RebelSIM » History » Version 6
laforge, 02/20/2022 07:11 PM
{{>toc}}

h1. [[RebelSIM]] Card

The [[RebelSIM]] card is a type of _Proxy SIM_ that can be put between the SIM card reader and the actual SIM card.

The proxy is able to manipulate any message from the phone to the card or vice versa, as the SIM card protocol (TS 11.11)
is neither encrypted nor authenticated.

The [[RebelSIM]] is typically used for SIM unlocking phones. However, as it is a general proxy SIM, it can be used for
any purpose, e.g. for filtering any STK commands between SIM and ME (to fully SIM toolkit).

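
The protocol point above (everything on the SIM/ME interface travels in the clear, so a proxy sitting on it can read and rewrite every command, STK traffic included) is easiest to see by decoding a command trace. The following is an added example, not code from the RebelSIM project or from this page: it parses a constructed GSM TS 11.11 T=0 command stream (CLA 0xA0 headers followed by command data where the ME sends data to the card) and produces one log line per command, marking SIM Toolkit commands and masking the CHV value that VERIFY CHV carries in plaintext. The INS-to-name table follows TS 11.11 section 9.2; the table of which commands carry command data, the `Command` class, the helper names and the trace bytes are assumptions of this example.

```python
"""Decode GSM TS 11.11 command APDUs as they travel between ME and SIM.

Added example, not part of the RebelSIM wiki page. It shows what a passive
monitor (or a proxy SIM) on the interface sees in the clear: every command
header, the selected file IDs, the plaintext CHV passed to VERIFY CHV, and
the SIM Toolkit dialogue (FETCH / TERMINAL RESPONSE / ENVELOPE).
"""
from dataclasses import dataclass
from typing import List

# Command names by INS byte, GSM TS 11.11 section 9.2. CLA is always 0xA0 for GSM.
GSM_INS = {
    0xA4: "SELECT", 0xF2: "STATUS", 0xB0: "READ BINARY", 0xD6: "UPDATE BINARY",
    0xB2: "READ RECORD", 0xDC: "UPDATE RECORD", 0xA2: "SEEK", 0x32: "INCREASE",
    0x20: "VERIFY CHV", 0x24: "CHANGE CHV", 0x26: "DISABLE CHV", 0x28: "ENABLE CHV",
    0x2C: "UNBLOCK CHV", 0x04: "INVALIDATE", 0x44: "REHABILITATE",
    0x88: "RUN GSM ALGORITHM", 0xFA: "SLEEP", 0xC0: "GET RESPONSE",
    0x10: "TERMINAL PROFILE", 0xC2: "ENVELOPE", 0x12: "FETCH", 0x14: "TERMINAL RESPONSE",
}

# SIM Toolkit related commands (TERMINAL PROFILE, ENVELOPE, FETCH, TERMINAL RESPONSE).
STK_INS = {0x10, 0xC2, 0x12, 0x14}

# Commands for which the ME sends P3 data bytes to the card after the 5-byte header.
# Simplifying assumption of this example: all other commands only read from the card.
INS_WITH_COMMAND_DATA = {0xA4, 0xD6, 0xDC, 0xA2, 0x32, 0x20, 0x24, 0x26, 0x28,
                         0x2C, 0x88, 0x10, 0xC2, 0x14}


@dataclass
class Command:
    ins: int
    name: str
    p1: int
    p2: int
    p3: int
    data: bytes = b""

    @property
    def is_stk(self) -> bool:
        return self.ins in STK_INS


def parse_trace(raw: bytes) -> List[Command]:
    """Split a raw stream of command APDUs (header + optional data) into Commands."""
    cmds: List[Command] = []
    pos = 0
    while pos < len(raw):
        if len(raw) - pos < 5:
            raise ValueError(f"truncated header at offset {pos}")
        cla, ins, p1, p2, p3 = raw[pos:pos + 5]
        if cla != 0xA0:
            raise ValueError(f"unexpected class byte {cla:#04x} at offset {pos}")
        pos += 5
        data = b""
        if ins in INS_WITH_COMMAND_DATA:
            data = raw[pos:pos + p3]
            if len(data) != p3:
                raise ValueError(f"truncated command data for INS {ins:#04x}")
            pos += p3
        cmds.append(Command(ins, GSM_INS.get(ins, "UNKNOWN"), p1, p2, p3, data))
    return cmds


def is_well_formed(raw: bytes) -> bool:
    """True if the whole stream parses without a truncated or foreign-class APDU."""
    try:
        parse_trace(raw)
        return True
    except ValueError:
        return False


def describe(cmd: Command) -> str:
    """One log line per command; STK traffic is tagged, the CHV value is masked."""
    detail = ""
    if cmd.ins == 0xA4 and len(cmd.data) == 2:
        detail = f" file={cmd.data.hex().upper()}"
    elif cmd.ins == 0x20:
        # VERIFY CHV carries the 8-byte CHV unencrypted; record only that it was seen.
        detail = f" chv{cmd.p2} value=<{len(cmd.data)} plaintext bytes, masked>"
    elif cmd.ins == 0x88:
        detail = f" rand={cmd.data.hex().upper()}"
    tag = " [STK]" if cmd.is_stk else ""
    return f"{cmd.name}{tag} P1={cmd.p1:02X} P2={cmd.p2:02X} P3={cmd.p3:02X}{detail}"


def summarize(raw: bytes) -> List[str]:
    return [describe(c) for c in parse_trace(raw)]


# Constructed trace for this example: SELECT MF, SELECT DF_GSM, VERIFY CHV1 "1234",
# RUN GSM ALGORITHM with a dummy RAND, then an STK exchange FETCH / TERMINAL RESPONSE.
SAMPLE_TRACE = bytes.fromhex(
    "A0A40000023F00"                                    # SELECT MF (3F00)
    "A0A40000027F20"                                    # SELECT DF_GSM (7F20)
    "A02000010831323334FFFFFFFF"                        # VERIFY CHV1, "1234" padded with FF
    "A08800001000112233445566778899AABBCCDDEEFF"        # RUN GSM ALGORITHM, 16-byte RAND
    "A012000020"                                        # FETCH, expecting 0x20 bytes back
    "A01400000C810301250082028281830100"                # TERMINAL RESPONSE (SET UP MENU, ok)
)

if __name__ == "__main__":
    for line in summarize(SAMPLE_TRACE):
        print(line)
```

The point for a defender is the third log line: a monitor on the interface has to mask the CHV itself, because nothing in TS 11.11 does it for you, and the two `[STK]` lines are exactly the traffic a proxy SIM can filter or rewrite, as the paragraph above describes.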
[[RebelSIM]] comes in multiple flavors.

h2. [[RebelSIMCard]]

This model has not been analyzed yet.

h2. [[RebelSIMCard]] II

!rebelsim2.jpg!

The [[RebelSIMCard]] II contains a "C8051F300":http://www.silabs.com/Support%20Documents/TechnicalDocs/C8051F300_Short.pdf microcontroller
with 8 kBytes of Flash and 256 bytes of internal RAM. It runs at an internal clock rate of about 24 MHz.

h3. Wiring

The two SIM card interfaces are wired to the F300 controller the following way:

|_.F300 pin|_.SIM/socket|_.signal|
|P0.0|socket|I/O|
|P0.1|SIM|RESET|
|VDD|SIM/socket|Vcc|
|P0.2|NC||
|P0.3|SIM/socket|CLK|
|P0.7/C2D|testpad||
|P0.6|NC||
|C2CK/nRST|socket|RESET|
|C2CK/nRST|testpad||
|P0.5|SIM|I/O|
|P0.4|NC||

h3. Programming

The F300 controller can be programmed using a two-wire protocol known as C2.

However, the C2 programming pins are not wired to the SIM card contacts themselves but only to test pads.
It is suggested that the official [[RebelSIM]] firmware images probably contain some alternate
(but unknown) means of flashing via the actual SIM card interface.

It is not known whether any of the LOCK bits have been set on the card. Nobody has yet tried
to re-program it with custom firmware.

h3. Development

The SDCC compiler claims to support the F300.