Hi!
Today I spent some time investigating the cheap 16-in-1 SIM cards on which we can set our own Ki. This means that those cards can be used for cryptographic authentication with OpenBSC. Finally, we will have not only IMSI-based identification, but actual authentication!
I've created a page in the Wiki about those cards: http://openbsc.gnumonks.org/trac/wiki/MagicSIM
Using this information, I could send the RUN GSM ALGORITHM APDU to the card and retrieve SRES + Kc. The result matched what I can also obtain using the COMP128v1 code from http://www.scard.org/gsm/a3a8.txt
I will add COMP128v1 support to OpenBSC as soon as I have tested actual authentication using this 16-in-1 SIM card.
By the way: It would really be great if somebody could hack up a small command line program that can be used to program the Operator Name, Ki, ICCID, IMSI and preferred PLMN into the 16-in-1 SIM.
Regards, Harald
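The RUN GSM ALGORITHM exchange described above, as an added example that is not part of this thread or of OpenBSC: the APDU layout and status-word handling follow GSM 11.11, while `FakeSim`, `SAMPLE_RAND` and `SAMPLE_SRES_KC` are constructed stand-ins (a real card computes A3/A8 over RAND and its Ki; the fake just returns a fixed value) so the code runs without a reader.

```python
CLA_GSM, RUN_GSM_ALGORITHM, GET_RESPONSE = 0xA0, 0x88, 0xC0

def build_run_gsm_algorithm(rand):
    """RUN GSM ALGORITHM command APDU (GSM 11.11): A0 88 00 00 10 || RAND(16)."""
    if len(rand) != 16:
        raise ValueError("RAND must be 16 bytes")
    return bytes([CLA_GSM, RUN_GSM_ALGORITHM, 0x00, 0x00, 0x10]) + bytes(rand)

def build_get_response(length):
    """GET RESPONSE, used under T=0 to fetch data the card announced with 9F xx."""
    return bytes([CLA_GSM, GET_RESPONSE, 0x00, 0x00, length])

def parse_sres_kc(data):
    """Split the 12-byte response body into SRES (4 bytes) and Kc (8 bytes)."""
    if len(data) != 12:
        raise ValueError("expected 12 bytes SRES||Kc, got %d" % len(data))
    return bytes(data[:4]), bytes(data[4:])

def kc_looks_like_comp128v1(kc):
    """COMP128v1 leaves the low 10 bits of Kc zero (54-bit effective key);
    a Kc that violates this cannot have come from COMP128v1."""
    return len(kc) == 8 and kc[7] == 0x00 and (kc[6] & 0x03) == 0

class FakeSim:
    """Constructed stand-in for the card so the example runs offline."""
    def __init__(self, sres_kc):
        self._sres_kc, self._pending = bytes(sres_kc), None
    def transmit(self, apdu):
        ins = apdu[1]
        if ins == RUN_GSM_ALGORITHM and len(apdu) == 5 + 16:
            self._pending = self._sres_kc
            return b"", 0x9F, 0x0C          # 12 bytes waiting; fetch via GET RESPONSE
        if ins == GET_RESPONSE and self._pending is not None:
            data, self._pending = self._pending, None
            return data[:apdu[4]], 0x90, 0x00
        return b"", 0x6D, 0x00              # INS not supported

def authenticate(card, rand):
    """Run the full exchange and return (SRES, Kc), raising on any unexpected SW."""
    data, sw1, sw2 = card.transmit(build_run_gsm_algorithm(rand))
    if sw1 == 0x9F:                          # T=0: response data must be fetched
        data, sw1, sw2 = card.transmit(build_get_response(sw2))
    if (sw1, sw2) != (0x90, 0x00):
        raise RuntimeError("card returned SW %02X%02X" % (sw1, sw2))
    return parse_sres_kc(data)

# Constructed sample values (not real COMP128v1 output): RAND and SRES||Kc.
SAMPLE_RAND = bytes(range(16))
SAMPLE_SRES_KC = bytes.fromhex("a1b2c3d4" "0011223344557c00")
```

With a real reader, `card.transmit` would wrap the PC/SC transmit call and return `(data, sw1, sw2)` in the same shape; the Kc shape check is a cheap sanity test that the card really ran COMP128v1 and not some other A3/A8.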
Hi Harald.
> By the way: It would really be great if somebody could hack up a small command line program that can be used to program the Operator Name, Ki, ICCID, IMSI and preferred PLMN into the 16-in-1 SIM.
I know how to do that with SCRIPTOR. Should not be that difficult if the PCSC bugs will not spoil it all. (Have seen the strangest things, APDUs with more than 8 byte payload do not transmit !?!? Let's hope the best ;-)
I have done the development of my SIM-Sniffer / Protocol dissector. And I will start my own very basic SIM-Card implementation soon for experimental use with OpenBSC.
Do you have documentation of the card? We also can do some protocol traces.
regards. Philipp
> Today I spent some time investigating the cheap 16-in-1 SIM cards on which we can set our own Ki. This means that those cards can be used for cryptographic authentication with OpenBSC. Finally, we will have not only IMSI-based identification, but actual authentication!
I tested some of those last weekend and when I verified they work, I ordered a 100 bulk pack so that if anyone is interested I could re-distribute them at events and such.
(They're the bare card, no reader included, I mostly wanted 10 or so for myself to put in each of the test phones I use and didn't want to pay for useless readers ...)
> I've created a page in the Wiki about those cards: http://openbsc.gnumonks.org/trac/wiki/MagicSIM
I have two models:
- SuperSim 16-in-1
- Magic SIM 6-in-1
But it's weird, I didn't program them using the same EF/DF ... I just have an EF 3f00 / 000c that contains all the data, and not in the same format.
> Using this information, I could send the RUN GSM ALGORITHM APDU to the card and retrieve SRES + Kc. The result matched what I can also obtain using the COMP128v1 code from http://www.scard.org/gsm/a3a8.txt
Beware that in this code, the test software (main function) swapped Ki and RAND.
> By the way: It would really be great if somebody could hack up a small command line program that can be used to program the Operator Name, Ki, ICCID, IMSI and preferred PLMN into the 16-in-1 SIM.
I've written something like that but it's for the card model I have: http://www.246tnt.com/files/pySim.py
It's not command line, I executed the function "format_sim" from an interactive python shell, I just wanted something easy where I could easily send manual commands and quickly format a bunch of cards.
I'll see if I can make it easier and adapt it to support both card models.
Sylvain
Hi folks,
Is there anybody in Berlin who would lend me his 16in1 SIM for 2 or 3 days? I want to do some tests and maybe want to add functionality to set the operator parameters to my SIM protocol analyser.
btw.: I am really looking forward to meeting you all at the congress.
regards. Philipp