SIMtrace » History » Version 47
laforge, 11/11/2016 03:57 PM
{{>toc}}

h1. Osmocom SIMtrace

Osmocom SIMtrace is a software and hardware system for passively tracing the SIM-ME communication between the SIM card and the mobile phone.

It looks a bit like this:
{{graphviz_link()
digraph G{
//rankdir = LR;
Phone -> SIMtrace [label = "Flexi-PCB cable"];
SIMtrace -> SIM;
SIMtrace -> PC [label = "USB cable"];

SIMtrace [ label = "SIMtrace hardware" ];
}
}}

When connected to a phone, it looks like this:

!{width:50%}simtrace_and_phone.jpg!

!{width:33%}simtrace_functions.png!

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone. The received bytes are sent via USB to the PC, where the simtrace host program gathers the data from the USB device, parses the APDUs and forwards them via GSMTAP to the Wireshark protocol analyzer.

h2. Features

* Completely passive scanner
* RST and ATR detection
* Auto-bauding with PPS / PTS support
* Segmentation of APDUs

SIMtrace can be used to monitor the ME-SIM communication, but also to emulate a phone or a SIM, or to act as a man-in-the-middle (MITM) between them. While the hardware supports all these modes, only the monitoring mode has been implemented in software.

h2. TODO

* Check for parity errors
* Verify TCK / PCK check-bytes
* Implement MITM

h2. Hardware

The first implementations used an Olimex SAM7-P64 development board with some of its I/O lines hooked up to the mechanical SIM card adapters from the [[RebelSIM_Scanner]]. If the [[RebelSIM]] scanner is used, connect its USB even if only the signal lines are used: the scanner needs to be powered, otherwise the real reader will often fail to initialize the card.

Now we have a dedicated PCB design. The schematics and Gerber files are released as open source hardware and can be produced by anyone.

However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace

More details are available at [[SIMtrace_Hardware]].

h2. Firmware

The firmware for the AT91SAM7S device was written by reusing a lot of the code of the "OpenPCD":http://www.openpcd.org/ RFID reader. Details are available at [[SIMtraceFirmware]].

h2. Documentation

Please check the attachments for the user manual. In there you will find some hints on installing ready-made packages for your favorite Linux distribution.

h2. Host PC Software

The simtrace program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device and send GSMTAP frames using UDP/IPv4 to localhost:4729.

h3. Preconditions

[[libosmocore]] and the headers (simtrace_usb.h) from the firmware.

Additional packages:
<pre>
sudo apt-get install libusb-1.0-0-dev
</pre>

h3. Compiling it

<pre>
git clone git://git.osmocom.org/simtrace.git
cd simtrace/host/
make
</pre>

h3. Accessing it

Add a udev rule so that simtrace can access the device as a non-root user (the user only needs to be a member of the osmocom group):

<pre>
sudo groupadd osmocom
sudo adduser $USERNAME osmocom
sudo tee /etc/udev/rules.d/10-osmocom.rules << EOF
# to use, install this file in /etc/udev/rules.d as 10-osmocom.rules
# rule to grant read/write access on SIMtrace to group named osmocom.
# it matches only the SIMtrace USB ID 16c0:0762; MODE 0660 gives root and the group access, nobody else
SUBSYSTEM=="usb", ATTR{idProduct}=="0762", ATTRS{idVendor}=="16c0", MODE="0660", GROUP="osmocom"
EOF
sudo service udev reload
</pre>

You must log out and back in for the new group membership to take effect.

h3. Using it

Simply start *simtrace*.

It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:

<pre>
sudo ./simtrace
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 38 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16): a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9): a0 a4 00 00 02 6f ad 9f 0f
APDU: (8): a0 b0 00 00 01 00 91 78
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (16): a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9): a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18): a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9): a0 a4 00 00 02 6f 78 9f 0f
APDU: (9): a0 b0 00 00 02 00 01 91 78
APDU: (9): a0 a4 00 00 02 6f 74 9f 0f
APDU: (23): a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 20 9f 0f
APDU: (16): a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9): a0 a4 00 00 02 6f 30 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
</pre>

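As an added illustration (not part of this page or of the simtrace host software), the following Python parses console lines in the format above into the T=0 fields (CLA INS P1 P2 P3, payload, SW1 SW2) and names the instruction, the selected file and the status word; the INS and EF tables are subsets taken from GSM 11.11.

```python
import re
from dataclasses import dataclass

# GSM 11.11 9.2 instruction codes (the subset a SIM/ME dialogue normally uses)
INS_NAMES = {0xA4: "SELECT", 0xF2: "STATUS", 0xB0: "READ BINARY", 0xD6: "UPDATE BINARY",
             0xB2: "READ RECORD", 0xDC: "UPDATE RECORD", 0x20: "VERIFY CHV",
             0x88: "RUN GSM ALGORITHM", 0xC0: "GET RESPONSE", 0x12: "FETCH", 0xC2: "ENVELOPE"}
# GSM 11.11 EF identifiers that appear in the trace above
EF_NAMES = {0x6F07: "EF_IMSI", 0x6F38: "EF_SST", 0x6FAD: "EF_AD", 0x6F7E: "EF_LOCI",
            0x6F78: "EF_ACC", 0x6F74: "EF_BCCH", 0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel"}
LINE_RE = re.compile(r"APDU: \((\d+)\): ((?:[0-9a-fA-F]{2}\s?)+)")

@dataclass
class Apdu:
    cla: int; ins: int; p1: int; p2: int; p3: int   # 5-byte T=0 command header
    data: bytes; sw1: int; sw2: int                  # payload and status word

    def ins_name(self) -> str:
        return INS_NAMES.get(self.ins, "INS %02x" % self.ins)

    def status(self) -> str:  # GSM 11.11 9.4 status conditions
        sw = "%02x%02x" % (self.sw1, self.sw2)
        if sw == "9000": return "OK"
        if self.sw1 == 0x9F: return "OK, %d bytes via GET RESPONSE" % self.sw2
        if self.sw1 == 0x91: return "OK, proactive command (%d bytes) pending" % self.sw2
        if self.sw1 == 0x98: return "security error " + sw  # CHV / access condition
        if self.sw1 == 0x94: return "file error " + sw      # not found, out of range, ...
        return "error " + sw

    def describe(self) -> str:
        extra = ""
        if self.ins == 0xA4 and len(self.data) == 2:  # SELECT carries the file ID
            fid = int.from_bytes(self.data, "big")
            extra = " %04X (%s)" % (fid, EF_NAMES.get(fid, "?"))
        return "%s%s -> %s" % (self.ins_name(), extra, self.status())

def parse_line(line: str) -> Apdu:
    m = LINE_RE.search(line)
    if not m: raise ValueError("not a simtrace APDU line: %r" % line)
    raw = bytes.fromhex(m.group(2))
    if len(raw) != int(m.group(1)) or len(raw) < 7:
        raise ValueError("length mismatch in %r" % line)
    cla, ins, p1, p2, p3 = raw[:5]
    data, sw1, sw2 = raw[5:-2], raw[-2], raw[-1]
    # T=0: P3 is Lc (data to the card) or Le (data from the card); either way the
    # dump carries P3 payload bytes (0 means 256) unless the card rejected the header
    if data and len(data) != (p3 or 256):
        raise ValueError("P3=%d but %d payload bytes in %r" % (p3, len(data), line))
    return Apdu(cla, ins, p1, p2, p3, data, sw1, sw2)
```

Feed it the console lines one by one (e.g. `parse_line(l).describe()` for each line starting with `APDU:`) to turn the raw hexdump into a readable SELECT / GET RESPONSE / READ BINARY sequence.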
h2. Wireshark integration

There is an experimental Wireshark dissector patch, also part of the simtrace.git repository. It is also included in the [[wireshark]] development version (since Wireshark 1.7.1).

To see the APDUs in Wireshark:
* on localhost, SIMtrace automatically opens a UDP sink, so nothing else needs to be done
* to get the data on another machine
** start a UDP sink for GSMTAP on the other machine (do not use netcat, as it "connects" back)
<pre>
socat -u udp-recv:4729 /dev/null
</pre>
** tell SIMtrace to which machine to forward
<pre>
./simtrace -i 192.168.0.1
</pre>

!wireshark-sim.png!

Protocol parsing is far from complete; patches are always welcome!

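As an added example (not the project's code), this Python decodes the GSMTAP frames simtrace sends to UDP port 4729 and can serve as the receive-only sink on the other machine. The 16-byte GSMTAP v2 header layout and the SIM type value 0x04 come from libosmocore's gsmtap.h; that the sub_type field is 0 is an assumption, and the sample frame in the test is constructed.

```python
import socket
import struct

GSMTAP_UDP_PORT = 4729      # where simtrace sends its frames
GSMTAP_VERSION = 2
GSMTAP_TYPE_SIM = 0x04      # payload type for SIM APDUs (libosmocore gsmtap.h)
# gsmtap_hdr: version, hdr_len (in 32-bit words), type, timeslot, arfcn, signal_dbm,
# snr_db, frame_number, sub_type, antenna_nr, sub_slot, res: 16 bytes, network order
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")

def build_gsmtap_sim(apdu: bytes) -> bytes:
    """Wrap one APDU in a GSMTAP SIM frame (sub_type 0 is an assumption, see lead-in)."""
    hdr = GSMTAP_HDR.pack(GSMTAP_VERSION, GSMTAP_HDR.size // 4, GSMTAP_TYPE_SIM,
                          0, 0, 0, 0, 0, 0, 0, 0, 0)
    return hdr + apdu

def parse_gsmtap(frame: bytes):
    """Return (type, payload) of a GSMTAP frame; raise ValueError if it is malformed."""
    if len(frame) < GSMTAP_HDR.size:
        raise ValueError("frame shorter than the GSMTAP header")
    version, hdr_len, gtype = frame[0], frame[1], frame[2]
    if version != GSMTAP_VERSION:
        raise ValueError("unsupported GSMTAP version %d" % version)
    offset = hdr_len * 4    # hdr_len is in 32-bit words and may announce extra header bytes
    if offset < GSMTAP_HDR.size or offset > len(frame):
        raise ValueError("bad GSMTAP hdr_len %d" % hdr_len)
    return gtype, frame[offset:]

def sim_apdu_from_frame(frame: bytes) -> bytes:
    """Extract the APDU bytes from a frame, refusing non-SIM GSMTAP types."""
    gtype, payload = parse_gsmtap(frame)
    if gtype != GSMTAP_TYPE_SIM:
        raise ValueError("not a SIM frame (type 0x%02x)" % gtype)
    return payload

def run_sink(bind_addr: str = "0.0.0.0", port: int = GSMTAP_UDP_PORT) -> None:
    """Receive-only sink like the socat line above: it never sends anything back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        frame, peer = sock.recvfrom(2048)
        try:
            print("%s: APDU: %s" % (peer[0], sim_apdu_from_frame(frame).hex(" ")))
        except ValueError as err:
            print("%s: dropped frame: %s" % (peer[0], err))

if __name__ == "__main__":
    run_sink()
```

Run it on the machine given to `./simtrace -i` and it prints the same APDU hexdumps the sending host shows on its console; malformed or non-SIM frames are reported and dropped rather than fed to a decoder.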
h2. Contact / Mailing List

For any development or usage related questions, there is a mailing list, [mailto:simtrace@lists.osmocom.org]. You can subscribe/unsubscribe at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please make sure you read the [[cellular-infrastructure:MailingListRules]] before you start posting.