FreeCalypso > hg > fc-sim-sniff
annotate doc/Motivation @ 55:5268246520de
simsniff-dec: decode command opcodes
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Wed, 04 Oct 2023 00:20:05 +0000 |
parents | 510bef2b2000 |
children |
rev | line source |
---|---|
0
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
1 Q: What is the principal idea behind SIMtrace, as distinct from the specific |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
2 implementation realized by "standard" Osmocom SIMtrace? |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
3 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
4 A: The two principal objectives of SIMtrace are: |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
5 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
6 1) Passive sniffing of communication between a phone-type device and a SIM, |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
7 ideally as transparent and non-invasive as possible. |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
8 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
9 2) Card emulation: the SIMtrace apparatus presents itself to the phone (or |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
10 modem or other phone-type device) as a SIM, either emulating the entire |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
11 SIM CardOS functionality in software or communicating with a real SIM |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
12 located somewhere remotely, across the Internet. |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
13 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
14 Q: What are the shortcomings of the existing Osmocom SIMtrace implementation of |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
15 the above goals? |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
16 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
17 A: In the opinion of Mother Mychaela of FreeCalypso, the electrical aspects of |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
18 Osmocom SIMtrace implementation are its biggest shortcoming. The following |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
19 problems are most acute currently: |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
20 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
21 * Current SIMtrace v2 hardware is not 5V-tolerant: connecting this apparatus to |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
22 an old phone that puts out 5V (class A) on its SIM socket can damage the |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
23 hardware, as class A SIM voltages exceed the absolute maximum rating spec of |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
24 the AT91SAM3S4B microcontroller on the SIMtrace v2 board, which is connected |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
25 directly to the SIM bus. |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
26 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
27 * One option would be to revive the previous hardware generation as in SIMtrace |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
28 v1, replacing the AT91SAM3S with AT91SAM7S. However, all firmware maintained |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
29 by Osmocom is written for SAM3S only, thus a backport to SAM7S would involve |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
30 significant work. Given that the resulting solution would still be far from |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
31 my idea of perfection, I find it difficult to justify investing in that |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
32 software effort - instead I would rather work on a more philosophically-proper |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
33 solution. |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
34 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
35 * AT91SAMx-based SIMtrace, both v1 and v2, works (most of the time, but not 100% |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
36 reliably) with 1.8V phone-SIM combination (a phone that prefers class C and a |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
37 SIM that supports it) only by accident. The Vih spec (the minimum required |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
38 voltage on a signal line for it to register reliably as a 1) is 2.0 V for |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
39 AT91SAM7S or 2.31 V (0.7 * Vddio, Vddio = 3.3 V) for AT91SAM3S, but the actual |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
40 voltage on SIM interface lines in class C operation will never rise above |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
41 1.8 V. The electrical interface on this hw operates severely out of spec, |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
42 and I find it rather miraculous that it works at all. Not surprisingly, |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
43 reports are starting to trickle in with user experiences of it actually NOT |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
44 working sometimes. |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
45 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
46 * Even if the SIM interface is restricted (by the phone, by the SIM, or by |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
47 SIMtrace MITM function tampering with ATR or file characteristics bytes) to |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
48 operating in class B (3.0 V nominal) only, the existing AT91SAMx SIMtrace |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
49 boards are still electrically unclean. Looking at the schematics, one can see |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
50 that both CLK and I/O lines are pulled up (with resistors) to the SIMtrace |
40
510bef2b2000
new README, old stuff goes to doc/Motivation
Mychaela Falconia <falcon@freecalypso.org>
parents:
0
diff
changeset
|
51 board's 3.3V rail, which is a higher voltage than what the phone will put out |
0
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
52 (3.0 V or 1.8 V), and in the case of SIMtrace v1 with a 5V phone, that pull-up |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
53 will turn into a pull-midway-down instead. |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
54 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
55 * My philosophy is that the tracing apparatus should be making only a high- |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
56 impedance connection to the SIM bus and nothing more, while the SIM bus itself |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
57 is galvanically connected from the phone to the physical SIM without passing |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
58 through any switches or other potential Heisenbug-inducing artifacts. |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
59 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
60 My first thought was to gently modify the existing AT91SAMx-based SIMtrace |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
61 design for electrically clean multivolt operation: |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
62 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
63 * Replace the electrical switches for SIM VCC (FPF2109) and SIM RST/CLK/IO |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
64 (CB3Q3244) with either a relay (my initial thought, but way too power-hungry) |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
65 or a manually operated 5PDT slide switch; |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
66 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
67 * Insert a Nexperia 74LVC4T3144 dual-supply buffer between the SIM bus and the |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
68 MCU, providing a sniffing path that not only supports all 3 voltage classes, |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
69 but is electrically clean, making only a high-impedance connection to the SIM |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
70 bus as I desire; |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
71 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
72 * Connect a 74LVC1G07 open drain driver (fed with TxD from the MCU) to the SIM |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
73 bus I/O line, providing a signal path for card emulation mode. (In trace mode |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
74 the firmware would be responsible for never turning on this OD driver, keeping |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
75 the tracing apparatus High-Z.) |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
76 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
77 However, as I was reading AT91SAMx datasheets more carefully in preparation for |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
78 embarking on a project to turn the above idea into reality, I saw a big problem: |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
79 when the USART is put into ISO 7816-3 mode, it uses the chip's TxD pin (switched |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
80 to open drain operation) for both Rx and Tx, and there is no option to keep |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
81 separate RxD and TxD pins with an external receiving buffer and an external OD |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
82 driver. |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
83 |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
84 It would probably be possible to build an all-voltage SIM interface with |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
85 AT91SAMx, perhaps by using one of those bidirectional level shifter ICs that |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
86 somehow automagically handle driving direction reversals. But I personally am |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
87 not too inclined to trust those automagical bidirectional translators, they |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
88 just don't align with my design philosophy - I would much much rather have |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
89 unidirectional buffers, one for sniffing and another for OD-driving the I/O |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
90 line in card emulation mode. Seeing that AT91SAMx is incompatible with such |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
91 electrical design, I decided to screw AT91SAMx and go for a radically different |
fbbafa93b52b
starting project with README and sim-fpc-pasv adapter
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
92 approach. |