FC SIMsniff works in first prototype version

Mychaela Falconia falcon at freecalypso.org
Wed Oct 4 21:14:20 UTC 2023


Hello SIMtrace enthusiasts,

As mentioned previously on various occasions, FreeCalypso SIMsniff is
a hardware+FPGA+software solution I put together to serve as a partial
replacement for Osmocom SIMtrace.  I call it a partial rather than
complete replacement for SIMtrace because the piece which I consider
to be the essence of SIMtrace (the Sysmocom-made, webshop-sold piece
that goes into the phone's SIM socket) stays the same in my SIMsniff
solution, only the active component changes: instead of using a
SIMtrace1 or SIMtrace2 board, I use my own little hw contraption
(currently a mess, needs to be simplified) to sniff and level-shift
the electrical signals, followed by an iCE40 FPGA for ISO 7816-3
character sniffing.  The whole project lives here:

https://www.freecalypso.org/hg/fc-sim-sniff/

Earlier this week I got the last required hw piece assembled (the
mv-sniffer board that hosts my choice of level shifter IC, Nexperia
74LVC4T3144), and I am happy to report that the whole solution works
as designed!  The two principal design objectives, which are also
principal differences from SIMtrace1/2, are as follows:

* Make a strictly non-invasive Hi-Z connection to the SIM bus being
  traced or sniffed, without Heisenbug-inducing pull resistors or
  switches or other artifacts;

* Hi-Z-sniff ME-to-SIM interfaces that can operate at any voltage from
  1.8V to 5V.

With my current messy hw setup of two tiny boards (sim-fpc-pasv and
mv-sniffer) inserted between the original SIMtrace FPC cable and the
Icestick FPGA board, the just-stated objectives are met: I can
successfully sniff ME-to-SIM sessions at all 3 voltage classes,
*without* the tracing apparatus altering any electrical aspects of the
interface under study in any way.  Here are some examples of what
SIMsniff trace logs look like:

https://www.freecalypso.org/members/falcon/SIMsniff-traces/

The 3 log files in the above directory are:

2190-fcsim1.log:    Nokia 2190E talking to FCSIM1
2190-sjs1.log:      Nokia 2190E talking to sysmoUSIM-SJS1
fcdev3b-sjs1.log:   FCDEV3B (standard fw) talking to sysmoUSIM-SJS1

Nokia 2190E always puts out 5V toward the SIM, hence those two logs
are proof of working 5V sniffing.  Calypso+Iota chipset supports 3V
and 1.8V and FreeCalypso fw talks to the SIM at 1.8V by default, thus
the last log is proof of working 1.8V sniffing.  The last log also
exhibits switching from F/D=372 to F/D=64 (F=512 D=8), demonstrating
how my sniffer FPGA handles such sessions.
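As an added illustration (not code from fc-sim-sniff or from the author), the following decodes the ISO 7816-3 TA1 ATR byte into F and D and derives the F/D ratio, i.e. the number of SIM CLK cycles per bit that a sniffer has to follow once a PPS exchange has moved the session off the default F/D=372; the 3.5712 MHz clock used for the bit-rate printout is a constructed value, since the FPGA counts CLK edges and never needs to know the absolute frequency.

```python
# Added example (not part of fc-sim-sniff): decode the ISO 7816-3 TA1 byte of an
# ATR into F (clock rate conversion) and D (baud rate adjustment) and derive the
# F/D ratio, which is the number of SIM CLK cycles in one elementary time unit.

# Fi table, ISO 7816-3 Table 7 (index = high nibble of TA1); None marks RFU codes.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
            None, 512, 768, 1024, 1536, 2048, None, None]
# Di table, ISO 7816-3 Table 8 (index = low nibble of TA1); None marks RFU codes.
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20,
            None, None, None, None, None, None]


def decode_ta1(ta1: int) -> tuple[int, int]:
    """Return (F, D) encoded by a TA1 byte; reject reserved codes."""
    if not 0 <= ta1 <= 0xFF:
        raise ValueError("TA1 must be a single byte")
    f = FI_TABLE[ta1 >> 4]
    d = DI_TABLE[ta1 & 0x0F]
    if f is None or d is None:
        raise ValueError(f"TA1 0x{ta1:02X} uses a reserved Fi/Di code")
    return f, d


def etu_clocks(f: int, d: int) -> float:
    """One ETU (one bit on the I/O line) measured in SIM CLK cycles: F/D."""
    return f / d


def bit_rate(f: int, d: int, clk_hz: float) -> float:
    """Bits per second on the I/O line for a given SIM clock frequency."""
    return clk_hz * d / f


if __name__ == "__main__":
    # Default before any PPS is F=372, D=1 (TA1 0x11): 372 clocks per ETU.
    # The fcdev3b-sjs1 trace switches to F=512, D=8, i.e. TA1 0x94: 64 clocks per ETU.
    clk = 3.5712e6  # constructed example clock; only the F/D ratio matters to a sniffer
    for ta1 in (0x11, 0x94):
        f, d = decode_ta1(ta1)
        print(f"TA1=0x{ta1:02X}: F={f} D={d} F/D={etu_clocks(f, d):g} "
              f"-> {bit_rate(f, d, clk):.0f} bit/s at {clk / 1e6:.4f} MHz")
```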

These are very raw, low-level trace logs: each line in the log file is
one 16-bit word received from the FPGA, corresponding to one character
(in the ISO 7816-3 sense) captured on the SIM-ME interface.  More
details here:

https://www.freecalypso.org/hg/fc-sim-sniff/file/tip/doc/Sniffer-FPGA-design

To get a human-readable trace of ME-to-SIM interface activity, each
raw log needs to be passed through higher-level decoding utility
simsniff-dec, residing in fc-sim-sniff Hg repository.  I invite
interested parties to compile that utility, run it on the raw log
files I posted, and see what kind of trace logs you then get for human
study.

Note of course my very different technology preferences: I don't use
Wireshark, hence I never developed any tools for feeding SIM interface
traces into that world, and I never succeeded in getting the current
incarnation of pySim to run on my system (too much dependency hell,
and Python is too alien to me), hence no integration with pySim-trace.py
either.  But just because I haven't developed those pieces doesn't mean
that no one else can!  If anyone in the wider Osmocom+FC community
superset likes what I did in electrical terms, but also likes the
original Osmocom SIMtrace high-level sw design better than my
concoction, you should be able to take my simsniff-rx program (the one
that receives traces from the FPGA by way of FT2232H UART channel) and
modify it to emit traces in a way that fits into Osmocom SIMtrace sw
paradigm - why not?

The hardware part also needs polishing: the current arrangement of
separate sim-fpc-pasv and mv-sniffer boards connected with jumper wires
is a mess.  My plan is to make a proper FC SIMsniff "pod" board: put
the SIMtrace FPC connector, a physical SIM socket, 2.54 mm headers for
o'scope probing and the 74LVC4T3144 buffer on the same PCB, interconnected
together on the "SIM bus" side, plus a 6-pin header on the 'B' side of
74LVC4T3144 for connecting to the Icestick FPGA board.  I am also now
thinking (counter to my original plans) about making a combined
SIMsniff+SIMemu pod, i.e., making just one hw setup that can work for
either sniffing or card emulation by loading different FPGA gateware
and opening/closing a jumper on the "pod" board.

How does card emulation fit into my SIMsniff hw architecture?  Answer:
it will be almost the same as sniffing, with only one little hw
component (an OD driver IC) added.  The same hw path that passively
sniffs SIM RST, CLK and I/O lines (via 74LVC4T3144) will also work for
cardem, but one more component needs to be added: a 74LVC1G07 OD buffer,
driven by an FPGA output, with the output side of this OD buffer
connected to the physical SIM I/O line.  The only active driving done
by real SIM cards is driving the I/O line low in the manner of an OD
output, there is no high drive (the pull-up resistor in the ME is
responsible for making the line go high), and on all other interface
lines the SIM only receives - hence the combination of a Hi-Z receiver
like current SIMsniff plus an OD driver on the I/O line would be a
fully proper emulation of a real SIM card.

My original hesitation against combining SIMsniff and SIMemu pods into
one was that I don't like the idea of the OD driver turning on by
mistake (wrong FPGA loaded perhaps) and fighting with the physical SIM
card in the socket.  But my current plan is to insert a jumper (or
more precisely, a pair of 2.54 mm header pins onto which a shorting
block may be placed) between the "SIM bus" I/O line and the output pin
of 74LVC1G07 OD buffer: this way if you insert a physical SIM into the
socket for tracing, remove the jumper, and if you leave the SIM socket
empty for cardem, install the jumper.  Why jumper and not a little
slide switch?  With the switch there would be the extra cognitive load
of looking at the switch carefully and remembering which position is
which, whereas presence or absence of a shorting jumper on a pair of
pins is an immediate, almost subconscious visual indicator.

Any feedback ideas would be appreciated.  When I design my new
SIMsniff+SIMemu "pod" board, I would like to make a large-ish batch
(maybe 20 boards), thus it would be really nice if the same hardware
could be made palatable to both FC and Osmocom communities.

Hasta la Victoria, Siempre,
Mychaela aka The Mother
