
SIM PIN Challenge

(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Back in 2005 I was at a presentation by a SIM manufacturer when the presentation turned to CHV (Card Holder Verification), the correct technical term for PIN used for SIM Cards.

The presentation had reached the part "Verifying the CHV" and went on to record

~ To verify PIN, the verifyCHV APDU is used….

A0 20 00 CHVNum 08 PINValue

~ The message sent from the phone to the SIM in order to check your PIN number 1111, is

A0 20 00 01 08 313131FFFFFFFF

This all seemed normal until three slides later when the presentation started to discuss "File Structure after personalization" and displayed the graphics starting with the Master File (MF) and under which there were five Elementary Files (EF). The graphics displayed in the presentation were text book style when discussing MF and EFs, except for this presentation the manufacturer had gone as far as to identify two particular CHV EFs; one of which was 3F00 - EF_CHV1 0000.

So does that mean a particular EF under the MF in SIM with a logical address 3F00 0000 is always going to be the CHV1 file and would the raw data from that EF reveal a user's PIN number?

Below are raw data extracts from three phases of SIM cards - Phase 1, Phase 2 and Phase 3 (2+) and harvested from the Master File (MF) 3F00 and an unnamed EF immediately under the MF with an address 3F00 0000.

Your challenge, if you are interested, is to examine the raw data and corroborate whether the data reveals a user's CHV1 (PIN number) or not.

To help, you may want to check the GSM SIM card standard GSM 11.11 to comprehend file structure, formatting and coding etc for elementary files and to learn what the standard has to say about CHV/PIN.

As forensic investigators you shouldn't need the 'carrot and stick' approach to get you to undertake this challenge because I know how much you all love your work and can't get enough of it and that should be reward enough :-). However, the first person who posts the correct answer at Forensic Focus, I am sure we can sort out some sort of prize.

However, there are some rules (there is always something like this)

1) Your answer should contain identification of a document or weblink that supports the answer (the document/weblink must be traceable and not based on "something somebody told you"). This will be checked before any prize is awarded.
2) Challenge closes 15th February 2012.
3) I won't be giving the answer, because I do not want everyone just to sit back and think they can wait for my reply.

GOOD LUCK

PHASE 1 SIM Card
3F00
——————————————————————————–
Response 00 00 1A 47 3F 00 00 00 F1 F4 44 13 15 83 02 03 04 00 82 8A 00 00 00 00 00 00 00 00 00 00 00 00 00 00
—————————————-
Allocated memory 1A47
File ID 3F00
Type of file MF
Number of DF 2
Number of EF 3
Number of CHV's 4
CHV1(PIN1) Disabled
CHV1(PIN1) Status 2 Tries left
CHV1(PIN1) Status 10 Tries left
CHV1(PIN1) Status 0 Tries left
CHV1(PIN1) Status 0 Tries left
——————————————————————————–

3F000000
——————————————————————————–
Response 00 00 00 18 00 00 00 00 FF FF FF 13 06 00 00 02 01 00 00 0A FF
—————————————-
File ID 0000
Type of file RFU
Structure of file Transparent
File Size 0018
Read Access CHV (PIN) 15
Write Access CHV (PIN) 15
Increase Access CHV (PIN) 15
Rehabilitate CHV (PIN) 15
Invalidate Access CHV (PIN) 15
File Status Not Invalidated
——————————————————————————–

Phase 2 SIM Card
3F00
——————————————————————————–
Response 00 00 63 9C 3F 00 01 FF FF FF FF 01 0E 93 02 07 02 00 83 8A 00 00 00 00 83 00 FF
—————————————-
Allocated memory 639C
File ID 3F00
Type of file MF
Number of DF 2
Number of EF 7
Number of CHV's 2
CHV1(PIN1) Disabled
CHV1(PIN1) Status 3 Tries left
CHV1(PIN1) Status 10 Tries left
CHV1(PIN1) Status 0 Tries left
CHV1(PIN1) Status 0 Tries left
——————————————————————————–

3F000000
——————————————————————————–
Response 00 00 00 12 00 00 04 00 FA FF FF 01 02 00 00
—————————————-
File ID 0000
Type of file EF
Structure of file Transparent
File Size 0012
Read Access CHV (PIN) 15
Write Access CHV (PIN) 10
Increase Access CHV (PIN) 15
Rehabilitate CHV (PIN) 15
Invalidate Access CHV (PIN) 15
File Status Not Invalidated
——————————————————————————–

Phase 3 (2+) SIM Card
3F00
——————————————————————————–
Response 00 00 00 01 3F 00 01 00 00 00 00 00 09 81 04 12 0A 00 83 8A 83 8A
—————————————-
Allocated memory 0001
File ID 3F00
Type of file MF
Number of DF 4
Number of EF 18
Number of CHV's 10
CHV1(PIN1) Disabled
CHV1(PIN1) Status 3 Tries left
CHV1(PIN1) Status 10 Tries left
CHV1(PIN1) Status 3 Tries left
CHV1(PIN1) Status 10 Tries left
——————————————————————————–

3F000000
——————————————————————————–
Response 00 00 00 17 00 00 04 00 FB FF FF 01 02 00 00
—————————————-
File ID 0000
Type of file EF
Structure of file Transparent
File Size 0017
Read Access CHV (PIN) 15
Write Access CHV (PIN) 11
Increase Access CHV (PIN) 15
Rehabilitate CHV (PIN) 15
Invalidate Access CHV (PIN) 15
File Status Not Invalidated
——————————————————————————–

 
Posted : 08/01/2009 1:30 am
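As an added example that is not part of the original post, the sketch below decodes the three 3F00/0000 responses quoted above using the EF status layout and access condition levels from GSM 11.11 (0 = ALW, 1 = CHV1, 2 = CHV2, 3 = RFU, 4 to 14 = ADM, 15 = NEV), and builds the VERIFY CHV command, whose data field is always eight bytes (P3 = 08): the ASCII digits of the CHV padded with FF. The function and variable names are assumptions chosen for this illustration.

```python
# Added example (not from the thread): GSM 11.11 EF status decoding.
ACCESS = {0: "ALW", 1: "CHV1", 2: "CHV2", 3: "RFU", 15: "NEV"}  # 4..14 = ADM
FILE_TYPE = {0x00: "RFU", 0x01: "MF", 0x02: "DF", 0x04: "EF"}
STRUCTURE = {0x00: "transparent", 0x01: "linear fixed", 0x03: "cyclic"}

# Responses for 3F00/0000 copied from the post above.
SAMPLES = {
    "phase1": "00 00 00 18 00 00 00 00 FF FF FF 13 06 00 00 02 01 00 00 0A FF",
    "phase2": "00 00 00 12 00 00 04 00 FA FF FF 01 02 00 00",
    "phase3": "00 00 00 17 00 00 04 00 FB FF FF 01 02 00 00",
}


def access_name(level):
    """Map a 4-bit access condition level to its GSM 11.11 name."""
    return ACCESS.get(level, "ADM")


def parse_ef_status(hex_response):
    """Parse the status bytes returned after selecting an EF."""
    b = bytes.fromhex(hex_response)
    if len(b) < 14:
        raise ValueError("EF status needs at least 14 bytes, got %d" % len(b))
    return {
        "file_size": int.from_bytes(b[2:4], "big"),   # bytes 3-4
        "file_id": b[4:6].hex().upper(),              # bytes 5-6
        "file_type": FILE_TYPE.get(b[6], "unknown"),  # byte 7
        "read": access_name(b[8] >> 4),               # byte 9, high nibble
        "update": access_name(b[8] & 0x0F),           # byte 9, low nibble
        "increase": access_name(b[9] >> 4),           # byte 10, high nibble
        "rehabilitate": access_name(b[10] >> 4),      # byte 11, high nibble
        "invalidate": access_name(b[10] & 0x0F),      # byte 11, low nibble
        "invalidated": not (b[11] & 0x01),            # byte 12, bit 1
        "structure": STRUCTURE.get(b[13], "unknown"), # byte 14
    }


def encode_verify_chv(chv_num, pin):
    """Build VERIFY CHV: A0 20 00 <CHVNum> 08 + ASCII digits padded with FF."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("CHV must be 4 to 8 decimal digits")
    data = pin.encode("ascii").ljust(8, b"\xff")
    return bytes([0xA0, 0x20, 0x00, chv_num, 0x08]) + data


if __name__ == "__main__":
    for name, response in SAMPLES.items():
        print(name, parse_ef_status(response))
    print(encode_verify_chv(1, "1111").hex(" ").upper())
```

For all three cards the READ condition decodes to level 15 (NEV), which GSM 11.11 defines as an action that cannot be performed over the SIM/ME interface.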
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

A reminder that this challenge ends on the 15th February 2009.

 
Posted : 02/02/2009 2:07 am
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

No pressure here guys, but we have had the first written response to the SIM PIN Challenge from a Challenge Entrant who has just started in mobile telephone forensics. This Challenge should therefore be a walk in the park for all you mobile phone and computer forensic examiners who have given evidence about SIM Cards in Court.

As a brief history about SIM Cards, the requirement for *Personal Identity Number (PIN) to be available in a SIM Card is defined by way of the GSM Standard GSM11.11. Moreover, GSM11.11 v3 1995 standard and onwards can be downloaded free of charge. So at least we know there is over 13 years of technical knowledge about SIM Card PIN that is traceable. Furthermore, there are other standards that are used to test for allocation and activation of PIN and the mandated execution of the function between the mobile phone and SIM Card.

*Do remember that PIN is only used because it is common language now, but has been made obsolete from the standards and replaced by CHV (Card Holder Verification).

Finally, many tens of thousands of SIM Cards have been examined and their evidence, along with examiners' testimonies/experts' opinions, have been presented in criminal proceedings at Court for well over a decade. A large number of the SIM Cards presented for examination had PIN enabled, thus understanding the fundamental operation of PIN is vital to forensic investigation understanding and the evidence presented about it.

I thought you might like to know I have sent copies of this Challenge and MOBILE FORENSICS AND EVIDENCE DEGREES/CHALLENGE (http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3388) to the following who have the responsibility for innovation, universities and skills; and regulation of forensic sciences:

- Rt Hon John Denham Secretary of State for the Department of Innovation, Universities and Skills (DIUS)
- Mr Andrew Rennison UK Forensic Science Regulator

 
Posted : 02/02/2009 4:13 pm
(@halil)
Posts: 1
New Member
 

We have studied a lot but could not find anything. Would you give more details/hints about the solution?

 
Posted : 17/02/2009 3:54 pm
Ninja
(@ninja)
Posts: 23
Eminent Member
 

Permit me to call you teacher. I've been going through your lesson series and am quite impressed at the way things are going in the forum.
I am in a country with a lot of kidnapping, which needs a lot of knowledge to despair. Though, my little field knowledge has been carrying me through various investigations. I am acquainted with knowledge of mobile forensics via self research and personal field challenges that have seen me through solving some kidnap and murder cases in my country. I've faint knowledge of IMEI, SIM, Blacklist, CDR etc. I really know I need to get to a mobile forensic school to be a professional. I also want to enlist your support in solving some cases arising from kidnaps.
Thank you!

 
Posted : 09/07/2009 3:48 am