How do SIM Cards work? – SIMtrace

Have you ever looked at the chip of a credit card and a mobile phone SIM card and thought, wait… they look quite similar? And would you like to know what makes these two old phones, a Nokia and a Motorola, so special, even in 2018? In this series I want to talk about mobile networks and mobile network security. And by that I don't mean Android or iOS apps. I mean the networks: SIM cards, baseband and base stations.

Most of us know how the internet works. It's so easy to set up a lab and use Wireshark to look at the traffic. But we basically don't really learn how mobile networks work. You can't just Wireshark the radio network. I only learned about this a few years ago in university, where I took a course on telecommunication security. That was a great foundation that I will obviously use for these videos, but it's really hard to do anything practical with mobile networks, for reasons you will see soon. But then Vadim Yanitskiy, @axilirator on Twitter, contacted me asking if I would want to see some GSM Osmocom demos that I could record for some videos. Of course I took this opportunity and met up with him, and that was so awesome. So thanks to him I finally got some real hands-on practical experience with this topic, and I'm so excited to try to pass this on to you. I hope that over the course of several videos you will get a great basic understanding of how the mobile network works, and that you will know where to go in case you want to learn more.

So I started this video showing you a credit card and a SIM card. The reason they look so similar is that both are so-called smart cards. A smart card, or chip card, is any pocket-sized card that has embedded integrated circuits. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. On Wikipedia you can see some great images. The actual chip is smaller than the gold connectors, and it is connected to them with tiny bond wires. All the outer stuff is just plastic. Here you see how they are connected, crazy, right?

So when you look at your phone and I ask you how many computers are in there, what would you answer? That was actually an opening question in the university class I had, and I think it's a great question. Maybe some people would respond with one: it's a single small smartphone computer. But maybe you knew that the SIM card is actually a tiny computer itself. Your phone computer communicates with the tiny embedded SIM card computer. That computer can't do much, but it can do a lot more than some of you might think.

In a very simple way you can imagine this small computer just contains a private key. With public-private key cryptography you can use it to authenticate to something. And the idea is that it's super hard to extract that private key from the smart card, not comparable to the simple magnetic strip on a credit card. The private key never leaves the chip. If you want to do some crypto, your phone will communicate with the SIM card and ask it to do it, in the same way a credit card reader using the chip will do so. Nobody can clone a SIM card or credit card that way. There are attacks on smart cards, which I have touched on before, with power analysis and other crazy hardware hacks, but generally the cost of doing that is pretty high. In theory, if you could extract the private key from it, you could clone a SIM card or clone a credit card chip.

So you can't clone a SIM card that easily, but what if you just steal a SIM card? Can you just use it? That is why you need a PIN for your credit card when you use the chip, or for your SIM card. The small computer inside the SIM card refuses to do the crypto stuff you want if you won't tell it the secret PIN. That's another protection.

So how does this look in practice? Vadim showed me SIMtrace. Osmocom SIMtrace, or SIMtrace 2, is a software and hardware system for passively tracing the communication between the SIM and the mobile equipment. As you can see here, you have this basically fake SIM card that is connected with a flat flexi-PCB cable to this board, and this is where you put the real SIM card. So basically the phone is still using the real SIM card; it's just forwarded through that. But because the SIM card is not inside the phone anymore, you can now intercept and record that communication and forward it via USB to your PC. Then you can observe all the messages and commands the phone sends to the SIM card and see how the SIM card responds.

So when you turn on the phone, the phone asks you to enter the PIN. Let's enter the PIN and then look at what happened. Here is Wireshark… Wireshark, you ask? How, what? Okay… so Wireshark is a convenient tool to analyze packet-based communication. In this case you can see here that the protocol is GSM SIM, and Wireshark is listening on localhost. The SIMtrace software actually records the SIM communication, puts it into UDP packets and sends them to localhost. That's why you can use Wireshark to collect all these packets. It looks like they have an Ethernet layer, an IP layer and the UDP layer, but that's just to transport the data. The actual interesting payload is the GSM SIM protocol. Somebody wrote a payload decoder for Wireshark to analyse that data. So ignore all the references to IPs and MAC addresses; that's not what is sent between the SIM card and the phone. Only focus on the GSM SIM layer.

Anyway. When we look at the packets that were collected after the PIN was entered, we can see what the SIM and the phone did. The first important packet here is the VERIFY CHV. The info also says something about ISO/IEC 7816-4, and when you look that up, you will learn that this is a protocol standard. ISO 7816 is an international standard related to electronic identification cards with contacts, especially smart cards, and specifically section 4 is about "Organization, security and commands for interchange". It was created in 1995 and, according to its abstract, it specifies things such as "contents of command-response pairs" and "access methods to files and data in the card" (remember the SIM card is a small computer, so the SIM card also has files), and it also defines "access methods to the algorithms processed by the card".

So what does VERIFY CHV mean? Let's peek into the GSM standard. Here CHV is described as "Card Holder Verification information"; access condition used by the SIM for the verification of the identity of the user. Can you guess what that is? That's a fancy description for your PIN. The user who knows the PIN can verify that they are the user by presenting the PIN to the SIM card. We can also check what VERIFY does. This function verifies the CHV (so the PIN) presented by the ME (the mobile equipment, the phone) by comparing it with the relevant one stored in the SIM. The verification process is subject to the following conditions being fulfilled:
– CHV is not disabled;
– CHV is not blocked
So either your PIN is blocked because you entered it wrongly too many times, or you had disabled the PIN. And further we can read: if the CHV presented is false, the number of remaining CHV attempts for that CHV shall be decremented. After 3 consecutive false CHV presentations, not necessarily in the same card session, the respective CHV shall be blocked and the access condition can never be fulfilled until the UNBLOCK CHV function has been successfully performed on the respective CHV. So this is all fancy documentation language, but it basically defines that you have three attempts for your PIN, and if you fail, the SIM is locked until you use that other special longer code to unblock it again. Interesting, right?

Anyway… after that we can see some SELECT FILE commands. So the phone requested the content of files stored on the SIM card. One file contains the IMSI, the international mobile subscriber identity, which uniquely identifies this SIM card. Also remember that you can store some contacts on your SIM card? Well, here you can see how the phone requested the phonebook on the SIM card.

There is one other cool thing. Vadim looked at the Wireshark trace and saw this. "Oh, also a very interesting thing I will show you. It is related to the SIM card menu." And I was like, SIM card menu? I have never seen a SIM card menu. "You will, for example the menu Vodafone services."… Ohhh, that's what this menu always was. It's like a thing I never used. So this is a menu running on the SIM card? "Exactly. It's probably a Java application." You heard right. Usually there is Java running on SIM cards. Java Card refers to a software technology that allows Java-based applications to be run securely on smart cards. It is widely used in SIM cards (used in GSM mobile phones) and ATM cards. Crazy, right?

When we click around in that menu, the phone obviously has to forward whatever we did in the menu to the SIM card, and the SIM card has to respond with what kind of text to show on the screen. "We can choose one. It's in German, I think." For example here: TERMINAL RESPONSE, SELECT ITEM. We select an item in the menu, and then the SIM card responds with a new text for the menu: FETCH, DISPLAY TEXT. "SIM card said, please display text. I'm not sure if Wireshark is powerful… Oh, OK, it is here." So Vadim wasn't sure if that weird part of the SIM protocol was actually implemented in Wireshark, but it was. Here it shows the text "MMS-InfoServices koennen nur mit MMS faehigen Handys empfangen werden". That's German, it's a German SIM card, so the menu was German, and it translates to: "MMS InfoServices can only be received with phones that support MMS."

And I had pressed the back button on the phone. So the terminal response, the response WE gave and the phone forwarded to the SIM card, was hex 11, which stands for "backward move requested by user". Isn't that awesome?

We use these mobile phones every day, but we have almost no understanding and insight into how they work. I hope you found this interesting. Thanks so much to Vadim and all the others in the Osmocom project for creating all those tools. Stay tuned for the next videos. We will soon learn what makes these phones so special.
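The VERIFY CHV rules quoted above (three attempts, then blocked until UNBLOCK CHV) and the TERMINAL RESPONSE result byte hex 11, modelled as an added Python example; this is not code from the video or from the Osmocom SIMtrace project. It assumes the GSM 11.11 instruction bytes (A0 20 for VERIFY CHV, A0 2C for UNBLOCK CHV), the status words 9000, 9804, 9840 and 9808, and the simple-TLV layout of TERMINAL RESPONSE from GSM 11.14; every APDU byte string is constructed for the example.

```python
# Added illustration, not code from the video or from Osmocom SIMtrace: a SIM-side model
# of VERIFY CHV / UNBLOCK CHV (GSM 11.11) and of the TERMINAL RESPONSE result TLV (GSM 11.14).
from collections import namedtuple

Apdu = namedtuple("Apdu", "cla ins p1 p2 data")   # ISO/IEC 7816-4 command header + data
SW_OK, SW_CHV_WRONG, SW_CHV_BLOCKED, SW_CHV_STATUS = 0x9000, 0x9804, 0x9840, 0x9808
MAX_CHV_ATTEMPTS = 3  # "after 3 consecutive false CHV presentations ... shall be blocked"


def parse_apdu(raw: bytes) -> Apdu:
    """Split CLA INS P1 P2 P3 [data]; P3 is the number of data bytes that follow."""
    if len(raw) < 5 or len(raw) != 5 + raw[4]:
        raise ValueError("APDU length does not match its P3 byte")
    return Apdu(raw[0], raw[1], raw[2], raw[3], raw[5:])


def terminal_response_result(apdu: Apdu) -> int:
    """Walk the simple TLVs of a TERMINAL RESPONSE and return its general result byte."""
    i = 0
    while i + 2 <= len(apdu.data):
        tag, length = apdu.data[i], apdu.data[i + 1]
        if tag & 0x7F == 0x03 and length:  # Result TLV; bit 8 is the comprehension flag
            return apdu.data[i + 2]        # 0x11 = backward move requested by the user
        i += 2 + length
    raise ValueError("no Result TLV in TERMINAL RESPONSE")


class SimChv:
    """CHV1 (PIN1) state as the VERIFY CHV / UNBLOCK CHV text describes it."""

    def __init__(self, pin: str, puk: str, disabled: bool = False):
        self._pin = pin.encode().ljust(8, b"\xff")  # PIN travels as 8 bytes, FF padded
        self._puk = puk.encode().ljust(8, b"\xff")
        self.disabled, self.attempts_left = disabled, MAX_CHV_ATTEMPTS

    def handle(self, raw: bytes) -> int:
        """Process one command APDU and return the status word the SIM would answer."""
        apdu = parse_apdu(raw)
        if apdu.ins == 0x20 and apdu.p2 == 0x01:       # VERIFY CHV for CHV1
            if self.disabled:
                return SW_CHV_STATUS                   # "in contradiction with CHV status"
            if self.attempts_left == 0:
                return SW_CHV_BLOCKED                  # stays blocked until UNBLOCK CHV
            if apdu.data == self._pin:
                self.attempts_left = MAX_CHV_ATTEMPTS  # a correct PIN resets the counter
                return SW_OK
            self.attempts_left -= 1
            return SW_CHV_BLOCKED if self.attempts_left == 0 else SW_CHV_WRONG
        if apdu.ins == 0x2C and apdu.p2 == 0x00:       # UNBLOCK CHV for CHV1: PUK + new PIN
            if apdu.data[:8] != self._puk:
                return SW_CHV_WRONG
            self._pin, self.attempts_left = apdu.data[8:16], MAX_CHV_ATTEMPTS
            return SW_OK
        return SW_OK  # SELECT FILE, FETCH, ... are outside this CHV model


# Constructed trace: three wrong PINs, the unblock with the PUK, then the new PIN.
TRACE = [bytes.fromhex("A020000108" + "30303030FFFFFFFF")] * 3 + [
    bytes.fromhex("A02C000010" + "3132333435363738" + "35363738FFFFFFFF"),
    bytes.fromhex("A020000108" + "35363738FFFFFFFF")]
```

Replaying `TRACE` through `SimChv("1234", "12345678").handle` yields 9804, 9804, 9840, 9000, 9000: the third wrong PIN blocks the card, the PUK unblocks it and sets the new PIN, and the new PIN then verifies.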


  • LiveOverflow

    Small corrections:

    The SIM card does not typically store a private key. It has a secret key that is shared with your mobile operator. And that secret is used to derive session keys that will then be used in the actual encrypted communication.

  • RedLight GreenArrow

No PIN on US chip credit cards! In fact no PIN on US SIM cards either! I set one on mine though. The default SIM PIN on AT&T is 1111. You can change it in iOS settings and set a “real” SIM PIN. If anyone steals your SIM, they can’t use your service.

  • Dark Kero

What do you mean Android is not included? SIM messages, PIN required, SIM phone book, SIM tool, and PUK1 & PUK2 are all in my vivo y51 Android..

  • ᖇᗩ乙0229

    02:37 YES! Now I believe people are gonna make videos about overclocking your SIM cards and playing high end games on 'em!

  • Moi 2926

    So the menu runs on the actual SIM card?
    Can't it just give the code of the application to the phone, would have been much simpler.

    Anyway, this blows my mind.

  • Lil Puff

    That's wrong because I can pop my SIM card in any phone that support micro SIM and it will work just fine
    For a "hacker", you sure don't know that much.

  • iCQ_www-SPCL-tk Special Take

Nice video, thanks… I didn’t know Wireshark could also help analyze the GSM protocol!! Neat 🙂

  • Mohanachuth Varma

THAT’s very clear………… can you do some work for me …… I want to change the profile from silent to general without accessing the internet, Bluetooth, Wi-Fi etc., only with a message. Is this possible?

  • Jyt

    3:30 ' you can clone a credit card ' , wow ! more lowlifes traffic ici !!!! Educational, eh )
    I use sim for radio am sw detector, Ouii!

  • Mario

    Can you change your accent please? Go to England. It's like 2 hours away from where you are. Go there and try to pick up the accent. At the moment, your fake "American accent" is doing my head in. It's difficult to listen to

  • Pankaj Kumar

When I was a kid, every time I moved to a new school, I used to block my dad’s SIM by entering the SIM PIN wrong thrice, forcing him to get a new number, so that my school teachers wouldn’t have any contact to complain to, if I ended up getting caught doing something crazy at school.
    Now I know which piece of code I was running at the time. Thank you!

  • PvtMadnage - Bro. Matthew

    According to the Bible, satan is the god of this world.
    All major institutions, corporations, media outlets, political factions, religious institutions and nations ultimately fall under his control.

    Isaiah 14:12-15 (KJV)
    How art thou fallen from heaven, O Lucifer, son of the morning! how art thou cut down to the ground, which didst weaken the nations!

    For thou hast said in thine heart, I will ascend into heaven, I will exalt my throne above the stars of God: I will sit also upon the mount of the congregation, in the sides of the north:

    I will ascend above the heights of the clouds; I will be like the most High.
    Yet thou shalt be brought down to hell, to the sides of the pit.

    As you can see, it is written that satan will be eventually cast into hell, along with his angels, false prophets and everyone else who rejects the Lord Jesus Christ.
    Please make sure you get saved before it is too late!

    Jesus saves you from an eternity spent in Hell, the awful consequence of sin. It is a FREE gift which you receive by believing in and trusting in the FINISHED WORK and the shed blood of the Lord Jesus Christ at the cross at Calvary for your sins!

    Romans 10:9-10 (KJV)
    That if thou shalt confess with thy mouth the Lord Jesus, and shalt believe in thine heart that God hath raised him from the dead, thou shalt be saved.

    John 3:16 (KJV)
    For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.

    Romans 10:13 (KJV)
    For whosoever shall call upon the name of the Lord shall be saved.

    John 3:3 (KJV)
    Jesus answered and said unto him, Verily, verily, I say unto thee, Except a man be born again, he cannot see the kingdom of God.

    Romans 6:23 (KJV)
    For the wages of sin [is] death; but the gift of God [is] eternal life through Jesus Christ our Lord.

    Are You Saved?
    If you do not know for sure that you are saved, please settle this issue permanently.
    Satan does not want you to accept God's gift of eternal life with Him in Heaven.
    He wants to drag you into Hell with him, and the time for you to make a decision on your eternal destiny grows very short.

    The time will soon come when God will no longer offer his gift of eternal life.
    Making no decision is the same as rejecting God and choosing to spend eternity in Hell.

    Please do not put off making your decision for Jesus until it is too late.

    And they said, Believe on the Lord Jesus Christ, and thou shalt be saved, and thy house.
    Acts 16:31 KJV

    Neither is there salvation in any other: for there is none other name under heaven given among men, whereby we must be saved.
    Acts 4:12 KJV

    For the Son of man is come to seek and to save that which was lost.
    Luke 19:10 KJV

    You are not saved by your own righteousness but by what the Lord Jesus Christ has done for us on the cross.

    Ephesians 2:8-9 (KJV)
    For by grace are ye saved through faith; and that not of yourselves: it is the gift of God:
    Not of works, lest any man should boast.

    Galatians 5:4 (KJV)
    Christ is become of no effect unto you, whosoever of you are justified by the law; ye are fallen from grace.

    Galatians 3:10 (KJV)
    For as many as are of the works of the law are under the curse: for it is written, Cursed [is] every one that continueth not in all things which are written in the book of the law to do them.

    Romans 10:4 (KJV)
    For Christ is the end of the law for righteousness to every one that believeth.

  • FAMEforM

    the final question is, can you get access to a phone or decrypt the pin in a SIMcard…with this wireshark decoding tool…i just ask for a friend…he is very curious…

  • 501 4R

    wait so does that mean there is small java compiler and assembler inside that small little chip ?? or does the SIM card send the data that is required for compilation to the phone and the phone sends the machine code back to the SIM card for it to process the code ? please someone explain that part …


Finally a video that I can use to explain to my dumbass friend why breaking some gold parts of his SIM card won’t give him free calls

  • Rupesh Mittal

SIM cloning attacks are common nowadays.
What would you like to say on that, as according to you we can’t clone a SIM?

  • Damián "el Salsuero"

    Except I don't need a pin to use my credit card chip in a chip reader. It's the same as swiping the magnetic strip as far as ease goes… simply insert the card and wait. Then remove. That's it.

  • Manabender

    "How many 'computers' are on your phone?"

    This is a very poorly worded question. What is a "computer"? Does the CPU, in its entirety, count as only one computer? Or can we count each processor core as a computer? What about the components of the CPU? Surely, the ALUs are doing "computing". Do they count? What about all the other various components of the phone itself? Surely, some of them are doing "computing".

    No matter how you define "computer", the answer isn't helpful.

  • threeMetreJim

    Wow, I did this back in the late 90's using a serial port and a simple circuit. Watching a SIM update is very interesting. Also used for the TV viewing cards, which is how I got interested in it in the first place.

  • jerry Collins

I have an older Samsung Avant that works great with awesome reception. When I take out the SIM card and put it in my modded ROM / rooted S5, I get reception issues / missed, dropped calls. This recently has been happening. No issues for months. My techie buddy insists it’s the SIM card. The current SIM is 5 years old. Your thoughts?

  • gerimeni

This is one of your coolest videos, I always wanted to know about SIM cards and the information I’m getting in this video is amazing

  • Tom Servo

It's crazy how 'black box' the SIM card compute is. Just another backdoor for the government. Just like Intel's IME 'computer' inside every Intel CPU except for government computers.


Yeah, the good old and still best tool – Wireshark – for analyzing transported packets. A long time ago, I used it to decrypt Nagravision cryptocards.

  • Error

    I don't consider the SIM to be a "computer" in itself because it cannot load and execute random code. It is more of an embedded single solution. I wouldn't call that a computer. Just an average integrated circuit. Not even as useful as a PIC.
