Case Analysis of an SMS-Triggered SIM OTA Flow over the STK BIP Protocol (Docomo, Japan)

admin, 2022-02-02

Version history

Revision  Date        Author      Description of change
0.1       2018-03-26  Vicent GAO  Initial

Contents

1. Preface
1.1. What is BIP
1.2. What can BIP do?
1.3. How widespread is BIP?
2. Triggering the BIP flow
2.1. The module receives a new SMS of the SIM Data download type
2.2. The module sends the ENVELOPE command to the SIM card (SMS-PP Download)
3. OPEN CHANNEL (can be understood as PDP activation)
3.1. The module sends the FETCH command to the SIM card (OPEN CHANNEL)
3.2. The module sends the TERMINAL RESPONSE command to the SIM card (OPEN CHANNEL)
4. SEND DATA (send data to the Internet server)
4.1. The module sends the FETCH command to the SIM card (SEND DATA)
4.2. The module sends the TERMINAL RESPONSE command to the SIM card (SEND DATA)
5. RECEIVE DATA (receive data from the Internet server)
5.1. The module sends the ENVELOPE command to the SIM card (Data available)
5.2. The module sends the FETCH command to the SIM card (RECEIVE DATA)
5.3. The module sends the TERMINAL RESPONSE command to the SIM card (RECEIVE DATA)
6. CLOSE CHANNEL (can be understood as PDP deactivation)
6.1. The module sends the FETCH command to the SIM card (CLOSE CHANNEL)
6.2. The module sends the TERMINAL RESPONSE command to the SIM card (CLOSE CHANNEL)

1. Preface

1.1 What is BIP

BIP (Bearer Independent Protocol) is a sub-feature of the SIM card's STK feature. Through STK BIP, the SIM card can use the module's data service to exchange data with a remote Internet server and implement functions such as the common OTA function.

1.2 What can BIP do?

The SIM card can use BIP to update the file system, the firmware version and so on inside the card. A more advanced function that has been envisioned: card A starts out as a China Mobile card, downloads and installs China Unicom's file system over BIP, and card A thereby turns into a China Unicom card.

1.3 How widespread is BIP?

Adoption is fairly low. No SIM card that supports BIP can be found in China, and it is used only sporadically abroad. However, BIP is a mandatory test item in certification for operators outside China.

2. Triggering the BIP flow

2.1 The module receives a new SMS of the SIM Data download type

2018 Mar 20 06:21:27.248 [3F] 0x713A UMTS UE OTA -- SMS_CP_DATA
Message Direction = To UE
chan_type = 0 (0x0)
prot_disc_check = 9 (0x9)
trans_id_or_skip_ind = 0 (0x0)
prot_disc = 9 (0x9) (GSM_SMS_MESSAGES)
msg_type = 1 (0x1)
prot
sms_prot
sms_cp_data
sms_cp_user_data
length = 105 (0x69)
rp_message
mti = 1 (0x1)
message_reference = 24 (0x18)
sms_rp_message_body
rp_data_to_ue
orig_addr
length = 7 (0x7)
ext = 1 (0x1)
type = 1 (0x1)
num_plan_id = 1 (0x1)
number[0] = 4 (0x4)
number[1] = 2 (0x2)
number[2] = 3 (0x3)
number[3] = 7 (0x7)
number[4] = 9 (0x9)
number[5] = 0 (0x0)
number[6] = 1 (0x1)
number[7] = 0 (0x0)
number[8] = 5 (0x5)
number[9] = 5 (0x5)
number[10] = 0 (0x0)
number[11] = 15 (0xf)
dest_addr
length = 0 (0x0)
user_data
length = 93 (0x5d)
sms_tpdu_prot
mti = 0 (0x0)
sm_tl_sms_deliver
reply_path = 0 (0x0)
udh_indicator = 1 (0x1)
stat_rep_indicator = 0 (0x0)
more_messages = 1 (0x1)
orig_address
length = 6 (0x6)
type_of_number = 0 (0x0)
number_plan_id = 9 (0x9)
addr_value[0] = 9 (0x9)
addr_value[1] = 0 (0x0)
addr_value[2] = 0 (0x0)
addr_value[3] = 0 (0x0)
addr_value[4] = 3 (0x3)
addr_value[5] = 0 (0x0)
prot_id = 127 (0x7f) ((U)SIM Data download)
data_coding_scheme = 246 (0xf6) (0xf6 data coding=1, class=2)
serv_cent_time_stamp_date =(0x) (03/20/18)
serv_cent_time_stamp_time =(0x) (06:21:25)
serv_cent_time_stamp_tz = 0 (0x0) (0x00 +00:00)
tp_user_data
user_data_len = 77 (0x4d)
sm_tp_user_data_ascii_8
udhl = 2 (0x2)
num_ies = 1 (0x1)
info_elements[0]
iei = 112 (0x70) (USIM_TOOLKIT_SEC_HDRS_0)
usim_toolkit_sec_hdrs
user_data_8_bit[0] = 0 (0x0) (00)
user_data_8_bit[1] = 72 (0x48) (0110)
user_data_8_bit[2] = 21 (0x15) (025)
user_data_8_bit[3] = 22 (0x16) (026)
user_data_8_bit[4] = 1 (0x1) (01)
user_data_8_bit[5] = 18 (0x12) (022)
user_data_8_bit[6] = 18 (0x12) (022)
user_data_8_bit[7] = 0 (0x0) (00)
user_data_8_bit[8] = 0 (0x0) (00)
user_data_8_bit[9] = 0 (0x0) (00)
user_data_8_bit[10] = 55 (0x37) (067)
user_data_8_bit[11] = 198 (0xc6) (0306)
user_data_8_bit[12] = 76 (0x4c) (0114)
user_data_8_bit[13] = 40 (0x28) (050)
user_data_8_bit[14] = 241 (0xf1) (0361)
user_data_8_bit[15] = 194 (0xc2) (0302)
user_data_8_bit[16] = 240 (0xf0) (0360)
user_data_8_bit[17] = 65 (0x41) (0101)
user_data_8_bit[18] = 64 (0x40) (0100)
user_data_8_bit[19] = 218 (0xda) (0332)
user_data_8_bit[20] = 20 (0x14) (024)
user_data_8_bit[21] = 148 (0x94) (0224)
user_data_8_bit[22] = 62 (0x3e) (076)
user_data_8_bit[23] = 116 (0x74) (0164)
user_data_8_bit[24] = 66 (0x42) (0102)
user_data_8_bit[25] = 14 (0xe) (016)
user_data_8_bit[26] = 133 (0x85) (0205)
user_data_8_bit[27] = 179 (0xb3) (0263)
user_data_8_bit[28] = 126 (0x7e) (0176)
user_data_8_bit[29] = 20 (0x14) (024)
user_data_8_bit[30] = 110 (0x6e) (0156)
user_data_8_bit[31] = 108 (0x6c) (0154)
user_data_8_bit[32] = 13 (0xd) (015)
user_data_8_bit[33] = 200 (0xc8) (0310)
user_data_8_bit[34] = 79 (0x4f) (0117)
user_data_8_bit[35] = 12 (0xc) (014)
user_data_8_bit[36] = 174 (0xae) (0256)
user_data_8_bit[37] = 197 (0xc5) (0305)
user_data_8_bit[38] = 9 (0x9) (011)
user_data_8_bit[39] = 172 (0xac) (0254)
user_data_8_bit[40] = 27 (0x1b) (033)
user_data_8_bit[41] = 93 (0x5d) (0135)
user_data_8_bit[42] = 85 (0x55) (0125)
user_data_8_bit[43] = 170 (0xaa) (0252)
user_data_8_bit[44] = 45 (0x2d) (055)
user_data_8_bit[45] = 226 (0xe2) (0342)
user_data_8_bit[46] = 176 (0xb0) (0260)
user_data_8_bit[47] = 144 (0x90) (0220)
user_data_8_bit[48] = 117 (0x75) (0165)
user_data_8_bit[49] = 221 (0xdd) (0335)
user_data_8_bit[50] = 14 (0xe) (016)
user_data_8_bit[51] = 148 (0x94) (0224)
user_data_8_bit[52] = 242 (0xf2) (0362)
user_data_8_bit[53] = 48 (0x30) (060)
user_data_8_bit[54] = 41 (0x29) (051)
user_data_8_bit[55] = 135 (0x87) (0207)
user_data_8_bit[56] = 19 (0x13) (023)
user_data_8_bit[57] = 180 (0xb4) (0264)
user_data_8_bit[58] = 50 (0x32) (062)
user_data_8_bit[59] = 41 (0x29) (051)
user_data_8_bit[60] = 134 (0x86) (0206)
user_data_8_bit[61] = 50 (0x32) (062)
user_data_8_bit[62] = 31 (0x1f) (037)
user_data_8_bit[63] = 200 (0xc8) (0310)
user_data_8_bit[64] = 42 (0x2a) (052)
user_data_8_bit[65] = 104 (0x68) (0150)
user_data_8_bit[66] = 223 (0xdf) (0337)
user_data_8_bit[67] = 1 (0x1) (01)
user_data_8_bit[68] = 163 (0xa3) (0243)
user_data_8_bit[69] = 84 (0x54) (0124)
user_data_8_bit[70] = 35 (0x23) (043)
user_data_8_bit[71] = 15 (0xf) (017)
user_data_8_bit[72] = 231 (0xe7) (0347)
user_data_8_bit[73] = 85 (0x55) (0125)
user_data_8_bit[74] = 0 (0x0) (00)

2.2 The module sends the ENVELOPE command to the SIM card (SMS-PP Download)

Module -> SIM card: 80 C2 00 00 6E
SIM card -> Module: C2
Module -> SIM card: D1 6C 02 02 83 81 06 07 91 24 73 09 01 55 F0 0B 5D 44 06 89 09 00 03 7F F6 81 30 02 60 12 52 00 4D 02 70 00 00 48 15 16 01 12 12 00 00 00 37 C6 4C 28 F1 C2 F0 41 40 DA 14 94 3E 74 42 0E 85 B3 7E 14 6E 6C 0D C8 4F 0C AE C5 09 AC 1B 5D 55 AA 2D E2 B0 90 75 DD 0E 94 F2 30 29 87 13 B4 32 29 86 32 1F C8 2A 68 DF 01 A3 54 23 0F E7 55
SIM card -> Module: 61 13
Module -> SIM card: 00 C0 00 00 13
SIM card -> Module: C0 02 71 00 00 0E 0A 00 00 00 00 00 00 00 11 00 00 02 90 00 91 0B

// QCAT APDU decode:
slot value:1
ENVELOPE
Logical Channel: 0
UICC instruction class
CLA - No SM used between terminal and card
SMS-PP Download -- Command Data:
Device ID
Source ID : network
Destination ID : SIM
Address
Type of Number : International Number
Numbering Plan ID : ISDN/telephony
Dialing Number :
SMS TPDU TLV : 0x0B 0x5D 0x44 ...
SMS-PP Download -- Response Data:
UICC Acknowledgement : 0x02 0x71 0x00 0x00 0x0E 0x0A 0x00 0x00 0x00 0x00
    : 0x00 0x00 0x00 0x11 0x00 0x00 0x02 0x90 0x00
Status Words - 0x91 0x0B - Normal ending of command, Extra info from proactive SIM Data available

3. OPEN CHANNEL (can be understood as PDP activation)

3.1 The module sends the FETCH command to the SIM card (OPEN CHANNEL)

Module -> SIM card: 80 12 00 00 29
SIM card -> Module: 12 D0 27 81 03 01 40 03 82 02 81 82 05 00 35 07 02 00 00 03 00 00 02 39 02 02 00 47 01 00 3C 03 02 10 14 3E 05 21 34 1C 80 C8 90 00

// QCAT APDU decode:
slot value:1
FETCH
Logical Channel: 0
UICC instruction class
CLA - No SM used between terminal and card
Proactive command data:
Command Details
Command Number : 1
Command Type : OPEN CHANNEL
Command Qualifier : immediate link establishment
    : auto reconnection
    : no background mode
Device ID
Source ID : SIM
Destination ID : terminal
Buffer Size : 512 bytes
Network Access Name :
Data Destination Addr : IPv4 address: 52.28.128.200
Status Words - 0x90 0x00 - Normal ending of the command

3.2 The module sends the TERMINAL RESPONSE command to the SIM card (OPEN CHANNEL)

Module -> SIM card: 80 14 00 00 1D
SIM card -> Module: 14
Module -> SIM card: 81 03 01 40 03 02 02 82 81 03 01 00 38 02 81 00 35 07 02 00 00 03 00 00 02 39 02 02 00
SIM card -> Module: 91 4E

// QCAT APDU decode:
slot value:1
TERMINAL RESPONSE
Logical Channel: 0
UICC instruction class
CLA - No SM used between terminal and card
Response Data
Command Details
Command Number : 1
Command Type : OPEN CHANNEL
Command Qualifier : immediate link establishment
    : auto reconnection
    : no background mode
Device ID
Source ID : terminal
Destination ID : SIM
Result
General Result : Cmd performed successfully
Channel Status : Channel Identifier 1
For CS, PDP, local & Default bearer: Link established or PDP context activated
For UICC Server Mode : TCP in ESTABLISHED state
For Term. Server Mode & TCP: TCP in ESTABLISHED state
Unknown TLV : 0x00 0x02 0x39 ...
Status Words - 0x91 0x4E - Normal ending of command, Extra info from proactive SIM Data available

4. SEND DATA (send data to the Internet server)

4.1 The module sends the FETCH command to the SIM card (SEND DATA)

Module -> SIM card: 80 12 00 00 4E
SIM card -> Module: 12 D0 4C 81 03 01 43 01 82 02 81 21 36 41 16 03 03 00 3C 01 00 00 38 03 03 37 00 C0 4F CB 0F 39 C8 D8 6C A5 FE CF 98 1E 9D 0C C3 C6 77 21 AF 02 58 9E 7C 84 F8 5F 53 1E B8 00 00 0A 00 AE 00 8C 00 8B 00 B0 00 2C 01 00 00 05 00 01 00 01 01 90 00

// QCAT APDU decode:
slot value:1
FETCH
Logical Channel: 0
UICC instruction class
CLA - No SM used between terminal and card
Proactive command data:
Command Details
Command Number : 1
Command Type : SEND DATA
Command Qualifier : send data immediately
Device ID
Source ID : SIM
Destination ID : Channel 1
channel data : 0x22 0x3 0x3 0x0 0x60 0x1 0x0 0x0 0x56 0x3 0x3 0x55 0x0 0x192 0x79 0x203 0x15 0x57 0x200 0x216 0x108 0x165 0x254 0x207 0x152 0x30 0x157 0x12 0x195 0x198 0x119 0x33 0x175 0x2 0x88 0x158 0x124 0x132 0x248 0x95 0x83 0x30 0x184 0x0 0x0 0x10 0x0 0x174 0x0 0x140 0x0 0x139 0x0 0x176 0x0 0x44 0x1 0x0 0x0 0x5 0x0 0x1 0x0 0x1 0x1
Status Words - 0x90 0x00 - Normal ending of the command

4.2 The module sends the TERMINAL RESPONSE command to the SIM card (SEND DATA)

Module -> SIM card: 80 14 00 00 0F
SIM card -> Module: 14
Module -> SIM card: 81 03 01 43 01 02 02 82 81 03 01 00 37 01 FF
SIM card -> Module: 91 13

// QCAT APDU decode:
slot value:1
TERMINAL RESPONSE
Logical Channel: 0
UICC instruction class
CLA - No SM used between terminal and card
Response Data
Command Details
Command Number : 1
Command Type : SEND DATA
Command Qualifier : send data immediately
Device ID
Source ID : terminal
Destination ID : SIM
Result
General Result : Cmd performed successfully
Channel Data Length : More than 255 bytes available
Status Words - 0x91 0x13 - Normal ending of command, Extra info from proactive SIM Data available

5. RECEIVE DATA (receive data from the Internet server)

5.1 The module sends the ENVELOPE command to the SIM card (Data available)

Module -> SIM card: 80 C2 00 00 10
SIM card -> Module: C2
Module -> SIM card: D6 0E 19 01 09 02 02 82 81 38 02 81 00 37 01 36
SIM card -> Module: 91 0E

// QCAT APDU decode:
slot value:1
ENVELOPE
Logical Channel: 0
UICC instruction class
CLA - No SM used between terminal and card
Event Download -- Command Data:
Event List : Data available
Device ID
Source ID : terminal
Destination ID : SIM
Channel Status : Channel Identifier 1
For CS, PDP, local & Default bearer: Link established or PDP context activated
For UICC Server Mode : TCP in ESTABLISHED state
For Term. Server Mode & TCP: TCP in ESTABLISHED state
Channel Data Length : 54
Status Words - 0x91 0x0E - Normal ending of command, Extra info from proactive SIM Data available

5.2 The module sends the FETCH command to the SIM card (RECEIVE DATA)

Module -> SIM card: 80 12 00 00 0E
SIM card -> Module: 12 D0 0C 81 03 01 42 00 82 02 81 21 37 01 36 90 00

// QCAT APDU decode:
slot value:1
FETCH
Logical Channel: 0
UICC instruction class
CLA - No SM used between terminal and card
Proactive command data:
Command Details
Command Number : 1
Command Type : RECEIVE DATA
Device ID
Source ID : SIM
Destination ID : Channel 1
Channel Data Length : 54
Status Words - 0x90 0x00 - Normal ending of the command

5.3 The module sends the TERMINAL RESPONSE command to the SIM card (RECEIVE DATA)

Module -> SIM card: 80 14 00 00 47
SIM card -> Module: 14
Module -> SIM card: 81 03 01 42 00 02 02 82 81 03 01 00 36 36 16 03 03 00 31 02 00 00 2D 03 03 4D C9 C5 AC 09 53 88 FF F5 FB 19 32 51 01 D7 D8 A1 16 A6 FC E6 D5 EC 9F 4B 2C 2C 38 5C 89 15 A8 00 00 8C 00 00 05 00 01 00 01 01 37 01 00
SIM card -> Module: 90 00

// QCAT APDU decode:
slot value:1
TERMINAL RESPONSE
Logical Channel: 0
UICC instruction class
CLA - No SM used between terminal and card
Response Data
Command Details
Command Number : 1
Command Type : RECEIVE DATA
Device ID
Source ID : terminal
Destination ID : SIM
Result
General Result : Cmd performed successfully
channel data : 0x22 0x3 0x3 0x0 0x49 0x2 0x0 0x0 0x45 0x3 0x3 0x77 0x201 0x197 0x172 0x9 0x83 0x136 0x255 0x245 0x251 0x25 0x50 0x81 0x1 0x215 0x216 0x161 0x22 0x166 0x252 0x230 0x213 0x236 0x159 0x75 0x44 0x44 0x56 0x92 0x137 0x21 0x168 0x0 0x0 0x140 0x0 0x0 0x5 0x0 0x1 0x0 0x1 0x1 0x55 0x1 0x0
Status Words - 0x90 0x00 - Normal ending of the command

6. CLOSE CHANNEL (can be understood as PDP deactivation)

6.1 The module sends the FETCH command to the SIM card (CLOSE CHANNEL)

Module -> SIM card: 80 12 00 00 0B
SIM card -> Module: 12 D0 09 81 03 01 41 00 82 02 81 21 90 00

slot value:1
FETCH
Logical Channel: 0
UICC instruction class
CLA - No SM used between terminal and card
Proactive command data:
Command Details
Command Number : 1
Command Type : CLOSE CHANNEL
Device ID
Source ID : SIM
Destination ID : Channel 1
Status Words - 0x90 0x00 - Normal ending of the command

6.2 The module sends the TERMINAL RESPONSE command to the SIM card (CLOSE CHANNEL)

Module -> SIM card: 80 14 00 00 0C
SIM card -> Module: 14
Module -> SIM card: 81 03 01 41 00 02 02 82 81 03 01 00
SIM card -> Module: 90 00

// QCAT APDU decode:
slot value:1
TERMINAL RESPONSE
Logical Channel: 0
UICC instruction class
CLA - No SM used between terminal and card
Response Data
Command Details
Command Number : 1
Command Type : CLOSE CHANNEL
Device ID
Source ID : terminal
Destination ID : SIM
Result
General Result : Cmd performed successfully
Status Words - 0x90 0x00 - Normal ending of the command
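
For auditing which server a SIM Data download SMS makes the card contact, the OPEN CHANNEL proactive command from section 3.1 can be decoded directly. The following Python is an added example, not part of the original write-up or of QCAT; the function names are chosen for this example, and the tag and protocol-type values assume the ETSI TS 102 223 encoding.

```python
import ipaddress

# FETCH response body from section 3.1, copied from the trace, without the
# leading INS echo 0x12 and the trailing status words 90 00.
OPEN_CHANNEL = bytes.fromhex(
    "D0 27 81 03 01 40 03 82 02 81 82 05 00 35 07 02 00 00 03 00 00 02"
    " 39 02 02 00 47 01 00 3C 03 02 10 14 3E 05 21 34 1C 80 C8")

COMMAND_TYPES = {0x40: "OPEN CHANNEL", 0x41: "CLOSE CHANNEL",
                 0x42: "RECEIVE DATA", 0x43: "SEND DATA"}
TRANSPORTS = {0x01: "UDP, UICC client mode", 0x02: "TCP, UICC client mode",
              0x03: "TCP, UICC server mode"}

def read_len(buf, i):
    """Return (length, next index); lengths 128..255 are prefixed by 0x81."""
    if buf[i] == 0x81:
        return buf[i + 1], i + 2
    if buf[i] > 0x7F:
        raise ValueError("unsupported length encoding")
    return buf[i], i + 1

def iter_tlvs(buf):
    """Yield (tag without the comprehension-required bit, value)."""
    i = 0
    while i < len(buf):
        tag = buf[i] & 0x7F
        length, i = read_len(buf, i + 1)
        if i + length > len(buf):
            raise ValueError("truncated TLV")
        yield tag, buf[i:i + length]
        i += length

def summarize(fetch_body):
    if fetch_body[0] != 0xD0:
        raise ValueError("not a proactive command")
    length, start = read_len(fetch_body, 1)
    out = {}
    for tag, val in iter_tlvs(fetch_body[start:start + length]):
        if tag == 0x01:    # Command details: number, type, qualifier
            out["command"] = COMMAND_TYPES.get(val[1], hex(val[1]))
        elif tag == 0x39:  # Buffer size
            out["buffer_size"] = int.from_bytes(val, "big")
        elif tag == 0x3C:  # UICC/terminal interface transport level
            out["transport"] = TRANSPORTS.get(val[0], hex(val[0]))
            out["port"] = int.from_bytes(val[1:3], "big")
        elif tag == 0x3E and val and val[0] == 0x21:  # Other address, IPv4
            out["ip"] = str(ipaddress.IPv4Address(val[1:5]))
    return out
```

`summarize(OPEN_CHANNEL)` recovers the same destination address and buffer size that QCAT prints, plus the transport type and port carried in the 3C object.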

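The channel data that QCAT prints as an undecoded byte list in sections 4.1 and 5.3 begins with a TLS handshake record header (16 03 03), so it can be parsed to review which cipher suites the card offers and which one the server selects. This Python is an added example, not part of the original write-up; the function names are chosen here, the byte strings are the Channel data values (tag 36) copied from the trace, and the suite names are taken from the IANA TLS registry.

```python
import struct

# Channel data values copied from the trace: SEND DATA in section 4.1 and
# RECEIVE DATA in section 5.3.
SENT = bytes.fromhex(
    "16 03 03 00 3C 01 00 00 38 03 03 37 00 C0 4F CB 0F 39 C8 D8 6C A5 FE"
    " CF 98 1E 9D 0C C3 C6 77 21 AF 02 58 9E 7C 84 F8 5F 53 1E B8 00 00 0A"
    " 00 AE 00 8C 00 8B 00 B0 00 2C 01 00 00 05 00 01 00 01 01")
RECEIVED = bytes.fromhex(
    "16 03 03 00 31 02 00 00 2D 03 03 4D C9 C5 AC 09 53 88 FF F5 FB 19 32"
    " 51 01 D7 D8 A1 16 A6 FC E6 D5 EC 9F 4B 2C 2C 38 5C 89 15 A8 00 00 8C"
    " 00 00 05 00 01 00 01 01")

SUITES = {  # IANA TLS cipher suite registry
    0x002C: "TLS_PSK_WITH_NULL_SHA",
    0x008B: "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
    0x008C: "TLS_PSK_WITH_AES_128_CBC_SHA",
    0x00AE: "TLS_PSK_WITH_AES_128_CBC_SHA256",
    0x00B0: "TLS_PSK_WITH_NULL_SHA256",
}

def parse_hello(record):
    """Return (message name, protocol version, list of cipher suite names)."""
    ctype, _rec_ver, rec_len = struct.unpack_from(">BHH", record, 0)
    if ctype != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a single complete TLS handshake record")
    msg_type = record[5]
    body_len = int.from_bytes(record[6:9], "big")
    if body_len != rec_len - 4:
        raise ValueError("handshake length mismatch")
    version = struct.unpack_from(">H", record, 9)[0]
    pos = 9 + 2 + 32                 # skip version and 32-byte random
    pos += 1 + record[pos]           # skip session id
    if msg_type == 0x01:             # ClientHello: list of offered suites
        n = struct.unpack_from(">H", record, pos)[0]
        ids = struct.unpack_from(">%dH" % (n // 2), record, pos + 2)
        name = "ClientHello"
    elif msg_type == 0x02:           # ServerHello: the one selected suite
        ids = struct.unpack_from(">H", record, pos)
        name = "ServerHello"
    else:
        raise ValueError("not a hello message")
    return name, version, [SUITES.get(i, hex(i)) for i in ids]

def null_suites(names):
    """Suites that authenticate but do not encrypt."""
    return [s for s in names if "_WITH_NULL_" in s]
```

On this trace the card offers five PSK suites, two of which provide no encryption, and the server selects TLS_PSK_WITH_AES_128_CBC_SHA.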