# HG changeset patch # User Mychaela Falconia # Date 1617772697 0 # Node ID 5f73773922113f21aa57679032c387fbdd44a859 # Parent 7c9a3130fb668253f0c9c839d22c245955ed5acf doc/GrcardSIM1-notes article written diff -r 7c9a3130fb66 -r 5f7377392211 doc/GrcardSIM1-notes --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/doc/GrcardSIM1-notes Wed Apr 07 05:18:17 2021 +0000 
@@ -0,0 +1,41 @@ +As of A.D. 2021, the GSM-only SIM card model (as opposed to USIM/ISIM for LTE/5G +users) sold by Grcard company is the one which we call GrcardSIM2 - our current +FCSIM1 cards are GrcardSIM2, and this card model goes back to some time around +2013, when it was sold by Sysmocom as sysmoSIM-GR2. However, if we go back in +time a little further to around 2011, Grcard had an earlier card model which we +call GrcardSIM1 - it was sold by Sysmocom as sysmoSIM-GR1. In the present day +these original GrcardSIM1 cards are extremely scarce: Mother Mychaela got one +card from Das Signal, there may be one or two other people on the planet who +have one or two cards, but that's it - an extreme rarity. + +These GrcardSIM1 cards have one and only one special feature that makes them +interesting: supposedly they are freely reformattable, meaning that any +individual card owner can completely erase the card file system and then +recreate an entirely new one according to her liking: see our +Formatting-thoughts article. However, I said "supposedly" in the previous +sentence, referring to GrcardSIM1 free reformatting ability, because the extreme +scarcity makes it too difficult to test this ability: I (Mother Mychaela) have +only one card to play with, I am not too keen on the idea of possibly bricking +this card via incorrectly-guessed formatting commands, and there does not seem +to be much point in developing formatting tools for a card model that is no +longer available. 
+ +Aside from their unique reformatting feature, GrcardSIM1 cards have two very +notable defects compared to current GrcardSIM2 or FCSIM1: + +* GrcardSIM1 cards have a broken security model in that grcard1-set-pin1, + grcard1-set-pin2, grcard1-set-adm1 and grcard1-set-adm2 commands (or rather + the actual command APDUs sent by these fc-simtool commands) are completely + unauthenticated, meaning that all PIN security is trivially bypassable: you + can take a PIN-locked card for which you don't know the PIN, you can reset + its PIN with grcard1-set-pin1, and bingo, you have access to all private data + and the GSM authentication token which the hapless owner sought to protect + with their PIN. The same goes for ADM access: if someone set the card's ADM2 + key to some unknown secret, you can reset it back to the pySim default of + 4444444444444444 with grcard1-set-adm2 and give yourself full admin write + access, without ever knowing the previous key. + +* GrcardSIM2 (FCSIM1) cards support F=512 D=8 speed enhancement (the classic + SIM speed enhancement specified in GSM 11.11 and supported by classic GSM/2G + phones), but GrcardSIM1 cards don't support it - hence GR1 cards run in the + slowest F=372 D=1 mode.
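Review bot: the first bullet of the defects list documents that the grcard1-set-pin1, grcard1-set-pin2, grcard1-set-adm1 and grcard1-set-adm2 APDUs are completely unauthenticated, but the article stops short of stating the practical consequence for a card holder; add one sentence there making it explicit that on GrcardSIM1 the PIN and ADM keys provide no protection for Ki or the private files against anyone with physical possession of the card, so the card must be handled as if it had no PIN at all. Two smaller documentation points in the same hunk: the cross-reference "see our Formatting-thoughts article" gives no file path, so name the sibling file under doc/ (presumably doc/Formatting-thoughts, if that is its actual name) so a reader can locate it; and the reformatting paragraph spreads the caveat over several clauses ("supposedly", "too difficult to test", "not too keen on ... bricking"), so state plainly, once, that the reformatting capability is untested on this card model and that no formatting tool for it exists in this repository.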