SIMtrace » History » Revision 6

Revision 5 (laforge, 02/19/2016 10:48 PM) → Revision 6/62 (tsaitgaist, 02/19/2016 10:48 PM)

[[PageOutline]] 
 = Osmocom SIMtrace = 

 Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone. 

 It works by utilizing the T=0 capable USART of the usb-attached AT91SAM7 microcontroller. 

 The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone. 
 The received bytes are sent via USB to the PC, where a program called {{{simtrace}}} on the PC gathers data from the USB device, 
 parses the APDUs and forwards them via [wiki:GSMTAP] to the [wiki:wireshark] protocol analyzer. 

 == Features == 
  * Completely passive scanner 
  * RST and ATR detection 
  * auto-bauding with PPS / PTS support 
  * Segmentation of APDUs 

 == TODO == 
  * Check for parity errors 
  * Verify TCK / PCK check-bytes 

 == Hardware == 

 There is no ready-built hardware for this yet, but there will be. 
 The only existing implementations used an Olimex SAM7-P64 development board 
 with some of the I/O lines hooked up to the mechanical SIM card adapters from [wiki:RebelSIM_Scanner]. We are thinking of 
 doing some custom hardware, but nothing is certain yet. 

 === Interconnections === 

 The hardware schematics are very, very simple: 

  * Connect SIM-RST with PA7 
  * Connect SIM-I/O with PA6(TXD0) and PA1(TIOB0) 
  * Connect SIM-CLK with PA2(SCK0) and PA4(TCLK0) 
  * Connect SIM-GND with GND 

 === Mode of operation === 

 The USART of the AT91SAM7S is capable of T=0. However, the documentation only mentions it in clock-master mode, like you 
 would run it in a smart card reader to actively talk to a smart card. By using the USART input clock multiplexer, 
 you can instead use an externally generated CLK, like the one from the SIM card socket of the phone. 

 Unfortunately, the Rx Timeout feature of the USART is not working in T=0 mode, so I had to re-implement Rx timeout (waiting time) 
 handling by means of the TC (timer/counter) block 0.    Due to technical limitations, we will wait up to one byte (12 etu) more 
 than we should. 

 == Firmware == 

 The Firmware for the AT91SAM7S device was written by reusing a lot of the code for the [http://www.openpcd.org/ OpenPCD] 
 RFID reader.   

 There is a {{{simtrace}}} branch in the git://git.gnumonks.org/openpcd.git repository containing the latest firmware code. 

 Eventually, the OS part of OpenPCD/OpenPICC/SIMtrace will be separated. At that point, the firmware source can become 
 part of simtrace.git. 

 === Toolchain === 

 The toolchain gnuarm-4.0.2 can be used to crosscompile the firmware. 

 {{{ 
 wget http://www.gnuarm.com/bu-2.16.1_gcc-4.0.2-c-c++_nl-1.14.0_gi-6.4_x86-64.tar.bz2 
 tar xf bu-*_gcc-*-c-c++_nl-*_gi-*_x86-64.tar.bz2 
 mv gnuarm-* ~/gnuarm 
 }}} 

 To be able to use the toolchain, add the crosscompilers to your PATH: 

 {{{ 
 export PATH=~/gnuarm/bin:$PATH 
 }}} 

 === Building the firmware === 

 Precondition: You need to set your PATH in a way that contains an arm-elf toolchain, i.e. the same way that you build [OsmocomBB]. 

 {{{ 
 $ git clone git://git.gnumonks.org/openpcd.git 
 $ cd openpcd/firmware 
 $ git checkout simtrace 
 $ make -f Makefile.dfu BOARD=OLIMEX 
 $ make BOARD=SIMTRACE DEBUG=1 TARGET=main_simtrace 
 $ cat dfu.bin main_simtrace.bin > main_simtrace.samba 
 $ cd ../.. 
 }}} 

 === Firmware parts === 

 The firmware build process creates two images, and the cat step above combines them into a third: 
  * dfu.bin -- the sam7dfu 2nd level bootloader. It implements the USB DFU (Device Firmware Upgrade) profile. 
  * main_simtrace.bin -- the actual simtrace program. To be loaded via DFU, using [http://dfu-util.gnumonks.org/ dfu-util]. 
  * main_simtrace.samba -- [http://www.openpcd.org/Sam7dfu sam7dfu] + simtrace image. To be loaded via SAM-BA, using sam7utils (see below). 

 === Flashing the firmware === 

 After the firmware has been flashed, '''lsusb''' should show: 
 {{{ 
 Bus 004 Device 005: ID 16c0:0762 VOTI 
 }}} 

 ==== SAM-BA ==== 

 
 The first time you flash the device, you will have to use the SAM-BA method with the '''main_simtrace.samba''' image. 

 To put the board into SAM-BA mode, use the following steps: 
  * unplug the board 
  * short the TEST pin to VCC (3.3V), using a jumper on your board 
  * power up the board 
  * wait 20s 
  * unplug the board 
  * remove the jumper 

 Now when the board is attached to USB, '''lsusb''' should show: 
 {{{ 
 Bus 002 Device 015: ID 03eb:6124 Atmel Corp. at91sam SAMBA bootloader 
 }}} 

 After flashing the image with sam7utils (see below), power-cycle the board to make it boot the actual application program. 

 For more information about SAM-BA, please refer to the Atmel documentation on the AT91SAM7S component. 

 ==== sam7utils ==== 

 sam7utils will be used to flash the '''main_simtrace.samba''' image over SAM-BA. 
 {{{ 
 sudo aptitude install libreadline-dev 
 wget http://www.openpcd.org/dl/sam7utils-0.2.1-bm.tar.bz2 
 tar xf sam7utils-*.tar.bz2 
 cd sam7utils 
 ./configure --prefix=/usr/local 
 make 
 }}} 

 ===== sam7utils for x86 ===== 

 On x86, sam7utils will be compiled to communicate with the board through a POSIX serial device. 

 The board therefore has to show up as a device node. On Ubuntu 10.10, the USB device 03eb:6124 is mapped to /dev/ttyACM0 by the cdc_acm module. If it is not mapped, use usbserial: 
 {{{ 
 sudo rmmod usbserial 
 sudo modprobe usbserial vendor=0x03EB product=0x6124 
 }}} 

 Now replug the board. It should map to /dev/ttyUSBx (use dmesg to find out which). Now flash the samba image: 
 {{{ 
 sudo ./sam7 -l /dev/ttyUSB0 --exec set_clock --exec unlock_regions --exec "flash ../openpcd/firmware/main_simtrace.samba" 
 }}} 

 ===== sam7utils for amd64 ===== 

 On amd64, sam7utils will be compiled to communicate with the board using libusb. 

 On Ubuntu 10.10, the USB device 03eb:6124 is mapped to /dev/ttyACMx by the cdc_acm module. 
 Remove that module while the board is plugged in, so that sam7utils is able to communicate with it. 
 {{{ 
 sudo rmmod cdc_acm 
 sudo ./sam7 --exec set_clock --exec unlock_regions --exec "flash ../openpcd/firmware/main_simtrace.samba" 
 }}} 

 ==== DFU ==== 

 As the SAM-BA procedure is somewhat complex and tiresome for quick development cycles, [http://www.openpcd.org/Sam7dfu sam7dfu] was developed as a 2nd stage bootloader. It implements the USB DFU (Device Firmware Upgrade) profile and can be used with any DFU compatible flashing tool such as the [http://dfu-util.gnumonks.org/ dfu-util] program. 

 === TODO === 

 == Host PC Software == 

 The {{{simtrace}}} program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device 
 and send GSMTAP frames using UDP/IPv4 to localhost:4729. 

 === Getting it === 

 Use the following git repository: 
 {{{ 
 git clone git://git.osmocom.org/simtrace.git 
 }}} 

 === Compiling it === 

 Precondition:    [wiki:libosmocore] and headers from the firmware. 

 {{{ 
 cd simtrace/at91sam7/host/ 
 rm simtrace_usb.h 
 ln -s ../../../openpcd/firmware/include/simtrace_usb.h simtrace_usb.h 
 make 
 }}} 

 === Using it === 

 Simply start '''simtrace'''. 
 It will send the GSMTAP frames to UDP/IPv4 localhost:4729. 
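 As an added illustration (not code from the simtrace project), the following Python receiver shows how a host-side tool consumes what simtrace emits on localhost:4729: it decodes the GSMTAP header, honours the header length field instead of assuming 16 bytes, and keeps only SIM-type payloads. The header layout and the GSMTAP_TYPE_SIM value are taken from libosmocore's gsmtap.h as the editor recalls them, not from this page; build_gsmtap_sim() only constructs an offline test datagram.

```python
import socket
import struct

# Port and transport are given on the page; the header layout below follows
# the GSMTAP v2 header from libosmocore's gsmtap.h as recalled by the editor,
# so it is an assumption of this example rather than something the page states.
GSMTAP_PORT = 4729
GSMTAP_VERSION = 2
GSMTAP_TYPE_SIM = 0x04
# Fixed 16-byte header, multi-byte fields big-endian: version, hdr_len (in
# 32-bit words), type, timeslot, arfcn, signal_dbm, snr_db, frame_number,
# sub_type, antenna_nr, sub_slot, reserved.
GSMTAP_HDR = struct.Struct(">BBBBHbbIBBBB")


def build_gsmtap_sim(apdu: bytes) -> bytes:
    """Wrap one APDU in a minimal GSMTAP SIM datagram (constructed test input)."""
    header = GSMTAP_HDR.pack(GSMTAP_VERSION, GSMTAP_HDR.size // 4, GSMTAP_TYPE_SIM,
                             0, 0, 0, 0, 0, 0, 0, 0, 0)
    return header + apdu


def parse_gsmtap(datagram: bytes) -> dict:
    """Split a GSMTAP datagram into header fields and payload.

    The payload offset comes from hdr_len, so senders that append extension
    words are still parsed correctly; malformed datagrams raise ValueError
    instead of yielding a bogus payload.
    """
    if len(datagram) < GSMTAP_HDR.size:
        raise ValueError("datagram shorter than the GSMTAP header")
    (version, hdr_len, gtype, _timeslot, arfcn, _signal_dbm, _snr_db,
     frame_number, sub_type, _antenna_nr, _sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    offset = hdr_len * 4
    if offset < GSMTAP_HDR.size or offset > len(datagram):
        raise ValueError(f"implausible hdr_len {hdr_len}")
    return {"type": gtype, "sub_type": sub_type, "frame_number": frame_number,
            "arfcn": arfcn, "payload": datagram[offset:]}


def receive_sim_apdus(max_frames: int, port: int = GSMTAP_PORT, timeout: float = 5.0) -> list:
    """Listen on localhost for GSMTAP datagrams and collect SIM payloads.

    Non-SIM and malformed frames are skipped; the loop stops after max_frames
    SIM APDUs or when nothing arrives within `timeout` seconds.
    """
    apdus = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", port))
        sock.settimeout(timeout)
        while len(apdus) < max_frames:
            try:
                datagram, _addr = sock.recvfrom(4096)
            except socket.timeout:
                break
            try:
                frame = parse_gsmtap(datagram)
            except ValueError:
                continue
            if frame["type"] == GSMTAP_TYPE_SIM:
                apdus.append(frame["payload"])
    return apdus


if __name__ == "__main__":
    # Offline self-check with a constructed datagram carrying the first APDU
    # of the console dump shown below (SELECT of file 6F07).
    sample = build_gsmtap_sim(bytes.fromhex("a0a40000026f079f0f"))
    print(parse_gsmtap(sample))
    # With simtrace running, the live equivalent would be:
    # for apdu in receive_sim_apdus(5): print(apdu.hex())
```

 Because the receiver binds the same port the page names, it cannot run at the same time as wireshark listening on 4729; in practice you would either point one of them at a different port or read from a pcap instead.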

 It will also print hexdumps of the frames to the console, looking like this: 
 {{{ 
 sudo ./simtrace 
 APDU: (9):    a0 a4 00 00 02 6f 07 9f 0f 
 APDU: (22):    a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 38 9f 0f 
 APDU: (22):    a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78 
 APDU: (16):    a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78 
 APDU: (9):    a0 a4 00 00 02 6f ad 9f 0f 
 APDU: (8):    a0 b0 00 00 01 00 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 07 9f 0f 
 APDU: (16):    a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 7e 9f 0f 
 APDU: (18):    a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 78 9f 0f 
 APDU: (9):    a0 b0 00 00 02 00 01 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 74 9f 0f 
 APDU: (23):    a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 20 9f 0f 
 APDU: (16):    a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78 
 APDU: (9):    a0 a4 00 00 02 6f 30 9f 0f 
 APDU: (22):    a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78 
 }}} 
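 An added example, not part of the page or of the simtrace sources: a parser for console lines of the form above that splits each APDU into header, data field and status word, names the instruction and the selected file, and decodes EF_IMSI when the phone reads it, which is exactly the kind of identifier a passive tap on the SIM-ME interface sees in the clear. The instruction, file-ID and status-word tables are the editor's summary of GSM 11.11, not something the page lists; the sample lines are copied from the dump above.

```python
import re

# Instruction codes (GSM 11.11 table 9) and file identifiers (GSM 11.11
# clause 10), limited to what commonly appears in a SIM-ME trace.
INS_NAMES = {0xA4: "SELECT", 0xF2: "STATUS", 0xB0: "READ BINARY", 0xD6: "UPDATE BINARY",
             0xB2: "READ RECORD", 0xDC: "UPDATE RECORD", 0x20: "VERIFY CHV",
             0x88: "RUN GSM ALGORITHM", 0xC0: "GET RESPONSE", 0x12: "FETCH",
             0xC2: "ENVELOPE", 0x14: "TERMINAL RESPONSE", 0x10: "TERMINAL PROFILE"}
CARD_TO_PHONE = {0xF2, 0xB0, 0xB2, 0xC0, 0x12}   # data field is sent by the card
FILE_NAMES = {0x3F00: "MF", 0x7F20: "DF_GSM", 0x7F10: "DF_TELECOM", 0x6F07: "EF_IMSI",
              0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel", 0x6F38: "EF_SST", 0x6F74: "EF_BCCH",
              0x6F78: "EF_ACC", 0x6F7E: "EF_LOCI", 0x6FAD: "EF_AD"}
LINE_RE = re.compile(r"APDU:\s*\((\d+)\):\s*([0-9a-fA-F ]+)")

# Sample input: four lines copied from the console dump above
# (SELECT EF_AD, READ BINARY, SELECT EF_IMSI, READ BINARY).
SAMPLE_TRACE = """\
sudo ./simtrace
APDU: (9):    a0 a4 00 00 02 6f ad 9f 0f
APDU: (8):    a0 b0 00 00 01 00 91 78
APDU: (9):    a0 a4 00 00 02 6f 07 9f 0f
APDU: (16):    a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
"""


def describe_sw(sw1: int, sw2: int) -> str:
    """Meaning of a GSM 11.11 status word (common cases only)."""
    if (sw1, sw2) == (0x90, 0x00):
        return "normal ending"
    if sw1 == 0x9F:
        return f"normal ending, {sw2} response bytes available (GET RESPONSE)"
    if sw1 == 0x91:
        return f"normal ending, proactive SIM command of {sw2} bytes pending (FETCH)"
    if (sw1, sw2) == (0x94, 0x04):
        return "file ID or pattern not found"
    if (sw1, sw2) == (0x98, 0x04):
        return "access condition not fulfilled / CHV verification failed"
    return "unrecognised status word"


def parse_apdu_line(line: str):
    """Split one 'APDU: (n): ...' line into header, data field and status word.

    simtrace has already stripped the T=0 procedure bytes, so a line is exactly
    5 header bytes + P3 data bytes + SW1 SW2; anything else raises ValueError.
    Returns None for lines that are not APDU dumps (e.g. the command line).
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    count, raw = int(m.group(1)), bytes.fromhex(m.group(2))
    if len(raw) != count or len(raw) < 7:
        raise ValueError(f"bad APDU line: {line.strip()!r}")
    cla, ins, p1, p2, p3 = raw[:5]
    data, (sw1, sw2) = raw[5:-2], raw[-2:]
    expected = p3 or (256 if ins in CARD_TO_PHONE else 0)   # P3 == 0 means 256 for case 2
    if len(data) != expected:
        raise ValueError(f"data length {len(data)} does not match P3 {p3}")
    apdu = {"cla": cla, "ins": ins, "ins_name": INS_NAMES.get(ins, f"INS {ins:02X}"),
            "p1": p1, "p2": p2, "p3": p3, "data": data, "sw": (sw1, sw2),
            "direction": "card->phone" if ins in CARD_TO_PHONE else "phone->card",
            "sw_text": describe_sw(sw1, sw2)}
    if ins == 0xA4 and len(data) == 2:   # SELECT carries a 2-byte file ID
        fid = int.from_bytes(data, "big")
        apdu["file"] = FILE_NAMES.get(fid, f"file {fid:04X}")
    return apdu


def decode_imsi(ef_imsi: bytes) -> str:
    """Decode EF_IMSI content (GSM 11.11 10.3.2): length byte, then BCD digits
    with swapped nibbles; bit 4 of the first digit byte flags an odd digit count."""
    body = ef_imsi[1:1 + ef_imsi[0]]
    odd = bool(body[0] & 0x08)
    digits = [body[0] >> 4]
    for b in body[1:]:
        digits += [b & 0x0F, b >> 4]
    if not odd:
        digits.pop()            # last nibble is 0xF filler
    return "".join(str(d) for d in digits)


def summarize(trace_text: str) -> list:
    """Attribute each READ BINARY to the file selected before it and decode
    EF_IMSI when its content is read, to show what a passive trace exposes."""
    entries, selected = [], None
    for line in trace_text.splitlines():
        apdu = parse_apdu_line(line)
        if apdu is None:
            continue
        if apdu["ins"] == 0xA4:
            selected = apdu.get("file")
        elif apdu["ins"] == 0xB0:
            apdu["file"] = selected
            if selected == "EF_IMSI":
                apdu["imsi"] = decode_imsi(apdu["data"])
        entries.append(apdu)
    return entries


if __name__ == "__main__":
    for e in summarize(SAMPLE_TRACE):
        print(e["ins_name"], e.get("file", ""), e["data"].hex(), "->", e["sw_text"],
              "IMSI=" + e["imsi"] if "imsi" in e else "")
```

 The length checks are deliberate: a line whose byte count disagrees with its "(n)" field or whose data field does not match P3 is a sign that segmentation went wrong (for example a missed procedure byte or a parity error, both still on the TODO list above), and it is better to flag such a line than to silently misattribute bytes to the status word.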

 == Wireshark integration == 

 There is an experimental patch, also part of the simtrace.git package. You will have to apply this against the latest 
 [wiki:wireshark] developer version. 

 [[Image(wireshark-sim.png)]] 

 Protocol parsing is far from being complete, patches are always welcome! 