Project Blacksphere Intro Hardware Nokia OS FBUS Pkt types (auto) Pkt types (ddi) Pkt types (local) Service (0x40) Pkt types (special) Debug tracing Tasks Software Glossary of Terms Todo Credits Forum Guestbook

Service (0x40)

The various subtypes of packet type 0x40 are:
Type Size Description
01 Unk. msg_loc_dsp_mem_read
02 Unk. msg_loc_dsp_mem_write
03 Unk. msg_loc_bit_write
04 Unk. msg_loc_dsp_test_mode +0 1b 0x10/0x00
05 Unk. msg_loc_rx_calibration
07 Unk. msg_loc_frame_set
08 Unk. msg_loc_frame_set_stop
09 Unk. msg_loc_ext_audio_loop
0C Unk. msg_loc_read_rx_burst
0F Unk. msg_loc_rssi_read
19 Unk. pcic_rx_filter_calibrate RX Filter Calbration (manual/automatic)
1A Unk. pcic_rx_am_supression RX AM Supression (manual/automatic)
64 Unk. msg_loc_ms_mode Extended commands enable
0x01 enable extended commands
0x02 enable service mode
0x03 reset phone
65 Unk. msg_loc_factory_set Reset phone settings
66 Unk. msg_loc_serial_number_read Get IMEI
68 Unk. msg_loc_adconv_read Read all 8 A/D converters
6A Unk. msg_loc_pp_read Get product profile
6B Unk. msg_loc_pp_write Set product profile
6E Unk. msg_loc_ui_code_read Read security code
6F Unk. msg_loc_ui_code_write Write security code
70 Unk. msg_loc_event_trace_activate Event tracing (called debug tracing on this site) is enabled by this command. See the Debug Tracing section.
71 Unk. msg_loc_event_trace_deactivate Debug tracing is disabled again with this command.
72 Unk. SIM read 0x1B IMSI read
0x1C SIM ID read
73 Unk. msg_loc_get_PPC_data_counts +0x00 1b 0x03
74 Unk. msg_loc_reset_PPC_counters +0x00 1b 0x03
75 Unk. msg_loc_set_PPC_counters +0x00 1b 0x03 [Ignored]
76 Unk. MDI send
77 Unk. msg_loc_rf_rx_control
78 Unk. msg_loc_rf_tx_control
79 Unk. msg_loc_rf_tx_pwr_set
7A Unk. msg_loc_ad_ref_write
7C Unk. msg_loc_call Dial commands 0x01 Dial voice 0x02 Answer call 0x03 Cancel call
7D Unk. msg_loc_display_contrast
7E Unk. msg_loc_ft_display_read a.k.a. Netmonitor Display Read
7F Unk. msg_loc_tx_pwr_ramp_set
80 Unk. msg_loc_internal_aud_loop (1b param) 1/2/4/5/6/7/8
81 Unk. Open simlock
82 Unk. Set simlock info
84 Unk. msg_loc_ui_settings_write
85 Unk. msg_loc_ui_settings_read
86 Unk. msg_loc_ui_graph_disp_msg_write
87 Unk. msg_loc_ui_graph_disp_msg_read
88 Unk. msg_loc_nsps_read
89 Unk. msg_loc_nsps_write
8A Unk. msg_loc_sim_lock_state_read
8B Unk. msg_loc_plmn_name_write
8C Unk. msg_loc_plmn_name_read
8D Unk. msg_loc_cs_status_get Channel select status get (return 1b)
0x8C Idle
0x94 In Call
8E Unk. msg_loc_charging_state Charge control:
0x00 stop charging
0x01 enable charging?
0x02 discharge accu
0x03 ?
0x04 ?
8F Unk. msg_loc_buzzer_test Play tone 1b Volume 2b Frequency (Hz)
91 Unk. msg_loc_ad_scaled_value_read Get scaled A/D converter value (1b id)
92 Unk. msg_loc_sleep
93 Unk. msg_loc_ad_ref_read
94 Unk. msg_loc_ir_test
95 Unk. msg_loc_pwm_write Set value of CCont register 0x01 (PWM/charging speed)
96 Unk. msg_loc_tx_iq_set Tunes the TX I and Q branch DC offset, amplitude difference and phase difference
1b param1 1b param2
Create 256 bytes and send to DSP
97 Unk. msg_loc_ad_value_read
98 Unk. msg_loc_band_select 0/1
9A Unk. msg_loc_auxout_write
9C Unk. msg_loc_cobba_txc_compensation
9E Unk. msg_loc_ringing_tone_read
A0 Unk. msg_loc_ringing_tone_write
A1 Unk. msg_loc_vibra_test
A2 Unk. msg_loc_sleep_clock_ratio_get Measure relative speed of sleep clock (_io[0x04],_io[0x05])
A3 Unk. msg_loc_vibra_control
A4 Unk. msg_loc_tx_compensation_control
A5 Unk. msg_loc_ota_data_read
A6 Unk. msg_loc_ota_data_write
AA Unk. msg_loc_ibi_write
AC Unk. Dump screen Copy screen image. Parameter: 1b 0..5 (blocks of 84 bytes)
AE Unk. msg_loc_t9_dictionary 0x00 msg_loc_t9_dictionary_param_read
0x01 msg_loc_t9_dictionary_param_write
0x02 msg_loc_t9_dictionary_package_read
0x03 msg_loc_t9_dictionary_package_write
0x04 msg_loc_t9_dictionary_size_read
AF Unk. msg_loc_cli_ringing_tone 0x00 msg_loc_cli_ringing_tone_package_read
0x01 msg_loc_cli_ringing_tone_package_write
0x02 msg_loc_cli_ringing_tone_size_read
B0 Unk. msg_loc_itc_control 0x01 lights
0x00 forced off
0x01 forced on
0x02 normal (turned on on keypress, disabled on timer)
0x02
0x00 stop sound
0x01 make sound
0x03 get sim card presence
0x04 keypad
B1 Unk. msg_loc_saw_filter_id
B4 Unk. sec_loc_sec_ms_id
B6 Unk. sec_loc_sec_ser_num_prg
B8 Unk. sec_loc_sec_flash_auth_id_prg
BA Unk. sec_loc_sec_sim_lock_prg
C8 Unk. msg_loc_version_read 0x02 get MCU checksum
0x03 get external DSP SW
0x09 get internal DSP SW
0x0C get ASIC
0x0D get Cobba
0x10 get MCU version
0x12 get language pack (TXT)
C9 Unk. msg_loc_version_write
CA Unk. msg_loc_prod_info_read 0x01 Get product code 0x02 Get order number 0x03 Get product serial number 0x04 Get basic product code
CB Unk. msg_loc_prod_info_write
CC Unk. msg_loc_warr_info_read 0x01 get original IMEI 0x02 get manufacture month 0x04 get purchase date
CD Unk. msg_loc_warr_info_write 0x01 Set original IMEI
CE Unk. msg_loc_self_test_run
CF Unk. msg_loc_self_test_result_read
D0 Unk. msg_loc_self_test_info
D1 Unk. msg_loc_self_test_preset_read
D2 Unk. msg_loc_self_test_preset_write
D3 Unk. msg_loc_ui_test
D4 Unk. msg_loc_memory_read Read EEPROM +0x09 1b Type
0x01 0x100..0x121 EEPROM
0x02 I/O (0x20008, 0x2002E)
0x03 0x100..0x121 ROM(read only)
0x05 EEPROM file 0xXXXXYYYY (X=file, Y=offset)
+0x0A 4b Address
+0x0E 1b Size (max 0x70)
D5 Unk. msg_loc_memory_write
E8 Unk. Same as C8

Last updated: 2005-02-21 14:19

This site is the result of a great deal of assembly code reading, research, countless (mostly futile) searches for data sheets, cross-referencing and analysing. If you use this information in any way please mention wumpus <blacksphere@goliath.darktech.org> (and others in the credits section) in the credits of your program/document. And tell me :) If you have more information please contribute. If you just copy this, stick your name on it and call it yours I hope you get your genitals bitten off by a three headed monkey. Have a nice day.

No mobile phones were harmed in the production of this site.