RebelSIM » History » Version 3
laforge, 02/19/2016 10:49 PM
re-format table and add picture
| 1 | 3 | laforge | {{>toc}} |
|---|---|---|---|
| 2 | 1 | laforge | |
| 3 | 3 | laforge | h1. [[RebelSIM]] Card |
| 4 | 1 | laforge | |
| 5 | 3 | laforge | |
| 6 | The [[RebelSIM]] card is a type of _Proxy SIM_ that can be put between the SIM card reader and the actual SIM card |
||
| 7 | |||
| 8 | 1 | laforge | The proxy is able to manipulate any message from the phone to the card or vice versa, as the SIM Card protocol (TS 11.11) |
| 9 | is not encrypted or authenticated. |
||
| 10 | |||
| 11 | 3 | laforge | The [[RebelSIM]] is typically used for SIM unlocking phones. However, as it is a general proxy SIM, it can be used for |
| 12 | 1 | laforge | any purpose, e.g. for filtering any STK commands between SIM and ME (to fully SIM toolkit) |
| 13 | |||
| 14 | 3 | laforge | [[RebelSIM]] comes in multiple flavors. |
| 15 | 2 | laforge | |
| 16 | 1 | laforge | |
| 17 | 3 | laforge | h2. [[RebelSIMCard]] |
| 18 | |||
| 19 | |||
| 20 | 1 | laforge | This model has not been analyzed yet. |
| 21 | |||
| 22 | |||
| 23 | 3 | laforge | h2. [[RebelSIMCard]] II |
| 24 | |||
| 25 | |||
| 26 | 1 | laforge | [[Image(rebelsim2.jpg)]] |
| 27 | |||
| 28 | 3 | laforge | The [[RebelSIMCard]] II contains a "C8051F300":http://www.silabs.com/Support%20Documents/TechnicalDocs/C8051F300_Short.pdf microcontroller |
| 29 | 2 | laforge | with 8kBytes of Flash and 256 Bytes internal RAM. It runs at about 24 MHz internal clock rate. |
| 30 | 1 | laforge | |
| 31 | |||
| 32 | 3 | laforge | h3. Wiring |
| 33 | |||
| 34 | |||
| 35 | 1 | laforge | The two SIM card interfaces are wired with the F300 controller the following way: |
| 36 | 2 | laforge | |
| 37 | ||F300 pin||SIM/socket||signal|| |
||
| 38 | ||P0.0||socket||I/O|| |
||
| 39 | ||P0.1||SIM||RESET|| |
||
| 40 | ||VDD||SIM/socket||Vcc|| |
||
| 41 | 1 | laforge | ||P0.2||NC|| |
| 42 | ||P0.3||SIM/socket||CLK|| |
||
| 43 | ||P0.7/C2D||testpad|| |
||
| 44 | 2 | laforge | ||P0.6||NC|| |
| 45 | ||C2CK/nRST||socket||RESET|| |
||
| 46 | 1 | laforge | ||C2CK/nRST||testpad|| |
| 47 | 2 | laforge | ||P0.5||SIM||I/O|| |
| 48 | ||P0.4||NC|| |
||
| 49 | |||
| 50 | 1 | laforge | |
| 51 | 3 | laforge | h3. Programming |
| 52 | |||
| 53 | |||
| 54 | 1 | laforge | The F300 controller can be programmed using a two-wire protocol known as C2. |
| 55 | |||
| 56 | However, the C2 programming pins are not wired to the SIM Card itself but only to test pads. |
||
| 57 | 3 | laforge | It is suggested that the official [[RebelSIM]] firmware images probably contain some alternate |
| 58 | 1 | laforge | (but unknown) means of flashing via the actual SIM card interface. |
| 59 | |||
| 60 | It is not known if any of the LOCK bits have been set on the card. Nobody has yet tried |
||
| 61 | to re-program it with custom firmware. |
||
| 62 | |||
| 63 | 3 | laforge | |
| 64 | h3. Development |
||
| 65 | |||
| 66 | 1 | laforge | |
| 67 | The SDCC compiler claims to support the F300. |
