Phone hack: endless loop

Motorola seems to be in an endless loop?
In any case, it only shows the motorola logo and does not react to
pressing the power button.

sam3s_example/simtrace/phone.c

@@ -82,7 +82,10 @@ unsigned char USBState = STATE_IDLE;
 /** ISO7816 pins */
 static const Pin pinsISO7816_PHONE[]    = {PINS_ISO7816_PHONE};
 /** Bus switch pins */
-static const Pin pins_bus[]    = {PINS_BUS_DEFAULT};
+//static const Pin pins_bus[]    = {PINS_BUS_DEFAULT};
+// FIXME: temporary enable bus switch 
+static const Pin pins_bus[]    = {PINS_BUS_SNIFF};
+
 /** ISO7816 RST pin */
 static const Pin pinIso7816RstMC  = PIN_ISO7816_RST_PHONE;
 static uint8_t sim_inserted = 0;
@@ -124,6 +127,8 @@ extern uint8_t rcvdChar;
 
 extern volatile uint8_t timeout_occured;
 
+static rst_cnt = 0;
+
 /*-----------------------------------------------------------------------------
  *          Interrupt routines
  *-----------------------------------------------------------------------------*/
@@ -131,9 +136,13 @@ extern volatile uint8_t timeout_occured;
 static void ISR_PhoneRST( const Pin *pPin)
 {
     printf("+++ Int!!\n\r");
-    if (state == NONE) {
+    state = RST_RCVD;
+   
+/*    if (state == NONE || rst_cnt > 2) {
         state = RST_RCVD;
     }
+    rst_cnt++;
+*/
     // FIXME: What to do on reset?
     // FIXME: It seems like the phone is constantly sending a lot of these RSTs
 //    PIO_DisableIt( &pinPhoneRST ) ;
@@ -296,6 +305,13 @@ void sendResponse( uint8_t *pArg, uint8_t status, uint32_t transferred, uint32_t
     for ( i = 0; i < transferred; i++ ) {
         _ISO7816_SendChar(*(pArg++));
     }
+/*
+    if (*(pArg-1) == 0x8A) {
+        for (i=0; i<20000; i++) ;
+        _ISO7816_SendChar(0x90);
+        _ISO7816_SendChar(0x00);
+    }
+*/
     state = WAIT_CMD_PHONE;
 }
 
@@ -315,7 +331,7 @@ void wait_for_response(uint8_t pBuffer[]) {
         PR("b:%x %x %x %x %x.\n\r", buf.buf[0], buf.buf[1],buf.buf[2], buf.buf[3], buf.buf[4]);
 
         rcvdChar = 0;
-    } else if (timeout_occured  && buf.idx != 0) {
+    } else if (timeout_occured && buf.idx != 0) {
         printf(" to ");
         ret = USBD_Write( DATAIN, buf.buf, buf.idx, 0, 0 );
         timeout_occured = 0;
@@ -362,6 +378,7 @@ void Phone_run( void )
     switch (state) {
         case RST_RCVD:
             USBD_Write( INT, &msg, 1, 0, 0 );
+            TC0_Counter_Reset();
             // send_ATR sets state to WAIT_CMD
             if ((ret = USBD_Read(DATAOUT, pBuffer, MAX_MSG_LEN, (TransferCallback)&send_ATR, pBuffer)) == USBD_STATUS_SUCCESS) {
                 TRACE_INFO("Reading started sucessfully (ATR)");

sam3s_example/simtrace/simtrace.h

@@ -6,7 +6,7 @@
 #define DATAIN      2
 #define INT         3
 
-#define BUFLEN  5
+#define BUFLEN  5 
 typedef struct ring_buffer
 {
     uint8_t     buf[BUFLEN*2];   // data buffer

sam3s_example/simtrace/simtrace_iso7816.c

@@ -144,7 +144,7 @@ void USART1_IrqHandler( void )
 //            buf_push((USART_PHONE->US_RHR) & 0xFF);
             PR("e");
             PR("%x\n\r", (USART_PHONE->US_RHR) & 0xFF);
-            PR("st:", stat);
+            PR("st: %x ", stat);
         } /* else: error occured */
 
         if ((buf.idx % BUFLEN) == BUFLEN-1) {

sam3s_example/simtrace/tc_etu.c

@@ -76,7 +76,7 @@ void Timer_Init()
     PMC_EnablePeripheral(ID_TC0);
 
     /** Configure TC for a $ARG1 Hz frequency and trigger on RC compare. */
-    TC_FindMckDivisor( 20, BOARD_MCK, &div, &tcclks, BOARD_MCK );
+    TC_FindMckDivisor( 8, BOARD_MCK, &div, &tcclks, BOARD_MCK );
     TRACE_INFO("Chosen div, tcclk: %d, %d", div, tcclks);
     /* TC_CMR: TC Channel Mode Register: Capture Mode */
     /* CPCTRG: RC Compare resets the counter and starts the counter clock. */

usb_application/phone.py

@@ -20,7 +20,12 @@ import traceback    # Exception timeout
 # phone ? sim : 00 (??)
 
 # SuperSIM ATR
-atr= [0x3B, 0x9A, 0x94, 0x00, 0x92, 0x02, 0x75, 0x93, 0x11, 0x00, 0x01, 0x02, 0x02, 0x19]
+# atr= [0x3B, 0x9A, 0x94, 0x00, 0x92, 0x02, 0x75, 0x93, 0x11, 0x00, 0x01, 0x02, 0x02, 0x19]
+
+# Faster sysmocom SIM
+#atr = [0x3B, 0x99, 0x18, 0x00, 0x11, 0x88, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x60]
+atr = [0x3B, 0x99, 0x11, 0x00, 0x11, 0x88, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x60]
+
 RESP_OK = [0x60, 0x00]
 
 def find_dev():
@@ -66,7 +71,8 @@ WAIT_CMD = 1
 
 def handle_wait_rst(dev):
     # ATR handling
-    arr = dev.read(0x83, 64, 1000)    # Notification endpoint
+    print("Handle ATR")
+    arr = dev.read(0x83, 64, 300)    # Notification endpoint
 #    print("arr: ", arr)
     c=arr.pop()
 #    print(c)
@@ -74,8 +80,8 @@ def handle_wait_rst(dev):
     if c == ord('R'):
         # We received a Reset, so we send ATR
         written = dev.write(0x1, atr, 1000)
-#        print("Written data: ")
+        print("Written ATR of size: ")
-#        print(written)
+        print(written)
         state = WAIT_CMD;
     return state
 
@@ -86,13 +92,17 @@ def handle_wait_cmd(dev):
     print("Received request!: ")
     print("".join("%02x " % b for b in cmd))
 
-    send_response(dev, cmd);
+    return send_response(dev, cmd);
-    return WAIT_CMD
 
 handle_msg_funcs = { WAIT_RST: handle_wait_rst,
                         WAIT_CMD: handle_wait_cmd }
 
 def handle_phone_request(dev, state):
+    if state == WAIT_CMD:
+        try:
+            state = handle_msg_funcs[WAIT_RST](dev)
+        except usb.USBError as e:
+            print e
     state = handle_msg_funcs[state](dev)
     return state
 
@@ -100,6 +110,7 @@ INS = 1
 
 def send_response(dev, cmd):
 # FIXME: We could get data of length 5 as well! Implement another distinct criteria!
+    state = WAIT_CMD
     if len(cmd) == 5:         # Received cmd from phone
         if cmd[INS] == 0xA4:
             resp = [cmd[INS]]       # Respond with INS byte
@@ -112,6 +123,8 @@ def send_response(dev, cmd):
                     0x83, 0x8A]
             SW = [0x90, 0x00]
             resp = [cmd[INS]] + data + SW       # Respond with INS byte
+            #resp = SW       # Respond with INS byte
+            state = WAIT_RST
         else:
             print("Unknown cmd")
             resp = [0x60, 0x00]
@@ -128,7 +141,8 @@ def send_response(dev, cmd):
     print("Cmd, resp: ")
     print("".join("%02x " % b for b in cmd))
     print("".join("%02x " % b for b in resp))
-
+        
+    return state
 
 def emulate_sim():
     dev = find_dev()

usb_application/simtrace.py

@@ -41,6 +41,13 @@ class find_class(object):
 
         return False
 
+def find_dev():
+    dev = usb.core.find(idVendor=0x03eb, idProduct=0x6004)
+    if dev is None:
+        raise ValueError("Device not found")
+    else:
+        print("Found device")
+    return dev
 
 # main code
 def main():
@@ -59,15 +66,15 @@ def main():
 
 # FIXME: why is it a ccid function?
     if args.conf is not None:
-        devs = usb.core.find(find_all=1, custom_match=find_class(0xb))  # 0xb = Smartcard
+#FIXME: Change means to find devices
-        for dev in devs:
+        dev = find_dev()
-            dev.set_configuration(args.conf)
+        dev.set_configuration(args.conf)
-#            ret = dev.read(0x83, 64, 100)
 
     if args.read_bin is True: 
         ccid.pySim_read() 
 
     if args.cmd is not None:
+#FIXME: Change means to find devices
         devs = usb.core.find(find_all=1, custom_match=find_class(0xb))  # 0xb = Smartcard
         for dev in devs:
             dev.write(0x1, args.cmd)