Why You Cannot Clone a SIM Chip
How to clone a SIM chip has been a hot topic here on TechTraction since early 2008. It all got started on January 28 when I posted an article detailing why cloning a SIM chip was impossible. Then, on October 1, 2008, I followed up with another article offering one possible cloning solution based on a reader's comments. Both articles have generated a long list of comments, and now I'm back with yet another follow-up article, based on another reader's comments, explaining why it is still IMPOSSIBLE to clone a SIM chip.
Why clone a SIM chip in the first place
If you have a PDA/phone device like a Blackberry, then you know these devices are big and bulky. Most of the time their functional benefit outweighs their inconvenient size. Other times the benefit does not justify the bulk. The simple solution to this dilemma is to get a basic cell phone and swap the SIM chip between the phone and your PDA/phone depending on your needs. While the manual chip swapping works, the process becomes very annoying very quick. Wouldn’t it be great to have a copy of your original SIM chip so you could leave one chip in each device? If you could duplicate or “clone” your current SIM chip, the problem would be solved.
Why you can’t clone a SIM chip — in my opinion
As explained in my original article on this subject, SIM chip cloning was only possible with the early V1 SIM chips. Cell providers quickly put a stop to V1 cloning by introducing the next generation SIM chip. Yes, you can purchase chip duplicators, but if you read the fine print you'll see that they only work with V1 chips. Furthermore, if SIM chip duplication (beyond V1) were truly possible, how-to information would be as easy to find as jailbreaking an iPhone.
Some have said cloning can be done
Despite the assertion in my first article, some readers claimed they had successfully cloned a SIM chip beyond V1. After several requests for more details one reader, DonJuan, finally offered a detailed explanation of how he successfully cloned his SIM chip. With high hopes I began to follow his instructions only to give up when I found a virus in the required software. I was determined to try DonJuan’s cloning process but free time was limited and when I saw a recent comment I finally gave up.
CyberDemon's explanation for why you can't clone a SIM chip
At last we arrive at the latest "why you can't clone a SIM chip" explanation from TechTraction visitor CyberDemon. The explanation is long and very detailed, but very much worth the read if you've struggled to find an answer for how to clone a SIM chip. The final conclusion does give hope for chip cloning, but at present it is NOT possible, or at the very least not something for mere mortals:
“Years back I looked into doing this ( right after the v1 swap ) and found that it was not possible “yet”.
At the time I even purchased all of the equipment available and found that it would read the contacts, SMS messages and was even able to display other folders and files on the SIM. The Ki was stored in a different portion of the card (not readable via any reader as it is hard coded into an inaccessible ROM).
The way I understand it, the data request from the phone works like this:
A typical smart card has three separate memory banks, two of which are ROMs (read only memory) and one is RAM (random access memory) – 8 kilobytes of RAM, 346 kilobytes of ROM and an additional programmable ROM with 256 kilobytes of memory, controlled through a 16-bit microprocessor.
1. The phone queries the network to look up subscriber information based on IMEI and ESN numbers.
2. The network sends an authorization packet back to the phone so it can prove it is authorized for the known network account. (Or checks if it is roaming, in which case it stores all information / keys to forward to the original provider to request remuneration.)
1. The phone then queries the SIM with this request (stores request and data to be processed into RAM).
2. The SIM then passes this request to the embedded microprocessor (The microprocessor has its own built in algorithms for calculating data)
3. The microprocessor processes this information against the data stored in one of the ROM Banks. The one you can not read with a card reader. (second cipher?)
4. Then calculates the decrypted data against the second ROM (where your number is stored and data is readable)
5. It then sends this data back to the phone which then sends the data back to the network to verify.
6. If the network verifies everything is correct. Sends provider information to the phone ( Network ID, Signal strength, etc…)and a new key to authorize the SIM. It is now when data decryption takes place.
7. The process starts off all over again at intervals specified in your phones settings.
This all happens in a matter of nanoseconds.
The only way you can clone a SIM card is if you could read both sets of ROM (current readers can only access one) and the calculating algorithms stored inside the microprocessor. Currently this is not possible to read the second ROM nor is the microprocessor architecture known.
What older V1 SIMs allowed was multiple BAD requests to be sent to the microprocessor, thus enabling the SIM itself to decrypt the Ki from one of the ROM banks (the one not readable by card readers) via a brute force method (sending multiple random requests until it got a good answer and using that "key" to dump the Ki).
In newer SIMs the microprocessor will shut itself off after so many simultaneous BAD requests, therefore shutting down all access to the card (e.g. the need to get another from the provider).
I do not believe there is a way to shut off this kill switch and here is why.
Disabling this protection would be suicide for smart card manufacturers. The same technology is used for bank cards, satellite systems, military security and numerous other securities.
If anyone were to divulge this information they would have to reinvent billions upon billions worth of new technologies including; hardware, software, smart cards, people etc…
There is however the possibility of circumventing the protection (as seen in the satellite industry in the past)
The satellite smart card was never "hacked" like some are led to believe. The code in one of the ROM banks was used to pass keys from the receiver to the microprocessor before account activation was verified. Since no one (not even the satellite company or the hackers) had access to the second ROM bank, data was re-pushed to the first ROM bank to change how the information was passed to the microprocessor, thereby thwarting the hackers' attempts to get free TV. There have since been several safeguards to prevent this form of piracy from happening again. If you search Google for "Black Friday" you can see how one of those attempts went. Ultimately the security on the current cards (same design as V1 SIM cards) had been so easily circumvented that the satellite company was forced to do a "card swap".
The satellite industry swapped out all of the smart cards to every paid customer with Smart Cards that have much stronger security. This card has yet to be “hacked” and still the satellite industry continues to build more secure cards and swapping them out periodically as a preventive measure.
How many SIM card "swaps" have there been since the V1's vulnerability? Granted, most of these swaps were due to new technologies, but surely they took the time to beef up security while they were at it.
If a method to clone a SIM card exists it would have to be done on a card with an identical microprocessor (one from same provider), the KI stored into the first ROM bank (if there is room), and the check for ki re-routed from the second ROM bank to the new location on the first ROM.
Don’t get me wrong it can be done it just is not an easy task. I was kind of hoping that someone had done it already. e.g. me at this forum.
But alas it has not been done and I haven’t the energy to put to the task. Just no real incentive.
I don't think it would work all that well if we did clone a SIM, as the network will only allow the first phone that registered itself to stay active on the network. The other phone would simply be rejected (unless connected to a different tower / network), or one phone would have to be turned off for the other to work. This may not be the case with data networks as they do operate differently and on other frequencies simultaneously (on the same phone).
In short, unless someone posts a "How to clone a SIM to one identical to original provider without querying the microprocessor". Well, it can't be done."
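To make the mechanism CyberDemon describes concrete, here is an added simulation (not code from the original post, the commenter, or any SIM vendor) of the challenge-response steps and of the "kill switch" on newer cards. It models a card whose readable file area (ID number, phonebook) can be dumped by a reader while the Ki never leaves the card, a network that checks the card with a fresh random challenge, and a bad-request counter that permanently disables the card. The Ki, RAND values, the test identifier and the HMAC-SHA256 response function are all constructed stand-ins, not the real GSM A3/A8 algorithms; the lookup by IMSI, the 16-byte challenge and the lockout threshold of 3 are assumptions chosen for the example.

```python
"""Simulated SIM challenge-response with a bad-request lockout.

Constructed example for this page: the Ki values, RAND challenges and the
HMAC-SHA256 response function are stand-ins, not the GSM A3/A8 algorithms
or any real card's firmware.
"""
import hashlib
import hmac
import os
from typing import Optional


def response(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the card's secret response function: 4 bytes of HMAC(Ki, RAND)."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class SimulatedSIM:
    """A card with a reader-accessible file area and a secret Ki that no command returns."""

    def __init__(self, imsi: str, ki: bytes, lockout_threshold: Optional[int]):
        self.imsi = imsi                        # readable, like the number/ID data on the card
        self.phonebook = ["Alice", "Bob"]       # readable with an ordinary card reader
        self._ki = ki                           # secret; only ever used inside run_auth()
        self._bad_requests = 0
        # None models an old-style card with no kill switch; an int models the newer
        # behaviour where the card disables itself after that many bad requests.
        self._lockout_threshold = lockout_threshold
        self.disabled = False

    def read_file(self, name: str):
        """Everything a reader can dump. Note that Ki is deliberately absent."""
        return {"imsi": self.imsi, "phonebook": self.phonebook}[name]

    def run_auth(self, rand: bytes) -> bytes:
        """Answer a 16-byte challenge; malformed challenges count toward the lockout."""
        if self.disabled:
            raise PermissionError("card permanently disabled")
        if len(rand) != 16:
            self._bad_requests += 1
            if self._lockout_threshold is not None and self._bad_requests >= self._lockout_threshold:
                self.disabled = True
            raise ValueError("malformed challenge")
        return response(self._ki, rand)


class SimulatedNetwork:
    """Holds each subscriber's Ki and verifies a card with a fresh challenge each time."""

    def __init__(self):
        self._subscribers = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._subscribers[imsi] = ki

    def authenticate(self, sim: SimulatedSIM) -> bool:
        rand = os.urandom(16)                   # new random challenge per attempt
        expected = response(self._subscribers[sim.imsi], rand)
        try:
            return hmac.compare_digest(sim.run_auth(rand), expected)
        except (ValueError, PermissionError):
            return False


def bad_requests_before_lockout(sim: SimulatedSIM, attempts: int) -> int:
    """Send `attempts` malformed challenges; return how many the card processed before disabling."""
    accepted = 0
    for _ in range(attempts):
        try:
            sim.run_auth(b"bad")
        except ValueError:
            accepted += 1                       # card handled the bad request and is still alive
        except PermissionError:
            break                               # card has shut itself off
    return accepted


def demonstrate() -> dict:
    """Walk through the scenarios discussed on the page and return the outcomes."""
    network = SimulatedNetwork()
    ki = os.urandom(16)                         # constructed subscriber key
    test_imsi = "001010123456789"               # constructed identifier (test range)
    network.provision(test_imsi, ki)

    genuine = SimulatedSIM(test_imsi, ki, lockout_threshold=3)
    # A "copy" built only from what a reader can dump: same ID, but Ki was never readable.
    copy = SimulatedSIM(genuine.read_file("imsi"), os.urandom(16), lockout_threshold=3)
    old_style = SimulatedSIM(test_imsi, ki, lockout_threshold=None)

    return {
        "genuine_authenticates": network.authenticate(genuine),
        "copy_authenticates": network.authenticate(copy),
        "old_card_bad_requests_accepted": bad_requests_before_lockout(old_style, 10),
        "new_card_bad_requests_accepted": bad_requests_before_lockout(genuine, 10),
        "new_card_disabled": genuine.disabled,
        "genuine_after_lockout": network.authenticate(genuine),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The two points the simulation makes are the ones the comment makes: a card assembled from readable data alone never answers a challenge correctly, because the answer depends on a key the reader cannot fetch, and the lockout counter is what turns "send the card many bad requests" from a viable approach on an old-style card into a self-destructing one on a newer card.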
Someday it might be possible
Where there is a will, there is a way. Therefore I do believe that someday cloning the current version of SIM chips will be possible with inexpensive tools. Unfortunately, technology keeps driving forward at break-neck speed and just when a solution is found the cell providers will undoubtedly find another way to break the hack.
The only real solution will come when the cell providers change their policy regarding multiple copies of the same SIM chip. And while it's unlikely their policy will ever change, the providers did finally make available an "all-you-can-eat" phone/data plan. Such new plans demonstrate the willingness of cell providers to make significant changes, but probably only when they see it as a way to make more money or gain market share. In the meantime, my fingers are crossed, but I'm NOT holding my breath.
When is the Ki created? Are blank/new SIM cards identical until used for the first time? Would it be possible to connect two new SIM cards to a handset (through some cable/adapter contraption) and have them end up activated and identical/clones of each other?
I deleted photos off of my SIM chip, and now I want them back on so I can upload them onto the Walgreens photo machine thing, so I can print them. (Making a photo album for my friend's birthday!) So it's very important.
Good read mate.
And great explanation by CyberDemon.
I’m a bit bummed out that this cannot be done today.
There are some great solutions for all you out there called “Twins” that some cellphone providers offer. You are given two different SIM-cards which act as one. Both SIMs got different numbers and information but the network will read both of them as the same.
So if you just need that, go ask your providers.