Ady Wicaksono Daily Activities

Sometime we need to disable a javacard applet inside the SIMCard without remove it.
Once disabled, later we may want to activate it again. Global Platform spec define
a way to do this.

Let say we have javacard application with AID A00000001840840000, to lock it simply
this command through GSM 03.48 envelope command to SIMcard:

80F0408309A00000001840840000

Meanwhile, once locked/disabled, simply send this GP command to enable it:

80F0400309A00000001840840000

Detail:
0x80: CLA
0xF0: INS for SET STATUS command
0x40: To indicate that this is a javacard applet application
0x83: Set to locked meanwhile 0x03: set to unlocked (state: SELECTABLE)
0x09: Length of AID to disabled/enabled is 9 bytes
A00000001840840000: this is the AID of applet

What is the thing sold by GSM Operator to subscriber?

The answer is: SIMCard, a smartcard that personalized for telecommunication purpose. Yes, as we know physically GSM operator sell a SIMCard,  the rest are services upon it including SMS, call service, MMS, Voice Mailbox  and many things.

The next question, since SIMcard will be hold by customer inside their mobile phone, how could GSM operator manage the SIMcard remotely?  Things like managing javacard applet & filesystem inside the SIMCard. The answer is by OTA (over the air) using SMS and or CAT-TP bearer (GPRS based), but we will focus on the one using SMS (short message protocol).

GSM 03.48 define RFM and also RAM as standard mechanism for doing remote file management (RFM) and remote applet management. We are now focus on RFM, please note the implementation for this feature is vendor specific.

OK, let me give an example as our case study, one day we as operator need to do OTA campaign for updating file EF_SMSP (7F10/6F42) since the address of SMSC is now changed. As we know, based on 3GPP TS 31.102 document, EF_SMSP contains SMSC information that will be used by mobile phone for sending mobile originated  (MO) SMS. For example the content of file EF_SMSP (7F10/6F42) is now

534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F1FFFFFFFF0000A9

You can refer to TS 31.102 document for the structure of EF_SMSP, but simply said the SMSC address defined here is: 85292040031. Now, operator want to change it to 85292040034 over the air.

So, technically we need to:
1. Prepare APDU for updating the file
2. Construct appropriate 03.48 + 03.40 APDU command
3. Send it over the air to customer

The result is, the file on customer SIMcard is updated silenty without user intervention.

---

Let us, go deeply with APDU for updating the file. Sequence for updating EF 7F10/6F42 record 1 from

534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F1FFFFFFFF0000A9

to

534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9

is by executing these 4 APDU(s):

A0A40000023F00
A0A40000027F10
A0A40000026F42
A0DC010428534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9

Details of each APDU is:

1) APDU for select 3F00 ==> A0 A4 00 00 02 3F 00
2) APDU for select DF 7F10 under MF 3F00 ==> A0 A4 00 00 02 7F 10
3) APDU to select EF 6F42 under DF 7F10 ==> A0 A4 00 00 02 6F 42
4) APDU to update record 1 of EF 6F42 to 534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9:

A0 DC 01 04 28 534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9

---

Now, we need to construct 03.48 SMS, means we need to ask our card vendor about these parameters:
1. TAR (toolkit application reference) of RFM applet
2. MSL (minimum security level setting)
3. Depend on MSL, maybe we need to know KiC & KiD of the card for RFM
4. Depend on how RFM implemented by card vendor, need to know how to pass APDU for updating the
filesystem. I assume we simply need to pass the APDU to RFM applet.

Let say,
1. the TAR is B0 00 10, please note this value is very specific to card vendor.
2. MSL is 0×25 means content must be encrypted and use CHryptographic CHecksum
3. Keyset to use is keyset 2 with algo Triple DES using outer CBC-Mode with 2 different keys and

KiC: 00112233445566778899AABBCCDDEEFF
KiD: 00112233445566778899AABBCCDDEEFF

Then we can generate APDU SMS-PP Download like this:

A0 C2 00 00 7B D1 79 02 02 83 81 06 04 00 21 43
F5 0B 6D 63 05 00 99 40 F1 7F F6 01 01 01 01 01
01 00 5D 02 70 00 00 58 15 06 01 25 25 B0 00 10
25 4E 56 31 DF D0 4D 77 DC 9C 64 90 30 E6 E8 97
DF 57 49 4B FC 45 11 71 56 2B 5E D3 FF C0 11 AA
62 CA 46 B6 4A 51 B0 A8 52 B3 CC 9F D0 6B 0D 95
C0 E8 DB E7 BF 44 25 39 67 90 B6 E2 22 BE C3 3F
EF 5B 35 2D 9D F7 97 22 15 08 67 F4 AA 29 A5 73
00

Next step is send this APDU over the air using SMS and the file inside SIMCard will be updated without user intervention.

Good luck

The structure of SMS-PP APDU including GSM 03.40 & GSM 03.48 header is defined in this structure:

The 3GPP TS 23.048 standard specifies the structure of Secure Packets in a general format and implementation using in particular Short Message Service Point to Point (SMS-PP).

The 3GPP TS 23.048 format is contained in the TP-UD (TP-User-Data) field in the 3GPP TS 03.40 format.

In the 3GPP TS 03.40 header, the TP-UDHI (User Data Header Indicator) bit value must be set to 1 to indicate that the initial bytes in the TP-User-Data field contain a header, and in particular, a 3GPP TS 23.048 header.

Please note that TS-SCA (Service Center Address) is optional

The TP-UD of SMS contains GSM 03.48 header and secure data, there’s 2 type of secure data:

• Command Packet

Is a secured packet transmitted by sending entity to the receiving entity, containing secured application message.

• Response Packet

Is a secured packet transmitted by receiving entity to the sending entity, containing secured response and possibly application data.

For Command Packet, the structure is like picture below:

As seen GSM 03.48 data include:

• CPL (Command Packet Length): 2 octet

Indicate the number of bytes from and including the command header identifier to the end of the secured data, including any padding bytes

• CHL (Command Header Length): 1 octet

Indicate the length of command header of packet data, means the number of bytes from and including the SPI to the end of RC/CC/DS.

• SPI (Security Parameter Indicator): 2 octet

These 2 bytes define the security level applied to the input and output message, this include if counter verification and PoR (proof of receipt) are required along with the associated security level. If the SPI indicates that a specific field is unused, the sending entity sets the contens of this field to zero and the receiving entity ignores the contents. For example, if there is no counter check, the counter value is set to 0×00.

If the SPI indicates that no RC, CC, or DS is present in the command header then the RC/CC/DS field is not present (length of zero)

First byte of SPI is described in picture below:

Second byte of SPI is:

• Ciphering Key Identifer (KiC): 1 octet

Keyset Identifier and algorithm for encryption for data.

• Key Identifer (KiD): 1 octet

Keyset Identifier and algorithm for encryption for RS/CC/DS.

The coding for KiC and KiD is shown below:

• Toolkit Application Reference (TAR): 3 octets

The TAR is part of the 23.048 header that identifies and triggers the Over The Air (OTA) feature, which is an application on the Java Card™. Each application

has its own TAR, which cannot be duplicated on the same card.

The TAR of a SIM toolkit applet is coded on three bytes and is defined in ETSI

TS 101 220 as the 13th, 14th and 15^th byte of the applet’s AID.

If these bytes are not present in the AID, the TAR is not defined for the SIM toolkit applet and cannot be triggered on a formatted SMS PP Envelope.

The remote applet management TAR is standardised in 3GPP TS 23.048 and

ETSI TS 101 220 as 00h 00h 00h. All card manufacturers must support this value. Since the TAR value for RFM is not yet standardised, operators should

Inform the card manufacturers as to which TAR value is required for RFM.

To offer interoperability, all card manufacturers must obviously provide the

same value for referencing applets. The SIM Alliance suggests that operators

define their own TAR values.

• CNTR (Counter): 5 octets

This counter is used for replay detection and sequence integrity. The presence and verification of this information are defined in the SPI bytes. Even if the SPI bytes require no counter available, the five counter bytes must be present in the TS 23.048 header

The following rules apply to counter management, with the aim of preventing replay and synchronization attack:

- The SE sets the counter value; it is only to be incremented

- When the counter value reaches its maximum value, the counter is blocked

If the security checks on an incoming command packet are successful and the counter mode used is mode 3 or 4 (b5b4 = 10 or b5b4 = 11), the card counter is updated using the counter of the incoming command packet.

If the security checks on an incoming command packet are successful and the counter mode used is mode 0 (No counter available mode: b5b4 = 00h), the five-byte counter must be present in the message, but is not checked and the card

• For mode 1 (Counter available: no replay or sequence checking: b5b4 = 01h), behavior depends on the application.

Example SMS-PP APDU:

A0C200004ED14C820283818B46400881556677887FF600112912000004350270000030150E19252
5000000010E0A8A0E1BD80CABB2C3F3903D80EF579BAEECBE6941A6DC0D437D553FE120026765CF
497DEE5D

Please note that this secure data & RS/CC/DS is encrypted with KiC & KiD:

KiC: 30 42 30 42 30 44 30 44 30 45 30 45 30 46 30 46
KiD: 01 23 45 67 89 AB CD EF 10 02 76 FE DC BA 01 23

Details:

A0C20000: This is the APDU command for SMS-PP (Point to Point) Download
^^ ->  0xA0: CLA of APDU
  ^^ -> 0xC2: INS of APDU
    ^^ -> 0x00: P1 of APDU
      ^^ -> 0x00: P2 of APDU

4ED14C82028381:
^^ -> 0x4E is length of data followed
  ^^ -> 0xD1 is a TAG of APDU data
    ^^ -> 0x4C is length of data followed
      ^^ -> 0x82 is a TAG that indicate Device Identities
        ^^ -> 0x02 is a TAG that indicate length of data
          ^^ -> 0x83 is a source device (Network)
            ^^ -> 0x81 is a destination device (UICC/SIMCard)

This now is is GSM 03.40 header

8B46400881556677887F
^^ -> 0x8B is TAG that indicate starting of SMS-TPDU data
  ^^ -> 0x46 is length of data followed
    ^^ -> 0x40 or in binary 01000000
          The bit structure numbering is like this
          TP-MTI  is bit no. 1 & bit no. 0 = 00 = type MS-Delivery
          TP-MMS  is bit no. 2 = 0 = no more message to send
          TP-UDHI is bit no. 6 = 1 = there’s header in TP-UD
          TP-RP   is bit no. 7 = 0 = no reply path 

      ^^ -> 0x08: Length of TP-OA is 8 digit
        ^^ -> 0x81: TON/NPI
          ^^^^^^^^ -> 55667788: TP-OA in BCD swapped format (8 digit)
                  ^^ -> 0x7F: TP-PID SIM data download

F60011291200000435
^^ -> 0xF6: TP-DCS
  ^^^^^^^^^^^^^^ -> TP-SCTS:
                ^^ -> 0x35: TP-UDL: User Data Length 53 octet

Now the TP-UD of SMS

0270000030150E192525000000010E0A8A0E1BD80CABB2C3F3903D80EF579BAEECBE6941A6DC0D437D553FE120026765CF497DEE5D

027000
^^ -> 0x02: UDHL
  ^^ -> 0x70: IEI (Information Element Identifier)
    ^^ -> 0x00: IEDL (Information Element Identifier Data Length)

0030150E192525000000
^^^^ -> 0x00 0x30: CPL (Command Packet Length) -> 48 octet
    ^^ -> 0x15: CHL (Command Header Length) -> 21 octet
      ^^^^ -> 0x0E 0x19: SPI (Security Parameter Indicator)
              0x0E = 01110 (in binary form) means:
		-	Cryptographic Checksum
		-	Encryption applied
		-	Counter Available, replay or sequence not checked

              0x19 = 11001 (in binary form) means:
		-	PoR required to be sent to sending entity
		-	PoR response with CC Applied
		-	PoR to be encrypted

          ^^ -> 0x25: KiC Identifier
                0x25 = 100101 (in binary form) means:
		-	DES
		-	Triple DES in outer CBC-Mode using 2 different keys
		-	Keyset to be used is 0x02

            ^^ -> 0x25: KiD Identifier
                  0x25 = 100101 (in binary form) means:
		-	DES
		-	Triple DES in outer CBC-Mode using 2 different keys
		-	Keyset to be used is 0x02

              ^^^^^^ -> 0x000000: TAR (Toolkit Application Reference)
                        This is the default TAR for Remote Applet
                        Management 

010E0A8A0E1BD80CABB2C3F3903D
^^^^^^^^^^ -> 5 octets of CNTR
          ^^ -> 0x1B: 1 octet of PCNTR
            ^^^^^^^^^^^^^^^^ -> D80CABB2C3F3903D: 8 octets of RS/CC/DS

And this is the secure data:
80EF579BAEECBE6941A6DC0D437D553FE120026765CF497DEE5D

I believe many of you ever receive this kind of SMS, normally content provider send java games, midi ringtone, or any multimedia content usin this type of SMS.

Actually how they send it is normally like picture below:

At first stage Push Initiator will send Service Indication in XML format (process 1) into Push Proxy Gateway (PPG) and then PPG will build a WAP Push SMS and send it to user (2).

When User receive it (3), it will be simply like normal SMS but contains a URL that could be simply opened. If user try to open it, then the rest is normally WAP session or TCP/IP session (4) and it’s actually like normal mobile browsing (5)

The algorithm use by mobile phone when receiving WAP Push Service Indication is like this:

Now I don’t want to discuss about how SI XML is sent by push initiator, but how PPG build WAP Push Service Indication. Actually the SI XML sent by push initiator is like this:

<?xml version="1.0"?>
<!DOCTYPE si PUBLIC "-//WAPFORUM//DTD SI 1.0//EN"
"http://www.wapforum.org/DTD/si.dtd">
<si>
<indication href="http://www.xyz.com/email/123/abc.wml"
created="1999-06-25T15:23:15Z"
si-expires="2099-06-30T00:00:00Z">
You have 4 new emails
</indication>
</si>

PPG will then build WBXML or Wireless Binary format for that XML data, and it’s like this

02056A0045C60D0378797A008503656D61696C2F3132332F6162632E776D6C000AC307199906251
5231510C304209906030103596F7520686176652034206E657720652D6D61696C73000101

That code above is hexadecimal code where 2 digit represented 1 byte hexadecimal digit range from 0×00 to 0xFF.

The detail of this encoding is:

02056A0045C60D0378797A00
^^ -> 0x02: Version of WBXML is 1.2
  ^^ -> 0x05: SI 1.0 Public Identifier, this indicated that document is a SI version 1.0 document
    ^^ -> 0x6A: Character Set is UTF-8
      ^^ -> 0x00: Table string length is 0x00
        ^^ -> 0x45: This is a WBXML coding for tag <SI> with content only (No attribute)
	  ^^ -> 0xC6: This is a WBXML coding for tag <indication> with content & attribute
	    ^^ -> 0x0D: This is a WBXML coding for attribute href="http://www."
	      ^^ -> 0x03: This is an indicator that a string is following ended with 0x00 (NULL)
	        ^^^^^^^^ -> 0x78 0x79 0x7A 0x00: This is a hex value of string "xyz" ended with 0x00 (NULL)

8503656D61696C2F3132332F6162632E776D6C00
^^ -> 0x85: This is a WBXML coding for string ".com/"
  ^^ -> 0x03: This is an indicator that a string is following ended with 0x00 (NULL)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -> 0x656D61696C2F3132332F6162632E776D6C000
                                             Hex representation of string "email/123/abc.wml"
					     ended with 0x00 (NULL)

0AC30719990625152315
^^ -> 0x0A: This is a WBXML coding for attribute "created="
  ^^ -> 0xC3: This is an indicator that an OPAQUE data (data with Length Value format)
    ^^ -> 0x07: Length of OPAQUE data
      ^^^^^^^^^^^^^^ -> 0x19990625152315 (7 octet) this is represent date "1999-06-25 15:23:15"

10C3042099060301
^^ -> 0x10: This is a WBXML coding for attribute "expires="
  ^^ -> 0xC3: This is an indicator that an OPAQUE data (data with Length Value format)
    ^^ -> 0x04: Length of OPAQUE data
      ^^^^^^^^ -> 0x20990603 (4 octet) this is to represent date "2099-06-30 00:00:00"
              ^^ -> 0x01: This is to indicate end of attribute for current TAG
	                  so no more attribute inside tag <indication>

03596F7520686176652034206E657720652D6D61696C7300
^^ -> 0x03: This is an indicator that a string is following ended with 0x00 (NULL)
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -> 0x596F7520686176652034206E657720652D6D61696C73000
                                       This is a hex representation of string:
				       "You have 4 emails" ended with 0x00 (NULL)
0101
^^ -> 0x01: this is to indicate end of attribute for current TAG (should refer to </indication> )
  ^^ -> 0x01: this is to indicate end of attribute for current TAG (should refer to </si> )

Now, PPG will generate WSP (Wireless Session Protocol) header as defined in WAP spec (www.openmobilealliance.org) like this:

01060403AE81EA

01060403AE81EA

This WSP header is actually encoded like this:

01060403AE81EA
^^ -> 0x01: This is Push Identifier
  ^^ -> 0x06: WSP PDU Type = Push
    ^^ -> 0x04: Length of octet followed 4 bytes
      ^^^^^^^^ -> 03AE81EA

03AE81EA itself is encoded like this:
^^ -> Length of content-type + header (3 octets)
  ^^ -> This is the content type of WAP Push (application/vnd.wap.sic)
        generated by doing OR operation with 0x80 like this
	1. Value of application/vnd.wap.sic is 0x2E
	   0x2E = 00101110
	   0x80 = 10000000
	   ------------------ OR
	   0xAE = 10101110

    ^^ -> 0x81: This is a header "Accept-Charset" (0x01) -> become 0x81
                since 0x81 = 0x01 | 0x80
      ^^ -> 0xEA: This is a value of header "Accept-Charset" which is UTF-8 (hexa code 0x6A)
                become 0xEA since 0xEA = 0x6A|0x80

The job is not done yet, PPG will now build WDP (Wireless Datagram Protocol) like this

05040B8423F0

Where actually this WDP is refer to this encoding:

05040B8423F0
^^ -> 0x05: IEI (Application Port Schema Addressing, 16 bit), see GSM 03.40
  ^^ -> 0x04: Length of octet following (4 bytes)
    ^^^^ -> 0x0B84: Destination Port of datagram = 2948 in decimal
                    Mobile phone which support WAP Push will normally listen
		    on WDP port 2948 to receive WAP Push 

		    This is the standard port for WAP Push connectionless
		    session service
        ^^^^ -> 0x23F0: Source port of datagram: the value here
	                is refer to Connectionless WAP Browser Proxy Server

So now we have combination WSP+WDP+SI layer to send as WAP Push:

05040B8423F0 (WDP Layer)
01060403AE81EA (WSP Layer)
02056A0045C60D0378797A008503656D61696C2F3132332F6162632E776D6C000AC307199906251
5231510C304209906030103596F7520686176652034206E657720652D6D61696C73000101 (SI layer)

If you try to calculate the number of octet there is 89 octets,means we can send it using 1 SMS only no need for sending long sms, since 1 SMS can contains 140 octets of data.

Now PPG will send it to end user by completing GSM 03.40 header for this data, like this

55010C9126582602680800F5A75A0605040B8423F001060403AE81EA02056A0045C60D0378797A0
08503656D61696C2F3132332F6162632E776D6C000AC3071999062515231510C304209906030103
596F7520686176652034206E657720652D6D61696C73000101

Where:

55010C9126582602680800F5A75A   --> GSM 03.40 Header
06                             --> UDHI Length
05040B8423F0                   --> WDP Layer
01060403AE81EA                 --> WSP Layer

-------------------------------------------------
02056A0045C60D0378797A0085036
56D61696C2F3132332F6162632E77
6D6C000AC3071999062515231510C    ==> SI Layer
304209906030103596F7520686176
652034206E657720652D6D61696C7
3000101
-------------------------------------------------

Now if send it using AT command like this:

AT+CMGF=0[ENTER]
OK

AT+CMGS=104[ENTER]
>0055010C9126582602680800F5A75A0605040B8423F001060403AE81EA02056A00
45C60D0378797A008503656D61696C2F3132332F6162632E776D6C000AC30719990
62515231510C304209906030103596F7520686176652034206E657720652D6D61696
C73000101[CTRL-Z]
OK

Our mobile phone will receive the WAP Push like this:

Please note, the WAP Push application behaviour for each mobile phone may different each others.