Difference between pages "AT Commands" and "Windows SuperFetch Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Reference Links)
 
 
Line 1: Line 1:
<ul><li>AT and AT+ commands can be used to manually collect simple information. This is an ideal choice for "full control" over the communications that are sent and returned from the phone. These can also be used when there is no tool available to communicate with the phone. These commands were tested using a Motorola v551 GSM phone using Bluetooth and USB data cables. It is important to note that not all of these commands are supported by all phones, but the AT+CLAC command (usually) displays all of the available commands the GSM phone can respond to.</li>
+
{{expand}}
<li>With Motorola phones (and many others) there are '''NO''' AT commands that can be used to retrieve multimedia content. For these, OBEX commands must be issued to the phone to return directory contents, ringtones, pictures and video.</li><li>Samsung GSM phones, on the other hand, '''DO''' have AT commands that allow access to the multimedia content.</li></ul><br/>
+
  
To use these AT commands:
+
SuperFetch, is a memory management scheme that enhances the least-recently accessed approach with historical information and proactive memory management. [http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx]
<ol><li> Connect the phone and determine the number of the COM port that is associated with it.</li>
+
<li>Open HyperTerminal, Realterm or any other terminal program that will communicate with a specified COM port.</li>
+
<li>With the Motorola phone, type '''AT+MODE=2'''. This prepares the phone for an extended AT+ command set. (+Cxxx and +MPxx)</li></ol><br/>
+
After following these steps, you can continue with any of the commands below.
+
  
== '''Phonebook''' ==
+
<b>Note that the following format specification are incomplete.</b>
'''AT+CPBS=?'''<br/>
+
Lists the phonebooks that the phone contains. (Choose phonebook storage)<br/>
+
Returns: +CPBS: ("ME","SM","MT","ON","DC","MC","RC","EN","AD","QD","SD","FD")<br/>
+
  
+CPBS="ME" sets the "retrieve mode" to the internal phonebook.<br/>
+
== SuperFetch DB files ==
+CPBS="SM" sets the "retrieve mode" to the SIM phonebook.
+
The <tt>Ag*.db</tt> files are of the SuperFetch file format. E.g.
 +
<pre>
 +
AgAppLaunch.db
 +
AgCx_SC*.db
 +
AgGlFaultHistory.db
 +
AgGlFgAppHistory.db
 +
AgGlGlobalHistory.db
 +
AgGlUAD_%SID%.db
 +
AgGlUAD_P_%SID%.db
 +
AgRobust.db
 +
</pre>
  
'''AT+CPBR=?'''<br/>
+
The SuperFetch DB files can be stored in uncompressed or compressed form, where different version of Windows use different compressed forms:
Describes the phonebook selected above. (Simple) This gives the max number of entries the phone can contain. It also gives the maximum phone number (or email address) length and name length.<br/>
+
* Compressed SuperFetch DB - MEMO file format; Windows Vista
'''NOTE:''' You can substitute +MPBR for any +CPBR command, but the phone returns a much more specific (and less intelligible) response containing more fields that may act as internal “programming” flags of some sort.<br/>
+
* Compressed SuperFetch DB - MEM0 file format; Windows  7
Returns: +CPBR: (1-1000),40,24
+
* Compressed SuperFetch DB - MAM file format; Windows 8
  
'''AT+CPBR=[beginning index],[ending index]'''<br/>
+
=== Compressed SuperFetch DB - MEMO file format ===
Returns a list of numbers with the index between the two numbers entered. Also denotes what TYPE of phonebook entry was selected.<br/>
+
The MEM file consists of:
Returns: +CPBR: 9,"18005555555",129,"Contact Name" – 129 refers to a phone number.<br/>
+
* file header
Returns: +CPBR: 18,"user@domain.net",128,"Contact Name" – 128 refers to an email.
+
* compressed blocks
  
'''AT+CPBR=[index]'''<br/>
+
This format uses the LZNT1 compression method
Returns the specified index.<br/>
+
Returns: +CPBR: 18,"user@domain.net",128,"Contact Name"
+
  
'''AT+MPBF="Name"'''<br/>
+
==== File header ====
Searches the phonebook for the Name or string.
+
The file header is 84 bytes of size and consists of:
+
{| class="wikitable"
'''AT+MPBR=?'''<br/>
+
|-
Similar to above, but a more verbose result is displayed.<br/>
+
! Offset
Returns: +MPBR: 1-1000,40,24,8,0-1,50,(0,2,4,6,9-30,255),(0),(0-1),(1-30),(255),25,(0-1,255),264,(0),0,0,0,0,0,0,0
+
! Size
<ul><li>1-1000 denotes the number of entries that can be stored on the selected (+CPBS) phonebook.</li><li>40 represents the number of characters that the email or phone number can have.</li><li>24 indicates the number of characters the “friendly” name can have.</li><li>The 8 refers to the different “types” of phonebook entry (i.e. Mobile, Main, Email, Home, Fax, Work … etc).</li><li>The +CPBR command does not list anything after the 24 (as seen above), so there are times when the +MPBR may be useful.</li></ul>
+
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| "MEMO" (0x4d, 0x45, 0x4d, 0x4f)
 +
| Signature
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Uncompressed (total) data size
 +
|-
 +
|}
  
'''AT+MPBR=[index]'''<br/>
+
==== Compressed blocks ====
Returns: +MPBR: 18,"user@domain.net",128,"Contact Name",6,0,255,0,0,1,255,255,0,"",0,0,"","","","","","","",""
+
The compressed block size is the chunk data size, which is part of the LZNT1 compressed data, + 2 bytes for the size of the chunk header itself.
  
== '''SMS Messages''' ==
+
The uncompressed block size is 4096 (0x1000) or the remaining uncompressed data size for the last block.
'''AT+CMGF=1'''<br/>
+
This tells the phone to display the entries as text rather than binary. +CMFG=0 would display the data in binary format.
+
  
'''AT+CPMS=?'''<br/>
+
=== Compressed SuperFetch DB - MEM0 file format ===
This displays all of the locations in which the phone can save the SMS messages.<br/>
+
The MEM file consists of:
Returns: +CPMS: ("MT","IM","OM","BM","DM"),("OM","DM"),("IM")
+
* file header
 +
* compressed blocks
  
'''AT+CMGL=?'''<br/>
+
This format uses the LZXPRESS Huffman compression method
Returns the options on which messages you wish to display.<br/>
+
Returns: +CMGL: ("REC UNREAD", "REC READ", "STO UNSENT", "STO SENT", "ALL")
+
  
'''AT+CMGL="ALL"'''<br/>
+
==== File header ====
Selects and displays all of the SMS messages on the selected source.
+
The file header is 84 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| "MEM0" (0x4d, 0x45, 0x4d, 0x30)
 +
| Signature
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Uncompressed (total) data size
 +
|-
 +
|}
  
== '''Misc. Information''' ==
+
==== Compressed blocks ====
'''AT+CGSN'''<br/>
+
The file header is followed by compressed blocks:
Returns the IMEI of the phone.<br/>
+
{| class="wikitable"
Returns: +CGSN: IMEI356252000861622 <br/>
+
|-
Returns: +GSN: 299B5900 (Samsung)
+
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
|
 +
| Compressed data size
 +
|-
 +
| 4
 +
| ...
 +
|
 +
| Compressed data
 +
|-
 +
|}
  
'''AT+CGMR'''<br/>
+
The uncompressed block size is 65536 (0x10000) or the remaining uncompressed data size for the last block.
Returns the manufacturer’s OS revision.<br/>
+
Returns: +CGMR: "R47_G_08.17.0FR_01"
+
  
'''AT+GMI'''<br/>
+
=== Compressed SuperFetch DB - MAM file format ===
Returns the manufacturer name (Samsung).<br/>
+
The MAM file consists of:
Returns: +GMI: SAMSUNG
+
* file header
 +
* compressed blocks
  
'''AT+CGMM'''<br/>
+
This format uses the <b>TODO</b> compression method
Returns the make, model and capabilities of the phones.<br/>
+
Returns: +CGMM: "GSM900","GSM1800","GSM1900","GSM850","MODEL=V551" <br/>
+
Returns: +GMM: SCH-A670 (Samsung)
+
  
'''AT+CNUM'''<br/>
+
==== File header ====
Returns the subscriber name/number from the SIM.<br/>
+
<b>TODO</b>
Returns: +CNUM: Owner Name,15555555555,129
+
  
'''AT+CLAC'''<br/>
+
{| class="wikitable"
Lists AT commands that the phone supports.
+
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| "MAM\x84" (0x4d, 0x41, 0x4d, 0x84)
 +
| Signature
 +
|-
 +
|}
  
'''AT+MODE=22'''<br/>
+
==== Compressed blocks ====
Prepares the phone (Motorola) for OBEX commands.
+
<b>TODO</b>
  
'''AT+MODE=0'''<br/>
+
=== Uncompressed SuperFetch DB format ===
This returns the phone to simple AT command mode.
+
<b>TODO</b>
  
== '''Reference Links''' ==
+
==== File header ====
 +
<b>TODO</b>
  
[http://gatling.ikk.sztaki.hu/~kissg/gsm/index.html AT+C Command Set of GSM]
+
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| 0x0000000e
 +
| Unknown (Database type or signature?)
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Uncompressed (total) data size
 +
|-
 +
|}
 +
== TRX files ==
 +
The <tt>Ag*.db.trx</tt> files are of the TRX file format. E.g.
 +
<pre>
 +
AgCx_SC*.db.trx
 +
</pre>
  
[http://www.traud.de/gsm/atex.htm Alexander Traud's GSM pages ]
+
<b>Note that the following format specification is incomplete.</b>
  
[http://www.anotherurl.com/library/at_test.htm AT Test Commands]
+
=== File header ===
 +
The file header is variable of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| 1
 +
| Unknown (Version?)
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Unknown
 +
|-
 +
| 8
 +
| 4
 +
|
 +
| File size
 +
|-
 +
| 12
 +
| 4
 +
|
 +
| Maximum number of records (of the record offsets array)
 +
|-
 +
| 16
 +
| 4
 +
|
 +
| Number of records
 +
|-
 +
| 20
 +
| ...
 +
|
 +
| Record offsets array, where the record offset is a 32-bit integer. Unused record offset are set to 0.
 +
|-
 +
|}
  
[http://www.csparks.com/MotoBackup/MotorolaAT.xhtml AT Commands to Access the Motorola]
+
=== Record ===
 +
<b>TODO describe</b>
  
[http://webapp.etsi.org/key/key.asp?GSMSpecPart1=27&GSMSpecPart2=007  ETSI-3GPP Standards]
+
== See Also ==
 +
* [[SuperFetch]]
  
[http://wiki.forum.nokia.com/index.php/AT_Commands Nokia AT Commands]
+
== External Links ==
 +
* [http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx Inside the Windows Vista Kernel: Part 2], by [[Mark Russinovich]], March 2007
 +
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification], by ReWolf, October 5, 2011
  
[http://www.parallax.com/Portals/0/Education/custapps/Nokia_AThelp.pdf Support Guide for the Nokia Phones and AT Commands]
+
[[Category:File Formats]]
 
+
[http://www.daimi.au.dk/~jones/sms/packed/Nokia_30_AT_Command_Guide_2_0.pdf Nokia 30 GSM Connectivity Terminal AT Command Guide]
+
 
+
[http://nds1.nokia.com/phones/files/guides/at_commands.pdf Nokia PremiCell List of AT Commands]
+

Revision as of 01:41, 23 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

SuperFetch, is a memory management scheme that enhances the least-recently accessed approach with historical information and proactive memory management. [1]

Note that the following format specification are incomplete.

SuperFetch DB files

The Ag*.db files are of the SuperFetch file format. E.g.

AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_%SID%.db
AgGlUAD_P_%SID%.db
AgRobust.db

The SuperFetch DB files can be stored in uncompressed or compressed form, where different version of Windows use different compressed forms:

  • Compressed SuperFetch DB - MEMO file format; Windows Vista
  • Compressed SuperFetch DB - MEM0 file format; Windows 7
  • Compressed SuperFetch DB - MAM file format; Windows 8

Compressed SuperFetch DB - MEMO file format

The MEM file consists of:

  • file header
  • compressed blocks

This format uses the LZNT1 compression method

File header

The file header is 84 bytes of size and consists of:

Offset Size Value Description
0 4 "MEMO" (0x4d, 0x45, 0x4d, 0x4f) Signature
4 4 Uncompressed (total) data size

Compressed blocks

The compressed block size is the chunk data size, which is part of the LZNT1 compressed data, + 2 bytes for the size of the chunk header itself.

The uncompressed block size is 4096 (0x1000) or the remaining uncompressed data size for the last block.

Compressed SuperFetch DB - MEM0 file format

The MEM file consists of:

  • file header
  • compressed blocks

This format uses the LZXPRESS Huffman compression method

File header

The file header is 84 bytes of size and consists of:

Offset Size Value Description
0 4 "MEM0" (0x4d, 0x45, 0x4d, 0x30) Signature
4 4 Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks:

Offset Size Value Description
0 4 Compressed data size
4 ... Compressed data

The uncompressed block size is 65536 (0x10000) or the remaining uncompressed data size for the last block.

Compressed SuperFetch DB - MAM file format

The MAM file consists of:

  • file header
  • compressed blocks

This format uses the TODO compression method

File header

TODO

Offset Size Value Description
0 4 "MAM\x84" (0x4d, 0x41, 0x4d, 0x84) Signature

Compressed blocks

TODO

Uncompressed SuperFetch DB format

TODO

File header

TODO

Offset Size Value Description
0 4 0x0000000e Unknown (Database type or signature?)
4 4 Uncompressed (total) data size

TRX files

The Ag*.db.trx files are of the TRX file format. E.g.

AgCx_SC*.db.trx

Note that the following format specification is incomplete.

File header

The file header is variable of size and consists of:

Offset Size Value Description
0 4 1 Unknown (Version?)
4 4 Unknown
8 4 File size
12 4 Maximum number of records (of the record offsets array)
16 4 Number of records
20 ... Record offsets array, where the record offset is a 32-bit integer. Unused record offset are set to 0.

Record

TODO describe

See Also

External Links