PDA

View Full Version : fbus frames



NOKMASTERgsm
09-04-2006, 07:44 AM
hi, anyone knows creating write sec. code tru fbus frames?

i have a sample here..

1E001023001A000801020023000000000000000A313233343500000000000147395B

when u send this fbus frame to phone your security code will set into 12345, i tried to change the 3132333435 into 3939393939 but no reaction?

anyone can explain?

br,

Al
09-04-2006, 09:02 AM
hi, anyone knows creating write sec. code tru fbus frames?

i have a sample here..

1E001023001A000801020023000000000000000A313233343500000000000147395B

when u send this fbus frame to phone your security code will set into 12345, i tried to change the 3132333435 into 3939393939 but no reaction?

anyone can explain?

br,
Have you changed checksum in FBUS frame after changing data??

NOKMASTERgsm
09-04-2006, 09:17 AM
Have you changed checksum in FBUS frame after changing data??

what do u mean?

the last 4 bytes?

Al
09-04-2006, 09:35 AM
FBUS frame:

<1 byte FrameID><1 byte destination><1 byte source><1 byte cmd><2 bytes data length (= n + 2 )><n bytes data><1 byte frame to go><1 byte sequence number><2 bytes checksum>

Where:
FrameID: 0x1E - FBUS, 0x1F - MBUS etc...
destionation, source: 0x00 - PC, 0x10 - Phone

Checksum: XOR all words in sequence, starting from FrameID

NOKMASTERgsm
09-04-2006, 09:53 AM
FBUS frame:

<1 byte FrameID><1 byte destination><1 byte source><1 byte cmd><2 bytes data length (= n + 2 )><n bytes data><1 byte frame to go><1 byte sequence number><2 bytes checksum>

Where:
FrameID: 0x1E - FBUS, 0x1F - MBUS etc...
destionation, source: 0x00 - PC, 0x10 - Phone

Checksum: XOR all words in sequence, starting from FrameID

1E001023001A000801020023000000000000000A3132333435 00000000000147395B

this one is ok when u are trying to set the security code of the phone into 12345

then 0147395B this is the last 4 bytes/chksum?

what if, if ive changed into e.g 61458 what is the correct chksum?

Al
09-04-2006, 10:11 AM
1E001023001A000801020023000000000000000A3132333435 00000000000147395B

this one is ok when u are trying to set the security code of the phone into 12345

then 0147395B this is the last 4 bytes/chksum?

what if, if ive changed into e.g 61458 what is the correct chksum?
1E00 xor 1023 xor 001A xor 0008 xor 0102 xor 0023 xor 0000 xor 0000 xor 0000 xor 000A xor 3132 xor 3334 xor 3500 xor 0000 xor 0000 xor 0147 = 395B

for another security code you can calculate by yourself usin this algo.

for 61458 checksum (last 2 bytes) will be: 3459

NOKMASTERgsm
09-04-2006, 10:23 AM
@Al

it works... how did u know the checksum? what is the algo?

br,

[ExiTuS]
09-04-2006, 03:12 PM
frame for sec.code 12345:
1E00 xor 1023 xor 001A xor 0008 xor 0102 xor 0023 xor 0000 xor 0000 xor 0000 xor 000A xor 3132 xor 3334 xor 3500 xor 0000 xor 0000 xor 0147 = 395B

change these bytes to your fav code and recalc with xor.
1E00 xor 1023 xor 001A xor 0008 xor 0102 xor 0023 xor 0000 xor 0000 xor 0000 xor 000A xor 3631 xor 3435 xor 3800 xor 0000 xor 0000 xor 0147 = 3459

note: try windows calculator :-D

greetings from germany
[ExiTuS], NokiaPort.de

NOKMASTERgsm
10-04-2006, 02:25 AM
@[ExiTuS]

you repeat the post of AI :-P

indear
10-04-2006, 05:28 AM
@[ExiTuS]

you repeat the post of AI :-P
:-?
You only need the post of Al for obtain the algo, split fbus frame (w/o checksum data..) in groups of two bytes and XOR all groups
frame size must be even, add 00h if size is odd



fbus_frame[frame_length] = 0;
fbus_frame[frame_length+1] = 0;

for (i=0; i<frame_length; i+=2)
{
fbus_frame[frame_length] ^= fbus_frame[i];
fbus_frame[frame_length+1] ^= fbus_frame[i+1];
}

NOKMASTERgsm
10-04-2006, 10:05 AM
Thanks to all. i understand now :)

btw, how to read sec. code? tru fbus?

br.
:)

NOKMASTERgsm
12-04-2006, 09:54 AM
anyone have an idea how to read sec. code on dct4? now i can write sec. code.. :)

mestrini
12-04-2006, 12:07 PM
anyone have an idea how to read sec. code on dct4? now i can write sec. code.. :)

why not use a port monitor and check the messages sent by the sw to read security code?

NOKMASTERgsm
12-04-2006, 12:52 PM
why not use a port monitor and check the messages sent by the sw to read security code?

i get this fbus frame.. but still can't read


1e0010230014000d1004002300000000000000000000000a01461f51

NOKMASTERgsm
13-04-2006, 12:25 PM
anyone knows to read sec. code on dct4 asic2?