SIM 编程②

SIM 卡,用户身份模块(Subscriber Identity Module,SIM),是主要用于存储用户身份识别数据、短信数据和电话号码的智能卡。

USIM 卡:UMTS 用户身份模块(UMTS Subscriber Identity Module),是用于 UMTS 网络中的用户身份识别模块。USIM 卡还可以储存使用者资料、电话号码、认证资料、密钥、加密算法以及为短信提供储存空间。USIM 卡通常被认为是 SIM 卡的升级版,在 LTE(4G)网络中必须使用 USIM 卡,同时 USIM 卡向下兼容 2G、3G 网络。

ICCID:
Integrated Circuit Card Identification,智能卡识别序列号码,用以标识 USIM 卡;
IMSI:
International Mobile Subscriber Identity,国际用户识别码,全球唯一的用户识别码;

Ki:鉴权密钥,用于用户身份的鉴权。

OP:鉴权密钥,用于用户身份的鉴权。

OPc:鉴权密钥,使用 OP 和 Ki 分散计算得出。

在osmocom购买的测试卡,发货时还会提供 IMSI、ICCID、ACC、PIN1、PUK1、PIN2、PUK2、Ki、OPC、ADM1、KIC1、KID1、KIK1等参数

将SIM密钥写入MME数据库后,当基站启动、SIM卡入网鉴权时,核心网将对数据库中的密钥采用特定算法进行运算,如果运算结果与SIM卡侧运算结果相同,则正常入网使用,反之,则入网失败。

Linux pysim

git clone https://github.com/osmocom/pysim
sudo apt-get install python3-pyscard python3-serial python3-cmd2 python3-pip python3-yaml
sudo pip3 install pytlv jsonpath-ng construct bidict gsm0338
cd pysim
sudo pip3 install -r requirements.txt
sudo apt install pcsc-tools pcscd  #安装PCSC 智能卡软件

sudo systemctl start pcscd
sudo systemctl enable pcscd

lsusb

Bus 001 Device 012: ID 076b:6632 OmniKey AG

sudo pcsc_scan
PC/SC device scanner
V 1.5.2 (c) 2001-2017, Ludovic Rousseau <ludovic.rousseau@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: HID Global OMNIKEY 6121 Smart Card Reader [OMNIKEY 6121 Smart Card Reader] 00 00

Thu Jul 22 16:54:49 2021
 Reader 0: HID Global OMNIKEY 6121 Smart Card Reader [OMNIKEY 6121 Smart Card Reader] 00 00
  Card state: Card inserted,
  ATR: 3B 9F 96 80 1F C7 80 31 A0 73 BE 21 13 67 43 20 07 18 00 00 01 A5

ATR: 3B 9F 96 80 1F C7 80 31 A0 73 BE 21 13 67 43 20 07 18 00 00 01 A5
+ TS = 3B --> Direct Convention
+ T0 = 9F, Y(1): 1001, K: 15 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
  TD(2) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
-----
  TA(3) = C7 --> Clock stop: no preference - Class accepted by the card: (3G) A 5V B 3V C 1.8V
+ Historical bytes: 80 31 A0 73 BE 21 13 67 43 20 07 18 00 00 01
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: A0
        - Application selection: by full DF name
        - BER-TLV data objects available in EF.DIR
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card with MF
    Tag: 7, len: 3 (card capabilities)
      Selection methods: BE
        - DF selection by full DF name
        - DF selection by path
        - DF selection by file identifier
        - Implicit DF selection
        - Short EF identifier supported
        - Record number supported
      Data coding byte: 21
        - Behaviour of write functions: proprietary
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: 13
        - Logical channel number assignment: by the card
        - Maximum number of logical channels: 4
    Tag: 6, len: 7 (pre-issuing data)
      Data: 43 20 07 18 00 00 01
+ TCK = A5 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 9F 96 80 1F C7 80 31 A0 73 BE 21 13 67 43 20 07 18 00 00 01 A5
	sysmoUSIM-SJS1 (Telecommunication)
	http://www.sysmocom.de/products/sysmousim-sjs1-sim-usim
 \

操作

读取SIM卡信息

sudo ./pySim-read.py --pcsc-device=0

Using PC/SC reader interface
Reading ...
Autodetected card type: sysmoUSIM-SJS1
ICCID: 8988211000000268030
IMSI: 901700000026803
GID1: ffffffffffffffffffff
GID2: ffffffffffffffffffff
SMSP: ffffffffffffffffffffffffffffffffffffffffffffffffe1ffffffffffffffffffffffff0581005155f5ffffffffffff000000
SPN: Not available
Show in HPLMN: False
Hide in OPLMN: False
PLMNsel: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
PLMNwAcT:
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused

OPLMNwAcT:
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused

HPLMNAcT:
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused
	ffffffffff # unused

ACC: 0008
MSISDN: Can't read file -- Length of MSISDN (136 bytes) is out of range
Administrative data: 00000002
	MS operation mode: normal
	Ciphering Indicator: disabled
SIM Service Table: ff3fffff3f003f1ff00c00c0f00000
	Service 1 - CHV1 disable function
	Service 2 - Abbreviated Dialling Numbers (ADN)
	Service 3 - Fixed Dialling Numbers (FDN)
	Service 4 - Short Message Storage (SMS)
	Service 5 - Advice of Charge (AoC)
	Service 6 - Capability Configuration Parameters (CCP)
	Service 7 - PLMN selector
	Service 8 - RFU
	Service 9 - MSISDN
	Service 10 - Extension1
	Service 11 - Extension2
	Service 12 - SMS Parameters
	Service 13 - Last Number Dialled (LND)
	Service 14 - Cell Broadcast Message Identifier
	Service 17 - Service Provider Name
	Service 18 - Service Dialling Numbers (SDN)
	Service 19 - Extension3
	Service 20 - RFU
	Service 21 - VGCS Group Identifier List (EFVGCS and EFVGCSS)
	Service 22 - VBS Group Identifier List (EFVBS and EFVBSS)
	Service 23 - enhanced Multi-Level Precedence and Pre-emption Service
	Service 24 - Automatic Answer for eMLPP
	Service 25 - Data download via SMS-CB
	Service 26 - Data download via SMS-PP
	Service 27 - Menu selection
	Service 28 - Call control
	Service 29 - Proactive SIM
	Service 30 - Cell Broadcast Message Identifier Ranges
	Service 31 - Barred Dialling Numbers (BDN)
	Service 32 - Extension4
	Service 33 - De-personalization Control Keys
	Service 34 - Co-operative Network List
	Service 35 - Short Message Status Reports
	Service 36 - Network's indication of alerting in the MS
	Service 37 - Mobile Originated Short Message control by SIM
	Service 38 - GPRS
	Service 49 - MExE
	Service 50 - Reserved and shall be ignored
	Service 51 - PLMN Network Name
	Service 52 - Operator PLMN List
	Service 53 - Mailbox Dialling Numbers
	Service 54 - Message Waiting Indication Status
	Service 57 - Multimedia Messaging Service (MMS)
	Service 58 - Extension 8
	Service 59 - MMS User Connectivity Parameters

USIM Service Table: 9e6b1dfc67f6580000
	Service 2 - Fixed Dialling Numbers (FDN)
	Service 3 - Extension 2
	Service 4 - Service Dialling Numbers (SDN)
	Service 5 - Extension3
	Service 8 - Outgoing Call Information (OCI and OCT)
	Service 9 - Incoming Call Information (ICI and ICT)
	Service 10 - Short Message Storage (SMS)
	Service 12 - Short Message Service Parameters (SMSP)
	Service 14 - Capability Configuration Parameters 2 (CCP2)
	Service 15 - Cell Broadcast Message Identifier
	Service 17 - Group Identifier Level 1
	Service 19 - Service Provider Name
	Service 20 - User controlled PLMN selector with Access Technology
	Service 21 - MSISDN
	Service 27 - GSM Access
	Service 28 - Data download via SMS-PP
	Service 29 - Data download via SMS-CB
	Service 30 - Call Control by USIM
	Service 31 - MO-SMS Control by USIM
	Service 32 - RUN AT COMMAND command
	Service 33 - shall be set to 1
	Service 34 - Enabled Services Table
	Service 35 - APN Control List (ACL)
	Service 38 - GSM security context
	Service 39 - CPBCCH Information
	Service 42 - Operator controlled PLMN selector with Access Technology
	Service 43 - HPLMN selector with Access Technology
	Service 45 - PLMN Network Name
	Service 46 - Operator PLMN List
	Service 47 - Mailbox Dialling Numbers
	Service 48 - Message Waiting Indication Status
	Service 52 - Multimedia Messaging Service (MMS)
	Service 53 - Extension 8
	Service 55 - MMS User Connectivity Parameters

Done !

sudo ./pySim-prog.py --pcsc-device=0 --type sysmoUSIM-SJS1 --pin-adm=60971626 --mcc=901 --mnc=71 --imsi=901700000026803    --iccid=8988211000000268030 --opc=6435204EA840E6BFA826A34E2AEE26DE --ki=D284801D28866964BE90D51EAFAC1555;

Pysim-shell

Windows

SIM Explorer 、 USIM_Explorer、SIM Personalize tools

参考:

https://cyberloginit.com/2018/05/14/eastcompeace-usim-exploit-and-notes-on-smart-card-pentest-for-linux.html

https://github.com/cn0xroot/BTS_Research

发表评论

Please log in using one of these methods to post your comment:

WordPress.com 徽标

您正在使用您的 WordPress.com 账号评论。 注销 /  更改 )

Google photo

您正在使用您的 Google 账号评论。 注销 /  更改 )

Twitter picture

您正在使用您的 Twitter 账号评论。 注销 /  更改 )

Facebook photo

您正在使用您的 Facebook 账号评论。 注销 /  更改 )

Connecting to %s