kernelvm #12 でのハッピです。

3. 💸

11. $ pcsc_scan
PC/SC device scanner
V 1.4.23 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.11
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto PC Twin Reader 00 00
Wed Oct 5 21:45:38 2016
Reader 0: Gemalto PC Twin Reader 00 00
Card state: Card inserted,
ATR: 3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C
ATR: 3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C
+ TS = 3B --> Direct Convention
+ T0 = 9D, Y(1): 1001, K: 13 (historical bytes)
TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
TD(2) = 3F --> Y(i+1) = 0011, Protocol T = 15 - Global interface bytes following
-----
TA(3) = C7 --> Clock stop: no preference - Class accepted by the card: (3G) A 5V B 3V C 1.8V
TB(3) = A0 -->
+ Historical bytes: 80 31 A0 73 BE 21 13 51 05 83 05 90 00
Category indicator byte: 80 (compact TLV data object)
Tag: 3, len: 1 (card service data byte)
Card service data byte: A0
- Application selection: by full DF name
- BER-TLV data objects available in EF.DIR
- EF.DIR and EF.ATR access services: by GET RECORD(s) command
- Card with MF
Tag: 7, len: 3 (card capabilities)
Selection methods: BE
- DF selection by full DF name
- DF selection by path
- DF selection by file identifier
- Implicit DF selection
- Short EF identifier supported
- Record number supported
Data coding byte: 21
- Behaviour of write functions: proprietary
- Value 'FF' for the first byte of BER-TLV tag fields: invalid
- Data unit in quartets: 2
Command chaining, length fields and logical channels: 13
- Logical channel number assignment: by the card
- Maximum number of logical channels: 4
Tag: 5, len: 1 (card issuer's data)
Card issuer data: 05
Tag: 8, len: 3 (status indicator)
LCS (life card cycle): 05 (Operational state (activated))
SW: 9000 (Normal processing.)
+ TCK = 7C (correct checksum)
Possibly identified card (using /home/sim-user/.cache/smartcard_list.txt):
3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C
NTT docomo Xi(LTE) DN05(DNP) Pink SIM (Telecommunication)

12. - Maximum number of logical channels: 4
Tag: 5, len: 1 (card issuer's data)
Card issuer data: 05
Tag: 8, len: 3 (status indicator)
LCS (life card cycle): 05 (Operational state (activated))
SW: 9000 (Normal processing.)
+ TCK = 7C (correct checksum)
Possibly identified card (using /home/sim-user/.cache/smartcard_list.txt):
3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C
NTT docomo Xi(LTE) DN05(DNP) Pink SIM (Telecommunication)

14. thanks!!

18. 3GPP
3GPP TS 11.11 V8.14.0 (2007-06)118Release 1999
MF
'3F00'
DFGSM DFTELECOM DFIS-41 DFFP-CTS EFICCID EFELP
'7F20' '7F10' '7F22' '7F23' '2FE2' '2F05'
see GSM 11.19
EFADN EFFDN EFSMS EFCCP EFMSISDN
'6F3A' '6F3B' '6F3C' '6F3D' '6F40'
EFSMSP EFSMSS EFLND EFSMSR EFSDN
'6F42' '6F43' '6F44' '6F47' '6F49'
EFEXT1 EFEXT2 EFEXT3 EFBDN EFEXT4
'6F4A' '6F4B' '6F4C' '6F4D' '6F4E'
DFGRAPHICS EFIMG
'5F50' '4F20'
DFIRIDIUM DFGLOBST DFICO DFACeS
'5F30' '5F31' '5F32' '5F33'
DFEIA/TIA-553 DFCTS DFSoLSA EFSAI EFSLL
'5F40' '5F60' '5F70' '4F30' '4F31'
see GSM 11.19
DFMExE EFMExE-ST EFORPK EFARPK EFTPRPK
'5F3C' '4F40' '4F41' '4F42' '4F43'
EFLP EFIMSI EFKc EFPLMNsel EFHPPLMN EFACMmax
'6F05' '6F07' '6F20' '6F30' '6F31' '6F37'
EFSST EFACM EFGID1 EFGID2 EFPUCT EFCBMI
'6F38' '6F39' '6F3E' '6F3F' '6F41' '6F45'
EFSPN EFCBMID EFBCCH EFACC EFFPLMN EFLOCI
'6F46' '6F48' '6F74' '6F78' '6F7B' '6F7E'
EFAD EFPHASE EFVGCS EFVGCSS EFVBS EFVBSS
'6FAD' '6FAE' '6FB1' '6FB2' '6FB3' '6FB4'
EFeMLPP EFAAeM EFECC EFCBMIR EFNIA EFKcGPRS
'6FB5' '6FB6' '6FB7' '6F50' '6F51' '6F52'
EFLOCIGPRS EFSUME EFPLMNwAcT EFOPLMNwAcT EFHPLMNAcT EFCPBCCH
'6F53' '6F54' '6F60' '6F61' '6F62' '6F63'
EFINVSCAN
'6F64'
Figure 8: File identifiers and directory structures of GSM

19. ./pySim-read.py -p 0
Reading ...
8981100004402791051
440103152044102
SMSP: edffffffffffffffffffffffff07911809131056f2ffffffffffffa9
ACC: 0004
MSISDN: 07817040919843f3ffffffffffff
Done !
ICCID:
IMSI:

20. ./pySim-read.py -p 0
Reading ...
8981100004402791051
440103152044102
SMSP: edffffffffffffffffffffffff07911809131056f2ffffffffffffa9
ACC: 0004
MSISDN: 07817040919843f3ffffffffffff
Done !
ICCID:
IMSI:

22. 3GPP TS 11.11 V8.14.0 (200118se 1999
MF
'3F00'
FGSM DFTELECOM DFIS-41 DFFP-CTS EFICCID EFELP
F20' '7F10' '7F22' '7F23' '2FE2' '2F05'
see GSM 11.19
EFADN EFFDN EFSMS EFCCP EFMSISDN
'6F3A' '6F3B' '6F3C' '6F3D' '6F40'
EFSMSP EFSMSS EFLND EFSMSR EFSDN
'6F42' '6F43' '6F44' '6F47' '6F49'
EFEXT1 EFEXT2 EFEXT3 EFBDN EFEXT4
'6F4A' '6F4B' '6F4C' '6F4D' '6F4E'

23. 19 bytes
2bytes 2bytes 2bytes 12bytes 1byte
MII CC II 12bytes CS
89 81 10 000440279105 1

27. 3GPP TS 11.11 V8.14.0 (20118Release 1999
MF
'3F00'
DFGSM DFTELECOM DFIS-41 DFFP-CTS EFICCID EFELP
'7F20' '7F10' '7F22' '7F23' '2FE2' '2F05
see GSM 11.19
EFADN EFFDN EFSMS EFCCP EFMSISD
'6F3A' '6F3B' '6F3C' '6F3D' '6F40
EFSMSP EFSMSS EFLND EFSMSR EFSDN
'6F42' '6F43' '6F44' '6F47' '6F49
EFEXT1 EFEXT2 EFEXT3 EFBDN EFEXT4
'6F4A' '6F4B' '6F4C' '6F4D' '6F4E
DFGRAPHICS EFIMG
'5F50' '4F20'
EFADN EFFDN EFSMS EFCCP EFMSISD
'6F3A' '6F3B' '6F3C' '6F3D' '6F40
EFSMSP EFSMSS EFLND EFSMSR EFSDN
'6F42' '6F43' '6F44' '6F47' '6F49
EFEXT1 EFEXT2 EFEXT3 EFBDN EFEXT4
'6F4A' '6F4B' '6F4C' '6F4D' '6F4E
DFGRAPHICS EFIMG
'5F50' '4F20'
DFIRIDIUM DFGLOBST DFICO DFACeS
'5F30' '5F31' '5F32' '5F33'
DFEIA/TIA-553 DFCTS DFSoLSA EFSAI EFSLL
'5F40' '5F60' '5F70' '4F30' '4F31
see GSM 11.19
DFMExE EFMExE-ST EFORPK EFARPK EFTPRP
'5F3C' '4F40' '4F41' '4F42' '4F43
EFLP EFIMSI EFKc EFPLMNsel EFHPPLMN EFACMma
'6F05' '6F07' '6F20' '6F30' '6F31' '6F37
EFSST EFACM EFGID1 EFGID2 EFPUCT EFCBMI

28. ~ 16 bytes
3bytes 2 ~ 3bytes ~ 10bytes
MCC MNC MSIN
440 10 3152044102
HNI

32. Peer
Peer
Authenticator
Authenticator
EAP-Request/Identity
EAP-Response/Identity
EAP-Request/SIM/Start (AT_VERSION_LIST)
EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION)
EAP-Request/SIM/Challenge (AT_RAND, AT_MAC)
Peer runs GSM algorithms, verifies
AT_MAC and derives session keys
EAP-Response/SIM/Challenge (AT_MAC)
EAP-Success

34. Peer
Peer
Authenticator
Authenticator
EAP-Request/Identity
EAP-Response/Identity (Includes user’s NAI)
Server runs AKA algorithms,
generates RAND and AUTN.
EAP-Request/AKA-Challenge (AT_RAND, AT_AUTN, AT_MAC)
Peer runs AKA algorithms, verifies AUTN
and MAC, derives RES and session key
EAP-Response/AKA-Challenge (AT_RES, AT_MAC)
Server checks the given RES,
and MAC and finds them correct.
EAP-Success

39. COMMAND CLASS INS P1 P2 P3
INVALIDATE 'A0' '04' '00' '00' '00'
9.2.15 REHABILITATE
COMMAND CLASS INS P1 P2 P3
REHABILITATE 'A0' '44' '00' '00' '00'
9.2.16 RUN GSM ALGORITHM
COMMAND CLASS INS P1 P2 P3
RUN GSM
ALGORITHM
'A0' '88' '00' '00' '10'
Command parameters/data:
Byte(s) Description Length
1 - 16 RAND 16
Response parameters/data:
Byte(s) Description Length
1 - 4 SRES 4
5 - 12 Cipher Key Kc 8
The most significant bit of SRES is coded on bit 8 of byte 1. The most significant bit of Kc is coded on bit 8 of byte 5.
9.2.17 SLEEP
COMMAND CLASS INS P1 P2 P3
3GPP TS 11.11

41. $ cat /etc/freeradius/simtriplets.dat
# IMSI RAND SRES Kc
440103152044102,02bbdd69578d11057f3534539d61c3e1,9b93ab20,38a74d32f6334018
440103152044102,38279ae1b4ca5d63e93fcdbc2722b216,f8f9e5fe,9952db0411e0ac54
440103152044102,f35f71777ccfd21aec28913fc3fbe3bc,31452835,752a8baa96fa7dbf