Motivation

What this talk is going to be about?

Sharing knowledge about undocumented, vendor specific, ad-hoc protocol
Sharing knowledge on protocol analysis, reverse engineering, and the tooling
Obtaining baseband logging from old Sony Ericsson phones and Ericsson modems

What’s so special about Sony Ericsson?

I am a big fan of the good old Sony Ericsson phones
- Owned DB2010/J300 and DB3150/W595 back in the days
- Used DB3150/W595 again in 2019-2021
- Collecting (more than 35 phones in collection)
I am curious to understand how TEMS Investigation works
I like exploring weird binary protocols ;)
I also like hidden menus and stuff like that

Usability

Unlikely will be useful in 2024
Ericsson’s baseband stopped at UMTS (no LTE)
Mostly archaeological interest
- May still be useful for debugging the Osmocom RAN/CNI

The Concept

Figure 1. DebugMux Component diagram

DP (Data Provider) - a subsystem/component/process on the target
CA (Client Application) - an application on the host side
DebugMux - a vendor specific interface/protocol
- exposed by Sony Ericsson phones (A1 DB2xxx, A2 DB3xxxx)
- exposed by Ericsson modems (F3607gw, F5521gw, EC400, MD400[g])
- provides means for DPs and CAs to communicate with each other
- various transport layers: USB, BT, IrDA (modem mode)
- only one DebugMuxClient connection
- multiple one-to-one DP connections in parallel

Existing Software

The following software is known to "speak" DebugMux protocol:

"DbgMuxLogger" by Ericsson Mobile Platforms AB
"DbgMuxServer" by Ericsson Mobile Platforms AB
"EMBLA Logger" by Ericsson AB
"TEMS Investigation" by Ericsson/Ascom/Infovista
"TSCom/TSProbe/TSTool" by Ericsson Mobile Platforms AB (?)

Those are all proprietary, black-box binaries for MS Windows.

Existing Software

EMBLA Logger

DbgMuxLogger

Existing Software

DbgMuxLogger

Existing Software

TEMS Investigation

DebugMux Protocol

First steps understanding the protocol (collecting samples)

Finding a software that speaks DebugMux
- I found DebugMuxLogger and DebugMuxServer (thanks to gsmforum.ru)
Setting up a QEMU VM with a Windows XP guest
Sniffing the serial communication
- I tried Free Device Monitoring Studio (Windows app)
- A better way using qemu & socat:
  - pass -serial unix:/tmp/qemu.sock,server=on,wait=off to qemu
  - run socat -x -v $PORT,raw,echo=0,ignoreeof=0,nonblock=1 "unix-connect:/tmp/qemu.sock" 2>&1

The output of socat

< 2024/04/26 02:15:11.000903764  length=2 from=16 to=17
 42 42                                            BB
--
< 2024/04/26 02:15:11.000904430  length=7 from=18 to=24
 05 00 01 00 65 69 3e                             ....ei>
--
> 2024/04/26 02:15:11.000906043  length=218 from=63 to=280
 42 42 20 00 00 02 66 e7 b0 7e 16 16 46 33 36 30  BB ...f..~..F360
 37 67 77 33 35 36 33 39 37 30 33 33 33 38 34 38  7gw3563970333848
 35 30 77 b7 42 42 22 00 01 02 69 94 e4 1a 41 43  50w.BB"...i...AC
 43 20 2d 20 50 72 69 6e 74 20 53 65 72 76 65 72  C - Print Server
 20 43 68 61 6e 6e 65 6c 21 1f 42 42 1f 00 02 02   Channel!.BB....
 69 95 e4 17 41 43 43 20 2d 20 49 6e 74 65 72 61  i...ACC - Intera
 63 74 69 76 65 20 44 65 62 75 67 97 2d 42 42 0b  ctive Debug.-BB.
 00 03 02 69 96 e4 03 54 76 70 34 c3 42 42 22 00  ...i...Tvp4.BB".
 04 02 69 97 e4 1a 41 50 50 20 2d 20 50 72 69 6e  ..i...APP - Prin
 74 20 53 65 72 76 65 72 20 43 68 61 6e 6e 65 6c  t Server Channel
 7c 84 42 42 1f 00 05 02 69 98 e4 17 41 50 50 20  |.BB....i...APP
 2d 20 49 6e 74 65 72 61 63 74 69 76 65 20 44 65  - Interactive De
 62 75 67 2c 69 42 42 11 00 06 02 69 99 e4 09 53  bug,iBB....i...S
 44 4b 53 45 52 56 45 52 fb f3                    DKSERVER..

DebugMux Protocol

First steps understanding the protocol (Twitter power)

DebugMux Protocol

DebugMux frame structure

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Marker (\x42\x42)       |          Length (LE)          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    TxCount    |    RxCount    |    MsgType    |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               +
|                            MsgData                            |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |              FCS              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

HDLC-like frames, but not HDLC
- the same frame format for all kind of messages
- no start/stop flags, but only the start Marker (0x4242)
  - 0x4242 needs not to be escaped within the frame
- Rx/Tx counters for loss detection
- FCS is CRC16 (poly 0x11021, bit reverse algorithm)
  - kudos to @Sec for finding the CRC function parameters!

DebugMux Protocol

Table 1. Known message types
Value	Direction	Name	Description
`0x65 ('e')`	→	Enquiry	Enquiry the target info and available DPs
`0x66 ('f')`	←	Ident	Target info (model, IMEI)
`0x67 ('g')`	→	Ping	Used for connection testing
`0x68 ('h')`	←	Pong	Used for connection testing
`0x69 ('i')`	←	DPAnnounce	`Data Provider` availability announce
`0x6a ('j')`	?	?	`Data Provider` unavailability announce?
`0x6b ('k')`	→	ConnEstablish	Connection establishment command
`0x6c ('l')`	←	ConnEstablished	Connection establishment result
`0x6d ('m')`	→	ConnTerminate	Connection termination command
`0x6e ('n')`	←	ConnTerminated	Connection termination result
`0x6f ('o')`	←/→	ConnData	Connection data
`0x70 ('p')`	←	FlowControl	Connection flow control
`0x71 ('q')`	←/→	Ack	Acknowledge

DebugMux Protocol

Message flow (part 1)

Figure 2. DebugMux mode activation

DebugMux mode is activated by sending a special AT*EDEBUGMUX command
- The modem switches to binary mode and asserts DCD (Data Carrier Detect) line
- Only one client connection; sending AT*EDEBUGMUX on other modem ports gives NO CARRIER
It’s yet unknown how to deactivate DebugMux mode
- Ericsson’s DbgMuxLogger software is capable of doing this somehow
- Sending +++ / break yields nothing
- Workaround: crash DebugMuxServer ;)
  - this usually transfers control back to the AT interpreter
  - … but may cause the target to reboot in some cases
- Alternatively, reset the transport layer (re-plug USB, reconnect BT/IrDA)

DebugMux Protocol

Message flow (part 2)

Figure 3. Target identification and DP enquiry

Figure 4. Link testing (optional)

Ping is unidirectional (DebugMuxClient → DebugMuxServer)
- The Payload is an arbitrary ASCII string to be echoed back
- BUG: can dump target’s memory by sending a Ping with malformed Payload length ;)
  - The Payload is basically a PascalString (length-prefixed string like \x04TEST)
  - By sending \xff we can retrieve 255 - 3 bytes

DebugMux Protocol

Message flow (part 3)

Figure 5. DebugMux connection establishment/termination

Each DP has its own unique DPRef
- DPRef values are not fixed and change every power cycle
Each connection has its own ConnRef
Multiple one-to-one connections can be established with DPs
Only one connection can be established with a single DP
- A DP becomes unavailable after connection establishment
- A DP becomes available again after connection termination
  - DPAnnounce with a different DPRef, old DPRef becomes invalid

DebugMux Protocol

Message flow (part 4)

Figure 6. DebugMux connection flow

Unidirectional (DebugMuxServer → DebugMuxClient) flow control mechanism
- Only used by the DebugMuxServer, to avoid overloading the target (limited CPU/RAM)
- Limits the number of ConnData blocks the DebugMuxClient can send
  - DebugMuxClient decrements its DataBlockCount when sending a ConnData block
  - DataBlockCount gives quote to DebugMuxClient as soon as it can handle more blocks
- FlowControl messages shall not be ACKnowledged

DebugMux Protocol

Message flow (part 5)

Figure 7. DebugMux frame counters

Every DebugMux frame has Ns/Nr (Tx/Rx) counters
- These counters do not necessarily start from 0
- Increment Ns before or after sending a frame?

Figure 8. DebugMux loss recovery

Bidirectional ACKnowledgement mechanism
- Ack is special: does not increment the Ns of the sender
- Ack is special: does not increment the Nr of the receiver
- Ack is special: always has Ns=0xf1 (243)
- Ack shall not be ACKnowledged (unlike RLC/MAC in GPRS!)

Project Info

  _____ ______ _____  _           __  __
 / ____|  ____|  __ \| |         |  \/  |
| (___ | |__  | |  | | |__   __ _| \  / |_   ___  __
 \___ \|  __| | |  | | '_ \ / _` | |\/| | | | \ \/ /
 ____) | |____| |__| | |_) | (_| | |  | | |_| |>  <
|_____/|______|_____/|_.__/ \__, |_|  |_|\__,_/_/\_\
                             __/ |
                            |___/

https://gitea.osmocom.org/fixeria/sedbgmux
https://github.com/axilirator/sedbgmux [archived on Sep 22, 2022, outdated]
License: GPL-3.0-or-later
Python 3.7+, dependencies:
- construct (https://github.com/construct/construct)
- pyserial (https://github.com/pyserial/pyserial)
- crcmod (https://crcmod.sourceforge.net/)
- cmd2 (https://github.com/python-cmd2/cmd2)
- [optional] pyshark (https://github.com/KimiNewt/pyshark)

Project Info

  _____ ______ _____  _           __  __
 / ____|  ____|  __ \| |         |  \/  |
| (___ | |__  | |  | | |__   __ _| \  / |_   ___  __
 \___ \|  __| | |  | | '_ \ / _` | |\/| | | | \ \/ /
 ____) | |____| |__| | |_) | (_| | |  | | |_| |>  <
|_____/|______|_____/|_.__/ \__, |_|  |_|\__,_/_/\_\
                             __/ |
                            |___/

Available utilities

sedbgmux-shell.py - interactive shell
- activate the DebugMux mode
- identify the target device
- establish connections with DPs
- heavily inspired by pySim-shell ;)
sedbgmux-dump.py - dump management utility
- analyze DebugMux frame captures
- convert between various dump formats
- supported formats: native, socat, btpcap

Project Info

  _____ ______ _____  _           __  __
 / ____|  ____|  __ \| |         |  \/  |
| (___ | |__  | |  | | |__   __ _| \  / |_   ___  __
 \___ \|  __| | |  | | '_ \ / _` | |\/| | | | \ \/ /
 ____) | |____| |__| | |_) | (_| | |  | | |_| |>  <
|_____/|______|_____/|_.__/ \__, |_|  |_|\__,_/_/\_\
                             __/ |
                            |___/

Installation from source

Easy, huh?

$ pip install --user git+https://gitea.osmocom.org/fixeria/sedbgmux.git

Project Info

  _____ ______ _____  _           __  __
 / ____|  ____|  __ \| |         |  \/  |
| (___ | |__  | |  | | |__   __ _| \  / |_   ___  __
 \___ \|  __| | |  | | '_ \ / _` | |\/| | | | \ \/ /
 ____) | |____| |__| | |_) | (_| | |  | | |_| |>  <
|_____/|______|_____/|_.__/ \__, |_|  |_|\__,_/_/\_\
                             __/ |
                            |___/

Installation from source

On modern distributions you’ll likely get this:

$ pip install --user git+https://gitea.osmocom.org/fixeria/sedbgmux.git
error: externally-managed-environment

× This environment is externally managed
╰─> To install Python packages system-wide, try 'pacman -S
    python-xyz', where xyz is the package you are trying to
    install.

    If you wish to install a non-Arch-packaged Python package,
    create a virtual environment using 'python -m venv path/to/venv'.
    Then use path/to/venv/bin/python and path/to/venv/bin/pip.

    If you wish to install a non-Arch packaged Python application,
    it may be easiest to use 'pipx install xyz', which will manage a
    virtual environment for you. Make sure you have python-pipx
    installed via pacman.

Project Info

  _____ ______ _____  _           __  __
 / ____|  ____|  __ \| |         |  \/  |
| (___ | |__  | |  | | |__   __ _| \  / |_   ___  __
 \___ \|  __| | |  | | '_ \ / _` | |\/| | | | \ \/ /
 ____) | |____| |__| | |_) | (_| | |  | | |_| |>  <
|_____/|______|_____/|_.__/ \__, |_|  |_|\__,_/_/\_\
                             __/ |
                            |___/

Installation from source

The recommended way:

$ virtualenv --system-site-packages myenv
$ source myenv/bin/activate
$ (myenv) pip install git+https://gitea.osmocom.org/fixeria/sedbgmux.git

Packages

Project Info

  _____ ______ _____  _           __  __
 / ____|  ____|  __ \| |         |  \/  |
| (___ | |__  | |  | | |__   __ _| \  / |_   ___  __
 \___ \|  __| | |  | | '_ \ / _` | |\/| | | | \ \/ /
 ____) | |____| |__| | |_) | (_| | |  | | |_| |>  <
|_____/|______|_____/|_.__/ \__, |_|  |_|\__,_/_/\_\
                             __/ |
                            |___/

Usage: DebugMux mode activation and enquiry

$ sedbgmux-shell.py -p /dev/ttyACM0 # <1>
Welcome to DebugMux client for [Sony] Ericsson phones and modems!
DebugMux ('/dev/ttyACM0')> connect # <2>
DebugMux ('/dev/ttyACM0')> enquiry # <3>
[INFO] client.py:185 Identified target: 'Sony Ericsson C510', IMEI=354008032409208
[INFO] client.py:191 Data Provider available (DPRef=0xe494): 'OSEGW! 100 1'
[INFO] client.py:191 Data Provider available (DPRef=0xe495): 'Tvp'
[INFO] client.py:191 Data Provider available (DPRef=0xe496): 'ACC - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe497): 'APP - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe498): 'SDKSERVER'

-p specifies the modem port (/dev/ttyACM0 by default, 115200 8N1)
DebugMux mode activation (sending AT*EDEBUGMUX command)
Send the Enquiry message

Project Info

  _____ ______ _____  _           __  __
 / ____|  ____|  __ \| |         |  \/  |
| (___ | |__  | |  | | |__   __ _| \  / |_   ___  __
 \___ \|  __| | |  | | '_ \ / _` | |\/| | | | \ \/ /
 ____) | |____| |__| | |_) | (_| | |  | | |_| |>  <
|_____/|______|_____/|_.__/ \__, |_|  |_|\__,_/_/\_\
                             __/ |
                            |___/

Usage: DP connection establishment

$ sedbgmux-shell.py -p /dev/ttyACM0
Welcome to DebugMux client for [Sony] Ericsson phones and modems!
DebugMux ('/dev/ttyACM0')> connect
DebugMux ('/dev/ttyACM0')> enquiry
[INFO] client.py:185 Identified target: 'Sony Ericsson C510', IMEI=354008032409208
[INFO] client.py:191 Data Provider available (DPRef=0xe494): 'OSEGW! 100 1'
[INFO] client.py:191 Data Provider available (DPRef=0xe495): 'Tvp'
[INFO] client.py:191 Data Provider available (DPRef=0xe496): 'ACC - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe497): 'APP - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe498): 'SDKSERVER'

DebugMux ('/dev/ttyACM0')> establish 0xe496 terminal
[INFO] base.py:78 Establishing connection with DPRef=0xe496
[INFO] client.py:199 Rx ConnEstablished: ConnRef=0x3d00, DPRef=0xe496
[INFO] base.py:94 Connection established: DPRef=0xe496, ConnRef=0x3d00, DataBlockLimit=256
... Hit Ctrl + C to escape and terminate connection
[INFO] base.py:87 Terminating connection ConnRef=0x3d00 with DPRef=0xe496
[INFO] client.py:220 Rx ConnTerminated: ConnRef=0x3d00, DPRef=0xe496
[INFO] base.py:104 Connection terminated: DPRef=0xe496, ConnRef=0x3d00
[INFO] client.py:191 Data Provider available (DPRef=0xe499): 'ACC - Print Server Channel'

Project Info

  _____ ______ _____  _           __  __
 / ____|  ____|  __ \| |         |  \/  |
| (___ | |__  | |  | | |__   __ _| \  / |_   ___  __
 \___ \|  __| | |  | | '_ \ / _` | |\/| | | | \ \/ /
 ____) | |____| |__| | |_) | (_| | |  | | |_| |>  <
|_____/|______|_____/|_.__/ \__, |_|  |_|\__,_/_/\_\
                             __/ |
                            |___/

Usage: Dump management (part 1)

$ sedbgmux-dump.py
usage: sedbgmux-dump [-h] [-v] [-dm MODULE] command ...
sedbgmux-dump: error: the following arguments are required: command

$ sedbgmux-dump.py list-formats
auto            Automatic dump format detection (by filename)
native          Native binary dump format for this package
socat           ASCII hexdump generated by socat (-x option)
btpcap          PCAP file with Bluetooth RFCOMM packets # <1>

Requires pyshark dependency

Project Info

  _____ ______ _____  _           __  __
 / ____|  ____|  __ \| |         |  \/  |
| (___ | |__  | |  | | |__   __ _| \  / |_   ___  __
 \___ \|  __| | |  | | '_ \ / _` | |\/| | | | \ \/ /
 ____) | |____| |__| | |_) | (_| | |  | | |_| |>  <
|_____/|______|_____/|_.__/ \__, |_|  |_|\__,_/_/\_\
                             __/ |
                            |___/

Usage: Dump management (part 2)

$ sedbgmux-dump.py parse -dp samples/K850_R1FA035_enquiry.dump
[INFO] dump_native.py:46 Opening dump file samples/K850_R1FA035_enquiry.dump (readonly mode)
Record #0000 @ 1712684215.269243 Tx 42420500010065693e
  DebugMux Tx frame (Ns=001, Nr=000, fcs=0x3e69) Enquiry
Record #0001 @ 1712684215.270970 Rx 42422b00000266e7b07e1621536f6e79204572696373736f6e204b383530333538383734303130333330373234ace4
  DebugMux Rx frame (Ns=000, Nr=002, fcs=0xe4ac) Ident e7b07e1621536f6e79204572696373736f6e204b383530333538383734303130333330373234
  Container:
    Magic = b'\xe7\xb0~\x16' (total 4)
    Ident = u'Sony Ericsson K85035887401033072'... (truncated, total 33)
Record #0002 @ 1712684215.271605 Rx 4242150001026994e40d5475726e696e6720546f72736fd19d
  DebugMux Rx frame (Ns=001, Nr=002, fcs=0x9dd1) DPAnnounce 94e40d5475726e696e6720546f72736f
  Container:
    DPRef = 0xE494
    Name = u'Turning Torso' (total 13)
Record #0003 @ 1712684215.271931 Rx 42420b0002026995e403547670b482
  DebugMux Rx frame (Ns=002, Nr=002, fcs=0x82b4) DPAnnounce 95e403547670
  Container:
    DPRef = 0xE495
    Name = u'Tvp' (total 3)
Record #0004 @ 1712684215.272249 Rx 4242220003026996e41a414343202d205072696e7420536572766572204368616e6e656c960b
  DebugMux Rx frame (Ns=003, Nr=002, fcs=0x0b96) DPAnnounce 96e41a414343202d205072696e7420536572766572204368616e6e656c
  Container:
    DPRef = 0xE496
    Name = u'ACC - Print Server Channel' (total 26)
Record #0005 @ 1712684215.272543 Rx 4242220004026997e41a415050202d205072696e7420536572766572204368616e6e656c7c84
  DebugMux Rx frame (Ns=004, Nr=002, fcs=0x847c) DPAnnounce 97e41a415050202d205072696e7420536572766572204368616e6e656c
  Container:
    DPRef = 0xE497
    Name = u'APP - Print Server Channel' (total 26)
Record #0006 @ 1712684215.272810 Rx 4242290005026998e421486f737420496e7465726661636520546573742046696c65205472616e73666572d95e
  DebugMux Rx frame (Ns=005, Nr=002, fcs=0x5ed9) DPAnnounce 98e421486f737420496e7465726661636520546573742046696c65205472616e73666572
  Container:
    DPRef = 0xE498
    Name = u'Host Interface Test File Transfe'... (truncated, total 33)
Record #0007 @ 1712684215.273053 Rx 4242110006026999e40953444b534552564552fbf3
  DebugMux Rx frame (Ns=006, Nr=002, fcs=0xf3fb) DPAnnounce 99e40953444b534552564552
  Container:
    DPRef = 0xE499
    Name = u'SDKSERVER' (total 9)
Record #0008 @ 1712684215.273232 Tx 42420500f1017120fd
  DebugMux Tx frame (Ns=241, Nr=001, fcs=0xfd20) Ack
Record #0009 @ 1712684215.273587 Tx 42420500f10771f0a9
  DebugMux Tx frame (Ns=241, Nr=007, fcs=0xa9f0) Ack

Project Info

Wireshark dissector

My very first time writing LUA code
Inspired by @Hoernchen’s simtrace.lua
Easy to use/modify

Installation

$ cd sedbgmux/
$ cp contrib/sedbgmux.lua ~/.local/lib/wireshark/plugins/

Usage

$ tshark -r samples/k800_tems.pcapng.gz -Y btrfcomm -d "btrfcomm.dlci==4,sedbgmux" | less
  661 380.123302 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 51 (Ns=002, Nr=003) ConnEstablish
  665 380.170103 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 67 (Ns=003, Nr=003) ConnEstablished, FlowControl
  667 380.170103 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 52 (Ns=005, Nr=003) FlowControl
  669 380.185703 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 49 (Ns=241, Nr=006) Ack
  673 380.185703 localhost () → Sony_2c:45:df (TEMS K800i) SPP 49 Sent "AT+CFUN?\r"
  677 380.201303 Sony_2c:45:df (TEMS K800i) → localhost () SPP 49 Rcvd "AT+CFUN?\r"
  679 380.216903 Sony_2c:45:df (TEMS K800i) → localhost () SPP 52 Rcvd "\r\n+CFUN: 1\r\n"
  681 380.216903 Sony_2c:45:df (TEMS K800i) → localhost () SPP 46 Rcvd "\r\nOK\r\n"
  683 382.026506 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 64 (Ns=003, Nr=006) ConnData
  687 382.042106 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 49 (Ns=252, Nr=004) Ack
  689 382.042106 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 52 (Ns=006, Nr=004) FlowControl
  691 382.057706 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 49 (Ns=241, Nr=007) Ack
  695 382.088906 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 78 (Ns=007, Nr=004) ConnData
  697 382.104506 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 49 (Ns=241, Nr=008) Ack

Project Info

Wireshark dissector

Frame dissection

SEDbgMux Frame: (Ns=002, Nr=003) ConnEstablish
    Frame Marker: 4242
    Frame Length: 7
    Tx Count: 2
    Rx Count: 3
    Message Type: ConnEstablish (0x6b)
    Message Data: e7b0
        Data Provider Reference: 0xb0e7 (45287)
    Frame Check Sequence: 27468 [valid]
SEDbgMux Frame: (Ns=003, Nr=003) ConnEstablished
    Frame Marker: 4242
    Frame Length: 11
    Tx Count: 3
    Rx Count: 3
    Message Type: ConnEstablished (0x6c)
    Message Data: e7b000940002
        Data Provider Reference: 0xb0e7 (45287)
        Connection Reference: 0x9400 (37888)
    Frame Check Sequence: 61606 [valid]
SEDbgMux Frame: (Ns=004, Nr=003) FlowControl
    Frame Marker: 4242
    Frame Length: 8
    Tx Count: 4
    Rx Count: 3
    Message Type: FlowControl (0x70)
    Message Data: 009402
        Connection Reference: 0x9400 (37888)
        Data Block Limit: 2
    Frame Check Sequence: 12386 [valid]

Project Info

  _____ ______ _____  _           __  __
 / ____|  ____|  __ \| |         |  \/  |
| (___ | |__  | |  | | |__   __ _| \  / |_   ___  __
 \___ \|  __| | |  | | '_ \ / _` | |\/| | | | \ \/ /
 ____) | |____| |__| | |_) | (_| | |  | | |_| |>  <
|_____/|______|_____/|_.__/ \__, |_|  |_|\__,_/_/\_\
                             __/ |
                            |___/

Module Hierarchy

sedbgmux
- proto - DebugMux protocol definition
- peer - [abstract] peer implementation
- client - client role implementation
- ping_pong - link testing logic
sedbgmux.io - input/output logic
- base - base/abstract classes
- modem - modem I/O layer (AT commands)
- dump_native, dump_socat, dump_btpcap - dump formats
sedbgmux.ch - connection handlers
- base - base/abstract classes
- terminal - read from stdin, write to stdout
- file_logger - write received data to a file
- udp_proxy - send/receive data via a UDP socket
- walk recursively list available entries in Interactive Debug DPs

DebugMux DPs

Table 2. DPs with known purpose
Name	Mode	Description
`Tvp`	Binary	Test and Verification Protocol
`Print Server Channel`	ASCII (Rx only)	APP/ACC CPU debug logging
`ACC - Print Server Channel`	ASCII (Rx only)	ACC (access) CPU debug logging
`APP - Print Server Channel`	ASCII (Rx only)	APP (application) CPU debug logging
`Interactive Debug`	ASCII (Rx/Rx)	APP/ACC CPU interactive debug
`ACC - Interactive Debug`	ASCII (Rx/Tx)	ACC (access) CPU interactive debug
`APP - Interactive Debug`	ASCII (Rx/Tx)	APP (application) CPU interactive debug
`UI Debug - Print Server Channel`	ASCII (Rx only)	UI (User Interface) debug logging
`AT channel (NUM)`	ASCII (Rx/Tx)	AT command interpreter

Table 3. DPs with unknown purpose
Name	Description
`SDKSERVER`	seen mostly on all A2 phones
`OSEGW! 100 1`	seen on C510 (R1HA035), C905 (R1FA035), F5521gw (R2A07), G705 (R1FA035)
`Host Interface Test File Transfer`	OBEX? seen on W595 (R3EA037), K850 (R1FA035)
`Turning Torso`	A skyscraper in Sweden? seen on T700 (R3CA017), K850 (R1FA035)

DebugMux DPs

Print Server Channel

Available on most targets (at least one such DP)
- Also available via the service cable UART (5V to VPPFLASH)
Optionally ACC / APP / UI Debug variants
- ACC - access (baseband) processor logging
- APP - application processor logging
Mostly ASCII, but may occasionally contain binary data

DebugMux DPs

Print Server Channel (example 1)

ENEA boot logging (Ericsson F3607gw)

BuildInfo: Label: <LD_SAGARMATHA_R5A010_R2E_EC08_090818_1737> Variant: <ACCESS_EXPRESS_CARD_CHW>
BuildInfo: Generated: 2009-08-18 17:51 by Off.Bld
Product  : <F3607gw> Version: 0000
HW Setup : NOT SPECIFIED (Id:0x2f0) IRDA: 0033 BT: 0035 RS232: 004A
Vendor   : <Ericsson> PNP: ERI USB: 0BDB BT: 0000
--------------------------------
OS: Physical Memory Configuration:
krn/phys_mem/RAM/1=base:0x48800000 size:0x77f000
krn/phys_mem/TEXT2/1=base:0x48100000 size:0x700000
__RAMLOG_SESSION_START__
WARNING illegal format of parameter, equal sign missing on row:54 (Not counting empty lines)
cpu_hal_920: Detected ARM926 Rev 5
mm: config init (hal version=hal_mmu)
mm: boot heap auto-configured, name:MM-meta-data, boot_base=0x48f56000, boot_size=0x9000
mm: log_mem 0xffff0000->0xffffffff:BOOTROM type:SASE.
mm: log_mem 0x00010000->0x00010fff:COPSROM_DTCM type:SASE.
mm: log_mem 0x48f7f000->0x48f7ffff:COPSROM_DTCM_PHY type:SASE.
mm: log_mem 0x20400000->0x20452fff:DSP_EXTRAM type:SASE.
mm: log_mem 0x20000000->0x2000ffff:DSP_INTDRAM type:SASE.
mm: log_mem 0x00008000->0x00009fff:DTCM type:SASE.
mm: log_mem 0x90000000->0x90ffffff:HAL type:SAS.
mm: log_mem 0xc0000000->0xc0047fff:IO type:SASE.
mm: log_mem 0xa0000000->0xa0003fff:IO_AHB type:SASE.
mm: log_mem 0000000000->0x00005fff:ITCM type:SASE.
mm: log_mem 0x80800000->0x8fffffff:RAM type:SAS.
mm: log_mem 0x48800000->0x48f5efff:RAM_SASE type:SASE.
mm: log_mem 0x4ffff000->0x4fffffff:SEMI_Arbiter type:SASE.
mm: log_mem 0x4fffe000->0x4fffefff:SEMI_Config type:SASE.
mm: log_mem 0x48f80000->0x48ffffff:SHARED_MM_BUFFERS type:SASE.
mm: log_mem 0x48000000->0x480fffff:TEXT type:SASE.
mm: log_mem 0x48100000->0x487fffff:TEXT2 type:SASE.
mm: log_mem 0xc2000000->0xc211ffff:WCDMA_IO type:SASE.
mm: log_mem 0xc3000000->0xc301ffff:WCDMA_MCRAM type:SASE.
mm: log_mem 0xc4000000->0xc43fffff:WCDMA_RAM type:SASE.

DebugMux DPs

Print Server Channel (example 2)

ACC modem starting (Ericsson F3607gw)

### Print Server: Requesting DebugMux channel...
 1190      ### Print Server: Started OK
 1193      GDFS_SRV State 3-Open
1194      [ICC-LD] ICC_Reader_0_Process Started
1194      [ICC-LD] Status Changed: ICC_READER_DEACTIVATED, Reader: 0
1194      ACC HQA process started OK
1194      NS_G23_RLC_UL D: RLC_LLC
1194      NS_G23_RLC_UL D: RLC_GMM_DATA_REQ = 469981056
1194      NS_G23_RLC_UL D: RLC_DATA_REQ = 469981120
1194      NS_G23_RLC_UL D: RLC_UNITDATA_REQ = 469981184
1194      NS_G23_RLC_UL D: RLC_RLC_DATA_REQ = 469981312
1194      NS_G23_RLC_UL D: RLC_RLC_UNITDATA_REQ = 469981376
1194      NS_G23_RLC_UL D: RLC_DATA_RSP = 469981632
1194
NS_G23_RLC_UL D: LLC_RLC
1194      NS_G23_RLC_UL D: RLC_DATA_CNF = 469981696
1194      NS_G23_RLC_UL D: RLC_DATA_IND = 469981760
1194      NS_G23_RLC_UL D: RLC_STATUS_IND = 469981824
1194
NS_G23_RLC_UL D: RR_RLC
1194      NS_G23_RLC_UL D: RR_TBF_ESTABLISH_REQ = 469970880
1194      NS_G23_RLC_UL D: RR_UPLINK_TBF_RELEASE_REQ = 469971008
1194      NS_G23_RLC_UL D: RR_DOWNLINK_TBF_RELEASE_REQ = 469971072
1194      NS_G23_RLC_UL D: RR_TBF_RELEASE_RSP = 469971136
1194      NS_G23_RLC_UL D: RR_DOWNLINK_ACK_NACK_REQ = 469971200

DebugMux DPs

Print Server Channel (example 3)

ACC Location Updating (Sony Ericsson K800)

27299     R:1018 49 5 49 5
27319     DL_DATA_IND = 05 12 06 1b 87 03 90 5f 1c a9 52 6c f6 b9 21 37 7a 56 f9 20 10 94 29 fa f7 38 09 00 00 00 a9 57 56 40 6e a3 9e
27319     MM: Authentication
27319     MM: Net sends CKSN=6
27355     MM: Authentication: SIM_ISO_NORMAL_COMPLETION
27355     MM: Authentication: SIM_AKA_RESPONSE_RES
27355     DL_DATA_REQ = 05 54 70 3a 6f 54 21 04 d9 8f 73 0b
27355     CAS Proxy: <From CAS> RRC_NEW_KEYS_REQ
27355     TASK: Received RRC_NEW_KEYS_REQ from CAS.
27378     DL: Rx ERROR_FRAME 05 T:18
27396     si6:2d061e032352f020154bd8ff2ab4ff97208df400010001
27417     R:1018 49 5 49 5
27437     DL_DATA_IND = 06 35 11
27437     DL_DATA_REQ = 06 32 17 09 33 95 80 07 01 55 94 22 f4
27495     DL_DATA_IND = 05 32 46 82 47 42 40 42 11 65 80 82 49 01 00
27496     MM: dispatch NITZ time info
27496     [ClockBook#105] Created
27500     [ClockBook#105] Goto SetClockBook_BasePage
27501     [ClockBook#105] Goto SetBook_ReceiveNitz_YesNoQuestionNewZone_Page
27503     FS: Partition /ifs set to dirty
27506     FS: Partition /ifs set to clean
27521     [ClockBook#105] Destroyed
27522     *********
27522     [Application session list]
27522       [Session#1 "Standby"] (W1) Books: 1 - [StandbyBook#88]
27523       [Session#14 "Desktop"] (W1) Books: 1 - [MenuBook#103]
27524       (4 window-less sessions ignored)
27524     *********
27535     R:1018 49 4 49 4  1019 46 54 7,
27554     DL_DATA_IND = 05 02 52 f0 20 15 4b 17 05 f4 9b 0a d0 ff
27555     MM: Location Updating Accept
27555     MM: new TMSI = 9b 0a d0 ff

DebugMux DPs

Print Server Channel (example 4)

ACC cell monitoring (Sony Ericsson K800)

37279     CHARGING DATA: Vch 5000, Ich 0, Vbat 4057, Ibat -699, VFET 4150, IFET 0, PDiss 6892, Temp 42+
37494     TL_Counter 6 CDT_Counter 21
37495     MPH Serving
37495       817  -70  41  43     QB=4982
37495     MPH TopList
37495      1018  -63  37  39  65535     =    0x00e00000  0x0a  4783  059  0x0323     2
37495      1019  -64  36  38    147  0x1522  0x00a00000  0x0a  3072  054  0x0336     0
37495       815  -74   x   x      0  0x0000  0x00000060  0x01     0  255  0x0000     0
37495       878  -75  36  38     92     =    0x00e00000  0x0a  4976  014  0x0aeb     0
37495       114  -78  22  24    147     =    0x00e00000  0x0a  4976  043  0x0ae7     0
37495      1016  -79   x   x    100  0x0000  0x00000060  0x01  2392  035  0x0000     0

DebugMux DPs

Print Server Channel (example 5)

ACC GPRS RLC/MAC logging (Sony Ericsson K800)

139144    RLC_UL: P_Q_P G=0, P=1, S=0, C=1, I=0
139144    RLC_UL: ExtendedUplink_TBF == TRUE
139144    RLC_UL: S Ack Est:ed
139144    GMM<-RH_TRIGGER_IND
139144    GMM: READY_TIMER 44
139148    RLC_UL: Put QI =1:
139148    RLC_UL: PDU: RP:1,PTC:1,Len:67,SAPI:1, UI N(U)=4 E=1 PM=1
139148
139148    RLC_UL: P_Q_P G=0, P=2, S=0, C=2, I=0
139148    RLC_UL: QI=0 Last BSN=0
139148    RLC_UL: P_Q_S G=0, P=2, S=1, C=2, I=0
139148    RLC_UL: S Ack Cd
139148    RR: PUA
139148    PUA RlcMac_DL = 47 28 31 04 bf 40 20 03 a8 9b 16 02 1d 2e 2b 2b 2b 2b 2b 2b 2b 2b 2b
139149    RR state 12 ud
139149    MPH_Low SCH 1019 1 MessageOK == FALSE
139149    MPH_PKT_DED_IND
139149    GMM<-RH_TRIGGER_IND
139150    GMM: READY_TIMER 44
139164    RLC_UL: QI=1 Last BSN=3
139164    RLC_UL: P_Q_S G=0, P=2, S=2, C=2, I=0
139173    TFI U, 21, not our
139178    MPH_Low SCH 1019 1 MessageOK == FALSE
139184    TFI U, 22
139184    RR: PUAN
139184    RLC_UL: V(A)=4, V(S)=4
139184    RLC_UL: Freeing QI=0
139184    RLC_UL: P_Q_G G=1, P=2, S=2, C=1, I=0
139184    RLC_UL: PDU: RP:1,PTC:1,Len:8,SAPI:1, UI N(U)=3 E=1 PM=1
139184
139184    RLC_UL: Freeing QI=1
139184    RLC_UL: P_Q_G G=2, P=2, S=2, C=0, I=0
139184    RLC_UL: PDU: RP:1,PTC:1,Len:67,SAPI:1, UI N(U)=4 E=1 PM=1

DebugMux DPs

Interactive Debug (part 1)

Available on Sony Ericsson phones with development firmware builds
- K610/R1BA022, T700/R3CA017
- Also available via the service cable UART (5V to VPPFLASH)
Available on all Ericsson modems we checked so far
- F3607gw, F5521gw, EC400, MD400[g]
Optionally ACC / APP variants

Interactive Debug connection establishment

DebugMux ('/dev/ttyACM0')> establish 0x9b42 terminal
[INFO] base.py:78 Establishing connection with DPRef=0x9b42
[INFO] client.py:199 Rx ConnEstablished: ConnRef=0x3200, DPRef=0x9b42
[INFO] base.py:94 Connection established: DPRef=0x9b42, ConnRef=0x3200, DataBlockLimit=300

Welcome to Interactive Debug

[root]

DebugMux DPs

Interactive Debug (part 2)

Lots of hidden parameters organized in form of a virtual filesystem
- Directories (DIR), commands (CMD), variables (u1, u2, u4, …)
Interactive command prompt with UNIX-like commands
- . - repeat the last command
- ls / dir - directory listing
- cd - change directory (CWD displayed in prompt)
- r / w - read / write a variable
- Tab-completion
We can generate directory listings using a special handler walker
- Some listings can be found in the repository: samples/*.list
- Contributions are welcome!

Interactive Debug directory listing generation

DebugMux ('/dev/ttyACM0')> establish 0x9b42 walker > samples/interactive_debug.list

DebugMux DPs

Interactive Debug (example 1)

Directory listing for ACC - Interactive Debug

Welcome to Interactive Debug

[root] ls
Contents of directory root:
RS232             <DIR>
USB               <DIR>
DebugMux          <DIR>
TupL2             <DIR>
WAS_L2            <DIR>
WAS_RRC           <DIR>
Channels          <DIR>
TaskSupervisor    <DIR>
AT                <DIR>
DSPIF             <DIR>
WCDMA_L1          <DIR>
DHCPC             <DIR>
PD_I2C            <DIR>
LLRS232           <DIR>
ICA               <DIR>
CAS               <DIR>
NTCSD             <DIR>
HCITL             <DIR>
BT                <DIR>
GAS               <DIR>
USBLD             <DIR>
MTP               <DIR>

DebugMux DPs

Interactive Debug (example 2)

Directory listing for ACC - Interactive Debug

[root] cd WAS_RRC
[WAS_RRC] ls
Contents of directory WAS_RRC:
MaxTxPowerComp                       <CMD>
SetHS_DSCH_PhysicalLayerCategory     <CMD>
ToggleAckOnConnSetCmpl               <CMD>
ToggleCipheringCapability            <CMD>
ToggleDetectedCellsHandling          <CMD>
ToggleHSDPA_Capabilties              <CMD>
ToggleHSUPA_Capabilties              <CMD>
ToggleNeedOfCM                       <CMD>
ToggleInterFreqEventsHandling        <CMD>
ToggleResetWandaFlag                 <CMD>
ToggleRFC_2507_Capability            <CMD>
ToggleRRC_CapabilitiesR99_OR_REL5    <CMD>
PrintControl                         <DIR>
RRC_C_PlaneDataCtrl_cap              <DIR>
RRC_ConfigurationCtrl_cap            <DIR>
BLER                                 (u2)

DebugMux DPs

Interactive Debug (example 3)

Directory listing for ACC - Interactive Debug

[root] cd NTCSD
[NTCSD] ls
Contents of directory NTCSD:
L2RCOP                   <DIR>
RLP                      <DIR>
dump                     <CMD>
get_process_name         <CMD>
hangup                   <CMD>
ntcsd_call_statistics    <CMD>

DebugMux DPs

Tvp (Test and Verification Protocol)

Another vendor specific (EMP?), proprietary, binary protocol
Much, much more powerful and efficient alternative to Print Server DPs
Used by TEMS Investigation and TSCom/TSProbe/TSTool
Some info can be fond in Master’s Thesis by Joakim Persson
- "Requirements for an Interactive Logging Framework", LU-CS-EX: 2006-2
- Ericsson apparently contracted a third-party company to develop Tvp for them
Deep "rabbit hole" deserving its own talk
Currently Work-in-Progress!

Tvp (Test and Verification Protocol)

Figure 9. Tvp Component diagram

Various parts of the firmware contain Probes ("test points")
- Each Probe has its own unique 16-bit ID (statically assigned)
- A Probe can be activated and deactivated by the host software
- A Probe can "emit" some data (UL/DL RR payload, for instance)
- The host software can inject code (Stimuli) to be executed at a Probe
Probes belong to sub-systems (PLAT, TEST, TEMS, POCK, TECH)
- Sub-systems require authentication before Probes can be used

Tvp (Test and Verification Protocol)

The protocol is still to be analyzed
- see samples/k800_tems.pcapng.gz
- sedbgmux-dump.py parse -dp -cd samples/k800_tems.pcapng.gz
WIP code for:
- Authentication for A1 platform (based on magic tables)
  - The A2 platform uses more complex PKI based authentication
- Target information enquiry

== GetAuthReq (1st step): request sub-system activation

   0d00    022c  0a000101  04 54454d53
   ----    ----  --------  -----------
   Length  ????  ????????  PascalString('TEMS')

== GetAuthAck (2nd step): target sends the challenge

   1b00    9041  0b00000001  0110  3038490bfd6418aa83afcb590a77961a
   1b00    9041  0b00000001  0110  e6df5760450e94467f3ac25a1bf210aa
   1b00    9041  0b00000001  0110  8497e60206c7c2ad7112694af7ab3b02
   1b00    9041  0b00000001  0110  b22ec2e900c6eecbd5286163849a53ea
   ----    ----  ----------  ----  --------------------------------
   Length  ????  ??????????  ????  Challenge (32 chars)

== SetAuthReq (3rd step): host solves the challenge and responds

   1d00    022c  0a01020114  54454d53  7baa687f7a6ba22c6703e954ac2f3347
   1d00    022c  0a01020114  54454d53  075fbea8fcb3c55b970c2e58ee0d7e92
   1d00    022c  0a01020114  54454d53  5406efcba5d87dddf02f33a84e388251
   1d00    022c  0a01020114  54454d53  90b798e9780fd9c8bda8c53e3403c5d9
   ----    ----  ----------  --------  --------------------------------
   Length  ????  ??????????   'TEMS'   Response (32 chars)

== SetAuthAck (4th step): target sends auth result

   0c00    9041  0b01000001  011400
   ----    ----  ----------  ------
   Length  ????  ??????????  ??????

EOF

Project plans

Fix bugs / add missing features
- #2 Find a proper way to escape DebugMux mode
- #3 DbgMuxClient: fix/improve ACKnowledgement logic
Play with other DPs, investigate the purpose of unknown ones
Implement the Tvp protocol and client
- … so that we can finally have GSMTAP traces!
Contributions are welcome!

Acknowledgements

Osmocom / @Laf0rge for hosting the project
@roox for doing the research together with me and his contributions
@Sec for helping with reversing the FCS (CRC16) algorithm

Thank you for your attention!