Version 18 - History - SIMtrace - SIMtrace - Open Source Mobile Communications

SIMtrace » History » Version 18

laforge, 02/19/2016 10:48 PM
add image and update status

-laforge
+[[PageOutline]]
 = Osmocom SIMtrace =
 Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.
-laforge
+It looks a bit like this:
 {{{
 #!graphviz
 digraph G{
   //rankdir = LR;
   Phone -> SIMtrace [label = "Flexi-PCB cable"];
   SIMtrace -> SIM;
   SIMtrace -> PC [label = "USB cable"];
 laforge
-laforge
+  SIMtrace [ label = "SIMtrace hardware" ];
+}
 }}}
 It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.
-laforge
+The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone.
 The received bytes are sent via USB to the PC, where a program called {{{simtrace}}} on the PC gathers data from the USB device,
 parses the APDUs and forwards them via [wiki:GSMTAP] to the [wiki:wireshark] protocol analyzer.
 == Features ==
  * Completely passive scanner
-laforge
+ * RST and ATR detection
-laforge
+ * Auto-bauding with PPS / PTS support
  * Segmentation of APDUs
 == TODO ==
  * Check for parity errors
  * Verify TCK / PCK check-bytes
 == Hardware ==
 laforge
-laforge
+There is no ready-built hardware for this yet, but we're working on it; see [wiki:SIMtrace/Hardware]
 laforge
-laforge
+The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [wiki:RebelSIM_Scanner]. If the RebelSIM scanner is used, connect the USB even if just the lines are used. It needs to be powered, else the real reader will often fail to initialize the card.
 laforge
-laforge
+Right now we are in the prototpying phase for a custom circuit board which looks like this:
 [[Image(SIMtrace/Hardware:simtrace_v09_top_mid.jpg, 33%)]]
-laforge
+=== Interconnections ===
 The hardware schematics are very, very simple:
  * Connect SIM-RST with PA7
  * Connect SIM-I/O with PA6(TXD0) and PA1(TIOB0)
  * Connect SIM-CLK with PA2(SCK0) and PA4(TCLK0)
  * Connect SIM-GND with GND
 === Mode of operation ===
-tsaitgaist
+The USART of the AT91SAM7S is capable of T=0. The documentation only mentions it in clock-master mode, like you
 would run it in a smart card reader to actively talk to a smart card. However, by using the USART input clock multiplexer,
-laforge
+you can use an externally-generated CLK like the one from the SIM card socket of the phone.
-laforge
+Unfortunately, the Rx Timeout feature of the USART is not working in T=0 mode, so I had to re-implement Rx timeout (waiting time)
 handling by means of the TC (timer/counter) block 0.  Due to technical limitations, we will wait up to one byte (12 etu) more
 than we should.
-laforge
+== Firmware ==
 The Firmware for the AT91SAM7S device was written by reusing a lot of the code for the [http://www.openpcd.org/ OpenPCD]
 RFID reader.
 There is a {{{simtrace}}} branch in the git://git.gnumonks.org/openpcd.git repository containing the latest firmware code.
 Eventually, the OS part of OpenPCD/OpenPICC/SIMtrace will be separated.  At that point, the firmware source can become
 part of simtrace.git
-tsaitgaist
+=== Toolchain ===
 The toolchain gnuarm-4.0.2 can be used to crosscompile the firmware.
 {{{
 wget http://www.gnuarm.com/bu-2.16.1_gcc-4.0.2-c-c++_nl-1.14.0_gi-6.4_x86-64.tar.bz2
 tar xf bu-*_gcc-*-c-c++_nl-*_gi-*_x86-64.tar.bz2
 mv gnuarm-* ~/gnuarm
 }}}
 To be able to use the toolchain, add the crosscompilers to your PATH
 {{{
 export PATH=~/gnuarm/bin:$PATH
 }}}
-laforge
+=== Building the firmware ===
 laforge
-laforge
+Precondition: You need to set your PATH in a way that contains an arm-elf toolchain, i.e. the same way that you build [OsmocomBB].
 {{{
-tsaitgaist
+git clone git://git.gnumonks.org/openpcd.git
 cd openpcd/firmware
 git checkout simtrace
 make -f Makefile.dfu BOARD=OLIMEX
 make BOARD=SIMTRACE DEBUG=1 TARGET=main_simtrace
 cat dfu.bin main_simtrace.bin > main_simtrace.samba
 cd ../..
-laforge
+}}}
-tsaitgaist
+=== Firmware parts ===
 laforge
 The firmware build process creates two images:
-tsaitgaist
+ * dfu.bin -- the sam7dfu 2nd level bootloader. It implements the USB DFU (Device Firmware Upgrade) profile.
  * main_simtrace.bin -- the actual simtrace program. To be loaded via DFU, using [http://dfu-util.gnumonks.org/ dfu-util].
  * main_simtrace.samba -- [http://www.openpcd.org/Sam7dfu sam7dfu] + simtrace image. to be loaded via SAM-BA, using sam7utils (see below).
 laforge
-tsaitgaist
+=== Flashing the firmware ===
 after the firmware has been flashed, '''lsusb''' should show:
 {{{
 Bus 004 Device 005: ID 16c0:0762 VOTI
 }}}
-laforge
+==== SAM-BA ====
-tsaitgaist
+The first time you flash the device, you will have to use the SAM-BA method using the '''main_simtrace.samba''' image.
 To put the board into SAM-BA mode, use the following steps:
  * unplug the board
-tsaitgaist
+ * short TEST to VCC (3.3V) pin using a jumper. leave PA0,PA1,PA2 unconnected.
-tsaitgaist
+ * power up the board
  * wait 20s
  * unplug board
  * remove jumper
 Now when the board is attached to USB, '''lsusb''' should show :
 {{{
 Bus 002 Device 015: ID 03eb:6124 Atmel Corp. at91sam SAMBA bootloader
 }}}
-laforge
+For more information about SAM-BA, please refer to the Atmel documentation on the AT91SAM7S component.
-tsaitgaist
+==== sam7utils ====
 laforge
-tsaitgaist
+sam7utils will be used to flash the '''main_simtrace.samba''' image over SAM-BA.
 {{{
 sudo aptitude install libreadline-dev
 wget http://www.openpcd.org/dl/sam7utils-0.2.1-bm.tar.bz2
 tar xf sam7utils-*.tar.bz2
 cd sam7utils
 ./configure --prefix=/usr/local
 make
 }}}
 laforge
-tsaitgaist
+to flash the samba image using serial :
 {{{
 sudo ./sam7 -l /dev/ttyUSB0 --exec set_clock --exec unlock_regions --exec "flash ../openpcd/firmware/main_simtrace.samba"
 }}}
 to flash the samba image using libusb :
 {{{
 sudo ./sam7 --exec set_clock --exec unlock_regions --exec "flash ../openpcd/firmware/main_simtrace.samba"
 }}}
-tsaitgaist
+===== sam7utils for x86 =====
 On x86, sam7utils will be compile to communicate with the board using POSIX.
 The board should be attached to a node. On ubuntu 10.10, the usb device 03eb:6124 is mapped on /dev/ttyACM0 using the cdc_cam module. If not mapped, use usbserial :
 {{{
 sudo rmmod usbserial
 sudo modprobe usbserial vendor=0x03EB product=0x6124
-laforge
+}}}
 tsaitgaist
-tsaitgaist
+Now replug board. It should map to /dev/ttyUSBx (use dmesg to know which).
 ===== sam7utils for amd64 =====
 tsaitgaist
-tsaitgaist
+On amd64, sam7utils will be compiled to communicate with the board using libusb.
 tsaitgaist
 On ubuntu 10.10 & 11.04, the usb device 03eb:6124 is mapped on /dev/ttyACMx using the cdc_cam module.
-tsaitgaist
+Remove it while the board is plugged, so sam7utils is able to communicate with it (using libusb for 10.10 and serial for 11.04).
 {{{
 sudo rmmod cdc_acm
 }}}
 laforge
-tsaitgaist
+==== DFU ====
-laforge
+TODO: Document this.
 laforge
-laforge
+== Host PC Software ==
-tsaitgaist
+The {{{simtrace}}} program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device
-laforge
+and send GSMTAP frames using UDP/IPv4 to localhost:4729.
 tsaitgaist
-tsaitgaist
+=== Preconditions ===
 laforge
-tsaitgaist
+[wiki:libosmocore] and headers (simtrace_usb.h) from the firmware.
 additional packages :
-tsaitgaist
+{{{
-tsaitgaist
+sudo apt-get install libusb-dev
-tsaitgaist
+}}}
-tsaitgaist
+=== Compiling it ===
 laforge
-tsaitgaist
+Precondition:  [wiki:libosmocore] and headers (simtrace_usb.h) from the firmware.
 {{{
-tsaitgaist
+git clone git://git.osmocom.org/simtrace.git
-tsaitgaist
+cd simtrace/at91sam7/host/
 make
 }}}
 === Using it ===
 Simply start '''simtrace'''.
-tsaitgaist
+It will send the GSMTAP frames to UDP/IPv4 localhost:4729.
 laforge
 It will also print hexdumps of the frames to the console, looking like this:
-tsaitgaist
+{{{
-laforge
+sudo ./simtrace
 APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
 APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
 APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f
 APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
 APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
 APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f
 APDU: (8):  a0 b0 00 00 01 00 91 78
 APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
 APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
 APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f
 APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
 APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f
 APDU: (9):  a0 b0 00 00 02 00 01 91 78
 APDU: (9):  a0 a4 00 00 02 6f 74 9f 0f
-laforge
+APDU: (23):  a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
 APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f
 APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
 APDU: (9):  a0 a4 00 00 02 6f 30 9f 0f
-laforge
+APDU: (22):  a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
 }}}
 == Wireshark integration ==
-tsaitgaist
+There is an experimental patch, also part of the simtrace.git package.  You will have to apply this against the latest
-laforge
+[wiki:wireshark] developer version.
 [[Image(wireshark-sim.png)]]
 Protocol parsing is far from being complete, patches are always welcome!

WARNING: this project only applies to the first generation SIMtrace hardware, which uses the Atmel AT91SAM7S micro-controller. This project is not supported anymore. The hardware and software are still working, but won't get updates. This project is now replaced by SIMtrace2, which uses the SAM3S replacement micro-controller.

Project

General

Profile

SIM card related Projects » SIMtrace

SIMtrace » History » Version 18