view doc/GrcardSIM1-notes @ 93:6041c601304d

fcsim1-mkprov: revert OTA key addition

It appears that GrcardSIM2 cards (which is what we got for FCSIM1) do not support OTA after all, contrary to what we were previously led to believe by some tech support emails from Grcard - apparently those support emails and OTA descriptions referred to some other card model(s).
author Mychaela Falconia <falcon@freecalypso.org>
date Wed, 21 Apr 2021 05:38:39 +0000
parents 9de2d8b8951d
children

As of A.D. 2021, the GSM-only SIM card model (as opposed to USIM/ISIM for LTE/5G
users) sold by Grcard company is the one which we call GrcardSIM2 - our current
FCSIM1 cards are GrcardSIM2, and this card model goes back to some time around
2013, when it was sold by Sysmocom as sysmoSIM-GR2.  However, if we go back in
time a little further to around 2011, Grcard had an earlier card model which we
call GrcardSIM1 - it was sold by Sysmocom as sysmoSIM-GR1.  In the present day
these original GrcardSIM1 cards are extremely scarce: Mother Mychaela got one
card from Das Signal, there may be one or two other people on the planet who
have one or two cards, but that's it - an extreme rarity.

These GrcardSIM1 cards have one and only one special feature that makes them
interesting: supposedly they are freely reformattable, meaning that any
individual card owner can completely erase the card file system and then
recreate an entirely new one according to her liking: see our
Formatting-thoughts article.  However, I said "supposedly" in the previous
sentence, referring to GrcardSIM1 free reformatting ability, because the extreme
scarcity makes it too difficult to test this ability: I (Mother Mychaela) have
only one card to play with, I am not too keen on the idea of possibly bricking
this card via incorrectly-guessed formatting commands, and there does not seem
to be much point in developing formatting tools for a card model that is no
longer available.

Aside from their unique reformatting feature, GrcardSIM1 cards have two very
notable defects compared to current GrcardSIM2 or FCSIM1:

* GrcardSIM1 cards have a broken security model in that grcard1-set-pin1,
  grcard1-set-pin2, grcard1-set-adm1 and grcard1-set-adm2 commands (or rather
  the actual command APDUs sent by these fc-simtool commands) are completely
  unauthenticated, meaning that all PIN security is trivially bypassable: you
  can take a PIN-locked card for which you don't know the PIN, you can reset
  its PIN with grcard1-set-pin1, and bingo, you have access to all private data
  and the GSM authentication token which the hapless owner sought to protect
  with their PIN.  The same goes for ADM access: if someone set the card's ADM2
  key to some unknown secret, you can reset it back to the pySim default of
  4444444444444444 with grcard1-set-adm2 and give yourself full admin write
  access, without ever knowing the previous key.

* GrcardSIM2 (FCSIM1) cards support F=512 D=8 speed enhancement (the classic
  SIM speed enhancement specified in GSM 11.11 and supported by classic GSM/2G
  phones), but GrcardSIM1 cards don't support it - hence GR1 cards run in the
  slowest F=372 D=1 mode.

The only datum on GrcardSIM1 cards which appears to be secure against reading
is Ki.  The grcard1-set-ki command is unauthenticated like the other
grcard1-set-* commands, thus anyone can overwrite Ki with their own, but Ki is
a write-only datum on this card model: it does not appear in the file system,
and there is no command for reading it.  Contrast with GrcardSIM2,
sysmoUSIM-SJS1 and sysmoISIM-SJA2
cards: all of these cards store their Ki in a special file in their file system,
but this file requires ADM access (SUPER ADM on GrcardSIM2, ADM1 on Sysmocom
cards) for both reading and writing.