Revision 44 (laforge, 02/21/2016 10:35 AM) → Revision 45/62 (laforge, 04/16/2016 12:46 PM)

{{>toc}} 

 h1. Osmocom SIMtrace 


 Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone. 

 It looks a bit like this: 
 {{graphviz_link() 
 digraph G{ 
   //rankdir = LR; 
   Phone -> SIMtrace [label = "Flexi-PCB cable"]; 
   SIMtrace -> SIM; 
   SIMtrace -> PC [label = "USB cable"]; 

   SIMtrace [ label = "SIMtrace hardware" ]; 
 } 
 }} 

 When connected to a phone, it looks like this: 


 !{width:50%}simtrace_and_phone.jpg! 

 !{width:33%}simtrace_functions.png! 

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone. The APDUs are then parsed and forwarded via [[GSMTAP]] to the [[wireshark]] protocol analyzer.


 h2. Features 


 * Completely passive scanner 
 * RST and ATR detection 
 * Auto-bauding with PPS / PTS support 
 * Segmentation of APDUs 


SIMtrace can be used to monitor the ME-SIM communication, but also to emulate a phone or a SIM, or to act as a man-in-the-middle (MITM).
While the hardware supports all of these modes, only the monitoring mode has been implemented in software.


 h2. TODO 


 * Check for parity errors 
 * Verify TCK / PCK check-bytes 
 * Implement MITM 


 h2. Hardware 


The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [[RebelSIM_Scanner]]. If the [[RebelSIM]] scanner is used, connect its USB cable even if only its signal lines are used: it needs to be powered, otherwise the real reader will often fail to initialize the card.

Now we have a dedicated PCB design. The schematics and Gerber files are released as open source hardware and can be produced by everyone.

 However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace 

 More details are available at [[SIMtraceHardware]] 


 h2. Firmware 


The firmware for the AT91SAM7S device was written by reusing a lot of the code for the "OpenPCD":http://www.openpcd.org/ RFID reader. Details are available at [[SIMtraceFirmware]].


 h2. Documentation 


Please check the attachments for a user manual. In there you will find some hints on installing ready-made packages for your favorite Linux distribution.


 h2. Host PC Software 


The host PC software talks to the SIMtrace device over USB and sends GSMTAP frames using UDP/IPv4 to localhost:4729.


 h3. Preconditions 


You need [[libosmocore]] and the headers (simtrace_usb.h) from the firmware.

Additional packages:
<pre>
sudo apt-get install libusb-1.0-0-dev
</pre>


 h3. Compiling it 


<pre>
git clone git://git.osmocom.org/simtrace.git
cd simtrace/host/
make
</pre>


 h3. Accessing it 


Add udev rules so that simtrace can access the device as a non-root user (the user only needs to be a member of the osmocom group):

<pre>
sudo groupadd osmocom
sudo adduser $USERNAME osmocom
sudo tee /etc/udev/rules.d/10-osmocom.rules << EOF
# to use, install this file in /etc/udev/rules.d as 10-osmocom.rules
# rule to grant read/write access on SIMtrace to group named osmocom.
SUBSYSTEM=="usb", ATTR{idProduct}=="0762", ATTRS{idVendor}=="16c0", MODE="0660", GROUP="osmocom"
EOF
sudo service udev reload
</pre>

You must log out and back in for the new group membership to take effect.


 h3. Using it 


Simply start *simtrace*.
It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:
<pre>
sudo ./simtrace
 APDU: (9):    a0 a4 00 00 02 6f 07 9f 0f 
 APDU: (22):    a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 38 9f 0f 
 APDU: (22):    a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78 
 APDU: (16):    a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78 
 APDU: (9):    a0 a4 00 00 02 6f ad 9f 0f 
 APDU: (8):    a0 b0 00 00 01 00 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 07 9f 0f 
 APDU: (16):    a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 7e 9f 0f 
 APDU: (18):    a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 78 9f 0f 
 APDU: (9):    a0 b0 00 00 02 00 01 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 74 9f 0f 
 APDU: (23):    a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 20 9f 0f 
 APDU: (16):    a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 30 9f 0f 
 APDU: (22):    a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78 
</pre>
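As an added example (not code from the SIMtrace project), the following Python script decodes console lines in the format above into the T=0 header, the data and the status word. The file names and status-word meanings are the GSM 11.11 values; the last two sample lines are constructed to show an unknown file and a bare status word and are not from the trace above.

```python
# Added example (not code from the SIMtrace project): decode the "APDU: (n): ..." console
# lines printed by the simtrace host tool into T=0 header, data and status word.
import re
# GSM 11.11 instruction bytes and the elementary files selected in the trace above
INS_NAMES = {0xA4: "SELECT", 0xC0: "GET RESPONSE", 0xB0: "READ BINARY", 0xB2: "READ RECORD"}
EF_NAMES = {0x6F07: "EF_IMSI", 0x6F38: "EF_SST", 0x6FAD: "EF_AD", 0x6F7E: "EF_LOCI",
            0x6F78: "EF_ACC", 0x6F74: "EF_BCCH", 0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel"}
LINE_RE = re.compile(r"APDU:\s*\((\d+)\):\s*((?:[0-9a-fA-F]{2}\s*)+)$")

def parse_line(line):
    """Parse one console line into a dict; returns None for lines that are not APDUs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = bytes.fromhex(m.group(2).replace(" ", ""))
    # simtrace strips the procedure bytes, so after the 5-byte header the body is exactly
    # P3 bytes of command/response data (or empty for a bare status word), then SW1 SW2
    if int(m.group(1)) != len(raw) or len(raw) < 7 or len(raw) not in (7, 7 + raw[4]):
        raise ValueError("inconsistent APDU line: %r" % line)
    cla, ins, p1, p2, p3 = raw[:5]
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "p3": p3,
            "data": bytes(raw[5:-2]), "sw1": raw[-2], "sw2": raw[-1]}

def status_text(sw1, sw2):
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x9F:   # GSM 11.11: response data available, phone fetches it with GET RESPONSE
        return "OK, %d bytes available via GET RESPONSE" % sw2
    if sw1 == 0x91:   # OK, but a SIM toolkit proactive command of sw2 bytes is pending
        return "OK, proactive command pending (%d bytes)" % sw2
    return "error SW %02X%02X" % (sw1, sw2)

def describe(apdu):
    name = INS_NAMES.get(apdu["ins"], "INS %02X" % apdu["ins"])
    if apdu["ins"] == 0xA4 and len(apdu["data"]) == 2:
        fid = int.from_bytes(apdu["data"], "big")
        name += " %04X (%s)" % (fid, EF_NAMES.get(fid, "unknown file"))
    return "%s -> %s" % (name, status_text(apdu["sw1"], apdu["sw2"]))

def summarize(console_text):
    return [describe(a) for a in map(parse_line, console_text.splitlines()) if a]
# constructed sample: the first two trace lines above, a SELECT of a non-existent file
# (GSM 11.11 SW 94 04) and a bare status word (6D 00, unknown instruction code)
SAMPLE = """APDU: (9):    a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):    a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9):    a0 a4 00 00 02 6f 99 94 04
APDU: (7):    a0 12 00 00 00 6d 00"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Run it against a saved console dump (`summarize(open("trace.txt").read())`) to get one line per APDU with the selected file and the status word decoded.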

 h2. Wireshark integration 


There is an experimental patch, also part of the simtrace.git package. It is also included in the [[wireshark]] developer version (since wireshark 1.7.1).

To see the APDUs in wireshark:
* on localhost, SIMtrace automatically opens a UDP sink, so there is no need to do anything
* to get the data on another machine:
** start a UDP sink for GSMTAP on the other machine (do not use netcat, as it "connects" back)
<pre>
socat -u udp-recv:4729 /dev/null
</pre>
** tell SIMtrace which machine to forward to
<pre>
./simtrace -i 192.168.0.1
</pre>

 !wireshark-sim.png! 

Protocol parsing is far from complete; patches are always welcome!

 h2. Contact / Mailing List 


For any development or usage related questions, there is a mailing list [mailto:simtrace@lists.osmocom.org]. You can subscribe/unsubscribe to it at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please make sure you read the [[cellular-infrastructure:MailingListRules]] (also available as "Mailing List Rules":http://openbsc.osmocom.org/trac/wiki/MailingListRules) before you start posting.