Wiki » History » Version 24

tsaitgaist, 09/10/2019 12:14 PM
add cardem reference

h1. Osmocom SIMtrace 2
{{>toc}}
Osmocom SIMtrace 2 is a software, firmware and hardware system for passively tracing the SIM-ME communication between a SIM card and a mobile phone, and for remote SIM operation.
While it was designed for SIM-ME communication, it supports all ISO 7816 smart-cards using the T=0 protocol (the most common case).
It is a follow-up of the "SIMtrace project":/projects/simtrace/wiki, providing more functionality (e.g. remote SIM operation) and supporting multiple boards (e.g. SIMtrace with SAM3S, "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html).
h2. Hardware
The SIMtrace 2 firmware supports several boards.
The firmware is written for an "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller.
Note: Atmel has since marked the SAM3S as _not recommended for new designs_. However, there are plenty of hardware- and software-compatible upgrade options, including the SAM4S, so an upgrade remains possible in the future.
h3. SIMtrace v2
!{width:20%}simtrace-board-mini.jpg!
The main purpose of this board is to sniff the communication between a phone and a SIM card (or any card reader and smart-card).
This is the same circuit board as the previous "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware, with the exception that the "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller replaces the old "AT91SAM7S64":https://www.microchip.com/wwwproducts/en/AT91SAM7S64. Since the SAM3S is pin compatible with the SAM7S, any SIMtrace v1 board can be converted into a SIMtrace v2 board simply by replacing the micro-controller.
Note: This hardware is "open source":https://git.osmocom.org/simtrace/tree/hardware.
h3. sysmoQMOD
!{width:25%}sysmoqmod.png!
The SAM3S micro-controller with SIMtrace 2 firmware is also used on the "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html board to provide remote SIM operation capabilities.
Note: This hardware is not open source.
h2. Firmware
The SIMtrace 2 firmware source code is available in "git":https://git.osmocom.org/simtrace2/.
Pre-built firmware binaries are available "here":http://ftp.osmocom.org/binaries/simtrace2/firmware/.
The firmware is currently under active development, and we recommend [[Flashing|flashing]] the latest firmware images to benefit from the latest bug fixes and added functionality.
The SIMtrace 2 firmware is a complete rewrite and *can only be flashed on hardware with SAM3S* ARM Cortex-M3-based micro-controllers.
*The SIMtrace 2 firmware is not compatible with the older "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware using SAM7S ARM7TDMI-based micro-controllers.*
To get the version of the firmware flashed on the device:
* connect a USB-to-UART cable either to the 2.5 mm stereo headphone connector (tip = TX, ring = RX, sleeve = GND) or to the nearby DEBUG port (pin 1 = GND, pin 4 = TX, pin 5 = RX)
* open the serial port with the following configuration: 921600 8N1 (115200 8N1 before version 0.5.1.2-80d9 from 2018-08-28)
* reboot the board using the RESET button or by re-plugging the USB connector
* you should see a banner containing the version information:

<pre>
=============================================================================
SIMtrace2 firmware 0.4.195-acb7 (C) 2010-2016 by Harald Welte
=============================================================================
</pre>
h3. trace
The trace application firmware allows sniffing the communication between a phone and a SIM card (or any card reader and smart card).
It is intended for the [[Wiki#SIMtrace v2|SIMtrace v2 hardware]] and its function is analogous to that of the "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Firmware firmware.
The sniffing is completely passive. The firmware follows the RST, ATR, PPS (baud rates tested with F/D up to 512/32) and WT (waiting time) to properly parse the ISO 7816-3 TPDUs.
Currently only the T=0 protocol is supported since this is the most common protocol used (we haven't seen T=1 in use).
!{width:25%}simtrace_and_phone.jpg!
The application firmware to be flashed using [[Flashing#DFU|DFU]] is "simtrace-trace-dfu.bin":http://ftp.osmocom.org/binaries/simtrace2/firmware/simtrace-trace-dfu.bin.
h3. card emulation
The SIMtrace 2 firmware can also emulate a SIM card. This is useful if you do not want to change the card in the device (e.g. a phone), or if the card is in a remote location.
This firmware comes preflashed on the sysmoQMOD board.
It also exists for the SIMtrace v2 board, but is currently in beta. If you would still like to try it, read this [[Cardem|article]].
h3. Development
To compile the firmware from source, or to participate in the development, please refer to the instructions in the "README":https://git.osmocom.org/simtrace2/tree/firmware/README.txt.
h2. Flashing
The [[Wiki#Firmware|firmware images]] can be flashed as described [[Flashing|here]].
h2. Host PC Software
The SIMtrace 2 host PC software is available in the "simtrace2 git":https://git.osmocom.org/simtrace2/.
h3. Preconditions
The host software depends on [[libosmocore:]], libpcsclite and libusb.
To install these packages:
<pre>
sudo apt-get install libusb-1.0-0-dev libosmocore-dev libpcsclite-dev
</pre>
h3. Compiling it
<pre>
git clone git://git.osmocom.org/simtrace2.git
cd simtrace2/host/
make
</pre>
h3. Accessing it
Add udev rules so that SIMtrace 2 devices can be used and accessed as a non-root user:
<pre>
# add current user to plugdev group (user needs to re-login for this change to take effect)
sudo adduser $USERNAME plugdev
# grant access permission to SIMtrace 2 for plugdev group
sudo wget -O /etc/udev/rules.d/99-simtrace2.rules https://git.osmocom.org/simtrace2/plain/host/99-simtrace2.rules
# reload udev rules
sudo udevadm control --reload-rules
sudo udevadm trigger
</pre>
h3. Applications
h4. simtrace2-list
@simtrace2-list@ lists all connected SIMtrace 2 compatible devices:
<pre>
./simtrace2-list
USB matches: 1
	1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
</pre>
This is useful when you have multiple devices (such as with the [[Wiki#sysmoQMOD]]) and have to specify which device the other applications should use.
h4. simtrace2-sniff
This application uses the [[Wiki#trace|trace]] firmware and retrieves the sniffed phone-SIM communication.
The activity is shown on the console output:
<pre>
./simtrace2-sniff
simtrace2-sniff - Phone-SIM card communication sniffer
(C) 2010-2017 by Harald Welte <laforge@gnumonks.org>
(C) 2018 by Kevin Redon <kredon@sysmocom.de>

Using USB device 1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
Entering main loop
Card state change: reset hold
Card state change: reset release
ATR: 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5
PPS: ff 10 96 79
PPS: ff 10 96 79
Fi/Di switched to 512/32
TPDU: a0 a4 00 00 02 3f 00 9f 22
TPDU: a0 a4 00 00 02 7f 20 9f 22
TPDU: a0 a4 00 00 02 6f 46 9f 0f
TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00
Card state change: reset hold
</pre>
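The lines above can be decoded by hand once the ISO 7816-3 structure is known; the following Python, an added example and not code from the SIMtrace 2 project, does it programmatically. It walks the ATR interface bytes and verifies the TCK checksum, derives Fi/Di from TA1 and PPS1 (512/32, as the sniffer reports), splits each TPDU into header, data field and status word, and labels the GSM 11.11 instruction codes and file IDs, so the four TPDUs read as SELECT MF, SELECT DF_GSM, SELECT EF_SPN and a READ BINARY of 17 bytes ending in 90 00. Only the handful of instruction codes, file IDs and status words needed here are tabulated; SAMPLE_OUTPUT is the console output shown above.

```python
"""Decode the ATR, PPS and T=0 TPDU lines printed by simtrace2-sniff.
Added example, not code from the SIMtrace 2 project: layouts follow ISO 7816-3 (ATR, PPS)
and GSM 11.11 (instruction codes, file IDs, status words); SAMPLE_OUTPUT is copied from above."""
from functools import reduce
from operator import xor

# ISO 7816-3 Fi/Di tables, indexed by the high/low nibble of TA1 (ATR) or PPS1 (PPS); None = RFU.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]

# Small subset of GSM 11.11 instruction codes, file identifiers and status words.
GSM_INS = {0xA4: "SELECT", 0xF2: "STATUS", 0xB0: "READ BINARY", 0xD6: "UPDATE BINARY", 0xB2: "READ RECORD",
           0xDC: "UPDATE RECORD", 0x20: "VERIFY CHV", 0x88: "RUN GSM ALGORITHM", 0xC0: "GET RESPONSE"}
INS_WITH_COMMAND_DATA = {0xA4, 0xD6, 0xDC, 0x20, 0x88}      # data field flows phone -> card
GSM_FILE_IDS = {"3f00": "MF", "7f20": "DF_GSM", "6f46": "EF_SPN"}
GSM_SW = {"9000": "normal ending", "9404": "file ID or pattern not found",
          "9804": "access condition not fulfilled", "6700": "incorrect parameter P3"}


def hexbytes(text):
    """The sniffer prints space-separated hex; turn one such field into bytes."""
    return bytes(int(h, 16) for h in text.split())


def parse_atr(atr):
    """Walk the ATR: TS, T0, interface bytes TAi..TDi, historical bytes, TCK."""
    t0 = atr[1]
    interface, protocols, fi, di = {}, set(), None, None
    y, i, pos = t0 >> 4, 1, 2                      # Y1: presence bits for TA1..TD1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                interface[f"{name}{i}"] = atr[pos]
                if (name, i) == ("TA", 1):         # TA1 carries Fi/Di
                    fi, di = FI_TABLE[atr[pos] >> 4], DI_TABLE[atr[pos] & 0x0F]
                if name == "TD":                   # TDi low nibble: offered protocol T
                    protocols.add(atr[pos] & 0x0F)
                pos += 1
        if f"TD{i}" not in interface:
            break
        y, i = interface[f"TD{i}"] >> 4, i + 1
    historical = atr[pos:pos + (t0 & 0x0F)]
    pos += t0 & 0x0F
    # TCK is only present if something other than T=0 is offered; XOR(T0..TCK) must be 0.
    tck_ok = reduce(xor, atr[1:pos + 1], 0) == 0 if protocols - {0} else None
    return {"convention": "direct" if atr[0] == 0x3B else "inverse", "fi": fi, "di": di,
            "protocols": sorted(protocols), "interface": interface,
            "historical": historical.hex(), "tck_ok": tck_ok}


def parse_pps(pps):
    """PPSS (0xFF), PPS0, optional PPS1..PPS3, PCK; the XOR of all bytes must be 0."""
    if pps[0] != 0xFF:
        raise ValueError("PPS must start with PPSS = 0xFF")
    pps0, pos, fi, di = pps[1], 2, None, None
    if pps0 & 0x10:                                # PPS1 present: new Fi/Di
        fi, di = FI_TABLE[pps[pos] >> 4], DI_TABLE[pps[pos] & 0x0F]
        pos += 1
    pos += bool(pps0 & 0x20) + bool(pps0 & 0x40)   # skip PPS2/PPS3 if present
    return {"protocol": pps0 & 0x0F, "fi": fi, "di": di, "pck_ok": reduce(xor, pps[:pos + 1], 0) == 0}


def parse_tpdu(tpdu):
    """Split a sniffed T=0 TPDU into header CLA INS P1 P2 P3, data field and SW1 SW2."""
    cla, ins, p1, p2, p3 = tpdu[:5]
    data, sw = tpdu[5:-2], tpdu[-2:].hex()
    direction = "phone->card" if ins in INS_WITH_COMMAND_DATA else "card->phone"
    expected = 256 if (p3 == 0 and direction == "card->phone") else p3   # P3=0: 256 bytes in
    meaning = GSM_SW.get(sw, "other")
    if tpdu[-2] == 0x9F:                           # GSM 11.11: 9F XX = XX bytes to GET RESPONSE
        meaning = f"normal ending, {tpdu[-1]} response bytes available"
    out = {"cla": cla, "ins": GSM_INS.get(ins, f"INS {ins:02x}"), "p1": p1, "p2": p2, "p3": p3,
           "direction": direction, "data": data.hex(), "length_ok": len(data) == expected,
           "sw": sw, "sw_meaning": meaning}
    if ins == 0xA4 and len(data) == 2:             # SELECT by 2-byte file ID
        out["file"] = GSM_FILE_IDS.get(data.hex(), "unknown file")
    return out


SAMPLE_OUTPUT = """\
Card state change: reset hold
Card state change: reset release
ATR: 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5
PPS: ff 10 96 79
PPS: ff 10 96 79
Fi/Di switched to 512/32
TPDU: a0 a4 00 00 02 3f 00 9f 22
TPDU: a0 a4 00 00 02 7f 20 9f 22
TPDU: a0 a4 00 00 02 6f 46 9f 0f
TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00
Card state change: reset hold
"""
PARSERS = {"ATR": parse_atr, "PPS": parse_pps, "TPDU": parse_tpdu}


def parse_sniff_output(text):
    """Turn sniffer console lines into (kind, decoded) events; other lines are skipped."""
    events = []
    for line in text.splitlines():
        kind, _, payload = line.partition(": ")
        if kind in PARSERS:
            events.append((kind, PARSERS[kind](hexbytes(payload))))
        elif kind == "Card state change":
            events.append(("RESET", payload))
    return events
```

@parse_sniff_output(SAMPLE_OUTPUT)@ returns ten events (two resets, the ATR, two PPS, four TPDUs, a reset); the console output of a real session can be fed in the same way, since lines without a known prefix are ignored. A @length_ok@ of False marks a TPDU whose data field does not match P3, which is the first thing to look at when a trace appears corrupted, and @tck_ok@ / @pck_ok@ catch a mangled ATR or PPS.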
The TPDUs are also sent as GSMTAP frames to UDP/IPv4 localhost:4729.
This allows analysing the communication in Wireshark using the GSM SIM dissector.
!{width:50%}wireshark-sim.png!
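For tooling other than Wireshark, the UDP feed can be consumed directly. The following Python, an added example and not part of simtrace2, lays out the 16-byte GSMTAP v2 header with the SIM type and APDU sub-type values defined in libosmocore's gsmtap.h, builds a frame around the first TPDU from the output above, parses it back, and includes a small receiver that decodes frames from a running sniffer on the same host.

```python
"""Build and decode GSMTAP v2 frames of the kind simtrace2-sniff sends to UDP 127.0.0.1:4729.
Added example, not part of simtrace2. Header layout and the SIM type/sub-type values are those
of libosmocore's gsmtap.h; SAMPLE_TPDU is the first TPDU from the sniffer output above."""
import socket
import struct

GSMTAP_UDP_PORT = 4729
GSMTAP_VERSION = 2
GSMTAP_TYPE_SIM = 0x04          # payload is ISO 7816 smart card traffic
GSMTAP_SIM_APDU = 0x00          # sub_type: a complete APDU/TPDU
# 16-byte header, network byte order: version, hdr_len (in 32-bit words), type, timeslot,
# arfcn, signal_dbm, snr_db, frame_number, sub_type, antenna_nr, sub_slot, reserved
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")
SAMPLE_TPDU = bytes.fromhex("a0a40000023f009f22")


def gsmtap_sim_frame(payload, sub_type=GSMTAP_SIM_APDU):
    """Prefix a TPDU with a GSMTAP header; the radio-only fields stay zero for SIM traffic."""
    header = GSMTAP_HDR.pack(GSMTAP_VERSION, GSMTAP_HDR.size // 4, GSMTAP_TYPE_SIM,
                             0, 0, 0, 0, 0, sub_type, 0, 0, 0)
    return header + payload


def parse_gsmtap(frame):
    """Return (type, sub_type, payload), honouring hdr_len so longer headers are skipped."""
    if len(frame) < GSMTAP_HDR.size:
        raise ValueError("frame shorter than a GSMTAP header")
    fields = GSMTAP_HDR.unpack_from(frame)
    version, hdr_len_words, gsmtap_type, sub_type = fields[0], fields[1], fields[2], fields[8]
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    return gsmtap_type, sub_type, frame[hdr_len_words * 4:]


def send_frame(frame, host="127.0.0.1", port=GSMTAP_UDP_PORT):
    """Emit one frame the way the sniffer does, e.g. to replay a saved TPDU into Wireshark."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(frame, (host, port))


def receive_frames(count=1, host="127.0.0.1", port=GSMTAP_UDP_PORT):
    """Collect `count` decoded frames from a simtrace2-sniff running on this host."""
    decoded = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        while len(decoded) < count:
            frame, _addr = s.recvfrom(4096)
            decoded.append(parse_gsmtap(frame))
    return decoded
```

@receive_frames()@ binds the same port Wireshark would listen on, so run one consumer at a time; @parse_gsmtap@ rejects anything that is not GSMTAP version 2 and uses the header's own length field rather than assuming 16 bytes, which keeps it working if a producer adds header extensions.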
{{include(cellular-infrastructure:MacroBinaryPackages)}}