Archive for March, 2008

Treo SMS receipts (solved)

March 16, 2008 Leave a comment

Treo SMS receipts are a missing option from the 2.12 ROW ROM when using T-Mobile.
I’d like the option of having them but here’s why we don’t get to :

a) nexter.prc calls CarrierCustomisation.lib to get the options list.
(PmCarrierCustomisation.prc) CarrierCustomisation.prc lives in ROM, on a even a soft-reset it extracts and overwrites any existing CarrierProfiles2 (CarrierDB ver 561 in the case of the 2.12ROW) and NetworkProfiles2 from itself. These two files then live in RAM.
CarrierProfiles2 stores settings keyed on MNC,MCC pairs :
234,10 = O2
234,15 = Vodafone
234,30 = T-Mobile
234,31 = T-Mobile (also)
234,33 = Orange
The options follow as a comma separated list. For CarrierDB ver 561, T-Mobiles entries are as follows :

234,30,1,,>j,,,,,,,,,,,,,,,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,?bgl,?bgl,,0,:gkg,:gkg,,0,,,,,,,,,,,,,,,,,0,0,0,=ke,=hj,0,,,3a`,5b,,,8#z^smws'uB,1,0,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,,,3a`,5b,1,0,O_
234,31,1,,8c,,,,,,,,,,,,,,,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,8bde,8bde,,0,,,,,,,,,,,,,,,,,,,,,0,0,0,=ke,=hj,0,,,3a`,5b,9$%(@DC4tplw<3t?E$,,8#z^smws'uB,1,0,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,,,3a`,5b,1,0,O_

d) One of the comma separated options above is spoiling our fun. But which one ?
Based on the fact we know field 19 is very probably ““, we’re looking at an encrypted string. It’s not an XOR, and though I know it’s a substitution cipher it’s not a straightforward one as different characters are being encoded to the same crypt-character.
This may not matter though as we could just take the CarrierProfiles2 file from a CarrierDB where SMS-Receipts are enabled for T-Mobile and compare and replace the values.
There are 72 values, though many are empty, a comparison of working CarrierDBs should reveal what field contains our grail.
Comparison of CarrierDB 292 and 561 shows fields 21, 64 and 72 are different.
Comparison of CarrierDB 292 and 549 shows fields 21, 64 and 72 are different.
234,30 and 234,31 are resource indexes 41 and 42 in CarrierProfiles2.
Modifying values in CarrierProfiles2.pdb makes no difference, perhaps they are cached on boot somewhere ?
Solution : Copy working CarrierCustomisation.prc version 549 into RAM, it survives resets and will extract a good CarrierProfiles2 into RAM. Use Resco Explorer or similar to copy from SD Card to RAM, Filez will not work properly.
Now that the RAM copy will extract a version of CarrierProfiles2 after each reset, we can edit the MNC/MCC keyed lists in it and see if there are other useful things we can enable.

Interesting links :
CarrierCustomization.prc containing CarrierProfiles2 version 549.

Tags: , ,