FreeCalypso > hg > fc-sim-tools
view doc/GrcardSIM2-WEKI-file @ 99:97ba63d9361a
scripts/fcsim1-sst: turn off STK & OTA services
In the initial unprogrammed state of the cards from Grcard, SST has
services 25 through 29 set to allocated and activated. However,
these cards appear to not actually support OTA, ENVELOPE commands
do nothing (just return SW 9000), and they were never observed
issuing any proactive SIM commands, even after a feature-generous
TERMINAL PROFILE. Therefore, let's list these STK & OTA services
as allocated, but not activated in our FCSIM1 SST.
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Wed, 05 May 2021 04:26:07 +0000 |
parents | 526193acfb3f |
children | dc772132b5c9 |
line wrap: on
line source
GrcardSIM2 cards have a proprietary EF under DF_GSM with file ID 0x0001; Osmocom wiki page for this card model gives EF.WEKI as the name for this proprietary file. We (FreeCalypso) have no idea as to where this name came from, and where and how the people who wrote that wiki page (Sysmocom staff or not - unknown) got this knowledge. This file is important because it stores Ki and the selection of COMP128 algorithm version, but the same file also appears to have other fields serving other purposes which are not currently understood. When we (FreeCalypso) asked Grcard about this proprietary file, they sent us a "personalization" command script which we have archived in this code repository under doc/vendor/grcard2-person-script; this script is a sequence of command APDUs (raw hex with minimal comments) for an example card programming. The proprietary file in question is named GSM_KI in this script; the origin of the name EF.WEKI that appears in the Osmocom wiki page is still unknown. The total length of this transparent EF is 35 bytes, out of which only the first 19 bytes are documented in the Osmocom wiki page and written by their pySim-prog tool. Interestingly enough, Grcard's "personalization" command script also writes only the first 19 bytes. Let us now break down this file according to our currently available limited understanding: * The first two bytes are always 00 10 - these byte values appear in "blank" unprogrammed cards as shipped by Grcard, they also appear in the Osmocom wiki page, and are programmed by pySim-prog. The "personalization" script we got from Grcard also programs the same 00 10 in these two bytes. The purpose and meaning of these two bytes are completely unknown, and we have never tried writing anything different into them. * The next byte gives COMP128 algorithm selection plus something else that is not understood: - The low 2 bits of this byte select COMP128 algorithm version as follows: 0b00 = COMP128v1 0b01 = COMP128v2 0b10 = COMP128v3 Note that the Osmocom wiki page is wrong in its description of these bits: setting these two bits to 0b11 ends up selecting COMP128v2 rather than v3. (pySim-prog is unaffected because it always writes 00 into the whole byte, selecting COMP128v1.) - The remaining 6 bits of this byte are not understood. Osmocom wiki page tells people to write zeros into the upper 6 bits and so does pySim-prog; the "personalization" command script we got from Grcard also writes zeros into these upper 6 bits. However, if one orders "blank" or unprogrammed cards from Grcard like we do, the initial "unprogrammed" state of this byte is 0x20, as one can see in the data/grcard2-blank-state dump. Setting the upper nibble to either 0 or 2 does not seem to affect the result of RUN GSM ALGORITHM operations, thus it probably controls something else - or perhaps that bit controls nothing at all, and the "unprogrammed" state is merely a bogon - we have no way of knowing. * The next 16 bytes store Ki - this part is straightforward. * The last 16 bytes are not understood; our "blank" unprogrammed cards from Grcard have all FFs in these bytes. fc-simtool support for programming Ki and COMP128 algorithm selection ===================================================================== Even if we never learn the function of the other mysterious fields of EF.WEKI, we must be able to program our own Ki and make our own selection of COMP128 algorithm version in order to use these programmable SIM cards with our own GSM networks. The following solution has been implemented for immediate use: * Our grcard2-set-comp128 command takes a single argument of 1, 2 or 3, selecting COMP128 algorithm version. The implementation of this command selects EF.WEKI, reads the previous content of the magic byte at offset 2, keeps the upper 6 bits unchanged, and writes the new COMP128 algorithm selection into the low 2 bits. If we ever learn the meaning of other bits, we'll be able to add new orthogonal commands that manipulate those other bits, but leave COMP128 selection unchanged. * Our grcard2-set-ki command writes 16 bytes at offset 3, leaving all other bytes untouched.