Collecting the data

Two streams of data are of interest: trace information from the mobile and position information from a GPS receiver.

To acquire position information, I used a commercial Navman device, which was modified to boot into WinCE and transmit NMEA data over a TCP connection (via Bluetooth Dial-Up Networking and GPS2Blue) to a virtual serial port on my laptop, which in turn was connected to gpsd. Full details can be found here.

To enable network monitor mode and receive trace information from the mobile, gammu is the way to go. Thanks to 'wumpus' and the protocol/packet dissection available at Project Blacksphere, gammu's 'nokiadebug' mode will enable a computer to receive information on what the phone is doing (note: trace data only applies to your phone only, no one else's, so don't get any ideas...).

A sample (pretty-printed) trace is as follows:

t=0a4f nr=6e: D 11: 03 07 11 65 00 a2 00 65 01 00 00 00
<2413> (0/0623)
t=0a4f nr=6f:
<240E> L2:prim/RR<-:UNIT_DATA_IND(0/05EB)
t=0a4f nr=70:
t=0a95 nr=71: D 80: ch=50 bsic=7 err=0 t=23DBD6 arfcn=101 shift=4453
Length : used=18 ID=1
Inform : [06 1b 54 93 05 f5 30 07 d6 c8 04 14 14 63 00 51 00 00]
  Radio Resources management messages (GSM 04.18)
<255A> Unknown
t=0a95 nr=72: 03 f9
t=0afe nr=73: D 83: 00 00 b1 b1 00 65 ab a3 b1 a0 a0 a6 9d a1 80 a4 80 80 80 80 80 80 80 aa
<1999> MDI:d2m/TXC_BIAS_MEAS
t=0afe nr=74: D 99: 00
t=0afe nr=75: D 4A: 01 30 14 50
t=0aff nr=76: D 11: 03 22 0d 3c 00 93 00 5a 01 00 00 00
t=0b1f nr=77: D 80: ch=50 bsic=34 err=0 t=23DCC6 arfcn=90 shift=3388
Length : used=16 ID=1
Inform : [06 1c 05 f5 30 07 d5 63 00 51 00 00 64 51 40 5a]
  Radio Resources management messages (GSM 04.18)

The packets sent to and received from the network are also logged in XML format, which can then be read by Wireshark:

To enable the trace information to be streamed into the final mapping application, I modified gammu by adding a TCP server, which allows clients to connect and receive the raw trace data as it sent by the mobile. (To aid debugging and further reverse engineering of the packet information, I also added log file name incrementing so the previous would not be overwritten - very handy indeed.)

The relevant data is collected from Radio Resource System Information packets (via MDI RECEIVED_BLOCK), as well as low-level information from phone-specific messages (in particular RSSI_RESULTS, which is not correctly documented on Project Blacksphere and required reversing).