SIMtrace » History » Revision 5
Revision 5/62
laforge, 02/19/2016 10:48 PM
add some notes on the flashing procedure
= Osmocom SIMtrace =
Osmocom SIMtrace is a software and hardware system for passively tracing the SIM-ME communication between a SIM card and a mobile phone.
It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.
The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone.
The received bytes are sent via USB to the PC, where a program called {{{simtrace}}} gathers the data from the USB device,
parses the APDUs and forwards them via [wiki:GSMTAP] to the [wiki:wireshark] protocol analyzer.
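The T=0 procedure-byte handling that a passive sniffer needs before it can cut the raw I/O byte stream into APDUs, as an added example in Python. This is not code from simtrace.git or from the firmware: {{{reassemble_t0}}}, {{{format_apdu}}} and the sample stream are constructed for this page; the procedure-byte rules it follows are those of ISO 7816-3, and the split between command data and response data is taken from the GSM 11.11 instruction set.

```python
"""Reassemble ISO 7816-3 T=0 command/response exchanges from the raw byte
stream a passive sniffer sees on the SIM I/O line (both directions interleaved)
and print them in the 'APDU: (n): ...' format used by the simtrace host tool.
Added example for this page; it is not code from simtrace.git. The procedure
byte rules are ISO 7816-3, the function names and the sample stream are ours."""

# GSM 11.11 instructions whose P3 counts bytes the phone sends to the SIM
# (command data). For every other INS, P3 counts bytes the SIM returns.
OUTGOING_INS = {0xA4, 0xD6, 0xDC, 0xA2, 0x32, 0x20, 0x24, 0x26, 0x28, 0x2C,
                0x88, 0x10, 0xC2, 0x14}

# Constructed sample: the exchanges behind three of the lines shown on this
# page (SELECT 6F07, GET RESPONSE, READ BINARY), with the procedure bytes the
# sniffer really sees on the wire put back in.
SAMPLE_STREAM = bytes.fromhex(
    "a0a4000002" "a4" "6f07" "9f0f"            # SELECT 6F07: proc byte == INS, all data
    "a0c000000f" "60" "c0"                      # GET RESPONSE: NULL byte first, then INS
    "000000096f07040015001501020000" "9178"
    "a0b0000002" "4f" "00" "4f" "01" "9178"     # READ BINARY: INS ^ 0xFF, one byte each
)


def reassemble_t0(stream: bytes) -> list:
    """Split a raw I/O byte stream into APDUs (5-byte header + data + SW1 SW2).

    The stream must start at a command header, i.e. after the ATR and any PPS
    exchange. Procedure bytes (ISO 7816-3, section 10.3.3) are consumed and
    are not part of the output:
      0x60          NULL: the card asks for more time, nothing is transferred
      INS           all remaining data bytes are transferred
      INS ^ 0xFF    exactly one data byte is transferred
      0x6X / 0x9X   SW1, followed by SW2; ends the command
    """
    apdus, i = [], 0
    while i < len(stream):
        if i + 5 > len(stream):
            raise ValueError("truncated header at offset %d" % i)
        hdr = stream[i:i + 5]
        i += 5
        ins, p3 = hdr[1], hdr[4]
        # For incoming commands P3 == 0 means 256 bytes (ISO 7816-3).
        remaining = p3 if (ins in OUTGOING_INS or p3) else 256
        data = bytearray()
        while True:
            if i >= len(stream):
                raise ValueError("stream ended inside a command at offset %d" % i)
            pb = stream[i]
            i += 1
            if pb == 0x60:
                continue
            if (pb & 0xF0) in (0x60, 0x90):
                if i >= len(stream):
                    raise ValueError("SW1 without SW2 at offset %d" % i)
                sw = bytes([pb, stream[i]])
                i += 1
                break
            if pb == ins:
                n = remaining
            elif pb == (ins ^ 0xFF):
                n = 1
            else:
                raise ValueError("unexpected procedure byte %02x at offset %d" % (pb, i - 1))
            if n > remaining or i + n > len(stream):
                raise ValueError("data transfer exceeds P3 or stream length")
            data += stream[i:i + n]
            i += n
            remaining -= n
        apdus.append(bytes(hdr) + bytes(data) + sw)
    return apdus


def format_apdu(apdu: bytes) -> str:
    """Render one APDU the way the simtrace tool prints it."""
    return "APDU: (%d): %s" % (len(apdu), " ".join("%02x" % b for b in apdu))


if __name__ == "__main__":
    for apdu in reassemble_t0(SAMPLE_STREAM):
        print(format_apdu(apdu))
```

A real sniffer additionally has to resynchronise this state machine on every RST from the phone and on the waiting-time timeout described under "Mode of operation": a single byte lost on the I/O line otherwise leaves it counting the wrong number of data bytes for every command that follows.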
There is no ready-built hardware for this yet. The only existing implementations used an Olimex SAM7-P64 development board
with some of its I/O lines hooked up to the mechanical SIM card adapters from [wiki:RebelSIM_Scanner]. We are thinking about
doing some custom hardware, but nothing is certain yet.
=== Interconnections ===
The hardware schematics are very, very simple:
- Connect SIM-RST with PA7
- Connect SIM-I/O with PA6 and PA1
- Connect SIM-CLK with PA2 and PA4
- Connect SIM-GND with GND
=== Mode of operation ===
The USART of the AT91SAM7S is capable of T=0. However, the documentation only describes it in clock-master mode, as you
would use it in a smart card reader that actively talks to a smart card. By using the USART input clock multiplexer,
you can instead run it from an externally generated CLK, i.e. the one the phone provides at its SIM card socket.
Unfortunately, the Rx Timeout feature of the USART does not work in T=0 mode, so I had to re-implement Rx timeout (waiting time)
handling by means of the TC (timer/counter) block 0. Due to technical limitations, this timeout fires up to one character
(12 etu) later than it should.
The firmware for the AT91SAM7S device was written by reusing a lot of the code of the [http://www.openpcd.org/ OpenPCD]
RFID reader.
There is a {{{simtrace}}} branch in the git://git.gnumonks.org/openpcd.git repository containing the latest firmware code.
Eventually, the OS part of OpenPCD/OpenPICC/SIMtrace will be separated out. At that point, the firmware source can become
part of simtrace.git.
=== Building the firmware ===
Precondition: your PATH needs to contain an arm-elf toolchain, i.e. set it up the same way as for building [OsmocomBB].
{{{
$ git clone git://git.gnumonks.org/openpcd.git
$ cd openpcd/firmware
$ git checkout simtrace
$ make -f Makefile.dfu BOARD=OLIMEX
$ make BOARD=SIMTRACE DEBUG=1 TARGET=main_simtrace
$ cat dfu.bin main_simtrace.bin > main_simtrace.samba
}}}
=== Flashing the firmware ===
The firmware build process creates three images:
* dfu.bin -- the sam7dfu 2nd level bootloader
* main_simtrace.bin -- the actual simtrace program (to be loaded via DFU)
* main_simtrace.samba -- [http://www.openpcd.org/Sam7dfu sam7dfu] + simtrace image (to be loaded via SAM-BA / sam7utils)
==== SAM-BA ====
The first time you flash the device, you will have to use the SAM-BA method with the main_simtrace.samba image.
The SAM-BA procedure entails the following steps:
* setting a certain jumper on your board
* powering up the board and waiting for something like 20 seconds
* powering down the board
* removing the jumper
* powering up the board again
* using sam7utils to flash the image
* power-cycling the board to make it boot the actual application program
For more information about SAM-BA, please refer to the Atmel documentation on the AT91SAM7S.
==== [http://www.openpcd.org/Sam7dfu sam7dfu] ====
As the SAM-BA procedure is somewhat complex and tiresome for quick development cycles, [http://www.openpcd.org/Sam7dfu sam7dfu] was developed
as a 2nd stage bootloader. It implements the USB DFU (Device Firmware Upgrade) class and can be used with any DFU-compatible flashing
tool such as the [http://dfu-util.gnumonks.org/ dfu-util] program.
=== TODO ===
=== Host PC Software ===
The {{{simtrace}}} program is part of the git://git.osmocom.org/simtrace.git repository. It binds to the USB device
and sends GSMTAP frames using UDP/IPv4 to localhost.
It also prints hexdumps of the frames to the console, looking like this:
{{{
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 38 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16): a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9): a0 a4 00 00 02 6f ad 9f 0f
APDU: (8): a0 b0 00 00 01 00 91 78
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (16): a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9): a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18): a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9): a0 a4 00 00 02 6f 78 9f 0f
APDU: (9): a0 b0 00 00 02 00 01 91 78
APDU: (9): a0 a4 00 00 02 6f 74 9f 0f
APDU: (23): a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 20 9f 0f
APDU: (16): a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9): a0 a4 00 00 02 6f 30 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
}}}
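A decoder for those hexdump lines at the GSM 11.11 level, together with the GSMTAP encapsulation under which the {{{simtrace}}} program hands each APDU to Wireshark, as an added example in Python. It is not the simtrace host program: {{{parse_line}}}, {{{decode_trace}}}, {{{gsmtap_sim_frame}}} and the four sample lines (copied from the hexdump above) are constructed for this page; the field layouts are those of GSM 11.11 and of the 16-byte GSMTAP v2 header (type SIM = 0x04, UDP port 4729).

```python
"""Decode the 'APDU:' lines printed by the simtrace host tool at the GSM 11.11
level (instruction, selected file, status words, IMSI) and wrap each APDU in
the GSMTAP header under which simtrace hands it to Wireshark on UDP port 4729.
Added example for this page, not code from simtrace.git. Field layouts follow
GSM 11.11 (sections 9 and 10) and the GSMTAP v2 header; names are ours."""
import struct

# Constructed input: four lines in the format of the hexdump above.
SAMPLE_LINES = [
    "APDU: (9): a0 a4 00 00 02 6f 07 9f 0f",
    "APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78",
    "APDU: (16): a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78",
    "APDU: (9): a0 a4 00 00 02 6f 7e 9f 0f",
]
INS_NAMES = {0xA4: "SELECT", 0xF2: "STATUS", 0xB0: "READ BINARY", 0xD6: "UPDATE BINARY",
             0xB2: "READ RECORD", 0xDC: "UPDATE RECORD", 0xA2: "SEEK", 0x32: "INCREASE",
             0x20: "VERIFY CHV", 0x24: "CHANGE CHV", 0x26: "DISABLE CHV", 0x28: "ENABLE CHV",
             0x2C: "UNBLOCK CHV", 0x04: "INVALIDATE", 0x44: "REHABILITATE",
             0x88: "RUN GSM ALGORITHM", 0xFA: "SLEEP", 0xC0: "GET RESPONSE",
             0x10: "TERMINAL PROFILE", 0xC2: "ENVELOPE", 0x12: "FETCH", 0x14: "TERMINAL RESPONSE"}
# Instructions whose P3 counts command data sent by the phone; all others return data.
OUTGOING_INS = {0xA4, 0xD6, 0xDC, 0xA2, 0x32, 0x20, 0x24, 0x26, 0x28, 0x2C,
                0x88, 0x10, 0xC2, 0x14}
EF_STRUCTURE = {0x00: "transparent", 0x01: "linear fixed", 0x03: "cyclic"}
GSMTAP_VERSION, GSMTAP_TYPE_SIM, GSMTAP_UDP_PORT = 2, 0x04, 4729


def sw_meaning(sw1, sw2):
    """Status words SW1 SW2 per GSM 11.11 section 9.4."""
    if (sw1, sw2) == (0x90, 0x00):
        return "normal ending"
    if sw1 == 0x9F:
        return "ok, %d response bytes available (GET RESPONSE)" % sw2
    if sw1 == 0x91:
        return "ok, proactive SIM command of %d bytes pending (FETCH)" % sw2
    if sw1 == 0x94:
        return {0x00: "no EF selected", 0x02: "out of range", 0x04: "file not found",
                0x08: "file inconsistent with command"}.get(sw2, "referencing error")
    if sw1 == 0x98:
        return {0x02: "no CHV initialised", 0x04: "access condition not fulfilled",
                0x40: "CHV blocked"}.get(sw2, "security error")
    return {0x67: "wrong length P3", 0x6B: "wrong P1/P2", 0x6D: "unknown INS",
            0x6E: "wrong CLA", 0x6F: "technical problem"}.get(sw1, "unknown status")


def parse_line(line):
    """Split one 'APDU: (n): xx ...' line into header, data and status words."""
    prefix, _, hexpart = line.partition("): ")
    raw = bytes.fromhex(hexpart)
    if int(prefix[prefix.index("(") + 1:]) != len(raw) or len(raw) < 7:
        raise ValueError("bad line: %r" % line)
    cla, ins, p1, p2, p3 = raw[:5]
    body, sw1, sw2 = raw[5:-2], raw[-2], raw[-1]
    # Outgoing commands: the body is command data; otherwise it is the response.
    cmd_data, resp_data = (body[:p3], body[p3:]) if ins in OUTGOING_INS else (b"", body)
    return {"cla": cla, "ins": ins, "name": INS_NAMES.get(ins, "INS %02x" % ins),
            "p1": p1, "p2": p2, "p3": p3, "cmd_data": cmd_data, "resp_data": resp_data,
            "sw": (sw1, sw2), "status": sw_meaning(sw1, sw2)}


def decode_imsi(ef):
    """EF_IMSI (GSM 11.11 10.3.2): length byte, then swapped-nibble BCD; the low
    nibble of the first digit byte is a parity indicator, not a digit."""
    digits = []
    for i, b in enumerate(ef[1:1 + ef[0]]):
        digits += [b >> 4] if i == 0 else [b & 0x0F, b >> 4]
    return "".join(str(d) for d in digits if d != 0xF)


def decode_trace(lines):
    """Annotate each line with what it means for the SIM's file system state."""
    selected, out = None, []
    for line in lines:
        a = parse_line(line)
        note = ""
        if a["ins"] == 0xA4 and len(a["cmd_data"]) == 2:
            selected = a["cmd_data"].hex()
            note = "file " + selected
        elif a["ins"] == 0xC0 and len(a["resp_data"]) >= 15 and a["resp_data"][6] == 0x04:
            r = a["resp_data"]  # SELECT response for an EF, GSM 11.11 9.2.1
            note = "EF %s, %d bytes, %s" % (r[4:6].hex(), int.from_bytes(r[2:4], "big"),
                                            EF_STRUCTURE.get(r[13], "unknown structure"))
        elif a["ins"] == 0xB0 and selected == "6f07" and a["resp_data"]:
            note = "IMSI " + decode_imsi(a["resp_data"])  # the trace leaks the subscriber identity
        a["note"] = note
        out.append(a)
    return out


def gsmtap_sim_frame(apdu):
    """Prepend the 16-byte GSMTAP v2 header (type SIM). Sent as a UDP datagram to
    127.0.0.1:4729, Wireshark picks the payload up as GSMTAP."""
    hdr = struct.pack("!BBBBHbbIBBBB", GSMTAP_VERSION, 4, GSMTAP_TYPE_SIM,
                      0, 0, 0, 0, 0, 0, 0, 0, 0)
    return hdr + apdu


if __name__ == "__main__":
    for a in decode_trace(SAMPLE_LINES):
        print("%-17s %-32s %s" % (a["name"], a["note"], a["status"]))
```

Running it on the sample lines shows why a passive trace is sensitive data: the SELECT 6F07 / GET RESPONSE / READ BINARY triple at the top of the hexdump is the phone reading EF_IMSI, and the nine data bytes of the READ BINARY decode straight to the subscriber's IMSI.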
There is an experimental Wireshark patch, also part of simtrace.git, which you will have to apply against the latest
Wireshark development version.
Protocol parsing is far from complete, patches are always welcome!