Bastien Baranoff wrote:
> Hello all, the attack: you generate the rainbow tables for each possible Ki
> with a given RAND set, send this RAND (which is not random ;), the phone
> responds with SRES, you make the operation for 3 or 4 RANDs and meaningfully
> decrease the possibilities for Ki. Do you think it is realisable?
Someone please correct me if I'm wrong on this detail, but it is my
understanding that no mainstream commercial operator today (outside of
personal enthusiast tinkerers in Osmocom and similar communities)
issues native 2G SIM cards any more - instead all of their current SIM
cards are actually USIM/ISIM, and if GSM 11.11 SIM operation is
supported at all, it is only provided as a backward compatibility
mode. I reason that these "modern" SIMs must be using Milenage in
their native 3G/4G mode, thus their secret key material is not classic
Ki, but K/Ki (128 bits) plus OPc (another 128 bits), for a total of
256 bits of secret key material.
What happens when these "modern" SIMs are accessed via GSM 11.11 SIM
protocol, or when 2G authentication is requested in a USIM session?
I find it doubtful that they switch to COMP128 (any version) in this
mode, instead I reason that they use 2G mode of Milenage, which still
uses both K/Ki and OPc - thus the secret key material used even for 2G
Kc and SRES generation from RAND is still 256 bits rather than 128.
Again, someone please correct me if my reasoning is wrong here.
M~
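As an added illustration of the "2G mode" referred to above (not code from the thread or from Osmocom): in 3GPP TS 33.102 §6.8.1.2 a Milenage SIM derives GSM SRES and Kc from its 3G outputs with the conversion functions c2 and c3, so both values depend on the full K + OPc material. The Milenage f2/f3/f4 outputs (XRES, CK, IK) are assumed to come from the card and are given here as constructed sample bytes; the AES-based f-functions themselves are not included.

```python
def c2_sres(xres: bytes) -> bytes:
    """TS 33.102 c2: fold XRES (32..128 bits) into the 32-bit GSM SRES.

    XRES* is XRES zero-padded to 128 bits; SRES is the XOR of its four
    32-bit words. For the common 64-bit XRES this is simply
    XRES[0:4] ^ XRES[4:8].
    """
    if not 4 <= len(xres) <= 16 or len(xres) % 4:
        raise ValueError("XRES must be 4..16 bytes in 4-byte steps")
    xres_star = xres.ljust(16, b"\x00")  # zero-pad to 128 bits
    sres = bytes(4)
    for off in range(0, 16, 4):
        sres = bytes(a ^ b for a, b in zip(sres, xres_star[off:off + 4]))
    return sres


def c3_kc(ck: bytes, ik: bytes) -> bytes:
    """TS 33.102 c3: 64-bit Kc = CK1 ^ CK2 ^ IK1 ^ IK2 (each half 64 bits)."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 128 bits each")
    return bytes(ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8] for i in range(8))


def gsm_from_umts(xres: bytes, ck: bytes, ik: bytes) -> tuple[bytes, bytes]:
    """Return (SRES, Kc) as a Milenage SIM answers a GSM RUN GSM ALGORITHM."""
    return c2_sres(xres), c3_kc(ck, ik)


# Constructed sample quintuplet fragments (not real test vectors).
SAMPLE_XRES = bytes.fromhex("0102030405060708")
SAMPLE_CK = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_IK = bytes.fromhex("0123456789abcdef0011223344556677")

if __name__ == "__main__":
    sres, kc = gsm_from_umts(SAMPLE_XRES, SAMPLE_CK, SAMPLE_IK)
    print("SRES", sres.hex(), "Kc", kc.hex())  # prints 0404040c 89baefdc45762310
```

Because SRES and Kc are linear folds of XRES, CK and IK, an attacker observing RAND/SRES pairs still faces the full Milenage (AES under K with OPc) rather than a 128-bit Ki, which is the point made in the message above.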
Hello, if I remember, I have tested to telnet 192.168.0.1 8090, or if I
broadcast DHCP from my PC I have 192.168.0.142, but in both cases I have
connection refused :( You mean that if I buy a sysmocell I will be able to
flash FW on my nano3G? I will check if I can have serial. Thank you for your
response, I will keep the community in touch if I can go further. I will
only be able to make new tests in 10 days... :(
On Sun, 7 Aug 2022 at 16:09, Neels Hofmeyr <nhofmeyr(a)sysmocom.de> wrote:
> I dimly remember that the nano3G have both serial console contacts you can
> solder onto, as well as an exploitable DHCP client (what I heard is that the
> DHCP client is a bash script that fails to properly escape the host name given
> to the DHCP client). With that you might be able to gain ssh access. Even then
> you may not have much of a chance to get it to run, depending on the installed
> firmware.
>
> A factoid is that a nano3G obtained from sysmocom.de will work with
> osmo-hnbgw.
> Not sure if it is still in the shop... Some of them have also been given away
> free of charge, to non-commercial users: research / hacker spaces. So if I
> needed one to play with, I guess I would ask sysmocom indicating my intended
> use, or ask some of the people that got one from Accelerate3g5 -- in case
> there's someone no longer using their nano3G:
> https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5
>
> HTH,
>
> ~N
>
Hello @osmocom, I wonder something. I have bought an ip.access nano3G S8,
Model # 237BA, UMTS Band 2/5 (800 MHz). Will I have a chance to make it work
with the Accelerate3g5 software? Thanks, Bastien Baranoff