% !TeX root = ../Thesis.tex
%************************************************
\chapter{Evaluation}\label{ch:evaluation}
%************************************************
\glsresetall % Resets all acronyms to not used

% evaluation goal: use differential testing to analyze the security of esim on sim cards
% evaluation was performed on multiple esim on sim: in total 8 esims (shown in table)
% including the sysmoEUICC: special card -> loaded with gsma test certificate -> can also be used for smdp server with gsma test certificate -> testing of systems
% test certificate is freely available
% firmware implementation should not differ from normal esims
% although for tests including an smdp server we have to use profiles with the test certificate
% estk.me does not offer an isd-r for regular interaction with our lpa implementation -> testing is limited
% 9esim v2 offers both -> only testing isd-r not USAT for RSP related communication

% data fuzzing
% data fuzzing was performed on all esim except the estk.me esim since this card does not offer an isd-r
% each fuzzing test was performed on all esims one after another

% findings
% different isd-r aids
% during the initial setup process of the tracer when running the tracer between some esim and their corresponding lpa
% we noticed that some esim used different aids to select the isd-r when intercepting the traffic
% xesim, 5ber and esim.me use different aids
% esim.me offers both their custom aid and the common aid to select the isd-r

% estk.me fwupd
% estk.me offers an esim firmware update utility on their website
% this tool can be run on some host machine and comes with the newest firmware image of the esim
% the firmware image seems to be encrypted when looking at the shannon entropy (run this through shannon entropy tool and add actual entropy)
% the firmware update tool is a binary
% analysis with ghidra -> reverse engineering
% looking at disassembled code -> trying to guess functions based on their implementation
%
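The notes above want the estk.me firmware image run through an entropy tool. The following is an added Python example, not tooling from the thesis, from estk.me or from any tracer, that computes Shannon entropy for a whole blob and per block; the per-block profile is what exposes a plaintext header or padding that a single overall value would hide. The two sample blobs are constructed stand-ins for the real firmware image, which is not on this page; a real image would be read with open(path, "rb"). A value near 8 bits per byte is consistent with encryption or with compression, and this check cannot tell the two apart.

```python
"""Shannon entropy as a first check for whether a firmware image is
encrypted or compressed (added example, not the thesis' own tooling).
Plain code and tables sit well below 8 bits per byte; cipher output is
close to 8. The sample inputs below are constructed, not real images."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in the range 0.0 .. 8.0 (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block_size: int = 256) -> list:
    """Entropy of each consecutive block, so that a plaintext header or a
    padded tail inside an otherwise encrypted image shows up as a low block."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: entropy near 8 bits/byte means encrypted or compressed content.
    The threshold is a judgement call, not a standard value."""
    return shannon_entropy(data) >= threshold


# Constructed samples standing in for a real firmware image file.
PLAINTEXT_LIKE = bytes(range(16)) * 256          # 4 KiB drawn from 16 symbols: exactly 4.0 bits/byte
CIPHERTEXT_LIKE = b"".join(                      # deterministic SHA-256 counter stream: close to 8 bits/byte
    hashlib.sha256(b"constructed-keystream" + i.to_bytes(4, "big")).digest()
    for i in range(512)                          # 512 * 32 bytes = 16 KiB
)

if __name__ == "__main__":
    for name, blob in (("plaintext-like", PLAINTEXT_LIKE), ("ciphertext-like", CIPHERTEXT_LIKE)):
        print("%s: %.3f bits/byte overall, min block %.3f, encrypted? %s" % (
            name, shannon_entropy(blob), min(entropy_profile(blob, 1024)), looks_encrypted(blob)))
```

When applied to the real image, the interesting output is the block profile rather than the overall number: a run of low-entropy blocks at the start of an otherwise high-entropy file usually marks an unencrypted header (version string, section table, length fields), which is also where a checksum or signature over the sections would be expected to live.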
% this is something unique to the estk.me esim since all other esims neither offer a public update utility nor have a custom publicly documented flash endpoint for newer firmware
% Etsi (check which version) defines that all sims and esim have to have some sort of update utility
% application updates can be performed via global platform commands although requiring the manufacturer keys to unlock the smartcard
% TODO: explain fwupd mechanism here
% update mechanism offers 2 functions: get_version and flash_firmware
% the custom flash endpoint is located under the aid A06573746B6D65FFFFFFFF6677757064
% the aid is the hex encoded text 'estkmeÿÿÿÿfwupd'
% get_version retrieves the version code of the currently installed firmware by sending the apdu packet APDU(class=0xAA, instruction=0xFF, p1=0x00, p2=0x00, le=0x08)
% our estk.me esim responds with Version 'T001V06' which corresponds to the 4.6.0 received via the euicc info 1
% this shows that this is an older estk.me model with the current one having the firmware version 'T3V7' as shown in newer firmware versions
% the firmware update happens in 6 Steps: setup, unlock, send_program_block, validate, and check_flash_status
%
% setup: to set up esim.me for flashing, the firmware update tool selects the custom flashing endpoint with the APDU command APDUPacket(cla=0x01, ins=0x55, p1=0x55, p2=0x55) and puts the esim into flashing mode
% unlock:
% we could reimplement the code in python -> see implementation
% with the reimplementation we could analyze the traffic further and apply similar mutations as used in the apdu fuzzing section (cref)
% when applying these mutations to every firmware section blob the esim would immediately reject the section
% based on this behaviour we assume that there is some signing of the blocks involved or some checksum or hash implemented in each section to prevent transmission errors and subsequently writing a faulty firmware image, which in the worst case could corrupt the fwupd mechanism
% and prevent further fixing of the image
% skipping signature verification
%
\begin{table}[ht]
    \centering
    \begin{tabular}{|l|l|l|l|c|}
        \hline
        \textbf{Name} & \textbf{Manufacturer} & \textbf{Firmware} & \textbf{SVN} & \textbf{Apps} \\
        \hline \hline
        9esim v2   & Kigen        & 36.18.5 & 2.3.0 & 12 \\
        9esim      & Kigen        & 36.17.4 & 2.3.0 & 11 \\
        sysmoEUICC & Kigen        & 35.6.35 & 2.3.0 & 8  \\
        EIOTClub   & Kigen        & 36.7.24 & 2.3.0 & 10 \\
        esim.me    & Eastcompeace & 4.2.0   & 2.2.0 & 0  \\
        estk.me    & G+D          & 4.6.0   & 2.2.0 & 0  \\
        5Ber       & Eastcompeace & 4.2.0   & 2.2.2 & 0  \\
        Xesim      & Eastcompeace & 4.2.0   & 2.2.2 & 0  \\
        \hline
    \end{tabular}
    \caption{Overview of Analyzed eSIM Cards}
    \label{tab:esim-overview}
\end{table}

\section{Design}

\section{Findings}
\label{sec:findings}

\section{estk Firmware Update Application}
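The notes on the differing ISD-R AIDs and on the estk.me fwupd endpoint both come down to reading SELECT commands out of a captured APDU trace. The following is an added Python example, not the thesis' tracer or LPA implementation, that decodes ISO 7816-4 short command APDUs and labels SELECT-by-name commands against the AIDs discussed here. The fwupd AID and the get_version and setup commands are the ones given in the notes; the standard ISD-R AID value is taken from GSMA SGP.22 and is not stated on this page; the sample trace is constructed, not captured. The AID text decoding shows that the leading A0 byte of the fwupd AID precedes the 'estkme' + 4x 0xFF + 'fwupd' string rather than being part of it.

```python
"""Decoder for command APDUs as captured between an LPA and an eUICC, with
recognition of the SELECT-by-AID commands discussed in the notes. Added
example, not the thesis' tracer. ISD_R_AID is the standard value from GSMA
SGP.22 (not on this page); the trace below is constructed."""
from dataclasses import dataclass
from typing import Optional

ISD_R_AID = bytes.fromhex("A0000005591010FFFFFFFF8900000100")        # GSMA SGP.22 ISD-R AID
ESTKME_FWUPD_AID = bytes.fromhex("A06573746B6D65FFFFFFFF6677757064")  # estk.me fwupd endpoint (from the notes)
KNOWN_AIDS = {
    ISD_R_AID: "ISD-R (standard AID)",
    ESTKME_FWUPD_AID: "estk.me fwupd endpoint",
}


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes          # command data field, empty for case 1 and case 2
    le: Optional[int]    # expected response length, None when absent


def parse_apdu(raw: bytes) -> Apdu:
    """Decode an ISO 7816-4 short command APDU (cases 1-4, one-byte Lc and Le)."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                   # case 1: header only
        return Apdu(cla, ins, p1, p2, b"", None)
    if len(body) == 1:                             # case 2: header + Le (0x00 means 256)
        return Apdu(cla, ins, p1, p2, b"", body[0] or 256)
    lc = body[0]                                   # case 3/4: header + Lc + data [+ Le]
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError("data field truncated: Lc=%d, got %d bytes" % (lc, len(data)))
    tail = body[1 + lc:]
    if len(tail) > 1:
        raise ValueError("unexpected bytes after the data field")
    le = (tail[0] or 256) if tail else None
    return Apdu(cla, ins, p1, p2, data, le)


def aid_as_text(aid: bytes) -> str:
    """Render the bytes after the leading A0 byte as Latin-1 text; this is how the
    fwupd AID spells out 'estkme', four 0xFF ('ÿ') bytes and 'fwupd'. Unprintable
    bytes (as in the standard ISD-R AID) are shown as '.'."""
    return "".join(ch if ch.isprintable() else "." for ch in aid[1:].decode("latin-1"))


def classify_select(apdu: Apdu) -> Optional[str]:
    """Label a SELECT-by-name command (INS A4, P1 04); None for any other command."""
    if apdu.ins != 0xA4 or apdu.p1 != 0x04:
        return None
    return KNOWN_AIDS.get(apdu.data, "unknown AID " + apdu.data.hex().upper())


def describe(raw: bytes) -> str:
    """One-line annotation for a captured command APDU, as a tracer would log it."""
    apdu = parse_apdu(raw)
    label = classify_select(apdu)
    if label is not None:
        return "SELECT " + label
    return "CLA=%02X INS=%02X P1=%02X P2=%02X Lc=%d Le=%s" % (
        apdu.cla, apdu.ins, apdu.p1, apdu.p2, len(apdu.data), apdu.le)


# Constructed trace: the commands named in the notes, in hex, as a tracer would capture them.
SAMPLE_TRACE = [
    "00A4040010" + ISD_R_AID.hex(),          # regular LPA: SELECT ISD-R
    "00A4040010" + ESTKME_FWUPD_AID.hex(),   # update tool: SELECT fwupd endpoint
    "AAFF000008",                            # get_version, Le = 8
    "01555555",                              # setup command from the notes, case 1 (no body)
]

if __name__ == "__main__":
    for line in SAMPLE_TRACE:
        print(line.upper().ljust(44), describe(bytes.fromhex(line)))
    print("fwupd AID as text:", aid_as_text(ESTKME_FWUPD_AID))
```

An "unknown AID" label on a SELECT that the LPA issues where the ISD-R SELECT is expected is exactly the symptom observed with Xesim, 5ber and esim.me; adding each card's custom AID to KNOWN_AIDS once it has been confirmed turns the tracer into a check that a given LPA and card pair is using the AID the other side expects.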