N900 GPS Reverse Engineering

Revision as of 13:46, 15 February 2022

acquire packets like:

strace -p $(pidof location-daemon) -e read=6 2>&1|grep '| 000'

alternatively you can capture them from the network interface, but this will include other modem information:

tcpdump -i phonet0 -s 0 -w phonet.cap

1 Packet Graph
- 1.1 Key
2 Packet Analysis
3 Protocol Details
4 Wireshark

Packet Graph

| 00000  00 92 01 00 00 00 00 xx  05 00 00 00 09 03 00 10
         S------------------- T4  DL S-------------------
| 00010  07 da 07 15 00 xx xx 00  xx xx 00 00 09 02 00 1c
         S------------- TL TS --        S----------------
| 00020  xx xx xx xx xx xx xx xx  00 00 xx xx 00 00 08 8b
         DL---       DL--- TS     S----       S---- ^eph^
| 00030  xx 00 xx xx xx xx xx xx  09 04 00 14 62 7e xx xx
            S- DL TS---    DL MS  S---------- track SS---
| 00040  xx xx 00 xx xx xx 00 xx  00 xx 00 00 09 05 00 74
         DL--- S-    TL    S- DS  S- DS S------------- DL
| 00050  09 00 00 00 00 02 xx xx  00 xx xx xx xx xx 00 00
         DL S---------- T4--- MS  S- TS--- I  TS MI S----
| 00060  00 04 xx xx xx xx xx xx  xx xx 00 00 00 xx xx xx
         S- T4 T3 TS S- TL TS MS  TS MD S------- T4 TS---
| 00070  00 xx xx xx xx xx 00 00  00 xx xx xx 00 03 xx xx
         S- TS--- I  TS MS S-------- T3 MS MS S- DL TS MS
| 00080  xx xx 00 00 00 xx xx xx  00 xx xx xx xx xx 00 00
         TS MD S------- T3 TS MS  S- TS--- MS TS MI S----
| 00090  00 xx xx xx 00 03 xx xx  xx xx 00 00 00 xx xx xx
         S- TS------ S- DL TS MD  TS MS S------- TS SS+TS
| 000a0  00 xx xx xx xx xx 00 00  00 xx xx xx 00 xx xx xx
         S- TL TS MS TS MD S-------- TS------ S- TL TS MI
| 000b0  xx xx 00 00 00 xx xx xx  00 xx xx xx xx xx 00 00
         TS--- S------- TS--- MS  S- TS--- MI TS MS S----
| 000c0  09 08 00 0c xx xx xx xx  xx xx xx xx
         DL----------------------------------

B9 BE 67 48 2D 08 AC 08 CC AF 0A EC 49 B5 C8 08 A8 0C 49 49 95 75 4C E8 8C 84 6B 8E EC 29 78 10 10 44 00 18 EF 8E EC 48 91 10 04 EA 18 EA 8E 8C A7 11 FE

Key

S = Static, unchanging normally
MS = Mostly static, varying in value normally slightly
SS = Sometimes static, completely different values sometimes
I = Incrementing
MI = Incrementing, but not every packet
D = Decrementing
MD = Decrementing, but not every packet
TS = Time-sensitive; changes over (short) durations of time
TL = Time-sensitive, longer duration
T3 = "
T4 = ", overnight
DS = Distance-sensitive; changes over at least 30m distance
DL = Distance-sensitive, like across the world

Packet Analysis

??? = mode: The mode of the fix
??? = fields: A bitfield representing which items of this tuple contain valid data
00 = ISI sequence ID (seems to be always 0 for GPS)
01 = GPS Data Opcode (0x92)
10,11 = time year
12 = time month
13 = time day
15 = time hour
16 = time minute
18,19 = time seconds and milliseconds (in milliseconds)
1a,1b = *probably* ept: Time accuracy, but *always* 0, so no way to verify
20,21,22,23 = latitude / 360 * 256*256*256*256
24,25,26,27 = longitude / 360 * 256*256*256*256
28 =
2b,2c = 0590-12a9 (hex)
2e,2f = eph (cm)
30 =
32,33,,36,37 = altitude; ((p32;33) - (p36;37)) / 2 = meters
(34?,)35 = (double epv: Vertical position accuracy) * 2
3c,3d = track: Direction of motion in hundredths of a degree
3e,3f = epd: Track accuracy (in hundredths?)
42,43 = speed, in centimetres per second
44,45 = eps: speed accuracy, in centimetres per second
46,47 = climb: Current rate of climb in cm/s
48,4a = epc: Climb accuracy, in cm/s

Protocol Details

NOTE: I am counting octets based on zero.

The actual packets are comprised of "sub-packets". The overall packet has a 12 byte header. The number of sub-packets is located at octet 8 (and possibly little-endian extended to octet 11).

Each subpacket has a 4 byte header:

Octet 0 is always 9
Octet 1 is the subpacket type
Octet 2 is always 0
Octet 3 is the length of the subpacket (which includes the subpacket header itself)

Subpacket 2 contains position information:

Octets 0-3 are the latitude
Octets 4-7 are the longitude
Octets 12-15 are "eph" (in centimetres)
Octets 18-23 are the altitude (and accuracy information)

Subpacket 3 contains date and time information:

Octets 0-1 are the year
Octet 2 is the month
Octet 3 is the day of month
Octet 5 is the hour
Octet 6 is the minute
Octets 8-9 are milliseconds (including seconds)
Octets 10-11 are the time accuracy

Subpacket 4 contains information on track, speed, and climb:

Octets 0-1 are track (direction of motion) in cm/sec
Octets 2-3 are the track accuracy
Octets 6-7 are the speed in cm/sec
Octets 8-9 are speed accuracy
Octets 8-11 are climb in cm/sec
Octets 12-13 are climb accuracy

Subpacket 5 contains satellite information:

Octet 0 is the number of sats visible
Beginning with octet 8, there are series of 12-octet info for each sat visible:
- Octet 1 is the PRN
- Octet 2 is 1 if the sat is being used, and 0 otherwise
- Octets 3-4 are the signal strength
- Octets 6-7 are the elevation
- Octets 8-9 are the azimuth

Subpacket 7 contains information on the GSM cellular network:

- Octets 0-1 contain the Mobile Country Code
- Octets 2-3 contain the Mobile Network Code
- Octets 4-5 contain the Location Area Code
- Octets 6-7 contain the Cell ID

Subpacket 8 contains information on the WCDMA cellular network:

- Octets 0-1 contain the Mobile Country Code
- Octets 2-3 contain the Mobile Network Code
- Octets 4-7 contain the UC ID

Wireshark

Sebastian Reichel writes a lowlevel library to access the N900's modem features and a wireshark plugin to analyze the packages. The information from above is currently only included in the Wireshark Plugin:

Luke Dashjr wrote small program in C which show GPS data from phonet modem stack.

gps2.c

Retrieved from "https://wiki.maemo.org/N900_GPS_Reverse_Engineering"

Category: N900 Hardware

Personal tools

Navigation

Views