SIMtrace » History » Version 60

gnutoo, 04/26/2019 02:04 PM
simplify wireshark integration text

h1. Osmocom SIMtrace

**%{background:yellow}WARNING: this project only applies to the first generation SIMtrace hardware, which uses the Atmel AT91SAM7S micro-controller. This project is not supported anymore. The hardware and software are still working, but won't get updates. This project is now replaced by project:simtrace2, which uses the SAM3S replacement micro-controller.%**

{{>toc}}

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It looks a bit like this:
{{graphviz_link()
digraph G{
  //rankdir = LR;
  Phone -> SIMtrace [label = "Flexi-PCB cable"];
  SIMtrace -> SIM;
  SIMtrace -> PC [label = "USB cable"];

  SIMtrace [ label = "SIMtrace hardware" ];
}
}}

When connected to a phone, it looks like this:

!{width:50%}simtrace_and_phone.jpg!

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone. The received bytes are sent via USB to the PC, where a program called simtrace gathers the data from the USB device, parses the APDUs and forwards them via GSMTAP to the wireshark protocol analyzer.

h2. Features

* Completely passive scanner
* RST and ATR detection
* Auto-bauding with PPS / PTS support
* Segmentation of APDUs

SIMtrace can be used to monitor the ME-SIM communication, but also to emulate a phone or a SIM, or to act as a man-in-the-middle (MitM).
While the hardware supports all these modes, only the monitoring aspect has been implemented in software.

h2. TODO

SIMtrace is a community project, and help is more than welcome.

Some tasks require no knowledge of electronics or SIM card protocols, only very basic C programming skills:
* Use the libusb hot-plugging API to keep the program running across SIMtrace disconnects

Some tasks do not require microcontroller programming skills:
* extending/completing the wireshark dissectors for the SIM protocol.

Here are some of the other things that could be improved:
* Check for parity errors
* Verify TCK / PCK check-bytes
* Implement MITM

h2. Hardware

The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [[RebelSIM_Scanner]]. If the [[RebelSIM]] scanner is used, connect its USB even if only the signal lines are used: it needs to be powered, or the real reader will often fail to initialize the card.

Now we have a dedicated PCB design. The schematics and Gerber files are released as open source hardware and can be produced by everyone.

However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace

It can also be used with full-size SIM cards "with a separate adapter":http://shop.sysmocom.de/products/fullsize-sim-fpc

More details are available at [[SIMtrace_Hardware]]

h2. Firmware

The firmware for the AT91SAM7S device was written by reusing a lot of the code of the "OpenPCD":http://www.openpcd.org/ RFID reader. Details are available at [[SIMtrace Firmware]].

h2. Documentation

Please check the attachments for a user manual. In there you will find some hints on installing ready-made packages for your favorite Linux distribution.

h2. Host PC Software

The simtrace program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device and send GSMTAP frames using UDP/IPv4 to localhost:4729.

h3. Preconditions

[[libosmocore:]] and the headers (simtrace_usb.h) from the firmware.

Additional packages:
<pre>
sudo apt-get install libusb-1.0-0-dev
</pre>

h3. Compiling it

<pre>
git clone git://git.osmocom.org/simtrace.git
cd simtrace/host/
make
</pre>

h3. Accessing it

Add a udev rule so that simtrace can access the device as a non-root user (the user only needs to be a member of the osmocom group):

<pre>
sudo groupadd osmocom
# $USER is the login name of the current user
sudo adduser $USER osmocom
sudo tee /etc/udev/rules.d/10-osmocom.rules << EOF
# to use, install this file in /etc/udev/rules.d as 10-osmocom.rules
# rule to grant read/write access on SIMtrace to group named osmocom.
SUBSYSTEM=="usb", ATTR{idVendor}=="16c0", ATTR{idProduct}=="0762", MODE="0660", GROUP="osmocom"
EOF
sudo service udev reload
</pre>

You must log out and back in for the new group membership to take effect.

h3. Using it

Simply start *simtrace*.
It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:
<pre>
sudo ./simtrace
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f
APDU: (8):  a0 b0 00 00 01 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f
APDU: (9):  a0 b0 00 00 02 00 01 91 78
APDU: (9):  a0 a4 00 00 02 6f 74 9f 0f
APDU: (23):  a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f
APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9):  a0 a4 00 00 02 6f 30 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
</pre>
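Each console line above is one reassembled T=0 exchange: a 5-byte header (CLA INS P1 P2 P3), then the P3 data bytes (sent by the phone for commands such as SELECT, returned by the SIM for READ BINARY or GET RESPONSE), then the 2-byte status word. The following Python script is an added example and not part of the simtrace host code; it parses these lines and annotates them with the GSM TS 11.11 instruction name, the selected file and the meaning of the status word (9F xx: response data available, 91 xx: proactive SIM command pending). The instruction and file tables are a hand-picked subset of the standard, the ME->SIM / SIM->ME direction is an assumption derived from the instruction byte, and the sample lines are copied from the console output above.

```python
import re

# GSM TS 11.11 instruction bytes (CLA 0xA0). Hand-picked subset covering the log above.
INS_NAMES = {
    0x04: "INVALIDATE", 0x10: "TERMINAL PROFILE", 0x12: "FETCH",
    0x14: "TERMINAL RESPONSE", 0x20: "VERIFY CHV", 0x24: "CHANGE CHV",
    0x26: "DISABLE CHV", 0x28: "ENABLE CHV", 0x2C: "UNBLOCK CHV",
    0x32: "INCREASE", 0x44: "REHABILITATE", 0x88: "RUN GSM ALGORITHM",
    0xA2: "SEEK", 0xA4: "SELECT", 0xB0: "READ BINARY", 0xB2: "READ RECORD",
    0xC0: "GET RESPONSE", 0xC2: "ENVELOPE", 0xD6: "UPDATE BINARY",
    0xDC: "UPDATE RECORD", 0xF2: "STATUS", 0xFA: "SLEEP",
}
# Assumption: for these instructions the P3 body bytes flow ME -> SIM;
# for every other instruction the body is the SIM's response (SIM -> ME).
BODY_TO_SIM = {0x10, 0x14, 0x20, 0x24, 0x26, 0x28, 0x2C, 0x32, 0x88,
               0xA2, 0xA4, 0xC2, 0xD6, 0xDC}
# TS 11.11 file identifiers, including those SELECTed in the log above.
FILE_NAMES = {
    0x3F00: "MF", 0x7F10: "DF_TELECOM", 0x7F20: "DF_GSM",
    0x6F07: "EF_IMSI", 0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel", 0x6F38: "EF_SST",
    0x6F74: "EF_BCCH", 0x6F78: "EF_ACC", 0x6F7E: "EF_LOCI", 0x6FAD: "EF_AD",
}

LINE_RE = re.compile(r"^APDU: \((\d+)\):\s+([0-9a-fA-F ]+)$")


def describe_sw(sw1, sw2):
    """Human-readable meaning of a TS 11.11 status word."""
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x9F:
        return f"OK, {sw2} bytes of response data available (fetch with GET RESPONSE)"
    if sw1 == 0x91:
        return f"OK, proactive SIM command pending ({sw2} bytes, fetch with FETCH)"
    if sw1 == 0x94:
        return f"referencing management error 94 {sw2:02x}"
    if sw1 == 0x98:
        return f"security management error 98 {sw2:02x}"
    if sw1 in (0x67, 0x6B, 0x6D, 0x6E):
        return f"application independent error {sw1:02x} {sw2:02x}"
    return f"unknown status {sw1:02x} {sw2:02x}"


def parse_apdu_line(line):
    """Parse one 'APDU: (n): ...' console line; returns None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    count = int(m.group(1))
    raw = bytes.fromhex(m.group(2).replace(" ", ""))
    if len(raw) != count:
        raise ValueError(f"line declares {count} bytes but carries {len(raw)}")
    if len(raw) < 7:
        raise ValueError("need at least a 5-byte header plus a 2-byte status word")
    cla, ins, p1, p2, p3 = raw[:5]
    body, sw1, sw2 = raw[5:-2], raw[-2], raw[-1]
    # A T=0 exchange carries either all P3 bytes or none (e.g. the card
    # answered with an error before any data moved).
    if len(body) not in (0, p3):
        raise ValueError(f"body has {len(body)} bytes, P3 says {p3}")
    info = {
        "cla": cla, "ins": ins, "name": INS_NAMES.get(ins, f"INS {ins:02x}"),
        "p1": p1, "p2": p2, "p3": p3,
        "direction": "ME->SIM" if ins in BODY_TO_SIM else "SIM->ME",
        "body": body.hex(), "sw": f"{sw1:02x}{sw2:02x}",
        "sw_text": describe_sw(sw1, sw2),
    }
    if ins == 0xA4 and len(body) == 2:
        fid = int.from_bytes(body, "big")
        info["file"] = FILE_NAMES.get(fid, f"file {fid:04x}")
    return info


def annotate(lines):
    """Return one annotated string per APDU line, skipping everything else."""
    out = []
    for line in lines:
        info = parse_apdu_line(line)
        if info is None:
            continue
        what = info.get("file", info["body"] or "-")
        out.append(f"{info['name']:<17} P1={info['p1']:02x} P2={info['p2']:02x} "
                   f"P3={info['p3']:02x} {info['direction']} {what}  "
                   f"SW={info['sw']} ({info['sw_text']})")
    return out


# Sample input: lines copied from the simtrace console output shown above.
SAMPLE = """\
sudo ./simtrace
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
""".splitlines()

if __name__ == "__main__":
    for entry in annotate(SAMPLE):
        print(entry)
```

Pipe the live console output into `annotate()` to get the same annotation on a running trace; the length checks are what make the parser reject a line that was truncated or garbled, instead of silently misreading the last bytes as a status word.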

h2. Wireshark integration

Support for the SIM protocol is included in [[wireshark]] since wireshark 1.7.1.

To see the APDUs in wireshark:
By default, SIMtrace automatically opens a UDP sink on localhost, so launching simtrace is enough to send the traces to localhost:
<pre>
$ sudo simtrace
</pre>

To then capture the traces with wireshark you can use the following command:
<pre>
$ wireshark -i lo -f 'udp port 4729'
</pre>

To get the data on another machine:
* start a UDP sink for GSMTAP on the other machine (do not use netcat, as it "connects" back)
<pre>
socat -u udp-recv:4729 /dev/null
</pre>
* tell SIMtrace which machine to forward to
<pre>
./simtrace -i 192.168.0.1
</pre>
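What travels over UDP port 4729 is GSMTAP version 2: a 16-byte header whose type field is GSMTAP_TYPE_SIM (0x04), followed by the raw APDU bytes. The Python script below is an added example, not code from the simtrace repository: it builds such a frame, parses it back with the bounds checks a sink needs before trusting the header length field, and implements a minimal decoding receiver that replaces the `socat` sink above when you want to see the APDUs without wireshark. It assumes sub_type 0 and leaves the radio-related header fields (timeslot, ARFCN, frame number) at zero, as a SIM trace has no values for them.

```python
import socket
import struct

GSMTAP_VERSION = 0x02
GSMTAP_TYPE_SIM = 0x04        # payload type for SIM APDUs (libosmocore gsmtap.h)
GSMTAP_UDP_PORT = 4729        # the port simtrace and wireshark use above

# 16-byte GSMTAP header, network byte order: version, hdr_len (in 32-bit
# words), type, timeslot, arfcn, signal_dbm, snr_db, frame_number,
# sub_type, antenna_nr, sub_slot, reserved.
GSMTAP_HDR = struct.Struct(">BBBBHbbIBBBB")


def build_gsmtap_sim(apdu: bytes) -> bytes:
    """Wrap a raw APDU the way a GSMTAP SIM source does.

    Assumption: sub_type 0 and all radio-related fields zero, since a
    SIM trace has no timeslot, ARFCN or frame number.
    """
    hdr = GSMTAP_HDR.pack(GSMTAP_VERSION, GSMTAP_HDR.size // 4,
                          GSMTAP_TYPE_SIM, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    return hdr + apdu


def parse_gsmtap(datagram: bytes) -> dict:
    """Split one UDP datagram into GSMTAP header fields and payload.

    Rejects datagrams that are too short or claim a header longer than
    the datagram, which a sink must check before trusting hdr_len.
    """
    if len(datagram) < GSMTAP_HDR.size:
        raise ValueError("datagram shorter than the GSMTAP header")
    (version, hdr_len, gtype, timeslot, arfcn, signal_dbm, snr_db,
     frame_number, sub_type, antenna_nr, sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    payload_off = hdr_len * 4
    if payload_off < GSMTAP_HDR.size or payload_off > len(datagram):
        raise ValueError(f"bad hdr_len {hdr_len}")
    return {
        "type": gtype, "sub_type": sub_type, "arfcn": arfcn,
        "frame_number": frame_number, "payload": datagram[payload_off:],
    }


def run_sink(count=1, host="127.0.0.1", port=GSMTAP_UDP_PORT, timeout=None):
    """Receive and decode `count` GSMTAP frames: the decoding counterpart of
    `socat -u udp-recv:4729 /dev/null`. Malformed datagrams are recorded as
    errors and frames of other GSMTAP types are flagged, so a mixed stream
    does not confuse the caller."""
    frames = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        sock.settimeout(timeout)
        while len(frames) < count:
            data, peer = sock.recvfrom(65535)
            try:
                frame = parse_gsmtap(data)
            except ValueError as err:
                frames.append({"error": str(err), "peer": peer})
                continue
            frame["peer"] = peer
            frame["is_sim"] = frame["type"] == GSMTAP_TYPE_SIM
            frames.append(frame)
    return frames


if __name__ == "__main__":
    # Listen on the default port and print the APDU payloads as hex.
    for frame in run_sink(count=5):
        if "error" in frame:
            print("dropped:", frame["error"])
        elif frame["is_sim"]:
            print("APDU:", frame["payload"].hex(" "))
        else:
            print("non-SIM GSMTAP type", frame["type"])
```

To receive from a remote SIMtrace host, bind `run_sink()` to the address you pass to `simtrace -i` instead of 127.0.0.1; the `hdr_len` check matters because the header length is read from the wire and a value larger than the datagram would otherwise produce an empty or mis-sliced payload.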

!wireshark-sim.png!

Wireshark's protocol parsing is far from complete; patches are always welcome!

h2. Other software

* "simlabTrace":https://github.com/kamwar/simlabTrace/wiki seems to be capable of MITM and also seems to have a CCID driver to use SIMtrace as a card reader.

h2. Contact / Mailing List

For any development or usage related questions, there is a mailing list [mailto:simtrace@lists.osmocom.org]. You can subscribe/unsubscribe at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please make sure you read the [[cellular-infrastructure:MailingListRules]] before you start posting.