Jan Kratochvil

 

MMS Center Debugging

This page describes a very simple but technically interesting hack: you can provide your own MMS Center (MMS = Multimedia Messaging Service) in a GSM network instead of the operator's one.

The only limitation is the bearer data service: MMS is usually run over GPRS (General Packet Radio Service) channels, but you cannot act as a GPRS callee in a GSM network. Fortunately, MMS can also be run over CSD (Circuit Switched Data, up to 14400bps) or HSCSD (High Speed CSD, up to 57600bps) services. GPRS is usually known as always-online, while with CSD/HSCSD you must dial a destination number. GPRS and CSD usually also have different GSM operator tariffs, but that should not matter much for short data messages.

I did not provide a complete MMS center of my own. I was involved in a pilot MMS Center project where some compatibility issues of the MMS message format between the MMS phone and the MMS center had to be solved. As I did not have technical access to the MMS center itself, I set up two mobile phones (Nokia Communicators) as a sniffing tunnel. One of the phones was set up in answer mode to simulate the MMS center while the other one called the real official (and buggy) MMS center, accessible as a regular service provided by the GSM operator.

MMS Sniffing Diagram

 

MMS Sniffing Mobiles Setup
Answer side pppd(8) command
pppd /dev/ttyS5 19200 modem lock crtscts connect "chat -vf /etc/ppp/answer-T68i.chat" \
		noauth debug nodefaultroute 192.168.192.67:192.168.192.68 default-asyncmap
	
Answer side /etc/ppp/answer-T68i.chat file
TIMEOUT 3 "" "ATZ" "OK-ATZ-OK" "" ABORT "BUSY" ABORT "NO CARRIER"
ABORT "NO DIAL TONE" ABORT "ERROR" ABORT "VOICE" REPORT CONNECT ""
ATL2 OK-ATL2-OK
AT+CBST=7,0,1;+DS=3,0,1300,32;+CR=1;+DR=1 OK
""
TIMEOUT 300
RING \d\d\d\d\d\dATA
CONNECT "" ^M ""
	
Dial side pppd(8) command
pppd /dev/ttyS4 19200 modem lock nocrtscts xonxoff connect "chat -vf /etc/ppp/mmsgate.chat" \
		noauth debug nodefaultroute
	
Dial side /etc/ppp/mmsgate.chat file
TIMEOUT 3 "" "ATZ" "OK-ATZ-OK" "" ABORT "BUSY" ABORT "NO CARRIER"
ABORT "NO DIAL TONE" ABORT "ERROR" ABORT "VOICE" REPORT CONNECT ""
#AT+CBST=7,0,1;+DS=3,0,1300,32;+CR=1;+DR=1 OK
ATD+420602900666
TIMEOUT 90 CONNECT "" ^M ""
	

Decoded data illustration

MMS Message Encapsulation
	Message-Type: m-retrieve-conf (0x84)
	Transaction-ID: PVve-6DaCUEAAC5qAAAAAQAAAEoAAAAA
	MMS-Version: 1.0
	Date: Aug 15, 2002 19:25:20.000000000
	From: +4206CENSORED/TYPE=PLMN
	Subject: testidD
	To: +4206CENSORED/TYPE=PLMN
	Message-Class: Informational (0x82)
	Delivery-Report: No (0x81)
	Content Type: application/vnd.wap.multipart.related (0x33)
		Type: application/smil
		Start: AAAA
	Multipart body
		Part: 1
			Content Type: application/smil
				Charset: us-ascii (0x0003)
			Headers
				Content-Location: AAAA
			Data in this part
		Part: 2
			Content Type: image/gif (0x1d)
			Headers
				Content-Location: postcard.gif
			Data in this part

Sony Ericsson T68i MMS definition file URL decoded out of the data stream above: http://wap.sonyericssonmobile.com/UAprof/T68R201.xml
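
The listing above is a dissector's view of the MMS PDU. As an added example (not code from the original page), this Python decoder reads the same header fields from raw bytes with bounds checks, using the field codes and value tokens of the OMA MMS encapsulation encoding. The sample PDU is constructed from the decoded values on this page, assuming the Date is UTC; the names parse_mms_headers, TID, ADDR and SAMPLE are hypothetical.

```python
# Added example: decode the MMS PDU header fields listed above; other field kinds raise.
ENUMS = {  # field code -> (name, value tokens)
    0x0C: ("Message-Type", {0x82: "m-notification-ind", 0x84: "m-retrieve-conf"}),
    0x0A: ("Message-Class", {0x80: "Personal", 0x81: "Advertisement", 0x82: "Informational", 0x83: "Auto"}),
    0x06: ("Delivery-Report", {0x80: "Yes", 0x81: "No"}),
}
TEXT = {0x18: "Transaction-ID", 0x16: "Subject", 0x17: "To"}

def parse_mms_headers(buf):
    """Return (headers, offset of the Content-Type field); ValueError if malformed."""
    hdr, pos = {}, 0
    while pos + 1 < len(buf):
        field, val = buf[pos] & 0x7F, buf[pos + 1]
        if not buf[pos] & 0x80:
            raise ValueError(f"expected well-known header code at offset {pos}")
        if field == 0x04:                      # Content-Type comes last; body follows
            return hdr, pos
        if field in ENUMS:                     # single-octet token value
            name, tokens = ENUMS[field]
            hdr[name] = tokens.get(val, f"unknown (0x{val:02x})")
            pos += 2
        elif field == 0x0D:                    # short-integer: 3-bit major, 4-bit minor
            hdr["MMS-Version"] = f"{(val >> 4) & 7}.{val & 15}"
            pos += 2
        elif field in TEXT:                    # plain NUL-terminated text-string form only
            end = buf.find(b"\x00", pos + 1)
            if end < 0:
                raise ValueError(f"unterminated string at offset {pos + 1}")
            hdr[TEXT[field]] = buf[pos + 1:end].decode("latin-1")
            pos = end + 1
        elif field in (0x05, 0x09):            # Date / From: one-octet length prefix
            body = buf[pos + 2:pos + 2 + val]
            if val > 30 or len(body) != val:   # reject lengths that overrun the buffer
                raise ValueError(f"bad value length at offset {pos + 1}")
            if field == 0x05:
                hdr["Date"] = int.from_bytes(body, "big")   # seconds since 1970
            else:                              # 0x80 = address present, else insert-address
                hdr["From"] = body[1:].rstrip(b"\x00").decode("latin-1") if body[:1] == b"\x80" else None
            pos += 2 + val
        else:
            raise ValueError(f"unsupported header 0x{buf[pos]:02x} at offset {pos}")
    raise ValueError("truncated PDU: no Content-Type header")

# Constructed sample built from the decoded values on this page (Date assumes UTC).
TID = b"PVve-6DaCUEAAC5qAAAAAQAAAEoAAAAA"
ADDR = b"+4206CENSORED/TYPE=PLMN\x00"
SAMPLE = (b"\x8c\x84\x98" + TID + b"\x00\x8d\x90\x85\x04\x3d\x5c\x00\x20\x89"
          + bytes([len(ADDR) + 1]) + b"\x80" + ADDR + b"\x96testidD\x00\x97" + ADDR
          + b"\x8a\x82\x86\x81\x84\xb3")  # Content-Type parameters and body omitted
```

Calling parse_mms_headers(SAMPLE) returns the header dictionary and the offset at which the Content-Type field starts; truncated or over-long values raise ValueError instead of being read past the end of the buffer.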
