annotate doc/Sniffing-workflow @ 45:b0524d1dc6ef

simtrace3-sniff-dec: implement command decoding
author Mychaela Falconia <falcon@freecalypso.org>
date Thu, 31 Aug 2023 09:32:48 +0000
parents 432d756a21f1
children 1068f9fd41d5
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
37
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
1 Workflow for SIM sniffing with SIMtrace3
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
2 ========================================
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
3
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
4 To sniff ME-to-SIM communication with SIMtrace3, follow this workflow:
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
5
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
6 * Assemble the hardware as described in the Sniffing-hw-setup article, and
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
7 program the serial flash chip on the Icestick board with our sniffer FPGA
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
8 image. You will need to use iceprog utility from IceStorm suite for the
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
9 latter part.
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
10
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
11 * Make sure that the ME is still able to talk to the SIM going through the
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
12 additional plumbing. Only the parts up to sim-fpc-pasv matter here: the
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
13 mv-sniffer adapter and the Icestick board can be disconnected and unpowered,
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
14 yet the ME should still see the SIM inserted into the socket on the
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
15 sim-fpc-pasv board.
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
16
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
17 * When you are ready to start sniffing, complete all hw connections per the
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
18 desired hw setup you are following and plug the Icestick board into your PC
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
19 or laptop. With our sniffer FPGA image, the initial LED pattern should be:
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
20 with the Icestick oriented horizontally, upper and lower red LEDs on, left
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
21 and right red LEDs off, center green LED off.
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
22
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
23 * Run simtrace3-sniff-rx as follows:
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
24
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
25 simtrace3-sniff-rx /dev/ttyUSBx logfile
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
26
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
27 The /dev/ttyUSBx device needs to be the one corresponding to FT2232H Channel B
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
28 on the Icestick board, and you need to specify the name of the log file to be
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
29 written.
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
30
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
31 * Power on the phone, or otherwise cause the ME to bring up its SIM interface.
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
32 Once the ME applies power to its SIM interface and raises its RST output, the
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
33 green LED should light on the Icestick, and you should see an stdout message
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
34 from simtrace3-sniff-rx that reads "SIM RST is high".
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
35
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
36 * When you power off the phone or cause the modem to shut down its SIM interface
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
37 with AT+CFUN=0, the green LED will go out and simtrace3-sniff-rx will print
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
38 "SIM RST is low" on stdout. You can kill the process now, or you can kill it
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
39 earlier once you've captured enough - but you do need to start each sniffing
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
40 session from the beginning.
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
41
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
42 When you run simtrace3-sniff-rx with a logfile argument as recommended above,
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
43 there will be very little output on stdout - just SIM RST transition messages
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
44 indicating start and end of SIM interface sessions - while all other output gets
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
45 written to the log file.
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
46
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
47 The main output of simtrace3-sniff-rx - written to the log file if specified or
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
48 to stdout otherwise - is very low-level and very voluminuous. Each line
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
49 corresponds to just one character in the ISO 7816-3 sense passing across the
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
50 SIM interface, and is logged as the raw 16-bit value received from the FPGA, as
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
51 described in the Sniffer-FPGA-design document. This low-level logging format
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
52 makes it possible to troubleshoot phone-to-SIM compatibility problems at the
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
53 lowest level: microsecond timestamps allow you to see how long the SIM takes to
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
54 respond with each byte, and you can see all procedure bytes below the level of
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
55 APDU exchanges. Did the card ask for data transfer in one swoop or one byte at
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
56 a time? Did it use any stalling bytes, and how many? All of these lowest-level
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
57 details might matter when trying to solve the mystery of why vintage phone model
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
58 ABC seemingly-inexplicably refuses to work with SIM card model XYZ!
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
59
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
60 There will also be a higher-level decoding program, tentatively named
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
61 simtrace3-sniff-dec. This program will read log files written by
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
62 simtrace3-sniff-rx and decode them into slightly-higher-level elements as in
432d756a21f1 doc/Sniffing-workflow: document written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
63 ATR, PPS exchanges, command headers, data transfers and status bytes.