A5 GSM AT tricks » History » Version 3
ipse, 02/19/2016 10:47 PM
Add command to read IMSI
| 1 | 1 | tnt | Some cellphones allow to access the SIM through AT commands which can be very useful to interrogate the SIM _while_ on the network, or if you don't have a SIM reader handy. Most of the time you need two commands, the first one selecting the proper directory or file on the SIM, then the second executing the command or doing the read. |
|---|---|---|---|
| 2 | |||
| 3 | = Phone support: = |
||
| 4 | == Good == |
||
| 5 | 2 | tnt | * '''iPhone''': Works. Tried with minicom on /dev/tty.debug while ssh'd on the phone. |
| 6 | 1 | tnt | |
| 7 | == Bad == |
||
| 8 | 2 | tnt | * '''!OpenMoko''': Apparently the TI calypso prevents the submission of APDU class 0xA4 (GSM). |
| 9 | 1 | tnt | |
| 10 | = Commands = |
||
| 11 | |||
| 12 | == Run GSM algorithm == |
||
| 13 | |||
| 14 | Commands: |
||
| 15 | {{{ |
||
| 16 | AT+CSIM=14,"A0A40000027F20" |
||
| 17 | AT+CSIM=42,"A088000010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" |
||
| 18 | }}} |
||
| 19 | |||
| 20 | ''The 16 0xff are the RAND'' |
||
| 21 | |||
| 22 | Sample run: |
||
| 23 | |||
| 24 | {{{ |
||
| 25 | AT+CSIM=14,"A0A40000027F20" |
||
| 26 | +CSIM: 48,"000010247F20020000000000091100160800838A838A9000" |
||
| 27 | |||
| 28 | OK |
||
| 29 | AT+CSIM=42,"A088000010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" |
||
| 30 | +CSIM: 28,"A5975E88E0940FC09AEFA0009000" |
||
| 31 | |||
| 32 | OK |
||
| 33 | }}} |
||
| 34 | |||
| 35 | In the respond command response, you find: |
||
| 36 | 2 | tnt | * '''sres''': A5 97 5E 88 |
| 37 | * '''Kc''': E0 94 0F C0 9A EF A0 00 |
||
| 38 | 1 | tnt | |
| 39 | |||
| 40 | == Read EF files from the SIM == |
||
| 41 | |||
| 42 | Some interesting parameters are saved on the SIM by the ME (for later use in case of reboot or something I guess). |
||
| 43 | |||
| 44 | === Kc ''0x6F20'' === |
||
| 45 | |||
| 46 | Commands: |
||
| 47 | {{{ |
||
| 48 | AT+CSIM=14,"A0A40000026F20" |
||
| 49 | AT+CSIM=10,"A0B0000009" |
||
| 50 | }}} |
||
| 51 | |||
| 52 | Sample run: |
||
| 53 | {{{ |
||
| 54 | AT+CSIM=14,"A0A40000026F20" |
||
| 55 | +CSIM: 34,"000000096F2004001100BB010200009000" |
||
| 56 | |||
| 57 | OK |
||
| 58 | AT+CSIM=10,"A0B0000009" |
||
| 59 | +CSIM: 22,"E0940FC09AEFA000009000" |
||
| 60 | |||
| 61 | OK |
||
| 62 | }}} |
||
| 63 | |||
| 64 | Again, you find the last Kc used here: E0 94 0F C0 9A EF A0 00 |
||
| 65 | and also the key sequence number: 00 |
||
| 66 | |||
| 67 | |||
| 68 | === IMSI ''0x6F07'' === |
||
| 69 | |||
| 70 | Commands: |
||
| 71 | {{{ |
||
| 72 | AT+CSIM=14,"A0A40000026F07" |
||
| 73 | AT+CSIM=10,"A0B0000009" |
||
| 74 | }}} |
||
| 75 | |||
| 76 | Sample run: |
||
| 77 | {{{ |
||
| 78 | /* FIXME: Do one */ |
||
| 79 | }}} |
||
| 80 | |||
| 81 | 3 | ipse | IMSI can be also read by another command: |
| 82 | {{{ |
||
| 83 | AT+CIMI |
||
| 84 | }}} |
||
| 85 | |||
| 86 | Sample run: |
||
| 87 | {{{ |
||
| 88 | AT+CIMI |
||
| 89 | 250997001138203 |
||
| 90 | |||
| 91 | OK |
||
| 92 | }}} |
||
| 93 | 1 | tnt | |
| 94 | === LOCI ''0x6F7E'' === |
||
| 95 | |||
| 96 | LOCI can be decomposed in: |
||
| 97 | 2 | tnt | * TMSI![0:3] |
| 98 | * LAI![4:8] |
||
| 99 | * TMSI Time![9] |
||
| 100 | * status![10] |
||
| 101 | 1 | tnt | |
| 102 | Commands: |
||
| 103 | {{{ |
||
| 104 | AT+CSIM=14,"A0A40000026F7E" |
||
| 105 | AT+CSIM=10,"A0B000000B" |
||
| 106 | }}} |
||
| 107 | |||
| 108 | Sample run: |
||
| 109 | {{{ |
||
| 110 | /* FIXME: Do one */ |
||
| 111 | }}} |
