Service provider: Michael Stürmer · <ms@www.mallorn.de>

Sony-Ericsson M600i and Linux

Download

Latest version is m600i-20061210.tar.gz (11.41 KiB).

This is unfinished work - and will likely stay that way. If you want to transfer files, synchronize Calendar, ... the information provided herein is a first step, but not sufficient.

If you have more information, patches, or a complete solution, I'll happily add pointers to them here.

Setup

Linux 2.6.18 recognizes the M600i in phone mode as 3 USB ACM devices (/dev/ttyACM[0-2]). The first one can be used to communicate with the phone over PPP, similar to the method described by Rudolf Koenig [P3NFS].

For analysing the communication between the phone and the Windows application, the following setup is used:

Development was done on Debian GNU/Linux 3.1 "Sarge". On a different system, the startup script might need some tweaking. You need at least perl, ppp, udev. And you have to adapt the paths to your environment: on my system, the scripts reside in ~/m600i.

Connection Phase 1: PPP

With this configuration, the PPP link will be established after connecting the phone. A chat script, as with older devices, is apparently not necessary. Alas, the connection is closed after a few seconds by the phone. After the connection is closed, no new connection can be established. You have to disconnect and reconnect the phone.

Nov 12 16:58:21 elrond kernel: usb 1-4.3: new full speed USB device using ohci_hcd and address 12
Nov 12 16:58:21 elrond kernel: usb 1-4.3: configuration #1 chosen from 1 choice
Nov 12 16:58:21 elrond kernel: cdc_acm 1-4.3:1.1: ttyACM0: USB ACM device
Nov 12 16:58:21 elrond kernel: cdc_acm 1-4.3:1.3: ttyACM1: USB ACM device
Nov 12 16:58:21 elrond kernel: cdc_acm 1-4.3:1.5: ttyACM2: USB ACM device
Nov 12 16:58:27 elrond pppd[18284]: pppd 2.4.4 started by root, uid 0
Nov 12 16:58:27 elrond pppd[18284]: Using interface ppp0
Nov 12 16:58:27 elrond pppd[18284]: Connect: ppp0 <--> /dev/ttyACM0
Nov 12 16:58:29 elrond pppd[18284]: local IP address 169.254.1.68
Nov 12 16:58:29 elrond pppd[18284]: remote IP address 169.254.1.7
Nov 12 16:59:00 elrond pppd[18284]: LCP terminated by peer
Nov 12 16:59:00 elrond pppd[18284]: Connect time 0.6 minutes.
Nov 12 16:59:00 elrond pppd[18284]: Sent 182 bytes, received 126 bytes.
Nov 12 16:59:03 elrond pppd[18284]: Connection terminated.
Nov 12 16:59:03 elrond pppd[18284]: Modem hangup

Connection Phase 2: DNS

Immediately after establishing the PPP link, the phone queries the address of 'wsockhost.mrouter' via DNS:

16:58:29.846404 IP 169.254.1.1.57149 > 169.254.1.68.domain: 55553+ A? wsockhost.mrouter. (35)
16:58:29.908483 IP 169.254.1.68 > 169.254.1.1: ICMP 169.254.1.68 udp port domain unreachable, length 71
16:58:29.851334 IP 169.254.1.1.57149 > 169.254.1.68.domain: 40091+ AAAA? wsockhost.mrouter. (35)
16:58:29.851342 IP 169.254.1.68 > 169.254.1.1: ICMP 169.254.1.68 udp port domain unreachable, length 71

If there's already a DNS server running on your system, you could configure it to hand out a matching address. mrouterdnsd [DNS] does the same, but doesn't run all the time.

My first try was to run it from /etc/ppp/ip-up.d so it can bind to the right interface. Unfortunately, the phone is sometimes too fast and sends out queries before the daemon is started. Therefore, it is now started with an init-script:

#!/bin/sh
# doing this in .ip-up would be nice (with matching if), but that's too slow
# the daemons are started too late to catch the M600i's queries - and it is
# very quick with disconnecting the link if it gets no answers
# $1 is the address handed out for wsockhost.mrouter
/home/ms/m600i/mrouterdnsd --bind=0.0.0.0 --mrouter="$1" --log=/tmp/m600i-mrouterdnsd.log
/home/ms/m600i/mrouter3004 --bind=0.0.0.0 --log=/tmp/m600i-mrouter3004.log

Here you can also see the next phase: port 3004
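The DNS exchange of phase 2 at the packet level, as an added example that is not the code of mrouterdnsd: it rebuilds the phone's 35-byte query and constructs a matching reply. Assumptions: the address handed out is the PC's end of the PPP link, and AAAA queries get an empty NOERROR reply; the function names are hypothetical.

```python
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = name.lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Constructed stand-in for the phone's query: RD set, one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def answer_query(query: bytes, name: str, ipv4: str, ttl: int = 60):
    """Build a reply to `query`, or return None if it does not ask for `name`."""
    qname = encode_name(name)
    end = 12 + len(qname) + 4              # header + name + qtype/qclass
    if len(query) < end:
        return None
    txid, flags, qdcount = struct.unpack_from(">HHH", query)
    if flags & 0x8000 or qdcount != 1 or query[12:end - 4].lower() != qname:
        return None                        # a response, or some other name
    qtype, qclass = struct.unpack_from(">HH", query, end - 4)
    answer = b""
    if (qtype, qclass) == (QTYPE_A, QCLASS_IN):
        # 0xC00C is a compression pointer back to the name at offset 12.
        answer = struct.pack(">HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
        answer += socket.inet_aton(ipv4)
    # QR and AA set, RD copied from the query (assumed reply policy).
    reply_flags = 0x8400 | (flags & 0x0100)
    header = struct.pack(">HHHHHH", txid, reply_flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:end] + answer
```
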

Connection Phase 3: Port 3004

The phone tries to connect to port 3004 on the host it got in phase 2. If it cannot do that, the connection is closed.

First thing is a 4-byte exchange:

Phone -> PC: 00 00 02 00
Phone <- PC: 20 00 02 00

Then, the phone sends some strings in a tagged format:

Byte offset   0 1 2 3    4 5 6 7           8 ...
Field         Tag        Length in Bytes   Data
Example       01000000   1e000000          33...

The list ends with the tag 0x00000000, a length of 0x00000000 and a final 0x0a. The data are strings in UTF-16LE.

I have found these tags:

0x00  EOF
0x01  IMEI
0x02  ?
0x03  Vendor?
0x04  ?
0x10  Interface?
0x11  Bluetooth device name
0x21  Operating system?

As long as this connection is not closed, the PPP link stays established. mrouter3004 [3004] implements this protocol.
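A parser for the tagged list described above, as an added example that is not the code of mrouter3004. The sample bytes are constructed, and the size bound and function names are assumptions that do not come from the page.

```python
import struct

# Tag names as listed on the page; a "?" marks the page author's own guess.
TAGS = {0x01: "IMEI", 0x02: "?", 0x03: "Vendor?", 0x04: "?", 0x10: "Interface?",
        0x11: "Bluetooth device name", 0x21: "Operating system?"}
MAX_FIELD = 512  # assumed sanity bound in bytes; the page states no maximum


def build_field(tag: int, text: str) -> bytes:
    """Encode one field: 4-byte tag, 4-byte length in bytes, UTF-16LE data."""
    data = text.encode("utf-16-le")
    return struct.pack("<II", tag, len(data)) + data


def parse_tagged_list(buf: bytes) -> list:
    """Return [(tag, string), ...] up to the EOF entry; raise ValueError if malformed."""
    fields, pos = [], 0
    while True:
        if len(buf) - pos < 8:
            raise ValueError(f"truncated field header at offset {pos}")
        tag, length = struct.unpack_from("<II", buf, pos)
        pos += 8
        if tag == 0:
            # EOF entry: tag 0, length 0, then a single 0x0a byte.
            if length != 0 or buf[pos:pos + 1] != b"\x0a":
                raise ValueError("malformed end-of-list marker")
            return fields
        # Check the peer-supplied length before slicing: bounded, even
        # (UTF-16 code units are 2 bytes) and fully present in the buffer.
        if length > MAX_FIELD or length % 2 or length > len(buf) - pos:
            raise ValueError(f"bad length {length} for tag {tag:#x}")
        fields.append((tag, buf[pos:pos + length].decode("utf-16-le")))
        pos += length


# Constructed sample (not a capture): a made-up 15-digit IMEI and device name.
SAMPLE = (build_field(0x01, "300000000000000") + build_field(0x11, "M600i")
          + struct.pack("<II", 0, 0) + b"\x0a")

if __name__ == "__main__":
    for tag, value in parse_tagged_list(SAMPLE):
        print(f"{tag:#04x} {TAGS.get(tag, 'unknown')}: {value}")
```
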

After unplugging the phone, the running daemons must be stopped, which is done by an ip-down-script:

#!/bin/sh
if [ "$LINKNAME" != "M600i" ]; then exit 0; fi
/home/ms/m600i/mrouter3004 TERM
/home/ms/m600i/mrouterdnsd TERM

Connection Phase 4: Port 3923

The PC application connects to the phone on port 3923/tcp (registered at IANA as symb-sb-port: 'Symbian Service Broker'). Besides querying for (at least) version and IMEI, the available services and the ports they are running at can be found there.

Every exchange starts with a 4-byte command, followed by a two-byte length and data:

Byte offset   0 1 2 3    4 5               6 ...
Field         Command    Length in Bytes   Data
Example       00000000   0200              00...

The phone generally answers with the same command word, but with the second byte set to 0x01. If there was an error, the first byte is apparently set to 0xff.

In some cases, strings in UTF-16LE format with a two-byte length header are exchanged. In contrast to the format above, this length is counted in double-bytes:

Byte offset   0 1                    2 3 ...
Field         Length in Characters   String
Example       0400                   3800...

I have identified the following commands (data part is shown without the length header):

0x00  exchange Version?
  PC -> Phone: 0x00
  PC <- Phone: 0x00

0x04  get services
  PC <- Phone:
    Byte offset   0 1      2 3                    4 5 ..    34 35                  36 37 ...
    Field         #items   Length in Characters   String    Length in Characters   String
    Example       0400     0f00                   6300...   1a00                   6300...

0x05  get service version?
  PC -> Phone:
    Byte offset   0 1                    2 3 ...
    Field         Length in Characters   String
    Example       0f00                   6300...
  PC <- Phone: 0x01 0x00 0x00 0x00

0x06  get service port
  PC -> Phone:
    Byte offset   0 1                    2 3 ...   32 33
    Field         Length in Characters   String    LF?
    Example       0f00                   6300...   0a00

  Yes, there's an additional 0x0a 0x00 at the end that is not counted in the string length, but is counted in the data length header.

  PC <- Phone: 0x41 0x83 => Port 33601

0x07  get IMEI
  PC <- Phone:
    Byte offset   0 1                    2 3 ...   32 ...
    Field         Length in Characters   String    some more garbage
    Example       0f00                   3300...   ...

This protocol is implemented in symb-sb [SB].
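The framing rules of phase 4 applied to the 'get service port' command, as an added example that is not the code of symb-sb. It assumes that the command number sits in byte 0 of the command word with the remaining request bytes zero, and that replies carry the same length header; the reply frame is constructed around the page's example bytes and the function names are hypothetical.

```python
import struct


def pack_string(text: str) -> bytes:
    """UTF-16LE string whose 2-byte header counts characters, not bytes."""
    data = text.encode("utf-16-le")
    return struct.pack("<H", len(data) // 2) + data


def build_request(command: int, data: bytes = b"") -> bytes:
    """4-byte command word, 2-byte data length in bytes, then the data."""
    # Assumption: the command number sits in byte 0 and the rest is zero.
    return bytes([command, 0, 0, 0]) + struct.pack("<H", len(data)) + data


def build_get_service_port(service: str) -> bytes:
    # The trailing 0a 00 is outside the string length but inside the data length.
    return build_request(0x06, pack_string(service) + b"\x0a\x00")


def parse_reply(frame: bytes, command: int) -> bytes:
    """Validate the command word and length header; return the data part."""
    if len(frame) < 6:
        raise ValueError("short frame")
    (length,) = struct.unpack_from("<H", frame, 4)
    if frame[0] == 0xFF:
        raise ValueError("phone signalled an error")
    if frame[0] != command or frame[1] != 0x01:
        raise ValueError("reply does not match the request")
    if len(frame) - 6 != length:
        raise ValueError("length header disagrees with frame size")
    return frame[6:]


def parse_port(data: bytes) -> int:
    """The port arrives as two little-endian bytes: 41 83 -> 0x8341 = 33601."""
    if len(data) < 2:
        raise ValueError("expected a 2-byte port")
    return struct.unpack_from("<H", data)[0]


# Constructed reply frame carrying the page's example bytes 0x41 0x83.
SAMPLE_REPLY = bytes.fromhex("06010000" "0200" "4183")
```
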

SyncML

The phone provides the SyncML service 'com.symbian.syncmlinit'. When it is sent the right command, the phone will connect to a SyncML HTTP server.

symb-syncml [SML] mimics the message of the Windows software, but I'm not really sure yet how to proceed from there.

Setting the time

The description of NCP_SET_TIME at http://plptools.sourceforge.net/plp.html gives a hint on the command structure: the time is encoded in 8 bytes specified as the number of microseconds since 00:00 on 1st January 1 in the home time zone, followed by what might be a country code (in my case 0x31 = 49, the prefix for Germany).

Other stuff

MidpSSH [SSH]: SSH client. At one point I had this running over USB (I configured a new internet account without phone number) - but I can't get it to work any more. Perhaps http://gnubox.dnsalias.org/gnubox/ can help.

http://symbianos.org/~malm/SymbianLinuxHowTo.html

References

[P3NFS] p3nfsd package, Rudolf Koenig, http://www.koeniglich.de/p3nfs.html
[MR] m-Router, Intuwave Developer Resource Centre, http://developer.intuwave.com/Downloads/m-Router [link is no longer valid, see http://www.aikon.ch/vb/archive/index.php/t-18685.html]
[U2P] usbmon2pppdump, Michael Stürmer, http://mallorn.de/m600i.html
[WS] Wireshark, Gerald Combs, http://www.wireshark.org/
[DNS] mrouterdnsd, Michael Stürmer, http://mallorn.de/m600i.html
[3004] mrouter3004, Michael Stürmer, http://mallorn.de/m600i.html
[SB] symb-sb, Michael Stürmer, http://mallorn.de/m600i.html
[SML] symb-syncml, Michael Stürmer, http://mallorn.de/m600i.html
[SSH] MidpSSH, Karl von Randow, http://www.xk72.com/midpssh/


Copyright 2002-2021 Michael Stürmer · <ms@www.mallorn.de> · last modified 8.02.2021 20:39.