I already wrote a SIM phone book dumper program in 2004. This first version was in Perl and was presented in "SIM card phone book listing".
You can also find more advanced tools in articles with the SIM label, like cardpeek, monosim or PSSI.
I now present a version in Python using the PySCard wrapper.
Source code
The source code is in 2 parts:
#!/usr/bin/env python3 from smartcard.System import readers from smartcard.util import toBytes from smartcard.CardConnectionObserver import ConsoleCardConnectionObserver debug = True def usim(reader_nb): # get all the available readers r = readers() print("Available readers:") for reader in r: print("-", reader) reader = r[reader_nb] print("Using:", reader) connection = reader.createConnection() if debug: observer = ConsoleCardConnectionObserver() connection.addObserver(observer) connection.connect() SELECT = "A0 A4 00 00 02 " GET_RESPONSE = "A0 C0 00 00 " # Select MF print("Select MF") data, sw1, sw2 = connection.transmit(toBytes(SELECT + "3F 00")) if sw1 != 0x9F: raise(Exception("Error")) # Select DF Telecom print("Select DF Telecom") data, sw1, sw2 = connection.transmit(toBytes(SELECT + "7F 10")) if sw1 != 0x9F: raise(Exception("Error")) # Select EF ADN print("Select EF ADN") data, sw1, sw2 = connection.transmit(toBytes(SELECT + "6F 3A")) if (sw1, sw2) != (0x9F, 0x0F): raise(Exception("Error")) # Get Response print("Get Response") data, sw1, sw2 = connection.transmit(toBytes(GET_RESPONSE) + [sw2]) if (sw1, sw2) != (0x90, 0x00): raise(Exception("Error")) size = data[-1] pin = None if pin: print(pin) pin = list(map(ord, pin)) padd(pin, 8) # Verify CHV VERIFY = "A0 20 00 01 08" cmd = toBytes(VERIFY) + pin data, sw1, sw2 = connection.transmit(cmd) if (sw1, sw2) != (0x90, 0x00): raise(Exception("Wrong PIN:" + pin)) return size, connection if __name__ == "__main__": usim(0)
#!/usr/bin/env python3 from smartcard.util import toBytes, toASCIIString import usim def decode_record(record): """ decode_record(toBytes("43 75 73 74 6F 6D 65 72 20 43 61 72 65 FF 06 A1 80 00 07 70 00 FF FF FF FF FF FF FF")) >> ['Customer Care', '0800700700'] """ X = len(record) - 14 name = toASCIIString(record[0:X - 1]).replace("ΓΏ", "") # number of bytes for the phone number tel_size = record[X] phone = record[X + 2:X + tel_size + 1] decoded = "" for n in phone: hex = "%02X" % n high = hex[0] low = hex[1] decoded += low + high # if the number of digits is odd we suppress the padding if decoded[-1] == "F": decoded = decoded[:-1] phone = decoded return name, phone def usim_read(reader_nb): # Select the EF ADN (size, connection) = usim.usim(reader_nb) for nbr in range(1, 250): # Read record header = [0xA0, 0xB2] record_idx = nbr cmd = header + [record_idx, 0x04, size] data, sw1, sw2 = connection.transmit(cmd) if (sw1, sw2) != (0x90, 0x00): return name, phone = decode_record(data) if name != "": print(f"{record_idx}: Name: {name}, phone: {phone}") if __name__ == "__main__": import sys if 2 == len(sys.argv): reader_nb = int(sys.argv[1]) else: reader_nb = 0 usim_read(reader_nb)
Comments
The debug is enabled. So you can see the communication between the application
and the card.
You ned to change only one line to remove the APDU log if
needed.
The phone book record size is not fixed for all the SIM cards. The record size is returned in the last byte of the GET RESPONSE command after the SELECT EF (Elementary File) ADN (Abbreviated dialling numbers).
You can get more details about the EF ADN and the record coding in the document ETSI TS 131 102 V16.6.0 (2021-01) chapter "4.4.2.3 EF_ADN (Abbreviated dialling numbers)". It is important to note that ETSI (European Telecommunications Standards Institute) standards are public and free.
By default the first PC/SC reader is used. But you can select another reader by passing a number as argument to the program. We will use this feature later.
No PIN is defined and verified. I am using a
sysmocom sysmoUSIM-SJS1
card. This card has the user PIN disabled by default.
You can enable PIN
verification by defining a PIN in
USIM (Universal Subscriber Identity Module) is a new application
introduced for GSM version 3 (3G) to replace/improve the SIM
(subscriber identity/identification) application. The code should work
the same with a SIM card or a USIM card (but untested).
Output
$ ./usim_read.py Available readers: - Gemalto PC Twin Reader Using: Gemalto PC Twin Reader connecting to Gemalto PC Twin Reader Select MF > A0 A4 00 00 02 3F 00 < [] 9F 22 Select DF Telecom > A0 A4 00 00 02 7F 10 < [] 9F 22 Select EF ADN > A0 A4 00 00 02 6F 3A < [] 9F 0F Get Response > A0 C0 00 00 0F < 00 00 21 34 6F 3A 04 00 11 FF 22 01 02 01 22 90 00 > A0 B2 01 04 22 < 4C 61 75 72 65 20 46 72 61 6E E7 6F 69 73 65 20 59 76 6F 6E 06 A1 24 66 85 10 22 FF FF FF FF FF FF FF 90 00 1: Name: Laure Francoise Yvo, phone: 4266580122 > A0 B2 02 04 22 < 4C 75 63 69 65 6E 6E 65 20 48 65 6C 65 6E 65 20 4C 75 63 69 06 A1 76 45 65 28 77 FF FF FF FF FF FF FF 90 00 2: Name: Lucienne Helene Luc, phone: 6754568277 > A0 B2 03 04 22 < 55 72 62 61 69 6E 20 47 69 6C 6C 65 73 20 4A 75 73 74 65 FF 06 A1 80 38 74 16 54 FF FF FF FF FF FF FF 90 00 3: Name: Urbain Gilles Juste, phone: 0883476145 > A0 B2 04 04 22 < 4A 65 72 6F 6D 65 20 50 61 73 63 61 6C 20 46 65 72 6E 61 6E 06 A1 80 53 42 10 86 FF FF FF FF FF FF FF 90 00 4: Name: Jerome Pascal Ferna, phone: 0835240168 [...]
The output is truncated. I do not want to include all the 255 phone numbers.
Note that the names and numbers are random. More on that later.
Conclusion
It is easy to dump the phone book from a SIM card.
The SIM phone book is very limited (no birthday, no email address). The real phone book is, in general, in the phone itself and synchronised using CardDav with a server like Nextcloud.