SIM card related Projects » SIMtrace

[[PageOutline]]

= Osmocom SIMtrace =

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It looks a bit like this:

{{{

#!graphviz

digraph G{

  //rankdir = LR;

  Phone -> SIMtrace [label = "Flexi-PCB cable"];

  SIMtrace -> SIM;

  SIMtrace -> PC [label = "USB cable"];

  SIMtrace [ label = "SIMtrace hardware" ];

}

}}}

When connected to a phone, it looks like this:

[[Image(simtrace_and_phone.jpg, align=center,50%)]]

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone.

The received bytes are sent via USB to the PC, where a program called {{{simtrace}}} on the PC gathers data from the USB device,

parses the APDUs and forwards them via [wiki:GSMTAP] to the [wiki:wireshark] protocol analyzer.

== Features ==

 * Completely passive scanner

 * RST and ATR detection

 * Auto-bauding with PPS / PTS support

 * Segmentation of APDUs

== Modi ==

[[Image(simtrace_functions.png, align=right,33%)]]

SIMtrace has the possibility to work as:

 * sniffer

 * card reader

 * card emulator

 * man-in-the-middle

The SAM7S offers 2 T=0 capable USART ports.

One is connected to the phone (PA21-PA27), the other to the SIM (PA1-PA7).

The lines goes from the phone to the SIM through a bus switch (IC4=[http://www.ti.com/lit/ds/symlink/sn74cb3q3244.pdf CB3Q3244]).

The bus switch offer 2 buses of 4 lines:

 * The first is used to forward RST, CLK, and VPP (between the SIM and the phone). It is controlled by SC_SW (PA20)

 * The second is used to forward I/O (between the SIM and the phone). It is controlled by SC_I/O (PA19)

The various modi require to interrupt different lines:

|| SW_SC (PA20) || SC_I/O (PA19) || description || modus ||

|| L || L || phone and SIM directly connected || sniffer (use any USART port) ||

|| L || H || only I/O interrupted || MitM (use both USART port) ||

|| H || H || phone and SIM not connected || card read, emulator (use each USART port) ||

As of 2012-01-12, only the sniffer is implemented

SIM cards support various classes (voltage levels): class A = 5.0V, class B = 3.0V, class C = 1.8V.

SIMtrace v1.x only supports class B (3.0V), which all actual SIM cards and phone also support.

To ensure class B is used, SIMtrace forces 3.3V (within the 3.0V±10% spec) by holding the VCC line at this voltage.

SIMtrace v2 will support all 3 classes.

== TODO ==

 * Check for parity errors

 * Verify TCK / PCK check-bytes

 * Implement MITM

== Hardware ==

The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [wiki:RebelSIM_Scanner]. If the RebelSIM scanner is used, connect the USB even if just the lines are used. It needs to be powered, else the real reader will often fail to initialize the card.

Now we have a dedicated PCB design.  The schematics and Gerber files are released as open source hardware and can be produced by everyone.

However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace

More details are available at [wiki:SIMtrace/Hardware]

== Firmware ==

The firmware for the AT91SAM7S device was written by reusing a lot of the code for the [http://www.openpcd.org/ OpenPCD]

RFID reader.  Details are available at [wiki:SIMtrace/Firmware].

== Host PC Software ==

The {{{simtrace}}} program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device

and send GSMTAP frames using UDP/IPv4 to localhost:4729.

=== Preconditions ===

[wiki:libosmocore] and headers (simtrace_usb.h) from the firmware.

additional packages :

{{{

sudo apt-get install libusb-1.0-0-dev

}}}

=== Compiling it ===

{{{

git clone git://git.osmocom.org/simtrace.git

cd simtrace/host/

make

}}}

=== Using it ===

Simply start '''simtrace'''.

It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:

{{{

sudo ./simtrace

APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f

APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78

APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f

APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78

APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78

APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f

APDU: (8):  a0 b0 00 00 01 00 91 78

APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f

APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78

APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f

APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78

APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f

APDU: (9):  a0 b0 00 00 02 00 01 91 78

APDU: (9):  a0 a4 00 00 02 6f 74 9f 0f

APDU: (23):  a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78

APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f

APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78

APDU: (9):  a0 a4 00 00 02 6f 30 9f 0f

APDU: (22):  a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78

}}}

== Wireshark integration ==

There is an experimental patch, also part of the simtrace.git package.  You will have to apply this against the latest

[wiki:wireshark] developer version.

[[Image(wireshark-sim.png)]]

Protocol parsing is far from being complete, patches are always welcome!

== Contact / Mailing List ==

For any development or usage related questions, there is a mailinglist [mailto:simtrace@lists.osmocom.org], you can subscribe/unsubscribe to it at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please kindly observe our [http://openbsc.osmocom.org/trac/wiki/MailingListRules Mailing List Rules]