SIMtrace Hardware » History » Version 39
laforge, 03/17/2017 07:37 AM
{{>toc}}

h1. Osmocom SIMtrace Hardware

This page is dedicated to the hardware for Osmocom [[SIMtrace]], which looks like this:

{{thumbnail(simtrace_11_front.jpg)}}{{thumbnail(simtrace_connectors_scaled.png)}}

You can buy the device on the "sysmocom shop":http://shop.sysmocom.de/products/simtrace.

h2. Connectors

* USB: USB mini-B connector. This is the main connector: the host software communicates with the board (sniffing, ...) through USB, and it can also be used to flash the micro-controller (using DFU).
* serial: 2.5 mm jack serial cable, as used by osmocomBB. This port is used to debug the device (printf output goes there).
* debug (P2): same as serial, but using the FTDI serial cable. *It is recommended to cut the voltage wire of the 6-pin FTDI connector before plugging the cable into the SIMtrace.*
* jtag (P1): JTAG 20-pin connector for hardware-assisted debugging.
* BT1: battery connector (4.5-6V DC). Normally the USB provides power, but the battery port can be used for autonomous use of SIMtrace. The sniffed data can then be saved in the flash (U1).
* FFC_SIM (P3): to connect the flat flexible cable with the SIM end for the phone.
* SIM (P4): put your SIM in there (instead of in the phone).
* reset (SW1): resets the board (without erasing the firmware), if you are too lazy to unplug and re-plug the USB.
* bootloader (SW2): used to start the bootloader to flash the device using DFU. Press it while plugging in the USB.
* test (JP1): short-circuit with a jumper to flash using [[SIMtraceFirmware#EnteringtheSAM-BAmode|SAM-BA]].
* erase (JP2): short-circuit with a jumper to completely erase the firmware.

h2. Schematics, Gerber & Co

{{thumbnail(simtrace_v14_schematic.png)}}

The schematics, Gerber files, etc. can be found in the 'hardware' subdirectory of the simtrace.git repository:
* http://cgit.osmocom.org/cgit/simtrace/tree/hardware (web browsing)
* git://git.osmocom.org/simtrace (git clone URL)

We're using KiCad as EDA tool. Most of the work on the schematics and Gerber files has been done by Kevin Redon, based on the original design by Harald Welte.

PDF renderings of the latest schematics are also available as an attachment to this page.

h2. Interconnections

The hardware schematics are very, very simple:

* Connect SIM-RST with PA7
* Connect SIM-I/O with PA6 (TXD0) and PA1 (TIOB0)
* Connect SIM-CLK with PA2 (SCK0) and PA4 (TCLK0)
* Connect SIM-GND with GND

h2. Mode of operation

The USART of the AT91SAM7S is capable of T=0. The documentation only mentions it in clock-master mode, as you would run it in a smart card reader to actively talk to a smart card. However, by using the USART input clock multiplexer, you can use an externally-generated CLK like the one from the SIM card socket of the phone.

Unfortunately, the Rx Timeout feature of the USART is not working in T=0 mode, so I had to re-implement Rx timeout (waiting time) handling by means of the TC (timer/counter) block 0. Due to technical limitations, we will wait up to one byte (12 etu) more than we should.

h2. Modi

SIMtrace has the possibility to work as:
* sniffer
* card reader
* card emulator
* man-in-the-middle

The SAM7S offers 2 T=0 capable USART ports. One is connected to the phone (PA21-PA27), the other to the SIM (PA1-PA7).
The lines go from the phone to the SIM through a bus switch (IC4="CB3Q3244":http://www.ti.com/lit/ds/symlink/sn74cb3q3244.pdf).
The bus switch offers 2 buses of 4 lines:
* The first is used to forward RST, CLK, and VPP (between the SIM and the phone). It is controlled by SC_SW (PA20).
* The second is used to forward I/O (between the SIM and the phone). It is controlled by SC_I/O (PA19).

The various modi require different lines to be interrupted:

|_. SC_SW (PA20) |_. SC_I/O (PA19) |_. description |_. modus |
| L | L | phone and SIM directly connected | sniffer (use any USART port) |
| L | H | only I/O interrupted | MitM (use both USART ports) |
| H | H | phone and SIM not connected | card reader, emulator (use each USART port) |

As of now, still only the sniffer is implemented in the firmware.

SIM cards support various classes (voltage levels): class A = 5.0V, class B = 3.0V, class C = 1.8V.
SIMtrace v1.x only supports class B (3.0V), which all current SIM cards and phones also support.
To ensure class B is used, SIMtrace forces 3.3V (within the 3.0V±10% spec) by holding the VCC line at this voltage.
SIMtrace v2 will support all 3 classes.

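As an added illustration (not code from the SIMtrace firmware), the following C sketch shows how the two bus-switch control lines from the table above select the mode, and which of the two USARTs the firmware then has to service. The @pio_model@ struct, the function names and the @usart_use@ enum are assumptions made so the logic can be exercised on a host; the pin numbers PA20 and PA19 are the ones given on this page.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bus switch control lines as wired on SIMtrace v1.x (from the page). */
#define SC_SW_PIN (1u << 20) /* PA20: gates RST, CLK and VPP */
#define SC_IO_PIN (1u << 19) /* PA19: gates I/O */

enum simtrace_mode { MODE_SNIFFER, MODE_MITM, MODE_READER, MODE_EMULATOR };

/* Which T=0 USART the firmware must service in a mode:
 * PA1-PA7 face the SIM, PA21-PA27 face the phone. */
enum usart_use { USART_ANY_ONE, USART_BOTH, USART_SIM_SIDE, USART_PHONE_SIDE };

/* Host-side stand-in for the PIO set/clear registers (assumption: on the
 * real AT91SAM7S these would be memory-mapped PIO_SODR/PIO_CODR writes). */
struct pio_model { uint32_t odsr; };
static void pio_set(struct pio_model *p, uint32_t m)   { p->odsr |= m; }
static void pio_clear(struct pio_model *p, uint32_t m) { p->odsr &= ~m; }

/* Drive SC_SW / SC_I/O for the requested mode and report which USART(s)
 * carry the T=0 traffic afterwards. Mirrors the mode table above. */
enum usart_use simtrace_set_mode(struct pio_model *pioa, enum simtrace_mode mode)
{
    switch (mode) {
    case MODE_SNIFFER:      /* L / L: phone and SIM stay directly connected */
        pio_clear(pioa, SC_SW_PIN | SC_IO_PIN);
        return USART_ANY_ONE;
    case MODE_MITM:         /* L / H: RST/CLK/VPP pass through, I/O is split */
        pio_clear(pioa, SC_SW_PIN);
        pio_set(pioa, SC_IO_PIN);
        return USART_BOTH;
    case MODE_READER:       /* H / H: SIMtrace alone talks to the SIM */
        pio_set(pioa, SC_SW_PIN | SC_IO_PIN);
        return USART_SIM_SIDE;
    case MODE_EMULATOR:     /* H / H: SIMtrace alone talks to the phone */
        pio_set(pioa, SC_SW_PIN | SC_IO_PIN);
        return USART_PHONE_SIDE;
    }
    return USART_ANY_ONE;   /* not reached for a valid mode */
}

/* Electrical state derived from the control lines: is the phone still
 * wired to the SIM on the RST/CLK/VPP bus, and on the I/O line? */
bool simtrace_bus_passthrough(const struct pio_model *p) { return !(p->odsr & SC_SW_PIN); }
bool simtrace_io_passthrough(const struct pio_model *p)  { return !(p->odsr & SC_IO_PIN); }
```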
h2. Revisions

h3. v2.0

This was formerly ongoing (but now long stalled) work.
The changes compared to v1.x are:
* ID-1 and ID-000 smart card slots (with presence detection): to be able to also sniff credit-card sized smart cards
* through-hole USB Mini-B and serial/2.5 mm jack connectors: to be more robust
* properly support all smart card classes (A, B, C): better compatibility
* be able to forward voltage from the phone to the SIM or provide voltage from the board: ideal sniffer and reader
* use a microSD slot instead of the on-board flash: easier data transfer
* a SWP sniffer (maybe)

h3. v1.4p-SAM3 (unreleased, available upon request)

* switch from AT91SAM7S to AT91SAM3S: it has more USB endpoints
** new firmware incomplete

h3. v1.4 / v1.4p (2014-06)

Changes:
* ensure PA0, PA1 and PA2 are at high logic level at power-up (low interferes with SAM-BA operation)
** PA0 hard-wired to 3V#
** PA1 and PA2 get R25, R26 pull-ups
* update to AT91SAM128D (previously we used the AT91SAM128C, which is now EOL)
* switch to an alternative type of ferrite bead/filter, as the old one is EOL

Downloads:
* [attachment:simtrace_v14_schematic.pdf]
* [attachment:simtrace_v14p_gerber.zip]

h3. v1.3 (2013-11)

{{thumbnail(simtrace_v13_front.jpg)}}

Changes:
* added a FPF2109 power switch
* added a zener diode on the LDO to the SIM to provide ~3.0V to the SIM (closer to the ISO 7812 specified class B)
* it is now possible to choose the power source for the SIM card: provided by the SIMtrace on-board LDO, or forwarded from the phone
* no production customizations required
* silkscreen redone (sadly missing on the produced batch)
* change SPI flash to S25FL032P0XMFI011

*BUG:* because of this new feature (selecting the power source for the SIM), we wanted to be able to identify the v1.3 board.
To do that, we tied PA0 to ground. But this pin needs to be HIGH for the AT91SAM7S to be able to enter its SAM-BA mode (for flashing the first time).
If you produce the board yourself, you have to cut the trace between the left upper pin and the capacitor.
The version is now written in flash. To flash the firmware the first time (only), follow the dedicated [[ProductionFlashingV13|instructions]].

Downloads:
* [attachment:simtrace_v13_schematic.pdf]
* [attachment:simtrace_v13_board.zip]

h3. v1.2p (1.2 Production branch, 2012-05)

{{thumbnail(simtrace_v12p_front.jpg)}}

Adaptation of the v1.1p because of component availability for the new batch.

Changes:
* capacitor is even nearer to the LDO
* one diode slightly changed place
* quartz crystal is smaller (footprint still fits)
* SIM slot is a different one (the previous one is not available from Amphenol anymore). No presence switch.

Downloads:
* [attachment:simtrace_v12_schematic.pdf]
* [attachment:simtrace_v12p_gerber.zip]

h3. v1.1p (1.1 Production branch, 2011-12)

{{thumbnail(simtrace_11_front.jpg)}}

This is a slightly corrected version of the v1.0p.

Changes:
* a critical capacitor is near the LDO
* some other capacitors are nearer to the CPU
* some power traces are wider
* the SIM C6/VPP contact is also routed through the bus switch (sometimes used for Single Wire Protocol)
* sysmocom is added in the copper for legal reasons
* the FTDI Vcc is cut

Downloads:
* [attachment:simtrace_v11p_schematic.pdf]
* [attachment:simtrace_v11p_gerber.zip]

h3. v1.0p (1.0 Production branch, 2011-07)

{{thumbnail(simtrace_v10p_front_mid.jpg)}}

This is identical to v1.0 on the schematics side; we simply altered the footprints of some components to accommodate whatever the SMT factory had in stock. Specifically, the LEDs are 0805 instead of 0603, and the Schottky diodes are in a slightly awkward-looking, very large package.

Downloads:
* [attachment:simtrace_v10p_schematic.pdf]
* [attachment:simtrace_v10p_gerber.zip]

h3. v1.0

{{thumbnail(simtrace_10_front.jpg)}}

This is the first stable release. We built some 5 prototypes from this version.

Downloads:
* [attachment:simtrace_schem_v10.pdf]
* [attachment:simtrace_10_gerber.zip]

h3. v0.9

{{thumbnail(simtrace_v09_top_mid.jpg)}}

As of June 04, 2011 the components had all arrived and four PCBs were in production. We assembled the first units around June 14, 2011.

As of June 21st, we had four re-worked prototypes that are fully functional.

h3. v0.8

{{thumbnail(simtrace_08_front_mid.jpg)}}

This never really was an official release. However, a friend took the unfinished Gerber files and built 5 units.

Since the Gerber files were not finished, we had to do lots and lots of re-work in order to make them work at all.

h2. License

Schematics and Gerber files are released under the Creative Commons CC-BY-SA (Share Alike / Attribution) license.

h2. Sales

Sales started at the 2011 CCC Camp and the hardware can be bought through the web-shop of sysmocom GmbH ("shop.sysmocom.de":http://shop.sysmocom.de/).

h2. Credits

* Harald Welte
** Original project idea, schematic design
** Olimex SAM7-P64 based prototypes
** Firmware and host software
* Kevin Redon
** [[KiCAD]] work on schematics, footprints and routing
** Soldering of some prototypes
* "sysmocom - systems for mobile communications GmbH":http://sysmocom.de/
** funding for hardware prototyping (PCB, components, etc)
* Christian Daniel
** post-production flashing + debugging, design + test of v1.0p rework