Extract Kc from Phone?


Extract Kc from Phone?

MATTHEW EVANS
Hi all,

Does anyone have any suggestions with regard to models of phone in which it is
easy to view the current Kc? I have a Motorola C115, Nokia 3310/6630, Android
Desire, iPhone etc. I can get everything from the built-in field test
modes, however I really want to get the current session key so that I can
verify/analyse my captured bursts.

Thanks,

Matt.


RE: Extract Kc from Phone?

Sebastian ---
I use a smartcard reader for this.

I recommend http://nobbi.com/download/SIMspyII.zip for PC/SC readers (Towitoko) or http://www.endorasoft.es/download/xsim.zip for smartmouse / phoenix based readers.
You should find a PC/SC reader at most computer shops.

Remove the battery from your phone, and read Kc from the SIM card (don't switch off the phone, or Kc will be deleted from the SIM).

> Date: Wed, 16 Feb 2011 21:19:44 +0000
> From: [hidden email]
> Subject: Extract Kc from Phone?
> To: [hidden email]
>
> Hi all,
>
> Does anyone have any suggestions with regard to models of phone in which it is
> easy to view the current Kc? I have a Motorola C115, Nokia 3310/6630, Android
> Desire, iPhone etc. I can get everything from the built-in field test
> modes, however I really want to get the current session key so that I can
> verify/analyse my captured bursts.
>
> Thanks,
>
> Matt.
>

Re: Extract Kc from Phone?

Dario Lombardo

On Wed, Feb 16, 2011 at 11:29 PM, Sebastian --- <[hidden email]> wrote:

I recommend http://nobbi.com/download/SIMspyII.zip for PC/SC readers (Towitoko) or http://www.endorasoft.es/download/xsim.zip for smartmouse / phoenix based readers.

How do they do that? As far as I know Kc shouldn't be extractable (except from very old cards). It would be better to have open source sw that allows us to understand...

Another way is to use the "mobile" app from sylvain/testing. It associates with the network and makes calls. If I am not wrong it shows you the Kc, so it would be useful for the original poster.

Ciao.
Dario.

Re: Extract Kc from Phone?

dexter-2
Hi folks.
>
> How do they do that? As far as I know Kc shouldn't be extracted (except from
> very old cards). I would be better to know to have an open source sw that
> allow us to understand...
>  
The Kc is only the session key. The Ki is the key that you cannot extract.

I had a similar problem some time ago. I wanted to get the current Kc in
realtime. My solution was to sniff the Kc from the data stream between
SIM and phone. The Kc occurs in two ways: 1. when RUN GSM ALGORITHM is
executed, and 2. when the phone stores the Kc back on the SIM card.

You can download the sourcecode, layouts for my approach at:
http://www.runningserver.com/software/chipcardlab.tar

The hardest task is to sniff the data, because the baudrate of the
communication is not a standard baudrate. You can also try to get
SIMtrace (http://bb.osmocom.org/trac/wiki/SIMtrace) running. I have not
tested it yet, but I think it can achieve the same.

You could also find a phone where you can read the Kc by sending APDUs
through AT-Commands. Some Blackberrys have a netmonitor mode that can
display the Kc.

regards.
Philipp




Re: Extract Kc from Phone?

mad
In reply to this post by MATTHEW EVANS
On Wed, 16 Feb 2011 21:19:44 +0000 (GMT), MATTHEW EVANS wrote:

> Does anyone have any suggestions with regard to models of phone in which it is
> easy to view the current Kc? I have a Motorola C115, Nokia 3310/6630, Android
> Desire, iPhone etc. I can get everything from the built-in field test
> modes, however I really want to get the current session key so that I can
> verify/analyse my captured bursts.
>

If you have a phone with access to the AT command interface via cable or
bluetooth, you can use the +CRSM command to read the Kc file from the SIM
while the phone is operating.

Try at+crsm=? to check if your phone supports this command; if it returns an
error, it doesn't.

at+crsm=176,28448,0,0,8

reads the Kc file from the SIM and returns a 9 octet hex string, of which the
first 8 are the actual Kc.

I'm not sure which of your phones supports this; C115 and 3310 surely don't,
iPhone maybe depending on version, not sure, just test your phone zoo.
BTW, most old Siemens phones support this.

Regards,
  Mad
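As an added example (not code from the thread or from any of the tools it names), the following Python decodes the two places the thread says the Kc shows up: the EF_Kc file read with the AT+CRSM command above (file id 0x6F20 = 28448, READ BINARY = 176, with the 9-octet layout mad describes: 8 bytes of Kc followed by one byte of cipher key sequence number, per 3GPP TS 51.011) and the 12-byte RUN GSM ALGORITHM response Philipp mentions sniffing (SRES, 4 bytes, followed by Kc, 8 bytes). The +CRSM response lines are constructed sample data, not captured from a real SIM; the status-word check (144,0 = 0x9000 success) and the CKSN value 7 meaning "no key available" come from the GSM specifications, not from the thread.

```python
import re

# Values taken from the thread's AT command: 176 = READ BINARY, 28448 = 0x6F20 (EF_Kc).
CRSM_READ_BINARY = 176
EF_KC = 0x6F20            # == 28448 decimal
CKSN_NO_KEY = 7           # 3GPP TS 24.008: CKSN 7 means no ciphering key is available

# Accepts both '+CRSM: 144,0,"<hex>"' and '+CRSM: 144,0,<hex>' (modems differ on quoting).
_CRSM_RE = re.compile(r'^\+CRSM:\s*(\d+),(\d+)(?:,"?([0-9A-Fa-f]*)"?)?\s*$')


def build_crsm_read_kc(length: int = 9) -> str:
    """Build the AT+CRSM READ BINARY command for EF_Kc.

    The thread's command asks for 8 bytes; TS 51.011 defines the file as 9 bytes,
    so the default here requests the whole file including the CKSN byte.
    """
    return f"AT+CRSM={CRSM_READ_BINARY},{EF_KC},0,0,{length}"


def decode_ef_kc(data: bytes) -> dict:
    """Split raw EF_Kc content into Kc (8 bytes) and the cipher key sequence number.

    An 8-byte read (as in the thread's command) yields the Kc only; with 9 bytes the
    low three bits of the last byte are the CKSN, and 7 flags 'no key available'.
    """
    if len(data) not in (8, 9):
        raise ValueError(f"EF_Kc should be 8 or 9 bytes, got {len(data)}")
    kc = data[:8]
    cksn = (data[8] & 0x07) if len(data) == 9 else None
    return {
        "kc": kc.hex(),
        "cksn": cksn,
        "key_available": None if cksn is None else cksn != CKSN_NO_KEY,
    }


def parse_crsm_response(line: str) -> dict:
    """Parse one '+CRSM: <sw1>,<sw2>[,<response>]' line and decode it as EF_Kc."""
    m = _CRSM_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a +CRSM response: {line!r}")
    sw1, sw2 = int(m.group(1)), int(m.group(2))
    if (sw1, sw2) != (0x90, 0x00):
        # e.g. 0x9404 is 'file ID not found' in TS 51.011; any non-9000 status is an error here
        raise ValueError(f"SIM returned status 0x{sw1:02X}{sw2:02X}")
    return decode_ef_kc(bytes.fromhex(m.group(3) or ""))


def decode_run_gsm_algorithm_response(data: bytes) -> dict:
    """Decode the 12-byte GET RESPONSE data after RUN GSM ALGORITHM: SRES || Kc."""
    if len(data) != 12:
        raise ValueError(f"RUN GSM ALGORITHM response should be 12 bytes, got {len(data)}")
    return {"sres": data[:4].hex(), "kc": data[4:].hex()}


if __name__ == "__main__":
    # Constructed sample responses, not real SIM output.
    print(build_crsm_read_kc())
    print(parse_crsm_response('+CRSM: 144,0,"0123456789ABCDEF00"'))
    print(parse_crsm_response('+CRSM: 144,0,"FFFFFFFFFFFFFFFF07"'))   # CKSN 7: no key
    print(decode_run_gsm_algorithm_response(bytes.fromhex("A1B2C3D40123456789ABCDEF")))
```

Comparing the `kc` field from two reads taken before and after a power cycle is the check Matt performs later in the thread by hand; the `key_available` flag covers the case where the SIM has simply never been given a key yet, which otherwise looks like a key of all 0xFF bytes.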



Re: Extract Kc from Phone?

mad
In reply to this post by MATTHEW EVANS

Forgot to mention a second method to extract Kc from a running phone, using
Nokias with netmonitor display 52. Again, only some phones have this specific
display in their netmon; the 3310s I've seen don't.
SIM card phonebook entry no 34 has to contain the hex file number (6F20), and
after running display 52, phonebook entry 35 should contain the file content.
Better check the usual netmon docs for further instructions.


 Regards,
   Mad



Re: Extract Kc from Phone?

ste7an
For those having a Blackberry (I tried it on a Blackberry Torch and it really works :) the following link http://www.zibri.org/2009/08/hidden-things-are-usually-best.html enables Engineering mode. Follow the instructions and instead of the Help screen the engineering screen is displayed. Under Utilities there is a SIM monitor allowing you to display SIM_Kc or USIM_Kc depending on the type of SIM you use. There is an impressive set of tools and different monitor functions ranging from neighbour cells and System Information messages to Wifi and security related settings.

Regards,
Stefan

Re: Extract Kc from Phone?

MATTHEW EVANS
In reply to this post by mad
Thanks for the advice all. I purchased a cheap sim reader and used xsim to
retrieve the Kc. Funny thing is the 3310 doesn't seem to delete the Kc file if I
power down normally. Even funnier is the fact that the Kc doesn't change even
after power cycle! I guess the Kc change policy must be specific to the
operator. It will be interesting to see how often it gets changed! Probably not
that often :).

Matt.


Re: Extract Kc from Phone?

Harald Welte-3
On 02/22/2011 07:26 AM, MATTHEW EVANS wrote:
> Thanks for the advice all. I purchased a cheap sim reader and used xsim to
> retrieve the Kc. Funny thing is the 3310 doesn't seem to delete the Kc file if I
> power down normally. Even funnier is the fact that the Kc doesn't change even
> after power cycle!

Of course, this is how GSM is specified. No surprise here.

> I guess the Kc change policy must be specific to the
> operator.
Of course, it is pure operator policy.

Regards,
Harald