Sim ToolKit and Cloning

[ginomi]

How can I put a SIM ToolKit Apps in a cloned Sim?
I need to write my own sim simulator, or there is a way to do it without start from beginning?

tnx,

ginomi
www.napoliservice.com/sl45i

[Alf]

Versions of emulated sim cards (in silver) with SIM ATK already exist. Source is not available though

[ginomi]

tnx Alf,
now I'm studing the dejan simulator for silver card with MPLAB.
Do you know how work the main reading/writing routine which interact with the phone?

ginomi
www.napoliservice.com/sl45i

[epilog]

Quote:

Originally posted by Alf
Versions of emulated sim cards (in silver) with SIM ATK already exist. Source is not available though

Alf it seen that someone, Ok I know who...Cheers for him..., had done the silvercard with SAT. To bad I'm away right now of this scene because a lot can be done with a sim this days... With the university and my robot just don't have time for this...

B/R for all...
Epilog

[Programmer]

Ginomi,

I have implemented SIM Toolkit menu to my version of GSM SIM emulator. Although the source code is not available, I am ready to answer your questions... Go ahead...

[ginomi]

Ok Programmer, are you sure?
I have a lot of questions...
I'm working on the dejan simulator for silver card:
I write the 'SETUP_MENU' pdu just first of the MAIN loop; what do you think, it will work?
Where can i put the operation of reading a PDU from phone?
The first byte i will send/receive is the first byte of the STK pdu of I need to encapsulate it?

tnx!!!!

ginomi

[Programmer]

Yes I am. But don't expect too much, I don't know everything.
Did you study GSM / 3GPP TS 11.14? Phone does communicate with SIM card (Phase 2+ or later) in accordance with this documentation.
Look at the example below (perhaps it's not too long... your e-mail address is not available so I could not mail you directly but maybe it could be interesting for somebody else as well). I hope that you can understand how it works. The best tool for SIM Toolkit tests is ASIM4 (improved to support additional commands of course). There should be also possible to put SIM Toolkit commands to some new phones via cable (I saw simple example for Siemens device in some topic on this server but I did not test it).


ATR: 3B 17 11 95 01 01 00 00 41 B3
A0 A4 00 00 02 SELECT FILE: A4 7F20 (Sel. address(GSM 900)) 9F 16
A0 F2 00 00 16 STATUS: F2 00 00 00 C0 7F 20 02 00 00 FF FF 01 0E 9B 00 10 06 00 83 8A 83 8A 90 00
A0 A4 00 00 02 SELECT FILE: A4 6FAE (Phase ID) 9F 0F
A0 B0 00 00 01 READ BINARY 6FAE: B0 03 90 00
A0 A4 00 00 02 SELECT FILE: A4 3F00 (Sel. address) 9F 0F
A0 A4 00 00 02 SELECT FILE: A4 2F05 (???) NOT FOUND 94 04
A0 A4 00 00 02 SELECT FILE: A4 7F20 (Sel. address(GSM 900)) 9F 16
A0 A4 00 00 02 SELECT FILE: A4 6F05 (Language) 9F 0F
A0 C0 00 00 0E GET RESPONSE(0E): C0 00 00 00 07 6F 05 04 00 01 FF FF 01 02 00 90 00
A0 B0 00 00 07 READ BINARY 6F05: B0 FF FF FF FF FF FF FF 90 00

A0 A4 00 00 02 SELECT FILE: A4 6FAE (Phase ID) 9F 0F
A0 B0 00 00 01 READ BINARY 6FAE: B0 03 90 00
A0 10 00 00 04 TERMINAL PROFILE(04): 10 1F 81 FF F7 91 76

A0 A4 00 00 02 SELECT FILE: A4 6F38 (SIM service table) 9F 0F
A0 C0 00 00 0E GET RESPONSE(0E): C0 00 00 00 04 6F 38 04 00 1A FF FF 01 02 00 91 76
A0 B0 00 00 04 READ BINARY 6F38: B0 FF 3F FF 0F 91 76

A0 A4 00 00 02 SELECT FILE: A4 2FF2 (???) NOT FOUND 94 04
A0 A4 00 00 02 SELECT FILE: A4 3F00 (Sel. address) 9F 0F
A0 A4 00 00 02 SELECT FILE: A4 2FE6 (???) NOT FOUND 94 04
A0 A4 00 00 02 SELECT FILE: A4 7F20 (Sel. address(GSM 900)) 9F 16
A0 A4 00 00 02 SELECT FILE: A4 6F07 (IMSI) 9F 0F
A0 C0 00 00 0E GET RESPONSE(0E): C0 00 00 00 09 6F 07 04 00 1A FF 1A 01 02 00 91 76
A0 A4 00 00 02 SELECT FILE: A4 6F7E (Location Info) 9F 0F
A0 C0 00 00 0E GET RESPONSE(0E): C0 00 00 00 0B 6F 7E 04 00 11 FF 1A 01 02 00 91 76
A0 A4 00 00 02 SELECT FILE: A4 7F10 (Sel. address(TELECOM)) 9F 16
A0 A4 00 00 02 SELECT FILE: A4 6F3A (Abreviated Dialing Number) 9F 0F
A0 C0 00 00 0F GET RESPONSE(0F): C0 00 00 0A F0 6F 3A 04 00 11 FF 22 01 02 01 1C 91 76
A0 A4 00 00 02 SELECT FILE: A4 6F3B (Fixed Dialing Number) 9F 0F
A0 C0 00 00 0F GET RESPONSE(0F): C0 00 00 04 60 6F 3B 04 00 12 FF FF 01 02 01 1C 91 76
A0 A4 00 00 02 SELECT FILE: A4 6F4B (Extension 2) 9F 0F
A0 C0 00 00 0F GET RESPONSE(0F): C0 00 00 00 27 6F 4B 04 00 12 FF FF 01 02 01 0D 91 76
...
...
...
...
A0 A4 00 00 02 SELECT FILE: A4 7F10 (Sel. address(TELECOM)) 9F 16
A0 A4 00 00 02 SELECT FILE: A4 6F3C (SMS) 9F 0F
A0 C0 00 00 0F GET RESPONSE(0F): C0 00 00 06 E0 6F 3C 04 00 11 FF FF 01 02 01 B0 91 76
A0 A4 00 00 02 SELECT FILE: A4 6F40 (MSISDN) 9F 0F
A0 C0 00 00 0F GET RESPONSE(0F): C0 00 00 00 54 6F 40 04 00 11 FF FF 01 02 01 1C 91 76
A0 B2 01 04 1C READ RECORD [6F40] 01(1): B2 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 91 76
A0 B2 02 04 1C READ RECORD [6F40] 02(2): B2 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 91 76
A0 A4 00 00 02 SELECT FILE: A4 6F3C (SMS) 9F 0F
A0 B2 01 04 B0 READ RECORD [6F3C] 01(1): B2 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 91 76
A0 A4 00 00 02 SELECT FILE: A4 6F44 (Last Dialing Number) 9F 0F
A0 B2 01 04 1C READ RECORD [6F44] 01(1): B2 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 91 76


A0 12 00 00 76 FETCH(76): 12 D0 74 81 03 01 25 80 82 02 81 82 85 09 49 6E 66 6F 20 45 61 73 79 8F 07 01 5A 70 72 61 76 79 8F 06 02 53 70 6F 72 74 8F 07 03 5A 61 62 61 76 61 8F 0B 04 50 72 6F 67 72 61 6D 20 54 56 8F 07 05 45 2D 6D 61 69 6C 8F 04 06 46 61 78 8F 0A 07 43 65 73 74 6F 76 61 6E 69 8F 07 08 53 76 61 74 65 6B 8F 09 09 52 65 6A 73 74 72 69 6B 8F 08 0A 42 65 6E 65 66 69 74 90 00

A0 A4 00 00 02 SELECT FILE: A4 6F3C (SMS) 9F 0F
A0 B2 02 04 B0 READ RECORD [6F3C] 02(2): B2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00
A0 A4 00 00 02 SELECT FILE: A4 6F44 (Last Dialing Number) 9F 0F
A0 B2 02 04 1C READ RECORD [6F44] 02(2): B2 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 90 00

A0 14 00 00 0D TERMINAL RESPONSE(0D): 14 81 03 01 25 80 82 02 82 81 83 02 00 FF 90 00

A0 A4 00 00 02 SELECT FILE: A4 6F3C (SMS) 9F 0F
A0 B2 03 04 B0 READ RECORD [6F3C] 03(3): B2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00
A0 A4 00 00 02 SELECT FILE: A4 6F44 (Last Dialing Number) 9F 0F
A0 B2 03 04 1C READ RECORD [6F44] 03(3): B2 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 90 00

...
...
...

; Menu selection: Item 1:
A0 C2 00 00 09 ENVELOPE(09): C2 D3 07 02 02 01 81 90 01 01 91 18
A0 12 00 00 18 FETCH(18): 12 D0 16 81 03 07 23 01 82 02 81 82 8D 07 04 4D 65 6E 61 20 3F 11 02 03 03 90 00
A0 14 00 00 0F TERMINAL RESPONSE(0F): 14 81 03 07 23 01 82 02 82 81 83 02 11 FF 8D 00 90 00

; Menu selection: Item 2:

A0 C2 00 00 09 ENVELOPE(09): C2 D3 07 02 02 01 81 90 01 02 91 19
A0 12 00 00 19 FETCH(19): 12 D0 17 81 03 08 23 01 82 02 81 82 8D 08 04 42 61 6E 6B 61 20 3F 11 02 00 04 90 00
A0 14 00 00 0F TERMINAL RESPONSE(0F): 14 81 03 08 23 01 82 02 82 81 83 02 11 FF 8D 00 90 00

[ginomi]

I studied ETSI Ts 11.14 (a very bad standard), I've already developed a sample app using a Siemens AT command via infrared. Now I want a working prototype!!!!

So, I understood with your code a lot of things (tnx!!), like how to framing STK pdu into apdu, using FETCH and ENVELOPE.

Now my doubt is where I can put the first operation of FETCH to inform the ME about the menu. I think I have to set some bits somewhere prior to do this... maybe.

I put the call to my write_menu routine first of the main loop, like that:

.......
;================================================
;STK_menu
call STK_menu

;================================================

main call wait

movlf r7,5
movlf fsr,cla
call read__data ;get cla,ins,p1,p2,p3

call wait
........

also I put a reading operation in the CASE-like block of the main routine:

.................
xorlw 0ch ;cmp ins,24h ; change pin
je change_pin
;--------------------------------------

xorlw 14h ;cmp ins,14h ; terminal response
je term_resp

;--------------------------------------
jmp bad_ins
..............

What do you think about my solution? I'm going to test in areal card...
tnx very much!!!

PS my email is [email protected]

ginomi

[Programmer]

Well, you must change the strategy regarding to SIM Toolkit communication a bit.. Please read the documentation again and more carefully

The point is that you have to wait until PHONE itself raises the FETCH instruction. Everything is visible in the log above. Short review - what's going on after SIM initialization:
- phone checks if the SIM card is Phase 2+ or later and also if the SIM Toolkit menu is enabled (dependent on phone) - if not, no STK command shall be sent to card at all
- otherwise the phone shall generate the TERMINAL_PROFILE instruction so SIM could check the phone capabilities and to prepare correct STK Menu
- SIM then indicates that there are some data waiting for transfer to phone (by 91xx response instead of 90 00 where xx is data package length). SIM must wait (continue to perform other commands) until the phone can pick up data by FETCH instruction so you may not send the SIM Toolkit data to phone whenever you like. If there are no data to send to phone, the OK response is switched back to 90 00. Communication via infrared can work quite differently of course...
Is it more clear now? What kind of application do you plan to integrate to SIM clone?

[ginomi]

You are big!!!! tnx!!!
I understood!!!! (I hope...)

So, I wait the TERMINAL_PROFILE;
Now I can inform the ME there is data to send using the response 91
Now I MUST wait the ME FETCH request to send data...

...It's not very simple to implement... I will try and I will tell you.

Ah!! I'm developing a location system for my thesys; it already work with AT command, I hope to make a prototype...


tnx!

ginomi

[ginomi]

@Programmer:

Wow!!! It work!!!

tnx

ginomi

[Programmer]

@Ginomi: I am glad I could help

[jj008]

IS THERE ANY DOCUMENTATION ON SIM CLONING PLS.

ALSO WHAT SOFTWARE DO I NEED.

MANY THANKS. I HAVE DONE A FEW SEARCHES BUT HAVE NOT FOUND ANYTHING. I ALSO BELIEVE I NEED A SILVER

[Ahui]

i have use the AT Command on my siemens S35i, but it give the answer like this :
AT^SSTK=?
^SSTK: 7FFFFFFF7F0000CF02
what does it mean?
and how can I write something into my phone,such as a new menu just like the STK Menu?

[guyve]

is there an updated asim program written in pascal that supports instructions like: Envelop, Tprofile, Tresponse, fetch ???
If so I am interested to have it, just let me know your conditions

guyve