fc-sim-tools (FreeCalypso Mercurial repository): view doc/GrcardSIM1-notes @ 99:97ba63d9361a
scripts/fcsim1-sst: turn off STK & OTA services
In the initial unprogrammed state of the cards from Grcard, SST has
services 25 through 29 set to allocated and activated. However,
these cards appear to not actually support OTA: ENVELOPE commands
do nothing (just return SW 9000), and they were never observed
issuing any proactive SIM commands, even after a feature-generous
TERMINAL PROFILE. Therefore, let's list these STK & OTA services
as allocated, but not activated, in our FCSIM1 SST.
author: Mychaela Falconia <falcon@freecalypso.org>
date: Wed, 05 May 2021 04:26:07 +0000
parents: 9de2d8b8951d
As of A.D. 2021, the GSM-only SIM card model (as opposed to USIM/ISIM for LTE/5G users) sold by the Grcard company is the one which we call GrcardSIM2: our current FCSIM1 cards are GrcardSIM2, and this card model goes back to some time around 2013, when it was sold by Sysmocom as sysmoSIM-GR2. However, if we go back in time a little further, to around 2011, Grcard had an earlier card model which we call GrcardSIM1; it was sold by Sysmocom as sysmoSIM-GR1. In the present day these original GrcardSIM1 cards are extremely scarce: Mother Mychaela got one card from Das Signal, there may be one or two other people on the planet who have one or two cards, but that's it - an extreme rarity.

These GrcardSIM1 cards have one and only one special feature that makes them interesting: supposedly they are freely reformattable, meaning that any individual card owner can completely erase the card file system and then recreate an entirely new one according to her liking; see our Formatting-thoughts article. However, I said "supposedly" in the previous sentence, referring to the GrcardSIM1 free reformatting ability, because the extreme scarcity makes it too difficult to test this ability: I (Mother Mychaela) have only one card to play with, I am not too keen on the idea of possibly bricking this card via incorrectly-guessed formatting commands, and there does not seem to be much point in developing formatting tools for a card model that is no longer available.
Aside from their unique reformatting feature, GrcardSIM1 cards have two very notable defects compared to current GrcardSIM2 or FCSIM1:

* GrcardSIM1 cards have a broken security model in that the grcard1-set-pin1, grcard1-set-pin2, grcard1-set-adm1 and grcard1-set-adm2 commands (or rather the actual command APDUs sent by these fc-simtool commands) are completely unauthenticated, meaning that all PIN security is trivially bypassable: you can take a PIN-locked card for which you don't know the PIN, you can reset its PIN with grcard1-set-pin1, and bingo, you have access to all private data and the GSM authentication token which the hapless owner sought to protect with their PIN. The same goes for ADM access: if someone set the card's ADM2 key to some unknown secret, you can reset it back to the pySim default of 4444444444444444 with grcard1-set-adm2 and give yourself full admin write access, without ever knowing the previous key.

* GrcardSIM2 (FCSIM1) cards support F=512 D=8 speed enhancement (the classic SIM speed enhancement specified in GSM 11.11 and supported by classic GSM/2G phones), but GrcardSIM1 cards don't support it; hence GR1 cards run in the slowest F=372 D=1 mode.

The only datum on GrcardSIM1 cards which appears to be secure against reading is Ki. The grcard1-set-ki command is unauthenticated like the other grcard1-set-* commands, thus anyone can overwrite Ki with their own, but it is a write-only datum on this card model: it does not appear in the file system, and there is no command for reading Ki. Contrast with GrcardSIM2, sysmoUSIM-SJS1 and sysmoISIM-SJA2 cards: all of these cards store their Ki in a special file in their file system, but this file requires ADM access (SUPER ADM on GrcardSIM2, ADM1 on Sysmocom cards) for both reading and writing.
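The SST change described in the commit message at the top of this page, as an added example that is not part of fc-sim-tools: it decodes a GSM 11.11 EF_SST image (two bits per service: allocated and activated), reports which of services 25 through 29 are activated, and produces the allocated-but-not-activated form. The 8-byte SST image is constructed, not read from a real card; the service names for 25 through 29 are the GSM 11.11 ones.

```python
# Added example (not fc-sim-tools code): decode and patch a GSM 11.11 EF_SST
# (SIM Service Table) image. Each service occupies two bits: bit 1 = allocated,
# bit 2 = activated; services 1-4 live in byte 1, 5-8 in byte 2, and so on.

STK_OTA_SERVICES = {          # service numbers per GSM 11.11
    25: "Data download via SMS-CB",
    26: "Data download via SMS-PP",
    27: "Menu selection",
    28: "Call control",
    29: "Proactive SIM",
}


def sst_bits(sst: bytes, service: int) -> tuple[bool, bool]:
    """Return (allocated, activated) for a 1-based service number."""
    idx, shift = (service - 1) // 4, ((service - 1) % 4) * 2
    if service < 1 or idx >= len(sst):
        raise ValueError(f"service {service} lies outside a {len(sst)}-byte SST")
    allocated = bool((sst[idx] >> shift) & 1)
    activated = bool((sst[idx] >> (shift + 1)) & 1)
    return allocated, activated


def set_service(sst: bytes, service: int, allocated: bool, activated: bool) -> bytes:
    """Return a copy of sst with the two bits of one service rewritten."""
    sst_bits(sst, service)                  # range check
    buf = bytearray(sst)
    idx, shift = (service - 1) // 4, ((service - 1) % 4) * 2
    buf[idx] &= ~(0b11 << shift) & 0xFF     # clear both bits of this service
    buf[idx] |= (int(allocated) | (int(activated) << 1)) << shift
    return bytes(buf)


def activated_stk_ota(sst: bytes) -> list[int]:
    """STK/OTA services (25-29) that the SST lists as allocated AND activated."""
    return [s for s in STK_OTA_SERVICES if sst_bits(sst, s) == (True, True)]


def deactivate_stk_ota(sst: bytes) -> bytes:
    """Mirror the fcsim1-sst change: keep 25-29 allocated, clear 'activated'."""
    for svc in STK_OTA_SERVICES:
        allocated, _ = sst_bits(sst, svc)
        sst = set_service(sst, svc, allocated, False)
    return sst


# Constructed SST image: byte 7 (services 25-28) fully set and the low two bits
# of byte 8 (service 29) set, i.e. all five STK/OTA services allocated+activated.
FACTORY_SST = bytes.fromhex("ff3f0f000000ff03")

if __name__ == "__main__":
    for s in activated_stk_ota(FACTORY_SST):
        print(f"service {s:2d} ({STK_OTA_SERVICES[s]}) is activated")
    print("patched SST:", deactivate_stk_ota(FACTORY_SST).hex())
```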