SIMtrace » History » Version 46

zecke, 04/17/2016 06:01 PM

{{>toc}}

h1. Osmocom SIMtrace

Osmocom SIMtrace is a software and hardware system for passively tracing the SIM-ME communication between the SIM card and the mobile phone.

It looks a bit like this:

{{graphviz_link()
digraph G{
  //rankdir = LR;
  Phone -> SIMtrace [label = "Flexi-PCB cable"];
  SIMtrace -> SIM;
  SIMtrace -> PC [label = "USB cable"];

  SIMtrace [ label = "SIMtrace hardware" ];
}
}}

When connected to a phone, it looks like this:

!{width:50%}simtrace_and_phone.jpg!

!{width:33%}simtrace_functions.png!

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone. The received bytes are sent via USB to the PC, where a program called simtrace gathers the data from the USB device, parses the APDUs and forwards them via GSMTAP to the Wireshark protocol analyzer.
h2. Features

* Completely passive scanner
* RST and ATR detection
* Auto-bauding with PPS / PTS support
* Segmentation of APDUs

SIMtrace can be used to monitor the ME-SIM communication, but also to emulate a phone or a SIM, or to act as a man-in-the-middle (MITM).

While the hardware supports all these modes, only the monitoring aspect has been implemented in software.

h2. TODO

* Check for parity errors
* Verify TCK / PCK check-bytes
* Implement MITM

h2. Hardware

The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [[RebelSIM_Scanner]]. If the [[RebelSIM]] scanner is used, connect its USB even if only the signal lines are used: it needs to be powered, otherwise the real reader will often fail to initialize the card.

Now we have a dedicated PCB design. The schematics and Gerber files are released as open source hardware and can be produced by everyone.

However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace

More details are available at [[SIMtraceHardware]].

h2. Firmware

The firmware for the AT91SAM7S device was written by reusing a lot of the code for the "OpenPCD":http://www.openpcd.org/ RFID reader. Details are available at [[SIMtraceFirmware]].

h2. Documentation

Please check the attachments for the user manual. It contains hints on installing ready-made packages for your favourite Linux distribution.
h2. Host PC Software

The simtrace program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device and send GSMTAP frames using UDP/IPv4 to localhost:4729.

h3. Preconditions

[[libosmocore]] and the headers (simtrace_usb.h) from the firmware.

Additional packages:
<pre>
sudo apt-get install libusb-1.0-0-dev
</pre>
h3. Compiling it

<pre>
git clone git://git.osmocom.org/simtrace.git
cd simtrace/host/
make
</pre>
h3. Accessing it

Add a udev rule so that simtrace can access the device as a non-root user (the user only needs to be in the osmocom group):

<pre>
sudo groupadd osmocom
sudo adduser $USERNAME osmocom
sudo tee /etc/udev/rules.d/10-osmocom.rules << EOF
# to use, install this file in /etc/udev/rules.d as 10-osmocom.rules
# rule to grant read/write access on SIMtrace to group named osmocom.
SUBSYSTEM=="usb", ATTR{idProduct}=="0762", ATTRS{idVendor}=="16c0", MODE="0660", GROUP="osmocom"
EOF
sudo service udev reload
</pre>

You must log out and back in for the group membership to take effect.
h3. Using it

Simply start *simtrace*. It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:
<pre>
sudo ./simtrace
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 38 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16):  a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9):  a0 a4 00 00 02 6f ad 9f 0f
APDU: (8):  a0 b0 00 00 01 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9):  a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18):  a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9):  a0 a4 00 00 02 6f 78 9f 0f
APDU: (9):  a0 b0 00 00 02 00 01 91 78
APDU: (9):  a0 a4 00 00 02 6f 74 9f 0f
APDU: (23):  a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9):  a0 a4 00 00 02 6f 20 9f 0f
APDU: (16):  a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9):  a0 a4 00 00 02 6f 30 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
</pre>
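A small decoder for the console lines above, added here as an example and not part of simtrace itself. It assumes the layout visible in the dumps (a 5-byte GSM 11.11 header CLA INS P1 P2 P3, then P3 data bytes, then SW1 SW2), validates the length fields before naming anything, and the instruction, file and status-word names are a lookup supplied by this example from GSM 11.11.

```python
import re

# Added example (not simtrace's own code): decode the "APDU: (n): ..." lines
# that simtrace prints. Assumed layout, consistent with the dumps above: 5-byte
# GSM 11.11 header CLA INS P1 P2 P3, then P3 data bytes, then SW1 SW2.
INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xB2: "READ RECORD",
             0xC0: "GET RESPONSE", 0x88: "RUN GSM ALGORITHM"}
EF_NAMES = {0x6F07: "EF_IMSI", 0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel", 0x6F38: "EF_SST",
            0x6F74: "EF_BCCH", 0x6F78: "EF_ACC", 0x6F7E: "EF_LOCI", 0x6FAD: "EF_AD"}
LINE_RE = re.compile(r"APDU:\s*\((\d+)\):\s*((?:[0-9a-fA-F]{2}\s*)+)$")

def describe_sw(sw1, sw2):
    """Status word meaning, subset of GSM 11.11 section 9.4."""
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x9F:
        return "OK, %d bytes available via GET RESPONSE" % sw2
    if sw1 == 0x91:
        return "OK, proactive SIM command of %d bytes pending" % sw2
    return "SW %02X%02X" % (sw1, sw2)

def parse_apdu_line(line):
    """Split one dump line into header, data and SW; reject inconsistent lengths."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a simtrace APDU line: %r" % line)
    count, raw = int(m.group(1)), bytes.fromhex(m.group(2))
    if len(raw) != count or count < 7:
        raise ValueError("length mismatch: header says %d, got %d bytes" % (count, len(raw)))
    cla, ins, p1, p2, p3 = raw[:5]
    data, sw1, sw2 = raw[5:-2], raw[-2], raw[-1]
    if len(data) != p3:  # P3 is the data length in both directions for these commands
        raise ValueError("P3=%d but %d data bytes present" % (p3, len(data)))
    name = INS_NAMES.get(ins, "INS %02X" % ins)
    if ins == 0xA4 and p3 == 2:  # SELECT carries the 2-byte file ID as command data
        fid = int.from_bytes(data, "big")
        name += " " + EF_NAMES.get(fid, "%04X" % fid)
    return {"cla": cla, "name": name, "p1": p1, "p2": p2, "p3": p3, "data": data.hex(),
            "sw": "%02X%02X" % (sw1, sw2), "sw_text": describe_sw(sw1, sw2)}

# Constructed sample: three lines taken from the console dump above.
SAMPLE = """APDU: (9):  a0 a4 00 00 02 6f 07 9f 0f
APDU: (22):  a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (16):  a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78"""

if __name__ == "__main__":
    for ln in SAMPLE.splitlines():
        a = parse_apdu_line(ln)
        print("%-20s P3=%2d data=%s SW=%s (%s)" % (a["name"], a["p3"], a["data"], a["sw"], a["sw_text"]))
```

Feed it the saved console output of a session to get a readable command/response log, with any line whose byte count or P3 does not add up reported instead of silently decoded.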
h2. Wireshark integration

There is an experimental Wireshark patch, also part of the simtrace.git repository. It is also included in the [[wireshark]] development version (since Wireshark 1.7.1).

To see the APDUs in Wireshark:
* on localhost, SIMtrace automatically opens a UDP sink, so nothing needs to be done
* to get the data on another machine:
** start a UDP sink for GSMTAP on the other machine (do not use netcat, as it "connects" back)
<pre>
socat -u udp-recv:4729 /dev/null
</pre>
** tell SIMtrace to which machine to forward
<pre>
./simtrace -i 192.168.0.1
</pre>

!wireshark-sim.png!

Protocol parsing is far from complete; patches are always welcome!
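The GSMTAP framing behind the socat and simtrace -i lines above, as an added Python example that is not part of simtrace: it builds and validates the 16-byte GSMTAP v2 header (field layout from libosmocore's gsmtap.h) and provides a small sink that can stand in for the socat command on the other machine while Wireshark still captures the packets. That simtrace marks SIM APDUs as GSMTAP type 0x04 with sub_type 0 is an assumption here.

```python
import socket
import struct

# Added example (not simtrace's own code): GSMTAP v2 framing on UDP port 4729.
# Header layout from libosmocore's gsmtap.h: version, hdr_len (32-bit words),
# type, timeslot, arfcn, signal_dbm, snr_db, frame_number, sub_type, antenna_nr,
# sub_slot, res. That simtrace uses type SIM (0x04), sub_type 0 is an assumption.
GSMTAP_PORT = 4729
GSMTAP_VERSION = 0x02
GSMTAP_TYPE_SIM = 0x04
HDR_FMT = ">BBBBHbbIBBBB"
HDR_LEN = struct.calcsize(HDR_FMT)  # 16
SAMPLE_APDU = bytes.fromhex("a0a40000026f079f0f")  # constructed: first line of the dump above

def build_gsmtap_sim(apdu, frame_number=0):
    """Prefix one APDU with a GSMTAP header of type SIM."""
    hdr = struct.pack(HDR_FMT, GSMTAP_VERSION, HDR_LEN // 4, GSMTAP_TYPE_SIM,
                      0, 0, 0, 0, frame_number, 0, 0, 0, 0)
    return hdr + apdu

def parse_gsmtap(datagram):
    """Return (type, sub_type, payload); raise ValueError on malformed input."""
    if len(datagram) < HDR_LEN:
        raise ValueError("datagram shorter than a GSMTAP header")
    version, hdr_words, gtype = datagram[0], datagram[1], datagram[2]
    if version != GSMTAP_VERSION:
        raise ValueError("unsupported GSMTAP version %d" % version)
    hdr_len = hdr_words * 4  # the field counts 32-bit words, not bytes
    if hdr_len < HDR_LEN or len(datagram) < hdr_len:
        raise ValueError("bad GSMTAP hdr_len %d" % hdr_words)
    return gtype, datagram[12], datagram[hdr_len:]

def run_sink(bind_addr="0.0.0.0", port=GSMTAP_PORT):
    """Sink for the other machine: receive GSMTAP and hexdump the SIM APDUs."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        d, peer = sock.recvfrom(2048)
        try:
            gtype, _sub, apdu = parse_gsmtap(d)
        except ValueError as e:
            print("dropped frame from %s: %s" % (peer[0], e))
            continue
        if gtype == GSMTAP_TYPE_SIM:
            print("%s APDU: (%d): %s" % (peer[0], len(apdu), " ".join("%02x" % b for b in apdu)))

if __name__ == "__main__":
    run_sink()
```

Like the socat sink, it mainly needs to own port 4729 so the receiving host does not answer with ICMP port unreachable; the hexdump is a bonus for checking that frames arrive before looking in Wireshark.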
h2. Contact / Mailing List

For any development- or usage-related questions there is a mailing list, [mailto:simtrace@lists.osmocom.org]. You can subscribe/unsubscribe at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please make sure you read the [[cellular-infrastructure:MailingListRules]] before you start posting.