SIMtrace Hardware » History » Version 29

tsaitgaist, 02/19/2016 10:49 PM
v1.2p added

[[PageOutline]]
= Osmocom SIMtrace Hardware =

This page is dedicated to the hardware for Osmocom [wiki:SIMtrace], which looks like this:

[[Image(simtrace_11_front.jpg, 33%)]][[Image(simtrace_connectors_scaled.png, 33%)]]

You can buy the device from the [http://shop.sysmocom.de/products/simtrace sysmocom shop].

== Connectors ==

 * USB: USB mini-B connector. This is the main connector: the host software communicates with the board (sniffing, ...) over USB, and it can also be used to flash the micro-controller (using DFU).
 * serial: 2.5 mm jack serial cable, as used by osmocomBB. This port is used to debug the device (printf output goes there).
 * debug (P2): same as serial, but using the FTDI serial cable. '''It is recommended to cut the voltage wire of the 6-pin FTDI connector before plugging the cable into the SIMtrace.'''
 * jtag (P1): 20-pin JTAG connector for hardware-assisted debugging.
 * BT1: battery connector (4.5-6 V DC). Normally the USB provides power, but the battery port can be used for autonomous operation of SIMtrace. The sniffed data can then be saved in the flash (U1).
 * FFC_SIM (P3): to connect the flat flexible cable whose SIM-shaped end goes into the phone.
 * SIM (P4): put your SIM in here (instead of in the phone).
 * reset (SW1): resets the board (without erasing the firmware), for when you are too lazy to unplug and re-plug the USB.
 * bootloader (SW2): used to start the bootloader to flash the device using DFU. Press it while plugging in the USB.
 * test (JP1): short-circuit with a jumper to flash using [wiki:SIMtrace/Firmware#EnteringtheSAM-BAmode SAM-BA].
 * erase (JP2): short-circuit with a jumper to completely erase the firmware.

== Schematics, Gerber & Co ==

The schematics, Gerber files, etc. can be found in the 'hardware' subdirectory of the simtrace.git repository:
 * http://cgit.osmocom.org/cgit/simtrace/tree/hardware (web browsing)
 * git://git.osmocom.org/simtrace (git clone URL)

We're using KiCad as EDA tool. Most of the work on the schematics and Gerber files has been done by Kevin Redon, based on the original design by Harald Welte.

The latest schematics are also available as an attachment to this page.

== Interconnections ==

The hardware schematics are very, very simple:

 * Connect SIM-RST with PA7
 * Connect SIM-I/O with PA6(TXD0) and PA1(TIOB0)
 * Connect SIM-CLK with PA2(SCK0) and PA4(TCLK0)
 * Connect SIM-GND with GND

== Mode of operation ==

The USART of the AT91SAM7S is capable of T=0. The documentation only mentions it in clock-master mode, as you would run it in a smart card reader to actively talk to a smart card. However, by using the USART input clock multiplexer, you can use an externally-generated CLK like the one from the SIM card socket of the phone.

Unfortunately, the Rx Timeout feature of the USART does not work in T=0 mode, so I had to re-implement Rx timeout (waiting time) handling by means of the TC (timer/counter) block 0. Due to technical limitations, we will wait up to one byte (12 etu) more than we should.

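As an added illustration of the waiting-time handling just described (example code written for this page, not taken from the simtrace firmware): it derives the T=0 waiting time from the ISO 7816-3 default F, D and WI values, converts it into SIM-clock cycles as a timer compare value, and models the one-character lateness of the timer-based detection. The 3.25 MHz phone clock is a constructed sample, and the explanation of the lateness is an assumption; the page only says "technical limitations".

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* ISO 7816-3 default values (as assumed here, before any PPS negotiation). */
#define ISO7816_F_DEFAULT  372u  /* clock rate conversion integer (Fi) */
#define ISO7816_D_DEFAULT  1u    /* baud rate adjustment integer (Di) */
#define ISO7816_WI_DEFAULT 10u   /* T=0 waiting time integer (WI) */
#define T0_CHAR_ETU        12u   /* start + 8 data + parity + 2 etu guard time */

/* One etu lasts F/D cycles of the SIM clock (here the phone's CLK on SIM-CLK). */
static uint32_t etu_cycles(uint32_t f, uint32_t d) { return f / d; }

/* T=0 work waiting time in etu: WT = 960 * D * WI. */
static uint32_t t0_wt_etu(uint32_t wi, uint32_t d) { return 960u * d * wi; }

/* The same waiting time in SIM clock cycles: the compare value to program into
 * a timer/counter that is clocked from the SIM clock (TCLK0 on PA4). */
static uint32_t t0_wt_cycles(uint32_t f, uint32_t d, uint32_t wi) {
    return t0_wt_etu(wi, d) * etu_cycles(f, d);
}

/* Waiting time in microseconds for a given phone-supplied clock frequency. */
static uint32_t t0_wt_us(uint32_t f, uint32_t d, uint32_t wi, uint32_t clk_hz) {
    return (uint32_t)((uint64_t)t0_wt_cycles(f, d, wi) * 1000000u / clk_hz);
}

/* Sniffer-side grouping of bytes: true once the gap since the end of the last
 * received character exceeds the waiting time. Assumed model: the timer is
 * re-armed when the USART reports a complete character (end of the 12-etu
 * frame), whereas ISO 7816-3 counts WT from leading edge to leading edge, so
 * detection lags the standard's deadline by one character time. */
static bool gap_exceeds_wt(uint32_t last_char_end_etu, uint32_t now_etu, uint32_t wt_etu) {
    return (now_etu - last_char_end_etu) > wt_etu;
}

/* Worst-case lateness of this scheme relative to the ISO deadline, in etu. */
static uint32_t wt_extra_etu(void) { return T0_CHAR_ETU; }

int main(void) {
    const uint32_t phone_clk_hz = 3250000u; /* constructed sample: 3.25 MHz SIM clock */
    printf("1 etu = %u clk cycles\n", etu_cycles(ISO7816_F_DEFAULT, ISO7816_D_DEFAULT));
    printf("WT = %u etu = %u clk cycles = %u us at %u Hz (+%u etu slack)\n",
           t0_wt_etu(ISO7816_WI_DEFAULT, ISO7816_D_DEFAULT),
           t0_wt_cycles(ISO7816_F_DEFAULT, ISO7816_D_DEFAULT, ISO7816_WI_DEFAULT),
           t0_wt_us(ISO7816_F_DEFAULT, ISO7816_D_DEFAULT, ISO7816_WI_DEFAULT, phone_clk_hz),
           phone_clk_hz, wt_extra_etu());
    return 0;
}
```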
== Modi ==

SIMtrace has the possibility to work as:
 * sniffer
 * card reader
 * card emulator
 * man-in-the-middle

The SAM7S offers 2 T=0 capable USART ports.
One is connected to the phone (PA21-PA27), the other to the SIM (PA1-PA7).
The lines go from the phone to the SIM through a bus switch (IC4=[http://www.ti.com/lit/ds/symlink/sn74cb3q3244.pdf CB3Q3244]).
The bus switch offers 2 buses of 4 lines:
 * The first is used to forward RST, CLK, and VPP (between the SIM and the phone). It is controlled by SC_SW (PA20).
 * The second is used to forward I/O (between the SIM and the phone). It is controlled by SC_I/O (PA19).

The various modi require interrupting different lines:

|| SC_SW (PA20) || SC_I/O (PA19) || description || modus ||
|| L || L || phone and SIM directly connected || sniffer (use any USART port) ||
|| L || H || only I/O interrupted || MitM (use both USART ports) ||
|| H || H || phone and SIM not connected || card reader, emulator (use the respective USART port) ||

As of 2012-01-12, only the sniffer is implemented.

SIM cards support various classes (voltage levels): class A = 5.0V, class B = 3.0V, class C = 1.8V.
SIMtrace v1.x only supports class B (3.0V), which all current SIM cards and phones also support.
To ensure class B is used, SIMtrace forces 3.3V (within the 3.0V±10% spec) by holding the VCC line at this voltage.
SIMtrace v2 will support all 3 classes.

== Revisions ==

=== v2.0 ===

This is ongoing (stalled) work.
The changes compared to v1.x are:
 * ID-1 and ID-000 smart card slots (with presence detection): to also be able to sniff credit-card-sized smart cards
 * through-hole USB Mini-B and 2.5 mm serial jack connectors: more robust
 * proper support for all smart card classes (A, B, C): better compatibility
 * switch from AT91SAM7S to AT91SAM3S: it has more USB endpoints
 * ability to forward voltage from the phone to the SIM or to provide voltage from the board: ideal for sniffer and reader
 * a microSD slot instead of on-board flash: easier data transfer
 * a SWP sniffer (maybe)

=== v1.2p (1.2 Production branch) ===

[[Image(simtrace_v12p_front.jpg, 33%)]]

Adaptation of v1.1p because of component availability for a new batch.

Changes:
 * the capacitor is even nearer to the LDO
 * one diode slightly changed place
 * the quartz crystal is smaller (footprint still fits)
 * the SIM slot is a different one (the previous one is not available from Amphenol anymore). No presence switch.

Downloads:
 * [attachment:simtrace_v12_schematic.pdf]
 * [attachment:simtrace_v12p_gerber.zip]

=== v1.1p (1.1 Production branch) ===

[[Image(simtrace_11_front.jpg, 33%)]]

This is a slightly corrected version of v1.0p.

Changes:
 * a critical capacitor is near the LDO
 * some other capacitors are nearer to the CPU
 * some power traces are wider
 * the SIM C6/VPP contact is also routed through the bus switch (sometimes used for the Single Wire Protocol)
 * sysmocom is added in the copper for legal reasons
 * the FTDI Vcc is cut

Downloads:
 * [attachment:simtrace_v11p_schematic.pdf]
 * [attachment:simtrace_v11p_gerber.zip]

=== v1.0p (1.0 Production branch) ===

[[Image(simtrace_v10p_front_mid.jpg, 33%)]]

This is identical to v1.0 on the schematics side; we simply altered the footprints of some components to accommodate whatever the SMT factory had in stock. Specifically, the LEDs are 0805 instead of 0603, and the Schottky diodes are in a slightly awkward-looking, very large package.

Downloads:
 * [attachment:simtrace_v10p_schematic.pdf]
 * [attachment:simtrace_v10p_gerber.zip]

=== v1.0 ===

[[Image(simtrace_10_front.jpg, 33%)]]

This is the first stable release. We built some 5 prototypes from this version.

Downloads:
 * [attachment:simtrace_schem_v10.pdf]
 * [attachment:simtrace_10_gerber.zip]

=== v0.9 ===

[[Image(simtrace_v09_top_mid.jpg, 33%)]]

As of June 04, 2011 the components had all arrived and four PCBs were in production. We assembled the first units around June 14, 2011.

As of June 21st, we had four re-worked prototypes that are fully functional.

=== v0.8 ===

[[Image(simtrace_08_front_mid.jpg, 33%)]]

This never really was an official release. However, a friend took the unfinished Gerber files and built 5 units.

Since the Gerber files were not finished, we had to do lots and lots of re-work in order to make them work at all.

== License ==

Schematics and Gerber files are released under the Creative Commons CC-BY-SA (Attribution / Share Alike) license.

== Sales ==

Sales started at the 2011 CCC Camp and the hardware can be bought through the web-shop of sysmocom GmbH ([http://shop.sysmocom.de/]).

== Credits ==

 * Harald Welte
   * Original project idea, schematic design
   * Olimex SAM7-P64 based prototypes
   * Firmware and host software
 * Kevin Redon
   * KiCAD work on schematics, footprints and routing
   * Soldering of some prototypes
 * [http://sysmocom.de/ sysmocom - systems for mobile communications GmbH]
   * funding for hardware prototyping (PCB, components, etc.)
 * Christian Daniel
   * post-production flashing + debugging, design + test of v1.0p rework