Sony-Ericsson M600i and Linux

Download

Latest version is m600i-20061210.tar.gz (11.41 KiB).

This is unfinished work - and will likely stay that way. If you want to transfer files, synchronize Calendar, ... the information provided herein is a first step, but not sufficient.

If you have more information, patches, or a complete solution, I'll happily add pointers to them here.

Setup

Linux 2.6.18 recognizes the M600i in phone mode as 3 USB ACM devices (/dev/ttyACM[0-2]). The first one can be used to communicate to the phone over ppp, similar to the method described by Rudolf Koenig [P3NFS].

For analysing the communication between the phone and the windows application, the follwing setup is used:

• VMWare Workstation 5.5.1 running Windows 2000, some version of the PC Communication software and on top of that a developer version of mrouter (Vers. 3.1.0.42, 06.10.2006) [MR] (that part is probably not necessary).
• Usbmon (as of 2.6.18 in-kernel) with increased data buffer length to 1024 bytes (drivers/usb/mon/mon_text.c: DATA_MAX and PRINTF_DFL). Yes, the binary interface would be better, but it's not there yet. Enable CONFIG_DEBUG_FS and CONFIG_USB_MON. Mount debugfs to e.g. /debug. Insmod usbmon. Now the USB traffic can be read from /debug/usbmon/*t.
• After connecting the phone and connecting it to the virtual USB controller in VMWare the communication can be saved in a trace file. As we know, these are PPP packets, so the trace has to be stripped from the USB junk and the IP-communication somehow extracted. This is done with usbmon2pppdump [U2P] which selects all binary data from the trace and creates a file in pppdump format that can be read by wireshark [WS].
• Wireshark's ppp protocol options must be set to 16-bit Checksum.

Development was done on Debian GNU/Linux 3.1 "Sarge". On a different system, the startup script might need some tweaking. You need at least perl, ppp, udev. And you have to adapt the paths to your environment: on my system, the scripts reside in ~/m600i.

Connection Phase 1: PPP

• /etc/ppp/peers/m600i:

  noauth user ppp crtscts lock local proxyarp passive
  ms-dns 169.254.1.68 ipcp-accept-local ipcp-accept-remote
  linkname M600i
  init "/home/ms/m600i/m600i.init 169.254.1.68"
  460800 /dev/M600i 169.254.1.68:169.254.1.7

  Linkname is just for easier reference, the init-script will be described later.

• /etc/udev/rules.d/m600i.rules:

  KERNEL=="ttyACM0", SYSFS{product}=="M600i", SYMLINK="M600i", RUN+="/usr/sbin/pppd call m600i"

With this configuration, the ppp link will be established after connecting the phone. A chat script, as with older devices, is apparently not necessary. Alas, the connection is closed after a few seconds by the phone. After the connection is closed, no new connection can be established. You have to dis- and reconnect the phone.

Nov 12 16:58:21 elrond kernel: usb 1-4.3: new full speed USB device using ohci_hcd and address 12
Nov 12 16:58:21 elrond kernel: usb 1-4.3: configuration #1 chosen from 1 choice
Nov 12 16:58:21 elrond kernel: cdc_acm 1-4.3:1.1: ttyACM0: USB ACM device
Nov 12 16:58:21 elrond kernel: cdc_acm 1-4.3:1.3: ttyACM1: USB ACM device
Nov 12 16:58:21 elrond kernel: cdc_acm 1-4.3:1.5: ttyACM2: USB ACM device
Nov 12 16:58:27 elrond pppd[18284]: pppd 2.4.4 started by root, uid 0
Nov 12 16:58:27 elrond pppd[18284]: Using interface ppp0
Nov 12 16:58:27 elrond pppd[18284]: Connect: ppp0 <--> /dev/ttyACM0
Nov 12 16:58:29 elrond pppd[18284]: local IP address 169.254.1.68
Nov 12 16:58:29 elrond pppd[18284]: remote IP address 169.254.1.7
Nov 12 16:59:00 elrond pppd[18284]: LCP terminated by peer
Nov 12 16:59:00 elrond pppd[18284]: Connect time 0.6 minutes.
Nov 12 16:59:00 elrond pppd[18284]: Sent 182 bytes, received 126 bytes.
Nov 12 16:59:03 elrond pppd[18284]: Connection terminated.
Nov 12 16:59:03 elrond pppd[18284]: Modem hangup

Connection Phase 2: DNS

Immediately after establishing the PPP link, the phone queries by DNS the address of 'wsockhost.mrouter':

16:58:29.846404 IP 169.254.1.1.57149 > 169.254.1.68.domain: 55553+ A? wsockhost.mrouter. (35)
16:58:29.908483 IP 169.254.1.68 > 169.254.1.1: ICMP 169.254.1.68 udp port domain unreachable, length 71
16:58:29.851334 IP 169.254.1.1.57149 > 169.254.1.68.domain: 40091+ AAAA? wsockhost.mrouter. (35)
16:58:29.851342 IP 169.254.1.68 > 169.254.1.1: ICMP 169.254.1.68 udp port domain unreachable, length 71

If there's already a DNS server running on your system, you could configure it to hand out a matching address. mrouterdnsd [DNS] does the same, but doesn't run all the time.

My first try was to run it from /etc/ppp/ip-up.d so it can bind to the right interface. Unfortunately, the phone is sometimes too fast and sends out queries before the daemon is started. Therefore, it is now started with an init-script:

#!/bin/sh
# doing this in .ip-up would be nice (with matching if), but that's too slow
# the deamons are started too late to catch the M600i's queries - and it is
# very quick with disconnecting the link if it gets no answers
/home/ms/m600i/mrouterdnsd --bind=0.0.0.0 --mrouter=$1 --log=/tmp/m600i-mrouterdnsd.log
/home/ms/m600i/mrouter3004 --bind=0.0.0.0 --log=/tmp/m600i-mrouter3004.log

Here you can also see the next phase: port 3004

Connection Phase 3: Port 3004

The phone tries to connect to port 3004 on the host it got in phase2. If it cannot do that, the connection is closed.

First thing is a 4-byte exchange:

Phone -> PC: 00 00 02 00
Phone <- PC: 20 00 02 00

Then, the phone sends some strings in a tagged format:

The list ends with the tag 0x00000000, a length of 0x00000000 and a final 0x0a. The data are strings in UTF-16LE.

I have found these tags:

As long as this connection is not closed, the PPP link stays established. mrouter3004 [3004] implements this protocol.

After unplugging the phone, the running daemons must be stopped, which is done by an ip-down-script:

#!/bin/sh
if [ "$LINKNAME" != "M600i" ]; then exit 0; fi
/home/ms/m600i/mrouter3004 TERM
/home/ms/m600i/mrouterdnsd TERM

Connection Phase 4: Port 3923

The PC application connects the phone on port 3923/tcp (registered at IANA as symb-sb-port: 'Symbian Service Broker'). Besides querying for (at least) version and IMEI, the available services and the ports they are running at can be found there.

Every exchange starts with a 4-byte command, followed by a two-byte length and data:

The phone answers generally with the same command word, but with the second byte set to 0x01. If there was an error, the first byte is apparently set to 0xff.

In some cases, there are strings in UTF-16LE format with a two-byte length header exchanged. In contrast to above, this length is in double-bytes:

I have identified the following commands (data part is shown without the length header):

This protocol is implemented in symb-sb [SB]

SyncML

The phone provices the SyncML service 'com.symbian.syncmlinit'. By sending the right command the phone will connect an SyncML HTTP server.

symb-syncml [SML] mimicks the message of the windows software, but I'm not really sure yet how to proceed from there.

Setting the time

http://plptools.sourceforge.net/plp.html NCP_SET_TIME gives a hint on the command structure: the time is encoded in 8 bytes specified as the number of micro-seconds since 00:00 on 1st January 1 in the home time zone, followed by what might be a country code (in my case 0x31 = 49, the prefix for Germany).

Other stuff

MidpSSH[SSH] SSH client. At one point I had this running over USB (I configured a new internet account without phone number) - but I can't get it to work any more. Perhaps http://gnubox.dnsalias.org/gnubox/ can help.

http://symbianos.org/~malm/SymbianLinuxHowTo.html

References

Interne links sind grün, externe links, die nicht unter meiner Kontrolle stehen, sind zusätzlich gestrichelt unterstrichen. Mallorn CA Zertifikat.

Copyright 2002-2021 Michael Stürmer · <ms@www.mallorn.de> · letzte Änderung am  8.02.2021 20:39.