Some cellphones allow to access the SIM through AT commands which can be very useful to interrogate the SIM _while_ on the network, or if you don't have a SIM reader handy. Most of the time you need two commands, the first one selecting the proper directory or file on the SIM, then the second executing the command or doing the read.
Phone support:
Good
- iPhone: Works. Tried with minicom on /dev/tty.debug while ssh'd on the phone. (needs Jailbreak to get SSH access)
Bad
- OpenMoko: Apparently the TI calypso prevents the submission of APDU class 0xA4 (GSM).
NOTE: This depends on the firmware. There are firmware versions that explicitly do not have the APDU class check!
Commands
Run GSM algorithm
Commands:
AT+CSIM=14,"A0A40000027F20" AT+CSIM=42,"A088000010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
The 16 0xff are the RAND
Sample run:
AT+CSIM=14,"A0A40000027F20" +CSIM: 48,"000010247F20020000000000091100160800838A838A9000" OK AT+CSIM=42,"A088000010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" +CSIM: 28,"A5975E88E0940FC09AEFA0009000" OK
In the respond command response, you find:
- sres: A5 97 5E 88
- Kc: E0 94 0F C0 9A EF A0 00
Read EF files from the SIM
Some interesting parameters are saved on the SIM by the ME (for later use in case of reboot or something I guess).
Kc 0x6F20
Commands:
AT+CSIM=14,"A0A40000026F20" AT+CSIM=10,"A0B0000009"
Sample run:
AT+CSIM=14,"A0A40000026F20" +CSIM: 34,"000000096F2004001100BB010200009000" OK AT+CSIM=10,"A0B0000009" +CSIM: 22,"E0940FC09AEFA000009000" OK
Again, you find the last Kc used here: E0 94 0F C0 9A EF A0 00 and also the key sequence number: 00
IMSI 0x6F07
Commands:
AT+CSIM=14,"A0A40000026F07" AT+CSIM=10,"A0B0000009"
Sample run:
/* FIXME: Do one */
IMSI can be also read by another command:
AT+CIMI
Sample run:
AT+CIMI 250997001138203 OK
LOCI 0x6F7E
LOCI can be decomposed in:
- TMSI[0:3]
- LAI[4:8]
- TMSI Time![9]
- status![10]
Commands:
AT+CSIM=14,"A0A40000026F7E" AT+CSIM=10,"A0B000000B"
Sample run:
/* FIXME: Do one */
