SIMtrace » History » Version 46
zecke, 04/17/2016 06:01 PM
{{>toc}}

h1. Osmocom SIMtrace


Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It looks a bit like this:
{{graphviz_link()
digraph G{
//rankdir = LR;
Phone -> SIMtrace [label = "Flexi-PCB cable"];
SIMtrace -> SIM;
SIMtrace -> PC [label = "USB cable"];

SIMtrace [ label = "SIMtrace hardware" ];
}
}}

When connected to a phone, it looks like this:

!{width:50%}simtrace_and_phone.jpg!

!{width:33%}simtrace_functions.png!

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone. The received bytes are sent via USB to the PC, where the simtrace host program gathers the data from the USB device, parses the APDUs and forwards them via GSMTAP to the wireshark protocol analyzer.


h2. Features


* Completely passive scanner
* RST and ATR detection
* Auto-bauding with PPS / PTS support
* Segmentation of APDUs


SIMtrace can be used to monitor the ME-SIM communication, but it can also emulate a phone or a SIM, or act as a man-in-the-middle (MITM).
While the hardware supports all these modes, only the monitoring aspect has been implemented in software.


h2. TODO


* Check for parity errors
* Verify TCK / PCK check-bytes
* Implement MITM

h2. Hardware


The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [[RebelSIM_Scanner]]. If the [[RebelSIM]] scanner is used, connect its USB even if only the signal lines are used: it needs to be powered, otherwise the real reader will often fail to initialize the card.

Now we have a dedicated PCB design. The schematics and Gerber files are released as open source hardware and can be produced by everyone.

However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace

More details are available at [[SIMtraceHardware]]


h2. Firmware


The firmware for the AT91SAM7S device was written by reusing a lot of the code for the "OpenPCD":http://www.openpcd.org/ RFID reader. Details are available at [[SIMtraceFirmware]].


h2. Documentation


Please check the attachments for a user manual. In there you will find some hints to install ready-made packages for your favorite Linux distribution.


h2. Host PC Software


The simtrace program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device and send GSMTAP frames using UDP/IPv4 to localhost:4729.

h3. Preconditions


[[libosmocore]] and headers (simtrace_usb.h) from the firmware.

Additional packages:
<pre>
sudo apt-get install libusb-1.0-0-dev
</pre>

h3. Compiling it


<pre>
git clone git://git.osmocom.org/simtrace.git
cd simtrace/host/
make
</pre>

h3. Accessing it


Add udev rules so that simtrace can access the device as a non-root user (the user only needs to be in the osmocom group):

<pre>
sudo groupadd osmocom
sudo adduser $USERNAME osmocom
sudo tee /etc/udev/rules.d/10-osmocom.rules << EOF
# to use, install this file in /etc/udev/rules.d as 10-osmocom.rules
# rule to grant read/write access on SIMtrace to group named osmocom.
SUBSYSTEM=="usb", ATTR{idProduct}=="0762", ATTRS{idVendor}=="16c0", MODE="0660", GROUP="osmocom"
EOF
sudo service udev reload
</pre>

You must log out and back in for the group membership to take effect.

h3. Using it


Simply start *simtrace*.
It will send the GSMTAP frames to UDP/IPv4 localhost:4729.
It will also print hexdumps of the frames to the console, looking like this:
<pre>
sudo ./simtrace
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 38 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16): a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9): a0 a4 00 00 02 6f ad 9f 0f
APDU: (8): a0 b0 00 00 01 00 91 78
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (16): a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9): a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18): a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9): a0 a4 00 00 02 6f 78 9f 0f
APDU: (9): a0 b0 00 00 02 00 01 91 78
APDU: (9): a0 a4 00 00 02 6f 74 9f 0f
APDU: (23): a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 20 9f 0f
APDU: (16): a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9): a0 a4 00 00 02 6f 30 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
</pre>
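Each console line above is one raw T=0 exchange: the 5-byte command header (CLA INS P1 P2 P3), the command or response data, and the two status bytes SW1 SW2. The decoder below is an added example, not part of the simtrace host program; it splits those lines the way the text describes and names the instruction and the elementary file being selected. The INS and EF name tables are assumptions taken from GSM TS 11.11 rather than from this page.

```python
import re

# GSM TS 11.11 instruction bytes seen in simtrace output (CLA a0 = GSM application)
INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xB2: "READ RECORD",
             0xC0: "GET RESPONSE", 0x88: "RUN GSM ALGORITHM", 0xF2: "STATUS"}
# Elementary file IDs selected in the trace above (GSM TS 11.11, section 10)
EF_NAMES = {"6f07": "EF_IMSI", "6f38": "EF_SST", "6fad": "EF_AD", "6f7e": "EF_LOCI",
            "6f78": "EF_ACC", "6f74": "EF_BCCH", "6f20": "EF_Kc", "6f30": "EF_PLMNsel"}

LINE_RE = re.compile(r"APDU:\s*\((\d+)\):\s*((?:[0-9a-fA-F]{2}\s*)+)")


def decode_tpdu(data):
    """Split one T=0 TPDU as captured by simtrace: header, data, SW1 SW2."""
    if len(data) < 7:
        raise ValueError("need at least 5 header bytes and 2 status bytes")
    cla, ins, p1, p2, p3 = data[:5]
    sw1, sw2 = data[-2], data[-1]
    body = data[5:-2]
    info = {"cla": cla, "ins": INS_NAMES.get(ins, "INS %02x" % ins), "p1": p1, "p2": p2,
            "p3": p3, "body": body.hex(), "sw": "%02x%02x" % (sw1, sw2)}
    if ins == 0xA4 and len(body) == 2:      # SELECT carries the 2-byte file ID
        info["file"] = EF_NAMES.get(body.hex(), body.hex())
    if sw1 == 0x9F:                          # 9F xx: xx bytes waiting for GET RESPONSE
        info["pending"] = sw2
    elif sw1 == 0x91:                        # 91 xx: OK, xx-byte proactive SIM command pending
        info["proactive"] = sw2
    return info


def parse_apdu_line(line):
    """Parse one 'APDU: (n): xx xx ...' console line; None if the line is something else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    data = bytes.fromhex(m.group(2))
    if len(data) != int(m.group(1)):
        raise ValueError("length prefix %s does not match %d bytes" % (m.group(1), len(data)))
    return decode_tpdu(data)


def selected_files(lines):
    """Names of the files SELECTed across a trace, in order (skips non-APDU lines)."""
    return [d["file"] for d in map(parse_apdu_line, lines) if d and "file" in d]


# Sample input: the first three APDU lines of the console output shown above
SAMPLE = """sudo ./simtrace
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 38 9f 0f""".splitlines()
```

Running `selected_files` over the whole dump shows the phone reading EF_IMSI, EF_SST, EF_AD, EF_LOCI and friends in the order a GSM ME initialises a SIM.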

h2. Wireshark integration


There is an experimental patch, also part of the simtrace.git package. It is also included in the [[wireshark]] developer version (since wireshark 1.7.1).

To see the APDUs in wireshark:
* on localhost, SIMtrace automatically opens a UDP sink locally, so nothing needs to be done
* to get the data on another machine
** start a UDP sink for GSMTAP on the other machine (do not use netcat as it "connects" back)
<pre>
socat -u udp-recv:4729 /dev/null
</pre>
** tell simtrace to which machine to forward
<pre>
./simtrace -i 192.168.0.1
</pre>

!wireshark-sim.png!

Protocol parsing is far from complete; patches are always welcome!


h2. Contact / Mailing List


For any development or usage related questions, there is a mailing list [mailto:simtrace@lists.osmocom.org]; you can subscribe/unsubscribe to it at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please make sure you read the [[cellular-infrastructure:MailingListRules]] before you start posting.