The Rise And (Eventual) Fall Of The SIM Card

There are few devices that better exemplify the breakneck pace of modern technical advancement than the mobile phone. In the span of just a decade, we went from flip phones and polyphonic ringtones to full-fledged mobile computers with quad-core processors and gigabytes of memory.

While rapid advances in computing power are of course nothing new, the evolution of mobile devices is something altogether different. The Razr V3 of 2003 and the Nexus 5 of 2013 are so vastly different that it's hard to reconcile the fact that they were (at least ostensibly) designed to serve the same purpose, with everything from their basic physical layout to the way the user interacts with them having changed dramatically in the intervening years. Even the network technology they use for voice and data is different.

Two phones, a decade apart.

Yet there's at least one component they share: the lowly SIM card. In fact, if you don't mind trimming a bit of unnecessary plastic away, you could pull the SIM out of the Razr and slap it into the Nexus 5 without a problem. It doesn't matter that the latter phone wasn't even a twinkling in Google's eye when the card was made; the nature of the SIM card means compatibility is a given.

Indeed there’s every reason to believe that very same card, now 20 years old, could be installed in any number of phones on the market today. Although, once again, some minor surgery would be required to pare it down to size.

Such is the beauty of the SIM, or Subscriber Identity Module. It lets you move your cellular service from one phone to another with little regard to the age or manufacturer of the device, and generally without even having to tell your carrier about the swap. The reason this works is that what travels with the card is the subscription itself: the IMSI that identifies the subscriber and the secret key Ki the network uses to authenticate it. The key never leaves the card, which runs the authentication algorithm internally, so the handset holding the card is irrelevant to authentication. It's a simple concept that has served us well for almost as long as cellular telephones have existed, and it separates the phone from the phone contract.

So naturally, there’s mounting pressure in the industry to screw it up.


Unlocking SIM Cards With A Logic Analyzer

[Jason Gin] wanted to reuse the SIM card that came with a ZTE WF721 wireless terminal he got from AT&T, but as he expected, it was PIN-locked: the terminal knew the PIN and entered it at power-up, but offered no way to display or change it, and none of the defaults he tried worked. The only thing left to do was crack it open and sniff the PIN with a logic analyzer.

This project is a fantastic example of the kind of reverse engineering you can pull off with a cheap logic analyzer and a keen eye, and it also illustrates a basic limit of device security: a secret that the device itself must present in the clear every time it boots cannot be kept from someone who holds the device and can tap the contacts. [Jason] already knew what the SIM unlock (VERIFY) command looks like on the wire; he just needed to capture the exchange between the WF721 and the SIM card, find the right byte sequence, and read the bytes directly after it.

Finding the test pads on the back of the SIM slot, he wired his DSLogic Plus logic analyzer to the VCC, CLK, RST, and I/O pins and found a convenient spot for the ground lead. After some fiddling he determined the SIM was being clocked at 4 MHz and that the I/O line ran at 250 kbit/s, which is the rate to give the analyzer's UART decoder. That is not the ISO 7816 default: with the standard clock-rate conversion factor (F = 372, D = 1) a 4 MHz clock gives only about 10.75 kbit/s, so a faster divisor must have been negotiated at reset, and a decoder left at the default rate would see garbage. The frames themselves are UART-like (one start bit, eight data bits, even parity), and since the I/O line is half-duplex, both directions land in the same decoded byte stream.

Once he found the bytes that signal a successful unlock (ISO 7816 and GSM 11.11 answer a successful VERIFY with the status word 90 00), he worked backwards to the unlock command and its PIN. The PIN travels over the contacts in plain text, which is simply how the VERIFY command works: the card's defence is its retry counter, which blocks the PIN after three wrong guesses, not secrecy on the wire. That means any device that stores the PIN and enters it automatically hands it to whoever can probe the I/O line. All [Jason] had to do then was put the SIM in his phone and punch in the sniffed PIN when prompted.
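As an added example (not code from the original post or from [Jason Gin]'s write-up), here is how the search described above looks in Python once the analyzer's UART decoder has produced a flat byte stream. It assumes GSM 11.11 APDUs carried over ISO 7816-3 T=0, uses the standard VERIFY CHV header (A0 20 00 01 08), T=0 procedure bytes and status words, and runs over a trace constructed by hand; a real capture would begin with the card's ATR and any rate negotiation, which are left out here.

```python
"""Recover the PIN from a sniffed SIM I/O byte stream.

Added example, not code from the original post. It assumes the logic
analyzer's UART decoder has already turned the half-duplex I/O line into one
flat byte sequence (both directions interleaved, as they appear on the wire)
and looks for the GSM 11.11 VERIFY CHV command over ISO 7816-3 T=0.
The trace at the bottom is constructed by hand, not a real capture.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLA_GSM = 0xA0        # GSM 11.11 class byte
INS_VERIFY = 0x20     # VERIFY CHV instruction
T0_NULL = 0x60        # T=0 NULL procedure byte: card asks for more time

# GSM 11.11 status words relevant to VERIFY CHV
SW_TEXT = {
    (0x90, 0x00): "ok",
    (0x98, 0x04): "wrong CHV, attempts remain",
    (0x98, 0x40): "wrong CHV, CHV now blocked",
}


@dataclass
class VerifyAttempt:
    chv: int                        # 1 = PIN1, 2 = PIN2
    pin: str                        # ASCII digits with the 0xFF padding stripped
    sw: Optional[Tuple[int, int]]   # SW1 SW2, or None if the stream lost sync
    verdict: str


def _is_verify_header(b: bytes) -> bool:
    cla, ins, p1, p2, p3 = b
    return cla == CLA_GSM and ins == INS_VERIFY and p1 == 0x00 and p2 in (1, 2) and p3 == 8


def parse_verify_attempts(trace: bytes) -> List[VerifyAttempt]:
    """Walk the byte stream and return every VERIFY CHV exchange found in it."""
    found = []
    i = 0
    while i + 5 <= len(trace):
        if not _is_verify_header(trace[i:i + 5]):
            i += 1                  # not a VERIFY header: slide forward one byte
            continue
        chv = trace[i + 3]          # P2 selects CHV1 or CHV2
        j = i + 5
        data = bytearray()
        sw = None
        # T=0: after the 5-byte header the card sends procedure bytes until it
        # finally answers with SW1 SW2.
        while j < len(trace) and sw is None:
            b = trace[j]
            if b == T0_NULL:
                j += 1                                   # wait, keep listening
            elif b == INS_VERIFY:
                # ACK == INS: terminal now sends all remaining data bytes at once
                need = 8 - len(data)
                data += trace[j + 1:j + 1 + need]
                j += 1 + need
            elif b == (INS_VERIFY ^ 0xFF):
                # ACK == INS xor FF: terminal sends exactly one more byte
                if j + 1 < len(trace):
                    data.append(trace[j + 1])
                j += 2
            elif (b & 0xF0) in (0x60, 0x90) and j + 1 < len(trace):
                sw = (b, trace[j + 1])                   # SW1 SW2 ends the command
                j += 2
            else:
                break                                    # lost sync; abandon this command
        pin = bytes(data).rstrip(b"\xff").decode("ascii", errors="replace")
        if sw is None:
            verdict = "no status word"
        else:
            verdict = SW_TEXT.get(sw, f"unknown status {sw[0]:02X} {sw[1]:02X}")
        found.append(VerifyAttempt(chv, pin, sw, verdict))
        i = j
    return found


def recovered_pin(trace: bytes, chv: int = 1) -> Optional[str]:
    """The PIN the card actually accepted, or None if no attempt succeeded."""
    for a in parse_verify_attempts(trace):
        if a.chv == chv and a.verdict == "ok":
            return a.pin
    return None


# Constructed trace (not a real capture): a SELECT of DF_GSM, one wrong PIN, then
# the PIN the terminal really uses. Terminal and card bytes are interleaved
# exactly as a single-wire sniff shows them.
TRACE = bytes.fromhex(
    "A0A4000002" "A4" "7F20" "9F16"                   # SELECT 7F20; card: 0x16 response bytes waiting
    "A020000108" "20" "30303030FFFFFFFF" "9804"       # VERIFY CHV1 "0000"; card: wrong, attempts remain
    "A020000108" "60" "20" "31323334FFFFFFFF" "9000"  # VERIFY CHV1 "1234" after a NULL; card: ok
)

if __name__ == "__main__":
    for a in parse_verify_attempts(TRACE):
        print(f"CHV{a.chv} pin={a.pin!r:8} -> {a.verdict}")
    print("PIN accepted by the card:", recovered_pin(TRACE))
```

Two things bite on a real capture: the I/O line is half-duplex, so the command header, the card's procedure bytes, the PIN and the status words all arrive in one stream in the order shown, and the UART decoder must be set to the negotiated rate with eight data bits and even parity, or none of these bytes will be recognisable.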

Could [Jason] have just run out to the store and picked up a prepaid SIM instead of cracking open this wireless terminal and sniffing its communications with a logic analyzer? Of course. But where’s the fun in that?

36C3: SIM Card Technology From A To Z

SIM cards are all around us, and with the continued growth of the Internet of Things and technologies like NB-IoT, that may soon be literally true. But what do we really know about them, their internal structure, their communication protocols, and, by extension, their security? To shed some light on these questions, open source and mobile device titan [LaForge] gave an introductory talk on SIM card technology at 36C3 in Leipzig, Germany.

Starting with a brief history lesson on the early days of cellular networks, based on the German C-Netz, and on the origin of the SIM card itself, [LaForge] goes through the main specifications and technology of each following generation from 2G to 5G. He covers the physical basics, the I/O interfaces, the communication protocols, and the file system stored on the card, and along the way answers the question "what on Earth is PIN2 for?".

Of course, a talk like this at a CCC event wouldn't be complete without a deep and critical look at the security side as well. With SIMs now mostly running Java Card, over-the-air updates can deliver not just configuration changes but entirely new applets, and that growing remote attack surface is well worth examining.


SIM Card Connectors And White PCBs Make Huge LED Snowflakes Happen

[Mike Harrison] talked about designing and building a huge scale LED lighting installation in which PCBs were used as both electrical and mechanical elements, and presented at Electromagnetic Field 2016. The project involved 84,000 RGBW LEDs, 14,000 microcontrollers and 25,000 PCBs. It had some different problems to solve compared to small jobs, but [Mike] shared techniques that could be equally applied to smaller scale projects or applications. He goes into detail on designing for manufacture and assembly, sourcing the parts, and building the units on-site.

The installation itself was a snowflake display for a high-end shopping mall in Hong Kong in the 2015 Christmas season. [Mike] wanted a small number of modular boards that could be connected together on-site to make up the right shapes. In an effort to minimize the kinds of manufacturing and parts needed, he ended up using modular white PCBs as structural elements as well as electrical. With the exception of some minor hardware like steel wire supports, no part of the huge snowflakes required anything outside of usual PCB manufacturing processes to make. The fewer suppliers, the fewer potential problems. [Mike] goes into design detail at 6:28 in the video.

For the connections between the boards, he ended up using SIM card connectors intended for cell phones. Some testing led to a connector that matched the thickness of a 1.6 mm PCB used as a spacer. About 28,000 of them were used, and for a while in 2015 that particular part was very hard to get hold of, because they had cleaned everyone out!

Snooping On SIM Cards

[Nils Pipenbrinck] has been working on a very interesting problem. The SIM card in your cellphone talks to the contactless near-field communication (NFC) chip through a protocol we'd never heard of until reading his blog: the single wire protocol (SWP).

A SIM card has only eight contacts, and most of them were spoken for by the time NFC came along, so SWP had to make do with a single one: C6, the old programming-voltage pin that modern cards no longer need. But the NFC controller and the SIM need full-duplex communication. SWP therefore works bidirectionally on that one wire: one device modulates the voltage on the line while the other modulates the current, essentially by switching a load in and out.

This signalling scheme makes snooping on the line tricky, so to start his explorations of SWP, [Nils] built his own transceiver. That led him to the very sensitive analog sniffer circuit he has just come up with.

If you get interested in SWP, you’ll find the slides from this fantastic presentation (PDF) helpful, and they propose a solution very similar to the one that [Nils] ended up implementing. That’s not taking anything away from [Nils]’s amazing work: with tricky high-speed analog circuitry like this, the implementation can be more than half of the battle! And we’ll surely be following [Nils]’s blog to see where he takes this.

Banner image: An old version and a new version of the transceiver prototype.

Thanks to [Tim Riemann] for the tip!

Adding A SIM Card To The Photon Q 4G LTE

[Charles] is a big fan of phones with physical keyboards; he thinks they are better suited to writing lengthy emails, but his HTC Desire Z was getting old, so he had to replace it. He therefore imported a Motorola Photon Q from the USA, which exposed one major problem: it is a Sprint CDMA phone and has no slot for a GSM SIM. A bit of hacking let him add one. Even though he isn't the one who originally found this hack (XDA thread here), his write-up is definitely an interesting read. The job needed a hot-air reflow station, a soldering iron, a Dremel with a suitable cutting wheel, and several SIM card slot assemblies from the Galaxy S3 (the first ones usually get burned during the disassembly process).

Obviously the first steps involved opening the phone, which can take a while. Using hot air, [Charles] removed the EMI shield covering the SIM IC, then lifted the IC itself the same way. Finally, he removed another EMI shield covering the pads to which the SIM card slot had to be connected. A few minutes (or hours) of delicate soldering and case modding later, [Charles] could use his SIM card in his brand new phone.

SIM Card Carrying Traffic Lights

Apparently some of the traffic lights in Johannesburg, South Africa, have SIM cards in them so the lights can be maintained over the cellular network without a physical connection. Only some of them, not all, but thieves have learned that the SIMs work in ordinary cell phones and can be used to make anonymous and unlimited calls. Officials are convinced the thieves have inside information, because they only crack open the lights that DO contain a card.

We're white hats here at Hackaday and certainly don't want to hand out information that helps criminals. But since this is already a huge problem, we have an idea of how the thieves might be identifying which lights to rob. Sure, they probably do have inside information, but wouldn't it be fairly simple to find the lights that use cellular communication with a home-made spectrum analyzer? It would depend on how often the modems transmit, though a registered GSM modem has to talk to the network periodically (its location updates) to stay registered, even when nobody is polling the light. The more durable fix is on the carrier side: M2M SIMs provisioned as data-only, with voice barred and the subscription bound to the modem's IMEI, are of no use in a handset. Does anyone have insight on this? Leave your thoughts in the comments.

[Thanks Bob]