SIM card related Projects » SIMtrace

[[PageOutline]]

= Osmocom SIMtrace =

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It works by utilizing the T=0 capable USART of the usb-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone.

The received bytes are sent via USB to the PC, where a program called {{{simtrace}}} on the PC gathers data from the USB device,

parses the APDUs and forwards them via [wiki:GSMTAP] to the [wiki:wireshark] protocol analyzer.

== Features ==

 * Completely passive scanner

 * RST and ATR detection

 * auto-bauding with PPS / PTS support

 * Segmentation of APDUs

== TODO ==

 * Check for parity errors

 * Verify TCK / PCK check-bytes

== Hardware ==

There is no ready-built hardware for this yet.  They only existing implementations used an Olimex SAM7-P64 development board

with some of the I/O lines hooked up to the mechanical SIM card adapters from [wiki:RebelSIM_Scanner].  We are thinking of

doing some custom hardware, but nothing is certain yet.

=== Interconnections ===

The hardware schematics are very, very simple:

 * Connect SIM-RST with PA7

 * Connect SIM-I/O with PA6(TXD0) and PA1(TIOB0)

 * Connect SIM-CLK with PA2(SCK0) and PA4(TCLK0)

 * Connect SIM-GND with GND

=== Mode of operation ===

The USART of the AT91SAM7S is capable of T=0.  However, the documentation only mentions it in clock-master mode, like you

would run it in a smart card reader to actively talk to a smart card.  However, by using the USART input clock multiplexer,

you can use an externally-generated CLK like the one from the SIM card socket of the phone.

Unfortunately, the Rx Timeout feature of the USART is not working in T=0 mode, so I had to re-implement Rx timeout (waiting time)

handling by means of the TC (timer/counter) block 0.  Due to technical limitations, we will wait up to one byte (12 etu) more

than we should.

== Firmware ==

The Firmware for the AT91SAM7S device was written by reusing a lot of the code for the [http://www.openpcd.org/ OpenPCD]

RFID reader.  

There is a {{{simtrace}}} branch in the git://git.gnumonks.org/openpcd.git repository containing the latest firmware code.

Eventually, the OS part of OpenPCD/OpenPICC/SIMtrace will be separated.  At that point, the firmware source can become

part of simtrace.git

=== Building the firmware ===

Precondition: You need to set your PATH in a way that contains an arm-elf toolchain, i.e. the same way that you build [OsmocomBB].

{{{

$ git clone git://git.gnumonks.org/openpcd.git

$ cd openpcd/firmware

$ git checkout simtrace

$ make -f Makefile.dfu BOARD=OLIMEX

$ make BOARD=SIMTRACE DEBUG=1 TARGET=main_simtrace

$ cat dfu.bin main_simtraece.bin > main_simtrace.samba

}}}

=== Flashing the firmware ===

The firmware build process creates two images:

 * dfu.bin -- the sam7dfu 2nd level bootloader

 * main_simtrace.bin -- the actual simtrace program (to be loaded via DFU)

 * main_simtrace.samba -- [http://www.openpcd.org/Sam7dfu sam7dfu] + simtrace image (to be loaded via SAM-BA / sam7utils)

==== SAM-BA ====

The first time you flash the device, you will have to use the SAM-BA method using the main_simtrace.samba image.

The SAM-BA procedure entails the following steps:

 * setting a certain jumper on your board

 * powering up the board, waiting for something like 20 seconds

 * unpowering the board

 * removing the jumper

 * powering up the board again

 * using sam7utils to flash the image

 * power-cycling the board to make it boot the actual application program

For more information about SAM-BA, please refer to the Atmel documentation on the AT91SAM7S component.

==== [http://www.openpcd.org/Sam7dfu sam7dfu] ====

As the SAM-BA procedure is somewhat complex and tiresome for quick development cycles, [http://www.openpcd.org/Sam7dfu sam7dfu] was developed

as a 2nd stage bootloader.  It implements the USB DFU (Device Firmware Upgrade) profile and can be used with any DFU compatible flashing

tool such as the [http://dfu-util.gnumonks.org/ dfu-util] program.

=== TODO ===

== Host PC Software ==

The {{{simtrace}}} program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device

and send GSMTAP frames using UDP/IPv4 to localhost.

It will also print hexdumps of the frames to the console, looking like this:

{{{

APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f

APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78

APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f

APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78

APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78

APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f

APDU: (8):  a0 b0 00 00 01 00 91 78

APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f

APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78

APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f

APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78

APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f

APDU: (9):  a0 b0 00 00 02 00 01 91 78

APDU: (9):  a0 a4 00 00 02 6f 74 9f 0f

APDU: (23):  a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78

APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f

APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78

APDU: (9):  a0 a4 00 00 02 6f 30 9f 0f

APDU: (22):  a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78

}}}

== Wireshark integration ==

There is an experimental patch, also part of the simtrace.git package.  You will have to apply this against the latest

wireshark developer version.

[[Image(wireshark-sim.png)]]

Protocol parsing is far from being complete, patches are always welcome!