RebelSIM » History » Version 1
laforge, 02/19/2016 10:48 PM
add page on the RebelSIM
[[PageOutline]]

= RebelSIM Card =

The RebelSIM card is a type of ''Proxy SIM'' that is inserted between the phone's SIM card reader and the actual SIM card.

The proxy is able to manipulate any message from the phone to the card or vice versa, as the SIM card protocol (GSM TS 11.11, carried over ISO 7816-3 T=0) is neither encrypted nor authenticated. Note that this gives control over the ME-SIM interface only: the authentication secret (Ki) never leaves the real card, and the proxy merely sees the RUN GSM ALGORITHM command and its SRES/Kc result passing through.

The RebelSIM is typically used for SIM-unlocking phones. However, as it is a general proxy SIM, it can be used for any purpose, e.g. for filtering STK commands between SIM and ME (up to blocking the SIM Toolkit entirely).

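To make the "filter STK commands" use case concrete, here is an added example (written for this page, not RebelSIM firmware and not code from laforge or the RebelSIM vendor) of the filtering policy a proxy SIM can apply to the ME-SIM command stream. It models only the 5-byte TS 11.11 command header (CLA INS P1 P2 P3) and the 2-byte status word; T=0 procedure bytes, data phases and timing are left out, and the "card" is a constructed stand-in (`fake_sim`) that pretends to have a proactive command pending. The function names and the sample commands are assumptions for illustration.

```c
/* Added example, not RebelSIM firmware: a host-side model of the STK
 * filtering a proxy SIM can do on the ME<->SIM command stream
 * (GSM TS 11.11 over ISO 7816-3 T=0). Only the 5-byte command header
 * CLA INS P1 P2 P3 and the 2-byte status word SW1 SW2 are modelled;
 * procedure bytes, data phases and timing are left out. */
#include <stdint.h>
#include <stdio.h>

#define CLA_GSM               0xA0  /* class byte of GSM 11.11 commands */
#define INS_TERMINAL_PROFILE  0x10  /* ME tells the SIM which STK features it supports */
#define INS_FETCH             0x12  /* ME fetches a pending proactive command */
#define INS_TERMINAL_RESPONSE 0x14  /* ME reports the result of a proactive command */
#define INS_SELECT            0xA4
#define INS_ENVELOPE          0xC2  /* ME hands an event / SMS-PP download to the SIM */

enum proxy_action { FORWARD_TO_SIM = 0, ANSWER_LOCALLY = 1 };

/* Policy for a command header arriving from the ME. When the result is
 * ANSWER_LOCALLY, sw holds the status word the proxy sends back itself
 * and the real SIM never sees the command. */
enum proxy_action stk_filter_command(const uint8_t hdr[5], uint8_t sw[2])
{
    if (hdr[0] != CLA_GSM)
        return FORWARD_TO_SIM;
    switch (hdr[1]) {
    case INS_TERMINAL_PROFILE:      /* SIM never learns that the ME supports STK */
    case INS_TERMINAL_RESPONSE:
    case INS_ENVELOPE:              /* design choice: this also drops OTA (SMS-PP) */
        sw[0] = 0x90; sw[1] = 0x00; /* "normal ending of the command" */
        return ANSWER_LOCALLY;
    case INS_FETCH:                 /* cannot occur once 91 xx is rewritten below */
        sw[0] = 0x6D; sw[1] = 0x00; /* "unknown instruction code" */
        return ANSWER_LOCALLY;
    default:
        return FORWARD_TO_SIM;
    }
}

/* Policy for a status word coming back from the SIM. SW1 = 0x91 means
 * "command ok, a proactive command of SW2 bytes is waiting for FETCH";
 * turning it into 90 00 hides the pending command from the ME.
 * Returns 1 if the status word was rewritten. */
int stk_filter_status(uint8_t sw[2])
{
    if (sw[0] != 0x91)
        return 0;
    sw[0] = 0x90; sw[1] = 0x00;
    return 1;
}

/* Constructed stand-in for the real card: it answers SELECT with 91 14,
 * i.e. claims a 20-byte proactive command is pending, and everything
 * else with 90 00. (A real SIM would only do this after TERMINAL PROFILE.) */
static void fake_sim(const uint8_t hdr[5], uint8_t sw[2])
{
    if (hdr[0] == CLA_GSM && hdr[1] == INS_SELECT) { sw[0] = 0x91; sw[1] = 0x14; }
    else                                            { sw[0] = 0x90; sw[1] = 0x00; }
}

/* One ME command through the proxy. Returns 1 if the card saw it, 0 if the
 * proxy answered on its own; sw always holds what the ME receives. */
int proxy_exchange(const uint8_t hdr[5], uint8_t sw[2])
{
    if (stk_filter_command(hdr, sw) == ANSWER_LOCALLY)
        return 0;
    fake_sim(hdr, sw);
    stk_filter_status(sw);
    return 1;
}

int main(void)
{
    /* constructed ME commands: SELECT, TERMINAL PROFILE, FETCH */
    const uint8_t cmds[3][5] = {
        { CLA_GSM, INS_SELECT,           0x00, 0x00, 0x02 },
        { CLA_GSM, INS_TERMINAL_PROFILE, 0x00, 0x00, 0x14 },
        { CLA_GSM, INS_FETCH,            0x00, 0x00, 0x14 },
    };
    for (int i = 0; i < 3; i++) {
        uint8_t sw[2];
        int seen = proxy_exchange(cmds[i], sw);
        printf("ME> %02X %02X %02X %02X %02X -> %s, ME receives SW %02X %02X\n",
               cmds[i][0], cmds[i][1], cmds[i][2], cmds[i][3], cmds[i][4],
               seen ? "forwarded to SIM" : "answered by proxy", sw[0], sw[1]);
    }
    return 0;
}
```

Two things carry over to real proxy firmware: the filter has to act on both directions (swallowing TERMINAL PROFILE alone is not enough, because a card may still answer 91 xx), and every locally answered command must still produce a valid T=0 response sequence on the socket side, which is where the timing work on an 8051 class part actually lies.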
== RebelSIMCard ==

This model has not been analyzed yet.

== RebelSIMCard II ==

The RebelSIMCard II contains a [http://www.silabs.com/Support%20Documents/TechnicalDocs/C8051F300_Short.pdf C8051F300] microcontroller
with 8 kBytes of Flash and 256 Bytes of internal RAM. It runs at about 24 MHz internal clock rate.

=== Wiring ===

The two SIM card interfaces are wired to the F300 controller the following way:
{{{
F300 pin        SIM/socket signal

P0.0            socket I/O
P0.1            SIM RESET
VDD             SIM/socket Vcc
P0.2            NC
P0.3            SIM/socket CLK
P0.7/C2D        testpad
P0.6            NC
C2CK/nRST       socket RESET
C2CK/nRST       testpad
P0.5            SIM I/O
P0.4            NC
}}}

=== Programming ===

The F300 controller can be programmed using Silicon Labs' two-wire in-system programming protocol known as C2 (a clock line C2CK, shared with the nRST pin, and a data line C2D, shared with P0.7).

However, the C2 programming pins are not wired to the SIM card contacts but only to test pads.
It is assumed that the official RebelSIM firmware images contain some alternate
(but unknown) means of flashing via the actual SIM card interface.

It is not known whether any of the LOCK bits have been set on the card. Nobody has yet tried
to re-program it with custom firmware.

51 | === Development === |
||
52 | |||
53 | The SDCC compiler claims to support the F300. |