SIMtrace » History » Version 26

tsaitgaist, 02/19/2016 10:48 PM
libusb-1.0-0-dev

[[PageOutline]]
= Osmocom SIMtrace =

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It looks a bit like this:
{{{
#!graphviz
digraph G{
  //rankdir = LR;
  Phone -> SIMtrace [label = "Flexi-PCB cable"];
  SIMtrace -> SIM;
  SIMtrace -> PC [label = "USB cable"];

  SIMtrace [ label = "SIMtrace hardware" ];
}
}}}

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.
The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone.
The received bytes are sent via USB to the PC, where a program called {{{simtrace}}} gathers data from the USB device,
parses the APDUs and forwards them via [wiki:GSMTAP] to the [wiki:wireshark] protocol analyzer.

== Features ==
 * Completely passive scanner
 * RST and ATR detection
 * Auto-bauding with PPS / PTS support
 * Segmentation of APDUs

== TODO ==
 * Check for parity errors
 * Verify TCK / PCK check-bytes

== Hardware ==

The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [wiki:RebelSIM_Scanner]. If the RebelSIM scanner is used, connect its USB even if only the lines are used: it needs to be powered, otherwise the real reader will often fail to initialize the card.

Next we started prototyping a custom board.  More details are available at [wiki:SIMtrace/Hardware].

Update (2011-07-29): We have just received the first 100 units from the SMT factory. They will be available at [http://events.ccc.de/camp/2011 CCC Camp 2011].

This is what the v0.9 hardware looks like:

[[Image(SIMtrace/Hardware:simtrace_v09_top_mid.jpg, 33%)]]

=== Interconnections ===

The hardware schematics are very, very simple:

 * Connect SIM-RST with PA7
 * Connect SIM-I/O with PA6(TXD0) and PA1(TIOB0)
 * Connect SIM-CLK with PA2(SCK0) and PA4(TCLK0)
 * Connect SIM-GND with GND

=== Mode of operation ===

The USART of the AT91SAM7S is capable of T=0. The documentation only mentions it in clock-master mode, like you
would run it in a smart card reader to actively talk to a smart card. However, by using the USART input clock multiplexer,
you can use an externally-generated CLK like the one from the SIM card socket of the phone.

Unfortunately, the Rx Timeout feature of the USART does not work in T=0 mode, so I had to re-implement Rx timeout (waiting time)
handling by means of the TC (timer/counter) block 0.  Due to technical limitations, we will wait up to one byte (12 etu) more
than we should.

== Firmware ==

The firmware for the AT91SAM7S device was written by reusing a lot of the code for the [http://www.openpcd.org/ OpenPCD]
RFID reader.

There is a {{{simtrace}}} Makefile target in the git://git.gnumonks.org/openpcd.git repository containing the latest firmware code.

Eventually, the OS part of OpenPCD/OpenPICC/SIMtrace will be separated.  At that point, the firmware source can become
part of simtrace.git.

=== Building the firmware ===

Precondition: You need to set your PATH in a way that contains an arm-elf [wiki:toolchain], i.e. the same way that you build [wiki:GettingStarted OsmocomBB].

{{{
git clone git://git.gnumonks.org/openpcd.git
cd openpcd/firmware
make -f Makefile.dfu BOARD=SIMTRACE
make BOARD=SIMTRACE DEBUG=1 TARGET=main_simtrace
cat dfu.bin main_simtrace.bin > main_simtrace.samba
cd ../..
}}}

=== Firmware parts ===

The firmware build process creates two images:
 * dfu.bin -- the sam7dfu 2nd level bootloader. It implements the USB DFU (Device Firmware Upgrade) profile.
 * main_simtrace.bin -- the actual simtrace program. To be loaded via DFU, using [http://dfu-util.gnumonks.org/ dfu-util].
 * main_simtrace.samba -- [http://www.openpcd.org/Sam7dfu sam7dfu] + simtrace image. To be loaded via SAM-BA, using sam7utils (see below).

=== Flashing the firmware ===

After the firmware has been flashed, '''lsusb''' should show:
{{{
Bus 004 Device 005: ID 16c0:0762 VOTI
}}}

==== SAM-BA ====

The first time you flash the device, you will have to use the SAM-BA method using the '''main_simtrace.samba''' image.

To put the board into SAM-BA mode, use the following steps:
 * unplug the board
 * short TEST to the VCC (3.3V) pin using a jumper; leave PA0, PA1, PA2 unconnected
 * power up the board
 * wait 20s
 * unplug the board
 * remove the jumper

Now when the board is attached to USB, '''lsusb''' should show:
{{{
Bus 002 Device 015: ID 03eb:6124 Atmel Corp. at91sam SAMBA bootloader
}}}

Note for v1.0p boards: sometimes the SAM-BA mode is not working.
This is the case if the 2 LEDs are on when powering up the board while VCC and TEST are shorted.
The reason is unknown yet, but there are several methods to correct this:
 * press the RESET button while powering up
 * touch PA0 (pin 48, on the right upper corner) with a piece of metal
 * short PA0 and PA1 (pins 48 and 47, next to each other on the right upper corner)
As soon as the LEDs go off, the SAM-BA mode is working.

For more information about SAM-BA, please refer to the Atmel documentation on the AT91SAM7S component.

==== sam7utils ====

sam7utils will be used to flash the '''main_simtrace.samba''' image over SAM-BA.
{{{
sudo aptitude install libreadline-dev
wget http://www.openpcd.org/dl/sam7utils-0.2.1-bm.tar.bz2
tar xf sam7utils-*.tar.bz2
cd sam7utils
./configure --prefix=/usr/local
make
}}}

To flash the samba image using serial:
{{{
sudo ./sam7 -l /dev/ttyUSB0 --exec set_clock --exec unlock_regions --exec "flash ../openpcd/firmware/main_simtrace.samba"
}}}

To flash the samba image using libusb:
{{{
sudo ./sam7 --exec set_clock --exec unlock_regions --exec "flash ../openpcd/firmware/main_simtrace.samba"
}}}

If you want to use sam7 multiple times, remove the loaded module after each run:
{{{
sudo rmmod sam_ba
}}}

===== sam7utils for x86 =====

On x86, sam7utils will be compiled to communicate with the board using POSIX.

The board should be attached to a device node. On Ubuntu 10.10, the USB device 03eb:6124 is mapped to /dev/ttyACM0 by the cdc_acm module. If it is not mapped, use usbserial:
{{{
sudo rmmod usbserial
sudo modprobe usbserial vendor=0x03EB product=0x6124
}}}

Now replug the board. It should map to /dev/ttyUSBx (use dmesg to find out which).

===== sam7utils for amd64 =====

On amd64, sam7utils will be compiled to communicate with the board using libusb.

On Ubuntu 10.10 & 11.04, the USB device 03eb:6124 is mapped to /dev/ttyACMx by the cdc_acm module.
Remove it while the board is plugged in, so that sam7utils is able to communicate with it (using libusb for 10.10 and serial for 11.04).
{{{
sudo rmmod cdc_acm
}}}

==== DFU ====

The SAM-BA mode is useful to recover from broken firmware, but the DFU bootloader included in it is easier to use for updates.
You can upload the firmware over USB using dfu-util.

To get dfu-util:
{{{
sudo apt-get install dfu-util
}}}

To flash the firmware:
{{{
dfu-util -d 16c0:0762 -a0 -D ./main_simtrace.bin -R
}}}

dfu-util should reset the board and use the DFU bootloader. Try the command a second time if it did not work at first.
If this still does not work, power up the board while pressing the '''BOOTLOADER''' button.

== Host PC Software ==

The {{{simtrace}}} program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device
and send GSMTAP frames using UDP/IPv4 to localhost:4729.
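
If you want to consume that GSMTAP stream without Wireshark, the encapsulation is simple enough to decode directly. The following Python is an added example, not code from simtrace.git or libosmocore; the 16-byte header layout and the GSMTAP_VERSION, GSMTAP_TYPE_SIM and port values are assumed from libosmocore's gsmtap.h, and sub_type 0 is assumed for plain APDUs.

```python
import socket
import struct

# GSMTAP header as assumed from libosmocore's gsmtap.h (16 bytes, network byte order):
# version, hdr_len (32-bit words), type, timeslot, arfcn, signal_dbm, snr_db,
# frame_number, sub_type, antenna_nr, sub_slot, res
GSMTAP_HDR_FMT = "!BBBBHbbIBBBB"
GSMTAP_HDR_LEN = struct.calcsize(GSMTAP_HDR_FMT)   # 16
GSMTAP_VERSION = 0x02
GSMTAP_TYPE_SIM = 0x04
GSMTAP_UDP_PORT = 4729

def build_sim_frame(apdu, sub_type=0):
    """Wrap one SIM APDU the way a GSMTAP sender does: fixed header, payload appended."""
    hdr = struct.pack(GSMTAP_HDR_FMT, GSMTAP_VERSION, GSMTAP_HDR_LEN // 4,
                      GSMTAP_TYPE_SIM, 0, 0, 0, 0, 0, sub_type, 0, 0, 0)
    return hdr + bytes(apdu)

def parse_frame(frame):
    """Return (type, sub_type, payload); raise ValueError on anything malformed.
    hdr_len is honoured, so a longer future header is skipped rather than misread."""
    if len(frame) < GSMTAP_HDR_LEN:
        raise ValueError("datagram shorter than a GSMTAP header")
    fields = struct.unpack(GSMTAP_HDR_FMT, frame[:GSMTAP_HDR_LEN])
    version, hdr_len, gtype, sub_type = fields[0], fields[1] * 4, fields[2], fields[8]
    if version != GSMTAP_VERSION or hdr_len < GSMTAP_HDR_LEN or hdr_len > len(frame):
        raise ValueError(f"not a GSMTAP v{GSMTAP_VERSION} frame: version={version} hdr_len={hdr_len}")
    return gtype, sub_type, frame[hdr_len:]

def sim_apdus(sock):
    """Yield APDU payloads of GSMTAP SIM frames from an open UDP socket; frames of other
    GSMTAP types are skipped and malformed datagrams are dropped instead of crashing."""
    while True:
        datagram, _ = sock.recvfrom(65535)
        try:
            gtype, _, payload = parse_frame(datagram)
        except ValueError:
            continue
        if gtype == GSMTAP_TYPE_SIM:
            yield payload

if __name__ == "__main__":
    # Listen where simtrace sends (UDP/IPv4 localhost:4729); Wireshark can still capture it on lo.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", GSMTAP_UDP_PORT))
    for apdu in sim_apdus(sock):
        print(f"APDU: ({len(apdu)}):  {apdu.hex(' ')}")
```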

=== Preconditions ===

[wiki:libosmocore] and headers (simtrace_usb.h) from the firmware.

Additional packages:
{{{
sudo apt-get install libusb-1.0-0-dev
}}}

=== Compiling it ===

{{{
git clone git://git.osmocom.org/simtrace.git
cd simtrace/host/
make
}}}

=== Using it ===

Simply start '''simtrace'''.
It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:
{{{
sudo ./simtrace
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f
APDU: (8):  a0 b0 00 00 01 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f
APDU: (9):  a0 b0 00 00 02 00 01 91 78
APDU: (9):  a0 a4 00 00 02 6f 74 9f 0f
APDU: (23):  a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f
APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9):  a0 a4 00 00 02 6f 30 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
}}}
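
Read against GSM 11.11, these lines are SELECT / GET RESPONSE / READ BINARY exchanges on files such as EF_IMSI, with the status words 9F xx (response data waiting) and 91 xx (proactive SIM command pending). The decoder below is an added example, not code from simtrace.git; its INS and file-ID tables only cover what appears in this trace, and the three sample lines are copied from the output above.

```python
# GSM 11.11 INS codes and file IDs that occur in the simtrace console output above
INS_NAMES = {0xA4: "SELECT", 0xC0: "GET RESPONSE", 0xB0: "READ BINARY"}
FILE_NAMES = {0x6F07: "EF_IMSI", 0x6F38: "EF_SST", 0x6FAD: "EF_AD", 0x6F7E: "EF_LOCI",
              0x6F78: "EF_ACC", 0x6F74: "EF_BCCH", 0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel"}

# Three exchanges copied from the console output above (SELECT, GET RESPONSE, READ BINARY)
SAMPLE = [
    "APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f",
    "APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78",
    "APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78",
]

def parse_line(line):
    """Split one 'APDU: (n): ...' line into (INS, body, SW1SW2); None for other lines."""
    head, sep, hexpart = line.strip().partition("):")
    if not sep or not head.startswith("APDU: ("):
        return None
    raw = bytes.fromhex(hexpart)          # fromhex tolerates the spaces between bytes
    if len(raw) != int(head[7:]) or len(raw) < 7:
        raise ValueError("byte count does not match the (n) length field")
    return raw[1], raw[5:-2], int.from_bytes(raw[-2:], "big")

def describe_sw(sw):
    """Explain the GSM 11.11 status words that show up in a SIM-ME trace."""
    sw1, sw2 = sw >> 8, sw & 0xFF
    if sw1 == 0x9F:
        return f"OK, {sw2} response bytes waiting (fetch with GET RESPONSE)"
    if sw1 == 0x91:
        return f"OK, proactive SIM command of {sw2} bytes pending"
    return "OK" if sw == 0x9000 else f"SW {sw:04x}"

def decode_imsi(body):
    """EF_IMSI body: length byte, then swapped BCD; low nibble of byte 1 is the parity flag."""
    digits = [body[1] >> 4]
    for b in body[2:1 + body[0]]:
        digits += [b & 0x0F, b >> 4]
    return "".join(f"{d:x}" for d in digits).rstrip("f")   # 0xF pads an even-length IMSI

def decode_trace(lines):
    """Walk the console output, remembering the selected file to interpret READ BINARY."""
    out, selected = [], None
    for ins, data, sw in filter(None, map(parse_line, lines)):
        name, note = INS_NAMES.get(ins, f"INS {ins:02x}"), ""
        if ins == 0xA4 and len(data) == 2:
            selected = int.from_bytes(data, "big")
            note = " " + FILE_NAMES.get(selected, f"{selected:04x}")
        elif ins == 0xB0 and selected == 0x6F07 and data:
            note = " IMSI=" + decode_imsi(data)
        out.append(f"{name}{note}: {describe_sw(sw)}")
    return out
```

Running decode_trace over the whole console output shows at a glance which files the phone reads at boot, which is exactly what a passive tap on the SIM-ME interface exposes.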

== Wireshark integration ==

There is an experimental patch, also part of the simtrace.git package.  You will have to apply this against the latest
[wiki:wireshark] developer version.

[[Image(wireshark-sim.png)]]

Protocol parsing is far from complete; patches are always welcome!