authorHarald Welte <laforge@gnumonks.org>2015-10-25 21:00:20 +0100
committerHarald Welte <laforge@gnumonks.org>2015-10-25 21:00:20 +0100
commitfca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch)
treea2011270df48d3501892ac1a56015c8be57e8a7d /2014/simtrace-openfest2014
import of old now defunct presentation slides svn repo
Diffstat (limited to '2014/simtrace-openfest2014')
-rw-r--r--2014/simtrace-openfest2014/bladox-turbosim.jpgbin0 -> 8304 bytes
-rw-r--r--2014/simtrace-openfest2014/isim-dir-struct.pngbin0 -> 29015 bytes
-rw-r--r--2014/simtrace-openfest2014/part-sim.tex410
-rw-r--r--2014/simtrace-openfest2014/rebelsim2.jpgbin0 -> 35929 bytes
-rw-r--r--2014/simtrace-openfest2014/section-simtrace.tex75
-rw-r--r--2014/simtrace-openfest2014/sim-mf-df_gsm.pngbin0 -> 53017 bytes
-rw-r--r--2014/simtrace-openfest2014/simtrace-schema.pngbin0 -> 21129 bytes
-rw-r--r--2014/simtrace-openfest2014/simtrace.pdfbin0 -> 337816 bytes
-rw-r--r--2014/simtrace-openfest2014/simtrace.snm0
-rw-r--r--2014/simtrace-openfest2014/simtrace.tex158
-rw-r--r--2014/simtrace-openfest2014/simtrace_and_phone.jpgbin0 -> 71804 bytes
-rw-r--r--2014/simtrace-openfest2014/usim-dir-structure.pngbin0 -> 59117 bytes
-rw-r--r--2014/simtrace-openfest2014/wireshark-sim.pngbin0 -> 69995 bytes
13 files changed, 643 insertions, 0 deletions
diff --git a/2014/simtrace-openfest2014/bladox-turbosim.jpg b/2014/simtrace-openfest2014/bladox-turbosim.jpg
new file mode 100644
index 0000000..02b6372
--- /dev/null
+++ b/2014/simtrace-openfest2014/bladox-turbosim.jpg
Binary files differ
diff --git a/2014/simtrace-openfest2014/isim-dir-struct.png b/2014/simtrace-openfest2014/isim-dir-struct.png
new file mode 100644
index 0000000..3c81156
--- /dev/null
+++ b/2014/simtrace-openfest2014/isim-dir-struct.png
Binary files differ
diff --git a/2014/simtrace-openfest2014/part-sim.tex b/2014/simtrace-openfest2014/part-sim.tex
new file mode 100644
index 0000000..a8f737a
--- /dev/null
+++ b/2014/simtrace-openfest2014/part-sim.tex
@@ -0,0 +1,410 @@
+\section{SIM Cards}
+
+\subsection{Smart Card Basics}
+
+\begin{frame}{Terminology}
+\begin{description}
+ \item[SIM] Subscriber Identity Module
+ \item[USIM] Universal Subscriber Identity Mdoule
+ \item[UICC] Universal Integrated Chip Card
+ \item[MS] GSM Mobile Station (phone, modem)
+ \item[UE] UMTS User Equipment
+ \item[ME] GSM Mobile Equipment (MS + SIM)
+ \item[OTA] Over The Air
+ \item[SAT] SIM Application Toolkit
+ \item[CAT] Card (UICC) Application Toolkit
+ \item[USAT] USIM Application Toolkit
+ \item[TAR] Toolkit Application Reference
+\end{description}
+\end{frame}
+
+\begin{frame}{Relevant Specification Bodies}
+\begin{itemize}
+ \item ISO (ISO 7816) smart cards
+ \item ETSI (Eurpoean Telecomms Standardisation Institute)
+ \begin{itemize}
+ \item Classic GSM SIM
+ \item UICC card as basis for various telecom ID purposes
+ \item Card Application Toolkit (CAT)
+ \end{itemize}
+ \item 3GPP (3rd Generation Partnership Project)
+ \begin{itemize}
+ \item USIM Application
+ \item USIM Application Toolkit (USAT)
+ \item API based applet interworking
+ \end{itemize}
+ \item Global Platform
+ \begin{itemize}
+ \item Overall spec for SIM/USIM with Java
+ \end{itemize}
+ \item Sun Microsystems (now Oracle)
+ \begin{itemize}
+ \item Java Card Virtual Machine
+ \item Java Card Runtime Environment
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The Subscriber Identity Module (SIM)}
+\begin{itemize}
+ \item Basic idea was to store cryptographic identity of subscriber inside smart card
+ \item User can thus migrate identity from one device to another
+ \item User can furthermore use different SIM in same device (e.g. local prepaid SIM while travelling)
+ \item Original SIM card design mostly ISO 7816-4 filesystem and single command to execute A3/A8 algorithm inside card
+ \begin{itemize}
+ \item This could even be done in logic, no processor required
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The modern SIM}
+The modern SIM is an entirely different beast
+\begin{itemize}
+ \item Cryptographic processor smart card
+ \begin{itemize}
+ \item Symmetric cryptography such as DES, 3DES, AES
+ \item Public key cryptography such as RSA, ECC
+ \end{itemize}
+ \item Java Card including a small Java VM and Java RE
+ \item Multiple application support
+ \item Ability to download applications (Applets) into card
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Basics}
+\begin{itemize}
+ \item microprocessor with RAM, Flash and Operating System
+ \item Interface: Electrical + Logical Protocol (ISO7816-3, ISO7816-4)
+ \item File System based representation of information
+ \item Protocol describes remote operations on the file system
+ \item Few non-filesystem related commands for e.g. authentication
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Filesystem}
+\begin{itemize}
+\item Hierarchical file system like on PC
+\begin{description}[MF]
+ \item[MF] (master file): root directory
+ \item[DF] (dedicated file): subdirectory
+ \item[EF] (entry file): actual file
+ \begin{itemize}
+ \item transparent or record oriented
+ \item record linear fixed/variable or record cyclic
+ \end{itemize}
+\end{description}
+\item File names don't exist on card. 16bit FID (File ID) or 8bit SFID used instead
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Filesystem Hierarchy}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=110mm]{sim-mf-df_gsm.png}
+\end{figure}
+\end{frame}
+
+
+%\begin{frame}{Smart Card Filesystem Permissions}
+%\begin{itemize}
+% \item similar to 'permission bits' on Linux or other PC OS
+% \item each file can define separate read/write permissions
+% \item some cards are permanently read-only
+% \item other files can be written to after regular PIN verification
+% \item yet another set of files e.g. needs one of the ADM PINs
+%\end{itemize}
+%\end{frame}
+
+
+%\begin{frame}{Smart Card Logical Channels}
+%\begin{itemize}
+% \item Initially Smart Cards had only one interface (UART)
+% \item This means that only one application on the host side can interact with it, as there's sharde state
+% \item logical channels introduce a concept where this connection is virtualized, and multiple separate states (including with different access privileges) can exist in parallel
+%\end{itemize}
+%\end{frame}
+
+\begin{frame}{SIM Card APDU Commands}
+Classic SIM card commands include the following
+\begin{itemize}
+ \item SELECT (change directory / open file)
+ \item READ BINARY, UPDATE BINARY (read/write transparent EF)
+ \item READ RECORD, UPDATE RECORD (read/write record EF)
+ \item ENABLE CHV, DISABLE CHV, CHANGE CHV (enable, disable or change PIN)
+ \item VERIFY CHV, UNBLOCK CHV (verify or unblock PIN)
+ \item RUN GSM ALGORITHM (A3/A8 authentication)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Filesystem}
+Typical operations of the phone include
+\begin{itemize}
+ \item navigating inside filesystem by SELECT on DF/EF
+ \item authenticating the user PIN
+ \item reading/updating files
+ \begin{itemize}
+ \item reading IMSI
+ \item old-school SMS and contact storage
+ \item storing session keys (Kc/KcGPRS, ...)
+ \item storing last cell on power-off
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card PINs}
+The level of access to the filesystem and other card features is
+determined by authentication using a shared secret, called 'PIN'.
+\begin{itemize}
+ \item Regular PIN for normal use of the card by the end user
+ \item PUK for resetting the pin after too many retries
+ \item ADM1..n PIN for access by the operator only
+\end{itemize}
+\end{frame}
+
+%\begin{frame}{Multi-Application Smart Cards}
+%\begin{itemize}
+% \item Classic SIM cards are single application, accessing the
+% GSM related files works by entering the known DF.GSM
+% directory with its well-known FID
+% \item Later the idea of multi-application smart cards entered
+% the market
+% \item A multi-application smart card contains an EF.DIR in the
+% MF
+% \item EF.DIR contains records with the AIDs of all applications
+% on the card.
+% \item AID prefix is well-known to the application, AID suffix is
+% manufacturer specific. Applications use prefix-match
+% \item application specific directory can be entered by SELECT on
+% the AID
+%\end{itemize}
+%\end{frame}
+
+%\begin{frame}{USIM Application Dedicated File (ADF.USIM)}
+%\begin{figure}[h]
+% \centering
+% \includegraphics[width=110mm]{usim-dir-structure.png}
+%\end{figure}
+%\end{frame}
+
+
+%\subsection{From SIM to UICC and USIM}
+
+%\begin{frame}{Evolution of the SIM}
+%\begin{itemize}
+% \item Classic GSM SIM cards
+% \begin{itemize}
+% \item initial GSM / ETSI TS 11.11 for classic GSM SIM, based on ISO 7816-2/3/4
+% \item small changes for GPRS support by introducing a few new optional files
+% \item Class byte 0xA0 used in GSM SIM
+% \end{itemize}
+% \item USIM cards
+% \begin{itemize}
+% \item Completely new approach based on ETSI UICC spec, multi-application capable
+% \item Selection of ADF.USIM by AID
+% \item Many new files
+% \item backwards compatibility achieved by placing DF.GSM
+% in MF and linking (think of symlink/hardlink) of
+% relevant files
+% \item Authentication for GSM and UMTS can be completely
+% different (algorithm, secret key used, ...)
+% \end{itemize}
+% \item Additional application profiles exist for GSM-R, TETRA and
+% other ETSI related communications systems.
+%\end{itemize}
+%\end{frame}
+
+%\begin{frame}{Evolution of Specifications}
+%\begin{itemize}
+% \item Classic SIM: ETSI TS 11.11 / 3GPP TS 51.011
+% \item UICC Card: 3GPP TS 31.101, 31.900, ETSI TS 102 221, 102 222
+% \item USIM application: 3GPP TS 31.102
+% \item ISIM application for IMS (VoIP for LTE): 3GPP TS 31.103
+%\end{itemize}
+%\end{frame}
+
+%\begin{frame}{ISIM Application Dedicated File (ADF.ISIM)}
+%\begin{figure}[h]
+% \centering
+% \includegraphics[width=110mm]{isim-dir-struct.png}
+%\end{figure}
+%\end{frame}
+
+\subsection{SIM Application Toolkit (SAT)}
+
+\begin{frame}{SIM Application Toolkit (SAT)}
+\begin{itemize}
+ \item Ability for card to run applications that have UI on the phone
+ \begin{itemize}
+ \item Display menu items on-screen
+ \item Get user input from keypad/touch-screen
+ \end{itemize}
+ \item Original Version Described in TS 11.14 and 11.11
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Proactive SIM}
+The {\em Proactive SIM} features
+\begin{itemize}
+ \item Sending a short message
+ \item Setting up a voice call
+ \item Playback of a tone in earpiece
+ \item Providing location information from ME to SIM
+ \item Have ME execute timers on behalf of SIM
+ \item Sending DTMF to network
+ \item Running an AT command received from SIM, sending result back to SIM
+ \item Ask ME to launch browser to SIM-provided URL
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Call and SMS Control}
+\begin{itemize}
+ \item ME passes MO call setup attempts to SIM for approval
+ \item SIM can then
+ \begin{itemize}
+ \item approve or decline the MO call
+ \item modify the call details such as phone number
+ \item replace the call with USSD message
+ \end{itemize}
+ \item ME passes USSD requests similar to Call Control
+ \item Similar mechanism exists for all MO SMS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Provide local information}
+The SIM can inquire the ME about
+\begin{itemize}
+ \item MCC / MNC / LAC / Cell ID
+ \item IMEI of ME
+ \item Network Measurement Results
+ \item BCCH channel list
+ \item Date, Time, Timezone
+ \item ME language setting
+ \item Timing Advance
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Event download}
+The SIM is notified by ME about certain events such as
+\begin{itemize}
+ \item Call Connected / Disconnected
+ \item Location Status (Location Area change)
+ \item User activity (keyboard input)
+ \item Idle screen available
+ \item Browser termination
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT - Data download}
+\begin{itemize}
+ \item Enables Operator to exchange arbitrary data with the SIM
+ \item Could be RFM (Remote File Management)
+ \begin{itemize}
+ \item Read or modify phone book entries
+ \item Even change the IMSI of the SIM (!)
+ \end{itemize}
+ \item In case of Java Card, can be download of card applets
+ \begin{itemize}
+ \item Applets are stored permanently on SIM
+ \item Can later use SAT procedures to interact with ME
+ \item TS 03.19 specifies Java API to access SAT from Java RE
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT - Data download}
+SAT Data Download can happen via
+\begin{itemize}
+ \item via SMS or Cell Broadcast
+ \begin{itemize}
+ \item Uses TS 03.40 TP-PID {\em SIM DATA Download}
+ \item ME forwards such SMS to the SIM in {\tt ENVELOPE} APDU
+ \item Response from SIM is sent back as MO-SMS or DELIVERY REPORT
+ \end{itemize}
+ \item via BIP (Bearer Independent Protocol)
+ \begin{itemize}
+ \item Dedicated CSD call between network and SIM
+ \item GPRS session between network and SIM
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT - Data download}{Data download security}
+\begin{itemize}
+ \item GSM TS 03.48 specifies secure messaging for data download
+ \item Includes replay protection
+ \item Supports DES and 3DES
+ \item SMS chaining for long commands / large data
+\end{itemize}
+\end{frame}
+
+\subsection{SIM threat model}
+\begin{frame}{SIM card abuse by hostile operator}
+\begin{itemize}
+ \item Even if the phone might be considered trusted, the SIM card is owned and controlled by the operator
+ \item Using SAT features, the operator can control many aspects of the phone
+ \item Examples
+ \begin{itemize}
+ \item Remotely reading address book / stored SMS
+ \item Monitor user behavior (browser termination, idle screen, ...)
+ \item Ask phone to establish packet data session
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SIM card re-programming by attacker}
+\begin{itemize}
+ \item If the SIM is not properly secured (auth + encryption keys, ...) a third party attacker can send SAT envelope SMS to the card and install resident Java applets
+ \item The attacker can then
+ \begin{itemize}
+ \item Obtain detailed location information and send it via SMS
+ \item Intercept/log outgoing calls
+ \item Sending copies of incoming + outgoing SMS elsewhere
+ \end{itemize}
+ \item Even using SIM card channel to exploit baseband stack is feasible
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SIM card proxy / MITM by attacker}
+As soon as an attacker has temporary physical access to a phone, he can
+\begin{itemize}
+ \item Insert a proxy-SIM between real SIM and phone
+ \item Do everything a Java applet could do, but even with a securely configured SIM as he does not modify the existing SIM
+ \item Sniff current Kc and send it out e.g. via SMS or even UDP/TCP packets over GPRS
+ \item ... by only using standard interfaces that are common among all phones (as opposed to baseband software hacking which is very model-specific)
+\end{itemize}
+Most users would never notice this as they rarely check their SIM slot
+\end{frame}
+
+%%%%%%
+\subsection{SIM attacks countermeasures}
+
+\begin{frame}{Defending against SIM based attacks}
+\begin{itemize}
+ \item SIM cards are Operator issued, Ki is on the SIM
+ \begin{itemize}
+ \item SIM card can thus not be replaced, but original SIM must be used
+ \end{itemize}
+ \item Configure telephone to not store contacts or SMS on SIM
+ \item Communication between SIM and ME is not encrypted/authenticated
+ \item Solution: Proxy SIM between SIM and ME to break STK / OTA
+ \begin{itemize}
+ \item Filter all STK/OTA/Proactive commands like ENVELOPE
+ \item Indicate lack of STK support to ME (EF.Phase)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Proxy SIM with firewall}
+\begin{itemize}
+ \item There are no known commercial products that implement STK/OTA filtering
+ \item But there are a number of shim SIM cards that are plugged between SIM and SIM slot
+ \item Most of them are used for SIM unlocking modern phones
+ \item Some vendors produce freely (re)programmable proxy SIMs:
+\end{itemize}
+\begin{figure}[h]
+\subfigure{\includegraphics[width=40mm]{bladox-turbosim.jpg}}
+\subfigure{\includegraphics[width=25mm]{rebelsim2.jpg}}
+ \caption{Bladox TurboSIM (AVR) and RebelSIM II (8051)}
+ %\caption{Bladox Turbo SIM (AVR)}}
+\end{figure}
+\end{frame}
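Review bot: The Terminology frame defines ME as `GSM Mobile Equipment (MS + SIM)`, which inverts the relationship: the ME is the handset without the card and the MS is ME plus SIM, and later frames rely on that meaning ("Providing location information from ME to SIM", "Communication between SIM and ME is not encrypted/authenticated"). I would change the two items to `\item[ME] GSM Mobile Equipment (phone, modem; without SIM)` and `\item[MS] GSM Mobile Station (ME + SIM)`. In the Smart Card Filesystem frame, EF stands for elementary file (the ISO 7816-4 term) rather than entry file. Separately, the data download security frame lists "Supports DES and 3DES" with no caveat, although the re-programming frame hinges on the SIM being properly secured; an extra item such as `\item Single DES is no longer adequate; OTA keys should be 3DES or stronger` would make that dependency explicit.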
diff --git a/2014/simtrace-openfest2014/rebelsim2.jpg b/2014/simtrace-openfest2014/rebelsim2.jpg
new file mode 100644
index 0000000..0ba6247
--- /dev/null
+++ b/2014/simtrace-openfest2014/rebelsim2.jpg
Binary files differ
diff --git a/2014/simtrace-openfest2014/section-simtrace.tex b/2014/simtrace-openfest2014/section-simtrace.tex
new file mode 100644
index 0000000..0d6ffc4
--- /dev/null
+++ b/2014/simtrace-openfest2014/section-simtrace.tex
@@ -0,0 +1,75 @@
+\section{Osmocom SIMtrace}
+
+\subsection{Analyzing SIM drivers and STK apps}
+
+\begin{frame}{Analyzing SIM toolkit applications is hard}
+\begin{itemize}
+ \item Regular end-user phone does not give much debugging
+ \item SIM card itself has no debug interface for printing error messages, warnings, etc.
+ \item However, as SIM-ME interface is unencrypted, sniffing / tracing is possible
+ \item Commercial / proprietary solutions exist, but are expensive (USD 5,000 and up)
+ \item Technically, sniffing smard card interfaces is actually very simple
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom SIMtrace Introduction}
+
+\begin{frame}{Introducing Osmocom SIMtrace}
+\begin{itemize}
+ \item Osmocom SIMtrace is a passive (U)SIM-ME communication sniffer
+ \item Insert SIM adapter cable into actual phone
+ \item Insert (U)SIM into SIMtrace hardware
+ \item SIMtrace hardware provides USB interface to host PC
+ \item {\tt simtrace} host PC program encapsulates APDU in GSMTAP
+ \item GSMTAP is sent via UDP to localhost
+ \item wireshark dissector for GSM TS 11.11 decodes APDUs
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom SIMtrace Hardware}
+
+\begin{frame}{Osmocom SIMtrace Principle}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=70mm]{simtrace-schema.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmocom SIMtrace Hardware}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=105mm]{simtrace_and_phone.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmocom SIMtrace Hardware}
+\begin{itemize}
+ \item Hardware is based around AT91SAM7S controller
+ \item SAM7S Offers two ISO 7816-3 compatible USARTs
+ \item USARTs can be clock master (SIM reader) or slave (SIM card)
+ \item Open Source Firmware on SAM7S implementing APDU sniffing
+ \item Auto-bauding depending CLK signal, PPS supported
+ \item Schematics / layout is open source (CC-BY-SA)
+ \item Assembled + tested kits can be bought from {\url http://shop.sysmocom.de/}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{wireshark decoding}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=95mm]{wireshark-sim.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{SIMtrace TODO}
+SIMtrace hardware is capable, but no software yet for:
+\begin{itemize}
+ \item perform MITM (APDU filtering)
+ \item full software SIM card emulation
+ \item PC/SC compatible smart card reader
+ \item autonomous tracing operation (No PC / USB), store APDU logs {\em in the field} on integrated SPI flash
+\end{itemize}
+Firmware and host software all FOSS, anyone can extend and innovate!
+\end{frame}
+
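Review bot: In the "Osmocom SIMtrace Hardware" item list the shop link is written `{\url http://shop.sysmocom.de/}` in font-switch style; `\url` expects its argument in braces, so this probably links or typesets only part of the address and should read `\url{http://shop.sysmocom.de/}`. The "Introducing Osmocom SIMtrace" frame describes APDUs being forwarded as GSMTAP over UDP and decoded in wireshark, but it does not say that such traces are sensitive. Going by the command and file lists in part-sim.tex, they can include the PIN from VERIFY CHV as well as the IMSI and Kc. I would add an item along the lines of `\item Traces contain PIN, IMSI and session keys -- treat capture files as secrets`. In the first frame, "smard card" is a typo for "smart card".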
diff --git a/2014/simtrace-openfest2014/sim-mf-df_gsm.png b/2014/simtrace-openfest2014/sim-mf-df_gsm.png
new file mode 100644
index 0000000..f953075
--- /dev/null
+++ b/2014/simtrace-openfest2014/sim-mf-df_gsm.png
Binary files differ
diff --git a/2014/simtrace-openfest2014/simtrace-schema.png b/2014/simtrace-openfest2014/simtrace-schema.png
new file mode 100644
index 0000000..c324255
--- /dev/null
+++ b/2014/simtrace-openfest2014/simtrace-schema.png
Binary files differ
diff --git a/2014/simtrace-openfest2014/simtrace.pdf b/2014/simtrace-openfest2014/simtrace.pdf
new file mode 100644
index 0000000..33aaea4
--- /dev/null
+++ b/2014/simtrace-openfest2014/simtrace.pdf
Binary files differ
diff --git a/2014/simtrace-openfest2014/simtrace.snm b/2014/simtrace-openfest2014/simtrace.snm
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/2014/simtrace-openfest2014/simtrace.snm
diff --git a/2014/simtrace-openfest2014/simtrace.tex b/2014/simtrace-openfest2014/simtrace.tex
new file mode 100644
index 0000000..c17c1b6
--- /dev/null
+++ b/2014/simtrace-openfest2014/simtrace.tex
@@ -0,0 +1,158 @@
+
+\newcommand{\degree}{\ensuremath{^\circ}}
+%\documentclass[handout]{beamer}
+\documentclass{beamer}
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode<presentation>
+{
+ \usetheme{CambridgeUS}
+ \usecolortheme{whale}
+
+%\setbeamercolor{titlelike}{parent=palette primary,fg=black}
+\setbeamercolor{frametitle}{use=block title,fg=black,bg=block title.bg!10!bg}
+% from beamercolorthemeorchid.sty to make it look more like warsaw
+\setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black}
+\setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted text.fg!75!black}
+\setbeamercolor{block title example}{use=example text,fg=white,bg=example text.fg!75!black}
+
+\setbeamercolor{block body}{parent=normal text,use=block title,bg=block title.bg!10!bg}
+\setbeamercolor{block body alerted}{parent=normal text,use=block title alerted,bg=block title alerted.bg!10!bg}
+\setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!10!bg}
+
+
+
+ % or ...
+
+ %\setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+\mode<handout>{
+ \usepackage{misc/handoutWithNotes}
+ \pgfpagesuselayout{2 on 1 with notes landscape}[a4paper,border shrink=5mm]
+ \usecolortheme{seahorse}
+}
+
+% ensure the page number is printed in front of the author name in the footer
+%\newcommand*\oldmacro{}
+%\let\oldmacro\insertshortauthor% save previous definition
+%\renewcommand*\insertshortauthor{%
+% \leftskip=.3cm% before the author could be a plus1fill ...
+% \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro}
+
+\usepackage[english]{babel}
+\usepackage[latin1]{inputenc}
+\usepackage{times}
+\usepackage[T1]{fontenc}
+
+\usepackage{subfigure}
+\usepackage{hyperref}
+\usepackage{textcomp,listings}
+%\usepackage{german}
+\lstset{basicstyle=\scriptsize\ttfamily, upquote, tabsize=8}
+
+
+\title{Osmocom SIMtrace}
+
+\subtitle{SIM card protocol tracing - why and how}
+
+\author{Harald~Welte}
+
+%\institute{sysmocom - s.f.m.c. GmbH}
+
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[November 2014] % (optional, should be abbreviation of conference name)
+%{DeepSec Conference, November 2011, Vienna/Austria}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{GSM}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}<beamer>{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+%\include{part-introduction}
+
+
+\part{Java SIM}
+\include{part-sim}
+
+\include{section-simtrace}
+
+%\include{part-ota}
+
+\end{document}
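Review bot: `\date[November 2014]` carries only its optional short form; the braced date that should follow is commented out on the next line, so `\date` takes whatever token comes next as its argument and the title page is likely to show no date. Something like `\date[November 2014]{OpenFest, November 2014}` would fix it (the event name is inferred from the directory name, so please confirm). The handout mode loads `misc/handoutWithNotes`, which is not among the files this commit adds to the directory, so building with `\documentclass[handout]{beamer}` presumably fails unless that package is available elsewhere. `\usepackage{times}` and `\usepackage{subfigure}` are obsolete; a `newtx` font package and `subcaption` are the current replacements, though the latter needs the `\subfigure{...}` calls in part-sim.tex adapted.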
diff --git a/2014/simtrace-openfest2014/simtrace_and_phone.jpg b/2014/simtrace-openfest2014/simtrace_and_phone.jpg
new file mode 100644
index 0000000..7c53de2
--- /dev/null
+++ b/2014/simtrace-openfest2014/simtrace_and_phone.jpg
Binary files differ
diff --git a/2014/simtrace-openfest2014/usim-dir-structure.png b/2014/simtrace-openfest2014/usim-dir-structure.png
new file mode 100644
index 0000000..180be9f
--- /dev/null
+++ b/2014/simtrace-openfest2014/usim-dir-structure.png
Binary files differ
diff --git a/2014/simtrace-openfest2014/wireshark-sim.png b/2014/simtrace-openfest2014/wireshark-sim.png
new file mode 100644
index 0000000..e05f5b6
--- /dev/null
+++ b/2014/simtrace-openfest2014/wireshark-sim.png
Binary files differ