SIM card related Projects » SIMtrace 2

h1. Osmocom SIMtrace 2

Osmocom SIMtrace 2 is a software, firmware and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone, and remote SIM operation.

It is a followup of the "SIMtrace project":https://osmocom.org/projects/simtrace/wiki/SIMtrace, providing more functionalities (e.g. remote SIM operation) and supporting multiple boards (e.g. SIMtrace with SAM3S, "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html).

h2. Hardware

The SIMtrace 2 firmware supports several boards (see below)

The firmware is written for a "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller, replacing the old "AT91SAM7S64":https://www.microchip.com/wwwproducts/en/AT91SAM7S64 used by the older "SIMtrace":https://osmocom.org/projects/simtrace/wiki/SIMtrace

Note: The SAM3S is meanwhile also labelled as _not recommended for new designs_ by Atmel. However, there are plenty of hardware and software compatible upgrade options, including SAM4S, in the future.

h3. SIMtrace2

The SAM3S is pin compatible with the SAM7S.

This allows to continue using the same "SIMtrace":https://osmocom.org/projects/simtrace/wiki/SIMtrace_Hardware circuit board, just by replacing the micro-controller.

Note: This hardware is open source.

h3. sysmoQMOD

The SAM3S micro-controller with SIMtrace 2 firmware is also used on the "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html board to provide remote SIM operation capabilities.

Note: This hardware is not open source.

h2. Firmware

The SIMtrace 2 firmware source code is available "here":https://git.osmocom.org/simtrace2/ but is still under development.

Once ready binary files will also be released.

The SIMtrace 2 firmware is a complete rewrite and *can only be flashed on hardware with SAM3S* ARM Cortex-M3-based micro-controllers.

*simtrace2 firmware is not compatible with the older "SIMtrace hardware":https://osmocom.org/projects/simtrace/wiki/SIMtrace_Hardware using SAM7S ARM7TDMI-based micro-controllers.*

h3. Flashing

h4. DFU

SIMtrace 2 comes with a USB DFU bootloader pre-installed which allows to flash the application firmware over USB using the @dfu-util@ utility.

To get @dfu-util@:

<pre>

sudo apt-get install dfu-util

</pre>

To flash the firmware:

<pre>

sudo dfu-util --device 1d50:60e3 --cfg 1 --alt 1 --reset --download ./bin/simtrace-trace-dfu.bin

</pre>

To prevent using @sudo@ in order to use @dfu-util@ on SIMtrace 2, grant access permission to the USB device to the current user:

<pre>

# create osmocom group

sudo groupadd osmocom

# add current user to osmocom group (user needs to re-login for this change to take effect)

sudo adduser $USERNAME osmocom

# grant access permission to SIMtrace 2 for osmocom group

sudo tee -a /etc/udev/rules.d/10-osmocom.rules << EOF

# SIMtrace 2

SUBSYSTEM=="usb", ATTRS{idVendor}=="1d50", ATTR{idProduct}=="60e3",  MODE="0660", GROUP="osmocom" 

EOF

# reload udev rules

sudo udevadm control --reload-rules

sudo udevadm trigger

</pre>

@dfu-util@ should reset the board and use the DFU bootloader.

Try the command a second time if it did not work at first.

If this still does not work, power up the board while pressing the *BOOTLOADER* button.

If the USB DFU bootloader is missing, defective, or needs to be updated, use the JTAG or SAM-BA methods to flash the bootloader firmware.

h4. SAMBA

The SAM3S micro-controller comes with an embedded bootloader called SAMBA, allowing to flash firmwares over USB.

The SAMBA bootloader can be used to flash the DFU bootloader.

To activate the SAMBA bootloader:

# short the *ERASE* pin on the top of the board with the nearby 3V3 pin using a jumper

# connect SIMtrace 2 over USB to power it up (no LED will light up)

# using @lsusb@ you should find the following entry:

<pre>

ID 03eb:6124 Atmel Corp. at91sam SAMBA bootloader

</pre>

# using @journalctl -f@ ensure SIMtrace 2 has been recognized as USB ACM device:

<pre>

kernel: usb 2-2: new full-speed USB device number 4 using xhci_hcd

kernel: usb 2-2: New USB device found, idVendor=03eb, idProduct=6124

kernel: usb 2-2: New USB device strings: Mfr=0, Product=0, SerialNumber=0

kernel: cdc_acm 2-2:1.0: ttyACM0: USB ACM device

kernel: usbcore: registered new interface driver cdc_acm

kernel: cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters

</pre>

# remove the jumper shorting *ERASE* to 3V3

# install the @bossac@ utility to flash using the SAMBA protocol

<pre>

sudo apt install bossac

</pre>

# flash the USB DFU firmware using @bossac@ (note: @erase@ ensures no main application remains so to force booting the USB DFU bootloader; @boot=1@ ensures the micro-controller will boot from the internal flash instead of the embedded bootloader next time it is powered up)

<pre>

sudo bossac --port /dev/ttyACM0 --erase --write ./bin/simtrace-dfu-flash.bin --verify --boot=1

</pre>

# to prevent using @sudo@, grant to current user the permission to access USB serial devices (e.g. @/dev/ttyACM0@). Note: this change only takes effect after re-logging-in

<pre>

sudo adduser $USERNAME dialout

</pre>

Once the USB DFU bootloader is flashed, when re-pluging SIMtrace 2 over USB, you can flash the main application firmware using the DFU method.

h4. JTAG

It is also possible to flash or debug SIMtrace 2 over JTAG using the ARM 20-pin JTAG header on the top of the board.

To flash the USB DFU firmware using JTAG:

# install the JTAG utility @openOCD@

<pre>

sudo apt install openocd

</pre>

# flash the USB DFU bootloader firmware

<pre>

openocd --file interface/jlink.cfg --file target/at91sam3sXX.cfg --command "init" --command "halt" --command "flash write_bank 0 ./bin/simtrace-dfu-flash.bin 0" --command "at91sam3 gpnvm set 1" --command "reset" --command "shutdown"

</pre>

#* replace @interface/jlink.cfg@ with the configuration file for your JTAG debugging adapter

#* @at91sam3 gpnvm set 1@ ensures the micro-controller will boot from the internal flash (i.e. not from the embedded SAMBA bootloader)

The SAM3S also offers the low pin-count SWD alternative to JTAG, allowing to use an inexpensive ST-Link V2 (clone) to flash (and debug):

<pre>

openocd --file interface/stlink-v2.cfg --command "set CPUTAPID 0x2ba01477" --file target/at91sam3sXX.cfg --command "init" --command "halt" --command "flash write_bank 0 ./bin/simtrace-dfu-flash.bin 0" --command "at91sam3 gpnvm set 1" --command "reset" --command "shutdown"

</pre>

SWD pinout:

!simtrace_swd.jpg!

Once the USB DFU bootloader is flashed, when re-pluging SIMtrace 2 over USB, you can flash the main application firmware using the DFU method.

h3. Development

To compile the firmware using the source code, or participate in the development, please refer to the instructions provided in the "README":https://git.osmocom.org/simtrace2/tree/firmware/README.txt .

h2. Host PC Software

TODO