I've patched android with SEEK for Galaxy S3 and after some struggle I'm now able to send APDUs to SIM card and get proper responses.
I want to place my own applet inside SIM but since there is no way we can get the access to do so, I start to wonder if there is anyway we can issue a java card to work like a SIM card. All I need is a java card that the phone can't distinguish from a SIM, no network coverage is needed and I know it is almost impossible to create a SIM that works OK with operator and gives network coverage.
The reason for all this is I need to send APDUs and work with my applet, but if I insert a java card instead of a SIM card in GS3, it gives me no access at all.
So my question is this:
Is it possible to issue a java card so that it looks like a SIM by the phone (and not the operator)?
or Is it possible to change android so that it gives needed access when there is a java card in it, i.e. RIL works as usual?
EDIT
Okay, I think I'll try to issue a Java Card with following properties:
First, it will have an auto selected applet (default applet) that from now on will be call fake-UICC.
Second, in fake-UICC we'll emulate the file system of UICC (according to http://www.in2eps.com/fo-uicc/tk-fo-uicc-mf.html).
Third, since different class is used for SIM APDUs (0xA0) so All APDUs sent from RIL will be directed to fake-UICC by JCRE, since class+instruction is not recognized by normal Java Card. e.g. 0xA0A4 is select for SIM but 0x00A4 is select command for Java Card.
In last step, we will try to send exact same responses a real SIM would send to each APDU.
Maybe it won't work but I think it's worth a try.
SIM Card (UICC) accessed through SEEK is not the only secure element you can use in your cellphone.
On the market there are other Java Card solutions: mostly based on microSD slot (provided e. g. by GoTrust or Feitian Technologies), which you should be able to access through SEEK.
Some cellphones (Galaxy S3 is not this case, unfortunately) are equipped with a special secure element slot, which you can insert common smart card (mostly by Oberthur) into and access through SEEK (see http://www.nfcworld.com/technology/embedded-secure-element-ese/ for some devices with this feature).
There is an interesting article about SE options: http://nelenkov.blogspot.cz/2012/08/accessing-embedded-secure-element-in.html
If you know some other vendors offering microSD Java Card products, please write them down in comments and I will add them to my post. This answer is not supposed to be any advertisement for the companies mentioned above.
Well, Actually I'm not sure if this solution works or not, and as dear #Vojta mentioned in the comments under his answer I would like to discourage people from the following attempts. It will be difficult, time-consuming and probably with no useful results. He knows a lot more than me in this field.
Anyway, as you wanted I posted my suggestion:
Each file in the system file of the SIM/USIM card is linked to a hexadecimal number as its addresses (AID). These AIDs are defined in GSM and ETSI standards (GSM 11.11 for example). You can write some Javacard applets to simulate that system file.
As SIM/USIM card's AIDs are shorten than JavaCard AIDs, you might need to choose a Java Card that support partial AID selection and use this capability to refer incoming command to its associated applet.
I think you can simulate all the system file inside a single applet also and then make that applet default selected applet.
If you had any success with this solution, please inform us. :)
Related
I'm going to write a Java Card applet to convert my card into an EMV compliant card.
1- The question is how can I do that?
As far as I know, there are four EMV specifications known as EMV Books which contain principles of EMV cards (Chip characteristics, file structure and also the list of APDU commands). Do I need any other specifications to implement my applet or these are all I need? If there are some other specifications which I need, are they freely available or they are proprietary?
2- Do EMV cards have an specific Applet AID?
EFT-Lab provided a good list of applet AIDs. As you see below, there are a lot of AIDs which belong to Visa International (as vendors) that all are "EMV" types. Why does Visa International have a lot of different AIDs for its EMV applets? What's the difference between these applets?
3- Is there any open source EMV applet? Is there any Java Card that has an EMV applet/package by default?
4- Is there any specific difference between contact and contactless EMV cards? (I mean in the file-structure or in the APDU commands)
1- The question is how can I do that?
Yes. Implement the specifications. If there are any other requirements (and surely there will be) then they should be referenced in the specs.
2- Do EMV cards have an specific Applet AID?
Because they offer specific functionality? You may even have multiple applications on the same card. Note that it is possible to select applications using a partial AID (see how the Debit & Credit card partially match). The VISA specific cards are likely used internally only, e.g. when servicing cash machines.
3- Is there any open source EMV applet? Is there any Java Card that has an EMV applet/package by default?
Not likely. It would be rather unusable because it would require EMVCo security evaluation to be accepted. So you need some kind of payment structure to pay for certification and audits. No open source initiative is likely to pony up the cash up front.
Often these kind of implementations require techniques to avoid vulnerabilities that need to remain secret; smart cards do not offer perfect security after all. That's perpendicular to open sourcing an implementation. So if there is anything out there it must be created out of academic interest (e.g. for testing the security of the protocol, proof of concept etc.).
4- Is there any specific difference between contact and contactless EMV cards? (I mean in the file-structure or in the APDU commands)
Generally it is more about which parts of the applet are available or not. The fact that most applets can be used in dual mode probably speaks for itself otherwise.
This paper seems to have a good introduction to the possible differences.
Is there any open source EMV applet? Is there any Java Card that has
an EMV applet/package by default?
Was working on a similar project and found this github repo. According to the owner:
This is a fully working EMV applet for javacard 2.2.1.
I am trying to develop a custom cryptographically secure protocol for authenticating through an RFID smart card, all I can find over the internet are generic info on how write static Tags into the card.
For my project I need for the reader to send a Challenge nonce to the card (fixed length random bytes), then the card should send back the challenge encrypted with the hard-coded key (for example with AES CBC) or an hash HMAC.
The problem is: how can I program the card to do such behavior? I can write the code to do so, but how to "flash" it to the card. Also the code for the reader is not a problem (I want to use an Arduino with a reader module).
And then has a passive chip enough power to do this kind of calculations or is better to use an active one, considering that the distance would be few centimeters, such as behind a door?
A passive tag can't do this. Those just hold serial numbers that they spit out back.
You need some smarter card. You have basically two choices:
1) Choose a general-purpose card that fit your needs
The authentication scheme you describe is very widely used, and implemented by virtually all general-purpose smart cards, whether with contact or contactless (RF) interfaces (or both). If you go this way, you don't need to program the card with your own code, you just need to get the specs and initialize the card with the key value you want by sending the appropriate commands. And actually, with these cards, there are often generic tools available to initialize them. Easy.
Mifare (by NXP), for example is very widely used, easily available, and cards are cheap (drawback: it is certainly not the most secure cards ever made). You could use Mifare Classic - with proprietary NXP security protocol - specs here (be careful, the reader must be compatible) or Mifare UltraLight C, with open 3DES crypto - specs here. There are other variants, as well (e.g. Mifare Plus, which uses AES). Just don't go for the simple Mifare Ultralight, which doesn't provide authentication means. You'll see that for all these type of cards, there is a builtin authentication scheme that can functionally fulfill your needs (it is actually a mutual authentication, so it does more that what you require, but it's fine).
FeliCa (made by Sony), ACOS3 (made by ACS - specs here) are other possibilities, although I'm less familiar with it.
2) Get programmable cards
There are some, but it is not very easy to find for contactless and they are very expensive. You can lookup:
BasicCard (ZeitControl), which exist with dual interface. Those cards are programmable in Basic, and there are some kits available (but I'm not familiar with it either).
JavaCard (any manufacturer), which is a standard, but those are hard to find for small volumes. A few online shops seem to have some, though. These cards are programmable in Java (actually a subset of Java). There are tools available for the development phase (from Oracle, or even as Eclipse Plugins, for example). Then, for loading your custom applet in the smart card, you need to get familiar with GlobalPlatform, which is another (publicy available) standard, describing the way applications are managed in a smart card. This would be too broad to describe in detail here, though. You can find resources on the internet, but this road is definitely the most difficult.
Note, that NFC just describes the communication method and tells nothing about the intelligence available on other side.
More intelligence is needed (the command you seem to look for is called EXTERNAL AUTHENTICATE in ISO 7816-4), but does not help for your range problem, since the weaker the field, the less power is available. The idea of having communication through the door will only work for doors which are so weak, that a high-tech electronic protection won't improve overall security. The maximum distance achievable with standard field strength (heart pacemakers and similar devices limit that one) with nothing more than air between suffices typically for something like 10 centimeters. So for me it seems that your reader has to be on the outside and needs to be mechanically hardened against tampering itself.
(What would help, is a "card" with its own power source, so the field is only required for communication. As far as I know, this is mostly provided by a sort of external sleeve.)
What dim fails to mention is the product group of so-called native cards, which are typically only programmable with significant manufacturer support (non-disclosure agreement, probably fee involved), but luckily contain functionality for most use cases already, in your case the commands Get Challenge and External Authenticate.
I'm looking to write a simple beginner program using Java Card to run on sim cards. Can anyone point me to some very basic information on getting started? I've seen some descriptions of the toolkit api, but I'm looking for things like: what capabilities are supported by the sim card, how to upload my code to the card (do i need special hardware?), how do I tell whether a sim card supports java card, that sort of thing.
EDIT: I'm specifically looking to run code on sim cards. I've seen some very high level tutorials online, but nothing that goes as far as connecting to a sim card or uploading code. I have a USB sim card reader and a variety of cards to test, but I can't find any detail on how to work with them.
To upload your code to a sim card, it seems to require one of these tools:
GPShell from the GlobalPlatform project
JCardManager which is part of the Gemalto Developer Suite
SIMAlliance CAT Loader
I've not got any of these to recognise my ebay sim card reader, so I think I'll have buy a different reader (probably from gemalto)
Edit: I bought the ACS ACR38 SDK, which includes 3 card readers and a selection of cards, along with drivers, code samples and tools. These card readers are working nicely with the Gemalto Developer Suite.
The Usability Lab tutorial provided with the Gemalto Developer Suite is a pretty good way of diving into sim card development.
Very interesting thing to note: it's pretty hard to get your code running on commercial mobile network operator SIM cards. They typically require the correct certificate before you can write to them.
There are hardware workarounds to this. I'm currently investigating TurboSIM and RebelSIM.
I finally gave up on this project due to other pressures. I was not able to get any Java Card running except on the dev cards, which are not compatible with real devices on a mobile network. The cutout cards such as TurboSIM and RebelSIM are a possibility but quite frustrating to work with.
there is a nice quickstart tutorial on the netbeans page
http://netbeans.org/kb/docs/javame/java-card.html
I wanted to create J2ME application, in which the application should work only with the SIM card that was used during installation. On SIM card (GSM) change the application should now work.
For achieving this, i thought of taking an signature of the simcard and save it in a persistent storage. On every start of the application the signature can be verified. Any idea of how to implement this.
Thanks in advance
The 'SATSA' (Security and Trust Services API aka JSR177) could be used from your J2ME application to communicate with the SIM. You could send '3GPP TS 11.11' commands to obtain the IMSI (select file DG_GSM, select file EF_IMSI, read binary).
Drawbacks are: (1) You're talking to the SIM on a relatively low level of abstraction (the ISO7816-4 layer); (2) Not all handsets support JSR177 at the moment.
I believe this is not possible. If it was possible with a specific phone it would not be possible in a generic way.
For ATT in US, for J2ME apps, the handset embeds "CarrierDeviceId" in the Jad file. This is unique per SIM card. So, if something similar is available to you, just read this Jad parameter the first time the app starts, save it to RMS or send it to server. Now each time the app starts, you can verify this number matches, and thus verify the SIM card is same.
You can also try obtaining the phone number that is tied to the SIM card and thus verify the old SIM is being used.
J2ME provides JSR 177 which has APIs to access the SIM as a smart card. I want to explore this more and see what all I can do with this, but, I cant find any documentation with respect to that. All documentation that I have found so far is very generic and only mentions how to access a smart card with the APDU APIs and not how I can use this to do anything on the SIM.
Any ideas on where to get started?
Mostly, JSR 177 is supposed to be used to extract the certificate that is on the SIM so you can encrypt/decrypt/sign data in a way that your MNO likes.
The difficulty in finding documentation comes from so few handset manufacturers having included a full JSR177 implementation in their phone.
That, in turn, presumably comes from the huge amount of external, security-related specs to read and understand before the JSR177 spec itself makes sense if you're not a cryptography protocols expert.
The TCK sources and supplemental Symbian/Nokia test code would be a good place to look but, unfortunately, none of that has been open-sourced yet.
Common commands like changing the SIM PIN code basically require an understanding of the binary protocol itself. Simply appending the correct sequence of bytes to an APDU GCF url will get it executed if the JSR177 implementation itself is correct.
If you have only looked at the Sun JavaME SDK, you should probably have a look at the APDU MIDlet example in the latest Series60 SDK and added documentation in Nokia's Java Developer's Library.