
MagicSIM » History » Version 4

tnt, 02/19/2016 10:47 PM
USB reader switch description

[[PageOutline]]

If you want to use OpenBSC with real cryptographic authentication, the secret key Ki of the SIM must be known to the network.

Extracting the Ki of regular SIM cards issued by GSM operators is typically not possible.

We therefore need an alternative solution: a SIM with a known A3/A8 algorithm, into which we can program our own Ki.
== Magic SIM / Super SIM 16-in-1 ==

Various stores around the world seem to be selling cheap so-called ''16-in-1'' SIM cards.  They are intended for COMP128v1 based cloning,
and enable the user to aggregate up to 16 SIM card identities on one card.  They include a SIM toolkit (STK) application for switching
the currently active identity from the phone UI.

Unfortunately those cards come without any documentation and only with a proprietary Windows-based programming tool.

We've spent some time reverse engineering those cards. Here is some information on how you can program them.

Please note that this information assumes you are generally familiar with ISO 7816-4 smart cards, as well as the GSM 11.11 specification.

The traces below were generated using [http://svn.ploetzli.ch/cyberflex-shell/], but any tool that allows you to send and receive APDUs will work.
=== DF.ADMIN ===

DF.ADMIN is a dedicated file (directory) with the File ID '''7f 4d'''.  It contains EFs with the user-modifiable IMSI, Ki and other values.

You can change to DF.ADMIN using the SELECT sequence '''a0 a4 00 00 02 7f 4d''':
{{{
(GSM, ISO 7816-4) > a0 a4 00 00  02  7f 4d
0000:  00 00 60 33 7f 4d 02 00 00 00 00 00 0a 91 08 18   ..`3.M..........
0010:  06 00 83 8a 83 8a 00                              .......         
Normal execution (SW 9000)
}}}

==== EF.OPN Operator Name ====

EF.OPN is a record-oriented file with the File ID '''8f 0c''' and a record length of 0x12.

Records are numbered 0x02..0x11, one for each of the 16 identities that you can store on the SIM.

You can select and read the records in this file using the following example APDU sequence:
{{{
(GSM, ISO 7816-4) > a0 a4 00 00  02  8f 0c
0000:  00 00 01 44 8f 0c 04 00 00 f0 44 01 02 01 12      ...D......D.... 
Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 02 04 12
0000:  4f 70 65 72 61 74 6f 72 31 ff ff ff ff ff ff ff   Operator1.......
0010:  09 01                                             ..              
Normal execution (SW 9000)
}}}
In this example, record 0x02 (i.e. the first record) is called "Operator1".

==== EF 8f 0d: Ki, IMSI, ICCID ====

This EF contains the Ki (secret A3/A8 key), the IMSI (subscriber identity number) and the ICCID (card serial number).
It is a record-oriented file with a record length of 0x4a bytes.  There is one record for each of the identities that
the card supports.  They are numbered from 0x01 up to 0x10.

The following sequence reads the contents of this EF:
{{{
(GSM, ISO 7816-4) > a0 a4 00 00  02  8f 0d
0000:  00 00 04 a0 8f 0d 04 00 00 f0 44 01 02 01 4a      ..........D...J
Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 01 04  4a
0000:  22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22   """"""""""""""""
0010:  3f 00 2f e2 0a 44 44 44 44 44 44 44 44 44 44 7f   ?./..DDDDDDDDDD.
0020:  20 6f 07 09 11 11 11 11 11 11 11 11 11 6f 30 18    o...........o0.
0030:  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0040:  ff ff ff ff ff ff ff ff ff ff                     ..........
Normal execution (SW 9000)
}}}

In this example, the following values have been filled in for illustration purposes:
 * 22 = Ki, to be used for RUN GSM ALGORITHM (COMP128v1)
 * 44 = ICCID, exported through EF.ICCID
 * 11 = IMSI, exported through EF.IMSI
 * ff = PLMN selector, exported through EF.PLMNsel

As you can also see, each file's content (except the Ki) is prefixed with its path and file ID
and its length:
{{{
DF DF    EF EF   LEN    File content
3f 00    2f e2    0a    44 44 44 44 44 44 44 44 44 44
7f 20    6f 07    09    11 11 11 11 11 11 11 11 11
         6f 30    18    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
}}}
It is thus likely that you can generate arbitrary files and content, as long as the format is correct.
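As an added example (not from this wiki page or the OpenBSC project), the following Python parses a record of the EF 8f 0d layout described above and rebuilds it, round-tripping the record from the trace. The entry structure it assumes (optional MF/DF path IDs, EF ID, length byte, content, then 0xff padding) is inferred from that trace and is an assumption, not documented card behaviour.

```python
# Added example, not from the wiki page: parse and rebuild one record of the
# MagicSIM EF 8f 0d layout described above. Assumed structure (read off the
# trace): 16-byte Ki, then entries of [DF path ids 3Fxx/7Fxx ...] [EF id
# 2Fxx/6Fxx] [length] [content], 0xff-padded up to the 0x4a-byte record.
KI_LEN, REC_LEN = 16, 0x4A
# Constructed from the page's trace (illustration values 22/44/11/ff).
SAMPLE_RECORD = bytes.fromhex("22" * 16 + "3f002fe20a" + "44" * 10
                              + "7f206f0709" + "11" * 9
                              + "6f3018" + "ff" * 24 + "ffff")

def fid_at(rec, pos):
    """Two-byte file id at offset pos, or None at 0xff padding / record end."""
    if pos + 1 >= len(rec) or rec[pos] == 0xFF:
        return None
    return (rec[pos] << 8) | rec[pos + 1]

def parse_record(rec):
    """Return (Ki, [(path_ids, ef_id, content), ...]) for one 8f 0d record."""
    if len(rec) != REC_LEN:
        raise ValueError("expected a %d-byte record" % REC_LEN)
    ki, pos, entries = rec[:KI_LEN], KI_LEN, []
    while (fid := fid_at(rec, pos)) is not None:
        path = []
        while fid >> 8 in (0x3F, 0x7F):   # MF / DF components of the path
            path.append(fid)
            pos += 2
            fid = fid_at(rec, pos)
            if fid is None:
                raise ValueError("path without an EF id at offset %d" % pos)
        if fid >> 8 not in (0x2F, 0x6F) or pos + 2 >= len(rec):
            raise ValueError("bad EF id %04x at offset %d" % (fid, pos))
        length = rec[pos + 2]
        content = rec[pos + 3:pos + 3 + length]
        if len(content) != length:
            raise ValueError("entry %04x runs past the end of the record" % fid)
        entries.append((path, fid, content))
        pos += 3 + length
    return ki, entries

def build_record(ki, entries):
    """Inverse of parse_record: assemble and 0xff-pad a record for writing."""
    out = bytearray(ki)
    for path, ef_id, content in entries:
        for fid in path + [ef_id]:
            out += fid.to_bytes(2, "big")
        out += bytes([len(content)]) + content
    if len(ki) != KI_LEN or len(out) > REC_LEN:
        raise ValueError("Ki must be 16 bytes and the entries must fit")
    return bytes(out) + b"\xff" * (REC_LEN - len(out))
```

Running `parse_record(SAMPLE_RECORD)` yields the three entries of the table above (EF.ICCID under the MF, EF.IMSI and EF.PLMNsel under 7f 20), and `build_record` reproduces the trace byte for byte.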

==== DF 8f 0e: SMS parameters ====

The content of the records in DF '''8f 0e''' is used to generate EF.SMSP (short message service parameters).
It is a record-based file with a record length of 0x32 bytes.  Records are numbered from 0x01 through 0x10.

Reading this file works as follows:
{{{
(GSM, ISO 7816-4) > a0 a4 00 00  02  8f 0e
0000:  00 00 03 20 8f 0e 04 00 00 f0 44 01 02 01 32      ... ......D...2
Normal execution (SW 9000)
(GSM, ISO 7816-4) > a0 b2 01 04  32
0000:  3f 00 7f 10 6f 42 01 28 ff ff ff ff ff ff ff ff   ?...oB.(........
0010:  ff ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff   ................
0020:  ff 08 91 33 33 33 33 33 33 33 33 33 33 ff ff ff   ...3333333333...
0030:  ff ff                                             ..
Normal execution (SW 9000)
}}}

The content appears to be structured like the previous file:
 * 3f 00 is the MF
 * 7f 10 is DF.telecom
 * 6f 42 is EF.SMSP

=== The included USB Reader ===

The 16-in-1 cards include a small USB-key SIM card reader in a transparent plastic case.

This reader follows a so-called ''Phoenix'' design, in which a 3.579 MHz crystal is used in combination with two inverters of a 74HC08 to clock the card, while two other inverters and a transistor are used to connect the data line to an RS232 port.  The schematics are probably very close to [http://www.circuitsarchive.org/index.php/SmartCard_PC_Serial_Reader_/_Writer_%28Phoenix%29]

The reader included with the 16-in-1 SIM card also accommodates a Prolific PL-2303 USB to RS232 converter.  It will thus show up as a regular serial port on any operating system.

There is a small switch on the side of the key; it selects between two crystal frequencies:
 * 3.579 MHz, giving a 9600 baud rate, when the switch is ''away'' from the USB plug (i.e. the switch needs to be closer to the SIM than to the USB plug)
 * 7.2 MHz, giving a 19200 baud rate, when the switch is ''towards'' the USB plug.

For best compatibility both with existing software and with 'slow' cards, select the 9600 baud rate.

You can use the following open source tools with the reader:
 * [http://freshmeat.net/projects/sctk/] (MacOS out of the box; hacking /dev/ttyUSB0 into the source makes it work on Linux, too)
 * [http://www.opensc-project.org/openct/wiki/smph] command-line tools