pysim-suci.md

The following document is now part of the official pysim documentation and available here: https://downloads.osmocom.org/docs/pysim/master/html/suci-tutorial.html

This gist is an archive and will not be updated.


SUPI/SUCI Concealment is a new 5G-Standalone (SA) feature to encrypt the IMSI/SUPI with a network operator public key. pySIM now supports writing these 5G-specific files to USIM cards.

In short:

  • USIM Service 124 enables SUCI calculation
  • EF.SUCI_Calc_Info stores the public keys (required)
  • EF.Routing_Indicator holds the Routing Indicator (required)

To enable SUCI concealment, follow all steps. If you want to disable the feature, you can just disable USIM Service 124.

For details, see TS31.102 (minimum Version 16 for 5G stuff).


I highly recommend reading the sysmoUSIM User Manual, Section 9.1, for more and up-to-date information.


Admin Keys

Start pySIM-shell and enter the admin key for your card. If you bought the SIM card from your network operator and don't have the admin key, you cannot change SIM contents.

Launch pySIM:

$ ./pySim-shell.py -p 0
Using PC/SC reader interface
Autodetected card type: sysmoISIM-SJA2
Welcome to pySim-shell!
pySIM-shell (MF)>

Enter the ADM keys:

pySIM-shell (MF)> verify_adm XXXXXXXX

Without ADM verification, write commands will fail with 'SW Mismatch: Expected 9000 and got 6982.' (status word 6982 means "security status not satisfied").

Key Provisioning

pySIM-shell (MF)> select MF
pySIM-shell (MF)> select ADF.USIM 
pySIM-shell (MF/ADF.USIM)> select DF.5GS 
pySIM-shell (MF/ADF.USIM/DF.5GS)> select EF.SUCI_Calc_Info 

By default, the file is present but empty:

pySIM-shell (MF/ADF.USIM/DF.5GS/EF.SUCI_Calc_Info)> read_binary_decoded 
missing Protection Scheme Identifier List data object tag
9000: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff -> {}

The following JSON config defines the test file from TS 31.121 4.9.4 with test keys from TS 33.501 Annex C.4. The highest-priority entry (priority 0) selects Profile B (identifier: 2) with the key in key slot 1, which means the key with hnet_pubkey_identifier: 27.

{
     "prot_scheme_id_list": [
        {"priority": 0, "identifier": 2, "key_index": 1},
        {"priority": 1, "identifier": 1, "key_index": 2},
        {"priority": 2, "identifier": 0, "key_index": 0}],
     "hnet_pubkey_list": [
        {"hnet_pubkey_identifier": 27,
         "hnet_pubkey": "0272DA71976234CE833A6907425867B82E074D44EF907DFB4B3E21C1C2256EBCD1"},
        {"hnet_pubkey_identifier": 30,
         "hnet_pubkey": "5A8D38864820197C3394B92613B20B91633CBD897119273BF8E4A6F4EEC0A650"}]
}

Write the config to the file (for now, the input must be a single line):

pySIM-shell (MF/ADF.USIM/DF.5GS/EF.SUCI_Calc_Info)> update_binary_decoded '{ "prot_scheme_id_list": [ {"priority": 0, "identifier": 2, "key_index": 1}, {"priority": 1, "identifier": 1, "key_index": 2}, {"priority": 2, "identifier": 0, "key_index": 0}], "hnet_pubkey_list": [ {"hnet_pubkey_identifier": 27, "hnet_pubkey": "0272DA71976234CE833A6907425867B82E074D44EF907DFB4B3E21C1C2256EBCD1"}, {"hnet_pubkey_identifier": 30, "hnet_pubkey": "5A8D38864820197C3394B92613B20B91633CBD897119273BF8E4A6F4EEC0A650"}]}'
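Before writing, it helps to check that every scheme entry points at a key of the right type and to generate the single-line command from the readable JSON. The following is an added example, not part of pySim or the original tutorial; the function names are hypothetical and the expected key sizes come from TS 33.501 Annex C.

```python
import json

# Scheme identifiers as used on this page. The expected public key sizes
# (32-byte X25519 key for Profile A, 33-byte compressed secp256r1 point for
# Profile B) are taken from TS 33.501 Annex C, not from pySim.
SCHEMES = {0: ("null-scheme", None), 1: ("Profile A", 32), 2: ("Profile B", 33)}

# The configuration from this page (TS 33.501 Annex C.4 test keys).
CONFIG = {
    "prot_scheme_id_list": [
        {"priority": 0, "identifier": 2, "key_index": 1},
        {"priority": 1, "identifier": 1, "key_index": 2},
        {"priority": 2, "identifier": 0, "key_index": 0}],
    "hnet_pubkey_list": [
        {"hnet_pubkey_identifier": 27, "hnet_pubkey":
         "0272DA71976234CE833A6907425867B82E074D44EF907DFB4B3E21C1C2256EBCD1"},
        {"hnet_pubkey_identifier": 30, "hnet_pubkey":
         "5A8D38864820197C3394B92613B20B91633CBD897119273BF8E4A6F4EEC0A650"}],
}

def check_suci_calc_info(cfg):
    """Return a list of problems found in a decoded EF.SUCI_Calc_Info dict."""
    problems = []
    keys = cfg["hnet_pubkey_list"]
    schemes = cfg["prot_scheme_id_list"]
    if len({e["priority"] for e in schemes}) != len(schemes):
        problems.append("duplicate priority values")
    for e in schemes:
        name, keylen = SCHEMES.get(e["identifier"], (None, None))
        if name is None:
            problems.append(f"unknown scheme identifier {e['identifier']}")
        elif keylen is None:
            continue  # null-scheme: no public key involved
        elif not 1 <= e["key_index"] <= len(keys):
            problems.append(f"{name}: key_index {e['key_index']} has no key")
        else:
            raw = bytes.fromhex(keys[e["key_index"] - 1]["hnet_pubkey"])
            if len(raw) != keylen:
                problems.append(f"{name}: key is {len(raw)} bytes, not {keylen}")
            elif keylen == 33 and raw[0] not in (2, 3):
                problems.append(f"{name}: key is not a compressed EC point")
    return problems

def shell_command(cfg):
    """Build the single-line update_binary_decoded command for pySim-shell."""
    return "update_binary_decoded '" + json.dumps(cfg) + "'"

if __name__ == "__main__":
    print(check_suci_calc_info(CONFIG) or "config is consistent")
    print(shell_command(CONFIG))
```

Swapping the two key_index values makes the check report both entries, which is the kind of mismatch that is otherwise only visible when the UE fails to register.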

Routing Indicator

The Routing Indicator must be present for the SUCI feature. By default, the file is invalid:

pySIM-shell (MF)> select MF
pySIM-shell (MF)> select ADF.USIM 
pySIM-shell (MF/ADF.USIM)> select DF.5GS 
pySIM-shell (MF/ADF.USIM/DF.5GS)> select EF.Routing_Indicator 
pySIM-shell (MF/ADF.USIM/DF.5GS/EF.Routing_Indicator)> read_binary_decoded 
9000: ffffffff -> {'raw': 'ffffffff'}

The Routing Indicator is a four-byte file but the actual Routing Indicator goes into bytes 0 and 1 (the other bytes are reserved). To set the Routing Indicator to 0x71:

pySIM-shell (MF/ADF.USIM/DF.5GS/EF.Routing_Indicator)> update_binary 0071ffff

(The encoding might be different; see this comment.)

You can also set the Routing Indicator to 0x0, which is valid and means "routing indicator not specified", leaving it to the modem.

Service Table

First, check out the USIM Service Table (UST):

pySIM-shell (MF)> select MF
pySIM-shell (MF)> select ADF.USIM 
pySIM-shell (MF/ADF.USIM)> select EF.UST 
pySIM-shell (MF/ADF.USIM/EF.UST)> read_binary_decoded 
9000: beff9f9de73e0408400170730000002e00000000 -> [2, 3, 4, 5, 6, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 25, 27, 28, 29, 33, 34, 35, 38, 39, 42, 43, 44, 45, 46, 51, 60, 71, 73, 85, 86, 87, 89, 90, 93, 94, 95, 122, 123, 124, 126]

From TS31.102:

Service No. Description
122 5GS Mobility Management Information
123 5G Security Parameters
124 Subscription identifier privacy support
125 SUCI calculation by the USIM
126 UAC Access Identities support
129 5GS Operator PLMN List

If you’d like to enable/disable any service:

pySIM-shell (MF/ADF.USIM/EF.UST)> ust_service_deactivate 124
pySIM-shell (MF/ADF.USIM/EF.UST)> ust_service_activate 124
pySIM-shell (MF/ADF.USIM/EF.UST)> ust_service_deactivate 125

In this case, Service 124 is already enabled and you’re good to go. The sysmocom ISIM does not support on-SIM calculation, so service 125 must be disabled.

USIM Error with 5G and sysmocom-ISIM

sysmocom-ISIMs come 5GS-enabled. By default however, the USIM configuration is not valid for 5G networks: Service 124 is enabled, but SUCI Calc Info and the Routing Indicator are empty files (hence invalid).

At least for Qualcomm’s X55 modem, this results in a USIM error and the whole modem shutting 5G down. If you don’t need SUCI concealment but the smartphone refuses to connect to any 5G network, try disabling Service 124.

@mrlnc

mrlnc commented Feb 2, 2022

@teslagal You're right, seems that first and second Byte contain the actual Routing Indicator. I couldn't verify the order, but added a link to your comment to help people figure this out! Thanks!

@Matheus-Garbelini

Hi @mrlnc thanks for your tutorial.
Do you know if it's possible to create such 5G files on a SIM card even if they don't exist?

@mrlnc

mrlnc commented Jun 3, 2022

Hey @Matheus-Garbelini - good question. I think file creation is only possible during the "personalization" lifecycle and locked afterwards (my takeaway from Harald Welte's talk here: https://media.ccc.de/v/osmodevcall-20211022-laforge-sim ). So you could only (de-)activate files but not actually create new ones.

@Matheus-Garbelini

thanks @mrlnc
It seems that even if it's possible, they are using proprietary APDUs commands which no one knows:
Screenshot_20220603_152556

@laf0rge

laf0rge commented Jul 15, 2022

Hi @mrlnc thanks for your tutorial. Do you know if it's possible to create such 5G files on a SIM card even if they don't exist?

This is highly dependent on the cardOS capabilities and the existing personalization of the card, as well as your access level. On some OS, if the profile permits it, you can create files when authenticated via ADM1 or via OTA. On the sysmoISIM-SJA2 we tried to make it possible, but not many people have played with it. pySim-shell has a create_file command these days.

@laf0rge

laf0rge commented Jul 15, 2022

and btw, if you want multi-line JSON input, I suggest to try @edit_binary_decoded@ instead of @update_binary_decoded@ which will spawn your $EDITOR where you can enter multi-line input.

@helloTkk

Great work!!!

Have been using it with SysmocomSJA2 cards and has been of so much help!

Just one thing, when updating the Routing Indicator, it is left padded with f's but also inverted. Therefore, to send a value of 0x71 I had to update the EF with:

pySIM-shell (MF/ADF.USIM/DF.5GS/EF.Routing_Indicator)> update_binary 17ffffff

Hope it helps!

@helloTkk

Hi,

I'm using SysmocomSJA2 but when I execute the command: pySIM-shell (MF/ADF.USIM/DF.5GS)> select EF.SUCI_Calc_Info there will be an error: EXCEPTION of type 'RuntimeError' occurred with message: '6283: Warnings - Selected file invalidated'
To enable full traceback, run the following command: 'set debug true'.

Any help I would appreciate!

@mrlnc

mrlnc commented Sep 22, 2022

Hi,

I'm using SysmocomSJA2 but when I execute the command: pySIM-shell (MF/ADF.USIM/DF.5GS)> select EF.SUCI_Calc_Info there will be an error: EXCEPTION of type 'RuntimeError' occurred with message: '6283: Warnings - Selected file invalidated' To enable full traceback, run the following command: 'set debug true'.

Any help I would appreciate!

Did you try re-enabling the files, as described in the manual, Section 9.1? https://www.sysmocom.de/manuals/sysmousim-manual.pdf Section

@cristina-posada

Hi! Thank you for this tutorial! When I set up the priorities as shown in this tutorial, giving priority to profile B:

{
     "prot_scheme_id_list": [
        {"priority": 0, "identifier": 2, "key_index": 1},
        {"priority": 1, "identifier": 1, "key_index": 2},
        {"priority": 2, "identifier": 0, "key_index": 0}],
     "hnet_pubkey_list": [
        {"hnet_pubkey_identifier": 27,
         "hnet_pubkey": "0272DA71976234CE833A6907425867B82E074D44EF907DFB4B3E21C1C2256EBCD1"},
        {"hnet_pubkey_identifier": 30,
         "hnet_pubkey": "5A8D38864820197C3394B92613B20B91633CBD897119273BF8E4A6F4EEC0A650"}]
}

The UE fails to connect to the Amarisoft network.

However, if I change the priorities so that it uses profile A, like this:

{
     "prot_scheme_id_list": [
        {"priority": 0, "identifier": 1, "key_index": 2},
        {"priority": 1, "identifier": 2, "key_index": 1},
        {"priority": 2, "identifier": 0, "key_index": 0}],
     "hnet_pubkey_list": [
        {"hnet_pubkey_identifier": 27,
         "hnet_pubkey": "0272DA71976234CE833A6907425867B82E074D44EF907DFB4B3E21C1C2256EBCD1"},
        {"hnet_pubkey_identifier": 30,
         "hnet_pubkey": "5A8D38864820197C3394B92613B20B91633CBD897119273BF8E4A6F4EEC0A650"}]
}

The UE connects without problems, using ECIES profile A, and I can see this in the Amarisoft logs:

Protection sheme id = 1 (ECIES scheme profile A)
Home network public key identifier = 30
ECC ephemeral public key = The ephemeral public key
Ciphertext = The Ciphertext
MAC tag = The MAC tag

Can anyone help me with this? I can provide more information if you need it.

@yzucyh

yzucyh commented May 2, 2023

Hi, @mrlnc @helloTkk,
I'm also working on the lab. When I use pcsc_scan it can find the SIM card, but when I run ./pySim-read.py -p0 it shows that it is not found. Can you help me? Thanks!!!
S__32497729
show
S__32497799

I don't know if there is any problem with my device or settings. Thanks again.

@cristina-posada

Hi @yzucyh! in the pcsc_scan command output, which number appears here?

Using reader plug'n play mechanism
Scanning present readers...
0: Bit4id miniLector-s

In this example, the sysmocom device is listed as Bit4id miniLector-s and has a reader number of 0. That is the number to use in the ./pySim-read.py -p command.

Could it be that you are setting the wrong reader number? I believe the number depends on the system configuration and the type of smart card reader used.

@yzucyh

yzucyh commented May 2, 2023

Hi @cristina-posada, thanks for your reply! I've checked my reader number, changed it, and it works!!!
Your explanation is really clear, hope you have a good day!
Thanks again!

@yzucyh

yzucyh commented May 3, 2023

Hi @cristina-posada,
I'm practicing this tutorial.
I have a problem with my test devices. I'm using an iPhone 13 mini and a Samsung A52s.
I'm facing the problem with the Guru part.
Can you tell me the test device or any resource you used when you did this lab?
I'll be very thankful!!

@laf0rge

laf0rge commented May 11, 2023

Thanks for the tutorial. I think it would be great to make the information easier to find for pySim and/or sysmoISIM users.

Would you be interested in contributing this to either the pySim documentation, or the sysmoISIM user manual?

@cristina-posada

Hi @cristina-posada, I'm practicing this tutorial. I have a problem with my test devices. I'm using an iPhone 13 mini and a Samsung A52s. I'm facing the problem with the Guru part. Can you tell me the test device or any resource you used when you did this lab? I'll be very thankful!!

Hi @yzucyh, I followed that same tutorial. My test device is a Samsung Galaxy S21 FE 5G. I also had problems connecting iPhones to an SA network.

@mrlnc

mrlnc commented May 11, 2023

Thanks for the tutorial. I think it would be great to make the information easier to find for pySim and/or sysmoISIM users.
Would you be interested in contributing this to either the pySim documentation, or the sysmoISIM user manual?

@laf0rge I submitted a PR on gerrit: https://gerrit.osmocom.org/c/pysim/+/32688
If you have larger edits in mind or would prefer another place and feel like the PR is too much overhead, feel free to edit outside of that PR. I'll link to the resulting guide, then.

@laf0rge

laf0rge commented May 27, 2023

@teslagal You're right, seems that first and second Byte contain the actual Routing Indicator. I couldn't verify the order, but added a link to your comment to help people figure this out! Thanks!

Note that TS 31.102 4.4.11.11 refers to TS 24.501, which in 9.11.3.4.1 actually states:

Routing Indicator shall consist of 1 to 4 digits. The coding of this field is the responsibility of home network operator but BCD coding shall be used. If a network operator decides to assign less than 4 digits to Routing Indicator, the remaining digits shall be coded as "1111" to fill the 4 digits coding of Routing Indicator (see NOTE 2). If no Routing Indicator is configured in the USIM, the UE shall code bits 1 to 4 of octet 8 of the Routing Indicator as "0000" and the remaining digits as “1111".

So the minimum accepted file content should be "f0ffffff", which is also what I'm going to make the default in the future sysmoISIM-SJA5 cards.

Furthermore, pySim is getting a proper encoder/decoder for the EF.Routing_Indicator in https://gerrit.osmocom.org/c/pysim/+/33064
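The BCD rule quoted above, as an added example that is not pySim's own encoder from the linked Gerrit change and not part of any comment here. The function names are hypothetical; the nibble order (first digit in bits 1 to 4) follows the quoted TS 24.501 text and reproduces both `17ffffff` and `f0ffffff` from the comments.

```python
def encode_routing_indicator(digits: str) -> str:
    """Return the 4-byte EF.Routing_Indicator content (hex) for 1 to 4 digits."""
    if not (digits.isascii() and digits.isdigit() and 1 <= len(digits) <= 4):
        raise ValueError("Routing Indicator must be 1 to 4 decimal digits")
    # Unused digit positions are filled with 1111 (0xF).
    nibbles = [int(d) for d in digits] + [0xF] * (4 - len(digits))
    # BCD: digit 1 in bits 1 to 4 (low nibble), digit 2 in bits 5 to 8.
    ri = bytes(nibbles[i] | (nibbles[i + 1] << 4) for i in (0, 2))
    return (ri + b"\xff\xff").hex()  # bytes 3 and 4 are reserved


def decode_routing_indicator(content: str) -> str:
    """Return the digits stored in a 4-byte EF.Routing_Indicator hex string."""
    raw = bytes.fromhex(content)
    if len(raw) != 4:
        raise ValueError("EF.Routing_Indicator is a four-byte file")
    nibbles = [n for b in raw[:2] for n in (b & 0x0F, b >> 4)]
    digits = ""
    while nibbles and nibbles[0] <= 9:
        digits += str(nibbles.pop(0))
    # Whatever follows the digits must be 1111 filler only.
    if not digits or any(n != 0xF for n in nibbles):
        raise ValueError(f"{content}: not a valid BCD Routing Indicator")
    return digits


def is_valid(content: str) -> bool:
    """True if the file content decodes to 1 to 4 BCD digits plus filler."""
    try:
        decode_routing_indicator(content)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ri in ("71", "0", "1234"):
        print(ri, "->", encode_routing_indicator(ri))
    print("ffffffff valid?", is_valid("ffffffff"))
```

Under this coding, `0071ffff` decodes to the four digits 0017, and the factory default `ffffffff` contains no digit at all.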

@ReeturajBhuyan

ReeturajBhuyan commented Sep 15, 2023

I am trying to write a test SIM card using an OmniKey 3121 reader. The card is detected and I am able to read the data.

root@reeturaj--ubuntu:/home/reeturaj/SIM_CARD/pyscard-2.0.7/pysim# ./pySim-read.py -p 0
Using PC/SC reader interface
Reading ...
Autodetection failed
ICCID: 89010020000005348023
IMSI: 262800555020091
GID1: ffffffffffffffff
GID2: ffffffffffffffff
SMSP: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
SPN: 12800520091
Show in HPLMN: True
Hide in OPLMN: False
PLMNsel: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
PLMNwAcT:

But I am not able to write new data onto the SIM Card.

root@reeturaj--ubuntu:/tmp/pysim# ./pySim-prog.py -p 0 -n OpenBSC -t sysmosim-gr1 --mcc=234 --mnc=015 --iccid=89010020000005348023 --imsi=234015055502000 --msisdn=+12800520000
Using PC/SC reader interface
Ready for Programming: Insert card now (or CTRL-C to cancel)
Generated card parameters :

Name : OpenBSC
SMSP : e1ffffffffffffffffffffffff0581005155f5ffffffffffff000000
ICCID : 89010020000005348023
MCC/MNC : 234/015
IMSI : 234015055502000
Ki : 45cff4d0a894740572ab4037e17d4e69
OPC : 305b6c995a27a112d72cb278dddc232d
ACC : None
ADM1(hex): None
OPMODE : None
Programming ...

Card programming failed with an exception:
---------------------8<---------------------
Traceback (most recent call last):
File "/tmp/pysim/./pySim-prog.py", line 824, in
rc = process_card(opts, first, ch)
File "/tmp/pysim/./pySim-prog.py", line 774, in process_card
card.program(cp)
File "/tmp/pysim/pySim/legacy/cards.py", line 736, in program
self._scc.verify_chv(5, pin)
File "/tmp/pysim/pySim/commands.py", line 523, in verify_chv
self._chv_process_sw('verify', chv_no, code, sw)
File "/tmp/pysim/pySim/commands.py", line 511, in _chv_process_sw
raise SwMatchError(sw, '6b00')
pySim.exceptions.SwMatchError: SW match failed! Expected 9000 and got 6b00.

Any suggestion would be appreciated.
