A5 GSM AT tricks » History » Revision 1
tnt, 02/19/2016 10:47 PM
Some cellphones allow access to the SIM through AT commands, which is very useful for interrogating the SIM while it is on the network, or when you don't have a SIM reader handy. Most of the time you need two commands: the first selects the proper directory or file on the SIM, the second executes the command or performs the read.
= Phone support =
== Good ==
- '''iPhone''': Works. Tried with minicom on /dev/tty.debug while ssh'd on the phone.
= Commands =
== Run GSM algorithm ==
Commands:
{{{
AT+CSIM=14,"A0A40000027F20"
AT+CSIM=42,"A088000010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
}}}
''The 16 0xFF bytes are the RAND.''
Sample run:
{{{
AT+CSIM=14,"A0A40000027F20"
+CSIM: 48,"000010247F20020000000000091100160800838A838A9000"
OK
AT+CSIM=42,"A088000010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+CSIM: 28,"A5975E88E0940FC09AEFA0009000"
OK
}}}
- '''sres''': A5 97 5E 88
- '''Kc''': E0 94 0F C0 9A EF A0 00
Some interesting parameters are saved on the SIM by the ME (for later use in case of reboot or something I guess).
=== Kc ''0x6F20'' ===
Commands:
{{{
AT+CSIM=14,"A0A40000026F20"
AT+CSIM=10,"A0B0000009"
}}}
Sample run:
{{{
AT+CSIM=14,"A0A40000026F20"
+CSIM: 34,"000000096F2004001100BB010200009000"
OK
AT+CSIM=10,"A0B0000009"
+CSIM: 22,"E0940FC09AEFA000009000"
OK
}}}
Again, you find the last Kc used here, followed by the key sequence number:
- '''Kc''': E0 94 0F C0 9A EF A0 00
- '''key sequence number''': 00
=== IMSI ''0x6F07'' ===
Commands:
{{{
AT+CSIM=14,"A0A40000026F07"
AT+CSIM=10,"A0B0000009"
}}}
Sample run:
{{{
/* FIXME: Do one */
}}}
=== LOCI ''0x6F7E'' ===
LOCI can be decomposed into:
Commands:
{{{
AT+CSIM=14,"A0A40000026F7E"
AT+CSIM=10,"A0B000000B"
}}}
Sample run:
{{{
/* FIXME: Do one */
}}}
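As an added example (not part of the original wiki page), the Python helpers below build the AT+CSIM strings used in the Commands section and decode the +CSIM replies shown in the Run GSM algorithm and Kc sample runs, plus a decoder for the 11-byte EF_LOCI record read in the LOCI section. The EF_LOCI layout (TMSI, LAI, TMSI TIME, location update status) follows GSM 11.11; since the page has no LOCI sample run, the LOCI bytes used for testing are constructed.

```python
import re

CSIM_RE = re.compile(r'^\+CSIM:\s*(\d+),"([0-9A-Fa-f]+)"$')  # <len> counts hex digits, 2 per byte

def csim_command(apdu_hex: str) -> str:
    """Wrap a raw APDU in AT+CSIM: the 7-byte SELECT A0 A4 00 00 02 7F 20 gives AT+CSIM=14."""
    apdu_hex = apdu_hex.upper()
    return f'AT+CSIM={len(apdu_hex)},"{apdu_hex}"'

def run_gsm_algorithm_command(rand: bytes) -> str:
    """RUN GSM ALGORITHM (A0 88 00 00 10) with a 16-byte RAND; the page uses 16 x 0xFF."""
    if len(rand) != 16:
        raise ValueError("RAND must be 16 bytes")
    return csim_command("A088000010" + rand.hex())

def parse_csim_response(line: str) -> bytes:
    """Return the response data after checking the length field and the trailing SW1 SW2 (0x9000 = OK)."""
    m = CSIM_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a +CSIM response: {line!r}")
    payload = bytes.fromhex(m.group(2))
    if int(m.group(1)) != 2 * len(payload):
        raise ValueError("length field does not match payload")
    sw = int.from_bytes(payload[-2:], "big")
    if sw != 0x9000:
        raise ValueError(f"SIM returned status word {sw:04X}")
    return payload[:-2]

def parse_run_gsm_algorithm(data: bytes) -> dict:
    """Response data is SRES (4 bytes) followed by Kc (8 bytes), as in the sample run above."""
    if len(data) != 12:
        raise ValueError("expected 12 bytes of SRES || Kc")
    return {"sres": data[:4].hex().upper(), "kc": data[4:].hex().upper()}

def parse_ef_kc(data: bytes) -> dict:
    """EF_Kc (6F20, 9 bytes): Kc (8 bytes) then the key sequence number."""
    if len(data) != 9:
        raise ValueError("expected 9 bytes of Kc || KSN")
    return {"kc": data[:8].hex().upper(), "ksn": data[8]}

def parse_ef_loci(data: bytes) -> dict:
    """EF_LOCI (6F7E, 11 bytes, hence the 0B read): TMSI(4) LAI(5) TMSI TIME(1) update status(1)."""
    if len(data) != 11:
        raise ValueError("expected 11 bytes of EF_LOCI")
    tmsi, lai, status = data[:4], data[4:9], data[10]
    # LAI: MCC and MNC digits are BCD nibbles, low nibble first; 0xF marks a missing third MNC digit
    mcc = f"{lai[0] & 0xF}{lai[0] >> 4}{lai[1] & 0xF}"
    mnc = f"{lai[2] & 0xF}{lai[2] >> 4}" + ("" if lai[1] >> 4 == 0xF else f"{lai[1] >> 4}")
    # status low 3 bits: 0 updated, 1 not updated, 2 PLMN not allowed, 3 location area not allowed
    return {"tmsi": tmsi.hex().upper(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(lai[3:5], "big"), "update_status": status & 0x7}
```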