changeset 18:da6e9d0b2ee6

data, doc, scripts: import from previous fc-pcsc-tools repo
author Mychaela Falconia <falcon@freecalypso.org>
date Sun, 14 Mar 2021 07:57:09 +0000
parents 372ecc4aa2c4
children 9ff94f80fcb5
files data/grcard2-blank-state data/grcard2-fs-tree data/sja2-mf-tree data/sja2-usim-tree doc/Admin-write-commands doc/Brute-force-search doc/GrcardSIM2-WEKI-file doc/GrcardSIM2-programming doc/GrcardSIM2-security-model doc/Low-level-commands doc/PLMN-list-commands doc/Simtool-command-shell doc/Sysmocom-SIM-notes doc/User-oriented-commands scripts/fcsim1-default-pins scripts/fcsim1-defprog scripts/fcsim1-sst scripts/grcard2-read-all
diffstat 18 files changed, 3075 insertions(+), 0 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/data/grcard2-blank-state	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,798 @@
+# The following data capture is the output of the grcard2-read-all
+# script when run on a completely "blank" GrcardSIM2 card, i.e.,
+# a card that has been sold by Grcard without any custom programming,
+# like the sample cards which Mother Mychaela received in 2021-02.
+#
+# Note the garbage in PLMNsel, FPLMN, LOCI and OPL files, and note
+# that the programming of SST is bogus (does not match the actually
+# present set of EFs).
+
+Script command: select MF
+File type: MF
+File characteristics: BB
+Number of DF children: 3
+Number of EF children: 3
+Number of secret codes: 4
+Status of PIN1: initialized, 3 attempts left
+Status of PUK1: initialized, 10 attempts left
+Status of PIN2: initialized, 3 attempts left
+Status of PUK2: initialized, 10 attempts left
+Script command: verify-ext 11 88888888
+Script command: readef 2F01 # EF.ATR
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 18 byte(s)
+0000:  11 7D 94 00 00 55 55 53  0A 74 86 93 0B 24 7C 4D  .}...UUS.t...$|M
+0010:  54 68                                             Th
+Script command: readef 2FE2 # ICCID
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 10 byte(s)
+0000:  FF FF FF FF FF FF FF FF  FF FF                    ..........
+Script command: select 8A9B # READ BINARY fails!
+File type: EF
+File size: 112
+Structure: transparent
+File status: 01
+Access condition for UPDATE: NEV
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ALW
+Access condition for REHABILITATE: ALW
+Script command: select 2700
+File type: DF
+File characteristics: BB
+Number of DF children: 0
+Number of EF children: 1
+Number of secret codes: 4
+Status of PIN1: initialized, 2 attempts left
+Status of PUK1: initialized, 2 attempts left
+Status of PIN2: initialized, 2 attempts left
+Status of PUK2: initialized, 2 attempts left
+Script command: readef 6F00
+Access condition for UPDATE: ALW
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ALW
+Access condition for REHABILITATE: ALW
+File status: 01
+Transparent EF of 336 byte(s)
+0000:  00 18 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
+0010:  00 00 00 00 00 00 00 00  00 00 00 02 06 00 00 02  ................
+0020:  06 00 00 02 06 00 00 02  06 00 00 02 06 00 00 02  ................
+0030:  06 00 00 02 06 00 00 02  06 00 00 02 06 00 00 02  ................
+0040:  06 00 00 02 06 00 00 02  06 00 00 02 06 00 00 02  ................
+0050:  06 00 00 02 06 00 00 02  06 00 00 02 06 00 FF FF  ................
+0060:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0070:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0080:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0090:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00A0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00B0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00C0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00D0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00E0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00F0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0100:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0110:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0120:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0130:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0140:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+Script command: select DF_TELECOM
+File type: DF
+File characteristics: BB
+Number of DF children: 0
+Number of EF children: 17
+Number of secret codes: 4
+Status of PIN1: initialized, 3 attempts left
+Status of PUK1: initialized, 10 attempts left
+Status of PIN2: initialized, 3 attempts left
+Status of PUK2: initialized, 10 attempts left
+Script command: select 0000 # READ BINARY fails!
+File type: EF
+File size: 20
+Structure: transparent
+File status: 01
+Access condition for UPDATE: NEV
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ALW
+Access condition for REHABILITATE: ALW
+Script command: readef 5F00
+Access condition for UPDATE: ADM11
+Access condition for READ & SEEK: ADM11
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM11
+Access condition for REHABILITATE: ADM11
+File status: 01
+Transparent EF of 2 byte(s)
+0000:  FF FF                                             ..
+Script command: readef 5F01
+Access condition for UPDATE: ADM11
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM11
+Access condition for REHABILITATE: ADM11
+File status: 01
+Transparent EF of 62 byte(s)
+0000:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0010:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0020:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0030:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF        ..............
+Script command: select 6F3A # ADN
+File type: EF
+File size: 7000
+Structure: linear fixed
+Record length: 28
+Number of records: 250
+File status: 01
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: CHV2
+Access condition for REHABILITATE: CHV2
+Script command: pb-dump adn
+Script command: select 6F3B # FDN
+File type: EF
+File size: 280
+Structure: linear fixed
+Record length: 28
+Number of records: 10
+File status: 01
+Access condition for UPDATE: CHV2
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+Script command: pb-dump fdn
+Script command: select 6F3C # SMS
+File type: EF
+File size: 8800
+Structure: linear fixed
+Record length: 176
+Number of records: 50
+File status: 01
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+Script command: readef 6F3D # CCP
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+5 records of 14 bytes (linear fixed)
+Record #1:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF        ..............
+Record #2:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF        ..............
+Record #3:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF        ..............
+Record #4:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF        ..............
+Record #5:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF        ..............
+Script command: select 6F40 # MSISDN
+File type: EF
+File size: 56
+Structure: linear fixed
+Record length: 28
+Number of records: 2
+File status: 01
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+Script command: pb-dump msisdn
+Script command: select 6F42 # SMSP
+File type: EF
+File size: 200
+Structure: linear fixed
+Record length: 40
+Number of records: 5
+File status: 01
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+Script command: smsp-dump
+#1: ""
+#2: ""
+#3: ""
+#4: ""
+#5: ""
+Script command: readef 6F43 # SMSS
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 2 byte(s)
+0000:  FF FF                                             ..
+Script command: select 6F44 # LND
+File type: EF
+File size: 280
+Structure: cyclic
+Record length: 28
+Number of records: 10
+File status: 01
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+Script command: lnd-dump
+Script command: readef 6F4A # EXT1
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+10 records of 13 bytes (linear fixed)
+Record #1:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Record #2:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Record #3:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Record #4:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Record #5:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Record #6:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Record #7:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Record #8:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Record #9:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Record #10:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Script command: readef 6F4B # EXT2
+Access condition for UPDATE: CHV2
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+3 records of 13 bytes (linear fixed)
+Record #1:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Record #2:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Record #3:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF           .............
+Script command: readef 6FFB
+Access condition for UPDATE: ADM11
+Access condition for READ & SEEK: ADM11
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM11
+Access condition for REHABILITATE: ADM11
+File status: 01
+5 records of 116 bytes (linear fixed)
+Record #1:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+10:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+20:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+30:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+40:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+50:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+60:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+70:  FF FF FF FF                                       ....
+Record #2:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+10:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+20:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+30:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+40:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+50:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+60:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+70:  FF FF FF FF                                       ....
+Record #3:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+10:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+20:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+30:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+40:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+50:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+60:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+70:  FF FF FF FF                                       ....
+Record #4:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+10:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+20:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+30:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+40:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+50:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+60:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+70:  FF FF FF FF                                       ....
+Record #5:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+10:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+20:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+30:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+40:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+50:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+60:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+70:  FF FF FF FF                                       ....
+Script command: readef 6FFC
+Access condition for UPDATE: ADM11
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM11
+Access condition for REHABILITATE: ADM11
+File status: 01
+Transparent EF of 51 byte(s)
+0000:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0010:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0020:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0030:  FF FF FF                                          ...
+Script command: readef 6FFD
+Access condition for UPDATE: ADM11
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM11
+Access condition for REHABILITATE: ADM11
+File status: 01
+Transparent EF of 62 byte(s)
+0000:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0010:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0020:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0030:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF        ..............
+Script command: readef 6FFE
+Access condition for UPDATE: ADM11
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM11
+Access condition for REHABILITATE: ADM11
+File status: 01
+Transparent EF of 66 byte(s)
+0000:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0010:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0020:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0030:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0040:  FF FF                                             ..
+Script command: select DF_GSM
+File type: DF
+File characteristics: BB
+Number of DF children: 0
+Number of EF children: 30
+Number of secret codes: 4
+Status of PIN1: initialized, 3 attempts left
+Status of PUK1: initialized, 10 attempts left
+Status of PIN2: initialized, 3 attempts left
+Status of PUK2: initialized, 10 attempts left
+Script command: select 0000 # READ BINARY fails!
+File type: EF
+File size: 20
+Structure: transparent
+File status: 01
+Access condition for UPDATE: NEV
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ALW
+Access condition for REHABILITATE: ALW
+Script command: readef 0001
+Access condition for UPDATE: ADM11
+Access condition for READ & SEEK: ADM11
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM11
+Access condition for REHABILITATE: ADM11
+File status: 01
+Transparent EF of 35 byte(s)
+0000:  00 10 20 FF FF FF FF FF  FF FF FF FF FF FF FF FF  .. .............
+0010:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0020:  FF FF FF                                          ...
+Script command: readef 000A
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: ADM5
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM11
+Access condition for REHABILITATE: ADM11
+File status: 01
+Transparent EF of 384 byte(s)
+0000:  1E 84 80 FF 00 21 B6 FF  FF FF FF FF FF FF FF FF  .....!..........
+0010:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0020:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0030:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0040:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0050:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0060:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0070:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0080:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0090:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00A0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00B0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00C0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00D0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00E0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00F0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0100:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0110:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0120:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0130:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0140:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0150:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0160:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0170:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+Script command: readef 000B
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: ADM5
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM11
+Access condition for REHABILITATE: ADM11
+File status: 01
+Transparent EF of 1024 byte(s)
+0000:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0010:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0020:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0030:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0040:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0050:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0060:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0070:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0080:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0090:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00A0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00B0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00C0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00D0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00E0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+00F0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0100:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0110:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0120:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0130:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0140:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0150:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0160:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0170:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0180:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0190:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+01A0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+01B0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+01C0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+01D0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+01E0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+01F0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0200:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0210:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0220:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0230:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0240:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0250:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0260:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0270:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0280:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0290:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+02A0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+02B0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+02C0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+02D0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+02E0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+02F0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0300:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0310:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0320:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0330:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0340:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0350:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0360:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0370:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0380:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0390:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+03A0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+03B0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+03C0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+03D0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+03E0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+03F0:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+Script command: readef 6F05 # LP
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 4 byte(s)
+0000:  FF FF FF FF                                       ....
+Script command: readef 6F07 # IMSI
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: CHV1
+File status: 01
+Transparent EF of 9 byte(s)
+0000:  FF FF FF FF FF FF FF FF  FF                       .........
+Script command: readef 6F20 # Kc
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 9 byte(s)
+0000:  FF FF FF FF FF FF FF FF  07                       .........
+Script command: select 6F30 # PLMNsel
+File type: EF
+File size: 240
+Structure: transparent
+File status: 01
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+Script command: plmnsel-dump
+460-00  460-02  525-01  440-10  310-170 234-15  222-10  502-12  455-01  214-01 
+520-01  240-01  244-91  250-99  404-10  238-01  206-20  232-01  450-08  242-01 
+286-01  420-03  452-02  272-01  602-02  410-04  230-01  401-02  724-02  231-01 
+276-02 
+Script command: readef 6F31 # HPLMN
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 1 byte(s)
+0000:  50                                                P
+Script command: readef 6F37 # ACMmax
+Access condition for UPDATE: CHV2
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 3 byte(s)
+0000:  00 00 00                                          ...
+Script command: readef 6F38 # SST
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 15 byte(s)
+0000:  FF 3F FF FF 03 00 FF F3  00 00 00 0F F0 C0 00     .?.............
+Script command: sst
+1 2 3 4 5 6 7 9 10 11 12 13 14 15 16 17 25 26 27 28 29 31 32 45 46 51 52 56
+Script command: readef 6F39 # ACM
+Access condition for UPDATE: CHV2
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: CHV1
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+15 records of 3 bytes (cyclic)
+Record #1:
+00:  00 00 00                                          ...
+Record #2:
+00:  00 00 00                                          ...
+Record #3:
+00:  00 00 00                                          ...
+Record #4:
+00:  00 00 00                                          ...
+Record #5:
+00:  00 00 00                                          ...
+Record #6:
+00:  00 00 00                                          ...
+Record #7:
+00:  00 00 00                                          ...
+Record #8:
+00:  00 00 00                                          ...
+Record #9:
+00:  00 00 00                                          ...
+Record #10:
+00:  00 00 00                                          ...
+Record #11:
+00:  00 00 00                                          ...
+Record #12:
+00:  00 00 00                                          ...
+Record #13:
+00:  00 00 00                                          ...
+Record #14:
+00:  00 00 00                                          ...
+Record #15:
+00:  00 00 00                                          ...
+Script command: readef 6F3E # GID1
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 4 byte(s)
+0000:  FF FF FF FF                                       ....
+Script command: readef 6F3F # GID2
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 4 byte(s)
+0000:  FF FF FF FF                                       ....
+Script command: readef 6F41 # PUCT
+Access condition for UPDATE: CHV2
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 5 byte(s)
+0000:  FF FF FF 00 00                                    .....
+Script command: readef 6F45 # CBMI
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 40 byte(s)
+0000:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0010:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0020:  FF FF FF FF FF FF FF FF                           ........
+Script command: readef 6F46 # SPN
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 17 byte(s)
+0000:  00 FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0010:  FF                                                .
+Script command: readef 6F48 # CBMID
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 20 byte(s)
+0000:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+0010:  FF FF FF FF                                       ....
+Script command: readef 6F52 # KcGPRS
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: CHV1
+File status: 01
+Transparent EF of 9 byte(s)
+0000:  FF FF FF FF FF FF FF FF  07                       .........
+Script command: readef 6F53 # LOCIGPRS
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: CHV1
+File status: 01
+Transparent EF of 14 byte(s)
+0000:  FF FF FF FF FF FF FF FF  FF FF FF FE FF 01        ..............
+Script command: readef 6F54 # SUME
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: ADM5
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 23 byte(s)
+0000:  85 07 46 6F 72 74 65 73  74 FF FF FF FF FF FF FF  ..Fortest.......
+0010:  FF FF FF FF FF FF FF                              .......
+Script command: readef 6F74 # BCCH
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 16 byte(s)
+0000:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+Script command: readef 6F78 # ACC
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 2 byte(s)
+0000:  FF FF                                             ..
+Script command: readef 6F7B # FPLMN
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 12 byte(s)
+0000:  64 F0 10 64 F0 40 FF FF  FF FF FF FF              d..d.@......
+Script command: fplmn-dump
+460-01  460-04  -blank- -blank-
+Script command: readef 6F7E # LOCI
+Access condition for UPDATE: CHV1
+Access condition for READ & SEEK: CHV1
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: CHV1
+File status: 01
+Transparent EF of 11 byte(s)
+0000:  FF FF FF FF 64 F0 00 00  00 FF 01                 ....d......
+Script command: readef 6FAD # AD
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 3 byte(s)
+0000:  00 00 00                                          ...
+Script command: readef 6FAE # PHASE
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM5
+Access condition for REHABILITATE: ADM5
+File status: 01
+Transparent EF of 1 byte(s)
+0000:  03                                                .
+Script command: readef 6FAF # proprietary?
+Access condition for UPDATE: ADM11
+Access condition for READ & SEEK: ADM11
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: ADM11
+Access condition for REHABILITATE: ADM11
+File status: 01
+Transparent EF of 113 byte(s)
+0000:  00 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
+0010:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
+0020:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
+0030:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
+0040:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
+0050:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
+0060:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
+0070:  00                                                .
+Script command: readef 6FC5 # PNN
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: CHV1
+Access condition for REHABILITATE: ADM5
+File status: 01
+1 records of 32 bytes (linear fixed)
+Record #1:
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+10:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ................
+Script command: pnn-dump
+Script command: select 6FC6 # OPL
+File type: EF
+File size: 64
+Structure: linear fixed
+Record length: 8
+Number of records: 8
+File status: 01
+Access condition for UPDATE: ADM5
+Access condition for READ & SEEK: ALW
+Access condition for INCREASE: NEV
+Access condition for INVALIDATE: CHV1
+Access condition for REHABILITATE: ADM5
+Script command: opl-dump
+#1: 640-04 0000-FFFE 1
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/data/grcard2-fs-tree	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,92 @@
+# The following data capture is the output of a brute force search
+# (fc-simtool bfsearch-mf command) of the file system tree
+# of a GrcardSIM2 card (the name by which this card model is known
+# in the Osmocom community, believed to be the same card as sysmoSIM-GR2
+# from 2013) which Mother Mychaela received as a sample from grcard.cn
+# in 2021-02.
+
+3F00/2700: DF
+3F00/2F01: EF, transparent, length 18
+3F00/2FE2: EF, transparent, length 10
+3F00/7F10: DF
+3F00/7F20: DF
+3F00/7F21: DF
+3F00/8A9B: EF, transparent, length 112
+3F00/2700/6F00: EF, transparent, length 336
+3F00/7F10/0000: EF, transparent, length 20
+3F00/7F10/5F00: EF, transparent, length 2
+3F00/7F10/5F01: EF, transparent, length 62
+3F00/7F10/6F3A: EF, linear fixed, record length 28, 250 records
+3F00/7F10/6F3B: EF, linear fixed, record length 28, 10 records
+3F00/7F10/6F3C: EF, linear fixed, record length 176, 50 records
+3F00/7F10/6F3D: EF, linear fixed, record length 14, 5 records
+3F00/7F10/6F40: EF, linear fixed, record length 28, 2 records
+3F00/7F10/6F42: EF, linear fixed, record length 40, 5 records
+3F00/7F10/6F43: EF, transparent, length 2
+3F00/7F10/6F44: EF, cyclic, record length 28, 10 records
+3F00/7F10/6F4A: EF, linear fixed, record length 13, 10 records
+3F00/7F10/6F4B: EF, linear fixed, record length 13, 3 records
+3F00/7F10/6FFB: EF, linear fixed, record length 116, 5 records
+3F00/7F10/6FFC: EF, transparent, length 51
+3F00/7F10/6FFD: EF, transparent, length 62
+3F00/7F10/6FFE: EF, transparent, length 66
+3F00/7F20/0000: EF, transparent, length 20
+3F00/7F20/0001: EF, transparent, length 35
+3F00/7F20/000A: EF, transparent, length 384
+3F00/7F20/000B: EF, transparent, length 1024
+3F00/7F20/6F05: EF, transparent, length 4
+3F00/7F20/6F07: EF, transparent, length 9
+3F00/7F20/6F20: EF, transparent, length 9
+3F00/7F20/6F30: EF, transparent, length 240
+3F00/7F20/6F31: EF, transparent, length 1
+3F00/7F20/6F37: EF, transparent, length 3
+3F00/7F20/6F38: EF, transparent, length 15
+3F00/7F20/6F39: EF, cyclic, record length 3, 15 records
+3F00/7F20/6F3E: EF, transparent, length 4
+3F00/7F20/6F3F: EF, transparent, length 4
+3F00/7F20/6F41: EF, transparent, length 5
+3F00/7F20/6F45: EF, transparent, length 40
+3F00/7F20/6F46: EF, transparent, length 17
+3F00/7F20/6F48: EF, transparent, length 20
+3F00/7F20/6F52: EF, transparent, length 9
+3F00/7F20/6F53: EF, transparent, length 14
+3F00/7F20/6F54: EF, transparent, length 23
+3F00/7F20/6F74: EF, transparent, length 16
+3F00/7F20/6F78: EF, transparent, length 2
+3F00/7F20/6F7B: EF, transparent, length 12
+3F00/7F20/6F7E: EF, transparent, length 11
+3F00/7F20/6FAD: EF, transparent, length 3
+3F00/7F20/6FAE: EF, transparent, length 1
+3F00/7F20/6FAF: EF, transparent, length 113
+3F00/7F20/6FC5: EF, linear fixed, record length 32, 1 records
+3F00/7F20/6FC6: EF, linear fixed, record length 8, 8 records
+3F00/7F21/0000: EF, transparent, length 20
+3F00/7F21/0001: EF, transparent, length 35
+3F00/7F21/000A: EF, transparent, length 384
+3F00/7F21/000B: EF, transparent, length 1024
+3F00/7F21/6F05: EF, transparent, length 4
+3F00/7F21/6F07: EF, transparent, length 9
+3F00/7F21/6F20: EF, transparent, length 9
+3F00/7F21/6F30: EF, transparent, length 240
+3F00/7F21/6F31: EF, transparent, length 1
+3F00/7F21/6F37: EF, transparent, length 3
+3F00/7F21/6F38: EF, transparent, length 15
+3F00/7F21/6F39: EF, cyclic, record length 3, 15 records
+3F00/7F21/6F3E: EF, transparent, length 4
+3F00/7F21/6F3F: EF, transparent, length 4
+3F00/7F21/6F41: EF, transparent, length 5
+3F00/7F21/6F45: EF, transparent, length 40
+3F00/7F21/6F46: EF, transparent, length 17
+3F00/7F21/6F48: EF, transparent, length 20
+3F00/7F21/6F52: EF, transparent, length 9
+3F00/7F21/6F53: EF, transparent, length 14
+3F00/7F21/6F54: EF, transparent, length 23
+3F00/7F21/6F74: EF, transparent, length 16
+3F00/7F21/6F78: EF, transparent, length 2
+3F00/7F21/6F7B: EF, transparent, length 12
+3F00/7F21/6F7E: EF, transparent, length 11
+3F00/7F21/6FAD: EF, transparent, length 3
+3F00/7F21/6FAE: EF, transparent, length 1
+3F00/7F21/6FAF: EF, transparent, length 113
+3F00/7F21/6FC5: EF, linear fixed, record length 32, 1 records
+3F00/7F21/6FC6: EF, linear fixed, record length 8, 8 records
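Review bot: The header comment of data/grcard2-fs-tree does not say how the 3F00/7F21 listing relates to 3F00/7F20, although the two sets of 30 entries match in file ID, structure and size. Anyone using this capture to audit the card's access conditions needs to know whether a write under one path also changes the other, and the search output alone cannot tell an aliased DF from an independent copy. I would add a header line such as `# 7F21 lists the same EFs as 7F20; this search does not show whether it is an alias of the same DF or a separate copy.` File IDs such as 8A9B and 2700/6F00 look vendor-specific (not confirmed from this capture) and could be flagged in the same comment.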
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/data/sja2-mf-tree	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,252 @@
+# The following data capture is the output of a brute force search
+# (fc-uicc-tool bfsearch-mf command) of the main (MF-based) file
+# system tree of a sysmoISIM-SJA2 card, bought from Sysmocom webshop
+# in 2021-02.
+
+3F00/0001: file desc 0x41, total size 112
+3F00/2F00: file desc 0x42, total size 344, 8 records of 43 bytes
+3F00/2F05: file desc 0x41, total size 10
+3F00/2F06: file desc 0x42, total size 550, 5 records of 110 bytes
+3F00/2F07: file desc 0x41, total size 8
+3F00/2F08: file desc 0x41, total size 5
+3F00/2FE2: file desc 0x41, total size 10
+3F00/7F10: file desc 0x78, DF
+3F00/7F11: file desc 0x78, DF
+3F00/7F20: file desc 0x78, DF
+3F00/7F25: file desc 0x78, DF
+3F00/7F90: file desc 0x78, DF
+3F00/A515: file desc 0x78, DF
+3F00/ABCD: file desc 0x78, DF
+3F00/FF01: file desc 0x78, DF
+3F00/7F10/5F3A: file desc 0x78, DF
+3F00/7F10/5F3C: file desc 0x78, DF
+3F00/7F10/5F3D: file desc 0x78, DF
+3F00/7F10/5F3E: file desc 0x78, DF
+3F00/7F10/6F06: file desc 0x42, total size 1760, 16 records of 110 bytes
+3F00/7F10/6F3A: file desc 0x42, total size 8500, 250 records of 34 bytes
+3F00/7F10/6F3B: file desc 0x42, total size 560, 20 records of 28 bytes
+3F00/7F10/6F3C: file desc 0x42, total size 5280, 30 records of 176 bytes
+3F00/7F10/6F40: file desc 0x42, total size 204, 6 records of 34 bytes
+3F00/7F10/6F42: file desc 0x42, total size 104, 2 records of 52 bytes
+3F00/7F10/6F43: file desc 0x41, total size 2
+3F00/7F10/6F44: file desc 0x46, total size 680, 20 records of 34 bytes
+3F00/7F10/6F47: file desc 0x42, total size 600, 20 records of 30 bytes
+3F00/7F10/6F49: file desc 0x42, total size 680, 20 records of 34 bytes
+3F00/7F10/6F4A: file desc 0x42, total size 130, 10 records of 13 bytes
+3F00/7F10/6F4B: file desc 0x42, total size 208, 16 records of 13 bytes
+3F00/7F10/6F4C: file desc 0x42, total size 208, 16 records of 13 bytes
+3F00/7F10/6F4D: file desc 0x42, total size 290, 10 records of 29 bytes
+3F00/7F10/6F4F: file desc 0x42, total size 300, 20 records of 15 bytes
+3F00/7F10/6F54: file desc 0x41, total size 21
+3F00/7F10/6F58: file desc 0x42, total size 110, 10 records of 11 bytes
+3F00/7F10/6FE0: file desc 0x42, total size 128, 8 records of 16 bytes
+3F00/7F10/6FE1: file desc 0x42, total size 256, 4 records of 64 bytes
+3F00/7F10/6FE5: file desc 0x42, total size 64, 1 records of 64 bytes
+3F00/7F10/5F3A/4F09: file desc 0x42, total size 500, 250 records of 2 bytes
+3F00/7F10/5F3A/4F11: file desc 0x42, total size 4250, 250 records of 17 bytes
+3F00/7F10/5F3A/4F21: file desc 0x42, total size 500, 250 records of 2 bytes
+3F00/7F10/5F3A/4F22: file desc 0x41, total size 4
+3F00/7F10/5F3A/4F23: file desc 0x41, total size 2
+3F00/7F10/5F3A/4F24: file desc 0x41, total size 2
+3F00/7F10/5F3A/4F30: file desc 0x42, total size 69, 1 records of 69 bytes
+3F00/7F10/5F3A/4F32: file desc 0x42, total size 500, 250 records of 2 bytes
+3F00/7F10/5F3A/4F3A: file desc 0x42, total size 8500, 250 records of 34 bytes
+3F00/7F10/5F3A/4F4A: file desc 0x42, total size 130, 10 records of 13 bytes
+3F00/7F10/5F3A/4F4B: file desc 0x42, total size 100, 10 records of 10 bytes
+3F00/7F10/5F3A/4F4F: file desc 0x42, total size 300, 20 records of 15 bytes
+3F00/7F10/5F3A/4F50: file desc 0x42, total size 7500, 150 records of 50 bytes
+3F00/7F10/5F3A/4F52: file desc 0x42, total size 750, 250 records of 3 bytes
+3F00/7F10/5F3A/4F53: file desc 0x42, total size 80, 5 records of 16 bytes
+3F00/7F10/5F3A/4F54: file desc 0x42, total size 4500, 250 records of 18 bytes
+3F00/7F10/5F3C/4F20: file desc 0x41, total size 18
+3F00/7F10/5F3C/4F21: file desc 0x41, total size 18
+3F00/7F10/5F3C/4F22: file desc 0x41, total size 1
+3F00/7F10/5F3D/4F01: file desc 0x41, total size 4
+3F00/7F10/5F3D/4F02: file desc 0x41, total size 256
+3F00/7F10/5F3E/4F01: file desc 0x41, total size 3
+3F00/7F10/5F3E/4F02: file desc 0x41, total size 100
+3F00/7F20/5F30: file desc 0x78, DF
+3F00/7F20/5F31: file desc 0x78, DF
+3F00/7F20/5F32: file desc 0x78, DF
+3F00/7F20/5F33: file desc 0x78, DF
+3F00/7F20/5F40: file desc 0x78, DF
+3F00/7F20/5F70: file desc 0x78, DF
+3F00/7F20/6F05: file desc 0x41, total size 5
+3F00/7F20/6F06: file desc 0x42, total size 1320, 12 records of 110 bytes
+3F00/7F20/6F07: file desc 0x41, total size 9
+3F00/7F20/6F20: file desc 0x41, total size 9
+3F00/7F20/6F2C: file desc 0x41, total size 16
+3F00/7F20/6F30: file desc 0x41, total size 60
+3F00/7F20/6F31: file desc 0x41, total size 1
+3F00/7F20/6F32: file desc 0x41, total size 24
+3F00/7F20/6F37: file desc 0x41, total size 3
+3F00/7F20/6F38: file desc 0x41, total size 15
+3F00/7F20/6F39: file desc 0x46, total size 60, 20 records of 3 bytes
+3F00/7F20/6F3E: file desc 0x41, total size 10
+3F00/7F20/6F3F: file desc 0x41, total size 10
+3F00/7F20/6F41: file desc 0x41, total size 5
+3F00/7F20/6F45: file desc 0x41, total size 20
+3F00/7F20/6F46: file desc 0x41, total size 17
+3F00/7F20/6F48: file desc 0x41, total size 20
+3F00/7F20/6F50: file desc 0x41, total size 20
+3F00/7F20/6F51: file desc 0x42, total size 105, 5 records of 21 bytes
+3F00/7F20/6F52: file desc 0x41, total size 9
+3F00/7F20/6F53: file desc 0x41, total size 14
+3F00/7F20/6F54: file desc 0x41, total size 21
+3F00/7F20/6F60: file desc 0x41, total size 60
+3F00/7F20/6F61: file desc 0x41, total size 60
+3F00/7F20/6F62: file desc 0x41, total size 60
+3F00/7F20/6F64: file desc 0x41, total size 1
+3F00/7F20/6F74: file desc 0x41, total size 16
+3F00/7F20/6F78: file desc 0x41, total size 2
+3F00/7F20/6F7B: file desc 0x41, total size 12
+3F00/7F20/6F7E: file desc 0x41, total size 11
+3F00/7F20/6FAD: file desc 0x41, total size 4
+3F00/7F20/6FAE: file desc 0x41, total size 1
+3F00/7F20/6FB1: file desc 0x41, total size 40
+3F00/7F20/6FB2: file desc 0x41, total size 7
+3F00/7F20/6FB3: file desc 0x41, total size 40
+3F00/7F20/6FB4: file desc 0x41, total size 7
+3F00/7F20/6FB5: file desc 0x41, total size 2
+3F00/7F20/6FB6: file desc 0x41, total size 1
+3F00/7F20/6FB7: file desc 0x41, total size 15
+3F00/7F20/6FC5: file desc 0x42, total size 240, 10 records of 24 bytes
+3F00/7F20/6FC6: file desc 0x42, total size 8, 1 records of 8 bytes
+3F00/7F20/6FC7: file desc 0x42, total size 240, 10 records of 24 bytes
+3F00/7F20/6FC8: file desc 0x42, total size 130, 10 records of 13 bytes
+3F00/7F20/6FC9: file desc 0x42, total size 40, 10 records of 4 bytes
+3F00/7F20/6FCA: file desc 0x42, total size 20, 4 records of 5 bytes
+3F00/7F20/6FCB: file desc 0x42, total size 64, 4 records of 16 bytes
+3F00/7F20/6FCC: file desc 0x42, total size 52, 4 records of 13 bytes
+3F00/7F20/6FCD: file desc 0x41, total size 33
+3F00/7F20/6FCE: file desc 0x42, total size 96, 4 records of 24 bytes
+3F00/7F20/6FCF: file desc 0x42, total size 256, 4 records of 64 bytes
+3F00/7F20/6FD0: file desc 0x41, total size 32
+3F00/7F20/6FD1: file desc 0x42, total size 256, 4 records of 64 bytes
+3F00/7F20/6FD2: file desc 0x41, total size 256
+3F00/7F20/5F70/4F01: file desc 0x42, total size 500, 5 records of 100 bytes
+3F00/7F20/5F70/4F30: file desc 0x41, total size 32
+3F00/7F20/5F70/4F31: file desc 0x42, total size 150, 5 records of 30 bytes
+3F00/7F25/6F06: file desc 0x42, total size 1320, 12 records of 110 bytes
+3F00/7F25/6F21: file desc 0x46, total size 20, 10 records of 2 bytes
+3F00/7F25/6F22: file desc 0x41, total size 10
+3F00/7F25/6F23: file desc 0x41, total size 10
+3F00/7F25/6F24: file desc 0x41, total size 16
+3F00/7F25/6F25: file desc 0x41, total size 2
+3F00/7F25/6F26: file desc 0x41, total size 1
+3F00/7F25/6F27: file desc 0x41, total size 7
+3F00/7F25/6F28: file desc 0x42, total size 40, 8 records of 5 bytes
+3F00/7F25/6F29: file desc 0x42, total size 8, 1 records of 8 bytes
+3F00/7F25/6F2A: file desc 0x41, total size 7
+3F00/7F25/6F2B: file desc 0x41, total size 8
+3F00/7F25/6F2C: file desc 0x41, total size 1
+3F00/7F25/6F2D: file desc 0x41, total size 1
+3F00/7F25/6F2E: file desc 0x41, total size 1
+3F00/7F25/6F2F: file desc 0x41, total size 7
+3F00/7F25/6F30: file desc 0x41, total size 1024
+3F00/7F25/6F31: file desc 0x41, total size 8
+3F00/7F25/6F32: file desc 0x41, total size 12
+3F00/7F25/6F33: file desc 0x41, total size 3
+3F00/7F25/6F34: file desc 0x41, total size 1
+3F00/7F25/6F35: file desc 0x41, total size 1
+3F00/7F25/6F36: file desc 0x41, total size 17
+3F00/7F25/6F37: file desc 0x41, total size 1
+3F00/7F25/6F38: file desc 0x41, total size 8
+3F00/7F25/6F39: file desc 0x41, total size 1
+3F00/7F25/6F3A: file desc 0x41, total size 2
+3F00/7F25/6F3C: file desc 0x42, total size 7650, 30 records of 255 bytes
+3F00/7F25/6F3D: file desc 0x42, total size 65, 1 records of 65 bytes
+3F00/7F25/6F3E: file desc 0x41, total size 5
+3F00/7F25/6F3F: file desc 0x41, total size 117
+3F00/7F25/6F41: file desc 0x41, total size 35
+3F00/7F25/6F42: file desc 0x41, total size 1
+3F00/7F25/6F43: file desc 0x41, total size 3
+3F00/7F25/6F44: file desc 0x42, total size 11, 1 records of 11 bytes
+3F00/7F25/6F45: file desc 0x41, total size 2
+3F00/7F25/6F46: file desc 0x41, total size 1
+3F00/7F25/6F47: file desc 0x41, total size 15
+3F00/7F25/6F48: file desc 0x41, total size 1
+3F00/7F25/6F49: file desc 0x41, total size 1
+3F00/7F25/6F4A: file desc 0x41, total size 4
+3F00/7F25/6F4C: file desc 0x41, total size 36
+3F00/7F25/6F4E: file desc 0x41, total size 1
+3F00/7F25/6F50: file desc 0x41, total size 36
+3F00/7F25/6F55: file desc 0x41, total size 3
+3F00/7F25/6F56: file desc 0x41, total size 3
+3F00/7F25/6F57: file desc 0x41, total size 257
+3F00/7F25/6F59: file desc 0x41, total size 1
+3F00/7F25/6F70: file desc 0x41, total size 23
+3F00/7F25/6F71: file desc 0x41, total size 50
+3F00/7F25/6F72: file desc 0x41, total size 50
+3F00/7F25/6F73: file desc 0x41, total size 50
+3F00/7F25/6F74: file desc 0x41, total size 7
+3F00/7F25/6F76: file desc 0x41, total size 4
+3F00/7F25/6F79: file desc 0x41, total size 2
+3F00/7F25/6F7A: file desc 0x41, total size 3
+3F00/7F25/6F7B: file desc 0x41, total size 348
+3F00/7F25/6F7C: file desc 0x41, total size 500
+3F00/7F25/6F7D: file desc 0x41, total size 7
+3F00/7F25/6F7F: file desc 0x41, total size 70
+3F00/7F25/6F81: file desc 0x41, total size 207
+3F00/7F25/6F82: file desc 0x41, total size 4
+3F00/7F25/6F83: file desc 0x41, total size 32
+3F00/7F25/6F84: file desc 0x41, total size 4
+3F00/7F25/6F85: file desc 0x41, total size 300
+3F00/7F25/6F86: file desc 0x41, total size 1
+3F00/7F25/6F87: file desc 0x42, total size 100, 1 records of 100 bytes
+3F00/7F25/6F88: file desc 0x42, total size 100, 1 records of 100 bytes
+3F00/7F25/6F89: file desc 0x41, total size 1
+3F00/7F25/6F90: file desc 0x41, total size 126
+3F00/7F25/6F92: file desc 0x41, total size 132
+3F00/7F25/AF01: file desc 0x41, total size 24
+3F00/7F25/AF02: file desc 0x41, total size 200
+3F00/7F25/AF03: file desc 0x41, total size 69
+3F00/7F25/AF04: file desc 0x41, total size 200
+3F00/7F25/AF05: file desc 0x41, total size 56
+3F00/7F25/AF06: file desc 0x41, total size 96
+3F00/7F25/AF07: file desc 0x41, total size 44
+3F00/7F25/AF08: file desc 0x41, total size 90
+3F00/7F25/AF09: file desc 0x41, total size 16
+3F00/7F25/AF0A: file desc 0x42, total size 150, 1 records of 150 bytes
+3F00/7F25/AF20: file desc 0x41, total size 33
+3F00/7F25/AF21: file desc 0x41, total size 85
+3F00/7F25/AF30: file desc 0x41, total size 206
+3F00/7F25/EF30: file desc 0x41, total size 1024
+3F00/A515/6F01: file desc 0x41, total size 21
+3F00/A515/6F0A: file desc 0x41, total size 11
+3F00/A515/6F0B: file desc 0x41, total size 11
+3F00/A515/6F20: file desc 0x41, total size 33
+3F00/A515/6F21: file desc 0x41, total size 85
+3F00/A515/6F22: file desc 0x42, total size 420, 12 records of 35 bytes
+3F00/A515/6F23: file desc 0x42, total size 28, 4 records of 7 bytes
+3F00/A515/6F24: file desc 0x41, total size 4
+3F00/A515/6F26: file desc 0x42, total size 15, 3 records of 5 bytes
+3F00/A515/6F27: file desc 0x42, total size 12, 1 records of 12 bytes
+3F00/A515/6F2C: file desc 0x41, total size 200
+3F00/A515/6F40: file desc 0x41, total size 4
+3F00/A515/6F81: file desc 0x41, total size 21
+3F00/ABCD/6F06: file desc 0x42, total size 200, 4 records of 50 bytes
+3F00/ABCD/6F07: file desc 0x41, total size 9
+3F00/ABCD/6FAD: file desc 0x41, total size 4
+3F00/ABCD/AF20: file desc 0x41, total size 33
+3F00/ABCD/AF21: file desc 0x41, total size 85
+3F00/ABCD/AF22: file desc 0x41, total size 33
+3F00/ABCD/AF30: file desc 0x41, total size 206
+3F00/FF01/6F02: file desc 0x41, total size 128
+3F00/FF01/6F03: file desc 0x41, total size 50
+3F00/FF01/6F04: file desc 0x42, total size 1024, 8 records of 128 bytes
+3F00/FF01/6F06: file desc 0x42, total size 200, 4 records of 50 bytes
+3F00/FF01/6F07: file desc 0x41, total size 3
+3F00/FF01/6F09: file desc 0x42, total size 1024, 8 records of 128 bytes
+3F00/FF01/6FAD: file desc 0x41, total size 3
+3F00/FF01/6FD5: file desc 0x41, total size 64
+3F00/FF01/6FD7: file desc 0x42, total size 1024, 8 records of 128 bytes
+3F00/FF01/6FDD: file desc 0x42, total size 1024, 8 records of 128 bytes
+3F00/FF01/6FE7: file desc 0x42, total size 512, 8 records of 64 bytes
+3F00/FF01/6FF7: file desc 0x41, total size 1
+3F00/FF01/6FF8: file desc 0x41, total size 255
+3F00/FF01/6FFC: file desc 0x41, total size 255
+3F00/FF01/AF20: file desc 0x41, total size 33
+3F00/FF01/AF21: file desc 0x41, total size 85
+3F00/FF01/AF22: file desc 0x41, total size 33
+3F00/FF01/AF30: file desc 0x41, total size 206
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/data/sja2-usim-tree	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,167 @@
+# The following data capture is the output of a brute force search
+# (fc-uicc-tool bfsearch-adf command) of the ADF.USIM file system tree
+# of a sysmoISIM-SJA2 card, bought from Sysmocom webshop in 2021-02.
+
+7FFF/5F3B: file desc 0x78, DF
+7FFF/5F40: file desc 0x78, DF
+7FFF/5F50: file desc 0x78, DF
+7FFF/5F60: file desc 0x78, DF
+7FFF/5F70: file desc 0x78, DF
+7FFF/5F80: file desc 0x78, DF
+7FFF/5F90: file desc 0x78, DF
+7FFF/5FA0: file desc 0x78, DF
+7FFF/5FB0: file desc 0x78, DF
+7FFF/5FC0: file desc 0x78, DF
+7FFF/6F05: file desc 0x41, total size 10
+7FFF/6F06: file desc 0x42, total size 1320, 12 records of 110 bytes
+7FFF/6F07: file desc 0x41, total size 9
+7FFF/6F08: file desc 0x41, total size 33
+7FFF/6F09: file desc 0x41, total size 33
+7FFF/6F2C: file desc 0x41, total size 16
+7FFF/6F31: file desc 0x41, total size 1
+7FFF/6F32: file desc 0x41, total size 24
+7FFF/6F37: file desc 0x41, total size 3
+7FFF/6F38: file desc 0x41, total size 20
+7FFF/6F39: file desc 0x46, total size 60, 20 records of 3 bytes
+7FFF/6F3B: file desc 0x42, total size 560, 20 records of 28 bytes
+7FFF/6F3C: file desc 0x42, total size 5280, 30 records of 176 bytes
+7FFF/6F3E: file desc 0x41, total size 10
+7FFF/6F3F: file desc 0x41, total size 10
+7FFF/6F40: file desc 0x42, total size 204, 6 records of 34 bytes
+7FFF/6F41: file desc 0x41, total size 5
+7FFF/6F42: file desc 0x42, total size 104, 2 records of 52 bytes
+7FFF/6F43: file desc 0x41, total size 2
+7FFF/6F45: file desc 0x41, total size 20
+7FFF/6F46: file desc 0x41, total size 17
+7FFF/6F47: file desc 0x42, total size 600, 20 records of 30 bytes
+7FFF/6F48: file desc 0x41, total size 20
+7FFF/6F49: file desc 0x42, total size 680, 20 records of 34 bytes
+7FFF/6F4B: file desc 0x42, total size 208, 16 records of 13 bytes
+7FFF/6F4C: file desc 0x42, total size 208, 16 records of 13 bytes
+7FFF/6F4D: file desc 0x42, total size 290, 10 records of 29 bytes
+7FFF/6F4E: file desc 0x42, total size 130, 10 records of 13 bytes
+7FFF/6F4F: file desc 0x42, total size 75, 5 records of 15 bytes
+7FFF/6F50: file desc 0x41, total size 20
+7FFF/6F56: file desc 0x41, total size 9
+7FFF/6F57: file desc 0x41, total size 256
+7FFF/6F58: file desc 0x42, total size 110, 10 records of 11 bytes
+7FFF/6F5B: file desc 0x41, total size 6
+7FFF/6F5C: file desc 0x41, total size 3
+7FFF/6F60: file desc 0x41, total size 60
+7FFF/6F61: file desc 0x41, total size 60
+7FFF/6F62: file desc 0x41, total size 60
+7FFF/6F73: file desc 0x41, total size 14
+7FFF/6F78: file desc 0x41, total size 2
+7FFF/6F7B: file desc 0x41, total size 12
+7FFF/6F7E: file desc 0x41, total size 11
+7FFF/6F80: file desc 0x46, total size 30, 1 records of 30 bytes
+7FFF/6F81: file desc 0x46, total size 30, 1 records of 30 bytes
+7FFF/6F82: file desc 0x46, total size 3, 1 records of 3 bytes
+7FFF/6F83: file desc 0x46, total size 3, 1 records of 3 bytes
+7FFF/6FAD: file desc 0x41, total size 4
+7FFF/6FB1: file desc 0x41, total size 40
+7FFF/6FB2: file desc 0x41, total size 7
+7FFF/6FB3: file desc 0x41, total size 40
+7FFF/6FB4: file desc 0x41, total size 7
+7FFF/6FB5: file desc 0x41, total size 2
+7FFF/6FB6: file desc 0x41, total size 1
+7FFF/6FB7: file desc 0x42, total size 80, 5 records of 16 bytes
+7FFF/6FC3: file desc 0x41, total size 4
+7FFF/6FC4: file desc 0x41, total size 64
+7FFF/6FC5: file desc 0x42, total size 240, 10 records of 24 bytes
+7FFF/6FC6: file desc 0x42, total size 8, 1 records of 8 bytes
+7FFF/6FC7: file desc 0x42, total size 240, 10 records of 24 bytes
+7FFF/6FC8: file desc 0x42, total size 130, 10 records of 13 bytes
+7FFF/6FC9: file desc 0x42, total size 40, 10 records of 4 bytes
+7FFF/6FCA: file desc 0x42, total size 20, 4 records of 5 bytes
+7FFF/6FCB: file desc 0x42, total size 64, 4 records of 16 bytes
+7FFF/6FCC: file desc 0x42, total size 52, 4 records of 13 bytes
+7FFF/6FCD: file desc 0x41, total size 33
+7FFF/6FCE: file desc 0x42, total size 96, 4 records of 24 bytes
+7FFF/6FCF: file desc 0x42, total size 256, 4 records of 64 bytes
+7FFF/6FD0: file desc 0x41, total size 32
+7FFF/6FD1: file desc 0x42, total size 256, 4 records of 64 bytes
+7FFF/6FD2: file desc 0x41, total size 256
+7FFF/6FD3: file desc 0x42, total size 84, 4 records of 21 bytes
+7FFF/6FD4: file desc 0x41, total size 20
+7FFF/6FD5: file desc 0x41, total size 20
+7FFF/6FD6: file desc 0x41, total size 64
+7FFF/6FD7: file desc 0x42, total size 200, 10 records of 20 bytes
+7FFF/6FD8: file desc 0x42, total size 40, 1 records of 40 bytes
+7FFF/6FD9: file desc 0x41, total size 12
+7FFF/6FDA: file desc 0x42, total size 256, 2 records of 128 bytes
+7FFF/6FDB: file desc 0x41, total size 1
+7FFF/6FDC: file desc 0x41, total size 1
+7FFF/6FDD: file desc 0x42, total size 64, 2 records of 32 bytes
+7FFF/6FDE: file desc 0x41, total size 30
+7FFF/6FDF: file desc 0x42, total size 90, 3 records of 30 bytes
+7FFF/6FE2: file desc 0x42, total size 300, 3 records of 100 bytes
+7FFF/6FE3: file desc 0x41, total size 18
+7FFF/6FE4: file desc 0x42, total size 54, 1 records of 54 bytes
+7FFF/6FE6: file desc 0x41, total size 64
+7FFF/6FE8: file desc 0x41, total size 128
+7FFF/6FEC: file desc 0x41, total size 3
+7FFF/6FED: file desc 0x42, total size 1280, 10 records of 128 bytes
+7FFF/6FEE: file desc 0x42, total size 1280, 10 records of 128 bytes
+7FFF/6FEF: file desc 0x42, total size 1280, 10 records of 128 bytes
+7FFF/6FF0: file desc 0x42, total size 320, 10 records of 32 bytes
+7FFF/6FF1: file desc 0x46, total size 20, 5 records of 4 bytes
+7FFF/6FF2: file desc 0x42, total size 80, 5 records of 16 bytes
+7FFF/6FF3: file desc 0x41, total size 60
+7FFF/6FF4: file desc 0x41, total size 21
+7FFF/6FF5: file desc 0x41, total size 60
+7FFF/6FF6: file desc 0x41, total size 21
+7FFF/6FF7: file desc 0x41, total size 1
+7FFF/6FF9: file desc 0x41, total size 4
+7FFF/6FFA: file desc 0x42, total size 192, 3 records of 64 bytes
+7FFF/6FFB: file desc 0x42, total size 160, 5 records of 32 bytes
+7FFF/6FFD: file desc 0x41, total size 128
+7FFF/AF20: file desc 0x41, total size 33
+7FFF/AF21: file desc 0x41, total size 85
+7FFF/AF22: file desc 0x41, total size 33
+7FFF/AF2C: file desc 0x41, total size 200
+7FFF/AF30: file desc 0x41, total size 206
+7FFF/AF31: file desc 0x41, total size 33
+7FFF/AF32: file desc 0x41, total size 200
+7FFF/AF33: file desc 0x42, total size 32, 1 records of 32 bytes
+7FFF/5F3B/4F20: file desc 0x41, total size 9
+7FFF/5F3B/4F52: file desc 0x41, total size 9
+7FFF/5F3B/4F63: file desc 0x41, total size 16
+7FFF/5F3B/4F64: file desc 0x41, total size 1
+7FFF/5F40/4F41: file desc 0x41, total size 20
+7FFF/5F40/4F42: SW response 0x6283
+7FFF/5F40/4F43: file desc 0x41, total size 60
+7FFF/5F40/4F44: file desc 0x42, total size 330, 10 records of 33 bytes
+7FFF/5F40/4F45: file desc 0x42, total size 330, 10 records of 33 bytes
+7FFF/5F50/4F81: file desc 0x42, total size 50, 1 records of 50 bytes
+7FFF/5F50/4F82: file desc 0x42, total size 30, 1 records of 30 bytes
+7FFF/5F50/4F83: file desc 0x42, total size 30, 1 records of 30 bytes
+7FFF/5F50/4F84: file desc 0x42, total size 50, 1 records of 50 bytes
+7FFF/5F50/4F85: file desc 0x42, total size 30, 1 records of 30 bytes
+7FFF/5F50/4F86: file desc 0x42, total size 30, 1 records of 30 bytes
+7FFF/5F60/4F00: file desc 0x42, total size 38, 1 records of 38 bytes
+7FFF/5F60/4F01: file desc 0x41, total size 132
+7FFF/5F60/4F02: file desc 0x41, total size 1
+7FFF/5F60/4F03: file desc 0x41, total size 10
+7FFF/5F60/4F04: file desc 0x41, total size 1
+7FFF/5F60/4F05: file desc 0x41, total size 10
+7FFF/5F60/4F06: file desc 0x42, total size 660, 6 records of 110 bytes
+7FFF/5F60/4F21: file desc 0x41, total size 6
+7FFF/5F60/4F22: file desc 0x41, total size 2
+7FFF/5F60/4FE2: file desc 0x41, total size 10
+7FFF/5F60/4FFA: file desc 0x41, total size 55
+7FFF/5F60/4FFB: file desc 0x41, total size 500
+7FFF/5F70/4F01: file desc 0x42, total size 500, 5 records of 100 bytes
+7FFF/5F70/4F30: file desc 0x41, total size 32
+7FFF/5F70/4F31: file desc 0x42, total size 150, 5 records of 30 bytes
+7FFF/5FB0/4F01: file desc 0x41, total size 100
+7FFF/5FC0/4F01: file desc 0x41, total size 20
+7FFF/5FC0/4F02: file desc 0x41, total size 20
+7FFF/5FC0/4F03: file desc 0x42, total size 64, 1 records of 64 bytes
+7FFF/5FC0/4F04: file desc 0x42, total size 64, 1 records of 64 bytes
+7FFF/5FC0/4F05: file desc 0x41, total size 68
+7FFF/5FC0/4F06: file desc 0x41, total size 4
+7FFF/5FC0/4F07: file desc 0x41, total size 100
+7FFF/5FC0/4F08: file desc 0x42, total size 100, 10 records of 10 bytes
+7FFF/5FC0/4F09: file desc 0x41, total size 100
+7FFF/5FC0/4F0A: file desc 0x41, total size 4
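Review bot: The 7FFF/5F40/4F42 entry is the only line in data/sja2-usim-tree that reports `SW response 0x6283` instead of a file descriptor, and the header comment does not explain it. In ISO 7816-4, 6283 is the warning that the selected file is deactivated (invalidated), so the file presumably exists but its type and size were not captured. A reader comparing this tree against another card could otherwise take the line for a tool error or a missing file. I would add to the header `# 5F40/4F42 answers SELECT with SW 6283 (file deactivated); its descriptor and size are therefore not listed.`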
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/Admin-write-commands	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,184 @@
+Using fc-simtool for admin-level SIM card programming
+=====================================================
+
+fc-simtool is a layered tool, and its repertoire of available commands needs to
+be viewed as consisting of 3 primary conceptual layers:
+
+* At the bottom layer there are low-level commands that correspond directly to
+  GSM 11.11 protocol operations of first SELECTing files, then reading or
+  writing those files in whole or in part with READ BINARY, READ RECORD, UPDATE
+  BINARY and UPDATE RECORD protocol commands.  This functional layer of
+  fc-simtool is documented in the Low-level-commands article.
+
+* As the next layer up, we implement higher-level commands for ordinary users
+  without special admin privileges.  SIM card specs GSM 11.11 and 3GPP TS 51.011
+  define many files such as phonebooks which ordinary users can both read and
+  write, and we provide high-level user-friendly commands for reading and
+  writing many of these files.  The same specs also define many files which
+  ordinary users can read but not write, giving ICCID, IMSI, SST and so forth -
+  we provide high-level user-friendly commands for reading many of these files.
+  These commands are documented in the User-oriented-commands article, plus a
+  few additional ones in the PLMN-list-commands article.
+
+* As the most advanced layer, we implement some high-level write commands that
+  can only work if you have admin-level access to your card, i.e., if you have
+  authenticated with the appropriate ADM key in a card-vendor-dependent manner.
+  The present article describes these advanced commands.
+
+Authentication with ADM credentials
+===================================
+
+Before you can write to any of the admin-write-only files, you first need to
+authenticate with the right credentials.  The commands for doing so are card-
+vendor-dependent, but most cards implement a non-standard extension to the
+standard VERIFY CHV command, presenting various kinds of ADM keys instead of
+basic PIN1 or PIN2.  fc-simtool verify-ext and verify-chv commands provide
+access to these extended forms of VERIFY CHV in our command shell environment;
+they are defined as follows:
+
+verify-ext P2 XXXXXXXX
+verify-hex P2 xxxxxxxxxxxxxxxx
+
+The first argument to both commands is the value to be put into the P2 field of
+the VERIFY CHV command APDU; numbers are interpreted as decimal by default
+unless preceded with 0x for hex.  verify-ext should be used if the key material
+takes the same ASCII-decimal form as is used for standard PINs and PUKs, whereas
+verify-hex allows arbitrary 64-bit keys to be given as a hex string of 8 bytes.
+
+If your card is FCSIM1 or any other branded variant of GrcardSIM2 and the
+default ADM11 (aka SUPER ADM) key hasn't been changed, you need to authenticate
+as follows:
+
+select MF
+verify-ext 11 88888888
+
+(select MF can be omitted if verify-ext 11 is the very first command in your
+ fc-simtool session.)
+
+If your card is sysmoISIM-SJA2, you need to look up the right ADM1 key in the
+key material email from Sysmocom webshop, and then authenticate as follows:
+
+verify-ext 10 XXXXXXXX
+
+If your card is sysmoUSIM-SJS1, you need to use the following special command,
+and it must be the very first command in your fc-simtool session:
+
+verify-sjs1-adm1 XXXXXXXX
+
+Actual admin file writes
+========================
+
+The few specific admin write commands implemented in fc-simtool are listed
+below.  However, please keep the following points in mind:
+
+* If there is no specific high-level write command for the file you are
+  interested in, you can always use low-level select, update-bin and update-rec
+  commands to write any file - see the Low-level-commands article.
+
+* Some files that need to be written as part of provision-time programming
+  procedures are actually writable by ordinary users, hence those write commands
+  are documented in the User-oriented-commands article.  This situation applies
+  to EF_MSISDN and EF_SMSP.  Commands for writing EF_PLMNsel and EF_FPLMN (also
+  writable by ordinary users) are documented in the PLMN-list-commands article.
+
+Finally, here are the dedicated commands for writing a few specific
+admin-write-only files:
+
+write-acc XXXX
+
+This command writes EF_ACC.  The argument must be a 4-digit hexadecimal number.
+
+write-iccid full_digits
+
+This command programs EF_ICCID with whatever string of digits you specify.  This
+fc-simtool command provides mechanism rather than policy, hence it does not
+enforce any particular number of digits (the record is padded with 'F' hex
+digits per the spec if the number string is shorter than 20 digits), nor is the
+number required to end in a matching Luhn check digit.
+
+write-iccid-sh18 shorthand-digits
+
+This command provides a higher-level user-friendly way to write ICCIDs of the
+most commonly used 18+1 format, meaning 18 content digits plus Luhn check digit.
+The shorthand entry form allows any number of 0 digits in the middle to be
+replaced with a single dash - for example, the following command:
+
+write-iccid-sh18 8988211-3
+
+will set ICCID to:
+
+8988211000000000037
+
+As the first step, the shorthand entry is expanded to 18 digits, and as the
+next step, the correct Luhn check digit is appended.
+
+write-iccid-sh19 shorthand-digits
+
+This command is similar to write-iccid-sh18, but it takes shorthand ICCIDs that
+already include the Luhn check digit at the end.  The previous example ICCID
+would be entered as:
+
+write-iccid-sh19 8988211-37
+
+After the shorthand entry is expanded to 19 digits, the Luhn formula is checked,
+and mismatching entries are rejected.  This command is intended for use cases
+where the ICCID to be programmed is printed on the plastic and needs to be
+entered as-is, but the pain of entering all those zeros in the middle is
+eliminated.
+
+write-imsi full_digits
+
+This command programs EF_IMSI with any arbitrary IMSI, which by spec may be 15
+digits or shorter.  15-digit IMSIs are most common, but shorter ones are allowed
+too, and this fc-simtool command provides mechanism rather than policy.
+
+write-imsi-sh shorthand-digits
+
+This command programs EF_IMSI with a 15-digit IMSI that can be entered in
+shorthand.  For example, the following command:
+
+write-imsi-sh 90170-001
+
+is equivalent to:
+
+write-imsi 901700000000001
+
+write-spn display_cond name
+
+The display condition code is given in hex, the name field is given in the
+FreeCalypso standard ASCII representation for GSM7 strings defined in the
+SIM-data-formats document in the freecalypso-docs repository.
+
+write-sst sst-file
+
+This command writes the SIM Service Table (SST) from the specified data file.
+The data file needs to contain service numbers separated by white space, either
+one per line or multiple numbers per line; '#' character introduces comments
+which continue to the end of the line.  If a service number is given with '^'
+suffix, that service is indicated as allocated but not activated.
+
+pnn-write rec long-name [short-name]
+
+This command writes a single EF_PNN record.  The record index and the long name
+must always be specified, the short name is optional.  Network name fields are
+given in the FreeCalypso standard ASCII representation for GSM7 strings.
+
+pnn-erase start-rec [end-rec]
+
+This command erases (fills with all FF bytes) either a single record or a range
+of records in EF_PNN.  If only one argument is specified, only one record is
+erased.  To erase a range of records, the second argument may be either a number
+or the "end" keyword.  Use 'pnn-erase 1 end' to erase the entire EF_PNN.
+
+opl-write rec mcc-mnc start-lac end-lac pnn-index
+
+This command writes a single EF_OPL record.  rec is the EF_OPL record index to
+write into, the remaining arguments give the content of the record exactly per
+3GPP TS 51.011.
+
+opl-erase start-rec [end-rec]
+
+This command erases (fills with all FF bytes) either a single record or a range
+of records in EF_OPL.  If only one argument is specified, only one record is
+erased.  To erase a range of records, the second argument may be either a number
+or the "end" keyword.  Use 'opl-erase 1 end' to erase the entire EF_OPL.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/Brute-force-search	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,68 @@
+Brute force search of card file system file ID space
+====================================================
+
+The two protocols for accessing the file system of SIM cards (the original GSM
+11.11 SIM protocol and the UICC protocol of ETSI TS 102 221) allow for selecting
+directories and elementary files (EFs) by file IDs, but there is no provision
+in either protocol for listing or enumerating what file IDs exist - there is no
+'ls' operation.
+
+I (Mother Mychaela) really wanted to see the complete file system tree (all
+directories and files) on SIM and UICC cards that are sold as programmable, made
+by vendors such as Grcard and Sysmocom - my philosophy is that customers of such
+programmable SIMs have a natural right to know about every file on those cards
+and to exercise full control over the file system.  But the unfortunate reality
+with all currently available "programmable" SIMs on the market (or at least all
+known ones) is that not only are their vendors not giving us a way to reformat
+their cards and to recreate an entirely new file system layout as we like it,
+but they don't even document the complete file system content their cards are
+shipped with - and because there is no 'ls' operation in either of the two
+standard protocols, there is no trivial way for us to just see it.
+
+In order to see the true undocumented file system content of both Grcard and
+Sysmocom SIMs, I have implemented a brute force search of the file ID space.
+This brute force search works as follows:
+
+* Starting with MF (file ID 3F00), try selecting every possible file ID from
+  0000 to FFFF, skipping only 3F00.  For every file ID where the SELECT command
+  returns something other than "file ID not found" error (SW 9404 for SIM or
+  6A82 for UICC), follow up with GET RESPONSE and report what is found.  For
+  every found file ID that turns out to be a DF when the full response is
+  parsed, the brute force search code takes note of it for further descent.
+
+* For every found DF, repeat the same brute force search inside that DF.  File
+  IDs to be skipped at this search level include MF, the DF being searched, and
+  siblings of the current DF.  If there are further nested DFs, the search has
+  to continue recursively.
+
+In the case of the classic GSM 11.11 SIM protocol and fc-simtool, there is only
+one bfsearch-mf command, performing the search from MF - in this protocol there
+is only one file system tree.  In the case of UICC-architecture cards, there are
+multiple file system trees that are independent and disjoint: there is the main
+file system tree starting at MF, and then each application of the USIM/ISIM kind
+has its own ADF and a separate file system tree under that ADF, practically
+meaning ADF.USIM, ADF.ISIM and whatever other applications are present.
+
+bfsearch-mf command is implemented in both fc-simtool and fc-uicc-tool; this
+command takes no arguments and should work the same way irrespective of any
+prior card session state.  fc-uicc-tool also adds a complementary bfsearch-adf
+command for searching ADF-based directory trees; in order to use bfsearch-adf,
+you have to first select the desired application (select-aid, select-usim or
+select-isim) in the same card session.
+
+Please note that these brute force searches are very slow - in the Mother's
+experience with Grcard and Sysmocom cards, each bfsearch run took about an hour.
+
+Findings on GrcardSIM2 and sysmoISIM-SJA2
+=========================================
+
+The data directory in this code repository contains some findings that have been
+captured with brute force searches.  As one can see from these data captures,
+both Grcard and Sysmocom cards have plenty of additional directories and files
+beyond the standard ones called for SIM/USIM/ISIM, and we can only guess at what
+purpose all those extra proprietary directories and files may be serving.  There
+is one proprietary file on GrcardSIM2 and a few on sysmoISIM-SJA2 that are
+documented, but what we have found with bfsearch goes far beyond these few
+documented proprietary files.  I wonder if perhaps various card-resident
+applications are using some of these proprietary files for their internal
+purposes.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/GrcardSIM2-WEKI-file	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,63 @@
+GrcardSIM2 cards have a proprietary EF under DF_GSM with file ID 0x0001;
+Osmocom wiki page for this card model gives EF.WEKI as the name for this
+proprietary file.  We (FreeCalypso) have no idea as to where this name came
+from, and where and how the people who wrote that wiki page (Sysmocom staff or
+not - unknown) got this knowledge.  This file is important because it stores Ki
+and the selection of COMP128 algorithm version, but the same file also appears
+to have other fields serving other purposes which are not currently understood.
+
+The total length of this transparent EF is 35 bytes, out of which only the first
+19 bytes are documented in the Osmocom wiki page and written by their pySim-prog
+tool.  Let us now break down this file according to our currently available
+limited understanding:
+
+* The first two bytes are always 00 10 - these byte values appear in "blank"
+  unprogrammed cards as shipped by Grcard, they also appear in the Osmocom wiki
+  page, and are programmed by pySim-prog.  The purpose and meaning of these two
+  bytes are completely unknown, and we have never tried writing anything
+  different into them.
+
+* The next byte gives COMP128 algorithm selection plus something else that is
+  not understood:
+
+  - The low 2 bits of this byte select COMP128 algorithm version as follows:
+
+    0b00 = COMP128v1
+    0b01 = COMP128v2
+    0b10 = COMP128v3
+
+    Note that the Osmocom wiki page is wrong in its description of these bits:
+    setting these two bits to 0b11 ends up selecting COMP128v2 rather than v3.
+    (pySim-prog is unaffected because it always writes 00 into the whole byte,
+    selecting COMP128v1.)
+
+  - The remaining 6 bits of this byte are not understood.  Osmocom wiki page
+    tells people to write zeros into the upper 6 bits and so does pySim-prog,
+    but the "blank" unprogrammed cards we got from Grcard have this byte set to
+    0x20.  Setting the upper nibble to either 0 or 2 does not seem to affect
+    the result of RUN GSM ALGORITHM operations, thus it probably controls
+    something else.
+
+* The next 16 bytes store Ki - this part is straightforward.
+
+* The last 16 bytes are not understood; our "blank" unprogrammed cards from
+  Grcard have all FFs in these bytes.
+
+fc-simtool support for programming Ki and COMP128 algorithm selection
+=====================================================================
+
+Even if we never learn the function of the other mysterious fields of EF.WEKI,
+we must be able to program our own Ki and make our own selection of COMP128
+algorithm version in order to use these programmable SIM cards with our own GSM
+networks.  The following solution has been implemented for immediate use:
+
+* Our grcard2-set-comp128 command takes a single argument of 1, 2 or 3,
+  selecting COMP128 algorithm version.  The implementation of this command
+  selects EF.WEKI, reads the previous content of the magic byte at offset 2,
+  keeps the upper 6 bits unchanged, and writes the new COMP128 algorithm
+  selection into the low 2 bits.  If we ever learn the meaning of other bits,
+  we'll be able to add new orthogonal commands that manipulate those other bits,
+  but leave COMP128 selection unchanged.
+
+* Our grcard2-set-ki command writes 16 bytes at offset 3, leaving all other
+  bytes untouched.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/GrcardSIM2-programming	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,82 @@
+The card model which we call GrcardSIM2 is one of the many smart card models
+made and sold by Grcard in China.  As of this writing (2021-03) and going back
+to somewhere around 2013, it is the card model they sell when a customer asks
+for a GSM-only SIM card, as opposed to USIM cards for UMTS/LTE/etc.  This card
+model was once resold by Sysmocom as sysmoSIM-GR2, and we are hoping to get a
+batch of our own FreeCalypso-branded version which we call FCSIM1.
+
+Our fc-simtool supports full programming of these cards: you can take a card
+whose initial state is "blank" or unprogrammed, or a card with some previous
+programming, and you can program it to your own liking using fc-simtool.  For
+the purpose of programming this particular card model (as opposed to USIM/ISIM
+cards), our fc-simtool offers the following advantages over well-known
+competitor pySim-prog:
+
+* These cards support all 3 versions of COMP128 algorithm (v1, v2 and v3), but
+  pySim-prog unconditionally selects COMP128v1.  Our grcard2-set-comp128 command
+  allows any of the 3 algorithm versions to be selected, and in the Mother's
+  opinion it makes no sense to select any version other than COMP128v3 for new
+  GSM network deployments.
+
+* These cards have a fairly sophisticated security model with two different ADM
+  access levels: see GrcardSIM2-security-model article for the details.
+  pySim-prog support for this security model is fundamentally broken: it
+  authenticates with ADM11 as required for writing Ki, but does not support any
+  option of changing this key to a secure one, as would be required in any
+  application where traditional SIM security is desired.  OTOH, pySim-prog
+  needlessly resets ADM5, even though they could have left it alone - ADM11 by
+  itself is sufficient for writing to all files.
+
+* Further on the security model, GrcardSIM2 cards allow admins to reset
+  PIN1/PIN2/PUK1/PUK2 secret codes after authenticating with ADM5 or ADM11 -
+  this mechanism is the only way to reset PUK1 and PUK2 if the previous codes
+  are unknown.  pySim-prog provides no support for setting PIN/PUK codes.
+
+* fc-simtool allows every single file in the card file system to be written as
+  you like.  Absolutely any file can be read and written in raw hex, and we also
+  provide high-level read and write commands for most files.  In contrast,
+  pySim-prog implements a rigid and inflexible programming model, writing only
+  a few files and only in one very limited way.
+
+Using fc-simtool to program GrcardSIM2 cards
+============================================
+
+To begin with, you must know the ADM11 (aka SUPER ADM) secret code for your
+card.  If you got your card directly from Grcard factory or from a reseller such
+as FreeCalypso who leaves this default ADM11 key unchanged, your ADM11 key is
+ASCII-decimal 88888888, and you need to authenticate as follows:
+
+verify-ext 11 88888888
+
+If the previous owner of your card changed this ADM11 key to something else, or
+if you had Grcard factory program cards for you with different ADM keys, then
+you need to know what the ADM11 secret is - if it is lost, there is no recovery,
+and you have to get a new card.  If you have a non-default ADM11 key, you need
+to enter it using either verify-ext 11 or verify-hex 11 command, depending on
+whether the key falls into the restricted ASCII-decimal subset or not.  In any
+case, this verify-ext 11 or verify-hex 11 command should ideally be the first
+command in your fc-simtool session; if it is not the first command in the
+session, then it needs to be preceded with select MF.
+
+Once you have authenticated with ADM11, you are ready to run your programming
+scripts.  Because fc-simtool is not a "one size fits all" tool like pySim-prog,
+but rather a fully generalized command shell that allows you to poke at whatever
+files you like in whatever order and manner you like, practical SIM programming
+should be done with customized command scripts.  Furthermore, we recommend that
+you split your custom programming scripts into two levels:
+
+1) You should have one command script which you install under
+   /opt/freecalypso/sim-scripts that programs SIMs appropriately for your GSM
+   network.  This script should be the same for all of your cards, programming
+   SST, PLMN selection (PLMNsel and FPLMN) and branding files SPN, PNN and OPL.
+   See our fcsim1-defprog script for a starting point.
+
+2) Per-card settings like ICCID, IMSI, ACC and Ki can only be set either
+   manually (OK for one or two cards, but doesn't scale), or by way of custom
+   front end or wrapper programs that generate and execute one-time fc-simtool
+   command scripts.  We plan on implementing one such front end tool once we
+   get our FCSIM1 card batch made.
+
+Please refer to Admin-write-commands, GrcardSIM2-WEKI-file and
+GrcardSIM2-security-model articles for commands to be used in crafting your
+custom programming scripts.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/GrcardSIM2-security-model	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,142 @@
+GrcardSIM2 cards (previously sold as sysmoSIM-GR2 and now being reintroduced as
+FCSIM1) have two different ADM access levels, each guarded by a separate secret
+code.  These two ADM access levels are referred to as ADM and SUPER ADM in the
+Osmocom wiki page for GrcardSIM2, but they can also be called ADM5 and ADM11,
+as the access level numbers appear in the actual APDUs.
+
+If you successfully authenticate with ADM5 secret code, you gain the following
+abilities:
+
+* You can change the ADM5 secret code itself;
+* You can reset PIN1, PIN2, PUK1 and PUK2 to new codes without having to know
+  any previous ones.
+
+If you successfully authenticate with ADM11 secret code, you gain the following
+abilities:
+
+* You can change the ADM11 secret code itself;
+* You can reset PIN1, PIN2, PUK1, PUK2 and ADM5 to new codes without having to
+  know any previous ones.
+
+Most admin-write-only files are writable after either ADM5 or ADM11
+authentication, but some files (particularly EF.WEKI that holds Ki) can only be
+read and written with ADM11.  More precisely, if a given access condition
+(returned in response to SELECT) is listed as ADM11, then you need to
+authenticate with ADM11, but if it is listed as ADM5, then either ADM5 or ADM11
+is acceptable.  Because of this permissive design whereby ADM11 alone is
+sufficient, one can typically ignore ADM5 altogether for programming purposes.
+
+Both ADM5 and ADM11 can be set to any arbitrary string of 8 bytes, i.e., each
+is effectively a 64-bit key.  However, it is common for users to treat ADM5
+and/or ADM11 as being a string of 8 ASCII-encoded decimal digits like standard
+PUK1/PUK2 - the initial default ADM11 secret code from Grcard factory is set to
+64-bit hex string 3838383838383838, which corresponds to PIN/PUK-style decimal
+88888888.
+
+fc-simtool provides commands to set and verify ADM5 and ADM11 secret codes in
+either full hex or ASCII-encoded decimal representation; the former allows any
+arbitrary 64-bit key to be entered, whereas the latter is restricted to those
+64-bit keys which correspond to 8 ASCII-encoded decimal digits.  The commands
+are:
+
+verify-ext 5 XXXXXXXX		# authenticate as ADM5, decimal format
+verify-hex 5 xxxxxxxxxxxxxxxx	# authenticate as ADM5, arbitrary hex format
+
+verify-ext 11 XXXXXXXX		# authenticate as ADM11, decimal format
+verify-hex 11 xxxxxxxxxxxxxxxx	# authenticate as ADM11, arbitrary hex format
+
+grcard2-set-adm5 XXXXXXXX		# set new ADM5, decimal format
+grcard2-set-adm5-hex xxxxxxxxxxxxxxxx	# set new ADM5, arbitrary hex format
+
+grcard2-set-super XXXXXXXX		# set new ADM11, decimal format
+grcard2-set-super-hex xxxxxxxxxxxxxxxx	# set new ADM11, arbitrary hex format
+
+ADM11 MF quirk
+==============
+
+The operation of authenticating with ADM11 (verify-ext 11 or verify-hex 11) is
+only allowed when the currently selected directory is MF - either as the very
+first command in an fc-simtool session, or after an explicit 'select MF'.  If
+the current directory is DF_GSM or DF_TELECOM, the command to authenticate with
+ADM11 (VERIFY CHV with P2=0x0B) fails with SW of 0x9802.
+
+Setting PIN1/PIN2/PUK1/PUK2
+===========================
+
+The following commands reset standard PIN and PUK secret codes after
+authenticating with either ADM5 or ADM11:
+
+grcard2-set-pin1 XXXX
+grcard2-set-pin2 XXXX
+grcard2-set-puk1 XXXXXXXX
+grcard2-set-puk2 XXXXXXXX
+
+These 4 commands take decimal string arguments and send them to the card in
+ASCII encoding per standard SIM spec definition of PIN1/PIN2/PUK1/PUK2.
+
+The underlying command APDUs sent by fc-simtool grcard2-set-* commands are
+proprietary to Grcard.  If you craft the right APDUs manually in hex (which our
+low-level apdu command allows), you can set PIN1/PIN2/PUK1/PUK2 to arbitrary
+64-bit hex strings which do not correspond to ASCII-encoded decimal - however,
+doing so would produce a SIM that violates the public interface definition for
+standard PIN1/PIN2/PUK1/PUK2, hence we do not provide such ability in our
+high-level grcard2-set-* command set.
+
+FCSIM1 default PINs
+===================
+
+The initial default ADM11 secret code from Grcard factory is decimal 88888888,
+meaning that you need to authenticate as follows:
+
+select MF
+verify-ext 11 88888888
+
+If your card is unprogrammed (if you haven't programmed it yourself with
+fc-simtool), all other secret codes should be regarded as unknown - you need to
+reset them yourself in your own card programming or provisioning operation.
+Our fcsim1-default-pins command script sets the following FCSIM1 official
+defaults:
+
+grcard2-set-pin1 1234
+grcard2-set-pin2 6666
+grcard2-set-puk1 00099933
+grcard2-set-puk2 00099944
+grcard2-set-adm5 55501234
+
+For as long as you keep the ADM11 secret code at its default of 88888888, there
+is no PIN security - even if you set PIN1/PIN2/PUK1/PUK2 to your own secrets,
+anyone can authenticate with the unchanged default ADM11 and then freely reset
+all lower PINs.  However, in the Mother's opinion there is very little need for
+PIN security in actual operational usage in this day and age - almost no one
+enables their PIN1, making it moot, and no one ever uses SIM "parental control"
+features controlled by PIN2.  In the present circumstances, the only real use
+for knowing SIM PINs is to exercise and test phone firmware code paths dealing
+with these PINs - and for this purpose having known fixed "secret" codes is
+very convenient.
+
+However, if someone does desire real PIN security, it *is* possible on FCSIM1
+cards - but then you have to not only set PIN1/PIN2/PUK1/PUK2 to your own
+secrets, but also set both ADM5 and ADM11 to your own truly-secret codes as
+well.  But be careful - if you set your own ADM11 secret code and then forget
+it, there is no recovery!  Maintaining a database of per-card secret codes is a
+development job which the Mother gladly leaves to other programmers, to be
+undertaken if and when someone actually needs such added complexity.
+
+How to (not) brick your card
+============================
+
+The following actions will brick your card beyond recovery:
+
+* If you enter ADM11 incorrectly 3 times in a row, ADM11 access is lost with no
+  possibility of recovery - this bricking mode is generally expected, there can
+  be no other way.
+
+* If you enter ADM5 incorrectly 3 times in a row, you unrecoverably lose the
+  ability to use ADM5 ever again - even if you successfully authenticate with
+  ADM11 and reset ADM5 with grcard2-set-adm5, the attempt counter does not get
+  reset, and ADM5 remains blocked.
+
+* If you enter standard PUK1 or PUK2 incorrectly 10 times in a row, it is
+  similarly blocked beyond recovery, with no help from ADM5 or ADM11 -
+  grcard2-set-puk[12] commands reset the secret code, but not the associated
+  attempt counter.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/Low-level-commands	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,196 @@
+fc-simtool is a tool built from the bottom up: at the foundation there is a set
+of low-level commands that provide raw access to the actual SIM protocol APDU
+commands, these low-level commands can be used to do everything that the SIM
+protocol allows, and all higher-level commands merely provide user-friendly
+utilities for the most common particular use cases.  This document describes
+these low-level commands.  Readers of this document are expected to know the
+SIM interface protocol as defined in GSM TS 11.11 and its successor 3GPP TS
+51.011.
+
+Exploring and reading commands
+==============================
+
+atr
+
+This command displays the ATR (Answer To Reset) byte string which the SIM sent
+to the reader when it powered up.
+
+select File_ID
+
+This fc-simtool command sends a SELECT command to the SIM, follows up with a
+GET RESPONSE command as expected in the T=0 protocol, and provides some human-
+readable parsing of the most important fields in the SIM response structure.
+If a correctly formed response was received from the SIM and this response
+structure indicates that a record-based EF has been selected, the indicated
+record length is saved in an internal variable used by readrec and update-rec
+commands.
+
+The file ID can be specified either in hexadecimal (exactly 4 hex digits, *no*
+0x prefix) or as a symbolic name.  fc-simtool knows the following symbolic
+names:
+
+* MF
+* DF_GSM, DF_DCS1800 and DF_TELECOM
+* "gsm" and "telecom" as shorthand names for DF_GSM and DF_TELECOM
+* Some of the most classic EFs, but not all
+
+Important note: regardless of whether you specify the file ID in raw hex or
+symbolically, this low-level select command will send only one SELECT command
+to the SIM.  Per the SIM protocol, in order to successfully select an EF, you
+have to be in the right directory first, i.e., select MF, DF_GSM or DF_TELECOM
+as appropriate before the EF of interest.  Our low-level select command does
+NOT do this extra step on its own, you have to do it explicitly, even if you
+use symbolic names for EFs.
+
+sim-resp
+
+This command displays in raw hex the content of the internal buffer that holds
+the last response received from the SIM.  This internal buffer is filled by the
+GET RESPONSE command that follows up after SELECT or RUN GSM ALGORITHM, and by
+the READ BINARY or READ RECORD commands, whether they are invoked directly as
+low-level commands (select, readbin, readrec or a38) or internally as part of
+higher-level fc-simtool commands.
+
+readbin offset len
+
+This fc-simtool command sends a READ BINARY command to the SIM and displays the
+SIM response in raw hex, internally invoking the same function as sim-resp.
+The two arguments are exactly as in the READ BINARY protocol command; each
+number is interpreted as decimal by default or as hex if preceded by 0x.
+
+readrec record-index [len]
+
+This fc-simtool command sends a READ RECORD command to the SIM (absolute
+addressing mode) and displays the SIM response in raw hex, internally invoking
+the same function as sim-resp.  The arguments are decimal or hex as in the
+readbin command.
+
+If no explicit length argument is given, readrec uses the internal variable set
+by the last select operation.  This one-argument form is almost always used in
+practice, as the SIM will normally reject any requested length that does not
+match the current EF record length.
+
+readef File_ID
+
+This fc-simtool command provides a slightly higher-level facility for examining
+the content of EFs, combining select and readbin or readrec operations.  The
+sole File_ID argument is the same as for the low-level select command; the SIM
+response to SELECT is then parsed to decide what to do next.  Transparent EFs
+are read using as many READ BINARY commands as necessary (up to 256 bytes can
+be read in one APDU exchange) and displayed as a continuous hex dump.  For
+record-based EFs (linear fixed and cyclic), readef reads and separately
+hex-dumps every record.
+
+Just like with the low-level select command, there is no built-in MF/DF
+selection.
+
+savebin File_ID out-bin-file
+
+This command selects the specified EF (just like with low-level select and
+readef, you need to be in the right MF/DF directory) and saves its complete
+content in a raw binary file on the UNIX host file system.  This command
+supports all 3 types of EF (transparent, linear fixed and cyclic) and uses the
+correct READ BINARY or READ RECORD commands based on the SELECT response.
+Record-based EFs are read in the order of increasing record number and are saved
+in the host binary file with all records simply abutted together.
+
+Writing commands
+================
+
+update-bin offset hexfile
+
+This fc-simtool command reads a hex data file (an ASCII text file containing
+only hex byte values and nothing else, with or without white space between
+bytes, newlines treated as any other white space) and sends this byte content
+to the SIM in an UPDATE BINARY command.  The offset argument is the same as in
+the readbin command.  The length is the number of bytes read from the hex data
+file.
+
+update-bin-imm offset hex-string
+
+This command works like update-bin, but the bytes to be written are given as a
+hex string direct argument (like an immediate operand in assembly languages),
+rather than via a hex data file.
+
+update-rec record-index hexfile
+
+This fc-simtool command reads a hex data file (just like update-bin) and sends
+this byte content to the SIM in an UPDATE RECORD command, using either absolute
+or PREVIOUS addressing mode.  The record-index argument is the same as in the
+readrec command for the absolute addressing mode, or 'prev' keyword to use the
+PREVIOUS addressing mode for writing to cyclic EFs.  The number of bytes in the
+hex data file must equal the EF record length.
+
+update-rec-imm record-index hex-string
+
+This command works like update-rec, but the bytes to be written are given as a
+hex string direct argument (like an immediate operand in assembly languages),
+rather than via a hex data file.
+
+update-rec-fill record-index fill-byte
+
+This fc-simtool command sends an UPDATE RECORD command to the SIM with payload
+equal to the specified fill byte, replicated to the record length.  The fill
+byte argument is always interpreted as hexadecimal.
+
+restore-file File_ID host-bin-file
+
+This command restores a binary backup previously made with savebin back to the
+SIM, or writes new bits into the EF if you can construct the necessary binary
+image with tools like xxd.  The arguments are the same as for the savebin
+command.  This command supports all 3 types of EF (transparent, linear fixed
+and cyclic) and uses the correct UPDATE BINARY or UPDATE RECORD commands based
+on the SELECT response.  Cyclic files are restored by writing every record in
+the reverse order from the last index to the first.
+
+erase-file File_ID [fill-byte]
+
+This command erases the specified EF by overwriting its content with the
+specified fill byte, which defaults to 0xFF if the second argument is omitted.
+All 3 EF types (transparent, linear fixed and cyclic) are supported: for
+transparent EFs fc-simtool issues as many UPDATE BINARY commands as needed to
+overwrite the whole file, whereas for record-based EFs every record is
+overwritten with UPDATE RECORD.
+
+INVALIDATE and REHABILITATE
+===========================
+
+cur-ef-inval will send an INVALIDATE command to the SIM; cur-ef-rehab will send
+a REHABILITATE command.  The naming of these low-level fc-simtool commands
+reflects the fact that you have to manually select the EF of interest first.
+
+GSM authentication testing
+==========================
+
+a38 RAND
+
+This fc-simtool command exercises the SIM card's RUN GSM ALGORITHM command.
+The user-specified RAND value (a hex string of 16 bytes) is sent to the SIM,
+and the SIM response is parsed to display SRES and Kc.
+
+Per SIM specs GSM TS 11.11 and 3GPP TS 51.011, RUN GSM ALGORITHM can only be
+executed when DF_GSM is selected.  fc-simtool a38 command does NOT include a
+built-in SELECT of DF_GSM, hence you need to manually issue 'select DF_GSM'
+first.
+
+This a38 command can be used to verify if the SIM card's Ki and A38 algorithm
+match what you expect them to be.  To perform this test, issue an a38 command
+to the SIM with some made-up RAND and note the SRES and Kc response.  Then use
+the osmo-auc-gen utility from Osmocom to run the expected algorithm with the
+expected Ki (and the expected OPc if MILENAGE is used) and the same RAND, and
+see if SRES and Kc match.
+
+Exploring proprietary APDUs
+===========================
+
+If the SIM you are working with is known or suspected to implement some
+non-standard or proprietary APDUs for which there is no explicit support in
+fc-simtool, you can use this low-level debug command to send arbitrary APDUs:
+
+apdu "xx xx xx xx xx ..."
+
+The sole argument is a raw string of bytes (quotes are needed if there are
+spaces between bytes), and the APDU needs to be given exactly as it is sent in
+the T=0 protocol: 5 bytes of header (including the length byte) followed by
+data bytes, if any.  After executing the APDU exchange, the apdu command simply
+prints the SW response code from the SIM.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/PLMN-list-commands	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,50 @@
+GSM SIM specs define EF_PLMNsel and EF_FPLMN as containing lists of preferred
+and forbidden PLMNs, respectively.  Both files are defined as writable by
+ordinary users, requiring only CHV1 access for both reading and writing - and
+both files are indeed user-writable on Grcard and Sysmocom SIMs.  However, some
+operator-issued SIMs (specifically T-Mobile USA) implement an underhanded trick:
+whenever we try to write anything to either of these two files, the write
+operation appears to succeed (SW 0x9000), but the byte content of the SIM file
+remains unchanged.  Therefore, writability of these files by ordinary end users
+on regular operator-issued SIMs should be regarded as questionable.
+
+fc-simtool provides high-level commands for both dumping (reading) and writing
+both EF_PLMNsel and EF_FPLMN.  Here are the commands for EF_PLMNsel:
+
+plmnsel-dump
+
+This command dumps the full content of EF_PLMNsel.
+
+plmnsel-write index mcc-mnc
+
+This command writes a single entry into EF_PLMNsel.  The first argument is the
+0-based index of the entry position to write into, and the second argument is
+the PLMN code as in MCC-MNC.
+
+plmnsel-write-list plmn-list-file
+
+This command overwrites the entire EF_PLMNsel SIM file with a user-specified
+PLMN list given in an ASCII data file.  The file must contain PLMN codes
+(MCC-MNC) separated by white space; any lines or line tails beginning with '#'
+are treated as comments.  Output from a previous plmnsel-dump is acceptable
+input to plmnsel-write-list.  PLMN codes are written into EF_PLMNsel from index
+0 onward; any unused space at the end is filled with FF bytes.
+
+plmnsel-erase start-index [end-index]
+
+This command erases a single entry position or a range of entry positions in
+EF_PLMNsel.  Because EF_PLMNsel is a transparent EF (not record-based) at the
+SIM protocol level, our numbering of entry positions in this file is 0-based,
+rather than the 1-based convention used for record-based SIM files.  Keyword
+"end" may be specified instead of the final index, meaning erase to the end of
+the file.
+
+plmnsel-erase-all
+
+This command overwrites the entire EF_PLMNsel SIM file with FF bytes,
+corresponding to fully erased state.  This command is more efficient than
+'plmnsel-erase 0 end', as the operation is performed with a single UPDATE BINARY
+SIM protocol command.
+
+The commands for EF_FPLMN parallel those for EF_PLMNsel: simply replace
+plmnsel-* with fplmn-*; all arguments are the same.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/Simtool-command-shell	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,124 @@
+Our fc-simtool and fc-uicc-tool operate as interactive shells.  When you run
+either program, it selects the "card reader" device it will use and connects to
+the card via pcsc-lite facilities, and then it gives you an interactive command
+shell.  The communication session with the card (including vital volatile state
+like PIN authentication and currently selected directory and EF) remains
+unbroken until you exit the shell, at which point our tools tell pcsc-lite to
+power down the card.
+
+The actual useful commands available in fc-simtool and fc-uicc-tool are
+described in other documents; this document describes program invokation and
+the command shell itself.
+
+Program invokation
+==================
+
+Both tools share the same command line structure:
+
+fc-simtool [-p num] [batch-command]
+fc-uicc-tool [-p num] [batch-command]
+
+If you run either tool without any options or arguments, it will select the
+first reader supported by pcsc-lite (reader number 0, same as if -p0 was
+specified), and if the card connection is successful, it will enter the
+interactive command shell.  Use the -p num option to select a different reader
+number; to tell which reader number is which, use fc-pcsc-list to list all
+available readers.
+
+Aside from the -p num option, any arguments given on the command line suppress
+the default interactive shell and select the tool's batch mode instead - the
+arguments specify the command to be executed.  For example, the following
+invokation will read and display the inserted card's ICCID, and immediately
+exit:
+
+fc-simtool iccid
+
+This batch mode is particularly useful with the exec command described further
+in this document.
+
+Command shell basic features
+============================
+
+The interactive command shell prompt is "simtool> " in fc-simtool and "uicc> "
+in fc-uicc-tool.  In this interactive command shell mode commands are entered
+naturally, with white space separating the command keyword and any arguments.
+Arguments containing spaces need to be enclosed in double-quotes as in
+"quoted string"; our tools have two main instances where such complex arguments
+are used:
+
+* Many of our commands, particularly low-level ones, take hexadecimal byte
+  strings as arguments.  In such hex byte strings each byte must be given as
+  exactly two hex digits (no 0x and no single-digit bytes for small values),
+  but spaces between bytes for human readability are optional.  If these
+  optional spaces are included, the whole argument needs to be included in
+  double-quotes.
+
+* Some of our commands take arguments that represent GSM 03.38 text strings,
+  using our ASCII representation format for such strings that is defined in the
+  SIM-data-formats document in the freecalypso-docs repository.  If these
+  arguments contain spaces, they need to be enclosed in double-quotes, and any
+  embedded '"' characters need to be entered as \".
+
+Output redirection
+==================
+
+Most of our information retrieval and dumping commands support output
+redirection at the tool-internal command shell level.  For example, the
+following command will list the SIM Service Table (SST) on the terminal and
+redisplay the "simtool> " prompt:
+
+simtool> sst
+
+The following form of the same command will write the output to the named file
+and not send anything to the terminal:
+
+simtool> sst > sst-list-file
+
+If you try the '>' output redirection construct on a command that does not
+support it, you will get an error message.
+
+Working with the local host file system
+=======================================
+
+Because our tools provide a lot of commands for saving SIM data into host files
+(the above output redirection mechanism and some binary file writes) as well as
+reading data and command scripts from host files, having a sensible interaction
+with the local host file system is important.  Users should have a convenient
+way to see what directory they are in, change their current directory, and
+invoke other local host commands like mkdir from inside their fc-simtool session
+- hence the following features are provided:
+
+* Any command beginning with '!' is passed to the system shell /bin/sh - the
+  primary use of this feature is to be able to run !pwd to see what directory
+  you are in, and more rarely do other things like !mkdir mysimdata.
+
+* The built-in cd command changes the current directory of the running
+  fc-simtool process - because of the way UNIX works, cd is one command that
+  cannot be usefully executed via the '!' shell invokation mechanism.
+
+Command script facility
+=======================
+
+Both fc-simtool and fc-uicc-tool implement an exec command:
+
+exec script-file
+
+This command opens the named file, reads it line by line, and executes each
+read line as a command.  Whitespace-only lines are skipped, and any lines
+beginning with '#' are treated as comments.  exec scripts can be nested.  If
+the execution of any command encounters an error, all nested scripts are
+stopped: we implement the "stop on first error" policy.
+
+If the given script file name contains any slashes, it is used as-is.  If there
+are no slashes in the requested script file name, the file is sought first in
+the script installation directory /opt/freecalypso/sim-scripts, and if it is
+not found there, then in the current directory.
+
+Data file sourcing
+==================
+
+All fc-simtool and fc-uicc-tool commands that read from ASCII-based data files
+named as arguments implement the same search logic as the exec command.  This
+design allows complex SIM programming scripts to be installed in
+/opt/freecalypso/sim-scripts along with their data files, ready to be invoked
+as needed.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/Sysmocom-SIM-notes	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,161 @@
+The present suite of tools (fc-simtool and fc-uicc-tool) is NOT a good fit for
+programming sysmoUSIM-SJS1 and sysmoISIM-SJA2 cards made by Sysmocom and sold
+in their webshop, because of the following combination of factors:
+
+1) These cards are primarily USIM/ISIM, with classic GSM 11.11 SIM support
+   regarded as "backward compatibility" - thus they have a lot of important
+   files under ADF.USIM and ADF.ISIM which are not accessible via the classic
+   GSM 11.11 SIM protocol.
+
+2) Our main feature-rich tool is fc-simtool, but this tool speaks only the
+   classic GSM 11.11 SIM protocol, hence it cannot access any of the USIM/ISIM
+   files.
+
+3) We have fc-uicc-tool which speaks the UICC protocol that is native to these
+   Sysmocom cards, but it is only a low-level debug tool, not a feature match
+   to fc-simtool.
+
+The proper long-term solution for our 2G-centric GSM community is to get our own
+SIMs made, either by paying big bucks to Sysmocom to produce a run of custom
+cards (presumably based on their current SJA2 platform) with USIM and ISIM
+removed, leaving only the file system tree under MF that can be fully
+manipulated via the classic SIM protocol, or preferably by resurrecting the
+older Grcard SIM-only platform if possible - it may take a long time to find out
+if the latter option is possible or not.  But in the meantime, if someone needs
+to program a SIM right now, when Sysmocom webshop cards are the only available
+option, we do have limited support for programming these SIMs:
+
+* It is possible to authenticate with the ADM1 key from within fc-simtool on
+  both sysmoUSIM-SJS1 and sysmoISIM-SJA2, as explained below.
+
+* Once you have authenticated with ADM1, you can use fc-simtool admin write
+  commands (write-imsi, SDN phonebook write operations, manual update-bin-imm
+  on various small transparent EFs) just as if you were working with a Grcard
+  SIM.
+
+* You can also use fc-uicc-tool to access and program every file on Sysmocom
+  cards, including files under ADF.USIM and ADF.ISIM - but in this case you will
+  have to do everything manually in raw hex, with a hex data file for every
+  update-bin and update-rec command.
+
+Authenticating with ADM1
+========================
+
+The method for sending your ADM1 key to the card varies depending on whether
+you are in an fc-simtool or fc-uicc-tool session, and whether your card is
+sysmoUSIM-SJS1 or sysmoISIM-SJA2.  There are 3 possibilities:
+
+* If you are in an fc-uicc-tool session with either type of card, the command
+  to authenticate with ADM1 is as follows:
+
+  verify-pin 10 xxxxxxxx
+
+  where xxxxxxxx are the 8 digits of the ADM1 secret code.  There are no
+  restrictions as to when this command may be given in an fc-uicc-tool session.
+
+* If you are in an fc-simtool session with sysmoISIM-SJA2, the command becomes:
+
+  verify-ext 10 xxxxxxxx
+
+  There are no restrictions as to when this command may be given in an
+  fc-simtool session.
+
+* If you are in an fc-simtool session with sysmoUSIM-SJS1, the command becomes:
+
+  verify-sjs1-adm1 xxxxxxxx
+
+  Unlike the other two cases, this command must be issued at the very beginning
+  of your fc-simtool session, before any other commands.  If you issue this
+  command later, after some GSM 11.11 SIM APDUs have already been exchanged, it
+  won't work.
+
+Changing the ADM1 PIN
+=====================
+
+Experiments show that when speaking the UICC protocol to the card, the standard
+CHANGE PIN command does work on ADM1 on both sysmoUSIM-SJS1 and sysmoISIM-SJA2,
+thus you can do the following in fc-uicc-tool:
+
+change-pin 10 old-ADM1 new-ADM1
+
+However, given that Sysmocom already assigns individual per-card random ADM1 and
+communicates these secret codes securely to webshop customers, there does not
+seem to be any practical need for changing ADM1 further downstream.  Thus our
+recommendation is that if you are going to change your ADM1 PIN just to prove
+that you can do it, you should then change it back to the original.
+
+We can only surmise that there probably exist some secret commands that can
+reset PUK1 and PUK2 after you've authenticated with ADM1, but they will probably
+remain forever proprietary to Sysmocom, especially given the lack of any
+practical need for such downstream changing of PUK1/PUK2.
+
+Thoughts on card (re)formatting
+===============================
+
+ETSI and 3GPP specs give many more degrees of freedom to SIM card issuers than
+just the content of various EFs: the card issuer gets to decide which DFs and
+EFs will be present vs. which ones won't be present at all, and for many EFs
+the size (allocated space) is variable per the specs and up to the card issuer.
+In the case of record-based EFs, both the record size and the number of records
+are often left up to card issuers to tune as desired.
+
+In the Mother's opinion, a truly programmable SIM would be one where every
+downstream owner of each card (not just the initial factory or the party putting
+up big bucks for a large custom production run) can do a full reformat: erase
+the file system and then create whatever tree of DFs and EFs she desires, with
+full control over each file's allocated size, structure and access conditions.
+
+In the case of Sysmocom webshop SIMs, we (FreeCalypso) are not aware of any
+publicly available documents describing how to perform such a reformat - it
+appears that Sysmocom keeps this knowledge proprietary.  In contrast, the older
+Grcard-based SIMs had some publicly documented commands for erasing the card
+and creating new directories and files:
+
+https://osmocom.org/projects/cellular-infrastructure/wiki/GrcardSIM
+
+It remains to be seen whether we (FreeCalypso) can get new SIMs from Grcard
+which are also freely formattable.
+
+MSISDN misprogramming on early sysmoUSIM-SJS1 cards
+===================================================
+
+Referring to the previous section regarding formatting degrees of freedom,
+Sysmocom webshop cards have their EF_MSISDN file allocated as 6 records of 34
+bytes each.  Record length of 34 bytes translates into 20 bytes of alpha tag
+plus the required 14-byte structure at the end of each record.
+
+When Sysmocom made their early sysmoUSIM-SJS1 cards, they intended to program
+the first record of EF_MSISDN as +882110xxxxx, where xxxxx are equal to the last
+5 digits of their 901-70 IMSI and also to the last 5 content digits (before the
+Luhn check digit) of their 8988211 ICCID.  A correctly structured EF_MSISDN
+phonebook record with a +882110xxxxx phone number would look like this, for the
+record size of 34 bytes:
+
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
+10:  FF FF FF FF 07 91 88 12  01 xx xx Fx FF FF FF FF
+20:  FF FF
+
+The first 20 bytes are all FF because that is the space reserved for the alpha
+tag, then the phone number is encoded in 8 bytes as 07 91 88 12 01 xx xx Fx,
+and the rest of the required 14-byte structure is filled with FF bytes.
+However, the actual programming of this MSISDN record on early sysmoUSIM-SJS1
+cards (at least on the 10-pack I bought in 2017) looks like this:
+
+00:  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
+10:  FF FF 07 91 88 12 01 xx  xx Fx FF FF FF FF FF FF
+20:  FF FF
+
+The not-all-FF field of 8 bytes is written into the wrong location, two bytes
+earlier than where it should be.  When I saw this misprogramming early in the
+course of developing fc-simtool, I finally understood why the AT+CNUM command
+on a FreeCalypso modem with this SIM inserted reported a 10xxxxx number instead
+of the +882110xxxxx listed in the sysmoUSIM manual. :-)
+
+When I saw this misprogramming, I also added a fix-sysmo-msisdn command to
+fc-simtool: this command checks for this particular misprogramming, and if it
+finds such, it rewrites the MSISDN record with the 8-byte phone number field
+moved to its correct place.  However, this fix-sysmo-msisdn command probably
+won't get much use: the factory-programmed EF_MSISDN is now completely blank on
+Sysmocom's current sysmoISIM-SJA2 cards, and also on the late sysmoUSIM-SJS1
+cards - or at least it is blank on the last-stock cards I bought in 2020-11.
+EF_MSISDN is writable without needing ADM1 - it only needs CHV1.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/User-oriented-commands	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,554 @@
+This document describes those commands and functions of fc-simtool which can be
+exercised by end users on any regular operator-issued SIM, without requiring a
+special programmable SIM with admin privileges.  The Mother's plans for future
+development include a companion fc-simint utility that will operate on SIM cards
+inside Calypso phones; the intent is that all of the end-user-oriented commands
+of fc-simtool described in this document will also be replicated in fc-simint.
+
+Understanding SIM PIN1
+======================
+
+Every standard SIM card has a secret code called PIN1; this secret code can be
+anywhere between 4 and 8 digits in length, with 4-digit PINs being most common.
+In terms of persistent non-volatile state, SIM PIN1 can be enabled or disabled.
+When SIM PIN1 is disabled, all regular functions of the card are enabled, as in
+being able to power up the phone with the SIM in it and connect to the GSM
+network with your subscriber identity, and being able to read and write SIM user
+data content like phonebooks and stored messages - all of these functions are
+enabled from the moment you turn on the phone with the SIM in it (or power the
+SIM up by itself in a smart card "reader" driven by fc-simtool), without the
+user ever being asked for a PIN, such that you can forget that the PIN even
+exists - this situation in very common nowadays.  But when SIM PIN1 is enabled,
+the smart chip in the SIM will not allow you access to any of the data stored
+on the card and will not allow any GSM authentication operations until and
+unless you send the correct PIN to the SIM in the VERIFY CHV command.
+
+If you forgot your PIN1, the only way to reset it is to enter another secret
+code (always 8 digits in length) called PUK1.  If the SIM is made according to
+standards, then its PUK1 is set to a random number during either physical
+manufacturing or administrative programming of the card and then remains
+unchangeable afterward.  Therefore, in an ideal world if someone forgot their
+PIN1 and don't have their PUK1 either, they should be able to obtain PUK1 from
+the cellular operator who issued the SIM - but whether or not today's operators
+will actually help such hapless users (without forcing them to get a new SIM)
+is another question altogether.  PUK1 is often printed on the big (credit-card-
+sized) plastic piece on which SIM cards are initially delivered - but it doesn't
+help if you originally got your SIM many ages ago and no longer have that
+souvenir plastic piece.
+
+The standard protocol for communicating with SIM cards provides 5 special
+commands that are dedicated to working with PIN1, and so does fc-simtool:
+
+verify-pin1 XXXX
+
+This command tells the SIM that you are attempting to prove knowledge
+of PIN1, presenting a string of digits.  If the PIN digits you specify match
+the PIN1 secret code stored inside the SIM, the card unlocks access to its
+primary functions.  If the digits you send are wrong, the SIM decrements its
+non-volatile attempt counter, giving you a total of 3 attempts (irrespective of
+card power-downs between attempts) to enter the correct PIN.  If PIN1 is entered
+incorrectly 3 times in a row, this PIN is blocked, and the only way to unblock
+it is via PUK1.
+
+enable-pin1 XXXX
+
+This command changes the non-volatile state of the PIN1 enable/disable flag,
+such that from now on the SIM will require PIN1 to be provided on every card
+power-up before it will allow GSM authentication and access to user data.  The
+enable-pin1 operation itself requires correct PIN1 digits to be provided.
+
+disable-pin1 XXXX
+
+This command changes the non-volatile state of the PIN1 enable/disable flag,
+such that from now on the SIM will NOT require PIN1 to be provided on every
+card power-up, and will instead be live immediately without needing proof of
+card owner's identity.  The disable-pin1 operation itself requires correct PIN1
+digits to be provided.
+
+change-pin1 old-PIN new-PIN
+
+This command tells the SIM that you wish to change PIN1 secret code to some new
+digits.  Knowledge of the old PIN1 is required for this operation to succeed.
+
+unblock-pin1 PUK1-secret-code new-PIN1
+
+This command tells the SIM that you are attempting to prove knowledge
+of PUK1 and to set new PIN1.  If PUK1 is given correctly, the new PIN1 will be
+set.  If you enter wrong PUK1, the SIM decrements its non-volatile attempt
+counter, giving you a total of 10 attempts (irrespective of card power-downs
+between attempts) to enter the correct code.  If PUK1 is entered incorrectly 10
+times in a row, it is blocked and the card should be considered bricked beyond
+recovery.
+
+Understanding SIM PIN2
+======================
+
+GSM standards provide support for a very rarely used feature that works in the
+spirit of "parental controls": if you authenticate to the SIM with PIN2 secret
+code (which has to be different from PIN1 for meaningful security), you can
+edit a SIM-resident list of so-called Fixed Dialing Numbers (FDN), and then all
+standard phones that implement this feature per the spec will refuse to allow
+ordinary users (authenticated with PIN1 or with no PIN at all) to call any
+numbers other than those programmed in FDN.
+
+This whole "parental control" feature is totally silly and is not expected to be
+of any practical use, but the whole purpose of fc-simtool is to allow every
+feature of SIM cards to be exercised, hence we provide the necessary support.
+The following commands work just like their PIN1 counterparts:
+
+verify-pin2 XXXX
+change-pin2 old-PIN new-PIN
+unblock-pin2 PUK2-secret-code new-PIN2
+
+Unlike PIN1, PIN2 cannot be disabled per traditional SIM card standards.
+
+Getting basic info from the SIM
+===============================
+
+The following commands are available for retrieving basic info from the SIM:
+
+iccid
+
+This command retrieves the ICCID (Integrated Circuit Card ID) record from the
+SIM - it is a number of up to 20 digits (although 19-digit ICCIDs are most
+common) that identifies the SIM card as a physical artifact.  If your SIM is of
+the traditional operator-issued kind, as opposed to a developer-oriented
+programmable SIM from vendors like Sysmocom who have different ideas, this ICCID
+will usually be the SIM card ID number printed on the physical plastic, along
+with a barcode representation of the same number.
+
+imsi
+
+This command retrieves the IMSI (International Mobile Subscriber Identity) from
+the SIM - it is the most fundamental ID token by which GSM phones present
+themselves to networks, and they even use the first 5 or 6 digits of the IMSI
+to decide which network they should try connecting to first.
+
+It should also be noted that if your SIM has FDN (Fixed Dialing Numbers) enabled
+and the card implements GSM SIM specs to the letter, including the idiotic
+parts, then you will need to issue a rehab-imsi command before you can read the
+IMSI record - see the FDN section further in this document.
+
+sst
+
+Every SIM card is required to have an essential data record (an EF in technical
+terms) called the SIM Service Table, or SST.  This SST indicates which services
+are allocated and activated on the given SIM.  Our sst command lists all
+allocated service numbers, listing just a plain number if the service is both
+allocated and activated (the usual case), or a number with a '^' suffix if the
+service is allocated but not activated.  You will need to look in the 3GPP TS
+51.011 spec to make sense of these service numbers.
+
+user-sum
+
+This command displays a user-friendly summary of user-oriented services present
+on the SIM.  It reads SST to get the list of available and activated services,
+but it considers only user-oriented ones (as opposed to SIM services dealing
+with GSM network functions or serving operators' interests rather than users'),
+and it displays them in a user-friendly manner.  For each present SIM phonebook
+(ADN, FDN, SDN) and for the SMS store, user-sum displays the storage capacity
+provided by the SIM (number of phonebook entries or messages), and for each of
+the various phonebooks, the allocated number of alpha tag bytes is also
+displayed.
+
+The number of bytes allocated for the alpha tag in SIM phonebooks determines
+the maximum length of the name field in each phonebook entry.  These name fields
+can be written either in GSM7 encoding (GSM 03.38 aka 3GPP 23.038) or in UCS-2;
+when GSM7 encoding is used, no SMS-style septet packing is applied - instead the
+high bit of each byte is simply cleared.  Therefore, the maximum number of
+characters in a phonebook entry name field usually equals the number of bytes
+allocated for the alpha tag on the SIM, except for names containing ASCII
+characters [\]^ and {|}~ which get expanded to 2-character escape sequences in
+GSM7 encoding.
+
+uicc-dir
+
+If your SIM card functions not only as a classic GSM 11.11 SIM, but also as a
+UICC with USIM/ISIM or other UICC-based applications, it will have a file named
+EF_DIR in its file system, listing those applications.  fc-simtool uicc-dir
+command dumps the content of this file in a human-readable form - but please
+note that fc-simtool only speaks the classic GSM 11.11 protocol to the SIM, and
+not the UICC protocol.  EF_DIR does not officially exist in the classic GSM SIM
+spec, hence the dir command in fc-uicc-tool (speaking the UICC protocol) is the
+official way to read and dump the content of EF_DIR.
+
+Manipulating SIM phonebooks
+===========================
+
+GSM SIM specs allow for several different phonebooks to be present on the card:
+
+* ADN (Abbreviated Dialing Numbers) is the main SIM phonebook.  Each SIM card
+  issuer decides how much storage space they allocate to ADN (how many records);
+  the SIM spec maximum is 254 records, and many issuers' SIMs do provide this
+  many records or close to this limit.
+
+* FDN (Fixed Dialing Numbers) is the "parental control" phonebook.  The FDN
+  phonebook can only be written to after authenticating with PIN2, and when it
+  is enabled (enabling FDN is done by "invalidating" ADN, an operation which
+  also requires PIN2), spec-compliant phones allow only numbers in FDN to be
+  called.
+
+* SDN (Service Dialing Numbers) is a service-provider-controlled phonebook: it
+  can only be written if you have special admin privileges (ADM authentication
+  method is card-vendor-dependent), and it is read-only to ordinary users.
+
+* MBDN (Mailbox Dialing Numbers) is a late addition to GSM SIM specs - it is a
+  special phonebook that stores the number for Voice Mail and other related
+  esoteric services.
+
+* MSISDN is a phonebook-like file that stores the subscriber's own phone
+  number(s).  Most classic GSM phones have a menu command for showing your own
+  number, usually called "My number" or something like that; this menu command
+  displays the first record stored in the MSISDN phonebook.  Most network
+  operators update this MSISDN record over the air (using special SMS-encoded
+  commands) when you activate service or get a new phone number without changing
+  your SIM, but this MSISDN store in the SIM also has some interesting
+  properties:
+
+  + Per the spec the MSISDN phonebook is writable by ordinary users, not just
+    admins, and the Mother's experience with real T-Mobile SIMs is that they do
+    indeed allow the user to write anything into MSISDN.
+
+  + Most SIM card issuers allocate multiple records for MSISDN, not just one.
+    It is not clear if ordinary end user phones would do anything useful with
+    the extra records if one were to write something there.
+
+fc-simtool provides a unified set of commands and data formats for working with
+all SIM phonebooks: all pb-* commands take the name of the phonebook to be
+operated on as their first argument.  The following commands are available:
+
+pb-dump PBNAME
+
+This command dumps the full content of the selected phonebook on the terminal.
+The data format for representing SIM phonebook content in UNIX-based text files
+and dumps is described in the SIM-data-formats document in the freecalypso-docs
+repository.
+
+pb-dump PBNAME > outfile
+
+This form of the pb-dump command dumps the full content of the selected
+phonebook, but saves it in the named file instead of sending it to the terminal.
+This form is ideal for making backups of large SIM phonebooks.
+
+pb-dump-rec PBNAME rec
+
+This command dumps a single record from a potentially large phonebook.
+
+pb-dump-rec PBNAME start-rec end-rec
+
+This command dumps the specified range of records from a potentially large
+phonebook.
+
+pb-restore PBNAME filename
+
+This command reads a phonebook data file in the format described in the
+SIM-data-formats document and uploads it into the named SIM phonebook.  Every
+record in the SIM phonebook is overwritten with an UPDATE RECORD command; those
+record indices which do not appear in the data file being restored get blank
+records (0xFF in every byte) written into them.
+
+pb-update PBNAME filename
+
+This command reads a phonebook data file in the format described in the
+SIM-data-formats document and uploads it into the named SIM phonebook, writing
+only those record indices which appear in the data file - each record from the
+data file gets written into the SIM with an UPDATE RECORD command, while all
+other record locations remain untouched.
+
+pb-update-imm PBNAME rec phone-number [alpha-tag]
+
+This command writes a single phonebook entry directly from the command line,
+without going through a data file.  The specific record index to write into must
+always be specified (there is no built-in "find first empty record" function),
+and the entry format for both the phone number and the alpha tag is more relaxed
+compared to the very strict format required in data files:
+
+* The phone number can begin with a '+' character for international format;
+
+* The comma-separated TON/NPI byte is optional and will usually be omitted in
+  ordinary usage - this byte will default to 0x91 if the number begins with '+'
+  or to 0x81 otherwise;
+
+* Double-quotes around the alpha tag argument are required only if it contains
+  spaces or other problematic characters, and can be omitted otherwise;
+
+* If the alpha tag is empty, the last argument can be omitted altogether.
+
+pb-update-imm-hex PBNAME rec phone-number alpha-tag-hex
+
+This command is like pb-update-imm, but the alpha tag argument (required for
+this command) is given in hex - intended for creating phonebook entries with
+UCS-2 alpha tags.
+
+pb-erase PBNAME
+
+This command fully erases the named phonebook.
+
+pb-erase-one PBNAME rec
+
+This command erases the specified individual record in the named phonebook.
+
+pb-erase-range PBNAME start-rec end-rec
+
+This command erases the specified range of records in the named phonebook.  The
+starting record must be identified by number (SIM record numbers are 1-based);
+the ending record argument may be either a number or the "end" keyword.
+
+Enabling and disabling FDN
+==========================
+
+The Fixed Dialing Numbers (FDN) mechanism is normally disabled.  The protocol
+prescribed by GSM SIM specs is that FDN is enabled when the regular ADN
+phonebook is invalidated, and is disabled (unrestricted dialing allowed)
+otherwise.  fc-simtool provides commands for invalidating and rehabilitating
+ADN, thereby enabling and disabling FDN:
+
+inval-adn
+
+This command invalidates ADN and thereby enables FDN.
+
+rehab-adn
+
+This command rehabilitates ADN and thereby disables FDN.
+
+The SIM will only allow inval-adn and rehab-adn operations after you have
+successfully authenticated with PIN2 - see verify-pin2 command description.
+
+GSM SIM specs also stipulate a certain hack to prevent FDN-ignorant phones from
+making "forbidden" unrestricted calls: the specs stipulate that when a SIM
+powers up in an FDN-enabled state (ADN is invalidated), the "smart" logic in
+the SIM invalidates two essential files EF_IMSI and EF_LOCI (needed for GSM
+operation), requiring the phone (ME) to rehabilitate these two files at the
+beginning of every SIM session when FDN is in use.  The thinking must have been
+that if a given ME knows how to do these extra rehab-imsi, rehab-loci steps,
+then it also knows about FDN and will honor it.  Our answer: OK, whatever - but
+we do provide rehab-imsi and rehab-loci commands in fc-simtool.  These
+operations require only CHV1 access, thus PIN1 or no PIN at all depending on
+whether or not PIN1 is enabled - no need for PIN2.
+
+Last Number Dialed (LND)
+========================
+
+Traditional SIMs include a cyclic file that is intended to be updated whenever
+an outgoing call is dialed - but it is up to individual phone designs whether
+they actually update this LND cyclic store or not.  This SIM LND store has the
+same record format as phonebooks, carrying only phone numbers and optional alpha
+tags - there are no fields for date & time, call duration or status as in call
+answered or not.  Because of the limitations of this SIM LND store, most phone
+designs do not use it, and instead go with their own implementation of call
+history lists.
+
+Because this LND store is a cyclic file, not linear fixed like phonebooks, it
+does not allow random access writes: it allows random access reads like all
+regular record-based files, but the only write operation allowed by the SIM
+interface protocol and the SIM file system architecture is writing a new record
+that becomes the new #1, shifting all previous records down and losing the
+oldest one.  Because of this write access limitation, we do not provide the same
+set of operations on LND as for regular phonebooks - but we still provide good
+tinkering ability.  The following commands are available:
+
+lnd-dump
+
+This command dumps the content of the LND store on the terminal, in the same
+format as pb-dump for regular phonebooks.
+
+If you have had your SIM for a very long time, having used it in different
+phones with different firmwares, it may be interesting to look at the output of
+lnd-dump - you may have LND records that were generated ages ago by other
+phones if your current one does not write into SIM LND.
+
+lnd-dump > outfile
+
+This form of the lnd-dump command produces the same dump format, but saves it
+in the named file instead of sending it to the terminal.
+
+lnd-restore filename
+
+This command reads the named phonebook data file (presumably written previously
+with lnd-dump) and writes it into EF_LND on the SIM.  This command works by
+first constructing a full binary image of the desired EF_LND content, then
+writing every record in the reverse order from the last index to the first.
+
+lnd-write phone-number [alpha-tag]
+
+This command writes a new record into the LND cyclic store just like a standard
+phone would do when making a record of a new outgoing call.  The two arguments
+(one required and one optional) are the same as for pb-update-imm.
+
+lnd-erase
+
+This command erases the EF_LND cyclic store, making it appear as if no outgoing
+calls have ever been recorded.  It works by writing a blank record (0xFF in
+every byte) N times, where N is the size of the cyclic store in records.
+
+Manipulating stored SMS
+=======================
+
+The fundamental operating model of all message stores for SMS (whether SIM or
+phone-based) is that received messages accumulate (and possibly sent ones too,
+if they are stored in this manner), the limited available memory fills up, and
+then the user needs to clean out the accumulated messages, preferably also
+archiving them by transferring to a larger computer for longer-term storage.
+Given this fundamental operating model, we only need to provide commands for
+dumping the content of the message store and for cleaning it out - there is no
+real need to implement commands for writing messages into the store.
+
+The extent of special support for the SIM SMS store in fc-simtool is rather
+minimal because it just so happened that we already have external tools that do
+a major part of the work.  Some phone firmwares, particularly that of the
+Pirelli DP-L10 phone currently used by the Mother, implement their on-the-phone
+SMS storage by way of a file in their local flash file system whose binary
+format just happens to be exactly the same as the binary format of SIM-based
+EF_SMS if all 176-byte records are simply abutted together in the host-based
+binary representation.  A few release cycles ago we added a new utility named
+pcm-sms-decode to our FreeCalypso host tools suite; this utility reads a binary
+file in this "EF_SMS records concat" format and performs the quite involved job
+of fully decoding all messages into human-readable form.  Given that we have
+this external pcm-sms-decode utility, all we need to do in fc-simtool is save
+all records of EF_SMS into a single concatenated binary file, and let
+pcm-sms-decode do the rest.
+
+Our dedicated commands for working with the SIM SMS store are as follows:
+
+save-sms-bin host-filename
+
+This command saves the full content of EF_SMS in the named file in the host file
+system in binary format, suitable for further decoding with pcm-sms-decode.
+
+sms-erase-all
+
+This command erases every record entry in EF_SMS.
+
+sms-erase-one rec
+
+This command erases the specified individual record in EF_SMS.
+
+sms-erase-range start-rec end-rec
+
+This command erases the specified range of records in EF_SMS.  The starting
+record must be identified by number (SIM record numbers are 1-based); the
+ending record argument may be either a number or the "end" keyword.
+
+Manipulating SMS parameters
+===========================
+
+SIM cards have an SMS parameter store in the form of record-based file EF_SMSP.
+Its most essential function is to specify the Service Centre Address for
+outgoing SMS, but it can also be put to a few other uses:
+
+* The primary SMSP record that gives the SC address also typically includes PID
+  and DCS parameters.  The only sensible settings that can function as a
+  general-purpose default are PID=0x00 and DCS=0x00, but some SIMs have been
+  seen in the field that set bogus PID and DCS via their SMSP.  It appears that
+  most end user phones ignore these settings, and they have no effect when
+  outgoing SMS are submitted to an AT command modem in PDU mode, but these
+  settings do affect our TI-based AT command modem in text mode - if they are
+  bogus on the SIM, they need to be fixed, either with fc-simtool or in the
+  actual AT modem session with AT+CSMP.
+
+* The same primary SMSP record can also specify a default validity period in
+  one-byte relative VP format.
+
+* Just like the situation with MSISDN, even though only the first record of
+  EF_SMSP is used in practice, most SIM issuers allocate room for a few records.
+  These extra SMSP records are almost always blank,
+
+fc-simtool provides the following commands for working with EF_SMSP:
+
+smsp-dump
+
+This command dumps the full content of EF_SMSP (all records) on the terminal,
+using a lossless text-based format similar to the one we use for phonebooks.
+To illustrate our smsp format by way of examples, here is the output of
+smsp-dump from old T-Mobile USA SIMs that have classic GSM 11.11 SIM
+functionality:
+
+#1: SC=12063130004,0x91 PID=0x00 DCS=0x00 "T-Mobile"
+#2: ""
+#3: ""
+#4: ""
+
+Here is the output from an Austrian S-Budget Mobile SIM from circa-2017:
+
+#1: SC=4365009000000,0x91 PID=0xFF DCS=0xFF VP=173 ""
+#2: ""
+
+As one can see from these examples, T-Mobile allocated 4 records for their
+EF_SMSP, whereas S-Budget Mobile allocated only 2 records for theirs.
+(Sysmocom webshop SIMs sysmoUSIM-SJS1 and sysmoISIM-SJA2 also have 2 records in
+their EF_SMSP.)  Yet only the first record is actually used, and the remaining
+ones are blank.  Note that unlike pb-dump, smsp-dump does not skip blank
+records: it displays every record (the design rationale is that the total number
+of EF_SMSP records is expected to be small), and a blank record is simply one
+that has no parameters present and has an empty alpha tag.
+
+The following parameters may be present in each SMSP record, appearing in the
+smsp-dump output in the same order in which they appear in the SIM binary
+record:
+
+DA=	TP-Destination_Address
+SC=	TS-Service_Centre_Address
+PID=	TP-Protocol_Identifier
+DCS=	TP-Data_Coding_Scheme
+VP=	TP-Validity_Period
+
+The phone numbers in DA= and SC= parameters are emitted in the same format as
+in pb-dump, PID= and DCS= are emitted in hexadecimal with a 0x prefix, and VP=
+is emitted in decimal.  The alpha tag is always emitted at the end of the ASCII
+line, just like in pb-dump.
+
+smsp-dump > outfile
+
+This form of the smsp-dump command produces the same dump of EF_SMSP, but saves
+it in the named file instead of sending it to the terminal.
+
+smsp-restore filename
+
+This command reads a file written by smsp-dump and writes it back to the SIM.
+Both decimal and 0x-prefixed hexadecimal forms are accepted for all 3 of PID=,
+DCS= and VP= parameters.
+
+smsp-set rec params
+
+This command writes a single record into SMSP directly from the command line,
+without going through a data file.  The record index to write to must be given,
+followed by one or more parameters as in DA=, SC=, PID=, DCS= or VP=.  DA= and
+SC= phone numbers can be entered in the same relaxed form as in the
+pb-update-imm command, and the remaining 3 parameters can be either decimal or
+0x-prefixed hexadecimal.  This command leaves the alpha tag field blank.
+
+smsp-set-tag rec alpha-tag params
+
+This command is just like smsp-set, but adds an alpha tag argument.
+
+smsp-erase-all
+
+This command erases every record entry in EF_SMSP.
+
+smsp-erase-one rec
+
+This command erases the specified individual record in EF_SMSP.
+
+smsp-erase-range start-rec end-rec
+
+This command erases the specified range of records in EF_SMSP.  The starting
+record must be identified by number (SIM record numbers are 1-based); the
+ending record argument may be either a number or the "end" keyword.
+
+Identifying MVNO SIMs
+=====================
+
+Many SIMs, particularly those from MVNOs, are programmed by their issuers to
+cause phones to display the name of the MVNO or some other party rather than
+the standard PLMN name decoded from the connected network's MCC-MNC.  This
+"personalization" programming can appear in EF_SPN (old style) or in EF_PNN and
+EF_OPL (newer style).  fc-simtool provides commands to display the content of
+these SIM files in human-readable form:
+
+spn
+pnn-dump
+opl-dump
+
+These commands take no arguments, and their human-readable output is not
+explained in detail here.  If you need to understand the meaning of various
+fields in detail, please refer to 3GPP TS 51.011.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/scripts/fcsim1-default-pins	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,11 @@
+# This fc-simtool command script sets the default PINs for FCSIM1 cards.
+
+grcard2-set-pin1 1234
+grcard2-set-pin2 6666
+grcard2-set-puk1 00099933
+grcard2-set-puk2 00099944
+grcard2-set-adm5 55501234
+
+# Set PIN1 non-volatile state to disabled.
+
+disable-pin1-rpt 1234
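Review bot: The header comment does not say that the PIN1, PIN2, PUK1, PUK2 and ADM5 values set here are fixed values published in this repository, nor that the script finishes by turning the PIN1 requirement off (`disable-pin1-rpt 1234`). Every card programmed with it therefore carries the same known user, unblock and admin codes and never prompts for a PIN. That is reasonable for a development card but should be stated where the values are defined. I would extend the header with `# These are publicly known defaults for development cards; set card-specific PIN/PUK/ADM5 values before a card holds real subscriber data.`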
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/scripts/fcsim1-defprog	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,12 @@
+# This fc-simtool command script defines our default programming
+# for FCSIM1 cards.
+
+exec fcsim1-default-pins
+
+write-sst fcsim1-sst
+plmnsel-erase-all
+fplmn-erase-all
+pnn-erase 1 end
+opl-erase 1 end
+
+grcard2-set-comp128 3
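Review bot: As far as this script and fcsim1-default-pins show, the default programming leaves the vendor SUPER ADM code unchanged. The PIN script sets PIN1, PIN2, PUK1, PUK2 and ADM5 only, while scripts/grcard2-read-all in this changeset authenticates with `verify-ext 11 88888888` as the "default SUPER ADM PIN". If the card allows that code to be changed, a comment here should say whether leaving it at the vendor default is intentional. Separately, the argument of `grcard2-set-comp128 3` is unexplained; a trailing comment such as `# authentication algorithm selection - see doc/GrcardSIM2-programming` would help, assuming that document covers it.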
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/scripts/fcsim1-sst	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,31 @@
+# This data file gives the default SIM Service Table (SST)
+# for FCSIM1 cards.
+
+1	# CHV1 disable function
+2	# ADN
+3	# FDN
+4	# SMS
+5	# AoC
+6	# CCP
+7	# PLMNsel
+
+9	# MSISDN
+10	# EXT1
+11	# EXT2
+12	# SMSP
+13	# LND
+14	# CBMI
+15	# GID1
+16	# GID2
+17	# SPN
+
+25	# data download via SMS-CB
+26	# data download via SMS-PP
+27	# menu selection
+28	# call control
+29	# proactive SIM
+
+38	# GPRS
+
+51	# PNN
+52	# OPL
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/scripts/grcard2-read-all	Sun Mar 14 07:57:09 2021 +0000
@@ -0,0 +1,88 @@
+# This fc-simtool command script reads the content of all EFs
+# on GrcardSIM2 that are known (found with bfsearch-mf) and readable.
+# Both low-level and high-level read commands are used.
+#
+# Some files are readable only to SUPER ADM, hence authentication
+# with the default SUPER ADM PIN is included.
+
+select MF
+verify-ext 11 88888888
+
+readef 2F01 # EF.ATR
+readef 2FE2 # ICCID
+select 8A9B # READ BINARY fails!
+
+# proprietary DF?
+select 2700
+readef 6F00
+
+select DF_TELECOM
+
+# proprietary files
+select 0000 # READ BINARY fails!
+readef 5F00
+readef 5F01
+
+# standard files
+select 6F3A # ADN
+pb-dump adn
+select 6F3B # FDN
+pb-dump fdn
+select 6F3C # SMS
+readef 6F3D # CCP
+select 6F40 # MSISDN
+pb-dump msisdn
+select 6F42 # SMSP
+smsp-dump
+readef 6F43 # SMSS
+select 6F44 # LND
+lnd-dump
+readef 6F4A # EXT1
+readef 6F4B # EXT2
+
+# proprietary files
+readef 6FFB
+readef 6FFC
+readef 6FFD
+readef 6FFE
+
+select DF_GSM
+
+# proprietary files
+select 0000 # READ BINARY fails!
+readef 0001
+readef 000A
+readef 000B
+
+# standard files
+readef 6F05 # LP
+readef 6F07 # IMSI
+readef 6F20 # Kc
+select 6F30 # PLMNsel
+plmnsel-dump
+readef 6F31 # HPLMN
+readef 6F37 # ACMmax
+readef 6F38 # SST
+sst
+readef 6F39 # ACM
+readef 6F3E # GID1
+readef 6F3F # GID2
+readef 6F41 # PUCT
+readef 6F45 # CBMI
+readef 6F46 # SPN
+readef 6F48 # CBMID
+readef 6F52 # KcGPRS
+readef 6F53 # LOCIGPRS
+readef 6F54 # SUME
+readef 6F74 # BCCH
+readef 6F78 # ACC
+readef 6F7B # FPLMN
+fplmn-dump
+readef 6F7E # LOCI
+readef 6FAD # AD
+readef 6FAE # PHASE
+readef 6FAF # proprietary?
+readef 6FC5 # PNN
+pnn-dump
+select 6FC6 # OPL
+opl-dump