|
1
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
<chapter id="chapter_sniff">
|
|
3
|
<title>Sniffing your SIM</title>
|
|
4
|
|
|
5
|
<section id="hw_setup">
|
|
6
|
<title>Connecting your device</title>
|
|
7
|
<para>You will need to put your SIM into the SIMtrace hardware, connect
|
|
8
|
one of the four flex cables to the SIMtrace hardware, put the other side
|
|
9
|
into the SIM socket of your phone. Use USB to connect the SIMtrace hardware
|
|
10
|
to the PC. On your PC you should be able to see the USB device now.</para>
|
|
11
|
|
|
12
|
<figure><title>Connecting the SIMtrace Hardware</title>
|
|
13
|
<mediaobject>
|
|
14
|
<imageobject>
|
|
15
|
<imagedata fileref="images/simtrace_hw_setup.png" width="15cm"/>
|
|
16
|
</imageobject>
|
|
17
|
<textobject><phrase>SIMtrace being connected</phrase></textobject>
|
|
18
|
</mediaobject>
|
|
19
|
</figure>
|
|
20
|
</section>
|
|
21
|
|
|
22
|
<section id="launching_simtrace">
|
|
23
|
<title>Launching SIMtrace</title>
|
|
24
|
<screen>
|
|
25
|
$ <command>./simtrace</command>
|
|
26
|
simtrace - GSM SIM and smartcard tracing
|
|
27
|
(C) 2010 by Harald Welte <laforge@gnumonks.org>
|
|
28
|
</screen>
|
|
29
|
<para>Launching the <command>simtrace</command> will try to find
|
|
30
|
the SIMtrace hardware and then try to claim the USB device. The
|
|
31
|
application will send the received data encapsulated in the GSMTAP
|
|
32
|
format on localhost and the IANA assigned GSMTAP port.</para>
|
|
33
|
</section>
|
|
34
|
|
|
35
|
<section id="launching_wireshark">
|
|
36
|
<title>Launching Wireshark</title>
|
|
37
|
<para>The <command>wireshark</command> application will start a GUI
|
|
38
|
and given the right permissions you should be able listen to the
|
|
39
|
localhost interface and filter for the GSMTAP port on 4729. You should
|
|
40
|
be able to see the decoded messages like in the figure below.</para>
|
|
41
|
|
|
42
|
<figure><title>GSMTAP in Wireshark</title>
|
|
43
|
<mediaobject>
|
|
44
|
<imageobject>
|
|
45
|
<imagedata fileref="images/wireshark-sim.png" width="16cm"/>
|
|
46
|
</imageobject>
|
|
47
|
<textobject><phrase>SIMtrace sending data</phrase></textobject>
|
|
48
|
</mediaobject>
|
|
49
|
</figure>
|
|
50
|
</section>
|
|
51
|
|
|
52
|
<section id="known_firmware_issues">
|
|
53
|
<title>Known Firmware Issues</title>
|
|
54
|
<section>
|
|
55
|
<title>Combined ATR/APDU message</title>
|
|
56
|
<para>For some cards the firmware does not send an USB message at
|
|
57
|
the end of the ATR. The ATR and first APDU will be send in one message
|
|
58
|
and the host utility fails to split APDUs and nothing will be traced.
|
|
59
|
A band-aid for the firmware exists and can be found on the mailinglist.
|
|
60
|
</para>
|
|
61
|
</section>
|
|
62
|
<section>
|
|
63
|
<title>Lost bytes</title>
|
|
64
|
<para>For some new high speed cards the firmware can lose bytes. The
|
|
65
|
issue appears to be when the received bytes will be copied to the memory
|
|
66
|
of the USB controller. The workaround is to reduce the size of the buffer.
|
|
67
|
</para>
|
|
68
|
</section>
|
|
69
|
</section>
|
|
70
|
|
|
71
|
<section id="other_modes">
|
|
72
|
<title>Other modes</title>
|
|
73
|
<para>The hardware is capable to be used as an ordinary card reader,
|
|
74
|
provide Man-In-The-Middle (MITM) attacks, or operate as a SIM. The
|
|
75
|
firmware currently does not have support for these modes.</para>
|
|
76
|
|
|
77
|
<para>The SIMtrace hardware supports ISO7816 Part 3 T=0/T=1 protocols,
|
|
78
|
it basically can be used to intercept and analyze any traffic from (ISO7816)
|
|
79
|
smart cards. This includes SIM cards, Pay TV cards (smart card for CAM),
|
|
80
|
ATM cards, chip credit card, PKI smart cards, e-passport etc. etc. However
|
|
81
|
watch out: You have to make your chip card fitting in the "SIM card size"
|
|
82
|
ID-000 reader or build another adapter.</para>
|
|
83
|
</section>
|
|
84
|
</chapter>
|
