RebelSIM Scanner » History » Version 6
tsaitgaist, 02/19/2016 10:49 PM
pinout error
{{>toc}}

h1. Rebel Simcard Scanner

The Rebel Simcard folks are selling a relatively inexpensive device for generating SIM card traces under the name _Simcard Scanner_.

[[Image(rebelsim-scanner.jpg)]]

You can find the full kit for less than USD 25 at the "Rebelsimcard shop":http://rebelmicrosimcutter.com/fully-assembled-gsm-umts-cdma-network-simcard-and-mobile-phone-hex-scan.html ("mirror":http://rebelsimcard.com/virtu/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=194&category_id=339&option=com_virtuemart&Itemid=1).
h2. Hardware architecture

The Scanner has one small plug-in-SIM-sized slot and one full-size (ISO 7816-1) slot for your actual SIM card.

It also has a small socket for an FPC cable that goes to a small PCB the size of a plug-in SIM.

You put the FPC-attached PCB into your phone (instead of the SIM card) and put the actual SIM inside the Scanner.

Furthermore, you connect it via the USB-B connector to your PC.

The I/O line of the SIM card is wired to the RxD pin (5) of the FT232RL on the Scanner. Unfortunately, the CLK line is not connected, and the device cannot serve as a proxy between SIM and phone either.
h2. Pinout

It is possible to use it as a smart card physical interface for [[SIMtrace]].

Here is the pinout:

|| Smart Card || CON1 || CON2 || CON3 || CON17 || USB3 ||
|| C1-VCC || 1 || 3 || 1 || 8 || 8 ||
|| C2-RST || 2 || 5 || || || 6 ||
|| C3-CLK || 3 || 7 || || || 4 ||
|| C5-GND || 6 || 4 || 5 || 4,9,11,13,15 || 7 ||
|| C6-VPP || 5 || || || || ||
|| C7-I/O || 4 || 8 || 6 || 2 || 3 ||

{{thumbnail(rebelsimscan_pin.jpg, size=500)}}
h2. Mode of operation

h3. Original UART use

The original [[RebelSIM]] users simply use the FT232RL in UART mode and set the baud rate to match that of the actual SIM card reader. The baud rate is negotiated in the PPS after the ATR, and it depends on the frequency of the CLK signal generated by the reader, which is not available to the Scanner.

This means you effectively have to use an oscilloscope to measure the bit length (etu) and calculate a matching baud rate, which you can then program the FT232R to use.
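The arithmetic behind that step, as an added example that is not part of the original page or of any Rebel Simcard software: it derives the line rate from a measured etu, or from the reader clock and the F/D values encoded in the ATR's TA1 byte (ISO 7816-3), and then picks the closest rate the FT232R baud generator can actually produce (3 MHz divided by n + k/8, as described in FTDI's application note on baud rates). The 104 µs scope reading and the TA1/clock values in the usage section are constructed sample inputs.

```python
"""Baud-rate arithmetic for sniffing a SIM I/O line with an FT232R in UART mode.

Added example, not code from the original wiki page or from Rebel Simcard.
The ISO 7816-3 relations (1 etu = F/D clock cycles, default F=372, D=1) and
the FT232R baud generator (3 MHz divided by n + k/8, FTDI AN232B-05) are
standard; the measured etu value below is a constructed sample input.
"""

# ISO 7816-3 tables, indexed by the high (Fi) and low (Di) nibble of TA1.
# None marks codes the standard reserves (RFU).
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
            None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20,
            None, None, None, None, None, None]

FT232R_BASE_CLOCK = 3_000_000  # Hz


def etu_seconds(f_clk_hz, F=372, D=1):
    """Length of one elementary time unit for a given reader CLK frequency."""
    return F / (D * f_clk_hz)


def baud_from_etu(etu_s):
    """One bit on the I/O line lasts one etu, so the line rate is 1/etu."""
    return 1.0 / etu_s


def baud_from_clock(f_clk_hz, F=372, D=1):
    """Line rate implied by the reader clock and the active F/D pair."""
    return baud_from_etu(etu_seconds(f_clk_hz, F, D))


def baud_from_ta1(ta1, f_clk_hz):
    """Rate after a PPS that selects the Fi/Di encoded in the ATR's TA1 byte.

    Raises ValueError for RFU nibbles, which a conforming card never sends.
    """
    F = FI_TABLE[(ta1 >> 4) & 0x0F]
    D = DI_TABLE[ta1 & 0x0F]
    if F is None or D is None:
        raise ValueError("TA1 0x%02X uses a reserved Fi or Di code" % ta1)
    return baud_from_clock(f_clk_hz, F, D)


def ft232r_nearest_baud(target_baud):
    """Closest rate the FT232R baud generator can produce.

    Returns (achievable_baud, divisor, error_percent).  The generator divides
    3 MHz by n + k/8 (n >= 2, k in 0..7); divisors 0 and 1 are special-cased
    by the chip to 3 and 2 Mbaud.  Only divisors near the target are tried.
    """
    candidates = [(3_000_000.0, 0.0), (2_000_000.0, 1.0)]
    n_center = int(FT232R_BASE_CLOCK // target_baud)
    for n in range(max(2, n_center - 1), n_center + 2):
        for k in range(8):
            divisor = n + k / 8
            candidates.append((FT232R_BASE_CLOCK / divisor, divisor))
    baud, divisor = min(candidates, key=lambda c: abs(c[0] - target_baud))
    error_pct = 100.0 * (baud - target_baud) / target_baud
    return baud, divisor, error_pct


def uart_setting_for_measured_etu(etu_s):
    """Turn a scope measurement of one bit into an FT232R rate.

    Flags the result as unusable when the rate error exceeds the +/-3 %
    tolerance FTDI quotes for its UARTs.
    """
    target = baud_from_etu(etu_s)
    baud, divisor, err = ft232r_nearest_baud(target)
    return {"target_baud": target, "ft232r_baud": baud,
            "divisor": divisor, "error_percent": err, "ok": abs(err) <= 3.0}


if __name__ == "__main__":
    # Constructed sample: a scope shows a 104 us bit on the I/O line.
    print(uart_setting_for_measured_etu(104e-6))
    # Default ATR rate with a 3.5712 MHz reader clock: exactly 9600 baud.
    print(baud_from_clock(3_571_200))
    # Constructed case: a card that negotiated TA1=0x94 on a 4 MHz clock.
    print(baud_from_ta1(0x94, 4_000_000))
```

Because the Scanner does not see CLK, `baud_from_ta1` only helps when the reader clock is known from elsewhere; in practice the etu measured on the scope is the input, and `uart_setting_for_measured_etu` tells you whether the FT232R can hit that rate closely enough.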
h3. Modified bit-banging use

By using the FT232 asynchronous bit-banging mode, it is possible to obtain samples of the I/O line and decode the actual T=0 (or, with some SIM cards and phones, T=1) protocol.

The *unresolved problem* with this is that the sample clock of the FT232R seems very unstable, which results in a lot of jitter in the sample stream. Furthermore, it is suspected that USB may cause buffer overruns, leading to lost samples.

Harald has been doing a lot of experimentation with this, and unfortunately abandoned the project for now.
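What the decoding step amounts to, as an added example that is not part of the original page or of any project code: a small software UART run over a list of 0/1 samples of the I/O line, assuming the bit-bang capture has already been reduced to a fixed number of samples per etu. It re-synchronises on every start bit, checks the even parity of each ISO 7816-3 character and tells the direct from the inverse convention by the TS byte, so a frame damaged by the jitter or lost samples described above shows up as a parity error, while a frame shifted by a whole bit can still pass parity with a wrong value. The byte sequences used as input are constructed, not a real card trace.

```python
"""Decoding a sampled SIM I/O line into T=0 characters.

Added example, not code from the original wiki page or from Rebel Simcard.
It assumes the bit-bang capture has already been reduced to a list of 0/1
samples of the I/O line taken at a fixed number of samples per etu; the
framing (start bit, 8 data bits, even parity, guard time) and the direct /
inverse conventions signalled by TS are ISO 7816-3.  The byte sequences used
as sample input are constructed, not a real card trace.
"""


def _levels(byte, convention):
    """Line levels of the 8 data bits and parity bit, in transmission order."""
    logic = [(byte >> i) & 1 for i in range(8)]          # LSB first (direct)
    if convention == "inverse":
        logic = logic[::-1]                               # MSB first
    logic.append(sum(logic) & 1)                          # even parity bit
    return logic if convention == "direct" else [1 - b for b in logic]


def encode_frames(data, samples_per_etu, convention="direct", guard_etus=2):
    """Constructed capture: idle-high line with one character frame per byte."""
    stream = [1] * (4 * samples_per_etu)
    for byte in data:
        bits = [0] + _levels(byte, convention) + [1] * guard_etus
        for level in bits:
            stream.extend([level] * samples_per_etu)
    stream.extend([1] * (4 * samples_per_etu))
    return stream


def decode_frames(samples, samples_per_etu, convention="direct"):
    """Return [(byte, parity_ok), ...] found in the sample stream.

    Every frame re-synchronises on its own start-bit edge, so slow drift is
    tolerated; a frame shortened by lost samples or shifted by jitter shows
    up as a parity error, or as a wrong byte with good parity, which the
    decoder cannot detect on its own.
    """
    frames = []
    n = len(samples)
    i = 1
    while i < n:
        if not (samples[i - 1] == 1 and samples[i] == 0):
            i += 1
            continue
        # Falling edge: sample the centre of start, 8 data and parity bits.
        centre = i + samples_per_etu // 2
        idx = [centre + k * samples_per_etu for k in range(10)]
        if idx[-1] >= n:
            break                                 # frame cut off by end of capture
        levels = [samples[j] for j in idx]
        if levels[0] != 0:
            i += 1                                # glitch shorter than half an etu
            continue
        logic = levels[1:] if convention == "direct" else [1 - b for b in levels[1:]]
        data, parity = logic[:8], logic[8]
        if convention == "inverse":
            data = data[::-1]                     # MSB was sent first
        value = sum(bit << k for k, bit in enumerate(data))
        frames.append((value, (sum(data) + parity) % 2 == 0))
        i = idx[-1] + 1                           # continue after the parity bit
    return frames


def detect_convention(samples, samples_per_etu):
    """Use the ATR's TS byte: read as direct, 0x3B means direct, 0x03 inverse."""
    first = decode_frames(samples, samples_per_etu)
    if not first:
        return None
    return {0x3B: "direct", 0x03: "inverse"}.get(first[0][0])


def decode_capture(samples, samples_per_etu):
    """Detect the convention from TS and return (hex string, bad_frame_count)."""
    convention = detect_convention(samples, samples_per_etu) or "direct"
    frames = decode_frames(samples, samples_per_etu, convention)
    hexstr = " ".join("%02X" % v for v, _ in frames)
    return hexstr, sum(1 for _, ok in frames if not ok)


if __name__ == "__main__":
    # Constructed ATR-like prefix, 4 samples per etu.
    stream = encode_frames([0x3B, 0x9F, 0x95], samples_per_etu=4)
    print(decode_capture(stream, 4))
    stream = encode_frames([0x3F, 0x6D], samples_per_etu=4, convention="inverse")
    print(decode_capture(stream, 4))
    # Lost samples: drop one etu (4 samples) out of a single-byte capture.
    damaged = encode_frames([0x3B], samples_per_etu=4)
    del damaged[32:36]
    print(decode_frames(damaged, 4))           # wrong byte, parity still even
```

The last case in the usage section is the one that makes the unresolved problem hard to diagnose from the data alone: losing a whole etu shifts every later bit by one position, and the resulting byte can still have even parity, so parity errors only catch part of the damage and a reference trace (or a stable sample clock) is needed to judge the capture.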