N900 GPS Reverse Engineering

acquire packets like: 

strace -p $(pidof location-daemon) -e read=6 2>&1|grep '| 000'

alternatively you can capture them from the network interface, but this will include other modem information: 

tcpdump -i phonet0 -s 0 -w phonet.cap

عملية تصحيح النظر بالليزر هو اجراء جراحى نقوم به لتحسين وتصحيح النظر مما يقلل من استخدام المريض للنظارات او العدسات اللاصقه 

عملية تصحيح طول النظر بالليزر

Packet Analysis

  • ??? = mode: The mode of the fix
  • ??? = fields: A bitfield representing which items of this tuple contain valid data
  • 00 = ISI sequence ID (seems to be always 0 for GPS)
  • 01 = GPS Data Opcode (0x92)
  • 10,11 = time year
  • 12 = time month
  • 13 = time day
  • 15 = time hour
  • 16 = time minute
  • 18,19 = time seconds and milliseconds (in milliseconds)
  • 1a,1b = *probably* ept: Time accuracy, but *always* 0, so no way to verify
  • 20,21,22,23 = latitude / 360 * 256*256*256*256
  • 24,25,26,27 = longitude / 360 * 256*256*256*256
  • 28 =
  • 2b,2c = 0590-12a9 (hex)
  • 2e,2f = eph (cm)
  • 30 =
  • 32,33,,36,37 = altitude; ((p32;33) - (p36;37)) / 2 = meters
  • (34?,)35 = (double epv: Vertical position accuracy) * 2
  • 3c,3d = track: Direction of motion in hundredths of a degree
  • 3e,3f = epd: Track accuracy (in hundredths?)
  • 42,43 = speed, in centimetres per second
  • 44,45 = eps: speed accuracy, in centimetres per second
  • 46,47 = climb: Current rate of climb in cm/s
  • 48,4a = epc: Climb accuracy, in cm/s

Protocol Details

NOTE: I am counting octets based on zero.

The actual packets are comprised of "sub-packets". The overall packet has a 12 byte header. The number of sub-packets is located at octet 8 (and possibly little-endian extended to octet 11).

Each subpacket has a 4 byte header:

  • Octet 0 is always 9
  • Octet 1 is the subpacket type
  • Octet 2 is always 0
  • Octet 3 is the length of the subpacket (which includes the subpacket header itself)

Subpacket 2 contains position information:

  • Octets 0-3 are the latitude
  • Octets 4-7 are the longitude
  • Octets 12-15 are "eph" (in centimetres)
  • Octets 18-23 are the altitude (and accuracy information)

Subpacket 3 contains date and time information:

  • Octets 0-1 are the year
  • Octet 2 is the month
  • Octet 3 is the day of month
  • Octet 5 is the hour
  • Octet 6 is the minute
  • Octets 8-9 are milliseconds (including seconds)
  • Octets 10-11 are the time accuracy

Subpacket 4 contains information on track, speed, and climb:

  • Octets 0-1 are track (direction of motion) in cm/sec
  • Octets 2-3 are the track accuracy
  • Octets 6-7 are the speed in cm/sec
  • Octets 8-9 are speed accuracy
  • Octets 8-11 are climb in cm/sec
  • Octets 12-13 are climb accuracy

Subpacket 5 contains satellite information:

  • Octet 0 is the number of sats visible
  • Beginning with octet 8, there are series of 12-octet info for each sat visible:
    • Octet 1 is the PRN
    • Octet 2 is 1 if the sat is being used, and 0 otherwise
    • Octets 3-4 are the signal strength
    • Octets 6-7 are the elevation
    • Octets 8-9 are the azimuth

Subpacket 7 contains information on the GSM cellular network:

    • Octets 0-1 contain the Mobile Country Code
    • Octets 2-3 contain the Mobile Network Code
    • Octets 4-5 contain the Location Area Code
    • Octets 6-7 contain the Cell ID

Subpacket 8 contains information on the WCDMA cellular network:

    • Octets 0-1 contain the Mobile Country Code
    • Octets 2-3 contain the Mobile Network Code
    • Octets 4-7 contain the UC ID

Wireshark

Sebastian Reichel writes a lowlevel library to access the N900's modem features and a wireshark plugin to analyze the packages. The information from above is currently only included in the Wireshark Plugin:

Luke Dashjr wrote small program in C which show GPS data from phonet modem stack.

Retrieved from "http://bugs.maemo.org/N900_GPS_Reverse_Engineering"