Wiki history, Version 21
laforge, 08/26/2018 10:12 AM
h1. Osmocom SIMtrace 2

{{>toc}}

Osmocom SIMtrace 2 is a software, firmware and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone, and for remote SIM operation.
While it was designed for SIM-ME communication, it supports all ISO 7816 smart-cards using the T=0 protocol (the most common case).

It is a follow-up of the "SIMtrace project":/projects/simtrace/wiki, providing more functionality (e.g. remote SIM operation) and supporting multiple boards (e.g. SIMtrace with SAM3S, "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html).

h2. Hardware

The SIMtrace 2 firmware supports several boards.
The firmware is written for an "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller.

Note: The SAM3S is meanwhile labelled as _not recommended for new designs_ by Atmel. However, there are plenty of hardware and software compatible upgrade options, including the SAM4S. An upgrade remains possible in the future.

17 | 12 | tsaitgaist | h3. SIMtrace v2 |
18 | 1 | tsaitgaist | |
19 | 10 | tsaitgaist | !{width:20%}simtrace-board-mini.jpg! |
20 | 9 | tsaitgaist | |
21 | 10 | tsaitgaist | The main purpose of this board is to sniff the communication between a phone and a SIM card (or any card reader and smart-card). |
22 | 1 | tsaitgaist | |
23 | 17 | roh | This is the same circuit board as the previous "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware, with the exception that the "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller replaces the old "AT91SAM7S64":https://www.microchip.com/wwwproducts/en/AT91SAM7S64. Since the SAM3S is pin compatible with the SAM7S, any SIMtrace v1 board can be converted into a SIMtrace v2 board simply by replacing the micro-controller. |
24 | 1 | tsaitgaist | |
25 | 10 | tsaitgaist | Note: This hardware is "open source":https://git.osmocom.org/simtrace/tree/hardware. |
26 | 1 | tsaitgaist | |
h3. sysmoQMOD

!{width:25%}sysmoqmod.png!

The SAM3S micro-controller with SIMtrace 2 firmware is also used on the "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html board to provide remote SIM operation capabilities.

Note: This hardware is not open source.

h2. Firmware

The SIMtrace 2 firmware source code is available in "git":https://git.osmocom.org/simtrace2/.
Pre-built firmware binaries are available "here":http://ftp.osmocom.org/binaries/simtrace2/firmware/.
The firmware is currently under active development and we recommend to [[Flashing|flash]] the latest firmware images to benefit from the most recent bug fixes and added functionality.

The SIMtrace 2 firmware is a complete rewrite and *can only be flashed on hardware with SAM3S* ARM Cortex-M3-based micro-controllers.
*The SIMtrace 2 firmware is not compatible with the older "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware using SAM7S ARM7TDMI-based micro-controllers.*

h3. trace

The trace application firmware allows sniffing the communication between a phone and a SIM card (or any card reader and smart-card).
It is intended for the [[Wiki#SIMtrace v2|SIMtrace v2 hardware]] and its function is analogous to the "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Firmware firmware.

The sniffing is completely passive. It uses the RST signal, the ATR, the PPS (baud rate tested with F/D up to 512/32) and the WT (waiting time) to properly parse the ISO 7816-3 TPDUs.
Currently only the T=0 protocol is supported since this is the most common protocol used (we haven't seen T=1 in use).
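
To make the RST/ATR/PPS handling concrete, here is an added example (not part of the simtrace2 firmware or host tools) that decodes an ATR and a PPS exchange the way a passive sniffer has to before it can follow the TPDUs: it walks the TA/TB/TC/TD interface-byte chain, lists the offered protocols, checks the TCK checksum, and derives the F/D pair from TA1 or PPS1 using the ISO 7816-3 tables. The sample ATR and PPS bytes are copied from the simtrace2-sniff trace further down this page; everything else (function and field names) is the example's own.

```python
"""Decode ISO 7816-3 ATR and PPS exchanges as printed by simtrace2-sniff.

Added example, not part of simtrace2. Parsing follows the ISO 7816-3 byte layout;
the sample ATR/PPS values are copied from the trace on this wiki page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the simtrace2-sniff trace shown on this page.
SAMPLE_ATR = "3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5"
SAMPLE_PPS = "ff 10 96 79"

# ISO 7816-3 clock-rate (Fi) and baud-rate (Di) tables, indexed by the high and
# low nibble of TA1 (ATR) or PPS1 (PPS). None marks codes reserved for future use.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
            None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]


def fi_di(code: int) -> Tuple[int, int]:
    """Map a TA1/PPS1 byte to the (F, D) pair it encodes."""
    f, d = FI_TABLE[code >> 4], DI_TABLE[code & 0x0F]
    if f is None or d is None:
        raise ValueError(f"reserved Fi/Di code 0x{code:02x}")
    return f, d


@dataclass
class Atr:
    direct_convention: bool                                  # TS = 0x3B (direct) or 0x3F (inverse)
    interface: Dict[str, int] = field(default_factory=dict)  # e.g. {"TA1": 0x96, "TD1": 0x80}
    protocols: List[int] = field(default_factory=list)       # T values offered by the TD bytes
    historical: bytes = b""
    tck_ok: Optional[bool] = None                            # None when TCK is absent (T=0 only)


def parse_atr(atr: bytes) -> Atr:
    """Walk the TA/TB/TC/TD chain announced by the Y nibbles, then historical bytes and TCK."""
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError(f"bad TS byte 0x{atr[0]:02x}")
    res = Atr(direct_convention=(atr[0] == 0x3B))
    t0 = atr[1]
    k, y, pos, i = t0 & 0x0F, t0 >> 4, 2, 1      # K historical bytes, Y1 presence bits
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                res.interface[f"{name}{i}"] = atr[pos]
                pos += 1
        td = res.interface.get(f"TD{i}")
        if td is None:
            break
        res.protocols.append(td & 0x0F)          # low nibble of TDi is a protocol type
        y, i = td >> 4, i + 1                     # high nibble announces the next group
    if not res.protocols:
        res.protocols = [0]                       # no TD1 means T=0 only
    res.historical = atr[pos:pos + k]
    pos += k
    # TCK is present iff something other than T=0 was offered; then T0 XOR ... XOR TCK == 0.
    if any(t != 0 for t in res.protocols):
        chk = 0
        for b in atr[1:pos + 1]:
            chk ^= b
        res.tck_ok = (chk == 0)
    return res


def pps_checksum_ok(pps: bytes) -> bool:
    """PCK makes the XOR of all PPS bytes zero; a corrupted PPS fails this check."""
    chk = 0
    for b in pps:
        chk ^= b
    return chk == 0


def parse_pps(pps: bytes) -> Tuple[int, Optional[Tuple[int, int]]]:
    """Return (protocol T, (F, D) from PPS1 or None) after validating PPSS and PCK."""
    if pps[0] != 0xFF:
        raise ValueError("PPSS must be 0xFF")
    if not pps_checksum_ok(pps):
        raise ValueError("PPS checksum (PCK) mismatch")
    pps0 = pps[1]
    t = pps0 & 0x0F
    fd = fi_di(pps[2]) if pps0 & 0x10 else None   # bit 5 of PPS0 announces PPS1
    return t, fd


if __name__ == "__main__":
    atr = parse_atr(bytes.fromhex(SAMPLE_ATR))
    print("protocols", atr.protocols, "TA1 F/D", fi_di(atr.interface["TA1"]), "TCK ok", atr.tck_ok)
    print("PPS", parse_pps(bytes.fromhex(SAMPLE_PPS)))
```

On the sample ATR this yields TA1 = 0x96 (F/D 512/32), protocols T=0 and T=15, fifteen historical bytes and a valid TCK; the PPS @ff 10 96 79@ decodes to T=0 with the same 512/32 and a valid PCK. A sniffer that does not perform this decoding cannot switch its own bit-rate at the right moment, which is exactly why the trace firmware tracks the PPS before reporting "Fi/Di switched".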

!{width:25%}simtrace_and_phone.jpg!

The application firmware to be flashed using [[Flashing#DFU|DFU]] is "simtrace-trace-dfu.bin":http://ftp.osmocom.org/binaries/simtrace2/firmware/simtrace-trace-dfu.bin.

h3. Development

To compile the firmware from source, or to participate in the development, please refer to the instructions provided in the "README":https://git.osmocom.org/simtrace2/tree/firmware/README.txt.

h2. Flashing

The [[Wiki#Firmware|firmware images]] can be flashed as described [[Flashing|here]].

h2. Host PC Software

The SIMtrace 2 host PC software is available in the "simtrace2 git":https://git.osmocom.org/simtrace2/.

h3. Preconditions

[[libosmocore:]] and libusb.

To install both packages:

<pre>
sudo apt-get install libusb-1.0-0-dev libosmocore-dev
</pre>

h3. Compiling it

<pre>
git clone git://git.osmocom.org/simtrace2.git
cd simtrace2/host/
make
</pre>

h3. Accessing it

Add udev rules to be able to use SIMtrace 2 devices and access them as a non-root user:

<pre>
# add current user to plugdev group (user needs to re-login for this change to take effect)
sudo adduser $USERNAME plugdev
# grant access permission to SIMtrace 2 for plugdev group
sudo wget -O /etc/udev/rules.d/99-simtrace2.rules https://git.osmocom.org/simtrace2/plain/host/99-simtrace2.rules
# reload udev rules
sudo udevadm control --reload-rules
sudo udevadm trigger
</pre>

h3. Applications

h4. simtrace2-list

@simtrace2-list@ lists all SIMtrace 2 compatible devices:

<pre>
./simtrace2-list
USB matches: 1
1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
</pre>

This is useful when you have multiple devices (such as with the [[Wiki#sysmoQMOD]]) and have to specify which device the other applications should use.

h4. simtrace2-sniff

This will use the [[Wiki#trace|trace]] firmware and retrieve the sniffed phone-SIM communication.
The activity will be shown on the console output:

<pre>
./simtrace2-sniff
simtrace2-sniff - Phone-SIM card communication sniffer
(C) 2010-2017 by Harald Welte <laforge@gnumonks.org>
(C) 2018 by Kevin Redon <kredon@sysmocom.de>

Using USB device 1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
Entering main loop
Card state change: reset hold
Card state change: reset release
ATR: 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5
PPS: ff 10 96 79
PPS: ff 10 96 79
Fi/Di switched to 512/32
TPDU: a0 a4 00 00 02 3f 00 9f 22
TPDU: a0 a4 00 00 02 7f 20 9f 22
TPDU: a0 a4 00 00 02 6f 46 9f 0f
TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00
Card state change: reset hold
</pre>

The TPDUs are also sent as GSMTAP frames to UDP/IPv4 localhost:4729.
This allows analyzing the communication in Wireshark using the GSM SIM dissector.
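
As an added example (not simtrace2 host code), the script below reads the @TPDU:@ lines of the trace above, splits each T=0 TPDU into its 5-byte header, data field and status word, names the few GSM 11.11 instructions and file IDs that occur in this trace (SELECT of MF, DF_GSM and EF_SPN, then READ BINARY), and wraps each TPDU in a GSMTAP header the way the sniffer does when it feeds Wireshark on UDP port 4729. The GSMTAP header layout and the type/sub-type values (0x04 SIM, 0x00 APDU) follow libosmocore's gsmtap.h; the instruction and file-name tables and the EF_SPN decoding are the example's own, limited to what this trace needs.

```python
"""Decode the T=0 TPDU lines printed by simtrace2-sniff and wrap them as GSMTAP frames.

Added example, not simtrace2 code. TPDU_LINES are copied from the trace on this page;
INS/file/SW names are a small GSM 11.11 / ISO 7816-4 subset chosen for that trace;
the GSMTAP header follows libosmocore's gsmtap.h (16 bytes, version 2).
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

TPDU_LINES = [  # copied from the simtrace2-sniff output shown on this page
    "TPDU: a0 a4 00 00 02 3f 00 9f 22",
    "TPDU: a0 a4 00 00 02 7f 20 9f 22",
    "TPDU: a0 a4 00 00 02 6f 46 9f 0f",
    "TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00",
]

INS_NAMES = {0x20: "VERIFY CHV", 0x88: "RUN GSM ALGORITHM", 0xA4: "SELECT", 0xB0: "READ BINARY",
             0xB2: "READ RECORD", 0xC0: "GET RESPONSE", 0xD6: "UPDATE BINARY"}
FILE_NAMES = {0x3F00: "MF", 0x7F20: "DF_GSM", 0x6F07: "EF_IMSI", 0x6F46: "EF_SPN"}


@dataclass
class Tpdu:
    cla: int
    ins: int
    p1: int
    p2: int
    p3: int
    data: bytes   # command data (ME -> SIM) or response data (SIM -> ME), as captured
    sw: int       # status word SW1SW2


def parse_tpdu(raw: bytes) -> Tpdu:
    """Split a captured T=0 TPDU into its 5-byte header, the data field and SW1SW2."""
    if len(raw) < 7:
        raise ValueError("a T=0 TPDU has at least a 5-byte header and 2 status bytes")
    cla, ins, p1, p2, p3 = raw[:5]
    data, sw = raw[5:-2], int.from_bytes(raw[-2:], "big")
    # P3 is Lc (command data length) or Le (expected response length); Le=0 means 256.
    if data and len(data) != (p3 or 256):
        raise ValueError(f"data length {len(data)} does not match P3={p3}")
    return Tpdu(cla, ins, p1, p2, p3, data, sw)


def parse_trace_line(line: str) -> Tpdu:
    """Parse one 'TPDU: xx xx ...' line as printed by simtrace2-sniff."""
    return parse_tpdu(bytes.fromhex(line.split(":", 1)[1]))


def describe_sw(sw: int) -> str:
    if sw == 0x9000:
        return "OK"
    if sw >> 8 == 0x9F:
        return f"{sw & 0xFF} response bytes available (GET RESPONSE)"
    if sw == 0x9404:
        return "file ID not found"
    if sw == 0x9804:
        return "access condition not fulfilled"
    return f"SW {sw:04x}"


def decode_spn(data: bytes) -> str:
    """EF_SPN: byte 1 is the display condition, bytes 2-17 the name in the GSM 7-bit
    default alphabet (one character per byte), padded with 0xFF."""
    name = data[1:].rstrip(b"\xff")
    return name.decode("ascii")  # the default alphabet coincides with ASCII for these characters


def decode_trace(lines: List[str]) -> List[str]:
    """Turn trace lines into readable descriptions, tracking which file is selected."""
    out: List[str] = []
    selected: Optional[int] = None
    for line in lines:
        t = parse_trace_line(line)
        name = INS_NAMES.get(t.ins, f"INS {t.ins:02x}")
        detail = ""
        if t.ins == 0xA4 and len(t.data) == 2:
            selected = int.from_bytes(t.data, "big")
            detail = f" {selected:04x} ({FILE_NAMES.get(selected, 'unknown file')})"
        elif t.ins == 0xB0 and selected == 0x6F46 and t.data:
            detail = f" -> SPN {decode_spn(t.data)!r}"
        out.append(f"{name}{detail}: {describe_sw(t.sw)}")
    return out


GSMTAP_VERSION, GSMTAP_TYPE_SIM, GSMTAP_SIM_APDU = 2, 0x04, 0x00


def gsmtap_sim_frame(tpdu: bytes) -> bytes:
    """Prepend the 16-byte GSMTAP header (version 2, hdr_len 4 words, type SIM, sub-type APDU)."""
    hdr = struct.pack("!BBBBHbbIBBBB", GSMTAP_VERSION, 4, GSMTAP_TYPE_SIM,
                      0, 0, 0, 0, 0, GSMTAP_SIM_APDU, 0, 0, 0)
    return hdr + tpdu


def send_gsmtap(lines: List[str], host: str = "127.0.0.1", port: int = 4729) -> int:
    """Send each TPDU as one GSMTAP/UDP datagram, as simtrace2-sniff does for Wireshark."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    for line in lines:
        sent += sock.sendto(gsmtap_sim_frame(bytes.fromhex(line.split(":", 1)[1])), (host, port))
    sock.close()
    return sent


if __name__ == "__main__":
    for desc in decode_trace(TPDU_LINES):
        print(desc)
```

Running it on the trace above shows the phone walking from the MF through DF_GSM to EF_SPN (each SELECT answered with 9Fxx, i.e. "response available", so the file descriptor is fetched by a separate GET RESPONSE not shown here) and then reading the 17-byte service provider name, which decodes to "CCC Event". Pointing Wireshark at UDP 4729 while calling @send_gsmtap(TPDU_LINES)@ gives the same view through the GSM SIM dissector.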

!{width:50%}wireshark-sim.png!

140 | {{include(cellular-infrastructure:MacroBinaryPackages)}} |