Update on the quest for programmable SIMs

Mychaela Falconia mychaela.falconia at gmail.com
Fri Feb 26 06:01:33 UTC 2021


Hello FC community,

I finally have a share-worthy update on my quest to get programmable
SIM cards (for running our own GSM networks) that are GSM-centric,
rather than newer-tech-centric.  Earlier today I received the sample
cards from Grcard in China, the ones I've been anxiously waiting for
since before Lunar New Year, and they are quite interesting:

* As far as I can tell, these cards appear to be exactly the same
model that was resold by Sysmocom aeons ago as sysmoSIM-GR2.  The
cards I just got give the same ATR as the one listed for the
historical GR2, all of the ADM authentication and PIN setting commands
listed on the GrcardSIM2 Osmocom wiki page work on these cards exactly
as described, and the non-standard file for writing Ki and COMP128
algorithm selection also works: I tried writing my own Ki and all 3
COMP128 selections, sent a RUN GSM ALGO test command to the SIM, and
the output matches osmo-auc-gen in every test case.

* These cards are truly native GSM SIMs, *not* UICCs that merely support
the GSM SIM protocol as a backward compatibility mode: the cards
respond to UICC protocol commands (CLA=0x00) with SW 6E00 (unsupported
CLA), and there is no EF.DIR file.

* Compared to the Grcard1 version (sysmoSIM-GR1), these Grcard2 SIMs have
two improvements that I can see:

1) Grcard1 had a hole in its PIN security: the commands for resetting
PIN1/PIN2/PUK1/PUK2 were completely unauthenticated, thus anyone who
knows the non-standard proprietary commands (which are now documented
in Osmocom wiki and implemented in fc-simtool) can trivially blow away
all PIN security.  This hole has been plugged in Grcard2: it has
different proprietary command APDUs for resetting PIN1/PIN2/PUK1/PUK2,
but the important difference is not the APDU change, but the security
change: the new commands work only if you have authenticated as ADM
or SUPER ADM.  The default SUPER ADM PIN is 88888888, and if you keep
this default, there is no security - but if you need PIN security, you
can reset all PINs including ADM and SUPER ADM to your own per-card
secrets.

2) Decoding the ATRs for Grcard1 and Grcard2, it appears that Grcard1
does not support any speed enhancement (only F=372 D=1), whereas
Grcard2 supports F=512 D=8.  I have yet to test one of these cards in
a FreeCalypso modem, though.

So far these cards look good, and if Grcard folks hold to their word
in terms of the prices they quoted me earlier, then we should be able
to get a few hundred of these cards made with custom printing (I am
shooting for the same level of aesthetic quality as the beautiful
peach and mint SJS1 cards Sysmocom made before switching to SJA2), and
essentially bring back the discontinued sysmoSIM-GR2 product!

I will be doing a lot more back-and-forth email exchanges with Grcard
folks before placing the big order, though:

* The formatting these cards came with (which EFs have been created
and with what allocated sizes) is not exactly to my liking: some files
I am interested in are missing, others are too small.  I asked Grcard
folks to change this formatting, i.e., change some sizes and add some
missing files.  We'll see if they cooperate; if they refuse, I will
probably still order a small batch (maybe 100 or 200 cards) just to
bring sysmoSIM-GR2 back from the grave, but if they cooperate with my
file system change requests, I would be inclined to give them a lot
more of my business.

* Using Sysmocom cards (SJS1 and SJA2), I was able to get OTA file
programming via SMS-PP to work: I can send a properly authenticated
and encrypted over-the-air message to the SIM and program the MSISDN
record with a new phone number, just like traditional GSM networks do.
I would really like to be able to do the same trick with these Grcard2
SIMs - hence I am asking Grcard if this capability exists and how to
work it.

It is also worth noting that these Grcard2 SIMs have the full set of 8
contacts rather than just the usual 6.  Naturally I have no way of
knowing if the extra C4 and C8 contacts actually do anything on these
cards, or if they are just non-functional contact pads.  Of course it
doesn't matter one bit in practice as all standard phones leave C4 and
C8 unconnected, but a SIM with 8 contacts is a rare sight.  I will be
getting our cards made in 2FF-only cut, with the 2FF piece being fully
solid.  If someone needs to cut their card down to 3FF, they should be
able to do it by manual cutting - but if someone wishes to cut down to
4FF, doing so would involve cutting through those non-understood C4
and C8 contacts - and I have no idea if doing so would ruin the actual
IC, depending on how big it is and where it is located below the
visible parts.

Hasta la Victoria, Siempre,
Mychaela aka The Mother

P.S. Given that the cards I just got appear to be exactly the same as
sysmoSIM-GR2, I don't think I will need the remote access to the last
GR2 card from 30C3 which Harald graciously offered earlier this week
on the openbsc mailing list.
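
The F and D speed parameters mentioned above come from the TA1 interface byte of the card's ATR. The following is an added example, not part of the post or of fc-simtool, that walks an ATR's interface bytes and maps TA1 to F and D using the ISO/IEC 7816-3 Fi/Di tables; the sample ATRs are constructed for illustration and are not the real Grcard1/Grcard2 ATRs.

```python
# ISO/IEC 7816-3 tables: Fi (high nibble of TA1) -> clock rate conversion
# integer F, Di (low nibble of TA1) -> baud rate adjustment integer D.
# Codes missing from the tables are reserved for future use (RFU).
FI_TABLE = {0x0: 372, 0x1: 372, 0x2: 558, 0x3: 744, 0x4: 1116, 0x5: 1488,
            0x6: 1860, 0x9: 512, 0xA: 768, 0xB: 1024, 0xC: 1536, 0xD: 2048}
DI_TABLE = {0x1: 1, 0x2: 2, 0x3: 4, 0x4: 8, 0x5: 16, 0x6: 32, 0x7: 64,
            0x8: 12, 0x9: 20}


def parse_atr(atr: bytes) -> dict:
    """Walk TS, T0 and the chained interface bytes (TAi/TBi/TCi/TDi)."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not a valid ATR (bad or missing TS byte)")
    iface = {}
    pos = 1
    y = atr[pos] >> 4          # T0 high nibble: which of TA1..TD1 follow
    hist_len = atr[pos] & 0x0F  # T0 low nibble: number of historical bytes
    pos += 1
    i = 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                iface[f"{name}{i}"] = atr[pos]
                pos += 1
        if not (y & 8):        # no TDi means no further interface bytes
            break
        y = iface[f"TD{i}"] >> 4  # TDi high nibble announces TA/TB/TC/TD(i+1)
        i += 1
    return {"interface": iface, "historical": atr[pos:pos + hist_len]}


def speed_params(atr: bytes) -> tuple:
    """Return (F, D) from TA1; a card without TA1 runs at the default 372/1."""
    ta1 = parse_atr(atr)["interface"].get("TA1", 0x11)
    fi, di = ta1 >> 4, ta1 & 0x0F
    if fi not in FI_TABLE or di not in DI_TABLE:
        raise ValueError(f"TA1=0x{ta1:02X} uses an RFU Fi/Di code")
    return FI_TABLE[fi], DI_TABLE[di]


# Constructed sample ATRs (T=0, no checksum byte): one with an explicit
# TA1=0x11 (F=372 D=1), one with TA1=0x94 (F=512 D=8) plus a TD1/TA2 chain.
ATR_BASIC = bytes.fromhex("3B111180")
ATR_ENHANCED = bytes.fromhex("3B90941080")

if __name__ == "__main__":
    for label, atr in (("basic", ATR_BASIC), ("enhanced", ATR_ENHANCED)):
        print(label, "F=%d D=%d" % speed_params(atr))
```

A card whose TA1 advertises something other than F=372 D=1 only runs faster if the reader or modem actually negotiates it with a PPS exchange, so the ATR alone shows capability, not the speed in use.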

