FreeCalypso > hg > fc-sim-sniff

comparison doc/Sniffing-workflow @ 37:432d756a21f1

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
doc/Sniffing-workflow: document written
author Mychaela Falconia <falcon@freecalypso.org>
date Wed, 30 Aug 2023 03:03:04 +0000
parents
children 1068f9fd41d5
comparison
equal deleted inserted replaced
36:f1c3dd2173d3 37:432d756a21f1
1 Workflow for SIM sniffing with SIMtrace3
2 ========================================
3
4 To sniff ME-to-SIM communication with SIMtrace3, follow this workflow:
5
6 * Assemble the hardware as described in the Sniffing-hw-setup article, and
7 program the serial flash chip on the Icestick board with our sniffer FPGA
8 image. You will need to use iceprog utility from IceStorm suite for the
9 latter part.
10
11 * Make sure that the ME is still able to talk to the SIM going through the
12 additional plumbing. Only the parts up to sim-fpc-pasv matter here: the
13 mv-sniffer adapter and the Icestick board can be disconnected and unpowered,
14 yet the ME should still see the SIM inserted into the socket on the
15 sim-fpc-pasv board.
16
17 * When you are ready to start sniffing, complete all hw connections per the
18 desired hw setup you are following and plug the Icestick board into your PC
19 or laptop. With our sniffer FPGA image, the initial LED pattern should be:
20 with the Icestick oriented horizontally, upper and lower red LEDs on, left
21 and right red LEDs off, center green LED off.
22
23 * Run simtrace3-sniff-rx as follows:
24
25 simtrace3-sniff-rx /dev/ttyUSBx logfile
26
27 The /dev/ttyUSBx device needs to be the one corresponding to FT2232H Channel B
28 on the Icestick board, and you need to specify the name of the log file to be
29 written.
30
31 * Power on the phone, or otherwise cause the ME to bring up its SIM interface.
32 Once the ME applies power to its SIM interface and raises its RST output, the
33 green LED should light on the Icestick, and you should see an stdout message
34 from simtrace3-sniff-rx that reads "SIM RST is high".
35
36 * When you power off the phone or cause the modem to shut down its SIM interface
37 with AT+CFUN=0, the green LED will go out and simtrace3-sniff-rx will print
38 "SIM RST is low" on stdout. You can kill the process now, or you can kill it
39 earlier once you've captured enough - but you do need to start each sniffing
40 session from the beginning.
41
42 When you run simtrace3-sniff-rx with a logfile argument as recommended above,
43 there will be very little output on stdout - just SIM RST transition messages
44 indicating start and end of SIM interface sessions - while all other output gets
45 written to the log file.
46
47 The main output of simtrace3-sniff-rx - written to the log file if specified or
48 to stdout otherwise - is very low-level and very voluminuous. Each line
49 corresponds to just one character in the ISO 7816-3 sense passing across the
50 SIM interface, and is logged as the raw 16-bit value received from the FPGA, as
51 described in the Sniffer-FPGA-design document. This low-level logging format
52 makes it possible to troubleshoot phone-to-SIM compatibility problems at the
53 lowest level: microsecond timestamps allow you to see how long the SIM takes to
54 respond with each byte, and you can see all procedure bytes below the level of
55 APDU exchanges. Did the card ask for data transfer in one swoop or one byte at
56 a time? Did it use any stalling bytes, and how many? All of these lowest-level
57 details might matter when trying to solve the mystery of why vintage phone model
58 ABC seemingly-inexplicably refuses to work with SIM card model XYZ!
59
60 There will also be a higher-level decoding program, tentatively named
61 simtrace3-sniff-dec. This program will read log files written by
62 simtrace3-sniff-rx and decode them into slightly-higher-level elements as in
63 ATR, PPS exchanges, command headers, data transfers and status bytes.