Author Topic: Searching: TEST USIM CARD for Mobile Signalling Tester (Mobile Network)  (Read 1919 times)


Offline Bicurico (Topic starter)

Hi,

After receiving my gorgeous Anritsu MD8470A (TEA alert!), I am actually using it for the intended application: learning about Mobile Communications.

Actually, it amazes me how little I know about how mobile phones and their network work. Also, it is interesting that there seems to be very little information around.

Considering that this is probably the #1 electronics/computing/telephony/radio application worldwide, I definitely want to better understand how it works.

And here is the first obstacle:

With GSM (2G), I can use any active SIM card to connect to my test mobile network. If the provider of the SIM does not match the one I configured on my device, the mobile phone will show me the roaming symbol. This is easy to understand, it works, all OK. I have some basic experience with SIM cards: did the cloning, used FUN-Smartcards with the SimEmu v6.1 software, etc.

But trying to use WCDMA (3G), the SIM cards will not work, because a USIM card is expected. But I cannot use i.e. my own USIM card from my regular phone, because with WCDMA the communication is encrypted between BOTH the mobile phone and mobile network. For this to work, the mobile network needs to "know" the USIM card's secret key (sorry if that is not the correct designation - remember I am still learning). Of course, I don't know this secret key of my official USIM card and it is protected against hacking attempts to extract it.

This means I cannot use the MD8470A with WCDMA!

I need a TEST USIM card. These TEST USIM cards have preconfigured provider ID's (001/01) and known secret keys, which are pre-configured on the test equipment. Each manufacturer apparently uses a slightly different test configuration, hence your TEST USIM card needs to match the test equipment: R&S CMU200/CRTU, Agilent, Anritsu, etc. Unless you know the contents of the card and set the test equipment accordingly.

Now the big question: how to obtain a TEST USIM card? Hardly from the manufacturer of the test equipment...

So, as usual, eBay is your friend and I found many listed TEST USIM cards. Unfortunately the item description does not inspire too much confidence, as they seem to randomly list the supported test equipment (like: title says CMU200 and description mentions Anritsu). I ordered one such card from what seemed the most probable match. Waiting for it to arrive.

But meanwhile I found that there is one guy selling a kit with programmer, software and BLANK USIM cards! Yes, you can actually program them yourself! Unfortunately the kit is a bit expensive (around 80 Euro + risk of having to pay customs). The programmer itself is easily obtainable in EU for 30 Euro and each blank card can be bought for 2-4 Euro. The software is what makes it more expensive. I accept that, software deserves payment, of course.

My questions are:

1) Has anyone tried these kits? Do they work?
2) WHY would someone buy a kit to program blank USIM cards? I would want such a kit to play with my MD8470A, but that is not a serious application. Is there a way to CLONE USIM cards? Is that the reason for this kit? If so, I would buy it immediately: I used to have many clones of my own SIM card, so that I could swap phones without having to switch the SIM card over. I wish I had the same for my current USIM (I actually have 2, which is the maximum the provider hands out).

Any comment is welcome! I know I sound nerdish, but then, this is why most hang around in the Test Equipment forum, right?

Reminds me of Douglas Adams: "A nerd is someone who uses a telephone to talk to other people about telephones."

Regards,
Vitor

Offline ZL1CVD

Bicurico I think US FCC has restricted a lot of information manufacturers will release about cellular systems - that and NDAs.

To learn way more, pick up a HackRF One and load up GNUradio. With these two and time, you can learn and experiment to your heart's content. Lots on the web. Lots of examples. Lots of video. I have been ZL1CVD since 1987. I used this combination only 2 weeks ago and am amazed exactly how much I don't know!

73s om 
 

Offline Bicurico (Topic starter)

Hi,

Thanks for your feedback.

Here is an update:

Background
1) I already own a HackRF One and ADALM-PLUTO (second unit is on its way). I know I can set up a cell with GNU Radio and I am aware of the new cheap FL2K OSMO hack (TX for 6 Euro)
2) In this thread I was specifically looking for TEST USIM CARDS that would work with my Anritsu MD8470A Signaling Tester
3) In order to test a mobile phone, it needs to have a TEST SIM CARD. There are basically two modes: GSM and WCDMA. The first does NOT use any encryption (regular SIM card), the latter uses encryption (USIM card)
4) Mobile Signalling Testers come with test SIM cards, so that you can use the mobile phones with them. These cards have KNOWN cryptokeys, random numbers, etc. You can therefore configure this data on the Mobile Signalling Tester. Otherwise, the mobile phone will not be allowed to connect to the test network
5) Getting such SIM/USIM cards from the Mobile Signalling Tester's manufacturer is not easy (probably impossible), due to lack of maintenance contract and whatever.

Current status
1) The "TEST USIM FOR ANRITSU" I bought on eBay from Chinese seller worked indeed on my Anritsu! This is the cheapest solution.
2) Blank USIM cards sold on eBay do NOT work. They do not support the required XOR encryption --> my generation of Mobile Signalling Tester supports this simplified "encryption", but of course you need a matching SIM card
3) Blank USIM cards with support for XOR cards exist! Thanks to a friend I could get my hands on two. After programming those cards, they worked just fine. The problem is that I don't know any source that can provide these cards in small amounts regularly. These cards are sold in batches of 500-1.000 cards each. I guess there is not a big market for them...
4) While I was able to previously connect to my MD8470A using a programmable GSM SIM card, I can now connect via WCDMA using these USIM TEST CARDS. This allows me to test WCDMA with i.e. video calls!

Regards,
Vitor
 
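As an added illustration of the point made in both of Vitor's posts (the tester and the USIM must share the card's secret key K, and test cards implement the simplified "XOR" algorithm rather than a production algorithm), here is the 3GPP TS 34.108 test authentication algorithm worked through in Python. This is not code from the thread or from Anritsu; the function names and the sample K/RAND/SQN/AMF values are constructed for the example, and RES is taken at its full 128 bits.

```python
from typing import Optional

# Constructed sample values (not from the thread): a test USIM's K and the
# tester's challenge. OTHER_K stands for a production USIM whose K the
# tester does not hold.
SAMPLE_K = bytes(range(16))
OTHER_K = bytes([0xAA] * 16)
SAMPLE_RAND = bytes([0xFF] * 16)
SAMPLE_SQN = bytes.fromhex("000000000001")
SAMPLE_AMF = bytes.fromhex("8000")

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xor_auth_vector(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> dict:
    """Tester/network side of TS 34.108 8.1.2 (helper name is constructed)."""
    assert len(k) == 16 and len(rand) == 16 and len(sqn) == 6 and len(amf) == 2
    xdout = _xor(k, rand)                  # step 1: XDOUT = K XOR RAND
    res = xdout                            # f2: RES = XDOUT (full 128 bits here)
    ck = xdout[1:] + xdout[:1]             # f3: XDOUT rotated left by 8 bits
    ik = xdout[2:] + xdout[:2]             # f4: XDOUT rotated left by 16 bits
    ak = xdout[3:9]                        # f5: XDOUT bits 24..71
    cdout = sqn + amf                      # step 3: CDOUT = SQN || AMF
    mac_a = _xor(xdout[:8], cdout)         # f1: MAC-A = XDOUT[0..63] XOR CDOUT
    autn = _xor(sqn, ak) + amf + mac_a     # step 5: AUTN = (SQN XOR AK) || AMF || MAC-A
    return {"rand": rand, "res": res, "ck": ck, "ik": ik, "autn": autn}

def usim_authenticate(k: bytes, rand: bytes, autn: bytes) -> Optional[dict]:
    """USIM side: recover SQN, recompute MAC-A from its own K, reject on mismatch."""
    xdout = _xor(k, rand)
    ak = xdout[3:9]
    sqn = _xor(autn[:6], ak)
    amf, mac_a = autn[6:8], autn[8:16]
    if _xor(xdout[:8], sqn + amf) != mac_a:
        return None                        # AUTN was not built with our K: reject
    return {"res": xdout, "ck": xdout[1:] + xdout[:1], "ik": xdout[2:] + xdout[:2], "sqn": sqn}

def demo() -> tuple:
    """Test USIM attaches (keys match); a USIM with a different K refuses the network."""
    vec = xor_auth_vector(SAMPLE_K, SAMPLE_RAND, SAMPLE_SQN, SAMPLE_AMF)
    test_usim = usim_authenticate(SAMPLE_K, vec["rand"], vec["autn"])
    other_usim = usim_authenticate(OTHER_K, vec["rand"], vec["autn"])
    return vec, test_usim, other_usim

if __name__ == "__main__":
    vec, ok, rejected = demo()
    print("test USIM RES matches tester XRES:", ok is not None and ok["res"] == vec["res"])
    print("USIM with unknown K accepted AUTN:", rejected is not None)
```

The second print shows the failure mode from the first post: the tester can only build an AUTN that a card accepts when it holds that card's K, so a card with an unknown K never gets past authentication.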

Offline tmbinc

ZL1CVD: I have to disagree. Almost all of GSM/WCDMA and especially newer stuff (LTE) is publicly documented (http://www.3gpp.org/specifications), _free of charge_. That's better than any ISO standard.

However, it's terribly obscure - WCDMA probably the most, GSM a bit less, LTE the least. I don't have a telco background, and for me, the data flow, the technical terms, ... are just very different from "modern" (say: IP, or other packet-oriented) communication. For example, unlike Ethernet->IP->TCP->HTTP (which are just layers stacked on top of each other, each of them being understandable with relative ease), telecommunication has a lot of dedicated complexity in the lower layers. While this makes clever use of available processing power and bandwidth, it significantly complicates understanding. Just look at how GSM modulation depends on the traffic type; unlike, say "tcpdump" on ethernet, you can't easily "capture all packets". Instead it takes a great knowledge of what's going on to even get a useful trace.

For GSM, there's a great deal to learn by using OsmocomBB (the open-source re-implementation for a GSM chipset). But WCDMA is one more step, and honestly, looking at some WCDMA traces in Wireshark... doesn't make me want to spend more time on this.

I don't think the RF part is necessarily the most difficult to understand part. Even more advanced modulation schemes are just that - modulation schemes that you can implement with a cookbook-style recipe (admittedly you have to be a well-experienced chef). But for me, the rest of the stuff is what makes it complicated.

For example - is a talk about running your own 3G base station.
 