Trew & Co
GSM Mobile Phone & SIM Card forensic examination & expert evidence
SPECIAL ISSUE: B/2002
CLONING SIM CARDS
• Overview of cloning
• Sources for SIM
• Cloning tools availability
• A review of cloning technique
Trew & Co/Trew MTE

Trew MTE Special INDEX No: B/2002

Welcome to this Special Issue edition of Trew MTE relating to Cloning of SIM. Trew MTE is an electronic publication for those involved with mobile telephone examination or who have an interest in the evidence obtained following data acquisition. This edition of Trew MTE is published only for the purpose of research and it is not intended that readers enter into cloning SIMs. Readers should have regard to national laws, and Trew & Co, its editor and Trew MTE do not accept, expressly or impliedly, responsibility in relation to how readers use the information contained herein. The information in this issue was discovered on the Internet (in the public domain) and where possible the source of such discovery is identified. This issue does not recommend installing programmes that have been identified during the research, nor is it possible to indicate how such programmes might affect your computer. It is up to the reader to research further in order to comprehend each issue. Views expressed in articles by the authors are not necessarily those of the editor or Trew & Co. If you have something to say or you would care to write an article for MTE please send an electronic copy along with any photos (JPG, GIF etc) to Greg Smith, email address: <trewCO@compuserve.com>. Hope you find the research of interest.

Greg Smith, editor of Trew MTE
Principal consulting forensic engineer, Trew & Co
Chief Training Officer, Trew MTE

OVERVIEW OF CLONING

A Perspective Report by Greg Smith, Special Issue A/2002, looked at cloning of GSM digital mobile telephones and the multi-million pounds market that has been created in its wake. SIM (Subscriber Identity Module) cloning is the latest phenomenon and potentially, in financial terms, may go well beyond the multi-million pounds mobile telephone cloning industry. It is relevant though to briefly review the issue of cloning in context with GSM SIMs, which is included in the discussion in this report.

So what is SIM cloning? The abstract conceptualisation of cloning comprehended by most people is that of "duplication" of original information, and so it may appear patronising and rather trite for this article to start extrapolating a semantic view of the word 'cloning'. In order to protect the identity the SIM needs to keep its secret authentication key (Ki) secure. See diagram below.

Cloning of GSM digital mobile telephones was thought of as a phenomenon at its inception, but now is so common that it hardly seems newsworthy any more. In April 1998 the Smartcard Developers Association (SDA) and two U.C. Berkeley researchers jointly announced, following examination of GSM security for SIM, the discovery of a fatal cryptographic flaw in COMP128, the algorithm used to protect the identity inside the SIM. SDA developed a system to exploit the flaw by repeatedly asking (150,000 RAND challenges) the SIM to identify itself. By processing the responses from arguments presented to it (A8 algorithm), after a day's examination, they were able to extract the secret from inside the SIM. The release of the security flaw discovery into the public domain generated reports in the various media, all around the world. Industry responded to allay fears and reassure users with respect to GSM's authentication security. The SDA candidly suggested that no practical over-the-air (OTA) attack was yet known, but such an attack could not be ruled out in the future. The reality of their findings though is that once in possession of a SIM, cloning could be possible.

One proposition mooted was that the time and expense it would take to clone just one SIM made it unlikely to see a spawning of cloning factories. This flawed thinking though was an under-estimation of the hacking community, which rose to the challenge. Since 2000 there has been increasing discussion in the hacking web newsgroups and bulletin boards about SIM readers and writers. Moreover, some websites now publish dummies guides to SIM cloning. We are now seeing in 2002 a host of websites selling SIM cloning hardware and software.
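The challenge-response exchange described above, as an added illustration that is not part of the original report: the network-side authentication centre sends a RAND, the card answers with an SRES derived from Ki, and a second card holding the same Ki is indistinguishable to the network, which is why extraction of Ki amounts to a clone. The keyed function used here is an HMAC stand-in for A3/A8 (it is not COMP128), the IMSI and Ki values are constructed, and the optional challenge budget is an assumed mitigation, added to show how a card can cap the number of answers it will give a reader; the report itself does not describe that counter.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional, Tuple


# Stand-in for the SIM's A3/A8 function. Real SIMs of the period used
# COMP128; HMAC-SHA256 is used here (an assumption for illustration) so that
# the protocol shape (RAND in, SRES and Kc out) can be shown without
# reproducing the flawed algorithm.
def a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:4]     # 32-bit signed response sent back to the network
    kc = digest[4:12]     # 64-bit session key that stays on the handset
    return sres, kc


class Sim:
    """A card holding Ki; answers RUN GSM ALGORITHM style challenges."""

    def __init__(self, imsi: str, ki: bytes, challenge_budget: Optional[int] = None):
        self.imsi = imsi
        self._ki = ki                               # never leaves the card
        self.challenge_budget = challenge_budget    # None = unlimited (assumed)
        self.challenges_answered = 0

    def authenticate(self, rand: bytes) -> Optional[Tuple[bytes, bytes]]:
        # Assumed mitigation: a card that caps how many challenges it answers
        # cannot be asked 150,000 questions by a reader.
        if self.challenge_budget is not None and self.challenges_answered >= self.challenge_budget:
            return None
        self.challenges_answered += 1
        return a3a8(self._ki, rand)


class AuthCentre:
    """Network side: holds each subscriber's Ki and verifies SRES."""

    def __init__(self, subscribers: Dict[str, bytes]):
        self._subscribers = subscribers

    def challenge(self, sim: Sim) -> bool:
        rand = secrets.token_bytes(16)              # fresh 128-bit RAND per attempt
        ki = self._subscribers.get(sim.imsi)
        if ki is None:
            return False                            # unknown IMSI
        expected_sres, _ = a3a8(ki, rand)
        answer = sim.authenticate(rand)
        if answer is None:
            return False                            # card refused to answer
        sres, _ = answer
        return hmac.compare_digest(sres, expected_sres)


def answered_challenges(sim: Sim, attempts: int) -> int:
    """How many of `attempts` reader-issued challenges the card answers.
    Shows the effect of the budget; no key material is recovered."""
    answered = 0
    for _ in range(attempts):
        if sim.authenticate(secrets.token_bytes(16)) is not None:
            answered += 1
    return answered


# Constructed sample values (not from any real subscriber).
SAMPLE_IMSI = "234150000000001"
SAMPLE_KI = bytes(range(16))

if __name__ == "__main__":
    network = AuthCentre({SAMPLE_IMSI: SAMPLE_KI})
    original = Sim(SAMPLE_IMSI, SAMPLE_KI)
    second_card_same_ki = Sim(SAMPLE_IMSI, SAMPLE_KI)
    print("original accepted:", network.challenge(original))
    print("second card with same Ki accepted:", network.challenge(second_card_same_ki))
    capped = Sim(SAMPLE_IMSI, SAMPLE_KI, challenge_budget=1000)
    print("capped card answered", answered_challenges(capped, 1500), "of 1500")
```

The network never sees Ki, only SRES; that is the whole of the protection, so anything that reveals Ki to the holder of the card defeats it regardless of how strong the over-the-air side is. The budget shows one shape of defence a card can carry on its own, independent of the algorithm it runs.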
SOURCES OF SIM

Cloning SIM Cards, Greg Smith, Consulting Forensic Engineer

"Road sweepers were picking up, so the gossip went, sometimes 100 discarded mobiles and SIMs a week."

A necessary commodity for those involved with SIM cloning is the obtaining of SIM cards for practise and to produce workable cloned SIMs. Internet searches produced some interesting results for Goldwafer and Silverwafer Cards produced by Far East sources, such as Taiwan and China, and European sources, that suggested Spain and Germany. The cost of Gold Wafer Cards offered was @ US$5 and Silver Wafer cards @ US$15. As an observation, it was not clear how the distributors themselves obtained the SIMs, whether purchased directly from manufacturers, through distribution chains or from cleansing and refurbishment of old SIMs.

Whatever the source for collecting original SIMs, there is still the requirement of obtaining SIMs needed for programming (cloning). When researching for sources that sold SIMs, there appear many places original SIMs can be obtained. Places such as dustbins where old mobiles and SIMs have been thrown away. It is recalled that sometime back Kings Cross was an area where discarded mobiles could be found in alleys and other areas frequented by passers-through. Road sweepers were picking up, so the gossip went, sometimes 100 discarded mobiles and SIMs a week. Also "Lost and Found" (Railways and Taxi firms) is another source. Theft of mobile/SIM is yet another. Recycling for environmental and manufacturing purposes appears another area where vast quantities of mobiles/SIMs may be obtained. Many stores and organisations operate mobile phone recycling collection facilities, apparently as £35.00 per handset can be reclaimed. It is not clear whether all mobiles/SIMs that are collected are actually returned to manufacturers or recycling plants.

It is the fact of availability of programming tools and Cards that is precisely the issue being addressed at the beginning of this article: that SIM cloning could well extend financially as an industry well beyond the industry created for cloning mobile telephones.

CLONING TOOLS AVAILABILITY

Discovery of websites on the Internet selling SIM cloning tools was in fact quite a surprisingly easy research task to perform. The websites ranged from auction (bidding) sites to distributors' and manufacturers' sites. The cost of the cloning tools ranged from 35 Euros to 57 Euros. A fascinating part during research on SIM cloning was noting the packaging and point-of-sale presentation of the tools. Text and images reproduced are as recorded from some web sites.

Source web site URL: http://ucables.com/ref/SIM-MASTER
Features:
• Compatible with all GSM Cellular phones
• Edit your phone book in your PC
• Edit SMS short messages in your PC
• Read IMSI and Ki codes of GSM simcards, very useful to use with our new SIMCARD8 to make simcard backups
• Edit and Change the personal ringtone for motorola cellular phone (Send as SMS function support needed, ex. V8088, V7689)
• GSM SIM PIN code management
• Connect to Serial port (RS-232), no need external power
• Built-in hundreds of Midi ringtone for Ring Tone editing
• Copy and Backup phone book and SMS messages between your SIM cards
• Convenience sorting functions
• Read IMSI and Ki codes from SIM Card with SIM-BACKUP or SIMscan 1.21

The SIM-MASTER referred to above gave the illustration and feature description suggesting that there was a high demand for such a product and that point-of-sale presentation was as a result of mass production. If this product were not mass-produced it would appear an expensive way of selling these tools to a low-demand market. Interestingly the functional capability of the tools was a surprising factor also. For example, the blurb by one supplier stated:

"SIMCARD8 is a preprogrammed simcard that allow to store or make a backup of 8 different mobile phone sim cards in only 1 simcard. You will need to know IMSI and Ki codes of every simcard that you want to make backup. IMSI and Ki codes are the codes that identify a simcard at your network provider, this codes are encrypted at your original simcard, to find out your will need our SIM-MASTER card reader/writer. Be sure that your phone is unlocked, to be sure that SIMCARD8 will be accepted at your mobile phone." [http://ucables.com/ref/SIMCARD8]

Features:
• Support for 8 different provider names on the same card
• PIN security management like original SIM cards (3 PIN attempts + 10 PUK attempts)
• Storage capacity between 125 and 250 phonebook entries (0 to 125 in EEPROM and 125 on FLASH)
• SMS storage capacity configurable from 20 to 40 SMS
• Individual SMS centre number for each of the 8 phone numbers
• Storage of 10 last dialled numbers (Used only on some mobile brands)
• Support for NOKIA, MOTOROLA, SIEMENS, ERICSSON, ALCATEL, PHILIPS, PANASONIC, NEC, MAXON, MITSUBISHI, SAMSUNG mobile phones
• Change mobile phone number without turning off mobile phone (this option is not compatible with all mobile phones)
• Selection of the ratio of SMS/Phonebook entries in the mobile itself
• SIMEMU management through mobile menus

A REVIEW OF CLONING TECHNIQUE

The possibility that SIM cloning could be achieved by use of just two pieces of tooling (as above) is perhaps not the case. This is sharply brought into perspective when researching the issue of how one website believes cloning could be applied in practise. The website discovered illustrated that in fact six tools were required. The site was offering for sale SIM readers and writers but equally offered schematics from which a cloner could build each device. It could be some websites exaggerated the capability of equipment available from them. Most hackers or cloners want to do the job at minimal cost to them by getting everyone else to pay for it, and the author of the SIM cloning guide encouraged would-be cloners to use free software and provided the means to get the software from the site, suggesting a ring of truth about the claims made at the site. [The length of time quoted to extract Ki ranged from 10 minutes to 4-8 hours; a common statement was 8 hours. It could even take days.]

The following is a website's 10 easy steps practical guide to cloning SIMs. The comments in brackets [" "] are those of the author, indicating websites where the tools or components can be found or simply making an observation.

GSM SIM Cloning for Dummies

This guide will help you "clone" your GSM SIM card and make unlimited copies of it by using either Gold Wafer Cards or 16F84a + 24C16 DIL. [Have a look at website http://www.wafer-cards.com or http://www.anytimenow.com] The "cloned" SIM card will work just like the original, meaning you can make a call, send an SMS, manage phonebook and SMS messages too. You can use the "cloned" SIM and the original SIM simultaneously, meaning both of your SIMs will have network and both can send SMS at the same time. However, only one of the active SIMs can make a phone call at any time. Simultaneous calls are not allowed because the call will immediately be disconnected by your Network Provider. Regarding receiving SMS from other people, only one of the SIMs will receive the message. This is a "first-come-first-serve" basis and no bias is given to the original SIM. Obviously, the bills for the "cloned" SIM will also be reflected in the bills of the original SIM. Not all original SIMs can be "cloned" because "cloning" requires that you should extract the Ki and IMSI from the original SIM and today the new GSM SIM cards are built with tougher protection algorithms. You may be able to get the Ki and the IMSI, but it will take you at least 8 hours for the latest SIMs. Not all phones accept "cloned" SIMs. The Nokia 9210 rejects cloned SIMs as well as most new 3G phones (and even some old ones). [See http://nokiafree.org and search for Nokia Flask Reverse Engineering > Hardware > SIM Cloning > Cloning]

10 easy steps to 'clone' your GSM SIM! Let us begin. (This is only applicable to Goldwafer Cards, not to Silverwafer Cards)

STEP 1 - Buying or making your own blank SIM cards
Make your own 16F84A + 24C16 DIL - Schematics [http://www.anytimenow.com]
/\/\/\/\ Don't have time to build this? Buy Goldwafer cards here... /\/\/\/\ [http://www.anytimenow.com]

STEP 2 - Building your own GSM SIM Reader/Writer Hardware
SIM Reader = SIM SCAN - Smart Mouse Compatible - Schematics [http://www.anytimenow.com]
SIM Writer = JDM Programmer - Schematics [http://www.anytimenow.com]
/\/\/\/\ Don't have time to build this? Buy ready-made here... /\/\/\/\ [http://users.<illegible>.com/sid67b/GSMSIM3.htm]

STEP 3 - Download software from the Internet:
SIM Scan 1.21 by Dejan Kaljevic [http://www.anytimenow.com]
TwinSim 1.0 by lotfi17 [http://www.anytimenow.com]
HEX to BIN Converter [http://www.anytimenow.com]
IC-Prog 1.06 by Paul Arnold and Joos [http://www.ic-prog.com]
WinPhoenix 1.04 by Bonny Gijzen [http://www.anytimenow.com]
WinPhoenix EEPROM Loader [http://www.anytimenow.com]

STEP 4 - Getting the Ki and IMSI of the original SIM
Install Sim Scan 1.21 by running the install.bat file. Run and configure Sim Scan from the c:\sim_scan\setup.bat file, then select the COM port where SIM Reader is connected. SIM Scan will not work properly unless it is maximised to full screen.
Screen 1: Press Alt+Enter Key.
Screen 2: Select baud rate (choose 9600 bps 3.57 Mhz). [The baud rate should be considered in relation to the SIM functionality and the device reading the SIM. For example, at [http://users.<illegible>.com/sid67b/GSMSIM3.htm] it offers for sale the device called U-GSR Advanced ver 1.6 and states: "U-GSR Advanced ver 1.6 is for advanced users who want faster and better performance in cloning GSM SIMs. The Dual Resonator option lets you switch from 3.57Mhz or 6.00Mhz easily. Using the 6.00Mhz option, you will lessen the time it will take you to get the Ki and the IMSI by 50%!"]
Screen 3: Put original SIM card to SIM Reader and press Enter. Sim Scan will automatically create the par2.bin file as part of installation. This will take about 40 minutes on a fast computer. [Interestingly, the implied situation here is that obtaining IMSI and Ki takes 40 minutes, although such a time-duration conflicts with the 4hrs-8hrs or couple of days. It could be more likely that the reference here to 40 minutes refers to the installation of the program.]
Screen 4: Press 'F5' - Get IMSI and Ki.
Screen 5: Select 'F2' or 'F3' (Do not use 'F1' unless you know what you are doing.) 'F3' retrieves 75% of SIMs, even year 2001 GSM SIMs, but it is slow. 'F2' retrieves 50% of SIMs, even year 2001 GSM SIMs, and it is faster. /\/\/\/\ If the Ki and IMSI cannot be retrieved using 'F2', you can switch to 'F3' /\/\/\/\
The process of getting the Ki and the IMSI from the original SIM usually takes from 4 hours to 3 days depending on the type of GSM SIM. You can exit at any time and you can resume whenever you want. Sim Scan will start from where you last finished. After the Ki and the IMSI have been retrieved, a file named c:\Imsi_ki.dat will be created and by using Notepad to open it you will see something similar to the screen below.

Step 5 - Creating the HEX files for the "clone" SIM
Run TwinSim 1.0 and select 'Single-Sim', then input the Ki and the IMSI that you got from the original SIM. For 'PIN' enter any 4 digits and for 'PUC' enter any 8 digits. After inputting all data needed, click 'Generate Picfile' and 'Generate Epromfile', then exit the program. Two HEX files will be generated in the folder where TwinSim is located (pic16f84.hex + eprom.hex).

Step 6 - Converting the eeprom.hex to eeprom.bin
The eeprom.hex and hex2bin.exe files must be placed in the same directory. Run hex2bin.exe and copy the settings from the screen below. Now a new file 'eeprom.bin' will be created.

Step 7 - Burning the EEPROM Loader to the Goldwafer
Run IC-Prog 1.04 and configure it to work with the SIM Writer, which is JDM hardware. Choose 'Settings' --> 'Hardware', then choose the correct COM port where SIM Writer is connected. After setting up the hardware, put the blank Goldcard in the SIM Writer and select 16F84A from the chip list. Now load the 'Winphoenix Loader.hex' by selecting 'File' --> 'Open File'. After loading the file, click the program all button (the one with the thunder icon).

Step 8 - Burning the eeprom.bin to the Goldcard
Put the Goldcard which you used from IC-Prog in the SIM Reader and then run WinPhoenix 1.06. Other versions of WinPhoenix might not work, so make sure that you are using version 1.06. Configure the COM port where the SIM reader is connected. This can be done using 'File' --> 'Preferences' and selecting the 'General' tab. Select 'File' --> 'Load' and choose eeprom.bin. Select 'Card' --> 'Program' and the eeprom.bin will be written to the Goldwafer's 24C16.

Step 9 - Burning the pic16f84.hex to the Goldwafer
Put the Goldwafer in the SIM writer hardware and run IC-Prog 1.04 again. Follow the same steps as described in Step 7, but this time load the pic16f84.hex file instead. You can program this card with 'CP' enabled or disabled, it does not matter.

Step 10 - Testing the 'cloned' SIM in your phone
Insert the 'cloned' SIM in your phone and enter the PIN code which you wrote earlier using the TwinSim 1.0 program. Wait for the phone to register to the Network and now you are done :) [The author of Cloning for Dummies (c) X-Shadow 2001 GSM Technology.]

OBSERVATIONS

The discussion above represents a small proportion of information discovered by way of searching the Internet, and does not represent all testing carried out by the author of this Special Issue report. The aim has been to highlight the growth in promotion of tools claiming that SIM cloning is possible and how it is done. Cloning for Dummies and the tools which have been identified above are accessible and available from the Internet. If the assertions made by the claims are correct then forensic examiners need to be aware of this, and it is hoped this special issue helps to some degree.

The impact of this issue in relation to data acquisition from SIM cards might initially create concern as to what constitutes an original SIM and what constitutes a clone SIM. The clues are there if time is given to considering what they are. The Cloning for Dummies guide gave a clue that two identical SIMs could contain different data. Here's one example: "Regarding receiving SMS from other people, only one of the SIMs will receive the message." This could be relevant provided that the examiner is in possession of two cards with identical IMSI and Ki. During SIM examination there may be some clues by reference to Gold Wafer and Silver Wafer cards; some examples of things more obvious to look for would be:
• The printing on the card of the SIM might give some clues, e.g. who is the mobile network operator?
• The plastic card material
• The contact pads as to shape and design, colour and alloy material
• The SSN (SIM Serial Numbers) and the ICCID (Integrated Circuit/s Card Identity) numbers

Using SimiS, look at the Card Info Page and determine whether the SIMs produce identical information. The same analysis should be conducted with PhoneBase. If they do not match, this could be another illustrator in determining a clone (of course, if you use PhoneBase, where the person uses their own number, so to speak). The review should extend to all pages of information captured during data acquisition from SIM.

• It appears inevitable that consideration must be given to the evidential impact of this topic. IMSI, it is understood, is owned by the issuer and may be authorised only to be recorded into one SIM. There may be legal requirements too that might make cloning a SIM a civil wrong. Finally, readers should be aware that it is unclear at this stage whether cloning a SIM is a crime. It is suggested therefore that before any laboratory testing is carried out, enquiries as to the legal implications and authorisation may need to be sought. During the Extended Mobile Telephone Evidence training course best endeavours will be made to include some discussion time on this topic.
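As an added example (not part of the original report), the comparison an examiner could script over two acquisition records, following the clues listed above: the same IMSI on both cards, a differing ICCID, differing card printing or contact-pad description, and differing phonebook or SMS contents. The SimRecord fields, card labels and sample values are constructed for the example; the one external fact relied on is that an operator-issued ICCID (ITU-T E.118 numbering) ends in a Luhn check digit, so a card whose ICCID fails that check was either mis-read or was never numbered by an issuer.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SimRecord:
    """Fields an examiner would transcribe from a SIM acquisition (constructed)."""
    label: str
    iccid: str
    imsi: str
    operator_print: str        # operator name printed on the card body
    contact_pad: str           # examiner's description of the pad design
    phonebook: Tuple = ()      # (name, number) entries read from the card
    sms: Tuple = ()            # stored message bodies read from the card


def luhn_valid(number: str) -> bool:
    """Issuer-numbered ICCIDs end in a Luhn check digit; a failure means a
    mis-read or a card that was never numbered by an operator."""
    if not number or not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def compare_sims(a: SimRecord, b: SimRecord) -> List[str]:
    """Return the findings that bear on whether a and b are the same identity
    on two physical cards. An empty list means nothing notable."""
    findings: List[str] = []
    if a.imsi != b.imsi:
        return ["different IMSI: not candidate clones of each other"]
    findings.append("same IMSI on both cards")
    if a.iccid != b.iccid:
        findings.append("same IMSI but different ICCID")
    for rec in (a, b):
        if not luhn_valid(rec.iccid):
            findings.append(f"{rec.label}: ICCID fails Luhn check")
    if a.operator_print != b.operator_print:
        findings.append("card printing differs")
    if a.contact_pad != b.contact_pad:
        findings.append("contact pad design differs")
    if set(a.phonebook) != set(b.phonebook):
        findings.append("phonebook contents differ")
    if set(a.sms) != set(b.sms):
        findings.append("stored SMS differ")
    return findings


# Constructed sample records: card A carries an issuer-style ICCID with a
# valid check digit; card B reports the same IMSI but an ICCID that fails it.
CARD_A = SimRecord("card A", "8944100000000000000", "234150000000001",
                   "OperatorX", "six-pad gold",
                   phonebook=(("Alice", "+441234567890"),),
                   sms=("meet at 10", "call me back"))
CARD_B = SimRecord("card B", "8900000000000000001", "234150000000001",
                   "no printing", "eight-pad silver",
                   phonebook=(("Alice", "+441234567890"),),
                   sms=("meet at 10",))

if __name__ == "__main__":
    for line in compare_sims(CARD_A, CARD_B):
        print("-", line)
```

Run against the two constructed records the script flags the shared IMSI, the ICCID mismatch, the failed check digit on card B, the differing printing and pads, and the one SMS present on only one card, which is the pattern the guide's own "only one of the SIMs will receive the message" remark predicts.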