Bug #1704

closed

test/port card emulation firmware for SAM3S based SIMtrace2

Added by laforge almost 8 years ago. Updated about 2 years ago.

Status: Resolved
Priority: High
Assignee:
Category: firmware
Target version: -
Start date: 05/09/2016
Due date:
% Done: 100%
Spec Reference:

Description

We have card emulation working on a different board already, but the changes need to be re-tested against a real SIMtrace board with SAM3S.


Related issues

Related to SIMtrace 2 - Bug #1705: re-integrate tracing + card reader modes into SIMtrace2 firmware (SAM3S) - Stalled - laforge - 05/09/2016

Actions #1

Updated by laforge almost 6 years ago

  • Assignee changed from laforge to tsaitgaist
Actions #2

Updated by laforge almost 6 years ago

  • Project changed from SIMtrace to SIMtrace 2
  • Category deleted (SIMtrace firmware)
  • Status changed from New to In Progress
Actions #3

Updated by tsaitgaist over 5 years ago

current state of cardem firmware on SIMtrace board, as reported by a user on the mailing list:
I've built (make BOARD=simtrace APP=cardem) the cardemulation-firmware of
the current master-branch (0.4.131-8f70) and flashed the resulting
simtrace-cardem-dfu.bin using dfu-util.

Furthermore I compiled the host binaries, triggered a reset on my simtrace2
device to make sure it's in runtime mode and then executed the remote-sim
program (sudo ./simtrace2-remsim -V 1d50 -P 60e3 -C 1 -I 0 -A `sudo
./simtrace2-list | cut -d = -f 2 | cut -d , -f 1 | tail -1`). The simtrace2
device, as well as an USB-CCID compliant omnikey cardreader are attached to
my linux computer as described in the QMOD manual. During runtime mode the
red LED on the simtrace2 is blinking, while the green LED is off.

I noticed that when the simtrace2-remsim program tries to send an ATR to
the simtrace2 device via usb (cardem_request_set_atr), the
libusb_bulk_transfer function is blocking, before returning
LIBUSB_ERROR_TIMEOUT. The serial debugging-output I got on the simtrace2
doesn't show any further information (last state is "-I- USB is now
configured").

When I reset the usb-modem that is connected to the simtrace2 device I get
the following messages on the debug-serial:
I Changed to ISO 7816-3 state 1
reset de-asserted
I WT updated to 9600
I Changed to ISO 7816-3 state 0
reset asserted
I Changed to ISO 7816-3 state 1
reset de-asserted
[...]

while the simtrace2-remsim program is also receiving some garbage:
URB:
> 03 00 00 00 00 00 0c 00 04 00 00 00
unknown simtrace msg type 0x00
URB:
> 03 00 00 00 00 00 0c 00 08 00 00 00
unknown simtrace msg type 0x00
URB:
-> 03 00 00 00 00 00 0c 00 04 00 00 00
unknown simtrace msg type 0x00
[...]

I've also tried several older versions/commits - however I didn't get any
of them working properly.
When using version 0.4.13-ba2a (from this commit:
https://git.osmocom.org/simtrace2/commit/?id=ba2ad563cc0e389213a3f6f6ebe79dc21dfb26a3)
I was able to send the ATR to the simtrace and directly entered the main
loop on the host program.
The serial debugging-output (after a manual modem-reset) also looked
somehow more promising, but didn't work either:
I 0: VCC activated
I 0: CLK activated
I 0: RST released
I 0: computed Fi(1) Di(1) ratio: 372
I 0: send_tpdu_header: 00 a4 00 04 02
I 0: VCC deactivated
I 0: CLK deactivated
I 0: VCC activated
I 0: CLK activated
I 0: VCC deactivated
I 0: CLK deactivated
[...]

Actions #4

Updated by laforge over 5 years ago

  • Category set to firmware
Actions #5

Updated by tsaitgaist over 5 years ago

  • Related to Bug #1705: re-integrate tracing + card reader modes into SIMtrace2 firmware (SAM3S) added
Actions #6

Updated by tsaitgaist over 5 years ago

  • Status changed from In Progress to Stalled

will do once cardem is tested automatically on sysmoQMOD.

Actions #7

Updated by tsaitgaist over 5 years ago

  • Status changed from Stalled to In Progress

resumed to continue osmo-remsim work

Actions #8

Updated by laforge about 3 years ago

  • Status changed from In Progress to Stalled
  • Assignee deleted (tsaitgaist)
Actions #9

Updated by laforge about 3 years ago

  • Priority changed from Normal to High
Actions #10

Updated by laforge about 3 years ago

  • Assignee set to Hoernchen
Hoernchen and I discussed the following process:
  1. rebase the hoernchen/simtrace_cardem branch once more
  2. Hoernchen re-tests on simtrace2 and qmod hardware
  3. I re-test on owhw hardware
  4. we collaborate to merge the branch
Actions #11

Updated by laforge almost 3 years ago

  • Status changed from Stalled to In Progress
  • Assignee changed from Hoernchen to laforge
  • % Done changed from 0 to 90

I've started with a rebase of the said branch followed by a thorough review of the code in detail. Unfortunately there were many problems with the existing branch, starting from functional bugs in the code, coding style issues as well as mixing too many different tasks in the same patch[es].

So I basically re-wrote large parts of Kevin's code, as it seemed easier to split it up that way, and create individual changes that only change one thing at a time.

for the record:

  • I have severe doubts that the pull-up/pull-down of SIM_IO has ever worked. It's a great idea and I understand the problem, but I think this needs a proper and verified implementation that really switches between alternate function and GPIO mode as needed
  • the transition from tc_etu to UART timer has been done (split out in one as small as possible patch)
    • PTS has been tested, works fine with sysmoISIM-SJA2 and their F/D ratio of 16
    • has been tested on qmod + simtrace boards, so no new board-specific #ifdefs in the card_emu code
    • the UART timer of the original patch had two issues which are resolved now
      • half-time callback function was not called for any WT < 65535 etu (virtually any etu), as the hardware timer was not set to half of the WT
      • timer didn't restart after the first expiration (no "NNNNNNNNNNNNNNN..." on the debug UART if the remote SIM stalls for some time)
  • the field renames went not just from "fi" to "f" but actually to "F", as 'f' is the frequency in ISO7816-3
  • field renames of user-visible simtrace_proto.h have been done with backwards compatibility
TODO
  • revisit I/O pull-up/pull-down topic
  • incorporate "Fi/Fn * Dn/Di" factor in WT computation for correctness in PTS cases
  • implement function to become unresponsive (needed in various situations as per spec)
  • test second UART on QMOD ST12
  • test on OWHW
  • make proper use of LEDs
Actions #12

Updated by roh almost 3 years ago

i just updated a board and retested it and got a 'no sim' from a s4mini (worked before already)

serial trace:

=============================================================================
SIMtrace2 firmware 0.7.0.103-c690, BOARD=simtrace, APP=cardem
(C) 2010-2019 by Harald Welte, 2018-2019 by Kevin Redon
=============================================================================
-I- Chip ID: 0x28900960 (Ext 0x00000000)
-I- Serial Nr. 51203220-574a4a52-30303620-30323037
-I- Reset Cause: general reset (first power-up reset)
-I- USB init...
USBD_Init
SetAddr(42) -W- Sta 0x888A8 [0] -W- _ -W- Sta 0x888A8 [0] -W- _ -W- Sta 0x888A8 [0] -W- _ SetCfg(1) cfgChanged1 -I- calling configure of all configurations...
-I- Sniffer config
-I- calling init of config 1...
-I- Sniffer Init
-I- entering main loop...
-I- USB is now configured
'nknown command '0] -W- _ 
'nknown command ' <power on phone here>
'nknown command '
'nknown command '
-I- Changed to ISO 7816-3 state 1
reset de-asserted
-I- WT updated to 9600 ETU
-I- Changed to ISO 7816-3 state 0
reset asserted
-I- Changed to ISO 7816-3 state 1
reset de-asserted
-I- WT updated to 9600 ETU
-I- Changed to ISO 7816-3 state 0
reset asserted
'nknown command '
'nknown command ' <power off phone here>
'nknown command '

$ ./simtrace2-cardem-pcsc -n 0 -V 1d50 -P 60e3 -H 2-1.2 -C 1 -I 0 -k
simtrace2-cardem-pcsc - Using PC/SC reader as SIM
(C) 2010-2020, Harald Welte <laforge@gnumonks.org>
(C) 2018, sysmocom -s.f.m.c. GmbH, Author: Kevin Redon <kredon@sysmocom.de>

<= osmo_st2_cardem_request_config(00000001)
SIMtrace <- 01 08 00 00 00 00 0c 00 01 00 00 00 
SIMtrace <- 01 05 00 00 00 00 09 00 01 
SIMtrace <- 02 02 00 00 00 00 09 00 01 
<= osmo_st2_cardem_request_set_atr(3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5 )
SIMtrace <- 01 02 00 00 00 00 1f 00 16 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5 
SIMtrace <- 02 01 00 00 00 00 0b 00 02 2c 01 
Entering main loop
-> 03 00 00 00 00 00 0c 00 04 00 00 00 
unknown simtrace msg type 0x00
-> 03 00 00 00 00 00 0c 00 04 00 00 00 
unknown simtrace msg type 0x00
-> 03 00 00 00 00 00 0c 00 04 00 00 00 
unknown simtrace msg type 0x00

<power on phone here>

-> 03 00 00 00 00 00 0c 00 08 00 00 00 
unknown simtrace msg type 0x00
-> 03 00 00 00 00 00 0c 00 04 00 00 00 
unknown simtrace msg type 0x00
-> 03 00 00 00 00 00 0c 00 08 00 00 00 
unknown simtrace msg type 0x00
-> 03 00 00 00 00 00 0c 00 04 00 00 00 
unknown simtrace msg type 0x00

<power off phone here>

build just moments ago from master

Actions #13

Updated by roh almost 3 years ago

just because i was confused why it worked for me before i retested - as a comparison with an older version of the cardem firmware, and it worked with 4d2f. and it does not with c690.

both testruns with the following setup:
S4mini, red sysmoUSIM-SJS1 in thinkpad ccid reader, host utils built from git c690a1f13042c5a1a464cf094b6d304dfb8b6288
i also tried a sysmoISIM-SJA2

the difference is only simtrace firmware:
working run:
SIMtrace2 firmware 0.7.0.100-4d2f-dirty, BOARD=simtrace, APP=cardem

failing run:
SIMtrace2 firmware 0.7.0.103-c690, BOARD=simtrace, APP=cardem
-> no sim

serial log of working version

=============================================================================
SIMtrace2 firmware 0.7.0.100-4d2f-dirty, BOARD=simtrace, APP=cardem
(C) 2010-2019 by Harald Welte, 2018-2019 by Kevin Redon
=============================================================================
-I- Chip ID: 0x299b0a60 (Ext 0x00000000)
-I- Serial Nr. 44203020-48574336-30303132-32313035
-I- Reset Cause: user reset (NRST pin detected low)
-I- USB init...
USBD_Init
SetAddr(57) -W- Sta 0x888A8 [0] -W- _ -W- Sta 0x888A8 [0] -W- _ -W- Sta 0x888A8 [0] -W- _ SetCfg(1) cfgChanged1 -I- calling configure of all configurations...
-I- calling init of config 1...
-I- Modem 0: physical SIM
-I- 0: Use local/physical SIM
-I- entering main loop...
-I- USB is now configured
-W- Sta 0x88828 [0] -W- _ -I- 0: skipping unsupported card_insert to INSERTED
-I- Modem 0: virtual SIM
-I- 0: Use remote/emulated SIM
-I- 0: ATR set: 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5 
-I- 0: VCC activated
-I- 0: CLK activated
-I- 0: RST released
-I- 0: computed F(1)/D(1) ratio: 372
-I- 0: computed F(9)/D(6) ratio: 16
-I- 0: send_tpdu_header: 00 a4 00 04 02
-I- 0: flush_rx_buffer (5)
-I- 0: flush_rx_buffer (2)
N-I- 0: send_tpdu_header: 00 c0 00 00 60
-I- 0: flush_rx_buffer (5)
-I- 0: send_tpdu_header: 00 c0 00 00 56
-I- 0: flush_rx_buffer (5)
-I- 0: send_tpdu_header: 00 a4 08 04 02
-I- 0: flush_rx_buffer (5)
-I- 0: flush_rx_buffer (2)
N-I- 0: send_tpdu_header: 00 c0 00 00 60
-I- 0: flush_rx_buffer (5)
-I- 0: send_tpdu_header: 00 c0 00 00 20
-I- 0: flush_rx_buffer (5)
-I- 0: send_tpdu_header: 00 b0 00 00 0a
-I- 0: flush_rx_buffer (5)
N-I- 0: send_tpdu_header: 00 a4 00 04 02
-I- 0: flush_rx_buffer (5)
-I- 0: flush_rx_buffer (2)
N-I- 0: send_tpdu_header: 00 c0 00 00 60
-I- 0: flush_rx_buffer (5)
-I- 0: send_tpdu_header: 00 c0 00 00 20
-I- 0: flush_rx_buffer (5)
-I- 0: send_tpdu_header: 00 a4 08 04 02
-I- 0: flush_rx_buffer (5)
-I- 0: flush_rx_buffer (2)
N-I- 0: send_tpdu_header: 00 c0 00 00 60
-I- 0: flush_rx_buffer (5)
-I- 0: send_tpdu_header: 00 c0 00 00 23
-I- 0: flush_rx_buffer (5)
-I- 0: send_tpdu_header: 00 b2 04 04 6e
-I- 0: flush_rx_buffer (5)
NN-I- 0: send_tpdu_header: 00 b2 04 04 6e
-I- 0: flush_rx_buffer (5)
N-I- 0: send_tpdu_header: 00 a4 08 0c 02
-I- 0: flush_rx_buffer (5)
-I- 0: flush_rx_buffer (2)
N-I- 0: send_tpdu_header: 00 a4 00 0c 02
....
I- 0: flush_rx_buffer (5)
-I- 0: flush_rx_buffer (2)
N-I- 0: send_tpdu_header: a0 d6 00 00 14
-I- 0: flush_rx_buffer (5)
-I- 0: flush_rx_buffer (20)
-I- 0: send_tpdu_header: a0 f2 00 00 16
-I- 0: flush_rx_buffer (5)
N-I- 0: RST asserted
-I- 0: VCC deactivated
-I- 0: CLK deactivated
-I- 0: skipping unsupported card_insert to REMOVED

serial log of failing version

=============================================================================
SIMtrace2 firmware 0.7.0.103-c690, BOARD=simtrace, APP=cardem
(C) 2010-2019 by Harald Welte, 2018-2019 by Kevin Redon
=============================================================================
-I- Chip ID: 0x299b0a60 (Ext 0x00000000)
-I- Serial Nr. 44203020-48574336-30303132-32313035
-I- Reset Cause: user reset (NRST pin detected low)
-I- USB init...
USBD_Init
SetAddr(69) -W- Sta 0x888A8 [0] -W- _ -W- Sta 0x888A8 [0] -W- _ -W- Sta 0x888A8 [0] -W- _ SetCfg(1) cfgChanged1 -I- calling configure of all configurations...
-I- Sniffer config
-I- calling init of config 1...
-I- Sniffer Init
-I- entering main loop...
-I- USB is now configured
'Unknown command '
-W- Sta 0x88828 [0] -W- _ -I- Changed to ISO 7816-3 state 1
reset de-asserted
-I- WT updated to 9600 ETU
-I- Changed to ISO 7816-3 state 0
reset asserted
-I- Changed to ISO 7816-3 state 1
reset de-asserted
-I- WT updated to 9600 ETU
-I- Changed to ISO 7816-3 state 0
reset asserted

Actions #14

Updated by laforge almost 3 years ago

Hi roh,

can you please try with the laforge/cardem2 branch (141ba6f887773913b2c005c66362b488774423f2)
which I just pushed?

That should be 4d2f rebased on top of current master. If it works, I'll merge it.

Thanks!

Actions #15

Updated by laforge almost 3 years ago

  • Status changed from In Progress to Feedback
  • Assignee changed from laforge to roh

laforge wrote:

can you please try with the laforge/cardem2 branch (141ba6f887773913b2c005c66362b488774423f2)
which I just pushed?

That should be 4d2f rebased on top of current master. If it works, I'll merge it.

Any news on this? It's also worth re-testing master now, before going for that branch.

Actions #16

Updated by roh over 2 years ago

  • Assignee changed from roh to laforge

i checked the git and it seemed to me that all relevant patches are already in head, so i tested a nightly build ( 0.7.0.147-1f75 ) instead.

sadly it seems sth broke the bootloader:

i can flash it as usual via bossac.

after powerup, the leds both flash, and repeat flashing every ~3seconds. the usb stays dead. on the serial there is this:

HardFault
R0=fcfbffcd, R1=80000000, R2=03040032, R3=03080409, R12=0420a102
LR[R14]=00402a83, PC[R15]=0040107e, PSR=81005a00
BFAR=e000ed38, CFSR=00000400, HFSR=40000000
DFSR=00000000, AFSR=00000400, SHCSR=00000000
FORCED IMPRECISERR

repeating in the same 3sec pattern.

i have bisected the issue to in between simtrace-dfu-flash-0.7.0.134-c749.bin (working) and simtrace-dfu-flash-0.7.0.141-23a9.bin (faulty)

meanwhile i continue with the last working bootloader.

flashing simtrace-cardem-dfu-0.7.0.147-1f75.bin was uneventful.

from here everything worked as it should

i think cardem is 'fixed and working' for simtrace2 now :)

View serial log...

host-utils:

simtrace2-cardem-pcsc output...

Actions #17

Updated by Hoernchen over 2 years ago

The downloaded simtrace-dfu-flash-0.7.0.147-1f75.bin works fine for me, as does my own built version of current nightly flashed using jtag, so I don't really know what to debug here?

Actions #18

Updated by roh over 2 years ago

this is really odd... let's compare sha256sum

3dc653f64d12e387a2da353bbf8191371887d6159b74fc8060d44d45cf909d0b simtrace-dfu-flash-0.7.0.147-1f75.bin
15712 bytes

Actions #19

Updated by laforge over 2 years ago

On Tue, Sep 14, 2021 at 11:55:41AM +0000, roh [REDMINE] wrote:

this is really odd... let's compare sha256sum

3dc653f64d12e387a2da353bbf8191371887d6159b74fc8060d44d45cf909d0b simtrace-dfu-flash-0.7.0.147-1f75.bin
15712 bytes

beyond that: maybe the dfu loader version installed has an impact? Or the problem
only happens on one specific board?

Actions #20

Updated by Hoernchen over 2 years ago

I've managed to reproduce this:
erase the chip, clear gpnvm bit 1

 openocd -f interface/ftdi/jtag-lock-pick_tiny_2.cfg -c "transport select swd"  --command "set CPUTAPID 0x2ba01477" --file target/at91sam3sXX.cfg --command "init;halt;flash erase_sector 0 0 last;at91sam3 gpnvm clear 1;reset" --command "shutdown" 

bossac 1.3b
3dc653f64d12e387a2da353bbf8191371887d6159b74fc8060d44d45cf909d0b simtrace-dfu-flash-0.7.0.147-1f75.bin
bossac -e -w simtrace-dfu-flash-0.7.0.147-1f75.bin -b1 -R

(gdb) bt
#0  0x004012de in hard_fault_handler_c (args=<optimized out>) at ./atmel_softpack_libraries/libchip_sam3s/source/exceptions.c:141
#1  <signal handler called>
#2  0x0040107e in PIO_SetPeripheralB (enablePullUp=<optimized out>, mask=50593842, pio=0x3080409)
    at ./atmel_softpack_libraries/libchip_sam3s/source/pio.c:106
#3  PIO_Configure (list=0x403a8c, size=4) at ./atmel_softpack_libraries/libchip_sam3s/source/pio.c:319
#4  0x00402a82 in main () at apps/dfu/main.c:268

This is with the elf for my own built version, so the lines for main.c are slightly off, but pio and below matches.
It's the LED config, but LED config does not have pio b, it's size 48, and the mask is crap, too.

Flashing the same file with jtag works, as does bossucking my own built version.

No Idea what to fix here.
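
Decoding the fault status registers from the HardFault dump in note #16 (the same fault as the backtrace above, PC 0040107e), as an added example that is not part of the original thread or of the SIMtrace2 firmware. The bit positions are the architectural ARMv7-M (Cortex-M3) HFSR/CFSR definitions; the function names are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ARMv7-M fault status bits (Cortex-M3 core, as used in the SAM3S). */
struct fault_bit { uint32_t mask; const char *name; };

static const struct fault_bit hfsr_bits[] = {
	{ 1u << 1, "VECTTBL" }, { 1u << 30, "FORCED" }, { 1u << 31, "DEBUGEVT" },
};
static const struct fault_bit cfsr_bits[] = {
	{ 1u << 0,  "IACCVIOL" },  { 1u << 1,  "DACCVIOL" },    { 1u << 3,  "MUNSTKERR" },
	{ 1u << 4,  "MSTKERR" },   { 1u << 7,  "MMARVALID" },   { 1u << 8,  "IBUSERR" },
	{ 1u << 9,  "PRECISERR" }, { 1u << 10, "IMPRECISERR" }, { 1u << 11, "UNSTKERR" },
	{ 1u << 12, "STKERR" },    { 1u << 15, "BFARVALID" },   { 1u << 16, "UNDEFINSTR" },
	{ 1u << 17, "INVSTATE" },  { 1u << 18, "INVPC" },       { 1u << 19, "NOCP" },
	{ 1u << 24, "UNALIGNED" }, { 1u << 25, "DIVBYZERO" },
};
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Append the name of every set bit to out (space separated); return the count. */
static int decode_bits(uint32_t reg, const struct fault_bit *tbl, size_t n,
		       char *out, size_t outlen)
{
	int count = 0;
	for (size_t i = 0; i < n; i++) {
		if (!(reg & tbl[i].mask))
			continue;
		size_t used = strlen(out);
		snprintf(out + used, outlen - used, "%s%s", used ? " " : "", tbl[i].name);
		count++;
	}
	return count;
}

/* Decode HFSR first, then CFSR, into out; return the number of flags set. */
int decode_fault(uint32_t hfsr, uint32_t cfsr, char *out, size_t outlen)
{
	out[0] = '\0';
	int n = decode_bits(hfsr, hfsr_bits, ARRAY_LEN(hfsr_bits), out, outlen);
	n += decode_bits(cfsr, cfsr_bits, ARRAY_LEN(cfsr_bits), out, outlen);
	return n;
}

/* BFAR holds the faulting address only while BFARVALID (CFSR bit 15) is set. */
int bfar_is_valid(uint32_t cfsr) { return (cfsr >> 15) & 1; }
/* After an imprecise bus error the stacked PC may be past the faulting access. */
int fault_pc_is_exact(uint32_t cfsr) { return !(cfsr & (1u << 10)); }

int main(void)
{
	char buf[128];
	/* Values copied from the dump in note #16: HFSR=40000000, CFSR=00000400 */
	decode_fault(0x40000000u, 0x00000400u, buf, sizeof(buf));
	printf("%s; BFAR valid: %d; stacked PC exact: %d\n", buf,
	       bfar_is_valid(0x00000400u), fault_pc_is_exact(0x00000400u));
	return 0;
}
```

For this dump the result is FORCED IMPRECISERR with BFARVALID clear, so the logged BFAR does not identify the faulting address and the stacked PC need not be the exact faulting instruction.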

Actions #21

Updated by Hoernchen over 2 years ago

Maybe also fixed by https://gerrit.osmocom.org/c/simtrace2/+/25683 tho I don't see why.

Actions #22

Updated by Hoernchen over 2 years ago

This is actually https://gerrit.osmocom.org/c/simtrace2/+/25850/1 - I was finally able to accidentally reproduce this with a clang built firmware and had a matching elf file to properly debug it instead of having to guess.
Depending on the generated ram/stack/flash and code layout this can lead to all kinds of issues, so simtrace-like devices with leds that were flashed after the issue was introduced 3 years ago might need a new bootloader.

Actions #23

Updated by laforge over 2 years ago

  • Assignee changed from laforge to roh

re-assigning to roh for feedback, if he can confirm the problem is resolved after deploying code with the fix mentioned by Hoernchen.

Actions #24

Updated by mschramm over 2 years ago

Now we have 0.7.0.165 - any news here?

Actions #25

Updated by laforge about 2 years ago

  • Status changed from Feedback to Resolved
  • % Done changed from 90 to 100

has been waiting for feedback for months. 'cardem' on simtrace2 works in general, for specific bugs we should have specific issues.
