annotate doc/Brute-force-search @ 170:13b8d90eb5c7

doc/Brute-force-search article written
author Mychaela Falconia <falcon@freecalypso.org>
date Mon, 01 Mar 2021 00:25:49 +0000
parents
children efe944a5c4e3
Brute force search of card file system file ID space
====================================================

The two protocols for accessing the file system of SIM cards (the original GSM
11.11 SIM protocol and the UICC protocol of ETSI TS 102 221) allow for selecting
directories (DFs) and elementary files (EFs) by their 2-byte file IDs, but there
is no provision in either protocol for listing or enumerating what file IDs
exist - there is no 'ls' operation.

I (Mother Mychaela) really wanted to see the complete file system tree (all
directories and files) on SIM and UICC cards that are sold as programmable, made
by vendors such as Grcard and Sysmocom - my philosophy is that customers of such
programmable SIMs have a natural right to know about every file on those cards
and to exercise full control over the file system. But the unfortunate reality
with all currently available "programmable" SIMs on the market (or at least all
known ones) is that not only are their vendors not giving us a way to reformat
their cards and to recreate an entirely new file system layout as we like it,
but they don't even document the complete file system content their cards are
shipped with - and because there is no 'ls' operation in either of the two
standard protocols, there is no trivial way for us to just see it.

In order to see the true undocumented file system content of both Grcard and
Sysmocom SIMs, I have implemented a brute force search of the file ID space.
This brute force search works as follows:

* Starting with MF (file ID 3F00), try selecting every possible file ID from
  0000 to FFFF, skipping only 3F00. For every file ID where the SELECT command
  returns something other than the "file ID not found" error (SW 9404 for SIM
  or 6A82 for UICC), follow up with GET RESPONSE and report what is found. For
  every found file ID that turns out to be a DF when the full response is
  parsed, the brute force search code takes note of it for further descent.
  Note that a successful SELECT of a DF also makes that DF the current
  directory (selecting an EF does not), so after every DF hit the search has
  to re-select the directory it is scanning before trying the next file ID.

* For every found DF, repeat the same brute force search inside that DF. File
  IDs to be skipped at this search level are those that can be selected from
  inside the current DF without being its children: MF, the DF being searched,
  its parent DF (which is MF at the first level) and the sibling DFs under that
  parent. Without this skip list those directories would show up as spurious
  hits. If there are further nested DFs, the search has to continue
  recursively.

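The following is an added example in Python; it is not code from fc-simtool or
fc-uicc-tool, but a from-scratch implementation of the two-step procedure above
for the GSM 11.11 protocol. The transmit callable is assumed to have the shape
of pyscard's CardConnection.transmit (APDU as a list of ints in, a (data, sw1,
sw2) triple out), so a real reader connection could be substituted for the
constructed FakeSim card; that card's file tree, including its made-up 7FEE/6FEE
"proprietary" entries, exists only for this demonstration. The fake card applies
the GSM 11.11 selectability rule (MF, current DF, its parent, its children and
its sibling DFs), which is exactly what makes the skip set necessary, and the
search re-selects the directory under search after every DF hit because a
successful SELECT of a DF changes the current directory. For UICC cards the
same loop applies with CLA 00, P2 = 04 to request the FCP, 6A82 as the
not-found status and 61XX in place of 9FXX, plus a parse of the FCP TLV instead
of the fixed-layout GSM 11.11 response.

```python
# Added example, not fc-simtool's code: brute-force enumeration of a GSM 11.11
# SIM file system. `transmit` is assumed to match pyscard's CardConnection.transmit,
# transmit([ints]) -> (data, sw1, sw2); FakeSim below is a constructed stand-in card.

MF = 0x3F00
CLA = 0xA0                          # GSM 11.11 class byte


def select_fid(transmit, fid):
    """SELECT by file ID; return the GET RESPONSE data, or None on SW 9404."""
    _, sw1, sw2 = transmit([CLA, 0xA4, 0x00, 0x00, 0x02, fid >> 8, fid & 0xFF])
    if (sw1, sw2) == (0x94, 0x04):  # "file ID not found"
        return None
    if sw1 != 0x9F:                 # 9F XX: XX response bytes pending
        raise RuntimeError("SELECT %04X: SW %02X%02X" % (fid, sw1, sw2))
    resp, sw1, sw2 = transmit([CLA, 0xC0, 0x00, 0x00, sw2])   # GET RESPONSE
    if (sw1, sw2) != (0x90, 0x00):
        raise RuntimeError("GET RESPONSE %04X: SW %02X%02X" % (fid, sw1, sw2))
    return resp


def file_type(resp):
    """GSM 11.11 9.2.1: byte 7 of the SELECT response is 01 MF, 02 DF, 04 EF."""
    return {0x01: "MF", 0x02: "DF", 0x04: "EF"}.get(resp[6], "unknown")


def chdir(transmit, path):  # (re-)enter the DF under search, from the MF down
    for fid in path:
        select_fid(transmit, fid)


def bfsearch(transmit, path=(MF,), sibling_dfs=()):
    """Return {fid: ("EF", None) | ("DF", subtree)} for the DF at `path`
    (tuple of file IDs from MF down); sibling_dfs share that DF's parent."""
    cur = path[-1]
    # MF, the DF itself, its parent and its sibling DFs all answer SELECT from
    # inside `cur` (GSM 11.11 9.2.1) without being children: skip them.
    skip = {MF, cur, *path[-2:-1], *sibling_dfs}
    found = {}
    chdir(transmit, path)
    for fid in (f for f in range(0x10000) if f not in skip):
        resp = select_fid(transmit, fid)
        if resp is None:
            continue
        found[fid] = file_type(resp)
        if found[fid] != "EF":      # a DF hit moved us into it: go back
            chdir(transmit, path)
    dfs = [f for f, kind in found.items() if kind == "DF"]
    tree = {}
    for fid, kind in sorted(found.items()):
        if kind == "DF":
            tree[fid] = ("DF", bfsearch(transmit, path + (fid,), [d for d in dfs if d != fid]))
        else:
            tree[fid] = ("EF", None)
    return tree


class FakeSim:
    """Constructed card with a small GSM 11.11 tree; 7FEE/6FEE are made-up IDs."""
    TREE = {  # DF -> {child file ID: kind}
        MF:     {0x2FE2: "EF", 0x7F10: "DF", 0x7F20: "DF", 0x7FEE: "DF"},
        0x7F10: {0x6F3A: "EF"},
        0x7F20: {0x6F07: "EF", 0x6F7E: "EF", 0x5F30: "DF"},
        0x5F30: {0x4F20: "EF"},
        0x7FEE: {0x6FEE: "EF"},
    }

    def __init__(self):
        self.parent = {c: p for p, kids in self.TREE.items()
                       for c, kind in kids.items() if kind == "DF"}
        self.cur, self.pending, self.apdus = MF, None, 0

    def _selectable(self, fid):
        # Real-card rule: MF, current DF, its parent, its children, sibling DFs
        par = self.parent.get(self.cur)
        if fid in (MF, self.cur, par) or fid in self.TREE[self.cur]:
            return True
        return par is not None and self.TREE[par].get(fid) == "DF"

    def transmit(self, apdu):
        self.apdus += 1
        if apdu[1] == 0xA4:                          # SELECT
            fid = (apdu[5] << 8) | apdu[6]
            if not self._selectable(fid):
                return [], 0x94, 0x04
            ftype = 0x01 if fid == MF else 0x02 if fid in self.TREE else 0x04
            self.cur = fid if ftype != 0x04 else self.cur   # MF/DF: new current DF
            self.pending = [0, 0, 0, 0, fid >> 8, fid & 0xFF, ftype] + [0] * 8  # ID @5-6, type @7
            return [], 0x9F, len(self.pending)
        if apdu[1] == 0xC0 and self.pending is not None:   # GET RESPONSE
            resp, self.pending = self.pending, None
            return resp, 0x90, 0x00
        return [], 0x6D, 0x00                        # INS not supported


if __name__ == "__main__":
    card = FakeSim()
    tree = bfsearch(card.transmit)
    print({"%04X" % f: k for f, (k, _) in tree.items()}, card.apdus, "APDUs")
```

Against the fake card the run finishes in a second or two, but the APDU counter
shows why a real card takes so long: every DF searched costs close to 65536
SELECT commands, and a card that answers each one in tens of milliseconds needs
most of an hour per directory level.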
In the case of the classic GSM 11.11 SIM protocol and fc-simtool, there is only
one bfsearch-mf command, performing the search from MF - in this protocol there
is only one file system tree. In the case of UICC-architecture cards, there are
multiple file system trees that are independent and disjoint: there is the main
file system tree starting at MF, and then each application of the USIM/ISIM kind
has its own ADF and a separate file system tree under that ADF, practically
meaning ADF.USIM, ADF.ISIM and whatever other applications are present.

The bfsearch-mf command is implemented in both fc-simtool and fc-uicc-tool; this
command takes no arguments and should work the same way irrespective of any
prior card session state. fc-uicc-tool also adds a complementary bfsearch-adf
command for searching ADF-based directory trees; in order to use bfsearch-adf,
you have to first select the desired application (select-aid, select-usim or
select-isim) in the same card session.

Please note that these brute force searches are very slow: every DF searched
costs close to 65536 SELECT attempts, and in the Mother's experience with Grcard
and Sysmocom cards, each bfsearch run took about an hour.

Findings on GrcardSIM2 and sysmoISIM-SJA2
=========================================

The bfsearch-booty directory in this code repository contains some findings that
have been captured with brute force searches. As one can see from these data
captures, both Grcard and Sysmocom cards have plenty of additional directories
and files beyond the standard ones called for by the SIM/USIM/ISIM
specifications, and we can only guess at what purpose all those extra
proprietary directories and files may be serving. There is one proprietary file
on GrcardSIM2 and a few on sysmoISIM-SJA2 that are documented, but what we have
found with bfsearch goes far beyond these few documented proprietary files. I
wonder if perhaps various card-resident applications are using some of these
proprietary files for their internal purposes.