RebelSIM Scanner » History » Version 12

laforge, 10/06/2019 03:15 PM

{{>toc}}
*NOTE: This page is kept mostly for historical reasons.  Ever since we created our own SIMtrace hardware in 2011, Osmocom has had no interest in the Rebelsim Scanner.  We believe the [[SIMtrace]] and later [[SIMtrace2]] to be far superior in terms of capabilities.*
h1. Rebel Simcard Scanner
The Rebel Simcard folks sell a relatively inexpensive device for generating SIM card traces, marketed as the _Simcard Scanner_.
!rebelsim-scanner.jpg!
You can find the full kit for less than USD 25 at the "Rebelsimcard shop":http://rebelmicrosimcutter.com/fully-assembled-gsm-umts-cdma-network-simcard-and-mobile-phone-hex-scan.html ("mirror":http://rebelsimcard.com/virtu/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=194&category_id=339&option=com_virtuemart&Itemid=1).
h2. Hardware architecture
The Scanner has one small plug-in SIM sized slot and one full-size (ISO 7816-1) slot for your actual SIM card.  It also has a small socket for an FPC cable that goes to a small PCB the size of a plug-in SIM.

You put the FPC-attached PCB into your phone (instead of the SIM card), put the actual SIM inside the Scanner, and connect the Scanner to your PC via its USB-B connector.

The I/O line of the SIM card is wired to the RxD pin (5) of the FT232RL on the Scanner.  Unfortunately, the CLK line is not connected, nor can the device serve as a proxy between SIM and phone.
29
h2. Pinout
It is possible to use it as a smart card physical interface for [[SIMtrace]].
Here is the pinout:
|_.Smart Card |_.CON1 |_.CON2 |_.CON3 |_.CON17 |_.USB3 |
| C1-VCC | 1 | 3 | 1 | 8 | 8 |
| C2-RST | 2 | 5 |   |   | 6 |
| C3-CLK | 3 | 7 |   |   | 4 |
| C5-GND | 6 | 4 | 5 | 4,9,11,13,15 | 7 |
| C6-VPP | 5 |   |   |   |   |
| C7-I/O | 4 | 8 | 6 | 2 | 3 |
{{thumbnail(rebelsimscan_pin.jpg, size=500)}}
h2. Mode of operation
h3. Original UART use
The original [[RebelSIM]] users simply use the FT232RL in UART mode and set the baud rate to match that of the actual SIM card reader.  The baud rate, however, is negotiated in the PPS after the ATR, and it depends on the frequency of the CLK signal generated by the reader.

This means you effectively have to use an oscilloscope to measure the bit length (etu) and calculate a matching baud rate, which you can then program the FT232R to use.
h3. Modified bit-banging use
By using the FT232 asynchronous bit-banging mode, it is possible to obtain samples of the I/O line and decode the actual T=0 (or, with some SIM cards and phones, T=1) protocol.
The *unresolved problem* with this is that the sample clock of the FT232R seems very unstable, which results in a lot of jitter in the sample stream.  Furthermore, it is suspected that USB may cause buffer overruns and lead to lost samples.
Harald has been doing a lot of experimentation with this, and unfortunately abandoned the project for now.
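To make the bit-banging approach above concrete, here is an added example (not code from the Osmocom wiki or the RebelSIM project) that decodes ISO 7816-3 asynchronous characters, as used by T=0, from an oversampled capture of the I/O line. It assumes the capture has already been reduced to one 0/1 sample per bit-bang read, a hypothetical oversampling factor of 8 samples per etu and the direct convention; sampling each bit at its centre by majority vote tolerates the jitter described above, and the even-parity check flags characters that jitter or lost samples have corrupted.

```python
"""Decode ISO 7816-3 asynchronous characters (start bit, 8 data bits LSB first,
even parity, guard time) from an oversampled 0/1 capture of the SIM I/O line."""

SAMPLES_PER_ETU = 8  # hypothetical oversampling factor of the bit-bang capture


def sample_bit(samples, centre, half_window=1):
    """Majority vote over a small window around the nominal bit centre."""
    lo = max(0, centre - half_window)
    hi = min(len(samples), centre + half_window + 1)
    window = samples[lo:hi]
    return 1 if sum(window) * 2 > len(window) else 0


def encode_character(value, spe=SAMPLES_PER_ETU, parity_error=False, guard_etu=2):
    """Build the constructed sample stream of one character (test input only)."""
    data = [(value >> k) & 1 for k in range(8)]          # LSB first (direct convention)
    parity = sum(data) % 2                                # even parity over the data bits
    if parity_error:
        parity ^= 1                                       # simulate a corrupted character
    bits = [0] + data + [parity] + [1] * guard_etu        # start, data, parity, guard time
    return [b for b in bits for _ in range(spe)]


def decode_characters(samples, spe=SAMPLES_PER_ETU):
    """Return a list of (byte, parity_ok) tuples found in the sample stream."""
    chars = []
    n = len(samples)
    i = 1
    while i < n:
        # a falling edge from the idle-high line is a start bit candidate
        if samples[i - 1] == 1 and samples[i] == 0:
            start = i
            # confirm the start bit at its centre, rejecting single-sample glitches
            if sample_bit(samples, start + spe // 2) != 0 or start + 10 * spe > n:
                i += 1
                continue
            # sample the 8 data bits and the parity bit at their nominal centres
            bits = [sample_bit(samples, start + k * spe + spe // 2) for k in range(1, 10)]
            value = sum(b << k for k, b in enumerate(bits[:8]))
            parity_ok = sum(bits) % 2 == 0                # data + parity must have even weight
            chars.append((value, parity_ok))
            i = start + 10 * spe                          # resume in the guard time
        else:
            i += 1
    return chars
```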