I have a smart card reader and I want to get data from my SIM card. I've tried to send several APDU commands but I could not receive anything but the ATR. So if there is a possible way to access a SIM card, which APDU commands do I have to send?
-2
Can you show what commands you've tried so far? Also, not many people are familiar with APDU, so posting context helps to combat the inevitable downvote/close spree from people who don't immediately see how to produce an answer. – Jeroen Mostert Feb 24 '15 at 08:23
2 Answers
3
When talking about SIM cards, you need to refer to the 3GPP specification for APDU commands instead of ISO 7816. The APDU commands are listed in 3GPP TS 11.11, sections 8 and 9. The latest version is 8.14.0. Please note that the CLA byte is proprietary, i.e. using 0xA0.
Try to send a SELECT APDU command, with MF as the file identifier, as follows:
A0 A4 00 00 02 3F 00
You should get a 9FXX response.
If your card is a USIM, you can send APDU commands based on ETSI 102.221 and 3GPP 31.102, and 3GPP 51.011.

David
Are the APDU commands of a SIM card different from the APDU commands of a USIM? Can you refer me to the right specifications for both? What about OTA commands? Is there any specification that helps me in using OTA SMSs? – Jean Mar 14 '15 at 11:09
The APDU for SIM and USIM/UICC differs on the CLA ('A0' vs '00'/'80'). However, both are using similar INS. The OTA data is sent from the server to the SIM, for which the mobile phone uses the Envelope APDU (INS 'C2'). To understand OTA, you need to master the SMS specification (3GPP TS 23.040), and then the concatenated+secure messaging (3GPP TS 23.048). All specifications can be downloaded from 3GPP.org here: http://www.3gpp.org/specifications/specification-numbering – David Mar 14 '15 at 15:01
Thank you very much. Just another question: are the OTA keys specific to each SIM/USIM card, or are they typically specific per operator? I.e., does a single operator have a single OTA key for all of its users, or does it have different OTA keys for different users? (Typically) – Jean Mar 15 '15 at 06:56
I highly appreciate your time. Just another question. If I had the OTA keys of my SIM/USIM card, could I send OTA data from another phone to my SIM/USIM? Or is there no trick, and I must indubitably have access to the BTS server to be able to send this kind of data? – Jean Mar 15 '15 at 09:49
It is much easier if you send it from the server. If you want to send using another phone, then make sure that: 1. you know and you can build the SMS binaries according to the spec (usually using AT commands with the phone connected to a desktop PC; maybe it can be done using Android, but I haven't tried it), and 2. there is no checking of the incoming address (TP-OA) in the (U)SIM card. – David Mar 15 '15 at 22:20
2
T=0 is a peculiar protocol. It never sends a response beyond the standard SW1/SW2 unless explicitly asked for. This is accomplished via a GET RESPONSE command using the length from the previous SW1/SW2. For further information see ISO 7816, part 4.

Michael Roland

guidot
Yeah, I've tried that. I sent the GET RESPONSE command and received this response with success: 85 10 00 00 ? 00 8 00 00 00 01 00 01 00 00 00 00 m 90 00, I read that this is MF (Instruction byte). Now what do I have to do with these bytes? – BornForJava Feb 25 '15 at 06:41
So you are able to get the output of the card now. I guess that you gave the response to Select MF/Application, which does not contain much interesting stuff. Look in section 10 of the document linked by @David for existing files and their contents. – guidot Feb 25 '15 at 09:50
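The SELECT MF and GET RESPONSE sequence described in the two answers, as an added example that is not part of the original posts: it shows why a T=0 card appears to return "nothing" until the 9F XX status word is followed up. The names `select_apdu`, `exchange` and `FakeSim` are hypothetical, `FakeSim` and its 22-byte reply are constructed so the code runs without a reader, and the 61 XX branch (ISO 7816-4 cards) goes one step beyond the SIM case in the thread.

```python
SIM_CLA, INS_SELECT, INS_GET_RESPONSE = 0xA0, 0xA4, 0xC0   # GSM SIM class byte and INS codes


def select_apdu(file_id, cla=SIM_CLA):
    """SELECT by file identifier: 0x3F00 (MF) gives A0 A4 00 00 02 3F 00."""
    return [cla, INS_SELECT, 0x00, 0x00, 0x02, file_id >> 8, file_id & 0xFF]


def exchange(transmit, apdu, max_rounds=4):
    """Send one command over T=0 and collect its response data.

    transmit(apdu) -> (data, sw1, sw2), the shape pyscard's connection.transmit returns.
    9F XX (SIM) or 61 XX (ISO 7816-4) means XX bytes are waiting for GET RESPONSE.
    """
    data, sw1, sw2 = transmit(apdu)
    for _ in range(max_rounds):                      # bound the loop against a misbehaving card
        if sw1 not in (0x9F, 0x61):
            break
        more, sw1, sw2 = transmit([apdu[0], INS_GET_RESPONSE, 0x00, 0x00, sw2])
        data = data + more
    return data, sw1, sw2


class FakeSim:
    """Constructed stand-in for a T=0 SIM so the example runs without a reader."""
    MF_INFO = [0x00] * 4 + [0x3F, 0x00] + [0x00] * 16   # constructed 22-byte reply

    def __init__(self):
        self.pending, self.log = [], []

    def transmit(self, apdu):
        self.log.append(" ".join(f"{b:02X}" for b in apdu))
        if apdu[0] != SIM_CLA:
            return [], 0x6E, 0x00                    # wrong instruction class
        if apdu[1] == INS_SELECT:
            if apdu[5:7] != [0x3F, 0x00]:
                return [], 0x94, 0x04                # file ID not found
            self.pending = list(self.MF_INFO)
            return [], 0x9F, len(self.pending)       # data waits for GET RESPONSE
        if apdu[1] == INS_GET_RESPONSE and apdu[4] == len(self.pending) > 0:
            out, self.pending = self.pending, []
            return out, 0x90, 0x00
        return [], 0x6F, 0x00                        # anything else: generic error


if __name__ == "__main__":
    sim = FakeSim()
    data, sw1, sw2 = exchange(sim.transmit, select_apdu(0x3F00))
    print(sim.log, f"{len(data)} bytes, SW={sw1:02X}{sw2:02X}")
```

With a real reader, pass pyscard's `connection.transmit` in place of `sim.transmit`.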