NBX protocol

This page is here since there is a total lack of online support from 3com.

The 3com phones use a protocol that runs at the ether layer.

struct packet {
    char dest[6];   // ether addr
    char src[6];    // ether addr
    short proto;    // always 0x8868
    short type; //'HA'..'HB'..'HC'...
    char orig[6];   // ether addr
    short seq;
    unsigned char data[4];  // it's bigger...
};
The dest, src and proto fields are the low-level Ethernet header. There is also a CRC on the end, but that can be ignored unless you want to work at a very low level.

The 'H' may be because it's Henry Houh's protocol. The letter after the 'H' is one of these:

The format of an HH (Ack) packet is:
HA, mac-address, Seq_no, channel, state, unknown (last 3 could be swapped)
The seq no is the seq no of the packet being acked

      H H Ether  address snum      chan  dev
8868 4848 00e0 bb03 d0b1 0001 95ec 0001 0004
8868 4848 00e0 bb03 d0b1 0001 95ec 0001 0004

Proto h h Ether  address seq  0001 0001 dev
8868 4848 00e0 bb04 27c5 d873 0001 0001 0005 [ filler ....]
The format of an HE (Error) packet is:
HA, mac-address, Seq_no, 01, state, error code? (last 3 could be swapped)
The seq no is the seq no of the packet being acked

The error is sent to the address inside the received packet and not the source address. This means you can fake messages without setting your own ether address to the ncp. If you want to fake a message to a phone, you should set the internal address to the ncp.

      H E Ether  address snum flag chan  dev error code
8868 4848 00e0 bb03 d0b1 0001 95ec 0001 0004
8868 4845 00e0 bb04 27c5 0400 0101 0001 0005 ffff 8002
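
Seen from the receiving side, the point above means the inner address is not tied to the Ethernet source. The following is an added example (not code from the original page): a bounds-checked parser for the header struct above that flags frames whose Ethernet source differs from the inner address. It assumes a genuine sender puts its own MAC in orig; the dest/src bytes, function names and verdict constants are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBX_ETHERTYPE 0x8868
#define NBX_HDR_LEN   24  /* dest 6 + src 6 + proto 2 + type 2 + orig 6 + seq 2 */

enum { NBX_NOT_NBX = -1, NBX_OK = 0, NBX_MISMATCH = 1 };

struct nbx_hdr {
    uint8_t  src[6];   /* Ethernet source address */
    uint8_t  orig[6];  /* address carried inside the NBX header */
    char     type;     /* letter after the 'H' */
    uint16_t seq;
};

/* Decode by explicit offset and length; multi-byte fields are big-endian. */
static int nbx_parse(const uint8_t *f, size_t len, struct nbx_hdr *h)
{
    if (len < NBX_HDR_LEN) return -1;                   /* truncated frame */
    if (((f[12] << 8) | f[13]) != NBX_ETHERTYPE) return -1;
    if (f[14] != 'H') return -1;
    memcpy(h->src, f + 6, 6);
    h->type = (char)f[15];
    memcpy(h->orig, f + 16, 6);
    h->seq = (uint16_t)((f[22] << 8) | f[23]);
    return 0;
}

/* Assumption: a genuine sender puts its own MAC in orig, so src != orig is suspect. */
static int nbx_check(const uint8_t *f, size_t len)
{
    struct nbx_hdr h;
    if (nbx_parse(f, len, &h) != 0) return NBX_NOT_NBX;
    return memcmp(h.src, h.orig, 6) == 0 ? NBX_OK : NBX_MISMATCH;
}

/* Constructed frames: dest/src are made up; from proto on, the page's HE sample. */
#define HE_BODY 0x88,0x68,'H','E', 0x00,0xe0,0xbb,0x04,0x27,0xc5, 0x04,0x00, \
                0x01,0x01, 0x00,0x01, 0x00,0x05, 0xff,0xff, 0x80,0x02
static const uint8_t GENUINE[] = { 2,0,0,0,0,1, 0x00,0xe0,0xbb,0x04,0x27,0xc5, HE_BODY };
static const uint8_t SPOOFED[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, HE_BODY };

int main(void)
{
    printf("genuine=%d spoofed=%d short=%d\n", nbx_check(GENUINE, sizeof GENUINE),
           nbx_check(SPOOFED, sizeof SPOOFED), nbx_check(GENUINE, 20));
    return 0;
}
```
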
The HR (Request?) packets come in two sizes.
H R  Ether  address snum 
4852 00e0 bb0b d8be d722 
                         0001 0101 0000
0005 0202 80b3 0027 0000 0007 0007 ffff
1107 00ff 0007 0017 0017 ffff 
                              Ring
                              1207 
                                   00ff
0007 5500 00
            Button lights
            03 0000 f003 000f fff0      
			           ????
                                   0220
Display Text....
2020 2020 2020 2020 2020 2020 2020 2020
2020 2020 2020 2020 2020 2020 2020 2020
2020 2020 2020 2020 2020 2020 2020 2020
2020 2020 2020 2020 2020 2020 2020 2020
What to display
          CC          TT 
0000 0101 0000 0101 0000 0101 0000

Buttons 0=off
1=slow flash
2=fast flash
3=solid
Ring 0-9 for ring toneA
0-3 for how many rings (0 = on always, 1 = 1 ring, 2 = two rings, 3 = 3 rings)
Next bits may be for how long it's on

What to display sets the default display settings. CC=1 for a clock with seconds, TT=01 for a count up call timer

The voice packets 'A' may be scrambled. I'm not sure how that is done. They are 8kbytes/sec packets (ISDN rate). The music on hold packets are 192 bytes.







case 'A':    // Voice packet
    // mu-law encoded 8-bit samples
    //printf("HA\n");
    //write(sound, &d[12], 192);
    // d[10..11]: seq, assuming d starts at the proto field
    printf("A%d %d", d[10]*256 + d[11], count);
    //fprintf(out,"%c",'X');
    for (i = 12; i < 192 + 12; i++) {    // 192 payload bytes starting at d[12]
        //printf("%02x",d[i]);
        //fprintf(out,"%d,\n",d[i]);
        fprintf(out, "%c", d[i]);
    }
    printf("\n");
    break;
This example has 4 known phones
8868 4855 00e0 bb0b d8be eaf9
0001 0101 0000 0000 0001 80b3 0000 0000 c0a8
69be 07d2 0709 150f 1f40 0300 0000 0200
 cnt PPPP  P=One nibble per phone that is on line up to cnt
0002 3300 0600 0006 0000 0000 0000 0900
0000

5 phones:
0001 8868 4855 00e0 bb0b d8be 62fb 0001
0101 0000 0000 0001 80b3 0000 0000 c0a8
69be 07d2 0709 151a c350 0300 0000 0200
0004 0300 0000 0600 0006 0000 0000 0000
0900 0000

6 phones:
0001 8868 4855 00e0 bb0b d8be 99fb 0001
0101 0000 0000 0001 80b3 0000 0000 c0a8
69be 07d2 0709 151c 84d0 0300 0000 0200
0004 0000 0000 0600 0006 0000 0000 0000
0900 0000
This will pull bits out of the 'U' packets and tell you which phones are online.
// 'U' decoding
//data[0..5] is the dest address
//dec11 213 ???????               h
//0c0b 0e0b e2900300 00000200 000e3000
//48   50   52       56           60
// real structure is:
// 2:  0x0200
//     2 byte size (rounded to words)
// ... each phone is 4 bits
//     phones are '3'
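case 'U':    // 0x55 update
    // broadcast every second or so
    // sometimes to specific phones
    if (s < 72) {    // the fixed offsets below read up to data[71]
        printf("Update: short packet (%d bytes)\n", (int)s);
        break;
    }
    printf("Update: \n");
    for (i = 14 + 32; i < s; i++) {
        printf("%02x", data[i]);
        if (i % 4 == 1) printf(" ");
    }

    // data[14+32] comes off the wire: range-check it before indexing Months[]
    // (assumes Months is an array, so sizeof gives its length).
    // The original format string had five conversions for six arguments;
    // a sixth %d now prints data[51] as well.
    printf("%s %d %d:%02d  %d %d\n",
           data[14+32] < sizeof(Months) / sizeof(Months[0]) ? Months[data[14+32]] : "???",
           data[47], data[48] % 12, data[49], data[50], data[51]);

    ph_cnt = 0;
    printf("type of table=%04x\n", data[59-2] + data[58-2] * 256);
    printf("size of table=%d\n", data[59] + data[58] * 256);
    // Two phones per byte, high nibble first; Phones[] needs at least 24 entries
    for (i = 60; i < 72; i++) {
        int a, b;
        a = b = data[i];
        a = a >> 4;
        b = b & 0xf;
        if (a) ph_cnt++;
        if (b) ph_cnt++;
        if (a)
            printf("phone %d (%s) on a %x (%02x)\n", (i-60)*2,
                   Phones[(i-60)*2], a, data[i]);
        if (b)
            printf("phone %d (%s) on a %x (%02x)\n", (i-60)*2+1,
                   Phones[(i-60)*2+1], b, data[i]);
    }
    printf("%d phones on line\n", ph_cnt);
    break;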

This (google for nbx nboss) claims that the NBX uses:
5. Internal NBX100 Protocols
MULAW Scrambled & unscrambled, Unreliable 192 bytes per frame.
MULAW Scrambled, Unreliable 192 bytes per frame.
MULAW Unscrambled, reliable
IMA ADPCM Scrambled/Unscrambled,

They also claim: With multiple pseudo-TLIMs, each pseudo TLIM will require a separate MAC address. It seems convenient to tie this MAC address specification to licensing. A license is a file that has pseudo TLIM MAC addresses along with the NBOSS MAC address encrypted in it. Therefore a license only works with one NCP, and two gateways on the same NCP cannot use the same license. [ Someone can pirate a single channel version easily, but to run multiple channels, they’d need a PC per channel.]



 This page was last updated Tuesday, 09-Jul-2002 11:31:51 UTC Copyright 2000-2018 thogard™ is a trademark of Tim Hogard