SIMtrace presentation

SIMtrace function overview

Presenter Notes

talk metadata

speaker: Kévin Redon

status: Master student at the Technische Universität Berlin

event: osmocom Berlin meeting

date: 2012-05-09 19:00 GMT+2

location: CCC Berlin (Marienstr. 11, 10113 Berlin)

topic: osmocom SIMtrace introduction and workshop

project page: http://bb.osmocom.org/trac/wiki/SIMtrace

where to get it: sysmocom (90€), or build it yourself (several hours)

osmocom SIMtrace logo

initial purpose

  • what does the telephone do with the SIM card?

  • what does the operator do with the SIM card?

  • what does the SIM card do with the phone?

  • what applications are running (STK)?

-> it's time to listen to the phone <-> SIM communication

existing solutions (professional)

IT³ Platform IT³ Prove!

existing solutions (affordable)

SIM-ME Communication Tracing Kit

Green Spy

existing solutions (not SIM specific)

SmartCard Detective
  • ChipcardLab by dexter (open source software and hardware)
ChipcardLab

existing solutions (the cheap way)

Rebel Simcard
  • USB serial cable
USB serial cable

how to sniff

normal communication

sniffing

tap the phone <-> SIM communication

sniffing

more than sniffing

be able to act as MitM

sniffing

SIMtrace basic design

the AT91SAM7S has an undocumented feature (a T=0 capable USART) that allows it to sniff, to act as slave (simulate a SIM), and to act as master (read a SIM, or simulate a phone)

sniffing

SIMtrace real design

credit card size PCB

SIMtrace silk screen

SIMtrace design process

warning

I am not an electrical engineer. This is my first PCB design.

Designed using KiCAD. Schematics, board, PCB, BOM, … under CC-BY-SA

Files available in git, general information in the wiki

it works

SIMtrace at work

SIMtrace design process

schematic

SIMtrace schematic

SIMtrace design process

v0.8

someone was too impatient and produced an early PCB (lots of ground missing)

SIMtrace v0.8

v0.9

first real prototype. mainly the footprints were wrong (RTFDatasheet)

SIMtrace v0.9

SIMtrace design process

v1.0

second prototype (still hand soldered). it worked

SIMtrace v1.0

v1.0p

production line. one capacitor was too far away -> hand solder one additional on every board

SIMtrace v1.0p

SIMtrace design process

v1.1p

capacitor error corrected (not perfect), slightly bigger traces (could still be bigger), VPP line forwarded

SIMtrace v1.1p

SIMtrace future

plan and wish list for v2.0:

  • replace KiCAD with gEDA (more scriptable)
  • support all voltage classes (A=5.0V, B=3.0V, C=1.8V). 3.3V is enforced in v1.x
  • add credit card slot
  • replace flash with µSD
  • be able to measure frequency
  • add Single Wire Protocol decoder (used for NFC<->UICC communication)
  • add U.FL connector for power measurement

SIMtrace software

  • I only made the hardware

  • Harald Welte wrote the firmware and host software

  • firmware based on OpenPCD RFID reader

  • only the sniffing mode has been implemented (no MitM yet, but the hardware is capable of it)

use SIMtrace

flashing firmware

  • instructions available on the wiki
  • use the SAM-BA loader from Atmel using the TEST pins (impossible to brick)
SAM-BA activation
  • flash DFU bootloader + main firmware
  • then use DFU to flash new firmware (push BOOTLOADER button while booting if auto-switch fails)

use SIMtrace

host application

  • information available in wiki
  • start host application: simtrace
  • APDUs shown in ~ real time

    APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
    APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
    APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f
    APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
    APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
    APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f
    APDU: (8):  a0 b0 00 00 01 00 91 78
    APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
    APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
    APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f
    APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
    APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f
    

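Each line printed by the host tool is the 5-byte command header, the P3 data bytes (sent to the card for SELECT, received from it for GET RESPONSE / READ BINARY) and the two status words. The following decoder is an added example, not part of the simtrace tool; the instruction and file names come from GSM 11.11, and the trace lines fed to it are the ones shown above.

```python
import re

# GSM 11.11 instruction bytes that appear in the trace above.
INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xB2: "READ RECORD",
             0xC0: "GET RESPONSE", 0x20: "VERIFY CHV", 0x88: "RUN GSM ALGORITHM"}
# A few file identifiers from GSM 11.11 section 10 (EFs live under DF_GSM = 7F20).
FILE_NAMES = {0x3F00: "MF", 0x7F20: "DF_GSM", 0x6F07: "EF_IMSI", 0x6F38: "EF_SST",
              0x6F7E: "EF_LOCI", 0x6F78: "EF_ACC", 0x6FAD: "EF_AD"}
# Instructions whose P3 bytes travel TO the card; all others here receive data.
OUTGOING_INS = {0xA4, 0x20, 0x88, 0xD6, 0xDC}

LINE_RE = re.compile(r"APDU:\s*\((\d+)\):\s*((?:[0-9a-fA-F]{2}\s*)+)")

def decode_sw(sw1, sw2):
    """Translate the status words used by GSM 11.11 into a short description."""
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x9F:
        return f"OK, {sw2} response bytes available (GET RESPONSE)"
    if sw1 == 0x91:  # SIM Toolkit: a proactive command is waiting to be FETCHed
        return f"OK, proactive SIM command pending ({sw2} bytes, FETCH)"
    return f"status {sw1:02x} {sw2:02x}"

def decode_line(line):
    """Parse one 'APDU: (n): ...' line: header(5) + data(P3) + SW(2).
    Returns None when the length field or P3 disagrees with the bytes."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = bytes.fromhex("".join(m.group(2).split()))
    if int(m.group(1)) != len(raw) or len(raw) < 7:
        return None
    cla, ins, p1, p2, p3 = raw[:5]
    data, sw1, sw2 = raw[5:-2], raw[-2], raw[-1]
    if len(data) != p3:
        return None
    out = {"cla": cla, "ins": INS_NAMES.get(ins, f"INS {ins:02x}"),
           "p1": p1, "p2": p2, "p3": p3,
           "direction": "to card" if ins in OUTGOING_INS else "from card",
           "data": data.hex(), "sw": decode_sw(sw1, sw2)}
    if ins == 0xA4 and len(data) == 2:  # SELECT carries a 2-byte file ID
        fid = int.from_bytes(data, "big")
        out["file"] = FILE_NAMES.get(fid, f"{fid:04X}")
    return out

if __name__ == "__main__":
    for l in ["APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f",
              "APDU: (8):  a0 b0 00 00 01 00 91 78"]:
        print(decode_line(l))
```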
use SIMtrace

wireshark

  • a SIM APDU decoder (using GSMTAP) is integrated into wireshark (1.7.1)
  • use GSMTAP

    nc -ul 4729 > /dev/null &
    ./simtrace -i 127.0.0.1
    
wireshark integration

SIM specification

what is a SIM?

Subscriber Identity Module: a smart card with information about the operator and subscriber.

It's the plastic card and the application on it. This changes with UICC (hardware) + USIM (software).

ICC

SIM specification

ISO7816

SIM specifications are based on ISO/IEC 7816: Identification cards — Integrated circuit(s) cards with contacts

  • Part 1: Physical characteristics
  • Part 2: Cards with contacts — Dimensions and location of the contacts
  • Part 3: Cards with contacts — Electrical interface and transmission protocols
  • Part 4: Organization, security and commands for interchange

but you have to pay to get them

3GPP

SIM application (and small ISO/IEC 7816 reminders) specified in 3GPP TS 11.11 (last version 8.9.1 Release 1999, before Rel-4).

SIM specification

3GPP/ETSI history

  • last standalone 3GPP SIM specification: 3GPP TS 51.011 version 4.2.0 Release 4, ETSI TS 151 011 V4.2.0 (2001-09).
  • now merged with 3G (UICC/SIM). 3GPP TS 51.011 (Release 4, currently V4.15.0 2005-06) refers to 3GPP TS 31.101 and is a restriction of it (for SIM); 31.* is the 3G Release 99 IC branch.
  • last standalone 3GPP 31.101: V3.2.0 2000-08-22
  • now 3GPP 31.101 (currently V10.0.1 2011-07-11) entirely refers to ETSI TS 102 221
  • ETSI TS 102 221 (Smart Cards; UICC-Terminal interface; Physical and logical characteristics) is completely in the hands of ETSI (no 3GPP anymore)
  • ETSI TS 102 221 (currently V10.0.0 2011-12) defines UICC+USIM; SIM restrictions + files are in 3GPP TS 51.011
  • USIM files defined in 3GPP TS 31.102

UICC specification

going through ETSI TS 102 221:

  • Physical characteristics: different sizes
  • Electrical specifications: different classes
  • Initial communication establishment procedures: ATR & PPS
  • Transmission protocols: T=0
  • Structure of commands and responses: APDU commands
  • Application and file structure: the information stored
ICC contacts

T=0 protocol

  • serial equivalent
  • 1 bit / etu (etu = elementary time unit)
  • 1 etu = (F / D) x (1 / f)
  • F is the clock rate conversion factor (372 by default, and for the ATR)
  • D is the baud rate adjustment factor (1 by default, and for the ATR)
  • f = 3.6864MHz (a frequent and common clock)
  • then by default (and for the ATR), 1 etu = 0.1001ms -> 9910 bps (9621 bps for f = 3.579MHz)

but the phone can use other F & D values (using the PPS procedure), and change the clock frequency

possible values are defined in the ATR. The UICC shall at least support (F,D) = (512,8) and (512,16) in addition to (372,1), and a clock of 1MHz to 5MHz (so 156250bps should be possible by default)

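As an added example (not from the talk), the etu formula above carried through in code, together with a decoder for the ATR byte TA1 in which the card announces the (F, D) pair it supports; the Fi/Di/fmax tables are those of ISO/IEC 7816-3 and the clock values are the ones quoted on this slide.

```python
# ISO/IEC 7816-3 tables for the ATR byte TA1: high nibble selects Fi (and
# the matching maximum clock fmax), low nibble selects Di. Missing codes are RFU.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
FMAX_MHZ = {0: 4.0, 1: 5.0, 2: 6.0, 3: 8.0, 4: 12.0, 5: 16.0, 6: 20.0,
            9: 5.0, 10: 7.5, 11: 10.0, 12: 15.0, 13: 20.0}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

def etu_seconds(F, D, f_hz):
    """1 etu = (F / D) * (1 / f): the duration of one bit on the I/O line.
    For the defaults, 372 / 3.6864 MHz is about 100.9 us."""
    return (F / D) / f_hz

def bit_rate(F, D, f_hz):
    """Bits per second, one bit per etu: f * D / F (9910 bps for the defaults)."""
    return round(f_hz * D / F)

def decode_ta1(ta1):
    """Return (Fi, fmax_MHz, Di) encoded in an ATR TA1 byte; raise on RFU codes."""
    fi, di = ta1 >> 4, ta1 & 0x0F
    if fi not in FI_TABLE or di not in DI_TABLE:
        raise ValueError(f"TA1 {ta1:02x} uses an RFU F or D code")
    return FI_TABLE[fi], FMAX_MHZ[fi], DI_TABLE[di]

def negotiated_rate(ta1, f_hz):
    """Rate after a PPS selecting the card's TA1 (F, D), or None when the
    phone's clock exceeds the fmax the card declared for that Fi."""
    F, fmax_mhz, D = decode_ta1(ta1)
    if f_hz > fmax_mhz * 1e6:
        return None
    return bit_rate(F, D, f_hz)

if __name__ == "__main__":
    print(bit_rate(372, 1, 3686400), "bps at the ATR defaults")
    print(negotiated_rate(0x95, 5_000_000), "bps after PPS to (512,16) at 5 MHz")
```
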
Single Wire Protocol

  • used to connect the NFC controller directly to the SIM
  • uses the VPP pin (SWIO)
  • the phone (CLF) encodes using voltage, while the UICC encodes using current (so it is somewhat duplex)
  • defined in ETSI TS 102 613 and ETSI TS 102 622
SWP
