Believe it or not, SIMs (Subscriber Identity Modules) are able to run small applications, called applets. Every Super SIM contains an applet which can switch the IMSI used in order to give you access to the widest selection of networks and redundant paths over which your data can be sent. To have the best experience with Super SIM, it’s important to understand how this applet interacts with your device.
An International Mobile Subscriber Identity (IMSI) identifies a single user of the cellular network. When a device connects to a cellular network, that network uses the IMSI to check with the SIM’s home network to query what privileges the network should allow the SIM: whether it can use data, whether it can use SMS — and even whether it’s allowed to attach to that network at all.
A SIM generally contains only one IMSI. If that IMSI’s home network doesn’t have a roaming agreement with the network to which one of your devices is trying to attach, then the device will not be able to connect to that network. Neither will any of your other devices.
There’s another problem inherent in having just one IMSI: the operator of your home network is a single point of failure. All of your data has to be transmitted through its infrastructure. If anything goes wrong there, your devices will not be able to connect to your backend even if the local network that your device is attached to is performing perfectly.
To bypass these limitations, each Super SIM holds multiple IMSIs. The SIM uses the multi-IMSI applet to switch between these IMSIs in order to give you access to the best selection of networks at the best rates in whatever country your device is currently located. Super SIM might therefore use one IMSI in the United States and a completely different IMSI when the device is moved to Australia because of either better network availability or better pricing.
There are a number of different situations that will cause a Super SIM to switch its IMSI. When an IMSI switch occurs, the applet will communicate with your device using “proactive commands” — instructions sent by the SIM to the device — offered by the Card Application Toolkit, a component of the standard GSM system.
When a Super SIM changes its IMSI, the applet sends a REFRESH proactive command to the host device. This instructs the device to re-read the data on the SIM, including the new IMSI. Take a look at The REFRESH Proactive Command, below, for more details on how this works.
Each Super SIM has a table that indicates which IMSI it should use in a given country. If the applet detects a Location Status event, a Status command, or an update to the LOCI (LOCation Information) files on your device, it will use the location data and the table to determine if it is using the preferred IMSI for that country. If it is not, the applet will switch to the preferred IMSI.
Many devices record the networks they have attempted to attach to but were not able to do so. This ensures they don’t waste time attempting to connect to those networks in future. The record is called a forbidden networks (FPLMN) list. When all of the networks currently visible to the device are listed as forbidden networks, the applet on the SIM will switch IMSI to try to attach again with a different IMSI.
On each IMSI switch, the FPLMN list will be cleared just before the REFRESH proactive command is sent.
Super SIMs are able to handle host devices that don’t support either of the IMSI switching mechanisms outlined above. If the Super SIM enters Limited Service mode — because the device has been unable to attach to any networks — it starts a timer. If the timer expires and the SIM is still in Limited Service, the applet now switches the IMSI and sends a REFRESH proactive command to the device.
The duration of the timer is approximately 180 seconds (three minutes).
If your device automatically restarts after a specified period of time during which it wasn’t able to establish a data connection, make sure that the period is greater than the Super SIM’s IMSI switching timer duration, or the applet’s timer will not fire and the IMSI will not change accordingly. This is because your device may reset the onboard timer when it restarts.
When a Super SIM’s multi-IMSI applet switches the IMSI, a REFRESH proactive command is sent to the host device. This instruction informs the device that the contents or structure of the Elementary Files (EFs) on the SIM have been changed. This command instructs the device to refresh the information it holds about the SIM and is therefore expected to reload the EFs and other data, including the IMSI, from the SIM.
The Super SIM multi-IMSI applet follows the ETSI Technical Specification 102 223 Release 6. The REFRESH proactive command sent by the applet uses command qualifier 00 - NAA Initialization and Full File Change Notification.
Later releases of ETSI TS 102 223 discourage the use of command qualifier 00. However, using the suggested alternative command qualifier, 04 - UICC Reset, can result in the device resetting and prompting the user for the SIM PIN, leaving the device disconnected from the network. To avoid this, the multi-IMSI applet continues to use command qualifier
Here is an example of Super SIM’s multi-IMSI applet in action.
- The SIM is initially provisioned with IMSI 1 as the active IMSI.
- The SIM attaches to a German network (MCC 262).
- Later, the SIM travels to Argentina (MCC 722).
- The SIM tries to attach to a network in Argentina using the active IMSI, IMSI 1. However, no roaming agreement is in place, so IMSI 1 is rejected by the visited network.
- The SIM applet finds Argentina (MCC 722) as the new location.
- The SIM applet overwrites the active IMSI: IMSI 1 is replaced with IMSI 3 according to the IMSI Selection Table.
- The SIM sends the REFRESH proactive command to the device and a new network attach is performed using IMSI 3.
- The SIM is connected with IMSI 3 on an Argentine network partner.
The AT+CSIM command can be used to read the status of the multi-IMSI applet. It instructs the module to relay to the SIM an embedded Application Protocol Data Unit (APDU) ENVELOPE command. This, in turn, contains proprietary instructions for the SIM.
The crucial point is that you can use the returned data to check applet status. Look at the first hexadecimal byte of the response. This should be 80, which indicates that the SIM is set to switch IMSIs automatically. The value is a bitfield. Bit 7 should always be set; bit 0 indicates the applet’s current operation mode: if it is clear, the applet will switch IMSIs automatically.
AT+CSIM=26,"80C2000008CF06020282814C00"
+CSIM: 24,"80FF200000000F00009000"
Some modems may require a second command to read the response you're after. If your modem returns +CSIM: 4, "6109" you will need to issue a second command to read the response.
AT+CSIM=26,"80C2000008CF06020282814C00"
+CSIM: 4, "6109"
AT+CSIM=10,"00C0000009"
+CSIM: 24,"80FF200000000F00009000"
The following command causes the SIM to provide a new IMSI to the module. It will be the next IMSI in its list. This may not be usable in the device’s current location, in which case the module will fail to connect, ultimately triggering a further IMSI switch.
AT+CSIM=28,"80C2000009CF07020282814E0101"
+CSIM: 4,"910B"
If you query the SIM’s status again, the first byte of the response should no longer be 80. Common values are 82 depending on the point in the process at which you complete the query, but other values may be seen.
A1 means that the applet’s timer is in operation (bit 6 is set) and the applet is in Default IMSI mode (bit 0 is set). When the timer fires, the applet will switch to Automatic mode.
82 indicates that the applet has switched from Default IMSI mode to Automatic mode. Bit 1 is set when the applet mode changes.
As long as the SIM is not already using the preferred IMSI for its location, the following command will cause the SIM to provide a new IMSI to the module. Either way, the multi-IMSI applet will once again be in automatic mode.
AT+CSIM=36,"80C200000DCF0B020282814F050190000000"
+CSIM: 4,"9000"
If you query the SIM’s status again, the first byte of the response will once more be 80 — IMSI switching will take place automatically.
You can find full information on the structure of APDU commands and the responses they may yield by consulting ETSI Technical Specification 102 221.
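A host-side helper for the AT+CSIM exchanges above, as an added example that is not code from the original page: it splits each reply into response data and status word, builds the follow-up read when the modem returns 61xx, and decodes bits 7, 1 and 0 of the status byte as this page describes them. The function names are illustrative, and reading 91xx as "accepted, proactive command pending" is taken from ETSI TS 102 221 rather than from this page.

```python
import re

# Matches the modem's reply, tolerating the optional space after the comma.
CSIM_RE = re.compile(r'\+CSIM:\s*\d+\s*,\s*"([0-9A-Fa-f]+)"')

def parse_csim(line):
    """Split a +CSIM reply into (response data, SW1, SW2)."""
    m = CSIM_RE.search(line)
    if not m or len(m.group(1)) % 2 or len(m.group(1)) < 4:
        raise ValueError(f"not a usable +CSIM reply: {line!r}")
    raw = bytes.fromhex(m.group(1))
    return raw[:-2], raw[-2], raw[-1]

def decode_status(byte):
    """Decode the first byte of the applet status response."""
    if not byte & 0x80:
        raise ValueError("bit 7 is clear, so this is not an applet status byte")
    return {
        "mode": "default_imsi" if byte & 0x01 else "automatic",  # bit 0
        "mode_changed": bool(byte & 0x02),                       # bit 1
        "other_bits": byte & 0x7C,  # returned raw, not interpreted here
    }

def next_step(line):
    """Classify a reply: fetch more data, command accepted, or decoded status."""
    data, sw1, sw2 = parse_csim(line)
    if sw1 == 0x61:
        # SW2 bytes are waiting on the SIM: build the GET RESPONSE command.
        apdu = f"00C00000{sw2:02X}"
        return "get_response", f'AT+CSIM={len(apdu)},"{apdu}"'
    if sw1 == 0x91 or (sw1, sw2, data) == (0x90, 0x00, b""):
        # 91xx: accepted, with a proactive command queued for the device.
        return "accepted", None
    if (sw1, sw2) != (0x90, 0x00):
        raise ValueError(f"SIM returned error status {sw1:02X}{sw2:02X}")
    return "status", decode_status(data[0])

if __name__ == "__main__":
    # Replies copied from the AT sessions on this page.
    for reply in ('+CSIM: 24,"80FF200000000F00009000"', '+CSIM: 4, "6109"',
                  '+CSIM: 4,"910B"', '+CSIM: 4,"9000"'):
        print(reply, "->", next_step(reply))
```

Rejecting a status byte with bit 7 clear, and any status word other than 9000, 61xx or 91xx, keeps a monitoring script from reporting "automatic mode" on a garbled or failed read.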