
SMS Protocols

The SMS message is broken down into 3 main parts:

1. 23.040 (1st Header): used to understand the sender, destination and data protocols
2. 23.048 (2nd Header): enhanced security features
3. 51.011 (Body): the program to execute or the text message (Application Protocol Data Unit, TP-UD)

23.040 Protocol

The following section gives details of what should be within each of the fields of the 23.040 header listed above.

Coding of the TP-PDU field:

This field contains the generic information as to how to treat the SMS.

TYPE          | DESCRIPTION
Format        | header in body (Y/N)?
Direction     | from Network / to Network?
Status report | requested (Y/N)?
More message  | to come (Y/N)?

Coding of the TP-UDHI field:

This field indicates whether the SMS contains a Secure Header or not.

NB OF BYTES | DESCRIPTION
1           | If equal to 0: the TP-UD field contains only the short message.
            | If equal to 1: the beginning of the TP-UD field contains a Header in addition to the short message.

Coding of the TP-OA field:

This field contains the Originating Address.

NB OF BYTES | DESCRIPTION
1           | address length
1           | type of number / numbering plan identification (TON/NPI)
0 to 10     | address value

The address length represents the number of significant nibbles in the address value (nibbles
are swapped in the bytes). When the number of nibbles is odd, Fh is used as a terminator in the
last byte of the address field.
Example of address field: 09 xx 21 43 65 87 F9
The address length must be in the range 0 to 20; therefore, the minimum length of the address
field is 2 bytes, and the maximum length is 12 bytes.
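The following is an added example (not code from the original document) that encodes and decodes the address field exactly as described above: a length byte counting nibbles, a TON/NPI byte, and the nibble-swapped BCD digits with Fh as terminator for an odd digit count. The TON and NPI constants are the values from the TON/NPI tables later on this page; the sample numbers are constructed.

```python
# Added example, not code from the original document: encoding and decoding of
# the TP-OA / TP-DA address field (length in nibbles, TON/NPI byte, nibble-
# swapped BCD digits, F terminator for an odd digit count). TON/NPI values are
# those listed in the TON and NPI tables on this page; sample numbers are constructed.
from typing import Tuple

TON_INTERNATIONAL = 0b001   # TON "International" (b7-b5 of the TON/NPI byte)
NPI_ISDN = 0b0001           # NPI "ISDN (E163/E164)" (b4-b1 of the TON/NPI byte)


def encode_address(digits: str, ton: int = TON_INTERNATIONAL, npi: int = NPI_ISDN) -> bytes:
    """Return address length byte + TON/NPI byte + nibble-swapped BCD digits."""
    if digits and not digits.isdigit():
        raise ValueError("address must contain digits only")
    if len(digits) > 20:
        raise ValueError("address length must be in the range 0 to 20 nibbles")
    ton_npi = 0x80 | ((ton & 0x7) << 4) | (npi & 0xF)     # b8 is always 1
    padded = digits + "F" if len(digits) % 2 else digits   # odd count: F terminator
    # each byte carries two digits with the nibbles swapped: "12" -> 0x21
    bcd = bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, len(padded), 2))
    return bytes([len(digits), ton_npi]) + bcd


def decode_address(field: bytes) -> Tuple[str, int, int, int]:
    """Parse an address field; returns (digits, ton, npi, bytes consumed)."""
    if len(field) < 2:
        raise ValueError("address field needs at least 2 bytes")
    length = field[0]
    if length > 20:
        raise ValueError(f"address length {length} out of range 0..20")
    ton_npi = field[1]
    if not ton_npi & 0x80:
        raise ValueError("TON/NPI byte must have b8 set")
    ton, npi = (ton_npi >> 4) & 0x7, ton_npi & 0xF
    nbytes = (length + 1) // 2
    bcd = field[2:2 + nbytes]
    if len(bcd) != nbytes:
        raise ValueError("address value truncated")
    # undo the nibble swap and drop the F terminator via the nibble count
    digits = "".join(f"{b & 0xF:X}{b >> 4:X}" for b in bcd)[:length]
    return digits, ton, npi, 2 + nbytes


if __name__ == "__main__":
    field = encode_address("123456789")
    print(field.hex().upper())            # 09 91 21 43 65 87 F9, as in the page's example
    print(decode_address(field))
```

Bounds are checked on both sides because a length byte above 20, or an address value shorter than the length claims, is exactly the kind of malformed input a PDU parser on the ME or the card has to reject rather than read past.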
Coding of the TP-DA field:

This field contains the Destination Address.

NB OF BYTES | DESCRIPTION
1           | address length
1           | type of number / numbering plan identification (TON/NPI)
0 to 10     | address value

This number represents the MSISDN number (Subscriber Mobile Phone number) to which the
message is to be sent.
Coding of the TP-PID field:

This field contains the Protocol Identifier. It tells the Mobile Equipment (ME) how the message is to be transferred to the card:

PID VALUE | DESCRIPTION
7F        | Envelope Mode
40        | Update record, ME must acknowledge receipt
41        | Update record, (U)SIM must acknowledge receipt

Coding of the TP-DCS

This field contains the Data Coding Scheme:

Type    | Description     | DCS 7-bit byte | DCS 8-bit byte
Class 0 | Flash Message   | F0             | F4
Class 1 | ME-specific     | F1             | F5
Class 2 | (U)SIM specific | F2             | F6
Class 3 | TE specific     | F3             | F7

When the (U)SIM handles an executable SMS record (received from the network), it will assume
that the TP-UD is 8-bit coded, because in that case the TP-UD contains commands.
When the (U)SIM overwrites an SMS record after the execution of an SMS application, the Data
Coding Scheme is modified in order to indicate a 7-bit coding, because the subsequent text
string in the TP-UD uses a 7-bit alphabet. This allows the storage of a 160-character string.

TP-UDL (User-Data-Length)

This byte indicates the number of significant characters in the TP-UD field. It is limited in every
case to 140 bytes. When TP-DCS indicates a 7-bit coding, it is possible to store 160 characters;
when TP-DCS indicates an 8-bit coding, it is possible to store 140 bytes or 140 8-bit coded
characters.

23.048 Protocol

It follows the UDL and precedes the TP-CPL, and is generally 02 70 00.

User Data Header Length (UDHL)
Contains the length of the user data header (0x02). The header contains the IEI and the IEIDL.

Information Element Identifier (IEI)
Indicates that the packet is in 03.48 format = 0x70.

Information Element Identifier Data Length (IEIDL)
Indicates whether the IEI contains data = 0x00.

Field | Bytes
UDHL  | 1
IEI   | 1
IEIDL | 1

23.048 SMS Header

Field    | Bytes     | Question                   | Description
TP-CPL   | 2         | Length?                    | Data length
TP-CHL   | 1         | Length?                    | Header length
TP-SPI   | 2         | Security?                  | Secured Packet Information
TP-KIc   | 1         | How was the message coded? | Key reference & algorithm reference
TP-KId   | 1         | How was the message coded? | Key reference & algorithm reference
TP-TAR   | 3         | Target?                    | Which Domain should receive the data
TP-CNTR  | 5         | Replay?                    | Avoid the same MT being delivered twice
TP-PCNTR | 1         | Length?                    | Padding (FF)
TP-RC/CC | 0, 4 or 8 | Signature?                 | Redundancy check / cryptographic checksum

Coding of the TP-CPL

The Command Packet Length indicates the total length of an SMS, including the concatenation
when it is used for messages that exceed one SMS.

Coding of the TP-CHL

Depending on which options are used in the 23.048 header, and on the length of the counter
field within the header (TP-CNTR), the 23.048 header can vary in size.
Minimum 23.048 size = 16 bytes
Maximum 23.048 size = 24 bytes

Coding of the TP-SPI

The SPI (Secured Packet Information) is based upon the (U)SIM card's Minimum Security Level
(MSL).

Minimum Security Level:
- Defined for each Remote Manager, on 4 bytes (2 for the SPI and 2 for the keys).
- Indicates whether it is mandatory, in the incoming SMS or in the Response Packet, to use:
  - checksum (CC or RC)
  - ciphering
  - counter
  - a specific key set for the CC
  - a specific key for ciphering

SPI = Security Level + Response Level

Security Check
If the incoming SMS has a 23.048 security level lower than the Minimum Security Level, the
command is rejected.

Coding of the TP-KIc & KId

A Security Domain must contain at least one key set.
A key set contains 3 keys, each of which is 16 bytes in size.

Key label | Cryptographic operation
KIC       | Confidentiality
KID       | Integrity
KIK       | Key Confidentiality

In the 23.048 header:
- calculation of encryption is performed with the KIC key
- calculation of the signature (CC) is performed with the KID key

By default all encryption and signature calculations are performed using 3DES.
15 different key sets can be used for the OTA communication (key sets are numbered
1 to 15).

Coding of the TP-TAR

Each applet is known by its Application Identifier (AID), which can be up to 16 bytes in size.
The TAR value is the 13th, 14th & 15th bytes of the AID.

Example: AID = A00000001803090000000000B00010; this AID is 15 bytes long.
Therefore the TAR value for this applet is B00010.

Byte | Value
1    | A0
2    | 00
3    | 00
4    | 00
5    | 18
6    | 03
7    | 09
8    | 00
9    | 00
10   | 00
11   | 00
12   | 00
13   | B0
14   | 00
15   | 10
Coding of the TP-CNTR

The synchro counter is used to stop the same SMS message being executed twice in the card. The
rule applied depends on the minimum security level (MSL) of the application being targeted in
the (U)SIM.

Examples:
- Telecom applets: the synchro counter should just be greater than the counter stored in the (U)SIM.
- Banking applets: the synchro counter should be exactly one greater than the counter stored in the (U)SIM.

Coding of the TP-PCNTR

This indicates the number of padding bytes used for ciphering at the end of the Additional
Response Data.

Coding of the TP-RC/CC

0      = No RC or CC used to encrypt the message
4 (RC) = The number of bytes that make up the whole message is used as a checksum to encrypt
         the message
8 (CC) = The reference KId is used along with its algorithm (binary) to encrypt the message
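The following is an added example (not code from the original document or from any card vendor) that ties the 23.048 header sections above together: it splits a command packet into TP-CPL, TP-CHL, TP-SPI, TP-KIc, TP-KId, TP-TAR, TP-CNTR, TP-PCNTR and TP-RC/CC, decodes the SPI bits, applies the Minimum Security Level check, applies both counter rules from the TP-CNTR section, and derives the TAR from an AID. Bit positions follow TS 03.48/23.048. Treating the MSL as a bit mask that must be fully present in the first SPI byte is an assumption of this example, and the sample packet (including its 8-byte "CC", which is not a real checksum) is constructed.

```python
# Added example, not code from the original document or any card vendor:
# parser for the 23.048 command header (TP-CPL .. TP-RC/CC), SPI decoding,
# MSL check, counter rules and TAR-from-AID. The "MSL as a bit mask over SPI
# byte 1" comparison is an assumption; the sample packet is constructed.
from dataclasses import dataclass
from typing import Dict

CHECKSUM = {0: "none", 1: "RC", 2: "CC", 3: "DS"}
COUNTER_MODE = {0: "no counter", 1: "counter present, not checked",
                2: "counter must be greater", 3: "counter must be exactly one greater"}
POR = {0: "none", 1: "always", 2: "on error only", 3: "reserved"}


@dataclass
class CommandHeader:
    cpl: int
    chl: int
    spi: bytes
    kic: int
    kid: int
    tar: bytes
    cntr: int
    pcntr: int
    rc_cc_ds: bytes
    secured_data: bytes


def parse_command_packet(pkt: bytes) -> CommandHeader:
    """Split a command packet starting at TP-CPL (the UDH already stripped)."""
    if len(pkt) < 16:
        raise ValueError("shorter than the 16-byte minimum 23.048 header")
    cpl = int.from_bytes(pkt[0:2], "big")
    if cpl != len(pkt) - 2:
        raise ValueError(f"TP-CPL {cpl} does not match {len(pkt) - 2} bytes present")
    chl = pkt[2]
    if chl not in (13, 17, 21):   # 13 fixed bytes (SPI..PCNTR) + RC/CC/DS of 0, 4 or 8
        raise ValueError(f"unexpected TP-CHL {chl}")
    cntr = int.from_bytes(pkt[10:15], "big")
    rc_len = chl - 13
    rc_cc_ds = pkt[16:16 + rc_len]
    if len(rc_cc_ds) != rc_len:
        raise ValueError("TP-RC/CC truncated")
    return CommandHeader(cpl, chl, pkt[3:5], pkt[5], pkt[6], pkt[7:10], cntr,
                         pkt[15], rc_cc_ds, pkt[16 + rc_len:])


def decode_spi(spi: bytes) -> Dict[str, object]:
    """First byte: security of the command; second byte: security of the PoR."""
    b1, b2 = spi
    return {
        "command_checksum": CHECKSUM[b1 & 0x03],
        "command_ciphered": bool(b1 & 0x04),
        "counter_mode": COUNTER_MODE[(b1 >> 3) & 0x03],
        "por": POR[b2 & 0x03],
        "por_checksum": CHECKSUM[(b2 >> 2) & 0x03],
        "por_ciphered": bool(b2 & 0x10),
        "por_via_sms_submit": bool(b2 & 0x20),
    }


def key_set_number(kic_or_kid: int) -> int:
    """The key set number (1 to 15) sits in the high nibble of KIc / KId."""
    return kic_or_kid >> 4


def meets_msl(spi: bytes, msl: int) -> bool:
    """Security check: every feature the MSL requires must be set in SPI byte 1 (assumption)."""
    return (spi[0] & msl) == msl


def counter_accepted(hdr: CommandHeader, stored_counter: int) -> bool:
    """Replay check according to the counter mode signalled in the SPI."""
    mode = (hdr.spi[0] >> 3) & 0x03
    if mode in (0, 1):
        return True                           # no counter, or present but not checked
    if mode == 2:
        return hdr.cntr > stored_counter      # "just greater" (telecom applet example)
    return hdr.cntr == stored_counter + 1     # "exactly one greater" (banking applet example)


def tar_from_aid(aid_hex: str) -> bytes:
    """TAR = 13th, 14th and 15th bytes of the AID."""
    aid = bytes.fromhex(aid_hex)
    if len(aid) < 15:
        raise ValueError("AID has no 13th to 15th byte")
    return aid[12:15]


# Constructed sample: CPL 29, CHL 21 (8-byte CC present), SPI 16 21, KIc/KId 15,
# TAR B00010, counter 42, no padding, dummy CC, then a SELECT MF APDU as payload.
SAMPLE_PACKET = bytes.fromhex(
    "001D" "15" "1621" "15" "15" "B00010" "000000002A" "00"
    "1122334455667788" "A0A40000023F00"
)

if __name__ == "__main__":
    hdr = parse_command_packet(SAMPLE_PACKET)
    print(decode_spi(hdr.spi))
    print("TAR matches AID:", hdr.tar == tar_from_aid("A00000001803090000000000B00010"))
    print("counter accepted vs 41:", counter_accepted(hdr, 41))
```

The length checks (CPL against the bytes actually present, CHL restricted to the three legal sizes, RC/CC fully present) mirror what a card's 23.048 handler has to do before it ever looks at the security fields; a packet that fails them is dropped, and one that passes still has to satisfy the MSL and counter rules before the secured data reaches the applet.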


When an applet is loaded in a card it is not accessible without a form of API; it is this API type which holds
the TAR value corresponding to the applet to be targeted.

1.1.1 51.011 Protocol


Coding of the TP-UD

The User-Data body field is available for the storage of applications in the SIM.
The APDU commands follow certain rules:

The Class byte tells the (U)SIM what type of command is to follow.

Class byte | Command type
A0h        | 2G commands (Example: Select / Update Record)
0xh        | 3G commands (Example: Select / Update Record)
8xh        | Open Platform commands (Example: Applet download / delete)

The Instruction & Parameter bytes that follow are 99% identical between 2G & 3G commands.
You can see in the above table that in the A4 Select column the only difference is P2.
2G Application Message example

A0 A4 00 00 02 3F 00 A0 A4 00 00 02 7F 10 A0 A4
00 00 02 6F 3A A0 DC 01 04 1C 47 2B 20 53 75 70
70 6F 72 74 FF FF FF FF 07 91 33 44 32 66 06 F0
FF FF FF FF FF FF FF

This example has been split to allow easy reading. Normally the APDU is one long string.
This 2G APDU is selecting:

Master File | A0 A4 00 00 02 3F 00
Telecom DF  | A0 A4 00 00 02 7F 10
ADN EF      | A0 A4 00 00 02 6F 3A

Then the APDU performs an Update (ADN specifications applied):

Bytes                         | Description
A0 DC                         | 2G Update Record
01 04 1C                      | Record 1, Current mode, Length 28
47 2B 20 53 75 70 70 6F 72 74 | Name in binary (G+ Support)
07                            | Number of bytes for the TEL. No.
91 33 44 32 66 06 F0          | +33442366600 (International)


3G Application Message example

00 A4 00 0C 02 3F 00 00 A4 00 0C 02 7F10 00 A4 00
0C 02 5F 3A 00 A4 00 0C 02 6F 3A 00 DC 01 04 1C
47 2B 20 53 75 70 70 6F 72 74 FF FF FF FF 07 91 33
44 32 66 06 F0 FF FF FF FF FF FF FF

This 3G APDU is selecting:

Master File      | 00 A4 09 0C 02 3F 00
Telecom DF       | 00 A4 09 0C 02 7F 10
3G Phonebook DF  | 00 A4 09 0C 02 5F 3A
ADN EF           | 00 A4 09 0C 02 6F 3A

Then the APDU performs an Update (ADN specifications applied):

Bytes                         | Description
00 DC                         | 3G Update Record
01 04 1C                      | Record 1, Current mode, Length 28
47 2B 20 53 75 70 70 6F 72 74 | Name in binary (G+ Support)
07                            | Number of bytes for the TEL. No.
91 33 44 32 66 06 F0          | +33442366600 (International)

Note that the Update Record command between 2G (A0 DC) & 3G (00 DC) are
different !
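The following is an added example (not code from the original document) that walks the 2G application message above the way the (U)SIM does: it splits the concatenated string into individual APDUs, classifies each by its class byte, and decodes the EF_ADN record carried by the Update Record command back into the name "G+ Support" and the number +33442366600. The message is constructed after the page's example, with the record data sized to the stated length of 28 bytes (14-byte alpha identifier plus the 14 fixed bytes of an ADN record).

```python
# Added example, not code from the original document: splitting a 2G/3G
# application message into APDUs and decoding the EF_ADN record carried by the
# Update Record command. SAMPLE_2G is constructed after the page's 2G example.
from typing import Dict, List, Tuple

INS_NAMES = {0xA4: "SELECT", 0xDC: "UPDATE RECORD"}

SAMPLE_2G = bytes.fromhex(
    "A0A40000023F00"                    # SELECT Master File
    "A0A40000027F10"                    # SELECT DF Telecom
    "A0A40000026F3A"                    # SELECT EF ADN
    "A0DC01041C"                        # UPDATE RECORD 1, current mode, length 28
    "472B20537570706F7274FFFFFFFF"      # alpha identifier "G+ Support" + FF padding (14 bytes)
    "07" "91" "3344326606F0FFFFFFFF"    # BCD length, TON/NPI, 10-byte dialling number
    "FF" "FF"                           # CCP and Ext1 identifiers unused
)


def split_apdus(msg: bytes) -> List[Tuple[int, int, int, int, bytes]]:
    """Split a chain of case-3 APDUs (CLA INS P1 P2 Lc data) into tuples."""
    apdus, i = [], 0
    while i < len(msg):
        if len(msg) - i < 5:
            raise ValueError("truncated APDU header")
        cla, ins, p1, p2, lc = msg[i:i + 5]
        data = msg[i + 5:i + 5 + lc]
        if len(data) != lc:
            raise ValueError(f"Lc {lc} exceeds the remaining bytes")
        apdus.append((cla, ins, p1, p2, data))
        i += 5 + lc
    return apdus


def bcd_digits(raw: bytes) -> str:
    """Nibble-swapped BCD to digits, stopping at the F terminator."""
    swapped = "".join(f"{b & 0xF:X}{b >> 4:X}" for b in raw)
    return swapped.split("F")[0]


def decode_adn(record: bytes) -> Dict[str, str]:
    """EF_ADN record: alpha id (X bytes) + length + TON/NPI + 10 BCD + CCP + Ext1."""
    if len(record) < 14:
        raise ValueError("ADN record shorter than the 14 fixed bytes")
    alpha_len = len(record) - 14
    alpha = record[:alpha_len].rstrip(b"\xff").decode("ascii", errors="replace")
    bcd_len = record[alpha_len]          # bytes used for TON/NPI + dialling number
    if bcd_len == 0xFF:                  # empty record: no number stored
        return {"alpha": alpha, "number": "", "ton_npi": "FF"}
    if not 0 < bcd_len <= 11:
        raise ValueError(f"BCD length {bcd_len} out of range")
    ton_npi = record[alpha_len + 1]
    number = bcd_digits(record[alpha_len + 2:alpha_len + 1 + bcd_len])
    if (ton_npi >> 4) & 0x7 == 1:        # TON International
        number = "+" + number
    return {"alpha": alpha, "number": number, "ton_npi": f"{ton_npi:02X}"}


def describe(msg: bytes) -> List[str]:
    """One line per APDU, classifying the command generation by its class byte."""
    lines = []
    for cla, ins, p1, p2, data in split_apdus(msg):
        gen = {0xA0: "2G", 0x00: "3G", 0x80: "Open Platform"}.get(cla & 0xF0, f"CLA {cla:02X}")
        name = INS_NAMES.get(ins, f"INS {ins:02X}")
        if ins == 0xA4:
            lines.append(f"{gen} {name} file {data.hex().upper()}")
        elif ins == 0xDC:
            adn = decode_adn(data)
            lines.append(f"{gen} {name} record {p1} mode {p2:02X} len {len(data)}: "
                         f"{adn['alpha']} {adn['number']}")
        else:
            lines.append(f"{gen} {name} {data.hex().upper()}")
    return lines


if __name__ == "__main__":
    for line in describe(SAMPLE_2G):
        print(line)
```

Every Lc is checked against the bytes remaining before a slice is taken, so a message whose last APDU has been cut short (or whose Lc overstates the data) is reported as malformed instead of being silently executed with a truncated record.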


1.1.1. TON and NPI

Contents:
Type of number (TON) and numbering plan identification (NPI).
Coding:
According to TS 04.08 [15]. If the Dialling Number/SSC String does not contain a dialling number, e.g. a
control string deactivating a service, the TON/NPI byte shall be set to 'FF' by the ME (see note 2).
NOTE 2: If a dialling number is absent, no TON/NPI byte is transmitted over the radio interface (see TS 04.08 [15]).
Accordingly, the ME should not interpret the value 'FF' and not send it over the radio interface.

b8 | b7 b6 b5 | b4 b3 b2 b1
1  | TON      | NPI

These fields define the Type of Number (TON) to be used in the SME address parameters. The
following TON values are defined:

TON               | Value
Unknown           | 00000000
International     | 00000001
National          | 00000010
Network Specific  | 00000011
Subscriber Number | 00000100
Alphanumeric      | 00000101
Abbreviated       | 00000110
All other values reserved
Table: TON values

These fields define the Numeric Plan Indicator (NPI) to be used in the SME address parameters.
The following NPI values are defined:

NPI                                          | Value
Unknown                                      | 00000000
ISDN (E163/E164)                             | 00000001
Data (X.121)                                 | 00000011
Telex (F.69)                                 | 00000100
Land Mobile (E.212)                          | 00000110
National                                     | 00001000
Private                                      | 00001001
ERMES                                        | 00001010
Internet (IP)                                | 00001110
WAP Client Id (to be defined by WAP Forum)   | 00010010
All other values reserved
Table: NPI values


1.1.2. SMPP

The numbers are coded as 3X 3X 3X 3X 3X.

They are preceded by 01 01 or 02 01, which are the TON/NPI (01 01 for international and 02 01 for national).
