Wiki » History » Version 43
mschramm, 10/20/2023 03:45 PM
h1. Osmocom SIMtrace 2

{{>toc}}

Osmocom SIMtrace 2 is a software, firmware and hardware system for passively tracing the SIM-ME communication between a SIM card and the mobile equipment (e.g. a phone), and for remote SIM operation.
While it was designed for SIM-ME communication, it supports any ISO 7816 smart card using the T=0 protocol (the most common case).

It is a follow-up of the "SIMtrace project":/projects/simtrace/wiki, providing more functionality (e.g. remote SIM operation) and supporting multiple boards (e.g. SIMtrace with SAM3S, "sysmoQMOD":https://www.sysmocom.de/products/lab/sysmoqmod/index.html).

h2. Hardware

The SIMtrace 2 firmware supports several boards.
The firmware is written for an "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller.

Note: The SAM3S has since been marked as _not recommended for new designs_ by Atmel (now Microchip). However, there are plenty of hardware- and software-compatible upgrade options, including the SAM4S, so a future upgrade is possible.

h3. SIMtrace board for SIMtrace 2 project

!{width:20%}simtrace-board-mini.jpg!

The main purpose of this board is to sniff the communication between a phone and a SIM card (or between any card reader and smart card).

This is the same circuit board as the previous "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware, with the exception that the "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller replaces the old "AT91SAM7S64":https://www.microchip.com/wwwproducts/en/AT91SAM7S64. Since the SAM3S is pin-compatible with the SAM7S, any SIMtrace v1 board can be converted into a SIMtrace v2 board simply by replacing the micro-controller.

Note: This hardware is "open source hardware (OSHW)":https://gitea.osmocom.org/sim-card/simtrace2/src/branch/master/hardware

h4. SIMtrace2 hardware availability

Fully assembled SIMtrace2 boards and related accessories like FPC cables can be obtained from the "sysmocom webshop":https://shop.sysmocom.de/SIMtrace2-Hardware-Kit/simtrace2-kit

h3. ngff-cardem

!{width:25%}ngff-cardem.jpg!

This is a carrier board for cellular modems in the NGFF / M.2 form factor with an on-board SIMtrace 2. It is wired so that it can operate either as a passive tracer/sniffer or in @cardem@ (card emulation) mode.

See [[ngff-cardem:]] for all information on the ngff-cardem board, including design files.

Note: This hardware is "open source hardware (OSHW)":https://gitea.osmocom.org/electronics/osmo-small-hardware/src/branch/master/ngff-cardem

h4. ngff-cardem availability

Fully assembled ngff-cardem boards can be obtained from the "sysmocom webshop":https://shop.sysmocom.de/M.2-modem-carrier-with-remote-SIM-tracing/ngff-cardem-kit-external

h3. sysmoQMOD

!{width:25%}sysmoqmod.png!

The SAM3S micro-controller with SIMtrace 2 firmware is also used on the "sysmoQMOD":https://www.sysmocom.de/products/lab/sysmoqmod/index.html board to provide remote SIM operation capabilities.

Note: This hardware is not open source.

h4. sysmoQMOD hardware availability

Fully assembled sysmoQMOD boards and related products can be obtained from "sysmocom":https://www.sysmocom.de/products/lab/sysmoqmod/index.html

An evaluation kit is available from the "sysmocom webshop":https://shop.sysmocom.de/sysmoQMOD-evaluation-kit/sysmoQMOD-evk - please contact sales@sysmocom.de for inquiries on quantity pricing.

h2. Firmware

The SIMtrace 2 firmware source code is available in "git":https://gitea.osmocom.org/sim-card/simtrace2/src/branch/master/firmware
Pre-built firmware binaries are available "here":https://ftp.osmocom.org/binaries/simtrace2/firmware/.
The firmware is under active development and we recommend [[Flashing|flashing]] the latest firmware images to benefit from the latest bug fixes and added functionality.

The SIMtrace 2 firmware is a complete rewrite and *can only be flashed on hardware with SAM3S* ARM Cortex-M3-based micro-controllers.
*The SIMtrace 2 firmware is not compatible with the older "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware using SAM7S ARM7TDMI-based micro-controllers.*

To get the version of the firmware flashed on the device, you can use the @simtrace2-list@ tool.

h3. trace

The trace application firmware allows sniffing the communication between a phone and a SIM card (or between any card reader and smart card).
It is intended for the [[Wiki#SIMtrace v2|SIMtrace v2 hardware]] and its function is analogous to the "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Firmware firmware.

The sniffing is completely passive (the device only listens on the SIM-ME interface). It observes the RST line, the ATR, the PPS exchange (baud rate tested with F/D up to 512/32) and the WT (waiting time) in order to properly delimit and parse the ISO 7816-3 TPDUs.
Currently only the T=0 protocol is supported since this is the most common protocol used (we haven't seen T=1 in use).

!{width:25%}simtrace_and_phone.jpg!

The application firmware to be flashed using [[Flashing#DFU|DFU]] is "simtrace-trace-dfu.bin":https://ftp.osmocom.org/binaries/simtrace2/firmware/latest/simtrace-trace-dfu-latest.bin.

h3. card emulation

The card emulation application firmware allows emulating a card (e.g. a SIM). This is useful if you don't want to change the card in the device (e.g. a phone), or if the card is in a remote location.

This firmware comes pre-flashed on the sysmoQMOD board.
It also exists for the SIMtrace v2 board, but is currently in beta. If you would still like to try it, read this [[Cardem|article]].

h3. Development

To compile the firmware from source, or to participate in its development, please refer to the instructions provided in the "README":https://gitea.osmocom.org/sim-card/simtrace2/src/branch/master/firmware/README.txt

h2. Flashing

The [[Wiki#Firmware|firmware images]] can be flashed as described [[Flashing|here]].

h2. Host PC Software

The source code of the SIMtrace 2 host PC software is available in the "simtrace2 git":https://gitea.osmocom.org/sim-card/simtrace2/src/branch/master/host

Binary packages are made available for a variety of Linux distributions, see [[cellular-infrastructure:Binary_Packages]] for more details. In case of doubt, use the nightly builds.

h3. Installing binary packages

We assume that you've added the binary package feed, for example as described at [[cellular-infrastructure:Nightly_Builds]].

All you need to do is:

<pre>
$ sudo apt-get install simtrace2-utils
</pre>

h3. Building from source

This assumes you are a software developer familiar with building software from source using GNU autotools. If you're not, please use the binary packages (see above).

h4. Preconditions

[[libosmocore:]], libpcsclite and libusb.

To install those packages:
<pre>
sudo apt-get install libusb-1.0-0-dev libosmocore-dev libpcsclite-dev
</pre>

h4. Compiling it

<pre>
git clone https://gitea.osmocom.org/sim-card/simtrace2.git
cd simtrace2/host/
autoreconf -fi
./configure
make
</pre>

h3. Accessing it

Add udev rules so that SIMtrace 2 devices can be accessed as a non-root user:
<pre>
# add the current user to the plugdev group (the user needs to re-login for this change to take effect)
sudo adduser $USER plugdev
# grant the plugdev group access to SIMtrace 2 devices
sudo wget -O /etc/udev/rules.d/99-simtrace2.rules https://gitea.osmocom.org/sim-card/simtrace2/raw/branch/master/host/contrib/99-simtrace2.rules
# reload udev rules
sudo udevadm control --reload-rules
sudo udevadm trigger
</pre>

Note: udev rules are evaluated by the udev daemon as root, so it is good practice to fetch the rules file to a temporary location and review it before installing it into @/etc/udev/rules.d/@. After re-plugging the device, @simtrace2-list@ should work without @sudo@.

h3. Applications

h4. simtrace2-list

@simtrace2-list@ lists all SIMtrace 2 compatible devices:
<pre>
./simtrace2-list
USB matches: 1
1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
</pre>

This is useful when you have multiple devices (such as with the [[Wiki#sysmoQMOD]]) and have to specify which device the other applications should use.

h4. simtrace2-sniff

This works with the [[Wiki#trace|trace]] firmware and retrieves the sniffed phone-SIM communication.
The activity is shown on the console output:
<pre>
./simtrace2-sniff
simtrace2-sniff - Phone-SIM card communication sniffer
(C) 2010-2017 by Harald Welte <laforge@gnumonks.org>
(C) 2018 by Kevin Redon <kredon@sysmocom.de>

Using USB device 1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
Entering main loop
Card state change: reset hold
Card state change: reset release
ATR: 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5
PPS: ff 10 96 79
PPS: ff 10 96 79
Fi/Di switched to 512/32
TPDU: a0 a4 00 00 02 3f 00 9f 22
TPDU: a0 a4 00 00 02 7f 20 9f 22
TPDU: a0 a4 00 00 02 6f 46 9f 0f
TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00
Card state change: reset hold
</pre>

The two PPS lines are the request sent by the phone and the (identical) response of the card. Each TPDU line shows the 5-byte command header (CLA INS P1 P2 P3), followed by the P3 data bytes exchanged in either direction, followed by the status words SW1 SW2.

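The trace section above describes how the firmware uses the RST line, the ATR, the PPS exchange and the waiting time to delimit the T=0 TPDUs. The following Python script is an added example (it is not code from the simtrace2 project or from this page) that decodes exactly the ATR, PPS and TPDU lines printed in the sniff output above: it walks the ATR interface bytes and verifies TCK, validates the PPS checksum and confirms the switch to F/D 512/32, then interprets the TPDUs using a small subset of the GSM 11.11 instruction codes, file identifiers and status words. The Fi/Di tables are those of ISO 7816-3; the INS, FID and SW tables were chosen for this session and are not complete.

```python
"""Decode the ISO 7816-3 T=0 session captured by the SIMtrace 2 trace firmware.
Added example, not simtrace2 project code; the byte strings are copied from the sniff output above."""
import functools
import operator

# ISO 7816-3 Fi / Di tables, indexed by the high / low nibble of TA1 or PPS1 (None = RFU).
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]
# GSM 11.11 instruction codes (subset): name and direction of the P3 data bytes.
INS_TABLE = {0xA4: ("SELECT", "to card"), 0xB0: ("READ BINARY", "from card"),
             0xB2: ("READ RECORD", "from card"), 0xD6: ("UPDATE BINARY", "to card"),
             0x20: ("VERIFY CHV", "to card"), 0x88: ("RUN GSM ALGORITHM", "to card"),
             0xC0: ("GET RESPONSE", "from card"), 0xF2: ("STATUS", "from card")}
FID_NAMES = {0x3F00: "MF", 0x7F10: "DF_TELECOM", 0x7F20: "DF_GSM", 0x6F07: "EF_IMSI", 0x6F46: "EF_SPN"}

def fd_from_byte(b):
    """Map a TA1 or PPS1 byte to (F, D), rejecting RFU codes."""
    f, d = FI_TABLE[b >> 4], DI_TABLE[b & 0x0F]
    if f is None or d is None:
        raise ValueError("RFU Fi/Di code 0x%02x" % b)
    return f, d

def parse_atr(atr):
    """Walk the TA/TB/TC/TD interface-byte chain and verify TCK when present."""
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte 0x%02x" % atr[0])
    y, k, i = atr[1] >> 4, 1, 2                 # T0: Y1 = high nibble, K = low nibble
    ifaces, protocols = {}, []
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                ifaces["%s%d" % (name, k)] = atr[i]
                i += 1
        td = ifaces.get("TD%d" % k)
        if td is None:
            break
        protocols.append(td & 0x0F)             # protocol T offered by this TDi
        y, k = td >> 4, k + 1
    hist = atr[i:i + (atr[1] & 0x0F)]
    i += len(hist)
    tck_ok = None                               # TCK is present unless only T=0 is offered;
    if any(t != 0 for t in protocols):          # it makes the XOR of T0..TCK zero
        tck_ok = functools.reduce(operator.xor, atr[1:i + 1], 0) == 0 and i + 1 == len(atr)
    f, d = fd_from_byte(ifaces.get("TA1", 0x11))    # no TA1: defaults F=372, D=1
    return {"ifaces": ifaces, "protocols": sorted(set(protocols)) or [0],
            "historical": hist, "F": f, "D": d, "tck_ok": tck_ok}

def parse_pps(pps):
    """Check a PPS request/response: PPSS, PPS0, optional PPS1..PPS3, PCK."""
    if pps[0] != 0xFF:
        raise ValueError("bad PPSS")
    out, i = {"T": pps[1] & 0x0F}, 2
    for bit, name in ((0x10, "PPS1"), (0x20, "PPS2"), (0x40, "PPS3")):
        if pps[1] & bit:
            out[name], i = pps[i], i + 1
    if i + 1 != len(pps) or functools.reduce(operator.xor, pps, 0) != 0:  # PCK zeroes the XOR
        raise ValueError("PPS length or PCK mismatch")
    if "PPS1" in out:
        out["F"], out["D"] = fd_from_byte(out["PPS1"])
    return out

def decode_tpdu(tpdu):
    """Split a simtrace2-sniff TPDU line: header CLA INS P1 P2 P3, P3 data bytes, SW1 SW2."""
    cla, ins, p1, p2, p3 = tpdu[:5]             # the card's procedure byte is not in that output
    name, direction = INS_TABLE.get(ins, ("INS %02x" % ins, "unknown"))
    data, sw = tpdu[5:-2], tpdu[-2:]
    expected = p3 if p3 else (256 if direction == "from card" else 0)   # P3=0 reads 256
    if len(tpdu) < 7 or len(data) != expected:
        raise ValueError("%s: P3=%d but %d data bytes" % (name, p3, len(data)))
    if sw[0] == 0x9F:                           # GSM 11.11: response data waiting
        sw_text = "OK, %d response bytes available (GET RESPONSE)" % sw[1]
    else:
        sw_text = "OK" if sw == b"\x90\x00" else "SW %02x%02x" % (sw[0], sw[1])
    return {"cla": cla, "ins": name, "p1": p1, "p2": p2, "data": data,
            "direction": direction, "sw": sw, "sw_text": sw_text}

def decode_session(tpdus):
    """Decode a TPDU sequence, following SELECTs to name the file being read."""
    events, selected = [], None
    for raw in tpdus:
        t = decode_tpdu(raw)
        if t["ins"] == "SELECT" and len(t["data"]) == 2:
            selected = (t["data"][0] << 8) | t["data"][1]
            events.append("SELECT %s -> %s" % (FID_NAMES.get(selected, "%04x" % selected), t["sw_text"]))
        elif t["ins"] == "READ BINARY" and selected == 0x6F46:
            # EF_SPN: byte 1 = display condition, bytes 2..17 = name, 0xff padded (GSM 7-bit
            # default alphabet, which matches ASCII for the plain letters seen here).
            name = t["data"][1:].rstrip(b"\xff").decode("ascii", "replace")
            events.append("READ BINARY EF_SPN: display=0x%02x name=%r -> %s" % (t["data"][0], name, t["sw_text"]))
        else:
            events.append("%s: %d bytes %s -> %s" % (t["ins"], len(t["data"]), t["direction"], t["sw_text"]))
    return events

# Constructed input: the ATR, PPS and TPDU lines from the simtrace2-sniff output above.
ATR = bytes.fromhex("3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5")
PPS = bytes.fromhex("ff 10 96 79")
TPDUS = [bytes.fromhex(h) for h in (
    "a0 a4 00 00 02 3f 00 9f 22", "a0 a4 00 00 02 7f 20 9f 22", "a0 a4 00 00 02 6f 46 9f 0f",
    "a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00")]

if __name__ == "__main__":
    a = parse_atr(ATR)
    print("ATR: T=%s F/D=%d/%d TCK ok=%s" % (a["protocols"], a["F"], a["D"], a["tck_ok"]))
    print("\n".join(decode_session(TPDUS)))
```

Run as-is, the script reports the ATR offering T=0 and T=15 with a valid TCK and TA1 = 0x96 (F/D 512/32, which is exactly what the sniffer reports after the PPS), and renders the four TPDUs as SELECT MF, SELECT DF_GSM, SELECT EF_SPN and a READ BINARY of EF_SPN returning the service provider name "CCC Event". A flipped bit in the PCK or a TPDU whose data length does not match P3 is rejected, which is the same consistency the firmware needs to resynchronise on the wire.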
The TPDUs are also sent as [[baseband:GSMTAP]] frames to UDP/IPv4 localhost:4729, so other programs can process and further decode the data. This also means you can create pcap files of the SIM TPDUs, e.g. with tcpdump using a command line like @tcpdump -npi lo -w /tmp/my_pcap_file.pcap udp port 4729@.
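The following Python script is an added example (not code from the simtrace2 project or from this page) of consuming that GSMTAP stream directly, without Wireshark or pySim: it parses the 16-byte GSMTAP header, keeps only SIM frames and drops anything else that shares the port. The header layout, version 2, type 0x04 (SIM) and UDP port 4729 are taken from libosmocore's gsmtap.h; that each datagram carries one raw TPDU as printed by @simtrace2-sniff@, with sub_type 0 (APDU), is an assumption made here and should be checked against a live capture. The sample frames at the bottom are constructed from the TPDUs in the output above.

```python
"""Tap the GSMTAP stream that simtrace2-sniff sends to UDP port 4729.
Added example, not simtrace2 project code.  Header layout and constants follow libosmocore's
gsmtap.h; that the payload is one raw TPDU with sub_type 0 (APDU) is an assumption."""
import socket
import struct

GSMTAP_VERSION = 2
GSMTAP_TYPE_SIM = 0x04
GSMTAP_SIM_APDU = 0x00       # assumed sub_type for the TPDU frames
GSMTAP_UDP_PORT = 4729
# version, hdr_len (in 32-bit words), type, timeslot, arfcn, signal_dbm, snr_db,
# frame_number, sub_type, antenna_nr, sub_slot, res: 16 bytes, network byte order.
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")


def build_gsmtap_sim(tpdu, sub_type=GSMTAP_SIM_APDU):
    """Wrap one TPDU the way a GSMTAP SIM sender would (used here to build offline input)."""
    hdr = GSMTAP_HDR.pack(GSMTAP_VERSION, GSMTAP_HDR.size // 4, GSMTAP_TYPE_SIM,
                          0, 0, 0, 0, 0, sub_type, 0, 0, 0)
    return hdr + bytes(tpdu)


def parse_gsmtap(frame):
    """Return (type, sub_type, payload).  hdr_len is honoured so a frame with an
    extended header is still split correctly; malformed frames raise ValueError."""
    if len(frame) < GSMTAP_HDR.size:
        raise ValueError("frame shorter than the GSMTAP header")
    fields = GSMTAP_HDR.unpack_from(frame)
    version, hdr_len, gtype, sub_type = fields[0], fields[1], fields[2], fields[8]
    if version != GSMTAP_VERSION:
        raise ValueError("unsupported GSMTAP version %d" % version)
    offset = hdr_len * 4
    if offset < GSMTAP_HDR.size or offset > len(frame):
        raise ValueError("bad hdr_len %d" % hdr_len)
    return gtype, sub_type, frame[offset:]


def sim_tpdus(frames):
    """Yield the TPDU payloads of SIM/APDU frames and skip everything else.  Port 4729 is
    shared by all Osmocom GSMTAP sources, so Um or Abis frames may be interleaved, and a
    malformed datagram must not take the listener down."""
    for frame in frames:
        try:
            gtype, sub_type, payload = parse_gsmtap(frame)
        except ValueError:
            continue
        if gtype == GSMTAP_TYPE_SIM and sub_type == GSMTAP_SIM_APDU and payload:
            yield payload


def tpdu_line(tpdu):
    """Format a TPDU like simtrace2-sniff does, with CLA, INS and SW picked out."""
    hexstr = " ".join("%02x" % b for b in tpdu)
    if len(tpdu) >= 7:
        return "TPDU: %s  (CLA=%02x INS=%02x SW=%02x%02x)" % (hexstr, tpdu[0], tpdu[1], tpdu[-2], tpdu[-1])
    return "TPDU: %s  (short)" % hexstr


def receive_tpdus(count=None, host="127.0.0.1", port=GSMTAP_UDP_PORT):
    """Bind the GSMTAP port and yield TPDUs as simtrace2-sniff emits them on the same host.
    Stops after `count` TPDUs (never, if None).  Wireshark captures via libpcap and does
    not bind the port, so both can run at the same time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    seen = 0
    while count is None or seen < count:
        frame, _ = sock.recvfrom(65535)
        for tpdu in sim_tpdus([frame]):
            seen += 1
            yield tpdu


# Constructed input: two TPDUs from the sniffer output above wrapped in GSMTAP, plus one
# GSMTAP_TYPE_UM (0x01) frame and one truncated datagram as the noise a shared port sees.
SAMPLE_FRAMES = [
    build_gsmtap_sim(bytes.fromhex("a0 a4 00 00 02 3f 00 9f 22")),
    bytes([GSMTAP_VERSION, 4, 0x01, 0]) + bytes(12) + b"\x00\x01\x02",
    bytes([GSMTAP_VERSION, 4, GSMTAP_TYPE_SIM]),
    build_gsmtap_sim(bytes.fromhex("a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00")),
]

if __name__ == "__main__":
    for tpdu in sim_tpdus(SAMPLE_FRAMES):          # offline run on the constructed frames
        print(tpdu_line(tpdu))
    # for tpdu in receive_tpdus(): print(tpdu_line(tpdu))   # live, next to simtrace2-sniff
```

The offline run prints the two SIM TPDUs and silently ignores the Um frame and the truncated datagram. Uncomment the last line to read the live stream; because the socket is bound to 127.0.0.1 only, nothing reaches it from other hosts, which matches where @simtrace2-sniff@ sends.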

The real-time TPDU stream (via GSMTAP) or the recorded pcap file containing GSMTAP can be analyzed in other programs such as

* wireshark (general-purpose network protocol analyzer, https://wireshark.org/)
** very basic decoder only at the CLA/INS level, knows some FIDs without understanding the filesystem hierarchy
** primarily focussed on classic GSM SIM cards
** doesn't receive much love
** nice GUI
* @pySim-trace.py@ (part of the [[pySim:]] suite of SIM card related tools)
** *very* complete/comprehensive decode, all the way up into the contents of the files read/written
** primarily focussed on modern UICC/USIM/ISIM cards
** no GUI at all

Wireshark using the GSM SIM dissector:
!{width:50%}wireshark-sim.png!

205 | 21 | laforge | {{include(cellular-infrastructure:MacroBinaryPackages)}} |
206 | 31 | Anonymous | {{include(cellular-infrastructure:MacroCommercialSupport)}} |