FreeCalypso > hg > fc-sim-tools
diff doc/ADM-PIN-numbering @ 64:dba24129027e
doc/ADM-PIN-numbering article written
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Tue, 23 Mar 2021 23:30:00 +0000 |
parents | |
children | c9c2a8d954ba |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/doc/ADM-PIN-numbering Tue Mar 23 23:30:00 2021 +0000 @@ -0,0 +1,87 @@ +ADM access conditions +===================== + +The response to SELECT of any EF in the classic GSM 11.11 SIM protocol carries +3 bytes that indicate access conditions for the selected file - or more +precisely, 5 nibbles that indicate access conditions plus one reserved nibble. +Each access condition nibble has the following encoding per standard specs +(GSM TS 11.11 and 3GPP TS 51.011): + +Code Meaning +--------------- +0 ALW +1 CHV1 +2 CHV2 +3 RFU +4-14 ADM +15 NEV + +Access condition codes 4 through 14 (0x4 through 0xE) are defined merely as ADM +by the standard specs, without further distinction. However, those of us who +work with SIM cards on a tinkering or reverse engineering level and thus need +to fully decode SIM SELECT responses for intelligent analysis need to somehow +distinguish between these 11 possible ADM access levels, thus we had to make up +some scheme of our own for naming different ADMn access levels. + +Unfortunately it just so happened that FC SIM tools and Grcard have come up with +two different ADMn naming conventions. I (Mother Mychaela) feel that it is too +late now to change our FC SIM tools ADMn naming convention, and of course it is +not our place to tell Grcard company to change theirs. Therefore, the only +remaining solution is to clearly document both naming conventions and just live +with there being two different ones. + +In the FC SIM tools convention, the 11 possible ADM access levels for EFs are +named ADM4 through ADM14 - the 'n' in ADMn directly matches the nibble value +carried in the SIM protocol. This convention is used by fc-simtool select and +readef commands when they display the access conditions returned by the SIM. + +The convention used by Grcard names these 11 possible ADM access levels ADM1 +through ADM11 instead. As a result of this number shift, what Grcard call ADM1 +is ADM4 to us, what Grcard call ADM2 is ADM5 to us, and so forth. + +ADM key IDs in VERIFY CHV commands +================================== + +Standard specs are silent on the question of exactly how administrative entities +authenticate themselves to the card to gain various ADM access levels, but most +card vendors implement an extended form of the standard VERIFY CHV command in +which the key ID in P2 is not 1 or 2 (standard CHV1 and CHV2), but some other +code identifying ADM keys and corresponding access levels. + +There is no requirement that P2 key IDs in the extended VERIFY CHV command used +for ADM authentication have to correspond to the codes used to denote EF access +conditions. However, on the traditional SIM (not UICC/USIM/ISIM) cards made by +Grcard, these two separate places in the binary protocol do use the same codes: +for example, if a given EF has an access condition indicated as code 5 in the +protocol (called ADM5 by us or ADM2 by Grcard), then the corresponding ADM +authentication has to be done with a VERIFY CHV command with P2=05. + +ADM PIN numbers on Grcard SIM cards +=================================== + +We are aware of two different card models from Grcard that are specifically GSM +SIM, rather than UICC/USIM/ISIM. (The latter kind also exist of course, but we +have no interest in them.) The first such model is what we call GrcardSIM1 +(previously sold by Sysmocom as sysmoSIM-GR1), and the other model is what we +call GrcardSIM2 - previously sold by Sysmocom as sysmoSIM-GR2, and now being +reintroduced as FreeCalypso Community SIM model FCSIM1. + +GrcardSIM1 cards are currently understood very poorly because they are extremely +difficult to obtain in the present time (2021). However, they seem to have two +different ADM access levels which Grcard officially call ADM1 and ADM2. In our +FC SIM tools naming convention these ADM access levels become ADM4 and ADM5, +respectively. + +GrcardSIM2 cards are understood much better because unlike GrcardSIM1, they are +readily available from Grcard in the present time. They have two different ADM +access levels that are fully explained in the GrcardSIM2-security-model article, +and these two ADM levels are known by different names: + +* Osmocom wiki page for GrcardSIM2 calls them ADM and SUPER ADM; + +* For our FCSIM1 version of this card, we've named them ADM5 and ADM11, going + by the numbers that appear in the actual binary protocol; + +* Looking at Grcard's own documentation (see doc/vendor/grcard2-person-script), + one can see that Grcard engineers refer to them as ADM2 and ADM8, following + the numbering shift explained earlier in this article.