SIMtrace » History » Version 7
tsaitgaist, 02/19/2016 10:48 PM
simtrace_usb.h link removed
[[PageOutline]]
= Osmocom SIMtrace =

Osmocom SIMtrace is a software and hardware system for passively tracing the SIM-ME communication between the SIM card and the mobile phone.

It works by utilizing the T=0 capable USART of the USB-attached AT91SAM7 microcontroller.

The USART passively receives the bytes as they are exchanged on the ISO 7816-3 / TS 11.11 interface between SIM and phone.
The received bytes are sent via USB to the PC, where a program called {{{simtrace}}} gathers the data from the USB device,
parses the APDUs and forwards them via [wiki:GSMTAP] to the [wiki:wireshark] protocol analyzer.

== Features ==
 * Completely passive scanner
 * RST and ATR detection
 * Auto-bauding with PPS / PTS support
 * Segmentation of APDUs

== TODO ==
 * Check for parity errors
 * Verify TCK / PCK check-bytes

== Hardware ==

There is no ready-built hardware for this yet, but there will be.
The existing implementations used an Olimex SAM7-P64 development board with some of the I/O lines hooked up to the mechanical SIM card adapters from [wiki:RebelSIM_Scanner].

=== Interconnections ===

The hardware schematics are very, very simple:

 * Connect SIM-RST with PA7
 * Connect SIM-I/O with PA6 (TXD0) and PA1 (TIOB0)
 * Connect SIM-CLK with PA2 (SCK0) and PA4 (TCLK0)
 * Connect SIM-GND with GND

=== Mode of operation ===

The USART of the AT91SAM7S is capable of T=0. The documentation only mentions it in clock-master mode, as you would run it in a smart card reader to actively talk to a smart card. However, by using the USART input clock multiplexer, you can use an externally generated CLK, such as the one from the SIM card socket of the phone.

Unfortunately, the Rx Timeout feature of the USART does not work in T=0 mode, so I had to re-implement Rx timeout (waiting time) handling by means of the TC (timer/counter) block 0. Due to technical limitations, we will wait up to one byte (12 etu) longer than we should.

== Firmware ==

The firmware for the AT91SAM7S device was written by reusing a lot of the code of the [http://www.openpcd.org/ OpenPCD] RFID reader.

There is a {{{simtrace}}} branch in the git://git.gnumonks.org/openpcd.git repository containing the latest firmware code.

Eventually, the OS part of OpenPCD/OpenPICC/SIMtrace will be separated. At that point, the firmware source can become part of simtrace.git.

=== Toolchain ===

The toolchain gnuarm-4.0.2 can be used to cross-compile the firmware.

{{{
wget http://www.gnuarm.com/bu-2.16.1_gcc-4.0.2-c-c++_nl-1.14.0_gi-6.4_x86-64.tar.bz2
tar xf bu-*_gcc-*-c-c++_nl-*_gi-*_x86-64.tar.bz2
mv gnuarm-* ~/gnuarm
}}}

To be able to use the toolchain, add the cross-compilers to your PATH:

{{{
export PATH=~/gnuarm/bin:$PATH
}}}

=== Building the firmware ===

Precondition: your PATH must contain an arm-elf toolchain, i.e. set it up the same way as for building [OsmocomBB].

{{{
git clone git://git.gnumonks.org/openpcd.git
cd openpcd/firmware
git checkout simtrace
make -f Makefile.dfu BOARD=OLIMEX
make BOARD=SIMTRACE DEBUG=1 TARGET=main_simtrace
cat dfu.bin main_simtrace.bin > main_simtrace.samba
cd ../..
}}}

=== Firmware parts ===

The firmware build process creates two images (plus the SAM-BA image concatenated from them):
 * dfu.bin -- the sam7dfu 2nd level bootloader. It implements the USB DFU (Device Firmware Upgrade) profile.
 * main_simtrace.bin -- the actual simtrace program. To be loaded via DFU, using [http://dfu-util.gnumonks.org/ dfu-util].
 * main_simtrace.samba -- [http://www.openpcd.org/Sam7dfu sam7dfu] + simtrace image. To be loaded via SAM-BA, using sam7utils (see below).

=== Flashing the firmware ===

After the firmware has been flashed, '''lsusb''' should show:
{{{
Bus 004 Device 005: ID 16c0:0762 VOTI
}}}

==== SAM-BA ====

The first time you flash the device, you will have to use the SAM-BA method with the '''main_simtrace.samba''' image.

To put the board into SAM-BA mode, use the following steps:
 * unplug the board
 * short the TEST pin to VCC (3.3V), using a jumper
 * power up the board
 * wait 20s
 * unplug the board
 * remove the jumper

Now, when the board is attached to USB, '''lsusb''' should show:
{{{
Bus 002 Device 015: ID 03eb:6124 Atmel Corp. at91sam SAMBA bootloader
}}}

For more information about SAM-BA, please refer to the Atmel documentation on the AT91SAM7S component.

==== sam7utils ====

sam7utils is used to flash the '''main_simtrace.samba''' image over SAM-BA.
{{{
sudo aptitude install libreadline-dev
wget http://www.openpcd.org/dl/sam7utils-0.2.1-bm.tar.bz2
tar xf sam7utils-*.tar.bz2
cd sam7utils
./configure --prefix=/usr/local
make
}}}

===== sam7utils for x86 =====

On x86, sam7utils is compiled to communicate with the board through a POSIX serial device.

The board must therefore show up as a device node. On Ubuntu 10.10, the USB device 03eb:6124 is mapped to /dev/ttyACM0 by the cdc_acm module. If it is not mapped, use usbserial:
{{{
sudo rmmod usbserial
sudo modprobe usbserial vendor=0x03EB product=0x6124
}}}

Now replug the board. It should map to /dev/ttyUSBx (use dmesg to find out which). Then flash the SAM-BA image:
{{{
sudo ./sam7 -l /dev/ttyUSB0 --exec set_clock --exec unlock_regions --exec "flash ../openpcd/firmware/main_simtrace.samba"
}}}

===== sam7utils for amd64 =====

On amd64, sam7utils is compiled to communicate with the board using libusb.

On Ubuntu 10.10, the USB device 03eb:6124 is mapped to /dev/ttyACMx by the cdc_acm module.
Remove it while the board is plugged in, so that sam7utils is able to communicate with the board directly:
{{{
sudo rmmod cdc_acm
sudo ./sam7 --exec set_clock --exec unlock_regions --exec "flash ../openpcd/firmware/main_simtrace.samba"
}}}

==== DFU ====

TODO

== Host PC Software ==

The {{{simtrace}}} program is part of the git://git.osmocom.org/simtrace.git repository. It binds to the USB device and sends GSMTAP frames using UDP/IPv4 to localhost:4729.

=== Getting it ===

Use the following git repository:
{{{
git clone git://git.osmocom.org/simtrace.git
}}}

=== Compiling it ===

Precondition: [wiki:libosmocore] and the headers (simtrace_usb.h) from the firmware.

{{{
cd simtrace/at91sam7/host/
make
}}}

=== Using it ===

Simply start '''simtrace'''.
It will send the GSMTAP frames to UDP/IPv4 localhost:4729.

It will also print hexdumps of the frames to the console, looking like this:
{{{
sudo ./simtrace
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 38 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 38 04 00 15 00 55 01 02 00 00 91 78
APDU: (16): a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78
APDU: (9): a0 a4 00 00 02 6f ad 9f 0f
APDU: (8): a0 b0 00 00 01 00 91 78
APDU: (9): a0 a4 00 00 02 6f 07 9f 0f
APDU: (16): a0 b0 00 00 09 08 49 06 20 11 49 00 11 06 91 78
APDU: (9): a0 a4 00 00 02 6f 7e 9f 0f
APDU: (18): a0 b0 00 00 0b ff ff ff ff 64 f0 00 ff fe 00 03 91 78
APDU: (9): a0 a4 00 00 02 6f 78 9f 0f
APDU: (9): a0 b0 00 00 02 00 01 91 78
APDU: (9): a0 a4 00 00 02 6f 74 9f 0f
APDU: (23): a0 b0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 78
APDU: (9): a0 a4 00 00 02 6f 20 9f 0f
APDU: (16): a0 b0 00 00 09 ff ff ff ff ff ff ff ff 07 91 78
APDU: (9): a0 a4 00 00 02 6f 30 9f 0f
APDU: (22): a0 c0 00 00 0f 00 00 00 f0 6f 30 04 00 11 00 55 01 02 00 00 91 78
}}}
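As an added example (not code from the simtrace project), the following Python script parses console lines of the format shown above: it splits each line into the T=0 command header, data and status word, checks the declared and P3 lengths, names the GSM 11.11 instructions and elementary files that occur in the trace, and wraps the raw bytes in a GSMTAP v2 header of type SIM, the encapsulation the host program uses for its UDP frames to port 4729. The GSMTAP header layout and the instruction/EF names are taken from the GSMTAP v2 and GSM 11.11 definitions, not from this page.

```python
import struct

# Constructed sample lines, in the "APDU: (len): bytes" format simtrace prints to the console.
SAMPLE_LINES = [
    "APDU: (9): a0 a4 00 00 02 6f 07 9f 0f",
    "APDU: (22): a0 c0 00 00 0f 00 00 00 09 6f 07 04 00 15 00 15 01 02 00 00 91 78",
    "APDU: (16): a0 b0 00 00 09 ff 3f ff ff 00 00 3f 03 00 91 78",
]

# GSM 11.11 instruction codes and elementary-file identifiers that appear in the trace.
INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xC0: "GET RESPONSE"}
EF_NAMES = {0x6F07: "EF_IMSI", 0x6F38: "EF_SST", 0x6FAD: "EF_AD", 0x6F7E: "EF_LOCI",
            0x6F78: "EF_ACC", 0x6F74: "EF_BCCH", 0x6F20: "EF_Kc", 0x6F30: "EF_PLMNsel"}

GSMTAP_VERSION = 2
GSMTAP_TYPE_SIM = 0x04     # GSMTAP payload type for SIM APDUs
GSMTAP_UDP_PORT = 4729     # destination port used by the simtrace host program

def parse_trace_line(line):
    """Split one console line into T=0 header, data and status word, checking the lengths."""
    prefix, hexpart = line.split("):", 1)
    declared_len = int(prefix[prefix.index("(") + 1:])
    raw = bytes.fromhex(hexpart.strip())
    if len(raw) != declared_len or len(raw) < 7:
        raise ValueError(f"bad line: declared {declared_len} bytes, got {len(raw)}")
    cla, ins, p1, p2, p3 = raw[:5]
    data, sw = raw[5:-2], raw[-2:]
    if len(data) != p3:    # in T=0, P3 is the number of data bytes transferred in either direction
        raise ValueError(f"P3={p3} but {len(data)} data bytes on the wire")
    apdu = {"cla": cla, "ins": INS_NAMES.get(ins, f"INS 0x{ins:02x}"), "p1": p1, "p2": p2,
            "data": data, "sw": sw.hex(), "raw": raw}
    if ins == 0xA4 and len(data) == 2:   # SELECT carries the 2-byte file ID as command data
        fid = int.from_bytes(data, "big")
        apdu["file"] = EF_NAMES.get(fid, f"0x{fid:04x}")
    return apdu

def gsmtap_sim_frame(apdu_bytes):
    """Prepend the 16-byte GSMTAP v2 header (type SIM) that precedes each APDU on the UDP socket."""
    # Fields: version, hdr_len (in 32-bit words), type, timeslot, arfcn, signal_dbm, snr_db,
    # frame_number, sub_type, antenna_nr, sub_slot, res; all but the first three are unused for SIM.
    hdr = struct.pack("!BBBBHbbIBBBB", GSMTAP_VERSION, 4, GSMTAP_TYPE_SIM,
                      0, 0, 0, 0, 0, 0, 0, 0, 0)
    return hdr + apdu_bytes

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        a = parse_trace_line(line)
        print(a["ins"], a.get("file", ""), "data=" + a["data"].hex(), "SW=" + a["sw"])
        frame = gsmtap_sim_frame(a["raw"])   # would go to socket.sendto(frame, ("127.0.0.1", GSMTAP_UDP_PORT))
```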

== Wireshark integration ==

There is an experimental patch, also part of the simtrace.git package. You will have to apply it against the latest
[wiki:wireshark] developer version.

[[Image(wireshark-sim.png)]]

Protocol parsing is far from complete; patches are always welcome!