Motivation

My phone collection

What is this talk going to be about?

What’s so special about Sony Ericsson?

Usability

The Concept

Figure 1. DebugMux Component diagram

Existing Software

The following software is known to "speak" the DebugMux protocol:

Those are all proprietary, black-box binaries for MS Windows.

EMBLA Logger
DbgMuxLogger
TEMS Investigation

DebugMux Protocol

First steps understanding the protocol (collecting samples)

The output of socat
< 2024/04/26 02:15:11.000903764  length=2 from=16 to=17
 42 42                                            BB
--
< 2024/04/26 02:15:11.000904430  length=7 from=18 to=24
 05 00 01 00 65 69 3e                             ....ei>
--
> 2024/04/26 02:15:11.000906043  length=218 from=63 to=280
 42 42 20 00 00 02 66 e7 b0 7e 16 16 46 33 36 30  BB ...f..~..F360
 37 67 77 33 35 36 33 39 37 30 33 33 33 38 34 38  7gw3563970333848
 35 30 77 b7 42 42 22 00 01 02 69 94 e4 1a 41 43  50w.BB"...i...AC
 43 20 2d 20 50 72 69 6e 74 20 53 65 72 76 65 72  C - Print Server
 20 43 68 61 6e 6e 65 6c 21 1f 42 42 1f 00 02 02   Channel!.BB....
 69 95 e4 17 41 43 43 20 2d 20 49 6e 74 65 72 61  i...ACC - Intera
 63 74 69 76 65 20 44 65 62 75 67 97 2d 42 42 0b  ctive Debug.-BB.
 00 03 02 69 96 e4 03 54 76 70 34 c3 42 42 22 00  ...i...Tvp4.BB".
 04 02 69 97 e4 1a 41 50 50 20 2d 20 50 72 69 6e  ..i...APP - Prin
 74 20 53 65 72 76 65 72 20 43 68 61 6e 6e 65 6c  t Server Channel
 7c 84 42 42 1f 00 05 02 69 98 e4 17 41 50 50 20  |.BB....i...APP
 2d 20 49 6e 74 65 72 61 63 74 69 76 65 20 44 65  - Interactive De
 62 75 67 2c 69 42 42 11 00 06 02 69 99 e4 09 53  bug,iBB....i...S
 44 4b 53 45 52 56 45 52 fb f3                    DKSERVER..

First steps understanding the protocol (Twitter power)

DebugMux frame structure
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Marker (\x42\x42)       |          Length (LE)          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    TxCount    |    RxCount    |    MsgType    |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               +
|                            MsgData                            |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |              FCS              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Table 1. Known message types

Value       Direction  Name             Description
0x65 ('e')             Enquiry          Enquire about the target info and available DPs
0x66 ('f')             Ident            Target info (model, IMEI)
0x67 ('g')             Ping             Used for connection testing
0x68 ('h')             Pong             Used for connection testing
0x69 ('i')             DPAnnounce       Data Provider availability announce
0x6a ('j')  ?          ?                Data Provider unavailability announce?
0x6b ('k')             ConnEstablish    Connection establishment command
0x6c ('l')             ConnEstablished  Connection establishment result
0x6d ('m')             ConnTerminate    Connection termination command
0x6e ('n')             ConnTerminated   Connection termination result
0x6f ('o')  ←/→        ConnData         Connection data
0x70 ('p')             FlowControl      Connection flow control
0x71 ('q')  ←/→        Ack              Acknowledge

Message flow (part 1)

Figure 2. DebugMux mode activation

Message flow (part 2)

Figure 3. Target identification and DP enquiry
Figure 4. Link testing (optional)

Message flow (part 3)

Figure 5. DebugMux connection establishment/termination

Message flow (part 4)

Figure 6. DebugMux connection flow

Message flow (part 5)

Figure 7. DebugMux frame counters
Figure 8. DebugMux loss recovery

Project Info

  _____ ______ _____  _           __  __
 / ____|  ____|  __ \| |         |  \/  |
| (___ | |__  | |  | | |__   __ _| \  / |_   ___  __
 \___ \|  __| | |  | | '_ \ / _` | |\/| | | | \ \/ /
 ____) | |____| |__| | |_) | (_| | |  | | |_| |>  <
|_____/|______|_____/|_.__/ \__, |_|  |_|\__,_/_/\_\
                             __/ |
                            |___/

Available utilities

Installation from source

Easy, huh?

$ pip install --user git+https://gitea.osmocom.org/fixeria/sedbgmux.git

On modern distributions you’ll likely get this:

$ pip install --user git+https://gitea.osmocom.org/fixeria/sedbgmux.git
error: externally-managed-environment

× This environment is externally managed
╰─> To install Python packages system-wide, try 'pacman -S
    python-xyz', where xyz is the package you are trying to
    install.

    If you wish to install a non-Arch-packaged Python package,
    create a virtual environment using 'python -m venv path/to/venv'.
    Then use path/to/venv/bin/python and path/to/venv/bin/pip.

    If you wish to install a non-Arch packaged Python application,
    it may be easiest to use 'pipx install xyz', which will manage a
    virtual environment for you. Make sure you have python-pipx
    installed via pacman.

The recommended way:

$ virtualenv --system-site-packages myenv
$ source myenv/bin/activate
(myenv) $ pip install git+https://gitea.osmocom.org/fixeria/sedbgmux.git

Packages

Usage: DebugMux mode activation and enquiry
$ sedbgmux-shell.py -p /dev/ttyACM0 # <1>
Welcome to DebugMux client for [Sony] Ericsson phones and modems!
DebugMux ('/dev/ttyACM0')> connect # <2>
DebugMux ('/dev/ttyACM0')> enquiry # <3>
[INFO] client.py:185 Identified target: 'Sony Ericsson C510', IMEI=354008032409208
[INFO] client.py:191 Data Provider available (DPRef=0xe494): 'OSEGW! 100 1'
[INFO] client.py:191 Data Provider available (DPRef=0xe495): 'Tvp'
[INFO] client.py:191 Data Provider available (DPRef=0xe496): 'ACC - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe497): 'APP - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe498): 'SDKSERVER'
  1. -p specifies the modem port (/dev/ttyACM0 by default, 115200 8N1)

  2. DebugMux mode activation (sending AT*EDEBUGMUX command)

  3. Send the Enquiry message

Usage: DP connection establishment
$ sedbgmux-shell.py -p /dev/ttyACM0
Welcome to DebugMux client for [Sony] Ericsson phones and modems!
DebugMux ('/dev/ttyACM0')> connect
DebugMux ('/dev/ttyACM0')> enquiry
[INFO] client.py:185 Identified target: 'Sony Ericsson C510', IMEI=354008032409208
[INFO] client.py:191 Data Provider available (DPRef=0xe494): 'OSEGW! 100 1'
[INFO] client.py:191 Data Provider available (DPRef=0xe495): 'Tvp'
[INFO] client.py:191 Data Provider available (DPRef=0xe496): 'ACC - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe497): 'APP - Print Server Channel'
[INFO] client.py:191 Data Provider available (DPRef=0xe498): 'SDKSERVER'

DebugMux ('/dev/ttyACM0')> establish 0xe496 terminal
[INFO] base.py:78 Establishing connection with DPRef=0xe496
[INFO] client.py:199 Rx ConnEstablished: ConnRef=0x3d00, DPRef=0xe496
[INFO] base.py:94 Connection established: DPRef=0xe496, ConnRef=0x3d00, DataBlockLimit=256
... Hit Ctrl + C to escape and terminate connection
[INFO] base.py:87 Terminating connection ConnRef=0x3d00 with DPRef=0xe496
[INFO] client.py:220 Rx ConnTerminated: ConnRef=0x3d00, DPRef=0xe496
[INFO] base.py:104 Connection terminated: DPRef=0xe496, ConnRef=0x3d00
[INFO] client.py:191 Data Provider available (DPRef=0xe499): 'ACC - Print Server Channel'

Usage: Dump management (part 1)
$ sedbgmux-dump.py
usage: sedbgmux-dump [-h] [-v] [-dm MODULE] command ...
sedbgmux-dump: error: the following arguments are required: command

$ sedbgmux-dump.py list-formats
auto            Automatic dump format detection (by filename)
native          Native binary dump format for this package
socat           ASCII hexdump generated by socat (-x option)
btpcap          PCAP file with Bluetooth RFCOMM packets # <1>
  1. Requires pyshark dependency

Usage: Dump management (part 2)
$ sedbgmux-dump.py parse -dp samples/K850_R1FA035_enquiry.dump
[INFO] dump_native.py:46 Opening dump file samples/K850_R1FA035_enquiry.dump (readonly mode)
Record #0000 @ 1712684215.269243 Tx 42420500010065693e
  DebugMux Tx frame (Ns=001, Nr=000, fcs=0x3e69) Enquiry
Record #0001 @ 1712684215.270970 Rx 42422b00000266e7b07e1621536f6e79204572696373736f6e204b383530333538383734303130333330373234ace4
  DebugMux Rx frame (Ns=000, Nr=002, fcs=0xe4ac) Ident e7b07e1621536f6e79204572696373736f6e204b383530333538383734303130333330373234
  Container:
    Magic = b'\xe7\xb0~\x16' (total 4)
    Ident = u'Sony Ericsson K85035887401033072'... (truncated, total 33)
Record #0002 @ 1712684215.271605 Rx 4242150001026994e40d5475726e696e6720546f72736fd19d
  DebugMux Rx frame (Ns=001, Nr=002, fcs=0x9dd1) DPAnnounce 94e40d5475726e696e6720546f72736f
  Container:
    DPRef = 0xE494
    Name = u'Turning Torso' (total 13)
Record #0003 @ 1712684215.271931 Rx 42420b0002026995e403547670b482
  DebugMux Rx frame (Ns=002, Nr=002, fcs=0x82b4) DPAnnounce 95e403547670
  Container:
    DPRef = 0xE495
    Name = u'Tvp' (total 3)
Record #0004 @ 1712684215.272249 Rx 4242220003026996e41a414343202d205072696e7420536572766572204368616e6e656c960b
  DebugMux Rx frame (Ns=003, Nr=002, fcs=0x0b96) DPAnnounce 96e41a414343202d205072696e7420536572766572204368616e6e656c
  Container:
    DPRef = 0xE496
    Name = u'ACC - Print Server Channel' (total 26)
Record #0005 @ 1712684215.272543 Rx 4242220004026997e41a415050202d205072696e7420536572766572204368616e6e656c7c84
  DebugMux Rx frame (Ns=004, Nr=002, fcs=0x847c) DPAnnounce 97e41a415050202d205072696e7420536572766572204368616e6e656c
  Container:
    DPRef = 0xE497
    Name = u'APP - Print Server Channel' (total 26)
Record #0006 @ 1712684215.272810 Rx 4242290005026998e421486f737420496e7465726661636520546573742046696c65205472616e73666572d95e
  DebugMux Rx frame (Ns=005, Nr=002, fcs=0x5ed9) DPAnnounce 98e421486f737420496e7465726661636520546573742046696c65205472616e73666572
  Container:
    DPRef = 0xE498
    Name = u'Host Interface Test File Transfe'... (truncated, total 33)
Record #0007 @ 1712684215.273053 Rx 4242110006026999e40953444b534552564552fbf3
  DebugMux Rx frame (Ns=006, Nr=002, fcs=0xf3fb) DPAnnounce 99e40953444b534552564552
  Container:
    DPRef = 0xE499
    Name = u'SDKSERVER' (total 9)
Record #0008 @ 1712684215.273232 Tx 42420500f1017120fd
  DebugMux Tx frame (Ns=241, Nr=001, fcs=0xfd20) Ack
Record #0009 @ 1712684215.273587 Tx 42420500f10771f0a9
  DebugMux Tx frame (Ns=241, Nr=007, fcs=0xa9f0) Ack
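
The frame layout and message types described earlier, applied to records from the dump above: a stream deframer that resynchronises on the marker, bounds-checks the length field and the length-prefixed strings, and verifies the FCS. This is an added example, not code from the sedbgmux project. It assumes the FCS is CRC-16/X-25 over everything before the FCS field (the page does not name the algorithm; this choice reproduces the FCS values in the listing), and `MAX_LENGTH`, `Deframer` and the helper names are hypothetical.

```python
import struct

MARKER = b"\x42\x42"
MAX_LENGTH = 4096  # sanity cap picked for this example, not a protocol constant
MSG_TYPES = {  # from Table 1 (0x6a is unnamed there and left out)
    0x65: "Enquiry", 0x66: "Ident", 0x67: "Ping", 0x68: "Pong",
    0x69: "DPAnnounce", 0x6B: "ConnEstablish", 0x6C: "ConnEstablished",
    0x6D: "ConnTerminate", 0x6E: "ConnTerminated", 0x6F: "ConnData",
    0x70: "FlowControl", 0x71: "Ack",
}
# Records #0000, #0003 and #0007 from the dump listing above.
ENQUIRY = bytes.fromhex("42420500010065693e")
DP_TVP = bytes.fromhex("42420b0002026995e403547670b482")
DP_SDK = bytes.fromhex("4242110006026999e40953444b534552564552fbf3")

def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25: the FCS algorithm assumed here (not named on the page)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def pascal_string(data: bytes, offset: int):
    """Length-prefixed string; None if the declared length overruns the payload."""
    if offset >= len(data) or offset + 1 + data[offset] > len(data):
        return None
    return data[offset + 1:offset + 1 + data[offset]].decode("ascii", "replace")

def decode_frame(raw: bytes) -> dict:
    """Decode one complete frame (marker through FCS) whose FCS already matched."""
    tx, rx, mtype = struct.unpack_from("<BBB", raw, 4)
    data = raw[7:-2]
    frame = {"Ns": tx, "Nr": rx, "data": data,
             "type": MSG_TYPES.get(mtype, f"unknown(0x{mtype:02x})")}
    if mtype == 0x69 and len(data) >= 2:    # DPAnnounce: DPRef (LE) + name
        frame["DPRef"] = struct.unpack_from("<H", data)[0]
        frame["Name"] = pascal_string(data, 2)
    elif mtype == 0x66 and len(data) >= 4:  # Ident: 4-byte magic + ident string
        frame["Magic"] = data[:4]
        frame["Ident"] = pascal_string(data, 4)
    return frame

class Deframer:
    """Reassembles frames from arbitrary serial read chunks."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self.buf += chunk
        frames = []
        while True:
            start = self.buf.find(MARKER)
            if start < 0:
                # Keep a trailing 0x42: it may be the first half of a marker.
                keep = 1 if self.buf.endswith(b"\x42") else 0
                del self.buf[:len(self.buf) - keep]
                return frames
            del self.buf[:start]  # discard noise in front of the marker
            if len(self.buf) < 4:
                return frames  # length field not received yet
            (length,) = struct.unpack_from("<H", self.buf, 2)
            if not 5 <= length <= MAX_LENGTH:
                del self.buf[:1]  # implausible length: false marker, rescan
                continue
            total = 4 + length  # Length covers counters, type, data and FCS
            if len(self.buf) < total:
                return frames  # wait for the rest of the frame
            raw = bytes(self.buf[:total])
            (fcs,) = struct.unpack_from("<H", raw, total - 2)
            if crc16_x25(raw[:-2]) != fcs:
                del self.buf[:1]  # corrupted frame, or marker bytes inside data
                continue
            del self.buf[:total]
            frames.append(decode_frame(raw))

if __name__ == "__main__":
    deframer = Deframer()
    stream = b"\r\nOK\r\n" + ENQUIRY + DP_TVP + DP_SDK  # constructed byte stream
    for chunk in (stream[:12], stream[12:]):  # split mid-frame on purpose
        for frame in deframer.feed(chunk):
            print(frame)
```

A false marker followed by a plausible length makes the deframer wait for that many bytes before the FCS check can reject it, so a receive timeout that flushes the buffer is worth adding on a real serial link.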

Wireshark dissector

Installation
$ cd sedbgmux/
$ cp contrib/sedbgmux.lua ~/.local/lib/wireshark/plugins/
Usage
$ tshark -r samples/k800_tems.pcapng.gz -Y btrfcomm -d "btrfcomm.dlci==4,sedbgmux" | less
  661 380.123302 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 51 (Ns=002, Nr=003) ConnEstablish
  665 380.170103 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 67 (Ns=003, Nr=003) ConnEstablished, FlowControl
  667 380.170103 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 52 (Ns=005, Nr=003) FlowControl
  669 380.185703 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 49 (Ns=241, Nr=006) Ack
  673 380.185703 localhost () → Sony_2c:45:df (TEMS K800i) SPP 49 Sent "AT+CFUN?\r"
  677 380.201303 Sony_2c:45:df (TEMS K800i) → localhost () SPP 49 Rcvd "AT+CFUN?\r"
  679 380.216903 Sony_2c:45:df (TEMS K800i) → localhost () SPP 52 Rcvd "\r\n+CFUN: 1\r\n"
  681 380.216903 Sony_2c:45:df (TEMS K800i) → localhost () SPP 46 Rcvd "\r\nOK\r\n"
  683 382.026506 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 64 (Ns=003, Nr=006) ConnData
  687 382.042106 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 49 (Ns=252, Nr=004) Ack
  689 382.042106 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 52 (Ns=006, Nr=004) FlowControl
  691 382.057706 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 49 (Ns=241, Nr=007) Ack
  695 382.088906 Sony_2c:45:df (TEMS K800i) → localhost () SEDBGMUX 78 (Ns=007, Nr=004) ConnData
  697 382.104506 localhost () → Sony_2c:45:df (TEMS K800i) SEDBGMUX 49 (Ns=241, Nr=008) Ack

Frame dissection
SEDbgMux Frame: (Ns=002, Nr=003) ConnEstablish
    Frame Marker: 4242
    Frame Length: 7
    Tx Count: 2
    Rx Count: 3
    Message Type: ConnEstablish (0x6b)
    Message Data: e7b0
        Data Provider Reference: 0xb0e7 (45287)
    Frame Check Sequence: 27468 [valid]
SEDbgMux Frame: (Ns=003, Nr=003) ConnEstablished
    Frame Marker: 4242
    Frame Length: 11
    Tx Count: 3
    Rx Count: 3
    Message Type: ConnEstablished (0x6c)
    Message Data: e7b000940002
        Data Provider Reference: 0xb0e7 (45287)
        Connection Reference: 0x9400 (37888)
    Frame Check Sequence: 61606 [valid]
SEDbgMux Frame: (Ns=004, Nr=003) FlowControl
    Frame Marker: 4242
    Frame Length: 8
    Tx Count: 4
    Rx Count: 3
    Message Type: FlowControl (0x70)
    Message Data: 009402
        Connection Reference: 0x9400 (37888)
        Data Block Limit: 2
    Frame Check Sequence: 12386 [valid]

Module Hierarchy

DebugMux DPs

Table 2. DPs with known purpose

Name                             Mode             Description
Tvp                              Binary           Test and Verification Protocol
Print Server Channel             ASCII (Rx only)  APP/ACC CPU debug logging
ACC - Print Server Channel       ASCII (Rx only)  ACC (access) CPU debug logging
APP - Print Server Channel       ASCII (Rx only)  APP (application) CPU debug logging
Interactive Debug                ASCII (Rx/Tx)    APP/ACC CPU interactive debug
ACC - Interactive Debug          ASCII (Rx/Tx)    ACC (access) CPU interactive debug
APP - Interactive Debug          ASCII (Rx/Tx)    APP (application) CPU interactive debug
UI Debug - Print Server Channel  ASCII (Rx only)  UI (User Interface) debug logging
AT channel (NUM)                 ASCII (Rx/Tx)    AT command interpreter

Table 3. DPs with unknown purpose

Name                               Description
SDKSERVER                          seen on almost all A2 phones
OSEGW! 100 1                       seen on C510 (R1HA035), C905 (R1FA035), F5521gw (R2A07), G705 (R1FA035)
Host Interface Test File Transfer  OBEX? seen on W595 (R3EA037), K850 (R1FA035)
Turning Torso                      A skyscraper in Sweden? seen on T700 (R3CA017), K850 (R1FA035)

Print Server Channel

Print Server Channel (example 1)

ENEA boot logging (Ericsson F3607gw)
BuildInfo: Label: <LD_SAGARMATHA_R5A010_R2E_EC08_090818_1737> Variant: <ACCESS_EXPRESS_CARD_CHW>
BuildInfo: Generated: 2009-08-18 17:51 by Off.Bld
Product  : <F3607gw> Version: 0000
HW Setup : NOT SPECIFIED (Id:0x2f0) IRDA: 0033 BT: 0035 RS232: 004A
Vendor   : <Ericsson> PNP: ERI USB: 0BDB BT: 0000
--------------------------------
OS: Physical Memory Configuration:
krn/phys_mem/RAM/1=base:0x48800000 size:0x77f000
krn/phys_mem/TEXT2/1=base:0x48100000 size:0x700000
__RAMLOG_SESSION_START__
WARNING illegal format of parameter, equal sign missing on row:54 (Not counting empty lines)
cpu_hal_920: Detected ARM926 Rev 5
mm: config init (hal version=hal_mmu)
mm: boot heap auto-configured, name:MM-meta-data, boot_base=0x48f56000, boot_size=0x9000
mm: log_mem 0xffff0000->0xffffffff:BOOTROM type:SASE.
mm: log_mem 0x00010000->0x00010fff:COPSROM_DTCM type:SASE.
mm: log_mem 0x48f7f000->0x48f7ffff:COPSROM_DTCM_PHY type:SASE.
mm: log_mem 0x20400000->0x20452fff:DSP_EXTRAM type:SASE.
mm: log_mem 0x20000000->0x2000ffff:DSP_INTDRAM type:SASE.
mm: log_mem 0x00008000->0x00009fff:DTCM type:SASE.
mm: log_mem 0x90000000->0x90ffffff:HAL type:SAS.
mm: log_mem 0xc0000000->0xc0047fff:IO type:SASE.
mm: log_mem 0xa0000000->0xa0003fff:IO_AHB type:SASE.
mm: log_mem 0000000000->0x00005fff:ITCM type:SASE.
mm: log_mem 0x80800000->0x8fffffff:RAM type:SAS.
mm: log_mem 0x48800000->0x48f5efff:RAM_SASE type:SASE.
mm: log_mem 0x4ffff000->0x4fffffff:SEMI_Arbiter type:SASE.
mm: log_mem 0x4fffe000->0x4fffefff:SEMI_Config type:SASE.
mm: log_mem 0x48f80000->0x48ffffff:SHARED_MM_BUFFERS type:SASE.
mm: log_mem 0x48000000->0x480fffff:TEXT type:SASE.
mm: log_mem 0x48100000->0x487fffff:TEXT2 type:SASE.
mm: log_mem 0xc2000000->0xc211ffff:WCDMA_IO type:SASE.
mm: log_mem 0xc3000000->0xc301ffff:WCDMA_MCRAM type:SASE.
mm: log_mem 0xc4000000->0xc43fffff:WCDMA_RAM type:SASE.

Print Server Channel (example 2)

ACC modem starting (Ericsson F3607gw)
### Print Server: Requesting DebugMux channel...
 1190      ### Print Server: Started OK
 1193      GDFS_SRV State 3-Open
1194      [ICC-LD] ICC_Reader_0_Process Started
1194      [ICC-LD] Status Changed: ICC_READER_DEACTIVATED, Reader: 0
1194      ACC HQA process started OK
1194      NS_G23_RLC_UL D: RLC_LLC
1194      NS_G23_RLC_UL D: RLC_GMM_DATA_REQ = 469981056
1194      NS_G23_RLC_UL D: RLC_DATA_REQ = 469981120
1194      NS_G23_RLC_UL D: RLC_UNITDATA_REQ = 469981184
1194      NS_G23_RLC_UL D: RLC_RLC_DATA_REQ = 469981312
1194      NS_G23_RLC_UL D: RLC_RLC_UNITDATA_REQ = 469981376
1194      NS_G23_RLC_UL D: RLC_DATA_RSP = 469981632
1194
NS_G23_RLC_UL D: LLC_RLC
1194      NS_G23_RLC_UL D: RLC_DATA_CNF = 469981696
1194      NS_G23_RLC_UL D: RLC_DATA_IND = 469981760
1194      NS_G23_RLC_UL D: RLC_STATUS_IND = 469981824
1194
NS_G23_RLC_UL D: RR_RLC
1194      NS_G23_RLC_UL D: RR_TBF_ESTABLISH_REQ = 469970880
1194      NS_G23_RLC_UL D: RR_UPLINK_TBF_RELEASE_REQ = 469971008
1194      NS_G23_RLC_UL D: RR_DOWNLINK_TBF_RELEASE_REQ = 469971072
1194      NS_G23_RLC_UL D: RR_TBF_RELEASE_RSP = 469971136
1194      NS_G23_RLC_UL D: RR_DOWNLINK_ACK_NACK_REQ = 469971200

Print Server Channel (example 3)

ACC Location Updating (Sony Ericsson K800)
27299     R:1018 49 5 49 5
27319     DL_DATA_IND = 05 12 06 1b 87 03 90 5f 1c a9 52 6c f6 b9 21 37 7a 56 f9 20 10 94 29 fa f7 38 09 00 00 00 a9 57 56 40 6e a3 9e
27319     MM: Authentication
27319     MM: Net sends CKSN=6
27355     MM: Authentication: SIM_ISO_NORMAL_COMPLETION
27355     MM: Authentication: SIM_AKA_RESPONSE_RES
27355     DL_DATA_REQ = 05 54 70 3a 6f 54 21 04 d9 8f 73 0b
27355     CAS Proxy: <From CAS> RRC_NEW_KEYS_REQ
27355     TASK: Received RRC_NEW_KEYS_REQ from CAS.
27378     DL: Rx ERROR_FRAME 05 T:18
27396     si6:2d061e032352f020154bd8ff2ab4ff97208df400010001
27417     R:1018 49 5 49 5
27437     DL_DATA_IND = 06 35 11
27437     DL_DATA_REQ = 06 32 17 09 33 95 80 07 01 55 94 22 f4
27495     DL_DATA_IND = 05 32 46 82 47 42 40 42 11 65 80 82 49 01 00
27496     MM: dispatch NITZ time info
27496     [ClockBook#105] Created
27500     [ClockBook#105] Goto SetClockBook_BasePage
27501     [ClockBook#105] Goto SetBook_ReceiveNitz_YesNoQuestionNewZone_Page
27503     FS: Partition /ifs set to dirty
27506     FS: Partition /ifs set to clean
27521     [ClockBook#105] Destroyed
27522     *********
27522     [Application session list]
27522       [Session#1 "Standby"] (W1) Books: 1 - [StandbyBook#88]
27523       [Session#14 "Desktop"] (W1) Books: 1 - [MenuBook#103]
27524       (4 window-less sessions ignored)
27524     *********
27535     R:1018 49 4 49 4  1019 46 54 7,
27554     DL_DATA_IND = 05 02 52 f0 20 15 4b 17 05 f4 9b 0a d0 ff
27555     MM: Location Updating Accept
27555     MM: new TMSI = 9b 0a d0 ff

Print Server Channel (example 4)

ACC cell monitoring (Sony Ericsson K800)
37279     CHARGING DATA: Vch 5000, Ich 0, Vbat 4057, Ibat -699, VFET 4150, IFET 0, PDiss 6892, Temp 42+
37494     TL_Counter 6 CDT_Counter 21
37495     MPH Serving
37495       817  -70  41  43     QB=4982
37495     MPH TopList
37495      1018  -63  37  39  65535     =    0x00e00000  0x0a  4783  059  0x0323     2
37495      1019  -64  36  38    147  0x1522  0x00a00000  0x0a  3072  054  0x0336     0
37495       815  -74   x   x      0  0x0000  0x00000060  0x01     0  255  0x0000     0
37495       878  -75  36  38     92     =    0x00e00000  0x0a  4976  014  0x0aeb     0
37495       114  -78  22  24    147     =    0x00e00000  0x0a  4976  043  0x0ae7     0
37495      1016  -79   x   x    100  0x0000  0x00000060  0x01  2392  035  0x0000     0

Print Server Channel (example 5)

ACC GPRS RLC/MAC logging (Sony Ericsson K800)
139144    RLC_UL: P_Q_P G=0, P=1, S=0, C=1, I=0
139144    RLC_UL: ExtendedUplink_TBF == TRUE
139144    RLC_UL: S Ack Est:ed
139144    GMM<-RH_TRIGGER_IND
139144    GMM: READY_TIMER 44
139148    RLC_UL: Put QI =1:
139148    RLC_UL: PDU: RP:1,PTC:1,Len:67,SAPI:1, UI N(U)=4 E=1 PM=1
139148
139148    RLC_UL: P_Q_P G=0, P=2, S=0, C=2, I=0
139148    RLC_UL: QI=0 Last BSN=0
139148    RLC_UL: P_Q_S G=0, P=2, S=1, C=2, I=0
139148    RLC_UL: S Ack Cd
139148    RR: PUA
139148    PUA RlcMac_DL = 47 28 31 04 bf 40 20 03 a8 9b 16 02 1d 2e 2b 2b 2b 2b 2b 2b 2b 2b 2b
139149    RR state 12 ud
139149    MPH_Low SCH 1019 1 MessageOK == FALSE
139149    MPH_PKT_DED_IND
139149    GMM<-RH_TRIGGER_IND
139150    GMM: READY_TIMER 44
139164    RLC_UL: QI=1 Last BSN=3
139164    RLC_UL: P_Q_S G=0, P=2, S=2, C=2, I=0
139173    TFI U, 21, not our
139178    MPH_Low SCH 1019 1 MessageOK == FALSE
139184    TFI U, 22
139184    RR: PUAN
139184    RLC_UL: V(A)=4, V(S)=4
139184    RLC_UL: Freeing QI=0
139184    RLC_UL: P_Q_G G=1, P=2, S=2, C=1, I=0
139184    RLC_UL: PDU: RP:1,PTC:1,Len:8,SAPI:1, UI N(U)=3 E=1 PM=1
139184
139184    RLC_UL: Freeing QI=1
139184    RLC_UL: P_Q_G G=2, P=2, S=2, C=0, I=0
139184    RLC_UL: PDU: RP:1,PTC:1,Len:67,SAPI:1, UI N(U)=4 E=1 PM=1

Interactive Debug (part 1)

Interactive Debug connection establishment
DebugMux ('/dev/ttyACM0')> establish 0x9b42 terminal
[INFO] base.py:78 Establishing connection with DPRef=0x9b42
[INFO] client.py:199 Rx ConnEstablished: ConnRef=0x3200, DPRef=0x9b42
[INFO] base.py:94 Connection established: DPRef=0x9b42, ConnRef=0x3200, DataBlockLimit=300

Welcome to Interactive Debug

[root]

Interactive Debug (part 2)

Interactive Debug directory listing generation
DebugMux ('/dev/ttyACM0')> establish 0x9b42 walker > samples/interactive_debug.list

Interactive Debug (example 1)

Directory listing for ACC - Interactive Debug
Welcome to Interactive Debug

[root] ls
Contents of directory root:
RS232             <DIR>
USB               <DIR>
DebugMux          <DIR>
TupL2             <DIR>
WAS_L2            <DIR>
WAS_RRC           <DIR>
Channels          <DIR>
TaskSupervisor    <DIR>
AT                <DIR>
DSPIF             <DIR>
WCDMA_L1          <DIR>
DHCPC             <DIR>
PD_I2C            <DIR>
LLRS232           <DIR>
ICA               <DIR>
CAS               <DIR>
NTCSD             <DIR>
HCITL             <DIR>
BT                <DIR>
GAS               <DIR>
USBLD             <DIR>
MTP               <DIR>

Interactive Debug (example 2)

Directory listing for ACC - Interactive Debug
[root] cd WAS_RRC
[WAS_RRC] ls
Contents of directory WAS_RRC:
MaxTxPowerComp                       <CMD>
SetHS_DSCH_PhysicalLayerCategory     <CMD>
ToggleAckOnConnSetCmpl               <CMD>
ToggleCipheringCapability            <CMD>
ToggleDetectedCellsHandling          <CMD>
ToggleHSDPA_Capabilties              <CMD>
ToggleHSUPA_Capabilties              <CMD>
ToggleNeedOfCM                       <CMD>
ToggleInterFreqEventsHandling        <CMD>
ToggleResetWandaFlag                 <CMD>
ToggleRFC_2507_Capability            <CMD>
ToggleRRC_CapabilitiesR99_OR_REL5    <CMD>
PrintControl                         <DIR>
RRC_C_PlaneDataCtrl_cap              <DIR>
RRC_ConfigurationCtrl_cap            <DIR>
BLER                                 (u2)

Interactive Debug (example 3)

Directory listing for ACC - Interactive Debug
[root] cd NTCSD
[NTCSD] ls
Contents of directory NTCSD:
L2RCOP                   <DIR>
RLP                      <DIR>
dump                     <CMD>
get_process_name         <CMD>
hangup                   <CMD>
ntcsd_call_statistics    <CMD>

Tvp (Test and Verification Protocol)

Figure 9. Tvp Component diagram

== GetAuthReq (1st step): request sub-system activation

   0d00    022c  0a000101  04 54454d53
   ----    ----  --------  -----------
   Length  ????  ????????  PascalString('TEMS')

== GetAuthAck (2nd step): target sends the challenge

   1b00    9041  0b00000001  0110  3038490bfd6418aa83afcb590a77961a
   1b00    9041  0b00000001  0110  e6df5760450e94467f3ac25a1bf210aa
   1b00    9041  0b00000001  0110  8497e60206c7c2ad7112694af7ab3b02
   1b00    9041  0b00000001  0110  b22ec2e900c6eecbd5286163849a53ea
   ----    ----  ----------  ----  --------------------------------
   Length  ????  ??????????  ????  Challenge (32 chars)

== SetAuthReq (3rd step): host solves the challenge and responds

   1d00    022c  0a01020114  54454d53  7baa687f7a6ba22c6703e954ac2f3347
   1d00    022c  0a01020114  54454d53  075fbea8fcb3c55b970c2e58ee0d7e92
   1d00    022c  0a01020114  54454d53  5406efcba5d87dddf02f33a84e388251
   1d00    022c  0a01020114  54454d53  90b798e9780fd9c8bda8c53e3403c5d9
   ----    ----  ----------  --------  --------------------------------
   Length  ????  ??????????   'TEMS'   Response (32 chars)

== SetAuthAck (4th step): target sends auth result

   0c00    9041  0b01000001  011400
   ----    ----  ----------  ------
   Length  ????  ??????????  ??????

EOF

Project plans

Acknowledgements

Thank you for your attention!