view doc/GrcardSIM1-notes @ 96:a5cfe5135701

simtool: grcard2.c split into grcard2ki.c and grcard2pins.c
author Mychaela Falconia <falcon@freecalypso.org>
date Wed, 05 May 2021 03:55:23 +0000
parents 9de2d8b8951d
children
line wrap: on
line source

As of A.D. 2021, the GSM-only SIM card model (as opposed to USIM/ISIM for LTE/5G
users) sold by Grcard company is the one which we call GrcardSIM2 - our current
FCSIM1 cards are GrcardSIM2, and this card model goes back to some time around
2013, when it was sold by Sysmocom as sysmoSIM-GR2.  However, if we go back in
time a little further to around 2011, Grcard had an earlier card model which we
call GrcardSIM1 - it was sold by Sysmocom as sysmoSIM-GR1.  In the present day
these original GrcardSIM1 cards are extremely scarce: Mother Mychaela got one
card from Das Signal, there may be one or two other people on the planet who
have one or two cards, but that's it - an extreme rarity.

These GrcardSIM1 cards have one and only one special feature that makes them
interesting: supposedly they are freely reformattable, meaning that any
individual card owner can completely erase the card file system and then
recreate an entirely new one according to her liking: see our
Formatting-thoughts article.  However, I said "supposedly" in the previous
sentence, referring to GrcardSIM1 free reformatting ability, because the extreme
scarcity makes it too difficult to test this ability: I (Mother Mychaela) have
only one card to play with, I am not too keen on the idea of possibly bricking
this card via incorrectly-guessed formatting commands, and there does not seem
to be much point in developing formatting tools for a card model that is no
longer available.

Aside from their unique reformatting feature, GrcardSIM1 cards have two very
notable defects compared to current GrcardSIM2 or FCSIM1:

* GrcardSIM1 cards have a broken security model in that grcard1-set-pin1,
  grcard1-set-pin2, grcard1-set-adm1 and grcard1-set-adm2 commands (or rather
  the actual command APDUs sent by these fc-simtool commands) are completely
  unauthenticated, meaning that all PIN security is trivially bypassable: you
  can take a PIN-locked card for which you don't know the PIN, you can reset
  its PIN with grcard1-set-pin1, and bingo, you have access to all private data
  and the GSM authentication token which the hapless owner sought to protect
  with their PIN.  The same goes for ADM access: if someone set the card's ADM2
  key to some unknown secret, you can reset it back to the pySim default of
  4444444444444444 with grcard1-set-adm2 and give yourself full admin write
  access, without ever knowing the previous key.

* GrcardSIM2 (FCSIM1) cards support F=512 D=8 speed enhancement (the classic
  SIM speed enhancement specified in GSM 11.11 and supported by classic GSM/2G
  phones), but GrcardSIM1 cards don't support it - hence GR1 cards run in the
  slowest F=372 D=1 mode.

The only datum on GrcardSIM1 cards which appears to be secure against reading
is Ki.  grcard1-set-ki command is unauthenticated like the other grcard1-set-*,
thus anyone can overwrite Ki with their own, but it is a write-only datum on
this card model: it does not appear in the file system, and there is no command
for reading Ki.  Contrast with GrcardSIM2, sysmoUSIM-SJS1 and sysmoISIM-SJA2
cards: all of these cards store their Ki in a special file in their file system,
but this file requires ADM access (SUPER ADM on GrcardSIM2, ADM1 on Sysmocom
cards) for both reading and writing.