fc-sim-sniff: doc/Sniffing-workflow annotate

annotate doc/Sniffing-workflow @ 58:95ed46b5f8f1 default tip

doc/Sniffing-hw-setup: mv-sniffer is here

author	Mychaela Falconia <falcon@freecalypso.org>
date	Wed, 04 Oct 2023 05:55:09 +0000
parents	7e87b03dd57d
children

rev	line source
48 1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	1 Workflow for SIM interface sniffing with FC SIMsniff
1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	2 ====================================================
37 432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	3
48 1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	4 To sniff ME-to-SIM communication with FC SIMsniff, follow this workflow:
37 432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	5
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	6 * Assemble the hardware as described in the Sniffing-hw-setup article, and
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	7 program the serial flash chip on the Icestick board with our sniffer FPGA
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	8 image. You will need to use iceprog utility from IceStorm suite for the
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	9 latter part.
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	10
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	11 * Make sure that the ME is still able to talk to the SIM going through the
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	12 additional plumbing. Only the parts up to sim-fpc-pasv matter here: the
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	13 mv-sniffer adapter and the Icestick board can be disconnected and unpowered,
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	14 yet the ME should still see the SIM inserted into the socket on the
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	15 sim-fpc-pasv board.
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	16
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	17 * When you are ready to start sniffing, complete all hw connections per the
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	18 desired hw setup you are following and plug the Icestick board into your PC
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	19 or laptop. With our sniffer FPGA image, the initial LED pattern should be:
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	20 with the Icestick oriented horizontally, upper and lower red LEDs on, left
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	21 and right red LEDs off, center green LED off.
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	22
48 1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	23 * Run simsniff-rx as follows:
37 432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	24
48 1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	25 simsniff-rx /dev/ttyUSBx logfile
37 432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	26
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	27 The /dev/ttyUSBx device needs to be the one corresponding to FT2232H Channel B
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	28 on the Icestick board, and you need to specify the name of the log file to be
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	29 written.
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	30
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	31 * Power on the phone, or otherwise cause the ME to bring up its SIM interface.
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	32 Once the ME applies power to its SIM interface and raises its RST output, the
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	33 green LED should light on the Icestick, and you should see an stdout message
48 1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	34 from simsniff-rx that reads "SIM RST is high".
37 432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	35
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	36 * When you power off the phone or cause the modem to shut down its SIM interface
48 1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	37 with AT+CFUN=0, the green LED will go out and simsniff-rx will print
37 432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	38 "SIM RST is low" on stdout. You can kill the process now, or you can kill it
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	39 earlier once you've captured enough - but you do need to start each sniffing
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	40 session from the beginning.
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	41
48 1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	42 When you run simsniff-rx with a logfile argument as recommended above, there
1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	43 will be very little output on stdout - just SIM RST transition messages
1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	44 indicating start and end of SIM interface sessions - while all other output
1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	45 gets written to the log file.
37 432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	46
48 1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	47 The main output of simsniff-rx - written to the log file if specified or to
1068f9fd41d5 doc: project rename Mychaela Falconia <falcon@freecalypso.org> parents: 37 diff changeset	48 stdout otherwise - is very low-level and very voluminuous. Each line
37 432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	49 corresponds to just one character in the ISO 7816-3 sense passing across the
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	50 SIM interface, and is logged as the raw 16-bit value received from the FPGA, as
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	51 described in the Sniffer-FPGA-design document. This low-level logging format
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	52 makes it possible to troubleshoot phone-to-SIM compatibility problems at the
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	53 lowest level: microsecond timestamps allow you to see how long the SIM takes to
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	54 respond with each byte, and you can see all procedure bytes below the level of
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	55 APDU exchanges. Did the card ask for data transfer in one swoop or one byte at
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	56 a time? Did it use any stalling bytes, and how many? All of these lowest-level
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	57 details might matter when trying to solve the mystery of why vintage phone model
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	58 ABC seemingly-inexplicably refuses to work with SIM card model XYZ!
432d756a21f1 doc/Sniffing-workflow: document written Mychaela Falconia <falcon@freecalypso.org> parents: diff changeset	59
49 7e87b03dd57d doc/Sniffing-workflow: document simsniff-dec Mychaela Falconia <falcon@freecalypso.org> parents: 48 diff changeset	60 Once you have the log captured, decode it as follows:
7e87b03dd57d doc/Sniffing-workflow: document simsniff-dec Mychaela Falconia <falcon@freecalypso.org> parents: 48 diff changeset	61
7e87b03dd57d doc/Sniffing-workflow: document simsniff-dec Mychaela Falconia <falcon@freecalypso.org> parents: 48 diff changeset	62 simsniff-dec logfile
7e87b03dd57d doc/Sniffing-workflow: document simsniff-dec Mychaela Falconia <falcon@freecalypso.org> parents: 48 diff changeset	63
7e87b03dd57d doc/Sniffing-workflow: document simsniff-dec Mychaela Falconia <falcon@freecalypso.org> parents: 48 diff changeset	64 This program reads log files written by simsniff-rx and decodes them into
7e87b03dd57d doc/Sniffing-workflow: document simsniff-dec Mychaela Falconia <falcon@freecalypso.org> parents: 48 diff changeset	65 higher-level elements as in ATR, PPS exchanges, command headers, data transfers
7e87b03dd57d doc/Sniffing-workflow: document simsniff-dec Mychaela Falconia <falcon@freecalypso.org> parents: 48 diff changeset	66 and status bytes. You should now be able to see what the ME is requesting from
7e87b03dd57d doc/Sniffing-workflow: document simsniff-dec Mychaela Falconia <falcon@freecalypso.org> parents: 48 diff changeset	67 the SIM and how the SIM responds - hopefully enough insight to figure out why
7e87b03dd57d doc/Sniffing-workflow: document simsniff-dec Mychaela Falconia <falcon@freecalypso.org> parents: 48 diff changeset	68 the finicky phone accepts some SIMs but rejects others.

FreeCalypso > hg > fc-sim-sniff

annotate doc/Sniffing-workflow @ 58:95ed46b5f8f1 default tip