subscriber identity module

Upload: yuki-mizuno

Post on 13-Jan-2017

TRANSCRIPT

Page 11: Subscriber Identity Module

$ pcsc_scan
PC/SC device scanner
V 1.4.23 (c) 2001-2011, Ludovic Rousseau <[email protected]>
Compiled with PC/SC lite version: 1.8.11
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto PC Twin Reader 00 00

Wed Oct 5 21:45:38 2016
Reader 0: Gemalto PC Twin Reader 00 00
  Card state: Card inserted,
  ATR: 3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C

ATR: 3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C
+ TS = 3B --> Direct Convention
+ T0 = 9D, Y(1): 1001, K: 13 (historical bytes)
  TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
    125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
  TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
  TD(2) = 3F --> Y(i+1) = 0011, Protocol T = 15 - Global interface bytes following
-----
  TA(3) = C7 --> Clock stop: no preference - Class accepted by the card: (3G) A 5V B 3V C 1.8V
  TB(3) = A0 -->
+ Historical bytes: 80 31 A0 73 BE 21 13 51 05 83 05 90 00
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: A0
        - Application selection: by full DF name
        - BER-TLV data objects available in EF.DIR
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card with MF
    Tag: 7, len: 3 (card capabilities)
      Selection methods: BE
        - DF selection by full DF name
        - DF selection by path
        - DF selection by file identifier
        - Implicit DF selection
        - Short EF identifier supported
        - Record number supported
      Data coding byte: 21
        - Behaviour of write functions: proprietary
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: 13
        - Logical channel number assignment: by the card
        - Maximum number of logical channels: 4
    Tag: 5, len: 1 (card issuer's data)
      Card issuer data: 05
    Tag: 8, len: 3 (status indicator)
      LCS (life card cycle): 05 (Operational state (activated))
      SW: 9000 (Normal processing.)
+ TCK = 7C (correct checksum)

Possibly identified card (using /home/sim-user/.cache/smartcard_list.txt):
3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C

NTT docomo Xi(LTE) DN05(DNP) Pink SIM (Telecommunication)
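The ATR decoding that pcsc_scan prints above can be reproduced from the raw bytes. The following is an added example (not from the slides or from pcsc_scan): it walks the ISO 7816-3 interface-byte chain, extracts the historical bytes, verifies the TCK checksum and decodes TA1 into Fi/Di, using the ATR shown on the slide as input.

```python
"""ISO 7816-3 ATR parser: interface bytes, historical bytes, TCK check. Added example,
not from the page; it decodes the pcsc_scan ATR shown above."""

# Fi and Di lookup tables (ISO 7816-3), indexed by the TA1 nibbles.
FI = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]

ATR_HEX = "3B 9D 95 80 3F C7 A0 80 31 A0 73 BE 21 13 51 05 83 05 90 00 7C"  # from the slide

def parse_atr(atr):
    """Return TS, interface bytes by name (TA1, TD2, ...), protocols offered,
    historical bytes, TCK and whether the TCK checksum verifies."""
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    k, y = atr[1] & 0x0F, atr[1] >> 4      # T0: K = historical byte count, Y1 = presence bits
    i, level, iface, protocols = 2, 1, {}, set()
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                iface[f"{name}{level}"] = atr[i]
                i += 1
        if not y & 8:                       # no TDi: no further interface bytes
            break
        td = iface[f"TD{level}"]
        protocols.add(td & 0x0F)            # low nibble: T=0, T=1, T=15 (global bytes follow)
        y, level = td >> 4, level + 1       # high nibble: presence bits for the next level
    hist, end = atr[i:i + k], i + k
    # TCK is present unless T=0 is the only protocol; XOR of T0..TCK must be zero
    tck = atr[end] if protocols - {0} else None
    xor = 0
    for b in atr[1:end]:
        xor ^= b
    return {"TS": atr[0], "iface": iface, "protocols": protocols or {0},
            "historical": hist, "TCK": tck, "tck_ok": tck is None or xor == tck}

def decode_ta1(ta1):
    """TA1 -> (Fi, Di, clock cycles per ETU), as pcsc_scan prints them."""
    fi, di = FI[ta1 >> 4], DI[ta1 & 0x0F]
    if fi is None or di is None:
        raise ValueError("reserved Fi/Di code")
    return fi, di, fi // di

if __name__ == "__main__":
    info = parse_atr(bytes.fromhex(ATR_HEX))
    print(info, decode_ta1(info["iface"]["TA1"]))
```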


Page 14: Subscriber Identity Module

thanks!!

Page 18: Subscriber Identity Module

3GPP TS 11.11 V8.14.0 (2007-06) Release 1999, page 118

MF '3F00'
|-- EF_ICCID '2FE2'
|-- EF_ELP '2F05'
|-- DF_IS-41 '7F22'
|-- DF_FP-CTS '7F23' (see GSM 11.19)
|-- DF_TELECOM '7F10'
|   |-- EF_ADN '6F3A', EF_FDN '6F3B', EF_SMS '6F3C', EF_CCP '6F3D', EF_MSISDN '6F40'
|   |-- EF_SMSP '6F42', EF_SMSS '6F43', EF_LND '6F44', EF_SMSR '6F47', EF_SDN '6F49'
|   |-- EF_EXT1 '6F4A', EF_EXT2 '6F4B', EF_EXT3 '6F4C', EF_BDN '6F4D', EF_EXT4 '6F4E'
|   `-- DF_GRAPHICS '5F50'
|       `-- EF_IMG '4F20'
`-- DF_GSM '7F20'
    |-- EF_LP '6F05', EF_IMSI '6F07', EF_Kc '6F20', EF_PLMNsel '6F30', EF_HPPLMN '6F31', EF_ACMmax '6F37'
    |-- EF_SST '6F38', EF_ACM '6F39', EF_GID1 '6F3E', EF_GID2 '6F3F', EF_PUCT '6F41', EF_CBMI '6F45'
    |-- EF_SPN '6F46', EF_CBMID '6F48', EF_BCCH '6F74', EF_ACC '6F78', EF_FPLMN '6F7B', EF_LOCI '6F7E'
    |-- EF_AD '6FAD', EF_PHASE '6FAE', EF_VGCS '6FB1', EF_VGCSS '6FB2', EF_VBS '6FB3', EF_VBSS '6FB4'
    |-- EF_eMLPP '6FB5', EF_AAeM '6FB6', EF_ECC '6FB7', EF_CBMIR '6F50', EF_NIA '6F51', EF_KcGPRS '6F52'
    |-- EF_LOCIGPRS '6F53', EF_SUME '6F54', EF_PLMNwAcT '6F60', EF_OPLMNwAcT '6F61', EF_HPLMNAcT '6F62', EF_CPBCCH '6F63'
    |-- EF_INVSCAN '6F64'
    |-- DF_IRIDIUM '5F30', DF_GLOBST '5F31', DF_ICO '5F32', DF_ACeS '5F33'
    |-- DF_EIA/TIA-553 '5F40'
    |-- DF_CTS '5F60' (see GSM 11.19)
    |-- DF_SoLSA '5F70'
    |   `-- EF_SAI '4F30', EF_SLL '4F31'
    `-- DF_MExE '5F3C'
        `-- EF_MExE-ST '4F40', EF_ORPK '4F41', EF_ARPK '4F42', EF_TPRPK '4F43'

Figure 8: File identifiers and directory structures of GSM

Page 19: Subscriber Identity Module

./pySim-read.py -p 0
Reading ...
ICCID: 8981100004402791051
IMSI: 440103152044102
SMSP: edffffffffffffffffffffffff07911809131056f2ffffffffffffa9
ACC: 0004
MSISDN: 07817040919843f3ffffffffffff
Done !



Page 23: Subscriber Identity Module

ICCID: 19 bytes

      MII     CC      II      (12bytes)     CS
      2bytes  2bytes  2bytes  12bytes       1byte
      89      81      10      000440279105  1


Page 28: Subscriber Identity Module

IMSI: ~ 16 bytes

      MCC     MNC         MSIN
      3bytes  2 ~ 3bytes  ~ 10bytes
      440     10          3152044102
      \---- HNI ----/
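The ICCID and IMSI layouts on the last slides, together with the way pySim reads them out of EF_ICCID and EF_IMSI, as an added example (not pySim's code): the raw EF bytes below are constructed from the slide's ICCID 8981100004402791051 and IMSI 440103152044102, and the ICCID check digit CS is verified with the Luhn test before the fields are split.

```python
"""Decode EF_ICCID / EF_IMSI contents (TS 11.11 swapped-nibble BCD) and split the
identifiers into the fields the slides show. Added example, not pySim code; the raw EF
bytes are constructed from the slide's ICCID 8981100004402791051 and IMSI 440103152044102."""

EF_ICCID_RAW = bytes.fromhex("981801004004721950f1")  # constructed: 10 bytes, 'F' padded
EF_IMSI_RAW = bytes.fromhex("084904011325401420")     # constructed: length byte, parity nibble, digits

def swapped_bcd(raw):
    """Each byte holds two digits, low nibble first; 0xF is padding."""
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)
    return digits.rstrip("f")

def decode_iccid(raw):
    return swapped_bcd(raw)

def decode_imsi(raw):
    """Byte 1 is the length of what follows; the first nibble after it is the
    parity/odd-even indicator (not a digit), then the IMSI digits."""
    return swapped_bcd(raw[1:1 + raw[0]])[1:]

def luhn_ok(number):
    """The ICCID check digit CS makes the whole number pass the Luhn test."""
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def split_iccid(iccid):
    """MII (89 = telecom), CC (country), II (issuer), 12-digit account id, CS."""
    if not (iccid.isdigit() and 19 <= len(iccid) <= 20 and luhn_ok(iccid)):
        raise ValueError("malformed ICCID or bad check digit")
    return {"MII": iccid[:2], "CC": iccid[2:4], "II": iccid[4:6],
            "account": iccid[6:-1], "CS": iccid[-1]}

def split_imsi(imsi, mnc_len=2):
    """MCC is 3 digits; MNC is 2 or 3 depending on the country and is not encoded in the
    IMSI itself (Japan, MCC 440, uses 2). HNI = MCC + MNC identifies the home network."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15 and mnc_len in (2, 3)):
        raise ValueError("malformed IMSI")
    return {"MCC": imsi[:3], "MNC": imsi[3:3 + mnc_len],
            "MSIN": imsi[3 + mnc_len:], "HNI": imsi[:3 + mnc_len]}
```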

Page 32: Subscriber Identity Module

Peer

Peer

Authenticator

Authenticator

EAP-Request/Identity

EAP-Response/Identity

EAP-Request/SIM/Start (AT_VERSION_LIST)

EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION)

EAP-Request/SIM/Challenge (AT_RAND, AT_MAC)

Peer runs GSM algorithms, verifies

AT_MAC and derives session keys

EAP-Response/SIM/Challenge (AT_MAC)

EAP-Success

Peer

Peer

Authenticator

Authenticator

EAP-Request/Identity

EAP-Response/Identity (Includes user’s NAI)

Server runs AKA algorithms,

generates RAND and AUTN.

EAP-Request/AKA-Challenge (AT_RAND, AT_AUTN, AT_MAC)

Peer runs AKA algorithms, verifies AUTN

and MAC, derives RES and session key

EAP-Response/AKA-Challenge (AT_RES, AT_MAC)

Server checks the given RES,

and MAC and finds them correct.

EAP-Success
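The Challenge round of the EAP-SIM flow above, as an added example (not from the slides or any EAP implementation): it encodes EAP-Request/SIM/Challenge (AT_RAND, AT_MAC) and EAP-Response/SIM/Challenge (AT_MAC) and computes and verifies AT_MAC the way RFC 4186 defines it. K_aut, the RANDs, NONCE_MT and the SRES values are constructed inputs; deriving the real K_aut from the GSM triplets is the key-derivation step that is assumed, not shown.

```python
"""EAP-SIM Challenge round from the flow above: build the packets and compute/verify AT_MAC
(RFC 4186). Added example, not from the page; K_aut, RAND and NONCE_MT are constructed
inputs (the real K_aut comes from the EAP-SIM key derivation, not shown here)."""
import hmac, hashlib

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_SIM, SUBTYPE_CHALLENGE = 1, 2, 18, 11
AT_RAND, AT_MAC = 1, 11

def attr(atype, value):
    """Attribute TLV: type, length in 4-byte units, value (starting with its 2 reserved bytes)."""
    total = 2 + len(value)
    if total % 4:
        raise ValueError("attribute must be a multiple of 4 bytes")
    return bytes([atype, total // 4]) + value

def eap_sim_packet(code, identifier, attrs):
    """EAP header (code, id, length, type 18), subtype Challenge, 2 reserved bytes, attributes."""
    payload = bytes([EAP_TYPE_SIM, SUBTYPE_CHALLENGE, 0, 0]) + b"".join(attrs)
    return bytes([code, identifier]) + (4 + len(payload)).to_bytes(2, "big") + payload

def with_at_mac(code, identifier, attrs, k_aut, extra):
    """Append AT_MAC = HMAC-SHA1-128(K_aut, packet-with-MAC-zeroed | extra)."""
    pkt = eap_sim_packet(code, identifier, attrs + [attr(AT_MAC, bytes(18))])
    mac = hmac.new(k_aut, pkt + extra, hashlib.sha1).digest()[:16]
    return pkt[:-16] + mac

def sim_challenge_request(identifier, k_aut, rands, nonce_mt):
    """Server -> peer: AT_RAND carries n GSM RANDs; the MAC also covers NONCE_MT from the Start round."""
    return with_at_mac(EAP_REQUEST, identifier, [attr(AT_RAND, bytes(2) + b"".join(rands))],
                       k_aut, nonce_mt)

def sim_challenge_response(identifier, k_aut, sres_list):
    """Peer -> server: only AT_MAC; the MAC covers n*SRES, so the SRES values from
    RUN GSM ALGORITHM are proven without being transmitted."""
    return with_at_mac(EAP_RESPONSE, identifier, [], k_aut, b"".join(sres_list))

def verify_at_mac(pkt, k_aut, extra):
    """Recompute the MAC over the packet with the AT_MAC value zeroed; False on any mismatch."""
    if len(pkt) < 20 or pkt[-20:-16] != bytes([AT_MAC, 5, 0, 0]):
        return False                       # AT_MAC must be the last attribute in this encoding
    expected = hmac.new(k_aut, pkt[:-16] + bytes(16) + extra, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(pkt[-16:], expected)
```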

Page 39: Subscriber Identity Module

3GPP TS 11.11 V8.14.0 (2007-06) Release 1999, page 48

9.2.13 UNBLOCK CHV

COMMAND       CLASS  INS   P1    P2       P3
UNBLOCK CHV   'A0'   '2C'  '00'  CHV No.  '10'

Parameter P2 specifies the CHV:

- 00 = CHV1;

- 02 = CHV2.

NOTE: The coding '00' for CHV1 differs from the coding of CHV1 used for other commands.

Command parameters/data:

Byte(s)  Description        Length
1 - 8    UNBLOCK CHV value  8
9 - 16   New CHV value      8

9.2.14 INVALIDATE

COMMAND     CLASS  INS   P1    P2    P3
INVALIDATE  'A0'   '04'  '00'  '00'  '00'

9.2.15 REHABILITATE

COMMAND       CLASS  INS   P1    P2    P3
REHABILITATE  'A0'   '44'  '00'  '00'  '00'

9.2.16 RUN GSM ALGORITHM

COMMAND            CLASS  INS   P1    P2    P3
RUN GSM ALGORITHM  'A0'   '88'  '00'  '00'  '10'

Command parameters/data:

Byte(s)  Description  Length
1 - 16   RAND         16

Response parameters/data:

Byte(s)  Description    Length
1 - 4    SRES           4
5 - 12   Cipher Key Kc  8

The most significant bit of SRES is coded on bit 8 of byte 1. The most significant bit of Kc is coded on bit 8 of byte 5.

9.2.17 SLEEP

COMMAND  CLASS  INS   P1    P2    P3
SLEEP    'A0'   'FA'  '00'  '00'  '00'

3GPP TS 11.11

Page 40: Subscriber Identity Module
Page 41: Subscriber Identity Module

$ cat /etc/freeradius/simtriplets.dat
# IMSI RAND SRES Kc
440103152044102,02bbdd69578d11057f3534539d61c3e1,9b93ab20,38a74d32f6334018
440103152044102,38279ae1b4ca5d63e93fcdbc2722b216,f8f9e5fe,9952db0411e0ac54
440103152044102,f35f71777ccfd21aec28913fc3fbe3bc,31452835,752a8baa96fa7dbf
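How the RUN GSM ALGORITHM command from the TS 11.11 excerpt (9.2.16) and the simtriplets.dat file above fit together, as an added example (not from the slides, pySim or FreeRADIUS): the APDU is built from a RAND, the 12-byte SRES || Kc response is parsed, and the network side checks the SRES against the stored triplet. The SIM itself is simulated from a copy of the three triplets on the slide, so the block runs without a card reader.

```python
"""RUN GSM ALGORITHM (TS 11.11 9.2.16) checked against simtriplets.dat; added example, SIM simulated."""
import hmac  # constant-time comparison only

# Constructed copy of the three triplets on the slide.
SIMTRIPLETS_DAT = """# IMSI RAND SRES Kc
440103152044102,02bbdd69578d11057f3534539d61c3e1,9b93ab20,38a74d32f6334018
440103152044102,38279ae1b4ca5d63e93fcdbc2722b216,f8f9e5fe,9952db0411e0ac54
440103152044102,f35f71777ccfd21aec28913fc3fbe3bc,31452835,752a8baa96fa7dbf
"""

def build_apdu(cla, ins, p1, p2, data=b""):
    """CLASS INS P1 P2 P3 [data] as the TS 11.11 tables lay it out; P3 = len(data)."""
    if len(data) > 255:
        raise ValueError("data too long for one APDU")
    return bytes([cla, ins, p1, p2, len(data)]) + data

def run_gsm_algorithm_apdu(rand):
    """'A0' '88' '00' '00' '10' followed by the 16-byte RAND."""
    if len(rand) != 16:
        raise ValueError("RAND must be 16 bytes")
    return build_apdu(0xA0, 0x88, 0x00, 0x00, rand)

def parse_run_gsm_response(resp):
    """12 bytes of response data: SRES (bytes 1-4) then Kc (bytes 5-12).
    Under T=0 the card first returns SW 9F 0C; the data is fetched with GET RESPONSE."""
    if len(resp) != 12:
        raise ValueError("expected 12 bytes: SRES || Kc")
    return resp[:4], resp[4:]

def load_triplets(text):
    """{(imsi, rand): (sres, kc)} from the comma-separated file."""
    table = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            imsi, rand, sres, kc = line.split(",")
            table[(imsi, bytes.fromhex(rand))] = (bytes.fromhex(sres), bytes.fromhex(kc))
    return table

def simulated_card(apdu, triplets, imsi):
    """Stand-in for the SIM: answers RUN GSM ALGORITHM from the triplet table."""
    if apdu[:5] != bytes([0xA0, 0x88, 0x00, 0x00, 0x10]):
        raise ValueError("unsupported APDU")
    sres, kc = triplets[(imsi, apdu[5:])]
    return sres + kc

def authenticate(imsi, rand, card_response, triplets):
    """Network side: the SRES the card returns must match the stored triplet for this RAND."""
    sres, _kc = parse_run_gsm_response(card_response)
    expected = triplets.get((imsi, rand))
    return expected is not None and hmac.compare_digest(sres, expected[0])
```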
