comparison doc/ADM-PIN-numbering @ 64:dba24129027e
doc/ADM-PIN-numbering article written
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Tue, 23 Mar 2021 23:30:00 +0000 |
| parents | |
| children | c9c2a8d954ba |
| 63:f4eb486aab40 | 64:dba24129027e |
|---|---|
| 1 ADM access conditions | |
| 2 ===================== | |
| 3 | |
| 4 The response to SELECT of any EF in the classic GSM 11.11 SIM protocol carries | |
| 5 3 bytes that indicate access conditions for the selected file - or more | |
| 6 precisely, 5 nibbles that indicate access conditions plus one reserved nibble. | |
| 7 Each access condition nibble has the following encoding per standard specs | |
| 8 (GSM TS 11.11 and 3GPP TS 51.011): | |
| 9 | |
| 10 Code Meaning | |
| 11 --------------- | |
| 12 0 ALW | |
| 13 1 CHV1 | |
| 14 2 CHV2 | |
| 15 3 RFU | |
| 16 4-14 ADM | |
| 17 15 NEV | |
| 18 | |
| 19 Access condition codes 4 through 14 (0x4 through 0xE) are defined merely as ADM | |
| 20 by the standard specs, without further distinction. However, those of us who | |
| 21 work with SIM cards on a tinkering or reverse engineering level and thus need | |
| 22 to fully decode SIM SELECT responses for intelligent analysis need to somehow | |
| 23 distinguish between these 11 possible ADM access levels, thus we had to make up | |
| 24 some scheme of our own for naming different ADMn access levels. | |
| 25 | |
| 26 Unfortunately it just so happened that FC SIM tools and Grcard have come up with | |
| 27 two different ADMn naming conventions. I (Mother Mychaela) feel that it is too | |
| 28 late now to change our FC SIM tools ADMn naming convention, and of course it is | |
| 29 not our place to tell Grcard company to change theirs. Therefore, the only | |
| 30 remaining solution is to clearly document both naming conventions and just live | |
| 31 with there being two different ones. | |
| 32 | |
| 33 In the FC SIM tools convention, the 11 possible ADM access levels for EFs are | |
| 34 named ADM4 through ADM14 - the 'n' in ADMn directly matches the nibble value | |
| 35 carried in the SIM protocol. This convention is used by fc-simtool select and | |
| 36 readef commands when they display the access conditions returned by the SIM. | |
| 37 | |
| 38 The convention used by Grcard names these 11 possible ADM access levels ADM1 | |
| 39 through ADM11 instead. As a result of this number shift, what Grcard call ADM1 | |
| 40 is ADM4 to us, what Grcard call ADM2 is ADM5 to us, and so forth. | |
| 41 | |
| 42 ADM key IDs in VERIFY CHV commands | |
| 43 ================================== | |
| 44 | |
| 45 Standard specs are silent on the question of exactly how administrative entities | |
| 46 authenticate themselves to the card to gain various ADM access levels, but most | |
| 47 card vendors implement an extended form of the standard VERIFY CHV command in | |
| 48 which the key ID in P2 is not 1 or 2 (standard CHV1 and CHV2), but some other | |
| 49 code identifying ADM keys and corresponding access levels. | |
| 50 | |
| 51 There is no requirement that P2 key IDs in the extended VERIFY CHV command used | |
| 52 for ADM authentication have to correspond to the codes used to denote EF access | |
| 53 conditions. However, on the traditional SIM (not UICC/USIM/ISIM) cards made by | |
| 54 Grcard, these two separate places in the binary protocol do use the same codes: | |
| 55 for example, if a given EF has an access condition indicated as code 5 in the | |
| 56 protocol (called ADM5 by us or ADM2 by Grcard), then the corresponding ADM | |
| 57 authentication has to be done with a VERIFY CHV command with P2=05. | |
| 58 | |
| 59 ADM PIN numbers on Grcard SIM cards | |
| 60 =================================== | |
| 61 | |
| 62 We are aware of two different card models from Grcard that are specifically GSM | |
| 63 SIM, rather than UICC/USIM/ISIM. (The latter kind also exist of course, but we | |
| 64 have no interest in them.) The first such model is what we call GrcardSIM1 | |
| 65 (previously sold by Sysmocom as sysmoSIM-GR1), and the other model is what we | |
| 66 call GrcardSIM2 - previously sold by Sysmocom as sysmoSIM-GR2, and now being | |
| 67 reintroduced as FreeCalypso Community SIM model FCSIM1. | |
| 68 | |
| 69 GrcardSIM1 cards are currently understood very poorly because they are extremely | |
| 70 difficult to obtain in the present time (2021). However, they seem to have two | |
| 71 different ADM access levels which Grcard officially call ADM1 and ADM2. In our | |
| 72 FC SIM tools naming convention these ADM access levels become ADM4 and ADM5, | |
| 73 respectively. | |
| 74 | |
| 75 GrcardSIM2 cards are understood much better because unlike GrcardSIM1, they are | |
| 76 readily available from Grcard in the present time. They have two different ADM | |
| 77 access levels that are fully explained in the GrcardSIM2-security-model article, | |
| 78 and these two ADM levels are known by different names: | |
| 79 | |
| 80 * Osmocom wiki page for GrcardSIM2 calls them ADM and SUPER ADM; | |
| 81 | |
| 82 * For our FCSIM1 version of this card, we've named them ADM5 and ADM11, going | |
| 83 by the numbers that appear in the actual binary protocol; | |
| 84 | |
| 85 * Looking at Grcard's own documentation (see doc/vendor/grcard2-person-script), | |
| 86 one can see that Grcard engineers refer to them as ADM2 and ADM8, following | |
| 87 the numbering shift explained earlier in this article. |
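Review bot: the FC-to-Grcard ADMn correspondence is given only in prose ("what Grcard call ADM1 is ADM4 to us, what Grcard call ADM2 is ADM5 to us, and so forth", file lines 38-40), so a reader decoding a SELECT response still has to do the +3 arithmetic by hand; consider adding a two-column table after that paragraph listing all 11 levels side by side (FC ADM4 through ADM14 against Grcard ADM1 through ADM11, with the protocol nibble value alongside), so the GrcardSIM2 pair named at the end of the article (ADM5/ADM11 in FC naming, ADM2/ADM8 in Grcard's own script) can be checked against it at a glance.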
