14 Jul
2011
14 Jul
'11
3:37 p.m.
Hello,
We would like to do some active manipulation between our ME and the SIM
card. As I understood correctly, the hardware SIMtrace project is just
about passive monitoring the traffic in between, am I right? So this seems
to be inappropriate for our aims.
So we thought about a solution more like the RebelSIM card, which is
documented as well in the osmocomBB wiki. Unfortunately, the information
given there are also very vague. So maybe it is just outdated: Does
anybody worked with the RebelSIM card in a way that they try to manipulate
the responses from the SIM (or do something else, except from unlocking
their phone)? Is it possible to flash it via SIM card interface?!
What we actually want to do is to replace same values, e.g. we want to
provide another Kc than the SIM card in fact has (this is solely a
research project). So maybe there is some other way to do is, except the
approach based on RebelSIM? If so I would be grateful for your valuable
feedback.
Cheers,
Dirk
14 Jul
14 Jul
4:08 p.m.
We would like to do some active manipulation between
our ME and the SIM
card. As I understood correctly, the hardware SIMtrace project is just about
passive monitoring the traffic in between, am I right? So this seems to be
inappropriate for our aims.
No, the HW can do man-in-the-middle.
Cheers,
Sylvain
4:26 p.m.
Thats great news!
So (I guess that ones for Harald Welte) when will the HW be publicly
available? You wrote in your last mail to this list on 27C3 - Am I just
missing something or wasn't this last December? Did you mean instead 28C3?
But this is in December, which is still quite some time... So is there
maybe a possibility to get the HW earlier, especially if you already get
them in the next week(s)?
Cheers,
Dirk
On Thu, 14 Jul 2011 16:08:57 +0200, Sylvain Munaut <246tnt(a)gmail.com>
wrote:
We would like
to do some active manipulation between our ME and the SIM
card. As I understood correctly, the hardware SIMtrace project is just
about
passive monitoring the traffic in between, am I right? So this seems to
be
inappropriate for our aims.
No, the HW can do man-in-the-middle.
Cheers,
Sylvain 
8:07 p.m.
Yeah that was how I read it also. While he said 27C3, based on the rest of
his email I made the assumption he meant the CCC as well.
A friend of mine will be attending, and I'm hoping they are available at the
even as well.
The MITM should be fairly easy with the hardware solution based on what I've
seen go through this list as of late.
Cheers!
On Thu, Jul 14, 2011 at 10:27 AM, Sylvain Munaut <246tnt(a)gmail.com> wrote:
Hi,
So (I guess that ones for Harald Welte) when will
the HW be publicly
available? You wrote in your last mail to this list on 27C3 - Am I just
missing something or wasn't this last December? Did you mean instead
28C3?
He meant CCC camp which is mid-August.
Cheers,
Sylvain
4:48 p.m.
Hi,
On 14.07.2011 16:26, Dirk Kirsten wrote:
Thats great news!
So (I guess that ones for Harald Welte) when will the HW be publicly
available? You wrote in your last mail to this list on 27C3 - Am I just
missing something or wasn't this last December? Did you mean instead
28C3? But this is in December, which is still quite some time...
He will sell SIMtrace at the CCC Camp (10th-15th august).
The schematic and pcb drawing are also available in git.
You can produce your own if you want it earlier.
Search in the mailing list and wiki for more information.
Kevin
9:14 p.m.
Hi Dirk and others,
yes, the hardware is capable of full MITM. We haven't yet written the
software (both firmware and host software) for it, but we are confident
that it will work.
The 100 unit hardware manufacturing is scheduled for mid next week,
which should give us ample time for testing, flashing and possibly
debugging any issues that may arise during that production run before
the camp.
And yes, I was referring to the camp as availability time.
The price is not fixed yet, but I would expect somewhere in the order of
75 EUR, including a set of four SIM card adapters. This may seem a lot
given the BOM cost, but it's actually "just" the production cost plus
the hardware cost we had for doing the two prototype runs, plus some
amount that we need as a safeguard for dealing with warranty related
issues (mandatory legal warranty for products is 2 years in the EU).
Also, the SIM card dummy adapters are surprisingly expensive to get hold
of :/
All time spent in doing the hardware design (schematics, layout,
firmware, host software) is volunteer work by Kevin and me.
Regards,
Harald
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
4:45 p.m.
Hi,
Here some corrections :
On 14.07.2011 15:37, Dirk Kirsten wrote:
Hello,
We would like to do some active manipulation between our ME and the SIM
card. As I understood correctly, the hardware SIMtrace project is just
about passive monitoring the traffic in between, am I right? So this
seems to be inappropriate for our aims.
The hardware can co MitM. Only the software
has to implement it.
So we thought about a solution more like the RebelSIM card, which is
documented as well in the osmocomBB wiki. Unfortunately, the information
given there are also very vague. So maybe it is just outdated: Does
anybody worked with the RebelSIM card in a way that they try to
manipulate the responses from the SIM (or do something else, except from
unlocking their phone)? Is it possible to flash it via SIM card
interface?!
The rebelSIM can only sniff, even that is very unstable.
This is why we built SIMtrace.
What we actually want to do is to replace same values, e.g. we want to
provide another Kc than the SIM card in fact has (this is solely a
research project). So maybe there is some other way to do is, except the
approach based on RebelSIM? If so I would be grateful for your valuable
feedback.
You can also try the softSIM project.
Compile osmocomBB with the SAP support from nion, and use the SAP server.
Then you can change everything in software.
Cheers,
Dirk
Kevin
15 Jul
15 Jul
1:45 p.m.
Hello Kevin,
On Thu, 14 Jul 2011 16:45:02 +0200, "tsaitgaist" <ml(a)mail.tsaitgaist.info>
wrote:
The rebelSIM can only sniff, even that is very unstable.
The Rebel SIM card (the device which goes between the SIM card holder
and the SIM card) can do MITM. However one has to write its own firmware
for the microcontroller and the hardware is limited (e.g. there is no
interface to a PC).
Another device is from Bladox, the hardware is quite nice however the full
source code of the firmware is not available.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
6:14 p.m.
True the Bladox product doesn't provide the full source code. But the nice
thing is that the creator seems allow for easy hooks and API mechanisms to
do do simple MITM things. The issue I have with the Bladox product is that
you others enhance the capabilities of the firmware. Even if you wanted to
the Atmel chip used has some pretty decent security mechanisms.
Regardless, I think that the SIMtrace hardware is going to be a great
addition to the space, and I'm looking forward to it.
On Fri, Jul 15, 2011 at 4:45 AM, Dieter Spaar <spaar(a)mirider.augusta.de>wrote;wrote:
Hello Kevin,
On Thu, 14 Jul 2011 16:45:02 +0200, "tsaitgaist"
<ml(a)mail.tsaitgaist.info>
wrote:
The rebelSIM can only sniff, even that is very unstable.
The Rebel SIM card (the device which goes between the SIM card holder
and the SIM card) can do MITM. However one has to write its own firmware
for the microcontroller and the hardware is limited (e.g. there is no
interface to a PC).
Another device is from Bladox, the hardware is quite nice however the full
source code of the firmware is not available.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
4676
days inactive
4677
days old
9 comments
6 participants
participants (6)
-
Adam Helbling -
Dieter Spaar -
Dirk Kirsten -
Harald Welte -
Sylvain Munaut -
tsaitgaist