Hi all,
I was wondering if anyone has access to an LTE device (like a 4G USB dongle) and has been able to trace the communication between the SIM card and the device yet.
If so, it would be great to get some traces. Feel free to patch out the IMSI, PIN number or any other private details (or simply filter those messages, if you care to).
Thanks in advance, Harald
Hello,
On Wed, Jan 25, 2012 at 21:50, Harald Welte laforge@gnumonks.org wrote:
Hi all,
I was wondering if anyone has access to an LTE device (like a 4G USB dongle) and has been able to trace the communication between the SIM card and the device yet.
Does it need to be in a 4G radio area or just with the device?
Samsung GT-B3730 should be 4G.
If so, it would be great to get some traces. Feel free to patch out the IMSI, PIN number or any other private details (or simply filter those messages, if you care to).
Is there some easy way to do this, like a ready-made filter? I usually replace PIN codes with 1234 or similar, but how to strip network-related bits?
Martin
On Wed, Jan 25, 2012 at 10:42:55PM +0200, Martin Paljak wrote:
Hello,
On Wed, Jan 25, 2012 at 21:50, Harald Welte laforge@gnumonks.org wrote:
Hi all,
I was wondering if anyone has access to an LTE device (like a 4G USB dongle) and has been able to trace the communication between the SIM card and the device yet.
Does it need to be in a 4G radio area or just with the device?
Samsung GT-B3730 should be 4G.
If so, it would be great to get some traces. Feel free to patch out the IMSI, PIN number or any other private details (or simply filter those messages, if you care to).
Is there some easy way to do this, like a ready-made filter? I usually replace PIN codes with 1234 or similar, but how to strip network-related bits?
there is no ready-made filter. But then, there isn't much privacy-related detail apart from
* reading EF.ICCID
* reading EF.IMSI
* writing EF.Kc / EF.KcGPRS
* writing EF.LOCI (location area code)
* writing the TMSI
it shouldn't be too hard to filter those messages manually when looking at the trace.
Regards, Harald
Hi,
I tried doing some traces but had some issues.
The first one was a missing entry in Fi_table. It's apparently used as '64' in some readers and 'unsupported' in others. For simtrace I guess we should consider it 64.
diff --git a/firmware/src/simtrace/iso7816_uart.c b/firmware/src/simtrace/iso7816_uart.c index 17303ca..2a92042 100644 --- a/firmware/src/simtrace/iso7816_uart.c +++ b/firmware/src/simtrace/iso7816_uart.c @@ -119,7 +119,7 @@ static const u_int16_t fi_table[] = {
/* Table 7 from ISO 7816-3 */ static const u_int8_t di_table[] = { - 0, 1, 2, 4, 8, 16, 32, 0, + 0, 1, 2, 4, 8, 16, 32, 64, 12, 20, 2, 4, 8, 16, 32, 64, };
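Review bot: the hunk changes di_table (the table the comment calls "Table 7 from ISO 7816-3", i.e. the Di values), but the accompanying text describes the fix as a missing entry in Fi_table; the `static const u_int16_t fi_table[] = {` in the @@ header is only the nearest preceding declaration that the diff tool picked up as context. Suggest naming di_table in the commit message so the change is searchable later, and putting a short comment on the new `64` entry (index 7) recording that it is reserved in older editions of ISO 7816-3 and defined as 64 in newer ones, since that is the reason given for treating it as 64 rather than as unsupported.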
The second one is that the APDU split fails at some point:
simtrace - GSM SIM and smartcard tracing (C) 2010 by Harald Welte laforge@gnumonks.org
Entering main loop URB: 01 05 00 00 ATR APDU: URB: 01 01 00 00 3b 9f 97 c0 0a 1f c7 80 31 e0 73 fe 21 1b 65 d0 01 10 09 22 81 00 f2 ATR APDU: 3b 9f 97 c0 0a 1f c7 80 31 e0 73 fe 21 1b 65 d0 01 10 09 22 81 00 f2 URB: 01 04 00 00 00 a4 00 04 02 URB: 01 04 00 00 a4 3f 00 URB: 01 04 00 00 61 38 00 c0 00 00 38 c0 62 36 82 02 78 21 83 02 3f 00 a5 0c 80 01 71 87 01 01 83 04 00 04 03 c0 8a 01 05 8b 03 2f 06 02 c6 12 90 01 78 83 01 01 83 01 0a 83 01 0b 83 01 0c 83 01 0d 81 02 ff ff 90 00 00 a4 08 04 02 a4 2f e2 61 1f 00 c0 00 00 1f c0 62 1d 82 02 41 21 83 02 2f e2 a5 03 c0 01 40 8a 01 05 8b 03 2f 06 03 80 02 00 0a 81 02 00 1c 90 00 00 b0 00 00 0a APDU: 00 a4 00 04 02 3f 00 61 38 APDU: 00 c0 00 00 38 62 36 82 02 78 21 83 02 3f 00 a5 0c 80 01 71 87 01 01 83 04 00 04 03 c0 8a 01 05 8b 03 2f 06 02 c6 12 90 01 78 83 01 01 83 01 0a 83 01 0b 83 01 0c 83 01 0d 81 02 ff ff 90 00 APDU: 00 a4 08 04 02 2f e2 61 1f APDU: 00 c0 00 00 1f 62 1d 82 02 41 21 83 02 2f e2 a5 03 c0 01 40 8a 01 05 8b 03 2f 06 03 80 02 00 0a 81 02 00 1c 90 00 URB: 01 04 00 00 b0 98 41 08 00 00 00 32 55 22 63 90 00 00 a4 08 04 02 a4 2f 05 61 1f 00 c0 00 00 1f c0 62 1d 82 02 41 21 83 02 2f 05 a5 03 c0 01 40 8a 01 05 8b 03 2f 06 05 80 02 00 06 81 02 00 18 90 00 00 a4 08 04 02 a4 2f 06 61 22 00 c0 00 00 22 c0 62 20 82 05 42 21 00 3f 0e 83 02 2f 06 a5 03 c0 01 40 8a 01 05 8b 03 2f 06 01 80 02 03 72 81 02 03 86 90 00 00 b2 05 04 3f APDU: 00 b0 00 00 0a 98 41 08 00 00 00 32 55 22 63 90 00 APDU: 00 a4 08 04 02 2f 05 61 1f APDU: 00 c0 00 00 1f 62 1d 82 02 41 21 83 02 2f 05 a5 03 c0 01 40 8a 01 05 8b 03 2f 06 05 80 02 00 06 81 02 00 18 90 00 APDU: 00 a4 08 04 02 2f 06 61 22 APDU: 00 c0 00 00 22 62 20 82 05 42 21 00 3f 0e 83 02 2f 06 a5 03 c0 01 40 8a 01 05 8b 03 2f 06 01 80 02 03 72 81 02 03 86 90 00 URB: 01 04 00 00 b2 80 01 02 a4 06 83 01 01 95 01 08 80 01 18 a4 06 83 01 0a 95 01 08 80 01 01 90 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 90 00 00 a4 08 0c 
02 a4 2f 05 90 00 00 b0 00 00 06 APDU: 00 b2 05 04 3f 80 01 02 a4 06 83 01 01 95 01 08 80 01 18 a4 06 83 01 0a 95 01 08 80 01 01 90 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 90 00 APDU: 00 a4 08 0c 02 2f 05 90 00 URB: 01 04 00 00 b0 65 6e 65 73 ff ff 90 00 00 a4 08 04 02 a4 2f 00 61 25 00 c0 00 00 25 c0 62 23 82 05 42 21 00 26 04 83 02 2f 00 a5 03 c0 01 40 8a 01 05 8b 03 2f 06 06 80 02 00 98 81 02 00 ac 88 01 f0 90 00 00 a4 08 0c 02 a4 2f 06 90 00 00 b2 06 04 3f APDU: 00 b0 00 00 06 65 6e 65 73 ff ff 90 00 APDU: 00 a4 08 04 02 2f 00 61 25 APDU: 00 c0 00 00 25 62 23 82 05 42 21 00 26 04 83 02 2f 00 a5 03 c0 01 40 8a 01 05 8b 03 2f 06 06 80 02 00 98 81 02 00 ac 88 01 f0 90 00 APDU: 00 a4 08 0c 02 2f 06 90 00 URB: 01 04 00 00 b2 80 01 1a a4 06 83 01 0a 95 01 08 80 01 40 a4 06 83 01 0a 95 01 08 80 01 01 90 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 90 00 00 a4 08 0c 02 a4 2f 00 90 00 00 b2 01 04 26 APDU: 00 b2 06 04 3f 80 01 1a a4 06 83 01 0a 95 01 08 80 01 40 a4 06 83 01 0a 95 01 08 80 01 01 90 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 90 00 APDU: 00 a4 08 0c 02 2f 00 90 00 URB: 01 00 00 00 b2 61 18 4f 10 a0 00 00 00 87 10 02 f3 10 ff ff 89 08 00 00 ff 50 04 55 53 49 4d ff ff ff ff ff ff ff ff ff ff ff ff 90 00 00 b2 02 04 26 b2 61 18 4f 10 a0 00 00 00 87 10 04 f3 10 ff ff 89 08 00 00 ff 50 04 49 53 49 4d ff ff ff ff ff ff ff ff ff ff ff ff 90 00 00 b2 03 04 26 b2 61 18 4f 10 a0 00 00 03 43 10 02 f3 10 ff ff 89 02 00 00 ff 50 04 43 53 49 4d ff ff ff ff ff APDU: 00 b2 01 04 26 61 18 4f 10 a0 00 00 00 87 10 02 f3 10 ff ff 89 08 00 00 ff 50 04 55 53 49 4d ff ff ff ff ff ff ff ff ff ff ff ff 90 00 APDU: 00 b2 02 04 26 61 18 4f 10 a0 00 00 00 87 10 04 f3 10 ff ff 89 08 00 00 ff 50 04 49 53 49 4d ff ff ff ff ff ff ff ff ff ff ff ff 90 00 URB: 01 04 00 00 ff ff ff ff ff 90 
00 00 b2 04 04 26 b2 61 0f 4f 05 a0 00 00 00 63 50 06 50 4b 43 53 31 35 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 90 00 80 10 00 00 1e 10 37 09 e8 ce 11 9c 00 07 9c 00 00 1f e2 60 00 00 43 d0 00 07 00 00 20 00 50 00 00 00 00 08 APDU: 00 b2 03 04 26 61 18 4f 10 a0 00 00 03 43 10 02 f3 10 ff ff 89 02 00 00 ff 50 04 43 53 49 4d ff ff ff ff ff ff ff ff ff ff 90 00 00 b2
As you can see in that last APDU, the 90 00 is not at the end ... not sure what happened, why is the record 2 bytes shorter than it should be?
Cheers,
Sylvain
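Two things in this thread lend themselves to a small tool: Harald's list of the messages that carry private data (reads of EF.ICCID and EF.IMSI, writes of EF.Kc / EF.KcGPRS, EF.LOCI and the TMSI), and Sylvain's observation that a split APDU line ended without its 90 00 status word. The script below is an added example, not part of the thread and not simtrace code: it walks a log in the "APDU: <hex bytes>" format printed above, tracks the file selected by the last SELECT, masks the payload of reads/writes on the sensitive EFs (plus the PIN in VERIFY), and flags lines whose trailing status word is not plausible. The file identifiers are the standard ones from 3GPP TS 51.011 / TS 31.102; the sample trace is constructed (modelled on the posted one, with made-up ICCID, IMSI and PIN values).

```python
import re

# Standard SIM/USIM file identifiers (3GPP TS 51.011 / TS 31.102).
# EF.LOCI and EF.PSLOCI hold the TMSI / P-TMSI, so masking them covers "writing the TMSI".
SENSITIVE_EFS = {
    0x2FE2: "EF.ICCID",
    0x6F07: "EF.IMSI",
    0x6F20: "EF.Kc",
    0x6F52: "EF.KcGPRS",
    0x6F7E: "EF.LOCI",
    0x6F73: "EF.PSLOCI",
}

INS_VERIFY, INS_SELECT = 0x20, 0xA4
INS_READ_BINARY, INS_READ_RECORD = 0xB0, 0xB2
INS_UPDATE_BINARY, INS_UPDATE_RECORD = 0xD6, 0xDC
DATA_INS = (INS_READ_BINARY, INS_READ_RECORD, INS_UPDATE_BINARY, INS_UPDATE_RECORD)

APDU_RE = re.compile(r"^APDU:\s*((?:[0-9a-fA-F]{2}\s*)+)$")

# Constructed sample in the simtrace output format: select EF.ICCID, read it,
# VERIFY PIN, select EF.IMSI by path and read it, then an EF.DIR record whose
# line is cut short the way Sylvain's last APDU was (ends in "00 b2", not "90 00").
SAMPLE_TRACE = """\
APDU: 00 a4 08 04 02 2f e2 61 1f
APDU: 00 c0 00 00 1f 62 1d 82 02 41 21 83 02 2f e2 a5 03 c0 01 40 8a 01 05 8b 03 2f 06 03 80 02 00 0a 81 02 00 1c 90 00
APDU: 00 b0 00 00 0a 98 01 23 45 67 89 01 23 45 67 90 00
APDU: 00 20 00 01 08 31 32 33 34 ff ff ff ff 90 00
APDU: 00 a4 08 04 04 7f 20 6f 07 61 1f
APDU: 00 b0 00 00 09 08 09 10 10 10 32 54 76 98 90 00
APDU: 00 a4 08 04 02 2f 00 61 25
APDU: 00 b2 03 04 26 61 18 4f 10 a0 00 00 03 43 10 02 f3 10 ff ff 89 02 00 00 ff 50 04 43 53 49 4d ff ff ff ff ff ff ff ff ff ff 90 00 00 b2
"""


def parse_apdu_line(line):
    """Return the bytes of an 'APDU: ..' line, or None for any other line (URB:, ATR, ...)."""
    m = APDU_RE.match(line.strip())
    if not m:
        return None
    return bytes.fromhex(m.group(1).replace(" ", ""))


def status_word_plausible(sw1):
    """ISO 7816-4 status words have SW1 in 0x61..0x6F or 0x90..0x9F."""
    return 0x61 <= sw1 <= 0x6F or 0x90 <= sw1 <= 0x9F


def redact_trace(text):
    """Mask sensitive payloads; return (redacted_lines, line numbers with an odd status word)."""
    out, suspicious = [], []
    current_ef = None  # FID targeted by the most recent SELECT, if any
    for lineno, line in enumerate(text.splitlines(), 1):
        apdu = parse_apdu_line(line)
        if apdu is None or len(apdu) < 7:  # need 5-byte header + 2-byte status word
            out.append(line)
            continue
        cla, ins, p1, p2, p3 = apdu[:5]
        payload, sw1, sw2 = apdu[5:-2], apdu[-2], apdu[-1]
        if not status_word_plausible(sw1):
            suspicious.append(lineno)
        redact = False
        if ins == INS_SELECT:
            # P1=0x04 selects by AID (DF name), so no EF is current afterwards;
            # otherwise the last two bytes of the P3-byte FID/path are the target.
            path = payload[:p3]
            current_ef = None if p1 == 0x04 or len(path) < 2 else int.from_bytes(path[-2:], "big")
        elif ins == INS_VERIFY:
            redact = True  # the PIN travels in the command data
        elif ins in DATA_INS:
            redact = current_ef in SENSITIVE_EFS
        if redact and payload:
            hdr = " ".join(f"{b:02x}" for b in apdu[:5])
            masked = " ".join("xx" for _ in payload)  # keep the length, drop the value
            label = "PIN" if ins == INS_VERIFY else SENSITIVE_EFS[current_ef]
            out.append(f"APDU: {hdr} {masked} {sw1:02x} {sw2:02x}  # {label} redacted")
        else:
            out.append(line)
    return out, suspicious


if __name__ == "__main__":
    lines, bad = redact_trace(SAMPLE_TRACE)
    print("\n".join(lines))
    print("lines with implausible status word:", bad)
```

Masking keeps the byte count, so file sizes and record layouts stay analysable while the values are gone; responses to GET RESPONSE (the FCP templates) are passed through because they only carry file metadata. The status-word check is deliberately loose: it only catches lines where the last two bytes cannot be a status word at all, which is exactly the symptom in the posted trace.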
Hi Sylvain,
On Thu, Jan 26, 2012 at 12:45:46AM +0100, Sylvain Munaut wrote:
I tried doing some traces but had some issues.
thanks.
The first one was a missing entry in Fi_table. It's apparently used as '64' in some readers and 'unsupported' in others. For simtrace I guess we should consider it 64.
thanks a lot, I've applied that patch.
As you can see in that last APDU, the 90 00 is not at the end ... not sure what happened, why is the record 2 bytes shorter than it should be?
I have no idea right now, sorry.