MagicSIM

From OnnoWiki
Jump to navigation Jump to search

Sumber:http://openbsc.osmocom.org/trac/wiki/MagicSIM

When you want to use OpenBSC with actual cryptographic authentication, then the secret Ki of the SIM needs to be known.

Extracting the Ki of regular SIM cards issued by GSM operators is typically not possible.

Therefore, we need some alternative solution: A SIM with a known A3/A8 algorithm, where we can program the actual Ki. Magic SIM / Super SIM 16-in-1

Various stores around the world seem to be selling cheap so-called 16-in-1 SIM cards. They are intended for COMP128v1 based cloning, and enable the user to aggregate up to 16 SIM card identities on one card. They include a SIM toolkit (STK) application for switching the currently active identity from the Phone UI.

Unfortunately those cards come without any documentation and only with a proprietary Windows-based tool for programming.

We've spent some time reverse engineering those cards. Here is some information on how you can program them.

Please note, this information assumes that you are generally familiar with ISO 7816-4 smart cards, as well as the GSM 11.11 specification.

The traces have been generated using ​http://svn.ploetzli.ch/cyberflex-shell/, but any tool that allows you to send and receive APDUs will work. DF.ADMIN

DF.ADMIN is a dedicated file (directory) with the File ID 7f 4d. It contains EF's with the user-modifiable IMSI, Ki and other values.

You can change to DF.ADMIN using the SELECT sequence a0 a4 00 00 02 7f 4d

(GSM, ISO 7816-4) > a0 a4 00 00 02 7f 4d 0000: 00 00 60 33 7f 4d 02 00 00 00 00 00 0a 91 08 18 ..`3.M.......... 0010: 06 00 83 8a 83 8a 00 ....... Normal execution (SW 9000)

EF.OPN Operator Name

EF.OPN is a record-oriented file with the File ID 8f 0c and a record-length of 0x12.

Records are numbered 0x02..0x11, one for each of the 16 identities that you can store on the SIM.

You can select and read the records in this file using the following example APDU sequence:

(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0c 0000: 00 00 01 44 8f 0c 04 00 00 f0 44 01 02 01 12 ...D......D.... Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 02 04 12 0000: 4f 70 65 72 61 74 6f 72 31 ff ff ff ff ff ff ff Operator1....... 0010: 09 01 .. Normal execution (SW 9000)

In this example, the record 0x02 (i.e. the first record) is called "Operator1" EF 8f 0d: Ki, IMSI, ICCID

This EF contains the Ki (secret A3/A8 key), the IMSI (subscriber identity number) and the ICCID (card serial number). It is a record-oriented file with a record length of 0x4a bytes. There is one record for each of the identities that the card supports. They are numbered from 0x01 up to 0x10.

The following sequence reads the contents of this EF:

(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0d 0000: 00 00 04 a0 8f 0d 04 00 00 f0 44 01 02 01 4a ..........D...J Normal execution (SW 9000)

(GSM, ISO 7816-4) > a0 b2 01 04 4a 0000: 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 """""""""""""""" 0010: 3f 00 2f e2 0a 44 44 44 44 44 44 44 44 44 44 7f ?./..DDDDDDDDDD. 0020: 20 6f 07 09 11 11 11 11 11 11 11 11 11 6f 30 18 o...........o0. 0030: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................ 0040: ff ff ff ff ff ff ff ff ff ff .......... Normal execution (SW 9000)

In this example, the following numbers have been added for illustration purpose:

   22 = Ki, to be used for RUN GSM ALGORITHM (COMP128v1)
   44 = ICCID, exported through EF.ICCID
   11 = IMSI, exported through EF.IMSI
   ff = PLMN selector, exported through EF.PLMNsel 

As you can also see, each of the file contents (except Ki) is prefixed with the file name + path and the length.

DF DF EF EF LEN File content 3f 00 2f e2 0a 44 44 44 44 44 44 44 44 44 44 7f 20 6f 07 09 11 11 11 11 11 11 11 11 11

        6f 30    18    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

it is thus likely that you can generate arbitrary files+content, as long as the format is correct. EF 8f 0e: SMS parameters

The content of records in EF 8f 0e is used to generate the EF.SMSP (short message service parameters). It is a record-based file with a record length of 32 bytes. Records are numbered from 0x01 through 0x10

Reading this file works as follows:

(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0e 0000: 00 00 03 20 8f 0e 04 00 00 f0 44 01 02 01 32 ... ......D...2 Normal execution (SW 9000) (GSM, ISO 7816-4) > a0 b2 01 04 32 0000: 3f 00 7f 10 6f 42 01 28 ff ff ff ff ff ff ff ff ?...oB.(........ 0010: ff ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ................ 0020: ff 08 91 33 33 33 33 33 33 33 33 33 33 ff ff ff ...3333333333... 0030: ff ff .. Normal execution (SW 9000)

The content seems to be similar to the previous file but targeted at record based EFs:

   3f 00 is the MF
   7f 10 is DF.telecom
   6f 42 is EF.SMSP
   01 is the record number
   28 is the record length 

The included USB Reader

The 16-in-1 cards include a small USB-key SIM card reader in a transparent plastic case.

This reader follows a so-called Phoenix design, in which a 3.579 MHz crystal is used in combination with two inverters of a 74HC08 to clock the card, while two other inverters and a transistor are used to connect the data line to a RS232 port. The schematics are probably very close to ​http://www.circuitsarchive.org/index.php/SmartCard_PC_Serial_Reader_/_Writer_%28Phoenix%29

The reader included with the 16-in-1 SIM card also accomodates a Prolific PL-2303 USB to RS232 converter. It will thus show up as a regular serial port on any operating system.

There's a small switch on the side of the key, it select between two crytal frequencies:

   3.579 MHz leading to a 9600 baudrate when the switch is away from the USB plug (i.e. the switch needs to be closer to the SIM than to the USB plug)
   7.2 MHz leading to a 19200 baudrate when the switch is towards' the USB plug. 

For best compatibility both with existing software and with 'slow' cards, select the 9600 baudrate.

You can use the following open source tools for using the reader:

http://freshmeat.net/projects/sctk/ (MacOS out of the box, hacking /dev/ttyUSB0 into the source makes it work on Linux, too)
   ​http://www.opensc-project.org/openct/wiki/smph commandline tools 



Referensi