Project

General

Profile

Actions

WARNING: this project only applies to the first generation SIMtrace hardware, which uses the Atmel AT91SAM7S micro-controller. This project is not supported anymore. The hardware and software are still working, but won't get updates. This project is now replaced by SIMtrace 2, which uses the SAM3S replacement micro-controller. Patches to add support for the Atmel AT91SAM7S in the simtrace2 software are welcome.

Osmocom SIMtrace Hardware

This page is dedicated to the Hardware for Osmocom SIMtrace, which looks like this:

simtrace_11_front.jpgsimtrace_connectors_scaled.png

You can buy the device on the sysmocom shop.

Connectors

  • USB: USB mini-B connector. The main connector. The host software communicates (sniffing,...) through USB with the board. It can also be used to flash the micro-controller (using DFU).
  • serial: 2.5 mm jack serial cable, as used by osmocomBB. port used to debug the device (printf goes there).
  • debug (P2): same as serial, but using the FTDI serial cable. It is recommended to cut the voltage wire of the 6pin FTDI connector before plugging the cable into the simtrace.
  • jtag (P1): JTAG 20 pin connector to do hardware assisted debugging.
  • BT1: battery connector (4.5-6V DC). normally the USB provides power, but the battery port can be used for autonomous use of SIMtrace. The sniffed data can be saved in the flash (U1).
  • FFC_SIM (P3): to connect the flat flexible cable with SIM end for the phone.
  • SIM (P4): put your SIM in there (instead of in the phone)
  • reset (SW1): to reset the board (not erasing the firmware). If your are too lazy to unplug and re-plug the USB.
  • bootloader (SW2): used to start the bootloader to flash the device using DFU. press when plugging in the USB.
  • test (JP1): short circuit using a jumper to flash using SAM-BA.
  • erase (JP2): short circuit using a jumper to completely erase the firmware.

Schematics, Gerber & Co

simtrace_v14_schematic.png

The schematics, Gerber files, etc. can be found in the 'hardware' subdirectory of the simtrace.git repository:

We're using Kicad as EDA tool. Most of the work on the schematics and Gerber files has been done by Kevin Redon,
based on the original design by Harald Welte.

PDF renderings of the latest schematics are also available as an attachment to this page.

Interconnections

The hardware schematics are very, very simple:

  • Connect SIM-RST with PA7
  • Connect SIM-I/O with PA6 and PA1
  • Connect SIM-CLK with PA2 and PA4
  • Connect SIM-GND with GND

Mode of operation

The USART of the AT91SAM7S is capable of T=0. The documentation only mentions it in clock-master mode, like you
would run it in a smart card reader to actively talk to a smart card. However, by using the USART input clock multiplexer,
you can use an externally-generated CLK like the one from the SIM card socket of the phone.

Unfortunately, the Rx Timeout feature of the USART is not working in T=0 mode, so I had to re-implement Rx timeout (waiting time)
handling by means of the TC (timer/counter) block 0. Due to technical limitations, we will wait up to one byte (12 etu) more
than we should.

Modi

SIMtrace has the possibility to work as:
  • sniffer
  • card reader
  • card emulator
  • man-in-the-middle
The SAM7S offers 2 T=0 capable USART ports.
One is connected to the phone (PA21-PA27), the other to the SIM (PA1-PA7).
The lines goes from the phone to the SIM through a bus switch (IC4=CB3Q3244).
The bus switch offer 2 buses of 4 lines:
  • The first is used to forward RST, CLK, and VPP (between the SIM and the phone). It is controlled by SC_SW (PA20)
  • The second is used to forward I/O (between the SIM and the phone). It is controlled by SC_I/O (PA19)

The various modi require to interrupt different lines:

SW_SC (PA20) SC_I/O (PA19) description modus
L L phone and SIM directly connected sniffer (use any USART port)
L H only I/O interrupted MitM (use both USART port)
H H phone and SIM not connected card read, emulator (use each USART port)

As of now, still only the sniffer is implemented in the firmware

SIM cards support various classes (voltage levels): class A = 5.0V, class B = 3.0V, class C = 1.8V.
SIMtrace v1.x only supports class B (3.0V), which all actual SIM cards and phone also support.
To ensure class B is used, SIMtrace forces 3.3V (within the 3.0V±10% spec) by holding the VCC line at this voltage.
SIMtrace v2 will support all 3 classes.

Revisions

v2.0

This was formerly ongoing (but now long stalled) work.
The changes compared to v1.x are:
  • ID-1 and ID-000 smart card slots (with presence detection): so to be able to also sniff credit card sized smart cards
  • through hole USB Mini-B and Serial/Jack 2.5 connector: to be more robust
  • properly support all smart card classes (A,B,C): better compatibility
  • be able to forward voltage from phone to SIM or provide voltage from the board: ideal sniffer and reader
  • use an microSD slot instead of built-on flash: easier data transfer
  • a SWP sniffer (maybe)

j3. v1.4p-SAM3 (unreleased, available upon request)

  • switch from AT91SAM7S to AT91SAM3S: it has more USB endpoints
    • new firmware incomplete

v1.4 / v1.4p (2014-06)

Changes:
  • ensure PA0, PA1 and PA2 are high logic level at power-up (low interferes with SAM-BA operation)
    • PA0 hard-wired to 3V#
    • PA1 and PA2 get R25, R26 pull-up
  • update to AT91SAM128D (previous we used AT91SAM128C which is now EOL)
  • switch to alternative type of ferrite bead/filter, as old one is EOL
Downloads:

v1.3 (2013-11)

simtrace_v13_front.jpg

Changes:
  • added a FPF2109 power switch
  • added a zener diode on LDO to SIM to provide ~3.0V to SIM (closer to ISO 7812 specified class B)
  • it is now possible to choose the power source for the SIM card: provided by the SIMtrace on-board LDO, or forwarded from the phone
  • no production customizations required
  • silkscreen redone (sadly missing on the produced batch)
  • change SPI flash to S25FL032P0XMFI011

BUG: because of this new feature (selecting power source for the SIM), we wanted to be able to identify the v1.3 board.
To do that, we tied PA0 to ground. But this needs to be HIGH for the AT91SAM7S to be able to enter it's SAM-BA mode (for flashing the first time).
If you produce the board yourself, you have to cut the path between the left upper pin and the capacitor.
The version is now written in flash. To flash the firmware the first time (only), follow the dedicated instructions.

Downloads:

v1.2p (1.2 Production branch, 2012-05)

simtrace_v12p_front.jpg

adaptation of the v1.1p because of component availability for new batch.

Changes:
  • capacitor is even nearer to the LDO
  • one diode slightly changed place
  • quartz crystal is smaller (footprint still fits)
  • SIM slot is another (not available from Amphenol anymore). No presence switch.
Downloads:

v1.1p (1.1 Production branch, 2011-12)

simtrace_11_front.jpg

This is a slightly corrected version of the v1.0p.

Changes:
  • a critical capacitor is near the LDO
  • some other capacitors are nearer to the CPU
  • some power traces are wider
  • the SIM C6/VPP contact is also routed through the bus switch (sometimes used for Single Wire Protocol)
  • sysmocom is added in the copper for legal reasons
  • the FTDI Vcc is cut
Downloads:

v1.0p (1.0 Production branch, 2011-07)

simtrace_v10p_front_mid.jpg

This is identical to v1.0 on the schematics side, we simply altered the footprints of some components to accommodate
whatever the SMT factory had in stock. Specifically the LED are 0805 instead of 0603, and the shottky diodes are
in a slightly awkward looking very large package.

Downloads:

v1.0

simtrace_10_front.jpg

This is the first stable release. We built some 5 prototypes from this version.

Downloads:

v0.9

simtrace_v09_top_mid.jpg

As of June 04, 2011 the components had all arrived and four PCBs were in production. We assemble the first
units around June 14, 2011.

As of June 21st, we had four re-worked prototypes that are fully functional.

v0.8

simtrace_08_front_mid.jpg

Never really was an official release. However, a friend took the unfinished Gerber files and built 5 units.

Since the Gerber was not finished, we had to do lots and lots of re-work in order to make them work at all.

License

Schematics and Gerber files are released under the Creative Commons CC-BY-SA (Share Alike / Attribution) license.

Sales

Sales started at the 2011 CCC Camp and the hardware can be bought through the web-shop of sysmocom GmbH ("h2. Credits

  • Harald Welte
    • Original project idea, schematic design
    • Olimex SAM7-P64 based prototypes
    • Firmware and host software
  • Kevin Redon
    • KiCAD work on schematics, footprints and routing
    • Soldering of some prototypes
  • [http://sysmocom.de/ sysmocom - systems for mobile communications GmbH":http://shop.sysmocom.de/])
    • funding for hardware prototyping (PCB, components, etc)
  • Christian Daniel
    • post-production flashing + debugging, design + test of v1.0p rework
Files (28)
BDE4de895362bc98_01.jpg View BDE4de895362bc98_01.jpg 87.3 KB prototype PCB after drilling laforge, 06/04/2011 10:13 AM
BDE4de895362bc98_02.jpg View BDE4de895362bc98_02.jpg 115 KB prototype PCB after lithography/exposure laforge, 06/04/2011 10:13 AM
BDE4de895362bc98_03.jpg View BDE4de895362bc98_03.jpg 106 KB laforge, 06/08/2011 11:05 AM
BDE4de895362bc98_04.jpg View BDE4de895362bc98_04.jpg 150 KB laforge, 06/08/2011 11:06 AM
BDE4de895362bc98_05.jpg View BDE4de895362bc98_05.jpg 104 KB laforge, 06/08/2011 11:06 AM
simtrace_v09_top_mid.jpg View simtrace_v09_top_mid.jpg 422 KB photograph of the first SIMtrace prototype, version 0.9 laforge, 06/21/2011 05:08 PM
simtrace_schem_v10.pdf View simtrace_schem_v10.pdf 599 KB simtrace schematics v1.0 laforge, 06/21/2011 05:39 PM
simtrace_10_gerber.zip simtrace_10_gerber.zip 323 KB PCB layout (gerber file) for SIMtrace v1.0 laforge, 06/21/2011 05:39 PM
simtrace_10_front.jpg View simtrace_10_front.jpg 823 KB photograph of SIMtrace prototype version v1.0 laforge, 07/02/2011 06:53 PM
simtrace_v10p_schematic.pdf View simtrace_v10p_schematic.pdf 197 KB version 1.0p (production) schematics laforge, 07/30/2011 02:29 PM
simtrace_connectors.png View simtrace_connectors.png 61.3 KB SIMtrace pins and connectors tsaitgaist, 08/13/2011 09:20 AM
simtrace_connectors_scaled.png View simtrace_connectors_scaled.png 57.5 KB Scaled to try to make it match with simtrace_10_front , 10/07/2011 05:01 PM
simtrace_08_front_mid.jpg View simtrace_08_front_mid.jpg 417 KB SIMtrace v0.8 mounted PCB tsaitgaist, 10/18/2011 04:02 PM
simtrace_v10p_front_mid.jpg View simtrace_v10p_front_mid.jpg 357 KB SIMtrace v1.0p final product tsaitgaist, 10/18/2011 04:02 PM
simtrace_v10p_gerber.zip simtrace_v10p_gerber.zip 441 KB tsaitgaist, 12/21/2011 04:18 PM
simtrace_v10p_schematic.2.pdf View simtrace_v10p_schematic.2.pdf 197 KB tsaitgaist, 12/21/2011 04:19 PM
simtrace_v11p_gerber.zip simtrace_v11p_gerber.zip 441 KB tsaitgaist, 12/21/2011 04:29 PM
simtrace_v11p_schematic.pdf View simtrace_v11p_schematic.pdf 204 KB tsaitgaist, 12/21/2011 04:30 PM
simtrace_11_front.jpg View simtrace_11_front.jpg 181 KB SIMtrace v1.1p product front tsaitgaist, 04/26/2012 01:17 PM
simtrace_v12p_front.jpg View simtrace_v12p_front.jpg 178 KB SIMtrace v1.2p product front tsaitgaist, 12/06/2012 05:30 PM
simtrace_v12_schematic.pdf View simtrace_v12_schematic.pdf 131 KB schematic for SIMtrace v1.2p tsaitgaist, 12/06/2012 05:32 PM
simtrace_v12p_gerber.zip simtrace_v12p_gerber.zip 315 KB fabrication files for SIMtrace v1.2p tsaitgaist, 12/06/2012 05:33 PM
simtrace_v13_front.jpg View simtrace_v13_front.jpg 659 KB SIMtrace v1.3 board, front side tsaitgaist, 12/11/2013 10:47 AM
simtrace_v13_schematic.pdf View simtrace_v13_schematic.pdf 119 KB SIMtrace v1.3 schematic tsaitgaist, 12/11/2013 11:27 AM
simtrace_v13_board.zip simtrace_v13_board.zip 626 KB SIMtace v1.3 board files (gerber, bom, …) tsaitgaist, 12/11/2013 11:30 AM
simtrace_v14_schematic.pdf View simtrace_v14_schematic.pdf 170 KB schematics v1.4 laforge, 03/17/2017 07:29 AM
simtrace_v14p_gerber.zip simtrace_v14p_gerber.zip 299 KB gerber file v1.4p laforge, 03/17/2017 07:29 AM
simtrace_v14_schematic.png View simtrace_v14_schematic.png 359 KB laforge, 03/17/2017 07:36 AM

Updated by laforge 12 months ago · 42 revisions

Add picture from clipboard (Maximum size: 48.8 MB)