The Psion Link Protocol
1998-08-25
Olaf Flebbe
1) What is the Psion Link.Protocol?
2) Layers
2.1) Link
2.2) NCP
2.3) Higher Level Protocols
1) What is the Psion Link Protocol?
The Psion series of organizers (Psion3, 3a, 3c, Siena and Psion 5) use a special software for communication with a PC:
The protocol described here is for the Psion 3a, but it seems to work for the Psion 5, too.
Information resources
Installing RCOM in dosemu running LINUX. Using the strace utility I looked for system calls dealing with the serial port. (It would be simple to patch dosemu to print out this information, but I was too lazy). Here is a perl script for examine the output of strace:
The information in the prcdsk.zip File downloadable from http://www.epocworld.com for free. It is the documentation of a win16 API for Psion remote communication (PRC).
2) Layers
There seems to be different layers which make up the Psion Link Protocol:
2.1) LINK
An error correction protocol, called by PSION the Psion Link Protocol (PLP).
Data is encapsulated in packets. Each packet contains a type field containing a sequence number. The packet ca be checked with an CRC checksum.
[All Bytes are in hex.]
Each packet has the form
16 10 02 TYPE DATA 10 03 CRC.
TYPE (BYTE)
DATA A stream of data (for this level of abstraction). If DATA contains a byte with the value 0x10, it will be escaped by an additional byte 0x10. This additional byte is not included in the frame. The length of the DATA field is restricted by the maximum frame size of 300 (?) bytes.
CRC (word) The checksum is the CCITT checksum (GenCRC) of the built-in EPOC OS. It is the 16 bit checksum with poly x^16+x^12+x^5+1 (i.e. 0x1021). If a byte 0x10 is transmitted twice, it will not be included in CRC checksum. The CRC is calculated from the type byte and the DATA part.
Example:
PC: 16 10 02 31 .... 10 03 ?? ??
Psion: 16 10 02 01 10 03 21 01
This protocol seems to build up a reliable connection between PC and Psion.
2.2) NCP
On top of the LINK protocol explained in part 2.1) is the NCP protocol, which seems to multiplex different channels on the serial line. It handles up to eight channels. There is a supervisor or control channel with the number 0, which is open by default. Each higher level service requests one logical channel by control messages over the control channel.
The length of NCP messages is not limited. The information is splitted and reassembled by the NCP protocol.
Each DATA section of a LINK packet with type field 0x3? contains an NCP frame: The first byte contains the channel id of the sending process and the second byte contains the channel id of the receiving process.
Consider the messages for opening the Remote File Services
PSION->PC: 16 10 02 33 00 03 03 53 59 53 24 52 46 53 56 2e 2a 00 10 03 b5 5a
ASCII: 3 . . . S Y S $ R F S V . * .
PC->PSION: 16 10 02 03 10 03 30 63
PC->PSION: 16 10 02 33 00 03 04 03 00 10 03 f3 23
PSION->PC: 16 10 02 03 10 03 30 63
16 10 02 -> Header
33 -> type (data with sequence id 3)
00 -> channel number 0 = controlling channel
03 -> (?) concerning channel 3
03 -> (?) Inter Controller Messagetype (see below) = CONNECT TO SERVER
53 59 53 24 52 46 53 56 2e 2a 00 "SYS$RFSV.*"
-> (?) Open server process "SYStem Remote File SerVices"
10 03 -> Footer
b5 5a -> CRC
The response on supervisor channel 0:
16 10 02 -> Header
33 -> Type and sequence id.
00 -> channel number 0 = controlling channel
03 -> (?) concerning channel 3
04 -> (?) Inter Controller Messagetype 04 = CONNECT RESPONSE
03 -> ?
00 -> ?
10 03 -> Footer
f3 23 -> CRC
/* Inter controller message types */
#define NCON_MSG_DATA_XOFF 1
#define NCON_MSG_DATA_XON 2
#define NCON_MSG_CONNECT_TO_SERVER 3
#define NCON_MSG_CONNECT_RESPONSE 4
#define NCON_MSG_CHANNEL_CLOSED 5
#define NCON_MSG_NCP_INFO 6
#define NCON_MSG_CHANNEL_DISCONNECT 7
#define NCON_MSG_NCP_END 8
2.3) Higher Level Protocols
There seems to be a couple of client-server protocols/processes working when the link is activated. Most of them are simply unclear to me.
One of the first messages sent both from psion and pc:
00 00 06 03 TIME
TIME (dword)
and
00 00 06 02 TIME
Fileserver protocol
File server commands sent from the PC are wrapped into the NCP protocol. The sys$rfsv is the remote service to open.
Each message is answered by the remote server with a special tag, indicating an answer.
The messages are of the form COMMAND SIZE DATA.
Response from remote srver (Psion): 1a 00 SIZE DATA.
Possible values of COMMAND (word):
SIZE (word) The size of the whole command incl. DATA
DATA
Many commands simply return an error code (word) or 00 00 (no error). The error codes seem to be identical to the error codes in the prcsdk documentation.
All numbers are in little endian.
For each command decrypted: what is contained in DATA:
FOPEN (0) : Open file or directory
SIZE (word)
ATTRIB (word)
P_FOPEN 0x0000 /* Open file */
P_FCREATE 0x0001 /* Create file */
P_FREPLACE 0x0002 /* Replace file */
P_FAPPEND 0x0003 /* Append records */
P_FUNIQUE 0x0004 /* Unique file open */
P_FSTREAM 0x0000 /* Stream access to a binary file */
P_FSTREAM_TEXT 0x0010 /* Stream access to a text file */
P_FTEXT 0x0020 /* Record access to a text file */
P_FDIR 0x0030 /* Record access to a directory file */
P_FFORMAT 0x0040 /* Format a device */
P_FDEVICE 0x0050 /* Record access to device name list */
P_FNODE 0x0060 /* Record access to node name list */
P_FUPDATE 0x0100 /* Read and write access */
P_FRANDOM 0x0200 /* Random access */
P_FSHARE 0x0400 /* File can be shared */
NAME (string) File/DirName
Response:
STATUS (word)
HANDLE (word) file handle for access to this file object, if operation was sucessful.
---------------------------------------
FCLOSE (2)
Close file.
LENGTH (word)
HANDLE (word)
Reply:
STATUS (word) OK, if file
---------------------------------------
FDIRREAD (6)
Read Directory entries.
length (word) Length of command message.
handle (word) Handle of the directory to read. Must be obtained from the open command.
Response:
VERSION(word) 02 00 The Version of this response is 2)
STATUS (word)
P_FAWRITE 0x0001 /* can the file be written to? */
P_FAHIDDEN 0x0002 /* set if file is hidden */
P_FASYSTEM 0x0004 /* set if file is a system file */
P_FAVOLUME 0x0008 /* set if the name is a volume name */
P_FADIR 0x0010 /* set if file is a directory file */
P_FAMOD 0x0020 /* has the file been modified? */
P_FAREAD 0x0100 /* can the file be read? */
P_FAEXEC 0x0200 /* is the file executable? */
P_FASTREAM 0x0400 /* is the file a byte stream file? */
P_FATEXT 0x0800 /* is it a text file? */
SIZE (dword) The size of the file in bytes. A folder should have the size 0.
DATE (dword) The file date in seconds since 1970-01-01 00:00:00.
RESERVED (byte[4]) 4 reserved bytes.
NAME (string)
---------------------------------------
FWRITE 10
LENGTH (word)
HANDLE (word)
DATA
Response:
STATUS (word)
---------------------------------------
FINFO 22
length (word)
file name (string)
Response:
00 00
02 00 Version
status (word)
size (dword)
time (dword)
---------------------------------------
SFSTAT 24
VALUE (word)
MASK (word)
Reply:
status (word)
---------------------------------------
MKDIR 28
file name (string)
Response:
STATUS (word)
---------------------------------------
SFDATE 40
TIME (dword)
NAME (string) file name
Response:
STATUS (word)
BYTE[4] spare 69 6c 65 54
Credits
Michael Pieper