControl
691 382.057706 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 49 (Ns=241, Nr=007) Ack
695 382.088906 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 78 (Ns=007, Nr=004) ConnData
697 382.104506 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 49 (Ns=241, Nr=008) Ack
Wireshark dissector
SEDbgMux Frame: (Ns=002, Nr=003) ConnEstablish
    Frame Marker: 4242
    Frame Length: 7
    Tx Count: 2
    Rx Count: 3
    Message Type: ConnEstablish (0x6b)
    Message Data: e7b0
        Data Provider Reference: 0xb0e7 (45287)
    Frame Check Sequence: 27468 [valid]
SEDbgMux Frame: (Ns=003, Nr=003) ConnEstablished
    Frame Marker: 4242
    Frame Length: 11
    Tx Count: 3
    Rx Count: 3
    Message Type: ConnEstablished (0x6c)
    Message Data: e7b000940002
        Data Provider Reference: 0xb0e7 (45287)
        Connection Reference: 0x9400 (37888)
    Frame Check Sequence: 61606 [valid]
SEDbgMux Frame: (Ns=004, Nr=003) FlowControl
    Frame Marker: 4242
    Frame Length: 8
    Tx Count: 4
    Rx Count: 3
    Message Type: FlowControl (0x70)
    Message Data: 009402
        Connection Reference: 0x9400 (37888)
        Data Block Limit: 2
    Frame Check Sequence: 12386 [valid]
Module Hierarchy
sedbgmux
  proto - DebugMux protocol definition
  peer - [abstract] peer implementation
  client - client role implementation
  ping_pong - link testing logic
sedbgmux.io - input/output logic
  base - base/abstract classes
  modem - modem I/O layer (AT commands)
  dump_native, dump_socat, dump_btpcap - dump formats
sedbgmux.ch - connection handlers
  base - base/abstract classes
  terminal - read from stdin, write to stdout
  file_logger - write received data to a file
  udp_proxy - send/receive data via a UDP socket
  walk - recursively list available entries in Interactive Debug
DPs
Name | Mode | Description |
---|---|---|
Tvp | Binary | Test and Verification Protocol |
Print Server Channel | ASCII (Rx only) | APP/ACC CPU debug logging |
ACC - Print Server Channel | ASCII (Rx only) | ACC (access) CPU debug logging |
APP - Print Server Channel | ASCII (Rx only) | APP (application) CPU debug logging |
Interactive Debug | ASCII (Rx/Tx) | APP/ACC CPU interactive debug |
ACC - Interactive Debug | ASCII (Rx/Tx) | ACC (access) CPU interactive debug |
APP - Interactive Debug | ASCII (Rx/Tx) | APP (application) CPU interactive debug |
 | ASCII (Rx only) | UI (User Interface) debug logging |
 | ASCII (Rx/Tx) | AT command interpreter |

Name | Description |
---|---|
SDKSERVER | seen mostly on all A2 phones |
OSEGW! 100 1 | seen on C510 (R1HA035), C905 (R1FA035), F5521gw (R2A07), G705 (R1FA035) |
Host Interface Test File Transfer | OBEX? seen on W595 (R3EA037), K850 (R1FA035) |
Turning Torso | A skyscraper in Sweden? seen on T700 (R3CA017), K850 (R1FA035) |
Print Server Channel
VPPFLASH)
ACC / APP / UI Debug variants
ACC - access (baseband) processor logging
APP - application processor logging
Print Server Channel (example 1)
BuildInfo: Label: <LD_SAGARMATHA_R5A010_R2E_EC08_090818_1737> Variant: <ACCESS_EXPRESS_CARD_CHW>
BuildInfo: Generated: 2009-08-18 17:51 by Off.Bld
Product : <F3607gw> Version: 0000
HW Setup : NOT SPECIFIED (Id:0x2f0) IRDA: 0033 BT: 0035 RS232: 004A
Vendor : <Ericsson> PNP: ERI USB: 0BDB BT: 0000
--------------------------------
OS: Physical Memory Configuration:
krn/phys_mem/RAM/1=base:0x48800000 size:0x77f000
krn/phys_mem/TEXT2/1=base:0x48100000 size:0x700000
__RAMLOG_SESSION_START__
WARNING illegal format of parameter, equal sign missing on row:54 (Not counting empty lines)
cpu_hal_920: Detected ARM926 Rev 5
mm: config init (hal version=hal_mmu)
mm: boot heap auto-configured, name:MM-meta-data, boot_base=0x48f56000, boot_size=0x9000
mm: log_mem 0xffff0000->0xffffffff:BOOTROM type:SASE.
mm: log_mem 0x00010000->0x00010fff:COPSROM_DTCM type:SASE.
mm: log_mem 0x48f7f000->0x48f7ffff:COPSROM_DTCM_PHY type:SASE.
mm: log_mem 0x20400000->0x20452fff:DSP_EXTRAM type:SASE.
mm: log_mem 0x20000000->0x2000ffff:DSP_INTDRAM type:SASE.
mm: log_mem 0x00008000->0x00009fff:DTCM type:SASE.
mm: log_mem 0x90000000->0x90ffffff:HAL type:SAS.
mm: log_mem 0xc0000000->0xc0047fff:IO type:SASE.
mm: log_mem 0xa0000000->0xa0003fff:IO_AHB type:SASE.
mm: log_mem 0000000000->0x00005fff:ITCM type:SASE.
mm: log_mem 0x80800000->0x8fffffff:RAM type:SAS.
mm: log_mem 0x48800000->0x48f5efff:RAM_SASE type:SASE.
mm: log_mem 0x4ffff000->0x4fffffff:SEMI_Arbiter type:SASE.
mm: log_mem 0x4fffe000->0x4fffefff:SEMI_Config type:SASE.
mm: log_mem 0x48f80000->0x48ffffff:SHARED_MM_BUFFERS type:SASE.
mm: log_mem 0x48000000->0x480fffff:TEXT type:SASE.
mm: log_mem 0x48100000->0x487fffff:TEXT2 type:SASE.
mm: log_mem 0xc2000000->0xc211ffff:WCDMA_IO type:SASE.
mm: log_mem 0xc3000000->0xc301ffff:WCDMA_MCRAM type:SASE.
mm: log_mem 0xc4000000->0xc43fffff:WCDMA_RAM type:SASE.
Print Server Channel (example 2)
### Print Server: Requesting DebugMux channel...
1190 ### Print Server: Started OK
1193 GDFS_SRV State 3-Open
1194 [ICC-LD] ICC_Reader_0_Process Started
1194 [ICC-LD] Status Changed: ICC_READER_DEACTIVATED, Reader: 0
1194 ACC HQA process started OK
1194 NS_G23_RLC_UL D: RLC_LLC
1194 NS_G23_RLC_UL D: RLC_GMM_DATA_REQ = 469981056
1194 NS_G23_RLC_UL D: RLC_DATA_REQ = 469981120
1194 NS_G23_RLC_UL D: RLC_UNITDATA_REQ = 469981184
1194 NS_G23_RLC_UL D: RLC_RLC_DATA_REQ = 469981312
1194 NS_G23_RLC_UL D: RLC_RLC_UNITDATA_REQ = 469981376
1194 NS_G23_RLC_UL D: RLC_DATA_RSP = 469981632
1194 NS_G23_RLC_UL D: LLC_RLC
1194 NS_G23_RLC_UL D: RLC_DATA_CNF = 469981696
1194 NS_G23_RLC_UL D: RLC_DATA_IND = 469981760
1194 NS_G23_RLC_UL D: RLC_STATUS_IND = 469981824
1194 NS_G23_RLC_UL D: RR_RLC
1194 NS_G23_RLC_UL D: RR_TBF_ESTABLISH_REQ = 469970880
1194 NS_G23_RLC_UL D: RR_UPLINK_TBF_RELEASE_REQ = 469971008
1194 NS_G23_RLC_UL D: RR_DOWNLINK_TBF_RELEASE_REQ = 469971072
1194 NS_G23_RLC_UL D: RR_TBF_RELEASE_RSP = 469971136
1194 NS_G23_RLC_UL D: RR_DOWNLINK_ACK_NACK_REQ = 469971200
Print Server Channel (example 3)
27299 R:1018 49 5 49 5
27319 DL_DATA_IND = 05 12 06 1b 87 03 90 5f 1c a9 52 6c f6 b9 21 37 7a 56 f9 20 10 94 29 fa f7 38 09 00 00 00 a9 57 56 40 6e a3 9e
27319 MM: Authentication
27319 MM: Net sends CKSN=6
27355 MM: Authentication: SIM_ISO_NORMAL_COMPLETION
27355 MM: Authentication: SIM_AKA_RESPONSE_RES
27355 DL_DATA_REQ = 05 54 70 3a 6f 54 21 04 d9 8f 73 0b
27355 CAS Proxy: <From CAS> RRC_NEW_KEYS_REQ
27355 TASK: Received RRC_NEW_KEYS_REQ from CAS.
27378 DL: Rx ERROR_FRAME 05 T:18
27396 si6:2d061e032352f020154bd8ff2ab4ff97208df400010001
27417 R:1018 49 5 49 5
27437 DL_DATA_IND = 06 35 11
27437 DL_DATA_REQ = 06 32 17 09 33 95 80 07 01 55 94 22 f4
27495 DL_DATA_IND = 05 32 46 82 47 42 40 42 11 65 80 82 49 01 00
27496 MM: dispatch NITZ time info
27496 [ClockBook#105] Created
27500 [ClockBook#105] Goto SetClockBook_BasePage
27501 [ClockBook#105] Goto SetBook_ReceiveNitz_YesNoQuestionNewZone_Page
27503 FS: Partition /ifs set to dirty
27506 FS: Partition /ifs set to clean
27521 [ClockBook#105] Destroyed
27522 *********
27522 [Application session list]
27522 [Session#1 "Standby"] (W1) Books: 1 - [StandbyBook#88]
27523 [Session#14 "Desktop"] (W1) Books: 1 - [MenuBook#103]
27524 (4 window-less sessions ignored)
27524 *********
27535 R:1018 49 4 49 4 1019 46 54 7,
27554 DL_DATA_IND = 05 02 52 f0 20 15 4b 17 05 f4 9b 0a d0 ff
27555 MM: Location Updating Accept
27555 MM: new TMSI = 9b 0a d0 ff
Print Server Channel (example 4)
37279 CHARGING DATA: Vch 5000, Ich 0, Vbat 4057, Ibat -699, VFET 4150, IFET 0, PDiss 6892, Temp 42+
37494 TL_Counter 6 CDT_Counter 21
37495 MPH Serving
37495 817 -70 41 43 QB=4982
37495 MPH TopList
37495 1018 -63 37 39 65535 = 0x00e00000 0x0a 4783 059 0x0323 2
37495 1019 -64 36 38 147 0x1522 0x00a00000 0x0a 3072 054 0x0336 0
37495 815 -74 x x 0 0x0000 0x00000060 0x01 0 255 0x0000 0
37495 878 -75 36 38 92 = 0x00e00000 0x0a 4976 014 0x0aeb 0
37495 114 -78 22 24 147 = 0x00e00000 0x0a 4976 043 0x0ae7 0
37495 1016 -79 x x 100 0x0000 0x00000060 0x01 2392 035 0x0000 0
Print Server Channel (example 5)
139144 RLC_UL: P_Q_P G=0, P=1, S=0, C=1, I=0
139144 RLC_UL: ExtendedUplink_TBF == TRUE
139144 RLC_UL: S Ack Est:ed
139144 GMM<-RH_TRIGGER_IND
139144 GMM: READY_TIMER 44
139148 RLC_UL: Put QI =1:
139148 RLC_UL: PDU: RP:1,PTC:1,Len:67,SAPI:1, UI N(U)=4 E=1 PM=1
139148
139148 RLC_UL: P_Q_P G=0, P=2, S=0, C=2, I=0
139148 RLC_UL: QI=0 Last BSN=0
139148 RLC_UL: P_Q_S G=0, P=2, S=1, C=2, I=0
139148 RLC_UL: S Ack Cd
139148 RR: PUA
139148 PUA RlcMac_DL = 47 28 31 04 bf 40 20 03 a8 9b 16 02 1d 2e 2b 2b 2b 2b 2b 2b 2b 2b 2b
139149 RR state 12 ud
139149 MPH_Low SCH 1019 1 MessageOK == FALSE
139149 MPH_PKT_DED_IND
139149 GMM<-RH_TRIGGER_IND
139150 GMM: READY_TIMER 44
139164 RLC_UL: QI=1 Last BSN=3
139164 RLC_UL: P_Q_S G=0, P=2, S=2, C=2, I=0
139173 TFI U, 21, not our
139178 MPH_Low SCH 1019 1 MessageOK == FALSE
139184 TFI U, 22
139184 RR: PUAN
139184 RLC_UL: V(A)=4, V(S)=4
139184 RLC_UL: Freeing QI=0
139184 RLC_UL: P_Q_G G=1, P=2, S=2, C=1, I=0
139184 RLC_UL: PDU: RP:1,PTC:1,Len:8,SAPI:1, UI N(U)=3 E=1 PM=1
139184
139184 RLC_UL: Freeing QI=1
139184 RLC_UL: P_Q_G G=2, P=2, S=2, C=0, I=0
139184 RLC_UL: PDU: RP:1,PTC:1,Len:67,SAPI:1, UI N(U)=4 E=1 PM=1
Interactive Debug (part 1)
K610/R1BA022, T700/R3CA017
VPPFLASH)
F3607gw, F5521gw, EC400, MD400[g]
ACC / APP variants
DebugMux ('/dev/ttyACM0')> establish 0x9b42 terminal
[INFO] base.py:78 Establishing connection with DPRef=0x9b42
[INFO] client.py:199 Rx ConnEstablished: ConnRef=0x3200, DPRef=0x9b42
[INFO] base.py:94 Connection established: DPRef=0x9b42, ConnRef=0x3200, DataBlockLimit=300
Welcome to Interactive Debug
[root]
Interactive Debug (part 2)
DIR), commands (CMD), variables (u1, u2, u4, …)
. - repeat the last command
ls / dir - directory listing
cd - change directory (CWD displayed in prompt)
r / w - read / write a variable
walker
samples/*.list
DebugMux ('/dev/ttyACM0')> establish 0x9b42 walker > samples/interactive_debug.list
Interactive Debug (example 1)
ACC - Interactive Debug
Welcome to Interactive Debug
[root] ls
Contents of directory root:
RS232 <DIR>
USB <DIR>
DebugMux <DIR>
TupL2 <DIR>
WAS_L2 <DIR>
WAS_RRC <DIR>
Channels <DIR>
TaskSupervisor <DIR>
AT <DIR>
DSPIF <DIR>
WCDMA_L1 <DIR>
DHCPC <DIR>
PD_I2C <DIR>
LLRS232 <DIR>
ICA <DIR>
CAS <DIR>
NTCSD <DIR>
HCITL <DIR>
BT <DIR>
GAS <DIR>
USBLD <DIR>
MTP <DIR>
Interactive Debug (example 2)
ACC - Interactive Debug
[root] cd WAS_RRC
[WAS_RRC] ls
Contents of directory WAS_RRC:
MaxTxPowerComp <CMD>
SetHS_DSCH_PhysicalLayerCategory <CMD>
ToggleAckOnConnSetCmpl <CMD>
ToggleCipheringCapability <CMD>
ToggleDetectedCellsHandling <CMD>
ToggleHSDPA_Capabilties <CMD>
ToggleHSUPA_Capabilties <CMD>
ToggleNeedOfCM <CMD>
ToggleInterFreqEventsHandling <CMD>
ToggleResetWandaFlag <CMD>
ToggleRFC_2507_Capability <CMD>
ToggleRRC_CapabilitiesR99_OR_REL5 <CMD>
PrintControl <DIR>
RRC_C_PlaneDataCtrl_cap <DIR>
RRC_ConfigurationCtrl_cap <DIR>
BLER (u2)
Interactive Debug (example 3)
ACC - Interactive Debug
[root] cd NTCSD
[NTCSD] ls
Contents of directory NTCSD:
L2RCOP <DIR>
RLP <DIR>
dump <CMD>
get_process_name <CMD>
hangup <CMD>
ntcsd_call_statistics <CMD>
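An added example (not the project's `walk` connection handler) of what a walker over these listings has to do: parse `ls` output into directory, command and variable entries, recurse with `cd`, and bound the recursion depth. The in-memory `FakeInteractiveDebug` target, its abridged tree built from the listings above, and its support for `cd ..` are constructed for this example and are assumptions about the real DP, not behaviour documented on the slides.

```python
import re
from dataclasses import dataclass

# One listing line: "RS232 <DIR>", "dump <CMD>" or "BLER (u2)" (variable with its type).
ENTRY_RE = re.compile(r"^(\S+)\s+(?:<(DIR|CMD)>|\((\w+)\))$")

@dataclass(frozen=True)
class Entry:
    path: str   # slash-joined path from root, e.g. "WAS_RRC/BLER"
    kind: str   # "DIR", "CMD" or a variable type such as "u2"

def parse_listing(text: str) -> list:
    """Turn the output of `ls` into (name, kind) pairs; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2) or m.group(3)))
    return entries

def walk(send, prefix: str = "", max_depth: int = 8) -> list:
    """Recursively `ls` a directory, `cd` into each subdirectory and back out.

    `send(cmd)` returns the target's reply. The depth cap guards against a tree
    that is deeper than expected (or a `cd` that silently did not move).
    """
    if max_depth < 0:
        raise RecursionError(f"directory nesting too deep below {prefix!r}")
    found = []
    for name, kind in parse_listing(send("ls")):
        path = prefix + name
        found.append(Entry(path, kind))
        if kind == "DIR":
            send(f"cd {name}")
            found.extend(walk(send, path + "/", max_depth - 1))
            send("cd ..")
    return found

# Constructed stand-in for a target's Interactive Debug DP, populated from the
# listings on the slides (abridged). Support for `cd ..` is an assumption.
SAMPLE_TREE = {
    "WAS_RRC": {"MaxTxPowerComp": "<CMD>", "ToggleCipheringCapability": "<CMD>",
                "PrintControl": {}, "BLER": "(u2)"},
    "NTCSD": {"L2RCOP": {}, "RLP": {}, "dump": "<CMD>", "hangup": "<CMD>"},
    "AT": {},
}

class FakeInteractiveDebug:
    def __init__(self, tree: dict):
        self.tree, self.cwd = tree, []

    def _node(self) -> dict:
        node = self.tree
        for name in self.cwd:
            node = node[name]
        return node

    def send(self, cmd: str) -> str:
        if cmd == "ls":
            lines = [f"Contents of directory {self.cwd[-1] if self.cwd else 'root'}:"]
            for name, value in self._node().items():
                lines.append(f"{name} <DIR>" if isinstance(value, dict) else f"{name} {value}")
            return "\n".join(lines)
        if cmd == "cd ..":
            self.cwd.pop()
            return ""
        if cmd.startswith("cd "):
            if not isinstance(self._node().get(cmd[3:]), dict):
                raise KeyError(cmd[3:])
            self.cwd.append(cmd[3:])
            return ""
        raise ValueError(f"unsupported command: {cmd}")

def walk_tree(tree: dict) -> list:
    """Walk a constructed tree through the fake target and return (path, kind) tuples."""
    return [(e.path, e.kind) for e in walk(FakeInteractiveDebug(tree).send)]
```

With a real connection, `send` would be the function that writes a line to the Interactive Debug DP and collects the reply up to the next prompt; the walker itself only ever issues `ls` and `cd`, so it reads the tree without touching any variable or command.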
Tvp (Test and Verification Protocol)
Print Server DPs
TEMS Investigation and TSCom/TSProbe/TSTool
LU-CS-EX: 2006-2
Probes ("test points")
Probe has its own unique 16-bit ID (statically assigned)
Probe can be activated and deactivated by the host software
Probe can "emit" some data (UL/DL RR payload, for instance)
Stimuli) to be executed at a Probe
Probes belong to sub-systems (PLAT, TEST, TEMS, POCK, TECH)
Probes can be used
samples/k800_tems.pcapng.gz
sedbgmux-dump.py parse -dp -cd samples/k800_tems.pcapng.gz
== GetAuthReq (1st step): request sub-system activation
0d00 022c 0a000101 04 54454d53
---- ---- -------- -----------
Length ???? ???????? PascalString('TEMS')
== GetAuthAck (2nd step): target sends the challenge
1b00 9041 0b00000001 0110 3038490bfd6418aa83afcb590a77961a
1b00 9041 0b00000001 0110 e6df5760450e94467f3ac25a1bf210aa
1b00 9041 0b00000001 0110 8497e60206c7c2ad7112694af7ab3b02
1b00 9041 0b00000001 0110 b22ec2e900c6eecbd5286163849a53ea
---- ---- ---------- ---- --------------------------------
Length ???? ?????????? ???? Challenge (32 chars)
== SetAuthReq (3rd step): host solves the challenge and responds
1d00 022c 0a01020114 54454d53 7baa687f7a6ba22c6703e954ac2f3347
1d00 022c 0a01020114 54454d53 075fbea8fcb3c55b970c2e58ee0d7e92
1d00 022c 0a01020114 54454d53 5406efcba5d87dddf02f33a84e388251
1d00 022c 0a01020114 54454d53 90b798e9780fd9c8bda8c53e3403c5d9
---- ---- ---------- -------- --------------------------------
Length ???? ?????????? 'TEMS' Response (32 chars)
== SetAuthAck (4th step): target sends auth result
0c00 9041 0b01000001 011400
---- ---- ---------- ------
Length ???? ?????????? ??????
Project plans
Find a proper way to escape DebugMux mode
DbgMuxClient: fix/improve ACKnowledgement logic
Acknowledgements
Osmocom
/ @Laf0rge
for hosting the project
@roox
for doing the research together with me and his contributions
@Sec
for helping with reversing the FCS (CRC16) algorithm
Thank you for your attention!