Revision 2 - History - RebelSIM - SIMtrace - Open Source Mobile Communications

RebelSIM » History » Revision 2

Revision 1 (laforge, 02/19/2016 10:48 PM) → Revision 2/6 (laforge, 02/19/2016 10:48 PM)

[[PageOutline]] 
 = RebelSIM Card = 

 The RebelSIM card is a type of ''Proxy SIM'' that can be put between the SIM card reader and the actual SIM card 

 The proxy is able to manipulate any message from the phone to the card or vice versa, as the SIM Card protocol (TS 11.11) 
 is not encrypted or authenticated. 

 The RebelSIM is typically used for SIM unlocking phones.    However, as it is a general proxy SIM, it can be used for 
 any purpose, e.g. for filtering any STK commands between SIM and ME (to fully SIM toolkit) 

 RebelSIM comes in multiple flavors. 

 == RebelSIMCard == 

 This model has not been analyzed yet. 

 == RebelSIMCard II == 

 [[Image(rebelsim2.jpg)]] 

 The RebelSIMCard II contains a [http://www.silabs.com/Support%20Documents/TechnicalDocs/C8051F300_Short.pdf C8051F300] microcontroller 
 with 8kBytes of Flash and 256 Bytes internal RAM.    It runs at about 24 MHz internal clock rate. 

 === Wiring === 

 The two SIM card interfaces are wired with the F300 controller the following way: 
 {{{ 
 F300 pin          SIM/socket        signal 

 ||F300 pin||SIM/socket||signal|| P0.0              socket            I/O 
 ||P0.0||socket||I/O|| P0.1              SIM               RESET 
 ||P0.1||SIM||RESET|| VDD               SIM/socket        Vcc 
 ||VDD||SIM/socket||Vcc|| P0.2              NC 
 ||P0.2||NC|| P0.3              SIM/socket        CLK 
 ||P0.3||SIM/socket||CLK|| P0.7/C2D          testpad 
 ||P0.7/C2D||testpad|| P0.6              NC 
 ||P0.6||NC|| C2CK/nRST         socket            RESET 
 ||C2CK/nRST||socket||RESET|| C2CK/nRST         testpad 
 ||C2CK/nRST||testpad|| P0.5              SIM               I/O 
 ||P0.5||SIM||I/O|| P0.4              NC 
 ||P0.4||NC|| }}} 

 === Programming === 

 The F300 controller can be programmed using a two-wire protocol known as C2. 

 However, the C2 programming pins are not wired to the SIM Card itself but only to test pads. 
 It is suggested that the official RebelSIM firmware images probably contain some alternate 
 (but unknown) means of flashing via the actual SIM card interface. 

 It is not known if any of the LOCK bits have been set on the card.    Nobody has yet tried 
 to re-program it with custom firmware. 

 === Development === 

 The SDCC compiler claims to support the F300.

WARNING: this project only applies to the first generation SIMtrace hardware, which uses the Atmel AT91SAM7S micro-controller. This project is not supported anymore. The hardware and software are still working, but won't get updates. This project is now replaced by SIMtrace2, which uses the SAM3S replacement micro-controller.

Project

General

Profile

SIM card related Projects » SIMtrace

RebelSIM » History » Revision 2