Ramble: 2019 in review

As the year of 2019 (and the decade we like to call the 2010s) draws to a close, it’s amazing how fast time has gone by. I first started this blog in September of 2012, mainly as a “brain dump” of whatever electronics stuff I wanted to talk about – and at its heart, it still is… and I have no intent to change that.

Pretty Popular Posts

Fresh off the (Word)Press

Some of this year’s posts have gotten a good handful of views. The top 5 of my posts each managed to snag at least a couple thousand views:

Post | Views
Resurrecting a dead MacBook Pro | 5,416
Adding external PCI Express to the Atomic Pi | 3,081
Running Doom on a Magellan GPS receiver | 2,819
Damaged eMMC data recovery | 2,374
SIM card PIN recovery with a logic analyzer | 2,229

The fifth in the list is different in that none of its views came from Hackaday (they haven’t responded to the e-mail tip I sent to them on December 21st); rather, the views came from Twitter when a security researcher found my blog post after I put it on Reddit. Hopefully Hackaday gets around to featuring that post in the near future.

Old Classics

Some of my previous posts just can’t be put down by readers, with some posts proving to be unexpectedly popular:

Post | Views
Building my own eMMC-based SD card | 5,474
Running Doom on a Keysight oscilloscope | 6,399
KitchenAid induction cooktop service manual | 3,541
Kentli PH5 Li-ion AA battery teardown | 2,716
Kentli PH5 Li-ion AA battery review | 2,566

What’s interesting is how many of these older posts managed to outclass this year’s big hits – the one I found surprising was the KitchenAid service manual! Looks like their induction cooktops (still) have widespread design problems that cause their power transistors to blow up. Additionally, the Kentli PH5 Li-ion AA batteries still manage to pique people’s curiosity, even five years after I first published that post!

Views? Views.

This year wasn’t as popular as previous years, with this one ranking 4th out of the 7 years I’ve run this blog. This year garnered over 116,000 views by over 56,450 visitors, with the most views coming from the United States (32,600), the United Kingdom (6,500), Canada (6,200), Germany (5,850), and Russia (3,390). However, if I discount last year’s 15,000 views that came from Hacker News (I wasn’t able to get any significant attention on that site this year), then this puts me a fair bit ahead of last year, which would have otherwise had only 110,000 views.

Regardless, this satisfies my (personal) goal of at least 100,000 views per year, and I’m still glad that my blog still gets people’s attention.

WordAd¢ (I can’t call it WordAd$ this year)

This year’s ad revenue has been pretty paltry compared to last year. My previous update that tallied revenue from January to September 2019 revealed that my ad rates have fallen by almost two-thirds compared to last year. This year served up approximately 552,000 ads and yielded $130 USD, with an average of 24 cents per 1,000 ad views (aka CPM). If I used last year’s average CPM figure of 57 cents, I would have received almost $315 USD! Hopefully 2020 turns out better, but I’m not feeling too optimistic about it.

Looking Forward

This year represents some significant changes to my personal and professional life. I’ve finished my time in post-secondary, and have graduated from a network-specialized information technology (IT) program at my local college; I then took some time off to meet with new and old friends at smaller get-togethers and larger conventions. This leads me to the next phase in my life – get some stable full-time work in the real world (and hopefully still have time to do fun electronics projects that I can share with you on this blog).

Buckle up – it’s going to be one heck of a ride into the new decade! With all that said…

Happy New Year! Thanks to everyone who views and shares my work – you make all of this worthwhile! –Jason


Recovering the SIM card PIN from the ZTE WF721 cellular home phone

As seen on Hackaday!

TL;DR – If you have a ZTE WF721 that’s PIN-locked your SIM card, try 2376.

Recently I picked up a used Samsung Galaxy Core LTE smartphone from a relative after they upgraded to an iPhone. As the Core LTE is a low-end smartphone, I suspected that the phone was SIM locked to its original carrier (Virgin Mobile), but in order to test this I needed a different SIM card. My personal phone was on the same carrier, so I wasn’t able to use that to test it.

However, the previous summer I picked up a ZTE WF721 cellular home phone base station (that is, a voice-only cell phone that a landline phone plugs into), which came with a Telus SIM card. The issue is that the WF721 sets a SIM card PIN to essentially “lock” the card to the base station, and it wasn’t the default 1234 PIN. Brute-forcing a SIM card’s PIN is not possible: you get only 3-5 attempts before the card must be unblocked using a PUK (PIN Unblock Key), and failing that, the card is permanently rendered unusable. I decided to take the base station apart and use my knowledge of electronics and my previous research into smart cards to see if I could recover the PIN.

(Yes, I went through all this work instead of just buying a prepaid SIM card from the dollar store. I’m weird like that.)

Test Pads & Signals

After a bit of disassembly work involving removing screws hidden under rubber non-slip feet and a lot of prying open plastic clips with a spudger, I got access to the four test pads that connect to the SIM card, accessible on the opposite side of the PCB from the SIM card socket.

ZTE WF721 Opened

The ZTE WF721 opened, with test pads broken out and connected to DSLogic for reverse engineering.

An ISO 7816-compliant smart card (and a SIM card is one) requires 5 different lines to work: Vcc (power), ground, clock, I/O (data), and reset. The I/O is an asynchronous half-duplex UART-type interface, whose baud rate is determined by the card’s characteristics and the clock frequency it is given by the reader (in this case, the WF721). The details of how the interface works can be obtained for free from the ETSI (European Telecommunications Standards Institute) in its TS 102 221 specification.

ZTE WF721 SIM Card Test Pads

The test pads that connect to the WF721’s SIM card socket.

I then soldered the ground wire to a free test pad elsewhere on the board, whereas the four other wires were soldered to the test pads near the SIM card socket. I then connected these wires to a pin header and plugged it into my DSLogic Plus logic analyzer. I analyzed the logic captures after turning the WF721 on and allowing it to initialize the SIM card and attempt to connect to the cellular network (the service to it has been disconnected so it doesn’t actually succeed).

Command Analysis

After looking at the raw logic capture, there was a lot that I had to sift through. I needed to create a custom setting for the UART decoder as the serial output isn’t your traditional “9600-8-N-1” setting. Rather, the interface uses 8 data bits, even parity, and 2 stop bits. The baud rate is determined by a parameter in the card’s initial identification, the ATR (Answer to Reset). I parsed the card’s ATR, which I had previously captured on the PC with the SpringCard PC/SC Diagnostic tool, using Ludovic Rousseau’s online ATR parsing tool, and determined that I needed to use a baud rate of 250 kbit/s, since the card was being fed a 4 MHz clock.

T=0 Smart Card Command (APDU) Structure

The smart card communicates to and from the host through APDUs (Application Protocol Data Units). The command header for a T=0 smart card (character-based I/O, which most cards use) is made up of 5 bytes: class, instruction, 2 parameter bytes and a length/3rd parameter byte. To acknowledge the command, the card sends the instruction byte back to the reader and the data is transferred to/from the card, depending on the command used. The card then sends two status bytes that indicate whether the command is successful; if it is, the response is 0x9000. A graphical representation of this process can be seen in the next section.

VERIFY PIN Command Decoding

The raw data structure of a SIM card’s VERIFY PIN command. Each part of the flow is labeled for ease of understanding.

The command I’m looking for is 0x20 (VERIFY PIN), and I had to sift through the command flow in the logic analyzer until I found it. After a lot of preceding commands, I found the command I was looking for, and I found the PIN… and it’s in plaintext! As it turns out, it is sent as an ASCII string, but it’s not null-terminated like a regular string. Instead, the data field is always 8 bytes (allowing up to an 8-digit PIN), and a PIN shorter than 8 digits has its trailing bytes padded with 0xFF (all binary ones). It was easy to determine that the bytes 0x32 33 37 36 are the ASCII representation of the PIN 2376, and after the card waited many tens of milliseconds, it acknowledged that the PIN was correct by giving the expected 0x9000 response code.
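The T=0 exchange described in the previous section and the VERIFY PIN decoding above, as an added example (my own code, not part of the original post): it parses one command/response from the raw I/O byte stream exactly as it appears on the logic analyzer, then recovers the 0xFF-padded ASCII PIN. The sample bytes are constructed to mirror the capture; the P2 value 0x01 (CHV1 under the GSM class 0xA0) is an assumption, not something shown in the post.

```python
from typing import NamedTuple

class Apdu(NamedTuple):
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    sw: int   # SW1 SW2 combined, e.g. 0x9000 = success

def parse_t0_exchange(stream: bytes) -> Apdu:
    """Decode one T=0 command/response as seen on the single I/O line.

    ISO 7816-3 T=0 layout: 5-byte header CLA INS P1 P2 P3, then the card's
    procedure byte (INS echoed back = "send all remaining data"), P3 data
    bytes, then the two status bytes SW1 SW2. Only the whole-INS ACK case is
    handled; NULL (0x60) or byte-wise ACK (INS XOR 0xFF) bytes are rejected.
    """
    if len(stream) < 8:
        raise ValueError("stream too short for a T=0 exchange")
    cla, ins, p1, p2, p3 = stream[:5]
    if stream[5] != ins:
        raise ValueError(f"unsupported procedure byte 0x{stream[5]:02X}")
    data = stream[6:6 + p3]
    if len(data) != p3 or len(stream) < 8 + p3:
        raise ValueError("truncated data or status bytes")
    sw1, sw2 = stream[6 + p3], stream[7 + p3]
    return Apdu(cla, ins, p1, p2, data, (sw1 << 8) | sw2)

def pin_from_verify(apdu: Apdu) -> str:
    """Recover the PIN from a VERIFY (INS 0x20): ASCII digits in an 8-byte
    field, unused trailing bytes padded with 0xFF, no NUL terminator."""
    if apdu.ins != 0x20 or len(apdu.data) != 8:
        raise ValueError("not a VERIFY PIN command")
    return apdu.data.rstrip(b"\xff").decode("ascii")

def pin_accepted(apdu: Apdu) -> bool:
    """True when the card answered 0x9000, i.e. the PIN was correct."""
    return apdu.sw == 0x9000

# Constructed sample mirroring the post's capture: GSM class 0xA0, VERIFY,
# P2 = 0x01 (CHV1 per GSM 11.11, assumed here), PIN 2376 padded with 0xFF,
# card replies 0x9000.
SAMPLE = bytes.fromhex("A0 20 00 01 08 " "20 " "32 33 37 36 FF FF FF FF " "90 00")

if __name__ == "__main__":
    cmd = parse_t0_exchange(SAMPLE)
    print(f"INS 0x{cmd.ins:02X} PIN={pin_from_verify(cmd)} accepted={pin_accepted(cmd)}")
```

Because the PIN crosses the I/O line unencrypted, anyone with physical access to the reader’s test pads can read it this way; that is the exposure the post demonstrates, and why a PIN-locked SIM in an unattended device should not be treated as a secret.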

PIN Testing & Unlocking

SIM Opened in Dekart SIM Manager

Dekart SIM Manager showing the phone number programmed into the SIM card (censored for privacy).

I tried the PIN in the Dekart SIM Manager software on my computer, and it worked! I was able to read out the contents of the SIM and find out what phone number it used to have, although no other useful information was found.

By using the legacy GSM class 0xA0, I was able to manually verify the PIN by directly communicating with the SIM card using the same command syntax in PC/SC Diagnostic:

SIM Card VERIFY PIN Test

Testing the VERIFY PIN command directly in SpringCard PC/SC Diagnostic.

I took the SIM card out and put it in my Galaxy Core LTE phone, entered the PIN, and as expected it brought up the network unlock prompt. I was able to contact my carrier to get the phone unlocked, and they did it for free (as legally required in Canada) – it turned out to be helpful that I was on the same network, as they needed an account to authenticate the request against, even if the phone is registered to another account holder. After entering the 8-digit unlock PIN they provided, the phone was successfully unlocked!

The WF721 is in all likelihood also network locked, but that’s a bridge I haven’t crossed yet.

Conclusion

After a bit of sleuthing into how SIM cards communicate with a cell phone, I was able to decipher the exact command used to authenticate a SIM card PIN inside a disused cellular home phone, all to check if a hand-me-down smartphone was network-locked to its original carrier. Was it a lot of effort just to do that? Maybe, but where’s the fun in buying a prepaid SIM card? 🙂

Quick Update: Jumping Back On the (Free)wagon

After trying out the WordPress Personal plan earlier this year, I was curious as to whether upgrading to a paid plan would result in improved earnings when using the WordAds revenue program.

It doesn’t. If you’re making money on the Free plan, stick to it.

Considering it’s 4:10 AM at the time of this blog post, I should already be in bed, but I was up doing some repair work. I got an email saying my subscription for my blog was expiring and I instinctively paid for it, but realized it was for the WordPress Personal plan I was planning to ditch once it lapsed. Immediately after paying I cancelled the subscription, thus ending the plan earlier than I intended. At least the refund process was quick and easy.

WordPress Personal Plan Cancelled

Ever complete a purchase and immediately think “Wait, this isn’t what I intended to buy”? That was me just now.