CoIMS sim card config has no effect about docker_open5gs HOT 6 CLOSED

gp --key-enc 7655100AFC4AB7CE438DBE15471E3A6A --key-mac 5FFF6485DD05DC87BC2C727BE323A0BA --key-dek 1A06C7874AFB614DD29A989BE01B7669 --install applet.cap
I have this at the end:
Error: STRICT WARNING: Card cryptogram invalid!
Card: AF127048A5AB94EA
Host: A1059F4186659AB6
!!! DO NOT RE-TRY THE SAME COMMAND/KEYS OR YOU MAY BRICK YOUR CARD !!!

For this, I see you that you have successfully unlocked the card (see logs below). Once you unlock the card the old keys are not valid anymore. The new keys would be (as mentioned in the log) 404142434445464748494A4B4C4D4E4F. And, when you try to execute the following command gp --key-enc 7655100AFC4AB7CE438DBE15471E3A6A --key-mac 5FFF6485DD05DC87BC2C727BE323A0BA --key-dek 1A06C7874AFB614DD29A989BE01B7669 --install applet.cap you got that error because the keys were wrong.

NOTE: Once you unlock the card, there is not need to provide --key-enc, --key-dek or --key-mac anymore as it will use the default key (404142434445464748494A4B4C4D4E4F)

jsm@jsm-Latitude-E6530:~/SIM/CoIMS_Wiki$ gp --key-enc 7655100AFC4AB7CE438DBE15471E3A6A --key-mac 5FFF6485DD05DC87BC2C727BE323A0BA --key-dek 1A06C7874AFB614DD29A989BE01B7669 --unlock
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=7655100AFC4AB7CE438DBE15471E3A6A (KCV: D1A494) MAC=5FFF6485DD05DC87BC2C727BE323A0BA (KCV: 01CE33) DEK=1A06C7874AFB614DD29A989BE01B7669 (KCV: 98F550) for null
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=7655100AFC4AB7CE438DBE15471E3A6A (KCV: D1A494) MAC=5FFF6485DD05DC87BC2C727BE323A0BA (KCV: 01CE33) DEK=1A06C7874AFB614DD29A989BE01B7669 (KCV: 98F550) for SCP02
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=B2AA8E526E512135054165A1A202F163 MAC=D1D31078C771787284DD213AF86C8C98 RMAC=DEEF29690B938AD42315294EBE7E9069, card keys=ENC=7655100AFC4AB7CE438DBE15471E3A6A (KCV: D1A494) MAC=5FFF6485DD05DC87BC2C727BE323A0BA (KCV: 01CE33) DEK=1A06C7874AFB614DD29A989BE01B7669 (KCV: 98F550) for SCP02
Default 404142434445464748494A4B4C4D4E4F set as master key for A000000003000000

Now to the Oneplus not sending SIP REGISTER part, I see the following in the pcap, i.e. UE IP type is set to IPv4v6 in the open5gs WebUI. I would suggest to change it to IPv4 only. And, then restart the phone and attempt IMS register again.

Can you tell me if the CoIMS config is OK ?

Yes, you did not have to install the applet as the Sysmocom ISIM (black card) already come pre-installed with that applet. All you need is to push the certificates.

Do I have to disable ims script on the card too ?

Technically its not needed. You are free to do it if you like. I dont think it should affect whether a phone registers or not

Is it ok to use the test PLMN 00101 ?

Definitely yes, I use it all the time

from docker_open5gs.

Hi @herlesupreeth,

Thank you for your fast answer!
Now I have 3 more UE connecting to IMS servers and I performed my first calls and video calls!

I tried your advice to only push the certificate to sysmoISIM-SJA2 and it works.
So do you know why they didn't push it by default to make the applet working ? (Note I discovered ARA-M with this project la week...)

Thanks again,
Julien

from docker_open5gs.

So do you know why they didn't push it by default to make the applet working ?

The certificate you push to ARA-M applet is a certificate I used to sign the CoIMS app you download from App Store. Since that certificate is tied to that app, it does make much sense for Sysmocom to push the certificate by default. This way whomsoever buys the SIM card can push they own certificates with which they sign their Android app which requires Carrier Privileges

from docker_open5gs.

Ok, I think i understand. Please tell me if I am wrong.
sysmoISIM-SJA2 already have the ARA-M needed to do IMS on PLMN 00101
CoIMS app is useful to check if IMS is active on a sim card. But to use it we need to load a certificate on the sim, this way the ARA-M will allow CoIMS app to read params in the secured sim files.

I just tested with a SIM card sysmoISIM-SJA2 where I only change the PLMN to 00101 and it connects and it works!

The problem I had when I wrote the issue was in fact not from the SIM configuration but from apn conf.
For others, I put here again the image I found in another post with the correct apn configuration:

from docker_open5gs.

ARA-M applet is like a storage where one can write SHA1 or other certificates and it has no relation to IMS.

Google as part of AOSP has outlined something called Carrier Privileges, which is a special privilege given to an Android app to override certain settings. And, in order to provide an Android app Carrier Privilege, Android device first reads the certificates stored in ARA-M. Then, if the any of the certificate in ARA-M matches with the certificate with which Android app is signed then the app get Carrier Privilege. Using Carrier Privilege one can override IMS settings etc.

CoIMS app is the Android app I talked above.

from docker_open5gs.

Ok it's clear, thank you very much for your help!
I close the issue.
Have a nice day

from docker_open5gs.