Using a USIM-card handset on a 2G network

Or using a USIM card in a 2G handset on a 3G network

Deriving SRES (the 2G handset response) from XRES (the 3G USIM response)

Reference: 3GPP TS 33.102 version 14.1.0 Release 14, i.e. ETSI TS 133 102 V14.1.0 (2017-03)

Interoperation and handover between UMTS and GSM

RAND [GSM] = RAND
SRES [GSM] = XRES*1 xor XRES*2 xor XRES*3 xor XRES*4
Kc [GSM] = CK1 xor CK2 xor IK1 xor IK2

Here XRES* is XRES zero-padded to 128 bits and split into four 32-bit parts XRES*1..XRES*4, and CK1, CK2, IK1, IK2 are the 64-bit halves of CK and IK. The spec names these conversion functions c1 (RAND), c2 (SRES) and c3 (Kc).

Rewritten in Java

    // Kc (2G ciphering key, 8 bytes) from CK and IK (3G keys, 16 bytes each):
    // 3GPP TS 33.102 c3, Kc = CK1 xor CK2 xor IK1 xor IK2
    public static byte[] genKc(byte[] ck, byte[] ik) {
        byte[] kc = new byte[8];
        for (int i = 0; i < 8; i++) {
            kc[i] = (byte)(ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8]);
        }
        return kc;
    }


    // SRES (2G response, 4 bytes) from XRES (3G response, 4..16 bytes):
    // 3GPP TS 33.102 c2. XRES is zero-padded to 16 bytes (XRES*) and the
    // four 4-byte parts are XORed. For the usual 8-byte XRES this reduces
    // to xres[i] ^ xres[i + 4], since the padding bytes are all zero.
    public static byte[] genSRES(byte[] xres) {
        byte[] padded = new byte[16];   // Java zero-fills new arrays
        System.arraycopy(xres, 0, padded, 0, Math.min(xres.length, 16));
        byte[] sres = new byte[4];
        for (int i = 0; i < 4; i++) {
            sres[i] = (byte)(padded[i] ^ padded[i + 4] ^ padded[i + 8] ^ padded[i + 12]);
        }
        return sres;
    }

Python version

    import logging

    _log = logging.getLogger(__name__).warning


    def xor_string(a, b):
        # byte-wise XOR of two equal-length byte strings
        return bytes(x ^ y for x, y in zip(a, b))


    # Kc (2G handset ciphering key) from CK / IK (3G USIM keys): TS 33.102 c3
    def conv_C3(CK=16*b'\x00', IK=16*b'\x00'):
        if len(CK) != 16 or len(IK) != 16:
            _log('Your CK / IK are not the right length [16]')
            return
        # Kc = CK1 xor CK2 xor IK1 xor IK2, each part 8 bytes
        return xor_string(xor_string(xor_string(CK[0:8], CK[8:16]),
                                     IK[0:8]),
                          IK[8:16])


    # SRES (2G handset response) from XRES (3G USIM response): TS 33.102 c2
    def conv_C2(XRES=16*b'\x00'):
        # adapt XRES length: XRES* is XRES zero-padded to 16 bytes
        len_xres = len(XRES)
        if len_xres < 4:
            _log('Your XRES is damned too short [<4]')
            return
        elif 4 <= len_xres < 16:
            XRES += (16-len_xres)*b'\x00'
        elif len_xres > 16:
            XRES = XRES[:16]
        # xor the 4 parts of 4 bytes each
        # SRES = XRES*1 xor XRES*2 xor XRES*3 xor XRES*4
        return xor_string(xor_string(xor_string(XRES[:4], XRES[4:8]),
                                     XRES[8:12]),
                          XRES[12:16])
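As an added example (not code from the original post), the c3 conversion above placed beside c4 and c5 from the same clause of TS 33.102, which go the other way (a GSM SIM used in a UMTS network). The checks show what a practitioner should keep in mind: 3G-to-2G is lossy, so the 2G Kc carries only 64 of the 256 key bits, while a Kc stretched via c4/c5 converts back to itself. Function names and sample values are my own.

```python
# Added example (not code from the original post): the TS 33.102 conversion
# functions in both directions, to show what key material survives.
#   c3: Kc[GSM]  = CK1 xor CK2 xor IK1 xor IK2      (2 x 128 bits -> 64 bits)
#   c4: CK[UMTS] = Kc || Kc                         (GSM SIM in a UMTS network)
#   c5: IK[UMTS] = (Kc1 xor Kc2) || Kc || (Kc1 xor Kc2)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def c3_kc(ck: bytes, ik: bytes) -> bytes:
    """3G CK, IK (16 bytes each) -> 2G Kc (8 bytes)."""
    assert len(ck) == 16 and len(ik) == 16
    return xor(xor(ck[:8], ck[8:]), xor(ik[:8], ik[8:]))

def c4_ck(kc: bytes) -> bytes:
    """2G Kc (8 bytes) -> 3G CK (16 bytes)."""
    assert len(kc) == 8
    return kc + kc

def c5_ik(kc: bytes) -> bytes:
    """2G Kc (8 bytes) -> 3G IK (16 bytes)."""
    assert len(kc) == 8
    half = xor(kc[:4], kc[4:])
    return half + kc + half

def same_kc_after_masking(ck: bytes, ik: bytes, mask: bytes) -> bool:
    """XORing the same 8-byte mask into CK1 and CK2 leaves Kc unchanged:
    c3 keeps only 64 of the 256 CK||IK bits, so many key sets share a Kc."""
    ck2 = xor(ck[:8], mask) + xor(ck[8:], mask)
    return c3_kc(ck2, ik) == c3_kc(ck, ik)

def roundtrip_3g_2g_3g(ck: bytes, ik: bytes) -> tuple:
    """UMTS keys -> Kc -> UMTS keys again; the result depends on Kc only."""
    kc = c3_kc(ck, ik)
    return c4_ck(kc), c5_ik(kc)

def gsm_sim_kc_is_stable(kc: bytes) -> bool:
    """Keys a GSM SIM receives via c4/c5 convert back to the same Kc under c3."""
    return c3_kc(c4_ck(kc), c5_ik(kc)) == kc

if __name__ == "__main__":
    CK = bytes(range(16))                 # constructed sample, not a real key
    IK = bytes([0xff] * 8 + [0x00] * 8)   # constructed sample
    print("Kc:", c3_kc(CK, IK).hex())
    print("round trip restores CK/IK:", roundtrip_3g_2g_3g(CK, IK) == (CK, IK))
```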
