
I've patched Android with SEEK for the Galaxy S3 and after some struggle I'm now able to send APDUs to the SIM card and get proper responses.

I want to place my own applet inside the SIM, but since there is no way we can get the access to do so, I started to wonder if there is any way we can issue a Java Card to work like a SIM card. All I need is a Java Card that the phone can't distinguish from a SIM; no network coverage is needed, and I know it is almost impossible to create a SIM that works OK with the operator and gives network coverage.

The reason for all this is that I need to send APDUs and work with my applet, but if I insert a Java Card instead of a SIM card in the GS3, it gives me no access at all.

So my question is this: is it possible to issue a Java Card so that it looks like a SIM to the phone (and not the operator)?

Or is it possible to change Android so that it gives the needed access when there is a Java Card in it, i.e. RIL works as usual?


EDIT

Okay, I think I'll try to issue a Java Card with the following properties:

First, it will have an auto-selected applet (default applet) that from now on will be called fake-UICC.
Second, in fake-UICC we'll emulate the file system of the UICC (according to http://www.in2eps.com/fo-uicc/tk-fo-uicc-mf.html).
Third, since a different class is used for SIM APDUs (0xA0), all APDUs sent from RIL will be directed to fake-UICC by the JCRE, since class+instruction is not recognized by a normal Java Card; e.g. 0xA0A4 is SELECT for SIM but 0x00A4 is the SELECT command for Java Card.
In the last step, we will try to send exactly the same responses a real SIM would send to each APDU.

Maybe it won't work but I think it's worth a try.

MFA
  • May I ask you to tell me how you sent APDUs to your SIM card in your Galaxy S3? I have the same handset, and I want to do it also. (It's better to help me [here](http://chat.stackoverflow.com/rooms/82615/send-apdu-to-sim-card-in-android).) Thanks in advance. –  Jul 07 '15 at 14:17
  • It seems I can't use that chat menu yet, more rep is needed. – MFA Jul 08 '15 at 09:25
  • Any progress with your fake UICC? – vojta Jul 27 '15 at 06:31
  • Dear @vojta, actually there's been some progress and it's now possible to send APDUs to our fake UICC. With special thanks to you and Abraham. I will now try to do the same thing with a dual-SIM phone; if you have any suggestions on that, I'd really appreciate it. – MFA Jul 29 '15 at 11:24

2 Answers

The SIM card (UICC) accessed through SEEK is not the only secure element you can use in your cellphone.

On the market there are other Java Card solutions, mostly based on the microSD slot (provided e.g. by GoTrust or Feitian Technologies), which you should be able to access through SEEK.

Some cellphones (the Galaxy S3 is not this case, unfortunately) are equipped with a special secure element slot, into which you can insert a common smart card (mostly by Oberthur) and access it through SEEK (see http://www.nfcworld.com/technology/embedded-secure-element-ese/ for some devices with this feature).

There is an interesting article about SE options: http://nelenkov.blogspot.cz/2012/08/accessing-embedded-secure-element-in.html

If you know some other vendors offering microSD Java Card products, please write them down in comments and I will add them to my post. This answer is not supposed to be any advertisement for the companies mentioned above.

vojta
  • Thanks vojta for answering. You said there are some cellphones that have a smart card slot in them. Is there a link that lists these phones, or can you name one that you know will work? (tested yourself or have seen others' test results) – MFA Jul 08 '15 at 09:42
  • Dear Vojta, can't the questioner simulate a UICC file system with a Java Card applet? (Implement ETSI and GSM files inside an applet) and use the simple Java Card instead of a SIM card? – Ebrahim Ghasemi Jul 08 '15 at 10:58
  • @Abraham Interesting... It could not work, however. Java Card AIDs are longer than the AIDs of files on a UICC... And you could not use it for calling, of course, which might be a problem :-) – vojta Jul 08 '15 at 11:19
  • I didn't mean to simulate each UICC file with one Java Card applet. I meant to write an applet and make it default selected and, inside that applet, implement UICC files with switch cases, for example. If that is not possible either, can't we use a card that supports partial AID selection to simulate the UICC? I mean, if the first two bytes of the JC applets' AIDs are equal to the UICC file IDs, then when the handset sends a SELECT command, it is treated as a partial AID select command... Is it possible? Surely we can't call with that simulated card. – Ebrahim Ghasemi Jul 08 '15 at 11:33
  • Dear @Abraham, thanks for your comment, interesting idea indeed. If I'm not mistaken, there are two main differences between a SIM and a normal Java Card: first is the class ('cla = 0xA0') and some instructions in sending APDUs, and second is the file system available on the UICC, which as far as I know is not normally present on Java Cards. I think some crypto standards are not present in Java Cards either, but for my purpose that's not really important. So first of all, are there any more differences between these cards, and second, is it possible to somehow overcome these differences? – MFA Jul 08 '15 at 20:16
  • @MFA You're welcome, I don't know any further difference. _Can we overcome ..._ Well, I think the answer is yes, but I'm waiting for Vojta's answer to my previous comment. He really knows more than me in this field. – Ebrahim Ghasemi Jul 09 '15 at 06:10
  • Vojta, I'm waiting for your answer, please give your opinion. If I write an applet and make it the default application on the card, will I get all APDUs sent to the Java Card with class '0xA0'? If the answer is yes, is it possible to simulate a SIM in this applet like @Abraham suggested? – MFA Jul 09 '15 at 10:32
  • Dear Vojta, I'm still waiting for your opinion – MFA Jul 13 '15 at 13:19
  • @Abraham There are several applets present on a SIM card: one for GSM communication, one for 3G communication (USIM), etc. I do not know what happens in the phone's OS if the GSM application is not found - it might ignore the UICC completely (so you could not access it through SEEK either, because SEEK translates your APDUs to OS commands - the SIM slot is not a common smartcard reader). I honestly cannot say if all these obstacles are possible to overcome or not, but I would like to discourage you (and MFA) from these attempts. It will be difficult, time-consuming and probably with no useful results. – vojta Jul 13 '15 at 21:37
  • @MFA see my comment above – vojta Jul 14 '15 at 06:54
  • @Abraham: can you post your comment as an answer so that I can mark it and close this thread? And again, thank you all for your help. – MFA Aug 08 '15 at 06:45

Well, actually I'm not sure if this solution works or not, and as dear @Vojta mentioned in the comments under his answer, I would like to discourage people from the following attempts. It will be difficult, time-consuming and probably with no useful results. He knows a lot more than me in this field.

Anyway, as you wanted, I have posted my suggestion:

Each file in the file system of the SIM/USIM card is linked to a hexadecimal number as its address (AID). These AIDs are defined in the GSM and ETSI standards (GSM 11.11, for example). You can write some Java Card applets to simulate that file system.

As SIM/USIM cards' AIDs are shorter than Java Card AIDs, you might need to choose a Java Card that supports partial AID selection and use this capability to refer incoming commands to their associated applet.

I think you can also simulate the whole file system inside a single applet and then make that applet the default selected applet.

If you had any success with this solution, please inform us. :)

Ebrahim Ghasemi
  • It was successful in my case (for the GS3). The issued Java Card has an auto-select app which handles all APDUs sent to it and responds as a real SIM would. – MFA Aug 08 '15 at 07:41
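As an added illustration of the single-applet approach described in the question's EDIT and in this answer (this is editor-added example code, not code from the question, from either answer, or from MFA's working card), the model below shows what such a default-selected applet has to do to answer SIM-class APDUs: reject any class other than 0xA0, keep a current DF/EF, implement SELECT by two-byte file ID with the GSM 11.11 "9F xx, then GET RESPONSE" convention, and enforce the file's own access conditions on READ BINARY. It is written in Python so it runs on a PC; on a real card the same dispatch would sit in the applet's process() method. The file tree, the file headers (simplified to the GSM 11.11 9.2.1 layout), the ICCID/IMSI bodies, the PIN and the status words chosen for each error are assumptions and constructed sample values, and only four instructions are modelled; a real handset exercises many more.

```python
# Model of the "fake-UICC" idea from the question's EDIT and the last answer: one
# default-selected applet receives every GSM 11.11 class 0xA0 APDU and answers from
# an emulated MF/DF/EF tree. Constructed example: bodies, headers and PIN are made up.

CLA_GSM = 0xA0                                   # SIM command class (GSM 11.11)
INS_VERIFY_CHV, INS_SELECT, INS_READ_BINARY, INS_GET_RESPONSE = 0x20, 0xA4, 0xB0, 0xC0
MF, DF_TELECOM, DF_GSM, EF_ICCID, EF_IMSI = 0x3F00, 0x7F10, 0x7F20, 0x2FE2, 0x6F07

# fid -> (kind, parent, body, access bytes 9-11 of the GSM 11.11 file header).
# High nibble of the first access byte is the READ condition: 0 = ALW, 1 = CHV1.
FILES = {
    MF:         ("MF", None,   None, None),
    DF_TELECOM: ("DF", MF,     None, None),
    DF_GSM:     ("DF", MF,     None, None),
    EF_ICCID:   ("EF", MF,     bytes.fromhex("98100000000000000001"), b"\x0f\x00\x44"),
    EF_IMSI:    ("EF", DF_GSM, bytes.fromhex("080910100000000010"),   b"\x14\x00\x44"),
}
CHV1 = bytes.fromhex("31323334FFFFFFFF")          # sample PIN "1234", FF-padded

def build(ins, p1, p2, p3, data=b""):
    """GSM 11.11 APDU: CLA INS P1 P2 P3 [data]; P3 is Lc or Le depending on INS."""
    return bytes([CLA_GSM, ins, p1, p2, p3]) + data

def select(fid):
    return build(INS_SELECT, 0, 0, 2, fid.to_bytes(2, "big"))

class FakeUicc:
    def __init__(self):
        self.cur_df, self.cur_ef, self.chv1_ok = MF, None, False
        self.pending = b""                       # data for the next GET RESPONSE

    def process(self, apdu):
        """Return response data followed by the two status bytes SW1 SW2."""
        cla, ins, p1, p2, p3 = apdu[:5]
        data = apdu[5:]
        if cla != CLA_GSM:
            return b"\x6e\x00"                   # wrong instruction class
        if ins == INS_SELECT:
            if len(data) != 2:
                return b"\x67\x00"               # incorrect P3
            return self._select(int.from_bytes(data, "big"))
        if ins == INS_GET_RESPONSE:
            out, self.pending = self.pending[:p3], b""
            return out + b"\x90\x00"
        if ins == INS_READ_BINARY:
            return self._read_binary((p1 << 8) | p2, p3)
        if ins == INS_VERIFY_CHV and p2 == 0x01:  # retry counter omitted
            self.chv1_ok = data == CHV1
            return b"\x90\x00" if self.chv1_ok else b"\x98\x04"
        return b"\x6d\x00"                       # unknown instruction code

    def _reachable(self, fid):
        # GSM 11.11 7.1: MF, current DF, its parent, its children, sibling DFs
        kind, parent = FILES[fid][:2]
        grand = FILES[self.cur_df][1]
        return (fid in (MF, self.cur_df, grand) or parent == self.cur_df
                or (kind == "DF" and parent == grand))

    def _select(self, fid):
        if fid not in FILES or not self._reachable(fid):
            return b"\x94\x04"                   # file ID not found
        if FILES[fid][0] == "EF":
            self.cur_ef = fid
        else:
            self.cur_df, self.cur_ef = fid, None
        self.pending = self._header(fid)
        return bytes([0x9F, len(self.pending)])  # SIM style: fetch with GET RESPONSE

    def _header(self, fid):
        """Simplified SELECT response in the GSM 11.11 9.2.1 layout."""
        kind, _, body, access = FILES[fid]
        if kind == "EF":                         # type 04, status 01, transparent
            return (b"\x00\x00" + len(body).to_bytes(2, "big") + fid.to_bytes(2, "big")
                    + b"\x04\x00" + access + b"\x01\x02\x00\x00")
        ftype = b"\x01" if kind == "MF" else b"\x02"
        return b"\x00\x00\x00\x00" + fid.to_bytes(2, "big") + ftype + b"\x00" * 6

    def _read_binary(self, offset, length):
        if self.cur_ef is None:
            return b"\x94\x00"                   # no EF selected
        body, access = FILES[self.cur_ef][2:]
        if access[0] >> 4 == 1 and not self.chv1_ok:
            return b"\x98\x04"                   # access condition not fulfilled
        if offset + length > len(body):
            return b"\x67\x00"                   # incorrect P3
        return body[offset:offset + length] + b"\x90\x00"

def phone_reads_imsi(pin=CHV1):
    """Run the SELECT/READ sequence a handset performs; return (imsi, trace)."""
    card, trace = FakeUicc(), []
    for apdu in (select(MF), select(DF_GSM), select(EF_IMSI),
                 build(INS_GET_RESPONSE, 0, 0, 15),
                 build(INS_READ_BINARY, 0, 0, 9),      # 98 04 until CHV1 is verified
                 build(INS_VERIFY_CHV, 0, 1, 8, pin),
                 build(INS_READ_BINARY, 0, 0, 9)):
        trace.append((apdu.hex(), card.process(apdu).hex()))
    last = bytes.fromhex(trace[-1][1])
    return (last[:-2] if last[-2:] == b"\x90\x00" else None), trace
```

The point of driving the emulator from the header it reports (the access bytes in FILES feed both the SELECT response and the READ BINARY check) is that a handset that parses the header will see the same CHV1 requirement it then runs into, which is the "respond exactly as a real SIM would" goal of the question's last step. Things a real phone also relies on and that this model leaves out include the STATUS/RUN GSM ALGORITHM commands, record-based files, the CHV retry counter and the GSM-specific tail of the DF header; vojta's warning about the phone possibly ignoring a card that lacks the expected GSM application still applies.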