
SimLock Overview

80-ND826-1 A

Confidential and Proprietary – Qualcomm Technologies, Inc.


Restricted Distribution: Not to be distributed to anyone who is not an employee of either Qualcomm or its subsidiaries without the express approval of Qualcomm’s Configuration Management.
Not to be used, copied, reproduced, or modified in whole or in part, nor its contents revealed in any manner to others without the express written permission of Qualcomm Technologies, Inc.

Qualcomm reserves the right to make changes to the product(s) or information contained herein without notice. No liability is assumed for any damages arising directly or indirectly by their use or application. The information provided in this document is provided on an "as is" basis.

This document contains confidential and proprietary information and must be shredded when discarded.

Qualcomm is a trademark of QUALCOMM Incorporated, registered in the United States and other countries. All QUALCOMM Incorporated trademarks are used with permission. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer ("export") laws. Diversion contrary to U.S. and international law is strictly prohibited.
Qualcomm Technologies, Inc.
5775 Morehouse Drive
San Diego, CA 92121
U.S.A.
© 2012 Qualcomm Technologies, Inc.
All rights reserved.

PAGE 2 80-ND826-1 A Oct 2012 Confidential and Proprietary – Qualcomm Technologies, Inc. | MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION
Revision History

Revision   Date       Description
A          Oct 2012   Initial release

Contents

- SimLock in the Modem
- SimLock on Apps Processor
- Secure Channel Between Modem and TrustZone
- Notes on Security
- External SimLock in Modem
- NV Items
- External SimLock – Integration with RIL
- References
- Questions?

SimLock in the Modem

- The Qualcomm Technologies, Inc. (QTI) chipset has support for SimLock.
- Compliant with [S1].
- Partial implementation of [S2] per operator requirements.
- SimLock is configured in the factory using the diag interface.
- Control key (CK) values are generated randomly.
- CK values are locked after configuration is completed using the diag interface.
- Configuration is stored on a secure file system.
- The modem executes SimLock verification during card initialization.
- The network is not acquired before SimLock is verified.

SimLock on Apps Processor

- It is possible to implement SimLock on the apps processor.
  - It is executed in sequence after the internal SimLock algorithm.
  - Normally, modem SimLock is disabled in this case.
  - The modem waits for the apps processor to complete the SimLock algorithm before acquiring the network.
- The QMI UIM exposes messages to access the required EFs (IMSI, AD, etc.) to execute the SimLock algorithm on the apps processor and to indicate the result.
  - The QMI UIM interface is documented in [Q2].
- Details about this mechanism are available in [Q3].

Secure Channel Between Modem and TrustZone

- An implementation of SimLock on the apps processor is vulnerable to attacks.
  - In most cases, a high-level OS is not trusted.
  - Malicious applications can send messages to the modem on behalf of the SimLock application, or intercept and modify those messages.
- The SimLock application is implemented in TrustZone (TZ).
- A secure channel is established between TZ and the modem.
  - It guarantees authenticity and integrity of the messages.
  - Only part of the message payload is encrypted, not the entire message.
- Messages are routed through a dedicated application on the apps processor.
  - The same functionality can also be implemented through changes in the RIL layer.

Secure Channel Between Modem and TrustZone (cont.)

[Diagram slides; no text content.]
Notes on Security

- In case of a failed SimLock check, TZ should not pass the encrypted IMSI in the request to the modem.
  - This prevents a malicious application from flipping the result flag from failure to success.
  - In general, the opposite attack (changing success to failure) is not an issue.
- The IMSI needs to be re-encrypted by TZ.
  - TZ retrieves the encrypted IMSI from the modem, decrypts it, and must then re-encrypt it when notifying the modem to proceed.
  - This guarantees that the encrypted payload returned when the IMSI is read cannot be reused by malicious applications to fake a message from TZ.

External SimLock in Modem

- An external SimLock engine can also be implemented directly in the modem.
  - No bridge on the apps processor is needed.
  - Direct communication with MMGSDI.
  - No encryption/decryption is needed, as everything is in the modem.
- MMGSDI APIs are used directly.
  - MMGSDI events can be used to know when MMGSDI has completed the internal SimLock procedure.
  - The mmgsdi_session_subscription_ok() API is available to indicate that a subscription should proceed.

External SimLock in Modem (cont.)

[Diagram slide; no text content.]
NV Items

- Two NV items control the external SimLock engine.
  - NV item 65954
    - Stored in nv/item_files/modem/uim/mmgsdi/halt_subscription
    - Indicates whether MMGSDI stops initialization and waits for an external SimLock verification.
    - If the NV item is not set, MMGSDI continues without waiting for the external client.
  - NV item 67285
    - Stored in nv/item_files/modem/uim/mmgsdi/encrypt_sub_ok
    - Indicates whether QMI UIM requires the encrypted IMSI in the QMI_UIM_SUBSCRIPTION_OK request in order to process it.
    - If the NV item is not set, QMI UIM does not require encryption in the request.
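The two checks from the Notes on Security slide and the effect of NV item 67285, as an added model that is not Qualcomm code: the modem accepts QMI_UIM_SUBSCRIPTION_OK only when it carries the IMSI re-encrypted in the TZ-to-modem direction, so a flipped result flag or a replayed modem-to-TZ read response is refused. The HMAC-based toy cipher, the channel key, the direction labels and the record layout are constructed for the demonstration and are not the real channel's cryptography or message format.

```python
import hashlib, hmac, os

# Constructed model of the TZ <-> modem channel on this page: the IMSI field is
# encrypted and the record is MACed, with the message direction bound into both.
CHANNEL_KEY = b"constructed-demo-key"          # assumption: provisioned out of band
MODEM_TO_TZ, TZ_TO_MODEM = b"modem->tz", b"tz->modem"

def _xor_stream(direction, nonce, data):
    """Toy keystream: HMAC counter mode keyed on (direction, nonce)."""
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        blk = direction + nonce + ctr.to_bytes(4, "big")
        out += hmac.new(CHANNEL_KEY, blk, hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def seal(direction, imsi):
    """Encrypt an IMSI for one direction and authenticate direction+nonce+ciphertext."""
    nonce = os.urandom(12)
    ct = _xor_stream(direction, nonce, imsi)
    tag = hmac.new(CHANNEL_KEY, direction + nonce + ct, hashlib.sha256).digest()
    return {"dir": direction, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(direction, rec):
    """Return the IMSI, or None if the record is for another direction or is forged."""
    if rec["dir"] != direction:
        return None
    tag = hmac.new(CHANNEL_KEY, direction + rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, rec["tag"]):
        return None
    return _xor_stream(direction, rec["nonce"], rec["ct"])

def modem_read_imsi(card_imsi):
    return seal(MODEM_TO_TZ, card_imsi)       # modem's answer to the TZ read of EF IMSI

def tz_subscription_ok(read_rsp, lock_passed):
    """TZ builds SUBSCRIPTION_OK: on failure no encrypted IMSI is included at all."""
    imsi = unseal(MODEM_TO_TZ, read_rsp)
    if imsi is None or not lock_passed:
        return {"ok": False}
    return {"ok": True, "enc_imsi": seal(TZ_TO_MODEM, imsi)}   # re-encrypted, new direction

def modem_accept(req, card_imsi, encrypt_sub_ok=True):
    """Modem (QMI UIM) decision; encrypt_sub_ok models NV item 67285 being set."""
    if not req.get("ok"):
        return False
    if not encrypt_sub_ok:
        return True                           # NV item not set: the bare flag is trusted
    rec = req.get("enc_imsi")
    return rec is not None and unseal(TZ_TO_MODEM, rec) == card_imsi
```

With encrypt_sub_ok=False the model shows why the NV item matters: a request whose flag was changed to success is accepted without any proof that TZ produced it.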

External SimLock – Integration with RIL

- In the case of an external SimLock engine (in TZ or in the modem), integration with RIL is required.
  - No reference code is available for this.
  - The customer is responsible for integrating SimLock into the device UI.
  - Different requirements might exist, e.g., the ability to disable SimLock when a card is missing or with a valid card.

References

Ref.  Document

Qualcomm Technologies
Q1    Application Note: Software Glossary for Customers, CL93-V3077-1
Q2    QMI UIM 1.27, QMI User Identity Module Specification, 80-VB816-12
Q3    Application Note: Application Processor Controlled Personalization, 80-N6375-1

Standards
S1    Personalisation of Mobile Equipment (ME); Mobile Functionality Specification, 3GPP 22.022
S2    ME Personalization for cdma2000 Spread Spectrum Systems, 3GPP2 C.S0068-0

Questions?
https://support.cdmatech.com
