view doc/Sniffing-hw-setup @ 58:95ed46b5f8f1 default tip
doc/Sniffing-hw-setup: mv-sniffer is here
| author | Mychaela Falconia <falcon@freecalypso.org> | 
|---|---|
| date | Wed, 04 Oct 2023 05:55:09 +0000 | 
| parents | 8a3003860cf8 | 
The hardware setup for SIM interface sniffing with FC SIMsniff consists
of the following components:

* The same SIMtrace FPC cables (going from a SIM socket to the 6-pin FPC
  connector) that were originally developed for SIMtrace1/2 and are sold
  by Sysmocom;

* An off-the-shelf Lattice Icestick FPGA board (sold by Digi-Key, for
  example) that has been outfitted with header pins: the board ships
  with empty PTHs (plated through holes) at J1, hence a small soldering
  job is required to populate this header;

* Some in-between components described below.

For the in-between components of the last bullet point above, there are
3 possibilities, each described in its own section below.

HW setup version 1
==================
(works today)

In this solution there are two little ad hoc boards sitting between the
SIMtrace FPC cable and the Icestick board:

* sim-fpc-pasv board produced in the fall of 2022
* mv-sniffer board produced in the fall of 2023

The first board (sim-fpc-pasv) passively interconnects an FPC connector
for SIMtrace cables, a physical SIM socket and a bunch of 2.54 mm header
pins, bringing out all lines of the SIM-ME electrical interface.  This
board was originally produced a year ago for the purpose of observing
SIM voltages and clocks with an oscilloscope.

The second board adds one active component: Nexperia 74LVC4T3144 dual
supply logic voltage level translator IC, powered from SIM_VCC on its
A side and from Icestick board +3.3V rail on its B side.  The buffer IC
receives (sniffs) the SIM-ME electrical interface at whichever voltage
the ME puts out (everything from 1.8V to 5V is accepted) and puts out
the same signals at the fixed logic voltage level needed by the FPGA on
the Icestick; the FPGA then sniffs the ISO 7816-3 protocol just above
the electrical level.

Wire assignments for this HW setup
----------------------------------

A 6-wire ribbon cable, cut from a standard multicolor ribbon cable spool
and outfitted with custom crimped connectors, is used to make the
connection between sim-fpc-pasv and mv-sniffer boards.  Wire color
assignments in this ad hoc connection cable are:

Wire            SIM interface pin
---------------------------------
brown           VCC
red             RST
orange          CLK
yellow          GND
green           GND
blue            I/O

HW setup version 2
==================
(a little more distant, but will be needed before wider spread)

The solution with separate sim-fpc-pasv and mv-sniffer boards is quite
inconvenient because of the number of pieces required - clutter on the
lab bench - plus poor electrical design with jumper wires between the
two boards extending the electrical length of the SIM bus before the
LVC buffer.  In the fully polished version of FC SIMsniff, these two
adapter boards will need to be combined into one.

The final FreeCalypso SIMsniff pod is expected to be a single board
(still very simple and low cost) featuring the following components:

1) SIMtrace FPC connector
2) SIM socket
3) 74LVC4T3144 buffer IC
4) SIM bus solidly connected between components 1, 2 and 3
5) A header for FPGA board connection, wired to the 'B' side of
   component 3

HW setup version 0 (historical)
===============================

In the beginning of FC SIMsniff project, there was no new custom
hardware - but we did have our sim-fpc-pasv board from a year ago, and
we got the Icestick board outfitted with header pins.  Our first hw
setup thus consisted of jumper wires connecting from FPGA I/O pins
(plus Icestick GND) directly to SIM bus pins on the sim-fpc-pasv
adapter.

This hw setup could not be used for any real SIM-ME sniffing: a class A
(5V) ME would destroy the FPGA (grossly exceeds Absolute Maximum
Ratings), while class C (1.8V) operation produced by all newer ME (from
Calypso+Iota onward) cannot be picked up directly by the FPGA as the
high logic level falls right between Vil_max and Vih_min, causing the
FPGA to receive garbage.  However, this setup worked with FCDEV3B
forced into class B operation, and was used to develop our FPGA logic
and prove it working before the arrival of mv-sniffer board.
