From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- 2014/simtrace-openfest2014/bladox-turbosim.jpg | Bin 0 -> 8304 bytes 2014/simtrace-openfest2014/isim-dir-struct.png | Bin 0 -> 29015 bytes 2014/simtrace-openfest2014/part-sim.tex | 410 ++++++++++++++++++++++ 2014/simtrace-openfest2014/rebelsim2.jpg | Bin 0 -> 35929 bytes 2014/simtrace-openfest2014/section-simtrace.tex | 75 ++++ 2014/simtrace-openfest2014/sim-mf-df_gsm.png | Bin 0 -> 53017 bytes 2014/simtrace-openfest2014/simtrace-schema.png | Bin 0 -> 21129 bytes 2014/simtrace-openfest2014/simtrace.pdf | Bin 0 -> 337816 bytes 2014/simtrace-openfest2014/simtrace.snm | 0 2014/simtrace-openfest2014/simtrace.tex | 158 +++++++++ 2014/simtrace-openfest2014/simtrace_and_phone.jpg | Bin 0 -> 71804 bytes 2014/simtrace-openfest2014/usim-dir-structure.png | Bin 0 -> 59117 bytes 2014/simtrace-openfest2014/wireshark-sim.png | Bin 0 -> 69995 bytes 13 files changed, 643 insertions(+) create mode 100644 2014/simtrace-openfest2014/bladox-turbosim.jpg create mode 100644 2014/simtrace-openfest2014/isim-dir-struct.png create mode 100644 2014/simtrace-openfest2014/part-sim.tex create mode 100644 2014/simtrace-openfest2014/rebelsim2.jpg create mode 100644 2014/simtrace-openfest2014/section-simtrace.tex create mode 100644 2014/simtrace-openfest2014/sim-mf-df_gsm.png create mode 100644 2014/simtrace-openfest2014/simtrace-schema.png create mode 100644 2014/simtrace-openfest2014/simtrace.pdf create mode 100644 2014/simtrace-openfest2014/simtrace.snm create mode 100644 2014/simtrace-openfest2014/simtrace.tex create mode 100644 2014/simtrace-openfest2014/simtrace_and_phone.jpg create mode 100644 2014/simtrace-openfest2014/usim-dir-structure.png create mode 100644 2014/simtrace-openfest2014/wireshark-sim.png (limited to '2014/simtrace-openfest2014') 
diff --git a/2014/simtrace-openfest2014/bladox-turbosim.jpg b/2014/simtrace-openfest2014/bladox-turbosim.jpg
new file mode 100644
index 0000000..02b6372
Binary files /dev/null and b/2014/simtrace-openfest2014/bladox-turbosim.jpg differ
diff --git a/2014/simtrace-openfest2014/isim-dir-struct.png b/2014/simtrace-openfest2014/isim-dir-struct.png
new file mode 100644
index 0000000..3c81156
Binary files /dev/null and b/2014/simtrace-openfest2014/isim-dir-struct.png differ
diff --git a/2014/simtrace-openfest2014/part-sim.tex b/2014/simtrace-openfest2014/part-sim.tex
new file mode 100644
index 0000000..a8f737a
--- /dev/null
+++ b/2014/simtrace-openfest2014/part-sim.tex
@@ -0,0 +1,410 @@
+\section{SIM Cards}
+
+\subsection{Smart Card Basics}
+
+\begin{frame}{Terminology}
+\begin{description}
+ \item[SIM] Subscriber Identity Module
+ \item[USIM] Universal Subscriber Identity Mdoule
+ \item[UICC] Universal Integrated Chip Card
+ \item[MS] GSM Mobile Station (phone, modem)
+ \item[UE] UMTS User Equipment
+ \item[ME] GSM Mobile Equipment (MS + SIM)
+ \item[OTA] Over The Air
+ \item[SAT] SIM Application Toolkit
+ \item[CAT] Card (UICC) Application Toolkit
+ \item[USAT] USIM Application Toolkit
+ \item[TAR] Toolkit Application Reference
+\end{description}
+\end{frame}
+
+\begin{frame}{Relevant Specification Bodies}
+\begin{itemize}
+ \item ISO (ISO 7816) smart cards
+ \item ETSI (Eurpoean Telecomms Standardisation Institute)
+ \begin{itemize}
+ \item Classic GSM SIM
+ \item UICC card as basis for various telecom ID purposes
+ \item Card Application Toolkit (CAT)
+ \end{itemize}
+ \item 3GPP (3rd Generation Partnership Project)
+ \begin{itemize}
+ \item USIM Application
+ \item USIM Application Toolkit (USAT)
+ \item API based applet interworking
+ \end{itemize}
+ \item Global Platform
+ \begin{itemize}
+ \item Overall spec for SIM/USIM with Java
+ \end{itemize}
+ \item Sun Microsystems (now Oracle)
+ \begin{itemize}
+ \item Java Card Virtual Machine
+ \item Java Card Runtime Environment
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The Subscriber Identity Module (SIM)}
+\begin{itemize}
+ \item Basic idea was to store cryptographic identity of subscriber inside smart card
+ \item User can thus migrate identity from one device to another
+ \item User can furthermore use different SIM in same device (e.g. local prepaid SIM while travelling)
+ \item Original SIM card design mostly ISO 7816-4 filesystem and single command to execute A3/A8 algorithm inside card
+ \begin{itemize}
+ \item This could even be done in logic, no processor required
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The modern SIM}
+The modern SIM is an entirely different beast
+\begin{itemize}
+ \item Cryptographic processor smart card
+ \begin{itemize}
+ \item Symmetric cryptography such as DES, 3DES, AES
+ \item Public key cryptography such as RSA, ECC
+ \end{itemize}
+ \item Java Card including a small Java VM and Java RE
+ \item Multiple application support
+ \item Ability to download applications (Applets) into card
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Basics}
+\begin{itemize}
+ \item microprocessor with RAM, Flash and Operating System
+ \item Interface: Electrical + Logical Protocol (ISO7816-3, ISO7816-4)
+ \item File System based representation of information
+ \item Protocol describes remote operations on the file system
+ \item Few non-filesystem related commands for e.g. authentication
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Filesystem}
+\begin{itemize}
+\item Hierarchical file system like on PC
+\begin{description}[MF]
+ \item[MF] (master file): root directory
+ \item[DF] (dedicated file): subdirectory
+ \item[EF] (entry file): actual file
+ \begin{itemize}
+ \item transparent or record oriented
+ \item record linear fixed/variable or record cyclic
+ \end{itemize}
+\end{description}
+\item File names don't exist on card. 16bit FID (File ID) or 8bit SFID used instead
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Filesystem Hierarchy}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=110mm]{sim-mf-df_gsm.png}
+\end{figure}
+\end{frame}
+
+
+%\begin{frame}{Smart Card Filesystem Permissions}
+%\begin{itemize}
+% \item similar to 'permission bits' on Linux or other PC OS
+% \item each file can define separate read/write permissions
+% \item some cards are permanently read-only
+% \item other files can be written to after regular PIN verification
+% \item yet another set of files e.g. needs one of the ADM PINs
+%\end{itemize}
+%\end{frame}
+
+
+%\begin{frame}{Smart Card Logical Channels}
+%\begin{itemize}
+% \item Initially Smart Cards had only one interface (UART)
+% \item This means that only one application on the host side can interact with it, as there's sharde state
+% \item logical channels introduce a concept where this connection is virtualized, and multiple separate states (including with different access privileges) can exist in parallel
+%\end{itemize}
+%\end{frame}
+
+\begin{frame}{SIM Card APDU Commands}
+Classic SIM card commands include the following
+\begin{itemize}
+ \item SELECT (change directory / open file)
+ \item READ BINARY, UPDATE BINARY (read/write transparent EF)
+ \item READ RECORD, UPDATE RECORD (read/write record EF)
+ \item ENABLE CHV, DISABLE CHV, CHANGE CHV (enable, disable or change PIN)
+ \item VERIFY CHV, UNBLOCK CHV (verify or unblock PIN)
+ \item RUN GSM ALGORITHM (A3/A8 authentication)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Filesystem}
+Typical operations of the phone include
+\begin{itemize}
+ \item navigating inside filesystem by SELECT on DF/EF
+ \item authenticating the user PIN
+ \item reading/updating files
+ \begin{itemize}
+ \item reading IMSI
+ \item old-school SMS and contact storage
+ \item storing session keys (Kc/KcGPRS, ...)
+ \item storing last cell on power-off
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card PINs}
+The level of access to the filesystem and other card features is
+determined by authentication using a shared secret, called 'PIN'.
+\begin{itemize}
+ \item Regular PIN for normal use of the card by the end user
+ \item PUK for resetting the pin after too many retries
+ \item ADM1..n PIN for access by the operator only
+\end{itemize}
+\end{frame}
+
+%\begin{frame}{Multi-Application Smart Cards}
+%\begin{itemize}
+% \item Classic SIM cards are single application, accessing the
+% GSM related files works by entering the known DF.GSM
+% directory with its well-known FID
+% \item Later the idea of multi-application smart cards entered
+% the market
+% \item A multi-application smart card contains an EF.DIR in the
+% MF
+% \item EF.DIR contains records with the AIDs of all applications
+% on the card.
+% \item AID prefix is well-known to the application, AID suffix is
+% manufacturer specific. Applications use prefix-match
+% \item application specific directory can be entered by SELECT on
+% the AID
+%\end{itemize}
+%\end{frame}
+
+%\begin{frame}{USIM Application Dedicated File (ADF.USIM)}
+%\begin{figure}[h]
+% \centering
+% \includegraphics[width=110mm]{usim-dir-structure.png}
+%\end{figure}
+%\end{frame}
+
+
+%\subsection{From SIM to UICC and USIM}
+
+%\begin{frame}{Evolution of the SIM}
+%\begin{itemize}
+% \item Classic GSM SIM cards
+% \begin{itemize}
+% \item initial GSM / ETSI TS 11.11 for classic GSM SIM, based on ISO 7816-2/3/4
+% \item small changes for GPRS support by introducing a few new optional files
+% \item Class byte 0xA0 used in GSM SIM
+% \end{itemize}
+% \item USIM cards
+% \begin{itemize}
+% \item Completely new approach based on ETSI UICC spec, multi-application capable
+% \item Selection of ADF.USIM by AID
+% \item Many new files
+% \item backwards compatibility achieved by placing DF.GSM
+% in MF and linking (think of symlink/hardlink) of
+% relevant files
+% \item Authentication for GSM and UMTS can be completely
+% different (algorithm, secret key used, ...)
+% \end{itemize}
+% \item Additional application profiles exist for GSM-R, TETRA and
+% other ETSI related communications systems.
+%\end{itemize}
+%\end{frame}
+
+%\begin{frame}{Evolution of Specifications}
+%\begin{itemize}
+% \item Classic SIM: ETSI TS 11.11 / 3GPP TS 51.011
+% \item UICC Card: 3GPP TS 31.101, 31.900, ETSI TS 102 221, 102 222
+% \item USIM application: 3GPP TS 31.102
+% \item ISIM application for IMS (VoIP for LTE): 3GPP TS 31.103
+%\end{itemize}
+%\end{frame}
+
+%\begin{frame}{ISIM Application Dedicated File (ADF.ISIM)}
+%\begin{figure}[h]
+% \centering
+% \includegraphics[width=110mm]{isim-dir-struct.png}
+%\end{figure}
+%\end{frame}
+
+\subsection{SIM Application Toolkit (SAT)}
+
+\begin{frame}{SIM Application Toolkit (SAT)}
+\begin{itemize}
+ \item Ability for card to run applications that have UI on the phone
+ \begin{itemize}
+ \item Display menu items on-screen
+ \item Get user input from keypad/touch-screen
+ \end{itemize}
+ \item Original Version Described in TS 11.14 and 11.11
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Proactive SIM}
+The {\em Proactive SIM} features
+\begin{itemize}
+ \item Sending a short message
+ \item Setting up a voice call
+ \item Playback of a tone in earpiece
+ \item Providing location information from ME to SIM
+ \item Have ME execute timers on behalf of SIM
+ \item Sending DTMF to network
+ \item Running an AT command received from SIM, sending result back to SIM
+ \item Ask ME to launch browser to SIM-provided URL
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Call and SMS Control}
+\begin{itemize}
+ \item ME passes MO call setup attempts to SIM for approval
+ \item SIM can then
+ \begin{itemize}
+ \item approve or decline the MO call
+ \item modify the call details such as phone number
+ \item replace the call with USSD message
+ \end{itemize}
+ \item ME passes USSD requests similar to Call Control
+ \item Similar mechanism exists for all MO SMS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Provide local information}
+The SIM can inquire the ME about
+\begin{itemize}
+ \item MCC / MNC / LAC / Cell ID
+ \item IMEI of ME
+ \item Network Measurement Results
+ \item BCCH channel list
+ \item Date, Time, Timezone
+ \item ME language setting
+ \item Timing Advance
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Event download}
+The SIM is notified by ME about certain events such as
+\begin{itemize}
+ \item Call Connected / Disconnected
+ \item Location Status (Location Area change)
+ \item User activity (keyboard input)
+ \item Idle screen available
+ \item Browser termination
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT - Data download}
+\begin{itemize}
+ \item Enables Operator to exchange arbitrary data with the SIM
+ \item Could be RFM (Remote File Management)
+ \begin{itemize}
+ \item Read or modify phone book entries
+ \item Even change the IMSI of the SIM (!)
+ \end{itemize}
+ \item In case of Java Card, can be download of card applets
+ \begin{itemize}
+ \item Applets are stored permanently on SIM
+ \item Can later use SAT procedures to interact with ME
+ \item TS 03.19 specifies Java API to access SAT from Java RE
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT - Data download}
+SAT Data Download can happen via
+\begin{itemize}
+ \item via SMS or Cell Broadcast
+ \begin{itemize}
+ \item Uses TS 03.40 TP-PID {\em SIM DATA Download}
+ \item ME forwards such SMS to the SIM in {\tt ENVELOPE} APDU
+ \item Response from SIM is sent back as MO-SMS or DELIVERY REPORT
+ \end{itemize}
+ \item via BIP (Bearer Independent Protocol)
+ \begin{itemize}
+ \item Dedicated CSD call between network and SIM
+ \item GPRS session between network and SIM
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT - Data download}{Data download security}
+\begin{itemize}
+ \item GSM TS 03.48 specifies secure messaging for data download
+ \item Includes replay protection
+ \item Supports DES and 3DES
+ \item SMS chaining for long commands / large data
+\end{itemize}
+\end{frame}
+
+\subsection{SIM threat model}
+\begin{frame}{SIM card abuse by hostile operator}
+\begin{itemize}
+ \item Even if the phone might be considered trusted, the SIM card is owned and controlled by the operator
+ \item Using SAT features, the operator can control many aspects of the phone
+ \item Examples
+ \begin{itemize}
+ \item Remotely reading address book / stored SMS
+ \item Monitor user behavior (browser termination, idle screen, ...)
+ \item Ask phone to establish packet data session
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SIM card re-programming by attacker}
+\begin{itemize}
+ \item If the SIM is not properly secured (auth + encryption keys, ...) a third party attacker can send SAT envelope SMS to the card and install resident Java applets
+ \item The attacker can then
+ \begin{itemize}
+ \item Obtain detailed location information and send it via SMS
+ \item Intercept/log outgoing calls
+ \item Sending copies of incoming + outgoing SMS elsewhere
+ \end{itemize}
+ \item Even using SIM card channel to exploit baseband stack is feasible
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SIM card proxy / MITM by attacker}
+As soon as an attacker has temporary physical access to a phone, he can
+\begin{itemize}
+ \item Insert a proxy-SIM between real SIM and phone
+ \item Do everything a Java applet could do, but even with a securely configured SIM as he does not modify the existing SIM
+ \item Sniff current Kc and send it out e.g. via SMS or even UDP/TCP packets over GPRS
+ \item ... by only using standard interfaces that are common among all phones (as opposed to baseband software hacking which is very model-specific)
+\end{itemize}
+Most users would never notice this as they rarely check their SIM slot
+\end{frame}
+
+%%%%%%
+\subsection{SIM attacks countermeasures}
+
+\begin{frame}{Defending against SIM based attacks}
+\begin{itemize}
+ \item SIM cards are Operator issued, Ki is on the SIM
+ \begin{itemize}
+ \item SIM card can thus not be replaced, but original SIM must be used
+ \end{itemize}
+ \item Configure telephone to not store contacts or SMS on SIM
+ \item Communication between SIM and ME is not encrypted/authenticated
+ \item Solution: Proxy SIM between SIM and ME to break STK / OTA
+ \begin{itemize}
+ \item Filter all STK/OTA/Proactive commands like ENVELOPE
+ \item Indicate lack of STK support to ME (EF.Phase)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Proxy SIM with firewall}
+\begin{itemize}
+ \item There are no known commercial products that implement STK/OTA filtering
+ \item But there are a number of shim SIM cards that are plugged between SIM and SIM slot
+ \item Most of them are used for SIM unlocking modern phones
+ \item Some vendors produce freely (re)programmable proxy SIMs:
+\end{itemize}
+\begin{figure}[h]
+\subfigure{\includegraphics[width=40mm]{bladox-turbosim.jpg}}
+\subfigure{\includegraphics[width=25mm]{rebelsim2.jpg}}
+ \caption{Bladox TurboSIM (AVR) and RebelSIM II (8051)}
+ %\caption{Bladox Turbo SIM (AVR)}}
+\end{figure}
+\end{frame}
diff --git a/2014/simtrace-openfest2014/rebelsim2.jpg b/2014/simtrace-openfest2014/rebelsim2.jpg
new file mode 100644
index 0000000..0ba6247
Binary files /dev/null and b/2014/simtrace-openfest2014/rebelsim2.jpg differ
diff --git a/2014/simtrace-openfest2014/section-simtrace.tex b/2014/simtrace-openfest2014/section-simtrace.tex
new file mode 100644
index 0000000..0d6ffc4
--- /dev/null
+++ b/2014/simtrace-openfest2014/section-simtrace.tex
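Review bot: The `Terminology` frame misspells `\item[USIM] Universal Subscriber Identity Mdoule` and the `Relevant Specification Bodies` frame misspells `\item ETSI (Eurpoean Telecomms Standardisation Institute)`; these should read `Module` and `European`. Frame titles mix dash styles: `SAT -- Proactive SIM`, `SAT -- Call and SMS Control` and `SAT -- Event download` use an en-dash while the three `SAT - Data download` frames use a bare hyphen, and those three share an identical title, so a distinguishing subtitle on each (as the third one already has) would help the reader navigate. `{\em Proactive SIM}`, `{\em SIM DATA Download}` and `{\tt ENVELOPE}` are plain-TeX font switches; `\emph{...}` and `\texttt{...}` are the LaTeX forms. `\subfigure{...}` in the `Proxy SIM with firewall` frame comes from the deprecated `subfigure` package; the `subfigure` environment of `subcaption` is the current replacement, which also requires the corresponding `\usepackage` line in simtrace.tex to change.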
@@ -0,0 +1,75 @@
+\section{Osmocom SIMtrace}
+
+\subsection{Analyzing SIM drivers and STK apps}
+
+\begin{frame}{Analyzing SIM toolkit applications is hard}
+\begin{itemize}
+ \item Regular end-user phone does not give much debugging
+ \item SIM card itself has no debug interface for printing error messages, warnings, etc.
+ \item However, as SIM-ME interface is unencrypted, sniffing / tracing is possible
+ \item Commercial / proprietary solutions exist, but are expensive (USD 5,000 and up)
+ \item Technically, sniffing smard card interfaces is actually very simple
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom SIMtrace Introduction}
+
+\begin{frame}{Introducing Osmocom SIMtrace}
+\begin{itemize}
+ \item Osmocom SIMtrace is a passive (U)SIM-ME communication sniffer
+ \item Insert SIM adapter cable into actual phone
+ \item Insert (U)SIM into SIMtrace hardware
+ \item SIMtrace hardware provides USB interface to host PC
+ \item {\tt simtrace} host PC program encapsulates APDU in GSMTAP
+ \item GSMTAP is sent via UDP to localhost
+ \item wireshark dissector for GSM TS 11.11 decodes APDUs
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom SIMtrace Hardware}
+
+\begin{frame}{Osmocom SIMtrace Principle}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=70mm]{simtrace-schema.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmocom SIMtrace Hardware}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=105mm]{simtrace_and_phone.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmocom SIMtrace Hardware}
+\begin{itemize}
+ \item Hardware is based around AT91SAM7S controller
+ \item SAM7S Offers two ISO 7816-3 compatible USARTs
+ \item USARTs can be clock master (SIM reader) or slave (SIM card)
+ \item Open Source Firmware on SAM7S implementing APDU sniffing
+ \item Auto-bauding depending CLK signal, PPS supported
+ \item Schematics / layout is open source (CC-BY-SA)
+ \item Assembled + tested kits can be bought from {\url http://shop.sysmocom.de/}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{wireshark decoding}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=95mm]{wireshark-sim.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{SIMtrace TODO}
+SIMtrace hardware is capable, but no software yet for:
+\begin{itemize}
+ \item perform MITM (APDU filtering)
+ \item full software SIM card emulation
+ \item PC/SC compatible smart card reader
+ \item autonomous tracing operation (No PC / USB), store APDU logs {\em in the field} on integrated SPI flash
+\end{itemize}
+Firmware and host software all FOSS, anyone can extend and innovate!
+\end{frame}
+
diff --git a/2014/simtrace-openfest2014/sim-mf-df_gsm.png b/2014/simtrace-openfest2014/sim-mf-df_gsm.png
new file mode 100644
index 0000000..f953075
Binary files /dev/null and b/2014/simtrace-openfest2014/sim-mf-df_gsm.png differ
diff --git a/2014/simtrace-openfest2014/simtrace-schema.png b/2014/simtrace-openfest2014/simtrace-schema.png
new file mode 100644
index 0000000..c324255
Binary files /dev/null and b/2014/simtrace-openfest2014/simtrace-schema.png differ
diff --git a/2014/simtrace-openfest2014/simtrace.pdf b/2014/simtrace-openfest2014/simtrace.pdf
new file mode 100644
index 0000000..33aaea4
Binary files /dev/null and b/2014/simtrace-openfest2014/simtrace.pdf differ
diff --git a/2014/simtrace-openfest2014/simtrace.snm b/2014/simtrace-openfest2014/simtrace.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2014/simtrace-openfest2014/simtrace.tex b/2014/simtrace-openfest2014/simtrace.tex
new file mode 100644
index 0000000..c17c1b6
--- /dev/null
+++ b/2014/simtrace-openfest2014/simtrace.tex
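Review bot: `{\url http://shop.sysmocom.de/}` in the third `Osmocom SIMtrace Hardware` frame leaves the URL outside the macro's argument, so `\url` (supplied by the `hyperref` loaded in simtrace.tex) will not receive it intact; it should be `\url{http://shop.sysmocom.de/}`. "smard card" in the `Analyzing SIM toolkit applications is hard` frame should read "smart card". `{\tt simtrace}` and `{\em in the field}` are plain-TeX font switches where `\texttt{simtrace}` and `\emph{in the field}` are the LaTeX forms. The file also ends with a trailing blank line after the last `\end{frame}`, which is harmless but can be dropped.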
@@ -0,0 +1,158 @@
+
+\newcommand{\degree}{\ensuremath{^\circ}}
+%\documentclass[handout]{beamer}
+\documentclass{beamer}
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{CambridgeUS}
+ \usecolortheme{whale}
+
+%\setbeamercolor{titlelike}{parent=palette primary,fg=black}
+\setbeamercolor{frametitle}{use=block title,fg=black,bg=block title.bg!10!bg}
+% from beamercolorthemeorchid.sty to make it look more like warsaw
+\setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black}
+\setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted text.fg!75!black}
+\setbeamercolor{block title example}{use=example text,fg=white,bg=example text.fg!75!black}
+
+\setbeamercolor{block body}{parent=normal text,use=block title,bg=block title.bg!10!bg}
+\setbeamercolor{block body alerted}{parent=normal text,use=block title alerted,bg=block title alerted.bg!10!bg}
+\setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!10!bg}
+
+
+
+ % or ...
+
+ %\setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+\mode{
+ \usepackage{misc/handoutWithNotes}
+ \pgfpagesuselayout{2 on 1 with notes landscape}[a4paper,border shrink=5mm]
+ \usecolortheme{seahorse}
+}
+
+% ensure the page number is printed in front of the author name in the footer
+%\newcommand*\oldmacro{}
+%\let\oldmacro\insertshortauthor% save previous definition
+%\renewcommand*\insertshortauthor{%
+% \leftskip=.3cm% before the author could be a plus1fill ...
+% \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro}
+
+\usepackage[english]{babel}
+\usepackage[latin1]{inputenc}
+\usepackage{times}
+\usepackage[T1]{fontenc}
+
+\usepackage{subfigure}
+\usepackage{hyperref}
+\usepackage{textcomp,listings}
+%\usepackage{german}
+\lstset{basicstyle=\scriptsize\ttfamily, upquote, tabsize=8}
+
+
+\title{Osmocom SIMtrace}
+
+\subtitle{SIM card protocol tracing - why and how}
+
+\author{Harald~Welte}
+
+%\institute{sysmocom - s.f.m.c. GmbH}
+
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[November 2014] % (optional, should be abbreviation of conference name)
+%{DeepSec Conference, November 2011, Vienna/Austria}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{GSM}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+%\include{part-introduction}
+
+
+\part{Java SIM}
+\include{part-sim}
+
+\include{section-simtrace}
+
+%\include{part-ota}
+
+\end{document}
diff --git a/2014/simtrace-openfest2014/simtrace_and_phone.jpg b/2014/simtrace-openfest2014/simtrace_and_phone.jpg
new file mode 100644
index 0000000..7c53de2
Binary files /dev/null and b/2014/simtrace-openfest2014/simtrace_and_phone.jpg differ
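Review bot: `\usepackage{hyperref}` is loaded before `\usepackage{textcomp,listings}`; hyperref patches other packages' internals and should be the last package loaded (cleveref excepted), so move it below the `textcomp,listings` line. `\usepackage{times}` and `\usepackage{subfigure}` are both obsolete — `newtx` (or `mathptmx`) and `subcaption` are the replacements, the latter requiring the `\subfigure` calls in part-sim.tex to become `subfigure` environments — and `\usepackage[latin1]{inputenc}` should become `[utf8]` once the source files are confirmed to be UTF-8 (every line visible in this diff is plain ASCII, so either declaration works today). Both `\mode` occurrences (`\mode` followed by `{`, and `\mode{`) appear without beamer's mode specifier such as `<presentation>` or `<handout>`; if that is not an artifact of how this page was rendered, beamer will not compile the preamble. `\newcommand{\degree}{\ensuremath{^\circ}}` on line 2 precedes `\documentclass`, which works but is unconventional, and `\degree` is also defined by symbol packages such as `gensymb`; defining it after `\documentclass` or using `\textdegree` from the already-loaded `textcomp` avoids the clash.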
diff --git a/2014/simtrace-openfest2014/usim-dir-structure.png b/2014/simtrace-openfest2014/usim-dir-structure.png
new file mode 100644
index 0000000..180be9f
Binary files /dev/null and b/2014/simtrace-openfest2014/usim-dir-structure.png differ
diff --git a/2014/simtrace-openfest2014/wireshark-sim.png b/2014/simtrace-openfest2014/wireshark-sim.png
new file mode 100644
index 0000000..e05f5b6
Binary files /dev/null and b/2014/simtrace-openfest2014/wireshark-sim.png differ
-- cgit v1.2.3