GSM/2G in USA tips and tricks, SIM card issues and tools

Mychaela Falconia mychaela.falconia at gmail.com
Sat Jan 23 19:44:47 UTC 2021


Hello FreeCalypso community,

Happy New Year to everyone!

I don't know if I am the world's only GSM/2G-interested person who
also happens to live in USA, or if there are any other GSM/2G users
living in these lands - but if you are someone who cares about GSM and
you live in USA, you know that the situation is bleak here.  T-Mobile
USA is the only remaining nationwide operator of a GSM/2G network
here: there may be some local or regional operators in some parts of
the country, but none where I live in Southern California, hence
T-Mobile is all that exists where I live.  I haven't been following
any official updates since the 2020 world scamdemic hit the fan, but
last I heard, they were threatening to shut their 2G service down at
the end of 2020.  Today is Jan 23 and my service still works - who
knows, perhaps the scamdemic upheavals upset their plans somehow.  In
any case, I intend to keep using this network till its (and my own)
last breath, generating some call traffic on it every single day.

As a new development, over the last few months I have become active in
the local Reopen San Diego group (www.reopensd.org), a group of local
freedom lovers fighting against scamdemic tyranny and lockdowns.  I
have been proudly showing my 2G dumbphones (my own Pirelli DP-L10,
Motorola C139, and my dear life partner's Nokia C3-00) to everyone in
the group, and some people have expressed an interest in getting a
phone similar to mine.  Thus I've been looking into ways to onboard
new users onto T-Mobile's unwanted GSM/2G network, the one they are
itching to kill.

One thing that the evil owners of T-Mobile have been doing is that
they don't want any new 2G users signing up, only "grandfathered" ones
who got their SIMs ages ago.  Toward this end, all new SIMs which they
currently issue have been maliciously hobbled: they have disabled the
classic GSM 11.11 SIM application, leaving only USIM and ISIM.  The
symptom is when you issue a SELECT command to the SIM to select DF_GSM
(a required step for accessing many essential SIM files like the IMSI,
and for running GSM A3+A8 authentication and Kc generation), it
returns 0x9404 (file ID not found) error.  These evil SIMs, as I call
them, are unusable in the vast majority of classic 2G phones - there
are some very few 2G phones of very late era whose software stacks
implement the USIM protocol in addition to classic SIM, and these
super-late-era 2G phones (like Nokia C3-00) do work with the evil SIMs
- but most classic 2G phones can never work.

As far as I can tell, there is nothing in Calypso SIM interface
hardware that would preclude our Calypso devices from being able to
speak the USIM protocol in addition to classic SIM, if we were to do
the massive rearchitecture work on our firmware that would be needed.
However, it would be pointless to do this work right now: if we were
to do this work now, our AT-command-controlled modems will gain the
ability to work with USIM-only evil SIMs, but there would be no
immediate benefit to the end user population.  Right now we are still
very far away from a practically usable FreeCalypso end user phone:
all we have are toys to play with in a lab, but nothing that can be
used as a "daily driver" phone yet.  Hence those of us who desire a 2G
dumbphone for everyday use still need to use Motorola's or Pirelli's
original proprietary fw on their respective models, and those solid
blob firmwares only support the classic SIM protocol, not USIM.

However, I have found a workable solution for onboarding new users
onto T-Mobile's 2G network, bypassing their evil SIMs - the trick is
to use certain T-Mobile MVNOs whose SIMs are still good.  There is a
huge proliferation of MVNOs who resell services running on T-Mobile's
network, I never previously paid much attention to them (my reasoning
was "why deal with the extra layer of an MVNO, why not get service
directly from the real network operator"), but right now some of these
MVNOs are coming to our rescue - not that they have any desire to help
us, of course, but they just happen to still issue non-evil SIMs.

When T-Mobile's own customer service adamantly refused to sell me a
batch of non-activated SIMs (for handing out to other people, for them
to activate on their own service and billing accounts) with the
classic SIM application enabled, I reached out to one of my contacts
in Texas who also works with 2G phones (his business is in unlocking
and reselling them), and I asked him if he knew of any solution.  His
recommendation was to try Speedtalk SIMs - Speedtalk is a T-Mobile-based
MVNO - and lo and behold, these Speedtalk SIMs still work!

Unactivated ("blank" as in can be given to other people to activate on
their own account) Speedtalk SIMs are readily available on both Amazon
and ebay, and these SIMs can be tested for 2G compatibility even
before activation, i.e., you can test your SIM and make sure it is
good *before* doing the activation step where you have to create your
account and pay for service.  If one inserts an unactivated SIM into a
FreeCalypso device or some other functionally equivalent phone (such
as Mot C139 or Pirelli DP-L10 running its original fw), the phone will
successfully read the IMSI from the SIM, connect to the GSM network
(with authentication as required), and everything will appear to be
working - although you will have no phone number yet, and you won't be
able to actually make any calls until the service is activated - but
the phone display will show normal connection to the GSM network.  I
am also working on a new software tool that will allow this SIM
testing to be done without any phone at all, instead inserting the SIM
into a smart card "reader" device (CCID) connected to a computer -
this alternate test path will allow newly acquired SIMs (especially
those intended for distribution to other people) to be tested
*without* breaking them out of the credit-card-sized carrier they come
on!

Because I haven't got this CCID-based SIM test framework implemented
yet (I am just starting this work), when I got my first batch of
"blank" (not yet activated, but available for activation) Speedtalk
SIMs from Amazon, I took one of those SIMs and broke out the 2FF-sized
part from the full credit-card-sized carrier.  I then inserted this
broken-out 2FF SIM card into an FCDEV3B, and gave it a spin - keep in
mind, this is all being done prior to the card being activated as in
account setup for service and billing.  AT+CFUN=1 was successful, yay!
In contrast, with T-Mobile-branded evil SIMs this AT+CFUN=1 operation
immediately fails, and unfortunately we have poor error reporting
currently, it says "SIM not inserted" instead of a more proper error
about the SIM being evil and failing SELECT of DF_GSM.  Back to these
new-to-me Speedtalk SIMs, once AT+CFUN=1 succeeded, I started probing
around.  AT+CIMI successfully returned an IMSI, with the first 6
digits being 310260 - yup, that's T-Mobile USA.  Then I gave our modem
an AT+COPS=0 command, to actually connect to the network.  And guess
what: registration successful!  AT+COPS? query returns some MVNO-modified
string for the operator name instead of "T-Mobile", so it
looks like the SIM has this MVNO display name programmed in it, and
our TI-based software stack actually supports this silly gimmick - but
it is just a cosmetic display issue.

I then moved this still-unactivated Speedtalk SIM from the FCDEV3B
into a Motorola C139 phone running an unlocked (no carrier branding)
version of Motorola's official fw.  Result: once again successful
network registration, with the MVNO-modified network name (I forgot
the exact spelling, something along the lines of "stk.mobi") appearing
on the phone display where it says "T-Mobile" with my own legacy SIMs
from many years ago.  I then reached out to my friend from the Reopen
San Diego group who wanted to be set up with a new 2G phone and
service to replace her iPhone, gave her the good news, and gave her
the go-ahead to create her service and billing account with Speedtalk.
She activated the SIM which we put into the C139, and on Wednesday
night at a Reopen SD group meeting, I gave her the phone with the SIM
in it.  We turned it on at the meeting place, it immediately found the
GSM network, and it quickly received the usual "welcome" SMS which you
typically get with a newly activated service.  So we did it - we
successfully onboarded an entirely new user onto T-Mobile's 2G network
with a most traditional 2G phone, using SIM cards that are currently
available from Amazon or ebay!

As the next step, I am now working on a software tool for testing SIM
cards without any phone at all, instead using smart card "reader"
devices that connect to a computer via USB:

http://shop.sysmocom.de/t/sim-card-related/card-readers

I learned about their existence by way of Sysmocom's webshop product
listings above, but as much as I would love to give more business to
Sysmocom, there is currently some kind of snafu going on between
German postal service and USPS, and the last item I ordered from
Sysmocom back in November still hasn't arrived.  (When I emailed them,
they told me that all other USA customers are in the same situation,
haven't received orders placed back in November!)  Thus I have to
source the hardware more locally, from USA-based ebay sellers.  I
already have an Omnikey 6121 CCID, the one that takes 2FF cards, and I
recently placed an order (ebay, USA-based seller) for an Omnikey 3121,
the one that takes full-size cards, now waiting for that one to
arrive.  I am using my current Omnikey 6121 CCID for development of my
SIM testing tools.

Osmocom people have a lot of tools that talk to SIMs, USIMs and ISIMs
via these same USB CCIDs, so I am taking some inspiration from them.
At the lowest level of the stack they use pcsc-lite, and I am using
the same - getting it up and running under Slackware was quite a
learning curve, but I got it working.  But for the upper layers
Osmocom people have chosen to use Python (with pyscard making the
binding to pcsc-lite underneath), and this is where I and those
Osmocom people have to diverge - as a devoted life-long C lover, I
absolutely detest Python.  (And the recent-to-me Python2 vs. Python3
dichotomy only makes it worse.)  I got osmo-sim-auth.py working on my
Slackware system, but I haven't braved pySim yet.  But while I do need
to have Osmocom/Sysmocom Python tools working in order to program
Sysmocom SIMs (the two packs of SIMs with ADM1 keys are the item I am
currently waiting for, the one I ordered in November), trying to learn
enough Python to make my own functional additions to Osmocom SIM tools
is not going to be my path - instead I am writing my own tools in C,
talking directly to libpcsclite C API.

I have a couple of test programs in the freecalypso-hwlab Hg repository
that test the basic functionality of connecting to a SIM via a USB
CCID via libpcsclite and pcscd, and as my next step I will be writing
a fancier program that will send various APDU commands to the SIM.  My
focus is strictly on the classic GSM 11.11 SIM protocol, no USIM or
ISIM, and I am also focusing on standard SIM functionality, meaning
functions that should be exercisable on any issuer's SIM: I want to be
able to enable and disable CHV, read ID files like IMSI and MSISDN,
read and maybe even write SIM-stored phonebook entries and SMS, that
kind of thing.  As for programmable SIMs and the special magic they
need for programming operations, I gladly leave that functionality to
existing Osmocom/Sysmocom tools, provided that I get them working when
the time comes.  So stay tuned for some new C-language SIM tools
coming soon!
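The DF_GSM probe described earlier (the 0x9404 response from USIM-only SIMs) and the IMSI read that the planned C tool will need, as an added example that is not FreeCalypso or Osmocom code: it builds the GSM 11.11 SELECT APDU, classifies the status word, and decodes an EF_IMSI body, in plain C with no card reader attached. The file IDs and status words are those of GSM 11.11; the EF_IMSI bytes are a constructed sample, and the only libpcsclite call a real tool would add (SCardTransmit) is named in a comment.

```c
#include <stdint.h>
#include <string.h>
/* GSM 11.11 file IDs of the classic SIM application */
#define FID_DF_GSM  0x7F20
#define FID_EF_IMSI 0x6F07
enum select_result { SEL_OK, SEL_NO_SUCH_FILE, SEL_OTHER };

/* Build a GSM 11.11 SELECT APDU: CLA A0, INS A4, P1 P2 00 00, P3 02, file ID.
 * A real tool hands this buffer to SCardTransmit() from libpcsclite. */
size_t build_select_apdu(uint16_t fid, uint8_t apdu[7])
{
    const uint8_t hdr[5] = { 0xA0, 0xA4, 0x00, 0x00, 0x02 };
    memcpy(apdu, hdr, 5);
    apdu[5] = fid >> 8;
    apdu[6] = fid & 0xFF;
    return 7;
}

/* SW1 SW2 of a SELECT response: 9F xx = selected (xx bytes via GET RESPONSE);
 * 94 04 = file ID not found, on DF_GSM the signature of a USIM-only SIM. */
enum select_result classify_select_sw(uint8_t sw1, uint8_t sw2)
{
    if (sw1 == 0x9F) return SEL_OK;
    if (sw1 == 0x94 && sw2 == 0x04) return SEL_NO_SUCH_FILE;
    return SEL_OTHER;
}

/* Decode an EF_IMSI body (length byte, then swapped BCD; the low nibble of the
 * first digit byte is a parity flag, 0xF pads an even count). Digits or -1. */
int decode_imsi(const uint8_t *ef, size_t eflen, char out[16])
{
    int n = 0;
    if (eflen < 2 || ef[0] < 1 || ef[0] > 8 || (size_t)ef[0] >= eflen) return -1;
    out[n++] = '0' + (ef[1] >> 4);
    for (size_t i = 2; i <= ef[0]; i++) {
        uint8_t lo = ef[i] & 0x0F, hi = ef[i] >> 4;
        if (lo > 9) break;
        out[n++] = '0' + lo;
        if (hi > 9) break;
        out[n++] = '0' + hi;
    }
    out[n] = '\0';
    return n;
}

/* T-Mobile USA is PLMN 310 260, the IMSI prefix the post saw via AT+CIMI */
int imsi_is_tmobile_usa(const char *imsi) { return strncmp(imsi, "310260", 6) == 0; }

/* Constructed sample EF_IMSI body encoding the made-up IMSI 310260123456789 */
const uint8_t SAMPLE_EF_IMSI[9] = { 0x08, 0x39, 0x01, 0x62, 0x10, 0x32, 0x54, 0x76, 0x98 };
```

A SIM that answers 94 04 to the DF_GSM SELECT is one the post calls evil; one that answers 9F xx can then have EF_IMSI selected and read.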

Hasta la Victoria, Siempre,
Mychaela aka The Mother
