SIMtrace » History » Version 58
fixeria, 10/28/2018 06:00 PM
**%{background:yellow}WARNING: this project only applies to the first generation SIMtrace hardware, which uses the Atmel AT91SAM7S micro-controller. This project is not supported anymore. The hardware and software are still working, but won't get updates. This project is now replaced by project:simtrace2, which uses the SAM3S replacement micro-controller.%**

h1. Osmocom SIMtrace

{{>toc}}

Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.

It looks a bit like this:

{{graphviz_link()
digraph G{
//rankdir = LR;
Phone -> SIMtrace [label = "Flexi-PCB cable"];
SIMtrace -> SIM;
SIMtrace -> PC [label = "USB cable"];

SIMtrace [ label = "SIMtrace hardware" ];
}
}}

When connected to a phone, it looks like this:

!{width:50%}simtrace_and_phone.jpg!

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone. The received bytes are sent via USB to the PC, where a program called simtrace gathers the data from the USB device, parses the APDUs and forwards them via GSMTAP to the Wireshark protocol analyzer.

h2. Features

* Completely passive scanner
* RST and ATR detection
* Auto-bauding with PPS / PTS support
* Segmentation of APDUs

SIMtrace can be used to monitor the ME-SIM communication, but the hardware could also emulate a phone or a SIM, or act as a man-in-the-middle (MitM).
While the hardware supports all these modes, only the monitoring mode has been implemented in software.

h2. TODO

SIMtrace is a community project, and help is more than welcome.

Some tasks require no knowledge of electronics or of the SIM card protocols, only very basic C programming skills:
* Use the libusb hot-plugging API to keep the program running across SIMtrace disconnects

Some tasks do not require microcontroller programming skills:
* extending/completing the Wireshark dissectors for the SIM protocol.

Here are some of the other things that could be improved:
* Check for parity errors
* Verify TCK / PCK check-bytes
* Implement MITM

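The TCK / PCK item in the list above is a self-contained check that needs no hardware to try out. The following Python is an added example, not simtrace code: it walks the interface bytes of an ATR to find where TCK sits (ISO 7816-3 says TCK is absent only when T=0 is the only protocol offered), checks it, does the same for the PCK that closes a PPS request or response, and reports which F/D a PPS1 selects, which is the change the auto-bauding feature has to follow. The ATR and PPS byte strings are constructed for the example and all function names are the example's own.

```python
# Added example (not simtrace code): verify the ISO 7816-3 check bytes the
# TODO list asks for. TCK closes an Answer To Reset, PCK closes a PPS
# request/response; both are the XOR of every byte they cover, so the XOR
# over the whole covered span must come out as zero.

def _popcount(n):
    return bin(n).count("1")

def atr_layout(atr):
    """Walk the interface bytes of an ATR.

    Returns (first_historical_index, k, protocols): the index of the first
    historical byte, the number K of historical bytes (low nibble of T0) and
    the set of protocol types T announced in TD1, TD2, ... ({0} if there is
    no TD byte at all, since T=0 is then implied).
    """
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: bad length or TS byte")
    t0 = atr[1]
    y, k = t0 >> 4, t0 & 0x0F
    idx = 2
    protocols = set()
    while True:
        idx += _popcount(y & 0x7)      # TAi, TBi, TCi present if bits 1..3 of Y set
        if not y & 0x8:                # bit 4 of Y: a TDi follows
            break
        if idx >= len(atr):
            raise ValueError("ATR truncated inside the interface bytes")
        td = atr[idx]
        idx += 1
        protocols.add(td & 0x0F)
        y = td >> 4
    return idx, k, protocols or {0}

def verify_tck(atr):
    """True if the ATR has the expected length and a correct TCK (when present)."""
    hist_idx, k, protocols = atr_layout(atr)
    has_tck = protocols != {0}         # ISO 7816-3 8.2.5: absent only for T=0-only
    if len(atr) != hist_idx + k + (1 if has_tck else 0):
        return False                   # truncated, or trailing garbage
    if not has_tck:
        return True                    # nothing to check for a T=0-only card
    xor = 0
    for b in atr[1:]:                  # TS is not covered by TCK
        xor ^= b
    return xor == 0

def verify_pck(pps):
    """True if PPSS (0xFF), PPS0, optional PPS1..PPS3 and PCK are consistent."""
    if len(pps) < 3 or pps[0] != 0xFF:
        return False
    n_opt = _popcount((pps[1] >> 4) & 0x7)   # bits 5..7 of PPS0 announce PPS1..3
    if len(pps) != 2 + n_opt + 1:
        return False
    xor = 0
    for b in pps:
        xor ^= b
    return xor == 0

# Fi / Di tables of ISO 7816-3 (None marks RFU codings).
FI = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]

def pps_rate(pps):
    """(F, D) selected by PPS1, or None if the PPS is invalid or has no PPS1.

    With PPS1 = 0x96 the card and phone move to F=512, D=32, i.e. one etu is
    16 clock cycles instead of the default 372: a tracer that does not follow
    the PPS stops decoding at this point.
    """
    if not verify_pck(pps) or not pps[1] & 0x10:
        return None
    pps1 = pps[2]
    return FI[pps1 >> 4], DI[pps1 & 0x0F]

# Constructed samples (not captured from a real card):
ATR_T1 = bytes.fromhex("3b 90 11 81 31 20 45 54")   # offers T=1 -> TCK present (0x54)
ATR_T0 = bytes.fromhex("3b 10 94")                  # offers only T=0 -> no TCK byte
PPS_REQ = bytes.fromhex("ff 10 96 79")              # T=0, F/D = 512/32, PCK 0x79

if __name__ == "__main__":
    print("ATR_T1 TCK ok:", verify_tck(ATR_T1))
    print("ATR_T0 (no TCK):", verify_tck(ATR_T0))
    print("corrupted TCK:", verify_tck(ATR_T1[:-1] + b"\x55"))
    print("PPS PCK ok:", verify_pck(PPS_REQ), "F/D =", pps_rate(PPS_REQ))
```

A single flipped bit anywhere between T0 and TCK makes verify_tck() return False, which is exactly the parity-error class of problem the previous TODO item is about: on a passive tap a bad check byte is the only hint that the tracer, not the card, mis-sampled a byte.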
h2. Hardware

The first implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [[RebelSIM_Scanner]]. If the [[RebelSIM]] scanner is used, connect its USB even if only the signal lines are used: it needs to be powered, otherwise the real reader will often fail to initialize the card.

Now we have a dedicated PCB design. The schematics and Gerber files are released as open source hardware and can be produced by everyone.

However, those of you who are not interested in building it from scratch can buy a complete factory-produced, tested and flashed PCB assembly from http://shop.sysmocom.de/products/simtrace

It can also be interfaced with a full-size SIM card "with a separate adapter":http://shop.sysmocom.de/products/fullsize-sim-fpc

More details are available at [[SIMtrace_Hardware]]

h2. Firmware

The firmware for the AT91SAM7S device was written by reusing a lot of the code for the "OpenPCD":http://www.openpcd.org/ RFID reader. Details are available at [[SIMtrace Firmware]].

h2. Documentation

Please check the attachments for a user manual. In there you will find some hints on installing ready-made packages for your favorite Linux distribution.

h2. Host PC Software

The simtrace program is part of the git://git.osmocom.org/simtrace.git repository. It will bind to the USB device and send GSMTAP frames using UDP/IPv4 to localhost:4729.

h3. Preconditions

[[libosmocore:]] and headers (simtrace_usb.h) from the firmware.

Additional packages:
<pre>
sudo apt-get install libusb-1.0-0-dev
</pre>

h3. Compiling it

<pre>
git clone git://git.osmocom.org/simtrace.git
cd simtrace/host/
make
</pre>

h3. Accessing it

Add a udev rule so that simtrace can access the device as a non-root user (the user only needs to be a member of the osmocom group):

<pre>
sudo groupadd osmocom
sudo adduser $USERNAME osmocom   # replace $USERNAME with your login name
sudo tee /etc/udev/rules.d/10-osmocom.rules << EOF
# to use, install this file in /etc/udev/rules.d as 10-osmocom.rules
# rule to grant read/write access on SIMtrace to group named osmocom.
SUBSYSTEM=="usb", ATTR{idProduct}=="0762", ATTRS{idVendor}=="16c0", MODE="0660", GROUP="osmocom"
EOF
sudo service udev reload
</pre>

You must log out and back in for the group membership to take effect.

h3. Using it

Simply start *simtrace*.
It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:

<pre>
sudo ./simtrace
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 38 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16): a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9): a0 a4 00 00 02 6f ad 9f 0f
APDU: (8): a0 b0 00 00 01 00 91 78
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (16): a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9): a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18): a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9): a0 a4 00 00 02 6f 78 9f 0f
APDU: (9): a0 b0 00 00 02 00 01 91 78
APDU: (9): a0 a4 00 00 02 6f 74 9f 0f
APDU: (23): a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 20 9f 0f
APDU: (16): a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9): a0 a4 00 00 02 6f 30 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
</pre>

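Each line of the dump above is one segmented T=0 exchange: the 5-byte header the phone sent (CLA INS P1 P2 P3), the data bytes that moved in either direction, and the two status bytes the SIM answered with. The following Python parser is an added example, not simtrace's own APDU code: it splits the lines into those parts, names the instruction after GSM 11.11 table 9 and explains the status word, so that a dump can be turned into a list of which files the phone selected and read. The INS_NAMES table, the Apdu class and the function names are the example's own; the sample lines are copied from the dump above.

```python
# Added example (not simtrace's own parser): split the "APDU: (n): ..." lines
# that simtrace prints into the T=0 header, data field and status word.
import re
from dataclasses import dataclass

# Instruction codes from GSM 11.11, table 9 (subset).
INS_NAMES = {
    0xA4: "SELECT", 0xF2: "STATUS", 0xB0: "READ BINARY", 0xD6: "UPDATE BINARY",
    0xB2: "READ RECORD", 0xDC: "UPDATE RECORD", 0xA2: "SEEK", 0x32: "INCREASE",
    0x20: "VERIFY CHV", 0x24: "CHANGE CHV", 0x26: "DISABLE CHV",
    0x28: "ENABLE CHV", 0x2C: "UNBLOCK CHV", 0x04: "INVALIDATE",
    0x44: "REHABILITATE", 0x88: "RUN GSM ALGORITHM", 0xFA: "SLEEP",
    0xC0: "GET RESPONSE", 0x10: "TERMINAL PROFILE", 0xC2: "ENVELOPE",
    0x12: "FETCH", 0x14: "TERMINAL RESPONSE",
}

LINE_RE = re.compile(r"APDU:\s*\((\d+)\):\s*((?:[0-9a-fA-F]{2}\s*)+)$")

@dataclass(frozen=True)
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    p3: int
    data: bytes
    sw1: int
    sw2: int

    @property
    def ins_name(self):
        return INS_NAMES.get(self.ins, "INS %02x" % self.ins)

    @property
    def sw(self):
        return (self.sw1 << 8) | self.sw2

    def describe_sw(self):
        """Status words of GSM 11.11 section 9.4 (subset)."""
        sw1, sw2 = self.sw1, self.sw2
        if (sw1, sw2) == (0x90, 0x00):
            return "normal ending"
        if sw1 == 0x9F:
            return "%d bytes of response data available (GET RESPONSE)" % sw2
        if sw1 == 0x91:
            return "proactive SIM command pending, %d bytes (FETCH)" % sw2
        if sw1 == 0x94:
            return {0x00: "no EF selected", 0x02: "out of range",
                    0x04: "file ID / pattern not found",
                    0x08: "inconsistent with file structure"}.get(sw2, "file error")
        if sw1 == 0x98:
            return {0x02: "no CHV initialised",
                    0x04: "access condition not fulfilled / wrong CHV",
                    0x40: "CHV blocked"}.get(sw2, "security error")
        return "SW %02x%02x" % (sw1, sw2)

def parse_apdu_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a simtrace APDU line: %r" % line)
    raw = bytes.fromhex(m.group(2))
    if len(raw) != int(m.group(1)):
        raise ValueError("declared %s bytes, found %d" % (m.group(1), len(raw)))
    if len(raw) < 7:
        raise ValueError("need a 5-byte header plus SW1 SW2")
    cla, ins, p1, p2, p3 = raw[:5]
    data, sw1, sw2 = raw[5:-2], raw[-2], raw[-1]
    # The dump carries no direction flag and simtrace strips the procedure
    # bytes, so the body is either exactly P3 bytes (data to or from the card)
    # or empty, when the card answered with a status word before any data moved.
    if data and len(data) != p3:
        raise ValueError("body is %d bytes but P3 says %d" % (len(data), p3))
    return Apdu(cla, ins, p1, p2, p3, bytes(data), sw1, sw2)

def parse_dump(text):
    return [parse_apdu_line(l) for l in text.splitlines() if l.strip()]

def selected_files(apdus):
    """File IDs handed to SELECT, in order (0x6F07 is EF_IMSI in GSM 11.11)."""
    return [int.from_bytes(a.data, "big") for a in apdus
            if a.ins == 0xA4 and len(a.data) == 2]

# Lines copied from the console dump on this page.
SAMPLE = """\
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 38 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (16): a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
"""

if __name__ == "__main__":
    for a in parse_dump(SAMPLE):
        print("%-18s P1=%02x P2=%02x P3=%02x data=%s -> %s"
              % (a.ins_name, a.p1, a.p2, a.p3, a.data.hex(), a.describe_sw()))
```

Run against the sample, the parser shows the pattern a passive tap exposes: SELECT of a file ID, a 9Fxx status announcing the response length, GET RESPONSE or READ BINARY returning the file body, and 91 78 on every answer meaning the SIM has a proactive command waiting. The READ BINARY on the selected file is the IMSI leaving the card in the clear, which is the reason to treat such dumps as sensitive data.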
h2. Wireshark integration

There is an experimental dissector patch, also part of the simtrace.git package. It is also included in the [[wireshark]] developer version (since wireshark 1.7.1).

To see the APDUs in wireshark:
* on localhost, SIMtrace automatically opens a UDP sink locally, so nothing needs to be done
* to get the data on another machine:
** start a UDP sink for GSMTAP on the other machine (do not use netcat, as it "connects" back)
<pre>
socat -u udp-recv:4729 /dev/null
</pre>
** tell SIMtrace to which machine to forward
<pre>
./simtrace -i 192.168.0.1
</pre>

!wireshark-sim.png!

Protocol parsing is far from complete, patches are always welcome!

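What travels from simtrace to the sink is plain UDP carrying GSMTAP, so a remote machine can also decode it without Wireshark. The following Python is an added example, not part of simtrace.git: it builds the GSMTAP frame that wraps one APDU, decodes such a frame again with the sanity checks a receiver should apply, and run_sink() is a stand-in for the socat command above that prints what it receives instead of discarding it. The 16-byte header layout and the version, type and SIM sub-type constants are those of libosmocore's gsmtap.h; the function names are the example's own and the payload is the first line of the console dump.

```python
# Added example (not the simtrace host program): GSMTAP framing of SIM APDUs
# as sent to UDP port 4729, plus a minimal receiving sink.
import socket
import struct

GSMTAP_VERSION = 0x02
GSMTAP_HDR_LEN = 4              # in 32-bit words, i.e. 16 bytes
GSMTAP_TYPE_SIM = 0x04
GSMTAP_SIM_APDU = 0x00
GSMTAP_SIM_ATR = 0x01
GSMTAP_UDP_PORT = 4729
# version, hdr_len, type, timeslot, arfcn, signal_dbm, snr_db, frame_number,
# sub_type, antenna_nr, sub_slot, res; all fields in network byte order.
_HDR = struct.Struct("!BBBBHbbIBBBB")

def build_gsmtap_sim(payload, sub_type=GSMTAP_SIM_APDU):
    """Wrap raw SIM bytes (an APDU or an ATR) in a GSMTAP header."""
    hdr = _HDR.pack(GSMTAP_VERSION, GSMTAP_HDR_LEN, GSMTAP_TYPE_SIM,
                    0, 0, 0, 0, 0, sub_type, 0, 0, 0)
    return hdr + bytes(payload)

def parse_gsmtap(frame):
    """Return (type, sub_type, payload); reject anything that is not GSMTAP v2."""
    if len(frame) < _HDR.size:
        raise ValueError("frame shorter than a GSMTAP header")
    fields = _HDR.unpack_from(frame)
    version, hdr_len, gtype, sub_type = fields[0], fields[1], fields[2], fields[8]
    if version != GSMTAP_VERSION:
        raise ValueError("unsupported GSMTAP version %d" % version)
    hdr_bytes = hdr_len * 4          # hdr_len may announce a longer header
    if hdr_bytes < _HDR.size or hdr_bytes > len(frame):
        raise ValueError("bad hdr_len %d" % hdr_len)
    return gtype, sub_type, frame[hdr_bytes:]

def decode_sim_frame(frame):
    """(sub_type, payload) of a GSMTAP SIM frame, or None for other GSMTAP types."""
    gtype, sub_type, payload = parse_gsmtap(frame)
    if gtype != GSMTAP_TYPE_SIM:
        return None
    return sub_type, payload

def run_sink(bind_addr="0.0.0.0", port=GSMTAP_UDP_PORT):
    """Stand-in for the socat sink: receive GSMTAP and hex-print the SIM payloads."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        frame, peer = sock.recvfrom(65535)
        try:
            decoded = decode_sim_frame(frame)
        except ValueError as e:
            print("%s: dropped: %s" % (peer[0], e))
            continue
        if decoded is not None:
            sub_type, payload = decoded
            print("%s: sub_type %d: %s" % (peer[0], sub_type, payload.hex(" ")))

# First APDU of the console dump on this page, as the tracer would emit it.
SAMPLE_APDU = bytes.fromhex("a0 a4 00 00 02 6f 07 9f 0f")

if __name__ == "__main__":
    frame = build_gsmtap_sim(SAMPLE_APDU)
    print(frame.hex(" "))
    print(decode_sim_frame(frame))
```

Note that GSMTAP has no authentication or encryption, and the payloads are the APDUs shown above, file contents of the SIM included; when forwarding with "-i" to another machine, bind the sink to the interface of the link you trust rather than to all addresses, and prefer a direct or tunnelled link over a shared network.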
h2. Other software

* "simlabTrace":https://github.com/kamwar/simlabTrace/wiki seems to be capable of MITM and also seems to have a CCID driver to use SIMtrace as a card reader.

h2. Contact / Mailing List

For any development or usage related questions, there is a mailing list [mailto:simtrace@lists.osmocom.org]; you can subscribe/unsubscribe at http://lists.osmocom.org/mailman/listinfo/simtrace and read the archives at http://lists.osmocom.org/pipermail/simtrace/

Please make sure you read the [[cellular-infrastructure:MailingListRules]] before you start posting.