Wiki » History » Version 19

emvivre, 07/29/2018 09:17 AM

h1. Osmocom SIMtrace 2

{{>toc}}

Osmocom SIMtrace 2 is a software, firmware and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone, and for remote SIM operation.

While it was designed for SIM-ME communication, it supports all ISO 7816 smart cards using the T=0 protocol (the most common case).

It is a follow-up of the "SIMtrace project":/projects/simtrace/wiki, providing more functionality (e.g. remote SIM operation) and supporting multiple boards (e.g. SIMtrace with SAM3S, "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html).

h2. Hardware

The SIMtrace 2 firmware supports several boards.

The firmware is written for an "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller.

Note: The SAM3S has meanwhile been labelled as _not recommended for new designs_ by Atmel. However, there are plenty of hardware- and software-compatible upgrade options, including the SAM4S, so an upgrade is possible in the future.

h3. SIMtrace v2

!{width:20%}simtrace-board-mini.jpg!

The main purpose of this board is to sniff the communication between a phone and a SIM card (or any card reader and smart card).

This is the same circuit board as the previous "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware, with the exception that the "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller replaces the old "AT91SAM7S64":https://www.microchip.com/wwwproducts/en/AT91SAM7S64. Since the SAM3S is pin compatible with the SAM7S, any SIMtrace v1 board can be converted into a SIMtrace v2 board simply by replacing the micro-controller.

Note: This hardware is "open source":https://git.osmocom.org/simtrace/tree/hardware.

h3. sysmoQMOD

!{width:25%}sysmoqmod.png!

The SAM3S micro-controller with SIMtrace 2 firmware is also used on the "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html board to provide remote SIM operation capabilities.

Note: This hardware is not open source.

h2. Firmware

The SIMtrace 2 firmware source code is available in "git":https://git.osmocom.org/simtrace2/.

It is currently under active development and we recommend [[Flashing|flashing]] the new firmware images to benefit from the latest bug fixes and added functionality.

The SIMtrace 2 firmware is a complete rewrite and *can only be flashed on hardware with SAM3S* ARM Cortex-M3-based micro-controllers.
*The SIMtrace 2 firmware is not compatible with the older "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware using SAM7S ARM7TDMI-based micro-controllers.*

h3. trace

The trace application firmware allows sniffing the communication between a phone and a SIM card (or any card reader and smart card).

It is intended for the [[Wiki#SIMtrace v2|SIMtrace v2 hardware]] and its function is analogous to that of the "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Firmware firmware.

The sniffing is completely passive. It uses the RST signal, the ATR, the PPS exchange (baud rates tested with F/D up to 512/32) and the WT (waiting timeout) to properly parse the ISO 7816-3 TPDUs.

Currently only the T=0 protocol is supported, since it is the most common protocol in use (we haven't seen T=1 in use).
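As an added illustration of the parsing work described above (example code written for this page, not simtrace2's own firmware or host code), the following decodes the three things a passive T=0 sniffer sees: the ATR (walking the interface-byte chain, reading TA1 for Fi/Di and checking TCK), the PPS exchange (checking PCK and extracting the negotiated Fi/Di) and TPDU lines in the form simtrace2-sniff prints them (5-byte header, P3 data bytes, SW1 SW2). The Fi/Di tables are the ISO 7816-3 ones and the instruction names are from GSM 11.11; the sample session is a subset of the simtrace2-sniff output shown further down this page.

```python
"""Decode ATR, PPS and T=0 TPDU lines as seen by a passive SIM-ME sniffer.
Added example for this wiki page, not simtrace2 code. Tables: ISO 7816-3
(Fi/Di) and GSM 11.11 (instruction names and data direction)."""

# ISO 7816-3 coding of TA1 / PPS1: high nibble -> Fi, low nibble -> Di (None = RFU)
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
            None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20] + [None] * 6

# GSM 11.11 instruction subset: INS -> (name, data field travels towards the card?)
INS = {0xA4: ("SELECT", True), 0xF2: ("STATUS", False), 0xB0: ("READ BINARY", False),
       0xD6: ("UPDATE BINARY", True), 0xB2: ("READ RECORD", False), 0xDC: ("UPDATE RECORD", True),
       0x20: ("VERIFY CHV", True), 0x88: ("RUN GSM ALGORITHM", True), 0xC0: ("GET RESPONSE", False),
       0x10: ("TERMINAL PROFILE", True), 0xC2: ("ENVELOPE", True), 0x12: ("FETCH", False)}

def fi_di(byte):
    return FI_TABLE[byte >> 4], DI_TABLE[byte & 0x0F]

def xor_all(data):
    result = 0
    for b in data:
        result ^= b
    return result

def parse_atr(atr):
    """Walk TS, T0, the TAi/TBi/TCi/TDi chain and the historical bytes; verify TCK."""
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte %#x" % atr[0])
    t0 = atr[1]
    td, idx, i, ta1, protocols = t0, 2, 1, None, set()
    while True:
        y = td >> 4                                 # Yi: presence bits for TAi, TBi, TCi, TDi
        if y & 1:
            ta1 = atr[idx] if i == 1 else ta1       # TA1: maximum Fi/Di the card supports
            idx += 1
        idx += bool(y & 2) + bool(y & 4)            # skip TBi and TCi
        if not y & 8:
            break
        td, idx, i = atr[idx], idx + 1, i + 1       # TDi: low nibble names an offered protocol
        protocols.add(td & 0x0F)
    historical = bytes(atr[idx:idx + (t0 & 0x0F)])  # K historical bytes
    idx += t0 & 0x0F
    protocols = protocols or {0}
    tck_ok = True
    if protocols != {0}:                            # TCK present iff something other than T=0 is offered
        tck_ok = len(atr) == idx + 1 and xor_all(atr[1:idx + 1]) == 0   # T0..TCK XOR to zero
    fi, di = fi_di(ta1) if ta1 is not None else (372, 1)
    return {"ta1": ta1, "fi": fi, "di": di, "protocols": protocols,
            "historical": historical, "tck_ok": tck_ok}

def parse_pps(pps):
    """PPSS PPS0 [PPS1] [PPS2] [PPS3] PCK; PCK is the XOR of all preceding bytes."""
    if pps[0] != 0xFF:
        raise ValueError("bad PPSS byte")
    pps0, idx, pps1 = pps[1], 2, None
    if pps0 & 0x10:
        pps1, idx = pps[idx], idx + 1               # PPS1 carries the Fi/Di being negotiated
    idx += bool(pps0 & 0x20) + bool(pps0 & 0x40)    # skip PPS2 / PPS3 if present
    if xor_all(pps[:idx]) != pps[idx]:
        raise ValueError("PPS PCK mismatch")
    fi, di = fi_di(pps1) if pps1 is not None else (372, 1)
    return {"protocol": pps0 & 0x0F, "fi": fi, "di": di}

def describe_sw(sw1, sw2):
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x9F:                                 # GSM 11.11: response data waits for GET RESPONSE
        return "%d response bytes available (GET RESPONSE)" % sw2
    return "SW %02x%02x" % (sw1, sw2)

def parse_tpdu(tpdu):
    """Split a T=0 TPDU into header, data field (P3 bytes) and status words."""
    cla, ins, p1, p2, p3 = tpdu[:5]
    name, to_card = INS.get(ins, ("INS %02x" % ins, True))
    length = p3 if (p3 or to_card) else 256         # P3 = 0 means 256 bytes when the card sends
    data, sw = bytes(tpdu[5:5 + length]), tpdu[5 + length:]
    if len(sw) != 2:
        raise ValueError("TPDU length does not match P3")
    return {"cla": cla, "ins": name, "p1": p1, "p2": p2, "to_card": to_card,
            "data": data, "sw": (sw[0] << 8) | sw[1], "status": describe_sw(sw[0], sw[1])}

def decode_session(lines):
    """Feed the text lines simtrace2-sniff prints; decode every ATR/PPS/TPDU line."""
    parsers = {"ATR": parse_atr, "PPS": parse_pps, "TPDU": parse_tpdu}
    events = []
    for line in lines:
        tag, _, hexpart = line.partition(":")
        if tag in parsers:
            events.append((tag, parsers[tag](bytes.fromhex(hexpart))))
    return events

# Subset of the simtrace2-sniff output shown on this page
SAMPLE = """\
ATR: 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5
PPS: ff 10 96 79
TPDU: a0 a4 00 00 02 3f 00 9f 22
TPDU: a0 a4 00 00 02 6f 46 9f 0f
TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00
""".splitlines()
```

Running `decode_session(SAMPLE)` decodes TA1 = 0x96 to Fi/Di = 512/32, matching the "Fi/Di switched to 512/32" line, confirms the PPS checksum, and shows the SELECT of 3F00 and 6F46 (EF_SPN in GSM 11.11) followed by a READ BINARY whose 17 data bytes contain the service provider name "CCC Event" padded with ff.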

!{width:25%}simtrace_and_phone.jpg!

The application firmware to be flashed using [[Flashing#DFU|DFU]] is attachment:simtrace-trace-dfu.bin.

h3. Development

To compile the firmware from source, or to participate in the development, please refer to the instructions in the "README":https://git.osmocom.org/simtrace2/tree/firmware/README.txt.

h2. Flashing

The [[Wiki#Firmware|firmware images]] can be flashed as described [[Flashing|here]].

h2. Host PC Software

The SIMtrace 2 host PC software is available in the "simtrace2 git":https://git.osmocom.org/simtrace2/.

h3. Preconditions

[[libosmocore:]] and libusb.

To install both packages:

<pre>
sudo apt-get install libusb-1.0-0-dev libosmocore-dev
</pre>

h3. Compiling it

<pre>
git clone git://git.osmocom.org/simtrace2.git
cd simtrace2/host/
make
</pre>

h3. Accessing it

Add udev rules so that SIMtrace 2 devices can be used and accessed as a non-root user:

<pre>
# add current user to plugdev group (user needs to re-login for this change to take effect;
# if $USERNAME is not set in your shell, use $USER instead)
sudo adduser $USERNAME plugdev
# grant access permission to SIMtrace 2 for plugdev group
sudo wget -O /etc/udev/rules.d/99-simtrace2.rules https://git.osmocom.org/simtrace2/plain/host/99-simtrace2.rules
# reload udev rules
sudo udevadm control --reload-rules
sudo udevadm trigger
</pre>

h3. Applications

h4. simtrace2-list

@simtrace2-list@ lists all SIMtrace 2 compatible devices:

<pre>
./simtrace2-list
USB matches: 1
	1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
</pre>

This is useful when you have multiple devices (such as with the [[Wiki#sysmoQMOD]]) and have to specify which device the other applications should use.

h4. simtrace2-sniff

This uses the [[Wiki#trace|trace]] firmware and retrieves the sniffed phone-SIM communication.
The activity is shown on the console output:

<pre>
./simtrace2-sniff
simtrace2-sniff - Phone-SIM card communication sniffer
(C) 2010-2017 by Harald Welte <laforge@gnumonks.org>
(C) 2018 by Kevin Redon <kredon@sysmocom.de>

Using USB device 1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
Entering main loop
Card state change: reset hold
Card state change: reset release
ATR: 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5
PPS: ff 10 96 79
PPS: ff 10 96 79
Fi/Di switched to 512/32
TPDU: a0 a4 00 00 02 3f 00 9f 22
TPDU: a0 a4 00 00 02 7f 20 9f 22
TPDU: a0 a4 00 00 02 6f 46 9f 0f
TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00
Card state change: reset hold
</pre>

The TPDUs are also sent as GSMTAP frames to UDP/IPv4 localhost:4729.
This also allows analyzing the communication in Wireshark using the GSM SIM dissector.
!{width:50%}wireshark-sim.png!
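For scripting against the same UDP stream that Wireshark dissects, here is an added example (written for this page, not part of simtrace2) that builds and parses GSMTAP v2 frames carrying a SIM payload and listens for them on the loopback port. The 16-byte header layout, the port 4729 and the GSMTAP_TYPE_SIM value follow the gsmtap.h header in libosmocore; the sub-type value used for a TPDU payload is an assumption, and the TPDU bytes in the test come from the sniff output above.

```python
"""Build, parse and receive GSMTAP frames carrying SIM TPDUs (UDP localhost:4729).
Added example for this wiki page, not simtrace2 code. Header layout, port and
GSMTAP_TYPE_SIM follow libosmocore's gsmtap.h; the sub-type value is assumed."""
import socket
import struct

GSMTAP_UDP_PORT = 4729
GSMTAP_VERSION = 2
GSMTAP_TYPE_SIM = 0x04
GSMTAP_SIM_APDU = 0x00          # assumed sub-type value for a complete TPDU payload

# version, hdr_len (32-bit words), type, timeslot, arfcn, signal_dbm, snr_db,
# frame_number, sub_type, antenna_nr, sub_slot, res -> 16 bytes, network byte order
HEADER = struct.Struct("!BBBBHbbIBBBB")


def build_gsmtap_sim(payload, sub_type=GSMTAP_SIM_APDU):
    """Wrap a raw TPDU in a GSMTAP header the way a SIM-tracing sender would."""
    header = HEADER.pack(GSMTAP_VERSION, HEADER.size // 4, GSMTAP_TYPE_SIM,
                         0, 0, 0, 0, 0, sub_type, 0, 0, 0)
    return header + bytes(payload)


def parse_gsmtap(packet):
    """Validate the header and return type, sub-type and payload; honours hdr_len."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than GSMTAP header")
    (version, hdr_len, gtype, _ts, _arfcn, _sig, _snr, _fn,
     sub_type, _ant, _subslot, _res) = HEADER.unpack_from(packet)
    if version != GSMTAP_VERSION:
        raise ValueError("unsupported GSMTAP version %d" % version)
    offset = hdr_len * 4        # hdr_len counts 32-bit words, so longer headers are skipped
    if offset < HEADER.size or offset > len(packet):
        raise ValueError("bad hdr_len %d" % hdr_len)
    return {"type": gtype, "sub_type": sub_type, "payload": packet[offset:]}


def summarize_tpdu(payload):
    """One-line summary of a T=0 TPDU payload: the 5-byte header and the trailing SW."""
    if len(payload) < 7:
        return "short TPDU " + payload.hex()
    cla, ins, p1, p2, p3 = payload[:5]
    return "CLA=%02x INS=%02x P1=%02x P2=%02x P3=%02x SW=%02x%02x" % (
        cla, ins, p1, p2, p3, payload[-2], payload[-1])


def listen(port=GSMTAP_UDP_PORT, count=None):
    """Receive GSMTAP frames on loopback (where simtrace2-sniff sends them) and print SIM ones."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    received = 0
    while count is None or received < count:
        packet, _ = sock.recvfrom(65535)
        frame = parse_gsmtap(packet)
        if frame["type"] == GSMTAP_TYPE_SIM:
            print(summarize_tpdu(frame["payload"]))
        received += 1
    sock.close()


if __name__ == "__main__":
    listen()
```

Start the script before `simtrace2-sniff` so the port is bound when frames arrive; because the parser honours `hdr_len` rather than assuming 16 bytes, it keeps working for senders that use an extended header.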