FreeCalypso > hg > fc-sim-tools
diff doc/Low-level-commands @ 18:da6e9d0b2ee6
data, doc, scripts: import from previous fc-pcsc-tools repo
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Sun, 14 Mar 2021 07:57:09 +0000 (2021-03-14) |
parents | |
children | 871281cb0555 |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/doc/Low-level-commands Sun Mar 14 07:57:09 2021 +0000 @@ -0,0 +1,196 @@ +fc-simtool is a tool built from the bottom up: at the foundation there is a set +of low-level commands that provide raw access to the actual SIM protocol APDU +commands, these low-level commands can be used to do everything that the SIM +protocol allows, and all higher-level commands merely provide user-friendly +utilities for the most common particular use cases. This document describes +these low-level commands. Readers of this document are expected to know the +SIM interface protocol as defined in GSM TS 11.11 and its successor 3GPP TS +51.011. + +Exploring and reading commands +============================== + +atr + +This command displays the ATR (Answer To Reset) byte string which the SIM sent +to the reader when it powered up. + +select File_ID + +This fc-simtool command sends a SELECT command to the SIM, follows up with a +GET RESPONSE command as expected in the T=0 protocol, and provides some human- +readable parsing of the most important fields in the SIM response structure. +If a correctly formed response was received from the SIM and this response +structure indicates that a record-based EF has been selected, the indicated +record length is saved in an internal variable used by readrec and update-rec +commands. + +The file ID can be specified either in hexadecimal (exactly 4 hex digits, *no* +0x prefix) or as a symbolic name. fc-simtool knows the following symbolic +names: + +* MF +* DF_GSM, DF_DCS1800 and DF_TELECOM +* "gsm" and "telecom" as shorthand names for DF_GSM and DF_TELECOM +* Some of the most classic EFs, but not all + +Important note: regardless of whether you specify the file ID in raw hex or +symbolically, this low-level select command will send only one SELECT command +to the SIM. Per the SIM protocol, in order to successfully select an EF, you +have to be in the right directory first, i.e., select MF, DF_GSM or DF_TELECOM +as appropriate before the EF of interest. Our low-level select command does +NOT do this extra step on its own, you have to do it explicitly, even if you +use symbolic names for EFs. + +sim-resp + +This command displays in raw hex the content of the internal buffer that holds +the last response received from the SIM. This internal buffer is filled by the +GET RESPONSE command that follows up after SELECT or RUN GSM ALGORITHM, and by +the READ BINARY or READ RECORD commands, whether they are invoked directly as +low-level commands (select, readbin, readrec or a38) or internally as part of +higher-level fc-simtool commands. + +readbin offset len + +This fc-simtool command sends a READ BINARY command to the SIM and displays the +SIM response in raw hex, internally invoking the same function as sim-resp. +The two arguments are exactly as in the READ BINARY protocol command; each +number is interpreted as decimal by default or as hex if preceded by 0x. + +readrec record-index [len] + +This fc-simtool command sends a READ RECORD command to the SIM (absolute +addressing mode) and displays the SIM response in raw hex, internally invoking +the same function as sim-resp. The arguments are decimal or hex as in the +readbin command. + +If no explicit length argument is given, readrec uses the internal variable set +by the last select operation. This one-argument form is almost always used in +practice, as the SIM will normally reject any requested length that does not +match the current EF record length. + +readef File_ID + +This fc-simtool command provides a slightly higher-level facility for examining +the content of EFs, combining select and readbin or readrec operations. The +sole File_ID argument is the same as for the low-level select command; the SIM +response to SELECT is then parsed to decide what to do next. Transparent EFs +are read using as many READ BINARY commands as necessary (up to 256 bytes can +be read in one APDU exchange) and displayed as a continuous hex dump. For +record-based EFs (linear fixed and cyclic), readef reads and separately +hex-dumps every record. + +Just like with the low-level select command, there is no built-in MF/DF +selection. + +savebin File_ID out-bin-file + +This command selects the specified EF (just like with low-level select and +readef, you need to be in the right MF/DF directory) and saves its complete +content in a raw binary file on the UNIX host file system. This command +supports all 3 types of EF (transparent, linear fixed and cyclic) and uses the +correct READ BINARY or READ RECORD commands based on the SELECT response. +Record-based EFs are read in the order of increasing record number and are saved +in the host binary file with all records simply abutted together. + +Writing commands +================ + +update-bin offset hexfile + +This fc-simtool command reads a hex data file (an ASCII text file containing +only hex byte values and nothing else, with or without white space between +bytes, newlines treated as any other white space) and sends this byte content +to the SIM in an UPDATE BINARY command. The offset argument is the same as in +the readbin command. The length is the number of bytes read from the hex data +file. + +update-bin-imm offset hex-string + +This command works like update-bin, but the bytes to be written are given as a +hex string direct argument (like an immediate operand in assembly languages), +rather than via a hex data file. + +update-rec record-index hexfile + +This fc-simtool command reads a hex data file (just like update-bin) and sends +this byte content to the SIM in an UPDATE RECORD command, using either absolute +or PREVIOUS addressing mode. The record-index argument is the same as in the +readrec command for the absolute addressing mode, or 'prev' keyword to use the +PREVIOUS addressing mode for writing to cyclic EFs. The number of bytes in the +hex data file must equal the EF record length. + +update-rec-imm record-index hex-string + +This command works like update-rec, but the bytes to be written are given as a +hex string direct argument (like an immediate operand in assembly languages), +rather than via a hex data file. + +update-rec-fill record-index fill-byte + +This fc-simtool command sends an UPDATE RECORD command to the SIM with payload +equal to the specified fill byte, replicated to the record length. The fill +byte argument is always interpreted as hexadecimal. + +restore-file File_ID host-bin-file + +This command restores a binary backup previously made with savebin back to the +SIM, or writes new bits into the EF if you can construct the necessary binary +image with tools like xxd. The arguments are the same as for the savebin +command. This command supports all 3 types of EF (transparent, linear fixed +and cyclic) and uses the correct UPDATE BINARY or UPDATE RECORD commands based +on the SELECT response. Cyclic files are restored by writing every record in +the reverse order from the last index to the first. + +erase-file File_ID [fill-byte] + +This command erases the specified EF by overwriting its content with the +specified fill byte, which defaults to 0xFF if the second argument is omitted. +All 3 EF types (transparent, linear fixed and cyclic) are supported: for +transparent EFs fc-simtool issues as many UPDATE BINARY commands as needed to +overwrite the whole file, whereas for record-based EFs every record is +overwritten with UPDATE RECORD. + +INVALIDATE and REHABILITATE +=========================== + +cur-ef-inval will send an INVALIDATE command to the SIM; cur-ef-rehab will send +a REHABILITATE command. The naming of these low-level fc-simtool commands +reflects the fact that you have to manually select the EF of interest first. + +GSM authentication testing +========================== + +a38 RAND + +This fc-simtool command exercises the SIM card's RUN GSM ALGORITHM command. +The user-specified RAND value (a hex string of 16 bytes) is sent to the SIM, +and the SIM response is parsed to display SRES and Kc. + +Per SIM specs GSM TS 11.11 and 3GPP TS 51.011, RUN GSM ALGORITHM can only be +executed when DF_GSM is selected. fc-simtool a38 command does NOT include a +built-in SELECT of DF_GSM, hence you need to manually issue 'select DF_GSM' +first. + +This a38 command can be used to verify if the SIM card's Ki and A38 algorithm +match what you expect them to be. To perform this test, issue an a38 command +to the SIM with some made-up RAND and note the SRES and Kc response. Then use +the osmo-auc-gen utility from Osmocom to run the expected algorithm with the +expected Ki (and the expected OPc if MILENAGE is used) and the same RAND, and +see if SRES and Kc match. + +Exploring proprietary APDUs +=========================== + +If the SIM you are working with is known or suspected to implement some +non-standard or proprietary APDUs for which there is no explicit support in +fc-simtool, you can use this low-level debug command to send arbitrary APDUs: + +apdu "xx xx xx xx xx ..." + +The sole argument is a raw string of bytes (quotes are needed if there are +spaces between bytes), and the APDU needs to be given exactly as it is sent in +the T=0 protocol: 5 bytes of header (including the length byte) followed by +data bytes, if any. After executing the APDU exchange, the apdu command simply +prints the SW response code from the SIM.