Flashing applets to SIM card using pySIM-shell

Hi all.

Even though this is linked to my question about using a Hex ADM1 PIN, that thread is more about a “bug” (not a big bug). I’m hoping to scrape together enough time to sign up for, and configure gerrit so I can push my fix for that.

My question is hopefully more specific.

TL;DR at the bottom if you don’t care about specifics or history.


I’ve been programming for decades, but I’m a newcomer to Javacard and applets. I’m fine with the syntax of the language (I started using Java at 1.0a, pre-release). I’ve inherited a toolchain which compiles the Java, then converts it into a CAP file, ready for flashing.

We (before my time at my employer) did most of the work on Morpho SIMs which had a built-in Card Manager applet.

Up until now, the next part of the toolchain converts the CAP file into what we call an “OTA” file, which is just a series of PDUs that are sent to the card in 1 of 2 ways.

We would send the OTA file directly to the Card Manager, without using any ADM keys, and it would take the OTA file and spoof an OTA campaign.

The other way is we’d send the OTA file to an OTA server on the SIM card, secured with the KIC and KID keys.

The first line of this file is


Breaking that down, this is

80: Global Platform Command
E4: Delete
00: Only Command
80: Delete
0A: 10 bytes of data to follow
4F: Don’t know
08: 8 bytes of AID to follow
A00000xxxxxxxxxx: Aid to delete

(where xxx is the AID of our applet)

This has worked for years. The initial cards (Idemia) had the Card Manager. The next set of cards had OTA support (I believe), so we would switch from our custom auth to use OTA with KIC and KID.

We’ve just bought a much larger load of cards, and these are causing us problems…

They don’t have a card manager, they don’t seem to be running an OTA server, so we’ve got a stack of cards we can’t use. We use the KIC and KID to do the 0348 auth, but when we send the command to delete the existing applet, it rejects it with a 6D00. (Instruction code not supported or invalid)

What’s really distressing is they don’t seem to have a security domain AID, so GPPro looks at the SIM and just throws its hands up, as it can literally do nothing with them.

In parallel with this, we’re also trying to flash some Valid SIM cards, supplied by O2 in the UK. We have the ADM 4 keys for these, plus the KIC and KID for 2 of them. The KIC and KID don’t work - again, the don’t seem to be running an OTA server. We can authenticate with the KIK and KID, but when we send the APDU over, it rejects it with an 0x6D00

I appreciate that pySIM-shell doesn’t support ADM4, but I’ve hacked it to replace the 0x0A (ADM1) with 0x0D (ADM4), and it seems to be happy. If I use the wrong ADM4, it tells me it’s wrong. If I use the correct one, it doesn’t tell me I’m wrong.

So at this stage, all is well. I can move through the tree. A colleague has done something similar with an in-house tool and has managed to set an entry in the SST to enable a piece of functionality we need. This used the ADM4 key.

At this stage, pySIM seems to be the most flexible out there.

ShadySim hasn’t been updated for 12 years, and seems to be closely related to, or possibly an ancestor of pySIM.
The SIM card manufacturer tools are awful, even if we can get hold of them.
GlobalPlatformPro seems great, but requires ENC, MAC and DEC keys, which we don’t have access to. It’s predominantly used for SmartCards, not SIM cards.

TL;DR bit, and my main question:

The main sticking point I have at the moment is simply flashing my CAP file into my SIM card.

Given we don’t seem to have an OTA server or Card Manager, we only have the ADM1 or 4 keys, but no ENC,MAC and DEK keys, are we completely out of luck?

It it possible to flash an applet with just the ADM key? And is it possible to do it using pySIM-shell?



1 Like

The question cannot really be answered in a generic way. OS vendors might in theory have any number of proprietary ways to install applets onto cards. We have no idea, obviously.

The only standardized way to install are all via GlobalPlatform LOAD commands, which can be sent over SCP02, SCP03, SCP80 (SMS OTA) or SCP81 (HTTP TLS-PSK). In either of those cases you’d need the respective key materials that allow you to establish the respective SCP to the ISD.

At sysmocom we provide customers with the related keys for SCP80 and SCP02 for our SJA5 cards. If you need cards in bulk volume, pricing is much better than the 10packs.

SCP02+03 are now implemented in pySim, see the user manual. The LOAD command is not in master yet. For SCP80/OTA the library code is working and verified. Higher level application code I have in a branch I’m developing on; it will be submitted for code review once it is finished.

This is useful, thank you.

I think I must be missing something, somewhere.

We’ve got the 0348 keys for some of our cards (in fact all of our cards, except one O2 one which I have in my possession, which we were never sent). We’ve got them from Idemia, Thales, Valid & G&D, and all of them respond in the same way - as soon as we try the call to delete the existing applet from the card, they respond with 6D00. Even though we’ve authenticated with the KIK & KID via 0348.

If we could get hold of the K/OPC fields from the operators we’re working with, we could use your cards to clone theirs, to make sure that our product works, but that’s not a good test, as 99% of the issues we have with cards is that the SST’s not set up right, or the crypto libraries don’t work, or the general libraries are incorrect (e.g. R15 card with R8 libraries on it). Once the card is running, the applet is stable and always works.

I was just checking I’d not missed anything obvious. Thanks for your help anyway!

Out of interest, what do I need to do to get the Global Platform menu to appear in pySIM-shell?


You have to have to define a security domain as a sub-class of pySim.global_platform.CardApplicationSD and then that AID would have to exist on the card. This is currently only done for the ISD + ECASD in pySim/euicc.py. You’d have to do something similar for whatever SD you want to talk to on your card.

I haven’t yet studied if there’s some standardized method to enumerate all SDs, or at least figure out the AID of the ISD. If there was, one could automate the task.