Monday, May 30, 2011

Answer To Reset (ATR)

Dealing with SIM/USIM is an endless investigation. The intention of this discussion is to highlight discoveries of which you may not be aware. In this instance the Answer To Reset (ATR) is the first data a reader obtains from every SIM/USIM, and it can provide potentially useful information to an investigation or when analysing end-to-end (SIM to network) mobile telephone evidence.

What might be interpreted from the first eight bytes of a recovered ATR? From research, this is an interpretation of the ATR of one particular manufacturer's GSM SIM. Bytes are numbered from 1, so byte 6 is the sixth byte of the string, and a `?` marks a nibble that varies between the options listed:

Byte 6 - options
3B 34 11 00 6B C2 16 0?   normal SIM + OTA
3B 34 11 00 6B C3 16 0?   SIM Toolkit (STK) SIM

Byte 7
3B 34 11 00 6B C? 16 0?   16 = EEPROM size (16K)

Byte 8 - options
3B 34 11 00 6B C? 16 01   GSM security algorithm
3B 34 11 00 6B C? 16 02
3B 34 11 00 6B C? 16 03
3B 34 11 00 6B C? 16 0A

Given that an ATR can be interpreted this way, do all SIM ATRs follow the same identification scheme? Or, when a card is personalised, does each issuer characterise its ATR uniquely, instructing the handset/network with similar information about the SIM's technical profile but placing it at different byte positions in the ATR string? One caveat worth keeping in mind: ISO/IEC 7816-3 fixes the meaning of TS, T0 and the interface bytes (TA1, TB1 and so on), which carry the transmission parameters every reader needs, but it does not assign meaning to the historical bytes, which is where the manufacturer-specific profiling above lives. A table like the one above therefore has to be established per card vendor rather than assumed to transfer to another manufacturer's SIM.

