Sunday, October 02, 2011



There are many ways you may wish to approach examining a SIM Card elementary file (EF) and to the university students that wrote and asked for some ideas here are some observations. I would recommend, assuming you have access to SIM reading tools, that it is useful to target a particular EF in the GSM standard GSM11.11. Importantly, as there have been numerous versions and revisions of GSM11.11 it is an essential task to check the various versions and revisions taking account of any changes to the technical requirements for the EF: for instance

a) access conditions
b) content
c) coding
d) etc

To illustrate some of the points raised by this blog discussion I have selected the SIM forbidden list found in elementary file (EF) FPLMN (Forbidden PLMNs) 7F20:6F7B (7F21:6F7B). PLMNs MCC/MNC populated in this EF are those that the MS shall not camp on and provide a location update. 

ETS GSM11.11 v4.21.1 December 1999
GSM 11.11 v8.14.0 June 2007

Of course, when reading the conditions laid out in the standards it is also essential to appreciate the conditions under which a PLMN (MCC/MNC) may be updated into this EF. Trial test conditions should relate to 'automatic' update and update caused by 'manual' selection of a Forbidden PLMN. These are not simple tasks as one might imagine. There is the radio environment to consider? Which PLMNs are forbidden? Is roaming required? The coding of the data? ....and so on. So for an elementary file that largely gets overlooked during examination and ignored in evidence, an analysis of exactly the tasks this EF performs in the SIM module is quite surprising when considering its impact on the MS. That is from the perspective that its evidence could be considered when placing an MS within an PLMN's radio coverage and the follow on potential inference of a geographical location. EF-FPLMN adds an intriguing prospects to be considered, beyond handset and SIM analysis, and that is it can be used in cell site analysis and call record analysis, too.

Extracted and Harvested Data
It is inescapable, thus unavoidable, that validating data that has been extracted and harvested cannot be performed based upon using one tool. Moreover, tools vary in the way they present harvested data and will require the examiner to pay particular attention to ensure the output data (although presented in various arrangements) should be identical. If parity isn't possible then analysis of the tools should be undertaken. It is worth mentioning at this juncture, so as to avoid unduly raising concerns, many tools once released into the marketplace do not allow users to update the product. Changes to SIM techncial specifications or new services or new/change to operators may simply not be included in a tool. 

SIMSpy Trace file Output (Text file)

Other tools present data in varying layouts within the program:

SIM Explorer



USIM Detective

In conclusion, students asked for some observations and I hope the above may help. Care should be taken when reading the binary not to corrupt content in the EF; to consider the use of reverse-nibble; writing scripts; APDU/PDU and so on, in addition to the automatic and manual tests to be conducted. Moreover, any discovery could also extend to the use of EF-FPLMN to cell site analysis and call record analysis.

No comments: