Wiki » History » Version 10
tsaitgaist, 07/10/2018 03:21 PM
updated hardware and firmware
h1. Osmocom SIMtrace 2

Osmocom SIMtrace 2 is a software, firmware and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone, and for remote SIM operation.
While it was designed for SIM-ME communication, it supports all ISO 7816 smart-cards using the T=0 protocol (the most common case).

It is a followup of the project:simtrace, providing more functionalities (e.g. remote SIM operation) and supporting multiple boards (e.g. SIMtrace with SAM3S, "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html).

h2. Hardware

The SIMtrace 2 firmware supports several boards.
The firmware is written for an "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller.

Note: The SAM3S is meanwhile labelled as _not recommended for new designs_ by Atmel. However, there are plenty of hardware and software compatible upgrade options for the future, including the SAM4S.

h3. SIMtrace 2

!{width:20%}simtrace-board-mini.jpg!

The main purpose of this board is to sniff the communication between a phone and a SIM card (or any card reader and smart-card).

This is the same board as the previous "SIMtrace 1":/project/simtrace/wiki/SIMtrace_Hardware, with the exception that the "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller replaces the old "AT91SAM7S64":https://www.microchip.com/wwwproducts/en/AT91SAM7S64. Since the SAM3S is pin compatible with the SAM7S, any SIMtrace 1 board can be converted into a SIMtrace 2 board simply by replacing the micro-controller.

Note: This hardware is "open source":https://git.osmocom.org/simtrace/tree/hardware.

h3. sysmoQMOD

!{width:25%}sysmoqmod.png!

The SAM3S micro-controller with SIMtrace 2 firmware is also used on the "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html board to provide remote SIM operation capabilities.

Note: This hardware is not open source.

h2. Firmware

The SIMtrace 2 firmware source code is available in "git":https://git.osmocom.org/simtrace2/.
It is currently under active development and we recommend [[Flashing|flashing]] the new firmware images to profit from the latest bug fixes and added functionalities.

The SIMtrace 2 firmware is a complete rewrite and *can only be flashed on hardware with SAM3S* ARM Cortex-M3-based micro-controllers.
*The SIMtrace 2 firmware is not compatible with the older "SIMtrace 1":/project/simtrace/wiki/SIMtrace_Hardware using SAM7S ARM7TDMI-based micro-controllers.*

h3. sniffer

The sniffer firmware allows sniffing the communication between a phone and a SIM card (or any card reader and smart-card).
It is intended for the [[Wiki#SIMtrace 2|SIMtrace 2 hardware]] and its function is analogous to the "SIMtrace 1":/projects/simtrace/wiki/SIMtrace_Firmware.

!{width:25%}simtrace_and_phone.jpg!

The application firmware to be flashed using [[Flashing#DFU|DFU]] is attachment:simtrace-trace-dfu.bin.
It corresponds to the @trace@ app in the source code.

h2. Flashing

The [[Wiki#Firmware|firmware images]] can be flashed as described [[Flashing|here]].

h4. DFU

SIMtrace 2 comes with a USB DFU bootloader pre-installed which allows flashing the application firmware over USB using the @dfu-util@ utility.

To get @dfu-util@:
<pre>
sudo apt-get install dfu-util
</pre>

To flash the firmware:
<pre>
sudo dfu-util --device 1d50:60e3 --cfg 1 --alt 1 --reset --download ./bin/simtrace-trace-dfu.bin
</pre>

To avoid using @sudo@ when running @dfu-util@ on SIMtrace 2, grant the current user access permission to the USB device:
<pre>
# create osmocom group
sudo groupadd osmocom
# add current user to osmocom group (user needs to re-login for this change to take effect)
sudo adduser $USERNAME osmocom
# grant access permission to SIMtrace 2 for osmocom group
sudo tee -a /etc/udev/rules.d/10-osmocom.rules << EOF
# SIMtrace 2
SUBSYSTEM=="usb", ATTRS{idVendor}=="1d50", ATTR{idProduct}=="60e3", MODE="0660", GROUP="osmocom"
EOF
# reload udev rules
sudo udevadm control --reload-rules
sudo udevadm trigger
</pre>

@dfu-util@ should reset the board and use the DFU bootloader.
Try the command a second time if it did not work at first.
If this still does not work, power up the board while pressing the *BOOTLOADER* button.

If the USB DFU bootloader is missing, defective, or needs to be updated, use the JTAG or SAM-BA methods to flash the bootloader firmware.

h4. SAMBA

The SAM3S micro-controller comes with an embedded bootloader called SAMBA, which allows firmware to be flashed over USB.
The SAMBA bootloader can be used to flash the DFU bootloader.
To activate the SAMBA bootloader:
# short the *ERASE* pin on the top of the board with the nearby 3V3 pin using a jumper
# connect SIMtrace 2 over USB to power it up (no LED will light up)
# using @lsusb@ you should find the following entry:
<pre>
ID 03eb:6124 Atmel Corp. at91sam SAMBA bootloader
</pre>
# using @journalctl -f@ ensure SIMtrace 2 has been recognized as a USB ACM device:
<pre>
kernel: usb 2-2: new full-speed USB device number 4 using xhci_hcd
kernel: usb 2-2: New USB device found, idVendor=03eb, idProduct=6124
kernel: usb 2-2: New USB device strings: Mfr=0, Product=0, SerialNumber=0
kernel: cdc_acm 2-2:1.0: ttyACM0: USB ACM device
kernel: usbcore: registered new interface driver cdc_acm
kernel: cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
</pre>
# remove the jumper shorting *ERASE* to 3V3
# install the @bossac@ utility to flash using the SAMBA protocol
<pre>
sudo apt install bossac
</pre>
# flash the USB DFU firmware using @bossac@ (note: @erase@ ensures no main application remains, so that the USB DFU bootloader is forced to boot; @boot=1@ ensures the micro-controller will boot from the internal flash instead of the embedded bootloader the next time it is powered up)
<pre>
sudo bossac --port /dev/ttyACM0 --erase --write ./bin/simtrace-dfu-flash.bin --verify --boot=1
</pre>
# to avoid using @sudo@, grant the current user permission to access USB serial devices (e.g. @/dev/ttyACM0@). Note: this change only takes effect after logging in again
<pre>
sudo adduser $USERNAME dialout
</pre>

Once the USB DFU bootloader is flashed, re-plug SIMtrace 2 over USB and flash the main application firmware using the DFU method.

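As an added example (not part of the SIMtrace 2 wiki or its firmware), the following POSIX shell helper ties together the USB IDs and the udev rule from the DFU and SAMBA steps above: it tells from @lsusb@ output whether a board is in DFU mode (flash with @dfu-util@) or in the SAM3S SAMBA bootloader (flash with @bossac@), and appends the udev rule only if it is not already present, where the plain @tee -a@ above appends on every run. The group name, rules file path and IDs are the page's; the function names, the @--run@ flag and the sample @lsusb@ lines are constructed for this example.

```shell
#!/bin/sh
# Added helper script (not from the SIMtrace 2 wiki or firmware) around the
# USB IDs and the udev rule used in the DFU and SAMBA flashing steps.

SIMTRACE_ID="1d50:60e3"   # SIMtrace 2 DFU bootloader / application: dfu-util
SAMBA_ID="03eb:6124"      # SAM3S ROM SAMBA bootloader (ERASE jumper set): bossac

# Read lsusb output from stdin and report which flashing path applies:
# "dfu", "samba" or "none". A board in DFU mode wins over a SAMBA entry,
# since it is already past the SAMBA stage.
simtrace_mode() {
    mode="none"
    while IFS= read -r line; do
        case "$line" in
            *"ID $SIMTRACE_ID"*) mode="dfu" ;;
            *"ID $SAMBA_ID"*)
                if [ "$mode" = "none" ]; then mode="samba"; fi ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Render the udev rule from the DFU section for a vendor:product pair and a
# group; MODE 0660 limits the device node to root and members of that group.
udev_rule() {  # $1 = vendor:product, $2 = group
    vid=${1%%:*}; pid=${1#*:}
    printf 'SUBSYSTEM=="usb", ATTRS{idVendor}=="%s", ATTR{idProduct}=="%s", MODE="0660", GROUP="%s"\n' \
        "$vid" "$pid" "$2"
}

# Append the rule only if the rules file has no rule for that product yet, so
# re-running the setup does not accumulate duplicate lines. Returns 1 when
# nothing was written.
ensure_udev_rule() {  # $1 = rules file, $2 = vendor:product, $3 = group
    pid=${2#*:}
    if [ -f "$1" ] && grep -q "idProduct}==\"$pid\"" "$1"; then
        return 1
    fi
    udev_rule "$2" "$3" >> "$1"
}

# Stand-alone use (hypothetical --run flag): classify the live bus and, when
# run as root, install the rule into the page's rules file.
if [ "${1:-}" = "--run" ]; then
    echo "SIMtrace 2 mode: $(lsusb | simtrace_mode)"
    ensure_udev_rule /etc/udev/rules.d/10-osmocom.rules "$SIMTRACE_ID" osmocom \
        && echo "rule added; now run: udevadm control --reload-rules && udevadm trigger"
fi
```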

h4. JTAG

It is also possible to flash or debug SIMtrace 2 over JTAG using the ARM 20-pin JTAG header on the top of the board.

To flash the USB DFU firmware using JTAG:
# install the JTAG utility @openOCD@
<pre>
sudo apt install openocd
</pre>
# flash the USB DFU bootloader firmware
<pre>
openocd --file interface/jlink.cfg --file target/at91sam3sXX.cfg --command "init" --command "halt" --command "flash write_bank 0 ./bin/simtrace-dfu-flash.bin 0" --command "at91sam3 gpnvm set 1" --command "reset" --command "shutdown"
</pre>
#* replace @interface/jlink.cfg@ with the configuration file for your JTAG debugging adapter
#* @at91sam3 gpnvm set 1@ ensures the micro-controller will boot from the internal flash (i.e. not from the embedded SAMBA bootloader)

The SAM3S also offers the low pin-count SWD alternative to JTAG, which allows using an inexpensive ST-Link V2 (clone) to flash (and debug):
<pre>
openocd --file interface/stlink-v2.cfg --command "set CPUTAPID 0x2ba01477" --file target/at91sam3sXX.cfg --command "init" --command "halt" --command "flash write_bank 0 ./bin/simtrace-dfu-flash.bin 0" --command "at91sam3 gpnvm set 1" --command "reset" --command "shutdown"
</pre>

SWD pinout:
!simtrace_swd.jpg!

Once the USB DFU bootloader is flashed, re-plug SIMtrace 2 over USB and flash the main application firmware using the DFU method.

h3. Development

To compile the firmware from the source code, or to participate in the development, please refer to the instructions provided in the "README":https://git.osmocom.org/simtrace2/tree/firmware/README.txt.

h2. Host PC Software

TODO