MagicSIM » History » Version 4
tnt, 02/19/2016 10:47 PM
USB reader switch description
[[PageOutline]]

When you want to use OpenBSC with actual cryptographic authentication, the secret Ki of the SIM needs to be known.

Extracting the Ki from regular SIM cards issued by GSM operators is typically not possible.

Therefore, we need an alternative: a SIM with a known A3/A8 algorithm, into which we can program a Ki of our own choosing.

== Magic SIM / Super SIM 16-in-1 ==

Various stores around the world sell cheap so-called ''16-in-1'' SIM cards. They are intended for COMP128v1 based cloning,
and enable the user to aggregate up to 16 SIM card identities on one card. They include a SIM toolkit (STK) application for switching
the currently active identity from the phone UI.

Unfortunately those cards come without any documentation and only with a proprietary Windows-based tool for programming.

We've spent some time reverse engineering those cards. Here is some information on how you can program them.

Please note that this information assumes that you are generally familiar with ISO 7816-4 smart cards, as well as the GSM 11.11 specification.

The traces have been generated using [http://svn.ploetzli.ch/cyberflex-shell/], but any tool that allows you to send and receive APDUs will work.

=== DF.ADMIN ===

DF.ADMIN is a dedicated file (directory) with the File ID '''7f 4d'''. It contains EFs with the user-modifiable IMSI, Ki and other values.

You can change to DF.ADMIN using the SELECT APDU '''a0 a4 00 00 02 7f 4d''' (CLA a0 for GSM, INS a4 = SELECT, P1/P2 00 00, Lc 02, then the file ID). The card answers with the GSM 11.11 SELECT response; its 7th byte (''02'') is the file type and marks a DF:
{{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 7f 4d
0000: 00 00 60 33 7f 4d 02 00 00 00 00 00 0a 91 08 18 ..`3.M..........
0010: 06 00 83 8a 83 8a 00 .......
Normal execution (SW 9000)
}}}

==== EF.OPN Operator Name ====

EF.OPN is a record-oriented (linear fixed) file with the File ID '''8f 0c''' and a record length of 0x12 (18) bytes. The SELECT response below confirms this: the file type byte is ''04'' (EF), byte 14 (''01'') is the structure (linear fixed) and byte 15 (''12'') the record length; the file size ''01 44'' (324 bytes) divided by 18 gives 18 records in total.

Records are numbered 0x02..0x11, one for each of the 16 identities that you can store on the SIM.

You can select and read the records in this file using the following example APDU sequence. READ RECORD is '''a0 b2 P1 04 Le''' with P1 = record number, P2 = 04 (absolute addressing) and Le = record length:
{{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0c
0000: 00 00 01 44 8f 0c 04 00 00 f0 44 01 02 01 12 ...D......D....
Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 02 04 12
0000: 4f 70 65 72 61 74 6f 72 31 ff ff ff ff ff ff ff Operator1.......
0010: 09 01 ..
Normal execution (SW 9000)
}}}
In this example, record 0x02 (i.e. the first identity) is called "Operator1". The name is padded with ff; the meaning of the two trailing bytes ''09 01'' is not documented here (0x09 happens to equal the length of the name).
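The two traces above (DF.ADMIN and EF.OPN) show the only two commands needed to walk these files: SELECT by file ID and READ RECORD in absolute mode. The following Python is an added example, not code from this page or from OpenBSC: it builds those APDUs and decodes the GSM 11.11 SELECT response so that the record length and record count of a file are derived from the card's answer instead of guessed. The response bytes embedded as samples are the ones captured in the traces on this page; the code only constructs and interprets bytes and runs without a reader.

```python
"""GSM 11.11 APDU helpers: build SELECT / READ RECORD and decode SELECT responses.

Added example (not the page's or OpenBSC's code). Byte positions follow
GSM 11.11 section 9.2.1 (bytes numbered from 1 there, from 0 here).
"""
from dataclasses import dataclass
from typing import Optional

CLA_GSM = 0xA0
INS_SELECT = 0xA4
INS_READ_RECORD = 0xB2
P2_ABSOLUTE = 0x04  # READ RECORD: P1 holds the absolute record number

FILE_TYPES = {0x01: "MF", 0x02: "DF", 0x04: "EF"}
EF_STRUCTURES = {0x00: "transparent", 0x01: "linear fixed", 0x03: "cyclic"}

# SELECT responses captured in the traces on this page.
SELECT_RESP_7F4D = bytes.fromhex("000060337f4d0200000000000a9108180600838a838a00")
SELECT_RESP_8F0C = bytes.fromhex("000001448f0c040000f04401020112")
SELECT_RESP_8F0D = bytes.fromhex("000004a08f0d040000f0440102014a")
SELECT_RESP_8F0E = bytes.fromhex("000003208f0e040000f04401020132")


def select_apdu(file_id: int) -> bytes:
    """a0 a4 00 00 02 <file id>"""
    return bytes([CLA_GSM, INS_SELECT, 0x00, 0x00, 0x02]) + file_id.to_bytes(2, "big")


def read_record_apdu(record_no: int, record_len: int) -> bytes:
    """a0 b2 <record no> 04 <record length>"""
    if not 1 <= record_no <= 0xFE or not 1 <= record_len <= 0xFF:
        raise ValueError("record number / length out of range")
    return bytes([CLA_GSM, INS_READ_RECORD, record_no, P2_ABSOLUTE, record_len])


@dataclass
class SelectInfo:
    file_id: int
    file_type: str               # MF / DF / EF
    file_size: int               # EF: body size; DF: memory not allocated
    structure: Optional[str]     # EF only
    record_len: Optional[int]    # linear fixed / cyclic EF only
    num_records: Optional[int]   # file_size // record_len


def parse_select_response(resp: bytes) -> SelectInfo:
    """Decode a GSM 11.11 SELECT response (file size, ID, type, EF structure)."""
    if len(resp) < 7:
        raise ValueError("SELECT response too short")
    file_size = int.from_bytes(resp[2:4], "big")
    file_id = int.from_bytes(resp[4:6], "big")
    ftype = FILE_TYPES.get(resp[6])
    if ftype is None:
        raise ValueError(f"unknown file type {resp[6]:02x}")
    if ftype != "EF":
        return SelectInfo(file_id, ftype, file_size, None, None, None)
    if len(resp) < 14:
        raise ValueError("EF SELECT response lacks the structure byte")
    structure = EF_STRUCTURES.get(resp[13], f"unknown ({resp[13]:02x})")
    if resp[13] in (0x01, 0x03):  # record oriented: byte 15 is the record length
        if len(resp) < 15 or resp[14] == 0:
            raise ValueError("record-oriented EF without record length")
        rec_len = resp[14]
        return SelectInfo(file_id, ftype, file_size, structure, rec_len, file_size // rec_len)
    return SelectInfo(file_id, ftype, file_size, structure, None, None)


def read_all_records(file_id: int, select_resp: bytes) -> list:
    """APDU sequence to select a record-oriented EF and read every record it has."""
    info = parse_select_response(select_resp)
    if info.record_len is None:
        raise ValueError("not a record-oriented EF")
    return [select_apdu(file_id)] + [
        read_record_apdu(n, info.record_len) for n in range(1, info.num_records + 1)
    ]


if __name__ == "__main__":
    for fid, resp in ((0x7F4D, SELECT_RESP_7F4D), (0x8F0C, SELECT_RESP_8F0C),
                      (0x8F0D, SELECT_RESP_8F0D), (0x8F0E, SELECT_RESP_8F0E)):
        print(select_apdu(fid).hex(" "), "->", parse_select_response(resp))
```

To use this against the real card, hand the returned APDUs to whatever transport you have (cyberflex-shell, pyscard, or the serial reader described further down) and feed each SELECT response back into parse_select_response before issuing the READ RECORD commands.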

==== EF 8f 0d: Ki, IMSI, ICCID ====

This EF contains the Ki (secret A3/A8 key), the IMSI (subscriber identity) and the ICCID (card serial number).
It is a record-oriented file with a record length of 0x4a (74) bytes. There is one record for each of the identities that
the card supports. They are numbered from 0x01 up to 0x10.

The following sequence reads the first record of this EF:
{{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0d
0000: 00 00 04 a0 8f 0d 04 00 00 f0 44 01 02 01 4a ..........D...J
Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 01 04 4a
0000: 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 """"""""""""""""
0010: 3f 00 2f e2 0a 44 44 44 44 44 44 44 44 44 44 7f ?./..DDDDDDDDDD.
0020: 20 6f 07 09 11 11 11 11 11 11 11 11 11 6f 30 18 o...........o0.
0030: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
0040: ff ff ff ff ff ff ff ff ff ff ..........
Normal execution (SW 9000)
}}}

In this example, the following placeholder values have been written into the record for illustration purposes (a real record holds the GSM 11.11 encoded values):
* 22 = Ki (16 bytes), used by RUN GSM ALGORITHM (COMP128v1)
* 44 = ICCID, exported through EF.ICCID (3f 00 / 2f e2)
* 11 = IMSI, exported through EF.IMSI (7f 20 / 6f 07)
* ff = PLMN selector, exported through EF.PLMNsel (6f 30)

As you can also see, each file body (except the Ki, which is stored raw in the first 16 bytes) is prefixed with the path of the file (DF and EF IDs) and its length:
{{{
DF    DF    EF    EF    LEN   File content
3f 00       2f e2       0a    44 44 44 44 44 44 44 44 44 44
7f 20       6f 07       09    11 11 11 11 11 11 11 11 11
            6f 30       18    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
}}}
Note that the EF.PLMNsel entry carries only the EF ID without a DF prefix, and that the remaining two bytes of the 74-byte record are ff padding. The lengths match the sizes GSM 11.11 gives for EF.ICCID (10 bytes), EF.IMSI (9 bytes) and a minimal EF.PLMNsel (24 bytes, i.e. 8 PLMN entries of 3 bytes each).
It is thus likely that you can generate arbitrary files + content, as long as the format is correct.
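The layout above is regular enough to encode and decode in code. The following Python is an added example, not the page's or OpenBSC's code: it splits a 74-byte record into the Ki and the path/length-prefixed entries, and builds a record from a chosen Ki, IMSI and ICCID using the encodings GSM 11.11 prescribes for EF.IMSI (length byte, then BCD digits with the odd/even and identity-type nibble in front) and EF.ICCID (nibble-swapped BCD, F-padded to 10 bytes). The assumption, labelled in the code, is that every entry consists of zero or more DF IDs (3f xx / 7f xx) followed by one EF ID, a length byte and the body, as the three entries in the dump do; the sample record is the one from the trace. Writing the record back to the card (UPDATE RECORD) and the card's access conditions are not covered on this page and not part of the example.

```python
"""Decoder/encoder for the 74-byte records of EF 8f 0d on the 16-in-1 card.

Added example, not the original page's or OpenBSC's code. Record layout
(raw Ki, then path/length-prefixed file bodies, ff padding) is read off the
dump on the page; the EF.ICCID / EF.IMSI encodings are those of GSM 11.11.
Assumption: each entry = [DF IDs 3f xx / 7f xx]* + EF ID + length + body.
"""
from dataclasses import dataclass
from typing import List

RECORD_LEN = 0x4A
KI_LEN = 16
PATH_ICCID = bytes.fromhex("3f002fe2")   # MF / EF.ICCID   (from the dump)
PATH_IMSI = bytes.fromhex("7f206f07")    # DF.GSM / EF.IMSI (from the dump)
PATH_PLMNSEL = bytes.fromhex("6f30")     # EF.PLMNsel, EF ID only (from the dump)

# The record captured on the page (placeholder values 22 / 44 / 11 / ff).
SAMPLE_RECORD = bytes.fromhex(
    "22" * 16 + "3f002fe20a" + "44" * 10 + "7f206f0709" + "11" * 9
    + "6f3018" + "ff" * 24 + "ffff"
)


@dataclass
class Entry:
    path: bytes   # concatenated file IDs, the last one being the EF
    body: bytes


@dataclass
class AdminRecord:
    ki: bytes
    entries: List[Entry]


def _swap_nibbles(data: bytes) -> bytes:
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)


def encode_iccid(iccid: str) -> bytes:
    """EF.ICCID body: 10 bytes BCD, nibble-swapped, padded with F."""
    if not iccid.isdigit() or len(iccid) > 20:
        raise ValueError("ICCID must be up to 20 digits")
    return _swap_nibbles(bytes.fromhex(iccid.ljust(20, "f")))


def decode_iccid(body: bytes) -> str:
    return _swap_nibbles(body).hex().rstrip("f")


def encode_imsi(imsi: str) -> bytes:
    """EF.IMSI body (9 bytes): length byte, then BCD digits. The low nibble of
    the first digit byte is the odd/even flag (bit 4) plus identity type 1 (IMSI)."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6..15 digits")
    odd = len(imsi) % 2 == 1
    nibbles = ("9" if odd else "1") + imsi + ("" if odd else "f")
    digits = _swap_nibbles(bytes.fromhex(nibbles))
    return (bytes([len(digits)]) + digits).ljust(9, b"\xff")


def decode_imsi(body: bytes) -> str:
    n = body[0]
    if not 1 <= n <= 8 or len(body) < 1 + n:
        raise ValueError("bad EF.IMSI length byte")
    nib = _swap_nibbles(body[1:1 + n]).hex()   # "9"/"1" + digits [+ "f"]
    if nib[0] not in "19":
        raise ValueError("identity type is not IMSI")
    return nib[1:].rstrip("f")


def parse_record(rec: bytes) -> AdminRecord:
    if len(rec) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(rec)}")
    ki, pos, entries = rec[:KI_LEN], KI_LEN, []
    while pos < len(rec) and rec[pos] != 0xFF:      # ff = padding, end of entries
        path = b""
        while pos + 1 < len(rec) and rec[pos] in (0x3F, 0x7F):  # MF / DF IDs
            path += rec[pos:pos + 2]
            pos += 2
        if pos + 3 > len(rec):
            raise ValueError("truncated entry header")
        path += rec[pos:pos + 2]                    # EF ID
        length = rec[pos + 2]
        body = rec[pos + 3:pos + 3 + length]
        if len(body) != length:
            raise ValueError("entry body runs past end of record")
        entries.append(Entry(path, body))
        pos += 3 + length
    return AdminRecord(ki, entries)


def build_record(ki: bytes, imsi: str, iccid: str, plmnsel: bytes = b"\xff" * 24) -> bytes:
    """Assemble one EF 8f 0d record in the layout seen in the dump."""
    if len(ki) != KI_LEN:
        raise ValueError("Ki must be 16 bytes")
    rec = bytes(ki)
    for path, body in ((PATH_ICCID, encode_iccid(iccid)),
                       (PATH_IMSI, encode_imsi(imsi)),
                       (PATH_PLMNSEL, plmnsel)):
        rec += path + bytes([len(body)]) + body
    if len(rec) > RECORD_LEN:
        raise ValueError("record too long")
    return rec.ljust(RECORD_LEN, b"\xff")


if __name__ == "__main__":
    for e in parse_record(SAMPLE_RECORD).entries:
        print(e.path.hex(), len(e.body), e.body.hex())
    print(build_record(bytes(range(16)), "001010123456789", "8901234567890123456").hex())
```

The record produced by build_record can be written back with UPDATE RECORD once the card's access conditions for EF 8f 0d are known; pass a Ki generated by a proper random source, not a pattern like the 22 22 ... placeholder in the dump.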

==== EF 8f 0e: SMS parameters ====

The content of the records in EF '''8f 0e''' (an EF, not a DF: the SELECT response carries file type ''04'') is used to generate EF.SMSP (short message service parameters).
It is a record-oriented file with a record length of 0x32 (50) bytes; the READ RECORD below uses Le = 0x32 and returns 50 bytes. Records are numbered from 0x01 through 0x10.

Reading this file works as follows:
{{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0e
0000: 00 00 03 20 8f 0e 04 00 00 f0 44 01 02 01 32 ... ......D...2
Normal execution (SW 9000)
(GSM, ISO 7816-4) > a0 b2 01 04 32
0000: 3f 00 7f 10 6f 42 01 28 ff ff ff ff ff ff ff ff ?...oB.(........
0010: ff ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ................
0020: ff 08 91 33 33 33 33 33 33 33 33 33 33 ff ff ff ...3333333333...
0030: ff ff ..
Normal execution (SW 9000)
}}}

The content follows the same scheme as the previous file, a path followed by a length and the file body:
* 3f 00 is the MF
* 7f 10 is DF.TELECOM
* 6f 42 is EF.SMSP
* 01 28: EF.SMSP is a linear fixed file, so this is apparently the target record number (1) followed by the length 0x28 (40) of the record body
* the 40 bytes that follow match the EF.SMSP record layout of GSM 11.11: a 12-byte alpha identifier (ff), the parameter indicators (fd, i.e. only the service centre address is marked as present), 12 bytes TP-Destination Address (ff), 12 bytes TS-Service Centre Address (08 91 33 ...; 91 = international number in BCD), then TP-Protocol ID, TP-DCS and TP-Validity Period (ff each); the last two bytes of the record are padding
114 | 2 | laforge | |
115 | |||
116 | === The included USB Reader === |
||
117 | |||
118 | The 16-in-1 cards include a small USB-key SIM card reader in a transparent plastic case. |
||
119 | |||
120 | This reader follows a so-called ''Phoenix'' design, in which a 3.579 MHz crystal is used in combination with two inverters of a 74HC08 to clock the card, while two other inverters and a transistor are used to connect the data line to a RS232 port. The schematics are probably very close to [http://www.circuitsarchive.org/index.php/SmartCard_PC_Serial_Reader_/_Writer_%28Phoenix%29] |
||
121 | |||
122 | The reader included with the 16-in-1 SIM card also accomodates a Prolific PL-2303 USB to RS232 converter. It will thus show up as a regular serial port on any operating system. |
||
123 | |||
124 | 4 | tnt | There's a small switch on the side of the key, it select between two crytal frequencies: |
125 | * 3.579 MHz leading to a 9600 baudrate when the switch is ''away'' from the USB plug (i.e. the switch needs to be closer to the SIM than to the USB plug) |
||
126 | * 7.2 MHz leading to a 19200 baudrate when the switch is ''towards' the USB plug. |
||
127 | |||
128 | For best compatibility both with existing software and with 'slow' cards, select the 9600 baudrate. |
||
129 | 2 | laforge | |
130 | You can use the following open source tools for using the reader: |
||
131 | * [http://freshmeat.net/projects/sctk/] (MacOS out of the box, hacking /dev/ttyUSB0 into the source makes it work on Linux, too) |
||
132 | * [http://www.opensc-project.org/openct/wiki/smph] commandline tools |