MagicSIM
Source: http://openbsc.osmocom.org/trac/wiki/MagicSIM
When you want to use OpenBSC with actual cryptographic authentication, then the secret Ki of the SIM needs to be known.
Extracting the Ki of regular SIM cards issued by GSM operators is typically not possible.
Therefore, we need some alternative solution: a SIM with a known A3/A8 algorithm, where we can program the actual Ki.

Magic SIM / Super SIM 16-in-1
Various stores around the world seem to be selling cheap so-called 16-in-1 SIM cards. They are intended for COMP128v1 based cloning, and enable the user to aggregate up to 16 SIM card identities on one card. They include a SIM toolkit (STK) application for switching the currently active identity from the Phone UI.
Unfortunately those cards come without any documentation and only with a proprietary Windows-based tool for programming.
We've spent some time reverse engineering those cards. Here is some information on how you can program them.
Please note, this information assumes that you are generally familiar with ISO 7816-4 smart cards, as well as the GSM 11.11 specification.
The traces have been generated using http://svn.ploetzli.ch/cyberflex-shell/, but any tool that allows you to send and receive APDUs will work.

DF.ADMIN
DF.ADMIN is a dedicated file (directory) with the File ID 7f 4d. It contains EFs with the user-modifiable IMSI, Ki and other values.
You can change to DF.ADMIN using the SELECT sequence a0 a4 00 00 02 7f 4d:

(GSM, ISO 7816-4) > a0 a4 00 00 02 7f 4d
0000:  00 00 60 33 7f 4d 02 00 00 00 00 00 0a 91 08 18  ..`3.M..........
0010:  06 00 83 8a 83 8a 00                             .......
Normal execution (SW 9000)
EF.OPN Operator Name
EF.OPN is a record-oriented file with the File ID 8f 0c and a record-length of 0x12.
Records are numbered 0x02..0x11, one for each of the 16 identities that you can store on the SIM.
You can select and read the records in this file using the following example APDU sequence:
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0c
0000:  00 00 01 44 8f 0c 04 00 00 f0 44 01 02 01 12     ...D......D....
Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 02 04 12
0000:  4f 70 65 72 61 74 6f 72 31 ff ff ff ff ff ff ff  Operator1.......
0010:  09 01                                            ..
Normal execution (SW 9000)
In this example, the record 0x02 (i.e. the first record) is called "Operator1".

EF 8f 0d: Ki, IMSI, ICCID
This EF contains the Ki (secret A3/A8 key), the IMSI (subscriber identity number) and the ICCID (card serial number). It is a record-oriented file with a record length of 0x4a bytes. There is one record for each of the identities that the card supports. They are numbered from 0x01 up to 0x10.
The following sequence reads the contents of this EF:
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0d
0000:  00 00 04 a0 8f 0d 04 00 00 f0 44 01 02 01 4a     ..........D...J
Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 01 04 4a
0000:  22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22  """"""""""""""""
0010:  3f 00 2f e2 0a 44 44 44 44 44 44 44 44 44 44 7f  ?./..DDDDDDDDDD.
0020:  20 6f 07 09 11 11 11 11 11 11 11 11 11 6f 30 18   o...........o0.
0030:  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
0040:  ff ff ff ff ff ff ff ff ff ff                    ..........
Normal execution (SW 9000)
In this example, the following values have been filled in for illustration purposes:

22 = Ki, to be used for RUN GSM ALGORITHM (COMP128v1)
44 = ICCID, exported through EF.ICCID
11 = IMSI, exported through EF.IMSI
ff = PLMN selector, exported through EF.PLMNsel
As you can also see, each of the file contents (except Ki) is prefixed with the file name + path and the length.
DF     EF     LEN  File content
3f 00  2f e2  0a   44 44 44 44 44 44 44 44 44 44
7f 20  6f 07  09   11 11 11 11 11 11 11 11 11
       6f 30  18   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
It is thus likely that you can generate arbitrary files and content, as long as the format is correct.

EF 8f 0e: SMS parameters
The content of records in EF 8f 0e is used to generate EF.SMSP (short message service parameters). It is a record-based file with a record length of 32 bytes. Records are numbered from 0x01 through 0x10.
Reading this file works as follows:
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0e
0000:  00 00 03 20 8f 0e 04 00 00 f0 44 01 02 01 32     ... ......D...2
Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 01 04 32
0000:  3f 00 7f 10 6f 42 01 28 ff ff ff ff ff ff ff ff  ?...oB.(........
0010:  ff ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff  ................
0020:  ff 08 91 33 33 33 33 33 33 33 33 33 33 ff ff ff  ...3333333333...
0030:  ff ff                                            ..
Normal execution (SW 9000)

The content seems to be similar to the previous file, but targeted at record-based EFs:

3f 00 is the MF
7f 10 is DF.telecom
6f 42 is EF.SMSP
01 is the record number
28 is the record length
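Added example (not code from the Osmocom wiki or OpenBSC): a decoder for the two record layouts described above, EF 8f 0d (Ki followed by path-prefixed file contents) and EF 8f 0e (MF, DF, EF, record number, length, content). It assumes that an 8f 0d entry carries a DF only when it starts with 0x3f or 0x7f and that 0xff after the last entry is padding; the sample bytes are the records from the two traces above.

```python
# Added example, not from the wiki page: decode records of EF 8f 0d and EF 8f 0e
# on a 16-in-1 "Magic SIM" using the layouts documented above.
# Assumptions: an 8f 0d entry names its DF only if its first byte is 0x3f/0x7f,
# and 0xff after the last entry is padding; an 8f 0e record starts with
# MF DF EF RECNO LEN followed by LEN bytes of EF.SMSP record content.

def fid(b: bytes) -> int:
    """Two-byte GSM file ID, big endian."""
    return int.from_bytes(b[:2], "big")

def parse_8f0d(rec: bytes):
    """Return (ki, [(df_or_None, ef, content), ...]) for a 0x4a-byte record."""
    if len(rec) != 0x4A:
        raise ValueError("EF 8f 0d records are 0x4a bytes long")
    ki, pos, entries = rec[:16], 16, []          # first 16 bytes are the Ki
    while pos < len(rec) and rec[pos] != 0xFF:   # 0xff: padding, no more entries
        df = None
        if rec[pos] in (0x3F, 0x7F):             # entry names the MF or a DF
            df, pos = fid(rec[pos:]), pos + 2
        ef, length = fid(rec[pos:]), rec[pos + 2]
        content = rec[pos + 3:pos + 3 + length]
        if len(content) != length:
            raise ValueError("entry for EF %04x runs past the record" % ef)
        entries.append((df, ef, content))
        pos += 3 + length
    return ki, entries

def parse_8f0e(rec: bytes):
    """Return ((mf, df, ef), record_number, content) for a 0x32-byte record."""
    if len(rec) != 0x32:
        raise ValueError("EF 8f 0e records are 0x32 bytes long")
    path = (fid(rec[0:]), fid(rec[2:]), fid(rec[4:]))   # 3f 00, 7f 10, 6f 42
    recno, length = rec[6], rec[7]
    content = rec[8:8 + length]
    if len(content) != length:
        raise ValueError("SMSP content runs past the record")
    return path, recno, content

# The records returned by "a0 b2 01 04 4a" and "a0 b2 01 04 32" in the traces
# above (illustrative values, reconstructed here from the hex dumps).
KI_RECORD = bytes.fromhex("22" * 16 + "3f002fe20a" + "44" * 10
                          + "7f206f0709" + "11" * 9 + "6f3018" + "ff" * 26)
SMSP_RECORD = bytes.fromhex("3f007f106f420128" + "ff" * 12 + "fd" + "ff" * 12
                            + "0891" + "33" * 10 + "ff" * 5)

if __name__ == "__main__":
    ki, entries = parse_8f0d(KI_RECORD)
    print("Ki:", ki.hex())
    for df, ef, content in entries:
        print("DF %s EF %04x: %s" % ("%04x" % df if df else "----", ef, content.hex()))
    print("SMSP path/rec/len:", parse_8f0e(SMSP_RECORD)[:2], len(parse_8f0e(SMSP_RECORD)[2]))
```

The two trailing 0xff bytes of each sample record are the padding that both parsers skip.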
The included USB Reader
The 16-in-1 cards include a small USB-key SIM card reader in a transparent plastic case.
This reader follows a so-called Phoenix design, in which a 3.579 MHz crystal is used in combination with two inverters of a 74HC08 to clock the card, while two other inverters and a transistor are used to connect the data line to a RS232 port. The schematics are probably very close to http://www.circuitsarchive.org/index.php/SmartCard_PC_Serial_Reader_/_Writer_%28Phoenix%29
The reader included with the 16-in-1 SIM card also accommodates a Prolific PL-2303 USB to RS232 converter. It will thus show up as a regular serial port on any operating system.
There's a small switch on the side of the key; it selects between two crystal frequencies:
3.579 MHz, leading to a 9600 baud rate, when the switch is away from the USB plug (i.e. the switch needs to be closer to the SIM than to the USB plug)
7.2 MHz, leading to a 19200 baud rate, when the switch is towards the USB plug.
For best compatibility, both with existing software and with 'slow' cards, select the 9600 baud rate.
You can use the following open source tools for using the reader:
http://freshmeat.net/projects/sctk/ (MacOS out of the box; hacking /dev/ttyUSB0 into the source makes it work on Linux, too)
http://www.opensc-project.org/openct/wiki/smph command-line tools