Remote File Management (RFM) on a SIM Card
What is the thing a GSM operator actually sells to its subscribers?
The answer is: the SIM card, a smartcard personalized for telecommunication purposes. Yes, physically a GSM operator sells a SIM card; everything else is a service built on top of it, including SMS, voice calls, MMS, voice mailbox and many other things.
The next question: since the SIM card sits inside the customer's mobile phone, how can the GSM operator manage it remotely, for example to manage the Java Card applets and the file system inside the SIM card? The answer is OTA (over the air), using SMS and/or the CAT-TP bearer (GPRS based); here we focus on the SMS (short message) based mechanism.
GSM 03.48 defines RFM (remote file management) and also RAM (remote applet management) as the standard mechanisms for managing a card remotely. We focus here on RFM; please note that the implementation of this feature is vendor specific.
OK, let me give an example as our case study. One day we, as the operator, need to run an OTA campaign to update the file EF_SMSP (7F10/6F42) because the address of the SMSC has changed. As we know, based on the 3GPP TS 31.102 document, EF_SMSP holds the SMSC information the mobile phone uses when sending mobile-originated (MO) SMS. For example, the current content of EF_SMSP (7F10/6F42) is
534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F1FFFFFFFF0000A9
You can refer to TS 31.102 for the structure of EF_SMSP; simply put, the SMSC address defined here is 85292040031. Now the operator wants to change it to 85292040034 over the air.
So, technically we need to:
1. Prepare the APDUs for updating the file
2. Construct the appropriate 03.48 + 03.40 APDU command
3. Send it over the air to the customer
The result is that the file on the customer's SIM card is updated silently, without user intervention.
Let us go deeper into the APDUs for updating the file. The sequence for updating record 1 of EF 7F10/6F42 from
534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F1FFFFFFFF0000A9
to
534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9
is to execute these 4 APDUs:
A0A40000023F00
A0A40000027F10
A0A40000026F42
A0DC010428534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9
Details of each APDU:
1) APDU to select the MF 3F00 ==> A0 A4 00 00 02 3F 00
2) APDU to select DF 7F10 under MF 3F00 ==> A0 A4 00 00 02 7F 10
3) APDU to select EF 6F42 under DF 7F10 ==> A0 A4 00 00 02 6F 42
4) APDU to update record 1 of EF 6F42 to 534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9 ==> A0 DC 01 04 28 534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9
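The record decoding and APDU construction above, as an added example in Python (not code from the original post): it splits the EF_SMSP record into its TS 31.102 fields, swaps in the new service centre address and emits the same SELECT / UPDATE RECORD chain. It assumes the record layout is a Y-byte alpha identifier followed by the fixed 28-byte tail (parameter indicators, TP-DA, TS-SCA, PID, DCS, VP).

```python
from binascii import hexlify, unhexlify

# The EF_SMSP record quoted in the post (40 bytes): a 12-byte alpha identifier
# followed by the fixed 28 bytes: indicators(1), TP-DA(12), TS-SCA(12), PID, DCS, VP.
OLD_RECORD = ("534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF"
              "07915892020430F1FFFFFFFF0000A9")

def decode_bcd(digits: bytes) -> str:
    """Reverse-nibble BCD as used in SCA fields: 58 92 .. 30 F1 -> 85292040031 (F = filler)."""
    out = []
    for b in digits:
        out.append(str(b & 0x0F))
        if b >> 4 != 0xF:
            out.append(str(b >> 4))
    return "".join(out)

def encode_bcd(number: str) -> bytes:
    """Inverse of decode_bcd; an odd digit count is padded with an F nibble."""
    number += "F" if len(number) % 2 else ""
    return bytes(int(number[i + 1] + number[i], 16) for i in range(0, len(number), 2))

def parse_smsp(record_hex: str) -> dict:
    rec = unhexlify(record_hex)
    y = len(rec) - 28                     # alpha identifier length Y (record length is 28 + Y)
    sca = rec[y + 13:y + 25]              # 12-byte TS-Service Centre Address field
    n = sca[0]                            # bytes that follow: TON/NPI + BCD digits
    return {"alpha": rec[:y].rstrip(b"\xff").decode("ascii"),
            "ton_npi": sca[1], "smsc": decode_bcd(sca[2:1 + n])}

def set_smsc(record_hex: str, number: str, ton_npi: int = 0x91) -> str:
    """Return the record with a new service centre address; everything else untouched."""
    rec = bytearray(unhexlify(record_hex))
    y = len(rec) - 28
    digits = encode_bcd(number)
    rec[y + 13:y + 25] = (bytes([1 + len(digits), ton_npi]) + digits).ljust(12, b"\xff")
    return hexlify(rec).decode().upper()

def update_record_apdus(path, record_no: int, record_hex: str) -> list:
    """SELECT (A0 A4) each file ID down the path, then UPDATE RECORD (A0 DC, P2=04 absolute)."""
    apdus = ["A0A4000002" + fid for fid in path]
    apdus.append("A0DC%02X04%02X%s" % (record_no, len(record_hex) // 2, record_hex.upper()))
    return apdus

if __name__ == "__main__":
    new = set_smsc(OLD_RECORD, "85292040034")
    print(parse_smsp(OLD_RECORD)["smsc"], "->", parse_smsp(new)["smsc"])
    for apdu in update_record_apdus(["3F00", "7F10", "6F42"], 1, new):
        print(apdu)
```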
Now we need to construct the 03.48 SMS, which means we need to ask our card vendor for these parameters:
1. TAR (Toolkit Application Reference) of the RFM applet
2. MSL (Minimum Security Level) setting
3. Depending on the MSL, we may need to know the KIc and KID of the card for RFM
4. Depending on how RFM is implemented by the card vendor, how to pass the APDUs for updating the filesystem. I assume we simply need to pass the APDUs to the RFM applet.
Let's say:
1. the TAR is B0 00 10; please note this value is very specific to the card vendor.
2. the MSL is 0x25, meaning the content must be encrypted and carry a cryptographic checksum (CC).
3. the keyset to use is keyset 2, with Triple DES in outer CBC mode using 2 different keys, and
KIc: 00112233445566778899AABBCCDDEEFF
KID: 00112233445566778899AABBCCDDEEFF
Then we can generate the SMS-PP Download APDU like this:
A0 C2 00 00 7B D1 79 02 02 83 81 06 04 00 21 43 F5 0B 6D 63 05 00 99 40 F1 7F F6 01 01 01 01 01 01 00 5D 02 70 00 00 58 15 06 01 25 25 B0 00 10 25 4E 56 31 DF D0 4D 77 DC 9C 64 90 30 E6 E8 97 DF 57 49 4B FC 45 11 71 56 2B 5E D3 FF C0 11 AA 62 CA 46 B6 4A 51 B0 A8 52 B3 CC 9F D0 6B 0D 95 C0 E8 DB E7 BF 44 25 39 67 90 B6 E2 22 BE C3 3F EF 5B 35 2D 9D F7 97 22 15 08 67 F4 AA 29 A5 73 00
The next step is to send this APDU over the air using SMS, and the file inside the SIM card will be updated without user intervention.
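An added example (not the author's code) that parses the SMS-PP Download APDU above down to the GSM 03.48 command header, so a reader can see what protection the packet claims (SPI, KIc/KID coding, TAR) and check its length bookkeeping without holding the keys; it does not decrypt or verify the checksum. KID is decoded with the KIc table, which is the same layout except that b3b4 = 11 is reserved for KID.

```python
from binascii import unhexlify

# The SMS-PP Download APDU quoted in the post, spaces removed (copied, not constructed).
ENVELOPE_HEX = (
    "A0C200007BD179020283810604002143F50B6D6305009940F17FF60101010101"
    "01005D02700000581506012525B00010254E5631DFD04D77DC9C649030E6E897"
    "DF57494BFC451171562B5ED3FFC011AA62CA46B64A51B0A852B3CC9FD06B0D95"
    "C0E8DBE7BF4425396790B6E222BEC33FEF5B352D9DF79722150867F4AA29A573"
    "00")

def decode_ki(k: int) -> dict:
    """KIc coding: b1b2 algorithm, b3b4 mode (for DES), b5-b8 key set number."""
    return {"algo": ("implicit", "DES", "reserved", "proprietary")[k & 3],
            "mode": ("CBC-DES", "3DES-2key-outer-CBC", "3DES-3key-outer-CBC", "ECB-DES")[(k >> 2) & 3],
            "keyset": k >> 4}

def parse_sms_pp_download(apdu_hex: str) -> dict:
    apdu = unhexlify(apdu_hex)
    if apdu[:2] != b"\xA0\xC2" or apdu[5] != 0xD1:   # ENVELOPE, SMS-PP DOWNLOAD tag
        raise ValueError("not an ENVELOPE(SMS-PP DOWNLOAD)")
    body, tlvs, pos = apdu[7:7 + apdu[6]], {}, 0
    while pos < len(body):                    # one-byte tag/length TLVs; mask the CR bit
        tag, ln = body[pos] & 0x7F, body[pos + 1]
        tlvs[tag] = body[pos + 2:pos + 2 + ln]
        pos += 2 + ln
    tpdu = tlvs[0x0B]                         # SMS-DELIVER TPDU (GSM 03.40)
    p = 3 + (tpdu[1] + 1) // 2                # skip MTI byte, OA length, TON/NPI and BCD digits
    pid, dcs = tpdu[p], tpdu[p + 1]
    ud = tpdu[p + 10:]                        # skip PID, DCS, SCTS (7 bytes) and UDL
    if tpdu[0] & 0x40:                        # UDHI set: skip the UDH (IEI 70 = command packet)
        ud = ud[1 + ud[0]:]
    cpl, chl = int.from_bytes(ud[:2], "big"), ud[2]
    spi1, spi2 = ud[3], ud[4]
    return {"pid": pid, "dcs": dcs, "cpl": cpl, "chl": chl,
            "integrity": ("none", "RC", "CC", "DS")[spi1 & 3],
            "ciphered": bool(spi1 & 0x04), "counter_mode": (spi1 >> 3) & 3,
            "por": ("none", "PoR", "PoR on error", "reserved")[spi2 & 3],
            "kic": decode_ki(ud[5]), "kid": decode_ki(ud[6]), "tar": ud[7:10].hex().upper(),
            "secured_data_len": cpl - 1 - chl,   # CPL = CHL byte + header + secured data (+ padding)
            "ciphered_len": len(ud[10:])}        # CNTR(5) + PCNTR(1) + CC(8) + secured data

def lengths_consistent(info: dict) -> bool:
    """The 14 ciphered header bytes plus the secured data must fill whole DES blocks."""
    ciphered = info["chl"] - 7 + info["secured_data_len"]
    return ciphered == info["ciphered_len"] and ciphered % 8 == 0
```

The 66 secured-data bytes it reports match the four plaintext APDUs listed earlier (7 + 7 + 7 + 45 bytes), and the 80 ciphered bytes are those 66 plus the 14 ciphered header bytes (CNTR, PCNTR, CC).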
Good luck
Hooray, number 1…
I don't understand, the knowledge in your writing is too advanced for me…
muhnur
June 26, 2008 at 9:07 am
Hi,
We are currently doing research at Stanford on remote file management using SIM OTA. This was very helpful for us. We still have some questions, though, so we wish the author of this could send us a reply to samirsel@stanford.edu so that we can communicate further with him. Compensation is surely not a problem.
Regards,
Samir
July 14, 2008 at 8:32 am
Hi; I am exploring the file structure of the SIM right now. I want to read
MF 3F00 -> DF GSM -> BCCH, which contains RX values, through a Java Card Gemalto applet. Can somebody assist me? My code throws an exception on
gsmFile.readRecord((short) 1, (byte) 0x04, (short) 0, tempBuffer, (short) 0, (short) 1);
It throws an ISOException here…. Any help will be appreciated…
Waqar Ahmed
July 16, 2008 at 12:37 pm
Hi Ahmed
Have you selected the file properly?
What's the file type? Linear, record file?
Thanks
adywicaksono
July 16, 2008 at 1:40 pm
Well, I found it… lol… I did it through the readBinary method… ;)
Waqar Ahmed
July 17, 2008 at 5:57 am
Thanks for your response….
Waqar Ahmed
July 17, 2008 at 5:59 am
Great
If the file is transparent, obviously readRecord() will throw an exception.
ady wicaksono
July 17, 2008 at 6:33 am
Hi Ady;
Man!…. Actually I want to get two types of information or parameters….
1. BCCH
2. TA -timing Advance
from the applet. Before this file-reading approach I was trying it through commands, but the simulator responds that “Command is Beyond simulators Capabilty”
Not even AT commands are supported by the simulator….
So then I switched to reading this information through reading GSM files….
I got the BCCH values… yet… but I don't know which file contains the value of “timing advance”. Secondly, if someone has some info about decoding the values I got from the BCCH file and TA…. please share it… that will really be helpful for me….
I saw this code on Gemalto's forums but it is of no use…
proHdlr.init(PRO_CMD_PROVIDE_LOCAL_INFORMATION, code, DEV_ID_TERMINAL);
proHdlr.send();
Only code = 0x00 (local info) - supported
= 0x01 (IMEI) - supported
code = 0x02 (NMR) - Not Supported By Simulator
code = 0x03 (Date-Time) - Not Supported By Simulator
code = 0x05 (Timing Advance) - Not Supported By Simulator
My code:
Please review if it's wrong.
ProactiveHandler proHdlr = ProactiveHandler.getTheHandler();
ProactiveResponseHandler rspHdlr = ProactiveResponseHandler.getTheHandler();
// Send a PROVIDE LOCAL INFORMATION proactive command to the mobile
// proHdlr.init(PRO_CMD_PROVIDE_LOCAL_INFORMATION, (byte) 0x02, DEV_ID_ME); // for NMR
// proHdlr.init(PRO_CMD_PROVIDE_LOCAL_INFORMATION, (byte) 0x03, DEV_ID_ME); // for Date & Time
// proHdlr.init(PRO_CMD_PROVIDE_LOCAL_INFORMATION, (byte) 0x04, DEV_ID_ME); // for Unknown
proHdlr.init(PRO_CMD_PROVIDE_LOCAL_INFORMATION, (byte) 0x05, DEV_ID_ME); // for Timing Advance
proHdlr.send();
// Clear the tempBuffer[] area reserved for Local Information
Util.arrayFillNonAtomic(tempBuffer, OFFSET_LOCATION_INFO, LENGTH_LOCATION_INFO, (byte) 0x00);
// Copy the Location Information TLV from the terminal response into tempBuffer
rspHdlr.findAndCopyValue(TAG_LOCATION_INFORMATION, tempBuffer, OFFSET_LOCATION_INFO);
//~~~~~~~~~~~~~~~~~~~~~DECODER~~~~~~~~~~~~~~~~~~~~~~~~
decodeLocationIDs(tempBuffer, (short) 10); // just a hex2Ascii convertor..
//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
//tempBuffer[0] = 'Waqar';
proHdlr.initDisplayText((byte) 0, DCS_8_BIT_DATA, tempBuffer, (short) 0, (short) 12);
proHdlr.send();
… my code runs fine but the simulator does not support the commands, as I stated before….. that's why I am trying to read files to get the info which is needed…. I got BCCH but timing advance (TA) is still what I didn't get..
If anyone can help or guide or give suggestions!
That will be great, as I have been stuck here since last week…
Waqar Ahmed
July 17, 2008 at 11:47 am
I suggest you read about the Card Application Toolkit as your reference
Thanks
adywicaksono
July 19, 2008 at 9:14 am
Regards;
WaqarAhmed
Waqar Ahmed
July 29, 2008 at 8:04 am