About a week ago, Phil T. & I finished and released our first video! Its called Citizen Engineer. We finally fixed a lingering audio codec problem and so I invite you to watch it.
Citizen Engineer is an online video series about open source hardware,
electronics, art and hacking by Limor (Ladyada) Fried of Adafruit
Industries & Phillip (pt) Torrone of MAKE magazine. The first video
debuts at “The Last HOPE” conference in New York City.
Volume 01 – Phones: SIM card & payphone hacking
Learn how a SIM card works (the small card inside GSM cell phones)
make a SIM card reader, view deleted messages, phone book entries and
clone/crack a SIM card.
Modify a “retired” payphone so it can be used as a home telephone and
for VoIP (Skype). Then learn how to modify the hacked payphone so it
accepts quarters – and lastly, use a Redbox to make “free phone” calls
from the modified coin-accepting payphone.
Basically its me messing around with electronics. I liked making these videos because I got to play around more than I normally do. Not having to design a ‘payphone kit’ means more time spent learning all about payphones. I’m already planning the next video
There’s a matching kit that goes with the video, its a basic SIM card interface. I modified some open source software for SIM interfaces and had a lot of fun reverse-engineering forensics software to figure out what data was hidden where.
Want to build your own SIM card reader? The SIM card reader/writer is available at Adafruit Industries, it is for experimentation and investigation of SIM & Smart cards. Once the kit is built, accompanying software can be used to read and write from the card. Together they can be used to backup stored SIM card data, recover deleted SMS’s and phone contacts, examine the last 10 phone numbers dialed, etc. (Despite being called a SIM reader, it can also write to SIM cards). Source, schematics and software included.
Update: We now a full text transcript, click more to read!
Our first project is going to be a SIM card reader. But before we dive into that, it’s useful to know all sorts of information about SIM cards, like how to interface with them, and what sort of data we can get out of a SIM card.
So, let’s begin with the fundamentals. What is a SIM card, and how does it attract with the GSM network? So, let’s go to the workbench.
MALE SPEAKER: GSM, or Global System for Mobile communication, originally called Group Special Mobile, is kind of interesting. It covers 82% of the world, it has about 3 billion people using it. and it operates in about 212 countries.
Now, if you take a normal GSM phone, one of the things you’ll notice if you pop off the battery or look on the side, you’ll see a SIM card, and these things pop out pretty easily.
FEMALE SPEAKER: SIM stands for Subscriber Identity Module — it’s this little guy here with some contacts and then usually a logo on the other side — and all the really important information about an account user is stored on this card, like the phone number, the carrier, the account number — stuff like that. There’s some other information stored on SIM card, like SMS’s, phone books, and sometimes the last phone numbers dialed. This means that upgrading a phone is really easy, just pop out and swap out SIM cards.
MALE SPEAKER: It’s sort of like a SD card that you’d see in a digital camera or an MP3 player. But this one has a little microcontroller and this microcontroller can control what goes in and out of the card and to the phone and to the network, and also, the secret key.
FEMALE SPEAKER: Before the cell phone can make a phone call, it has to be authenticated. Authentication works in a challenge/response scheme. Basically what that means is when the phone is turned on, it asks a SIM card for the unique identifier associated with this card, and that’s the account number. It then contacts the carrier through the cell tower and says, hey, please authenticate me. The carrier, which knows the account number, looks up a secret authentication code — that’s the code that’s stored in here that we can’t get to. It then generates a random number and sends it back to the phone and says, please, encrypt this random number with a secret key code. Now, the phone doesn’t know what the secret key code is, but it can ask the SIM card to please encrypt this random number. So, It takes that random number generated by the carrier, gets it encrypted by the SIM card, and then sends that response back. Since the carrier knows both the identifier and the secret key code, same as a SIM card, it can verify that the SIM card is the correct one — the phone’s authenticated, it can make a phone call.
Now, what if you had two SIM cards and they had the same unique identifier, as well as the same secret authentication code? Well, basically that means that the two phones using these SIM cards could both authenticate themselves and make phone calls, basically using two phones on one account, and that’s called SIM cloning.
Now, to clone the card, you need the unique identifier and the secret key code. Well, the unique identifier is easy to get, you just ask the SIM for it. The secret key code won’t give up.
So, how to get it out? Well, it turns out that in older SIM cards, there was a small problem with the encryption process, it wasn’t really perfect, and it’s susceptible to a brute force attack. What does that mean? Basically, instead of connecting the SIM card to a phone, connect the SIM card to a computer. The computer then asks the SIM card to encrypt 150,000 different messages are specially chosen and analyzes the responses. By analyzing the responses, it can deduce the secret key code.
So, I’ve got all my tools set up here. I’ve got my multimeter, my trusty multimeter, which will be used for testing the circuit. The fume sucker, which will be used to get rid of all the fumes from soldering. And my soldering iron. I also have a nice vice for holding the circuit board while I work on it — this is really useful, but you can use a third hand tool as well.
So, there’s three parts of a SIM card reader. There’s the power supply section, there’s the oscillator section, and then there’s the serial port and card interface section. So, for the power supply, you’ll need a 9 volt battery, and a 9 volt battery holder — that’s where you connect the battery up to the circuit board. A 1N4001 protection diode, and a 7805 — 7805′s come in two varieties, a mini version and big brother version, you can use either one.
The power supply should also have an LED that’ll indicate when the device is on, so an LED and a 1K resister. And then, to keep the power supply functioning well, a bypass capacitor’s necessary. This one is 100 microferret capacitor, and this is a small ceramic capacitor.
The second part of the circuit that we’re going to build is the oscillator section. That’s the part that generates the 3.57 megahertz signal that’s sent to the SIM card — that let’s it run at the correct BOD rate. You’ll need a 3.57 megahertz crystal, two 20 picoferret capacitors, a 1 megaohm resistor, a 2K resistor, and a 74HC04 NOT gate. You can also get a socket to put the gate into, it makes it fit nicely.
The third part of the circuitry is the serial port and SIM card interface. Now, the most important part here is to get a good SIM card holder. This allows you to put the SIM card in and lock it so you can create a good connection with it. And a female DB9 serial port connector. This is what you’ll be able to connect to the computer. You’ll also need two zener diodes — anywhere between 3.6 to 6 volt is perfectly fine. And three 10K resistors. This part is what allows a 10 volt serial port to contact with a 5 volt SIM card reader safely. You’ll also need an NPN transistor, any kind will do.
A SIM card has a bunch of contacts on the bottom that allows the SIM card reader to talk to it. Now, there’s eight or nine or ten contacts here, but only the six middle ones are really important. This is what the SIM card looks like on the bottom. Now, there’s the six contacts, and in the middle there’s one big contact, and that one big contact is connected to one of the side ones. That’s the ground contact — that’s used for a power and signal ground. Underneath that is the programming pin contact. That’s used by the manufacturer to program the SIM card when it comes out of the factory. We won’t be using that pin though, we’ll be using that serial IO pin that’s right beneath that — that’s how the computer talks the SIM card. On the other side is the clock pin. That’s where the reader sends a clock signal to the SIM card chip to tell it what the correct BOD rate is. Make sure to be using a 3.57 megahertz clock, which translate to a 9,600 BOD signal. Above that is the reset pin — that’s how the reader says, hey, wake up, we’re ready to talk to you. And above that is the 5 volt pin — that’s how you send power to SIM card.
Open up the cell phone and remove the SIM card and put the phone to the side. Now, turn over the SIM card reader and slide in the SIM card, so that it locks in. Plug in the 9 volt battery. The green LED should be lit. Now, connect up the serial port. Let’s run the software. Select the serial port that the SIM card is connected to — for Windows, it’s probably something like com port 1.
First thing we’ll do is extract the saved SMS’s from the SIM card. Now, some phones don’t overwrite old SIMs with 0′s or ff, so you can actually extract deleted SMS’s and undelete them. Every SMS message has the recipient, the sender, the message, and a time stamp so you can see when it was received. Next we’ll read the last dialed numbers — these are the last ten numbers that the cell phone tried to call. Next we’ll read the phone book — now this is all the contact and phone number information that’s stored on the SIM card. Sometimes it’s used as a backup, and sometimes it’s the primary phone book. Now it takes a long time to read the phone book because there’s 250 entries in this SIM card contact data. Each contact has a name and a phone number.
Finally, we’re going to look up the SIM information. Now this is sort of low level information — the serial number, the last location the phone was used in, pin statistics — stuff like that. When you’re done, you can just disconnect the reader. Finally, if you’re interested in the low level protocol data, you should look through the debug window where you can see what kind of information was sent and received from the SIM card.
MALE SPEAKER: Now, let’s say you wanted to clone a SIM card. Well, there’s no way the SIM card’s going to give up the unique identifier and the secret key. But what you can is perform a known-plaintext attack, and that’ll hit the SIM card tens of thousands of time using software, which I have running here, and if it works out you get the key, but most SIMs it doesn’t work on any longer, and also, it can disable some SIMs.
So, we’re going to run the software, it takes about six hours, so let’s give it a whirl.
All right, so let’s see how we made out. Looks like that we were able to correct the SIM card. Now all we would need to do is copy this information to a writable SIM. This project is done.
Due to various technological, social, and legislative changes, payphones are being phased out. That means it’s never been easier to get a payphone.
FEMALE SPEAKER: This is a Western Electric 1C2 payphone. It’s a little bit older, but pretty much any Telco owned payphone’s going to look similar. What you want to look for is Bell logos, Bell names, anything that says the local telephone company on it. Every brand of payphone has its own T-key that’s used to open it up. Put it in the side and turn, go move the handset, then pull the front off. Be careful, because inside there’s a plug from both halves.
Connecting up a payphone for home use is pretty easy. First you’ll need a telephone wire that has telephone spade lugs on one end, and a standard screwdriver. Feed the telephone spade lugs through the back of the phone, then connect the red wire, which is the ring, to this terminal block marked R.
Second, connect the green spade lug, which is the tip, to the terminal block marked T. Finally, take the black and yellow wire, which are not going to be used, and tie them to the ground connector. The coin counting circuitry has to be jumpered so that the phone doesn’t expect a coin to be inserted before it can make a call. Now that’s actually already been done here by jumpering pin 5 and pin 8 on this plug. Otherwise you can just solder a piece of wire in to connect the two.
Now simply plug the payphone in to your home phone line, or in this case, a VoIP box. Now’s a good time to test the wiring. It’s pretty easy, just call the phone from another line. There are many distinct parts to a payphone. On the left, there’s the coin sorting mechanism, which takes valid currency, and then below that is the coin hopper — that’s where coins are stored while the payphone makes a phone call. And then this is the coin relay. This controls whether coins in the hopper go into the coin box or into the return chute.
On the right side, there’s the bell, the phone line terminal block, the coin tone ocsillator, and the connectors and jumpers for the two halves of the payphone. Here’s where the totalizer would live. Now, unfortunately, the totalizer was ripped out of this payphone before we procured it. On the other half of the payphone, there’s the handset switch hook detector, the tone pad, which is on the back, and the DTF encoder and terminal block.
To remove the coin assembly, first flip this latch, then reach in and push on the wire ring, and this part just comes out. To open up the coin assembly, just flip it open, and then these magnets also flip open. When a coin is inserted into the payphone, it travels down this chute. Now in this case, a quarter will pass by the quarter separator. Only if it’s the correct size and weight, will it rotate the separator and cause it to pass past this magnet. This magnet sets up an edicurrent inside the conductive metal of the coin, which causes it to slow down a little bit and bypass this chute and continue into this one where the coin is accepted.
The coin then drops into the hopper where the payphone waits until the switch tells it whether to put the coin in the coin box or return it into the return chute. Now, this payphone’s ready to make calls from home, but that’s not really much fun. What I want to do is modify this payphone so it requires coins to make a phone call. Since there’s no totalizer, I’m going to have to add a sensor to eject coins. I’m going to put one here on this little flapper. The sensor I’m going to use is a brake beam sensor. There’s an emitter and a detector, and when an object goes in between, the sensor goes off. Cut a flap out of a piece of card. The flap will be glued onto the hopper trigger right here. Glue the flap onto the hopper trigger. The first part is the [INAUDIBLE].
So, this is the coin detector and phone controller that we started with. As a power supply, I’m using four double A batteries connected to the battery pack. This is the power supply — this is just a capacitor just to regulate the power and a little indicator LED to tell me it’s on. Then I’ve hooked up the sensor that will detect when a coin has gone down the slot. That’s connected to a latch, which will take the small pulse that comes from the sensor and convert it into a steady voltage, which then controls a telecom relay. That’s a relay that’s specifically designed to control the high telecom voltages. It’ll work off of 5 volts, that’s perfect.
So, testing the sensor by putting a card in front. Then I’m going to glue the sensor into the payphone. And then I’m going to glue the other side of the sensor, make two wires with spade lugs on the end. Connect one of the spade lugs to the phone line ring, and the other spade lug to the payphone ring. Now plug in those two jumper wires into the relay. Now click the coin relay open.
Now it’s time to test our system. Turn on the battery pack and pick up the phone. There won’t be a dial tone. Now press on coin hopper trigger, so that the sensor’s broken and you’ll hear a dial tone.
Now, I’m going to put the payphone back together. Insert the coin validator, close it up. Now nobody can make a phone call on my Skype payphone unless they put in a quarter. Now put in the coin validator — make sure to be careful of the sensor you placed in.
Finally, wire up a bum sensor between the power from the battery pack and the circuit board, so when the switch is depressed, power to the board gets cut. Glue the sensor so when the phone is on hook, the switch is depressed. To make wiring easier, I’m going to crimp on some lugs onto the switch contact. Thread these wires through the small hole in the payphone bottom, and throw the power connector up. This payphone didn’t come with a coin box, so I’m going to use a blue cup instead. Just put it in the back. Finally, stash the power supply and the circuit board right in front. Put the front of the coin box in, unlock it again with the T-key, slide it on, and lock. Now close up the big one. No dial tone. Insert a quarter, now I got a dial tone to make a phone call, this project is done.
So, my pay payphone project works pretty well, but I want to add a little bit of old school charm to It. Instead of the coin going directly into the coin box when you put it in, I want it to sit in the hopper. And then when the phone is hung up, the coin really will activate, and the coin will drop into the coin box, making that nice ka-chink sound. Time to crack open the payphone again.
This is that coin relay that we clipped open. Now, I’m going to unclip it. To activate this relay, I need 130 volts. But I don’t really have 130 volts kicking around here, because this isn’t hooked up to a payphone phone line. The phone line can generate 48 volts, but it doesn’t have enough current to drive the relay, so I’m going to have to build my own DC power supply from the battery pack in the coin box.
The first thing I’ll do is build the high voltage power supply.
This is a basic DC/DC boost converter based on the LT 1073 chip. This chip actually does almost all of the work. All that’s required is an inductor, a shot key diode and some capacitors for the input and output, and resistors to set the power voltage. The input battery pack power comes in here, and the output 30 volts comes out of these screen wires.
Before wiring this up to our existing circuit, I’m going to test the voltage. Just measure with the multimeter the voltage between the two green wires — should be around 30 volts. Now’s a good time to test the DC/DC boost converter. Connect up the converter to the switch so that it’s only powered when the phone is on hook. Remove the spring from the coin relay and then try testing the two prongs to the coin relay and make sure it activates. Plug in the power, so it’s only activated when this phone is on hook. Remove the coin relay return spring. This’ll make it easier to activate with [EDIT].
With the coin in the hopper, connect the 30 volt output to the two connectors for the relay — G, and this three here. The relay should activate. Once it’s been verified to work, attach the prongs permanently. Connecting them in one way makes the coin go into the coin box, kind of the other way, the coins will go into the return shoot.
One of the nice things about the Western Electric payphone designs is that there’s a little read relay right where the coin detector is. That means that once the coin relay activates, this disconnects and the relay automatically opens. I’m going to cut this board down a little bit, this’ll make it fit nicer, and I can use the extra scrap for another project. Then put the circuit board in a little baggie. This’ll protect the high voltages from touching some other part of the circuit board. OK, got everything back in the coin box, and we’re going to close up the payphone and test this last mod.
Time to try it out. Pick up the handset and deposit a coin. Now the coin is in the hopper, hang up, and the coin will be deposited in the coin box. So, I’ve got this payphone, it’s been modified for home use, and I’ve taken it and reverse-engineered it, and made it so that it now requires coins to make a phone call. And I’ve also added the coin hopper and coin relay activation. But there’s one more hack I want to do on this phone. But before I get into that, it’s important to understand how these dumb payphones keep track of how much money’s been inserted.
In this payphone the totalizer has been taken out. It normally sits here. And it has little arms that stick into the coin validator, so that when a coin falls through, it triggers and sets off the coin tone oscillator, this pink box here. The coin oscillator is a passive oscillator that generates 2,200 hertz and 1,700 hertz. You can trigger a coin tone oscillator pretty easily. Connect one diode to pin seven, and another diode to pin four of J2. Clip pin seven to the tip, and pin four to the ring.
Now, when a quarter’s inserted into this payphone, the totalizer detects that, and it triggers the coin tone oscillator, for a quarter it triggers it five times. Now, that tone goes down the phone line detected by the switch on the other side. The switch looks up the current call rates and determines how much money’s been deposited and how much money’s owed, and asks the user to please deposit more money, if necessary. In the late 80′s, some clever person either read the Bell system’s manual, or deduced how payphones work from observation, and determined that if you played those 2,200 plus 1,700 hertz tones into the microphone, it would go down the phone line and the switch on the other side would be fooled into thinking the totalizer and coin tone oscillator made those tones, and thus was red boxing born.
Red boxing became much more popular when it was noticed that the dual tone multifrequencies from the coin tone oscillator are directly proportional to the tones generated when you hit the star key on a phone. And those tones are directly proportional to whatever crystal oscillator is driving the DTMF encoder chip. So to make these special coin oscillator tones, you don’t need a coin tone oscillator box. You could just use a DTMF generator, like this old Radio Shack tone dialer. This one’s 16 years old, all you have to do is change the crystal. So, open it up and swap out the old crystal for this, a 6.5536 megahertz crystal. Now the dialer will emit the same tones necessary when you hit the star key.
Now, due to various anti-fraud measures, the emergence of COCOT, and AT&T discontinuing their payphone line service, red boxing is a rarity, it’s pretty much impossible to do anymore. That’s a real shame, because I’ve got one of these red box and I really like to use it. So, what I’m going to do is I’m going to modify this payphone so that I can red box out instead of putting coins in. So I have to build a circuit that detects when red box tones play into the microphone of the handset. To do that I’m going to use a DTF decoder chip. These were the chips that were used in old voicemail systems, like pressing 1 or 2 or 3 would open a mailbox or close it. I’m going to use this chip, and instead of using the crystal that’s supposed to used with it, I’m going to change it to a different crystal — this is the same one used to hack red boxes. So now both of them are listening for the same frequency tones. Now all I have to do is detect when the star key is pressed, that’s the same as a red box tone.
OK, now’s a good time to test the red box tone detector. Here is the circuitry for the red box detector. Now I’ve got the DTMF decoder with a new crystal, so it can detect red box tones. And I’ve got this selector latch, and that one makes sure that only when the star key is pressed will the latch go high. And here’s a little indicator LED, this will blink when it detects a red box tone, that’s very useful for debugging.
To connect up to handset and listen to the audio coming in from the microphone, I’m going to jack it into this terminal block. Now, this is the reference ground, number 11. And this red wire is from the handset and that comes from the microphone, so that’s going to be our audio input. I’ve just connected the ring line from our relay and jumpered it just so we can do this test without having to worry about the relay turning on and off.
OK, pick up the handset and there’ll be a dial tone, and you’ll see that this board is lit, but the green LED is not on. Now, red box, and you’ll see that the green LED lights up because it detected the star.
So, tested our system, system seems to work, but there’s one problem. Now, because the payphone is designed to be coin first, that is we don’t connect the phone line until we get money or a red box signal, there’s no power to the microphone. So, the circuit can’t actually listen in on the microphone because there’s no power. But we’re going to solve this pretty easily by biassing the handset ourselves by using a 5 volt power supply. Luckily, the internal power supply for the handset’s supposed to be 5 volts, so it’s kind of a lucky coincidence.
First I’ll connect my audio input to the circuit — that’ll come from here, the handset ring. Now I’ll connect the ground reference prong — that goes up here. Now I’m going to connect the bias power of the handset, that goes into the handset tip. Now, this telecom relay is a double throw. That means there’s actually two switches inside, and I’m going to use that second switch to connect and disconnect that bias power. So only when we don’t have the phone line connected here will there be power to the handset — this way our 5 volts won’t compete with the phone line 5 volts.
One more thing to do and that’s close up the payphone. OK, project’s done, I’m ready to use it. Pick up the phone, no dial tone, get my handy red box. Now I’m ready to call some comps.