SIMtrace » History » Version 44

laforge, 02/21/2016 10:35 AM

{{>toc}}

h1. Osmocom SIMtrace

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It looks a bit like this:

{{graphviz_link()
digraph G{
  //rankdir = LR;
  Phone -> SIMtrace [label = "Flexi-PCB cable"];
  SIMtrace -> SIM;
  SIMtrace -> PC [label = "USB cable"];

  SIMtrace [ label = "SIMtrace hardware" ];
}
}}

When connected to a phone, it looks like this:

!{width:50%}simtrace_and_phone.jpg!

!{width:33%}simtrace_functions.png!

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone. The host software then parses the APDUs and forwards them via [[GSMTAP]] to the [[wireshark]] protocol analyzer.


h2. Features

* Completely passive scanner
* RST and ATR detection
* Auto-bauding with PPS / PTS support
* Segmentation of APDUs

SIMtrace can be used to monitor the ME-SIM communication, but it can also emulate a phone or a SIM, or act as a man-in-the-middle between the two.
While the hardware supports all these modes, only the monitoring aspect has been implemented in software.


h2. TODO

* Check for parity errors
* Verify TCK / PCK check-bytes
* Implement MITM


h2. Hardware

The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [[RebelSIM_Scanner]]. If the [[RebelSIM]] scanner is used, connect its USB cable even if only the signal lines are used: it needs to be powered, otherwise the real reader will often fail to initialize the card.

Now we have a dedicated PCB design. The schematics and Gerber files are released as open source hardware and can be produced by anyone.

However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace

More details are available at [[SIMtraceHardware]].

h2. Firmware

The firmware for the AT91SAM7S device was written by reusing a lot of the code for the "OpenPCD":http://www.openpcd.org/ RFID reader. Details are available at [[SIMtraceFirmware]].


h2. Documentation

Please check the attachments for a user manual. In there you will find some hints on installing ready-made packages for your favorite Linux distribution.


h2. Host PC Software

The host PC software (*simtrace*) parses the APDUs received from the SIMtrace hardware over USB and sends GSMTAP frames using UDP/IPv4 to localhost:4729.

h3. Preconditions

[[libosmocore]] and the headers (simtrace_usb.h) from the firmware.

Additional packages:
<pre><code>
sudo apt-get install libusb-1.0-0-dev
</code></pre>

h3. Compiling it

<pre><code>
git clone git://git.osmocom.org/simtrace.git
cd simtrace/host/
make
</code></pre>

h3. Accessing it

Add udev rules so that simtrace can be used and the device accessed as a non-root user (the user only needs to be in the osmocom group):

<pre><code>
sudo groupadd osmocom
sudo adduser $USERNAME osmocom
sudo tee /etc/udev/rules.d/10-osmocom.rules << EOF
# to use, install this file in /etc/udev/rules.d as 10-osmocom.rules
# rule to grant read/write access on SIMtrace to group named osmocom.
SUBSYSTEM=="usb", ATTR{idProduct}=="0762", ATTRS{idVendor}=="16c0", MODE="0660", GROUP="osmocom"
EOF
sudo service udev reload
</code></pre>

You must log out and back in for the group membership to take effect.

h3. Using it

Simply start *simtrace*.
It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:
<pre><code>
sudo ./simtrace
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f
APDU: (8):  a0 b0 00 00 01 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f
APDU: (9):  a0 b0 00 00 02 00 01 91 78
APDU: (9):  a0 a4 00 00 02 6f 74 9f 0f
APDU: (23):  a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f
APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9):  a0 a4 00 00 02 6f 30 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
</code></pre>
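Each line above is one complete T=0 exchange: the five header bytes CLA INS P1 P2 P3, the data field, and the two status bytes. As an added example (not code from the SIMtrace project), the following Python script decodes such console lines into their GSM 11.11 fields, names the file a SELECT refers to, explains the status word, and remembers the last successful SELECT so that a following READ BINARY is attributed to its file. The instruction, file-identifier and status-word tables are subsets of GSM 11.11 written for this example; the line format is the one shown above.

```python
"""Decode the "APDU: (n): ..." lines that the simtrace host tool prints.

Added example, not part of the SIMtrace project. It assumes the console
format shown above and the GSM 11.11 T=0 layout the trace reflects: CLA INS
P1 P2 P3, the data field (ME -> SIM for "out" commands such as SELECT,
SIM -> ME for "in" commands such as READ BINARY), then SW1 SW2.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(r"^APDU:\s*\((\d+)\):\s*((?:[0-9a-fA-F]{2}\s*)+)$")

# GSM 11.11 instruction bytes (subset) with the direction of their data field.
INS_TABLE = {
    0xA4: ("SELECT", "out"), 0xC0: ("GET RESPONSE", "in"),
    0xB0: ("READ BINARY", "in"), 0xB2: ("READ RECORD", "in"),
    0xD6: ("UPDATE BINARY", "out"), 0xDC: ("UPDATE RECORD", "out"),
    0xF2: ("STATUS", "in"), 0x20: ("VERIFY CHV", "out"),
    0x88: ("RUN GSM ALGORITHM", "out"), 0x12: ("FETCH", "in"),
    0x14: ("TERMINAL RESPONSE", "out"), 0xC2: ("ENVELOPE", "out"),
}
# GSM 11.11 file identifiers that occur in the trace above.
FILE_NAMES = {
    0x3F00: "MF", 0x7F10: "DF_TELECOM", 0x7F20: "DF_GSM", 0x6F07: "EF_IMSI",
    0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel", 0x6F38: "EF_SST", 0x6F74: "EF_BCCH",
    0x6F78: "EF_ACC", 0x6F7E: "EF_LOCI", 0x6FAD: "EF_AD",
}
# Status words from GSM 11.11 section 9.4 (subset).
SW_EXACT = {
    (0x90, 0x00): "normal ending", (0x94, 0x00): "no EF selected",
    (0x94, 0x02): "out of range / invalid address",
    (0x94, 0x04): "file ID or pattern not found",
    (0x94, 0x08): "file inconsistent with command",
    (0x98, 0x04): "access condition not fulfilled / CHV failed",
    (0x98, 0x40): "CHV blocked",
}
SW1_ONLY = {0x67: "wrong length (P3)", 0x6B: "incorrect P1 or P2",
            0x6D: "unknown INS", 0x6E: "wrong CLA", 0x6F: "technical problem"}


def describe_sw(sw1: int, sw2: int) -> str:
    """Status word to text; 9Fxx / 91xx carry a byte count in SW2."""
    if sw1 == 0x9F:
        return f"normal ending, {sw2} response bytes available (GET RESPONSE)"
    if sw1 == 0x91:
        return f"normal ending, proactive SIM command of {sw2} bytes pending (FETCH)"
    if sw1 == 0x92 and sw2 <= 0x0F:
        return f"success after {sw2} memory retries"
    return SW_EXACT.get((sw1, sw2)) or SW1_ONLY.get(sw1, "unknown status word")


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    p3: int
    data: bytes
    sw1: int
    sw2: int

    @property
    def name(self) -> str:
        return INS_TABLE.get(self.ins, (f"INS {self.ins:02X}", "?"))[0]

    @property
    def direction(self) -> str:
        return INS_TABLE.get(self.ins, ("", "?"))[1]

    @property
    def length_mismatch(self) -> bool:
        """Captured data field disagrees with P3 (P3=0 means 256 for "in" data)."""
        expected = 256 if (self.p3 == 0 and self.direction == "in" and self.data) else self.p3
        return len(self.data) != expected

    def selected_file(self) -> Optional[int]:
        """File ID carried by a SELECT command, else None."""
        return int.from_bytes(self.data, "big") if self.ins == 0xA4 and len(self.data) == 2 else None

    def summary(self) -> str:
        desc = f"{self.name} P1={self.p1:02X} P2={self.p2:02X} P3={self.p3:02X}"
        fid = self.selected_file()
        if fid is not None:
            desc += f" file={fid:04X} ({FILE_NAMES.get(fid, 'unknown')})"
        elif self.data:
            desc += f" {self.direction}-data={self.data.hex()}"
        if self.length_mismatch:  # on a passive tap this usually means missed bytes
            desc += " [data length != P3]"
        return f"{desc} SW={self.sw1:02X}{self.sw2:02X} [{describe_sw(self.sw1, self.sw2)}]"


def parse_line(line: str) -> Optional[Apdu]:
    """Parse one console line; None for lines that are not APDU dumps."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = bytes.fromhex("".join(m.group(2).split()))
    if len(raw) != int(m.group(1)):
        raise ValueError(f"declared {m.group(1)} bytes, got {len(raw)}")
    if len(raw) < 7:  # 5 header bytes + SW1 SW2 is the shortest T=0 exchange
        raise ValueError("too short for a T=0 APDU")
    return Apdu(raw[0], raw[1], raw[2], raw[3], raw[4], raw[5:-2], raw[-2], raw[-1])


def annotate(lines: List[str]) -> List[str]:
    """Summarise a trace, naming the file a READ/UPDATE acts on by
    remembering the last successful SELECT."""
    out, current = [], None
    for line in lines:
        apdu = parse_line(line)
        if apdu is None:
            continue
        fid = apdu.selected_file()
        if fid is not None and apdu.sw1 in (0x90, 0x91, 0x9F):
            current = fid
        ctx = ""
        if current is not None and apdu.ins in (0xB0, 0xB2, 0xD6, 0xDC):
            ctx = " on " + FILE_NAMES.get(current, f"{current:04X}")
        out.append(apdu.summary() + ctx)
    return out
```

Run it over the console output with `annotate(sys.stdin.readlines())` (for example `./simtrace | python3 decode_trace.py`). Read that way, the trace above is a phone reading its SIM at start-up: every SELECT is answered with 9F 0F, i.e. 15 bytes of file information are waiting for a GET RESPONSE, and every read is answered with 91 78, i.e. the SIM also has a 120-byte proactive command pending that the phone is expected to FETCH. The P3 check is the kind of sanity check a passive tap needs: a data field shorter than P3 means bytes were lost on the tap (the parity-error item on the TODO list above), not that the card misbehaved.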
h2. Wireshark integration

There is an experimental patch, also part of the simtrace.git package. It is also included in the [[wireshark]] developer version (since wireshark 1.7.1).

To see the APDUs in wireshark:
* on localhost, SIMtrace automatically opens a UDP sink, so there is nothing to do
* to get the data on another machine:
** start a UDP sink for GSMTAP on the other machine (do not use netcat, as it "connects" back)
<pre><code>
socat -u udp-recv:4729 /dev/null
</code></pre>
** tell SIMtrace to which machine to forward
<pre><code>
./simtrace -i 192.168.0.1
</code></pre>
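The socat command only swallows the datagrams so that the sending host does not receive ICMP port-unreachable errors while wireshark captures the frames off the wire. As an added example (not part of the SIMtrace project or of libosmocore), here is a small Python GSMTAP sink that serves the same purpose and additionally unwraps the GSMTAP header to show the APDU bytes. The 16-byte header layout and the constants GSMTAP_VERSION = 2, GSMTAP_TYPE_SIM = 4 and UDP port 4729 are taken from libosmocore's gsmtap.h as I know it; the sub_type value 0 for a plain APDU is an assumption, and the encoder is included only so that the decoder can be exercised offline.

```python
"""Minimal GSMTAP sink for frames sent with `simtrace -i <this machine>`.

Added example, not part of the SIMtrace project. Header layout and
constants follow libosmocore's gsmtap.h as known to the author of this
example; sub_type 0 for APDUs is assumed.
"""
import socket
import struct
from typing import Optional, Tuple

GSMTAP_VERSION = 0x02
GSMTAP_TYPE_SIM = 0x04
GSMTAP_UDP_PORT = 4729
# struct gsmtap_hdr, network byte order: version, hdr_len (in 32-bit words),
# type, timeslot, arfcn, signal_dbm, snr_db, frame_number, sub_type,
# antenna_nr, sub_slot, res
GSMTAP_HDR = struct.Struct(">BBBBHbbIBBBB")


def build_gsmtap_sim(apdu: bytes, sub_type: int = 0) -> bytes:
    """Wrap one APDU in a GSMTAP SIM header (the sender side, for testing)."""
    hdr = GSMTAP_HDR.pack(GSMTAP_VERSION, GSMTAP_HDR.size // 4, GSMTAP_TYPE_SIM,
                          0, 0, 0, 0, 0, sub_type, 0, 0, 0)
    return hdr + apdu


def parse_gsmtap(datagram: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (type, sub_type, payload), or None if this is not valid GSMTAP.

    hdr_len is honoured instead of assumed to be 4 words, so a header that a
    later sender extends is skipped correctly; a header claiming more bytes
    than the datagram holds is rejected rather than sliced past the end.
    """
    if len(datagram) < GSMTAP_HDR.size:
        return None
    version, hdr_len, typ, _ts, _arfcn, _sig, _snr, _fn, sub_type, _ant, _ss, _res = \
        GSMTAP_HDR.unpack_from(datagram)
    hdr_bytes = hdr_len * 4
    if version != GSMTAP_VERSION or hdr_bytes < GSMTAP_HDR.size or hdr_bytes > len(datagram):
        return None
    return typ, sub_type, datagram[hdr_bytes:]


def sim_payload(datagram: bytes) -> Optional[bytes]:
    """Only hand back the payload of SIM frames; other GSMTAP types are ignored."""
    parsed = parse_gsmtap(datagram)
    if parsed is None or parsed[0] != GSMTAP_TYPE_SIM:
        return None
    return parsed[2]


def run_sink(bind_addr: str = "0.0.0.0", port: int = GSMTAP_UDP_PORT) -> None:
    """Receive GSMTAP datagrams and print the APDU bytes in simtrace's format.

    Unlike netcat this never sends anything back; it only calls recvfrom().
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, port))
    while True:
        datagram, (src, _) = sock.recvfrom(65535)
        apdu = sim_payload(datagram)
        if apdu is None:
            print(f"{src}: non-SIM or malformed GSMTAP datagram ({len(datagram)} bytes)")
            continue
        print(f"{src}: APDU: ({len(apdu)}):  " + " ".join(f"{b:02x}" for b in apdu))


if __name__ == "__main__":
    run_sink()
```

Bind it to the address of the interface facing the SIMtrace host rather than 0.0.0.0 if the machine is reachable from elsewhere; wireshark still sees the datagrams on the wire whether this sink or socat is the one consuming them.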

!wireshark-sim.png!

Protocol parsing is far from complete, patches are always welcome!

h2. Contact / Mailing List

For any development or usage related questions, there is a mailing list [mailto:simtrace@lists.osmocom.org]. You can subscribe/unsubscribe at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please kindly observe our "Mailing List Rules":http://openbsc.osmocom.org/trac/wiki/MailingListRules