Inspecting a SIM card via MTM

Diving The Depths Of Ma Bell

The modern smartphone is a marvel of sensors, radios, inputs, outputs, and processing power. In particular, some of those radios, such as WiFi and cellular, have grown fiendishly complex over the years. Even when that complexity is compressed down for the user into the one-dimensional space of the signal strength bars at the top of your phone. So when [David Burgess] was asked to look at some cellphone records of text messages and figure out where some of the more mysterious messages were coming from, it led him down a rabbit hole into the dark arts behind the glowing phone screen.

The number in question was 1111340002, sent by a phone connected to AT&T at the time, and was crucial for a legal case around distracted driving. [David’s] tools in his investigation were YateBTS (a cellular network simulator), SimTrace2 (pictured above), and old reliable Wireshark. Since the number isn’t a specific phone number and is not reachable from the public phone network, it must be a unique number inside AT&T processed by one particular AT&T SMSC (Short Message service center). The SMSC in question is in Atlanta and isn’t a typical texting center, so it must have some particular purpose. The message’s payload is raw binary rather than text, and [David] has done a pretty good job of decoding the majority of the format.

The most exciting revelation in this journey is that the phone (in the traditional sense) does not send this message. The processor on the phone does not know this message and executes no code to send it. Instead, the SIM card itself sends it. The SIM card is connected directly to the baseband processor on the phone, and the baseband polls the sim every so often, asking for any commands. One of those commands is an SMS (though many other commands have worrying consequences).

The SMS that [David] was chasing is triggered whenever a SIM detects a new IMEI, and the message lets the network know what about the previous and current IMEI. However, in the case of this message, it was unlikely that the SIM changed phones, so what happened? After some additional lab work and the deposition of an AT&T employee, [David] showed that a baseband firmware update would also trigger this SMS.

It’s a fascinating journey into the fragmented world of a smartphone’s minds and [David] does a fantastic job on the writeup. If you’re interested in sniffing wireless accessories, you will enjoy this soundbar’s wireless protocol laid bare.

Unlocking SIM Cards With A Logic Analyzer

[Jason Gin] wanted to reuse the SIM card that came with a ZTE WF721 wireless terminal he got from AT&T, but as he expected, it was locked to the device. Unfortunately, the terminal has no function to change the PIN and none of the defaults he tried seemed to work. The only thing left to do was crack it open and sniff the PIN with a logic analyzer.

This project is a fantastic example of the kind of reverse engineering you can pull off with even a cheap logic analyzer and a keen eye, but also perfectly illustrates the fact that having physical access to a device largely negates any security measures the manufacturer tries to implement. [Jason] already knew what the SIM unlock command would look like; he just needed to capture the exchange between the WF721 and SIM card, find the correct byte sequence, and look at the bytes directly after it.

Finding the test pads on the rear of the SIM slot, he wired his DSLogic Plus logic analyzer up to the VCC, CLK, RST, and I/O pins, then found a convenient place to attach his ground wire. After a bit of fiddling, he determined the SIM card was being run at 4 MHz, so he needed to configure a baud rate of 250 kbit/s to read the UART messages passing between the devices.

Once he found the bytes that signified successful unlocking, he was able to work his way backwards and determine the unlock command and its PIN code. It turns out the PIN was even being sent over the wire in plain text, though with the way security is often handled these days, we can’t say it surprises us. All [Jason] had to do then was put the SIM in his phone and punch in the sniffed PIN when prompted.

Could [Jason] have just run out to the store and picked up a prepaid SIM instead of cracking open this wireless terminal and sniffing its communications with a logic analyzer? Of course. But where’s the fun in that?

36C3: SIM Card Technology From A To Z

SIM cards are all around us, and with the continuing growth of the Internet of Things, spawning technologies like NB-IoT, this might as well be very literal soon. But what do we really know about them, their internal structure, and their communication protocols? And by extension, their security? To shine some light on these questions, open source and mobile device titan [LaForge] gave an introductory talk about SIM card technologies at the 36C3 in Leipzig, Germany.

Starting with a brief history lesson on the early days of cellular networks based on the German C-Netz, and the origin of the SIM card itself, [LaForge] goes through the main specification and technology parts of each following generation from 2G to 5G. Covering the physical basics, I/O interfaces, communication protocols, and the file system located on the SIM card, you’ll get the answer to “what on Earth is PIN2 for?” along the way.

Of course, a talk like this, on a CCC event, wouldn’t be complete without a deep and critical look at the security side as well. Considering how over-the-air updates on both software and — thanks to mostly running Java nowadays — feature side are more and more common, there certainly is something to look at.

Continue reading “36C3: SIM Card Technology From A To Z”

Cramming Dual SIMs & A Micro SD Card Into Your Phone

There are plenty of dual SIM phones on the market these days, but most of them are a hamstrung by packaging issues. Despite their dual SIM capability, this usually comes at the expense of the microSD card slot. Of course, hackers don’t accept such nonsense, and [Tweepy] went about crafting a solution. Sadly the make and model of phone aren’t clear.

It’s a simple case of very carefully shaving both the microSD card and the nano-SIM down until both can fit in the card tray. The SIM is slimmed down with the application of a heat gun helping to remove its plastic backing, saving precious fractions of a millimeter. The SD card is then filed down to make just enough space for the SIM to fit in underneath. Thanks to the springiness of the contacts in the phone, it’s just barely possible to squeeze both in, along with some Kapton tape to hold everything in place.

Your mileage may vary, depending on the construction of your SD card. Overall though, it’s a tidy hack that should prove useful to anyone with a dual SIM phone and limited storage. We saw a similar hack a few years ago, too.

[Thanks to Timothy for the tip!]

SIM Card Connectors And White PCBs Make Huge LED Snowflakes Happen

[Mike Harrison] talked about designing and building a huge scale LED lighting installation in which PCBs were used as both electrical and mechanical elements, and presented at Electromagnetic Field 2016. The project involved 84,000 RGBW LEDs, 14,000 microcontrollers and 25,000 PCBs. It had some different problems to solve compared to small jobs, but [Mike] shared techniques that could be equally applied to smaller scale projects or applications. He goes into detail on designing for manufacture and assembly, sourcing the parts, and building the units on-site.

The installation itself was a snowflake display for a high-end shopping mall in Hong Kong in the 2015 Christmas season. [Mike] wanted a small number of modular boards that could be connected together on-site to make up the right shapes. In an effort to minimize the kinds of manufacturing and parts needed, he ended up using modular white PCBs as structural elements as well as electrical. With the exception of some minor hardware like steel wire supports, no part of the huge snowflakes required anything outside of usual PCB manufacturing processes to make. The fewer suppliers, the fewer potential problems. [Mike] goes into design detail at 6:28 in the video.

For the connections between the boards, he ended up using SIM card connectors intended for cell phones. Some testing led to choosing a connector that matched up well with the thickness of a 1.6mm PCB used as a spacer. About 28,000 of them were used, and for a while in 2015 it was very hard to get a hold of that particular part, because they had cleaned everyone out! Continue reading “SIM Card Connectors And White PCBs Make Huge LED Snowflakes Happen”

Snooping On SIM Cards

[Nils Pipenbrinck] has been working on a very interesting problem. The SIM card in your cellphone talks to the contactless near-field communication (NFC) chip through a cool protocol that we’d never hear of until reading his blog: single wire protocol (SWP).

The SIM card in your cellphone has only a limited number of physical connections — and by the time NFC technology came on the scene all but one of them was in use. But the NFC controller and the SIM need full-duplex communications. So the SWP works bi-directionally on just one wire; one device modulates the voltage on the line, while the other modulates the current, essentially by switching a load in and out.

This signalling protocol makes snooping on this data line tricky. So to start off his explorations with SWP, [Nils] built his own transceiver. That lead [Nils] to some very sensitive analog sniffer circuit design that he’s just come up with.

If you get interested in SWP, you’ll find the slides from this fantastic presentation (PDF) helpful, and they propose a solution very similar to the one that [Nils] ended up implementing. That’s not taking anything away from [Nils]’s amazing work: with tricky high-speed analog circuitry like this, the implementation can be more than half of the battle! And we’ll surely be following [Nils]’s blog to see where he takes this.

Banner image: An old version and a new version of the transceiver prototype.

Thanks to [Tim Riemann] for the tip!

Raspberry Pi GSM Hat

The Spark Electron was released a few days ago, giving anyone with the Arduino IDE the ability to send data out over a GSM network. Of course, the Electron is just a GSM module tied to a microcontroller, and you can do the same thing with a Pi, some components, and a bit of wire.

The build is fairly basic – just an Adafruit Fona, a 2000 mah LiPo battery, a charge controller, and a fancy Hackaday Perma-Proto Hat, although a piece of perf board would work just as well in the case of the perma-proto board. Connections were as simple as power, ground, TX and RX. With a few libraries, you can access a Pi over the Internet anywhere that has cell service, or send data from the Pi without a WiFi connection.

If you decide to replicate this project, be aware you have an option of soldering the Fona module right side up or upside down. The former gives you pretty blinking LEDs, while the latter allows you to access the SIM. Tough choices, indeed.