RebelSIM Scanner » History » Version 9
laforge, 02/21/2016 10:17 AM
{{>toc}}

h1. Rebel Simcard Scanner

The Rebel Simcard folks sell a relatively inexpensive device for capturing SIM card traces under the name _Simcard Scanner_.

!rebelsim-scanner.jpg!

You can find the full kit for less than USD 25 at the "Rebelsimcard shop":http://rebelmicrosimcutter.com/fully-assembled-gsm-umts-cdma-network-simcard-and-mobile-phone-hex-scan.html ("mirror":http://rebelsimcard.com/virtu/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=194&category_id=339&option=com_virtuemart&Itemid=1).

h2. Hardware architecture

The Scanner has one plug-in SIM sized slot and one full-size (ISO 7816-1) slot for your actual SIM card.

It also has a small socket for an FPC cable that goes to a small PCB the size of a plug-in SIM.

You put the FPC-attached PCB into your phone (in place of the SIM card) and put the actual SIM inside the Scanner.

Furthermore, you connect it via the USB-B connector to your PC.

The I/O line of the SIM card is wired to the RxD pin (5) of the FT232RL on the Scanner. Unfortunately the CLK line is not connected to the FT232RL, so the PC never sees the reader's clock, and the device cannot act as a proxy (man-in-the-middle) between SIM and phone either: it can only listen on I/O.

h2. Pinout

It's possible to use it as a smart card physical interface for [[SIMtrace]].

Here is the pinout (smart card contact versus pin number on each connector of the Scanner PCB; an empty cell means that contact is not brought out on that connector):

|_. Smart Card |_. CON1 |_. CON2 |_. CON3 |_. CON17 |_. USB3 |
| C1-VCC | 1 | 3 | 1 | 8 | 8 |
| C2-RST | 2 | 5 | | | 6 |
| C3-CLK | 3 | 7 | | | 4 |
| C5-GND | 6 | 4 | 5 | 4,9,11,13,15 | 7 |
| C6-VPP | 5 | | | | |
| C7-I/O | 4 | 8 | 6 | 2 | 3 |

{{thumbnail(rebelsimscan_pin.jpg, size=500)}}

h2. Mode of operation

h3. Original UART use

The original [[RebelSIM]] users simply use the FT232RL in UART mode and set the baud rate to match that of the actual SIM card reader. The baud rate is negotiated in the PPS after the ATR and depends on the frequency of the CLK signal generated by the reader, which the Scanner cannot observe since CLK is not wired to the FT232RL.

This means you effectively have to use an oscilloscope to measure the bit length on the I/O line (one elementary time unit, etu) and calculate a matching baud rate (1/etu), which you can then program the FT232R to use.

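To make the calculation above concrete, here is an added Python example (not code from this page, from RebelSIM or from Osmocom). It derives the FT232RL UART settings either from an etu measured on the scope or from the reader clock together with the Fi/Di values in force, and it parses a PPS frame, since that exchange is where the final rate is fixed. The Fi/Di tables and the PPS layout follow ISO/IEC 7816-3; the 3.5712 MHz reader clock and the PPS bytes are constructed, assumed values.

```python
"""FT232RL UART settings for the Scanner, derived from the SIM's timing.

Added example, not code from the RebelSIM page or from Osmocom.  The
Fi/Di tables and PPS layout follow ISO/IEC 7816-3; the 3.5712 MHz reader
clock and the PPS bytes used below are constructed, assumed values.
"""

# ISO/IEC 7816-3 clock rate conversion integer Fi (high nibble of TA1/PPS1).
# Codes missing here are RFU.
FI_TABLE = {0x0: 372, 0x1: 372, 0x2: 558, 0x3: 744, 0x4: 1116, 0x5: 1488,
            0x6: 1860, 0x9: 512, 0xA: 768, 0xB: 1024, 0xC: 1536, 0xD: 2048}
# Baud rate adjustment integer Di (low nibble of TA1/PPS1).
DI_TABLE = {0x1: 1, 0x2: 2, 0x3: 4, 0x4: 8, 0x5: 16, 0x6: 32, 0x7: 64,
            0x8: 12, 0x9: 20}


def baud_from_etu(etu_seconds):
    """Baud rate from one etu measured on the scope (one bit is one etu)."""
    return round(1.0 / etu_seconds)


def baud_from_clock(f_clk_hz, fi=372, di=1):
    """Baud rate from the reader clock and the Fi/Di in force.

    ISO 7816-3: 1 etu = (Fi / Di) / f_clk, hence baud = f_clk * Di / Fi.
    Until a PPS succeeds the card runs at the default Fi=372, Di=1.
    """
    return round(f_clk_hz * di / fi)


def parse_pps(frame):
    """Parse a PPS request or response: FF PPS0 [PPS1] [PPS2] [PPS3] PCK.

    Returns (protocol, fi, di); fi and di are None when PPS1 is absent.
    Raises ValueError on a malformed frame or a bad PCK check byte.
    """
    if len(frame) < 3 or frame[0] != 0xFF:
        raise ValueError("not a PPS frame")
    pps0 = frame[1]
    # b5..b7 of PPS0 (masks 0x10/0x20/0x40) flag the presence of PPS1..PPS3
    present = bin((pps0 >> 4) & 0x7).count("1")
    if len(frame) != 2 + present + 1:
        raise ValueError("PPS length does not match PPS0")
    pck = 0
    for b in frame:
        pck ^= b            # PCK is chosen so the XOR over the whole frame is 0
    if pck != 0:
        raise ValueError("bad PCK")
    protocol = pps0 & 0x0F
    if not pps0 & 0x10:
        return protocol, None, None
    pps1 = frame[2]
    fi = FI_TABLE.get(pps1 >> 4)
    di = DI_TABLE.get(pps1 & 0x0F)
    if fi is None or di is None:
        raise ValueError("RFU Fi/Di code in PPS1")
    return protocol, fi, di


def uart_settings(baud):
    """Parameters to program into the FT232RL (e.g. pyserial's Serial()).

    7816-3 characters are 8 data bits plus even parity followed by the
    guard time; with the default 12 etu character frame that is 2 stop
    bits.  The FT232R accepts non-standard baud rates, which matters
    because the result is rarely a "standard" PC rate.
    """
    return {"baudrate": baud, "bytesize": 8, "parity": "E", "stopbits": 2}


if __name__ == "__main__":
    F_CLK = 3_571_200                                   # assumed reader clock (Hz)
    print("default rate :", baud_from_clock(F_CLK))      # 9600
    print("from scope   :", baud_from_etu(104.17e-6))    # 9600
    # constructed PPS response: T=0, PPS1 = 0x96 -> Fi=512, Di=32
    t, fi, di = parse_pps(bytes.fromhex("ff 10 96 79"))
    rate = baud_from_clock(F_CLK, fi, di)
    print("after PPS    :", rate, uart_settings(rate))  # 223200
```

The dict returned by @uart_settings@ maps directly onto pyserial's @serial.Serial()@ keyword arguments. Note the asymmetry the page points out: without CLK the PC cannot compute the rate on its own, so either the reader clock has to be known (as assumed in the example) or the etu has to be measured on the I/O line with the scope.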
h3. Modified bit-banging use

By using the FT232R asynchronous bit-bang mode, it is possible to obtain raw samples of the I/O line at a fixed sample rate and to decode the actual T=0 (or, with some SIM cards and phones, T=1) protocol from them in software, without knowing the baud rate in advance.

The *unresolved problem* with this is that the sample clock of the FT232R seems very unstable, which results in a lot of jitter in the sample stream. Furthermore it is suspected that USB may cause buffer overruns and lead to lost samples.

Harald has been doing a lot of experimentation with this, and unfortunately abandoned the project for now.
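As an added example (not Harald's code and not from this page), the following Python decoder shows what the software side of the bit-bang approach has to do: pull the I/O level out of each FT232R sample byte, find each character's start bit, sample the centre of the nine bits that follow and check even parity. It also shows why the jitter matters: every character re-synchronises on its own start-bit edge, so per-bit jitter is survivable only while the drift accumulated over one character stays below about half an etu. The D1 = RXD bit position is an assumption taken from the FT232R bit-bang pin order, and the sample stream is constructed (with deliberate jitter) so the decoder runs offline.

```python
"""Decode T=0 characters from raw FT232R asynchronous bit-bang samples.

Added example, not Harald's code or anything from the page.  In bit-bang
mode every byte the FT232R returns is a snapshot of its eight data pins at
the programmed sample rate; the SIM I/O line is on RXD, which the FT232R
bit-bang pin order puts at D1 of that byte (assumption: check the data
sheet for your board).  The sample stream is constructed here, with
deliberate jitter, so that the decoder can run offline.
"""
import random

IO_BIT = 1  # D1 = RXD in FT232R bit-bang mode (assumed pin order)


def io_levels(raw, bit=IO_BIT):
    """Extract the I/O line level (0/1) from each raw bit-bang sample byte."""
    return [(b >> bit) & 1 for b in raw]


def decode_chars(levels, spe):
    """Recover characters from a level stream sampled at `spe` samples/etu.

    Direct convention (TS = 0x3B): idle high, start bit low, 8 data bits
    LSB first, even parity, then at least 2 etu of guard time.  Each
    character re-synchronises on its own start bit edge, so clock jitter
    is tolerated as long as the drift accumulated over the 10 bits of one
    character stays below roughly half an etu; beyond that the mid-bit
    sample lands in a neighbouring bit and shows up as a parity error or
    a wrong value.  Returns (value, parity_ok, start_sample) tuples.
    """
    out = []
    n = len(levels)
    i = 1
    while i < n:
        if not (levels[i - 1] == 1 and levels[i] == 0):
            i += 1                      # no falling edge here
            continue
        mid = i + spe // 2              # centre of the start bit
        if mid >= n or levels[mid] != 0:
            i += 1                      # short glitch, not a start bit
            continue
        bits = []
        for k in range(1, 10):          # 8 data bits + parity, at bit centres
            idx = mid + k * spe
            if idx >= n:
                return out              # capture ends mid-character
            bits.append(levels[idx])
        value = sum(b << k for k, b in enumerate(bits[:8]))
        parity_ok = sum(bits) % 2 == 0  # even parity over data + parity bit
        out.append((value, parity_ok, i))
        i = mid + 10 * spe              # jump into the guard time
    return out


def decode_bitbang(raw, spe):
    """Convenience wrapper: raw FT232R bytes -> [(value, parity_ok), ...]."""
    return [(v, ok) for v, ok, _ in decode_chars(io_levels(raw), spe)]


def encode_chars(values, spe, jitter=0, seed=1):
    """Constructed level stream for `values`, used to exercise the decoder.

    Every bit lasts `spe` samples plus a random variation of up to
    +/-`jitter` samples, mimicking the unstable FT232R sample clock.
    """
    rng = random.Random(seed)

    def stretch(level):
        return [level] * (spe + rng.randint(-jitter, jitter))

    levels = [1] * (3 * spe)                     # idle line before the first byte
    for v in values:
        bits = [(v >> k) & 1 for k in range(8)]  # LSB first
        bits.append(sum(bits) % 2)               # even parity bit
        for level in [0] + bits + [1, 1]:        # start, data, parity, 2 etu guard
            levels.extend(stretch(level))
        levels.extend([1] * (2 * spe))           # idle time between characters
    return levels


def levels_to_raw(levels, bit=IO_BIT):
    """Pack levels into the byte-per-sample format the FT232R would return."""
    return bytes(level << bit for level in levels)


if __name__ == "__main__":
    SPE = 24                                     # e.g. 230.4 kS/s bit-bang rate at 9600 baud
    atr_start = [0x3B, 0x02, 0x14, 0x50]         # constructed TS/T0/historical bytes
    raw = levels_to_raw(encode_chars(atr_start, SPE, jitter=1))
    for value, ok in decode_bitbang(raw, SPE):
        print(f"{value:02X} parity {'ok' if ok else 'ERROR'}")
```

With one sample of jitter per bit and 24 samples per etu the accumulated drift can never exceed the half-etu budget, so every character decodes cleanly; lost samples (the suspected USB overruns) shift every later sample point and are a different failure, which this decoder can only report as parity errors.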