diff --git a/.gitignore b/.gitignore index d0f0cd0..9c57ee7 100644 --- a/.gitignore +++ b/.gitignore @@ -69,6 +69,7 @@ src/tv/osmotv src/radio/osmoradio src/datenklo/datenklo src/zeitansage/zeitansage +src/sim/cnetz_sim extra/cnetz_memory_card_generator src/test/test_filter src/test/test_sendevolumenregler diff --git a/configure.ac b/configure.ac index a09e5d6..42921eb 100644 --- a/configure.ac +++ b/configure.ac @@ -100,6 +100,7 @@ AC_OUTPUT( src/radio/Makefile src/datenklo/Makefile src/zeitansage/Makefile + src/sim/Makefile src/test/Makefile src/Makefile extra/Makefile diff --git a/docs/index.html b/docs/index.html index 25dbaa0..ac17e70 100644 --- a/docs/index.html +++ b/docs/index.html @@ -112,6 +112,7 @@ Additional features:
diff --git a/docs/sim.html b/docs/sim.html new file mode 100644 index 0000000..e9826fe --- /dev/null +++ b/docs/sim.html @@ -0,0 +1,472 @@ + + + +
+
+
+
+ |
+ |
+Connect Ground to GND.
+ |
+
+To run the emulator, use the "sim" keyword at the end of the command line. +Use the '-s' option to give the correct serial interface: +
+ ++ +# src/sim/cnetz_sim -s /dev/ttyUSB0 sim + +... +FUTLN=23100001, Sicherungscode=3103, Kartekennung=3, Sonderheitenschluessel=0, Wartungsschluessel=65535 +Telephone directory has 80 entries. +SIM emulator ready, please start the phone! +sim.c:1352 info : Reset singnal on (low) +sim.c:1352 info : Reset singnal off (high) +sim.c:1371 info : Card has disabled PIN (system PIN '0000') Selecting card #1. +sim.c:1374 info : Sending ATR +sim.c:1125 info : RX message +sim.c:1135 info : control I: N(S)=0 N(R)=0 +sim.c: 473 info : SL-APPL app 3 +sim.c:1222 info : TX resonse +sim.c:1228 info : control I: N(S)=0 N(R)=1 +sim.c:1125 info : RX message +sim.c:1135 info : control I: N(S)=1 N(R)=1 +sim.c: 558 info : RD-EBDT +sim.c:1222 info : TX resonse +sim.c:1228 info : control I: N(S)=1 N(R)=2 +sim.c:1125 info : RX message +sim.c:1135 info : control I: N(S)=2 N(R)=2 +sim.c: 473 info : SL-APPL app 4 +sim.c:1222 info : TX resonse +sim.c:1228 info : control I: N(S)=2 N(R)=3 +sim.c:1125 info : RX message +sim.c:1135 info : control I: N(S)=3 N(R)=3 +sim.c: 473 info : SL-APPL app 3 +sim.c:1222 info : TX resonse +sim.c:1228 info : control I: N(S)=3 N(R)=4 +sim.c:1125 info : RX message +sim.c:1135 info : control I: N(S)=4 N(R)=4 +sim.c: 558 info : RD-EBDT +sim.c:1222 info : TX resonse +sim.c:1228 info : control I: N(S)=4 N(R)=5 +sim.c:1125 info : RX message +sim.c:1135 info : control I: N(S)=5 N(R)=5 +sim.c: 599 info : RD-RUFN (loc=0) +sim.c: 655 info : 80 numbers can be stored in EEPROM +sim.c:1222 info : TX resonse +sim.c:1228 info : control I: N(S)=5 N(R)=6 +sim.c:1352 info : Reset singnal on (low) + ++ +
+Use '-h' command line option to get a list of all options. +
+ + + + ++To run the sniffer, use the "sniff" keyword at the end of the command line. +You only need to connect I/O line to the RX line of your serial interface. (And ground of course!) +Use the '-s' option to give the correct serial interface: +
+ + ++ +# src/sim/cnetz_sim -s /dev/ttyUSB0 sniff + +sniffer.c: 602 info : ---------------------------------------- +sniffer.c: 609 info : Reading ATR normal bit order: +sniffer.c: 547 info : TD1 T=14: Refers to transmission protocols not standardized by ISO/IEC JTC 1/SC 17. +sniffer.c: 590 info : ---------------------------------------- +sniffer.c: 547 info : TD2 T=14: Refers to transmission protocols not standardized by ISO/IEC JTC 1/SC 17. +sniffer.c: 590 info : ---------------------------------------- +sniffer.c: 418 info : TA3 fsmin = 3 MHz +sniffer.c: 433 info : TA3 fsmax = 5 MHz (Default) +sniffer.c: 470 info : TB3 Maximum block size = 42 +sniffer.c: 516 info : TC3 Character Waiting Time = 3 +sniffer.c: 547 info : TD3 T=14: Refers to transmission protocols not standardized by ISO/IEC JTC 1/SC 17. +sniffer.c: 590 info : ---------------------------------------- +sniffer.c: 440 info : TA4 Block Waiting Time = 4 +sniffer.c: 590 info : ---------------------------------------- +sniffer.c: 595 info : History byte #1: 0x92 +sniffer.c: 595 info : History byte #2: 0x80 +sniffer.c: 595 info : History byte #3: 0x00 +sniffer.c: 595 info : History byte #4: 0x41 +sniffer.c: 595 info : History byte #5: 0x32 +sniffer.c: 595 info : History byte #6: 0x36 +sniffer.c: 595 info : History byte #7: 0x01 +sniffer.c: 595 info : History byte #8: 0x11 +sniffer.c: 690 info : Checksum 0xe4 ok. +sniffer.c: 697 info : ATR done! +sniffer.c: 715 info : ---------------------------------------- +sniffer.c: 734 info : Layer 2: +sniffer.c: 735 info : source 3 -> to 1 +sniffer.c: 737 info : control I: N(S)=0 N(R)=0 +sniffer.c: 744 info : length 15 +sniffer.c: 203 info : Interface control layer ICB1: +sniffer.c: 207 info : ON-LINE-BIT: 0 = Off-line data +sniffer.c: 211 info : CONFIRM-BIT: 0 = No meaning +sniffer.c: 213 info : MASTER/SLAVE-BIT: 1 = Sender is master +sniffer.c: 219 info : WT-EXTENSION-BIT: 0 = No request for WT-Extension +sniffer.c: 223 info : ABORT/TERMINATE-BIT: 0 = No meaning +sniffer.c: 227 info : ERROR-BIT: 0 = No meaning +sniffer.c: 231 info : CHAINING-BIT: 0 = No more ICL data follows +sniffer.c: 235 info : ICB-EXTENSION-BIT: 0 = no ICB follows +sniffer.c: 48 info : Layer 7: +sniffer.c: 50 info : I = Command +sniffer.c: 51 info : CLA = 0x02 +sniffer.c: 54 info : -> CNTR (Control Class) +sniffer.c: 75 info : INS = 0xf1 +sniffer.c: 80 info : -> SL-APPL (Select Application) +sniffer.c: 180 info : DLNG = 11 +sniffer.c: 187 info : DATA(0) = 0x38 '8' 56 +sniffer.c: 187 info : DATA(1) = 0x39 '9' 57 +sniffer.c: 187 info : DATA(2) = 0x34 '4' 52 +sniffer.c: 187 info : DATA(3) = 0x39 '9' 57 +sniffer.c: 187 info : DATA(4) = 0x30 '0' 48 +sniffer.c: 187 info : DATA(5) = 0x31 '1' 49 +sniffer.c: 187 info : DATA(6) = 0x30 '0' 48 +sniffer.c: 187 info : DATA(7) = 0x30 '0' 48 +sniffer.c: 187 info : DATA(8) = 0x33 '3' 51 +sniffer.c: 187 info : DATA(9) = 0x30 '0' 48 +sniffer.c: 187 info : DATA(10) = 0x31 '1' 49 +sniffer.c: 715 info : ---------------------------------------- +sniffer.c: 734 info : Layer 2: +sniffer.c: 735 info : source 1 -> to 3 +sniffer.c: 737 info : control I: N(S)=0 N(R)=1 +sniffer.c: 744 info : length 4 +sniffer.c: 203 info : Interface control layer ICB1: +sniffer.c: 207 info : ON-LINE-BIT: 0 = Off-line data +sniffer.c: 211 info : CONFIRM-BIT: 0 = No meaning +sniffer.c: 215 info : MASTER/SLAVE-BIT: 0 = Sender is slave +sniffer.c: 219 info : WT-EXTENSION-BIT: 0 = No request for WT-Extension +sniffer.c: 223 info : ABORT/TERMINATE-BIT: 0 = No meaning +sniffer.c: 227 info : ERROR-BIT: 0 = No meaning +sniffer.c: 231 info : CHAINING-BIT: 0 = No more ICL data follows +sniffer.c: 235 info : ICB-EXTENSION-BIT: 0 = no ICB follows +sniffer.c: 48 info : Layer 7: +sniffer.c: 142 info : I = Response +sniffer.c: 143 info : CCRC = 0x05 +sniffer.c: 145 info : -> PIN-NOT-OK +sniffer.c: 149 info : -> APRC valid +sniffer.c: 158 info : APRC = 0x02 +sniffer.c: 160 info : -> Bit 2 = 1:PIN-Check required +sniffer.c: 166 info : -> Bit 3 = 0:Application unlocked +sniffer.c: 170 info : -> Bit 5 = 0:GEBZ/RUFN unlocked +sniffer.c: 174 info : -> Bit 6 = 0:GEBZ not full +sniffer.c: 180 info : DLNG = 0 +sniffer.c: 302 info : Resetting sniffer + ++ +
+When the phone is switched on, the SIM card is powered up and outputs the ATR sequence (Answer To Reset). +
+ ++The first message is a command message that is transmitted from the phone towards the SIM card. +The layer 2 header indicates the direction and the length of 15 bytes. +The ICR layer has no meaning with the C-Netz. +Except for the MASTER/SLAVE-BIT, no other bit is used. +The layer 7 (application) header indicates the command and the message type and length, followed by 11 bytes of data. +This command tells the SIM card to select C-Netz application. +
+ ++The second message is a response message that is transmitted from the SIM card towards the phone. +The layer 2 header indicates the direction and the length of 4 bytes. +The layer 7 header indicates the response and status bits and length, followed by 0 bytes of data. +The response tells the SIM card that a PIN is required to complete the command. +The user is prompted to enter the pin. +
+ ++To read more about the protocol, and the meaning of messages, refer to FTZ 171 TR 60 - Anhang 1 Berechtigungskarte als Prozessorkarte.pdf +
+ + + + ++You find the PCB drawings inside the "layout" directory of the git repository. +Be sure to print it without scaling! +Check if the printed size matches an ISO card. +Also there is the source files for the 'Eagle' layout program, if you like to change it. +
+ ++You may use an "Arduino UNO" or "ATTINY85" to emulate a SIM card without a PC. +In case of the Arduino, you still need wires to connect it to the card reader of the phone. +If you use an ATTINY85, you can put the micro controller directly on a PCB card, as shown on top of this page. +
+ ++To compile and run with Arduino, you need to open "src/sim/sim.ino" with Arduino software and select the "Arduino UNO" board. +The RESET input is at pin 6 and the I/O line at pin 7. +Connect these two lines together with ground line to the card reader or ISO card PCB. +You don't need a diode this time, since pin 7 is automatically switched between input and output. +The serial protocol is emulated in software. +The status LED (pin 13) will flash whenever a message is received from the card reader. +
+ ++To compile and run with ATTINY85, you need to open "src/sim/sim.ino" with Arduino software and select the "ATiny25/45/85" board and the "ATiny85" chip. +Refer to the internet on how to compile and flash the ATTINY85 without boot-loader. +It is beyond the scope of this documentation. +This time you need 5 wires to connect (VCC and Clock also). +
+ ++Important: After flashing you need to wait 10 seconds before removing power. +During that time the EEPROM is initialized. +If you would read out the EEPROM, you will notice the letter 'C' at address 0. +Then you would know that the init process was finished with success. + +
+ ++If you use the DIP version of the ATTINY85, you cannot put it on the card itself. +The PCB in the picture on top of this page shows the DIP socket next to the actual card area. +Be sure to put the chip on the back side of the SIM card. +This works only if the phone does not completely enclose the card. +
+ ++If you use the SOIC version of the ATTINY85, you need to make it flat, so it fits into your phone. +You may use the full size SIM or just the mini SIM. +I prefer the mini SIM and use an adapter card for larger phones. +
+ ++The original ATTINY85 (1) is shown upside down. +Bend the legs straight and shorten them, so they still fit into a programmer's socket. (2) +The use P400 sand paper to sand off the bottom of the case until you reach copper plate. (3) +Make a hole into the PBC and solder the chip upside down into that hole. +Pin 1 is marked on the PCB. +
+ ++Important: You need to change clock source to pin 1. + +
+ +
+Change lower fuse of 0xc0.
+Note that you will not be able to do any further programming unless you apply clock signal to pin 1.
+Use a crystal oscillator connected to pin 1 when you like to update the firmware in the future.
+You may also use other type of clock signal.
+Try something between 1 and 8 MHz.
+I recommend to use the USBasp or a clone of that. It is cheap and easy and works with USB.
+To set the fuses using "avrdude" in conjunction with "usbasp" flash tool, use:
+
+avrdude -c usbasp-clone -p t85 -U lfuse:w:0xc0:m -U hfuse:w:0xdf:m -U efuse:w:0xff:m
+
+If you run it again, you might notice that there is no response without a clock applied.
+Apply a clock to pin 1 and see if you get a response again.
+
+After powering up the phone with SIM adapter/emulator attached, the phone should show the default subscriber number (FUTLN) on the display. +(Not all phones do. Read the manual to get the key code on how to show the subscriber number.) +There is no PIN enabled by default, so the SIM card is ready after inserting or poweing up the phone. +Now you can make calls, add telephone numbers or change PIN. +
+ ++The SIM card can emulate 8 different cards. +They share the same telephone directory, but have different subscriber data. +Subscriber data can be changed to anything you like. +This way it is possible to even emulate service cards ("Wartungskarten"), to put phones into service mode or special cell monitor mode. +
+ ++If the PIN is disabled (default), the first card with first subscriber data is emulates. +To select different card with dfferent subscriber data, change the PIN to 0001 .. 0008. +Refer to the phone's manual on how to change the PIN. +E.g. if you store the PIN 0000 or 0001, the first card with the first subscriber data is emulated. +E.g. if you store the PIN 0005, the fifth card with the fifth subscriber data is emulated. +In all cases, there is no PIN required when you turn on the phone. +
+ ++
PIN | FUTLN = Subscriber | Sicherungs- code | Karten- kennung | Sonderheiten- schlüssel | Wartungs- schlüssel |
---|---|---|---|---|---|
0000 or 0001 | 2222001 | 3103 | 3 | 0 | 65535 |
0002 | 2222002 | 3103 | 3 | 0 | 65535 |
0003 | 2222003 | 3103 | 3 | 0 | 65535 |
0004 | 2222004 | 3103 | 3 | 0 | 65535 |
0005 | 2222005 | 3103 | 3 | 0 | 65535 |
0006 | 2222006 | 3103 | 3 | 0 | 65535 |
0007 | 2222007 | 3103 | 3 | 0 | 65535 |
0008 | 2222008 | 3103 | 3 | 0 | 65535 |
+You may want to use a PIN to select the card whenever you turn on the phone. +Use the phone to enable a PIN that does not start with "000". +When you restart your phone, you may enter that PIN, to select the first card. +Alternatively you may enter the PIN 0000 or 0001, to select the first card, no matter what the PIN was. +Or you may enter the PIN 0002 .. 0008, to select second to eight card. +
+ ++You may also alter each of the 8 different subscriber data store on the SIM. +In order to do that, you need to set a PIN, so the phone will ask for a PIN whenever it is turned on. +Choose any PIN you like, but not a PIN stat starts with 000. +Turn on the phone and you will be asked for a PIN. +Enter the PIN 9991 to alter the first subscriber data. +Enter the PIN 9992 .. 9998 to alter second to eigtht subscriber data. +The subscriber data is shown in the telephone directory and can be altered by changing the numbers in that directory. +
+ +
+The default subscriber data and where to change them in the telephone directory:
+
+
Entry | Name | Number |
---|---|---|
01 | FUTLN | 2222001 * |
02 | Sicherungscode | 3103 |
03 | Kartenkennung | 3 |
04 | Sonderheitsschl. | 0 |
05 | Wartungsschl. | 65535 |
+To program one of the following service cards, change the subscriber data to the indicated values. +
+ ++
Type | FUTLN = Subscriber | Sicherungs- code | Karten- kennung | Sonderheiten- schlüssel | Wartungs- schlüssel |
---|---|---|---|---|---|
Siemens C5 service mode | - | - | - | 900 | 1000 |
Phillips Miniporty service mode | - | - | - | 900 | 1000 |
Phillips Miniporty cell monitor | - | - | - | 900 | 1728 or 2729 |
Phillips Porty service mode | 0 | 0 | 0 | 2304 | - |
Phillips Porty cell monitor | - | - | - | 898 | - |
-Importaint: SDR is required! It must be capable of about 15 Mega samples per second.
+Important: SDR is required! It must be capable of about 15 Mega samples per second.
If you use LimeSDR, you MUST use USB 3.0 to have enough bandwidth!