Wiki » History » Version 39

tsaitgaist, 01/16/2023 10:33 PM
fix trace firmware link

h1. Osmocom SIMtrace 2

{{>toc}}

Osmocom SIMtrace 2 is a software, firmware and hardware system for passively tracing the SIM-ME communication between a SIM card and a mobile phone, and for remote SIM operation.

While it was designed for SIM-ME communication, it supports any ISO 7816 smart card that uses the T=0 protocol (by far the most common case).

It is a follow-up of the "SIMtrace project":/projects/simtrace/wiki, providing more functionality (e.g. remote SIM operation) and supporting multiple boards (e.g. SIMtrace with SAM3S, "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html).

h2. Hardware

The SIMtrace 2 firmware supports several boards.

The firmware is written for an "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller.

Note: The SAM3S has since been marked _not recommended for new designs_ by Atmel (now Microchip). However, there are plenty of hardware- and software-compatible upgrade options, including the SAM4S, so a future migration is possible.

h3. SIMtrace board for SIMtrace 2 project

!{width:20%}simtrace-board-mini.jpg!

The main purpose of this board is to sniff the communication between a phone and a SIM card (or between any card reader and smart card).

This is the same circuit board as the previous "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware, with the exception that the "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller replaces the old "AT91SAM7S64":https://www.microchip.com/wwwproducts/en/AT91SAM7S64. Since the SAM3S is pin-compatible with the SAM7S, any SIMtrace v1 board can be converted into a SIMtrace v2 board simply by replacing the micro-controller (and flashing the SIMtrace 2 firmware).

Note: This hardware is "open source hardware (OSHW)":https://gitea.osmocom.org/sim-card/simtrace2/src/branch/master/hardware

h4. SIMtrace2 hardware availability

Fully assembled SIMtrace2 boards and related accessories like FPC cables can be obtained from the "sysmocom webshop":https://shop.sysmocom.de/SIMtrace2-Hardware-Kit/simtrace2-kit

h3. ngff-cardem

!{width:25%}ngff-cardem.jpg!

This is a carrier board for cellular modems in the NGFF / M.2 form factor with an on-board SIMtrace 2. It is wired so that it can operate either as a passive tracer/sniffer or in @cardem@ mode.

See [[ngff-cardem:]] for all information on the ngff-cardem board, including design files.

Note: This hardware is "open source hardware (OSHW)":https://gitea.osmocom.org/electronics/osmo-small-hardware/src/branch/master/ngff-cardem

h4. ngff-cardem availability

Fully assembled ngff-cardem boards can be obtained from the "sysmocom webshop":https://shop.sysmocom.de/M.2-modem-carrier-with-remote-SIM-tracing/ngff-cardem-kit-external

h3. sysmoQMOD

!{width:25%}sysmoqmod.png!

The SAM3S micro-controller with the SIMtrace 2 firmware is also used on the "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html board to provide remote SIM operation capabilities.

Note: This hardware is not open source.

h4. sysmoQMOD hardware availability

Fully assembled sysmoQMOD boards and related products can be obtained from "sysmocom":https://www.sysmocom.de/products/lab/sysmoqmod/index.html

An evaluation kit is available from the "sysmocom webshop":https://shop.sysmocom.de/sysmoQMOD-evaluation-kit/sysmoQMOD-evk - please contact sales@sysmocom.de for inquiries on quantity pricing.

h2. Firmware

The SIMtrace 2 firmware source code is available in "git":https://gitea.osmocom.org/sim-card/simtrace2/src/branch/master/firmware

Pre-built firmware binaries are available "here":https://ftp.osmocom.org/binaries/simtrace2/firmware/.

The firmware is under active development; we recommend [[Flashing|flashing]] the latest firmware images to benefit from the most recent bug fixes and added functionality.

The SIMtrace 2 firmware is a complete rewrite and *can only be flashed on hardware with SAM3S* ARM Cortex-M3-based micro-controllers.
*The SIMtrace 2 firmware is not compatible with the older "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware using SAM7S ARM7TDMI-based micro-controllers.*

To get the version of the firmware flashed on a device, use the @simtrace2-list@ tool.

h3. trace

The trace application firmware sniffs the communication between a phone and a SIM card (or between any card reader and smart card).
It is intended for the [[Wiki#SIMtrace v2|SIMtrace v2 hardware]] and its function is analogous to the "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Firmware firmware.

The sniffing is completely passive: the board only listens on the card interface and never drives it. It tracks the RST line, the ATR, the PPS exchange (tested with F/D up to 512/32) and the WT (waiting time) in order to split the ISO 7816-3 byte stream into TPDUs correctly.

Currently only the T=0 protocol is supported, since this is the most common protocol in use (we have not seen T=1 in use on SIM cards).
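
As an added example (not part of this page or of the simtrace2 project code), the following Python decodes an ATR and a PPS exchange the way a passive tracer has to: it walks the ATR interface bytes to find TA1 and the indicated protocols, verifies the TCK and PCK check bytes, and derives the F/D that applies once the card has echoed the PPS. The sample bytes in the test are the ATR and PPS printed by simtrace2-sniff further down this page; the function and class names and the acceptance rule in negotiated_fd are this example's own.

```python
"""ISO 7816-3 ATR and PPS decoding, as a passive tracer has to do it (example code)."""
from dataclasses import dataclass
from functools import reduce
from operator import xor
from typing import Optional, Set, Tuple

# ISO 7816-3: clock rate conversion integer Fi (high nibble of TA1 / PPS1) and
# baud rate adjustment integer Di (low nibble); None marks RFU codings.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None,
            512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]
DEFAULT_FD = (372, 1)   # in effect until a successful PPS exchange changes it


def fd_from_byte(b: int) -> Tuple[int, int]:
    """Map a TA1 or PPS1 byte to (F, D); RFU codings are rejected."""
    f, d = FI_TABLE[b >> 4], DI_TABLE[b & 0x0F]
    if f is None or d is None:
        raise ValueError("RFU Fi/Di coding 0x%02x" % b)
    return f, d


@dataclass
class Atr:
    ta1: Optional[int]
    fd: Tuple[int, int]      # F/D the card proposes in TA1 (372/1 if absent)
    protocols: Set[int]      # T values indicated by the TDi bytes
    historical: bytes
    tck_present: bool


def parse_atr(raw: bytes) -> Atr:
    atr = bytes(raw)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte")
    hist_len, y, i, protocols = atr[1] & 0x0F, atr[1] >> 4, 2, set()
    try:
        ta1 = atr[2] if y & 0x1 else None          # TA1 codes Fi/Di
        while True:
            # Yi (high nibble of T0 / TDi) flags which of TAi TBi TCi TDi follow.
            i += bin(y & 0x7).count("1")           # skip TAi, TBi, TCi
            if not y & 0x8:
                break
            td, i = atr[i], i + 1
            protocols.add(td & 0x0F)
            y = td >> 4
        historical, i = atr[i:i + hist_len], i + hist_len
        if len(historical) != hist_len:
            raise IndexError
        # TCK is absent only if T=0 is the only protocol indicated; it makes the
        # XOR of every byte from T0 to TCK inclusive equal to zero.
        tck_present = bool(protocols) and protocols != {0}
        if tck_present:
            if i >= len(atr):
                raise IndexError
            if reduce(xor, atr[1:i + 1], 0) != 0:
                raise ValueError("ATR check byte TCK mismatch")
            i += 1
    except IndexError:
        raise ValueError("ATR truncated") from None
    if i != len(atr):
        raise ValueError("ATR has %d trailing byte(s)" % (len(atr) - i))
    fd = fd_from_byte(ta1) if ta1 is not None else DEFAULT_FD
    return Atr(ta1, fd, protocols or {0}, historical, tck_present)


@dataclass
class Pps:
    protocol: int            # T proposed in the low nibble of PPS0
    pps1: Optional[int]
    fd: Tuple[int, int]


def parse_pps(raw: bytes) -> Pps:
    pps = bytes(raw)
    if len(pps) < 3 or pps[0] != 0xFF:
        raise ValueError("bad PPSS byte")
    pps0 = pps[1]
    present = [bool(pps0 & bit) for bit in (0x10, 0x20, 0x40)]   # PPS1..PPS3
    if len(pps) != 3 + sum(present):
        raise ValueError("PPS length does not match PPS0")
    if reduce(xor, pps, 0) != 0:       # PCK makes the XOR of all PPS bytes zero
        raise ValueError("PPS check byte PCK mismatch")
    pps1 = pps[2] if present[0] else None
    return Pps(pps0 & 0x0F, pps1, fd_from_byte(pps1) if pps1 is not None else DEFAULT_FD)


def negotiated_fd(request: bytes, response: bytes) -> Tuple[int, int]:
    """F/D in effect after a PPS exchange (the sniffer sees both halves)."""
    req, rsp = parse_pps(request), parse_pps(response)
    if rsp.protocol != req.protocol:
        raise ValueError("card answered with a different protocol")
    if rsp.pps1 is None:               # card dropped PPS1: the default F/D stays
        return DEFAULT_FD
    if rsp.pps1 != req.pps1:
        raise ValueError("PPS1 in the response does not echo the request")
    return rsp.fd
```

A tracer that gets any of this wrong desynchronises from the byte stream: a wrong F/D means every subsequent character is sampled at the wrong rate, and a miscounted ATR means the first TPDU header is lost. Rejecting a bad TCK or PCK instead of silently accepting it is what keeps the parsed TPDUs trustworthy.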

!{width:25%}simtrace_and_phone.jpg!

The application firmware to be flashed using [[Flashing#DFU|DFU]] is "simtrace-trace-dfu.bin":https://ftp.osmocom.org/binaries/simtrace2/firmware/latest/simtrace-trace-dfu-latest.bin.

h3. card emulation

The card emulation application firmware emulates a card (e.g. a SIM) towards the device. This is useful if you do not want to change the card in the device (e.g. a phone), or if the card is in a remote location.

This firmware comes pre-flashed on the sysmoQMOD board.
It also exists for the SIMtrace v2 board, but is currently in beta. If you would still like to try it, read the [[Cardem|card emulation article]].

h3. Development

To compile the firmware from source, or to participate in its development, please refer to the instructions in the "README":https://gitea.osmocom.org/sim-card/simtrace2/src/branch/master/firmware/README.txt

h2. Flashing

The [[Wiki#Firmware|firmware images]] can be flashed as described [[Flashing|here]].

h2. Host PC Software

The source code of the SIMtrace 2 host PC software is available in the "simtrace2 git":https://gitea.osmocom.org/sim-card/simtrace2/src/branch/master/host

Binary packages are made available for a variety of Linux distributions, see [[cellular-infrastructure:Binary_Packages]] for more details. In case of doubt, use the nightly builds.

h3. Installing binary packages

We assume that you have added the binary package feed, for example as described at [[cellular-infrastructure:Nightly_Builds]].

All you need to do is:

<pre>
$ sudo apt-get install simtrace2-utils
</pre>

h3. Building from source

This assumes you are a software developer familiar with building software from source using GNU autotools. If you are not, please use the binary packages (see above).

h4. Preconditions

[[libosmocore:]], libpcsclite and libusb.

To install those packages:
<pre>
sudo apt-get install libusb-1.0-0-dev libosmocore-dev libpcsclite-dev
</pre>

h4. Compiling it

<pre>
git clone https://gitea.osmocom.org/sim-card/simtrace2.git
cd simtrace2/host/
autoreconf -fi
./configure
make
</pre>

h3. Accessing it

Add the udev rules so that SIMtrace 2 devices can be used by a non-root user (the rules file is installed as root, so review its contents before reloading udev):

<pre>
# add the current user to the plugdev group (re-login for this change to take effect)
sudo adduser $USER plugdev
# grant the plugdev group access to SIMtrace 2 devices
sudo wget -O /etc/udev/rules.d/99-simtrace2.rules https://gitea.osmocom.org/sim-card/simtrace2/raw/branch/master/host/contrib/99-simtrace2.rules
# reload the udev rules and re-apply them to already plugged-in devices
sudo udevadm control --reload-rules
sudo udevadm trigger
</pre>

h3. Applications

h4. simtrace2-list

@simtrace2-list@ lists all SIMtrace 2 compatible devices:
<pre>
./simtrace2-list
USB matches: 1
	1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
</pre>

This is useful when you have multiple devices (as with the [[Wiki#sysmoQMOD]]) and need to specify which device the other applications should use.

h4. simtrace2-sniff

This uses the [[Wiki#trace|trace]] firmware and retrieves the sniffed phone-SIM communication.
The activity is shown on the console output:
<pre>
./simtrace2-sniff
simtrace2-sniff - Phone-SIM card communication sniffer
(C) 2010-2017 by Harald Welte <laforge@gnumonks.org>
(C) 2018 by Kevin Redon <kredon@sysmocom.de>

Using USB device 1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
Entering main loop
Card state change: reset hold
Card state change: reset release
ATR: 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5
PPS: ff 10 96 79
PPS: ff 10 96 79
Fi/Di switched to 512/32
TPDU: a0 a4 00 00 02 3f 00 9f 22
TPDU: a0 a4 00 00 02 7f 20 9f 22
TPDU: a0 a4 00 00 02 6f 46 9f 0f
TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00
Card state change: reset hold
</pre>

The TPDUs are also sent as GSMTAP frames to UDP port 4729 on IPv4 localhost (127.0.0.1).
This allows analyzing the communication in Wireshark using its GSM SIM dissector. Note that this UDP socket is neither authenticated nor encrypted: any process on the same host can receive the frames, and a SIM trace routinely contains sensitive material such as the CHV (PIN) carried by VERIFY CHV and the SRES/Kc returned by RUN GSM ALGORITHM, so capture on a host you control.
!{width:50%}wireshark-sim.png!
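
As an added example (not code from this page or from the simtrace2 project), the following Python decodes the @TPDU:@ lines printed by simtrace2-sniff. It assumes, as the output above shows, that each line carries the 5-byte command header, the data field and SW1 SW2 but not the T=0 procedure bytes (every line above is exactly 5 + P3 + 2 bytes long). Data direction is derived from the GSM 11.11 instruction code, status words are decoded from GSM 11.11 section 9.4, the selected file path is tracked across SELECTs, and the READ BINARY of EF_SPN (6F46 under DF_GSM 7F20) is decoded into the service provider name. The sample log is constructed from the output above; the class and function names are this example's own.

```python
"""Decode the TPDU lines printed by simtrace2-sniff (GSM 11.11 commands over T=0); example code."""
from dataclasses import dataclass
from typing import List, Optional

# GSM 11.11 section 9.2: instructions whose data field is sent by the card.
INS_CARD_TO_TERMINAL = {0xB0: "READ BINARY", 0xB2: "READ RECORD", 0xC0: "GET RESPONSE",
                        0xF2: "STATUS", 0x12: "FETCH"}
# Every other CLA=A0 instruction sends its data field (if any) to the card.
INS_TERMINAL_TO_CARD = {0xA4: "SELECT", 0xD6: "UPDATE BINARY", 0xDC: "UPDATE RECORD",
                        0xA2: "SEEK", 0x32: "INCREASE", 0x20: "VERIFY CHV", 0x24: "CHANGE CHV",
                        0x26: "DISABLE CHV", 0x28: "ENABLE CHV", 0x2C: "UNBLOCK CHV",
                        0x88: "RUN GSM ALGORITHM", 0x10: "TERMINAL PROFILE",
                        0xC2: "ENVELOPE", 0x14: "TERMINAL RESPONSE"}
INS_NAMES = {**INS_CARD_TO_TERMINAL, **INS_TERMINAL_TO_CARD}
MF, DF_GSM, EF_SPN = 0x3F00, 0x7F20, 0x6F46
# GSM 11.11 section 9.4 status words (subset); 90 00 and 9F XX are handled in code.
SW_TABLE = {0x9400: "no EF selected", 0x9402: "out of range",
            0x9404: "file ID / pattern not found", 0x9408: "file inconsistent with command",
            0x9804: "access condition not fulfilled / CHV verification failed",
            0x9840: "CHV blocked"}
SW1_TABLE = {0x67: "incorrect parameter P3", 0x6B: "incorrect parameter P1 or P2",
             0x6D: "unknown instruction code", 0x6E: "wrong instruction class"}


def describe_sw(sw: int) -> str:
    if sw == 0x9000:
        return "normal ending"
    if sw >> 8 == 0x9F:
        return "response data available, %d bytes (use GET RESPONSE)" % (sw & 0xFF)
    return SW_TABLE.get(sw, SW1_TABLE.get(sw >> 8, "unknown status %04X" % sw))


@dataclass
class Tpdu:
    name: str
    ins: int
    p3: int
    data: bytes
    sw: int                     # SW1 SW2 as one value, e.g. 0x9F22
    sw_text: str
    direction: str
    length_ok: bool
    path: Optional[str] = None  # DF/EF selected after this command
    spn: Optional[str] = None   # filled for a READ BINARY of EF_SPN


def decode_tpdu(raw: bytes) -> Tpdu:
    """Split one sniffed TPDU line (5-byte header, data field, SW1 SW2)."""
    raw = bytes(raw)
    if len(raw) < 7 or raw[0] != 0xA0:
        raise ValueError("not a complete GSM 11.11 (CLA=A0) TPDU")
    ins, p3 = raw[1], raw[4]
    data, sw = raw[5:-2], (raw[-2] << 8) | raw[-1]
    if ins in INS_CARD_TO_TERMINAL:
        direction, expected = "card->terminal", (256 if p3 == 0 else p3)
    else:
        direction, expected = "terminal->card", p3
    # A card answering with an error status sends no data, so empty is acceptable too.
    length_ok = len(data) in (0, expected)
    return Tpdu(INS_NAMES.get(ins, "INS %02X" % ins), ins, p3, data, sw,
                describe_sw(sw), direction, length_ok)


def decode_spn(body: bytes) -> str:
    """EF_SPN: byte 1 is the display condition, bytes 2-17 the name, FF-padded."""
    name = body[1:17].rstrip(b"\xff")
    # Simplification: GSM 7-bit default alphabet == ASCII for letters, digits, space.
    return "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in name)


class SimSession:
    """Tracks the selected DF/EF across SELECTs (GSM 11.11 selection rules)."""
    def __init__(self):
        self.df_chain, self.ef = [MF], None

    def feed(self, raw: bytes) -> Tpdu:
        t = decode_tpdu(raw)
        if t.ins == 0xA4 and len(t.data) == 2 and (t.sw >> 8) in (0x90, 0x9F):
            fid = int.from_bytes(t.data, "big")
            if fid == MF:
                self.df_chain, self.ef = [MF], None
            elif fid >> 8 == 0x7F:                 # first-level DF under the MF
                self.df_chain, self.ef = [MF, fid], None
            elif fid >> 8 == 0x5F:                 # second-level DF under a 7Fxx DF
                self.df_chain, self.ef = self.df_chain[:2] + [fid], None
            else:                                  # an EF in the current DF
                self.ef = fid
        t.path = "/".join("%04X" % f for f in self.df_chain + ([self.ef] if self.ef else []))
        if t.ins == 0xB0 and t.sw == 0x9000 and self.ef == EF_SPN and self.df_chain[-1] == DF_GSM:
            t.spn = decode_spn(t.data)
        return t


def decode_sniff_log(text: str) -> List[Tpdu]:
    """Run every 'TPDU: ...' line of a simtrace2-sniff log through one session."""
    session = SimSession()
    return [session.feed(bytes.fromhex(line.split(":", 1)[1]))
            for line in text.splitlines() if line.startswith("TPDU:")]


# Constructed sample: the TPDU lines from the simtrace2-sniff output above.
SAMPLE_LOG = """\
TPDU: a0 a4 00 00 02 3f 00 9f 22
TPDU: a0 a4 00 00 02 7f 20 9f 22
TPDU: a0 a4 00 00 02 6f 46 9f 0f
TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00
"""
```

Run on the sample, the four lines decode to SELECT MF, SELECT DF_GSM, SELECT EF_SPN (each answered with 9F XX, i.e. response data waiting for a GET RESPONSE the phone never issues in this excerpt) and a 17-byte READ BINARY whose payload is the display condition byte 0x81 followed by the service provider name "CCC Event". Because the direction of the data field is not encoded in the bytes on the wire, the INS tables are what decides whether a data field was typed by the phone (e.g. the PIN in VERIFY CHV) or returned by the card (e.g. Kc from RUN GSM ALGORITHM via GET RESPONSE), which is the first thing to check when triaging a trace.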

{{include(cellular-infrastructure:MacroBinaryPackages)}}
{{include(cellular-infrastructure:MacroCommercialSupport)}}