Free WiFi with EAP-SIM on a desktop computer

EAP-SIM on a mobile phone

Following its roll-out as a new authentication method to the WiFi community network of a major mobile operator in France in 2012, EAP-SIM has attracted quite some attention over there.

Yet the limited level of support of this technology in mobile devices available on the market has left many users struggling to get it to work effectively.

EAP-SIM is supported on the iPhone and the iPad since iOS 5 — and there are reports that it can be made to work on iOS 4.

On the other hand, it has taken Google 3 years to acknowledge and react to the lack of official EAP-SIM support on Android. After hundreds of sometimes infuriated messages, it looks like they started to work on implementing it in June 2013!
In Google’s defense, one can say that EAP-SIM can work on Android — as long as your phone manufacturer or mobile operator has implemented it in the phone’s software.
Still, it is unacceptable that Google’s Android flagship devices, the Nexus family, don’t support EAP-SIM natively.
Especially when there isn’t much work to do to implement properly.

Windows Phone 8+ and BlackBerry are reported to support EAP-SIM as far as I could gather.

EAP-SIM on a desktop computer

But this article isn’t about EAP-SIM on mobile devices. Instead it will show how to connect to a WiFi network using EAP-SIM on a desktop computer running Linux.

Hardware

The requirements are:

  1. a SIM card of an operator supporting EAP-SIM (e.g. Free)
  2. a computer with a WiFi adapter
  3. a SIM card reader (or “smartcard reader”)

I suppose that items 1. and 2. are already in your possession.
Regarding the SIM card reader, many models can be used, ranging from high-end devices to dirt cheap readers.

Let’s say that we want to do this experiment on a shoestring: we’ll settle on a $2 SIM card reader that is just good enough.
Go to eBay and grab one of these transparent blue SIM readers (don’t know if the other models are compatible).

This is a very low-tech smartcard reader, based on the so-called Phoenix architecture. Because of — or in spite of — this simplicity, it can be quite tricky to get it to work at times. (Or is it the OpenCT driver that is at fault?)

Wait for a couple of weeks for the little package from eBay to arrive and now you’ve got everything needed to proceed 🙂

Software

First, we’ll set up the software for the SIM card reader:

  1. Install the following packages (on Ubuntu):
    openct pcscd pcsc-tools libpcsclite-dev libnl-dev
  2. Plug in the SIM reader and run dmesg to determine the associated TTY:
    [85418.604327] usb 7-2: new full-speed USB device number 2 using uhci_hcd
    [85419.040763] USB Serial support registered for pl2303
    [85419.040824] pl2303 7-2:1.0: pl2303 converter detected
    [85419.052517] usb 7-2: pl2303 converter now attached to ttyUSB0
    [85419.052552] usbcore: registered new interface driver pl2303
    [85419.052556] pl2303: Prolific PL2303 USB to serial adaptor driver
  3. Add this piece of configuration to /etc/openct.conf (with the right TTY device):
    reader phoenix {
        driver = phoenix;
        device = serial:/dev/ttyUSB0;
    };
  4. Restart OpenCT:
    /etc/init.d/openct restart
  5. Insert the SIM card into the reader and check that it is correctly detected by OpenCT:
    root@desktop:~# openct-tool atr
    Detected Phoenix reader
    Card present, status changed
    ATR: 3b 9f 95 80 1f c7 80 31 e0 73 fe 21 1b 64 07 54 61 00 82 90 00 f0
  6. Check that it is also correctly detected by PCSC-Lite:
    root@desktop:~# pcsc_scan 
    PC/SC device scanner
    V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.7.4
    Using reader plug'n play mechanism
    Scanning present readers...
    0: OpenCT 00 00
    Wed Aug 28 17:55:25 2013
    Reader 0: OpenCT 00 00
     Card state: Card inserted, 
     ATR: 3B 9F 95 80 1F C7 80 31 E0 73 FE 21 1B 64 07 54 61 00 82 90 00 F0

At this point, you’ve confirmed that your $2 SIM reader works fine on your computer. Let’s continue to the core of the EAP-SIM set-up: the so-called “WPA supplicant”, which handles all the WiFi authentication phases.

  1. Download the latest release of hostapd:
    user@desktop:~$ wget http://hostap.epitest.fi/releases/hostapd-2.0.tar.gz
  2. Extract the archive and and go the the wpa_supplicant folder:
    user@desktop:wpa_supplicant$ cp defconfig .config
  3. Edit the newly created .config file so that it contains:
    # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
    CONFIG_EAP_SIM=y
    # PC/SC interface for smartcards (USIM, GSM SIM)
    # Enable this if EAP-SIM or EAP-AKA is included
    CONFIG_PCSC=y
  4. Build the WPA supplicant program:
    user@desktop:wpa_supplicant$ make
  5. Create a configuration file wpa_supplicant_eap-sim.conf, with the correct PIN number:
    cred={
      imsi="none" # anything but blank value
    }
    network={
      ssid="FreeWifi_secure"
      key_mgmt=WPA-EAP IEEE8021X
      eap=SIM
      pin="1234"
      pcsc=""
    }
  6. Disconnect from any WiFi network, make sure that no other wpa_supplicant is running on your computer at the same time and run (wlan0 being the WiFi interface):
    root@desktop:wpa_supplicant# iwconfig wlan0 essid "FreeWifi_secure" && ./wpa_supplicant -i wlan0 -c wpa_supplicant_eap-sim.conf
  7. On the output, you will see that it worked correctly if it says:
    Successfully initialized wpa_supplicant
    wlan0: Trying to associate with xx:xx:xx:xx:xx:xx (SSID='FreeWifi_secure' freq=2417 MHz)
    wlan0: Associated with xx:xx:xx:xx:xx:xx
    wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
    EAP: buildIdentity: identity configuration was not available
    wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=18
    wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 18 (SIM) selected
    wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
    wlan0: WPA: Key negotiation completed with xx:xx:xx:xx:xx:xx [PTK=CCMP GTK=TKIP]
    wlan0: CTRL-EVENT-CONNECTED - Connection to xx:xx:xx:xx:xx:xx completed (auth) [id=0 id_str=]
  8. On another terminal, run a DHCP client for the WiFi interface:
    root@desktop:~# dhclient wlan0

Ta da, success!

You’re now connected to the FreeWifi_secure network, with an IP address giving access to the Internet.
Total cost: $2 for the SIM reader + €2 per month for the mobile phone subscription.

Advertisements

50 thoughts on “Free WiFi with EAP-SIM on a desktop computer

    • You have to use a SIM card reader which is supported by PC/SC lite, either directly or via OpenCT.
      I don’t think USB modems qualify as they probably don’t expose their SIM card reader to the USB host.

  1. The SIM is necessary all the time or not? Can I authenticate and the put the sim back on my phone?

    Does this work on raspberry pi?

    Please help!!

    • I reckon that the remote EAP-SIM authenticator will periodically ask to renew the authentication.
      So you have to have a dedicated SIM in practice.

      As for the question whether it works on a Raspberry Pi: yes, it does, simply run Linux on it and install the required packages.

      • Hello, thanks for your help, I got the adapter, I am at point 5, but on point 6 I am stuck at:
        pcsc_scan
        PC/SC device scanner
        V 1.4.20 (c) 2001-2011, Ludovic Rousseau
        Compiled with PC/SC lite version: 1.8.3
        Using reader plug’n play mechanism
        Scanning present readers…
        Waiting for the first reader…

        dmesg: usbcore: registered new interface driver usbserial
        [ 293.103520] usbcore: registered new interface driver usbserial_generic
        [ 293.103642] usbserial: USB Serial support registered for generic
        [ 293.108591] usbcore: registered new interface driver pl2303
        [ 293.108771] usbserial: USB Serial support registered for pl2303
        [ 293.108914] pl2303 1-1.4:1.0: pl2303 converter detected
        [ 293.115223] usb 1-1.4: pl2303 converter now attached to ttyUSB0

        any ideas? Thanks again

  2. How about making it work without the reader?
    What I have in mind is extracting some sort of password from the SIM card and then using some emulator to make it work. The first question is whether it is possible in principle. That is, whther the necessary data can be extracted from the SIM. If yes then the second question would be how.
    (It’s not 2$ that is the problem, it’s the fact that I have to take it out of the phone.)

    • No, you definitely can’t “extract” any secret from the SIM card, that’s exactly the purpose of this “security token”.
      Or ask the NSA / GCHQ for the Ki secret key for your SIM card, I’m pretty sure that they have it — in addition to your telecom operator 🙂

      As I said to Michael previously, in practice the EAP-SIM WPA supplicant needs to have a direct access to the SIM, in order to send the proper APDU commands.
      In theory, one could think of the phone acting as a “SIM proxy”, relaying APDU to/from an external component.

      The Bluetooth SIM Access Profile (aka SAP, SIM, rSAP) would be a perfect match for this task. Unfortunately, hardly any phone support this Bluetooth profile.
      I have an idea how to overcome that (using some kind of *hardware* SIM proxy) but i don’t have the time to work on this.

      • For the record, I do confirm that a SAP-enabled phone *can* be used to authenticate to a EAP-SIM network.
        So the SIM card doesn’t have to leave your phone, as you mentioned @xi.

        Test environment: homemade PS/SC driver for pcsclite, connected to a Nokia C1-01.
        The source code of the driver still has rough edges but it worked as a proof of concept!

  3. Hi gadgetlemming,
    I’m trying to configure a Raspberry to acces FreeWifi_secure. Its the second SIM Reader I buy but the dont seem to support PCSC-Lite.
    I can acces then with “openct-tool attr” but not with pscs_scan.
    Can you give me the exact type of reader you bought please?
    Than you for this tuto and best regards

    • Hi! I think we have the same problem, maybe its something about the config of that tool, but I didnt found anything useful on the internet.. 😦

  4. To get the card working with pcsc_scan you have to uncomment the following lines in /etc/reader.conf.d/reader.conf:

    #FRIENDLYNAME “OpenCT”
    #DEVICENAME /dev/null
    #LIBPATH /usr/lib/openct-ifd.so
    #CHANNELID 0

    Change DEVICENAME to the correct tty (i.e.: /dev/ttyUSB0).

    Do all of this before restarting openct (step 4) or restart openct afterwards.

    Thats what I had to do on a Ubuntu 14.4.1.

    Also there are two different kind of ~$2 transparent blue sim card readers on ebay: One is dark blue and the other is light blue. I ordered both of them, the dark one is working with exactly the same output as in this tutorial. The lighter one did not arrive until now.

  5. I try with my 2 sim:

    # openct-tool atr
    Detected Phoenix reader
    Card not present
    ATR: 3b 18 11 e4 43 01 10 09 05 07 77

    # openct-tool atr
    Detected Phoenix reader
    Card not present
    ATR: 3b 7d 94 00 00 57 44 53 26 50 86 93 00 00 00 00 00 00

    Give me “Card not present” message
    There are some other configuration I miss?

  6. Hi all,
    I’ve configured a Raspberry to acces FreeWifi_secure. If you want I can send you a doc (in french) which explain all steps to do that.
    Just ask me!

  7. @Michael: if you got the same card I got, there’s a bug in the card reader: it doesn’t report the SIM inserted even when it is and it can be read. Maybe it’s the driver, but I suspect it’s some wire not connected on the chip. I had to patch openct to force it to always report the card as inserted. Here’s the patch I made last year (sorry you’ll have to figure it out from this, and have the whitespaces corrected). Worked perfectly after (but you have to insert the SIM, restart openct, then restart pcscd then continue with wpa_supplicant ):

    — openct-0.6.20/src/ifd/ifd-smph.c.old 2007-06-21 09:20:36.000000000 +0200
    +++ openct-0.6.20/src/ifd/ifd-smph.c 2014-06-19 21:51:51.679347762 +0200
    @@ -233,7 +233,9 @@
    return -1;

    *status = 0;
    – *status |= ((tmp & TIOCM_CTS) != TIOCM_CTS) ? IFD_CARD_PRESENT : 0;
    +/* HACK: always return card present to work around hardware defect */
    +/* *status |= ((tmp & TIOCM_CTS) != TIOCM_CTS) ? IFD_CARD_PRESENT : 0; */
    + *status |= IFD_CARD_PRESENT;
    return 0;
    }

    • You patched the c file and I guess you had to rebuild openct again. Did you miss that in the instructions?
      Did you have problem running wpa_supplicant without this patch or this patch is just to remove the print “Card not present” before responding ATR?

      • Used at the time Debian wheezy. openct doesn’t appear to be available on newer Debian (jessie). Shouldn’t be a problem with Ubuntu if the package exists. The patch is really a one liner telling to anything that queries openct (applications too) that the card is always inserted. Else pcscd (querying openct, and in turn queried by wpa_supplicant) will tell there’s no card on my device so EAP-SIM will obviously fail.
        I rebuilt the package the usual debian way (well there’s more that one way so…).
        Of course you have to have the package sources repositories updated if Ubuntu doesn’t have it. Then:
        as root:
        apt-get build-dep openct

        as normal user:
        apt-get source openct
        cd openct-0.6.20
        dch -i # to bump the package version avoiding reinstallation of the official package. This command is part of the devscripts package.

        dpkg-buildpackage -us -uc -b -rfakeroot

        as root again: dpkg -i ../openct_*.deb

        This patch is independent of anything needed for wpa_supplicant (at the time I had to rebuild it too I think following more or less the instructions on this thread)

      • @Adel, Thank you very much for your reply. I manage to install the patch the with instructions you have given below. After your patch and @LesPetitesSuisse fix in /etc/reader.conf.d/openct, it was possible to perform pcsc_scan.
        The pcsc_scan print do not who prompt unless i press CTRL+C. Please let me know if it is normal?

        I see other problem with this SIM card reader that if we remove and insert then nothing work even will kill openct and pcscd. The only way I found that purge and autoremove all the packages and restart the PC and then follow the instructions again.

        Now, I also get error while after using iwconfig with wpa_supplicant with eap-sim but that be related since I am using my own enterprise authentication with my own SIM triplets not the freewifi that you are using.

        iwconfig wlan0 essid “myinterprise_wifi” && ./wpa_supplicant -i wlan0 -c wpa_supplicant_eap-sim.conf

        I want to know how can I debug openct and pcsc tools and pcscd source. I think then I can try fixing the problems reading with these SIM card readers and also know more about my setup.

        Thanks.

  8. Hi @gadgetlemming, thank you for this article! Along with your comment about SIM Access Profile, this is exactly what I hoped could be done. Did you publish your experimental PC/SC driver somewhere? I’d like to do the same with my Nokia… Thanks again and please continue blogging, this is nice.

    • Hi Vincent, sorry for getting back to you so late. Yeah, I do intend to publish it, but that’s only a proof of concept for the moment.

  9. Hi @gadgetlemming. i live in France (but am English) and would love to set this up but technically this looks to be rather beyond my technical expertise. I was wondering if you know of a pre-configured commercial WiFi modem that could be used to achieve this? Alternatively can you see any problem with buying a cheap mobile phone that supports EAP and using that in conjunction with the 2€ free.fr subscription?

  10. Same problem on Ubuntu 14.04.3 LTS 64 bit as Michael is facing here. Which Ubuntu version did you use? I guess you did not use sudo with the command then you have perhaps used other distribution.

  11. Pingback: SIM reader issue - ubuntutextbook

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s