MagicSIM » History » Revision 5

tnt, 02/19/2016 10:47 PM
EF vs DF typo



When you want to use OpenBSC with actual cryptographic authentication, then the secret Ki of the SIM needs to be known.

Extracting the Ki of regular SIM cards issued by GSM operators is typically not possible.

Therefore, we need some alternative solution: A SIM with a known A3/A8 algorithm, where we can program the actual Ki.

== Magic SIM / Super SIM 16-in-1 ==

Various stores around the world seem to be selling cheap so-called ''16-in-1'' SIM cards. They are intended for COMP128v1 based cloning,
and enable the user to aggregate up to 16 SIM card identities on one card. They include a SIM toolkit (STK) application for switching
the currently active identity from the Phone UI.

Unfortunately those cards come without any documentation and only with a proprietary Windows-based tool for programming.

We've spent some time reverse engineering those cards. Here is some information on how you can program them.

Please note, this information assumes that you are generally familiar with ISO 7816-4 smart cards, as well as the GSM 11.11 specification.

The traces have been generated using [http://svn.ploetzli.ch/cyberflex-shell/], but any tool that allows you to send and receive APDUs will work.

=== DF.ADMIN ===

DF.ADMIN is a dedicated file (directory) with the File ID '''7f 4d'''. It contains EF's with the user-modifiable IMSI, Ki and other values.

You can change to DF.ADMIN using the SELECT sequence '''a0 a4 00 00 02 7f 4d''' {{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 7f 4d
0000: 00 00 60 33 7f 4d 02 00 00 00 00 00 0a 91 08 18 ..`3.M..........
0010: 06 00 83 8a 83 8a 00 .......
Normal execution (SW 9000)
}}}

==== EF.OPN Operator Name ====

EF.OPN is a record-oriented file with the File ID '''8f 0c''' and a record-length of 0x12.

Records are numbered 0x02..0x11, one for each of the 16 identities that you can store on the SIM.

You can select and read the records in this file using the following example APDU sequence: {{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0c
0000: 00 00 01 44 8f 0c 04 00 00 f0 44 01 02 01 12 ...D......D....
Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 02 04 12
0000: 4f 70 65 72 61 74 6f 72 31 ff ff ff ff ff ff ff Operator1.......
0010: 09 01 ..
Normal execution (SW 9000)
}}}
In this example, record 0x02 (i.e. the first record) is called "Operator1".

==== EF 8f 0d: Ki, IMSI, ICCID ====

This EF contains the Ki (secret A3/A8 key), the IMSI (subscriber identity number) and the ICCID (card serial number).
It is a record-oriented file with a record length of 0x4a bytes. There is one record for each of the identities that
the card supports. They are numbered from 0x01 up to 0x10.

The following sequence reads the contents of this EF: {{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0d
0000: 00 00 04 a0 8f 0d 04 00 00 f0 44 01 02 01 4a ..........D...J
Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 01 04 4a
0000: 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 """"""""""""""""
0010: 3f 00 2f e2 0a 44 44 44 44 44 44 44 44 44 44 7f ?./..DDDDDDDDDD.
0020: 20 6f 07 09 11 11 11 11 11 11 11 11 11 6f 30 18 o...........o0.
0030: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
0040: ff ff ff ff ff ff ff ff ff ff ..........
Normal execution (SW 9000)
}}}

In this example, the following numbers have been added for illustration purposes:
 * 22 = Ki, to be used for RUN GSM ALGORITHM (COMP128v1)
 * 44 = ICCID, exported through EF.ICCID
 * 11 = IMSI, exported through EF.IMSI
 * ff = PLMN selector, exported through EF.PLMNsel

As you can also see, each of the file contents (except Ki) is prefixed with the file name + path
and the length. {{{
DF DF EF EF LEN File content
3f 00 2f e2 0a 44 44 44 44 44 44 44 44 44 44
7f 20 6f 07 09 11 11 11 11 11 11 11 11 11
6f 30 18 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
}}}
It is thus likely that you can generate arbitrary files and content, as long as the format is correct.
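As an added example (not code from the original page), the following parser splits one 0x4a-byte record of EF 8f 0d, as dumped above, into the Ki and the embedded (DF, EF, content) entries, and builds the SELECT / READ RECORD APDUs shown on this page. It assumes (my reading of the dump, not stated by the page) that an entry starts with a DF id (3f xx / 7f xx, per GSM 11.11 numbering) followed by an EF id, or with only an EF id (2f / 4f / 6f xx) when the DF is unchanged, and that trailing ff bytes are padding.

```python
# Added example, not part of the original page. Parses the EF 8f 0d record
# layout described above; sample record is constructed from the page's dump.
KI_LEN = 16
RECORD_LEN = 0x4A
DF_HIGH = (0x3F, 0x7F)        # MF / DF ids (assumption: GSM 11.11 numbering)
EF_HIGH = (0x2F, 0x4F, 0x6F)  # EF ids under MF / 2nd-level DF / DF
FILE_NAMES = {0x2FE2: "EF.ICCID", 0x6F07: "EF.IMSI", 0x6F30: "EF.PLMNsel"}


def select_apdu(fid: int) -> bytes:
    """SELECT by file id: a0 a4 00 00 02 <fid>, as used throughout the page."""
    return bytes([0xA0, 0xA4, 0x00, 0x00, 0x02]) + fid.to_bytes(2, "big")


def read_record_apdu(rec_no: int, rec_len: int) -> bytes:
    """READ RECORD (absolute mode, P2=04): a0 b2 <rec_no> 04 <rec_len>."""
    return bytes([0xA0, 0xB2, rec_no, 0x04, rec_len])


def parse_8f0d_record(rec: bytes):
    """Return (ki, [(df, ef, content), ...]) for one EF 8f 0d record."""
    if len(rec) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(rec)}")
    ki = rec[:KI_LEN]
    entries, pos, df = [], KI_LEN, None
    while pos < len(rec):
        if rec[pos] in DF_HIGH and pos + 2 <= len(rec):
            df = int.from_bytes(rec[pos:pos + 2], "big")   # new directory
            pos += 2
        if pos + 3 > len(rec) or rec[pos] not in EF_HIGH:
            break                                          # ff padding ends the list
        ef = int.from_bytes(rec[pos:pos + 2], "big")
        length = rec[pos + 2]
        content = rec[pos + 3:pos + 3 + length]
        if len(content) != length:
            raise ValueError(f"entry for {ef:04x} truncated")
        entries.append((df, ef, content))
        pos += 3 + length
    return ki, entries


# Constructed sample: the record 0x01 dump from the page (Ki=22.., ICCID=44..).
SAMPLE = bytes.fromhex("22" * 16 + "3f002fe20a" + "44" * 10 + "7f206f0709"
                       + "11" * 9 + "6f3018" + "ff" * 24 + "ffff")

if __name__ == "__main__":
    print(select_apdu(0x8F0D).hex(" "), read_record_apdu(1, RECORD_LEN).hex(" "))
    ki, entries = parse_8f0d_record(SAMPLE)
    print("Ki:", ki.hex())
    for df, ef, content in entries:
        print(f"{df:04x}/{ef:04x} {FILE_NAMES.get(ef, '?'):11s} {content.hex()}")
```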

==== EF 8f 0e: SMS parameters ====

The content of records in EF '''8f 0e''' is used to generate the EF.SMSP (short message service parameters).
It is a record-based file with a record length of 32 bytes. Records are numbered from 0x01 through 0x10.

Reading this file works as follows: {{{
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0e
0000: 00 00 03 20 8f 0e 04 00 00 f0 44 01 02 01 32 ... ......D...2
Normal execution (SW 9000)
(GSM, ISO 7816-4) > a0 b2 01 04 32
0000: 3f 00 7f 10 6f 42 01 28 ff ff ff ff ff ff ff ff ?...oB.(........
0010: ff ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ................
0020: ff 08 91 33 33 33 33 33 33 33 33 33 33 ff ff ff ...3333333333...
0030: ff ff ..
Normal execution (SW 9000)
}}}

The content seems to be similar to the previous file:
 * 3f 00 is the MF
 * 7f 10 is DF.telecom
 * 6f 42 is EF.SMSP

=== The included USB Reader ===

The 16-in-1 cards include a small USB-key SIM card reader in a transparent plastic case.

This reader follows a so-called ''Phoenix'' design, in which a 3.579 MHz crystal is used in combination with two inverters of a 74HC08 to clock the card, while two other inverters and a transistor are used to connect the data line to a RS232 port. The schematics are probably very close to [http://www.circuitsarchive.org/index.php/SmartCard_PC_Serial_Reader_/_Writer_%28Phoenix%29]

The reader included with the 16-in-1 SIM card also accommodates a Prolific PL-2303 USB to RS232 converter. It will thus show up as a regular serial port on any operating system.

There's a small switch on the side of the key; it selects between two crystal frequencies:
 * 3.579 MHz, leading to a 9600 baudrate, when the switch is ''away'' from the USB plug (i.e. the switch needs to be closer to the SIM than to the USB plug)
 * 7.2 MHz, leading to a 19200 baudrate, when the switch is ''towards'' the USB plug.

For best compatibility both with existing software and with 'slow' cards, select the 9600 baudrate.

You can use the following open source tools for using the reader:
 * [http://freshmeat.net/projects/sctk/] (MacOS out of the box; hacking /dev/ttyUSB0 into the source makes it work on Linux, too)
 * [http://www.opensc-project.org/openct/wiki/smph] commandline tools
