SIMtrace » History » Version 49
laforge, 11/11/2016 03:57 PM
{{>toc}}

h1. Osmocom SIMtrace

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It looks a bit like this:
{{graphviz_link()
digraph G{
//rankdir = LR;
Phone -> SIMtrace [label = "Flexi-PCB cable"];
SIMtrace -> SIM;
SIMtrace -> PC [label = "USB cable"];

SIMtrace [ label = "SIMtrace hardware" ];
}
}}

When connected to a phone, it looks like this:

!{width:50%}simtrace_and_phone.jpg!

!{width:33%}simtrace_functions.png!

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone. The received bytes are sent via USB to the PC, where a program called simtrace gathers the data from the USB device, parses the APDUs and forwards them via GSMTAP to the Wireshark protocol analyzer.

h2. Features

* Completely passive scanner
* RST and ATR detection
* Auto-bauding with PPS / PTS support
* Segmentation of APDUs

SIMtrace can be used to monitor the ME-SIM communication, but also to emulate a phone or a SIM, or to act as a man-in-the-middle (MitM).
While the hardware supports all of these modes, only the monitoring mode has been implemented in software.

h2. TODO

* Check for parity errors
* Verify TCK / PCK check-bytes
* Implement MITM

h2. Hardware

The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [[RebelSIM_Scanner]]. If the [[RebelSIM]] scanner is used, connect its USB cable even if only the signal lines are used: the scanner needs to be powered, otherwise the real reader will often fail to initialize the card.

Now we have a dedicated PCB design. The schematics and Gerber files are released as open source hardware and can be produced by everyone.

However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace

More details are available at [[SIMtrace_Hardware]]

h2. Firmware

The firmware for the AT91SAM7S device was written by reusing a lot of the code of the "OpenPCD":http://www.openpcd.org/ RFID reader. Details are available at [[SIMtrace Firmware]].

h2. Documentation

Please check the attachments for a user manual. In there you will find some hints on installing ready-made packages for your favorite Linux distribution.

h2. Host PC Software

The simtrace program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device and send GSMTAP frames using UDP/IPv4 to localhost:4729.

h3. Preconditions

[[libosmocore:]] and the headers (simtrace_usb.h) from the firmware.

Additional packages:
<pre>
sudo apt-get install libusb-1.0-0-dev
</pre>

h3. Compiling it

<pre>
git clone git://git.osmocom.org/simtrace.git
cd simtrace/host/
make
</pre>

h3. Accessing it

Add udev rules so that simtrace can be used and the device can be accessed as a non-root user (the user only needs to be a member of the osmocom group):

<pre>
sudo groupadd osmocom
sudo adduser $USERNAME osmocom
sudo tee /etc/udev/rules.d/10-osmocom.rules << EOF
# to use, install this file in /etc/udev/rules.d as 10-osmocom.rules
# rule to grant read/write access on SIMtrace to group named osmocom.
SUBSYSTEM=="usb", ATTR{idProduct}=="0762", ATTRS{idVendor}=="16c0", MODE="0660", GROUP="osmocom"
EOF
sudo service udev reload
</pre>

You must log out and back in for the new group membership to take effect.

h3. Using it

Simply start *simtrace*.
It will send the GSMTAP frames to UDP/IPv4 localhost:4729.
It will also print hexdumps of the frames to the console, looking like this:

<pre>
sudo ./simtrace
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 38 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16): a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9): a0 a4 00 00 02 6f ad 9f 0f
APDU: (8): a0 b0 00 00 01 00 91 78
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (16): a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9): a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18): a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9): a0 a4 00 00 02 6f 78 9f 0f
APDU: (9): a0 b0 00 00 02 00 01 91 78
APDU: (9): a0 a4 00 00 02 6f 74 9f 0f
APDU: (23): a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 20 9f 0f
APDU: (16): a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9): a0 a4 00 00 02 6f 30 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
</pre>
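Each hexdump line above is one T=0 exchange: the 5-byte command header (CLA INS P1 P2 P3), P3 data bytes, then the two status bytes SW1 SW2. The following decoder is an added example (not part of the simtrace host software) that parses such lines and names the TS 11.11 instructions, the elementary files being selected and the status words; the instruction and file-ID tables hold standard TS 11.11 values, and the sample lines are copied from the dump above.

```python
import re

# Matches a line printed by simtrace: "APDU: (<count>): <hex bytes>"
LINE_RE = re.compile(r"APDU: \((\d+)\): ((?:[0-9a-f]{2} ?)+)$")

# GSM TS 11.11 instruction bytes (standard values, not a complete list)
INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xB2: "READ RECORD",
             0xC0: "GET RESPONSE", 0x88: "RUN GSM ALGORITHM", 0x20: "VERIFY CHV"}
# Elementary files under DF_GSM that appear in the trace above (TS 11.11 file IDs)
EF_NAMES = {0x6F07: "EF_IMSI", 0x6F38: "EF_SST", 0x6FAD: "EF_AD", 0x6F7E: "EF_LOCI",
            0x6F78: "EF_ACC", 0x6F74: "EF_BCCH", 0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel"}

def decode_sw(sw1, sw2):
    """Meaning of the status word, per TS 11.11 section 9.4."""
    if sw1 == 0x9F:
        return f"response available, {sw2} bytes"
    if sw1 == 0x91:
        return f"OK, proactive SIM command pending ({sw2} bytes)"
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    return f"error {sw1:02x}{sw2:02x}"

def parse_apdu_line(line):
    """Split one simtrace line into header, data and status word."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a simtrace APDU line: {line!r}")
    count, raw = int(m.group(1)), bytes.fromhex(m.group(2).replace(" ", ""))
    if len(raw) != count:
        raise ValueError(f"length field {count} does not match {len(raw)} bytes")
    cla, ins, p1, p2, p3 = raw[:5]
    data, sw1, sw2 = raw[5:-2], raw[-2], raw[-1]
    # On T=0 the data block is P3 bytes long; 7 bytes means the card refused
    # the command before any data was transferred.
    if len(data) not in (p3, 0):
        raise ValueError(f"data length {len(data)} does not match P3={p3}")
    out = {"cla": cla, "ins": INS_NAMES.get(ins, f"0x{ins:02x}"), "p1": p1, "p2": p2,
           "p3": p3, "data": data.hex(), "sw": decode_sw(sw1, sw2)}
    if ins == 0xA4 and len(data) == 2:                    # SELECT carries the file ID
        out["file"] = EF_NAMES.get(int.from_bytes(data, "big"), data.hex())
    return out

def summarize(lines):
    """One short line per APDU, e.g. 'SELECT EF_IMSI -> response available, 15 bytes'."""
    out = []
    for a in (parse_apdu_line(l) for l in lines if l.startswith("APDU:")):
        what = a["ins"] + (f" {a['file']}" if "file" in a else f" ({len(a['data']) // 2} data bytes)")
        out.append(f"{what} -> {a['sw']}")
    return out

# Sample lines taken from the simtrace console dump shown above
SAMPLE = ["APDU: (9): a0 a4 00 00 02 6f 07 9f 0f",
          "APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78",
          "APDU: (16): a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78"]
```

Running `summarize(SAMPLE)` reproduces the SELECT EF_IMSI / GET RESPONSE / READ BINARY sequence that the dump shows the phone performing right after power-up.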

h2. Wireshark integration

There is an experimental patch, also part of the simtrace.git package. It is also included in the [[wireshark]] developer version (since wireshark 1.7.1).

To see the APDUs in wireshark:
* on localhost, simtrace automatically opens a UDP sink, so nothing else needs to be done
* to get the data on another machine:
** start a UDP sink for GSMTAP on the other machine (do not use netcat, as it "connects" back)
<pre>
socat -u udp-recv:4729 /dev/null
</pre>
** tell simtrace to which machine to forward
<pre>
./simtrace -i 192.168.0.1
</pre>
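The socat sink above works because it only receives and never answers. As an added example (not part of simtrace or Wireshark) the receive-only sink below does the same in Python and additionally checks the 16-byte GSMTAP v2 header of each datagram, which is the header format simtrace sends to port 4729; `build_gsmtap_sim` is a helper constructed here to produce test frames and is not how simtrace builds them.

```python
import socket
import struct

GSMTAP_UDP_PORT = 4729      # UDP port that simtrace forwards GSMTAP frames to
GSMTAP_VERSION = 2
GSMTAP_TYPE_SIM = 0x04      # GSMTAP payload type for SIM APDUs

# GSMTAP v2 fixed header (16 bytes, network byte order): version, hdr_len in
# 32-bit words, type, timeslot, arfcn, signal_dbm, snr_db, frame_number,
# sub_type, antenna_nr, sub_slot, reserved
HDR = struct.Struct(">BBBBHbbIBBBB")

def build_gsmtap_sim(apdu: bytes) -> bytes:
    """Wrap an APDU in a GSMTAP SIM frame (constructed here to exercise the parser)."""
    return HDR.pack(GSMTAP_VERSION, HDR.size // 4, GSMTAP_TYPE_SIM,
                    0, 0, 0, 0, 0, 0, 0, 0, 0) + apdu

def parse_gsmtap(datagram: bytes):
    """Return (type, payload) of a GSMTAP datagram; raise on malformed input."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    version, hdr_len, gtype = HDR.unpack_from(datagram)[:3]
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    if hdr_len * 4 > len(datagram):
        raise ValueError("header length exceeds datagram")
    return gtype, datagram[hdr_len * 4:]

def run_sink(bind_addr="0.0.0.0", port=GSMTAP_UDP_PORT, max_frames=None):
    """Receive-only sink: it never sends anything back to the source, unlike netcat."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = 0
    while max_frames is None or seen < max_frames:
        data, (src, _) = sock.recvfrom(4096)
        try:
            gtype, payload = parse_gsmtap(data)
        except ValueError as err:
            print(f"{src}: dropped datagram: {err}")
            continue
        if gtype == GSMTAP_TYPE_SIM:
            print(f"{src}: APDU ({len(payload)}): {payload.hex(' ')}")
        seen += 1

if __name__ == "__main__":
    run_sink()
```

Running this on the other machine (and pointing Wireshark at the same interface) takes the place of the socat command; simtrace is still started with `-i <that machine>`.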

!wireshark-sim.png!

Protocol parsing is far from complete; patches are always welcome!

h2. Contact / Mailing List

For any development- or usage-related questions there is a mailing list [mailto:simtrace@lists.osmocom.org]. You can subscribe/unsubscribe to it at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please make sure you read the [[cellular-infrastructure:MailingListRules]] before you start posting.