Ady Wicaksono Daily Activities

Remote File Management (RFM) on SIMCard

with 14 comments

What does a GSM operator actually sell to a subscriber?

The answer is: a SIMCard, a smartcard personalized for telecommunication purposes. Physically, the GSM operator sells a SIMCard; everything else is a service built on top of it, including SMS, voice calls, MMS, voice mailbox and many more.

The next question: since the SIMCard sits inside the customer's mobile phone, how can the GSM operator manage it remotely, for example the Java Card applets and the filesystem inside the SIMCard? The answer is OTA (over the air), using SMS and/or the CAT-TP bearer (GPRS based); here we focus on the SMS variant (short message protocol).

GSM 03.48 defines RFM and RAM as the standard mechanisms for remote file management (RFM) and remote applet management (RAM). We focus on RFM here; note that the implementation of this feature is vendor specific.

OK, let me give an example as our case study. One day we, as the operator, need to run an OTA campaign to update the file EF_SMSP (7F10/6F42) because the SMSC address has changed. Based on 3GPP TS 31.102, EF_SMSP holds the SMSC information the mobile phone uses when sending mobile originated (MO) SMS. Suppose the current content of EF_SMSP (7F10/6F42) is:

534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F1FFFFFFFF0000A9

Refer to TS 31.102 for the structure of EF_SMSP; in short, the SMSC address stored here is 85292040031. Now the operator wants to change it to 85292040034 over the air.

So, technically we need to:
1. Prepare the APDUs for updating the file
2. Construct the appropriate 03.48 + 03.40 APDU command
3. Send it over the air to the customer

The result: the file on the customer's SIMCard is updated silently, without user intervention.


Let us go deeper into the APDUs for updating the file. The sequence for updating EF 7F10/6F42 record 1 from

534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F1FFFFFFFF0000A9

to

534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9

is to execute these 4 APDUs:

A0A40000023F00
A0A40000027F10
A0A40000026F42
A0DC010428534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9

Details of each APDU:

1) APDU to select MF 3F00 ==> A0 A4 00 00 02 3F 00
2) APDU to select DF 7F10 under MF 3F00 ==> A0 A4 00 00 02 7F 10
3) APDU to select EF 6F42 under DF 7F10 ==> A0 A4 00 00 02 6F 42
4) APDU to update record 1 of EF 6F42 to 534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9:

A0 DC 01 04 28 534D532043454E545245FFFFE1FFFFFFFFFFFFFFFFFFFFFFFF07915892020430F4FFFFFFFF0000A9
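As an added example (my code, not from the original post), the following decodes the SMSC number out of an EF_SMSP record, re-encodes the record with the new number and builds the same four APDUs listed above. Field sizes follow 3GPP TS 31.102 (the mandatory tail of an EF_SMSP record is 28 bytes; whatever precedes it is the alpha identifier); the record is the one from the post, assembled field by field.

```python
# Added example (not from the original post): EF_SMSP SMSC decode/encode and the
# SELECT 3F00 / 7F10 / 6F42 + UPDATE RECORD 1 APDU sequence for the new record.

# The "before" record from the post, assembled field by field (40 bytes).
OLD_RECORD = (
    "534D532043454E545245" + "FFFF"    # alpha identifier, 12 bytes: "SMS CENTRE"
    + "E1"                             # parameter indicators
    + "FF" * 12                        # TP-Destination Address (unused)
    + "07915892020430F1" + "FF" * 4    # TS-Service Centre Address, 12 bytes
    + "00" + "00" + "A9"               # TP-PID, TP-DCS, TP-Validity Period
)

def _bcd_decode(data):
    """Swapped-nibble BCD -> digit string, stopping at the 0xF filler."""
    nibs = [n for b in data for n in (b & 0x0F, b >> 4)]
    end = nibs.index(0xF) if 0xF in nibs else len(nibs)
    return "".join(str(n) for n in nibs[:end])

def _bcd_encode(number):
    """Digit string -> swapped-nibble BCD; an odd digit count is padded with F."""
    s = number + "F" * (len(number) % 2)
    return bytes(int(s[i + 1] + s[i], 16) for i in range(0, len(s), 2))

def _sca_offset(record):
    # alpha identifier, then PI (1 byte) and TP-DA (12 bytes) come before the SCA
    return len(record) - 28 + 1 + 12

def get_smsc(record_hex):
    rec = bytes.fromhex(record_hex)
    off = _sca_offset(rec)
    n = rec[off]                                    # bytes that follow: TON/NPI + digits
    return _bcd_decode(rec[off + 2 : off + 1 + n])  # skip the TON/NPI byte

def set_smsc(record_hex, number):
    rec = bytearray.fromhex(record_hex)
    off = _sca_offset(rec)
    digits = _bcd_encode(number)
    field = bytes([1 + len(digits), rec[off + 1]]) + digits  # keep the existing TON/NPI
    rec[off : off + 12] = field.ljust(12, b"\xFF")
    return rec.hex().upper()

def update_apdus(record_hex, rec_no=1):
    """SELECT MF, DF and EF, then UPDATE RECORD (INS DC, P2 = 04: absolute record number)."""
    lc = len(bytes.fromhex(record_hex))
    return ["A0A40000023F00", "A0A40000027F10", "A0A40000026F42",
            "A0DC%02X04%02X%s" % (rec_no, lc, record_hex)]
```

`set_smsc(OLD_RECORD, "85292040034")` changes only the last SCA byte (F1 to F4) and `update_apdus` on the result gives exactly the four APDUs above; `get_smsc` is the read-back check for the question of verifying the new value.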

Now we need to construct the 03.48 SMS, which means we need to ask our card vendor for these parameters:
1. TAR (toolkit application reference) of the RFM applet
2. MSL (minimum security level setting)
3. Depending on the MSL, we may also need the KIc & KID of the card for RFM
4. Depending on how RFM is implemented by the card vendor, how to pass the APDUs for updating the
filesystem. I assume we simply need to pass the APDUs to the RFM applet.

Let's say:
1. the TAR is B0 00 10; note this value is very specific to the card vendor.
2. MSL is 0x25, meaning the content must be encrypted and carry a Cryptographic Checksum
3. the keyset to use is keyset 2, with Triple DES in outer CBC mode using 2 different keys, and

KiC: 00112233445566778899AABBCCDDEEFF
KiD: 00112233445566778899AABBCCDDEEFF

Then we can generate the SMS-PP Download APDU like this:

A0 C2 00 00 7B D1 79 02 02 83 81 06 04 00 21 43
F5 0B 6D 63 05 00 99 40 F1 7F F6 01 01 01 01 01
01 00 5D 02 70 00 00 58 15 06 01 25 25 B0 00 10
25 4E 56 31 DF D0 4D 77 DC 9C 64 90 30 E6 E8 97
DF 57 49 4B FC 45 11 71 56 2B 5E D3 FF C0 11 AA
62 CA 46 B6 4A 51 B0 A8 52 B3 CC 9F D0 6B 0D 95
C0 E8 DB E7 BF 44 25 39 67 90 B6 E2 22 BE C3 3F
EF 5B 35 2D 9D F7 97 22 15 08 67 F4 AA 29 A5 73
00

The next step is to send this APDU over the air via SMS; the file inside the SIMCard is then updated without user intervention.
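To see what the packet above actually carries, here is an added example (my code, not from the original post) that parses that ENVELOPE and extracts the GSM 03.48 command packet header: the SPI, the KIc/KID key references, the TAR and the length of the enciphered part all travel in clear, and only the key secrecy and the card's MSL protect the payload. Offsets follow GSM 11.14 / 03.40 / 03.48; no keys are involved and nothing is decrypted.

```python
# Added example (not from the original post): locate the 03.48 command packet
# inside the SMS-PP download ENVELOPE and read its clear-text header.

# The ENVELOPE APDU from the post (bytes.fromhex ignores the whitespace).
ENVELOPE_HEX = """
A0 C2 00 00 7B D1 79 02 02 83 81 06 04 00 21 43
F5 0B 6D 63 05 00 99 40 F1 7F F6 01 01 01 01 01
01 00 5D 02 70 00 00 58 15 06 01 25 25 B0 00 10
25 4E 56 31 DF D0 4D 77 DC 9C 64 90 30 E6 E8 97
DF 57 49 4B FC 45 11 71 56 2B 5E D3 FF C0 11 AA
62 CA 46 B6 4A 51 B0 A8 52 B3 CC 9F D0 6B 0D 95
C0 E8 DB E7 BF 44 25 39 67 90 B6 E2 22 BE C3 3F
EF 5B 35 2D 9D F7 97 22 15 08 67 F4 AA 29 A5 73
00
"""

def parse_envelope(hex_text):
    apdu = bytes.fromhex(hex_text)
    if apdu[:4] != b"\xA0\xC2\x00\x00" or apdu[5] != 0xD1:
        raise ValueError("not an ENVELOPE (SMS-PP download) APDU")
    tlvs, i = {}, 7                            # skip CLA INS P1 P2 Lc, tag D1, its length
    while i < 5 + apdu[4]:                     # simple TLVs inside the D1 template
        tag, ln = apdu[i] & 0x7F, apdu[i + 1]  # mask the comprehension-required bit
        tlvs[tag] = apdu[i + 2 : i + 2 + ln]
        i += 2 + ln
    tpdu = tlvs[0x0B]                          # SMS-DELIVER TPDU (GSM 03.40)
    p = 2 + 1 + (tpdu[1] + 1) // 2             # first octet, TP-OA len, TON/NPI, digits
    pid, dcs = tpdu[p], tpdu[p + 1]
    p += 2 + 7                                 # TP-PID, TP-DCS, TP-SCTS
    ud = tpdu[p + 1 : p + 1 + tpdu[p]]         # TP-UDL, then the user data
    if not (tpdu[0] & 0x40) or ud[1] != 0x70:  # need UDHI set and IEI 0x70
        raise ValueError("no 03.48 command packet in the user data")
    cp = ud[1 + ud[0]:]                        # command packet follows the UDH
    cpl, chl = int.from_bytes(cp[:2], "big"), cp[2]
    spi1, spi2, kic, kid = cp[3], cp[4], cp[5], cp[6]
    return {
        "pid": pid, "dcs": dcs,                # 7F = SIM data download, F6 = class 2, 8-bit
        "cpl": cpl, "chl": chl,
        "spi": (spi1, spi2),                   # sender's choice; the card's MSL is the minimum it accepts
        "kic": kic, "kid": kid, "tar": cp[7:10].hex().upper(),
        "kic_keyset": kic >> 4,                # KIc b8..b5: key set number
        "kic_3des_2key": ((kic >> 2) & 3) == 1,  # KIc b4b3 = 01: 3DES, outer CBC, 2 keys
        "cc_required": (spi1 & 3) == 2,        # SPI b2b1 = 10: cryptographic checksum
        "ciphered": bool(spi1 & 4),            # SPI b3: secured data is enciphered
        "secured_data_len": cpl - 1 - chl,     # plaintext APDU bytes after the header
        "ciphertext_len": len(cp[10:]),        # CNTR + PCNTR + CC + data, all enciphered
    }
```

For this packet the 66-byte secured data length matches the four APDUs above (7 + 7 + 7 + 45 bytes), and the 80 enciphered bytes are CNTR (5), PCNTR (1), CC (8) plus those 66, already a multiple of the 8-byte DES block so no padding is needed.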

Good luck🙂

Written by adywicaksono

June 21, 2008 at 5:31 pm

14 Responses


  1. Hooray, number 1…🙂
    I don't understand, the knowledge in your writing is too advanced for me…

    muhnur

    June 26, 2008 at 9:07 am

  2. Hi,

    We are currently doing research at Stanford on remote file management using SIM OTA. This was very helpful for us. We still have some questions though so we wish if the author of this can send us a reply to samirsel@stanford.edu so that we can further communicate with him. Compensation is surely not a problem.

    Regards,

    Samir

    July 14, 2008 at 8:32 am

  3. Hi; I am exploring the file structure of the SIM right now. I want to read

    MF 3F00 –> DF GSM –> BCCH, which contains RX values, through a Java Card Gemalto applet. Can somebody assist me? My code throws an exception on

    gsmFile.readRecord((short) 1, (byte) 0x04, (short) 0, tempBuffer, (short) 0, (short) 1);

    it throws ISOException here…. any help will be appreciated…

    Waqar Ahmed

    July 16, 2008 at 12:37 pm

  4. Hi Ahmed

    Have you selected the file properly?
    What's the file type? Linear, record file?

    Thanks

    adywicaksono

    July 16, 2008 at 1:40 pm

  5. Well, I found it… lol… I did it through the readBinary method…[;)]

    Waqar Ahmed

    July 17, 2008 at 5:57 am

  6. Thanks for your response….

    Waqar Ahmed

    July 17, 2008 at 5:59 am

  7. great🙂

    if the file is transparent, obviously readRecord() will throw an exception🙂

    ady wicaksono

    July 17, 2008 at 6:33 am

  8. Hi Ady;

    Man!…. actually I want to get two types of information or parameters….
    1. BCCH
    2. TA - timing advance

    from the applet. Before this file-reading approach I was trying it through commands, but the simulator responds that “Command is Beyond simulators Capabilty”😦 not even AT commands are supported by the simulator….

    So then I switched to reading this information through reading the GSM files….
    I got the BCCH values… yet…🙂 but I don't know which file contains the
    value of “timing advance”. Secondly, if someone has some info about decoding the values I got from the BCCH file and TA…. please share it… that will really be helpful for me….

    I saw this code on Gemalto's forums but it is of no use… 😦
    proHdlr.init(PRO_CMD_PROVIDE_LOCAL_INFORMATION, code, DEV_ID_TERMINAL);
    proHdlr.send();

    Only code = 0x00 (local info) - supported
    code = 0x01 (IMEI) - supported

    code = 0x02 (NMR) - Not Supported By Simulator
    code = 0x03 (Date-Time) - Not Supported By Simulator
    code = 0x05 (Timing Advance) - Not Supported By Simulator

    My code 🙂 (please review if it's wrong 😮):
    ProactiveHandler proHdlr = ProactiveHandler.getTheHandler();
    ProactiveResponseHandler rspHdlr = ProactiveResponseHandler.getTheHandler();

    // Send Provide IMEI Information – IMEI Info command to the mobile
    // proHdlr.init(PRO_CMD_PROVIDE_LOCAL_INFORMATION, (byte) 0x02, DEV_ID_ME); // for NMR
    // proHdlr.init(PRO_CMD_PROVIDE_LOCAL_INFORMATION, (byte) 0x03, DEV_ID_ME); // for Date & Time
    // proHdlr.init(PRO_CMD_PROVIDE_LOCAL_INFORMATION, (byte) 0x04, DEV_ID_ME); // for Unknown
    proHdlr.init(PRO_CMD_PROVIDE_LOCAL_INFORMATION, (byte) 0x05, DEV_ID_ME); // for Timing Advance
    proHdlr.send();

    // Clear the tempBuffer[] area reserved for Local Information
    Util.arrayFillNonAtomic(tempBuffer, OFFSET_LOCATION_INFO, LENGTH_LOCATION_INFO, (byte) 0x00);

    rspHdlr.findAndCopyValue(TAG_LOCATION_INFORMATION, tempBuffer, OFFSET_LOCATION_INFO);
    // ~~~~~~~~~~ DECODER ~~~~~~~~~~
    decodeLocationIDs(tempBuffer, (short) 10); // just a hex2Ascii convertor..
    // tempBuffer[0] = 'Waqar';

    proHdlr.initDisplayText((byte) 0, DCS_8_BIT_DATA, tempBuffer, (short) 0, (short) 12);
    proHdlr.send();

    ………………… my code runs fine but the simulator does not support the commands, as I stated before….. that's why I am trying to read files to get the info which is needed…. got BCCH but timing advance TA is still what I didn't get..😦

    If you can help or guide or give suggestions!🙂 ..
    that will be great as I have been stuck here since last week…😦

    Waqar Ahmed

    July 17, 2008 at 11:47 am

  9. I suggest you read about CARD Application Toolkit as your reference

    Thanks

    adywicaksono

    July 19, 2008 at 9:14 am

  10. 8) Thanks Ady… yeah, the simulator doesn't support it, and I believe the workaround will be to test it on a live SIM and on a real cell phone…B) I am going for it, and if I am successful that way I will post the solution here, so other guys benefit as well

    Regards;
    WaqarAhmed

    Waqar Ahmed

    July 29, 2008 at 8:04 am

  11. Hi All,

    I was wondering, based on the information and example supplied above:

    I would like to know how I can verify that the newly set SMS center address was saved?

    How can I read back the information using APDU commands?

    Hope you can help,

    Regards,
    EL

    Elston

    March 15, 2010 at 8:44 pm

  12. Hi Ady,

    We plan to update the SMSC address inside EF SMSP and we made an OTA vendor comparison based on the several things below:
    – SMS throughput.
    – Report generation.
    – Failed SIM handling.

    Do you have any idea what other things should be put in as vendor comparison items? Of course we have to put the price in too😀

    Thanks

    Ichwan Sontani

    April 14, 2010 at 7:13 am

    • I have no idea for that purpose; however, updating EF_SMSP is not a good idea, as normally an OTA campaign has x% failure due to many reasons.

      adywicaksono

      April 25, 2010 at 6:50 am

  13. Hi Ady,

    great article, but I'd very much like to know the details of how you use the KIc and KID keys to encrypt the data, is that possible?

    Thanks

    Arnar

    May 4, 2010 at 3:01 pm

