FreeCalypso > hg > fc-pcsc-tools
comparison doc/Brute-force-search @ 170:13b8d90eb5c7
doc/Brute-force-search article written
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Mon, 01 Mar 2021 00:25:49 +0000 |
parents | |
children | efe944a5c4e3 |
comparison
equal
deleted
inserted
replaced
169:c37a3cc0fafe | 170:13b8d90eb5c7 |
---|---|
1 Brute force search of card file system file ID space | |
2 ==================================================== | |
3 | |
4 The two protocols for accessing the file system of SIM cards (the original GSM | |
5 11.11 SIM protocol and the UICC protocol of ETSI TS 102 221) allow for selecting | |
6 directories and elementary files (EFs) by file IDs, but there is no provision | |
7 in either protocol for listing or enumerating what file IDs exist - there is no | |
8 'ls' operation. | |
9 | |
10 I (Mother Mychaela) really wanted to see the complete file system tree (all | |
11 directories and files) on SIM and UICC cards that are sold as programmable, made | |
12 by vendors such as Grcard and Sysmocom - my philosophy is that customers of such | |
13 programmable SIMs have a natural right to know about every file on those cards | |
14 and to exercise full control over the file system. But the unfortunate reality | |
15 with all currently available "programmable" SIMs on the market (or at least all | |
16 known ones) is that not only are their vendors not giving us a way to reformat | |
17 their cards and to recreate an entirely new file system layout as we like it, | |
18 but they don't even document the complete file system content their cards are | |
19 shipped with - and because there is no 'ls' operation in either of the two | |
20 standard protocols, there is no trivial way for us to just see it. | |
21 | |
22 In order to see the true undocumented file system content of both Grcard and | |
23 Sysmocom SIMs, I have implemented a brute force search of the file ID space. | |
24 This brute force search works as follows: | |
25 | |
26 * Starting with MF (file ID 3F00), try selecting every possible file ID from | |
27 0000 to FFFF, skipping only 3F00. For every file ID where the SELECT command | |
28 returns something other than "file ID not found" error (SW 9404 for SIM or | |
29 6A82 for UICC), follow up with GET RESPONSE and report what is found. For | |
30 every found file ID that turns out to be a DF when the full response is | |
31 parsed, the brute force search code takes note of it for further descent. | |
32 | |
33 * For every found DF, repeat the same brute force search inside that DF. File | |
34 IDs to be skipped at this search level include MF, the DF being searched, and | |
35 siblings of the current DF. If there are further nested DFs, the search has | |
36 to continue recursively. | |
37 | |
38 In the case of the classic GSM 11.11 SIM protocol and fc-simtool, there is only | |
39 one bfsearch-mf command, performing the search from MF - in this protocol there | |
40 is only one file system tree. In the case of UICC-architecture cards, there are | |
41 multiple file system trees that are independent and disjoint: there is the main | |
42 file system tree starting at MF, and then each application of the USIM/ISIM kind | |
43 has its own ADF and a separate file system tree under that ADF, practically | |
44 meaning ADF.USIM, ADF.ISIM and whatever other applications are present. | |
45 | |
46 bfsearch-mf command is implemented in both fc-simtool and fc-uicc-tool; this | |
47 command takes no arguments and should work the same way irrespective of any | |
48 prior card session state. fc-uicc-tool also adds a complementary bfsearch-adf | |
49 command for searching ADF-based directory trees; in order to use bfsearch-adf, | |
50 you have to first select the desired application (select-aid, select-usim or | |
51 select-isim) in the same card session. | |
52 | |
53 Please note that these brute force searches are very slow - in the Mother's | |
54 experience with Grcard and Sysmocom cards, each bfsearch run took about an hour. | |
55 | |
56 Findings on GrcardSIM2 and sysmoISIM-SJA2 | |
57 ========================================= | |
58 | |
59 bfsearch-booty directory in this code repository contains some findings that | |
60 have been captured with brute force searches. As one can see from these data | |
61 captures, both Grcard and Sysmocom cards have plenty of additional directories | |
62 and files beyond the standard ones called for SIM/USIM/ISIM, and we can only | |
63 guess at what purpose all those extra proprietary directories and files may be | |
64 serving. There is one proprietary file on GrcardSIM2 and a few on sysmoISIM- | |
65 SJA2 that are documented, but what we have found with bfsearch goes far beyond | |
66 these few documented proprietary files. I wonder if perhaps various card- | |
67 resident applications are using some of these proprietary files for their | |
68 internal purposes. |