Use the '-h' command line option to get a list of all options.
</p>
<p class="toppic">
<a name="sniff"></a>
Sniffing SIM Card
</p>
<p>
To run the sniffer, use the "sniff" keyword at the end of the command line.
You only need to connect the card's I/O line to the RX line of your serial interface (and ground, of course).
Use the '-s' option to select the serial interface:
</p>
<pre>
# src/sim/cnetz_sim -s /dev/ttyUSB0 sniff
sniffer.c: 602 info : ----------------------------------------
sniffer.c: 609 info : Reading ATR normal bit order:
sniffer.c: 547 info : TD1 T=14: Refers to transmission protocols not standardized by ISO/IEC JTC 1/SC 17.
sniffer.c: 590 info : ----------------------------------------
sniffer.c: 547 info : TD2 T=14: Refers to transmission protocols not standardized by ISO/IEC JTC 1/SC 17.
sniffer.c: 590 info : ----------------------------------------
sniffer.c: 418 info : TA3 fsmin = 3 MHz
sniffer.c: 433 info : TA3 fsmax = 5 MHz (Default)
sniffer.c: 470 info : TB3 Maximum block size = 42
sniffer.c: 516 info : TC3 Character Waiting Time = 3
sniffer.c: 547 info : TD3 T=14: Refers to transmission protocols not standardized by ISO/IEC JTC 1/SC 17.
sniffer.c: 590 info : ----------------------------------------
sniffer.c: 440 info : TA4 Block Waiting Time = 4
sniffer.c: 590 info : ----------------------------------------
sniffer.c: 595 info : History byte #1: 0x92
sniffer.c: 595 info : History byte #2: 0x80
sniffer.c: 595 info : History byte #3: 0x00
sniffer.c: 595 info : History byte #4: 0x41
sniffer.c: 595 info : History byte #5: 0x32
sniffer.c: 595 info : History byte #6: 0x36
sniffer.c: 595 info : History byte #7: 0x01
sniffer.c: 595 info : History byte #8: 0x11
sniffer.c: 690 info : Checksum 0xe4 ok.
sniffer.c: 697 info : ATR done!
sniffer.c: 715 info : ----------------------------------------
sniffer.c: 734 info : Layer 2:
sniffer.c: 735 info : source 3 -> to 1
sniffer.c: 737 info : control I: N(S)=0 N(R)=0
sniffer.c: 744 info : length 15
sniffer.c: 203 info : Interface control layer ICB1:
sniffer.c: 207 info : ON-LINE-BIT: 0 = Off-line data
sniffer.c: 211 info : CONFIRM-BIT: 0 = No meaning
sniffer.c: 213 info : MASTER/SLAVE-BIT: 1 = Sender is master
sniffer.c: 219 info : WT-EXTENSION-BIT: 0 = No request for WT-Extension
sniffer.c: 223 info : ABORT/TERMINATE-BIT: 0 = No meaning
sniffer.c: 227 info : ERROR-BIT: 0 = No meaning
sniffer.c: 231 info : CHAINING-BIT: 0 = No more ICL data follows
sniffer.c: 235 info : ICB-EXTENSION-BIT: 0 = no ICB follows
sniffer.c: 48 info : Layer 7:
sniffer.c: 50 info : I = Command
sniffer.c: 51 info : CLA = 0x02
sniffer.c: 54 info : -> CNTR (Control Class)
sniffer.c: 75 info : INS = 0xf1
sniffer.c: 80 info : -> SL-APPL (Select Application)
sniffer.c: 180 info : DLNG = 11
sniffer.c: 187 info : DATA(0) = 0x38 '8' 56
sniffer.c: 187 info : DATA(1) = 0x39 '9' 57
sniffer.c: 187 info : DATA(2) = 0x34 '4' 52
sniffer.c: 187 info : DATA(3) = 0x39 '9' 57
sniffer.c: 187 info : DATA(4) = 0x30 '0' 48
sniffer.c: 187 info : DATA(5) = 0x31 '1' 49
sniffer.c: 187 info : DATA(6) = 0x30 '0' 48
sniffer.c: 187 info : DATA(7) = 0x30 '0' 48
sniffer.c: 187 info : DATA(8) = 0x33 '3' 51
sniffer.c: 187 info : DATA(9) = 0x30 '0' 48
sniffer.c: 187 info : DATA(10) = 0x31 '1' 49
sniffer.c: 715 info : ----------------------------------------
sniffer.c: 734 info : Layer 2:
sniffer.c: 735 info : source 1 -> to 3
sniffer.c: 737 info : control I: N(S)=0 N(R)=1
sniffer.c: 744 info : length 4
sniffer.c: 203 info : Interface control layer ICB1:
sniffer.c: 207 info : ON-LINE-BIT: 0 = Off-line data
sniffer.c: 211 info : CONFIRM-BIT: 0 = No meaning
sniffer.c: 215 info : MASTER/SLAVE-BIT: 0 = Sender is slave
sniffer.c: 219 info : WT-EXTENSION-BIT: 0 = No request for WT-Extension
sniffer.c: 223 info : ABORT/TERMINATE-BIT: 0 = No meaning
sniffer.c: 227 info : ERROR-BIT: 0 = No meaning
sniffer.c: 231 info : CHAINING-BIT: 0 = No more ICL data follows
sniffer.c: 235 info : ICB-EXTENSION-BIT: 0 = no ICB follows
sniffer.c: 48 info : Layer 7:
sniffer.c: 142 info : I = Response
sniffer.c: 143 info : CCRC = 0x05
sniffer.c: 145 info : -> PIN-NOT-OK
sniffer.c: 149 info : -> APRC valid
sniffer.c: 158 info : APRC = 0x02
sniffer.c: 160 info : -> Bit 2 = 1:PIN-Check required
sniffer.c: 166 info : -> Bit 3 = 0:Application unlocked
sniffer.c: 170 info : -> Bit 5 = 0:GEBZ/RUFN unlocked
sniffer.c: 174 info : -> Bit 6 = 0:GEBZ not full
sniffer.c: 180 info : DLNG = 0
sniffer.c: 302 info : Resetting sniffer
</pre>
<p>
When the phone is switched on, the SIM card is powered up and outputs the ATR (Answer To Reset) sequence.
The sniffer decodes its interface bytes (the TD bytes announce protocol T=14), the eight history bytes and the trailing checksum, as shown above.
</p>
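<p>The decoding shown above, as an added example that is not part of cnetz_sim or sniffer.c: a minimal ISO/IEC 7816-3 ATR parser that walks TS, T0, the TA/TB/TC/TD interface-byte chain, the historical bytes and the TCK check byte, and rejects a truncated or mis-checksummed ATR. The T=14 interface bytes (TA3, TB3, TC3, TA4) are card specific and are only collected, not interpreted. The sample ATR is constructed: it has the same shape as the dump above and reuses its history bytes, but the interface byte values are made up and the real T=14 encoding is not reconstructed.</p>

```c
/* Added example, not part of cnetz_sim: a minimal ISO/IEC 7816-3 ATR parser
 * walking the same structure the sniffer prints above (TS, T0, the TA/TB/TC/TD
 * chain, historical bytes, TCK). T=14 interface bytes are card specific and
 * are only collected, not interpreted. Sample bytes are CONSTRUCTED. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ATR_MAX_IF 8  /* interface byte groups kept, index 1..7 */

struct atr_info {
    int direct;                 /* 1 = direct convention (TS 0x3B), 0 = inverse (0x3F) */
    int ta[ATR_MAX_IF], tb[ATR_MAX_IF], tc[ATR_MAX_IF], td[ATR_MAX_IF]; /* -1 = absent */
    int protocols[16];          /* protocols[T] = 1 when some TDi offers T */
    uint8_t hist[15];
    int hist_len;
    int tck_present, tck_ok;    /* TCK is absent only when T=0 is the sole protocol */
    size_t nbytes;              /* bytes consumed from buf */
};

/* 0 = ok, -1 bad TS, -2 truncated, -3 TCK mismatch, -4 too many TD groups */
int parse_atr(const uint8_t *buf, size_t len, struct atr_info *out)
{
    size_t pos, k;
    int i, y, only_t0 = 1;
    uint8_t x = 0;

    memset(out, 0, sizeof *out);
    for (i = 0; i < ATR_MAX_IF; i++)
        out->ta[i] = out->tb[i] = out->tc[i] = out->td[i] = -1;
    if (len < 2)
        return -2;
    if (buf[0] == 0x3B)      out->direct = 1;
    else if (buf[0] == 0x3F) out->direct = 0;
    else                     return -1;

    y = buf[1] >> 4;                 /* Y1: which of TA1..TD1 follow */
    out->hist_len = buf[1] & 0x0F;   /* K: number of historical bytes */
    pos = 2;
    for (i = 1; y != 0; i++) {
        if (i >= ATR_MAX_IF)
            return -4;
        if (y & 1) { if (pos >= len) return -2; out->ta[i] = buf[pos++]; }
        if (y & 2) { if (pos >= len) return -2; out->tb[i] = buf[pos++]; }
        if (y & 4) { if (pos >= len) return -2; out->tc[i] = buf[pos++]; }
        if (!(y & 8))
            break;                   /* no TDi, chain ends here */
        if (pos >= len) return -2;
        out->td[i] = buf[pos++];
        out->protocols[out->td[i] & 0x0F] = 1;
        if ((out->td[i] & 0x0F) != 0)
            only_t0 = 0;
        y = out->td[i] >> 4;         /* Y(i+1): which of TA/TB/TC/TD(i+1) follow */
    }
    if (pos + (size_t)out->hist_len > len)
        return -2;
    memcpy(out->hist, buf + pos, out->hist_len);
    pos += out->hist_len;

    out->tck_present = !only_t0;
    if (out->tck_present) {
        if (pos >= len)
            return -2;
        for (k = 1; k < pos; k++)    /* TCK = XOR of T0 .. last historical byte */
            x ^= buf[k];
        out->tck_ok = (x == buf[pos++]);
        if (!out->tck_ok)
            return -3;
    }
    out->nbytes = pos;
    return 0;
}

/* CONSTRUCTED sample shaped like the dump above: TD1/TD2/TD3 all announce T=14,
 * TA3/TB3/TC3/TA4 present (values made up to echo the dump's numbers, the real
 * T=14 encoding is not reconstructed), history bytes copied from the dump. */
const uint8_t SAMPLE_ATR[] = {
    0x3B,             /* TS: direct convention */
    0x88,             /* T0: Y1=1000 (TD1 follows), K=8 historical bytes */
    0x8E,             /* TD1: Y2=1000 (TD2 follows), T=14 */
    0xFE,             /* TD2: Y3=1111 (TA3,TB3,TC3,TD3 follow), T=14 */
    0x35, 0x2A, 0x03, /* TA3, TB3, TC3 */
    0x1E,             /* TD3: Y4=0001 (TA4 follows), T=14 */
    0x04,             /* TA4 */
    0x92, 0x80, 0x00, 0x41, 0x32, 0x36, 0x01, 0x11, /* historical bytes */
    0xB9              /* TCK: XOR of T0 .. 0x11 */
};
const size_t SAMPLE_ATR_LEN = sizeof SAMPLE_ATR;

int main(void)
{
    struct atr_info a;
    int i, rc = parse_atr(SAMPLE_ATR, SAMPLE_ATR_LEN, &a);
    if (rc != 0) {
        printf("ATR rejected (%d)\n", rc);
        return 1;
    }
    printf("%s convention, T=14 offered: %d\n", a.direct ? "direct" : "inverse", a.protocols[14]);
    for (i = 1; i < ATR_MAX_IF; i++)
        if (a.td[i] >= 0)
            printf("TD%d = 0x%02x\n", i, a.td[i]);
    for (i = 0; i < a.hist_len; i++)
        printf("History byte #%d: 0x%02x\n", i + 1, a.hist[i]);
    printf("Checksum 0x%02x %s\n", SAMPLE_ATR[SAMPLE_ATR_LEN - 1], a.tck_ok ? "ok" : "bad");
    return 0;
}
```

<p>Two details matter when feeding a real sniffer capture into a parser like this: the TCK byte is absent when T=0 is the only protocol offered, so a parser that always expects it will misalign on plain T=0 cards, and a checksum mismatch should make the parser reject the ATR rather than carry on, since on a sniffed line a bad TCK usually means a bit error or a wrong bit convention setting.</p>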
<p>
The first message is a command message that is transmitted from the phone towards the SIM card.
The layer 2 header indicates the direction and the length of 15 bytes.
The interface control layer (ICL) has no meaning with the C-Netz.
Except for the MASTER/SLAVE-BIT, no other bit is used.
The layer 7 (application) header indicates the message type, the command class (CLA) and instruction (INS), and the data length (DLNG), followed by 11 bytes of data, here the ASCII digits "89490100301".
This command tells the SIM card to select the C-Netz application.
</p>
<p>
The second message is a response message that is transmitted from the SIM card towards the phone.
The layer 2 header indicates the direction and the length of 4 bytes.
The layer 7 header indicates the response code (CCRC), the status bits (APRC) and the length, followed by 0 bytes of data.
The response tells the phone that a PIN check is required before the command can be completed.
The user is prompted to enter the PIN.
</p>
<p>
To read more about the protocol, and the meaning of messages, refer to <a href="http://download.eversberg.eu/mobilfunk/C-Netz-Dokus/FTZ%20171%20TR%2060%20-%20Anhang%201%20Berechtigungskarte%20als%20Prozessorkarte.pdf">FTZ 171 TR 60 - Anhang 1 Berechtigungskarte als Prozessorkarte.pdf</a>.
</p>
<p class="toppic">
<a name="byo"></a>
Build Your Own SIM Card
</p>
<center><img src="sim_layout.png"/></center>
<p>
You will find the PCB drawings inside the "layout" directory of the git repository.
You may use an "Arduino UNO" or an "ATTINY85" to emulate a SIM card without a PC.
In case of the Arduino, you still need wires to connect it to the card reader of the phone.
If you use an ATTINY85, you can put the microcontroller directly on a PCB card, as shown on top of this page.
</p>
<p>
To compile and run with Arduino, you need to open "src/sim/sim.ino" with Arduino software and select the "Arduino UNO" board.
The RESET input is at pin 6 and the I/O line at pin 7.
Connect these two lines, together with the ground line, to the card reader or ISO card PCB.
You don't need a diode this time, since pin 7 is automatically switched between input and output.
The serial protocol is emulated in software.
The status LED (pin 13) will flash whenever a message is received from the card reader.
</p>
<p>
To compile and run with ATTINY85, you need to open "src/sim/sim.ino" with Arduino software and select the "ATtiny25/45/85" board and the "ATtiny85" chip.
Refer to the internet on how to compile and flash the ATTINY85 without a boot-loader.
It is beyond the scope of this documentation.
This time you need five wires: RESET, I/O and ground as with the Arduino, plus VCC and clock.
</p>
<p>
<font color="red">Important: After flashing, wait 10 seconds before removing power.
During that time the EEPROM is initialized.
If you read out the EEPROM afterwards, you will find the letter 'C' at address 0; this tells you that the initialization finished successfully.
</font>
</p>
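<p>The marker byte described above, as an added illustration of why a marker that is written last is a reliable sign that initialization completed: if power is removed before the sequence finishes, the marker is missing and the next power-up initializes again instead of using half-written data. This is not the code of sim.ino; the EEPROM layout, the default record and the simulated power loss are assumptions made for this demonstration, and the real sketch's EEPROM contents are not reproduced.</p>

```c
/* Added example, not the sim.ino code: commit-marker-last EEPROM initialisation.
 * The EEPROM is simulated with a RAM array and a write budget that models a
 * power loss part way through the init sequence. Layout and values are made up. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EEPROM_SIZE 512
#define INIT_MARKER 'C'   /* the letter the text says to expect at address 0 */
#define DATA_BASE   1     /* assumption: card data starts right after the marker */

/* Constructed default record; the real sketch's layout is not reproduced. */
static const uint8_t DEFAULT_RECORD[] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };

struct sim_eeprom {
    uint8_t cell[EEPROM_SIZE];
    int writes_left;   /* -1 = unlimited, otherwise byte writes before "power loss" */
    int power_lost;
};

/* Fresh chip: erased EEPROM reads 0xFF everywhere. */
void sim_erase(struct sim_eeprom *e, int writes_before_power_loss)
{
    memset(e->cell, 0xFF, sizeof e->cell);
    e->writes_left = writes_before_power_loss;
    e->power_lost = 0;
}

/* Simulated EEPROM byte write; returns 0 if power was lost before it landed. */
static int ee_write(struct sim_eeprom *e, size_t addr, uint8_t v)
{
    if (e->power_lost || addr >= EEPROM_SIZE)
        return 0;
    if (e->writes_left == 0) {
        e->power_lost = 1;
        return 0;
    }
    if (e->writes_left > 0)
        e->writes_left--;
    e->cell[addr] = v;
    return 1;
}

int sim_is_initialised(const struct sim_eeprom *e)
{
    return e->cell[0] == INIT_MARKER;
}

int sim_record_ok(const struct sim_eeprom *e)
{
    return memcmp(e->cell + DATA_BASE, DEFAULT_RECORD, sizeof DEFAULT_RECORD) == 0;
}

/* Power-up behaviour modelled on the text: initialise when the marker is
 * missing. Returns 1 when the card is ready, 0 when init did not complete. */
int sim_power_up(struct sim_eeprom *e)
{
    size_t i;
    if (sim_is_initialised(e))
        return 1;                                   /* already initialised */
    for (i = 0; i < sizeof DEFAULT_RECORD; i++)
        if (!ee_write(e, DATA_BASE + i, DEFAULT_RECORD[i]))
            return 0;                               /* power lost mid-init */
    return ee_write(e, 0, INIT_MARKER);             /* data complete: commit marker */
}

int main(void)
{
    struct sim_eeprom e;

    sim_erase(&e, -1);
    printf("full init:   ready=%d marker=%c\n", sim_power_up(&e), e.cell[0]);

    sim_erase(&e, 3);                  /* power cut after three byte writes */
    printf("interrupted: ready=%d marker=0x%02x\n", sim_power_up(&e), e.cell[0]);

    e.writes_left = -1;                /* power restored: marker absent, init runs again */
    e.power_lost = 0;
    printf("retry:       ready=%d marker=%c\n", sim_power_up(&e), e.cell[0]);
    return 0;
}
```

<p>Reading address 0 therefore answers the question the red note raises: a 'C' means every write before it completed, while anything else means the card must not be used until it has been powered long enough to finish initializing.</p>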
<p>
If you use the DIP version of the ATTINY85, you cannot put it on the card itself.
The PCB in the picture on top of this page shows the DIP socket next to the actual card area.
Be sure to put the chip on the back side of the SIM card.
This works only if the phone does not completely enclose the card.
</p>
<p>
If you use the SOIC version of the ATTINY85, you need to make it flat, so it fits into your phone.
You may use the full size SIM or just the mini SIM.
I prefer the mini SIM and use an adapter card for larger phones.
</p>
<center><img src="sim-attiny85.jpg"/></center>
<p>
The original ATTINY85 (1) is shown upside down.
Bend the legs straight and shorten them, so they still fit into a programmer's socket. (2)