    Help: Extract SMS data from N97

Postby filamai » 22 Mar 2011, 06:25


Hi,

I've been trying to understand the binary data format of the SMS data stored in the phone. These files are located in C:\Private\1000484b/Mail2/00001001_S directory.


I did some experiments to uncover the format of the data. Below is an example one such file:
filamai@redmine:tmp-10/Private/1000484b/Mail2/00001001_S/d$ xxd 0010001d

0000000: 683c 0010 683c 0010 0000 0000 4b8e 8d00 h<..h<......K...
0000010: 0870 0f00 10da 0400 0000 1e3a 0010 6300 .p.........:..c.
0000020: 0010 0000 0000 1f3a 0010 0000 0000 6600 .......:......f.
0000030: 0010 0000 0000 253a 0010 1e43 6174 6368 ......%:...Catch
0000040: 5468 6550 6174 7465 6e0e 2029 3418 0010 ThePatten. )4...
0000050: 2505 0100 0100 0000 0200 0100 0000 0000 %...............
0000060: 0000 0000 0000 b093 420c b31b df00 2039 ........B..... 9
0000070: 3632 3339 3539 3124 6969 6969 2070 7070 6239591$AAAA BBB
0000080: 6416 0000 0000 0200 0000 0203 e907 0001 d...............
0000090: 0000 0016 0000 0063 8887 0bb3 1bdf 0002 .......c........
00000a0: 912c 2b36 3539 3631 3937 3737 3715 0081 .,+6596197777...
00000b0: 2039 3632 3939 3939 3100 00a0 b009 0000 96299991.......
00000c0: 0000 0002 0000 0000 0000 0000 0000 0000 ................
00000d0: 0400 0000 0000 0000 0000 0000 0000 0000 ................
00000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000f0: 0000 0000 0000 edb0 1f10 ed04 1300 0000 ................
0000100: 0000 0002 0000 0000 0000 0000 0080 0000 ................
0000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000120: 0000 0081 0000 0000 0000 0081 0000 0081 ................
0000130: 0000 0000 0000 0002 0000 0000 0000 0000 ................
0000140: 0000 0000 0200 0000 0080 0200 00e0 0100 ................
0000150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000190: 0000 0000 0000 0000 000a b000 2042 0000 ............B..
00001a0: 0000 0002 0000 0002 0000 0000 0000 ..............

So far I've uncovered the following:
1) At offset 0x3a, the byte value 0x1e refers to the number of bytes in the message plus the length marker itself.
2) At offset 0x66, the 7-byte value (b093 420c b31b df) refers to the time the SMS is sent. I think that the format is little-endian, so the correct value is 0xdf1bb30c93b0. I've read that for Nokia phones this time is the number of microseconds since 0 AD. I've not verified this.

My questions are:
1) Has anyone figured out the exact format structure used in these files?
2) I understand there is also an index file which stores data about SMS. I would like to know whether there is a structured format for each entry.

My aim here is to extract important information (such as the timestamp, sender, receiver and message) from N97 phones.

Any comments would be much appreciated.


Rookie

Posts: 2

Joined: 26 Aug 2010, 18:20

Phone model: N97

Postby wook » 22 Mar 2011, 10:28


I think that these files contain a Unix timestamp.
I can help you reverse it, but I think that reversing the index will be a bit tough, because when I tried to RCE this, it looked like random... or something like that.
A few nights ago, I tried to send an SMS and it got stuck in the outbox; I wasn't able to delete it until I deleted its context, then went to the outbox and saw this SMS "present". So, to add an SMS we must figure out how to reverse the index in the first place, then how to do more.

Nice topic ;)
N9 | N900 | E7 | N97 mini
my dArt
_________________
wook!
.: [ VIP ]:.

Posts: 11893

Joined: 01 Apr 2008, 13:31

Location: rajvoSa.ba

Phone model: N9, E7 & C6-01, N97 mini, 6630

Firmware: 1.2,PR2.1,PR 1.1,v12.0.110,6.03.40



Postby filamai » 23 Mar 2011, 11:07


Hi Wook,
Thanks for the response. I agree with you that the index file is tough to reverse engineer. But based on my observation, some parts of the entries in the index file are related to the individual SMS files stored in ~\Private\1000484b/Mail2/00001001_S.

My work involves more digital forensics stuff. So, I'm focusing my effort on this kind of file because when an SMS is deleted, I can do an acquisition of the deleted data and perform some extraction to get the timestamp, message, etc.

I've noticed that the first 32 bytes of these files differ when:
1) The message length is different.
2) The SMS is sent rather than received.

There are so many variables. If only there were a way to know the structure of this binary data through some documentation.

Postby wook » 23 Mar 2011, 11:29


:) nice to have you here:)
I will do some research on this, but I can't promise you anything.



Postby whoIS » 24 Aug 2011, 13:18


Hi All,

I'm also trying to reverse SMS format. All my messages were lost.
And I try to extract them from the image of the flash drive.

For now I cannot understand how Cyrillic messages are encoded, and what the format of the date is.

Does anybody have an idea of how it could be encoded?

Regards
Rookie

Posts: 1

Joined: 24 Aug 2011, 12:49

Phone model: Nokia 5230

Postby vzakharov » 05 Jan 2012, 08:49


The Cyrillic encoding is 8859-5 (Windows codepage 28595).

As for the timestamp, I haven't figured it out yet, but it's definitely not at 0x66 (at least in my case); in some files I have message text at this position.
Rookie

Posts: 3

Joined: 05 Jan 2012, 08:45

Postby vzakharov » 05 Jan 2012, 09:12


Ok, got it partly. Can't figure out how to tell the exact position of the timestamp, but its format is actually little-endian counting in microseconds from January 1, 0 AD; takes 7 bytes in total. I'm quite sure about that, tested on several messages and got true dates.

Although, as I already said, I don't know how to tell the exact position, it's useful to know that for all dates after Nov 27, 2006, this timestamp starts (i.e. "ends" for little-endian) with 0xE1.

PS. To convert Symbian timestamp to Unix timestamp, you need to do the following simple calculation: unix_timestamp = (symbian_timestamp/1000000 - 62167233600), correct me if I'm wrong.

Postby vzakharov » 05 Jan 2012, 09:15


Oops. Everything I've written above relates to the Nokia 5800, so maybe it's of no use to you, but anyway.
