Introduction
This article describes a data exchange protocol that is a modification of the well-known OBEX protocol and is used in the GSM Samsung phones from the SHP family. The described modification lets you write data to the phone as well as read and save data from it.
Samsung Corporation released a new line of phones from the SHP family and implemented OBEX support in them, which had not been used in this company's phones before. Attempts to communicate with these phones using the common OBEX protocol did not succeed. The problem was solved by sniffing the traffic of the Samsung PC Studio 3.0 utility. The obtained results are given in the main part of the article.
This article will be useful for those who develop utilities for writing information to and reading it from the phones. The described protocol modification solves the problem of communicating with the device.
First we consider three main types of the protocol commands. Then we turn to the sequence of commands sent to connect to the device, read data and finish the session. After that, some examples of the main commands are given. The article ends with a short summary.
Main Protocol Commands Format
All protocol commands can be divided into 2 types:
- AKN packages. These packages confirm that data has been received and request the next part of an extended package.
- Data packages. These are initialization, acquiring, closing, etc. They can be Request or Answer packages.
An AKN package is a single block 3 bytes long: 0x83 0x00 0x03.
A Request package has the following structure:
| Size (bytes) | Meaning | Description |
|---|---|---|
| 1 | Package ID | 0x80: Select the answering device, obtain the properties and establish connection |
| | | 0x81: Finish the connection session |
| | | 0x82: Write an object |
| | | 0x83: Read an object |
| | | 0x84: Reserved |
| | | 0x85: Select the default directory on the receiving side |
| | | 0xFF: Cancel current operation |
| 2 | Package size | The size of the whole package (from the zero byte and to the end) |
| … | Data blocks | Some number of data blocks that depends on the context of the command containing them |

Format of a data block:

| Size (bytes) | Meaning | Description |
|---|---|---|
| 1 | Type | Set the type of the data in the block |
| 2 | Size | The size of the whole data block (from the zero byte and to the end) |
| N-3 | Data | Some data depending on the type specified by the first byte |
The description of the Answer packages is given in the table below.
| Size (bytes) | Value | Description |
|---|---|---|
| 1 | Package ID | 0x90: Successful but not completed (received package is a part of the extended package) |
| | | 0xA0: Successful and completed |
| | | 0xC3: Access denied |
| | | 0xC4: Not found |
| | | 0xC9: Conflict |
| 2 | Package size | The size of the whole package (from the zero byte and to the end) |
| … | Data blocks | Some number of data blocks that depends on the context of the command containing them |

Format of a data block:

| Size (bytes) | Meaning | Description |
|---|---|---|
| 1 | Type | Set the type of the data in the block |
| 2 | Size | The size of the whole data block (from the zero byte and to the end) |
| N-3 | Data | Some data depending on the type specified by the first byte |
The Sequence of Commands
Like any standard communication protocol, the modified OBEX consists of a sequence of requests and answers. In general, a communication session can be divided into 3 phases:
- Initialization
- Acquiring data
- Closing the session
The session is described in the table below:
| Phase | Direction | Bytes (hex) | ASCII |
|---|---|---|---|
| Initialization phase | Request | 41 54 2B 53 59 4E 43 4D 4C 3D 4D 4F 42 45 58 53 54 41 52 54 0D 0A | AT+SYNCML=MOBEXSTART.. |
| | Answer | 41 54 2B 53 59 4E 43 4D 4C 3D 4D 4F 42 45 58 53 54 41 52 54 0D 4F 4B 0D 0A | AT+SYNCML=MOBEXSTART.OK.. |
| | Request | 80 00 0F 11 00 FF FF 46 00 08 4D 4F 42 45 58 | .......F..MOBEX |
| | Answer | A0 00 14 12 00 05 78 CB 00 00 00 01 4A 00 08 4D 4F 42 45 58 | ......x.....J..MOBEX |
| Acquiring phase | Request / Answer | A series of requests and answers for acquiring data | |
| Closing phase | Request | 81 00 08 CB 00 00 00 01 | ........ |
| | Answer | A0 00 03 | ... |

Note: if the first byte of an answer package is equal to 0x90, it is a so-called extended package and an AKN package (0x83 0x00 0x03) must be sent; after that the device gives us the other parts of the package.
Commands Examples
Let's consider some examples of data acquisition. They are examples of working with the file system.
Obtaining the list of subfolders of a folder (m-obex/fs/folder_listing)
Request

    83 00 29 CB 00 00 00 01 42 00 1C 6D 2D 6F 62 65  ..).....B..m-obe
    78 2F 66 73 2F 66 6F 6C 64 65 72 5F 6C 69 73 74  x/fs/folder_list
    69 6E 67 00 01 00 05 2F 00                       ing..../.

| Size (bytes) | Value | Description |
|---|---|---|
| 1 | 0x83 | Reading |
| 2 | 0x00 0x29 | Package size |
| 1 | 0xCB | Data block type |
| 4 | 0x00 0x00 0x00 0x01 | Reserved |
| 1 | 0x42 | Data block type (text) |
| 2 | 0x00 0x1C | Block size |
| N-3 | m-obex/fs/folder_listing | Block data (command name) |
| 1 | 0x01 | Block type (list) |
| 2 | 0x00 0x05 | Block size |
| N-3 | 0x2F 0x00 | Block data. Note: "/" for the root, "/<directory name>" for the other folders |
Answer

    A0 00 FC 42 00 1B 6D 2D 6F 62 65 78 2F 66 73 2F  ...B..m-obex/fs/
    66 6F 6C 64 65 72 5F 6C 69 73 74 69 6E 67 C3 00  folder_listing..
    00 00 D6 49 00 D9 41 75 64 69 6F 2C 30 2C 31 31  ...I..Audio,0,11
    31 30 30 31 30 31 30 2C 32 30 30 34 3A 30 33 3A  1001010,2004:03:
    30 31 20 30 31 3A 30 33 3A 30 30 5C 72 5C 6E 47  01 01:03:00\r\nG
    72 61 70 68 69 63 73 2C 30 2C 31 31 31 30 30 31  raphics,0,111001
    30 31 30 2C 32 30 30 34 3A 30 33 3A 30 31 20 30  010,2004:03:01 0
    31 3A 30 33 3A 30 30 5C 72 5C 6E 56 69 64 65 6F  1:03:00\r\nVideo
    2C 30 2C 31 31 31 30 30 31 30 31 30 2C 32 30 30  ,0,111001010,200
    34 3A 30 33 3A 30 31 20 30 31 3A 30 33 3A 30 30  4:03:01 01:03:00
    5C 72 5C 6E 4D 75 73 69 63 2C 30 2C 31 31 31 30  \r\nMusic,0,1110
    30 31 30 31 30 2C 32 30 30 34 3A 30 33 3A 30 31  01010,2004:03:01
    20 30 31 3A 30 33 3A 30 30 5C 72 5C 6E 4F 74 68   01:03:00\r\nOth
    65 72 20 46 69 6C 65 73 2C 30 2C 31              er Files,0,1
    31 31 30 30 31 30 31 30 2C 32 30 30 34 3A 30 33  11001010,2004:03
    3A 30 31 20 30 31 3A 30 33 3A 30 30 5C 72 5C 6E  :01 01:03:00\r\n

| Size (bytes) | Value | Description |
|---|---|---|
| 1 | 0xA0 | Successful operation |
| 2 | 0x00 0x0F | Package size |
| 1 | 0x42 | Block type |
| 2 | 0x00 0x1C | Block size |
| N-3 | m-obex/fs/folder_listing(0x00) | Block data |
| 1 | 0xCB | Block type |
| 4 | 0x00 0x00 0x00 0xD6 | Reserved |
| 1 | 0x49 | Block type |
| 2 | 0x00 0xD9 | Block size |
| N-3 | <DATA> | Block data. Note: the list items are separated with the pair of symbols "\r\n" |
Each element of the list is a folder description: [Name][Size(always 0)][Attributes][Modified][Created].
These two commands show the general structure of a package in the modified OBEX protocol.
In conclusion, I want to mention that the records in the phone book as well as the calendar are represented in VCard, as they were in the previous versions of the OBEX protocols.
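An added example, not code from the original article: a Python parser for the package layout described above that checks every length field before trusting it, run on the folder-listing request and answer rebuilt from the hex dumps on this page. It assumes, as in standard OBEX, that the top two bits of a block type select its encoding (which matches 0xCB and 0xC3 carrying a fixed four-byte value in the dumps) and that initialization packages carry four extra bytes before the first block; `parse_package`, `folder_entries` and `PacketError` are names chosen for this example.

```python
import struct

class PacketError(ValueError):
    """Raised when a package contradicts its own length fields."""

def parse_package(buf, skip=0):
    """Return (package_id, [(block_type, data), ...]) for one whole package.
    skip: bytes between the size field and the first block (assumed 4 in
    the initialization exchange, 0 elsewhere)."""
    if len(buf) < 3:
        raise PacketError("shorter than the 3-byte header")
    pkg_id, size = struct.unpack(">BH", buf[:3])
    if size != len(buf) or 3 + skip > size:
        raise PacketError(f"size field {size} vs {len(buf)} bytes received")
    pos, blocks = 3 + skip, []
    while pos < size:
        kind = buf[pos] >> 6   # assumption: top two bits pick the encoding
        if kind == 3:          # 0xCB, 0xC3: fixed 4-byte value, no size field
            start, end = pos + 1, pos + 5
        elif kind == 2:        # assumed from standard OBEX: 1-byte value
            start, end = pos + 1, pos + 2
        else:                  # Type(1) Size(2) Data(N-3), as in the tables
            if pos + 3 > size:
                raise PacketError("truncated block header")
            start = pos + 3
            end = pos + struct.unpack(">H", buf[pos + 1:pos + 3])[0]
            if end < start:
                raise PacketError("block size smaller than its own header")
        if end > size:
            raise PacketError("block runs past the end of the package")
        blocks.append((buf[pos], buf[start:end]))
        pos = end
    return pkg_id, blocks

def folder_entries(listing):
    """Split a listing on the literal backslash-r-backslash-n separators."""
    return [item.split(b",") for item in listing.split(b"\\r\\n") if item]

# Packages rebuilt from the hex dumps on this page.
LIST_REQ = (bytes.fromhex("830029CB0000000142001C")
            + b"m-obex/fs/folder_listing\x00" + bytes.fromhex("0100052F00"))
BODY = "".join(f"{n},0,111001010,2004:03:01 01:03:00\\r\\n" for n in
               ("Audio", "Graphics", "Video", "Music", "Other Files")).encode()
LIST_ANS = (bytes.fromhex("A000FC42001B") + b"m-obex/fs/folder_listing"
            + bytes.fromhex("C3000000D64900D9") + BODY)
INIT_REQ = bytes.fromhex("80000F1100FFFF4600084D4F424558")

if __name__ == "__main__":
    print(folder_entries(parse_package(LIST_ANS)[1][-1][1]))
```

A tool that talks to a real handset should run every received package through checks like these before indexing into it, since the size fields come from the device and cannot be trusted to agree with the bytes actually read.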