SIM card related Projects » SIMtrace

[[PageOutline]]

= Osmocom SIMtrace =

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It works by utilizing the T=0 capable USART of the usb-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone.

The received bytes are sent via USB to the PC, where a program called {{{simtrace}}} on the PC gathers data from the USB device,

parses the APDUs and forwards them via [wiki:GSMTAP] to the [wiki:wireshark] protocol analyzer.

== Features ==

 * Completely passive scanner

 * RST and ATR detection

 * auto-bauding with PPS / PTS support

 * Segmentation of APDUs

== TODO ==

 * Check for parity errors

 * Verify TCK / PCK check-bytes

== Hardware ==

There is no ready-built hardware for this yet, but there will be.

The existing implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [wiki:RebelSIM_Scanner].

=== Interconnections ===

The hardware schematics are very, very simple:

 * Connect SIM-RST with PA7

 * Connect SIM-I/O with PA6(TXD0) and PA1(TIOB0)

 * Connect SIM-CLK with PA2(SCK0) and PA4(TCLK0)

 * Connect SIM-GND with GND

=== Mode of operation ===

The USART of the AT91SAM7S is capable of T=0. The documentation only mentions it in clock-master mode, like you

would run it in a smart card reader to actively talk to a smart card. However, by using the USART input clock multiplexer,

you can use an externally-generated CLK like the one from the SIM card socket of the phone.

Unfortunately, the Rx Timeout feature of the USART is not working in T=0 mode, so I had to re-implement Rx timeout (waiting time)

handling by means of the TC (timer/counter) block 0.  Due to technical limitations, we will wait up to one byte (12 etu) more

than we should.

== Firmware ==

The Firmware for the AT91SAM7S device was written by reusing a lot of the code for the [http://www.openpcd.org/ OpenPCD]

RFID reader.  

There is a {{{simtrace}}} branch in the git://git.gnumonks.org/openpcd.git repository containing the latest firmware code.

Eventually, the OS part of OpenPCD/OpenPICC/SIMtrace will be separated.  At that point, the firmware source can become

part of simtrace.git

=== Toolchain ===

The toolchain gnuarm-4.0.2 can be used to crosscompile the firmware.

{{{

wget http://www.gnuarm.com/bu-2.16.1_gcc-4.0.2-c-c++_nl-1.14.0_gi-6.4_x86-64.tar.bz2

tar xf bu-*_gcc-*-c-c++_nl-*_gi-*_x86-64.tar.bz2

mv gnuarm-* ~/gnuarm

}}}

To be able to use the toolchain, add the crosscompilers to your PATH

{{{

export PATH=~/gnuarm/bin:$PATH

}}}

=== Building the firmware ===

Precondition: You need to set your PATH in a way that contains an arm-elf toolchain, i.e. the same way that you build [OsmocomBB].

{{{

git clone git://git.gnumonks.org/openpcd.git

cd openpcd/firmware

git checkout simtrace

make -f Makefile.dfu BOARD=OLIMEX

make BOARD=SIMTRACE DEBUG=1 TARGET=main_simtrace

cat dfu.bin main_simtrace.bin > main_simtrace.samba

cd ../..

}}}

=== Firmware parts ===

The firmware build process creates two images:

 * dfu.bin -- the sam7dfu 2nd level bootloader. It implements the USB DFU (Device Firmware Upgrade) profile.

 * main_simtrace.bin -- the actual simtrace program. To be loaded via DFU, using [http://dfu-util.gnumonks.org/ dfu-util].

 * main_simtrace.samba -- [http://www.openpcd.org/Sam7dfu sam7dfu] + simtrace image. to be loaded via SAM-BA, using sam7utils (see below).

=== Flashing the firmware ===

after the firmware has been flashed, '''lsusb''' should show:

{{{

Bus 004 Device 005: ID 16c0:0762 VOTI

}}}

==== SAM-BA ====

The first time you flash the device, you will have to use the SAM-BA method using the '''main_simtrace.samba''' image.

To put the board into SAM-BA mode, use the following steps:

 * unplug the board

 * short TEST to VCC (3.3V) pin, using a jumper

 * power up the board

 * wait 20s

 * unplug board

 * remove jumper

Now when the board is attached to USB, '''lsusb''' should show :

{{{

Bus 002 Device 015: ID 03eb:6124 Atmel Corp. at91sam SAMBA bootloader

}}}

For more information about SAM-BA, please refer to the Atmel documentation on the AT91SAM7S component.

==== sam7utils ====

sam7utils will be used to flash the '''main_simtrace.samba''' image over SAM-BA.

{{{

sudo aptitude install libreadline-dev

wget http://www.openpcd.org/dl/sam7utils-0.2.1-bm.tar.bz2

tar xf sam7utils-*.tar.bz2

cd sam7utils

./configure --prefix=/usr/local

make

}}}

===== sam7utils for x86 =====

On x86, sam7utils will be compile to communicate with the board using POSIX.

The board should be attached to a node. On ubuntu 10.10, the usb device 03eb:6124 is mapped on /dev/ttyACM0 using the cdc_cam module. If not mapped, use usbserial :

{{{

sudo rmmod usbserial

sudo modprobe usbserial vendor=0x03EB product=0x6124

}}}

Now replug board. It should map to /dev/ttyUSBx (use dmesg to know which). Now to flash the samba image :

{{{

sudo ./sam7 -l /dev/ttyUSB0 --exec set_clock --exec unlock_regions --exec "flash ../openpcd/firmware/main_simtrace.samba"

}}}

===== sam7utils for amd64 =====

On amd64, sam7utils will be compile to communicate with the board using libusb.

On ubuntu 10.10, the usb device 03eb:6124 is mapped on /dev/ttyACMx using the cdc_cam module.

Remove it while the board is plugged, so sam7utils is able to communicate with it.

{{{

sudo rmmod cdc_acm

sudo ./sam7 --exec set_clock --exec unlock_regions --exec "flash ../openpcd/firmware/main_simtrace.samba"

}}}

==== DFU ====

TODO

== Host PC Software ==

The {{{simtrace}}} program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device

and send GSMTAP frames using UDP/IPv4 to localhost:4729.

=== Getting it ===

Use the following git repository:

{{{

git clone git://git.osmocom.org/simtrace.git

}}}

=== Compiling it ===

Precondition:  [wiki:libosmocore] and headers (simtrace_usb.h) from the firmware.

{{{

cd simtrace/at91sam7/host/

make

}}}

=== Using it ===

Simply start '''simtrace'''.

It will senf the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:

{{{

sudo ./simtrace

APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f

APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78

APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f

APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78

APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78

APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f

APDU: (8):  a0 b0 00 00 01 00 91 78

APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f

APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78

APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f

APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78

APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f

APDU: (9):  a0 b0 00 00 02 00 01 91 78

APDU: (9):  a0 a4 00 00 02 6f 74 9f 0f

APDU: (23):  a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78

APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f

APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78

APDU: (9):  a0 a4 00 00 02 6f 30 9f 0f

APDU: (22):  a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78

}}}

== Wireshark integration ==

There is an experimental patch, also part of the simtrace.git package.  You will have to apply this against the latest

[wiki:wireshark] developer version.

[[Image(wireshark-sim.png)]]

Protocol parsing is far from being complete, patches are always welcome!