Packet Sniffer for the Physical Layer of the Single Wire ...€¦ · Packet Sniffer for the...
Transcript of Packet Sniffer for the Physical Layer of the Single Wire ...€¦ · Packet Sniffer for the...
Packet Sniffer for the Physical Layer of theSingle Wire Protocol
Michael Roland, Christian Saminger, Josef Langer
Upper Austria University of Applied Sciences, Hagenberg, Austria
FH Science Day 2008
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 1 / 23
© Michael Roland www.mroland.at
Outline
1 MotivationSecure ElementSingle Wire ProtocolPacket Sniffing
2 SWP Packet Sniffing SystemSystem DesignTapping the Physical LayerRecovering the Interface StateTransmitting LLC Layer Packets to the PC
3 Summary and Outlook
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 2 / 23
© Michael Roland www.mroland.at
Motivation Secure Element
Outline
1 MotivationSecure ElementSingle Wire ProtocolPacket Sniffing
2 SWP Packet Sniffing SystemSystem DesignTapping the Physical LayerRecovering the Interface StateTransmitting LLC Layer Packets to the PC
3 Summary and Outlook
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 3 / 23
© Michael Roland www.mroland.at
Motivation Secure Element
Secure Element
Container for NFC applicationsApplications and data related to a certain userUICC already contains subscriber identity module (SIM)UICC can be used as the secure element⇒ independent of the mobile phone⇒ bound to a user identity
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 4 / 23
© Michael Roland www.mroland.at
Motivation Single Wire Protocol
Outline
1 MotivationSecure ElementSingle Wire ProtocolPacket Sniffing
2 SWP Packet Sniffing SystemSystem DesignTapping the Physical LayerRecovering the Interface StateTransmitting LLC Layer Packets to the PC
3 Summary and Outlook
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 5 / 23
© Michael Roland www.mroland.at
Motivation Single Wire Protocol
Why use the Single Wire Protocol?
UICC used as the secure elementDirect interface between the UICC and the CLF necessaryUICC has only one unused IO pin leftMajor vendors agreed on the Single Wire ProtocolFirst devices announced and in production
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 6 / 23
© Michael Roland www.mroland.at
Motivation Single Wire Protocol
What is the Single Wire Protocol?
Full-duplex serial communication protocolUses only one IO wireMaster-to-slave data (S1): voltage domainSlave-to-master data (S2): current domain
ETSI
ETSI TS 102 613 V7.1.0 (2008-02)10
3.4 Coding conventions For the purposes of the present document, the following coding conventions apply:
• All lengths are presented in bytes, unless otherwise stated.
• Each byte is represented by bits b8 to b1, where b8 is the Most Significant Bit (MSB) and b1 is the Least Significant Bit (LSB). In each representation, the leftmost bit is the MSB.
• Hexadecimal values are enclosed in single quotes ('xx').
In the UICC, all bytes specified as RFU shall be set to '00' and all bits specifies as RFU shall be set to 0.
4 Principle of the Single Wire Protocol The SWP interface is a bit oriented, point-to-point communication protocol between a UICC and a contactless frontend (CLF) as shown in figure 4.1.
The CLF is the master and the UICC is the slave.
CLF(Master)
UICC(Slave)
Gnd
S1CLF to UICC
SWIOINPUT
Gnd
SWIOOUTPUT
S2UICC to CLF
S1
S2
Figure 4.1: SWP data transmission
The principle of the Single Wire Protocol is based on the transmission of digital information in full duplex mode:
• The signal S1 is transmitted by a digital modulation (L or H) in the voltage domain.
• The signal S2 is transmitted by a digital modulation (L or H) in the current domain.
When the master sends S1 as state H then the slave may either draw a current (state H) or not (state L) and thus transmit S2. With pulse width modulation bit coding of S1, it is possible to transmit a transmission clock, as well as data in full duplex mode. This bit coding of S1 is described in clause 8.1 of the present document. S2 is meaningful only when S1 is in state H.
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 7 / 23
© Michael Roland www.mroland.at
Motivation Single Wire Protocol
Master-to-slave (S1) Signaling
Voltage domain
Disabled: S1 is constantly lowEnabled: S1 is constantly highData: S1 is modulated
T
3/4 T
1/4 T
Logical 1
Logical 0
t
t
V
V
Pulse width modulation bit codingLogical 1: 75% high, 25% lowLogical 0: 25% high, 75% lowVariable bit-duration on each transmitted bit
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 8 / 23
© Michael Roland www.mroland.at
Motivation Single Wire Protocol
Slave-to-master (S2) Signaling
Current domain
No data: S2 is constantly lowData: S2 is modulated
Non-return-to-zero-level bit codingCurrent signal is only valid during high-pulses of S1Logical 1: current between 600 and 1000 µALogical 0: current between 0 and 20 µA
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 9 / 23
© Michael Roland www.mroland.at
Motivation Packet Sniffing
Outline
1 MotivationSecure ElementSingle Wire ProtocolPacket Sniffing
2 SWP Packet Sniffing SystemSystem DesignTapping the Physical LayerRecovering the Interface StateTransmitting LLC Layer Packets to the PC
3 Summary and Outlook
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 10 / 23
© Michael Roland www.mroland.at
Motivation Packet Sniffing
Wiretapping and Packet Sniffing
Tap into wired data linkIntercept electrical signalAnalyze the state of the communicationReceive the data frames
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 11 / 23
© Michael Roland www.mroland.at
Motivation Packet Sniffing
Why is Packet Sniffing useful?
Analyze communicationDebug communication problems
Framing errorsBit-stuffing errorsChecksum errorsProblems with the interface state
Log data traffic
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 12 / 23
© Michael Roland www.mroland.at
SWP Packet Sniffing System System Design
Outline
1 MotivationSecure ElementSingle Wire ProtocolPacket Sniffing
2 SWP Packet Sniffing SystemSystem DesignTapping the Physical LayerRecovering the Interface StateTransmitting LLC Layer Packets to the PC
3 Summary and Outlook
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 13 / 23
© Michael Roland www.mroland.at
SWP Packet Sniffing System System Design
System Design
Discrete tapping circuitFPGA-based processing of PHY and MAC layersPC-based processing of higher layers
SWP master
SWP slave
tapping circuit PHY
MAC
LLC
MAC
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 14 / 23
© Michael Roland www.mroland.at
SWP Packet Sniffing System Tapping the Physical Layer
Outline
1 MotivationSecure ElementSingle Wire ProtocolPacket Sniffing
2 SWP Packet Sniffing SystemSystem DesignTapping the Physical LayerRecovering the Interface StateTransmitting LLC Layer Packets to the PC
3 Summary and Outlook
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 15 / 23
© Michael Roland www.mroland.at
SWP Packet Sniffing System Tapping the Physical Layer
Using an Analog SWP Front-end
Master connected to a slave’s analog front-endSlave connected to a master’s analog front-endIntermediate digital signals can be easily tapped
SW
P m
aste
r
SW
P s
lave
anal
og fr
ont-e
ndS
WP
mas
ter
anal
og fr
ont-e
ndS
WP
sla
ve SWP_
S1
SWP_
S2
⇒ Induces additional signal delays⇒ Leads to invalid relation between S1 and S2
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 16 / 23
© Michael Roland www.mroland.at
SWP Packet Sniffing System Tapping the Physical Layer
Measuring Current and Voltage on SWIO
Voltage signal S1Directly usable
Current signal S2Current signal has only between 0.6 and 1 mACurrent signal must be transformed into voltage signalCurrent measurement must not influence the signalingVery low voltage drop required
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 17 / 23
© Michael Roland www.mroland.at
SWP Packet Sniffing System Tapping the Physical Layer
Measuring Current and Voltage on SWIO
Ampere meter with low voltage drop transforms current signal intovoltage signalAnalog voltage signals converted to binary digital signals
2
31
U1A
84
6
57
U1B
R2.
AR
2.B
R1.A
R1.B
R3.1
R3.3
R3.2
R3.4
2
36
U2
74
2 4U35
3
2 4U55
3
A3B 4U6
12
6
DIR5
A3B 4U4
12
6
DIR5
SWIO_MASTER
SWIO_SLAVE
SWP_S1
SWP_S2
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 18 / 23
© Michael Roland www.mroland.at
SWP Packet Sniffing System Recovering the Interface State
Outline
1 MotivationSecure ElementSingle Wire ProtocolPacket Sniffing
2 SWP Packet Sniffing SystemSystem DesignTapping the Physical LayerRecovering the Interface StateTransmitting LLC Layer Packets to the PC
3 Summary and Outlook
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 19 / 23
© Michael Roland www.mroland.at
SWP Packet Sniffing System Recovering the Interface State
Recovering the State of the SWP Interface
FPGA-based processing of the digital versions of S1 and S2Decoded into bit-streams based on the interface state (i.e. whenS1 is active)
S1: high and low phases compared to calculate logical ones andzerosS2: sampled during the high phases of S1
Bit-streams are then scanned for SWP framesPacket sniffer should be used to debug communication problems
⇒ Fault-tolerance required
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 20 / 23
© Michael Roland www.mroland.at
SWP Packet Sniffing System Transmitting LLC Layer Packets to the PC
Outline
1 MotivationSecure ElementSingle Wire ProtocolPacket Sniffing
2 SWP Packet Sniffing SystemSystem DesignTapping the Physical LayerRecovering the Interface StateTransmitting LLC Layer Packets to the PC
3 Summary and Outlook
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 21 / 23
© Michael Roland www.mroland.at
SWP Packet Sniffing System Transmitting LLC Layer Packets to the PC
Transmitting LLC Layer Packets to the PC
SWP’s minimum bit-duration is 590 ns⇒ Each signal has a maximum data throughput of about 1.7 Mbps
Full-duplex communication is possible⇒ Data and status information requires up to 4 Mbps
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 22 / 23
© Michael Roland www.mroland.at
Summary and Outlook
Summary and Outlook
Packet sniffing supports the debugging of SWP applications.A promising measurement circuit has been found.
OutlookThe evaluated circuit has to be tested with bit-durations up to590 ns.The system has to be tested with real SWP devices outside the testenvironment.
Roland, Saminger, Langer Packet Sniffer for the Single Wire Protocol FH Science Day 2008 23 / 23
© Michael Roland www.mroland.at