Some time ago I wanted to recover the deleted SMS from a friend's SIM card and I tried to find some programs to do it. After some time searching the web I found SIMCon and SIMEditor which made well the job, showing all the SMS slots, deleted and not, with the help of a SIM reader, of course. I was curious about the raw process of these programs so I search the web again ;)

First of all we'll need some software to send commands to the SIM card. I'm a Linux user so I used scriptor, contained in the pcsc-tools package. We need to know what to send and what the SIM card structure is. For this we have the GSM specification, a brief resume of the commands we must send and we can receive, and some information about the directories within a SIM card. These commands are called Application Protocol Data Units (APDU). After reading this links we know that we have to send the following commands:

The directory structure is a tree-like one with a root directory (Master File, MF) and some Dedicated Files (DF) which store Elementary Files (EF). Each of these file elements has an ID to access them through the SELECT command. The SMS messages are stored in the TELECOM dedicated file (7F10) in the SMS elementary file (6F3C).

With this knowledge we can already start to read an SMS record. These are the needed commands and their responses:

< A0 20 00 01 08 31 31 31 31 FF FF FF FF (VERIFY CHV, PIN 1111)
> 90 00 (OK)
< A0 A4 00 00 02 7F 10 (SELECT TELECOM)
> 9F 16 (OK, 22 bytes, 0x16, pending to read)
< A0 C0 00 00 16  (GET RESPONSE, 22 bytes)
> 00 00 72 10 7F 10 02 00 00 00 00 00 09 11 00 0B 0C 00 83 8A 82 8A 90 00
< A0 A4 00 00 02 6F 3C (SELECT SMS)
> 9F 0F (OK, 15 bytes, 0x0F, pending to read)
< A0 C0 00 00 0F (GET RESPONSE, 15 bytes)
> 00 00 0D C0 6F 3C 04 00 11 F0 AA 01 02 01 B0 90 00
< A0 B2 01 04 B0 (READ RECORD number 01, absolute mode, 176 bytes, 0xB0)
> 01 07 91... (it's an used record, not deleted)

When we retrieve an SMS record the first byte (marked in blue in the example) is the record status. If it's 00 means that the record is free and can be used and if it's 01 means that the record is in use. When the phone software deletes an SMS it usually writes 00 in this status byte but leaves intact the rest of the record, so we could restore the deleted SMS. However some phones, like the Nokia 6234, overwrite the rest of the record too, avoiding this restoring process :(

Once we have the record content we can use this program or use this online decoder in order to obtain all the message information like the sender number, the timestamp or the SMS data in plain text. If you want to modify the SIM card or make additional actions you can read the mentioned specification. Enjoy it! ;)