Project

General

Profile

Actions

Wiki » History » Revision 26

« Previous | Revision 26/44 (diff) | Next »
tsaitgaist, 10/01/2019 04:50 PM
clarify hardware name


Osmocom SIMtrace 2

Osmocom SIMtrace 2 is a software, firmware and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone, and remote SIM operation.
While it was designed for SIM-ME communication, it supports all ISO 7816 smart-cards using the T=0 protocol (the most common case).

It is a followup of the SIMtrace project, providing more functionalities (e.g. remote SIM operation) and supporting multiple boards (e.g. SIMtrace with SAM3S, sysmoQMOD).

Hardware

The SIMtrace 2 firmware supports several boards.
The firmware is written for an ATSAM3S4B micro-controller.

Note: The SAM3S is meanwhile labelled as not recommended for new designs by Atmel. However, there are plenty of hardware and software compatible upgrade options, including SAM4S. The upgrade is possible in the future.

SIMtrace board for SIMtrace 2 project

The main purpose of this board is to sniff the communication between a phone and a SIM card (or any card reader and smart-card).

This is the same circuit board as the previous SIMtrace v1, with the exception that the ATSAM3S4B micro-controller replaces the old AT91SAM7S64. Since the SAM3S is pin compatible with the SAM7S, any SIMtrace v1 board can be converted into a SIMtrace v2 board simply by replacing the micro-controller.

Note: This hardware is open source.

sysmoQMOD

The SAM3S micro-controller with SIMtrace 2 firmware is also used on the sysmoQMOD board to provide remote SIM operation capabilities.

Note: This hardware is not open source.

Firmware

The SIMtrace 2 firmware source code is available in git.
Pre-built firmware binaries are available here.
The firmware are currently under active development and we recommend to flash the new firmware images to profit from the latest bug fixes and added functionalities.

The SIMtrace 2 firmware is a complete rewrite and can only be flashed on hardware with SAM3S ARM Cortex-M3-based micro-controllers.
The SIMtrace 2 firmware is not compatible with the older SIMtrace v1 using SAM7S ARM7TDMI-based micro-controllers.

To get the version of the firmware flashed on the device:
  • connect a USB to UART cable either to the 2.5 mm stereo headphone connector (tip = TX, ring = RX, sleeve = GND) or the nearby DEBUG port (pin 1 = GND, pin 4 = TX, pin 5 = RX)
  • open the serial port with the following configuration: 921600 8N1 (115200 8N1 before version 0.5.1.2-80d9 from 2018-08-28)
  • reboot the board using the RESET button or by re-plugging the USB connector
  • you should see a banner containing the version information:
=============================================================================
SIMtrace2 firmware 0.4.195-acb7 (C) 2010-2016 by Harald Welte                
=============================================================================

trace

The trace application firmware allow to sniff the communication between a phone and a SIM card (or any card reader and smart-card).
It is intended for the SIMtrace v2 hardware and its function is analog to the SIMtrace v1.

The sniffing is completely passive. It uses the RST, ATR, PPS (baud rate tested with F/D up to 512/32), and WT (waiting timeout) to properly parse the ISO 7816-3 TPDUs.
Currently only the T=0 protocol is supported since this is the most common protocol used (we haven't seen T=1 in use).

The application firmware to be flashed using DFU is simtrace-trace-dfu.bin.

card emulation

The card emulation application firmware allows to emulate a card (e.g SIM). This is useful if you don't want to change the card in the device (e.g. phone), or have the card in a remote location.

This firmware comes preflashed on the sysmoQMOD board.
It also exists from the SIMtrace v2 board, but is currently in beta. If you still would like to try it, read this article.

Do not use the simtrace-cardem-dfu.bin firmware from the firmware repository since this currently does not include the fixes from the beta firmware.

Development

To compile the firmware using the source code, or participate in the development, please refer to the instructions provided in the README .

Flashing

The firmware images can be flashed as described here.

Host PC Software

The SIMtrace 2 host PC software are available in the simtrace2 git.

Preconditions

libosmocore, libpcsclite and libusb.

to install those packages:

sudo apt-get install libusb-1.0-0-dev libosmocore-dev libpcsclite-dev

Compiling it

git clone git://git.osmocom.org/simtrace2.git
cd simtrace2/host/
make

Accessing it

Add udev rules so to be able to use SIMtrace 2 devices and access the device as non-root user:

# add current user to plugdev group (user needs to re-login for this change to take effect)
sudo adduser $USERNAME plugdev
# grant access permission to SIMtrace 2 for plugdev group
sudo wget -O /etc/udev/rules.d/99-simtrace2.rules https://git.osmocom.org/simtrace2/plain/host/99-simtrace2.rules 
# reload udev rules
sudo udevadm control --reload-rules
sudo udevadm trigger

Applications

simtrace2-list

simtrace2-list allows to list all SIMtrace 2 compatible devices:

./simtrace2-list
USB matches: 1
    1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)

This is useful when you have multiple devices (such as with the Wiki) and have to specific with device to use by the other applications.

simtrace2-sniff

This will use the trace firmware and retrieve the sniffed phone-SIM communication.
The activity will be shown on the consol output:

./simtrace2-sniff 
simtrace2-sniff - Phone-SIM card communication sniffer 
(C) 2010-2017 by Harald Welte <laforge@gnumonks.org>
(C) 2018 by Kevin Redon <kredon@sysmocom.de>

Using USB device 1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
Entering main loop
Card state change: reset hold
Card state change: reset release
ATR: 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5 
PPS: ff 10 96 79 
PPS: ff 10 96 79 
Fi/Di switched to 512/32
TPDU: a0 a4 00 00 02 3f 00 9f 22 
TPDU: a0 a4 00 00 02 7f 20 9f 22 
TPDU: a0 a4 00 00 02 6f 46 9f 0f 
TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00 
Card state change: reset hold

The TPDU will also be sent the GSMTAP frames to UDP/IPv4 localhost:4729.
This also allows to analyze the communication in wireshark using the GSM SIM dissector.

Binary Packages

Osmocom provides binary packages for several flavors of Debian and Ubuntu GNU/Linux on a variety of architectures (i586, x86_64, armhf, armv7l). Unless you are a software developer interested in developing on Osmocom, it is recommended you use those packages instead of building from source.

For more details see Binary_Packages

Files (5)
sysmoqmod.png View sysmoqmod.png 731 KB tsaitgaist, 07/09/2018 03:03 PM
simtrace-board-mini.jpg View simtrace-board-mini.jpg 314 KB tsaitgaist, 07/09/2018 04:41 PM
simtrace_and_phone.jpg View simtrace_and_phone.jpg 573 KB tsaitgaist, 07/10/2018 03:09 PM
wireshark-sim.png View wireshark-sim.png 68.4 KB tsaitgaist, 07/10/2018 07:12 PM
ngff-cardem.jpg View ngff-cardem.jpg 422 KB laforge, 04/28/2022 01:07 PM

Updated by tsaitgaist over 4 years ago · 26 revisions

Add picture from clipboard (Maximum size: 48.8 MB)