SIMtrace » History » Version 37

tsaitgaist, 02/19/2016 10:48 PM
udp sink

[[PageOutline]]

= Osmocom SIMtrace =

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It looks a bit like this:

{{{
#!graphviz
digraph G{
  //rankdir = LR;
  Phone -> SIMtrace [label = "Flexi-PCB cable"];
  SIMtrace -> SIM;
  SIMtrace -> PC [label = "USB cable"];

  SIMtrace [ label = "SIMtrace hardware" ];
}
}}}

When connected to a phone, it looks like this:

[[Image(simtrace_and_phone.jpg, align=center,50%)]]
[[Image(simtrace_functions.png, align=right,33%)]]

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone.
The received bytes are sent via USB to the PC, where a program called {{{simtrace}}} gathers the data from the USB device,
parses the APDUs and forwards them via [wiki:GSMTAP] to the [wiki:wireshark] protocol analyzer.

== Features ==
 * Completely passive scanner
 * RST and ATR detection
 * Auto-bauding with PPS / PTS support
 * Segmentation of APDUs

== TODO ==
 * Check for parity errors
 * Verify TCK / PCK check-bytes
 * Implement MITM

== Hardware ==

The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [wiki:RebelSIM_Scanner]. If the RebelSIM scanner is used, connect its USB even if only the signal lines are used: it needs to be powered, otherwise the real reader will often fail to initialize the card.

Now we have a dedicated PCB design.  The schematics and Gerber files are released as open source hardware and can be produced by anyone.

However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace

More details are available at [wiki:SIMtrace/Hardware]

== Firmware ==

The firmware for the AT91SAM7S device was written by reusing a lot of the code of the [http://www.openpcd.org/ OpenPCD]
RFID reader.  Details are available at [wiki:SIMtrace/Firmware].

== Host PC Software ==

The {{{simtrace}}} program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device
and send GSMTAP frames using UDP/IPv4 to localhost:4729.

=== Preconditions ===

[wiki:libosmocore] and the headers (simtrace_usb.h) from the firmware.

Additional packages:
{{{
sudo apt-get install libusb-1.0-0-dev
}}}

=== Compiling it ===

{{{
git clone git://git.osmocom.org/simtrace.git
cd simtrace/host/
make
}}}

=== Accessing it ===

Add a udev rule so that simtrace can access the device as a non-root user (the user only needs to be in the osmocom group):

{{{
sudo groupadd osmocom
sudo adduser $USERNAME osmocom
sudo tee /etc/udev/rules.d/10-osmocom.rules << EOF
# to use, install this file in /etc/udev/rules.d as 10-osmocom.rules
# rule to grant read/write access on SIMtrace to group named osmocom.
ACTION=="add", BUS=="usb", SYSFS{idVendor}=="16c0", SYSFS{idProduct}=="0762", GROUP:="osmocom", MODE:="0660"
# newer udev releases dropped the BUS and SYSFS{} keys; there use instead:
# ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="16c0", ATTR{idProduct}=="0762", GROUP:="osmocom", MODE:="0660"
EOF
sudo service udev reload
}}}

You must log out and back in for the group membership to take effect.

=== Using it ===

Simply start '''simtrace'''.
It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:
{{{
sudo ./simtrace
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f
APDU: (8):  a0 b0 00 00 01 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f
APDU: (9):  a0 b0 00 00 02 00 01 91 78
APDU: (9):  a0 a4 00 00 02 6f 74 9f 0f
APDU: (23):  a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f
APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9):  a0 a4 00 00 02 6f 30 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
}}}
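Each line above is one segmented APDU: the 5-byte T=0 header, the data field, and the two status bytes. The following decoder is an added example (not part of the simtrace tool or this wiki) that splits such lines and names the instruction, file and status word; the EF names and status-word meanings are taken from GSM 11.11 / 11.14, not from the page, and the three sample lines are copied from the dump above.

```python
import re

# Constructed sample: three lines in the format the simtrace host tool prints.
SAMPLE = """\
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
"""
# GSM 11.11 / 11.14 instruction codes commonly seen on the SIM-ME interface.
INS_NAMES = {0xA4: "SELECT", 0xC0: "GET RESPONSE", 0xB0: "READ BINARY",
             0xB2: "READ RECORD", 0xD6: "UPDATE BINARY", 0xDC: "UPDATE RECORD",
             0x20: "VERIFY CHV", 0x88: "RUN GSM ALGORITHM", 0xF2: "STATUS",
             0x12: "FETCH", 0x14: "TERMINAL RESPONSE", 0xC2: "ENVELOPE"}
# Instructions whose data field travels from the SIM to the phone (T=0 case 2).
CARD_TO_PHONE = {0xC0, 0xB0, 0xB2, 0xF2, 0x12}
# A few GSM 11.11 elementary files; unknown file IDs are shown as hex.
EF_NAMES = {0x6F07: "EF_IMSI", 0x6F38: "EF_SST", 0x6FAD: "EF_AD", 0x6F7E: "EF_LOCI",
            0x6F78: "EF_ACC", 0x6F74: "EF_BCCH", 0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel"}
LINE_RE = re.compile(r"APDU: \((\d+)\):\s+((?:[0-9a-fA-F]{2}\s*)+)$")

def decode_sw(sw1, sw2):
    """Status word meanings per GSM 11.11 (9F xx) and GSM 11.14 (91 xx)."""
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x9F:
        return f"OK, {sw2} response bytes available (GET RESPONSE)"
    if sw1 == 0x91:
        return f"OK, proactive SIM command of {sw2} bytes pending (FETCH)"
    return f"SW {sw1:02x}{sw2:02x}"

def decode_line(line):
    """Split one hexdump line into header, data field and status word."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a simtrace APDU line: {line!r}")
    raw = bytes.fromhex(m.group(2))
    if len(raw) != int(m.group(1)) or len(raw) < 7:
        raise ValueError(f"length field disagrees with hexdump: {line!r}")
    cla, ins, p1, p2, p3 = raw[:5]
    data, sw1, sw2 = raw[5:-2], raw[-2], raw[-1]
    if data and len(data) != p3:          # an error SW may leave the data field empty
        raise ValueError(f"P3={p3} but {len(data)} data bytes: {line!r}")
    info = {"cla": cla, "ins": INS_NAMES.get(ins, f"INS {ins:02x}"), "p1": p1, "p2": p2,
            "direction": "SIM->phone" if ins in CARD_TO_PHONE else "phone->SIM",
            "data": data.hex(), "sw": decode_sw(sw1, sw2)}
    if ins == 0xA4 and len(data) == 2:    # SELECT carries the 2-byte file ID
        info["file"] = EF_NAMES.get(int.from_bytes(data, "big"), data.hex())
    return info

def decode_dump(text):
    return [decode_line(l) for l in text.splitlines() if l.startswith("APDU:")]
```

Run over the full console dump above, it shows the phone walking through EF_IMSI, EF_SST, EF_AD, EF_LOCI and so on right after power-up, with every 91 78 status indicating a pending proactive SIM command.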

== Wireshark integration ==

There is an experimental patch, also part of the simtrace.git package.  It is also included in the [wiki:wireshark] developer version (since wireshark 1.7.1).

To see the APDUs in wireshark:
 * on localhost, SIMtrace automatically opens a UDP sink locally, so nothing needs to be done
 * to get the data on another machine:
   * start a UDP sink for GSMTAP on the other machine (do not use netcat, as it "connects" back)
{{{
socat -u udp-recv:4729 /dev/null
}}}
   * tell SIMtrace which machine to forward to
{{{
./simtrace -i 192.168.0.1
}}}
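The socat sink above only swallows the datagrams. As an added example (not part of simtrace or this wiki), the following Python sink does the same job on the remote machine while decoding the 16-byte GSMTAP header, so you can see the SIM APDUs arrive without starting wireshark; it never sends anything back to the tracing host. The GSMTAP_TYPE_SIM value 0x04 and the header layout are taken from libosmocore's gsmtap.h, and the constructed test frame wraps the first APDU from the dump above.

```python
import socket
import struct

GSMTAP_PORT = 4729           # default port used by simtrace (from the page)
GSMTAP_VERSION = 2
GSMTAP_TYPE_SIM = 0x04       # value from libosmocore's gsmtap.h
# Fixed 16-byte header: version, hdr_len (in 32-bit words), type, timeslot,
# arfcn, signal_dbm, snr_db, frame_number, sub_type, antenna_nr, sub_slot, res.
HDR = struct.Struct("!BBBBHbBIBBBB")

def parse_gsmtap(datagram):
    """Split a GSMTAP datagram into header fields and payload, rejecting junk."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (ver, hdr_len, gtype, _ts, _arfcn, _sig, _snr, fn,
     sub_type, _ant, _sub_slot, _res) = HDR.unpack_from(datagram)
    if ver != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {ver}")
    hdr_bytes = hdr_len * 4
    if hdr_bytes < HDR.size or hdr_bytes > len(datagram):
        raise ValueError(f"implausible hdr_len {hdr_len}")
    return {"type": gtype, "sub_type": sub_type, "frame_number": fn,
            "payload": datagram[hdr_bytes:]}

def build_gsmtap_sim(apdu):
    """Wrap an APDU in a minimal GSMTAP SIM header (used to construct test frames)."""
    return HDR.pack(GSMTAP_VERSION, HDR.size // 4, GSMTAP_TYPE_SIM,
                    0, 0, 0, 0, 0, 0, 0, 0, 0) + apdu

def run_sink(host="0.0.0.0", port=GSMTAP_PORT):
    """Receive-only sink: unlike netcat it never answers the tracing host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        while True:
            dgram, peer = s.recvfrom(4096)
            try:
                frame = parse_gsmtap(dgram)
            except ValueError as err:
                print(f"{peer[0]}: dropped ({err})")
                continue
            if frame["type"] == GSMTAP_TYPE_SIM:
                print(f"{peer[0]}: APDU ({len(frame['payload'])}): "
                      f"{frame['payload'].hex(' ')}")

if __name__ == "__main__":
    run_sink()
```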

[[Image(wireshark-sim.png)]]

Protocol parsing is far from complete, patches are always welcome!

== Contact / Mailing List ==

For any development or usage related questions, there is a mailing list [mailto:simtrace@lists.osmocom.org]; you can subscribe/unsubscribe at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please kindly observe our [http://openbsc.osmocom.org/trac/wiki/MailingListRules Mailing List Rules]