BFC mode (Siemens x65 Service mode)

0) About
1) Structure of a BFC Command
2) Starting the BFC mode
2.1) starting the online BFC mode
2.2) starting the offline BFC mode
3) Leave BFC mode
4) Commands
5) Answer
6) Keys Table
7) Full Command List (without names)
8) Greetings & Respect


0) About:

Written by ACiD[mrp] and Phantom. Special thanks to SiNgle and Skylord for their help with discovering commands.
2004 by GSM Development Crew

This is the most complete documentation (the only one? ;)) about the BFC Service mode for Siemens mobiles.
BFC is the new (undocumented) service protocol for mobiles since the x65 series. For mobiles older than x65
use the BFB service mode.


1) Structure of a BFC Command

Header:   [Command] [01] [Length, Length] [Chk Flag] [Header XOR]
Subdata:  [Subdata, Subdata, Subdata]
Checksum: [Checksum]

[Command]:
see Command Table

[Length]:
Length of Subdata

[Chk Flag]:
0x20: CRC16
0x04: no checksum

[Header XOR]:
XOR of all Header Bytes


2) Starting the BFC mode

There are two different ways to put the phone into BFC mode: the phone can be online or offline.
For offline mode a flashable cable must be present.

2.1) starting the online BFC mode

Starting the online BFC mode is simple:
- set port speed to 115200 Baud
- make sure you can access the AT mode
- send the AT command AT^SQWE=1 + 0x13

That's all, you're in online BFC mode now ;)

2.2) starting the offline BFC mode

Starting the offline BFC mode is more work:
- set port speed to 115200 Baud
- send "AT" to the Port in a loop. Wait 50ms after every command
- when the user presses the red key, the mobile will answer with 0xB0
- now you can send the Bootcode to the phone:
- phone will answer with 0xB1
Now you have to wait some time until the phone has finished booting.

You can send an Authentication for command group 0x11 to see when the phone has started (Ping).
Now you are in offline BFC mode.


3) Leave BFC mode

Leaving BFC mode is different for online and offline mode.
In online mode send command:  SwitchFromBfcToRccpMode
In offline mode send command: TurnMobileOn or TurnMobileOff

4) Commands

Name / Command / Subdata (hexadecimal)
Authentication / Ping:
Authenticate for Command Group XX = Command 80 11
     
Firmware Internal :
GetListOfFlashBFCCommands 02 01
GetAddressOfBFCCommand 02 02 + BFC command (e.g. 021105 for BFC_L2_ReadIMEI)
 
Keypad:
RedirectKeypad 09 01
RestoreKeypad 09 02
PressKeypad 09 03 [key]
ReleaseKeypad 09 03 01
 
Display:
GetDisplayType 0A 01 [DisplayNumber]
RedirectDisplay 0A 02 [DisplayNumber]
RestoreDisplay 0A 03 [DisplayNumber]
SwitchOffDisplay 0A 05 [DisplayNumber]
GetDisplayCount 0A 06 [DisplayNumber]
GetDisplayInformation 0A 07 [DisplayNumber]
  returns: 01 0A 00 06 00 0D 07 [84 00 = width] [B0 00 = height] 03
GetBufferInformation 0A 09 [DisplayNumber]
GenerateDisplayPattern 0A 0A [DisplayNumber]
 
Audio:
WriteAudioSettings 0B 6F 00 00 00 [02 = DL_Dest (02 - BT 01 speaker)] 01 [03 = DL_PCM0_s 01-mp3aac] 00 [03 = UL_Source 01 inmic] 00 00 01 00 00 00 00 00 03 00 00 01 00
ReadAudioSettings 0B 72
 
Information:
ReadIMEI 11 05
GetSwInfo 11 06 [00 - 06]
ReadMobileSwDateAndTime 11  
ReadOperateAndTalkTime 11 07
ReadTalkTime 11 08
GetSWVersion 11 0B
GetManuID 11 0C
GetProductID 11 0D
GetLGVersion 11 0E
GetPhoneType 11 11
 
EEPROM:
EeLiteReadBlock 14 04 [0100 = Block 1] [000000 = Offset] 00 [000001 = Bytes to read] 000000
EeFullReadBlock 14 14 [8F13 = Block 5007] [000001 = Offset] 00 [000003 = Bytes to read] 000000
EeLiteGetBlockInfo 14 05 [8F13 = Block 5007] 0000
EeFullGetBlockInfo 14 15 [8F13 = Block 5007] 0000
  returns [01 14 00 07 20 32] 05 00 [60 1C = size] 00 00 [00 = version]
EeLiteMaxBlockId 14 06
EeFullMaxBlockId 14 16
Create_EeLiteBlock 14 01 [0100 = Block 1] 0000 [0100 = Size 1] 0000 [00 = Version 0]
Create_EeFullBlock 14 11 [3B 15 = Block 5435] 0000 [0100 = Size 1] 0000 [00 = Version 0]
Write_EeLiteBlock 14 02 [01 00 = Block 1] 0000 [1400 Offset = 0x14] 0000 [Data]
Write_EeFullBlock 14 12 [3B 15 = Block 5435] 0000 [1400 Offset = 0x14] 0000 [Data]
Finish_EeLiteBlock 14 03 [01 00 = Block 1] 0000
Finish_EeFullBlock 14 13 [3B 15 = Block 5435] 0000
Delete_EELiteBlock 14 07 [01 00 = Block 1] 0000
Delete_EEFullBlock 14 17 [3B 15 = Block 5435] 0000
 
AT Commands:
SendATCommand 17 AT_COMMAND + 0x0D
SwitchFromBfcToRccpMode 17 AT^SQWE=0 + 0x0D
SwitchFromRccpToBfcMode 17 AT^SQWE=1 + 0x0D
SwitchFromBfcToGipsyMode 17 AT^SQWE=2 + 0x0D
 
Phone State:
SwitchMobileOn 19 01
SwitchMobileOff 19 03
 
Light:
LightDeact 1A 4A
SetDisplayLight 1A 46 [01 = display] [FF = level]
LightSwitch 1A 47 01 AF01 00 0000
  i.e. 47 [01 = Channel] AF01 [00 = intensity] [0000 = fade time]
  Channel: 00 = Display, 01 = Keypad, 02 = Nightdesign
LightGetIllumination 1A 48 01 00 01
 
Vibra:
VibraOff 1B 01
VibraOn 1B 02
VibraControl 1B 03 [FF = state (00 = off / FF = on)] possibly a vibra level in future versions.
 
SIM Card:
SimulateSim 1C 01
 
MMC:
GetMmcId 28 01


5) Answer:

The answer to every BFC command starts with the two bytes of the sent command
in reverse order (e.g. the GetDisplayInformation answer above begins 01 0A).
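The frame layout from section 1 and the answer convention from section 5, as an added Python illustration that is not part of the original document. The big-endian length field and the CRC16 handling are assumptions marked in the code (the page does not name the CRC variant); the two sample answers are the ones quoted in the command table.

```python
CHK_CRC16 = 0x20  # Chk Flag 0x20: a CRC16 follows the subdata
CHK_NONE = 0x04   # Chk Flag 0x04: no checksum


def header_xor(first_five: bytes) -> int:
    """XOR of the five header bytes that precede the [Header XOR] byte."""
    x = 0
    for b in first_five:
        x ^= b
    return x


def build_frame(command: int, subdata: bytes, chk_flag: int = CHK_NONE, crc16=None) -> bytes:
    """[Command] [01] [Length, Length] [Chk Flag] [XOR] + Subdata (+ CRC16).
    Assumed: big-endian length (matches the documented answers, 00 07 -> 7 bytes);
    the CRC16 variant is not on the page, so pass crc16(bytes) -> int for 0x20."""
    if chk_flag == CHK_CRC16 and crc16 is None:
        raise ValueError("chk_flag 0x20 requires a crc16 routine")
    head = bytes([command, 0x01]) + len(subdata).to_bytes(2, "big") + bytes([chk_flag])
    frame = head + bytes([header_xor(head)]) + subdata
    if chk_flag == CHK_CRC16:
        frame += crc16(frame).to_bytes(2, "little")  # checksum byte order assumed
    return frame


def parse_frame(raw: bytes) -> dict:
    """Check the header XOR and split off the subdata. Answers echo the first
    two header bytes in reverse order, so 01 xx ... is the answer to command xx."""
    if len(raw) < 6:
        raise ValueError("shorter than a BFC header")
    head, xor_byte = raw[:5], raw[5]
    if header_xor(head) != xor_byte:
        raise ValueError(f"header XOR {header_xor(head):02X} != {xor_byte:02X}")
    length = int.from_bytes(raw[2:4], "big")
    if len(raw) < 6 + length:
        raise ValueError("subdata truncated")
    is_answer = raw[0] == 0x01
    return {"answer": is_answer, "command": raw[1] if is_answer else raw[0],
            "chk_flag": raw[4], "subdata": raw[6:6 + length]}


# Answers quoted in the command table above (trailing checksum bytes are not shown there).
DISPLAY_INFO_ANSWER = bytes.fromhex("010A0006000D078400B00003")    # GetDisplayInformation
EE_BLOCK_INFO_ANSWER = bytes.fromhex("0114000720320500601C000000")  # EeFullGetBlockInfo


def display_size(answer: bytes) -> tuple:
    """(width, height) from a GetDisplayInformation answer; 16-bit little-endian."""
    sub = parse_frame(answer)["subdata"]
    return int.from_bytes(sub[1:3], "little"), int.from_bytes(sub[3:5], "little")
```

Both documented answers pass the header XOR check, which confirms the layout given in section 1.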


6) Keys Table:

Key name        Code    Key name                Code
EOB             00      CARKIT_CRADLE_LEFT      24
SOFT_1          01      CARKIT_CRADLE_RIGHT     25
SOFT_2          02      CARKIT_CRADLE_CENTER    26
SOFT_3          03      PTT_WAS_HEADSET         27
SOFT_4          04      STAR                    2A
BOOK            05      PTT_BT_HS_SIEM          2D
MEMO            06      PTT_BT_HS_SIG           2E
INFO            07      KEY_FOR_UP              2F
CLEAR           09      KEY_0                   30
END             0A      KEY_1                   31
START           0B      KEY_2                   32
ONOFF           0C      KEY_3                   33
UP              0C      KEY_4                   34
DOWN            0D      KEY_5                   35
MENU            10      KEY_6                   36
OPERATOR_KEY    11      KEY_7                   37
KEY_LOCK        12      KEY_8                   38
KEY_UNLOCK      13      KEY_9                   39
JOG_DL          14      PTT_HEADSET             3A
JOG_TURN        15      NAVI_UP                 3B
SW0ON           16      NAVI_DOWN               3C
SW0OFF          17      NAVI_LEFT               3D
SW1ON           18      NAVI_RIGHT              3E
SW1OFF          19      KEY_PLAY_STOP           3F
NAVI_CENTER     1A
HASH            23


7) Full Command List (without names):

This is a brute-forced list from a CX65 with FW25. If you would like to try out
unexplored commands, you should start with the commands from this list. This
should be all commands included in the firmware. Note that the S65 may have
some more commands because of the MMC and BT.

CX65 FW25 LG1 Full BFC Scan (Online mode)
C65 FW16 LG1 Full BFC Scan (Online mode)
C65 FW16 LG1 Full BFC Scan (Offline mode)
S65 FW32 LG1 Full BFC Scan (Online mode)
S65 FW32 LG1 Full BFC Scan (Offline mode)


8) Greetings & Respect

Greetings and respect goes out to all my friends in GSM Scene:
to SiNgle for having great ideas all day long and a nice talk
to Phantom for always good cooperation and very good contact.
to Chaos for very good contact and the craziest (and working!!!) ideas ;)
to Skylord for all the good tools
to Valera for VKlay
to RizaPN for SLIK stuff (you're the master of patching)
to flused for handling gsm-dev together with me :)
to Cluni for being good friend all the time
to b@iLLi for good work together
to holg for his 3rd point of view
to Multifund for giving an online home ;)
to DarkBear (never forget all the work you did on Siemens)
to TheSig for doing similar document for BFB mode

and of course to all I forgot in this list ;) I could continue
this till tomorrow but I have to go eating now ;)