Jason Gin Reverse Engineers the SIM Lock PIN From ZTE WF721 Cellular Home Phone Base Stations
What do you do when a cellular base station automatically locks all SIMs? Start soldering to test pads and capturing the PIN, of course.
Engineer Jason Gin found himself with a problem after buying a ZTE WF721 cellular home phone base station that silently locked any SIM card inserted into its slot with an unknown PIN — and decided the best way to solve the problem, for himself and others, was to pull the secret PIN right out from the hardware.
"The previous summer I picked up a ZTE WF721 cellular home phone base station (that is, it’s a voice-only cell phone that a landline phone plugs into), which came with a Telus SIM card," Gin explains. "The issue is that the WF721 sets a SIM card PIN to essentially “lock” the card to the base station, and it wasn’t the default 1234 PIN; brute-forcing a SIM card is not possible as you get 3-5 attempts before the card needs to be unblocked using a PUK (PIN Unblock Key), failing that, the card is permanently rendered unusable.
"I decided to take the base station apart, and use my knowledge in electronics and previous research into smart cards to see if I could recover the PIN. (Yes, I went through all this work instead of just buying a prepaid SIM card from the dollar store. I’m weird like that.)"
Dismantling the base station — not an easy task, given hidden screws and a surprising number of plastic clips built into the housing — Gin was able to gain access to test pads for the SIM socket, identifying each of the five required lines — VCC, GND, CLK, IO, and RST — for connection to a logic analyzer. "I analysed the logic captures after turning the WF721 on and allowing it to initialize the SIM card and attempt to connect to the cellular network," he writes.
"The command I’m looking for is 0x20 (VERIFY PIN), and I had to sift through the command flow in the logic analyser until I found it. After a lot of preceding commands, I found the command I was looking for, and I found the PIN… and it’s in plaintext! As it turns out, it is sent as an ASCII string, but it’s not null terminated like a regular string. Instead, the data is always 8 bytes (allowing up to an 8-digit PIN), but a PIN shorter than 8 digits will have the end bytes padded with 0xFF (all binary ones). It was easy to determine that the bytes 0x32 33 37 36 are the ASCII representation of the PIN 2376, and after the card waited many tens of milliseconds, it acknowledged the PIN was correct as it gave the expected 0x9000 response code."
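The frame Gin describes, a VERIFY command with a fixed 8-byte ASCII field padded with 0xFF and answered by a two-byte status word, can be decoded with a short parser. The example below is added here and is not Gin's code; it assumes the T=0 procedure byte has already been stripped from the capture, and the sample bytes are a constructed frame modelled on the values quoted above.

```python
# Added example (not from Gin's write-up): decode a VERIFY PIN / VERIFY CHV
# command as it appears on the ISO 7816 SIM interface, showing why a logic
# analyser on the IO line recovers the PIN.  Assumes the T=0 procedure byte
# has already been stripped so the capture is CLA INS P1 P2 Lc + 8 data bytes,
# followed by the two status-word bytes SW1 SW2.

INS_VERIFY = 0x20
PIN_FIELD_LEN = 8          # fixed-length field, unused bytes padded with 0xFF

# Status words from GSM 11.11 (CLA 0xA0) and ETSI TS 102 221 (CLA 0x00)
STATUS = {
    b"\x90\x00": "PIN accepted",
    b"\x98\x04": "wrong PIN (GSM 11.11)",
    b"\x98\x40": "PIN blocked, PUK required (GSM 11.11)",
    b"\x69\x83": "PIN blocked, PUK required (UICC)",
}

def describe_status(sw: bytes) -> str:
    """Map the two status bytes returned by the card to a description."""
    if len(sw) != 2:
        raise ValueError("status word must be exactly 2 bytes")
    if sw[0] == 0x63 and (sw[1] & 0xF0) == 0xC0:   # 63 CX: X retries left
        return f"wrong PIN, {sw[1] & 0x0F} attempt(s) remaining (UICC)"
    return STATUS.get(sw, f"unknown status {sw.hex()}")

def decode_verify_pin(frame: bytes) -> dict:
    """Parse a captured VERIFY command + response; return the plaintext PIN."""
    if len(frame) < 5 + PIN_FIELD_LEN + 2:
        raise ValueError("frame too short for a VERIFY command")
    cla, ins, p1, p2, lc = frame[:5]
    if ins != INS_VERIFY:
        raise ValueError(f"not a VERIFY command: INS=0x{ins:02x}")
    if lc != PIN_FIELD_LEN:
        raise ValueError(f"unexpected Lc={lc}; VERIFY carries {PIN_FIELD_LEN} bytes")
    field = frame[5:5 + PIN_FIELD_LEN]
    sw = frame[5 + PIN_FIELD_LEN:5 + PIN_FIELD_LEN + 2]
    digits = field.rstrip(b"\xff")          # drop 0xFF padding at the end
    if not digits.isdigit():                # isdigit on bytes checks ASCII 0-9
        raise ValueError(f"PIN field is not ASCII digits: {field.hex()}")
    return {"cla": cla, "pin_ref": p2, "pin": digits.decode("ascii"),
            "status": describe_status(sw)}

# Constructed capture modelled on the bytes quoted in the write-up:
# CLA A0 (GSM), INS 20 VERIFY CHV, P1 00, P2 01 (CHV1), Lc 08,
# "2376" + four 0xFF pad bytes, then SW 90 00.
SAMPLE = bytes.fromhex("a0 20 00 01 08 32 33 37 36 ff ff ff ff 90 00")

if __name__ == "__main__":
    print(decode_verify_pin(SAMPLE))
```

The 63 CX branch matters in practice: a card that is one attempt from blocking reports it there, which is why decoding the status word, not just the command, belongs in any analysis of a capture.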
Gin was able to verify that the PIN he'd captured unlocked the SIM, and since publishing a write-up on his blog he has had others confirm that their ZTE WF721 base stations use the very same PIN. Thanks to Gin's efforts, other ZTE WF721 owners can now unlock their SIM cards without repeating the reverse engineering process themselves.