Remote File Management (RFM) on SIMCard
What is the thing sold by GSM Operator to subscriber?
The answer is: SIMCard, a smartcard that personalized for telecommunication purpose. Yes, as we know physically GSM operator sell a SIMCard, the rest are services upon it including SMS, call service, MMS, Voice Mailbox and many things.
The next question, since SIMcard will be hold by customer inside their mobile phone, how could GSM operator manage the SIMcard remotely? Things like managing javacard applet & filesystem inside the SIMCard. The answer is by OTA (over the air) using SMS and or CAT-TP bearer (GPRS based), but we will focus on the one using SMS (short message protocol).
GSM 03.48 define RFM and also RAM as standard mechanism for doing remote file management (RFM) and remote applet management. We are now focus on RFM, please note the implementation for this feature is vendor specific.
OK, let me give an example as our case study, one day we as operator need to do OTA campaign for updating file EF_SMSP (7F10/6F42) since the address of SMSC is now changed. As we know, based on 3GPP TS 31.102 document, EF_SMSP contains SMSC information that will be used by mobile phone for sending mobile originated (MO) SMS. For example the content of file EF_SMSP (7F10/6F42) is now
You can refer to TS 31.102 document for the structure of EF_SMSP, but simply said the SMSC address defined here is: 85292040031. Now, operator want to change it to 85292040034 over the air.
So, technically we need to:
1. Prepare APDU for updating the file
2. Construct appropriate 03.48 + 03.40 APDU command
3. Send it over the air to customer
The result is, the file on customer SIMcard is updated silenty without user intervention.
Let us, go deeply with APDU for updating the file. Sequence for updating EF 7F10/6F42 record 1 from
is by executing these 4 APDU(s):
A0A40000023F00 A0A40000027F10 A0A40000026F42 A0DC010428534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9
Details of each APDU is:
1) APDU for select 3F00 ==> A0 A4 00 00 02 3F 00 2) APDU for select DF 7F10 under MF 3F00 ==> A0 A4 00 00 02 7F 10 3) APDU to select EF 6F42 under DF 7F10 ==> A0 A4 00 00 02 6F 42 4) APDU to update record 1 of EF 6F42 to 534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9: A0 DC 01 04 28 534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9
Now, we need to construct 03.48 SMS, means we need to ask our card vendor about these parameters:
1. TAR (toolkit application reference) of RFM applet
2. MSL (minimum security level setting)
3. Depend on MSL, maybe we need to know KiC & KiD of the card for RFM
4. Depend on how RFM implemented by card vendor, need to know how to pass APDU for updating the
filesystem. I assume we simply need to pass the APDU to RFM applet.
1. the TAR is B0 00 10, please note this value is very specific to card vendor.
2. MSL is 0x25 means content must be encrypted and use CHryptographic CHecksum
3. Keyset to use is keyset 2 with algo Triple DES using outer CBC-Mode with 2 different keys and
Then we can generate APDU SMS-PP Download like this:
A0 C2 00 00 7B D1 79 02 02 83 81 06 04 00 21 43 F5 0B 6D 63 05 00 99 40 F1 7F F6 01 01 01 01 01 01 00 5D 02 70 00 00 58 15 06 01 25 25 B0 00 10 25 4E 56 31 DF D0 4D 77 DC 9C 64 90 30 E6 E8 97 DF 57 49 4B FC 45 11 71 56 2B 5E D3 FF C0 11 AA 62 CA 46 B6 4A 51 B0 A8 52 B3 CC 9F D0 6B 0D 95 C0 E8 DB E7 BF 44 25 39 67 90 B6 E2 22 BE C3 3F EF 5B 35 2D 9D F7 97 22 15 08 67 F4 AA 29 A5 73 00
Next step is send this APDU over the air using SMS and the file inside SIMCard will be updated without user intervention.
Good luck 🙂