From mychaela.falconia at gmail.com Sat Jan 23 19:44:47 2021
From: mychaela.falconia at gmail.com (Mychaela Falconia)
Date: Sat, 23 Jan 2021 11:44:47 -0800
Subject: GSM/2G in USA tips and tricks, SIM card issues and tools
Message-ID:

Hello FreeCalypso community,

Happy New Year to everyone!

I don't know if I am the world's only GSM/2G-interested person who also happens to live in USA, or if there are any other GSM/2G users living in these lands - but if you are someone who cares about GSM and you live in USA, you know that the situation is bleak here. T-Mobile USA is the only remaining nationwide operator of a GSM/2G network here: there may be some local or regional operators in some parts of the country, but none where I live in Southern California, hence T-Mobile is all that exists where I live. I haven't been following any official updates since the 2020 world scamdemic hit the fan, but last I heard, they were threatening to shut their 2G service down at the end of 2020. Today is Jan 23 and my service still works - who knows, perhaps the scamdemic upheavals upset their plans somehow. In any case, I intend to keep using this network till its (and my own) last breath, generating some call traffic on it every single day.

As a new development, over the last few months I have become active in the local Reopen San Diego group (www.reopensd.org), a group of local freedom lovers fighting against scamdemic tyranny and lockdowns. I have been proudly showing my 2G dumbphones (my own Pirelli DP-L10, Motorola C139, and my dear life partner's Nokia C3-00) to everyone in the group, and some people have expressed an interest in getting a phone similar to mine. Thus I've been looking into ways to onboard new users onto T-Mobile's unwanted GSM/2G network, the one they are itching to kill.

One thing that the evil owners of T-Mobile have been doing is that they don't want any new 2G users signing up, only "grandfathered" ones who got their SIMs ages ago.
Toward this end, all new SIMs which they currently issue have been maliciously hobbled: they have disabled the classic GSM 11.11 SIM application, leaving only USIM and ISIM. The symptom is when you issue a SELECT command to the SIM to select DF_GSM (a required step for accessing many essential SIM files like the IMSI, and for running GSM A3+A8 authentication and Kc generation), it returns 0x9404 (file ID not found) error. These evil SIMs, as I call them, are unusable in the vast majority of classic 2G phones - there are some very few 2G phones of very late era whose software stacks implement the USIM protocol in addition to classic SIM, and these super-late-era 2G phones (like Nokia C3-00) do work with the evil SIMs - but most classic 2G phones can never work.

As far as I can tell, there is nothing in Calypso SIM interface hardware that would preclude our Calypso devices from being able to speak the USIM protocol in addition to classic SIM, if we were to do the massive rearchitecture work on our firmware that would be needed. However, it would be pointless to do this work right now: if we were to do this work now, our AT-command-controlled modems will gain the ability to work with USIM-only evil SIMs, but there would be no immediate benefit to the end user population. Right now we are still very far away from a practically usable FreeCalypso end user phone: all we have are toys to play with in a lab, but nothing that can be used as a "daily driver" phone yet. Hence those of us who desire a 2G dumbphone for everyday use still need to use Motorola's or Pirelli's original proprietary fw on their respective models, and those solid blob firmwares only support the classic SIM protocol, not USIM.

However, I have found a workable solution for onboarding new users onto T-Mobile's 2G network, bypassing their evil SIMs - the trick is to use certain T-Mobile MVNOs whose SIMs are still good.
There is a huge proliferation of MVNOs who resell services running on T-Mobile's network. I never previously paid much attention to them (my reasoning was "why deal with the extra layer of an MVNO, why not get service directly from the real network operator"), but right now some of these MVNOs are coming to our rescue - not that they have any desire to help us, of course, but they just happen to still issue non-evil SIMs.

When T-Mobile's own customer service adamantly refused to sell me a batch of non-activated SIMs (for handing out to other people, for them to activate on their own service and billing accounts) with the classic SIM application enabled, I reached out to one of my contacts in Texas who also works with 2G phones (his business is in unlocking and reselling them), and I asked him if he knew of any solution. His recommendation was to try Speedtalk SIMs - Speedtalk is a T-Mobile-based MVNO - and lo and behold, these Speedtalk SIMs still work!

Unactivated ("blank" as in can be given to other people to activate on their own account) Speedtalk SIMs are readily available on both Amazon and ebay, and these SIMs can be tested for 2G compatibility even before activation, i.e., you can test your SIM and make sure it is good *before* doing the activation step where you have to create your account and pay for service. If one inserts an unactivated SIM into a FreeCalypso device or some other functionally equivalent phone (such as Mot C139 or Pirelli DP-L10 running its original fw), the phone will successfully read the IMSI from the SIM, connect to the GSM network (with authentication as required), and everything will appear to be working - although you will have no phone number yet, and you won't be able to actually make any calls until the service is activated - but the phone display will show normal connection to the GSM network.
I am also working on a new software tool that will allow this SIM testing to be done without any phone at all, instead inserting the SIM into a smart card "reader" device (CCID) connected to a computer - this alternate test path will allow newly acquired SIMs (especially those intended for distribution to other people) to be tested *without* breaking them out of the credit-card-sized carrier they come on!

Because I haven't got this CCID-based SIM test framework implemented yet (I am just starting this work), when I got my first batch of "blank" (not yet activated, but available for activation) Speedtalk SIMs from Amazon, I took one of those SIMs and broke out the 2FF-sized part from the full credit-card-sized carrier. I then inserted this broken-out 2FF SIM card into an FCDEV3B, and gave it a spin - keep in mind, this is all being done prior to the card being activated as in account setup for service and billing.

AT+CFUN=1 was successful, yay! In contrast, with T-Mobile-branded evil SIMs this AT+CFUN=1 operation immediately fails, and unfortunately we have poor error reporting currently, it says "SIM not inserted" instead of a more proper error about the SIM being evil and failing SELECT of DF_GSM.

Back to these new-to-me Speedtalk SIMs, once AT+CFUN=1 succeeded, I started probing around. AT+CIMI successfully returned an IMSI, with the first 6 digits being 310260 - yup, that's T-Mobile USA. Then I gave our modem an AT+COPS=0 command, to actually connect to the network. And guess what: registration successful! AT+COPS? query returns some MVNO-modified string for the operator name instead of "T-Mobile", so it looks like the SIM has this MVNO display name programmed in it, and our TI-based software stack actually supports this silly gimmick - but it is just a cosmetic display issue.

I then moved this still-unactivated Speedtalk SIM from the FCDEV3B into a Motorola C139 phone running an unlocked (no carrier branding) version of Motorola's official fw.
Result: once again successful network registration, with the MVNO-modified network name (I forgot the exact spelling, something along the lines of "stk.mobi") appearing on the phone display where it says "T-Mobile" with my own legacy SIMs from many years ago.

I then reached out to my friend from the Reopen San Diego group who wanted to be set up with a new 2G phone and service to replace her iPhone, gave her the good news, and gave her the go-ahead to create her service and billing account with Speedtalk. She activated the SIM which we put into the C139, and on Wednesday night at a Reopen SD group meeting, I gave her the phone with the SIM in it. We turned it on at the meeting place, it immediately found the GSM network, and it quickly received the usual "welcome" SMS which you typically get with a newly activated service.

So we did it - we successfully onboarded an entirely new user onto T-Mobile's 2G network with a most traditional 2G phone, using SIM cards that are currently available from Amazon or ebay!

As the next step, I am now working on a software tool for testing SIM cards without any phone at all, instead using smart card "reader" devices that connect to a computer via USB:

http://shop.sysmocom.de/t/sim-card-related/card-readers

I learned about their existence by way of Sysmocom's webshop product listings above, but as much as I would love to give more business to Sysmocom, there is currently some kind of snafu going on between German postal service and USPS, and the last item I ordered from Sysmocom back in November still hasn't arrived. (When I emailed them, they told me that all other USA customers are in the same situation, haven't received orders placed back in November!) Thus I have to source the hardware more locally, from USA-based ebay sellers.
I already have an Omnikey 6121 CCID, the one that takes 2FF cards, and I recently placed an order (ebay, USA-based seller) for an Omnikey 3121, the one that takes full-size cards, now waiting for that one to arrive.

I am using my current Omnikey 6121 CCID for development of my SIM testing tools. Osmocom people have a lot of tools that talk to SIMs, USIMs and ISIMs via these same USB CCIDs, so I am taking some inspiration from them. At the lowest level of the stack they use pcsc-lite, and I am using the same - getting it up and running under Slackware was quite a learning curve, but I got it working.

But for the upper layers Osmocom people have chosen to use Python (with pyscard making the binding to pcsc-lite underneath), and this is where I and those Osmocom people have to diverge - as a devoted life-long C lover, I absolutely detest Python. (And the recent-to-me Python2 vs. Python3 dichotomy only makes it worse.) I got osmo-sim-auth.py working on my Slackware system, but I haven't braved pySim yet.

But while I do need to have Osmocom/Sysmocom Python tools working in order to program Sysmocom SIMs (the two packs of SIMs with ADM1 keys are the item I am currently waiting for, the one I ordered in November), trying to learn enough Python to make my own functional additions to Osmocom SIM tools is not going to be my path - instead I am writing my own tools in C, talking directly to libpcsclite C API. I got a couple of test programs in freecalypso-hwlab Hg repository that test the basic functionality of connecting to a SIM via a USB CCID via libpcsclite and pcscd, and as my next step I will be writing a fancier program that will send various APDU commands to the SIM.
My focus is strictly on the classic GSM 11.11 SIM protocol, no USIM or ISIM, and I am also focusing on standard SIM functionality, meaning functions that should be exercisable on any issuer's SIM: I want to be able to enable and disable CHV, read ID files like IMSI and MSISDN, read and maybe even write SIM-stored phonebook entries and SMS, that kind of thing.

As for programmable SIMs and the special magic they need for programming operations, I gladly leave that functionality to existing Osmocom/Sysmocom tools, provided that I get them working when the time comes.

So stay tuned for some new C-language SIM tools coming soon!

Hasta la Victoria, Siempre,
Mychaela aka The Mother


From mychaela.falconia at gmail.com Tue Jan 26 05:10:53 2021
From: mychaela.falconia at gmail.com (Mychaela Falconia)
Date: Mon, 25 Jan 2021 21:10:53 -0800
Subject: New SIM card testing and peek/poke tool
Message-ID:

Hello FC community,

I am pleased to introduce a new FreeCalypso tool: fc-simtool. This program runs on a general-purpose computer (PC/laptop/etc) equipped with a smart card "reader" device like the HID Omnikey readers sold by Sysmocom, and it talks to a SIM card inserted into that "reader" device - a PC host program talking directly to a SIM card, *without* going through any kind of phone or other GSM device!

Available functions are:

* All spec-mandated SIM PIN operations are supported: verifying, enabling, disabling, changing and unblocking PINs.

* One can read all data items (elementary files in spec terminology) that are stored on the SIM and are accessible via the standard protocol - basically everything other than the cryptographic keys which the SIM never reveals. Any EF (whether fc-simtool knows it or not) can be displayed in raw hex, but for some important SIM files there are higher-level decoding and display functions. The content of all 4 SIM phonebooks (ADN, FDN, SDN, MSISDN) can be dumped in fully decoded form and saved into a file.
  To read SMS stored on the SIM, use the savebin command to save EF_SMS into a binary file on your Unix host system, then use pcm-sms-decode (added to FC host tools a few releases ago) to fully decode.

* If you know what you are doing, you can make some writes to the SIM too, to those files which the SIM will allow you to modify. You can restore a raw binary backup previously made with savebin, you can write to phonebooks in the same high-level format that is emitted by the pb-dump command (restoring backups or making new modifications, up to you), and if you really know what you are doing, you can write your own arbitrary bytes in hex.

fc-simtool only speaks the classic GSM 11.11 SIM protocol, no USIM or ISIM support, nor does it support any of the beyond-the-standards proprietary commands used by various programmable SIMs - those other functions are already performed well by Osmocom SIM tools, no need to duplicate.

fc-simtool can be used together with a card "reader" device like Omnikey 3121 to test SIMs for 2G compatibility (tell if a SIM is good or if it's an evil one like T-Mobile USA currently issues) without breaking the little SIM out of the credit-card-sized carrier, and if you are a truly devoted GSM/2G enthusiast and tinkerer in general, it is nice to be able to play with SIMs directly in their most native form.

Because fc-simtool requires pcsc-lite (specifically libpcsclite and its C headers), it won't be included in the base FC host tools package which does not allow any weird dependencies. Instead it resides in the freecalypso-hwlab Hg repository, to be used by those who have the necessary hardware (smart card "reader" devices) and who will go through the pain of installing the necessary exotic software if they need this arguably esoteric functionality.

Oh, and if anyone in our community besides me has any SysmoUSIM-SJS1 cards made by Sysmocom, you might find it interesting that they have their MSISDN record misprogrammed.
This SIM has 34-byte records for EF_MSISDN, allowing 20 bytes of alpha tag (rarely used for MSISDN) before the required 14-byte structure, but it is misprogrammed in that the phone number record (the part that is supposed to be at the beginning of the standard 14-byte structure) starts at byte offset 0x12 instead of 0x14. The length and TON/NPI bytes are thus written into the last two bytes of the space allotted for the alpha tag instead of their proper place in the 14-byte structure, and the packed digit bytes that follow are shifted accordingly.

Now I know why the number reported by AT+CFUN when I stick one of those SIMs into an FCDEV3B does not match what Sysmocom's manual says. :)

But with fc-simtool this misprogramming can be trivially fixed by writing a new MSISDN record with whatever number you like, and no ADM keys are needed: GSM specs say that EF_MSISDN should be writable by ordinary users just like EF_ADN (only CHV1 required), and Sysmocom's SIM engineers apparently agreed, as I can write that file without ADM keys.

Further on the subject of the MSISDN record stored in SIM cards, it is the record which all standard phones display when you select "Show my own phone number" or whatever it is called in the menu. As Osmocom people explain to newbies who are just starting to run their own GSM networks and issue their own SIMs, this MSISDN record is not needed for any actual functionality as in phones connecting to the network, making and receiving calls: when a network pages a phone to connect a mobile-terminated call, it does so by IMSI/TMSI, not by directory number, and the phone does NOT need to know its own number in order to answer that call. But of course life-long users of GSM/2G phones and services do expect to see the correct number when they select "Show my own phone number" in the menu, hence I argue that the MSISDN record in the SIM does need to be programmed correctly.
Mainstream operators have some kind of OTA provisioning mechanism for it: unactivated SIM cards are shipped with this MSISDN record blank, and when you activate a line, they send some kind of special SMS to the SIM that causes a SIM-embedded OTAP application to write your newly activated phone number to the MSISDN record. The same procedure is repeated if you ask the phone company to give you a new number on an existing line without changing the SIM - the MSISDN record magically updates. Replicating this feat in our own indie networks will take some work, but in the meantime we can program the MSISDN record manually with fc-simtool.

Hasta la Victoria, Siempre,
Mychaela aka The Mother
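The EF_MSISDN record layout and the 2-byte shift described in the second message, as an added example that is not part of the post and not fc-simtool's code: a decoder that finds the 14-byte number structure wherever it landed in a record (generalizing the 0x12-versus-0x14 case to any shift), and an encoder that builds a correctly laid out record of the kind one would write back with CHV1 only. The layout follows GSM 11.11 for EF_ADN/EF_MSISDN; the 34-byte sample record, its alpha tag and its phone number are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* GSM 11.11 EF_ADN/EF_MSISDN record: alpha tag of (record length - 14) bytes, then 14 bytes:
 * BCD length (counts the TON/NPI byte), TON/NPI, 10 packed BCD digit bytes, CCP, EXT1. */
#define FIXED_PART 14
#define BCD_BYTES  10

/* Locate and unpack the number structure. Returns its byte shift from the canonical
 * offset (0 = correct, 2 = the misprogramming described above), or -1 if none found. */
int msisdn_decode(const uint8_t *rec, int reclen, char *out, size_t outsz, uint8_t *tonnpi)
{
    int canon = reclen - FIXED_PART;
    for (int off = canon; off >= 0; off--) {
        int len = rec[off], n = 0;          /* bytes that follow: TON/NPI + digits */
        if (len < 2 || len > BCD_BYTES + 1)
            continue;
        for (int i = 0; i < 2 * (len - 1) && (size_t)n + 1 < outsz; i++) {
            uint8_t d = (rec[off + 2 + i / 2] >> (4 * (i & 1))) & 0x0F;
            if (d == 0x0F)
                break;                      /* 0xF pads an odd digit count */
            out[n++] = d <= 9 ? '0' + d : d == 0x0A ? '*' : d == 0x0B ? '#' : 'p';
        }
        if (n > 0) {
            out[n] = '\0';
            *tonnpi = rec[off + 1];
            return canon - off;
        }
    }
    return -1;
}

/* Build a correctly laid out record to write back (EF_MSISDN needs only CHV1).
 * A leading '+' selects TON international; NPI is ISDN/telephony. 0 on success. */
int msisdn_encode(uint8_t *rec, int reclen, const char *alpha, const char *num)
{
    int canon = reclen - FIXED_PART, intl = num[0] == '+';
    size_t nd = strlen(num += intl);
    if (canon < 0 || nd == 0 || nd > 2 * BCD_BYTES || strlen(alpha) > (size_t)canon)
        return -1;
    memset(rec, 0xFF, reclen);
    memcpy(rec, alpha, strlen(alpha));
    rec[canon] = 1 + (nd + 1) / 2;          /* TON/NPI byte + packed digit bytes */
    rec[canon + 1] = intl ? 0x91 : 0x81;
    for (size_t i = 0; i < nd; i++) {
        uint8_t *b = &rec[canon + 2 + i / 2], v = num[i] - '0';
        if (v > 9) return -1;               /* only dialling digits accepted here */
        *b = (i & 1) ? (*b & 0x0F) | v << 4 : 0xF0 | v;
    }
    return 0;
}

/* Constructed sample: 34-byte record whose structure starts at 0x12, not 0x14 (number made up). */
const uint8_t misprogrammed_record[34] = {
    'O','w','n', 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0x07,0x91, 0x61,0x91,0x55,0x15,0x32,0xF4,0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF, 0xFF,0xFF };
```

On a correctly programmed card msisdn_decode returns 0; the sample above returns 2, the shift the message describes, while reading the canonical offset directly would misinterpret the first digit byte as the length.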