OpenBSC, 16-in-1 SIM and COMP128v1 authentication

Sylvain Munaut 246tnt at gmail.com
Mon Nov 23 19:38:44 UTC 2009


> Today I spent some time investigating the cheap 16-in-1 SIM cards on which
> we can set our own Ki.  This means that those cards can be used for
> cryptographic authentication with OpenBSC.  Finally, we will have not only
> IMSI-based identification, but actual authentication!

I tested some of those last weekend, and when I verified they work, I ordered a
100 bulk pack so that if anyone is interested I could re-distribute
them at events and such.

(They're the bare card, no reader included. I mostly wanted 10 or so
for myself to put in each of the test phones I use and didn't want to
pay for useless readers ...)


> I've created a page in the Wiki about those cards:
> http://openbsc.gnumonks.org/trac/wiki/MagicSIM

I have two models:
 - SuperSim 16-in-1
 - Magic SIM 6-in-1

But it's weird, I didn't program them using the same EF/DF ... Me, I
just have an EF 3f00 / 000c that contains all the data and not in the
same format.


> Using this information, I could send the RUN GSM ALGORITHM APDU to the card and
> retrieve SRES + Kc.  The result matched what I can also obtain using the
> COMP128v1 code from http://www.scard.org/gsm/a3a8.txt

Beware that in this code, the test software (main function) swapped Ki and RAND.


> By the way: It would really be great if somebody could hack up a small command
> line program that can be used to program the Operator Name, Ki, ICCID, IMSI and
> preferred PLMN into the 16-in-1 SIM.

I've written something like that but it's for the card model I have:
http://www.246tnt.com/files/pySim.py

It's not command line, I executed the function "format_sim" from an
interactive python shell, I just wanted something easy where I could
easily send manual commands and quickly format a bunch of cards.

I'll see if I can make it easier and adapt it to support both card models.


    Sylvain
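
The RUN GSM ALGORITHM exchange mentioned in the quoted text, as an added example that is not part of the original message and not taken from pySim.py. The APDU layout and status words follow GSM 11.11; the FakeCard class, the Ki and the RAND are constructed for illustration, and the card's A3/A8 is a placeholder hash, not COMP128v1. A real card also needs DF_GSM selected and CHV1 verified first, which is assumed here.

```python
import hashlib

CLA_GSM, INS_RUN_GSM_ALGORITHM, INS_GET_RESPONSE = 0xA0, 0x88, 0xC0

def run_gsm_algorithm_apdu(rand: bytes) -> bytes:
    """A0 88 00 00 10 || RAND (16 bytes)."""
    if len(rand) != 16:
        raise ValueError("RAND must be exactly 16 bytes")
    return bytes([CLA_GSM, INS_RUN_GSM_ALGORITHM, 0x00, 0x00, 0x10]) + rand

def authenticate(transmit, rand: bytes):
    """Run the two-step exchange; transmit(apdu) -> (data, sw1, sw2)."""
    _, sw1, sw2 = transmit(run_gsm_algorithm_apdu(rand))
    if sw1 != 0x9F:  # 9F xx = success, xx bytes of response waiting
        raise IOError("RUN GSM ALGORITHM failed: %02X%02X" % (sw1, sw2))
    data, sw1, sw2 = transmit(bytes([CLA_GSM, INS_GET_RESPONSE, 0, 0, sw2]))
    if (sw1, sw2) != (0x90, 0x00) or len(data) != 12:
        raise IOError("GET RESPONSE failed: %02X%02X" % (sw1, sw2))
    return data[:4], data[4:]  # SRES (4 bytes), Kc (8 bytes)

class FakeCard:
    """Constructed stand-in for a card. Truncated SHA-256 is a placeholder
    for A3/A8 here; it is NOT COMP128v1 and its output matches no real SIM."""
    def __init__(self, ki: bytes):
        self.ki, self.pending = ki, None

    def transmit(self, apdu: bytes):
        ins, p3 = apdu[1], apdu[4]
        if ins == INS_RUN_GSM_ALGORITHM:
            if p3 != 0x10 or len(apdu) != 21:
                return b"", 0x67, 0x00  # incorrect P3
            self.pending = hashlib.sha256(self.ki + apdu[5:]).digest()[:12]
            return b"", 0x9F, 0x0C
        if ins == INS_GET_RESPONSE and self.pending is not None:
            out, self.pending = self.pending[:p3], None
            return out, 0x90, 0x00
        return b"", 0x6D, 0x00  # unknown instruction

if __name__ == "__main__":
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed Ki
    rand = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed RAND
    sres, kc = authenticate(FakeCard(ki).transmit, rand)
    print("SRES", sres.hex(), "Kc", kc.hex())
```

With a real reader, `transmit` would be replaced by the reader library's APDU call; the parsing of the 12-byte response into SRES and Kc stays the same.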
