RebelSIM Scanner » History » Version 3
laforge, 02/19/2016 10:48 PM
update about bitbang jitter/dropouts
| 1 | 2 | laforge | [[PageOutline]] |
|---|---|---|---|
| 2 | 1 | laforge | = Rebel Simcard Scanner = |
| 3 | |||
| 4 | 2 | laforge | The Rebel Simcard folks are selling a relatively inexpensive device for generating SIM card traces as ''Simcard Scanner''. |
| 5 | |||
| 6 | [[Image(rebelsim-scanner.jpg)]] |
||
| 7 | |||
| 8 | You can find the full kit for less than USD 25 at the |
||
| 9 | 1 | laforge | [http://rebelsimcard.com/virtu/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=194&category_id=339&option=com_virtuemart&Itemid=1 Rebelsimcard shop]. |
| 10 | |||
| 11 | == Hardware architecture == |
||
| 12 | |||
| 13 | The Scanner has one small plug-in SIM sized slot and one full-size (ISO 7816-1) slot for your actual simcard. |
||
| 14 | |||
| 15 | It also has a small socket for a FPC cable that goes to a small PCB in the size of a plug-in sim. |
||
| 16 | |||
| 17 | You put the FPC-attached PCB into your phone (instead of the SIM card) and put the actual SIM inside the Scanner. |
||
| 18 | |||
| 19 | Furthermore, you connect it via the USB-B connector to your PC. |
||
| 20 | |||
| 21 | The I/O line of the SIM card is wired to the RxD pin (5) of the FT232RL on the Scanner. Unfortunately, the CLK |
||
| 22 | line is not connected, and neither can the device serve as a proxy between SIM and phone. |
||
| 23 | |||
| 24 | 3 | laforge | == Mode of operation == |
| 25 | |||
| 26 | === Original UART use === |
||
| 27 | The original RebelSIM users simply use the FT232RL in UART mode and set the baud rate to match that of the actual SIM |
||
| 28 | card reader. Since the baudrate is negotiated in the PPS after ATR, and it depends on the frequency of the CLK signal |
||
| 29 | generated by the reader. |
||
| 30 | |||
| 31 | This means you effectively have to use an oscilloscope to measure the bit length (etu) and calculate a matching baud |
||
| 32 | rate which you can then program the FT232R to use. |
||
| 33 | |||
| 34 | === Modified bit-banging use === |
||
| 35 | |||
| 36 | By using the FT232 asynchronous bit-banging mode, it is possible to obtain samples of the I/O line, decoding |
||
| 37 | 1 | laforge | the actual T=0 (or with some SIM cards + phones T=1) protocol. |
| 38 | 3 | laforge | |
| 39 | The '''unresolved problem''' with this is that the sample clock of the FT232R seems very unstable. This results in |
||
| 40 | a lot of jitter in the sample stream. Furthermore it is suspected that USB may cause buffer overruns and leads to |
||
| 41 | lost samples. |
||
| 42 | |||
| 43 | Harald has been doing a lot of experimentation with this, and unfortunately abandonded the project for now. |
