GSM-Forum  
Old 05-21-2002, 16:45   #1 (permalink)
Junior Member
 
Join Date: Feb 2002
Location: Europe
Posts: 10
Member: 9432
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 after approx. 3CC50 requests


Hi,

I was trying to get Ki from an old ('99) Austrian max.mobil SIM with Dejan's sim_scan (F5-F1), and after approximately 3CC50 requests I got sixteen red 00 on the screen.

Does that mean that this card is not clonable?
The SIM is still working after so many requests...
Old 05-21-2002, 20:11   #2 (permalink)
Insane Poster
 
Join Date: Apr 2002
Location: St.Petersburg, Russia
Posts: 72
Member: 11297
This could be due to another version of the COMP128 algorithm being used for GSM authentication (A3A8). SimScan, as well as Cardinal and FKI, use "collision"-based methods for Ki extraction. It seems that your card does not use the compromised COMP128v1 algorithm.

I've got a similar card, which shows all 8 red 00 pairs. It has quite an easy version of the A3A8 algorithm implemented. I can check whether the A3A8 algorithm used in your card is the same as mine.
(Mine permits another easy means of Ki extraction.)

I need some diagnostic outputs from your card.
If you are still interested, could you please test the RUN GSM ALGORITHM function on your card?

First, you need a tool for manual APDU issuing for your reader (Phoenix, MAKI, etc.). You can use this one: http://www.sendme.cz/mfg/software/gsexv201.zip
(GSM SIM Explorer 2.01)

- You need to disable PIN1 (from your phone).
- Configure and run GSM SIM Explorer and choose Manual Command mode.

Then type these APDU commands to your SIM card:

1. Select DFgsm: A0A40000027F20
2. RUN GSM ALGORITHM for RAND=0000...:
A08800001000000000000000000000000000000000
3. Read the response: A0C000000C ==> SRES,Kc (12 bytes, 1st output)
4. RUN GSM ALGORITHM for RAND=FFFF...:
A088000010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
5. Read the response: A0C000000C ==> SRES,Kc (12 bytes, 2nd output)
6. RUN GSM ALGORITHM for RAND=1111...:
A08800001011111111111111111111111111111111
7. Read the response: A0C000000C ==> SRES,Kc (12 bytes, 3rd output)

Post the 3 outputs to my e-mail address [email protected] (or to the Forum).

Thanks in advance
Ivan

Last edited by IvanKrasnyj; 05-22-2002 at 06:24.
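The seven-step exchange above, as an added example that is not part of the original thread. It builds the same three APDUs (SELECT DF GSM, RUN GSM ALGORITHM, GET RESPONSE), handles the 9F xx / 98 04 status words a real card returns, splits the 12-byte answer into SRES and Kc, and applies the one offline check you can make on the result: COMP128v1 derives a 54-bit Kc and zero-fills the last 10 bits of the 64-bit field, so a Kc with non-zero low bits cannot have come from COMP128v1 (the same point Nuken raises later in the thread). The `transmit` callable is an assumption (raw APDU bytes in, `(data, sw1, sw2)` out; with pyscard you would wrap `CardConnection.transmit`, which works on lists of ints). `FakeSim` is a constructed stand-in card so the example runs without a reader; its A3A8 is not COMP128 and not any operator's algorithm.

```python
"""Drive RUN GSM ALGORITHM over APDUs and sanity-check the SRES||Kc result.
Added example; assumes a transmit(apdu: bytes) -> (data, sw1, sw2) callable."""
import hashlib
from typing import Callable, Dict, Tuple

CLA_GSM, INS_SELECT, INS_RUN_GSM_ALGO, INS_GET_RESPONSE = 0xA0, 0xA4, 0x88, 0xC0
DF_GSM = bytes.fromhex("7F20")
Transmit = Callable[[bytes], Tuple[bytes, int, int]]


def select_apdu(file_id: bytes) -> bytes:
    """SELECT by file id (GSM 11.11): A0 A4 00 00 02 <FID>."""
    return bytes([CLA_GSM, INS_SELECT, 0x00, 0x00, len(file_id)]) + file_id


def run_gsm_algorithm_apdu(rand: bytes) -> bytes:
    """RUN GSM ALGORITHM: A0 88 00 00 10 <16-byte RAND>."""
    if len(rand) != 16:
        raise ValueError("RAND must be 16 bytes")
    return bytes([CLA_GSM, INS_RUN_GSM_ALGO, 0x00, 0x00, 0x10]) + rand


def get_response_apdu(length: int) -> bytes:
    """GET RESPONSE: A0 C0 00 00 <Le>; Le is taken from the 9F xx status word."""
    return bytes([CLA_GSM, INS_GET_RESPONSE, 0x00, 0x00, length])


def parse_sres_kc(data: bytes) -> Tuple[bytes, bytes]:
    """The 12-byte answer is SRES (4 bytes) followed by Kc (8 bytes)."""
    if len(data) != 12:
        raise ValueError(f"expected 12 bytes, got {len(data)}")
    return data[:4], data[4:]


def kc_has_comp128v1_padding(kc: bytes) -> bool:
    """COMP128v1 zero-fills the last 10 bits of Kc. Non-zero low bits rule
    COMP128v1 out; zero low bits are consistent with it, not proof of it."""
    return int.from_bytes(kc, "big") & 0x3FF == 0


def run_gsm_algorithm(transmit: Transmit, rand: bytes) -> Tuple[bytes, bytes]:
    """Send RUN GSM ALGORITHM, then fetch the result with GET RESPONSE."""
    _, sw1, sw2 = transmit(run_gsm_algorithm_apdu(rand))
    if (sw1, sw2) == (0x98, 0x04):   # access condition not fulfilled
        raise RuntimeError("CHV1 (PIN1) is still enabled; disable it first")
    if sw1 != 0x9F:
        raise RuntimeError(f"RUN GSM ALGORITHM failed, SW={sw1:02X}{sw2:02X}")
    data, sw1, sw2 = transmit(get_response_apdu(sw2))
    if (sw1, sw2) != (0x90, 0x00):
        raise RuntimeError(f"GET RESPONSE failed, SW={sw1:02X}{sw2:02X}")
    return parse_sres_kc(data)


def probe_card(transmit: Transmit) -> Dict[str, Tuple[str, str, bool]]:
    """Select DF GSM and run the three RANDs from the post.
    Returns RAND hex -> (SRES hex, Kc hex, low 10 bits of Kc are zero)."""
    _, sw1, sw2 = transmit(select_apdu(DF_GSM))
    if sw1 not in (0x9F, 0x90):
        raise RuntimeError(f"SELECT DF GSM failed, SW={sw1:02X}{sw2:02X}")
    results = {}
    for rand in (bytes(16), b"\xff" * 16, b"\x11" * 16):
        sres, kc = run_gsm_algorithm(transmit, rand)
        results[rand.hex()] = (sres.hex(), kc.hex(), kc_has_comp128v1_padding(kc))
    return results


class FakeSim:
    """Constructed stand-in card so the example runs offline. Its A3A8 is NOT
    COMP128 (truncated SHA-256 of Ki||RAND) but it zero-fills the last 10 bits
    of Kc the way COMP128v1 does, so the padding check above returns True."""
    def __init__(self, ki: bytes):
        self.ki, self.pending = ki, b""

    def transmit(self, apdu: bytes) -> Tuple[bytes, int, int]:
        ins, p3, data = apdu[1], apdu[4], apdu[5:]
        if ins == INS_SELECT:
            self.pending = bytes(22)          # DF select data; contents irrelevant here
            return b"", 0x9F, len(self.pending)
        if ins == INS_RUN_GSM_ALGO:
            out = hashlib.sha256(self.ki + data).digest()[:12]
            kc = int.from_bytes(out[4:], "big") & ~0x3FF
            self.pending = out[:4] + kc.to_bytes(8, "big")
            return b"", 0x9F, 0x0C
        if ins == INS_GET_RESPONSE:
            out, self.pending = self.pending[:p3], b""
            return out, 0x90, 0x00
        return b"", 0x6D, 0x00                 # INS not supported


if __name__ == "__main__":
    for rand, (sres, kc, ok) in probe_card(FakeSim(bytes(range(16))).transmit).items():
        print(f"RAND={rand}  SRES={sres}  Kc={kc}  low10bits_zero={ok}")
```

Against a real card, replace `FakeSim(...).transmit` with your reader's transmit wrapper; a 98 04 on step 2 means PIN1 was not actually disabled, and a Kc whose low 10 bits are set means the card's A3A8 is not COMP128v1, which is exactly the situation SimScan's collision search cannot handle.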
Old 05-22-2002, 05:17   #3 (permalink)
Junior Member
 
Join Date: Feb 2002
Location: LT
Posts: 4
Member: 9741
To IvanKrasnyj

Hi,
What is the other easy means of Ki extraction?

Thanks
Old 05-22-2002, 20:26   #4 (permalink)
Junior Member
 
Join Date: Feb 2002
Location: Europe
Posts: 10
Member: 9432
Is this gsexv tool working with Dejan's reader?
I was trying various command-line settings, but none of them work.
Old 05-22-2002, 23:05   #5 (permalink)
Insane Poster
 
Join Date: Apr 2002
Location: St.Petersburg, Russia
Posts: 72
Member: 11297
I've tested Dejan's reader with SIM Explorer. The reader is powered from the COM-port signal lines. It didn't light up the LED. This means that SIM Explorer does not provide the required voltage on the COM-port lines (I don't know exactly which ones).
The author has tested SIM Explorer only with MAKI. You can look for another APDU tool or another reader.

As for my case, I've got a developer's Atmel AT90SC3232 card and flashed the card OS from the Windows Powered SmartCard (WPSC) Toolkit (preconfigured for GSM applications). I've also written the IMSI and Ki extracted from my original SIM to the card. I've tested the RUN GSM ALGORITHM function and found that WPSC's RUN GSM ALGORITHM reply (SRES, Kc) differs from my original SIM's reply for the same Ki and RAND.

I've decided that it was not COMP128v1 implemented in the WPSC Toolkit. First I thought that it was COMP128v2... but a few APDU tests showed that it was not... just a fake.

A simple APDU request A088000010 00000000000000000000000000000000 returns the first 12 bytes of Ki as the (SRES, Kc) response. The remaining 4 bytes of Ki do not affect anything. Playing with the RAND in the request, I've found that the algorithm performs just per-byte operations. I doubt that any GSM operator will venture to use this algorithm for authentication. As for SimScan, of course it failed to discover any figure for Ki because of the different algorithm being used.

Now I'm going to dock COMP128v1 to WPSC as a run-time application.

Last edited by IvanKrasnyj; 05-22-2002 at 23:17.
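The kind of probing described in the post above ("playing with the RAND" to find that the algorithm works byte by byte, and seeing Ki[0:12] come back for RAND=0), as an added example that is not from the original thread. It inverts one RAND byte at a time and records which of the 12 output bytes (SRES||Kc) change. A real mixing function such as COMP128 perturbs (nearly) every output byte on any input change; a per-byte algorithm changes at most the output byte at the same position and ignores RAND bytes 12..15 entirely. The `run_algo` callable is an assumption (16-byte RAND in, 12-byte SRES||Kc out; in practice it wraps the RUN GSM ALGORITHM / GET RESPONSE exchange). Both simulated algorithms are constructed for the demonstration; neither is the WPSC toolkit's algorithm nor any operator's.

```python
"""Differential probe: does an A3A8 mix its input, or work byte-by-byte?
Added example; the two toy algorithms are constructed, not real implementations."""
import hashlib
from typing import Callable, List

A3A8 = Callable[[bytes], bytes]   # RAND (16 bytes) -> SRES||Kc (12 bytes)


def dependency_map(run_algo: A3A8, base: bytes = bytes(16)) -> List[List[int]]:
    """deps[i] = indices of output bytes that change when RAND byte i is inverted."""
    ref = run_algo(base)
    deps = []
    for i in range(16):
        rand = bytearray(base)
        rand[i] ^= 0xFF
        out = run_algo(bytes(rand))
        deps.append([j for j in range(12) if out[j] != ref[j]])
    return deps


def looks_bytewise(deps: List[List[int]]) -> bool:
    """Per-byte algorithm: inverting RAND[i] touches nothing but output[i],
    and RAND bytes 12..15 touch nothing at all."""
    return all(set(d) <= {i} for i, d in enumerate(deps))


def leaks_ki_on_zero_rand(run_algo: A3A8, ki: bytes) -> bool:
    """Only meaningful on a card you programmed yourself, so Ki is known."""
    return run_algo(bytes(16)) == ki[:12]


def toy_bytewise(ki: bytes) -> A3A8:
    """Constructed per-byte algorithm: out[j] = Ki[j] XOR RAND[j]. With RAND=0
    it hands back Ki[0:12]; Ki[12:16] never influence the output."""
    return lambda rand: bytes(ki[j] ^ rand[j] for j in range(12))


def toy_mixing(ki: bytes) -> A3A8:
    """Constructed stand-in for a proper mixing A3A8 (not COMP128): truncated SHA-256."""
    return lambda rand: hashlib.sha256(ki + rand).digest()[:12]


def report(deps: List[List[int]]) -> str:
    return "\n".join(f"RAND[{i:2d}] inverted -> output bytes changed: {d}"
                     for i, d in enumerate(deps))


if __name__ == "__main__":
    ki = bytes(range(1, 17))   # constructed Ki for the demo
    for name, algo in (("bytewise", toy_bytewise(ki)), ("mixing", toy_mixing(ki))):
        deps = dependency_map(algo)
        print(f"{name}: bytewise={looks_bytewise(deps)} "
              f"leaks_ki_on_zero_rand={leaks_ki_on_zero_rand(algo, ki)}")
        print(report(deps))
```

Sixteen extra RUN GSM ALGORITHM calls is all the probe costs, so it is cheap to run before committing to a long collision search; a diagonal dependency map means SimScan-style attacks are the wrong tool and the algorithm is far weaker than COMP128v1 anyway.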
Old 05-25-2006, 12:13   #6 (permalink)
Junior Member
 
Join Date: May 2006
Posts: 37
Member: 274583
Hello sir,
I am sending APDUs using WinExplorer to my SIM card:
apdu:> A0 A4 00 00 02 7F 10
but it is not responding well.
But if I send
APDU:> A0 A4 00 00 02 R06 7F 10 R04
then it is responding well.
Sir, could you please specify why?
Achin Jain

[email protected]
Old 05-26-2006, 08:25   #7 (permalink)
Major Poster
 
Join Date: Feb 2004
Age: 43
Posts: 44
Member: 51941
To Ivan: if the last 10 bits of SRES+Kc are not 0000..0, it means you do not have COMP128v1.
Old 05-26-2006, 11:14   #8 (permalink)
Freak Poster
 
Join Date: Mar 2002
Location: Getting it to work is easy... making it do the things you want is another thing.
Age: 22
Posts: 404
Member: 9824
Quote:
Originally Posted by Nuken
To Ivan: if the last 10 bits of SRES+Kc are not 0000..0, it means you do not have COMP128v1.
Ivan asked this question 4 years ago. I think he knows the answer by now.