23 Nov
2009
23 Nov
'09
8:19 p.m.
Hi!
Today I spent some time investigating the cheap 16-in-1 SIM cards on which
we can set our own Ki. This means that those cards can be used for
cryptographic authentication with OpenBSC. Finally, we will have not only
IMSI-based identification, but actual authentication!
I've created a page in the Wiki about those cards:
http://openbsc.gnumonks.org/trac/wiki/MagicSIM
Using this information, I could send the RUN GSM ALGORITHM APDU to the card and
retreive SRES + Kc. The result matched what I can also obtain using the
COMP128v1 code from http://www.scard.org/gsm/a3a8.txt
I will add Comp128v1 support to OpenBSC as soon as I have tested acutal
authentication using this 16-in-1 SIM card.
By the way: It would really be great if somebody could hack up a small command
line program that can be used to program the Operator Name, Ki, ICCID, IMSI and
preferred PLMN into the 16-in-1 SIM.
Regards,
Harald
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
23 Nov
23 Nov
8:37 p.m.
Hi Harald.
By the way: It would really be great if somebody could
hack up a small
command
line program that can be used to program the Operator Name, Ki, ICCID,
IMSI and
preferred PLMN into the 16-in-1 SIM.
I know how to do that with SCRIPTOR. Should not be that difficult if the
PCSC-Bugs will not spoilt it all. (Have seen the strangest things, APDUs
with more than 8 byte payload do not transmit !?!? Lets hope the best ;-)
I have done the development of my SIM-Sniffer / Protocol dissector. And
i will start an own very basic SIM-Card implementation soon for
experimental use with openBSC
Do you have documentation of the card? We also can do some protocol traces.
regards.
Philipp
8:38 p.m.
Today I spent some time investigating the cheap
16-in-1 SIM cards on which
we can set our own Ki. This means that those cards can be used for
cryptographic authentication with OpenBSC. Finally, we will have not only
IMSI-based identification, but actual authentication!
I tested some of those last week end and when I verified they work, I ordered a
100 bulk pack so that if anyone is interested I could re-distribute
them at events and such.
(They're the bare card, no reader included, I mostly wanted 10 or so
for myself to put in each of the test phone I use and didn't want to
pay for useless readers ...)
I've created a page in the Wiki about those
cards:
http://openbsc.gnumonks.org/trac/wiki/MagicSIM
I have two models :
- SuperSim 16-in-1
- Magic SIM 6-in-1
But it's weird, I didn't program them using the same EF/DF ... Me I
just have a EF 3f00 / 000c that contains all the data and not in the
same format.
Using this information, I could send the RUN GSM
ALGORITHM APDU to the card and
retreive SRES + Kc. The result matched what I can also obtain using the
COMP128v1 code from http://www.scard.org/gsm/a3a8.txt
Beware that in this code, the test software (main function) swapped Ki and RAND.
By the way: It would really be great if somebody could
hack up a small command
line program that can be used to program the Operator Name, Ki, ICCID, IMSI and
preferred PLMN into the 16-in-1 SIM.
I've written something like that but it's for the card model I have:
http://www.246tnt.com/files/pySim.py
It's not command line, I executed the function "format_sim" from an
interactive python shell, I just wanted something easy where I could
easily send manual command and quickly formats a bunch of cards.
I'll see if I can make it more easy and adapt it to support both card model.
Sylvain
28 Nov
28 Nov
11:12 a.m.
Hi folks,
Is here anybody in Berlin who would lend me his 16in1 Sim for a 2 or 3
days? I want to do some tests and maybe want to add functionality to set
the operator parameters to my sim protocol analyser.
btw.: I am really looking forward to meet you all at the congress.
regards.
Philipp
5270
days inactive
5275
days old
3 comments
3 participants
participants (3)
-
dexter -
Harald Welte -
Sylvain Munaut