tomasz-lisowski/swsim

GSM SIM: MS fails to update files after authentication

laf0rge opened this issue · 6 comments

I now have swsim at a point where a legacy 2G-only MS will get all the way up to (successful) authentication. Next, the MS tries to UPDATE BINARY on EF.Kc, EF.LOCI and EF.BCCH. Those three all fail with 6d00 (unknown instruction code). As a result, the network thinks the MS is successfully registered, but the MS thinks not. Any subsequent paging or other transaction fails.

Could you list the APDUs sent by the MS to perform UPDATE BINARY? I suspect this is simply because I didn't implement UPDATE BINARY in the A0 class (right now UPDATE BINARY exists only in the 00, 40, 60, and interindustry classes).

swsim/src/apduh.c

Lines 1365 to 1372 in 5d951ae

/* ETSI + 3GPP */
if ((cmd->hdr->cla.raw & 0xF0) == 0x00 ||
    (cmd->hdr->cla.raw & 0xF0) == 0x40 ||
    (cmd->hdr->cla.raw & 0xF0) == 0x60)
{
    ret = apduh_3gpp_bin_update(swicc_state, cmd, res,
                                procedure_count);
}

It just uses the normal UPDATE BINARY like a0 d6 00 00 09 ff ff ff fe ff ff ff f2 06 / 90 00 as an example for EF.Kc.

I've added a related patch for UPDATE BINARY support to my branch/PR.
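To make the class-byte problem concrete, here is an added example (not swsim's code, and not the patch from the PR above): a minimal command-APDU parser and an UPDATE BINARY dispatcher that uses the same 0x/4x/6x class test as the quoted snippet, answers the A0-class EF.Kc command from the thread with 6D00 when the GSM 11.11 class is not dispatched, and accepts it once A0 is recognised. All names (apdu_t, dispatch_update_binary, run_kc_update, the SW_ constants) are hypothetical; the sample APDU is the one quoted for EF.Kc.

```c
/* Added example, not code from swsim. Shows why an A0-class UPDATE BINARY
 * is answered 6D00 when only the 00/40/60 classes are dispatched, and what
 * happens once the GSM 11.11 class byte A0 is accepted as well. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define INS_UPDATE_BINARY     0xD6
#define SW_OK                 0x9000
#define SW_WRONG_LENGTH       0x6700
#define SW_WRONG_P1P2         0x6B00
#define SW_INS_NOT_SUPPORTED  0x6D00   /* "unknown instruction code" */

typedef struct {
    uint8_t cla, ins, p1, p2, lc;
    const uint8_t *data;   /* lc bytes, pointing into the caller's buffer */
} apdu_t;

/* Parse a case-3 command APDU (5-byte header followed by Lc data bytes). */
static int apdu_parse(const uint8_t *buf, size_t len, apdu_t *out)
{
    if (len < 5) return -1;
    out->cla = buf[0]; out->ins = buf[1];
    out->p1 = buf[2];  out->p2 = buf[3]; out->lc = buf[4];
    if (len != 5u + out->lc) return -1;        /* truncated or trailing bytes */
    out->data = buf + 5;
    return 0;
}

/* Same class test as the swsim snippet: 0x, 4x and 6x are ETSI/3GPP classes. */
static int cla_is_etsi_3gpp(uint8_t cla)
{
    uint8_t hi = cla & 0xF0;
    return hi == 0x00 || hi == 0x40 || hi == 0x60;
}

/* GSM 11.11 uses the fixed class byte A0 for every SIM command. */
static int cla_is_gsm(uint8_t cla) { return cla == 0xA0; }

/* Write cmd->data at offset P1P2 of a transparent EF held in ef[ef_len].
 * With gsm_cla_supported == 0 this behaves like the quoted snippet and
 * answers an A0-class command with 6D00. */
static uint16_t dispatch_update_binary(const apdu_t *cmd, int gsm_cla_supported,
                                       uint8_t *ef, size_t ef_len)
{
    if (cmd->ins != INS_UPDATE_BINARY) return SW_INS_NOT_SUPPORTED;
    if (!cla_is_etsi_3gpp(cmd->cla) &&
        !(gsm_cla_supported && cla_is_gsm(cmd->cla)))
        return SW_INS_NOT_SUPPORTED;
    size_t off = ((size_t)cmd->p1 << 8) | cmd->p2;   /* P1P2 = byte offset */
    if (off + cmd->lc > ef_len) return SW_WRONG_P1P2;
    memcpy(ef + off, cmd->data, cmd->lc);
    return SW_OK;
}

/* The EF.Kc UPDATE BINARY quoted in the thread: 8 bytes Kc + 1 byte CKSN. */
static const uint8_t kc_update_apdu[] = {
    0xa0, 0xd6, 0x00, 0x00, 0x09,
    0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xf2, 0x06
};

/* Run the quoted APDU against a zeroed 9-byte EF.Kc; returns the status word. */
static uint16_t run_kc_update(int gsm_cla_supported, uint8_t ef_kc[9])
{
    apdu_t cmd;
    memset(ef_kc, 0, 9);
    if (apdu_parse(kc_update_apdu, sizeof kc_update_apdu, &cmd) != 0)
        return SW_WRONG_LENGTH;
    return dispatch_update_binary(&cmd, gsm_cla_supported, ef_kc, 9);
}

int main(void)
{
    uint8_t ef_kc[9];
    printf("without A0 support: SW=%04X\n", run_kc_update(0, ef_kc));
    printf("with A0 support:    SW=%04X, CKSN=%02X\n",
           run_kc_update(1, ef_kc), ef_kc[8]);
    return 0;
}
```

Running it prints SW=6D00 for the first call and SW=9000 with CKSN=06 for the second, which is exactly the before/after of the class check described in the issue; the length check in apdu_parse is there because a rejected-length APDU should be answered 6700 rather than silently partially applied.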

edbek commented

Colleagues, is it possible to give a file system (gsm.json or in another format) which would be authenticated in the GSM network?
With the current gsm.json file from swsim, my authentication fails.

Thank you in advance

@edbek, did you make sure to configure your (private GSM) network to use the same Ki as swsim (for the same IMSI)? Did you make sure to configure your network to COMP128v1? If so, but you still get auth failure, please provide the APDU of the RUN GSM ALGORITHM command (and its response), as well as the Ki (if it's not confidential).

edbek commented

I'm in a situation where I'm not even getting into the authentication process itself yet.

My GSM modem probes the swsim file system (gsm.json), but for some reason it doesn't come out to read the Kc key and to request authentication (the RUN GSM ALGORITHM command is missing).
The GSM modem doesn't like something in the swsim file system (gsm.json).

@edbek it would help tremendously if you would include the APDU log. Which file is the last one the MS selects/reads? Likely that file's contents are to be blamed. This is how I debugged and fixed #6 and #7, whose fixes were just merged to master. Also, best to create a separate issue, as it is unrelated to this one.