Category Archives: Smart Cards

Recovering the SIM card PIN from the ZTE WF721 cellular home phone

Posted on by
18

As seen on Hackaday!

TL;DR – If you have a ZTE WF721 that’s PIN-locked your SIM card, try 2376.

Recently I picked up a used Samsung Galaxy Core LTE smartphone from a relative after they upgraded to an iPhone. As the Core LTE is a low-end smartphone, I suspected that the phone was SIM locked to its original carrier (Virgin Mobile), but in order to test this I needed a different SIM card. My personal phone was on the same carrier, so I wasn’t able to use that to test it.

However, the previous summer I picked up a ZTE WF721 cellular home phone base station (that is, it’s a voice-only cell phone that a landline phone plugs into), which came with a Telus SIM card. The issue is that the WF721 sets a SIM card PIN to essentially “lock” the card to the base station, and it wasn’t the default 1234 PIN; brute-forcing a SIM card is not possible as you get 3-5 attempts before the card needs to be unblocked using a PUK (PIN Unblock Key), failing that, the card is permanently rendered unusable. I decided to take the base station apart, and use my knowledge in electronics and previous research into smart cards to see if I could recover the PIN.

(Yes, I went through all this work instead of just buying a prepaid SIM card from the dollar store. I’m weird like that.)

Test Pads & Signals

After a bit of disassembly work involving removing screws hidden under rubber non-slip feet and a lot of spudgering open plastic clips, I got access to the four test pads that connect to the SIM card, accessible on the opposite side of the PCB from the SIM card socket.

ZTE WF721 Opened

The ZTE WF721 opened, with test pads broken out and connected to DSLogic for reverse engineering.

An ISO 7816-compliant smart card (and a SIM card is one) require 5 different lines to work: Vcc (power), ground, clock, I/O (data), and reset. The I/O is an asynchronous half-duplex UART-type interface, whose baud rate is determined by the card’s characteristics and the clock frequency that it is given by the reader (in this case, the WF721). The details of how the interface work can be obtained for free in their TS 102 221 specification from the ETSI (European Telecommunications Standards Institute).

ZTE WF721 SIM Card Test Pads

The test pads that connect to the WF721’s SIM card socket.

I then soldered the ground wire to a free test pad elsewhere on the board, whereas the four other wires were soldered to the test pads near the SIM card socket. I then connected these wires to a pin header and plugged it into my DSLogic Plus logic analyzer. I analyzed the logic captures after turning the WF721 on and allowing it to initialize the SIM card and attempt to connect to the cellular network (the service to it has been disconnected so it doesn’t actually succeed).

Command Analysis

After looking at the raw logic capture, there was a lot that I had to sift through. I needed to create a custom setting for the UART decoder as the serial output isn’t your traditional “9600-8-N-1” setting. Rather, the interface uses 8 data bits, even parity, and 2 stop bits. The baud rate is determined by a parameter in the card’s initial identification, the ATR (Answer to Reset). I parsed the card’s ATR that I previously captured on the PC using the SpringCard PC/SC Diagnostic tool using Ludovic Rousseau’s online tool, I determined I needed to use a baud rate of 250 kbit/s, since the card was being fed a 4 MHz clock.

T=0 Smart Card Command (APDU) Structure

The smart card communicates to and from the host through APDUs (Application Protocol Data Units). The command header for a T=0 smart card (character-based I/O, which most cards use) is made up of 5 bytes: class, instruction, 2 parameter bytes and a length/3rd parameter byte. To acknowledge the command, the card sends the instruction byte back to the reader and the data is transferred to/from the card, depending on the command used. The card then sends two status bytes that indicate whether the command is successful; if it is, the response is 0x9000. A graphical representation of this process can be seen in the next section.

VERIFY PIN Command Decoding

The raw data structure of a SIM card's VERIFY PIN command. Each part of the flow is labeled for ease of understanding.

The raw data structure of a SIM card’s VERIFY PIN command. Each part of the flow is labeled for ease of understanding (click image to see full size).

The command I’m looking for is 0x20 (VERIFY PIN), and I had to sift through the command flow in the logic analyzer until I found it. After a lot of preceding commands, I found the command I was looking for, and I found the PIN… and it’s in plaintext! As it turns out, it is sent as an ASCII string, but it’s not null terminated like a regular string. Instead, the data is always 8 bytes (allowing up to an 8-digit PIN), but a PIN shorter than 8 digits will have the end bytes padded with 0xFF (all binary ones). It was easy to determine that the bytes 0x32 33 37 36 is the ASCII representation of the PIN 2376, and after the card waited many tens of milliseconds, it acknowledged the PIN was correct as it gave the expected 0x9000 response code.

PIN Testing & Unlocking

SIM Opened in Dekart SIM Manager

Dekart SIM Manager showing the phone number programmed into the SIM card (censored for privacy).

I tried the PIN in the Dekart SIM Manager software on my computer, and it worked! I was able to read out the contents of the SIM and find out what phone number it used to have, although no other useful information was found.

By using the legacy GSM class 0xA0, I was able to manually verify the PIN by directly communicating with the SIM card using the same command syntax in PC/SC Diagnostic:

SIM Card VERIFY PIN Test

Testing the VERIFY PIN command directly in SpringCard PC/SC Diagnostic.

I took the SIM card out and put it in my Galaxy Core LTE phone, entered the PIN, and as expected it brought up the network unlock prompt. I was able to contact my carrier to get the phone unlocked, and they did it for free (as legally required in Canada) – it turned out to be helpful I was on the same network, as they needed an account to authenticate the request against, even if the phone is registered to another account holder. After entering the 8-digit unlock PIN they provided, the phone was successfully unlocked!

The WF721 is in all likelihood also network locked, but that’s a bridge I haven’t crossed yet.

Conclusion

After a bit of sleuthing into how SIM cards communicate with a cell phone, I was able to decipher the exact command used to authenticate a SIM card PIN inside a disused cellular home phone, all to check if a hand-me-down smartphone was network-locked to its original carrier. Was it a lot of effort just to do that? Maybe, but where’s the fun in buying a prepaid SIM card? 🙂

 

Advertisement

Pick a Card, Any Card: Fast and easy Windows logon using any NFC smart card

Posted on by
1

UPDATE (September 27, 2018): Fixed a broken link to the article on bypassing MSI installer checks.

After finally reinstalling Windows on my main PC (the smart card components in the old install were trashed), I dusted off the old smart card reader and started looking into smart card-based logon options again.

Windows logon screen using a smart card

Windows logon screen using a smart card

After finding a way to force convince the installer for EIDAuthenticate, a program that lets you use smart cards to log on a Windows computer without the use of domains and Active Directory, to run on Windows 7 Professional (Microsoft DreamSpark only lets me obtain the Professional editions of Windows), I found a program called NFC Connector Light that lets you use any NFC-compatible smart card as a means of authentication.

Virtual smart card with certificate installed

Virtual smart card with certificate installed

NFC Connector Light links the unique identifier in an NFC-based smart card to create a virtual smart card on the local computer (no data is stored in the card itself), and that virtual card can be used like a real smart card within Windows. When paired with EIDAuthenticate, logging on is as simple as placing the smart card on the NFC reader and entering a PIN. This is especially useful when you set the Windows smart card policy to lock the computer when the card is removed (and it feels kind of cool to be able to lock your computer simply by taking your card off the reader).

Update: How to install Windows x64 drivers for the Schlumberger Reflex USB smart card reader

Posted on by
6

Update (December 11, 2017): For those on Windows 10, click HERE for the SCR300 driver package – digitally signed to ensure compatibility. Extract the files, right-click the appropriate x86/x64 .INF file and select “Install”. Proceed with the installation as shown below.

A viewer requested help on installing the drivers for the Schlumberger Reflex USB smart card reader, so I’ve created a step-by-step instruction guide on doing so.

1. Plug in the smart card reader into an available USB port. Windows should attempt to install a driver but won’t succeed.

 

2. Open Device Manager, and select the “SLB ReflexUSB SmartCard Reader” in the list.

 

3. Follow the wizard and opt to install the drivers manually.

 

4. Enjoy your now-functional smart card reader.

 

Making use of a Schlumberger Reflex USB Smart Card Reader in Windows 7 x64

Posted on by
4

2013-05-08 01.31.41 2013-05-08 01.34.57For a tutorial on how to install the drivers, click here.

A while back a friend of mine gave me an old smart card reader that was of no use to him; he had no need to use smart cards at home and the reader he gave me, a Schlumberger Reflex USB reader, had no support in 64-bit Windows 7, or so it seemed.

I cracked open the reader (didn’t take any effort, there are no screws nor snap-clips holding the case together) and found the internal part number: an SCM Microsystems SCR301 reader. Forcing Windows to use the SCM Microsystems SCR300 driver was successful in getting the reader to show up in Windows, meaning that I had a free, usable smart card reader to tinker around with. Awesome.

scr300 reflex usbUpdate on June 20, 2013: Added a screenshot of the reader in Device Manager.

Making Use of a Motorola Smart Card (Part 3)

Posted on by
Reply

(Disclaimer: As stated in previous posts, this blog is not intended to further piracy of paid TV and such. This is merely a personal blog outlining my recreational research.)

I seem to have finally stumbled across some potential information on the background of this smart card. A very old (dating back to 1997!) article from CNET showed that Motorola sent out a press release about their “new” M-Smart Combination Card, which combined a contact card with an RFID interface. However, the information track stops there. There is no picture of what their cards looked like, nor did they have a link to any sort of info from Motorola themselves (although I believe their smart card division was bought out a while ago.)

Might be a good time to email Motorola and see if they didn’t burn their old smart card documentation 🙂
EDIT: I asked my professor if he’d be alright with me taking a look at the chip under the microscope. He’s fine with it; hopefully I’ll have some pictures of the silicon die this week.

Making Use of a Motorola Smart Card – Part 2

Posted on by
Reply

(Disclaimer: Smart card piracy is a very bad thing. This set of blog posts is NOT intended to further illegal hacking of paid services, but is merely a personal record of my research, which is not being done for any financial reasons but is only done for personal leisure. Besides, these cards won’t help you break scrambled TV signals, so don’t bother trying it :))

In between pulling all-nighters goofing off doing college homework and trying to stay marginally sane and/or healthy, I’ve been doing some more research into the cards. This time, I was a bit more invasive with my approach. However, I’ve found out a bit more about the card’s brains this way.

I’ve torn open one of the cards and taken a peek inside. The chip itself is a bit different in that the epoxy backing is molded much like a regular chip as opposed to the drop of epoxy used in many newer cards. The chip itself is pretty big, at 6mm x 4mm and with 0.1 mm thickness; the center gold pad is the entire area of the card.

There are many methods of getting the plastic off of a chip, and the more professional labs use fuming nitric acid (very nasty stuff) but one easy way to do so at home is using a blowtorch to burn the epoxy and simply chip it off with a toothpick. If it’s burnt thoroughly enough, the epoxy will just fall off the chip, revealing the pretty silicon underneath. I used a small butane torch to heat up the chip, which was done outside and on a piece of ceramic tile (safety first! :)) After a bit of picking at the chip, I was able to see the inner workings of the smart card’s chip.

I see 4 large blocks on the die but can’t tell much more without a microscope, and a 10x jewelry loupe only goes so far. My best guess is that the 4 blocks encompass the CPU, RAM, program ROM and maybe some EEPROM storage. There’s 14 pads on the chip; 5 pins are used for the contacts, maybe 2-3 for the radio interface, and the others might be for factory testing or programming  but it’s speculation at best.

Now hopefully my college prof won’t mind me using the classroom microscope later this week 🙂

Making Use of a Motorola Smart Card (part 1 of ???)

Posted on by
Reply

(Disclaimer: Trying to pirate satellite TV using hacked smart cards is dumb and wrong; I am writing this article merely to explore the card and the field of smart cards in general, and to provide some sort of documentation on this otherwise unknown card.)

Back in the summer I bought four generic, blank (I assume) Motorola brand smart cards from Active Surplus during my vacation to Toronto. Over the past few weeks I’ve been doing some research and hands-on testing of what this card is (in)capable of doing.

The card itself is an ISO 7816-compliant smart card that uses the asynchronous (UART) T=0 byte-wise protocol and communicates using industry standard APDU (application protocol data unit) commands.

The card is a dual-interface card; it has the standard six-contact chip and also has an antenna for RFID. There is an antenna coil 3 windings wide around the perimeter of the card and connects to the chip itself. So far I have not had any progress in getting it to contact an RFID reader, but hooking up an LED from the chip’s Vcc to ground causes it to flash when brought up to a BlackBerry Bold’s NFC antenna.

The chip has an answer-to-reset of 3B 76 13 00 00 80 62 07 41 81 80. When parsing this via the PysCard smart card library (http://smartcard-atr.appspot.com/parse?ATR=3B76130000806207418180) the site identifies it as a “Generic mass produced Motorola smart card” which doesn’t get me any further than what I already know; the Motorola logo is in the center of the darn chip!

Current attempts to make use of the card have been unsuccessful. It responds with 0x6D00 (unknown command) on pretty much every industry-standard command I try. The only command that doesn’t give this is 0xC0 00 00 00, which is the “GET RESPONSE” command which returns 0x6F00 (generic error, no details available).

Attempts to get the card running with PC/SC have not gone far. The system will acknowledge its existence and with a bit of work in the Registry, I can get it to register as a “Generic Motorola SmartCard”. That said, this still doesn’t get anywhere. Attempts to use it to store credential certificates causes Windows to say that ‘the card is not the one required for the current operation.’

I think that the card may simply be unprogrammed and is merely running a bootloader to install firmware on, but since many smart cards have mask ROM, there is a chance that the card is of pretty much no use. But hey, for 50 cents for a smart card it’s no big loss.
If you know anything else about this smart card, gimme a shout in the comments section. I’ll be posting more updates as I find out more about this peculiar piece of plastic.