Editing N900 GPS Reverse Engineering

Latest revision Your text
Line 1: Line 1:
-
acquire packets like:
 
-
strace -p $(pidof location-daemon) -e read=6 2>&1|grep '| 000'
 
-
 
-
alternatively you can capture them from the network interface, but this will include other modem information:
 
-
tcpdump -i phonet0 -s 0 -w phonet.cap
 
-
 
-
== Packet Graph ==
 
-
 
  | 00000  00 92 01 00 00 00 00 xx  05 00 00 00 09 03 00 10
  | 00000  00 92 01 00 00 00 00 xx  05 00 00 00 09 03 00 10
-
           S------------------- T4  DL S-------------------
+
           S------------------- DL S----------------------
  | 00010  07 da 07 15 00 xx xx 00  xx xx 00 00 09 02 00 1c
  | 00010  07 da 07 15 00 xx xx 00  xx xx 00 00 09 02 00 1c
           S------------- TL TS --        S----------------
           S------------- TL TS --        S----------------
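Review bot: The "+" side drops the two capture commands at the top of this hunk (strace on location-daemon, tcpdump on phonet0) and the "== Packet Graph ==" heading, so the hex dump that follows no longer says how it was obtained or what it is; keep those lines. In the annotation row under offset 00000 the T4 marker is removed and DL moves onto the "xx" byte, which changes which byte is described as varying; that relabelling needs a capture to back it rather than being folded into an undo.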
Line 16: Line 8:
             S- DL TS---    DL MS  S---------- track SS---
             S- DL TS---    DL MS  S---------- track SS---
  | 00040  xx xx 00 xx xx xx 00 xx  00 xx 00 00 09 05 00 74
  | 00040  xx xx 00 xx xx xx 00 xx  00 xx 00 00 09 05 00 74
-
           DL--- S-    TL    S- DS  S- DS S------------- DL
+
           DL--- S-    TL    S- DS  S- DS S----------------
  | 00050  09 00 00 00 00 02 xx xx  00 xx xx xx xx xx 00 00
  | 00050  09 00 00 00 00 02 xx xx  00 xx xx xx xx xx 00 00
-
           DL S---------- T4--- MS  S- TS--- I  TS MI S----
+
           S---------------- DL MS  S- TS--- I  TS MI S----
  | 00060  00 04 xx xx xx xx xx xx  xx xx 00 00 00 xx xx xx
  | 00060  00 04 xx xx xx xx xx xx  xx xx 00 00 00 xx xx xx
-
           S- T4 T3 TS S- TL TS MS  TS MD S------- T4 TS---
+
           S---- T3 TS S- TL TS MS  TS MD S------- DL TS---
  | 00070  00 xx xx xx xx xx 00 00  00 xx xx xx 00 03 xx xx
  | 00070  00 xx xx xx xx xx 00 00  00 xx xx xx 00 03 xx xx
-
           S- TS--- I  TS MS S-------- T3 MS MS S- DL TS MS
+
           S- TS--- I  TS MS S-------- T3 MS MS S---- TS MS
  | 00080  xx xx 00 00 00 xx xx xx  00 xx xx xx xx xx 00 00
  | 00080  xx xx 00 00 00 xx xx xx  00 xx xx xx xx xx 00 00
           TS MD S------- T3 TS MS  S- TS--- MS TS MI S----
           TS MD S------- T3 TS MS  S- TS--- MS TS MI S----
  | 00090  00 xx xx xx 00 03 xx xx  xx xx 00 00 00 xx xx xx
  | 00090  00 xx xx xx 00 03 xx xx  xx xx 00 00 00 xx xx xx
-
           S- TS------ S- DL TS MD  TS MS S------- TS SS+TS
+
           S- TS------ S---- TS MD  TS MS S------- TS SS+TS
  | 000a0  00 xx xx xx xx xx 00 00  00 xx xx xx 00 xx xx xx
  | 000a0  00 xx xx xx xx xx 00 00  00 xx xx xx 00 xx xx xx
           S- TL TS MS TS MD S-------- TS------ S- TL TS MI
           S- TL TS MS TS MD S-------- TS------ S- TL TS MI
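Review bot: The annotation rows for offsets 00040 to 00090 treat the former T4 and DL markers inconsistently on the "+" side: at 00060 "S- T4 T3 TS" becomes "S---- T3 TS" (T4 turned into static) while later in the same row "S------- T4 TS---" becomes "S------- DL TS---" (T4 turned into DL), and at 00070 and 00090 "S- DL" becomes "S----". Bytes previously recorded as varying end up marked static with no supporting observation; keep the "-" rows, or relabel every T4 the same way and say why.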
Line 32: Line 24:
           TS--- S------- TS--- MS  S- TS--- MI TS MS S----
           TS--- S------- TS--- MS  S- TS--- MI TS MS S----
  | 000c0  09 08 00 0c xx xx xx xx  xx xx xx xx
  | 000c0  09 08 00 0c xx xx xx xx  xx xx xx xx
-
           DL----------------------------------
+
           S---------- DL----------------------
-
B9 BE 67 48 2D 08 AC 08 CC AF 0A EC 49 B5 C8 08 A8 0C 49 49 95 75 4C E8 8C 84 6B 8E EC 29 78 10 10 44 00 18 EF 8E EC 48 91 10 04 EA 18 EA 8E 8C A7 11 FE
 
-
 
-
=== Key ===
 
*S = Static, unchanging normally
*S = Static, unchanging normally
*MS = Mostly static, varying in value normally slightly
*MS = Mostly static, varying in value normally slightly
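Review bot: The "+" side removes the "=== Key ===" heading, which leaves the legend entries (S, MS, ...) sitting directly under the dump with no title; keep the heading. The 000c0 annotation change to "S---------- DL----" is reasonable on its own, since it separates the leading 09 08 00 0c bytes from the varying payload, but the hex line beginning "B9 BE 67 48" is deleted without any statement of what it was; either label it or note why it goes.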
Line 47: Line 36:
*TL = Time-sensitive, longer duration
*TL = Time-sensitive, longer duration
*T3 = "
*T3 = "
-
*T4 = ", overnight
 
*DS = Distance-sensitive; changes over at least 30m distance
*DS = Distance-sensitive; changes over at least 30m distance
-
*DL = Distance-sensitive, like across the world
+
*DL = Distance-sensitive, like across the world; TEMP; *or* T4
-
== Packet Analysis ==
+
*19,1a = 0000-e678 (hex)
-
*??? = mode: The mode of the fix
+
*20 =  
-
*??? = fields: A bitfield representing which items of this tuple contain valid data
+
*22,23 =  
-
*00 = ISI sequence ID (seems to be always 0 for GPS)
+
-
*01 = GPS Data Opcode (0x92)
+
-
*10,11 = time year
+
-
*12 = time month
+
-
*13 = time day
+
-
*15 = time hour
+
-
*16 = time minute
+
-
*18,19 = time seconds and milliseconds (in milliseconds)
+
-
*1a,1b = *probably* ept: Time accuracy, but *always* 0, so no way to verify
+
-
*20,21,22,23 = latitude / 360 * 256*256*256*256
+
-
*24,25,26,27 = longitude / 360 * 256*256*256*256
+
*28 =
*28 =
*2b,2c = 0590-12a9 (hex)
*2b,2c = 0590-12a9 (hex)
*2e,2f = eph (cm)
*2e,2f = eph (cm)
*30 =
*30 =
-
*32,33,,36,37 = altitude; ((p32;33) - (p36;37)) / 2 = meters
+
*35 =  
-
*(34?,)35 = (double epv: Vertical position accuracy) * 2
+
*3c,3d = track: Direction of motion in hundredths of a degree
*3c,3d = track: Direction of motion in hundredths of a degree
*3e,3f = epd: Track accuracy (in hundredths?)
*3e,3f = epd: Track accuracy (in hundredths?)
-
*42,43 = speed, in centimetres per second
+
*43 =
-
*44,45 = eps: speed accuracy, in centimetres per second
+
*45 =
-
*46,47 = climb: Current rate of climb in cm/s
+
-
*48,4a = epc: Climb accuracy, in cm/s
+
-
 
+
-
== Protocol Details ==
+
-
 
+
-
NOTE: I am counting octets based on zero.
+
-
 
+
-
The actual packets are comprised of "sub-packets".
+
-
The overall packet has a 12 byte header.
+
-
The number of sub-packets is located at octet 8 (and possibly little-endian extended to octet 11).
+
-
 
+
-
Each subpacket has a 4 byte header:
+
-
* Octet 0 is always 9
+
-
* Octet 1 is the subpacket type
+
-
* Octet 2 is always 0
+
-
* Octet 3 is the length of the subpacket (which includes the subpacket header itself)
+
-
 
+
-
Subpacket 2 contains position information:
+
-
* Octets 0-3 are the latitude
+
-
* Octets 4-7 are the longitude
+
-
* Octets 12-15 are "eph" (in centimetres)
+
-
* Octets 18-23 are the altitude (and accuracy information)
+
-
 
+
-
Subpacket 3 contains date and time information:
+
-
* Octets 0-1 are the year
+
-
* Octet 2 is the month
+
-
* Octet 3 is the day of month
+
-
* Octet 5 is the hour
+
-
* Octet 6 is the minute
+
-
* Octets 8-9 are milliseconds (including seconds)
+
-
* Octets 10-11 are the time accuracy
+
-
 
+
-
Subpacket 4 contains information on track, speed, and climb:
+
-
* Octets 0-1 are track (direction of motion) in cm/sec
+
-
* Octets 2-3 are the track accuracy
+
-
* Octets 6-7 are the speed in cm/sec
+
-
* Octets 8-9 are speed accuracy
+
-
* Octets 8-11 are climb in cm/sec
+
-
* Octets 12-13 are climb accuracy
+
-
 
+
-
Subpacket 5 contains satellite information:
+
-
* Octet 0 is the number of sats visible
+
-
* Beginning with octet 8, there are series of 12-octet info for each sat visible:
+
-
** Octet 1 is the PRN
+
-
** Octet 2 is 1 if the sat is being used, and 0 otherwise
+
-
** Octets 3-4 are the signal strength
+
-
** Octets 6-7 are the elevation
+
-
** Octets 8-9 are the azimuth
+
-
 
+
-
Subpacket 7 contains information on the GSM cellular network:
+
-
** Octets 0-1 contain the Mobile Country Code
+
-
** Octets 2-3 contain the Mobile Network Code
+
-
** Octets 4-5 contain the Location Area Code
+
-
** Octets 6-7 contain the Cell ID
+
-
 
+
-
Subpacket 8 contains information on the WCDMA cellular network:
+
-
** Octets 0-1 contain the Mobile Country Code
+
-
** Octets 2-3 contain the Mobile Network Code
+
-
** Octets 4-7 contain the UC ID
+
-
 
+
-
== Wireshark ==
+
-
 
+
-
[[User:sre|Sebastian Reichel]] writes a lowlevel library to access the N900's modem features and a wireshark plugin to analyze the packages. The information from above is currently only included in the Wireshark Plugin:
+
-
 
+
-
* [http://elektranox.org/n900/images/wireshark/04.png Screenshot]
+
-
* [https://git.ring0.de/isi-wireshark-plugin/ Plugin]
+
-
 
+
-
[http://maemo.org/profile/view/luke-jr Luke Dashjr] wrote small program in C which show GPS data from phonet modem stack.
+
-
 
+
-
* [http://luke.dashjr.org/tmp/code/gps2.c gps2.c]
+
-
 
+
-
[[Category:N900 Hardware]]
+
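Review bot: The "+" side of this hunk replaces decoded field entries with empty ones ("*20 =", "*22,23 =", "*43 =", "*45 =") and deletes the whole of Packet Analysis, Protocol Details and Wireshark plus the category tag, which discards the documented offsets for time, latitude/longitude, altitude, speed and climb without replacing them; drop the removal or justify it. The key change that folds T4 into DL as "TEMP; *or* T4" also makes DL mean two different things and should stay as separate entries. If the "-" text is kept, two of its entries need correcting: Subpacket 4 gives octets 0-1 as track "in cm/sec" while the analysis list gives track in hundredths of a degree, and "Octets 8-9 are speed accuracy" overlaps "Octets 8-11 are climb".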
