Osmocom SIMtrace¶

WARNING: this project only applies to the first generation SIMtrace hardware, which uses the Atmel AT91SAM7S micro-controller. This project is not supported anymore. The hardware and software are still working, but won't get updates. This project is now replaced by SIMtrace 2, which uses the SAM3S replacement micro-controller. Patches to add support for the Atmel AT91SAM7S in the simtrace2 software are welcome.

• Table of contents
• Osmocom SIMtrace
  • Features
  • TODO
  • Hardware
  • Firmware
  • Documentation
  • Host PC Software
    • Preconditions
    • Compiling it
    • Accessing it
    • Using it
  • Wireshark integration
  • Other software
  • Contact / Mailing List

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It looks a bit like this:

When connected to a phone, it looks like this:

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone. The received bytes are sent via USB to the PC, where a program called simtrace on the PC gathers data from the USB device, parses the APDUs and forwards them via GSMTAP to the wireshark protocol analyzer.

Features¶

• Completely passive scanner
• RST and ATR detection
• Auto-bauding with PPS / PTS support
• Segmentation of APDUs

SIMtrace can be used to monitor the ME-SIM communication, but also emulate a phone or SIM, or be MitM.
While the hardware supports all these modes, only the monitoring aspect has been implemented in software.

TODO¶

SIMtrace is a community project, and help is more than welcome.

Some tasks do and require no knowledge of electronics or SIM cards protocols, and only require very basic C programming skills:

• Use libusb hot-plugging API to keep the program running across SIMrtace disconnects

Some tasks do not require microcontroller programming skills:

• extending/completing the wireshark dissectors for the SIM protocol.

Here's some of the other things that could be improved:

• Check for parity errors
• Verify TCK / PCK check-bytes
• Implement MITM

Hardware¶

The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from RebelSIM_Scanner. If the RebelSIM scanner is used, connect the USB even if just the lines are used. It needs to be powered, else the real reader will often fail to initialize the card.

Now we have a dedicated PCB design. The schematics and Gerber files are released as open source hardware and can be produced by everyone.

However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace

It could also be interfaced with full size SIM card with a separate adapter

More details are available at SIMtrace_Hardware

Firmware¶

The firmware for the AT91SAM7S device was written by reusing a lot of the code for the OpenPCD
RFID reader. Details are available at SIMtrace Firmware.

Documentation¶

Please check the attachments for a usermanual. In there you will find some hints to install ready made packages for
your favorite Linux Distribution.

Host PC Software¶

The simtrace program is part of the https://gitea.osmocom.org/sim-card/simtrace repository. It will bind to the USB device and send GSMTAP frames using UDP/IPv4 to localhost:4729.

Preconditions¶

libosmocore and headers (simtrace_usb.h) from the firmware.

additional packages :

sudo apt-get install libusb-1.0-0-dev

Compiling it¶

git clone https://gitea.osmocom.org/sim-card/simtrace
cd simtrace/host/
make

Accessing it¶

Add udev rules so to be able to use simtrace and access the device as non-root user (only need to be in the osmocom group)

sudo groupadd osmocom
sudo adduser $USERNAME osmocom
sudo tee /etc/udev/rules.d/10-osmocom.rules << EOF
# to use, install this file in /etc/udev/rules.d as 10-osmocom.rules
# rule to grant read/write access on SIMtrace to group named osmocom.
SUBSYSTEM=="usb", ATTR{idProduct}=="0762", ATTRS{idVendor}=="16c0", MODE="0660", GROUP="osmocom" 
EOF
sudo service udev reload

you must log out and back in so to take effect.

Using it¶

Simply start simtrace.
It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:

sudo ./simtrace
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f
APDU: (8):  a0 b0 00 00 01 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f
APDU: (9):  a0 b0 00 00 02 00 01 91 78
APDU: (9):  a0 a4 00 00 02 6f 74 9f 0f
APDU: (23):  a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f
APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9):  a0 a4 00 00 02 6f 30 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78

Wireshark integration¶

The Support for the SIM protocol is included in wireshark since wireshark 1.7.1.

To see the APDUs in wireshark:
By default, SIMtrace automatically opens a UDP sink on localhost. So launching simtrace is enough to send the traces to localhost:

$ sudo simtrace

To then capture the traces with wireshark you can use the following command:

$ wireshark -i lo -f 'udp port 4729' 

To get the data on another machine:

• start an UDP sink for GSMTAP on the other machine (do not use netcat as it "connects" back)
  

  socat -u udp-recv:4729 /dev/null
  

• tell SIMtrace on which machine to forward
  

  ./simtrace -i 192.168.0.1
  

Wireshark's protocol parsing is far from being complete, patches are always welcome!

Other software¶

• simlabTrace seem to be capable of MITM and also seem to have a CCID driver to use SIMtrace as a card reader.

Contact / Mailing List¶

For any development or usage related questions, there is a mailinglist [mailto:simtrace@lists.osmocom.org], you can subscribe/unsubscribe to it at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please make sure you read the MailingListRules before you start posting.