
SIM Card Forensics: Extracting Secrets, Cloning Risks, and Building Your Defense
Disclaimer: This article is for educational purposes only. The techniques described may be illegal in certain jurisdictions. Use only with proper authorization.
TL;DR
- I learned how to pull a SIM’s data, contacts, and encryption keys using a Raspberry Pi and a smart-card reader.
- I discovered that old SIMs can be cloned in under an hour, while modern chips use rate limiting and tamper-resistant design.
- I built a small test rig that extracts the ICCID, ADN, FDN, KC, and SST files, and I shared the steps to interpret them.
- I highlighted the pitfalls of using SS7 and IMSI catchers, and I outlined legal boundaries.
- I added a handy comparison table of tools and a glossary to keep the jargon in check.
Why This Matters
SIM cards are the heart of any mobile device, yet they are often treated like generic “smart cards” with little thought about the data they hold. Security researchers, forensic analysts, and telecom engineers have faced pain points such as:
- Hard to pull data from encrypted SIMs without the correct keys.
- The need to switch between nano, micro, and standard sizes with no single adapter.
- Rate-limiting chips that throttle challenge-response pairs, making brute-force attacks time-consuming.
- A file system that is logical, not intuitive—no menu, just a hierarchy of folders.
- The threat that new 2025 vulnerabilities could slip past current defenses.
Understanding the SIM forensics workflow helps you stay ahead of attackers who will try to clone your device’s identity and track you in real time.
Core Concepts
A SIM card’s internal structure is defined in 3GPP TS 31.102 (SIM card — 3GPP TS 31.102, 2023). Think of it as a miniature filing cabinet:
| Folder | Purpose | Key Files |
|---|---|---|
| MF (Master File) | Root of the system | – |
| GSM | Network-related data | IMSI (subscriber ID), KC (ciphering key), SST (service table) |
| Telecom | User-level data | ADN (Phonebook), FDN (Fixed Dialing Numbers), MSI-SDN (carrier mapping) |
| ICC | Card identifier | ICCID (Unique SIM serial) |
- The KC file holds the secret key that encrypts all over-the-air traffic. It is regenerated on each authentication, so capturing it in real time is the key to hijacking calls and texts.
- The KI (Key Identifier) is the master key that can derive the KC. Modern SIMs store the KI in a tamper-resistant chip that throttles challenge-response attempts (rate limiting).
Table: Tool Comparison
| Tool | Primary Function | Required Hardware | Notes |
|---|---|---|---|
| MagicSim | Clone SIM by brute-forcing KI | Smart-card reader, blank SIM | Sends millions of challenge-response pairs; vulnerable on weak SIMs |
| SIM Explorer | Read/write SIM files | Smart-card reader | Open-source, scriptable via Python |
| SIM Intelligence | Automated forensic analysis | Smart-card reader, multi-SIM adapter | Vendor-supported, handles all SIM sizes |
| SIM Module + Raspberry Pi | Make calls/texts without a phone | Raspberry Pi, SIM module | Cheap, DIY, good for real-time capture |
How to Apply It
Below is a hands-on, step-by-step recipe that I followed in my lab. If you have a Raspberry Pi, a smart-card reader, and a blank programmable SIM, you’re ready.
1. Gather the Gear
| Component | Why it matters | Where to buy |
|---|---|---|
| Smart-card reader (e.g., ACR122U) | Interfaces with the SIM’s ISO-7816 bus | Amazon, Digi-Key |
| Multi-SIM adapter | Turns nano into micro/standard | Vendor sites, eBay |
| Raspberry Pi (any model with USB) | Runs the scripts and logs traffic | Official Pi store |
| SIM module (e.g., SIM900A) | Provides a phone interface | AliExpress |
| Blank programmable SIM | Needed to store captured data | Specialized suppliers |
2. Set Up the Pi
```bash
sudo apt update
sudo apt install python3-pip
pip3 install pyscard
```
The pyscard library lets you talk to the reader over USB.
3. Insert the Blank SIM and Reader
Plug the reader into the Pi’s USB port, then insert the programmable SIM into the reader via the adapter.
4. Read the Master File (MF)
```python
from smartcard.System import readers

r = readers()[0]
connection = r.createConnection()
connection.connect()
# SELECT MF (file ID 3F00). CLA 00 is the UICC class (a pre-UICC GSM SIM expects CLA A0);
# P2=0C asks for no response data, so a healthy card answers with just 90 00.
data, sw1, sw2 = connection.transmit([0x00, 0xA4, 0x00, 0x0C, 0x02, 0x3F, 0x00])
print("SELECT MF -> %02X %02X" % (sw1, sw2))
```
If the response is 90 00, the card is healthy. Read the ICCID:
```python
# SELECT EF ICCID (file ID 2FE2, directly under the MF), then READ BINARY its 10 bytes
connection.transmit([0x00, 0xA4, 0x00, 0x0C, 0x02, 0x2F, 0xE2])
iccid, sw1, sw2 = connection.transmit([0x00, 0xB0, 0x00, 0x00, 0x0A])
# ICCID digits are swapped BCD: low nibble of each byte first; 0xF nibbles are padding
print("ICCID:", "".join("%X%X" % (b & 0x0F, b >> 4) for b in iccid).rstrip("F"))
```
5. Dump GSM Folder
```python
# SELECT DF GSM (file ID 7F20): P1=00 selects by file ID (P1=04 would mean select by AID/DF name)
connection.transmit([0x00, 0xA4, 0x00, 0x0C, 0x02, 0x7F, 0x20])
# SELECT EF Kc (file ID 6F20; read access needs CHV1/PIN1 verified or disabled), then
# READ BINARY its 9 bytes: the 8-byte Kc followed by the 1-byte ciphering key sequence number
connection.transmit([0x00, 0xA4, 0x00, 0x0C, 0x02, 0x6F, 0x20])
kc, sw1, sw2 = connection.transmit([0x00, 0xB0, 0x00, 0x00, 0x09])
```
The KC is the ciphering key that encrypts the air interface. It changes on every authentication, so you need a real-time capture.
6. Capture the KI via MagicSim (Optional)
If you have a MagicSim device, connect it to the reader and run the tool. It will send thousands to millions of challenge-response pairs to reverse engineer the KI (MagicSim — SIM Cloning Tool, 2020). The tool is powerful against weak, early-2000s SIMs; modern chips block you after ~50 attempts.
7. Pull User Data (ADN, FDN, SST)
Use the same SELECT commands to access the Telecom folder and export the files.
- ADN gives you the full contact list.
- FDN lists fixed dialing numbers (useful for security checks).
- SST tells you which services (SMS, GPRS, etc.) are allowed.
8. Interpret the Results
| File | What it tells you |
|---|---|
| ICCID | Unique SIM serial (can be used to trace the device) |
| IMSI | International Mobile Subscriber Identity (the phone’s “phone number” on the network) |
| KC | Encryption key – if you captured it, you can decrypt all traffic |
| SST | Permissions (is SMS enabled?) |
| ADN | Contacts stored on the SIM |
9. Legal & Ethical Boundaries
- Use only on SIMs you own or have explicit permission to analyze.
- Cloning a SIM to hijack calls/texts is illegal in most jurisdictions.
- SS7 key capture is a high-risk activity that can trigger law-enforcement investigation.
- Disclose any findings responsibly to the carrier or security community.
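As an added example (not code from the article or any of the tools above), here are decoders for the raw bytes that READ BINARY and READ RECORD return for the files read in steps 4 to 8 and interpreted in step 8 (ICCID, IMSI, ADN, SST), following the layouts in 3GPP TS 51.011; the function names and the sample dumps are constructed for illustration, not captured from a real SIM.

```python
# Added example, not code from the article: decoders for the raw bytes that READ BINARY /
# READ RECORD return for the files interpreted in step 8, following the encodings in
# 3GPP TS 51.011. The sample bytes below are constructed, not captured from a real SIM.
from binascii import unhexlify

def swapped_bcd(data):
    """Telecom BCD: low nibble of each byte first, then high nibble; 0xF nibbles are padding."""
    out = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib != 0x0F:
                out.append(str(nib) if nib < 10 else "*#abc"[nib - 10])
    return "".join(out)

def decode_iccid(ef_2fe2):
    """EF ICCID (2FE2): 10 bytes of swapped BCD, up to 20 digits."""
    return swapped_bcd(ef_2fe2)

def decode_imsi(ef_6f07):
    """EF IMSI (6F07): byte 0 is the length; the low nibble of byte 1 holds parity bits, not a digit."""
    return swapped_bcd(ef_6f07[1:1 + ef_6f07[0]])[1:]

def decode_adn_record(rec):
    """EF ADN (6F3A) record: alpha tag, length, TON/NPI, 10 BCD bytes, CCP, EXT1 (last 14 fixed)."""
    alpha_len = len(rec) - 14
    name = bytes(rec[:alpha_len]).rstrip(b"\xff").decode("latin-1")  # ASCII-range tag assumed
    num_len, ton_npi = rec[alpha_len], rec[alpha_len + 1]             # num_len counts the TON/NPI byte
    number = swapped_bcd(rec[alpha_len + 2:alpha_len + 1 + num_len])
    return name, ("+" if ton_npi & 0x70 == 0x10 else "") + number    # TON 001 = international

SST_NAMES = {1: "CHV1 disable", 2: "ADN", 3: "FDN", 4: "SMS", 38: "GPRS"}

def decode_sst(ef_6f38):
    """EF SST (6F38): two bits per service from the low bits of byte 0; b1 allocated, b2 activated."""
    enabled = []
    for n in range(1, len(ef_6f38) * 4 + 1):
        bits = ef_6f38[(n - 1) // 4] >> (((n - 1) % 4) * 2)
        if bits & 0x03 == 0x03:
            enabled.append(SST_NAMES.get(n, "service %d" % n))
    return enabled

# Constructed sample dumps, as hex in the order a reader would return the bytes
SAMPLE_ICCID = list(unhexlify("98440010325476981032"))
SAMPLE_IMSI = list(unhexlify("082943519099999999"))
SAMPLE_ADN = list(unhexlify("416C696365" + "FF" * 9 + "0791447700091032" + "FF" * 4 + "FFFF"))
SAMPLE_SST = list(unhexlify("DF" + "00" * 8 + "0C"))

if __name__ == "__main__":
    print(decode_iccid(SAMPLE_ICCID), decode_imsi(SAMPLE_IMSI), decode_adn_record(SAMPLE_ADN), decode_sst(SAMPLE_SST))
```

Note that an FDN record (EF 6F3B) has the same layout as an ADN record, so decode_adn_record applies to both.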
Pitfalls & Edge Cases
| Issue | Why it happens | Mitigation |
|---|---|---|
| Rate limiting | Modern chips throttle challenge-response attempts to ~50 per minute. | Use an offline capture or a lab-controlled environment. |
| Tamper-resistant hardware | Chips like the MIFARE DESFire embed secure elements. | Rely on firmware extraction or physical tampering (high risk). |
| Encrypted files | Some SIMs encrypt files with the KI. | Capture the KI in real time (SS7 or MITM). |
| Legal implications | Using IMSI catchers or StingRay devices is often prohibited. | Verify local laws and obtain a court order if necessary. |
| New 2025 vulnerabilities | The 2025 SIM firmware updates introduce new anti-cloning mechanisms. | Stay updated with vendor whitepapers and 3GPP releases. |
Quick FAQ
How can modern SIMs with rate limiting be cracked to obtain the KI? Modern chips enforce a strict challenge-response quota. Attackers often use SS7 MITM or StingRay to intercept the authentication exchange in real time, capturing the KI before the rate limit is triggered.
What specific rate limiting mechanisms exist in modern SIMs? The chip counts the number of AUTHENTICATE APDUs sent within a time window. Once the threshold is reached, it returns an error or refuses further authentication until the window resets.
How does the SS7 vulnerability allow key capture? SS7 can be used to send spoofed authentication requests to the mobile network. The network responds with the challenge and key material, which can be captured and replayed.
What are the legal implications of using IMSI catchers/StingRays? In many countries, operating an IMSI catcher without a court order is illegal and can lead to civil or criminal penalties.
How effective are ACMmax protections against prepaid call meter tampering? ACMmax limits the accumulated call time stored on the SIM. If tampered, the network will refuse service once the limit is reached, preventing over-charging.
Can SIM modules be used for legitimate purposes besides hacking? Absolutely. SIM modules enable IoT devices to connect to cellular networks without a smartphone, useful for remote monitoring, fleet tracking, or home automation.
What new vulnerabilities exist in 2025 that are not covered in the video? Preliminary reports point to encrypted storage of KI on new UICC chips and dynamic rate limiting that adjusts thresholds per subscriber. Stay tuned to 3GPP release 19 and vendor security advisories.
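The per-window counting described in the rate-limiting answer above can be applied on the carrier side as well, to spot a subscriber whose authentication rate looks like a brute-force run rather than normal phone use. The following is an added example, not code from the article: the 50-per-minute figure comes from the Pitfalls table, while the log format, the function names and the IMSIs are constructed.

```python
# Added example (not from the original article): the quota the FAQ describes, counting
# authentication attempts per subscriber inside a sliding time window, applied on the
# network side to flag bursts that look like KI brute-forcing. The 50-per-minute threshold
# is the figure from the Pitfalls table; the log format and the IMSIs are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_auth_log(lines):
    """Yield (timestamp, imsi) from constructed lines like '2025-01-10T09:00:00Z AUTH imsi=...'."""
    for line in lines:
        ts, event, imsi = line.split()
        if event == "AUTH":
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), imsi.split("=", 1)[1]

def find_auth_bursts(lines, limit=50, window=timedelta(minutes=1)):
    """Return {imsi: first timestamp at which more than `limit` AUTHs fell inside `window`}."""
    recent = defaultdict(deque)   # per-IMSI timestamps still inside the window
    flagged = {}
    for ts, imsi in parse_auth_log(lines):
        q = recent[imsi]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop attempts that have left the window
            q.popleft()
        if len(q) > limit and imsi not in flagged:
            flagged[imsi] = ts
    return flagged

# Constructed sample: one subscriber authenticates normally (3 attempts, minutes apart);
# another fires 60 AUTHs within 30 seconds, the pattern a cloning rig produces.
BASE = datetime(2025, 1, 10, 9, 0, 0)
def _line(offset_s, imsi):
    return "%s AUTH imsi=%s" % ((BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ"), imsi)

SAMPLE_LOG = [_line(0, "234150000000001"), _line(400, "234150000000001"), _line(900, "234150000000001")]
SAMPLE_LOG += [_line(i // 2, "234150000000002") for i in range(60)]   # 60 attempts in 30 s
SAMPLE_LOG.sort()   # same timestamp format throughout, so string order is time order
```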
Conclusion
You now know how to pull data from a SIM, understand the risks of cloning, and what to watch out for in modern devices. If you’re a forensic analyst or a hobbyist, equip yourself with the right hardware and stay on top of the latest 3GPP specs. If you’re a carrier, consider tightening your SS7 controls and monitoring for unusual authentication patterns. And always remember: knowledge is power, but misuse is crime.
References
- SIM card — 3GPP TS 31.102 (2023)
- SIM card — 3GPP TS 31.101 (2023)
- RFC 2935 — GSM Mobile Station Authentication (2001)
- MagicSim — SIM Cloning Tool (2020)
Glossary
| Term | Definition |
|---|---|
| SIM | Subscriber Identity Module; the chip that stores network credentials. |
| KI | Key Identifier; the master key used to derive the ciphering key (KC). |
| KC | Ciphering Key; encrypts all over-the-air traffic. |
| ICCID | Integrated Circuit Card Identifier; the SIM’s serial number. |
| MF | Master File; the root folder of the SIM file system. |
| GSM | Global System for Mobile Communications; holds network-level data. |
| Telecom | Folder containing user-level data like contacts. |
| ADN | Abbreviated Dialing Numbers; the SIM’s contact list. |
| FDN | Fixed Dialing Numbers; pre-approved phone numbers. |
| MSI-SDN | Mobile Subscriber Identity-Service Data Network; links the SIM to carrier backend. |
| SST | Service Table; lists permissions for SMS, GPRS, etc. |
| ACM | Accumulated Call Meter; tracks total call time on a prepaid SIM. |
| ACMmax | Maximum ACM; the ceiling that triggers network service denial. |
| SS7 | Signaling System 7; the protocol used for network signaling. |
| StingRay | Commercial IMSI-catcher device used by law enforcement. |
| Multi-SIM Adapter | Hardware that converts between nano, micro, and standard SIMs. |
| SIM Explorer | Open-source tool for reading/writing SIM files. |
| SIM Intelligence | Vendor offering forensic tools for SIM analysis. |