The Bold Explorer

Anatomy of a Service Book

Before you get started with this post, read this.

You must understand the basic concepts explained there to make sense of what follows.

This is an example of a service book, displayed in a hex editor. The file was created to enable MMS on Koodo prepaid on my Bold 9900.

 

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  49 6E 74 65 72 40 63 74 69 76 65 20 50 61 67 65  Inter@ctive Page

00000010  72 20 42 61 63 6B 75 70 2F 52 65 73 74 6F 72 65  r Backup/Restore

00000020  20 46 69 6C 65 0A 02 00 01 00 0D 00 53 65 72 76   File.......Serv

00000030  69 63 65 20 42 6F 6F 6B 00 00 00 24 01 00 00 02  ice Book...$....

00000040  0B 00 01 E8 21 11 04 00 01 01 00 00 00 04 00 02  ...è!...........

00000050  00 00 00 00 04 00 17 01 E8 21 11 0F 00 03 4D 4D  ........è!....MM

00000060  53 20 43 6F 6E 66 69 67 20 32 2E 30 00 01 00 05  S Config 2.0....

00000070  00 04 00 06 FF FF FF FF 09 00 07 4D 4D 53 20 74  ....ÿÿÿÿ...MMS t

00000080  72 61 6E 73 05 00 08 57 50 54 43 50 50 00 09 01  rans...WPTCPP...

00000090  01 0D 37 34 2E 34 39 2E 30 2E 31 38 3A 38 30 08  ..74.49.0.18:80.

000000A0  0D 37 34 2E 34 39 2E 30 2E 31 38 3A 38 30 0D 29  .74.49.0.18:80.)

000000B0  68 74 74 70 3A 2F 2F 61 6C 69 61 73 72 65 64 69  http://aliasredi

000000C0  72 65 63 74 2E 6E 65 74 2F 70 72 6F 78 79 2F 6B  rect.net/proxy/k

000000D0  6F 6F 64 6F 2F 6D 6D 73 63 02 01 01 03 01 01 04  oodo/mmsc.......

000000E0  00 0A 01 00 00 00 04 00 0B 01 00 00 00 1F 00 0F  ................

000000F0  4D 4D 53 20 57 41 50 20 54 72 61 6E 73 70 6F 72  MMS WAP Transpor

00000100  74 20 53 65 72 76 69 63 65 20 62 6F 6F 6B 00 01  t Service book..

00000110  00 11 02 04 00 12 00 00 00 00 04 00 18 76 6D D8  .............vmØ

00000120  48 3F 00 16 01 00 0A 03 0C 00 09 41 6E 79 20 6E  H?.........Any n

00000130  65 74 77 6F 72 6B 00 04 00 06 30 00 00 00 0C 00  etwork....0.....

00000140  03 73 70 2E 6B 6F 6F 64 6F 2E 63 6F 6D 05 00 12  .sp.koodo.com...

00000150  00 00 00 00 00 04 00 10 00 00 00 00 04 00 11 00  ................

00000160  00 00 00                                         ...



What does it all mean?


Section and subsection headers

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  49 6E 74 65 72 40 63 74 69 76 65 20 50 61 67 65  Inter@ctive Page

00000010  72 20 42 61 63 6B 75 70 2F 52 65 73 74 6F 72 65  r Backup/Restore

00000020  20 46 69 6C 65 0A 02 00 01 00 0D 00 53 65 72 76   File.......Serv

00000030  69 63 65 20 42 6F 6F 6B 00 00 00 24 01 00 00 02  ice Book...$....

00000040  0B 00 01 E8 21 11 04 00 01 01 00 00 00 04 00 02  ...è!...........

00000050  00 00 00 00 04 00 17 01 E8 21 11 0F 00 03 4D 4D  ........è!....MM

00000060  53 20 43 6F 6E 66 69 67 20 32 2E 30 00 01 00 05  S Config 2.0....

00000070  00 04 00 06 FF FF FF FF 09 00 07 4D 4D 53 20 74  ....ÿÿÿÿ...MMS t

00000080  72 61 6E 73 05 00 08 57 50 54 43 50 50 00 09 01  rans...WPTCPP...

00000090  01 0D 37 34 2E 34 39 2E 30 2E 31 38 3A 38 30 08  ..74.49.0.18:80.

000000A0  0D 37 34 2E 34 39 2E 30 2E 31 38 3A 38 30 0D 29  .74.49.0.18:80.)

000000B0  68 74 74 70 3A 2F 2F 61 6C 69 61 73 72 65 64 69  http://aliasredi

000000C0  72 65 63 74 2E 6E 65 74 2F 70 72 6F 78 79 2F 6B  rect.net/proxy/k

000000D0  6F 6F 64 6F 2F 6D 6D 73 63 02 01 01 03 01 01 04  oodo/mmsc.......

000000E0  00 0A 01 00 00 00 04 00 0B 01 00 00 00 1F 00 0F  ................

000000F0  4D 4D 53 20 57 41 50 20 54 72 61 6E 73 70 6F 72  MMS WAP Transpor

00000100  74 20 53 65 72 76 69 63 65 20 62 6F 6F 6B 00 01  t Service book..

00000110  00 11 02 04 00 12 00 00 00 00 04 00 18 76 6D D8  .............vmØ

00000120  48 3F 00 16 01 00 0A 03 0C 00 09 41 6E 79 20 6E  H?.........Any n

00000130  65 74 77 6F 72 6B 00 04 00 06 30 00 00 00 0C 00  etwork....0.....

00000140  03 73 70 2E 6B 6F 6F 64 6F 2E 63 6F 6D 05 00 12  .sp.koodo.com...

00000150  00 00 00 00 00 04 00 10 00 00 00 00 04 00 11 00  ................

00000160  00 00 00                                         ...


Green Block Header. This header starts every service book. The three 00 bytes always follow the header. They may denote the end of the header block, or they may denote the beginning of the service book length block. In any case, they serve as the divider between the two.

Dark Grey Block The service book length block. A count of the total number of bytes that follow. It defines the total length of the service book. In this file, the value is 24 01 00 00, which breaks down as: 24(hex)=36 01(hex)=256. The total (36+256) is 292. If the number of bytes following the grey block was less than 256, there would be no 01 in the second position. For example, if there were 226 bytes following the block, the grey block would look like this: E2 00 00 00.

Light Grey Blocks Each “section” or “field” in the service book is preceded by a header or label of three bytes that defines the section length and purpose. The first of the three bytes indicates the number of bytes in the section that follows. The middle byte is always “00.” The last byte is the section identification number. So 04 00 01 means that a four byte long section follows, and that it is section type 1. You’ll notice that the next section is section type 2. If the service book contains no information for a particular section type, it is absent from the record. Hence, the jump from section 3 to section 5.

Bolded Light Grey Blocks There are two “special” sections in this example, and I’ve bolded those three-byte section headers. Type 23 (hex 17), which starts what I refer to as the “main body” of the service book, and type 22 (hex 16), which starts the Host Routing Table. Note that the content of section type 23 is always a repetition of the four bytes that appear in the “Red” Block, discussed below.

Yellow Blocks These blocks indicate subsections within section 9. In these special subsection headers, the final byte is the length indicator. I don’t understand the syntax of the preceding bytes, although they must be subsection type identifiers.

Red Block The final four bytes in this block are always repeated at the point where the main body of the service book begins. I’m not sure what the first three bytes mean, or if they’re even related. I thought they had something to do with the number of sections that follow, but that seems to be inaccurate.

In any case, knowing the basic structure of service book headers and fields should allow you to decrypt other service books.

Section content

I do not know what every section does. In what follows, each section in this particular service book is presented in order, and explained, if I understand it. In general, the section header is highlighted (as it is in the service book above) and the content, which follows the header, is not. I figured out a lot of this by opening .ipd files in the hex editor, MagicBerry, and a program called “IPDEditor,” which you can download here: https://code.google.com/p/ipdeditor/ I compared what I saw in the files with the published information on MMS settings. While the example is for an MMS service books, all service books share the same basic structure.

Where the hexadecimal numbers represent human-readable alphanumeric information, it is provided in parentheses.

49 6E 74 65 72 40 63 74 69 76 65 20 50 61 67 65 72 20 42 61 63 6B 75 70 2F 52 65 73 74 6F 72 65 20 46 69 6C 65 0A 02 00 01 00 0D 00 53 65 72 76 69 63 65 20 42 6F 6F 6B (“Inter@ctive Pager Backup/Restore File.......Service Book”) This is the main header.


00 00 00  This section always divides main header from service book length block.


24 01 00 00  The service book length block.


02 0B 00 01 E8 21 11  Not completely understood. See the explanation above.


04 00 01 01 00 00 00


04 00 02 00 00 00 00


04 00 17 01 E8 21 11 The main body of the service book begins here.


0F 00 03 4D 4D 53 20 43 6F 6E 66 69 67 20 32 2E 30 00 (“MMS Config 2.0.”) Service Book Name.


01 00 05 00


04 00 06 FF FF FF FF


09 00 07 4D 4D 53 20 74 72 61 6E 73 (“MMS trans”) Service Book UID


05 00 08 57 50 54 43 50 (“WPTCP”) Service Book CID


50 00 09 Section 9 Starts here. This section specifies the MMS configuration information and has three subsections.


01 01 0D 37 34 2E 34 39 2E 30 2E 31 38 3A 38 30 (“74.49.0.18:80”) The MMS Proxy Server and Port


08 0D 37 34 2E 34 39 2E 30 2E 31 38 3A 38 30 (“74.49.0.18:80”) MMS Proxy Server Information Repeated.


0D 29 68 74 74 70 3A 2F 2F 61 6C 69 61 73 72 65 64 69 72 65 63 74 2E 6E 65 74 2F 70 72 6F 78 79 2F 6B 6F 6F 64 6F 2F 6D 6D 73 63 (“http://aliasredirect.net/proxy/ koodo/mmsc”) MMSC URL


02 01 01 03 01 01


04 00 0A 01 00 00 00


04 00 0B 01 00 00 00


1F 00 0F 4D 4D 53 20 57 41 50 20 54 72 61 6E 73 70 6F 72 74 20 53 65 72 76 69 63 65 20 62 6F 6F 6B 00 (“MMS WAP Transport Service book”) Service Book Description


01 00 11 02


04 00 12 00 00 00 00


04 00 18 76 6D D8 48


3F 00 16 The Host Routing Table begins here.


01 00 0A 03 This field is labelled “Wireless Network” in MagicBerry


0C 00 09 41 6E 79 20 6E 65 74 77 6F 72 6B 00 (“Any network.”) Network Name


04 00 06 30 00 00 00  This field is labelled “Network Provider Code” in MagicBerry. “30” in hex is network provider code 48 in decimal numbers.


0C 00 03 73 70 2E 6B 6F 6F 64 6F 2E 63 6F 6D (sp.koodo.com) MMS Access Point Name


05 00 12 00 00 00 00 00  This field is labelled Q.O.S. in MagicBerry. It always seems to be filled with “0.0.0.0.0”


04 00 10 00 00 00 00 Gateway IP. It’s not filled in, but if it was, each byte represents one section of the IP. For example AC 19 00 6B would equal 172.25.0.107


04 00 11 00 00 00 00 MMS Port Numbers. Two port numbers may be added here. Each port number is encoded in a byte pair. So if the section was filled in as 23 F1 20 0D, you would convert the first hexadecimal pair, 23F1, as port 9201 and the second hexademical pair, 200D, as port 8205.


Happy hacking! If you notice any errors, let me know.

EOFTop