Reading KI and IMSI

To build a SIM emulator you first have to extract the following values from the original SIM card:
IMSI, the International Mobile Subscriber Identity: the subscriber's identifier on the network. It is not the telephone number (that is the MSISDN); it is the identity the network looks up the subscriber by.
KI, the individual subscriber authentication key: a secret unique to each IMSI, in other words the "password" that proves possession of that IMSI.
A subscriber registers on a GSM network with the IMSI, and the network then authenticates the SIM with a challenge that only a card holding the matching KI can answer correctly.

To extract these values you need a SIM-Reader device and the Smart_Scan program.

Smart_Scan performs a full functional analysis of a GSM SIM card: it can read the IMSI, KI, ICCID and ADN (phonebook) records and exchange raw APDUs with the card. It is a Win32 application and runs stably on Windows 98, Me, 2000, XP and 2003. The interface follows the well-known Woron Scan, whose layout was adopted as the most successful one; a good deal was also borrowed from SIM-Scan 2.01 by Dejan. The program needs at least 64 MB of free RAM and a 700 MHz or faster processor, preferably one with the MMX/SSE extensions (Pentium, Athlon). On motherboards built on non-Intel chipsets you must install the vendor's driver pack (for VIA, the "4 in 1" pack). Download and run Smart_Scan.

Before starting, configure the program. In the "CardReader" menu set the device type to "ESR/Phoenix", then open "CardReader" > "Settings".

Enter the following parameters:

COM Port Selection - the COM port to which the SIM-Reader or ESR device is connected.
Speed/Frequency - how the reader clocks the SIM; choose either a bit rate (baud) or a frequency in kilohertz. The right choice depends on the reader's crystal (usually 3.57 or 7.14 MHz). With an ESR 12-58 you can pick "ESR Auto detection".
Custom Speed - enter the reader speed by hand. The standard values are 9600 and 19200 bit/s.
Custom Frequency - enter the reader's crystal frequency by hand. The standard values are 3'574'700 and 7'140'000 Hz. This is useful when a non-standard crystal is fitted on the board. If the reader stops mid-scan with an error, try adjusting the custom frequency; this usually stabilises the reader.

ESR Device settings - parameters of the Energy Sensitive Reader, to be entered as the ESR instructions describe. The option is enabled only when an ESR is properly connected to the COM port; the program then detects the optimal operating mode automatically. When everything is entered, click OK.

Insert the SIM into the reader and connect the reader to the computer's COM port. Before reading you must enter PIN1. The ESR has a function that reads the PINs from a special memory area of the card and displays them; when an ESR is properly connected, the extra items in the "Security Codes" menu (read PIN1, PIN2, PUK1, PUK2) become enabled. From this menu you can change the PINs, enable or disable them, or read their state.

Some newer SIM cards can be ruined by KI extraction. Whether this happens depends on the chip used in the SIM. It mainly affects prepaid cards: they cap the number of A38 (authentication algorithm) invocations at 65'535, and once that resource is spent the card switches itself to a permanently blocked state. To avoid this, use only up-to-date software and hardware.

Experience with the new SIM cards produced in 2000-2004 shows that more and more of them carry the 65'535-cycle A38 limit. The authors of the ESR found an entirely different way of recovering KI, based on analysing the card's power consumption and electromagnetic emission while it computes (a side-channel attack rather than repeated querying), and this method is now implemented in Smart_Scan.

To extract the SIM keys the emulator needs, press the "KI" button (Tasks > KI Search).

A window appears showing the progress of the scan.
"Start" launches the scan.
"Pause" suspends the program temporarily. While paused the COM port stays open, so no other application can access it.
"Stop" aborts the scan. Pressing "Stop" resets all counters to zero and halts the program; the COM port is released for other applications. Save your project (Ctrl+S) before pressing "Stop".
"Check Pairs" verifies the KI pairs in the edit fields. The program fills these fields during the scan, but you may also type a pair in by hand. In our view this is useful only when part of KI is already known (for example from the operator) and the rest is to be found by scanning.
"Priority" - a combo box that sets the process priority of the program.
"5R Start Pair" - selects the algorithm variant (which pair is attacked first). For experienced users only.
"2R Buffer Reordering 0" - additional scan settings.

The field "GSM Algorithm Steps" shows how many times the SIM has been asked to run the A38 algorithm during the scan. The fewer queries, the safer it is for the SIM and the shorter the scan. Exceeding the query limit often locks the SIM for good (the limit is about 64000).

Once you have started scanning a SIM, carry the job through to the end: the card's authentication counter does not care how many sessions you split the work into, and it cannot be reset by the user. If you made 20'000 queries the day before yesterday, 15'000 yesterday and 25'000 today, the counter now stands at about 60'000, plus every call you have ever made with this SIM, since each network authentication counts too. (Incidentally, the network assigns a TMSI so that the SIM does not have to identify itself with its IMSI and be authenticated on every transaction; this keeps the number of authentications down in normal use.) So do not let the scan be interrupted, or you will have to scan the SIM again. This field corresponds to the "A38 Limit" field in SIM-Scan 2.01 (not more than 64000); the program enforces the limit automatically.

The field "Software Steps" counts the mathematical operations performed on the PC during the scan. Unlike "GSM Algorithm Steps", it has no effect on the SIM.
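The per-card A38 counter described above is easy to exhaust if every session starts counting from zero. As an added illustration (not Smart_Scan code), the Python below builds the GSM 11.11 RUN GSM ALGORITHM command, parses the SRES||Kc answer, and keeps a cumulative invocation count that is booked before each query, survives between sessions and refuses to pass the limit. The `send` transport and the `FakeSim` responder are assumptions standing in for a real reader; the SRES/Kc values are constructed.

```python
"""Budgeted RUN GSM ALGORITHM calls against a SIM with a finite A38 counter.

Added example, not part of Smart_Scan. Assumes a GSM 11.11 SIM (class byte
A0); the 64000 limit mirrors the page's safe value (the card's own counter
saturates at 65535). `send` is a hypothetical transport supplied by the
caller; FakeSim is a constructed stand-in so the flow runs without hardware.
"""
import os

CLA_GSM = 0xA0
INS_RUN_GSM_ALGORITHM = 0x88
INS_GET_RESPONSE = 0xC0
A38_LIMIT = 64000


def build_run_gsm_algorithm_apdu(rand: bytes) -> bytes:
    """RUN GSM ALGORITHM: A0 88 00 00 10 || RAND (16 bytes).
    The card answers SW 9F 0C: 12 bytes (SRES || Kc) wait for GET RESPONSE."""
    if len(rand) != 16:
        raise ValueError("RAND must be exactly 16 bytes")
    return bytes([CLA_GSM, INS_RUN_GSM_ALGORITHM, 0x00, 0x00, 0x10]) + rand


def build_get_response_apdu(length: int = 0x0C) -> bytes:
    return bytes([CLA_GSM, INS_GET_RESPONSE, 0x00, 0x00, length])


def parse_run_gsm_algorithm_response(resp: bytes) -> tuple:
    """Response data is SRES (4 bytes) || Kc (8 bytes), then SW 90 00."""
    if len(resp) != 14 or resp[12:] != b"\x90\x00":
        raise ValueError("unexpected RUN GSM ALGORITHM response: " + resp.hex())
    return resp[0:4], resp[4:12]


class A38Budget:
    """Cumulative count of A38 invocations on one SIM.

    The card's internal counter never resets, so the count is kept in a file
    between sessions when a path is given (path=None keeps it in memory).
    Each call is booked before the APDU goes out, so an interrupted session
    can only over-count, never under-count."""

    def __init__(self, path=None, limit=A38_LIMIT):
        self.path, self.limit = path, limit
        self.used = 0
        if path and os.path.exists(path):
            self.used = int(open(path).read().strip() or 0)

    def remaining(self) -> int:
        return self.limit - self.used

    def can_book(self, n: int = 1) -> bool:
        return self.used + n <= self.limit

    def book(self, n: int = 1) -> None:
        if not self.can_book(n):
            raise RuntimeError(f"A38 budget exhausted: {self.used}+{n} > {self.limit}")
        self.used += n
        if self.path:
            with open(self.path, "w") as fh:
                fh.write(str(self.used))


def run_gsm_algorithm(send, rand: bytes, budget: A38Budget) -> tuple:
    """One budgeted A38 query. `send` (assumed) maps an APDU to data || SW."""
    budget.book()
    sw = send(build_run_gsm_algorithm_apdu(rand))
    if sw != b"\x9f\x0c":
        raise RuntimeError("card did not signal 12 response bytes: " + sw.hex())
    return parse_run_gsm_algorithm_response(send(build_get_response_apdu()))


class FakeSim:
    """Constructed responder with a fixed SRES/Kc (not a real card's values)."""

    SRES, KC = bytes.fromhex("a1b2c3d4"), bytes.fromhex("0011223344556677")

    def __init__(self):
        self.pending, self.calls = None, 0

    def send(self, apdu: bytes) -> bytes:
        if apdu[:5] == bytes([CLA_GSM, INS_RUN_GSM_ALGORITHM, 0, 0, 0x10]) and len(apdu) == 21:
            self.calls += 1
            self.pending = self.SRES + self.KC
            return b"\x9f\x0c"
        if apdu[:4] == bytes([CLA_GSM, INS_GET_RESPONSE, 0, 0]) and self.pending:
            data, self.pending = self.pending, None
            return data + b"\x90\x00"
        return b"\x6d\x00"  # INS not supported


def scan_session(n_calls: int, budget: A38Budget, sim=None) -> int:
    """Issue up to n_calls queries with fresh RANDs, stopping at the limit;
    returns how many were actually sent."""
    sim = sim or FakeSim()
    sent = 0
    for _ in range(n_calls):
        if not budget.can_book():
            break
        run_gsm_algorithm(sim.send, os.urandom(16), budget)
        sent += 1
    return sent
```

With a file path passed to A38Budget, a second session picks up the count where the first left off, which is the behaviour the card's own counter has and the reason the page warns against scanning in several sittings.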

Users estimate that Smart_Scan runs about 30% faster than SIM-Scan 2.01. The program can also re-test a previously recovered KI so that you can follow how it was derived. Before reading KI you can already see the IMSI and ICCID of the SIM: they are stored in a public area of the card and the program reads them immediately. A Russian version of Smart_Scan is also available.
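How those "public area" values are actually read and decoded, as an added example (not code from Smart_Scan): the GSM 11.11 APDU sequence to select and read EF_ICCID and EF_IMSI, the swapped-nibble BCD decoding of both, and a Luhn check on the ICCID as a sanity test that the nibble order was handled correctly. The sample file contents are constructed, not read from any real card.

```python
"""Decoding a GSM SIM's public identifiers: ICCID (EF 2FE2 under the MF) and
IMSI (EF 6F07 under DF GSM 7F20).

Added example, not Smart_Scan code. File IDs, APDUs and nibble coding follow
GSM 11.11; SAMPLE_EF_* below are constructed sample bytes.
"""

CLA_GSM = 0xA0
MF, DF_GSM = 0x3F00, 0x7F20
EF_ICCID, EF_IMSI = 0x2FE2, 0x6F07


def select_apdu(fid: int) -> bytes:
    """SELECT by file ID: A0 A4 00 00 02 <fid>."""
    return bytes([CLA_GSM, 0xA4, 0x00, 0x00, 0x02, fid >> 8, fid & 0xFF])


def read_binary_apdu(length: int) -> bytes:
    """READ BINARY from offset 0: A0 B0 00 00 <len>."""
    return bytes([CLA_GSM, 0xB0, 0x00, 0x00, length])


def apdu_sequence() -> list:
    """Commands a reader sends to fetch both files (SELECT answers 9F xx;
    READ BINARY can follow directly without a GET RESPONSE)."""
    return [
        select_apdu(MF), select_apdu(EF_ICCID), read_binary_apdu(10),
        select_apdu(MF), select_apdu(DF_GSM), select_apdu(EF_IMSI),
        read_binary_apdu(9),
    ]


def bcd_nibbles(data: bytes) -> list:
    """Low nibble first, then high nibble, for every byte (swapped BCD)."""
    out = []
    for b in data:
        out += [b & 0x0F, b >> 4]
    return out


def decode_iccid(ef: bytes) -> str:
    """EF_ICCID: 10 bytes of swapped-nibble BCD, unused nibbles set to F."""
    if len(ef) != 10:
        raise ValueError("EF_ICCID must be 10 bytes")
    digits = [n for n in bcd_nibbles(ef) if n != 0x0F]
    if any(n > 9 for n in digits):
        raise ValueError("non-BCD nibble in ICCID")
    return "".join(map(str, digits))


def decode_imsi(ef: bytes) -> str:
    """EF_IMSI: byte 0 = length L (<= 8) of the coded IMSI; low nibble of byte 1
    = identity type (001 = IMSI) with bit 4 = parity (1: odd digit count);
    digits follow low nibble first, padded with F."""
    if len(ef) != 9 or not 1 <= ef[0] <= 8:
        raise ValueError("malformed EF_IMSI")
    nibbles = bcd_nibbles(ef[1:1 + ef[0]])
    header, digits = nibbles[0], nibbles[1:]
    if header & 0x7 != 0x1:
        raise ValueError("identity type is not IMSI")
    count = 2 * ef[0] - (1 if header & 0x8 else 2)
    digits = digits[:count]
    if any(n > 9 for n in digits):
        raise ValueError("non-BCD nibble in IMSI")
    return "".join(map(str, digits))


def luhn_ok(number: str) -> bool:
    """ICCIDs end in a Luhn check digit; a failed check usually means the
    nibbles were not swapped or a byte was dropped."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Constructed sample file contents, not taken from a real card.
SAMPLE_EF_ICCID = bytes.fromhex("981310325476981032f5")   # -> 8931012345678901235
SAMPLE_EF_IMSI = bytes.fromhex("080910101032547698")      # -> 001010123456789
```

If decode_imsi raises on the identity-type check, the file was read from the wrong directory (the MF rather than DF GSM); if the ICCID fails the Luhn check, the reader or the decoding has the nibble order backwards.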

The "<===" and "===>" buttons set where the attack starts, from the top or from the bottom of the key. Prefer the right-hand "===>" button, since the keys are then found more quickly. The slider selects the attack mechanism. The attack can start not only from the first pair (the usual case) but from any other pair: the program works through KI in byte pairs, and the "Start Pairs" radio group chooses the starting one. Use the checkboxes to display the pairs already known.
The fastest and safest way to recover KI from a "SIM Comp 2" card is the ESR method. It takes no more than 3 hours, and has a high chance of finding KI even on a Comp 2 card with the 65'535 A38 limit. When the key is found, the result is displayed on screen.

Anyone who wants to use SIM-Scan 2.01 can download it here:

par2.bin (place it alongside sim_scan.exe)

Woron_Scan 1.08 eng