RebelSIM Scanner » History » Version 12
laforge, 10/06/2019 03:15 PM
{{>toc}}

*NOTE: This page is mostly for historical reasons. Ever since we created our own SIMtrace hardware in 2011, there is no interest by Osmocom in the Rebelsim Scanner. We believe the [[SIMtrace]] and later [[SIMtrace2]] to be far superior in terms of capabilities.*

h1. Rebel Simcard Scanner

The Rebel Simcard folks are selling a relatively inexpensive device for generating SIM card traces as _Simcard Scanner_.

!rebelsim-scanner.jpg!

You can find the full kit for less than USD 25 at the "Rebelsimcard shop":http://rebelmicrosimcutter.com/fully-assembled-gsm-umts-cdma-network-simcard-and-mobile-phone-hex-scan.html ("mirror":http://rebelsimcard.com/virtu/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=194&category_id=339&option=com_virtuemart&Itemid=1).

h2. Hardware architecture

The Scanner has one small plug-in SIM sized slot and one full-size (ISO 7816-1) slot for your actual SIM card.

It also has a small socket for an FPC cable that goes to a small PCB the size of a plug-in SIM.

You put the FPC-attached PCB into your phone (instead of the SIM card) and put the actual SIM inside the Scanner.

Furthermore, you connect it via the USB-B connector to your PC.

The I/O line of the SIM card is wired to the RxD pin (5) of the FT232RL on the Scanner. Unfortunately, the CLK line is not connected, and neither can the device serve as a proxy between SIM and phone.

h2. Pinout

It's possible to use it as a smart card physical interface for [[SIMtrace]].

Here is the pinout:

|_.Smart Card |_.CON1 |_.CON2 |_.CON3 |_.CON17 |_.USB3 |
| C1-VCC | 1 | 3 | 1 | 8 | 8 |
| C2-RST | 2 | 5 | | | 6 |
| C3-CLK | 3 | 7 | | | 4 |
| C5-GND | 6 | 4 | 5 | 4,9,11,13,15 | 7 |
| C6-VPP | 5 | | | | |
| C7-I/O | 4 | 8 | 6 | 2 | 3 |

{{thumbnail(rebelsimscan_pin.jpg, size=500)}}

h2. Mode of operation

h3. Original UART use

The original [[RebelSIM]] users simply use the FT232RL in UART mode and set the baud rate to match that of the actual SIM card reader. The baud rate is negotiated in the PPS after the ATR and depends on the frequency of the CLK signal generated by the reader.

This means you effectively have to use an oscilloscope to measure the bit length (etu) and calculate a matching baud rate, which you can then program the FT232R to use.

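The arithmetic behind that step, as an added example that is not part of the original wiki page: it turns a measured bit length (etu) or the card clock plus the F/D parameters into the UART rate, and then finds the nearest rate the FT232R divider can actually produce. It assumes the ISO 7816-3 relation etu = (F/D) * (1/f_clk) with the default F = 372, D = 1 before any PPS, the standard's TA1 encodings for F and D, and the FT232R divider model (3 MHz reference divided by n + k/8, plus the two special divisors for 3 Mbaud and 2 Mbaud) as given in the FTDI datasheet; the 104 µs scope reading is a constructed value.

```python
# Added example, not part of the original wiki page: turning a measured
# bit length (etu) or the card clock plus ATR/PPS parameters into the UART
# baud rate the FT232R has to be programmed with.
#
# Labelled assumptions: ISO 7816-3 defines one etu = (F / D) * (1 / f_clk),
# with F = 372 and D = 1 before any PPS; FI_TABLE / DI_TABLE are the
# standard's encodings of F and D in the high and low nibble of ATR byte TA1.
# The FT232R divider model (3 MHz reference over n + k/8, plus the two
# special divisors for 3 Mbaud and 2 Mbaud) follows the FTDI datasheet.

FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}


def etu_seconds(f_clk_hz: float, fi: int = 372, di: int = 1) -> float:
    """Elementary time unit for a given card clock and F/D pair."""
    return (fi / di) / f_clk_hz


def baud_from_etu(etu_s: float) -> float:
    """Every bit of a character frame lasts one etu, so the rate is 1/etu."""
    return 1.0 / etu_s


def baud_from_ta1(ta1: int, f_clk_hz: float) -> float:
    """Rate in force once a PPS has selected the F/D pair encoded in TA1."""
    fi = FI_TABLE[(ta1 >> 4) & 0x0F]
    di = DI_TABLE[ta1 & 0x0F]
    return baud_from_etu(etu_seconds(f_clk_hz, fi, di))


def ft232r_closest_baud(target: float) -> tuple[float, float]:
    """Nearest rate the FT232R divider can generate and its relative error."""
    base = 3_000_000.0
    candidates = [base, base / 2]            # divisor values 0 and 1
    n = int(base // target)
    for whole in (n - 1, n, n + 1):
        if 2 <= whole <= 16383:
            for k in range(8):               # sub-integer steps of 1/8
                candidates.append(base / (whole + k / 8))
    best = min(candidates, key=lambda b: abs(b - target))
    return best, abs(best - target) / target


if __name__ == "__main__":
    # Scope reading: 104 us per bit on the I/O line (constructed value).
    measured = baud_from_etu(104e-6)
    chosen, err = ft232r_closest_baud(measured)
    print(f"measured etu -> {measured:.1f} baud, FT232R can do {chosen:.1f} "
          f"({err * 100:.3f}% off)")
    # Same answer from the clock: 3.5712 MHz with default F/D gives 9600 baud.
    print(f"3.5712 MHz, F=372, D=1 -> {baud_from_etu(etu_seconds(3_571_200)):.1f} baud")
    # After a PPS selecting TA1 = 0x94 (F=512, D=8) at 4 MHz: 62500 baud.
    print(f"TA1=0x94 at 4 MHz -> {baud_from_ta1(0x94, 4_000_000):.1f} baud")
```

The divider search only tries the three integer parts around the ideal value, which is enough because the eighth steps between them bracket every reachable rate; anything further away is a worse match by construction. This is also why the scope route works in practice: a rate a fraction of a percent off is well inside what a UART tolerates, whereas the original wiki's real problem is that, with CLK not wired to the Scanner, the rate cannot be derived from the clock at all and has to be measured.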
h3. Modified bit-banging use

By using the FT232 asynchronous bit-banging mode, it is possible to obtain samples of the I/O line and decode the actual T=0 (or, with some SIM cards and phones, T=1) protocol.

The *unresolved problem* with this is that the sample clock of the FT232R seems very unstable. This results in a lot of jitter in the sample stream. Furthermore, it is suspected that USB causes buffer overruns, leading to lost samples.

Harald has been doing a lot of experimentation with this, and unfortunately abandoned the project for now.
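What the decoding step looks like once the bit-banged samples are in hand, as an added example that is not code from the original wiki page or from the RebelSIM project: a software UART that recovers ISO 7816-3 character frames from an oversampled I/O capture, resynchronising on every start bit so that per-frame drift of the sample clock is tolerated, and flagging parity errors. The capture is constructed in the block itself (bytes 0x3B, 0x9F, 0x95 at eight samples per etu), and the frame layout (start bit, eight data bits, even parity, guard time; direct versus inverse convention) follows ISO 7816-3.

```python
# Added example, not part of the original wiki page: decoding an
# oversampled capture of the SIM I/O line into ISO 7816-3 characters, which
# is the step the bit-banging approach needs once the FT232R has delivered
# raw samples. The sample stream here is constructed, not a real capture.
#
# A character frame is: one start bit (line low), eight data bits, one parity
# bit (even parity over the nine logical moments), then guard time with the
# line high. Direct convention (TS = 0x3B): 1 = high, LSB first. Inverse
# convention (TS = 0x3F): 1 = low, MSB first.

from dataclasses import dataclass


@dataclass
class Character:
    value: int
    parity_ok: bool
    start_index: int  # sample index where the start bit's falling edge was seen


def encode_character(value: int, inverse: bool = False) -> list[int]:
    """Line levels (1 = high) for one character frame, guard time excluded."""
    data = [(value >> k) & 1 for k in range(8)]         # LSB first
    if inverse:
        data = data[::-1]                                # MSB first
    logical = data + [sum(data) & 1]                     # even parity bit
    levels = [1 - b for b in logical] if inverse else logical
    return [0] + levels                                  # start bit is always low


def make_samples(values, samples_per_etu: int, inverse: bool = False,
                 guard_etus: int = 2) -> list[int]:
    """Constructed capture: idle line, then each character followed by guard time."""
    samples = [1] * (3 * samples_per_etu)
    for v in values:
        for level in encode_character(v, inverse):
            samples.extend([level] * samples_per_etu)
        samples.extend([1] * (guard_etus * samples_per_etu))
    return samples


def corrupt_data_bit(samples, samples_per_etu: int, bit_index: int) -> list[int]:
    """Invert one data bit of the first character (constructed fault injection)."""
    start = samples.index(0)
    lo = start + samples_per_etu * (1 + bit_index)
    out = list(samples)
    for j in range(lo, lo + samples_per_etu):
        out[j] = 1 - out[j]
    return out


def decode_samples(samples, samples_per_etu: int,
                   inverse: bool = False) -> list[Character]:
    """Recover characters by resynchronising on every start bit's falling edge
    and sampling each bit at its centre, which absorbs drift of up to roughly
    half an etu per frame (it cannot recover samples the USB path dropped)."""
    chars: list[Character] = []
    frame = 10 * samples_per_etu                 # start + 8 data + parity
    half = samples_per_etu // 2
    i, n = 0, len(samples)
    while i < n:
        if samples[i] != 0:                      # idle high: wait for falling edge
            i += 1
            continue
        if i + frame > n:                        # truncated final frame
            break
        if samples[i + half] != 0:               # glitch shorter than a start bit
            i += 1
            continue
        levels = [samples[i + half + samples_per_etu * k] for k in range(1, 10)]
        logical = [1 - b for b in levels] if inverse else levels
        data = logical[:8][::-1] if inverse else logical[:8]
        value = sum(b << k for k, b in enumerate(data))
        chars.append(Character(value, sum(logical) % 2 == 0, i))
        i += frame                               # next search starts in guard time
    return chars


if __name__ == "__main__":
    capture = make_samples([0x3B, 0x9F, 0x95], samples_per_etu=8)
    for c in decode_samples(capture, 8):
        print(f"0x{c.value:02X} parity_ok={c.parity_ok} at sample {c.start_index}")
```

Two design points matter for the failure modes the wiki describes. Restarting the bit clock at each falling edge means sample-clock jitter only has to stay under half an etu over ten bits rather than over the whole trace, so moderate instability still decodes cleanly; a run of samples lost to a USB overrun, on the other hand, shifts every later bit centre and shows up as a burst of parity failures, which is what `parity_ok` is there to surface.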