[Simsec] Questions on interpreting SIMtester output

Park Shinjo alstom.vvvf at gmail.com
Mon Aug 18 16:58:58 CEST 2014


Hi again,

I have uploaded traces to gsmmap, and its filename should be
FUZZ_8982300811017188671_1408373639631.csv. This SIM card caused the
second bug in my original message, so I have monkey-patched
ResponsePacket.java in SIMLibrary to skip processing the response packet
when an exception has occurred.

Regards,
Shinjo


2014-08-18 23:43 GMT+09:00 Karsten Nohl <nohl at srlabs.de>:
> Dear Shinjo,
>
> Thanks for your questions!
>
> Can you kindly either send us the .csv files or rerun the tests with the "-gsmmap" option that automatically sends the results to us? I'll then check whether the signatures can be cracked.
>
> One of the two bugs you reported is already fixed and will be removed in the next SIMtester release. We'll look into the other one and hopefully fix that, too.
>
> Cheers,
>
>      -Karsten
>
>
> On Aug 18, 2014, at 16:34 , Park Shinjo <alstom.vvvf at gmail.com> wrote:
>
>> Hi all,
>>
>> I am performing some experiments using SIMtester with my Korean SIM
>> cards. As some of my SIM cards show weaknesses, I want to actually
>> crack the signing/encryption key to confirm the results. For signed
>> responses, there were 2 or 4 checksums for particular TAR/keyset. For
>> encrypted responses, there were 1 or 3 response packets. How can I get
>> information of encryption/signing method, cleartext to be
>> encrypted/signed to actually get the key?
>>
>> I also have some bug reports. One of my SIM cards fails with the following
>> error while reading the IMSI:
>>
>> [de.srlabs.simlib.CommonFileReader, readRawIMSI] reading EF_IMSI file
>> [de.srlabs.simlib.FileManagement, selectFileById] selecting file: 3F00
>> [de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 22 bytes
>> [de.srlabs.simlib.APDUToolkit, getResponse] Got response:
>> 00007FFF3F0001000000000009B1021A0800838A838A9000
>> [de.srlabs.simlib.FileManagement, getResponse] file 3F00 selected;
>> [de.srlabs.simlib.FileManagement, selectPath] response:
>> 00007FFF3F0001000000000009B1021A0800838A838A
>> [de.srlabs.simlib.FileManagement, selectPath] selected MF 3F00, child
>> DFs: 2, child EFs: 26
>> [de.srlabs.simlib.FileManagement, selectFileById] selecting file: 7F20
>> [de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 22 bytes
>> [de.srlabs.simlib.APDUToolkit, getResponse] Got response:
>> 00007FFF7F2002000000000009B1002B0800838A838A9000
>> [de.srlabs.simlib.FileManagement, getResponse] file 7F20 selected;
>> [de.srlabs.simlib.FileManagement, selectPath] response:
>> 00007FFF7F2002000000000009B1002B0800838A838A
>> [de.srlabs.simlib.FileManagement, selectPath] selected DF 7F20, child
>> DFs: 0, child EFs: 43
>> [de.srlabs.simlib.FileManagement, selectFileById] selecting file: 6F07
>> [de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 15 bytes
>> [de.srlabs.simlib.APDUToolkit, getResponse] Got response:
>> 000000096F07040014F014000200009000
>> [de.srlabs.simlib.FileManagement, getResponse] file 6F07 selected;
>> [de.srlabs.simlib.FileManagement, selectPath] response:
>> 000000096F07040014F01400020000
>> [de.srlabs.simlib.FileManagement, selectPath] selected EF Transparent
>> 6F07, size: 9
>> Exception in thread "main" javax.smartcardio.CardException: an
>> unexpected error has occured during reading content of a file 6F07
>>        at de.srlabs.simlib.SimCardTransparentFile.getContent(SimCardTransparentFile.java:39)
>>        at de.srlabs.simlib.SimCardTransparentFile.getContent(SimCardTransparentFile.java:18)
>>        at de.srlabs.simlib.SimCardTransparentFile.getContent(SimCardTransparentFile.java:14)
>>        at de.srlabs.simlib.CommonFileReader.readRawIMSI(CommonFileReader.java:215)
>>        at de.srlabs.simtester.Main.readBasicInfo(Main.java:158)
>>        at de.srlabs.simtester.Main.main(Main.java:133)
>>
>> Another SIM card presents an invalid RPL in its response packet, making
>> the fuzzing process fail:
>>
>> [de.srlabs.simtester.Fuzzer, generateCommandPacket] called
>> generateCommandPacket(keyset = 1, counterManagement = 0, KICAlgo = 0,
>> KIDAlgo = 0, TAR = RAM:000000, cipherPoR = true
>> [de.srlabs.simtester.Fuzzer, fuzzCard] smsdeliver data:
>> 4405002143F57FF60000000000000000
>> [de.srlabs.simlib.SMSDeliverTPDU, setTPUD] raw data:
>> 02700000290D0011101000000000000000010080E60200160BA000000000123456789010000006EF04C602000000
>> [de.srlabs.simlib.APDUToolkit, getResponse] Getting response: 10 bytes
>> [de.srlabs.simlib.APDUToolkit, getResponse] Got response:
>> 027100000C0A000000009000
>> [de.srlabs.simlib.ResponsePacket, parse] Data provided don't seem to
>> be valid, data should be at least 16 bytes long for a valid
>> ResponsePacket (027100000C0A00000000)
>> [de.srlabs.simlib.ResponsePacket, parse] Response packet length (RPL)
>> doesn't correspond with the actual data length; real length = 5; RPL =
>> 12
>> Exception in thread "Thread-1" java.lang.ArrayIndexOutOfBoundsException
>>        at java.lang.System.arraycopy(Native Method)
>>        at de.srlabs.simlib.ResponsePacket.parse(ResponsePacket.java:103)
>>        at de.srlabs.simtester.Fuzzer.handleResponseData(Fuzzer.java:280)
>>        at de.srlabs.simtester.Fuzzer.logic(Fuzzer.java:260)
>>        at de.srlabs.simtester.Fuzzer.run(Fuzzer.java:127)
>>
>> Regards,
>> Shinjo
>> _______________________________________________
>> Simsec mailing list
>> Simsec at lists.srlabs.de
>> https://lists.srlabs.de/cgi-bin/mailman/listinfo/simsec
>
>
>
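The second bug in the thread is a response packet whose RPL field claims 12 bytes while only 5 follow it, which SIMLibrary's parser turns into an ArrayIndexOutOfBoundsException. The parser below is an added example, not SIMLibrary's code: it follows the OTA response packet layout of GSM 03.48 / ETSI TS 102 225 and validates RPL and RHL against the real data length before slicing, so a malformed packet yields a clean error instead of a crash. The field names and the well-formed sample packet are constructed for the example.

```python
from dataclasses import dataclass

# Minimum size of a response packet: UDHL+IEIa+IEIDLa (3) + RPL (2) + RHL (1)
# + TAR (3) + CNTR (5) + PCNTR (1) + status (1) = 16 bytes (matches the
# library's own "at least 16 bytes" message in the trace above).
MIN_LEN = 16


class ResponsePacketError(ValueError):
    """Raised when a response packet's length fields disagree with its data."""


@dataclass
class ResponsePacket:
    rpl: int          # bytes from and including RHL to the end of the packet
    rhl: int          # bytes from TAR to the end of RC/CC/DS
    tar: bytes
    cntr: bytes
    pcntr: int
    status: int       # response status code (0x00 = PoR OK)
    rc_cc_ds: bytes   # checksum / MAC / signature, length = RHL - 10
    data: bytes       # additional response data after the header


def parse_response_packet(raw: bytes) -> ResponsePacket:
    """Parse a 03.48 response packet (without the trailing SW 9000)."""
    if len(raw) < 6:
        raise ResponsePacketError(f"too short to contain RPL and RHL ({len(raw)} bytes)")
    if raw[0:3] != b"\x02\x71\x00":
        raise ResponsePacketError("missing 02 71 00 response packet header")
    rpl = int.from_bytes(raw[3:5], "big")
    real = len(raw) - 5  # everything after the 2-byte RPL field
    if rpl != real:
        raise ResponsePacketError(f"RPL {rpl} does not match real length {real}")
    if len(raw) < MIN_LEN:
        raise ResponsePacketError(f"need at least {MIN_LEN} bytes, got {len(raw)}")
    rhl = raw[5]
    if rhl < 10 or rhl > real - 1:  # header must hold TAR..status and fit in the data
        raise ResponsePacketError(f"RHL {rhl} out of range for {real} bytes")
    header = raw[6:6 + rhl]
    return ResponsePacket(rpl, rhl, header[0:3], header[3:8], header[8],
                          header[9], header[10:], raw[6 + rhl:])


def classify(raw: bytes) -> str:
    """Summarise a packet the way a fuzzer log line would, never raising."""
    try:
        pkt = parse_response_packet(raw)
    except ResponsePacketError as e:
        return f"invalid: {e}"
    return f"ok: status=0x{pkt.status:02x} tar={pkt.tar.hex()} sig_len={len(pkt.rc_cc_ds)}"


# Constructed inputs: the packet from the trace (SW 9000 stripped) and a
# well-formed one with RPL=0x0E, RHL=0x0D, a 3-byte RC and no extra data.
BAD = bytes.fromhex("027100000C0A00000000")
GOOD = bytes.fromhex("027100000E0D" "000000" "0000000001" "00" "00" "AABBCC")
```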