How to send OTA messages?

As you may know, OTA messages, or Over The Air messages, are specially crafted binary SMS messages which are used by mobile operators to send APDU commands to SIM cards for management purposes. They can use this type of message to install or delete applets on/from the SIM cards, for example.

I want to know if there is any public document that illustrates the format and structure of these messages from the bottom up. In other words: is there any specification[s] which I can use to craft an OTA message?

I know that OTA messages are usually signed with keys which only the provider may have, but I heard that some of them don't require any signature.

Darg answered 4/4, 2020 at 0:3 Comment(0)

The targeted device has the ability to receive an SMS that contains a set of (U)SIM Application Toolkit commands (3GPP TS 31.111, Universal Subscriber Identity Module (USIM) Application Toolkit (USAT)). An SMS that contains these commands is commonly referred to as an OTA (Over The Air) SMS.

These are a specific type of OTA SMS, destined directly for the SIM card (SIM OTA SMSs). The set of Application Toolkit commands themselves is stored in the Secured Data section (3GPP TS 31.115, Secured packet structure for (Universal) Subscriber Identity Module (U)SIM Toolkit applications) of the STK Command Packet, which itself is enclosed within the TP-UD parameter (3GPP TS 23.040, Technical realization of the Short Message Service (SMS)) of the SMS-SUBMIT or SMS-DELIVER that makes up the SMS.

To send this kind of message you can use the Osmocom project, an umbrella project for open source mobile communications. It includes software and tools implementing a variety of mobile communication standards, including GSM, DECT, TETRA and others.

Brief History

The OTA specification, GSM 03.48, was first created for Release 97 of GSM.

GSM 03.48 “Security Mechanism for the SIM application toolkit” defines:

  • The structure of the secured packets in SMS-PP (Point-to-Point) and SMS-CB (Cell Broadcast)
  • The set of commands for Remote File Management on the SIM
  • The set of commands used for Remote Applet Management for SIM cards compliant with 03.19 (i.e. JavaCard cards)

GSM 03.48 was renamed 3GPP TS 23.048 for Rel-4 and Rel-5 and is applicable to both GSM and 3G.

For Rel-6 TS 23.048 is split into 4 specifications:

The features applicable to any telecommunication environment are transferred to ETSI SCP (ETSI TS 102 225 and TS 102 226), while the 3GPP specific parts are kept in 3GPP TS 31.115 and TS 31.116.

  • ETSI TS 102 225 “Secured packet structure for UICC based applications”: defines the secured packet structure.
  • ETSI TS 102 226 “Remote APDU Structure for UICC based applications”: defines the set of commands to make Remote File Management and Remote Application Management. Those commands are transported in the secured packets as defined in TS 102 225.
  • 3GPP TS 31.115 “Secured packet structure for (U)SIM Toolkit applications”: is the mapping of the secured packets on SMS.
  • 3GPP TS 31.116 “Remote APDU Structure for USIM Toolkit applications”: contains the SIM/USIM specific features for remote file management and remote applet management.
Levana answered 28/8, 2020 at 14:21 Comment(1)
Given that Osmocom was mentioned, I think it's worth referencing shadysim.py: see sim-tools and the related wiki page. – Costive
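
The nesting described in the answer (command packet inside TP-UD), as an added example that is not part of the original answer or of Osmocom: a parser that reads the command packet header and reports which protections the packet declares, which is the check behind the question's remark about unsigned messages. Field order and the meaning of the first SPI byte follow ETSI TS 102 225 as mapped onto SMS by 3GPP TS 31.115; a single unconcatenated SMS is assumed, and the sample bytes (TAR, key identifiers, checksum, payload) are constructed.

```python
# Added example: header layout per ETSI TS 102 225 / 3GPP TS 31.115.
# Assumption: one unconcatenated SMS. All sample bytes below are constructed.
INTEGRITY = {0: "none", 1: "redundancy check",
             2: "cryptographic checksum", 3: "digital signature"}
COUNTER = {0: "no counter", 1: "present, not checked",
           2: "must be higher than stored value",
           3: "must be exactly one higher than stored value"}

# UDH | CPL | CHL | SPI | KIc | KID | TAR | CNTR | PCNTR | [RC/CC/DS] | data
SAMPLE_PLAIN = "027000" "0012" "0D" "0000" "00" "00" "AABBCC" \
               "0000000000" "00" "DEADBEEF"
SAMPLE_PROTECTED = "027000" "001A" "15" "1600" "15" "15" "AABBCC" \
                   "0000000001" "00" "1122334455667788" "DEADBEEF"


def parse_command_packet(tp_ud: bytes) -> dict:
    """Decode the secured command packet header carried in a TP-UD."""
    udhl = tp_ud[0]
    udh, body = tp_ud[1:1 + udhl], tp_ud[1 + udhl:]
    i, found = 0, False
    while i + 2 <= len(udh):            # walk the UDH information elements
        found |= udh[i] == 0x70         # IEI 0x70 marks a command packet
        i += 2 + udh[i + 1]             # skip IEI, IEDL and the IE data
    if not found:
        raise ValueError("no command packet identifier (IEI 0x70) in UDH")
    if len(body) < 3:
        raise ValueError("truncated: CPL/CHL missing")
    cpl, chl = int.from_bytes(body[0:2], "big"), body[2]
    if cpl != len(body) - 2:
        raise ValueError("CPL mismatch (concatenated or malformed packet)")
    if chl < 13 or 3 + chl > len(body):
        raise ValueError("CHL shorter than fixed header or past end of packet")
    hdr, spi1 = body[3:3 + chl], body[3]
    return {
        "integrity": INTEGRITY[spi1 & 0x03],      # SPI byte 1, bits 2-1
        "ciphered": bool(spi1 & 0x04),            # SPI byte 1, bit 3
        "counter": COUNTER[(spi1 >> 3) & 0x03],   # SPI byte 1, bits 5-4
        "kic": hdr[2], "kid": hdr[3], "tar": hdr[4:7].hex(),
        # With ciphering on, the fields from CNTR onwards are ciphertext.
        "cntr": hdr[7:12].hex(), "pcntr": hdr[12],
        "rc_cc_ds": hdr[13:].hex(), "secured_data": body[3 + chl:],
    }


def is_unprotected(pkt: dict) -> bool:
    """True when the header declares neither integrity nor ciphering."""
    return pkt["integrity"] == "none" and not pkt["ciphered"]
```

A network-side filter or a card audit can use the same decoding to flag command packets whose header declares no integrity protection.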
