Simlock Overview: Confidential and Proprietary - Qualcomm Technologies, Inc

Download as pdf or txt
Download as pdf or txt
You are on page 1of 17

SimLock Overview

80-ND826-1 A

Confidential and Proprietary – Qualcomm Technologies, Inc.


Restricted Distribution: Not to be distributed to anyone who is not an employee of either Qualcomm or its subsidiaries without the express approval of Qualcomm’s Configuration Management.
Confidential and Proprietary – Qualcomm Technologies, Inc.

Confidential and Proprietary – Qualcomm Technologies, Inc.


Restricted Distribution: Not to be distributed to anyone who is not an employee of either Qualcomm or its subsidiaries without the express approval of Qualcomm’s
Configuration Management.
Not to be used, copied, reproduced, or modified in whole or in part, nor its contents revealed in any manner to others without the express written permission of
Qualcomm Technologies, Inc.
Qualcomm reserves the right to make changes to the product(s) or information contained herein without notice. No liability is assumed for any damages arising directly
or indirectly by their use or application. The information provided in this document is provided on an “as is” basis.
This document contains confidential and proprietary information and must be shredded when discarded.
Qualcomm is a trademark of QUALCOMM Incorporated, registered in the United States and other countries. All QUALCOMM Incorporated trademarks are used with
permission. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly
prohibited.
Qualcomm Technologies, Inc.
5775 Morehouse Drive
San Diego, CA 92121
U.S.A.
© 2012 Qualcomm Technologies, Inc.
All rights reserved.

PAGE 2 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
Revision History

Revision Date Description

A Oct 2012 Initial release

PAGE 3 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
Contents

 SimLock in the Modem


 SimLock on Apps Processor
 Secure Channel Between Modem and TrustZone
 Notes on Security
 External SimLock in Modem
 NV Items
 External SimLock – Integration with RIL
 References
 Questions?

PAGE 4 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
SimLock in the Modem

 The Qualcomm Technologies, Inc. (QTI) chipset has support for SimLock
 Compliant with [S1]
 Partial implementation of [S2] per operator requirements
 SimLock is configured in the factory using the diag interface
 Control key (CK) values are generated randomly
 CK values are locked after configuration is completed using diag interface
 Configuration is stored on a secure file system
 The modem executes SimLock verification during card initialization
 Network is not acquired before SimLock is verified

PAGE 5 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
SimLock on Apps Processor

 It is possible to implement SimLock on the apps processor.


 It is executed in sequence after the internal SimLock algorithm.
 Normally, modem SimLock is disabled in this case.
 The modem waits for the apps processor to complete the SimLock algorithm
before acquiring the network.
 The QMI UIM exposes messages to access required EFs (IMSI, AD, etc.)
to execute the SimLock algorithm on the apps processor and to indicate
the result.
 The QMI UIM interface is documented in [Q2].
 Details about this mechanism are available in [Q3].

PAGE 6 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
Secure Channel Between Modem and TrustZone

 Implementation of SimLock on the apps processor is vulnerable to


attacks.
 In most cases, a high-level OS is not trusted.
 Malicious applications can send messages to the modem on behalf of the
SimLock application or intercept and modify those messages.
 The SimLock application is implemented in TrustZone (TZ).
 A secure channel is established between TZ and the modem.
 It guarantees authenticity and integrity of the messages.
 Only part of the payload of the message is encrypted and not the entire message.
 Messages are routed using a dedicated application on the apps processor.
 Changes in the RIL layer are also possible to implement the same functionality.

PAGE 7 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
Secure Channel Between Modem and TrustZone (cont.)

PAGE 8 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
Secure Channel Between Modem and TrustZone (cont.)

PAGE 9 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
Secure Channel Between Modem and TrustZone (cont.)

PAGE 10 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
Notes on Security

 In case of a failed SimLock check, TZ should not pass the encrypted IMSI
in the request to the modem.
 This is required to avoid a malicious application from modifying a flag that
indicated the result from failure to success.
 In general, the opposite attack (modifying from success to failure) is not an
issue.
 IMSI needs to be reencrypted by TZ.
 TZ retrieves encrypted IMSI from the modem, decrypts it, and must then
reencrypt it when notifying the modem to proceed.
 This guarantees that encrypted payload when IMSI is read is not reused by
malicious applications to fake a message from TZ.

PAGE 11 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
External SimLock in Modem

 An external SimLock engine can be implemented also directly in the


modem
 No need of bridge on apps processor
 Direct communication with MMGSDI
 No need of encryption/decryption as everything is in the modem
 MMGSDI APIs are used directly
 MMGSDI events can be used to know when MMGSDI has completed the
internal SimLock procedure
 The mmgsdi_session_subscription_ok() API is available to indicate to proceed
with a subscription

PAGE 12 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
External SimLock in Modem (cont.)

PAGE 13 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
NV Items

 Two NV items control the external SimLock engine


 NV item 65954
 Stored in nv/item_files/modem/uim/mmgsdi/halt_subscription
 Indicates if MMGSDI stops initialization and waits for an external SimLock
verification
 If NV item is not set, MMGSDI continues without waiting for the external client
 NV item 67285
 Stored in nv/item_files/modem/uim/mmgsdi/encrypt_sub_ok
 Indicates if QMI UIM requires encrypted IMSI in the
QMI_UIM_SUBSCRIPTION_OK request to process it
 If an NV item is not set, QMI UIM does not require encryption in the request

PAGE 14 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
External SimLock – Integration with RIL

 In case of an external SimLock engine (in TZ or in the modem), integration


with RIL is required
 No reference code is available for this
 Customer is responsible to integrate SimLock on the device UI
 Different requirements might exist, e.g., the ability to disable SimLock when a
card is missing or with a valid card

PAGE 15 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
References

Ref. Document

Qualcomm Technologies
Q1 Application Note: Software Glossary for Customers CL93-V3077-1

Q2 QMI UIM 1.27, QMI User Identity Module Specification 80-VB816-12

Q3 Application Note: Application Processor Controlled Personalization 80-N6375-1

Standards
S1 Personalisation of Mobile Equipment (ME); Mobile Functionality Specification 3GPP 22.022

S2 ME Personalization for cdma2000 Spread Spectrum Systems 3GPP2 C.S0068-0

PAGE 16 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
Questions?
https://support.cdmatech.com

PAGE 17 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION

You might also like