linux software programming for pirelli/arcor twintel, need help for crc

legolas_vef

Neuer User
Mitglied seit
21 Apr 2007
Beiträge
5
Punkte für Reaktionen
0
Punkte
0
Hello,

I'm a french guy who's making a linux software for the pirelli dl-p10. I used a usb sniffer on windows XP, and then make my own code for linux using libusb.

My code is now ok for configuring, enter the code (0000), and getting the firmware version from the phone. After this, I can do exactly the same thing that the DL-P10 Utility from Windows, (get images list for example), but for doing myself (command in the order the user want) I need one octet I can't understand. Everything else is ok...
When I give a wrong byte, phone's response is one error.

It's maybe a crc of the command, I give you some examples and maybe someone will have one idee.
The byte I don't understand is at 0x90, juste before the last '02 02':

00000000: 02 02 14 10 10 03 00 61 00 00 00 00 00 00 00 00
00000010: 2f 67 61 6c 6c 65 72 79 2f 69 6d 67 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 35 c7 be 51
00000090: 64 02 02

00000000: 02 02 14 10 10 04 00 61 01 00 00 00 00 00 00 00
00000010: 2f 67 61 6c 6c 65 72 79 2f 69 6d 67 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 34 c6 be 51
00000090: 62 02 02

00000000: 02 02 14 10 10 07 00 61 01 00 00 00 03 00 00 00
00000010: 2f 67 61 6c 6c 65 72 79 2f 69 6d 67 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 31 c3 be 51
00000090: 62 02 02
00000000: 02 02 14 10 10 3d 00 61 01 00 00 00 06 00 00 00
00000010: 2f 67 61 6c 6c 65 72 79 2f 69 6d 67 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 2e 8d be 51
00000090: 0c 02 02


00000000: 02 02 14 10 10 3f 00 61 01 00 00 00 08 00 00 00
00000010: 2f 67 61 6c 6c 65 72 79 2f 69 6d 67 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 2c 8b be 51
00000090: 04 02 02


00000000: 02 02 14 10 10 5a 00 64 00 00 00 00 00 00 00 00
00000010: 00 00 00 00 06 00 00 00 2f 67 61 6c 6c 65 72 79
00000020: 2f 69 6d 67 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000090: 00 70 00 74 00 69 00 74 00 2e 00 6a 00 70 00 67
000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 2f f9 bc 95
000000c0: 96 02 02

Thank you for helping me, with that programm we will more understand the phone, put the firmware with linux boxes et maybe get/put some things else that images and waves ?
 
Can you supply a short description of the other octets, then I might guess what the missing one is about.

I wrote TC300EX software, which can decode/encode TC-300 firmware including lots of CRC checks.

Edit: The CRCs within firmware/filesystem are all 16bit = 2 octets.

oerx
 
Zuletzt bearbeitet:
Hello,

at 0x00 : 02 02 14 10 10 is always the same header to send queries.

at 0x05 : the number of request supplied, after the password verified. getting the firmware was 01, the second command was 02, the first command retrieving the list 03, etc.... doing nothing, a new command for to ping is send every second, this byte +1 every time.
at 0x06 : 0. (We can imagine the number of request is a 2-byes int ?)

at 0x07: 61 00 or 61 01. the command itself. 61 if for list, 0 is the first time to have number of files, and 1 the next times for each name of element.
(examples of other commands: "66 ff" getting firmware, "68 ff" is the ping)

at 0x0c : when getting list, the number of the element name asked. 00 for the first list command, after : 00 for the first element, 01 for the second, etc..

at 0x10: the name of the path asked. : /gallery/img (also seen /gallery/sound )

at 0x8c: if i is the number of the command from beginning (at 0x05), this byte value is : 0x38-i

at 0x8d: with same value i: 0xca-i

at 0x8e and 0x8f : "be 51" is always the same for "/gallery/img" ; its "bc 43" for "/gallery/sound"

at 0x90 : ???

at 0x91 : "02 02" the same end for every command.

Sometimes, a byte of value "10" is inserted at 0x0c and every bytes after is 1 position after.
Sometimes the command is longer, but it's not common at all.

If you want I can give the responses format from the phone. I hope this problem will be easy for you ;)

PS: I didn't make a site yet for this, waiting it works. I will give you when I will of course, and will put yours in my links.
 
Thanks! Can you supply a few more examples (maybe 6) with the ping (which only increments the 0x05,0x06 counter as far as I understand)?
 
Yes

The send of the ping have not unknown byte : it's understood by the phone every time, and its respond clear also.

It's the ping after the phon configured and the code entered:

the command offset is now 0x13,
send
00000000: 02 02 14 10 10 13 00 68 ff ec ff 97 10 10 02 02
receive
00000000: 02 14 10 10 00 13 00 68 6b 02
send
00000000: 02 02 14 10 10 14 00 68 ff eb ff 97 10 10 02 02
receive
02 14 10 10 00 14 00 68 6c 02

etc..

With the offset now "7a":
send
02 02 14 10 10 7a 00 68 ff 85 ff 97 10 10 02 02
receive
02 14 10 10 00 7a 00 68 10 02 02
send
02 02 14 10 10 7b 00 68 ff 84 ff 97 10 10 02 02
receive
02 14 10 10 00 7b 00 68 03 02

The ping is clear: head, number of command, "68 ff", 0xffff - offset (two bytes int, "ec ff" in the first example), '97 10 10 02 02' for the end
 
'97 10 10 02 02' for the end
I would think that the green bytes 97 10 are similar to
at 0x8e and 0x8f : "be 51" is always the same for "/gallery/img" ; its "bc 43" for "/gallery/sound"
and that the red byte 10 is similar to
Based on this we could think that the byte is a CRC which looks fixed in the ping-examples because
Code:
02 02 14 10 10 [COLOR="Blue"]13 00[/COLOR] 68 ff [COLOR="Blue"]ec ff[/COLOR] [COLOR="SeaGreen"]97 10[/COLOR] [COLOR="Red"]10[/COLOR] 02 02
02 02 14 10 10 [COLOR="Blue"]14 00[/COLOR] 68 ff [COLOR="Blue"]eb ff[/COLOR] [COLOR="SeaGreen"]97 10[/COLOR] [COLOR="Red"]10[/COLOR] 02 02
the blue bytes e.g. 14 00 and eb ff are both in- and de-cremented so the CRC stays the same.

Do you have example of commands which have only very little differences? Like retrieving almost identical files from file-list or similar?

Edit: And can you post example of same command like 6101 with same element and only different counter-values? Then "CRC" should be same.

Edit 2: Of course it's also possible that the green bytes and the second blue bytes are some sort of CRC themself as well (of the command+counter and of the params of the command, or maybe not)...
 
Zuletzt bearbeitet:
Edit: And can you post example of same command like 6101 with same element and only different counter-values? Then "CRC" should be same.

First I tried to retrieve two times the same file, with command "61 01", the same number file "0", the good unknow crc at 0x90 wich is correct the first time. Unfortunatly, it's not the second time :

usb_bulk_write: 0x93 octets écrits
0x00: 02 02 14 10 10 04 00 61 01 00 00 00 00 00 00 00 a
0x10: 2f 67 61 6c 6c 65 72 79 2f 69 6d 67 00 00 00 00 /gallery/img
0x20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x80: 00 00 00 00 00 00 00 00 00 00 00 00 34 c6 be 51 4 Q
0x90: 62 02 02 b 4 Q
usb_bulk_read: 0x3a octets lus
0x00: 02 14 10 10 00 04 00 61 00 00 00 00 65 00 6c 00 a e l
0x10: 6f 00 2e 00 6a 00 70 00 67 00 00 00 00 00 00 00 o . j p g
0x20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x30: 00 00 00 00 00 00 00 00 40 02 @
usb_bulk_write: 0x93 octets écrits
0x00: 02 02 14 10 10 05 00 61 01 00 00 00 00 00 00 00 a
0x10: 2f 67 61 6c 6c 65 72 79 2f 69 6d 67 00 00 00 00 /gallery/img
0x20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x80: 00 00 00 00 00 00 00 00 00 00 00 00 33 c5 be 51 3 Q
0x90: 62 02 02 b 3 Q
usb_bulk_read: 0x7 octets lus
0x00: 02 14 10 10 3e 2e 02 >. ·êKο
Erreur réponse liste

In the first answer, we see the filename 'elo.jpg' of the first file, each char coded in two bytes.
The second answer is the generic error response from the phone: '02 14 10 10 3e 2e 02', which I know by heart now ;)

Now I will see in my sniff logs: same retrieve of file (ie file number 0 here), offset of command different:

first list after initilaization: command offset is 04:
00000000: 02 02 14 10 10 04 00 61 01 00 00 00 00 00 00 00
00000010: 2f 67 61 6c 6c 65 72 79 2f 69 6d 67 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 34 c6 be 51
00000090: 62 02 02

command number now 0x47:
00000000: 02 02 14 10 10 47 00 61 01 00 00 00 00 00 00 00
00000010: 2f 67 61 6c 6c 65 72 79 2f 69 6d 67 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 34 83 be 51
00000090: 64 02 02

command number is now 0x78:
00000000: 02 02 14 10 10 78 00 61 01 00 00 00 00 00 00 00
00000010: 2f 67 61 6c 6c 65 72 79 2f 69 6d 67 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 34 52 be 51
00000090: 8a 02 02

In fact, I thinf the blue number "34" is computed with the file-number, not with the command-number : it increments inside one list querie, with the number of file asked.
 
Ok. So this is not correct in general:
the blue bytes e.g. 14 00 and eb ff are both in- and de-cremented so the CRC stays the same.
And
at 0x8c: if i is the number of the command from beginning (at 0x05), this byte value is : 0x38-i
at 0x8d: with same value i: 0xca-i
looks not valid as well.

Have to think more about it :)
 
updated:
at 0x8c : 0x35 - (number of file retrieved) - (command type 00 or 01 at 0x06)
"number of file retrived" is found at 0x0c
EDIT: false. I think about parity...

at 0x8d: 0xca-i
i is command offset found at 0x05
 
Zuletzt bearbeitet:
language translation and .art images...

hello,

I am looking for some explanations on how to translate the tc300/pirelli firmware into french and flemmich.
Also looking for a way to change(edit) the images in the firmware, these images are .art files.

I have tried many editors (even alchemy) and i didn't find and editor art capable.

Thanks,

Olivier
 
Hi,

is this software available for download somewhere?

Thanks in advance,

Hans-Christian Armingeon
 
I meant, is the linux software from legolas_vef anywhere available.
 
ask in the french forums at freephonie.org

but rather nothing available, the protocol of the proprietary window$ utility hasnt been reverse engineered yet.
 
there's a config file parameter TtyAlwaysOn=0 in the main ini file, maybe setting =1 activates a terminal service on the usbserial connection :) could somebody check it? just add the usb vid:pid 0489:e000 to the kernel supplied linux silabs usbserial driver code and attach a terminal to /dev/ttyUSB0 and see if there's some output.

kann mal jemand probieren TtyAlwaysOn=1 zu setzen in der firmware im hauptinifile?
ich glaube dann läuft ein terminaldienst auf dem TC300/Twintel usbserialport und wir können endlich eigene utility software schreiben :)

danke. ich kann grad nicht sonst muss ich wap/mms/mail konfig wieder eingeben :/
 
Zuletzt bearbeitet:
Holen Sie sich 3CX - völlig kostenlos!
Verbinden Sie Ihr Team und Ihre Kunden Telefonie Livechat Videokonferenzen

Gehostet oder selbst-verwaltet. Für bis zu 10 Nutzer dauerhaft kostenlos. Keine Kreditkartendetails erforderlich. Ohne Risiko testen.

3CX
Für diese E-Mail-Adresse besteht bereits ein 3CX-Konto. Sie werden zum Kundenportal weitergeleitet, wo Sie sich anmelden oder Ihr Passwort zurücksetzen können, falls Sie dieses vergessen haben.