Hello esteemed masters of Osmocom,
(asking here because Harald's proposed osmocom-simcard list hasn't been created yet)
I have some questions and experience-based corrections related to the gold nuggets contained in this wiki page:
https://osmocom.org/projects/cellular-infrastructure/wiki/GrcardSIM2
First let me establish relevance: even though Sysmocom stopped selling these GR2 cards ages ago and it looks like the wider Osmocom community also stopped playing with them once sysmoUSIM-SJS1 came out, these same GrcardSIM2 cards are still available from Grcard in the present day. A week and a half ago I received 5 sample cards (plain white, no printing, unprogrammed) from Grcard that return the same ATR as is listed for sysmoSIM-GR2, and all of the card-model-specific proprietary commands described on the above wiki page work exactly the same on these cards as they once worked on sysmoSIM-GR2. I am now in the process of ordering a batch of 200 of these cards from Grcard, with my own custom printing applied (so they will look pretty, not plain white and not black like sysmoISIM-SJA2) - essentially I am bringing back an exact equivalent of the discontinued sysmoSIM-GR2.
With relevance thus established, let's move on technical questions:
* The wiki page describes a file named EF.WEKI, file ID 0001 under DF.GSM. Whoever wrote this wiki page, how did you get this fancy name EF.WEKI? Was there some kind of document from Grcard that described this card-model-specific proprietary file? Does that document still exist somewhere? Can there be some way for mere mortals like me to see that document?
* The wiki page describes byte 3 of EF.WEKI as selecting COMP128 algorithm version. It lists 0 as selecting COMP128v1 and 1 as selecting COMP128v2, and these two codes are correct - confirmed by programming these codes, doing a RUN GSM ALGO command, and comparing returned SRES and Kc against osmo-auc-gen. However, the page lists 3 as selecting COMP128v3, and this part is not correct - writing 3 in there results in COMP128v2 being selected, just like code 1. Instead I need to write 2 into the lower nibble of this byte in order to get COMP128v3 SRES and Kc in response to RUN GSM ALGO.
* The COMP128 selection code is just the lower nibble of byte 3 of EF.WEKI - the upper nibble is something else that currently eludes my understanding. The wiki page instructs users to write 0 into the upper nibble, and so does pySim-prog - yet in the initial "unprogrammed" state of the cards I received from Grcard, this upper nibble is set to 2, not 0. I could not see any observable difference in card behaviour whether the upper nibble is set to 0 or 2 - either way the lower nibble selects COMP128 version for RUN GSM ALGO operations.
* The wiki page gives the impression that EF.WEKI is 19 bytes long in total. However, the actual size of this transparent EF on the card is 35 bytes, i.e., there is another 16-byte field (some other key?) after Ki. Of the people who were once privileged with proper official documentation for these cards, might anyone be able to tell what this other key is for? Could it perhaps be some kind of key for OTA?
Before someone tells me that I should direct these questions to Grcard, given that I am buying cards from them, let me assure everyone that yes, of course I am doing everything I can to pry this information out of them. However, they seem to have the same attitude as most Chinese companies where they just want you to buy their product and not ask any technical questions, and whatever answers they do give are so terse that they feel like non-answers. But there is also the undeniable fact that once upon a time these cards were resold by Sysmocom, once upon a time this Osmocom community right here worked with these cards, and someone in this community (or on Sysmocom staff) must have gotten enough documentation to write the wiki page and pySim-prog support for them. Thus I feel at least somewhat justified in asking this community for help with bringing back this lost knowledge.
On a happier note, my fc-pcsc-tools suite (fc-simtool and its limited-function companion fc-uicc-tool) is advancing quite a bit in functionality. I don't know how it compares to pysim-shell since I gave up trying to get the latter to run under Slackware (just too many difficult dependencies), but from what I read in mailing list posts, pysim-shell seems to be rather UICC-centric - I couldn't tell if it is supposed to work on non-UICC GSM 11.11 protocol cards or not. In contrast, my fc-simtool (written in C, zero dependencies beyond libpcsclite) speaks the classic GSM 11.11 SIM protocol and does everything that is possible within this protocol, including innovative hacks like brute force search of the file ID space. This tool should be ideal for cards like GrcardSIM2 which are non-UICC and for which the classic GSM 11.11 SIM protocol is native. The companion utility fc-uicc-tool for the UICC protocol is quite minimal in functionality, just enough to satisfy the few areas of curiosity I had in relation to that protocol and the cards I have around that speak it. These new C-language SIM tools live here:
https://www.freecalypso.org/hg/fc-pcsc-tools/
The code is 100% my own original work and there is a LICENSE file at the top of the repository declaring it as public domain, so there should be no problem with Free Software status of the work.
In hacking fellowship, Mother Mychaela
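An added example, not code from this thread, from pySim or from fc-simtool: a small Python decoder/patcher for the EF.WEKI image that uses the corrected lower-nibble codes reported in the message above and preserves the upper nibble and the extra 16-byte field. It assumes Ki occupies bytes 4-19 (1-based), which follows from the 19-byte figure on the wiki page; the 2-byte header and all sample values are constructed.

```python
# Added example; not from the thread, pySim or fc-simtool.
# EF.WEKI layout assumed here (byte numbers 1-based as in the thread):
#   bytes 1-2  : unknown header
#   byte  3    : upper nibble unknown (2 on fresh stock, 0 per wiki),
#                lower nibble = COMP128 selector
#   bytes 4-19 : Ki (16 bytes)   <- offset is an assumption from "19 bytes"
#   bytes 20-35: unknown 16-byte trailer reported on real cards
from typing import Optional

WEKI_LEN_WIKI = 19   # length implied by the wiki page
WEKI_LEN_CARD = 35   # actual transparent EF size seen on the cards
ALG_OFFSET = 2       # 0-based offset of "byte 3"
KI_OFFSET = 3        # 0-based offset of Ki (assumption)

# Lower-nibble codes confirmed against osmo-auc-gen in the thread.
# The wiki's "3 = COMP128v3" is deliberately absent: the card treats 3 like 1.
VERSION_TO_CODE = {1: 0x0, 2: 0x1, 3: 0x2}
CODE_TO_VERSION = {code: ver for ver, code in VERSION_TO_CODE.items()}


def decode_weki(image: bytes) -> dict:
    """Split a 19- or 35-byte EF.WEKI image into its fields."""
    if len(image) not in (WEKI_LEN_WIKI, WEKI_LEN_CARD):
        raise ValueError(f"unexpected EF.WEKI length {len(image)}")
    alg = image[ALG_OFFSET]
    return {
        "header": image[:ALG_OFFSET],
        "upper_nibble": alg >> 4,
        "comp128_version": CODE_TO_VERSION.get(alg & 0x0F),  # None = unknown code
        "ki": image[KI_OFFSET:KI_OFFSET + 16],
        "trailer": image[KI_OFFSET + 16:],                   # b"" for 19-byte image
    }


def patch_weki(image: bytes, version: int, ki: Optional[bytes] = None) -> bytes:
    """Return a copy of image with the COMP128 selector (and optionally Ki)
    replaced; the upper nibble and the unknown trailer are left untouched."""
    if version not in VERSION_TO_CODE:
        raise ValueError("COMP128 version must be 1, 2 or 3")
    decode_weki(image)  # reuse the length check
    buf = bytearray(image)
    buf[ALG_OFFSET] = (buf[ALG_OFFSET] & 0xF0) | VERSION_TO_CODE[version]
    if ki is not None:
        if len(ki) != 16:
            raise ValueError("Ki must be 16 bytes")
        buf[KI_OFFSET:KI_OFFSET + 16] = ki
    return bytes(buf)
```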
Hi Mychaela,
On Mon, Mar 08, 2021 at 12:00:06AM -0800, Mychaela Falconia wrote:
> - The wiki page describes a file named EF.WEKI, file ID 0001 under
>   DF.GSM. Whoever wrote this wiki page, how did you get this fancy name EF.WEKI? Was there some kind of document from Grcard that described this card-model-specific proprietary file? Does that document still exist somewhere? Can there be some way for mere mortals like me to see that document?
AFAICT there never was any documentation from GRcard, everything had to be reverse engineered from their proprietary windows programming software.
When they at some point started to ship cards with pre-installed SIM toolkit applets that we never ordered, sysmocom ceased all contact with that supplier.
> But there is also the undeniable fact that once upon a time these cards were resold by Sysmocom, once upon a time this Osmocom community right here worked with these cards, and someone in this community (or on Sysmocom staff) must have gotten enough documentation to write the wiki page and pySim-prog support for them.
See above. I'm not aware of anyone getting actual documentation.
Hi Harald,
> AFAICT there never was any documentation from GRcard, everything had to be reverse engineered from their proprietary windows programming software.
Aha, so instead of docs you got their proprietary sw. I never got the latter, but then I never asked them for it, as I was using the Osmocom wiki page and pySim code as my starting-point sources of knowledge. Now I need to ask Grcard for a copy of the same Winblows sw they gave you, so I can play with it, see what settings it allows to be programmed, and then see what it actually writes to the card. A couple of questions regarding this Grcard programming sw:
* Do you know if WinXP is good enough for it, or if it needs something newer? I have an air-gapped WinXP machine which I set up a couple of years ago for similar purpose of knowledge extraction from proprietary sw - in that case the proprietary sw was TI CCS and the knowledge to be extracted was Calypso JTAG.
* Does their sw work with USB CCID readers, or does it require a Phoenix-style serial reader instead? In either case, what drivers or other extra gunk does it require besides a bare Windows installation and Grcard sw itself?
> When they at some point started to ship cards with pre-installed SIM toolkit applets that we never ordered, sysmocom ceased all contact with that supplier.
Ouch! How did you discover the presence of those pre-installed STK applets, i.e., what was the visible symptom? Were the cards telling phones to add STK menus? So far I have tried inserting one of the sample cards I got into Mot C139 and Pirelli DP-L10 phones, both running their respective original firmwares, and on neither phone did I see anything STK-originating added to their menu structure. I have not yet tried inserting one of these cards into a board running UI-enabled FreeCalypso fw - I have tested a card in an FCDEV3B and proved it working (AT command modem), but I haven't tried the UI-enabled version yet.
M~
Hi Mychaela,
On Mon, Mar 08, 2021 at 07:11:38AM -0800, Mychaela Falconia wrote:
> - Do you know if WinXP is good enough for it, or if it needs something
>   newer?
I don't recall anything about it. But given that this was 2012, I'd assume XP would be sufficient.
> - Does their sw work with USB CCID readers, or does it require a
>   Phoenix-style serial reader instead?
No clue. It was a long time ago.
> Ouch! How did you discover the presence of those pre-installed STK applets,
We noticed some Chinese-language pop-up message showing up on the display.
Hi Harald,
> I don't recall anything about it. But given that this was 2012, I'd assume XP would be sufficient.
Thank you for the encouragement. I just found a copy of GRSIMWrite version 3.10 on the Internet (to those whom I emailed off-list asking for a copy, that request can now be scratched :), so I will try running it on that WinXP machine.
> We noticed some Chinese-language pop-up message showing up on the display.
Hmm, such visual observation seems to be only possible with a phone handset whose fw includes a Chinese font (how can a device display something in Chinese if it has no font for it), and AFAIK none of the Western-market classic GSM dumbphones I play with support Chinese characters. It looks like I will need to invest in a SIMtrace setup (hardware + learning curve) in order to truly confirm for sure what these cards do and don't do in terms of STK. Adding to my long to-do list.
Now the big question in need of answering - just *why* am I messing with these Grcard SIMs instead of embracing the latest offerings from Sysmocom like the rest of this community? Two reasons:
1) As a general principle, I feel severe displeasure whenever something (anything really) that was available in the recent past gets discontinued and taken away. It is a well-known trait in human psychology, called loss aversion. Thus I see good moral value in bringing a discontinued product back from the grave just for its own sake, regardless of how poor that product may actually be.
2) Cost: this Grcard deal seems to be the only way to get programmable SIM cards in 2FF-only cut with a GSM-only file system (no USIM/ISIM) at an affordable price (a few hundred USD for 100 to 200 cards), without spending 3-4 kUSD on an MOQ-based custom order from The Premier Vendor. Spending 3-4 kUSD just on the SIM cards alone, on top of all other costs like BTS hardware and everything else, is simply not justifiable unless there is absolutely no other way.
So I am trudging along...
M~
Argh, now I know where I knew those cards from... GRSIMWrite 3.10, and the cheap Chinese cards. So I really had them, just not with Osmocom-label.
I searched all places for the Osmocom cards, and the China cards just were in a box to my left.
Ralph.
-----Original Message-----
From: OpenBSC [mailto:openbsc-bounces@lists.osmocom.org] On Behalf Of Mychaela Falconia
Sent: Monday, March 8, 2021 9:00 AM
To: openbsc openbsc@lists.osmocom.org
Subject: Bringing back GrcardSIM2