• Intro
• Downloads
• Community
• Development
• News
• TALK

N900 GPS Reverse Engineering

Latest revision as of 19:08, 28 February 2025

acquire packets like:

strace -p $(pidof location-daemon) -e read=6 2>&1|grep '| 000'

alternatively you can capture them from the network interface, but this will include other modem information:

tcpdump -i phonet0 -s 0 -w phonet.cap

[edit] Packet Graph

| 00000  00 92 01 00 00 00 00 xx  05 00 00 00 09 03 00 10
         S------------------- T4  DL S-------------------
| 00010  07 da 07 15 00 xx xx 00  xx xx 00 00 09 02 00 1c
         S------------- TL TS --        S----------------
| 00020  xx xx xx xx xx xx xx xx  00 00 xx xx 00 00 08 8b
         DL---       DL--- TS     S----       S---- ^eph^
| 00030  xx 00 xx xx xx xx xx xx  09 04 00 14 62 7e xx xx
            S- DL TS---    DL MS  S---------- track SS---
| 00040  xx xx 00 xx xx xx 00 xx  00 xx 00 00 09 05 00 74
         DL--- S-    TL    S- DS  S- DS S------------- DL
| 00050  09 00 00 00 00 02 xx xx  00 xx xx xx xx xx 00 00
         DL S---------- T4--- MS  S- TS--- I  TS MI S----
| 00060  00 04 xx xx xx xx xx xx  xx xx 00 00 00 xx xx xx
         S- T4 T3 TS S- TL TS MS  TS MD S------- T4 TS---
| 00070  00 xx xx xx xx xx 00 00  00 xx xx xx 00 03 xx xx
         S- TS--- I  TS MS S-------- T3 MS MS S- DL TS MS
| 00080  xx xx 00 00 00 xx xx xx  00 xx xx xx xx xx 00 00
         TS MD S------- T3 TS MS  S- TS--- MS TS MI S----
| 00090  00 xx xx xx 00 03 xx xx  xx xx 00 00 00 xx xx xx
         S- TS------ S- DL TS MD  TS MS S------- TS SS+TS
| 000a0  00 xx xx xx xx xx 00 00  00 xx xx xx 00 xx xx xx
         S- TL TS MS TS MD S-------- TS------ S- TL TS MI
| 000b0  xx xx 00 00 00 xx xx xx  00 xx xx xx xx xx 00 00
         TS--- S------- TS--- MS  S- TS--- MI TS MS S----
| 000c0  09 08 00 0c xx xx xx xx  xx xx xx xx
         DL----------------------------------

B9 BE 67 48 2D 08 AC 08 CC AF 0A EC 49 B5 C8 08 A8 0C 49 49 95 75 4C E8 8C 84 6B 8E EC 29 78 10 10 44 00 18 EF 8E EC 48 91 10 04 EA 18 EA 8E 8C A7 11 FE

[edit] Key

• S = Static, unchanging normally
• MS = Mostly static, varying in value normally slightly
• SS = Sometimes static, completely different values sometimes
• I = Incrementing
• MI = Incrementing, but not every packet
• D = Decrementing
• MD = Decrementing, but not every packet
• TS = Time-sensitive; changes over (short) durations of time
• TL = Time-sensitive, longer duration
• T3 = "
• T4 = ", overnight
• DS = Distance-sensitive; changes over at least 30m distance
• DL = Distance-sensitive, like across the world

[edit] Packet Analysis

• ??? = mode: The mode of the fix
• ??? = fields: A bitfield representing which items of this tuple contain valid data
• 00 = ISI sequence ID (seems to be always 0 for GPS)
• 01 = GPS Data Opcode (0x92)
• 10,11 = time year
• 12 = time month
• 13 = time day
• 15 = time hour
• 16 = time minute
• 18,19 = time seconds and milliseconds (in milliseconds)
• 1a,1b = *probably* ept: Time accuracy, but *always* 0, so no way to verify
• 20,21,22,23 = latitude / 360 * 256*256*256*256
• 24,25,26,27 = longitude / 360 * 256*256*256*256
• 28 =
• 2b,2c = 0590-12a9 (hex)
• 2e,2f = eph (cm)
• 30 =
• 32,33,,36,37 = altitude; ((p32;33) - (p36;37)) / 2 = meters
• (34?,)35 = (double epv: Vertical position accuracy) * 2
• 3c,3d = track: Direction of motion in hundredths of a degree
• 3e,3f = epd: Track accuracy (in hundredths?)
• 42,43 = speed, in centimetres per second
• 44,45 = eps: speed accuracy, in centimetres per second
• 46,47 = climb: Current rate of climb in cm/s
• 48,4a = epc: Climb accuracy, in cm/s

[edit] Protocol Details

NOTE: I am counting octets based on zero.

The actual packets are comprised of "sub-packets". The overall packet has a 12 byte header. The number of sub-packets is located at octet 8 (and possibly little-endian extended to octet 11).

Each subpacket has a 4 byte header:

• Octet 0 is always 9
• Octet 1 is the subpacket type
• Octet 2 is always 0
• Octet 3 is the length of the subpacket (which includes the subpacket header itself)

Subpacket 2 contains position information:

• Octets 0-3 are the latitude
• Octets 4-7 are the longitude
• Octets 12-15 are "eph" (in centimetres)
• Octets 18-23 are the altitude (and accuracy information)

Subpacket 3 contains date and time information:

• Octets 0-1 are the year
• Octet 2 is the month
• Octet 3 is the day of month
• Octet 5 is the hour
• Octet 6 is the minute
• Octets 8-9 are milliseconds (including seconds)
• Octets 10-11 are the time accuracy

Subpacket 4 contains information on track, speed, and climb:

• Octets 0-1 are track (direction of motion) in cm/sec
• Octets 2-3 are the track accuracy
• Octets 6-7 are the speed in cm/sec
• Octets 8-9 are speed accuracy
• Octets 8-11 are climb in cm/sec
• Octets 12-13 are climb accuracy

Subpacket 5 contains satellite information:

• Octet 0 is the number of sats visible
• Beginning with octet 8, there are series of 12-octet info for each sat visible:
  • Octet 1 is the PRN
  • Octet 2 is 1 if the sat is being used, and 0 otherwise
  • Octets 3-4 are the signal strength
  • Octets 6-7 are the elevation
  • Octets 8-9 are the azimuth

Subpacket 7 contains information on the GSM cellular network:

• • Octets 0-1 contain the Mobile Country Code
  • Octets 2-3 contain the Mobile Network Code
  • Octets 4-5 contain the Location Area Code
  • Octets 6-7 contain the Cell ID

Subpacket 8 contains information on the WCDMA cellular network:

• • Octets 0-1 contain the Mobile Country Code
  • Octets 2-3 contain the Mobile Network Code
  • Octets 4-7 contain the UC ID

[edit] Wireshark

Sebastian Reichel writes a lowlevel library to access the N900's modem features and a wireshark plugin to analyze the packages. The information from above is currently only included in the Wireshark Plugin:

• Screenshot
• Plugin

Luke Dashjr wrote small program in C which show GPS data from phonet modem stack.

• gps2.c