How do you get the Kc from a SIM card?
Sounds kind of like a magical question, right? It is interesting that there are pretty much no guides on this topic, because for any GSM debugging you need the so-called Kc (essentially a session key) that was used to encrypt the traffic sent over the air.
So let’s get started: there are as many as 4 ways to do this, and some others that I tried which don’t actually work, so let’s see:
Ways that work:
1. BlackBerry Engineering Screen
This is quite an easy catch: on pretty much all BlackBerries you can enable the so-called “Engineering Mode”, which will simply show you the current Kc. Not much fun, but a reliable, good way to do it.
TESTED: YES (as shown by Karsten Nohl for example at BlackHat 2010)
WORKS: YES
2. OsmocomBB Mobile App
Now, this one is quite a tricky one, because setting up OsmocomBB already requires quite an amount of work, but once you have it up and running AND you are lucky with the cables and the code (which is not usually the case) you can simply run the mobile app and then use the telnet interface to get the Kc:
1. Upload layer1 to your phone
2. Run mobile -i 127.0.0.1
3. telnet 127.0.0.1 4247
After that simply say:
show subscriber 1
At the top you should see the Kc printed.
TESTED: YES
WORKS: PARTIALLY (I was able to get the Kc, but the mobile app itself wasn’t working for me, so I couldn’t place a call or send an SMS just to try out if I have the right Kc or not)
3. AT+CSIM Command
This one is the oldest and most well-known method: some phones let you use the standard-defined but not always implemented AT command AT+CSIM, which lets you send raw APDUs (= “commands”) to the SIM card via the modem. The number of phones supporting this is very limited; according to some people, older Siemens and Alcatel phones let you do this. Older iPhones (3GS/3G/2G) also let you do this if you are jailbroken (you need to install minicom from Cydia, then connect to the device /dev/tty.debug). Newer iPhones don’t really let you do this; iPhone 5 owners, we are all out of luck.
The commands you would like to send look something like this. Sample run:
AT+CSIM=14,"A0A40000026F20"
+CSIM: 34,"000000096F2004001100BB010200009000"
OK
AT+CSIM=10,"A0B0000009"
+CSIM: 22,"E0940FC09AEFA000009000"
OK
In the second response you find the last Kc used: E0 94 0F C0 9A EF A0 00, followed by the key sequence number: 00
From: http://openbsc.osmocom.org/trac/wiki/A5_GSM_AT_tricks
TESTED: NO
WORKS: PROBABLY
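As an added example (not code from the original post or from the Osmocom wiki), here is a Python walk-through of the exchange above: it wraps the two APDUs in the AT+CSIM syntax, validates each +CSIM reply (declared length and status word 9000), takes the EF_Kc file size from the SELECT response to build the READ BINARY command, and splits the returned 9 bytes into the 8-byte Kc and the key sequence number. The replies are the ones quoted in the sample run, embedded so it runs without a modem; the same EF_Kc layout applies when you read the file through a PC/SC reader as in method 4 below.

```python
import re

# Modem dialogue for EF_Kc (file 6F20) taken from the sample run above; the
# responses are embedded here so the block runs offline without a modem.
SELECT_EF_KC = "A0A40000026F20"   # SELECT file 6F20 (EF_Kc)
SELECT_RESPONSE = '+CSIM: 34,"000000096F2004001100BB010200009000"'
READ_RESPONSE = '+CSIM: 22,"E0940FC09AEFA000009000"'

def csim_command(apdu_hex: str) -> str:
    """Wrap a raw APDU in AT+CSIM syntax: <hex string length>,"<hex>"."""
    apdu_hex = apdu_hex.upper()
    if len(apdu_hex) % 2 or not re.fullmatch(r"[0-9A-F]+", apdu_hex):
        raise ValueError("APDU must be an even-length hex string")
    return f'AT+CSIM={len(apdu_hex)},"{apdu_hex}"'

def parse_csim_response(line: str) -> bytes:
    """Check a +CSIM reply (declared length, SW 9000) and return its data bytes."""
    m = re.fullmatch(r'\+CSIM: (\d+),"([0-9A-Fa-f]+)"', line.strip())
    if not m or int(m.group(1)) != len(m.group(2)):
        raise ValueError("malformed +CSIM response or length mismatch")
    raw = bytes.fromhex(m.group(2))
    sw = raw[-2:].hex().upper()
    if sw != "9000":
        raise ValueError(f"card returned status word {sw}")
    return raw[:-2]

def ef_file_size(select_data: bytes) -> int:
    """GSM 11.11 SELECT response for an EF: bytes 3-4 (1-based) hold the file size."""
    return int.from_bytes(select_data[2:4], "big")

def read_binary_apdu(length: int) -> str:
    """READ BINARY (CLA A0, INS B0) of `length` bytes from offset 0."""
    return f"A0B00000{length:02X}"

def parse_ef_kc(data: bytes) -> tuple[str, int]:
    """EF_Kc body is 9 bytes: the 8-byte Kc followed by the key sequence number."""
    if len(data) != 9:
        raise ValueError(f"EF_Kc should be 9 bytes, got {len(data)}")
    return data[:8].hex().upper(), data[8]

def walk_through() -> tuple[str, str, str, int]:
    """Replay the two-step exchange from the post and decode the result."""
    select_cmd = csim_command(SELECT_EF_KC)
    size = ef_file_size(parse_csim_response(SELECT_RESPONSE))
    read_cmd = csim_command(read_binary_apdu(size))
    kc, ksn = parse_ef_kc(parse_csim_response(READ_RESPONSE))
    return select_cmd, read_cmd, kc, ksn
```

Calling walk_through() returns the two AT+CSIM command strings, the Kc E0940FC09AEFA000 and key sequence number 0, matching the sample run.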
4. Using a SIM-card reader/Smart Card Reader
Some people said on the A51 mailing list that by using a simple SIM card reader they were able to extract the last used Kc from the card. I am not sure about this, but it sounds reasonable and the people who wrote about it were quite convincing.
UPDATE: I tried this method using a simple PC/SC cardreader (exact model: Omnikey CardMan 5321 – it is great because it has both RFID and contact-smart card reading interfaces) and I am happy to tell you it works! Running SIMspyII after I inserted the SIM-card into the reader revealed the Kc and also everything else stored on the SIM card (I already turned off PIN-code verification for the card, not sure however how having a PIN code would change the procedure, but I assume the SIMspyII program has support for PIN-codes).
The only interesting part is that the SIM-card itself is a lot smaller than a standard smart card, so you need to either take the reader apart and insert the card alone, or use the plastic card the SIM-card came with, or use an old credit card.
Also, there are some rumors that you can’t power down your phone because it would erase the Kc from the SIM card, so you need to pull the battery out. According to this mailing list thread you don’t need to do that, because according to the GSM specification the Kc should remain on the SIM card even if the phone is powered down (Harald Welte). In my experience this is true.
TESTED: YES
WORKS: YES
Other ways which don’t work:
1. Nokia DCT3 FBUS Connection:
Sounds like an ideal setup: you use an old Nokia DCT3 (3310/3410 etc.) and an FBUS cable. Using dct3-gsmtap from OsmocomBB you would be able to sniff all the packets the phone receives/sends, and also all communication between the phone and the SIM card. Since we know the command we are looking for (see above, A0 A4 …) we can easily find the Kc – one would think. Sadly that’s not the case: Nokia’s engineers closed this possibility. After the command, the next packet we can see coming from the SIM card is an empty packet. This causes Wireshark to say “Malformed packet” and show no data in it – which is correct: looking at dct3-gsmtap’s output you can observe the following:
SIM: 0xA0 0xA4 0x00 0x00 0x02 0x7F 0x20 SIM:
So, empty message coming back.
TESTED: YES (Nokia 3410 + FBUS cable)
WORKS: NO
I will update this list as soon as I find new ways to extract the Kc.
Anna
June 26, 2013 @ 04:24
Which program did you use to sniff the air? Can you extract the Kc from the air from someone else’s calls or messages?
How can it be extracted from a GSM gateway? It has a serial port, RJ11 and RJ45; it’s a box with a GSM phone inside that can be connected to the landline network and to a PC too.
domi007
June 26, 2013 @ 09:32
Everything is written up on the rtl-sdr website (too).
I don’t know anything about GSM gateways.
cybergibbons
October 14, 2013 @ 15:58
I’m just trying method 4 (SIM card reader with SIMspy II) and I’m getting “The key is not available”.
http://i.imgur.com/1eOZY2L.png
These are UK Vodafone MTM SIM cards, not sure if that is why.
cybergibbons
October 14, 2013 @ 16:17
Odd – some have it, some don’t. Need to try and work out why.
domi007
October 14, 2013 @ 17:41
Hi,
Interesting find, I too used a Vodafone UK SIM card. Did you try pulling the battery instead of powering the phone down?
I just checked on my SIM card and it showed the same for me too – but I have used it on a network without any encryption (test network at Camp0). Right after I turned on my phone and let it do a transaction (it received a welcome SMS from Vodafone) it actually showed me the Kc.
So maybe you can call your SIM card and then see if it has the key in it or not.
cybergibbons
October 22, 2013 @ 12:01
These are all M2M cards (I typoed MTM above) which can’t make voice calls – I think this might be why.
domi007
October 22, 2013 @ 19:43
In that case you can probably recover the Kc GPRS (if they could be used for data).
Joel
December 31, 2013 @ 21:09
I was looking around and found that you can access Field Test Mode on the iPhone by calling *3001#12345#*
There is a section called SIM Info. I see a lot of info there. Can the key be gathered from any of these lines? I was on this web site: http://www.cellmapper.net/arfcn.
domi007
December 31, 2013 @ 21:24
Afaik no, the property is called EF_Kc.
I don’t see such a property on my iPhone.
Joel
December 31, 2013 @ 22:25
Couldn’t be so easy, thanks! (-;
Niclas
January 3, 2014 @ 01:01
But I think you can get the TMSI! That’s also nice! It’s stored in the EF_LOCI. The first 4 Bytes of it are the TMSI. (http://www.etsi.org/deliver/etsi_gts/11/1111/05.03.00_60/gsmts_1111v050300p.pdf (page 63))
It would be nice if anyone can confirm that. I think to get the KC out of it you need to go into the baseband processor which is very hard… P.S.: is there any chat/irc to discuss?
Cheers!
domi007
January 3, 2014 @ 09:24
Hi,
I think you are right with the TMSI, it could probably be extracted the way you described it.
To get the Kc however you don’t necessary need to go into the baseband: simply pull out the SIM-card and read the value with a smartcard reader. If you don’t want to get a smartcard reader just use any old BlackBerry, they are really cheap (like 10-20 USD afaik) and their Engineering Screen shows all the stuff you would need.
There is no IRC that I set up to address this topic, but all the projects I use have IRC channels (osmocom-bb does have one for sure). However I need to mention that for example the osmocom-bb channel isn’t really friendly if you are just interested about “cracking, eavesdropping, etc.” since they had a huge amount of script kiddies begging for some sniffing code and they got tired of them because the project’s main goal isn’t sniffing.
ajay
August 25, 2014 @ 13:37
Hey Dom,
I was looking to find the Kc on my BlackBerry, I got to the Engineering Mode screen. I can find TMSI and other details there, where do I find Kc? Is it referred to by some other name in the BB Engineering Mode?
Thanks
domi007
August 26, 2014 @ 21:28
Go to SIM browser, then there is Kc and USIM_Kc if I remember correctly, either one of them will contain the value (the other will be just zeroes)
mahmoudshakra
January 17, 2016 @ 21:21
I am wondering how to give commands to my Lenovo phone and where I type these commands?
domi007
April 18, 2017 @ 11:39
You can’t I think.