FreeCalypso > hg > fc-pcsc-tools

changeset 224:80fc2b2f83c2

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
doc: admin programming articles added
author Mychaela Falconia <falcon@freecalypso.org>
date Wed, 10 Mar 2021 06:56:32 +0000
parents 74d4246d6c45
children 208ae1633f6c
files doc/Admin-write-commands doc/GrcardSIM2-programming
diffstat 2 files changed, 266 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/Admin-write-commands	Wed Mar 10 06:56:32 2021 +0000
@@ -0,0 +1,184 @@
+Using fc-simtool for admin-level SIM card programming
+=====================================================
+
+fc-simtool is a layered tool, and its repertoire of available commands needs to
+be viewed as consisting of 3 primary conceptual layers:
+
+* At the bottom layer there are low-level commands that correspond directly to
+  GSM 11.11 protocol operations of first SELECTing files, then reading or
+  writing those files in whole or in part with READ BINARY, READ RECORD, UPDATE
+  BINARY and UPDATE RECORD protocol commands.  This functional layer of
+  fc-simtool is documented in the Low-level-commands article.
+
+* As the next layer up, we implement higher-level commands for ordinary users
+  without special admin privileges.  SIM card specs GSM 11.11 and 3GPP TS 51.011
+  define many files such as phonebooks which ordinary users can both read and
+  write, and we provide high-level user-friendly commands for reading and
+  writing many of these files.  The same specs also define many files which
+  ordinary users can read but not write, giving ICCID, IMSI, SST and so forth -
+  we provide high-level user-friendly commands for reading many of these files.
+  These commands are documented in the User-oriented-commands article, plus a
+  few additional ones in the PLMN-list-commands article.
+
+* As the most advanced layer, we implement some high-level write commands that
+  can only work if you have admin-level access to your card, i.e., if you have
+  authenticated with the appropriate ADM key in a card-vendor-dependent manner.
+  The present article describes these advanced commands.
+
+Authentication with ADM credentials
+===================================
+
+Before you can write to any of the admin-write-only files, you first need to
+authenticate with the right credentials.  The commands for doing so are card-
+vendor-dependent, but most cards implement a non-standard extension to the
+standard VERIFY CHV command, presenting various kinds of ADM keys instead of
+basic PIN1 or PIN2.  fc-simtool verify-ext and verify-chv commands provide
+access to these extended forms of VERIFY CHV in our command shell environment;
+they are defined as follows:
+
+verify-ext P2 XXXXXXXX
+verify-hex P2 xxxxxxxxxxxxxxxx
+
+The first argument to both commands is the value to be put into the P2 field of
+the VERIFY CHV command APDU; numbers are interpreted as decimal by default
+unless preceded with 0x for hex.  verify-ext should be used if the key material
+takes the same ASCII-decimal form as is used for standard PINs and PUKs, whereas
+verify-hex allows arbitrary 64-bit keys to be given as a hex string of 8 bytes.
+
+If your card is FCSIM1 or any other branded variant of GrcardSIM2 and the
+default ADM11 (aka SUPER ADM) key hasn't been changed, you need to authenticate
+as follows:
+
+select MF
+verify-ext 11 88888888
+
+(select MF can be omitted if verify-ext 11 is the very first command in your
+ fc-simtool session.)
+
+If your card is sysmoISIM-SJA2, you need to look up the right ADM1 key in the
+key material email from Sysmocom webshop, and then authenticate as follows:
+
+verify-ext 10 XXXXXXXX
+
+If your card is sysmoUSIM-SJS1, you need to use the following special command,
+and it must be the very first command in your fc-simtool session:
+
+verify-sjs1-adm1 XXXXXXXX
+
+Actual admin file writes
+========================
+
+The few specific admin write commands implemented in fc-simtool are listed
+below.  However, please keep the following points in mind:
+
+* If there is no specific high-level write command for the file you are
+  interested in, you can always use low-level select, update-bin and update-rec
+  commands to write any file - see the Low-level-commands article.
+
+* Some files that need to be written as part of provision-time programming
+  procedures are actually writable by ordinary users, hence those write commands
+  are documented in the User-oriented-commands article.  This situation applies
+  to EF_MSISDN and EF_SMSP.  Commands for writing EF_PLMNsel and EF_FPLMN (also
+  writable by ordinary users) are documented in the PLMN-list-commands article.
+
+Finally, here are the dedicated commands for writing a few specific
+admin-write-only files:
+
+write-acc XXXX
+
+This command writes EF_ACC.  The argument must be a 4-digit hexadecimal number.
+
+write-iccid full_digits
+
+This command programs EF_ICCID with whatever string of digits you specify.  This
+fc-simtool command provides mechanism rather than policy, hence it does not
+enforce any particular number of digits (the record is padded with 'F' hex
+digits per the spec if the number string is shorter than 20 digits), nor is the
+number required to end in a matching Luhn check digit.
+
+write-iccid-sh18 shorthand-digits
+
+This command provides a higher-level user-friendly way to write ICCIDs of the
+most commonly used 18+1 format, meaning 18 content digits plus Luhn check digit.
+The shorthand entry form allows any number of 0 digits in the middle to be
+replaced with a single dash - for example, the following command:
+
+write-iccid-sh18 8988211-3
+
+will set ICCID to:
+
+8988211000000000037
+
+As the first step, the shorthand entry is expanded to 18 digits, and as the
+next step, the correct Luhn check digit is appended.
+
+write-iccid-sh19 shorthand-digits
+
+This command is similar to write-iccid-sh18, but it takes shorthand ICCIDs that
+already include the Luhn check digit at the end.  The previous example ICCID
+would be entered as:
+
+write-iccid-sh19 8988211-37
+
+After the shorthand entry is expanded to 19 digits, the Luhn formula is checked,
+and mismatching entries are rejected.  This command is intended for use cases
+where the ICCID to be programmed is printed on the plastic and needs to be
+entered as-is, but the pain of entering all those zeros in the middle is
+eliminated.
+
+write-imsi full_digits
+
+This command programs EF_IMSI with any arbitrary IMSI, which by spec may be 15
+digits or shorter.  15-digit IMSIs are most common, but shorter ones are allowed
+too, and this fc-simtool command provides mechanism rather than policy.
+
+write-imsi-sh shorthand-digits
+
+This command programs EF_IMSI with a 15-digit IMSI that can be entered in
+shorthand.  For example, the following command:
+
+write-imsi-sh 90170-001
+
+is equivalent to:
+
+write-imsi 901700000000001
+
+write-spn display_cond name
+
+The display condition code is given in hex, the name field is given in the
+FreeCalypso standard ASCII representation for GSM7 strings defined in the
+SIM-data-formats document in the freecalypso-docs repository.
+
+write-sst sst-file
+
+This command writes the SIM Service Table (SST) from the specified data file.
+The data file needs to contain service numbers separated by white space, either
+one per line or multiple numbers per line; '#' character introduces comments
+which continue to the end of the line.  If a service number is given with '^'
+suffix, that service is indicated as allocated but not activated.
+
+pnn-write rec long-name [short-name]
+
+This command writes a single EF_PNN record.  The record index and the long name
+must always be specified, the short name is optional.  Network name fields are
+given in the FreeCalypso standard ASCII representation for GSM7 strings.
+
+pnn-erase start-rec [end-rec]
+
+This command erases (fills with all FF bytes) either a single record or a range
+of records in EF_PNN.  If only one argument is specified, only one record is
+erased.  To erase a range of records, the second argument may be either a number
+or the "end" keyword.  Use 'pnn-erase 1 end' to erase the entire EF_PNN.
+
+opl-write rec mcc-mnc start-lac end-lac pnn-index
+
+This command writes a single EF_OPL record.  rec is the EF_OPL record index to
+write into, the remaining arguments give the content of the record exactly per
+3GPP TS 51.011.
+
+opl-erase start-rec [end-rec]
+
+This command erases (fills with all FF bytes) either a single record or a range
+of records in EF_OPL.  If only one argument is specified, only one record is
+erased.  To erase a range of records, the second argument may be either a number
+or the "end" keyword.  Use 'opl-erase 1 end' to erase the entire EF_OPL.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/GrcardSIM2-programming	Wed Mar 10 06:56:32 2021 +0000
@@ -0,0 +1,82 @@
+The card model which we call GrcardSIM2 is one of the many smart card models
+made and sold by Grcard in China.  As of this writing (2021-03) and going back
+to somewhere around 2013, it is the card model they sell when a customer asks
+for a GSM-only SIM card, as opposed to USIM cards for UMTS/LTE/etc.  This card
+model was once resold by Sysmocom as sysmoSIM-GR2, and we are hoping to get a
+batch of our own FreeCalypso-branded version which we call FCSIM1.
+
+Our fc-simtool supports full programming of these cards: you can take a card
+whose initial state is "blank" or unprogrammed, or a card with some previous
+programming, and you can program it to your own liking using fc-simtool.  For
+the purpose of programming this particular card model (as opposed to USIM/ISIM
+cards), our fc-simtool offers the following advantages over well-known
+competitor pySim-prog:
+
+* These cards support all 3 versions of COMP128 algorithm (v1, v2 and v3), but
+  pySim-prog unconditionally selects COMP128v1.  Our grcard2-set-comp128 command
+  allows any of the 3 algorithm versions to be selected, and in the Mother's
+  opinion it makes no sense to select any version other than COMP128v3 for new
+  GSM network deployments.
+
+* These cards have a fairly sophisticated security model with two different ADM
+  access levels: see GrcardSIM2-security-model article for the details.
+  pySim-prog support for this security model is fundamentally broken: it
+  authenticates with ADM11 as required for writing Ki, but does not support any
+  option of changing this key to a secure one, as would be required in any
+  application where traditional SIM security is desired.  OTOH, pySim-prog
+  needlessly resets ADM5, even though they could have left it alone - ADM11 by
+  itself is sufficient for writing to all files.
+
+* Further on the security model, GrcardSIM2 cards allow admins to reset
+  PIN1/PIN2/PUK1/PUK2 secret codes after authenticating with ADM5 or ADM11 -
+  this mechanism is the only way to reset PUK1 and PUK2 if the previous codes
+  are unknown.  pySim-prog provides no support for setting PIN/PUK codes.
+
+* fc-simtool allows every single file in the card file system to be written as
+  you like.  Absolutely any file can be read and written in raw hex, and we also
+  provide high-level read and write commands for most files.  In contrast,
+  pySim-prog implements a rigid and inflexible programming model, writing only
+  a few files and only in one very limited way.
+
+Using fc-simtool to program GrcardSIM2 cards
+============================================
+
+To begin with, you must know the ADM11 (aka SUPER ADM) secret code for your
+card.  If you got your card directly from Grcard factory or from a reseller such
+as FreeCalypso who leaves this default ADM11 key unchanged, your ADM11 key is
+ASCII-decimal 88888888, and you need to authenticate as follows:
+
+verify-ext 11 88888888
+
+If the previous owner of your card changed this ADM11 key to something else, or
+if you had Grcard factory program cards for you with different ADM keys, then
+you need to know what the ADM11 secret is - if it is lost, there is no recovery,
+and you have to get a new card.  If you have a non-default ADM11 key, you need
+to enter it using either verify-ext 11 or verify-hex 11 command, depending on
+whether the key falls into the restricted ASCII-decimal subset or not.  In any
+case, this verify-ext 11 or verify-hex 11 command should ideally be the first
+command in your fc-simtool session; if it is not the first command in the
+session, then it needs to be preceded with select MF.
+
+Once you have authenticated with ADM11, you are ready to run your programming
+scripts.  Because fc-simtool is not a "one size fits all" tool like pySim-prog,
+but rather a fully generalized command shell that allows you to poke at whatever
+files you like in whatever order and manner you like, practical SIM programming
+should be done with customized command scripts.  Furthermore, we recommend that
+you split your custom programming scripts into two levels:
+
+1) You should have one command script which you install under
+   /opt/freecalypso/sim-scripts that programs SIMs appropriately for your GSM
+   network.  This script should be the same for all of your cards, programming
+   SST, PLMN selection (PLMNsel and FPLMN) and branding files SPN, PNN and OPL.
+   See our fcsim1-defprog script for a starting point.
+
+2) Per-card settings like ICCID, IMSI, ACC and Ki can only be set either
+   manually (OK for one or two cards, but doesn't scale), or by way of custom
+   front end or wrapper programs that generate and execute one-time fc-simtool
+   command scripts.  We plan on implementing one such front end tool once we
+   get our FCSIM1 card batch made.
+
+Please refer to Admin-write-commands, GrcardSIM2-WEKI-file and
+GrcardSIM2-security-model articles for commands to be used in crafting your
+custom programming scripts.