BFB Protocol

Used for serial cable connection to Siemens Mobile Equipment

(0) Disclaimer

It is possible to harm your mobile phone.
Use the information in this document at your own risk.

(1) Preface

This document is a result of many hours of studying the
Siemens Mobile Equipment BFB protocol
by the author, in an attempt to implement a way to access
Flex.Mem. Like all tools, this document
was born out of frustration with the lack of documention
available on the subject.

Though every attempt has been made to ensure the correctness
of this document, the author cannot make any guarantees as
to its accuracy.

(2) Transport encapsulation

[ type ][ len ][ chk ][ payload ]

Types are

Len is from 1 to max 32 for a max MTU of 35 bytes.

[Chk] equals to [type]XOR[len].

(3) OBEX encapsulation (transport type = 0x16)

[ cmd ][ chk ] for cmd 0x01

[ cmd ][ chk ][ seq ][ len16 ][ data… ][ crc16 ] for cmd 0x02 and 0x03.

Chk is ~cmd (bitwise not cmd)

Seq is 1 byte. TA increments, ME replies.

Len is 2 bytes in network byte order.

Data is an OBEX frame.

Crc16 is 2 bytes CCITT-CRC16 in network byte order. Rendered over the the whole packet except for cmd and chk.

(4) Conclusion

This seems to cover all the bits.
My test-implementation works great – YMMV.