RebelSIM Scanner » History » Version 5
tsaitgaist, 02/19/2016 10:48 PM
pinout error
[[PageOutline]]
= Rebel Simcard Scanner =

The Rebel Simcard folks sell a relatively inexpensive device for capturing SIM card traces, marketed as the ''Simcard Scanner''.

[[Image(rebelsim-scanner.jpg)]]

You can find the full kit for less than USD 25 at the [http://rebelmicrosimcutter.com/fully-assembled-gsm-umts-cdma-network-simcard-and-mobile-phone-hex-scan.html Rebelsimcard shop]
([http://rebelsimcard.com/virtu/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=194&category_id=339&option=com_virtuemart&Itemid=1 mirror]).
== Hardware architecture ==

The Scanner has one small plug-in SIM sized slot and one full-size (ISO 7816-1) slot for your actual simcard.

It also has a small socket for an FPC cable that goes to a small PCB the size of a plug-in SIM.

You put the FPC-attached PCB into your phone (instead of the SIM card) and put the actual SIM inside the Scanner.

Furthermore, you connect it via the USB-B connector to your PC.

The I/O line of the SIM card is wired to the RxD pin (5) of the FT232RL on the Scanner. Unfortunately, the CLK
line is not connected to the FT232RL (it is only passed through between the card slot and the phone adapter, see the
pinout below), so the PC side has no clock reference; nor can the device serve as a proxy between SIM and phone, since
the FT232RL only listens on the I/O line.
== Pinout ==

It is possible to use it as a smart card physical interface for [wiki:SIMtrace].

Here is the pinout (contact numbers C1..C7 as in ISO 7816-2):

|| Smart Card || CON1 || CON2 || CON3 || CON17 || USB3 ||
|| C1-VCC || 1 || 3 || 1 || 8 || 8 ||
|| C2-RST || 2 || 5 || || || 6 ||
|| C3-CLK || 3 || 7 || || || 4 ||
|| C5-GND || 6 || 4 || 5 || 4,9,11,13,15 || 7 ||
|| C6-VPP || 5 || || || || ||
|| C7-I/O || 4 || 8 || 6 || 2 || 3 ||

[[Image(rebelsimscan_pin.jpg,500px)]]
== Mode of operation ==

=== Original UART use ===

The original RebelSIM users simply use the FT232RL in UART mode and set the baud rate to match that of the actual SIM
card interface. The catch is that this baud rate is not fixed: one etu is F/D cycles of the CLK signal generated by
the reader (here the phone), so the bit rate depends on the CLK frequency, and F and D are announced in the ATR and
negotiated in the PPS after the ATR.

This means you effectively have to use an oscilloscope to measure the bit length (etu) and calculate a matching baud
rate which you can then program the FT232R to use.
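The arithmetic behind that, as an added example (this is not code from the RebelSIM vendor or from SIMtrace): it decodes the F and D codes from the ATR's TA1 byte using the ISO 7816-3 tables, turns a CLK frequency or a measured etu into the nominal I/O baud rate, and then finds the closest rate the FT232R's fractional divider (3 MHz / (n + k/8), per the FTDI datasheet) can actually produce. The 3.5712 MHz clock and the TA1 values in the demo are constructed inputs standing in for what you would measure with the scope and read from your card's ATR.

```python
"""Turn the SIM card's clock and ATR parameters into an FT232R baud rate.

Added example for this wiki page; it is not code from the RebelSIM vendor or
from SIMtrace.  The CLK frequency and the TA1 byte used below are constructed
inputs standing in for what you would measure with a scope and read from the
card's ATR.
"""

from typing import Tuple

# ISO 7816-3 tables for the clock rate conversion integer F and the baud rate
# adjustment integer D, indexed by the high and low nibble of interface byte
# TA1.  None marks codes that are reserved for future use.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
            None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20,
            None, None, None, None, None, None]

FT232R_BASE_CLOCK = 3_000_000  # input to the FT232R baud rate generator (FTDI datasheet)


def fd_from_ta1(ta1: int) -> Tuple[int, int]:
    """(F, D) encoded in TA1; a card without TA1 uses the default 0x11 = 372/1."""
    f = FI_TABLE[(ta1 >> 4) & 0xF]
    d = DI_TABLE[ta1 & 0xF]
    if f is None or d is None:
        raise ValueError(f"TA1=0x{ta1:02X} uses a reserved F or D code")
    return f, d


def etu_seconds(f_clk_hz: float, f: int = 372, d: int = 1) -> float:
    """One elementary time unit lasts F/D cycles of the CLK the phone supplies."""
    return (f / d) / f_clk_hz


def baud_from_clock(f_clk_hz: float, f: int = 372, d: int = 1) -> float:
    """One bit per etu on the I/O line, so baud = f_clk * D / F."""
    return 1.0 / etu_seconds(f_clk_hz, f, d)


def baud_from_measured_etu(etu_s: float) -> float:
    """The scope route: measure one bit length on I/O and invert it."""
    return 1.0 / etu_s


def nearest_ft232r_baud(target: float) -> Tuple[float, float]:
    """Closest rate the FT232R can generate and its relative error.

    The FT232R divider produces baud = 3 MHz / (n + k/8) with n = 2..16384 and
    k = 0..7.  Rates above 1.5 Mbaud use special divisor codes and are not
    needed for a SIM interface, so they are rejected here.
    """
    if target > FT232R_BASE_CLOCK / 2:
        raise ValueError("above the fractional divider range")
    eighths = round(FT232R_BASE_CLOCK / target * 8)          # quantise n + k/8 to 1/8
    eighths = min(max(eighths, 2 * 8), 16384 * 8)            # keep n within 2..16384
    actual = FT232R_BASE_CLOCK / (eighths / 8)
    return actual, (actual - target) / target


def plan_uart_setting(f_clk_hz: float, ta1: int = 0x11) -> Tuple[float, float, float]:
    """Full chain: CLK + negotiated TA1 -> nominal baud, FT232R baud, relative error."""
    f, d = fd_from_ta1(ta1)
    nominal = baud_from_clock(f_clk_hz, f, d)
    actual, err = nearest_ft232r_baud(nominal)
    return nominal, actual, err


if __name__ == "__main__":
    # Constructed inputs: a phone clocking the SIM at 3.5712 MHz and three TA1 codes.
    for ta1 in (0x11, 0x94, 0x96):
        nominal, actual, err = plan_uart_setting(3_571_200, ta1)
        print(f"TA1=0x{ta1:02X}: I/O runs at {nominal:.0f} baud, "
              f"FT232R can do {actual:.1f} ({err * 100:+.3f} %)")
```

Note what this shows about the scanner's limitation: the only unknown in the chain is the CLK frequency, and that is exactly the signal the FT232RL never sees, which is why the scope measurement is unavoidable. Also remember that a PPS can change F/D mid-session, so a rate that decoded the ATR correctly may turn to garbage once the phone switches to a faster TA1.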
=== Modified bit-banging use ===

By using the FT232R asynchronous bit-bang mode, it is possible to obtain samples of the I/O line at a fixed sample
rate and then decode the character framing and the actual T=0 (or, with some SIM cards + phones, T=1) protocol in
software.

The '''unresolved problem''' with this is that the sample clock of the FT232R seems very unstable. This results in
a lot of jitter in the sample stream. Furthermore it is suspected that USB may cause buffer overruns and lead to
lost samples.

Harald has been doing a lot of experimentation with this, and unfortunately abandoned the project for now.
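To make concrete what "decoding in software" means here, and where the jitter bites, the following is an added example (not code from the RebelSIM scanner or from SIMtrace). It decodes ISO 7816-3 characters (start bit, 8 data bits, even parity, guard time) from an oversampled level stream such as bit-bang mode would deliver, in both the direct (TS=0x3B) and inverse (TS=0x3F) conventions. It assumes the sample rate is a known integer multiple of the etu; the captures are constructed by the included encoder from known bytes rather than taken from a real card. Each character is re-synchronised on its own start-bit edge and sampled at bit centres, so drift between characters costs nothing, but the decode only survives timing error below half an etu over the ten bits of one character, which is the budget the FT232R's unstable sample clock and dropped samples blow through.

```python
"""Decode ISO 7816-3 characters from an oversampled capture of the SIM I/O line.

Added example for this wiki page; it is not code from the RebelSIM scanner
or from SIMtrace.  The sample streams are constructed here by an encoder
from known bytes, standing in for what FT232R asynchronous bit-bang mode
returns for the RxD pin.  Assumption: the sample rate is a known integer
multiple of the etu (spe = samples per etu).
"""

from typing import List, Optional, Tuple


def _parity_bit(value: int) -> int:
    """ISO 7816-3 uses even parity over the 8 data bits of each character."""
    return bin(value).count("1") & 1


def encode_char(value: int, spe: int, inverse: bool = False, guard_etu: int = 2) -> List[int]:
    """Line levels (1 = high) for one character: start, 8 data, parity, guard time.

    Direct convention (ATR TS = 0x3B): logic 1 is high and the LSB is sent first.
    Inverse convention (TS = 0x3F): logic 1 is low and the MSB is sent first.
    """
    logic = [(value >> k) & 1 for k in range(8)] + [_parity_bit(value)]
    if inverse:
        logic = logic[7::-1] + logic[8:]          # data MSB first, parity last
        levels = [1 - b for b in logic]           # logic 1 -> low level
    else:
        levels = logic
    bits = [0] + levels + [1] * guard_etu         # start bit is low in both conventions
    return [lvl for lvl in bits for _ in range(spe)]


def decode_chars(samples: List[int], spe: int, inverse: bool = False) -> List[Tuple[int, bool]]:
    """Return (byte, parity_ok) for every character in the sample stream.

    Each character is re-synchronised on its own start-bit falling edge and every
    bit is read at its nominal centre, so timing error only has to stay below half
    an etu across the 10 bits of one character; drift between characters is free.
    """
    out: List[Tuple[int, bool]] = []
    n = len(samples)
    i = 1
    while i < n:
        if not (samples[i - 1] == 1 and samples[i] == 0):     # wait for an H -> L edge
            i += 1
            continue
        centres = [i + spe // 2 + k * spe for k in range(10)]  # start, 8 data, parity
        if centres[-1] >= n:
            break                                             # truncated character
        bits = [samples[c] for c in centres]
        if bits[0] != 0:                                      # glitch shorter than half an etu
            i += 1
            continue
        levels, parity_level = bits[1:9], bits[9]
        if inverse:
            logic = [1 - b for b in levels][::-1]             # back to LSB-first logic values
            parity_logic = 1 - parity_level
        else:
            logic, parity_logic = levels, parity_level
        value = sum(b << k for k, b in enumerate(logic))
        out.append((value, _parity_bit(value) == parity_logic))
        i += 10 * spe                                         # skip into the guard time
    return out


def build_capture(values: List[int], spe: int, inverse: bool = False,
                  gaps: Optional[List[int]] = None) -> List[int]:
    """Constructed capture: idle-high line, then characters with uneven extra gaps
    between them, as a phone that pauses between bytes would produce."""
    stream = [1] * (3 * spe)
    for k, v in enumerate(values):
        stream += encode_char(v, spe, inverse)
        stream += [1] * (gaps[k] if gaps else 0)
    return stream


def corrupt_parity(char_samples: List[int], spe: int) -> List[int]:
    """Invert the parity-bit samples of one encoded character (simulated line error)."""
    out = list(char_samples)
    out[9 * spe:10 * spe] = [1 - s for s in out[9 * spe:10 * spe]]
    return out


if __name__ == "__main__":
    SPE = 16
    atr_head = [0x3B, 0x9F, 0x95, 0x80, 0x1F]    # constructed: start of a direct-convention ATR
    print(decode_chars(build_capture(atr_head, SPE, gaps=[5, 0, 23, 1, 0]), SPE))
    print(decode_chars(build_capture([0x3F, 0x2F], SPE, inverse=True), SPE, inverse=True))
    bad = [1] * SPE + corrupt_parity(encode_char(0x95, SPE), SPE)
    print(decode_chars(bad, SPE))                # prints [(149, False)]
```

A real T=0 decoder sits on top of this: after the ATR it pairs command headers from the phone with procedure bytes and status words from the card on the same half-duplex line, and in T=0 a parity error would normally be signalled back by the receiver pulling I/O low during the guard time, which a passive tap can observe but not generate. Whether the jitter the page describes is survivable can be tested with exactly this kind of decoder by feeding it real bit-bang captures and counting parity failures per character.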