WIP.. EF.auth changes

The PIN-ADM has to given on the command line as it is provisioned
different for each card.
Currently only Ki, Op and IMSI are provisioned.

pySim-prog.py

@@ -62,6 +62,9 @@ def parse_options():
 			help="Card type (user -t list to view) [default: %default]",
 			default="auto",
 		)
+	parser.add_option("-a", "--pin-adm", dest="pin_adm",
+			help="ADM PIN used for provisioning (overwrites default)",
+		)
 	parser.add_option("-e", "--erase", dest="erase", action='store_true',
 			help="Erase beforehand [default: %default]",
 			default=False,
@@ -105,6 +108,9 @@ def parse_options():
 	parser.add_option("--op", dest="op",
 			help="Set OP to derive OPC from OP and KI",
 		)
+	parser.add_option("--acc", dest="acc",
+			help="Set ACC bits (Access Control Code). not all card types are supported",
+		)
 
 
 	parser.add_option("-z", "--secret", dest="secret", metavar="STR",
@@ -221,7 +227,7 @@ def derive_milenage_opc(ki_hex, op_hex):
 	return b2h(strxor(opc_bytes, h2b(op_hex)))
 
 def gen_parameters(opts):
-	"""Generates Name, ICCID, MCC, MNC, IMSI, SMSP, Ki from the
+	"""Generates Name, ICCID, MCC, MNC, IMSI, SMSP, Ki, PIN-ADM from the
 	options given by the user"""
 
 	# MCC/MNC
@@ -316,6 +322,17 @@ def gen_parameters(opts):
 			'00'			# TP-Validity period
 		)
 
+	# ACC
+	if opts.acc is not None:
+		acc = opts.acc
+		if not _ishex(acc):
+			raise ValueError('ACC must be hex digits only !')
+		if len(acc) != 2*2:
+			raise ValueError('ACC must be exactly 2 bytes')
+
+	else:
+		acc = None
+
 	# Ki (random)
 	if opts.ki is not None:
 		ki = opts.ki
@@ -335,6 +352,14 @@ def gen_parameters(opts):
 	else:
 		opc = ''.join(['%02x' % random.randrange(0,256) for i in range(16)])
 
+	if opts.pin_adm is not None:
+		if len(opts.pin_adm) > 8:
+			raise ValueError("PIN-ADM needs to be <=8 digits")
+		pin_adm = ''.join(['%02x'%(ord(x)) for x in opts.pin_adm])
+		pin_adm = rpad(pin_adm, 16)
+	else:
+		pin_adm = None
+
 
 	# Return that
 	return {
@@ -346,6 +371,8 @@ def gen_parameters(opts):
 		'smsp'	: smsp,
 		'ki'	: ki,
 		'opc'	: opc,
+		'acc'	: acc,
+		'pin_adm' : pin_adm,
 	}
 
 
@@ -359,6 +386,7 @@ def print_parameters(params):
  > IMSI    : %(imsi)s
  > Ki      : %(ki)s
  > OPC     : %(opc)s
+ > ACC     : %(acc)s
 """	% params
 
 

pySim-read.py

@@ -0,0 +1,141 @@
+#!/usr/bin/env python
+
+#
+# Utility to display some informations about a SIM card
+#
+#
+# Copyright (C) 2009  Sylvain Munaut <tnt@246tNt.com>
+# Copyright (C) 2010  Harald Welte <laforge@gnumonks.org>
+# Copyright (C) 2013  Alexander Chemeris <alexander.chemeris@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import hashlib
+from optparse import OptionParser
+import os
+import random
+import re
+import sys
+
+try:
+	import json
+except ImportError:
+	# Python < 2.5
+	import simplejson as json
+
+from pySim.commands import SimCardCommands
+from pySim.utils import h2b, swap_nibbles, rpad, dec_imsi, dec_iccid
+
+
+def parse_options():
+
+	parser = OptionParser(usage="usage: %prog [options]")
+
+	parser.add_option("-d", "--device", dest="device", metavar="DEV",
+			help="Serial Device for SIM access [default: %default]",
+			default="/dev/ttyUSB0",
+		)
+	parser.add_option("-b", "--baud", dest="baudrate", type="int", metavar="BAUD",
+			help="Baudrate used for SIM access [default: %default]",
+			default=9600,
+		)
+	parser.add_option("-p", "--pcsc-device", dest="pcsc_dev", type='int', metavar="PCSC",
+			help="Which PC/SC reader number for SIM access",
+			default=None,
+		)
+
+	(options, args) = parser.parse_args()
+
+	if args:
+		parser.error("Extraneous arguments")
+
+	return options
+
+
+if __name__ == '__main__':
+
+	# Parse options
+	opts = parse_options()
+
+	# Connect to the card
+	if opts.pcsc_dev is None:
+		from pySim.transport.serial import SerialSimLink
+		sl = SerialSimLink(device=opts.device, baudrate=opts.baudrate)
+	else:
+		from pySim.transport.pcsc import PcscSimLink
+		sl = PcscSimLink(opts.pcsc_dev)
+
+	# Create command layer
+	scc = SimCardCommands(transport=sl)
+
+	# Wait for SIM card
+	sl.wait_for_card()
+
+	# Program the card
+	print("Reading ...")
+
+	# EF.ICCID
+	(res, sw) = scc.read_binary(['3f00', '2fe2'])
+	if sw == '9000':
+		print("ICCID: %s" % (dec_iccid(res),))
+	else:
+		print("ICCID: Can't read, response code = %s" % (sw,))
+
+	# EF.IMSI
+	(res, sw) = scc.read_binary(['3f00', '7f20', '6f07'])
+	if sw == '9000':
+		print("IMSI: %s" % (dec_imsi(res),))
+	else:
+		print("IMSI: Can't read, response code = %s" % (sw,))
+
+	# EF.SMSP
+	(res, sw) = scc.read_record(['3f00', '7f10', '6f42'], 1)
+	if sw == '9000':
+		print("SMSP: %s" % (res,))
+	else:
+		print("SMSP: Can't read, response code = %s" % (sw,))
+
+	# EF.HPLMN
+#	(res, sw) = scc.read_binary(['3f00', '7f20', '6f30'])
+#	if sw == '9000':
+#		print("HPLMN: %s" % (res))
+#		print("HPLMN: %s" % (dec_hplmn(res),))
+#	else:
+#		print("HPLMN: Can't read, response code = %s" % (sw,))
+	# FIXME
+
+	# EF.ACC
+	(res, sw) = scc.read_binary(['3f00', '7f20', '6f78'])
+	if sw == '9000':
+		print("ACC: %s" % (res,))
+	else:
+		print("ACC: Can't read, response code = %s" % (sw,))
+
+	# EF.MSISDN
+	try:
+	#	print(scc.record_size(['3f00', '7f10', '6f40']))
+		(res, sw) = scc.read_record(['3f00', '7f10', '6f40'], 1)
+		if sw == '9000':
+			if res[1] != 'f':
+				print("MSISDN: %s" % (res,))
+			else:
+				print("MSISDN: Not available")
+		else:
+			print("MSISDN: Can't read, response code = %s" % (sw,))
+	except:
+		print "MSISDN: Can't read. Probably not existing file"
+
+	# Done for this card and maybe for everything ?
+	print "Done !\n"

pySim/cards.py

@@ -22,7 +22,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-from pySim.utils import b2h, h2b, swap_nibbles, rpad, lpad
+from pySim.utils import b2h, h2b, swap_nibbles, rpad, lpad, enc_imsi, enc_iccid, enc_plmn
 
 
 class Card(object):
@@ -30,20 +30,6 @@ class Card(object):
 	def __init__(self, scc):
 		self._scc = scc
 
-	def _e_iccid(self, iccid):
-		return swap_nibbles(rpad(iccid, 20))
-
-	def _e_imsi(self, imsi):
-		"""Converts a string imsi into the value of the EF"""
-		l = (len(imsi) + 1) // 2	# Required bytes
-		oe = len(imsi) & 1			# Odd (1) / Even (0)
-		ei = '%02x' % l + swap_nibbles(lpad('%01x%s' % ((oe<<3)|1, imsi), 16))
-		return ei
-
-	def _e_plmn(self, mcc, mnc):
-		"""Converts integer MCC/MNC into 6 bytes for EF"""
-		return swap_nibbles(lpad('%d' % mcc, 3) + lpad('%d' % mnc, 3))
-
 	def reset(self):
 		self._scc.reset_card()
 
@@ -103,7 +89,7 @@ class _MagicSimBase(Card):
 		self._scc.select_file(['3f00', '7f4d'])
 
 		# Home PLMN in PLMN_Sel format
-		hplmn = self._e_plmn(p['mcc'], p['mnc'])
+		hplmn = enc_plmn(p['mcc'], p['mnc'])
 
 		# Operator name ( 3f00/7f4d/8f0c )
 		self._scc.update_record(self._files['name'][0], 2,
@@ -118,10 +104,10 @@ class _MagicSimBase(Card):
 			v += p['ki']
 
 			# ICCID
-		v += '3f00' + '2fe2' + '0a' + self._e_iccid(p['iccid'])
+		v += '3f00' + '2fe2' + '0a' + enc_iccid(p['iccid'])
 
 			# IMSI
-		v += '7f20' + '6f07' + '09' + self._e_imsi(p['imsi'])
+		v += '7f20' + '6f07' + '09' + enc_imsi(p['imsi'])
 
 			# Ki
 		if self._ki_file:
@@ -130,6 +116,12 @@ class _MagicSimBase(Card):
 			# PLMN_Sel
 		v+= '6f30' + '18' +  rpad(hplmn, 36)
 
+			# ACC
+			# This doesn't work with "fake" SuperSIM cards,
+			# but will hopefully work with real SuperSIMs.
+		if p.get('acc') is not None:
+			v+= '6f78' + '02' + lpad(p['acc'], 4)
+
 		self._scc.update_record(self._files['b_ef'][0], 1,
 			rpad(v, self._files['b_ef'][1]*2)
 		)
@@ -141,7 +133,7 @@ class _MagicSimBase(Card):
 		r = self._scc.select_file(['3f00', '7f20', '6f30'])
 		tl = int(r[-1][4:8], 16)
 
-		hplmn = self._e_plmn(p['mcc'], p['mnc'])
+		hplmn = enc_plmn(p['mcc'], p['mnc'])
 		self._scc.update_binary('6f30', hplmn + 'ff' * (tl-3))
 
 	def erase(self):
@@ -227,7 +219,7 @@ class FakeMagicSim(Card):
 		r = self._scc.select_file(['3f00', '7f20', '6f30'])
 		tl = int(r[-1][4:8], 16)
 
-		hplmn = self._e_plmn(p['mcc'], p['mnc'])
+		hplmn = enc_plmn(p['mcc'], p['mnc'])
 		self._scc.update_binary('6f30', hplmn + 'ff' * (tl-3))
 
 		# Get total number of entries and entry size
@@ -237,8 +229,8 @@ class FakeMagicSim(Card):
 		entry = (
 			'81' +								#  1b  Status: Valid & Active
 			rpad(b2h(p['name'][0:14]), 28) +	# 14b  Entry Name
-			self._e_iccid(p['iccid']) +			# 10b  ICCID
-			self._e_imsi(p['imsi']) +			#  9b  IMSI_len + id_type(9) + IMSI
+			enc_iccid(p['iccid']) +				# 10b  ICCID
+			enc_imsi(p['imsi']) +				#  9b  IMSI_len + id_type(9) + IMSI
 			p['ki'] +							# 16b  Ki
 			lpad(p['smsp'], 80)					# 40b  SMSP (padded with ff if needed)
 		)
@@ -253,6 +245,7 @@ class FakeMagicSim(Card):
 		for i in range(0, rec_cnt):
 			self._scc.update_record('000c', 1+i, entry)
 
+
 class GrcardSim(Card):
 	"""
 	Greencard (grcard.cn) HZCOS GSM SIM
@@ -271,19 +264,23 @@ class GrcardSim(Card):
 		#self._scc.verify_chv(4, h2b("4444444444444444"))
 
 		# Authenticate using ADM PIN 5
-		self._scc.verify_chv(5, h2b("4444444444444444"))
+		if p['pin_adm']:
+			pin = p['pin_adm']
+		else:
+			pin = h2b("4444444444444444")
+		self._scc.verify_chv(5, pin)
 
 		# EF.ICCID
 		r = self._scc.select_file(['3f00', '2fe2'])
-		data, sw = self._scc.update_binary('2fe2', self._e_iccid(p['iccid']))
+		data, sw = self._scc.update_binary('2fe2', enc_iccid(p['iccid']))
 
 		# EF.IMSI
 		r = self._scc.select_file(['3f00', '7f20', '6f07'])
-		data, sw = self._scc.update_binary('6f07', self._e_imsi(p['imsi']))
+		data, sw = self._scc.update_binary('6f07', enc_imsi(p['imsi']))
 
 		# EF.ACC
-		#r = self._scc.select_file(['3f00', '7f20', '6f78'])
-		#self._scc.update_binary('6f78', self._e_imsi(p['imsi'])
+		if p.get('acc') is not None:
+			data, sw = self._scc.update_binary('6f78', lpad(p['acc'], 4))
 
 		# EF.SMSP
 		r = self._scc.select_file(['3f00', '7f10', '6f42'])
@@ -296,7 +293,7 @@ class GrcardSim(Card):
 		# EF.HPLMN
 		r = self._scc.select_file(['3f00', '7f20', '6f30'])
 		size = int(r[-1][4:8], 16)
-		hplmn = self._e_plmn(p['mcc'], p['mnc'])
+		hplmn = enc_plmn(p['mcc'], p['mnc'])
 		self._scc.update_binary('6f30', hplmn + 'ff' * (size-3))
 
 		# EF.SPN (Service Provider Name)
@@ -317,7 +314,6 @@ class SysmoSIMgr1(GrcardSim):
 	"""
 	name = 'sysmosim-gr1'
 
-	# In order for autodetection ...
 
 class SysmoUSIMgr1(Card):
 	"""
@@ -338,14 +334,141 @@ class SysmoUSIMgr1(Card):
 
 		# TODO: move into SimCardCommands
 		par = ( p['ki'] +			# 16b  K
-			p['opc'] +			# 32b  OPC
-			self._e_iccid(p['iccid']) +	# 10b  ICCID
-			self._e_imsi(p['imsi'])		#  9b  IMSI_len + id_type(9) + IMSI
+			p['opc'] +				# 32b  OPC
+			enc_iccid(p['iccid']) +	# 10b  ICCID
+			enc_imsi(p['imsi'])		#  9b  IMSI_len + id_type(9) + IMSI
 			)
 		data, sw = self._scc._tp.send_apdu_checksw("0099000033" + par)
 
 	def erase(self):
 		return
 
+
+class SysmoSIMgr2(Card):
+	"""
+	sysmocom sysmoSIM-GR2
+	"""
+
+	name = 'sysmoSIM-GR2'
+
+	@classmethod
+	def autodetect(kls, scc):
+		# TODO: look for ATR 3B 7D 94 00 00 55 55 53 0A 74 86 93 0B 24 7C 4D 54 68
+		return None
+
+	def program(self, p):
+
+		# select MF 
+		r = self._scc.select_file(['3f00'])
+		
+		# authenticate as SUPER ADM using default key
+		self._scc.verify_chv(0x0b, h2b("3838383838383838"))
+
+		# set ADM pin using proprietary command
+		# INS: D4
+		# P1: 3A for PIN, 3B for PUK
+		# P2: CHV number, as in VERIFY CHV for PIN, and as in UNBLOCK CHV for PUK
+		# P3: 08, CHV length (curiously the PUK is also 08 length, instead of 10)
+		if p['pin_adm']:
+			pin = p['pin_adm']
+		else:
+			pin = h2b("4444444444444444")
+
+		pdu = 'A0D43A0508' + b2h(pin)
+		data, sw = self._scc._tp.send_apdu(pdu)
+		
+		# authenticate as ADM (enough to write file, and can set PINs)
+
+		self._scc.verify_chv(0x05, pin)
+
+		# write EF.ICCID
+		data, sw = self._scc.update_binary('2fe2', enc_iccid(p['iccid']))
+
+		# select DF_GSM
+		r = self._scc.select_file(['7f20'])
+		
+		# write EF.IMSI
+		data, sw = self._scc.update_binary('6f07', enc_imsi(p['imsi']))
+
+		# write EF.ACC
+		if p.get('acc') is not None:
+			data, sw = self._scc.update_binary('6f78', lpad(p['acc'], 4))
+
+		# get size and write EF.HPLMN
+		r = self._scc.select_file(['6f30'])
+		size = int(r[-1][4:8], 16)
+		hplmn = enc_plmn(p['mcc'], p['mnc'])
+		self._scc.update_binary('6f30', hplmn + 'ff' * (size-3))
+
+		# set COMP128 version 0 in proprietary file
+		data, sw = self._scc.update_binary('0001', '001000')
+
+		# set Ki in proprietary file
+		data, sw = self._scc.update_binary('0001', p['ki'], 3)
+
+		# select DF_TELECOM
+		r = self._scc.select_file(['3f00', '7f10'])
+		
+		# write EF.SMSP
+		data, sw = self._scc.update_record('6f42', 1, lpad(p['smsp'], 80))
+
+	def erase(self):
+		return
+
+class SysmoUSIMSJS1(Card):
+	"""
+	sysmocom sysmoUSIM-SJS1
+	"""
+
+	name = 'sysmoUSIM-SJS1'
+
+	def __init__(self, ssc):
+		super(SysmoUSIMSJS1, self).__init__(ssc)
+		self._scc.cla_byte = "00"
+
+	@classmethod
+	def autodetect(kls, scc):
+		# TODO: look for ATR 3B 9F 96 80 1F C7 80 31 A0 73 BE 21 13 67 43 20 07 18 00 00 01 A5
+		return None
+
+	def program(self, p):
+
+
+		# select MF
+		r = self._scc.select_file(['3f00'])
+
+		# select DF_GSM
+		r = self._scc.select_file(['7f20'])
+
+		# authenticate as ADM using default key (written on the card..)
+		if not p['pin_adm']:
+			raise ValueError("Please provide a PIN-ADM as there is no default one")
+
+		self._scc.verify_chv(0x0A, h2b(p['pin_adm']))
+
+
+		# set Ki in proprietary file
+		data, sw = self._scc.update_binary('00FF', p['ki'])
+
+		# set Ki in proprietary file
+		content = "01" + p['opc']
+		data, sw = self._scc.update_binary('00F7', content)
+
+		# write EF.IMSI
+		data, sw = self._scc.update_binary('6f07', enc_imsi(p['imsi']))
+
+		# write EF.AUTH
+		content = "0101"
+		r = self._scc.select_file(['7FCC', '6f00'])
+		data, sw = self._scc.update_binary('6f00', content)
+
+
+
+	def erase(self):
+		return
+
+
+
+	# In order for autodetection ...
 _cards_classes = [ FakeMagicSim, SuperSim, MagicSim, GrcardSim,
-		   SysmoSIMgr1, SysmoUSIMgr1 ]
+		   SysmoSIMgr1, SysmoSIMgr2, SysmoUSIMgr1, SysmoUSIMSJS1 ]

pySim/commands.py

@@ -28,11 +28,20 @@ from pySim.utils import rpad, b2h
 class SimCardCommands(object):
 	def __init__(self, transport):
 		self._tp = transport;
+		self._cla_byte = "a0"
+
+	@property
+	def cla_byte(self):
+		return self._cla_byte
+	@cla_byte.setter
+	def cla_byte(self, value):
+		self._cla_byte = value
+
 
 	def select_file(self, dir_list):
 		rv = []
 		for i in dir_list:
-			data, sw = self._tp.send_apdu_checksw("a0a4000002" + i)
+			data, sw = self._tp.send_apdu_checksw(self.cla_byte + "a4000C02" + i)
 			rv.append(data)
 		return rv
 
@@ -42,14 +51,14 @@ class SimCardCommands(object):
 		r = self.select_file(ef)
 		if length is None:
 			length = int(r[-1][4:8], 16) - offset
-		pdu = 'a0b0%04x%02x' % (offset, (min(256, length) & 0xff))
+		pdu = self.cla_byte + 'b0%04x%02x' % (offset, (min(256, length) & 0xff))
 		return self._tp.send_apdu(pdu)
 
 	def update_binary(self, ef, data, offset=0):
 		if not hasattr(type(ef), '__iter__'):
 			ef = [ef]
 		self.select_file(ef)
-		pdu = 'a0d6%04x%02x' % (offset, len(data)/2) + data
+		pdu = self.cla_byte + 'd6%04x%02x' % (offset, len(data)/2) + data
 		return self._tp.send_apdu_checksw(pdu)
 
 	def read_record(self, ef, rec_no):
@@ -57,7 +66,7 @@ class SimCardCommands(object):
 			ef = [ef]
 		r = self.select_file(ef)
 		rec_length = int(r[-1][28:30], 16)
-		pdu = 'a0b2%02x04%02x' % (rec_no, rec_length)
+		pdu = self.cla_byte + 'b2%02x04%02x' % (rec_no, rec_length)
 		return self._tp.send_apdu(pdu)
 
 	def update_record(self, ef, rec_no, data, force_len=False):
@@ -70,7 +79,7 @@ class SimCardCommands(object):
 				raise ValueError('Invalid data length (expected %d, got %d)' % (rec_length, len(data)/2))
 		else:
 			rec_length = len(data)/2
-		pdu = ('a0dc%02x04%02x' % (rec_no, rec_length)) + data
+		pdu = (self.cla_byte + 'dc%02x04%02x' % (rec_no, rec_length)) + data
 		return self._tp.send_apdu_checksw(pdu)
 
 	def record_size(self, ef):
@@ -85,11 +94,11 @@ class SimCardCommands(object):
 		if len(rand) != 32:
 			raise ValueError('Invalid rand')
 		self.select_file(['3f00', '7f20'])
-		return self._tp.send_apdu('a088000010' + rand)
+		return self._tp.send_apdu(self.cla_byte + '88000010' + rand)
 
 	def reset_card(self):
 		return self._tp.reset_card()
 
 	def verify_chv(self, chv_no, code):
 		fc = rpad(b2h(code), 16)
-		return self._tp.send_apdu_checksw('a02000' + ('%02x' % chv_no) + '08' + fc)
+		return self._tp.send_apdu_checksw(self.cla_byte + '2000' + ('%02X' % chv_no) + '08' + fc)

pySim/utils.py

@@ -42,3 +42,34 @@ def rpad(s, l, c='f'):
 
 def lpad(s, l, c='f'):
 	return c * (l - len(s)) + s
+
+def enc_imsi(imsi):
+	"""Converts a string imsi into the value of the EF"""
+	l = (len(imsi) + 1) // 2	# Required bytes
+	oe = len(imsi) & 1			# Odd (1) / Even (0)
+	ei = '%02x' % l + swap_nibbles(lpad('%01x%s' % ((oe<<3)|1, imsi), 16))
+	return ei
+
+def dec_imsi(ef):
+	"""Converts an EF value to the imsi string representation"""
+	if len(ef) < 4:
+		return None
+	l = int(ef[0:2]) * 2			# Length of the IMSI string
+	swapped = swap_nibbles(ef[2:])
+	oe = (int(swapped[0])>>3) & 1	# Odd (1) / Even (0)
+	if oe:
+		l = l-1
+	if l+1 > len(swapped):
+		return None
+	imsi = swapped[1:l+2]
+	return imsi
+
+def dec_iccid(ef):
+	return swap_nibbles(ef).strip('f')
+
+def enc_iccid(iccid):
+	return swap_nibbles(rpad(iccid, 20))
+
+def enc_plmn(mcc, mnc):
+	"""Converts integer MCC/MNC into 6 bytes for EF"""
+	return swap_nibbles(lpad('%d' % mcc, 3) + lpad('%d' % mnc, 3))