eSIM (eUICC) forensics

RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Who has experience in Samsung Gear S2 Classic 3G with eSIM chip-off
forensics? The CSP (Communications Service Provider) runs a cloud-based
customer profile configurable over an Android app.

Which eSIM manufacturer is designed into this model? Opening and
probably damaging the device may cause harm, so we are first trying to image
the data out for evidence, but how do we get the eSIM profile out of the eSIM?
Asking the CSP is the 2nd choice; we want to collect the profile ourselves.

Here is a Chinese teardown site:
http://www.eepw.com.cn/article/284647.htm

Inside is a Qualcomm Snapdragon 400 chip with LTE capability:
http://www.qualcomm.com/media/documents/files/snapdragon-400-processor-product-brief.pdf

Running OS should be Tizen OS
https://www.tizen.org/

Which forensics suite can dump Tizen OS?

Mainboard side with Qualcomm WTR2605 LTE. Kind of confused: is LTE in the Snapdragon or the WTR now? Who knows?
http://www.ewisetech.com/Device/SmartWearable/2304/PartCollection/Substrate-10853

Any advice is very much appreciated.

 
Posted : 23/05/2016 3:36 pm
(@kuiper)
Posts: 7
Active Member
 

This chip is supported by our systems - http://www.ewisetech.com/Device/SmartWearable/2304/PartCollection/Substrate-10853/Component-23311- and we can do a chip-off on the watch if you wish.

As for Tizen, I'll be honest - we haven't had anything in running it, so I don't know which forensic tools will or won't parse data from it. We've got a wide range of tools that we could try though…

Let me know if you want our help - zj@3ef.co.uk :)

 
Posted : 24/05/2016 12:57 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Great offer and thank you! To understand the DeepTech and train our own skills we fight daily :)

 
Posted : 24/05/2016 12:43 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

The setup finally changed to Tizen OS and a Samsung Exynos dual-core CPU. As VoLTE is possible standalone (in contrast, the Apple Watch requires an iPhone 6/6S/Plus for calling), how does Tizen OS log the calling process?

From the Communications Service Provider (CSP) side, with the eSIM on board, what does the (transmitted) User Agent String look like besides the IMEI? The IMSI will not reveal the eSIM, as MCC, MNC and MSISDN as its three ingredients give no hint.

Who has investigated Tizen OS artifacts in depth?

 
Posted : 05/06/2016 11:22 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

By scanning the QR code on the eSIM voucher, the URL linked behind it downloads the eSIM profile and transmits it from the Android phone over Bluetooth to the eSIM in the watch. Will the artifacts of the profile be found in the Bluetooth log?

Here is the GSMA provisioning architecture:

http://www.gsma.com/connectedliving/wp-content/uploads/2014/01/1.-GSMA-Embedded-SIM-Remote-Provisioning-Architecture-Version-1.1.pdf

For Vodafone (D), Giesecke & Devrient reported to deliver the eSIM chip with asym crypto. See here:

https://www.gi-de.com/en/about_g_d/press/press_releases/eSIM-technology-by-G%26D-supports-Vodafones-implementation-of-eSIM-specification-g40512.jsp

Vodafone explained the secure packet in short here on SlideShare (be aware, Vodafone slides!):

http://www.slideshare.net/zahidtg/embedded-sims

The ETSI TS 102 225 for secure packet provisioning is here:

http://www.etsi.org/deliver/etsi_ts/102200_102299/102225/12.00.00_60/ts_102225v120000p.pdf

 
Posted : 06/06/2016 1:21 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Profile activation on the eUICC (embedded Universal Integrated Circuit Card) is specified in ETSI TS (Technical Specification) 103 383 V13.0.0 (2015-10). Is this the most accurate doc for the Subscription Management (SM)?

See page 22 for the best graphical overview:

http://www.etsi.org/deliver/etsi_ts/103300_103399/103383/13.00.00_60/ts_103383v130000p.pdf

 
Posted : 09/06/2016 11:09 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Remote Provisioning Architecture for Embedded UICC Technical Specification Version 3.1 27 May 2016

http://www.gsma.com/newsroom/wp-content/uploads//SGP.02_v3.1.pdf

Embedded UICC Protection Profile Version 1.1 25/08/2015

http://www.gsma.com/connectedliving/wp-content/uploads/2015/11/SGP.05-v1.1.pdf

 
Posted : 09/06/2016 12:45 pm
(@trewmte)
Posts: 1877
Noble Member
 

Good connections to the technical background…thanks Rolf

 
Posted : 10/06/2016 1:36 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Best piece of beacon comes here! 524 pages eUICC Test Specification (now I can relax)

SGP.11_v3.1 31 May 2016

http://www.gsma.com/newsroom/wp-content/uploads//SGP.11_v3.1.pdf

 
Posted : 10/06/2016 12:23 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

On the voucher, the QR code and the SIM-PIN or SIM S/N are the appropriate authentication. We googled the voucher QR codes of Vodafone and tried to open the related URL with the Samsung Gear app. How many attempts are possible to enter the PIN or S/N until the application backend closes?

Who has a Gear S2 3G in lab too?

 
Posted : 10/06/2016 7:25 pm