Last Update: 15.07.1999

SIM-PIC V2.3

Ronny's SIM-PIC.

NEW!!! Sim-Pic V2.3 (includes A3A8 Algorithm!)

This version of Sim-Pic is a GSM Sim card emulator for the GSM Mobile Phone made for the GoldWafer (Pic16f84 + 24c16). V2.3 includes a lot of goodies: Pin Code (8 digits), ~20 Records and Binaries, A3A8 Algorithm procedure + tables, PhoneBook of 7 numbers, procedure to write or modify the content of the 24c16 eeprom with normal ISO card programming commands.

To make Sim-Pic work, all the Records, Binaries, Ki... must be read from your original Sim and copied to the 24c16 eeprom in the wafer. I will try to describe step by step how to do that. V2.3 is a test version so try it and send an email if successful. It contains a new procedure for receive/transmit byte so hopefully it works on all phones. It was just tested with my old Nokia 2110 and my new 6110. Who knows, maybe it's not Y2K bug safe too ;-)

WAFERS

If you don't feel like buying a wafer and your phone supports a full size Sim then you can make the following PCB or use the chip contacts of a phone card.

This single Pic wafer (White Wafer) can be used with Sim-Pic version 1.0 or with the Motorola test card only.

To use Sim-Pic v2.3 you must have this piece of hardware! The Gold Wafer contains the Pic16f84 + an additional memory of 16Kbit from the external EEprom 24c16.

You can build one but if your phone is happy just with a mini size Sim then forget it! For a relatively low price, you can buy a Gold Wafer at Techtronics or at MaxKing and cut it to mini size with the help of your original Sim.

Basically, the 24c16 was needed because of the 5 giant Tables of the A3A8 Algorithm. The biggest Table (Table 0) is 4Kbit long! Tables 1,2,3,4 are 2Kbit, 1Kbit, 512bits, 256bits long.

The content of the Wafer V2.3:
Pic16f84: the concrete code (not to be modified!).
Internal EEprom (Pic16f84): ATR, list of valid INSTRUCTIONS (INS), list of valid file addr.
External EEprom (24c16): Pin, Ki, Records, Binaries, A3A8 Tables, PhoneBook.

PROGRAMMING THE 24C16

To be able to program the Wafer successfully, first the file SimPic23.hex has to be burned in the Pic. Once the Pic is programmed the wafer can receive ISO card commands for programming the 24c16. The best software for doing that is WINEXPLORER V3.6 by Dexter.
Download & Configuration

The 24c16 contains 8 pages, each 2Kbit long (256 bytes).

The ISO card command syntaxes:

Reading Page 0 - 7

A0 BB 00 00 00 RFF R01

BB is an Instruction defined by me (not a GSM inst.) for reading the content of the 24c16 eeprom. This command syntax will read PAGE 0 of the eeprom which is FF+1 bytes (hex) = 256 bytes long.
P1 defines the page number.

A0 BB 01 00 00 RFF R01
A0 BB 02 00 00 RFF R01
A0 BB 03 00 00 RFF R01
A0 BB 04 00 00 RFF R01
A0 BB 05 00 00 RFF R01
A0 BB 06 00 00 RFF R01
A0 BB 07 00 00 RFF R01

That should read all the eeprom content (8 pages, 0-7).
If P1 = 1 then read Page 1
If P1 = 7 then read Page 7... Got it?
Note: R is for Receive.
See Example!

Writing 1 - 10 bytes

A0 AA 00 00 01 R01 81 R02

Instruction AA writes 1 to 10 (hex) = 16 bytes in the EEprom.
P1 defines the Page number.
P2 defines the Address in the Page.
LEN defines the number of bytes to be written.
In this example, one byte 81 will be written in PAGE 0, Address 0. (The first location in the EEprom)

A0 AA 01 30 02 R01 88 88 R02

Here two bytes 88 88 will be written in Page 1 at Address 30, 31.
R01 is the BYTE RETURN (AA)
R02 are the STATUS BYTES (90 00) if successful.
See Example!

THE DATA IN THE 24C16 (the names are based on Asim)

Page 0
ADDR 00 - 07         Pin Code
ADDR 10 - 1F         Ki
ADDR (20) 21 - 24    7F20:6F05 (LANGUAGE)
ADDR (25) 26 - 2E    7F20:6F07 (IMSI)
ADDR (2F) 30 - 38    7F20:6F20 (Kc)
ADDR (39) 3A - 3E    7F20:6F41 (PRICE PER UNIT)
ADDR (3F) 40 - 6F    7F20:6F30 (PLMN SELECTOR)
ADDR (70) 71         7F20:6F31 (SEARCH PERIOD)
ADDR (72) 73 - 75    7F20:6F37 (ACCOUNT MAXIMUM)
ADDR (76) 77 - 7A    7F20:6F38 (SIM SERVICE TABLE)
ADDR (7B) 7C - 7E    7F20:6F39 (ACCUMULATED CALL METER)
ADDR (7F) 80 - 8F    7F20:6F74 (BROADCAST CONTROL CHANNEL)
ADDR (90) 91 - 92    7F20:6F78 (ACCESS CONTROL CLASS)
ADDR (93) 94 - 9F    7F20:6F7B (FORBIDDEN PLMNS)
ADDR (A0) A1 - AB    7F20:6F7E (LOCATION INFORMATION)
ADDR (AC) AD - AF    7F20:6FAD (ADMINISTRATIVE DATA)
ADDR (B0) B1         7F20:6FAE (PHASE IDENTIFICATION)
ADDR (B2) B3 - BC    3F00:2FE2 (CARD SERIAL NUM)
ADDR (BD) BE - BF    7F20:6F10 (Not Implemented) Safer is better :-)
ADDR (C0) C1 - C2    7F10:6F43 (SMS STATUS)
ADDR (D0) D1 - E6    (MESSAGE 7F10)
ADDR (E7) E8 - FD    (MESSAGE 7F20)

Page 1
ADDR (00) 01 - 0F    (MESSAGE 2FE2)
ADDR (10) 11 - 1F    (MESSAGE 6F07)
ADDR (20) 21 - 2F    (MESSAGE 6F20)
ADDR (30) 31 - 3F    (MESSAGE 6F30)
ADDR (40) 41 - 4F    (MESSAGE 6F38)
ADDR (50) 51 - 5F    (MESSAGE 6F3A)
ADDR (60) 61 - 6F    (MESSAGE 6F3B)
ADDR (70) 71 - 7F    (MESSAGE 6F3C)
ADDR (80) 81 - 8F    (MESSAGE 6F40)
ADDR (90) 91 - 9F    (MESSAGE 6F4A)
ADDR (A0) A1 - AF    (MESSAGE 6F74)
ADDR (B0) B1 - BF    (MESSAGE 6F78)
ADDR (C0) C1 - CF    (MESSAGE 6F7B)
ADDR (D0) D1 - DF    (MESSAGE 6F7E)
ADDR (E0) E1 - EF    (MESSAGE 6FAD)
ADDR (F0) F1 - FF    A general message for the remaining addresses.

Page 2
ADDR 00 - FF         A3A8 TABLE 0 (First half)

Page 3
ADDR 00 - FF         A3A8 TABLE 0 (Second half)

Page 4
ADDR 00 - FF         A3A8 TABLE 1

Page 5
ADDR 00 - 7F         A3A8 TABLE 2

Page 6
ADDR 00 - 3F         A3A8 TABLE 3

Page 7
ADDR 00 - 1F         A3A8 TABLE 4
ADDR 20 - 3F         PHONEBOOK LOCATION 1
ADDR 40 - 5F         PHONEBOOK LOCATION 2
ADDR 60 - 7F         PHONEBOOK LOCATION 3
ADDR 80 - 9F         PHONEBOOK LOCATION 4
ADDR A0 - BF         PHONEBOOK LOCATION 5
ADDR C0 - DF         PHONEBOOK LOCATION 6
ADDR E0 - EF         PHONEBOOK LOCATION 7

IMPORTANT: The byte at the Address in brackets indicates the length of the Record which comes after, and it is very important for SimPic that those bytes are kept as they are in this Example! Those bytes I call HARD BYTES.

If those bytes are modified, simpic will output errors. It works so that when you ask simpic to output x bytes of a message or record, and x is smaller than or equal to the LEN of the message, then simpic will output the first x bytes of the specific message. If x is bigger than the LEN of the message, the ending 67 00 (Wrong LEN) will be returned.

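The hard-byte rule above, as an added example (not Sim-Pic code and not from the original page): a Python model that checks the length bytes of a page-0 image against the table, applies the x <= LEN read rule, and flags an AA write that would overwrite a hard byte. The function names, the 0xFF filler data, the 90 00 success status on reads and the stay-inside-the-page bound are assumptions; only a subset of the table rows is included.

```python
# Added example, not Sim-Pic code. Rows copied from the page-0 table:
# (hard-byte address, first data address, last data address, name).
PAGE0_RECORDS = [
    (0x20, 0x21, 0x24, "6F05 LANGUAGE"),
    (0x25, 0x26, 0x2E, "6F07 IMSI"),
    (0x2F, 0x30, 0x38, "6F20 Kc"),
    (0x39, 0x3A, 0x3E, "6F41 PRICE PER UNIT"),
    (0x3F, 0x40, 0x6F, "6F30 PLMN SELECTOR"),
    (0x70, 0x71, 0x71, "6F31 SEARCH PERIOD"),
    (0xB2, 0xB3, 0xBC, "2FE2 CARD SERIAL NUM"),
]
SW_OK = bytes([0x90, 0x00])         # assumed success status for reads
SW_WRONG_LEN = bytes([0x67, 0x00])  # "Wrong LEN" from the page

def build_page0(fill=0xFF):
    """Constructed 256-byte page image: hard bytes per table, filler data."""
    page = bytearray([fill] * 256)
    for len_addr, first, last, _ in PAGE0_RECORDS:
        page[len_addr] = last - first + 1
    return page

def check_hard_bytes(page):
    """Names of records whose hard byte disagrees with the table."""
    if len(page) != 256:
        raise ValueError("a 24c16 page is 256 bytes")
    return [name for len_addr, first, last, name in PAGE0_RECORDS
            if page[len_addr] != last - first + 1]

def read_record(page, len_addr, x):
    """Read rule: first x bytes if x <= LEN, otherwise 67 00."""
    if x > page[len_addr]:
        return SW_WRONG_LEN
    return bytes(page[len_addr + 1:len_addr + 1 + x]) + SW_OK

def write_hits_hard_byte(p1, p2, length):
    """True if 'A0 AA p1 p2 length' would overwrite a page-0 hard byte."""
    # Bounds from the page: pages 0-7, 1 to 0x10 bytes; staying inside the
    # 256-byte page is an assumption of this example.
    if not (0 <= p1 <= 7 and 1 <= length <= 0x10 and p2 + length <= 0x100):
        raise ValueError("outside the AA write format described on the page")
    hard = {rec[0] for rec in PAGE0_RECORDS}
    return p1 == 0 and any(addr in hard for addr in range(p2, p2 + length))

if __name__ == "__main__":
    page = build_page0()
    page[0x25] = 0x0A                       # corrupt the IMSI hard byte
    print(check_hard_bytes(page))
    print(read_record(build_page0(), 0x25, 10).hex())
```
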
SIM-PIC V1.0 (dos hex generator for the Pic16x84 and White Wafer)
Short description and info: simpic10.html

Sim-Pic was made by myself for myself and works fine with the Hardware/Software that I have. I don't guarantee that it will work on all the phone models, after all I don't profit from it and just wanted to share my toys with you. If it happens that with the help of Sim-Pic you send to your phone some funny bytes, telling your phone 'Go in self-destruct mode', don't send me an E-mail with the subject: It's your fault.
But if successful, E-mails are welcome :-)

Thanks to everyone who helped. (Janus, Rick, Goran, Antonio...)

Legal stuff: the SIM-PIC won't help anybody to make free phone calls, it's basically doing the same thing as the ASIM on Janus' page, not with a PC but with a Pic card.
Those with original Sims can at most build clones of their own Sims, those without can experiment with FF FFs so they can at most get the menu of the phone working but not logged in the Center.

Final word: if you are not familiar with bits and cards, it's not recommended to use any of what I mentioned above. You might finish with a burnt I/O card (programming Pics) or a locked SIM ('I thought it was the Pic-card!!') or a waste of time. I'm not responsible for any damage you might cause!!!