SIM card related Projects » SIMtrace

**%{background:yellow}WARNING: this project only applies to the first generation SIMtrace hardware, which uses the Atmel AT91SAM7S micro-controller. This project is not supported anymore. The hardware and software are still working, but won't get updates. This project is now replaced by project:simtrace2, which uses the SAM3S replacement micro-controller. Patches to add support for the Atmel AT91SAM7S in the simtrace2 software are welcome.%**

h1. Osmocom SIMtrace Hardware

{{>toc}}

This page is dedicated to the Hardware for Osmocom [[SIMtrace]], which looks like this:

{{thumbnail(simtrace_11_front.jpg)}}{{thumbnail(simtrace_connectors_scaled.png)}}

You can buy the device on the "sysmocom shop":http://shop.sysmocom.de/products/simtrace.

h2. Connectors

* USB: USB mini-B connector. The main connector. The host software communicates (sniffing,...) through USB with the board. It can also be used to flash the micro-controller (using DFU).

* serial: 2.5 mm jack serial cable, as used by osmocomBB. port used to debug the device (printf goes there).

* debug (P2): same as serial, but using the FTDI serial cable. *It is recommended to cut the voltage wire of the 6pin FTDI connector before plugging the cable into the simtrace.*

* jtag (P1): JTAG 20 pin connector to do hardware assisted debugging.

* BT1: battery connector (4.5-6V DC). normally the USB provides power, but the battery port can be used for autonomous use of SIMtrace. The sniffed data can be saved in the flash (U1).

* FFC_SIM (P3): to connect the flat flexible cable with SIM end for the phone.

* SIM (P4): put your SIM in there (instead of in the phone)

* reset (SW1): to reset the board (not erasing the firmware). If your are too lazy to unplug and re-plug the USB.

* bootloader (SW2): used to start the bootloader to flash the device using DFU. press when plugging in the USB.

* test (JP1): short circuit using a jumper to flash using [[SIMtraceFirmware#EnteringtheSAM-BAmode|SAM-BA]].

* erase (JP2): short circuit using a jumper to completely erase the firmware.

h2. Schematics, Gerber & Co

{{thumbnail(simtrace_v14_schematic.png)}}

The schematics, Gerber files, etc. can be found in the 'hardware' subdirectory of the simtrace.git repository:

* http://cgit.osmocom.org/cgit/simtrace/tree/hardware (web browsing)

* git://git.osmocom.org/simtrace (git clone URL)

We're using Kicad as EDA tool.  Most of the work on the schematics and Gerber files has been done by Kevin Redon,

based on the original design by Harald Welte.

PDF renderings of the latest schematics are also available as an attachment to this page.

h2. Interconnections

The hardware schematics are very, very simple:

* Connect SIM-RST with PA7

* Connect SIM-I/O with PA6(TXD0) and PA1(TIOB0)

* Connect SIM-CLK with PA2(SCK0) and PA4(TCLK0)

* Connect SIM-GND with GND

h2. Mode of operation

The USART of the AT91SAM7S is capable of T=0. The documentation only mentions it in clock-master mode, like you

would run it in a smart card reader to actively talk to a smart card. However, by using the USART input clock multiplexer,

you can use an externally-generated CLK like the one from the SIM card socket of the phone.

Unfortunately, the Rx Timeout feature of the USART is not working in T=0 mode, so I had to re-implement Rx timeout (waiting time)

handling by means of the TC (timer/counter) block 0.  Due to technical limitations, we will wait up to one byte (12 etu) more

than we should.

h2. Modi

SIMtrace has the possibility to work as:

* sniffer

* card reader

* card emulator

* man-in-the-middle

The SAM7S offers 2 T=0 capable USART ports.

One is connected to the phone (PA21-PA27), the other to the SIM (PA1-PA7).

The lines goes from the phone to the SIM through a bus switch (IC4="CB3Q3244":http://www.ti.com/lit/ds/symlink/sn74cb3q3244.pdf).

The bus switch offer 2 buses of 4 lines:

* The first is used to forward RST, CLK, and VPP (between the SIM and the phone). It is controlled by SC_SW (PA20)

* The second is used to forward I/O (between the SIM and the phone). It is controlled by SC_I/O (PA19)

The various modi require to interrupt different lines:

|_.SW_SC (PA20) |_.SC_I/O (PA19) |_.description |_.modus |

| L | L | phone and SIM directly connected | sniffer (use any USART port) |

| L | H | only I/O interrupted | MitM (use both USART port) |

| H | H | phone and SIM not connected | card read, emulator (use each USART port) |

As of now, still only the sniffer is implemented in the firmware

SIM cards support various classes (voltage levels): class A = 5.0V, class B = 3.0V, class C = 1.8V.

SIMtrace v1.x only supports class B (3.0V), which all actual SIM cards and phone also support.

To ensure class B is used, SIMtrace forces 3.3V (within the 3.0V±10% spec) by holding the VCC line at this voltage.

SIMtrace v2 will support all 3 classes.

h2. Revisions

h3. v2.0

This was formerly ongoing (but now long stalled) work.

The changes compared to v1.x are:

* ID-1 and ID-000 smart card slots (with presence detection): so to be able to also sniff credit card sized smart cards

* through hole USB Mini-B and Serial/Jack 2.5 connector: to be more robust

* properly support all smart card classes (A,B,C): better compatibility

* be able to forward voltage from phone to SIM or provide voltage from the board: ideal sniffer and reader

* use an microSD slot instead of built-on flash: easier data transfer

* a SWP sniffer (maybe)

j3. v1.4p-SAM3 (unreleased, available upon request)

* switch from AT91SAM7S to AT91SAM3S: it has more USB endpoints

** new firmware incomplete

h3. v1.4 / v1.4p (2014-06)

Changes:

* ensure PA0, PA1 and PA2 are high logic level at power-up (low interferes with SAM-BA operation)

** PA0 hard-wired to 3V#

** PA1 and PA2 get R25, R26 pull-up

* update to AT91SAM128D (previous we used AT91SAM128C which is now EOL)

* switch to alternative type of ferrite bead/filter, as old one is EOL

Downloads:

* [attachment:simtrace_v14_schematic.pdf]

* [attachment:simtrace_v14p_gerber.zip]

h3. v1.3 (2013-11)

{{thumbnail(simtrace_v13_front.jpg)}}

Changes:

* added a FPF2109 power switch

* added a zener diode on LDO to SIM to provide ~3.0V to SIM (closer to ISO 7812 specified class B)

* it is now possible to choose the power source for the SIM card: provided by the SIMtrace on-board LDO, or forwarded from the phone

* no production customizations required

* silkscreen redone (sadly missing on the produced batch)

* change SPI flash to S25FL032P0XMFI011

*BUG:* because of this new feature (selecting power source for the SIM), we wanted to be able to identify the v1.3 board.

To do that, we tied PA0 to ground. But this needs to be HIGH for the AT91SAM7S to be able to enter it's SAM-BA mode (for flashing the first time).

If you produce the board yourself, you have to cut the path between the left upper pin and the capacitor.

The version is now written in flash. To flash the firmware the first time (only), follow the dedicated [[ProductionFlashingV13|instructions]].

Downloads:

* [attachment:simtrace_v13_schematic.pdf]

* [attachment:simtrace_v13_board.zip]

h3. v1.2p (1.2 Production branch, 2012-05)

{{thumbnail(simtrace_v12p_front.jpg)}}

adaptation of the v1.1p because of component availability for new batch.

Changes:

* capacitor is even nearer to the LDO

* one diode slightly changed place

* quartz crystal is smaller (footprint still fits)

* SIM slot is another (not available from Amphenol anymore). No presence switch.

Downloads:

* [attachment:simtrace_v12_schematic.pdf]

* [attachment:simtrace_v12p_gerber.zip]

h3. v1.1p (1.1 Production branch, 2011-12)

{{thumbnail(simtrace_11_front.jpg)}}

This is a slightly corrected version of the v1.0p.

Changes:

* a critical capacitor is near the LDO

* some other capacitors are nearer to the CPU

* some power traces are wider

* the SIM C6/VPP contact is also routed through the bus switch (sometimes used for Single Wire Protocol)

* sysmocom is added in the copper for legal reasons

* the FTDI Vcc is cut

Downloads:

* [attachment:simtrace_v11p_schematic.pdf]

* [attachment:simtrace_v11p_gerber.zip]

h3. v1.0p (1.0 Production branch, 2011-07)

{{thumbnail(simtrace_v10p_front_mid.jpg)}}

This is identical to v1.0 on the schematics side, we simply altered the footprints of some components to accommodate

whatever the SMT factory had in stock.  Specifically the LED are 0805 instead of 0603, and the shottky diodes are

in a slightly awkward looking very large package.

Downloads:

* [attachment:simtrace_v10p_schematic.pdf]

* [attachment:simtrace_v10p_gerber.zip]

h3. v1.0

{{thumbnail(simtrace_10_front.jpg)}}

This is the first stable release.  We built some 5 prototypes from this version.

Downloads:

* [attachment:simtrace_schem_v10.pdf]

* [attachment:simtrace_10_gerber.zip]

h3. v0.9

{{thumbnail(simtrace_v09_top_mid.jpg)}}

As of June 04, 2011 the components had all arrived and four PCBs were in production.  We assemble the first

units around June 14, 2011.

As of June 21st, we had four re-worked prototypes that are fully functional.

h3. v0.8

{{thumbnail(simtrace_08_front_mid.jpg)}}

Never really was an official release.  However, a friend took the unfinished Gerber files and built 5 units.

Since the Gerber was not finished, we had to do lots and lots of re-work in order to make them work at all.

h2. License

Schematics and Gerber files are released under the Creative Commons CC-BY-SA (Share Alike / Attribution) license.

h2. Sales

Sales started at the 2011 CCC Camp and the hardware can be bought through the web-shop of sysmocom GmbH ("h2. Credits

* Harald Welte

** Original project idea, schematic design

** Olimex SAM7-P64 based prototypes

** Firmware and host software

* Kevin Redon

** [[KiCAD]] work on schematics, footprints and routing

** Soldering of some prototypes

* [http://sysmocom.de/ sysmocom - systems for mobile communications GmbH":http://shop.sysmocom.de/])

** funding for hardware prototyping (PCB, components, etc)

* Christian Daniel

** post-production flashing + debugging, design + test of v1.0p rework