FreeCalypso > hg > fc-sim-sniff
changeset 48:1068f9fd41d5
doc: project rename
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Thu, 21 Sep 2023 06:31:34 +0000 |
parents | 7c9bf72d460f |
children | 7e87b03dd57d |
files | doc/Cardem-plans doc/ME-ID-terminology doc/PPS-catcher-FSM doc/Sniffer-FPGA-design doc/Sniffing-hw-setup doc/Sniffing-workflow |
diffstat | 6 files changed, 54 insertions(+), 51 deletions(-) [+] |
line wrap: on
line diff
--- a/doc/Cardem-plans Thu Sep 21 05:00:50 2023 +0000 +++ b/doc/Cardem-plans Thu Sep 21 06:31:34 2023 +0000 @@ -1,6 +1,6 @@ -The long-term goal of SIMtrace3 project is to support both SIM interface -sniffing and card emulation. Both functions are needed when working in the -realm of Vintage Mobile Phones: +The long-term goal of FreeCalypso SIMtrace replacement project is to support +both SIM interface sniffing (SIMsniff) and card emulation (SIMemu). Both +functions are needed when working in the realm of Vintage Mobile Phones: * Non-invasive, Heisenbug-free Hi-Z sniffing is needed in order to see why certain phone-to-SIM combinations work while others don't, and to see exactly @@ -13,30 +13,30 @@ like. However, in terms of scheduling priority, all of our initial work focuses on -the sniffer, with cardem deferred to some indefinite later time. We do, -however, have a preliminary idea of how we envision cardem working: +the sniffer, with SIMemu (cardem) deferred to some indefinite later time. We +do, however, have a preliminary idea of how we envision card emulation working: -* Hardware setups will be different between sniffing and cardem. Our initial +* Hardware setups will be different between SIMsniff and SIMemu. Our initial objective is to produce a solidly usable, production quality sniffer pod, described as HW setup version 2 in the Sniffing-hw-setup article. As the name says, this pod will be for sniffing only. For card emulation there will - be a different cardem pod. + be a different SIMemu pod. -* The cardem pod will be similar to the sniffer pod, with just two changes: +* The SIMemu pod will be similar to the SIMsniff pod, with just two changes: - We'll add a 74LVC1G07 OD driver for pulling the I/O line low in exactly the same way how real SIM cards do it; - - The SIM socket will be eliminated from the cardem pod, to eliminate any - possibility of a real SIM and cardem "fighting" to talk back to the same + - The SIM socket will be eliminated from the SIMemu pod, to eliminate any + possibility of a real SIM and SIMemu "fighting" to talk back to the same ME/ID. -* FPGA gateware will also be different between sniffing and cardem. The cardem +* FPGA gateware will also be different between SIMsniff and SIMemu. The SIMemu design is expected to be more complex and use more FPGA resources, but there is a good chance it will still fit into iCE40-HX1K FPGA and thus allow us to keep using the same Icestick board. -* Right now we have no plans to stick a soft CPU core into the FPGA for cardem, +* Right now we have no plans to stick a soft CPU core into the FPGA for SIMemu, instead the plan is to use the same principal architecture as the sniffer FPGA, using the UART channel at 3 Mbps to communicate with the host - although this time this UART will be used bidirectionally.
--- a/doc/ME-ID-terminology Thu Sep 21 05:00:50 2023 +0000 +++ b/doc/ME-ID-terminology Thu Sep 21 06:31:34 2023 +0000 @@ -1,4 +1,5 @@ What term should we use for the active device that drives the ISO 7816-3 electrical interface to a SIM card? GSM specs use the term ME, while ISO 7816-3 -spec uses the term "interface device". In SIMtrace3 documentation we sometimes -use our own abbreviation ME/ID to refer to either conceptual entity. +spec uses the term "interface device". In FreeCalypso SIMsniff documentation +we sometimes use our own abbreviation ME/ID to refer to either conceptual +entity.
--- a/doc/PPS-catcher-FSM Thu Sep 21 05:00:50 2023 +0000 +++ b/doc/PPS-catcher-FSM Thu Sep 21 06:31:34 2023 +0000 @@ -1,5 +1,5 @@ This document describes the PPS catcher state machine that has been implemented -in the SIMtrace3 sniffer FPGA, using a sort of verbal pseudocode. +in the FPGA part of FreeCalypso SIMsniff, using a sort of verbal pseudocode. INITIAL:
--- a/doc/Sniffer-FPGA-design Thu Sep 21 05:00:50 2023 +0000 +++ b/doc/Sniffer-FPGA-design Thu Sep 21 06:31:34 2023 +0000 @@ -1,11 +1,11 @@ -FPGA component of SIMtrace3 sniffer -=================================== +FPGA component of FreeCalypso SIMsniff +====================================== -The SIM interface sniffing apparatus of SIMtrace3 consists of a sniffer pod -(hardware adapter with level shifters) and a Lattice Icestick FPGA board, loaded -with the appropriate gateware image from the present project. This document -describes the design and operation of the FPGA component of this SIMtrace3 -sniffing solution. +The present FreeCalypso solution for SIM interface sniffing consists of a +sniffer pod (hardware adapter with level shifters) and a Lattice Icestick FPGA +board, loaded with the appropriate gateware image from the present project. +This document describes the design and operation of the FPGA component of +FC SIMsniff. Hardware architecture and FPGA design principle =============================================== @@ -178,11 +178,12 @@ Only the card and not the interface device (ISO 7816-3 terminology) determines which coding convention is used, direct or inverse. So far we (FreeCalypso) have not yet encountered a real-life SIM that uses the inverse convention, only -the direct convention kind. In the sniffer function of SIMtrace-ice, we are -going to keep our FPGA gateware simple in this regard and punt all inverse -convention handling to the software application on the host computer: the FPGA -passes the 9 received bits (8 data bits and 1 parity bit) to the 16-bit UART -message as-is, without inverting or reordering them. +the direct convention kind. The approach taken in FC SIMsniff is that the FPGA +is mostly (except for the integrated PPS catcher) oblivious to the coding +convention: it passes the 9 received bits (8 data bits and 1 parity bit) to the +16-bit UART message as-is, without inverting or reordering them. The coding +convention and the parity check are then handled in simsniff-dec host +application. Integrated PPS catcher ====================== @@ -229,7 +230,7 @@ receiver block, such as original Osmocom SIMtrace in which the local CPU core and the ISO 7816-3 receiver sit in the same AT91SAMx chip, don't suffer from this problem: with a local (dedicated, embedded) CPU so close, the firmware can -react and intervene in time. However, in the case of our SIMtrace3, the nearest +react and intervene in time. However, in the case of FC SIMsniff, the nearest CPU is the host computer separated by UART and USB links - not closely coupled enough to provide the degree of real-time response that is needed here. Someone could say that we should stick a soft CPU core with firmware into our FPGA - but
--- a/doc/Sniffing-hw-setup Thu Sep 21 05:00:50 2023 +0000 +++ b/doc/Sniffing-hw-setup Thu Sep 21 06:31:34 2023 +0000 @@ -1,5 +1,5 @@ -The hardware setup for SIM sniffing with SIMtrace3 consists of the following -components: +The hardware setup for SIM interface sniffing with FC SIMsniff consists of the +following components: * The same SIMtrace FPC cables (going from a SIM socket to the 6-pin FPC connector) that were originally developed for SIMtrace1/2 and are sold by @@ -48,11 +48,11 @@ supply logic voltage level translator IC, powered from SIM_VCC on its A side and from Icestick board +3.3V rail on its B side. -The mv-sniffer PCB is currently on its way to FreeCalypso HQ from the PCB fab -in China, and once the PCB arrives, assembly will require another trip to -Technotronix. Once we have this board assembled, we should have a working -SIMtrace3 sniffing path that is fully compatible with all 3 voltage classes, -per the original intent of SIMtrace3 project. +The mv-sniffer PCB has been fabricated and received at FreeCalypso HQ, but we +still need to get it assembled, which will require at least one trip to +Technotronix, or maybe even two trips. Once we have this board assembled, we +should have a working SIM sniffing path that is fully compatible with all 3 +voltage classes, per the original intent of FC SIMsniff project. HW setup version 2 ================== @@ -63,9 +63,10 @@ quite inconvenient because of the number of pieces required - clutter on the lab bench - plus poor electrical design with jumper wires between the two boards extending the electrical length of the SIM bus before the LVC buffer. In the -fully polished version of SIMtrace3, these two adapter boards will need to be -combined into one. The final SIMtrace3 sniffer pod is expected to be a single -board (still very simple and low cost) featuring the following components: +fully polished version of FC SIMsniff, these two adapter boards will need to be +combined into one. The final FreeCalypso SIMsniff pod is expected to be a +single board (still very simple and low cost) featuring the following +components: 1) SIMtrace FPC connector 2) SIM socket
--- a/doc/Sniffing-workflow Thu Sep 21 05:00:50 2023 +0000 +++ b/doc/Sniffing-workflow Thu Sep 21 06:31:34 2023 +0000 @@ -1,7 +1,7 @@ -Workflow for SIM sniffing with SIMtrace3 -======================================== +Workflow for SIM interface sniffing with FC SIMsniff +==================================================== -To sniff ME-to-SIM communication with SIMtrace3, follow this workflow: +To sniff ME-to-SIM communication with FC SIMsniff, follow this workflow: * Assemble the hardware as described in the Sniffing-hw-setup article, and program the serial flash chip on the Icestick board with our sniffer FPGA @@ -20,9 +20,9 @@ with the Icestick oriented horizontally, upper and lower red LEDs on, left and right red LEDs off, center green LED off. -* Run simtrace3-sniff-rx as follows: +* Run simsniff-rx as follows: - simtrace3-sniff-rx /dev/ttyUSBx logfile + simsniff-rx /dev/ttyUSBx logfile The /dev/ttyUSBx device needs to be the one corresponding to FT2232H Channel B on the Icestick board, and you need to specify the name of the log file to be @@ -31,21 +31,21 @@ * Power on the phone, or otherwise cause the ME to bring up its SIM interface. Once the ME applies power to its SIM interface and raises its RST output, the green LED should light on the Icestick, and you should see an stdout message - from simtrace3-sniff-rx that reads "SIM RST is high". + from simsniff-rx that reads "SIM RST is high". * When you power off the phone or cause the modem to shut down its SIM interface - with AT+CFUN=0, the green LED will go out and simtrace3-sniff-rx will print + with AT+CFUN=0, the green LED will go out and simsniff-rx will print "SIM RST is low" on stdout. You can kill the process now, or you can kill it earlier once you've captured enough - but you do need to start each sniffing session from the beginning. -When you run simtrace3-sniff-rx with a logfile argument as recommended above, -there will be very little output on stdout - just SIM RST transition messages -indicating start and end of SIM interface sessions - while all other output gets -written to the log file. +When you run simsniff-rx with a logfile argument as recommended above, there +will be very little output on stdout - just SIM RST transition messages +indicating start and end of SIM interface sessions - while all other output +gets written to the log file. -The main output of simtrace3-sniff-rx - written to the log file if specified or -to stdout otherwise - is very low-level and very voluminuous. Each line +The main output of simsniff-rx - written to the log file if specified or to +stdout otherwise - is very low-level and very voluminuous. Each line corresponds to just one character in the ISO 7816-3 sense passing across the SIM interface, and is logged as the raw 16-bit value received from the FPGA, as described in the Sniffer-FPGA-design document. This low-level logging format