Ady Wicaksono Daily Activities

Archive for June 2008

Remote File Management (RFM) on SIMCard

with 14 comments

What is the thing sold by GSM Operator to subscriber?

The answer is: SIMCard, a smartcard that personalized for telecommunication purpose. Yes, as we know physically GSM operator sell a SIMCard,  the rest are services upon it including SMS, call service, MMS, Voice Mailbox  and many things.

The next question, since SIMcard will be hold by customer inside their mobile phone, how could GSM operator manage the SIMcard remotely?  Things like managing javacard applet & filesystem inside the SIMCard. The answer is by OTA (over the air) using SMS and or CAT-TP bearer (GPRS based), but we will focus on the one using SMS (short message protocol).

GSM 03.48 define RFM and also RAM as standard mechanism for doing remote file management (RFM) and remote applet management. We are now focus on RFM, please note the implementation for this feature is vendor specific.

OK, let me give an example as our case study, one day we as operator need to do OTA campaign for updating file EF_SMSP (7F10/6F42) since the address of SMSC is now changed. As we know, based on 3GPP TS 31.102 document, EF_SMSP contains SMSC information that will be used by mobile phone for sending mobile originated  (MO) SMS. For example the content of file EF_SMSP (7F10/6F42) is now


You can refer to TS 31.102 document for the structure of EF_SMSP, but simply said the SMSC address defined here is: 85292040031. Now, operator want to change it to 85292040034 over the air.

So, technically we need to:
1. Prepare APDU for updating the file
2. Construct appropriate 03.48 + 03.40 APDU command
3. Send it over the air to customer

The result is, the file on customer SIMcard is updated silenty without user intervention.

Let us, go deeply with APDU for updating the file. Sequence for updating EF 7F10/6F42 record 1 from




is by executing these 4 APDU(s):


Details of each APDU is:

1) APDU for select 3F00 ==> A0 A4 00 00 02 3F 00
2) APDU for select DF 7F10 under MF 3F00 ==> A0 A4 00 00 02 7F 10
3) APDU to select EF 6F42 under DF 7F10 ==> A0 A4 00 00 02 6F 42
4) APDU to update record 1 of EF 6F42 to 534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9:

A0 DC 01 04 28 534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9

Now, we need to construct 03.48 SMS, means we need to ask our card vendor about these parameters:
1. TAR (toolkit application reference) of RFM applet
2. MSL (minimum security level setting)
3. Depend on MSL, maybe we need to know KiC & KiD of the card for RFM
4. Depend on how RFM implemented by card vendor, need to know how to pass APDU for updating the
filesystem. I assume we simply need to pass the APDU to RFM applet.

Let say,
1. the TAR is B0 00 10, please note this value is very specific to card vendor.
2. MSL is 0x25 means content must be encrypted and use CHryptographic CHecksum
3. Keyset to use is keyset 2 with algo Triple DES using outer CBC-Mode with 2 different keys and

KiC: 00112233445566778899AABBCCDDEEFF
KiD: 00112233445566778899AABBCCDDEEFF

Then we can generate APDU SMS-PP Download like this:

A0 C2 00 00 7B D1 79 02 02 83 81 06 04 00 21 43
F5 0B 6D 63 05 00 99 40 F1 7F F6 01 01 01 01 01
01 00 5D 02 70 00 00 58 15 06 01 25 25 B0 00 10
25 4E 56 31 DF D0 4D 77 DC 9C 64 90 30 E6 E8 97
DF 57 49 4B FC 45 11 71 56 2B 5E D3 FF C0 11 AA
62 CA 46 B6 4A 51 B0 A8 52 B3 CC 9F D0 6B 0D 95
C0 E8 DB E7 BF 44 25 39 67 90 B6 E2 22 BE C3 3F
EF 5B 35 2D 9D F7 97 22 15 08 67 F4 AA 29 A5 73

Next step is send this APDU over the air using SMS and the file inside SIMCard will be updated without user intervention.

Good luck 🙂

Written by adywicaksono

June 21, 2008 at 5:31 pm