SIMtrace » History » Revision 5
Revision 4 (laforge, 02/19/2016 10:48 PM) → Revision 5/62 (laforge, 02/19/2016 10:48 PM)
[[PageOutline]]

= Osmocom SIMtrace =

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone. It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller. The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone. The received bytes are sent via USB to the PC, where a program called {{{simtrace}}} gathers data from the USB device, parses the APDUs and forwards them via [wiki:GSMTAP] to the [wiki:wireshark] protocol analyzer.

== Features ==

 * Completely passive scanner
 * RST and ATR detection
 * auto-bauding with PPS / PTS support
 * Segmentation of APDUs

== TODO ==

 * Check for parity errors
 * Verify TCK / PCK check-bytes

== Hardware ==

There is no ready-built hardware for this yet. The only existing implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [wiki:RebelSIM_Scanner]. We are thinking of doing some custom hardware, but nothing is certain yet.

=== Interconnections ===

The hardware schematics are very, very simple:

 * Connect SIM-RST with PA7
 * Connect SIM-I/O with PA6 (TXD0) and PA1 (TIOB0)
 * Connect SIM-CLK with PA2 (SCK0) and PA4 (TCLK0)
 * Connect SIM-GND with GND

=== Mode of operation ===

The USART of the AT91SAM7S is capable of T=0. However, the documentation only mentions it in clock-master mode, i.e. the way you would run it in a smart card reader that actively talks to a smart card. By using the USART input clock multiplexer, however, you can use an externally generated CLK such as the one from the SIM card socket of the phone. Unfortunately, the Rx Timeout feature of the USART is not working in T=0 mode, so I had to re-implement Rx timeout (waiting time) handling by means of the TC (timer/counter) block 0. Due to technical limitations, we will wait up to one byte (12 etu) more than we should.
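As an added illustration of what the tracer has to do at the start of a session (ATR detection, adopting the F/D values negotiated by a PPS/PTS exchange for auto-bauding) and of the two TODO items (parity errors, TCK/PCK check-bytes), here is a small Python parser. It is not part of the SIMtrace firmware or host software; the ATR and PPS byte strings it works on are constructed for this example, and the Fi/Di tables are the ones from ISO 7816-3.

```python
"""ATR / PPS parsing with parity and TCK / PCK verification (ISO 7816-3).

Added example, not SIMtrace firmware code.  A passive tracer has to walk the
ATR's interface-byte chain to know where the ATR ends, adopt the F/D values
negotiated in a PPS exchange (auto-bauding), and can verify the check bytes
that the TODO list above mentions."""

# ISO 7816-3 tables for TA1 / PPS1: clock rate conversion (Fi) and
# baud rate adjustment (Di) factors; None marks RFU codes.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
            None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20,
            None, None, None, None, None, None]


def parity_ok(data, parity_bit):
    """Even parity: the 8 data bits plus the parity bit hold an even
    number of ones.  `data` is the byte after convention decoding."""
    return (bin(data & 0xFF).count("1") + parity_bit) % 2 == 0


def xor_all(buf):
    acc = 0
    for b in buf:
        acc ^= b
    return acc


def fd_from_ta1(ta1):
    """Split TA1 (or PPS1) into the (F, D) factors; one etu = F/D clock cycles."""
    return FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]


def parse_atr(atr):
    """Walk TS, T0, the TA/TB/TC/TD chain, historical bytes and TCK.
    Returns a dict; 'length' tells the caller where the ATR ended."""
    atr = bytes(atr)
    if len(atr) < 2:
        raise ValueError("ATR needs at least TS and T0")
    if atr[0] == 0x3B:
        convention = "direct"
    elif atr[0] == 0x3F:
        convention = "inverse"
    else:
        raise ValueError("bad TS byte %02x" % atr[0])
    y, k = atr[1] & 0xF0, atr[1] & 0x0F     # Y1: presence bits, K: hist. bytes
    iface, protocols = [], set()
    idx, i = 2, 1
    try:
        while True:
            for bit, name in ((0x10, "TA"), (0x20, "TB"), (0x40, "TC")):
                if y & bit:
                    iface.append(("%s%d" % (name, i), atr[idx]))
                    idx += 1
            if not y & 0x80:
                break
            td = atr[idx]                      # TDi: next Y nibble and protocol T
            idx += 1
            iface.append(("TD%d" % i, td))
            protocols.add(td & 0x0F)
            y, i = td & 0xF0, i + 1
        hist = atr[idx:idx + k]
        if len(hist) != k:
            raise IndexError
        idx += k
        protocols = protocols or {0}           # no TD byte at all means T=0
        tck = tck_ok = None
        if protocols != {0}:                   # TCK is absent only for T=0-only ATRs
            tck = atr[idx]
            idx += 1
            tck_ok = xor_all(atr[1:idx]) == 0  # T0 .. TCK must XOR to zero
    except IndexError:
        raise ValueError("truncated ATR (%d bytes)" % len(atr)) from None
    return {"convention": convention, "interface": iface,
            "protocols": sorted(protocols), "historical": hist,
            "tck": tck, "tck_ok": tck_ok, "length": idx}


def parse_pps(pps):
    """Check a PPS request or response: PPSS (0xFF), PPS0, the PPS1..PPS3
    bytes that PPS0 announces, and PCK, which makes the XOR of all bytes 0."""
    pps = bytes(pps)
    if len(pps) < 3 or pps[0] != 0xFF:
        raise ValueError("not a PPS exchange")
    pps0 = pps[1]
    expected = 2 + bin(pps0 & 0x70).count("1") + 1
    if len(pps) != expected:
        raise ValueError("PPS length %d, expected %d" % (len(pps), expected))
    pps1 = pps[2] if pps0 & 0x10 else None
    return {"protocol": pps0 & 0x0F, "pps1": pps1,
            "f_d": fd_from_ta1(pps1) if pps1 is not None else (372, 1),
            "pck_ok": xor_all(pps) == 0}


# Constructed sample bytes (not from a real card): an ATR offering T=0 plus
# the T=15 global interface byte, so TCK is present; a PPS selecting TA1's F/D.
SAMPLE_ATR = bytes.fromhex("3b 95 95 80 1f c3 53 49 4d 54 52 0d")
SAMPLE_PPS = bytes.fromhex("ff 10 95 7a")

if __name__ == "__main__":
    print(parse_atr(SAMPLE_ATR))
    print(parse_pps(SAMPLE_PPS))
```

The returned `length` is what a passive tracer needs: only after the interface-byte chain has been walked does it know whether a TCK follows and where the first PPS or command byte can begin, and the (F, D) pair from a successful PPS is the point at which the tracer has to switch its own etu timing.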
== Firmware ==

The firmware for the AT91SAM7S device was written by reusing a lot of the code of the [http://www.openpcd.org/ OpenPCD] RFID reader. There is a {{{simtrace}}} branch in the git://git.gnumonks.org/openpcd.git repository containing the latest firmware code. Eventually, the OS part of OpenPCD/OpenPICC/SIMtrace will be separated. At that point, the firmware source can become part of simtrace.git.

=== Building the firmware ===

Precondition: You need to set your PATH in a way that contains an arm-elf toolchain, i.e. the same way that you build [OsmocomBB].

{{{
$ git clone git://git.gnumonks.org/openpcd.git
$ cd openpcd/firmware
$ git checkout simtrace
$ make -f Makefile.dfu BOARD=OLIMEX
$ make BOARD=SIMTRACE DEBUG=1 TARGET=main_simtrace
$ cat dfu.bin main_simtrace.bin > main_simtrace.samba
}}}

=== Flashing the firmware ===

The firmware build process creates two images:

 * dfu.bin -- the sam7dfu 2nd level bootloader
 * main_simtrace.bin -- the actual simtrace program (to be loaded via DFU)
 * main_simtrace.samba -- [http://www.openpcd.org/Sam7dfu sam7dfu] + simtrace image (to be loaded via SAM-BA / sam7utils)

==== SAM-BA ====

The first time you flash the device, you will have to use the SAM-BA method using the main_simtrace.samba image. The SAM-BA procedure entails the following steps:

 * setting a certain jumper on your board
 * powering up the board, waiting for something like 20 seconds
 * unpowering the board
 * removing the jumper
 * powering up the board again
 * using sam7utils to flash the image
 * power-cycling the board to make it boot the actual application program

For more information about SAM-BA, please refer to the Atmel documentation on the AT91SAM7S component.

==== [http://www.openpcd.org/Sam7dfu sam7dfu] ====

As the SAM-BA procedure is somewhat complex and tiresome for quick development cycles, [http://www.openpcd.org/Sam7dfu sam7dfu] was developed as a 2nd stage bootloader.
It implements the USB DFU (Device Firmware Upgrade) profile and can be used with any DFU compatible flashing tool such as the [http://dfu-util.gnumonks.org/ dfu-util] program.

=== TODO ===

== Host PC Software ==

The {{{simtrace}}} program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device and send GSMTAP frames using UDP/IPv4 to localhost. It will also print hexdumps of the frames to the console, looking like this:

{{{
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 38 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16): a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9): a0 a4 00 00 02 6f ad 9f 0f
APDU: (8): a0 b0 00 00 01 00 91 78
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (16): a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9): a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18): a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9): a0 a4 00 00 02 6f 78 9f 0f
APDU: (9): a0 b0 00 00 02 00 01 91 78
APDU: (9): a0 a4 00 00 02 6f 74 9f 0f
APDU: (23): a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 20 9f 0f
APDU: (16): a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9): a0 a4 00 00 02 6f 30 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
}}}

== Wireshark integration ==

There is an experimental patch, also part of the simtrace.git package. You will have to apply this against the latest wireshark developer version.

[[Image(wireshark-sim.png)]]

Protocol parsing is far from complete; patches are always welcome!
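As an added example (not code from simtrace.git), the following Python script parses hexdump lines in the format shown under Host PC Software, labels each line with its GSM 11.11 instruction name, decodes the status word, and wraps the APDU in a GSMTAP header for UDP port 4729, which is what the host program does before the frames reach wireshark. The sample lines are the first three of the hexdump above; the GSMTAP type value 0x04 for SIM and sub-type 0 for a complete APDU are assumed here from the GSMTAP header definition rather than taken from this page, and the instruction and status-word tables are from GSM 11.11.

```python
"""Parse simtrace 'APDU: (n): ...' hexdump lines and wrap them in GSMTAP.

Added example, not simtrace.git code.  Assumptions: GSMTAP type 0x04 = SIM,
sub_type 0 = complete APDU, UDP port 4729 (the standard GSMTAP port)."""
import re
import socket
import struct

GSMTAP_UDP_PORT = 4729
GSMTAP_VERSION = 2
GSMTAP_TYPE_SIM = 0x04            # assumed from the GSMTAP header definition
GSMTAP_HDR_LEN_WORDS = 4          # 16-byte header, counted in 32-bit words

# GSM 11.11 instruction bytes (class 0xA0)
INS_NAMES = {
    0xA4: "SELECT", 0xF2: "STATUS", 0xB0: "READ BINARY", 0xD6: "UPDATE BINARY",
    0xB2: "READ RECORD", 0xDC: "UPDATE RECORD", 0xA2: "SEEK", 0x32: "INCREASE",
    0x20: "VERIFY CHV", 0x24: "CHANGE CHV", 0x26: "DISABLE CHV",
    0x28: "ENABLE CHV", 0x2C: "UNBLOCK CHV", 0x04: "INVALIDATE",
    0x44: "REHABILITATE", 0x88: "RUN GSM ALGORITHM", 0xFA: "SLEEP",
    0xC0: "GET RESPONSE", 0x10: "TERMINAL PROFILE", 0xC2: "ENVELOPE",
    0x12: "FETCH", 0x14: "TERMINAL RESPONSE",
}
# Commands whose data field travels from the card to the phone
CARD_TO_ME = {0xB0, 0xB2, 0xC0, 0xF2, 0x12}

# Constructed sample input: the first three lines of the hexdump above.
SAMPLE_LINES = """\
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (8): a0 b0 00 00 01 00 91 78
""".splitlines()

LINE_RE = re.compile(r"^APDU: \((\d+)\): ((?:[0-9a-fA-F]{2}\s*)+)$")


def decode_sw(sw1, sw2):
    """Human-readable meaning of a GSM 11.11 status word SW1 SW2."""
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x9F:
        return "OK, %d response bytes available (GET RESPONSE)" % sw2
    if sw1 == 0x91:
        return "OK, proactive command of %d bytes pending (FETCH)" % sw2
    if sw1 == 0x94:
        return {0x00: "no EF selected", 0x02: "out of range (invalid address)",
                0x04: "file ID / pattern not found",
                0x08: "file inconsistent with command"}.get(
                    sw2, "memory/file error %02x" % sw2)
    if sw1 == 0x98:
        return {0x02: "no CHV initialised",
                0x04: "access condition not fulfilled / CHV verification failed",
                0x08: "in contradiction with CHV status",
                0x10: "in contradiction with invalidation status",
                0x40: "CHV blocked, no attempt left",
                0x50: "increase cannot be performed"}.get(
                    sw2, "security error %02x" % sw2)
    generic = {0x67: "incorrect parameter P3", 0x6B: "incorrect parameter P1 or P2",
               0x6D: "unknown instruction code", 0x6E: "wrong instruction class",
               0x6F: "technical problem, no precise diagnosis"}
    return generic.get(sw1, "SW %02x %02x" % (sw1, sw2))


def parse_apdu_line(line):
    """Split one hexdump line into header, data and status word."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a simtrace APDU line: %r" % line)
    raw = bytes.fromhex(m.group(2))
    if len(raw) != int(m.group(1)):
        raise ValueError("declared length %s != %d bytes" % (m.group(1), len(raw)))
    if len(raw) < 7:
        raise ValueError("APDU shorter than 5-byte header plus SW1 SW2")
    cla, ins, p1, p2, p3 = raw[:5]
    # The dump omits the T=0 procedure byte: header, P3 data bytes (either
    # direction), SW1 SW2.  A card rejecting the command outright answers
    # with SW1 SW2 only, giving a 7-byte line; P3=0 on a card->phone
    # command means 256 bytes.
    le = 256 if (p3 == 0 and ins in CARD_TO_ME) else p3
    if len(raw) == 7:
        data = b""
    elif len(raw) == 5 + le + 2:
        data = raw[5:5 + le]
    else:
        raise ValueError("length %d inconsistent with P3=%d" % (len(raw), p3))
    sw1, sw2 = raw[-2], raw[-1]
    return {"raw": raw, "cla": cla, "ins": ins, "p1": p1, "p2": p2, "p3": p3,
            "name": INS_NAMES.get(ins, "INS %02x" % ins),
            "direction": "card->phone" if ins in CARD_TO_ME else "phone->card",
            "data": data, "sw1": sw1, "sw2": sw2, "status": decode_sw(sw1, sw2)}


def build_gsmtap_sim(apdu, sub_type=0):
    """Prepend the 16-byte GSMTAP header (type SIM) to a raw APDU."""
    hdr = struct.pack("!BBBBHbbIBBBB",
                      GSMTAP_VERSION, GSMTAP_HDR_LEN_WORDS, GSMTAP_TYPE_SIM,
                      0,          # timeslot (unused for SIM)
                      0,          # ARFCN
                      0, 0,       # signal dBm, SNR dB
                      0,          # frame number
                      sub_type, 0, 0, 0)   # sub_type, antenna, sub_slot, res
    return hdr + bytes(apdu)


def send_gsmtap(frame, host="127.0.0.1", port=GSMTAP_UDP_PORT):
    """Send one GSMTAP frame to a local wireshark, as the host tool does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(frame, (host, port))


if __name__ == "__main__":
    for text in SAMPLE_LINES:
        a = parse_apdu_line(text)
        print("%-18s %-11s data=%s SW=%02x%02x %s" % (
            a["name"], a["direction"], a["data"].hex(), a["sw1"], a["sw2"], a["status"]))
        send_gsmtap(build_gsmtap_sim(a["raw"]))
```

Run stand-alone, the script prints the first SELECT of EF 6F07 with its `9F 0F` status (15 bytes to fetch with GET RESPONSE) followed by the GET RESPONSE and READ BINARY lines ending in `91 78`, and sends each frame to 127.0.0.1:4729, where a wireshark instance with the GSMTAP dissector will pick them up. The length check in `parse_apdu_line` is the segmentation rule a tracer has to get right: without the procedure byte, the only way to know where one APDU ends is P3 plus the two status bytes.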