authorKarl Koscher <github@degdeg.com>2012-07-21 21:54:37 -0700
committerKarl Koscher <github@degdeg.com>2012-07-21 21:54:37 -0700
commit60b8461d28409c1ca7ca491020248d059840e82c (patch)
tree9e8b60d0d58a4476d07642504c38364ce7922c48
parent7b86d6e0a32dca8918775b3e2bb0dfb04a843766 (diff)
Initial commit of the Toorcamp SIM tool
-rw-r--r--pySim/__init__.py0
-rw-r--r--pySim/cards.py351
-rw-r--r--pySim/commands.py95
-rw-r--r--pySim/exceptions.py33
-rw-r--r--pySim/transport/__init__.py88
-rw-r--r--pySim/transport/pcsc.py80
-rw-r--r--pySim/transport/serial.py224
-rw-r--r--pySim/utils.py44
-rw-r--r--toorsimtool.py276
9 files changed, 1191 insertions, 0 deletions
diff --git a/pySim/__init__.py b/pySim/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/pySim/__init__.py
diff --git a/pySim/cards.py b/pySim/cards.py
new file mode 100644
index 0000000..88eceb0
--- /dev/null
+++ b/pySim/cards.py
@@ -0,0 +1,351 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+""" pySim: Card programmation logic
+"""
+
+#
+# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com>
+# Copyright (C) 2011 Harald Welte <laforge@gnumonks.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from pySim.utils import b2h, h2b, swap_nibbles, rpad, lpad
+
+
+class Card(object):
+
+ def __init__(self, scc):
+ self._scc = scc
+
+ def _e_iccid(self, iccid):
+ return swap_nibbles(rpad(iccid, 20))
+
+ def _e_imsi(self, imsi):
+ """Converts a string imsi into the value of the EF"""
+ l = (len(imsi) + 1) // 2 # Required bytes
+ oe = len(imsi) & 1 # Odd (1) / Even (0)
+ ei = '%02x' % l + swap_nibbles(lpad('%01x%s' % ((oe<<3)|1, imsi), 16))
+ return ei
+
+ def _e_plmn(self, mcc, mnc):
+ """Converts integer MCC/MNC into 6 bytes for EF"""
+ return swap_nibbles(lpad('%d' % mcc, 3) + lpad('%d' % mnc, 3))
+
+ def reset(self):
+ self._scc.reset_card()
+
+
+class _MagicSimBase(Card):
+ """
+ Theses cards uses several record based EFs to store the provider infos,
+ each possible provider uses a specific record number in each EF. The
+ indexes used are ( where N is the number of providers supported ) :
+ - [2 .. N+1] for the operator name
+ - [1 .. N] for the programable EFs
+
+ * 3f00/7f4d/8f0c : Operator Name
+
+ bytes 0-15 : provider name, padded with 0xff
+ byte 16 : length of the provider name
+ byte 17 : 01 for valid records, 00 otherwise
+
+ * 3f00/7f4d/8f0d : Programmable Binary EFs
+
+ * 3f00/7f4d/8f0e : Programmable Record EFs
+
+ """
+
+ @classmethod
+ def autodetect(kls, scc):
+ try:
+ for p, l, t in kls._files.values():
+ if not t:
+ continue
+ if scc.record_size(['3f00', '7f4d', p]) != l:
+ return None
+ except:
+ return None
+
+ return kls(scc)
+
+ def _get_count(self):
+ """
+ Selects the file and returns the total number of entries
+ and entry size
+ """
+ f = self._files['name']
+
+ r = self._scc.select_file(['3f00', '7f4d', f[0]])
+ rec_len = int(r[-1][28:30], 16)
+ tlen = int(r[-1][4:8],16)
+ rec_cnt = (tlen / rec_len) - 1;
+
+ if (rec_cnt < 1) or (rec_len != f[1]):
+ raise RuntimeError('Bad card type')
+
+ return rec_cnt
+
+ def program(self, p):
+ # Go to dir
+ self._scc.select_file(['3f00', '7f4d'])
+
+ # Home PLMN in PLMN_Sel format
+ hplmn = self._e_plmn(p['mcc'], p['mnc'])
+
+ # Operator name ( 3f00/7f4d/8f0c )
+ self._scc.update_record(self._files['name'][0], 2,
+ rpad(b2h(p['name']), 32) + ('%02x' % len(p['name'])) + '01'
+ )
+
+ # ICCID/IMSI/Ki/HPLMN ( 3f00/7f4d/8f0d )
+ v = ''
+
+ # inline Ki
+ if self._ki_file is None:
+ v += p['ki']
+
+ # ICCID
+ v += '3f00' + '2fe2' + '0a' + self._e_iccid(p['iccid'])
+
+ # IMSI
+ v += '7f20' + '6f07' + '09' + self._e_imsi(p['imsi'])
+
+ # Ki
+ if self._ki_file:
+ v += self._ki_file + '10' + p['ki']
+
+ # PLMN_Sel
+ v+= '6f30' + '18' + rpad(hplmn, 36)
+
+ self._scc.update_record(self._files['b_ef'][0], 1,
+ rpad(v, self._files['b_ef'][1]*2)
+ )
+
+ # SMSP ( 3f00/7f4d/8f0e )
+ # FIXME
+
+ # Write PLMN_Sel forcefully as well
+ r = self._scc.select_file(['3f00', '7f20', '6f30'])
+ tl = int(r[-1][4:8], 16)
+
+ hplmn = self._e_plmn(p['mcc'], p['mnc'])
+ self._scc.update_binary('6f30', hplmn + 'ff' * (tl-3))
+
+ def erase(self):
+ # Dummy
+ df = {}
+ for k, v in self._files.iteritems():
+ ofs = 1
+ fv = v[1] * 'ff'
+ if k == 'name':
+ ofs = 2
+ fv = fv[0:-4] + '0000'
+ df[v[0]] = (fv, ofs)
+
+ # Write
+ for n in range(0,self._get_count()):
+ for k, (msg, ofs) in df.iteritems():
+ self._scc.update_record(['3f00', '7f4d', k], n + ofs, msg)
+
+
+class SuperSim(_MagicSimBase):
+
+ name = 'supersim'
+
+ _files = {
+ 'name' : ('8f0c', 18, True),
+ 'b_ef' : ('8f0d', 74, True),
+ 'r_ef' : ('8f0e', 50, True),
+ }
+
+ _ki_file = None
+
+
+class MagicSim(_MagicSimBase):
+
+ name = 'magicsim'
+
+ _files = {
+ 'name' : ('8f0c', 18, True),
+ 'b_ef' : ('8f0d', 130, True),
+ 'r_ef' : ('8f0e', 102, False),
+ }
+
+ _ki_file = '6f1b'
+
+
+class FakeMagicSim(Card):
+ """
+ Theses cards have a record based EF 3f00/000c that contains the provider
+ informations. See the program method for its format. The records go from
+ 1 to N.
+ """
+
+ name = 'fakemagicsim'
+
+ @classmethod
+ def autodetect(kls, scc):
+ try:
+ if scc.record_size(['3f00', '000c']) != 0x5a:
+ return None
+ except:
+ return None
+
+ return kls(scc)
+
+ def _get_infos(self):
+ """
+ Selects the file and returns the total number of entries
+ and entry size
+ """
+
+ r = self._scc.select_file(['3f00', '000c'])
+ rec_len = int(r[-1][28:30], 16)
+ tlen = int(r[-1][4:8],16)
+ rec_cnt = (tlen / rec_len) - 1;
+
+ if (rec_cnt < 1) or (rec_len != 0x5a):
+ raise RuntimeError('Bad card type')
+
+ return rec_cnt, rec_len
+
+ def program(self, p):
+ # Home PLMN
+ r = self._scc.select_file(['3f00', '7f20', '6f30'])
+ tl = int(r[-1][4:8], 16)
+
+ hplmn = self._e_plmn(p['mcc'], p['mnc'])
+ self._scc.update_binary('6f30', hplmn + 'ff' * (tl-3))
+
+ # Get total number of entries and entry size
+ rec_cnt, rec_len = self._get_infos()
+
+ # Set first entry
+ entry = (
+ '81' + # 1b Status: Valid & Active
+ rpad(b2h(p['name'][0:14]), 28) + # 14b Entry Name
+ self._e_iccid(p['iccid']) + # 10b ICCID
+ self._e_imsi(p['imsi']) + # 9b IMSI_len + id_type(9) + IMSI
+ p['ki'] + # 16b Ki
+ lpad(p['smsp'], 80) # 40b SMSP (padded with ff if needed)
+ )
+ self._scc.update_record('000c', 1, entry)
+
+ def erase(self):
+ # Get total number of entries and entry size
+ rec_cnt, rec_len = self._get_infos()
+
+ # Erase all entries
+ entry = 'ff' * rec_len
+ for i in range(0, rec_cnt):
+ self._scc.update_record('000c', 1+i, entry)
+
+class GrcardSim(Card):
+ """
+ Greencard (grcard.cn) HZCOS GSM SIM
+ These cards have a much more regular ISO 7816-4 / TS 11.11 structure,
+ and use standard UPDATE RECORD / UPDATE BINARY commands except for Ki.
+ """
+
+ name = 'grcardsim'
+
+ @classmethod
+ def autodetect(kls, scc):
+ return None
+
+ def program(self, p):
+ # We don't really know yet what ADM PIN 4 is about
+ #self._scc.verify_chv(4, h2b("4444444444444444"))
+
+ # Authenticate using ADM PIN 5
+ self._scc.verify_chv(5, h2b("4444444444444444"))
+
+ # EF.ICCID
+ r = self._scc.select_file(['3f00', '2fe2'])
+ data, sw = self._scc.update_binary('2fe2', self._e_iccid(p['iccid']))
+
+ # EF.IMSI
+ r = self._scc.select_file(['3f00', '7f20', '6f07'])
+ data, sw = self._scc.update_binary('6f07', self._e_imsi(p['imsi']))
+
+ # EF.ACC
+ #r = self._scc.select_file(['3f00', '7f20', '6f78'])
+ #self._scc.update_binary('6f78', self._e_imsi(p['imsi'])
+
+ # EF.SMSP
+ r = self._scc.select_file(['3f00', '7f10', '6f42'])
+ data, sw = self._scc.update_record('6f42', 1, lpad(p['smsp'], 80))
+
+ # Set the Ki using proprietary command
+ pdu = '80d4020010' + p['ki']
+ data, sw = self._scc._tp.send_apdu(pdu)
+
+ # EF.HPLMN
+ r = self._scc.select_file(['3f00', '7f20', '6f30'])
+ size = int(r[-1][4:8], 16)
+ hplmn = self._e_plmn(p['mcc'], p['mnc'])
+ self._scc.update_binary('6f30', hplmn + 'ff' * (size-3))
+
+ # EF.SPN (Service Provider Name)
+ r = self._scc.select_file(['3f00', '7f20', '6f30'])
+ size = int(r[-1][4:8], 16)
+ # FIXME
+
+ # FIXME: EF.MSISDN
+
+ def erase(self):
+ return
+
+class SysmoSIMgr1(GrcardSim):
+ """
+ sysmocom sysmoSIM-GR1
+ These cards have a much more regular ISO 7816-4 / TS 11.11 structure,
+ and use standard UPDATE RECORD / UPDATE BINARY commands except for Ki.
+ """
+ name = 'sysmosim-gr1'
+
+ # In order for autodetection ...
+
+class SysmoUSIMgr1(Card):
+ """
+ sysmocom sysmoUSIM-GR1
+ """
+ name = 'sysmoUSIM-GR1'
+
+ @classmethod
+ def autodetect(kls, scc):
+ # TODO: Access the ATR
+ return None
+
+ def program(self, p):
+ # TODO: check if verify_chv could be used or what it needs
+ # self._scc.verify_chv(0x0A, [0x33,0x32,0x32,0x31,0x33,0x32,0x33,0x32])
+ # Unlock the card..
+ data, sw = self._scc._tp.send_apdu_checksw("0020000A083332323133323332")
+
+ # TODO: move into SimCardCommands
+ par = ( p['ki'] + # 16b K
+ p['opc'] + # 32b OPC
+ self._e_iccid(p['iccid']) + # 10b ICCID
+ self._e_imsi(p['imsi']) # 9b IMSI_len + id_type(9) + IMSI
+ )
+ data, sw = self._scc._tp.send_apdu_checksw("0099000033" + par)
+
+ def erase(self):
+ return
+
+_cards_classes = [ FakeMagicSim, SuperSim, MagicSim, GrcardSim,
+ SysmoSIMgr1, SysmoUSIMgr1 ]
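Review bot: The proprietary Ki write in `GrcardSim.program` at `data, sw = self._scc._tp.send_apdu(pdu)` discards the status word, so a rejected write (wrong ADM state, bad length) is never reported and programming continues as if the key had been stored; use `data, sw = self._scc._tp.send_apdu_checksw(pdu)` as the raw APDUs in `SysmoUSIMgr1.program` already do. The bare `except:` in both autodetect classmethods (`_MagicSimBase.autodetect`, `FakeMagicSim.autodetect`) also swallows KeyboardInterrupt and SystemExit while probing the card; `except Exception:` is enough to turn a protocol failure into "not this card type". Finally, `_MagicSimBase.program` pads `b2h(p['name'])` to 32 hex digits but never truncates it, unlike `FakeMagicSim.program`'s `p['name'][0:14]`, so a name longer than 16 bytes only fails later inside `update_record` with a length error — `b2h(p['name'][0:16])` would make the limit explicit at the point it applies.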
diff --git a/pySim/commands.py b/pySim/commands.py
new file mode 100644
index 0000000..f650272
--- /dev/null
+++ b/pySim/commands.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+""" pySim: SIM Card commands according to ISO 7816-4 and TS 11.11
+"""
+
+#
+# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com>
+# Copyright (C) 2010 Harald Welte <laforge@gnumonks.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from pySim.utils import rpad, b2h
+
+
+class SimCardCommands(object):
+ def __init__(self, transport):
+ self._tp = transport;
+
+ def select_file(self, dir_list):
+ rv = []
+ for i in dir_list:
+ data, sw = self._tp.send_apdu_checksw("a0a4000002" + i)
+ rv.append(data)
+ return rv
+
+ def read_binary(self, ef, length=None, offset=0):
+ if not hasattr(type(ef), '__iter__'):
+ ef = [ef]
+ r = self.select_file(ef)
+ if length is None:
+ length = int(r[-1][4:8], 16) - offset
+ pdu = 'a0b0%04x%02x' % (offset, (min(256, length) & 0xff))
+ return self._tp.send_apdu(pdu)
+
+ def update_binary(self, ef, data, offset=0):
+ if not hasattr(type(ef), '__iter__'):
+ ef = [ef]
+ self.select_file(ef)
+ pdu = 'a0d6%04x%02x' % (offset, len(data)/2) + data
+ return self._tp.send_apdu_checksw(pdu)
+
+ def read_record(self, ef, rec_no):
+ if not hasattr(type(ef), '__iter__'):
+ ef = [ef]
+ r = self.select_file(ef)
+ rec_length = int(r[-1][28:30], 16)
+ pdu = 'a0b2%02x04%02x' % (rec_no, rec_length)
+ return self._tp.send_apdu(pdu)
+
+ def update_record(self, ef, rec_no, data, force_len=False):
+ if not hasattr(type(ef), '__iter__'):
+ ef = [ef]
+ r = self.select_file(ef)
+ if not force_len:
+ rec_length = int(r[-1][28:30], 16)
+ if (len(data)/2 != rec_length):
+ raise ValueError('Invalid data length (expected %d, got %d)' % (rec_length, len(data)/2))
+ else:
+ rec_length = len(data)/2
+ pdu = ('a0dc%02x04%02x' % (rec_no, rec_length)) + data
+ return self._tp.send_apdu_checksw(pdu)
+
+ def record_size(self, ef):
+ r = self.select_file(ef)
+ return int(r[-1][28:30], 16)
+
+ def record_count(self, ef):
+ r = self.select_file(ef)
+ return int(r[-1][4:8], 16) // int(r[-1][28:30], 16)
+
+ def run_gsm(self, rand):
+ if len(rand) != 32:
+ raise ValueError('Invalid rand')
+ self.select_file(['3f00', '7f20'])
+ return self._tp.send_apdu('a088000010' + rand)
+
+ def reset_card(self):
+ return self._tp.reset_card()
+
+ def verify_chv(self, chv_no, code):
+ fc = rpad(b2h(code), 16)
+ return self._tp.send_apdu_checksw('a02000' + ('%02x' % chv_no) + '08' + fc)
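Review bot: `verify_chv` builds the APDU with a fixed Lc of `08`, but `rpad(b2h(code), 16)` never truncates, so a code longer than 8 bytes yields a malformed APDU whose body does not match its declared length; add `if len(code) > 8: raise ValueError('CHV code longer than 8 bytes')` before the pad. `update_binary` has the same shape of problem at `'a0d6%04x%02x' % (offset, len(data)/2)`: an odd-length hex string or more than 255 bytes of data produces a mismatched or three-digit Lc instead of an error. A check there too (`if len(data) % 2 or len(data) / 2 > 255: raise ValueError('invalid data length')`) keeps the transport from sending a PDU the card is likely to reject with an unhelpful status word.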
diff --git a/pySim/exceptions.py b/pySim/exceptions.py
new file mode 100644
index 0000000..403f54c
--- /dev/null
+++ b/pySim/exceptions.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+""" pySim: Exceptions
+"""
+
+#
+# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from __future__ import absolute_import
+
+import exceptions
+
+
+class NoCardError(exceptions.Exception):
+ pass
+
+class ProtocolError(exceptions.Exception):
+ pass
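Review bot: `NoCardError` and `ProtocolError` carry no docstring, and since the transports raise them for distinct conditions (no card present versus a bad exchange with the card or reader), a one-line docstring on each would tell callers which to catch: `"""Raised when no card is present in the reader."""` and `"""Raised when the card or reader returned an unexpected response."""`. The `import exceptions` is redundant in Python 2, where `exceptions.Exception` is the builtin `Exception`; subclassing `Exception` directly avoids a module that does not exist in Python 3.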
diff --git a/pySim/transport/__init__.py b/pySim/transport/__init__.py
new file mode 100644
index 0000000..dd04bba
--- /dev/null
+++ b/pySim/transport/__init__.py
@@ -0,0 +1,88 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+""" pySim: PCSC reader transport link base
+"""
+
+#
+# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+class LinkBase(object):
+
+ def wait_for_card(self, timeout=None, newcardonly=False):
+ """wait_for_card(): Wait for a card and connect to it
+
+ timeout : Maximum wait time (None=no timeout)
+ newcardonly : Should we wait for a new card, or an already
+ inserted one ?
+ """
+ pass
+
+ def connect(self):
+ """connect(): Connect to a card immediately
+ """
+ pass
+
+ def disconnect(self):
+ """disconnect(): Disconnect from card
+ """
+ pass
+
+ def reset_card(self):
+ """reset_card(): Resets the card (power down/up)
+ """
+ pass
+
+ def send_apdu_raw(self, pdu):
+ """send_apdu_raw(pdu): Sends an APDU with minimal processing
+
+ pdu : string of hexadecimal characters (ex. "A0A40000023F00")
+ return : tuple(data, sw), where
+ data : string (in hex) of returned data (ex. "074F4EFFFF")
+ sw : string (in hex) of status word (ex. "9000")
+ """
+ pass
+
+ def send_apdu(self, pdu):
+ """send_apdu(pdu): Sends an APDU and auto fetch response data
+
+ pdu : string of hexadecimal characters (ex. "A0A40000023F00")
+ return : tuple(data, sw), where
+ data : string (in hex) of returned data (ex. "074F4EFFFF")
+ sw : string (in hex) of status word (ex. "9000")
+ """
+ data, sw = self.send_apdu_raw(pdu)
+
+ if (sw is not None) and (sw[0:2] == '9f'):
+ pdu_gr = pdu[0:2] + 'c00000' + sw[2:4]
+ data, sw = self.send_apdu_raw(pdu_gr)
+
+ return data, sw
+
+ def send_apdu_checksw(self, pdu, sw="9000"):
+ """send_apdu_checksw(pdu,sw): Sends an APDU and check returned SW
+
+ pdu : string of hexadecimal characters (ex. "A0A40000023F00")
+ sw : string of 4 hexadecimal characters (ex. "9000")
+ return : tuple(data, sw), where
+ data : string (in hex) of returned data (ex. "074F4EFFFF")
+ sw : string (in hex) of status word (ex. "9000")
+ """
+ rv = self.send_apdu(pdu)
+ if sw.lower() != rv[1]:
+ raise RuntimeError("SW match failed ! Expected %s and got %s." % (sw.lower(), rv[1]))
+ return rv
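Review bot: The base-class stubs return `None`, so a subclass that forgets to override `send_apdu_raw` fails inside `send_apdu` at `data, sw = self.send_apdu_raw(pdu)` with a TypeError about unpacking `None` rather than a message naming the missing method; `raise NotImplementedError` in `wait_for_card`, `connect`, `reset_card` and `send_apdu_raw` would make the contract explicit. In `send_apdu` the GET RESPONSE path triggers only on `sw[0:2] == '9f'`; cards addressed with CLA `00` (as `SysmoUSIMgr1.program` does elsewhere in this commit) may instead answer `61xx` per ISO 7816-4, and that case would currently return the status word with no data. Either handle `'61'` the same way or document in the docstring that only the GSM 11.11 `9fxx` form is fetched.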
diff --git a/pySim/transport/pcsc.py b/pySim/transport/pcsc.py
new file mode 100644
index 0000000..dc040c5
--- /dev/null
+++ b/pySim/transport/pcsc.py
@@ -0,0 +1,80 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+""" pySim: PCSC reader transport link
+"""
+
+#
+# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com>
+# Copyright (C) 2010 Harald Welte <laforge@gnumonks.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from smartcard.CardRequest import CardRequest
+from smartcard.Exceptions import NoCardException, CardRequestTimeoutException
+from smartcard.System import readers
+
+from pySim.exceptions import NoCardError
+from pySim.transport import LinkBase
+from pySim.utils import h2i, i2h
+
+
+class PcscSimLink(LinkBase):
+
+ def __init__(self, reader_number=0):
+ r = readers();
+ self._reader = r[reader_number]
+ self._con = self._reader.createConnection()
+
+ def __del__(self):
+ self._con.disconnect()
+ return
+
+ def wait_for_card(self, timeout=None, newcardonly=False):
+ cr = CardRequest(readers=[self._reader], timeout=timeout, newcardonly=newcardonly)
+ try:
+ cr.waitforcard()
+ except CardRequestTimeoutException:
+ raise NoCardError()
+ self.connect()
+
+ def connect(self):
+ try:
+ self._con.connect()
+ except NoCardException:
+ raise NoCardError()
+
+ def disconnect(self):
+ self._con.disconnect()
+
+ def reset_card(self):
+ self._con.disconnect()
+ try:
+ self._con.connect()
+ except NoCardException:
+ raise NoCardError()
+ return 1
+
+ def send_apdu_raw(self, pdu):
+ """see LinkBase.send_apdu_raw"""
+
+ apdu = h2i(pdu)
+
+ data, sw1, sw2 = self._con.transmit(apdu)
+
+ sw = [sw1, sw2]
+
+ # Return value
+ return i2h(data), i2h(sw)
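Review bot: `__del__` unconditionally calls `self._con.disconnect()`, but if `__init__` raised before `self._con` was assigned (for example `readers()` returning an empty list so `r[reader_number]` raises IndexError) the destructor then raises AttributeError on top of the original error; guard it with `con = getattr(self, '_con', None)` and `if con is not None: con.disconnect()`. `SerialSimLink.__del__` in pySim/transport/serial.py has the same exposure through `self._sl`. The IndexError in `__init__` could also be turned into a clearer message, e.g. `raise RuntimeError('no PC/SC reader at index %d' % reader_number)`.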
diff --git a/pySim/transport/serial.py b/pySim/transport/serial.py
new file mode 100644
index 0000000..825c458
--- /dev/null
+++ b/pySim/transport/serial.py
@@ -0,0 +1,224 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+""" pySim: Transport Link for serial (RS232) based readers included with simcard
+"""
+
+#
+# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from __future__ import absolute_import
+
+import serial
+import time
+
+from pySim.exceptions import NoCardError, ProtocolError
+from pySim.transport import LinkBase
+from pySim.utils import h2b, b2h
+
+
+class SerialSimLink(LinkBase):
+
+ def __init__(self, device='/dev/ttyUSB0', baudrate=9600, rst='-rts', debug=False):
+ self._sl = serial.Serial(
+ port = device,
+ parity = serial.PARITY_EVEN,
+ bytesize = serial.EIGHTBITS,
+ stopbits = serial.STOPBITS_TWO,
+ timeout = 1,
+ xonxoff = 0,
+ rtscts = 0,
+ baudrate = baudrate,
+ )
+ self._rst_pin = rst
+ self._debug = debug
+
+ def __del__(self):
+ self._sl.close()
+
+ def wait_for_card(self, timeout=None, newcardonly=False):
+ # Direct try
+ existing = False
+
+ try:
+ self.reset_card()
+ if not newcardonly:
+ return
+ else:
+ existing = True
+ except NoCardError:
+ pass
+
+ # Poll ...
+ mt = time.time() + timeout if timeout is not None else None
+ pe = 0
+
+ while (mt is None) or (time.time() < mt):
+ try:
+ time.sleep(0.5)
+ self.reset_card()
+ if not existing:
+ return
+ except NoCardError:
+ existing = False
+ except ProtocolError:
+ if existing:
+ existing = False
+ else:
+ # Tolerate a couple of protocol error ... can happen if
+ # we try when the card is 'half' inserted
+ pe += 1
+ if (pe > 2):
+ raise
+
+ # Timed out ...
+ raise NoCardError()
+
+ def connect(self):
+ self.reset_card()
+
+ def disconnect(self):
+ pass # Nothing to do really ...
+
+ def reset_card(self):
+ rv = self._reset_card()
+ if rv == 0:
+ raise NoCardError()
+ elif rv < 0:
+ raise ProtocolError()
+
+ def _reset_card(self):
+ rst_meth_map = {
+ 'rts': self._sl.setRTS,
+ 'dtr': self._sl.setDTR,
+ }
+ rst_val_map = { '+':0, '-':1 }
+
+ try:
+ rst_meth = rst_meth_map[self._rst_pin[1:]]
+ rst_val = rst_val_map[self._rst_pin[0]]
+ except:
+ raise ValueError('Invalid reset pin %s' % self._rst_pin);
+
+ rst_meth(rst_val)
+ time.sleep(0.1) # 100 ms
+ self._sl.flushInput()
+ rst_meth(rst_val ^ 1)
+
+ b = self._rx_byte()
+ if not b:
+ return 0
+ if ord(b) != 0x3b:
+ return -1;
+ self._dbg_print("TS: 0x%x Direct convention" % ord(b))
+
+ while ord(b) == 0x3b:
+ b = self._rx_byte()
+
+ if not b:
+ return -1
+ t0 = ord(b)
+ self._dbg_print("T0: 0x%x" % t0)
+
+ for i in range(4):
+ if t0 & (0x10 << i):
+ self._dbg_print("T%si = %x" % (chr(ord('A')+i), ord(self._rx_byte())))
+
+ for i in range(0, t0 & 0xf):
+ self._dbg_print("Historical = %x" % ord(self._rx_byte()))
+
+ while True:
+ x = self._rx_byte()
+ if not x:
+ break
+ self._dbg_print("Extra: %x" % ord(x))
+
+ return 1
+
+ def _dbg_print(self, s):
+ if self._debug:
+ print s
+
+ def _tx_byte(self, b):
+ self._sl.write(b)
+ r = self._sl.read()
+ if r != b: # TX and RX are tied, so we must clear the echo
+ raise ProtocolError("Bad echo value. Expected %02x, got %s)" % (ord(b), '%02x'%ord(r) if r else '(nil)'))
+
+ def _tx_string(self, s):
+ """This is only safe if it's guaranteed the card won't send any data
+ during the time of tx of the string !!!"""
+ self._sl.write(s)
+ r = self._sl.read(len(s))
+ if r != s: # TX and RX are tied, so we must clear the echo
+ raise ProtocolError("Bad echo value (Expected: %s, got %s)" % (b2h(s), b2h(r)))
+
+ def _rx_byte(self):
+ return self._sl.read()
+
+ def send_apdu_raw(self, pdu):
+ """see LinkBase.send_apdu_raw"""
+
+ pdu = h2b(pdu)
+ data_len = ord(pdu[4]) # P3
+
+ # Send first CLASS,INS,P1,P2,P3
+ self._tx_string(pdu[0:5])
+
+ # Wait ack which can be
+ # - INS: Command acked -> go ahead
+ # - 0x60: NULL, just wait some more
+ # - SW1: The card can apparently proceed ...
+ while True:
+ b = self._rx_byte()
+ if b == pdu[1]:
+ break
+ elif b != '\x60':
+ # Ok, it 'could' be SW1
+ sw1 = b
+ sw2 = self._rx_byte()
+ nil = self._rx_byte()
+ if (sw2 and not nil):
+ return '', b2h(sw1+sw2)
+
+ raise ProtocolError()
+
+ # Send data (if any)
+ if len(pdu) > 5:
+ self._tx_string(pdu[5:])
+
+ # Receive data (including SW !)
+ # length = [P3 - tx_data (=len(pdu)-len(hdr)) + 2 (SW1/2) ]
+ to_recv = data_len - len(pdu) + 5 + 2
+
+ data = ''
+ while (len(data) < to_recv):
+ b = self._rx_byte()
+ if (to_recv == 2) and (b == '\x60'): # Ignore NIL if we have no RX data (hack ?)
+ continue
+ if not b:
+ break;
+ data += b
+
+ # Split datafield from SW
+ if len(data) < 2:
+ return None, None
+ sw = data[-2:]
+ data = data[0:-2]
+
+ # Return value
+ return b2h(data), b2h(sw)
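Review bot: The ATR parse in `_reset_card` calls `ord(self._rx_byte())` directly for the interface bytes and the historical bytes, so a card that stops sending mid-ATR (or a 1 s read timeout) makes `ord('')` raise TypeError instead of returning -1 like the TS/T0 checks above it, and `reset_card` never gets to raise `ProtocolError`; each read should be checked before `ord`. The bare `except:` around the `rst_meth_map`/`rst_val_map` lookups in the same method should be `except (KeyError, IndexError):` so that it only converts a bad `rst` string into the ValueError. The enclosing method is fully inside the hunk; the rewritten loops follow.
```python
# … unchanged: reset pulse, TS and T0 handling …
for i in range(4):
    if t0 & (0x10 << i):
        tb = self._rx_byte()
        if not tb:
            return -1  # truncated ATR: interface byte announced by T0 never arrived
        self._dbg_print("T%si = %x" % (chr(ord('A')+i), ord(tb)))

for i in range(0, t0 & 0xf):
    hb = self._rx_byte()
    if not hb:
        return -1  # truncated ATR: fewer historical bytes than T0 declared
    self._dbg_print("Historical = %x" % ord(hb))
# … unchanged: drain of extra bytes, return 1 …
```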
diff --git a/pySim/utils.py b/pySim/utils.py
new file mode 100644
index 0000000..d8b9518
--- /dev/null
+++ b/pySim/utils.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+""" pySim: various utilities
+"""
+
+#
+# Copyright (C) 2009-2010 Sylvain Munaut <tnt@246tNt.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+def h2b(s):
+ return ''.join([chr((int(x,16)<<4)+int(y,16)) for x,y in zip(s[0::2], s[1::2])])
+
+def b2h(s):
+ return ''.join(['%02x'%ord(x) for x in s])
+
+def h2i(s):
+ return [(int(x,16)<<4)+int(y,16) for x,y in zip(s[0::2], s[1::2])]
+
+def i2h(s):
+ return ''.join(['%02x'%(x) for x in s])
+
+def swap_nibbles(s):
+ return ''.join([x+y for x,y in zip(s[1::2], s[0::2])])
+
+def rpad(s, l, c='f'):
+ return s + c * (l - len(s))
+
+def lpad(s, l, c='f'):
+ return c * (l - len(s)) + s
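Review bot: `h2b` and `h2i` silently drop the last nibble of an odd-length hex string because `zip(s[0::2], s[1::2])` truncates to the shorter slice, and `swap_nibbles` drops the last character the same way, so a malformed ICCID/IMSI/Ki string from a caller is shortened instead of rejected; add `if len(s) % 2: raise ValueError('odd-length hex string')` at the top of each. `rpad` and `lpad` likewise return `s` unchanged when `len(s) > l` rather than signalling the overflow, which is what lets over-long values reach fixed-length fields in cards.py and commands.py; at minimum a docstring on each stating that they never truncate would make that contract visible, and raising `ValueError` on overflow would be safer.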
diff --git a/toorsimtool.py b/toorsimtool.py
new file mode 100644
index 0000000..f5208b0
--- /dev/null
+++ b/toorsimtool.py
@@ -0,0 +1,276 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+""" toorsimtool.py: A toolkit for the Toorcamp SIM cards
+
+ Requires the pySim libraries (http://cgit.osmocom.org/cgit/pysim/)
+"""
+
+#
+# Copyright (C) 2012 Karl Koscher <supersat@cs.washington.edu>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from pySim.commands import SimCardCommands
+from pySim.utils import swap_nibbles
+try:
+ import argparse
+except Exception, err:
+ print "Missing argparse -- try apt-get install python-argparse"
+import zipfile
+import time
+import struct
+
+#------
+
+def hex_ber_length(data):
+ dataLen = len(data) / 2
+ if dataLen < 0x80:
+ return '%02x' % dataLen
+ dataLen = '%x' % dataLen
+ lenDataLen = len(dataLen)
+ if lenDataLen % 2:
+ dataLen = '0' + dataLen
+ lenDataLen = lenDataLen + 1
+ return ('%02x' % (0x80 + (lenDataLen / 2))) + dataLen
+
+class AppLoaderCommands(object):
+ def __init__(self, transport):
+ self._tp = transport
+ self._apduCounter = 0;
+
+ def send_terminal_profile(self):
+ return self._tp.send_apdu_checksw('A010000011FFFF000000000000000000000000000000')
+
+ # Wrap an APDU inside an SMS-PP APDU
+ def send_wrapped_apdu(self, data):
+ # Command packet header
+ # SPI: PoR required
+ # TAR: Remote App Management (000000)
+ envelopeData = '0D0001000000000000000000' + ('%02x' % (self._apduCounter & 0xff)) + '00' + data;
+ self._apduCounter = self._apduCounter + 1
+
+ # Command
+ envelopeData = '027000' + ('%04x' % (len(envelopeData) / 2)) + envelopeData;
+
+ # SMS-TDPU header: MS-Delivery, no more messages, TP-UD header, no reply path,
+ # TP-OA = TON/NPI 55667788, TP-PID = SIM Download, BS timestamp
+ envelopeData = '400881556677887ff600112912000004' + ('%02x' % (len(envelopeData) / 2)) + envelopeData;
+
+ # (82) Device Identities: (83) Network to (81) USIM
+ # (8b) SMS-TPDU
+ envelopeData = '820283818B' + hex_ber_length(envelopeData) + envelopeData
+
+ # d1 = SMS-PP Download, d2 = Cell Broadcast Download
+ envelopeData = 'd1' + hex_ber_length(envelopeData) + envelopeData;
+ response = self._tp.send_apdu_checksw('a0c20000' + ('%02x' % (len(envelopeData) / 2)) + envelopeData)[0]
+
+ # Unwrap response
+ response = response[(int(response[10:12],16)*2)+12:]
+ return (response[6:], response[2:6])
+
+ def send_wrapped_apdu_checksw(self, data, sw="9000"):
+ response = self.send_wrapped_apdu(data)
+ if response[1] != sw:
+ raise RuntimeError("SW match failed! Expected %s and got %s." % (sw.lower(), response[1]))
+ return response
+
+ def get_security_domain_aid(self):
+ # Get Status followed by Get Response
+ response = self.send_wrapped_apdu_checksw('80F28000024F0000C0000000')[0]
+ return response[2:(int(response[0:2],16)*2)+2]
+
+ def delete_aid(self, aid, delete_related=True):
+ aidDesc = '4f' + ('%02x' % (len(aid) / 2)) + aid
+ apdu = '80e400' + ('80' if delete_related else '00') + ('%02x' % (len(aidDesc) / 2)) + aidDesc + '00c0000000'
+ return self.send_wrapped_apdu(apdu)
+
+ def load_aid_raw(self, aid, executable, codeSize, volatileDataSize = 0, nonvolatileDataSize = 0):
+ loadParameters = 'c602' + ('%04x' % codeSize)
+ if volatileDataSize > 0:
+ loadParameters = loadParameters + 'c702' ('%04x' % volatileDataSize)
+ if nonvolatileDataSize > 0:
+ loadParameters = loadParameters + 'c802' ('%04x' % nonvolatileDataSize)
+ loadParameters = 'ef' + ('%02x' % (len(loadParameters) / 2)) + loadParameters
+
+ # Install for load APDU, no security domain or hash specified
+ data = ('%02x' % (len(aid) / 2)) + aid + '0000' + ('%02x' % (len(loadParameters) / 2)) + loadParameters + '0000'
+ self.send_wrapped_apdu_checksw('80e60200' + ('%02x' % (len(data) / 2)) + data + '00c0000000')
+
+ # Load APDUs
+ loadData = 'c4' + hex_ber_length(executable) + executable
+ loadBlock = 0;
+
+ while len(loadData):
+ if len(loadData) > 0xd8:
+ apdu = '80e800' + ('%02x' % loadBlock) + '6c' + loadData[:0xd8]
+ loadData = loadData[0xd8:]
+ loadBlock = loadBlock + 1
+ else:
+ apdu = '80e880' + ('%02x' % loadBlock) + ('%02x' % (len(loadData) / 2)) + loadData
+ loadData = ''
+
+ self.send_wrapped_apdu_checksw(apdu + '00c0000000')
+
+ def generate_load_file(self, capfile):
+ zipcap = zipfile.ZipFile(capfile)
+ zipfiles = zipcap.namelist()
+
+ header = None
+ directory = None
+ impt = None
+ applet = None
+ clas = None
+ method = None
+ staticfield = None
+ export = None
+ constpool = None
+ reflocation = None
+
+ for i, filename in enumerate(zipfiles):
+ if filename.lower().endswith('header.cap'):
+ header = zipcap.read(filename)
+ elif filename.lower().endswith('directory.cap'):
+ directory = zipcap.read(filename)
+ elif filename.lower().endswith('import.cap'):
+ impt = zipcap.read(filename)
+ elif filename.lower().endswith('applet.cap'):
+ applet = zipcap.read(filename)
+ elif filename.lower().endswith('class.cap'):
+ clas = zipcap.read(filename)
+ elif filename.lower().endswith('method.cap'):
+ method = zipcap.read(filename)
+ elif filename.lower().endswith('staticfield.cap'):
+ staticfield = zipcap.read(filename)
+ elif filename.lower().endswith('export.cap'):
+ export = zipcap.read(filename)
+ elif filename.lower().endswith('constantpool.cap'):
+ constpool = zipcap.read(filename)
+ elif filename.lower().endswith('reflocation.cap'):
+ reflocation = zipcap.read(filename)
+
+ data = header.encode("hex")
+ if directory:
+ data = data + directory.encode("hex")
+ if impt:
+ data = data + impt.encode("hex")
+ if applet:
+ data = data + applet.encode("hex")
+ if clas:
+ data = data + clas.encode("hex")
+ if method:
+ data = data + method.encode("hex")
+ if staticfield:
+ data = data + staticfield.encode("hex")
+ if export:
+ data = data + export.encode("hex")
+ if constpool:
+ data = data + constpool.encode("hex")
+ if reflocation:
+ data = data + reflocation.encode("hex")
+
+ return data
+
+ def get_aid_from_load_file(self, data):
+ return data[26:26+(int(data[24:26],16)*2)]
+
+ def load_app(self, capfile):
+ data = self.generate_load_file(capfile)
+ aid = self.get_aid_from_load_file(data)
+ self.load_aid_raw(aid, data, len(data) / 2)
+
+ def install_app(self, args):
+ loadfile = self.generate_load_file(args.install)
+ aid = self.get_aid_from_load_file(loadfile)
+
+ toolkit_params = ''
+ if args.enable_sim_toolkit:
+ assert len(args.access_domain) % 2 == 0
+ assert len(args.priority_level) == 2
+ toolkit_params = ('%02x' % (len(args.access_domain) / 2)) + args.access_domain
+ toolkit_params = toolkit_params + args.priority_level + ('%02x' % args.max_timers)
+ toolkit_params = toolkit_params + ('%02x' % args.max_menu_entry_text)
+ toolkit_params = toolkit_params + ('%02x' % args.max_menu_entries) + '0000' * args.max_menu_entries + '0000'
+ toolkit_params = 'ca' + ('%02x' % (len(toolkit_params) / 2)) + toolkit_params
+
+ assert len(args.nonvolatile_memory_required) == 4
+ assert len(args.volatile_memory_for_install) == 4
+ parameters = 'c802' + args.nonvolatile_memory_required + 'c702' + args.volatile_memory_for_install
+ if toolkit_params:
+ parameters = parameters + toolkit_params
+ parameters = 'ef' + ('%02x' % (len(parameters) / 2)) + parameters + 'c9' + ('%02x' % (len(args.app_parameters) / 2)) + args.app_parameters
+
+ data = ('%02x' % (len(aid) / 2)) + aid + ('%02x' % (len(args.module_aid) / 2)) + args.module_aid + ('%02x' % (len(args.instance_aid) / 2)) + \
+ args.instance_aid + '0100' + ('%02x' % (len(parameters) / 2)) + parameters + '00'
+ self.send_wrapped_apdu_checksw('80e60c00' + ('%02x' % (len(data) / 2)) + data + '00c0000000')
+#------
+
+parser = argparse.ArgumentParser(description='Tool for Toorcamp SIMs.')
+parser.add_argument('-s', '--serialport')
+parser.add_argument('-p', '--pcsc', nargs='?', const=0, type=int)
+parser.add_argument('-d', '--delete-app')
+parser.add_argument('-l', '--load-app')
+parser.add_argument('-i', '--install')
+parser.add_argument('--module-aid')
+parser.add_argument('--instance-aid')
+parser.add_argument('--nonvolatile-memory-required', default='0000')
+parser.add_argument('--volatile-memory-for-install', default='0000')
+parser.add_argument('--enable-sim-toolkit', action='store_true')
+parser.add_argument('--access-domain', default='ff')
+parser.add_argument('--priority-level', default='01')
+parser.add_argument('--max-timers', type=int, default=0)
+parser.add_argument('--max-menu-entry-text', type=int, default=16)
+parser.add_argument('--max-menu-entries', type=int, default=0)
+parser.add_argument('--app-parameters', default='')
+parser.add_argument('--print-info', action='store_true')
+parser.add_argument('-n', '--new-card-required', action='store_true')
+parser.add_argument('-z', '--sleep_after_insertion', type=float, default=0.0)
+parser.add_argument('--disable-pin')
+
+args = parser.parse_args()
+
+if args.pcsc is not None:
+ from pySim.transport.pcsc import PcscSimLink
+ sl = PcscSimLink(args.pcsc)
+elif args.serialport is not None:
+ from pySim.transport.serial import SerialSimLink
+ sl = SerialSimLink(device=args.serialport, baudrate=9600)
+else:
+ raise RuntimeError("Need to specify either --serialport or --pcsc")
+
+sc = SimCardCommands(sl)
+ac = AppLoaderCommands(sl)
+
+sl.wait_for_card(newcardonly=args.new_card_required)
+time.sleep(args.sleep_after_insertion)
+
+# Get the ICCID
+print "ICCID: " + swap_nibbles(sc.read_binary(['3f00', '2fe2'])[0])
+ac.send_terminal_profile()
+
+if args.delete_app:
+ ac.delete_aid(args.delete_app)
+
+if args.load_app:
+ ac.load_app(args.load_app)
+
+if args.install:
+ ac.install_app(args)
+
+if args.print_info:
+ print "--print-info not implemented yet."
+
+if args.disable_pin:
+ sl.send_apdu_checksw('0026000108' + args.disable_pin.encode("hex") + 'ff' * (8 - len(args.disable_pin)))
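Review bot: In `load_aid_raw` the two optional load-parameter branches are missing a `+` before the formatted size (`'c702' ('%04x' % volatileDataSize)`), so any nonzero `volatileDataSize` or `nonvolatileDataSize` raises `TypeError: 'str' object is not callable` before the INSTALL [for load] is sent; they should read `loadParameters = loadParameters + 'c702' + ('%04x' % volatileDataSize)` and `loadParameters = loadParameters + 'c802' + ('%04x' % nonvolatileDataSize)`. Neither caller in this file passes those arguments, which is presumably why it went unnoticed. Separately, the `--disable-pin` handling on the last line builds an 8-byte body with `'ff' * (8 - len(args.disable_pin))`, so a PIN longer than 8 characters yields a data field longer than the declared `08` with no padding at all; a guard such as `if len(args.disable_pin) > 8: raise SystemExit("PIN must be at most 8 characters")` before the APDU keeps the command well-formed. The `argparse` import fallback also only prints and continues, so on a missing module the script dies later with a NameError at `argparse.ArgumentParser` rather than the friendly message; `raise SystemExit(1)` inside that `except` would make the hint the last thing the user sees.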