Hello,
We would like to do some active manipulation between our ME and the SIM card. If I understood correctly, the hardware SIMtrace project is just about passively monitoring the traffic in between, am I right? So this seems to be inappropriate for our aims.
So we thought about a solution more like the RebelSIM card, which is documented as well in the osmocomBB wiki. Unfortunately, the information given there is also very vague. So maybe it is just outdated: Has anybody worked with the RebelSIM card in a way that they tried to manipulate the responses from the SIM (or do something else, apart from unlocking their phone)? Is it possible to flash it via the SIM card interface?!
What we actually want to do is to replace some values, e.g. we want to provide another Kc than the SIM card in fact has (this is solely a research project). So maybe there is some other way to do this, except the approach based on RebelSIM? If so I would be grateful for your valuable feedback.
Cheers, Dirk
> We would like to do some active manipulation between our ME and the SIM card. If I understood correctly, the hardware SIMtrace project is just about passively monitoring the traffic in between, am I right? So this seems to be inappropriate for our aims.
No, the HW can do man-in-the-middle.
Cheers,
Sylvain
That's great news!
So (I guess that one's for Harald Welte) when will the HW be publicly available? You wrote in your last mail to this list about 27C3 - Am I just missing something or wasn't this last December? Did you mean instead 28C3? But this is in December, which is still quite some time... So is there maybe a possibility to get the HW earlier, especially if you already get them in the next week(s)?
Cheers, Dirk
On Thu, 14 Jul 2011 16:08:57 +0200, Sylvain Munaut 246tnt@gmail.com wrote:
> We would like to do some active manipulation between our ME and the SIM card. If I understood correctly, the hardware SIMtrace project is just about passively monitoring the traffic in between, am I right? So this seems to be inappropriate for our aims.
> No, the HW can do man-in-the-middle.
> Cheers,
> Sylvain
Yeah that was how I read it also. While he said 27C3, based on the rest of his email I made the assumption he meant the CCC as well.
A friend of mine will be attending, and I'm hoping they are available at the event as well.
The MITM should be fairly easy with the hardware solution based on what I've seen go through this list as of late.
Cheers!
On Thu, Jul 14, 2011 at 10:27 AM, Sylvain Munaut 246tnt@gmail.com wrote:
> Hi,
>> So (I guess that one's for Harald Welte) when will the HW be publicly available? You wrote in your last mail to this list about 27C3 - Am I just missing something or wasn't this last December? Did you mean instead 28C3?
> He meant the CCC camp, which is mid-August.
> Cheers,
> Sylvain
Hi,
On 14.07.2011 16:26, Dirk Kirsten wrote:
> That's great news!
> So (I guess that one's for Harald Welte) when will the HW be publicly available? You wrote in your last mail to this list about 27C3 - Am I just missing something or wasn't this last December? Did you mean instead 28C3? But this is in December, which is still quite some time...
He will sell SIMtrace at the CCC Camp (10th-15th August). The schematic and PCB drawing are also available in git. You can produce your own if you want it earlier.
Search in the mailing list and wiki for more information.
Kevin
Hi Dirk and others,
Yes, the hardware is capable of full MITM. We haven't yet written the software (both firmware and host software) for it, but we are confident that it will work.
The 100 unit hardware manufacturing is scheduled for mid next week, which should give us ample time for testing, flashing and possibly debugging any issues that may arise during that production run before the camp.
And yes, I was referring to the camp as availability time.
The price is not fixed yet, but I would expect somewhere in the order of 75 EUR, including a set of four SIM card adapters. This may seem a lot given the BOM cost, but it's actually "just" the production cost plus the hardware cost we had for doing the two prototype runs, plus some amount that we need as a safeguard for dealing with warranty related issues (mandatory legal warranty for products is 2 years in the EU). Also, the SIM card dummy adapters are surprisingly expensive to get hold of :/
All time spent in doing the hardware design (schematics, layout, firmware, host software) is volunteer work by Kevin and me.
Regards, Harald
Hi,
Here are some corrections:
On 14.07.2011 15:37, Dirk Kirsten wrote:
> Hello,
> We would like to do some active manipulation between our ME and the SIM card. If I understood correctly, the hardware SIMtrace project is just about passively monitoring the traffic in between, am I right? So this seems to be inappropriate for our aims.
The hardware can do MitM. Only the software has to implement it.
> So we thought about a solution more like the RebelSIM card, which is documented as well in the osmocomBB wiki. Unfortunately, the information given there is also very vague. So maybe it is just outdated: Has anybody worked with the RebelSIM card in a way that they tried to manipulate the responses from the SIM (or do something else, apart from unlocking their phone)? Is it possible to flash it via the SIM card interface?!
The RebelSIM can only sniff, and even that is very unstable. This is why we built SIMtrace.
> What we actually want to do is to replace some values, e.g. we want to provide another Kc than the SIM card in fact has (this is solely a research project). So maybe there is some other way to do this, except the approach based on RebelSIM? If so I would be grateful for your valuable feedback.
You can also try the softSIM project. Compile osmocomBB with the SAP support from nion, and use the SAP server. Then you can change everything in software.
> Cheers, Dirk
Kevin
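The relay Kevin is talking about, "the hardware can do MitM, only the software has to implement it", as an added example that is not code from SIMtrace, osmocomBB or anyone on this thread. It models the ME-to-SIM path for the one command Dirk asked about, RUN GSM ALGORITHM (CLA A0, INS 88 with a 16-byte RAND, answered by SW 9F 0C and then a GET RESPONSE, INS C0, returning SRES followed by Kc, as specified in GSM 11.11). The `FakeSim`, the `SimProxy`, the `KcRewriter` hook and every SRES/Kc/RAND value are constructed for the example; a real deployment would replace `FakeSim.transmit` with the card reader and the ME-facing side with the phone-side interface the hardware provides.

```python
"""Simulated SIM man-in-the-middle relay (added example, not SIMtrace code).

Models GSM 11.11 RUN GSM ALGORITHM (CLA A0, INS 88) and GET RESPONSE (INS C0)
between an ME and a constructed FakeSim, with a relay in between that logs
every exchange and may rewrite the card's answer before the ME sees it.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

CLA_GSM = 0xA0
INS_RUN_GSM_ALGO = 0x88
INS_GET_RESPONSE = 0xC0


@dataclass
class Tpdu:
    """A T=0 command TPDU: header bytes plus optional command data."""
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""


class FakeSim:
    """Stand-in for a real card; answers only the two commands modelled here."""

    def __init__(self, sres: bytes, kc: bytes) -> None:
        self.sres, self.kc = sres, kc
        self._pending = b""  # data queued for the next GET RESPONSE

    def transmit(self, cmd: Tpdu) -> Tuple[bytes, int]:
        if cmd.cla != CLA_GSM:
            return b"", 0x6E00  # class not supported
        if cmd.ins == INS_RUN_GSM_ALGO and len(cmd.data) == 16:
            self._pending = self.sres + self.kc  # 4-byte SRES || 8-byte Kc
            return b"", 0x9F0C  # 12 response bytes available
        if cmd.ins == INS_GET_RESPONSE:
            out, self._pending = self._pending, b""
            return out, 0x9000
        return b"", 0x6D00  # instruction not supported


class KcRewriter:
    """Hook: keep SRES, substitute a chosen Kc in the GET RESPONSE that
    directly follows a successful RUN GSM ALGORITHM; touch nothing else."""

    def __init__(self, new_kc: bytes) -> None:
        if len(new_kc) != 8:
            raise ValueError("Kc is 8 bytes")
        self.new_kc, self._armed, self.rewrites = new_kc, False, 0

    def __call__(self, cmd: Tpdu, resp: bytes, sw: int) -> Tuple[bytes, int]:
        if cmd.ins == INS_RUN_GSM_ALGO and sw == 0x9F0C:
            self._armed = True  # next GET RESPONSE carries SRES||Kc
            return resp, sw
        if self._armed and cmd.ins == INS_GET_RESPONSE and sw == 0x9000 and len(resp) == 12:
            self._armed = False
            self.rewrites += 1
            return resp[:4] + self.new_kc, sw
        self._armed = False
        return resp, sw


class SimProxy:
    """Sits between ME and SIM: forwards each TPDU, applies the hook, logs it."""

    def __init__(self, sim: FakeSim,
                 hook: Optional[Callable[[Tpdu, bytes, int], Tuple[bytes, int]]] = None) -> None:
        self.sim, self.hook, self.log = sim, hook, []  # type: ignore[var-annotated]

    def transmit(self, cmd: Tpdu) -> Tuple[bytes, int]:
        resp, sw = self.sim.transmit(cmd)
        if self.hook is not None:
            resp, sw = self.hook(cmd, resp, sw)
        self.log.append(f"ME>SIM {cmd.cla:02X} {cmd.ins:02X} {cmd.p1:02X} {cmd.p2:02X} "
                        f"data={cmd.data.hex()} | SIM>ME data={resp.hex()} SW={sw:04X}")
        return resp, sw


def run_gsm_algorithm(card, rand: bytes) -> Tuple[bytes, bytes]:
    """What the ME does: send RAND, then fetch SRES||Kc with GET RESPONSE."""
    _, sw = card.transmit(Tpdu(CLA_GSM, INS_RUN_GSM_ALGO, 0, 0, rand))
    if sw >> 8 != 0x9F:
        raise RuntimeError(f"unexpected SW {sw:04X}")
    resp, sw = card.transmit(Tpdu(CLA_GSM, INS_GET_RESPONSE, 0, 0))
    if sw != 0x9000 or len(resp) != 12:
        raise RuntimeError("bad GET RESPONSE")
    return resp[:4], resp[4:]


# Constructed sample values; not taken from any real card.
SAMPLE_SRES = bytes.fromhex("a1b2c3d4")
SAMPLE_KC = bytes.fromhex("0011223344556677")
SAMPLE_RAND = bytes(range(16))


def demo(new_kc: bytes = bytes.fromhex("ffeeddccbbaa9988")) -> Tuple[bytes, bytes, int]:
    """One authentication through the relay with Kc substitution enabled."""
    rewriter = KcRewriter(new_kc)
    proxy = SimProxy(FakeSim(SAMPLE_SRES, SAMPLE_KC), hook=rewriter)
    sres, kc = run_gsm_algorithm(proxy, SAMPLE_RAND)
    for line in proxy.log:
        print(line)
    return sres, kc, rewriter.rewrites


if __name__ == "__main__":
    demo()
```

The hook is deliberately stateful: Kc only appears in the GET RESPONSE that follows a RUN GSM ALGORITHM, so the rewriter arms itself on the 9F 0C status and disarms on anything else, and a stray GET RESPONSE is passed through untouched. The proxy log is what a SIMtrace-style host tool would show for each exchange, which also makes a substituted response easy to spot when comparing against the card's real answer.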
Hello Kevin,
On Thu, 14 Jul 2011 16:45:02 +0200, "tsaitgaist" ml@mail.tsaitgaist.info wrote:
> The RebelSIM can only sniff, and even that is very unstable.
The Rebel SIM card (the device which goes between the SIM card holder and the SIM card) can do MITM. However, one has to write one's own firmware for the microcontroller, and the hardware is limited (e.g. there is no interface to a PC).
Another device is from Bladox; the hardware is quite nice, however the full source code of the firmware is not available.
Best regards, Dieter
True, the Bladox product doesn't provide the full source code. But the nice thing is that the creator seems to allow for easy hooks and API mechanisms to do simple MITM things. The issue I have with the Bladox product is that you others enhance the capabilities of the firmware. Even if you wanted to, the Atmel chip used has some pretty decent security mechanisms.
Regardless, I think that the SIMtrace hardware is going to be a great addition to the space, and I'm looking forward to it.
On Fri, Jul 15, 2011 at 4:45 AM, Dieter Spaar spaar@mirider.augusta.de wrote:
> Hello Kevin,
> On Thu, 14 Jul 2011 16:45:02 +0200, "tsaitgaist" ml@mail.tsaitgaist.info wrote:
>> The RebelSIM can only sniff, and even that is very unstable.
> The Rebel SIM card (the device which goes between the SIM card holder and the SIM card) can do MITM. However, one has to write one's own firmware for the microcontroller, and the hardware is limited (e.g. there is no interface to a PC).
> Another device is from Bladox; the hardware is quite nice, however the full source code of the firmware is not available.
> Best regards, Dieter -- Dieter Spaar, Germany spaar@mirider.augusta.de