[Simsec] Questions on interpreting SIMtester output

Park Shinjo alstom.vvvf at gmail.com
Mon Aug 18 16:34:24 CEST 2014


Hi all,

I am performing some experiments using SIMtester with my Korean SIM
cards. As some of my SIM cards show weaknesses, I want to actually
crack the signing/encryption key to confirm the results. For signed
responses, there were 2 or 4 checksums for a particular TAR/keyset. For
encrypted responses, there were 1 or 3 response packets. How can I get
information on the encryption/signing method and the cleartext to be
encrypted/signed, to actually get the key?

I also have some bug reports. One of my SIM cards fails with the
following error while reading the IMSI:

[de.srlabs.simlib.CommonFileReader, readRawIMSI] reading EF_IMSI file
[de.srlabs.simlib.FileManagement, selectFileById] selecting file: 3F00
[de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 22 bytes
[de.srlabs.simlib.APDUToolkit, getResponse] Got response:
00007FFF3F0001000000000009B1021A0800838A838A9000
[de.srlabs.simlib.FileManagement, getResponse] file 3F00 selected;
[de.srlabs.simlib.FileManagement, selectPath] response:
00007FFF3F0001000000000009B1021A0800838A838A
[de.srlabs.simlib.FileManagement, selectPath] selected MF 3F00, child
DFs: 2, child EFs: 26
[de.srlabs.simlib.FileManagement, selectFileById] selecting file: 7F20
[de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 22 bytes
[de.srlabs.simlib.APDUToolkit, getResponse] Got response:
00007FFF7F2002000000000009B1002B0800838A838A9000
[de.srlabs.simlib.FileManagement, getResponse] file 7F20 selected;
[de.srlabs.simlib.FileManagement, selectPath] response:
00007FFF7F2002000000000009B1002B0800838A838A
[de.srlabs.simlib.FileManagement, selectPath] selected DF 7F20, child
DFs: 0, child EFs: 43
[de.srlabs.simlib.FileManagement, selectFileById] selecting file: 6F07
[de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 15 bytes
[de.srlabs.simlib.APDUToolkit, getResponse] Got response:
000000096F07040014F014000200009000
[de.srlabs.simlib.FileManagement, getResponse] file 6F07 selected;
[de.srlabs.simlib.FileManagement, selectPath] response:
000000096F07040014F01400020000
[de.srlabs.simlib.FileManagement, selectPath] selected EF Transparent
6F07, size: 9
Exception in thread "main" javax.smartcardio.CardException: an
unexpected error has occured during reading content of a file 6F07
        at de.srlabs.simlib.SimCardTransparentFile.getContent(SimCardTransparentFile.java:39)
        at de.srlabs.simlib.SimCardTransparentFile.getContent(SimCardTransparentFile.java:18)
        at de.srlabs.simlib.SimCardTransparentFile.getContent(SimCardTransparentFile.java:14)
        at de.srlabs.simlib.CommonFileReader.readRawIMSI(CommonFileReader.java:215)
        at de.srlabs.simtester.Main.readBasicInfo(Main.java:158)
        at de.srlabs.simtester.Main.main(Main.java:133)

Another SIM card presents an invalid RPL in its response packet, making
the fuzzing process fail:

[de.srlabs.simtester.Fuzzer, generateCommandPacket] called
generateCommandPacket(keyset = 1, counterManagement = 0, KICAlgo = 0,
KIDAlgo = 0, TAR = RAM:000000, cipherPoR = true
[de.srlabs.simtester.Fuzzer, fuzzCard] smsdeliver data:
4405002143F57FF60000000000000000
[de.srlabs.simlib.SMSDeliverTPDU, setTPUD] raw data:
02700000290D0011101000000000000000010080E60200160BA000000000123456789010000006EF04C602000000
[de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 10 bytes
[de.srlabs.simlib.APDUToolkit, getResponse] Got response:
027100000C0A000000009000
[de.srlabs.simlib.ResponsePacket, parse] Data provided don't seem to
be valid, data should be at least 16 bytes long for a valid
ResponsePacket (027100000C0A00000000)
[de.srlabs.simlib.ResponsePacket, parse] Response packet length (RPL)
doesn't correspond with the actual data length; real length = 5; RPL =
12
Exception in thread "Thread-1" java.lang.ArrayIndexOutOfBoundsException
        at java.lang.System.arraycopy(Native Method)
        at de.srlabs.simlib.ResponsePacket.parse(ResponsePacket.java:103)
        at de.srlabs.simtester.Fuzzer.handleResponseData(Fuzzer.java:280)
        at de.srlabs.simtester.Fuzzer.logic(Fuzzer.java:260)
        at de.srlabs.simtester.Fuzzer.run(Fuzzer.java:127)

Regards,
Shinjo
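
The second trace above ends in an ArrayIndexOutOfBoundsException because the card's RPL (12) claims more bytes than it returned (5). The following is an added example, not part of the original post and not SIMtester's code: a parser that checks both length fields before copying anything. The class and method names are hypothetical, the field offsets follow the 3GPP TS 23.048 response packet layout (which matches the 16-byte minimum in the log), and the second and third inputs are constructed.

```java
import java.util.Arrays;

// Added example, not SIMtester code; class and method names are hypothetical.
public class SafeResponsePacket {
    // UDHL+IEI 0x71+IEIDL (3) | RPL (2) | RHL (1) | TAR (3) | CNTR (5) | PCNTR (1) | status (1)
    static final int MIN_LEN = 16;
    final int rpl, rhl, status;
    final byte[] tar, cntr, extra;

    private SafeResponsePacket(byte[] d, int rpl, int rhl) {
        this.rpl = rpl; this.rhl = rhl;
        tar = Arrays.copyOfRange(d, 6, 9);
        cntr = Arrays.copyOfRange(d, 9, 14);
        status = d[15] & 0xFF;
        // Bytes after the header that RPL still covers (lengths already validated).
        extra = Arrays.copyOfRange(d, 6 + rhl, 5 + rpl);
    }

    static SafeResponsePacket parse(byte[] d) {
        if (d == null || d.length < MIN_LEN)
            throw new IllegalArgumentException("too short, need at least " + MIN_LEN + " bytes");
        // Assumption: the UDH holds only the response-packet IE, as in the log.
        if (d[0] != 0x02 || d[1] != 0x71 || d[2] != 0x00)
            throw new IllegalArgumentException("unexpected user data header");
        int rpl = ((d[3] & 0xFF) << 8) | (d[4] & 0xFF);
        int rhl = d[5] & 0xFF;
        if (rpl != d.length - 5) // RPL counts every byte after the RPL field
            throw new IllegalArgumentException("RPL=" + rpl + " but " + (d.length - 5) + " bytes follow");
        if (rhl < 10 || rhl + 1 > rpl)
            throw new IllegalArgumentException("RHL=" + rhl + " inconsistent with RPL=" + rpl);
        return new SafeResponsePacket(d, rpl, rhl);
    }

    static byte[] hex(String s) {
        byte[] b = new byte[s.length() / 2];
        for (int i = 0; i < b.length; i++)
            b[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return b;
    }

    public static void main(String[] args) {
        String[] samples = {
            "027100000C0A00000000",               // truncated response from the log
            "027100000C0A00000000000000010009AA", // constructed: well-formed, 1 extra byte
            "027100000C0A00000000000000010009"    // constructed: 16 bytes, RPL one too large
        };
        for (String s : samples) {
            try {
                SafeResponsePacket p = parse(hex(s));
                System.out.printf("%s -> ok, RPL=%d RHL=%d status=0x%02X extra=%d%n",
                        s, p.rpl, p.rhl, p.status, p.extra.length);
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

A fuzzer that catches the rejection can record the card's response as malformed and move on to the next TAR/keyset instead of terminating its worker thread.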

