FreeCalypso > hg > fc-sim-tools
annotate doc/GrcardSIM1-notes @ 93:6041c601304d
fcsim1-mkprov: revert OTA key addition
It appears that GrcardSIM2 cards (which is what we got for FCSIM1)
do not support OTA after all, contrary to what we were previously
led to believe by some tech support emails from Grcard - apparently
those support emails and OTA descriptions referred to some other
card model(s).
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Wed, 21 Apr 2021 05:38:39 +0000 |
| parents | 9de2d8b8951d |
| children |
| rev | line source |
|---|---|
|
72
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
1 As of A.D. 2021, the GSM-only SIM card model (as opposed to USIM/ISIM for LTE/5G |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
2 users) sold by Grcard company is the one which we call GrcardSIM2 - our current |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
3 FCSIM1 cards are GrcardSIM2, and this card model goes back to some time around |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
4 2013, when it was sold by Sysmocom as sysmoSIM-GR2. However, if we go back in |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
5 time a little further to around 2011, Grcard had an earlier card model which we |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
6 call GrcardSIM1 - it was sold by Sysmocom as sysmoSIM-GR1. In the present day |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
7 these original GrcardSIM1 cards are extremely scarce: Mother Mychaela got one |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
8 card from Das Signal, there may be one or two other people on the planet who |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
9 have one or two cards, but that's it - an extreme rarity. |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
10 |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
11 These GrcardSIM1 cards have one and only one special feature that makes them |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
12 interesting: supposedly they are freely reformattable, meaning that any |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
13 individual card owner can completely erase the card file system and then |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
14 recreate an entirely new one according to her liking: see our |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
15 Formatting-thoughts article. However, I said "supposedly" in the previous |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
16 sentence, referring to GrcardSIM1 free reformatting ability, because the extreme |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
17 scarcity makes it too difficult to test this ability: I (Mother Mychaela) have |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
18 only one card to play with, I am not too keen on the idea of possibly bricking |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
19 this card via incorrectly-guessed formatting commands, and there does not seem |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
20 to be much point in developing formatting tools for a card model that is no |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
21 longer available. |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
22 |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
23 Aside from their unique reformatting feature, GrcardSIM1 cards have two very |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
24 notable defects compared to current GrcardSIM2 or FCSIM1: |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
25 |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
26 * GrcardSIM1 cards have a broken security model in that grcard1-set-pin1, |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
27 grcard1-set-pin2, grcard1-set-adm1 and grcard1-set-adm2 commands (or rather |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
28 the actual command APDUs sent by these fc-simtool commands) are completely |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
29 unauthenticated, meaning that all PIN security is trivially bypassable: you |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
30 can take a PIN-locked card for which you don't know the PIN, you can reset |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
31 its PIN with grcard1-set-pin1, and bingo, you have access to all private data |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
32 and the GSM authentication token which the hapless owner sought to protect |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
33 with their PIN. The same goes for ADM access: if someone set the card's ADM2 |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
34 key to some unknown secret, you can reset it back to the pySim default of |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
35 4444444444444444 with grcard1-set-adm2 and give yourself full admin write |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
36 access, without ever knowing the previous key. |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
37 |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
38 * GrcardSIM2 (FCSIM1) cards support F=512 D=8 speed enhancement (the classic |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
39 SIM speed enhancement specified in GSM 11.11 and supported by classic GSM/2G |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
40 phones), but GrcardSIM1 cards don't support it - hence GR1 cards run in the |
|
5f7377392211
doc/GrcardSIM1-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
41 slowest F=372 D=1 mode. |
|
74
9de2d8b8951d
doc/GrcardSIM1-notes: add note about Ki
Mychaela Falconia <falcon@freecalypso.org>
parents:
72
diff
changeset
|
42 |
|
9de2d8b8951d
doc/GrcardSIM1-notes: add note about Ki
Mychaela Falconia <falcon@freecalypso.org>
parents:
72
diff
changeset
|
43 The only datum on GrcardSIM1 cards which appears to be secure against reading |
|
9de2d8b8951d
doc/GrcardSIM1-notes: add note about Ki
Mychaela Falconia <falcon@freecalypso.org>
parents:
72
diff
changeset
|
44 is Ki. grcard1-set-ki command is unauthenticated like the other grcard1-set-*, |
|
9de2d8b8951d
doc/GrcardSIM1-notes: add note about Ki
Mychaela Falconia <falcon@freecalypso.org>
parents:
72
diff
changeset
|
45 thus anyone can overwrite Ki with their own, but it is a write-only datum on |
|
9de2d8b8951d
doc/GrcardSIM1-notes: add note about Ki
Mychaela Falconia <falcon@freecalypso.org>
parents:
72
diff
changeset
|
46 this card model: it does not appear in the file system, and there is no command |
|
9de2d8b8951d
doc/GrcardSIM1-notes: add note about Ki
Mychaela Falconia <falcon@freecalypso.org>
parents:
72
diff
changeset
|
47 for reading Ki. Contrast with GrcardSIM2, sysmoUSIM-SJS1 and sysmoISIM-SJA2 |
|
9de2d8b8951d
doc/GrcardSIM1-notes: add note about Ki
Mychaela Falconia <falcon@freecalypso.org>
parents:
72
diff
changeset
|
48 cards: all of these cards store their Ki in a special file in their file system, |
|
9de2d8b8951d
doc/GrcardSIM1-notes: add note about Ki
Mychaela Falconia <falcon@freecalypso.org>
parents:
72
diff
changeset
|
49 but this file requires ADM access (SUPER ADM on GrcardSIM2, ADM1 on Sysmocom |
|
9de2d8b8951d
doc/GrcardSIM1-notes: add note about Ki
Mychaela Falconia <falcon@freecalypso.org>
parents:
72
diff
changeset
|
50 cards) for both reading and writing. |