Author Topic: Crack and find bugs in your SIM card: SIMtester (Java)  (Read 3718 times)

Crack and find bugs in your SIM card: SIMtester (Java)
« on: 24. January 2014., 14:49:36 »

Leads to:

The provided tools assess SIM card security in two dimensions:

- Cryptanalytic attack surface: collect cryptographic signatures and encryptions of known plaintexts.
- Application attack surface: generate a list of all application identifiers (TAR) and find "unprotected" (MSL=0) applications.

Requirements:
Java 1.7 (the code can easily be tweaked to compile under Java 1.6 or even lower if needed)
PC/SC reader (via the pcsc daemon) -or-
Osmocom phone (via libosmosim)

Pre-compiled .jar with libraries:
Source code:

Running SIMTester on the LiveISO
Choose "Run Test" -> "SIM" from the main menu and follow the instructions.

Running SIMTester by hand
SIMTester is a Java application (JAR archive); both sources and binaries are available in the SIMTester git repository (


You can either compile your own JAR from sources or run the pre-compiled JAR in "binaries/" directory like this:
java -jar SIMTester.jar <arguments>

General options
command line option                        description
-vp, --verify-pin <pin>                    verifies the PIN, works for CHV1
-sp, --skip-pin                            skips PIN verification and ignores permission errors (may produce incomplete results!)
-dp, --disable-pin <pin>                   disables the PIN, works for CHV1 (ideal for test cards, so no PIN database is needed)
-tf, --terminal-factory <PCSC/OsmocomBB>   which SIM card reader backend you are using
-ri, --reader-index <index of a reader>    multiple PC/SC readers can be connected, the first is 0
-gsmmap, --gsmmap                          automatically contribute data to

SIMTester has 3 main functions:

Fuzzer: has its own logic, fuzzes ~120 chosen TARs, and is divided into 3 modes:

Full fuzzing (default) - all 15 keysets with all 16 fuzzing mechanisms

Quick fuzzing (-qf option) - keysets 1 to 6, only 4 most successful fuzzing mechanisms

Poke the card (-poke option) - same as quick fuzzing but only fuzzes 3 most common TARs (000000, B00001, B00010)

Custom keysets and TARs can be specified via -t and -k parameters (space being a delimiter between multiple values).

TAR Scanner: scans for valid TAR values by sending messages to them, has 2 modes:
- Full scan (-st option) - scans all possible TAR values (0x000000 - 0xFFFFFF) - may take a few hours or several days depending on your SIM card's speed
- Ranged scan (-str option) - scans for valid TAR values in pre-specified ranges to shorten the scan
A starting value for the Full scan can be specified using the -t option.
The keyset used for sending messages can be specified using the -k option (for both Full and Ranged scans).

Tip: run the fuzzer first, see which keysets seem responsive (give responses other than none) and use one of those for TAR scanning. If you use an inactive keyset it is very probable that the card will NOT answer even on a valid TAR, which makes TAR scanning non-functional.

APDU Scanner: scans for valid APDU values (think of APDUs as commands to the card) on TARs without any public APDU reference, has 2 modes:
- LEVEL 1 scan (performed automatically after the Fuzzer finishes and has found unprotected TARs with responses) - only scans for valid CLA values 0x00 - 0xFF - performed via OTA messages.
- LEVEL 2 scan (-sa option) - scans for both CLA 0x00 - 0xFF and INS 0x00 - 0xFF - performed locally over card I/O on the initially selected application.
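What the Fuzzer and TAR Scanner above actually send is a 3GPP TS 03.48 OTA command packet addressed to a TAR with a chosen keyset, and what they read back is the card's proof-of-receipt (PoR) packet. The following is an added example, not SIMTester's own code: it builds an unprotected command packet (SPI 0x00, the case an MSL=0 application accepts), parses a PoR, and turns the PoR status into the kind of verdict a TAR scan needs (0x09 "TAR unknown" versus any other status, which proves the TAR exists). The field layout is from TS 03.48; the function names, the constructed sample responses and the verdict rules in classify() are this example's own assumptions, and no RC/CC/DS checksum is computed, so it covers the unsecured probe only.

```python
"""3GPP TS 03.48 OTA command packet builder and proof-of-receipt (PoR) parser.

Added illustration, not SIMTester's code. Field layout follows TS 03.48
(command packet: CPL CHL SPI KIc KID TAR CNTR PCNTR [RC/CC/DS] data;
response packet: RPL RHL TAR CNTR PCNTR status [RC/CC/DS] data). The
function names, the constructed sample responses and the verdicts in
classify() are this example's own assumptions.
"""
import struct

# Response status codes defined in TS 03.48 for the PoR packet.
POR_STATUS = {
    0x00: "PoR OK", 0x01: "RC/CC/DS failed", 0x02: "CNTR low",
    0x03: "CNTR high", 0x04: "CNTR blocked", 0x05: "ciphering error",
    0x06: "unidentified security error", 0x07: "insufficient memory",
    0x08: "more time needed", 0x09: "TAR unknown",
    0x0A: "insufficient security level",
}

# The three TARs that SIMTester's -poke mode probes (from the page).
POKE_TARS = [bytes.fromhex(t) for t in ("000000", "B00001", "B00010")]


def kic_byte(keyset: int, algo: int = 0x01, mode: int = 0x01) -> int:
    """KIc/KID coding: b5-b8 key set number (1..15), b3-b4 DES mode, b1-b2 algorithm.
    Defaults give the DES family (01) with two-key triple DES (01)."""
    if not 1 <= keyset <= 15:
        raise ValueError("key set number must be 1..15")
    return (keyset << 4) | ((mode & 0x3) << 2) | (algo & 0x3)


def build_command_packet(tar: bytes, keyset: int, payload: bytes,
                         spi: bytes = b"\x00\x11", counter: int = 0) -> bytes:
    """Build an unprotected command packet (no RC/CC/DS, no ciphering).

    SPI byte 1 = 0x00: no RC/CC/DS, no ciphering, no counter checking, which is
    what an MSL=0 application accepts. SPI byte 2 = 0x11: PoR required (b1-b2 = 01)
    and returned by SMS-SUBMIT (b5), so every probe yields an observable answer.
    Secured packets (SPI byte 1 != 0) would also need a 3DES checksum over the
    header and data computed with the keyset's KID; that is not done here.
    """
    if len(tar) != 3:
        raise ValueError("TAR is 3 bytes")
    if spi[0] & 0x07:
        raise ValueError("this builder only emits unsecured packets (SPI b1-b3 clear)")
    header = (spi + bytes([kic_byte(keyset), kic_byte(keyset)])
              + tar + counter.to_bytes(5, "big") + b"\x00")   # PCNTR = 0, unciphered
    body = bytes([len(header)]) + header + payload            # CHL counts SPI..RC/CC/DS
    return struct.pack(">H", len(body)) + body                # CPL counts everything after it


def parse_response_packet(data: bytes) -> dict:
    """Parse a PoR: RPL(2) RHL(1) TAR(3) CNTR(5) PCNTR(1) status(1) [RC/CC/DS] [data].
    RPL counts everything after itself; RHL counts TAR..RC/CC/DS inclusive."""
    if len(data) < 13:
        raise ValueError("response packet too short")
    (rpl,) = struct.unpack(">H", data[:2])
    if rpl != len(data) - 2:
        raise ValueError("RPL %d does not match %d bytes" % (rpl, len(data) - 2))
    sig_len = data[2] - 10                   # 10 = TAR(3) + CNTR(5) + PCNTR(1) + status(1)
    if sig_len < 0 or 13 + sig_len > len(data):
        raise ValueError("RHL inconsistent with packet length")
    return {
        "tar": data[3:6],
        "cntr": int.from_bytes(data[6:11], "big"),
        "pcntr": data[11],
        "status": data[12],
        "rc_cc_ds": data[13:13 + sig_len],
        "data": data[13 + sig_len:],
    }


def classify(status: int) -> str:
    """Verdict a TAR scan can draw from the PoR status (this example's rule, not SIMTester's).
    Only 0x09 says the TAR is absent; every other status proves the TAR exists, and
    0x00 to an unsecured packet means the application answered at MSL=0."""
    if status == 0x09:
        return "unknown TAR"
    if status == 0x00:
        return "valid TAR, answered unprotected (MSL=0)"
    if status in (0x01, 0x05, 0x06, 0x0A):
        return "valid TAR, rejected for security (needs RC/CC/DS or ciphering)"
    return "valid TAR, " + POR_STATUS.get(status, "reserved status 0x%02X" % status)


def make_por(tar: bytes, status: int, extra: bytes = b"") -> bytes:
    """Constructed sample PoR without RC/CC/DS (RHL = 10), for offline testing."""
    body = bytes([10]) + tar + bytes(5) + b"\x00" + bytes([status]) + extra
    return struct.pack(">H", len(body)) + body


def scan_verdicts(responses: dict) -> dict:
    """Map each probed TAR (hex) to its verdict, given {tar_bytes: raw PoR bytes}."""
    return {tar.hex(): classify(parse_response_packet(por)["status"])
            for tar, por in responses.items()}


if __name__ == "__main__":
    pkt = build_command_packet(POKE_TARS[2], keyset=1, payload=b"\x00\xa4\x04\x00")
    print("command packet:", pkt.hex())
    # Constructed responses standing in for a card's answers to the three poke TARs.
    sample = {POKE_TARS[0]: make_por(POKE_TARS[0], 0x00, b"\x90\x00"),
              POKE_TARS[1]: make_por(POKE_TARS[1], 0x0A),
              POKE_TARS[2]: make_por(POKE_TARS[2], 0x09)}
    for tar, verdict in scan_verdicts(sample).items():
        print(tar, "->", verdict)
```

The keyset number sits in the upper nibble of KIc/KID, which is why the page talks about 15 keysets: values 1..15. The tip above about inactive keysets follows from the same structure, since a card that does not recognise the keyset may simply send no PoR at all, and the absence of a packet is not the same as a 0x09 status.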

Using OsmocomBB phone as a SIM reader
This requires a patched firmware and a library. Patched sources can be found in luca/libosmosim branch in OsmocomBB git tree:
git clone git://
cd osmocom-bb/
git checkout luca/libosmosim

Once compiled, use the layer1.compalram.bin firmware and copy the built library (from layer23/src/libosmosim/.libs/) to your java.library.path folder (usually /usr/lib/jni/ on Linux).

Then use -tf OsmocomBB to turn your Osmocom phone into a SIM card reader for SIMTester.

Contribution to
A new option, -gsmmap, was introduced in version 1.5 to provide upload functionality even for users not using the Live-System.

Tor can be also used by specifying:
java -jar SIMTester.jar -gsmmap -socksProxyHost= -socksProxyPort=<tor_port> ... other options ...

If you already have scanned your cards without -gsmmap option, you can use the web form here: to upload your CSV results SIMTester provided.

The software uses several libraries; if compiling from source, the following are needed:

Apache Commons CLI 1.3
Apache HttpClient 4.3.x
CombinatoricsLib 2.0
SIMLibrary - available in the git along with SIMTester


Samker's Computer Forum -