25 Jan
2012
25 Jan
'12
8:50 p.m.
Hi all,
I was wondering if anyone has access to a LTE device (like a 4G USB
dongle) and has been able to trace the communication between the SIM
card and the device yet.
If so, it would be great to get some traces. Feel free to patch out
the IMSI, PIN number or any other private details (or simply filter
those messages, if you care to).
Thanks in advance,
Harald
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
25 Jan
25 Jan
9:42 p.m.
Hello,
On Wed, Jan 25, 2012 at 21:50, Harald Welte <laforge(a)gnumonks.org> wrote:
Hi all,
I was wondering if anyone has access to a LTE device (like a 4G USB
dongle) and has been able to trace the communication between the SIM
card and the device yet.
Does it need to be in a 4G radio area or just with the
device?
Samsung GT-B3730 should be 4G.
If so, it would be great to get some traces. Feel
free to patch out
the IMSI, PIN number or any other private details (or simply filter
those messages, if you care to).
Is there some easy way to do this, like a
readymade filter? I usually
replace PIN codes with 1234 or similar, but how to strip
network-related bits?
Martin
10:10 p.m.
On Wed, Jan 25, 2012 at 10:42:55PM +0200, Martin Paljak wrote:
Hello,
On Wed, Jan 25, 2012 at 21:50, Harald Welte <laforge(a)gnumonks.org> wrote:
there is no ready-made filter. But then, there isn't much privacy
related detail apart from
* reading EF.ICCID
* reading EF.IMSI
* writing EF.Kc / EF.KcGPRS
* writing EF.LOCI (location area code)
* writing the TMSI
it shouldn't be too hard to filter those messages manually when looking
at the trace.
Regards,
Harald
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
Hi all,
I was wondering if anyone has access to a LTE device (like a 4G USB
dongle) and has been able to trace the communication between the SIM
card and the device yet.
Does it need to be in a 4G radio area or just with the
device?
Samsung GT-B3730 should be 4G.
If so, it would be great to get some traces.
Feel free to patch out
the IMSI, PIN number or any other private details (or simply filter
those messages, if you care to).
Is there some easy way to do this, like a
readymade filter? I usually
replace PIN codes with 1234 or similar, but how to strip
network-related bits? 
26 Jan
26 Jan
12:45 a.m.
Hi,
I tried doing some traces but had some issues.
The first one was a missing entry in Fi_table. It's apparently used as
'64' in some reader and 'unsupported' in some other. For simtrace I
guess we should consider it 64.
diff --git a/firmware/src/simtrace/iso7816_uart.c
b/firmware/src/simtrace/iso7816_uart.c
index 17303ca..2a92042 100644
--- a/firmware/src/simtrace/iso7816_uart.c
+++ b/firmware/src/simtrace/iso7816_uart.c
@@ -119,7 +119,7 @@ static const u_int16_t fi_table[] = {
/* Table 7 from ISO 7816-3 */
static const u_int8_t di_table[] = {
- 0, 1, 2, 4, 8, 16, 32, 0,
+ 0, 1, 2, 4, 8, 16, 32, 64,
12, 20, 2, 4, 8, 16, 32, 64,
};
The second one is that that APDU split fails at some point :
simtrace - GSM SIM and smartcard tracing
(C) 2010 by Harald Welte <laforge(a)gnumonks.org>
Entering main loop
URB: 01 05 00 00
ATR APDU:
URB: 01 01 00 00 3b 9f 97 c0 0a 1f c7 80 31 e0 73 fe 21 1b 65 d0 01 10
09 22 81 00 f2
ATR APDU: 3b 9f 97 c0 0a 1f c7 80 31 e0 73 fe 21 1b 65 d0 01 10 09 22 81 00 f2
URB: 01 04 00 00 00 a4 00 04 02
URB: 01 04 00 00 a4 3f 00
URB: 01 04 00 00 61 38 00 c0 00 00 38 c0 62 36 82 02 78 21 83 02 3f 00
a5 0c 80 01 71 87 01 01 83 04 00 04 03 c0 8a 01 05 8b 03 2f 06 02 c6
12 90 01 78 83 01 01 83 01 0a 83 01 0b 83 01 0c 83 01 0d 81 02 ff ff
90 00 00 a4 08 04 02 a4 2f e2 61 1f 00 c0 00 00 1f c0 62 1d 82 02 41
21 83 02 2f e2 a5 03 c0 01 40 8a 01 05 8b 03 2f 06 03 80 02 00 0a 81
02 00 1c 90 00 00 b0 00 00 0a
APDU: 00 a4 00 04 02 3f 00 61 38
APDU: 00 c0 00 00 38 62 36 82 02 78 21 83 02 3f 00 a5 0c 80 01 71 87
01 01 83 04 00 04 03 c0 8a 01 05 8b 03 2f 06 02 c6 12 90 01 78 83 01
01 83 01 0a 83 01 0b 83 01 0c 83 01 0d 81 02 ff ff 90 00
APDU: 00 a4 08 04 02 2f e2 61 1f
APDU: 00 c0 00 00 1f 62 1d 82 02 41 21 83 02 2f e2 a5 03 c0 01 40 8a
01 05 8b 03 2f 06 03 80 02 00 0a 81 02 00 1c 90 00
URB: 01 04 00 00 b0 98 41 08 00 00 00 32 55 22 63 90 00 00 a4 08 04 02
a4 2f 05 61 1f 00 c0 00 00 1f c0 62 1d 82 02 41 21 83 02 2f 05 a5 03
c0 01 40 8a 01 05 8b 03 2f 06 05 80 02 00 06 81 02 00 18 90 00 00 a4
08 04 02 a4 2f 06 61 22 00 c0 00 00 22 c0 62 20 82 05 42 21 00 3f 0e
83 02 2f 06 a5 03 c0 01 40 8a 01 05 8b 03 2f 06 01 80 02 03 72 81 02
03 86 90 00 00 b2 05 04 3f
APDU: 00 b0 00 00 0a 98 41 08 00 00 00 32 55 22 63 90 00
APDU: 00 a4 08 04 02 2f 05 61 1f
APDU: 00 c0 00 00 1f 62 1d 82 02 41 21 83 02 2f 05 a5 03 c0 01 40 8a
01 05 8b 03 2f 06 05 80 02 00 06 81 02 00 18 90 00
APDU: 00 a4 08 04 02 2f 06 61 22
APDU: 00 c0 00 00 22 62 20 82 05 42 21 00 3f 0e 83 02 2f 06 a5 03 c0
01 40 8a 01 05 8b 03 2f 06 01 80 02 03 72 81 02 03 86 90 00
URB: 01 04 00 00 b2 80 01 02 a4 06 83 01 01 95 01 08 80 01 18 a4 06 83
01 0a 95 01 08 80 01 01 90 00 ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
90 00 00 a4 08 0c 02 a4 2f 05 90 00 00 b0 00 00 06
APDU: 00 b2 05 04 3f 80 01 02 a4 06 83 01 01 95 01 08 80 01 18 a4 06
83 01 0a 95 01 08 80 01 01 90 00 ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff 90 00
APDU: 00 a4 08 0c 02 2f 05 90 00
URB: 01 04 00 00 b0 65 6e 65 73 ff ff 90 00 00 a4 08 04 02 a4 2f 00 61
25 00 c0 00 00 25 c0 62 23 82 05 42 21 00 26 04 83 02 2f 00 a5 03 c0
01 40 8a 01 05 8b 03 2f 06 06 80 02 00 98 81 02 00 ac 88 01 f0 90 00
00 a4 08 0c 02 a4 2f 06 90 00 00 b2 06 04 3f
APDU: 00 b0 00 00 06 65 6e 65 73 ff ff 90 00
APDU: 00 a4 08 04 02 2f 00 61 25
APDU: 00 c0 00 00 25 62 23 82 05 42 21 00 26 04 83 02 2f 00 a5 03 c0
01 40 8a 01 05 8b 03 2f 06 06 80 02 00 98 81 02 00 ac 88 01 f0 90 00
APDU: 00 a4 08 0c 02 2f 06 90 00
URB: 01 04 00 00 b2 80 01 1a a4 06 83 01 0a 95 01 08 80 01 40 a4 06 83
01 0a 95 01 08 80 01 01 90 00 ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
90 00 00 a4 08 0c 02 a4 2f 00 90 00 00 b2 01 04 26
APDU: 00 b2 06 04 3f 80 01 1a a4 06 83 01 0a 95 01 08 80 01 40 a4 06
83 01 0a 95 01 08 80 01 01 90 00 ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff 90 00
APDU: 00 a4 08 0c 02 2f 00 90 00
URB: 01 00 00 00 b2 61 18 4f 10 a0 00 00 00 87 10 02 f3 10 ff ff 89 08
00 00 ff 50 04 55 53 49 4d ff ff ff ff ff ff ff ff ff ff ff ff 90 00
00 b2 02 04 26 b2 61 18 4f 10 a0 00 00 00 87 10 04 f3 10 ff ff 89 08
00 00 ff 50 04 49 53 49 4d ff ff ff ff ff ff ff ff ff ff ff ff 90 00
00 b2 03 04 26 b2 61 18 4f 10 a0 00 00 03 43 10 02 f3 10 ff ff 89 02
00 00 ff 50 04 43 53 49 4d ff ff ff ff ff
APDU: 00 b2 01 04 26 61 18 4f 10 a0 00 00 00 87 10 02 f3 10 ff ff 89
08 00 00 ff 50 04 55 53 49 4d ff ff ff ff ff ff ff ff ff ff ff ff 90
00
APDU: 00 b2 02 04 26 61 18 4f 10 a0 00 00 00 87 10 04 f3 10 ff ff 89
08 00 00 ff 50 04 49 53 49 4d ff ff ff ff ff ff ff ff ff ff ff ff 90
00
URB: 01 04 00 00 ff ff ff ff ff 90 00 00 b2 04 04 26 b2 61 0f 4f 05 a0
00 00 00 63 50 06 50 4b 43 53 31 35 ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff 90 00 80 10 00 00 1e 10 37 09 e8 ce 11
9c 00 07 9c 00 00 1f e2 60 00 00 43 d0 00 07 00 00 20 00 50 00 00 00
00 08
APDU: 00 b2 03 04 26 61 18 4f 10 a0 00 00 03 43 10 02 f3 10 ff ff 89
02 00 00 ff 50 04 43 53 49 4d ff ff ff ff ff ff ff ff ff ff 90 00 00
b2
As you can see on that last APDU, the 90 00 is not at the end ... not
sure what happenned, why is the record 2 bytes shorter than what it
should be ?
Cheers,
Sylvain
12:56 a.m.
Hi Sylvain,
On Thu, Jan 26, 2012 at 12:45:46AM +0100, Sylvain Munaut wrote:
I tried doing some traces but had some issues.
thanks.
The first one was a missing entry in Fi_table.
It's apparently used as
'64' in some reader and 'unsupported' in some other. For simtrace I
guess we should consider it 64.
thanks a lot, I've applied that patch.
As you can see on that last APDU, the 90 00 is not at
the end ... not
sure what happenned, why is the record 2 bytes shorter than what it
should be ?
I have no idea right now, sorry.
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
4481
days inactive
4481
days old
4 comments
3 participants
participants (3)
-
Harald Welte -
Martin Paljak -
Sylvain Munaut