
Debug tracing

N*kia used a simple remote logging facility for debugging their DCT3 firmwares remotely, but forgot(?) to remove this when going into production. Hence, you can enable it with a simple *BUS command.

With debug tracing, you can trace the execution of the firmware almost everywhere, providing enormous amounts of information to the reverse engineer.

Enabling Debug Trace Mode

Warning: Enabling all debug type bits makes the phone extremely slow, and creates a flood of packets that makes *BUS communication impossible until a hard reset (remove battery and charger).

Gammu style (payload starts with destination subsystem byte):

/* debug enable packet */
unsigned char reqEnable[] = {
  0x00, 0x01, 0x70,
  /* Debug type bits: type "bit" is enabled when
     byte[bit>>3] & (1<<(7-(bit&7))) is set (bit 0 is the MSB of byte 0)
  */
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x00 */
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x40 */
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x80 */
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0xC0 */
  /* Debug verbose bits, same layout:
     byte[bit>>3] & (1<<(7-(bit&7)))
  */
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x00 */
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x40 */
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x80 */
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0xC0 */
};

/* bit is the debug trace type in 0x00..0xFF, verbose is 1 (on) or 0 (off).
   The type map starts at payload offset 3, the verbose map 32 bytes after it.
   Wrapped in do { } while (0) so the macro is safe after an unbraced if. */
#define ENABLE_BIT(bit,verbose) do { \
    reqEnable[3 + ((bit)>>3)] |= 1<<(7-((bit)&7)); \
    if (verbose) { reqEnable[3 + 32 + ((bit)>>3)] |= 1<<(7-((bit)&7)); } \
  } while (0)
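As an added example (not code from the page or from Gammu), the same bitmap logic written as functions over a payload buffer instead of a global array, so a host tool can both set bits and read back which types it has enabled before sending the packet. Everything below follows the layout stated above (3 header bytes, 32-byte type map, 32-byte verbose map, MSB-first bit order); the type numbers 0x00 and 0x4A used in the sample are arbitrary picks, not types documented anywhere on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout of the Gammu-style enable payload as described on this page:
   3 header bytes, a 32-byte "type" bitmap, then a 32-byte "verbose" bitmap.
   Bit numbering inside each bitmap is MSB-first: byte[bit>>3] & (1<<(7-(bit&7))). */
#define DBG_HDR_LEN      3
#define DBG_BITMAP_LEN   32
#define DBG_TYPE_OFF     (DBG_HDR_LEN)
#define DBG_VERBOSE_OFF  (DBG_HDR_LEN + DBG_BITMAP_LEN)
#define DBG_ENABLE_LEN   (DBG_HDR_LEN + 2 * DBG_BITMAP_LEN)

/* Start from an all-zero map with the header bytes shown above (0x00 0x01 0x70). */
void dbg_enable_init(uint8_t pkt[DBG_ENABLE_LEN]) {
    memset(pkt, 0, DBG_ENABLE_LEN);
    pkt[0] = 0x00; pkt[1] = 0x01; pkt[2] = 0x70;
}

/* Set the bit for one trace type; verbose != 0 also sets its verbose bit. */
void dbg_enable_type(uint8_t pkt[DBG_ENABLE_LEN], uint8_t type, int verbose) {
    uint8_t mask = (uint8_t)(1u << (7 - (type & 7)));
    pkt[DBG_TYPE_OFF + (type >> 3)] |= mask;
    if (verbose)
        pkt[DBG_VERBOSE_OFF + (type >> 3)] |= mask;
}

/* Read-back helpers: the same test the firmware applies to decide whether
   to emit a trace packet for a given type. */
int dbg_type_enabled(const uint8_t pkt[DBG_ENABLE_LEN], uint8_t type) {
    return (pkt[DBG_TYPE_OFF + (type >> 3)] >> (7 - (type & 7))) & 1;
}
int dbg_type_verbose(const uint8_t pkt[DBG_ENABLE_LEN], uint8_t type) {
    return (pkt[DBG_VERBOSE_OFF + (type >> 3)] >> (7 - (type & 7))) & 1;
}

/* Number of enabled types: a cheap guard before sending, given the warning
   above that enabling everything floods the bus until a hard reset. */
int dbg_enabled_count(const uint8_t pkt[DBG_ENABLE_LEN]) {
    int n = 0;
    for (int t = 0; t < 256; t++) n += dbg_type_enabled(pkt, (uint8_t)t);
    return n;
}

/* Build a sample packet: type 0x00 non-verbose, type 0x4A verbose
   (both hypothetical picks, chosen only to exercise two different bytes). */
void dbg_build_example(uint8_t pkt[DBG_ENABLE_LEN]) {
    dbg_enable_init(pkt);
    dbg_enable_type(pkt, 0x00, 0);
    dbg_enable_type(pkt, 0x4A, 1);
}

/* Returns one byte of the sample packet, or -1 when idx is out of range. */
int dbg_example_byte(size_t idx) {
    uint8_t pkt[DBG_ENABLE_LEN];
    dbg_build_example(pkt);
    return idx < DBG_ENABLE_LEN ? pkt[idx] : -1;
}

int dbg_example_count(void) {
    uint8_t pkt[DBG_ENABLE_LEN];
    dbg_build_example(pkt);
    return dbg_enabled_count(pkt);
}

int main(void) {
    uint8_t pkt[DBG_ENABLE_LEN];
    dbg_build_example(pkt);
    printf("enabled types: %d\n", dbg_enabled_count(pkt));
    for (size_t i = 0; i < DBG_ENABLE_LEN; i++)
        printf("%02X%s", pkt[i], (i % 16 == 15) ? "\n" : " ");
    printf("\n");
    return 0;
}
```

Type 0x4A is 74, so it lands in byte 9 of each map (74 >> 3) with mask 1 << (7 - 2) = 0x20: payload byte 3 + 9 = 12 in the type map and 3 + 32 + 9 = 44 in the verbose map. Type 0x00 sets the MSB of the first map byte (payload byte 3) and nothing in the verbose map.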

Disabling Debug Trace Mode

Disables all debug tracing and returns phone to normal mode.

Gammu style (payload starts with destination subsystem byte):

/* debug disable packet */
unsigned char reqDisable[] = {0x01, 0x01, 0x71};

Debug packet anatomy

Debug packets are sent to the origin of the debug enable packet. Do not acknowledge debug packets: an acknowledgement is not needed, and it causes a feedback loop, since the FBUS code that processes the ack is itself traced (debugging FBUS code :-).

Only debug packets whose types are enabled in the map (ENABLE_BIT) are sent to the host. Whether a packet carries the full set of debug parameters depends on the verbose bit for that type.

Packet type 0x00
Packet payload:
0x00 (1b) Debug type 
0x01 (1b) Debug subtype
0x02 (2b) timestamp
0x04 (1b) debug seq nr
0x05 (1b) length of debug packet
0x06 .... Optional debug parameters, depending on type and subtype
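As an added example (not code from the page), a host-side decoder for the payload layout just listed, with the bounds checks a trace logger needs when it reads from a serial line: a payload shorter than the 6-byte header is rejected, and a length byte that claims more parameter bytes than were received is rejected instead of being trusted. Two assumptions are labelled in the code: the timestamp is read big-endian (FBUS is big-endian elsewhere, but this page does not say), and the length byte is taken to count the parameter bytes after it. The sample payloads are constructed, not captured from a phone.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fixed header of a type-0x00 debug packet payload, per the layout above. */
#define DBG_PKT_HDR_LEN 6

struct dbg_trace {
    uint8_t  type;        /* 0x00: debug type */
    uint8_t  subtype;     /* 0x01: debug subtype */
    uint16_t timestamp;   /* 0x02..0x03: assumed big-endian (not stated on the page) */
    uint8_t  seq;         /* 0x04: debug sequence number */
    uint8_t  len;         /* 0x05: length byte */
    const uint8_t *params; /* 0x06...: optional parameters */
    size_t   params_len;
};

/* Returns 0 on success, -1 if the payload is shorter than the header,
   -2 if the length byte claims more parameter bytes than were received.
   Assumption: the length byte counts the parameter bytes that follow it. */
int dbg_parse(const uint8_t *buf, size_t n, struct dbg_trace *out) {
    if (n < DBG_PKT_HDR_LEN) return -1;
    out->type      = buf[0];
    out->subtype   = buf[1];
    out->timestamp = (uint16_t)((buf[2] << 8) | buf[3]);
    out->seq       = buf[4];
    out->len       = buf[5];
    if ((size_t)out->len > n - DBG_PKT_HDR_LEN) return -2;
    out->params     = buf + DBG_PKT_HDR_LEN;
    out->params_len = out->len;
    return 0;
}

/* How many packets were lost between two consecutive sequence numbers
   (0 when nothing was lost), wrapping at 256. Handy for spotting drops
   when too many trace types are enabled. */
int dbg_seq_gap(uint8_t prev, uint8_t cur) {
    return (int)(uint8_t)(cur - prev - 1);
}

/* Constructed sample: type 0x00, subtype 0x01, timestamp 0x1234, seq 7,
   three parameter bytes. */
static const uint8_t sample[] = {
    0x00, 0x01, 0x12, 0x34, 0x07, 0x03, 0xAA, 0xBB, 0xCC
};
/* Constructed sample whose length byte (5) exceeds the one byte actually present. */
static const uint8_t truncated[] = { 0x00, 0x01, 0x12, 0x34, 0x08, 0x05, 0xAA };

struct dbg_trace g_sample_parsed;

int dbg_parse_sample(void) {
    return dbg_parse(sample, sizeof sample, &g_sample_parsed);
}
int dbg_parse_truncated(void) {
    struct dbg_trace t;
    return dbg_parse(truncated, sizeof truncated, &t);
}
int dbg_parse_short(void) {
    struct dbg_trace t;
    return dbg_parse(sample, 4, &t);   /* only 4 of the 6 header bytes */
}

int main(void) {
    if (dbg_parse_sample() == 0) {
        const struct dbg_trace *t = &g_sample_parsed;
        printf("type %02X sub %02X ts %04X seq %u params:", t->type, t->subtype,
               t->timestamp, t->seq);
        for (size_t i = 0; i < t->params_len; i++) printf(" %02X", t->params[i]);
        printf("\n");
    }
    printf("truncated -> %d, short -> %d, gap(7,10) -> %d, gap(255,0) -> %d\n",
           dbg_parse_truncated(), dbg_parse_short(),
           dbg_seq_gap(7, 10), dbg_seq_gap(255, 0));
    return 0;
}
```

The seq gap is computed modulo 256 so the 255 to 0 wrap reports no loss, while 7 to 10 reports two missing packets.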

Debug packet types

There are a lot of different debug statements, identified by the Debug type and Debug subtype. Some of them are listed here.

Last updated: 2005-02-21 14:19

This site is the result of a great deal of assembly code reading, research, countless (mostly futile) searches for data sheets, cross-referencing and analysing. If you use this information in any way please mention wumpus <blacksphere@goliath.darktech.org> (and others in the credits section) in the credits of your program/document. And tell me :) If you have more information please contribute. If you just copy this, stick your name on it and call it yours I hope you get your genitals bitten off by a three headed monkey. Have a nice day.

No mobile phones were harmed in the production of this site.