Hi all.
Even though this is linked to my question about using a Hex ADM1 PIN, that thread is more about a “bug” (not a big bug). I’m hoping to scrape together enough time to sign up for and configure Gerrit so I can push my fix for that.
My question is hopefully more specific.
TL;DR at the bottom if you don’t care about specifics or history.
Background:
I’ve been programming for decades, but I’m a newcomer to Javacard and applets. I’m fine with the syntax of the language (I started using Java at 1.0a, pre-release). I’ve inherited a toolchain which compiles the Java, then converts it into a CAP file, ready for flashing.
We (before my time at my employer) did most of the work on Morpho SIMs which had a built-in Card Manager applet.
Up until now, the next part of the toolchain converts the CAP file into what we call an “OTA” file, which is just a series of PDUs that are sent to the card in 1 of 2 ways.
We would send the OTA file directly to the Card Manager, without using any ADM keys, and it would take the OTA file and spoof an OTA campaign.
The other way is we’d send the OTA file to an OTA server on the SIM card, secured with the KIC and KID keys.
The first line of this file is
80E400800A4F08A00000xxxxxxxxxx
Breaking that down, this is
80: Global Platform Command
E4: Delete
00: Only Command
80: Delete
0A: 10 bytes of data to follow
4F: Don’t know
08: 8 bytes of AID to follow
A00000xxxxxxxxxx: Aid to delete
(where xxx is the AID of our applet)
This has worked for years. The initial cards (Idemia) had the Card Manager. The next set of cards had OTA support (I believe), so we would switch from our custom auth to use OTA with KIC and KID.
We’ve just bought a much larger load of cards, and these are causing us problems…
They don’t have a card manager, they don’t seem to be running an OTA server, so we’ve got a stack of cards we can’t use. We use the KIC and KID to do the 0348 auth, but when we send the command to delete the existing applet, it rejects it with a 6D00. (Instruction code not supported or invalid)
What’s really distressing is they don’t seem to have a security domain AID, so GPPro looks at the SIM and just throws its hands up, as it can literally do nothing with them.
In parallel with this, we’re also trying to flash some Valid SIM cards, supplied by O2 in the UK. We have the ADM4 keys for these, plus the KIC and KID for 2 of them. The KIC and KID don’t work - again, they don’t seem to be running an OTA server. We can authenticate with the KIK and KID, but when we send the APDU over, it rejects it with a 0x6D00.
I appreciate that pySIM-shell doesn’t support ADM4, but I’ve hacked it to replace the 0x0A (ADM1) with 0x0D (ADM4), and it seems to be happy. If I use the wrong ADM4, it tells me it’s wrong. If I use the correct one, it doesn’t tell me I’m wrong.
So at this stage, all is well. I can move through the tree. A colleague has done something similar with an in-house tool and has managed to set an entry in the SST to enable a piece of functionality we need. This used the ADM4 key.
At this stage, pySIM seems to be the most flexible out there.
ShadySim hasn’t been updated for 12 years, and seems to be closely related to, or possibly an ancestor of pySIM.
The SIM card manufacturer tools are awful, even if we can get hold of them.
GlobalPlatformPro seems great, but requires ENC, MAC and DEC keys, which we don’t have access to. It’s predominantly used for SmartCards, not SIM cards.
TL;DR bit, and my main question:
The main sticking point I have at the moment is simply flashing my CAP file into my SIM card.
Given we don’t seem to have an OTA server or Card Manager, we only have the ADM1 or ADM4 keys, but no ENC, MAC and DEK keys, are we completely out of luck?
Is it possible to flash an applet with just the ADM key? And is it possible to do it using pySIM-shell?
Thanks.
Pete.
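The DELETE APDU broken down in the post is a plain ISO 7816 command header followed by a GlobalPlatform TLV, and the 6D00 the cards return is an ISO 7816-4 status word. The Python below is an added example (it is not the poster's toolchain and not pySIM code) that decodes such an APDU into its fields, rebuilds it from an AID, and maps the status words mentioned in the thread to their ISO/GP meanings. It treats tag 4F as the GlobalPlatform AID tag that the DELETE command data field uses; the AID in the sample is a constructed placeholder standing in for the post's xxxxxxxxxx, not a registered AID.

```python
"""Decode/encode the GlobalPlatform DELETE APDU discussed in the post.

Added example, not code from the original post or from pySIM.
"""
from dataclasses import dataclass

# Constructed sample: the post's first OTA line with its masked AID replaced
# by a placeholder AID (A000000000000001 is NOT a real applet AID here).
SAMPLE_APDU = "80E400800A4F08A000000000000001"

GP_CLA = 0x80        # GlobalPlatform proprietary class byte
INS_DELETE = 0xE4    # DELETE instruction
TAG_AID = 0x4F       # GP tag for an AID inside the DELETE data field
P2_DELETE_WITH_RELATED = 0x80  # delete object and related objects

# ISO 7816-4 / GlobalPlatform status words relevant to the thread.
STATUS_WORDS = {
    0x9000: "OK",
    0x6D00: "Instruction code not supported or invalid",
    0x6A88: "Referenced data not found",
    0x6982: "Security status not satisfied",
    0x6985: "Conditions of use not satisfied",
}


@dataclass
class DeleteCommand:
    cla: int
    ins: int
    p1: int
    p2: int
    aid: bytes


def parse_delete_apdu(hexstr: str) -> DeleteCommand:
    """Split a hex APDU into CLA/INS/P1/P2 and the AID carried in tag 4F."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 5:
        raise ValueError("APDU header (CLA INS P1 P2 Lc) incomplete")
    cla, ins, p1, p2, lc = raw[:5]
    data = raw[5:5 + lc]
    if len(data) != lc:
        raise ValueError(f"Lc says {lc} data bytes, only {len(data)} present")
    if cla != GP_CLA or ins != INS_DELETE:
        raise ValueError(f"not a GP DELETE command: CLA={cla:02X} INS={ins:02X}")
    # Data field is one TLV: 4F <len> <AID>
    if len(data) < 2 or data[0] != TAG_AID:
        raise ValueError("expected AID TLV with tag 4F")
    aid_len = data[1]
    aid = data[2:2 + aid_len]
    if len(aid) != aid_len or 2 + aid_len != lc:
        raise ValueError("AID length does not match Lc")
    if not 5 <= aid_len <= 16:
        raise ValueError("AID must be 5..16 bytes")
    return DeleteCommand(cla, ins, p1, p2, aid)


def is_valid_delete_apdu(hexstr: str) -> bool:
    """Convenience predicate: True if parse_delete_apdu accepts the string."""
    try:
        parse_delete_apdu(hexstr)
        return True
    except ValueError:
        return False


def build_delete_apdu(aid: bytes, p2: int = P2_DELETE_WITH_RELATED) -> str:
    """Rebuild the DELETE APDU (upper-case hex) for a given applet AID."""
    if not 5 <= len(aid) <= 16:
        raise ValueError("AID must be 5..16 bytes")
    data = bytes([TAG_AID, len(aid)]) + aid
    header = bytes([GP_CLA, INS_DELETE, 0x00, p2, len(data)])
    return (header + data).hex().upper()


def describe_sw(sw: int) -> str:
    """Human-readable meaning of a 16-bit status word."""
    return STATUS_WORDS.get(sw, f"unknown status word {sw:04X}")


if __name__ == "__main__":
    cmd = parse_delete_apdu(SAMPLE_APDU)
    print(f"CLA={cmd.cla:02X} INS={cmd.ins:02X} P1={cmd.p1:02X} "
          f"P2={cmd.p2:02X} AID={cmd.aid.hex().upper()}")
    print("rebuilt:", build_delete_apdu(cmd.aid))
    print("card said 6D00:", describe_sw(0x6D00))
```

A round trip through parse_delete_apdu and build_delete_apdu is a quick sanity check on an OTA file before anything is sent to a card: a 6D00 on a well-formed DELETE points at the card not exposing a GP command handler on that channel at all, rather than at a malformed APDU.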