-
8/13/2019 Sim Course3
1/57
-
8/13/2019 Sim Course3
2/57
-
8/13/2019 Sim Course3
3/57
I
6
6ATR
6PPS
OS
3OSROM
3FLASH
3
-
8/13/2019 Sim Course3
4/57
II
APDU
APDU
( SW1,SW2) APDU
A3/A8
-
8/13/2019 Sim Course3
5/57
1
1
GSM
GSM
Phase 1
GSM
CF1
CB2
3
1
-Call Forward2 -Call Barring3 -Roaming
-
8/13/2019 Sim Course3
6/57
2
2
Phase 2
1
SMS-PP1
SMS-CB2
CCF3
CW4
FAX , DATA
CLIP5
CLIR6
Phase 2+
2
STK
VPN7
SDN8
GPRS9
WAP10
(Advice of Charge)
SPN1
Dual IMSI
1 -Short Message Service-Point to Point2 -SMS Cell Broadcast3
-Call Conference4 -Call Waiting5 -Calling Line Identification
Presentation6 -Calling Line Identification Restriction7 -Virtual
Private Number8
-Service Dialing Number9 -General Packet Switch Service10
-Wireless Application Protocol
-
8/13/2019 Sim Course3
7/57
3
3
MicroController
1 -Service Provider Name
-
8/13/2019 Sim Course3
8/57
4
4
CPU1
OS
OS2
CPU
CPU
1 -Central Processing Unit2 -Operating System
-
8/13/2019 Sim Course3
9/57
5
5
CICS
CPU8051
CPU(Instruction)
Instruction8051
(Read Instruction)8051
RISC1
1 - Reduced Instruction Set Computer
-
8/13/2019 Sim Course3
10/57
6
6
CPUInstruction
ROM
Instruction
RISC
ROM1
ROM
OS
ROM
OSOS
OSROM
1 - Read Only Memory
-
8/13/2019 Sim Course3
11/57
7
7
OS
ROM
ROMOS
OS
OS
OSROM
CPU
ROM
RAM1
RAM
XRAM2
XRAMRAMCPU
Address BusData BusCPU
IRAM3
IRAMRAMCPU
CPUIRAM
1
-Random Access Memory2 -External RAM3 -Internal RAM
-
8/13/2019 Sim Course3
12/57
8
8
EEPROM
1
ROM
Vpp
Vpp
Vcc
Phone BookSMSBCCH2
UART
T0T1
T1T0Protocol
AsynchronousAsynchronousClock
9600bps (PPS Suppor)9600bps (PPS Suppor)Bit Rate
1 Bit1 Bit1 Bit
OptionalOptionalStop Bit
1 Bit1 BitParity Bit
Half DuplexHalf DuplexDirection
Block BasedCharacter BasedTransmition Type
T0T1
9600
bpsPPS
1 -Electrical Erasable ROM2 -Broadcast Common Control
Channel
-
8/13/2019 Sim Course3
13/57
9
9
100kbps
T0T1T0
T1
T0Reset
ATR
RNG1
PLL2
(Track)
BUS
BUSCPU
DATA BUS
word
CPUBUS
1 - Random Generator2
- Phase Lock Loop
-
8/13/2019 Sim Course3
14/57
10
10
Coprocessor
CPU
Coprocessor
Coprocessor
Crypto Processor
ISO
VppEEPROM
Vcc
GSM11.11
Vcc
-
8/13/2019 Sim Course3
15/57
11
11
GND
CLK
0015
1MHz10MHz.
RST
Reset
01.
I/O
9600 bps
Half Duplex
-
8/13/2019 Sim Course3
16/57
12
12
PluginETSI
ISOID-1ID-000
A10%(4.5-5.5) 5V
B10%(2.7-3.3) 3V
C10%1.8 V(1.62-1.96)
AB
C
Dual Voltage2.8V-5.5V
-
8/13/2019 Sim Course3
17/57
13
13
CLK-Stop mode
Operation mode
Operation1mA10mA
6
ATR
PPS
6ATR1
ATRReset
ATR
ATR
1 -Answer To Reset
-
8/13/2019 Sim Course3
18/57
14
14
ATR
Ts ( Initial Character)
ATR
ATRTs
-
8/13/2019 Sim Course3
19/57
15
15
TsAZZAAAAAAZ(3F)AZZAZZAAZ(3B)
0(Z)1
(A)Msb
0A1ZLsb
Msb
Ts
Ts
T0 ( Format Character)
T0
T0
-
8/13/2019 Sim Course3
20/57
16
16
b5b8TA(1)TD(1)b1
b4HistoricalATR
TA( i )TC( i)
GlobalSpecific
TA( 1)TB(1)
TC(1)TA(2)TB(2)GlobalTC(2)Specific
TTD(i-1)TA(i)TB(i)TC(i)Global
Specific
TA(1) -b5b8FIb1b4DI
fDFetu 1*1
FIDI
FIDI
-
8/13/2019 Sim Course3
21/57
17
17
TD(1) -EEPROM
Vpp0
b6b7I1b1b5PI1
EEPROM
TC(1)-(Guard Time)
TD(i) -
10TD
b5b8TA
(i+1)TD
(i+1)
b1b4T
T=0Half duplex
T=1Half duplex
T=2T=3
T=4Half duplex
-
8/13/2019 Sim Course3
22/57
-
8/13/2019 Sim Course3
23/57
19
19
6PPS1
fDFetu 1*1
1MHz
5 MHz
FD372
1
3.5712 MHz
Bps9600372
1*3571200
PPS9600
bps
ME Reset > SIM
< ATR TA1 ='94'
PPSS = 'FF'
PPS0= '10' PPS Request>
PPS1= '94'
PCK = '7B'
PPSS = 'FF'
< PPS Response PPS0= '10'
PPS1= '94'
PCK = '7B'
PPS
1 -& Protocol & Parameter Selection
-
8/13/2019 Sim Course3
24/57
20
20
6PPS
PPS
PPS
PPS
PPS
PPS
Reset
Reject
PPSResetReject
PPS
PPS
12PPS
-
8/13/2019 Sim Course3
25/57
-
8/13/2019 Sim Course3
26/57
22
22
PPS
OS
STK
Native
Native
STK
STKSDK1
1 -SIM Development Kit
-
8/13/2019 Sim Course3
27/57
23
23
STK
OTA
Application
Java
Native
Java
JavaJavaJava Applet
Java
Java
GSM
Java
Core
Issuer
Security
Domain
Application
1
(GSM)
Application
2
(Banking)
-
8/13/2019 Sim Course3
28/57
24
24
Java
3OSROM
OSC
ROMROM
OSROM
ROM
8
16K Native
32K (Native)
64K ( Java)
128
20
70
140
170
Q1 Q2 Q3 Q4 Q1 Q2
Million
cards
-
8/13/2019 Sim Course3
29/57
25
25
3FLASH
OSROM
OS
ROM
OSROM
OS
FLASHOS
LoaderROMLoader
I/OOS
FLASHOS
OSOS
ROM
OS
ROMOS
OS
OS
-
8/13/2019 Sim Course3
30/57
26
26
FLASH
OS
3
SMS
( ,PLMN,LOC,IMSI)OS
DOS
MF
DF2
EF
DF1
DF11
DF111 EF
DF12 ....
EF
EF EF
EF EF ....
-
8/13/2019 Sim Course3
31/57
27
27
MF1
PartitionDOS
MF3F 00
DF2
DF7F223
DF TELECOM :7F 10
ADN
(LND)(SMS)
DF GSM : 7F20
IMSILOCI
KcPLMN
DF DCS1800 : 7F21
DCS
GSM
GSM
DF GSMDCSDF DCS
1 - Master File2 - Dedicate File
-
8/13/2019 Sim Course3
32/57
28
28
EF1
MFDF
EF
FileTransparent
01
headerbodyheader
bodybodyheader
Linear Fixed
( body )
AND
Cyclic
1 - Elementary File
-
8/13/2019 Sim Course3
33/57
29
29
Linear Fixed
Linear Fixed
Transparent File
Header
Body Sequence
of bytes
Linear Fixed File
Header
Body Record 1
Record 2
Record n
Cyclic File
HeaderBody Record 1
Record 2
Record n
-
8/13/2019 Sim Course3
34/57
30
30
Level Access Condition
01
234to 1415
ALWaysCHV1
CHV2Reserved for GSM Future UseADMNEVer
AlwaysCHV1CHV2
PIN1PIN2
ADM
Never
Ki
.
EF ICCID
HLR
IMSI
IMSI
Check Bit
-
8/13/2019 Sim Course3
35/57
31
31
Identifier: '2FE2' Structure: transparent Mandatory
File size: 10bytes Update activity: low
Access Conditions:READ ALWAYSUPDATE NEVERINVALIDATE
ADMREHABILITATE ADM
Bytes Description M/O Length
1 - 10 Identification number M 10 bytes
EF ICCID
EF IMSI
IMSIIMSI
MMC(3)-MNC(2)-HLRID(2 to 4)-SN(6 to 8)
Identifier: '6F07' Structure: transparent MandatoryFile size:
9bytes Update activity: low
Access Conditions:READ CHV1UPDATE ADMINVALIDATE ADMREHABILITATE
CHV1
Bytes Description M/O Length
1 length of IMSI M 1byte
2 - 9 IMSI M 8bytes
EF IMSI
-
8/13/2019 Sim Course3
36/57
32
32
EFKC
KcA8Identifier: '6F20' Structure: transparent Mandatory
File size: 9bytes Update activity: high
Access Conditions:READ CHV1UPDATE CHV1INVALIDATE ADMREHABILITATE
ADM
Bytes Description M/O Length
1 - 8 Ciphering key Kc M 8bytes
9 Ciphering key sequence number n M 1byte
EF Kc
EF PLMNSel
Update
.Identifier: '6F30' Structure: transparent Optional
File size: 3n (n 8) bytes Update activity: low
Access Conditions:READ CHV1
UPDATE CHV1
INVALIDATE ADMREHABILITATE ADM
Bytes Description M/O Length
1 - 3 1stPLMN (highest priority) M 3bytes
22- 24 8thPLMN M 3bytes
25- 27 9thPLMN O 3bytes
(3n-2)-3n nth PLMN (lowest priority) O 3bytes
EF PLMNsel
-
8/13/2019 Sim Course3
37/57
33
33
EF HPLMN
Update
Location Update
Identifier: '6F31' Structure: transparent Mandatory
File size: 1byte Update activity: low
Access Conditions:READ CHV1
UPDATE ADMINVALIDATE ADMREHABILITATE ADM
Bytes Description M/O Length
1 Time interval M 1byte
EF HPLMN
EF SST
FDN1FDN
0
FDN
-
8/13/2019 Sim Course3
38/57
34
34
File size: X bytes, X 2 Update activity: low
Access Conditions:READ CHV1
UPDATE ADMINVALIDATE ADMREHABILITATE ADM
Bytes Description M/O Length
1 Services n1to n4 M 1byte
2 Services n5to n8 M 1byte
3 Services n9ton12 O 1byte
4 Services n13to n16 O 1byte
5 Services n17to n20 O 1byte
6 Services n21to n24 O 1byte
7 Services n25to n28 O 1byte
8 Services n29to n32 O 1byte
etc.X Services (4X-3) to (4X) O 1byte
-ServicesContents: Service n1: CHV1disable function
Service n2: Abbreviated Dialling Numbers (ADN)Service n3: Fixed
Dialling Numbers (FDN)Service n4: Short Message Storage
(SMS)Service n5: Advice of Charge (AoC)Service n6: Capability
Configuration Parameters (CCP)Service n7: PLMN selectorService n8:
RFUService n9: MSISDNService n10: Extension1Service n11:
Extension2
Service n12: SMS ParametersService n13: Last Number Dialled
(LND)Service n14: Cell Broadcast Message IdentifierService n15:
Group Identifier Level 1Service n16: Group Identifier Level
2Service n17: Service Provider NameService n18: Service Dialling
Numbers (SDN)Service n19: Extension3Service n20: RFUService n21:
VGCS Group Identifier List (EFVGCSand EFVGCSS)Service n22: VBS
Group Identifier List (EFVBSand EFVBSS)Service n23: enhanced
Multi-Level Precedence and Pre-emption ServiceService n24:
Automatic Answer for EmlppService n25: Data download via
SMS-CBService n26: Data download via SMS-PPService n27: Menu
selection
Service n28: Call controlService n29: Proactive SIMService n30:
Cell Broadcast Message Identifier RangesService n31: Barred
Dialling Numbers (BDN)Service n32: Extension4Service n33:
De-personalization Control KeysService n34: Co-operative Network
ListService n35: Short Message Status ReportsService n36: Network's
indication of alerting in the MSService n37: Mobile Originated
Short Message control by SIMService n38: GPRSService n39: Image
(IMG)Service n40: SoLSA (Support of Local Service Area)Service n41:
USSD string data object supported in Call ControlService n42: RUN
AT COMMAND command
Service n 43: User controlled PLMN Selector with Access
Technology
Service n44: Operator controlled PLMN Selector with Access
TechnologyService n45 HPLMN Selector with Access TechnologyService
n46: CPBCCH Information
-
8/13/2019 Sim Course3
39/57
35
35
Service n47: Investigation ScanService n48: Extended Capability
Configuration ParametersService n49: MExEService n50 RPLMN last
used Access Technology
EF SST
EF SPN
Identifier: '6F46' Structure: transparent Optional
File Size: 17 bytes Update activity: low
Access Conditions:READ ALWAYS
UPDATE ADMINVALIDATE ADMREHABILITATE ADM
Bytes Description M/O Length
1 Display Condition M 1byte
2 - 17 Service Provider Name M 16 bytes
EF SPN
EF Phase
112
22+STK
.Identifier: '6FAE' Structure: transparent Mandatory
File size: 1byte Update activity: low
Access Conditions:READ ALW
UPDATE ADMINVALIDATE ADMREHABILITATE ADM
Bytes Description M/O Length
1 SIM Phase M 1byte
EF Phase
-
8/13/2019 Sim Course3
40/57
36
36
EF BCCH
BCCH
Handover
Identifier: '6F74' Structure: transparent Mandatory
File size: 16bytes Update activity: high
Access Conditions:READ CHV1
UPDATE CHV1INVALIDATE ADMREHABILITATE ADM
Bytes Description M/O Length
1 - 16 BCCH information M 16 bytes
EF BCCH
EF loci
Update
Handover
Location Update Status, TMSI TIME,
TMSI, LAILAIMNCMCC
Identifier: '6F7E' Structure: transparent MandatoryFile size:
11bytes Update activity: high
Access Conditions:READ CHV1UPDATE CHV1INVALIDATE ADMREHABILITATE
CHV1
Bytes Description M/O Length
1 - 4 TMSI M 4bytes
5 - 9 LAI M 5bytes
10 TMSI TIME M 1byte
11 Location update status M 1byteEF Loci
-
8/13/2019 Sim Course3
41/57
37
37
EF AND
EF LND
FDN
AND
PIN2FDN
FDN
FDNPIN2
SMS
SMS
SMSP
SMSSMS
SMS
SDN
-
8/13/2019 Sim Course3
42/57
38
38
EF ACC
ACC
RACH
Identifier: '6F78' Structure: transparent Mandatory
File size: 2bytes Update activity: low
Access Conditions:READ CHV1UPDATE ADMINVALIDATE ADMREHABILITATE
ADM
Bytes Description M/O Length
1 - 2 Access control classes M 2bytes
(SW1,SW2)
(Application Protocol Data Unit) APDU
-
8/13/2019 Sim Course3
43/57
39
39
COMMAND INS P1 P2 P3 S/R
SELECT 'A4' '00' '00' '02' S/RSTATUS 'F2' '00' '00' lgth R
READ BINARY 'B0' offset high offset low lgth RUPDATE BINARY 'D6'
offset high offset low lgth SREAD RECORD 'B2' rec No. mode lgth
RUPDATE RECORD 'DC' rec No. mode lgth SSEEK 'A2' '00' type/mode
lgth S/RINCREASE '32' '00' '00' '03' S/R
VERIFY CHV '20' '00' CHV No. '08' SCHANGE CHV '24' '00' CHV No.
'10' SDISABLE CHV '26' '00' '01' '08' SENABLE CHV '28' '00' '01'
'08' SUNBLOCK CHV '2C' '00' see note '10' S
INVALIDATE '04' '00' '00' '00' -
REHABILITATE '44' '00' '00' '00' -
RUN GSMALGORITHM
'88' '00' '00' '10' S/R
SLEEP 'FA' '00' '00' '00' -
GET RESPONSE 'C0' '00' '00' lgth RTERMINAL PROFILE '10' '00'
'00' lgth SENVELOPE 'C2' '00' '00' lgth S/RFETCH '12' '00' '00'
lgth RTERMINAL
RESPONSE'14' '00' '00' lgth S
NOTE If the UNBLOCK CHV command applies to CHV1then P2is coded
'00'; if it appliesto CHV2then P2is coded '02'.
APDU
A command APDU has the following general format
ME ---------------- > SIM
CLA INS P1 P2 P3 Data
-
8/13/2019 Sim Course3
44/57
40
40
CLACLA
GSMA0
INS
P3P2P1P3
MESIMP3 = 00
SIMMEP3 = 00
APDU
SW1SW2Status
Read Binary
Status
The response APDU has the following general format
SIM ------------------>> ME
Data SW1 SW2
SELECT
MFDFEFSELECTEF
DFDFEF
-
8/13/2019 Sim Course3
45/57
41
41
MF
MFDF
CHV
EF
EF
STATUS
DFEF
SELECTSTATUS
Pro-activeSTK
READ BINARY
Transparent EF
UPDATE BINARY
Transparent
READ RECORD
-
8/13/2019 Sim Course3
46/57
42
42
Linear FixedCyclic
UPDATE RECORD
Linear FixedCyclic
READ RECORDUPDATE RECORD
Absolute )((Current, Next, Previous )
SEEK
Linear Fixed
READ
INCREASE
Cyclic
INCREASECyclicME
FF
-
8/13/2019 Sim Course3
47/57
43
43
VERIFY CHV
MECHVCHV
MESIM
CHV
CHANGE CHV
CHV
CHV
ENABLE CHV
CHV
CHVCHV
DISABLECHV
CHV
CHVCHV
CHV1CHV2
ADM
UNBLOCK CHV
-
8/13/2019 Sim Course3
48/57
44
44
CHV1CHV2
PUK1PUK2
PUK1PUK2
VERIFYCHVCHANGECHVENABLE CHV
DISABLECHVCHV
UNBLOCK CHV
INVALIDATE
INVALIDATE
REHABILITATE
RUN GSM ALGORITM
RAND
A8/ A3KiSRESKc
-
8/13/2019 Sim Course3
49/57
45
45
DF GSMCHV1
SLEEP
TERMINAL PROFILE
STK
STK
ENVELOPE
MESTKSIM
FETCH
STKDataME
TERMINAL RESPONSE
MESTKFETCH
STK
-
8/13/2019 Sim Course3
50/57
46
46
( SW1,SW2) APDU
ME
SW1SW2
Case 1: No input/ "OK" response with no output, plus additional
command
from SIMCLA INS P1 P2 P3 SW1 SW2
lgth (='00') '91' lgth1
[Possible "normal GSM operation" command/response pairs]
FETCH
CLA INS P1 P2 P3 DATA with length lgth1 SW1 SW2
lgth1 '90' '00'
NOTE: lgth1='00' causes a data transfer of 256bytes.
Case 2: No input/ "OK" response with data of known length, plus
additional
command from SIM
CLA
INS P1 P2 P3
DATA with length lgth
SW1
SW2
lgth '91' lgth1
[Possible "normal GSM operation" command/response pairs]
FETCH
CLA INS P1 P2 P3 DATA with length lgth1 SW1 SW2
lgth1
'90' '00'
NOTE: lgth='00' causes a data transfer of 256bytes. The same
applies to lgth1.
Case 3: No Input/ "OK" response with data of unknown length,
plus additional
command from SIMCLA INS P1 P2 P3 SW1 SW2
lgth (='00') '9F' lgth1
GET RESPONSE
CLA INS P1 P2 P3 DATA with length lgth2 lgth1SW1 SW2
lgth2 '91' lgth3
[Possible "normal GSM operation" command/response pairs]
FETCH
CLA INS P1 P2 P3 DATA with length lgth3 SW1 SW2
lgth3 '90' '00'
-
8/13/2019 Sim Course3
51/57
47
47
Case 4: Input/ "OK" response with no output data, plus
additional command
from SIMCLA INS P1 P2 P3 DATA with length lgth SW1 SW2
lgth '91' lgth1
[Possible "normal GSM operation" command/response pairs]
FETCH
CLA INS P1 P2 P3 DATA with length lgth1 SW1 SW2
lgth1 '90' '00'
Case 5: Input/ "OK" response with data of known or unknown
length, plus
additional command from SIM
CLA INS P1 P2 P3 DATA with length lgth SW1 SW2
lgth '9F' lgth1
GET RESPONSE
CLA INS P1 P2 P3 DATA with length lgth2 lgth1SW1 SW2
lgth2 '91' lgth3
[Possible "normal GSM operation" command/response pairs]
FETCH
CLA INS P1 P2 P3 DATA with length lgth3
SW1 SW2
lgth3 '90' '00'
.
SW1SW2
IMSI
Ki
AUCLocation
UpdateAUC
RAND
-
8/13/2019 Sim Course3
52/57
48
48
KiA3
SRES
KiRANDA3
SIM Authentication
Ki
Ki
Ki
-
8/13/2019 Sim Course3
53/57
49
49
KiRANDA8
KC
A3/A8
XOR
Comp 128-1
XOR
RANDSRESKi
KiA3/A8
Ki
A3/A8
Authentication Counter
Comp 128-2,3
-
8/13/2019 Sim Course3
54/57
50
50
Comp128-1
Comp128-2,3
Comp128-3Kiki
A3/A8Kc
DF GSM
A5/1A5/2Kc
-
8/13/2019 Sim Course3
55/57
51
51
ROM
FLASH
Per Personalization
SPN,
SDN, SMSP
ICC ID
IMSI
Ki
CHVADM
MSISDNHLR
IMSIKiAUC
-
8/13/2019 Sim Course3
56/57
52
52
CHV1
CHV2FDN
PUK2 , PUK1CHV1CHV2
ADM1ADM8
-
8/13/2019 Sim Course3
57/57
This document was created with Win2PDF available at
http://www.daneprairie.com.The unregistered version of Win2PDF is
for evaluation or non-commercial use only.
http://www.daneprairie.com/http://www.daneprairie.com/http://www.daneprairie.com/http://www.daneprairie.com/
