[Simsec] SIMtester on Android (partial code included)

Lukas Kuzmiak lukas at srlabs.de
Mon May 25 18:53:45 CEST 2015

Hi Joey,

very nice! We did research on our part on how to port SIMTester to Android, it however did not bring much success - this was pre-Android 5 though.
Our main requirement was for it to run without a custom software on the phone, perhaps with rooting only (similar to SnoopSnitch app), so that many people can use it.

I will try to have a look on your code on Android 5 phone, but from what you’ve described you’ve reached similar conclusions to ours. That being - SIM card slot is connected to baseband and baseband itself handles some of the communication - meaning you can’t exactly get as raw interface as you can on a PCSC reader (I don’t remember exactly but I think FETCH and GET_RESPONSE APDUs were handled at least). This would also strip down some functionality of SIMTester as it needs such raw access to detect some of the stuff. Also some SIM cards are just utterly broken and SIMTester will mess up the context between a phone and a SIM card meaning a phone would have to be restarted to be able to use the SIM card again.

Closest we’ve gotten was by implementing a RILD proxy and using OEM_HOOK_RAW commands (which are proprietary) to issue APDUs to SIM cards. We haven’t finished the effort mainly due to user unfriendliness of the solution - you still have to talk to the phone process on Android either faking or forwarding its requests to the SIM (or rild) otherwise it will decide something went wrong and it reboots the system.

Once I have a bit more time I’ll try to revive this on Android 5 - I’ll keep you posted on updates, if you’d decide to continue with this further feel free to contact me directly for support/help with the SIM stuff.


> On 02 Mar 2015, at 09:25, Joey Hewitt <joey at joeyhewitt.com> wrote:
> Hello all,
> Android 5 has an iccTransmitApduBasicChannel() API, and some earlier
> builds of Android have similar patches (SEEK).  I wondered if SIMtester
> could be ported to this.  I've made a first attempt, code is here:
> https://github.com/scintill/SIMtester
> This is only tested on my CyanogenMod 11 Sony phone, and it doesn't work
> very well.  The SEEK APIs used should be available on several commercial
> Android builds, but it's hard to find reliable information about which.
> It's able to read the first few SIM files, but fails at MANUAREA, with
> SW = 6f00.  If I hack that out, it goes on to probe TARs, but the
> results don't match what I see on my PC with PCSC.  Looking at the logs
> from my Qualcomm RIL, I think what is happening is that only certain
> types of commands are allowed.  The error message also points to a QMI
> error code, which leads me to believe the baseband is denying access, so
> it's not something that could be trivially bypassed.
> I'm not sure if I can or will pursue this further, but here are some
> ideas for discussion or further investigation:
> - Logical channel access might have less restrictions.  I don't know
> enough about SIMs/smartcards to know if SIMtester can be rewritten to
> use a logical channel rather than the basic channel.
> - The [Remote SIM Access for Android app](http://www.android-rsap.com/)
> proxies SIM requests in some way over Bluetooth on supported phones.
> Maybe it has another route to SIM card access that is less restricted.
> I tried the trial app on my phone (which is supposed to be supported),
> but I could not get it to work.  It seemed to be a fairly superficial
> problem with the installation of a RIL wrapper library, rather than
> something deeper, so maybe there is some hope yet.
> - Arbitrary SIM requests may be possible with proprietary RIL requests,
> AT commands, and/or Linux device ioctl's etc.  Personally, that's not
> very interesting to me, though -- full Android support would be much
> more useful.
> Some more information is in the README.md of the linked code repository.
> If you're interested but are having trouble compiling or running, I'm
> happy to help where I can, but maybe it should be off-list.
> Thanks for reading and cheers,
> Joey Hewitt
> _______________________________________________
> Simsec mailing list
> Simsec at lists.srlabs.de
> https://lists.srlabs.de/cgi-bin/mailman/listinfo/simsec

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4100 bytes
Desc: not available
URL: <http://lists.srlabs.de/pipermail/simsec/attachments/20150525/05de0e78/attachment.bin>

More information about the Simsec mailing list