
SIM Card Architecture

Basics

A SIM card is not just “a memory chip.” It is a secure microcontroller, with its own CPU, RAM, ROM, file system, crypto engine, access control rules, and operating system.

Its job:
✔ store your permanent identity (IMSI/SUPI)
✔ store the secret key K
✔ perform authentication algorithms
✔ prevent extraction of secrets at all costs

Even if you root your phone, jailbreak it, or physically remove the SIM, you cannot directly read IMSI/K because the SIM is designed with hardware-level isolation and cryptographic protections.

This article explains why.

1. The SIM Card Is a Smartcard-Based Microcontroller

A SIM is essentially a smartcard. Like a credit card chip, it contains:

✔ CPU

  • Executes crypto algorithms (MILENAGE, TUAK)
  • Executes SIM OS instructions
     

✔ RAM

  • Temporary workspace for variables and encryption
     

✔ ROM

  • Stores SIM Operating System
  • Contains permanent logic
     

✔ EEPROM/Flash

  • Stores:
    • IMSI / SUPI
    • Secret key K
    • Authentication counters
    • PLMN list
    • Operator public keys (for SUCI)
    • File system
       

✔ Crypto Engine

  • AES, DES, MILENAGE, ECIES
  • ECC for SUCI
  • Hardware random number generation
     

✔ Security Controller

  • Memory access firewall
  • Tamper detection
  • Side-channel attack protections
  • Voltage/clock glitch protection
  • Fuse protection
     

A SIM is not readable memory — it is an active microcontroller that decides when/if data may be read or written.

2. Why IMSI and Secret Key K Cannot Be Read Directly

2.1 IMSI/K are stored in a protected memory zone

In the SIM file system:

  • IMSI is stored under EF IMSI
  • K (secret key) is stored in a secure file not readable by ANY external command
     

Access to these files is governed by:

  • PIN protection
  • Access Rule Files (ARF)
  • Security Domain rules
  • Crypto firewall
     

No APDU command exists to read K.
Even the IMSI is often locked or accessible only under strict conditions.

2.2 The SIM enforces “No Read” access for key material

The secret key K has No Read permissions:

  • Baseband cannot read K
  • OS cannot read K
  • A rooted Android cannot read K
  • Even the operator cannot remotely read K
  • Even physical chip probing cannot read K (due to tamper resistance)
     

This is intentional.

The SIM only performs operations using the key internally, such as generating RES, RES*, SUCI, but never releases the key.

2.3 Authentication happens inside the SIM

When the network challenges the device:

  • The SIM receives RAND
  • UE sends the challenge to SIM via APDU
  • SIM computes:
    • RES/RES*
    • CK (cipher key)
    • IK (integrity key)
  • Only derived values are returned
  • The secret key never leaves the SIM
     

Thus—even if you root the phone—the key never enters main memory.

3. Why Root Cannot Access IMSI/K: The Security Layers

SIM security depends on three layers of protection:

3.1 Physical Separation

A SIM is a physically separate chip, isolated from:

  • CPU
  • GPU
  • Baseband RAM
  • Android OS
  • Linux kernel
     

Root access only affects the OS, not external hardware.

This is the same protection model used in:

  • credit cards
  • banking tokens
  • passports
     

3.2 Logical Interface Restriction — APDU Commands

The phone communicates with SIM using APDU commands over ISO 7816 protocol.

The command set does not include any instruction to read secret data.

APDU allows:

  • READ BINARY (restricted files only)
  • RUN GSM ALGORITHM (authentication in SIM)
  • GET RESPONSE
  • SELECT FILE
     

IMSI might be readable only if SIM policy allows it.

K is NEVER readable.
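To make sections 2.1 and 3.2 concrete, here is an added example (not code from the original article or from any card vendor) that models the terminal-to-card exchange: the real EF_IMSI file id (6F07), the real EF_IMSI BCD coding from TS 31.102, and the ISO 7816 instruction bytes for SELECT, VERIFY and READ BINARY, talked to by a constructed mock card that enforces the access rules the article describes. The mock card class, its PIN and IMSI values, and the `read_imsi` helper are all constructed for illustration; the point to notice is that K exists only as a private field with no file id and no instruction that returns it, so the only observable outcomes are status words.

```python
from dataclasses import dataclass
from typing import Optional

# --- EF_IMSI coding (TS 31.102 clause 4.2.2): a length byte, then BCD digits;
# the low nibble of the first digit byte carries the odd/even parity flag ---

def encode_ef_imsi(imsi: str) -> bytes:
    digits = [int(c) for c in imsi]
    odd = len(digits) % 2 == 1
    first = (digits[0] << 4) | (0b1000 if odd else 0) | 0b0001
    rest = digits[1:] + ([0xF] if not odd else [])      # pad to an even count with F
    body = bytes([first]) + bytes((rest[i + 1] << 4) | rest[i] for i in range(0, len(rest), 2))
    return bytes([len(body)]) + body


def decode_ef_imsi(raw: bytes) -> str:
    body = raw[1:1 + raw[0]]
    odd = bool(body[0] & 0x08)
    nibbles = [body[0] >> 4]
    for b in body[1:]:
        nibbles += [b & 0x0F, b >> 4]
    if not odd:
        nibbles.pop()                                    # drop the F filler nibble
    return "".join(str(n) for n in nibbles)


# --- APDU builders (ISO 7816-4 / TS 102 221 coding) ---
INS_SELECT, INS_VERIFY, INS_READ_BINARY = 0xA4, 0x20, 0xB0
EF_IMSI = 0x6F07

def apdu_select(fid: int) -> bytes:
    return bytes([0x00, INS_SELECT, 0x00, 0x0C, 0x02]) + fid.to_bytes(2, "big")

def apdu_verify_pin(pin: str) -> bytes:
    return bytes([0x00, INS_VERIFY, 0x00, 0x01, 0x08]) + pin.encode().ljust(8, b"\xff")

def apdu_read_binary(length: int) -> bytes:
    return bytes([0x00, INS_READ_BINARY, 0x00, 0x00, length])


@dataclass
class Ef:
    data: bytes
    read_needs_pin1: bool


class MockUicc:
    """Constructed card model. Note what is absent: K has no file id and no instruction."""

    def __init__(self, imsi: str, pin1: str, k: bytes) -> None:
        self._files = {EF_IMSI: Ef(encode_ef_imsi(imsi), read_needs_pin1=True)}
        self._pin1, self._tries, self._pin_ok = pin1, 3, False
        self._selected = None
        self.__k = k    # internal key storage: not a file, never part of a response

    def transmit(self, apdu: bytes):
        """Returns (response data, status word)."""
        ins = apdu[1]
        if ins == INS_SELECT:
            fid = int.from_bytes(apdu[5:7], "big")
            self._selected = fid if fid in self._files else None
            return b"", 0x9000 if self._selected is not None else 0x6A82  # file not found
        if ins == INS_VERIFY:
            if self._tries == 0:
                return b"", 0x6983                             # PIN blocked
            if apdu[5:13].rstrip(b"\xff") == self._pin1.encode():
                self._pin_ok = True
                return b"", 0x9000
            self._tries -= 1
            return b"", 0x63C0 | self._tries                   # wrong PIN, retries left
        if ins == INS_READ_BINARY:
            if self._selected is None:
                return b"", 0x6986                             # no EF selected
            ef = self._files[self._selected]
            if ef.read_needs_pin1 and not self._pin_ok:
                return b"", 0x6982                             # security status not satisfied
            offset, le = (apdu[2] << 8) | apdu[3], apdu[4] or 256
            return ef.data[offset:offset + le], 0x9000
        return b"", 0x6D00                                     # INS not supported


def read_imsi(card: MockUicc, pin1: Optional[str] = None):
    """Terminal-side procedure; returns the IMSI string or the failing status word."""
    if pin1 is not None:
        _, sw = card.transmit(apdu_verify_pin(pin1))
        if sw != 0x9000:
            return sw
    _, sw = card.transmit(apdu_select(EF_IMSI))
    if sw != 0x9000:
        return sw
    data, sw = card.transmit(apdu_read_binary(9))
    return decode_ef_imsi(data) if sw == 0x9000 else sw


if __name__ == "__main__":
    card = MockUicc("001010123456789", "1234", bytes(16))   # constructed test-PLMN IMSI
    print(hex(read_imsi(card)))            # 0x6982: EF_IMSI read refused without PIN1
    print(read_imsi(card, "1234"))         # 001010123456789 once the access rule is met
```

The status words are the real ISO 7816-4 values a card returns (6982 security status not satisfied, 6A82 file not found, 63Cx wrong PIN with x retries left); what differs per card is the access rule attached to EF_IMSI, which is why the article says the IMSI is readable only if SIM policy allows it.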

3.3 Baseband → SIM → OS Access Hierarchy

The flow is:

Android Apps (root)  
       ↓
Android Framework  
       ↓
Radio Interface Layer (RIL)  
       ↓
Baseband Firmware  
       ↓
UICC (SIM Secure Microcontroller)

Rooted apps only reach the Android level.
They cannot bypass baseband firmware to send arbitrary low-level APDU commands.

Baseband vendors lock down:

  • command sets
  • allowed APDUs
  • SIM I/O protections
     

You cannot send “read IMSI” or “read K” APDUs unless allowed.

4. Why Only Baseband Has Access to SIM

4.1 Baseband is a privileged processor

Its privileges include the ability to:

  • talk directly to the SIM I/O line
  • issue APDU commands
  • manage radio stack
  • handle NAS/RRC protocols
  • perform authentication handshake
     

Baseband firmware is:

  • signed
  • secure-boot protected
  • not modifiable without exploits
     

Even if rooted:

  • Apps cannot patch baseband
  • Apps cannot directly send APDUs to SIM
  • Apps cannot snoop the SIM I/O buffers (protected by TrustZone / secure island)
     

4.2 TrustZone/Secure Enclave Enforces Separation

Modern phones use:

  • ARM TrustZone
  • Qualcomm Secure Execution Environment (QSEE)
  • Apple Secure Enclave
     

Inside these, IMSI/K and authentication data flow through secure memory that the OS cannot access.

Even if the Linux kernel is compromised, TrustZone still isolates:

  • SIM APDUs
  • Key material
  • Baseband–SIM messages
     

5. Why You Cannot Copy or Clone a SIM

Reasons:

  • Secret key K cannot be extracted
  • Challenge–response authentication requires K
  • Crypto hardware prevents faults
  • SIM OS prevents read access
  • Tamper mesh detects probing
  • Cloning attempts produce incorrect RES/RES* responses
  • Even IMSI cannot be reliably read on modern SIMs (protected EF-IMSI)
     

This makes SIM cards effectively unclonable.
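The challenge–response flow of section 2.3 and the cloning argument of section 5 can both be seen in one runnable model. This is an added example, not code from the original article or from 3GPP: the home network and the USIM each hold K, the USIM checks AUTN and returns only RES, CK and IK, and the ME derives RES* from CK||IK exactly as TS 33.501 Annex A.4 specifies. One deliberate substitution is labelled in the code: the MILENAGE f1..f5 functions are replaced by an HMAC-SHA256 PRF so the model runs on the standard library alone. K, the serving network name and the "clone" with a guessed key are all constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: not real operator data.
SAMPLE_K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
SAMPLE_SNN = b"5G:mnc001.mcc001.3gppnetwork.org"   # serving network name, test PLMN 001-01


def _f(k: bytes, tag: bytes, data: bytes, n: int) -> bytes:
    """Keyed PRF standing in for the MILENAGE f1..f5 functions.
    Assumption: a real USIM runs MILENAGE or TUAK (AES/Keccak with the operator
    constant OPc); HMAC-SHA256 is used here only so the model needs no extra
    library. The property being shown (K never leaves the card) is unchanged."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def res_star(ck: bytes, ik: bytes, snn: bytes, rand: bytes, res: bytes) -> bytes:
    """RES* derivation as in TS 33.501 Annex A.4: the ME computes
    HMAC-SHA256(CK||IK, 0x6B || SNN || L0 || RAND || L1 || RES || L2)
    and keeps the 128 least significant bits."""
    s = (b"\x6b" + snn + len(snn).to_bytes(2, "big")
         + rand + (16).to_bytes(2, "big")
         + res + len(res).to_bytes(2, "big"))
    return hmac.new(ck + ik, s, hashlib.sha256).digest()[16:]


class Usim:
    """The card: holds K, answers AUTHENTICATE, never returns K.
    (Python attribute privacy is only a convention; on a real UICC the
    enforcement is the card OS and the chip's memory firewall.)"""

    def __init__(self, k: bytes, verify_network: bool = True) -> None:
        self.__k = k
        self._verify_network = verify_network   # False models a blind clone
        self._sqn_highest = -1                   # replay state kept in EEPROM

    def authenticate(self, rand: bytes, autn: bytes) -> dict:
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        ak = _f(self.__k, b"f5", rand, 6)
        sqn = _xor(sqn_xor_ak, ak)
        if self._verify_network:
            if not hmac.compare_digest(mac, _f(self.__k, b"f1", sqn + amf + rand, 8)):
                raise PermissionError("MAC failure")               # network not authenticated
            if int.from_bytes(sqn, "big") <= self._sqn_highest:
                raise PermissionError("synchronisation failure")   # replayed AUTN
            self._sqn_highest = int.from_bytes(sqn, "big")
        # Only derived values cross the APDU interface.
        return {"RES": _f(self.__k, b"f2", rand, 8),
                "CK": _f(self.__k, b"f3", rand, 16),
                "IK": _f(self.__k, b"f4", rand, 16)}


class HomeNetwork:
    """UDM/ARPF side: the only other holder of K, producing 5G AKA vectors."""

    def __init__(self, k: bytes, snn: bytes) -> None:
        self.__k, self._snn, self._sqn = k, snn, 0

    def authentication_vector(self):
        self._sqn += 1
        rand = secrets.token_bytes(16)
        sqn, amf = self._sqn.to_bytes(6, "big"), b"\x80\x00"
        mac = _f(self.__k, b"f1", sqn + amf + rand, 8)
        ak = _f(self.__k, b"f5", rand, 6)
        xres = _f(self.__k, b"f2", rand, 8)
        ck, ik = _f(self.__k, b"f3", rand, 16), _f(self.__k, b"f4", rand, 16)
        autn = _xor(sqn, ak) + amf + mac
        return rand, autn, res_star(ck, ik, self._snn, rand, xres)   # (RAND, AUTN, XRES*)


def run_5g_aka(home: HomeNetwork, usim: Usim, snn: bytes, replay=None) -> str:
    """One authentication run; returns the outcome as the network sees it.
    Pass a previously issued vector as `replay` to re-send an old challenge."""
    rand, autn, xres_star = replay or home.authentication_vector()
    try:
        out = usim.authenticate(rand, autn)
    except PermissionError as exc:
        return f"rejected by USIM: {exc}"
    if hmac.compare_digest(res_star(out["CK"], out["IK"], snn, rand, out["RES"]), xres_star):
        return "success"
    return "RES* mismatch"


if __name__ == "__main__":
    home = HomeNetwork(SAMPLE_K, SAMPLE_SNN)
    print(run_5g_aka(home, Usim(SAMPLE_K), SAMPLE_SNN))          # success
    clone = Usim(bytes(16), verify_network=False)                # guessed K, answers blindly
    print(run_5g_aka(home, clone, SAMPLE_SNN))                   # RES* mismatch
```

Three outcomes matter: a genuine card succeeds; a card with a guessed K either refuses the challenge (MAC failure) or, if it answers anyway, produces a RES* the network cannot match; and replaying an old RAND/AUTN to the genuine card is refused on the sequence-number check, which is the card-side state that the EEPROM counters in section 1 hold.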

6. eSIM Security: Even More Locked Down

eSIM = embedded UICC (eUICC), soldered into the device.

Security improvements:

  • Cannot be physically removed or probed
  • Profile provisioning is encrypted end-to-end
  • Secure hardware inside phone, isolated from OS
  • Keys stored in secure element
  • Same SIM file system rules (IMSI and K inaccessible)
     

eSIM strengthens the separation between OS and SIM.

7. What You Can Read (With Root)

Root allows:

  • Reading software-level profiles (APN, PLMN settings)
  • Reading IMEI (device identity)
  • Reading TMSI/temporary identities in memory
  • Monitoring RRC/NAS messages
     

BUT:

  • IMSI is often encrypted as SUCI
  • Secret key K remains unreachable
  • Baseband–SIM I/O path is not exposed
     

8. Attack Models and Why They Fail

8.1 MITM Apps?

Apps cannot intercept SIM authentication because:

  • APDUs channeled through protected drivers
  • TrustZone prevents sniffing
  • Baseband is sandboxed
     

8.2 Root-level malware?

Cannot read SIM files, because:

  • SIM file system is not mapped into system memory
  • All crypto happens internally
     

8.3 Physical Chip Reading?

SIMs have:

  • epoxy layers
  • tamper mesh
  • fuse booby traps
  • voltage glitch detectors
     

Even probing can destroy key storage.

8.4 Baseband Exploits?

These are rare, extremely complex, and usually patched quickly.

9. Summary: Why You Can’t Read or Copy IMSI/K Even With Root

  • SIM = secure microcontroller
  • Key K never leaves hardware
  • IMSI protected via SUCI or read restrictions
  • APDU command sets prohibit reading secrets
  • Baseband is sandboxed and protected
  • TrustZone enforces isolation
  • eSIM increases tamper resistance
  • Physical attacks are impractical
  • Crypto challenge–response prevents cloning
     

Even with full root privileges, the OS cannot breach the hardware-level protections of the SIM.

Conclusion

A SIM card is one of the most secure consumer microcontrollers ever shipped. Its architecture is designed to:

  • Hide permanent identities (IMSI/SUPI)
  • Protect secret authentication keys
  • Safeguard the challenge–response process
  • Prevent duplication or extraction
     

This hardware–software isolation ensures that your mobile identity remains secure, your traffic encrypted, and your network access controlled—even if your smartphone’s OS is compromised.

Copyright © 2025 NR5G - All Rights Reserved.
