FreeCalypso > hg > fc-sim-tools
comparison doc/Sysmocom-SIM-notes @ 18:da6e9d0b2ee6
data, doc, scripts: import from previous fc-pcsc-tools repo
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Sun, 14 Mar 2021 07:57:09 +0000 |
parents | |
children | b9fc7022f9ac |
comparison
equal
deleted
inserted
replaced
17:372ecc4aa2c4 | 18:da6e9d0b2ee6 |
---|---|
1 The present suite of tools (fc-simtool and fc-uicc-tool) is NOT a good fit for | |
2 programming sysmoUSIM-SJS1 and sysmoISIM-SJA2 cards made by Sysmocom and sold | |
3 in their webshop, because of the following combination of factors: | |
4 | |
5 1) These cards are primarily USIM/ISIM, with classic GSM 11.11 SIM support | |
6 regarded as "backward compatibility" - thus they have a lot of important | |
7 files under ADF.USIM and ADF.ISIM which are not accessible via the classic | |
8 GSM 11.11 SIM protocol. | |
9 | |
10 2) Our main feature-rich tool is fc-simtool, but this tool speaks only the | |
11 classic GSM 11.11 SIM protocol, hence it cannot access any of the USIM/ISIM | |
12 files. | |
13 | |
14 3) We have fc-uicc-tool which speaks the UICC protocol that is native to these | |
15 Sysmocom cards, but it is only a low-level debug tool, not a feature match | |
16 to fc-simtool. | |
17 | |
18 The proper long-term solution for our 2G-centric GSM community is to get our own | |
19 SIMs made, either by paying big bucks to Sysmocom to produce a run of custom | |
20 cards (presumably based on their current SJA2 platform) with USIM and ISIM | |
21 removed, leaving only the file system tree under MF that can be fully | |
22 manipulated via the classic SIM protocol, or preferably by resurrecting the | |
23 older Grcard SIM-only platform if possible - it may take a long time to find out | |
24 if the latter option is possible or not. But in the meantime, if someone needs | |
25 to program a SIM right now, when Sysmocom webshop cards are the only available | |
26 option, we do have limited support for programming these SIMs: | |
27 | |
28 * It is possible to authenticate with the ADM1 key from within fc-simtool on | |
29 both sysmoUSIM-SJS1 and sysmoISIM-SJA2, as explained below. | |
30 | |
31 * Once you have authenticated with ADM1, you can use fc-simtool admin write | |
32 commands (write-imsi, SDN phonebook write operations, manual update-bin-imm | |
33 on various small transparent EFs) just as if you were working with a Grcard | |
34 SIM. | |
35 | |
36 * You can also use fc-uicc-tool to access and program every file on Sysmocom | |
37 cards, including files under ADF.USIM and ADF.ISIM - but in this case you will | |
38 have to do everything manually in raw hex, with a hex data file for every | |
39 update-bin and update-rec command. | |
40 | |
41 Authenticating with ADM1 | |
42 ======================== | |
43 | |
44 The method for sending your ADM1 key to the card varies depending on whether | |
45 you are in an fc-simtool or fc-uicc-tool session, and whether your card is | |
46 sysmoUSIM-SJS1 or sysmoISIM-SJA2. There are 3 possibilities: | |
47 | |
48 * If you are in an fc-uicc-tool session with either type of card, the command | |
49 to authenticate with ADM1 is as follows: | |
50 | |
51 verify-pin 10 xxxxxxxx | |
52 | |
53 where xxxxxxxx are the 8 digits of the ADM1 secret code. There are no | |
54 restrictions as to when this command may be given in an fc-uicc-tool session. | |
55 | |
56 * If you are in an fc-simtool session with sysmoISIM-SJA2, the command becomes: | |
57 | |
58 verify-ext 10 xxxxxxxx | |
59 | |
60 There are no restrictions as to when this command may be given in an | |
61 fc-simtool session. | |
62 | |
63 * If you are in an fc-simtool session with sysmoUSIM-SJS1, the command becomes: | |
64 | |
65 verify-sjs1-adm1 xxxxxxxx | |
66 | |
67 Unlike the other two cases, this command must be issued at the very beginning | |
68 of your fc-simtool session, before any other commands. If you issue this | |
69 command later, after some GSM 11.11 SIM APDUs have already been exchanged, it | |
70 won't work. | |
71 | |
72 Changing the ADM1 PIN | |
73 ===================== | |
74 | |
75 Experiments show that when speaking the UICC protocol to the card, the standard | |
76 CHANGE PIN command does work on ADM1 on both sysmoUSIM-SJS1 and sysmoISIM-SJA2, | |
77 thus you can do the following in fc-uicc-tool: | |
78 | |
79 change-pin 10 old-ADM1 new-ADM1 | |
80 | |
81 However, given that Sysmocom already assigns individual per-card random ADM1 and | |
82 communicates these secret codes securely to webshop customers, there does not | |
83 seem to be any practical need for changing ADM1 further downstream. Thus our | |
84 recommendation is that if you are going to change your ADM1 PIN just to prove | |
85 that you can do it, you should then change it back to the original. | |
86 | |
87 We can only surmise that there probably exist some secret commands that can | |
88 reset PUK1 and PUK2 after you've authenticated with ADM1, but they will probably | |
89 remain forever proprietary to Sysmocom, especially given the lack of any | |
90 practical need for such downstream changing of PUK1/PUK2. | |
91 | |
92 Thoughts on card (re)formatting | |
93 =============================== | |
94 | |
95 ETSI and 3GPP specs give many more degrees of freedom to SIM card issuers than | |
96 just the content of various EFs: the card issuer gets to decide which DFs and | |
97 EFs will be present vs. which ones won't be present at all, and for many EFs | |
98 the size (allocated space) is variable per the specs and up to the card issuer. | |
99 In the case of record-based EFs, both the record size and the number of records | |
100 are often left up to card issuers to tune as desired. | |
101 | |
102 In the Mother's opinion, a truly programmable SIM would be one where every | |
103 downstream owner of each card (not just the initial factory or the party putting | |
104 up big bucks for a large custom production run) can do a full reformat: erase | |
105 the file system and then create whatever tree of DFs and EFs she desires, with | |
106 full control over each file's allocated size, structure and access conditions. | |
107 | |
108 In the case of Sysmocom webshop SIMs, we (FreeCalypso) are not aware of any | |
109 publicly available documents describing how to perform such a reformat - it | |
110 appears that Sysmocom keeps this knowledge proprietary. In contrast, the older | |
111 Grcard-based SIMs had some publicly documented commands for erasing the card | |
112 and creating new directories and files: | |
113 | |
114 https://osmocom.org/projects/cellular-infrastructure/wiki/GrcardSIM | |
115 | |
116 It remains to be seen whether we (FreeCalypso) can get new SIMs from Grcard | |
117 which are also freely formattable. | |
118 | |
119 MSISDN misprogramming on early sysmoUSIM-SJS1 cards | |
120 =================================================== | |
121 | |
122 Referring to the previous section regarding formatting degrees of freedom, | |
123 Sysmocom webshop cards have their EF_MSISDN file allocated as 6 records of 34 | |
124 bytes each. Record length of 34 bytes translates into 20 bytes of alpha tag | |
125 plus the required 14-byte structure at the end of each record. | |
126 | |
127 When Sysmocom made their early sysmoUSIM-SJS1 cards, they intended to program | |
128 the first record of EF_MSISDN as +882110xxxxx, where xxxxx are equal to the last | |
129 5 digits of their 901-70 IMSI and also to the last 5 content digits (before the | |
130 Luhn check digit) of their 8988211 ICCID. A correctly structured EF_MSISDN | |
131 phonebook record with a +882110xxxxx phone number would look like this, for the | |
132 record size of 34 bytes: | |
133 | |
134 00: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | |
135 10: FF FF FF FF 07 91 88 12 01 xx xx Fx FF FF FF FF | |
136 20: FF FF | |
137 | |
138 The first 20 bytes are all FF because that is the space reserved for the alpha | |
139 tag, then the phone number is encoded in 8 bytes as 07 91 88 12 01 xx xx Fx, | |
140 and the rest of the required 14-byte structure is filled with FF bytes. | |
141 However, the actual programming of this MSISDN record on early sysmoUSIM-SJS1 | |
142 cards (at least on the 10-pack I bought in 2017) looks like this: | |
143 | |
144 00: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | |
145 10: FF FF 07 91 88 12 01 xx xx Fx FF FF FF FF FF FF | |
146 20: FF FF | |
147 | |
148 The not-all-FF field of 8 bytes is written into the wrong location, two bytes | |
149 earlier than where it should be. When I saw this misprogramming early in the | |
150 course of developing fc-simtool, I finally understood why the AT+CNUM command | |
151 on a FreeCalypso modem with this SIM inserted reported a 10xxxxx number instead | |
152 of the +882110xxxxx listed in the sysmoUSIM manual. :-) | |
153 | |
154 When I saw this misprogramming, I also added a fix-sysmo-msisdn command to | |
155 fc-simtool: this command checks for this particular misprogramming, and if it | |
156 finds such, it rewrites the MSISDN record with the 8-byte phone number field | |
157 moved to its correct place. However, this fix-sysmo-msisdn command probably | |
158 won't get much use: the factory-programmed EF_MSISDN is now completely blank on | |
159 Sysmocom's current sysmoISIM-SJA2 cards, and also on the late sysmoUSIM-SJS1 | |
160 cards - or at least it is blank on the last-stock cards I bought in 2020-11. | |
161 EF_MSISDN is writable without needing ADM1 - it only needs CHV1. |