Packet anatomy:

[payload+0] command
    0x00...0x67 : see frame_d1_call_table below

[payload+1] return type
    0x00     [1b] command [1b] this value
    0x01     [1b] command [1b] this value [1b] byte R0
    0x02     [1b] command [1b] this value [2b] halfword R0
    0x03     [1b] command [1b] this value [string] R0
    0x04...  sized data block @ R0
             [1b] command [1b] this value [data block] R0

[payload+2] parameter type
    0x00  just call
    0x01  R0 byte [data+0]
    0x02  R0 halfword [data+0]
    0x03  just call
    0x04  R0 byte [data+0], R1 byte [data+1]
    0x05  R0 byte [data+0], R1 halfword [data+1]
    0x06  R0 byte [data+0], R1 data pointer @ data+1
    0x07  R0 halfword [data+0], R1 byte [data+2]
    0x08  R0 halfword [data+0], R1 byte [data+2], R2 byte [data+3]
    0x09  R0 halfword [data+0], R1 data pointer @ data+2
    0x0A  R0 AsciiZ string [data+0], R1 byte [data+strlen(R0)+1]
    0x0B  R0 AsciiZ string [data+0], R1 halfword [data+strlen(R0)+1]
    0x0C  R0 AsciiZ string [data+0], R1 data pointer @ data+strlen(R0)+1

[payload+3] data

frame_d1_call_table: (addresses are for 3310 firmware 5.87)
    0x00  version_read+1
    0x01  io_write+1
    0x02  io_read+1
    0x03  fiq8_clear_flags+1
    0x04  mcu_reset_dsp+1
    0x05  pwron_get_reason+1
    0x06  devio_read_keymatrix+1 ; silence?
    0x07  init_keypad+1
    0x08  reset_counter_get+1
    0x09  handle_fiq+1
    0x0a  handle_irq+1
    0x0b  devio_update_screen+1
    0x0c  screen_clear+1
    0x0d  in_flash_range+1
    0x0e  loc_2EF5EC+1
    0x0f  loc_2E41AC+1
    0x10  loc_2E40FA+1
    0x11  init_os_2+1
    0x12  service_IRQ_6+1
    0x13  service_IRQ_5+1
    0x14  screen_off+1
    0x15  write_cobba_1+1
    0x16  msnd_irda_send+1
    0x17  mdircv_enable+1
    0x18  dsp_write_command+1
    0x19  ad_read+1
    0x1a  devio_send_1b+1 (sw reboot)
    0x1b  get_sw_reboot_reason+1
    0x1c  playtone+1
    0x1d  ccont_write+1
    0x1e  ccont_read+1
    0x1f  eeprom_write+1
    0x20  eeprom_read+1
    0x21  enter_lock_5+1
    0x22  terminate+1
    0x23  ccont_iets+1
    0x24  clock_raarheid+1 (does nothing)
    0x25  error_fatal+1
    0x26  ccont_0702_onoff+1
    0x27  ccont_0702_enable+1
    0x28  rtc_read_seconds+1
    0x29  rtc_set_alarm+1
    0x2a  rtc_read_alarm+1
    0x2b  rtc_set_alarm2+1
    0x2c  ccont_read_11f0+1
    0x2d  ccont_write_11f0+1
    0x2e  ccont_write_0fff+1
    0x2f  ccont_read_0fff+1
    0x30  ccont_clear_8c3f+1
    0x31  vibro_inner+1
    0x32  0
    0x33  tone_set_unk+1
    0x34  sub_2AE094+1
    0x35  sub_2AE0AC+1
    0x36  sub_2AE0FC+1
    0x37  sub_2AE124+1
    0x38  sub_2AE0CC+1
    0x39  sub_2AE0E4+1
    0x3a  sub_2AE4D4+1
    0x3b  sub_2AE4F0+1
    0x3c  sub_2AE458+1
    0x3d  sub_2AE4A8+1
    0x3e  tone_play+1
    0x3f  tone_play_2+1 (makes no sound?)
    0x40  tone_silence+1
    0x41  loc_2ADD96+1
    0x42  0
    0x43  devio_send_06+1 (reboot)
    0x44  devio_get_key+1
    0x45  sub_29DA3A+1
    0x46  key_pressed+1
    0x47  key_released+1
    0x48  gsm_get_channel+1
    0x49  0
    0x4a  loc_2D1870+1 (crappy beep)
    0x4b  0
    0x4c  0
    0x4d  0
    0x4e  0
    0x4f  0
    0x50  init_rm_data+1
    0x51  sub_2D744A+1 (something with RM)
    0x52  sub_2D741E+1
    0x53  sub_2D740A+1
    0x54  ad_read_calc_7+1
    0x55  ad_read_calc_5+1
    0x56  sub_2D73C8+1
    0x57  sub_2D713A+1
    0x58  sub_2D7038+1
    0x59  loc_2D7500+1
    0x5a  rm_send_43+1
    0x5b  rm_send_44+1
    0x5c  sub_2D754A+1
    0x5d  sub_2D75E0+1
    0x5e  sub_2D7554+1
    0x5f  rm_get_voltage+1
    0x60  sub_2D75AC+1
    0x61  loc_2D759A+1
    0x62  battery_get_strength+1
    0x63  loc_2D75DC+1
    0x64  0
    0x65  0
    0x66  port20024_read_bit1_2+1
    0x67  0
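
A decoder for the payload layout above, useful when annotating captured frames. This is an added example, not code from this site; the function and table names are hypothetical, and the big-endian halfword order is an assumption because the page does not state the byte order.

```python
# Added example: decoder for the payload layout listed above (not the site's code).
# Assumption: halfwords are big-endian; pass byteorder="little" if that is wrong.

# Per parameter type, how R0, R1, R2 are read in order from [payload+3...]:
# b = byte, h = halfword, s = AsciiZ string, p = pointer to the remaining data.
PARAM_LAYOUTS = {
    0x00: "", 0x01: "b", 0x02: "h", 0x03: "", 0x04: "bb", 0x05: "bh", 0x06: "bp",
    0x07: "hb", 0x08: "hbb", 0x09: "hp", 0x0A: "sb", 0x0B: "sh", 0x0C: "sp",
}
RETURN_TYPES = {0x00: "no R0 value", 0x01: "byte R0",
                0x02: "halfword R0", 0x03: "string R0"}
# Commands whose frame_d1_call_table entry is 0 in the listing above.
NULL_COMMANDS = {0x32, 0x42, 0x49, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x64, 0x65, 0x67}


def decode_d1_payload(payload, byteorder="big"):
    """Split a frame payload into command, return type and register arguments."""
    if len(payload) < 3:
        raise ValueError("payload shorter than command/return/parameter header")
    command, ret_type, param_type = payload[0], payload[1], payload[2]
    if command > 0x67:
        raise ValueError(f"command 0x{command:02x} is outside the call table")
    if param_type not in PARAM_LAYOUTS:
        raise ValueError(f"unknown parameter type 0x{param_type:02x}")
    data, off, regs = payload[3:], 0, []
    for kind in PARAM_LAYOUTS[param_type]:
        if kind == "s":                      # AsciiZ: up to, excluding, the NUL
            end = data.find(b"\x00", off)
            if end < 0:
                raise ValueError("AsciiZ string is not terminated")
            regs.append(data[off:end])
            off = end + 1
        elif kind == "p":                    # pointer: everything that is left
            regs.append(data[off:])
            off = len(data)
        else:                                # byte or halfword
            size = 1 if kind == "b" else 2
            if off + size > len(data):
                raise ValueError("data too short for parameter type")
            regs.append(int.from_bytes(data[off:off + size], byteorder))
            off += size
    return {"command": command, "null_entry": command in NULL_COMMANDS,
            "returns": RETURN_TYPES.get(ret_type, "sized data block @ R0"),
            "regs": regs}                    # [R0, R1, R2] as far as used


# Constructed sample bytes; they only illustrate parameter type 0x07 and do not
# reflect the real arguments of any function in the table.
SAMPLE = bytes([0x1E, 0x01, 0x07, 0x01, 0x23, 0x05])
```

`decode_d1_payload(SAMPLE)` yields command 0x1e with R0 = 0x0123 and R1 = 5; the `null_entry` flag marks frames that name one of the table's empty slots.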
Last updated: 2005-02-21 14:19
This site is the result of a great deal of assembly code reading, research, countless (mostly futile) searches for data sheets, cross-referencing and analysing. If you use this information in any way please mention wumpus <blacksphere@goliath.darktech.org> (and others in the credits section) in the credits of your program/document. And tell me :) If you have more information please contribute. If you just copy this, stick your name on it and call it yours I hope you get your genitals bitten off by a three headed monkey. Have a nice day.
No mobile phones were harmed in the production of this site.