2 Document describing protocol used in Nokia phones.
4 The data provided is for information purposes only.
5 Some of the frames might be hazardous to your phone. Be careful!!!
6 We do not take any responsibility or liability for damages, etc.
9 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
11 Balazs Nagy (js@lsc.hu)
12 Alfred R. Nurnberger <arnu@flosys.com>
13 Hugh Blemings <Hugh.Blemings@vsb.com.au>
14 Mike Bradley <mike@trumpington.st>
15 Odinokov Serge <serge@takas.lt>
16 Pavel Janik <Pavel@Janik.cz>
17 Pawe³ Kot <pkot@linuxnews.pl>
18 Marcin Wiacek (Marcin-Wiacek@TOPNET.PL)
19 Jens Bennfors <jens.bennfors@ing.hj.se>
20 Michael Hund <michael@drhund.de>
21 Jay Bertrand <jay.bertrand@libertysurf.fr>
24 Pavel Machek <pavel@ucw.cz>
25 Diego Betancor <dbetancor@duocom.net>
26 ... and other members of gnokii mailing list
27 and authors of some WWW pages.
29 NOTE: this information isn't (and can't be) complete. If you know anything
30 about features not listed here or you noticed a bug in this list, please
31 notify us via e-mail. Thank you.
33 Frame format for MBUS version 1:
35 Request from Computer/Answer from Phone:
37 { DestDEV, SrcDEV, FrameLength, MsgType, {block}, id, ChkSum }
39 where DestDEV, SrcDEV: 0x00: phone
42 FrameLength: length of data frame. Maximal 0x78. Longer
43 frames are divided into smaller.
46 id: request identity number 1..n, incremented after
47 the request is accepted
48 ChkSum: XOR on frame's all numbers
52 { DestDEV, 0x00, FrameLength, MsgType, {block} , id, ChkSum }
54 where DestDEV: taken from original request packet
55 FrameLength: 0x7f, when DestDEV = 0xe4
56 0x7e, when DestDEV = 0xf8
57 MsgType: see List. Present only, when DestDEV = 0xf8
58 {block}: main frame. Present only, when DestDEV = 0xf8
59 id: request identity number 1..?, corresponding
60 to the original request packet id
61 the request is accepted
62 ChkSum: XOR on frame's all numbers
64 Update: description above according to the
65 http://www.gadgets.demon.co.uk/nokia21xx/protocol.html.
67 Pavel Machek <pavel@ucw.cz> wrote:
68 0x7e is actually registration acknowledge. Both have nothing to do
69 with DestDEV, except that special device needs to be used for
74 { 0x00, SrcDEV, 0x7f, id, ChkSum }
76 where SrcDEV: taken from response packet
77 id: request identity number 1..?, corresponding
78 to the response packet id
79 the request is accepted
80 ChkSum: XOR on frame's all numbers
83 Speed 9600 bps, Bits 8, ParityOdd, Stop Bits 1, DTR and RTS logic 0
85 In the MBUS bus, the phone has only one connector for transmition and
88 Because of this characteristics of the phone connector, every time that the
89 PC writes into the phone it is writing as well into its own Rx. So every
90 time the PC sends info into the phone it finds that same information in its
91 own Rx buffers, like a mirror copy. This should be discarded.
93 The communications is made like an old cb radio, only one
94 talking at a time. Many transmission are made this way:
96 <computer sends request>
98 <phone sends response>
101 Some frames are sent from phone without asking for them
103 You have to implement collision protocol. IE. you should listen for
104 what you are transmitting, and if it does not come back, you have
107 You should wait for bus to be free for 3 miliseconds before normal
108 message, and for 2.5 miliseconds before acknowledge. You should wait
109 for acknowledge for 200 miliseconds, then retransmit.
111 Frame format for FBUS version 1:
113 { FrameID, FrameLength, MsgType, {block}, SeqNo, ChkSum }
115 where FrameID: 0x01 Command frame from computer to Nokia
116 0x02 ??? - Data call frame from computer to Nokia - ???
117 0x03 Data call frame from Nokia to computer
118 0x04 Command frame from Nokia to computer
119 FrameLength: {block} + 2
121 SeqNum: Sequence number of command in case where direction is
122 from ME to computer, the sequence number is
123 counting from 0x30 to 0x37 and resetting back to 0x30.
124 When direction is from computer to ME,
125 sequence number counts from 0x08 to 0x0f and resets back to 0x08.
126 It may not be required to be this way.
127 Sequence numbers are used in acknowledging commands.
129 for (i = 0; i < (2 + CMD_LEN); i++)
132 Frame format for FBUS version 2/Direct IRDA:
134 { FrameID, DestDEV, SrcDEV, MsgType, 0x00, FrameLength, {block}, FramesToGo,
135 SeqNo, PaddingByte?, ChkSum1, ChkSum2 }
137 where FrameID: 0x1c: IR / FBUS
139 DestDev, SrcDev: 0x00: mobile phone
140 0x0c: TE (FBUS) [eg. PC]
142 FrameLength: {block} + 2 (+ 1 if PaddingByte exists)
143 FramesToGo: 0x01 means the last frame
148 PaddingByte: 0x00 if FrameLength would be an odd number
149 anyways it doesn't exists
150 ChkSum1: XOR on frame's odd numbers
151 ChkSum2?: XOR on frame's even numbers
153 Frame format for MBUS version 2:
155 { FrameID, DestDEV, SrcDEV, MsgType, FrameLengthLO, FrameLengthHI, {block},
158 where FrameID: 0x1f: Serial / M2BUS
159 DestDev, SrcDev: 0x00: mobile phone
161 0x10: TE (M2BUS) (Service Software ?)
164 0xF8: unknown target?
168 SeqNo: sequence number
169 ChkSum: XOR on frame's all numbers
171 Please note that M2BUS has only one checksum: XOR on frame[FrameID..SeqNo]
175 { FrameID, DestDEV, SrcDEV, 0x7f, Id_SeqNo, ChkSum }
177 where Id_SeqNo: Is the sequence number that you are
178 acknowleging (from the other part).
180 Frame format for Infrared:
182 { FrameID, DestDEV, SrcDEV, MsgType, FrameLengthLo, FrameLengthHi, {block}}
185 DestDev, SrcDev: 0x00: mobile phone
192 hex: Short description
195 0xXXYY -> two bytes (== 0xXX, 0xYY)
197 where hex: message type
198 x: s=send (eg. to mobile), r=receive
199 { ... }: data after 0x00, 0x01 header
200 {+... }: raw data (without header)
202 -------------------------------------------------------------------------------
204 Misc (about MBUS version 2):
207 (sent from a 5160i TDMA / 6160i TDMA / 6185 CDMA or 7110 GSM
208 phone to the uC in the DLR-3 cable)
210 1F 48 00 4E 00 02 01 XX SQ CS
211 frame sent from the phone to the DLR-3 cable
212 (after 15kOhm resistor detected betw. XMIC (3) and DGND (9).)
213 DSR,DCD,CTS flow control data is coded into the 2nd databyte
220 0x78 / 0x79 commands:
221 (used by handsfree carkit) Works also on GSM phones (5110 / 6110 / etc)
222 These commands are used by the Nokia Carkits to switch the phone audio path to
223 XMiC and XEAR , turn the phone on/off according to the car ignition, and
224 control the PA loudspeaker amplifier in the carkit and the car radio mute
225 output which silences the car radio during a call
227 1F 04 00 78 00 04 01 02 0E 00 SQ CS
228 status indication = disable carkit audio amplifier (no audio / no tone)
230 1F 04 00 78 00 04 01 02 0E 03 SQ CS
231 status indication = enable carkit audio amplifier (audio / tone present)
233 1F 04 00 78 00 04 01 02 07 00 SQ CS
234 status indication = disable radio mute output (no call)
236 1F 04 00 78 00 04 01 02 07 01 SQ CS
237 status indication = enable radio mute output (call active)
239 1F 04 00 78 00 04 01 02 08 01 SQ CS
240 status indication = enable ??? sent to HFU-2 on power on
241 byte 9 (07,08,0E) seems to be a pointer to a memory location,
242 byte 10 is the data at this memeory location.
244 1F 00 04 78 00 03 02 01 03 SQ CS
245 response message from HFU-2 (use unknown)
247 1F 00 04 79 00 05 02 01 01 63 00 SQ CS
248 enables carkit mode + turns phone on + req. mute status
250 1F 00 04 79 00 05 02 01 01 61 00 SQ CS
251 enables carkit mode + powers phone off (1 min delay) + req. mute status
253 1F 00 04 79 00 05 02 01 01 23 00 SQ CS
254 enables carkit mode + external handset lifted (OFF-Hook)
256 1F 00 04 79 00 05 02 01 01 63 00 SQ CS
257 enables carkit mode + external handset put back (ON-Hook)
258 Ignition and Hook are coded into one byte
259 bit.0 = 0:on power on 1:when in operation
260 bit.1 = IGNITION STATUS
261 bit.2 = x can be 1 or 0
265 bit.6 = Hook (inverted)
268 1F 00 04 79 00 12 02 01 02 06 00 56 20 30 36 2E 30 30 0A 48 46 55 32 00 SQ CS
270 1F 04 00 DA 00 02 00 02 SQ CS
271 function unknown - sent from Nokia phone to HFU-2mute output (call active )
275 1F 00 1D D0 00 01 04 SQ CS
276 sent by the Service Software or HFU-2 on startup
278 1F 1D 00 D0 00 01 05 SQ CS
279 response from phone to above frame