Category archive: sim

Implementing auto-start for softsim on Android

<receiver android:name="im.softs.softsim.receiver.SimStateChangeReceiver">
    <intent-filter>
        <action android:name="android.intent.action.SIM_STATE_CHANGED"/>
    </intent-filter>
</receiver>

<!-- BOOT_COMPLETED is only delivered to apps holding this permission; it goes under <manifest>, outside <application> -->
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>

<receiver android:name=".SoftSIMControlLaunch">
    <intent-filter android:priority="100">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter>
    <intent-filter android:priority="100">
        <action android:name="android.intent.action.SIM_STATE_CHANGED"/>
    </intent-filter>
</receiver>

EF MAXPRL (Maximum PRL)


Bytes 1-2  MAX_PR_LIST_SIZE of EF PRL
Bytes 3-4  MAX_PR_LIST_SIZE of EF EPRL (optional; if EPRL is absent this field shall also be absent)

SIM response to SELECT of DF/MF/EF

3GPP TS 11.11 version 8.14.0 Release 1999 / ETSI TS 100 977 V8.14.0 (2007-06)
Page 41: Response parameters/data in case of an MF or DF

Similar to the FCP (File Control Parameters) with tag 0x62 on a USIM card

1-2      RFU (reserved for future use)
3-4      Amount of free memory under the selected directory
5-6      File ID
7        File type: 01 = MF, 02 = DF
8-12     RFU
13       Length of the optional part (from byte 14 to the end)
14       File characteristics:
          b1  b3  b4
           1   0   0   clock stop allowed, no preferred level
           1   1   0   clock stop allowed, high level preferred
           1   0   1   clock stop allowed, low level preferred
           0   0   0   clock stop not allowed

         For time-consuming commands such as authentication the clock is required: with b2=0 the clock must be at least 13/8 MHz, with b2=1 at least 13/4 MHz

         b8 indicates whether CHV is enabled

15       Number of DFs directly under the current directory (not counting second-level DFs)
16       Number of EFs under the current directory
17       Number of secret codes (CHV, Unblock CHV, ADM, etc.)
18       RFU
19       CHV1 status
20       Unblock CHV1 status
21       CHV2 status
22       Unblock CHV2 status
23       RFU
24-34    Reserved for administrative management

A typical SIM card answers SELECT with 9F17, i.e. a response length of 23 bytes

A0A40000027F20   
9F17

But the MediaTek baseband expects this response to contain only 0x16 (22) bytes,

because the specification states explicitly:

Bytes 1 – 22 are mandatory and shall be returned by the SIM. Bytes 23 and following are optional and may not be
returned by the SIM.

The first 22 bytes must be returned by the SIM.
Byte 23 onwards is optional.

EF response (Response parameters/data in case of an EF)

1-2    RFU
3-4    File size (for a transparent file simply the whole size; for a record file also the total size: record length × number of records)
5-6    File ID
7      File type: 04 = EF
8      RFU
9      Access conditions (0=ALW, 1=CHV1, 2=CHV2, 3=RFU, 4=ADM … E=ADM, F=NEVER): high nibble = READ/SEEK, low nibble = UPDATE
10     Access conditions: high nibble = INCREASE, low nibble reserved
11     High nibble = REHABILITATE, low nibble = INVALIDATE
12     File status: 01 = valid
13     Length of the following fields
14     File structure: 00 = transparent, 01 = linear fixed, 02 = RFU, 03 = cyclic
15     Record length (for record files, the size of one record); 0 for non-record files

Bytes 1-14 are mandatory and shall be returned by the SIM.
The first 14 bytes are required for every file.
For a record file, byte 15 is also mandatory.

Example:
DF_GSM:
0000 RFU
0000 free memory
7F20 file ID
02     type: DF
0000000000 RFU
09   length of the optional part
93 SIM characteristics
00 number of child DFs
18 number of child EFs
06 number of secret codes
00   RFU
83 CHV1 status
8A Unblock CHV1 status
83 CHV2 status
8A Unblock CHV2 status
—————————
MF:
0000 RFU
0000 free memory
3F00 file ID
01   type: MF
0000000000 RFU
09   length of the optional part
93   SIM characteristics
04 number of child DFs
08  number of child EFs
06  number of secret codes
00   RFU
83 CHV1 status
8A Unblock CHV1 status
83 CHV2 status
8A Unblock CHV2 status
—————————
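To make the two layouts concrete, here is a parser for both SELECT response formats described above. This is an added example, not code from the original post. The field offsets, the byte-14 bit meanings and the ALW/CHV1/CHV2/ADM/NEVER nibble table are taken from the page; the coding of the CHV status bytes (b8 = secret code initialised, b1-b4 = false presentations remaining) is the editor's reading of TS 11.11 and is an assumption, as is the constructed EF response used as sample input. The DF parser accepts any length of 22 bytes or more, so both the 9F17 (23-byte) answer of most cards and the 22-byte minimum the MediaTek baseband expects are handled.

```python
# Parser for the TS 11.11 9.2.1 SELECT responses (MF/DF and EF layouts).
# Added example; not the page's own code.

ACCESS = {0x0: "ALW", 0x1: "CHV1", 0x2: "CHV2", 0x3: "RFU", 0xF: "NEVER"}


def _access(nibble: int) -> str:
    return ACCESS.get(nibble, "ADM")            # 4..E = ADM, per the page's table


def _clock_stop(ch: int) -> str:
    # byte 14: b1 = clock stop allowed, b3/b4 = preferred level
    b1, b3, b4 = ch & 1, (ch >> 2) & 1, (ch >> 3) & 1
    table = {(1, 0, 0): "allowed, no preferred level",
             (1, 1, 0): "allowed, high level preferred",
             (1, 0, 1): "allowed, low level preferred",
             (0, 0, 0): "not allowed"}
    return table.get((b1, b3, b4), "RFU combination")


def _chv_status(b: int) -> dict:
    # assumption (TS 11.11 bytes 19-22): b8 = code initialised, b1-b4 = attempts left
    return {"initialised": bool(b & 0x80), "attempts_left": b & 0x0F}


def parse_select_df(resp: bytes) -> dict:
    """MF/DF response. Bytes 1-22 are mandatory, byte 23 onwards optional,
    so any length >= 22 is accepted and trailing bytes are ignored."""
    if len(resp) < 22:
        raise ValueError(f"MF/DF response needs >= 22 bytes, got {len(resp)}")
    ch = resp[13]                                # byte 14: file characteristics
    return {
        "free_space": int.from_bytes(resp[2:4], "big"),
        "file_id": resp[4:6].hex().upper(),
        "file_type": {0x01: "MF", 0x02: "DF"}.get(resp[6], f"unknown({resp[6]:02X})"),
        "optional_len": resp[12],
        "clock_stop": _clock_stop(ch),
        "auth_min_clock": "13/4 MHz" if ch & 0x02 else "13/8 MHz",  # b2, as stated on the page
        "chv_b8": bool(ch & 0x80),               # page: b8 flags the CHV enabled state
        "num_df": resp[14],
        "num_ef": resp[15],
        "num_codes": resp[16],
        "chv1": _chv_status(resp[18]),
        "unblock_chv1": _chv_status(resp[19]),
        "chv2": _chv_status(resp[20]),
        "unblock_chv2": _chv_status(resp[21]),
    }


def parse_select_ef(resp: bytes) -> dict:
    """EF response. Bytes 1-14 are mandatory; byte 15 (record length)
    is mandatory only for record-based files."""
    if len(resp) < 14:
        raise ValueError(f"EF response needs >= 14 bytes, got {len(resp)}")
    structure = {0x00: "transparent", 0x01: "linear fixed", 0x03: "cyclic"}.get(resp[13], "RFU")
    if structure != "transparent" and len(resp) < 15:
        raise ValueError("record-based EF must return byte 15 (record length)")
    return {
        "file_size": int.from_bytes(resp[2:4], "big"),
        "file_id": resp[4:6].hex().upper(),
        "file_type": "EF" if resp[6] == 0x04 else f"unknown({resp[6]:02X})",
        "access": {
            "read_seek": _access(resp[8] >> 4),
            "update": _access(resp[8] & 0xF),
            "increase": _access(resp[9] >> 4),
            "rehabilitate": _access(resp[10] >> 4),
            "invalidate": _access(resp[10] & 0xF),
        },
        "valid": bool(resp[11] & 0x01),          # byte 12: 01 = valid
        "structure": structure,
        "record_len": resp[14] if len(resp) > 14 else 0,
    }


# The page's DF_GSM and MF dumps (22 bytes each) ...
DF_GSM_RESP = "000000007F20020000000000099300180600838A838A"
MF_RESP = "000000003F00010000000000099304080600838A838A"
# ... and one constructed EF response: 9-byte transparent file 6F07,
# READ=CHV1 / UPDATE=ADM, INCREASE=ALW, REHABILITATE=CHV1 / INVALIDATE=ADM.
EF_RESP = "000000096F0704001A001A01020000"

if __name__ == "__main__":
    for name, hexdata in (("DF_GSM", DF_GSM_RESP), ("MF", MF_RESP)):
        print(name, parse_select_df(bytes.fromhex(hexdata)))
    print("EF", parse_select_ef(bytes.fromhex(EF_RESP)))
```

Running it against the page's DF_GSM dump gives 0x93 = clock stop allowed with no preferred level, b2 set (13/4 MHz per the table above), 24 child EFs, 6 secret codes, and CHV1 with 3 attempts remaining versus 10 for Unblock CHV1.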

USIM card in a handset accessing a 2G network

or a USIM card used in a 2G handset accessing a 3G network

Deriving SRES (2G handset response) from XRES (3G USIM response)

Reference: 3GPP TS 33.102 version 14.1.0 Release 14, i.e. ETSI TS 133 102 V14.1.0 (2017-03)

Interoperation and handover between UMTS and GSM

RAND[GSM] = RAND
SRES[GSM] = XRES*1 xor XRES*2 xor XRES*3 xor XRES*4
Kc[GSM]   = CK1 xor CK2 xor IK1 xor IK2

Here XRES* is XRES zero-padded to 16 bytes and split into four 4-byte parts XRES*1..XRES*4; CK1/CK2 and IK1/IK2 are the two 8-byte halves of CK and IK.

Rewritten in Java

    // Conversion function c3: Kc = CK1 xor CK2 xor IK1 xor IK2 (8-byte halves of CK and IK)
    public static byte[] genKc(byte[] ck, byte[] ik) {
        byte[] kc = new byte[8];
        for (int i = 0; i < 8; i++) {
            kc[i] = (byte) (ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8]);
        }
        return kc;
    }

    // Conversion function c2: SRES = XRES*1 xor XRES*2 xor XRES*3 xor XRES*4,
    // where XRES* is XRES (4..16 bytes) zero-padded to 16 bytes
    public static byte[] genSRES(byte[] xres) {
        byte[] padded = new byte[16];               // zero-filled by default
        System.arraycopy(xres, 0, padded, 0, Math.min(xres.length, 16));
        byte[] sres = new byte[4];
        for (int i = 0; i < 4; i++) {
            sres[i] = (byte) (padded[i] ^ padded[i + 4] ^ padded[i + 8] ^ padded[i + 12]);
        }
        return sres;
    }

Python version

import logging


def _log(msg):
    logging.warning(msg)


def xor_string(a, b):
    # byte-wise XOR of two equal-length byte strings
    return bytes(x ^ y for x, y in zip(a, b))


# Kc (2G handset ciphering key) from CK / IK (3G USIM keys), conversion function c3
def conv_C3(CK=16*b'\x00', IK=16*b'\x00'):
    if len(CK) != 16 or len(IK) != 16:
        _log('Your CK / IK are not the right length [16]')
        return
    return xor_string(xor_string(xor_string(CK[0:8], CK[8:16]),
                                 IK[0:8]),
                      IK[8:16])


# SRES (2G handset response) from XRES (3G USIM response), conversion function c2
def conv_C2(XRES=16*b'\x00'):
    # adapt XRES length: zero-pad to 16 bytes (XRES*), truncate if longer
    len_xres = len(XRES)
    if len_xres < 4:
        _log('Your XRES is damned too short [<4]')
        return
    elif 4 <= len_xres < 16:
        XRES += (16-len_xres)*b'\x00'
    elif len_xres > 16:
        XRES = XRES[:16]
    # xor the 4 parts of 4 bytes each: SRES = XRES*1 ^ XRES*2 ^ XRES*3 ^ XRES*4
    return xor_string(xor_string(xor_string(XRES[:4], XRES[4:8]),
                                 XRES[8:12]),
                      XRES[12:16])

Online SIM-card analysis tools

APDU analysis
https://www.javacardos.com/tools/apdu-parser.html

ATR analysis and synthesis
https://www.javacardos.com/tools/atr.html

Java Card Development Kit
https://javacardos.com/download/developmentkit/jckit.zip

JCKit_JAVACOS_Beta_2.0.6.2
http://javacardos.com/download/developmentkit/JCKit_JAVACOS_Beta_2.0.6.2.zip

HPLMN selector with Access Technology

EF_HPLMNwAcT (HPLMN selector with Access Technology)
File identifier: '6F62'
Short file identifier (SFI): '13'
File size: 5n (n ≥ 1)

Coding: same as EF_PLMNwAcT (User controlled PLMN selector with Access Technology)

China Unicom

64F010400064F090400064F010800064F0908000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000

China Mobile
64F000400064F000800064F0000080

China Telecom
FFFFFFFFFFFFFFFFFFFF

Analysis:
64F000 4000 China Mobile, E-UTRAN in WB-S1 mode and NB-S1 mode
64F000 8000 E-UTRAN not selected, UTRAN selected
64F000 0080 (0000 0000 / 1000 0000) GSM and EC-GSM-IoT

64F010 4000
64F090 4000
64F010 8000
64F090 8000
FFFFFF 0000
FFFFFF 0000
FFFFFF 0000
FFFFFF 0000

                  E-UTRAN  UTRAN cdma2k1xRTT cdma2kHRPD gsmCompact gsm
64F000 4000         v
64F000 8000                  v
64F000 0080                                                         v

Equivalent HPLMN

EF_EHPLMN (Equivalent HPLMN)
File identifier: 6FD9
Short file identifier: 1D
File size: 3n (n>=1)

Equivalent Home PLMN

When a China Mobile subscriber whose IMSI starts with 46000 registers on the 460 02 network and no Equivalent HPLMN is configured, the phone shows roaming.

China Telecom 64F01164F030FFFFFFFFFFFF (equivalent networks: 460 11 and 460 03)
China Mobile 64F00064F07064F02064F080 (equivalent networks: 460 00, 460 07, 460 02, 460 08)
China Unicom 64F010FFFFFFFFFFFFFFFFFF (equivalent network: 460 01)
Unicom also has an IoT network code, 460 06
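The HPLMNwAcT/OPLMNwAcT records above and the EHPLMN records share the same 3-byte BCD PLMN coding, so one decoder serves both sections. The following is an added example, not code from the original post: it decodes MCC/MNC from the swapped-nibble BCD, maps the two Access Technology bytes to the radio access technologies named in the page's table, and skips unused 'FFFFFF' records. The bit positions (byte 1: b8 UTRAN, b7 E-UTRAN; byte 2: b8 GSM, b7 GSM COMPACT, b6 cdma2000 HRPD, b5 cdma2000 1xRTT) are the editor's reading of TS 31.102 and match the three China Mobile records analysed above; the sample inputs are the page's own dumps plus one constructed 3-digit-MNC record.

```python
# Decoders for EF_HPLMNwAcT / EF_OPLMNwAcT / EF_PLMNwAcT (5-byte records)
# and EF_EHPLMN (3-byte records). Added example; not the page's own code.
from typing import List, Tuple

# (byte index within the 2-byte AcT field, bit mask, name); order follows the
# page's table: E-UTRAN, UTRAN, cdma2000 1xRTT, cdma2000 HRPD, GSM COMPACT, GSM.
# Assumption: bit assignments as read from TS 31.102 by the editor.
ACT_BITS = (
    (0, 0x40, "E-UTRAN"),
    (0, 0x80, "UTRAN"),
    (1, 0x10, "cdma2000 1xRTT"),
    (1, 0x20, "cdma2000 HRPD"),
    (1, 0x40, "GSM COMPACT"),
    (1, 0x80, "GSM"),            # the page notes this bit also covers EC-GSM-IoT
)

UNUSED_PLMN = b"\xff\xff\xff"


def decode_plmn(b: bytes) -> Tuple[str, str]:
    """3-byte BCD PLMN -> (MCC, MNC). Nibble layout: MCC2 MCC1 | MNC3 MCC3 | MNC2 MNC1;
    MNC3 == 0xF means a 2-digit MNC."""
    if len(b) != 3:
        raise ValueError("PLMN must be 3 bytes")
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}"
    mnc3 = b[1] >> 4
    if mnc3 != 0xF:
        mnc += f"{mnc3:X}"
    return mcc, mnc


def decode_act(act: bytes) -> List[str]:
    """2-byte Access Technology Identifier -> list of RAT names."""
    return [name for idx, mask, name in ACT_BITS if act[idx] & mask]


def parse_plmn_wact(hex_str: str) -> List[Tuple[str, str, List[str]]]:
    """EF_xPLMNwAcT: 5n bytes, each record = 3-byte PLMN + 2-byte AcT."""
    raw = bytes.fromhex(hex_str)
    if len(raw) % 5:
        raise ValueError("xPLMNwAcT records are 5 bytes each")
    out = []
    for i in range(0, len(raw), 5):
        rec = raw[i:i + 5]
        if rec[:3] == UNUSED_PLMN:            # empty slot
            continue
        mcc, mnc = decode_plmn(rec[:3])
        out.append((mcc, mnc, decode_act(rec[3:5])))
    return out


def parse_ehplmn(hex_str: str) -> List[Tuple[str, str]]:
    """EF_EHPLMN: 3n bytes, one PLMN per record, 'FFFFFF' = unused."""
    raw = bytes.fromhex(hex_str)
    if len(raw) % 3:
        raise ValueError("EHPLMN records are 3 bytes each")
    return [decode_plmn(raw[i:i + 3]) for i in range(0, len(raw), 3)
            if raw[i:i + 3] != UNUSED_PLMN]


# Dumps quoted on the page
CHINA_MOBILE_HPLMN = "64F000400064F000800064F0000080"
CHINA_UNICOM_HPLMN = "64F010400064F090400064F010800064F0908000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000"
CHINA_MOBILE_OPLMN = ("64F000400064F000800064F000008054F421400054F421800054F4210080"
                      "14F040400014F040800014F0400080FFFFFF0000FFFFFF0000FFFFFF0000")
CHINA_MOBILE_EHPLMN = "64F00064F07064F02064F080"

if __name__ == "__main__":
    for mcc, mnc, rats in parse_plmn_wact(CHINA_MOBILE_OPLMN):
        print(f"{mcc}-{mnc}: {', '.join(rats)}")
    print("EHPLMN:", parse_ehplmn(CHINA_MOBILE_EHPLMN))
```

On the China Mobile OPLMNwAcT dump this yields 460-00, 454-12 (Hong Kong) and 410-04 (Pakistan), each listed three times for E-UTRAN, UTRAN and GSM, with the three trailing 'FFFFFF0000' slots dropped.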

EF_LI and EF_PL

EF_PL (3F00/2F05) Preferred languages
China Mobile FFFFFFFFFFFFFFFF
China Unicom FFFFFFFF
China Telecom FFFFFFFF

EF_LI (7FF0/6F05 or 7F20/6F05)
China Mobile FFFFFFFFFFFFFFFF
China Unicom 7A68656E
China Telecom FFFFFFFFFFFFFFFF

PL and LI are coded according to ISO 639 (1988): "Code for the representation of names of languages".

China Unicom's value decodes to "zhen", i.e. Chinese and English

Full USIM initialisation procedure

After the UICC is activated, the ME selects a USIM application.
If EF_DIR does not exist, or EF_DIR contains no USIM application, the ME should try to select the GSM application (the card may be reset).

1) The ME requests the emergency call codes (ECC), see TS 22.101
2) The ME requests the Language Indication.
The preferred language should always be taken from EF_LI rather than from EF_PL under the MF, except in the following cases:
1>> If the value in the highest-priority position of EF_LI is 'FFFF', the preferred language should be taken from EF_PL under the MF (following the procedure defined in TS 31.101)
2>> The ME does not support the language coding indicated in EF_LI, or EF_LI does not exist.
3>> If none of the languages in EF_LI and EF_PL is supported by the ME, the terminal should use its own internal default.
3) The ME runs the user verification procedure. If verification fails, USIM initialisation stops.
4) The ME performs the Administrative Information request (i.e. reads EF_AD)
5) The ME performs the USIM Service Table request
6) The ME performs the Enabled Service Table request
7) If FDN is enabled, an ME that does not support FDN should allow emergency calls but not MO calls or MO-SMS
8) If BDN is enabled, an ME that does not support Call Control should allow emergency calls but not MO calls
9) If ACL is enabled, an ME that does not support ACL should not send any APN to the network
10) If all of the above procedures complete successfully, a 3G session should start; otherwise the 3G session should not start
11) If the ME and the USIM support the relevant services, the ME should perform the following procedures:
1>> IMSI request
2>> Access control information request (EF_ACC, Access Control Class; this file must be present)
3>> Higher Priority PLMN search period request (EF_HPPLMN; this file must be present)
4>> EHPLMN
5>> HPLMN selector with Access Technology
6>> User controlled PLMN selector with Access Technology
7>> Operator controlled PLMN selector with Access Technology
8>> GSM initialisation
9>> Location Information request for CS- and/or PS-mode and/or EPS
10>> Cipher key and integrity key request for CS- and/or PS-mode
11>> EPS NAS Security Context request for EPS
12>> Forbidden PLMN
13>> Initialisation value for hyperframe number
14>> Maximum value of START
15>> CBMID
16>> Depending on the services supported by the USIM and the ME, further EFs are read
After USIM initialisation has completed successfully and the ME is ready for the 3G session, it should send a specific STATUS command to the USIM to inform it of this
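The language-selection rule in step 2 above, together with the EF_LI / EF_PL coding from the earlier section, can be written out as a small decision function. This is an added example, not code from the original post: it decodes the 2-byte ISO 639 entries (dropping 'FFFF' slots) and applies the three exceptions in order. The page's China Unicom and China Mobile values are used as inputs; the ME's supported-language set, its internal default and the extra EF_LI value starting with 'FFFF' are constructed.

```python
# EF_LI / EF_PL decoding and the step-2 language selection rule.
# Added example; not the page's own code.
from typing import List, Optional, Set

UNUSED_ENTRY = b"\xff\xff"


def decode_language_list(hex_str: str) -> List[str]:
    """'7A68656E' -> ['zh', 'en']; 2-byte ISO 639 codes in priority order,
    unused 'FFFF' slots are dropped."""
    raw = bytes.fromhex(hex_str)
    if len(raw) % 2:
        raise ValueError("language entries are 2 bytes each")
    return [raw[i:i + 2].decode("ascii")
            for i in range(0, len(raw), 2)
            if raw[i:i + 2] != UNUSED_ENTRY]


def li_top_slot_unused(ef_li_hex: str) -> bool:
    """Exception 1>>: the highest-priority position of EF_LI is 'FFFF'."""
    return bytes.fromhex(ef_li_hex)[:2] == UNUSED_ENTRY


def select_language(ef_li_hex: Optional[str], ef_pl_hex: Optional[str],
                    me_supported: Set[str], me_default: str) -> str:
    """Return the language the ME should use.
    EF_LI wins unless: 1>> its top slot is FFFF, or 2>> EF_LI is absent or
    none of its languages is supported; then EF_PL is consulted; and 3>> if
    nothing in either file is supported, the ME's internal default is used."""
    li = decode_language_list(ef_li_hex) if ef_li_hex is not None else []
    use_pl = (
        ef_li_hex is None                          # 2>> EF_LI does not exist
        or li_top_slot_unused(ef_li_hex)           # 1>> top slot is FFFF
        or not any(c in me_supported for c in li)  # 2>> no supported LI language
    )
    if use_pl:
        candidates = decode_language_list(ef_pl_hex) if ef_pl_hex is not None else []
    else:
        candidates = li
    for code in candidates:                        # entries are in priority order
        if code in me_supported:
            return code
    return me_default                              # 3>> internal default


# Values quoted on the page
CHINA_UNICOM_LI = "7A68656E"          # "zhen"
CHINA_MOBILE_LI = "FFFFFFFFFFFFFFFF"
CHINA_MOBILE_PL = "FFFFFFFFFFFFFFFF"
# Constructed: EF_LI whose top slot is unused but which still lists 'zh'
LI_TOP_SLOT_UNUSED = "FFFF7A68"

if __name__ == "__main__":
    me_langs = {"en", "de"}                       # constructed ME capability
    print(decode_language_list(CHINA_UNICOM_LI))
    print(select_language(CHINA_UNICOM_LI, "FFFFFFFF", me_langs, "de"))
    print(select_language(CHINA_MOBILE_LI, CHINA_MOBILE_PL, me_langs, "de"))
```

With an ME that supports only English and German, the Unicom card yields "en" (the second EF_LI entry), while the China Mobile card, whose EF_LI and EF_PL are both empty, falls through to the ME's internal default.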

——————

GSM-related initialisation procedure

If GSM access is enabled, the corresponding service is available and enabled, and the ME also supports the GSM composite access technology, the following procedures are also performed:
1) Investigation Scan
2) CPBCCH information

Operator controlled PLMN selector with Access Technology

EF_OPLMNwAcT (Operator controlled PLMN selector with Access Technology)

File identifier: 6F61
SFI: '11'
File size: 5n (n>=8)

China Mobile: 64F000400064F000800064F000008054F421400054F421800054F421008014F040400014F040800014F0400080FFFFFF0000FFFFFF0000FFFFFF0000

China Mobile

64F0004000
64F0204000
64F0704000
64F0804000

64F0008000
64F0208000
64F0708000
64F0808000

64F000 0080
64F020 0080
64F070 0080
64F080 0080

China Telecom:
…
008092F304C08092F314808092F430008092F710C08092F730808033F010C0803304308080330420C0803308500080330881008043F002008043F08000804302060080430429008043064100804308718080430875008053F01000805300008000530211008053046800805308110080630011008063F49380806305480080630611808063F810808073F040008073F020808073F2308080730431008073F421008004F020008004F040808004F110008004F177008004F211008014F030008014F010008014F202008014F205808014F310C08014F330008014F410808014F530008014F610008014F677808014F802008014F803008014F804008014F92080
…
06F400008006F410808006F530008006F610008006F720808006F810008006F820008006F901008016F020008016F140008016F250008016F220008016F320008016F310808016F420008016F430008016F530008016F620008016F630008016F730008016F710C08016F810008016F870008016F910008026F020008026F010008026F106008026F103008026F210008026F310008026F320008026F420008026F410008026F510808026F520808026F610008026F730008026F710008026F830008026F820008026F910008036F010808036F020008036F120008036F220008036F301808036F541008036F610808036F810808036F920008036F930008046
…
30008037F810008047F010808047F000808047F420808047F410008047F630008047F870808047F801808057F000008009F172008009F121008009F191008009F141008009F1510080FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

China Unicom
…
FFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000FFFFFF0000

China Unicom
64F0 10 4000 (4G)
64F0 90 4000
64F0 10 8000 (3G)
64F0 90 8000