tsaitgaist, 07/10/2018 03:21 PM
updated hardware and firmware


Osmocom SIMtrace 2

Osmocom SIMtrace 2 is a software, firmware and hardware system for passively tracing the SIM-ME communication between a SIM card and a mobile phone, and for remote SIM operation.
While it was designed for SIM-ME communication, it supports all ISO 7816 smart cards using the T=0 protocol (the most common case).

It is a follow-up of the SIMtrace, providing more functionality (e.g. remote SIM operation) and supporting multiple boards (e.g. SIMtrace with SAM3S, sysmoQMOD).

Hardware

The SIMtrace 2 firmware supports several boards.
The firmware is written for an ATSAM3S4B micro-controller.

Note: Atmel has meanwhile labelled the SAM3S as not recommended for new designs. However, there are plenty of hardware- and software-compatible upgrade options for the future, including the SAM4S.

SIMtrace 2

The main purpose of this board is to sniff the communication between a phone and a SIM card (or any card reader and smart-card).

This is the same board as the previous SIMtrace 1, with the exception that the ATSAM3S4B micro-controller replaces the old AT91SAM7S64. Since the SAM3S is pin compatible with the SAM7S, any SIMtrace 1 board can be converted into a SIMtrace 2 board simply by replacing the micro-controller.

Note: This hardware is open source.

sysmoQMOD

The SAM3S micro-controller with SIMtrace 2 firmware is also used on the sysmoQMOD board to provide remote SIM operation capabilities.

Note: This hardware is not open source.

Firmware

The SIMtrace 2 firmware source code is available in git.
It is currently under active development, and we recommend flashing the newest firmware images to benefit from the latest bug fixes and added functionality.

The SIMtrace 2 firmware is a complete rewrite and can only be flashed on hardware with SAM3S ARM Cortex-M3-based micro-controllers.
The SIMtrace 2 firmware is not compatible with the older SIMtrace 1 using SAM7S ARM7TDMI-based micro-controllers.

sniffer

The sniffer firmware allows sniffing the communication between a phone and a SIM card (or any card reader and smart card).
It is intended for the SIMtrace 2 hardware, and its function is analogous to that of the SIMtrace 1.

The application firmware to be flashed using DFU is attachment:simtrace-trace-dfu.bin.
It corresponds to the trace app in the source code.

Flashing

The firmware images can be flashed as described here.

DFU

SIMtrace 2 comes with a USB DFU bootloader pre-installed, which allows flashing the application firmware over USB using the dfu-util utility.

To get dfu-util:

sudo apt-get install dfu-util

To flash the firmware:

sudo dfu-util --device 1d50:60e3 --cfg 1 --alt 1 --reset --download ./bin/simtrace-trace-dfu.bin

To avoid needing sudo to run dfu-util on SIMtrace 2, grant the current user access permission to the USB device:

# create osmocom group
sudo groupadd osmocom
# add current user to osmocom group (user needs to re-login for this change to take effect)
sudo adduser $USER osmocom
# grant access permission to SIMtrace 2 for osmocom group
sudo tee -a /etc/udev/rules.d/10-osmocom.rules << EOF
# SIMtrace 2
SUBSYSTEM=="usb", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="60e3", MODE="0660", GROUP="osmocom"
EOF
# reload udev rules
sudo udevadm control --reload-rules
sudo udevadm trigger

dfu-util should reset the board and use the DFU bootloader.
Try the command a second time if it did not work at first.
If this still does not work, power up the board while pressing the BOOTLOADER button.

If the USB DFU bootloader is missing, defective, or needs to be updated, use the JTAG or SAM-BA methods to flash the bootloader firmware.

SAMBA

The SAM3S micro-controller comes with an embedded bootloader called SAMBA, which allows flashing firmware over USB.
The SAMBA bootloader can be used to flash the DFU bootloader.
To activate the SAMBA bootloader:
  1. short the ERASE pin on the top of the board with the nearby 3V3 pin using a jumper
  2. connect SIMtrace 2 over USB to power it up (no LED will light up)
  3. using lsusb you should find the following entry:
    ID 03eb:6124 Atmel Corp. at91sam SAMBA bootloader
  4. using journalctl -f ensure SIMtrace 2 has been recognized as a USB ACM device:
    kernel: usb 2-2: new full-speed USB device number 4 using xhci_hcd
    kernel: usb 2-2: New USB device found, idVendor=03eb, idProduct=6124
    kernel: usb 2-2: New USB device strings: Mfr=0, Product=0, SerialNumber=0
    kernel: cdc_acm 2-2:1.0: ttyACM0: USB ACM device
    kernel: usbcore: registered new interface driver cdc_acm
    kernel: cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
  5. remove the jumper shorting ERASE to 3V3
  6. install the bossac utility to flash using the SAMBA protocol
    sudo apt install bossac
  7. flash the USB DFU firmware using bossac (note: --erase ensures that no main application remains, so that the USB DFU bootloader is forced to start; --boot=1 ensures that the micro-controller boots from the internal flash instead of the embedded bootloader the next time it is powered up)
    sudo bossac --port /dev/ttyACM0 --erase --write ./bin/simtrace-dfu-flash.bin --verify --boot=1
  8. to avoid needing sudo, grant the current user permission to access USB serial devices (e.g. /dev/ttyACM0). Note: this change only takes effect after logging in again
    sudo adduser $USER dialout

Once the USB DFU bootloader is flashed, re-plug SIMtrace 2 over USB; you can then flash the main application firmware using the DFU method.
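The following helper script is an added example, not part of the SIMtrace 2 project or of this wiki page. It wraps the DFU and SAMBA steps above with the checks one would want before flashing: whether the expected USB ID is visible to lsusb, whether the current user is already in the osmocom group (so dfu-util does not need sudo), and which /dev/ttyACMn node the SAMBA bootloader was given according to the kernel log; it also retries dfu-util once, since the first attempt does not always reset the board into the DFU bootloader. The script name simtrace2-flash.sh, the function names and the DFU_UTIL/BOSSAC environment overrides are assumptions of this example; the USB IDs, firmware paths and command lines are the ones given on this page.

```bash
#!/usr/bin/env bash
# simtrace2-flash.sh (hypothetical name): added example wrapping the flashing
# steps of this wiki page; not part of the SIMtrace 2 project.
# Usage:  ./simtrace2-flash.sh dfu     flash the application via the DFU bootloader
#         ./simtrace2-flash.sh samba   flash the DFU bootloader via the SAMBA bootloader
set -u

SIMTRACE_VIDPID="1d50:60e3"   # SIMtrace 2 USB ID (from this page)
SAMBA_VIDPID="03eb:6124"      # Atmel SAMBA bootloader USB ID (from this page)
APP_IMAGE="${APP_IMAGE:-./bin/simtrace-trace-dfu.bin}"   # path from this page
DFU_IMAGE="${DFU_IMAGE:-./bin/simtrace-dfu-flash.bin}"   # path from this page
DFU_UTIL="${DFU_UTIL:-dfu-util}"   # overridable (assumption) so the logic can run without hardware
BOSSAC="${BOSSAC:-bossac}"

# usb_present LSUSB_OUTPUT VID:PID -> 0 if lsusb listed that ID
usb_present() {
    printf '%s\n' "$1" | grep -q "ID $2"
}

# in_group GROUP_LIST NAME -> 0 if NAME is among the space-separated groups
# (pass "$(id -nG)"; a freshly added user only sees the group after re-login)
in_group() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# acm_device_from_log KERNEL_LOG -> prints the /dev/ttyACMn node that cdc_acm
# registered most recently, i.e. the --port argument for bossac; fails if none
acm_device_from_log() {
    local dev
    dev=$(printf '%s\n' "$1" | grep 'cdc_acm.*USB ACM device' | grep -o 'ttyACM[0-9][0-9]*' | tail -n 1)
    [ -n "$dev" ] || return 1
    printf '/dev/%s\n' "$dev"
}

# dfu_flash IMAGE [ATTEMPTS] -> the dfu-util command from this page, retried because
# the first attempt does not always reset the board into the DFU bootloader
dfu_flash() {
    local image="$1" attempts="${2:-2}" n=1
    while [ "$n" -le "$attempts" ]; do
        if "$DFU_UTIL" --device "$SIMTRACE_VIDPID" --cfg 1 --alt 1 --reset --download "$image"; then
            return 0
        fi
        echo "dfu-util attempt $n of $attempts failed" >&2
        n=$((n + 1))
    done
    echo "giving up: power up the board while pressing the BOOTLOADER button and retry" >&2
    return 1
}

main_dfu() {
    in_group "$(id -nG)" osmocom || echo "warning: not in group osmocom, dfu-util may need sudo (see udev rule)" >&2
    usb_present "$(lsusb)" "$SIMTRACE_VIDPID" || { echo "SIMtrace 2 ($SIMTRACE_VIDPID) not visible to lsusb" >&2; return 1; }
    dfu_flash "$APP_IMAGE" 2
}

main_samba() {
    local port
    usb_present "$(lsusb)" "$SAMBA_VIDPID" || { echo "SAMBA bootloader ($SAMBA_VIDPID) not visible: check the ERASE/3V3 jumper step" >&2; return 1; }
    # journalctl -k prints the kernel log; the last cdc_acm registration is the board just plugged in
    port=$(acm_device_from_log "$(journalctl -k --no-pager -n 200)") || { echo "no ttyACM device registered" >&2; return 1; }
    "$BOSSAC" --port "$port" --erase --write "$DFU_IMAGE" --verify --boot=1
}

case "${1:-}" in
    dfu)   main_dfu ;;
    samba) main_samba ;;
    "")    ;;   # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 dfu|samba" >&2; exit 2 ;;
esac
```

The two flows are kept separate on purpose: the DFU path expects the SIMtrace 2 ID 1d50:60e3, while the SAMBA path expects the Atmel ID 03eb:6124, and seeing the wrong one is the quickest way to tell that the ERASE jumper step or the re-plug was missed.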

JTAG

It is also possible to flash or debug SIMtrace 2 over JTAG using the ARM 20-pin JTAG header on the top of the board.

To flash the USB DFU firmware using JTAG:
  1. install the JTAG utility OpenOCD
    sudo apt install openocd
  2. flash the USB DFU bootloader firmware
    openocd --file interface/jlink.cfg --file target/at91sam3sXX.cfg --command "init" --command "halt" --command "flash write_bank 0 ./bin/simtrace-dfu-flash.bin 0" --command "at91sam3 gpnvm set 1" --command "reset" --command "shutdown"
    • replace interface/jlink.cfg with the configuration file for your JTAG debugging adapter
    • at91sam3 gpnvm set 1 ensures that the micro-controller boots from the internal flash (i.e. not from the embedded SAMBA bootloader)

The SAM3S also offers the low pin-count SWD alternative to JTAG, which allows using an inexpensive ST-Link V2 (clone) to flash (and debug):

openocd --file interface/stlink-v2.cfg --command "set CPUTAPID 0x2ba01477" --file target/at91sam3sXX.cfg --command "init" --command "halt" --command "flash write_bank 0 ./bin/simtrace-dfu-flash.bin 0" --command "at91sam3 gpnvm set 1" --command "reset" --command "shutdown"

SWD pinout:

Once the USB DFU bootloader is flashed, re-plug SIMtrace 2 over USB; you can then flash the main application firmware using the DFU method.

Development

To compile the firmware from the source code, or to participate in the development, please refer to the instructions provided in the README.

Host PC Software

TODO

Files (5)
sysmoqmod.png 731 KB tsaitgaist, 07/09/2018 03:03 PM
simtrace-board-mini.jpg 314 KB tsaitgaist, 07/09/2018 04:41 PM
simtrace_and_phone.jpg 573 KB tsaitgaist, 07/10/2018 03:09 PM
wireshark-sim.png 68.4 KB tsaitgaist, 07/10/2018 07:12 PM
ngff-cardem.jpg 422 KB laforge, 04/28/2022 01:07 PM

Updated by tsaitgaist over 5 years ago · 10 revisions