A5 GSM AT tricks » History » Version 7
zecke, 02/07/2017 04:41 PM
| 1 | 1 | tnt | Some cellphones allow to access the SIM through AT commands which can be very useful to interrogate the SIM _while_ on the network, or if you don't have a SIM reader handy. Most of the time you need two commands, the first one selecting the proper directory or file on the SIM, then the second executing the command or doing the read. |
|---|---|---|---|
| 2 | |||
| 3 | |||
| 4 | 7 | zecke | h1. Phone support: |
| 5 | |||
| 6 | h2. Good |
||
| 7 | |||
| 8 | 6 | laforge | * *iPhone*: Works. Tried with minicom on /dev/tty.debug while ssh'd on the phone. (needs Jailbreak to get SSH access) |
| 9 | 1 | tnt | |
| 10 | 6 | laforge | |
| 11 | h2. Bad |
||
| 12 | |||
| 13 | * *!OpenMoko*: Apparently the TI calypso prevents the submission of APDU class 0xA4 (GSM). |
||
| 14 | |||
| 15 | 1 | tnt | NOTE: This depends on the firmware. There are firmware versions that explicitly do not have the APDU class check! |
| 16 | |||
| 17 | |||
| 18 | 6 | laforge | h1. Commands |
| 19 | 1 | tnt | |
| 20 | 6 | laforge | |
| 21 | |||
| 22 | h2. Run GSM algorithm |
||
| 23 | |||
| 24 | |||
| 25 | 1 | tnt | Commands: |
| 26 | 6 | laforge | <pre> |
| 27 | 1 | tnt | AT+CSIM=14,"A0A40000027F20" |
| 28 | AT+CSIM=42,"A088000010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" |
||
| 29 | 6 | laforge | </pre> |
| 30 | 1 | tnt | |
| 31 | 6 | laforge | _The 16 0xff are the RAND_ |
| 32 | 1 | tnt | |
| 33 | Sample run: |
||
| 34 | |||
| 35 | 6 | laforge | <pre> |
| 36 | 1 | tnt | AT+CSIM=14,"A0A40000027F20" |
| 37 | +CSIM: 48,"000010247F20020000000000091100160800838A838A9000" |
||
| 38 | |||
| 39 | OK |
||
| 40 | AT+CSIM=42,"A088000010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" |
||
| 41 | +CSIM: 28,"A5975E88E0940FC09AEFA0009000" |
||
| 42 | |||
| 43 | OK |
||
| 44 | 6 | laforge | </pre> |
| 45 | 1 | tnt | |
| 46 | In the respond command response, you find: |
||
| 47 | 6 | laforge | * *sres*: A5 97 5E 88 |
| 48 | * *Kc*: E0 94 0F C0 9A EF A0 00 |
||
| 49 | 1 | tnt | |
| 50 | 2 | tnt | |
| 51 | |||
| 52 | 6 | laforge | h2. Read EF files from the SIM |
| 53 | |||
| 54 | |||
| 55 | 1 | tnt | Some interesting parameters are saved on the SIM by the ME (for later use in case of reboot or something I guess). |
| 56 | |||
| 57 | |||
| 58 | 6 | laforge | h3. Kc _0x6F20_ |
| 59 | |||
| 60 | |||
| 61 | 1 | tnt | Commands: |
| 62 | 6 | laforge | <pre> |
| 63 | 1 | tnt | AT+CSIM=14,"A0A40000026F20" |
| 64 | AT+CSIM=10,"A0B0000009" |
||
| 65 | 6 | laforge | </pre> |
| 66 | 1 | tnt | |
| 67 | Sample run: |
||
| 68 | 6 | laforge | <pre> |
| 69 | 1 | tnt | AT+CSIM=14,"A0A40000026F20" |
| 70 | +CSIM: 34,"000000096F2004001100BB010200009000" |
||
| 71 | |||
| 72 | OK |
||
| 73 | AT+CSIM=10,"A0B0000009" |
||
| 74 | +CSIM: 22,"E0940FC09AEFA000009000" |
||
| 75 | |||
| 76 | OK |
||
| 77 | 6 | laforge | </pre> |
| 78 | 1 | tnt | |
| 79 | Again, you find the last Kc used here: E0 94 0F C0 9A EF A0 00 |
||
| 80 | and also the key sequence number: 00 |
||
| 81 | |||
| 82 | |||
| 83 | |||
| 84 | 6 | laforge | h3. IMSI _0x6F07_ |
| 85 | |||
| 86 | |||
| 87 | 1 | tnt | Commands: |
| 88 | 6 | laforge | <pre> |
| 89 | 1 | tnt | AT+CSIM=14,"A0A40000026F07" |
| 90 | AT+CSIM=10,"A0B0000009" |
||
| 91 | 6 | laforge | </pre> |
| 92 | 1 | tnt | |
| 93 | Sample run: |
||
| 94 | 6 | laforge | <pre> |
| 95 | 1 | tnt | /* FIXME: Do one */ |
| 96 | 6 | laforge | </pre> |
| 97 | 3 | ipse | |
| 98 | IMSI can be also read by another command: |
||
| 99 | 6 | laforge | <pre> |
| 100 | 3 | ipse | AT+CIMI |
| 101 | 6 | laforge | </pre> |
| 102 | 3 | ipse | |
| 103 | Sample run: |
||
| 104 | 6 | laforge | <pre> |
| 105 | 3 | ipse | AT+CIMI |
| 106 | 250997001138203 |
||
| 107 | |||
| 108 | OK |
||
| 109 | 6 | laforge | </pre> |
| 110 | 1 | tnt | |
| 111 | |||
| 112 | 6 | laforge | h3. LOCI _0x6F7E_ |
| 113 | |||
| 114 | |||
| 115 | 2 | tnt | LOCI can be decomposed in: |
| 116 | 6 | laforge | * TMSI![0:3] |
| 117 | * LAI![4:8] |
||
| 118 | * TMSI Time!r9 |
||
| 119 | * status!r10 |
||
| 120 | 1 | tnt | |
| 121 | Commands: |
||
| 122 | 6 | laforge | <pre> |
| 123 | 1 | tnt | AT+CSIM=14,"A0A40000026F7E" |
| 124 | AT+CSIM=10,"A0B000000B" |
||
| 125 | 6 | laforge | </pre> |
| 126 | 1 | tnt | |
| 127 | Sample run: |
||
| 128 | 6 | laforge | <pre> |
| 129 | 1 | tnt | /* FIXME: Do one */ |
| 130 | 6 | laforge | </pre> |
