FreeCalypso > hg > fc-pcsc-tools
annotate doc/Brute-force-search @ 184:8d073ff62c48
fc-simtool: imsi command does higher-level parsing,
the old version is now imsi-raw
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Sat, 06 Mar 2021 05:44:17 +0000 |
parents | efe944a5c4e3 |
children |
rev | line source |
---|---|
170
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
1 Brute force search of card file system file ID space |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
2 ==================================================== |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
3 |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
4 The two protocols for accessing the file system of SIM cards (the original GSM |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
5 11.11 SIM protocol and the UICC protocol of ETSI TS 102 221) allow for selecting |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
6 directories and elementary files (EFs) by file IDs, but there is no provision |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
7 in either protocol for listing or enumerating what file IDs exist - there is no |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
8 'ls' operation. |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
9 |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
10 I (Mother Mychaela) really wanted to see the complete file system tree (all |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
11 directories and files) on SIM and UICC cards that are sold as programmable, made |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
12 by vendors such as Grcard and Sysmocom - my philosophy is that customers of such |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
13 programmable SIMs have a natural right to know about every file on those cards |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
14 and to exercise full control over the file system. But the unfortunate reality |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
15 with all currently available "programmable" SIMs on the market (or at least all |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
16 known ones) is that not only are their vendors not giving us a way to reformat |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
17 their cards and to recreate an entirely new file system layout as we like it, |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
18 but they don't even document the complete file system content their cards are |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
19 shipped with - and because there is no 'ls' operation in either of the two |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
20 standard protocols, there is no trivial way for us to just see it. |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
21 |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
22 In order to see the true undocumented file system content of both Grcard and |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
23 Sysmocom SIMs, I have implemented a brute force search of the file ID space. |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
24 This brute force search works as follows: |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
25 |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
26 * Starting with MF (file ID 3F00), try selecting every possible file ID from |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
27 0000 to FFFF, skipping only 3F00. For every file ID where the SELECT command |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
28 returns something other than "file ID not found" error (SW 9404 for SIM or |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
29 6A82 for UICC), follow up with GET RESPONSE and report what is found. For |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
30 every found file ID that turns out to be a DF when the full response is |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
31 parsed, the brute force search code takes note of it for further descent. |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
32 |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
33 * For every found DF, repeat the same brute force search inside that DF. File |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
34 IDs to be skipped at this search level include MF, the DF being searched, and |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
35 siblings of the current DF. If there are further nested DFs, the search has |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
36 to continue recursively. |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
37 |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
38 In the case of the classic GSM 11.11 SIM protocol and fc-simtool, there is only |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
39 one bfsearch-mf command, performing the search from MF - in this protocol there |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
40 is only one file system tree. In the case of UICC-architecture cards, there are |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
41 multiple file system trees that are independent and disjoint: there is the main |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
42 file system tree starting at MF, and then each application of the USIM/ISIM kind |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
43 has its own ADF and a separate file system tree under that ADF, practically |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
44 meaning ADF.USIM, ADF.ISIM and whatever other applications are present. |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
45 |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
46 bfsearch-mf command is implemented in both fc-simtool and fc-uicc-tool; this |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
47 command takes no arguments and should work the same way irrespective of any |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
48 prior card session state. fc-uicc-tool also adds a complementary bfsearch-adf |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
49 command for searching ADF-based directory trees; in order to use bfsearch-adf, |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
50 you have to first select the desired application (select-aid, select-usim or |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
51 select-isim) in the same card session. |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
52 |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
53 Please note that these brute force searches are very slow - in the Mother's |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
54 experience with Grcard and Sysmocom cards, each bfsearch run took about an hour. |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
55 |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
56 Findings on GrcardSIM2 and sysmoISIM-SJA2 |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
57 ========================================= |
13b8d90eb5c7
doc/Brute-force-search article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
58 |
179
efe944a5c4e3
doc/Brute-force-search: update for data directory rename
Mychaela Falconia <falcon@freecalypso.org>
parents:
170
diff
changeset
|
59 The data directory in this code repository contains some findings that have been |
efe944a5c4e3
doc/Brute-force-search: update for data directory rename
Mychaela Falconia <falcon@freecalypso.org>
parents:
170
diff
changeset
|
60 captured with brute force searches. As one can see from these data captures, |
efe944a5c4e3
doc/Brute-force-search: update for data directory rename
Mychaela Falconia <falcon@freecalypso.org>
parents:
170
diff
changeset
|
61 both Grcard and Sysmocom cards have plenty of additional directories and files |
efe944a5c4e3
doc/Brute-force-search: update for data directory rename
Mychaela Falconia <falcon@freecalypso.org>
parents:
170
diff
changeset
|
62 beyond the standard ones called for SIM/USIM/ISIM, and we can only guess at what |
efe944a5c4e3
doc/Brute-force-search: update for data directory rename
Mychaela Falconia <falcon@freecalypso.org>
parents:
170
diff
changeset
|
63 purpose all those extra proprietary directories and files may be serving. There |
efe944a5c4e3
doc/Brute-force-search: update for data directory rename
Mychaela Falconia <falcon@freecalypso.org>
parents:
170
diff
changeset
|
64 is one proprietary file on GrcardSIM2 and a few on sysmoISIM-SJA2 that are |
efe944a5c4e3
doc/Brute-force-search: update for data directory rename
Mychaela Falconia <falcon@freecalypso.org>
parents:
170
diff
changeset
|
65 documented, but what we have found with bfsearch goes far beyond these few |
efe944a5c4e3
doc/Brute-force-search: update for data directory rename
Mychaela Falconia <falcon@freecalypso.org>
parents:
170
diff
changeset
|
66 documented proprietary files. I wonder if perhaps various card-resident |
efe944a5c4e3
doc/Brute-force-search: update for data directory rename
Mychaela Falconia <falcon@freecalypso.org>
parents:
170
diff
changeset
|
67 applications are using some of these proprietary files for their internal |
efe944a5c4e3
doc/Brute-force-search: update for data directory rename
Mychaela Falconia <falcon@freecalypso.org>
parents:
170
diff
changeset
|
68 purposes. |