Hi all,
Does anyone have any suggestions regarding models of phone on which it is easy to view the current Kc? I have a Motorola C115, Nokia 3310/6630, Android Desire, iPhone etc. I can get everything from the built-in field test modes, however I really want to get the current session key so that I can verify/analyse my captured bursts.
Thanks,
Matt.
I use smartcard reader for this.
I recommend http://nobbi.com/download/SIMspyII.zip for PC/SC readers (Towitoko) or http://www.endorasoft.es/download/xsim.zip for smartmouse / phoenix based readers. You should find a PC/SC reader at most computer shops.
Remove the battery from your phone and read Kc from the SIM card (don't switch off the phone or Kc will be deleted from the SIM).
Date: Wed, 16 Feb 2011 21:19:44 +0000 From: mattjevans@btinternet.com Subject: Extract Kc from Phone? To: baseband-devel@lists.osmocom.org
On Wed, Feb 16, 2011 at 11:29 PM, Sebastian --- seppel18@hotmail.com wrote:
I recommend http://nobbi.com/download/SIMspyII.zip for PC/SC readers (Towitoko) or http://www.endorasoft.es/download/xsim.zip for smartmouse / phoenix based readers.
How do they do that? As far as I know Kc shouldn't be extractable (except from very old cards). It would be better to have open source software that allows us to understand...
Another way is to use the "mobile" app from sylvain/testing. It associates with the network and makes calls. If I am not wrong it shows you the Kc, so it would be useful for the original poster.
Ciao. Dario.
Hi folks.
How do they do that? As far as I know Kc shouldn't be extracted (except from very old cards). I would be better to know to have an open source sw that allow us to understand...
The Kc is only the session key. The Ki is the key that you cannot extract.
I had a similar problem some time ago. I wanted to get the current Kc in real time. My solution was to sniff the Kc from the data stream between SIM and phone. The Kc occurs in two places: 1. when RUN GSM ALGORITHM is executed, and 2. when the phone stores the Kc back on the SIM card.
You can download the sourcecode, layouts for my approach at: http://www.runningserver.com/software/chipcardlab.tar
The hardest task is to sniff the data, because the baud rate of the communication is not a standard one. You can also try to get SIMtrace (http://bb.osmocom.org/trac/wiki/SIMtrace) running. I have not tested it yet, but I think it can achieve the same.
You could also find a phone where you can read the Kc by sending APDUs through AT commands. Some Blackberrys have a netmonitor mode that can display the Kc.
regards. Philipp
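Philipp's two sniffing points, RUN GSM ALGORITHM and the write-back to the Kc file, as an added worked example that is not code from the thread, from chipcardlab or from SIMtrace. It assumes the sniffer has already split the ISO 7816 T=0 traffic into (command, response) pairs with procedure bytes removed and that the SIM uses the GSM class byte 0xA0 (GSM 11.11 / 3GPP TS 51.011 conventions); the capture at the bottom is constructed test data with made-up RAND, SRES and Kc values.

```python
"""Recover Kc from a sniffed SIM<->phone APDU exchange (GSM 11.11 / 3GPP TS 51.011).

Added example, not code from the thread, chipcardlab or SIMtrace. It assumes
the sniffer has already split the ISO 7816 T=0 traffic into (command, response)
pairs with the procedure bytes removed, and that the SIM uses the GSM class
byte 0xA0. The capture at the bottom is constructed test data.
"""
from typing import Dict, List, Optional, Tuple

CLA_GSM = 0xA0
INS_SELECT = 0xA4
INS_RUN_GSM_ALGORITHM = 0x88
INS_GET_RESPONSE = 0xC0
INS_UPDATE_BINARY = 0xD6
EF_KC = 0x6F20  # the Kc file, 9 bytes: Kc (8) + ciphering key sequence number (1)


def parse_ef_kc(body: bytes) -> Tuple[bytes, int]:
    """Split EF_Kc content into (Kc, CKSN). CKSN lives in the low 3 bits of byte 9;
    the value 7 means the SIM holds no valid Kc."""
    if len(body) < 9:
        raise ValueError("EF_Kc body must be at least 9 bytes")
    return bytes(body[:8]), body[8] & 0x07


def extract_kc(apdus: List[Tuple[bytes, bytes]]) -> List[Dict[str, object]]:
    """Walk the exchange and report every point at which Kc crosses the interface:
    1. the GET RESPONSE that fetches the RUN GSM ALGORITHM result (SRES || Kc),
    2. an UPDATE BINARY on EF_Kc when the phone writes the key back to the SIM."""
    found: List[Dict[str, object]] = []
    selected_file: Optional[int] = None
    pending_rand: Optional[bytes] = None  # RAND of a RUN GSM ALGORITHM awaiting GET RESPONSE

    for cmd, rsp in apdus:
        if len(cmd) < 5 or len(rsp) < 2:
            continue
        cla, ins, p1, p2, p3 = cmd[:5]
        data = cmd[5:]
        body, sw1, sw2 = rsp[:-2], rsp[-2], rsp[-1]
        if cla != CLA_GSM:
            continue

        if ins == INS_SELECT and p3 == 2 and len(data) >= 2:
            selected_file = int.from_bytes(data[:2], "big")
        elif ins == INS_RUN_GSM_ALGORITHM and p3 == 0x10 and sw1 == 0x9F:
            # SW 9F xx: the result is waiting, the phone must issue GET RESPONSE
            pending_rand = bytes(data[:16])
        elif ins == INS_GET_RESPONSE and pending_rand is not None:
            if (sw1, sw2) == (0x90, 0x00) and len(body) >= 12:
                found.append({"source": "RUN GSM ALGORITHM", "rand": pending_rand,
                              "sres": bytes(body[:4]), "kc": bytes(body[4:12])})
            pending_rand = None
        elif (ins == INS_UPDATE_BINARY and selected_file == EF_KC
              and (p1, p2) == (0, 0) and (sw1, sw2) == (0x90, 0x00)):
            kc, cksn = parse_ef_kc(data)
            found.append({"source": "UPDATE BINARY EF_Kc", "kc": kc, "cksn": cksn})
    return found


# Constructed capture: one authentication followed by the phone storing Kc on the SIM.
RAND = bytes(range(0x10, 0x20))
SRES = bytes.fromhex("deadbeef")
KC = bytes.fromhex("0123456789abcdef")
CAPTURE: List[Tuple[bytes, bytes]] = [
    (bytes([0xA0, 0x88, 0x00, 0x00, 0x10]) + RAND, bytes([0x9F, 0x0C])),
    (bytes([0xA0, 0xC0, 0x00, 0x00, 0x0C]), SRES + KC + bytes([0x90, 0x00])),
    (bytes([0xA0, 0xA4, 0x00, 0x00, 0x02, 0x6F, 0x20]), bytes([0x9F, 0x0F])),
    (bytes([0xA0, 0xD6, 0x00, 0x00, 0x09]) + KC + bytes([0x01]), bytes([0x90, 0x00])),
]

if __name__ == "__main__":
    for hit in extract_kc(CAPTURE):
        print(hit["source"], hit["kc"].hex(), hit.get("cksn"))
```

The GET RESPONSE path is the one that yields Kc in real time, since it is seen the moment the SIM computes it; the UPDATE BINARY path only appears when the phone decides to persist the key, which, as later messages in the thread note, is operator and phone policy.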
On Wed, 16 Feb 2011 21:19:44 +0000 (GMT), MATTHEW EVANS wrote:
If you have a phone with access to the AT command interface via cable or Bluetooth, you can use the +CRSM command to read the Kc file from the SIM while the phone is operating.
Try at+crsm=? to check whether your phone supports this command; if it returns an error, it doesn't.
at+crsm=176,28448,0,0,8
reads the Kc file from the SIM and returns a 9-octet hex string, of which the first 8 are the actual Kc.
I'm not sure which of your phones supports this; the C115 and 3310 surely don't, the iPhone maybe, depending on version, not sure; just test your phone zoo. BTW, most old Siemens phones support this.
Regards, Mad
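The +CRSM method above, as an added example that is not code from the thread: it builds the READ BINARY command for file 6F20 (28448 decimal, the same file id as in the at+crsm line), parses the `+CRSM: <sw1>,<sw2>,<hex>` reply per 3GPP TS 27.007, and splits the result into Kc and the ciphering key sequence number. The reply lines at the bottom are constructed test data; `read_kc_from_modem()` assumes the third-party pyserial package and a phone exposing AT commands on a serial port, and the port name is a placeholder. By default it asks for all 9 bytes of EF_Kc rather than the 8 used in the thread, so the CKSN byte comes along.

```python
"""Read EF_Kc from a live phone over AT+CRSM (3GPP TS 27.007, READ BINARY = 176).

Added example, not from the thread. The +CRSM reply lines below are constructed
test data. read_kc_from_modem() needs the third-party pyserial package and a
phone that exposes AT commands on a serial or Bluetooth port (an assumption;
the port name is a placeholder).
"""
import re
from typing import Optional, Tuple

EF_KC = 0x6F20     # 28448 decimal, the file id used in the thread
READ_BINARY = 176  # +CRSM command code for READ BINARY (0xB0)
_CRSM_RE = re.compile(r'\+CRSM:\s*(\d+)\s*,\s*(\d+)(?:\s*,\s*"?([0-9A-Fa-f]*)"?)?')


def build_crsm_read_binary(file_id: int = EF_KC, offset: int = 0, length: int = 9) -> str:
    """P1/P2 carry the high/low byte of the read offset, P3 the byte count.
    The default reads all 9 bytes of EF_Kc so the CKSN byte comes along."""
    return f"AT+CRSM={READ_BINARY},{file_id},{offset >> 8},{offset & 0xFF},{length}"


def parse_crsm(line: str) -> Tuple[int, int, bytes]:
    """Return (SW1, SW2, response bytes) from a '+CRSM: <sw1>,<sw2>[,<hex>]' line."""
    m = _CRSM_RE.search(line)
    if not m:
        raise ValueError(f"not a +CRSM response: {line!r}")
    return int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3) or "")


def kc_from_crsm(line: str) -> Tuple[Optional[bytes], Optional[int]]:
    """Extract (Kc, CKSN). CKSN is None when only 8 bytes were read; Kc is None
    when the SIM reports CKSN 7, meaning no valid key is stored."""
    sw1, sw2, body = parse_crsm(line)
    if (sw1, sw2) != (0x90, 0x00):  # 144,0 in the decimal form +CRSM prints
        raise RuntimeError(f"SIM returned SW {sw1:02X} {sw2:02X}")
    if len(body) < 8:
        raise ValueError(f"EF_Kc response too short: {body.hex()}")
    kc = bytes(body[:8])
    cksn = body[8] & 0x07 if len(body) >= 9 else None
    if cksn == 7:
        return None, cksn
    return kc, cksn


def read_kc_from_modem(port: str = "/dev/ttyUSB0", baud: int = 115200):
    """Send the command to a phone and parse the reply (requires pyserial)."""
    import serial  # third-party; pip install pyserial
    with serial.Serial(port, baud, timeout=2) as ser:
        ser.write((build_crsm_read_binary() + "\r").encode())
        reply = ser.read(512).decode(errors="replace")
    for line in reply.splitlines():
        if line.strip().startswith("+CRSM"):
            return kc_from_crsm(line)
    raise RuntimeError(f"no +CRSM line in reply: {reply!r}")


# Constructed replies as a phone prints them back.
SAMPLE_OK = '+CRSM: 144,0,"0123456789ABCDEF01"'
SAMPLE_NO_KEY = '+CRSM: 144,0,"FFFFFFFFFFFFFFFFFF"'  # no valid Kc stored (CKSN 7)

if __name__ == "__main__":
    print(build_crsm_read_binary())
    print(kc_from_crsm(SAMPLE_OK))
    print(kc_from_crsm(SAMPLE_NO_KEY))
```

Check the status words before trusting the data: anything other than 144,0 (90 00) means the read failed, and a body of all 0xFF with CKSN 7 is a SIM telling you it has no key, not a key of all ones.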
Forgot to mention a second method to extract Kc from a running phone, using Nokias with netmonitor display 52. Again, only some phones have this specific display in their netmon; the 3310s I've seen don't. SIM card phonebook entry no. 34 has to contain the hex file number (6F20), and after running display 52 phonebook entry 35 should contain the file content. Better check the usual netmon docs for further instructions.
Regards, Mad
For those having a Blackberry (I tried it on a Blackberry Torch and it really works :) the following link http://www.zibri.org/2009/08/hidden-things-are-usually-best.html enables Engineering mode. Follow the instructions and instead of the Help screen the engineering screen is displayed. Under Utilities there is a SIM monitor allowing you to display SIM_Kc or USIM_Kc depending on the type of SIM you use. There is an impressive set of tools and different monitor functions ranging from neighbour cells and System Information messages to WiFi and security related settings.
Regards, Stefan
Thanks for the advice all. I purchased a cheap SIM reader and used xsim to retrieve the Kc. Funny thing is the 3310 doesn't seem to delete the Kc file if I power down normally. Even funnier is the fact that the Kc doesn't change even after a power cycle! I guess the Kc change policy must be specific to the operator. It will be interesting to see how often it gets changed! Probably not that often :).
Matt.
On 02/22/2011 07:26 AM, MATTHEW EVANS wrote:
Thanks for the advice all. I purchased a cheap SIM reader and used xsim to retrieve the Kc. Funny thing is the 3310 doesn't seem to delete the Kc file if I power down normally. Even funnier is the fact that the Kc doesn't change even after a power cycle!
Of course, this is how GSM is specified. No surprise here.
I guess the Kc change policy must be specific to the operator.
Of course, it is pure operator policy.
Regards, Harald