The Truth About SIM Card Cloning

There is much misinformation on the topic of SIM card cloning. This video shows the cloning process in detail, and answers the questions of when, how and what SIM card cloning actually is.

Help support the future of this channel using SuperThanks here on YouTube, or by subscribing on Patreon.

GSM Cloning History

Nick Vs Networking on modern SIM card Authentication

Music:
Depeche Mode - Policy Of Truth (Eric Lymon Remix)
Comments

There have been some really great responses on possible alternative ways of getting your Ki number. These include voltage glitching your SIM to get it to read out unintended memory addresses, physical extraction and/or reading the chip's die directly using a Scanning Electron Microscope, or bribing an engineer working in your local network to access your Ki database entry.
Wikipedia is a wonderful collaborative information resource. This video provides a quality example of the way collaborative effort promptly fixes these errors. I demonstrate the truth, and within just a couple of hours, editors rush in to check and fix the accuracy of Wikipedia. Keep up the great work everyone :)

JanusCycle

The Phone Cloning Wikipedia page has been updated. Thank you to whoever did that so quickly, less than two hours after release!

JanusCycle

Reminds me of the time when I used to play with SIM emulators. They used to run on a small microcontroller (A PIC variety). Gold cards, silver cards, wafer cards (and others) usually used for decrypting the old analogue satellite pay TV. But could be used as clone phone-cards in payphones and something called a yes-card (a fake bank card that used a flaw that meant it wasn't checked online) where you could enter any PIN on the PIN pad.

threeMetreJim

Typically, music on most educational / research videos is misplaced and annoying, IMO. You Sir...are the exception. Beautiful and brilliant song and version selection. Perfect application and execution. Thanks for making this video, the content was info I've been curious about for years. Depeche Mode was the cherry on top!

nickmashek

Amazing nostalgia trip :) Cloning SIMs to wafer or "12in1" cards was quite popular in the Balkans before multi-SIM phones came out. It was more convenient to restart your phone and select the active SIM with a code than to juggle a few actual cards from different providers. Due to the 64k inquiry limit, it worked only on some cards, of course. However, there was a horror story that most of the phone repair shops (and enthusiasts) unknowingly used a "backdoored" version of Woron scan that was sending all the KI numbers to some Russian hacker group that made the clones as well, and then used them to call ultra-premium numbers they set up :)

batica

Back in the day, Satellite TV access cards were hacked by 'glitching'. That's resetting the card, counting clock cycles, and then glitching the power supply. Repeated thousands of times (with variable parameters) until the card responded out of spec, and spilled its secrets, or (at the user end) allowed access to adjust the available channels.

JxH

Pretty crazy seeing all this out in the open all these years later. I used to see a lot of this stuff and the systems Telstra used when I worked for them back in the day. Everything you said was correct.

fujitsubo

Speaking about SIM card vendors sending card data to mobile operators. I used to work for a GSM operator in one of the former Soviet republics in the early 2000s, being responsible for interaction with SIM makers, among other things. We used PGP for any sensitive information sent via email, but even if you did get the plain-text output files, you wouldn't get Ki from them, as it was additionally encrypted with a transport key (which was delivered separately and entered in the switch for decrypting the Ki information inside the AUC). Different keys were used for different SIM vendors (and sometimes several keys for the same vendor), and these were only referenced in the output files by their numbers, which means the actual Ki value was pretty much never available to anyone on the operator's side. I don't think this was much different in the UK or elsewhere, at least post-2000.

KPbICMAH
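The comment above describes a key-management pattern worth seeing concretely: the vendor's output file carries each subscriber's Ki encrypted under a per-vendor transport key, the file names that key only by its reference number, and only the AUC that holds the referenced key can recover Ki. The following is an added illustration written for this page, not the commenter's code and not any real vendor's file format or cipher. The record layout (`IMSI;KEYREF;NONCE;ENC_KI;TAG`), the HMAC-SHA256-based wrapping scheme, and the sample IMSI, Ki and transport keys are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed toy wrapping scheme (NOT a real vendor/operator format):
# CTR-style keystream from HMAC-SHA256 over (nonce || counter), XORed with
# Ki, followed by an encrypt-then-MAC tag over all record fields.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from the transport key and a per-record nonce."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(key: bytes, *fields: bytes) -> bytes:
    """Integrity tag binding IMSI, key reference, nonce and ciphertext together."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()[:16]


@dataclass
class KiRecord:
    imsi: str
    key_ref: int
    nonce: bytes
    enc_ki: bytes
    tag: bytes


def wrap_ki(imsi: str, key_ref: int, transport_key: bytes, ki: bytes,
            nonce: Optional[bytes] = None) -> str:
    """Vendor side: emit one output-file line with Ki encrypted under the transport key."""
    if len(ki) != 16:
        raise ValueError("Ki must be 128 bits")
    nonce = nonce if nonce is not None else os.urandom(12)
    stream = _keystream(transport_key, nonce, len(ki))
    enc_ki = bytes(a ^ b for a, b in zip(ki, stream))
    tag = _tag(transport_key, imsi.encode(), str(key_ref).encode(), nonce, enc_ki)
    return ";".join([imsi, str(key_ref), nonce.hex(), enc_ki.hex(), tag.hex()])


def parse_record(line: str) -> KiRecord:
    """Parse a line; this needs no key, so it shows exactly what a file holder sees."""
    imsi, key_ref, nonce, enc_ki, tag = line.strip().split(";")
    return KiRecord(imsi, int(key_ref), bytes.fromhex(nonce),
                    bytes.fromhex(enc_ki), bytes.fromhex(tag))


def unwrap_ki(line: str, transport_keys: Dict[int, bytes]) -> bytes:
    """AUC side: look up the referenced transport key, verify the tag, recover Ki."""
    rec = parse_record(line)
    key = transport_keys.get(rec.key_ref)
    if key is None:
        raise KeyError(f"no transport key loaded for reference {rec.key_ref}")
    expected = _tag(key, rec.imsi.encode(), str(rec.key_ref).encode(), rec.nonce, rec.enc_ki)
    if not hmac.compare_digest(expected, rec.tag):
        raise ValueError("record failed integrity check; refusing to load Ki")
    stream = _keystream(key, rec.nonce, len(rec.enc_ki))
    return bytes(a ^ b for a, b in zip(rec.enc_ki, stream))


if __name__ == "__main__":
    # Constructed sample values: test-PLMN IMSI, arbitrary Ki, two transport keys.
    auc_keys = {7: bytes(range(32)), 8: bytes(range(32, 64))}
    sample_ki = bytes.fromhex("00112233445566778899aabbccddeeff")
    line = wrap_ki("001010123456789", 7, auc_keys[7], sample_ki)
    print("output-file line:", line)
    print("visible without key:", parse_record(line).imsi, parse_record(line).key_ref)
    print("AUC recovers Ki:", unwrap_ki(line, auc_keys).hex())
```

The useful property to notice is in `parse_record` versus `unwrap_ki`: anyone holding the file learns the IMSI and the key reference number, but Ki only exists in the clear inside the component that loaded the referenced transport key, which matches the separation the commenter describes. The tag also makes a record that was edited in transit (or decrypted under the wrong key) fail loudly rather than silently loading a wrong Ki into the AUC.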

Oh I spent so much time back when I was young in the early 2000's playing with SIM cards, phone cards, SIM card emulators.
I've built a serial port scanner, and used it with Dejan Kaljevic's software. Lots of fun. (R.I.P.)

worroSfOretsevraH

Would be interesting to see if you could run a low power GSM base station to get these devices online and play with this a bit more in depth.

JCLoony

What a blast from the past. I was playing with this 20-30 years ago and it was really fun. One interesting thing was that the first mobile operator in my country didn't use KI authentication for quite some time, and phone numbers correlated with IMSI numbers, so you would be able to easily guess the IMSI number of any phone number and clone it.

grajzer

It's been a long time, so I don't remember all the details, but I remember the days at Research In Motion developing the Tachyon, aka the BlackBerry 5810/20... It had a number of problems. An important one was that the SIM card slot was prone to bad electrical connections and static discharge. One (entirely temporary and never shipped, IIRC) solution was to get the Ki and program it into the phone, so that the phone could emulate the SIM card rather than use it... It made the phone far more reliable. My memory was that it was possible to have the phone work out the Ki by passively gathering challenges, actively get it (which took a day or so if it didn't crash, and was tough on the battery), or ask nicely and get it from the carrier. Our SIMs at work were weird special SIMs meant for testing and development, so the Kis were not treated with the same care as normal SIMs. I think it's possible that they didn't have protected ROM on some of them, so if you had the right tools, you could just read the Ki off of it.

RichardBetel

About 20 years ago a family friend claimed to be able to do this alongside hacking the cards in cable boxes and such. Of course, he wasn't open about his process, but some of the things he talked about were mentioned here. Maybe he wasn't actually doing anything, but it's neat to see he wasn't totally blowing smoke. He did eventually get caught up in a casino machine cheating scandal, so it's not hard to imagine he was up to something.

mikeyjohnson

Your voice fits perfectly for the topic. An obscure, niche topic in the electronics enthusiast community. I remember my dad used to get gold cards from eBay back in the day and programmed them to work as a car wash card. The first time he tried it, the cashier said he had 50k on it. Can't imagine what went through his mind at that point.

jvinsnes

Incredibly interesting, informative and entertaining! Your choice of music was nothing short of genius! Thank you for taking the time to put this together.

anthony

One of my SIM cards (bought around 2003) was cloned over 10 years ago (same simmax 16-in-one), and it still works perfectly in 2G and 3G networks after all these years. No need to swap cards in my old phones :-) Just switch it on and it's ready to go! By the way, should I switch on more than one phone at the same time, they both (or all 3) can make calls, but only the last one online will receive the incoming call. However, I do not turn on more than one phone simultaneously.

Auberge

I knew some guys who kept a 2G tower unit in their bathroom and were slowly hacking it, I think they were able to span a little network of their own but they didn't run it very often. Perhaps you can find some enthusiasts like that where you live.

SianaGearz

In a lot of places, SIM cloning is an insider job that is done by someone inside the phone company who has all the tools to "port" the number to a new SIM. These days it is a compromised human rather than hardware.

ckm-mkc

I used to work at a Telecom (security) and in fact manufacturers would send IMSI and the keys to the Mobile team side-by-side in plain text. We made some changes to the process and one of them was sharing a public key with the manufacturer so they could encrypt the key files, but they didn't know what to do with it hahaha

costaht

Very interesting! I always wanted to know the details of how SIM cards worked. I actually built a SIM card reader when I was younger, but it just bricked the SIM cards; it must have been hitting the limit! However, as a teenager everyone at school had a Nokia 5110 (without SIM); you could enter a secret technician menu and change the phone number to a friend's phone number and then receive their text messages and calls! It only worked when you were on the same cell tower and was more of a funny prank, as it diverted calls and messages and their phone would stop working.

thetankie