Hello SIMtrace enthusiasts,

As mentioned previously on various occasions, FreeCalypso SIMsniff is a hardware+FPGA+software solution I put together to serve as a partial replacement for Osmocom SIMtrace. I call it a partial rather than complete replacement for SIMtrace because the piece which I consider to be the essence of SIMtrace (the Sysmocom-made, webshop-sold piece that goes into the phone's SIM socket) stays the same in my SIMsniff solution, only the active component changes: instead of using a SIMtrace1 or SIMtrace2 board, I use my own little hw contraption (currently a mess, needs to be simplified) to sniff and level-shift the electrical signals, followed by an iCE40 FPGA for ISO 7816-3 character sniffing. The whole project lives here:

https://www.freecalypso.org/hg/fc-sim-sniff/

Earlier this week I got the last required hw piece assembled (the mv-sniffer board that hosts my choice of level shifter IC, Nexperia 74LVC4T3144), and I am happy to report that the whole solution works as designed!

The two principal design objectives, which are also principal differences from SIMtrace1/2, are as follows:

* Make a strictly non-invasive Hi-Z connection to the SIM bus being traced or sniffed, without Heisenbug-inducing pull resistors or switches or other artifacts;
* Hi-Z-sniff ME-to-SIM interfaces that can operate at any voltage from 1.8V to 5V.

With my current messy hw setup of two tiny boards (sim-fpc-pasv and mv-sniffer) inserted between the original SIMtrace FPC cable and the Icestick FPGA board, the just-stated objectives are met: I can successfully sniff ME-to-SIM sessions at all 3 voltage classes, *without* the tracing apparatus altering any electrical aspects of the interface under study in any way.

Here are some examples of what SIMsniff trace logs look like:

https://www.freecalypso.org/members/falcon/SIMsniff-traces/

The 3 log files in the above directory are:

2190-fcsim1.log: Nokia 2190E talking to FCSIM1
2190-sjs1.log: Nokia 2190E talking to sysmoUSIM-SJS1
fcdev3b-sjs1.log: FCDEV3B (standard fw) talking to sysmoUSIM-SJS1

Nokia 2190E always puts out 5V toward the SIM, hence those two logs are proof of working 5V sniffing. Calypso+Iota chipset supports 3V and 1.8V and FreeCalypso fw talks to the SIM at 1.8V by default, thus the last log is proof of working 1.8V sniffing. The last log also exhibits switching from F/D=372 to F/D=64 (F=512 D=8), demonstrating how my sniffer FPGA handles such sessions.

These are very raw, low-level trace logs: each line in the log file is one 16-bit word received from the FPGA, corresponding to one character (in the ISO 7816-3 sense) captured on the SIM-ME interface. More details here:

https://www.freecalypso.org/hg/fc-sim-sniff/file/tip/doc/Sniffer-FPGA-design

To get a human-readable trace of ME-to-SIM interface activity, each raw log needs to be passed through the higher-level decoding utility simsniff-dec, residing in the fc-sim-sniff Hg repository. I invite interested parties to compile that utility, run it on the raw log files I posted, and see what kind of trace logs you then get for human study.

Note of course my very different technology preferences: I don't use Wireshark, hence I never developed any tools for feeding SIM interface traces into that world, and I never succeeded in getting the current incarnation of pySim to run on my system (too much dependency hell, and Python is too alien to me), hence no integration with pySim-trace.py either. But just because I haven't developed those pieces doesn't mean that no one else can! If anyone in the wider Osmocom+FC community superset likes what I did in electrical terms, but also likes the original Osmocom SIMtrace high-level sw design better than my concoction, you should be able to take my simsniff-rx program (the one that receives traces from the FPGA by way of the FT2232H UART channel) and modify it to emit traces in a way that fits into the Osmocom SIMtrace sw paradigm - why not?

The hardware part also needs polishing: the current arrangement of separate sim-fpc-pasv and mv-sniffer boards connected with jumper wires is a mess. My plan is to make a proper FC SIMsniff "pod" board: put the SIMtrace FPC connector, a physical SIM socket, 2.54 mm headers for o'scope probing and the 74LVC4T3144 buffer on the same PCB, interconnected together on the "SIM bus" side, plus a 6-pin header on the 'B' side of 74LVC4T3144 for connecting to the Icestick FPGA board.
I am also now thinking (counter to my original plans) about making a combined SIMsniff+SIMemu pod, i.e., making just one hw setup that can work for either sniffing or card emulation by loading different FPGA gateware and opening/closing a jumper on the "pod" board.

How does card emulation fit into my SIMsniff hw architecture? Answer: it will be almost the same as sniffing, with only one little hw component (an OD driver IC) added. The same hw path that passively sniffs SIM RST, CLK and I/O lines (via 74LVC4T3144) will also work for cardem, but one more component needs to be added: a 74LVC1G07 OD buffer, driven by an FPGA output, with the output side of this OD buffer connected to the physical SIM I/O line. The only active driving done by real SIM cards is driving the I/O line low in the manner of an OD output; there is no high drive (the pull-up resistor in the ME is responsible for making the line go high), and on all other interface lines the SIM only receives - hence the combination of a Hi-Z receiver like current SIMsniff plus an OD driver on the I/O line would be a fully proper emulation of a real SIM card.

My original hesitation against combining SIMsniff and SIMemu pods into one was that I don't like the idea of the OD driver turning on by mistake (wrong FPGA loaded perhaps) and fighting with the physical SIM card in the socket. But my current plan is to insert a jumper (or more precisely, a pair of 2.54 mm header pins onto which a shorting block may be placed) between the "SIM bus" I/O line and the output pin of the 74LVC1G07 OD buffer: this way, if you insert a physical SIM into the socket for tracing, remove the jumper, and if you leave the SIM socket empty for cardem, install the jumper. Why a jumper and not a little slide switch?
With the switch there would be the extra cognitive load of looking at the switch carefully and remembering which position is which, whereas the presence or absence of a shorting jumper on a pair of pins is an immediate, almost subconscious visual indicator.

Any feedback or ideas would be appreciated. When I design my new SIMsniff+SIMemu "pod" board, I would like to make a large-ish batch (maybe 20 boards), thus it would be really nice if the same hardware could be made palatable to both FC and Osmocom communities.

Hasta la Victoria, Siempre,
Mychaela aka The Mother

_______________________________________________
Community mailing list
Community@freecalypso.org
https://www.freecalypso.org/mailman/listinfo/community
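A worked decoder for the F/D switch the post mentions, added here as an example (not code from the post or from the fc-sim-sniff repository): it parses the ISO 7816-3 PPS exchange with which an ME proposes new Fi/Di values, checks the PCK, and reports the character timing in force afterwards, which is exactly what a trace decoder must track when a session leaves F/D=372 for F=512, D=8. The sample frames are constructed, not captured traffic.

```python
# Added example, not code from the post or fc-sim-sniff: decode an ISO 7816-3
# PPS exchange and derive the character timing a trace decoder must switch to
# when a session leaves the default F/D=372 (e.g. for F=512, D=8, F/D=64).
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}   # ISO 7816-3 Fi codes
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}  # Di codes
DEFAULT_F, DEFAULT_D = 372, 1


def parse_pps(frame: bytes) -> dict:
    """Parse one PPS request or response; raise ValueError if malformed."""
    if len(frame) < 3 or frame[0] != 0xFF:
        raise ValueError("PPS must start with PPSS=0xFF and carry PPS0 and PCK")
    pps0 = frame[1]
    # Bits b5..b7 of PPS0 announce the optional PPS1..PPS3; low nibble is T.
    expected_len = 3 + bin(pps0 & 0x70).count("1")
    if len(frame) != expected_len:
        raise ValueError(f"PPS0=0x{pps0:02X} implies {expected_len} bytes, got {len(frame)}")
    xor = 0
    for b in frame:          # PCK is chosen so the XOR of all bytes is zero
        xor ^= b
    if xor != 0:
        raise ValueError("PCK check failed")
    result = {"protocol": pps0 & 0x0F, "F": DEFAULT_F, "D": DEFAULT_D}
    if pps0 & 0x10:          # PPS1 present: upper nibble Fi, lower nibble Di
        fi, di = frame[2] >> 4, frame[2] & 0x0F
        if fi not in FI_TABLE or di not in DI_TABLE:
            raise ValueError(f"PPS1=0x{frame[2]:02X} uses an RFU Fi/Di code")
        result["F"], result["D"] = FI_TABLE[fi], DI_TABLE[di]
    return result


def negotiated_timing(request: bytes, response: bytes) -> dict:
    """F, D and clock cycles per ETU in force after the exchange: the card
    accepts by echoing the request byte for byte; a response without PPS1
    keeps the default F and D (ISO 7816-3, 6.3.2)."""
    req = parse_pps(request)
    parse_pps(response)      # validates structure and PCK of the reply too
    if response == request:
        f, d = req["F"], req["D"]
    elif not (response[1] & 0x10):
        f, d = DEFAULT_F, DEFAULT_D
    else:
        raise ValueError("response is neither an echo nor a PPS1-less fallback")
    return {"F": f, "D": d, "etu_clocks": f / d}


# Constructed sample frames, not captured traffic: FF 10 94 7B proposes T=0 with
# Fi=9 (F=512) and Di=4 (D=8); PCK 0x7B = 0xFF ^ 0x10 ^ 0x94.
PPS_REQUEST = bytes.fromhex("FF10947B")
PPS_ACCEPTED = negotiated_timing(PPS_REQUEST, PPS_REQUEST)             # F/D = 64
PPS_DECLINED = negotiated_timing(PPS_REQUEST, bytes.fromhex("FF00FF"))  # stays 372
```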