FreeCalypso > hg > fc-sim-sniff
diff doc/Sniffer-FPGA-design @ 4:b275c69c1b80
doc: describe proposed FPGA design
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Sat, 29 Jul 2023 07:06:54 +0000 |
parents | |
children | 41e6026e5d1a |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/doc/Sniffer-FPGA-design Sat Jul 29 07:06:54 2023 +0000 @@ -0,0 +1,191 @@ +The first FPGA gateware function to be implemented in the SIMtrace-ice project +is the passive sniffer: receiving level-shifted SIM RST, CLK and I/O signals +from the 74LVC4T3144 buffer and capturing all exchanges that happen on the SIM +interface between a DUS and a SIM. + +The sniffer FPGA logic function will be implemented on the inexpensive off-the- +shelf Icestick board, featuring an iCE40HX1K FPGA and an FT2232H-based USB host +interface. This FPGA logic function will operate principally as a byte +forwarder from the ISO 7816-3 sniffer block to the FT2232H UART: every time the +bus sniffer block captures a character (in ISO 7816-3 terminology) being passed +on the SIM electrical interface in either direction (the two directions of +transmission are indistinguishable to a tap sniffer that does not actively +participate in the protocol), the FPGA will forward this character to the +connected host computer (by way of FT2232H UART) for further processing in +software. The UART data line going from the FPGA to the FT2232H will be the +sole functional output from this FPGA, beyond debug outputs being added during +logic development and troubleshooting. The other UART data line going the +opposite direction (output from FT2232H) will remain unused, i.e., the host +software application will only read/receive from the ttyUSBx FPGA device and +won't send anything to it. All modem control lines on this UART interface will +likewise remain unused. + +Serial interface format +======================= + +For every ISO 7816-3 character captured by the sniffer, two back-to-back UART +bytes will be transferred from the FPGA to the host computer; more generally, +the FPGA will only transmit pairs of back-to-back bytes on this UART and no +singletons or other arrangements - thus the host receiver can always recover +synchronization by dropping any partially received two-byte message (the first +byte of an expected pair) during prolonged pauses. The FPGA will transmit the +two back-to-back UART bytes as a single shift-out of 20 bits, conveying two +bytes in 8N1 framing. + +Why are we turning every captured ISO 7816-3 character into a pair of bytes on +our internal UART interface, why not simply forward it as a single byte? The +reason is that we need to pass some additional bits beyond the 8 that comprise +the ISO 7816-3 character payload; the additional bits which we need to pass are +as follows: + +- the received parity bit; +- a flag indicating whether or not an error signal (ISO 7816-3 section 7.3) + was seen; +- additional flag bits communicating SIM RST assertion and negation events, + as distinct from ISO 7816-3 characters; +- an additional flag indicating an action of the integrated PPS catcher state + machine, to be described later in this document. + +Assertion or negation of SIM RST is the only other possible event (besides ISO +7816-3 character capture, with or without attendant PPS catcher state machine +action) that can cause the FPGA to send a byte-pair UART message to the host +computer. One bit in the 16-bit message will distinguish between characters +and RST events, another bit will indicate the state of RST at the time of the +event (new RST for transitions, 1 for characters), and all other bits are +meaningful only for characters. + +Clocking design +=============== + +The FPGA on the Icestick board receives a 12 MHz clock input; the on-chip PLL +will be used to multiply this clock by 4, producing a 48 MHz system clock. +This 48 MHz SYSCLK will be used for the entirety of the present logic design - +a single-clock fully synchronous design is the best current practice. + +The 3 inputs to the FPGA coming from the SIM electrical sniffer (buffered and +level-shifted SIM RST, CLK and I/O lines) will pass through two cascaded DFFs, +bringing them into our internal clock domain. The delay added by these cascaded +DFFs is not a concern: we are a passive sniffer without any output back to the +SIM interface, and all 3 signal inputs will be subject to the same delay. + +The baud rate on the UART interface between the FPGA and the FT2232H converter +will be 3000000 bps. The UART output block in the FPGA will use a simple /16 +divider from SYSCLK to time its output bits; future derivative designs that will +use the UART interface bidirectionally (such as the planned card emulator FPGA +design) will use SYSCLK directly as the 16x clock for UART reception. This +high (and very non-RS232-standard) UART baud rate was chosen for the following +reasons: + +* Our UART interface is totally private, going nowhere but the on-board FT2232H, + thus it doesn't matter if the baud rate is standard-ish or totally + non-standard. + +* No cables of any kind are used, instead the UART interface is confined to + short PCB traces running between the FPGA and the FTDI chip on the same board + - hence high baud rates are not a problem. + +* Our UART baud rate needs to be high enough to provide good margin, despite + our 2x expansion, at the highest possible effective bps rate on the SIM + interface, meaning the highest possible SIM CLK frequency and the most + aggressive F/D ratio. The combination of SIM CLK at 5 MHz, F=512 and D=64 + corresponds to 625000 bps effective on the SIM interface; running our UART at + 3 Mbps provides sufficient margin. + +ISO 7816-3 sniffer block +======================== + +Our ISO 7816-3 receiver will trigger on the falling edge of the I/O line. Once +it detects a high-to-low transition on the SYSCLK-synchronized SIM_IO input, it +will start counting SIM CLK cycles - we are arbitrarily choosing low-to-high +transition of SYSCLK-synchronized SIM_CLK input as the trigger point. (This +choice is arbitrary because per the spec there is no defined phase relation +between SIM CLK and SIM I/O transitions.) Our ISO 7816-3 receiver will need to +know how many SIM CLK cycles constitute one etu - or more precisely, our +sniffing receiver will operate in half-etu counts, as we need to measure 0.5 etu +to get from the initial falling edge on the I/O line to the mid-etu data +sampling point. Following the session-opening low-to-high transition on the RST +line, our half-etu register will be set to 8'd186, corresponding to F/D=372. +Our PPS catcher state machine will then overwrite this register with a smaller +value based on the captured PPS exchange. + +Direct and inverse coding conventions +===================================== + +Only the card and not the DUS (interface device in ISO 7816-3 terminology) +determines which coding convention is used, direct or inverse. So far we +(FreeCalypso) have not yet encountered a real-life SIM that uses the inverse +convention, only the direct convention kind. In the sniffer function of +SIMtrace-ice, we are going to keep our FPGA gateware simple in this regard and +punt all inverse convention handling to the software application on the host +computer: the FPGA will pass the 9 received bits (8 data bits and 1 parity bit) +to the 16-bit UART message as-is, without inverting or reordering them. + +Integrated PPS catcher +====================== + +The logic described so far will be sufficient to capture all exchanges on the +SIM interface between a DUS and a SIM *if* the etu-defining F/D ratio is never +switched from the basic default of 372. However, given that most SIM cards of +interest to us (our own FCSIM1, as well as SIMs issued by various commercial +operators) support Fi=512 Di=8 or higher, and given that even very classic +implementations of GSM ME (including our dear Calypso) support this F=512 D=8 +speed enhancement mode endorsed by GSM 11.11 spec, many real-life DUS-to-SIM +sessions (which we would like to sniff and trace) will include a PPS exchange +switching to a smaller number of SIM CLK cycles per etu. + +The main difficulty with capturing SIM interface sessions that use speed +enhancement is as follows: in order for the session capture to be complete, +without any lost bits, the sniffing receiver's knowledge of how many SIM CLK +cycles constitute a half-etu needs to change to the new value at exactly the +correct moment in time, which is the moment immediately after the last byte +(PCK) of the SIM's PPS response passes across the wire. If we were to rely on +host software to decode all byte exchanges up to this point (ATR from the SIM, +PPS request from the DUS, then PPS response) and command the FPGA (UART in the +other direction, or a modem control line) to switch the half-etu counter, we +stand very little chance of getting this command to the FPGA in time, before +the DUS starts transmitting its next command to the SIM using the new etu +definition. + +The Mother's proposed solution is to embed a PPS catcher state machine in the +sniffer FPGA. This state machine will be set to its initial state upon the +session-opening low-to-high transition on the RST line, and it will look at +every ISO 7816-3 character received by the sniffer. The machine will need to +step through the following states between this starting point and the final +action of changing the half-etu count register: + +* As the ATR bytes are transferred, the state machine will need to understand + enough of ATR format to know which byte constitutes the end of ATR. A fatal + error in ATR real-time parsing (if the first byte is anything other than + 8'h3B) will put the machine into its inactive state for the remainder of the + session until next reset. + +* If the byte following ATR is 8'hFF, the machine will proceed into PPS request + real-time parsing state. If this byte equals any other value, go to the + inactive state for the remainder of the session. + +* In the PPS request real-time parsing series of states, the state machine will + need to catch the PPS0 byte and based on this byte, figure out how many bytes + it needs to skip. + +* Following the PPS request, the machine will need to real-time-parse the PPS + response. Any invalid conditions will take it to the inactive state; however, + if the PPS exchange is valid, the machine will need to capture the PPS1 byte + and then step through states until the final PCK byte of the PPS response. + +* Upon receiving that last PCK byte after all prior bytes following the expected + protocol, effect the half-etu count change. Either way, the inactive state + is entered at this point, and the state machine will take no further action + for the remainder of the session. + +This state machine is of course going to be very complicated, as evident from +the functional requirements listed above. The first version of SIMtrace-ice +sniffer FPGA will omit this block altogether, and we will get the rest of the +system working for DUS-to-SIM sessions that stick with F/D=372 - a good test +configuration would be to use a FreeCalypso GSM ME as DUS, with SIM speed +enhancement disabled via AT@SPENH=0. Then we shall embark on implementing this +proposed PPS catcher state machine. + +The addition of this PPS catcher state machine may increase the complexity of +our logic beyond the capacity of the iCE40HX1K FPGA on the Icestick board. If +we run into this problem, we'll have to look for a board with a bigger FPGA - +but we'll try to fit into the Icestick first.