Error in programming Ki with PySim-prog
When using pySim-prog, the value of the Ki written on the card is shifted by one hex digit to the left and an extra 0xFF is written at the end. pySim-prog displays the values as passed as parameters, but not the actual written values.
```
./pySim-prog.py -p 0 --iccid=8988211910000000987 --pin-adm=11111111 --mcc=214 --mnc=03 --imsi=214030123456789 -k 00ffeeddccbbaa998877665544332211@
Using PC/SC reader interface
Ready for Programming: Insert card now (or CTRL-C to cancel)
Autodetected card type: sysmoISIM-SJA2
Generated card parameters :
 > Name : Magic
 > SMSP : e1ffffffffffffffffffffffff0581005155f5ffffffffffff000000
 > ICCID : 8988211910000000987
 > MCC/MNC : 214/03
 > IMSI : 214030123456789
 > Ki : 00ffeeddccbbaa998877665544332211
 > OPC : 8d772bbc604afa494ebc8ff6a71c14df
 > ACC : None
 > ADM1(hex): 3131313131313131
 > OPMODE : None
Programming ...
Warning: Programming of the ICCID is not implemented for this type of card.
Programming successful: Remove card from reader
```
I haven't found a way to read the Ki value using pySim-shell or pySim-read, so I used sysmo-isim-tool.sja2.py to verify the card content.
```
./sysmo-isim-tool.sja2.py -a 11111111 -k
sysmoISIM-SJA2 parameterization tool
Copyright (c)2019 Sysmocom s.f.m.c. GmbH

Trying to find card with ATR: 3B 9F 96 80 1F 87 80 31 E0 73 FE 21 1B 67 4A 4C 75 30 34 05 4B A9
Initializing smartcard terminal...
 * Card not detected!
Trying to find card with ATR: 3B 9F 96 80 1F 87 80 31 E0 73 FE 21 1B 67 4A 4C 75 31 33 02 51 B2
Initializing smartcard terminal...
 * Card not detected!
Trying to find card with ATR: 3B 9F 96 80 1F 87 80 31 E0 73 FE 21 1B 67 4A 4C 52 75 31 04 51 D5
Initializing smartcard terminal...
 * Detected Card IMSI: 214030123456789
   USIM Application installed
Authenticating...
 * Remaining attempts: 3
 * Authenticating...
 * Authentication successful
 * Remaining attempts: 3
Reading KI value...
 * Initalizing...
 * Reading...
 * Current KI setting:
   KI: ffeeddccbbaa998877665544332211ff
Done!
```
The value recognized by the network is indeed the key as read by sysmo-isim-tool.sja2.py.
Both tools are used in their most recent version, retrieved last week.
- Status changed from New to In Progress
- % Done changed from 0 to 20
I can reproduce the problem.
- sysmo-isim-tool.sja2.py is correctly reading and writing K
- pySim-prog.py is indeed dropping the first byte, shifting everything to the left by one byte, and not overwriting the last byte of K
In order to improve the situation, and to move away more from legacy tools and towards pySim-shell, I've now added more read/write capabilities of the SJA2 specific non-standard files to pySim-shell.
The actual bug seems to have been introduced by
```
commit 2e6dc03f345150353ecc796f18614c02256bd2df
Author: andrew-ma <email@example.com>
Date: Sat Jul 31 22:18:24 2021 -0700

    Allow update_binary function to write more than 255 bytes

    The T0 protocol (selected in transport/pcsc.py) does not support
    extended APDU, so 255 bytes is the maximum number of bytes that can
    be transmitted at a time. We can divide large data into 255 byte
    chunks. The read_binary function already has code to read more than
    255 bytes, so we can just adapt it to the update_binary function.

    Change-Id: Icc240d5c8c04198640eb118565ea99f10ba27466
```
which changes the semantics of the update_binary() method when a non-zero offset is used.
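
The symptom reported in this ticket can be reproduced with a small model of a chunked write followed by a read-back check. This is an added example, not pySim code: both loops are hypothetical, and the file layout (key stored at offset 1 of a file initially filled with 0xFF) is an assumption chosen to match the values shown above.

```python
# Added illustration, not pySim code. The file layout and both write loops
# are assumptions chosen to match the symptom described in this ticket.
CHUNK = 255  # maximum bytes per write on T=0, per the commit message


def write_chunked_buggy(card_file: bytearray, data: bytes, offset: int = 0) -> None:
    """Hypothetical loop that reuses the file offset as the index into data."""
    pos = offset
    while pos < len(data):
        n = min(CHUNK, len(data) - pos)
        # data[:offset] is never sent, and the last `offset` bytes of the
        # target range are never overwritten.
        card_file[pos:pos + n] = data[pos:pos + n]
        pos += n


def write_chunked_fixed(card_file: bytearray, data: bytes, offset: int = 0) -> None:
    """Index data from 0 and apply the file offset only on the card side."""
    done = 0
    while done < len(data):
        n = min(CHUNK, len(data) - done)
        card_file[offset + done:offset + done + n] = data[done:done + n]
        done += n


def program_and_verify(writer, key_hex: str, key_offset: int = 1):
    """Write the key, read it back, and return (read_back_hex, matches)."""
    key = bytes.fromhex(key_hex)
    # Constructed blank file: key_offset leading bytes plus the key, all 0xFF.
    card_file = bytearray(b"\xff" * (key_offset + len(key)))
    writer(card_file, key, key_offset)
    read_back = bytes(card_file[key_offset:key_offset + len(key)])
    return read_back.hex(), read_back == key


if __name__ == "__main__":
    ki = "00ffeeddccbbaa998877665544332211"  # Ki passed to pySim-prog in the report
    for writer in (write_chunked_buggy, write_chunked_fixed):
        print(writer.__name__, *program_and_verify(writer, ki))
```

Comparing the read-back value with the requested one, rather than echoing the parameters, is what exposes the mismatch the reporter only found with a second tool.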