SIMtrace » History » Version 52

gnutoo, 03/07/2018 02:23 AM
fix typo

{{>toc}}

h1. Osmocom SIMtrace

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone (ME, mobile equipment).

It looks a bit like this:
{{graphviz_link()
digraph G{
  //rankdir = LR;
  Phone -> SIMtrace [label = "Flexi-PCB cable"];
  SIMtrace -> SIM;
  SIMtrace -> PC [label = "USB cable"];

  SIMtrace [ label = "SIMtrace hardware" ];
}
}}

When connected to a phone, it looks like this:

!{width:50%}simtrace_and_phone.jpg!

!{width:33%}simtrace_functions.png!

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / GSM TS 11.11 interface between SIM and phone. The received bytes are sent via USB to the PC, where a program called simtrace gathers the data from the USB device, parses the APDUs and forwards them via GSMTAP to the Wireshark protocol analyzer.
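The GSMTAP step deserves a concrete look, because it is what lets Wireshark dissect a wired SIM trace as if it were a radio capture. The following is an added example, not code from the simtrace host program: it builds the 16-byte GSMTAP version 2 header with payload type GSMTAP_TYPE_SIM (0x04) as defined in libosmocore's gsmtap.h, prefixes it to a raw APDU, and sends the frame to UDP port 4729. The radio-specific header fields have no meaning for a wired SIM trace and are left zero here. The sample APDU is the first SELECT from the console dump further down this page; the function names are this example's own.

```python
"""GSMTAP encapsulation of a SIM APDU (added example, not simtrace project code).

Header layout follows libosmocore's gsmtap.h: version 2, 16-byte header,
type GSMTAP_TYPE_SIM = 0x04, listener on UDP port 4729.
"""
import socket
import struct
from typing import Tuple

GSMTAP_VERSION = 0x02
GSMTAP_TYPE_SIM = 0x04
GSMTAP_UDP_PORT = 4729
# 16-byte header: version, hdr_len (in 32-bit words), type, timeslot, arfcn,
# signal_dbm, snr_db, frame_number, sub_type, antenna_nr, sub_slot, res
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")
GSMTAP_HDR_LEN = GSMTAP_HDR.size  # 16 bytes


def build_gsmtap_sim(apdu: bytes) -> bytes:
    """Prefix a raw APDU with a GSMTAP header so that Wireshark's gsmtap
    dissector hands the payload to the GSM SIM dissector.  The radio fields
    (timeslot, ARFCN, signal, frame number, ...) are zero for a wired trace."""
    hdr = GSMTAP_HDR.pack(
        GSMTAP_VERSION,
        GSMTAP_HDR_LEN // 4,   # header length in 32-bit words (4)
        GSMTAP_TYPE_SIM,
        0,                     # timeslot
        0,                     # arfcn
        0,                     # signal_dbm
        0,                     # snr_db
        0,                     # frame_number
        0,                     # sub_type
        0,                     # antenna_nr
        0,                     # sub_slot
        0,                     # reserved
    )
    return hdr + apdu


def parse_gsmtap(frame: bytes) -> Tuple[int, bytes]:
    """Inverse of build_gsmtap_sim: return (payload type, payload), honouring
    hdr_len so that longer headers from other GSMTAP versions do not confuse
    the payload offset."""
    if len(frame) < GSMTAP_HDR_LEN:
        raise ValueError("frame shorter than a GSMTAP header")
    version, hdr_words, gtype = frame[0], frame[1], frame[2]
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    return gtype, frame[hdr_words * 4:]


def send_gsmtap_sim(apdu: bytes, host: str = "127.0.0.1",
                    port: int = GSMTAP_UDP_PORT) -> int:
    """Send one APDU to a GSMTAP listener (the host is what simtrace's -i
    option selects).  Returns the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(build_gsmtap_sim(apdu), (host, port))


# SELECT EF_IMSI (6F07) answered with SW 9F0F, in the concatenated form
# (command header, data, status word) that simtrace prints on the console.
SAMPLE_APDU = bytes.fromhex("a0a40000026f079f0f")

if __name__ == "__main__":
    frame = build_gsmtap_sim(SAMPLE_APDU)
    print(frame.hex())
    # With Wireshark capturing on lo (filter "udp.port == 4729"), uncomment:
    # send_gsmtap_sim(SAMPLE_APDU)
```

Wireshark recognises the frame purely from the UDP port and the type byte, which is why forwarding to another machine (see the Wireshark section below) needs nothing more than a listener on port 4729 there.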

h2. Features

* Completely passive scanner
* RST and ATR detection
* Auto-bauding with PPS / PTS support
* Segmentation of APDUs

SIMtrace can be used to monitor the ME-SIM communication, but the hardware can also emulate a phone or a SIM, or sit in the link as a man-in-the-middle (MitM).
While the hardware supports all these modes, only the monitoring (passive tracing) mode has been implemented in software.

h2. TODO

* Check for parity errors
* Verify TCK / PCK check-bytes
* Implement MITM
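The TCK / PCK item above and the ATR and PPS features in the list before it concern the same two ISO 7816-3 structures, so one added example serves both. It is not simtrace code and is not the firmware's auto-bauding logic: it walks the TA/TB/TC/TD chain of an Answer-To-Reset, determines whether a TCK byte must be present (only when a protocol other than T=0 is offered), verifies it as the XOR of T0 through TCK being zero, and decodes a PPS exchange, verifying PCK the same way and reading the new Fi/Di from PPS1, which is the value a tracer needs to re-baud after a PPS. Both the ATR and the PPS bytes are constructed for this example (the historical bytes spell "SIMtrace"); the Fi/Di tables are the standard ISO 7816-3 ones.

```python
"""ATR and PPS parsing with TCK / PCK verification (ISO 7816-3).

Added example, not simtrace project code.  Both sample byte strings are
constructed for illustration.
"""
from functools import reduce
from typing import Dict

# Fi / Di conversion tables from ISO 7816-3 (index = nibble of TA1 / PPS1);
# None marks RFU codes.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None,
            512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20,
            None, None, None, None, None, None]


def xor_all(data: bytes) -> int:
    return reduce(lambda a, b: a ^ b, data, 0)


def parse_atr(atr: bytes) -> Dict:
    """Walk the TA/TB/TC/TD chain of an Answer-To-Reset.

    TCK is present only if a protocol other than T=0 is offered; the XOR of
    all bytes from T0 up to and including TCK must then be 0."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte: %r" % atr[:1])
    t0 = atr[1]
    y, k = t0 >> 4, t0 & 0x0F           # Y1 = presence bits, K = hist. bytes
    idx, i = 2, 1
    interface: Dict[str, int] = {}
    protocols = set()
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if idx >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{i}"] = atr[idx]
                idx += 1
        if not (y & 8):                   # no TDi: chain ends here
            break
        td = interface[f"TD{i}"]
        protocols.add(td & 0x0F)
        y, i = td >> 4, i + 1
    if not protocols:
        protocols.add(0)                  # no TD1 at all: T=0 is implied
    if idx + k > len(atr):
        raise ValueError("ATR truncated in historical bytes")
    historical = atr[idx:idx + k]
    idx += k
    tck_present = bool(protocols - {0})
    result = {"direct_convention": atr[0] == 0x3B, "interface": interface,
              "protocols": protocols, "historical": historical,
              "tck_present": tck_present, "tck_ok": None}
    if tck_present:
        if idx >= len(atr):
            raise ValueError("TCK announced but missing")
        result["tck_ok"] = xor_all(atr[1:idx + 1]) == 0
        idx += 1
    result["extra_bytes"] = atr[idx:]     # anything after the ATR proper
    return result


def parse_pps(pps: bytes) -> Dict:
    """Decode a PPS request/response: PPSS (FF), PPS0, optional PPS1..3, PCK.
    PCK makes the XOR of the whole PPS zero; PPS1 carries the new Fi/Di."""
    if len(pps) < 3 or pps[0] != 0xFF:
        raise ValueError("not a PPS (must start with PPSS = 0xFF)")
    pps0, idx = pps[1], 2
    fields: Dict[str, int] = {}
    for bit, name in ((0x10, "PPS1"), (0x20, "PPS2"), (0x40, "PPS3")):
        if pps0 & bit:
            fields[name] = pps[idx]
            idx += 1
    if idx != len(pps) - 1:
        raise ValueError("PPS length does not match the PPS0 presence bits")
    out = {"T": pps0 & 0x0F, "pck_ok": xor_all(pps) == 0, "fi": None, "di": None}
    if "PPS1" in fields:
        out["fi"] = FI_TABLE[fields["PPS1"] >> 4]
        out["di"] = DI_TABLE[fields["PPS1"] & 0x0F]
    return out


def etu_clock_cycles(fi: int, di: int) -> int:
    """Clock cycles per elementary time unit after a PPS (372 at reset)."""
    return fi // di


# Constructed ATR: TS=3B, T0=98 (TA1, TD1, 8 historical bytes), TA1=11,
# TD1=80 (TD2 follows, T=0), TD2=31 (TA3, TB3 follow, T=1), TA3=FE, TB3=45,
# historical bytes "SIMtrace", TCK=B5.
SAMPLE_ATR = bytes.fromhex("3b98118031fe45" + b"SIMtrace".hex() + "b5")
# Constructed PPS: T=0, PPS1=94 (Fi=512, Di=8), PCK=7B.
SAMPLE_PPS = bytes.fromhex("ff10947b")

if __name__ == "__main__":
    print(parse_atr(SAMPLE_ATR))
    print(parse_pps(SAMPLE_PPS))
```

A tracer that only sniffs cannot correct a bad TCK or PCK, but flagging one tells you whether a later desynchronisation was a line problem or a parsing problem, and the Fi/Di from PPS1 is exactly the input the auto-bauding feature above has to act on.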

h2. Hardware

The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [[RebelSIM_Scanner]]. If the [[RebelSIM]] scanner is used, connect its USB cable even if only the signal lines are used: the scanner needs to be powered, otherwise the real reader will often fail to initialize the card.

Now we have a dedicated PCB design. The schematics and Gerber files are released as open source hardware and can be produced by everyone.

However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace

It can also be connected to a full-size SIM card "with a separate adapter":http://shop.sysmocom.de/products/fullsize-sim-fpc

More details are available at [[SIMtrace_Hardware]]

h2. Firmware

The firmware for the AT91SAM7S device was written by reusing a lot of the code of the "OpenPCD":http://www.openpcd.org/ RFID reader. Details are available at [[SIMtrace Firmware]].

h2. Documentation

Please check the attachments for a user manual. In there you will find some hints on installing ready-made packages for your favorite Linux distribution.

h2. Host PC Software

The simtrace program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device and send GSMTAP frames using UDP/IPv4 to localhost:4729.

h3. Preconditions

[[libosmocore:]] and the headers (simtrace_usb.h) from the firmware are required.

Additional packages:
<pre>
sudo apt-get install libusb-1.0-0-dev
</pre>

h3. Compiling it

<pre>
git clone git://git.osmocom.org/simtrace.git
cd simtrace/host/
make
</pre>

h3. Accessing it

Add a udev rule so that simtrace can access the device as a non-root user (the user only needs to be a member of the osmocom group):

<pre>
sudo groupadd osmocom
# use your login name here if $USERNAME is not set by your shell
sudo adduser $USERNAME osmocom
sudo tee /etc/udev/rules.d/10-osmocom.rules << EOF
# to use, install this file in /etc/udev/rules.d as 10-osmocom.rules
# rule to grant read/write access on SIMtrace to group named osmocom.
SUBSYSTEM=="usb", ATTR{idProduct}=="0762", ATTRS{idVendor}=="16c0", MODE="0660", GROUP="osmocom"
EOF
sudo service udev reload
</pre>

You must log out and back in for the new group membership to take effect.

h3. Using it

Simply start *simtrace* (with the udev rule above in place, no sudo is needed).
It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:
<pre>
sudo ./simtrace
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f
APDU: (8):  a0 b0 00 00 01 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f
APDU: (9):  a0 b0 00 00 02 00 01 91 78
APDU: (9):  a0 a4 00 00 02 6f 74 9f 0f
APDU: (23):  a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f
APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9):  a0 a4 00 00 02 6f 30 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
</pre>
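Each line of that dump is one T=0 exchange printed as the command header (CLA INS P1 P2 P3), then the data bytes in whichever direction they flowed (the procedure byte is not shown), then the two status-word bytes, so every line is exactly 5 + P3 + 2 bytes long. The following added example, which is not part of the simtrace host program, decodes such lines offline: it names the GSM 11.11 instructions and the elementary files being selected, interprets the GET RESPONSE file descriptor (file size, type, structure), explains the 9Fxx and 91xx status words, and, for a READ BINARY that follows a SELECT of EF_IMSI, unpacks the swapped-nibble BCD IMSI. The sample lines are copied from the dump above (a subset); the file-ID and instruction names are from GSM 11.11, everything else is this example's own.

```python
"""Decoder for the APDU lines simtrace prints (T=0, GSM 11.11 commands).

Added example, not part of the simtrace host program.  Sample lines are
copied from the console dump on this page.
"""
import re
from typing import Dict, List, Optional

INS_NAMES = {0xA4: "SELECT", 0xC0: "GET RESPONSE", 0xB0: "READ BINARY",
             0xB2: "READ RECORD", 0xD6: "UPDATE BINARY", 0xDC: "UPDATE RECORD",
             0x20: "VERIFY CHV", 0x88: "RUN GSM ALGORITHM", 0xF2: "STATUS"}
# GSM 11.11 elementary files under DF_GSM that appear in the trace.
EF_NAMES = {0x6F07: "EF_IMSI", 0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel",
            0x6F38: "EF_SST", 0x6F74: "EF_BCCH", 0x6F78: "EF_ACC",
            0x6F7E: "EF_LOCI", 0x6FAD: "EF_AD"}
# Commands whose P3 counts bytes sent by the phone; for all others the
# P3 bytes come from the SIM.
OUTGOING_INS = {0xA4, 0xD6, 0xDC, 0x20, 0x88}

LINE_RE = re.compile(r"APDU:\s*\((\d+)\):\s*((?:[0-9a-f]{2}\s*)+)", re.I)


def parse_apdu_line(line: str) -> Optional[Dict]:
    """Split one console line into header, data and status word."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = bytes.fromhex(m.group(2).replace(" ", ""))
    if len(raw) != int(m.group(1)):
        raise ValueError("length field disagrees with the hex bytes")
    cla, ins, p1, p2, p3 = raw[:5]
    if len(raw) != 5 + p3 + 2:
        raise ValueError("line is not header + P3 data bytes + SW")
    data, sw = raw[5:5 + p3], raw[5 + p3:]
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "p3": p3,
            "data": data, "sw": (sw[0] << 8) | sw[1],
            "direction": "ME->SIM" if ins in OUTGOING_INS else "SIM->ME"}


def describe_sw(sw: int) -> str:
    hi, lo = sw >> 8, sw & 0xFF
    if sw == 0x9000:
        return "OK"
    if hi == 0x9F:
        return f"OK, {lo} response bytes available (GET RESPONSE)"
    if hi == 0x91:
        return f"OK, proactive SIM command pending ({lo} bytes)"
    return f"SW {sw:04x}"


def decode_imsi(ef_imsi: bytes) -> str:
    """EF_IMSI: length byte, then swapped-nibble BCD.  The low nibble of the
    first digit byte is the parity (odd/even) indicator, not a digit."""
    length = ef_imsi[0]
    digits = []
    for i, b in enumerate(ef_imsi[1:1 + length]):
        lo, hi = b & 0x0F, b >> 4
        if i == 0:
            digits.append(hi)
        else:
            digits.extend((lo, hi))
    return "".join(str(d) for d in digits if d != 0xF)   # F = padding


def describe(apdu: Dict) -> str:
    name = INS_NAMES.get(apdu["ins"], f"INS {apdu['ins']:02x}")
    extra = ""
    if apdu["ins"] == 0xA4 and len(apdu["data"]) == 2:
        fid = int.from_bytes(apdu["data"], "big")
        extra = " " + EF_NAMES.get(fid, f"{fid:04x}")
    elif apdu["ins"] == 0xC0 and len(apdu["data"]) >= 14 and apdu["data"][6] == 0x04:
        # GET RESPONSE after selecting an EF (GSM 11.11 9.2.1): bytes 3-4 file
        # size, 5-6 file ID, 7 type (04 = EF), 14 structure of the EF.
        d = apdu["data"]
        size = int.from_bytes(d[2:4], "big")
        fid = int.from_bytes(d[4:6], "big")
        structure = {0: "transparent", 1: "linear fixed", 3: "cyclic"}.get(d[13], "?")
        extra = f" {EF_NAMES.get(fid, f'{fid:04x}')} size={size} {structure}"
    return f"{apdu['direction']} {name}{extra} [{apdu['data'].hex()}] -> {describe_sw(apdu['sw'])}"


def decode_trace(text: str) -> List[Dict]:
    """Parse a whole console dump, remembering the last SELECTed EF so that
    the data of a following READ BINARY can be interpreted."""
    out, current_ef = [], None
    for line in text.splitlines():
        apdu = parse_apdu_line(line)
        if apdu is None:
            continue
        if apdu["ins"] == 0xA4 and len(apdu["data"]) == 2:
            current_ef = int.from_bytes(apdu["data"], "big")
        apdu["ef"] = current_ef
        apdu["text"] = describe(apdu)
        if apdu["ins"] == 0xB0 and current_ef == 0x6F07:
            apdu["imsi"] = decode_imsi(apdu["data"])
        out.append(apdu)
    return out


SAMPLE_TRACE = """\
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f
APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
"""

if __name__ == "__main__":
    for a in decode_trace(SAMPLE_TRACE):
        print(a["text"], ("IMSI=" + a["imsi"]) if "imsi" in a else "")
```

Two things the decoded output makes visible that the raw hex does not: the status word 9F 0F after each SELECT is the SIM telling the phone that 15 bytes of file descriptor are waiting for a GET RESPONSE, and the 91 78 on every data response means the SIM has a proactive (SIM Toolkit) command of 120 bytes pending for the phone to FETCH.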

h2. Wireshark integration

The Wireshark dissector for the GSMTAP-encapsulated SIM APDUs started as an experimental patch that is also part of the simtrace.git repository. It is included in the [[wireshark]] development version (since Wireshark 1.7.1).

To see the APDUs in Wireshark:
* on localhost, simtrace itself opens a UDP sink (so that the kernel does not answer every frame with an ICMP port unreachable), so nothing else needs to be done
* to get the data onto another machine
** start a UDP sink for GSMTAP on the other machine (do not use netcat, as it "connects" back)
<pre>
socat -u udp-recv:4729 /dev/null
</pre>
** tell simtrace to which machine to forward
<pre>
./simtrace -i 192.168.0.1
</pre>

!wireshark-sim.png!

Protocol parsing is far from being complete, patches are always welcome!

h2. Other software

* "simlabTrace":https://github.com/kamwar/simlabTrace/wiki appears to be capable of MITM and also appears to include a CCID driver to use SIMtrace as a card reader.

h2. Contact / Mailing List

For any development or usage related questions, there is a mailing list [mailto:simtrace@lists.osmocom.org]; you can subscribe/unsubscribe at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please make sure you read the [[cellular-infrastructure:MailingListRules]] before you start posting.