VoLTE IMS Android Carrier Privileges » History » Version 1
herlesupreeth, 01/19/2020 05:46 PM
| 1 | 1 | herlesupreeth | h1. VoLTE IMS Android Carrier Privileges / CoIMS (Carrier Config overriding IMS settings) |
|---|---|---|---|
| 2 | |||
| 3 | Guide for overriding IMS settings to force enable VoLTE/VoWiFi using Carrier Privileges |
||
| 4 | |||
| 5 | (this guide by Supreeth Herle was first published at https://github.com/herlesupreeth/CoIMS_Wiki and is reproduce here with permission) |
||
| 6 | |||
| 7 | h2. Requirements |
||
| 8 | |||
| 9 | * A programmable version of USIM/ISIM with KIC1, KID1 and KIK1, or a non-programmable USIM/ISIM with ARA-M application but with option to push certficates to ARA-M via OTA |
||
| 10 | ** [[sysmoUSIM-SJS1]] is a known-working, publicly available option |
||
| 11 | * VoLTE/VoWiFi capable phone with Android Pie or above |
||
| 12 | * PCSC, serial card reader (SIM card programmer) |
||
| 13 | * Java v1.8 |
||
| 14 | |||
| 15 | h2. My Setup |
||
| 16 | |||
| 17 | * [[sysmoUSIM-SJS1]]-4ff USIM with ADM keys |
||
| 18 | * OnePlus 5t UE with Android Pie |
||
| 19 | * Gemalto SIM programmer |
||
| 20 | |||
| 21 | h2. Big shout out and credits to following people for their awesome work |
||
| 22 | |||
| 23 | "Martin Paljak":https://github.com/martinpaljak for GlobalPlatformPro (gp.jar) - A tool to load and manage applets on compatible JavaCards from command line |
||
| 24 | |||
| 25 | "Bertrand Martel":https://github.com/bertrandmartel/aram-applet for ARA-M applet (applet.cap) - ARA-M implementation for JavaCards. ARA-M is an application (typically present on a SIM card) which manage access rules that are enforced by an Access Control Enforcer (typically present on Android device). The enforcer makes sure the rules from the ARAM are enforced. An access rule is composed of an AID, a certificate hash (SHA1/SHA256 of client application cert) and a set of rules. The Access Control enforcer will allow/deny a client application (for example an Android app) to send APDU to a Secure Element (SE) applet based on these rules |
||
| 26 | |||
| 27 | h2. Steps |
||
| 28 | |||
| 29 | h3. Step 1: Clone repository and fetch details of the SIM |
||
| 30 | |||
| 31 | In order to install and/or manage Java Card applets on your SIM card, make sure to have KIC1, KID1 and KIK1 keys. KIC1, KID1 and KIK1 could differ from one SIM card to another so make sure to have the correct keys. If you have a non-programmable USIM/ISIM with ARA-M application and have option to push certficates to ARA-M via OTA, jump to Step 4 |
||
| 32 | |||
| 33 | <pre> |
||
| 34 | $ git clone https://github.com/herlesupreeth/CoIMS_Wiki |
||
| 35 | $ cd CoIMS_Wiki |
||
| 36 | $ alias gp="java -jar $PWD/gp.jar" |
||
| 37 | </pre> |
||
| 38 | |||
| 39 | Example: In [[sysmoUSIM-SJS1]]-4ff USIM cards, the key mappings for GlobalPlatformPro are as follows |
||
| 40 | |_.sysmoUSIM key |_.GlobalPlatformPro argument | |
||
| 41 | |KIC1|--key-enc| |
||
| 42 | |KID1|--key-mac| |
||
| 43 | |KIK1|--key-dek| |
||
| 44 | |||
| 45 | Fetch details of the SIM by replacing KIC1, KID1 and KIK1 with correct keys respective to your SIM card. Execution of below command should not result in any error. If there is an error, please check the error and double check everything before proceeding |
||
| 46 | <pre> |
||
| 47 | $ gp --key-enc KIC1 --key-mac KID1 --key-dek KIK1 -lvi |
||
| 48 | </pre> |
||
| 49 | |||
| 50 | h3. Step 2: Unlock the SIM card for easier installation of applet as follows (Optional) |
||
| 51 | |||
| 52 | *Proceed with caution when unlocking SIM card as it could brick your USIM/ISIM if incorrect KIC1, KID1 and KIK1 keys are used* |
||
| 53 | <pre> |
||
| 54 | $ gp --key-enc KIC1 --key-mac KID1 --key-dek KIK1 --unlock |
||
| 55 | </pre> |
||
| 56 | |||
| 57 | Example: A sysmoUSIM-SJS1-4ff USIM card with following keys is unlocked as follows |
||
| 58 | |||
| 59 | KIC1 = --key-enc = 975B496CED1F2FB984145A55AB31A585 |
||
| 60 | |||
| 61 | KID1 = --key-mac = E7207B567F9D08726A6EFBD90C50DA9A |
||
| 62 | |||
| 63 | KIK1 = --key-dek = DEAA4E9A9B3BC6FC5EFF77A8E9925632 |
||
| 64 | |||
| 65 | <pre> |
||
| 66 | $ gp --key-enc 975B496CED1F2FB984145A55AB31A585 --key-mac E7207B567F9D08726A6EFBD90C50DA9A --key-dek DEAA4E9A9B3BC6FC5EFF77A8E9925632 --unlock |
||
| 67 | Default type=DES3 bytes=404142434445464748494A4B4C4D4E4F kcv=8BAF47 set as master key for A000000003000000 |
||
| 68 | </pre> |
||
| 69 | |||
| 70 | h3. Step 3: Install ARA-M Java Card applets on USIM/ISIM |
||
| 71 | |||
| 72 | *Proceed with caution when installing applets on SIM card as it could brick your USIM/ISIM if incorrect KIC1, KID1 and KIK1 keys are used* |
||
| 73 | |||
| 74 | Install the ARA-M applet (applet.cap). The following command must execute without any errors. |
||
| 75 | |||
| 76 | <pre> |
||
| 77 | # If SIM is not unlocked in Step 2 |
||
| 78 | $ gp --key-enc KIC1 --key-mac KID1 --key-dek KIK1 --install applet.cap |
||
| 79 | # If SIM is unlocked in Step 2 |
||
| 80 | $ gp --install applet.cap |
||
| 81 | </pre> |
||
| 82 | |||
| 83 | h3. Step 4: Push the SHA-1 certifcate of the Carrier Config Android app onto ARA-M in USIM/ISIM |
||
| 84 | |||
| 85 | The Carrier Config Android app which will be installed in Step 5 is signed with following SHA1 key |
||
| 86 | |||
| 87 | SHA1: E4:68:72:F2:8B:35:0B:7E:1F:14:0D:E5:35:C2:A8:D5:80:4F:0B:E3 |
||
| 88 | |||
| 89 | In order to provide Carrier Privileges to Carrier Config app, push the above SHA1 certifcate as follows |
||
| 90 | |||
| 91 | <pre> |
||
| 92 | # If SIM is not unlocked in Step 2 |
||
| 93 | $ gp --key-enc KIC1 --key-mac KID1 --key-dek KIK1 -a 00A4040009A00000015141434C0000 -a 80E2900033F031E22FE11E4F06FFFFFFFFFFFFC114E46872F28B350B7E1F140DE535C2A8D5804F0BE3E30DD00101DB080000000000000001 |
||
| 94 | # If SIM is unlocked in Step 2 |
||
| 95 | $ gp -a 00A4040009A00000015141434C0000 -a 80E2900033F031E22FE11E4F06FFFFFFFFFFFFC114E46872F28B350B7E1F140DE535C2A8D5804F0BE3E30DD00101DB080000000000000001 |
||
| 96 | </pre> |
||
| 97 | |||
| 98 | The split-up of above APDU sent to SIM card is as follows |
||
| 99 | |||
| 100 | <pre> |
||
| 101 | #### REF-AR-DO for UICC Carrier Privileges |
||
| 102 | |||
| 103 | |REF-AR-DO|T|E2 | | | | | |
||
| 104 | | |L|2F | | | | | |
||
| 105 | | |V|REF-DO|T|E1 | | | |
||
| 106 | | | | |L|1E | | | |
||
| 107 | | | | |V|AID-REF-DO |T|4F | |
||
| 108 | | | | | | |L|06 | |
||
| 109 | | | | | | |V|FFFFFFFFFFFF | |
||
| 110 | | | | | |DeviceAppID-REF-DO|T|C1 | |
||
| 111 | | | | | | |L|14 | |
||
| 112 | | | | | | |V|E46872F28B350B7E1F140DE535C2A8D5804F0BE3| |
||
| 113 | | | |AR-DO |T|E3 | | | |
||
| 114 | | | | |L|0D | | | |
||
| 115 | | | | |V|APDU-AR-DO |T|D0 | |
||
| 116 | | | | | | |L|01 | |
||
| 117 | | | | | | |V|01 (Always) | |
||
| 118 | | | | | |PERM-AR-DO |T|DB | |
||
| 119 | | | | | | |L|08 | |
||
| 120 | | | | | | |V|0000000000000001 | |
||
| 121 | </pre> |
||
| 122 | |||
| 123 | To check the list of installed certificates use the following command |
||
| 124 | |||
| 125 | <pre> |
||
| 126 | # If SIM is not unlocked in Step 2 |
||
| 127 | $ gp --key-enc KIC1 --key-mac KID1 --key-dek KIK1 -acr-list |
||
| 128 | RULE #0 : |
||
| 129 | AID : FFFFFFFFFFFF |
||
| 130 | HASH : E46872F28B350B7E1F140DE535C2A8D5804F0BE3 |
||
| 131 | APDU rule : ALWAYS(0x01) |
||
| 132 | # If SIM is unlocked in Step 2 |
||
| 133 | $ gp -acr-list |
||
| 134 | RULE #0 : |
||
| 135 | AID : FFFFFFFFFFFF |
||
| 136 | HASH : E46872F28B350B7E1F140DE535C2A8D5804F0BE3 |
||
| 137 | APDU rule : ALWAYS(0x01) |
||
| 138 | </pre> |
||
| 139 | |||
| 140 | _If you have a non-programmable USIM/ISIM with ARA-M application and have option to push certficates to ARA-M via OTA, push the above SHA1 certificate on to the SIM_ |
||
| 141 | |||
| 142 | h3. Step 5: Install the Carrier Config Android app from Play Store |
||
| 143 | |||
| 144 | Make sure the SIM card is placed in the default/first SIM slot of the device (only for multi-sim capable devices) |
||
| 145 | |||
| 146 | Download the "CoIMS":https://play.google.com/store/apps/details?id=com.sherle.coims Carrier Config app from play store. Then, run the app |
||
| 147 | |||
| 148 | Important points/values to note after running the app for this app to enable VoLTE |
||
| 149 | |||
| 150 | * "App has Carrier Privileges" must be true |
||
| 151 | * "SIM Carrier Id" must not be -1 (i.e Unknown Carrier) |
||
| 152 | * "carrier_volte_provisioned_bool" must be true |
||
| 153 | |||
| 154 | h2. Debugging |
||
| 155 | |||
| 156 | Use adb debugging with filter for "ims" keyword |
||
| 157 | |||
| 158 | h3. Potential reasons for this method not working |
||
| 159 | |||
| 160 | # If the value of CarrierIdentifier indicated in the app is -1 (i.e Unknown Carrier) |
||
| 161 | #* If PLMN is on the following list (https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/master/assets/carrier_list.textpb) Resolution: Wait for vendor to release an update and hopefully it contains the updated carrier list |
||
| 162 | #*If PLMN is not on the following list (https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/master/assets/carrier_list.textpb) Resolution: Refer the following link (https://source.android.com/devices/tech/config/carrierid#integrating_carrier_ids_with_carrierconfig) |
||
| 163 | # Some devices with Samsung Exynos chipset/ Mediatek chipset require ISIM, only USIM is not enough for SIP registrations |
||
| 164 | # Does not seem to work on Samsung devices with Exynos chipset |
||
| 165 | # If the SIM is placed in non-default SIM slot in a multi-SIM phones i.e. SIM in slot 1 (SIM slot 0 (default), SIM slot 1) of device |
