Subscriber Identity Module
1 like20,176 views
The document describes scanning a smart card reader connected to the system. It detects one card, a Gemalto PC Twin Reader, and outputs the card's ATR string and other identifying information. It then decodes some of the ATR fields including transmission protocols and historical bytes. Finally, it provides a possible match to the card based on the ATR in a local list of known cards.
Subscriber Identity Module
- 3. 💸
- 11. $ pcsc_scan PC/SC device scanner V 1.4.23 (c) 2001-2011, Ludovic Rousseau <[email protected]> Compiled with PC/SC lite version: 1.8.11 Using reader plug'n play mechanism Scanning present readers... 0: Gemalto PC Twin Reader 00 00 Wed Oct 5 21:45:38 2016 Reader 0: Gemalto PC Twin Reader 00 00 Card state: Card inserted, ATR: 3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C ATR: 3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C + TS = 3B --> Direct Convention + T0 = 9D, Y(1): 1001, K: 13 (historical bytes) TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU 125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0 ----- TD(2) = 3F --> Y(i+1) = 0011, Protocol T = 15 - Global interface bytes following ----- TA(3) = C7 --> Clock stop: no preference - Class accepted by the card: (3G) A 5V B 3V C 1.8V TB(3) = A0 --> + Historical bytes: 80 31 A0 73 BE 21 13 51 05 83 05 90 00 Category indicator byte: 80 (compact TLV data object) Tag: 3, len: 1 (card service data byte) Card service data byte: A0 - Application selection: by full DF name - BER-TLV data objects available in EF.DIR - EF.DIR and EF.ATR access services: by GET RECORD(s) command - Card with MF Tag: 7, len: 3 (card capabilities) Selection methods: BE - DF selection by full DF name - DF selection by path - DF selection by file identifier - Implicit DF selection - Short EF identifier supported - Record number supported Data coding byte: 21 - Behaviour of write functions: proprietary - Value 'FF' for the first byte of BER-TLV tag fields: invalid - Data unit in quartets: 2 Command chaining, length fields and logical channels: 13 - Logical channel number assignment: by the card - Maximum number of logical channels: 4 Tag: 5, len: 1 (card issuer's data) Card issuer data: 05 Tag: 8, len: 3 (status indicator) LCS (life card cycle): 05 (Operational state (activated)) SW: 9000 (Normal processing.) + TCK = 7C (correct checksum) Possibly identified card (using /home/sim-user/.cache/smartcard_list.txt): 3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C NTT docomo Xi(LTE) DN05(DNP) Pink SIM (Telecommunication)
- 12. - Maximum number of logical channels: 4 Tag: 5, len: 1 (card issuer's data) Card issuer data: 05 Tag: 8, len: 3 (status indicator) LCS (life card cycle): 05 (Operational state (activated)) SW: 9000 (Normal processing.) + TCK = 7C (correct checksum) Possibly identified card (using /home/sim-user/.cache/smartcard_list.txt): 3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C NTT docomo Xi(LTE) DN05(DNP) Pink SIM (Telecommunication)
- 14. thanks!!
- 18. 3GPP 3GPP TS 11.11 V8.14.0 (2007-06)118Release 1999 MF '3F00' DFGSM DFTELECOM DFIS-41 DFFP-CTS EFICCID EFELP '7F20' '7F10' '7F22' '7F23' '2FE2' '2F05' see GSM 11.19 EFADN EFFDN EFSMS EFCCP EFMSISDN '6F3A' '6F3B' '6F3C' '6F3D' '6F40' EFSMSP EFSMSS EFLND EFSMSR EFSDN '6F42' '6F43' '6F44' '6F47' '6F49' EFEXT1 EFEXT2 EFEXT3 EFBDN EFEXT4 '6F4A' '6F4B' '6F4C' '6F4D' '6F4E' DFGRAPHICS EFIMG '5F50' '4F20' DFIRIDIUM DFGLOBST DFICO DFACeS '5F30' '5F31' '5F32' '5F33' DFEIA/TIA-553 DFCTS DFSoLSA EFSAI EFSLL '5F40' '5F60' '5F70' '4F30' '4F31' see GSM 11.19 DFMExE EFMExE-ST EFORPK EFARPK EFTPRPK '5F3C' '4F40' '4F41' '4F42' '4F43' EFLP EFIMSI EFKc EFPLMNsel EFHPPLMN EFACMmax '6F05' '6F07' '6F20' '6F30' '6F31' '6F37' EFSST EFACM EFGID1 EFGID2 EFPUCT EFCBMI '6F38' '6F39' '6F3E' '6F3F' '6F41' '6F45' EFSPN EFCBMID EFBCCH EFACC EFFPLMN EFLOCI '6F46' '6F48' '6F74' '6F78' '6F7B' '6F7E' EFAD EFPHASE EFVGCS EFVGCSS EFVBS EFVBSS '6FAD' '6FAE' '6FB1' '6FB2' '6FB3' '6FB4' EFeMLPP EFAAeM EFECC EFCBMIR EFNIA EFKcGPRS '6FB5' '6FB6' '6FB7' '6F50' '6F51' '6F52' EFLOCIGPRS EFSUME EFPLMNwAcT EFOPLMNwAcT EFHPLMNAcT EFCPBCCH '6F53' '6F54' '6F60' '6F61' '6F62' '6F63' EFINVSCAN '6F64' Figure 8: File identifiers and directory structures of GSM
- 19. ./pySim-read.py -p 0 Reading ... 8981100004402791051 440103152044102 SMSP: edffffffffffffffffffffffff07911809131056f2ffffffffffffa9 ACC: 0004 MSISDN: 07817040919843f3ffffffffffff Done ! ICCID: IMSI:
- 20. ./pySim-read.py -p 0 Reading ... 8981100004402791051 440103152044102 SMSP: edffffffffffffffffffffffff07911809131056f2ffffffffffffa9 ACC: 0004 MSISDN: 07817040919843f3ffffffffffff Done ! ICCID: IMSI:
- 22. 3GPP TS 11.11 V8.14.0 (200118se 1999 MF '3F00' FGSM DFTELECOM DFIS-41 DFFP-CTS EFICCID EFELP F20' '7F10' '7F22' '7F23' '2FE2' '2F05' see GSM 11.19 EFADN EFFDN EFSMS EFCCP EFMSISDN '6F3A' '6F3B' '6F3C' '6F3D' '6F40' EFSMSP EFSMSS EFLND EFSMSR EFSDN '6F42' '6F43' '6F44' '6F47' '6F49' EFEXT1 EFEXT2 EFEXT3 EFBDN EFEXT4 '6F4A' '6F4B' '6F4C' '6F4D' '6F4E'
- 23. 19 bytes 2bytes 2bytes 2bytes 12bytes 1byte MII CC II 12bytes CS 89 81 10 000440279105 1
- 27. 3GPP TS 11.11 V8.14.0 (20118Release 1999 MF '3F00' DFGSM DFTELECOM DFIS-41 DFFP-CTS EFICCID EFELP '7F20' '7F10' '7F22' '7F23' '2FE2' '2F05 see GSM 11.19 EFADN EFFDN EFSMS EFCCP EFMSISD '6F3A' '6F3B' '6F3C' '6F3D' '6F40 EFSMSP EFSMSS EFLND EFSMSR EFSDN '6F42' '6F43' '6F44' '6F47' '6F49 EFEXT1 EFEXT2 EFEXT3 EFBDN EFEXT4 '6F4A' '6F4B' '6F4C' '6F4D' '6F4E DFGRAPHICS EFIMG '5F50' '4F20' EFADN EFFDN EFSMS EFCCP EFMSISD '6F3A' '6F3B' '6F3C' '6F3D' '6F40 EFSMSP EFSMSS EFLND EFSMSR EFSDN '6F42' '6F43' '6F44' '6F47' '6F49 EFEXT1 EFEXT2 EFEXT3 EFBDN EFEXT4 '6F4A' '6F4B' '6F4C' '6F4D' '6F4E DFGRAPHICS EFIMG '5F50' '4F20' DFIRIDIUM DFGLOBST DFICO DFACeS '5F30' '5F31' '5F32' '5F33' DFEIA/TIA-553 DFCTS DFSoLSA EFSAI EFSLL '5F40' '5F60' '5F70' '4F30' '4F31 see GSM 11.19 DFMExE EFMExE-ST EFORPK EFARPK EFTPRP '5F3C' '4F40' '4F41' '4F42' '4F43 EFLP EFIMSI EFKc EFPLMNsel EFHPPLMN EFACMma '6F05' '6F07' '6F20' '6F30' '6F31' '6F37 EFSST EFACM EFGID1 EFGID2 EFPUCT EFCBMI
- 28. ~ 16 bytes 3bytes 2 ~ 3bytes ~ 10bytes MCC MNC MSIN 440 10 3152044102 HNI
- 32. Peer Peer Authenticator Authenticator EAP-Request/Identity EAP-Response/Identity EAP-Request/SIM/Start (AT_VERSION_LIST) EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION) EAP-Request/SIM/Challenge (AT_RAND, AT_MAC) Peer runs GSM algorithms, verifies AT_MAC and derives session keys EAP-Response/SIM/Challenge (AT_MAC) EAP-Success
- 34. Peer Peer Authenticator Authenticator EAP-Request/Identity EAP-Response/Identity (Includes user’s NAI) Server runs AKA algorithms, generates RAND and AUTN. EAP-Request/AKA-Challenge (AT_RAND, AT_AUTN, AT_MAC) Peer runs AKA algorithms, verifies AUTN and MAC, derives RES and session key EAP-Response/AKA-Challenge (AT_RES, AT_MAC) Server checks the given RES, and MAC and finds them correct. EAP-Success
- 39. COMMAND CLASS INS P1 P2 P3 INVALIDATE 'A0' '04' '00' '00' '00' 9.2.15 REHABILITATE COMMAND CLASS INS P1 P2 P3 REHABILITATE 'A0' '44' '00' '00' '00' 9.2.16 RUN GSM ALGORITHM COMMAND CLASS INS P1 P2 P3 RUN GSM ALGORITHM 'A0' '88' '00' '00' '10' Command parameters/data: Byte(s) Description Length 1 - 16 RAND 16 Response parameters/data: Byte(s) Description Length 1 - 4 SRES 4 5 - 12 Cipher Key Kc 8 The most significant bit of SRES is coded on bit 8 of byte 1. The most significant bit of Kc is coded on bit 8 of byte 5. 9.2.17 SLEEP COMMAND CLASS INS P1 P2 P3 3GPP TS 11.11
- 41. $ cat /etc/freeradius/simtriplets.dat # IMSI RAND SRES Kc 440103152044102,02bbdd69578d11057f3534539d61c3e1,9b93ab20,38a74d32f6334018 440103152044102,38279ae1b4ca5d63e93fcdbc2722b216,f8f9e5fe,9952db0411e0ac54 440103152044102,f35f71777ccfd21aec28913fc3fbe3bc,31452835,752a8baa96fa7dbf