SIMtrace Hardware » History » Version 31

tsaitgaist, 02/19/2016 10:49 PM
v1.3 added

{{>toc}}

h1. Osmocom SIMtrace Hardware

This page is dedicated to the hardware of Osmocom [[SIMtrace]], which looks like this:

[[Image(simtrace_11_front.jpg, 33%)]][[Image(simtrace_connectors_scaled.png, 33%)]]

You can buy the device in the "sysmocom shop":http://shop.sysmocom.de/products/simtrace.

h2. Connectors

* USB: USB mini-B connector. This is the main connector: the host software communicates with the board (sniffing, ...) over USB, and it is also used to flash the micro-controller (via DFU).
* serial: 2.5 mm jack serial cable, as used by osmocomBB. Port used to debug the device (printf output goes there).
* debug (P2): same as serial, but using the FTDI serial cable. *It is recommended to cut the voltage wire of the 6-pin FTDI connector before plugging the cable into the SIMtrace.*
* jtag (P1): 20-pin JTAG connector for hardware-assisted debugging.
* BT1: battery connector (4.5-6 V DC). Normally USB provides the power, but the battery port can be used for autonomous operation of SIMtrace; the sniffed data can then be saved in the flash (U1).
* FFC_SIM (P3): connects the flat flexible cable whose SIM-shaped end goes into the phone.
* SIM (P4): put your SIM in there (instead of in the phone).
* reset (SW1): resets the board (without erasing the firmware), if you are too lazy to unplug and re-plug the USB.
* bootloader (SW2): starts the bootloader to flash the device using DFU. Press it while plugging in the USB.
* test (JP1): short-circuit with a jumper to flash using [[SIMtraceFirmware#EnteringtheSAM-BAmode|SAM-BA]].
* erase (JP2): short-circuit with a jumper to completely erase the firmware.

h2. Schematics, Gerber & Co

The schematics, Gerber files, etc. can be found in the 'hardware' subdirectory of the simtrace.git repository:

* http://cgit.osmocom.org/cgit/simtrace/tree/hardware (web browsing)
* git://git.osmocom.org/simtrace (git clone URL)

We're using KiCad as EDA tool. Most of the work on the schematics and Gerber files has been done by Kevin Redon, based on the original design by Harald Welte.

The latest schematics are also available as an attachment to this page.

h2. Interconnections

The hardware schematics are very, very simple:

* Connect SIM-RST with PA7
* Connect SIM-I/O with PA6 (TXD0) and PA1 (TIOB0)
* Connect SIM-CLK with PA2 (SCK0) and PA4 (TCLK0)
* Connect SIM-GND with GND

h2. Mode of operation

The USART of the AT91SAM7S is capable of T=0. The documentation only mentions it in clock-master mode, as you would run it in a smart card reader to actively talk to a smart card. However, by using the USART input clock multiplexer, you can use an externally generated CLK, such as the one from the SIM card socket of the phone.

Unfortunately, the Rx Timeout feature of the USART does not work in T=0 mode, so I had to re-implement Rx timeout (waiting time) handling by means of the TC (timer/counter) block 0. Due to technical limitations, we will wait up to one byte (12 etu) longer than we should.
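As an added example (not SIMtrace firmware code and not from this page), the following C shows how the T=0 waiting time is converted into ticks of a timer/counter fed by the phone's SIM CLK (TCLK0 on PA4), with the one-character slack described above; the function names, the ISO 7816-3 defaults (F=372, D=1, WI=10) and the 16-bit counter split are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not SIMtrace firmware code: turn the ISO 7816-3 T=0
 * waiting time into timer/counter ticks when the TC is clocked from
 * the SIM CLK, including the one-character (12 etu) slack the page
 * mentions. All names below are hypothetical. */

#define ETU_PER_CHAR   12u    /* start + 8 data + parity + 2 guard etu */
#define ISO_DEFAULT_F  372u   /* clock rate conversion factor F (default) */
#define ISO_DEFAULT_D  1u     /* baud rate adjustment factor D (default) */
#define ISO_DEFAULT_WI 10u    /* T=0 waiting time integer WI (default) */
#define TC_COUNTER_MAX 65536u /* SAM7S TC channels are 16-bit counters */

/* 1 etu = F/D cycles of the card clock (ISO 7816-3). */
static uint32_t cycles_per_etu(uint32_t f, uint32_t d)
{
    return f / d;
}

/* T=0 waiting time between characters: WT = WI * 960 * D etu. */
static uint32_t t0_waiting_time_etu(uint32_t wi, uint32_t d)
{
    return wi * 960u * d;
}

/* Card-clock ticks to count before declaring an Rx timeout. The extra
 * ETU_PER_CHAR models the "one byte more than we should" limitation. */
static uint32_t rx_timeout_ticks(uint32_t wi, uint32_t f, uint32_t d)
{
    return (t0_waiting_time_etu(wi, d) + ETU_PER_CHAR) * cycles_per_etu(f, d);
}

/* A 16-bit TC cannot hold the default waiting time (>3.5M cycles), so
 * the tick count is split into full counter overflows (counted in
 * software from the overflow interrupt) plus a final compare value. */
static uint32_t tc16_overflows(uint32_t ticks) { return ticks / TC_COUNTER_MAX; }
static uint32_t tc16_remainder(uint32_t ticks) { return ticks % TC_COUNTER_MAX; }

int main(void)
{
    uint32_t ticks = rx_timeout_ticks(ISO_DEFAULT_WI, ISO_DEFAULT_F, ISO_DEFAULT_D);
    printf("WT = %u etu -> %u CLK ticks = %u overflows + %u\n",
           t0_waiting_time_etu(ISO_DEFAULT_WI, ISO_DEFAULT_D), ticks,
           tc16_overflows(ticks), tc16_remainder(ticks));
    return 0;
}
```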

h2. Modi

SIMtrace has the possibility to work as:

* sniffer
* card reader
* card emulator
* man-in-the-middle

The SAM7S offers 2 T=0 capable USART ports.
One is connected to the phone (PA21-PA27), the other to the SIM (PA1-PA7).
The lines go from the phone to the SIM through a bus switch (IC4="CB3Q3244":http://www.ti.com/lit/ds/symlink/sn74cb3q3244.pdf).
The bus switch offers 2 buses of 4 lines:

* The first is used to forward RST, CLK, and VPP (between the SIM and the phone). It is controlled by SC_SW (PA20).
* The second is used to forward I/O (between the SIM and the phone). It is controlled by SC_I/O (PA19).

The various modi require interrupting different lines:

|| SC_SW (PA20) || SC_I/O (PA19) || description || modus ||
|| L || L || phone and SIM directly connected || sniffer (use any USART port) ||
|| L || H || only I/O interrupted || MitM (use both USART ports) ||
|| H || H || phone and SIM not connected || card reader, emulator (use each USART port) ||

As of 2012-01-12, only the sniffer is implemented.

SIM cards support various classes (voltage levels): class A = 5.0 V, class B = 3.0 V, class C = 1.8 V.
SIMtrace v1.x only supports class B (3.0 V), which all current SIM cards and phones also support.
To ensure class B is used, SIMtrace forces 3.3 V (within the 3.0 V ±10% spec) by holding the VCC line at this voltage.
SIMtrace v2 will support all 3 classes.

h2. Revisions

h3. v2.0

This is ongoing (stalled) work.
The changes compared to v1.x are:

* ID-1 and ID-000 smart card slots (with presence detection): to also be able to sniff credit-card-sized smart cards
* through-hole USB Mini-B and serial 2.5 mm jack connectors: to be more robust
* properly support all smart card classes (A, B, C): better compatibility
* switch from AT91SAM7S to AT91SAM3S: it has more USB endpoints
* be able to forward voltage from the phone to the SIM or provide voltage from the board: ideal sniffer and reader
* use a microSD slot instead of built-on flash: easier data transfer
* a SWP sniffer (maybe)

h3. v1.3

[[Image(simtrace_v13_front.jpg, 33%)]]

Changes:

* added an FPF2109 power switch
* added a zener diode on the LDO to the SIM to provide ~3.0 V to the SIM (closer to the ISO 7812 specified class B)
* it is now possible to choose the power source for the SIM card: provided by the SIMtrace on-board LDO, or forwarded from the phone
* no production customizations required
* silkscreen redone (sadly missing on the produced batch)

*BUG:* because of this new feature (selecting the power source for the SIM), we wanted to be able to identify the v1.3 board.
To do that, we tied PA0 to ground. But this pin needs to be HIGH for the AT91SAM7S to be able to enter its SAM-BA mode (for flashing the first time).
If you produce the board yourself, you have to cut the trace between the left upper pin and the capacitor.
The version is now written in flash. To flash the firmware the first time (only), follow the dedicated [[ProductionFlashingV13|instructions]].

Downloads:

* [attachment:simtrace_v13_schematic.pdf]
* [attachment:simtrace_v13_board.zip]

h3. v1.2p (1.2 Production branch)

[[Image(simtrace_v12p_front.jpg, 33%)]]

Adaptation of the v1.1p because of component availability for the new batch.

Changes:

* capacitor is even nearer to the LDO
* one diode slightly changed place
* quartz crystal is smaller (footprint still fits)
* SIM slot is a different one (not available from Amphenol anymore). No presence switch.

Downloads:

* [attachment:simtrace_v12_schematic.pdf]
* [attachment:simtrace_v12p_gerber.zip]

h3. v1.1p (1.1 Production branch)

[[Image(simtrace_11_front.jpg, 33%)]]

This is a slightly corrected version of the v1.0p.

Changes:

* a critical capacitor is near the LDO
* some other capacitors are nearer to the CPU
* some power traces are wider
* the SIM C6/VPP contact is also routed through the bus switch (sometimes used for Single Wire Protocol)
* sysmocom is added in the copper for legal reasons
* the FTDI Vcc is cut

Downloads:

* [attachment:simtrace_v11p_schematic.pdf]
* [attachment:simtrace_v11p_gerber.zip]

h3. v1.0p (1.0 Production branch)

[[Image(simtrace_v10p_front_mid.jpg, 33%)]]

This is identical to v1.0 on the schematics side; we simply altered the footprints of some components to accommodate whatever the SMT factory had in stock. Specifically, the LEDs are 0805 instead of 0603, and the Schottky diodes are in a slightly awkward-looking, very large package.

Downloads:

* [attachment:simtrace_v10p_schematic.pdf]
* [attachment:simtrace_v10p_gerber.zip]

h3. v1.0

[[Image(simtrace_10_front.jpg, 33%)]]

This is the first stable release. We built some 5 prototypes from this version.

Downloads:

* [attachment:simtrace_schem_v10.pdf]
* [attachment:simtrace_10_gerber.zip]

h3. v0.9

[[Image(simtrace_v09_top_mid.jpg, 33%)]]

As of June 04, 2011 the components had all arrived and four PCBs were in production. We assembled the first units around June 14, 2011.

As of June 21st, we had four re-worked prototypes that are fully functional.

h3. v0.8

[[Image(simtrace_08_front_mid.jpg, 33%)]]

This never really was an official release. However, a friend took the unfinished Gerber files and built 5 units.

Since the Gerber files were not finished, we had to do lots and lots of re-work in order to make them work at all.

h2. License

Schematics and Gerber files are released under the Creative Commons CC-BY-SA (Share Alike / Attribution) license.

h2. Sales

Sales started at the 2011 CCC Camp and the hardware can be bought through the web-shop of sysmocom GmbH ("sysmocom - systems for mobile communications GmbH":http://shop.sysmocom.de/).

h2. Credits

* Harald Welte
** Original project idea, schematic design
** Olimex SAM7-P64 based prototypes
** Firmware and host software
* Kevin Redon
** [[KiCAD]] work on schematics, footprints and routing
** Soldering of some prototypes
* "sysmocom":http://sysmocom.de/
** funding for hardware prototyping (PCB, components, etc.)
* Christian Daniel
** post-production flashing + debugging, design + test of v1.0p rework