 |
|
Document describing protocol used in Nokia phones.
The data provided is for information purposes only.
Some of the frames might be hazardous to your phone. Be careful!!!
We do not take any responsibility or liability for damages, etc.
Last update 26.02.2001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Assembled by
Balazs Nagy (js@lsc.hu)
Alfred R. Nurnberger <arnu@flosys.com>
Hugh Blemings <Hugh.Blemings@vsb.com.au>
Mike Bradley <mike@trumpington.st>
Odinokov Serge <serge@takas.lt>
Pavel Janik <Pavel@Janik.cz>
Paweі Kot <pkot@linuxnews.pl>
Marcin Wiacek (Marcin-Wiacek@TOPNET.PL)
Jens Bennfors <jens.bennfors@ing.hj.se>
Michael Hund <michael@drhund.de>
Jay Bertrand <jay.bertrand@libertysurf.fr>
<arnu@venia.net>
Andrew Kozin
... and other members of gnokii mailing list
and authors of some WWW pages.
Available in
mygnokii (www.marcin-wiacek.topnet.pl)
gnokii (www.gnokii.org)
NOTE: this information isn't (and can't be) complete. If you know anything
about features not listed here or you noticed a bug in this list, please
notify us via e-mail. Thank you.
Frame format for MBUS version 1:
Request from Computer/Answer from Phone:
{ DestDEV, SrcDEV, FrameLength, MsgType, {block}, id, ChkSum }
where DestDEV, SrcDEV: 0x00: phone
0xf8: PC (wakeup msg)
0xe4: PC (normal msg)
FrameLength: length of data frame. Maximal 0x78. Longer
frames are divided into smaller.
MsgType: see List
{block}: main frame
id: request identity number 1..n, incremented after
the request is accepted
ChkSum: XOR on frame's all numbers
Ack from Phone:
{ DestDEV, 0x00, FrameLength, MsgType, {block} , id, ChkSum }
where DestDEV: taken from original request packet
FrameLength: 0x7f, when DestDEV = 0xe4
0x7e, when DestDEV = 0xf8
MsgType: see List. Present only, when DestDEV = 0xf8
{block}: main frame. Present only, when DestDEV = 0xf8
id: request identity number 1..?, corresponding
to the original request packet id
the request is accepted
ChkSum: XOR on frame's all numbers
Ack from Computer:
{ 0x00, SrcDEV, 0x7f, id, ChkSum }
where SrcDEV: taken from response packet
id: request identity number 1..?, corresponding
to the response packet id
the request is accepted
ChkSum: XOR on frame's all numbers
Port settings:
Speed 9600 bps, Bits 8, ParityOdd, Stop Bits 1, DTR and RTS logic 0
Many transmission are made this way:
<computer sends request>
<phone sends ack>
<phone sends response>
<computer sends ack>
Some frames are sent from phone without asking for them
Frame format for FBUS version 1:
{ FrameID, FrameLength, MsgType, {block}, SeqNo, ChkSum }
where FrameID: 0x01 Command frame from computer to Nokia
0x02 ??? - Data call frame from computer to Nokia - ???
0x03 Data call frame from Nokia to computer
0x04 Command frame from Nokia to computer
FrameLength: {block} + 2
MsgType: see List
SeqNum: Sequence number of command in case where direction is
from ME to computer, the sequence number is
counting from 0x30 to 0x37 and resetting back to 0x30.
When direction is from computer to ME,
sequence number counts from 0x08 to 0x0f and resets back to 0x08.
It may not be required to be this way.
Sequence numbers are used in acknowledging commands.
ChkSum1: CRC = 0;
for (i = 0; i < (2 + CMD_LEN); i++)
CRC ^= frame[i];
Frame format for FBUS version 2/Direct IRDA:
{ FrameID, DestDEV, SrcDEV, MsgType, 0x00, FrameLength, {block}, FramesToGo,
SeqNo, PaddingByte?, ChkSum1, ChkSum2 }
where FrameID: 0x1c: IR / FBUS
0x1e: Serial / FBUS
DestDev, SrcDev: 0x00: mobile phone
0x0c: TE (FBUS) [eg. PC]
MsgType: see List
FrameLength: {block} + 2 (+ 1 if PaddingByte exists)
FramesToGo: 0x01 means the last frame
SeqNo: [0xXY]
X: 4: first block
0: continuing block
Y: sequence number
PaddingByte: 0x00 if FrameLength would be an odd number
anyways it doesn't exists
ChkSum1: XOR on frame's odd numbers
ChkSum2?: XOR on frame's even numbers
Frame format for MBUS version 2:
{ FrameID, DestDEV, SrcDEV, MsgType, FrameLengthLO, FrameLengthHI, {block},
SeqNo, ChkSum }
where FrameID: 0x1f: Serial / M2BUS
DestDev, SrcDev: 0x00: mobile phone
0x1d: TE (M2BUS)
0x10: TE (M2BUS) (Service Software ?)
0x04: Carkit?
0x48: DLR3 cable?
0xF8: unknown target?
0xFF: global target?
MsgType: see List
FrameLength: {block}
SeqNo: sequence number
ChkSum: XOR on frame's all numbers
Please note that M2BUS has only one checksum: XOR on frame[FrameID..SeqNo]
Frame format for Infrared:
{ FrameID, DestDEV, SrcDEV, MsgType, FrameLengthLo, FrameLengthHi, {block}}
where FrameID: 0x14
DestDev, SrcDev: 0x00: mobile phone
0x0c: TE [eg. PC]
MsgType: see List
FrameLength: {block}
List format:
hex: Short description
x msg desc { ... }
0xXX -> one byte
0xXXYY -> two bytes (== 0xXX, 0xYY)
where hex: message type
x: s=send (eg. to mobile), r=receive
{ ... }: data after 0x00, 0x01 header
{+... }: raw data (without header)
-------------------------------------------------------------------------------
Nokia 640 and derivatives:
Correct format is MBUS version 1:
List:
0x0f:
r Get serial number {+0x19, 0x03, 0x00, 0x01, 0x0b, 0x00, 0x00}
s Get mem location {+0x2d, 0x03, 0x00, 0x07, 0x1f, 0x7f, 0xf0, 0x00, location?, 0x00, 0x00}
s Get startup logo {+0x60, 0x03, 0x00, 0x07, 0x3A, 0x7f, 0xf0, 0x00, 0x00, 0x00, 0x00}
0x10:
s Set startup logo {+0x08,0x03,0x00,0x07,0x3A,0x7F,0xF0,0x00,0x00,0x00,0x00,0x54, bitmap }
s Set mem location {+0x10,0x08,0x03,0x00,0x07,0x1F,0x7F,0xF0,0x00,
location,0x00,0x00,0x00,0x21,numlen,number,name[starts on 30 byte],0x00,0x05[starts on 46 byte]}
0x19:
s Get RF level {+0x02,0x01,0x07}
s Get battery level {+0x02,0x01,0x00}
0x43:
s Reset {0x00, 0x00}
------------------------------------------------------------------------------
Nokia 2110 and derivatives:
Correct format is MBUS version 1:
List:
0x1f: phonebook
s Get mem location {+0x1a, memtype, location }
where: memtype:
0x03: telephone phonebook
0x04: SIM phonebook
s Set mem location {+0x1b, memtype, location, name, 0x00, number, 0x00 }
where: memtype: see 0x1f/0x1a
0x37: SMS
r SendSMS/GetSMS/DelSMS/{+0x10, code, frame }
SetSMSC/GetSMSC where:
code: 0x08 - SMS send OK
frame:
0x1d 0x24 0x25 (latter 2 in order)
0x0b - SMS get OK
Frame:
memtype, location, unknown1, unknown2, unknown2, 0x00, date(7 bytes) in BCD, msglen, msgtext, recipient,
0x00, smsc, 0x00
Where:
memtype, msglen, msgtext: see 0x38/0x1002 frame
unknown1 - unknown3: see 0x37/0x21
Note: This frame used only, when FrameLength < 0x75
0x0d - SMS delete OK
0x0f - SMS delete failed
0x10 - SMS send failed
frame:
0x1d 0x24 0x25 (latter 2 in order)
0x10 - SMS get failed
0x1a - SMS message received (by phone).
Frame:
memtype, location, unknown1, unknown2, 0x00, date(7 bytes) in BCD, msglen, sender,
0x00, smsc, 0x00
where
memtype: see 0x38/0x1002 frame
unknown1: 0x00 0x00 0x04 more messages?
true:0x00
false:0x04
unknown2: 0x20 0x20 0x20
0x1c - SMSC set OK
0x1d - SMSC set failed
0x2f - SMSC get OK
Frame:
0x00, 0x00, unknown1, unknown2, 0x00, 0x00, unknown3, unknown4, unknown5,
0x00, smsc, 0x00
Where:
unknown1: 0x05 0x08
last memtype location used or number of messages??
unknown2: 0x02 0x00
unread messages indicator??
unknown3: 0xff
validity period?
unknown4: accept reply costs?
no:0x01
yes:0x02
unknown5: status reports
no:0x01
yes:0x02
0x30 - SMSC get failed
r Get SMS part 2 {+0x20, ... continuation of 0x37/0x21 frame }
r Get SMS part 1 {+0x21, 0x0b, memtype, location, unknown1, unknown2, unknown3, 0x00, date(7 bytes) in BCD, msglen, msgtext}
where memtype: see 0x38/0x1002
unknown1:
unread: 0x03
read: 0x01
unknown2: more messages ?
true: 0x00
false: 0x04
this flag seems to be set by locust when a message (e.g. tv) is split across more than 1 sms
unknown3: 0x20
0x38: SMS
s Send SMS message {+0x1000, unknown, pr, 0x00, validity, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
msglen, msgtxt, recipient, 0x00, smsc, 0x00}
where: unknown: 0x11 or 0x91 parameter mask?
(data, data coding, protocol but 0x80?)
pr: 0x00 or protocol id + 0x20
validity: 0x0b: 1 hour
0x47: 6 hours
0xa7: 24 hours
0xad: 1 week
0xff: max.time
msglen: SMS message length
msgtext: message string (unterminated)
recipient: receipient`s number string
smsc: SMS centre number string
Note: Used when FrameLength < 0x75
s Get SMS message {+0x1002, memtype, location }
where: memtype:
0x01: default
0x02: SIM
0x03: phone
s Delete SMS message {+0x1003, memtype, location }
where: memtype: see 0x38/0x1002
s Set SMSC {+0x101b, unknown, pr, 0x00, validity, reply, report, 0x00, smsc, 0x00, 0x00 }
where:
pr: protocol id + 0x20
validity: 0x0b: 1 hour
0x47: 6 hours
0xa7: 24 hours
0xad: 1 week
0xff: max.time
reply: reply via same SMSC:
0x01: no
0x02: yes
report: delivery reports:
0x01: no
0x02: yes
unknown: 0x74, 0x75 parameter mask ??
s Get SMSC {+0x102e, 0x09, 0xe9}
s Send SMS message 2part{+0x20, continuation of 0x38/0x21 frame }
Note: Used when FrameLength >= 0x75
Format the same to 0x38/0x1000 frame
s Send SMS message 1part{+0x21, unknown, pr, 0x00, validity, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
msglen, msgtext }
Note: Used when FrameLength >= 0x75
Format the same to 0x38/0x1000 frame
0xc9: phonebook
r Get mem location {+0a1a, memtype, location, code, {name}, 0x00, {number}, 0x00 }
where: memtype: see 0x1f/0x1a
code:
0x64 - invalid location
0x65 - device failure
0x66 - device not available
0x67 - entry locked
0x68 - communication error
0x69 - update impossible
0x6a - number too long
0x6b - name too long
0x82 - store ok
0x83 - read ok
0x84 - number overflow
name: name string, only present on "read ok" code
number: phone number string, only present on "read ok" code
r Set mem location {+0a1a, memtype, location, code }
where: memtype: see 0x1f/0x1a
code: see "Get mem location"
0xe9:
s Start connection {+0x00 0x02 0x1c 0x00 0x1c}
Note: this is message with SrcDEV = 0xf8 !
ACK frame for it is (DestDEV = 0xf8 too) 0x1c, 0x01, 0x1c
-------------------------------------------------------------------------------
Nokia 3110 and derivatives:
Correct format is FBUS version 1/MBUS version 1 (?):
List:
0x0a:
s Make call {+type of call, type of number?, numlen, number, uk1, uk2, uk3 }
where type of call: see 0x0b
Note: If destination number is "1" - "9",
call for number in corresponding memory location is made.
0x0b:
r Incoming call {+type of call, 0x00, namelen, name }
where type of call:
0x01 Data
0x02 ??
0x03 ??
0x04 ??
0x05 Voice
0x0c:
s Answer incoming call {}
0x0d:
r Incoming call answered{}
from ME
0x0e:
r Call established {+type of call, 0x00, 0x00 }
where type of call: see 0x0b
0x0f:
s Call hang up {}
0x10:
r Call hanged up from ME{}
seq1
0x11:
r CallClosed-by other end{+unknown, reason}
where:
unknown reason
0x65 0x10 Hanged up by other end
0x1c virheellinen numero
0x65 0x1f Number is not in use
0x65 0x4f Check operator services
0x65 0xa6 No destination number (sms sending)
0x65 0xe4 --''--
0x6f 0x6f
0x7d 0x7d
0x7f 0x7f
0x83 0x83
0x12:
r Call hanged up from ME{}
seq2
0x13:
r Power ON seq {}
0x15:
s Initialization {}
0x16:
r Initialization OK {+simstate }
where simstate:
0x01 No SIM present, or waiting for PIN
0x02 SIM present and ready.
0x17:
r Initialization err {+error }
0x20:
s Send DTMF {+length,string}
0x21:
r Send DTMF OK {}
0x22:
r Send DTMF err {+error }
where error:
0x70: invalid location
0x23:
s Send SMS Header {+first octet, PID, DCS, validity(7 bytes), UDL, SMSClen, SMSC, receiverlen, receiver}
0x24:
s Save SMS Header {+memtype,status(2bytes),PID, DCS, validity(7 bytes), UDL, SMSClen, SMSC, receiverlen, receiver, receivertype }
where: memtype:
2=SIM
3=ME
status: see 0x2c
0x25:
s Get SMS message {+memtype, location }
where: memtype - see 0x30
Note: In successful request, phone sends one "SMS Header" and one or more "SMS Data" packets.
In failure, phone sends "Get SMS message err" packet
0x26:
s Delete SMS message {+memtype, location }
where: memtype - see 0x30
0x27:
r SMS Data {+seq,block}
where: seq: starts from 0x01 and is increased by 1 after each block transmitted.
block: Block of User Data (max 55 chars)
s Send/Save SMS Data {+seq,block}
0x28:
r SMS sent OK {+reference?}
0x29:
r SMS sent error {+error1, error2}
0x2a:
r SMS saved OK {+memtype}
where: memtype - memory, where SMS was saved
0x2b:
r SMS saving err {+error}
0x2c:
r SMS Header {+memtype, location, status(2 bytes), PID, DCS, date (7 bytes), UDL, senderlen, sender, SMSClen, SMSC, sendertype}
where:
memtype, PID, DCS, date, UDL, sender, SMSC, sendertype - see 0x30
status: 0701: Saved, not sent
0501: Sent
0304: Received, unread
0204: Unread
0104: Received, read
0x2d:
r Get SMS message err {+error}
0x2e:
r Delere SMS message OK {}
0x2f:
r Delete SMS message err{+error}
0x30:
r SMS message received {+memtype, location, unknown, PID, DCS, date(7 bytes), UDL, senderlen, sender, SMSClen, SMSC, sendertype}
where: memtype:
0x01 Phone Selected
0x02 SIM
0x03 ME
location: Memory location (1...)
unknown: most of time 0x04
PID: Protocol Identifier
DCS: Data Coding Scheme
date: sending date in BCD
UDL: User Data Length
sender: sender number
SMSC: SMSC number
sendertype: type of sender number:
0x31 International without leading '+' ???
0x91 International
0x32:
r Delivery report receiv{+unknown,delivery time(7 bytes),report time(7 bytes),0x00,MR,
destinationlen,destination,SMSClen,SMSC,destinationtype}
0x3c:
s Set SMSC {+bitmask,format,unknown1,validity,reply,reports,unusedlen,unused,SMSClen,SMSC}
where:
bitmask: info, what we change
7 ??
6 reports
5 reply
4 SMSC number
3 unused
2 validity
1 unknown
0 format
format:
0x00 Text
0x22 Fax
0x24 Voice
0x25 ERMES
0x26 Paging
0x2d E-mail
0x31 X.400
validity:
0 to 143 (validity + 1) * 5 minutes (i.e. 5 minutes intervals up to 12 hours)
144 to 167 12 hours + ((validity - 143) * 30 minutes)
168 to 196 (validity - 166) * 1 day
197 to 255 (validity - 192) * 1 week
0x3d:
r Set SMSC OK {}
0x3e:
r Set SMSC err {}
0x3f:
s Get SMSC {}
0x40:
r Get SMSC {+memory,AllSMSphone,unreadSMSphone,AllSMSSIM,unreadSMSSIM,
format,unknown1,validity,reply,reports,unusedlen,unused,SMSClen,SMSC}
where: format,unknown1,validity,reply,reports,unusedlen,unused,SMSClen,SMSC - see 0x3c
memory: selected memory
AllSMSphone: number of all SMS in phone
unreadSMSphone: number of unread SMS in phone
AllSMSSIM: number of all SMS on SIM
unreadSMSSIM: number of unread SMS on SIM
0x42:
s Set mem location {+memtype, location, namelen, name, numlen, number }
where memtype: see 0x43
0x43:
s Get mem location {+memtype, location }
where: memtype:
0x01 Phone Selected
0x02 SIM
0x03 ME
0x04 Own numbers (at SIM)
0x44:
r Set mem location OK {}
0x45:
r Set mem location err {+error }
0x46:
r Get mem location OK {+namelen, name, numlen, number }
0x47:
r Get mem location err {+error }
0x48:
r PIN entered {}
0x49:
r Power OFF seq {}
0x4a:
s Status request {}
0x4b:
r Status request {+status, network, battery }
where status:
0x01 Idle
0x02 Network interworking
0x03 Call open
0x04 No Network Access (Waiting for PIN or
Unaccessable Operator selected)
network and battery - signal level
0x4c:
s Get phone info {}
0x4d:
r Get phone info {+IMEI, 0x00, Code, 0x00, HW, 0x00 }
where IMEI: IMEI Code
CODE: Same as Code in phones back side
HW: hardware version
-------------------------------------------------------------------------------
Nokia 6110 and derivatives (Nokia 6130, 6150, 6190, 5110, 5130, 5150, 5190,
3210, 3310) frames.Correct format is FBUS version 2/Direct IRDA/MBUS version 2:
List:
0x00: Monitoring values
r monitoring value {+0x01, 0x01, block... }
where block: 0x5e, 0x05, 0x7a(?), 0xd0(?), 0x85(?), 0x02, percentHI, percentLO
Battery percent level
0x5e, 0x0c, 0x52(?), 0x4b(?), 0x6f(?), 0x02, voltageHI, voltageLO
Battery standby voltage
............
0x01: Call Information
s Make call { 0x0001, "number", type, block }
where type:
0x01 - data call
0x05 - voice call
block:
data call (non digital lines):
0x02,0x01,0x05,0x81,0x01,0x00,0x00,0x01,0x02,0x0a,
0x07,0xa2,0x88,0x81,0x21,0x15,0x63,0xa8,0x00,0x00
data call (digital lines):
0x02,0x01,0x05,0x81,0x01,0x00,0x00,0x01,0x02,0x0a,
0x07,0xa1,0x88,0x89,0x21,0x15,0x63,0xa0,0x00,0x06,
0x88,0x90,0x21,0x48,0x40,0xbb
voice call:
0x01, 0x01, 0x05, 0x81, 0x01, 0x00, 0x00, 0x01
r Call going msg { 0x0002 }
r Call in progress { 0x0003, seqnr }
r Remote end hang up { 0x0004, seqnr, ?, error (like in netmon in 39) }
r incoming call alert { 0x0005, seqnr, numlen, "number", namelen, "name" }
s Answer call part 2 { 0x0006, seqnr, 0x00 }
r answered call { 0x0007, seqnr }
s Hang up { 0x0008, seqnr, 0x85 }
r terminated call { 0x0009, seqnr }
r call msg { 0x000a, seqnr }
r Send DTMF/voice call { 0x0040}
s Answer call part 1 { 0x0042,0x05,0x01,0x07,0xa2,0x88,0x81,0x21,0x15,0x63,0xa8,0x00,0x00,
0x07,0xa3,0xb8,0x81,0x20,0x15,0x63,0x80 }
s Sent after issuing { 0x0042,0x05,0x81,0x07,0xa1,0x88,0x89,0x21,0x15,0x63,0xa0,0x00,0x06,
data call 0x88,0x90,0x21,0x48,0x40,0xbb,0x07,0xa3,
(digital lines) 0xb8,0x81,0x20,0x15,0x63,0x80 }
s Sent after issuing { 0x0042,0x05,0x01,0x07,0xa2,0xc8,0x81,0x21,0x15,0x63,0xa8,0x00,0x00,
data call 0x07,0xa3,0xb8,0x81,0x20,0x15,0x63,0x80,
(non digital lines) 0x01,0x60 }
s Send DTMF { 0x0050, length, {ascii codes for DTMF}, 0x01 }
Note:
to make data call (non digital lines):
1.send "Make call" for non digital lines
2.send "Sent after issuing data call (non digital lines)"
to make data call (digital lines):
1.send "Answer call part 1"
2.send "Sent after issuing data call (digital lines)"
3.send "Make call" for digital lines
to answer call:
1.send "Answer call part 1"
2.send "Answer call part 2"
0x02: SMS handling
s Send SMS message { 0x0001, 0x02, 0x00 (SEND REQUEST), ... }
r Message sent { 0x0002 }
r Send failed { 0x0003, ?, ?, error (like in netmon in 65)}
s Get SMS message { 0x0007, 0x02, location, 0x01, 0x64 }
s Initiate connection { 0x000d, 0x00, 0x00, 0x02 }
r Initiate ACK { 0x000e, 0x01 }
r SMS message received { 0x0010, ...... } (whole message)
s Set CellBroadcast { 0x0020, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01 }
for enable cell broadcast ?
0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
for disable cell broadcast ?
r Set CellBroadcast OK { 0x0021, 0x01 }
r Read CellBroadcast { 0x0023, ?, ?, ?, channel, ?, message... } ?
s Set SMS center { 0x0030, 0x64, priority, checksum? ,0?, format,
validity, {DefaultRecipient no.}[12],
{SMScenter no.}[12], {SMSC name}, 0x00}
where tel.no.[12]: {len, type, {number(BCD)}}
type: 0x81: normal
0x91: + (international)
0xd0: alphanumeric
format: 0x00: text
0x22: fax
0x24: voice
0x25: ERMES
0x26: paging
0x31: X.400
0x32: email
validity: 0x0b: 1 hour
0x47: 6 hours
0xa7: 24 hours
0xa9: 72 hours
0xad: 1 week
0xff: max.time
r Set SMS center OK { 0x0031 }
r Set SMS center error { 0x0032, reason }
s Get SMS center { 0x0033, 0x64, priority }
r SMS center received { 0x0034, priority, checksum?, format, 0x00?,
validity, {DefaultRecipient no.}[12],
{SMScenter no.}[12], {SMSC name}, 0x00}
tel.no[12]: {len, type, {number(BCD)}}
where priority, checksum, type, validity,
tel.no.[12]: see 0x02/0x0030
r SMS center error recv { 0x0035, reason }
0x03: Phonebook functions
s Get mem location { 0x0001, memtype, location, 0 }
where memory:
0x01: telephone and SIM phonebook (in one)
0x02: telephone phonebook
0x03: SIM phonebook
0x04: SIM fixdialling-phonebook (?)
0x05: Own numbers
0x07: Dialled numbers
0x08: Missed calls
0x09: Received calls
0x0b: voice mailbox (location not important)
r mem location recvd { 0x0002, 0x00,namelen,"name",numlen,"number",groupID, 0x01?, yearLO, yearHI, month, day, hour, minute, sec. }
Note: in 3310 all entries have null name ("feature" of bug ?)
r mem loc error recvd { 0x0003, errtype }
where errtype: 0x7d: invalid memory type
s Set mem location { 0x0004, memtype,location,namelen,"Name",numlen,"number",groupID }
r mem set OK { 0x0005 }
r mem set error { 0x0006, errtype }
where errtype: 0x7d: name is too long
s Mem status request { 0x0007, memtype }
r Mem status recvd { 0x0008, memtype, free, used }
r Mem status error recv { 0x0009, errtype }
where errtype: 0x6f: mem status error
0x7d: invalid memory type
0x8d: waiting for pin
s Get caller group data { 0x0010, groupID }
r Get caller group data { 0x0011, groupID, size, "Name", ringtoneID, graphic_on?1:0, lenHI, lenLO, OTABitmap (72x14 logo) }
r Get call.group error { 0x0012, reason }
where reason: 0x7d: invalid location
s Set caller group data { 0x0013, groupID, size, "Name", ringtoneID, graphic_on?1:0, lenHI, lenLO, OTABitmap (72x14 logo) }
r Set caller group OK { 0x0014 }
r Set call.group error { 0x0015, reason }
where reason: 0x7d: invalid location
s Get speed dial { 0x0016, index(1-9) }
r Get speed dial OK { 0x0017, mem.type, location }
where mem.type: 0x02: ME (== 0 if not stored)
0x03: SIM
location: memory location (== 0 if not stored)
r Get speed dial error { 0x0018 }
s Set speed dial { 0x0019, index(1-9), mem.type, location }
r Set speed dial OK { 0x001a }
r Set speed dial error { 0x001b }
0x04: Phone Status
s Phone status { 0x0001 }
r Phone status { 0x0002, mode, signal str, ???, pwr, batt.level }
where mode: 1: registered within the network
2: call in progress
3: waiting for pin
4: powered off
pwr: 1: AC/DC
2: battery
s Request Phone ID { 0x0003 }
r RequestPhone ID { 0x0004, 0x01, "imei", 0, "model", 0, "prod.code", 0, "HW", 0, "firmware", 0x00, 0x01 }
0x05: Profile settings
s Set profile feature { 0x0010, 1, nr, feature, a, 1 }
where nr: see 0x05/0x0013
feature: see 0x05/0x0014
a: see 0x05/0x0014
r Set profile feat. OK { 0x0011, 1 }
s Get profile feature { 0x0013, 1, nr, feature, 1 }
where nr is profile number (general=0, silent, meeting, outdoor, pager, car, headset=6)
feature: see 0x05/0x0014
r Get profile feature { 0x0014, 1, nr, feature, 4, a, b, c, d, 1 }
Features and answers (in a, b, c, d form):
0x00: keypad notes
(in Nokia 3310 feature 0x00)
xx, 1, 0, 2
xx: 0xff: off
0x00: level 1
0x01: level 2
0x02: level 3
0x01: lights (? only in car profile)
(what number in Nokia 3310 ?)
xx, 0, 0, 1
xx: 0x00: off
0x??: on (maybe 0x01)
0x02: incoming call alert
(in Nokia 3310 feature 0x01)
xx, 1, 0, 7
xx: 1: ringing,
2: beep once,
3: unknown
4: off
5: ring once
6: ascending
7: caller groups (see feature #0x08)
0x03: ringing tone
(in Nokia 3310 feature 0x02)
xx, 0, 0, 0
xx: 0x12: ring ring
0x13: low
etc
0x04: ringing volume
(in Nokia 3310 feature 0x03)
xx, 0, 0, 0
xx: level 1 (0x06) - level 5 (0x0a)
0x05: message alert tone
(in Nokia 3310 feature 0x04)
xx, 1, 0, 4
xx: 0: no tone
1: standard
2: special
3: beep once
4: ascending
0x06: vibration (in Nokia 3310 feature 0x05)
xx: 0: off
1: on
0x07: warning and game tones
(in Nokia 3310 feature 0x06 called warning tones)
xx, 4, 0, 4
xx: 0xff: off
0x04: on
0x07: screen saver - Nokia 3310
xx: 1: on
0: off
0x08: incoming caller groups
(what number in Nokia 3310 ?)
xx, 0, 0, 0
xx: 1: family
2: VIP
4: friends
8: collegues
16: other
0x09: automatic answer
(what number in Nokia 3310 ?)
xx, 0, 0, 1
xx: 0x00: off
0x01: on
s Get welcome message { 0x0016 }
r Get welcome message { 0x0017, no.of blocks, { block } * }
where block: { id, {blockspecific} }
id: 1: startup logo { y, x, picture (coding?) }
2: welcome note { len, "message" }
3: operator msg { len, "message" }
s Set welcome message { 0x0018, no.of blocks, { block } * }
where block: see 0x05/0x0017
r Set welcome OK { 0x0019, 0x01 }
s Get profile name { 0x001a, nr }
where nr: see 0x05/0x0013
r Profile name { 0x001b, 1, 1, 3, flen, nr, len, {text} }
where nr: see 0x05/0x0013
len: text length
flen len + len(nr, len) = len + 2
Note: in Nokia 3310 name is in Unicode
s ??? { 0x001c }
r ??? { 0x001d, 0x93 }
s Set oplogo { 0x0030, location, MCC1, MCC2, MNC, lenhi=0x00, lenlo=0x82, OTABitmap }
r Set oplogo OK { 0x0031 }
r Set oplogo error { 0x0032, reason }
where reason: 0x7d invalid location
s Get oplogo { 0x0033, location }
where location: 1 (doesn't seem to matter)
r Get oplogo { 0x0034, location, MCC1, MCC2, MNC, lenhi=0x00, lenlo=0x82, OTABitmap }
r Get oplogo error { 0x0035, reason }
where reason: 0x7d invalid location
s Set ringtone { 0x0036, location,0x00,0x78, ringtone packed according to SM2.0}
r Set ringtone OK { 0x0037 }
r Set ringtone error { 0x0038, reason }
where reason=0x7d, when not supported location
s Get services settings { 0x0080, setting (2 bytes) }
where: setting: 0x02,0x00=Nokia access number 1
0x02,0x01=Operator access number 1
0x01,0x00=Personal bookmark 1 settings (name only ?)
0x01,0x01=?
0x02,0x02=?
r Get services sett.OK { 0x0081, .... }
r Get services sett.err { 0x0082, 0x7b }
0x06: Calling line restriction/Call forwarding etc
r Get prepaid(?) info { 0x0005, ?,?,?,length,message(packed like in 7bit SMS)}
0x07:
s ??? { 0x0022, ? (1&2 sounds OK) }
r ??? OK { 0x0023, ?,?,? }
r ??? error { 0x0024, reason }
s ??? { 0x0025, ??? }
r ??? OK { 0x0026, ??? }
r ??? error { 0x0027, reason }
0x08: Security codes
s Change code { 0x0004, code, "current", 0x00, "new", 0x00 }
where code: 1: security code (5 chars)
2: PIN (4 chars)
3: PIN2 (4 chars)
4: PUK (8 chars)
5: PUK2 (8 chars)
s Status request { 0x0007, 0x01 }
r pin recvd { 0x0008, accepted }
where accepted: 0x0c (or 0x06): OK
code: waiting for (0x08/0x0004) code
s entering code { 0x000a, code, "code", 0x00 }
where code: see 0x08/0x0004
0x09: SIM login
r login { 0x0080 }
r logout { 0x0081 }
0x0a: Network status
s Key duplication on/off{ 0x0044, on? 0x01: 0x02 }
s get used network { 0x0070 }
r network registration { 0x0071, ?,?,?,length,netstatus,netsel,cellIDH,cellIDL,lacH,lacL,netcode,netcode,netcode }
0x0c: Keys
s Get key assignments { 0x0040, 0x01 }
r Get key assignments { 0x0041, {key '1'}, 0x00, {key '2'} ... {key '0'}, 0,0,0, {symbols}, 0 }
where {key '0'} => ' ', '0'
s Press key { 0x0042, press: 0x01; release: 0x02, button, 0x01 }
where button: 0x01 - 0x09: 1-9
0x0a: 0
0x0b: #
0x0c: *
0x0d: Power
0x0e: Pick up phone
0x0f: Hang
0x10: Volume +
0x11: Volume -
0x17: Up
0x18: Down
0x19: Menu
0x1a: Names
0x1B onwards: don't know but they do produce
a beep and light up the keypad as if
a key had been pressed.
r Press key ack { 0x0043, press/release/error(0x05) }
s ??? { 0x0044 }
r ??? ack { 0x0045, 0x01 }
0x0d: Status
r Display { 0x0050, 0x01, y, x, len, "string"(unicode) }
s Status request { 0x0051 }
r Status { 0x0052, no. of byte pairs, {byte pair} }
where {byte pair}: {cmd, 1:off 2:on}
cmd: 1: call in progress
2: ???
3: have unread sms
4: voice call active
5: fax call active
6: data call active
7: key lock active
8: is SMS storage full
s Display status { 0x0053, 1:on 2:off }
(will send displayed messages with x,y coordinates)
r Display status ack { 0x0054, 1 }
0x11: Phone clock & alarm
s set date and time { 0x0060, 1,1,7,yearh,yearl,month,mday,hour,min,0x00 }
r date and time set { 0x0061 }
s get date and time { 0x0062 }
r date and time recvd { 0x0063,date_set?,time_set?,?,?,yearh,yearl,month,mday,hour,min,second }
where: date_set & time_set==0x01 - set
0x00 - not set, ?,?,yearh,yearl,month,mday,hour,min,second
not available in frame
s set alarm { 0x006b, 1,32,3,0x02(on-off),hour,min,0x00 }
r alarm set { 0x006c }
s get alarm { 0x006d }
r alarm received { 0x006e,?,?,?,?,alrm(==2:on),hour,min }
0x12: Connect to NBS port (61xx only ?)
s Send {+0x0c, 0x01, UDH header, data}
(without 0,1 header -- for oplogo, cli, ringtone etc upload)
where: UDH header = 0x06, 0x05, 0x04,destporth,destportl,srcporth,srcportl
Seems not to work in MBUS!
0x13: Calendar notes
s Write calendar note { 0x0064, 0x01, 0x10, length, type, yearH, yearL, month, day, hour, timezone,
alarm?(alarm yearH, yearL, month, day, hour, timezone): (0,0,0,0,0,0),
textlen, "text" }
r Write cal.note report { 0x0065, return }
where return: 0x01: ok
0x73: failure
0x81: calendar functions busy. Exit Calendar menu and try again
s Calendar notes set { 0x0066... }
r Calendar note recvd { 0x0067, 0x01, ?, length, type, yrH,yrL,mon,day,hr,tz,alrm yrH,yrL,mon,day,hr,tz,textlen, "text" }
r Cal.note recvd error { 0x0067, err }
where err: 0x93: not available
(0x01: OK)
other: error
s Delete cal.note { 0x0068, location }
r Del. cal.note report { 0x0069, err }
where err: 0x01: OK
0x93: cannot delete
0x14: SMS funcs
s Write SMS to SIM { 0x0004, .... }
r SMS message frame rcv { 0x0008,subtype,?,num,?,BCD(smscenter)...} 20->type, 22->status
where type: 0x06: delivery report
status: 0x00: delivered
0x30: pending
0x46: failed
0x09: reading failed
subtype: 0x02: invalid mem type
0x07: empty SMS location
0x0c: no access to memory (no PIN in card, etc.)
s Delete SMS message { 0x000a, 0x02, location }
r Delete OK { 0x000b }
s SMS status request { 0x0036, 0x64 }
r SMS status { 0x0037,?,?,?,?,?,?,msgnumber,unread }
r SMS status error { 0x0038 }
0x40: Security commands
s ??? {+0x00, 0x00, 0x07, 0x11, 0x00, 0x10, 0x00, 0x00}
This frame hangs phone (N3310 4.02). Meaning unknown !
s ???(N6150) { 0x08, 0x00 }
r ???(N6150) { 0x08 }
s Enable extended cmds { 0x64, cmd }
where cmd: 0x00: off
0x01: on
0x03: reset (doesn't ask for PIN again)
0x04: reset (PIN is requested)
In 5110 makes reset without PIN
0x06: CONTACT SERVICE!!! Don't try it!
s Get IMEI { 0x66 }
r Get IMEI { 0x66, 0x01, IMEI, 0x00}
s (ACD Readings)?(N6150 { 0x68 }
r (ACD Readings)?(N6150 { 0x68, ... }
s Get Product Profile
Settings { 0x6a}
r Get Product Profile
Settings { 0x6a, 4bytes with Product Profile Settings }
s Set Product Profile
Settings { 0x6b, 4bytes with Product Profile Settings }
r Set Product Profile
Settings OK ? { 0x6b }
s Get code { 0x6e, code }
where code: see 0x08/0x0004 (only sec.code is allowed)
r Get code { 0x6e, code, allowed, allowed? (sec code (text)) }
where code: see 0x08/0x0004
allowed: 0: no
1: yes
s Start monitoring { 0x70, block }
where block(N6150):
0x7f,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xf9,0x76,0x65,0x20,0x00,
0x00,0x00,0x00,0x00,0x18,0x26,0x15,0x7d,0x0a,0x00,
0xf5,0x82,0x7f,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xf0,0x77,0x80,
0x77,0x80,0xf2,0x82,0x20,0x20,0x20,0x20,0x20,0x20,
0x20,0x20,0x20,0x20
This block enables probably all possible monitorred parameters.
After it phone sends 0x00 message type values
s Break monitoring { 0x71 }
r Break monitoring { 0x71 }
s Reset Permanent
Counters (nm->test36) { 0x74, 0x01, 0x01, 0x0e }
r Reset Permanent
Counters (nm->test36) { 0x74 }
s Call commands { 0x7c, block }
where where: command, (values)
command: 0x01
values: number(ASCII), 0x00 - makes voice call
command: 0x02 - answer call
command: 0x03 - release call
r Call commands { 0x7c, command }
s Netmonitor { 0x7e, field }
where: field: 00: next
F0: reset
F1: off
F2: field test menus
F3: developer menus
s Get simlock info { 0x8a, 0x00}
r Get simlock info { 0x8a, 0x00, ... }
s Set downloaded OpName { 0x8b, 0x00, MCC1, MCC2, MNC, Name, 0x00 }
r SetdownloadedOpNameOK?{ 0x8b, 0x00, 0x01 }
s Get downloaded OpName { 0x8c, 0x00 }
r Get downloaded OpName { 0x8c, 0x00, 0x01, MCC1, MCC2, MNC, Name, 0x00,...}
s Buzzer pitch { 0x8f, volume, hzLO, hzHI }
if volume and hz is 0, it's off
r Buzzer pitch { 0x8f}
s ACD Readings ? { 0x91, parameter?(0x02,0x03,0x04,0x05,0x07) }
r ACD Readings ? { 0x91, parameter?, value? }
s ???(N6150) { 0x98, 0x00 }
r ???(N6150) { 0x98, 0x00, 0x04 }
s Get bin ringtone { 0x9e, location }
where: location=0,1,etc.
r Get bin ringtone { 0x9e, location, error, contents... }
where location=0,1,etc.
error=0x0a, ringtone NOT available
0x00, OK
NOTE: N3310 seems to have different format of frame here
or this is firmware bug
s Set bin ringtone { 0xa0, location, 0x00, contenst... }
where: location=0,1,etc.
r Set bin ringtone { 0xa0, location, error }
where location=0,1,etc.
error=0x0a, ringtone NOT set
0x00, ringtone set OK
NOTE: N3310 seems to have different format of frame here
or this is firmware bug
s Get info about phone { 0xc8, 0x01 }
r Get info about phone { 0xc8, 0x01, 0x00, "V ", "firmware", 0x0a, "firmware date", 0x0a, "model", 0x0a, "(c) NMP.", 0x00 }
s Get MCU SW Checksum { 0xc8, 0x02 }
r Get MCU SW Checksum { 0xc8, 0x02, 0x00, checksum (4 bytes),0x00 }
s DPS External SW { 0xc7, 0x03 }
r DSP External SW { 0xc7, 0x03, 0x00, string,0x00 }
s Get HW { 0xc8, 0x05 }
r Get HW { 0xc8, 0x05, 0x00, HW version (4 bytes), 0x00 }
s Get "Made" Date { 0xc8, 0x05 }
r Get "Made" Date { 0xc8, 0x05, 0x00, date(4 bytes), 0x00 }
s Get DSP Internal SW { 0xc8, 0x09 }
r Get DSP Internal SW { 0xc8, 0x09, 0x00, version (1 bytes), 0x00 }
s Get PCI version { 0xc8, 0x0b }
r Get PCI version { 0xc8, 0x0b, 0x00, version, 0x00 }
s Get system ASIC { 0xc8, 0x0c }
r Get system ASIC { 0xc8, 0x0c, 0x00, string, 0x00 }
s Get COBBA { 0xc8, 0x0d }
r Get COBBA { 0xc8, 0x0d, 0x00, string, 0x00 }
s Get PLUSSA { 0xc8, 0x0e }
r Get PLUSSA { 0xc8, 0x0e, available, 0x00 }
where available: 0x01: not available
s Get CCONT { 0xc8, 0x0f }
r Get CCONT { 0xc8, 0x0f, available, 0x00 }
where available: 0x01: not available
s Get PPM version { 0xc8, 0x10 }
r Get PPM version { 0xc8, 0x10, 0x00, "V ", "firmware", 0x0a, "firmware date", 0x0a, "model", 0x0a, "(c) NMP.", 0x00 }
s Get PPM info { 0xc8, 0x12 }
r Get PPM info { 0xc8, 0x12, 0x00, PPM version ("B", "C", etc.), 0x00 }
s Set HW version { 0xc9, 0x05, version, 0x00 }
s Get Product Code { 0xca, 0x01 }
r Get Product Code { 0xca, 0x01, 0x00, number, 0x00 }
s Get Order Number { 0xca, 0x02 }
r Get Order Number { 0xca, 0x02, 0x00, string, 0x00 }
s Get Prod.Ser.Number { 0xca, 0x03 }
r Get Prod.Ser.Number { 0xca, 0x03, 0x00, number, 0x00 }
s Get Basic Prod.Code { 0xca, 0x04 }
r Get Basic Prod.Code { 0xca, 0x04, 0x00, number, 0x00 }
s Set Product Code { 0xcb, 0x01, product code, 0x00 }
s Set Order Number { 0xcb, 0x02, number, 0x00 }
s Set Prod.Ser.Number { 0xcb, 0x03, number, 0x00 }
s Get (original ?)IMEI { 0xcc, 0x01 }
r Get (original ?)IMEI { 0xcc, 0x01, IMEI, 0x00 }
s Get Manufacture Month { 0xcc, 0x02 }
r Get Manufacture Month { 0xcc, 0x02, 0x00, string, 0x00 }
s Get Purchare date { 0xcc, 0x04 }
r Get Purchare date { 0xcc, 0x04, 0x00, string, 0x00 }
s Set "Made" date { 0xcd, 0x02, string, 0x00 }
s Result of phone tests { 0xcf }
r Result of phone tests { 0xcf, 0xff, results of next tests }
s ??? { 0xd1 }
r ???(N5110) { 0xd1, 0x00, 0x1d, 0x00, 0x01, 0x08, 0x00 }
s LCD Test { 0xd3, value }
where value: 0x03, 0x02 - 1'st test
0x03, 0x01 - 2'nd test
0x02, 0x03 - clears screen
s ACD Readings(N6150)? { 0xd4, 0x02, 0x00, 0x02, 0x00, 0x0e, 0x01}
r ACD Readings(N6150)? { 0xd4, 0x02, 0x00, 0x02, 0x00, 0x0e, 0x01, ?}
0x41: Snake game ?
0x47:
s Get Picture Image { 0x0001, location }
r Get Picture Image when contains sender number
{ 0x0002, location, number(like in SMS), 0x00, len, text, 0x00, width, height, 0x01, bitmap }
NOTE:
Supports only 0x81 and 0x91 coding (NOT alphanumeric numbers!)
in sender without sender number
{ 0x0002, location, 0x00, 0x00, 0x00, len, text, 0x00, width, height, 0x01, bitmap }
s Set Picture Image { 0x0003, frame...}
where frame: see 0x47/0x0002
r Get/Set PictureImageOK{ 0x0004 }
r Set Picture Image err { 0x0005, error? }
where error=0x74 - wrong location ?
0x64:
s Phone ID request { 0x0010 }
r Phone ID recvd { 0x0011, "NOKIA", "imei", 0, "model", 0, "prod.code", 0, "HW", 0, "firmware", magic bytes x 4 ... }
s Accessory connection { 0x0012, 16x0x00, 'NOKIA&NOKIA accessory', 3x0x00 } (45 bytes)
0x7f: Acknowledge(FBUS/IRDA){+type, seq }
Acknowledge(MBUS)...
0xd0:
s Power on message seq1 {+04 }
r Power on message seq1 {+05 }
0xd1:
s Get HW&SW version { 0x0003, 0x00 }
0xd2:
r Get HW&SW version { 0x0003 "V " "firmware\n" "firmware date\n"
"model\n" "(c) NMP." }
0xda: ? (during playing 2 player snake)
0xf0:
s Send RLP frame {+0x00, 0xd9, ... }
0xf4: Power on message seq 2
-------------------------------------------------------------------------------
Nokia 6168 and derivatives (are there any ? ;-))
Correct format is MBUS version 2:
List:
0x07: Phonebook functions ?
s Set mem location {0x0710, 0x00, memory, 0x00, location, length, number(each byte contains two digits), 0x00, ..., name[23], 0x00 }
where: memory 0x22 - internal phonebook
max. length for name 15
max. length for number 15 bytes (30 digits)
s Get mem location {0x0711, 0x00, memory, 0x00, location }
where: memory 0x22 - internal phonebook
0xd1:
s Get HW&SW version { 0x0003, 0x00 }
0xd2:
r Get HW&SW version { 0x0003 "V " "firmware\n" "firmware date\n"
"model\n" "(c) NMP." }
0xdd: Phonebook functions ?
r Get mem location {+0x01, 0x00, block, length, number(each byte contains two digits), 0x00, ..., name[23], 0x00 }
where: block: 0x11, 0x00, memory, 0x00, location (bytes like in 0x07/0x0711)
memory 0x22 - internal phonebook
max. length for name 15
max. length for number 15 bytes (30 digits)
-------------------------------------------------------------------------------
Nokia 6210 and derivatives (7110)
Correct format is FBUS version 2/Infrared/MBUS version 2:
List:
0x00: Connect to NBS port ?
r Set ringtone {+0x7c,0x01,0x00,0x0d,0x06[6],0x78,ringtone packed according to SM2.0}
Seems not to work in MBUS!
0x01: Communication Status
? r Call msg { 0x0002 }
? r Call in progress { 0x0003, seqnr }
? r Remote end hang up { 0x0004, seqnr, ?, error (like in netmon in 39) }
? r incoming call alert { 0x0005, seqnr, numlen, "number", namelen, "name" }
? r answered call { 0x0007, seqnr }
? r terminated call { 0x0009, seqnr }
? r call msg { 0x000a, seqnr }
Note: in 6210 4.27 all msg from 0x01 seems to be unavailable
0x02: SMS handling
s Send SMS message { 0x0001, 0x02, 0x00 (SEND REQUEST), ... }
r Message sent { 0x0002 }
r Send failed { 0x0003, ?, ?, error (like in netmon in 65)}
r SMS message received { 0x0010, ...... } (whole message)
s Set CellBroadcast { 0x0020, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01 }
for enable cell broadcast ?
0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
for disable cell broadcast ?
r Set CellBroadcast OK { 0x0021, 0x01 }
r Read CellBroadcast { 0x0023, ?, ?, ?, channel, ?, message... } ?
s Set SMS center { 0x0030, 0x64, priority, checksum?, format,
validity[2], {DefaultRecipient no.}[12],
{SMScenter no.}[12], {SMSC name}, 0x00}
where tel.no.[12]: {len, type, {number(BCD)}}
type: 0x81: normal
0x91: + (international)
0xd0: alphanumeric
format: 0x00: text
0x22: fax
0x24: voice
0x25: ERMES
0x26: paging
0x31: X.400
0x32: email
validity: 0x000b: 1 hour
0x0047: 6 hours
0x00a7: 24 hours
0x00a9: 72 hours
0x00ad: 1 week
0x00ff: max.time
r Set SMS center OK { 0x0031 }
r Set SMS center error { 0x0032, reason }
s Get SMS center { 0x0033, 0x64, priority }
r SMS center received { 0x0034, priority, checksum?, type,
validity[2], {DefaultRecipient no.}[12],
{SMScenter no.}[12], {SMSC name}, 0x00 }
where priority, checksum, type, validity,
tel.no.[12]: see 0x02/0x0030
r SMS center error recv { 0x0035, reason }
0x03: Phonebook functions
s Get memory status { 0x0103, 0x02, memory type }
where: memory type - see 0x03/0x0107
r Get memory status { 0x0104, 0x00, xL, 0x00[2], y1H, y1L, 0x10,
0x00[2], z?, ymaxH, ymaxL, y2H, y2L,
0x0d?, xH?, 0x00[2]? }
where y1: location (lowermost)
y2: no. of locations
ymax: maximum location no.
s Read memory { 0x0107, 0x01, 0x01, 0x00, 0x01, xH, xL,
yH, yL, 0x00, 0x00}
where x: memory type
0x01: (256) Dialled numbers
0x02: (512) Missed calls
0x03: (768) Received calls
0x05: (500) telephone phonebook
0x06: (160) SIM phonebook
0x07: (10/0)
0x08: (1/0)
0x09: (4) voice mailbox
0x0e: (10) speed dials
0x10: (5) caller groups
y: location
r Read memory { 0x0108, 0x00, 0x01,
code,0x00, 0x00, z, xH, xL, yH, yL, 0x00, 0x00, 0x00, no.of blocks, { block } * }
where if code==0x0f && xH==0x34 - phonebook location not found
y: location
z: generic block size
block: {id, 0, 0, blocksize, block no.,
{contents}, 0x00}
id: 0x04 pointer to another memory location { 0xff?, yH, yL, xL,0x00[3] }
0x07 name {len, (unicode)},
0x08 email
0x09 postal
0x0a note {len, (unicode)}
0x0b number {type, 0x00[3], len, (unicode)}
0x0c ringtone {ringtone no., 0, 0}
0x13 date for a called list (DC, RC, etc.)
0x1b caller group graphic {width, height, 0, 0 {bitmap}}
0x1c caller group graphic on? {(1: yes, 0: no), 0, 0}
0x1e caller group number {number, 0, 0}
type: 0x0a: General,
0x03: Mobile (office ?),
0x06: Work,
0x04: Fax,
0x02: Home (mobile ?)
s Set mem location { 0x010b, 0x00, 0x01, 0x01, 0x00, 0x00, z,
xH, xL, yH, yL, 0x00, 0x00, 0x00,
no.of blocks, { block }[no.of blocks] }
r Set mem location { 0x010c, 0?, 1?, code, 0?, 0?, z?, 0?, 0?,
yH, yL, xL }
where code:
0x3d - wrong entry type
0x3e - too much entries
0x0a: Network status
s get used network { 0x0070 }
r get used network { 0x0071, available,?,?,length,netstatus,netsel,cellIDH,
cellIDL,lacH,lacL,MCC+MNC[3],{Opstr}, 4?,
len, xlen(78), ylen(21), 0, {bitmap} }
where {Opstr}: namelen, {operator name(unicode)}
len: {xlen, ylen, 0, {bitmap} + 2
{bitmap}: bitmaplen, 0, 0, {OTA bitmap}
available: 0x02 if the logo following is valid,
0x01 for no operator logo following
s get network status { 0x0081 }
r get network status { 0x0082, network%, 0x14? }
s set operator logo { 0x01a3 0x01, oplogo?, MCC+MNC[3], 0?,4?,len,
xlen(78),ylen(21), 0 (frames?),
{bitmap}*?, 0x00(padding) }
where len, {bitmap}: see 0x0a/0x0071
r set operator logo OK { 0x01a4 }
0x13: Calendar notes
s Add meeting note { 0x0001, body like in subtype 0x001a...}
r Add meeting note { 0x0002, location (2 bytes), status (2 bytes)}
s Add call note { 0x0003, body like in subtype 0x001a...}
r Add call note { 0x0004, location (2 bytes), status (2 bytes)}
s Add birthday note { 0x0005, body like in subtype 0x001a...}
r Add birthday note { 0x0006, location (2 bytes), status (2 bytes)}
s Add reminder note { 0x0007, body like in subtype 0x001a...}
r Add reminder note { 0x0008, location (2 bytes), status (2 bytes)}
s Delete calendar note { 0x000b, location (2 bytes) }
r Delete calendar note { 0x000c, location (2 bytes), ?, ?, ?, ? }
s Get calendar note { 0x0019, location (2 bytes) }
r Calendar note recvd { 0x001a, location (2 bytes), entry type, 0x00, year (2 bytes), Month, Day, block}
where: entry type - 0x01 - Meeting, 0x02 - Call, 0x04 - Birthday, 0x08 - Reminder
block: for Meeting:{hour,minute,alarm (two bytes),recurrance,len,0x00,string(unicode)}
where alarm=Number of minutes before the time of the meeting
that the alarm should be triggered:
For meetings with "No alarm"=0xFFFF (-1).
For "On time"=0x0000
half an hour=0x001E, and so on.
Recurrance=in hours, between future occurances of this meeting.
If there is no repeat, this value is 0x0000
for Call:{Hour,Minute,Alarm (as above),Recurrance (as above),namelen,numberlen,
name(unicode),number(unicode)}
for Reminder:{Recurrance (as above),len,0x00,string(unicode)}
for Birthday:{0x00,0x00,alarm(4 bytes),yearofbirth,alarmtype,len,string(unicode)}
where alarm=32-bit integer that is the number of seconds between the desired
alarm time and 11:59:58pm on the birthday.For "No Alarm", the value is
0x0000FFFF (65535).
YearOfBirth=used instead of the one in the common part of the entry (see above)
but only when reading birthday entries. For storing entries, this field does
not exist.
AlarmType: 0x00 - Tone, 0x01 - Silent
s Get first free pos { 0x0031 }
r Get first free pos { 0x0032, location (2bytes) }
s Get notes info { 0x003a, 0xFF, 0xFE}
r Get notes info { 0x003b, how many notes used (2 bytes), 0x01, 0x07, { two bytes with location for each note} *}
0x14:
s Get Picture Image { 0x0007, location, number[2 bytes], 0x00, 0x64 }
where location: 0x21 (always ?)
r Get Picture Image { 0x0008, 0x07, location, number[2 bytes], 0x07, ??[38],
width, height, lenH, lenL, {bitmap}}
where location: 0x21 (always ?)
s Set Picture Image { 0x0050, 0x07, location, number[2 bytes], 0x07, ??[38],
width, height, lenH, lenL, {bitmap}}
std. size: 72x28
where location: 0x21 (always ?)
r Set Picture Image { 0x0051, location, number[2 bytes], 0x07 }
where location: 0x21 (always ?)
s List Picture Images { 0x0096, location, 0x0f, 0x07 }
where location:
LM tries with 0x09, 0x11, 0x19, 0x21, 0x29, 0x31, 0x39, 0x41, 0x49
Returned value with 0x21
r List Picture Images { 0x0097, number of pictures[2 bytes], number1[2 bytes], number2[2 bytes], ..., }
s Get SMS from folder { 0x0107, folderID, location(2 bytes), 0x01, 0x65, 0x01}
where: folderID - see 0x14/0x017B
r Get SMS from folder { 0x0108, 0x01/0x07(?), folderID, location(2 bytes),
0x00/0x01/0x02(read/unread/default?),sender number ?,...}
where: folderID - see 0x14/0x017B
s Get folder status { 0x016b, folderID, 0x0F, 0x01}
where: folderID - see 0x14/0x017B
r Get folder status { 0x016c, number of entries (2 bytes), entry1number (2 bytes), entry2number(2 bytes), ....}
s Get folder names { 0x017A, 0x00, 0x00}
r Get folder names { 0x017B, number of strings, folderID, name1, 0x00, folderID, name2, 0x00, name3, 0x00,...}
where: folderID=0x08 - Inbox
0x10 - Outbox
0x18 - Archive
0x20 - Templates
0x17:
s Get Battery info { 0x0002 }
r Get Battery info { 0x0003, 0x0b, batt%, 0x14?, 0x01? }
0x1b:
s Get IMEI { 0x0001 }
r Get IMEI { 0x0002, {IMEI(ASCII)}, 0x00 }
s get HW&SW version { 0x0003, 0x01, 0x32 }
r get HW&SW version { 0x0004, "V " "firmware\n" "firmware date\n"
"model\n" "(c) NMP." 0x00 0xff[14] }
0x1f:
s ??? { 0x0010, 0x02, 0x00, 0xff, 0xff }
r ??? { 0x0011, length, 0x00, {block}[length] }
where block: { unicode letter[2], 0x0000,
0x00, 0x55, ??, ?? }
s Set ringtone { 0x011f, 0x00, location, 0x00, name(Unicode),
ringtone(format the same to 0x40/0x019e and 0x40/0x01a0) }
where: location: 0x87 to 0x8b on N6210
0x74 to ... on N7110
0x39:
s ??? { 0x0101, 0x04, 0x01, 0x01, 0xff, 0x03 }
r ??? { 0x0102, 0x01, 0x02, 0x03, 0x01, 0x01, 0x01, 0x85/0x087 }
0x3f: WAP
s Get WAP bookmark { 0x0006, 0x00, location }
where: location = 0-14
r Get WAP bookmark OK {+0x01, 0x36, 0x00, block }
where block:
0x07,0x00, name_len, name(unicode),
url_len, url(unicode), 0x01,0x80,0x00[7]
r Get WAP bookmark err { +0x01, 0x36, 0x00, 0x08, error }
where error:
0x00 invalid position
0x02 no more bookmark stored
s Set WAP bookmark { 0x0009, 0xff, 0xff, name_len, name(unicode),
url_len, url(unicode), 0x01,0x80,0x00[7] }
Note: bookmark is added to the first free location.
r Set WAP bookmark err {+0x01, 0x36, 0x0b, error }
where error:
0x04 - memory is full
0x01 - we are in the bookmark menu
0x00 - unknown reason for now ;(
r Set WAP bookmark OK {+0x01, 0x36, 0x00, block }
where block:
0x0a, location_of_just_written_bookmark(?),
0x00, next_free_location(?)
s Delete WAP bookmark { 0x000c, 0x00, location }
where: location = 0-14
r Delete WAR bookmark OK{+0x01, 0x36, 0x00, 0x0d }
r Delete WAPbookmark err{+0x01, 0x36, 0x00, 0x0e, 0x02 }
0x40: Security commands
? s ???(N6150) { 0x08, 0x00 }
? r ???(N6150) { 0x08 }
s Enable extended cmds { 0x64, cmd }
where cmd: 0x00: off
0x01: on
0x03: reset (doesn't ask for PIN again)
0x04: reset (PIN is requested)
In 5110 makes reset without PIN
0x06: CONTACT SERVICE!!! Don't try it!
s Get IMEI { 0x66 }
r Get IMEI { 0x66, 0x01, IMEI, 0x00}
s (ACD Readings)?(N6150 { 0x68 }
r (ACD Readings)?(N6150 { 0x68, ... }
s Get Product Profile
Settings { 0x6a}
r Get Product Profile
Settings { 0x6a, 4bytes with Product Profile Settings }
s Set Product Profile
Settings { 0x6b, 4bytes with Product Profile Settings }
r Set Product Profile
Settings OK ? { 0x6b }
s Get code { 0x6e, code }
where code: see 0x08/0x0004 (no allowed code !)
r Get code { 0x6e, code, allowed, allowed? (sec code (text)) }
where code: see 0x08/0x0004
allowed: 0: no
1: yes
? s Reset Permanent
? Counters (nm->test36) { 0x74, 0x01, 0x01, 0x0e }
? r Reset Permanent
? Counters (nm->test36) { 0x74 }
s Call commands { 0x7c, block }
where where: command, (values)
command: 0x01
values: number(ASCII), 0x00 - makes voice call
command: 0x02 - answer call
command: 0x03 - release call
r Call commands { 0x7c, command }
s Netmonitor { 0x7e, field }
where: field: 00: next
F0: reset
F1: off
F2: field test menus
F3: developer menus
s Get simlock info { 0x8a, 0x00}
r Get simlock info { 0x8a, 0x00, ... }
s Buzzer pitch { 0x8f, volume, hzLO, hzHI }
if volume and hz is 0, it's off
r Buzzer pitch { 0x8f}
s ACD Readings ? { 0x91, parameter?(0x02,0x03,0x04,0x05,0x07) }
r ACD Readings ? { 0x91, parameter?, value? }
? s ???(N6150) { 0x98, 0x00 }
? r ???(N6150) { 0x98, 0x00, 0x04 }
s Get bin ringtone { 0x9e, location }
where: location=0,1,etc.
r Get bin ringtone { 0x9e, location, error, contents... }
where location=0,1,etc.
error=0x0a, ringtone NOT available
0x00, OK
NOTE: N3310 seems to have different format of frame here
or this is firmware bug
s Set bin ringtone { 0xa0, location, 0x00, contenst... }
where: location=0,1,etc.
r Set bin ringtone { 0xa0, location, error }
where location=0,1,etc.
error=0x0a, ringtone NOT set
0x00, ringtone set OK
NOTE: N3310 seems to have different format of frame here
or this is firmware bug
s Get info about phone { 0xc8, 0x01 }
r Get info about phone { 0xc8, 0x01, 0x00, "V ", "firmware", 0x0a, "firmware date", 0x0a, "model", 0x0a, "(c) NMP.", 0x00 }
s Get MCU SW Checksum { 0xc8, 0x02 }
r Get MCU SW Checksum { 0xc8, 0x02, 0x00, checksum (4 bytes),0x00 }
s DPS External SW { 0xc7, 0x03 }
r DSP External SW { 0xc7, 0x03, 0x00, string,0x00 }
s Get HW { 0xc8, 0x05 }
r Get HW { 0xc8, 0x05, 0x00, HW version (4 bytes), 0x00 }
s Get "Made" Date { 0xc8, 0x05 }
r Get "Made" Date { 0xc8, 0x05, 0x00, date(4 bytes), 0x00 }
s Get DSP Internal SW { 0xc8, 0x09 }
r Get DSP Internal SW { 0xc8, 0x09, 0x00, version (1 bytes), 0x00 }
s Get PCI version { 0xc8, 0x0b }
r Get PCI version { 0xc8, 0x0b, 0x00, version, 0x00 }
s Get system ASIC { 0xc8, 0x0c }
r Get system ASIC { 0xc8, 0x0c, 0x00, string, 0x00 }
s Get COBBA { 0xc8, 0x0d }
r Get COBBA { 0xc8, 0x0d, 0x00, string, 0x00 }
s Get PLUSSA { 0xc8, 0x0e }
r Get PLUSSA { 0xc8, 0x0e, available, 0x00 }
where available: 0x01: not available
s Get CCONT { 0xc8, 0x0f }
r Get CCONT { 0xc8, 0x0f, available, 0x00 }
where available: 0x01: not available
s Get PPM version { 0xc8, 0x10 }
r Get PPM version { 0xc8, 0x10, 0x00, "V ", "firmware", 0x0a, "firmware date", 0x0a, "model", 0x0a, "(c) NMP.", 0x00 }
s Get PPM info { 0xc8, 0x12 }
r Get PPM info { 0xc8, 0x12, 0x00, PPM version ("B", "C", etc.), 0x00 }
s Set HW version { 0xc9, 0x05, version, 0x00 }
s Get Product Code { 0xca, 0x01 }
r Get Product Code { 0xca, 0x01, 0x00, number, 0x00 }
s Get Order Number { 0xca, 0x02 }
r Get Order Number { 0xca, 0x02, 0x00, string, 0x00 }
s Get Prod.Ser.Number { 0xca, 0x03 }
r Get Prod.Ser.Number { 0xca, 0x03, 0x00, number, 0x00 }
s Get Basic Prod.Code { 0xca, 0x04 }
r Get Basic Prod.Code { 0xca, 0x04, 0x00, number, 0x00 }
s Set Product Code { 0xcb, 0x01, product code, 0x00 }
s Set Order Number { 0xcb, 0x02, number, 0x00 }
s Set Prod.Ser.Number { 0xcb, 0x03, number, 0x00 }
s Get (original ?)IMEI { 0xcc, 0x01 }
r Get (original ?)IMEI { 0xcc, 0x01, IMEI, 0x00 }
s Get Manufacture Month { 0xcc, 0x02 }
r Get Manufacture Month { 0xcc, 0x02, 0x00, string, 0x00 }
s Get Purchare date { 0xcc, 0x04 }
r Get Purchare date { 0xcc, 0x04, 0x00, string, 0x00 }
s Set "Made" date { 0xcd, 0x02, string, 0x00 }
s Result of phone tests { 0xcf }
r Result of phone tests { 0xcf, 0xff, results of next tests }
? s ??? { 0xd1 }
? r ???(N5110) { 0xd1, 0x00, 0x1d, 0x00, 0x01, 0x08, 0x00 }
s LCD Test { 0xd3, value }
where value: 0x03, 0x02 - 1'st test
0x03, 0x01 - 2'nd test
0x02, 0x03 - clears screen
s ACD Readings(N6150)? { 0xd4, 0x02, 0x00, 0x02, 0x00, 0x0e, 0x01}
r ACD Readings(N6150)? { 0xd4, 0x02, 0x00, 0x02, 0x00, 0x0e, 0x01, ?}
r Function of { 0xff, 0x8c }
0x40 msgtype not
supported ?
0x78:
s Status confirm { 0x0201, 0x03 }
r Incoming call seq1 { 0x0102 0x0e 0x03 }
r Incoming call seq2 { 0x0102 0x7e 0x01 }
0x79:
s CarKit enable { 0x0201 0x01 0x62 0x00 }
r CarKit enabled { 0x0201 0x02 0x06 0x00 "V " {version} "\nHFU"
0x00 }
0x7a:
r Set startup logo { 0x01eb, 0x15, 0x00 }
s Set startup logo { 0x01ec, 0x15, 0x00, 0x00, 0x00, 0x04,
0xc0, 0x02, 0x00, height, 0xc0, 0x03, 0x00, width,
0xc0, 0x04, 0x03, 0x00, {bitmap} }
where width, height, {bitmap}: see 0x7a/0x01ed 0x15
r Get startup logo { 0x01ed, 0x15, 0x00, 0x00, 0x00, 0x00, 0x04,
0xc0, 0x02, 0x00, height, 0xc0, 0x03, 0x00, width,
0xc0, 0x04, 0x03, 0x00, {bitmap} }
where height: 60 (0x3c) or 65
width: 96 (0x60)
{bitmap}: like other bitmaps but pixels
placed vertically.
r Get security code { 0x01ed, 0x1c, 0x00, {code(ascii)}, 0x00 }
s Get startup logo { 0x01ee, 0x15,
s Get security code { 0x01ee, 0x1c }
0x7f: Acknowledge(FBUS/IRDA){+type, seq }
Acknowledge(MBUS)...
0xd0:
s Power on message seq1 {+04 }
r Power on message seq1 {+05 }
0xd1:
s Get HW&SW version { 0x0003, 0x00 }
0xd2:
r Get HW&SW version { 0x0003 "V " "firmware\n" "firmware date\n"
"model\n" "(c) NMP." }
0xf4: Power on message seq 2
-------------------------------------------------------------------------------
TDMA NOKIA 5120 / 5160 / 6120 / 6160
TDMA phones support simultaneously both MBUS protocols,
the old one (version1) and the new (version2). Both protocols can be used
at the same time on the MBUS. The phone will decode both and react accordingly.
Correct format is MBUS version 1:
List:
0x17:
s Release key {+0x00, keynum }
s Press key {+0x01, keynum }
0x19:
0xe9:
s Start connection {+0x01 0x01 0x1c 0x01 0x1c}
(3Com cell modem card)Note: this is message with SrcDEV = 0xf8 !
ACK frame for it is (DestDEV = 0xf8 too) 0x1c, 0x01, 0x1c
s Start connection {+0x00 0x02 0x1d 0x00 0x1d}
Note: this is message with SrcDEV = 0xf8 !
Other frames from 3Com cell modem card:
unknown purpose : 00 E0 00 1D SQ CS
probably request
Alive response from cellmodem
UC_RESERVE_REQ: 00 E0 05 19 00 00 01 01 00 SQ CS
register system state info presentation
UC_RESERVE_REQ: E0 00 01 CD 01 SQ CS
phone tries to register some info from cellmodem
Dialing as cellmodem forces the phone into analoge AMPS mode,
answering a call as cellmodem answers in AMPS mode
This allows transparent transmission of the analoge modem tones since
digital TDMA won't transmit them transparently.
It also switches audio to the XEAR , XMIC pins automatically.
LN_ALIVE_REQ: E0 00 00 1E SQ CS
checks if cellmodem is still present (sent 1 /sec.)
SYS_STATE_IND: FF 02 07 CA 1C Con 02 01 0E 0F 00 SQ CS
sytems state information
Con holds the connection state
00 = idle
01 = ringing
02 = connecting
03 = talk
04 = ringing / alternating with 01
the destignation is the Global object and the source
is subaddress 02 of the Nokia phone.
Correct format is MBUS version 2:
List:
0x40:
s Read phonebook(2way) {+0x00, 0x00, 0x07, 0x11, 0x00, 0x10, 0x00, location }
Note: works also on CDMA 6185
s Read phonebook(1way) { 0x1F, 0x01, 0x04, 0x86, location }
s Write phonebook { 0x1f, 0x01, 0x04, 0x87, number, 0x00, name, 0x00 }
s Enable extended cmds { 0x64, cmd }
where cmd: 0x00: off
0x01: on
0x03: reset (doesn't ask for PIN again)
0x04: reset (PIN is requested)
In 5110 makes reset without PIN
0x06: CONTACT SERVICE!!! Don't try it!
0xd1:
s Registration request? {+0x00, 0xF8, 0x05, 0xE9, 0x00, 0x02, 0x1D, 0x00, 0x1D}
s Get HW&SW version { 0x0003, 0x00 }
s Get phone version? { 0x000D, 0x00, 0x00, 0x02}
s ??? { 0x47, 0x00, 0x00}
s ??? { 0x47, 0x00, 0x05}
s Key release(1way) { 0x50, 0x00, 0x00, KEY }
s Key press { 0x50, 0x00, 0x01, KEY }
dials in digital TDMA default mode ?
s Key release(2way) { 0x51, 0x00, 0x01, KEY }
0xd2:
r Get HW&SW version { 0x0003 "V " "firmware\n" "firmware date\n"
"model\n" "(c) NMP." }
r Get phone version { 0x000D, "V " "firmware\n" "firmware date\n" }
r Key press {+0x01, 0x00, 0x50, 0x00}
r ??? {+0x01, 0x00, 0x47, 0x00}
-------------------------------------------------------------------------------
Nokia 6185:
Correct format is MBUS version 2:
List:
0x40:
s Read phonebook {+0x00, 0x00, 0x07, 0x11, 0x00, 0x10, 0x00, location }
0xd1:
? s Registration request? {+0x00, 0xF8, 0x05, 0xE9, 0x00, 0x02, 0x1D, 0x00, 0x1D}
s Get HW&SW version { 0x0003, 0x00 }
? s Get phone version? { 0x000D, 0x00, 0x00, 0x02}
? s ??? { 0x47, 0x00, 0x00}
? s ??? { 0x47, 0x00, 0x05}
s Press key { 0x51, 0x00, 0x01, KEY }
dials in digital CDMA default mode?
s Key release { 0x52, 0x00, 0x01, KEY }
0xd2:
r Get HW&SW version { 0x0003 "V " "firmware\n" "firmware date\n"
"model\n" "(c) NMP." }
? r Get phone version { 0x000D, "V " "firmware\n" "firmware date\n"}
? r ??? {+0x01, 0x00, 0x47, 0x00}
-------------------------------------------------------------------------------
Misc (about MBUS version 2):
0x4E commands:
(sent from a 5160i TDMA / 6160i TDMA / 6185 CDMA or 7110 GSM
phone to the uC in the DLR-3 cable)
DLR-3 req:
1F 48 00 4E 00 02 01 XX SQ CS
frame sent from the phone to the DLR-3 cable
(after 15kOhm resistor detected betw. XMIC (3) and DGND (9).)
DSR,DCD,CTS flow control data is coded into the 2nd databyte
XX: bit.0=/CTS
bit.1=/DCD
bit.2=CMD/DATA
bit.3=DSR
bit.4-7=0
0x78 / 0x79 commands:
(used by handsfree carkit) Works also on GSM phones (5110 / 6110 / etc)
These commands are used by the Nokia Carkits to switch the phone audio path to
XMiC and XEAR , turn the phone on/off according to the car ignition, and
control the PA loudspeaker amplifier in the carkit and the car radio mute
output which silences the car radio during a call
mute status tone:
1F 04 00 78 00 04 01 02 0E 00 SQ CS
status indication = disable carkit audio amplifier (no audio / no tone)
mute status tone:
1F 04 00 78 00 04 01 02 0E 03 SQ CS
status indication = enable carkit audio amplifier (audio / tone present)
mute status call:
1F 04 00 78 00 04 01 02 07 00 SQ CS
status indication = disable radio mute output (no call)
mute status call:
1F 04 00 78 00 04 01 02 07 01 SQ CS
status indication = enable radio mute output (call active)
enable ???:
1F 04 00 78 00 04 01 02 08 01 SQ CS
status indication = enable ??? sent to HFU-2 on power on
byte 9 (07,08,0E) seems to be a pointer to a memory location,
byte 10 is the data at this memeory location.
response from HFU:
1F 00 04 78 00 03 02 01 03 SQ CS
response message from HFU-2 (use unknown)
go HF and IGN on:
1F 00 04 79 00 05 02 01 01 63 00 SQ CS
enables carkit mode + turns phone on + req. mute status
go HF and IGN off:
1F 00 04 79 00 05 02 01 01 61 00 SQ CS
enables carkit mode + powers phone off (1 min delay) + req. mute status