My latest research shows that the TDMA phones support simultaneously both MBUS protocols, the old one used for 21xx,31xx phones and the new 1F protocol used by the 51xx,61xx phones.
Both protocols can be used at the same time on the MBUS. The phone will decode both and react accordingly.
The old MBUS frame structure can be found in the MBUS documentation on the HERE.

Here are the few frames used by a 3Com cellular modem card:

reg cellmodem:    00 F8 05 E9 01 01 1C 01 1C SQ CS
reg response:     F8 00 7E 1C 01 1C SQ CS

unknown purpose : 00 E0 00 1D SQ CS                         probably request Alive response from cellmodem

UC_RESERVE_REQ:   00 E0 05 19 00 00 01 01 00 SQ CS          register sytem state info presentation

UC_RESERVE_REQ:   E0 00 01 CD 01 SQ CS                      phone tries to register some info from cellmodem

LN_KEY_REQ:       00 E0 02 17 01 KEYNUM SQ CS               push key
LN_KEY_REQ:       00 E0 02 17 00 KEYNUM SQ CS               release key

Dialing as cellmodem forces the phone into analoge AMPS mode, answering a call as cellmodem answers in AMPS mode
This allows transparent transmission of the analoge modem tones since digital TDMA won't transmit them transparently.
It also switches audio to the XEAR , XMIC pins automatically.

LN_ALIVE_REQ:     E0 00 00 1E SQ CS                         checks if cellmodem is still present (sent  1 /sec.)

SYS_STATE_IND:    FF 02 07 CA 1C Con 02 01 0E 0F 00 SQ CS   sytems state information
                                                            Con holds the connection state
                                                                00 = idle
                                                                01 = ringing
                                                                02 = connecting
                                                                03 = talk
                                                                04 = ringing / alternating with 01
                                                                            the other data fields are mainly fixed after phone has registered
                                                                                                                            the destignation is the Global object and the source is subaddress 02 of the Nokia phone.
 

MBUS frames (new format):

1F    = protocol identifier 1F=MBUS , 1E=FBUS, 1C=IrDa
00    = destignation address 00=phone, 10=Sevice Software, 1D=PC
1D    = source address       00=phone, 04=Carkit, 10=Sevice Software, 1D=PC, 48=DLR3 cable, F8=unknown target, FF=global target
40    = command
00 05 = data length
00 01 = data field (some fixed header)
47... = more data
SQ    = sequence number 2...63
CS    = checksum  XOR of all bytes
 

register commands:

Register req:     00 F8 05 E9    00 02 1D 00 1D        02 3C (old 2110 style)  register device 1D
 
 

0x40 commands:    (usually direct register r/w commands)

kind of end:  1F 00 10 40 00 04 00 01 64 01           SQ CS sent by Service Software when exiting

Rd phonebook:  1F 00 1D 40 00 07 00 01 1F 01 04 86 NO   SQ CS read phonebook location NO (high level)
Rd phonebook:  1F 00 7F 40 00 08 00 00 07 11 00 10 00 NO SQ CS same phonebook read more low level (works also on CDMA 6185)
Wr phonebook:  1F 00 1D 40 00 LN 00 01 1F 01 04 87 NO phone# 00 Name 00 SQ CSwrite phonebook - phone# / name are ASCII strings
 
 

0x4E commands:    (sent from a 5160i TDMA / 6160i TDMA / 6185 CDMA  or 7110 GSM phone to the uC in the DLR-3 cable)

DLR-3 req:     1F 48 00 4E 00 02 01 XX SQ CS frame sent from the phone to the DLR-3 cable (after 15kOhm resistor detected betw. XMIC (3)  and DGND (9).)
                                                                                                                             DLR-3 needs only to ACK every frame from Nokia phone on MBUS to maintain DLR-3 mode.

DLR-3 mode = enable a 19.200 bit/s AT-command set interface on the FBUS-TX and FBUS-RX lines.
DLR-3 modes are especailly useful for the new "REAL" digital data modes in TDMA networks. Also for CDMA data modes and High speed GSM  (HSCSD) data on GSM.

Flow control lines are DSR,DCD,CTS arecoded into the 2nd databyte XX:
bit.0    =    /CTS  (negative logic)
bit.1    =    /DCD (negative logic)
bit.2    =    CMD / DATA
bit.3    =    DSR
bit.4-7=0

See more information how to build a DLR-3 cable here: Adrians Datacable pages
 
 
 

0x78 / 0x79 commands:    (used by handsfree carkit) Works also on GSM phones (5110 / 6110 / etc)
These commands are used by the Nokia Carkits to switch the phone audio path to XMiC and XEAR , turn the phone on/off according to the car ignition, and control the
PA loudspeaker amplifier in the carkit and the car radio mute output which silences the car radio during a call

mute status tone:  1F 04 00 78 00 04 01 02 0E 00       SQCS status indication  = disable carkit audio amplifier (no audio / no tone)
mute status tone:  1F 04 00 78 00 04 01 02 0E 03     SQ CS status indication  = enable carkit audio amplifier (audio /  tone present)

mute status call:  1F 04 00 78 00 04 01 02 07 00     SQ CS status indication  = disable radio mute output (no call)
mute status call:  1F 04 00 78 00 04 01 02 07 01     SQ CS status indication  = enable radio mute output  (call active )

enable ???:        1F 04 00 78 00 04 01 02 08 01       SQCS status indication  = enable ???  sent to HFU-2 on power on

byte 9 (07,08,0E) seems to be a pointer to a memory location , byte 10 is the data at this memeory location.

response from HFU: 1F 00 04 78 00 03 02 01 03        SQ CS response message from HFU-2  (use unknown)

go HF and IGN on:  1F 00 04 79 00 05 02 01 01 63 00    SQ CS enables carkit mode + turns phone on  + req. mute status
go HF and IGN off: 1F 00 04 79 00 05 02 01 01 61 00    SQ CS enables carkit mode + powers phone off (1 min delay) + req. mute status

ext. HS Offhk:     1F 00 04 79 00 05 02 01 01 23 00    SQ CS enables carkit mode + external handset lifted       (OFF-Hook)
ext. HS Onhk:      1F 00 04 79 00 05 02 01 01 63 00    SQ CS enables carkit mode + external handset put back (ON-Hook)

Ignition and Hook are coded into one byte
bit.0 = 0:on power on 1:when in operation
bit.1 = IGNITION STATUS
bit.2 = x  can be 1 or 0
bit.3 = 0
bit.4 = 0
bit.5 = 1
bit.6 = Hook (inverted)
bit.7 = 0

HFU-2 version:     1F00 04 79 00 12 02 01 02 06 00 56 20 30 36 2E 30 30 0A 48 46 55 32 00 SQ CS HFU-2 version string
                                                    V      0  6  .  0  0 LF  H  F  U  2
0xD0 commands:

init:          1F 00 1D D0 00 01 04                  SQ CS   sent by the Service Software or HFU-2  on startup
init resp:     1F 1D 00 D0 00 01 05                  SQ CS   response from phone to above frame
 
 

0xD1 commands:

undefind behv.:1F 00 1D D1 00 05 00 01 47 00 00           SQ CS   Caution - might delete data
unknown     :  1F 00 1D D1 00 05 00 01 47 00 05           SQ CS   Caution - might delete data

registr. req:  1F 00 1D D1 00 09 00 F8 05 E9 00 02 1D 00 1D SQ CSnew style registration request

for the TDMA 516x, 616x phones:
key-press:     1F 00 1D D1 00 06 00 01 50 00 01 KY          SQ CS dials in digital TDMA default mode
key-release 1: 1F 00 1D D1 00 06 00 01 50 00 00 KY          SQ CS
key-release 2: 1F 00 1D D1 00 06 00 01 51 00 01 KY          SQ CS

for the CDMA phone 6185:
key-press:     1F 00 1D D1 00 06 00 01 51 00 01 KY          SQ CS dials in digital CDMA default mode
key-release 2: 1F 00 1D D1 00 06 00 01 52 00 01 KY          SQ CS
 

for the 7110 GSM and 7160 TDMA phones:
key-press:     1F 00 1D D1 00 06 00 01 46 00 01 KY         SQ CS dials in digital default mode
key-release 1: 1F 00 1D D1 00 06 00 01 47 00 01 KY          SQ CS
 

for all phones:
req phone ID:  1F 00 10 D1 00 05 00 01 00 03 00            SQ CS
req. version:  1F 00 1D D1 00 07 00 01 00 0D 00 00 02     SQ CS  requests a version information from phone
 

Keypress codes:
01..09  =     "1...9"
0x0A    =    "0"
0x0B    =    "*"
0x0C    =    '#"
0x0D    =    POWER
0x0E    =    YES
0x0F    =    NO
0x10    =    VOLUME + (ARROW UP)
0x11    =    VOLUME - (ARROW DOWN)
0x12    =    CLEAR
0x13    =    MENU LEFT
0x14    =    MENU RIGHT
...
0x17    =    MENU UP
0x18    =    MENU DOWN
0x19    =    MENU SELECT
...
0x1F    =    (some kind of reset)

Keypress commands shall be followed by key release commands.
On certain phones if a keypress is followed by another keypress the release can be omitted.
The time between keypress and keyrelease can be short (< 200 msec.) or long (> 700msec.)
These keypresses have exactly the same effect as pushing the keys on the phone.
 

0xD2 responses:

Keypress resp: 1F 1D 00 D2 00 04 01 00 50 00              SQ CSreturned from phone after receiving a keypress frame

D1 47 resp.    1F 1D 00 D2 00 04 01 00 47 00              SQ CS

ID response:   1F 10 00 D2 00 24 01 00 00 03
                                 56 20 30 33 2E 34 37 0A           V 03.47
                                 31 35 2D 30 37 2D 39 39 0A        15/7/99
                                 4E 53 57 2D 31 0A                 NSW-1
                                 28 63 29 20 4E 4D 50 2E 00    SQ CS    (c) NMP.

version resp:  1F 1D 00 D2 00 11 01 00 00 0D
                                 56 20 30 33 2E 30 32 0A           V 03.02
                                 31 38 2D 31 31           SQ CS    18-11

reg response:  1F 1D 00 D2 00 0A F8 00 05 06 AB CD EF AB CD EF SQ CS    response to new registration request
 
 

0xD8 registration:

answ:    1F F8 00 D8 00 01 55                       SQ CS       response to old registration request
 

0xDA frame:

for HFU-2:  1F 04 00 DA 00 02 00 02                  SQ CS  function unknown - sent from Nokia phone to HFU-2mute output  (call active )
 

0x7F ACK frames:

ACK frame:    1F 1D 00 7F SQ CS                                      Acknowledge for every received frameframe
 

Checksum problem:
It seems  that some phones have problems with a checksum of 1F. The frame will be recognized but it will not respond with a ACK frame.
Workaround: If the checksum will be 1F , increment the sequence number so that the checksum will be different., recalculate the checksum then and send.