simtrace2-cardem-pcsc: Make it work again

* support Interrupt STATUS notifications
* use osmocom libusb abstraction
* use asynchronous URBs for interrupt + bulk

Change-Id: Ib04798572295f25477719124530b6584780c5b75

firmware/apps/cardem/Makefile

@@ -1,3 +1,3 @@
 C_FILES += $(C_LIBUSB_RT)
 
-C_FILES += card_emu.c cciddriver.c iso7816_3.c iso7816_4.c iso7816_fidi.c mitm.c mode_cardemu.c mode_ccid.c simtrace_iso7816.c sniffer.c tc_etu.c usb.c
+C_FILES += card_emu.c cciddriver.c iso7816_4.c iso7816_fidi.c mitm.c mode_cardemu.c mode_ccid.c simtrace_iso7816.c sniffer.c usb.c

firmware/apps/trace/Makefile

@@ -1,3 +1,3 @@
 C_FILES += $(C_LIBUSB_RT)
 
-C_FILES += card_emu.c cciddriver.c iso7816_4.c iso7816_fidi.c mitm.c mode_cardemu.c mode_ccid.c simtrace_iso7816.c sniffer.c tc_etu.c usb.c
+C_FILES += card_emu.c cciddriver.c iso7816_4.c iso7816_fidi.c mitm.c mode_cardemu.c mode_ccid.c simtrace_iso7816.c sniffer.c usb.c

firmware/apps/triple_play/Makefile

@@ -1,3 +1,3 @@
 C_FILES += $(C_LIBUSB_RT)
 
-C_FILES += card_emu.c iso7816_4.c iso7816_fidi.c mitm.c mode_cardemu.c mode_ccid.c simtrace_iso7816.c sniffer.c tc_etu.c usb.c
+C_FILES += card_emu.c iso7816_4.c iso7816_fidi.c mitm.c mode_cardemu.c mode_ccid.c simtrace_iso7816.c sniffer.c usb.c

firmware/libboard/common/include/sim_switch.h

@@ -14,5 +14,13 @@
  */
 #pragma once
 
+/** switch card lines to use physical or emulated card
+ *  @param[in] nr card interface number (i.e. slot)
+ *  @param[in] physical which physical interface to switch to (e.g. 0: physical, 1: virtual)
+ *  @return 0 on success, negative else
+ */
 int sim_switch_use_physical(unsigned int nr, int physical);
+/** initialise card switching capabilities
+ *  @return number of switchable card interfaces
+ */
 int sim_switch_init(void);

firmware/libboard/qmod/source/sim_switch.c

@@ -0,0 +1,90 @@
+/* Code to switch between local (physical) and remote (emulated) SIM
+ *
+ * (C) 2015-2017 by Harald Welte <hwelte@hmw-consulting.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA
+ */
+#include "board.h"
+#include "trace.h"
+#include "led.h"
+#include "sim_switch.h"
+
+#ifdef PIN_SIM_SWITCH1
+static const Pin pin_conn_usim1 = {PIO_PA20, PIOA, ID_PIOA, PIO_OUTPUT_0, PIO_DEFAULT};
+#endif
+#ifdef PIN_SIM_SWITCH2
+static const Pin pin_conn_usim2 = {PIO_PA28, PIOA, ID_PIOA, PIO_OUTPUT_0, PIO_DEFAULT};
+#endif
+
+static int initialized = 0;
+
+int sim_switch_use_physical(unsigned int nr, int physical)
+{
+	const Pin *pin;
+	enum led led;
+
+	if (!initialized) {
+		TRACE_ERROR("Somebody forgot to call sim_switch_init()\r\n");
+		sim_switch_init();
+	}
+
+	TRACE_INFO("Modem %d: %s SIM\n\r", nr,
+		   physical ? "physical" : "virtual");
+
+	switch (nr) {
+#ifdef PIN_SIM_SWITCH1
+	case 0:
+		pin = &pin_conn_usim1;
+		led = LED_USIM1;
+		break;
+#endif
+#ifdef PIN_SIM_SWITCH2
+	case 1:
+		pin = &pin_conn_usim2;
+		led = LED_USIM2;
+		break;
+#endif
+	default:
+		TRACE_ERROR("Invalid SIM%u\n\r", nr);
+		return -1;
+	}
+
+	if (physical) {
+		TRACE_INFO("%u: Use local/physical SIM\r\n", nr);
+		PIO_Clear(pin);
+		led_blink(led, BLINK_ALWAYS_ON);
+	} else {
+		TRACE_INFO("%u: Use remote/emulated SIM\r\n", nr);
+		PIO_Set(pin);
+		led_blink(led, BLINK_ALWAYS_OFF);
+	}
+
+	return 0;
+}
+
+int sim_switch_init(void)
+{
+	int num_switch = 0;
+#ifdef PIN_SIM_SWITCH1
+	PIO_Configure(&pin_conn_usim1, 1);
+	num_switch++;
+#endif
+#ifdef PIN_SIM_SWITCH2
+	PIO_Configure(&pin_conn_usim2, 1);
+	num_switch++;
+#endif
+	initialized = 1;
+	return num_switch;
+}

firmware/libboard/simtrace/source/sim_switch.c

@@ -0,0 +1,54 @@
+/* Code to switch between local (physical) and remote (emulated) SIM
+ *
+ * (C) 2015-2017 by Harald Welte <hwelte@hmw-consulting.de>
+ * (C) 2018, sysmocom -s.f.m.c. GmbH, Author: Kevin Redon <kredon@sysmocom.de>
+ * 
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA
+ */
+#include "board.h"
+#include "trace.h"
+#include "led.h"
+#include "sim_switch.h"
+
+int sim_switch_use_physical(unsigned int nr, int physical)
+{
+	const Pin pin_sc = PIN_SC_SW_DEFAULT; // pin to control bus switch for VCC/RST/CLK signals
+	const Pin pin_io = PIN_IO_SW_DEFAULT; // pin to control bus switch for I/O signal
+
+	if (nr > 0) {
+		TRACE_ERROR("SIM interface for Modem %d can't be switched\r\n", nr);
+		return -1;
+	}
+
+	TRACE_INFO("Modem %u: %s SIM\n\r", nr, physical ? "physical" : "virtual");
+
+	if (physical) {
+		TRACE_INFO("%u: Use local/physical SIM\r\n", nr);
+		PIO_Set(&pin_sc);
+		PIO_Set(&pin_io);
+	} else {
+		TRACE_INFO("%u: Use remote/emulated SIM\r\n", nr);
+		PIO_Clear(&pin_sc);
+		PIO_Clear(&pin_io);
+	}
+
+	return 0;
+}
+
+int sim_switch_init(void)
+{
+	// the bus switch is already initialised
+	return 1; // SIMtrace hardware has only one switchable interface
+}

firmware/libcommon/include/card_emu.h

@@ -58,10 +58,17 @@ struct llist_head *card_emu_get_uart_tx_queue(struct card_handle *ch);
 void card_emu_have_new_uart_tx(struct card_handle *ch);
 void card_emu_report_status(struct card_handle *ch, bool report_on_irq);
 
-#define ENABLE_TX	0x01
-#define ENABLE_RX	0x02
+void card_emu_wtime_half_expired(void *ch);
+void card_emu_wtime_expired(void *ch);
+
+
+#define ENABLE_TX		0x01
+#define ENABLE_RX		0x02
+#define ENABLE_TX_TIMER_ONLY	0x03
 
 int card_emu_uart_update_fidi(uint8_t uart_chan, unsigned int fidi);
+void card_emu_uart_update_wt(uint8_t uart_chan, uint32_t wt);
+void card_emu_uart_reset_wt(uint8_t uart_chan);
 int card_emu_uart_tx(uint8_t uart_chan, uint8_t byte);
 void card_emu_uart_enable(uint8_t uart_chan, uint8_t rxtx);
 void card_emu_uart_wait_tx_idle(uint8_t uart_chan);

firmware/libcommon/include/iso7816_3.h

@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2019 sysmocom -s.f.m.c. GmbH, Author: Kevin Redon <kredon@sysmocom.de>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-*/
-
-/* this library provides utilities to handle the ISO-7816 part 3 communication aspects (e.g. related
- * to F and D) */
-
-#pragma once
-
-#include <stdint.h>
-#include <stdbool.h>
-
-/*! default clock rate conversion integer Fd.
- *  ISO/IEC 7816-3:2006(E) section 8.1 */
-#define ISO7816_3_DEFAULT_FD 372
-
-/*! default baud rate adjustment factor Dd.
- *  ISO/IEC 7816-3:2006(E) section 8.1 */
-#define ISO7816_3_DEFAULT_DD 1
-
-/*! default clock rate conversion integer Fi.
- *  ISO/IEC 7816-3:2006(E) section 8.3
- *  \note non-default value is optionally specified in TA1 */
-#define ISO7816_3_DEFAULT_FI 372
-
-/*! default baud rate adjustment factor Di.
- *  ISO/IEC 7816-3:2006(E) section 8.3
- *  \note non-default value is optionally specified in TA1 */
-#define ISO7816_3_DEFAULT_DI 1
-
-/*! default maximum clock frequency, in Hz.
- *  ISO/IEC 7816-3:2006(E) section 8.3
- *  \note non-default value is optionally specified in TA1 */
-#define ISO7816_3_DEFAULT_FMAX 5000000UL
-
-/*! default Waiting Integer (WI) value for T=0.
- *  ISO/IEC 7816-3:2006(E) section 10.2
- *  \note non-default value is optionally specified in TC2 */
-#define ISO7816_3_DEFAULT_WI 10
-
-/*! default Waiting Time (WT) value, in ETU.
- *  ISO/IEC 7816-3:2006(E) section 8.1
- *  \note depends on Fi, Di, and WI if protocol T=0 is selected */
-#define ISO7816_3_DEFAULT_WT 9600
-
-extern const uint16_t iso7816_3_fi_table[];
-
-extern const uint32_t iso7816_3_fmax_table[];
-
-extern const uint8_t iso7816_3_di_table[];
-
-bool iso7816_3_valid_f(uint16_t f);
-
-bool iso7816_3_valid_d(uint8_t d);
-
-int32_t iso7816_3_calculate_wt(uint8_t wi, uint16_t fi, uint8_t di, uint16_t f, uint8_t d);

firmware/libcommon/include/iso7816_fidi.h

@@ -21,10 +21,10 @@
 #include <stdint.h>
 
 /* Table 7 of ISO 7816-3:2006 */
-extern const uint16_t fi_table[];
+extern const uint16_t iso7816_3_fi_table[16];
 
 /* Table 8 from ISO 7816-3:2006 */
-extern const uint8_t di_table[];
+extern const uint8_t iso7816_3_di_table[16];
 
-/* compute the F/D ratio based on Fi and Di values */
-int compute_fidi_ratio(uint8_t fi, uint8_t di);
+/* compute the F/D ratio based on F_index and D_index values */
+int iso7816_3_compute_fd_ratio(uint8_t f_index, uint8_t d_index);

firmware/libcommon/include/simtrace_prot.h

@@ -231,10 +231,10 @@ struct cardemu_usb_msg_status {
 	/* phone-applied target voltage in mV */
 	uint16_t voltage_mv;
 	/* Fi/Di related information */
-	uint8_t fi;
-	uint8_t di;
-	uint8_t wi;
-	uint32_t waiting_time;
+	uint8_t F_index;	/* <! Index to ISO7816-3 Table 7 (F and f_max values) */
+	uint8_t D_index;	/* <! Index into ISO7816-3 Table 8 (D value) */
+	uint8_t wi;		/* <! Waiting Integer as defined in ISO7816-3 Section 10.2 */
+	uint32_t waiting_time;	/* <! Waiting Time in etu as defined in ISO7816-3 Section 8.1 */
 } __attribute__ ((packed));
 
 /* CEMU_USB_MSGT_DO_PTS */

firmware/libcommon/source/card_emu.c

@@ -1,6 +1,6 @@
 /* ISO7816-3 state machine for the card side
  *
- * (C) 2010-2019 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010-2021 by Harald Welte <laforge@gnumonks.org>
  * (C) 2018 by sysmocom -s.f.m.c. GmbH, Author: Kevin Redon <kredon@sysmocom.de>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -27,7 +27,6 @@
 #include "utils.h"
 #include "trace.h"
 #include "iso7816_fidi.h"
-#include "tc_etu.h"
 #include "card_emu.h"
 #include "simtrace_prot.h"
 #include "usb_buf.h"
@@ -154,19 +153,35 @@ struct card_handle {
 	bool in_reset;	/*< if card is in reset (true = RST low/asserted, false = RST high/ released) */
 	bool clocked;	/*< if clock is active ( true = active, false = inactive) */
 
-	/* timing parameters, from PTS */
-	uint8_t fi;
-	uint8_t di;
+	/* All below variables with _index suffix are indexes from 0..15 into Tables 7 + 8
+	 * of ISO7816-3. */
+
+	/*! Index to clock rate conversion integer Fi (ISO7816-3 Table 7).
+	 *  \note this represents the maximum value supported by the card, and can be indicated in TA1 */
+	uint8_t Fi_index;
+	/*! Current value of index to clock rate conversion integer F (ISO 7816-3 Section 7.1). */
+	uint8_t F_index;
+
+	/*! Index to baud rate adjustment factor Di (ISO7816-3 Table 8).
+	 *  \note this represents the maximum value supported by the card, and can be indicated in TA1 */
+	uint8_t Di_index;
+	/*! Current value of index to baud rate adjustment factor D (ISO 7816-3 Section 7.1). */
+	uint8_t D_index;
+
+	/*! Waiting Integer (ISO7816-3 Section 10.2).
+	 *  \note this value can be set in TA2 */
 	uint8_t wi;
 
+	/*! Waiting Time, in ETU (ISO7816-3 Section 8.1).
+	 *  \note this depends on Fi, Di, and WI if T=0 is used */
+	uint32_t waiting_time;	/* in etu */
+
 	uint8_t tc_chan;	/* TC channel number */
 	uint8_t uart_chan;	/* UART channel */
 
 	uint8_t in_ep;		/* USB IN EP */
 	uint8_t irq_ep;		/* USB IN EP */
 
-	uint32_t waiting_time;	/* in clocks */
-
 	/* ATR state machine */
 	struct {
 		uint8_t idx;
@@ -206,7 +221,7 @@ static void card_handle_reset(struct card_handle *ch)
 {
 	struct msgb *msg;
 
-	tc_etu_disable(ch->tc_chan);
+	card_emu_uart_update_wt(ch->uart_chan, 0);
 
 	/* release any buffers we may still own */
 	if (ch->uart_tx_msg) {
@@ -361,16 +376,14 @@ static void emu_update_fidi(struct card_handle *ch)
 {
 	int rc;
 
-	rc = compute_fidi_ratio(ch->fi, ch->di);
+	rc = iso7816_3_compute_fd_ratio(ch->F_index, ch->D_index);
 	if (rc > 0 && rc < 0x400) {
-		TRACE_INFO("%u: computed Fi(%u) Di(%u) ratio: %d\r\n",
-			    ch->num, ch->fi, ch->di, rc);
+		TRACE_INFO("%u: computed F(%u)/D(%u) ratio: %d\r\n", ch->num,
+			   ch->F_index, ch->D_index, rc);
 		/* make sure UART uses new F/D ratio */
 		card_emu_uart_update_fidi(ch->uart_chan, rc);
-		/* notify ETU timer about this */
-		tc_etu_set_etu(ch->tc_chan, rc);
 	} else
-		TRACE_INFO("%u: computed FiDi ration %d unsupported\r\n",
+		TRACE_INFO("%u: computed F/D ratio %d unsupported\r\n",
 			   ch->num, rc);
 }
 
@@ -392,19 +405,23 @@ static void card_set_state(struct card_handle *ch,
 	case ISO_S_WAIT_RST:
 		/* disable Rx and Tx of UART */
 		card_emu_uart_enable(ch->uart_chan, 0);
+		/* disable timeout */
+		card_emu_uart_update_wt(ch->uart_chan, 0);
 		break;
 	case ISO_S_WAIT_ATR:
 		/* Reset to initial Fi / Di ratio */
-		ch->fi = 1;
-		ch->di = 1;
+		ch->Fi_index = ch->F_index = 1;
+		ch->Di_index = ch->D_index = 1;
+		ch->wi = ISO7816_3_DEFAULT_WI;
+		ch->waiting_time = ISO7816_3_INIT_WTIME;
 		emu_update_fidi(ch);
+		/* enable TX to be able to use the timeout */
+		card_emu_uart_enable(ch->uart_chan, ENABLE_TX_TIMER_ONLY);
 		/* the ATR should only be sent 400 to 40k clock cycles after the RESET.
-		 * we use the tc_etu mechanism to wait this time.
+		 * we use the UART timeout mechanism to wait this time.
 		 * since the initial ETU is Fd=372/Dd=1 clock cycles long, we have to wait 2-107 ETU.
 		 */
-		tc_etu_set_wtime(ch->tc_chan, 2);
-		/* enable the TC/ETU counter once reset has been released */
-		tc_etu_enable(ch->tc_chan);
+		card_emu_uart_update_wt(ch->uart_chan, 2);
 		break;
 	case ISO_S_IN_ATR:
 		/* initialize to default WI, this will be overwritten if we
@@ -414,7 +431,7 @@ static void card_set_state(struct card_handle *ch,
 		/* update waiting time to initial waiting time */
 		ch->waiting_time = ISO7816_3_INIT_WTIME;
 		/* set initial waiting time */
-		tc_etu_set_wtime(ch->tc_chan, ch->waiting_time);
+		card_emu_uart_update_wt(ch->tc_chan, ch->waiting_time);
 		/* Set ATR sub-state to initial state */
 		ch->atr.idx = 0;
 		/* enable USART transmission to reader */
@@ -490,8 +507,7 @@ static int tx_byte_atr(struct card_handle *ch)
 			}
 		}
 		/* update waiting time (see ISO 7816-3 10.2) */
-		ch->waiting_time = ch->wi * 960 * ch->fi;
-		tc_etu_set_wtime(ch->tc_chan, ch->waiting_time);
+		ch->waiting_time = ch->wi * 960 * iso7816_3_fi_table[ch->F_index];
 		/* go to next state */
 		card_set_state(ch, ISO_S_WAIT_TPDU);
 		return 0;
@@ -626,10 +642,11 @@ static int tx_byte_pts(struct card_handle *ch)
 	case PTS_S_WAIT_RESP_PTS1:
 		byte = ch->pts.resp[_PTS1];
 		/* This must be TA1 */
-		ch->fi = byte >> 4;
-		ch->di = byte & 0xf;
-		TRACE_DEBUG("%u: found Fi=%u Di=%u\r\n", ch->num,
-			    ch->fi, ch->di);
+		ch->F_index = byte >> 4;
+		ch->D_index = byte & 0xf;
+		TRACE_DEBUG("%u: found F=%u D=%u\r\n", ch->num,
+			    iso7816_3_fi_table[ch->F_index], iso7816_3_di_table[ch->D_index]);
+		/* FIXME: if F or D are 0, become unresponsive to signal error condition */
 		break;
 	case PTS_S_WAIT_RESP_PTS2:
 		byte = ch->pts.resp[_PTS2];
@@ -654,10 +671,11 @@ static int tx_byte_pts(struct card_handle *ch)
 	switch (ch->pts.state) {
 	case PTS_S_WAIT_RESP_PCK:
 		card_emu_uart_wait_tx_idle(ch->uart_chan);
-		/* update baud rate generator with Fi/Di */
+		/* update baud rate generator with F/D */
 		emu_update_fidi(ch);
 		/* Wait for the next TPDU */
 		card_set_state(ch, ISO_S_WAIT_TPDU);
+		set_pts_state(ch, PTS_S_WAIT_REQ_PTSS);
 		break;
 	default:
 		/* calculate the next state and set it */
@@ -733,14 +751,28 @@ static void set_tpdu_state(struct card_handle *ch, enum tpdu_state new_ts)
 
 	switch (new_ts) {
 	case TPDU_S_WAIT_CLA:
-	case TPDU_S_WAIT_RX:
+		/* switch back to receiving mode */
 		card_emu_uart_enable(ch->uart_chan, ENABLE_RX);
+		/* disable waiting time since we don't expect any data */
+		card_emu_uart_update_wt(ch->uart_chan, 0);
+		break;
+	case TPDU_S_WAIT_INS:
+		/* start waiting for the rest of the header/body */
+		card_emu_uart_update_wt(ch->uart_chan, ch->waiting_time);
+		break;
+	case TPDU_S_WAIT_RX:
+		/* switch to receive mode to receive the body */
+		card_emu_uart_enable(ch->uart_chan, ENABLE_RX);
+		/* start waiting for the body */
+		card_emu_uart_update_wt(ch->uart_chan, ch->waiting_time);
 		break;
 	case TPDU_S_WAIT_PB:
 		/* we just completed the TPDU header from reader to card
 		 * and now need to disable the receiver, enable the
 		 * transmitter and transmit the procedure byte */
 		card_emu_uart_enable(ch->uart_chan, ENABLE_TX);
+		/* prepare to extend the waiting time once half of it is reached */
+		card_emu_uart_update_wt(ch->uart_chan, ch->waiting_time);
 		break;
 	default:
 		break;
@@ -1025,8 +1057,8 @@ void card_emu_report_status(struct card_handle *ch, bool report_on_irq)
 	if (ch->in_reset)
 		sts->flags |= CEMU_STATUS_F_RESET_ACTIVE;
 	/* FIXME: voltage + card insert */
-	sts->fi = ch->fi;
-	sts->di = ch->di;
+	sts->F_index = ch->F_index;
+	sts->D_index = ch->D_index;
 	sts->wi = ch->wi;
 	sts->waiting_time = ch->waiting_time;
 
@@ -1083,9 +1115,7 @@ void card_emu_io_statechg(struct card_handle *ch, enum card_io io, int active)
 	case CARD_IO_RST:
 		if (active == 0 && ch->in_reset) {
 			TRACE_INFO("%u: RST released\r\n", ch->num);
-			if (ch->vcc_active && ch->clocked) {
-				/* enable the TC/ETU counter once reset has been released */
-				tc_etu_enable(ch->tc_chan);
+			if (ch->vcc_active && ch->clocked && ch->state == ISO_S_WAIT_RST) {
 				/* prepare to send the ATR */
 				card_set_state(ch, ISO_S_WAIT_ATR);
 			}
@@ -1094,6 +1124,7 @@ void card_emu_io_statechg(struct card_handle *ch, enum card_io io, int active)
 			TRACE_INFO("%u: RST asserted\r\n", ch->num);
 			card_handle_reset(ch);
 			chg_mask |= CEMU_STATUS_F_RESET_ACTIVE;
+			card_set_state(ch, ISO_S_WAIT_RST);
 		}
 		ch->in_reset = active;
 		break;
@@ -1143,7 +1174,7 @@ int card_emu_set_atr(struct card_handle *ch, const uint8_t *atr, uint8_t len)
 }
 
 /* hardware driver informs us that one (more) ETU has expired */
-void tc_etu_wtime_half_expired(void *handle)
+void card_emu_wtime_half_expired(void *handle)
 {
 	struct card_handle *ch = handle;
 	/* transmit NULL procedure byte well before waiting time expires */
@@ -1153,7 +1184,10 @@ void tc_etu_wtime_half_expired(void *handle)
 		case TPDU_S_WAIT_PB:
 		case TPDU_S_WAIT_TX:
 			putchar('N');
+			/* we are waiting for data from the user. Send a procedure byte to ask the
+			 * reader to wait more time */
 			card_emu_uart_tx(ch->uart_chan, ISO7816_3_PB_NULL);
+			card_emu_uart_reset_wt(ch->uart_chan);
 			break;
 		default:
 			break;
@@ -1165,7 +1199,7 @@ void tc_etu_wtime_half_expired(void *handle)
 }
 
 /* hardware driver informs us that one (more) ETU has expired */
-void tc_etu_wtime_expired(void *handle)
+void card_emu_wtime_expired(void *handle)
 {
 	struct card_handle *ch = handle;
 	switch (ch->state) {
@@ -1232,8 +1266,8 @@ struct card_handle *card_emu_init(uint8_t slot_num, uint8_t tc_chan, uint8_t uar
 	ch->in_reset = in_reset;
 	ch->clocked = clocked;
 
-	ch->fi = 0;
-	ch->di = 1;
+	ch->Fi_index = ch->F_index = 1;
+	ch->Di_index = ch->D_index = 1;
 	ch->wi = ISO7816_3_DEFAULT_WI;
 
 	ch->tc_chan = tc_chan;
@@ -1244,9 +1278,10 @@ struct card_handle *card_emu_init(uint8_t slot_num, uint8_t tc_chan, uint8_t uar
 	ch->atr.len = sizeof(default_atr);
 	memcpy(ch->atr.atr, default_atr, ch->atr.len);
 
-	card_handle_reset(ch);
+	ch->pts.state = PTS_S_WAIT_REQ_PTSS;
+	ch->tpdu.state = TPDU_S_WAIT_CLA;
 
-	tc_etu_init(ch->tc_chan, ch);
+	card_handle_reset(ch);
 
 	return ch;
 }

firmware/libcommon/source/iso7816_3.c

@@ -1,159 +0,0 @@
-/*
- * Copyright (C) 2019 sysmocom -s.f.m.c. GmbH, Author: Kevin Redon <kredon@sysmocom.de>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-*/
-#include <stdint.h>
-#include <stddef.h>
-
-#include "utils.h"
-#include "iso7816_3.h"
-
-/*! Table of clock rate conversion integer F indexed by Fi.
- *  \note Fi is indicated in TA1, but the same table is used for F and Fn during PPS
- *  ISO/IEC 7816-3:2006(E) table 7 */
-const uint16_t iso7816_3_fi_table[16] = {
-	372, 372, 558, 744, 1116, 1488, 1860, 0,
-	0, 512, 768, 1024, 1536, 2048, 0, 0
-};
-
-/*! Table of maximum clock frequency f_max in Hz indexed by Fi.
- *  ISO/IEC 7816-3:2006(E) table 7
- *  \note f_max is indicated in TA1, but the same table is used for F and Fn during PPS */
-const uint32_t iso7816_3_fmax_table[16] = {
-	4000000, 5000000, 6000000, 8000000, 12000000, 16000000, 20000000, 0,
-	0, 5000000, 7500000, 10000000, 15000000, 20000000, 0, 0
-};
-
-/*! Table encoding the baud rate adjust integer D indexed by Di.
- *  ISO/IEC 7816-3:2006(E) table 8
- *  \note Di is indicated in TA1, but the same table is used for D and Dn during PPS */
-const uint8_t iso7816_3_di_table[16] = {
-	0, 1, 2, 4, 8, 16, 32, 64,
-	12, 20, 0, 0, 0, 0, 0, 0,
-};
-
-/* All values are based on the Elementary Time Unit (ETU), defined in ISO/IEC 7816-3 section 7.1
- * this is the time required to transmit a bit, and is calculated as follows:
- * 	1 ETU = (F / D) x (1 / f)
- * where:
- * - F is the clock rate conversion integer
- * - D is the baud rate adjustment factor
- * - f is the clock frequency
- *
- * The possible F, f(max), and D values are defined in ISO/IEC 7816-3 table 7 and 8
- * - the initial value for F (after reset) is Fd = 372
- * - the initial value for D (after reset) is Dd = 1
- * - the initial maximum frequency f(max) is 5 MHz
- *
- * The card must measure the ETU based on the clock signal provided by the reader
- * one ETU (e.g. 1 bit) takes F/D clock cycles, which the card must count
- *
- * The card can indicate an alternative set of supported values Fi (with corresponding f(max)) and
- * Di for higher baud rate in TA1 in the ATR (see ISO/IEC 7816-3 section 8.3)
- *
- * These values are selected according to ISO/IEC 7816-3 section 6.3.1:
- * - card in specific mode: they are enforced if TA2 is present (the reader can deactivate the card
- *   if it does not support these values)
- * - card in negotiable mode:
- * -- they can be selected by the reader using the Protocol and Parameters Selection (PPS) procedure
- * -- the first offered protocol and default values are used when no PPS is started
- *
- * PPS is done with Fd and Dd (see ISO/IEC 7816-3 section 9) the reader can propose any F and D
- * values between from Fd to Fi, and from Dd to Di (Fi and Di are indicated in TA1) the in PPS
- * agreed values F and D are called Fn and Dn and are applied after a successful exchange,
- * corresponding to PPS1_Response bit 5
- *
- * The F and D values must be provided to the SAM3S USART peripheral (after reset and PPS)
- */
-
-/*! Verify if the clock rate conversion integer F value is valid.
- *  \param[in] f F value to be validated
- *  \return if F value is valid
- *  \note only values in ISO/IEC 7816-3:2006(E) table 7 are valid */
-bool iso7816_3_valid_f(uint16_t f)
-{
-	if (0 == f) {
-		return false;
-	}
-	uint8_t i = 0;
-	for (i = 0; i < ARRAY_SIZE(iso7816_3_fi_table) && iso7816_3_fi_table[i] != f; i++);
-	return (i < ARRAY_SIZE(iso7816_3_fi_table) && iso7816_3_fi_table[i] == f);
-}
-
-/*! Verify if the baud rate adjustment factor D value is valid.
- *  \param[in] d D value to be validated
- *  \return if D value is valid
- *  \note only values in ISO/IEC 7816-3:2006(E) table 8 are valid */
-bool iso7816_3_valid_d(uint8_t d)
-{
-	if (0 == d) {
-		return false;
-	}
-	uint8_t i = 0;
-	for (i = 0; i < ARRAY_SIZE(iso7816_3_di_table) && iso7816_3_di_table[i] != d; i++);
-	return (i < ARRAY_SIZE(iso7816_3_di_table) && iso7816_3_di_table[i] == d);
-}
-
-/* The ETU is not only used to define the baud rate, but also the Waiting Time (WT) (see ISO/IEC
- * 7816-3 section 8.1)
- *
- * when exceeding WT without card response, the reader flags the card as unresponsive, and resets it
- * this can be used by the card to indicate errors or unsupported operations if the card requires
- * more time to respond, it shall send a procedure byte to restart WT WT is calculated as follows
- * (for T=0, see ISO/IEC 7816-3 section 10.2): WT = WI x 960 x (Fi / f(max)) where
- * - WI is encoded in TC2 in the ATR (10 if absent)
- * - WI does not depend on D/Di (used for the ETU)
- * - after reset WT is 9600 ETU
- * - WI (e.g. the new WT) is applied when T=0 is used (after 6.3.1), even if Fi is not Fn (this WT
- *   extension is important to know for the reader so to have the right timeout)
- */
-
-/*! Calculate Waiting Time (WT) in units of ETU.
- *  \param[in] wi Waiting Integer
- *  \param[in] fi clock rate conversion integer Fi value
- *  \param[in] di baud rate adjustment factor Di value
- *  \param[in] f clock rate conversion integer F value
- *  \param[in] d baud rate adjustment factor D value
- *  \return Waiting Time WT, in ETU, or < 0 on error (see code for return codes)
- *  \note this should happen after reset and T=0 protocol select (through PPS or implicit)
- *  ISO/IEC 7816-3:2006(E) section 8.1 and 10.2 */
-int32_t iso7816_3_calculate_wt(uint8_t wi, uint16_t fi, uint8_t di, uint16_t f, uint8_t d)
-{
-	/* sanity checks */
-	if (0 == wi)
-		return -1;
-
-	if (!iso7816_3_valid_f(fi))
-		return -2;
-
-	if (!iso7816_3_valid_d(di))
-		return -3;
-
-	if (!iso7816_3_valid_f(f))
-		return -4;
-
-	if (!iso7816_3_valid_d(d))
-		return -5;
-
-	if (f > fi)
-		return -6;
-
-	if (d > di)
-		return -7;
-
-	/* see 7816-3 Section 10.2 */
-	return wi * 960UL * (fi/f) * (di/d); // calculate timeout value in ETU
-}

firmware/libcommon/source/iso7816_fidi.c

@@ -23,38 +23,38 @@
 #include "iso7816_fidi.h"
 
 /* Table 7 of ISO 7816-3:2006 */
-const uint16_t fi_table[] = {
+const uint16_t iso7816_3_fi_table[] = {
 	372, 372, 558, 744, 1116, 1488, 1860, 0,
 	0, 512, 768, 1024, 1536, 2048, 0, 0
 };
 
 /* Table 8 from ISO 7816-3:2006 */
-const uint8_t di_table[] = {
+const uint8_t iso7816_3_di_table[] = {
 	0, 1, 2, 4, 8, 16, 32, 64,
 	12, 20, 2, 4, 8, 16, 32, 64,
 };
 
 /* compute the F/D ratio based on Fi and Di values */
-int compute_fidi_ratio(uint8_t fi, uint8_t di)
+int iso7816_3_compute_fd_ratio(uint8_t f_index, uint8_t d_index)
 {
 	uint16_t f, d;
 	int ret;
 
-	if (fi >= ARRAY_SIZE(fi_table) ||
-	    di >= ARRAY_SIZE(di_table))
+	if (f_index >= ARRAY_SIZE(iso7816_3_fi_table) ||
+	    d_index >= ARRAY_SIZE(iso7816_3_di_table))
 		return -EINVAL;
 
-	f = fi_table[fi];
+	f = iso7816_3_fi_table[f_index];
 	if (f == 0)
 		return -EINVAL;
 
-	d = di_table[di];
+	d = iso7816_3_di_table[d_index];
 	if (d == 0)
 		return -EINVAL;
 
 	/* See table 7 of ISO 7816-3: From 1000 on we divide by 1/d,
 	 * which equals a multiplication by d */
-	if (di < 8)
+	if (d_index < 8)
 		ret = f / d;
 	else
 		ret = f * d;

firmware/libcommon/source/mode_cardemu.c

@@ -55,6 +55,14 @@ struct cardem_inst {
 	struct llist_head usb_out_queue;
 	struct ringbuf rb;
 	struct Usart_info usart_info;
+	struct {
+		/*! receiver waiting time to trigger timeout (0 to deactivate it) */
+		uint32_t total;
+		/*! remaining waiting time (we may need multiple timer runs to reach total */
+		uint32_t remaining;
+		/*! did we already notify about half the time having expired? */
+		bool half_time_notified;
+	} wt;
 	int usb_pending_old;
 	uint8_t ep_out;
 	uint8_t ep_in;
@@ -62,6 +70,7 @@ struct cardem_inst {
 	const Pin pin_insert;
 #ifdef DETECT_VCC_BY_ADC
 	uint32_t vcc_uv;
+	uint32_t vcc_uv_last;
 #endif
 	bool vcc_active;
 	bool vcc_active_last;
@@ -140,12 +149,23 @@ void card_emu_uart_enable(uint8_t uart_chan, uint8_t rxtx)
 	Usart *usart = get_usart_by_chan(uart_chan);
 	switch (rxtx) {
 	case ENABLE_TX:
-		USART_DisableIt(usart, ~US_IER_TXRDY);
+		USART_DisableIt(usart, ~(US_IER_TXRDY | US_IER_TIMEOUT));
 		/* as irritating as it is, we actually want to keep the
 		 * receiver enabled during transmit */
 		USART_SetReceiverEnabled(usart, 1);
 		usart->US_CR = US_CR_RSTSTA | US_CR_RSTIT | US_CR_RSTNACK;
-		USART_EnableIt(usart, US_IER_TXRDY);
+		USART_EnableIt(usart, US_IER_TXRDY | US_IER_TIMEOUT);
+		USART_SetTransmitterEnabled(usart, 1);
+		break;
+	case ENABLE_TX_TIMER_ONLY:
+		/* enable the transmitter without generating TXRDY interrupts
+		 * just so that the timer can run */
+		USART_DisableIt(usart, ~US_IER_TIMEOUT);
+		/* as irritating as it is, we actually want to keep the
+		 * receiver enabled during transmit */
+		USART_SetReceiverEnabled(usart, 1);
+		usart->US_CR = US_CR_RSTSTA | US_CR_RSTIT | US_CR_RSTNACK;
+		USART_EnableIt(usart, US_IER_TIMEOUT);
 		USART_SetTransmitterEnabled(usart, 1);
 		break;
 	case ENABLE_RX:
@@ -198,6 +218,7 @@ int card_emu_uart_tx(uint8_t uart_chan, uint8_t byte)
  *  \param[in] inst_num Instance number, range 0..1 (some boards only '0' permitted) */
 static void usart_irq_rx(uint8_t inst_num)
 {
+	OSMO_ASSERT(inst_num < ARRAY_SIZE(cardem_inst));
 	Usart *usart = get_usart_by_chan(inst_num);
 	struct cardem_inst *ci = &cardem_inst[inst_num];
 	uint32_t csr;
@@ -225,11 +246,40 @@ static void usart_irq_rx(uint8_t inst_num)
 	}
 
 	/* check if any error flags are set */
-	if (csr & (US_CSR_OVRE|US_CSR_FRAME|US_CSR_PARE|US_CSR_TIMEOUT|US_CSR_NACK|(1<<10))) {
+	if (csr & (US_CSR_OVRE|US_CSR_FRAME|US_CSR_PARE|US_CSR_NACK|(1<<10))) {
 		/* clear any error flags */
 		usart->US_CR = US_CR_RSTSTA | US_CR_RSTIT | US_CR_RSTNACK;
 		TRACE_ERROR("%u USART error on 0x%x status: 0x%lx\n", ci->num, byte, csr);
 	}
+
+	/* check if the timeout has expired. We "abuse" the receive timer for tracking
+	 * how many etu have expired since we last sent a byte.  See section
+	 * 33.7.3.11 "Receiver Time-out" of the SAM3S8 Data Sheet */
+	if (csr & US_CSR_TIMEOUT) {
+		/* RX has been inactive for some time */
+		if (ci->wt.remaining <= (usart->US_RTOR & 0xffff)) {
+			/* waiting time is over; will stop the timer */
+			ci->wt.remaining = 0;
+		} else {
+			/* subtract the actual timeout since the new might not have been set and
+			 * reloaded yet */
+			ci->wt.remaining -= (usart->US_RTOR & 0xffff);
+		}
+		if (ci->wt.remaining == 0) {
+			/* let the FSM know that WT has expired */
+			card_emu_wtime_expired(ci->ch);
+		} else if (ci->wt.remaining <= ci->wt.total / 2 && !ci->wt.half_time_notified) {
+			/* let the FS know that half of the WT has expired */
+			card_emu_wtime_half_expired(ci->ch);
+			ci->wt.half_time_notified = true;
+		}
+		/* if value exceeds the USART TO range, use the maximum for now */
+		usart->US_RTOR = OSMO_MIN(ci->wt.remaining, 0xffff);
+		/* clear timeout flag (and stop timeout until next character is received) */
+		usart->US_CR |= US_CR_STTTO;
+		/* restart the counter (it wt is 0, the timeout is not started) */
+		usart->US_CR |= US_CR_RETTO;
+	}
 }
 
 /*! ISR called for USART0 */
@@ -258,6 +308,38 @@ int card_emu_uart_update_fidi(uint8_t uart_chan, unsigned int fidi)
 	return 0;
 }
 
+/*! Update WT on USART peripheral.  Will automatically re-start timer with new value.
+ *  \param[in] usart USART peripheral to configure
+ *  \param[in] wt inactivity Waiting Time before card_emu_wtime_expired is called (0 to disable) */
+void card_emu_uart_update_wt(uint8_t uart_chan, uint32_t wt)
+{
+	OSMO_ASSERT(uart_chan < ARRAY_SIZE(cardem_inst));
+	struct cardem_inst *ci = &cardem_inst[uart_chan];
+	Usart *usart = get_usart_by_chan(uart_chan);
+
+	ci->wt.total = wt;
+	/* reset and start the timer */
+	card_emu_uart_reset_wt(uart_chan);
+	TRACE_INFO("%u: USART WT set to %lu ETU\r\n", uart_chan, wt);
+}
+
+/*! Reset and re-start waiting timeout count down on USART peripheral.
+ *  \param[in] usart USART peripheral to configure */
+void card_emu_uart_reset_wt(uint8_t uart_chan)
+{
+	OSMO_ASSERT(uart_chan < ARRAY_SIZE(cardem_inst));
+	struct cardem_inst *ci = &cardem_inst[uart_chan];
+	Usart *usart = get_usart_by_chan(uart_chan);
+
+	/* FIXME: guard against race with interrupt handler */
+	ci->wt.remaining = ci->wt.total;
+	ci->wt.half_time_notified = false;
+	/* if value exceeds the USART TO range, use the maximum for now */
+	usart->US_RTOR = OSMO_MIN(ci->wt.remaining, 0xffff);
+	/* restart the counter (if wt is 0, the timeout is not started) */
+	usart->US_CR |= US_CR_RETTO;
+}
+
 /* call-back from card_emu.c to force a USART interrupt */
 void card_emu_uart_interrupt(uint8_t uart_chan)
 {
@@ -330,10 +412,14 @@ static int card_vcc_adc_init(void)
 
 static void process_vcc_adc(struct cardem_inst *ci)
 {
-	if (ci->vcc_uv >= VCC_UV_THRESH_3V)
+	if (ci->vcc_uv >= VCC_UV_THRESH_3V &&
+	    ci->vcc_uv_last < VCC_UV_THRESH_3V) {
 		ci->vcc_active = true;
-	else
+	} else if (ci->vcc_uv < VCC_UV_THRESH_3V &&
+		 ci->vcc_uv_last >= VCC_UV_THRESH_3V) {
 		ci->vcc_active = false;
+	}
+	ci->vcc_uv_last = ci->vcc_uv;
 }
 
 void ADC_IrqHandler(void)
@@ -434,7 +520,20 @@ void mode_cardemu_init(void)
 
 	/* configure USART as ISO-7816 slave (e.g. card) */
 	ISO7816_Init(&cardem_inst[0].usart_info, CLK_SLAVE);
+#ifdef BOARD_simtrace
+	/* simtrace board uses uart timeouts */
+
+	/*  don't use receive timeout timer for now */
+	cardem_inst[0].usart_info.base->US_RTOR = 0;
+	/* enable interrupts to indicate when data has been received or timeout occurred */
+	USART_EnableIt(cardem_inst[0].usart_info.base, US_IER_RXRDY | US_IER_TIMEOUT);
+#else
+	/* enable interrupts to indicate when data has been received */
+	USART_EnableIt(cardem_inst[0].usart_info.base, US_IER_RXRDY );
+#endif
+	/*  enable interrupt requests for the USART peripheral */
 	NVIC_EnableIRQ(USART1_IRQn);
+
 	PIO_ConfigureIt(&pin_usim1_rst, usim1_rst_irqhandler);
 	PIO_EnableIt(&pin_usim1_rst);
 

firmware/libcommon/source/simtrace_iso7816.c

@@ -125,7 +125,7 @@ void update_fidi(Usart_info *usart, uint8_t fidi)
 
 	uint8_t fi = fidi >> 4;
 	uint8_t di = fidi & 0xf;
-	int ratio = compute_fidi_ratio(fi, di);
+	int ratio = iso7816_3_compute_fd_ratio(fi, di);
 
 	if (ratio > 0 && ratio < 0x8000) {
 		/* make sure USART uses new F/D ratio */

firmware/libcommon/source/sniffer.c

@@ -658,9 +658,10 @@ static void process_byte_pps(uint8_t byte)
 					fn = 1;
 					dn = 1;
 				}
-				TRACE_INFO("PPS negotiation successful: Fn=%u Dn=%u\n\r", fi_table[fn], di_table[dn]);
+				TRACE_INFO("PPS negotiation successful: Fn=%u Dn=%u\n\r",
+					   iso7816_3_fi_table[fn], iso7816_3_di_table[dn]);
 				update_fidi(&sniff_usart, pps_cur[2]);
-				update_wt(0, di_table[dn]);
+				update_wt(0, iso7816_3_di_table[dn]);
 				usb_send_fidi(pps_cur[2]); /* send Fi/Di change notification to host software over USB */
 			} else { /* checksum is invalid */
 				TRACE_INFO("PPS negotiation failed\n\r");

host/src/simtrace2-cardem-pcsc.c

@@ -47,11 +47,13 @@
 #include <osmocom/core/utils.h>
 #include <osmocom/core/socket.h>
 #include <osmocom/core/msgb.h>
+#include <osmocom/core/select.h>
 #include <osmocom/sim/class_tables.h>
 #include <osmocom/sim/sim.h>
 
 #define ATR_MAX_LEN 33
 
+#define LOGCI(ci, lvl, fmt, args ...) printf(fmt, ## args)
 
 /* reasonable ATR offering all protocols and voltages
  * smartphones might not care, but other readers do
@@ -180,6 +182,9 @@ static int process_usb_msg(struct osmo_st2_cardem_inst *ci, uint8_t *buf, int le
 	case SIMTRACE_MSGT_DO_CEMU_RX_DATA:
 		rc = process_do_rx_da(ci, buf, len);
 		break;
+	case SIMTRACE_MSGT_BD_CEMU_CONFIG:
+		/* firmware confirms configuration change; ignore */
+		break;
 	default:
 		printf("unknown simtrace msg type 0x%02x\n", sh->msg_type);
 		rc = -1;
@@ -189,6 +194,144 @@ static int process_usb_msg(struct osmo_st2_cardem_inst *ci, uint8_t *buf, int le
 	return rc;
 }
 
+/*! \brief Process a STATUS message on IRQ endpoint from the SIMtrace2 */
+static int process_irq_status(struct osmo_st2_cardem_inst *ci, const uint8_t *buf, int len)
+{
+	const struct cardemu_usb_msg_status *status = (struct cardemu_usb_msg_status *) buf;
+
+	LOGCI(ci, LOGL_INFO, "SIMtrace IRQ STATUS: flags=0x%x, fi=%u, di=%u, wi=%u wtime=%u\n",
+		status->flags, status->F_index, status->D_index, status->wi,
+		status->waiting_time);
+
+	return 0;
+}
+
+static int process_usb_msg_irq(struct osmo_st2_cardem_inst *ci, const uint8_t *buf, unsigned int len)
+{
+	struct simtrace_msg_hdr *sh = (struct simtrace_msg_hdr *)buf;
+	int rc;
+
+	LOGCI(ci, LOGL_INFO, "SIMtrace IRQ %s\n", osmo_hexdump(buf, len));
+
+	buf += sizeof(*sh);
+
+	switch (sh->msg_type) {
+	case SIMTRACE_MSGT_BD_CEMU_STATUS:
+		rc = process_irq_status(ci, buf, len);
+		break;
+	default:
+		LOGCI(ci, LOGL_ERROR, "unknown simtrace msg type 0x%02x\n", sh->msg_type);
+		rc = -1;
+		break;
+	}
+
+	return rc;
+}
+
+static void usb_in_xfer_cb(struct libusb_transfer *xfer)
+{
+	struct osmo_st2_cardem_inst *ci = xfer->user_data;
+	int rc;
+
+	switch (xfer->status) {
+	case LIBUSB_TRANSFER_COMPLETED:
+		/* hand the message up the stack */
+		process_usb_msg(ci, xfer->buffer, xfer->actual_length);
+		break;
+	case LIBUSB_TRANSFER_NO_DEVICE:
+		LOGCI(ci, LOGL_FATAL, "USB device disappeared\n");
+		exit(1);
+		break;
+	default:
+		LOGCI(ci, LOGL_FATAL, "USB IN transfer failed, status=%u\n", xfer->status);
+		exit(1);
+		break;
+	}
+
+	/* re-submit the IN transfer */
+	rc = libusb_submit_transfer(xfer);
+	OSMO_ASSERT(rc == 0);
+}
+
+
+static void allocate_and_submit_in(struct osmo_st2_cardem_inst *ci)
+{
+	struct osmo_st2_transport *transp = ci->slot->transp;
+	struct libusb_transfer *xfer;
+	int rc;
+
+	xfer = libusb_alloc_transfer(0);
+	OSMO_ASSERT(xfer);
+	xfer->dev_handle = transp->usb_devh;
+	xfer->flags = 0;
+	xfer->type = LIBUSB_TRANSFER_TYPE_BULK;
+	xfer->endpoint = transp->usb_ep.in;
+	xfer->timeout = 0;
+	xfer->user_data = ci;
+	xfer->length = 16*256;
+
+	xfer->buffer = libusb_dev_mem_alloc(xfer->dev_handle, xfer->length);
+	OSMO_ASSERT(xfer->buffer);
+	xfer->callback = usb_in_xfer_cb;
+
+	/* submit the IN transfer */
+	rc = libusb_submit_transfer(xfer);
+	OSMO_ASSERT(rc == 0);
+}
+
+
+static void usb_irq_xfer_cb(struct libusb_transfer *xfer)
+{
+	struct osmo_st2_cardem_inst *ci = xfer->user_data;
+	int rc;
+
+	switch (xfer->status) {
+	case LIBUSB_TRANSFER_COMPLETED:
+		process_usb_msg_irq(ci, xfer->buffer, xfer->actual_length);
+		break;
+	case LIBUSB_TRANSFER_NO_DEVICE:
+		LOGCI(ci, LOGL_FATAL, "USB device disappeared\n");
+		exit(1);
+		break;
+	default:
+		LOGCI(ci, LOGL_FATAL, "USB IN transfer failed, status=%u\n", xfer->status);
+		exit(1);
+		break;
+	}
+
+	/* re-submit the IN transfer */
+	rc = libusb_submit_transfer(xfer);
+	OSMO_ASSERT(rc == 0);
+}
+
+
+static void allocate_and_submit_irq(struct osmo_st2_cardem_inst *ci)
+{
+	struct osmo_st2_transport *transp = ci->slot->transp;
+	struct libusb_transfer *xfer;
+	int rc;
+
+	xfer = libusb_alloc_transfer(0);
+	OSMO_ASSERT(xfer);
+	xfer->dev_handle = transp->usb_devh;
+	xfer->flags = 0;
+	xfer->type = LIBUSB_TRANSFER_TYPE_INTERRUPT;
+	xfer->endpoint = transp->usb_ep.irq_in;
+	xfer->timeout = 0;
+	xfer->user_data = ci;
+	xfer->length = 64;
+
+	xfer->buffer = libusb_dev_mem_alloc(xfer->dev_handle, xfer->length);
+	OSMO_ASSERT(xfer->buffer);
+	xfer->callback = usb_irq_xfer_cb;
+
+	/* submit the IN transfer */
+	rc = libusb_submit_transfer(xfer);
+	OSMO_ASSERT(rc == 0);
+}
+
+
+
 static void print_welcome(void)
 {
 	printf("simtrace2-cardem-pcsc - Using PC/SC reader as SIM\n"
@@ -234,31 +377,9 @@ static const struct option opts[] = {
 
 static void run_mainloop(struct osmo_st2_cardem_inst *ci)
 {
-	struct osmo_st2_transport *transp = ci->slot->transp;
-	unsigned int msg_count, byte_count = 0;
-	uint8_t buf[16*265];
-	int xfer_len;
-	int rc;
-
 	printf("Entering main loop\n");
-
 	while (1) {
-		/* read data from SIMtrace2 device (local or via USB) */
-		rc = libusb_bulk_transfer(transp->usb_devh, transp->usb_ep.in,
-					  buf, sizeof(buf), &xfer_len, 100);
-		if (rc < 0 && rc != LIBUSB_ERROR_TIMEOUT &&
-			      rc != LIBUSB_ERROR_INTERRUPTED &&
-			      rc != LIBUSB_ERROR_IO) {
-			fprintf(stderr, "BULK IN transfer error; rc=%d\n", rc);
-			return;
-		}
-		/* dispatch any incoming data */
-		if (xfer_len > 0) {
-			printf("URB: %s\n", osmo_hexdump(buf, xfer_len));
-			process_usb_msg(ci, buf, xfer_len);
-			msg_count++;
-			byte_count += xfer_len;
-		}
+		osmo_select_main(0);
 	}
 }
 
@@ -307,6 +428,12 @@ int main(int argc, char **argv)
 
 	print_welcome();
 
+	rc = osmo_libusb_init(NULL);
+	if (rc < 0) {
+		fprintf(stderr, "libusb initialization failed\n");
+		return rc;
+	}
+
 	while (1) {
 		int option_index = 0;
 
@@ -413,6 +540,8 @@ int main(int argc, char **argv)
 		ifm->addr = addr;
 		if (path)
 			osmo_strlcpy(ifm->path, path, sizeof(ifm->path));
+		transp->udp_fd = -1;
+		transp->usb_async = true;
 		transp->usb_devh = osmo_libusb_open_claim_interface(NULL, NULL, ifm);
 		if (!transp->usb_devh) {
 			fprintf(stderr, "can't open USB device\n");
@@ -432,6 +561,13 @@ int main(int argc, char **argv)
 			goto close_exit;
 		}
 
+		allocate_and_submit_irq(ci);
+		for (int i = 0; i < 4; i++)
+			allocate_and_submit_in(ci);
+
+		/* request firmware to generate STATUS on IRQ endpoint */
+		osmo_st2_cardem_request_config(ci, CEMU_FEAT_F_STATUS_IRQ);
+
 		/* simulate card-insert to modem (owhw, not qmod) */
 		osmo_st2_cardem_request_card_insert(ci, true);