View Full Version : SIM cards (pre-paid) PIN reading help!



Dante
07-11-2002, 07:54 PM
How can I read the PIN from a card? What do I have to have, and what software? Please help.

Joker_hk
11-11-2002, 07:37 PM
For now it is not possible to read the PIN on a card; you can read Ki and IMSI...
To find the PIN you could try brute force, but only 3 tries are available so it's no good...
Unless someone could come up with a way to prevent the card from keeping track of the tries left....

Hope this helps

DaveGSM82
12-11-2002, 09:06 PM
Do any of you understand the basic principles of electronics?

Well, I hope you do; I have had an idea.
We could restrict the CURRENT to a SIM card so that each time it tries to program itself (to remind itself that the wrong PIN was entered) it can't, and then keep bombarding it with PIN codes. The theory being that when you enter the PIN its internal resistance falls, therefore its voltage falls, which means it can't program itself (and is forced to reset) each time until the correct PIN is found and the SIM does not require so much current; log the PIN and voilà, job done.
What do you think?
Dave

Joker_hk
14-11-2002, 04:11 PM
That's music to my ears, mate...
Finally someone who also thinks it's possible!!!

Listen to this:

I made my SIM reader by adapting an M-Bus cable and a low-power 5V source... so, in the Dejan SIM reader I was getting some errors...
But I had entered the PIN 4 or more times, and when I put the SIM back in the phone it didn't ask for the PUK!! Instead it acted as if it was the first time...

Turns out that the problem with my cable was the power source...
I've fixed it now and the Dejan software works fine, but now the SIM keeps track of PIN tries left...
But I'll try to make another source with a very high output impedance so that it limits the output current....

Now looking at it from another perspective...
The timing issue...
I don't know much about the SIM communications protocol, but if the "PIN wrong" message is sent by the SIM before it programs itself, we could reset it before it has a chance to write.... What do you think??..

Sorry for my English, I'm just too excited to concentrate on what I'm writing! :)))

DaveGSM82
14-11-2002, 06:42 PM
I mirror your sentiments exactly, mate. From what I understand your bog-standard SIM draws as follows:
Idle - 3 mA
Working - 34 mA
Programming - 50+ mA

So I can design a current-limited source (although a resistor and Zener will do) which will stop dead (or even cut all power) before the SIM has a chance to program.

As for the wrong PIN message, I think the designers would have thought of that one; there seems to be a short delay before this is displayed, so I think we are out of luck.

Maybe we can also run the SIM at undervoltage and bypass the PIN, possibly confusing it? I don't know, I'm just thrashing out ideas. The current limiter interests me greatly though.

What is your knowledge of electronics? Just to get an idea so we don't baffle each other with jargon.
I'm a uni student doing electrical + electronic engineering, year 2.

cya, Dave.
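
Dave's point that the designers would have thought of the timing comes down to one question: does the card write the retry counter before or after it learns the compare result? The following Python model is an added example, not code from this thread or from any real SIM; the step ordering, the step count and the PIN value are all assumptions, and it only shows which ordering can leave an attempt unrecorded when power is lost mid-command.

```python
"""Model of the ordering between a SIM's PIN compare and its retry-counter write.

Constructed simulation (not code from the thread or from any real card): a
VERIFY routine runs step by step, the 'power' is cut at each step in turn, and
the outcome shows whether the card was left knowing the compare result without
having recorded the attempt in EEPROM.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_TRIES = 3          # GSM 11.11 CHV1: three attempts before the PUK is needed
CORRECT_PIN = "1234"   # constructed sample value


class PowerCut(Exception):
    """Models the supply disappearing at a given step of the routine."""


@dataclass
class Eeprom:
    """State that survives a power cycle."""
    tries_left: int = MAX_TRIES


@dataclass
class Card:
    eeprom: Eeprom = field(default_factory=Eeprom)
    cut_at_step: Optional[int] = None   # step at which power is lost (None: never)
    compared: bool = False              # volatile flag: has the compare run?
    _step: int = 0

    def _tick(self) -> None:
        """Advance one step; raise PowerCut if the supply is gone at this step."""
        if self.cut_at_step is not None and self._step == self.cut_at_step:
            raise PowerCut(f"power lost at step {self._step}")
        self._step += 1

    def verify_compare_then_write(self, pin: str) -> bool:
        """Naive ordering: compare first, then record a failure in EEPROM."""
        self._tick()                          # step 0: command received
        if self.eeprom.tries_left == 0:
            return False                      # blocked, PUK required
        self._tick()                          # step 1: about to compare
        ok = pin == CORRECT_PIN
        self.compared = True
        self._tick()                          # step 2: about to write EEPROM
        if not ok:
            self.eeprom.tries_left -= 1
        self._tick()                          # step 3: about to send status
        return ok

    def verify_decrement_first(self, pin: str) -> bool:
        """Hardened ordering: charge the attempt before comparing and refund it
        only after a correct PIN. A cut at any step leaves the counter at or
        below the honest value, never above it."""
        self._tick()                          # step 0: command received
        if self.eeprom.tries_left == 0:
            return False
        self._tick()                          # step 1: about to write EEPROM
        self.eeprom.tries_left -= 1
        self._tick()                          # step 2: about to compare
        ok = pin == CORRECT_PIN
        self.compared = True
        self._tick()                          # step 3: about to refund
        if ok:
            self.eeprom.tries_left = MAX_TRIES
        self._tick()                          # step 4: about to send status
        return ok


def run_with_cut(method: str, pin: str, step: Optional[int]) -> Tuple[Optional[bool], int]:
    """Run one VERIFY with power cut at `step` (None = no cut).
    Returns (result, tries_left afterwards); result is None if interrupted."""
    card = Card(cut_at_step=step)
    try:
        result: Optional[bool] = getattr(card, method)(pin)
    except PowerCut:
        result = None
    return result, card.eeprom.tries_left


def exposure_steps(method: str, wrong_pin: str = "0000") -> List[int]:
    """Sweep the cut over every step of a wrong-PIN VERIFY and list the steps
    at which the compare had run but the counter was left untouched.
    An empty list means the ordering never gives away a free attempt."""
    exposed = []
    for step in range(8):                     # more steps than either routine has
        card = Card(cut_at_step=step)
        try:
            getattr(card, method)(wrong_pin)
        except PowerCut:
            pass
        if card.compared and card.eeprom.tries_left == MAX_TRIES:
            exposed.append(step)
    return exposed
```

The price of the hardened ordering is visible in the model too: a correct PIN interrupted after the decrement costs the user an attempt until the next successful VERIFY refunds it.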

Adi Lepadatu
15-11-2002, 11:37 PM
Hi guys! I have an idea about all of this. First, someone said before that the SIM takes 50 mA or more when the PIN is wrong. I am thinking of powering it up with a limited power supply (40 mA max.)
and when the SIM wants 50 mA or more we give it only 40. Then we send the reset command (unless it resets itself). What do you think?

brakk_
16-11-2002, 04:27 PM
Just have a look at the old thread 'puk/pin retrieval' (or something that sounds like it) where I succeeded in cloning a locked 'puked' card without any problem (I've repeated this *exploit* in the same configuration to be sure). Like you seem to know, playing with voltage *should* work; in my case it was by mere chance, just a particular combination of hardware/laptop voltage/SIM card status... but it's evidence that it can work. But due to the way I succeeded I think I can't repeat this manipulation each time I need it, too many possibilities and parameters I can't understand.

Maybe the ITSEC publication about smartcard security technology, which describes all types of potential attack (chemical, electronic, EMB etc.), can help you get more info about 'practical' ways to access the data you want (IMHO it's at a high knowledge level or needs expensive and complex equipment in all cases).

If you are interested in the chronological step-by-step manipulation and situation where my 'exception' occurred (sw & hardware, timing etc.) I can try to retrieve all the details, 'cause I'm sure I haven't seen 'all' the interesting things due to my poor knowledge of electronics stuff.

I just put all my ideas and experience here; I hope and want to help this thread as much as possible, 'cause I'm very interested too (since the previous, and dead, thread where I tried to explain that I'd experienced a working clone with a locked card).
Excuse me for my Fr-English =)

Kilrah
17-11-2002, 02:32 PM
Yes, very interesting!!! Never thought about it!!!

And it's very easy to create a good current-limited source with a few components... And I have 2 SIMs for which I forgot the PIN!

I'm also studying electronics, so if you need help I'm here!

Regards
Kilrah

brakk_
17-11-2002, 09:01 PM
Can you explain the method or draw a scheme of a SIM scan r/w where we can have amperage control on it? I have a Metrix to test mine but no idea how to add components that can reduce the amps (between 30 & 50 mA) on it. Can this be done at the power supply 'source', or must the alteration be done just at the SIM contact voltage?

Kilrah
18-11-2002, 09:30 AM
I think it would be better to limit the current for the SIM only...
But I just had another idea... What about a small circuit which sends a reset when the current rises above xx mA? Maybe with a resistor in series with the card's power supply which is used to measure the current, and an analog comparator which sends a reset to the card when the current is too big...

Thinking about it..

Regards
Kilrah

DaveGSM82
18-11-2002, 07:19 PM
@ kilrah

Apparently the SIM will ignore any reset issued while a security operation is being performed; that's why I suggested cutting the power. The reset MUST be performed instantaneously, i.e. as it tries to pull the extra current. The problem is that the extra current the SIM tries to pull may be only in the order of a few mA, which is why we have to create something which cuts all power at the second it attempts programming.

Because the SIM is in fact a microprocessor we must realise that it will need extra current to do the comparing function (PIN with proposed PIN), but not too much so it can program.

Dave.

Joker_hk
18-11-2002, 07:40 PM
@ DaveGSM82

I'm also a uni student of electronic/electrotechnic and computer engineering, year 3..

I think we're on to something...
Maybe undervoltage won't work, 'cause many micros have a configuration bit that makes the micro wait for a certain level of voltage before it starts to run...

Your idea of undervoltage gave me another idea: when the SIM asks for the PIN, it stays there until it is inserted, so we're maybe looking at a "for()" cycle.... If we apply a clock burst to the micro on the SIM maybe the program counter would increase too fast, that is before the instructions [ for() ] could be executed, thus bypassing the PIN ask!!!

One other thing, could someone please give some info about the SIM card communication protocol? I've found some things on the net but I can't get it to work...
Or... Can somebody make a program that bombards the SIM with PINs from a " *.txt " and returns the status, "accepted", "rejected", "PUK needed", "tries left", etc... (source file would be nice)
or a script for Dexter's WinExplorer....

Thanks in advance...

Kilrah
19-11-2002, 08:42 AM
@Dave:

Yes, maybe you're right, it won't accept a reset.
As I just started to work with PICs last Friday (12F675 to be precise), it occurred to me that we could use one to measure the current (with the integrated 10-bit ADC) and power the SIM through I/O ports :D:D As each pin can source 25 mA with a max total of 125 mA, we could use 3 outputs in parallel (75 mA should be enough) so we don't need an extra transistor... This would allow very precise control and very fast response... and it's much easier to change parameters in software than to change components to adapt to the current values of each SIM!
Of course we could also make an analog circuit after this for those who can't get PICs...

Well, I'll post the schematic today when I've done it...

@Joker_hk:

Your solution won't work. In fact the SIM never waits for the PIN. Instead it refuses every command that needs identification before it has received a PIN verification request with a correct PIN.

Even if it was waiting for it, it would be completely stupid to do a for() statement... otherwise you would just have to wait for 10 mins and the SIM would bypass the PIN! It would more likely be a "do...while no PIN"!

Anyway, have a look at this: it's the GSM 11.11 specification, about SIM structure and the SIM-ME interface. You will learn many things even if it's boring to read (specification language...)
It helped me understand when I was doing SIM emulation on my old Motorola :P

Regards
Kilrah

Kilrah
19-11-2002, 01:42 PM
OK, here is a schematic. Tell me what you think about it. Of course without the software it doesn't mean much, but here is the principle:
R1/R2 set the voltage reference of the ADC at 1 V. GP0/GP2/GP5 are the 3 I/O lines that will power the SIM. R3 is used to measure the current that flows through the SIM. With R3 = 1 Ohm, we have 1 mV on R3 for each mA flowing through it.
As the ADC in the PIC is 10-bit, with Vref = 1 V we have 1 LSB ≈ 1 mV. So it is easy to enter the threshold in the software!
For example: if ADC value > 40 -> shut down power for 1 sec.
Min time and threshold can be determined by tests and adjusted.
The ENABLE switch allows selecting current-limited or normal operation.


I had to put R3 between the card's GND and the power supply ground because the ADC's bottom reference is fixed to the PIC's Vss.

If someone has followed, give comments, otherwise ask for clarifications.. :grin:

Regards
Kilrah

Kilrah
19-11-2002, 01:43 PM
:rolleyes: Oops... forgot the file

DaveGSM82
19-11-2002, 07:39 PM
@ kilrah,

Excellent work, this looks like a good idea. Just one thought though: the resistor R1 will create a voltage drop of say 50 mV when 50 mA is drawn. Will the SIM like this or not? It may have problems with the undervolt situation (doubtful, but it's something to think about). Also, what is the clock frequency of the 12c675? As I'm thinking the ADC runs from its internal clock, if it's about 1 MHz we may have problems with the ADC not scaling quickly enough to catch the voltage spike. If this lets us down, consider the PIC16C71 which has a max clock frequency of 20 MHz, which in my view would probably be ample for this application; speed is of the essence.
4 MHz @ 10-bit ADC = 3906 conversions/sec max (plus routine code)
20 MHz @ 10-bit ADC = 19531 conversions/sec max (plus routine code)

These figures suggest that if the code is more than 20 or so lines long then we will need a faster chip. Remember, while in secure mode ALL processor power in the SIM is given to the PIN compare action, which means if we catch this pulse we will have to be quick. There's one other thing we have possibly overlooked: the SIM clock. Let's slow it down as much as possible to allow greater time for the current limiter to take effect.

Your comments please?
Dave.

Joker_hk
19-11-2002, 08:13 PM
Working on that....
It will work almost as slow as you want...

Maybe the PIC that controls the current supplied could also manage the clock and the communications with the SIM... what do ya think?

Or just drop comms from 9600 to 1200 or less, thus giving enough time for the PIC to catch up....

DaveGSM82
19-11-2002, 08:34 PM
Hmm... will they go down to 600 baud? As we need something quick enough to bombard the SIM with enough hits per second so that it doesn't take hours to do. (There are 9999 different combinations for the PIN and 99999999 different combinations for the PUK, which we should also be able to crack by this method.) Maybe we could eventually produce something which could stand alone and crack PINs or PUKs without the need for a computer; once found it could reset the PIN to a default value or reset the entire SIM in the case of a PUK-finding expedition.

Dave.

Kilrah
20-11-2002, 08:47 AM
Hi!

Ok, I'll answer all these...
1) First the voltage drop. As it is 50 mV only, the SIM won't see anything. The min voltage (from the card's spec) is 4.5 V.

2) I just calculated the max sampling frequency of the ADC. Found about 35 kHz. By using interrupt-driven control, we can execute our program during the conversion, so we don't lose any time. (The 12F675 frequency is 4 MHz with the internal RC oscillator, and up to 20 MHz with an external crystal oscillator, but it takes 2 pins...)

3) Of course it is easy to slow down the clock speed. But I just thought it would already be long enough at normal speed! We'll have to try, and if it doesn't work we can slow it down.

4) The all-in-one cracker would be perfect, if we don't need any PC any more. But I would need a PIC with more pins to implement communications and I don't have any here... anyway the next time I order some electronics material I'll get a 16F84!
In this case the PIC could control the clock only by inhibiting it, because otherwise all the PIC's speed would go into driving the clock line! But the advantage of doing something like this would be that the PIC can calibrate itself by finding the right current for each SIM!

Hmmm.... In fact if we put a transistor to supply the SIM we get 2 more pins on the PIC... 1 data line and 1 reset line!
Will think about it...

Regards
Kilrah

Joker_hk
20-11-2002, 04:35 PM
Take a look at Atmel AVRs, they work faster than Microchip's PICs...

'Cause they execute an op in a single clock cycle instead of 4 as PICs do...

They have very powerful instructions, and come in any combination you'd like... ADC, I/O ports, UARTs....
Just take a look at the Atmel webpage, in microcontrollers...

The 90S8515 is very widely used and it's not too expensive compared to the 16F84...

DaveGSM82
20-11-2002, 04:59 PM
@kilrah

Oh yeah, I forgot that the PIC will issue an interrupt when it's finished its scaling. I thought you would just be polling it till it finds the value.
I think the standalone may be far off as of now; it will take some doing to get all of the code functional. You may be able to help me with something else that I am doing. At uni we are programming the M68000, but our major project this year is actually PIC based. As you will know the architecture is different to conventional processor systems and I'm not yet accustomed to PIC-based systems or code. We are producing a device which monitors the temperature of specific points within a PC and reports back to the user (on 4x 7-segment displays) any irregularities like overtemp etc. and takes appropriate action such as switching on a fan or heat pump. Now the deadline is not as far off as I had hoped, so I may need some help with a few of the sections within the device.
We need:
1) some code which will allow us to use a port as serial (probably masking the port and addressing the 3 bits we need) instead of parallel.
2) basic help on initialising the ports etc.
3) performing arithmetical operations such as multiplication (which you will know is a pain in the arse with only 35 instructions)

Any help or direction would be greatly appreciated.

@joker_hk

If the PIC is no good then we could look at this; I only chose PIC because it's the only thing I'm semi-familiar with.

Dave.

Kilrah
21-11-2002, 10:52 AM
@joker_hk:

Already had a look at AVRs before getting my PICs, but they were difficult to get here. But the main reason for choosing PICs was that the assembler (MPLAB) is free, that I could easily build a programmer myself, and that I found a free programmer software. As easy as that. Oh, and also the only 8-pin AVR with ADC runs @ 1.6 MHz, so it's not much faster than my PIC @ 4 MHz.

Oops, I must go now, will continue tomorrow, sorry:(

brakk_
21-11-2002, 05:14 PM
Can't/wouldn't you use a MAX232 for COM I/O?
Or maybe use the MPLAB sample source code (at least for arithmetic operations; don't know about RS232 handling)

DaveGSM82
21-11-2002, 07:24 PM
@brakk_

It will not use 232 I/O; it's kind of a standalone unit which will fit in a 5 1/4" bay. It will have 4 x 7-segment displays which relay the info to the user; also the only I/O will be to the ADC (temp) and from digital outputs (fan control and display). But what I really need help with is the display output side; like I said, I need some code which will allow me to use the port as a serial device while still using the other 5 bits as parallel (basically as high or low outputs to control the fan or power switch).

Can anyone help me? It would be greatly appreciated, believe me.

Dave.

Kilrah
22-11-2002, 08:49 AM
Hi Dave.

Would gladly help you, but I need to know a bit more...
Have you already written a schematic? If yes, post it so I can get an idea of the hardware...
Do you already have your displays, and do you know what type of serial interface you have to implement (SPI, I2C,...)?
What PIC will you use? For init they are all different, and some have 1 or 2 more instructions...

For my current project I measure the signals which come out of 2 gyroscopic sensors with 2 ADC inputs (the signal is a voltage proportional to the angular velocity of the sensor), then integrate it to have a position instead of a speed. Then I send the position information to a dual serial DAC to interface with a radio control system. The goal is to put a video camera on a pan/tilt mechanical assembly, and to control its position with head movements.
I started writing the code a week ago (had never touched PICs before...) and I already have about 8 pages of assembly code.... It's not finished yet but I have some code that could interest you.

My DAC has an SPI serial input, and I've already written the code for serial transfer (actually the 1st part I did..) and it works fine.
If you give me the specs of your project and tell me clearly where you have problems, I can help you.

One more thing: when is your deadline? :grin:

Regards
Kilrah

brakk_
22-11-2002, 01:09 PM
@dave
Ok, the serial & ports terms put my brain in a wrong way.
I saw lots of 'standalone' *meters based on Atmel AT90x chips; don't know if it's due to bigger software source development or MCU facilities. I will look at the datasheet.

DaveGSM82
22-11-2002, 08:40 PM
@ kilrah

Ok, the specs.
PIC - 16C71 or 73. Both have ADCs.
Display Driver - Motorola MM14499 (4x7 segment) (attached datasheet)
Temperature Input - well, whatever I can get my hands on.

The device takes readings from up to 4 separate inputs, checks them to see whether they are within the set tolerance limits (simple arithmetic functions) and then displays the value to the user. The display driver requires serial input of 1 byte per segment: 20 bits must be clocked in (4 for the 4 displays, plus 4 bytes for the decimal point); each bit must be clocked in and also another pin must go low while the entire operation is going on. I want to be able to pass the entire 20-bit longword (8+8+4) to the section of code and have it automatically output it (or I'll just store it in RAM and call the subroutine to get it from the specified location, i.e. D0->D3; that's why I'd need the 16C73, more RAM). Are you familiar with C or C++? I've heard that some PICs can be programmed in C, don't know which though.

The hand-in date? Well, the official date is exam time next summer, but we need something which looks like it might work to hand in for our preliminary design.

What uni are you at?

Thanks, Dave.

DaveGSM82
22-11-2002, 08:48 PM
Oops.... here's the attachment.

DaveGSM82
22-11-2002, 08:55 PM
No, here it is. (arse)

DaveGSM82
24-11-2002, 10:37 PM
You guys still there? It's getting lonely here.

Dave.

Kilrah
25-11-2002, 08:56 AM
Yeah, I'm still here but not during the weekend... I always come on this forum from my work :D

btw I managed to get my project working yesterday evening... lots of assembly code! I just had a look at your PIC's datasheet, will post when I have time to do more!

Regs
Kilrah

Kilrah
25-11-2002, 10:57 AM
Do you want to use the decimal points?
In fact you don't need lots of RAM: max 5 bytes if you want to do it easily, and 3 if you want to be economical... but then it's more difficult to handle the data :)
But if you are not restricted by room (the 16C73b has many pins), I would recommend this one because it already has a hardware SPI interface. The 16C71 would also work but the transmission must be supported in software (small modifications to my procedure, easy to do). I leave you the choice...

As both PICs have PWM outputs, you could control the speed of a fan if you wanted to :D (even 2 for the 16C73b)

btw, how many outputs do you want to implement, and what info exactly do you want to display?

Regards
Kilrah

Kilrah
25-11-2002, 11:13 AM
You could also use the 16F872, with the advantage of flash memory (I can ASSURE you it's VERY useful for development; if you have to erase by UV every time you change 1 bit in the code it's VERY ANNOYING !!:D ) and it's even cheaper!
5x 10-bit ADC, SPI, PWM, 22 I/O, 20 MHz, 128 bytes RAM and 2k code

Regs
Kilrah

brakk_
26-11-2002, 03:33 PM
Still here, sure..
But I can't help you with Microchip's µ-controller, or maybe for display output, 'cause a friend of mine once used it as a simple e-doc reader; I'm just waiting for his new (or valid) email box to have more details.

Kilrah
07-12-2002, 10:22 PM
Hi all!
I haven't been here for some time now 'cause I changed division at work and I don't have my permanent connection anymore...:(

Anyway, I just had time to make my PIC current limiter. I built it from the schematic I posted before, omitting the ENABLE switch and adding a LED to view the card's power status.

I put it between the power supply of my card reader and the card connector. The limitation works fine, and I've written a soft which cuts the power for 500 ms when the current exceeds the programmed threshold.

BUT I found some problems when trying to use it. At first, I just powered everything without the PIC to check everything was OK, inserted the SIM into the reader, and the LED started to light. :confused: How!?!? There was absolutely no connection to the card's VCC pin! (apart from the LED).... I asked myself a lot of questions, and tried some things, to finally discover that the SIM was getting its power through the clock line! (found this by masking the contacts one by one with adhesive tape) ...amazing!
To confirm, I masked the VCC strip with tape, and put my SIM in my phones. First in a 3210, where it didn't work, and then in my 3330, where the SIM works absolutely normally! (for about 4 hours now....) :confused: :confused:
Is this a protection, or just a coincidence??

I then tried with another SIM, and this one worked normally, getting all its power from the VCC line. It must not be the same type...

So I could go a bit further... the next problem was that the current differences are MUCH smaller than Dave said.... about 4.1 mA idle, 4.2 mA working, and 4.25 mA writing... this causes some problems in detecting a write! Practically, it's very difficult to calibrate, and also nothing is stable... sometimes with the same limit I can't even ask for the card's status without a shutdown occurring, and without changing anything, I can read the whole SMS directory without problems 1 min later.....

But on the positive side I've been able to enter wrong PINs 2-3 times, and the card didn't record it. The problem is that the limit must be very low, and half of the time the SIM shuts down before letting me enter the PIN....

I think the best thing would be to do an all-in-one cracker which could calibrate itself automatically by analyzing the SIM's answers...

Could someone verify their SIM's current consumption in different states? Maybe some of them have bigger differences...

If someone has any idea, please suggest!
I attached a pic of the reader with the extension, notice the size!

Bye for now

Regards
Kilrah

KnOeFz
08-12-2002, 12:00 AM
It didn't record your attempts at the correct PIN code... very interesting! Exciting news!!

Hope you get things figured out!

-=K=-

Joker_hk
10-12-2002, 05:23 PM
@Kilrah

I've experienced the same problem with the clock line in my cards. To solve it I used a 1 kohm resistor in series with all data lines (clock, reset and I/O) just to make sure all current is drawn from the VCC pin.. I don't think this problem is a protection; my guess is that it's due to internal pull-ups...

I've "logged" the current in my SIM during a PIN verification, using my PC soundcard! It was pretty revealing, but I don't know if I'm interpreting it right, so I'm planning on posting a full report this weekend of my experiment so that someone could comment on my analysis... If my thoughts are correct then a new method could be applied, i.e.:
Instead of monitoring the current all the time, we'd use a pattern which is revealed (I think) in my report and cut only when a difference occurs from PIN right to PIN wrong...

Sorry for my English, hope you'll understand it ...

Kilrah
12-12-2002, 10:11 AM
I'm waiting!

Did you use this funny soundcard oscilloscope program that can be found on the net? I also have it but there is no voltage indication and it is much too slow for this, so I didn't use it...
I thought about putting resistors in series with the lines, but maybe even greater like 10 kOhm. Still haven't done it as I'm a bit short of time...
I'm looking forward to seeing your report as on the SIM I used the difference was so small that it could hardly be detected... I must change the measuring circuit to improve sensitivity. I had designed it for 50 mA, but it never gets over 5 mA... so I've got reserve! I'll change the scale to get a better resolution.

Well, bye for now!

Kilrah

Joker_hk
12-12-2002, 02:18 PM
No, I just used normal recording software, 'cause I wasn't looking for periodic signals... Ok, here's a preliminary:

- Built a current source using a general purpose transistor;
- Regulated the current to the point where the card sends an ATR so that the voltage drops would be best viewed...
- Built an amplifier to view the voltage drops better..
- Used Cool Edit Pro 1.1 to record the microphone input of the soundcard.
- Connected the input to my amplifier.
- Used the Dejan SIM scan software to insert the PIN, and recorded ("logged") the voltage drops during verification...

And I think I got different patterns while inserting right and wrong PINs..
The amplitude of the signal doesn't matter; what is interesting is the current peaks that can be observed... If we could find out the peak that is responsible for the writing we don't want....
Thus solving the amplitude problem, all that would matter is the time when the peaks occur...

I'll post the pictures and all schematics later; hmm.. posting a step response of my soundcard would be good. Sorry it has to be only at the weekend, but all the info is at my home 'lab' :) and I'm only at home on weekends...

nonu_don
13-12-2002, 10:30 AM
Man, I wish I could understand any of that.

Well, carry on, you guys...

:-))

Kilrah
13-12-2002, 05:06 PM
LOL! :P

Joker_hk
15-12-2002, 05:20 PM
Ok, here's the 'report' as promised; I just wrote it in a little bit of a hurry, 'cause I've been busy. Anyway, please comment...

Kilrah
17-12-2002, 10:58 AM
Hi!

Well, had a look at this, and it's very complete!
But I'm not very sure that the results are usable like this... like you suggested, your soundcard has a DC-cut filter, which is normal, to cut the possible offset differences between the device connected and the PC. That's why I didn't want to use this....
On the attached image, I've marked the points where it can be clearly seen (waveform falling when the current is supposed to be stable). That doesn't give any info about the intensity, only variations. But it's interesting to see that there is more "movement" when the PIN is right than when it's wrong...
Anyway, I'll try to get a digital oscilloscope and do a good DC analysis this week.
Also, I think the sampling freq must be a bit low with the 44.1 kHz of the sound card...

And btw I've ordered a PIC16F876 with enough resources to do a stand-alone cracking device!
But of course we still need to get this current thing...

Bye for now!

Regards
Kilrah

DaveGSM82
17-12-2002, 11:22 AM
thank you joker_hk,
Your report shows some interesting things, although I notice that so far we have only been monitoring the current on the VCC line; however we also know that current is drawn via the clock and I/O etc... so why not make something with several op-amps etc. which monitors the current on every pin of the SIM and gives us an overall total for current drain? (SIM overall current - I/O current - clock current) I think something like this would be quite easy (using something like an LM234 quad op-amp and some resistors). This will mean that we can control the card with full voltage levels on its I/O pins while still being able to accurately monitor the amount of current that the SIM is drawing, and not just the overall amount which is distributed to other things like the I/O pin.

Also I notice that the waveforms in the report seem to be saturated? Which means we can't see the absolute peaks of current drain. Can't we use the line-in port on our soundcards, as these are less sensitive and I think they don't have DC blocking like the mic does? (Also the mic port has frequency filters which block anything outside the human voice range.)

Your thoughts?
Dave.

DaveGSM82
17-12-2002, 11:28 AM
Oh yeah, I noticed that some SIM scanning progs (Dejan I think) ask the card for all of its information and it gives programming current as one variable. This could be useful for our "cracker"... or could it be our "Christmas cracker"? haha,

Dave.

Joker_hk
17-12-2002, 03:48 PM
The DC cut is a real problem for getting a good idea of the value. That's why I've only analysed the peaks, and even this may not be a good representation of reality, 'cause the sampling frequency is not that high.

@Kilrah, if you could try it with a digital oscilloscope it would be great... And we could verify how accurate those recordings are.

I think they're not too bad, 'cause at 44.1 kHz we get samples about 22.6 microseconds apart; if the micro on the SIM works at 1 microsecond per instruction, we get a sample after every 22 instructions... And the SIM will probably need to execute even more instructions to write EEPROM....

@DaveGSM, with the soundcard you can't get absolute information about the amplitude, only relative. That's the major difference of this procedure: the amplitude doesn't matter, only the time when the peaks occur... It's normal for the waves to be saturated, 'cause I was measuring an almost digital signal, and I've used an amp to connect to the soundcard. Though I could try to bypass the filters on my soundcard and connect a signal directly to the A/D...
I'll check your 'overall current' theory, but I do think that the resistors in the data lines are enough to ensure that there is very little current on these pins...
The information about programming voltage that cards send is probably a standard, which varies only with card type... and not from one card to another...

Thanks for your comments. Let's keep up the good work.

<M457>
18-12-2002, 09:20 AM
Hi to all,

Here is my simple SIM command guide.
If you have any questions, ask me in this forum.

ByEzZzZ

-=)(M457)(=-

kox
04-11-2003, 01:12 PM
Has anybody had successful results?