(U)ICC/(U)SIM Script Commands and Responses
The discussion under (U)ICC/(U)SIM Script Commands and Responses is one
of a number that will appear to assist Diploma students with their
course work.
http://sim2usim.blogspot.co.uk/2013/10/uiccusim-script-commands-and-responses.html
Investigations, Practices and Procedures: Seizure-Forensic Examination-Evidence. Cellular and Satellite Telephones, Call Records-Billing Data, Cell Site Analysis. Telecomms. Computer and Network Analysis. GPS devices & Jammers, Cyber, IoT forensics.
Sunday, October 06, 2013
(U)ICC/(U)SIM Script Commands and Responses
(U)ICC/(U)SIM 3F00 7F10 6F4A
3GPP UICC/USIM script selecting Master File, Dedicated File and Elementary File
GSM ICC/SIM script selecting Master File, Dedicated File and Elementary File
Reason for script test : defining an examination procedure to isolate and test a single elementary file; determine the EF's status, file structure, coding etc; corroborate the ability of the (U)ICC/(U)SIM to action responses from commands sent to the card; provide corroborating evidence of commands sent to the card to demonstrate evidential integrity (transparency of practices and procedures); testing that the examination card reader is functioning correctly; QA procedures.
Script examination tool used : USIM Commander - http://www.quantaq.com/usimcommander.htm
Relevant Core Diplomas:-
Aims : MTEB Diploma for Mobile Evidence QA and Evidence Handling - Mobile Telephone Diploma Core CQAE1
Objectives : Device Maintenance and Calibration; Examination Procedure
Aims : MTEB Diploma for SIM and USIM Technology Examination - Mobile Telephone Diploma Core CSUT2
Objectives : Your understanding of roles and responsibilities and the importance of appropriate practices and procedures for SIM and USIM Technology Examination for acquiring evidence.
Reference Standards :
GSM11.11/3GPP TS51.011/3GPP TS31.102,
GSM11.12,
GSM11.17/3GPP TS51.017/3GPP TS31.120/3GPP TS31.121/3GPP TS31.122,
GSM11.18/3GPP31.101,
EU MTEB Diploma Student Note : Remember to check with ETSI Standards e.g. TS102.221 etc
US MTEB Diploma Student Note : Diploma Students remember to check e.g. C.S0065-0 v1.0, C.S0074-0 v1.0, C.S0074-A v1.0, N.S0009-0 v1.0, S.R0095-0 v1.0 etc
Generically speaking, apart from GSMA and 3GPP, there is also 3GPP2, which includes ARIB, CCSA, TIA, TTA and TTC, all of which have conditions that can impact/influence results on (U)ICC/(U)SIM.
The latest MTEB Diploma Modules Guide MTEdipl 2.2 can be downloaded here:
https://dl.dropboxusercontent.com/u/84491783/MTEdipl%202.2.pdf
Labels:
3GPP/3GPP2,
ARIB,
CCSA,
Dedicated File,
Diploma,
Elementary Files,
EU,
evidence,
examination procedure,
GSMA,
ICC,
Master File,
SIM,
TIA TTA,
TTC,
UICC,
US,
USIM
Monday, February 02, 2009
SIM PIN Challenge 2
A reminder that this challenge ends on the 15th February 2009:

http://trewmte.blogspot.com/2009/01/sim-pin-challenge.html

No pressure here guys, but we have had the first written response to the SIM PIN Challenge from a Challenge Entrant who has just started in mobile telephone forensics. This Challenge should therefore be a walk in the park for all you mobile phone and computer forensic examiners who have given evidence about SIM Cards in Court.

As a brief history about SIM Cards, the requirement for *Personal Identity Number (PIN) to be available in a SIM Card is defined by way of the GSM Standard GSM11.11. Moreover, GSM11.11 v3 1995 standard and onwards can be downloaded free of charge. So at least we know there is over 13 years of technical knowledge about SIM Card PIN that is traceable. Furthermore, there are other standards that are used to test for allocation and activation of PIN and the mandated execution of the function between the mobile phone and SIM Card.

*Do remember that PIN is only used because it is common language now, but has been made obsolete from the standards and replaced by CHV (Card Holder Verification).

Finally, many tens of thousands of SIM Cards have been examined and their evidence, along with examiners' testimonies/experts' opinions, have been presented in criminal proceedings at Court for well over a decade. A large number of the SIM Cards presented for examination had PIN enabled, thus understanding the fundamental operation of PIN is vital to forensic investigation understanding and the evidence presented about it.

I have sent copies of this Challenge and MOBILE FORENSICS AND EVIDENCE DEGREES/CHALLENGE (see weblink at the end of this discussion) to the following who have the responsibility for: innovation, universities and skills; and regulation of forensic sciences:

Department of Innovation, Universities and Skills (DIUS)

MOBILE FORENSICS AND EVIDENCE DEGREES/CHALLENGE
Labels:
3F00,
3F00 0000,
APDU,
challenge,
CHV,
CHV1,
CHV2,
EF_CHV1,
Elementary Files,
Master File,
PIN,
PIN number,
PINValue,
PUK,
SIM,
SIM card,
verifyCHV,
Verifying
Thursday, January 08, 2009
SIM PIN Challenge
Back in 2005 I was at a presentation by a SIM manufacturer when the presentation turned to CHV (Card Holder Verification), the correct technical term for PIN used for SIM Cards.

The presentation had reached the part "Verifying the CHV" and went on to record:

~ To verify PIN, the verifyCHV APDU is used....

A0 20 00 CHVNum 08 PINValue

~ The message sent from the phone to the SIM in order to check your PIN number 1111, is:

A0 20 00 01 08 313131FFFFFFFF

This all seemed normal until three slides later when the presentation started to discuss "File Structure after personalization" and displayed the graphics starting with the Master File (MF) and under which there were five Elementary Files (EF). The graphics displayed in the presentation were textbook style when discussing MF and EFs, except for this presentation the manufacturer had gone as far as to identify two particular CHV EFs; one of which was 3F00 - EF_CHV1 0000.

So does that mean a particular EF under the MF in SIM with a logical address 3F00 0000 is always going to be the CHV1 file and would the raw data from that EF reveal a user's PIN number?

Below are raw data extracts from three phases of SIM cards - Phase 1, Phase 2 and Phase 3 (2+) and harvested from the Master File (MF) 3F00 and an unnamed EF immediately under the MF with an address 3F00 0000.

Your challenge, if you are interested, is to examine the raw data and corroborate whether the data reveals a user's CHV1 (PIN number) or not.

To help, you may want to check the GSM SIM card standard GSM 11.11 to comprehend file structure, formatting and coding etc for elementary files and to learn what the standard has to say about CHV/PIN.

As forensic investigators you shouldn't need the 'carrot and stick' approach to get you to undertake this challenge because I know how much you all love your work and can't get enough of it and that should be reward enough :-). However, the first person who posts the correct answer at Forensic Focus, I am sure we can sort out some sort of prize:

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3349

However, there are some rules (there is always something like this):

1) Your answer should contain identification of a document or weblink that supports the answer (the document/weblink must be traceable and not based on "something somebody told you"). This will be checked before any prize is awarded.
2) Challenge closes 15th February 2009.
3) I won't be giving the answer, because I do not want everyone just to sit back and think they can wait for my reply.

GOOD LUCK

Phase 1 SIM Card
3F00
--------------------------------------------------------------------------------
Response: 00 00 1A 47 3F 00 00 00 F1 F4 44 13 15 83 02 03 04 00 82 8A 00 00 00 00 00 00 00 00 00 00 00 00 00 00
----------------------------------------
Allocated memory :1A47
File ID :3F00
Type of file :MF
Number of DF : 2
Number of EF : 3
Number of CHV's : 4
CHV1(PIN1) :Disabled
CHV1(PIN1) Status :2 Tries left
CHV1(PIN1) Status :10 Tries left
CHV1(PIN1) Status :0 Tries left
CHV1(PIN1) Status :0 Tries left
--------------------------------------------------------------------------------
3F00:0000
--------------------------------------------------------------------------------
Response: 00 00 00 18 00 00 00 00 FF FF FF 13 06 00 00 02 01 00 00 0A FF
----------------------------------------
File ID :0000
Type of file :RFU
Structure of file :Transparent
File Size :0018
Read Access :CHV (PIN) 15
Write Access :CHV (PIN) 15
Increase Access :CHV (PIN) 15
Rehabilitate :CHV (PIN) 15
Invalidate Access :CHV (PIN) 15
File Status :Not Invalidated
--------------------------------------------------------------------------------
Phase 2 SIM Card
3F00
--------------------------------------------------------------------------------
Response: 00 00 63 9C 3F 00 01 FF FF FF FF 01 0E 93 02 07 02 00 83 8A 00 00 00 00 83 00 FF
----------------------------------------
Allocated memory :639C
File ID :3F00
Type of file :MF
Number of DF : 2
Number of EF : 7
Number of CHV's : 2
CHV1(PIN1) :Disabled
CHV1(PIN1) Status :3 Tries left
CHV1(PIN1) Status :10 Tries left
CHV1(PIN1) Status :0 Tries left
CHV1(PIN1) Status :0 Tries left
--------------------------------------------------------------------------------
3F00:0000
--------------------------------------------------------------------------------
Response: 00 00 00 12 00 00 04 00 FA FF FF 01 02 00 00
----------------------------------------
File ID :0000
Type of file :EF
Structure of file :Transparent
File Size :0012
Read Access :CHV (PIN) 15
Write Access :CHV (PIN) 10
Increase Access :CHV (PIN) 15
Rehabilitate :CHV (PIN) 15
Invalidate Access :CHV (PIN) 15
File Status :Not Invalidated
--------------------------------------------------------------------------------
Phase 3 (2+) SIM Card
3F00
--------------------------------------------------------------------------------
Response: 00 00 00 01 3F 00 01 00 00 00 00 00 09 81 04 12 0A 00 83 8A 83 8A
----------------------------------------
Allocated memory :0001
File ID :3F00
Type of file :MF
Number of DF : 4
Number of EF : 18
Number of CHV's : 10
CHV1(PIN1) :Disabled
CHV1(PIN1) Status :3 Tries left
CHV1(PIN1) Status :10 Tries left
CHV1(PIN1) Status :3 Tries left
CHV1(PIN1) Status :10 Tries left
--------------------------------------------------------------------------------
3F00:0000
--------------------------------------------------------------------------------
Response: 00 00 00 17 00 00 04 00 FB FF FF 01 02 00 00
----------------------------------------
File ID :0000
Type of file :EF
Structure of file :Transparent
File Size :0017
Read Access :CHV (PIN) 15
Write Access :CHV (PIN) 11
Increase Access :CHV (PIN) 15
Rehabilitate :CHV (PIN) 15
Invalidate Access :CHV (PIN) 15
File Status :Not Invalidated
--------------------------------------------------------------------------------
Labels:
3F00,
3F00 0000,
APDU,
challenge,
CHV,
CHV1,
CHV2,
EF_CHV1,
Elementary Files,
Master File,
PIN,
PIN number,
PINValue,
PUK,
SIM,
SIM card,
verifyCHV,
Verifying
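
Added example (not part of the original post and not USIM Commander's code): a Python decoder for the EF header returned after SELECT, using the header layout and access-condition levels from GSM 11.11, the standard the post points readers to. It runs over the three 3F00:0000 responses printed above and reports each access condition by its standard name (ALW, CHV1, CHV2, ADM, NEV) where the tool output shows only the level number. The function names are hypothetical, and decoding the Phase 1 response with the same byte offsets is an assumption.

```python
# Added example: decode the EF header returned by SELECT / GET RESPONSE.
# Byte layout and access levels follow GSM 11.11; names here are hypothetical.

FILE_TYPES = {0x00: "RFU", 0x01: "MF", 0x02: "DF", 0x04: "EF"}
EF_STRUCTURES = {0x00: "Transparent", 0x01: "Linear fixed", 0x03: "Cyclic"}

# Responses for EF 3F00:0000 exactly as printed on this page.
PAGE_RESPONSES = {
    "Phase 1": "00 00 00 18 00 00 00 00 FF FF FF 13 06 00 00 02 01 00 00 0A FF",
    "Phase 2": "00 00 00 12 00 00 04 00 FA FF FF 01 02 00 00",
    "Phase 3 (2+)": "00 00 00 17 00 00 04 00 FB FF FF 01 02 00 00",
}


def access_level(nibble):
    """Map a 4-bit access condition level to its GSM 11.11 name."""
    if nibble == 0:
        return "ALW"              # always allowed
    if nibble in (1, 2):
        return f"CHV{nibble}"     # allowed after CHV1 / CHV2 verification
    if nibble == 3:
        return "RFU"
    if nibble == 15:
        return "NEV"              # never allowed over the SIM/ME interface
    return f"ADM({nibble})"       # levels 4 to 14 are administrative


def parse_ef_header(hex_text):
    """Decode the fixed part of an EF SELECT response given as spaced hex."""
    data = bytes.fromhex(hex_text)
    if len(data) < 14:
        raise ValueError(f"EF header needs at least 14 bytes, got {len(data)}")
    return {
        "file_size": int.from_bytes(data[2:4], "big"),   # bytes 3-4
        "file_id": data[4:6].hex().upper(),              # bytes 5-6
        "file_type": FILE_TYPES.get(data[6], f"unknown 0x{data[6]:02X}"),
        "read": access_level(data[8] >> 4),              # byte 9, high nibble
        "update": access_level(data[8] & 0x0F),          # byte 9, low nibble
        "increase": access_level(data[9] >> 4),          # byte 10, high nibble
        "rehabilitate": access_level(data[10] >> 4),     # byte 11, high nibble
        "invalidate": access_level(data[10] & 0x0F),     # byte 11, low nibble
        "invalidated": not (data[11] & 0x01),            # byte 12, bit 1
        "structure": EF_STRUCTURES.get(data[13], f"unknown 0x{data[13]:02X}"),
    }


def decode_page_responses():
    """Decode every 3F00:0000 response listed on the page."""
    return {phase: parse_ef_header(raw) for phase, raw in PAGE_RESPONSES.items()}


if __name__ == "__main__":
    for phase, header in decode_page_responses().items():
        print(phase, header)
```
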