== 10.1. A look at the Android code ==

[/platform/hardware/ril/+/refs/heads/master/rild/rild.c]
<syntaxhighlight lang="cpp">
//...
funcs = rilInit(&s_rilEnv, argc, rilArgv);
RLOGD("RIL_Init rilInit completed");
RIL_register(funcs);
//...
</syntaxhighlight>

Everything starts in the rild.c file (RILD = radio interface layer daemon). This code starts a service designed to handle response messages from the phone's radio. The fragment above registers the functions that handle responses for the different types of messages.

[/platform/hardware/ril/+/refs/heads/master/libril/ril_commands.h]
<syntaxhighlight lang="cpp">
{RIL_REQUEST_GET_IMSI, radio::getIMSIForAppResponse},
{RIL_REQUEST_ISIM_AUTHENTICATION, radio::requestIsimAuthenticationResponse},
{RIL_REQUEST_SIM_AUTHENTICATION, radio::requestIccSimAuthenticationResponse},
</syntaxhighlight>

The RILD allows vendors to write their own libraries for responding to the various radio messages [rild]. The required functions are defined in /platform/hardware/ril/+/refs/heads/master/include/telephony/ril.h. There is also a reference implementation in /platform/hardware/ril/+/refs/heads/master/reference-ril/reference-ril.c. From here on, assume that the reference implementation is the one being discussed.

[/platform/hardware/ril/+/refs/heads/master/reference-ril/reference-ril.c]
<syntaxhighlight lang="cpp">
case RIL_REQUEST_GET_IMSI:
    p_response = NULL;
    err = at_send_command_numeric("AT+CIMI", &p_response);

    if (err < 0 || p_response->success == 0) {
        RIL_onRequestComplete(t, RIL_E_GENERIC_FAILURE, NULL, 0);
    } else {
        RIL_onRequestComplete(t, RIL_E_SUCCESS,
            p_response->p_intermediates->line, sizeof(char *));
    }
    at_response_free(p_response);
    break;
</syntaxhighlight>

The MSC may send a message to request the phone's TMSI/IMSI number. To access the IMSI the phone uses AT commands to talk to the baseband processor; secret key extraction is possible at this layer [baseband-ki-extraction]. The baseband processor runs its own OS that interacts with the phone's radio, GPS, and WiFi. It controls access to parts of the SIM. The SIM also has its own operating system that supports applications which can interact with the baseband, and hence the network [java-card][sim-os].

[/platform/frameworks/opt/telephony/+/refs/heads/master/src/java/com/android/internal/telephony/PhoneSubInfoController.java]
<syntaxhighlight lang="java">
public String getIccSimChallengeResponse(int subId, int appType, int authType, String data)
        throws RemoteException {
    CallPhoneMethodHelper<String> toExecute = (phone)-> {
        UiccCard uiccCard = phone.getUiccCard();
        if (uiccCard == null) {
            loge("getIccSimChallengeResponse() UiccCard is null");
            return null;
        }

        UiccCardApplication uiccApp = uiccCard.getApplicationByType(appType);
        if (uiccApp == null) {
            loge("getIccSimChallengeResponse() no app with specified type -- " + appType);
            return null;
        } else {
            loge("getIccSimChallengeResponse() found app " + uiccApp.getAid()
                    + " specified type -- " + appType);
        }

        if (authType != UiccCardApplication.AUTH_CONTEXT_EAP_SIM
                && authType != UiccCardApplication.AUTH_CONTEXT_EAP_AKA) {
            loge("getIccSimChallengeResponse() unsupported authType: " + authType);
            return null;
        }
        return uiccApp.getIccRecords().getIccSimChallengeResponse(authType, data);
    };

    return callPhoneMethodWithPermissionCheck(
            subId, null, "getIccSimChallengeResponse", toExecute,
            (aContext, aSubId, aCallingPackage, aMessage)-> {
                enforcePrivilegedPermissionOrCarrierPrivilege(aSubId, aMessage);
                return true;
            });
}
</syntaxhighlight>

Heading back towards the official Android API, you start to see the functions that implement challenge-response authentication for the various phone networks. This code makes a request through RILD -> baseband -> SIM card to retrieve the response to a challenge.

[/platform/frameworks/opt/telephony/+/refs/heads/master/src/java/com/android/internal/telephony/uicc/IccRecords.java]
<syntaxhighlight lang="java">
public String getIccSimChallengeResponse(int authContext, String data) {
    if (DBG) log("getIccSimChallengeResponse:");

    try {
        synchronized(mLock) {
            CommandsInterface ci = mCi;
            UiccCardApplication parentApp = mParentApp;
            if (ci != null && parentApp != null) {
                ci.requestIccSimAuthentication(authContext, data,
                        parentApp.getAid(),
                        obtainMessage(EVENT_AKA_AUTHENTICATE_DONE));
                try {
                    mLock.wait();
                } catch (InterruptedException e) {
                    loge("getIccSimChallengeResponse: Fail, interrupted"
                            + " while trying to request Icc Sim Auth");
                    return null;
                }
            } else {
                loge( "getIccSimChallengeResponse: "
                        + "Fail, ci or parentApp is null");
                return null;
            }
        }
    } catch(Exception e) {
        loge( "getIccSimChallengeResponse: "
                + "Fail while trying to request Icc Sim Auth");
        return null;
    }

    if (auth_rsp == null) {
        loge("getIccSimChallengeResponse: No authentication response");
        return null;
    }

    if (DBG) log("getIccSimChallengeResponse: return auth_rsp");
    return android.util.Base64.encodeToString(auth_rsp.payload, android.util.Base64.NO_WRAP);
}
</syntaxhighlight>

Remember the RILD mentioned earlier? Here is some client code that talks to that server. It sends a request to the radio interface layer daemon asking for the response to an authentication challenge message.

[/platform/frameworks/opt/telephony/+/refs/heads/master/src/java/com/android/internal/telephony/RIL.java]
<syntaxhighlight lang="java">
@Override
public void requestIccSimAuthentication(int authContext, String data, String aid, Message result) {
    IRadio radioProxy = getRadioProxy(result);
    if (radioProxy != null) {
        RILRequest rr = obtainRequest(RIL_REQUEST_SIM_AUTHENTICATION, result,
                mRILDefaultWorkSource);

        // Do not log function args for privacy
        if (RILJ_LOGD) riljLog(rr.serialString() + "> " + requestToString(rr.mRequest));

        try {
            radioProxy.requestIccSimAuthentication(rr.mSerial, authContext,
                    convertNullToEmptyString(data), convertNullToEmptyString(aid));
        } catch (RemoteException | RuntimeException e) {
            handleRadioProxyExceptionForRR(rr, "requestIccSimAuthentication", e);
        }
    }
}
</syntaxhighlight>

Here is the code in the client for sending requests to the RILD. It is not very interesting, but the handler for that request is.

[/platform/hardware/ril/+/refs/heads/master/libril/ril_service.cpp]
<syntaxhighlight lang="cpp" highlight="6,22">
Return<void> RadioImpl::requestIccSimAuthentication(int32_t serial, int32_t authContext,
        const hidl_string& authData, const hidl_string& aid) {
#if VDBG
    RLOGD("requestIccSimAuthentication: serial %d", serial);
#endif
    RequestInfo *pRI = android::addRequestToList(serial, mSlotId, RIL_REQUEST_SIM_AUTHENTICATION);
    if (pRI == NULL) {
        return Void();
    }

    RIL_SimAuthentication pf = {};
    pf.authContext = authContext;

    if (!copyHidlStringToRil(&pf.authData, authData, pRI)) {
        return Void();
    }
    if (!copyHidlStringToRil(&pf.aid, aid, pRI)) {
        memsetAndFreeStrings(1, pf.authData);
        return Void();
    }

    CALL_ONREQUEST(pRI->pCI->requestNumber, &pf, sizeof(pf), pRI, mSlotId);
    memsetAndFreeStrings(2, pf.authData, pf.aid);
    return Void();
}
</syntaxhighlight>

I'm afraid this is where the trail goes cold. The function CALL_ONREQUEST is a macro that replaces the function name with a call into a vendor-specific library. The vendor must therefore supply the function that implements the code to talk to the baseband. Which is fitting really, because they are the ones who have to manufacture the chip.

So now we know some details about the relevant code in Android for writing hooks. We can use this information to pretend to have a third party's SIM card by intercepting messages from the radio (more research is required here). But to implement the full secret contracts there also needs to be a way to extract SIM secret keys, as well as to implement the relevant authentication routines for a carrier network. Here are the options.

<span id="full-usim-secrets-authentication-routines-or-see-backup-plans"></span>
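The Java chain above ends with <code>getIccSimChallengeResponse</code> returning a base64 string, and the <code>data</code> it takes in is also base64, but neither the Android code nor the text says what bytes are inside. The following is an added worked example, not code from the page or from AOSP: a small Python encoder/decoder for those two payloads as a caller of the API would see them. It assumes the field layout of 3GPP TS 31.102 section 7.1.2.1 (GSM context: L(RAND)|RAND in, L(SRES)|SRES|L(Kc)|Kc out; 3G/AKA context: L(RAND)|RAND|L(AUTN)|AUTN in, tag 0xDB with RES/CK/IK or tag 0xDC with AUTS out), which is the layout Android's own EAP-SIM/AKA clients use; the two auth-context values are TelephonyManager's AUTHTYPE_EAP_SIM/AUTHTYPE_EAP_AKA; every sample byte string is constructed, not captured from a SIM. It also rejects truncated or mis-tagged payloads, which matters because the response crosses a privileged IPC boundary and the caller, not the RIL, is the last place to validate it.

```python
import base64
from dataclasses import dataclass
from typing import Optional, Tuple

# Auth contexts checked in PhoneSubInfoController (TelephonyManager.AUTHTYPE_EAP_SIM/AKA).
AUTH_CONTEXT_EAP_SIM = 128
AUTH_CONTEXT_EAP_AKA = 129
# Leading tag bytes of a 3G-context AUTHENTICATE response (3GPP TS 31.102, 7.1.2.1).
AKA_TAG_SUCCESS = 0xDB
AKA_TAG_SYNC_FAILURE = 0xDC


def lv(field: bytes) -> bytes:
    """One-byte length prefix followed by the value, as used in every field here."""
    if not 0 < len(field) < 256:
        raise ValueError("field length must fit in one byte")
    return bytes([len(field)]) + field


def read_lv(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read the length-prefixed field at buf[pos]; return (value, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated response: missing length byte")
    n = buf[pos]
    end = pos + 1 + n
    if n == 0 or end > len(buf):
        raise ValueError("truncated response: field runs past end of payload")
    return buf[pos + 1:end], end


def build_challenge(auth_context: int, rand: bytes, autn: Optional[bytes] = None) -> str:
    """Encode the 'data' argument: base64 (NO_WRAP) of the context-specific challenge."""
    if len(rand) != 16:
        raise ValueError("RAND must be 16 bytes")
    if auth_context == AUTH_CONTEXT_EAP_SIM:
        if autn is not None:
            raise ValueError("GSM context carries no AUTN")
        payload = lv(rand)
    elif auth_context == AUTH_CONTEXT_EAP_AKA:
        if autn is None or len(autn) != 16:
            raise ValueError("3G context needs a 16-byte AUTN")
        payload = lv(rand) + lv(autn)
    else:
        raise ValueError(f"unsupported authContext: {auth_context}")
    return base64.b64encode(payload).decode("ascii")


@dataclass
class AkaResult:
    status: str                  # "success" or "sync_failure"
    res: Optional[bytes] = None
    ck: Optional[bytes] = None   # cipher key: session secret, never log it
    ik: Optional[bytes] = None   # integrity key: likewise
    kc: Optional[bytes] = None   # optional trailing GSM Kc some USIMs append
    auts: Optional[bytes] = None # resynchronisation token on 0xDC


@dataclass
class SimResult:
    sres: bytes
    kc: bytes


def parse_response(auth_context: int, b64_payload: str):
    """Decode the base64 string IccRecords returns into its typed fields."""
    payload = base64.b64decode(b64_payload, validate=True)
    if auth_context == AUTH_CONTEXT_EAP_SIM:
        sres, pos = read_lv(payload, 0)
        kc, pos = read_lv(payload, pos)
        if pos != len(payload) or len(sres) != 4 or len(kc) != 8:
            raise ValueError("malformed GSM authentication response")
        return SimResult(sres=sres, kc=kc)
    if auth_context == AUTH_CONTEXT_EAP_AKA:
        if not payload:
            raise ValueError("empty 3G authentication response")
        tag = payload[0]
        if tag == AKA_TAG_SYNC_FAILURE:
            auts, pos = read_lv(payload, 1)
            if pos != len(payload) or len(auts) != 14:
                raise ValueError("malformed AUTS")
            return AkaResult(status="sync_failure", auts=auts)
        if tag == AKA_TAG_SUCCESS:
            res, pos = read_lv(payload, 1)
            ck, pos = read_lv(payload, pos)
            ik, pos = read_lv(payload, pos)
            kc = None
            if pos < len(payload):          # optional Kc present
                kc, pos = read_lv(payload, pos)
            if pos != len(payload) or len(ck) != 16 or len(ik) != 16:
                raise ValueError("malformed 3G authentication response")
            return AkaResult(status="success", res=res, ck=ck, ik=ik, kc=kc)
        raise ValueError(f"unknown response tag 0x{tag:02X}")
    raise ValueError(f"unsupported authContext: {auth_context}")


def is_malformed(auth_context: int, b64_payload: str) -> bool:
    """True if parse_response rejects the payload (bad base64 counts too)."""
    try:
        parse_response(auth_context, b64_payload)
    except ValueError:               # binascii.Error is a ValueError subclass
        return True
    return False


# Constructed sample payloads (not captured from any real SIM).
SAMPLE_RES = bytes.fromhex("0011223344556677")
SAMPLE_AKA_SUCCESS_B64 = base64.b64encode(
    bytes([AKA_TAG_SUCCESS]) + lv(SAMPLE_RES) + lv(bytes(range(16))) + lv(bytes(range(16, 32)))
).decode("ascii")
SAMPLE_AKA_SYNC_B64 = base64.b64encode(bytes([AKA_TAG_SYNC_FAILURE]) + lv(bytes(14))).decode("ascii")
SAMPLE_SIM_B64 = base64.b64encode(lv(b"\xaa" * 4) + lv(b"\xbb" * 8)).decode("ascii")

if __name__ == "__main__":
    print(build_challenge(AUTH_CONTEXT_EAP_AKA, bytes(16), bytes(16)))
    r = parse_response(AUTH_CONTEXT_EAP_AKA, SAMPLE_AKA_SUCCESS_B64)
    print(r.status, r.res.hex())   # RES only; CK/IK stay out of logs, as RIL.java's comment intends
    print(parse_response(AUTH_CONTEXT_EAP_AKA, SAMPLE_AKA_SYNC_B64).status)
```

The shape of the parser mirrors the shape of the Android path: the context value selects the format, and a sync failure (0xDC) is a legitimate outcome the caller must handle rather than an error, because it carries the AUTS token the network needs to resynchronise sequence numbers.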