author | Karl Koscher <github@degdeg.com> | 2012-07-21 21:54:37 -0700 |
---|---|---|
committer | Karl Koscher <github@degdeg.com> | 2012-07-21 21:54:37 -0700 |
commit | 60b8461d28409c1ca7ca491020248d059840e82c (patch) | |
tree | 9e8b60d0d58a4476d07642504c38364ce7922c48 | |
parent | 7b86d6e0a32dca8918775b3e2bb0dfb04a843766 (diff) |
Initial commit of the Toorcamp SIM tool
-rw-r--r-- | pySim/__init__.py | 0 | ||||
-rw-r--r-- | pySim/cards.py | 351 | ||||
-rw-r--r-- | pySim/commands.py | 95 | ||||
-rw-r--r-- | pySim/exceptions.py | 33 | ||||
-rw-r--r-- | pySim/transport/__init__.py | 88 | ||||
-rw-r--r-- | pySim/transport/pcsc.py | 80 | ||||
-rw-r--r-- | pySim/transport/serial.py | 224 | ||||
-rw-r--r-- | pySim/utils.py | 44 | ||||
-rw-r--r-- | toorsimtool.py | 276 |
9 files changed, 1191 insertions, 0 deletions
diff --git a/pySim/__init__.py b/pySim/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/pySim/__init__.py
diff --git a/pySim/cards.py b/pySim/cards.py
new file mode 100644
index 0000000..88eceb0
--- /dev/null
+++ b/pySim/cards.py
@@ -0,0 +1,351 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +""" pySim: Card programmation logic +""" + +# +# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com> +# Copyright (C) 2011 Harald Welte <laforge@gnumonks.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +from pySim.utils import b2h, h2b, swap_nibbles, rpad, lpad + + +class Card(object): + + def __init__(self, scc): + self._scc = scc + + def _e_iccid(self, iccid): + return swap_nibbles(rpad(iccid, 20)) + + def _e_imsi(self, imsi): + """Converts a string imsi into the value of the EF""" + l = (len(imsi) + 1) // 2 # Required bytes + oe = len(imsi) & 1 # Odd (1) / Even (0) + ei = '%02x' % l + swap_nibbles(lpad('%01x%s' % ((oe<<3)|1, imsi), 16)) + return ei + + def _e_plmn(self, mcc, mnc): + """Converts integer MCC/MNC into 6 bytes for EF""" + return swap_nibbles(lpad('%d' % mcc, 3) + lpad('%d' % mnc, 3)) + + def reset(self): + self._scc.reset_card() + + +class _MagicSimBase(Card): + """ + Theses cards uses several record based EFs to store the provider infos, + each possible provider uses a specific record number in each EF. The + indexes used are ( where N is the number of providers supported ) : + - [2 .. N+1] for the operator name + - [1 .. 
N] for the programable EFs + + * 3f00/7f4d/8f0c : Operator Name + + bytes 0-15 : provider name, padded with 0xff + byte 16 : length of the provider name + byte 17 : 01 for valid records, 00 otherwise + + * 3f00/7f4d/8f0d : Programmable Binary EFs + + * 3f00/7f4d/8f0e : Programmable Record EFs + + """ + + @classmethod + def autodetect(kls, scc): + try: + for p, l, t in kls._files.values(): + if not t: + continue + if scc.record_size(['3f00', '7f4d', p]) != l: + return None + except: + return None + + return kls(scc) + + def _get_count(self): + """ + Selects the file and returns the total number of entries + and entry size + """ + f = self._files['name'] + + r = self._scc.select_file(['3f00', '7f4d', f[0]]) + rec_len = int(r[-1][28:30], 16) + tlen = int(r[-1][4:8],16) + rec_cnt = (tlen / rec_len) - 1; + + if (rec_cnt < 1) or (rec_len != f[1]): + raise RuntimeError('Bad card type') + + return rec_cnt + + def program(self, p): + # Go to dir + self._scc.select_file(['3f00', '7f4d']) + + # Home PLMN in PLMN_Sel format + hplmn = self._e_plmn(p['mcc'], p['mnc']) + + # Operator name ( 3f00/7f4d/8f0c ) + self._scc.update_record(self._files['name'][0], 2, + rpad(b2h(p['name']), 32) + ('%02x' % len(p['name'])) + '01' + ) + + # ICCID/IMSI/Ki/HPLMN ( 3f00/7f4d/8f0d ) + v = '' + + # inline Ki + if self._ki_file is None: + v += p['ki'] + + # ICCID + v += '3f00' + '2fe2' + '0a' + self._e_iccid(p['iccid']) + + # IMSI + v += '7f20' + '6f07' + '09' + self._e_imsi(p['imsi']) + + # Ki + if self._ki_file: + v += self._ki_file + '10' + p['ki'] + + # PLMN_Sel + v+= '6f30' + '18' + rpad(hplmn, 36) + + self._scc.update_record(self._files['b_ef'][0], 1, + rpad(v, self._files['b_ef'][1]*2) + ) + + # SMSP ( 3f00/7f4d/8f0e ) + # FIXME + + # Write PLMN_Sel forcefully as well + r = self._scc.select_file(['3f00', '7f20', '6f30']) + tl = int(r[-1][4:8], 16) + + hplmn = self._e_plmn(p['mcc'], p['mnc']) + self._scc.update_binary('6f30', hplmn + 'ff' * (tl-3)) + + def erase(self): + # Dummy + df = {} + 
for k, v in self._files.iteritems(): + ofs = 1 + fv = v[1] * 'ff' + if k == 'name': + ofs = 2 + fv = fv[0:-4] + '0000' + df[v[0]] = (fv, ofs) + + # Write + for n in range(0,self._get_count()): + for k, (msg, ofs) in df.iteritems(): + self._scc.update_record(['3f00', '7f4d', k], n + ofs, msg) + + +class SuperSim(_MagicSimBase): + + name = 'supersim' + + _files = { + 'name' : ('8f0c', 18, True), + 'b_ef' : ('8f0d', 74, True), + 'r_ef' : ('8f0e', 50, True), + } + + _ki_file = None + + +class MagicSim(_MagicSimBase): + + name = 'magicsim' + + _files = { + 'name' : ('8f0c', 18, True), + 'b_ef' : ('8f0d', 130, True), + 'r_ef' : ('8f0e', 102, False), + } + + _ki_file = '6f1b' + + +class FakeMagicSim(Card): + """ + Theses cards have a record based EF 3f00/000c that contains the provider + informations. See the program method for its format. The records go from + 1 to N. + """ + + name = 'fakemagicsim' + + @classmethod + def autodetect(kls, scc): + try: + if scc.record_size(['3f00', '000c']) != 0x5a: + return None + except: + return None + + return kls(scc) + + def _get_infos(self): + """ + Selects the file and returns the total number of entries + and entry size + """ + + r = self._scc.select_file(['3f00', '000c']) + rec_len = int(r[-1][28:30], 16) + tlen = int(r[-1][4:8],16) + rec_cnt = (tlen / rec_len) - 1; + + if (rec_cnt < 1) or (rec_len != 0x5a): + raise RuntimeError('Bad card type') + + return rec_cnt, rec_len + + def program(self, p): + # Home PLMN + r = self._scc.select_file(['3f00', '7f20', '6f30']) + tl = int(r[-1][4:8], 16) + + hplmn = self._e_plmn(p['mcc'], p['mnc']) + self._scc.update_binary('6f30', hplmn + 'ff' * (tl-3)) + + # Get total number of entries and entry size + rec_cnt, rec_len = self._get_infos() + + # Set first entry + entry = ( + '81' + # 1b Status: Valid & Active + rpad(b2h(p['name'][0:14]), 28) + # 14b Entry Name + self._e_iccid(p['iccid']) + # 10b ICCID + self._e_imsi(p['imsi']) + # 9b IMSI_len + id_type(9) + IMSI + p['ki'] + # 16b Ki + 
lpad(p['smsp'], 80) # 40b SMSP (padded with ff if needed) + ) + self._scc.update_record('000c', 1, entry) + + def erase(self): + # Get total number of entries and entry size + rec_cnt, rec_len = self._get_infos() + + # Erase all entries + entry = 'ff' * rec_len + for i in range(0, rec_cnt): + self._scc.update_record('000c', 1+i, entry) + +class GrcardSim(Card): + """ + Greencard (grcard.cn) HZCOS GSM SIM + These cards have a much more regular ISO 7816-4 / TS 11.11 structure, + and use standard UPDATE RECORD / UPDATE BINARY commands except for Ki. + """ + + name = 'grcardsim' + + @classmethod + def autodetect(kls, scc): + return None + + def program(self, p): + # We don't really know yet what ADM PIN 4 is about + #self._scc.verify_chv(4, h2b("4444444444444444")) + + # Authenticate using ADM PIN 5 + self._scc.verify_chv(5, h2b("4444444444444444")) + + # EF.ICCID + r = self._scc.select_file(['3f00', '2fe2']) + data, sw = self._scc.update_binary('2fe2', self._e_iccid(p['iccid'])) + + # EF.IMSI + r = self._scc.select_file(['3f00', '7f20', '6f07']) + data, sw = self._scc.update_binary('6f07', self._e_imsi(p['imsi'])) + + # EF.ACC + #r = self._scc.select_file(['3f00', '7f20', '6f78']) + #self._scc.update_binary('6f78', self._e_imsi(p['imsi']) + + # EF.SMSP + r = self._scc.select_file(['3f00', '7f10', '6f42']) + data, sw = self._scc.update_record('6f42', 1, lpad(p['smsp'], 80)) + + # Set the Ki using proprietary command + pdu = '80d4020010' + p['ki'] + data, sw = self._scc._tp.send_apdu(pdu) + + # EF.HPLMN + r = self._scc.select_file(['3f00', '7f20', '6f30']) + size = int(r[-1][4:8], 16) + hplmn = self._e_plmn(p['mcc'], p['mnc']) + self._scc.update_binary('6f30', hplmn + 'ff' * (size-3)) + + # EF.SPN (Service Provider Name) + r = self._scc.select_file(['3f00', '7f20', '6f30']) + size = int(r[-1][4:8], 16) + # FIXME + + # FIXME: EF.MSISDN + + def erase(self): + return + +class SysmoSIMgr1(GrcardSim): + """ + sysmocom sysmoSIM-GR1 + These cards have a much more regular ISO 
7816-4 / TS 11.11 structure, + and use standard UPDATE RECORD / UPDATE BINARY commands except for Ki. + """ + name = 'sysmosim-gr1' + + # In order for autodetection ... + +class SysmoUSIMgr1(Card): + """ + sysmocom sysmoUSIM-GR1 + """ + name = 'sysmoUSIM-GR1' + + @classmethod + def autodetect(kls, scc): + # TODO: Access the ATR + return None + + def program(self, p): + # TODO: check if verify_chv could be used or what it needs + # self._scc.verify_chv(0x0A, [0x33,0x32,0x32,0x31,0x33,0x32,0x33,0x32]) + # Unlock the card.. + data, sw = self._scc._tp.send_apdu_checksw("0020000A083332323133323332") + + # TODO: move into SimCardCommands + par = ( p['ki'] + # 16b K + p['opc'] + # 32b OPC + self._e_iccid(p['iccid']) + # 10b ICCID + self._e_imsi(p['imsi']) # 9b IMSI_len + id_type(9) + IMSI + ) + data, sw = self._scc._tp.send_apdu_checksw("0099000033" + par) + + def erase(self): + return + +_cards_classes = [ FakeMagicSim, SuperSim, MagicSim, GrcardSim, + SysmoSIMgr1, SysmoUSIMgr1 ] diff --git a/pySim/commands.py b/pySim/commands.py new file mode 100644 index 0000000..f650272 --- /dev/null +++ b/pySim/commands.py 
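Review bot: `_MagicSimBase.autodetect` and `FakeMagicSim.autodetect` wrap the probe in a bare `except:`, which also swallows `KeyboardInterrupt` and any genuine transport bug, so a broken reader is reported as "not this card type" instead of failing loudly. The probe goes through `SimCardCommands.record_size`, which surfaces a `RuntimeError` from `send_apdu_checksw` on a bad status word and an `IndexError`/`ValueError` when the select response is too short, so `except (RuntimeError, IndexError, ValueError):` covers the expected misses (add the transport's own exception types if those are meant to be tolerated too). The ADM credential in `GrcardSim.program` (`h2b("4444444444444444")`) and the unlock APDU in `SysmoUSIMgr1.program` are hard-coded in source; taking them from the provisioning dict `p` alongside `ki`/`opc` would keep card secrets out of the repository and make the per-card-type assumption explicit. `_MagicSimBase.program` also computes `hplmn` twice; the second assignment before `update_binary('6f30', ...)` can be dropped.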
@@ -0,0 +1,95 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +""" pySim: SIM Card commands according to ISO 7816-4 and TS 11.11 +""" + +# +# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com> +# Copyright (C) 2010 Harald Welte <laforge@gnumonks.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +from pySim.utils import rpad, b2h + + +class SimCardCommands(object): + def __init__(self, transport): + self._tp = transport; + + def select_file(self, dir_list): + rv = [] + for i in dir_list: + data, sw = self._tp.send_apdu_checksw("a0a4000002" + i) + rv.append(data) + return rv + + def read_binary(self, ef, length=None, offset=0): + if not hasattr(type(ef), '__iter__'): + ef = [ef] + r = self.select_file(ef) + if length is None: + length = int(r[-1][4:8], 16) - offset + pdu = 'a0b0%04x%02x' % (offset, (min(256, length) & 0xff)) + return self._tp.send_apdu(pdu) + + def update_binary(self, ef, data, offset=0): + if not hasattr(type(ef), '__iter__'): + ef = [ef] + self.select_file(ef) + pdu = 'a0d6%04x%02x' % (offset, len(data)/2) + data + return self._tp.send_apdu_checksw(pdu) + + def read_record(self, ef, rec_no): + if not hasattr(type(ef), '__iter__'): + ef = [ef] + r = self.select_file(ef) + rec_length = int(r[-1][28:30], 16) + pdu = 'a0b2%02x04%02x' % (rec_no, rec_length) + return self._tp.send_apdu(pdu) + + def update_record(self, ef, rec_no, data, 
force_len=False): + if not hasattr(type(ef), '__iter__'): + ef = [ef] + r = self.select_file(ef) + if not force_len: + rec_length = int(r[-1][28:30], 16) + if (len(data)/2 != rec_length): + raise ValueError('Invalid data length (expected %d, got %d)' % (rec_length, len(data)/2)) + else: + rec_length = len(data)/2 + pdu = ('a0dc%02x04%02x' % (rec_no, rec_length)) + data + return self._tp.send_apdu_checksw(pdu) + + def record_size(self, ef): + r = self.select_file(ef) + return int(r[-1][28:30], 16) + + def record_count(self, ef): + r = self.select_file(ef) + return int(r[-1][4:8], 16) // int(r[-1][28:30], 16) + + def run_gsm(self, rand): + if len(rand) != 32: + raise ValueError('Invalid rand') + self.select_file(['3f00', '7f20']) + return self._tp.send_apdu('a088000010' + rand) + + def reset_card(self): + return self._tp.reset_card() + + def verify_chv(self, chv_no, code): + fc = rpad(b2h(code), 16) + return self._tp.send_apdu_checksw('a02000' + ('%02x' % chv_no) + '08' + fc) diff --git a/pySim/exceptions.py b/pySim/exceptions.py new file mode 100644 index 0000000..403f54c --- /dev/null +++ b/pySim/exceptions.py 
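Review bot: `read_binary` clamps the request with `min(256, length) & 0xff` and issues a single READ BINARY, so a file longer than 256 bytes (or a caller passing `length=None` on one) silently gets truncated data with a clean status word. Reading in chunks of at most 256 bytes until `length` is exhausted keeps the signature and fixes this; sketch below. `update_binary` has the mirror problem: `'%02x' % (len(data)/2)` with more than 255 data bytes emits a three-digit P3 and a malformed APDU, so either a `ValueError` guard or the same chunking is needed there. Also, `self._tp = transport;` in `__init__` carries a stray `;`.
```python
    def read_binary(self, ef, length=None, offset=0):
        if not hasattr(type(ef), '__iter__'):
            ef = [ef]
        r = self.select_file(ef)
        if length is None:
            length = int(r[-1][4:8], 16) - offset
        # READ BINARY carries at most 256 bytes per APDU (Le=00 encodes 256);
        # iterate so the caller gets the whole range that was asked for.
        total, sw = '', None
        while length > 0:
            chunk = min(256, length)
            data, sw = self._tp.send_apdu('a0b0%04x%02x' % (offset, chunk & 0xff))
            if sw != '9000':
                break
            total += data
            offset += chunk
            length -= chunk
        return total, sw
```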
@@ -0,0 +1,33 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +""" pySim: Exceptions +""" + +# +# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +from __future__ import absolute_import + +import exceptions + + +class NoCardError(exceptions.Exception): + pass + +class ProtocolError(exceptions.Exception): + pass diff --git a/pySim/transport/__init__.py b/pySim/transport/__init__.py new file mode 100644 index 0000000..dd04bba --- /dev/null +++ b/pySim/transport/__init__.py 
@@ -0,0 +1,88 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +""" pySim: PCSC reader transport link base +""" + +# +# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +class LinkBase(object): + + def wait_for_card(self, timeout=None, newcardonly=False): + """wait_for_card(): Wait for a card and connect to it + + timeout : Maximum wait time (None=no timeout) + newcardonly : Should we wait for a new card, or an already + inserted one ? + """ + pass + + def connect(self): + """connect(): Connect to a card immediately + """ + pass + + def disconnect(self): + """disconnect(): Disconnect from card + """ + pass + + def reset_card(self): + """reset_card(): Resets the card (power down/up) + """ + pass + + def send_apdu_raw(self, pdu): + """send_apdu_raw(pdu): Sends an APDU with minimal processing + + pdu : string of hexadecimal characters (ex. "A0A40000023F00") + return : tuple(data, sw), where + data : string (in hex) of returned data (ex. "074F4EFFFF") + sw : string (in hex) of status word (ex. "9000") + """ + pass + + def send_apdu(self, pdu): + """send_apdu(pdu): Sends an APDU and auto fetch response data + + pdu : string of hexadecimal characters (ex. "A0A40000023F00") + return : tuple(data, sw), where + data : string (in hex) of returned data (ex. "074F4EFFFF") + sw : string (in hex) of status word (ex. 
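Review bot: `exceptions.Exception` is the builtin `Exception`, so `import exceptions` (a Python 2-only module) adds nothing and breaks the import on Python 3; `class NoCardError(Exception): pass` is equivalent and portable. A shared base such as `class PySimError(Exception)` for both classes would let callers catch one type, which matters because `LinkBase.send_apdu_checksw` currently raises a plain `RuntimeError` on a status-word mismatch that callers cannot tell apart from unrelated failures.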
"9000") + """ + data, sw = self.send_apdu_raw(pdu) + + if (sw is not None) and (sw[0:2] == '9f'): + pdu_gr = pdu[0:2] + 'c00000' + sw[2:4] + data, sw = self.send_apdu_raw(pdu_gr) + + return data, sw + + def send_apdu_checksw(self, pdu, sw="9000"): + """send_apdu_checksw(pdu,sw): Sends an APDU and check returned SW + + pdu : string of hexadecimal characters (ex. "A0A40000023F00") + sw : string of 4 hexadecimal characters (ex. "9000") + return : tuple(data, sw), where + data : string (in hex) of returned data (ex. "074F4EFFFF") + sw : string (in hex) of status word (ex. "9000") + """ + rv = self.send_apdu(pdu) + if sw.lower() != rv[1]: + raise RuntimeError("SW match failed ! Expected %s and got %s." % (sw.lower(), rv[1])) + return rv diff --git a/pySim/transport/pcsc.py b/pySim/transport/pcsc.py new file mode 100644 index 0000000..dc040c5 --- /dev/null +++ b/pySim/transport/pcsc.py 
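Review bot: every abstract method of `LinkBase` (`wait_for_card`, `connect`, `disconnect`, `reset_card`, `send_apdu_raw`) has a body of `pass`, so a transport that forgets an override silently "succeeds" and `send_apdu` then fails later on `data, sw = None`; `raise NotImplementedError` in each body fails at the right place and documents the contract. `send_apdu_checksw` compares `sw.lower()` against `rv[1]` as returned, so the requirement that transports return lowercase hex is implicit — either compare `rv[1].lower()` too or state it in the `send_apdu_raw` docstring (`sw : lowercase hex string of the status word`). The `RuntimeError` raised on a mismatch could be the `ProtocolError` defined in `pySim.exceptions`, so callers can distinguish card status failures from generic runtime faults.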
@@ -0,0 +1,80 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +""" pySim: PCSC reader transport link +""" + +# +# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com> +# Copyright (C) 2010 Harald Welte <laforge@gnumonks.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +from smartcard.CardRequest import CardRequest +from smartcard.Exceptions import NoCardException, CardRequestTimeoutException +from smartcard.System import readers + +from pySim.exceptions import NoCardError +from pySim.transport import LinkBase +from pySim.utils import h2i, i2h + + +class PcscSimLink(LinkBase): + + def __init__(self, reader_number=0): + r = readers(); + self._reader = r[reader_number] + self._con = self._reader.createConnection() + + def __del__(self): + self._con.disconnect() + return + + def wait_for_card(self, timeout=None, newcardonly=False): + cr = CardRequest(readers=[self._reader], timeout=timeout, newcardonly=newcardonly) + try: + cr.waitforcard() + except CardRequestTimeoutException: + raise NoCardError() + self.connect() + + def connect(self): + try: + self._con.connect() + except NoCardException: + raise NoCardError() + + def disconnect(self): + self._con.disconnect() + + def reset_card(self): + self._con.disconnect() + try: + self._con.connect() + except NoCardException: + raise NoCardError() + return 1 + + def send_apdu_raw(self, pdu): + """see 
LinkBase.send_apdu_raw""" + + apdu = h2i(pdu) + + data, sw1, sw2 = self._con.transmit(apdu) + + sw = [sw1, sw2] + + # Return value + return i2h(data), i2h(sw) diff --git a/pySim/transport/serial.py b/pySim/transport/serial.py new file mode 100644 index 0000000..825c458 --- /dev/null +++ b/pySim/transport/serial.py 
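Review bot: `__del__` calls `self._con.disconnect()` unconditionally, so when `__init__` fails before `_con` is assigned — `r[reader_number]` raises a bare `IndexError` if that reader is not present — the destructor raises a second, confusing `AttributeError` on top. Guard it with `if getattr(self, '_con', None) is not None: self._con.disconnect()` and give `__init__` a clear check such as `if reader_number >= len(r): raise ValueError('No such reader: %d' % reader_number)`. `r = readers();` also carries a stray `;`.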
@@ -0,0 +1,224 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +""" pySim: Transport Link for serial (RS232) based readers included with simcard +""" + +# +# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +from __future__ import absolute_import + +import serial +import time + +from pySim.exceptions import NoCardError, ProtocolError +from pySim.transport import LinkBase +from pySim.utils import h2b, b2h + + +class SerialSimLink(LinkBase): + + def __init__(self, device='/dev/ttyUSB0', baudrate=9600, rst='-rts', debug=False): + self._sl = serial.Serial( + port = device, + parity = serial.PARITY_EVEN, + bytesize = serial.EIGHTBITS, + stopbits = serial.STOPBITS_TWO, + timeout = 1, + xonxoff = 0, + rtscts = 0, + baudrate = baudrate, + ) + self._rst_pin = rst + self._debug = debug + + def __del__(self): + self._sl.close() + + def wait_for_card(self, timeout=None, newcardonly=False): + # Direct try + existing = False + + try: + self.reset_card() + if not newcardonly: + return + else: + existing = True + except NoCardError: + pass + + # Poll ... 
+ mt = time.time() + timeout if timeout is not None else None + pe = 0 + + while (mt is None) or (time.time() < mt): + try: + time.sleep(0.5) + self.reset_card() + if not existing: + return + except NoCardError: + existing = False + except ProtocolError: + if existing: + existing = False + else: + # Tolerate a couple of protocol error ... can happen if + # we try when the card is 'half' inserted + pe += 1 + if (pe > 2): + raise + + # Timed out ... + raise NoCardError() + + def connect(self): + self.reset_card() + + def disconnect(self): + pass # Nothing to do really ... + + def reset_card(self): + rv = self._reset_card() + if rv == 0: + raise NoCardError() + elif rv < 0: + raise ProtocolError() + + def _reset_card(self): + rst_meth_map = { + 'rts': self._sl.setRTS, + 'dtr': self._sl.setDTR, + } + rst_val_map = { '+':0, '-':1 } + + try: + rst_meth = rst_meth_map[self._rst_pin[1:]] + rst_val = rst_val_map[self._rst_pin[0]] + except: + raise ValueError('Invalid reset pin %s' % self._rst_pin); + + rst_meth(rst_val) + time.sleep(0.1) # 100 ms + self._sl.flushInput() + rst_meth(rst_val ^ 1) + + b = self._rx_byte() + if not b: + return 0 + if ord(b) != 0x3b: + return -1; + self._dbg_print("TS: 0x%x Direct convention" % ord(b)) + + while ord(b) == 0x3b: + b = self._rx_byte() + + if not b: + return -1 + t0 = ord(b) + self._dbg_print("T0: 0x%x" % t0) + + for i in range(4): + if t0 & (0x10 << i): + self._dbg_print("T%si = %x" % (chr(ord('A')+i), ord(self._rx_byte()))) + + for i in range(0, t0 & 0xf): + self._dbg_print("Historical = %x" % ord(self._rx_byte())) + + while True: + x = self._rx_byte() + if not x: + break + self._dbg_print("Extra: %x" % ord(x)) + + return 1 + + def _dbg_print(self, s): + if self._debug: + print s + + def _tx_byte(self, b): + self._sl.write(b) + r = self._sl.read() + if r != b: # TX and RX are tied, so we must clear the echo + raise ProtocolError("Bad echo value. 
Expected %02x, got %s)" % (ord(b), '%02x'%ord(r) if r else '(nil)')) + + def _tx_string(self, s): + """This is only safe if it's guaranteed the card won't send any data + during the time of tx of the string !!!""" + self._sl.write(s) + r = self._sl.read(len(s)) + if r != s: # TX and RX are tied, so we must clear the echo + raise ProtocolError("Bad echo value (Expected: %s, got %s)" % (b2h(s), b2h(r))) + + def _rx_byte(self): + return self._sl.read() + + def send_apdu_raw(self, pdu): + """see LinkBase.send_apdu_raw""" + + pdu = h2b(pdu) + data_len = ord(pdu[4]) # P3 + + # Send first CLASS,INS,P1,P2,P3 + self._tx_string(pdu[0:5]) + + # Wait ack which can be + # - INS: Command acked -> go ahead + # - 0x60: NULL, just wait some more + # - SW1: The card can apparently proceed ... + while True: + b = self._rx_byte() + if b == pdu[1]: + break + elif b != '\x60': + # Ok, it 'could' be SW1 + sw1 = b + sw2 = self._rx_byte() + nil = self._rx_byte() + if (sw2 and not nil): + return '', b2h(sw1+sw2) + + raise ProtocolError() + + # Send data (if any) + if len(pdu) > 5: + self._tx_string(pdu[5:]) + + # Receive data (including SW !) + # length = [P3 - tx_data (=len(pdu)-len(hdr)) + 2 (SW1/2) ] + to_recv = data_len - len(pdu) + 5 + 2 + + data = '' + while (len(data) < to_recv): + b = self._rx_byte() + if (to_recv == 2) and (b == '\x60'): # Ignore NIL if we have no RX data (hack ?) + continue + if not b: + break; + data += b + + # Split datafield from SW + if len(data) < 2: + return None, None + sw = data[-2:] + data = data[0:-2] + + # Return value + return b2h(data), b2h(sw) diff --git a/pySim/utils.py b/pySim/utils.py new file mode 100644 index 0000000..d8b9518 --- /dev/null +++ b/pySim/utils.py 
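Review bot: in `_reset_card`, the interface-byte and historical-byte loops call `ord(self._rx_byte())` directly, and `_rx_byte` returns `''` on the 1 s read timeout, so a card that stops mid-ATR raises `TypeError` instead of the `ProtocolError` that `reset_card` and `wait_for_card` are written to handle. A small helper that turns an empty read into `ProtocolError` keeps that contract; sketch below. Separately, the `_tx_byte` message `"Bad echo value. Expected %02x, got %s)"` has an unbalanced `)`, and the bare `except:` around the `rst_meth_map`/`rst_val_map` lookups would also mask `KeyboardInterrupt` — `except (KeyError, IndexError):` is all that lookup can raise.
```python
    def _rx_atr_byte(self):
        # _rx_byte() returns '' on the read timeout; surface that as the
        # ProtocolError the callers of reset_card() already handle.
        b = self._rx_byte()
        if not b:
            raise ProtocolError("ATR truncated")
        return ord(b)

    def _reset_card(self):
        # … unchanged: reset pulse, TS/T0 handling …
        for i in range(4):
            if t0 & (0x10 << i):
                self._dbg_print("T%si = %x" % (chr(ord('A')+i), self._rx_atr_byte()))

        for i in range(0, t0 & 0xf):
            self._dbg_print("Historical = %x" % self._rx_atr_byte())
        # … unchanged: drain of extra bytes, return 1 …
```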
@@ -0,0 +1,44 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +""" pySim: various utilities +""" + +# +# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + + +def h2b(s): + return ''.join([chr((int(x,16)<<4)+int(y,16)) for x,y in zip(s[0::2], s[1::2])]) + +def b2h(s): + return ''.join(['%02x'%ord(x) for x in s]) + +def h2i(s): + return [(int(x,16)<<4)+int(y,16) for x,y in zip(s[0::2], s[1::2])] + +def i2h(s): + return ''.join(['%02x'%(x) for x in s]) + +def swap_nibbles(s): + return ''.join([x+y for x,y in zip(s[1::2], s[0::2])]) + +def rpad(s, l, c='f'): + return s + c * (l - len(s)) + +def lpad(s, l, c='f'): + return c * (l - len(s)) + s diff --git a/toorsimtool.py b/toorsimtool.py new file mode 100644 index 0000000..f5208b0 --- /dev/null +++ b/toorsimtool.py 
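Review bot: `h2b` and `h2i` pair nibbles with `zip(s[0::2], s[1::2])`, so an odd-length hex string silently loses its last nibble, and `rpad`/`lpad` return the input unchanged when it is already longer than `l` because `c * (l - len(s))` is empty. Both matter here since these helpers shape user-supplied Ki, IMSI and SMSP values straight into APDUs: a mistyped 31-digit Ki is silently shortened before the card sees it rather than rejected. Two guards cover it: `if len(s) % 2: raise ValueError('odd-length hex string')` at the top of `h2b`/`h2i`, and `if len(s) > l: raise ValueError('value longer than %d' % l)` in `rpad`/`lpad`.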
@@ -0,0 +1,276 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +""" toorsimtool.py: A toolkit for the Toorcamp SIM cards + + Requires the pySim libraries (http://cgit.osmocom.org/cgit/pysim/) +""" + +# +# Copyright (C) 2012 Karl Koscher <supersat@cs.washington.edu> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +from pySim.commands import SimCardCommands +from pySim.utils import swap_nibbles +try: + import argparse +except Exception, err: + print "Missing argparse -- try apt-get install python-argparse" +import zipfile +import time +import struct + +#------ + +def hex_ber_length(data): + dataLen = len(data) / 2 + if dataLen < 0x80: + return '%02x' % dataLen + dataLen = '%x' % dataLen + lenDataLen = len(dataLen) + if lenDataLen % 2: + dataLen = '0' + dataLen + lenDataLen = lenDataLen + 1 + return ('%02x' % (0x80 + (lenDataLen / 2))) + dataLen + +class AppLoaderCommands(object): + def __init__(self, transport): + self._tp = transport + self._apduCounter = 0; + + def send_terminal_profile(self): + return self._tp.send_apdu_checksw('A010000011FFFF000000000000000000000000000000') + + # Wrap an APDU inside an SMS-PP APDU + def send_wrapped_apdu(self, data): + # Command packet header + # SPI: PoR required + # TAR: Remote App Management (000000) + envelopeData = '0D0001000000000000000000' + ('%02x' % (self._apduCounter & 0xff)) + '00' + data; + self._apduCounter = 
self._apduCounter + 1 + + # Command + envelopeData = '027000' + ('%04x' % (len(envelopeData) / 2)) + envelopeData; + + # SMS-TDPU header: MS-Delivery, no more messages, TP-UD header, no reply path, + # TP-OA = TON/NPI 55667788, TP-PID = SIM Download, BS timestamp + envelopeData = '400881556677887ff600112912000004' + ('%02x' % (len(envelopeData) / 2)) + envelopeData; + + # (82) Device Identities: (83) Network to (81) USIM + # (8b) SMS-TPDU + envelopeData = '820283818B' + hex_ber_length(envelopeData) + envelopeData + + # d1 = SMS-PP Download, d2 = Cell Broadcast Download + envelopeData = 'd1' + hex_ber_length(envelopeData) + envelopeData; + response = self._tp.send_apdu_checksw('a0c20000' + ('%02x' % (len(envelopeData) / 2)) + envelopeData)[0] + + # Unwrap response + response = response[(int(response[10:12],16)*2)+12:] + return (response[6:], response[2:6]) + + def send_wrapped_apdu_checksw(self, data, sw="9000"): + response = self.send_wrapped_apdu(data) + if response[1] != sw: + raise RuntimeError("SW match failed! Expected %s and got %s." 
% (sw.lower(), response[1])) + return response + + def get_security_domain_aid(self): + # Get Status followed by Get Response + response = self.send_wrapped_apdu_checksw('80F28000024F0000C0000000')[0] + return response[2:(int(response[0:2],16)*2)+2] + + def delete_aid(self, aid, delete_related=True): + aidDesc = '4f' + ('%02x' % (len(aid) / 2)) + aid + apdu = '80e400' + ('80' if delete_related else '00') + ('%02x' % (len(aidDesc) / 2)) + aidDesc + '00c0000000' + return self.send_wrapped_apdu(apdu) + + def load_aid_raw(self, aid, executable, codeSize, volatileDataSize = 0, nonvolatileDataSize = 0): + loadParameters = 'c602' + ('%04x' % codeSize) + if volatileDataSize > 0: + loadParameters = loadParameters + 'c702' ('%04x' % volatileDataSize) + if nonvolatileDataSize > 0: + loadParameters = loadParameters + 'c802' ('%04x' % nonvolatileDataSize) + loadParameters = 'ef' + ('%02x' % (len(loadParameters) / 2)) + loadParameters + + # Install for load APDU, no security domain or hash specified + data = ('%02x' % (len(aid) / 2)) + aid + '0000' + ('%02x' % (len(loadParameters) / 2)) + loadParameters + '0000' + self.send_wrapped_apdu_checksw('80e60200' + ('%02x' % (len(data) / 2)) + data + '00c0000000') + + # Load APDUs + loadData = 'c4' + hex_ber_length(executable) + executable + loadBlock = 0; + + while len(loadData): + if len(loadData) > 0xd8: + apdu = '80e800' + ('%02x' % loadBlock) + '6c' + loadData[:0xd8] + loadData = loadData[0xd8:] + loadBlock = loadBlock + 1 + else: + apdu = '80e880' + ('%02x' % loadBlock) + ('%02x' % (len(loadData) / 2)) + loadData + loadData = '' + + self.send_wrapped_apdu_checksw(apdu + '00c0000000') + + def generate_load_file(self, capfile): + zipcap = zipfile.ZipFile(capfile) + zipfiles = zipcap.namelist() + + header = None + directory = None + impt = None + applet = None + clas = None + method = None + staticfield = None + export = None + constpool = None + reflocation = None + + for i, filename in enumerate(zipfiles): + if 
filename.lower().endswith('header.cap'): + header = zipcap.read(filename) + elif filename.lower().endswith('directory.cap'): + directory = zipcap.read(filename) + elif filename.lower().endswith('import.cap'): + impt = zipcap.read(filename) + elif filename.lower().endswith('applet.cap'): + applet = zipcap.read(filename) + elif filename.lower().endswith('class.cap'): + clas = zipcap.read(filename) + elif filename.lower().endswith('method.cap'): + method = zipcap.read(filename) + elif filename.lower().endswith('staticfield.cap'): + staticfield = zipcap.read(filename) + elif filename.lower().endswith('export.cap'): + export = zipcap.read(filename) + elif filename.lower().endswith('constantpool.cap'): + constpool = zipcap.read(filename) + elif filename.lower().endswith('reflocation.cap'): + reflocation = zipcap.read(filename) + + data = header.encode("hex") + if directory: + data = data + directory.encode("hex") + if impt: + data = data + impt.encode("hex") + if applet: + data = data + applet.encode("hex") + if clas: + data = data + clas.encode("hex") + if method: + data = data + method.encode("hex") + if staticfield: + data = data + staticfield.encode("hex") + if export: + data = data + export.encode("hex") + if constpool: + data = data + constpool.encode("hex") + if reflocation: + data = data + reflocation.encode("hex") + + return data + + def get_aid_from_load_file(self, data): + return data[26:26+(int(data[24:26],16)*2)] + + def load_app(self, capfile): + data = self.generate_load_file(capfile) + aid = self.get_aid_from_load_file(data) + self.load_aid_raw(aid, data, len(data) / 2) + + def install_app(self, args): + loadfile = self.generate_load_file(args.install) + aid = self.get_aid_from_load_file(loadfile) + + toolkit_params = '' + if args.enable_sim_toolkit: + assert len(args.access_domain) % 2 == 0 + assert len(args.priority_level) == 2 + toolkit_params = ('%02x' % (len(args.access_domain) / 2)) + args.access_domain + toolkit_params = toolkit_params + 
args.priority_level + ('%02x' % args.max_timers) + toolkit_params = toolkit_params + ('%02x' % args.max_menu_entry_text) + toolkit_params = toolkit_params + ('%02x' % args.max_menu_entries) + '0000' * args.max_menu_entries + '0000' + toolkit_params = 'ca' + ('%02x' % (len(toolkit_params) / 2)) + toolkit_params + + assert len(args.nonvolatile_memory_required) == 4 + assert len(args.volatile_memory_for_install) == 4 + parameters = 'c802' + args.nonvolatile_memory_required + 'c702' + args.volatile_memory_for_install + if toolkit_params: + parameters = parameters + toolkit_params + parameters = 'ef' + ('%02x' % (len(parameters) / 2)) + parameters + 'c9' + ('%02x' % (len(args.app_parameters) / 2)) + args.app_parameters + + data = ('%02x' % (len(aid) / 2)) + aid + ('%02x' % (len(args.module_aid) / 2)) + args.module_aid + ('%02x' % (len(args.instance_aid) / 2)) + \ + args.instance_aid + '0100' + ('%02x' % (len(parameters) / 2)) + parameters + '00' + self.send_wrapped_apdu_checksw('80e60c00' + ('%02x' % (len(data) / 2)) + data + '00c0000000') +#------ + +parser = argparse.ArgumentParser(description='Tool for Toorcamp SIMs.') +parser.add_argument('-s', '--serialport') +parser.add_argument('-p', '--pcsc', nargs='?', const=0, type=int) +parser.add_argument('-d', '--delete-app') +parser.add_argument('-l', '--load-app') +parser.add_argument('-i', '--install') +parser.add_argument('--module-aid') +parser.add_argument('--instance-aid') +parser.add_argument('--nonvolatile-memory-required', default='0000') +parser.add_argument('--volatile-memory-for-install', default='0000') +parser.add_argument('--enable-sim-toolkit', action='store_true') +parser.add_argument('--access-domain', default='ff') +parser.add_argument('--priority-level', default='01') +parser.add_argument('--max-timers', type=int, default=0) +parser.add_argument('--max-menu-entry-text', type=int, default=16) +parser.add_argument('--max-menu-entries', type=int, default=0) +parser.add_argument('--app-parameters', 
default='') +parser.add_argument('--print-info', action='store_true') +parser.add_argument('-n', '--new-card-required', action='store_true') +parser.add_argument('-z', '--sleep_after_insertion', type=float, default=0.0) +parser.add_argument('--disable-pin') + +args = parser.parse_args() + +if args.pcsc is not None: + from pySim.transport.pcsc import PcscSimLink + sl = PcscSimLink(args.pcsc) +elif args.serialport is not None: + from pySim.transport.serial import SerialSimLink + sl = SerialSimLink(device=args.serialport, baudrate=9600) +else: + raise RuntimeError("Need to specify either --serialport or --pcsc") + +sc = SimCardCommands(sl) +ac = AppLoaderCommands(sl) + +sl.wait_for_card(newcardonly=args.new_card_required) +time.sleep(args.sleep_after_insertion) + +# Get the ICCID +print "ICCID: " + swap_nibbles(sc.read_binary(['3f00', '2fe2'])[0]) +ac.send_terminal_profile() + +if args.delete_app: + ac.delete_aid(args.delete_app) + +if args.load_app: + ac.load_app(args.load_app) + +if args.install: + ac.install_app(args) + +if args.print_info: + print "--print-info not implemented yet." + +if args.disable_pin: + sl.send_apdu_checksw('0026000108' + args.disable_pin.encode("hex") + 'ff' * (8 - len(args.disable_pin))) |
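Review bot: In load_aid_raw the two optional parameter branches are missing a `+`: `loadParameters + 'c702' ('%04x' % volatileDataSize)` calls the string `'c702'` as a function and raises TypeError as soon as volatileDataSize (or, in the next branch, nonvolatileDataSize) is non-zero; they should read `loadParameters = loadParameters + 'c702' + ('%04x' % volatileDataSize)` and `loadParameters = loadParameters + 'c802' + ('%04x' % nonvolatileDataSize)`. delete_aid sends through send_wrapped_apdu rather than send_wrapped_apdu_checksw and the script discards its return value, so a refused DELETE (wrong AID, missing privilege) is never reported to the operator. The --disable-pin path hard-codes an Lc of 08 but never checks the PIN length, so a value longer than 8 characters produces a data field that no longer matches Lc; a guard before the send, `if len(args.disable_pin) > 8: raise ValueError("PIN must be at most 8 characters")`, keeps the APDU well-formed. install_app validates its inputs with bare `assert`, which is stripped under -O, so those length checks should be ValueError raises instead; the same applies to the unchecked `'%02x' % args.max_timers`-style fields, which emit three hex digits for values above 255 and corrupt the following length bytes.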