Tool to (re)configure the sysmoUSIM and sysmoISIM cards
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

457 lines
17 KiB

# -*- coding: UTF-8 -*-
"""
card: Library adapted to request (U)SIM cards and other types of telco cards.
Copyright (C) 2010 Benoit Michau
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""
#################################
# Python library to work on
# SIM card
# communication based on ISO7816 card
#
# needs pyscard from:
# http://pyscard.sourceforge.net/
#################################
from card.ICC import ISO7816
from card.FS import SIM_FS, MF_FS
from card.utils import *
SIM_service_table = {
1 : "CHV1 disable function",
2 : "Abbreviated Dialling Numbers (ADN)",
3 : "Fixed Dialling Numbers (FDN)",
4 : "Short Message Storage (SMS)",
5 : "Advice of Charge (AoC)",
6 : "Capability Configuration Parameters (CCP)",
7 : "PLMN selector",
8 : "RFU",
9 : "MSISDN",
10 : "Extension1",
11 : "Extension2",
12 : "SMS Parameters",
13 : "Last Number Dialled (LND)",
14 : "Cell Broadcast Message Identifier",
15 : "Group Identifier Level 1",
16 : "Group Identifier Level 2",
17 : "Service Provider Name",
18 : "Service Dialling Numbers (SDN)",
19 : "Extension3",
20 : "RFU",
21 : "VGCS Group Identifier List (EFVGCS and EFVGCSS)",
22 : "VBS Group Identifier List (EFVBS and EFVBSS)",
23 : "enhanced Multi-Level Precedence and Pre-emption Service",
24 : "Automatic Answer for eMLPP",
25 : "Data download via SMS-CB",
26 : "Data download via SMS-PP",
27 : "Menu selection",
28 : "Call control",
29 : "Proactive SIM",
30 : "Cell Broadcast Message Identifier Ranges",
31 : "Barred Dialling Numbers (BDN)",
32 : "Extension4",
33 : "De-personalization Control Keys",
34 : "Co-operative Network List",
35 : "Short Message Status Reports",
36 : "Network's indication of alerting in the MS ",
37 : "Mobile Originated Short Message control by SIM ",
38 : "GPRS",
39 : "Image (IMG)",
40 : "SoLSA (Support of Local Service Area)",
41 : "USSD string data object supported in Call Control",
42 : "RUN AT COMMAND command",
43 : "User controlled PLMN Selector with Access Technology",
44 : "Operator controlled PLMN Selector with Access Technology",
45 : "HPLMN Selector with Access Technology",
46 : "CPBCCH Information",
47 : "Investigation Scan",
48 : "Extended Capability Configuration Parameters",
49 : "MExE",
50 : "RPLMN last used Access Technology",
51 : "PLMN Network Name",
52 : "Operator PLMN List",
53 : "Mailbox Dialling Numbers ",
54 : "Message Waiting Indication Status",
55 : "Call Forwarding Indication Status",
56 : "Service Provider Display Information",
}
class SIM(ISO7816):
"""
define attributes, methods and facilities for ETSI / 3GPP SIM card
check SIM specifications in ETSI TS 102.221 and 3GPP TS 51.011
inherit methods and objects from ISO7816 class
use self.dbg = 1 or more to print live debugging information
"""
def __init__(self, atr = None):
"""
initialize like an ISO7816-4 card with CLA=0xA0
can also be used for USIM working in SIM mode,
"""
ISO7816.__init__(self, atr, CLA=0xA0)
if self.dbg >= 2:
log(3, '(SIM.__init__) type definition: %s' % type(self))
log(3, '(SIM.__init__) CLA definition: %s' % hex(self.CLA))
@staticmethod
def sw_status(sw1, sw2):
"""
sw_status(sw1=int, sw2=int) -> string
extends SW status bytes interpretation from ISO7816
with ETSI / 3GPP SW codes
helps to speak with the smartcard!
"""
status = ISO7816.sw_status(sw1, sw2)
if sw1 == 0x91: status = 'normal processing, with extra info ' \
'containing a command for the terminal: length of the ' \
'response data %d' % sw2
elif sw1 == 0x9E: status = 'normal processing, SIM data download ' \
'error: length of the response data %d' % sw2
elif sw1 == 0x9F: status = 'normal processing: length of the ' \
'response data %d' % sw2
elif (sw1, sw2) == (0x93, 0x00): status = 'SIM application toolkit ' \
'busy, command cannot be executed at present'
elif sw1 == 0x92 :
status = 'memory management'
if sw2 < 16: status += ': command successful but after %d '\
'retry routine' % sw2
elif sw2 == 0x40: status += ': memory problem'
elif sw1 == 0x94:
status = 'referencing management'
if sw2 == 0x00: status += ': no EF selected'
elif sw2 == 0x02: status += ': out of range (invalid address)'
elif sw2 == 0x04: status += ': file ID or pattern not found'
elif sw2 == 0x08: status += ': file inconsistent with the command'
elif sw1 == 0x98:
status = 'security management'
if sw2 == 0x02: status += ': no CHV initialized'
elif sw2 == 0x04: status += ': access condition not fulfilled, ' \
'at least 1 attempt left'
elif sw2 == 0x08: status += ': in contradiction with CHV status'
elif sw2 == 0x10: status += ': in contradiction with ' \
'invalidation status'
elif sw2 == 0x40: status += ': unsuccessful CHV verification, ' \
'no attempt left'
elif sw2 == 0x50: status += ': increase cannot be performed, ' \
'max value reached'
elif sw2 == 0x62: status += ': authentication error, ' \
'application specific'
elif sw2 == 0x63: status += ': security session expired'
return status
def verify_pin(self, pin='', pin_type=1):
"""
verify CHV1 (PIN code) or CHV2 with VERIFY APDU command
call ISO7816 VERIFY method
"""
if pin_type in [1, 2] and type(pin) is str and \
len(pin) == 4 and 0 <= int(pin) < 10000:
PIN = [ord(i) for i in pin] + [0xFF, 0xFF, 0xFF, 0xFF]
self.coms.push( self.VERIFY(P2=pin_type, Data=PIN) )
else:
if self.dbg:
log(2, '(verify_pin) bad input parameters')
def disable_pin(self, pin='', pin_type=1):
"""
disable CHV1 (PIN code) or CHV2 with DISABLE_CHV APDU command
TIP: do it as soon as you can when you are working
with a SIM / USIM card for which you know the PIN!
call ISO7816 DISABLE method
"""
if pin_type in [1, 2] and type(pin) is str and \
len(pin) == 4 and 0 <= int(pin) < 10000:
PIN = [ord(i) for i in pin] + [0xFF, 0xFF, 0xFF, 0xFF]
self.coms.push( self.DISABLE_CHV(P2=pin_type, Data=PIN) )
else:
if self.dbg:
log(2, '(disable_pin) bad input parameters')
def enable_pin(self, pin='', pin_type=1):
"""
enable CHV1 (PIN code) or CHV2 with ENABLE_CHV APDU command
call ISO7816 ENABLE method
"""
if pin_type in [1, 2] and type(pin) is str and \
len(pin) == 4 and 0 <= int(pin) < 10000:
PIN = [ord(i) for i in pin] + [0xFF, 0xFF, 0xFF, 0xFF]
self.coms.push( self.ENABLE_CHV(P2=pin_type, Data=PIN) )
else:
if self.dbg:
log(2, '(enable_pin) bad input parameters')
def unblock_pin(self, pin_type=1, unblock_pin=''):
"""
WARNING: not correctly implemented!!!
and PUK are in general 8 nums...
TODO: make it correctly!
APDU Tx de-activated
unblock CHV1 (PIN code) or CHV2 with UNBLOCK_CHV APDU command
and set 0000 value for new PIN
call ISO7816 UNBLOCK_CHV method
"""
log(1, '(unblock_pin) not implemented: aborting')
return
#if pin_type == 1:
# pin_type = 0
if pin_type in [0, 2] and type(unblock_pin) is str and \
len(unblock_pin) == 4 and 0 <= int(unblock_pin) < 10000:
UNBL_PIN = [ord(i) for i in unblock_pin] + [0xFF, 0xFF, 0xFF, 0xFF]
#self.coms.push( self.UNBLOCK_CHV(P2=pin_type, Lc=0x10, \
# Data=UNBL_PIN + \
# [0x30, 0x30, 0x30, 0x30, 0xFF, 0xFF, 0xFF, 0xFF]) )
else:
if self.dbg:
log(2, '(unblock_pin) bad input parameters')
#return self.UNBLOCK_CHV(P2=pin_type)
def parse_file(self, Data=[]):
"""
parse_file(Data=[0x12, 0x34, 0x56, 0x89]) -> dict(file)
parses a list of bytes returned when selecting a file
interprets the content of some informative bytes for right accesses,
type / format of file... see TS 51.011
works over the SIM file structure
"""
fil = {}
fil['Size'] = Data[2]*0x100 + Data[3]
fil['File Identifier'] = Data[4:6]
fil['Type'] = ('RFU', 'MF', 'DF', '', 'EF')[Data[6]]
fil['Length'] = Data[12]
if fil['Type'] == 'MF' or fil['Type'] == 'DF':
fil['DF_num'] = Data[14]
fil['EF_num'] = Data[15]
fil['codes_num'] = Data[16]
fil['CHV1'] = ('not initialized','initialized')\
[Data[18] >> 7]\
+ ': %d attempts remain' % (Data[18] & 0x0F)
fil['unblock_CHV1'] = ('not initialized','initialized')\
[Data[19] >> 7]\
+ ': %d attempts remain' % (Data[19] & 0x0F)
fil['CHV2'] = ('not initialized','initialized')\
[Data[20] >> 7]\
+ ': %d attempts remain' % (Data[20] & 0x0F)
fil['unblock_CHV2'] = ('not initialized','initialized')\
[Data[21] >> 7]\
+ ': %d attempts remain' % (Data[21] & 0x0F)
if len(Data) > 23:
fil['Adm'] = Data[23:]
elif fil['Type'] == 'EF':
cond = ('ALW', 'CHV1', 'CHV2', 'RFU', 'ADM_4', 'ADM_5',
'ADM_6', 'ADM_7', 'ADM_8', 'ADM_9', 'ADM_A',
'ADM_B', 'ADM_C', 'ADM_D', 'ADM_E', 'NEW')
fil['UPDATE'] = cond[Data[8] & 0x0F]
fil['READ'] = cond[Data[8] >> 4]
fil['INCREASE'] = cond[Data[9] >> 4]
fil['INVALIDATE'] = cond[Data[10] & 0x0F]
fil['REHABILITATE'] = cond[Data[10] >> 4]
fil['Status'] = ('not read/updatable when invalidated',
'read/updatable when invalidated')\
[byteToBit(Data[11])[5]] \
+ (': invalidated',': not invalidated')\
[byteToBit(Data[11])[7]]
fil['Structure'] = ('transparent', 'linear fixed', '', 'cyclic')\
[Data[13]]
if fil['Structure'] == 'cyclic':
fil['INCREASE'] = byteToBit(Data[7])[1]
if len(Data) > 14:
fil['Record Length'] = Data[14]
return fil
def run_gsm_alg(self, RAND=16*[0x00]):
"""
self.run_gsm_alg( RAND ) -> ( SRES, Kc )
RAND : list of bytes, length 16
SRES : list of bytes, length 4
Kc : list of bytes, length 8
runs GSM authentication algorithm:
accepts any kind of RAND (old GSM fashion)
feed with RAND 16 bytes value
returns a list with SRES and Kc, or None on error
"""
if len(RAND) != 16:
if self.dbg:
log(1, '(run_gsm_alg) bad RAND value: aborting')
return None
# select DF_GSM directory
self.select([0x7F, 0x20])
if self.coms()[2] != (0x90, 0x00):
if self.dbg >= 2:
log(3, '(run_gsm_alg) %s' % self.coms())
return None
# run authentication
self.coms.push(self.INTERNAL_AUTHENTICATE(P1=0x00, P2=0x00, Data=RAND))
if self.coms()[2][0] != 0x9F:
if self.dbg >= 2:
log(3, '(run_gsm_alg) %s' % self.coms())
return None
# get authentication response
self.coms.push(self.GET_RESPONSE(Le=self.coms()[2][1]))
if self.coms()[2] != (0x90, 0x00):
if self.dbg >= 2:
log(3, '(run_gsm_alg) %s' % self.coms())
return None
SRES, Kc = self.coms()[3][0:4], self.coms()[3][4:]
return [ SRES, Kc ]
def get_imsi(self):
"""
self.get_imsi() -> string(IMSI)
reads IMSI value at address [0x6F, 0x07]
returns IMSI string on success or None on error
"""
# select DF_GSM for SIM card
self.select([0x7F, 0x20])
if self.coms()[2] != (0x90, 0x00):
if self.dbg >= 2:
log(3, '(get_imsi) %s' % self.coms())
return None
# select IMSI file
imsi = self.select([0x6F, 0x07])
if self.coms()[2] != (0x90, 0x00):
if self.dbg >= 2:
log(3, '(get_imsi) %s' % self.coms())
return None
# and parse the received data into the IMSI structure
if 'Data' in imsi.keys() and len(imsi['Data']) == 9:
return decode_BCD(imsi['Data'])[3:]
# if issue with the content of the DF_IMSI file
if self.dbg >= 2:
log(3, '(get_imsi) %s' % self.coms())
return None
def get_services(self):
"""
self.get_services() -> None
reads SIM Service Table at address [0x6F, 0x38]
returns list of services allowed / activated
"""
# select DF_GSM for SIM card
self.select([0x7F, 0x20])
if self.coms()[2] != (0x90, 0x00):
if self.dbg >= 2:
log(3, '(get_services) %s' % self.coms())
return None
# select SST file
sst = self.select([0x6F, 0x38])
if self.coms()[2] != (0x90, 0x00):
if self.dbg >= 2:
log(3, '(get_services) %s' % self.coms())
return None
# parse data and prints corresponding services
if 'Data' in sst.keys() and len(sst['Data']) >= 2:
return self.get_services_from_sst(sst['Data'])
def read_services(self):
"""
self.read_services() -> None
reads SIM Service Table at address [0x6F, 0x38]
prints services allowed / activated
returns None
"""
serv = self.get_services()
for s in serv:
print(s)
def get_services_from_sst(self, sst=[0, 0]):
services = []
cnt = 0
for B in sst:
# 2 bits per service -> 4 services per byte
for i in range(0, 7, 2):
cnt += 1
if B & 2**i:
info = 'allocated'
if B & (2**i+1):
info += ' | activated'
if cnt in SIM_service_table:
services.append('%i : %s : %s' \
% (cnt, SIM_service_table[cnt], info))
else:
services.append('%i : %s' % (cnt, info))
return services
def explore_fs(self, filename='sim_fs', depth=True, emul=False):
"""
self.explore_fs(self, filename='sim_fs') -> void
filename: file to write in information found
depth: depth in recursivity, True=infinite
brute force all file addresses from MF recursively
(until no more DF are found)
write information on existing DF and file in the output file
"""
simfs_entries = MF_FS.keys()
if not emul:
self.explore_DF([], None, depth)
fd = open(filename, 'w')
fd.write('\n### MF ###\n')
f = self.select()
write_dict(f, fd)
fd.write('\n')
#
for f in self.FS:
path = tuple(f['Absolut Path'])
if path in simfs_entries:
f['Name'] = MF_FS[path]
write_dict(f, fd)
fd.write('\n')
fd.close()
def get_ICCID(self):
# select MF
self.select([0x3F, 0x0])
if self.coms()[2] != (0x90, 0x00):
if self.dbg >= 2:
log(3, '(get_ICCID) %s' % self.coms())
return None
# select IMSI file
iccid = self.select([0x2F, 0xE2])
if self.coms()[2] != (0x90, 0x00):
if self.dbg >= 2:
log(3, '(get_ICCID) %s' % self.coms())
return None
# and parse the received data into the IMSI structure
if 'Data' in iccid.keys() and len(iccid['Data']) >= 10:
return decode_BCD(iccid['Data'])
# if issue with the content of the ICCID file
if self.dbg >= 2:
log(3, '(get_ICCID) %s' % self.coms())
return None