MagicSIM (wiki page, version 1)
laforge, 02/19/2016 10:47 PM
new page about 16-in-1 SIM
When you want to use OpenBSC with actual cryptographic authentication, the secret Ki of the SIM needs to be known.

Extracting the Ki of regular SIM cards issued by GSM operators is typically not possible.

Therefore, we need an alternative solution: a SIM with a known A3/A8 algorithm, into which we can program the actual Ki.

== Magic SIM 16-in-1 ==

Various stores around the world seem to be selling cheap so-called ''16-in-1'' SIM cards. They are intended for COMP128v1-based cloning, and enable the user to aggregate up to 16 SIM card identities on one card. They include a SIM toolkit (STK) application for switching the currently active identity from the phone UI.

Unfortunately those cards come without any documentation, and only with a proprietary Windows-based tool for programming.

We've spent some time reverse engineering those cards. Here is some information on how you can program them. Please note that this information assumes that you are generally familiar with ISO 7816-4 smart cards, as well as the GSM 11.11 specification.

=== DF.ADMIN ===

DF.ADMIN is a dedicated file (directory) with the File ID '''7f 4d'''. It contains EFs with the user-modifiable IMSI, Ki and other values.

You can change to DF.ADMIN using the SELECT sequence '''a0 a4 00 00 02 7f 4d''':
{{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 7f 4d
0000: 00 00 60 33 7f 4d 02 00 00 00 00 00 0a 91 08 18  ..`3.M..........
0010: 06 00 83 8a 83 8a 00                             .......
Normal execution (SW 9000)
}}}

=== EF.OPN Operator Name ===

EF.OPN is a record-oriented file with the File ID '''8f 0c''' and a record length of 0x12.

Records are numbered 0x02..0x11, one for each of the 16 identities that you can store on the SIM.

You can select and read the records in this file using the following example APDU sequence:
{{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0c
0000: 00 00 01 44 8f 0c 04 00 00 f0 44 01 02 01 12     ...D......D....
Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 02 04 12
0000: 4f 70 65 72 61 74 6f 72 31 ff ff ff ff ff ff ff  Operator1.......
0010: 09 01                                            ..
Normal execution (SW 9000)
}}}
In this example, record 0x02 (i.e. the first record) is called "Operator1".

=== EF 8f 0d: Ki, IMSI, ICCID ===

This EF contains the Ki (secret A3/A8 key), the IMSI (subscriber identity number) and the ICCID (card serial number). It is a record-oriented file with a record length of 0x4a bytes. There is one record for each of the identities that the card supports. They are numbered from 0x01 up to 0x10.

The following sequence reads the contents of this EF:
{{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0d
0000: 00 00 04 a0 8f 0d 04 00 00 f0 44 01 02 01 4a     ..........D...J
Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 01 04 4a
0000: 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22  """"""""""""""""
0010: 3f 00 2f e2 0a 44 44 44 44 44 44 44 44 44 44 7f  ?./..DDDDDDDDDD.
0020: 20 6f 07 09 11 11 11 11 11 11 11 11 11 6f 30 18   o...........o0.
0030: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
0040: ff ff ff ff ff ff ff ff ff ff                    ..........
Normal execution (SW 9000)
}}}

In this example, the following values have been filled in for illustration purposes:
* 22 = Ki, to be used for RUN GSM ALGORITHM (COMP128v1)
* 44 = ICCID, exported through EF.ICCID
* 11 = IMSI, exported through EF.IMSI
* ff = PLMN selector, exported through EF.PLMNsel

As you can also see, each of the file contents (except the Ki) is prefixed with the file name plus path, and the length:
{{{
DF DF EF EF LEN File content
3f 00 2f e2 0a  44 44 44 44 44 44 44 44 44 44
7f 20 6f 07 09  11 11 11 11 11 11 11 11 11
      6f 30 18  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
}}}
Note that the last entry (EF.PLMNsel, 6f 30) appears without a DF prefix. It is thus likely that you can generate arbitrary files+content, as long as the format is correct.

=== DF 8f 0e: SMS parameters ===

The content of records in DF '''8f 0e''' is used to generate EF.SMSP (short message service parameters). It is a record-based file with a record length of 0x32 bytes. Records are numbered from 0x01 through 0x10.

Reading this file works as follows:
{{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0e
0000: 00 00 03 20 8f 0e 04 00 00 f0 44 01 02 01 32     ... ......D...2
Normal execution (SW 9000)
(GSM, ISO 7816-4) > a0 b2 01 04 32
0000: 3f 00 7f 10 6f 42 01 28 ff ff ff ff ff ff ff ff  ?...oB.(........
0010: ff ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff  ................
0020: ff 08 91 33 33 33 33 33 33 33 33 33 33 ff ff ff  ...3333333333...
0030: ff ff                                            ..
Normal execution (SW 9000)
}}}

The content seems to be similar to the previous file:
* 3f 00 is the MF
* 7f 10 is DF.telecom
* 6f 42 is EF.SMSP
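The APDUs and record layouts documented in the DF.ADMIN, EF.OPN, EF 8f 0d and 8f 0e sections above, collected into a small Python module. This is an added example, not code from the original page or from the Osmocom projects. It builds the SELECT and READ RECORD APDUs shown on the page, decodes the GSM 11.11 SELECT response (file size, file ID, file type, record length), splits an EF 8f 0d record into the Ki and its "DF DF EF EF LEN content" entries (handling the DF-less EF.PLMNsel entry), and rebuilds such a record so the layout can be verified before programming a card. The sample records are the hex dumps copied from the page. Treating the two bytes after the EF id in the 8f 0e record (01 28) as a record number and a length is an assumption, since the page stops before explaining them. No card I/O is included; the APDU bytes are meant to be passed to whatever transport you use (pySim, pyscard).

```python
"""Decode the MagicSIM 16-in-1 DF.ADMIN structures (added example)."""
from typing import List, Tuple

Entry = Tuple[List[int], int, bytes]  # (DF path, EF id, file content)

# EF 8f 0d record 1 exactly as dumped on the page (0x4a bytes, illustration values).
SAMPLE_IDENTITY_RECORD = bytes.fromhex(
    "22" * 16 + "3f002fe20a" + "44" * 10 + "7f206f0709" + "11" * 9
    + "6f3018" + "ff" * 24 + "ffff")
# 8f 0e record 1 exactly as dumped on the page (0x32 bytes).
SAMPLE_SMSP_RECORD = bytes.fromhex(
    "3f007f106f420128" + "ff" * 12 + "fd" + "ff" * 12
    + "0891" + "33" * 10 + "ff" * 5)


def select_apdu(file_id: int) -> bytes:
    """SELECT by file ID with GSM class byte: a0 a4 00 00 02 <fid>."""
    return bytes([0xA0, 0xA4, 0x00, 0x00, 0x02]) + file_id.to_bytes(2, "big")


def read_record_apdu(rec_no: int, rec_len: int) -> bytes:
    """READ RECORD in absolute mode (P2 = 04): a0 b2 <rec> 04 <len>."""
    return bytes([0xA0, 0xB2, rec_no, 0x04, rec_len])


def parse_select_response(resp: bytes) -> dict:
    """Decode a GSM 11.11 SELECT response: size (bytes 3-4), file ID (5-6),
    file type (7: 01 MF, 02 DF, 04 EF); for a linear-fixed EF (byte 14 == 01)
    byte 15 is the record length."""
    info = {"size": int.from_bytes(resp[2:4], "big"),
            "file_id": int.from_bytes(resp[4:6], "big"),
            "type": resp[6]}
    if info["type"] == 0x04 and len(resp) >= 15 and resp[13] == 0x01:
        info["rec_len"] = resp[14]
        info["num_records"] = info["size"] // resp[14]
    return info


def parse_path(buf: bytes, pos: int) -> Tuple[List[int], int, int]:
    """Read 'DF DF ... EF EF' at pos. DF ids start with 3f (MF) or 7f, EF ids
    with 2f or 6f (GSM 11.11 numbering). Returns (path, ef, next_pos)."""
    path: List[int] = []
    while pos + 1 < len(buf) and buf[pos] in (0x3F, 0x7F):
        path.append(int.from_bytes(buf[pos:pos + 2], "big"))
        pos += 2
    if pos + 1 >= len(buf) or buf[pos] not in (0x2F, 0x6F):
        raise ValueError(f"no EF id at offset {pos:#x}")
    return path, int.from_bytes(buf[pos:pos + 2], "big"), pos + 2


def parse_identity_record(rec: bytes) -> Tuple[bytes, List[Entry]]:
    """Split an EF 8f 0d record into the 16-byte Ki and its entries.
    The DF prefix may be absent (EF.PLMNsel in the page's dump); trailing
    ff bytes are padding."""
    if len(rec) != 0x4A:
        raise ValueError("EF 8f 0d records are 0x4a bytes long")
    ki, entries, pos = rec[:16], [], 16
    while pos < len(rec) and rec[pos] != 0xFF:
        path, ef, pos = parse_path(rec, pos)
        length = rec[pos]
        content = rec[pos + 1:pos + 1 + length]
        if len(content) != length:
            raise ValueError(f"entry for EF {ef:04x} is truncated")
        entries.append((path, ef, content))
        pos += 1 + length
    return ki, entries


def build_identity_record(ki: bytes, entries: List[Entry], rec_len: int = 0x4A) -> bytes:
    """Inverse of parse_identity_record: Ki, then the entries, padded with ff."""
    if len(ki) != 16:
        raise ValueError("Ki must be 16 bytes")
    out = bytearray(ki)
    for path, ef, content in entries:
        if len(content) > 0xFF:
            raise ValueError("entry content longer than one length byte allows")
        for df in path:
            out += df.to_bytes(2, "big")
        out += ef.to_bytes(2, "big") + bytes([len(content)]) + content
    if len(out) > rec_len:
        raise ValueError("entries do not fit into the record")
    return bytes(out) + b"\xff" * (rec_len - len(out))


def parse_smsp_record(rec: bytes) -> Entry:
    """Split an 8f 0e record into path, EF id and EF.SMSP content. Reading the
    bytes after the EF id as record number (01) and length (28 = 40 bytes) is
    an assumption; it matches the 0x32-byte record (8 + 40 + 2 bytes padding)."""
    path, ef, pos = parse_path(rec, 0)
    length = rec[pos + 1]
    content = rec[pos + 2:pos + 2 + length]
    if len(content) != length:
        raise ValueError("EF.SMSP content is truncated")
    return path, ef, content


if __name__ == "__main__":
    # SELECT responses for 8f 0c, 8f 0d and 8f 0e, copied from the page.
    for hexresp in ("000001448f0c040000f04401020112",
                    "000004a08f0d040000f0440102014a",
                    "000003208f0e040000f04401020132"):
        fci = parse_select_response(bytes.fromhex(hexresp))
        print(f"EF {fci['file_id']:04x}: {fci['num_records']} records of {fci['rec_len']:#x} bytes")
    ki, entries = parse_identity_record(SAMPLE_IDENTITY_RECORD)
    print("Ki:", ki.hex())
    for path, ef, content in entries:
        print("  path", [f"{df:04x}" for df in path], f"EF {ef:04x}", content.hex())
    path, ef, content = parse_smsp_record(SAMPLE_SMSP_RECORD)
    print("SMSP:", [f"{df:04x}" for df in path], f"EF {ef:04x}", len(content), "bytes")
```

Running the module prints the record counts derived from the three SELECT responses (18 records of 0x12 bytes for EF.OPN, 16 of 0x4a and 16 of 0x32 for the other two), the Ki and the three entries of the identity record, and the path of the SMSP record. The parser stops at the first ff after the last entry, so a record whose entries are followed by padding round-trips through build_identity_record unchanged.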