
I'm sniffing the I/O line between a SIM card and an LTE module. I record a lot of data, but since there's only one line for command and response, I get a load of hex data with no boundaries in between. Is there any tool that can take that hex dump and parse it into commands and responses, and also tell which type of command it is and what it's doing?

vlp
Uzair Chughtai
  • What insight do you expect from a nice dump? I can't imagine it helps you to skip studying the GlobalPlatform specifications and ISO 7816-3, section T=0 protocol, anyway. I would guess most of the data is boring and the remainder either encrypted or in some way randomized. – guidot Oct 31 '17 at 20:23
  • That's the problem. It's just a dump. So I was wondering if there was a tool that could parse it into meaningful command and response pairs. Otherwise I would have to go through the dump and parse it manually, which would take a long time. – Uzair Chughtai Nov 01 '17 at 02:14

2 Answers


I dug through my archive for a program I wrote 15+ years ago and shared it on GitHub.

It analyzes T=0 communication as captured on the wire and has some basic APDU recognition (SIM only, no USIM).

Might be useful for you.

Good luck!

PS: There is a simtrace project, which might provide similar functionality.

Example input:

FF FF 3F 2F 00 80 69 AF 02 04 02 31 00 00 00 0E 
83 3E 9F 16 A0 A4 00 00 02 A4 3F 00 9F 16 A0 A4 
00 00 02 A4 2F E2 9F 0F A0 B0 00 00 0A B0 FF FF 
FF FF FF FF FF FF FF FF 90 00 A0 A4 00 00 02 A4 
7F 20 9F 16 A0 A4 00 00 02 A4 6F AE 9F 0F A0 B0 
00 00 01 B0 02 90 00 A0 A4 00 00 02 A4 6F 05 9F 
0F A0 C0 00 00 0F C0 85 0D 00 07 6F 05 04 00 01 
FF FF 03 02 00 00 90 00 A0 B0 00 00 05 B0 01 00 
03 02 04 90 00 A0 A4 00 00 02 A4 7F 20 9F 16 A0 
C0 00 00 16 C0 85 14 00 04 7F 20 02 00 00 FB FF 
03 09 99 00 12 04 00 83 8A 80 8A 90 00 A0 A4 00 
00 02 A4 6F 07 9F 0F A0 C0 00 00 0F C0 85 0D 00 
09 6F 07 04 00 1B FF 1B 03 02 00 00 90 00 A0 A4 
00 00 02 A4 3F 00 9F 16 A0 A4 00 00 02 A4 2F E2 
9F 0F A0 A4 00 00 02 A4 7F 20 9F 16 A0 A4 00 00 
02 A4 6F 31 9F 0F A0 B0 00 00 01 B0 FF 90 00 A0 
A4 00 00 02 A4 6F 16 94 04 A0 A4 00 00 02 A4 6F 
AD 9F 0F A0 C0 00 00 0F C0 85 0D 00 03 6F AD 04 
00 0B FF FF 03 02 00 00 90 00 A0 B0 00 00 03 B0 
00 FF FF 90 00 A0 A4 00 00 02 A4 6F 38 9F 0F A0 
C0 00 00 0F C0 85 0D 00 04 6F 38 04 00 1B FF FF 
03 02 00 00 90 00 A0 B0 00 00 04 B0 FF 3F FF 0F 
90 00 A0 A4 00 00 02 A4 6F 07 9F 0F

Example output:

---============-----------------------------------------------------------------
Garbage: FF FF

---============-----------------------------------------------------------------
ATR: 3F 2F 00 80 69 AF 02 04 02 31 00 00 00 0E 83 3E 9F 16

(*) ATR analyze
        Initial character TS=3F
                Inverse convention
        Format character T0=2F
                TB1 global interface character(s) defined
                15 historical characters present
        Global interface character TB1=00
        Historical characters: 80 69 AF 02 04 02 31 00 00 00 0E 83 3E 9F 16

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 3F 00 - (File 3F00)

SIM: 9F 16 - (SIM has response data with length 16)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 2F E2 - (File 2FE2)

SIM: 9F 0F - (SIM has response data with length 0F)

---============-----------------------------------------------------------------
ME: A0 B0 00 00 0A - (READ BINARY command)
SIM: B0 - (Ins echo)

(Processing command READ BINARY)

SIM: FF FF FF FF FF FF FF FF FF FF - (Data of file 2FE2 at offset 0000)

SIM: 90 00 - (Normal ending of the command)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 7F 20 - (File 7F20)

SIM: 9F 16 - (SIM has response data with length 16)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 6F AE - (File 6FAE)

SIM: 9F 0F - (SIM has response data with length 0F)

---============-----------------------------------------------------------------
ME: A0 B0 00 00 01 - (READ BINARY command)
SIM: B0 - (Ins echo)

(Processing command READ BINARY)

SIM: 02 - (Data of file 6FAE at offset 0000)

SIM: 90 00 - (Normal ending of the command)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 6F 05 - (File 6F05)

SIM: 9F 0F - (SIM has response data with length 0F)

---============-----------------------------------------------------------------
ME: A0 C0 00 00 0F - (GET RESPONSE command)
SIM: C0 - (Ins echo)

(Processing command GET RESPONSE)

SIM: 85 0D 00 07 6F 05 04 00 01 FF FF 03 02 00 00 - (SELECT response data)

SIM: 90 00 - (Normal ending of the command)

---============-----------------------------------------------------------------
ME: A0 B0 00 00 05 - (READ BINARY command)
SIM: B0 - (Ins echo)

(Processing command READ BINARY)

SIM: 01 00 03 02 04 - (Data of file 6F05 at offset 0000)

SIM: 90 00 - (Normal ending of the command)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 7F 20 - (File 7F20)

SIM: 9F 16 - (SIM has response data with length 16)

---============-----------------------------------------------------------------
ME: A0 C0 00 00 16 - (GET RESPONSE command)
SIM: C0 - (Ins echo)

(Processing command GET RESPONSE)

SIM: 85 14 00 04 7F 20 02 00 00 FB FF 03 09 99 00 12 04 00 83 8A 80 8A - (SELECT response data)

SIM: 90 00 - (Normal ending of the command)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 6F 07 - (File 6F07)

SIM: 9F 0F - (SIM has response data with length 0F)

---============-----------------------------------------------------------------
ME: A0 C0 00 00 0F - (GET RESPONSE command)
SIM: C0 - (Ins echo)

(Processing command GET RESPONSE)

SIM: 85 0D 00 09 6F 07 04 00 1B FF 1B 03 02 00 00 - (SELECT response data)

SIM: 90 00 - (Normal ending of the command)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 3F 00 - (File 3F00)

SIM: 9F 16 - (SIM has response data with length 16)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 2F E2 - (File 2FE2)

SIM: 9F 0F - (SIM has response data with length 0F)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 7F 20 - (File 7F20)

SIM: 9F 16 - (SIM has response data with length 16)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 6F 31 - (File 6F31)

SIM: 9F 0F - (SIM has response data with length 0F)

---============-----------------------------------------------------------------
ME: A0 B0 00 00 01 - (READ BINARY command)
SIM: B0 - (Ins echo)

(Processing command READ BINARY)

SIM: FF - (Data of file 6F31 at offset 0000)

SIM: 90 00 - (Normal ending of the command)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 6F 16 - (File 6F16)

SIM: 94 04 - (File ID not found / Pattern not found)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 6F AD - (File 6FAD)

SIM: 9F 0F - (SIM has response data with length 0F)

---============-----------------------------------------------------------------
ME: A0 C0 00 00 0F - (GET RESPONSE command)
SIM: C0 - (Ins echo)

(Processing command GET RESPONSE)

SIM: 85 0D 00 03 6F AD 04 00 0B FF FF 03 02 00 00 - (SELECT response data)

SIM: 90 00 - (Normal ending of the command)

---============-----------------------------------------------------------------
ME: A0 B0 00 00 03 - (READ BINARY command)
SIM: B0 - (Ins echo)

(Processing command READ BINARY)

SIM: 00 FF FF - (Data of file 6FAD at offset 0000)

SIM: 90 00 - (Normal ending of the command)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 6F 38 - (File 6F38)

SIM: 9F 0F - (SIM has response data with length 0F)

---============-----------------------------------------------------------------
ME: A0 C0 00 00 0F - (GET RESPONSE command)
SIM: C0 - (Ins echo)

(Processing command GET RESPONSE)

SIM: 85 0D 00 04 6F 38 04 00 1B FF FF 03 02 00 00 - (SELECT response data)

SIM: 90 00 - (Normal ending of the command)

---============-----------------------------------------------------------------
ME: A0 B0 00 00 04 - (READ BINARY command)
SIM: B0 - (Ins echo)

(Processing command READ BINARY)

SIM: FF 3F FF 0F - (Data of file 6F38 at offset 0000)

SIM: 90 00 - (Normal ending of the command)

---============-----------------------------------------------------------------
ME: A0 A4 00 00 02 - (SELECT command)
SIM: A4 - (Ins echo)

(Processing command SELECT)

ME: 6F 07 - (File 6F07)

SIM: 9F 0F - (SIM has response data with length 0F)
vlp
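As an added example (not vlp's program and not code from this page), the following Python does the part of the job the question asks about: it walks a convention-decoded T=0 byte stream, skips line noise before the ATR, parses the ATR interface-byte chain per ISO 7816-3, then frames each command by its procedure bytes (NULL, INS / INS^FF acknowledgements, SW1 SW2). Since the wire carries no direction marker, a GSM 11.11 instruction table decides whether the P3 bytes travel ME→SIM or SIM→ME; that table, the `Apdu` record and the excerpt of the question's dump embedded as `WIRE_DUMP` are this example's own assumptions.

```python
from dataclasses import dataclass

# GSM 11.11 instruction byte -> (name, where the P3 data bytes travel).
# "out": ME -> SIM, "in": SIM -> ME, "none": P3 is 00 and nothing moves.
# T=0 puts no direction marker on the wire, so this table (assumed here,
# not something the capture tells you) is what lets one line be split.
GSM_INS = {
    0xA4: ("SELECT", "out"),        0xF2: ("STATUS", "in"),
    0xB0: ("READ BINARY", "in"),    0xD6: ("UPDATE BINARY", "out"),
    0xB2: ("READ RECORD", "in"),    0xDC: ("UPDATE RECORD", "out"),
    0xA2: ("SEEK", "out"),          0x32: ("INCREASE", "out"),
    0x20: ("VERIFY CHV", "out"),    0x24: ("CHANGE CHV", "out"),
    0x2C: ("UNBLOCK CHV", "out"),   0x04: ("INVALIDATE", "none"),
    0x44: ("REHABILITATE", "none"), 0x88: ("RUN GSM ALGORITHM", "out"),
    0xC0: ("GET RESPONSE", "in"),   0x12: ("FETCH", "in"),
}

@dataclass
class Apdu:
    name: str
    header: bytes           # CLA INS P1 P2 P3 as sent by the ME
    data_out: bytes = b""   # ME -> SIM
    data_in: bytes = b""    # SIM -> ME
    sw: bytes = b""         # SW1 SW2
    nulls: int = 0          # 0x60 "wait" procedure bytes seen

def parse_atr(b, i):
    """Return (ATR bytes, index after it); TA/TB/TC/TD chaining per ISO 7816-3."""
    start = i
    if b[i] not in (0x3B, 0x3F):                # TS: direct or inverse convention
        raise ValueError("no ATR at offset %d" % i)
    y, k, protocols, i = b[i + 1] >> 4, b[i + 1] & 0x0F, [], i + 2
    while True:
        i += bin(y & 0x7).count("1")            # TAi/TBi/TCi present per bits 1-3 of Y
        if not y & 0x8:                         # bit 4: no TDi, chain ends
            break
        protocols.append(b[i] & 0x0F)           # TDi low nibble: offered protocol
        y, i = b[i] >> 4, i + 1
    i += k                                      # K historical bytes
    if any(t != 0 for t in protocols):          # TCK only when not T=0-only
        i += 1
    return bytes(b[start:i]), i

def split_t0(b):
    """Split a convention-decoded T=0 byte stream into (garbage, ATR, [Apdu])."""
    i = 0
    while i < len(b) and b[i] not in (0x3B, 0x3F):
        i += 1                                  # line noise before the ATR
    garbage = bytes(b[:i])
    atr, i = parse_atr(b, i)
    apdus = []
    while i + 5 <= len(b):
        ins, p3, header = b[i + 1], b[i + 4], bytes(b[i:i + 5])
        i += 5
        name, direction = GSM_INS.get(ins, ("INS %02X" % ins, "in"))  # unknown: assume SIM -> ME
        a = Apdu(name, header)
        # bytes still owed in the data phase; Le = 00 means 256 incoming bytes
        remaining = 0 if direction == "none" else (p3 or (256 if direction == "in" else 0))
        while i < len(b):
            pb, i = b[i], i + 1                 # procedure byte, always from the card
            if pb == 0x60:                      # NULL: card asks for more time
                a.nulls += 1
            elif pb in (ins, ins ^ 0xFF):       # ACK: transfer all remaining bytes, or one
                n = remaining if pb == ins else 1
                chunk, i, remaining = bytes(b[i:i + n]), i + n, remaining - n
                if direction == "out":
                    a.data_out += chunk
                else:
                    a.data_in += chunk
            elif (pb & 0xF0) in (0x60, 0x90):   # SW1 (0x60 itself was handled above)
                a.sw, i = bytes(b[i - 1:i + 1]), i + 1
                break
            else:
                raise ValueError("unexpected procedure byte %02X at offset %d" % (pb, i - 1))
        apdus.append(a)
    return garbage, atr, apdus

# Constructed input: bytes copied from the question's dump, one command per line for readability only.
WIRE_DUMP = """
FF FF 3F 2F 00 80 69 AF 02 04 02 31 00 00 00 0E 83 3E 9F 16
A0 A4 00 00 02 A4 3F 00 9F 16
A0 A4 00 00 02 A4 7F 20 9F 16
A0 C0 00 00 16 C0 85 14 00 04 7F 20 02 00 00 FB FF 03 09 99 00 12 04 00 83 8A 80 8A 90 00
A0 A4 00 00 02 A4 6F 07 9F 0F
A0 C0 00 00 0F C0 85 0D 00 09 6F 07 04 00 1B FF 1B 03 02 00 00 90 00
A0 A4 00 00 02 A4 6F 16 94 04
A0 A4 00 00 02 A4 6F AD 9F 0F
A0 C0 00 00 0F C0 85 0D 00 03 6F AD 04 00 0B FF FF 03 02 00 00 90 00
A0 B0 00 00 03 B0 00 FF FF 90 00
"""

def analyze(hex_text=WIRE_DUMP):
    return split_t0(bytes.fromhex("".join(hex_text.split())))

if __name__ == "__main__":
    garbage, atr, apdus = analyze()
    print("Garbage:", garbage.hex(" "), "\nATR:", atr.hex(" "))
    for a in apdus:
        print(a.name, "| ME:", a.header.hex(" "), a.data_out.hex(" "), "| SIM:", a.data_in.hex(" "), a.sw.hex(" "))
```

The sniffer is assumed to have already undone the inverse convention signalled by TS = 3F; if it hands you raw line levels, every byte has to be inverted and bit-reversed first. The parser also trusts that the ME never aborts a command mid-way: a resynchronisation after a reset (a second ATR in the middle of the dump) would need the ATR search re-run from the failure point.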

We implemented online tools to parse card ATRs and APDU commands/responses for known instructions.

For example:

The trace data can be entered in Level 1 format, which is protocol level with INS echoes for T=0, T=1 packets, etc., or as a pseudo trace log of APDU commands and responses.

The parsers provide a data breakdown according to the related specifications. Sorry, no SIM toolkit defined yet.

Below are your APDU traces from the SIM card (without the echoed INS bytes).

Try to parse it with ISO 7816 APDU parser tool to see some available details:

# FF FF
? 3F 2F 00 80 69 AF 02 04 02 31 00 00 00 0E 83 3E 9F 16

# Ins Echo removed from card responses

> A0 A4 00 00 02 3F 00
< 9F 16

> A0 A4 00 00 02 2F E2
< 9F 0F

> A0 B0 00 00 0A
< FF FF FF FF FF FF FF FF FF FF 90 00

> A0 A4 00 00 02 7F 20
< 9F 16

> A0 A4 00 00 02 6F AE
< 9F 0F

> A0 B0 00 00 01
< 02 90 00

> A0 A4 00 00 02 6F 05
< 9F 0F

> A0 C0 00 00 0F
< 85 0D 00 07 6F 05 04 00 01 FF FF 03 02 00 00 90 00

> A0 B0 00 00 05
< 01 00 03 02 04 90 00

> A0 A4 00 00 02 7F 20
< 9F 16

> A0 C0 00 00 16
< 85 14 00 04 7F 20 02 00 00 FB FF 03 09 99 00 12 04 00 83 8A 80 8A 90 00

> A0 A4 00 00 02 6F 07
< 9F 0F

> A0 C0 00 00 0F
< 85 0D 00 09 6F 07 04 00 1B FF 1B 03 02 00 00 90 00

> A0 A4 00 00 02 3F 00
< 9F 16

> A0 A4 00 00 02 2F E2
< 9F 0F

> A0 A4 00 00 02 7F 20
< 9F 16

> A0 A4 00 00 02 6F 31
< 9F 0F

> A0 B0 00 00 01
< FF 90 00

> A0 A4 00 00 02 6F 16
< 94 04

> A0 A4 00 00 02 6F AD
< 9F 0F

> A0 C0 00 00 0F
< 85 0D 00 03 6F AD 04 00 0B FF FF 03 02 00 00 90 00

> A0 B0 00 00 03
< 00 FF FF 90 00

> A0 A4 00 00 02 6F 38
< 9F 0F

> A0 C0 00 00 0F
< 85 0D 00 04 6F 38 04 00 1B FF FF 03 02 00 00 90 00

> A0 B0 00 00 04
< FF 3F FF 0F 90 00

> A0 A4 00 00 02 6F 07
< 9F 0F
iso8583.info support
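The second step, working out what the paired APDUs mean, as an added example (not the iso8583.info parser and not code from this page). It reads a pseudo trace in the `>` command / `<` response form used in the answer above, concatenates multi-line responses, and decodes two things the raw bytes hide: the GSM 11.11 section 9.2.1 SELECT response returned by GET RESPONSE (file size or free memory, file ID, type, access conditions, structure, CHV counters) and the section 9.4 status words. The excerpt in `TRACE`, the dictionary keys and the small instruction-name table are this example's own assumptions; the file IDs 7F20, 6F07 and 6FAD are the standard GSM 11.11 identifiers for DF_GSM, EF_IMSI and EF_AD.

```python
# Constructed excerpt in the "> command / < response" form used in the
# answer above (INS echoes already removed); bytes copied from the trace
# on this page. 7F20 = DF_GSM, 6F07 = EF_IMSI, 6FAD = EF_AD (GSM 11.11).
TRACE = """
> A0 A4 00 00 02 7F 20
< 9F 16
> A0 C0 00 00 16
< 85 14 00 04 7F 20 02 00 00 FB FF 03 09 99 00 12 04 00 83 8A 80 8A 90 00
> A0 A4 00 00 02 6F 07
< 9F 0F
> A0 C0 00 00 0F
< 85 0D 00 09 6F 07 04 00 1B FF 1B 03 02 00 00
< 90 00
> A0 A4 00 00 02 6F 16
< 94 04
> A0 A4 00 00 02 6F AD
< 9F 0F
> A0 C0 00 00 0F
< 85 0D 00 03 6F AD 04 00 0B FF FF 03 02 00 00 90 00
> A0 B0 00 00 03
< 00 FF FF 90 00
"""

SELECT, READ_BINARY, GET_RESPONSE = 0xA4, 0xB0, 0xC0
INS_NAME = {SELECT: "SELECT", READ_BINARY: "READ BINARY", GET_RESPONSE: "GET RESPONSE"}
FILE_TYPE = {0x01: "MF", 0x02: "DF", 0x04: "EF"}
EF_STRUCT = {0x00: "transparent", 0x01: "linear fixed", 0x03: "cyclic"}
ACCESS = {0x0: "ALW", 0x1: "CHV1", 0x2: "CHV2", 0x3: "RFU", 0xF: "NEV"}   # 0x4..0xE = ADM
SW1_TEXT = {0x67: "incorrect P3", 0x6B: "incorrect P1/P2", 0x6D: "unknown INS", 0x6E: "wrong CLA"}
SW_TEXT = {  # GSM 11.11 section 9.4, the two-byte codes this decoder spells out
    (0x94, 0x00): "no EF selected", (0x94, 0x02): "out of range / invalid address",
    (0x94, 0x04): "file ID / pattern not found",
    (0x94, 0x08): "file inconsistent with command",
    (0x98, 0x04): "access condition not fulfilled / unsuccessful CHV verification",
    (0x98, 0x40): "CHV blocked (no attempts left)",
}

def access(nibble):
    return ACCESS.get(nibble, "ADM")          # administrative conditions are card-specific

def describe_sw(sw):
    """Spell out a GSM 11.11 section 9.4 status word."""
    sw1, sw2 = sw
    if sw == b"\x90\x00":
        return "OK"
    if sw1 == 0x9F:
        return "OK, %d response bytes available via GET RESPONSE" % sw2
    if sw1 == 0x91:
        return "OK, %d bytes of proactive command pending (FETCH)" % sw2
    return SW1_TEXT.get(sw1) or SW_TEXT.get((sw1, sw2), "status %02X %02X" % (sw1, sw2))

def decode_select_response(body):
    """GSM 11.11 9.2.1 SELECT response (fetched with GET RESPONSE); spec byte N is body[N-1]."""
    ftype = FILE_TYPE.get(body[6], "RFU")
    info = {"file_id": body[4:6].hex().upper(), "type": ftype}
    if ftype == "EF":
        info["size"] = int.from_bytes(body[2:4], "big")
        info["access"] = {"READ/SEEK": access(body[8] >> 4), "UPDATE": access(body[8] & 0xF),
                          "INCREASE": access(body[9] >> 4),
                          "REHABILITATE": access(body[10] >> 4), "INVALIDATE": access(body[10] & 0xF)}
        info["invalidated"] = not (body[11] & 0x01)       # file status b1: 0 = invalidated
        info["structure"] = EF_STRUCT.get(body[13], "RFU")
        if body[13] in (0x01, 0x03):
            info["record_len"] = body[14]
    else:                                                 # MF or DF
        info["free_memory"] = int.from_bytes(body[2:4], "big")
        info["child_dfs"], info["child_efs"] = body[14], body[15]
        info["chv1_initialised"] = bool(body[18] & 0x80)  # CHV status byte: b8 = initialised,
        info["chv1_tries_left"] = body[18] & 0x0F         # b4..b1 = false presentations left
        info["unblock_chv1_tries_left"] = body[19] & 0x0F
    return info

def parse_trace(text):
    """Pair each '>' command with the concatenated '<' lines that follow it."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">"):
            pairs.append([bytes.fromhex(line[1:]), b""])
        elif line.startswith("<") and pairs:
            pairs[-1][1] += bytes.fromhex(line[1:])
    return pairs

def interpret(text=TRACE):
    """Walk the paired trace, tracking the current file so READ BINARY data gets attributed."""
    events, selected, last_ins = [], None, None
    for cmd, rsp in parse_trace(text):
        ins, data, sw = cmd[1], rsp[:-2], rsp[-2:]
        ev = {"ins": INS_NAME.get(ins, "INS %02X" % ins), "sw": describe_sw(sw)}
        if ins == SELECT:
            ev["file"] = cmd[5:7].hex().upper()           # file ID travels as command data
            if sw[0] == 0x9F:                             # only a successful SELECT changes the current file
                selected = ev["file"]
        elif ins == GET_RESPONSE and last_ins == SELECT:
            ev["select_response"] = decode_select_response(data)
        elif ins == READ_BINARY:
            ev["file"], ev["data"] = selected, data.hex(" ").upper()
        events.append(ev)
        last_ins = ins
    return events

if __name__ == "__main__":
    for ev in interpret():
        print(ev)
```

Two things worth noticing on this trace: EF_IMSI (6F07) is readable only after CHV1 and updatable only by an administrative code, so a capture taken before the PIN is entered cannot contain the IMSI value; and the DF_GSM response carries the CHV1 retry counter (3 attempts left here), which is exactly the kind of state a passive sniffer can read off the line without ever talking to the card.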