<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Opensource GSM adventures (among other things)</title>
	<atom:link href="http://tetalab.org/pg/feed/" rel="self" type="application/rss+xml" />
	<link>http://tetalab.org/pg</link>
	<description>A blog using Tetalab</description>
	<lastBuildDate>Mon, 09 Nov 2009 02:36:56 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Getting pcap files from openbts</title>
		<link>http://tetalab.org/pg/2009/11/09/getting-pcap-files-from-openbts/</link>
		<comments>http://tetalab.org/pg/2009/11/09/getting-pcap-files-from-openbts/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 02:29:21 +0000</pubDate>
		<dc:creator>pong</dc:creator>
				<category><![CDATA[Non classé]]></category>

		<guid isPermaLink="false">http://tetalab.org/pg/?p=49</guid>
		<description><![CDATA[Just a few lines on getting pcap files from OpenBTS. For now it&#8217;s just a little Python script, but if I don&#8217;t feel lazy I&#8217;ll add a method directly into OpenBTS that sends layer 2 packets to a tap interface so they can be grabbed in real time. It currently uses Airprobe&#8217;s pcap dissectors, so it&#8217;s downlink only. Just for fun, [...]]]></description>
			<content:encoded><![CDATA[<p>Just a few lines on getting pcap files from OpenBTS. For now it&#8217;s just a little Python script, but if I don&#8217;t feel lazy I&#8217;ll add a method directly into OpenBTS that sends layer 2 packets to a tap interface so they can be grabbed in real time. It currently uses Airprobe&#8217;s pcap dissectors, so it&#8217;s downlink only. Just for fun, here is a screenshot.</p>
<p><a href="http://tetalab.org/pg/files/2009/11/wireshark21.png"><img class="aligncenter size-full wp-image-64" src="http://tetalab.org/pg/files/2009/11/wireshark21.png" alt="wireshark2" width="800" height="437" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://tetalab.org/pg/2009/11/09/getting-pcap-files-from-openbts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An overview of the Subscriber Identity Module file system ( Part 1. )</title>
		<link>http://tetalab.org/pg/2009/11/08/an-overview-of-the-subscriber-identity-module-file-system-part-1/</link>
		<comments>http://tetalab.org/pg/2009/11/08/an-overview-of-the-subscriber-identity-module-file-system-part-1/#comments</comments>
		<pubDate>Sun, 08 Nov 2009 04:56:21 +0000</pubDate>
		<dc:creator>pong</dc:creator>
				<category><![CDATA[Non classé]]></category>

		<guid isPermaLink="false">http://tetalab.org/pg/?p=6</guid>
		<description><![CDATA[The Subscriber Identity Module (SIM for short) is nothing more than a smartcard with specific files and directories on it. It is defined in GSM 11.11, or ETS 300 977 in the ETSI denomination. As a smartcard, communication with it goes through APDUs. You can either use a card reader or [...]]]></description>
			<content:encoded><![CDATA[<p>The Subscriber Identity Module (SIM for short) is nothing more than a smartcard with specific files and directories on it. It is defined in GSM 11.11, or ETS 300 977 in the <a href="http://www.etsi.org">ETSI</a> denomination. As a smartcard, communication with it goes through <a href="http://en.wikipedia.org/wiki/APDU">APDUs</a>. You can either use a card reader or (less commonly) a GSM modem directly to issue commands.</p>
<p>The standard command set for GSM modems is defined in &#8220;AT Command set for GSM Mobile Equipment (ME)&#8221; (TS 07.07), or just ETS 100 916. It defines a lot of commands to interact with the network or the SIM card. As I just want to explore the filesystem of my SIM, we&#8217;ll only use one command, which issues raw APDUs directly.</p>
<p><span id="more-6"></span></p>
<pre>8.17 Generic SIM access +CSIM

     Command               Possible response(s)
+CSIM=&lt;length&gt;,&lt;command&gt; +CSIM: &lt;length&gt;,&lt;response&gt;
                         +CME ERROR: &lt;err&gt;
+CSIM=?

Description
Set command transmits to the ME the &lt;command&gt; it then shall send as it is to the SIM. In the same manner the SIM
&lt;response&gt; shall be sent back by the ME to the TA as it is. Refer subclause 9.2 for &lt;err&gt; values.
This command allows a direct control of the SIM by an distant application on the TE. The TE shall then take care of
processing SIM information within the frame specified by GSM.</pre>
<p>Using the +CSIM command, you can directly issue the APDUs defined in GSM 11.11. It basically consists of the following subset (instruction byte, P1, P2, P3, and whether data is Sent to and/or Received from the card):</p>
<pre>COMMAND            INS    P1            P2           P3     S/R
SELECT             'A4'   '00'          '00'         '02'   S/R
STATUS             'F2'   '00'          '00'         lgth   R
READ BINARY        'B0'   offset high   offset low   lgth   R
UPDATE BINARY      'D6'   offset high   offset low   lgth   S
READ RECORD        'B2'   rec No.       mode         lgth   R
UPDATE RECORD      'DC'   rec No.       mode         lgth   S
SEEK               'A2'   '00'          type/mode    lgth   S/R
INCREASE           '32'   '00'          '00'         '03'   S/R
VERIFY CHV         '20'   '00'          CHV No.      '08'   S
CHANGE CHV         '24'   '00'          CHV No.      '10'   S
DISABLE CHV        '26'   '00'          '01'         '08'   S
ENABLE CHV         '28'   '00'          '01'         '08'   S
UNBLOCK CHV        '2C'   '00'          see note     '10'   S
INVALIDATE         '04'   '00'          '00'         '00'   -
REHABILITATE       '44'   '00'          '00'         '00'   -
RUN GSM ALGORITHM  '88'   '00'          '00'         '10'   S/R
SLEEP              'FA'   '00'          '00'         '00'   -
GET RESPONSE       'C0'   '00'          '00'         lgth   R
TERMINAL PROFILE   '10'   '00'          '00'         lgth   S
ENVELOPE           'C2'   '00'          '00'         lgth   S/R
FETCH              '12'   '00'          '00'         lgth   R
TERMINAL RESPONSE  '14'   '00'          '00'         lgth   S</pre>
<p>As we&#8217;ll just have a look at the filesystem of the SIM, we&#8217;ll focus on the SELECT, READ BINARY, READ RECORD and GET RESPONSE commands. To summarise, the others are either dedicated to writing to the SIM (UPDATE family) or related to the card holder (CHV family); we&#8217;ll discuss RUN GSM ALGORITHM and the SIM Application Toolkit commands (ENVELOPE, FETCH, TERMINAL PROFILE&#8230;) later.</p>
<p>Here is an overview of the filesystem that is implemented in all SIM cards:</p>
<p><img class="size-medium wp-image-18 aligncenter" src="http://tetalab.org/pg/files/2009/11/simfs-270x300.gif" alt="simfs" width="532" height="300" /></p>
<p>Basically, all files belong to the Master File (think of / on Unix). There are mainly two kinds of files: DFs (dedicated files), a kind of directory, which contain EFs (elementary files), where data is stored.</p>
<p>There are 3 kinds of EF :</p>
<ul>
<li>Transparent EF: a binary file; you access its contents by specifying a relative address (offset), and the total length is given in the header. The first byte of a transparent EF has the relative address &#8216;00 00&#8217;.</li>
<li>Linear fixed EF: consists of a sequence of records all having the same (fixed) length. A file of this type cannot have more than 255 records, and no record can be longer than 255 bytes. The first record is record number 1.</li>
<li>Cyclic EF: cyclic files are used for storing records in chronological order. When all records have been used, the next write overwrites the oldest record. An EF with a cyclic structure consists of a fixed number of records with the same (fixed) length.</li>
</ul>
<p>Just a word on access rights: as I play with a deactivated SIM card issued by an operator, I can only grant myself the CHV1 or CHV2 level, not ADM (no root dance tonight :p). This means that some files may not be updated. For example EF_IMSI (which holds the <a href="http://en.wikipedia.org/wiki/International_Mobile_Subscriber_Identity">IMSI</a>) has the following access conditions:</p>
<pre>10.3.2      EFIMSI (IMSI)
This EF contains the International Mobile Subscriber Identity (IMSI).
                   Identifier: '6F07'            Structure: transparent             Mandatory
                        File size: 9 bytes                        Update activity: low
                   Access Conditions:
                    READ                        CHV1
                    UPDATE                      ADM
                    INVALIDATE                  ADM
                    REHABILITATE                CHV1
                   Bytes                        Description                 M/O          Length
                   1          length of IMSI                                M           1 byte
                   2-9           IMSI                                       M           8 bytes</pre>
<p>So when you&#8217;re granted CHV1 (i.e. you entered your PIN code), you can read its value but neither change it nor deactivate it.</p>
<p>Although you can simply get its value by issuing the AT+CIMI command, here is the process to access it with APDUs:</p>
<ol>
<li>Select the Master File (3F00)</li>
<li>Select DF_GSM (7F20)</li>
<li>Select EF_IMSI (6F07)</li>
<li>Read 9 bytes with READ BINARY</li>
</ol>
<pre> root@ret:~# socat - file:/dev/ttyUSB0,crtscts,crnl
 AT+CSIM=14,A0A40000023F00
 +CSIM: 4,"9F22"
 OK
 AT+CSIM=14,A0A40000027F20
 +CSIM: 4,"9F22"
 OK
 AT+CSIM=14,A0A40000026F07
 +CSIM: 4,"9F0F"
 OK
 AT+CSIM=10,A0B0000009
 +CSIM: 22,"08298002xxxxx49039000"
 OK</pre>
<p>The last 4 hex digits are the status word of the command, &#8216;9000&#8217; signifying success. You may notice that on SELECT operations the status word is 9FXX, which means success with XX bytes of response data waiting. You can pull them with the GET RESPONSE command &#8216;C0&#8217;.</p>
<p>Here they are:</p>
<pre> AT+CSIM=14,A0A40000026F07
 +CSIM: 4,"9F0F"
 OK
 AT+CSIM=10,A0C000000F
 +CSIM: 34,"000000096F07040015F515010200009000"
 OK</pre>
<p>which decodes as:</p>
<pre>0000 0009 6F07 04 00 15F515 01 02 0000 9000

0000     RFU
0009     size
6F07     file id
04       file type
00       RFU
15F515   access conditions
01       file status
02       len of data following
0000     structure
9000     status word

file type 04 = EF
structure 00 = transparent
the file access is coded as follows, one hex digit each: READ|UPDATE INCREASE|RFU REHABILITATE|INVALIDATE
knowing that '0' means always, '1' CHV1, 'F' never and '4'...'E' ADM.

In case of a DF or the MF the response is slightly different.

AT+CSIM=14,A0A40000027F10
+CSIM: 4,"9F22"
OK
AT+CSIM=10,A0C0000022
+CSIM: 72,"000002407F1002001F55FF01151100050500838A838A008A000000000000000000009000"
OK

0000 0240 7F20 02 000F55FF01 15 11 00 19 05 00 83 8A 83 8A 00 8A00 000000000000000000 9000

0000                      RFU
0240                      total amount NOT allocated
7F20                      file ID
02                        file type
000F55FF01                RFU
15                        len of data
11                        file characteristics
00                        number of DF direct children of current dir
19                        number of EF direct children of current dir
05                        number of CHV and admin codes
00                        RFU
83                        CHV1 status
8A                        unblock CHV1 status
83                        CHV2 status
8A                        unblock CHV2 status
00                        RFU
8A00 000000000000000000   reserved for admin
9000                      return value</pre>
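<p>As an added example (not the post&#8217;s own script), here is a small Python decoder for the two +CSIM replies captured above: it checks the &lt;length&gt; field against the hex payload, splits off the status word, and walks the EF and DF header layouts just described. The structure codes for linear fixed (01) and cyclic (03) EFs, the CHV2 access digit (2) and the CHV status byte coding (bit 8 = initialised, low nibble = attempts left) are taken from GSM 11.11 rather than from the text above.</p>

```python
import re

CSIM_RE = re.compile(r'\+CSIM:\s*(\d+),"([0-9A-Fa-f]+)"')
ACCESS_FIELDS = ("READ", "UPDATE", "INCREASE", "RFU", "REHABILITATE", "INVALIDATE")
STRUCTURES = {0x00: "transparent", 0x01: "linear fixed", 0x03: "cyclic"}  # GSM 11.11 9.2.1
FILE_TYPES = {0x01: "MF", 0x02: "DF", 0x04: "EF"}

def parse_csim(line):
    """Return the raw bytes of a '+CSIM: <length>,"<hex>"' reply.
    <length> counts hex characters, so a truncated reply fails this check."""
    m = CSIM_RE.search(line)
    if not m or int(m.group(1)) != len(m.group(2)) or len(m.group(2)) % 2:
        raise ValueError("malformed +CSIM reply: %r" % line)
    return bytes.fromhex(m.group(2))

def status_word(data):
    """Last two bytes are SW1 SW2: 9000 = success, 9FXX = XX bytes waiting for GET RESPONSE."""
    sw1, sw2 = data[-2], data[-1]
    if (sw1, sw2) == (0x90, 0x00):
        return ("ok", 0)
    if sw1 == 0x9F:
        return ("pending", sw2)
    return ("error", (sw1 << 8) | sw2)

def access_level(nibble):
    """Access-condition digit: 0 always, 1 CHV1, F never, 4..E ADM (2 = CHV2 per GSM 11.11)."""
    fixed = {0x0: "ALWAYS", 0x1: "CHV1", 0x2: "CHV2", 0xF: "NEVER"}
    return fixed.get(nibble, "ADM" if 0x4 <= nibble <= 0xE else "RFU")

def decode_select_response(data):
    """Decode a GET RESPONSE header; the layout after byte 6 depends on the file type."""
    if status_word(data)[0] != "ok":
        raise ValueError("command failed: %r" % (status_word(data),))
    h = data[:-2]
    info = {"file_id": h[4:6].hex().upper(), "file_type": FILE_TYPES.get(h[6], "RFU")}
    if h[6] == 0x04:                                  # EF: size, access, status, structure
        info["size"] = int.from_bytes(h[2:4], "big")
        digits = [int(c, 16) for c in h[8:11].hex()]  # READ|UPDATE INCREASE|RFU REHAB|INVALIDATE
        info["access"] = dict(zip(ACCESS_FIELDS, map(access_level, digits)))
        info["invalidated"] = not (h[11] & 0x01)      # file status bit 1 clear = invalidated
        info["structure"] = STRUCTURES.get(h[13], "RFU")
        info["record_length"] = h[14]                 # 0 for a transparent EF
    else:                                             # MF/DF: free memory, children, CHV status
        info["free_memory"] = int.from_bytes(h[2:4], "big")
        info["num_df"], info["num_ef"], info["num_codes"] = h[14], h[15], h[16]
        # CHV status bytes: bit 8 = code initialised, low nibble = attempts left (GSM 11.11)
        for name, b in zip(("chv1", "unblock_chv1", "chv2", "unblock_chv2"), h[18:22]):
            info[name] = {"initialised": bool(b & 0x80), "attempts_left": b & 0x0F}
    return info
```

<p>Feed it the +CSIM lines from the socat sessions above: decode_select_response(parse_csim(line)) returns a dict, and for the EF_IMSI header it reports READ as CHV1 and UPDATE/INVALIDATE as ADM, matching the access conditions quoted from the spec.</p>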
<p>Well, that&#8217;s all for tonight; in a UNIX world we would have learned 3 fundamental commands: cd, ls and cat <img src='http://tetalab.org/pg/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> I may write a crappy Python script to gather such info; it&#8217;s stacked on my todo list, so it may be popped (or not).</p>
<p>In a next post I&#8217;ll have a deeper look at the data contained on the SIM.</p>
]]></content:encoded>
			<wfw:commentRss>http://tetalab.org/pg/2009/11/08/an-overview-of-the-subscriber-identity-module-file-system-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Intro</title>
		<link>http://tetalab.org/pg/2009/11/07/bonjour-tout-le-monde/</link>
		<comments>http://tetalab.org/pg/2009/11/07/bonjour-tout-le-monde/#comments</comments>
		<pubDate>Sat, 07 Nov 2009 10:52:42 +0000</pubDate>
		<dc:creator>pong</dc:creator>
				<category><![CDATA[Non classé]]></category>

		<guid isPermaLink="false"></guid>
		<description><![CDATA[As every walk has its first step, here is the first post on this blog. The title is self-explanatory: I&#8217;ll focus mainly on the recent developments in open-sourcing GSM.
The recent releases of the OpenBTS, OpenBSC and Airprobe projects are opening new areas of technological study. Beyond the political considerations of freeing the widely [...]]]></description>
			<content:encoded><![CDATA[<p>As every walk has its first step, here is the first post on this blog. The title is self-explanatory: I&#8217;ll focus mainly on the recent developments in open-sourcing GSM.</p>
<p>The recent releases of the <a title="OpenBTS" href="http://gnuradio.org/trac/wiki/OpenBTS">OpenBTS</a>, <a title="OpenBSC" href="http://openbsc.gnumonks.org/trac/">OpenBSC</a> and <a title="Airprobe" href="https://svn.berlin.ccc.de/projects/airprobe/">Airprobe</a> projects are opening new areas of technological study. Beyond the political considerations of freeing the widely deployed GSM technology, it&#8217;s just an amazing playground of protocols and devices.</p>
<p>Besides the networking parts, there&#8217;s also an effort to open the handset, as demonstrated by <a title="Openmoko" href="http://wiki.openmoko.org/wiki/Main_Page">Openmoko</a> and the Android platform. I&#8217;ll sometimes play with these &#8220;toys&#8221;, which are the most visible part of the &#8220;opensource mobile movement&#8221;.</p>
<p>PS: I&#8217;m not an engineer in these topics, just another geek hobbyist, so I may omit things or make some mistakes. Sorry in advance.</p>
]]></content:encoded>
			<wfw:commentRss>http://tetalab.org/pg/2009/11/07/bonjour-tout-le-monde/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>