SIMtrace » History » Version 4
laforge, 02/19/2016 10:48 PM
note about TC / waiting time
[[PageOutline]]

= Osmocom SIMtrace =

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone.
The received bytes are sent via USB to the PC, where a program called {{{simtrace}}} gathers the data from the USB device,
parses the APDUs and forwards them via [wiki:GSMTAP] to the [wiki:wireshark] protocol analyzer.

== Features ==
* Completely passive scanner
* RST and ATR detection
* auto-bauding with PPS / PTS support
* Segmentation of APDUs

== TODO ==
* Check for parity errors
* Verify TCK / PCK check-bytes

== Hardware ==

There is no ready-built hardware for this yet. The only existing implementations used an Olimex SAM7-P64 development board
with some of the I/O lines hooked up to the mechanical SIM card adapters from [wiki:RebelSIM_Scanner]. We are thinking of
doing some custom hardware, but nothing is certain yet.

=== Interconnections ===

The hardware schematics are very, very simple:

* Connect SIM-RST with PA7
* Connect SIM-I/O with PA6(TXD0) and PA1(TIOB0)
* Connect SIM-CLK with PA2(SCK0) and PA4(TCLK0)
* Connect SIM-GND with GND

=== Mode of operation ===

The USART of the AT91SAM7S is capable of T=0. However, the documentation only mentions it in clock-master mode, like you
would run it in a smart card reader to actively talk to a smart card. By using the USART input clock multiplexer, though,
you can use an externally-generated CLK like the one from the SIM card socket of the phone.

Unfortunately, the Rx Timeout feature of the USART is not working in T=0 mode, so I had to re-implement Rx timeout (waiting time)
handling by means of the TC (timer/counter) block 0. Due to technical limitations, we will wait up to one byte (12 etu) more
than we should.

== Firmware ==

The firmware for the AT91SAM7S device was written by reusing a lot of the code for the [http://www.openpcd.org/ OpenPCD]
RFID reader.

There is a {{{simtrace}}} branch in the git://git.gnumonks.org/openpcd.git repository containing the latest firmware code.

Eventually, the OS part of OpenPCD/OpenPICC/SIMtrace will be separated. At that point, the firmware source can become
part of simtrace.git.

=== Building the firmware ===

Precondition: You need to set your PATH in a way that contains an arm-elf toolchain, i.e. the same way that you build [OsmocomBB].

{{{
$ git clone git://git.gnumonks.org/openpcd.git
$ cd openpcd/firmware
$ git checkout simtrace
$ make -f Makefile.dfu BOARD=OLIMEX
$ make BOARD=SIMTRACE DEBUG=1 TARGET=main_simtrace
$ cat dfu.bin main_simtrace.bin > main_simtrace.samba
}}}

=== TODO ===

== Host PC Software ==

The {{{simtrace}}} program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device
and send GSMTAP frames using UDP/IPv4 to localhost.

It will also print hexdumps of the frames to the console, looking like this:
{{{
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 38 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16): a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9): a0 a4 00 00 02 6f ad 9f 0f
APDU: (8): a0 b0 00 00 01 00 91 78
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (16): a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9): a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18): a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9): a0 a4 00 00 02 6f 78 9f 0f
APDU: (9): a0 b0 00 00 02 00 01 91 78
APDU: (9): a0 a4 00 00 02 6f 74 9f 0f
APDU: (23): a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 20 9f 0f
APDU: (16): a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9): a0 a4 00 00 02 6f 30 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
}}}
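As an added example (not code from the SIMtrace project), the Python below decodes lines in the hexdump format above into their T=0 parts (header, data, status word) and wraps an APDU in the GSMTAP frame header that {{{simtrace}}} sends towards Wireshark. Instruction and elementary-file names are taken from GSM 11.11, and the GSMTAP header layout (type SIM = 0x04, UDP port 4729) is assumed from the GSMTAP definition, not from this page.

```python
import struct

# Names from GSM 11.11 for the instructions and elementary files that appear
# in the hexdump above; anything else in a trace is passed through raw.
INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xC0: "GET RESPONSE"}
EF_NAMES = {0x6F07: "EF_IMSI", 0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel",
            0x6F38: "EF_SST", 0x6F74: "EF_BCCH", 0x6F78: "EF_ACC",
            0x6F7E: "EF_LOCI", 0x6FAD: "EF_AD"}
GSMTAP_VERSION, GSMTAP_TYPE_SIM, GSMTAP_UDP_PORT = 2, 0x04, 4729  # assumed from gsmtap.h

def parse_apdu_line(line):
    """Split one 'APDU: (n): xx xx ...' line as printed by simtrace into the
    5-byte T=0 header, the data bytes that followed and the status word."""
    head, _, hexpart = line.partition("): ")
    raw = bytes.fromhex(hexpart)
    declared = int(head.split("(")[1])
    if len(raw) != declared or len(raw) < 7:
        raise ValueError("byte count does not match or APDU is truncated")
    cla, ins, p1, p2, p3 = raw[:5]
    data, sw = raw[5:-2], raw[-2:]
    info = {"cla": cla, "ins": INS_NAMES.get(ins, "INS %02x" % ins),
            "p3": p3, "data": data, "sw": sw.hex(),
            "p3_ok": p3 == len(data)}       # P3 must equal the byte count seen
    if ins == 0xA4 and len(data) == 2:      # SELECT carries the 2-byte file ID
        fid = int.from_bytes(data, "big")
        info["file"] = EF_NAMES.get(fid, "%04x" % fid)
    if sw[0] == 0x9F:                       # GSM 11.11: sw[1] response bytes ready
        info["status"] = "response available, %d bytes" % sw[1]
    elif sw[0] == 0x91:                     # normal ending, proactive SIM command pending
        info["status"] = "ok, %d bytes of proactive command pending" % sw[1]
    elif sw == b"\x90\x00":
        info["status"] = "ok"
    else:
        info["status"] = "other"
    return info

def gsmtap_sim_frame(apdu):
    """Prefix an APDU with a 16-byte GSMTAP v2 header of type SIM, the
    encapsulation simtrace uses towards Wireshark on UDP port 4729."""
    hdr = struct.pack("!BBBBHbbIBBBB", GSMTAP_VERSION, 4, GSMTAP_TYPE_SIM,
                      0, 0, 0, 0, 0, 0, 0, 0, 0)  # hdr_len is in 32-bit words
    return hdr + apdu

# Two lines copied from the hexdump above: SELECT EF_IMSI, then GET RESPONSE.
TRACE = ["APDU: (9): a0 a4 00 00 02 6f 07 9f 0f",
         "APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78"]

if __name__ == "__main__":
    for line in TRACE:
        print(parse_apdu_line(line))
```

Running it over the full hexdump shows the phone walking through EF_IMSI, EF_SST, EF_AD, EF_LOCI, EF_ACC, EF_BCCH, EF_Kc and EF_PLMNsel in clear text, which is exactly the kind of data a passive tap on the SIM-ME interface exposes.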

== Wireshark integration ==

There is an experimental patch, also part of the simtrace.git package. You will have to apply this against the latest
wireshark developer version.

[[Image(wireshark-sim.png)]]

Protocol parsing is far from being complete, patches are always welcome!