[Simsec] Questions on interpreting SIMtester output

Karsten Nohl nohl at srlabs.de
Mon Aug 18 16:43:43 CEST 2014


Dear Shinjo,

Thanks for your questions!

Can you kindly either send us the .csv files or rerun the tests with the "-gsmmap" option that automatically sends the results to us? I'll then check whether the signatures can be cracked.

One of the two bugs you reported is already fixed and will be removed in the next SIMtester release. We'll look into the other one and hopefully fix that, too.

Cheers,

     -Karsten


On Aug 18, 2014, at 16:34 , Park Shinjo <alstom.vvvf at gmail.com> wrote:

> Hi all,
> 
> I am performing some experiments using SIMtester with my Korean SIM
> cards. As some of my SIM cards show weaknesses, I want to actually
> crack the signing/encryption key to confirm the results. For signed
> responses, there were 2 or 4 checksums for a particular TAR/keyset. For
> encrypted responses, there were 1 or 3 response packets. How can I get
> information on the encryption/signing method and the cleartext to be
> encrypted/signed, to actually get the key?
> 
> I also have some bug reports. One of my SIM cards fails with the following
> error while reading the IMSI:
> 
> [de.srlabs.simlib.CommonFileReader, readRawIMSI] reading EF_IMSI file
> [de.srlabs.simlib.FileManagement, selectFileById] selecting file: 3F00
> [de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 22 bytes
> [de.srlabs.simlib.APDUToolkit, getResponse] Got response:
> 00007FFF3F0001000000000009B1021A0800838A838A9000
> [de.srlabs.simlib.FileManagement, getResponse] file 3F00 selected;
> [de.srlabs.simlib.FileManagement, selectPath] response:
> 00007FFF3F0001000000000009B1021A0800838A838A
> [de.srlabs.simlib.FileManagement, selectPath] selected MF 3F00, child
> DFs: 2, child EFs: 26
> [de.srlabs.simlib.FileManagement, selectFileById] selecting file: 7F20
> [de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 22 bytes
> [de.srlabs.simlib.APDUToolkit, getResponse] Got response:
> 00007FFF7F2002000000000009B1002B0800838A838A9000
> [de.srlabs.simlib.FileManagement, getResponse] file 7F20 selected;
> [de.srlabs.simlib.FileManagement, selectPath] response:
> 00007FFF7F2002000000000009B1002B0800838A838A
> [de.srlabs.simlib.FileManagement, selectPath] selected DF 7F20, child
> DFs: 0, child EFs: 43
> [de.srlabs.simlib.FileManagement, selectFileById] selecting file: 6F07
> [de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 15 bytes
> [de.srlabs.simlib.APDUToolkit, getResponse] Got response:
> 000000096F07040014F014000200009000
> [de.srlabs.simlib.FileManagement, getResponse] file 6F07 selected;
> [de.srlabs.simlib.FileManagement, selectPath] response:
> 000000096F07040014F01400020000
> [de.srlabs.simlib.FileManagement, selectPath] selected EF Transparent
> 6F07, size: 9
> Exception in thread "main" javax.smartcardio.CardException: an
> unexpected error has occured during reading content of a file 6F07
>        at de.srlabs.simlib.SimCardTransparentFile.getContent(SimCardTransparentFile.java:39)
>        at de.srlabs.simlib.SimCardTransparentFile.getContent(SimCardTransparentFile.java:18)
>        at de.srlabs.simlib.SimCardTransparentFile.getContent(SimCardTransparentFile.java:14)
>        at de.srlabs.simlib.CommonFileReader.readRawIMSI(CommonFileReader.java:215)
>        at de.srlabs.simtester.Main.readBasicInfo(Main.java:158)
>        at de.srlabs.simtester.Main.main(Main.java:133)
> 
> Another SIM card presents an invalid RPL in its response packet, making
> the fuzzing process fail:
> 
> [de.srlabs.simtester.Fuzzer, generateCommandPacket] called
> generateCommandPacket(keyset = 1, counterManagement = 0, KICAlgo = 0,
> KIDAlgo = 0, TAR = RAM:000000, cipherPoR = true
> [de.srlabs.simtester.Fuzzer, fuzzCard] smsdeliver data:
> 4405002143F57FF60000000000000000
> [de.srlabs.simlib.SMSDeliverTPDU, setTPUD] raw data:
> 02700000290D0011101000000000000000010080E60200160BA000000000123456789010000006EF04C602000000
> [de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 10 bytes
> [de.srlabs.simlib.APDUToolkit, getResponse] Got response:
> 027100000C0A000000009000
> [de.srlabs.simlib.ResponsePacket, parse] Data provided don't seem to
> be valid, data should be at least 16 bytes long for a valid
> ResponsePacket (027100000C0A00000000)
> [de.srlabs.simlib.ResponsePacket, parse] Response packet length (RPL)
> doesn't correspond with the actual data length; real length = 5; RPL =
> 12
> Exception in thread "Thread-1" java.lang.ArrayIndexOutOfBoundsException
>        at java.lang.System.arraycopy(Native Method)
>        at de.srlabs.simlib.ResponsePacket.parse(ResponsePacket.java:103)
>        at de.srlabs.simtester.Fuzzer.handleResponseData(Fuzzer.java:280)
>        at de.srlabs.simtester.Fuzzer.logic(Fuzzer.java:260)
>        at de.srlabs.simtester.Fuzzer.run(Fuzzer.java:127)
> 
> Regards,
> Shinjo
> _______________________________________________
> Simsec mailing list
> Simsec at lists.srlabs.de
> https://lists.srlabs.de/cgi-bin/mailman/listinfo/simsec
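
Added example, not part of the original thread and not SIMtester's own code: a bounds-checked inspection of the response packet from the second bug report, which reports the RPL mismatch instead of copying past the end of the buffer. The class and method names are hypothetical, and the field layout is assumed from 3GPP TS 23.048.

```java
import java.util.Arrays;

// Added example; ResponsePacketCheck is a hypothetical class, not part of simlib.
public class ResponsePacketCheck {
    // Layout assumed from 3GPP TS 23.048 (response packet in an SMS user data header):
    // UDHL IEI=0x71 IEIDL | RPL(2) | RHL(1) | TAR(3) CNTR(5) PCNTR(1) status(1) [RC/CC/DS] | data
    static final int UDH_LEN = 3, RPL_LEN = 2, MIN_RHL = 10;

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    /** Describes the packet, or the first check that failed; never reads past the buffer. */
    static String inspect(byte[] p) {
        if (p.length < UDH_LEN + RPL_LEN + 1)
            return "too short for UDH + RPL + RHL: " + p.length + " bytes";
        if ((p[1] & 0xFF) != 0x71)
            return String.format("IEI is 0x%02X, not a response packet (0x71)", p[1] & 0xFF);
        int rpl = ((p[3] & 0xFF) << 8) | (p[4] & 0xFF);
        int real = p.length - UDH_LEN - RPL_LEN;   // bytes actually present after RPL
        if (rpl != real)
            return "RPL = " + rpl + " but " + real + " bytes follow; packet truncated or malformed";
        int rhl = p[5] & 0xFF;
        // RPL counts RHL itself, the header and any additional data, so RHL <= RPL - 1.
        if (rhl < MIN_RHL || rhl > rpl - 1)
            return "RHL = " + rhl + " is outside the range allowed by RPL = " + rpl;
        int hdr = UDH_LEN + RPL_LEN + 1;           // offset of TAR
        byte[] tar = Arrays.copyOfRange(p, hdr, hdr + 3);
        int status = p[hdr + 9] & 0xFF;            // follows TAR(3) CNTR(5) PCNTR(1)
        int extra = rpl - 1 - rhl;                 // additional response data length
        return String.format("TAR=%02X%02X%02X status=0x%02X, %d data bytes",
                tar[0], tar[1], tar[2], status, extra);
    }

    public static void main(String[] args) {
        // Packet from the log above, with the trailing status word 9000 removed.
        System.out.println(inspect(hex("027100000C0A00000000")));
        // Constructed well-formed packet: RPL=11, RHL=10, TAR 000000, status 0x00.
        System.out.println(inspect(hex("027100000B0A00000000000000010000")));
    }
}
```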
