RebelSIM » History » Version 2
laforge, 02/19/2016 10:48 PM
re-format table and add picture
[[PageOutline]]

= RebelSIM Card =

The RebelSIM card is a type of ''Proxy SIM'' that can be put between the SIM card reader and the actual SIM card.

The proxy is able to manipulate any message from the phone to the card or vice versa, as the SIM card protocol (TS 11.11, carried over the ISO 7816 T=0 link)
is neither encrypted nor authenticated: a device sitting in the middle of the contacts sees every command APDU, response and status word in the clear and can rewrite them.

The RebelSIM is typically used for SIM unlocking phones. However, as it is a general proxy SIM, it can be used for
any purpose, e.g. for filtering STK commands between SIM and ME (to fully disable SIM toolkit).
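As an illustration of the STK filtering use case, here is the policy layer of a T=0 APDU proxy that hides SIM Toolkit from the ME. This is an added example and not RebelSIM firmware; it assumes a transport layer (not shown) that hands it the 5-byte command header from the ME and the two status words from the SIM, and the function names (proxy_on_command, proxy_on_status, proxy_exchange, stub_sim) are hypothetical. The rule is simple: answer STK commands from the ME (TERMINAL PROFILE, FETCH, TERMINAL RESPONSE, ENVELOPE) locally with 6D00 as a card without SIM Toolkit would, and rewrite the card's "proactive command pending" status 91 XX to 90 00 so the ME never issues a FETCH.

```c
/*
 * Added example (not RebelSIM firmware): the filtering step of a T=0 APDU
 * proxy that hides SIM Toolkit from the ME.  Assumptions: a transport layer
 * hands us the 5-byte command header from the ME and the SIM's two status
 * words; all function names below are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

#define CLA_GSM               0xA0   /* TS 11.11 class byte */
#define INS_TERMINAL_PROFILE  0x10   /* ME announces its STK capabilities */
#define INS_FETCH             0x12   /* ME pulls a pending proactive command */
#define INS_TERMINAL_RESPONSE 0x14   /* ME reports the result back to the SIM */
#define INS_ENVELOPE          0xC2   /* ME delivers events / SMS-PP to the SIM */

enum action { FORWARD_TO_SIM, ANSWER_LOCALLY };

struct apdu_hdr { uint8_t cla, ins, p1, p2, p3; };

/* Command direction (ME -> SIM): swallow every STK command and answer as a
 * card without SIM Toolkit would (SW 6D00, "instruction not supported"). */
enum action proxy_on_command(const struct apdu_hdr *h, uint8_t sw[2])
{
    if (h->cla == CLA_GSM) {
        switch (h->ins) {
        case INS_TERMINAL_PROFILE:
        case INS_FETCH:
        case INS_TERMINAL_RESPONSE:
        case INS_ENVELOPE:
            sw[0] = 0x6D; sw[1] = 0x00;
            return ANSWER_LOCALLY;
        default:
            break;
        }
    }
    return FORWARD_TO_SIM;
}

/* Response direction (SIM -> ME): SW1 = 0x91 means "a proactive command of
 * SW2 bytes is waiting, please FETCH".  Rewrite it to plain 9000 so the ME
 * never learns that anything is pending.  All other status words pass. */
void proxy_on_status(uint8_t sw[2])
{
    if (sw[0] == 0x91) {
        sw[0] = 0x90; sw[1] = 0x00;
    }
}

/* One proxied exchange; 'sim' stands for the real card behind the proxy. */
typedef void (*sim_fn)(const struct apdu_hdr *h, uint8_t sw[2]);

void proxy_exchange(const struct apdu_hdr *h, sim_fn sim, uint8_t sw[2])
{
    if (proxy_on_command(h, sw) == FORWARD_TO_SIM) {
        sim(h, sw);
        proxy_on_status(sw);
    }
}

/* Constructed stand-in for the card (not a capture): it answers every command
 * with 91 14, i.e. "a 0x14-byte proactive command is pending", and counts
 * how often it was actually contacted. */
static int stub_sim_calls;
static void stub_sim(const struct apdu_hdr *h, uint8_t sw[2])
{
    (void)h;
    stub_sim_calls++;
    sw[0] = 0x91; sw[1] = 0x14;
}
int stub_sim_call_count(void) { return stub_sim_calls; }

int main(void)
{
    const struct apdu_hdr status = { CLA_GSM, 0xF2, 0x00, 0x00, 0x16 }; /* STATUS */
    const struct apdu_hdr fetch  = { CLA_GSM, INS_FETCH, 0x00, 0x00, 0x14 };
    uint8_t sw[2];

    proxy_exchange(&status, stub_sim, sw);
    printf("STATUS -> ME sees %02X %02X (card said 91 14)\n", sw[0], sw[1]);

    proxy_exchange(&fetch, stub_sim, sw);
    printf("FETCH  -> ME sees %02X %02X, card contacted %d time(s)\n",
           sw[0], sw[1], stub_sim_call_count());
    return 0;
}
```

Two caveats for anyone turning this into firmware: a real T=0 proxy must also relay the procedure byte and the data phase of each command (only the status words are decided here), and the ATR and the rest of the traffic are passed through untouched, so the ME still talks to the genuine card for everything that is not SIM Toolkit.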
RebelSIM comes in multiple flavors.

== RebelSIMCard ==

This model has not been analyzed yet.

== RebelSIMCard II ==

[[Image(rebelsim2.jpg)]]

The RebelSIMCard II contains a [http://www.silabs.com/Support%20Documents/TechnicalDocs/C8051F300_Short.pdf C8051F300] microcontroller
with 8 kBytes of Flash and 256 Bytes internal RAM. It runs at about 24 MHz internal clock rate.

=== Wiring ===

The two SIM card interfaces are wired to the F300 controller the following way:

||F300 pin||SIM/socket||signal||
||P0.0||socket||I/O||
||P0.1||SIM||RESET||
||VDD||SIM/socket||Vcc||
||P0.2||NC|| ||
||P0.3||SIM/socket||CLK||
||P0.7/C2D||testpad|| ||
||P0.6||NC|| ||
||C2CK/nRST||socket||RESET||
||C2CK/nRST||testpad|| ||
||P0.5||SIM||I/O||
||P0.4||NC|| ||

=== Programming ===

The F300 controller can be programmed using a two-wire protocol known as C2 (C2CK clock, C2D data).

However, the C2 programming pins are not both available on the SIM card contacts: C2CK is shared with the nRST pin that
the socket RESET line drives, but C2D (P0.7) is only brought out to a test pad. The official RebelSIM firmware images
are therefore presumed to contain some alternate (but unknown) means of flashing via the actual SIM card interface.

It is not known if any of the LOCK bits have been set on the card. Nobody has yet tried
to re-program it with custom firmware.

=== Development ===

The SDCC compiler claims to support the F300 (an 8051 core, handled by SDCC's mcs51 backend).