maemo.org - Talk


jonwil 2013-09-09 04:01

Details of the N900 Cellular Services Daemon
 
This thread is intended to document as much as is known (or can be figured out through reverse engineering) of the Cellular Services Daemon on the N900.

The Cellular Services Daemon is a daemon that handles most of the communication with the N900 Cellular Modem. It interfaces with other parts of the system over dbus and sends ISI messages to the N900 Cellular Modem via a kernel driver.

The following packages are involved in the working of the Cellular Services Daemon:
csd-base (Cellular Services Daemon)
libisi1 (base library for sending ISI messages to the N900 Cellular Modem)
libisi-glib0 (library for allowing libisi to work with glib)
libtelcommon0 (common utility library used for routing ISI packets)
libcsnet0 (Cellular Services Daemon network service plugin, handles network related things like cell tower change, 2g/3g switch, signal strength, connect/disconnect from cell network, change to a different cell network and date/time info sent by the network)
libsim0 (Cellular Services Daemon SIM plugin, handles talking to the SIM and retrieving info including IMSI, SIM-based operator name, home network and sim status)
libcscall2 (library for handling phone call stuff)
csd-call (Cellular Services Daemon call plugin, handles making and receiving phone calls and related activity)
csd-gprs (Cellular Services Daemon GPRS plugin, handles data transfer via 2G/3G networks)
libphinfo0 (library for retrieving phone information)
csd-info (Cellular Services Daemon info plugin, handles phone information like IMEI, serial number, product code, hardware version and cellular modem software version)
libsms0 (library for handling SMS messages)
libsms-utils0 (library for decoding/encoding SMS messages and doing other SMS related utility tasks)
csd-sms (Cellular Services Daemon SMS plugin, handles SMS messages including Cell Broadcast SMS messages)
libss1 (library for handling supplementary services)
csd-ss (Cellular Services Daemon supplementary services plugin, handles things like call diversion and call barring)
libsimpb0 (Cellular Services Daemon sim phone book plugin, handles talking to the phone book on the SIM)

Next post I will make will talk about the dbus interfaces exposed by the cellular services daemon and its plugins and link to all the known details of those interfaces.

jonwil 2013-09-09 04:59

Re: Details of the N900 Cellular Services Daemon
 
The following known dbus interfaces are exposed by the Cellular Services Daemon (others may be exposed but nothing is known about them at this point).
com.nokia.csd.Call:
com.nokia.csd.Call is used to interact with/manage phone calls (dial a call, hang up a call, get call status, get notified about calls etc). The known details of com.nokia.csd.Call can be found in this file, this file and this file.

com.nokia.phone.net:
com.nokia.phone.net is used for cellular network status (e.g. current cell tower, current operator, 3G vs 2G vs both etc as well as status changes related to the network). The known details of com.nokia.phone.net can be found in this file and this file

com.nokia.csd.GPRS:
com.nokia.csd.GPRS is used for stuff related to cellular internet connectivity (both 2G and 3G), including setting up the connection, disconnecting and being notified of a connection. The known details of com.nokia.csd.GPRS can be found in this file, this file and this file.

com.nokia.csd.SMS:
com.nokia.csd.SMS is used for stuff related to sending and receiving SMS messages including Cell Broadcast SMS messages. The known details of com.nokia.csd.SMS can be found in this file

com.nokia.csd.SS:
com.nokia.csd.SS is used to interact with "supplementary services" such as call diversion. The known details of com.nokia.csd.SS can be found in this file and this file

com.nokia.phone.SIM:
com.nokia.phone.SIM is used to interact with the SIM card including the SIM phone book. The known details of com.nokia.csd.SIM can be found in this file

com.nokia.csd.Info:
com.nokia.csd.Info is used to obtain certain information about the phone such as the version of the modem firmware and various hardware IDs. The known details of com.nokia.csd.Info can be found in this file

The details of these dbus interfaces came from the following sources:
the libcsnet-dev package in the maemo SDK repositories (contains full documentation for com.nokia.phone.net)
the csd-gprs package in the maemo repositories (contains full documentation for com.nokia.csd.GPRS although you can't normally get it because of docpurge and need to manually retrieve the deb file and pull the contents)
dbus introspection on various interfaces
open source code of maemo software (such as bluez)
reverse engineering of maemo software (using dbus-monitor, IDA pro and other things)

MoritzJT 2013-09-09 05:08

Re: Details of the N900 Cellular Services Daemon
 
Do you think we'll have the chance to tap into the baseband through this? Or maybe preventing certain types of SMS to be received?

ketmar 2013-09-09 11:52

Re: Details of the N900 Cellular Services Daemon
 
as far as i know you can't prevent receiving anything. but you can intercept and block received sms/call, and we have such software.

MoritzJT 2013-09-09 11:55

Re: Details of the N900 Cellular Services Daemon
 
So no chance of at least creating a routine that will notify upon silent SMS?

ketmar 2013-09-09 12:03

Re: Details of the N900 Cellular Services Daemon
 
if we'll have all daemon interfaces reverse-engineered, then we can rewrite the whole daemon and do anything we want. so… such possibility exists for sure.

juiceme 2013-09-09 17:45

Re: Details of the N900 Cellular Services Daemon
 
Quote:

Originally Posted by MoritzJT (Post 1373117)
So no chance of at least creating a routine that will notify upon silent SMS?

What would be the reason for this, finding out if some trojan sends SMS'es to pay-numbers? (do such things exist?)

misiak 2013-09-09 17:50

Re: Details of the N900 Cellular Services Daemon
 
Quote:

Originally Posted by juiceme (Post 1373170)
What would be the reason for this, finding out if some trojan sends SMS'es to pay-numbers? (do such things exist?)

It exists and is even bundled with N900's software. It's called "cherry" - see e.g. http://wiki.maemo.org/N900_The_Perfect_Setup#Cherry .

MoritzJT 2013-09-09 18:48

Re: Details of the N900 Cellular Services Daemon
 
Well my reasoning was more to screw silent SMS tracking up. I'm sick of being treated as a criminal and want to fight back. I don't care if this results in people using the N900 to escape government surveillance, but I think we deserve to get off the grid.

That's why I suggested this.

Estel 2013-09-09 19:53

Re: Details of the N900 Cellular Services Daemon
 
Frankly, no one needs to use SMS to track you. It can be done via basic keep-alives TX/RX with cell tower ;)

juiceme 2013-09-09 20:02

Re: Details of the N900 Cellular Services Daemon
 
Exactly. I have never heard of silent SMS'es used for spying/tracking on people...

Wikiwide 2013-09-09 21:03

Re: Details of the N900 Cellular Services Daemon
 
Silent SMS are the means used by both telephone network and police to track people. By the way, does N900 currently support Flash SMS?
Best wishes.

MoritzJT 2013-09-09 21:09

Re: Details of the N900 Cellular Services Daemon
 
Quote:

Originally Posted by Wikiwide (Post 1373232)
Silent SMS are the means used by both telephone network and police to track people. By the way, does N900 currently support Flash SMS?
Best wishes.

Thanks... was searching for it, but got a phone call distracting me.

Here's a working link:

http://en.wikipedia.org/wiki/Short_M...ice#Silent_SMS

Quote:

Originally Posted by Estel (Post 1373210)
Frankly, no one needs to use SMS to track you. It can be done via basic keep-alives TX/RX with cell tower ;)

That's exactly what 'silent SMS' stands for. Keep Alive pings. I want those exposed as silent SMS for tracking vary a little in their byte output from normal keep alive pings.

Even normal keep alive pings don't come as often as 'silent SMS'. So any indication would be nice to at least know you're being tracked.

That's all I was asking for, if it's possible.

Cheers

ketmar 2013-09-09 21:19

Re: Details of the N900 Cellular Services Daemon
 
actually, it's a feature of modem hardware, AFAIR. hw can choose to answer to some sms without even notifying the device.

MoritzJT 2013-09-09 21:21

Re: Details of the N900 Cellular Services Daemon
 
Quote:

Originally Posted by ketmar (Post 1373235)
actually, it's a feature of modem hardware, AFAIR. hw can choose to answer to some sms without even notifying the device.

That's what I'm asking. Does this go deep enough into the Baseband to keep track of what's happening on the old HW platform the N900 uses, or is it not going deep enough and we don't have a chance to see what's going on without open Baseband HW.

dos1 2013-09-09 21:32

Re: Details of the N900 Cellular Services Daemon
 
Quote:

Originally Posted by MoritzJT (Post 1373236)
That's what I'm asking. Does this go deep enough into the Baseband to keep track of what's happening on the old HW platform the N900 uses, or is it not going deep enough and we don't have a chance to see what's going on without open Baseband HW.

No, this does not go that deep. It's about daemon that works as a middleware between modem and higher level software, not about the modem itself.

MoritzJT 2013-09-09 21:33

Re: Details of the N900 Cellular Services Daemon
 
Thank you for clarifying :-)

wicket 2013-09-09 22:19

Re: Details of the N900 Cellular Services Daemon
 
Quite a few ex-Nokians that worked on the N900 can be found on LinkedIn. A quick search yields some interesting results. Maybe some of these people will be willing to help.

bozoid 2013-09-10 02:29

Re: Details of the N900 Cellular Services Daemon
 
I would comment that attempts to avoid tracking are quite futile.
As Estel pointed out, there are "keep-alives".. those are actually called Location Updates (although their resolution is quite limited); there are data network versions called Routing Area Updates.
There are *many* other ways to know where your cell phone is, and it is a must. Else, the telco network wouldn't be able to ring your phone when a call comes in, or do other stuff.
I've also heard of methods called Geo-Location Tagging (probably won't appear on google) which is quite accurate.
SMS is only on the circuit switched network; the packet switched network, if you turn on your data connection, would open another circuit from your phone to the telco network, providing one more circuit that can be tracked from the operator network.

You can go look up signalling that happens between the phone & operator network under GSM, GPRS, 3G (HSPA), etc signalling.

The only way to be sure you are not tracked is to turn off your phone.

kh

Estel 2013-09-10 02:59

Re: Details of the N900 Cellular Services Daemon
 
Quote:

Originally Posted by bozoid (Post 1373277)
The only way to be sure you are not tracked is to turn off your phone.

And remove battery, as most nowadays devices (aka built in last 10 years, or even more) are able to power modem and allow "emergency tracking" even when turned off. I have no idea how it looks in N900 case.

Thankfully, the built-in bupbats aren't enough (yet) to allow tracking without real battery inside... ;) Well, at least, not for prolonged time, so it's not implemented (or we don't know about it, yet ;) )

/Estel

// Edit

Quote:

Originally Posted by Wikiwide (Post 1373232)
By the way, does N900 currently support Flash SMS?
Best wishes.

Yes, it does. It comes up as pop-up notification (the black one, not yellow banner).
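
Added example, not part of any post in this thread and not code from Maemo or Nokia: the check that a "notify upon silent SMS" routine, as asked about earlier in the thread, would apply to an incoming message, together with the Flash SMS case. It assumes the raw SMS-DELIVER TPDU (3GPP TS 23.040, with no SMSC address prefix) actually reaches software on the host, which ketmar's and dos1's replies suggest the modem may not allow; the function names and sample TPDUs are constructed for illustration.

```python
# Added example: classify an SMS-DELIVER TPDU as ordinary, silent or flash.
# Field layout per 3GPP TS 23.040 (TPDU) and TS 23.038 (data coding scheme).
# Assumption: input is the bare TPDU as hex, with no SMSC address in front.

# Constructed samples: sender +15555550100, timestamp 2013-09-09 21:03:00.
HEADER = "04" + "0B91" + "5155550501F0"        # first octet, TP-OA
SCTS = "31909012300000"                        # TP-SCTS, 7 octets
SAMPLE_ORDINARY = HEADER + "00" + "00" + SCTS + "02" + "E834"  # text "hi"
SAMPLE_SILENT = HEADER + "40" + "00" + SCTS + "00"             # TP-PID 0x40
SAMPLE_FLASH = HEADER + "00" + "10" + SCTS + "02" + "E834"     # DCS class 0


def message_class(dcs):
    """Return the message class (0-3) encoded in TP-DCS, or None if absent."""
    if dcs & 0x80 == 0:                  # coding groups 00xx and 01xx
        return dcs & 0x03 if dcs & 0x10 else None
    if dcs & 0xF0 == 0xF0:               # data coding / message class group
        return dcs & 0x03
    return None                          # reserved and message-waiting groups


def classify_sms_deliver(tpdu_hex):
    """Parse the fixed header fields; raise ValueError on malformed input."""
    try:
        tpdu = bytes.fromhex(tpdu_hex)
    except ValueError as exc:
        raise ValueError("not valid hex") from exc
    if len(tpdu) < 2:
        raise ValueError("truncated TPDU")
    first = tpdu[0]
    if first & 0x03 != 0x00:             # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER")
    oa_semi_octets = tpdu[1]             # TP-OA length counts digits
    if oa_semi_octets > 20:
        raise ValueError("TP-OA too long")
    pos = 3 + (oa_semi_octets + 1) // 2  # skip length, type-of-address, digits
    if len(tpdu) < pos + 10:             # TP-PID, TP-DCS, TP-SCTS(7), TP-UDL
        raise ValueError("truncated TPDU")
    pid, dcs, udl = tpdu[pos], tpdu[pos + 1], tpdu[pos + 9]
    return {
        "pid": pid,
        "dcs": dcs,
        "udl": udl,
        "silent": pid == 0x40,               # Short Message Type 0
        "flash": message_class(dcs) == 0,    # class 0, shown immediately
    }


if __name__ == "__main__":
    for name, sample in [("ordinary", SAMPLE_ORDINARY),
                         ("silent", SAMPLE_SILENT), ("flash", SAMPLE_FLASH)]:
        print(name, classify_sms_deliver(sample))
```

A Type 0 message is identified by TP-PID alone, so the check does not need to decode the user data; the class 0 test covers both TP-DCS coding groups that carry a message class.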

nokiabot 2013-09-10 05:06

Re: Details of the N900 Cellular Services Daemon
 
any device transmitting a signal can be tracked is all i know.

MoritzJT 2013-09-10 08:30

Re: Details of the N900 Cellular Services Daemon
 
Sure, how about constantly changing IMSI? I think someone managed on Symbian...

However as it's now clarified, let's get back to topic. This is a whole other discussion to be held elsewhere :-)

I still hope you find someone capable to help you out!

Cheers

mr_pingu 2013-09-10 09:08

Re: Details of the N900 Cellular Services Daemon
 
Quote:

Originally Posted by MoritzJT (Post 1373339)
Sure, how about constantly changing IMSI? I think someone managed on Symbian...

However as it's now clarified, let's get back to topic. This is a whole other discussion to be held elsewhere :-)

I still hope you find someone capable to help you out!

Cheers

CodeRUS managed even to change IMEI on Symbian, and you're right, IMSI too

juiceme 2013-09-10 11:05

Re: Details of the N900 Cellular Services Daemon
 
Quote:

Originally Posted by MoritzJT (Post 1373339)
Sure, how about constantly changing IMSI? I think someone managed on Symbian...

Now this is fairly pointless I can assure you!

If you "constantly change your IMSI" sure yeah network will not be able to place you but what good is it going to do to you?
You cannot receive or initiate any calls, and that includes both IuCS and IuPS... :D

Easier to just take the battery off from the device.

jonwil 2013-09-10 15:11

Re: Details of the N900 Cellular Services Daemon
 
The Cellular Services Daemon exposes the following DBUS paths that are referenced by other parts of the system: (each path is followed by a list of the other parts of the system that reference them)

/com/nokia/csd/call
/usr/sbin/bluetoothd (part of bluez, open source)
/usr/bin/intellisyncd (part of nokiamessaging, not necessary to support this on Neo900)
/usr/lib/libconnui_cell.so.0 (shared library for the cellular parts of the connectivity UI layer)
/usr/lib/librtcom-call-ui.so.0 (dialer shared library)
/usr/lib/telepathy/telepathy-ring (telepathy module that handles cellular calls and SMS)
/usr/lib/libcodelockui.so.1 (device code lock UI)
/usr/lib/hildon-desktop/librtcom-notification-ui.so (notification UI)
/usr/lib/systemui/libsystemuiplugin_emergency.so (system UI emergency call plugin)
/usr/sbin/sscd (handles cellular modem startup/shutdown/reset)

/com/nokia/csd/gprs
/usr/lib/libconnui.so.0 (shared library for the connectivity UI layer)
/usr/lib/libconnui_cell.so.0 (shared library for the cellular parts of the connectivity UI layer)
/usr/lib/icd2/libicd_network_gprs.so (Internet Connectivity Daemon cellular data plugin)

/com/nokia/csd/info
/usr/bin/cherry (part of MyNokia, not necessary to support this on Neo900)
/usr/bin/gen-obex-capability.sh (shell script)
/usr/lib/hildon-control-panel/libcpcherry.so (part of MyNokia, not necessary to support this on Neo900)
/usr/lib/libqtsysteminfo.so.1 (QT system information library, open source)
/usr/lib/libmaesync.so (used for synchronizing with Nokia PC Suite, not necessary to support this on Neo900)
/usr/sbin/as-daemon (ActiveSync daemon, not necessary to support this on Neo900)

/com/nokia/phone/net
/usr/sbin/bluetoothd (part of bluez, open source)
/usr/bin/cherry (part of MyNokia, not necessary to support this on Neo900)
/usr/bin/clockd (clock daemon)
/usr/bin/gen-obex-capability.sh (shell script)
/usr/sbin/gprs-provisioning (not exactly sure what this is, something to do with GPRS)
/usr/bin/intellisyncd (part of nokiamessaging, not necessary to support this on Neo900)
/usr/lib/microb-engine/components/libatlas.so (part of Nokia Maps, not necessary to support this on Neo900)
/usr/lib/libconnui_cell.so.0 (shared library for the cellular parts of the connectivity UI layer)
/usr/lib/hildon-control-panel/libcpcherry.so (part of MyNokia, not necessary to support this on Neo900)
/usr/lib/icd2/libicd_network_gprs.so (Internet Connectivity Daemon cellular data plugin)
/usr/lib/libosso-abook-1.0.so.0 (osso addressbook library)
/usr/lib/libqtsysteminfo.so.1 (QT system information library, open source)
/usr/lib/librtcom-call-ui.so.0 (dialer shared library)
/usr/bin/osso-connectivity-ui-conndlgs.launch (connectivity UI connectivity dialog daemon)
/usr/bin/osso_startup_wizard.launch (first-boot app that sets time/language/etc)
/usr/bin/wl1251-cal (daemon for initializing WiFi chip, not needed on Neo900 as Neo900 will probably have different WiFi chip and/or will have WiFi initialization stuff provided by WiFi chip vendor, open source re-implementation exists in any case)
/usr/sbin/wlancond (WiFi connectivity daemon, open source)

/com/nokia/phone/sim
/etc/event.replace.d/tonegend and /etc/event.d/tonegend (shell script, both are identical but not linked to each other as far as I can see)
/usr/bin/cherry (part of MyNokia, not necessary to support this on Neo900)
/usr/bin/controlpanel.launch (part of hildon-control-panel, open source)
/usr/sbin/gprs-provisioning (not exactly sure what this is, something to do with GPRS)
/usr/bin/intellisyncd (part of nokiamessaging, not necessary to support this on Neo900)
/usr/lib/hildon-control-panel/libcpcherry.so (part of MyNokia, not necessary to support this on Neo900)
/usr/lib/libconnui.so.0 (shared library for the connectivity UI layer)
/usr/lib/libconnui_cell.so.0 (shared library for the cellular parts of the connectivity UI layer)
/usr/lib/evolution-data-server-1.2/extensions/libebookbackendsim.so (addressbook SIM backend)
/usr/lib/icd2/libicd_network_gprs.so (Internet Connectivity Daemon cellular data plugin)
/usr/lib/libosso-abook-1.0.so.0 (osso addressbook library)
/usr/lib/libqtsysteminfo.so.1 (QT system information library, open source)
/usr/bin/location-proxy (daemon that handles supl server)
/usr/bin/osso_startup_wizard.launch (first-boot app that sets time/language/etc)
/usr/sbin/ota-settings (handles cellular data settings sent over-the-air by the cellular network)
/usr/lib/telepathy/telepathy-ring (telepathy module that handles cellular calls and SMS)

/com/nokia/phone/sim/security
/usr/bin/cherry (part of MyNokia, not necessary to support this on Neo900)
/usr/bin/controlpanel.launch (part of hildon-control-panel, open source)
/usr/bin/intellisyncd (part of nokiamessaging, not necessary to support this on Neo900)
/usr/lib/hildon-control-panel/libcpcherry.so (part of MyNokia, not necessary to support this on Neo900)
/usr/lib/libconnui_cell.so.0 (shared library for the cellular parts of the connectivity UI layer)
/usr/lib/hildon-control-panel/libcpdevice.so ("about device" control panel)
/usr/lib/librtcom-call-ui.so.0 (dialer shared library)

/com/nokia/phone/sim/phonebook
/usr/sbin/bluetoothd (part of bluez, open source)
/usr/bin/intellisyncd (part of nokiamessaging, not necessary to support this on Neo900)
/usr/lib/evolution-data-server-1.2/extensions/libebookbackendsim.so (addressbook SIM backend)

/com/nokia/phone/sms
/usr/bin/cherry (part of MyNokia, not necessary to support this on Neo900)
/usr/lib/hildon-control-panel/libcpcherry.so (part of MyNokia, not necessary to support this on Neo900)
/usr/sbin/sms-manager (handles dispatching certain special kinds of SMS messages to the right place)
/usr/lib/telepathy/telepathy-ring (telepathy module that handles cellular calls and SMS)

/com/nokia/csd/ss
/usr/lib/libconnui_cell.so.0 (shared library for the cellular parts of the connectivity UI layer)
/usr/lib/librtcom-call-ui.so.0 (dialer shared library)

misterc 2014-07-03 07:17

Re: Details of the N900 Cellular Services Daemon
 
[ot]
doesn't the software that allows to track (and / or wipe) the N900 in case it is stolen use silent SMS?
[/ot]

