So far I've uncovered the following: 1) At offset 0x3a, the byte value 0x1e refers to the number of bytes in the message plus the length marker itself. 2) At offset 0x66, the 7-byte value (b093 420c b31b df) refers to the time the SMS is sent. I think that the format is little-endian, so the correct value is 0xdf1bb30c93bo. I've read that for Nokia phones, this time is the number of microseconds since 0 AD. I've not verified this.
My questions are: 1) Has anyone figured out the exact format structure used in these files? 2) I understand there is also an Index file which stores data about SMS. I would like to know whether there is a structured format for each entry.
My aim here is to extract important information (such as the timestamp, sender, receiver and message) from N97 phones.
I think that these files contain a Unix timestamp. I can help you with reversing it, but I think that reversing the index will be a bit tough, because when I tried to RCE this, it looked like random... or something like that. A few nights ago, I tried to send an SMS and it got stuck in the outbox. I wasn't able to delete it until I deleted its context, then went to the outbox and saw this SMS "present". So, to add an SMS we must figure out how to reverse the index in the first place, then how to do more.
N9 | N900 | E7 | N97 mini my dArt _________________ wook!
Hi Wook, Thanks for the response. I agree with you that the index file is tough to reverse engineer. But based on my observation, some parts of the entries in the index file are related to the individual SMS files stored in ~\Private\1000484b/Mail2/00001001_S.
My work involves more digital forensics stuff. So, I'm focussing my effort on this kind of file because when an SMS is deleted, I can do an acquisition of the deleted data and perform some extraction to get the timestamp, msg, etc.
I've noticed that the first 32 bytes of these files differ when: 1) Message length is different. 2) Whether the SMS is sent or received.
There are so many variables. If only there was a way to know the structure of this binary data through some documentation.
Ok, got it partly. Can't figure out how to tell the exact position of the timestamp, but its format is actually little-endian counting in microseconds from January 1, 0 AD; takes 7 bytes in total. I'm quite sure about that, tested on several messages and got true dates.
Although, as I already said, I don't know how to tell the exact position, it's useful to know that for all dates after Nov 27, 2006, this timestamp starts (i.e. "ends" for little-endian) with 0xE1.
PS. To convert Symbian timestamp to Unix timestamp, you need to do the following simple calculation: unix_timestamp = (symbian_timestamp/1000000 - 62167233600), correct me if I'm wrong.
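Added example, not part of the thread and not any poster's code: a Python sketch of the approach the posts above describe, scanning a message file for 7-byte little-endian fields whose last byte is 0xE1 and converting each candidate to a date. The function names, the sample buffer and the UTC interpretation are assumptions; the default epoch offset is computed from calendar arithmetic (719528 days) and can be replaced with the constant from the post via `offset_s`.

```python
from datetime import datetime, timedelta, timezone

# Assumption: 719528 days separate 0000-01-01 and 1970-01-01 in the proleptic
# Gregorian calendar. The formula quoted in the thread uses 62167233600 instead;
# pass that value as offset_s to reproduce it.
EPOCH_OFFSET_S = 719528 * 86400
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def decode_field(raw7):
    """7-byte little-endian field -> microseconds since 0 AD."""
    if len(raw7) != 7:
        raise ValueError("expected exactly 7 bytes")
    return int.from_bytes(raw7, "little")

def to_datetime(us, offset_s=EPOCH_OFFSET_S):
    """Microseconds since 0 AD -> datetime (treated as UTC, an assumption)."""
    return UNIX_EPOCH + timedelta(microseconds=us - offset_s * 1_000_000)

def find_timestamps(blob, earliest, latest):
    """Return (offset, datetime) for every 7-byte window that ends in 0xE1
    and decodes to a time inside [earliest, latest]."""
    hits = []
    pos = blob.find(b"\xe1", 6)          # six lower-order bytes must precede it
    while pos != -1:
        when = to_datetime(decode_field(blob[pos - 6:pos + 1]))
        if earliest <= when <= latest:   # drops stray 0xE1 bytes in other fields
            hits.append((pos - 6, when))
        pos = blob.find(b"\xe1", pos + 1)
    return hits

# Constructed sample buffer, not taken from a real handset: one stray 0xE1
# byte at 0x10 and one encoded timestamp placed at offset 0x66.
SAMPLE = bytearray(0x80)
SAMPLE[0x10] = 0xE1
SAMPLE[0x66:0x6D] = bytes.fromhex("0022a26cd265e1")

if __name__ == "__main__":
    lo = datetime(2009, 1, 1, tzinfo=timezone.utc)
    hi = datetime(2012, 12, 31, tzinfo=timezone.utc)
    for off, when in find_timestamps(SAMPLE, lo, hi):
        print(f"0x{off:02x}  {when.isoformat()}")
```

The date window is what keeps the scan usable on real files: any 0xE1 byte produces a candidate, so bound it with the period the handset was in use.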