view doc/User-oriented-commands @ 186:c925f7808285

doc/GrcardSIM2-security-model article written
author Mychaela Falconia <falcon@freecalypso.org>
date Sat, 06 Mar 2021 20:59:23 +0000
parents 5494795406e0
children
line wrap: on
line source

This document describes those commands and functions of fc-simtool which can be
exercised by end users on any regular operator-issued SIM, without requiring a
special programmable SIM with admin privileges.  The Mother's plans for future
development include a companion fc-simint utility that will operate on SIM cards
inside Calypso phones; the intent is that all of the end-user-oriented commands
of fc-simtool described in this document will also be replicated in fc-simint.

Understanding SIM PIN1
======================

Every standard SIM card has a secret code called PIN1; this secret code can be
anywhere between 4 and 8 digits in length, with 4-digit PINs being most common.
In terms of persistent non-volatile state, SIM PIN1 can be enabled or disabled.
When SIM PIN1 is disabled, all regular functions of the card are enabled, as in
being able to power up the phone with the SIM in it and connect to the GSM
network with your subscriber identity, and being able to read and write SIM user
data content like phonebooks and stored messages - all of these functions are
enabled from the moment you turn on the phone with the SIM in it (or power the
SIM up by itself in a smart card "reader" driven by fc-simtool), without the
user ever being asked for a PIN, such that you can forget that the PIN even
exists - this situation in very common nowadays.  But when SIM PIN1 is enabled,
the smart chip in the SIM will not allow you access to any of the data stored
on the card and will not allow any GSM authentication operations until and
unless you send the correct PIN to the SIM in the VERIFY CHV command.

If you forgot your PIN1, the only way to reset it is to enter another secret
code (always 8 digits in length) called PUK1.  If the SIM is made according to
standards, then its PUK1 is set to a random number during either physical
manufacturing or administrative programming of the card and then remains
unchangeable afterward.  Therefore, in an ideal world if someone forgot their
PIN1 and don't have their PUK1 either, they should be able to obtain PUK1 from
the cellular operator who issued the SIM - but whether or not today's operators
will actually help such hapless users (without forcing them to get a new SIM)
is another question altogether.  PUK1 is often printed on the big (credit-card-
sized) plastic piece on which SIM cards are initially delivered - but it doesn't
help if you originally got your SIM many ages ago and no longer have that
souvenir plastic piece.

The standard protocol for communicating with SIM cards provides 5 special
commands that are dedicated to working with PIN1, and so does fc-simtool:

verify-pin1 XXXX

This command tells the SIM that you are attempting to prove knowledge
of PIN1, presenting a string of digits.  If the PIN digits you specify match
the PIN1 secret code stored inside the SIM, the card unlocks access to its
primary functions.  If the digits you send are wrong, the SIM decrements its
non-volatile attempt counter, giving you a total of 3 attempts (irrespective of
card power-downs between attempts) to enter the correct PIN.  If PIN1 is entered
incorrectly 3 times in a row, this PIN is blocked, and the only way to unblock
it is via PUK1.

enable-pin1 XXXX

This command changes the non-volatile state of the PIN1 enable/disable flag,
such that from now on the SIM will require PIN1 to be provided on every card
power-up before it will allow GSM authentication and access to user data.  The
enable-pin1 operation itself requires correct PIN1 digits to be provided.

disable-pin1 XXXX

This command changes the non-volatile state of the PIN1 enable/disable flag,
such that from now on the SIM will NOT require PIN1 to be provided on every
card power-up, and will instead be live immediately without needing proof of
card owner's identity.  The disable-pin1 operation itself requires correct PIN1
digits to be provided.

change-pin1 old-PIN new-PIN

This command tells the SIM that you wish to change PIN1 secret code to some new
digits.  Knowledge of the old PIN1 is required for this operation to succeed.

unblock-pin1 PUK1-secret-code new-PIN1

This command tells the SIM that you are attempting to prove knowledge
of PUK1 and to set new PIN1.  If PUK1 is given correctly, the new PIN1 will be
set.  If you enter wrong PUK1, the SIM decrements its non-volatile attempt
counter, giving you a total of 10 attempts (irrespective of card power-downs
between attempts) to enter the correct code.  If PUK1 is entered incorrectly 10
times in a row, it is blocked and the card should be considered bricked beyond
recovery.

Understanding SIM PIN2
======================

GSM standards provide support for a very rarely used feature that works in the
spirit of "parental controls": if you authenticate to the SIM with PIN2 secret
code (which has to be different from PIN1 for meaningful security), you can
edit a SIM-resident list of so-called Fixed Dialing Numbers (FDN), and then all
standard phones that implement this feature per the spec will refuse to allow
ordinary users (authenticated with PIN1 or with no PIN at all) to call any
numbers other than those programmed in FDN.

This whole "parental control" feature is totally silly and is not expected to be
of any practical use, but the whole purpose of fc-simtool is to allow every
feature of SIM cards to be exercised, hence we provide the necessary support.
The following commands work just like their PIN1 counterparts:

verify-pin2 XXXX
change-pin2 old-PIN new-PIN
unblock-pin2 PUK2-secret-code new-PIN2

Unlike PIN1, PIN2 cannot be disabled per traditional SIM card standards.

Getting basic info from the SIM
===============================

The following commands are available for retrieving basic info from the SIM:

iccid

This command retrieves the ICCID (Integrated Circuit Card ID) record from the
SIM - it is a number of up to 20 digits (although 19-digit ICCIDs are most
common) that identifies the SIM card as a physical artifact.  If your SIM is of
the traditional operator-issued kind, as opposed to a developer-oriented
programmable SIM from vendors like Sysmocom who have different ideas, this ICCID
will usually be the SIM card ID number printed on the physical plastic, along
with a barcode representation of the same number.

imsi

This command retrieves the IMSI (International Mobile Subscriber Identity) from
the SIM - it is the most fundamental ID token by which GSM phones present
themselves to networks, and they even use the first 5 or 6 digits of the IMSI
to decide which network they should try connecting to first.

It should also be noted that if your SIM has FDN (Fixed Dialing Numbers) enabled
and the card implements GSM SIM specs to the letter, including the idiotic
parts, then you will need to issue a rehab-imsi command before you can read the
IMSI record - see the FDN section further in this document.

sst

Every SIM card is required to have an essential data record (an EF in technical
terms) called the SIM Service Table, or SST.  This SST indicates which services
are allocated and activated on the given SIM.  Our sst command lists all
allocated service numbers, listing just a plain number if the service is both
allocated and activated (the usual case), or a number with a '^' suffix if the
service is allocated but not activated.  You will need to look in the 3GPP TS
51.011 spec to make sense of these service numbers.

user-sum

This command displays a user-friendly summary of user-oriented services present
on the SIM.  It reads SST to get the list of available and activated services,
but it considers only user-oriented ones (as opposed to SIM services dealing
with GSM network functions or serving operators' interests rather than users'),
and it displays them in a user-friendly manner.  For each present SIM phonebook
(ADN, FDN, SDN) and for the SMS store, user-sum displays the storage capacity
provided by the SIM (number of phonebook entries or messages), and for each of
the various phonebooks, the allocated number of alpha tag bytes is also
displayed.

The number of bytes allocated for the alpha tag in SIM phonebooks determines
the maximum length of the name field in each phonebook entry.  These name fields
can be written either in GSM7 encoding (GSM 03.38 aka 3GPP 23.038) or in UCS-2;
when GSM7 encoding is used, no SMS-style septet packing is applied - instead the
high bit of each byte is simply cleared.  Therefore, the maximum number of
characters in a phonebook entry name field usually equals the number of bytes
allocated for the alpha tag on the SIM, except for names containing ASCII
characters [\]^ and {|}~ which get expanded to 2-character escape sequences in
GSM7 encoding.

uicc-dir

If your SIM card functions not only as a classic GSM 11.11 SIM, but also as a
UICC with USIM/ISIM or other UICC-based applications, it will have a file named
EF_DIR in its file system, listing those applications.  fc-simtool uicc-dir
command dumps the content of this file in a human-readable form - but please
note that fc-simtool only speaks the classic GSM 11.11 protocol to the SIM, and
not the UICC protocol.  EF_DIR does not officially exist in the classic GSM SIM
spec, hence the dir command in fc-uicc-tool (speaking the UICC protocol) is the
official way to read and dump the content of EF_DIR.

Manipulating SIM phonebooks
===========================

GSM SIM specs allow for several different phonebooks to be present on the card:

* ADN (Abbreviated Dialing Numbers) is the main SIM phonebook.  Each SIM card
  issuer decides how much storage space they allocate to ADN (how many records);
  the SIM spec maximum is 254 records, and many issuers' SIMs do provide this
  many records or close to this limit.

* FDN (Fixed Dialing Numbers) is the "parental control" phonebook.  The FDN
  phonebook can only be written to after authenticating with PIN2, and when it
  is enabled (enabling FDN is done by "invalidating" ADN, an operation which
  also requires PIN2), spec-compliant phones allow only numbers in FDN to be
  called.

* SDN (Service Dialing Numbers) is a service-provider-controlled phonebook: it
  can only be written if you have special admin privileges (ADM authentication
  method is card-vendor-dependent), and it is read-only to ordinary users.

* MBDN (Mailbox Dialing Numbers) is a late addition to GSM SIM specs - it is a
  special phonebook that stores the number for Voice Mail and other related
  esoteric services.

* MSISDN is a phonebook-like file that stores the subscriber's own phone
  number(s).  Most classic GSM phones have a menu command for showing your own
  number, usually called "My number" or something like that; this menu command
  displays the first record stored in the MSISDN phonebook.  Most network
  operators update this MSISDN record over the air (using special SMS-encoded
  commands) when you activate service or get a new phone number without changing
  your SIM, but this MSISDN store in the SIM also has some interesting
  properties:

  + Per the spec the MSISDN phonebook is writable by ordinary users, not just
    admins, and the Mother's experience with real T-Mobile SIMs is that they do
    indeed allow the user to write anything into MSISDN.

  + Most SIM card issuers allocate multiple records for MSISDN, not just one.
    It is not clear if ordinary end user phones would do anything useful with
    the extra records if one were to write something there.

fc-simtool provides a unified set of commands and data formats for working with
all SIM phonebooks: all pb-* commands take the name of the phonebook to be
operated on as their first argument.  The following commands are available:

pb-dump PBNAME

This command dumps the full content of the selected phonebook on the terminal.
The data format for representing SIM phonebook content in UNIX-based text files
and dumps is described in the SIM-data-formats document in the freecalypso-docs
repository.

pb-dump PBNAME > outfile

This form of the pb-dump command dumps the full content of the selected
phonebook, but saves it in the named file instead of sending it to the terminal.
This form is ideal for making backups of large SIM phonebooks.

pb-dump-rec PBNAME rec

This command dumps a single record from a potentially large phonebook.

pb-dump-rec PBNAME start-rec end-rec

This command dumps the specified range of records from a potentially large
phonebook.

pb-restore PBNAME filename

This command reads a phonebook data file in the format described in the
SIM-data-formats document and uploads it into the named SIM phonebook.  Every
record in the SIM phonebook is overwritten with an UPDATE RECORD command; those
record indices which do not appear in the data file being restored get blank
records (0xFF in every byte) written into them.

pb-update PBNAME filename

This command reads a phonebook data file in the format described in the
SIM-data-formats document and uploads it into the named SIM phonebook, writing
only those record indices which appear in the data file - each record from the
data file gets written into the SIM with an UPDATE RECORD command, while all
other record locations remain untouched.

pb-update-imm PBNAME rec phone-number [alpha-tag]

This command writes a single phonebook entry directly from the command line,
without going through a data file.  The specific record index to write into must
always be specified (there is no built-in "find first empty record" function),
and the entry format for both the phone number and the alpha tag is more relaxed
compared to the very strict format required in data files:

* The phone number can begin with a '+' character for international format;

* The comma-separated TON/NPI byte is optional and will usually be omitted in
  ordinary usage - this byte will default to 0x91 if the number begins with '+'
  or to 0x81 otherwise;

* Double-quotes around the alpha tag argument are required only if it contains
  spaces or other problematic characters, and can be omitted otherwise;

* If the alpha tag is empty, the last argument can be omitted altogether.

pb-update-imm-hex PBNAME rec phone-number alpha-tag-hex

This command is like pb-update-imm, but the alpha tag argument (required for
this command) is given in hex - intended for creating phonebook entries with
UCS-2 alpha tags.

pb-erase PBNAME

This command fully erases the named phonebook.

pb-erase-one PBNAME rec

This command erases the specified individual record in the named phonebook.

pb-erase-range PBNAME start-rec end-rec

This command erases the specified range of records in the named phonebook.  The
starting record must be identified by number (SIM record numbers are 1-based);
the ending record argument may be either a number or the "end" keyword.

Enabling and disabling FDN
==========================

The Fixed Dialing Numbers (FDN) mechanism is normally disabled.  The protocol
prescribed by GSM SIM specs is that FDN is enabled when the regular ADN
phonebook is invalidated, and is disabled (unrestricted dialing allowed)
otherwise.  fc-simtool provides commands for invalidating and rehabilitating
ADN, thereby enabling and disabling FDN:

inval-adn

This command invalidates ADN and thereby enables FDN.

rehab-adn

This command rehabilitates ADN and thereby disables FDN.

The SIM will only allow inval-adn and rehab-adn operations after you have
successfully authenticated with PIN2 - see verify-pin2 command description.

GSM SIM specs also stipulate a certain hack to prevent FDN-ignorant phones from
making "forbidden" unrestricted calls: the specs stipulate that when a SIM
powers up in an FDN-enabled state (ADN is invalidated), the "smart" logic in
the SIM invalidates two essential files EF_IMSI and EF_LOCI (needed for GSM
operation), requiring the phone (ME) to rehabilitate these two files at the
beginning of every SIM session when FDN is in use.  The thinking must have been
that if a given ME knows how to do these extra rehab-imsi, rehab-loci steps,
then it also knows about FDN and will honor it.  Our answer: OK, whatever - but
we do provide rehab-imsi and rehab-loci commands in fc-simtool.  These
operations require only CHV1 access, thus PIN1 or no PIN at all depending on
whether or not PIN1 is enabled - no need for PIN2.

Last Number Dialed (LND)
========================

Traditional SIMs include a cyclic file that is intended to be updated whenever
an outgoing call is dialed - but it is up to individual phone designs whether
they actually update this LND cyclic store or not.  This SIM LND store has the
same record format as phonebooks, carrying only phone numbers and optional alpha
tags - there are no fields for date & time, call duration or status as in call
answered or not.  Because of the limitations of this SIM LND store, most phone
designs do not use it, and instead go with their own implementation of call
history lists.

Because this LND store is a cyclic file, not linear fixed like phonebooks, it
does not allow random access writes: it allows random access reads like all
regular record-based files, but the only write operation allowed by the SIM
interface protocol and the SIM file system architecture is writing a new record
that becomes the new #1, shifting all previous records down and losing the
oldest one.  Because of this write access limitation, we do not provide the same
set of operations on LND as for regular phonebooks - but we still provide good
tinkering ability.  The following commands are available:

lnd-dump

This command dumps the content of the LND store on the terminal, in the same
format as pb-dump for regular phonebooks.

If you have had your SIM for a very long time, having used it in different
phones with different firmwares, it may be interesting to look at the output of
lnd-dump - you may have LND records that were generated ages ago by other
phones if your current one does not write into SIM LND.

lnd-dump > outfile

This form of the lnd-dump command produces the same dump format, but saves it
in the named file instead of sending it to the terminal.

lnd-restore filename

This command reads the named phonebook data file (presumably written previously
with lnd-dump) and writes it into EF_LND on the SIM.  This command works by
first constructing a full binary image of the desired EF_LND content, then
writing every record in the reverse order from the last index to the first.

lnd-write phone-number [alpha-tag]

This command writes a new record into the LND cyclic store just like a standard
phone would do when making a record of a new outgoing call.  The two arguments
(one required and one optional) are the same as for pb-update-imm.

lnd-erase

This command erases the EF_LND cyclic store, making it appear as if no outgoing
calls have ever been recorded.  It works by writing a blank record (0xFF in
every byte) N times, where N is the size of the cyclic store in records.

Manipulating stored SMS
=======================

The fundamental operating model of all message stores for SMS (whether SIM or
phone-based) is that received messages accumulate (and possibly sent ones too,
if they are stored in this manner), the limited available memory fills up, and
then the user needs to clean out the accumulated messages, preferably also
archiving them by transferring to a larger computer for longer-term storage.
Given this fundamental operating model, we only need to provide commands for
dumping the content of the message store and for cleaning it out - there is no
real need to implement commands for writing messages into the store.

The extent of special support for the SIM SMS store in fc-simtool is rather
minimal because it just so happened that we already have external tools that do
a major part of the work.  Some phone firmwares, particularly that of the
Pirelli DP-L10 phone currently used by the Mother, implement their on-the-phone
SMS storage by way of a file in their local flash file system whose binary
format just happens to be exactly the same as the binary format of SIM-based
EF_SMS if all 176-byte records are simply abutted together in the host-based
binary representation.  A few release cycles ago we added a new utility named
pcm-sms-decode to our FreeCalypso host tools suite; this utility reads a binary
file in this "EF_SMS records concat" format and performs the quite involved job
of fully decoding all messages into human-readable form.  Given that we have
this external pcm-sms-decode utility, all we need to do in fc-simtool is save
all records of EF_SMS into a single concatenated binary file, and let
pcm-sms-decode do the rest.

Our dedicated commands for working with the SIM SMS store are as follows:

save-sms-bin host-filename

This command saves the full content of EF_SMS in the named file in the host file
system in binary format, suitable for further decoding with pcm-sms-decode.

sms-erase-all

This command erases every record entry in EF_SMS.

sms-erase-one rec

This command erases the specified individual record in EF_SMS.

sms-erase-range start-rec end-rec

This command erases the specified range of records in EF_SMS.  The starting
record must be identified by number (SIM record numbers are 1-based); the
ending record argument may be either a number or the "end" keyword.

Manipulating SMS parameters
===========================

SIM cards have an SMS parameter store in the form of record-based file EF_SMSP.
Its most essential function is to specify the Service Centre Address for
outgoing SMS, but it can also be put to a few other uses:

* The primary SMSP record that gives the SC address also typically includes PID
  and DCS parameters.  The only sensible settings that can function as a
  general-purpose default are PID=0x00 and DCS=0x00, but some SIMs have been
  seen in the field that set bogus PID and DCS via their SMSP.  It appears that
  most end user phones ignore these settings, and they have no effect when
  outgoing SMS are submitted to an AT command modem in PDU mode, but these
  settings do affect our TI-based AT command modem in text mode - if they are
  bogus on the SIM, they need to be fixed, either with fc-simtool or in the
  actual AT modem session with AT+CSMP.

* The same primary SMSP record can also specify a default validity period in
  one-byte relative VP format.

* Just like the situation with MSISDN, even though only the first record of
  EF_SMSP is used in practice, most SIM issuers allocate room for a few records.
  These extra SMSP records are almost always blank,

fc-simtool provides the following commands for working with EF_SMSP:

smsp-dump

This command dumps the full content of EF_SMSP (all records) on the terminal,
using a lossless text-based format similar to the one we use for phonebooks.
To illustrate our smsp format by way of examples, here is the output of
smsp-dump from old T-Mobile USA SIMs that have classic GSM 11.11 SIM
functionality:

#1: SC=12063130004,0x91 PID=0x00 DCS=0x00 "T-Mobile"
#2: ""
#3: ""
#4: ""

Here is the output from an Austrian S-Budget Mobile SIM from circa-2017:

#1: SC=4365009000000,0x91 PID=0xFF DCS=0xFF VP=173 ""
#2: ""

As one can see from these examples, T-Mobile allocated 4 records for their
EF_SMSP, whereas S-Budget Mobile allocated only 2 records for theirs.
(Sysmocom webshop SIMs sysmoUSIM-SJS1 and sysmoISIM-SJA2 also have 2 records in
their EF_SMSP.)  Yet only the first record is actually used, and the remaining
ones are blank.  Note that unlike pb-dump, smsp-dump does not skip blank
records: it displays every record (the design rationale is that the total number
of EF_SMSP records is expected to be small), and a blank record is simply one
that has no parameters present and has an empty alpha tag.

The following parameters may be present in each SMSP record, appearing in the
smsp-dump output in the same order in which they appear in the SIM binary
record:

DA=	TP-Destination_Address
SC=	TS-Service_Centre_Address
PID=	TP-Protocol_Identifier
DCS=	TP-Data_Coding_Scheme
VP=	TP-Validity_Period

The phone numbers in DA= and SC= parameters are emitted in the same format as
in pb-dump, PID= and DCS= are emitted in hexadecimal with a 0x prefix, and VP=
is emitted in decimal.  The alpha tag is always emitted at the end of the ASCII
line, just like in pb-dump.

smsp-dump > outfile

This form of the smsp-dump command produces the same dump of EF_SMSP, but saves
it in the named file instead of sending it to the terminal.

smsp-restore filename

This command reads a file written by smsp-dump and writes it back to the SIM.
Both decimal and 0x-prefixed hexadecimal forms are accepted for all 3 of PID=,
DCS= and VP= parameters.

smsp-set rec params

This command writes a single record into SMSP directly from the command line,
without going through a data file.  The record index to write to must be given,
followed by one or more parameters as in DA=, SC=, PID=, DCS= or VP=.  DA= and
SC= phone numbers can be entered in the same relaxed form as in the
pb-update-imm command, and the remaining 3 parameters can be either decimal or
0x-prefixed hexadecimal.  This command leaves the alpha tag field blank.

smsp-set-tag rec alpha-tag params

This command is just like smsp-set, but adds an alpha tag argument.

smsp-erase-all

This command erases every record entry in EF_SMSP.

smsp-erase-one rec

This command erases the specified individual record in EF_SMSP.

smsp-erase-range start-rec end-rec

This command erases the specified range of records in EF_SMSP.  The starting
record must be identified by number (SIM record numbers are 1-based); the
ending record argument may be either a number or the "end" keyword.

Identifying MVNO SIMs
=====================

Many SIMs, particularly those from MVNOs, are programmed by their issuers to
cause phones to display the name of the MVNO or some other party rather than
the standard PLMN name decoded from the connected network's MCC-MNC.  This
"personalization" programming can appear in EF_SPN (old style) or in EF_PNN and
EF_OPL (newer style).  fc-simtool provides commands to display the content of
these SIM files in human-readable form:

spn
pnn-dump
opl-dump

These commands take no arguments, and their human-readable output is not
explained in detail here.  If you need to understand the meaning of various
fields in detail, please refer to 3GPP TS 51.011.