FreeCalypso > hg > fc-sim-sniff
comparison README @ 40:510bef2b2000
new README, old stuff goes to doc/Motivation
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Wed, 30 Aug 2023 05:39:53 +0000 |
| parents | fbbafa93b52b |
| children | f8c27c2bde0e |
comparison
equal
deleted
inserted
replaced
| 39:a9e87abeeaa2 | 40:510bef2b2000 |
|---|---|
| 1 Alternative implementation of SIMtrace idea, | 1 Welcome to FreeCalypso SIMtrace3 |
| 2 using iCE40 FPGA instead of AT91SAMx | 2 ================================ |
| 3 ============================================ | |
| 4 | 3 |
| 5 Q: What is the principal idea behind SIMtrace, as distinct from the specific | 4 FC SIMtrace3 (aka SIMtrace-ice) is an alternative implementation of Osmocom |
| 6 implementation realized by "standard" Osmocom SIMtrace? | 5 SIMtrace principal idea, using an iCE40 FPGA instead of AT91SAMx MCU as the ISO |
| 6 7816-3 sniffing receiver. Aside from this change from an MCU to an FPGA and | |
| 7 thus from firmware to gateware, the other principal difference is that SIMtrace3 | |
| 8 is electrically clean and proper: | |
| 7 | 9 |
| 8 A: The two principal objectives of SIMtrace are: | 10 * The sniffing apparatus makes a strictly Hi-Z connection to the SIM bus being |
| 11 sniffed; | |
| 9 | 12 |
| 10 1) Passive sniffing of communication between a phone-type device and a SIM, | 13 * The SIM bus itself is solidly connected from the phone's SIM socket to the |
| 11 ideally as transparent and non-invasive as possible. | 14 physical SIM without any switches or pull-ups or other Heisenbug-inducing |
| 15 artifacts; | |
| 12 | 16 |
| 13 2) Card emulation: the SIMtrace apparatus presents itself to the phone (or | 17 * The sniffing apparatus supports all 3 voltage classes that can be put out by |
| 14 modem or other phone-type device) as a SIM, either emulating the entire | 18 the ME or other interface device: 1.8V, 3V and 5V are all good. |
| 15 SIM CardOS functionality in software or communicating with a real SIM | |
| 16 located somewhere remotely, across the Internet. | |
| 17 | 19 |
| 18 Q: What are the shortcomings of the existing Osmocom SIMtrace implementation of | 20 The hardware setup of SIMtrace3 consists of: |
| 19 the above goals? | |
| 20 | 21 |
| 21 A: In the opinion of Mother Mychaela of FreeCalypso, the electrical aspects of | 22 * The same SIMtrace FPC cables (going from a SIM socket to the 6-pin FPC |
| 22 Osmocom SIMtrace implementation are its biggest shortcoming. The following | 23 connector) that were originally developed for SIMtrace1/2 and are sold by |
| 23 problems are most acute currently: | 24 Sysmocom; |
| 24 | 25 |
| 25 * Current SIMtrace v2 hardware is not 5V-tolerant: connecting this apparatus to | 26 * An off-the-shelf Lattice Icestick FPGA board; |
| 26 an old phone that puts out 5V (class A) on its SIM socket can damage the | |
| 27 hardware, as class A SIM voltages exceed the absolute maximum rating spec of | |
| 28 the AT91SAM3S4B microcontroller on the SIMtrace v2 board, which is connected | |
| 29 directly to the SIM bus. | |
| 30 | 27 |
| 31 * One option would be to revive the previous hardware generation as in SIMtrace | 28 * A little bit of custom hardware: two very simple boards in the initial |
| 32 v1, replacing the AT91SAM3S with AT91SAM7S. However, all firmware maintained | 29 version, intending to consolidate them into one board in the final version, |
| 33 by Osmocom is written for SAM3S only, thus a backport to SAM7S would involve | 30 see doc/Sniffing-hw-setup for the details. |
| 34 significant work. Given that the resulting solution would still be far from | |
| 35 my idea of perfection, I find it difficult to justify investing in that | |
| 36 software effort - instead I would rather work on a more philosophically-proper | |
| 37 solution. | |
| 38 | 31 |
| 39 * AT91SAMx-based SIMtrace, both v1 and v2, works (most of the time, but not 100% | 32 This source repository contains: |
| 40 reliably) with 1.8V phone-SIM combination (a phone that prefers class C and a | |
| 41 SIM that supports it) only by accident. The Vih spec (the minimum required | |
| 42 voltage on a signal line for it to register reliably as a 1) is 2.0 V for | |
| 43 AT91SAM7S or 2.31 V (0.7 * Vddio, Vddio = 3.3 V) for AT91SAM3S, but the actual | |
| 44 voltage on SIM interface lines in class C operation will never rise above | |
| 45 1.8 V. The electrical interface on this hw operates severely out of spec, | |
| 46 and I find it rather miraculous that it works at all. Not surprisingly, | |
| 47 reports are starting to trickle in with user experiences of it actually NOT | |
| 48 working sometimes. | |
| 49 | 33 |
| 50 * Even if the SIM interface is restricted (by the phone, by the SIM, or by | 34 boards Design files for little adapter boards |
| 51 SIMtrace MITM function tampering with ATR or file characteristics bytes) to | 35 fpga Gateware for the iCE40HX1K FPGA on the Icestick board |
| 52 operating in class B (3.0 V nominal) only, the existing AT91SAMx SIMtrace | 36 sw Host software tools |
| 53 boards are still electrically unclean. Looking at the schematics, one can see | |
| 54 that both CLK and I/O lines are pulled up (with resistors) to the SIMtrace | |
| 55 board's 3.3V rail, which is a higher voltage that what the phone will put out | |
| 56 (3.0 V or 1.8 V), and in the case of SIMtrace v1 with a 5V phone, that pull-up | |
| 57 will turn into a pull-midway-down instead. | |
| 58 | |
| 59 * My philosophy is that the tracing apparatus should be making only a high- | |
| 60 impedance connection to the SIM bus and nothing more, while the SIM bus itself | |
| 61 is galvanically connected from the phone to the physical SIM without passing | |
| 62 through any switches or other potential Heisenbug-inducing artifacts. | |
| 63 | |
| 64 My first thought was to gently modify the existing AT91SAMx-based SIMtrace | |
| 65 design for electrically clean multivolt operation: | |
| 66 | |
| 67 * Replace the electrical switches for SIM VCC (FPF2109) and SIM RST/CLK/IO | |
| 68 (CB3Q3244) with either a relay (my initial thought, but way too power-hungry) | |
| 69 or a manually operated 5PDT slide switch; | |
| 70 | |
| 71 * Insert a Nexperia 74LVC4T3144 dual-supply buffer between the SIM bus and the | |
| 72 MCU, providing a sniffing path that not only supports all 3 voltage classes, | |
| 73 but is electrically clean, making only a high-impedance connection to the SIM | |
| 74 bus as I desire; | |
| 75 | |
| 76 * Connect a 74LVC1G07 open drain driver (fed with TxD from the MCU) to the SIM | |
| 77 bus I/O line, providing a signal path for card emulation mode. (In trace mode | |
| 78 the firmware would be responsible for never turning on this OD driver, keeping | |
| 79 the tracing apparatus High-Z.) | |
| 80 | |
| 81 However, as I was reading AT91SAMx datasheets more carefully in preparation for | |
| 82 embarking on a project to turn the above idea into reality, I saw a big problem: | |
| 83 when the USART is put into ISO 7816-3 mode, it uses the chip's TxD pin (switched | |
| 84 to open drain operation) for both Rx and Tx, and there is no option to keep | |
| 85 separate RxD and TxD pins with an external receiving buffer and an external OD | |
| 86 driver. | |
| 87 | |
| 88 It would probably be possible to build an all-voltage SIM interface with | |
| 89 AT91SAMx, perhaps by using one of those bidirectional level shifter ICs that | |
| 90 somehow automagically handle driving direction reversals. But I personally am | |
| 91 not too inclined to trust those automagical bidirectional translators, they | |
| 92 just don't align with my design philosophy - I would much much rather have | |
| 93 unidirectional buffers, one for sniffing and another for OD-driving the I/O | |
| 94 line in card emulation mode. Seeing that AT91SAMx is incompatible with such | |
| 95 electrical design, I decided to screw AT91SAMx and go for a radically different | |
| 96 approach. | |
| 97 | |
| 98 Outline of FPGA-based alternative design | |
| 99 ======================================== | |
| 100 | |
| 101 My (Mother Mychaela's) idea of alternative SIMtrace implementation consists of | |
| 102 the following pieces: | |
| 103 | |
| 104 1) The passive SIMtrace FPC connection board (boards/sim-fpc-pasv) is a trivial | |
| 105 PCB that electrically interconnects a SIM socket, an FPC connection for | |
| 106 SIMtrace FPC cables and a set of 2.54 mm header pins bringing out all SIM | |
| 107 interface signals. | |
| 108 | |
| 109 2) A second little adapter board (tentatively named mv-sniffer) will feature one | |
| 110 active component, but will still be just as trivial: it will be a PCB hosting | |
| 111 a single 74LVC4T3144 IC, with 2.54 mm header pins for the SIM side (SIM VCC | |
| 112 will go to the buffer IC's VccA) and for the FPGA board side; a power rail | |
| 113 from the latter board will go to the buffer IC's VccB. | |
| 114 | |
| 115 3) The FPGA board will be an off-the-shelf item, eliminating the major hurdle | |
| 116 of having to design and build a custom board of substantial complexity. My | |
| 117 first attempt will be to use the Icestick board with iCE40HX1K FPGA; if this | |
| 118 FPGA proves to be too small, I will then look for another suitable board | |
| 119 with a bigger FPGA. | |
| 120 | |
| 121 The Icestick board features not only the HX1K FPGA, but also an FT2232H chip | |
| 122 handling the USB interface. FT2232H channel A is for FPGA programming, but | |
| 123 channel B is a regular UART, connected with PCB traces to FPGA I/O pins for | |
| 124 user logic. The logic implemented in the FPGA will use this UART interface to | |
| 125 communicate with higher-level software, which will be implemented as simple | |
| 126 userspace programs - thus there is no "firmware" component per se. | |
| 127 | |
| 128 In terms of FPGA gateware functionality, the passive sniffer function will be | |
| 129 implemented first; once it works, a different logic design will be implemented | |
| 130 for card emulation mode. | |
| 131 | |
| 132 In terms of hardware as in boards, the first prototype version will use separate | |
| 133 sim-fpc-pasv and mv-sniffer boards, connected with jumper wires between 2.54 mm | |
| 134 header pins. Because the signals carried by these jumper wires reside on the | |
| 135 "target" SIM bus side of the buffer, these wires add more than just clutter - | |
| 136 they also add to the electrical length of the external SIM bus, which is | |
| 137 obviously bad. Once the basic design is proven good, I plan to spin out another | |
| 138 simple board that will feature the SIM socket, the SIMtrace FPC connector, the | |
| 139 74LVC4T3144 buffer and a header for connecting to the FPGA board. Because the | |
| 140 latter connection resides past the buffer, wire length here does NOT add to the | |
| 141 SIM bus. | |
| 142 | |
| 143 All of the just-described hardware config is for tracing only, not for card | |
| 144 emulation. For the latter function yet another, albeit still very simple, | |
| 145 adapter board will need to be made. The cardem adapter board will feature the | |
| 146 SIMtrace FPC connector, two active ICs (74LVC4T3144 receiving buffer and | |
| 147 74LVC1G07 OD driver) and the header for connecting to the FPGA board. Note the | |
| 148 absence of a SIM socket - hardware setups for sniffing a phone's communication | |
| 149 with a real SIM on the one hand and for running with a software-emulated SIM on | |
| 150 the other hand are different, and it does no good trying to combine them. |