RebelSIM » History » Version 4
laforge, 02/21/2016 10:19 AM
| 1 | 3 | laforge | {{>toc}} |
|---|---|---|---|
| 2 | 1 | laforge | |
| 3 | 3 | laforge | h1. [[RebelSIM]] Card |
| 4 | 1 | laforge | |
| 5 | 3 | laforge | |
| 6 | The [[RebelSIM]] card is a type of _Proxy SIM_ that can be put between the SIM card reader and the actual SIM card |
||
| 7 | |||
| 8 | 1 | laforge | The proxy is able to manipulate any message from the phone to the card or vice versa, as the SIM Card protocol (TS 11.11) |
| 9 | is not encrypted or authenticated. |
||
| 10 | |||
| 11 | 3 | laforge | The [[RebelSIM]] is typically used for SIM unlocking phones. However, as it is a general proxy SIM, it can be used for |
| 12 | 1 | laforge | any purpose, e.g. for filtering any STK commands between SIM and ME (to fully SIM toolkit) |
| 13 | |||
| 14 | 3 | laforge | [[RebelSIM]] comes in multiple flavors. |
| 15 | 2 | laforge | |
| 16 | 1 | laforge | |
| 17 | 3 | laforge | h2. [[RebelSIMCard]] |
| 18 | |||
| 19 | |||
| 20 | 1 | laforge | This model has not been analyzed yet. |
| 21 | |||
| 22 | 3 | laforge | h2. [[RebelSIMCard]] II |
| 23 | |||
| 24 | 1 | laforge | |
| 25 | 4 | laforge | !rebelsim2.jpg! |
| 26 | 1 | laforge | |
| 27 | 3 | laforge | The [[RebelSIMCard]] II contains a "C8051F300":http://www.silabs.com/Support%20Documents/TechnicalDocs/C8051F300_Short.pdf microcontroller |
| 28 | 2 | laforge | with 8kBytes of Flash and 256 Bytes internal RAM. It runs at about 24 MHz internal clock rate. |
| 29 | 1 | laforge | |
| 30 | |||
| 31 | 3 | laforge | h3. Wiring |
| 32 | |||
| 33 | |||
| 34 | 1 | laforge | The two SIM card interfaces are wired with the F300 controller the following way: |
| 35 | 2 | laforge | |
| 36 | ||F300 pin||SIM/socket||signal|| |
||
| 37 | ||P0.0||socket||I/O|| |
||
| 38 | ||P0.1||SIM||RESET|| |
||
| 39 | ||VDD||SIM/socket||Vcc|| |
||
| 40 | 1 | laforge | ||P0.2||NC|| |
| 41 | ||P0.3||SIM/socket||CLK|| |
||
| 42 | ||P0.7/C2D||testpad|| |
||
| 43 | 2 | laforge | ||P0.6||NC|| |
| 44 | ||C2CK/nRST||socket||RESET|| |
||
| 45 | 1 | laforge | ||C2CK/nRST||testpad|| |
| 46 | 2 | laforge | ||P0.5||SIM||I/O|| |
| 47 | ||P0.4||NC|| |
||
| 48 | |||
| 49 | 1 | laforge | |
| 50 | 3 | laforge | h3. Programming |
| 51 | |||
| 52 | |||
| 53 | 1 | laforge | The F300 controller can be programmed using a two-wire protocol known as C2. |
| 54 | |||
| 55 | However, the C2 programming pins are not wired to the SIM Card itself but only to test pads. |
||
| 56 | 3 | laforge | It is suggested that the official [[RebelSIM]] firmware images probably contain some alternate |
| 57 | 1 | laforge | (but unknown) means of flashing via the actual SIM card interface. |
| 58 | |||
| 59 | It is not known if any of the LOCK bits have been set on the card. Nobody has yet tried |
||
| 60 | to re-program it with custom firmware. |
||
| 61 | |||
| 62 | 3 | laforge | |
| 63 | h3. Development |
||
| 64 | |||
| 65 | 1 | laforge | |
| 66 | The SDCC compiler claims to support the F300. |
