https://lms.onnocenter.or.id/wiki/index.php?action=history&feed=atom&title=MagicSIMMagicSIM - Revision history2026-04-20T03:41:39ZRevision history for this page on the wikiMediaWiki 1.45.1https://lms.onnocenter.or.id/wiki/index.php?title=MagicSIM&diff=40070&oldid=prevOnnowpurbo: New page: Sumber:http://openbsc.osmocom.org/trac/wiki/MagicSIM When you want to use OpenBSC with actual cryptographic authentication, then the secret Ki of the SIM needs to be known. Extracting t...2014-03-26T02:27:54Z<p>New page: Sumber:http://openbsc.osmocom.org/trac/wiki/MagicSIM When you want to use OpenBSC with actual cryptographic authentication, then the secret Ki of the SIM needs to be known. Extracting t...</p>
<p><b>New page</b></p><div>Sumber:http://openbsc.osmocom.org/trac/wiki/MagicSIM<br />
<br />
When you want to use OpenBSC with actual cryptographic authentication, then the secret Ki of the SIM needs to be known.<br />
<br />
Extracting the Ki of regular SIM cards issued by GSM operators is typically not possible.<br />
<br />
Therefore, we need some alternative solution: A SIM with a known A3/A8 algorithm, where we can program the actual Ki.<br />
Magic SIM / Super SIM 16-in-1<br />
<br />
Various stores around the world seem to be selling cheap so-called 16-in-1 SIM cards. They are intended for COMP128v1 based cloning, and enable the user to aggregate up to 16 SIM card identities on one card. They include a SIM toolkit (STK) application for switching the currently active identity from the Phone UI.<br />
<br />
Unfortunately those cards come without any documentation and only with a proprietary Windows-based tool for programming.<br />
<br />
We've spent some time reverse engineering those cards. Here is some information on how you can program them.<br />
<br />
Please note, this information assumes that you are generally familiar with ISO 7816-4 smart cards, as well as the GSM 11.11 specification.<br />
<br />
The traces have been generated using http://svn.ploetzli.ch/cyberflex-shell/, but any tool that allows you to send and receive APDUs will work.<br />
DF.ADMIN<br />
<br />
DF.ADMIN is a dedicated file (directory) with the File ID 7f 4d. It contains EF's with the user-modifiable IMSI, Ki and other values.<br />
<br />
You can change to DF.ADMIN using the SELECT sequence a0 a4 00 00 02 7f 4d<br />
<br />
(GSM, ISO 7816-4) > a0 a4 00 00 02 7f 4d<br />
0000: 00 00 60 33 7f 4d 02 00 00 00 00 00 0a 91 08 18 ..`3.M..........<br />
0010: 06 00 83 8a 83 8a 00 ....... <br />
Normal execution (SW 9000)<br />
<br />
EF.OPN Operator Name<br />
<br />
EF.OPN is a record-oriented file with the File ID 8f 0c and a record-length of 0x12.<br />
<br />
Records are numbered 0x02..0x11, one for each of the 16 identities that you can store on the SIM.<br />
<br />
You can select and read the records in this file using the following example APDU sequence:<br />
<br />
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0c<br />
0000: 00 00 01 44 8f 0c 04 00 00 f0 44 01 02 01 12 ...D......D.... <br />
Normal execution (SW 9000)<br />
<br />
(GSM, ISO 7816-4) > a0 b2 02 04 12<br />
0000: 4f 70 65 72 61 74 6f 72 31 ff ff ff ff ff ff ff Operator1.......<br />
0010: 09 01 .. <br />
Normal execution (SW 9000)<br />
<br />
In this example, the record 0x02 (i.e. the first record) is called "Operator1"<br />
EF 8f 0d: Ki, IMSI, ICCID<br />
<br />
This EF contains the Ki (secret A3/A8 key), the IMSI (subscriber identity number) and the ICCID (card serial number). It is a record-oriented file with a record length of 0x4a bytes. There is one record for each of the identities that the card supports. They are numbered from 0x01 up to 0x10.<br />
<br />
The following sequence reads the contents of this EF:<br />
<br />
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0d<br />
0000: 00 00 04 a0 8f 0d 04 00 00 f0 44 01 02 01 4a ..........D...J<br />
Normal execution (SW 9000)<br />
<br />
(GSM, ISO 7816-4) > a0 b2 01 04 4a<br />
0000: 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 """"""""""""""""<br />
0010: 3f 00 2f e2 0a 44 44 44 44 44 44 44 44 44 44 7f ?./..DDDDDDDDDD.<br />
0020: 20 6f 07 09 11 11 11 11 11 11 11 11 11 6f 30 18 o...........o0.<br />
0030: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................<br />
0040: ff ff ff ff ff ff ff ff ff ff ..........<br />
Normal execution (SW 9000)<br />
<br />
In this example, the following numbers have been added for illustration purpose:<br />
<br />
22 = Ki, to be used for RUN GSM ALGORITHM (COMP128v1)<br />
44 = ICCID, exported through EF.ICCID<br />
11 = IMSI, exported through EF.IMSI<br />
ff = PLMN selector, exported through EF.PLMNsel <br />
<br />
As you can also see, each of the file contents (except Ki) is prefixed with the file name + path and the length.<br />
<br />
DF DF EF EF LEN File content<br />
3f 00 2f e2 0a 44 44 44 44 44 44 44 44 44 44<br />
7f 20 6f 07 09 11 11 11 11 11 11 11 11 11<br />
6f 30 18 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff<br />
<br />
it is thus likely that you can generate arbitrary files+content, as long as the format is correct.<br />
EF 8f 0e: SMS parameters<br />
<br />
The content of records in EF 8f 0e is used to generate the EF.SMSP (short message service parameters). It is a record-based file with a record length of 32 bytes. Records are numbered from 0x01 through 0x10<br />
<br />
Reading this file works as follows:<br />
<br />
(GSM, ISO 7816-4) > a0 a4 00 00 02 8f 0e<br />
0000: 00 00 03 20 8f 0e 04 00 00 f0 44 01 02 01 32 ... ......D...2<br />
Normal execution (SW 9000)<br />
(GSM, ISO 7816-4) > a0 b2 01 04 32<br />
0000: 3f 00 7f 10 6f 42 01 28 ff ff ff ff ff ff ff ff ?...oB.(........<br />
0010: ff ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ................<br />
0020: ff 08 91 33 33 33 33 33 33 33 33 33 33 ff ff ff ...3333333333...<br />
0030: ff ff ..<br />
Normal execution (SW 9000)<br />
<br />
The content seems to be similar to the previous file but targeted at record based EFs:<br />
<br />
3f 00 is the MF<br />
7f 10 is DF.telecom<br />
6f 42 is EF.SMSP<br />
01 is the record number<br />
28 is the record length <br />
<br />
The included USB Reader<br />
<br />
The 16-in-1 cards include a small USB-key SIM card reader in a transparent plastic case.<br />
<br />
This reader follows a so-called Phoenix design, in which a 3.579 MHz crystal is used in combination with two inverters of a 74HC08 to clock the card, while two other inverters and a transistor are used to connect the data line to a RS232 port. The schematics are probably very close to http://www.circuitsarchive.org/index.php/SmartCard_PC_Serial_Reader_/_Writer_%28Phoenix%29<br />
<br />
The reader included with the 16-in-1 SIM card also accomodates a Prolific PL-2303 USB to RS232 converter. It will thus show up as a regular serial port on any operating system.<br />
<br />
There's a small switch on the side of the key, it select between two crytal frequencies:<br />
<br />
3.579 MHz leading to a 9600 baudrate when the switch is away from the USB plug (i.e. the switch needs to be closer to the SIM than to the USB plug)<br />
7.2 MHz leading to a 19200 baudrate when the switch is towards' the USB plug. <br />
<br />
For best compatibility both with existing software and with 'slow' cards, select the 9600 baudrate.<br />
<br />
You can use the following open source tools for using the reader:<br />
<br />
http://freshmeat.net/projects/sctk/ (MacOS out of the box, hacking /dev/ttyUSB0 into the source makes it work on Linux, too)<br />
http://www.opensc-project.org/openct/wiki/smph commandline tools <br />
<br />
<br />
<br />
<br />
==Referensi==<br />
<br />
* http://openbsc.osmocom.org/trac/wiki/MagicSIM</div>Onnowpurbo