SIMtrace / OsmoCos hacking

Entry: Preliminary exploration
Date: Mon Jul 8 12:56:39 EDT 2013

Goal: make a PC <-> phone interface to allow emulation of the card on the PC.
Eventually this should use the SIMtrace board:

The SIMtrace is based on an Atmel AT91SAM7S64
http://www.atmel.com/devices/sam7s64.aspx

Until the SIMtrace arrives I only have a SAM7S256 Atmel dev board. Should be
enough to get some software going. These are the same family, so pinouts are
the same.

Properties of the SIMtrace to keep in mind:
- I/O = TXD1/RXD1 (PA22/PA21)
- CLK = SCK1 (PA23)
- RST = RTS1 (PA24)
- VCC = CTS1 (PA25)

# cd SIM/tools/sam7
# gdb ../openpcd/firmware/dfu.elf
(gdb) connect
(gdb) load

Things to know:

* the .elf files don't have proper LMA addresses. Flashing from GDB (e.g. using
  Segger) needs an offset:

    load dfu.elf 0
    load main_simtrace.elf 0x4000

* the bootloader does chip setup: can't start the app straight from 0x4000

Entry: Osmocom SIMtrace firmware
Date: Tue Jul 9 10:25:54 EDT 2013

SNIFFER:

Repo linked from here:
http://bb.osmocom.org/trac/wiki/SIMtrace
http://bb.osmocom.org/trac/wiki/SIMtrace/Firmware

git clone git://git.gnumonks.org/openpcd.git

This is the same repo as linked from the http://www.openbeacon.org/ project.

1. How to get the FW on the board?
2. What about the DFU?
3. Instructions mention SAM-BA, which I don't have. Where to upload the .bin
   files?

The .elf files are also present.

  dfu.elf            VMA=00000000
  main_simtrace.elf  VMA=00104000

so I can just concatenate the .bin files and dump them at the beginning of the
flash.
CARD INTERFACE:

git://git.gnumonks.org/at91work.git
usb-device-ccid-project

   text    data     bss     dec     hex filename
    272       0       0     272     110 obj/sram_board_cstartup.o
      0       0       0       0       0 obj/sram_cp15_asm.o
   1276       0       1    1277     4fd obj/sram_main.o
      0       0       0       0       0 obj/sram_USBD_OTGHS.o
   4450       0     116    4566    11d6 obj/sram_USBD_UDP.o
      0       0       0       0       0 obj/sram_USBD_UDPHS.o
   1871       0       0    1871     74f obj/sram_USBDDriver.o
     64       0       0      64      40 obj/sram_USBDCallbacks_Initialized.o
      4       0       0       4       4 obj/sram_USBDCallbacks_Reset.o
      4       0       0       4       4 obj/sram_USBDDriverCb_CfgChanged.o
      4       0       0       4       4 obj/sram_USBDDriverCb_IfSettingChanged.o
     32       0       0      32      20 obj/sram_USBSetAddressRequest.o
     28       0       0      28      1c obj/sram_USBGenericDescriptor.o
     64       0       0      64      40 obj/sram_USBInterfaceRequest.o
     84       0       0      84      54 obj/sram_USBGenericRequest.o
     68       0       0      68      44 obj/sram_USBGetDescriptorRequest.o
     32       0       0      32      20 obj/sram_USBSetConfigurationRequest.o
     68       0       0      68      44 obj/sram_USBFeatureRequest.o
     52       0       0      52      34 obj/sram_USBEndpointDescriptor.o
    260       0       0     260     104 obj/sram_USBConfigurationDescriptor.o
    244       0       0     244      f4 obj/sram_dfu.o
    332       0       0     332     14c obj/sram_led.o
     56       0       0      56      38 obj/sram_math.o
   1544    1072       0    2616     a38 obj/sram_stdio.o
     92       0       0      92      5c obj/sram_aic.o
    380       0       0     380     17c obj/sram_dbgu.o
    404       0       0     404     194 obj/sram_pio.o
    460       0      60     520     208 obj/sram_pio_it.o
    180       0       0     180      b4 obj/sram_pit.o
    445       0       0     445     1bd obj/sram_pmc.o
      0       0       0       0       0 obj/sram_cp15.o
    124       0       0     124      7c obj/sram_board_memories.o
    324       0       0     324     144 obj/sram_board_lowlevel.o
    740       0       0     740     2e4 obj/sram_usart.o
   1748       1      12    1761     6e1 obj/sram_iso7816_4.o
   2444      28     572    3044     be4 obj/sram_cciddriver.o
  17432       0     764   18196    4714 bin/usb-device-ccid-project-simtrace-at91sam7s256-sram.elf

Entry: DFU
Date: Tue Jul 9 16:29:40 EDT 2013

openpcd/firmware/src/ :
  dfu/dfu.h
  dfu/dfu.c
  start/Cstartup.S
  start/Cstartup_SAM7.c

It behaves in a strange way, jumping to 'exit'. Trying to step in the main
function makes 'usb_hdlr_register' trigger.

Maybe it's best to wait for the board, and get a basic SAM7S setup running.
OK, didn't pay attention: compiling with -O0 (though I had it enabled, I forgot
to save the Makefile) does make stepping a little easier.

Entry: Differences between S64 and S256
Date: Tue Jul 9 18:43:38 EDT 2013

Maybe the Flash addresses are not the same?

objdump -h main_simtrace.elf
.text = 00104000
main  = 0x00107fe4

It just loads at the wrong place?

segger:
Downloading 4064 bytes @ address 0x00000000
Downloading 4064 bytes @ address 0x00000FE0
Downloading 4048 bytes @ address 0x00001FC0
Downloading 4064 bytes @ address 0x00002F90
Downloading 4048 bytes @ address 0x00003F70
Downloading 4064 bytes @ address 0x00004F40
Downloading 4048 bytes @ address 0x00005F20
Downloading 4064 bytes @ address 0x00006EF0
Downloading 3056 bytes @ address 0x00007ED0
Downloading 1228 bytes @ address 0x00008AC0

gdb:
Loading section .text, size 0x8ac0 lma 0x0

LMA is not set correctly. Use this:

load main_simtrace.elf 0x4000

Ok, next problem is probably the watchdog. It runs up to main() and somewhere
to led_init() but after that keeps resetting. Still no debug output.

Stack is not set up properly:
$11 = (void *) 0xffffffc8

Looks like the app expects this to be done earlier. Ok, I see, the bootloader
got overwritten.

Jul 9 19:39:13 zoo kernel: [3616293.616961] usb 3-2.4.2: new full-speed USB device number 21 using ehci_hcd
Jul 9 19:39:13 zoo kernel: [3616293.728360] usb 3-2.4.2: New USB device found, idVendor=16c0, idProduct=0762
Jul 9 19:39:13 zoo kernel: [3616293.728371] usb 3-2.4.2: New USB device strings: Mfr=4, Product=5, SerialNumber=0
Jul 9 19:39:13 zoo kernel: [3616293.728381] usb 3-2.4.2: Product: SimTrace SIM Sniffer - Runtime Mode
Jul 9 19:39:13 zoo kernel: [3616293.728388] usb 3-2.4.2: Manufacturer: sysmocom - systems for mobile communications GmbH

Entry: SIMtrace firmware MITM
Date: Thu Jul 11 10:04:05 EDT 2013

Trying to get a good idea of where to go next. There are two main problems:

* Low level functionality: send ATR, send/receive APDU.
* What interface to present

The latter is problematic.

Entry: AT91SAM7 ISO7816 mode
Date: Thu Jul 11 10:24:56 EDT 2013

AT91SAM7S256 data sheet:
29.6.1.5 Baud Rate in ISO 7816 Mode
29.6.4   ISO7816 Mode

US_MR:USART_MODE = 0x4 for protocol T = 0
TXD becomes bidirectional

  The USART cannot operate concurrently in both receiver and transmitter modes
  as the communication is unidirectional at a time. It has to be configured
  according to the required mode by enabling or disabling either the receiver
  or the transmitter as desired. Enabling both the receiver and the transmitter
  at the same time in ISO7816 mode may lead to unpredictable results.

  The ISO7816 specification defines an inverse transmission format. Data bits
  of the character must be transmitted on the I/O line at their negative value.
  The USART does not support this format and the user has to perform an
  exclusive OR on the data before writing it in the Transmit Holding Register
  (US_THR) or after reading it in the Receive Holding Register (US_RHR).

-> TS = 3B / 3F (direct / inverse)

Entry: Extending SIMtrace card reader app
Date: Thu Jul 11 10:54:23 EDT 2013

Roadmap:
- Load new firmware onto SAM7-EK
- Hook up sim card + explore ISO7816 init code.
- Patch code to drive ISO7816 phone side
- Hook up phone

Load address: see linker files *.lds under:
at91lib/boards

Which board is actually used in the default build? It has defs for:
  simtrace
  sam7-p
  at91sam7s-ek

Looks like these are mostly the same. Probably ok to use simtrace.
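The inverse-convention note above in practice, as an added C example (not code from the openpcd or at91work firmware): iso7816_rx_decode / iso7816_tx_encode convert between the byte a plain UART delivers and the card's logical value, and iso7816_detect_convention classifies the TS byte. Beyond the XOR the datasheet excerpt mentions, ISO 7816-3's inverse convention also sends the most significant bit first, so when the USART is left in its default lsb-first bit order the helper reverses the bit order as well. That is why an inverse-convention TS (logical 0x3F) shows up as 0x03 through a direct-convention UART, not as 0x3B XOR 0xFF. All function names and the sample bytes are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Reverse the bit order of a byte: ISO 7816-3 inverse convention sends the msb first. */
static uint8_t reverse8(uint8_t b) {
    b = (uint8_t)(((b & 0xF0) >> 4) | ((b & 0x0F) << 4));
    b = (uint8_t)(((b & 0xCC) >> 2) | ((b & 0x33) << 2));
    b = (uint8_t)(((b & 0xAA) >> 1) | ((b & 0x55) << 1));
    return b;
}

/* Byte as a plain UART (lsb first, mark = 1) delivered it -> the card's logical value.
   Direct convention: unchanged. Inverse convention: every bit inverted and the order reversed. */
uint8_t iso7816_rx_decode(uint8_t raw, int inverse) {
    return inverse ? reverse8((uint8_t)~raw) : raw;
}

/* Logical value -> byte to hand to the UART; the inverse transform of iso7816_rx_decode. */
uint8_t iso7816_tx_encode(uint8_t value, int inverse) {
    return inverse ? (uint8_t)~reverse8(value) : value;
}

enum { CONV_DIRECT = 0, CONV_INVERSE = 1, CONV_UNKNOWN = -1 };

/* Classify the first byte after reset as read through a direct-convention UART:
   direct TS (0x3B) reads as itself; inverse TS (logical 0x3F) reads as 0x03. */
int iso7816_detect_convention(uint8_t raw_ts) {
    if (raw_ts == 0x3B) return CONV_DIRECT;
    if (raw_ts == 0x03) return CONV_INVERSE;
    return CONV_UNKNOWN;
}

int main(void) {
    /* constructed: the first two ATR bytes of an inverse-convention card as the UART sees them */
    const uint8_t raw[2] = {0x03, 0x1A};
    int conv = iso7816_detect_convention(raw[0]);
    for (int i = 0; i < 2; i++)
        printf("raw %02X -> logical %02X\n", raw[i],
               iso7816_rx_decode(raw[i], conv == CONV_INVERSE));
    return conv == CONV_UNKNOWN;
}
```

A UART that can be switched to msb-first bit order needs only the XOR half of this transform, which is the case the datasheet text describes.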
These are the respective defs in the makefile:
CHIP  = at91sam7s256
BOARD = simtrace

For me, this file needs an edit:
at91lib/boards/sam7-p/at91sam7s128/flash_dfu.lds

Fixing LMA

BEFORE:

[master] tom@zoo:~/at91work/usb-device-ccid-project$ objdump -h bin/usb-device-ccid-project-simtrace-at91sam7s256-flash_dfu.elf

bin/usb-device-ccid-project-simtrace-at91sam7s256-flash_dfu.elf:     file format elf32-little

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .fixed        00003ecc  00104000  00000000  00004000  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .relocate     00000450  00200028  00003ecc  00008028  2**3
                  CONTENTS, ALLOC, LOAD, DATA
  2 .bss          000002fc  00200478  0000431c  00008478  2**2
                  ALLOC
  3 .ARM.attributes 0000002d  00000000  00000000  00008478  2**0
                  CONTENTS, READONLY
  4 .comment      0000003a  00000000  00000000  000084a5  2**0
                  CONTENTS, READONLY
  5 .debug_line   00002b12  00000000  00000000  000084df  2**0
                  CONTENTS, READONLY, DEBUGGING
  6 .debug_info   000093c4  00000000  00000000  0000aff1  2**0
                  CONTENTS, READONLY, DEBUGGING
  7 .debug_abbrev 00002496  00000000  00000000  000143b5  2**0
                  CONTENTS, READONLY, DEBUGGING
  8 .debug_aranges 00000870  00000000  00000000  00016850  2**3
                  CONTENTS, READONLY, DEBUGGING
  9 .debug_loc    00003381  00000000  00000000  000170c0  2**0
                  CONTENTS, READONLY, DEBUGGING
 10 .debug_ranges 00000868  00000000  00000000  0001a441  2**0
                  CONTENTS, READONLY, DEBUGGING
 11 .debug_str    00002ad2  00000000  00000000  0001aca9  2**0
                  CONTENTS, READONLY, DEBUGGING
 12 .debug_frame  00001060  00000000  00000000  0001d77c  2**2
                  CONTENTS, READONLY, DEBUGGING

AFTER:

[master] tom@zoo:~/at91work/usb-device-ccid-project$ objdump -h bin/usb-device-ccid-project-simtrace-at91sam7s256-flash_dfu.elf

bin/usb-device-ccid-project-simtrace-at91sam7s256-flash_dfu.elf:     file format elf32-little

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .fixed        00003ecc  00104000  00104000  00004000  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .relocate     00000450  00200028  00107ecc  00008028  2**3
                  CONTENTS, ALLOC, LOAD, DATA
  2 .bss          000002fc  00200478  0010831c  00008478  2**2
                  ALLOC
  3 .ARM.attributes 0000002d  00000000  00000000  00008478  2**0
                  CONTENTS, READONLY
  4 .comment      0000003a  00000000  00000000  000084a5  2**0
                  CONTENTS, READONLY
  5 .debug_line   00002b12  00000000  00000000  000084df  2**0
                  CONTENTS, READONLY, DEBUGGING
  6 .debug_info   000093a4  00000000  00000000  0000aff1  2**0
                  CONTENTS, READONLY, DEBUGGING
  7 .debug_abbrev 00002496  00000000  00000000  00014395  2**0
                  CONTENTS, READONLY, DEBUGGING
  8 .debug_aranges 00000870  00000000  00000000  00016830  2**3
                  CONTENTS, READONLY, DEBUGGING
  9 .debug_loc    00003381  00000000  00000000  000170a0  2**0
                  CONTENTS, READONLY, DEBUGGING
 10 .debug_ranges 00000868  00000000  00000000  0001a421  2**0
                  CONTENTS, READONLY, DEBUGGING
 11 .debug_str    00002ab2  00000000  00000000  0001ac89  2**0
                  CONTENTS, READONLY, DEBUGGING
 12 .debug_frame  00001060  00000000  00000000  0001d73c  2**2
                  CONTENTS, READONLY, DEBUGGING

Entry: SIMtrace board
Date: Fri Jul 12 12:19:16 EDT 2013

Board arrived, so probably best to use it for dev. I don't have a lot of time
to get this working. What shortcuts to take?

Main trouble is understanding the currently working code. It seems more complex
than necessary.

First, set up tagging. (cscope)

The mainloop calls CCID_SmartCardRequest() -> CCID_Read() -> USBD_Read()
There are 2 USBD_Read(): USBD_UDP.c & USBD_UDPHS.c
simtrace uses USBD_UDP.c

Passed in is a callback: CCIDCommandDispatcher()
Where is this called? USBD_Read() just schedules a transfer. The endpoint
interrupt handler eventually calls UDP_EndOfTransfer() which invokes the
callback.

Approach:
- Check if the card driver works from python pc/sc bindings.
- Use the 0xFF apdu approach.

Does it use TPDU or APDU? What's the difference? Minor it seems.. can it be
ignored for now? Depends on features, which are set in
configurationDescriptorsFS:

    CCID_FEATURES_AUTO_CLOCK | CCID_FEATURES_AUTO_BAUD | CCID_FEATURES_AUTO_PCONF | CCID_FEATURES_AUTO_PNEGO |
    CCID_FEATURES_EXC_TPDU,

Top row was added by Harald, bottom row was in the original example. SIMtrace
only does TPDU-level exchanges.
It seems both APDU/TPDU are handled in PCtoRDRXfrBlock()
Transfer (request + reply) is done by ISO7816_XfrBlockTPDU_T0()
USB reply is handled by RDRtoPCDatablock();

This mentions the ESCAPE command is supported:
http://pcsclite.alioth.debian.org/ccid.html
but this mentions they need to be explicitly enabled:
http://wiki.yobi.be/wiki/RFID#ACR122U_PICC

Is it supported in pysc? Doesn't look like it. It seems more trouble than it's
worth.. let's use the CLA=FF approach.

From the code, it seems the card sends an ack before the command's data payload
is sent. Makes no sense..
http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816-4_annex-a.aspx

Yes, in apdu_split.c there is an ack byte that's parsed.

ISO7816-3 3.5.b - Structure and processing of commands:

  After transmission of such 5 byte header, the interface device waits for a
  procedure byte.

Status?
- Embedding in CLA=FF should work
- Problem: low level code is bound to a single serial port

Entry: DFU SIMtrace
Date: Mon Jul 15 09:50:07 EDT 2013

After adding the ID to udev:

List:
# dfu-util -d 16c0:0762 -l

Backup:
# dfu-util -d 16c0:0762 -U --alt 0 SIMtrace_alt0.bin
# dfu-util -d 16c0:0762 -U --alt 1 SIMtrace_alt1.bin

Backing up the RAM partition gives a large image, stopped at 40MB; the others
were:

$ ls -l *.bin
-rw-r--r-- 1 tom tom 114688 Jul 15 09:53 SIMtrace_alt0.bin
-rw-r--r-- 1 tom tom 131072 Jul 15 09:53 SIMtrace_alt1.bin

[master] tom@zoo:~/at91work/usb-device-ccid-project/bin$ dfu-util -d 16c0:0762 --alt 0 -D usb-device-ccid-project-simtrace-at91sam7s256-flash_dfu.bin
dfu-util 0.7

Copyright 2005-2008 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2012 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to dfu-util@lists.gnumonks.org

Filter on vendor = 0x16c0 product = 0x0762
Opening DFU capable USB device...
ID 16c0:0762
Run-time device DFU version 0100
Found DFU: [16c0:0762] devnum=0, cfg=1, intf=0, alt=0, name="SimTrace DFU Interface - Application Partition"
Claiming USB DFU Interface...
Setting Alternate Setting #0 ...
Determining device status: state = dfuIDLE, status = 0
dfuIDLE, continuing
DFU mode device DFU version 0100
Device returned transfer size 256
No valid DFU suffix signature
Warning: File has no DFU suffix
bytes_per_hash=344
Copying data from PC to DFU device
Starting download: [##################################################] finished!
state(7) = dfuMANIFEST, status(0) = No error condition is present
state(2) = dfuIDLE, status(0) = No error condition is present
Done!

So that seems to work. However, I'll need to use JTAG anyway since debugging
won't work otherwise.

[1] http://dfu-util.gnumonks.org/

Entry: latest pcsc-lite & libccid
Date: Mon Jul 15 14:04:29 EDT 2013

# wget https://alioth.debian.org/frs/download.php/file/3920/ccid-1.4.11.tar.bz2
# wget https://alioth.debian.org/frs/download.php/file/3862/pcsc-lite-1.8.8.tar.bz2

sudo LIBCCID_ifdLogLevel=0x000F /usr/local/sbin/pcscd --foreground --debug --apdu

These are also in debian/sid.

Next problem is that pcscd seems to load the DFU configurations. How does that
work really? Why are the DFU configs enabled? It does expose 4 interfaces.

# lsusb -v -d 03eb:6129

Bus 003 Device 074: ID 03eb:6129 Atmel Corp. AT91SAM Mass Storage Demo Application
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0         8
  idVendor           0x03eb Atmel Corp.
  idProduct          0x6129 AT91SAM Mass Storage Demo Application
  bcdDevice            1.00
  iManufacturer           1 ATMEL
  iProduct                2 ATMEL AT91 CCID DRIVER
  iSerial                 3 0123456789AF
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength          120
    bNumInterfaces          4
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass        11 Chip/SmartCard
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      ChipCard Interface Descriptor:
        bLength                54
        bDescriptorType        33
        bcdCCID              1.10  (Warning: Only accurate for version 1.0)
        nMaxSlotIndex           0
        bVoltageSupport         1  5.0V
        dwProtocols             1  T=0
        dwDefaultClock       3580
        dwMaxiumumClock      3580
        bNumClockSupported      0
        dwDataRate           9600 bps
        dwMaxDataRate        9600 bps
        bNumDataRatesSupp.      0
        dwMaxIFSD             254
        dwSyncProtocols  00000000
        dwMechanical     00000000
        dwFeatures       00010072
          Auto configuration based on ATR
          Auto clock change
          Auto baud rate change
          Auto parameter negotation made by CCID
          TPDU level exchange
        dwMaxCCIDMsgLen       271
        bClassGetResponse    echo
        bClassEnvelope       echo
        wlcdLayout           none
        bPINSupport             0
        bMaxCCIDBusySlots       1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval              16
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass       254 Application Specific Interface
      bInterfaceSubClass      1 Device Firmware Update
      bInterfaceProtocol      1
      iInterface              4 SimTrace DFU Interface - Application Partition
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass       254 Application Specific Interface
      bInterfaceSubClass      1 Device Firmware Update
      bInterfaceProtocol      1
      iInterface              5 SimTrace DFU Interface - Bootloader Partition
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        3
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass       254 Application Specific Interface
      bInterfaceSubClass      1 Device Firmware Update
      bInterfaceProtocol      1
      iInterface              6 SimTrace DFU Interface - RAM
Device Status:     0x0000
  (Bus Powered)

The DFU interfaces give trouble.

Jul 15 14:22:16 zoo pcscd: ccid_usb.c:1065:ControlUSB() control failed (3/74): -7 Success
Jul 15 14:22:16 zoo pcscd: ifdwrapper.c:348:IFDStatusICC() Card not transacted: 612
Jul 15 14:22:16 zoo pcscd: eventhandler.c:202:EHSpawnEventHandler() Initial Check Failed on Sysmocom SIMtrace (0123456789AF) 00 00
Jul 15 14:22:16 zoo pcscd: readerfactory.c:338:RFAddReader() Sysmocom SIMtrace (0123456789AF) init failed.
Jul 15 14:22:16 zoo pcscd: hotplug_libudev.c:384:HPAddDevice() Failed adding USB device: Sysmocom SIMtrace
Jul 15 14:22:16 zoo pcscd: ifdhandler.c:117:CreateChannelByNameOrChannel() failed
Jul 15 14:22:16 zoo pcscd: readerfactory.c:1009:RFInitializeReader() Open Port 0x200001 Failed (usb:03eb/6129:libudev:1:/dev/bus/usb/003/074)
Jul 15 14:22:16 zoo pcscd: readerfactory.c:312:RFAddReader() Sysmocom SIMtrace [SimTrace DFU Interface - Application Partition] (0123456789AF) init failed.
Jul 15 14:22:16 zoo pcscd: ifdhandler.c:117:CreateChannelByNameOrChannel() failed
Jul 15 14:22:16 zoo pcscd: readerfactory.c:1009:RFInitializeReader() Open Port 0x200002 Failed (usb:03eb/6129:libudev:2:/dev/bus/usb/003/074)
Jul 15 14:22:16 zoo pcscd: readerfactory.c:312:RFAddReader() Sysmocom SIMtrace [SimTrace DFU Interface - Bootloader Partition] (0123456789AF) init failed.
Jul 15 14:22:16 zoo pcscd: ifdhandler.c:117:CreateChannelByNameOrChannel() failed
Jul 15 14:22:16 zoo pcscd: readerfactory.c:1009:RFInitializeReader() Open Port 0x200003 Failed (usb:03eb/6129:libudev:3:/dev/bus/usb/003/074)
Jul 15 14:22:16 zoo pcscd: readerfactory.c:312:RFAddReader() Sysmocom SIMtrace [SimTrace DFU Interface - RAM] (0123456789AF) init failed.

Removing BOARD_USB_DFU

pcscd -a -d -f

pcsc :: eventhandler.c :: EHSpawnEventHandler() # Initial Check Failed on Sysmocom SIMtrace (0123456789AF) 00 00
pcsc :: ifdwrapper.c :: IFDStatusICC() # Card not transacted: 612

That rv is from:

#ifndef PCSCLITE_STATIC_DRIVER
    rv = (*IFDH_icc_presence) (rContext->slot);
#else
    rv = IFDHICCPresence(rContext->slot);
#endif

I need to trace this in the debugger.. too hard to follow.

gdb --args pcscd -a -d -f
sudo gdb -i-mi --args pcscd -a -d -f

Break IFDStatusICC
ifdhandler.c
59054
C/l ~/priv/git-private/beep/SIM/tools/ccid-1.4.11/src/ifdhandler.c

EXTERNAL RESPONSECODE IFDHICCPresence(DWORD Lun)
    return_value = CmdGetSlotStatus(reader_index, pcbuffer);

#define IFD_COMMUNICATION_ERROR 612 /**< generic error */

sudo cp src/.libs/libccid.so /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/

Yeah wtf.. not easy to get it all set up.

Basically, the CmdGetSlotStatus() -> IFD_COMMUNICATION_ERROR is where to look.
It's the GET_SLOT_STATUS request. It returns:

(gdb) p/x (unsigned char[10])buffer
$4 = {0xf0, 0xe5, 0xff, 0xff, 0xff, 0x7f, 0x0, 0x0, 0x0, 0x0}

The CmdGetSlotStatus() actually doesn't return the error. It is the caller
IFDHICCPresence() which decides it in the switch statement on L1716 in
ifdhandler.c:

    switch (pcbuffer[7] & CCID_ICC_STATUS_MASK)
    {
    }

#define CCID_ICC_STATUS_MASK 0x03
#define CCID_ICC_PRESENT_ACTIVE 0x00    /* 00 0000 00 */
#define CCID_ICC_PRESENT_INACTIVE 0x01  /* 00 0000 01 */
#define CCID_ICC_ABSENT 0x02            /* 00 0000 10 */

The contents of pcbuffer[7] is 0x03, which is not one of the 3 cases.

Why is SIZE_GET_SLOT_STATUS == 10, and the buffer smaller? -> nope, same.
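For reference, an added C example of the two CCID encodings that meet in this GET_SLOT_STATUS check: the per-slot bitmap of RDR_to_PC_NotifySlotChange (CCID 1.1 section 6.3.1: bit 0 = ICC present, bit 1 = changed) and the bmICCStatus field of bStatus in RDR_to_PC_SlotStatus (section 6.2.6, the values the libccid switch above accepts), with a translation from the one to the other and a builder for the 10-byte slot status reply. This is not code from libccid or from the at91lib CCID driver; the message layout is the CCID specification's, the function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* RDR_to_PC_NotifySlotChange (CCID 1.1, 6.3.1): two bits per slot in the bitmap. */
#define SLOTCHG_PRESENT 0x01   /* current state: 1 = ICC present */
#define SLOTCHG_CHANGED 0x02   /* state changed since the last report */

/* bStatus in RDR_to_PC_SlotStatus (6.2.6): bits 0..1 bmICCStatus, bits 6..7 bmCommandStatus. */
#define CCID_ICC_STATUS_MASK      0x03
#define CCID_ICC_PRESENT_ACTIVE   0x00
#define CCID_ICC_PRESENT_INACTIVE 0x01
#define CCID_ICC_ABSENT           0x02   /* 0x03 is reserved: a host rejects it */
#define CCID_CMD_STATUS_OK        0x00

/* Translate the slot-change bitmap (plus whether the slot is powered) into bmICCStatus. */
uint8_t ccid_icc_status(uint8_t slot_change, int powered) {
    if (!(slot_change & SLOTCHG_PRESENT)) return CCID_ICC_ABSENT;
    return powered ? CCID_ICC_PRESENT_ACTIVE : CCID_ICC_PRESENT_INACTIVE;
}

/* Host-side view: 1 if bmICCStatus is one of the three defined values, 0 for reserved 0x03. */
int ccid_bstatus_valid(uint8_t bstatus) {
    return (bstatus & CCID_ICC_STATUS_MASK) != 0x03;
}

/* Build the 10-byte RDR_to_PC_SlotStatus reply (bMessageType 0x81): dwLength = 0,
   then bSlot, bSeq, bStatus, bError, bClockStatus. Byte 7 is what pcbuffer[7] reads. */
void ccid_build_slot_status(uint8_t msg[10], uint8_t slot, uint8_t seq,
                            uint8_t slot_change, int powered) {
    memset(msg, 0, 10);
    msg[0] = 0x81;
    msg[5] = slot;
    msg[6] = seq;
    msg[7] = (uint8_t)((CCID_CMD_STATUS_OK << 6) | ccid_icc_status(slot_change, powered));
    msg[8] = 0;                  /* bError: none */
    msg[9] = powered ? 0 : 1;    /* bClockStatus: 0 = running, 1 = stopped in state L */
}

/* Check that the builder produces something the host's switch accepts; 0 = ok. */
int ccid_selftest(void) {
    uint8_t m[10];
    /* constructed: card present and just inserted, slot powered */
    ccid_build_slot_status(m, 0, 7, SLOTCHG_PRESENT | SLOTCHG_CHANGED, 1);
    if (m[0] != 0x81 || m[6] != 7 || m[7] != CCID_ICC_PRESENT_ACTIVE || !ccid_bstatus_valid(m[7]))
        return 1;
    /* constructed: card just removed */
    ccid_build_slot_status(m, 0, 8, SLOTCHG_CHANGED, 0);
    if (m[7] != CCID_ICC_ABSENT || m[9] != 1) return 2;
    return 0;
}
```

Storing the raw slot-change bitmap in byte 7 is exactly how a "present + changed" slot ends up as the reserved value 0x03.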
Next: why does cciddriver.c :: RDRtoPCSlotStatus() store 0x03 as status?

Still wrong: Need to distinguish:
6.3.1 slot change
6.2.6 slot status

Where does the slot status come from? RDRtoPCSlotStatus() uses
ccidDriver.SlotStatus, which uses the encoding from the slot change message.
Seems the fix would be to translate the change to the status representation.

Entry: Reading the Atmel CCID app note
Date: Tue Jul 16 18:14:02 EDT 2013

It seems best to first get the cardreader to work. Help should be available,
and knowledge gained is useful for the phone side interface.

Reader:

* How does it provide clock to card? US_BRGR contains 13 = 48MHz / 3.7MHz. It
  looks like that's the clock presented to the device. This particular value
  corresponds also to 9600 baud using the default clock divisor of 372, so it
  can support both self-clocked and clocked cards.

* What about bootup sequence? The appnote mentions the tb time delay necessary
  to bring up the sim card. However, the "for" loop seems a bit weird:

    // tb: wait 400 cycles, 3.58MHz => 80µs 48000000Hz (3840)
    for( i=0; i<(120*(BOARD_MCK/1000000)); i++ ) {
    }

[1] http://www.atmel.com/Images/doc6348.pdf

Entry: for loop
Date: Tue Jul 16 18:31:18 EDT 2013

    // tb: wait 400 cycles, 3.58MHz => 80µs 48000000Hz (3840)
    for( i=0; i<(120*(BOARD_MCK/1000000)); i++ ) {
    }

// With -O0

(gdb) disassemble ISO7816_cold_reset
Dump of assembler code for function ISO7816_cold_reset:
   0x0010a8c0 <+0>:     push    {r11, lr}
   0x0010a8c4 <+4>:     add     r11, sp, #4
   0x0010a8c8 <+8>:     sub     sp, sp, #8
   0x0010a8cc <+12>:    mov     r3, #0
   0x0010a8d0 <+16>:    str     r3, [r11, #-8]
   0x0010a8d4 <+20>:    b       0x10a8e4
   0x0010a8d8 <+24>:    ldr     r3, [r11, #-8]
   0x0010a8dc <+28>:    add     r3, r3, #1
   0x0010a8e0 <+32>:    str     r3, [r11, #-8]
   0x0010a8e4 <+36>:    ldr     r2, [r11, #-8]
   0x0010a8e8 <+40>:    ldr     r3, [pc, #48]   ; 0x10a920
   0x0010a8ec <+44>:    cmp     r2, r3
   0x0010a8f0 <+48>:    bls     0x10a8d8
   0x0010a8f4 <+52>:    ldr     r3, [pc, #40]   ; 0x10a924
   0x0010a8f8 <+56>:    ldr     r3, [r3, #24]
   0x0010a8fc <+60>:    ldr     r3, [pc, #32]   ; 0x10a924
   0x0010a900 <+64>:    mov     r2, #24832      ; 0x6100
   0x0010a904 <+68>:    str     r2, [r3]
   0x0010a908 <+72>:    ldr     r3, [pc, #24]   ; 0x10a928
   0x0010a90c <+76>:    mov     lr, pc
   0x0010a910 <+80>:    bx      r3
   0x0010a914 <+84>:    sub     sp, r11, #4
   0x0010a918 <+88>:    pop     {r11, lr}
   0x0010a91c <+92>:    bx      lr
   0x0010a920 <+96>:    andeq   r1, r0, pc, ror r6
   0x0010a924 <+100>:   ; instruction: 0xfffc0000
   0x0010a928 <+104>:   andseq  r9, r0, r0, lsr sp
End of assembler dump.

// with -Os

Dump of assembler code for function ISO7816_cold_reset:
   0x001076b4 <+0>:     push    {r0, r1, r2, lr}
   0x001076b8 <+4>:     mov     r3, #0
   0x001076bc <+8>:     str     r3, [sp, #4]
   0x001076c0 <+12>:    ldr     r3, [pc, #64]   ; 0x107708
   0x001076c4 <+16>:    b       0x1076d4
   0x001076c8 <+20>:    ldr     r2, [sp, #4]
   0x001076cc <+24>:    add     r2, r2, #1
   0x001076d0 <+28>:    str     r2, [sp, #4]
   0x001076d4 <+32>:    ldr     r2, [sp, #4]
   0x001076d8 <+36>:    cmp     r2, r3
   0x001076dc <+40>:    bls     0x1076c8
   0x001076e0 <+44>:    mvn     r3, #258048     ; 0x3f000
   0x001076e4 <+48>:    ldr     r2, [r3, #-4071] ; 0xfe7
   0x001076e8 <+52>:    mov     r2, #24832      ; 0x6100
   0x001076ec <+56>:    str     r2, [r3, #-4095] ; 0xfff
   0x001076f0 <+60>:    ldr     r0, [pc, #20]   ; 0x10770c
   0x001076f4 <+64>:    ldr     r3, [pc, #20]   ; 0x107710
   0x001076f8 <+68>:    mov     lr, pc
   0x001076fc <+72>:    bx      r3
   0x00107700 <+76>:    pop     {r1, r2, r3, lr}
   0x00107704 <+80>:    bx      lr
   0x00107708 <+84>:    andeq   r1, r0, pc, ror r6
   0x0010770c <+88>:    eoreq   r0, r0, r0, lsr #10
   0x00107710 <+92>:    andseq  r6, r0, r12, lsr r11
End of assembler dump.

Weird.. !!

What I missed was the declaration:

    volatile unsigned int i;

This guarantees the variable is in memory, so the operations will not be
optimized away.

Entry: Board problem?
Date: Tue Jul 16 19:47:56 EDT 2013

Board seems to have a short between RST and CLK. Getting a replacement.

Entry: Phone side
Date: Fri Jul 19 11:35:47 EDT 2013

How to get this started? Let's hook up the SIMtrace to a throwaway phone.

First thing that happens is assertion of 3V and wait for reset. This can be
taken from the openpcd code.
Ok, got it going up to reset:

-- SIMtrace PHONE side driver
-- Compiled: Jul 19 2013 16:04:50 --
PIOA & PA24 = 01000000
PIOA & PA24 = 00000000
PIOA & PA24 = 01000000
PIOA & PA24 = 00000000
PIOA & PA24 = 01000000
PIOA & PA24 = 00000000
PIOA & PA24 = 01000000
PIOA & PA24 = 00000000

Phone tries 4 times: corresponds to scope measurements: 1.8 3 3 1.8 volts

So clock is present on the line, but TX doesn't want to advance. Read the
sniffer code again. Also, I don't see TXEN anywhere in the reader code?

OK, found a bug: enabled US0 instead of US1. Seems to +- work: can send bytes,
but get a nack from time to time. ( What's a nack? )

Note: for simultaneous reader/phone interface, the polled architecture needs to
poll both interfaces, or it needs to be changed to interrupt/DMA.

Looks like nack is asserted in the guard time slot.

www.smartcard.co.uk/tutorials/sct-itsc.pdf:

  There is a further problem with the asynchronous character transmission that
  makes life difficult for a PC to act as the interface device. The 7816-3
  standard defines an error detection and recovery operation (mandatory for
  T=0) that cannot be managed by the normal PC UART. When the receiver detects
  a parity error on reception it takes the I/O line to the space or low state
  in the middle of the first stop bit guard time. The transmitter is mandated
  to sample the I/O line at the start of the second stop bit guard time period.
  When the error condition is sensed then the transmitter should retransmit the
  erroneously received character. Clearly the transmitter cannot be outputting
  stop bits but must let the line go high during the guard time in order to
  sense the line state.
Entry: PTS received
Date: Mon Jul 22 16:46:24 EDT 2013

Looks like the lowest layer is ok now: receiving PTS: FF 00 FF

-- SIMtrace PHONE side driver
-- Compiled: Jul 22 2013 16:41:29 --
-D- ATR
-D- PHONE_TX
-D- phone_rx timeout
-D- phone_rx timeout
-D- phone_rx timeout
-D- rx ff
-D- rx 00
-D- rx ff
-D- OFF
-D- ATR
-D- PHONE_TX
-D- phone_rx timeout
-D- phone_rx timeout
-D- phone_rx timeout

Entry: Status
Date: Tue Jul 23 09:04:52 EDT 2013

Looks like it's on the right path. Some trouble:

- ccid code blocks on card comm -> either poll both rx and tx during busy wait,
  or use interrupt / dma transfer. Start from openpcd code since it is already
  interrupt based?
- protocol is a bit more complex than I thought, so need to see where this is
  going by building my specific use case.
- it might be best to write a generic two-sided iso7816 parser that can handle
  the 3 cases: host/card/sniff

Entry: TPDU protocol
Date: Tue Jul 23 18:26:58 EDT 2013

Basic low-level comm is working with the state machine in place. Next is
trying to capture the transport protocol, i.e. the difference between push data
and pull data APDU commands.

It seems there are no push/pull TPDU commands as there is only one size byte in
the TPDU header. Push-pull APDUs get embedded in a 9FXX response + GET_RESPONSE
request.

It's not too easy to understand the boundary between APDU and TPDU, though this
helps:
http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816-4_annex-a.aspx

Looks like for passive sniffing, the data packet size is in the same spot for
both directions, so no distinction needs to be made based on INS. For a pure
master or slave side, this is important.

Entry: USB
Date: Thu Jul 25 10:24:43 EDT 2013

Minimal slave-side functionality is there. Next: how to tie it to the PC over
USB? There is currently no good solution.

- ccid extension: PC_to_RDR_Escape / RDR_to_PC_Escape
- embed in apdu request/response
- control requests

The CCID escape solution needs a host-side driver extension.
Embedding in APDU only works if there is a card in the slot, and it has the
wrong symmetry, i.e. it would need polling from the host side.

Control requests are a bit of a mystery to me. Also, they seem to be
host-oriented, so would probably require polling.

Maybe it's best to start with a proprietary interface, from scratch, and see
where it goes. Eliminate the system unknowns first, i.e. at91lib USB code +
host side libusb code.

The CCID doesn't work with my current SIMtrace, so until the other arrives,
let's just use a CDC interface.

Entry: simtrace ribbon
Date: Fri Jul 26 16:39:15 EDT 2013

|board - VCC - - CLK

Entry: BLU phone
Date: Fri Jul 26 16:44:22 EDT 2013

It doesn't switch to 3V3 signalling. Need to skip one power cycle, since there
is no way to detect the voltage. Just skipping the first init seems to work as
a hackaround.

Entry: SCM card reader bad
Date: Fri Jul 26 19:01:58 EDT 2013

SCR 331 freezes. DK38T seems to work. Next crash is a buffer overflow (known
bug).

Entry: Got a bit further
Date: Mon Jul 29 19:03:18 EDT 2013

BLU phone seems to work. N1 doesn't cooperate: signals at different voltage:
2.3V? Reset after size 194 r-apdu.

Wait, maybe the supply voltage class should be set in the ATR? See 6.2 in ETSI
TS 102 221.

Entry: ATR daisy chaining
Date: Tue Jul 30 10:21:34 EDT 2013

TD_i encodes the presence of Tx_{i+1}, x: A,B,C,D

Seems complicated to make this work, not even clear which TA byte it is.

I was able to get it to boot like this:
- set skip_reset=1 in firmware
- reboot firmware
- reboot phone

success: 3
fail: 3

It seems to always fail after a 258 byte packet. Suspicious..

Anyway, probably best to modify the ATR to use a slower bitrate, or to set the
voltage class.
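The interface-byte chaining of the ATR that this entry is about (T0's upper nibble Y1 announces TA1..TD1, the upper nibble of each TDi announces TA(i+1)..TD(i+1) and its lower nibble names a protocol T, and the TCK check byte is present unless T=0 is the only protocol offered), as an added C example that is not the SIMtrace firmware's code: atr_parse walks the chain, records which TAi/TBi/TCi/TDi were present, collects the historical bytes and verifies TCK. The sample ATR is constructed for the example (T0 = 0x92: TA1, TD1 and two historical bytes; TD1 = 0x80 chains to TD2 with T=0; TD2 = 0x1F announces TA3 and offers T=15), and the bytes are assumed to already be in direct-convention order.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ATR_MAX_IF 4                          /* TA1..TA4 etc., enough for SIM/USIM ATRs */

typedef struct {
    uint8_t  ts, t0;
    uint8_t  ta[ATR_MAX_IF + 1], tb[ATR_MAX_IF + 1], tc[ATR_MAX_IF + 1], td[ATR_MAX_IF + 1];
    uint8_t  has_ta, has_tb, has_tc, has_td;  /* bit i set when TXi was present */
    uint8_t  hist[15];
    size_t   hist_len;
    uint16_t protocols;                       /* bit t set when T=t is offered */
    int      tck_present, tck_ok;
    size_t   used;                            /* bytes consumed from buf */
} atr_t;

/* Parse an ATR in direct-convention byte order. Returns 0 on success, <0 on error. */
int atr_parse(const uint8_t *buf, size_t len, atr_t *a)
{
    memset(a, 0, sizeof *a);
    if (len < 2) return -1;
    a->ts = buf[0];
    if (a->ts != 0x3B) return -2;             /* inverse-convention bytes must be converted first */
    a->t0 = buf[1];
    size_t pos = 2;
    uint8_t y = a->t0 >> 4;                   /* Y1: which of TA1..TD1 follow */
    size_t  k = a->t0 & 0x0F;                 /* number of historical bytes */
    for (int i = 1; ; i++) {
        if (i > ATR_MAX_IF) return -3;
        if (y & 1) { if (pos >= len) return -4; a->ta[i] = buf[pos++]; a->has_ta |= 1u << i; }
        if (y & 2) { if (pos >= len) return -4; a->tb[i] = buf[pos++]; a->has_tb |= 1u << i; }
        if (y & 4) { if (pos >= len) return -4; a->tc[i] = buf[pos++]; a->has_tc |= 1u << i; }
        if (!(y & 8)) break;                  /* no TDi: the chain ends here */
        if (pos >= len) return -4;
        a->td[i] = buf[pos++]; a->has_td |= 1u << i;
        y = a->td[i] >> 4;                    /* Y(i+1): presence of TA(i+1)..TD(i+1) */
        a->protocols |= 1u << (a->td[i] & 0x0F);
    }
    if (a->protocols == 0) a->protocols = 1;  /* no TD1 at all: T=0 by default */
    if (pos + k > len) return -4;
    memcpy(a->hist, buf + pos, k); a->hist_len = k; pos += k;
    a->tck_present = (a->protocols != 1);     /* TCK is absent only when T=0 is the sole protocol */
    if (a->tck_present) {
        if (pos >= len) return -4;
        uint8_t x = 0;
        for (size_t j = 1; j <= pos; j++) x ^= buf[j];   /* XOR of T0 .. TCK must be zero */
        a->tck_ok = (x == 0);
        pos++;
    } else {
        a->tck_ok = 1;
    }
    a->used = pos;
    return 0;
}

/* constructed sample: TS T0 TA1 TD1 TD2 TA3 hist hist TCK */
static const uint8_t sample_atr[] = {0x3B, 0x92, 0x96, 0x80, 0x1F, 0xC7, 0x12, 0x34, 0x7A};

/* Parse the sample and check the fields a caller would rely on; 0 = all good. */
int atr_selftest(void)
{
    atr_t a;
    if (atr_parse(sample_atr, sizeof sample_atr, &a) != 0) return 1;
    if (!(a.has_ta & (1u << 1)) || a.ta[1] != 0x96) return 2;      /* TA1 announced by Y1 */
    if (a.td[1] != 0x80 || a.td[2] != 0x1F) return 3;              /* TD1 -> TD2 chain */
    if (!(a.has_ta & (1u << 3)) || a.ta[3] != 0xC7) return 4;      /* TA3 announced by TD2 */
    if (a.protocols != ((1u << 0) | (1u << 15))) return 5;         /* T=0 and T=15 offered */
    if (a.hist_len != 2 || !a.tck_present || !a.tck_ok || a.used != 9) return 6;
    return 0;
}

int main(void)
{
    atr_t a;
    int rc = atr_parse(sample_atr, sizeof sample_atr, &a);
    printf("rc=%d protocols=0x%04x hist=%zu tck_ok=%d selftest=%d\n",
           rc, a.protocols, a.hist_len, a.tck_ok, atr_selftest());
    return atr_selftest();
}
```

With the chain decoded this way, "which TA byte it is" becomes a lookup: the voltage class indicator from TS 102 221 is the TAi that follows a TDi whose lower nibble is 15, here ta[3].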
Entry: Nexus One
Date: Tue Jul 30 12:52:15 EDT 2013

Starts SIM at 2.4V for about 100ms
0V for 40 ms
3V for 30 ms

Works with proper power cycle counting:
- skip SIMtrace VCC pullup
- skip N1 2V powerup
- start at N1 3V powerup

Entry: SIMtrace release notes
Date: Wed Jul 31 16:43:53 EDT 2013

git@github.com:zwizwa/at91work.git
branch apdu_phone
https://github.com/zwizwa/at91work/tree/apdu_phone

Relevant files are in:
iso7816-slave-cdc-project/
src/

Entry: Trouble with other sim cards
Date: Tue Aug 6 11:24:09 EDT 2013

SIM works, but the 2 USIM cards I have give trouble. Things go wrong here:

-W- R-APDU data size incorrect size:2 != r_apdu_size:258
C-APDU:80F2000C00
R-APDU:9000

Some questions:
- What is CLA=0x80?
- Why is 0x00 not 0x100 here?

It seems 0x80 is proprietary. Why does it do that? Anyways. It seems this apdu
is a standard status command, and the reply is standard too. 0x00 means 0
bytes, not 0x100.

Why does the phone reset the card? It queries the ICCID, then asks STATUS and
turns it off. Maybe STATUS should report something else? I.e. that it was
reset?

Forcing SIM protocol seems to work, i.e. no resets, but still doesn't connect
through to the network.

Forcing SIM protocol on the AT&T card, the phone sends terminal profile, and
then it stops dead:

C-APDU:A010000014FFFFFFFF1F0000DFD7030A000000000600000000 TERMINAL_PROFILE
R-APDU:910E

Need to change the API a bit so parameters are easier to verify.
- ATR
- reset
- power cycle wait

Entry: Additional interfaces
Date: Fri Aug 9 08:48:35 EDT 2013

As suggested by Peter Stuge, add a second interface to the USB device. This
allows the default endpoint to be used to create a side channel for the phone
APDU traffic and communication control.

A recap:
- USBDeviceDescriptor.bNumConfigurations = 1
- CCIDDriverConfigurationDescriptors contains all descriptors returned for a
  GET_CONFIGURATION request.
In the at91lib code, interfaces are added in cciddriver.c :

Entry: Flakey USB
Date: Fri Aug 9 14:40:32 EDT 2013

Having trouble with USB. Had some hard crashes when sending control requests.
Might be my machine. Need to try on the laptop.

Also, for some bizarre reason, the APDU is echoed back:

-W- R-APDU data size incorrect size:7 != r_apdu_size:2
C-APDU:00A40004023F00
R-APDU:00A40004023F00

This happened before.

Maybe time to get rid of the CDC stuff; let's try to get control transfers to
work.

Current problem:

>>> ctrl_IN()
Traceback (most recent call last):
  File "", line 1, in
  File "test-usb.py", line 31, in ctrl_IN
    index=0)
usb.USBError: error sending control message: Connection timed out

[ 4399.020884] usb 4-2.4.2: usbfs: USBDEVFS_CONTROL failed cmd python rqt 192 rq 123 len 0 ret -110
[ 4400.020787] usb 4-2.4: clear tt 1 (8250) error -110
[ 4405.940887] hub 4-2.4:1.0: cannot reset port 1 (err = -110)
[ 4406.436308] hub 4-2:1.0: hub_port_status failed (err = -110)
[ 4406.940853] hub 4-2.4:1.0: cannot reset port 1 (err = -110)
[ 4407.940898] hub 4-2.4:1.0: cannot reset port 1 (err = -110)

-W- Vendor_RequestHandler
-W- USBGenericReques

But the ctrl_OUT() doesn't crash:

-W- Vendor_RequestHandler
-W- USBGenericRequest_OUT

Entry: UNBLOCK PIN 0x2C
Date: Tue Aug 13 10:33:28 EDT 2013

C-APDU:002C000100 UNBLOCK_PIN
R-APDU:63CA

ETSI TS 102 221 V8.2.0 (2009-06)
10.2.1.3 Warnings

63CX
- Command successful but after using an internal update retry routine 'X' times
- Verification failed, 'X' retries remaining (see note)

  For the VERIFY PIN command, SW1SW2 indicates that the command was successful
  but the PIN was not correct and there are 'X' retries left. For all other
  commands it indicates the number of internal retries performed by the card to
  complete the command.

Next: use the tracer?

Problem might be the card reset, but implementing that, some other things break
(ack not fast enough)?

Hmm... can't get it to work reliably any more.
It works reverting back to the previous approach with only one USB poll per C-APDU.

Entry: Interrupt problem?
Date: Wed Aug 14 13:59:43 EDT 2013

I'm running into some weird shit.. So let's see if it's not an ISR problem.

  void USBDCallbacks_Initialized(void)
  {
  #if defined(BOARD_USB_UDP)
      // Configure and enable the UDP interrupt
      AIC_ConfigureIT(AT91C_ID_UDP, 0, USBD_InterruptHandler);
      AIC_EnableIT(AT91C_ID_UDP);
  #elif defined(BOARD_USB_UDPHS)
      // Configure and enable the UDPHS interrupt
      AIC_ConfigureIT(AT91C_ID_UDPHS, 0, USBD_InterruptHandler);
      AIC_EnableIT(AT91C_ID_UDPHS);
  #else
      #error Unsupported controller.
  #endif
  }

What about disabling interrupts, and polling the ISR? Can't do that as the USB read/write routines wait for conditions set in ISRs..

Entry: USB packet sizes?
Date: Wed Aug 14 14:55:59 EDT 2013

Guess is: timing error due to packet sizes. Doesn't seem to be it... So what is the problem? It is very unpredictable... a noise thing?

So I got it to go a bit further. Now 3 cards run up to:

  C-APDU:002C000100 UNBLOCK_PIN
  R-APDU:63CA

And then things freeze: one byte is received (CLA = 0) and waiting for the next 4 bytes. No resets, no VCC off, nothing..
Entry: iPhone 3 terminal profile
Date: Wed Aug 14 18:02:34 EDT 2013

  8010000012 FFFFFFFF7F0100DFBF000000000080020040

link/AT91SAM7S128-ROM-sam7dfu-app.ld

Entry: Tracing with orig sniffer firmware
Date: Wed Aug 14 22:33:20 EDT 2013

It gets messed up a bit, but this is what comes out after demangling:

  00 2c 00 01 00 63 ca
  00 20 00 01 00 63 c3
  00 2c 00 81 00 63 ca
  00 20 00 81 00 63 c3

(orig)

  APDU: 00 c0 00 00 2e 62 2c 82 02 78 21 84 10 a0 00 00 00 87 10 02 ff ff ff ff 89 03 02 00 00 8a 01 05 8b 2f 06 0c c6 0c 90 01 60 83 01 01 83 01 0a 83 01 81 90 00 00
  APDU: 2c 00 01 00 63 ca 00
  APDU: 20 00 01 00 63 c3 00
  APDU: 2c 00 81 00 63 ca 00
  APDU: 20 00 81 00 63 c3 00
  APDU: a4 00 04 02 a4 6f 38
  APDU: 61 19 00 c0 00 00 19
  APDU: c0 62 17 82 02 41 21
  APDU: 83 02 6f 38 8a 01 05
  APDU: 8b 03 6f 06 04 80 02
  APDU: 00 0c 88 01 20 90 00
  APDU: 00 b0 00 00 0c 1e 4a 13 0c 27 f6 01 00 00 02 10 00 90 00
  APDU: 80 10 00 00 14 ff ff ff ff 1f 00 00 df d7 03 0a 00 00 00 00 06 00 00 00 00 91 0e
  APDU: 80 12 00 00 0e d0 0c 81 03 01 05 00 82 02 81 82 19 01 03 90 00
  APDU: 00 a4 00 04 02 6f 56 61 19
  APDU: 00 c0 00 00 19 62 17 82 02 41 21 83 02 6f 56 8a 01 05 8b 03 6f 06 06 80 02 00 02 88 01 28 90 00
  APDU: 00 b0 00 00 02 00 00 90 00
  APDU: 80 14 00 00 0c 81 03 01 05 00 02 02 82 81 03 01 00 91 0b
  APDU: 80 12 00 00 0b d0 09 81 03 01 26 01 82 02 82 90 00 00

Apart from the messed up parsing (missed bytes?), this does look like normal traffic. Why is it not working in the mim?

In the mim, phone sends a single 00 byte after a couple of seconds.

Entry: PROCEDURE BYTE problem
Date: Wed Sep 4 20:47:52 EDT 2013

Now it only sends procedure byte when the R_APDU size is > 2.
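To pin down what that rule means on the I/O line, here is an added worked example (my own Python, not code from the page or from the at91work firmware): the card side of one T=0 command as the man-in-the-middle sees it, with the host PC's card behind a callback. It also answers the questions from the "Trouble with other sim cards" entry (P3 = 00 on an outgoing-data command is 256 per ISO 7816-3, and STATUS with P2 = 0C is allowed to return nothing, which is why 80F2000C00 -> 9000 is fine) and decodes the 63CX, 61XX and 91XX status words seen in the UNBLOCK PIN and terminal profile traces. The INS-to-direction table is an assumption covering only the commands in the traces above; a real forwarder needs the full table for the profile it emulates, because a T=0 header alone does not say whether P3 is Lc or Le, and the STATUS P2 = 0C special case is my reading of TS 102 221 11.1.2.

```python
# Added example, not code from the page or the at91work firmware: the card side of one
# T=0 command as a SIM man-in-the-middle sees it, plus the status-word decoding used
# when reading the C-APDU/R-APDU log lines. INS table and helpers are assumptions.
from typing import Callable, Tuple

# Which way the data field goes, for the INS values that appear in the traces above
# (TS 102 221 / TS 31.101). True = terminal -> card (ISO 7816-3 case 3), False = card ->
# terminal (case 2). Assumption: partial table; a real forwarder needs the full profile.
INS_TO_CARD = {
    0x10: True,   # TERMINAL PROFILE
    0x12: False,  # FETCH
    0x14: True,   # TERMINAL RESPONSE
    0x20: True,   # VERIFY PIN (P3=00: query retry counter)
    0x2C: True,   # UNBLOCK PIN (P3=00: query retry counter)
    0xA4: True,   # SELECT FILE
    0xB0: False,  # READ BINARY
    0xB2: False,  # READ RECORD
    0xC0: False,  # GET RESPONSE
    0xF2: False,  # STATUS
}


def expected_data_len(hdr: bytes) -> int:
    """Max data a case-2 command may return. P3 == 00 means 256 (ISO 7816-3).
    Assumption (TS 102 221 11.1.2): STATUS with P2 = 0C returns no data, so 9000 alone is valid."""
    _cla, ins, _p1, p2, p3 = hdr
    if ins == 0xF2 and (p2 & 0x0F) == 0x0C:
        return 0
    return 256 if p3 == 0 else p3


def card_turn(hdr: bytes, terminal_data: bytes,
              forward: Callable[[bytes], bytes]) -> Tuple[bytes, bytes]:
    """One T=0 command from the card (slave) side.
    hdr: 5-byte header from the phone; terminal_data: bytes the phone sends after an ACK
    (consumed only for case 3); forward: host-side callback C-APDU -> R-APDU (data + SW1SW2).
    Returns (C-APDU handed to the host, bytes the card puts on the I/O line)."""
    if len(hdr) != 5:
        raise ValueError("T=0 header must be 5 bytes")
    _cla, ins, _p1, _p2, p3 = hdr
    to_card = INS_TO_CARD.get(ins)
    if to_card is None:
        raise ValueError(f"unknown INS {ins:02X}: cannot tell data direction")

    if to_card and p3 > 0:
        # Case 3: procedure byte = INS (ACK), then the terminal sends P3 data bytes.
        if len(terminal_data) < p3:
            raise ValueError("terminal did not supply P3 data bytes")
        body = terminal_data[:p3]
        r_apdu = forward(hdr + body)
        # Nothing but SW1SW2 goes back on a case-3 command (61XX tells the phone to
        # GET RESPONSE), so data here means the host echoed or mis-framed the APDU.
        if len(r_apdu) != 2:
            raise ValueError(f"case-3 command answered with data: {r_apdu.hex()}")
        return hdr + body, bytes([ins]) + r_apdu

    # Case 1 (e.g. 002C000100) or case 2: forward the bare header.
    r_apdu = forward(hdr)
    if len(r_apdu) < 2:
        raise ValueError("R-APDU shorter than SW1SW2")
    data, sw = r_apdu[:-2], r_apdu[-2:]
    if not data:
        # No response data: no separate procedure byte, SW1SW2 is the procedure byte.
        return hdr, sw
    limit = expected_data_len(hdr)
    if to_card or len(data) > limit:
        raise ValueError(f"R-APDU data size incorrect size:{len(data)} != {limit}")
    # Case 2: ACK with INS, all data bytes, then SW1SW2.
    return hdr, bytes([ins]) + data + sw


def describe_sw(sw: bytes) -> str:
    """Decode the SW1SW2 values that show up in the traces (TS 102 221 10.2)."""
    sw1, sw2 = sw
    if sw == b"\x90\x00":
        return "normal ending"
    if sw1 == 0x61:
        return f"{sw2} response bytes available, fetch with GET RESPONSE"
    if sw1 == 0x91:
        return f"normal ending, proactive command of {sw2} bytes pending (FETCH)"
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        return f"warning 63CX, X = {sw2 & 0x0F} (retry counter, see 10.2.1.3)"
    return f"SW {sw.hex().upper()}"


def check_trace(c_apdu_hex: str, r_apdu_hex: str) -> str:
    """Replay one 'C-APDU:.. / R-APDU:..' log pair and report like the firmware's -W- line."""
    c, r = bytes.fromhex(c_apdu_hex), bytes.fromhex(r_apdu_hex)
    try:
        _c_sent, wire = card_turn(c[:5], c[5:], lambda _apdu: r)
    except ValueError as err:
        return f"-W- {err}"
    return f"ok {wire.hex().upper()} ({describe_sw(wire[-2:])})"


if __name__ == "__main__":
    # Pairs taken from the log lines above.
    for c, r in (("80F2000C00", "9000"), ("002C000100", "63CA"),
                 ("A010000014FFFFFFFF1F0000DFD7030A000000000600000000", "910E"),
                 ("00A40004023F00", "00A40004023F00")):
        print(c, r, "->", check_trace(c, r))
```

check_trace() replays a C-APDU/R-APDU pair from the log through card_turn(); the echoed SELECT from the "Flakey USB" entry and a STATUS answered with data both come back as a -W- line, while 80F2000C00 -> 9000 and 002C000100 -> 63CA are accepted without a procedure byte.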
Still these resets occur:

  C-APDU:00B20104B0 READ_RECORD
  R-APDU:00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9000
  RESET CARD
  RESET CARD
  RESET CARD
  C-APDU:801200000E FETCH
  R-APDU:D00C8103010500820281821901039000
  RESET CARD
  RESET CARD
  RESET CARD
  C-APDU:00A40004026F61 SELECT_FILE FID_EF_OPLMNWACT
  R-APDU:6119
  C-APDU:00C0000019 GET_RESPONSE
  R-APDU:62178202412183026F618A01058B036F0604800201F48801889000
  C-APDU:00B0000000 READ_BINARY
  R-APDU: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
  RESET CARD
  RESET CARD
  RESET CARD
  C-APDU:00A4000C026F06 SELECT_FILE FID_EF_ARR
  R-APDU:9000
  C-APDU:00B2030426 READ_RECORD
  R-APDU:8001019000800102A406830101950108800158A40683010A9501088001249700FFFFFFFFFFFF9000
  RESET CARD
  RESET CARD
  RESET CARD
  C-APDU:80F2010C00 STATUS
  R-APDU:910E
  C-APDU:801200000E FETCH
  R-APDU:D00C8103010500820281821901039000
  RESET CARD
  RESET CARD
  RESET CARD

Entry: Supply voltage
Date: Tue Sep 10 11:38:50 EDT 2013

6.2.1 Supply voltage classes

The supply voltage class shall be indicated in the ATR by the UICC (TAi, i > 2).

Table 6.1: Supply voltage classes indicated in ATR

  Symbol  Minimum  Maximum  Unit  Class  Encoding (Binary)
  --------------------------------------------------------
  Vcc     4,5      5,5      V     A      xx xxx1
  Vcc     2,7      3,3      V     B      xx xx1x
  Vcc     1,62     1,98     V     C      xx x1xx
  Vcc     RFU      RFU      V     D      xx 1xxx
  Vcc     RFU      RFU      V     E      x1 xxxx

NOTE: Class A, B and C values are according to ISO/IEC 7816-3 [11]. Class D is a further evolution of values specified in ISO/IEC 7816-3 [11].

It is possible to support a range of classes. The support shall be consecutive e.g. AB, BC. A combination like AC is not allowed.
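To make the "TAi, i > 2" rule mechanical, an added example (my own Python, not from the page or the SIMtrace/at91work code) that walks the ATR interface bytes, checks TCK, and reports the class letters from the first TA(i) that follows a TD(i-1) selecting T=15, as ISO/IEC 7816-3 defines it. The ATR it parses is the one in the smartcard-atr.appspot.com link in this entry, which advertises classes A and B. The consecutive-class check implements the "AB, BC but not AC" sentence above; the TCK rule (present unless only T=0 is offered) is from ISO/IEC 7816-3.

```python
# Added example (not from the page or the SIMtrace/at91work code): parse an ATR and
# pull the supply-voltage class out of TA(i), i > 2, after a TD(i-1) with T=15
# (ISO/IEC 7816-3, TS 102 221 6.2.1 table 6.1).
from typing import Dict, List, Optional

# Table 6.1 encoding of the low 6 bits of that TA: bit1 = A, bit2 = B, bit3 = C, bit4 = D, bit5 = E.
CLASS_BITS = [(0x01, "A"), (0x02, "B"), (0x04, "C"), (0x08, "D"), (0x10, "E")]


def parse_atr(atr: bytes) -> Dict:
    """Split an ATR into TS, T0, the TA/TB/TC/TD(i) groups, historical bytes and TCK.
    Raises ValueError on a truncated ATR or a wrong checksum."""
    if len(atr) < 2:
        raise ValueError("ATR too short")
    ts, t0 = atr[0], atr[1]
    if ts not in (0x3B, 0x3F):
        raise ValueError(f"bad TS {ts:02X}")
    iface: List[Dict[str, Optional[int]]] = []   # iface[i-1] holds TA(i)..TD(i)
    protocols: List[int] = []                    # T values announced by each TD(i)
    y, pos, i = t0 >> 4, 2, 1
    while y:
        grp: Dict[str, Optional[int]] = {"TA": None, "TB": None, "TC": None, "TD": None}
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated inside interface bytes (i={i})")
                grp[name] = atr[pos]
                pos += 1
        iface.append(grp)
        td = grp["TD"]
        if td is None:
            break
        protocols.append(td & 0x0F)
        y, i = td >> 4, i + 1
    k = t0 & 0x0F
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError("ATR truncated inside historical bytes")
    pos += k
    # TCK is present unless only T=0 is offered; it is the XOR of T0 .. last historical byte.
    tck = atr[pos] if pos < len(atr) else None
    if any(p != 0 for p in protocols):
        if tck is None:
            raise ValueError("TCK missing")
        x = 0
        for b in atr[1:pos]:
            x ^= b
        if x != tck:
            raise ValueError(f"TCK mismatch: computed {x:02X}, got {tck:02X}")
    return {"TS": ts, "T0": t0, "iface": iface, "protocols": protocols, "hist": hist, "TCK": tck}


def supply_voltage_classes(atr: bytes) -> str:
    """Class letters (e.g. 'AB') from the first TA(i), i > 2, after a TD(i-1) with T=15.
    '' means the ATR indicates no class. A non-consecutive set such as 'AC' is rejected."""
    iface = parse_atr(atr)["iface"]
    for idx in range(2, len(iface)):            # idx 2 is i = 3
        prev_td = iface[idx - 1]["TD"]
        ta = iface[idx]["TA"]
        if prev_td is not None and (prev_td & 0x0F) == 15 and ta is not None:
            letters = "".join(name for bit, name in CLASS_BITS if ta & bit)
            if letters and ord(letters[-1]) - ord(letters[0]) != len(letters) - 1:
                raise ValueError(f"non-consecutive class set {letters} in TA({idx + 1}) = {ta:02X}")
            return letters
    return ""


if __name__ == "__main__":
    atr = bytes.fromhex("3BDA18FF81B1FE751F030031C573C001400090000C")  # ATR from the link above
    info = parse_atr(atr)
    print("protocols:", info["protocols"], "TCK: %02X" % info["TCK"])
    print("supply voltage classes:", supply_voltage_classes(atr))
```

For the ATR above the walk gives TA1 TC1 TD1, TD2, TA3 TB3 TD3 (T=15), TA4 = 03, so the class field is "AB" and the card must be started at either 5 V or 3 V; a card that omits the T=15 group yields '' and is a 5 V-only card in the old convention.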
[1] http://electronics.stackexchange.com/questions/35358/determine-the-operating-voltage-of-a-sim-card
[2] http://smartcard-atr.appspot.com/parse?ATR=3BDA18FF81B1FE751F030031C573C001400090000C

Entry: Cleaning up the code
Date: Tue Oct 29 15:35:19 EDT 2013

- make the CCID code run
- restore the DFU interface
- integrate with vendor requests for phone-side interface

Entry: CCID part
Date: Tue Oct 29 15:48:34 EDT 2013

- Compile usb-device-ccid-project-simtrace-at91sam7s128-flash_dfu.elf

- pcscd doesn't pick up the device. reason?
  USB ID needs to be recorded in:
    /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
  on Debian:
    /etc/libccid_Info.plist

    ifdVendorID     + 0x03EB          0x072F
    ifdProductID    + 0x6129          0x90CC
    ifdFriendlyName + SIMtrace CCID   ACS ACR 38U-CCID

- Error then is:

    Oct 29 16:01:47 tx pcscd: ccid_usb.c:1065:ControlUSB() control failed (4/49): -7 Success
    Oct 29 16:01:47 tx pcscd: ccid_usb.c:712:ReadUSB() read failed (4/49): -7 Success
    Oct 29 16:01:47 tx pcscd: ccid_usb.c:712:ReadUSB() read failed (4/49): -7 Success
    Oct 29 16:01:47 tx pcscd: ifdhandler.c:155:CreateChannelByNameOrChannel() failed
    Oct 29 16:01:47 tx pcscd: readerfactory.c:1009:RFInitializeReader() Open Port 0x200000 Failed (usb:03eb/6129:libudev:0:/dev/bus/usb/004/049)
    Oct 29 16:01:47 tx pcscd: readerfactory.c:312:RFAddReader() Simtrace CCID (0123456789AF) init failed.
    Oct 29 16:01:47 tx pcscd: hotplug_libudev.c:384:HPAddDevice() Failed adding USB device: Simtrace CC

- Enabling debug console messages:
    at91work/usb-device-ccid-project/Makefile
    TRACE_LEVEL = 5

- run pcscd on console with debug on:
    sudo pcscd -f -d

  this shows that regardless of the error messages, there is some activity:

    00000030 eventhandler.c:387:EHStatusHandlerThread() Card inserted into Simtrace CCID (0123456789AF) 00 00
    Card ATR: 00 00

Entry: Card eject
Date: Tue Oct 29 16:13:03 EDT 2013

SIMTRACE:

  -H- Removal
  -D- CCID_Removal
  Write3(2) E3 st:0x8F01 Wr EoNo callBack
  E1 st:0xA8240 Rd 10 Eo-D- typ=0x65
  -D- PCtoRDRGetSlotStatus
  -D- RDRtoPCSlotStatus
  Write2(10) E2 st:0x8601 Wr EoNo callBack
  Read1(270)

PCSCD:

  71441191 eventhandler.c:325:EHStatusHandlerThread() Card Removed From Simtrace CCID (0123456789AF) 00 00

Entry: card insert
Date: Tue Oct 29 17:43:04 EDT 2013

  -H- Insert
  -D- CCID_Insertion
  Write3(2)
  -H- Insert
  -D- CCID_Insertion
  E3 st:0x8701 Wr EoNo callBack
  E1 st:0xA8240 Rd 10 Eo-D- typ=0x65
  -D- PCtoRDRGetSlotStatus
  -D- RDRtoPCSlotStatus
  Write2(10) E2 st:0x8601 Wr EoNo callBack
  Read1(270)
  E1 st:0xA8A02 Rd 10 Eo-D- typ=0x65
  -D- PCtoRDRGetSlotStatus
  -D- RDRtoPCSlotStatus
  Write2(10) E2 st:0x8E01 Wr EoNo callBack
  Read1(270)
  E1 st:0xA8240 Rd 10 Eo-D- typ=0x62
  -D- PCtoRDRIccPowerOn
  -D- ISO7816_GetChar TimeOut
  -D- ISO7816_GetChar TimeOut
  Length = 2
  ATR = 00 00
  Write2(12) E2 st:0x8601 Wr EoNo callBack
  Read1(270)
  E1 st:0xA8A02 Rd 10 Eo-D- typ=0x65
  -D- PCtoRDRGetSlotStatus
  -D- RDRtoPCSlotStatus
  Write2(10) E2 st:0x8E01 Wr EoNo callBack
  Read1(270)
  E1 st:0xA8240 Rd 10 Eo-D- typ=0x65
  -D- PCtoRDRGetSlotStatus
  -D- RDRtoPCSlotStatus
  Write2(10) E2 st:0x8601 Wr EoNo callBack
  Read1(270)

PCSCD:

  99999999 ifdhandler.c:1123:IFDHPowerICC() action: PowerUp, usb:03eb/6129:libudev:0:/dev/bus/usb/004/050 (lun: 0)
  00028299 eventhandler.c:372:EHStatusHandlerThread() powerState: POWER_STATE_POWERED
  00000009 eventhandler.c:387:EHStatusHandlerThread() Card inserted into Simtrace CCID
  (0123456789AF) 00 00
  00000006 Card ATR: 00 00
  05009700 eventhandler.c:446:EHStatusHandlerThread() powerState: POWER_STATE_UNPOWERED

Entry: CCID
Date: Tue Oct 29 18:16:10 EDT 2013

The weird thing is that when I disable the new code, the thing doesn't do anything. When I enable it, it does something.

This would require some serious time investment to get to work. Probably to revert back to the original code by Harald, then add a minimal set of patches.

Entry: Rewinding to master
Date: Tue Oct 29 18:59:33 EDT 2013

Not all of the CCID errors make any sense. Probably best to remove some of the pcsc bugs first. I.e. this one:
http://arch.debian.org/tracker/?func=detail&atid=410088&aid=313651&group_id=30105

Here's a CCID emulator:
https://chromium.googlesource.com/chromiumos/third_party/qemu/+/25985396423706d8fba9bd8c0e49217844700299/hw/usb-ccid.c

So either fix the pcsc bug, or implement the datarates call.

For the USB control call:
- find the datarates message type
- find out how to send a reply: USBD_Write()

Using a dummy u32 = 0 write it gets a bit further:

  00008859 ccid_usb.c:1032:get_data_rates() declared: 0 bps

After that it fails with the earlier error:

  00016780 ifdwrapper.c:348:IFDStatusICC() Card not transacted: 612

Next: try to add this to the apdu_phone branch.

Entry: Integration issues
Date: Wed Oct 30 10:32:41 EDT 2013

An attempt to capture the state of the MITM code.

- Basic idea: export the ISO7816-4 slave-side

I spent another day trying to merge the CCID and new APDU forwarder code.

Current state of the MITM firmware:

- approach for slave-side: use USB VENDOR control requests to:
  - set ATR and other state machine options
- Issues:
  - Original CCID code doesn't work for me.

Entry: simtrace README
Date: Wed Oct 30 11:52:07 EDT 2013

An anecdotal aside: I've experienced a lot of trouble with my development setup: hard crashes that were only resolved by power-cycling host Linux PC and/or USB hubs.
I don't have enough experience developing USB firmware to figure out what is wrong with my setup. The number of possible failure points seems too high. I've switched PCs, Linux versions, USB hubs and cables, and still can't figure out the pattern.. I've run into this kind of trouble developing PIC USB firmware as well.

Entry: Merge qemu osmocom
Date: Wed Dec 11 19:01:00 EST 2013

  [master] tom@tx:~/git/qemu-osmocom$ git pull ~/git/qemu-dev master
  remote: Counting objects: 66880, done.
  remote: Compressing objects: 100% (14136/14136), done.
  remote: Total 65545 (delta 52474), reused 64130 (delta 51162)
  Receiving objects: 100% (65545/65545), 19.17 MiB | 16.88 MiB/s, done.
  Resolving deltas: 100% (52474/52474), completed with 1012 local objects.
  From /home/tom/git/qemu-dev
   * branch            master     -> FETCH_HEAD

Removing xtensa-semi.c Removing xen-mapcache.h Removing x86_64.ld Removing vmstate.h Removing usb-stub.c Removing usb-redir.c Removing usb-linux.c Removing usb-bsd.c Removing ui/vnc-jobs-sync.c Removing ui/vnc-jobs-async.c Removing ui/spice-display.h Removing ui/qemu-spice.h Removing trace/stderr.h Removing thunk.h Removing test-string-output-visitor.c Removing test-string-input-visitor.c Removing test-qmp-output-visitor.c Removing test-qmp-input-visitor.c Removing test-qmp-commands.c Removing test-coroutine.c Removing tci-dis.c Removing tcg/hppa/tcg-target.h Removing tcg/hppa/tcg-target.c Removing targphys.h Removing target-xtensa/machine.c Removing target-xtensa/helpers.h Removing target-sparc/op_helper.c Removing target-sparc/cpu_init.c Removing target-sh4/machine.c Removing target-s390x/op_helper.c Removing target-s390x/machine.c Removing target-s390x/helpers.h Removing target-ppc/op_helper.c Removing target-ppc/helper.c Removing target-microblaze/machine.c Removing target-m68k/machine.c Removing target-m68k/helpers.h Removing target-i386/op_helper.c Removing target-i386/hyperv.h Removing target-i386/hyperv.c Removing target-i386/helper_template.h Removing
target-i386/cpuid.c Removing target-alpha/op_helper.c Removing sysemu.h Removing sparc64.ld Removing sparc.ld Removing sparc-dis.c Removing softmmu_template.h Removing softmmu_header.h Removing softmmu_exec.h Removing softmmu_defs.h Removing softmmu-semi.h Removing sh4-dis.c Adding scripts/tracetool/format/stap.py Adding scripts/tracetool/format/h.py Adding scripts/tracetool/format/events_h.py Adding scripts/tracetool/format/events_c.py Adding scripts/tracetool/format/d.py Adding scripts/tracetool/format/c.py Adding scripts/tracetool/format/__init__.py Adding scripts/tracetool/backend/ust.py Adding scripts/tracetool/backend/stderr.py Adding scripts/tracetool/backend/simple.py Adding scripts/tracetool/backend/ftrace.py Adding scripts/tracetool/backend/events.py Adding scripts/tracetool/backend/dtrace.py Adding scripts/tracetool/backend/__init__.py Adding scripts/tracetool/__init__.py Removing scripts/tracetool Removing scripts/signrom.sh Removing s390.ld Removing s390-dis.c Removing readline.h Removing range.h Removing qstring.h Removing qstring.c Removing qom/Makefile Removing qobject.h Removing qlist.h Removing qlist.c Removing qjson.h Removing qjson.c Removing qint.h Removing qint.c Removing qfloat.h Removing qfloat.c Removing qerror.h Removing qerror.c Removing qemu_socket.h Removing qemu-tool.c Removing qemu-timer.h Removing qemu-timer-common.c Removing qemu-thread.h Removing qemu-thread-win32.h Removing qemu-thread-win32.c Removing qemu-thread-posix.h Removing qemu-thread-posix.c Removing qemu-sockets.c Removing qemu-queue.h Removing qemu-progress.c Removing qemu-os-win32.h Removing qemu-os-posix.h Removing qemu-option.h Removing qemu-option.c Removing qemu-objects.h Removing qemu-log.h Removing qemu-ga.c Removing qemu-file.h Removing qemu-error.h Removing qemu-error.c Removing qemu-coroutine.h Removing qemu-coroutine-int.h Removing qemu-config.h Removing qemu-config.c Removing qemu-common.h Removing qemu-char.h Removing qemu-barrier.h Removing qemu-aio.h 
Removing qdict.h Removing qdict.c Removing qbool.h Removing qbool.c Removing qapi/string-output-visitor.h Removing qapi/string-input-visitor.h Removing qapi/qmp-output-visitor.h Removing qapi/qmp-input-visitor.h Removing qapi/qmp-core.h Removing qapi/qapi-visit-impl.h Removing qapi/qapi-visit-core.h Removing qapi/qapi-types-core.h Removing qapi/qapi-dealloc-visitor.h Removing qapi-schema-test.json Removing qapi-schema-guest.json Removing ppc64.ld Removing ppc.ld Removing ppc-dis.c Removing posix-aio-compat.c Removing poison.h Removing pflib.h Removing pflib.c Removing pci-ids.txt Removing pc-bios/mpc8544ds.dts Removing pc-bios/mpc8544ds.dtb Removing path.c Removing oslib-win32.c Removing oslib-posix.c Removing osdep.h Removing osdep.c Removing notify.h Removing notify.c Removing net/vde.h Removing net/tap.h Removing net/socket.h Removing net/slirp.h Removing net/queue.h Removing net/dump.h Removing net/checksum.h Removing net.h Removing net.c Removing nbd.h Removing monitor.h Removing module.c Removing mips.ld Removing mips-dis.c Removing migration.h Removing microblaze-dis.c Removing memory.h Removing main-loop.h Removing m68k.ld Removing m68k-semi.c Removing m68k-dis.c Removing linux-user/qemu-types.h Removing linux-user/mipsn32/termbits.h Removing linux-user/mipsn32/target_signal.h Removing linux-user/mipsn32/syscall_nr.h Removing linux-user/mipsn32/syscall.h Removing linux-aio.c Removing libfdt_env.h Removing kvm.h Removing json-streamer.h Removing json-streamer.c Removing json-parser.h Removing json-parser.c Removing json-lexer.h Removing json-lexer.c Removing iov.h Removing iov.c Removing iorange.h Removing ioport.h Removing ioport-user.c Removing int128.h Removing input.c Removing include/qemu/qom-qobject.h Removing include/qemu/object.h Removing ia64.ld Removing ia64-dis.c Removing i386.ld Removing i386-dis.c Removing hw/zaurus.c Removing hw/z2.c Removing hw/xtensa_sim.c Removing hw/xtensa_pic.c Removing hw/xtensa_lx60.c Removing hw/xio3130_upstream.h 
Removing hw/xio3130_upstream.c Removing hw/xio3130_downstream.h Removing hw/xio3130_downstream.c Removing hw/xilinx_uartlite.c Removing hw/xilinx_timer.c Removing hw/xilinx_intc.c Removing hw/xilinx_ethlite.c Removing hw/xilinx_axienet.c Removing hw/xilinx_axidma.h Removing hw/xilinx_axidma.c Removing hw/xilinx.h Removing hw/xics.h Removing hw/xics.c Removing hw/xgmac.c Removing hw/xenfb.c Removing hw/xen_platform.c Removing hw/xen_nic.c Removing hw/xen_machine_pv.c Removing hw/xen_domainbuild.h Removing hw/xen_domainbuild.c Removing hw/xen_disk.c Removing hw/xen_devconfig.c Removing hw/xen_console.c Removing hw/xen_common.h Removing hw/xen_backend.h Removing hw/xen_backend.c Removing hw/xen.h Removing hw/wm8750.c Removing hw/wdt_ib700.c Removing hw/wdt_i6300esb.c Removing hw/watchdog.h Removing hw/watchdog.c Removing hw/vt82c686.c Removing hw/vmware_vga.h Removing hw/vmware_vga.c Removing hw/vmport.c Removing hw/vmmouse.c Removing hw/virtio.h Removing hw/virtio.c Removing hw/virtio-serial.h Removing hw/virtio-serial-bus.c Removing hw/virtio-scsi.h Removing hw/virtio-scsi.c Removing hw/virtio-pci.h Removing hw/virtio-pci.c Removing hw/virtio-net.h Removing hw/virtio-net.c Removing hw/virtio-console.c Removing hw/virtio-blk.h Removing hw/virtio-blk.c Removing hw/virtio-balloon.h Removing hw/virtio-balloon.c Removing hw/virtex_ml507.c Removing hw/vhost_net.h Removing hw/vhost_net.c Removing hw/vhost.h Removing hw/vhost.c Removing hw/vga_template.h Removing hw/vga_int.h Removing hw/vga.c Removing hw/vga-pci.c Removing hw/vga-isa.c Removing hw/vga-isa-mm.c Removing hw/vexpress.c Removing hw/versatilepb.c Removing hw/versatile_pci.c Removing hw/usb.h Removing hw/usb.c Removing hw/usb-xhci.c Removing hw/usb-wacom.c Removing hw/usb-uhci.h Removing hw/usb-uhci.c Removing hw/usb-serial.c Removing hw/usb-ohci.h Removing hw/usb-ohci.c Removing hw/usb-net.c Removing hw/usb-musb.c Removing hw/usb-msd.c Removing hw/usb-libhw.c Removing hw/usb-hub.c Removing hw/usb-hid.c Removing 
hw/usb-ehci.c Removing hw/usb-desc.h Removing hw/usb-desc.c Removing hw/usb-ccid.c Removing hw/usb-bus.c Removing hw/usb-bt.c Removing hw/usb-audio.c Removing hw/unin_pci.c Removing hw/twl92230.c Removing hw/tusb6010.c Removing hw/tsc210x.c Removing hw/tsc2005.c Removing hw/tosa.c Removing hw/tmp105.c Removing hw/tcx.c Removing hw/tc6393xb_template.h Removing hw/tc6393xb.c Removing hw/tc58128.c Removing hw/sysbus.h Removing hw/sysbus.c Removing hw/sun4u.c Removing hw/sun4m_iommu.c Removing hw/sun4m.h Removing hw/sun4m.c Removing hw/sun4c_intctl.c Removing hw/strongarm.h Removing hw/strongarm.c Removing hw/stellaris_input.c Removing hw/stellaris_enet.c Removing hw/stellaris.c Removing hw/ssi.h Removing hw/ssi.c Removing hw/ssi-sd.c Removing hw/ssd0323.c Removing hw/ssd0303.c Removing hw/srp.h Removing hw/spitz.c Removing hw/sparc32_dma.h Removing hw/sparc32_dma.c Removing hw/spapr_vty.c Removing hw/spapr_vscsi.c Removing hw/spapr_vio.h Removing hw/spapr_vio.c Removing hw/spapr_rtas.c Removing hw/spapr_pci.h Removing hw/spapr_pci.c Removing hw/spapr_llan.c Removing hw/spapr_hcall.c Removing hw/spapr.h Removing hw/spapr.c Removing hw/soc_dma.h Removing hw/soc_dma.c Removing hw/smc91c111.c Removing hw/smbus_eeprom.c Removing hw/smbus.h Removing hw/smbus.c Removing hw/smbios.h Removing hw/smbios.c Removing hw/sm501.c Removing hw/slavio_timer.c Removing hw/slavio_misc.c Removing hw/slavio_intctl.c Removing hw/shix.c Removing hw/sharpsl.h Removing hw/sh_timer.c Removing hw/sh_serial.c Removing hw/sh_pci.c Removing hw/sh_intc.h Removing hw/sh_intc.c Removing hw/sh7750_regnames.c Removing hw/sh7750.c Removing hw/sh.h Removing hw/sga.c Removing hw/serial.c Removing hw/sd.h Removing hw/sd.c Removing hw/scsi.h Removing hw/scsi-generic.c Removing hw/scsi-disk.c Removing hw/scsi-defs.h Removing hw/scsi-bus.c Removing hw/sbi.c Removing hw/sb16.c Removing hw/s390-virtio.c Removing hw/s390-virtio-bus.h Removing hw/s390-virtio-bus.c Removing hw/rtl8139.c Removing hw/realview_gic.c 
Removing hw/realview.c Removing hw/rc4030.c Removing hw/r2d.c Removing hw/qxl.h Removing hw/qxl.c Removing hw/qxl-render.c Removing hw/qxl-logger.c Removing hw/qdev.h Removing hw/qdev.c Removing hw/qdev-properties.c Removing hw/qdev-monitor.c Removing hw/qdev-addr.h Removing hw/qdev-addr.c Removing hw/pxa2xx_timer.c Removing hw/pxa2xx_pic.c Removing hw/pxa2xx_pcmcia.c Removing hw/pxa2xx_mmci.c Removing hw/pxa2xx_lcd.c Removing hw/pxa2xx_keypad.c Removing hw/pxa2xx_gpio.c Removing hw/pxa2xx_dma.c Removing hw/pxa2xx.c Removing hw/pxa.h Removing hw/ptimer.h Removing hw/ptimer.c Removing hw/ps2.h Removing hw/ps2.c Removing hw/prep_pci.c Removing hw/ppce500_spin.c Removing hw/ppce500_pci.c Removing hw/ppce500_mpc8544ds.c Removing hw/ppc_prep.c Removing hw/ppc_oldworld.c Removing hw/ppc_newworld.c Removing hw/ppc_mac.h Removing hw/ppc_booke.c Removing hw/ppc4xx_pci.c Removing hw/ppc4xx_devs.c Removing hw/ppc4xx.h Removing hw/ppc440_bamboo.c Removing hw/ppc405_uc.c Removing hw/ppc405_boards.c Removing hw/ppc405.h Removing hw/ppc.h Removing hw/ppc.c Removing hw/pm_smbus.h Removing hw/pm_smbus.c Removing hw/pl190.c Removing hw/pl181.c Removing hw/pl110_template.h Removing hw/pl110.c Removing hw/pl080.c Removing hw/pl061.c Removing hw/pl050.c Removing hw/pl041.c Removing hw/pl031.c Removing hw/pl022.c Removing hw/pl011.c Removing hw/piix_pci.c Removing hw/piix4.c Removing hw/pflash_cfi02.c Removing hw/pflash_cfi01.c Removing hw/petalogix_s3adsp1800_mmu.c Removing hw/petalogix_ml605_mmu.c Removing hw/pcspk.h Removing hw/pcspk.c Removing hw/pcnet.h Removing hw/pcnet.c Removing hw/pcnet-pci.c Removing hw/pcmcia.h Removing hw/pckbd.c Removing hw/pcie_port.h Removing hw/pcie_port.c Removing hw/pcie_host.h Removing hw/pcie_host.c Removing hw/pcie_aer.h Removing hw/pcie_aer.c Removing hw/pcie.h Removing hw/pcie.c Removing hw/pci_regs.h Removing hw/pci_internals.h Removing hw/pci_ids.h Removing hw/pci_host.h Removing hw/pci_host.c Removing hw/pci_bridge.h Removing hw/pci_bridge.c 
Removing hw/pci.h Removing hw/pci.c Removing hw/pci-stub.c Removing hw/pci-hotplug.c Removing hw/pc_sysfw.c Removing hw/pc_piix.c Removing hw/pc.h Removing hw/pc.c Removing hw/parallel.c Removing hw/palm.c Removing hw/openpic.h Removing hw/openpic.c Removing hw/opencores_eth.c Removing hw/onenand.c Removing hw/omap_uart.c Removing hw/omap_tap.c Removing hw/omap_synctimer.c Removing hw/omap_sx1.c Removing hw/omap_spi.c Removing hw/omap_sdrc.c Removing hw/omap_mmc.c Removing hw/omap_lcdc.c Removing hw/omap_l4.c Removing hw/omap_intc.c Removing hw/omap_i2c.c Removing hw/omap_gptimer.c Removing hw/omap_gpmc.c Removing hw/omap_gpio.c Removing hw/omap_dss.c Removing hw/omap_dma.c Removing hw/omap_clk.c Removing hw/omap2.c Removing hw/omap1.c Removing hw/omap.h Removing hw/nvram.h Removing hw/nseries.c Removing hw/ne2000.h Removing hw/ne2000.c Removing hw/ne2000-isa.c Removing hw/nand.c Removing hw/musicpal.c Removing hw/multiboot.h Removing hw/multiboot.c Removing hw/mst_fpga.c Removing hw/msmouse.h Removing hw/msmouse.c Removing hw/msix.h Removing hw/msix.c Removing hw/msi.h Removing hw/msi.c Removing hw/mpc8544_guts.c Removing hw/mipsnet.c Removing hw/mips_timer.c Removing hw/mips_r4k.c Removing hw/mips_mipssim.c Removing hw/mips_malta.c Removing hw/mips_jazz.c Removing hw/mips_int.c Removing hw/mips_fulong2e.c Removing hw/mips_cpudevs.h Removing hw/mips_addr.c Removing hw/mips.h Removing hw/milkymist.c Removing hw/milkymist-vgafb_template.h Removing hw/milkymist-vgafb.c Removing hw/milkymist-uart.c Removing hw/milkymist-tmu2.c Removing hw/milkymist-sysctl.c Removing hw/milkymist-softusb.c Removing hw/milkymist-pfpu.c Removing hw/milkymist-minimac2.c Removing hw/milkymist-memcard.c Removing hw/milkymist-hw.h Removing hw/milkymist-hpdmc.c Removing hw/milkymist-ac97.c Removing hw/microblaze_pic_cpu.h Removing hw/microblaze_pic_cpu.c Removing hw/mcf_uart.c Removing hw/mcf_intc.c Removing hw/mcf_fec.c Removing hw/mcf5208.c Removing hw/mcf5206.c Removing hw/mcf.h Removing 
hw/mc146818rtc.h Removing hw/mc146818rtc.c Removing hw/max7310.c Removing hw/max111x.c Removing hw/marvell_88w8618_audio.c Removing hw/mainstone.c Removing hw/macio.c Removing hw/mac_nvram.c Removing hw/mac_dbdma.h Removing hw/mac_dbdma.c Removing hw/m48t59.c Removing hw/lsi53c895a.c Removing hw/loader.h Removing hw/loader.c Removing hw/lm832x.c Removing hw/lm4549.h Removing hw/lm4549.c Removing hw/lm32_uart.c Removing hw/lm32_timer.c Removing hw/lm32_sys.c Removing hw/lm32_pic.h Removing hw/lm32_pic.c Removing hw/lm32_juart.h Removing hw/lm32_juart.c Removing hw/lm32_hwsetup.h Removing hw/lm32_boards.c Removing hw/lm32.h Removing hw/leon3.c Removing hw/lance.c Removing hw/lan9118.c Removing hw/kvmvapic.c Removing hw/kvm/ioapic.c Removing hw/kvm/i8259.c Removing hw/kvm/clock.c Removing hw/kvm/apic.c Removing hw/jazz_led.c Removing hw/ivshmem.c Removing hw/isa_mmio.c Removing hw/isa.h Removing hw/isa-bus.c Removing hw/irq.h Removing hw/irq.c Removing hw/ioh3420.h Removing hw/ioh3420.c Removing hw/ioapic_internal.h Removing hw/ioapic_common.c Removing hw/ioapic.h Removing hw/ioapic.c Removing hw/intel-hda.h Removing hw/intel-hda.c Removing hw/integratorcp.c Removing hw/ide.h Removing hw/i8259_internal.h Removing hw/i8259_common.c Removing hw/i8259.c Removing hw/i8254.h Removing hw/i8254.c Removing hw/i82378.c Removing hw/i82374.c Removing hw/i2c.h Removing hw/i2c.c Removing hw/hw.h Removing hw/hpet_emul.h Removing hw/hpet.c Removing hw/highbank.c Removing hw/hid.h Removing hw/hid.c Removing hw/heathrow_pic.c Removing hw/hda-audio.c Removing hw/gus.c Removing hw/gumstix.c Removing hw/gt64xxx.c Removing hw/grlib_irqmp.c Removing hw/grlib_gptimer.c Removing hw/grlib_apbuart.c Removing hw/grlib.h Removing hw/grackle_pci.c Removing hw/g364fb.c Removing hw/fw_cfg.h Removing hw/fw_cfg.c Removing hw/framebuffer.h Removing hw/framebuffer.c Removing hw/flash.h Removing hw/fdc.h Removing hw/fdc.c Removing hw/exynos4_boards.c Removing hw/exynos4210_uart.c Removing 
hw/exynos4210_pwm.c Removing hw/exynos4210_pmu.c Removing hw/exynos4210_mct.c Removing hw/exynos4210_gic.c Removing hw/exynos4210_fimd.c Removing hw/exynos4210_combiner.c Removing hw/exynos4210.h Removing hw/exynos4210.c Removing hw/etraxfs_timer.c Removing hw/etraxfs_ser.c Removing hw/etraxfs_pic.c Removing hw/etraxfs_eth.c Removing hw/etraxfs_dma.h Removing hw/etraxfs_dma.c Removing hw/etraxfs.h Removing hw/esp.h Removing hw/esp.c Removing hw/escc.h Removing hw/escc.c Removing hw/es1370.c Removing hw/empty_slot.h Removing hw/empty_slot.c Removing hw/elf_ops.h Removing hw/eeprom93xx.c Removing hw/eepro100.c Removing hw/eccmemctl.c Removing hw/ecc.c Removing hw/e1000_hw.h Removing hw/e1000.c Removing hw/dummy_m68k.c Removing hw/ds1338.c Removing hw/ds1225y.c Removing hw/dp8393x.c Removing hw/dma.c Removing hw/devices.h Removing hw/device-hotplug.c Removing hw/dec_pci.h Removing hw/dec_pci.c Removing hw/debugcon.c Removing hw/cuda.c Removing hw/cs4231a.c Removing hw/cs4231.c Removing hw/cris_pic_cpu.c Removing hw/cris-boot.h Removing hw/cris-boot.c Removing hw/collie.c Removing hw/cirrus_vga.c Removing hw/cdrom.c Removing hw/ccid.h Removing hw/ccid-card-passthru.c Removing hw/ccid-card-emulated.c Removing hw/cbus.c Removing hw/bt.h Removing hw/bt.c Removing hw/bt-sdp.c Removing hw/bt-l2cap.c Removing hw/bt-hid.c Removing hw/bt-hci.c Removing hw/bt-hci-csr.c Removing hw/bonito.c Removing hw/boards.h Removing hw/blizzard_template.h Removing hw/blizzard.c Removing hw/bitbang_i2c.h Removing hw/bitbang_i2c.c Removing hw/baum.h Removing hw/baum.c Removing hw/axis_dev88.c Removing hw/audiodev.h Removing hw/armv7m_nvic.c Removing hw/armv7m.c Removing hw/arm_timer.c Removing hw/arm_sysctl.c Removing hw/arm_pic.c Removing hw/arm_mptimer.c Removing hw/arm_l2x0.c Removing hw/arm_gic.c Removing hw/arm_boot.c Removing hw/arm11mpcore.c Removing hw/arm-misc.h Removing hw/applesmc.c Removing hw/apm.h Removing hw/apm.c Removing hw/apic_internal.h Removing hw/apic_common.c Removing 
hw/apic.h Removing hw/apic.c Removing hw/apb_pci.h Removing hw/apb_pci.c Removing hw/an5206.c Removing hw/alpha_typhoon.c Removing hw/alpha_sys.h Removing hw/alpha_pci.c Removing hw/alpha_dp264.c Removing hw/ads7846.c Removing hw/adlib.c Removing hw/adb.h Removing hw/adb.c Removing hw/acpi_piix4.c Removing hw/acpi.h Removing hw/acpi.c Removing hw/ac97.c Removing hw/a9mpcore.c Removing hw/a15mpcore.c Removing hw/9p.h Removing hppa.ld Removing hppa-dis.c Removing host-utils.h Removing host-utils.c Removing gen-icount.h Removing gdbstub.h Removing fpu/softfloat.h Removing exec-obsolete.h Removing exec-memory.h Removing exec-all.h Removing event_notifier.h Removing event_notifier.c Removing error_int.h Removing error.h Removing error.c Removing envlist.c Removing elf.h Removing dyngen-exec.h Removing dma.h Removing disas.h Removing dis-asm.h Removing device_tree.h Removing default-configs/ppc-darwin-user.mak Removing default-configs/i386-darwin-user.mak Removing def-helper.h Removing darwin-user/syscalls.h Removing darwin-user/syscall.c Removing darwin-user/signal.c Removing darwin-user/qemu.h Removing darwin-user/mmap.c Removing darwin-user/main.c Removing darwin-user/machload.c Removing darwin-user/ioctls_types.h Removing darwin-user/ioctls.h Removing darwin-user/commpage.c Removing cutils.c Removing cursor.c Removing cris-dis.c Removing cpus.h Removing cpu-defs.h Removing cpu-common.h Removing cpu-all.h Removing console.h Removing console.c Removing compiler.h Removing compatfd.c Removing cmd.h Removing cmd.c Removing check-qstring.c Removing check-qlist.c Removing check-qjson.c Removing check-qint.c Removing check-qfloat.c Removing check-qdict.c Removing cache-utils.h Removing cache-utils.c Removing buffered_file.h Removing buffered_file.c Removing bt-host.h Removing bswap.h Removing bsd-user/qemu-types.h Removing blockdev.h Removing block_int.h Removing block/raw.c Removing block/raw-posix-aio.h Removing block.h Removing bitops.h Removing bitops.c Removing 
bitmap.h Removing bitmap.c Removing balloon.h Removing arm.ld Removing arm-semi.c Removing arm-dis.c Removing arch_init.h Removing alpha.ld Removing alpha-dis.c Removing aio.c Removing aes.h Removing aes.c Removing acl.h Removing acl.c Removing a.out.h Removing TODO Removing QMP/qmp.py Removing QMP/qmp-spec.txt Removing QMP/qmp-shell Removing QMP/qmp-events.txt Removing QMP/README Removing Makefile.user

  Auto-merging Makefile.target
  CONFLICT (content): Merge conflict in Makefile.target
  Removing Makefile.hw
  Removing Makefile.dis
  warning: inexact rename detection was skipped due to too many files.
  warning: you may want to set your merge.renamelimit variable to at least 2169 and retry the command.
  Automatic merge failed; fix conflicts and then commit the result.
  [master] tom@tx:~/git/qemu-osmocom$

Hmm... unexpected trouble.

The last merge was this, which is in mainline qemu
  2aeabc08179553e1a7eed6cf26286c3efc06ee0b

[osmocom_cc32rs512] tom@tx:~/git/qemu-osmocom$ git diff last_master
diff --git a/Makefile.target b/Makefile.target
index 343eb78..7513e5d 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -374,6 +374,7 @@ obj-arm-y += vexpress.o
 obj-arm-y += strongarm.o
 obj-arm-y += collie.o
 obj-arm-y += pl041.o lm4549.o
+obj-arm-y += cc32rs512.o cc32_iso_slave.o
 obj-arm-$(CONFIG_FDT) += device_tree.o
 obj-sh4-y = shix.o r2d.o sh7750.o sh7750_regnames.o tc58128.o
diff --git a/hw/cc32_iso_slave.c b/hw/cc32_iso_slave.c
...
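Review bot: the only hunk, `+obj-arm-y += cc32rs512.o cc32_iso_slave.o` in Makefile.target, lands exactly on the file the pull above reports as `CONFLICT (content): Merge conflict in Makefile.target`, and the same pull removes Makefile.hw and Makefile.dis, so the per-target object list this line extends is not something a three-way merge can carry forward; re-adding the two objects by hand in whatever object list the merged tree uses (or cherry-picking the two commits and resolving there, as the next paragraph suggests) is the safer route. While touching it, the adjacent context line `obj-arm-$(CONFIG_FDT) += device_tree.o` shows the tree's convention for optional devices; an unconditional `obj-arm-y` entry means the CC32RS512 board cannot be configured out. The two `hw/cc32*.c` diffs are elided ('...'), so nothing in the hunk shows what those objects depend on.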
diff --git a/hw/cc32rs512.c b/hw/cc32rs512.c
...

Hmm... maybe best to just cherry pick the patches..

  0aafdf2366e12d767555c6d25719a4fd34eef839 cc32rs512: add simulation of the built-in flash controller
  a4fb8f496a49976e8b6669a427d518c4dc98268d Initial support for the ChipCity CC32RS512 smart card

Entry: cc32rs512 qemu merge (again)
Date: Thu Dec 12 13:07:47 EST 2013

I experienced some trouble with the 2012-03-03 qemu, so I'm merging it with current mainline.
( Some build errors in the previous merge. Trying again with a clear head. )

Step 1: merge just the files into the tree, discarding makefile changes. See if it builds.

Doesn't :

  util/oslib-posix.c: In function ‘qemu_anon_ram_alloc’:
  util/oslib-posix.c:128:5: error: implicit declaration of function ‘trace_qemu_anon_ram_alloc’ [-Werror=implicit-function-declaration]
       trace_qemu_anon_ram_alloc(size, ptr);

Same error as before. I did build this with minimal options, so let's try that again.

EDIT: After manual cleaning of .o and .a files it worked.

Entry: Serial ports
Date: Thu Dec 12 17:40:41 EST 2013

Next for emulator: serial ports.

from osmo-cos/src/cc32/uart_sc16is740.c :
Sysmocom board has a debug port based on SPU sc16is740. I don't see a point emulating that, so what about a fake serial port in the system controller?