At this point we have a fairly good idea of what Carrier IQ is, and which manufacturers and carriers see fit to install it on their phones, but the Electronic Frontier Foundation (EFF) — the preeminent protector of your digital rights — has taken it one step further and reverse engineered some of the program’s code to work out what’s actually going on.

There are three parts to a Carrier IQ installation on your phone: the program itself, which captures your keystrokes and other “metrics”; a configuration file, which varies from handset to handset and carrier to carrier; and a database that stores your actions until they can be transmitted to the carrier. Now, the Carrier IQ program is a binary application and fairly hard to reverse engineer, and the database sounds like it’s stored in RAM and thus hard to obtain — but the configuration profile… well, it turns out that it is very easy to crack.

An EFF volunteer, Jered Wierzbicki, reverse engineered the format of these profiles — which were unencrypted — and now, if you understand the Forth programming language, you can see the rules that dictate when Carrier IQ transmits your data to the carrier, and in some cases a hint of what data is being captured. Better yet, Wierzbicki has shared his findings in the form of IQIQ, a program that parses your phone’s Carrier IQ profile into a human-readable XML format.

If you don’t read Forth, you can see an annotated version of the default T-Mobile Carrier IQ profile — but only the section that defines when a handset tries to send data home. The complete, uncommented profile contains rules about which data (“metrics” in codespeak) should be uploaded to the carrier, but as we have no idea what “SS10,” “SS2A,” and myriad other metrics are, we can’t draw many conclusions.

The EFF now has a call-out on XDA-Developers asking Android users to upload their profiles so that Carrier IQ can be better understood. If you have a rooted phone, you’re strongly encouraged to help out — it doesn’t take long to scan your phone for the files, and there’s no risk involved. Don’t forget, though, if you already have CyanogenMod installed, Carrier IQ won’t be on there.

Ultimately, Carrier IQ — not the carriers — isn’t going to tell us the exact extent of the data being keylogged by our own phones. Senator Al Franken squeezed a fair bit of data out of the carriers and OEMs, and he’ll no doubt go back for more, but it’s almost guaranteed that the corporate overlords are holding data back. Hopefully, if the community can produce enough data points, and perhaps if the Carrier IQ software itself can be reverse engineered, we should be able to answer the remaining questions ourselves.

Read more at EFF