C-Netz SIM Emulator

Why emulating a SIM card? Maybe you got an a C-Netz phone from the attic, friend or Ebay? But the SIM card is missing. Without SIM card you cannot use your C-Netz phone at all. Then you buy a high price on Ebay to get a used SIM card. You find out that the SIM card requires a PIN that you don't know. Even if you find a SIM card with no PIN enabled, it may not work with newer phones. The emulator can help you in this case.

Also the emulator can be used to emulate service cards or special cards that enable cell monitoring. With this emulator you can modify all subscriber data without restrictions.

Emulating SIM Card

The easiest way to emulate a C-Netz SIM card is to use your Linux PC with a serial interface connected to the card reader of the phone. Connection can be made directly via wires or via ISO card PCB. You may also use an old ISO card an drill away the chip inside. Then solder thin wires close to the pads and connect them to a serial interface.

In order to connect the card to your Linux PC, you need a serial-to-USB interface. Don't use the 9 pin SUB-D type of interface, because they have level shifters and will brick your phone. Use TTL level interface as shown in the image above.

Because the SIM cards uses TTL level, we can connect a CP2102 controller directly to the card reader of a phone. Don't worry about 5 Volts level from the card reader. The CP2102 can handle it. In order to connect TX and RX together on one pad of the SIM card, we need to add a diode between the I/O pad and the TX output. The cathode must point towards the TX output, so that TX can only pull the I/O line low (0). Use a diode with a low forward voltage drop, like a Schottky diode. I use a simple 1n4148 Silicon diode and it works too.

Important: Some serial interfaces have wrong signal labels. TX and RX might be reversed, so that TX is actually an input and RX an output. You will find out when you connect an Milliamp meter between signal and ground. The output will have several Milliamps, but the input doesn't.

Important: Be sure to run your phone on battery and not via gounded power supply. If the output of the power supply is grounded, the ground of your power line is also connected to the phone's card reader. Voltage spikes on the power line's ground between your PC and your phone may kill the card reader or the USB port. Use an isolating transformer!

Important: The serial interface must support 8e2. (8 data bits, even parity, two stop bits) I suggest to use the CP2102. If you know other serial interfaces that work, let me know.

Connect Ground to GND.
Connect CTS input to RESET.
Connect RX input to I/O.
Connect TX output via diode to I/O.
(Place cathode towards TX output)

To run the emulator, use the "sim" keyword at the end of the command line. Use the '-s' option to give the correct serial interface:


# src/sim/cnetz_sim -s /dev/ttyUSB0 sim

...
FUTLN=23100001, Sicherungscode=3103, Kartekennung=3, Sonderheitenschluessel=0, Wartungsschluessel=65535
Telephone directory has 80 entries.
SIM emulator ready, please start the phone!
sim.c:1352 info   : Reset signal on (low)
sim.c:1352 info   : Reset signal off (high)
sim.c:1371 info   : Card has disabled PIN (system PIN '0000') Selecting card #1.
sim.c:1374 info   : Sending ATR
sim.c:1125 info   : RX message
sim.c:1135 info   :  control I: N(S)=0 N(R)=0
sim.c: 473 info   :  SL-APPL app 3
sim.c:1222 info   : TX response
sim.c:1228 info   :  control I: N(S)=0 N(R)=1
sim.c:1125 info   : RX message
sim.c:1135 info   :  control I: N(S)=1 N(R)=1
sim.c: 558 info   :  RD-EBDT
sim.c:1222 info   : TX response
sim.c:1228 info   :  control I: N(S)=1 N(R)=2
sim.c:1125 info   : RX message
sim.c:1135 info   :  control I: N(S)=2 N(R)=2
sim.c: 473 info   :  SL-APPL app 4
sim.c:1222 info   : TX response
sim.c:1228 info   :  control I: N(S)=2 N(R)=3
sim.c:1125 info   : RX message
sim.c:1135 info   :  control I: N(S)=3 N(R)=3
sim.c: 473 info   :  SL-APPL app 3
sim.c:1222 info   : TX response
sim.c:1228 info   :  control I: N(S)=3 N(R)=4
sim.c:1125 info   : RX message
sim.c:1135 info   :  control I: N(S)=4 N(R)=4
sim.c: 558 info   :  RD-EBDT
sim.c:1222 info   : TX response
sim.c:1228 info   :  control I: N(S)=4 N(R)=5
sim.c:1125 info   : RX message
sim.c:1135 info   :  control I: N(S)=5 N(R)=5
sim.c: 599 info   :  RD-RUFN (loc=0)
sim.c: 655 info   :  80 numbers can be stored in EEPROM
sim.c:1222 info   : TX response
sim.c:1228 info   :  control I: N(S)=5 N(R)=6
sim.c:1352 info   : Reset signal on (low)

Use '-h' command line option to get a list of all options.

Sniffing SIM Card

To run the sniffer, use the "sniff" keyword at the end of the command line. You only need to connect I/O line to the RX line of your serial interface. (And ground of course!) Use the '-s' option to give the correct serial interface:


# src/sim/cnetz_sim -s /dev/ttyUSB0 sniff

sniffer.c: 602 info   : ----------------------------------------
sniffer.c: 609 info   : Reading ATR normal bit order:
sniffer.c: 547 info   :  TD1 T=14: Refers to transmission protocols not standardized by ISO/IEC JTC 1/SC 17.
sniffer.c: 590 info   : ----------------------------------------
sniffer.c: 547 info   :  TD2 T=14: Refers to transmission protocols not standardized by ISO/IEC JTC 1/SC 17.
sniffer.c: 590 info   : ----------------------------------------
sniffer.c: 418 info   :  TA3 fsmin = 3 MHz
sniffer.c: 433 info   :  TA3 fsmax = 5 MHz (Default)
sniffer.c: 470 info   :  TB3 Maximum block size = 42
sniffer.c: 516 info   :  TC3 Character Waiting Time = 3
sniffer.c: 547 info   :  TD3 T=14: Refers to transmission protocols not standardized by ISO/IEC JTC 1/SC 17.
sniffer.c: 590 info   : ----------------------------------------
sniffer.c: 440 info   :  TA4 Block Waiting Time = 4
sniffer.c: 590 info   : ----------------------------------------
sniffer.c: 595 info   :  History byte #1: 0x92
sniffer.c: 595 info   :  History byte #2: 0x80
sniffer.c: 595 info   :  History byte #3: 0x00
sniffer.c: 595 info   :  History byte #4: 0x41
sniffer.c: 595 info   :  History byte #5: 0x32
sniffer.c: 595 info   :  History byte #6: 0x36
sniffer.c: 595 info   :  History byte #7: 0x01
sniffer.c: 595 info   :  History byte #8: 0x11
sniffer.c: 690 info   :  Checksum 0xe4 ok.
sniffer.c: 697 info   : ATR done!
sniffer.c: 715 info   : ----------------------------------------
sniffer.c: 734 info   : Layer 2:
sniffer.c: 735 info   :  source 3 -> to 1
sniffer.c: 737 info   :  control I: N(S)=0 N(R)=0
sniffer.c: 744 info   :  length 15
sniffer.c: 203 info   : Interface control layer ICB1:
sniffer.c: 207 info   :  ON-LINE-BIT:         0 = Off-line data
sniffer.c: 211 info   :  CONFIRM-BIT:         0 = No meaning
sniffer.c: 213 info   :  MASTER/SLAVE-BIT:    1 = Sender is master
sniffer.c: 219 info   :  WT-EXTENSION-BIT:    0 = No request for WT-Extension
sniffer.c: 223 info   :  ABORT/TERMINATE-BIT: 0 = No meaning
sniffer.c: 227 info   :  ERROR-BIT:           0 = No meaning
sniffer.c: 231 info   :  CHAINING-BIT:        0 = No more ICL data follows
sniffer.c: 235 info   :  ICB-EXTENSION-BIT:   0 = no ICB follows
sniffer.c:  48 info   : Layer 7:
sniffer.c:  50 info   :  I = Command
sniffer.c:  51 info   :  CLA = 0x02
sniffer.c:  54 info   :   -> CNTR (Control Class)
sniffer.c:  75 info   :  INS = 0xf1
sniffer.c:  80 info   :   -> SL-APPL (Select Application)
sniffer.c: 180 info   :  DLNG = 11
sniffer.c: 187 info   :  DATA(0) = 0x38 '8' 56
sniffer.c: 187 info   :  DATA(1) = 0x39 '9' 57
sniffer.c: 187 info   :  DATA(2) = 0x34 '4' 52
sniffer.c: 187 info   :  DATA(3) = 0x39 '9' 57
sniffer.c: 187 info   :  DATA(4) = 0x30 '0' 48
sniffer.c: 187 info   :  DATA(5) = 0x31 '1' 49
sniffer.c: 187 info   :  DATA(6) = 0x30 '0' 48
sniffer.c: 187 info   :  DATA(7) = 0x30 '0' 48
sniffer.c: 187 info   :  DATA(8) = 0x33 '3' 51
sniffer.c: 187 info   :  DATA(9) = 0x30 '0' 48
sniffer.c: 187 info   :  DATA(10) = 0x31 '1' 49
sniffer.c: 715 info   : ----------------------------------------
sniffer.c: 734 info   : Layer 2:
sniffer.c: 735 info   :  source 1 -> to 3
sniffer.c: 737 info   :  control I: N(S)=0 N(R)=1
sniffer.c: 744 info   :  length 4
sniffer.c: 203 info   : Interface control layer ICB1:
sniffer.c: 207 info   :  ON-LINE-BIT:         0 = Off-line data
sniffer.c: 211 info   :  CONFIRM-BIT:         0 = No meaning
sniffer.c: 215 info   :  MASTER/SLAVE-BIT:    0 = Sender is slave
sniffer.c: 219 info   :  WT-EXTENSION-BIT:    0 = No request for WT-Extension
sniffer.c: 223 info   :  ABORT/TERMINATE-BIT: 0 = No meaning
sniffer.c: 227 info   :  ERROR-BIT:           0 = No meaning
sniffer.c: 231 info   :  CHAINING-BIT:        0 = No more ICL data follows
sniffer.c: 235 info   :  ICB-EXTENSION-BIT:   0 = no ICB follows
sniffer.c:  48 info   : Layer 7:
sniffer.c: 142 info   :  I = Response
sniffer.c: 143 info   :  CCRC = 0x05
sniffer.c: 145 info   :   -> PIN-NOT-OK
sniffer.c: 149 info   :   -> APRC valid
sniffer.c: 158 info   :  APRC = 0x02
sniffer.c: 160 info   :   -> Bit 2 = 1:PIN-Check required
sniffer.c: 166 info   :   -> Bit 3 = 0:Application unlocked
sniffer.c: 170 info   :   -> Bit 5 = 0:GEBZ/RUFN unlocked
sniffer.c: 174 info   :   -> Bit 6 = 0:GEBZ not full
sniffer.c: 180 info   :  DLNG = 0
sniffer.c: 302 info   : Resetting sniffer

When the phone is switched on, the SIM card is powered up and outputs the ATR sequence (Answer To Reset).

The first message is a command message that is transmitted from the phone towards the SIM card. The layer 2 header indicates the direction and the length of 15 bytes. The ICR layer has no meaning with the C-Netz. Except for the MASTER/SLAVE-BIT, no other bit is used. The layer 7 (application) header indicates the command and the message type and length, followed by 11 bytes of data. This command tells the SIM card to select C-Netz application.

The second message is a response message that is transmitted from the SIM card towards the phone. The layer 2 header indicates the direction and the length of 4 bytes. The layer 7 header indicates the response and status bits and length, followed by 0 bytes of data. The response tells the SIM card that a PIN is required to complete the command. The user is prompted to enter the pin.

To read more about the protocol, and the meaning of messages, refer to FTZ 171 TR 60 - Anhang 1 Berechtigungskarte als Prozessorkarte.pdf

Build Your Own SIM Card

You find the PCB drawings inside the "layout" directory of the git repository. Be sure to print it without scaling! Check if the printed size matches an ISO card. Also there are the source files for the 'Eagle' and 'KiCad' layout programs.

You may use an "Arduino UNO" or "ATTINY85" to emulate a SIM card without a PC. In case of the Arduino, you still need wires to connect it to the card reader of the phone. If you use an ATTINY85, you can put the micro controller directly on a PCB card, as shown on top of this page.

To compile and run with Arduino, you need to open "src/sim/sim.ino" with Arduino software and select the "Arduino UNO" board. The RESET input is at pin 6 and the I/O line at pin 7. Connect these two lines together with ground line to the card reader or ISO card PCB. You don't need a diode this time, since pin 7 is automatically switched between input and output. The serial protocol is emulated in software. The status LED (pin 13) will flash whenever a message is received from the card reader.

To compile and run with ATTINY85, you need to open "src/sim/sim.ino" with Arduino software and select the "ATiny25/45/85" board and the "ATiny85" chip. Refer to the internet on how to compile and flash the ATTINY85 without boot-loader. It is beyond the scope of this documentation. This time you need 5 wires to connect (VCC and Clock also).

Important: After flashing you need to wait 10 seconds before removing power. During that time the EEPROM is initialized. If you would read out the EEPROM, you will notice the letter 'C' at address 0. Then you would know that the init process was finished with success.

If you use the DIP version of the ATTINY85, you cannot put it on the card itself. The PCB in the picture on top of this page shows the DIP socket next to the actual card area. Be sure to put the chip on the back side of the SIM card. This works only if the phone does not completely enclose the card.

If you use the SOIC version of the ATTINY85, you need to make it flat, so it fits into your phone. You may use the full size SIM or just the mini SIM. I prefer the mini SIM and use an adapter card for larger phones.

The original ATTINY85 (1) is shown upside down. Bend the legs straight and shorten them, so they still fit into a programmer's socket. (2) Use P400 sand paper to sand off the bottom of the chip's case, until you reach the copper plate. (3) Make a hole into the PBC and solder the chip upside down into that hole. Pin 1 is marked on the PCB.

Important: You need to change clock source to pin 1.

Change lower fuse of 0xc0. Note that you will not be able to do any further programming unless you apply clock signal to pin 1. Use a crystal oscillator connected to pin 1 when you like to update the firmware in the future. You may also use other type of clock signal. Try something between 1 and 8 MHz. I recommend to use the USBasp or a clone of that. It is cheap and easy and works with USB. To set the fuses using "avrdude" in conjunction with "usbasp" flash tool, use:

avrdude -c usbasp-clone -p t85 -U lfuse:w:0xc0:m -U hfuse:w:0xdf:m -U efuse:w:0xff:m

If you run it again, you might notice that there is no response without a clock applied. Apply a clock to pin 1 and see if you get a response again.

Using the SIM Card

After powering up the phone with SIM adapter/emulator attached, the phone should show the default subscriber number (FUTLN) on the display. (Not all phones do. Read the manual to get the key code on how to show the subscriber number.) There is no PIN enabled by default, so the SIM card is ready after inserting or poweing up the phone. Now you can make calls, add telephone numbers or change PIN.

The SIM card can emulate 8 different cards. They share the same telephone directory, but have different subscriber data. Subscriber data can be changed to anything you like. This way it is possible to even emulate service cards ("Wartungskarten"), to put phones into service mode or special cell monitor mode.

If the PIN is disabled (default), the first card with first subscriber data is emulates. To select different card with dfferent subscriber data, change the PIN to 0001 .. 0008. Refer to the phone's manual on how to enable, disable or change the PIN. E.g. if you store the PIN 0000 or 0001, the first card with the first subscriber data is emulated. E.g. if you store the PIN 0005, the fifth card with the fifth subscriber data is emulated. In all cases, there is no PIN required when you turn on the phone.

PINFUTLN =
Subscriber
Sicherungs-
code
Karten-
kennung
Sonderheiten-
schlüssel
Wartungs-
schlüssel
0000 or 0001222200131033065535
0002222200231033065535
0003222200331033065535
0004222200431033065535
0005222200531033065535
0006222200631033065535
0007222200731033065535
0008222200831033065535

You may want to use a PIN to select the card whenever you turn on the phone. Use the phone to enable a PIN that does not start with "000", "888", "999". When you restart your phone, you may enter that PIN, to select the first card. Alternatively you may enter the PIN 0000 or 0001, to select the first card, no matter what the PIN was. Or you may enter the PIN 0002 .. 0008, to select second to eighth card.

You may also alter each of the 8 different subscriber data store on the SIM. In order to do that, you need to set a PIN, so the phone will ask for a PIN whenever it is turned on. Choose any PIN you like, but not a PIN that startw with "000", "888", "999". Reset the phone and you will be asked for a PIN.

Altering subscriber data via phonebook funcion:
Enter the PIN 9991 to alter the first subscriber data. Enter the PIN 9992 .. 9998 to alter second to eighth subscriber data. The subscriber data is shown in the telephone directory and can be altered by changing the numbers in that directory. Also the SIM software version is shown on entry 06 of the telephone directory, but it cannot be changed. The Bosch OF 7 does not like to store numbers less than 3 digits. Put zeroes in front, if you want to store a value less than 1000.

Altering subscriber data via PIN input:
Enter the PIN 8881 to alter the first subscriber data. Enter the PIN 8882 .. 8888 to alter second to eighth subscriber data. After that the phone displays that the PIN was wrong and prompts for another PIN. With this trick the PIN prompt is used to input the subscriber data. Now enter all 5 values of subscriber data, value by value. Whenever you entered one value, the phone display that the PIN was wrong and prompts for the next value. If the value is less than 4 digits, add zeros in front of it to make it at least 4 digits long. After all 5 values have been entered, the SIM starts emulating that subscriber data. If one of the input values is out of range, the SIM card will emulate a fictitious number "3333333". This is displayed on the phone. This means that the input was wrong. Check the values and start over again.

Example for PIN input:
Miniporty monitor mode: 8881, 2222002, 0001, 0001, 0900, 1728

The default subscriber data and SIM version and where to change them in the telephone directory:

EntryNameNumber
01FUTLN2222001 *
02Sicherungscode3103
03Kartenkennung3
04Sonderheitsschl.0
05Wartungsschl.65535
06SIM software versionxxx **

(*) When PIN 9991 was entered.
(**) This value represents the software version and cannot be changed.

Service Cards

To program one of the following service cards, change the subscriber data to the indicated values.

TypeFUTLN =
Subscriber
Sicherungs-
code
Karten-
kennung
Sonderheiten-
schlüssel
Wartungs-
schlüssel
Siemens C5
service mode
---9001000
Philips Miniporty
service mode
---9001000
Philips Miniporty
restricted cell monitor
---9001728
Philips Miniporty
extended cell monitor
---9002729
Philips Porty
service mode
0002304-
Philips Porty
cell monitor
---898-
AEG Telecar C
service mode
---144 or 911-
AEG Telecar C
cell monitor
---899-


[Back to main page]